JP2023182383A - Data retention certification system and data retention certification method - Google Patents

Abstract

To provide a data retention certification system and a data retention certification method that achieve a data retention certification protocol with a small amount of calculation when providing data retention.SOLUTION: A data owner A terminal maintains a trail based on the remainder of an integer n of each of a plurality of blocks generated by dividing data to be deposited, randomly generates a polynomial having the same number of variables as the number of blocks, and transmits it to a data consignee B terminal. The data consignee B terminal divides data to be verified into a plurality of blocks using the same algorithm as the division of the data to be deposited, calculates a substitution value by substituting each block of the divided data to be verified into the polynomial variable, and transmits it to the data owner A terminal. The data owner A terminal determines whether the data to be verified and the data to be deposited match based on whether the substitution value and the value obtained by substituting the trail into the polynomial are congruent modulo the integer n.SELECTED DRAWING: Figure 8

Description

The present invention relates to a data retention certification system and a data retention certification method.

In recent years, data analysis, which extracts unknown and useful knowledge from various data, has been attracting attention. Companies are collecting not only their own data but also data from outside the company, including those of other companies, and analyzing information in various ways, such as using it for marketing and improving operational efficiency, is becoming increasingly recognized as an important activity.

As expectations for information utilization and information distribution for that purpose are increasing, the information being handled often includes sensitive information, personal information, and other information that must not be exposed to security attacks such as leakage or falsification.

When a data owner entrusts or gives data to a third party, such as a cloud or a data analyst, it is important to check whether the data was received correctly at the time of data transmission, and whether the data was received correctly and without data leakage or tampering. There are concerns about data management by third parties, such as whether it is being stored or not. Such concerns are one reason why data owners are hesitant to provide data. From the perspective of data owners' peace of mind, it is desirable to have a method that can confirm whether data entrusted to a third party is being correctly managed.

There are methods to confirm whether data has been received correctly, such as a simple method of returning the hash value of the data immediately after receiving it, but after some time has elapsed since the data was stored, If you want to check the authenticity (whether it has been erased or tampered with), using such a simple method would easily allow a third party to make a false report by retransmitting the stored hash value.

As a technique for preventing this, there is International Publication No. 2014/068734 (Patent Document 1). This publication states, ``We propose a data retention verification system and method that can verify whether or not a server device retains verification target data deposited by a user terminal in a server device with a small amount of communication or calculation. In a data retention verification system and method for verifying whether or not the server device holds verification target data deposited by a terminal in the server device, predetermined verification information is transmitted from the user terminal to the server device, and in the server device, Using the verification target data held and the verification information, calculate server-side evidence data that is specific to the verification target data and smaller in data size than the verification target data, and transfer the calculated server-side evidence data to the user terminal. On the user terminal side, the user terminal side evidence data based on the verification information is compared with the server side evidence data sent from the server device, and based on the comparison result, the server device retains the data to be verified. (See summary).

International Publication No. 2014/068734

The technology described in Patent Document 1 requires a large amount of calculation in the proof protocol due to the use of part of the RSA encryption technology, so when the amount of data or the number of data owners increases, the number of data stored will be reduced. The amount of calculation for all three parties becomes enormous.

Therefore, one aspect of the present invention realizes a data retention proof protocol that requires a small amount of calculation when proving data retention.

In order to solve the above problems, one embodiment of the present invention employs the following configuration. The data retention certification system includes a first terminal and a second terminal, and the first terminal is configured to provide information on the deposited data based on a remainder by an integer n of each of a plurality of blocks generated by dividing the deposited data. A polynomial that holds a trail and has the same number of variables as the number of blocks is randomly generated and transmitted to the second terminal, and the second terminal holds verification target data and The data is divided into a plurality of blocks using the same algorithm as the division of the data to be deposited, and each block of the divided data to be verified is substituted into a variable of the polynomial to calculate a substituted value and transmitted to the first terminal. The first terminal determines whether the verification target data and the deposit target data are congruent with the substituted value and the value obtained by substituting the trail into the polynomial, modulo the integer n. Determine if there is a match.

According to one aspect of the present invention, it is possible to realize a data retention proof protocol that requires a small amount of calculation when proving data retention.

Problems, configurations, and effects other than those described above will be made clear by the following description of the embodiments.

