JP2020056840A - Sharing device, secure computation device, verification restoration device, sharing system, secure computation verification restoration system, and program - Google Patents

Abstract

To allow for efficiently repeating secure computation even if secret information includes zeros.SOLUTION: A first generation unit generates a first value obtained by applying first and second random numbers to first secret information, and then generates a second value obtained by applying a third random number to at least either of the first random number and the first secret information.SELECTED DRAWING: Figure 1

Description

  The present disclosure relates to a distribution device, a secret calculation device, a verification / restoration device, a distribution system, a secret calculation verification / restoration system, and a program.

  In recent years, with the progress of big data and IoT environments, utilization of information on individuals is expected. However, in utilizing personal information, leakage of personal information may affect personal privacy. Therefore, in utilizing big data, it is necessary to achieve both a technique for utilizing big data and a technique for protecting information about individuals. As an approach to such a technique for protecting information about an individual, a confidential calculation technique capable of performing calculations while protecting data has been studied.

  Broadly speaking, there are two types of confidential calculation techniques: homomorphic encryption for concealing data mainly using a key, and a method using a secret sharing method for concealing data without using a key. However, the homomorphic encryption generally has a large amount of calculation, and has a problem that a long time is required for arithmetic processing. For this reason, for application to a cloud system, an approach of using a secret sharing scheme, which requires a smaller amount of computation than homomorphic encryption, which requires a large amount of computation, is being studied.

  The secret sharing method is a method of converting secret information possessed by a user into a plurality of different values (hereinafter, shared values) and distributing them. Shamir's (k, n) threshold secret sharing method (hereinafter, “Shamir method” or “(k, n) Shamir method”), which is one of the secret sharing methods, is known.

  There is also known a lamp-type secret sharing scheme in which secret information is divided into L pieces and included as coefficients of a sharing equation. With the ramp-type secret sharing scheme, a reduction in the sharing value can be realized.

  As a technique related to the secret sharing method, for example, Patent Literature 1 discloses a confidential calculation system that performs calculations while concealing data and guarantees the validity of the calculation results.

  Further, Patent Literature 2 discloses a confidential product-sum combination system that performs calculation of an expression including multiplication and addition while keeping data secret by secret sharing while maintaining the validity of the calculation result.

  Further, Patent Literature 3 discloses a technique in which a tallying device performs a tallying process in a state where data to be tallyed and a tallying result thereof are concealed without using completely homomorphic encryption and a trusted third party. .

  One of the secret sharing methods is a TUS method using the Shamir method. The TUS method is characterized in that a confidential operation is realized at n <2k−1, which cannot be realized by other secret sharing methods.

RE-Publication No. 2014-112548 Re-publication 2012-121333 gazette JP 2013-205592 A

  However, in the TUS method, the secret information does not include 0 and the random number does not include 0 in order to once decrypt the secret information αa concealed by the random number in the concealment multiplication. However, other than the secret multiplication, 0 may be included.

  One of the problems of the above-mentioned TUS method is that secret information cannot include 0, and confidential calculation including subtraction cannot be repeated. There is also a problem that the validity of the calculation result cannot be verified.

  The present disclosure has been made in view of the above circumstances, and has a distribution device, a concealment operation device, a verification / recovery device, and a distribution system that can efficiently repeat concealment operations even if secret information includes 0. It is an object of the present invention to provide a confidential operation verification restoration system and a program. It is another object of the present invention to provide a distributed device, a confidential operation device, a verification and restoration device, a distributed system, a confidential operation verification and restoration system, and a program that can efficiently verify the calculation result.

  According to one embodiment of the disclosed technology, the sharing apparatus according to the first invention disperses secret information into n pieces of shared values, where n is an integer of 2 or more, k is an integer of 2 or more and n or less, and k In a system in which the secret information can be restored using the shared values and the secret information cannot be restored when the number is less than k, a first value obtained by applying a first random number and a second random number to the first secret information is represented by: A first generation unit that generates a second value by applying a third random number to at least one of the first random number and the first secret information.

  According to one embodiment of the disclosed technology, the confidential operation device according to the second invention disperses the secret information into n variance values, where n is an integer of 2 or more and k is an integer of 2 or more and n or less, In a system in which the secret information can be restored by k pieces of the variance values and the secret information cannot be restored by less than k pieces, a plurality of first secret numbers obtained by applying a first random number and a second random number to the first secret information. And a plurality of second values obtained by applying a third random number to the first random number or the first secret information, to calculate an operation result between the plurality of first secret information. Generating a third value obtained by operating a plurality of first random numbers and a fourth random number, and applying a fifth random number to the calculated result between the plurality of first random numbers or between the secret information; A second generation unit that generates the fourth value.

  According to one embodiment of the disclosed technology, the confidential operation device according to the second invention disperses the secret information into n variance values, where n is an integer of 2 or more and k is an integer of 2 or more and n or less, In a system in which the secret information can be restored with k pieces of the shared values and the secret information cannot be restored with less than k pieces, at least the third value and the fourth value obtained by the second generator described above. It is characterized by further comprising a third generation unit for generating a sixth random number when one of them is 0, and an addition unit for confidentially adding the sixth random number.

  According to one embodiment of the disclosed technology, the verification / reconstruction apparatus according to the third invention disperses secret information into n distributed values, where n is an integer of 2 or more, k is an integer of 2 or more and n or less, In a system in which the secret information can be restored with k pieces of the variance values and the secret information cannot be restored with less than k pieces, a random number is applied to the secret information obtained by the concealment operation device according to the second invention. A first elimination unit that eliminates secret information and a value corresponding to a fourth random number from the third value generated by the first elimination unit, and whether the operation result of the first random numbers obtained by the elimination by the first elimination unit is correct. And a first determination unit that determines whether or not the determination is made.

  According to one embodiment of the disclosed technology, the verification / reconstruction apparatus according to the fourth invention disperses secret information into n distributed values, where n is an integer of 2 or more and k is an integer of 2 or more and n or less, In a system in which the secret information can be restored with k pieces of the variance values and the secret information cannot be restored with less than k pieces, a random number is applied to the secret information obtained by the concealment operation device according to the second invention. A second elimination unit that eliminates secret information and a value corresponding to a fourth random number from the third value generated by the second elimination unit, and an operation result of the first random numbers obtained by the elimination by the second elimination unit. A second determination unit that determines whether the calculation result of the first random numbers including the sixth random number is correct when the third value or the fourth value is 0. I do.

  According to an embodiment of the disclosed technology, as one aspect, a concealment operation device according to a second invention is configured such that a value obtained from the first exclusion unit according to the third invention or the second exclusion unit according to the fourth invention, Alternatively, the image processing apparatus further includes a restoring unit that obtains an operation result between the first secret information from a value obtained by removing a value corresponding to each of the fifth random numbers from the fourth value.

  According to one embodiment of the disclosed technology, a distributed system according to a fifth invention generates a random number according to claim 1 using a random number generated by a person other than a creator of the first secret information. A dispersing device including a unit.

  According to one embodiment of the disclosed technology, the confidential operation device according to the sixth invention disperses secret information into n distributed values, where n is an integer of 2 or more and k is an integer of 2 or more and n or less, In a system in which the secret information can be restored by k pieces of the shared values and the secret information cannot be restored when the number of pieces of the shared information is less than k, a multiplication unit that performs multiplication of the shared values, and a multiplication value obtained by the multiplication by the multiplication unit. A conversion unit that performs an order conversion process on a variance value using an inseparable multiplied value sent from another device, generates a random number, and adds the generated random number to the variance value after the order conversion returned to the own device. And an adder.

  According to one embodiment of the disclosed technology, a confidential operation verification / reconstruction system according to a seventh aspect of the present invention is configured such that n is an integer of 2 or more, k is an integer of 2 or more and n or less, and secret information is distributed into n variance values. In a system in which the secret information can be restored using the k pieces of the variance values and the secret information cannot be restored when the number is less than k, an operation unit that performs a verification operation based on the registered value by using the secret registered value, And a verification / reconstruction device including a verification unit for verifying whether the calculation result by the calculation unit is correct.

  The disclosed technology has, as one aspect, a program that causes a computer to function as each unit of the device according to any one of the first to seventh inventions.

  According to the present disclosure, even if the secret information includes 0, the secret operation can be efficiently repeated, and the calculation result can be efficiently verified.

It is a block diagram showing an example of composition of a secret sharing system concerning a 1st embodiment. FIG. 3 is a diagram illustrating an example of a hardware configuration of a server 16 according to the first embodiment. FIG. 6 is a diagram illustrating an example of a processing sequence for generating a conversion random number set according to the first embodiment. FIG. 9 is a diagram illustrating an example of a processing sequence for generating a conversion random number set according to a modification of the first embodiment. It is a block diagram showing an example of composition of a secret sharing system concerning a 2nd embodiment. FIG. 6 is a diagram illustrating an example of a hardware configuration of an input device 212 according to a second embodiment. FIG. 13 is a diagram illustrating an example of a hardware configuration of a server 216 according to the second embodiment. It is a figure showing an example of a processing sequence of distribution concerning a 2nd embodiment. It is a figure showing an example of a processing sequence of confidential product-sum operation concerning a 2nd embodiment. It is a figure showing an example of a processing sequence of correction processing concerning a 2nd embodiment. It is a block diagram showing an example of composition of a secret sharing system concerning a 3rd embodiment. FIG. 14 is a diagram illustrating an example of a hardware configuration of a restoration device 314 according to the third embodiment. It is a figure showing an example of the processing sequence of distribution concerning a 3rd embodiment. It is a figure showing an example of a processing sequence of confidential product-sum operation concerning a 3rd embodiment. It is a figure showing an example of a processing sequence of verification concerning a 3rd embodiment. FIG. 14 is a diagram illustrating an example of a hardware configuration of a server 416 according to a fourth embodiment. It is a figure showing an example of the processing sequence of distribution concerning a 4th embodiment. It is a figure showing an example of a distribution processing sequence concerning a modification of a 4th embodiment. FIG. 21 is a diagram illustrating an example of a hardware configuration of a restoration device 514 according to a fifth embodiment. It is a figure showing an example of a processing sequence of distribution concerning a 5th embodiment. It is a figure showing an example of the processing sequence of confidential product-sum operation concerning a 5th embodiment. It is a figure showing an example of a processing sequence of correction processing concerning a 5th embodiment. It is a figure showing an example of a processing sequence of verification concerning a 5th embodiment. It is a block diagram showing an example of composition of a secret sharing system concerning a 6th embodiment. FIG. 21 is a diagram illustrating an example of a hardware configuration of a restoration device 614 according to a sixth embodiment. FIG. 21 is a diagram illustrating an example of a hardware configuration of a blockchain device 616 according to a sixth embodiment. FIG. 18 is a diagram illustrating an example of a hardware configuration of a verification device 618 according to a sixth embodiment. It is a figure showing an example of a processing sequence of distribution, confidential product-sum operation, and correction processing concerning a 6th embodiment. It is a figure showing an example of a processing sequence of verification concerning a 6th embodiment.

  Hereinafter, embodiments of the technology of the present disclosure will be described in detail with reference to the drawings.

  First, before describing the details of the embodiment, the details of the Shamir method and the TUS method, which are the premise of the technology of the embodiment, will be described, and each problem in the TUS method will be described.

<Shamir method>
The Shamir method is a method in which a given piece of secret information is distributed into n pieces of shared information, and k or more pieces of shared information are collected, whereby the original secret information can be restored. However, the original secret information cannot be obtained at all from less than k pieces of shared information. Distribution and restoration of secret information in the Shamir method are performed as described below. Such a method is called a (k, n) Shamir method.

<Dispersion>
1. The user selects an arbitrary prime number p satisfying the conditions of s <p and n <p.

2. The user selects n x _i (i = 0, 1, 2,..., N−1) from the source of GF (p), and sets it as the server ID.

3. The user selects k−1 random numbers a ₁ (l = 1, 2,..., K−1) from the source of GF (p), and generates the following dispersion equation.

_{W i = s + a 1 x} i + a 2 x i 2 + ... + a k-1 x k-1 (mod p)

4. User by replacing the server ID in the x _i of the above equation to calculate the variance value W _i, and transmits to each server S _i.

<Restore process>
1. The shared information is used to restore _{W i (i = 0,1,2, ...} , k-1) to. Further, the server ID corresponding to the shared information and x _i.

2. Restore person, the k (x _i, W _i) collected, collected the k (x _i, W _i) the substituted into the above-mentioned dispersion formula, the secret information by solving the k-number of simultaneous equations Restore some s. At the time of restoration of s, Lagrange's interpolation formula can be used.

  The above is the details of the Shamir method.

<TUS method>
Next, details of the TUS method will be described. Hereinafter, an example in which the sum of products of ab + c is performed using the TUS method will be described. The secret information a, b, c and the random numbers α _j , β _j , λ _j , γ _j are a, b, c, α _j , β _j , λ _j , γ _j Z / pZ. However, a and the random number once restored in the multiplication are not zero. In the following, [a] _j represents a shared value held by the server S _j for the secret information a. Thereafter, all the confidential operations including the secret sharing process are performed modulo p. It is also assumed that the server _Si has a conversion random number set ([ε] _j , ε _j ), ([φ] _j , φ _j ) unknown to the attacker. The conversion random number set is, for example,

And a random number ε _j that constitutes ε.

  The input and output of the secret operation of ab + c are shown below.

(input)
([Αa] _j , [α ₀ ] _j ,..., [Α _k−1 ] _j ) (j = 0, 1,..., K−1)
([Βb] _j , [β ₀ ] _j , ..., [β _k-1 ] _j ) (j = 0,1, ..., k-1)
([Γc] _j , [γ ₀ ] _j ,..., [Γ _k−1 ] _j ) (j = 0, 1,..., K−1)
(output)
([Δ (ab + c)] _i , [δ ₀ ] _j ,..., [Δ _k−1 ] _j ) (i = 0, 1,..., N−1)

  Based on the above input / output, the confidential calculation of ab + c is performed as shown below.

1. The k servers S _j publish [αa] _j , [βb] _j , and [γc] _j . _Sj restores αa, βb, and γc.

2-1. The k servers S _j are [α _j ] ₀ ,..., [α _j ] _k−1 , [β _j ] ₀ ,..., [β _j ] _k−1 , [γ _j ] _{0 ,.} ] _K−1 is collected, and the random numbers α _j , β _j , γ _j are restored.

2-2. Server _{S j} generates a random number [delta] _j.

2-3. Using the generated random number δ _j , the server S _j calculates δ _j / α _j β _j ε _j , δ _j / γ _j φ _j and makes it public.

