JP2010118968A - Secret information distribution device and secret information restoration device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a secrecy distribution technique for preventing the fraudulent alteration of share. <P>SOLUTION: The secret information distribution device generates a set of a plurality of natural numbers x<SB>j</SB>(j=1, 2, ..., n) which are represented as x<SB>j</SB>=1+u<SB>j</SB>×v<SB>j</SB><SP>2</SP>and prime to each other, calculates a remainder α<SB>j</SB>as a result of dividing secret information S with the natural number x<SB>j</SB>, generates a natural number t<SB>j</SB>by subjecting the natural number x<SB>j</SB>and the remainder α<SB>j</SB>to Godel numbering while using prime numbers, and generates and distributes a share including the natural number t<SB>j</SB>. A secret information restoration device performs prime factorization on the natural number t<SB>i</SB>included in each share generated and distributed by the secret information distribution device, reproduces the natural number x<SB>j</SB>and the remainder α<SB>j</SB>on the basis of the resultant prime factor and restores the secret information S on the basis of the reproduced natural number x<SB>j</SB>and remainder α<SB>j</SB>. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to an apparatus for distributing and restoring secret information.

  Information corresponds to different measures depending on its importance, and it is necessary to take stronger security measures for information with higher importance. Among these, in order to safely manage information at a confidential level that would impede the operation of the organization, the encryption of the information alone is incomplete, and the management of the encryption key is also important.

  The secret sharing method is a method for managing such a key, and is a method for improving security by distributing secret information to shares. In addition, by setting the number of shares (k: threshold) necessary for restoration in advance, the original secret information can be restored without collecting all the shares.

  However, since the original secret information can be restored with k shares, there is a problem that the information at the time of restoration changes when the share is falsified. If restoration is performed with all combinations, tampering can be found. However, since there are an enormous number of actual combinations, it is often difficult to detect tampering. In addition, if the share of the majority is falsified, there is a risk that an incorrect result will be recognized as a correct result.

  Non-patent document 1 discloses a secret sharing method that can solve this problem.

  Non-Patent Document 1 proposes a secret sharing method in which each share can detect tampering using the Pell equation.

  By detecting share errors by this method, it is possible to restore information without trying all combinations of shares and without admitting wrong results as correct results.

The secret sharing method disclosed in Non-Patent Document 1 will be described.
1. Assumption 1-1. Chinese remainder theorem When the positive integers m ₁ and m ₂ are relatively prime, there exists a solution x in the simultaneous congruence of (1) and (2) for any integer a ₁ and a ₂ , All solutions are congruent modulo N = m ₁ · m ₂ .
x≡a ₁ (mod m ₁ ) ... (1)
x≡a ₂ (mod m ₂ ) ... (2)

2. Pell equation 2-1. Equation (3) is called the Pell equation.
x ² −d · y ² = 1 (3)
(D∈N, √d∈Q, N: natural number, Q rational number)
There are countless solutions x and y that satisfy this equation. When the solution of the Pell equation is expressed as z = x + y√d, the smallest solution among all the solutions is called a basic solution.

3. The Pel equation theorem (4) is called the discriminant of the basic solution of the Pell equation. If the equation (4) is satisfied and z = a + b√d is the solution of the Pell equation, it is the basic solution.
d∈N, √d∈Q, a, b∈N,
^{a ≧ [b 2/2]} ... (4)

4). Distribution phase 4-1. First, the secret information S to be distributed is decomposed into groups so that only the root part can be calculated by the sum of the child nodes, and the other nodes by the product of the child nodes, and a tree (tree) structure is obtained. By reducing the size of each share.

4-2. For the node group S _i , u _j and v _j (j = 1, 2,... N) are randomly generated so that all x _j = 1 + u _j · v _j ² are relatively prime.
4-3. The remainder α _j obtained by dividing the information S _i constituting the node of the tree by x _j (= 1 + u _j · v _j ² ) is obtained.
4-4. A natural number d _j = u _j · (u _j · v _j ² +2) is obtained.
4-5. (I, u _j , v _j , α _j ) at this time is a share.
4-6. Processes 4-2 to 4-5 are performed on all nodes. At this time, the value of n may be different for each node group.

5). Restoration phase 5-1. Take out one share.
5-2. The presence / absence of falsification described later is determined.
5-3. If there is no falsification, it can be used as a share that can be restored, so keep it.
5-4. Processes 5-1 to 5-3 are performed for all shares.
5-5. The classification is performed by the node group specific number i from all the held shares.
5-6. As shown in the equation (5), a congruence formula created from the shares classified by _i is coupled, a congruence formula created from k shares classified by the solution x _i is coupled, and the solution x _i is determined.
x _i ≡ α _ij (mod l + u _ij · v _ij ² ) (5)
(1.ltoreq.i.ltoreq.z) (1.ltoreq.j.ltoreq.k) z: number of node groups, k = threshold number threshold necessary for restoring node group information 5-7. Find a solution for all groups and build a tree.
5-8. Pay attention to the subtree of the tree and check if the calculation is correct.
5-9. If the calculation on the tree is correct, the root portion of the tree becomes the secret information S.

