JP2012212031A - Decryption result verification device, method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a technique for verifying whether a decryption device accurately makes a calculation for decryption.SOLUTION: A random number (r of G) is generated, where G is a commutative group, E is a homomorphic encryption function of a public key encryption in which an element of G is a plaintext, B is a function such that it is difficult to calculate an element of (an intersection of a set (S+x) and a set S) which is not 0 with respect to arbitrary (x of G) which is within a range of a set (a subset S of G), and not 0, (m) is a message, C=E(B(m)) is a ciphertext, and I is a function which includes an element (x) of G as an input, and outputs true when such m' that x=B(m') is present. Transmission information C=E(r) is calculated. C+Cis transmitted to a decryption device 2 which can decrypt the decryption function E, and decrypts the received C+Cto output a decryption result (d) thereof. The decryption result (d) is received from the decryption device 2. Verification information d'=d-r is calculated. It is determined whether I(d') is true.

Description

  The present invention relates to a computer calculation technique. In particular, the present invention relates to a technique for performing calculations using calculation results obtained by other computers.

  The following techniques for determining whether or not the calculation result of the decoding performed by the decoding apparatus is correct using the confirmation information Q (m) such as the parity bit can be considered. For the parity bit, see Non-Patent Document 1, for example.

  The requesting device obtains ciphertext E (m || Q (m)) in which m || Q (m) obtained by bit-combining confirmation information Q (m) such as a parity bit with the message m is plaintext. Decoding is performed using the calculation result to be performed by the decoding device. Here, Q (m) is, for example, an even parity bit. That is, 0 is output when the number of 1 bits out of the bits constituting Q (m) is an even number, and 1 is output when the number is odd.

  First, the requesting device transmits the ciphertext E (m || Q (m)) to the decrypting device.

  The decryption device decrypts the received ciphertext E (m || Q (m)) and transmits the calculation result m || Q (m) to the requesting device.

  The requesting device separates the received calculation result m || Q (m) into a message m and confirmation information Q (m). The requesting device determines whether the separated confirmation information Q (m) matches the confirmation information Q (m) generated from the separated message m.

  If they match, it can be determined that the received calculation result m || Q (m) is correct, and the separated message m is set as a correctly decoded message m.

  If they do not match, it can be determined that the received calculation result m || Q (m) is not correct, and it is assumed that the separated message m is not a correctly decoded message m.

  As a result, when the calculation result m || Q (m) of the decoding device includes an accidental error, the requesting device can detect the error with a certain probability.

Edited by Makoto Nagao (7 outside), “Iwanami Information Science Dictionary”, 1st edition, Iwanami Shoten, May 25, 1995, p. 592

  In the technique described in the background art, the decryption apparatus can modify the message m while deceiving the determination of the requesting apparatus.

For example, the decryption device separates the confirmation information Q (m) from m || Q (m) obtained by decrypting the ciphertext E (m || Q (m)). The decryption device generates an arbitrary modified message m ^* and confirmation information Q (m ^* ) corresponding to the message m ^* . For example, m ^* is a value obtained by inverting the value of any two of the bits constituting m. In this case, the value of Q (m ^* ) is the same as the value of Q (m). The decryption device transmits m ^* || Q (m ^* ) to the requesting device instead of m || Q (m).

In this case, the requesting device separates the received m ^* || Q (m ^* ) into a message m ^* and confirmation information Q (m ^* ), and separates the separated confirmation information Q (m ^* ). It is determined whether the confirmation information Q (m ^* ) generated from the message m ^* matches, but this value matches.

  In this way, the decryption device can modify the message m while misleading the requesting device. In other words, the background art requesting device cannot verify whether or not the decoding device has correctly performed the calculation for decoding.

  An object of the present invention is to provide a decoding result verification apparatus, method, and program capable of verifying whether or not the decoding apparatus has correctly performed calculation for decoding.

The decryption result verification apparatus according to one aspect of the present invention is an arbitrary homomorphic encryption function in a public key cryptosystem in which G is a commutative group, E is a plaintext of G, and B is a set S⊆G as a range. Is a function that is difficult to calculate for non-zero x∈G of (S + x) ∩S, m is a message, C = E (B (m)) is ciphertext, and I is G A random number generation unit that generates a random number rεG and a transmission information C ₀ = E (r) as a function that outputs true when there is m ′ with x = B (m ′) when the element x is input. A transmission information generation unit that calculates C + C ₀ , a transmission unit that can decrypt the encryption function E and decrypts the received C + C ₀ and outputs the decryption result d, and a decryption result from the decryption device a receiving unit that receives d, a verification information generating unit that calculates d ′ = d−r, and I (d ′) = true Including and Luca determination unit.