3. All servers S _i computes the following equation.

However,

And

4. The k servers S _j distribute the random number δ _j by the Shamir method, and distribute the random numbers δ _j to all the servers S _i .

5. As described above, the server S _i (i = 0, 1, 2,..., N−1) is used as the shared information regarding the secret information ab + c as ([δ (ab + c)] _i , [δ ₀ ] _{j ,. 1} ] _j ) is retained.

  The above is the details of the secret calculation by the TUS method. The TUS method has the following three problems.

<Problem 1>
The problem 1 is that a method of safely generating a conversion random number set by a plurality of persons is not known. If one of the conversion random number sets are generated, for example, the creator of k random numbers epsilon _0, epsilon _1, ..., and generates epsilon _k-1, to calculate the _{ε = ε 0 ε 1 ... ε} k-1 , Ε are secretly shared and [ε] _j and ε _j are sent to the server S _j , so that S _j can have a conversion random number set ([ε] _j , ε _j ). Since the security of the TUS method depends on the security of the conversion random number set, if the creator of the conversion random number set is an attacker, the confidential calculation using the conversion random number set is not secure. Therefore, even if a plurality of unreliable generators generate a conversion random number set, the TUS method is not secure unless there is a method of generating a secure conversion random number set whose value cannot be known. .

<Problem 2>
Problem 2 is that secret information cannot include 0. For example, if the input is input as a + 1 instead of a, the first input a may be 0, but when the subtraction is included, that is, when calculating ab-c or a-c, the output is 0. there is a possibility. Therefore, there is a problem that the confidential operation cannot be repeated using the operation result by the TUS method.

<Issue 3>
Problem 3 is that the validity of the confidential calculation cannot be verified. Generally, in secret sharing, it is assumed that information held by up to k-1 servers is known by eavesdropping or the like. However, if the k-1 servers capable of eavesdropping are hijacked and output false information or do not perform predetermined processing, the result of the above-mentioned confidential calculation becomes unreliable.

  The above are problems 1 to 3 of the TUS method.

  Solution of the problem 1 is essential in the TUS method, and by solving the problem 1, the security of the TUS method is improved. For example, even when there is no reliable generator of the random number set for conversion, confidential calculation can be performed using the TUS method. Eliminating problem 1 is also required in verification of confidential calculation.

  By solving the second problem, the concealment operation including the subtraction can be repeated, and the practicality of the TUS method is improved. Resolving problem 2 is necessary when verifying the result of repeated operation or the result including 0.

  By solving the problem 3, it is possible to secure security against an active attacker who does not follow a predetermined protocol such as outputting false information. Furthermore, although general secure calculation with a verification function requires extremely complicated processing, the method according to the embodiment of the present invention enables the operation result to be verified very efficiently.

  By solving each of the above problems, it is possible to securely, efficiently, and practically verify the confidential operation.

  Based on the above, each embodiment will be described below. In a secret sharing system described in each of the following embodiments, n is an integer of 2 or more, k is an integer of 2 or more and n or less, secret information is distributed into n shared values, and secret information is distributed by k shared values. , And secret information cannot be restored with less than k.

[First Embodiment]
The first embodiment corresponds to the above problem 1. In other words, even if it is generated by a plurality of unreliable inputters and recoverers, a method of generating a safe conversion random number set in which the value of the conversion random number is unknown is realized. The conversion random number set generated by the method of the present embodiment is also used in each of the following embodiments.

  First, the premise of the method of the first embodiment will be described. In the first embodiment, the methods shown in References 1 and 2 are extended to generate a conversion random number set.

[Reference 1] M. Ben-Or, S. Goldwasser, and A. Wigderson, “Completeness theorems for non-cryptographic fault-tolerant distributed computation,” STOC '88, 1988, pp. 1-10, ACM Press.
[Reference 2] Rosario Gennaro, Michael O. Rabin, and Tal Rabin, “Simplified VSS and fast-track multiparty computations with applications to threshold cryptography,” In Brian A. Coen and Yehuda Afek, editors, PODC, 1998, pp. 101-111, ACM.

  References 1 and 2 show a method of converting a variance value for a 2k-order polynomial into a variance value for a k-order polynomial. For example, Reference 1 discloses the following conversion method.

  A matrix having constants generated by a certain rule as elements is referred to as a matrix A below.

By using the above matrix A, R = W · A is calculated for the variance vector W = (W ₀ , W ₁ ,..., W _2k−1 ) for the _2k- order polynomial, so that the k-th order A variance vector R = (R ₀ , R ₁ ,..., R _2k−1 ) for the polynomial can be converted. The method of Reference 2 can realize conversion to a variance vector R by almost the same processing.

  However, the methods of References 1 and 2 are effective when the number of servers is n ≧ 2k−1, but in the present embodiment, the case of n <2k−1 is handled as in the TUS method. In the configuration of the present embodiment described below, an input device corresponding to two input persons and a restoration apparatus corresponding to one restorer are assumed, and a generation method in the case of n = k will be described. However, as described later, the restoration device does not perform restoration, and acts as a calculation support device.

When 2k-1>n> k, the random number α _{i and the} like are not directly sent to the server, but are distributed using the (k, n) Shamir method, and k servers performing the operation restore the random number α _{i and the} like. use. The secret information λ ₀ and λ ₁ are distributed using the (k, n + k−1) Shamir method, and only k−1 servers out of n servers have [αλ ₀ ] _{i + k} . In addition, since the restoration device knows the value of the conversion random number when the restoration is performed, the restoration device does not perform the restoration and has a role of calculation support. In the following, the secret information λ ₀ , λ ₁ and the random numbers α _{j, i} , β _{j, i} , γ _i are λ ₀ , λ ₁ , α _{j, i} , β _{j, i} , γ _i ∈Z / pZ. However, the secret information and the random number do not include 0. Also, 0 _{r1 and the} like represent 0, and are marked with symbols to distinguish them from others.

Based on the above premise, the configuration of the secret sharing system 10 according to the present embodiment will be described with reference to FIG. As shown in FIG. 1, the secret sharing system 10 includes two input devices 12A and an input device 12B, restoring device 14, and the server ₁₆ 0 _{~16 n-1.} Hereinafter, "input device 12" for the contents to be common to the input device 12A and the input device 12B, and the "server 16" for the contents to be common to the server 16 0 _{~ 16 n-1,} by omitting the last identification Legend In some cases. The input device 12, the restoration device 14, and the server 16 are connected to the network N and can communicate with each other. Note that the server 16 is an example of a confidential operation device including a multiplication unit, a conversion unit, and an addition unit.

  The input device 12 is a device that is operated by a person who inputs confidential information (hereinafter, simply referred to as an “input person”), and an example of the input device 12 is an information processing device such as a personal computer.

  The restoring device 14 is a device operated by a restoring person who restores confidential information (hereinafter, simply referred to as “restoring person”). An example of the restoring device 14 is an information processing device such as a personal computer.

The server 16 has a role of performing calculations related to generation of the conversion random number set, storing the conversion random number set, and the like. In addition, there are n servers 16, which are also described as servers S _i (i = 0,..., N−1) according to the description (the same applies to each embodiment below).

  Next, a hardware configuration of the server 16 according to the present embodiment will be described with reference to FIG. As illustrated in FIG. 2, the server 16 includes a CPU (Central Processing Unit) 20, a memory 21 as a temporary storage area, and a nonvolatile storage unit 22. The server 16 includes a display device 23 such as a liquid crystal display, an input I / F 24 such as a keyboard, and a network I / F 25 (InterFace) connected to the network N. The CPU 20, the memory 21, the storage unit 22, the display device 23, the input I / F 24, and the network I / F 25 are connected to the bus 26.

  The storage unit 22 is realized by a hard disk drive (HDD), a solid state drive (SSD), a flash memory, and the like. The storage unit 22 as a storage medium stores a conversion random number set generation program 28. The conversion random number set generation program 28 includes a multiplication process 28a, a conversion process 28b, and an addition process 28c. The CPU 20 reads out the conversion random number set generation program 28 from the storage unit 22, expands it in the memory 21, and executes the expanded generation program 28. When the CPU 20 executes the multiplication process 28a of the conversion random number set generation program 28, it operates as the multiplication unit according to the disclosed technology. When the CPU 20 executes the conversion process 28b of the conversion random number set generation program 28, it operates as a conversion unit according to the disclosed technology. When the CPU 20 executes the addition process 28c of the conversion random number set generation program 28, the CPU 20 operates as an addition unit according to the disclosed technology.

  Note that the input device 12 and the restoration device 14 can have the same device configuration as the server 16 and differ only in the program to be executed, and thus detailed description will be omitted.

  Next, the operation of the secret sharing system 10 according to the present embodiment will be described with reference to FIG.

<Conversion random number set generation 1: n = k>
FIG. 3 illustrates a processing sequence of the secret sharing system 10 for generating a conversion random number set. In the following, the server 16 will be described on the assumption that any _one of the servers S _i , S _j, and S _k−1 is targeted according to each processing of the sequence.

In S10, the input device 12A generates random numbers λ _{0, i} and α _i (i = 0,..., K−1).

In S12, the input device 12A

Is calculated. Further, the input device 12A calculates [αλ ₀ ] _{i + k} = α × [λ ₀ ] _{i + k} by dispersing λ ₀ by the (k, 2k−1) Shamir method.

In S14, the input device 12A is obtained in S10 and S12 [λ _{0] i,} and transmits _{[αλ 0] i + k,} α i, the lambda _{0, i} to server _{S i.} However, the server S _k-1 does not have [αλ ₀ ] _2k-1 .

In S16, the input device 12B generates random numbers λ _{1, i} and β _i (i = 0,..., K−1).

In S18, the input device 12B

Is calculated. In addition, the input device 12B calculates [βλ ₁ ] _{i + k} = β × [λ ₁ ] _{i + k} by dispersing λ ₁ by the (k, 2k−1) Shamir method.

In S20, the input device 12B is obtained in S16 and S18 [λ _{1] i,} and transmits _{[βλ 1] i + k,} β i, the lambda _{1, i} to _{S i.} However, the server S _k-1 does not have [βλ ₁ ] _2k-1 .

In S22, the server S _i excluding the server S _k-1 (hereinafter simply referred to as S _{i in} the description of this sequence) is [λ ₀ λ ₁ ] _i = [λ ₀ ] _i × [λ ₁ ] _i , [Αβλ ₀ λ ₁ ] _{i + k} = [αλ ₀ ] _{i + k} × [βλ ₁ ] _{i + k} is calculated. Incidentally, S22 is in the server _{S i,} corresponding to the multiplication process 28a of the converting random set generation program 28. CPU20 of the server S _i is, by executing the multiplication process 28a, performs a process of multiplying the variance between the disclosed technique.

In S24, the server _{S i} transmits the restoration apparatus 14 _{[αβλ 0 λ 1] i +} k.

In S26, the server _{S i} computes the α _i β _i.

In S28, restoring device _14, a _{0 r1 (2k-1,2k-1} ) dispersed in Shamir method.

In S30, the restoration device 14 acquires α _i β _i calculated by the server S _i .

In S32, αβ is restored based on the obtained α _i β _i .

In S34, the restoration apparatus 14 calculates [λ ₀ λ ₁ ] ′ _{i + k} = [αβλ ₀ λ ₁ ] _{i + k} / αβ + [0 _r1 ] _{i + k} using 0 _r1 dispersed in S28 and αβ restored in S32. .

In S36, restoring device 14 transmits the calculated _{[λ 0 λ 1] 'i} + k to server _{S i.}

In S38, the server S _i distributes 0 _i by the (k, n) Shamir method and calculates R _{i, j} . When j ≠ i (j = 0,..., n−1), R _{i, j} can be calculated as follows. Note that a _{i, j and the} like in the following are elements of the matrix A.
R _{i, j} = a _{i, j} × [λ ₀ λ ₁ ] _i + a _{i + n, j} × [λ ₀ λ ₁ ] ′ _{i + n} + [0 _i ] _j

Incidentally, S38 is in the server _{S i,} corresponding to the conversion process 28b of the converting random set generation program 28. CPU20 of the server _{S i} is, by executing the conversion process 28b, performs the order conversion of the dispersion value used in the technique disclosed herein. [Λ ₀ λ ₁ ] ′ _{i + k} returned in S 36 is used in the calculation of R _{i, j in} S 38, but [λ ₀ λ ₁ ] ′ _{i + k} is an example of an inseparable multiplication value sent from another device. R _{i, j} is an example of the variance after the degree conversion.

In S40, the server _{S i} determines whether i = j. If i = j, the process proceeds to S42, and if not i = j (ie, if i ≠ j), the process proceeds to S44.

In S42, the server _{S i} generates a random number _{r i,} adds _{r i} R _i, in _j as follows.
_{R i, j = a i,} j × [λ 0 λ 1] i + a i + n, j × [λ 0 λ 1] 'i + n + [0 i] j + r i

Incidentally, S42 is in the server _{S i,} corresponds to the addition process 28c of the converting random set generation program 28. CPU20 of the server S _i is, by executing an addition process 28c, performs a process of adding a random number in the technology disclosed in variance.

In S44, the server _{S i} is calculated R _i, and transmits the _j restoring device 14.

In S46, the restoration device 14 distributes 0 _r2 by the (k, n) Shamir method, and calculates R ′ _{i, j} = R _{i, j} + a _{i, j} × [0 _r1 ] _i + [0 _r2 ] _i . I do. Where j = 0,..., N−1,
(I ≠ j):
R ′ _{i, j} = a _{i, j} × [λ ₀ λ ₁ ] ′ _i + a _{i + n, j} × [λ ₀ λ ₁ ] ′ _{i + n} + [0 _i ] _j + [0 _r2 ] _j (i = j) When:
_{R 'i, j = a i} , j × [λ 0 λ 1]' i + a i + n, j × [λ 0 λ 1] 'i + n + [0 i] j + [0 r2] j + r i
And

In S48, the restoration device 14 sends R ′ _{i, j} to the server _Sj . Thus, R _{i, j} is the variance value after the order conversion calculated in the server S _i is, R _'i, are returned in a _j in the server S _j.

In S50, the server _{S j ^{is, Σ i = 0 k-1}} R 'i, compute the _{j -r i = [λ] j} . Further, the server _Sj calculates λ _i = λ _{0, i} λ _{1, i} . By the above sequence, a conversion random number set ([λ] _j , λ _i ) is obtained.

[Modification of First Embodiment]
In the above-described conversion random number set generation 1, the case where the input device 12 and the restoration device 14 are required when n = k has been described as an example. On the other hand, when n = k = 2, the following processing that does not require the input device 12 and the restoration device 14 can be performed. That is, it is possible to generate a random number set for conversion with only the server 16.