6). Method of falsification determination Falsification is determined using the Pell equation.
If tampering occurs, tampering can be detected because the share does not satisfy the Pell equation or the discriminant of the basic solution of the Pell equation.
6-1. x _i = 1 + u _i · v _i ² and y = v _i are substituted into the Pell equation shown by the equation (3), respectively, and it is determined whether the equation is satisfied.
6-2. When the Pell equation holds, a = x and b = y are applied to the equation (4) to determine whether or not the basic solution.
6-3. If it is a basic solution, it is determined that no falsification has been performed.

Proposal of secret sharing method that can detect falsification using Pell equation February 4, 2008, Hiroshima City University, 2007 Master thesis, Department of Information Media Engineering, Software Engineering Department Taketo Takeda

  According to the method disclosed in Non-Patent Document 1, it is possible to easily detect the presence or absence of share falsification using the Pell equation, and to further detect falsification from the mutual relationship of information restored using a tree It is also possible.

However, according to this method, since u and v are disclosed, d (= u · (u · v ² +2)) can be completely restored. Therefore, a new triplet u ′, v ′, d ′ can be generated so that falsification cannot be detected, making restoration difficult.

The present invention has been made in view of the above circumstances, and an object thereof is to provide a secret sharing method capable of preventing share tampering.
Another object of the present invention is to provide a secret sharing method that can detect tampering using a more reliable Pell equation.

In order to achieve the above object, a secret information distribution apparatus according to the first aspect of the present invention provides:
x _j = _{1 +} expressed by u ^j · _v j ^2, a plurality of natural numbers relatively prime _{x j (j = 1,2, ...} , n) and _{x j} generating means for generating a set of,
A division means for obtaining a remainder α _j obtained by dividing the secret information S by the natural number x _j ;
Godel numbering means for generating the natural number t _j by converting the natural number x _j and the remainder α _j into a Godel number using a prime number;
A distribution means for generating and distributing a share including the natural number t _j ;
It is characterized by providing.

Means for decomposing the secret information S into a tree structure having z nodes;
The x _j generating means generates a plurality of natural numbers x _ij for each of the i-th (i = 0, 1,..., Z−1) node groups,
The dividing means obtains a remainder α _ij obtained by dividing the value S _{i of} each node by a natural number x _ij ,
The Godel numbering means, for each node, converts the natural number x _ij and the remainder α _ij into a Godel number using a prime number to generate a natural number t _ij ,
The distribution means generates and distributes a share including a natural number t _ij for each node.
You may comprise as follows.

The Godel numbering means, for example, converts the natural number x _j and the remainder α _j into z _j1 and z _j2 by a known conversion formula, and further substitutes them into t _j = z _j1 · p ^zj2 The natural number t _j is obtained. Note that z _j1 and p are prime to each other, and p is a prime number.

means for obtaining a natural number d _j satisfying the Pell equation x _j ² -d · y _j ² = 1 when y _j = v _j ;
Means for distributing the obtained “natural number” d _j to those who have a legitimate authority;
May be further arranged.

means for obtaining a natural number d _j satisfying the Pell equation x _j ² −d _j · y _j ² = 1 when y _j = v _j ;
The Godel number conversion means converts the natural number x _j and the remainder α _j into z _j1 and z _j2 by a known conversion formula, and further substitutes them into t _j = z _j1 · p ₁ ^zj2 · p ₂ ^dj By doing so, you may make it obtain _| require natural number tj. Note that z _j1 , p _1, and p ₂ are prime numbers, and p ₁ and p ₂ are prime numbers.

Moreover, the secret information restoring device according to the second aspect of the present invention provides:
Storage means for storing shares generated by the above-described secret information distribution apparatus;
Reproducing means for factoring the natural number t _j included in the share stored in the storage means and reproducing the natural number x _j and the remainder α _j based on the decomposed prime factor;
Restoring means for restoring the secret information S based on the reproduced natural number x _j and the remainder α _j ;
It is characterized by providing.

Storage means for storing shares generated by the above-described secret information distribution apparatus;
Classification means for classifying the shares stored in the storage means by a node number i;
Regenerating means for decomposing the natural number t _j included in each share and regenerating the natural number x _j and the remainder α _j based on the decomposed prime factor;
The restoring means may be configured to restore the value of each node S _i by solving the simultaneous congruence equation of the reproduced natural number x _j and the remainder α _j for each node group.

