JP4783119B2 - Secret sharing apparatus, method and program - Google Patents

Description

  The present invention relates to a secret sharing apparatus, method, and program for distributing shared information in which secret information is distributed and restoring the secret information from the collected shared information. For example, a complete secret that can be executed at high speed without using polynomial interpolation. The present invention relates to a secret sharing apparatus, method, and program that can realize sharing.

  In general, it is effective to make a copy of secret information in advance as a countermeasure when secret information such as an encryption key is lost. However, when a copy of secret information is created, there is a problem that the risk of theft increases. As a technique for solving such a problem, Shamir proposed a secret sharing method called (k, n) threshold secret sharing method in 1979 (see, for example, Non-Patent Document 1).

  In the (k, n) threshold secret sharing method, secret information is divided into n pieces of distributed information, and the original secret information can be restored by collecting arbitrary k pieces from the n pieces of shared information. No information on the original secret information can be obtained from one piece of shared information. That is, the (k, n) threshold value secret sharing method has a restoration characteristic of secret information with the threshold value k as a boundary (1 <k <n).

  For this reason, according to the (k, n) threshold secret sharing method, even if k−1 or less shared information is leaked, the original secret information is safe, and n−k or less shared information is lost. Even so, management that can restore the original secret information can be realized.

  However, in the Shamir (k, n) threshold secret sharing method, the secret information is distributed and restored by polynomial interpolation that requires a large amount of calculation. There is an inconvenience that requires a high-speed computer.

On the other hand, as a (k, n) threshold secret sharing method that can solve such inconvenience and can greatly reduce the amount of calculation, a method of Sugawara et al. Is known (see, for example, Patent Document 1). Here, the method of Sakakibara et al. Can realize the high-speed execution because the secret information is distributed and restored only by the exclusive OR operation. However, in the method of Sugawara et al., For example, in the (3, 4) threshold method, the original secret information can be restored with two pieces of distributed data depending on how the distributed data is taken (for example, see paragraph 132). ) There is an inconvenience that is not completely secret sharing. Here, the complete secret sharing means that there is a recovery characteristic of secret information with a threshold as a boundary, regardless of how to take the shared data.
A. Shamir: “How to share a secret”, Communications of the ACM, 22, 11, pp.612-613 (1979) JP 2004-213650 A

  As described above, the (k, n) threshold secret sharing method based on Shamir uses polynomial interpolation, and thus has a disadvantage that a high-speed computer is required. On the other hand, the method of Hagiwara et al. Has the disadvantage that it is not perfect secret sharing depending on how to take distributed data.

  Further, according to the study of the present inventor, when it is desired to add shared information in the conventional system, (A) a method of redistributing the distributed information to all members, or (B) an additional member of the distributed information as follows: It is possible to distribute it only to Specifically, in the method (A), based on the number of persons after the addition, all shared information is recreated and redistributed to all members. In the method (B), the dealer creates and holds a large amount of shared information in advance, and distributes the extra shared information to only the additional members when adding members. Alternatively, in the method (B), the dealer may hold the secret information, create the distributed information for the additional number of people from the secret information, and distribute it only to the additional members.

  However, since the method (A) at the time of addition needs to redistribute distributed information to existing members, it takes time and effort. Further, in the method (B), since the dealer needs to hold the number of pieces of shared information that can restore the secret information or the secret information itself at one place, the security is lowered.

  The present invention has been made in consideration of the above circumstances, and an object thereof is to provide a secret sharing apparatus, method, and program capable of realizing complete secret sharing that can be executed at high speed without using polynomial interpolation.

  Another object of the present invention is that it is not necessary to distribute shared information to existing members when adding members, and the number of shared information or secret information that can restore secret information is not stored in one place. Another object of the present invention is to provide a secret sharing apparatus program that can improve security.