<Conversion random number set generation 1 ': n = k = 2>
FIG. 4 illustrates a processing sequence for generating a conversion random number set when n = k = 2. In the following, a case where processing is performed between the servers S ₀ and S ₁ among the servers 16 will be described as an example. In the sequence of FIG. 4, the following processes of S60 to S94 are performed. In FIG. 4, each process is described in a simplified manner.

In S60, the server S ₀ generates random numbers λ ₀ , α ₀ , α ₁ , τ ₀ and calculates α = α ₀ α ₁ .

In S62, the server S ₀ distributes λ ₀ by the (2,3) Shamir method, and [αλ ₀ ] ₀ = α × [λ ₀ ] ₀ , [αλ ₀ ] ₂ = α × [λ ₀ ] ₂ , [Τ ₀ λ ₀ ] ₁ = τ ₀ × [λ ₀ ] ₁ .

In S64, the server _{S 0} is obtained [τ ₀ λ _{0] 1,} transmits the alpha ₁ to the server _{S 1.}

In S66, the server _{S 1} is random lambda _1, beta _0, generates a beta _1, to calculate the β = β ₀ β _1.

In S68, the server S ₁ distributes λ ₁ by the (2,3) Shamir method, and [βλ ₁ ] ₀ = β × [λ ₁ ] ₀ , [βλ ₁ ] ₂ = β × [λ ₁ ] ₂ Is calculated.

In S70, the server S ₁ transmits the obtained [βλ ₁ ] ₀ , [βλ ₁ ] ₂ , β ₀ to the server S ₀ .

In S72, the server S ₀ distributes 0 ₀ by the (3,3) Shamir method, and calculates α ₀ β ₀ and the following.
_{[Αβλ 0 λ 1] '0} = [αλ 0] 0 × [βλ 1] 0 + [0 0] 0, [αβλ 0 λ 1]' 2 = [αλ 0] 2 × [βλ 1] 2 + [0 ₀ ] ₂ , [0 ₀ ] ₁

In S74, the server _{S 0} was calculated _{[αβλ 0 λ 1] '0} , [αβλ 0 λ 1]' to send _2, the alpha ₀ beta ₀ to server _{S 1.}

In S76, the server _{S 1} is to disperse _{0 1} (3,3) Shamir method, the calculating the αβ from alpha ₁ beta ₁ and alpha ₀ beta _0, to calculate the following. _However, it is _{[0 01] i = [0} 0] i / αβ + [0 1] i.

_{[0 01] 1 = [0} 0] 1 / αβ + [0 1] 1

In S78, the server _{S 1} is obtained _{[λ 0 λ 1] '0} , [λ 0 λ 1]' 2, transmits the _{[0 01] 1} to the server _{S 0.}

In S80, the server S ₀ distributes 0 _{0 ′} by the (2,2) Shamir method.

In S82, the server _{S 0} generates a random number _{r 0.}

In S84, the server _{S 0} is dispersed _{0 0 ',} and by using the random number _{r 0,} to calculate the following _{R 0,0} and _{R 0, 1.}
R _0,0 = τ ₀ (a _0,0 × [λ ₀ λ ₁ ] ′ ₀ + a _2,0 × [λ ₀ λ ₁ ] ′ ₂ + a _1,0 × [ ₀₀₁ ] ₁ ) + [0 _{0 ′ ] 0 + r 0 = τ 0} (a 0,0 [λ 0 λ 1] 0 + a 2,0 [λ 0 λ 1] 2) + τ 0 [0 01] "0 + [0 0 '] 0 + r 0
R _0,1 = τ ₀ (a _0,1 × [λ ₀ λ ₁ ] ′ ₀ + a _2,1 × [λ ₀ λ ₁ ] ′ ₂ + a _1,1 × τ ₀ [ ₀₀₁ ] ₁ ) + [0 _{0 '] 1 = τ 0 (} a 0,1 [λ 0 λ 1] 0 + a 2, 1 [λ 0 λ 1] 2) + τ 0 [0 01] "1 + [0 0'] 1

In S86, the server _{S 0} transmits the calculated _{R 0,0,} the _{R 0, 1} to the server _{S 1.}

In S88, the server _{S 1 is, [τ 0 λ 0 λ 1} ] 1 = [τ 0 λ 0] 1 × with calculating the [λ _{1] 1,} was dispersed at _{0 1 '(2,2)} Shamir method , Calculate:
R ′ _0,0 = R _0,0 + a _1,0 × [τ ₀ λ ₀ λ ₁ ] ₁ + [0 _{1 ′} ] ₀ = τ ₀ [λ ₀ λ ₁ ] ₀ + τ ₀ [0000 ₀₁ ] ″ ₀₊ [0 _{0 '} ] ₀ + [0 _1' ] ₀ + r _{0
R '0,1 = R 0,1 + a} 1,1 × [τ 0 λ 0 λ 1] 1 + [0 1'] 1 = τ 0 [λ 0 λ 1] 1 + τ 0 [0 01] "1 + [0 _{0 '} ] ₁ + [0 _1' ] ₁

In S90, the server _{S 1} transmits the obtained R _'0,0 the server _{S 0.}

In S92, the server _{S 0} get _{[λ] 0 = R '0,0} -r 0, λ 0 = τ 0 λ 0 conversion random number set as _{([λ] 0, λ 0} ).

In S94, the server _{S 1} is _[λ] 1 = R _'0,1 convert random number set as _{([λ] 1, λ 1} ) obtained.

  The above is the description of the conversion random number generation 1 ′.

  As described above, by generating the conversion random number set using the method of the first embodiment of the present invention, it is possible to safely generate the conversion random number set.

[Second embodiment]
The second embodiment corresponds to the above problem 2. That is, this is a method in a case where the secret information includes 0.

First, the premise of the method of the second embodiment will be described. In the following, secret information a, b, c and random numbers α _{j, i} , β _{j, i} , γ _{j, i} , a ₁ , b ₁ , c ₁ are a, b, c, α _{j, i} , β _{j, i} , γ _{j, i} , a ₁ , b ₁ , c ₁ ∈Z / pZ. Also, the secret information may include 0, but the random number does not include 0. Further, in the second embodiment, the conversion random number set is generated in advance by the method described in the first embodiment, and the server S _i converts the conversion random number set ([ε _{h, i} ] _i , ε _{h, i} ). , (H = 1,..., Required number). In the following description, the confidential product-sum operation at n = k is shown. However, when n> k, α _{j, i} , β _{j, i} , γ _{j, i} , ε _{j, i} etc. are (k, n) The k servers that are distributed by the Shamir method and participate in the calculation may be restored. Also, random numbers a ₁ , b ₁ , c ₁ added to the secret information, such as a + a ₁ , are not 0, and a value whose addition result is not 0 is selected. Since any four arithmetic operations can be configured by combining the product-sum operations, the secret product-sum operation will be described in detail below as an example.

Based on the above premise, the configuration of the secret sharing system 210 according to the present embodiment will be described with reference to FIG. As shown in FIG. 5, the secret sharing system 210 includes three input devices 212A to 212C and a plurality of servers 216 _{0 to} 216 _n−1 . Hereinafter, the content common to the input devices 212A to 212C will be referred to as “input device 212”, and the content common to the servers 216 _{0 to} 216 _n−1 will be referred to as “server 216”. There is also. The input device 212 and the server 216 are connected to the network N and can communicate with each other. Note that the input device 212 is an example of a distribution device including a first generation unit. The server 216 is an example of a confidential operation device including the second generation unit. Further, the server 216 is an example of a confidential operation device including a third generation unit and an addition unit.

  The input device 212 is a device operated by a person who inputs secret information. The input device 212 generates a predetermined value to which a random number is applied, and distributes the generated value to the server 216.

  The server 216 has a role of performing calculations related to the confidential product-sum operation.

  Next, a hardware configuration of the input device 212 according to the present embodiment will be described with reference to FIG. As illustrated in FIG. 6, the input device 212 includes a CPU 220, a memory 221 as a temporary storage area, and a nonvolatile storage unit 222. The input device 212 includes a display device 223, an input I / F 224, and a network I / F 225 connected to the network N. The CPU 220, the memory 221, the storage unit 222, the display device 223, the input I / F 224, and the network I / F 225 are connected to the bus 226.

  The storage unit 222 is realized by an HDD, an SSD, a flash memory, and the like. The storage unit 222 as a storage medium stores a first generation program 228. The CPU 220 reads out the first generation program 228 from the storage unit 222, expands it in the memory 221, and executes the expanded first generation program 228. When the CPU 220 executes the first generation program 228, it operates as a first generation unit according to the disclosed technology. The same applies to the third to fifth embodiments described later.

  Next, a hardware configuration of the server 216 according to the present embodiment will be described with reference to FIG. As shown in FIG. 7, the server 216 includes a CPU 230, a memory 231 as a temporary storage area, and a nonvolatile storage unit 232. Further, the server 216 includes a display device 233, an input I / F 234, and a network I / F 235 connected to the network N. The CPU 230, the memory 231, the storage unit 232, the display device 233, the input I / F 234, and the network I / F 235 are connected to the bus 236.

  The storage unit 232 is realized by an HDD, an SSD, a flash memory, and the like. The storage unit 232 as a storage medium stores a secret product-sum operation program 238. The secret product-sum operation program 238 includes a second generation process 238a, a third generation process 238b, and an addition process 238c. The CPU 230 reads out the confidential product-sum operation program 238 from the storage unit 232, expands it in the memory 231, and executes the expanded confidential product-sum operation program 238. When the CPU 230 executes the second generation process 238a of the confidential product-sum operation program 238, it operates as the second generation unit of the disclosed technology. When the CPU 230 executes the third generation process 238b of the confidential product-sum operation program 238, it operates as the third generation unit of the disclosed technology. When the CPU 230 executes the addition process 238c of the confidential product-sum operation program 238, the CPU 230 operates as an addition unit of the disclosed technology. The same applies to the third and fifth embodiments described later. Note that it is assumed that the correction process is not performed in the server 216, and the secret product-sum calculation program 238 may include only the second generation process 238a, and may not include the third generation process 238b and the addition process 238c.

  Next, an operation of the secret sharing system 210 according to the present embodiment will be described with reference to FIGS.

First, a process of distributing secret information to each server will be described. FIG. 8 illustrates a sharing processing sequence in the secret sharing system 210. In the distribution processing sequence, the secret information held by the input devices 212A to 212C is distributed to the server 216. In the following, the server 216, all servers S which is on all servers of n units, and one of the servers S _i is described as a target in response to the processing of distributed processing sequence.

<Dispersion 2>
In S210, the input device 212A, the random numbers _{a 1, α 1, i,} α 2, i (i = 0, ..., k-1) to generate a.

In S212, the input device 212A, based on the following equation to calculate the alpha ₁ a ₁ and α _{2 (a} + a ₁₎ with respect to the secret information a.

Note that S212 corresponds to the first generation program 228 in the input device 212A. By executing the first generation program 228, the CPU 220 of the input device 212A performs the processing of the first generation unit according to the disclosed technology. The secret information a is an example of the first secret information, the random number a ₁ is an example of the first random number, the random number α ₂ is an example of the second random number, and the random number α ₁ is an example of the third random number. α ₂ (a + a ₁ ) is an example of a first value obtained by applying a first random number and a second random number. α ₁ a ₁ is an example of a second value obtained by applying a third random number to a first random number. The correspondence with the first generation program 228 is the same in the processing performed on the secret information of the input device 212B and the input device 212C below.

In S214, the input device 212A transmits the calculated α ₁ a ₁ and α ₂ (a + a ₁ ) to all servers S.

In S216, the input device 212A transmits the random number alpha _{1, i,} the alpha _{2, i} to server _{S i.}

In S218, the input device 212B generates a random number _{b 1, β 1, i,} β 2, i (i = 0, ..., k-1) to generate a.

In S220, the input device 212B calculates β ₁ b ₁ and β ₂ (b + b ₁ ) for the secret information b based on the following equation.

In S222, the input device 212B transmits the calculated β ₁ b ₁ and β ₂ (b + b ₁ ) to all servers S.

In S224, the input device 212B transmits the random number beta _{1, i,} the beta _{2, i} to _{S i.}

In S226, the input device 212C generates random numbers c ₁ , γ _{1, i} , γ _{2, i} (i = 0,..., K−1).

In S228, the input device 212C calculates γ ₁ c ₁ and γ ₂ (c + c ₁ ) for the secret information c based on the following equation.

In S230, the input device 212C transmits the calculated γ ₁ c ₁ and γ ₂ (c + c ₁ ) to all servers S.

In S232, the input device 212C transmits the random number gamma _{1, i,} the gamma _{2, i} to server _{S i.}

By executing the above-described distributed processing sequence, the server S _i becomes α ₁ a ₁ , α ₂ (a + a ₁ ), β ₁ b ₁ , β ₂ (b + b ₁ ), γ ₁ c ₁ , γ ₂ (c + c ₁₎ ) And α1 _{, i} , β1 _{, i} , γ1 _{, i} , α2 _{, i} , β2 _{, i} , γ2 _{, i} . The server S _i, the first embodiment of the converting random sets generated by the method _{([ε h, i] i} , ε h, i) (h = 0, ..., necessary number) which also has previously And

The characteristic of the distribution 2 described above is that only a value obtained by adding a random number to the secret information and the random number are concealed and released so that the secret information does not leak. In addition, in the secret product-sum operation 2 described below, a value obtained by adding a random number to a secret calculation result based on secret information and a secret calculation result based on the random number are obtained from only the value obtained by adding a random number to the secret information and the random number. It is composed of Also, in the following concealed product-sum operation, the calculation result is new α ₂ (a + a ₁ ), α ₁ a _1, etc., but β ₁ b ₁ , β ₂ (b + b ₁ ) or γ ₁ c ₁ , γ ₂ (C + c ₁ ) may be used. The same applies to α _{2, i} and α _{1, i} .

<Secret product-sum operation 2>
Next, a process of performing a secret product-sum operation will be described. FIG. 9 illustrates a processing sequence of the confidential product-sum operation in the secret sharing system 210. In FIG. 9, for convenience of explanation, it is assumed that the processing sequence of the confidential product-sum operation is performed between the servers S _i and S ₀ among the servers 216, and transmission to all the servers S is performed by the server S 216 in FIG. 9. Although described as a transmission to _i, the processing performed by the server S _i is performed even server S _0.

In S240, the server S _i (i = 0,..., K−1) generates the following random numbers δ _{1, i} , δ _{2, i} .

