JP2020046558A - Generation device, restoration device, transmission device, reception device, generation program, restoration program, transmission program, and reception program - Google Patents

Abstract

To provide a secret distribution system capable of suppressing leakage of secret information while the owner of the secret information does not notice.SOLUTION: A system distributes secret information into n distributed values and can restore the secret information with k distributed values but cannot restore the secret information with less than k distributed values, where n denotes an integer of two or more and k denotes an integer of two or more and n or less. A generation device 12 of the system converts identification information identifying the secret information with one secret key, and thereby generates values corresponding to at least k-1 or less respective distributed values.SELECTED DRAWING: Figure 1

Description

  The present disclosure relates to a generation device, a restoration device, a transmission device, a reception device, a generation program, a restoration program, a transmission program, and a reception program.

  In recent years, cloud computing has attracted attention as a new network technology. Cloud computing is a technology in which data owned by a user is distributed and stored in a virtual large-capacity storage configured by a plurality of servers on a network called a cloud. Cloud computing allows users to access distributed and stored data from anywhere via a network as needed. Furthermore, by encrypting data and implementing confidentiality calculations, it is not only possible to store data simply, but also to perform arbitrary processing while concealing individual data using data distributed and stored on the cloud. Is required.

  Attention has been paid to the use of a secret sharing scheme in order to realize such secret calculation. The secret sharing method is a technique in which one piece of secret information is distributed into n pieces, and among the distributed values distributed into n pieces, k pieces (k ≦ n) of the shared values can be collected to restore the original secret information. It is. Also, in the secret sharing method, information on secret information cannot be obtained from less than k shared values out of n shared values. As this secret sharing scheme, a (k, n) threshold secret sharing scheme by Shamir (hereinafter, also referred to as “Shamir scheme”) is known.

  Also, a ramp-type secret sharing method for realizing a reduction in the data size of the entire sharing value is known. Non-Patent Document 1 proposes a secret sharing scheme called an asymmetric secret sharing scheme.

  Further, Patent Literature 1 discloses a secret sharing system that suppresses the calculation amount of data restoration processing of secret sharing.

JP 2013-243441 A

Kei Takahashi and Keiichi Iwamura, "Secret Sharing Method with Computational Security Suitable for Cloud Computing", CSS2012 (2012)

  However, in the secret sharing method such as the Shamir method, if an attacker who is not a legitimate reconstructor can attack a server in which the shared value is stored and obtain k or more shared values, the k shared The secret information can be restored from the above variance value. Also, in the asymmetric secret sharing scheme, if the attacker can access the key server and the data server and can obtain k shared values including the shared value generated using the key, the secret information can be restored. Can be done.

  That is, in the above-described various secret sharing methods, the secret information may be leaked before the owner of the secret information is known.

  The present disclosure has been made in view of the above circumstances, and a generation device, a restoration device, a transmission device, and a reception device capable of suppressing leakage of secret information while the owner of the secret information does not know. , A generation program, a restoration program, a transmission program, and a reception program.

  The disclosed technology, as one aspect, is such that n is an integer of 2 or more, k is an integer of 2 or more and n or less, secret information is distributed into n distributed values, and the secret information is distributed by k distributed values. In a system that can be restored and the secret information cannot be restored with less than k, the generating device converts the identification information for identifying the secret information by using one secret key, so that at least k-1 or less of the secret information can be restored. A generating unit that generates a value corresponding to each of the variance values;

  According to the present disclosure, it is possible to suppress leakage of secret information while the owner of the secret information does not know.

It is a block diagram showing an example of composition of a secret sharing system concerning a 1st-a 4th embodiment. FIG. 14 is a block diagram illustrating an example of a hardware configuration of a generation device according to first to fourth embodiments. It is a block diagram showing an example of hardware constitutions of a restoration device concerning a 1st-a 4th embodiment. 5 is a flowchart illustrating an example of a distributed process according to the first embodiment. 5 is a flowchart illustrating an example of a restoration process according to the first embodiment. It is a flow chart which shows an example of distributed processing concerning a 2nd embodiment. It is a flow chart which shows an example of restoration processing concerning a 2nd embodiment. It is a flow chart which shows an example of distributed processing concerning a 3rd embodiment. It is a flow chart which shows an example of restoration processing concerning a 3rd embodiment. It is a flow chart which shows an example of distributed processing concerning a 4th embodiment. It is a flow chart which shows an example of restoration processing concerning a 4th embodiment. It is a block diagram showing an example of the composition of the communication system concerning a 5th embodiment. FIG. 16 is a block diagram illustrating an example of a hardware configuration of a transmission device according to a fifth embodiment. It is a block diagram showing an example of hardware constitutions of a receiving set concerning a 5th embodiment. It is a flow chart which shows an example of transmission processing concerning a 5th embodiment. It is a flow chart which shows an example of the receiving processing concerning a 5th embodiment.

  Hereinafter, embodiments of the technology of the present disclosure will be described in detail with reference to the drawings.

  First, before describing the details of the embodiment, the details and problems of the Shamir method and the asymmetric secret sharing method will be described.

<Shamir method>
In a secret sharing system based on the Shamir method, secret information is distributed to n servers. The owner of the secret information requests the dealer existing only at the time of the secret sharing to distribute the secret information, and the dealer calculates the n distributed values by performing the secret sharing operation, and distributes the distributed values to the n servers. And store. Alternatively, the owner of the secret information becomes a dealer at the time of secret sharing and distributes the secret information. On the other hand, the recoverer can recover the secret information by collecting k distributed values among the n distributed values distributed to the n servers. Distribution and restoration of secret information in the Shamir method are performed as described below.

<Dispersion>
1. The dealer chooses an arbitrary prime p where s <p and n <p. Note that s represents secret information.
2. The dealer selects n different _xi (i = 1, 2,..., N) from Z / pZ, and sets the selected _xi as the server ID of each of the n servers.
3. The dealer selects k−1 random numbers a ₁ (l = 1, 2,..., K−1) from Z / pZ and generates the following equation (1) (hereinafter, also referred to as “dispersion equation”). I do.

4. Dealer, by replacing the server ID in the _{x i} of equation (1) to calculate a variance value _{W i,} to distribute _(x i, _{W i)} to each server.

<Restore>
1. The variance value used for restoration is W _i (i = 1, 2,..., K). Also, let the server ID corresponding to the variance value be x _i (i = 1, 2,..., K).
2. Restore person, secret information by the k _{(x i, W} i) collected, the k _{(x i, W} i) were substituted into the above equation (1) was collected, solve the k-number of simultaneous equations Is restored. When s is restored, for example, Lagrange's interpolation formula can be used.

<Asymmetric secret sharing scheme>
T servers (t <k) are selected from the n servers constituting the cloud system, and the selected t servers are used as key servers. The key server does not store the variance value but stores key information for generating a pseudorandom number. A server other than the key server among the n servers is called a data server, and the data server stores the variance value sent from the user who generates the variance value. It is assumed that each user y who manages secret information is assigned an ID [y] (y = 1,..., R) that is information for identifying the user. Also, the m pieces of secret information s _1j ,..., S _mj (j = 1,..., R) managed by each user y also have dID [s _ij ] (i = 1,..., M) are assigned. In the following, Enc (a, b) represents a process of encrypting a using a key b.

