JP2013009245A - Secret information distribution system, secret information distribution method, secret information creation program, and secret information restoration program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To detect any unauthorized action including a more malicious one that alters distribution information after referring to other distribution information at a point in time at which no alteration is made.SOLUTION: A distribution information creation apparatus creates n pieces of authentification data a from outputs which can be obtained by inputting n pieces of distribution information data v created by subjecting secret information to distribution encoding with a (k, n) threshold secret sharing scheme, and n pieces of checking data e for verifying the secret information into a checking function h. The distribution information creation apparatus outputs the n pieces of distribution information data v, the n pieces of checking data e, and the n pieces of authentification data a to storage devices, respectively. The n storage devices store the outputs of the distribution information creation apparatus. A restoration device reads the data v, e, and a from each of k or more storage devices in the n storage devices, and determines correctness of distribution information on the basis of the readout information.

Description

  The present invention relates to storage of secret information, and more particularly, to secret information distribution that distributes and securely stores secret information.

  When storing confidential information, there are threats of loss or destruction and threats of theft. Here, the secret information is information that should be kept secret, and may be any information specifically. The secret information refers to, for example, a secret key used for encryption.

  Creating a copy of confidential information is an effective measure against the former threat of loss or destruction. However, making a copy increases the threat of the latter theft. There is a secret sharing method as one of information security techniques for solving such a problem.

  In the secret sharing method, the original secret information is distributed to a plurality of shared information, and if the predetermined shared information is collected, the secret information can be uniquely restored. It has the feature of not leaking any information about.

  In this specification, the number of pieces of shared information is n (n is a natural number of 2 or more), and each piece of shared information is identified by 1 to n.

  In the secret sharing method, a set of shared information from which secret information can be restored can be defined by a set of shared information Γ called an access structure. The access structure Γ is a set family having as a component a set of identifiers of the minimum shared information that can restore secret information. Further, in the secret sharing scheme having the access structure Γ, the fact that the shared information set w can recover the secret means that V∈Γ and V⊆W with respect to the shared information identifier set W corresponding to w. It means that such V exists. Further, a set W of shared information identifiers satisfying the above properties is defined as an access set of Γ.

  For example, the (k, n) threshold method is called, (1) Of the n pieces of shared information, less than k pieces of shared information do not provide any information about the secret. (2) From k or more pieces of shared information The access structure Γ in the secret sharing scheme with the characteristic that the secret is uniquely restored is Γ = [V | V⊆ [1,. . . , N] and the number of elements of V is defined by the set family k]. Hereinafter, in the secret sharing method, a problem when restoring secret information will be considered.

  When a certain restorer restores secret information, this restorer needs to collect the shared information from others holding the shared information. At this time, the requested value of the distributed information is not necessarily transferred to the restoring person without falsification. The “tampering” referred to here includes not only an intentional change but also an unintended change such as a device failure or a simple mistake.

  When the secret information is restored using the altered shared information, the value may be different from the secret information. For this reason, the secret sharing method is desired to have a high probability of detecting the falsified shared information when the falsified shared information is used for restoration. The following methods of Non-Patent Documents 2 to 4 are known as examples of one technique for solving these problems.

  Non-Patent Document 2 describes a (k, n) threshold method that can specify the disperse information that is falsified with high probability when less than k / 2 pieces of disperse information is falsified.

  Non-Patent Document 3 describes a (k, n) threshold method that can specify the disperse information that has been falsified with a high probability when less than k / 3 of the disperse information has been falsified. The method described in Non-Patent Document 3 is characterized in that the size of the distributed information is smaller than that in Non-Patent Document 2.

  Non-Patent Document 4 describes a (k, n) threshold method that can specify the disperse information that has been falsified with high probability when less than k / 3 of the disperse information has been falsified. The method described in Non-Patent Document 4 is characterized in that the size of the distributed information is smaller than that of Non-Patent Document 3.

Adi Shamir, "How to share a secret", Comm. ACM, 22 (11), 612-613 (1979) T. Rabin and M. Ben-Or, "Verifiable Secret Sharing and Multiparty Protocols with Honest Majority," Proc. STOC'89, pp. 73--85. K. Kurosawa, S. Obana and W. Ogata, "t-Cheater Identifiable (k, n) Threshold Secret Sharing Schemes," Proc. Crypto'95, Lecture Notes in Computer Science, vol. 963, Springer Verlag, pp. 410 --423, 1995. Ohana, a suboptimal secret sharing scheme that can identify up to t fraudsters, 2007 Cryptography and Information Security Symposium

  By using the technology as described above, safety is guaranteed against fraud in which the distributed information is not altered without referring to the shared information that has not been altered. The

  However, there has never been proposed a more powerful secret sharing method that is more secure against fraud in which shared information is altered after referring to partial information that has not been tampered with that is input for secret restoration.

  The present invention has been made in view of such a situation, and the present invention is also effective against a powerful fraud in which shared information is falsified after referring to other shared information at a time when it has not been falsified. An object is to provide a secret information distribution system, a secret information distribution method, a secret information generation program, and a secret information restoration program that can be detected.

  According to a first aspect of the present invention, a secret information distribution system that includes a distributed information generation device, n (n is a natural number greater than or equal to 2) storage devices, and a restoration device, and distributes and stores secret information The shared information generation apparatus verifies the n pieces of distributed information data v generated by performing the distributed encoding of the secret information using the (k, n) threshold secret sharing method and n pieces of the secret information. N authentication data a is generated from the output obtained by inputting the check data e to the check function h, and the n distributed information data v, the n check data e, and the n authentication data are generated. Output data a is output to the storage device, the n storage devices store the output of the shared information generation device, and the restoration device includes k or more of the storage devices of the n storage devices. The distributed information data v from each of the devices, The check data e and the authentication data a are read, the validity of the shared information is determined based on the read information, and if there is shared information that has been altered as a result of the determination, the altered shared secret information And a secret information restored from the read distributed information data v when the shared information altered as a result of the determination does not exist. Provided.

  According to the second aspect of the present invention, secret information is distributed and stored by a system including a distributed information generation device, n (n is a natural number of 2 or more) storage devices, and a restoration device. A secret information distribution method, wherein the distributed information generation apparatus verifies the n pieces of distributed information data v generated by distributedly encoding the secret information by a (k, n) threshold secret sharing method and the secret information The n pieces of authentication data a are generated from the output obtained by inputting the n pieces of check data e to the check function h, and the n pieces of distributed information data v, the n pieces of check data e, and n authentication data a are respectively output to the storage device, the n storage devices store the output of the shared information generation device, and the restoration device is k pieces of the n storage devices. The distributed information is received from each of the storage devices. The data v, the check data e, and the authentication data a are read out, the validity of the shared information is determined based on the read information, and if there is shared information that has been falsified as a result of the determination, the data has been falsified. An identifier list of shared secret information is output, and if there is no shared information that has been falsified as a result of the determination, secret information restored from the read distributed information data v is output. A distribution method is provided.

  According to a third aspect of the present invention, a secret information distribution system that includes a distributed information generation device, n (n is a natural number of 2 or more) storage devices, and a restoration device, and stores secret information in a distributed manner. A shared information generating program incorporated in the shared information generating apparatus in the above, wherein n pieces of shared information data v generated by distributedly encoding the secret information by a (k, n) threshold secret sharing method and the secret information The n pieces of authentication data a are generated from the output obtained by inputting the n pieces of check data e for performing the verification to the check function h, and the n pieces of distributed information data v and the n pieces of check data are generated. There is provided a distributed information generation program that causes a computer to function as shared information generation for outputting e and n authentication data a to the storage device.

