JP3328597B2 - Distributed multiplication apparatus and program recording medium therefor - Google Patents

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a cooperative computing device in which a plurality of processors communicating in a telecommunication system perform calculations in cooperation with each other, and in particular, a plurality of secret input values are known to any other processor. And a cooperative distributed multiplication device that outputs their product.

[0002]

2. Description of the Related Art A method in which a plurality of processors have distributed secret input values and calculate a certain function without revealing the values to each other is called a multi-perfection protocol. Tatsuaki Okamoto, Hirosuke Yamamoto: Modern cryptography (industrial book, 1
997), p227. When the function to be calculated is addition, it is relatively easy to realize. That is, secret A is t
Is secret sharing by the following polynomial A (X) = A + a1X + ... + atX t, each processor Pi is distributed secret value A (w
i), and similarly, the secret B is a polynomial B (X) =
Is secret sharing by ^{B + b1X + ... + btX t} , if each processor Pi is assumed to have a distributed secret value B (wi), C (X ): = A (X) + B (X) = (A + B) +
(A1 + b1) X + ... + (at + bt) Since X ^t is established, each processor Pi is simply the A (wi) B (wi)
, A value equal to C (wi) can be obtained, and therefore, a shared secret value by the t-th order polynomial of A + B can be obtained.

On the other hand, in the case of multiplication, the product A (wi) · B (wi) of the shared secret value held by each processor is the shared secret of A · B by a 2t-order polynomial A (X) · B (X). In order to recover the secret, 2t + 1 correct shared secret values are required. Therefore, each time the distributed multiplication is performed, the number of shared secret values required for restoration increases by t, and if the number of processors exceeds n, the restoration of secrets becomes impossible.

As a method for solving this problem, reference Ben
-Or, Goldwasser, Wigderson: “Completeness Theorem
s for non-cryptographic fault-tolerant distributed
computation ”, by STOC'88, pp.1-10, 1988
There is a method called e Reduction. In this method, 2t
Vector I = (A (w1) · B (w1), A (w2) · B of product of shared secret values of the following polynomials A (X) · B (X)
By the linear combination of (w2),..., A (wn) · B (wn)), the coefficients from the 0th to tth order are A (X) · B (X)
, C (w2),..., C (w
n)) can be expressed. That is, utilizing the fact that an n × n constant vector H exists and W = HI, all the processors cooperate to execute the operation HI while guaranteeing the correctness of the input value. The method of executing was used.

[0005]

However, in this method, in order to proceed with the calculation while assuring that each processor is operating correctly, each processor further distributes its shared secret value, and A complicated procedure of calculating the check vector of the BCH code using the shared secret value is required.

[0006]

According to the present invention, two verifiable secret sharing using a 2t-order polynomial A (X) .B (X) and a t-order polynomial C (X) are performed. At this time, by using a verifiable secret sharing method that can provide a means for easily confirming that the constant terms of A (X) · B (X) and C (X) are equal, the input value from each processor is Whether it is correct or not can be easily verified, and a distributed multiplication device with a small amount of communication and a small amount of calculation is configured.

The processor Pi uses shared secret values A (wi) and B (wi) as t-order polynomials Ai (X) and Bi (X) with A (wi) and B (wi) as constant terms, respectively. Each processor Pj is distributed so as to have Ai (wj) and Bi (wj) by a verifiable secret sharing method. Next, Pi is a 2t-order polynomial ABi (X) = Ai
Ai (wi) · B (wi) is distributed by a verifiable secret sharing method using (X) · Bi (X).

Each processor Pj has already held A
The product of i (wj) and Bi (wj) is the point A on ABi (X)
Verify that it is equal to Bi (wj). That is, ABi
It is verified that (wj) = Ai (wj) · Bi (wj). If not, notify all other processors of the failure. Here, if the number of rejection notifications is t or less, the 2t-order polynomial ABi (X) is a curve Ai (X) · Bi at least 2t + 1 points wj.
(X), and such a 2t-order curve ABi (X) eventually becomes a curve Ai at all points.
(X) · Bi (X), the secret distributed using ABi (X), that is, the constant term of ABi (X) is the constant term of Ai (X) · Bi (X), that is, A (wi). ) ・
B (wi).

Subsequently, Pi represents a constant term as A (wi) · B
(Wi), each processor Pj uses a verifiable secret sharing method using a t-order random polynomial Ci (X).
Distributed so as to have i (wj). Since the secret sharing method used here provides a means for easily verifying that the constant term of the 2t-order polynomial ABi (X) is equal to the constant term of the t-order polynomial Ci (X), each processor confirms this. .

