JP2020076877A - Secure logging system - Google Patents

Abstract

To provide a server-save system that preserves log data even if a logger mounted on a vehicle is attacked, in which the integrity of the log data is ensured without depending on the trust of the server and the server administrator.SOLUTION: A secure logging system using blockchain technology, including a data storage device, a computing resource providing device, and a regional data center included in a vehicle. The data storage device generates vehicle data including secure data generated by the vehicle and transmits the vehicle data to the regional data center. The regional data center stores the vehicle data, the hash value of the immediately preceding block data generated by the block chain technique, and the block data including the nonce. The nonce is determined by the computing resource providing device such that the hash value of the block data including the nonce becomes a value that meets a predetermined condition.SELECTED DRAWING: Figure 1

Description

  The present invention is a server-storing system in which log data is preserved even when a logger mounted on a vehicle is attacked. Furthermore, the integrity of log data does not depend on the trust of the server and the server administrator. Secure logging system for security.

  2. Description of the Related Art Conventionally, there are digital tachographs, taximeters, etc. as vehicle-mounted loggers in vehicles, especially in automobiles. However, the integrity of log data may be compromised by an advanced attacker, and the log data may be tampered with. Also, if the log data is stored in the server, there is no fear of tampering with the log data even if an attack on the in-vehicle logger occurs. However, the integrity of the log data stored on the server depends on the trust of the server and the server administrator, and if the trust is a problem, it cannot be said that the integrity of the log data has been secured. ..

  For the above-mentioned problems, as a technology for ensuring the integrity of data, it has been proposed to physically seal a data storage device, authenticate data using encryption technology, store it on a server, use blockchain technology, etc. There is.

  For example, a physical seal of a data storage device uses a metal seal, a seal seal, or the like, and both are opened by physical destruction of the seal. Therefore, the integrity of the stored data is guaranteed by visual confirmation that no physical destruction is present.

  The data authentication using the cryptographic technique is a technique of adding a certifier or a digital signature for tampering prevention by using the cryptographic technique such as AES (Advanced Encryption Standard) or RSA (Rivest Shamir Adleman). Since the authenticator and the electronic signature can only be made with the confidential information, the integrity of the data is guaranteed by not allowing the confidential information to be held by others.

  Furthermore, it is said that the reliability of the electronic device is higher in the server than in the client device. Therefore, in the server storage method, data integrity is ensured by moving the log data from the client device to the server.

  Furthermore, in systems such as Bitcoin that use blockchain technology, since calculation results that require a huge amount of calculation are used, it is not possible to calculate the calculation results easily, relying on the reliability of a specific person. Without guaranteeing data integrity. A specific example of the conventional blockchain technology described above is shown below.

JP, 2017-187777, A

  However, in the physical sealing of the above-mentioned conventional data storage device, if the physical sealing can be reproduced after the physical destruction, there is a problem that the data can be falsified without knowing the fact of the data falsification. is there. For example, it is useless for attacks by electrical means without physical destruction.

  Further, in the data authentication using the above-mentioned conventional encryption technology, it is difficult to recognize the fact that the confidential information has been leaked, and therefore there is a problem that it is difficult to detect falsification after the leakage of the confidential information. Furthermore, the server storage method cannot guarantee the integrity of data unless the reliability of the server is relied upon. Furthermore, with the blockchain technology used for Bitcoin, etc., it is difficult to maintain the motivation to provide a huge amount of calculation that guarantees the integrity of data, except for monetary consideration, except for systems that generate monetary value. It is difficult to maintain the system. In addition, there is also a problem that the integrity of data may not be guaranteed when a specific person can control the majority of the enormous calculation resources.

  Therefore, the present invention is a server-storing system in which log data is preserved even if a logger mounted on a vehicle is attacked, and the integrity of log data depends on the trust of the server and the server administrator. The purpose is to provide a secure logging system that is secured without doing so. It also provides a system that does not cause inconvenience to users, can secure a huge amount of calculation without causing special incentives, and is extremely difficult for a specific person to occupy the majority of the calculation resources. The purpose is to

In order to solve the above problems, the present invention adopts the following configurations.
That is, the invention of the secure logging system according to claim 1 is a block including a data storage device and a calculation resource providing device included in a vehicle, and a regional data center wirelessly connected to the data storage device and the calculation resource providing device. A secure logging system using chain technology,
The data storage device generates vehicle data including secure data generated by the vehicle, transmits the vehicle data to the regional data center,
The regional data center stores the vehicle data, a hash value of the immediately preceding block data generated by the block chain technology, and block data including a nonce,
The nonce is determined by the computing resource providing device such that the hash value of the block data including the nonce becomes a value that meets a predetermined condition, and is transmitted from the computing resource providing device to the regional data center. It is a nonce.

  According to the above configuration, the log data is preserved even if the logger mounted on the vehicle is attacked, and the integrity of the log data depends on the trust of the server and the server administrator. It is possible to realize a system that does not guarantee. It also provides a system that does not cause inconvenience to users, can secure a huge amount of calculation without causing special incentives, and is extremely difficult for a specific person to occupy the majority of the calculation resources. be able to.

  In order to solve the above problems, the invention according to claim 2 is the secure logging system according to claim 1, wherein the regional data center hashes of the block data including the nonce received from the computing resource providing apparatus. It is characterized in that the block data is transmitted to another regional data center after it is confirmed that the value is a value that meets a predetermined condition.

  According to the above configuration, the block data can be shared with other regional data centers, and it is possible to ensure the integrity to a higher degree than when the block data is stored only in the own regional data center. A secure logging system can be realized.

  In order to solve the above problem, the invention according to claim 3 is the secure logging system according to claim 2, wherein the other regional data center stores the block data including the nonce received from the regional data center. It is characterized in that the block data is stored after confirming that the hash value becomes a value that meets a predetermined condition.

  According to the above configuration, it is possible to realize a secure logging system that has less dependence on the reliability of a specific regional data center and to further ensure the integrity of secure data.

  In order to solve the above problems, the invention according to claim 4 is the secure logging system according to any one of claims 1 to 3, wherein the regional data center receives the nonce received from the computing resource providing apparatus. When the hash value of the block data including the above does not reach a value that meets a predetermined condition, the nonce is discarded.

  According to the above configuration, it is possible to prevent the secure data, whose integrity should be secured, from being stored in a state where the integrity is not secured.

  In order to solve the above problems, the invention according to claim 5 is the secure logging system according to any one of claims 1 to 4, wherein the regional data center uses the vehicle data and the blockchain technology. Before the nonce-giving block data including the previous block hash value, which is the hash value of the immediately previous generated block data, is transmitted to the other regional data center before the nonce calculation start notification is transmitted to the computing resource providing apparatus. Is characterized by.

  According to the above configuration, in the secure logging system, it is possible to avoid a plurality of block data having the same previous block hash value.

  In order to solve the above-mentioned problems, the invention according to claim 6 is the secure logging system according to claim 5, wherein the regional data center transmits the block data before nonce provision to the other region together with the nonce calculation start notification. The data is transmitted to a data center, and the other regional data center transmits the block data before nonce assignment to the computing resource providing apparatus belonging to the other regional data center to start nonce calculation.

  According to the above configuration, by starting the nonce calculation by the computing resource providing devices belonging to each of the plurality of regional data centers, it can be expected to increase the probability that the nonce can be derived earlier.

  In order to solve the above-mentioned problems, the invention according to claim 7 is the secure logging system according to any one of claims 1 to 6, wherein the data storage device stores the secure data and the secure data. Secure hash information that is a hash value of the vehicle, generates vehicle hashed data including the secure hash information in place of the secure data, and transmits the vehicle hashed data in place of the vehicle data to the regional data center. However, the regional data center uses the vehicle hashed data instead of the vehicle data.

  Since block data is shared between regional data centers, a huge storage area is required to store the vehicle data itself of all vehicles included in the block data in the regional data center. In particular, the data amount of secure data included in vehicle data may become enormous.

  However, according to the above configuration, the amount of data stored in the regional data center can be compressed, and even if the secure data is stored in the data storage device, the secure logging system that secures the integrity of the secure data is possible. become.