  According to a fourth aspect of the present invention, in the secret information distribution system, comprising: a distributed information generation device; and n (n is a natural number equal to or greater than 2) storage devices, wherein the secret information is distributed and stored. A restoration program incorporated in the restoration device, wherein the distributed information data v, the check data e, and the authentication data a are read from each of the k or more storage devices of the n storage devices, and read The validity of the distributed information is determined based on the information, and if there is shared information that has been altered as a result of the determination, an identifier list of the distributed secret information that has been altered is output, and the distribution that has been altered as a result of the determination When the information does not exist, the secret information restored from the read distributed information data v is output, and the computer is caused to function as a restoration device. Restoration program is provided that.

  According to the present invention, the check data e stored in a valid storage device is selected independently and uniformly at random, and the function h used for the non-tampering check is a value other than the known value. Since the function value of can not be inferred with a probability higher than ε, it is a powerful fraud that alters the shared information after referring to other shared information at the time when it has not been tampered with However, fraud can be detected.

It is a block diagram showing the basic composition of the whole secret information distribution system concerning an embodiment of the present invention. It is a block diagram showing the basic composition of the distributed information generation device and storage concerning an embodiment of the present invention. It is a block diagram showing the basic configuration of a restoration device and a storage device according to an embodiment of the present invention. It is a block diagram showing a basic configuration of a processing device that executes processing performed by a distributed information generation device and a restoration device according to an embodiment of the present invention. It is a flowchart showing the operation | movement process of the shared information generation apparatus which concerns on the 1st Embodiment of this invention. It is a flowchart showing the operation | movement process of the decompression | restoration apparatus which concerns on the 1st Embodiment of this invention. It is a flowchart showing the operation | movement process of the shared information generation apparatus which concerns on the 2nd Embodiment of this invention. It is a flowchart showing the operation | movement process of the decompression | restoration apparatus which concerns on the 2nd Embodiment of this invention.

  Next, embodiments of the present invention will be described in detail with reference to the drawings. The embodiments described below are given various technically preferable limitations as preferred embodiments of the present invention. However, the scope of the present invention is not limited to these embodiments unless otherwise specified in the following description. That is, although the embodiments described below are preferred embodiments of the present invention, the scope of the present invention is not limited to these embodiments, and various modifications can be made without departing from the gist of the present invention. Implementation in the applied form is possible.

  In describing this embodiment, first, terms used in this specification will be briefly described.

  (K, n) threshold method: A secret sharing method having the property that the secret information is distributed and encoded into n pieces of shared information, and the original secret information can be restored by using any k pieces of shared information. Point to. Non-Patent Document 1 describes the (k, n) threshold method.

  Secret information s: indicates secret information to be stored.

  Secret information data set S: A set of secret information s to be stored.

  Authentication data a: refers to authentication data used for authentication.

  Authentication data set A: a set of authentication data a, indicating the range of the check function h. When a which is an element of A is described as “a [i]”, it represents that the a is the i-th authentication data.

  Distributed information data v: One of data (distributed information) obtained by distributing and encoding the secret information sεS.

  Distributed information data V: A set of data (shared information) obtained by distributedly encoding the secret information sεS. When v that is an element of V is described as “v [i]”, v represents the i-th shared information.

  Check data e: indicates data used for non-tampering check of distributed information.

  Check data set E: A data set used for non-tampering check of distributed information. When e which is an element of E is described as “e [i]”, the e represents the i-th check data.

  Operator: In this specification, the symbol “+” is used as the operator for sum, the symbol “−” for difference, the symbol “*” for product, and the symbol “^” for power.

[Embodiment 1]
FIG. 1 is a diagram showing a basic configuration of the entire secret information distribution system according to the embodiment of the present invention. Referring to FIG. 1, the secret information sharing system includes a shared information generation device 100, a restoration device 200, and a plurality of storage devices 300-1 to 300-n.

  The shared information generation device 100 is a device that receives the secret information s1 and generates the shared information based on the received secret information s1. The plurality of storage devices 300-1 to 300-n are devices that store the shared information generated by the shared information generating device 100. Furthermore, the restoration device 200 is a device that performs restoration based on the distributed information stored in the storage devices 300-1 to 300-n. For convenience of illustration, three storage devices 300-1, 300-2, and 300-n are shown. However, this is merely an example, and an arbitrary number of storage devices 300 may exist.

  When the secret information sharing system according to the embodiment of the present invention stores secret information, the shared information generation device 100 randomly generates check data used for the non-tampering check of the shared information, and (k, n) The storage device 300 stores the shared information generated by the threshold method, the check data, and the authentication data generated using the shared information and the check data.

  When restoring the secret information, the secret information, the check data, and the authentication data that are distributed and encoded are read from the k or more storage devices 300 in the order specified by the restoration device 200.

  Then, it is determined whether the shared information and the check data stored in each storage device correctly correspond to the authentication data, and if it is verified that all the storage devices 300 correspond correctly, If the restored secret information is determined to be correct and the secret is output, and if it is not supported, an identifier list of the unsupported shared information that determines that the shared information has been tampered is output.

  Next, the configuration of the shared information generating apparatus 100 will be described in detail with reference to FIG.

  FIG. 2 is a block diagram illustrating the configuration of the shared information generation apparatus 100. As illustrated in FIG. 2, the shared information generation apparatus 100 includes a secret information distribution unit 101, a check data generation unit 102, and an authentication data generation unit 103.

  The secret information distribution unit 101 receives the secret information s1, and n pieces of data v [1], v [2],. . . , V [n] (v [i] εV) are output to the storage device 300 and the authentication data generation unit 103.

  The check data generation unit 102 generates check data e [i] εE (i = 1,..., N). The check data generation unit 102 outputs the generated check data e [i] εE (i = 1,..., N) to the storage device 300 and the authentication data generation unit 103.

  The authentication data generation unit 103 outputs the output v [i],. . . , V [n] and the output e [1],. . . , E [n] as input and authentication information a [i] = (a [i, 1], a [i, 2], ..., a [i, i-1], a [i, i + 1 ], ..., a [i, n]) (i = 1, ..., n, a [i, j] = h (e [i], v [j])).

  In this embodiment, the check function h (h: E × V → A) is an arbitrary element v [1], v [2],. . . , V [k−2], v, v ′ and any element a [1], a [2],. . . , A [k−2], a ′, | {e [j] | h (e [j], v) = a, h (e [j], v ′) = a ′, h (e [J], v [l]) = a [l] (l = 1, 2,..., K−2)} | / | {e [j] | h (e [j], v) = a , H (e [j], v [l]) = a [l]} | ≦ ε is satisfied for any i, j, l.

  In summary, the shared information generating apparatus 100 receives the secret information s1 that is the source of the secret information data set S (that is, the element of the set S) as input, and the distributed secret information in the storage devices 300-1 to 300-n. V elements v [1] to v [n] that are outputs of the secret information distribution unit 101 are generated in the storage units 301-1 to 301-n, and check data is generated in the check data storage units 302-1 to 302-n. The elements e [1] to e [n] of E that are the outputs of the unit 102 are stored in the check data storage units 303-1 to 303-n as authentication data a [1] to a [ n] respectively.

  Next, the configuration of the storage devices 300-1 to 300-n will be described in detail with reference to FIG.

  The storage devices 300-1 to 300-n include distributed secret information storage units 301-1 to 301-n, check data storage units 302-1 to 302-n, authentication data storage units 303-1 to 303-n, and access. Control units 304-1 to 304-n are included.

  The distributed secret information storage units 301-1 to 301-n are storage units in which the distributed data v that is the source of the distributed information data set V is stored.

  The check data storage units 302-1 to 302-n are storage units in which check data e that is the basis of the check data set E is stored.

  The authentication data storage units 303-1 to 303-n are storage units that store authentication data a that is a source of the authentication data set A.

  The access control units 304-1 to 304-n control data that can be read from the restoration device 200 based on a signal from the read control unit 203 in the restoration device 200.