1 is a block diagram showing a configuration example of a data retention certification system in Example 1. FIG. FIG. 2 is a block diagram showing a configuration example of a data owner A terminal in Example 1. FIG. FIG. 2 is a block diagram showing a configuration example of a data trustee B terminal in the first embodiment. FIG. 3 is a sequence diagram illustrating an example of a process of entrusting data held by a data owner A terminal to a data trustee B terminal in the first embodiment. 7 is a flowchart illustrating an example of a parameter generation process in the first embodiment. 7 is a flowchart illustrating an example of trail data calculation processing in the first embodiment. 3 is a sequence diagram illustrating an example of data retention certification processing in the first embodiment. FIG. 5 is a flowchart illustrating an example of a challenge generation process, a response calculation process, and a response check process in the first embodiment. FIG. 2 is a block diagram showing a configuration example of a data retention certification system in Example 2. FIG. FIG. 2 is a block diagram showing a configuration example of a data trustee C terminal in a second embodiment. FIG. 7 is a sequence diagram illustrating an example of data transfer processing between multiple data entrustees in Embodiment 2;

Hereinafter, embodiments of the present invention will be described in detail based on the drawings. In this embodiment, in principle, the same components are given the same reference numerals, and repeated explanations will be omitted. Note that this embodiment is merely an example for implementing the present invention, and does not limit the technical scope of the present invention.

<System configuration>
FIG. 1 is a block diagram showing a configuration example of a data retention certification system. The data retention certification system includes, for example, a data owner A terminal 100 and a data trustee B terminal 200 connected via a network 1000 such as the Internet.

Data held by data owner A terminal 100 is stored by data trustee B terminal 200. The data owner A terminal 100 checks whether the data trustee B terminal 200 is correctly storing the data of the data owner A terminal 100 through the network 1000.

<Configuration example of data owner A terminal 100>
FIG. 2 is a block diagram showing a configuration example of data owner A terminal 100. As shown in FIG. The data owner A terminal 100 is configured by a computer having an input device 101, an output device 102, a communication device 103, a CPU (Central Processing Unit) 110, an auxiliary storage device 120, and a memory 150, for example.

CPU 110 includes a processor and executes programs stored in memory 150. The memory 150 includes a ROM (Read Only Memory) that is a nonvolatile storage element and a RAM (Random Access Memory) that is a volatile storage element. The ROM stores an unchangeable program (eg, BIOS (Basic Input/Output System)) and the like. The RAM is a high-speed and volatile storage element such as DRAM (Dynamic Random Access Memory), and temporarily stores programs executed by the CPU 110 and data used when executing the programs.

The auxiliary storage device 120 is a large-capacity, non-volatile storage device such as a magnetic storage device (HDD (Hard Disk Drive)), flash memory (SSD (Solid State Drive)), etc., and stores programs and programs executed by the CPU 110. Stores data used during execution. That is, the program is read from the auxiliary storage device 120, loaded into the memory 150, and executed by the CPU 110.

The input device 101 is a device such as a keyboard or a mouse that receives input from an operator. The output device 102 is a device, such as a display device or a printer, that outputs the execution results of a program in a format that can be visually recognized by an operator.

The communication device 103 is a network interface device that controls communication with other devices according to a predetermined protocol. Furthermore, the communication device 103 may include, for example, a serial interface such as a USB (Universal Serial Bus).

A part or all of the programs executed by the CPU 110 are sent to the data owner A via a network from a removable medium (CD-ROM, flash memory, etc.) that is a non-temporary storage medium or an external computer equipped with a non-temporary storage device. The data may be provided to the terminal 100 and stored in a nonvolatile auxiliary storage device 120 that is a non-temporary storage medium. For this reason, data owner A terminal 100 preferably has an interface for reading data from removable media. This also applies to the data trustee B terminal 200 and the data trustee C terminal 300, which will be described later in the second embodiment.

The data owner A terminal 100 is a computer system configured on one physical computer or on multiple logically or physically configured computers, and is a computer system configured on the same computer with separate threads. It may operate on a virtual computer built on multiple physical computer resources. This also applies to the data trustee B terminal 200 and the data trustee C terminal 300, which will be described later in the second embodiment.

The CPU 110 includes, for example, a parameter generation section 111 and a trail calculation section 112. The parameter generation unit 111 generates parameters 141 used for calculation by the data owner A terminal 100 in the data retention certification system.

The trail calculation unit 112 converts the data 131 to be deposited into trail data 132 based on the data 131 and the generated parameters 141 before the data owner A terminal 100 transmits the data 131 to the data trustee B terminal 200. Calculate. The trail data 132 is the correct data (the original data sent by the data owner A terminal 100 to the data trustee B terminal 200, which has been modified (altered, deleted, etc.)) by the data trustee B terminal 200. This data is used to prove that the company owns the

For example, the CPU 110 functions as the parameter generation unit 111 by operating according to the parameter generation program loaded into the memory 150, and functions as the trail calculation unit 112 by operating according to the trail calculation program loaded into the memory 150. . The relationship between programs and functional units is the same for the functional units included in the CPU 210 of the data entrustee B terminal 200 and the CPU 310 of the data entrustee C terminal 300, which will be described later in the second embodiment.