  The first invention distributes n (where n ≧ 2) shared information D (0),..., D (n−1) obtained by distributing the secret information S to n storage devices individually. And (2, n) type secret sharing apparatus capable of restoring the secret information S from any two of the n pieces of shared information, wherein the shared information D (0) to D Before the distribution of (n-1), the storage means for temporarily storing the secret information S and the secret information S are divided into n-1 pieces, and the division results are divided into 1 to n-1. .., K (j),..., K (1) are assigned the same row number j (where 0 ≦ j ≦ n−1). n-1), a zero value having the same size as the size of each of the divided secret data, and a line number j = 0 is assigned to the generation result to generate the second divided secret data. A means for generating K (0), and n-1 random numbers having a size equal to or larger than the size of each of the divided secret data, and a column number i from 0 to n-2 (where Means for generating (n-1) random number data R (0), ..., R (i), ..., R (n-2) by assigning 0≤i≤n-2), The divided secret data K (0), K (1), ..., K (j), ..., K (n-1) and the random number data R (0), ..., R (i), ..., R (n- 2) Based on (2), means for calculating n (n−1) pieces of distributed partial data D (j, i) = K (j−i (mod n)) (+) R (i) (where (+ ) Is a symbol representing exclusive OR), and n-1 distributed partial data D (j, 0) to D (j, n-2) having the same row number j among the respective distributed partial data. N number of header information by assigning line number j every time (0),..., H (j),..., H (n−1), header information H (j) and distributed partial data D (j, 0) having the same row number j Means for distributing n pieces of distributed information D (0),..., D (j),..., D (n-1) comprising D (j, n-2) individually to the n storage devices; The secret information S is restored based on any two pieces of distributed information D (i) and D (j) among the distributed n pieces of distributed information D (0) to D (n-1). A secret sharing apparatus including a restoring unit.

  According to the second invention, n (provided that n (note that n ′ ≧ 3) shared information D (0),..., D (n′−1)) in which the secret information S is distributed. n <n ′) distributed information D (0),..., D (n−1) are individually distributed to n storage devices, and any two of the n pieces of distributed information are distributed. A (2, n) type secret sharing apparatus program capable of restoring the secret information S from the information, wherein the shared information D (0) to D (n-1) is distributed to the computer of the secret sharing apparatus. Storage means in which the secret information S is temporarily stored, and the secret information S is divided into n′−1 pieces, and the division results are divided into line numbers j (from 1 to n′−1). By assigning 0 ≦ j ≦ n′−1), n′−1 pieces of first divided secret data K (1),..., K (j),. Raw Means for generating a second divided secret data K (0) (= 0) by generating a zero value having the same size as the size of each of the divided secret data and assigning a row number j = 0 to the generation result; N′−1 random numbers having a size equal to or larger than the size of each divided secret data are generated, and a column number i from 0 to n′−2 (where 0 ≦ i ≦ n′−2) is generated in each generation result. , R (i),..., R (n′−2), and the first and second divided secret data K (0). , K (1), ..., K (j), ..., K (n'-1) and the random number data R (0), ..., R (i), ..., R (n'-2). , N (n′−1) distributed partial data D (j, i) = K (j−i (mod n ′)) (+) means for calculating R (i) (where (+) is exclusive) Symbol representing logical OR), previous Of each distributed partial data, n'-1 distributed partial data D (j, 0) to D (j, n'-2) having the same row number j are assigned a row number j and n. , H (j),..., H (n−1), header information H (j) having the same row number j and distributed partial data D (j, , D (j),..., D (n-1) each consisting of 0) to D (j, n′−2) are distributed to the n storage devices individually. The secret information S based on any two pieces of shared information D (i), D (j) among the distributed n pieces of shared information D (0) to D (n-1). Secret information restoring means for restoring the information, means for judging whether or not the changeable condition t ≦ n′−n is satisfied when the (2, n) type is changed to the (2, n + t) type, and the judgment result is Changeable conditions When satisfying, shared information generation for generating t pieces of shared information D (n),..., D (n-1 + t) based on the arbitrary two pieces of shared information D (i), D (j) Means for distributing the generated t pieces of distributed information D (n),..., D (n-1 + t) individually to t storage devices different from the n storage devices. It is a program for.

  According to a third aspect of the invention, five pieces of shared information D (0),..., D (4) obtained by distributing secret information S are distributed to five storage devices individually, and the five pieces of shared information are distributed. (3, 5) type secret sharing apparatus program capable of restoring the secret information S from any three pieces of shared information, the computer of the secret sharing apparatus being connected to the shared information D (0) ˜ Storage means for temporarily storing the secret information S before D (4) is distributed, dividing the secret information S into two, and assigning an identification number from 0 to 1 to the division result Means for generating two divided secret data K (0) and K (1) having the same size, generating four random numbers having the same size as the size of each of the divided secret data, and generating each result Random number data R with 4 assigned identification numbers from 0 to 3 0), R (1), R (2), R (3), the two divided secret data K (0), K (1), the four random number data R (0) to Based on R (3) and the following 10 equations (where (+) is a symbol representing exclusive OR), 10 distributed partial data D (0, 0, identifiable by a combination of two identification numbers) 0), D (0, 1), D (1, 0), D (1, 1), D (2, 0), D (2, 1), D (3, 0), D (3, 1 ), D (4,0), means for calculating D (4,1), D (0,0) = R (0), D (0,1) = K (0) (+) R (1) (+) R (2), D (1,0) = R (1), D (1,1) = K (1) (+) R (2) (+) R (3), D (2, 0) = R (2), D (2,1) = K (0) (+) R (3) (+) R (0), D (3,0) = R (3), D (3 1) K (1) (+) R (0) (+) R (1), D (4,0) = K (1) (+) R (0) (+) R (2), D (4,1 ) = K (0) (+) R (1) (+) R (3), the two identification numbers of each distributed partial data are row number j and column number i, and each distributed partial data is D (j, i), a row number j is assigned to each of two pieces of distributed partial data D (j, 0) and D (j, 1) having the same row number j, and five pieces of header information H (0 ), H (1), H (2), H (3), H (4), header information H (j) having the same row number j and distributed partial data D (j, 0) , D (j, 1), 5 pieces of distributed information D (0), D (1), D (2), D (3), D (4) are individually distributed to the five storage devices. Means, any three of the distributed five pieces of distributed information D (0) to D (4) Based of the shared information D (j), said a program for functioning as a restoring means for restoring the secret information S.