  Next, the configuration of the restoration device 200 will be described with reference to FIG. FIG. 3 is a block diagram showing the configuration of the restoration device 200.

  As illustrated in FIG. 3, the restoration device 200 includes a secret information restoration unit 201, an unauthorized information identification unit 202, and a read control unit 203.

  The secret information restoration unit 201 reads data stored in the distributed secret information storage unit 301 included in the plurality of storage devices 300 from the unauthorized information identification unit 202, and outputs the restored secret information data sεS.

  The unauthorized information identification unit 202 includes the shared information v [i−1],... Stored in the shared secret information storage unit 301 included in the k or more storage devices 300. . . , V [i−m] and check data e [i−1],. . . , E [im], and authentication data a [i-1],. . . , E [im] (where each a [i] = (a [i, 1], a [i, 2], ..., a [i, i-1], a [i, i + 1] , ..., a [i, n])). And all i = i−1,. . . , I−m and all j = i−1,. . . , I−m, it is determined whether or not h (e [i], v [j]) = a [i, j] holds for k / 2 or more j. As a result of this determination, if the number of i for which the above equation holds for all j is 2 / k or more, it is determined that the shared information is not falsified, and v [i−1],. . . , V [i−m] are input to the secret information restoring unit 201, and the restored secret information sεS is output.

  On the other hand, when there exists j where the number of i for which the above expression is satisfied is less than 2 / k, the number of i for which h (e [i], v [j]) = a [i, j] is satisfied is k / The list of j that was less than 2 is output as an identifier of the shared information that has been tampered with.

  The read control unit 203 outputs a control signal that transmits data to be read to the access control units 304-1 to 304-n in the storage devices 300-1 to 300-n. The access control units 304-1 to 304-n give the data read permission to the restoration device 200 based on the control signal.

  The shared information generation apparatus 100 and the restoration apparatus 200 illustrated in FIGS. 1, 2, and 3 described above can be realized by an arbitrary method.

  For example, if the distributed information generation device 100 and the restoration device 200 are realized as hardware, it can be realized by a semiconductor integrated circuit such as an LSI (Large Scale Integration) or a DSP (Digital Signal Processor) constituted by a logic circuit or the like.

  Further, the distributed information generation apparatus 100 and the restoration apparatus 200 can be realized as a combination of hardware and software. For example, as shown in FIG. 4, a processing device 10 that executes predetermined processing according to a program, an input unit 20 for inputting commands and information to the processing device 10, and processing results of the processing device 10 The distributed information generation apparatus 100 and the restoration apparatus 200 may be realized by a computer including the output unit 30 for monitoring. This point will be described in detail below.

  Referring to FIG. 4, the processing device 10 includes a CPU 11, a main storage unit 12, a recording medium 13, a data storage unit 14, a memory control interface unit 15, and an I / O interface unit 16. These components are connected to each other via a bus 18.

  The CPU 11 is an arithmetic processing device that performs an operation based on a program. The main storage unit 12 is a main storage unit that temporarily stores information necessary for the arithmetic processing of the CPU 11.

  The recording medium 13 is a recording medium on which a program for causing the CPU 11 to execute processing as the distributed information generation device 100 or the restoration device 200 is recorded. The processing device 10 realizes a function as the distributed information generation device 100 or the restoration device 200 according to the program recorded in the recording medium 13.

  The data storage unit 14 is an auxiliary storage device that stores secret information and access structure data.

  The recording medium 13 and the data storage unit 14 can be realized by any device. The recording medium 13 and the data storage unit 14 are realized by, for example, a hard disk drive (HDD) or a solid state drive (Flash SSD). In addition, this storage device does not need to be in the processing device 10, and an external storage device (not shown) may be used. In this case, the storage device may be realized as another computer and connected using a bus, a cable compliant with the USB standard, or means such as the Internet. Furthermore, although it may be realized by a single storage device, it may be realized by a combination of a plurality of storage devices. In addition, the recording medium 13 may be a magnetic disk, a semiconductor memory, an optical disk, or other recording medium. For example, a flexible disk, CD-ROM (Compact Disc Read-Only Memory), DVD (Digital Versatile Disc), MO (Magneto Optical Disk (Disc)) BD (Blu-ray Disc), or the like may be used. In addition, the data storage unit 14 may be used as the storage device 300 including the distributed secret information storage unit 301, the check data storage unit 302, and the authentication data storage unit 303. That is, the scattered information generation device 100, the restoration device 200, and the storage device 300 may be realized by a plurality of computers or a single computer.

  The memory control interface unit 15 controls data transfer between the main storage unit 12, the recording medium 13, the data storage unit 14, the CPU 11, and the like.

  Next, the operation of the secret information sharing system of this embodiment will be described with reference to FIGS. FIG. 5 is a flowchart showing the operation of the shared information generating apparatus 100, and FIG. 6 is a flowchart showing the operation of the restoration apparatus 200.

  First, the secret information s1 that is the source of the secret information data set S is input to the secret information sharing unit 101 of the shared information generating unit 100 (step A401).

  When the secret information s1 is input to the secret information distribution unit 101, the shared information generation apparatus 100 performs distributed encoding on the secret information s1 by the (k, n) threshold method by the secret information distribution unit 101, and generates v [i ] (I = 1,..., N) are stored in the distributed secret information storage unit 301-i and the authentication data generation unit 103 of the storage device 300-i (step A402).

  Further, the shared information generation apparatus 100 generates check data e [i] (i = 1,..., N) by the check data generation unit 102 and stores the generated e [i] in the storage device 300. -I is stored in the check data storage unit 302-i and the authentication data generation unit 103 (step A403).

  In the shared information generating apparatus 100, the authentication data generating unit 103 uses the shared information v [i] (i = 1,..., N) and the check data e [j] (j = 1,..., N). , J ≠ i), a [i, j] = h (e [i], v [j]) is calculated, and authentication data a [i] = (a [i, 1],. , A [i, i−1], a [i, i + 1],..., A [i, n]) (i = 1,..., N) are stored in the authentication data storage device 300-i. Stored in the section 303-i (step A404).

  As illustrated in FIG. 5, the restoration device 200 sends a control signal indicating that data in the distributed secret information storage unit 301 and the authentication data storage unit 303 is read to the access control unit 304 of the storage device 300, and stores k or more memories. Distributed data v [i] (i = i-1, i-2, ..., im) read from the distributed secret information storage unit 301 and the authentication data storage unit 303 of the apparatus 300, authentication information a [i] (I = i−1, i−2,..., Im) are input to the unauthorized information identification unit 202 (step T501).

  After completion of data reading in step T501, the restoration device 200 indicates that the data in the check data storage unit 302 is read out to the access control unit 304 of the same storage device 300 as the storage device 300 read out in step T501. And the check data e [i] (i = i−1, i−2,..., I−m) read from the check data storage unit 302 of the storage device 300 to the unauthorized information specifying unit 202. Input (step T502). In other words, the distributed data v [i], authentication information a [i], and check data e [i] are read from k or more storage devices 300 that are the same in steps T501 and T502.

  After reading the data in steps T501 and T502, the restoration device 200 reads v [i], e [i], a [i] = (a [i, 1],..., Read in steps T501 and T502. a [i, i-1], a [i, i + 1], ..., a [i, n]) (i = i-1, i-2, ..., im) and j ≠ i. Whether j (j = i−1, i−2,..., I−m) holds, h (e [i], v [j]) = a [i, j] The unauthorized information specifying unit 202 checks (step T503).

  If the number of i for which h (e [i], v [j]) = a [i, j] is established for all j is 2 / k or more by the check in step T503, the secret information Outputs the restored secret information s1 obtained by inputting all the v [i] read into the restoration unit 201 to the secret information restoration unit 201, and ends (Yes in step T504, step T505).