  In order to solve the above problems, the invention according to claim 8 is the secure logging system according to any one of claims 1 to 7, wherein the regional data center is a block indicating a time when the block data is generated. Data generation time information is generated, the block data generation time information is shared between the regional data centers, and the regional data center that generated the block data is in the nonce arbitration period after the generation of the block data. In the meantime, the nonce calculation request notification is not transmitted, and the other regional data center having the oldest block data generation time information among the other regional data centers that transmitted the nonce calculation desire notification generates the block data. It is characterized by

  According to the above configuration, among the regional data centers that desire nonce derivation, the regional data center that has not generated the most block data can generate new block data. Can be equalized.

  In order to solve the above-mentioned problems, the invention according to claim 9 is the secure logging system according to any one of claims 1 to 8, wherein the calculation resource providing device derives a nonce by a nonce calculator. When there is a surplus in the calculation resource of, the calculation providing request is generated, and the calculation providing request is transmitted to one of the regional data centers.

  According to the above configuration, a calculation resource providing device having a surplus of calculation resources can participate as a new calculation resource providing device for deriving a nonce.

  In order to solve the above problems, the invention according to claim 10 is the secure logging system according to any one of claims 1 to 9, wherein the data storage device, the calculation resource providing device, and the regional data center are An input / output control unit is included, and the input / output control unit transmits / receives control information to prevent loss of transmitted / received information and alteration of transmitted / received information.

  According to the above configuration, the data storage device, the computing resource providing device, and the regional data center execute control communication such as TCP communication technology and message authentication technology by the input / output control unit in mutual communication. It becomes possible to prevent the loss of transmitted / received information and the alteration of transmitted / received information.

  According to the present invention, a server-storing system in which log data is preserved even if a logger mounted on a vehicle is attacked, and the integrity of log data depends on the trust of the server and the server administrator. It is possible to realize a system that does not guarantee. It also provides a system that does not cause inconvenience to users, can secure a huge amount of calculation without causing special incentives, and is extremely difficult for a specific person to occupy the majority of the calculation resources. be able to.

It is a figure which shows an example of a secure logging system. It is a figure which shows an example of a data storage device. It is a figure which shows an example of a regional data center. It is a figure which shows an example of a calculation resource provision apparatus. It is a flow chart which shows an example of operation of a data storage device. It is a flow chart which shows an example of operation of a local data center. It is a flow chart which shows an example of operation of a local data center. It is a flowchart which shows an example of operation | movement of a calculation resource provision apparatus. It is a flowchart which shows an example of operation | movement between a data storage apparatus, a local data center, and a calculation resource provision apparatus. It is a flow chart which shows an example of mediation operation between local data centers. It is a figure which shows an example of the image of the block chain concerning this embodiment. It is a schematic diagram explaining an example of the block data before nonce provision concerning this embodiment. It is a schematic diagram explaining an example of block data concerning this embodiment. It is a schematic diagram explaining an example of the vehicle hashed data concerning this embodiment. It is a schematic diagram explaining an example of the vehicle data concerning this embodiment. It is a schematic diagram explaining the difference in the mechanism between the systems regarding the provision of computational resources. It is a schematic diagram explaining the avoidance of the duplicate registration of block data concerning this embodiment.

(Secure logging system 10)
FIG. 1 illustrates an example of the secure logging system 10 of this embodiment. The secure logging system 10 includes computing resource providing devices 3000a to 3000d and data storage devices 1000a to 1000d included in vehicles A, B, C, and D such as automobiles, and regional data centers 2000a to 2000d. Hereinafter, the calculation resource providing devices 3000a to 3000d may be collectively referred to as the calculation resource providing device 3000. The data storage devices 1000a to 1000d may be collectively referred to as the data storage device 1000, and the regional data centers 2000a to 2000d may be collectively referred to as the regional data center 2000.

  An arbitrary number of data storage devices 1000 and local data centers 2000 of the secure logging system 10 may exist. However, the computing resource providing device 3000 must have at least three independent devices. The reason is that if a specific person can control the majority of the enormous amount of computational resources, the integrity of data may not be guaranteed.

  The regional data center 2000 does not necessarily have to be installed for each geographical positional relationship, and may be installed by an automobile manufacturer, a service provider, a public institution, or the like.

(Data storage device 1000)
FIG. 2 illustrates an example of the data storage device 1000 of this embodiment. The data storage device 1000 is included in vehicles A, B, C and D such as automobiles. The data storage device 1000 has a function of collecting car data (for example, drive recorder log data and cyber security attack detection data) for which data integrity is to be guaranteed, temporarily storing the data, and transmitting the data to the server. The data storage device 1000 includes an input unit 1100 for inputting various information, a control unit 1200, a storage unit 1300, and an output unit 1400 for outputting various information.

  The data storage device 1000 shown in FIG. 2 is a general computer. A general computer executes the control program to realize the functions shown in FIG. The control unit 1200 is a CPU (Central Processing Unit). The control unit 1200 reads / writes data stored in the storage unit 1300, inputs / outputs data from / to the input unit 1100 and the output unit 1400, and executes processing in the data storage device 1000.

  The storage unit 1300 is a ROM (Read Only Memory), a RAM (Random access memory), a hard disk, or the like. The storage unit 1300 stores various data such as input data, output data, and intermediate data for the control unit 1200 to execute processing.

  The input unit 1100 has various interface functions, and is configured to be able to switch the interface functions according to the type of information to be acquired under the control of the control unit 1200.

  The control unit 1200 includes an input / output control unit 1210 that controls the input unit 1100 and the output unit 1400, a secure data acquisition unit 1220, a vehicle identification information acquisition unit 1230, and a vehicle data generation unit 1240. Further, although not an essential configuration requirement, the control unit 1200 may include a hash value calculation unit 1250 as necessary.

  The input / output control unit 1210 has a function of switching the interface of the input unit 1100 according to the information that the control unit 1200 is trying to acquire. For example, when the input / output control unit 1210 receives secure data 1311 and vehicle identification information 1313 from an electronic device such as an ECU (electronic control unit) mounted on each of the vehicles A to D, the input / output control unit 1210 has an interface function with the ECU. Select from the input unit 1100. Further, when the input / output control unit 1210 receives control information when executing communication with the regional data center 2000, the input / output control unit 1210 selects the interface function with the regional data center 2000 from the input unit 1100.

  The secure data acquisition unit 1220 acquires secure data 1311, which is a set of data generated by an electronic device such as an ECU of an automobile, whose integrity is desired to be ensured, via the input unit 1100 and transmits it to a server such as the regional data center 2000. Until then, it has a function of storing in the storage unit 1300. In addition, the secure data acquisition unit 1220 generates the secure data identification information 1312 that is information that identifies the generation time and the data type of the secure data 1311, and the storage unit 1300 until the secure data identification information 1312 is transmitted to the server such as the regional data center 2000. It has a function to store in. As a result, it is possible to prevent the secure data 1311 and the secure data specifying information 1312 generated at a timing other than the timing when the transmission path is secured from being lost before being transmitted to the server.

  The secure data 1311 may be generated by the data storage device 1000 itself. Further, the data storage device 1000 may continue to hold the secure data 1311 and the secure data specifying information 1312 even after transmitting them to the server such as the regional data center 2000.

  The vehicle identification information acquisition unit 1230 has a function of acquiring the vehicle identification information 1313, which is information for identifying the automobile that is the transmission source of the secure data 1311, via the input unit 1100 and storing it in the storage unit 1300. The vehicle identification information 1313 is included in vehicle data 1310 described below and transmitted to the regional data center 2000. Therefore, the regional data center 2000 can recognize the vehicle that is the transmission source of the vehicle data 1310 from the vehicle identification information 1313. The data storage device 1000 may continuously retain the vehicle identification information 1313 even after transmitting the vehicle identification information 1313 to a server such as the regional data center 2000.

  Since the vehicle identification information 1313 needs to be vehicle-specific information, it is desirable to set the type of information in advance. For example, a vehicle identification number (hereinafter referred to as VIN (Vehicle Identification Number)) or the like can be used as the vehicle identification information 1313. Note that when VIN is used, the automobile may be specified by an arbitrary third party, which may cause privacy problems. Therefore, a hash value for VIN may be generated and used as the unique information. As a result, the data storage device 1000 can provide information for identifying which vehicle the secure data 1311 stored in the regional data center 2000 is.