<Dispersion>
Here, a case where the user y is a dealer will be described. Also, here, for simplicity of description, r = 1 and s _ij is represented as s _i .
1. User y sends the ID of its own [y] key server _x 1, ..., to _{x t.}
2. The key server that has received the ID [y] generates Eid (y, j) by the following equation (2) using the encryption device of the key server and the key key _j (j = 1,..., T). Then, the generated Eid (y, j) is sent to the user y.
Eid (y, j) = Enc (ID [y], key _j ) (j = 1,…, t)… (2)
3. User y is received the _{Eid (y, j), dID} [s i] (i = 1, ..., m) for identifying the secret information _{s i} it manages with, the following equation (3), Generate a pseudo-random number q _ij .
q _ij = Enc (dID [s _i ], Eid (y, j))… (3)
4. First, the user y _calculates the k-1-t-order part of the coefficient vector A (i) = [s _i , a _i1 ,..., A _ik-1 ] ^T of the k−1-th dispersion equation of the equation (1). A vector A ^′ _k−1−t = [a _{it + 1} ,..., A _ik−1 ] ^T is determined for each i using a true random number. Next, the user y uses the t-order pseudo-random number sequence Q = [q _i1 ,..., Q _it ] ^T generated by the expression (3) and the ID sequence of the key server by the following expression (4). The remaining partial vectors A ^′ _t (i) = [a _i1 ,..., A _it ] ^T are calculated for each i.

Here, assuming that S = [s _i ,..., S _i ] ^T in the above equation (4), it is expressed by the following equation (5).
A (i) _k-1 = X ^'-1 (QS)… (5)
As a result, the user y _obtains the k-1 order partial vector A (i) _{k in} the coefficient vector A (i) = [s _i , a _i1 ,..., A _ik-1 ] ^T of the k−1 order dispersion equation. ₋₁ = [a _i1 ,..., A _ik-1 ] ^T can all be obtained.
5. In addition, user y, the data server _{x t} + 1, ..., the dispersion value _W it + 1 on the _{x n,} ..., the _{W in,} 4. Is calculated by the same procedure as the (k, n) threshold secret sharing method using the coefficient matrix generated in the procedure described in (1).
6. The user y sends the generated variance values W _1j ,..., W _mj (j = t + 1,..., N) to each data server.

<Restore>
1. Restoring user, n pieces of server _x 1, ..., select any of the k server from _{x n,} dID _{[s i} relative to the selected server, ID of the user y [y] and the secret information _{s i} ].
2. Among the key servers, the server that has received (ID [y], dID [s _i ]) generates Eid (y, j) by the equation (2) using its own key _j and encryption device. Then, a pseudo random number q _ij is generated by equation (3). Then, the server sends the generated pseudo random number q _ij to the reconstructor.
3. Among the data servers, the server that has received (ID [y], dID [s _i ]) sends the variance value W _ij corresponding to its own server ID to the reconstructor.
4. Restoring user, using the pseudo-random number q _ij and variance values W _ij received, (k, n) by the threshold secret sharing scheme and the same procedure, to restore the secret information s _i.

  However, in the secret sharing method such as the Shamir method, if an attacker who is not a legitimate reconstructor can attack a server in which the shared value is stored and obtain k or more shared values, the k shared The secret information can be restored from the above variance value. Also, in the asymmetric secret sharing method, if the attacker can access the key server and the data server and can obtain k shared values including the shared value generated using the key, the secret information is restored. I can do it. Therefore, in the secret sharing method including the Shamir method and the asymmetric secret sharing method, the secret information may be leaked while the owner of the secret information does not know.

  In the secret sharing method including the Shamir method and the asymmetric secret sharing method, when an attacker hijacks a server and outputs a false shared value at the time of restoration, the reconstructor cannot restore correct secret information. Nor can you verify the legitimacy of confidential information.

Therefore, in the following embodiment, a method for solving the following three problems will be described.
(A) The secret information leaks while the owner of the secret information does not know.
(B) Even if a false variance value is output, it cannot be verified.
On the other hand, in general, there is only one ciphertext in the encryption technology, so that n = k = 1 can be interpreted. Also, since encryption is performed using a key, even if a ciphertext corresponding to k = 1 shared value leaks, secret information does not leak if the key is managed safely. Therefore, although (A) is solved by the cryptographic technology, it is generally impossible to correctly decrypt if a false ciphertext is output, and if the decryption result is a random number or the like, it is generally impossible to verify whether it is correct. . Therefore, (B) is not solved by the encryption technology. In general, in the secret sharing method and the encryption technology, the legitimacy of the decryption result can be verified by using a technology having a different mechanism such as a MAC (Message Authentication Code) for the secret information, the sharing value, and the ciphertext. Alternatively, it is not possible to verify the validity of the decryption result using only the encryption technique. Therefore, the following (C) is also solved by the same principle as (B).
(C) Even if a fake ciphertext is output in the cryptographic technique, it cannot be verified.

[First Embodiment]
First, the configuration of a secret sharing system 10 according to the present embodiment will be described with reference to FIG. As shown in FIG. 1, the secret sharing system 10 includes a generating device 12, a restoring device 14, and a plurality of servers 16. The generation device 12, the restoration device 14, and the plurality of servers 16 are connected to the network N and can communicate with each other. In the secret sharing system 10 according to the present embodiment, n is an integer of 2 or more, k is an integer of 2 or more and n or less, secret information is distributed into n shared values, and the secret information is restored using k shared values. This is a system that cannot recover confidential information if the number is less than k.

  The generation device 12 is a device operated by the owner of the secret information (hereinafter, simply referred to as “owner”), and an example of the generation device 12 is an information processing device such as a personal computer. The restoring device 14 is a device operated by a restoring person who restores confidential information (hereinafter, simply referred to as “restoring person”). An example of the restoring device 14 is an information processing device such as a personal computer.

When generating a variance value _{W i} using the aforementioned Shamir method (1), to obtain a dispersion value _{W i} which substitutes the _{x i} is a server ID, and corresponding to _{x i} in equation (1). Therefore, it can be said that x _i is a value for identifying the variance value W _i . Generally, if x _i is not known, secret information cannot be restored even if k variance values W _i are collected. Therefore, in this embodiment, the processing described below, attacker even attracted the k dispersion value W _i, so that can not be recovered secret information.

In the following, generator 12 may include one private key key _0, and m (m is an integer of 1 or more) pieces of secret information _s 1, ..., stores the _{s m,} the secret _s j (j = 1, .., M) are assigned dID [s _j ] as an example of identification information for identifying the secret information s _j . Further, _x ij to differentiate _{x i} mentioned above for each secret information (i = 1, ..., n , j = 1, ..., m) and denoted. Further, n servers 16 (hereinafter, also referred to as "data servers 16") for storing the variance value are prepared. In addition, it is assumed that 2 ≦ t ≦ k−1, and x _ij of _nt (<k) servers 16 is predetermined. In the following, Enc (a, b) means that a is encrypted using the key b, and a | b means that b is connected after a.

  Next, a hardware configuration of the generation device 12 according to the present embodiment will be described with reference to FIG. As shown in FIG. 2, the generation device 12 includes a CPU (Central Processing Unit) 20, a memory 21 as a temporary storage area, and a nonvolatile storage unit 22. The generating device 12 includes a display device 23 such as a liquid crystal display, an input device 24 such as a keyboard, and a network I / F 25 (InterFace) connected to the network N. The CPU 20, the memory 21, the storage unit 22, the display device 23, the input device 24, and the network I / F 25 are connected to the bus 26.