  On the other hand, when j exists where the number of i for which h (e [i], v [j]) = a [i, j] is less than 2 / k, h (e [i], v [j ]) The list of j for which the number of i for which a [i, j] is satisfied is less than 2 / k is output as an identifier of the falsified shared information, and the process ends (No in step T504, step T506).

  According to the above embodiment, it is impossible for the unauthorized storage device 300 to tamper with the data in the distributed information storage unit 301 so that tampering cannot be detected after the check data of the valid storage device 300 is read. Thus, there is an effect that it becomes impossible to calculate data that succeeds after referring to the information sent from the valid storage device 300.

[Embodiment 2]
Next, a second embodiment of the present invention will be described in detail with reference to the drawings.

  Since the basic configuration of the secret information sharing system according to the second embodiment is the same as that of the first embodiment shown in FIGS. 1, 2, and 3, description thereof is omitted.

  On the other hand, in the second embodiment, the check data generation unit 102 generates check data eεE. The difference from Embodiment 1 is that e is distributedly encoded by the (t, n) threshold method. Accordingly, the operation of the restoration apparatus 200 is also different. Therefore, this point will be mainly described. The points not particularly mentioned are the same as those in the first embodiment.

  First, the distributed information generating apparatus 100 will be described.

  The secret information distribution unit 101 receives the secret information s1, and n pieces of data v [1], v [2],. . . , V [n] (v [i] εV) are output to the storage device 300 and the authentication data generation unit 103.

  In this embodiment, the check data generation unit 102 generates check data e [i] εE (i = 1,..., N). Further, the check data generation unit 102 outputs the generated check data e [i] εE (i = 1,..., N) to the storage device 300.

  The authentication data generation unit 103 outputs the output v [i],. . . , V [n], check data e, and authentication information a [i] = h (e, v [j]).

  In this embodiment, the check function h (h: E × V → A) is an arbitrary element v [1], v [2],. . . , V [t−1], v, v ′ and any element a [1], a [2],. . . , A [t−1], a ′, | {e | h (e, v) = a, h (e, v ′) = a ′, h (e, v [l]) = a [ l] (l = t−1)} | / | {e | h (e, v) = a, h (e, v [l]) = a [l]} | ≦ ε is set to any i, j, Satisfy about l.

  In summary, the shared information generating apparatus 100 receives the secret information s1 that is the source of the secret information data set S (that is, the element of the set S) as input, and the distributed secret information in the storage devices 300-1 to 300-n. The storage units 301-1 to 301-n store the V elements v [1] to v [n] output from the secret information distribution unit, and the check data storage units 302-1 to 302-n check data generation units. 102 outputs e [1] to e [n] and authentication data a [1] to a [n], which are the sources of the authentication data set A, are stored in the check data storage units 303-1 to 303-n, respectively. .

  Further, the storage devices 300-1 to 300-n of the present embodiment store the shared information storage units 301-1 to 301-n in which the elements of the distributed information data set V are stored, and the elements of the check data set E. Check data storage units 302-1 to 302-n, authentication data storage units 303-1 to 303-n in which the source of the authentication data set A is stored, and signals from the read control unit in the restoration device 200 The access control units 304-1 to 304-n that control data that can be read from the restoration device 200 are included.

  Next, the configuration of the restoration device 200 of this embodiment will be described. FIG. 3 is a configuration block diagram of the restoration device 200. As illustrated in FIG. 3, the restoration device 200 includes a secret information restoration unit 201, an unauthorized information identification unit 202, and a read control unit 203.

  The secret information restoration unit 201 reads from the data illegal information identification unit 202 stored in the distributed secret information storage unit 301 included in the plurality of storage devices 300, and outputs the restored secret information data sεS.

  The unauthorized information identification unit 202 includes the shared information v [i−1],... Stored in the shared secret information storage unit 301 included in the k or more storage devices 300. . . , V [i−m] and check data e [i−1],. . . , E [im], and authentication data a [i-1],. . . , A [im] are read out. And e [i-1],. . . , E [i−m] and after restoring e, all i = i−1,. . . , I−m, it is determined whether h (e, v [i]) = a [i] is satisfied. As a result of the determination, when the above equation holds for all i, it is determined that the shared information is not falsified, and v [i−1],. . . , V [i−m] to the secret information restoring unit 201, the restored secret information sεS is output.

  On the other hand, when the above equation does not hold, a list of i for which h (e, v [i]) = a [i] is not established is output as an identifier of the distributed information in which falsification has occurred.

  At this time, since e is shared information of (t, n) threshold secret sharing, m e [i−1],. . . , E [i−m] is corrected to correct t errors, and correct e can be restored.

  The read control unit 203 outputs a control signal that transmits data to be read to the access control units 304-1 to 304-n in the storage devices 300-1 to 300-n. The access control units 304-1 to 304-n give the data read permission to the restoration device 200 based on the control signal.

  In the present embodiment, similar to the first embodiment, the distributed information generation device 100 and the restoration device 200 can be realized by a semiconductor integrated circuit. In addition, as in the first embodiment, the present embodiment can realize the shared information generation apparatus 100 and the restoration apparatus 200 with a processing apparatus 10 as illustrated in FIG. A specific realization method is the same as that described above in the description of the first embodiment.

  Next, the operation of the secret information distribution system of this exemplary embodiment will be described with reference to FIGS. FIG. 7 is a flowchart showing the operation of the shared information generating apparatus 100, and FIG. 8 is a flowchart showing the operation of the restoration apparatus 200.

  First, the secret information s1 that is the source of the secret information data set S is input to the secret information sharing unit 101 of the shared information generating unit 100 (step U601).

  When the secret information s1 is input to the secret information distribution unit 101, the shared information generation apparatus 100 performs distributed encoding on the secret information s1 by the (k, n) threshold method by the secret information distribution unit 101, and generates v [i ] (I = 1,..., N) are stored in the distributed secret information storage unit 301-i and the authentication data generation unit 103 of the storage device 300-i (step U602).

  Further, the shared information generation apparatus 100 generates check data e by the check data generation unit 102, and e [i] (i = 1,...) Obtained by distributedly encoding e by the (t, n) threshold method. , N) and the generated e [i] is stored in the check data storage unit 302-i of the storage device 300-i (step U603).

  The shared information generation apparatus 100 uses the authentication data generation unit 103 to perform the shared information v [i] (i = 1,..., N) and the check data e generated by the check data generation unit 102. a [i] = h (e, v [i]) is calculated, and the authentication data a [i] (i = 1,..., n) is converted into the authentication data storage unit 303-i of the storage device 300-i. (Step U604).

  As illustrated in FIG. 7, the restoration device 200 sends a control signal indicating that data in the distributed secret information storage unit 301 and the authentication data storage unit 303 is read to the access control unit 304 of the storage device 300, and stores k or more memories. Distributed data v [i] and authentication information a [i] read from the distributed secret information storage unit 301 and the authentication data storage unit 303 of the apparatus 300 (i = i-1, i-2,..., Im) Is input to the unauthorized information identification unit 202 (step W701).

  After completion of data reading in step W701, the restoration device 200 indicates that the data in the check data storage unit 302 is read out to the access control unit 304 of the same storage device 300 as the storage device 300 read out in step W701. And the check data e [i] (i = i−1, i−2,..., I−m) read from the check data storage unit 302 of the storage device 300 to the unauthorized information specifying unit 202. Input (step W702). That is, the distributed data v [i], the authentication information a [i], and the check data e [i] are read from k or more storage devices 300 that are the same in steps W701 and W702.

  After reading the data in steps W701 and W702, the restoration device 200 restores e from v [i], e [i], and a [i] read in steps W701 and W702, and i = i−1. , I-2,. . . , I−m), the unauthorized information specifying unit 202 checks whether h (e, v [i]) = a [i] is satisfied (step W703).