  The vehicle data generation unit 1240 has a function of generating a data set (hereinafter referred to as vehicle data 1310) including the secure data 1311, the secure data specifying information 1312, and the vehicle specifying information 1313, and transmitting the data set to the regional data center 2000. As a result, the secure data 1311, which is the information whose integrity should be ensured, can be transmitted to the regional data center 2000 in a state in which the vehicle to which the secure data 1311 belongs, the generation time, and the data type are clarified. The vehicle data 1310 may be continuously stored in the storage unit 1300 of the data storage device 1000.

  The hash value calculation unit 1250 has a function of calculating the secure hash information 1321 which is a hash value of the secure data 1311, storing it in the storage unit 1300, and then transmitting it to the regional data center 2000. Details of the secure hash information 1321 will be described later.

  Storage unit 1300 stores vehicle data 1310 including secure data 1311, secure data identification information 1312, and vehicle identification information 1313. The secure hash information 1321 is also stored as necessary.

  The output unit 1400 has various interface functions, and is configured so that the interface functions can be switched according to the type of information to be output under the control of the input / output control unit 1210.

(Regional data center 2000)
FIG. 3 illustrates an example of the regional data center 2000 of this embodiment. The regional data center 2000 has a function of safely storing the vehicle data 1310 received from the data storage device 1000 by using Nonce (hereinafter referred to as nonce) generated by the calculation resource providing device 3000 (FIGS. 6 and 7). See). As described above, the regional data center 2000 does not necessarily have to be installed for each geographical positional relationship, and may be installed by an automobile manufacturer, a service provider, a public institution, or the like.

  The regional data center 2000 shown in FIG. 3 is a computer that functions as a server. The functions shown in FIG. 3 are realized by the computer executing the control program. The control unit 2200 is a CPU. The control unit 2200 reads / writes data stored in the storage unit 2300, inputs / outputs data from / to the input unit 2100 and the output unit 2400, and executes processing in the regional data center 2000.

  The storage unit 2300 is a ROM, RAM, hard disk, or the like. The storage unit 2300 stores various data such as input data, output data, and intermediate data for the control unit 2200 to execute processing.

  The input unit 2100 has various interface functions and is configured to be able to switch the interface functions according to the type of information to be acquired under the control of the control unit 2200.

  The control unit 2200 controls the input unit 2100 and the output unit 2400, the input / output control unit 2210, the vehicle data acquisition unit 2220, the vehicle data group generation unit 2230, the hash value calculation unit 2240, the nonce block data generation unit 2250, and the nonce. The acquisition unit 2260, the block data generation unit 2270, and the block data acquisition unit 2290 of another regional data center are included. Further, although not an essential configuration requirement, the control unit 2200 may include a calculation provision request processing unit 2280 as necessary.

  The input / output control unit 2210 has a function of switching the interface of the input unit 1100 according to the information that the control unit 2200 is trying to acquire. For example, when the input / output control unit 2210 receives information such as the vehicle data 1310 from the data storage device 1000, the input / output control unit 2210 selects the interface function with the data storage device 1000 from the input unit 1100. Further, when the input / output control unit 1210 receives information such as the nonce 3320 from the calculation resource providing device 3000, the input / output control unit 1210 selects the interface function with the calculation resource providing device 3000 from the input unit 1100. Further, the input / output control unit 1210 inputs an interface function with another regional data center 2000 when receiving information such as vehicle data 1310 when performing communication with another regional data center 2000. Select from section 1100.

  The vehicle data acquisition unit 2220 has a function of receiving the vehicle data 1310 transmitted from the data storage device 1000 via the input unit 2100 and storing it in the storage unit 2300 as vehicle data 2310. Therefore, the vehicle data 1310 and the vehicle data 2310 are the same data.

  The vehicle data group generation unit 2230 has a function of generating a vehicle data group 2321 that is a data group in which a plurality of vehicle data 2310 acquired by the vehicle data acquisition unit 2220 is collected. The vehicle data group 2321 becomes a part of the data forming the block data 2330 generated by the block chain technology. The amount of vehicle data 2310 included in the vehicle data group 2321 is set to be larger than the amount of vehicle data 2310 that occurs when the calculation resource providing device 3000 derives the nonce 3320. Further, the upper limit of the time for collecting the vehicle data 2310 and generating the vehicle data group 2321 is a time obtained by subtracting the time required for nonce deduction from the grace time until the integrity of the vehicle data 2310 including the secure data 1311 is secured. Set as.

  The hash value calculation unit 2240 has a function of calculating the hash value of the immediately preceding block data generated by the block chain technique, and storing the calculation result as the previous block hash value 2322 in the storage unit 2300. The vehicle data group 2321 and the previous block hash value 2322 are associated with each other, referred to as non-preceding block data 2320, and stored in the storage unit 2300.

  The hash value calculation unit 2240 has a function of receiving the nonce 3320 calculated by the calculation resource providing apparatus 3000 and calculating the hash value of the block data 2330 including the nonce 3320 and the block data 2320 before nonce addition.

  Furthermore, the hash value calculation unit 2240 also has a function of calculating the hash value of the block data 2330 received from another regional data center 2000. Therefore, the block data 2330 may include block data generated by a plurality of regional data centers 2000.

  The pre-nonce block data generation unit 2250 has a function of generating pre-nonce block data 2320 including the vehicle data group 2321 and the previous block hash value 2322 of the immediately preceding block data calculated by the hash value calculation unit 2240. The pre-nonce block data 2320 is transmitted to the calculation resource providing apparatus 3000, and the calculation resource providing apparatus 3000 calculates a nonce 3320 that matches the pre-nonce block data 2320. That is, the pre-nonce block data generation unit 2250 has a function of transmitting the non-preceding block data 2320 to the calculation resource providing device 3000. As a result, it is possible to request the calculation resource providing device 3000 to perform calculation for deriving a nonce, which is a part of information used in a mechanism for ensuring the integrity of information.

  The nonce acquisition unit 2260 has a function of receiving the nonce 3320 calculated by the calculation resource providing apparatus 3000 so as to match the pre-nonce block data 2320 and storing the nonce 3320 in the storage unit 2300 as the nonce 2331. That is, the nonce 3320 calculated by the computing resource providing device 3000 is stored as the nonce 2331 included in the block data 2330 of the regional data center 2000. As a result, the regional data center 2000 can obtain a part of the information required to store the secure data 1311 which is the information whose integrity is to be secured in a state where the integrity is secured.

  Further, when the nonce acquisition unit 2260 has already received the correct nonce for the block data 2320 before nonce addition, it discards the newly received nonce. As a result, it is possible to prevent the block data 2330 from being stored in an overlapping state where the integrity of the secure data 1311 that is the information whose integrity is to be ensured is not guaranteed.

  The block data generation unit 2270 has a function of generating the block data 2330 including the vehicle data group 2321, the previous block hash value 2322, and the nonce 2331 acquired by the nonce acquisition unit 2260, and storing the block data 2330 in the storage unit 2300. Have. As a result, the secure data 1311, which is the information to be guaranteed in the integrity included in the vehicle data group 2321, can be stored in a state in which the integrity is ensured.

  The block data generation unit 2270 has a function of transmitting the generated block data 2330 to another regional data center 2000. As a result, the block data 2330 can be shared with another regional data center 2000, and the integrity can be ensured to a higher degree than when the block data 2330 is stored only in the own regional data center 2000. Like

  The block acquisition unit 2290 of the other regional data center has a function of receiving the block data 2330 transmitted by the other regional data center 2000 and storing it in the storage unit 2300. This makes it possible to ensure the integrity of the block data 2330 to a higher degree than when the block data 2330 is held only by the single regional data center 2000.

  Details of the calculation provision request processing unit 2280 will be described later.

  The storage unit 2300 provides the calculation resource providing apparatus 3000 for the vehicle data 2310, the vehicle data group 2321 and the nonce non-assigned block data 2320 including the vehicle data group 2321 and the nonce non-assigned block data 2320 transmitted from the data storage device 1000. The block data 2330 including the nonce 2331 calculated by, the calculation resource providing device list 2340, and the block data generation time information 2350 are included.