Note that some or all of the functions of the functional units included in the CPU 110, the CPU 210 of the data trustee B terminal 200, and the CPU 310 of the data trustee C terminal 300, which will be described later in the second embodiment, may be implemented using, for example, an ASIC (Application Specific Integrated Circuit). ) or FPGA (Field-Programmable Gate Array).

Further, the CPU 110 displays at least part of the data stored in the auxiliary storage device 120 on the output device 102, reads data stored in the auxiliary storage device 120, and sends data via the communication device 103. and transmits it to the user B terminal 200. This also applies to the CPU 210 of the data trustee B terminal 200 and the CPU 310 of the data trustee C terminal 300, which will be described later in the second embodiment.

The auxiliary storage device 120 includes a data recording section 130 and a parameter recording section 140, each of which is an area for recording data. The data recording unit 130 holds data 131 sent to the data trustee B terminal 200 and trail data 132 calculated by the trail calculation unit 112. The parameter recording unit 140 holds the parameters 141 generated by the parameter generation unit 111.

Note that some or all of the information stored in the auxiliary storage device 120, the auxiliary storage device 220 of the data trustee B terminal 200, and the auxiliary storage device 320 of the data trustee C terminal 300, which will be described later in the second embodiment, are as follows: They may be stored in the memory 150, the memory 250 of the data trustee B terminal 200, and the memory 350 of the data trustee C terminal 300, which will be described later in Example 2, or an external database connected to the terminal. It may be stored in

Note that in this embodiment, the information used by the data retention certification system may be expressed in any data structure without depending on the data structure. For example, a suitable selection of data structures from tables, lists, databases, or queues can store the information.

<Configuration example of data trustee B terminal 200>
FIG. 3 is a block diagram showing a configuration example of the data trustee B terminal 200. As shown in FIG. The data trustee B terminal 200 is configured by, for example, a computer having an input device 201, an output device 202, a communication device 203, a CPU 210, an auxiliary storage device 220, and a memory 250.

The hardware description of each of the input device 201, output device 202, communication device 203, CPU 210, auxiliary storage device 220, and memory 250 is as follows: input device 101, output device 102, communication device 103, CPU 110, auxiliary storage device 120, Since the description is the same as that of the hardware of the memory 150, the description thereof will be omitted.

The CPU 210 includes, for example, a response calculation unit 211. The response calculation unit 211 calculates a response using the data 231 and the challenge received from the data owner A terminal 100.

Auxiliary storage device 220 includes a data recording section 230 that is an area for storing data. The data recording unit 230 holds verification target data 231 received from the data owner A terminal 100.

<Data deposit>
FIG. 4 is a sequence diagram illustrating an example of a process of entrusting data 131 held by data owner A terminal 100 to data trustee B terminal 200. Before the process in FIG. 4 starts, data 131 is stored in the data recording unit 130 of the data owner A terminal 100.

In step S401, the parameter generation unit 111 of the data owner A terminal 100 generates parameters 141 necessary for calculating the trail data 132 for the data 131, and records them in the parameter recording unit 140. Details of step S401 will be described later using FIG. 5.

In step S402, the trail calculation unit 112 of the data owner A terminal 100 calculates trail data 132 based on the data 131 and parameters 141. Details of step S402 will be described later using FIG. 6.

In step S403, the trail calculation unit 112 sends the data 131 to the data trustee B terminal 200. In step S404, after receiving the data 131, the response calculation unit 211 of the data trustee B terminal 200 records the data 131 in the data recording unit 230 as data 231.

In step S405, the trail calculation unit 112 of the data owner A terminal 100 records the trail data 132 in the data recording unit 130. Furthermore, the trail calculation unit 112 may keep the data 131 stored in the data recording unit 130 or may delete the data 131 from the data recording unit 130. The process in step S405 may be executed after step S402 and before the process in step S403.

FIG. 5 is a flowchart illustrating an example of the parameter 141 generation process in step S401. In step S501, the parameter generation unit 111 of the data owner A terminal 100 randomly generates a natural number n. Specifically, for example, the parameter generation unit 111 calculates a natural number n included in a predetermined range, such as a range larger than 2^127 (“^” indicates a power) and smaller than 2^128. Select randomly. Note that in step S401, the parameter generation unit 111 may randomly generate integers, prime numbers, odd numbers, etc. included in a predetermined range instead of natural numbers included in the predetermined range.

In step S502, the parameter generation unit 111 determines the size of each block for dividing the data 131 into blocks. The parameter generation unit 111 may determine the sizes of all blocks to be the same predetermined length, such as 512 MB, or may determine the sizes of at least some blocks to be different.