The storage unit 22 is realized by a hard disk drive (HDD), a solid state drive (SSD), a flash memory, and the like. The generation program 28 is stored in the storage unit 22 as a storage medium. The CPU 20 reads out the generation program 28 from the storage unit 22, expands it in the memory 21, and executes the expanded generation program 28. When the CPU 20 executes the generation program 28, it operates as a generation unit according to the disclosed technology. Also, the storage unit 22, a secret key key ₀ and secret _{s j} as described above is stored.

  Next, a hardware configuration of the restoration apparatus 14 according to the present embodiment will be described with reference to FIG. As shown in FIG. 3, the restoration device 14 includes a CPU 30, a memory 31 as a temporary storage area, and a nonvolatile storage unit 32. The restoration device 14 includes a display device 33 such as a liquid crystal display, an input device 34 such as a keyboard, and a network I / F 35 connected to the network N. The CPU 30, the memory 31, the storage unit 32, the display device 33, the input device 34, and the network I / F 35 are connected to the bus 36.

  The storage unit 32 is realized by an HDD, an SSD, a flash memory, and the like. The restoration program 38 is stored in the storage unit 32 as a storage medium. The CPU 30 reads out the restoration program 38 from the storage unit 32, expands it in the memory 31, and executes the expanded restoration program 38. When the CPU 30 executes the restoration program 38, it operates as a receiving unit and a restoration unit according to the disclosed technology.

  Next, the operation of the secret sharing system 10 according to the present embodiment will be described with reference to FIGS. First, a distribution process for distributing secret information will be described with reference to FIG. When the CPU 20 of the generation device 12 executes the generation program 28, the distributed processing illustrated in FIG. 4 is executed.

In step S10 of FIG. 4, the CPU 20 converts the identification information dID [s _j ] for identifying the secret information s _j using one secret key key ₀ according to the following equation (6), thereby obtaining t t T x _ij corresponding to one server 16 are generated. This x _ij is an example of a value corresponding to each of the variance values W _ij .
x _ij = Enc (dID [s _j ] | i, key ₀ ) (i = 1,…, t, j = 1,…, m)… (6)

In step S12, the CPU 20 generates k−1 random numbers a ₁ (l = 1,..., K−1) and determines the distribution formula (formula (1)).

In step S <b> 14, the CPU 20 uses the t x _ij generated in step S <b> 10 and the predetermined _nt x _ij in accordance with the distribution equation determined in step S <b> 12 to correspond to each x _ij . A variance value W _ij is calculated. In step S16, the CPU 20 transmits the variance value W _ij calculated in step S14 to the corresponding server 16. Each server 16 stores the received variance value W _ij . When the processing in step S16 ends, the distributed processing ends.

  Next, with reference to FIG. 5, a description will be given of a restoration process for restoring confidential information from the distribution value distributed by the distribution process shown in FIG. The restoration process shown in FIG. 5 is executed by the CPU 30 of the restoration device 14 executing the restoration program 38.

In step S20 in FIG. 5, the CPU 30 acquires the variance value W _ij corresponding to dID [s _j ] from the k servers 16. In step S <b> 22, the CPU 30 transmits to the generation device 12 request information requesting transmission of _xij corresponding to servers 16 other than the nt servers 16 in which _xij is predetermined.

After the generation device 12 receives the request information, the owner performs an operation to permit the restoration of the secret information via the input device 24 when the restoration of the secret information is permitted. An operation for prohibiting restoration is performed via the program 24. When an operation to permit restoration is performed by the owner, the CPU 20 of the generation device 12 generates x _ij by the same processing as in step S10, and transmits the generated x _ij to the restoration device 14. Further, the CPU 20 does not generate x _ij when an operation for prohibiting restoration is performed by the owner. That is, in this case, the CPU 20 does not transmit x _ij to the restoration device 14. However, in this transmission processing, even if there is no operation by the owner via the input device 24, a condition permitted by the owner is set in advance, and when the request information satisfies the condition, the transmission is automatically performed, and the request is not satisfied. In such a case, a program or the like may be set in advance so as not to transmit. This is the same in the following.

In step S24, the CPU 30 determines whether or not _xij transmitted from the generation device 12 in response to the request in step S22. If this determination is affirmative, the process proceeds to step S26.

In step S26, the CPU 30 restores the secret information s _j by the same procedure as the (k, n) threshold secret sharing method, using the variance value W _ij obtained in step S20 and x _ij received in step S24. . When the processing in step S26 ends, the restoration processing ends.

On the other hand, for example, if the owner by performing the operation for prohibiting restore the secret information, x _ij is not received even after a predetermined period of time after requesting the transmission of x _ij at step S22, or rejection If the signal has been sent, the determination in step S24 is negative. If the determination in step S24 is negative, the process of step S26 is not performed, and the restoration process ends.

By the way, according to the Lagrange's interpolation formula, from k points (x ₁ , y ₁ ),..., (X _k , y _k ) having different x coordinates, a polynomial W (x ). 3. Sharing of the asymmetric secret sharing method described above. Means that a polynomial is obtained by Lagrange's interpolation formula, but the relationship between x and y may be interchanged. Therefore, from k points (x ₁ , y ₁ ),..., (X _k , y _k ) having different y coordinates, a polynomial F (y) of degree k−1 or less passing through these points may be obtained. The obtained curve is W (x) = F (y). That is, in the present embodiment, the generated variance value is disclosed and the base x coordinate is generated based on the conventional secret sharing method in which the x coordinate is disclosed and the y coordinate is generated and concealed as a variance value.・ Correspond to concealment. When the owner does not permit the restoration of the request information transmitted in step S22, the owner controls the restoration of the confidential information by not performing the operation of inhibiting the restoration and not transmitting _xij to the restoration device 14. be able to. As a result, it is possible to suppress leakage of the secret information while the owner of the secret information does not know. Further, security equal to or higher than that of the asymmetric secret sharing scheme can be ensured.

In the present embodiment, a description will be given of a case where x _ij is generated by encrypting information obtained by concatenating dID [s _j ] and i with key ₀ in step S10 of the distributed processing. However, the present invention is not limited to this. For example, key _i may be generated by encrypting i using key _0, and x _ij may be generated by encrypting dID [s _j ] using key _i . Further, for example, key _j may be generated by encrypting dID [s _j ] using key _0, and x _ij may be generated by encrypting i using key _j .

In the present embodiment, a case has been described in which t x _ij are generated and the remaining _nt x _ij are predetermined, but the present invention is not limited to this. In step S10 of the distributed processing, all n x _ij (i = 1,..., N) may be generated. In this case, in step S22 of the restoration process, an example in which request information for requesting transmission of all x _ij necessary for restoration is transmitted to the generation device 12 is exemplified.

[Second embodiment]
A second embodiment of the disclosed technology will be described. The configuration of the secret sharing system 10 (see FIG. 1), the hardware configuration of the generation device 12 (see FIG. 2), and the hardware configuration of the restoration device 14 (see FIG. 3) are the same as those in the first embodiment. Therefore, the description is omitted.

  Since the above-mentioned asymmetric secret sharing scheme does not introduce a process of permitting restoration of secret information by the owner at the time of restoration, the user who can obtain k shared values including the key server is an attacker. Can also recover confidential information. When it is assumed that there are a plurality of users, a specific owner cannot manage the key server. In addition, one user is used, and the user (that is, the owner of the secret information) manages all key servers, that is, <1> of <sharing> of the asymmetric secret sharing method. And 2. Is performed by the owner, the owner can generate up to k-1 variance values, but <restoration> does not include permission processing for restoration by the owner. Further, in the asymmetric secret sharing scheme, since it is assumed that there is a key server, the procedure for generating a shared value using a key stored in the key server is fixed. In the present embodiment, a more general-purpose method will be described. According to this method, the problem (A) is universally solved.