  Since the vehicle data 2310 has been described above, description thereof is omitted here to avoid duplication of description.

  The pre-nonce block data 2320 will be described with reference to FIG. FIG. 12 is a diagram for explaining in detail the block data 2320 before nonce provision in the regional data center 2000b. The nonce-added block data 2320 in FIG. 12 includes a vehicle data group 2321 and a previous block hash value 2322.

The vehicle data group 2321 is configured to include vehicle data such as vehicle data B ₁ transmitted from the vehicle B, vehicle data C ₁ transmitted from the vehicle C, vehicle data D ₁ transmitted from the vehicle D in FIG. Good. The vehicle data B ₁ , the vehicle data C ₁ , and the vehicle data D ₁ may have a fixed length or a variable length. Further, as an example, when the engine of the vehicle C and the vehicle D is stopped and the secure data 1311 is not generated in the vehicle C and the vehicle D, the vehicle data C ₁ and the vehicle data D ₁ are generated. May be vehicle data continuously transmitted from vehicle B. The previous block hash value 2322 is a hash value calculated by the hash value calculation unit 2240 for the immediately previous block data.

  The block data 2330 will be described with reference to FIG. FIG. 13 is a diagram for explaining the block data 2330 in the regional data center 2000b in detail. The block data 2330 in FIG. 13 includes a vehicle data group 2321, a previous block hash value 2322, and a nonce 2331.

  Since the vehicle data group 2321 and the previous block hash value 2322 have been described in FIG. 12, the description thereof is omitted here to avoid duplication of description. The nonce 2331 is the nonce 2331 derived by one of the calculation resource providing devices 3000 with respect to the pre-nonce block data 2320 of FIG. 12 transmitted from the regional data center 2000b. is there. In the regional data center 2000b, the hash value calculation unit 2240 calculates the hash value of the block data 2330 including the nonce 2331 and verifies whether the hash value is a hash value having a value that meets a predetermined condition. As a result of the verification, if the hash value of the block data 2330 is a hash value of a value that matches a predetermined condition, the control unit 2200 of the regional data center 2000b stores the block data 2330 in the storage unit 2300. Then, control unit 2200 transmits block data 2330 to regional data center 2000a and regional data center 2000c. Therefore, the block data 2330 is distributed and stored in the plurality of regional data centers 2000.

  The calculation resource providing device list 2340 is a list of the calculation resource providing device 3000 that provides the calculation resource for calculating the nonce 2331 or the vehicle that has the calculation resource providing device. The calculation resource providing device list 2340 has a destination address necessary for communication with a vehicle that owns the calculation resource providing device 3000. As a result, it is possible to provide the block data generation unit 2270 of the control unit 2200 with information regarding the transmission destination of the message for requesting the nonce derivation calculation.

  The block data generation time information 2350 is information indicating the time when the block data generation unit 2270 generated the block data 2330. A method of using the block data generation time information 2350 will be described later.

  The output unit 2400 has various interface functions, and is configured to be able to switch the interface functions according to the type of information to be output under the control of the input / output control unit 2210.

(Computing resource providing device 3000)
FIG. 4 illustrates an example of the computing resource providing device 3000 according to this embodiment. The calculation resource providing device 3000 includes an input unit 3100 for inputting various information, a control unit 3200, a storage unit 3300, and an output unit 3400 for outputting various information.

  The calculation resource providing device 3000 shown in FIG. 4 is a general computer. A general computer executes the control program to realize the functions shown in FIG. The control unit 3200 is a CPU. The control unit 3200 reads / writes data stored in the storage unit 3300, inputs / outputs data from / to the input unit 3100 and the output unit 3400, and executes processing in the calculation resource providing apparatus 3000.

  The storage unit 3300 is a ROM, RAM, hard disk, or the like. The storage unit 3300 stores various data such as input data, output data, and intermediate data for the control unit 3200 to execute processing.

  The input unit 3100 has various interface functions, and is configured to be able to switch the interface functions according to the type of information to be acquired under the control of the control unit 3200.

  The control unit 3200 includes an input / output control unit 3210 that controls the input unit 3100 and the output unit 3400, a block data acquisition unit before nonce provision 3220, a nonce calculation unit 3230, and a nonce output unit 3231. Further, although not an essential configuration requirement, the control unit 3200 may include a calculation provision request generation unit 3240 as necessary.

  The input / output control unit 3210 has a function of switching the interface of the input unit 3100 according to the information that the control unit 3200 is trying to acquire. For example, the input / output control unit 3210 selects the interface function with the regional data center 2000 from the input unit 1100 when receiving the pre-nonce block data 2320 from the regional data center 2000.

  The nonce non-grant block data acquisition unit 3220 has a function of receiving the nonce non-grant block data 2320 transmitted by the regional data center 2000, and storing the nonce non-grant block data 2310 in the storage unit 3300. This makes it possible to obtain the information necessary for the calculation for deriving the nonce 3320 that forms a part of the block data 2330 that uses the block chain technology that is a mechanism for ensuring the integrity of the secure data 1311.

  In addition, when the new block data 2320 before nonce provision is received, the block data acquisition unit 3220 before nonce provision has completed the derivation of the nonce 3320 from the block data 2320 before nonce provision previously received by the nonce calculation unit 3230. If the block data 2320 has not been received, the previously received nonce-added block data 2320 is discarded, and calculation for deriving the nonce is started for the newly received nonce-added block data 2320. As a result, it is possible to start the calculation for deriving the nonce for the new pre-nonce block data 2320 without continuing the calculation for the nonce already derived by the other calculation resource providing device 3000.

  The nonce calculation unit 3230 determines that the hash value of the block data generated by assigning a temporary nonce to the non-preceding block data 3310 received by the non-preceding block data obtaining unit 3220 matches a condition according to a predetermined rule. A nonce 3320 having a value to be obtained is derived. As the specific calculation method and the predetermined rule, for example, the block chain technology used in Bitcoin may be used. The specified value can be set to any value by the secure logging system 10.

  The nonce output unit 3231 has a function of transmitting the nonce 3320 derived by the nonce calculation unit 3230 to the regional data center 2000 via the output unit 3400. At this time, the block data before nonce provision 3310 may be transmitted together with the nonce 3320 in order to indicate which nonce block data 3310 is the nonce 3320. Thereby, the derived nonce 3320, which is a part of the information used in the mechanism for ensuring the integrity of information, can be received by the regional data center 2000.

  The storage unit 3300 stores information including pre-nonce block data 3310 and nonces 3320. The nonce block data 3310 is the same as the nonce block data 2320 received by the nonce block data acquisition unit 3220 from the regional data center 2000, and is used by the nonce calculation unit 3230. Further, the nonce 3320 is the nonce calculated by the nonce calculator 3230 so that the hash value becomes a value that meets a condition according to a predetermined rule.

  The output unit 3400 has various interface functions and is configured to be able to switch the interface functions according to the type of information to be output under the control of the input / output control unit 3210.

(Processing flow of the data storage device 1000)
FIG. 5 is a diagram showing an example of a processing flow of the data storage device 1000 of this embodiment.

  In step S501, the secure data acquisition unit 1220 acquires, via the input unit 1100, secure data 1311 which is a set of data generated by an electronic device such as an ECU of an automobile and whose integrity is desired to be ensured. The secure data acquisition unit 1220 holds the secure data 1311 in the storage unit 1300 until the secure data 1311 is transmitted to the server such as the regional data center 2000. In addition, the secure data acquisition unit 1220 generates the secure data identification information 1312 that is information that identifies the generation time and the data type of the secure data 1311, and the storage unit 1300 until the secure data identification information 1312 is transmitted to the server such as the regional data center 2000. Hold on. Further, the vehicle identification information acquisition unit 1230 acquires vehicle identification information 1313, which is information for identifying the automobile that is the transmission source of the secure data 1311 via the input unit 1100, and holds it in the storage unit 1300. Next, the data storage device 1000 proceeds to step S502.