  If h (e, v [i]) = a [i] is satisfied by the check in step W703, all the v [i] read into the secret information restoration unit 201 are input to the secret information restoration unit 201. The obtained restored secret information s1 is output and the process ends (Yes in step W704, step W705).

  On the other hand, if there is i for which h (e, v [i]) = a [i] does not hold, the list of i for which h (e, v [i]) = a [i] does not hold has been altered. The information is output as an identifier, and the process ends (No in step W704, step W706).

  According to the above embodiment, it is impossible for the unauthorized storage device 300 to tamper with the data in the distributed information storage unit 301 so that tampering cannot be detected after the check data of the valid storage device 300 is read. Thus, there is an effect that it becomes impossible to calculate data that succeeds after referring to the information sent from the valid storage device 300.

  Next, an example of the present invention, which is an example that more specifically describes each of the above-described embodiments, will be described.

  Example 1 is an example corresponding to Embodiment 1 described above. In this embodiment, the secret information distribution system uses GF (p) (p: prime number 冪, GF: Galois field) for the data set of secret information s, and check data e [i] = (e [i, 1]. , ..., e [i, i-1], e [i, i + 1], e [i, n]) (where e [i, j] = (e [i, j] {0}, e [I, j] {1})), e [i, j] {b} are elements of GF (p)), and a [i] = (a [i, 1],. , A [i, i-1], a [i, i + 1], ..., a [i, n]).

  Next, the distributed information generation device 100 and the restoration device 200 according to the present embodiment will be described. Secret information sεGF (p) is input to the shared information generating apparatus 100 according to the present embodiment.

  When the secret information s is input, the shared information generating apparatus 100 randomly generates a k−1 order polynomial whose constant term on GF (p) is s by the secret information distributing unit 101. This k−1 order polynomial is denoted as f−s (x).

  The secret information distribution unit 101 includes different 1, 2,. . . , N, v [1] = fs− (1), v [2] = fs− (2),..., V [n] = fs−n (n), and the calculation result Are stored in the distributed secret information storage unit 301-1 of the storage device 300-1, the distributed secret information storage unit 301-2 of the storage device 300-2, ..., and the distributed secret information storage unit 301-n of the storage device 300-n, respectively. To do.

  The check data generation unit 102 is e [i, j] {b} (i = 1,..., N, j = 1,..., N, b = 0, which is an element of GF (p). 1, j ≠ i) is randomly generated, and e [i] (i = 1,..., N) is stored in the check data storage unit 302-i of the storage device 300-i.

  Next, the authentication data generation unit 103 calculates a [i, j] = e [i, j] {1} × v [j] + e [i, j] {0}, and a [i] = ( a [i, 1], ..., a [i, i-1], a [i, i + 1], ..., a [i, n]) (i = 1, ..., n). The data is stored in the authentication data storage unit 303-i of the storage device 300-i.

  On the other hand, the restoration device 200 according to the present embodiment first reads a control signal for reading the shared information and the authentication data from the read control unit 203, and stores the storage devices 300- [i-1], 300- [i-2],. . . , 300- [i-m] to each access control unit 304, and storage devices 300- [i-1], 300- [i-2],. . . , 300- [i-m] from each distributed secret information storage section 301 and each authentication data storage section 303, data v [i], a [i] (i = i-1,..., Im). Is read.

  Next, the restoration device 200 reads a control signal for reading random number distribution information from the read control unit 203 and stores the storage devices 300- [i-1], 300- [i-2],. . . , 300- [i-k] to each access control unit 304, and each check data of the storage devices 300- [i-1], 300- [i-2], ..., 300- [i-k]. Data e [i] is read from the storage unit 302.

  The unauthorized information identification unit 202 receives v [i], e [i], a [i] (i = i−1,..., I−m) and inputs all i = i−1,. . . , I−m and i are different from j = i−1,. . . , I−m, it is checked whether a [i, j] = e [i, j] {1} × v [j] + e [i, j] {0} holds, and the above is performed for all i. When the number of js that satisfy the expression is 2 / k or more, v [i−1],. . . , V [i−m] to calculate and output the secret information s by means such as Lagrangian interpolation. On the other hand, if not established, the list of j for which the above formula is established is less than 2 / k is output as an identifier of the altered shared information.

  In the secret information sharing system according to the present embodiment, it is possible to identify the shared information that has been tampered with less than k / 2 with a probability of 1-1 / p.

  Example 2 is an example corresponding to Embodiment 2 described above. In this embodiment, the secret information distribution system uses GF (p) (p: prime number 冪, GF: Galois field) for the data set of secret information s, and check data e = (e {0}, e {1}). , ..., e {t}), an element of GF (q) ^ (t + 1) (where q is a prime number greater than or equal to p × n) and an element a [i] of GF (q) is used as authentication data. .

  Next, the distributed information generation device 100 and the restoration device 200 according to the present embodiment will be described. Secret information sεGF (p) is input to the shared information generating apparatus 100 according to the present embodiment.

  When the secret information s is input, the shared information generating apparatus 100 randomly generates a k−1 order polynomial whose constant term on GF (p) is s by the secret information distributing unit 101. This k−1 order polynomial is denoted as f−s (x).

  The secret information distribution unit 101 includes different 1, 2,. . . , N, v [1] = fs− (1), v [2] = fs− (2),..., V [n] = fs−n (n), and the calculation result Are stored in the distributed secret information storage unit 301-1 of the storage device 300-1, the distributed secret information storage unit 301-2 of the storage device 300-2, ..., and the distributed secret information storage unit 301-n of the storage device 300-n, respectively. To do.

  The check data generation unit 102 randomly generates e that is an element of GF (q), randomly generates a t-order polynomial fe (x) such that fe (0) = e, and e [i ] = Fe (i) (i = 1,..., N) is stored in the check data storage unit 302-i of the storage device 300-i.

Next, the authentication data generation unit 103 determines that a [i] = e {0} + e {1} × ψ (v [i]) + e {2} × ψ (v [i]) ^ 2+. . . + E {t} × ψ (v [j] ^ t) is calculated and stored in the authentication data storage unit 303-i of the storage device 300-i. (Where ψ (v [i]) is a function defined by ψ (v [i]) = p * (i−1) + v [i])
On the other hand, the restoration device 200 according to the present embodiment first reads a control signal for reading the shared information and the authentication data from the read control unit 203 and stores the storage devices 300- [i-1], 300- [i-2],. . . , 300- [i-m] to each access control unit 304, and storage devices 300- [i-1], 300- [i-2],. . . , 300- [i-m] from each distributed secret information storage section 301 and each authentication data storage section 303, data v [i], a [i] (i = i-1,..., Im). Is read.

  Next, the restoration device 200 reads a control signal for reading random number distribution information from the read control unit 203 and stores the storage devices 300- [i-1], 300- [i-2],. . . , 300- [i-k] to each access control unit 304, and each check data of the storage devices 300- [i-1], 300- [i-2], ..., 300- [i-k]. Data e [i] is read from the storage unit 302.

  The unauthorized information specifying unit 202 receives v [i], e [i], a [i] (i = i−1,..., I−m) as inputs, and e [i−1], e [i. -2],. . . , E [im] to restore correct e using an error correction code decoding method such as the Berlekamp-Massey algorithm or the Euclidean algorithm. Then, a [i] = e {0} + e {1} × ψ (v [i]) + e {2} × ψ (v [i]) ^ 2+. . . + E {t} × ψ (v [j] ^ t) is checked, and if the above equation holds for all i, v [i−1],. . . , V [i−m], the secret information s is calculated and output by means such as Lagrangian complementation, and if i is not established, the list of i is output as an identifier of the altered shared information.