Storage means for storing shares generated by the above-described secret information distribution apparatus;
Externally, a receiving means for receiving a natural number d _j,
Regenerating means for decomposing the natural number t _j included in each share and regenerating the natural number x _j and the remainder α _j based on the decomposed prime factor;
The restoration means verifies whether or not each share has been tampered with using the reproduced natural number x _j , remainder α _j and received d _j, and based on the share determined that tampering has not occurred, the secret information S May be configured to restore.

Means for storing the share generated by the above-mentioned secret information distribution apparatus;
Regenerating means for decomposing a natural number t _j included in each share and regenerating the natural number x _j , the remainder α _j and the natural number d _j based on the decomposed prime factor,
The restoration means verifies the presence or absence of falsification of each share using the reproduced natural number x _j , remainder α _j and natural number d _j, and restores the secret information S using the share determined that there is no falsification. You may comprise as follows.

Computer
x _j = _{1 +} expressed by u ^j · _v j ^2, disjoint plurality of natural numbers _{x j (j = 1,2, ...} , n) x j generating means for generating a set of,
A division means for obtaining a remainder α _j obtained by dividing the secret information S by the natural number x _j ;
Godel numbering means for generating a natural number t _j by converting the natural number x _j and the remainder α _j into a Godel number using a prime number;
A distribution means for generating and distributing a share including the natural number t _j ;
You may produce and distribute computer programs that function as

  According to the present invention, secret information can be more safely distributed.

  The secret sharing / restoring system 100 according to the embodiment of the present invention will be described below.

  The secret sharing / restoring system 100 has a function of secretly distributing the secret information S to a plurality of shares in a form capable of falsification detection using the Pell equation, while restoring the original secret information S from the collected plurality of shares. Is provided.

  As shown in FIG. 1, the secret sharing / restoring system 100 includes a control unit 10, a storage unit 20, an input unit 30, an output unit 40, and a communication unit 50.

  The control unit 10 operates according to an operation program stored in the storage unit 20 and performs secret sharing processing, falsification detection processing, restoration processing, and the like, which will be described later.

  The storage unit 20 includes a RAM (Random Access Memory), a ROM (Read Only Memory), a hard disk device, a flash memory, and the like, stores an operation program for the control unit 10, and functions as a work area for the control unit 10. .

  The storage unit 20 includes a RAM, a ROM, a hard disk device, a flash memory, and the like. As a storage unit, the storage unit 20 stores an operation program of the control unit 10, stores arbitrary data, and functions as a work area of the control unit 10. To do.

  The input unit 30 is composed of an arbitrary input device, and inputs the secret information S to be distributed and a plurality of shares to be restored.

  The output unit 40 includes an arbitrary output device, and outputs a plurality of shares obtained by secret sharing of the secret information S to be distributed, secret information S restored from the plurality of shares, and the like. Further, the output unit 40 performs processing for distributing information necessary for restoring the secret information S (a natural number d, which will be described later) to a person having a legitimate authority.

  The communication unit 50 communicates with an external device, and various data, for example, secret information S to be distributed, a plurality of generated shares, a plurality of shares to be restored, and a plurality of shares to be restored from the original Secret information S and the like are transmitted and received. In addition, the communication unit 50 performs a process for distributing information necessary for restoring the secret information S (a natural number d, which will be described later) to a person having a legitimate authority.

  Next, a procedure for distributing the secret information S to a plurality of shares by the secret sharing / restoration system 100 and then restoring the secret information S from the plurality of shares will be described with reference to the flowchart shown in FIG.

  First, the control unit 10 determines secret information S (step S101). The secret information S is, for example, data input from the input unit 30, data received via the communication unit 50, or data obtained by processing these.

Next, the control unit 10 decomposes the secret information S into a tree structure having z nodes (step S102). Here, the nodes of the first hierarchy of the tree structure are numerical values whose sum of those values is the value of the secret information S, and the nodes of the second hierarchy and lower are such that the value of the upper node is the product of the lower nodes Decompose. In other words, the secret information S sum is divided into two numbers _S 0, _{S 1} except prime the S, further, the values _{S 0} and _{S 1,} respectively, the two values at which the product is _S 0, _{S 1} Divide and repeat the same division to make the number of nodes z.

For example, when z = 6, as illustrated in FIG. 10, the secret information S is divided into two numerical values S ₀ and S ₁ other than the prime numbers whose sum is S. Further, each of the values _{S 0} and _{S 1,} the product is divided into _S 0, 2 two values as the _{S 1 S 2} and _S 3, _{S 4} and _{S 5.} Therefore, S = S ₀ + S ₁ , S ₀ = S ₂ · S ₃ , and S ₁ = S ₄ · S ₅ are established.