  In step S502, vehicle data generation unit 1240 generates vehicle data 1310 including secure data 1311, secure data identification information 1312, and vehicle identification information 1313 acquired in step S501, and stores it in storage unit 1300. Next, the data storage device 1000 proceeds to step S503.

  In step S503, the vehicle data generation unit 1240 transmits the vehicle data 1310 generated in step S502 to the regional data center 2000 via the output unit 1400.

(Processing flow of regional data center 2000)
6 and 7 are diagrams showing an example of the processing flow of the regional data center 2000 of this embodiment. In FIG. 6, a process until the regional data center 2000 transmits the block data 2320 before nonce assignment to the computing resource providing apparatus 3000 will be described. In FIG. 7, a process in which the regional data center 2000 receives the nonce 2331 from the computing resource providing apparatus 3000, generates and stores the block data 2330, and transmits the block data 2330 to another regional data center 2000 will be described.

  In step S601 of FIG. 6, the vehicle data acquisition unit 2220 waits for reception of the vehicle data 1310 transmitted from the data storage device 1000. Next, the vehicle data acquisition unit 2220 proceeds to step S602.

  In step S602, vehicle data acquisition unit 2220 determines whether the specified time has elapsed or vehicle data 1310 has been received. When the specified time has elapsed (step S602: specified time has elapsed), the control unit 2200 proceeds to step S605. When vehicle data 1310 is received (step S602: vehicle data reception), control unit 2200 proceeds to step S603. Here, the specified time is a time until the generation of the vehicle data group 2321 is started, and is an arbitrary time set by the secure logging system 10. The upper limit of the time for collecting the vehicle data 2310 and generating the vehicle data group 2321 is a time obtained by subtracting the time required for nonce deduction from the grace time until the integrity of the vehicle data 2310 including the secure data 1311 is secured. Set as.

  In step S603, the vehicle data acquisition unit 2220 acquires the vehicle data 1310 transmitted from the data storage device 1000 and stores the vehicle data 1310 in the storage unit 2300 as the vehicle data 2310. Next, the vehicle data acquisition unit 2220 proceeds to step S604.

  In step S604, the vehicle data acquisition unit 2220 determines whether or not the vehicle data 1310 having a prescribed data amount required to generate the vehicle data group 2321 including the vehicle data 1310 has been received. When the vehicle data 1310 having the specified data amount is received (step S604: YES), the control unit 2200 proceeds to step S605. When the vehicle data 1310 having the specified data amount has not been received (step S604: NO), the control unit 2200 proceeds to step S601. It is assumed that the prescribed data amount includes a plurality of vehicle data 1310, but one vehicle data 1310 may reach the prescribed data amount. The specified data amount is an arbitrary data amount set by the secure logging system 10. Note that the prescribed data amount of the vehicle data 2310 included in the vehicle data group 2321 is set to be larger than the amount of the vehicle data 2310 that occurs when the calculation resource providing device 3000 deduces the nonce.

  In step S605, the vehicle data group generation unit 2230 generates a vehicle data group 2321 that is a data group in which a plurality of vehicle data 2310 acquired by the vehicle data acquisition unit 2220 is collected. The vehicle data group 2321 is a part of data that constitutes block data generated by the block chain technology. Next, the control unit 2200 proceeds to step S606.

  In step S606, the hash value calculation unit 2240 calculates the hash value of the immediately preceding block data generated by the block chain technique, and stores the calculation result in the storage unit 2300 as the previous block hash value 2322. Next, the control unit 2200 proceeds to step S607.

  In step S607, the nonce-giving block data generation unit 2250 generates the non-giving block data 2320 including the vehicle data group 2321 and the previous block hash value 2322 of the immediately preceding block data calculated by the hash value calculation unit 2240. . Next, the control unit 2200 proceeds to step S608.

  In step S608, the nonce granting block data generation unit 2250 acquires all addresses to which the nonce granting block data 2320 should be transmitted from the calculation resource providing device list 2340 stored in the storage unit 2300. Next, the pre-nonce block data generation unit 2250 proceeds to step S609.

  In step S609, the nonce-attached block data generation unit 2250 outputs the nonce-attached block data 2320 to all the addresses acquired in step S608 via the output unit 2400.

  In step S <b> 701 of FIG. 7, the nonce acquisition unit 2260 acquires the nonce 3320 for the block data before nonce provision 3310 from the calculation resource providing device 3000. Next, the control unit 2200 proceeds to step S702.

  In step S <b> 702, the nonce acquisition unit 2260 determines whether or not the correct nonce for the nonce-added block data 2320 has already been received from the calculation resource providing device 3000. If the correct nonce has already been received (step S702: YES), the nonce acquisition unit 2260 proceeds to step S703. If the correct nonce has not been received yet (step S702: NO), the control unit 2200 proceeds to step S704.

  In step S703, the nonce acquisition unit 2260 discards the nonce 3320 received in step S701 from the calculation resource providing device 3000. The process of step S703 is a process for preventing duplicate registration of the block data 2330 having the same previous block hash value 2322.

  In step S704, the block data generation unit 2270 generates block data 2330 including the vehicle data group 2321, the previous block hash value 2322, and the nonce 2331 acquired by the nonce acquisition unit 2260. Next, the control unit 2200 proceeds to step S705.

  In step S705, the hash value calculation unit 2240 calculates the hash value of the block data 2330 generated in step S704. Next, the control unit 2200 proceeds to step S706.

  In step S706, the hash value calculation unit 2240 determines whether or not the calculated hash value is within the specified value. When the calculated hash value is within the specified value (step S706: YES), the control unit 2200 proceeds to step S708. When the calculated hash value is not the hash value within the specified value (step S706: NO), the control unit 2200 proceeds to step S707. The specified value can be set by the secure logging system 10 to any value.

  In step S707, the control unit 2200 discards the block data 2330 generated in step S704 and the nonce 3320 received in step S701. The process of step S707 is a process of preventing registration of block data having an invalid hash value.

  In step S708, the control unit 2200 stores the block data 2330 generated in step S704 in the storage unit 2300 as correct block data. Next, the control unit 2200 proceeds to step S709.

  In step S709, the control unit 2200 transmits the block data 2330 generated in step S704 to another regional data center 2000 via the output unit 2400.

(Processing flow of the computing resource providing device 3000)
FIG. 8 is a diagram showing an example of a processing flow of the computing resource providing device 3000 of this embodiment.

  In step S801, the nonce non-grant block data acquisition unit 3220 acquires the nonce non-grant block data 2320 transmitted from the regional data center 2000, and stores it in the storage unit 3300 as the nonce non-grant block data 3310. That is, the block data 2320 before nonce provision and the block data 3310 before nonce provision are the same data. Next, the control unit 3200 proceeds to step S802.

  In step S <b> 802, the nonce calculator 3230 sets a temporary nonce that is a temporary nonce to the nonce-added block data 3310. The nonce calculator 3230 can set the temporary nonce to an arbitrary value. Next, the control unit 3200 proceeds to step S803.

  In step S803, the nonce calculator 3230 calculates a hash value for the block data before nonce provision 3310 and the block data including the temporary nonce. Next, the control unit 3200 proceeds to step S804.

  In step S804, the pre-nonce addition block data acquisition unit 3220 determines whether or not new non-preceding block data 2320 has been received. When new pre-nonce block data 2320 is received (step S804: YES), the non-preceding block data 3310 for which the hash value is calculated in step S803 is discarded, and the control unit 3200 proceeds to step S802. . If new block data before nonce provision 2320 is not received (step S804: NO), the control unit 3200 proceeds to step S805.

  In step S805, it is determined whether the hash value calculated in step S803 is within the specified value. When the calculated hash value is within the specified value (step S805: YES), the control unit 3200 proceeds to step S806. When the calculated hash value is not the hash value within the specified value (step S805: NO), the control unit 3200 proceeds to step S802, and the nonce calculation unit 3230 sets a different temporary nonce.

  In step S806, the nonce output unit 3231 uses the temporary nonce, which is provisionally set so that the hash value calculated by the nonce calculation unit 3230 matches the predetermined condition, as the official nonce 3320, Send to 2000.