  In the secret information sharing system according to the present embodiment, it is possible to identify the shared information that has been tampered with less than k / 2 with a probability of 1-1 / p.

  Although the present invention has been specifically described based on the preferred embodiments and preferred examples, the present invention is not limited to the above-described ones, and various modifications can be made without departing from the scope of the invention. Needless to say.

  The embodiment of the present invention described above has the following effects.

  According to the embodiment of the present invention, a storage device that performs partial information alteration must first pass the distributed information and authentication data that are first altered in accordance with the protocol to the restoration device. At this time, the storage device that falsifies the partial information cannot refer to the value of the check data stored in the legitimate storage device that has not been falsified. The check data e stored in a legitimate storage device is selected independently and uniformly at random, and the function h used for checking the non-falsification is a function value other than the known value from ε. It has the property that it cannot be inferred with high probability. Therefore, even if the storage device to be falsified refers to a plurality of shared information and authentication data stored in the storage device, and the falsification is not specified by the fraudulent information identification device, the fraudulent information identification device does not forge. There is an effect that it is guaranteed that the probability that cannot be specified is equal to or less than ε.

  A part or all of the above-described embodiment can be described as in the following supplementary notes, but is not limited thereto.

  In order to achieve the above object, a shared information generating apparatus according to the present invention includes a secret information distributing apparatus that receives secret information as input, and outputs shared information obtained by distributedly encoding the secret information by a (k, n) threshold method, and the secret information. Authentication data is generated from an output obtained by inputting a check data generation device for generating check data for verifying information, the distributed information and the check data, and inputting the data into a predetermined check function h An authentication data generation device.

  Further, the restoration device of the present invention reads the distributed secret information distributed and encoded from the k or more storage devices, and restores the secret information from the k or more storage devices. Read the check data and authentication data, check the validity of the distributed information, and if there is any altered shared information, output the identifier list of the altered distributed secret information In the case where there is no shared information, there is an unauthorized information specifying device that outputs the restored secret information, and a read control device that controls the order of information read from the storage device.

  The information stored in the distributed secret information storage device and the authentication data storage device is read out from all the storage devices participating in the secret restoration in accordance with the order specified by the read control device. Thereafter, the check data storage device is read from all the storage devices participating in the secret restoration. In addition, even when a plurality of function values h (e, v) are known for the function h, the function value h (e, v ') related to v' other than the known value for the same check data e has a low probability. Select from those having features that can only be estimated by ε.

(Supplementary Note 1) A secret information distribution system that includes a shared information generation device, n (n is a natural number of 2 or more) storage devices, and a restoration device, and stores secret information in a distributed manner.
The distributed information generation device includes:
The check function h includes n pieces of distributed information data v generated by distributedly encoding the secret information by the (k, n) threshold secret sharing method and n pieces of check data e for verifying the secret information. N pieces of authentication data a are generated from the obtained output, and the n pieces of distributed information data v, n pieces of check data e, and n pieces of authentication data a are output to the storage device. ,
The n storage devices store the output of the shared information generation device,
The restoration device
The shared information data v, the check data e, and the authentication data a are read from each of the k or more storage devices of the n storage devices, and the validity of the distributed information is verified based on the read information. If there is shared information that has been falsified as a result of the determination, the identifier list of the distributed secret information that has been falsified is output, and if there is no shared information that has been falsified as a result of the determination, the read Output secret information restored from the distributed information data v.
A secret information distribution system characterized by that.

(Supplementary note 2) The secret information distribution system according to supplementary note 1,
The distributed information generation device includes:
The secret information is distributed and encoded by the (k, n) threshold secret sharing method, and n pieces of distributed information v [1], v [2],. . . , V [n], secret information distribution means;
The n pieces of check data e [1], e [2],. . . , E [n] for generating check data;
The shared information v [1],. . . , V [n] and check data e [1],. . . , E [n] as inputs and an output a [i, j] = h (e [i], v [j]) (i ≠ j) obtained by inputting to a predetermined check function h to n Authentication data a [i] = (a [i, 1], a [i, 2], ..., a [i, i-1]), a [i, i + 1],. . . , A [i, n]) (i = 1,..., N),
The storage device
Distributed secret information storage means for storing the distributed information v [i] distributed and generated by the shared information generator;
Check data storage means for storing the check data e [i] generated by the check data generation device;
Authentication data storage means for storing the authentication data a [i] generated by the authentication data generation device,
The restoration device
secret information restoring means for reading the distributed information distributed from the k or more storage devices and restoring the secret information;
Distributed information v [i-1], v [i-2],. . . , V [im] and check data e [i-1], e [i-2],. . . , E [im] and authentication data a [i-1], a [i-2],. . . , A [i−m] and for every possible different i, j (i, j = i−1,..., Im), “h (e [i], v [J]) = a [i, j] ”is determined as to whether or not, and as a result of the determination, v is not satisfied for k / 2 or more e [i]. When [j] exists, the identifier set {i-j1, i-j2,... Of v [j] where the above expression does not hold for k / 2 or more e [i]. . . , I−jw} is output, and v [j] in which the above expression does not hold for k / 2 or more e [i] as a result of the determination does not exist. Includes unauthorized information specifying means for outputting the restored secret information s,
The check function h (h: E × V → A) is an arbitrary element v [1], v [2],. . . , V [t−1], v, v ′ (t ≧ k / 2) and any element a [1], a [2],. . . , A [k−2], a ′, | {e [j] | h (e [j], v) = a, h (e [j], v ′) = a ′, h (e [J], v [l]) = a [l] (l = 1, 2,..., T−1)} | / | {e [j] | h (e [j], v) = a , H (e [j], v [l]) = a [l]} (l = 1, 2,..., T−1) | ≦ ε for any i, j, l A featured secret information distribution system.

(Supplementary note 3) In the secret information distribution system according to supplementary note 1 or 2,
The check function h has n pieces of partial information v [1],. . . , V [n] and check data e [i] = (e [i, 1], e [i, 2], ..., e [i, i-1], e [i, i + 1], e [i, i + 2], ..., e [i, n]) (i = 1, ..., n, where each e [i, j] = (e [i, j] {0}, e [i, j] {1})) (i = 1,..., n), h (e [i], v [j]) = e [i, j] {1} × v A secret information distribution system defined by [j] + e [i, j] {0}.

(Appendix 4) In the secret information distribution system described in Appendix 1,
The shared information generating apparatus outputs n check data e obtained by distributedly encoding the check data e by a (t, n) threshold secret sharing method to the storage device.
The restoration apparatus further comprises a check data e distributed and encoded by the (t, n) threshold secret sharing method to determine the validity of the shared information.

(Appendix 5) In the secret information distribution system described in Appendix 4,
The distributed information generation device includes:
The secret information is distributed and encoded by the (k, n) threshold secret sharing method, and n pieces of distributed information v [1], v [2],. . . , V [n], secret information distribution means;
Check data e [1], e [2],..., Which are distributedly encoded by the (t, n) threshold secret sharing method on the check data e for verifying the secret information. . . , E [n] for generating check data;
The shared information v [1],. . . , V [n] and check data e are input, and output a [i] = h (e, v [i]) (i = 1,...) Obtained by inputting the data into a predetermined check function h. Authentication data generation means for outputting authentication data as authentication data,
The storage device
Distributed secret information storage means for storing the distributed information v [i] distributed and generated by the shared information generator;
Check data storage means for storing the check data e [i] generated by the check data generation device;
Authentication data storage means for storing the authentication data a [i] generated by the authentication data generation device,
The restoration device
secret information restoring means for reading the distributed information distributed from the k or more storage devices and restoring the secret information;
Distributed information v [i-1], v [i-2],. . . , V [i-m], and distributedly encoded check data e [i-1], e [i-2],. . . , E [im] and authentication data a [i-1], a [i-2],. . . , A [i-m], and e [i-1],. . . , E [i−m], the check data e is restored, and for all i (i = i−1,..., I−m), “h (e, v [i]) = a It is checked whether the expression [i] (i = 1, 2,..., M) ”is satisfied, and the identifier set {i−j1, i− of v [i] where the expression is not satisfied j2,. . . , I-jw}, and when such v [i] does not exist, it includes an unauthorized information specifying means for outputting the restored secret information s,
The check function h (h: E × V → A) is an arbitrary element v [1], v [2],. . . , V [t−1], v, v ′ and any element a [1], a [2],. . . , A [t−1], a ′, | {e | h (e, v) = a, h (e, v ′) = a ′, h (e, v [i]) = a [ i] (i = 1, 2,..., t−1)} | / | {e | h (e, v) = a, h (e, v [i]) = a [i] (i = 1, 2,..., T−1} | ≦ ε is satisfied for an arbitrary i.