In the present embodiment, it is assumed that the server IDs (x _ij ) of all the servers 16 are determined in advance and are publicly available. In the present embodiment, among the servers 16, the server 16 functioning as a key server is referred to as a "key server 16", and the server 16 functioning as a data server is referred to as a "data server 16". However, since the key server 16 exists in the generation device 12, the server 16 specified in the figure is the data server 16, and nt units are prepared. The other assumptions are the same as in the first embodiment.

  The operation of the secret sharing system 10 according to the present embodiment will be described with reference to FIGS. First, a distribution process for distributing secret information according to the present embodiment will be described with reference to FIG. When the CPU 20 of the generation device 12 executes the generation program 28, the distributed processing illustrated in FIG. 6 is executed.

In step S30 in FIG. 6, the CPU 20 converts the identification information dID [s _j ] for identifying the secret information s _j using one secret key key ₀ according to the following equation (7), thereby obtaining t t A variance q _ij corresponding to x _ij (i = 1,..., T) is generated.
q _ij = Enc (dID [s _j ] | i, key ₀ ) (i = 1,…, t, j = 1,…, m)… (7)

In step S32, the CPU 20 determines the coefficient vector A (i) of the k−1-th order dispersion equation of the above equation (1) = k−1−t order in [s _i , a _i1 ,..., A _ik-1 ] ^T The partial vector A ^′ _k−1−t = [a _{it + 1} ,..., A _ik−1 ] ^T is determined for each i using a true random number. Thereafter, the CPU 20 uses Q = [q _i1 ,..., Q _it ] ^T composed of the t pseudo random numbers q _ij generated in step S30 and the ID series of the key server 16 to obtain the following equation (8). according, the dispersion equation k-1 order partial vectors _{a (i) k-1 =} [a i1, ..., a ik-1] the remainder of the vector a _^'t (i) in ^T = _{[a i1,} ..., a _it ] ^T is calculated for each i.

In step S34, CPU 20, the server ID is _x it + 1, _..., variance _W it + 1 on the data server 16 is _{x in, ...,} a _{W in,} using the generated coefficient matrix in step S32, (k, n) It is calculated by the same procedure as the threshold secret sharing method.

In step S36, the CPU 20 transmits the variance value W _ij (j = t + 1,..., N) calculated in step S34 to the corresponding data server 16. Each data server 16 stores the received variance value W _ij . When the processing in step S36 ends, the distributed processing ends.

  Next, with reference to FIG. 7, a description will be given of a restoration process for restoring secret information from a shared value distributed by the sharing process illustrated in FIG. The restoration processing shown in FIG. 7 is executed by the CPU 30 of the restoration device 14 executing the restoration program 38.

In step S40 of FIG. 7, the CPU 30 transmits request information requesting transmission of the variance value corresponding to dID [s _j ] to the generation device 12. After the generation device 12 receives the request information, the owner performs an operation to permit the restoration of the secret information via the input device 24 when the restoration of the secret information is permitted. An operation for prohibiting restoration is performed via the program 24. When an operation to permit restoration is performed by the owner, the CPU 20 of the generation device 12 generates a variance value q _ij by the same processing as in step S30, and transmits the generated variance value q _ij to the restoration device 14. Further, when an operation to prohibit restoration is performed by the owner, the CPU 20 does not generate the variance value q _ij . That is, in this case, the CPU 20 does not transmit the variance value q _ij to the restoration device 14.

In step S42, the CPU 30 determines whether or not the variance value q _ij transmitted from the generation device 12 in response to the request in step S40 has been received. If this determination is affirmative, the process proceeds to step S44.

In step S44, the CPU 30 restores the secret information s _j using the k variance values obtained together with W _{ij of the} data server 16. When the processing in step S44 ends, the present restoration processing ends.

On the other hand, for example, when the variance value q _ij is not received even after a predetermined period has elapsed after requesting the transmission of the variance value q _ij in step S40, the determination in step S42 is negative. If the determination in step S42 is negative, the process in step S44 is not performed, and the restoration process ends.

In the present embodiment, a case will be described where _qij is generated by encrypting information obtained by concatenating dID [s _j ] and i with key ₀ in step S30 of the distributed processing. However, the present invention is not limited to this. For example, key _i may be generated by encrypting i using key _0, and q _ij may be generated by encrypting dID [s _j ] using key _i . Also, for example, key _j may be generated by encrypting dID [s _j ] using key _0, and q _ij may be generated by encrypting i using key _j .

[Third embodiment]
A third embodiment of the disclosed technology will be described. The configuration of the secret sharing system 10 (see FIG. 1), the hardware configuration of the generation device 12 (see FIG. 2), and the hardware configuration of the restoration device 14 (see FIG. 3) are the same as those in the first embodiment. Therefore, the description is omitted.

In the first embodiment, an example in which x _ij for identifying a _shared value is generated using one secret key key ₀ and in the second embodiment, a shared value q _ij is generated using one secret key key ₀ will be described. However, in the present embodiment, an embodiment in which these embodiments are combined will be described. This combination can solve the problem (B) in addition to the problem (A).

In general, the secret information s is a k-number of variance values _{y i,} using the k number of values _{x i} identifies the variance value _{y i,} determined as follows from the interpolation formula to Lagrange. A polynomial W (x) of degree k−1 or less passing k points (x ₁ , y ₁ ), (x ₂ , y ₂ ),..., (x _k , y _k ) having different x-coordinates is 9) It is expressed by the equation.

  However,

And Therefore, the secret information s has the value of W (0). Here, when the server 16 is hijacked by the attacker and the hijacked server 16 outputs a false value y _i + Δy _i , the false W ^′ (0) is expressed by the following equation (10).

For example, in the first restoration, a false variance value y _i + Δy _i is output from the server 16 to restore W ^′ (0), and in the second restoration, a false y _j + Δy _j that is different from the first restoration is added to the server 16. If is output W ^'' (0) is restored from the difference is represented by shown below (11).

Therefore, if Δy _i and Δy _j have the relationship of the following equation (12), the difference between W ^′ (0) and W ^″ (0) is 0, that is, the first and second times are different. The secret information restored respectively matches. Therefore, in this case, it cannot be determined that the restored secret information has a false value.

  However,

Is not determined unless all x _k can be specified. Therefore, if the unknown _{x k} exists for an attacker against the attacker server 16 the compromised, W a ^'(0) and ^W' '(0) difference between becomes 0 [Delta] y _i and [Delta] y _j Cannot be set.

Therefore, in the present embodiment, both the problem (A) relating to leakage of secret information and the problem (B) relating to falsification of secret information are solved by performing the following processing. In the following, as in the second embodiment, nt servers 16 are prepared using only the data server 16 and the server ID x _ij of the data server 16 is predetermined and publicly available. I do. In addition, n> k, and other assumptions are the same as in the first embodiment.

  The operation of the secret sharing system 10 according to the present embodiment will be described with reference to FIGS. First, a distribution process for distributing secret information according to the present embodiment will be described with reference to FIG. When the CPU 20 of the generation device 12 executes the generation program 28, the distributed processing illustrated in FIG. 8 is executed.