[0010] Verifiable secret sharing methods that provide such means include, for example, the method by Pedersen,
There is a method by Feldmann. Pedersen
According to the method, each coefficient of the polynomial used for the verifiable secret sharing is released after being committed by the bit commitment function. Similarly, Feldmann
According to the method, each coefficient of the polynomial is encrypted and then made public. Thus, each processor has a public commit or encrypted value for the constant term,
This verification is possible by confirming that A (wi) · B (wi) is equal to Ci (wj).

Each of the above-mentioned distributed processes may be performed in parallel.
Each verification may be performed in parallel, that is, simultaneously.
If any of the above verifications fail, the results will be disclosed. The above procedure is executed for all processors Pi, and each processor determines Ci (w) for at least 2t + 1 processors determined to be acceptable.
j) is considered a correct value. Assuming that a set of indices i of the processors determined to be passed is α, if 2t + 1 or more are correct, | α | ≧ 2t + 1.

Finally, each processor Pj has a correct Ci.
(Wj) is interpolated by polynomial interpolation. That is, La
change the gradient interpolation coefficient

[0013]

(Equation 1) Is calculated, and the result is set as a shared secret value of A and B held by Pj. Assuming that the value is Cj, | β |> = t +
When 1,

[0014]

(Equation 2) And the multiplication results A and B can be recovered. Alternatively, when the shared secret values of the secret values A and B to be multiplied do not include zero, it can be solved more efficiently by the following means. In other words, when using a verifiable secret sharing method in which the coefficients of a polynomial used for secret sharing are bit-committed and published, by using the isomorphism of the bit commit, the constant term of the used polynomial becomes
It is possible to easily confirm that it is the product of two secrets.

A function BC (g, x) having a parameter g and a secret value x as inputs is represented by BC (BC (g, x), y) =
A bit commitment function having the property of BC (g, xy) is used. Polynomial S with secret value s as a constant term
The verifiable secret sharing method using (X) and the parameter g shall publish the BC (g, s), and each processor must make sure that the received shared secret value matches the published BC (g, s). It shall have a verification means to confirm.

The processor Pi has a shared secret value A (wi)
Is a polynomial Ai (X) of degree t with A (wi) as a constant term.
And each processor Pj is distributed such that each processor Pj has Ai (wj) by a verifiable secret sharing method using the parameter and the parameter g. At this time, Pi is Ai0: = BC (g, A (w
i)), and each processor Pj issues BC (g, A
Verify that (wi)) matches the received Ai (wj).

Similarly, the processor Pi has a shared secret value B
(Wi) is a t-order polynomial B with B (wi) as a constant term
Distributed by a verifiable secret sharing method using i (X) and parameter g. At this time, Pi is Bi0 = BC
(G, B (wi)), and each processor Pj shares the shared secret value Bi (wj) and the public value Bi0: = BC (g,
Receiving B a (wi)), Bi0 to verify that consistent with Bi (wj).

Further, Pi is B instead of parameter g.
C (g, A (wi)) is used as a parameter,
The shared secret value B (wi) is shared using the polynomial Bi (X). Since the polynomials used are the same, Pj
Is the same Bi (wj) as the previous secret sharing, so that it is not necessary to send this. On the other hand, ABi0:
= BC (BC (g, A (wi)), B (wi)) is published and each processor Pj verifies that ABi0 matches Bi (wj) with respect to parameters BC (g, A (wi)). .

Subsequently, Pi is a constant term of A (wi) · B
Each processor Pj is distributed so as to have Ci (wj) by a verifiable secret sharing method using a t-order random polynomial Ci (X) and a parameter g as (wi).
At this time, Ci0: = BC (g, A (wi) · B (w
i)) is published and each processor Pj verifies that Ci0 matches the received Ci (wj).

Here, Pi is correctly A (wi) · B (w
If i) is dispersed, the public value Ci0 becomes Ci0 = BC
(G, A (wi) · B (wi)) = BC (BC (g, A
(Wi), B (wi)) = ABi0, which is the same as the last published value. Therefore, each processor can verify the validity of the distributed values by verifying that Ci0 is equal to Bi0.

Also in this case, each of the above-mentioned dispersions may be performed in parallel (simultaneously), and each verification may be performed collectively. For all of the above verifications, each processor publishes a pass or fail notification and, if any of the verifications fail, publishes a failure. The above procedure is performed for all processors Pi, and each processor has at least t +
For one processor i determined to be rejected, Ci
(Wj) is rejected. Assuming that a set of indices i determined to be passed is α, if t + 1 or more are correct,
| Α | ≧ t + 1.