  According to a fourth aspect of the invention, seven pieces of shared information D (0),..., D (6) obtained by distributing the secret information S are individually distributed to seven storage devices, and the seven pieces of shared information are distributed. (3, 7) type secret sharing apparatus program capable of restoring the secret information S from any three pieces of shared information, the computer of the secret sharing apparatus being connected to the shared information D (0) ˜ Storage means for temporarily storing the secret information S before D (6) is distributed, dividing the secret information S into three, and assigning an identification number from 0 to 2 to the division result To generate three pieces of divided secret data K (0), K (1), K (2) having the same size, and six random numbers having the same size as the size of each of the divided secret data. In addition, each generation result is assigned an identification number from 0 to 5, Means for generating data R (0), R (1), R (2), R (3), R (4), R (5), the three divided secret data K (0) to K (2 ), Based on the six random number data R (0) to R (5) and the following 21 formulas (where (+) is a symbol representing an exclusive OR), and a combination of two identification numbers. 21 pieces of distributed partial data D (0,0), D (0,1), D (0,2), D (1,0), D (1,1), D (1,2) that can be identified , D (2,0), D (2,1), D (2,2), D (3,0), D (3,1), D (3,2), D (4,0), D (4,1) D (4,2), D (5,0), D (5,1), D (5,2), D (6,0), D (6,1), D ( 6, 2) means for calculating D (0,0) = R (0), D (0,1) = K (0) (+) R (1) (+) R (2) D (0,2) = K (2) (+) R (3) (+) R (5), D (1,0) = R (1), D (1,1) = K (1) ( +) R (2) (+) R (3), D (1,2) = K (0) (+) R (0) (+) R (4), D (2,0) = R (2 ), D (2,1) = K (2) (+) R (3) (+) R (4), D (2,2) = K (1) (+) R (1) (+) R (5), D (3,0) = R (3), D (3,1) = K (0) (+) R (4) (+) R (5), D (3,2) = K (2) (+) R (0) (+) R (2), D (4,0) = R (4), D (4,1) = K (1) (+) R (5) (+ ) R (0), D (4,2) = K (0) (+) R (1) (+) R (3), D (5,0) = R (5), D (5,1) = K (2) (+) R (0) (+) R (1), D (5,2) = K (1) (+) R (2) (+) R (4), D (6 0) = K (1) (+) R (0) (+) R ( ), D (6,1) = K (2) (+) R (1) (+) R (4), D (6,2) = K (0) (+) R (2) (+) R (5) Three distributions having the same row number j when the two identification numbers of the respective distributed partial data are represented by row number j and column number i, and each distributed partial data is represented by D (j, i). A row number j is assigned to each of the partial data D (j, 0), D (j, 1), D (j, 2), and seven pieces of header information H (0), H (1), H (2 ), H (3), H (4), H (5), H (6), header information H (j) having the same row number j and distributed partial data D (j, 0) , D (j, 1), D (j, 2), seven pieces of shared information D (0), D (1), D (2), D (3), D (4), D (5) , D (6) individually distributed to the seven storage devices, the distributed seven Of distributed information D (0) ~D (6), based on any of the three shared information D (j), said a program for functioning as a restoring means for restoring the secret information S.

(Function)
Each of the first to fourth inventions distributes secret information by using (2, n) type, (3,5) type, or (3,7) type threshold secret sharing using exclusive OR. And restoration processing can be realized at a very high speed, and complete secret sharing that can be executed at high speed without using polynomial interpolation can be realized.

  In addition, in the second invention, when it is desired to add a member, any two pieces of distributed information D (i) among the distributed n pieces of distributed information D (0) to D (n-1). , D (j), t shared information D (n),..., D (n-1 + t) for the additional number of people is generated, and this shared information D (n),. -1 + t) is distributed to additional members.