For example, the parameter generation unit 111 can determine the block size so that at least some of the blocks have different sizes by determining the size of each block using random numbers. Further, the parameter generation unit 111 may determine each block size using a pseudo-random number generator. Note that the parameter generation unit 111 uses the random numbers when determining each block size using random numbers, and the seed input to the pseudo random number generator when determining each block size using a pseudo random number generator. is recorded in the parameter recording unit 140 as a parameter 141.

Note that it is desirable that the size of each block is sufficiently larger than the natural number n and sufficiently smaller than the data length of the data 131.

Note that the parameter generation unit 111 transmits information on the block division algorithm (block division position and/or size of each block) and the size of each block to the data trustee B terminal 200 together with the data 131 in step S403. Then, the response calculation section 211 of the data entrustee B terminal 200 records the information in the data recording section 230 together with the data 231.

FIG. 6 is a flowchart showing an example of the calculation process of the trail data 132 in step S402. In step S601, the trail calculation unit 112 executes block division of the data 131 using the following (Formula 1), for example, based on the block division procedure and block size determined in step S502.

M=M1｜｜M2｜｜...｜Mt... (Formula 1)

Here, M is the data 131, Mi (i=1, 2, . . . , t) is each block of the data 131 after division, and || indicates the combination of the blocks. Note that t is the total number of blocks in this example.

In step S602, the trail calculation unit 112 uses the natural number n generated in step S501 for each block Mi to calculate the remainder αi when Mi is divided by n, as shown in the following (Equation 2). A set A(M) consisting of the entire αi corresponding to each of t blocks is stored in the data recording unit 130 as trail data 132.

A(M)={αi|αi=Mi mod n}...(Formula 2)

<Data retention proof>
FIG. 7 is a sequence diagram illustrating an example of data retention certification processing. In the data retention certification process, after the data owner A terminal 100 entrusts the data 131 to the data entrustee B terminal 200, the data entruster B terminal 200 entrusts the data 231 without altering it (falsification, deletion, etc.). It will be checked to see if it has been stored as it was.

In step S701, the trail calculation unit 112 of the data owner A terminal 100 generates a challenge necessary to confirm that the data 131 is stored without modification by the data trustee B terminal 200. Details of step S701 will be described later using FIG. 8.

In step S702, the trail calculation unit 112 transmits a retention certification request including a challenge to the data trustee B terminal 200. In step S703, the response calculation unit 211 of the data trustee B terminal 200 receives the retention certification request including the challenge.

In step S704, the response calculation unit 211 calculates a response using the stored data 231 and the challenge. Details of step S704 will be described later using FIG. 8. In step S705, the response calculation unit 211 transmits the response calculated in step S704 to the data owner A terminal 100.

In step S706, the trail calculation unit 112 of the data owner A terminal 100 receives the response. In step S707, the trail calculation unit 112 uses the trail data 132 and the received response to determine whether or not the deposited data 131 is stored in the data trustee B terminal 200 without being altered. The determination result (OK if it is determined that the data 131 has been modified; NG if it is determined that the data 131 has not been modified) is output to, for example, the output device 102, and the data retention certification is completed. Details of step S707 will be described later using FIG. 8.

FIG. 8 is a sequence diagram showing an example of the challenge generation process in step S701, the response calculation process in step S704, and the response check process in step S707.

In step S801, the trail calculation unit 112 of the data owner A terminal 100 randomly generates a t-variable integer coefficient polynomial F(x1, x2, . . . , xt). Note that the trail calculation unit 112 may randomly select the coefficients of F(x1, x2, . . . , xt) within a predetermined range. Note that F(x1, x2, . . . , xt) can take any degree, but the amount of calculation can be reduced if it is a polynomial with a low degree, such as a first-order polynomial, for example. Further, even if the polynomial is a low degree polynomial such as a first degree polynomial, sufficient accuracy of data retention proof can be ensured.

Further, the trail calculation unit 112 may select the method itself for determining the coefficients of F(x1, x2, . . . , xt). The method of determining the order and coefficient of each term included in F(x1,x2,...,xt) using a pseudorandom function and determining the seed as input to the pseudorandom function is to , x2, . . . , xt).

Specifically, for example, the trail calculation unit 112 determines the coefficients for the t-variable first-order polynomial using a method of continuously applying a hash function, and includes information indicating that the t-variable first-order polynomial is generated, and the hash The first input of the function may be sent to the data trustee B terminal 200 as a challenge.

More specifically, for example, the trail calculation unit 112 randomly generates the input S of the hash function, sets the hash chain h_1=h(S), h_i=h(h_(i-1)), and sets the polynomial F to , may be determined by the following (Equation 3). However, "*" in the following (Formula 3) represents multiplication.