At step S50 in FIG. 8, the CPU 20 converts the identification information dID [s _j ] for identifying the secret information s _j using one secret key key ₀ according to the following equation (13), thereby obtaining t t T x _ij corresponding to one server 16 are generated.
x _ij = Enc (dID [s _j ] | i | 0, key ₀ ) (i = 1,…, t, j = 1,…, m)… (13)

In step S52, the CPU 20 converts the identification information dID [s _j ] for identifying the secret information s _j using one secret key key ₀ according to the following equation (14), thereby obtaining t x x Generate a variance value q _ij corresponding to _ij (i = 1,..., t).
q _ij = Enc (dID [s _j ] | i | 1, key ₀ ) (i = 1,…, t, j = 1,…, m)… (14)

As described above, in the present embodiment, the t (≦ k−1) x _ij generated in step S50 is different from the variance value (x _ij is 0, q _ij is 1) by changing the values to be linked. It is generated as a value different from q _ij . The values to be linked are 0 and 1, but are not limited thereto, and any value may be used.

In step S54, CPU 20 uses the generated value in step S50, S52, variance _W it + 1 other than the t distribution value _{q ij, ...,} and calculates the coefficients for calculating the _{W in.} Specifically, the CPU 20 calculates the coefficient vector A (i) of the k−1-th order dispersion equation of the above equation (1) = k−1−t in [s _i , a _i1 ,..., A _ik−1 ] ^T. The next partial vector A ^′ _k−1−t = [a _{it + 1} ,..., A _ik−1 ] ^T is determined for each i using a true random number. Thereafter, the CPU 20 uses Q = [q _i1 ,..., Q _it ] ^T composed of the t pseudo-random numbers q _ij generated in step S50 and the ID series of the key server 16 generated in step S52, according to (15), the dispersion equation k-1 order partial vectors _{a (i) k-1 =} [a i1, ..., a ik-1] the remainder of the vector a _^'t (i) in ^T = [ a _i1 ,... a _it ] ^T is calculated for each i.

In step S56, CPU 20, the server ID is _x it + 1, _..., variance _W it + 1 on the data server 16 is _{x in, ...,} a _{W in,} using the generated coefficient matrix in step S54, (k, n) It is calculated by the same procedure as the threshold secret sharing method.

In step S58, the CPU 20 transmits the variance value W _ij (j = t + 1,..., N) calculated in step S56 to the corresponding data server 16. Each data server 16 stores the received variance value W _ij . When the processing in step S58 ends, the distributed processing ends.

  Next, with reference to FIG. 9, a description will be given of a restoration process for restoring secret information from a shared value distributed by the sharing process illustrated in FIG. The restoration process shown in FIG. 9 is executed by the CPU 30 of the restoration device 14 executing the restoration program 38.

In step S60 of FIG. 9, the CPU 30 receives _kt + u variance values W _ij stored in the data server 16. Note that u represents the number of variance values for verification (an integer of 1 or more). In step S62, the CPU 30 transmits, to the generation device 12, request information for requesting transmission of t variance values and _xij for identifying the variance values. After the generation device 12 receives the request information, the owner performs an operation to permit the restoration of the secret information via the input device 24 when the restoration of the secret information is permitted. An operation for prohibiting restoration is performed via the program 24. The CPU 20 of the generation device 12 generates x _ij and the variance value q _ij by the same processing as steps S50 and S52 when the operation of permitting the restoration is performed by the owner, and generates the generated x _ij and the variance value q _ij. Is transmitted to the restoration device 14. Further, when an operation to prohibit restoration is performed by the owner, the CPU 20 does not generate the x _ij and the variance q _ij . That is, in this case, the CPU 20 does not transmit the x _ij and the variance q _ij to the restoration device 14.

In step S64, the CPU 30 determines whether or not the x _ij and the variance q _ij transmitted from the generation device 12 in response to the request in step S62 have been received. If this determination is affirmative, the process proceeds to step S66.

In step S66, CPU 30 is obtained k + u pieces of _{q ij, W ij,} and with _{x ij,} and a value of dispersion different _{W ij} obtained from the data server 16 _{(q ij} are the same), the secret information Restore s _j u + 1 times. In other words, the CPU 30 restores the secret information two or more times by using the coefficient generated in step S54 and combining different shared values generated from the same secret information in step S56.

In step S68, CPU 30 uses the recovered u + 1 pieces of secret information _{s j} in step S66, the verifying secret information _{s j} which restored. Specifically, when u + 1 pieces of secret information s _j restored in step S66 match, CPU 30 determines that secret information s _j is correct, and when different, secret information s _j is incorrect. That is, it is determined that at least one of the data servers 16 has been attacked. When determining that the secret information s _j is correct, the CPU 30 performs a process using the secret information s _j . On the other hand, if the CPU 30 determines that the secret information s _j is invalid, it displays an error message on the display device 33, for example. When the processing in step S68 ends, the present restoration processing ends.

On the other hand, for example, in such case where x _ij and x _ij and variance values q _ij be transmitted from the requesting after the lapse of a predetermined period of variance q _ij is not received in step S62, a negative determination of step S64 Judgment. If the determination in step S64 is negative, the restoration processing ends without executing the processing in steps S66 and S68.

This will be described below using a specific example. For example, when k = 3, n = 4, t = 2, and u = nk = 1, the generation device 12 includes two key servers 16 since t = 2, and therefore, generates x ₁ and x _{1 2,} and a variance value q _ij corresponding to x ₁ and x ₂ is generated. In this case, there are two data servers 16 since nt = 2, and their server IDs x ₃ and x ₄ are disclosed. Consider a case where these two data servers 16 are hijacked by an attacker and output false variance values y ₃ + Δy ₃ and y ₄ + Δy ₄ .

In this case, the restoring device 14 performs the restoring process by changing the external variance value. That is, the restoring device 14 restores the secret information by a combination of x ₁ , x ₂ , and x _{3 at} the _first time, and performs the x ₁ , to restore the secret information by a combination of _{x 2,} x _4. Here, since x ₁ and x ₂ are values for identifying the variance value generated by the generation device 12, the attacker cannot know x ₁ and x ₂ . In this case, false W ^′ (0) shown in the following equation (16) is restored by the first restoration.

In this case, the false restoration W ^″ (0) shown in the following expression (17) is restored by the second restoration.

Here, even if two data servers 16 corresponding to x ₃ and x ₄ are hijacked by the same attacker, the attacker cannot know x ₁ and x ₂ , so the following (18) ) Can not set Δy ₃ and Δy ₄ . For this reason, W ^′ (0) does not match W ^″ (0). Therefore, the restoration device 14 can verify that the data server 16 has output a fake variance value.

In the above example, and u = 1, in addition to the data server 16 corresponding to x _3, to obtain a dispersion value for the verification from the data server 16 corresponding to x _4. In this case, it cannot be determined whether one or both of the two data servers 16 are unauthorized.

For example, if k = 3, n = 5, t = 2, u = n-k = 2, there are three data server 16, used for validation in addition to the two dispersion values of _{x 3} be able to. Here, only the data server 16 corresponding to x ₅ is hijacked, consider the case of outputting a variance value y _{5 +} Δy ₅ false. In this case, the two secret information obtained by performing the two restorations using the variance values corresponding to x ₃ and x ₄ are equal because Δy ₃ = Δy ₄ = 0, and the variance values corresponding to x ₅ Only the confidential information restored using is different from other confidential information. That is, in this case, the unauthorized data server 16 can be specified.