Finally, each processor Pj has the correct Ci
(Wj) is interpolated by polynomial interpolation. That is, La
change the gradient interpolation coefficient

[0023]

(Equation 3) Is calculated, and the result is set as a shared secret value of A and B held by Pj. Assuming that the value is Cj, from the set β of indices of the processors having the correct Cj, | β | ≧ t + 1
When,

[0024]

(Equation 4) And the multiplication results A and B can be recovered. According to the present invention, the equivalence of secrets distributed by the processors Pi can be verified only by comparing the values output by the verifiable secret sharing method, and a distributed multiplication device with a small amount of communication and a small amount of calculation can be realized. .

[0025]

Embodiment 1 Embodiment 1 of the present invention will be described below. First,
n-number of the user (the processor) and P1 to Pn, connected at each of the user devices 11 ₁ to 11 _n between the secure channel 12 as shown in FIG. 1, The total decipherer device 12 _i ( i =
1, 2,..., N) can be used by each user to ensure that they receive the same contents.

It is assumed that secret values A and B whose products are to be calculated are distributed in advance by a verifiable secret sharing method. Below, Pederse is used as a verifiable secret sharing method.
The case where the method of n is used is described. First, it is assumed that there are large prime numbers p and q, and q divides p−1. In the following description, the fields created by p and q are written as Fp and Fq, respectively, and the subgroup of the order q of Fp is written as Gq. Each user Pj
It is assumed that a unique value wj such that wj∈Zq is disclosed. It is assumed that A and B are both elements of Fq.

[0027] Random polynomial A (X) on each processor Pj is two _{Fq = a 0 + a 1 X} + ... + a t X t and _{U (X) = u 0 +} u 1 X + ... + u t X t value A for wj of (Wj) and U (wj). Where a ₀ =
A. It is assumed that EA _k : = g ^ak h ^uk modp is disclosed for k = 0,..., T for elements g and h of Gq selected at random.

At this time, the pair of (A (wj), U (wj)) is the shared secret value of Pj with respect to the secret value A. Each processor Pj,

[0029]

(Equation 5) Is satisfied, the validity of the held shared secret value (A (wj), U (wj)) can be verified. In the following description, the Peders
The method of en is described as Ped (A, u ₀ ) → (Aj, Uj) (EA ₀ ,..., EA _t ). Here, A in parentheses of Ped (A, u ₀ )
And u ₀ mean the constant terms of two random polynomials used for secret sharing, as described above. (Aj, Uj) is P
j denotes a shared secret value of A received via a secure communication channel, and is a value at X = wj of random polynomials Aj (X) and Uj (X) where A and u ₀ are constant terms, respectively. And j takes 1,..., N. Further, EA _k is g ^ak h ^uk modp made commitments k order coefficient of the polynomial, exposed through a broadcast channel.

It is assumed that the secret value B is similarly distributed by the above verifiable secret sharing method. That is, it is assumed that Ped (B, v ₀ ) → (Bj, Vj) (EB ₀ ,..., EB _t ) using the random number v ₀ . From the above initial state, the processor Pj first converts Aj and Bj into random numbers ui ₀ and vi ₀
A _{wish, Ped (Aj, ui 0)} → (Aji, Uji) (EAj 0, ..., EAj t) Ped (Bj, vi 0) → (Bji, Vji) (EBj 0, ..., EBj t) as Spread. That Pj is t following random polynomial Aj as shown in FIG. _{2 (X) = a j0 +} a j1 X + ... + a jt X
^t and Uj (X) = u _j0 + u _j1 X +... + u _jt X ^t are generated (S1), and the commitment value EA _jk = g ^ajk h ^ujk mod
a p k = 0, ..., calculated for the t (S2), also a random polynomial _{Bj (X) = b j0 +} b j1 X + ... + b jt X t and _{Vj (X) = v j0 +} v j1 X + ... + v jt X t Is generated (S
3) The commitment value EB _jk = g ^bjk h ^vjk mod p is calculated for k = 0,..., T (S4), and (Aji, Uji) and (Bji, Vj) are assigned to all processors Pi.
i) is transmitted via a secure communication channel (S5), and (EAj ₀ ,..., EAj _t ) and (EBj) are transmitted via a broadcast-type communication channel.
j ₀ ,..., EBj _t ) is transmitted (S6).