F=h_1*x1+h_2*x2+...+h_t*xt...(Formula 3)

In step S802, the trail calculation unit 112 transmits information indicating the procedure for generating the polynomial and S, or the generated polynomial itself as a challenge to the data trustee B terminal 200. In step S803, the response calculation unit 211 of the data trustee B terminal 200 receives the challenge.

In step S804, the response calculation unit 211 blocks the data 231 according to the block division algorithm received in step S403 (that is, the position at which the data 231 is divided and the number of blocks in each block are the same as the block division in step S403). To divide. Hereinafter, when data 231 is referred to as M', it is assumed that block division as shown in (Equation 4) below has been performed.

M’=M’1 | | M’2 | |… | | M’t… (Formula 4)

In step S805, the response calculation unit 211 regards each block of M' as a bit sequence, and further regards the bit sequence as a binary expansion of an integer to obtain an integer value, and calculates the integer value as shown in (Equation 5) below. Substitute into the polynomial F indicated by the challenge and calculate the integer value of the polynomial.

F(M')=F(M'1, M'2,..., M't)...(Formula 5)

In step S806, the response calculation unit 211 transmits F(M') to the data owner A terminal 100 as a response. In step S807, the trail calculation unit 112 of the data owner A terminal 100 receives the response F(M').

In step S808, the trail calculation unit 112 uses the trail data 132 (A(M)) to determine whether or not the data has been altered through remainder calculation. Specifically, for example, the trail calculation unit 112 calculates the following (Formula 6) using n and trail data A(M).

F (α1, α2,..., αt) mod n... (Formula 6)

The trail calculation unit 112 determines whether F (α1, α2, ..., αt) is equal to the response F (M') as a remainder modulo n, according to (Equation 7) below. do.

F(M’)≡F(α1,α2,...,αt) mod n...(Formula 7)

When the trail calculation unit 112 determines that the congruence formula (Formula 7) holds, it determines that there is no modification of the data and outputs "OK" to the output device 102, so that the congruence formula (Formula 7) is satisfied. If it is determined that this is not true, it is determined that the data has been altered and "NG" is output to the output device 102. Note that mod n in (Equation 7) represents the remainder after dividing by n, that is, the remainder.

As described above, in the data retention certification system of this embodiment, it is possible to determine whether or not data has been altered only by processing with a small amount of calculation such as addition, multiplication, and remainder calculation. Specifically, the data owner A terminal 100 selects the natural number n when calculating the trail as a smaller value than the block size into which the data 131 is divided, thereby reducing the size of the trail for the original data 131. Can be made smaller. Furthermore, if the data owner A terminal 100 generates a polynomial with a low degree and small coefficients during data retention certification processing, it is possible to reduce the amount of calculation when calculating the value of the polynomial. be. In other words, calculations in the data retention certification process can be executed efficiently, and requests from large volumes of data and a large number of data owners can be efficiently handled. Furthermore, by randomly selecting a polynomial each time, the data owner A terminal 100 can prevent the data trustee B terminal 200 from making a false report based on the challenge response.

Furthermore, by dividing the data 131 into blocks, the data owner A terminal 100 can reduce the amount of communication when the data owner updates a portion of the data.

Next, we will explain the use case of the data retention certification system.

<Cloud storage>
The use of the cloud is steadily increasing, and the cloud has become an important infrastructure that supports social and economic activities. The amount of data owned by data owners, such as images and videos, is increasing, and it is becoming costly to store it in their own IT (Information Technology) environments, so cloud storage services are increasingly being used. ing.

At that time, whether or not the data that the data owner has entrusted to the data trustee (cloud) in the past is stored correctly and unaltered is checked periodically or irregularly (for example, according to the data owner's wishes). If the data owner can confirm the information (depending on the situation), the data owner will feel more secure. Therefore, by applying the method described in this embodiment, the confirmation work can be performed.

When entrusting data to the cloud, the data owner generates a trail for parameters and target data using the procedure of this embodiment, stores the trail, and sends the target data to the cloud. At this time, if the data size of the trail is made to be significantly smaller than the block size when the original data is divided into blocks, the trail data stored on the data owner's device will be smaller, and the data can be stored on the device using the cloud. It is possible to reduce the amount of stored data.

<Information banks and information trust banks>
From the perspective of information utilization, services are being considered that collect personal information and have businesses utilize it as data. When personal information is collected, security measures such as measures against leakage are required. Specifically, processing such as encrypted storage and high-level anonymization when providing information to businesses that utilize it are required.

On the other hand, from the perspective of the individual who provided the data (data owner), there are concerns about data management, such as whether the entrusted data is not altered and stored correctly, and such concerns are one of the barriers to data provision. It becomes. Therefore, by applying the procedure of this embodiment, such concerns can be eliminated.