Next, 0 is set to the pointer i specifying the node (step S103). Further, 0 is set to the pointer j indicating the number of shares for node _{S i} (step S104).

Next, for the node S _i specified by the pointer i, all 1 + u _j · v _j ² are relatively prime, and the product of k 1 + u _j · v _j ² is less than the node value S _i. Then, a set of natural numbers u _ij and v _ij is randomly generated (steps S105 to S110).

Specifically, first, a natural number u _ij and a natural number v _ij are generated with random numbers (step S105).

Next, x _ij = 1 + u _ij · v _ij ² is calculated (step S106).
Next, it is determined whether or not gcd (1 + u _ij · v _ij ² ) = 1 (j = 1, 2,... K−1) is satisfied (step S107). That is, it is determined whether or not the generated k x _i (x _{i0 to} x _ik ) are relatively prime.

When the generated x _i is not in a prime relationship with each other (step S107; No), the process returns to step S105, and the natural number u _ij and the natural number v _ij are generated again with random numbers.

On the other hand, if it is determined in step S107 that gcd (x _ij ) = gcd (1 + u _ij · v _ij ² ) = 1 holds, that is, if all generated x _ij are determined to be relatively prime. (Step S107; Yes), it is determined whether or not the product of the generated k x _ij is larger than the value of the i-th node S _i (Step S108). Smaller or product is equal to the value of the node _{S i} (step S108; No), the process returns to step S105.

If it is determined in step S108 that the product of k x _ij is larger than S _i (step S108; Yes), for the node S _i , all 1 + u _ij · v _ij ² are relatively prime and k Natural numbers u _ij and v _{ij in} which the product of x _ij is larger than S _i are aligned.

Subsequently, a remainder α _ij obtained by dividing S _i by x _ij is obtained (step S109). _{That, S i ≡α ij (mod (} 1 + u ij · v ij 2)) is seeking alpha _ij which satisfies.

Further, a value d _ij = u _ij · (u _ij · v _ij ² +2) with α _ij as a basic solution of the Pell equation is obtained (step S110).

The obtained set of values (i, x _ij , α _ij ) is stored in the storage unit 20 as one of the shares (step S111).

Next, it is determined whether or not the value j is a predetermined value k−1 (step S112).
If it is determined that the value j is less than k−1 (step S112; No), the pointer j is incremented by 1 (step S113), the process returns to step S105, and the same operation is repeated.

If it is determined that the value j = k−1 (step S112; Yes), it is determined whether or not the value i is a predetermined value z−1 (step S114).
When it is determined that i is less than z−1 (step S114; No), the pointer i is incremented by 1 (step S115), the process returns to step S104, and the same operation is repeated.

On the other hand, when it is determined that i = z−1 (step S114; Yes), the processing for obtaining the shares for all the nodes S _i (S _{0 to} S _z−1 ) is completed.

If the share stored in step S111 is left as it is, there is a risk that the share itself is falsified and cannot be restored as described in the background art section.
Therefore, in order to prevent falsification of the share, x _ij and α _ij are converted in step S116.

Details of this conversion processing will be described with reference to FIG.
First, a pointer i specifying a node is set to 0 (step S201), and a pointer j specifying a share for each node is set to 0 (step S202).
Subsequently, with respect to the share specified by the pointers i and j, x _ij and α _ij are orthogonally transformed into z _ij1 and z _ij2 by the following equation (step S203).

Z _ij1 = x _ij + α _ij
Z _ij2 = x _ij -α _ij

  Next, an arbitrary prime number p is generated (step S204).

Next, it is determined whether or not gcd (Z _ij1 , p) = 1 holds, that is, whether or not Z _ij1 and p are relatively prime (step S205).
If not established (step S205; No), the process returns to step S204 to generate a prime number p.
If it is established (step S205; Yes), the generated Z _ij1 and Z _ji2 are _converted into Godel numbers using the prime number p according to the equation (2) to generate a natural number t _ij (step S206).

t _ij = Z _ij1 · p ^Zij2 . . . . (2)
Where gcd (Z _ij1 , p) = 1

Next, (i, t _ij ) is set as one share (step S207).

Next, it is determined whether or not the value j is a predetermined value k−1 (step S208).
If it is determined that the value j is less than k−1 (step S208; No), the pointer j is incremented by 1 (step S209), the process returns to step S203, and the same operation is repeated.

If it is determined that j = k−1 (step S208; Yes), it is determined whether or not the value i is a predetermined value z−1 (step S212).
If it is determined that i is less than z−1 (step S212; No), the pointer i is incremented by 1 (step S211), the process returns to step S202, and the same operation is repeated.

On the other hand, if it is determined that i = z−1 (step S212; Yes), the processing for converting the shares for all the nodes S _i (S _{0 to} S _z−1 ) is completed, and FIG. Return to the main flow.