In S242, the server _{S i} is generated random number [delta] _{1, i} at S240, computes the following with reference to [delta] _{2, i.}

In S244, the server _{S i} transmits a calculation result of S242 in the server _{S 0.}

In S246, the server _{S 0,} using the calculation result received from the server _{S i,} compute the following. Hereafter, Π represents multiplication for i = 0,..., K−1.

In S248, the server _{S 0} transmits the calculation result of S246 to all servers S.

In S250, the server S _i, using the calculation result received from the server S _0, published by calculating the following, to restore the calculation result.

Incidentally, S250 is in the server _{S i,} corresponding to the second generation process 238a confidential product-sum operation program 238. CPU230 server _{S i} is, by executing the second generation process 238a, performs generation of a third value in the disclosed technique, and the generation of the fourth value. δ ₂ {(ab + c) + (c ₁ −a ₁ b ₁ )} is an example of a third value in the disclosed technology. δ ₁ (c ₁ −a ₁ b ₁ ) is an example of a fourth value in the disclosed technology. The third value is obtained by applying the operation result (c ₁ −a ₁ b ₁ ) of the plurality of random numbers and the fourth random number (δ ₂ ) to the operation result (ab + c) of the plurality of first secret information. Value. In addition, the third value is obtained by replacing a calculation result between a plurality of first secret information with a first secret information, replacing a calculation result between a plurality of first random numbers with a first random number, Has the same format as the first value when is replaced by a second random number. The fourth value is a value obtained by applying a fifth random number (δ ₁ ) to the operation result (c ₁ −a ₁ b ₁ ) of the _first random numbers. The fourth value has the same format as the second value when the calculation result of the plurality of first random numbers is replaced with a first random number and the fifth random number is replaced with a third random number.

S252 is a process when the processing sequence of the confidential product-sum operation is repeated. In S252, the server _{S i is, δ 2 {(ab + c} ) + (c 1 -a 1 b 1)} and _{δ 1 (c 1 -a 1 b} 1) unless 0, a the restored value new α ₂ (a + a ₁ ) and α ₁ a ₁ are set, δ _{2, i} , δ _{1, i} are set to new α _{2, i} , α _{1, i} and the process returns to S240. Processing sequence of the concealed product-sum operation, for example, repeated until the processing ends for all servers S _i.

<Correction process 2>
Next, the correction processing will be described. In the processing sequence of the confidential product-sum operation in FIG. 9 described above, when at least one of δ ₂ {(ab + c) + (c ₁ −a ₁ b ₁ )}, δ ₁ (c ₁ −a ₁ b ₁ ) is 0. , The following correction processing is performed. FIG. 10 illustrates a processing sequence of the correction processing in the secret sharing system 210. The processing sequence of the correction processing will be described as being performed among all the servers S, the servers S _i , and S ₀ among the servers 216. A case where δ ₂ {(ab + c) + (c ₁ −a ₁ b ₁ )} = 0 is a first case, and a case where δ ₁ (c ₁ −a ₁ b ₁ ) = 0 is a second case. , A calculation example in a case where at least one of the first case and the second case is applied will be described.

In S260, the server _{S i} is 'generates a _{1, i,} the product tau _1, i a' new random number tau _{1, i} and a publishing _{1, i.}

In S262, the server _{S i} sets _{τ 1 a '1 = Πτ 1} , i a' 1, i to the new alpha ₁ a _1. Also, τ _{1, i} is set to a new α _{1, i} . Incidentally, S262 is in the server _{S i,} corresponding to the third generation process 238b confidential product-sum operation program 238. CPU230 server _{S i} is, by executing the third generation process 238b, and generates the sixth random number in the disclosed technique. a ′ ₁ is an example of the sixth random number.

In S264, the server _{S i} generates a random number tau _{2, i.}

In S266, the server _{S i} performs calculations using random numbers tau _{2, i} generated in S264. In the first case,

Is calculated. In the second case,

Is calculated.

In S268, the server _{S i} transmits a calculation result of S266 in the server _{S 0.}

In S270, the server _{S 0,} using the calculation result received from the server _{S i,} performs multiplication for i calculation. For the first case

Is calculated. In the case of the second case

Is calculated.

In S272, the server _{S 0} transmits the calculation result of S270 in the server _{S i.}

In S274, server _{S i} performs a calculation using the calculation result that is returned in S272, to restore the secret information. For the first case

Is calculated. In the case of the second case

Is calculated. Incidentally, S264 is in the server _{S i,} corresponds to the addition process 238c of confidential product-sum operation program 238. CPU230 server _{S i} is the addition process 238c by the execution, it performs a sixth process of concealing adding a random number (a ') of the disclosed technique.

In S276, the server _{S i,} using the calculation result of S274, it sets a new _{α 2 (a + a 1)} . Also, τ _{2, i} is set to a new α _{2, i} .

  When the confidential product-sum operation is repeated, the process returns to S240 of the processing sequence of the confidential product-sum operation in FIG.

  The above is the description of the processing sequence of the correction processing. The supplementary information on the correction processing will be described below.

In the above, if c = c ₁ = c + c ₁ = 0 and the processing on c is omitted, confidential multiplication is performed. If the processing on a is omitted as α ₂ (a + a ₁ ) = α ₀ a = 1, confidential addition is performed. If + between ab and c is set to-, secret subtraction is performed. Also, alpha ₂ because _(a + a ₁₎ if confidential subtracted alpha ₁ a ₁ from alpha ₀ a is outputted, the confidential product sum calculation processing alpha in S250 of the sequence _{2 (a} + a ₁₎ a multiplication by alpha ₀ a , And -β ₂ (b + b ₁ ) is changed to -β ₁ b ₁

Can be realized. in this case,

Is

To change.

In the above, when δ ₂ {(ab + c) + (c ₁ −a ₁ b ₁ )} = 0, ab + c = (a ₁ b ₁ −c ₁ ), but a ₁ , b ₁ , and c ₁ are kept secret. Have been. Therefore, the secret information ab + c is not leaked, and (a ₁ b ₁ −c ₁ ) = ab + c, and a ′ ₁ is a new random number added to the secret information ab + c. Then, the calculation can be continued by calculating new α ₂ (a + a ₁ ) and α ₁ a ₁ .

When _{two of} δ ₂ {(ab + c) + (c ₁ −a ₁ b ₁ )} and δ ₁ (c ₁ −a ₁ b ₁ ) are 0, ab + c = 0 leaks. In the first case and the second case of the processing sequence of the above correction processing, δ ₂ {(ab + c) + (c ₁ −a ₁ b ₁ )}, δ ₁ (c ₁ −a ₁ b ₁ ) for simplicity. ) Can be read at the same time, but when δ ₁ (c ₁ −a ₁ b ₁ ) is restored and it is 0, the following is calculated to restore δ ₂ (ab + c + a ′ ₁ ).

At this time, if δ ₂ (ab + c + a ′ ₁ ) is 0, the calculation in the case of the first case of S274 in the processing sequence of the correction processing may be performed. Thereby, even if _two of δ ₂ {(ab + c) + (c ₁ −a ₁ b ₁ )} and δ ₁ (c ₁ −a ₁ b ₁ ) are 0, ab + c = 0 does not leak.

Further, as shown in a secret product-sum operation of a fifth embodiment described later, _one of δ ₁ (c ₁ −a ₁ b ₁ ) and δ ₂ {(ab + c) + (c ₁ −a ₁ b ₁ )} is If it is 0, the value that has become 0 may be replaced with a new random number, and the random number may be added to the non-zero value.

  As described above, by performing the confidential product-sum operation using the method of the second embodiment of the present invention, even if the secret information includes 0, the confidential operation can be efficiently repeated.

When performing restoration, δ ₀ (ab + c) can be obtained by secretly subtracting δ ₁ (c ₁ −a ₁ b ₁ ) from δ ₂ {(ab + c) + (c ₁ −a ₁ b ₁ )}. The reconstructor restores δ ₀ and removes the value, thereby obtaining the operation result (ab + c) based on the secret information. Since this processing is executed by the restoration device, when the restoration is included, the network configuration is the same as that of FIG. 11 described later.

[Third embodiment]
The third embodiment corresponds to Problem 3 described above. That is, this is a function for realizing verification of the secret calculation. In the following, for the sake of simplicity, an example will be described in which verification is performed when secret information a, b, c and the calculation result do not include 0.

The configuration of the secret sharing system 310 according to the present embodiment will be described with reference to FIG. As shown in FIG. 11, the secret sharing system 310 includes three input devices 312A～312C, restoration device 314, and a plurality of servers ₃₁₆ 0 _{~316 n-1.} Hereinafter, the content common to the input devices 312A to 312C is referred to as “input device 312”, and the content common to the servers 316 _{0 to} 316 _n−1 is referred to as “server 316”. There is also. The input device 312, the restoration device 314, and the server 316 are connected to the network N and can communicate with each other. Note that the restoration device 314 is an example of a verification restoration device that includes a first elimination unit and a first determination unit.

  The input device 312 is a device operated by a person who inputs secret information. The input device 312 generates a predetermined value on which a random number is applied, and distributes the generated value to the server 316.

  The restoration device 314 is a device operated by a person who restores secret information. The restoration device 314 collects the values disclosed by the input device 312 and the server 316, and verifies whether the result of the confidential product-sum operation is correct.

  The server 316 has a role of performing calculations related to the confidential product-sum operation.

  Next, a hardware configuration of the restoration apparatus 314 according to the present embodiment will be described with reference to FIG. Note that the input device 312 and the server 316 can have the same device configuration as in the second embodiment, and thus detailed description is omitted.

  As shown in FIG. 12, the restoration device 314 includes a CPU 340, a memory 341 as a temporary storage area, and a nonvolatile storage unit 342. Further, the restoration device 314 includes a display device 343, an input I / F 344, and a network I / F 345 connected to the network N. The CPU 340, the memory 341, the storage unit 342, the display device 343, the input I / F 344, and the network I / F 345 are connected to the bus 346.

  The storage unit 342 is realized by an HDD, an SSD, a flash memory, and the like. The storage unit 342 as a storage medium stores a decryption program 348. The decryption program 348 includes a first exclusion process 348a, a first determination process 348b, and a restoration process 348c. The CPU 340 reads out the decryption program 348 from the storage unit 342, expands it in the memory 341, and executes the expanded decryption program 348. When the CPU 340 executes the first exclusion process 348a of the first generation program 348, it operates as the first exclusion unit of the disclosed technology. When the CPU 340 executes the first determination process 348b of the first generation program 348, it operates as the first determination unit of the disclosed technology. When the CPU 340 executes the restoring process 348c of the first generation program 348, it operates as a restoring unit according to the disclosed technology.

  Next, the operation of the secret sharing system 310 according to the present embodiment will be described with reference to FIGS.

<Dispersion 3>
First, a process of distributing secret information to each server will be described. FIG. 13 illustrates a sharing processing sequence in the secret sharing system 310. In the distribution processing sequence, the secret information held by the input devices 312A to 312C is distributed to the server 316. In the following, the server 316, all servers S which is on all servers of n units, and one of the servers S _i is described as a target in response to the processing of distributed processing sequence.

In S310, the input device 312A generates random numbers α _{i, 0} ,..., Α _{i, k−1} (i = 0,2).

In S312, the input device 312A calculates a random number α _i = Π _{j =} 0k ⁻¹ α _{i, j} .

In S314, the input device 312A generates a random number _{a 1,} exposes the calculation result by calculating the following for secret information a. The input device 312A exposes the hash value _{h a1} for _{a 1.}

In S316, the input device 312A transmits alpha _{0, j,} the alpha _{2, j} to the server _{S i.}

In S318, the input device 312B generates random numbers β _{i, 0} ,..., Β _{i, k−1} (i = 0,2).

In S320, the input device 312B calculates a random number β _i = Π _{j =} 0k ⁻¹ β _{i, j} .

In S322, the input device 312B generates a random number _{b 1,} exposes the calculation result by calculating the following for secret information b. The input device 312B exposes a hash value _{h b1} for _{b 1.}

In S324, the input device 312B transmits beta _{0, j,} a beta _{2, j} to the server _{S i.}

In S326, the input device 312C generates random numbers γ _{i, 0} ,..., Γ _{i, k-1} (i = 0,2).

In S328, the input device 312C calculates a random number γ _i = Π _{j = 0} ^k-1 γ _{i, j} .

In S330, the input device 312C generates a random number _{c 1,} exposes the calculation result by calculating the following for secret c. In addition, the input device 312C discloses the hash value h _c1 for c ₁ .

In S332, the input device 312C transmits gamma _{0, j,} a gamma _{2, j} to the server _{S i.}

By the above-described distributed processing sequence, the server _Si has the following.

The input devices 312A, 312B, and 312C may share a ₁ , b ₁ , and c ₁ in secret.

<Secret product-sum operation 3>
Next, a process of performing a secret product-sum operation will be described.

As a premise of the confidential product-sum operation, it is assumed that the distributed processing is correctly performed. Here, it is assumed that the conversion random number set also has ([μ _h ] _i , μ _{h, i} ) (h = 1,..., Required number).

In the following, if c = c ₁ = c + c ₁ = 0 and the processing on c is omitted, confidential multiplication will be performed, and if the processing on a is omitted as α ₂ (a + a ₁ ) = α ₀ a = 1, confidential addition will be performed. If + between ab and c is set to-, secret subtraction is performed. In the following concealed product-sum operation, the calculation result is assumed to be new α ₂ (a + a ₁ ), α ₁ a _1, etc., but β ₁ b ₁ , β ₂ (b + b ₁ ) or γ ₁ c ₁ , γ ₂ ( c + c ₁ ). The same applies to α _{2, i} and α _{1, i} .

FIG. 14 illustrates a processing sequence of the confidential product-sum operation in the secret sharing system 310. In Figure 14, for convenience of explanation, among the server 316 will be described assuming that the server S _i or processing sequences of all servers S Oite confidential product-sum operation is performed.

In S340, the server _{S i} is a random number [delta] _{0, i,} to produce a [delta] _{2, i.}

In S342, the server S _i is generated random number [delta] _{0, i,} with [delta] _{2, i,} to publish a calculation result by calculating the following. However, if a value of 0 is disclosed, the disclosed server suspends the process because there is an unauthorized process.

  In S344, all servers calculate the following.

In S346, the server _{S i} is restored by calculating the following, restored _{δ 2 {(ab + c)} + (c 1 -a 1 b 1)}, publish δ ₀ (ab + c).

S348 is a process when the operation is continued. In S348, the server _{S i is, δ 0 (ab + c)} , δ 2 {(ab + c) + (c 1 -a 1 b 1) a new alpha ₀ a, is set to _{α 2 (a + a 1)} , the new alpha _{According to 0} a, α ₂ (a + a ₁ ), δ _{0, i} , δ _{2, i is set} to new α _{0, i} , α _{2, i} and the process returns to S340.