Here, a polynomial in which Aj used in Ped (Aj, ui ₀ ) secret sharing is a constant term is expressed by Aj (X) =
and _{a j0 + a j1 X + ...} + a jt X t. Similarly, Ped
Bj (X) = b _j0 + b _j1 X +... + B _jt X ^t is a polynomial in which Bj used in the secret sharing (Bj, vi ₀ ) is a constant term.
And Here, a _j0 = Aj and b _j0 = Bj. The processor Pj calculates the product Aj (X) · Bj of the two polynomials.
(X) is calculated, and this is calculated as ABj (X) = e _j0 + e _j1 X +
.. + E _j2t X ^2t (S7). Also it generates 2t next random polynomial _{Dj (X) = d j0 +} d j1 X + ... + d j2t X 2t ( Fig. 3, S8). ABj (X) and Dj
The coefficients of the k-th order term of (X) are e _jk and d _jk , respectively.
Pj is ^{EABjk: = g ejk h djk mod} p a k = 0,
, 2t (S9), and (EAB _j0 ,..., E
AB _j2t ) through a broadcast-type communication channel (S1)
0). Also, Dji: = Dj (wi) is sent to Pi via a secure communication channel (S11).

Further, the processor Pj executes Ped (Aj · Bj, dj ₀ ) → (Cji, Rji) (ECj ₀ ,..., ECj _t ). That is, t-order random polynomial Cj (X) =
and _{c j0 + c j1 X + ...} + c jt X t, Rj (X) = r j0 + r
to generate a _{j1 X + ... + r jt X} t (S12), the commitment value ^{_{EC jk = g cjk h rjk mod}} p a k = 0, ..., calculated for the t (S13), Cji = Cj (wi), Rji
= Rj (wi) through a secure channel to the processor Pi
, And ECj ₁ ,..., ECj _t are made public through a broadcast-type communication channel (S15).

Each processor Pi has Aji, Uji, B
ji, Vji, Dji, Cji, Rji, EAik, E
Bik, ECik, k = 0,..., T, EABik k =
0,..., 2t received from Pj, j = 1 ,.
i (FIG. 4, S1) , the verification equation

[0034]

(Equation 6) Is established (S2), and if one is not established, "fail" is notified to all other processors via the broadcast communication path (S3). If the number of failure notifications is t or less (S4), Pi is received (Cji, Rj).
Pass i). If the rejection is less than t, the set α
To add a j of the case-rated (S5).

The above procedure is repeated for all processors Pj j =
1,..., N are executed (S6, S7). The sharing process by the verifiable secret sharing method always includes the checking process. The verification at the time of sharing Aj and Uj is performed by Expressions (1) and (5), and the checking at the time of sharing Bj and Vj is (2), which is performed by equation (6). Verification at the time of distribution of ABj and Dj is performed by Expression (3), and this verification is performed by Aj (w
The product of i) and Bj (wi) is the point ABj on ABj (X)
(Wi) and verify that Aj · Bj's Ci
Verification in variance using (X) and Ri (X) is performed by Expression (4), and Expression (7) verifies that the constant term of Cj (X) is equal to the constant term of ABj (X).

[0036] One to all of the processor Pj the verification described above
After that went had, each processor Pi is, the set on the index j of passing the Cji and α, Lagrang
e interpolation coefficient

[0037]

(Equation 7) , And this is used as the shared secret value (C
i, Ri) (S8). And a verification commitment.

[0038]

(Equation 8) Are calculated for k = 0,..., T (S9). When actually publishing the multiplication result, as shown in FIG.
Each processor Pi publishes the shared secret value (Ci, Ri) (S1), and this is received by each processor (S2), and each processor receives wi = wi ^k mod q

[0039]

(Equation 9) Is verified (S3). If not, the j is disclosed (S4).
5) If the verification is successful, it is accepted as a correct shared secret value, and j is added to the set β (S6). The verification in step S3 is performed for all processors Pj (S7, S7
8). Let β be a set of indexes of correct shared secret values obtained by the above means.

When | β | ≧ t + 1,

[0041]

(Equation 10) And each processor can recover the multiplication results A and B (S9). Equations (1), (2),
EAj ₀ , EBj ₀ , ECj for each k = 0 in (4)
_Since they are ₀ , they are not sent, and verification equations (1),
Instead of (5), (2), (6), (4), (7),

[0042]

[Equation 11] It is also possible to verify as. Notification of rejection can also be made collectively after all processors have completed verifiable secret sharing. Second Embodiment Hereinafter, a second embodiment of the present invention will be described.

First, n users (processors) are assigned to P1
To Pn, each user device (processor) is connected by a secure communication path, and all user devices (processors)
To make it possible for each user to use a broadcast communication path that is guaranteed to receive the same contents. The secret values A and B whose products are to be calculated are determined in advance by a verifiable secret sharing method.
It is assumed that they are dispersed. Hereinafter, a case where Pedersen's method is used as the verifiable secret sharing method will be described.