The control unit 10 outputs or transmits the generated share (i, t _ij ) from the output unit 40 or the communication unit 50.
Further, the control unit 10 stores data such as the values u _ij , v _ij , and d _ij generated in steps S105 and S110 in the storage unit 20.
In addition, the control unit 10 distributes the natural number d to a person who has a legitimate authority to restore the secret information S in order to determine whether the share has been tampered via the output unit 40 or the communication unit 50. I do.

  Next, an operation for restoring the original secret information S from the shares thus distributed will be described.

First, the control unit 10 stores the share and the natural number d _ij obtained via the input unit 30 or the communication unit 50 in the storage unit 20.

  The control unit 10 appropriately performs the falsification determination process shown in FIG. 4, takes out the share stored in the storage unit 20 (step S <b> 301), determines the presence / absence of falsification (step S <b> 302), and determines that there is no falsification. Since it can be used as a share that can be restored (step S302; No), it is retained (step S303). On the other hand, if it is determined that there is tampering (step S302; Yes), the share is discarded (step S304). Subsequently, it is determined whether or not the processing has been completed for all shares (step S305). If the falsification determination has been completed for all shares (step S305; Yes), the falsification determination processing is terminated and terminated. If not (step S305; No), the process returns to step S301 and the same processing is performed for the next share.

The determination of whether or not tampering is performed in step S302 is performed using the Pell equation.
If tampering occurs, tampering can be detected because the share does not satisfy the Pell equation or the discriminant of the basic solution of the Pell equation.
A procedure for determining the presence or absence of falsification using the Pell equation will be described with reference to FIG.

As described above, the control unit 10 receives in advance the natural number d _ij distributed from the dealer (who distributed the share) via the input unit 30 or the communication unit 50 via a recording medium or communication, and stores the storage unit 20 is stored.

The control unit 10 extracts a natural numerical value t _ij from the share selected in step S301 (step S321).
The natural number t _ij is _primed to obtain a format of Z _ij1 · p ^Zij2 (p is a prime number), and Z ₁ and Z ₂ are obtained (step S322).

Then, x _ij = a _{(Z ij1 + Z ij2) /} 2, determining the x _ij (step S323).
Then, it had been received from the dealer, from the natural numbers _{d ij} and x _ij, is substituted for ^{_{x ij -d ij · v ij 2}} = 1, obtaining the v _ij (step S324).
Next, it is determined whether or not v _ij is a natural number (step S325). If it is a natural number (step S325; Yes), the Pell equation is established and the necessary condition for falsification detection is satisfied.

Next, it is determined whether u _ij and v _ij satisfy the discriminant of the basic solution of the Pell equation. That is, it is determined whether or not satisfy ^{_{u ij ≧ [v ij 2/}} 2] ( step 326).

  If it is determined that the basic solution discriminant is satisfied (step S326; Yes), it is determined that no falsification has been performed (step 327).

  On the other hand, if it is determined that the basic solution discriminant is not satisfied (step S326; No), it is determined that falsification has been performed (step 328).

  In this way, for each share, it is possible to quickly determine whether or not the share has been tampered by determining whether or not the Pell equation is satisfied, and whether or not the Pell equation basic solution discriminant is satisfied. it can. Furthermore, the situation where the secret information S is erroneously restored can be prevented by discarding the share determined to be falsified.

  Next, a process of restoring the secret information S using a share determined not to be tampered will be described with reference to the flowchart of FIG.

The control unit 10 classifies all shares (i, j, t _ij ) held in the storage unit 20 by the node-specific number i (step S401).
i = 0 is set (step S402).
The k simultaneous congruence formulas created from all the shares classified by i are explained using the Gauss method, and the solution S _i (≡α _ij (mod x _ij )) is obtained (step S403).

Next, it is determined whether or not i = z−1, that is, whether or not the value S _i has been obtained for all nodes (step S404).

If i <z−1 (step S404; No), an unprocessed node remains, so i = i + 1 (step S405), and the process returns to step S403 to obtain a solution S _i .

On the other hand, if i = z−1 (step S404; Yes), since the restoration of the values S _i of all the nodes is completed, the tree is reproduced using the values S _i (step S406).

  Subsequently, the tree is verified (step S407). That is, paying attention to the subtree of the tree, it is checked whether the product of the two node values immediately below (the sum for the root) is equal to the value of the node. If all nodes are equal to the product of the two node values immediately below (the sum for the root), it is determined that the tree is correct.

When it is determined that the tree is correct (step S408; Yes), the value synthesized at the root of the tree is set as secret information S (step S409).
On the other hand, when it is determined that the tree is not correct (step S408; No), predetermined error processing is performed (step S410), for example, processing for notifying share tampering is performed.
Thus, the secret information S is restored.