(Supplementary note 6) In the secret information distribution system according to supplementary note 4 or 5,
The check function h has n pieces of partial information v [1],. . . , V [n], check data e = (e {0}, e {1},..., E {t}), an arbitrary prime number satisfying p ≧ n, and a function ψ (v [i ]) = P × (i−1) + v [i], h (e [i], v [j]) = e {0} + e {1} × ψ (v [i]) + e {3 } × ψ (v [i]) ^ 2+. . . + E {t} × ψ (v [i]) ^ t defined by the secret information distribution system.

(Supplementary note 7) In the secret information distribution system according to any one of supplementary notes 1 to 6,
The storage device
Further comprising access control means for controlling the timing of transmitting the information stored in each storage device to the restoration device;
The restoration device
Readout control means for controlling the order of information read from the storage device,
The restoration device starts with the information stored in the distributed secret information storage device and the authentication data storage device from all of the k or more storage devices participating in the restoration of the secret according to the order specified by the read control device. And then reading the check data storage device from all of the k or more storage devices participating in the restoration of the secret.

(Supplementary Note 8) A secret information distribution method for distributing and storing secret information performed by a system including a distributed information generation device, n (n is a natural number of 2 or more) storage devices, and a restoration device. ,
The shared information generating device is
The check function h includes n pieces of distributed information data v generated by distributedly encoding the secret information by the (k, n) threshold secret sharing method and n pieces of check data e for verifying the secret information. N pieces of authentication data a are generated from the obtained output, and the n pieces of distributed information data v, n pieces of check data e, and n pieces of authentication data a are output to the storage device. ,
The n storage devices store the output of the shared information generating device;
The restoration device is
The shared information data v, the check data e, and the authentication data a are read from each of the k or more storage devices of the n storage devices, and the validity of the distributed information is verified based on the read information. If there is shared information that has been falsified as a result of the determination, the identifier list of the distributed secret information that has been falsified is output, and if there is no shared information that has been falsified as a result of the determination, the read Output secret information restored from the distributed information data v.
A secret information distribution method characterized by the above.

(Supplementary note 9) In the shared information generating apparatus in the secret information distributing system that includes a shared information generating apparatus, n (n is a natural number of 2 or more) storage devices, and a restoring device, and that stores the secret information in a distributed manner A distributed information generation program to be incorporated,
The check function h includes n pieces of distributed information data v generated by distributedly encoding the secret information by the (k, n) threshold secret sharing method and n pieces of check data e for verifying the secret information. N pieces of authentication data a are generated from the obtained output, and the n pieces of distributed information data v, n pieces of check data e, and n pieces of authentication data a are output to the storage device. A distributed information generation program for causing a computer to function as distributed information generation.

(Supplementary Note 10) A restoration program incorporated in the restoration device in a secret information distribution system that includes a shared information generation device and n (n is a natural number equal to or greater than 2) storage devices, and stores secret information in a distributed manner Because
Read the distributed information data v, the check data e, and the authentication data a from each of the k or more storage devices of the n storage devices, and determine the validity of the distributed information based on the read information. If there is shared information that has been falsified as a result of the determination, the identifier list of the distributed secret information that has been falsified is output. If there is no shared information that has been falsified as a result of the determination, the read list is output. Outputting secret information restored from the distributed information data v.
A restoration program characterized by causing a computer to function as a restoration device.

  A part or all of the above embodiment can be described as follows, but is not limited to the following.

  In order to achieve the above object, a shared information generating apparatus according to the present invention includes a secret information distributing apparatus that receives secret information as input, and outputs shared information obtained by distributedly encoding the secret information by a (k, n) threshold method, and the secret information. Authentication data is generated from an output obtained by inputting a check data generation device for generating check data for verifying information, the distributed information and the check data, and inputting the data into a predetermined check function h An authentication data generation device.

  Further, the restoration device of the present invention reads the distributed secret information distributed and encoded from the k or more storage devices, and restores the secret information from the k or more storage devices. Read the check data and authentication data, check the validity of the distributed information, and if there is any altered shared information, output the identifier list of the altered distributed secret information In the case where there is no shared information, there is an unauthorized information specifying device that outputs the restored secret information, and a read control device that controls the order of information read from the storage device.

  The information stored in the distributed secret information storage device and the authentication data storage device is read out from all the storage devices participating in the secret restoration in accordance with the order specified by the read control device. Thereafter, the check data storage device is read from all the storage devices participating in the secret restoration. In addition, even when a plurality of function values h (e, v) are known for the function h, the function value h (e, v ') related to v' other than the known value for the same check data e has a low probability. Select from those having features that can only be estimated by ε.

10 processor 11 CPU
12 Main Storage Unit 13 Recording Medium 14 Data Storage Unit 15 Memory Control Interface Unit 16 I / O Interface Unit 100 Distributed Information Generation Device 101 Secret Information Distribution Unit 102 Check Data Generation Unit 103 Authentication Data Unit 200 Recovery Device 201 Secret Information Recovery Unit 202 Unauthorized information identification unit 203 Read control unit 300-1 to 300-n storage device 301-1 to 301-n Distributed secret information storage unit 302-1 to 302-n Check data storage unit 303-1 to 303-n Authentication Data storage units 304-1 to 304-n Access control unit

Claims (10)