First, there are large prime numbers p and q, and q is p−
It shall be divisible by 1. In the following description, the fields created by p and q are written as Fp and Fq, respectively, and the subgroup of the order q of Fp is written as Gq. It is assumed that a unique value wj such that wj∈Zq is disclosed to each decryptor Pj. A and B
Are all elements of Fq. Each processor Pj has a random polynomial A (X) = a ₀ + a ₁ X on two Fqs.
+ ... + a ^_t X _t and _{U (X) = u 0 +} u 1 X + ... + u
value for wj of ^_t X _t A (wj), holds the U (wj). Here, it is assumed that a ₀ = A. It is assumed that EA _k : = g ^ak h ^uk modp is disclosed for k = 0,..., T for elements g and h of Gq selected at random.

At this time, the pair of (A (wj), U (wj)) is the shared secret value of Pj with respect to the secret value A. Each processor Pj,

[0046]

(Equation 12) Is satisfied, the validity of the held shared secret value (A (wj), U (wj)) can be verified. In the following description, the Peders
The method of en is described as Ped (A, u ₀ ) [g, h] → (Aj, Uj) (EA ₀ ,..., EA _t ). Here, A in parentheses of Ped (A, u ₀ )
And u ₀ mean the constant terms of two random polynomials used for secret sharing, as described above. [G, h] means that the commitment function uses g and h as the base of the power. (Aj, Uj) means a shared secret value of A received by Pj via a secure communication channel, and is a random polynomial Aj having A and u ₀ as constant terms, respectively.
(X) and Uj (X) at X = wj,
j takes 1,..., n. Further, EA _k is g ^ak h ^uk modp made commitments k order coefficient of the polynomial, exposed through a broadcast channel. Where Pj
Let EAj ₀ : = g ^Aj h ^Uj modp be the commitment to the secret value (Aj, Uj) ^held by. This EAj ₀ is
Published EA _0, ..., by using the EA _t,

(Equation 20) Note that anyone can calculate, as in.

It is assumed that the secret value B is similarly distributed by the above verifiable secret sharing method. That is, it is assumed that Ped (B, v ₀ ) [g, h] → (Bj, Vj) (EB ₀ ,..., EB _t ) using the random number v ₀ . From the above initial state, the processor Pj first selects the random numbers ui ₀ and vi ₀ and obtains Ped (Bj, vi ₀ ) [g, h] → (Bji, Vji) (EBj ₀ ,..., EBj _t ). Bj is distributed. That is, as shown in FIG. 6, a random polynomial Bj (X) of order t and Vj (X) are generated (S
1), the commitment value _EBjk is calculated for k = 0,..., T (S2), and Bj (wi), Vj (w
i) to the processor Pi through a secure channel (S
3), EAj ₀ ~EAj _t, publish through the broadcast communication path EBj ₀ ~EBj _t (S4).

Here, a polynomial in which Bj used in Ped (Bj, ui ₀ ) secret sharing is a constant term is represented by Bj (X) =
and _{b j0 + b j1 X + ...} + b jt X t. Where b _j0 = B
j. Next, choose a random number di ₀ the Bj, as the bottom of the EAj ₀ instead of the bottom _{g, Ped (Bj, di 0} ) [EAj 0, h] → (Bji, Dji) (EABj 0, ..., EABj t ). However, the same polynomial Bj (X) as that immediately before is used for a polynomial having Bj as a constant term. Therefore, the corresponding shared secret value is Ped (Bj, d
i ₀ ) equal to the shared secret value of Bj in [g, h]. On the other hand, a polynomial Dj (X) = d with di ₀ as a constant term
_{j0 + d j1 X + ... +} d jt X t is randomly selected (Fig. 7, S5). The EABj _k a k = 0, ..., computed for t (S6), Dj sends (wi) to Pi through a secure communication path (S7), to expose through the broadcast communication path EABj ₀ ~EABj _t ( S8). Furthermore, Aj ・ Bj
Then, random polynomials Cj (X) and Rj (X) of order t with u _i0 · Bj + d _i0 as constant terms are generated (S9). Assuming that the coefficients of the k-th order term of Cj (X) and Rj (X) are c _jk and r _jk , Pj is EABjk: =
g ^{cjk hrjk} mod p is calculated for k = 0,..., t (S10), and (EC _j0 ,..., EC _jt ) is made public through a broadcast communication channel (S11). Also, Cji: = Cj (w
i) and Rji: = Rj (wi) are sent to Pi via a secure communication channel (S12).

Each processor Pi has a verification formula

[0050]

(Equation 13) Is confirmed, and if even one does not hold, "fail" is notified to all other processors via the broadcast communication path. If there are no more than t failure notifications,
Pi accepts the received (Cji, Rji). The above procedure is executed by all the processors Pj j = 1,..., N.