According to this embodiment, the information x _i and alpha _i constituting the share and Godel number by using the prime number p generates a natural number t _i, to distribute it.

For this reason, it becomes difficult to estimate the original information x _i and α _i of the share, and the alteration of the share can be made more difficult.
Further, since the falsification of the share is verified from the Pell equation and the reproduced tree structure, it is possible to quickly determine whether the share has been falsified, and it is possible to prevent the situation where the secret information S is restored using the falsified share.

(Second Embodiment)
In the first embodiment, when restoring the share, the dealer needs to distribute the value d _ij (= u _ij · (u _ij · v _ij ² +2)) to the restoration destination. It is also possible to include _ij in the share.

For example,
t _i = z _ij1 · p ₁ ^Zij2 · p ₂ ^dij
p ₁ and p ₂ are prime numbers, z _ij1 , p ₁ , and p ₂ are prime to each other, and p ₁ > p ₂ ,
_Dij can be included in the natural number _tij .

When restoring the secret information S, the natural number t _i included in the share is _primed into a form of a · p ₁ ⁿ · p ₂ ^m , and from p ₁ > p ₂ , Z _ij1 = a, Z Share can be restored by _{setting ij2} = n, _dij = m, and _xi = ( _Zij1 + _Zij2 ) / 2 and [alpha] _i = ( _{Zij1- Zij2} ) / 2.

By using a similar method, u _ij and v _ij can be included in the natural number t _ij .

In the above embodiment, the natural numbers x _i and α _i constituting the share are converted into z _ij1 and z _ij2 by orthogonal transformation, but the natural numbers x _i and α _i are converted from z _ij1 and z _ij2 after the transformation. Any conversion formula can be used as long as.

further,
^{_{t i = α ij · p 1}} xij · p 2 dij
t _i = x _ij · p ₁ ^αij · p ₂ ^dij
And so on.
The share may be (i, j, t _ij ). In this way, it is easy to specify j.

(Application 1)
Next, an application example of the secret sharing method using the above configuration will be described.
Raw civil engineering is an essential material for civil engineering and construction work. On the other hand, it is difficult to maintain the quality of the ready-mixed material uniformly, and there may be a case where it is desired to check the quality of the ready-made food after the completion of the construction.

  However, there is a background in that the sampling of raw concrete samples at the construction site is not sufficiently conducted, and the traceability of the raw concrete survival process is poor, and the cause investigation using the raw concrete sample analysis data has not been made after the accident occurred.

In view of this, the following provides a method that makes it possible to improve the efficiency of raw sample collection and analysis data management, and the efficiency of raw sample analysis data collation after an accident.
First, an overall view of the system is shown in FIG.

As shown in the figure, the ready-mixed concrete is produced at a factory 101, loaded on a mixer truck 102, and carried into a construction site 103.
In the factory 101, production data 101a of ready-mixed food is managed, and information such as production date / time, material / lot, and production record is recorded and managed in a database.

  The person in charge of the mixer truck 102 records the production data 101 a of the loaded concrete containers on the portable terminal 111. This portable terminal has the same configuration as the secret sharing / restoring system 100 shown in FIG. The output unit 40 includes an RFID reader / writer.

  The person in charge of the mixer truck 102 also inputs data such as the unloading time from the factory, the loading time to the construction site, and the loading location from the input unit 30 or the like into the portable terminal 111 thereof.

  Subsequently, when arriving at the construction site 103, the person in charge of the mixer truck 102 inputs data 102 a such as a carry-in time and a carry-in place into the portable terminal 111.

  Next, the person in charge of the construction site takes out the sample 106 from the loaded raw concrete and embeds the RFID chip 107.

  The person in charge inputs the ID of the sample RFID chip 107 to the portable terminal 111.

  The mobile terminal 111 generates a plurality of shares from the input information, that is, production information, import records, sample chip IDs, and the like, and distributes and stores these in a plurality of RFIDs 105. The same share may be recorded on a plurality of RFIDs 105.

Subsequently, the RFID chip 105 is embedded in the live control 104.
The raw control unit 104 is placed and constitutes a part of the structure.

  On the other hand, the raw sample 106 in which the RFID 107 is embedded is transported to a predetermined test organization 108 and analyzed.

  The analysis result 109 is stored in a DB or the like in association with the ID of the RFID 107 embedded in the raw live sample 106.

  When a problem occurs in the building, the share stored in the RFID 105 embedded in the problem location is read by the RFID reader having the configuration shown in FIG. As described above, the RFID 105 stores the ID of the RFID 107 embedded in the live control sample 106, production data, and transport / carry-in data in the form of a share.

  As described above, the reading device determines whether or not the read share has been tampered with based on the Pell equation, restores the value of each node, and restores the secret information by the above-described method.