A secret information distribution system that includes a distributed information generation device, n (n is a natural number of 2 or more) storage devices, and a restoration device, and distributes and stores secret information,
The distributed information generation device includes:
The check function h includes n pieces of distributed information data v generated by distributedly encoding the secret information by the (k, n) threshold secret sharing method and n pieces of check data e for verifying the secret information. N pieces of authentication data a are generated from the obtained output, and the n pieces of distributed information data v, n pieces of check data e, and n pieces of authentication data a are output to the storage device. ,
The n storage devices store the output of the shared information generation device,
The restoration device
The shared information data v, the check data e, and the authentication data a are read from each of the k or more storage devices of the n storage devices, and the validity of the distributed information is verified based on the read information. If there is shared information that has been falsified as a result of the determination, the identifier list of the distributed secret information that has been falsified is output, and if there is no shared information that has been falsified as a result of the determination, the read Output secret information restored from the distributed information data v.
A secret information distribution system characterized by that. The secret information distribution system according to claim 1,
The distributed information generation device includes:
The secret information is distributed and encoded by the (k, n) threshold secret sharing method, and n pieces of distributed information v [1], v [2],. . . , V [n], secret information distribution means;
The n pieces of check data e [1], e [2],. . . , E [n] for generating check data;
The shared information v [1],. . . , V [n] and check data e [1],. . . , E [n] as inputs and an output a [i, j] = h (e [i], v [j]) (i ≠ j) obtained by inputting to a predetermined check function h to n Authentication data a [i] = (a [i, 1], a [i, 2], ..., a [i, i-1]), a [i, i + 1],. . . , A [i, n]) (i = 1,..., N),
The storage device
Distributed secret information storage means for storing the distributed information v [i] distributed and generated by the shared information generator;
Check data storage means for storing the check data e [i] generated by the check data generation device;
Authentication data storage means for storing the authentication data a [i] generated by the authentication data generation device,
The restoration device
secret information restoring means for reading the distributed information distributed from the k or more storage devices and restoring the secret information;
Distributed information v [i-1], v [i-2],. . . , V [im] and check data e [i-1], e [i-2],. . . , E [im] and authentication data a [i-1], a [i-2],. . . , A [i−m] and for every possible different i, j (i, j = i−1,..., Im), “h (e [i], v [J]) = a [i, j] ”is determined as to whether or not, and as a result of the determination, v is not satisfied for k / 2 or more e [i]. When [j] exists, the identifier set {i-j1, i-j2,... Of v [j] where the above expression does not hold for k / 2 or more e [i]. . . , I−jw} is output, and v [j] in which the above expression does not hold for k / 2 or more e [i] as a result of the determination does not exist. Includes unauthorized information specifying means for outputting the restored secret information s,
The check function h (h: E × V → A) is an arbitrary element v [1], v [2],. . . , V [t−1], v, v ′ (t ≧ k / 2) and any element a [1], a [2],. . . , A [k−2], a ′, | {e [j] | h (e [j], v) = a, h (e [j], v ′) = a ′, h (e [J], v [l]) = a [l] (l = 1, 2,..., T−1)} | / | {e [j] | h (e [j], v) = a , H (e [j], v [l]) = a [l]} (l = 1, 2,..., T−1) | ≦ ε for any i, j, l A featured secret information distribution system. In the secret information distribution system according to claim 1 or 2,
The check function h has n pieces of partial information v [1],. . . , V [n] and check data e [i] = (e [i, 1], e [i, 2], ..., e [i, i-1], e [i, i + 1], e [i, i + 2], ..., e [i, n]) (i = 1, ..., n, where each e [i, j] = (e [i, j] {0}, e [i, j] {1})) (i = 1,..., n), h (e [i], v [j]) = e [i, j] {1} × v A secret information distribution system defined by [j] + e [i, j] {0}. The secret information distribution system according to claim 1,
The shared information generating apparatus outputs n check data e obtained by distributedly encoding the check data e by a (t, n) threshold secret sharing method to the storage device.
The restoration apparatus further comprises a check data e distributed and encoded by the (t, n) threshold secret sharing method to determine the validity of the shared information. The secret information distribution system according to claim 4,
The distributed information generation device includes:
The secret information is distributed and encoded by the (k, n) threshold secret sharing method, and n pieces of distributed information v [1], v [2],. . . , V [n], secret information distribution means;
Check data e [1], e [2],..., Which are distributedly encoded by the (t, n) threshold secret sharing method on the check data e for verifying the secret information. . . , E [n] for generating check data;
The shared information v [1],. . . , V [n] and check data e are input, and output a [i] = h (e, v [i]) (i = 1,...) Obtained by inputting the data into a predetermined check function h. Authentication data generation means for outputting authentication data as authentication data,
The storage device
Distributed secret information storage means for storing the distributed information v [i] distributed and generated by the shared information generator;
Check data storage means for storing the check data e [i] generated by the check data generation device;
Authentication data storage means for storing the authentication data a [i] generated by the authentication data generation device,
The restoration device
secret information restoring means for reading the distributed information distributed from the k or more storage devices and restoring the secret information;
Distributed information v [i-1], v [i-2],. . . , V [i-m], and distributedly encoded check data e [i-1], e [i-2],. . . , E [im] and authentication data a [i-1], a [i-2],. . . , A [i-m], and e [i-1],. . . , E [i−m], the check data e is restored, and for all i (i = i−1,..., I−m), “h (e, v [i]) = a It is checked whether the expression [i] (i = 1, 2,..., M) ”is satisfied, and the identifier set {i−j1, i− of v [i] where the expression is not satisfied j2,. . . , I-jw}, and when such v [i] does not exist, it includes an unauthorized information specifying means for outputting the restored secret information s,
The check function h (h: E × V → A) is an arbitrary element v [1], v [2],. . . , V [t−1], v, v ′ and any element a [1], a [2],. . . , A [t−1], a ′, | {e | h (e, v) = a, h (e, v ′) = a ′, h (e, v [i]) = a [ i] (i = 1, 2,..., t−1)} | / | {e | h (e, v) = a, h (e, v [i]) = a [i] (i = 1, 2,..., T−1} | ≦ ε is satisfied for an arbitrary i. In the secret information distribution system according to claim 4 or 5,
The check function h has n pieces of partial information v [1],. . . , V [n], check data e = (e {0}, e {1},..., E {t}), an arbitrary prime number satisfying p ≧ n, and a function ψ (v [i ]) = P × (i−1) + v [i], h (e [i], v [j]) = e {0} + e {1} × ψ (v [i]) + e {3 } × ψ (v [i]) ^ 2+. . . + E {t} × ψ (v [i]) ^ t defined by the secret information distribution system. The secret information distribution system according to any one of claims 1 to 6,
The storage device
Further comprising access control means for controlling the timing of transmitting the information stored in each storage device to the restoration device;
The restoration device
Readout control means for controlling the order of information read from the storage device,
The restoration device starts with the information stored in the distributed secret information storage device and the authentication data storage device from all of the k or more storage devices participating in the restoration of the secret according to the order specified by the read control device. And then reading the check data storage device from all of the k or more storage devices participating in the restoration of the secret. A secret information distribution method for distributing and storing secret information, performed by a system including a shared information generation device, n (n is a natural number of 2 or more) storage devices, and a restoration device,
The shared information generating device is
The check function h includes n pieces of distributed information data v generated by distributedly encoding the secret information by the (k, n) threshold secret sharing method and n pieces of check data e for verifying the secret information. N pieces of authentication data a are generated from the obtained output, and the n pieces of distributed information data v, n pieces of check data e, and n pieces of authentication data a are output to the storage device. ,
The n storage devices store the output of the shared information generating device;
The restoration device is
The shared information data v, the check data e, and the authentication data a are read from each of the k or more storage devices of the n storage devices, and the validity of the distributed information is verified based on the read information. If there is shared information that has been falsified as a result of the determination, the identifier list of the distributed secret information that has been falsified is output, and if there is no shared information that has been falsified as a result of the determination, the read Output secret information restored from the distributed information data v.
A secret information distribution method characterized by the above. Distributed information incorporated in the shared information generating apparatus in a shared information distributing system that includes a shared information generating apparatus, n (n is a natural number equal to or greater than 2) storage devices, and a restoring apparatus, and that distributes and stores secret information A generation program,
The check function h includes n pieces of distributed information data v generated by distributedly encoding the secret information by the (k, n) threshold secret sharing method and n pieces of check data e for verifying the secret information. N pieces of authentication data a are generated from the obtained output, and the n pieces of distributed information data v, n pieces of check data e, and n pieces of authentication data a are output to the storage device. A distributed information generation program for causing a computer to function as distributed information generation. A restoration program incorporated in the restoration device in a secret information distribution system that includes a shared information generation device and n (n is a natural number of 2 or more) storage devices, and distributes and stores secret information,
Read the distributed information data v, the check data e, and the authentication data a from each of the k or more storage devices of the n storage devices, and determine the validity of the distributed information based on the read information. If there is shared information that has been falsified as a result of the determination, the identifier list of the distributed secret information that has been falsified is output. If there is no shared information that has been falsified as a result of the determination, the read list is output. Outputting secret information restored from the distributed information data v.
A restoration program characterized by causing a computer to function as a restoration device.

Images