In the real world, general banks check the status of deposited assets by making entries in passbooks, but when depositing digital data to an information bank etc., data ownership checks whether the digital data has been altered or not. Since it is difficult for a person to make a judgment on his/her own, a protocol is required that can detect false reports with a high probability, such as the process using data retention proof in this embodiment.

When an individual who is a data owner deposits information about himself or herself with an information bank, etc., he/she must generate a trail for the parameters and target data using the steps in this example, then store the trail and send the target data to the information bank. Bye.

<System configuration>
Hereinafter, differences from Example 1 will be mainly described, and descriptions of points similar to Example 1 will be omitted as appropriate. FIG. 9 is a block diagram showing a configuration example of a data retention certification system. The data retention certification system includes, for example, a data owner A terminal 100, a data trustee B terminal 200, and a data trustee C terminal 300, which are connected via a network 1000 such as the Internet.

The data owner A terminal 100 and two data trustee terminals communicate through the network 1000, and after entrusting the data owned by the data owner A terminal 100 to the first data trustee terminal, a portion of the deposited data is Transfer part or all of the data to another data fiduciary terminal. In other words, the data retention certification system of this embodiment realizes data transfer between a plurality of data entrustees.

In this embodiment, when data owner A terminal 100 entrusts data to the first data trustee terminal, encryption is performed to keep the contents of the data secret. When transferring encrypted data entrusted to the first data entrustee terminal to another data entrustee terminal, the key for encryption and decryption must be changed to a different key to ensure high security. Assume that

<Data owner A terminal 100 and data trustee B terminal 200>
The configuration example of the data owner A terminal 100 of the present embodiment is similar to the configuration example of the data owner A terminal 100 shown in FIG. 2 of the first embodiment, and the configuration of the data consignee B terminal 200 of the present embodiment. The example has the same configuration as the data entrustee B terminal 200 shown in FIG. 3 of the first embodiment, so a description thereof will be omitted.

<Data trustee C terminal 300>
FIG. 10 is a block diagram showing a configuration example of the data trustee C terminal 300. As shown in FIG. The data trustee C terminal 300 is configured by a computer having an input device 301, an output device 302, a communication device 303, a CPU 310, an auxiliary storage device 320, and a memory 350, for example.

The hardware descriptions of the input device 301, output device 302, communication device 303, CPU 310, auxiliary storage device 320, and memory 350 are as follows: input device 101, output device 102, communication device 103, CPU 110, auxiliary storage device 120, Since the description is the same as that of the hardware of the memory 150, the description thereof will be omitted.

However, the CPU 310 has a protected area 3100 in which internal processing cannot be viewed from outside the data entrustee C terminal 300, that is, it is isolated from areas on the CPU 310 where other processes are executed, and in which secure calculations can be executed. A TEE (Trusted Execution Environment) or the like is an example of the protected area 3100. It is assumed that encrypted communication is possible between the protected area 3100 and the data owner A terminal 100.

The protected area 3100 includes a response calculation section 311 and an encryption/decryption section 312. The response calculation unit 311 calculates a response using the data 331 transferred from the data entrustee B terminal 200 and the challenge. The encryption/decryption unit 312 executes key decryption, data encryption, and decryption.

Auxiliary storage device 320 includes a data recording section 330 that is an area for storing data. The data recording unit 330 holds data 331 received from the data trustee B terminal 200.

<Data transfer>
FIG. 11 is a sequence diagram illustrating an example of data transfer processing between multiple data entrustees. In step S1001, the parameter generation unit 111 of the data owner A terminal 100 generates parameters for the data 131 to be entrusted in plaintext using a method similar to step S401, and the trail calculation unit 112 of the data owner A terminal 100 generates parameters for the data 131 to be entrusted in plaintext. , the trail for the plaintext data 131 to be deposited is calculated using a method similar to step S402.

In step S1002, the trail calculation unit 112 encrypts the data 131 using the key K using a common key encryption method or the like, and transmits the encrypted data 131 to the data trustee B terminal 200. Note that the key K may be stored in the auxiliary storage device 120 in advance, or may be generated by the trail calculation unit 112 before the process of step S1002 starts. In step S1003, the response calculation unit 211 of the data trustee B terminal 200 stores the received encrypted data 131 as data 231.

In step S1004, the response calculation unit 211 of the data trustee B terminal 200 transmits the stored data 231 to the data trustee C terminal 300, for example, in response to a request from the data owner A terminal 100. Note that if the deposited data 231 is encrypted block by block, the response calculation unit 211 will only process the encrypted data of the requested part of the encrypted data 231. It may also be transmitted to the data entrustee C terminal 300.