(Communication sequence between the data storage device 1000, the regional data center 2000, and the computing resource providing device 3000)
FIG. 9 illustrates an example of a communication sequence among the data storage device 1000, the regional data center 2000, and the calculation resource providing device 3000.

  In step S901, the data storage device 1000 acquires the secure data 1311 from the ECU of the automobile, or the data storage device 1000 generates the secure data 1311.

  In step S902, vehicle data generation unit 1240 of data storage device 1000 generates vehicle data 1310 including secure data 1311, secure data identification information 1312 and vehicle identification information 1313.

  In step S903, vehicle data generation unit 1240 transmits the generated vehicle data 1310 to regional data center 2000.

  In step S904, vehicle data group generation unit 2230 of local data center 2000 generates vehicle data group 2321 from vehicle data 2310.

  In step S905, the hash value calculation unit 2240 calculates and generates the previous block hash value 2322 which is the hash value of the immediately preceding block data.

  In step S906, the nonce-attached block data generation unit 2250 generates the nonce-attached block data 2320 including the vehicle data group 2321 and the previous block hash value 2322.

  In step S907, the nonce-attached block data generation unit 2250 acquires the destination address from the calculation resource providing device list 2340.

  In step S908, the nonce block data generation unit 2250 transmits the nonce block data 2320 to the computing resource providing apparatus 3000 corresponding to the destination address.

  In step S909, if there is pre-nonce block data 3310 being calculated by the calculation resource providing apparatus 3000, the calculation resource providing apparatus 3000 discards the non-preceding block data 3310 being calculated.

  In step S910, the calculation resource providing device 3000 adds a temporary nonce to the received nonce-added block data 2320.

  In step S911, the nonce calculator 3230 of the calculation resource providing device 3000 calculates the hash value of the block data in which the nonce provision block data 2320 is provisionally provisioned.

  In step S912, the nonce calculator 3230 determines the calculated hash value. If the calculated hash value is a hash value within the specified value, the calculation resource providing device 3000 proceeds to step S913. When the calculated hash value is not the hash value within the specified value, the calculation resource providing device 3000 proceeds to step S910, and the nonce calculator 3230 sets a different temporary nonce.

  In step S 913, the nonce output unit 3231 of the calculation resource providing device 3000 transmits the nonce 3320 to the regional data center 2000.

  In step S914, the regional data center 2000 generates block data 2330 including the nonce 3320 received in step S913 and the nonce pre-block block data 2320 transmitted in step S908.

  In step S915, the hash value calculation unit 2240 of the regional data center 2000 calculates the hash value of the block data 2330.

  In step S916, when the hash value calculated in step S915 is within the specified value, the control unit 2200 stores the block data 2330 generated in step S914 in the storage unit 2300 as correct block data.

  In step S917, the control unit 2200 transmits the block data 2330 generated in step S914 to another regional data center 2000 via the output unit 2400.

  As described above, in the conventional physical sealing by the data storage device, if the physical sealing can be reproduced after the physical destruction, the data can be tampered without knowing the fact of the data tampering. There was a problem of being lost. Further, the physical sealing of the data storage device in the related art has a problem that it is ineffective because it cannot cope with an attack by an electric means that does not cause physical destruction. However, in the present embodiment, the data itself or the information proving the correctness of the data is stored in the regional data center 2000 which is the server. Therefore, even if the data storage device 1000 as a client is accessed and the stored data is tampered with regardless of physical means or electrical means, the local data center 2000, which is the server, detects the tampering fact. It will be possible.

  Further, in the data authentication using the encryption technique in the conventional technology, it is difficult to recognize the fact that the confidential information has been leaked, so that there is a problem that it is difficult to detect falsification after the leakage of the confidential information. However, in the present embodiment, the integrity of the data does not depend on the secret information, and therefore the tampering detection by the leakage of the secret information does not occur.

  Furthermore, the server storage method in the related art cannot guarantee the integrity of data unless the reliability of the server can be relied upon. However, in the present embodiment, falsification of data stored in the server requires an enormous amount of calculation, so falsification is not practical. Therefore, due to the difficulty of tampering with the data stored in the server, the tampering of the data can be detected even if the server is not reliable.

  Further, in the bitcoin using the blockchain technology in the related art, it is difficult to maintain the motivation for providing a huge amount of calculation that guarantees the integrity of data other than financial consideration. In other words, there is a problem in the system maintenance method in order to apply the blockchain technology to a system other than a system that produces financial value. However, in the present embodiment, since the surplus calculation resource in the automobile is utilized, a huge amount of calculation can be secured without causing inconvenience to the provider of the calculation amount, so that the system can be maintained ( (See FIG. 16).

(Modification 1)
Since the block data 2330 is shared between the regional data centers 2000, a huge storage area is required to store the vehicle data 1310 itself of all vehicles included in the block data 2330 in the regional data center 2000. In particular, the data amount of the secure data 1311 included in the vehicle data 1310 may be enormous.

  Therefore, in order to compress the amount of data stored in the regional data center 2000, a system in which the secure data 1311 is stored in the data storage device 1000 and the integrity of the secure data 1311 is ensured can be cited as a modification.

  In this case, the regional data center 2000 stores secure hash information 1321 for securely accessing the secure data 1311 stored in the data storage device 1000, instead of the secure data 1311. The secure hash information 1321 includes the hash information of the secure data 1311.

  That is, the vehicle data 1310 (FIG. 15) is replaced with vehicle hashed data 1320 (FIG. 14) which is a data set of secure hash information 1321, which is hash information of the secure data 1311, vehicle identification information 1313, and secure data identification information 1312. With the secure logging system 10, the amount of data stored in the regional data center 2000 can be compressed.

  That is, the secure data 1311 is stored in the storage unit 1300 of the data storage device 1000 in the secure logging system 10, and the hash value calculation unit 1250 of the data storage device 1000 generates secure hash information of the secure data 1311. The secure hash information may include information about the hash function in addition to the hash value.

  The vehicle data generation unit 1240 generates vehicle hashed data 1320 including the secure hash information 1321, the vehicle identification information 1313, and the secure data identification information 1312, and transmits it to the regional data center 2000. Thereby, the secure hash information 1321 which is the hash information of the secure data 1311 whose integrity should be ensured is transmitted to the regional data center 2000 in a state in which the vehicle to which the secure data 1311 belongs, the generation time and the data type are clarified. You can

(Modification 2)
(Communication between the data storage device 1000 and the regional data center 2000)
In order to reliably transmit / receive vehicle data 1310 (FIGS. 2 and 15) or vehicle hashed data 1320 (FIG. 14) between the data storage device 1000 and the regional data center 2000, transmission / reception processing such as reception response is performed. Control communication is required.

  Therefore, the input / output control unit 1210 of the data storage device 1000 and the input / output control unit 2210 of the regional data center 2000 carry out control communication. As a specific example of control communication, it is assumed that a technology such as TCP communication technology or message authentication technology is used.

  By the control communication, in the transmission / reception of the vehicle data 1310 or the vehicle hashed data 1320 between the data storage device 1000 and the ground data center 2000, it is possible to prevent information loss or unintentional information change. Sending and receiving can be realized.

(Modification 3)
(Communication between the regional data center 2000 and the computing resource providing device 3000)
Control communication is necessary in order to reliably transmit and receive the block data 2320 before nonce addition or the nonce 3320 between the regional data center 2000 and the computing resource providing device 3000.

  Therefore, the input / output control unit 2210 of the regional data center 2000 and the input / output control unit 3210 of the calculation resource providing device 3000 carry out control communication. As a specific example of control communication, it is assumed that a technology such as TCP communication technology or message authentication technology is used.

By the control communication, it is possible to prevent information loss and unintentional information change in the transmission / reception of the block data 2320 before nonce addition or the nonce 3320 between the regional data center 2000 and the calculation resource providing device 3000.
(Modification 4)

(Communication between regional data centers 2000)
Control communication is required in order to reliably transmit and receive the block data 2330 in 2000 local data centers.

  Therefore, the input / output control unit 2210 of the regional data center 2000 carries out control communication. As a specific example of control communication, it is assumed that a technology such as TCP communication technology or message authentication technology is used.