<Verification and restoration 3>
Next, the verification process will be described. FIG. 15 illustrates a verification processing sequence in the secret sharing system 310. In the processing sequence of the verification, the input device 312A, an input device 312B, and the input device 312C is assumed to have published _{a 1, b 1, c 1,} respectively.

In S360, the restoration device 314 collects δ _{0, i} , δ _{2, i} from the server S _i .

In S362, restoration device 314, the collected _{δ 0, i, δ 2,} i of the product [delta] _0, to calculate the [delta] _2, the product [delta] _0, publish to calculate the following with reference to [delta] _2.

Note that S362 corresponds to the first exclusion process 338a of the decryption program 348 in the restoration device 314. The CPU 340 of the restoration device 314 executes the first exclusion process 348a, thereby performing the processing of the first exclusion unit in the disclosed technology. The above calculation uses a third value δ ₂ {(ab + c) + (c ₁ −a ₁ b ₁ )} and δ ₀ (ab + c) generated by applying a random number to the operation result of the secret information. In this case, the secret information (ab + c) and the values corresponding to the fourth random numbers δ ₂ and δ ₀ are excluded to obtain the calculation result of the first random numbers for making the determination.

In S364, the restoration device 314 collects a ₁ , b ₁ , c ₁ published by the input devices 312A, 312B, and 312C and their hash values.

In S366, restoring apparatus 314 includes a _{a 1, b 1, c 1,} which is published to verify the hash values match, the process proceeds to S368 if correct hash value, the process proceeds to S374 to be right To detect fraud.

In S368, the restoration device 314 calculates c ₁ −a ₁ b ₁ using the published a ₁ , b ₁ , and c ₁ .

In S370, restoring apparatus 314 includes a _{c 1 -a} 1 _b 1 calculated from _{a 1, b 1, c 1,} which is published to verify whether _{c 1 -a} 1 _b 1 calculated in S362 is equal to If the calculation result is correct, the flow shifts to S372, and if not correct, the flow shifts to S374 to detect fraud.

  Note that S370 corresponds to the first determination process 348b of the decryption program 348 in the restoration device 314. The CPU 340 of the restoration device 314 executes the first determination process 348b to perform the processing of the first determination unit in the disclosed technology.

In S372, when the verification result is correct, the restoration device 314 determines that δ ₀ (ab + c) / δ ₀ used in S362 is ab + c.

  In S374, it is assumed that the verification result is fraud detection.

The above is the verification processing sequence. If a ₁ , b ₁ , c ₁ is secretly shared, as a process corresponding to S 366, the sharing values of a ₁ , b ₁ , c ₁ are disclosed by each server, and the restoration device 314 a ₁ , b ₁ , c ₁ may be restored.

  If the calculation is repeated, the final calculation result based on the random number is restored in S362, all random numbers are collected in S364, and the same calculation is configured using the random number. The result of S362 and the result of S368 Verify that the results match.

If the attacker does not know the input value or the random number, it can be said that the operation cannot be performed so that (c ₁ −a ₁ b ₁ ) matches. Therefore, it can be said that δ ₀ (ab + c) / δ ₀ used in the calculation is correct.

  In addition, the verification processing can be performed not at the end of the operation but in an arbitrary product-sum operation unit.

In the present embodiment, the verification processing sequence is performed by the restoration device 314. However, as long as the server S _i discloses δ _{0, i} , δ _{2, i} , any device can perform verification from the public value. In this case, the person who restores cannot cheat.

However, if the server S _i to publish _{δ 0, i, δ 2,} i, for example by inputting person A attacker, 'using a ₁ a + a' a ₁ differs a to that published the hash value in a distributed processing ₁ enter a, if have published _{a 1,} although the verification result is invalid in S370, since _{δ 0 (ab + c) /} δ 0 are restored in S362, only the attacker that calculation result is correct You can know. Therefore, if S360 and S362 are modified as follows from S360 'to S364', and if the result of S370 is correct, the following S371 'is added and processed, δ ₀ (ab + c) is kept secret and a _{Since 1} b ₁ + c ₁ is calculated, it is possible to prevent only an attacker from knowing the operation result. Further, if the confidential calculation in S360 'to S364' described below is considered as a part of the confidential product-sum operation, the processing in S360 'to S364' described below is also verified. Further, instead of the reconstruction apparatus 314 S374, the server _{S i} is _{δ 0, i, [μ 7} ] i, if expose [mu _{8] i,} can be a public process. This measure can be applied to the following embodiments.

In S360 ', the server _{S i} transmits _{(1 / δ 0, i μ} 7, i), the restoration device _{314 (1 / δ 2, i} μ 8, i).

In S362 ', restoration device 314, received the product _{(1 / δ 0 μ 7)} , exposes the _{(1 / δ 2 μ 8)} , collects below the server has calculated.

  In S364 ', the restoration device 314 restores the collected calculation result and publishes the result.

In S371 ′, when the result of S370 is correct, the restoration apparatus 314 collects δ _{0, i} , [μ ₇ ] _i , [μ ₈ ] _i , checks the result of S364 ′, and calculates the calculated δ ₀ (ab + c ) / Δ ₀ is ab + c. If the check results do not match, the server whose [a ₁ b ₁ + c ₁ ] _i does not match is regarded as invalid.

However, in the case where the input person is an attacker, a fake answer can be obtained by the recoverer without performing fraud detection as follows. For example, since the user C knows c and c ₁ and is independent of a and b, it is possible to match c ₁ even if an incorrect process is performed only on a portion related to c. This measure is shown in the following embodiment.

  Therefore, the present embodiment is effective when the input person does not cheat, that is, when the attacker is an external attacker who does not know up to k-1 servers or inputs.

  Further, the restoration device 314 functions as a confidential operation device including a restoration unit that obtains an operation result of obtaining the operation results of the first secret information from the value obtained from the first exclusion unit. The restoration device 314 obtains the value obtained from S372 by executing the restoration process 348c through each processing sequence of the present embodiment, and obtains the operation result (ab + c) between the first secret information.

  As described above, by verifying the confidential product-sum operation using the method according to the third embodiment of the present invention, it is possible to detect illegality of the confidential product-sum operation.

[Fourth embodiment]
The fourth embodiment focuses on the point that in the third embodiment, the injustice of the user who knows the input could not be prevented, and the present embodiment shows a method capable of preventing the injustice including the collusion of the user.

  The configuration of the fourth embodiment can be the same as that of the second embodiment of FIG. 5 described above. In the secret sharing system 410, the input device 212 is replaced by the input device 412 and the server 216 is replaced by the server 416. do it. The server 416 is an example of a sharing device, and the secret sharing system 410 is an example of a sharing system.

In secret sharing system 410, in order to prevent fraud, so as not to generate only input device 412 to _{a 1, b 1, c 1} . Thus, for example, user C operating the input device 412C is does not know the c _1, not be matched to illegally c ₁ a part related to C. Also, in the present embodiment, the secret information does not include 0 as in the third embodiment, but the conversion random number set ([ε _h ] _i , ε _{h, i} ) ( h = 1,..., 12) are distributed in advance.

  Next, a hardware configuration of the server 416 according to the present embodiment will be described with reference to FIG. Note that the input device 412 can have the same hardware configuration as that of the second embodiment, and a detailed description thereof will be omitted.

  As shown in FIG. 16, the server 416 includes a CPU 430, a memory 431 as a temporary storage area, and a nonvolatile storage unit 432. The server 416 includes a display device 433, an input I / F 434, and a network I / F 435 connected to the network N. The CPU 430, the memory 431, the storage unit 432, the display device 433, the input I / F 434, and the network I / F 435 are connected to the bus 436.

  The storage unit 432 is realized by an HDD, an SSD, a flash memory, and the like. The storage unit 432 as a storage medium stores a secret product-sum operation program 238 and a fourth generation program 440. The CPU 430 reads the fourth generation program from the storage unit 432, expands it in the memory 431, and executes the expanded fourth generation program 440. When the CPU 430 executes the fourth generation program 440, it operates as a fourth generation unit according to the disclosed technology.

  Next, the operation of the secret sharing system 410 according to the present embodiment will be described with reference to FIG. In the fourth embodiment, the distribution processing sequence is different from that of the third embodiment. Therefore, only the distribution processing sequence will be described. FIG. 17 illustrates a sharing processing sequence in the secret sharing system 410.

<Dispersion 4>
In S410, the input device 412A generates _k random numbers α _0,0 ,..., Α _{0, k−1} and calculates the random numbers α ₀ = Π _{j =} 0k ⁻¹ α _{0, j} .

In S412, the input device 412A determines that the set of k random numbers (α _{1a, 0} ,..., Α _{1a, k−1} ), (β _{1a, 0} ,..., Β _{1a, k−1} ), (γ _{1a, 0} ,..., Γ _{1a, k−1} ), and a random number α _1a = Π _{j = 0} ^k−1 α _{1a, j} , β _1a = Π _{j = 0} ^k−1 β _{1b, j} , γ _1a = Π Calculate _{j = 0} ^k-1 γ _{1a, j} .

In S414, the input device 412A calculates α ₀ a = α ₀ × a for the secret information a and makes it public.

In S416, the input device 412A transmits _{(α 1a, i, β 1a} , i, γ 1a, i, α 0, i) to the server _{S i.}

In S418, the input device 412A, the random number _{a 1a, b 1a,} generates a _{c 1a.}

In S420, the input device 412A, using the random number generated in S418, to calculate the following _{α 1a a 1a, β 1a b} 1a, publish gamma _1a c _1a. Further, the input device 412A holds the random numbers a _1a , b _1a , c _1a and discloses the hash values ha _{1, a} , h _{b1, a} , h _{c1, a} .

In S422, the input device 412B generates _k random numbers β _0,0 ,..., Β _{0, k−1} and calculates the random numbers β ₀ = Π _{j =} 0k ⁻¹ β _{0, j} .

In S424, the input device 412B sets the set of k random numbers (α _{1b, 0} ,..., Α _{1b, k−1} ), (β _{1b, 0} ,..., Β _{1b, k−1} ), (γ _{1b, 0} ,..., Γ _{1b, k-1} ) and a random number α _1b = Π _{j = 0} ^k-1 α _{1b, j} , β _1b = Π _{j = 0} ^k-1 β _{1b, j} , γ _1b = Π _{j = 0} ^k−1 γ _{1b, j} is calculated.

In S426, the input device 412B calculates β ₀ b = β ₀ × b for the secret information b and makes it public.

In S428, the input device 412B transmits _{(α 1b, i, β 1b} , i, γ 1b, i, β 0, i) to the server _{S i.}

In S430, the input device 412B generates random numbers a _1b , b _1b , and c _1b for the user B.

In S432, the input device 412B uses the random numbers generated in S430 to calculate the following and publish α _1ba a _1b , β _1b b _1b , and γ _{1bc 1b} . Further, the user B holds the random numbers a _1b , b _1b , and c _{1b ,} and discloses the hash values ha _{1, b} , h _{b1, b} , and _{hc1, b} .

In S434, the input device 412C generates _k random numbers γ _0,0 ,..., Γ _{0, k−1} and calculates the random numbers γ ₀ = Π _{j =} 0k ⁻¹ γ _{0, j} .

In S436, the input device 412C determines the set of k random numbers (α _{1c, 0} ,..., Α _{1c, k−1} ), (β _{1c, 0} ,..., Β _{1c, k−1} ), (γ _{1c, 0} ,..., Γ _{1c, k−1} ), and a random number α _1c = Π _{j = 0} ^k−1 α _{1c, j} , β _1c = Π _{j = 0} ^k-12 β _{1c, j} , γ _1c = Π Calculate _{j = 0} ^k-1 γ _{1c, j} .

In S438, the input device 412C calculates γ ₀ c = γ ₀ × c for the secret information c for the user C and publishes it.

In S440, the input device 412C transmits _{(α 1c, i, β 1c} , i, γ 1c, i, γ 0, i) to the server _{S i.}

In S442, the input device 412C generates random numbers a _1c , b _1c , and c _1c .

In S444, the input device 412C calculates the following using the random numbers generated in S442, and publishes α _1c a _1c , β _1c b _1c , and γ _1c c _1c . Further, the user C holds the random numbers a _1c , b _1c , c _1c and publishes the hash values ha _{1, c} , h _{b1, c} , h _{c1, c} .

The above is the processing in the input devices 412A to 412C. From the following is a process of the server S _i.

In S446, the server _{S i} is the random number _{α 1, i, β 1,} i, to generate the gamma _{1, i.}

In S448, the server _{S i,} using the random number generated in S446, to calculate the following, to publish the calculation result. However, if a value of 0 is disclosed, the disclosed server suspends the process because there is an unauthorized process.

In S450, the server _{S i} is the multiplication relates i, compute the following.

In S452, the server _{S i} calculates the following with reference to conversion random sets _{[ε 1] i ~ [ε} 9] i, exposes the calculation results.

Incidentally, S450 is in the server _{S i,} corresponding to the fourth generation program 440. CPU430 server _{S i} is, by executing the fourth generation program 440 performs the processing of the fourth generation unit in the technology disclosed herein. For example, in the calculation of the process, a random number _{a 1,} generated using _{a 1a, a 1b, a 1c} . a _1a , a _1b , and a _1c are examples of random numbers generated by persons other than the creator of the first secret information.

In S454, the server _{S i is, α 1 a 1, β 1} b 1, to restore the gamma ₁ c _1.

In S456, the server _{S i} is the random number _{α 2, i, β 2,} i, to generate the gamma _{2, i.}

In S458, the server _{S i,} using the random number generated in S456, to calculate the following, to publish the calculation result. However, if a value of 0 is disclosed, the disclosed server suspends the process because there is an unauthorized process.

In S460, the server _{S i} is the multiplication relates i, compute the following.

In S462, server _{S i} calculates the following, to publish the calculation result.

In S464, the server _{S i is, α 2 (a + a 1} ), β 2 (b + b 1), to recover the _{γ 2 (c + c 1)} .

By the above-described distributed processing sequence, the server _Si has the following in addition to the conversion random number set. Note that the input device 412A, the input device 412B, and the input device 412C may share a _1h , b _1h , c _1h (h = a, b, c) in secret.

  The above is the distribution processing sequence of the present embodiment.