  Thus, according to the second invention, when adding a member, it is not necessary to distribute the distributed information to the existing members, and the number of shared information or secret information that can restore the secret information can be stored in one place. And security can be improved.

  As described above, according to the present invention, complete secret sharing that can be executed at high speed without using polynomial interpolation can be realized.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. Each of the following devices can be implemented for each device with either a hardware configuration or a combined configuration of hardware resources and software. As the software of the combined configuration, a program that is installed in advance on a computer of a corresponding device from a network or a storage medium and that realizes the function of the corresponding device is used.

(First embodiment)
FIG. 1 is a schematic diagram showing the configuration of a secret sharing system according to the first embodiment of the present invention. In this secret sharing system, one client device 10 and n-1 storage server devices 20, 30,..., N0 are connected to each other via a network NW such as the Internet.

  These n devices 10, 20, 30,..., N0 correspond to n members in the (k, n) threshold secret sharing scheme. In particular, n storage units 11, 21,..., N1 that n devices 10, 20,..., N0 individually correspond to n storage devices that n members individually have. Each device 10, 20, 30,..., N0 is assigned a j number (row number) indicating the distribution order of the distributed information. For example, j = 0 is assigned to the client device 10, and j = 1 is assigned to the storage server device 20. The storage server device 30 is assigned j = 2nd,..., The storage server device n0 is assigned j = n−1.

  Here, the client device 10 individually distributes n pieces (where n ≧ 2) of the shared information D (0),..., D (n−1) obtained by distributing the secret information S to the n devices 10. 20,..., N0 and a (2, n) type secret sharing apparatus capable of restoring the secret information S from any two pieces of shared information among the n pieces of shared information. . Note that the number of pieces of shared information may be two or more. For example, n = 2, and the secret information S is divided into n-1 (= 1) pieces to be K (1), which will be described later, and the secret information S is obtained from the distributed two pieces of distributed information D (0), D (1). May be restored.

  Specifically, the client device 10 includes a storage unit 11, an input unit 12, a distributed partial data generation unit 13, a hash value generation unit 14, an original data restoration unit 15, a hash value verification unit 16, a control unit 17, an output unit 18, and Communication units 19 are connected to each other via a bus.

  The storage unit 11 is a storage device as a hardware resource that can be read / written from the control unit 19, and before the distributed information D (0) to D (n-1) described later is distributed, the secret information S Is temporarily stored and shared information D (0) to D (n-1) is created, the shared information creation information is stored, and after the distributed information is distributed, j = 0th shared information D (0) is stored and the secret information S is deleted. Here, the shared information creation information is information in which the identification information j of the shared information D (j) and the distribution destination identification information (device ID, device address information, etc.) of the shared information D (j) are associated with each other. is there.

  The input unit 12 is a normal input device such as a keyboard or a mouse, and has a function of inputting information such as a start of distributed processing or decryption processing and information such as secret information S into the client device 10 by an operation of the operator. Have

  The distributed partial data generation unit 13 is controlled by the control unit 17 and based on the secret information S temporarily stored in the storage unit 11, as shown in FIG. 2 (example of n = 5), n ( It has a function of generating (n-1) pieces of distributed partial data D (j, i). Specifically, the distributed partial data generation unit 12 has the following functions (f12-1) to (f12-4).

  (F12-1) The secret information S stored in the storage unit 11 is divided into n-1 pieces, and the row numbers j from 1 to n-1 (where 0≤j≤n-1) are added to the division result. A function of generating n-1 pieces of divided secret data K (1),..., K (j),.

  (F12-2) A function of creating zero-value data having the same size as the size of each divided secret data and assigning line number j = 0 to the creation result to generate divided secret data K (0).

  (F12-3) n-1 random numbers having a size equal to or larger than the size of each divided secret data are generated, and column numbers i from 0 to n-2 (where 0 ≦ i ≦ n−) are generated in each generation result. 2) A function of assigning and generating n−1 random number data R (0),..., R (i),. Each random number R (i) is a different value.

  (F12-4) The divided secret data K (0), K (1), ..., K (j), ..., K (n-1) and the random number data R (0), ..., R (i), ..., A function for calculating n (n−1) pieces of distributed partial data D (j, i) = K (j−i (mod n)) (+) R (i) based on R (n−2) ( However, (+) is a symbol representing exclusive OR). When K (j−i (mod n)) = K (0) (= 0), it is not always necessary to calculate the term of K (0), for example, without calculating the term of K (0). (J, i) = R (i) may be used. As described above, in the case of K (0) (= 0), it is not always necessary to calculate the term of K (0).