Next, each processor sets a set related to the index j of the passed Cji to α, and sets Lagrang
e interpolation coefficient

[0052]

[Equation 14] , And this is used as the shared secret value (C
i, Ri). And a verification commitment.

[0053]

(Equation 15) Are calculated for k = 0,..., T. FIG. 9 shows the above-described verification and the process of obtaining the shared secret value (Ci, Ri).
When actually publishing the multiplication result, each processor Pi publishes the shared secret value (Ci, Ri), as in FIG.
Each processor that receives this

[0054]

(Equation 16) Is verified, and if so, it is accepted as a correct shared secret value. Let β be a set of indexes of correct shared secret values obtained by the above means. | Β | ≧ t
When +1

[0055]

[Equation 17] And each processor can recover the multiplication results A and B. As in the case of the first embodiment, EAj ₀ , EBj
₀ , ECj ₀ are not sent, and the verification equations (2), (5),
(4) Instead of (7),

[0056]

(Equation 18) It is also possible to verify as. Notification of rejection can also be made collectively after all processors have completed verifiable secret sharing. Also in the first and second embodiments, each verification in the verifiable secret sharing may be performed for each sharing, and as described above, all the verifications may be performed collectively. Further, the transmission of each variance value through the secure communication channel may be performed each time or collectively, and the disclosure of each commitment value may be performed each time or collectively.

In the above procedure, the communication via the broadcast communication path may be realized by using a “non-erasable presentation board” instead. FIG. 8 shows an example of a functional configuration of a processor (dispersion multiplication device) used in the first or second embodiment. Memory 21
Include p, q, g, h, shared secret values A (wj), B (w
j) and the like, and are used for temporarily storing various information (values) in distributed processing, verification processing, recovery processing, and the like. The verifiable secret sharing unit 22 includes a random polynomial generation unit 23, a commitment calculation unit 24, and a shared secret verification unit 25.
j (X), Vj (X), Dj (X), Cj (X), Rj
(X) and the like, and the commitment calculation unit 24
_{j 0, EBj k, ECj k} , performs calculations such EABj _k, distributed secret verification unit 25 verifies by each validation expression shown in Formula (1) to (7). The shared secret restoration unit 26

[0058]

[Equation 19] Is performed. Various types of shared secret secure communication transmitter 27, receiver 28, broadcast transmitter 29, receiver 31
Are provided, and the sequential operation of each unit is performed by the control unit 32. Each of these functions can be performed by decoding and executing a program by a computer.

[0059]

According to the above-described distributed multiplication apparatus of the present invention, each processor can easily detect a fraudulent operation of another processor by a verification type check, and is recovered by bringing the shared secret value. It can be verified that the result is the product of A and B.

[Brief description of the drawings]

FIG. 1 is a block diagram showing an example of a system configuration according to an embodiment of the present invention.

FIG. 2 shows a processor Pj according to the first embodiment of the present invention.
5 is a flowchart showing up to the middle of the secret sharing processing procedure.

FIG. 3 is a flowchart showing a continuation of FIG. 2;

FIG. 4 is a flowchart showing a processing procedure of a processor Pi in the first embodiment until a shared secret value of a multiplication result is obtained from verification processing.

FIG. 5 is a diagram illustrating a processor P according to the first and second embodiments of the present invention.
7 is a flowchart showing a procedure for recovering the multiplication result of i.

FIG. 6 is a flowchart showing a halfway of a secret sharing process performed by a processor Pj in a second embodiment of the present invention.

FIG. 7 is a flowchart showing a continuation of FIG. 6;

FIG. 8 is a block diagram showing a functional configuration example of a processor (dispersion multiplication device) in the first and second embodiments of the present invention.

FIG. 9 is a flowchart showing a processing procedure until a shared secret value of a multiplication result is obtained from the verification processing of the processor Pi in the second embodiment.