This secret information includes the ID of the sample RFID 107.
The person in charge searches the DB using the sample ID included in the restored information as a key, and reads the analysis data associated with the corresponding ID.

As a result, it is possible to obtain the production data, transport / carry-in data, and sample analysis data of the problem concrete and analyze the problem.
Note that the information stored in the RFID chip 105 can be arbitrarily changed as long as the sample of the live control used in the problem part can be finally identified.

(Application example 2)
In this example, it is assumed that the electronic voting is performed and the voting results are accumulated in the counting device.

For example, as shown in FIG. 8, a plurality of polling stations 201 (201 _{A to} 201 _C ) have a plurality of voting terminals 202 (202 _{1 to} 202 _n ) and a storage device 203 connected to the voting terminals 202, respectively. Suppose it is placed.

  Each time a vote is performed, the voting terminal 202 generates voting information including information such as a voting number, a voter, and time, encrypts the voting information, and transmits the voting information to the storage device 203.

  The storage device 203 receives the voting information transmitted from each voting terminal 202, performs safety processing such as duplication, and stores it in the hard disk device 204 or the like.

  After the voting time ends, the storage device 203 forms a plurality of nodes using the stored information as the secret information S, generates a plurality of shares from each node, and distributes and stores them in the plurality of storage devices 205. Here, in each storage device 205, a share that can restore the original secret information S is selected and stored only from the share stored in each storage device, although the combinations are different from each other.

  Subsequently, the plurality of storage devices 205 are transported to a counting station, for example, by separate transport means.

  The aggregation device 207 installed in the aggregation station 206 reads the shares stored in the plurality of storage devices 205, and determines whether each share is falsified based on the Pell equation.

  If it is determined that there is no falsification, each node is restored from the share, and then the presence or absence of falsification is verified from the relationship between the nodes. Further, if the mutual relationship between nodes is normal, the root node is obtained and used as the original information.

  Based on the vote information restored from the shares provided from the plurality of polling places 201, the number of votes is totaled.

  With such a configuration, even if some information is lost during transportation, the original information can be reproduced with the remaining information, and the confidential information can be transported and reproduced safely. .

(Application 3)
The above-described technology can be applied to general communication.

  Here, as an example, a case is assumed in which arbitrary audio data and image data are securely transmitted by wire or wireless.

  As illustrated in FIG. 9, the transmission device 301 accumulates data to be transmitted in a buffer or the like. The transmission device 301 reads and encrypts data stored in a buffer or the like by a predetermined amount (eg, in units of frames).

Furthermore, the transmission apparatus 301 divides the encrypted predetermined amount of information as secret information S into a plurality of nodes, for example, nodes S _{0 to} S ₅ . Subsequently, a plurality of shares are generated for each node.

  Subsequently, the transmission apparatus 301 allocates shares to a plurality of transmission channels. At this time, the transmitting apparatus 301 distributes the shares so that the original data cannot be restored only by monitoring the shares transmitted through one transmission channel. The transmission device 301 transmits each distributed share through each transmission channel.

  On the other hand, the receiving device 302 receives a share transmitted via a plurality of transmission channels, and determines whether the received share has been tampered with using the Pell equation. If tampering is detected, the share is discarded, and if it is determined that there is no tampering, the share is accumulated.

Subsequently, the receiving device 302 restores the nodes S _{0 to} S ₅ from the received share.
Furthermore, the consistency between restored nodes is checked. If consistency is obtained, the root portion is set as secret information S. This process is performed for each frame.

  With such a configuration, it is possible to transmit secret information safely.

  Although the embodiments and application examples of the present invention have been described above, these are merely examples, and various modifications, applications, and combinations with other technologies are possible, and these are also the inventions and inventions described in the claims. It should be understood that the invention falls within the scope of the invention corresponding to the specific examples described in the embodiments.

For example, the system configuration, processing procedure, and the like can be arbitrarily changed.
Further, regardless of a dedicated system, a computer program for executing the above-described distributed processing and / or restoration processing is installed in a computer to form the above-described secret sharing processing device and / or restoration device. The restoration process may be executed.