  The decryption result verification device can verify whether the decryption device has correctly performed the calculation for decryption.

The block diagram for demonstrating the structure of the decoding result verification apparatus of embodiment. The flowchart for demonstrating the process of the decoding result verification apparatus of embodiment.

  An embodiment of the present invention will be described below with reference to the drawings.

[Definition of symbols]
First, symbols are defined as follows.

  G is a commutative group. Note that group operations are expressed additively.

  E is a homomorphic encryption function in a public key cryptosystem that uses G as a plaintext. Since E has the property of homomorphism, E (a) + E (b) = E (a + b) for any a∈G and any b∈G. E is open to the public, and the decryption result verification apparatus 1 can calculate the function E.

  D is a decryption function in the public key cryptosystem corresponding to E. That is, D (E (y)) = y for any yεG.

  B is a function having the set S⊆G as a range. Further, B has a property that it is difficult to calculate a non-zero element under (S + x) ∩S for any non-zero x∈G.

  m is a message.

  C = E (B (m)) is a ciphertext to be decrypted. The ciphertext C is generated by a ciphertext generation device (not shown).

  I is a function that outputs true when there is an m ′ satisfying x = B (m ′) with the x element of G as an input, and outputs false when it does not exist.

  A is a function that outputs a message with the element of G as an input, and is a function that satisfies the property of A (B (m)) = m for an arbitrary message m.

  h is a secure hash function such as SHA-256, for example.

  || is a bit combination.

[Decryption result verification apparatus and method]
The decryption result verification device 1 (FIG. 1) according to an embodiment of the present invention decrypts the ciphertext E (B (m)) using the result of a predetermined calculation performed by the decryption device 2. At that time, the decryption result verification apparatus 1 can verify whether the calculation result of the decryption apparatus 2 is correctly performed. In other words, it is possible to verify whether or not the decryption apparatus 2 has modified the message m.

  As illustrated in FIG. 1, the decryption result verification device 1 includes, for example, a random number generation unit 11, a transmission information generation unit 12, a transmission unit 13, a reception unit 14, a verification information generation unit 15, a determination unit 16, and an output unit 17.

  The random number generation unit 11 (FIG. 1) of the decryption result verification apparatus 1 generates a random number rεG (step S1). The generated random number r is transmitted to the transmission information generation unit 12 and the verification information generation unit 15.

The transmission information generation unit 12 of the decryption result verification device 1 generates transmission information C ₀ = E (r) using the random number r (step S2). The generated transmission information C ₀ is transmitted to the transmission unit 13.

The ciphertext C = E (B (m)) and the transmission information C ₀ are input to the transmission unit 13 of the decryption result verification device 1. Transmission unit 13 may calculate the C + _{C 0,} and transmits the decoding apparatus 2 (step S3).

Decoder 2 receives the C + _{C 0.} The decryption device 2 can decrypt the encryption function E, decrypts the received C + C ₀ , and transmits the decryption result d to the decryption result verification device 1 (step S4). Specifically, the decoding device 2 decodes C + C ₀ using the decoding function D. Because of the homomorphism of E, when the decoding device 2 performs the calculation correctly, the decoding result d = D (C + C ₀ ) = D (E (B (m)) + E (r)) = D (E ( B (m) + r)) = B (m) + r.

  The receiving unit 14 of the decoding result verification apparatus 1 receives the decoding result d (step S5). The receiving unit 14 transmits the received decoding result d to the verification information generating unit 15.

  The verification information generation unit 15 of the decryption result verification device 1 calculates verification information d ′ = dr using the decryption result d and the random number r (step S6). The calculated 'is transmitted to the determination unit 16.

  The determination unit 16 determines whether I (d ′) = true (step S7). That is, it is determined whether or not the verification information d ′ belongs to the set S.

  If I (d ′) = true, it can be determined that the decoding result d of the decoding device 2 is correct. The reason will be described later. In this case, the determination unit 16 transmits the verification information d ′ to the output unit 17. The output unit 17 that has received the verification information d 'calculates and outputs A (d') (step S8). In this case, A (d ′) = m.