  The hash value generation unit 14 is controlled by the control unit 17, and when the header information H (j) is input from the control unit 17 via the bus, the hash value h (H (j)) of the header information H (j). And the obtained hash value h (H (j)) is output to the bus. The hash value generation unit 14 can be omitted if the header information H (j) is not verified.

  The original data restoration unit 15 is controlled by the control unit 17, and any two of n pieces of distributed information D (0) to D (n-1) distributed to the n devices 10, ..., n0. Based on the distributed information D (i) and D (j), the secret information restoring function for restoring the secret information S is provided. Specifically, the original data restoration unit 15 has the following functions (f15-1) to (f15-8).

  (F15-1) Among the two pieces of shared information D (i) and D (j), with respect to one shared information D (i), distributed partial data D () assigned the same column number i as the row number i A function for determining whether or not i, i) is included.

  (F15-2) As a result of this determination, when the shared information D (i) includes the distributed partial data D (i, i), the distributed partial data D (i, i) and the other shared information D (j) Divided secret data K (r) = D () based on the distributed partial data D (j, i) of the same column number i and j = 0th divided secret data K (0) (= 0) i, i) (+) D (j, i) (+) A first restoration function for restoring K (0) (where r = j−i (mod n)). It is not always necessary to calculate the term of K (0) (= 0). For example, K (r) = D (i, i) (+) D (j, i) without calculating the term of K (0). ).

  (F15-3) A function of determining whether or not the first end condition i−r = n−1 is satisfied after restoration of the divided secret data K (r).

  (F15-4) When this determination result does not satisfy the first termination condition, the restoration formula of the divided secret data K (r) is shifted by r until the first termination condition is satisfied. A second restoration function for restoring the divided secret data K (r + r),..., K ((n−1) r) (where K (r + r) = D (i, ir−r) (+) D (j, ir) (+) K (r), ..., K ((n-1) r) = D (i, i- (n-2) r) (+) D (j, i- (n-2) ) r) (+) K ((n-2) r)).

  (F15-5) When the determination result of f15-3 satisfies the first termination condition, or when the shared information D (i) does not include the distributed partial data D (i, i) by f15-1, the other shared information D The distributed partial data D (j, j) to which the same column number j as the row number j in (j) is assigned, and the distributed partial data D (i of the same column number j included in one shared information D (i). , J) and j = 0th divided secret data K (0) (= 0), the other divided secret data K (−r) = D (i, j) (+) D (j, j) A third restoration function for restoring (+) K (0). It is not always necessary to calculate the term of K (0) (= 0). For example, K (−r) = D (i, j) (+) D (j, j).

  (F15-6) A function of determining whether or not the second end condition j + r = n−1 is satisfied after restoration of the divided secret data K (−r).

  (F15-7) When this determination result does not satisfy the second end condition, the remaining division is sequentially performed until the second end condition is satisfied by shifting the restoration formula of the divided secret data K (-r) by r. A fourth restoration function for restoring the secret data K (−r−r),..., K (− (n−1) r) (where K (−r−r) = D (i, j + r) (+) D (j, j + r) (+) K (-r), ..., K (-(n-1) r) = D (i, j + (n-2) r) (+) D (j, j + (n -2) r) (+) K (-(n-2) r)).

  (F15-8) The secret information is obtained by concatenating n−1 pieces of divided secret data K (1),..., K (n−1) restored by the corresponding restoration functions among the restoration functions. S = K (1) ‖K (2) ‖ ... function to restore 復 元 K (n-1) (where ‖ is a symbol representing concatenation).

  The hash value verification unit 16 is controlled by the control unit 17, and when the header information H (j) and its hash value h (H (j)) are input from the control unit 17 via the bus, the hash value h (H The header information H (j) is verified based on (j)), and the verification result is output to the bus. The verification content is a method for determining that the header information H (j) is valid based on a match between the hash value calculated from the header information H (j) and the input hash value h (H (j)). The hash value verification unit 16 can be omitted if the header information H (j) is not verified.

  Here, the header information H (j) includes a data identifier indicating the line number j, a header size indicating the size of the header, an original data size m indicating the size of the original data, The division number n−1 indicating the division number of the secret information S, the processing unit bit length a indicating the processing unit bit of the distributed partial data D (i, j), and the random data size a indicating the data size of the random number R (i) A divided data size a representing the size of the divided secret data K (j), a padding algorithm representing the presence or absence of padding and an algorithm, hash algorithm information (option), and the like are conceivable. The hash algorithm information is added when the hash value of the header information is calculated and the originality of the header information is guaranteed. That is, hash algorithm information is added or omitted according to security requirements. However, when the hash algorithm is determined in advance by the system as a security requirement, the hash algorithm information can be omitted from the header information.