  By the control communication, it is possible to transmit / receive information capable of preventing information loss or unintentional information change in transmission / reception of block data 2330 between the regional data centers 2000.

(Modification 5)
(Calculation request by the calculation resource providing device 3000)
The computing resource providing device 3000 notifies the regional data center 2000 that it is in a state where it can provide the surplus computing resources. That is, the computing resource providing apparatus 3000 transmits a notification of participation announcement and its own destination address to any of the regional data centers 2000 in order to declare that they will participate in the calculation for deriving the nonce.

  The calculation provision request processing unit 2280 of the regional data center 2000 receives, via the input unit 2100, the notification that the calculation resource providing device 3000 transmits the calculation resource. The notification includes the destination address of the computing resource providing device 3000 or the vehicle equipped with the computing resource providing device 3000. The calculation provision request processing unit 2280 adds the notification of the calculation resource providing device 3000 to the calculation resource providing device list 2340.

  The regional data center 2000 can recognize that the computing resource providing device 3000, which has transmitted the notification of providing the computing resources, can participate in the calculation for deriving the nonce. In addition, it is possible to know the destination address required for the regional data center 2000 to communicate with the calculation resource providing device 3000.

  The calculation provision request generation unit 3240 of the calculation resource providing device 3000 transmits a notification of providing the calculation resource to the regional data center 2000. The notification includes the destination address of the computing resource providing device 3000 or the vehicle equipped with the computing resource providing device 3000. Therefore, it is possible to notify the regional data center 2000 that the calculation resource providing device 3000 can participate in the calculation for deriving the nonce. Further, the regional data center 2000 can acquire the destination address necessary for communicating with the calculation resource providing device 3000.

(Modification 6)
(Nance verification at other regional data centers 2000)
When the nonce check is performed only in the regional data center 2000 that generated the block data 2330, the guarantee of the integrity of the secure data 1311 included in the block data 2330 depends on the reliability of one regional data center 2000. Moreover, the continuity of the block data 2330 may be interrupted. Therefore, by performing the nonce verification in all the regional data centers 2000 sharing the block data 2330, the integrity of the secure data 1311 that does not depend on the reliability of the specific regional data center 2000 can be ensured. Note that the nonce verification can be realized by calculating the hash value of the received block data 2330 and confirming that the hash value of the calculation result is a value conforming to the regulation.

  That is, the hash value calculation unit 2240 of the regional data center 2000, when receiving the block data 2330 transmitted by another regional data center 2000, calculates the hash value for the received block data 2330. When the hash value of the calculation result is a value conforming to the regulation, it is confirmed that the nonce included in the block data 2330 is an appropriate value, and the nonce verification is completed. By performing the nonce verification, the integrity of the secure data 1311 that does not depend on the reliability of the specific regional data center 2000 can be realized.

(Modification 7)
(Avoid duplicate registration of block data 2330 between regional data centers 2000)
In this embodiment, in order to secure the reliability of the secure logging system 10, it is necessary to avoid the existence of a plurality of block data 2330 having the same previous block hash value 2322.

  Therefore, the regional data center 2000 that has started the calculation for deriving the nonce using the previous block hash value 2322 transmits a nonce calculation start notification to another regional data center 2000. By the nonce calculation start notification, it is possible to prevent another regional data center 2000 from starting calculation for nonce deduction for the nonce-added block data 2320 having the same previous block hash value 2322. Further, when the derivation of the nonce 2331 is completed, the regional data center 2000 transmits to the other regional data centers 2000 a nonce calculation end notification, which is a notification that the derivation of the nonce 2331 has been completed. By the nonce calculation start notification and the nonce calculation end notification, it is possible to avoid a plurality of block data 2330 having the same previous block hash value 2322 (FIG. 17).

  Specifically, the input / output control unit 2210 of the regional data center 2000 transmits a nonce calculation start notice and a nonce calculation end notice to another regional data center 2000. As a result, waste for deriving a nonce to another non-grant block data 2320 having the previous block hash value 2322 of the non-grant block data 2320 whose calculation for deriving a nonce has already started in the regional data center 2000. It is possible to prevent unnecessary calculations.

  Referring to FIG. 17, for example, when there is the immediately preceding block data 100c, the hash value 140c of the immediately preceding block data 100c becomes the previous block hash value 140c of the block data 100d to be generated next. In the secure logging system 10, the block data 100d having the previous block hash value 140c is limited to one. Therefore, the existence of the block data 100d 'having the previous block hash value 140c is prohibited in the secure logging system 10. Therefore, the regional data center 2000 that has received the nonce calculation start notification does not transmit the nonce pre-assignment block data 2320 having the previous block hash value 140c to the computing resource providing apparatus 3000. Then, after receiving the nonce calculation end notification, the new block data 100d is received, and the hash value of the new block data 100d is used as the previous block hash value.

(Modification 8)
(Sharing calculation requests for nonce derivation among regional data centers 2000)
Rather than starting calculation for nonce derivation only with the calculation resource providing device 3000 registered in the destination list of the calculation resource providing device list 2340 of one regional data center 2000, the calculation resource providing devices of a plurality of regional data centers 2000 It can be expected that the nonces can be derived earlier if the computation resource providing apparatus 3000 registered in the destination list of the list 2340 performs the nonce derivation calculation.

  For this reason, the calculation resource providing apparatus 3000 registered in the destination list of the calculation resource providing apparatus list 2340 of the plurality of regional data centers 2000 causes the calculation for nonce derivation.

  Specifically, when the input / output control unit 2210 of the regional data center 2000 transmits the above-described nonce calculation start notification, the nonce block data generation unit 2250 stores the generated nonce block data 2320 in another regional data center. Send to 2000.

  As a result, also in the other regional data center 2000, it is possible to obtain the information necessary for requesting the calculation resource providing apparatus 3000 belonging to the other regional data center 2000 to perform the calculation for deriving the nonce.

  That is, when the non-grant block data generation section 2250 of another regional data center 2000 receives the non-grant block data 2320, it transmits the received non-grant block data 2320 to the computing resource providing apparatus 3000. Thereby, also in the other regional data center 2000, the calculation resource providing apparatus 3000 can be requested to perform the calculation for deriving the nonce.

(Modification 9)
(Equalization of block data generation opportunities among the regional data centers 2000)
As described in Modification 7, when the regional data center 2000 attempts to start the calculation for deriving the nonce, the input / output control unit 2210 transmits a nonce calculation start notification to another regional data center 2000. As a result, the regional data center 2000 that loses the competition for transmitting the nonce calculation start notification may not be able to generate the block data 2330 forever. Therefore, the input / output control unit 2210 is provided with an arbitration function with another regional data center 2000, and adjustment is performed so that the chances of generating the block data 2320 before nonce provision are as equal as possible.

  For example, the input / output control unit 2210 synchronizes with the other regional data center 2000 and stores block data generation time information 2350, which is information of the time when the block data 2330 was generated in the past, in the storage unit 2300.

  When the input / output control unit 2210 desires to generate the block data 2330 during the nonce calculation arbitration period, which is a fixed period after the nonce calculation end notice is received, the input / output control unit 2210 is a notice indicating that the nonce calculation is desired. The calculation request notification is transmitted to another regional data center 2000. The nonce calculation request notification includes block data generation time information 2350. The secure logging system 10 can set the nonce calculation arbitration period to an arbitrary value.

  The block data generation time information 2350 included in the nonce calculation request notification received during the nonce calculation arbitration period is compared with the block data generation time information 2350 of the local castle data center 2000. When the block data generation time information 2350 of the own site castle data center 2000 is the oldest, the own site castle data center 2000 transmits a nonce calculation start notification. At the same time as the transmission of the nonce calculation start notification, the time of the block data generation time information 2350 is overwritten with the current time.

  As a result, the regional data center 2000 having the oldest block data generation time information 2350 among the regional data centers 2000 desiring nonce can generate the block data 2330. Therefore, equalization of the generation opportunities of the block data 2330 can be realized.

  FIG. 10 is a diagram showing an example of a communication sequence for equalizing the generation opportunities of the block data 2330 between the regional data centers 2000.

