JP2014137474A - Tamper detection device, tamper detection method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a tamper detection device capable of being applied efficiently to secrecy computing and making tamper success probability lower than a conventional device.SOLUTION: A tamper detection device 1 comprises: a selection part 12 for selecting M random numbers of r,...,r; a generation part 13 for generating a checksum c by using an order number d(i,j) obtained on the basis of N values of a,...,a, the random numbers r,...,r, an index i (0≤i≤N-1) of the values of a,...,a, and an index j (0≤j≤M-1) of the random number r,...,r; and a verification part 14 for verifying whether any of the values of a,...,ais tampered by comparing the checksum c with a verification value obtained after calculating by using the values a,...,a, the random number r,...,r, and the order number (i,j). However, M and N are integers of two or more and M<N.

Description

  The present invention relates to a falsification detection technique for detecting data falsification in a secret calculation in which data processing is performed while data is concealed.

  There is a technique described in Non-Patent Document 1 as a checksum used for conventional tampering detection. The checksum described in Non-Patent Document 1 is composed of addition and multiplication, and can be efficiently applied to confidential calculation.

The checksum described in Non-Patent Document 1 generates a checksum c of values a ₀ ,..., A _N-1 ∈F with F as a field, using the random number r∈F, by the following equation (1) To do.

  In Non-Patent Document 1, the checksum c is verified by the following equation (2).

If the expression (2) is 0, it is determined that none of the values a ₀ ,..., A _N−1 has been tampered with. If the expression (2) is other than ₀ , it is determined that at least one of the values a ₀ ,..., A _N−1 has been tampered with.

S. Obana and T. Araki, “Almost optimum secret sharing schemes secure against cheating for arbitrary secret distribution”, ASIACRYPT, Vol. 4284 of Lecture Notes in Computer Science, pp. 364-379, 2006.

  In the falsification detection technique described in Non-Patent Document 1, the success probability of falsification when the body F is determined in advance is N / | F |. Here, N represents the number of target data for checksum generation, and | · | represents the number of elements. In this way, since the success probability of alteration is proportional to the number of data N, the success probability of alteration increases as the target data for generating the checksum increases.

  An object of the present invention is to provide a falsification detection technique that can be efficiently applied to a secret calculation and can set a falsification success probability lower.

In order to solve the above-described problem, the falsification detection device according to the present invention includes a selection unit that selects _M random numbers r ₀ ,..., R _M−1 , where M and N are integers of 2 or more, M <N, and When, N number of values a _0, ..., and a _N-1, M random numbers r _0, ..., and r _M-1, the value _{a 0, ..., a N-} 1 of the index i (0 ≦ i ≦ N−1) and the order d (i, j) determined based on the index j (0 ≦ j ≦ M−1) of the random numbers r ₀ ,..., R _M−1 are generated. A verification value and a checksum calculated using the generator, N values a ₀ ,..., A _N-1 and M random numbers r ₀ ,..., R _m-1 and the order d (i, j) a verification unit that verifies whether any of the values a ₀ ,..., a _N−1 has been falsified by comparing with c.

  According to the falsification detection technique of the present invention, it can be efficiently applied to the secret calculation, and the falsification success probability can be set lower.

It is a figure which illustrates the function structure of a tampering detection apparatus. It is a figure which illustrates the processing flow of checksum generation. It is a figure which illustrates the processing flow of checksum verification.

  Hereinafter, embodiments of the present invention will be described in detail. In addition, the same number is attached | subjected to the component which has the same function in drawing, and duplication description is abbreviate | omitted.

[Embodiment]
<Configuration>
With reference to FIG. 1, the structural example of the tampering detection apparatus 1 of this embodiment is demonstrated. The tampering detection apparatus 1 includes a control unit 101, a memory 102, an input unit 11, a selection unit 12, a generation unit 13, a verification unit 14, and an output unit 15. The falsification detection device 1 is a special device configured by reading a special program into a known or dedicated computer having a CPU (Central Processing Unit), a RAM (Random Access Memory), and the like. The tampering detection apparatus 1 executes each process under the control of the control unit 101. Data input to the falsification detection device 1 and data obtained in each process are stored in the memory 102, and the data stored in the memory 102 is read out as necessary and used for other processes.

<Checksum generation processing>
With reference to FIG. 2, the operation example of the checksum generation process executed by the tampering detection apparatus 1 of this embodiment will be described in detail according to the order of procedures. In the following description, M and N are integers of 2 or more, M <N, and R is a ring.