  Also, if two data servers 16 are hijacked, all three pieces of secret information obtained by the three restorations are different, so in this case, it is determined that two or more data servers 16 are illegal. Can be. Accordingly, if the number of data servers 16 that are hijacked and output a fake variance value is e, if e <u, an unauthorized data server 16 can be specified.

In the present embodiment, in steps S50 and S52 of the distributed processing, the variance value q _ij and the x _ij for identifying the variance value q _ij are different values by connecting different numbers (0 and 1 in the present embodiment). However, the present invention is not limited to this. Any other method may be used as long as x _ij is different from variance q _ij .

Further, in the present embodiment, step S50, S52 dID the _{x ij} and variance values _{q ij} in distributed processing _[s j], i, and 0 (or 1) is connected to, and generated by encrypting one Although the case has been described, the present invention is not limited to this. For example, the combination to be connected may be different from that of the present embodiment, or x _ij and the shared value q _ij may be generated by performing encryption multiple times.

Also, through the first to third embodiments, x _ij are generated for each secret information s _i, which, when restoring single secret information, from generator 12 can be obtained x _ij , And other confidential information to which different x _ij is set cannot be restored. Thereby, a decrease in safety can be suppressed. Further, even if the attacker attempts to obtain x _ij from the variance, x _ij cannot be similarly obtained because the variance is stored only in nt (<k) data servers 16.

[Fourth embodiment]
A fourth embodiment of the disclosed technology will be described. The configuration of the secret sharing system 10 (see FIG. 1), the hardware configuration of the generation device 12 (see FIG. 2), and the hardware configuration of the restoration device 14 (see FIG. 3) are the same as those in the first embodiment. Therefore, the description is omitted.

  In the third embodiment, an example in which a variance value for verification is used has been described on the assumption that n> k. In the present embodiment, an example in which n = k and a variance value for verification is not used will be described. In the present embodiment, one piece of secret information is distributed twice using different distribution formulas, and verification is performed by checking whether or not the secret information obtained by the two restorations matches, as in the third embodiment.

  The operation of the secret sharing system 10 according to the present embodiment will be described with reference to FIGS. First, a distribution process for distributing secret information according to the present embodiment will be described with reference to FIG. When the CPU 20 of the generation device 12 executes the generation program 28, the distributed processing illustrated in FIG. 10 is executed.

In step S70 of FIG. 10, the CPU 20 converts the identification information dID [s _j ] for identifying the secret information s _j using one secret key key ₀ according to the following equations (19) and (20). Then, x _ij and x ^′ _ij are generated. The x _ij and x ^′ _ij correspond to two different server IDs.
x _ij = Enc (dID [s _j ] | i | 0, key ₀ ) (i = 1,…, t, j = 1,…, m)… (19)
x ^' _ij = Enc (dID [s _j ] | i | 2, key ₀ ) (i = 1,…, t, j = 1,…, m)… (20)

In step S72, the CPU 20 converts the identification information dID [s _j ] for identifying the secret information s _j using one secret key key ₀ according to the following equation (21), thereby obtaining t x x Generate a variance value q _ij corresponding to _ij (i = 1,..., t). Further, the CPU 20 converts the identification information dID [s _j ] for identifying the secret information s _j using one secret key key ₀ in accordance with the following equation (22), thereby obtaining t x ^′ _ij. A variance value q ^′ _ij corresponding to (i = 1,..., T) is generated.
q _ij = Enc (dID [s _j ] | i | 1, key ₀ ) (i = 1,…, t, j = 1,…, m)… (21)
q ^' _ij = Enc (dID [s _j ] | i | 2, key ₀ ) (i = 1,…, t, j = 1,…, m)… (22)

In step S74, the CPU 20 sets <4> of <sharing> of the asymmetric secret sharing scheme. The k-1 order polynomial W (x) passing through t (x _ij , q _ij ) and (0, s _j ) is obtained by using the procedure of (1). The polynomial W (x) is represented by the following equation (23).

In step S76, the CPU 20 sets <4> of <sharing> of the asymmetric secret sharing scheme. By using the above procedure, a k−1-th order polynomial V (x) passing through t (x ^′ _ij , q ^′ _ij ) and (0, s _j ) is obtained. The polynomial V (x) is represented by the following equation (24).

In step S78, CPU 20, the server ID is _x it + 1, _..., variance _W it + 1 on the data server 16 is _{x in, ...,} a _{W in,} using the calculated polynomial W (x) in step S74, (k , N) Calculate by the same procedure as the threshold secret sharing method.

In step S80, CPU 20, the server ID is _x it + 1, _..., variance _V it + 1 on the data server 16 is _{x in, ...,} a _{V in,} using the calculated polynomial V (x) in step S76, (k , N) Calculate by the same procedure as the threshold secret sharing method.

In step S82, the CPU 20 transmits the variance values W _ij , V _ij (j = t + 1,..., N) calculated in steps S78 and S80 to the corresponding data server 16. Each data server 16 stores the received dispersion values W _ij and V _ij . When the processing in step S82 ends, the distributed processing ends.

  Next, with reference to FIG. 11, a description will be given of a restoration process for restoring secret information from the shared value distributed by the sharing process illustrated in FIG. When the CPU 30 of the restoration device 14 executes the restoration program 38, the restoration processing shown in FIG. 11 is executed.

In step S90 of FIG. 11, the CPU 30 receives _kt variance values W _ij and V _ij stored in the data server 16. In step S92, the CPU 30 generates request information for requesting transmission of t variance values q _ij , q ^′ _ij and x _ij , x ^′ _ij for identifying the variance values q _ij , q ^′ _ij. 12 is transmitted. After the generation device 12 receives the request information, the owner performs an operation to permit the restoration of the secret information via the input device 24 when the restoration of the secret information is permitted. An operation for prohibiting restoration is performed via the program 24. The CPU 20 of the generation device 12 generates x _ij , x ^′ _ij and variance values q _ij , q ^′ _ij by the same processing as in steps S70 and S72 when an operation to permit restoration is performed by the owner. The obtained x _ij , x ^′ _ij and the variance values q _ij , q ^′ _ij are transmitted to the restoration device 14. Further, when an operation to prohibit restoration is performed by the owner, the CPU 20 does not generate x _ij , x ^′ _ij and variance values q _ij , q ^′ _ij . That is, in this case, the CPU 20 does not transmit the x _ij , x ^′ _ij and the variance values q _ij , q ^′ _ij to the restoration device 14.

In step S94, the CPU 30 determines whether x _ij , x ^′ _ij and variance values q _ij , q ^′ _ij transmitted from the generating device 12 in response to the request in step S92. If this determination is affirmative, the process proceeds to step S96.

In step S96, the CPU 30 restores the secret information s _j by the polynomial W (x) using the obtained k q _ij , W _ij , and x _ij . Further, the CPU 30 restores the secret information s _j by the polynomial V (x) using the obtained k q ^′ _ij , V _ij and x ^′ _ij .

In step S98, CPU 30 uses the two secret _{s j} restored in step S96, verifies the secret _{s j} which restored. Specifically, CPU 30, when the secret information _{s j} restored by secret _{s j} and the polynomial V (x) was restored by polynomial W (x) match, it determines that the secret _{s j} is correct. On the other hand, when the secret information s _j restored by the polynomial W (x) is different from the secret information s _j restored by the polynomial V (x), the CPU 30 determines that the secret information s _j is invalid, that is, the data server 16. Is determined to have been attacked. When determining that the secret information s _j is correct, the CPU 30 performs a process using the secret information s _j . On the other hand, if the CPU 30 determines that the secret information s _j is invalid, it displays an error message on the display device 33, for example. When the processing in step S98 ends, the restoration processing ends.