  Unless I (d ′) = true, the decoding result d of the decoding device 2 cannot be determined to be correct. The reason will be described later. In this case, the determination unit 16 outputs information indicating that an error has occurred.

  In this way, the decoding result verification apparatus 1 can verify whether the decoding apparatus 2 has correctly performed the calculation for decoding.

[Specific examples of B, A and I]
For example, B (m) = m || h (m). If B defined in this way does not satisfy the properties of B, then h can be identified as a random oracle, but there is no practicable algorithm for identifying a secure hash function as a random oracle. It is believed that. Therefore, B defined in this way satisfies the property of B.

  When the bit length of the output of the hash function h is L, A is a function that outputs a bit string excluding the lower L bits with respect to the input.

  I (d ′) outputs true when the lower L bits of d and the hash value h (A (d ′)) of bits other than the lower L bits of d ′ match, This is a function that outputs false if not done.

[Reason why it is possible to determine whether the decoding result d of the decoding device 2 is correct based on the value of I (d ′)]
The algorithm of the above embodiment can be described as the following <Method 1>. Here, the ciphertext C = E (B (m)). The machine X corresponds to the decoding device 2 of the above embodiment.

<Method 1>
1. A random number r is generated and C ₀ = E (r) is calculated.

2. The ciphertext C + C ₀ is input to the machine X, and the decryption result d is received from the machine X.

  3. Calculate d '= d-r.

4). If I (d ′) is true, A (d) is output. Otherwise, an error is output.

  In <Method 1>, when considering the possibility of machine X responding maliciously, an attack by X succeeds in an event where I (d ') is true and A (d') is other than m. I will call it. In the following, the probability that the attack by the machine X is successful is evaluated.

  If encryption of information to be transmitted to the machine X is omitted in <Method 1>, the following <Method 2> is obtained. When considering the possibility of machine X responding maliciously, an event where I (d ′) is true and A (d ′) is other than m is referred to as a successful attack by machine X. To do.

<Method 2>
1. B (m) + r is input to the machine X, and the decoding result d is received from the machine X.

  2. Calculate d '= d-r.

3. If I (d ′) is true, A (d ′) is output. Otherwise, an error is output.

  When the symbol r is replaced with r-B (m), the following <Method 3> is obtained. When considering the possibility of machine X responding maliciously, an attack by machine X is said to be successful when I (d ′) is true and A (d ′) is other than m. To do.

<Method 3>
1. The ciphertext r is input to the machine X, and the decryption result d is received from the machine X.

  2. d '= d-r + B (m) is calculated.

  3. If I (d ') is true, A (d') is output. Otherwise, an error is output.

  For any B (m), the distribution of random numbers r and r + B (m) is equal or difficult to identify, so for any machine X, the probability of successful attack in <Method 2> and the attack in <Method 3> Probability of success is equal or difficult to identify.

  Here, consider the following <Method 4>. When considering the possibility that the machine Y will respond maliciously, the attack by the machine Y is said to be successful when I (d ′) is true and A (d ′) is other than m. To do.

<Method 4>
1. The decryption result d is received from the machine Y.

  2. Calculate d '= d + B (m).

  3. If I (d ') is true, A (d') is output. Otherwise, an error is output.

Well, if there is a machine X, the probability of successful attacks in the <method 3> is assumed to be p _X. The machine Y _X that communicate with an external machine M using the machine X as a subroutine may be configured as follows.

_<Y X>
1. A random number r is generated and transmitted to the machine X. Receive d from machine X.

  2. Calculate dr and return to machine M.

The <method 4> is regarded as a machine M, by replacing the mechanical Y in <Method 4> the machine Y _X, the output of the replaced resulting scheme is equal to <method 3>. Therefore, the probability that the machine _X succeeds in the attack of <scheme 3> is equal to the probability that the machine Y _X succeeds in the attack of <scheme 4>.

  By the way, assuming the definition of B in the above embodiment, for any machine Y, the probability that the machine Y will succeed in the attack of <Method 4> can be ignored. The definition for B is “assuming that B satisfies the following property: where B is S, and for any non-zero x∈G, (S + x) ∩ that is not zero under S It ’s difficult to calculate. ”

  Because if d ≠ 0 if the attack of <scheme 4> is successful and I (d ′) is true, then B (m) ∈S becomes B (m) + d∈S, and d This is because B (m) ε (S + x) ∩S can be calculated if x is regarded as xεG.