In step S1005, the response calculation unit 311 of the data trustee C terminal 300 stores the received encrypted data as data 331. In step S1006, the trail calculation unit 112 of the data owner A terminal 100 generates a challenge for the plaintext data 131 generated in the same manner as step S801, and challenges the plaintext data 131 using the key K used in the original encryption. , new key K', and the generated challenge are transmitted to the protected area 3100 of the data trustee C terminal 300.

Note that the key K' may be stored in the auxiliary storage device 120 in advance, or may be generated by the trail calculation unit 112 before the process of step S1006 starts. Further, the encryption key and encryption algorithm for encrypting the keys K and K' are shared in advance between the data owner A terminal 100 and the data trustee C terminal 300, for example.

In step S1007, the encryption/decryption unit 312 of the data trustee C terminal 300 decrypts the key K and the key K' within the protected area 3100, and transfers the data 331 received in step S1005 to the protected area using the key K. 3100. Furthermore, in step S1007, the response calculation unit 311 calculates a response within the protected area 3100 based on the decrypted data and the challenge transmitted in step S1006, using the same method as in steps S804 and S805. do. Furthermore, in step S1007, the encryption/decryption unit 312 encrypts the decrypted data with the key K' inside the protected area 3100 and stores it as data 331.

In step S1008, the response calculation unit 311 transmits the response calculated in step S1007 to the data owner A terminal 100.

In step S1009, the trail calculation unit 112 of the data owner A terminal 100 checks the response in the same manner as in step S808, and determines whether the data has been altered. Further, in step S1009, if the trail calculation unit 112 determines that the congruence formula (Formula 7) holds true, it determines that there is no modification of the data, outputs "OK" to the output device 102, and outputs "OK" to the output device 102 (Formula 7). If it is determined that the congruence equation 7) does not hold, it is determined that the data has been altered and "NG" is output to the output device 102.

Therefore, if the data owner A terminal 100 determines that the data has not been altered, the data owner It can be confirmed that the data has been correctly transferred from the B terminal 200 to the data trustee terminal C300.

Note that the present invention is not limited to the above-described embodiments, and includes various modifications. For example, the embodiments described above are described in detail to explain the present invention in an easy-to-understand manner, and the present invention is not necessarily limited to having all the configurations described. Further, it is also possible to replace a part of the configuration of one embodiment with the configuration of another embodiment, and it is also possible to add the configuration of another embodiment to the configuration of one embodiment. Further, it is possible to add, delete, or replace a part of the configuration of each embodiment with other configurations.

Further, each of the above-mentioned configurations, functions, processing units, processing means, etc. may be partially or entirely realized in hardware by designing, for example, an integrated circuit. Furthermore, each of the above configurations, functions, etc. may be realized by software by a processor interpreting and executing a program for realizing each function. Information such as programs, tables, files, etc. that implement each function can be stored in a memory, a recording device such as a hard disk, an SSD (Solid State Drive), or a recording medium such as an IC card, an SD card, or a DVD.

In addition, the control lines and information lines are shown to be necessary for explanation purposes, and not all control lines and information lines are necessarily shown in the product. In reality, almost all components may be considered to be interconnected.

100 Data Owner A Terminal, 103 Communication Device, 110 CPU, 111 Parameter Generation Unit, 112 Trail Calculation Unit, 120 Auxiliary Storage Device, 131 Data, 132 Trail Data, 141 Parameter, 200 Data Trustee B Terminal 203 Communication Device, 210 CPU, 211 response calculation unit, 220 auxiliary storage device, 231 data, 300 data entrustee C terminal, 303 communication device, 310 CPU, 311 response calculation unit, 312 encryption/decryption unit, 331 data, 3100 protected area

Claims (10)