The secret product-sum operation for this embodiment is the same as that of the third embodiment, and the verification is basically the same as that of the third embodiment. However, a1 _{, a} , a1 _{, b} , a1 _{, c} , b1 _{, a} , b1 _{, b} , b1 _{, c} , c1 _{, a} , c1 _{, b} , c1 _{, c1, c} are represented by hash values. After verification, a ₁ , b ₁ , and c ₁ are converted to a ₁ = a _{1, a} + a _{1, b} + a _{1, c} , b ₁ = b _{1, a} + b _{1, b} + b _{1, c} , c ₁ = c _{1, The} only difference is that it is calculated by _a + c1 _{, b} + c1 _{, c} . Further, when the operation is repeated, all a _1h , b _1h , c _1h (h = a, b, c) are collected, and the validity of the operation part by the random number is verified.

Regarding security, when the input person is not an attacker, that is, when the attacker is up to k-1 servers or external attackers, it can be said that the security is the same as in the third embodiment. In addition, the user A operates the input device 412A of _{a 1, b 1, c 1} in the present embodiment, the user B operating the input device 412B, and to generate at all of the user C operating the input device 412C It can be said that it is safe even if the input person becomes an attacker as follows.

  For example, if user C is an attacker, user C knows c but does not know c1. This is because c1 is created by users A, B, and C. Therefore, even if the user C illegally operates a portion related to C, the final result cannot be set to 0 because the user C does not know c1. Also, the user C can operate q4-q6, but cannot adjust other values because he does not know c1. This can be said for the collusion of two users. If (c1-a1b1) '-(c1-a1b1) = 0, it can be said that no fraud has been performed.

However, if all persons who know the values of a, b, and c collaborate, a different value can be set as the calculation result based on the secret information while setting (c1-a1b1) '-(c1-a1b1) = 0. Although it is not assumed that all members collude in one confidential product-sum operation, if the confidential product-sum operation is repeated, if all the inputs that execute one multiply-accumulate operation collude, the above difference value remains zero. , An incorrect value can be used as the calculation result. Therefore, in the case of repeating the confidential product-sum operation, it is assumed that all of the input persons constituting one product-sum operation are not colluded. In addition, when the confidential product-sum operation is repeated and all the input persons regarding one product-sum operation are colluded, random numbers a ₁ , b ₁ , and c ₁ are also leaked. Therefore, in order to prevent the calculation participant from knowing the random numbers a ₁ , b ₁ , c ₁ , a set of conversion random numbers held in advance by each server is used. In this way, variance 4 can be made very simple as follows.

[Modification of Fourth Embodiment]
Hereinafter, as a modified example of the fourth embodiment, an example in which a set of random numbers for conversion ([λ] _j , λ _i ), ([ε] _j , ε _i ), ([μ] _j , μ _i ) will be described. . In the following, a _{1 and the} like are formed by multiplication of α _{1, i} , and the value of a _{1 and the} like is safe because no one knows it. In the following generation of [α ₂ (a + a ₁ )] _i , a method that can be used even when a = 0 is also shown.

  FIG. 18 illustrates a distribution processing sequence in the modification. In the sequence of FIG. 18, the following processes of S470 to S490 are performed. In FIG. 18, each process is described in a simplified manner.

<Dispersion 4 '>
In S470, the input device 412A generates a random number α _{2, j} (j = 0,..., K−1), calculates a random number α ₂ = Π _{j = 0} ^k−1 α _{2, j} and outputs the secret information a Then, α ₂ a = α ₂ × a is calculated and secret sharing is performed.

In S472, the input device 412A transmits alpha _{2, j,} a [α _{2 a] j} to the server _{S j.}

In S474, the input device 412B generates the random number β _{2, j} (j = 0,..., K−1), calculates the random number β ₂ = Π _{j = 0} ^k−1 β _{2, j} , and outputs the secret information b Then, β ₂ b = β ₂ × b is calculated and secret sharing is performed.

In S476, the input device 412B transmits β _{2, j} , [β ₂ b] _j to the server S _j .

In S478, the input device 412C generates a random number γ _{2, j} (j = 0,..., K−1), calculates a random number γ ₂ = Π _{j = 0} ^k−1 γ _{2, j,} and generates the secret information c. On the other hand, γ ₂ c = γ ₂ × c is calculated and secret sharing is performed.

In S480, the input device 412C sends γ _{2, j} , [γ ₂ c] _j to the server S _j .

In S482, the server _{S i} defines a random number _{a 1, i, b 1,} i, c 1, i, λ i = α 1, i a 1, i, ε i = β 1, i b 1, i, μ Decompose as _i = γ _1, ic _{1, i} . Server _{S i} publishes a hash value of _{a 1, i, b 1,} i, c 1, i.

In S484, the server S _i publishes [λ] _i , [ε] _i , [μ] _i and restores λ = α ₁ a ₁ , ε = β ₁ b ₁ , μ = γ ₁ c ₁ . Here, α ₁ = Π _{i = 0} ^k−1 α _{1, i} , a ₁ = Π _{i = 0} ^k−1 a _{1, i} , β ₁ = Π _{i = 0} ^k−1 β _{1, i} , b ₁ = Π _{i = 0} ^k−1 b _{1, i} , γ ₁ = Π _{i = 0} ^k−1 γ _{1, i} , c ₁ = Π _{i = 0} ^k−1 c _{1, i}

In S486, the server _{S i} is the random number _{α 2, i, β 2,} i, to generate the gamma _{2, i,} and publish calculate the following.

In S488, server _{S i} calculates the following.

In S490, the server _{S i} is restored by calculating the _{following, α 2 (a + a 1} ), β 2 (b + b 1), exposes the _{α 2 (a + a 1)} .

  As described above, by distributing the secret information by using the method of the fourth embodiment of the present invention, even if the secret information includes 0, it is possible to prevent fraud including collusion of the user.

[Fifth Embodiment]
The fifth embodiment shows a method of verifying an operation result when secret information includes 0.

First, the premise of the method of the fifth embodiment will be described. In the third and fourth embodiments, since α ₀ a obtained by multiplying the secret information by a random number is disclosed, when the secret information is 0, for example, when a = 0, α ₀ a = 0, and the secret information is leaked. On the other hand, in the second embodiment, since a value obtained by multiplying the secret information by a random number is not generated, even if the secret information is 0, no leak occurs. Therefore, utilizing the principle, verification is performed when secret information includes 0.

Also, for the sake of simplicity in the distribution of the present embodiment, a case where there is no attack from the user is considered as in the distribution of the third embodiment. If you want to be secure against attacks from the user, the random number, such as a ₁ in the following, the input person as in the modified example of the fourth embodiment does not generate directly generated using the conversion random number pairs Just do it. In this case, the input device cannot know both α ₂ and a ₁ of the generated α ₂ (a + a ₁ ), thereby preventing fraud. The same applies to b ₁ , c ₁ , a ₂ , b ₂ , c ₂ . Also, in the confidential product-sum operation of the present embodiment, it is assumed that the server _Si has ([μ _h ] _i , μ _{h, i} ) (h = 1,..., Necessary number) as a conversion random number set.

  The configuration of the fifth embodiment can be the same as that of the third embodiment shown in FIG. 11, and in the secret sharing system 510, the input device 312 is the input device 512, the restoration device 314 is the restoration device 514, and the server is the server. The configuration may be such that the server 316 is replaced with the server 316. Note that the restoration device 514 is an example of a verification restoration device including a second elimination unit and a second determination unit.

  Next, a hardware configuration of the restoration apparatus 514 according to the present embodiment will be described with reference to FIG.

  As shown in FIG. 19, the restoration device 514 includes a CPU 540, a memory 541 as a temporary storage area, and a nonvolatile storage unit 542. The restoration device 514 includes a display device 543, an input I / F 544, and a network I / F 545 connected to the network N. The CPU 540, the memory 541, the storage unit 542, the display device 543, the input I / F 544, and the network I / F 545 are connected to the bus 546.

  The storage unit 542 is realized by an HDD, an SSD, a flash memory, and the like. The storage unit 542 as a storage medium stores a decryption program 548. The decryption program 548 includes a second exclusion process 548a, a second determination process 548b, and a restoration process 548c. The CPU 540 reads out the decryption program 548 from the storage unit 542, expands it in the memory 541, and executes the expanded decryption program 548. When the CPU 540 executes the second exclusion process 548a of the decryption program 548, it operates as the second exclusion unit of the disclosed technology. When the CPU 540 executes the second determination process 548b of the decryption program 548, it operates as the second determination unit of the disclosed technology. When the CPU 540 executes the restoring process 548c of the decryption program 548, it operates as a restoring unit according to the disclosed technology.

  Note that the hardware configuration of each of the other devices can be the same as the hardware configuration of the third embodiment, and a detailed description thereof will be omitted.

  Next, the operation of the secret sharing system 510 according to the present embodiment will be described with reference to FIGS.

<Dispersion 5>
First, a process of distributing secret information to each server will be described. FIG. 20 illustrates a sharing processing sequence in the secret sharing system 510. In the distribution processing sequence, the secret information held by the input devices 512A to 512C is distributed to the server 516. In the following, the server 516, all servers S which is on all servers of n units, and one of the servers S _i is described as a target in response to the processing of distributed processing sequence.

In S510, the input device 512A generates random numbers α _{i, 0} ,..., Α _{i, k−1} (i = 1,..., 4).

In S512, the input device 512A calculates a random number α _i = Π _{j =} 0k ⁻¹ α _{i, j} .

In S514, the input device 512A generates random numbers a ₁ and a ₂ , calculates the following for the secret information a, and publishes the calculation result. The input device 512A exposes the hash value _{h a1, h a2} for _{a 1, a 2.}

In S516, the input device 512A _is, α _{0, j,} .., transmits the alpha _{4, j} to the server _{S i.}

In S518, the input device 512B generates random numbers β _{i, 0} ,..., Β _{i, k−1} (i = 1,..., 4).

In S520, the input device 512B calculates a random number β _i = Π _{j =} 0k ⁻¹ β _{i, j} .

In S522, the input device 512B generates random numbers b ₁ and b ₂ , calculates the following for the secret information b, and publishes the calculation result. Further, the input device 512B discloses the hash values h _b1 and h _b2 for b ₁ and b ₂ .

In S524, the input device 512B _includes, β _{0, j,} .., transmits the beta _{4, j} to the server _{S i.}

In S526, the input device 512C generates random numbers γ _{i, 0} ,..., Γ _{i, k-1} (i = 1,..., 4).

In S528, the input device 512C calculates a random number γ _i = Π _{j =} 0k ^-1 γ _{i, j} .

In S530, the input device 512C generates random numbers c ₁ and c ₂ , calculates the following for the secret information c, and publishes the calculation result. Further, the input device 512C discloses the hash values h _c1 and h _c2 for c ₁ and c ₂ .

In S532, the input device 512C _is, γ _{0, j,} .., sends the gamma _{4, j} to the server _{S i.}

By the above-described distributed processing sequence, the server _Si has the following.

The input device 512A, an input device 512B, and the input device 512C _{is, a 1, b 1, c} 1, a 2, a _{b 2, c 2} may be secret sharing.

<Secret product-sum operation 5>
Next, a process of performing a secret product-sum operation will be described. FIG. 21 illustrates the processing sequence of the confidential product-sum operation in the secret sharing system 510. In Figure 21, for convenience of explanation, among the server 516 will be described assuming that the server S _i or processing sequences of all servers S Oite confidential product-sum operation is performed.

In S540, the server _{S i} is a random number _{δ 1, i, δ 2,} i, δ 3, i, to produce a [delta] _{4, i.}

In S542, the server _{S i} is generated random number _{δ 1, i, δ 2,} i, δ 3, i, with [delta] _{4, i,} to publish a calculation result by calculating the following. However, if a value of 0 is disclosed, the disclosed server suspends the process because there is an unauthorized process.

  In S544, all servers calculate the following.

In S546, the server _{S i} is restored by calculating the following, restored _{δ 2 {(ab + c)} + (c 1 -a 1 b 1)}, δ 1 (c 1 -a 1 b 1), δ 4 {{Ab + c) + (c ₂ −a ₂ b ₂ )}, δ ₃ (c ₂ −a ₂ b ₂ ) is published.

S548 is a process when the operation is continued. In S548, the server _{S i is, δ 1 (c 1 -a 1} b 1), δ 2 {(ab + c) + (c 1 -a 1 b 1)}, δ 3 (c 2 -a 2 b 2), If δ ₄ {(ab + c) + (c ₂ −a ₂ b ₂ )} is not 0, new α ₁ a ₁ , α ₂ (a + a ₁ ), α ₃ a ₂ , α ₄ (a + a ₂ ) are set. Then, δ _{1, i} , δ _{2, i} , δ _{3, i} , δ _{4, i} are set to new α _{1, i} , α _{2, i} , α _{3, i} , α _{4, i} and the process returns to S540. .

<Correction 5>
Next, a correction process performed when the calculation result in S546 is 0 will be described. In the processing sequence of the confidential product-sum operation in FIG. 21 described above, when at least one of δ ₂ {(ab + c) + (c ₁ −a ₁ b ₁ )}, δ ₁ (c ₁ −a ₁ b ₁ ) is 0. , The following correction processing is performed. FIG. 22 illustrates a processing sequence of the correction processing in the secret sharing system 510. Processing sequence of the correction processing will be described as being performed by the server S _i. A case where δ ₂ {(ab + c) + (c ₁ −a ₁ b ₁ )} = 0 is a first case, and a case where δ ₁ (c ₁ −a ₁ b ₁ ) = 0 is a second case. , A calculation example in a case where at least one of the first case and the second case is applied will be described.

In S560, the server S _i generates and publishes new random numbers τ _{0, i} and w _i .

In S562, server _{S i} calculates the _{τ 0 w = Πτ 0, i} w i. In addition, the server _{S i} is, to publish the hash value of _{w i.}

In S564, the server S _i is a random number tau _{1, i,} to generate a tau _{2, i,} compute the following using the generated random number. In the first case,

Is calculated. In the second case,

Is calculated.

In S566, server _{S i} is, to publish the results of calculation of S564. However, if a value of 0 is disclosed, the disclosed server suspends the process because there is an unauthorized process.

In S568, the server S _i by using the calculation results published, calculates the following multiplying the i. In the first case,
.
In the second case,
.

In S570, the server _{S i} performs the following calculation, and sets the new value. In the first case,

Τ ₀ w is assumed to be new τ ₂ {(ab + c) + (c ′ ₁ −a ₁ b ₁ )}. The server _{S i} has issued restored by calculating the following, they a new alpha ₁ a _1, and _{α 2 (a + a 1)} , a new and _{τ 1, i, τ 2,} i = τ 0, i The process returns to S540 of the processing sequence of the confidential product-sum operation of FIG. 21 as α _{1, i} , α _{2, i} .