  The data format of the shared information D (j) is, as shown in the lower part of FIG. 3, header information H (j), its hash value h (H (j)), n−1 pieces of distributed partial data. D (j, 0), D (j, 1), ..., D (j, n-2). Here, the hash value h (H (j)) is an option, and can be omitted according to security requirements, like the hash algorithm information in the header information H (j).

  The control unit 17 has a function of controlling the units 11, 13 to 16, 18, and 19 based on instructions input from the input unit 12 and based on flowcharts of FIGS. 4 and 5 to be described later. Further, the control unit 17 has, for example, the following functions (f17-1) to (f17-2).

  (F17-1) Of the distributed partial data generated by the distributed partial data generation unit 13, n−1 distributed partial data D (j, 0) to D (j, n− having the same row number j are included. 2) A function for generating n pieces of header information H (0),..., H (j),.

  (F17-2) Header information H (j) having the same row number j and n pieces of distributed information D (0) consisting of distributed partial data D (j, 0) to D (j, n-2), .., D (j),..., D (n-1) are individually distributed to n devices 10, 20,. The control unit 17 may distribute the distributed information D (0) to D (n-1) in an encrypted state from the viewpoint of preventing the shared information D (0) to D (n-1) from leaking. Good.

  The output unit 18 is a normal output device such as a display device or a printer device, and is controlled by the control unit 18 and has a function of outputting an input screen for commands and the like, an output screen for secret information S after restoration, and the like. .

  The communication unit 19 is controlled by the control unit 17 and has a communication interface function between the client device 10 and the network NW.

On the other hand, each of the storage server devices 20 to n0 will be described.
Each of the storage server devices 20 to n0 has the same configuration except that the distributed information D (1) to D (n-1) to be stored is different from each other. Therefore, the storage server device 20 will be described as a representative example here.

  The storage server device 20 includes a storage unit 21 and a communication unit 22.

  The storage unit 21 is a storage device as a hardware resource that can be read / written from the communication unit 22, and stores the distributed information D (1) distributed from the client device 10.

  The communication unit 22 writes the shared information D (1) distributed from the client device 10 to the storage unit 21, and reads the shared information D (1) requested from the client device 10 from the storage unit 21. A function of returning D (1) to the client device 10;

  Note that the communication unit 22 may have an authentication function of the client device 10 from the viewpoint of preventing the shared information D (1) from leaking. In this case, after authentication of the client device 10, the shared information D (1) Is provided as a configuration for replying.

  Here, each storage server device 20, 30,..., N0 can be replaced with another client device, a USB (Universal Serial Bus) memory, a mobile phone, a PDA (Personal Digital Assistants: personal digital assistant), or It can be replaced with other devices other than a computer, such as an external HDD (Hard Disc Drive).

  When each storage device 20, 30,..., N0 is replaced with another client device, it may hold functions such as the distributed partial data generation unit 13 and the original data restoration unit 15 as described above. That is, the device that can restore the secret information may be other than the client device 10. For example, any number of devices j0,... Among the storage devices 20, 30,. Similarly, in the case of distribution, a device other than the client device 10 may distribute the secret information. For example, an arbitrary number of devices j0,... Among the storage devices 20, 30,. In addition, when each storage device 20, 30,..., N0 is replaced with a device having physical connection means or wireless communication means such as a USB memory or a mobile phone, the network NW may be omitted. The above-described modification in which the storage devices 20, 30,..., N0 are replaced with other devices can be similarly applied to the following embodiments.

  Next, the operation of the secret sharing system configured as described above will be described. Here, the (2, n) type threshold secret sharing method will be described as an example.

  First, consider a case where distributed information D (j) obtained by distributing secret information S by (2, n) threshold secret sharing method is distributed to n members (initial members). At this time, n must be a prime number. Therefore, when it is desired to distribute the distributed information to the composite number n, the secret sharing method is applied to n ′ where n <n ′ and n ′ is a prime number. In the following, an example of the (2, n) secret sharing method is shown.

(Distributed processing operation)
In the client device 10, it is assumed that secret information S having a bit length m is temporarily stored in the storage unit 11 before the distributed information D (0) to D (n−1) is distributed.

  At this time, in the client device 10, as shown in FIG. 4, it is assumed that a distributed processing start command is input from the input unit 12 by an operation of an operator (hereinafter also referred to as a dealer) (ST1).

  The client device 10 starts distributed processing based on this start command. The control unit 17 determines the bit length of the secret information S as m, the number of distributions as n, and the processing unit bit as a (ST1). Note that the bit length m of the secret information S can be found from the secret information S in the storage unit 11. The processing unit bit a is determined in advance according to the specification of the distributed data generation unit 13.