  In FIG. 10, an arbitration function between the three regional data centers 2000, that is, the regional data center 2000a, the regional data center 2000b, and the regional data center 2000c will be described.

  In step S1001, time synchronization is established between the input / output control unit 2210a of the regional data center 2000a and the input / output control unit 2210b of the regional data center 2000b.

  In step S1002, time synchronization is established between the input / output control unit 2210c of the regional data center 2000c and the input / output control unit 2210b of the regional data center 2000b. The order of step S1001 and step S1002 may be reversed or may be simultaneous.

  In step S1003, the block data generation unit 2270 of the regional data center 2000c, which has the latest past block data generation time information 2350 after nonce arbitration, generates the block data 2330.

  In step S1004, the input / output control unit 2210c of the regional data center 2000c transmits a nonce calculation end notification to the regional data center 2000b.

  In step S1005, the input / output control unit 2210c of the regional data center 2000c sends a nonce calculation end notification to the regional data center 2000a. The order of step S1004 and step S1005 may be reversed or may be simultaneous.

  In step S1006, the nonce arbitration period is started in the regional data center 2000a, the regional data center 2000b, and the regional data center 2000c. The regional data center 2000c that has transmitted the nonce calculation end notification cannot transmit the nonce calculation request notification during the nonce arbitration period.

  In step S1007, the regional data center 2000b transmits a nonce calculation request notification to the regional data center 2000c.

  In step S1008, the regional data center 2000b transmits a nonce calculation request notification to the regional data center 2000a.

  In step S1009, the regional data center 2000a transmits a nonce calculation request notification to the regional data center 2000b.

  In step S1010, the regional data center 2000a transmits a nonce calculation request notification to the regional data center 2000c. The order of steps S1007 to S1010 may be reversed or simultaneous.

  In step S1011, the nonce arbitration period ends at the regional data center 2000a, the regional data center 2000b, and the regional data center 2000c.

  In step S1012, the input / output control unit 2210b of the regional data center 2000b compares the block data generation time information 2350b of the regional data center 2000b with the block data generation time information 2350a of the regional data center 2000a. The block data generation time information 2350a is included in the nonce calculation request notification transmitted by the regional data center 2000a. Since the time of the block data generation time information 2350a is before the block data generation time information 2350b, the regional data center 2000b does not transmit the nonce calculation start notification.

  In step S1013, the input / output control unit 2210a of the regional data center 2000a compares the block data generation time information 2350a of the regional data center 2000a with the block data generation time information 2350b of the regional data center 2000b. The block data generation time information 2350b is included in the nonce calculation request notification transmitted by the regional data center 2000b. Since the time of the block data generation time information 2350a is before the block data generation time information 2350b, the regional data center 2000a transmits a nonce calculation start notification. The order of step S1012 and step S1013 may be reversed or may be simultaneous.

  In step S1014, the input / output control unit 2210a of the regional data center 2000a transmits a nonce calculation start notification to the regional data center 2000b.

  In step S1015, the input / output control unit 2210a of the regional data center 2000a transmits a nonce calculation start notification to the regional data center 2000c. The order of step S1014 and step S1015 may be reversed or may be simultaneous.

  Although the embodiments have been described in detail with reference to the drawings, the present invention is not limited to the contents described in the above embodiments. Further, the constituent elements described above include those that can be easily conceived by those skilled in the art and those that are substantially the same. Furthermore, the configurations described above can be appropriately combined. In addition, various omissions, substitutions, or changes in the configuration can be made without departing from the scope of the present invention.

  The present invention is a server-storing system in which log data is preserved even when a logger mounted on a vehicle is attacked. Furthermore, the integrity of log data does not depend on the trust of the server and the server administrator. It is extremely useful when used for collateral.

10 ... Secure logging system 1000, 1000a, 1000b, 1000c ... Data storage device 1100, 2100, 3100 ... Input unit 1200, 2200, 3200 ... Control unit 1210, 2210, 3210 ... Input / output Control unit 1220 ... Secure data acquisition unit 1230 ... Vehicle specific information acquisition unit 1240 ... Vehicle data generation unit 1250 ... Hash value calculation unit 1300, 2300, 3300 ... Storage unit 1310, 2310, B ₁ , C ₁ , D ₁ ... Vehicle data 1311 ... Secure data 1312 ... Secure data identification information 1313 ... Vehicle identification information 1321 ... Secure hash information 1400, 2400, 3400 ... Output unit 2000, 2000a, 2000b, 2000c ... Regional data center 2220 ... Vehicle data acquisition unit 2230 ... Vehicle data group generation unit 2240 ... Hash value calculation unit 2250 ... Pre-nonce block data generation unit 2260 ... Nance acquisition unit 2270 ... Block data generation unit 2280 ... Calculation provision request processing unit 2290 ... Block data acquisition unit 2320, 3310 ... Block data before nonce addition 2321 ... ... Vehicle data group 2322 ... Previous block hash value 2331, 3320 ... Nonce 2340 ... Calculation resource providing device list 2350, 2350a, 2350b, 2350c ... Block data generation time information 3000, 3000a, 3000b, 3000c ... Calculation resource providing device 3220 ... Pre-nonce block data acquisition unit 3230 ... Nonce calculation unit 3231 ... Nonce output unit 3240 ... Calculation provision request generation unit

Claims (10)

A secure logging system using a block chain technology including a data storage device and a calculation resource providing device included in a vehicle, and a regional data center wirelessly connected to the data storage device and the calculation resource providing device,
The data storage device generates vehicle data including secure data generated by the vehicle, transmits the vehicle data to the regional data center,
The regional data center stores the vehicle data, a hash value of the immediately preceding block data generated by the block chain technology, and block data including a nonce,
The nonce is determined by the computing resource providing device such that the hash value of the block data including the nonce becomes a value that meets a predetermined condition, and is transmitted from the computing resource providing device to the regional data center. Secure logging system characterized by a nonce.   The regional data center confirms that the hash value of the block data including the nonce received from the computing resource providing device is a value that meets a predetermined condition, and then the block data is transferred to another regional data. The secure logging system according to claim 1, wherein the secure logging system is transmitted to a center.   The other regional data center stores the block data after confirming that the hash value of the block data including the nonce received from the regional data center has a value that meets a predetermined condition. The secure logging system according to claim 2, wherein:   The regional data center discards the nonce when the hash value of the block data including the nonce received from the computing resource providing device does not meet a predetermined condition. The secure logging system according to any one of claims 1 to 3.   Before the regional data center transmits the block data before nonce including the vehicle data and a previous block hash value which is a hash value of the immediately preceding block data generated by the block chain technology to the computing resource providing apparatus. The secure logging system according to any one of claims 1 to 4, wherein the nonce calculation start notification is transmitted to another regional data center.   The regional data center transmits the nonce non-grant block data to the other regional data center together with the nonce calculation start notification, and the other regional data center is assigned to the computing resource providing apparatus belonging to the other regional data center. The secure logging system according to claim 5, wherein the block data before nonce addition is transmitted to start nonce calculation.   The data storage device stores the secure data, generates secure hash information that is a hash value of the secure data, generates vehicle hashed data that includes the secure hash information instead of the secure data, and stores the vehicle. 7. The vehicle hashed data is transmitted to the regional data center instead of the data, and the regional data center uses the vehicle hashed data instead of the vehicle data. The secure logging system according to 1 above.   The regional data center generates block data generation time information indicating the time when the block data is generated, shares the block data generation time information between the regional data centers, and generates the block data. Is the latest block data generation time among other regional data centers that have transmitted the nonce calculation request notification without transmitting the nonce calculation request notification during the nonce calculation arbitration period after the block data is generated. 8. The secure logging system according to claim 1, wherein the other regional data center having information generates the block data.   The calculation resource providing device, when there is a surplus of calculation resources for deriving a nonce in the nonce calculation unit, generates a calculation provision request and transmits the calculation provision request to one of the regional data centers. 9. The secure logging system according to any one of claims 1 to 8.   The data storage device, the calculation resource providing device, and the regional data center have an input / output control unit, and the input / output control unit transmits / receives control information, and the transmitted / received information disappears and the transmitted / received information is modified The secure logging system according to any one of claims 1 to 9, wherein

Images