On the other hand, for example, _x ij at step S92, x _^'ij and variance values _q ij, _{^q' x} ij even after a predetermined period of time after requesting the transmission of the _ij, x _^'ij and variance values _q ij, ^q' _{For example, when ij} is not received, the determination in step S94 is negative. If the determination in step S94 is negative, the restoration processing ends without executing the processing in steps S96 and S98.

This will be described below using a specific example. For example, consider the case where n = k = 2 and t = 1. In this case, the data server 16 is a n-t = 1 units, the server ID of the data server 16 and x _2, assumed to be compromised by an attacker. Consider the case where the data server 16 corresponding to the _{x 2} outputs the variance _{W 2 + ΔW 2, V 2} + ΔV 2 fake.

In this case, the restoration device 14 restores W ^′ (0) represented by the following expression (25) by performing the restoration of the secret information by the polynomial W (x) for the first time.

Further, in this case, the restoring device 14 restores V ^′ (0) represented by the following expression (26) by performing the restoration of the secret information using the polynomial V (x) for the second time.

The difference between W ^′ (0) and V ^′ (0) is 0 if ΔW ₂ and ΔV ₂ are in the relationship of the following equation (27), but the attacker knows x ₁ and x ^′ ₁ Therefore, ΔW ₂ and ΔV ₂ at which the difference between W ^′ (0) and V ^′ (0) becomes 0 cannot be set. For this reason, W ^′ (0) does not match V ^′ (0). Therefore, the restoration device 14 can verify that the data server 16 has output a fake variance value.

[Fifth Embodiment]
A fifth embodiment of the disclosed technology will be described. In the third and fourth embodiments, the legitimacy of the restored secret information is verified by using the verification sharing value without using a technique different from the secret sharing such as the MAC for verifying the sharing value. The method has been described. This method is simple because a variance value of the same format is used without using a MAC or the like, and the format such as the bit length can be made the same (the MAC has a defined bit length). In the present embodiment, an example in which a verification method of a decryption result having the same characteristics as those of the third and fourth embodiments is applied to encryption technology will be described.

  First, the configuration of the communication system 40 according to the present embodiment will be described with reference to FIG. As shown in FIG. 12, the communication system 40 includes a transmitting device 42 and a receiving device 44. The transmitting device 42 and the receiving device 44 are connected to the network N and can communicate with each other. In the present embodiment, the transmitting device 42 and the receiving device 44 store the same secret key.

  The transmitting device 42 is a device that is operated by a sender that transmits confidential information, and an example of the transmitting device 42 is an information processing device such as a personal computer. The receiving device 44 is a device operated by a recipient who receives the secret information, and an example of the receiving device 44 is an information processing device such as a personal computer.

  Next, a hardware configuration of the transmission device 42 according to the present embodiment will be described with reference to FIG. As shown in FIG. 13, the transmission device 42 includes a CPU 50, a memory 51 as a temporary storage area, and a nonvolatile storage unit 52. The transmitting device 42 includes a display device 53 such as a liquid crystal display, an input device 54 such as a keyboard, and a network I / F 55 connected to the network N. The CPU 50, the memory 51, the storage unit 52, the display device 53, the input device 54, and the network I / F 55 are connected to the bus 56.

  The storage unit 52 is realized by an HDD, an SSD, a flash memory, and the like. The transmission program 58 is stored in the storage unit 52 as a storage medium. The CPU 50 reads the transmission program 58 from the storage unit 52, expands it in the memory 51, and executes the expanded transmission program 58. When the CPU 50 executes the transmission program 58, it operates as a generation unit and a transmission unit according to the disclosed technology.

  Next, a hardware configuration of the receiving device 44 according to the present embodiment will be described with reference to FIG. As shown in FIG. 14, the receiving device 44 includes a CPU 60, a memory 61 as a temporary storage area, and a nonvolatile storage unit 62. The receiving device 44 includes a display device 63 such as a liquid crystal display, an input device 64 such as a keyboard, and a network I / F 65 connected to the network N. The CPU 60, the memory 61, the storage unit 62, the display device 63, the input device 64, and the network I / F 65 are connected to the bus 66.

  The storage unit 62 is realized by an HDD, an SSD, a flash memory, and the like. The storage unit 62 as a storage medium stores a reception program 68. The CPU 60 reads out the reception program 68 from the storage unit 62, expands it in the memory 61, and executes the expanded reception program 68. When the CPU 70 executes the receiving program 68, it operates as a receiving unit and a verifying unit according to the disclosed technology.

  Next, the operation of the communication system 40 according to the present embodiment will be described with reference to FIGS. First, a transmission process of transmitting secret information will be described with reference to FIG. The transmission process shown in FIG. 15 is executed by the CPU 50 of the transmission device 42 executing the transmission program 58.

In step S100 of FIG. 15, the CPU 50 generates a _first random number a ₁ and a second random number α ₁ using a secret key. In step S102, CPU 50, to the secret information a, by the action of the first random number _{a 1} and the second random number alpha ₁ generated in step S100 to generate the first transmission data. Specifically, the CPU 50 multiplies the result obtained by adding the first random number a ₁ to the secret information a by the second random number α ₁ to encrypt the first transmission data (α ₁ (A + a ₁ )). In step S104, the CPU 50 transmits the first transmission data generated in step S102 to the receiving device 44.

In step S106, CPU 50 uses the secret key to generate a third random number _{a 2} and the fourth random number alpha _2. In step S108, CPU 50 is similar for secret information a, the fourth random number alpha ₂ was replaced with the third random number _{a 2} and a second random number alpha ₁ was replaced with the first random number _{a 1} in step S102 To generate the second transmission data. Specifically, CPU 50 is a result obtained by adding the third random number a ₂ secret information a, the second transmission data encrypted by multiplying the fourth random number alpha ₂ (alpha ₂ (A + a ₂ )). In step S110, the CPU 50 transmits the second transmission data generated in step S108 to the same receiving device 44 as the transmission destination of the first transmission data. When the processing in step S110 ends, the transmission processing ends.

  Next, a reception process for receiving information transmitted by the transmission process shown in FIG. 15 will be described with reference to FIG. When the CPU 60 of the receiving device 44 executes the receiving program 68, the receiving process shown in FIG. 16 is executed.

In step S120 in FIG. 16, the CPU 60 receives the first transmission data transmitted from the transmission device 42 in step S104 of the transmission process. In step S122, the CPU 60 generates a _first random number a ₁ and a second random number α ₁ using the same secret key as the secret key stored in the transmitting device 42.

In step S124, CPU 60, from the first transmission data received in step S120, to eliminate the second random number alpha ₁ generated in step S122. Specifically, CPU 60 divides the first transmission data in the second random number alpha _1. That is, the result of eliminating the second random number α ₁ from the first transmission data is represented by α ₁ (a + a ₁ ) / α ₁ .

In step S126, CPU 60 receives the second transmission data transmitted from transmission device 42 in step S110 of the transmission process. In step S128, CPU 60 uses the secret key and the same secret key transmitting device 42 has stored, to generate a third random number _{a 2} and the fourth random number alpha _2.

In step S130, CPU 60, from the second transmission data received in step S126, eliminating the fourth random number alpha ₂ generated in step S128. Specifically, CPU 60 divides the second transmission data in the fourth random number alpha _2. In other words, the results from the second transmission data to eliminate the fourth random number alpha ₂ is represented by _{α 2 (a + a 2)} / α 2.