  Subsequently, the control unit 17 determines that the bit length (m / (n-1)) when the secret information S having the bit length m is divided into n-1 pieces exceeds the processing unit bit a (m / (n-1). )> A) or not (ST2). When the processing unit bit a is exceeded, a prime number n ′ greater than n is searched, and the obtained prime number n ′ is replaced with the variance number n (ST3), step Return to ST1.

  On the other hand, if the result of the determination in step ST <b> 2 is negative, the control unit 17 inputs the secret information S and the distribution number n to the distributed partial data generation unit 13.

  The distributed partial data generation unit 13 has a bit length (m / (n-1)) when the secret information S having the bit length m is divided into n-1 based on the secret information S and the distribution number n. It is determined whether it is equal to bit a (m / (n-1) = a) (ST4).

  If the determination result in step ST4 is negative, the distributed partial data generation unit 13 divides the secret information S into n-1 pieces of divided secret data K (0) to K (n-2), and the last divided secret. The data K (n-2) is padded (with padding) (ST5), and the process proceeds to step ST6.

  Note that padding does not necessarily have to be performed on the last divided secret data K (n-2), and may be performed on other divided secret data K (j). However, in the present embodiment, the secret information S will be described as an example in which the secret information S can be divided into four (no padding). Further, as shown in FIG. 2, a (2, 5) type with a dispersion number n = 5 and a threshold value k = 2 will be described as an example.

  If the result of determination in step ST4 is equal to the processing unit bit a, the distributed partial data generation unit 13 divides the secret information S into n−1 pieces, and the division result includes row numbers j from 1 to n−1. (Where 0 ≦ j ≦ n−1) is assigned to generate n−1 pieces of divided secret data K (1),..., K (j),. To do. In the (2, 5) type example, divided secret data K (1),..., K (4) are generated.

  In addition, the distributed partial data generation unit 13 generates a zero value having the same size as the size of each divided secret data, assigns a line number j = 0 to the generation result, and generates divided secret data K (0).

  Further, the distributed partial data generation unit 13 generates n−1 random numbers having a size equal to or larger than the size of each divided secret data, and each generation result includes a column number i (0 to n−2). .Ltoreq.i.ltoreq.n-2) is assigned to generate n-1 random number data R (0),..., R (i),. In the (2, 5) type example, four random number data R (0),..., R (3) are generated.

  Next, the distributed partial data generation unit 13 divides the secret data K (0), K (1),..., K (j), ..., K (n-1) and random number data R (0),. Based on (i),..., R (n−2), n (n−1) pieces of distributed partial data D (j, i) = K (j−i (mod n)) (+) R (i ) Is calculated (ST7). This calculation is performed by repeating the row number j from 0 to n-1 and repeating the column number i from 0 to n-2. In the (2, 5) type example, as shown in FIG. 2, 20 distributed partial data D (j, i) are generated. If K (j−i (mod n)) = K (0) (= 0), D (j, i) = R (i) may be set without calculating the term of K (0). .

  Thereafter, the distributed partial data generation unit 13 outputs the obtained distributed partial data n (n−1) pieces of distributed partial data D (j, i) to the control unit 17.

  The control unit 17 assigns a row number j to each of n-1 pieces of distributed partial data D (j, 0) to D (j, n-2) having the same row number j among the distributed partial data. , H (j),..., H (n−1) are generated (ST8). The header information H (j) includes information such as the presence / absence of padding for K (n−1) and the size of the original data.

  The control unit 17 includes n pieces of shared information D (0), which includes header information H (j) having the same row number j and distributed partial data D (j, 0) to D (j, n-2). .., D (j),..., D (n-1) are distributed to the n storage units 11, 21,. Information D (1),..., D (n-1) is individually distributed to the storage server devices 20, ..., n0 (ST9). In the (2, 5) type example, five pieces of shared information D (0),..., D (4) are distributed. Each of the storage server devices 20 to 50 stores the distributed information D (1),..., D (4) distributed in the storage units 21 to 51.

  Thus, the secret information distribution process is completed.

  In the (2, 5) type, it is not always necessary to distribute the five pieces of shared information D (0) to D (4). For example, four pieces of shared information D (0) to D (3) may be distributed, and the remaining one shared information D (4) may be distributed to a new member when a new member is added. This will be described in a later second embodiment.

(Restore processing operation)
In the client device 10, it is assumed that a restoration process start command is input from the input unit 12 by an operation of the operator.