1 is a block diagram of a secret sharing / restoring system according to an embodiment of the present invention. It is a flowchart of a distributed process. It is a flowchart which shows the detail of the conversion process shown in FIG. It is a flowchart of the falsification determination process which verifies the presence or absence of the falsification of a share. It is a flowchart which shows the detail of the procedure of the tampering determination using a pel equation. It is a flowchart of a restoration process. It is a figure which shows the example of the system which manages the data of raw control as the application example 1. FIG. It is a figure which shows the example applied to the electronic voting system as the application example 2. FIG. It is a figure which shows the example applied to the communication system as the application example 3. FIG. It is a figure which shows the example which divides | segments secret information into several nodes.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 ... Control part 20 ... Memory | storage part 30 ... Input part 40 ... Output part 50 ... Communication part 100 ... Secret sharing / restoration system

Claims (10)

x _j = _{1 +} expressed by u ^j · _v j ^2, a plurality of natural numbers relatively prime _{x j (j = 1,2, ...} , n) and _{x j} generating means for generating a set of,
A division means for obtaining a remainder α _j obtained by dividing the secret information S by the natural number x _j ;
Godel numbering means for generating the natural number t _j by converting the natural number x _j and the remainder α _j into a Godel number using a prime number;
A distribution means for generating and distributing a share including the natural number t _j ;
A secret information distributing apparatus comprising: Means for decomposing the secret information S into a tree structure having z nodes;
The x _j generating means generates a plurality of natural numbers x _ij for each of the i-th (i = 0, 1,..., Z−1) node groups,
The dividing means obtains a remainder α _ij obtained by dividing the value S _{i of} each node by a natural number x _ij ,
The Godel numbering means, for each node, converts the natural number x _ij and the remainder α _ij into a Godel number using a prime number to generate a natural number t _ij ,
The distribution means generates and distributes a share including a natural number t _ij for each node.
The secret information distribution apparatus according to claim 1. The Godel numbering means converts the natural number x _j and the remainder α _j into z _j1 and z _j2 by a known conversion formula, and further substitutes it into t _j = z _j1 · p ^zj2 , ^{thereby obtaining} a natural number t _j is obtained, where z _j1 and p are prime to each other, and p is a prime number.
The secret information dispersal device according to claim 1 or 2. means for obtaining a natural number d _j satisfying the Pell equation x _j ² −d _j · y _j ² = 1 when y _j = v _j ;
Means for distributing the obtained natural number d _j to those having a legitimate authority;
The secret information distribution apparatus according to claim 1, further comprising: means for obtaining a natural number d _j satisfying the Pell equation x _j ² −d _j · y _j ² = 1 when y _j = v _j ;
The Godel number conversion means converts the natural number x _j and the remainder α _j into z _j1 and z _j2 by a known conversion formula, and further substitutes them into t _j = z _j1 · p ₁ ^zj2 · p ₂ ^dj To obtain a natural number t _j , where z _j1 , p ₁ and p ₂ are prime numbers, and p ₁ and p ₂ are prime numbers,
The secret information distribution apparatus according to claim 1, wherein the secret information distribution apparatus is a secret information distribution apparatus. Storage means for storing shares generated by the secret information distribution apparatus according to any one of claims 1 to 5,
Reproducing means for factoring the natural number t _j included in the share stored in the storage means and reproducing the natural number x _j and the remainder α _j based on the decomposed prime factor;
Restoring means for restoring the secret information S based on the reproduced natural number x _j and the remainder α _j ;
A secret information restoring apparatus comprising: Storage means for storing shares generated by the secret information distribution apparatus according to any one of claims 1 to 5,
Classification means for classifying the shares stored in the storage means by the node group number i;
Regenerating means for decomposing the natural number t _j included in each share and regenerating the natural number x _j and the remainder α _j based on the decomposed prime factor;
The restoration means restores the value of each node S _i by solving the simultaneous congruence equation of the reproduced natural number x _j and the remainder α _j for each node group.
A secret information restoring apparatus characterized by that. Storage means for storing shares generated by the secret information distribution apparatus according to claim 3;
Receiving means for receiving a natural number d from outside;
Regenerating means for decomposing the natural number t _j included in each share and regenerating the natural number x _j and the remainder α _j based on the decomposed prime factor;
The restoration means verifies whether or not each share has been tampered with using the reproduced natural number x _j , remainder α _j and received d _j, and based on the share determined that tampering has not occurred, the secret information S Restore,
A secret information restoring apparatus characterized by that. Means for storing shares generated by the secret information distribution apparatus according to claim 5;
Regenerating means for decomposing a natural number t _j included in each share and regenerating the natural number x _j , the remainder α _j and the natural number d _j based on the decomposed prime factor,
The restoration means verifies the presence or absence of falsification of each share using the reproduced natural number x _j , remainder α _j and natural number d _j, and restores the secret information S using the share determined that there is no falsification.
A secret information restoring apparatus characterized by that. Computer
x _j = _{1 +} expressed by u ^j · _v j ^2, disjoint plurality of natural numbers _{x j (j = 1,2, ...} , n) x j generating means for generating a set of,
A division means for obtaining a remainder α _j obtained by dividing the secret information S by the natural number x _j ;
Godel numbering means for generating a natural number t _j by converting the natural number x _j and the remainder α _j into a Godel number using a prime number;
A distribution means for generating and distributing a share including the natural number t _j ;
A computer program that functions as a computer program.

Images