N values a ₀ ,..., A _N−1 ∈R are input to the input unit 11 provided in the tampering detection apparatus 1 (step S11a). The input values a ₀ ,..., A _N−1 are input to the generation unit 13. The values a ₀ ,..., A _N-1 may be any information, but may be ciphertexts of homomorphic encryption or shared values of secret sharing, for example. The homomorphic encryption is an encryption method having homomorphism, and is an encryption method capable of calculating the sum or product of the original plaintext while being encrypted from the ciphertext. An example of homomorphic encryption is ElGamal encryption. The ElGamal cipher is a cipher on the group. For example, if the group is Z / pZ, the ciphertext can be regarded as a ring element. Even if the group is a rational point group on an elliptic curve on the field, the ciphertext is also a field (ie, ring) element. For more information on ElGamal ciphers, see “T. ElGamal,“ A public key cryptosystem and a signature scheme based on discrete logarithms ”, IEEE Transactions on Information Theory, vol.31, no.4, pp.469-472, 1985.” It is described in. Secret sharing is a technology that converts data to be concealed into multiple distributed values and restores the original data by using more than a certain number of distributed values, and makes it impossible to restore the original data from less than a certain number of distributed values. It is. An example of secret sharing is Shamir secret sharing. Details on Shamir secret sharing are described in “A. Shamir,“ How to share a secret ”, Communications of the ACM, vol. 22, issue 11, pp. 612-613, 1979.”.

The selection unit 12 selects M random numbers r ₀ ,..., R _M−1 ∈R (step S12). The selected random numbers r ₀ ,..., R _M−1 are input to the generation unit 13. The selection unit 12 may select M random numbers r ₀ ,..., R _M−1 at random one by one, or M according to a predetermined rule from a plurality of values generated in advance and stored in the memory 102. Random numbers r ₀ ,..., R _M−1 may be selected.

Generator 13 values _{a 0, ..., a N-} 1 and the random number r _0, ..., to generate a checksum c with r _M-1 (step S13). The generated checksum c and random numbers r ₀ ,..., R _M−1 are input to the output unit 15. Specifically, the generation unit 13 calculates the checksum c by the following equation (3).

In equation (3), a function d (i, j) is a function that determines the order of the j-th random number r _j with respect to the i-th value a _i . However, it is assumed that i, i ′ is a positive integer, i ≠ i ′, and any j (where j <M) satisfies d (i, j) ≠ d (i ′, j). That is, the combinations of the orders of the random numbers r ₀ ,..., R _M−1 must be combinations that do not overlap every a _i .

For example, when N = 3 and M = 2, calculation may be performed as c = a ₀ r ₀ + a ₁ r ₁ + a ₂ r ₀ r ₁ . If N = 4 and M = 2, it may be calculated as c = a ₀ r ₀ + a ₁ r ₁ + a ₂ r ₀ r ₁ + a ₃ r ₀ ² r ₁ Then, c = a ₀ r ₀ ² r ₁ + a ₁ r ₀ r ₁ + a ₂ r ₁ + a ₃ r ₀ may be calculated.

M can be any value as long as it is greater than or equal to 2 and less than N. However, if it is the smallest integer exceeding log ₂ N, all orders for random numbers r ₀ , ..., r _M-1 will be 1 or less. Is the most efficient. For example, if N = 7 and M = 3, c = a ₀ r ₀ + a ₁ r ₁ + a ₂ r ₀ r ₁ + a ₃ r ₂ + a ₄ r ₀ r ₂ + a ₅ r ₁ r ₂ + a ₆ r ₀ r ₁ r ₂ , and the order of all random numbers can be 1 or less.
The output unit 15 outputs a checksum c and random numbers r ₀ ,..., R _M−1 (step S15a).

<Checksum verification processing>
With reference to FIG. 3, the operation example of the checksum verification process which the tampering detection apparatus 1 of this embodiment performs is demonstrated in detail according to the order of a procedure.

N values a ₀ ,..., A _N-1 ∈R, M random numbers r ₀ ,..., R _M-1 ∈R and a checksum c are input to the input unit 11 of the tampering detection apparatus 1 ( Step S11b). The input values a ₀ ,..., A _N−1 and the random numbers r ₀ ,..., R _M−1 and the checksum c are input to the verification unit 14.

Verifying section 14 values _{a 0, ..., a N-} 1 and the random number r _0, ..., by using the r _M-1 and the checksum c, value a _0, ..., whether either a _N is falsified A verification result indicating this is generated (step S14). The verification result is input to the output unit 15.

Specifically, the verification unit 14 evaluates the following formula (4). If the expression (4) is true, it is determined that none of the values a ₀ ,..., A _N−1 has been tampered with. If the expression (4) is false, it is determined that at least one of the values a ₀ ,..., A _N−1 has been tampered with.

In equation (5), function d (i, j) is the same function as function d (i, j) in equation (1).
The output unit 15 outputs the verification result (step S15b).

<Effect>
The checksum described in Non-Patent Document 1 has a tampering success probability of at most N / p, where N is the number of data to be generated as a checksum and p is the number of elements in the ring R. Since the falsification success probability is proportional to N, the falsification success probability increases as the number of data increases.
The checksum of this embodiment has a falsification success probability expressed by the following equation (5).