──────────────────────────────────────────────────の Continued on front page (56) References Verifiable Secret Sharing and Multi party Protocols with the Honey Majority, proc. of STOC '89, p. 73-85 Span Programs and General Security Multi-Party Computation, BRICS Report Series, RS-97-28 Efficiency Multi-Responsibility RS (Int.Cl. ⁷ , DB name) G09C 1/00 650 G09C 1/00 640 G06F 17/10 JICST file (JOIS)

Claims (6)

(57) [Claims] 1. n processors are P1 to Pn, and i
The processor Pi has a unique public value wi, and the two secret values A and B are t with A and B as constant terms, respectively.
It is distributed to n processors by a verifiable secret sharing method using the following polynomials A (X) and B (X), and the i-th processor Pi has shared secret values A (wi), B
(Wi), n processors cooperate to form a secret t-order polynomial C with A and B as constant terms.
(X), and the shared secret value C (wi) is
i, wherein each processor Pj calculates a shared secret value A (w j ) and B (w j ) by A
(W j ), t-order polynomial A j with B (w j ) as a constant term
According to the verifiable secret sharing method using (X) and B j (X), each processor P i is assigned A j (w i ) and B j (w
and means for dispersing to have i), 2 t degree polynomial ABj (X) = Aj (X ) · Bj (X)
Each processor by the verifiable secret sharing method using
Pi is the product of Aj (wi) and Bj (wi) is Aj (X) ·
Verify that it is equal to the point ABj (wi) on Bj (X)
And means for dispersing to have a value of order, each by verifiable secret sharing method using a constant number term A (w j) · B ( w j) to t following random polynomial C j (X) and means for dispersing to have a processor Pj is Ci (wj), each processor P i is, Aj (wi) and Bj (wi) the product of a point on ABj (X)
J = 1 to n ( 1) that it is equal to ABj (wi) and that the constant term of Ci (X ) is equal to the constant term of ABi (X) .
Validate over soup j ≠ i), pass or provided with means to expose the failure notification, C j (w i) the interpolated by the polynomial interpolation for all j where t + 1 or more processors was passed for these verification The value obtained is
Distributed multiplication apparatus according to claim Rukoto provided with means to the distributed secret value C (w i) of P i to the secret of the t-order polynomial C (X) to the B and constant terms. 2. The distributed multiplication apparatus according to claim 1, wherein the function BC () is a bit commitment function, and each processor Pj performs distribution of the shared secret values A (w j ) and B (w j ).
The B C (A (w j) ) and BC (B (w j)) to it
A means for publishing as Aj0 and Bj0 respectively is provided , and when A (wj) · B (wj) is dispersed, BC ( Aj
(Wj) · B (wj))
Provided, each processor P i is the received A j (w i), B j (w i) is Ai0, Bi0
When provided with a means to verify that matched each, product of the Aj and (wi) and Bj (wi) has been published,
And means for verifying by aligned with Ci0, received Cj (wi) distributed multiplier, characterized in Rukoto a manual stage to verify that consistent with Ci0 published. 3. The n processors are P1 to Pn, and i
The processor Pi has a unique public value wi, and the two secret values A and B are verifiable secret sharing methods using t-order polynomials A (X) and B (X), where A and B are constant terms, respectively. , The i-th processor Pi has shared secret values A (wi), B
(Wi), n processors cooperate to form a secret t-order polynomial C with A and B as constant terms.
(X), and the shared secret value C (wi) is
a function BC (a, x) is a bit commitment function that uses a as a public parameter and x as a secret value.
(BC (g, x), y) = BC (g, xy), and each processor Pj sets the shared secret value A (wj) as a constant term with A (wj) as a constant term.
By the verifiable secret sharing method using the following polynomial Aj (X) and parameter g, each processor Pi
(Wi) and BC (g, A
(Wi)) is disclosed as Ai0, and the shared secret value B (wj) is defined as t (t) where B (wj) is a constant term.
By the verifiable secret sharing method using the following polynomial Bj (X) and parameter g, each processor Pi
(Wi) and BC (g, B
(W i)) includes means to expose as Bi0 a distributed secret value B (the wj), the polynomial Bj (X) and a parameter BC (g, A (wi) by verifiable secret sharing method using a), each Processor Pi is Bj (wi)
And BC (BC (g, A (w
i)), means for publishing B (wi)) as ABi0, and a verifiable secret sharing using a t-order random polynomial Ci (X) and a parameter g where the constant term is A (wj) · B (wj). Depending on the method, each processor Pi is Cj (wi)
And BC (g, C (wi))
The each comprise means for publishing as Ci0, each processor Pi is the correct value der Rukoto is A i0, Bj (wi) is received aligned with Bi0, and ABi0
Matching that received Cj (wi) matches with Ci0, Ci0
And ABi0 are equal, j = 1 to n (where j ≠
i) and means for publishing a pass or fail notification for these verifications; and Aj the values interpolated by polynomial interpolation of Cj (wi) for all j's passed by t + 1 or more processors.