Therefore, the use of the mechanical Y _X as machine Y for any machine X, the probability that the machine Y _X has successfully attack <scheme 4> is negligible. Since the probability that the machine _X succeeds in the attack of <scheme 3> is equal to the probability that the machine Y _X succeeds in the attack of <scheme 4>, p _X is a negligible amount for any machine X.

  <Method 2> is obtained by removing the encryption by public key encryption from <Method 1>. Therefore, the probability that an arbitrary machine X will succeed in the attack of <Method 1> is that the machine X is an attack of <Method 2>. Is less than the probability of success. Therefore, the probability that an arbitrary machine X succeeds in the attack of <Method 1> is a negligible amount.

  That is, the decryption device 2 cannot alter the message m while deceiving the judgment of the decryption result verification device 1. In other words, the decryption result verification device 1 can verify whether the decryption device 2 has correctly performed the calculation for decryption.

[Modifications, etc.]
The random number r may be a predetermined integer that the decryption device 2 cannot know.

  Data exchange between the units of the decryption result verification apparatus 1 may be performed directly or may be performed via a storage unit (not shown).

  In addition, the present invention is not limited to the above-described embodiment. For example, the various processes described above are not only executed in time series according to the description, but may also be executed in parallel or individually as required by the processing capability of the apparatus that executes the processes.

  Further, when the above-described configuration is realized by a computer, processing contents of functions that each device should have are described by a program. The processing functions are realized on the computer by executing the program on the computer.

  The program describing the processing contents can be recorded on a computer-readable recording medium. As the computer-readable recording medium, for example, any recording medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory may be used.

  Needless to say, other modifications are possible without departing from the spirit of the present invention.

DESCRIPTION OF SYMBOLS 1 Decoding result verification apparatus 11 Random number generation part 12 Transmission information generation part 13 Transmission part 14 Reception part 15 Verification information generation part 16 Determination part 17 Output part 2 Decoding apparatus

Claims (5)

A homomorphic encryption function in a public key cryptosystem where G is a commutative group, E is a plaintext element of G, B is a set S⊆G as a range, and x∈G that is not 0 (S + x) ∩ A function that is difficult to calculate a non-zero element under S, m is a message, C = E (B (m)) is a ciphertext, I is an element x of G and x = B (m ′) As a function that outputs true when m 'exists,
A random number generator for generating a random number rεG;
A transmission information generator for calculating transmission information C ₀ = E (r);
The C + C _0, a transmission unit that transmits to decode the C + C ₀ received is capable decodes the encryption function E decoding apparatus for outputting the decoded result d,
A receiving unit for receiving the decoding result d from the decoding device;
A verification information generator for calculating verification information d ′ = d−r;
A determination unit for determining whether I (d ′) = true;
A decryption result verification device. In the decryption result verification apparatus according to claim 1,
A is a function that outputs a message with an element of G as an input, and satisfies a property of A (B (m)) = m for an arbitrary message m.
If I (d ′) = true, it further includes an output unit for outputting A (d ′).
Decryption result verification device. In the decryption result verification device according to claim 1 or 2,
Let h be a hash function and ||
B (m) = m || h (m),
Decryption result verification device. A homomorphic encryption function in a public key cryptosystem where G is a commutative group, E is a plaintext element of G, B is a set S⊆G as a range, and x∈G that is not 0 (S + x) ∩ A function that is difficult to calculate a non-zero element under S, m is a message, C = E (B (m)) is a ciphertext, I is an element x of G and x = B (m ′) As a function that outputs true when m 'exists,
A random number generation unit for generating a random number rεG,
A transmission information generation step in which a transmission information generation unit calculates transmission information C ₀ = E (r);
A transmission step in which the transmission unit transmits C + C ₀ to a decryption device that can decrypt the encryption function E and decrypts the received C + C ₀ and outputs the decryption result d;
A receiving step for receiving the decoding result d from the decoding device;
A verification information generation step in which the verification information generation unit calculates verification information d ′ = d−r;
A determination step for determining whether or not I (d ′) = true;
A decryption result verification method including:   The program for functioning a computer as each part of the decoding result verification apparatus in any one of Claim 1 to 3.

Images