  Thus, assuming that the number of random numbers is M, the success probability of falsification is proportional to the Mth root of N. For example, if M = 2, the success probability of falsification can be about √N. Therefore, in particular, as the target data for generating the checksum is larger, it is possible to suppress an increase in the success probability of alteration as compared with the conventional alteration detection technology.

  Therefore, according to the falsification detection technique of the present invention, it can be efficiently applied to the secret calculation, and the probability of falsification success can be set lower.

[Application example]
The tampering detection technology of the present invention can be used in various ways. For example, there may be a case in which ciphertext based on homomorphic encryption or distributed data based on secret sharing is deposited in a server managed by a third party. In such a case, when a malicious attacker enters the server and alters the data, or when the server itself alters the data that has been deposited maliciously, the server is infected with malware and the data is altered. Risks such as when to do. By generating and assigning the checksum according to the present invention to the data to be deposited, the server can process data while keeping it secret, and also prevent data tampering. can do.

[Program, recording medium]
The present invention is not limited to the above-described embodiment, and it goes without saying that modifications can be made as appropriate without departing from the spirit of the present invention. The various processes described in the above-described embodiments are not only executed in time series according to the order described, but may be executed in parallel or individually as required by the processing capability of the apparatus that executes the processes.

  When various processing functions in each device described in the above embodiment are realized by a computer, the processing contents of the functions that each device should have are described by a program. Then, by executing this program on a computer, various processing functions in each of the above devices are realized on the computer.

  The program describing the processing contents can be recorded on a computer-readable recording medium. As the computer-readable recording medium, for example, any recording medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory may be used.

  The program is distributed by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Furthermore, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.

  A computer that executes such a program first stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its own storage device. When executing the process, the computer reads a program stored in its own recording medium and executes a process according to the read program. As another execution form of the program, the computer may directly read the program from a portable recording medium and execute processing according to the program, and the program is transferred from the server computer to the computer. Each time, the processing according to the received program may be executed sequentially. Also, the program is not transferred from the server computer to the computer, and the above-described processing is executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition. It is good. Note that the program in this embodiment includes information that is used for processing by an electronic computer and that conforms to the program (data that is not a direct command to the computer but has a property that defines the processing of the computer).

  In this embodiment, the present apparatus is configured by executing a predetermined program on a computer. However, at least a part of these processing contents may be realized by hardware.

DESCRIPTION OF SYMBOLS 1 Tampering detection apparatus 11 Input part 12 Selection part 13 Generation part 14 Verification part 15 Output part 101 Control part 102 Memory

Claims (4)

M and N are integers of 2 or more, M <N,
A selection unit for selecting _M random numbers r ₀ ,..., R _M−1 ;
N values a _0, ..., and a _N-1, the random number r _0, ..., and r _M-1, the value _{a 0, ..., a N-} 1 of the index i (0 ≦ i ≦ N- 1 ) And the order d (i, j) determined based on the index j (0 ≦ j ≦ M−1) of the random number r ₀ ,..., R _M−1. When,
Comparing the checksum c with the verification value calculated using the values a ₀ ,..., A _N-1 , the random numbers r ₀ ,..., Rm _-1 and the order d (i, j). A verification unit that verifies whether any of the values a ₀ ,..., A _N−1 has been falsified,
Including tamper detection device. The falsification detection device according to claim 1,
The order d (i, j) is such that i, i ′ is a positive integer, i ≠ i ′, j <M, and d (i, j) ≠ d (i ′, j) with any j And
The generation unit generates the checksum c by calculating the following equation:

The verification unit, the following expression is the value a ₀ if true, ..., a none of _N-1 is determined not to be tampered, the value a ₀ if the following expression is false, ..., a Judge that at least one of _N-1 has been tampered with

A tamper detection device characterized by that. M and N are integers of 2 or more, M <N,
A selection step in which the selection unit selects _M random numbers r ₀ ,..., R _M−1 ;
Generating unit, N number of values a _0, ..., and a _N-1, the random number r _0, ..., and r _M-1, the value _{a 0, ..., a N-} 1 of the index i (0 ≦ i ≦ N-1) and the random number _{r 0, ..., r M-} 1 of the index j (0 ≦ j ≦ M- 1) the degree d (i determined based on, j) and with the checksum c A generation step to generate;
A verification value calculated by the verification unit using the values a ₀ ,..., A _N−1 , the random numbers r ₀ ,..., R _m−1 and the order d (i, j), and the checksum c; A verification step for verifying whether any of the values a ₀ ,..., A _N-1 has been falsified by comparing
Tamper detection method including   A program for causing a computer to function as the falsification detection device according to claim 1.

Images