A data retention certification system,
including a first terminal and a second terminal;
The first terminal is
Maintaining a trail for the deposit target data based on a remainder by an integer n of each of a plurality of blocks generated by dividing the deposit target data,
randomly generating a polynomial having the same number of variables as the number of blocks and transmitting it to the second terminal;
The second terminal is
Hold the data to be verified,
dividing the verification target data into a plurality of blocks using the same algorithm as the division of the deposit target data;
calculating a substituted value for each block of the divided verification target data to a variable of the polynomial, and transmitting the substituted value to the first terminal;
The first terminal is
determining whether the verification target data and the deposit target data match based on whether the substituted value and the value obtained by substituting the trail into the polynomial are congruent modulo the integer n; Retention proof system. The data retention certification system according to claim 1,
The deposited data M is divided into t blocks M1||M2||...|Mt,
The first terminal is
As the trail, generate A(M)={αi|αi=Mi mod n} (i=1, 2,..., t),
Randomly generate a t variable integer coefficient polynomial F (x1, x2, ..., xt) as the polynomial,
The second terminal is
Divide the verification target data M' into t blocks M'1||M'2||...||M't,
As the substituted value, calculate F(M')=F(M'1, M'2,..., M't),
The first terminal is
A data retention certification system that determines whether the verification target data and the deposit target data match based on whether F(M')≡F(α1, α2, ..., αt) mod n holds true. . The data retention certification system according to claim 1,
The first terminal is a data retention proof system that randomly generates a first-order polynomial as the polynomial. The data retention certification system according to claim 1,
The integer n is a value randomly selected from a predetermined range,
In the data retention proof system, each of the plurality of blocks has a block size of the same predetermined value or a value determined based on random numbers or pseudorandom numbers. The data retention certification system according to claim 1,
including a third terminal holding the verification target data;
The second terminal has a normal area and a protected area isolated from the normal area as an area for performing calculations,
The first terminal is
holding a first key and a second key;
transmitting a ciphertext obtained by encrypting the first key and the second key to the protected area of the second terminal;
The verification target data is encrypted with the first key,
The verification target data held by the second terminal is transmitted from the third terminal,
The second terminal is
in the protected area, acquiring the first key and the second key by decrypting the ciphertext;
in the protected area, decrypting the verification target data using the first key;
in the protected area, encrypting the decrypted verification target data with the second key;
In the protected area, dividing the decrypted verification target data into a plurality of blocks using the same algorithm as the division of the deposit target data,
calculating a substituted value by substituting each block into which the decrypted verification target data is divided into variables of the polynomial, and transmitting the substituted value to the first terminal;
The first terminal is
Determining whether the decrypted verification target data and the deposit target data match based on whether the substituted value and the value obtained by substituting the trail into the polynomial are congruent modulo the integer n. , Data Retention Proof System. A data retention certification method using a data retention certification system, the method comprising:
The data retention certification system includes a first terminal and a second terminal,
The first terminal maintains a trail for the deposit target data based on a remainder by an integer n of each of a plurality of blocks generated by dividing the deposit target data,
The second terminal holds verification target data,
The data retention certification method is
the second terminal randomly generates a polynomial having the same number of variables as the number of blocks, and transmits it to the second terminal;
The second terminal divides the verification target data into a plurality of blocks using the same algorithm as the division of the deposit target data,
the second terminal calculates a substituted value by substituting each block of the divided verification target data into a variable of the polynomial, and transmits the substituted value to the first terminal;
The first terminal matches the verification target data and the deposit target data based on whether the substituted value and the value obtained by substituting the trail into the polynomial are congruent modulo the integer n. Data retention certification method to determine whether 7. The data retention certification method according to claim 6,
The deposited data M is divided into t blocks M1||M2||...|Mt,
The data retention certification method is
The first terminal generates A(M)={αi|αi=Mi mod n} (i=1, 2, . . . , t) as the trail,
The first terminal randomly generates a t variable integer coefficient polynomial F (x1, x2, ..., xt) as the polynomial,
The second terminal divides the verification target data M' into t blocks M'1||M'2||...|M't,
The second terminal calculates F(M')=F(M'1, M'2, ..., M't) as the substituted value,
The first terminal determines whether the verification target data and the deposit target data match based on whether F(M')≡F(α1, α2, ..., αt) mod n holds true. Data retention proof method. 7. The data retention certification method according to claim 6,
A data retention proof method, wherein the first terminal randomly generates a first-order polynomial as the polynomial. 7. The data retention certification method according to claim 6,
The integer n is a value randomly selected from a predetermined range,
The data retention proof method, wherein each of the plurality of blocks has a block size of the same predetermined value or a value determined based on random numbers or pseudo-random numbers. 7. The data retention certification method according to claim 6,
The data retention certification system includes a third terminal that retains the verification target data,
The second terminal has a normal area and a protected area isolated from the normal area as an area for performing calculations,
The first terminal holds a first key and a second key,
The verification target data is encrypted with the first key,
The verification target data held by the second terminal is transmitted from the third terminal,
The data retention certification method is
the first terminal transmits a ciphertext obtained by encrypting the first key and the second key to the protected area of the second terminal;
the second terminal obtains the first key and the second key by decrypting the ciphertext in the protected area;
the second terminal decrypts the verification target data in the protected area using the first key;
the second terminal encrypts the decrypted verification target data with the second key in the protected area;
the second terminal divides the decrypted verification target data into a plurality of blocks in the protected area using the same algorithm as the division of the deposit target data;
calculating a substituted value by substituting each block into which the decrypted verification target data is divided into variables of the polynomial, and transmitting the substituted value to the first terminal;
The first terminal determines whether the decrypted data to be verified and the data to be entrusted are determined based on whether the substituted value and the value obtained by substituting the trail into the polynomial are congruent modulo the integer n. A data retention proof method that determines whether there is a match.

Images