In the second case,

Τ ₀ w is assumed to be a new τ ₁ (c ′ ₁ −a ₁ b ₁ ). The server _{S i} has issued restored by calculating the following, they a new alpha ₁ a _1, and _{α 2 (a + a 1)} , a new and _{τ 1, i = τ 0,} i, τ 2, i The process returns to S540 of the processing sequence of the confidential product-sum operation of FIG. 21 as α _{1, i} , α _{2, i} . Note that c ′ ₁ = c ₁ + w.

The above is the processing sequence of the correction processing. Note that the same applies to a case where δ ₃ (c ₂ −a ₂ b ₂ ), δ ₄ {(ab + c) + (c ₂ −a ₂ b ₂ )} is 0.

<Verification / Restoration 5>
Next, the verification process will be described. FIG. 23 illustrates a verification processing sequence in the secret sharing system 510. In the processing sequence of the verification, the input device 512A, an input device 512B, and the input device 512C is assumed to have published _{a 1, b 1, c 1} , a 2, b 2, c 2. In addition, if you are performing the correction processing, the server that generated the w _i is to publish its value and the hash value. Since, although the _{w i} is included in ₁ c'than _{c'1 = c} 1 + w, also expressed as _{c 1 c'1} for simplicity.

In S580, the restoration device 514 collects δ _{2, i} , δ _{4, i} from the server S _i .

In S582, restoration device 514, the collected [delta] _{2, i,} [delta] _4, the product of the _i [delta] _2, to calculate the [delta] _4, product [delta] _2, and publish calculate the following using the [delta] _4.

Note that S582 corresponds to the second exclusion process 548a of the decryption program 548 in the restoration device 514. The CPU 540 of the restoration device 514 executes the second exclusion process 548a to perform the processing of the second exclusion unit in the disclosed technology. The above calculation calculates each of the third values δ ₂ {(ab + c) + (c ₁ −a ₁ b ₁ )}, δ ₄ {(ab + c) + (c ₂ −a ₂ b ₂ )} This corresponds to eliminating values corresponding to _four random numbers δ _{2 and} δ ₄ .

In S584, restoration device 514 collects the input device 512A, an input device 512B, and the input device _{a 1} to 512C _{exposes, b 1, c 1, a} 2, b 2, c 2 and the hash value.

In S586, restoration device 514, proceeds _{a 1, b 1, c 1} , a 2, b 2, c 2 , which is published to verify the hash values match, the S588 is correct hash value If not, the process proceeds to S594 to detect fraud. Incidentally, the way when the result is 0, restoration device 514 exposes collects w _i the newly defined, verifies the hash value.

In S588, the restoration device 514 uses (a ₁ , b ₁ , c ₁ , a ₂ , b ₂ , and c ₂ ) that have been made public, and (c ₁ -a ₁ b ₁ )-(c ₂ -a ₂ b _2). ) Is calculated. Incidentally, if the middle operation result is corrected becomes 0, _{c 1, c 2} becomes _{c'1, c'2.}

In S590, the restoration apparatus 514 calculates (c ₁ -a ₁ b ₁ )-(c ₂ -a ₂ b) from the published a ₁ , b ₁ , c ₁ , a ₂ , b ₂ , c _{2. 2} ) and (c ₁ −a ₁ b ₁ ) − (c ₂ −a ₂ b ₂ ) calculated from the restoration value (that is, the products δ ₂ , δ ₄ ) in S582, and verify that the calculation result is correct. If not, the process proceeds to S590, and if not, the process proceeds to S594 to detect the fraud.

Note that S590 corresponds to the second determination process 548b of the decryption program 548 in the restoration device 514. The CPU 540 of the restoration device 514 executes the second determination process 548b to perform the processing of the second determination unit in the disclosed technology. Further, c ′ ₁ = c ₁ + w in the case where δ ₁ (c ₁ −a ₁ b ₁ ) = 0 is corrected corresponds to the sixth random number. (C ₁ −a ₁ b ₁ ) − (c ₂ −a ₂ b ₂ ) that is the calculation result of S582 corresponds to the calculation result of the first random numbers. As described above, c ₁ and c ₂ here are c ′ ₁ and c ′ ₂ .

In S592, if the verification result is correct, the restoration device 514 uses the public value (c ₁ -a ₁ b) from δ ₂ {(ab + c) + (c ₁ −a ₁ b ₁ )} / δ ₂ used in S582. _The value obtained by subtracting ₁ ) is defined as ab + c.

  In S594, it is assumed that the verification result is fraud detection.

The above is the verification processing sequence. If a ₁ , b ₁ , c ₁ , a ₂ , b ₂ , and c ₂ are secretly shared, a ₁ , b ₁ , c ₁ , a ₂ , b is executed in each server as processing corresponding to S586. _2, exposes the dispersion value of _{c 2,} the restoring device _{514 a 1, b 1, c} 1, a 2, b 2, c 2 may be the restoration.

  If the calculation is repeated, a final calculation result based on random numbers is calculated in S582, all random numbers are collected in S584, a similar calculation is configured using the random numbers, and a result calculated in S582 is calculated. It is verified whether the results calculated in S588 match.

In the above, δ ₂ {(ab + c) + (c ₁ −a ₁ b ₁ )} and δ ₄ {(ab + c) + (c ₂ −a ₂ b ₂ )} have the same form for simplicity. However, as long as both contain (ab + c), there is no problem even if the difference is only a random number, even if the calculation is of a different format.

If the same modification as that of the second embodiment is performed, concealment subtraction and concealment division can be realized. Also, it can be said that the security of the present embodiment is secure against an attacker who does not know the secret information and the random number, as in the third embodiment. However, similarly to the third embodiment, for example, the user C knows c, c ₁ , and c _2, and thus can adjust the relationship between them to make a fraud. Therefore, the random numbers a ₁ , b ₁ , c ₁ , a ₂ , b ₂ , and c ₂ are not generated by the input device of the input device, and the variance 4 or the variance 4 ′ as shown in the fourth embodiment. You just need to generate it.

Further, it is safe even if δ ₂ {(ab + c) + (c ₁ −a ₁ b ₁ )} or δ ₄ {(ab + c) + (c ₂ −a ₂ b ₂ )} is corrected in the correction processing 5. I can say that.

  As described above, all of the problems 1 to 3 can be solved.

  Further, the restoration device 514 functions as a confidential operation device including a restoration unit that obtains an operation result of obtaining the operation results of the first secret information from the value obtained from the second elimination unit. The restoration device 514 obtains the value obtained from S592 by executing the restoration process 548c through each processing sequence of the present embodiment, and obtains the operation result (ab + c) between the first secret information.

  As described above, by distributing the secret information by using the method of the fifth embodiment of the present invention, even if the secret information contains 0, it is possible to prevent fraud including collusion of the user. Further, by performing the confidential product-sum operation using the method of the fifth embodiment, even if the secret information includes 0, the concealment operation can be efficiently repeated. In addition, by verifying the confidential product-sum operation using the method of the fifth embodiment, it is possible to detect the illegality of the confidential product-sum operation.

[Sixth embodiment]
The sixth embodiment shows a case where the proposed method described in the first to fifth embodiments is modified and applied to a block chain. That is, an input device operated by an input person who registers a value, a verification device operated by a verifier that verifies the value and disclosed to a blockchain, a blockchain device, and a value disclosed to the blockchain are confirmed. Consider a system consisting of a restoration device operated by a restoration person. The input device informs the verification device of the value to be registered, but wants to keep the registered value secret from the restoring device. However, in the blockchain, openness and verifiability are important, so that the restoring device can execute calculations such as total values and various statistical values (hereinafter, referred to as verification calculations) from secret registration values, and verify the calculation results. It can be so. That is, the registered value is concealed and disclosed by one blockchain device, but anyone can execute the verification operation using the registered value, and can know the total value, the statistic value, and the like. A great feature is that it is possible to verify that the operation result is correct.

The configuration of the secret sharing system 610 according to the present embodiment will be described with reference to FIG. As shown in FIG. 24, the secret sharing system 610 includes an input device 6, a restoration device 614, a blockchain device 616, and a verification device 618. Each device is connected to the network N and can communicate with each other. The blockchain device 616 is an example of an arithmetic device, the restoration device 614 is an example of a verification and restoration device including a verification unit, and the secret sharing system 610 is an example of a secret operation verification and restoration system.

Hereinafter, the blockchain device 616 will be referred to as S ₁ and the registered value will be referred to as secret information, and a description will be given of the case of k = 2 (k can be set arbitrarily. Most efficient). For simplicity, it is assumed that the verification operation to be executed is a product-sum operation, the registered value does not include 0, and the operation result does not include 0. Hereinafter, a case will be described in which α ₂ (a + a ₁ ), α ₁ a ₁ , and α ₀ a are used in order to perform the same operation on the secret information and the operation on the random number. The following example shows a case in which the input person sends the values of a, b, and c to the verifier every time they occur, and after the verifier confirms them, confidentially discloses them.

  Next, a hardware configuration of the restoration apparatus 614 according to the present embodiment will be described with reference to FIG.

  As illustrated in FIG. 25, the restoration device 614 includes a CPU 640, a memory 641 as a temporary storage area, and a nonvolatile storage unit 642. The restoration device 614 includes a display device 643, an input I / F 644, and a network I / F 645 connected to the network N. The CPU 640, the memory 641, the storage unit 642, the display device 643, the input I / F 644, and the network I / F 645 are connected to the bus 646.

  The storage unit 642 is realized by an HDD, an SSD, a flash memory, and the like. The verification and restoration program 648 is stored in the storage unit 642 as a storage medium. The CPU 640 reads out the verification / restoration program 648 from the storage unit 642, expands it in the memory 641, and executes the expanded verification / restoration program 648. When the CPU 640 executes the verification / restoration program 648, it operates as a verification unit of the disclosed technology.

  Next, a hardware configuration of the block chain device 616 according to the present embodiment will be described with reference to FIG.

  As shown in FIG. 26, the blockchain device 616 includes a CPU 650, a memory 651 as a temporary storage area, and a nonvolatile storage unit 652. The block chain device 616 includes a display device 653, an input I / F 654, and a network I / F 655 connected to the network N. The CPU 650, the memory 651, the storage unit 652, the display device 653, the input I / F 654, and the network I / F 655 are connected to the bus 656.

  The storage unit 652 is realized by an HDD, an SSD, a flash memory, and the like. The arithmetic unit 658 is stored in the storage unit 652 as a storage medium. The CPU 650 reads the operation program 658 from the storage unit 652, expands it in the memory 651, and executes the expanded operation program 658. When the CPU 650 executes the calculation program 658, the CPU 650 operates as a calculation unit according to the disclosed technology.

  Next, a hardware configuration of the verification device 618 according to the present embodiment will be described with reference to FIG.

  As illustrated in FIG. 27, the verification device 618 includes a CPU 660, a memory 661 as a temporary storage area, and a nonvolatile storage unit 662. Further, the verification device 618 includes a display device 663, an input I / F 664, and a network I / F 665 connected to the network N. The CPU 660, the memory 661, the storage unit 662, the display device 663, the input I / F 664, and the network I / F 665 are connected to the bus 666.

  The storage unit 662 is realized by an HDD, an SSD, a flash memory, and the like. The verification program 668 is stored in the storage unit 662 as a storage medium. The CPU 660 reads the verification program 668 from the storage unit 662, expands it in the memory 661, and executes the expanded verification program 668.

  Note that the input device 612 can have the same configuration as the verification device 618, and thus a detailed description is omitted.

  Next, an operation of the secret sharing system 610 according to the present embodiment will be described with reference to FIGS.

<Distribution 6 = Data registration>
FIG. 28 illustrates a processing sequence of sharing (data registration) and confidential product-sum operation (verification operation) in the secret sharing system 610. FIG. 29 illustrates the processing sequence of the verification / restoration processing (data verification).

  In step S610, the input device 612 transmits the secret information a, b, and c to the verification device 618 using a secure communication channel every time the secret information a, b, and c is generated.

  The verification device 618 checks the received a, b, and c, and if there is no problem, performs the following.

In S612, the verification device 618 generates three random numbers α ₀ , α ₁ , and α ₂ for the secret information a. Also generates a random number a _1, it calculates the following values.

In S614, the verification unit 618, the calculation result of S612, and transmits the hash value _{h a1} for _{a 1} block chain device _{S 1.}

In S616, the verification device 618 generates three random numbers β ₀ , β ₁ , and β ₂ for the secret information b. Also generates a random number b _1, it calculates the following values.

In S618, the verification unit 618, the calculation result of S616, and transmits the hash value _{h b1} for _{b 1} to block the chain system _{S 1.}

In S620, the verification device 618 generates three random numbers γ ₀ , γ ₁ , and γ ₂ for the secret information c. Also generates a random number c _1, it calculates the following values.

In S622, the verification unit 618, the calculation result of S620, and transmits the hash value _{h c1} for _{c 1} to block the chain system _{S 1.}

In S624, the verification device 618 generates a conversion random number set ([ε _i ] ₀ , ε _{i, 0} ) and ([ε _i ] ₁ , ε _{i, 1} ) (i = 1,..., Required number). .

In S626, the verification device 618 multiplies ([[epsilon] _i ] ₁ , [epsilon] _{i, 1} ) by a random number [mu] ([[epsilon] _i ] ₀ , [epsilon] _{i, 0} ), ([[mu] _i ] ₁ , [epsilon] _i, transmitting _one) to block the chain system _{S 1.}

In S628, the verification unit 618, a random number [delta] _0, [delta] _1, to produce a [delta] _2, and transmits the following block chain device _{S 1.}

In S630, the block chain device _{S 1} publishes the value transmitted from the verification device 618 as a registration value.

  The above is the distribution processing sequence.

<Secret product-sum operation 6 = Verification operation>
In S632, the block chain device _{S 1} transmits to the verification device 618 the calculation results to calculate the following. Here, μ ₂ = μδ ₂ , μ ₁ = μδ ₁ , μ ₀ = μδ ₀ .

Incidentally, S632 is in the block chain device _{S i,} corresponds to the process of the arithmetic program 658. CPU650 block chain device _{S i} is, by executing the calculation program 658 performs the processing of the calculation unit in the disclosed technique. Using the secret registered value δ ₂ / α ₂ β ₂ ε ₁ or the like, a verification operation based on the registered value, that is, the above calculation is performed.

  The above is the processing sequence of the secret product-sum operation.

<Verification / Restoration 6 = Data verification>
FIG. 29 illustrates a verification processing sequence in the secret sharing system 610. The secret sharing system 610 executes the following verification processing sequence when completing the operation and performing verification.