In step S132, the CPU 60 calculates a difference between the exclusion result in step S124 and the exclusion result in step S130. This difference is expressed by the following equation (28).
α ₁ (a + a ₁ ) / α ₁ −α ₂ (a + a ₂ ) / α ₂ (28)

Then, the CPU 60 determines whether or not the calculated difference is equal to the difference (a ₁ −a ₂ ) between the first random number a ₁ generated in step S122 and the third random number a ₂ generated in step S128. Verify. Specifically, CPU 60 is (28) difference calculated by the equation is equal to the difference of the first random number a ₁ and the third random number a _2, it is determined that the received data is correct, the secret information a Is decrypted. On the other hand, decision CPU60 is that the difference calculated by the equation (28), if the first random number a ₁ and different from the third difference between the random number a _2, there is illegal, such as tampering or counterfeiting in the received data Then, for example, an error message is displayed on the display device 63. When the processing in step S132 ends, the reception processing ends.

In the present embodiment, the attacker causes the receiving device 44 to receive α ₁ (a + a ₁ ) + Δ ₁ as fake first transmission data and α ₂ (a + a ₂ ) + Δ ₂ as fake second transmission data. It can be received by the receiving device 44. However, since the attacker cannot know a ₁ , α ₁ , a ₂ , and α ₂ , it generates fake transmission data such that the difference represented by the expression (28) is equal to a ₁ −a _2. I can't. Therefore, the receiving device 44 can verify the validity of the received data.

  In the above embodiments, various processes executed by the CPU executing software (programs) may be executed by various processors other than the CPU. In this case, the processor for executing a specific process such as a programmable logic device (PLD) whose circuit configuration can be changed after manufacturing a field-programmable gate array (FPGA) and an application specific integrated circuit (ASIC). A dedicated electric circuit or the like which is a processor having a circuit configuration designed exclusively is exemplified. In addition, various processes may be executed by one of these various processors, or a combination of two or more processors of the same type or different types (for example, a plurality of FPGAs, a combination of a CPU and an FPGA, or the like). ). Further, the hardware structure of these various processors is more specifically an electric circuit in which circuit elements such as semiconductor elements are combined.

  In the first to fourth embodiments, the mode in which the generation program 28 is stored (installed) in the storage unit 22 in advance has been described, but the present invention is not limited to this. The generation program 28 may be provided in a form recorded on a recording medium such as a CD-ROM (Compact Disc Read Only Memory), a DVD-ROM (Digital Versatile Disc Read Only Memory), and a USB (Universal Serial Bus) memory. Good. The generation program 28 may be downloaded from an external device via a network.

  In the first to fourth embodiments, the mode in which the restoration program 38 is stored (installed) in the storage unit 32 in advance has been described, but the present invention is not limited to this. The restoration program 38 may be provided in a form recorded on a recording medium such as a CD-ROM, a DVD-ROM, and a USB memory. The restoration program 38 may be downloaded from an external device via a network.

  In the fifth embodiment, the mode in which the transmission program 58 is stored (installed) in the storage unit 52 in advance has been described, but the present invention is not limited to this. The transmission program 58 may be provided in a form recorded on a recording medium such as a CD-ROM, a DVD-ROM, and a USB memory. Further, the transmission program 58 may be configured to be downloaded from an external device via a network.

  In the fifth embodiment, the mode in which the reception program 68 is stored (installed) in the storage unit 62 in advance has been described, but the present invention is not limited to this. The receiving program 68 may be provided in a form recorded on a recording medium such as a CD-ROM, a DVD-ROM, and a USB memory. The receiving program 68 may be downloaded from an external device via a network.

Reference Signs List 10 secret sharing system 12 generating device 14 restoring device 16 server 20, 30, 50, 60 CPU
21, 31, 51, 61 memory 22, 32, 52, 62 storage unit 28 generation program 38 restoration program 40 communication system 42 transmission device 44 reception device 58 transmission program 68 reception program

Claims (14)

When n is an integer of 2 or more and k is an integer of 2 or more and n or less, the secret information is distributed into n pieces of shared values, and the secret information can be restored by the k pieces of shared values. System that cannot restore
A generation device comprising: a generation unit configured to generate a value corresponding to each of at least k−1 or less of the shared values by converting identification information for identifying the secret information using one secret key. When n is an integer of 2 or more and k is an integer of 2 or more and n or less, the secret information is distributed into n pieces of shared values, and the secret information can be restored by the k pieces of shared values. System that cannot restore
A generation device comprising: a generation unit configured to generate k−1 or less of the shared values by converting identification information for identifying the secret information using one secret key. The generation device according to claim 2, wherein the generation unit calculates a coefficient for obtaining a share value other than the k−1 or less share values using the generated value and the secret information. A receiving unit that receives a value generated by the generating device according to claim 1 or 2,
A restoring unit that restores the secret information using the value received by the receiving unit,
Restoration device equipped with. A restoring unit comprising: a restoring unit that restores the secret information two or more times by a combination of different variance values generated from the same secret information using a coefficient generated by the generation device according to claim 3. Generating first transmission data by applying a first random number and a second random number to the secret information;
A generation unit configured to generate second transmission data by causing a third random number instead of the first random number and a fourth random number instead of the second random number to act on the secret information in a similar manner;
A transmitting unit that transmits the first transmission data and the second transmission data to the same receiving device;
A transmission device comprising: A receiving unit that receives the first transmission data and the second transmission data transmitted by the transmission device according to claim 6,
The difference between the result of removing the second random number from the first transmission data and the result of removing the fourth random number from the second transmission data is the difference between the first random number and the third random number. A verification unit that verifies whether the difference is equal to
A receiving device comprising: When n is an integer of 2 or more and k is an integer of 2 or more and n or less, the secret information is distributed into n pieces of shared values, and the secret information can be restored by the k pieces of shared values. System that cannot restore
Generating a process for causing a computer to execute processing for generating values corresponding to at least k-1 or less of the shared values by converting identification information for identifying the secret information using one secret key program. When n is an integer of 2 or more and k is an integer of 2 or more and n or less, the secret information is distributed into n pieces of shared values, and the secret information can be restored by the k pieces of shared values. System that cannot restore
A generation program for causing a computer to execute a process of generating k−1 or less of the shared values by converting identification information for identifying the secret information using one secret key. The generation program according to claim 9, further causing the computer to execute a process of calculating a coefficient for obtaining a variance value other than the k−1 or less variance values using the generated value and the secret information. . Receiving a value generated by executing the generation program according to claim 8 or 9;
A restoration program for causing a computer to execute a process of restoring the secret information using a received value. A computer executes a process of restoring the secret information two or more times by using a combination of different variance values generated from the same secret information by using a coefficient generated by executing the generation program according to claim 10. Restore program for. Generating first transmission data by applying a first random number and a second random number to the secret information;
A second transmission data is generated by causing a third random number in place of the first random number and a fourth random number in place of the second random number to act on the secret information in the same manner,
A transmission program for causing a computer to execute a process of transmitting the first transmission data and the second transmission data to the same receiving device. Receiving the first transmission data and the second transmission data transmitted by executing the transmission program according to claim 13,
The difference between the result of removing the second random number from the first transmission data and the result of removing the fourth random number from the second transmission data is the difference between the first random number and the third random number. A receiving program for causing a computer to execute a process of verifying whether or not the difference is equal to the difference.