Means for setting a shared secret value C (wi) of Pi with respect to a secret t-order polynomial C (X) having B as a constant term, respectively. 4. The n processors are P1 to Pn, and i
The processor Pi has a unique public value wi, and the two secret values A and B are verifiable secret sharing methods using t-order polynomials A (X) and B (X), where A and B are constant terms, respectively. , The i-th processor Pi is distributed secret values A (wi) and B (wi)
N processors cooperate,
A distributed multiplication device that generates a secret t-order polynomial C (X) having A and B as constant terms and obtains a shared secret value C (wi) by Pi
Then, as each processor Pj, the shared secret values A (w j ) and B (w j ) are
(W j ), t-order polynomial A j with B (w j ) as a constant term
According to the verifiable secret sharing method using (X) and B j (X), each processor P i uses A j (w i ) and B j (w
means for dispersing to have i), 2t order polynomial AB j (X) = A j (X) · B j (X)
Each processor by the verifiable secret sharing method using
Pi is the product of Aj (wi) and Bj (wi) is ABj (X)
Value to verify that it is equal to the above point ABj (wi)
Means for dispersing to have, a constant term A (w j) · B ( w j) each processor by verifiable secret sharing method using a t following the random polynomial C j (X) to P i is C j and means for dispersing to have a (w i), as each processor Pi, Aj (wi) and Bj (wi) the product of a point on ABj (X)
J = 1 to n ( 1) that it is equal to ABj (wi) and that the constant term of Cj (X ) is equal to the constant term of ABj (X) .
Validate over soup j ≠ i), means for publishing a pass or fail notice for these verification, an interpolated value by Cj the (wi) polynomial interpolation for all j where t + 1 or more processors have passed, AB
For a secret t-order polynomial C (X) with
dispersing multiplication and means for the distributed secret value C (wi) of i
A computer-readable recording medium that records a program that causes a computer to function as a computing device . 5. The recording medium according to claim 4, wherein a function BC () is a bit commitment function, and said variance multiplying device is a processor for each of said processors Pj , wherein said processor Aj performs distributed processing of said A ( wj ) and B ( wj ) B C (a in
(W j)) and B C (B (w j) ) the Aj0 and B
means for publishing as j0, and at the time of the distributed processing of A (w j ) · B (w j ) , BC
Hand to publish a (A (w j) · B (w j)) as Cj0
Ai , Aj (wi) and Bj (wi), each of which is published as a stage and each processor Pi
0, a means for verifying that it matches Bi0, and an AB in which the product of Aj (wi) and Bj (wi) is disclosed
means for verifying that consistent with i0, recording medium and means received Cj (wi) to verify that consistent with Ci0, wherein the free Mukoto. 6. The n processors are denoted by P1 to Pn, and i
The processor Pi has a unique public value wi, and the two secret values A and B are verifiable secret sharing methods using t-order polynomials A (X) and B (X), where A and B are constant terms, respectively. , The i-th processor Pi has shared secret values A (wi), B
(Wi), n processors cooperate to form a secret t-order polynomial C with A and B as constant terms.
A shared multiplication device that generates (X) and obtains a shared secret value Ci by Pi. A function BC (a, x) is a bit commitment function that uses a as a public parameter and x as a secret value, and BC
(BC (g, x), y) = BC (g, xy). Each processor Pj has a shared secret value A (wj) and a constant term A (wj).
By the verifiable secret sharing method using the following polynomial Aj (X) and parameter g, each processor Pi
(Wi) and BC (g, A
Means for publishing (wi)) as Ai0, and sharing secret value B (wj) with B (wj) as a constant term
By the verifiable secret sharing method using the following polynomial Bj (X) and parameter g, each processor Pi
(Wi) and BC (g, B
(Wi)) as Bi0, and the shared secret value B (wj) is converted to each processor Pi by a verifiable secret sharing method using the polynomial Bj (X) and the parameter BC (g, A (wj)). Is Bj (wi)
And BC (BC (g, A (w
i)), B (w i )) means to expose as ABi0 and the constant term A (wj) · B (wj ) and to the use of t following random polynomial Cj (X) and parameter g verifiable secret sharing Depending on the method, each processor Pi has Cj (w
i) and BC (g, C ( w
and means to expose the i)) as Ci0, as each processor Pi, published been Ai0 correct value der Rukoto, received Bj (wi) be consistent with Bi0 published, received Bj (Wi) matches the published ABi0, Cj (wi) received matches the published Ci0, and that Ci0 is equal to ABi0 over j = 1 to n (where j ≠ i) Means for verifying and publishing a pass or fail notification for these verifications; and A.multiplier interpolation of Cj (wi) for all j's for which t + 1 or more processors pass.
A computer-readable storage medium storing a program for causing a computer to function as a distributed multiplication device including means for setting a shared secret value Ci of Pi for a secret t-order polynomial C (X) having B as a constant term.