In S650, the verification device 618 discloses δ ₂ {(ab + c) + (a ₁ b ₁ + c ₁ )}, δ ₀ (ab + c) and a ₁ , b ₁ , c ₁ , δ ₂ , δ ₀ .

  In S652, the restoration device 614 calculates the following.

In S654, the restoration device 614 verifies whether a ₁ , b ₁ , and c ₁ match the hash value. If the hash value is correct, the process proceeds to S656, and if not, the process proceeds to S662 and the process proceeds to S662.

In S656, the restoration device 614 calculates a ₁ b ₁ + c ₁ using the published a ₁ , b ₁ , c ₁ .

In S658, restoration device 614, has been _{a 1 b} 1 + _c 1 and has been _{a 1 b} 1 + _c 1 is either verified equal calculated in S652 calculated in S656, the same calculation result, the process proceeds to S660 if correct, properly If not, the process proceeds to S662 and is determined to be illegal.

Note that step S658 corresponds to the processing of the verification and restoration program 648 in the restoration device 614. CPU640 server _{S i} is, by executing a verification restoration program 648 performs the processing of the verification unit in the disclosed technique.

In S660, the restoration device 614 sets (ab + c = δ ₀ (ab + c)) / δ ₀ as the confirmation value.

  In S662, it is assumed that the verification result is incorrect.

  The above is the verification processing sequence.

  In the above description, the verification operation is the product-sum operation, but the product-sum operation is an addition if b = 1 and a multiplication if c = 0. Further, subtraction and division are also possible as shown in the second embodiment. Furthermore, since any four arithmetic operations can be configured by combining the product-sum operations, any verification operation can be performed.

Further, at the time of distribution (data registration) in the present embodiment, the registered value is concealed and made public, but the recoverer cannot obtain any information regarding the secret information. Also, in the confidential product-sum operation (verification operation), since the random numbers δ ₂ , δ ₁ , δ ₀ are concealed, the operation can be executed but no information can be obtained on the secret information and the operation result. If δ ₀ (ab + c) becomes 0, the secret information leaks, but there is no problem because the calculation result based on the secret information does not include 0. When the calculation result includes 0, the confidential calculation of the fifth embodiment may be adopted. Therefore, no information is obtained regarding the update of δ ₂ {(ab + c) + (a ₁ b ₁ + c ₁ )}, δ ₁ (a ₁ b ₁ + c ₁ ) in the correction processing of the present embodiment. Finally, in the verification (data verification) of the present embodiment, the verification device 618 discloses the random numbers a ₁ , b ₁ , c ₁ , δ ₂ , and δ ₀ , thereby verifying the validity of the restored operation result. .

The feature of this embodiment is that anyone can execute the confidential calculation and the verification process. In other words, up to the previous embodiment, members who can participate in the confidential product-sum operation are limited to k servers to which various values have been distributed at the time of distribution, and the other members can confirm the correctness of the operation result, but can verify by themselves. Processing could not be performed. According to the present embodiment, even if the k servers do not request the confidential calculation, all the values are disclosed and anyone can perform the verification process. In addition, the final result can be known by disclosing the random number used for the final result, but since δ ₂ and δ ₀ for restoring the intermediate result are not disclosed, the input value and the intermediate calculation result are not disclosed. No information is available.

  However, since the verifier knows all the inputs and also sets the random number by himself, it is possible to cheat, but there is no problem if the verifier can be trusted. If it is not reliable, it is sufficient that only the verifier does not generate a random number as in the fourth embodiment. For example, the input device 612 performs the following generation processing instead of the processing of S612 to 622 and the processing of S628 of distribution (data registration), and transmits the generated data to the verification device 618.

Verification device 618 the received values to secret sharing, and sends the following values multiplied by μ the variance value of one in the block chain device S _1.

At this time, the verification device 618 can know α ₀ , β ₀ , γ ₀ from the values of a, b, c sent in S610, but cannot know any more information. Therefore, the public value cannot be adjusted so that the difference between the calculation results of the random numbers becomes zero. If the input device 612 sends a false value, the verification device 618 can directly confirm the validity of the verification result based on the secret information known in S610 in S654. Also, if the value sent by the input device 612 is sent after attaching the digital signature of the input device 612, and after verifying the value, it is possible to prove that the input device 612 is sending a false value. On the other hand, if the input device obtains the digital signature of the verification device, it can be used to prevent registration of a false value by the verification device 618.

Further, as shown in the fourth embodiment, the input random numbers a ₁ , b ₁ , c ₁ may be generated in cooperation with others. For example, a combination of an input device and the verification device, or the verification device and restore apparatus, changing a ₁ to the input device or verification device is set to _{a "1 = a 1 + a} '1 does not have known the creator Good.

In the above-mentioned sharing (data registration), three inputs of α ₂ (a + a ₁ ), α ₁ a ₁ , and α ₀ a are generated. However, if the calculation of the random number does not have to be the same as the calculation of the secret information, , Α ₂ (a + a ₁ ), α ₀ a as in the third embodiment, or two sets of α ₂ (a + a ₁ ), α ₁ a ₁ as in the fifth embodiment, and are updated in the same format. You may go.

  As described above, by distributing secret information using the method of the sixth embodiment of the present invention, the above-described first to fifth embodiments can be applied to applications where openness is important, such as a blockchain. The same confidential calculation as in the embodiment can be applied.

  In the above embodiments, various processes executed by the CPU executing software (programs) may be executed by various processors other than the CPU. In this case, the processor for executing a specific process such as a programmable logic device (PLD) whose circuit configuration can be changed after manufacturing a field-programmable gate array (FPGA) and an application specific integrated circuit (ASIC). A dedicated electric circuit or the like which is a processor having a circuit configuration designed exclusively is exemplified. In addition, various processes may be executed by one of these various processors, or a combination of two or more processors of the same type or different types (for example, a plurality of FPGAs, a combination of a CPU and an FPGA, or the like). ). Further, the hardware structure of these various processors is more specifically an electric circuit in which circuit elements such as semiconductor elements are combined.

  Further, in each of the above-described embodiments, the mode in which various programs are stored (installed) in the storage unit in advance has been described, but the present invention is not limited to this. The various programs may be provided in a form recorded on a recording medium such as a CD-ROM (Compact Disc Read Only Memory), a DVD-ROM (Digital Versatile Disc Read Only Memory), and a USB (Universal Serial Bus) memory. . Further, the various programs may be downloaded from an external device via a network.

10, 210, 310, 410, 510, 610 Secret sharing system 12, 212, 312, 412, 512, 612 Input device 14, 314, 414, 514, 614 Recovery device 16, 216, 316, 416, 516, 516 Server 616 Block Chain device 618 Verification device

Claims (19)

When n is an integer of 2 or more and k is an integer of 2 or more and n or less, the secret information is distributed into n pieces of shared values, and the secret information can be restored by the k pieces of shared values. System that cannot restore
Generating a first value obtained by applying a first random number and a second random number to the first secret information;
A distribution apparatus comprising: a first generation unit configured to generate a second value obtained by applying a third random number to at least one of the first random number and the first secret information. When n is an integer of 2 or more and k is an integer of 2 or more and n or less, the secret information is distributed into n pieces of shared values, and the secret information can be restored by the k pieces of shared values. System that cannot restore
A plurality of first values obtained by applying a first random number and a second random number to first secret information, and a plurality of first values obtained by applying a third random number to the first random number or the first secret information Using the second value,
Generating a calculation result between the plurality of first random numbers and a third value obtained by applying a fourth random number to the calculation result between the plurality of first secret information;
A confidential operation device, comprising: a second generation unit configured to generate a fourth value obtained by applying a fifth random number to an operation result between the plurality of first random numbers or between secret information. When n is an integer of 2 or more and k is an integer of 2 or more and n or less, the secret information is distributed into n pieces of shared values, and the secret information can be restored by the k pieces of shared values. System that cannot restore
A third generator configured to generate a sixth random number when at least one of the third value and the fourth value obtained by the second generator according to claim 2 is 0;
An adder for confidentially adding the sixth random number;
A secret arithmetic device further comprising: When n is an integer of 2 or more and k is an integer of 2 or more and n or less, the secret information is distributed into n pieces of shared values, and the secret information can be restored by the k pieces of shared values. System that cannot restore
A method for removing a value corresponding to the secret information and the fourth random number from a third value generated by applying a random number to the secret information, obtained by the secret arithmetic device according to claim 2 or 3. 1 exclusion unit,
A first determination unit that determines whether an operation result of the first random numbers obtained by the exclusion by the first exclusion unit is correct,
A verification / restoration device equipped with: When n is an integer of 2 or more and k is an integer of 2 or more and n or less, the secret information is distributed into n pieces of shared values, and the secret information can be restored by the k pieces of shared values. System that cannot restore
A method for removing a value corresponding to the secret information and the fourth random number from a third value generated by applying a random number to the secret information, obtained by the secret arithmetic device according to claim 2 or 3. 2 exclusion part,
The calculation result of the first random numbers obtained by the exclusion by the second exclusion unit, wherein the first random number including the sixth random number when the third value or the fourth value is 0 is zero. A second determination unit that determines whether the calculation result is correct;
A verification / restoration device equipped with: When n is an integer of 2 or more and k is an integer of 2 or more and n or less, the secret information is distributed into n pieces of shared values, and the secret information can be restored by the k pieces of shared values. System that cannot restore
A value obtained from the first exclusion unit according to claim 4 or the second exclusion unit according to claim 5, or a value corresponding to each fifth random number from the fourth value according to claim 2 A confidential operation device including a restoring unit that obtains an operation result between first confidential information from an excluded value and a third value. A dispersing apparatus comprising: a fourth generator configured to generate the random number according to claim 1 using a random number generated by a person other than a creator of the first secret information,
Distributed system with. When n is an integer of 2 or more and k is an integer of 2 or more and n or less, the secret information is distributed into n pieces of shared values, and the secret information can be restored by the k pieces of shared values. System that cannot restore
A multiplication unit for multiplying the variance values,
A conversion unit that performs degree conversion processing of a variance value using a multiplication value obtained by the multiplication by the multiplication unit and an inseparable multiplication value sent from another device,
An adding unit that generates a random number and adds the generated random number to the variance value after the degree conversion returned to the own device;
A confidential computing device provided. When n is an integer of 2 or more and k is an integer of 2 or more and n or less, the secret information is distributed into n pieces of shared values, and the secret information can be restored by the k pieces of shared values. System that cannot restore
An arithmetic unit including an arithmetic unit that performs an operation for verification based on the registered value, using the secret registered value,
A verification and restoration device including a verification unit for verifying whether the operation result by the operation unit is correct,
Operation verification and restoration system equipped with When n is an integer of 2 or more and k is an integer of 2 or more and n or less, the secret information is distributed into n pieces of shared values, and the secret information can be restored by the k pieces of shared values. On systems that cannot restore
Generating a first value obtained by applying a first random number and a second random number to the first secret information;
A program that functions as a first generation unit that generates a second value obtained by applying a third random number to at least one of the first random number and the first secret information. When n is an integer of 2 or more and k is an integer of 2 or more and n or less, the secret information is distributed into n pieces of shared values, and the secret information can be restored by the k pieces of shared values. Computer in a system that cannot restore
A plurality of first values obtained by applying a first random number and a second random number to first secret information, and a plurality of first values obtained by applying a third random number to the first random number or the first secret information Using the second value,
Generating a calculation result between the plurality of first random numbers and a third value obtained by applying a fourth random number to the calculation result between the plurality of first secret information;
A program functioning as a second generation unit that generates a fourth value obtained by applying a fifth random number to an operation result between the plurality of first random numbers or between secret information. When n is an integer of 2 or more and k is an integer of 2 or more and n or less, the secret information is distributed into n pieces of shared values, and the secret information can be restored by the k pieces of shared values. Computer in a system that cannot restore
A third generator configured to generate a sixth random number when at least one of the third value and the fourth value obtained by the second generator according to claim 11 is 0,
An adder for confidentially adding the sixth random number;
A program to function as When n is an integer of 2 or more and k is an integer of 2 or more and n or less, the secret information is distributed into n pieces of shared values, and the secret information can be restored by the k pieces of shared values. Computer in a system that cannot restore
A first exclusion for excluding secret information and a value corresponding to a fourth random number from a third value generated by applying a random number to the secret information obtained by the program according to claim 11 or 12. Department and
A first determination unit that determines whether an operation result of the first random numbers obtained by the exclusion by the first exclusion unit is correct,
A program to function as When n is an integer of 2 or more and k is an integer of 2 or more and n or less, the secret information is distributed into n pieces of shared values, and the secret information can be restored by the k pieces of shared values. Computer in a system that cannot restore
A second exclusion for excluding secret information and a value corresponding to a fourth random number from a third value generated by applying a random number to the secret information, obtained by the program according to claim 11 or 12. Department and
The calculation result of the first random numbers obtained by the exclusion by the second exclusion unit, wherein the first random number including the sixth random number when the third value or the fourth value is 0 is zero. A second determination unit that determines whether the calculation result is correct;
A program to function as When n is an integer of 2 or more and k is an integer of 2 or more and n or less, the secret information is distributed into n pieces of shared values, and the secret information can be restored by the k pieces of shared values. Computer in a system that cannot restore
A value obtained from the first exclusion unit according to claim 13 or the value obtained from the second exclusion unit according to claim 14, or a value corresponding to each fifth random number from the fourth value according to claim 11 A program for functioning as a means for obtaining an operation result between the first secret information from the excluded value and the third value. In the distributed device, the computer
A program that functions as a fourth generation unit that generates the random number according to claim 10 using a random number generated by a person other than a creator of the first secret information. When n is an integer of 2 or more and k is an integer of 2 or more and n or less, the secret information is distributed into n pieces of shared values, and the secret information can be restored by the k pieces of shared values. Computer in a system that cannot restore
A multiplication unit for multiplying the variance values,
A conversion unit that performs degree conversion processing of a variance value using a multiplication value obtained by the multiplication by the multiplication unit and an inseparable multiplication value sent from another device,
An adding unit that generates a random number and adds the generated random number to the variance value after the degree conversion returned to the own device;
A program to function as When n is an integer of 2 or more and k is an integer of 2 or more and n or less, the secret information is distributed into n pieces of shared values, and the secret information can be restored by the k pieces of shared values. System that cannot restore
In the arithmetic device, a computer, using a secret registered value, an arithmetic unit that performs a verification operation based on the registered value,
A program to function as When n is an integer of 2 or more and k is an integer of 2 or more and n or less, the secret information is distributed into n pieces of shared values, and the secret information can be restored by the k pieces of shared values. System that cannot restore
In the verification and restoration device, a verification unit that verifies whether a calculation result by the calculation unit according to claim 18 is correct,
A program to function as