  The client device 10 starts the restoration process based on this start command. The control unit 17 selects any two pieces of shared information D (i), D (n) among the n pieces of shared information D (0) to D (n−1) distributed to the n devices 10,. j) is collected (ST11), and the obtained distributed information D (i) and D (j) are input to the original data restoration unit 15.

  When the original data restoration unit 15 receives the shared information D (i) and D (j), the original data restoration unit 15 obtains the figure from the header information H (i) and H (j) of the two shared information D (i) and D (j). 6 and FIG. 7, for example, it is analyzed that j = (i =) 1st and j = 3rd shared information D (i), D (j) (ST12). For example, it is confirmed that the shared information is D (1), D (3).

  The original data restoration unit 15 is the distributed partial data to which one of the two pieces of shared information D (i) and D (j) is assigned the same column number i as the row number i with respect to one shared information D (i). It is determined whether or not D (i, i) is included (ST13). For example, regarding the distributed information D (1), it is determined whether or not the distributed partial data D (1, 1) is included.

  As a result of the determination in step ST13, when the shared information D (i) includes the distributed partial data D (i, i) (ST13; YES), the original data restoring unit 15 executes step ST14.

  In step ST14, this distributed partial data D (i, i), the distributed partial data D (j, i) of the same column number i included in the other shared information D (j), and j = 0th division Based on the secret data K (0) (= 0), the divided secret data K (r) = D (i, i) (+) D (j, i) (+) K (0) is restored (however, R = j-i (mod n)).

  For example, the random number data R (1) is calculated based on the exclusive OR of the distributed partial data D (1,1) and the divided secret data K (0) (= 0) (ST14-1). Note that D (1,1) = R (1) may be used without calculating the exclusive OR with K (0) (= 0). Subsequently, the divided secret data K (2) is restored based on the exclusive OR of the random number data R (1) and the distributed partial data D (3, 1) (ST14-2).

  Further, after the restoration of the divided secret data K (r), it is determined whether or not the first end condition ir = n−1 is satisfied. For example, after restoration of K (2), it is determined whether or not the first end condition ir (mod 5) = 1−2 (mod 5) = 4 satisfies n−1 = 5-1 = 4. Satisfy this case.

When this determination result does not satisfy the first termination condition, the restoration formula of the divided secret data K (r) is shifted by r, so that the other first divided secret data K ( r + r),..., K ((n-1) r) are restored. However,
K (r + r) = D (i, ir) (+) D (j, ir) (+) K (r),
…,
K ((n-1) r) = D (i, i- (n-2) r) (+) D (j, i- (n-2) r) (+) K ((n-2) r )).

  On the other hand, when the determination result in step ST14 satisfies the first termination condition or the determination result in step ST13 is negative, the original data restoration unit 15 executes step ST15.

  In step ST15, the distributed partial data D (j, j) to which the same column number j as the row number j in the other shared information D (j) is assigned and the same included in one shared information D (i). Based on the distributed partial data D (i, j) of the column number j and the j = 0th divided secret data K (0) (= 0), the other divided secret data K (−r) = D (i , J) (+) D (j, j) (+) K (0) is restored.

  For example, the random number data R (3) is calculated based on the exclusive OR of the distributed partial data D (3, 3) and the divided secret data K (0) (= 0) (ST15-1). Note that D (3,3) = R (3) may be used without calculating the exclusive OR with K (0) (= 0). Subsequently, the divided secret data K (3) is restored based on the exclusive OR of the random number data R (3) and the distributed partial data D (1, 3) (ST15-2).

  Further, after the restoration of the divided secret data K (−r), it is determined whether or not the second end condition j + r = n−1 is satisfied. For example, after restoring K (3), it is determined whether or not the second end condition j + r (mod 5) = 3 + 2 (mod 5) = 5 (mod 5) = 0 satisfies n−1 = 4. This case is not satisfied.

When the determination result does not satisfy the second end condition, the remaining divided secret data K (− is sequentially changed until the second end condition is satisfied by shifting the restoration formula of the divided secret data K (−r) by r. r−r),..., K (− (n−1) r) are restored. However,
K (−r−r) = D (i, j + r) (+) D (j, j + r) (+) K (−r),
…,
K (-(n-1) r) = D (i, j + (n-2) r) (+) D (j, j + (n-2) r) (+) K (-(n-2) r )).

  For example, the remaining divided secret data K (1) and K (4) are restored by steps ST15-3 to ST15-6 in FIGS.

  When step ST15 is completed, the original data restoring unit 15 sends the restored n-1 pieces of divided secret data K (1), ..., K (n-1) to the control unit 17. In this example, four pieces of divided secret data K (1),..., K (4) are transmitted.

  The control unit 17 removes the divided secret data K (1),..., K (n-1) based on the header information H (i), H (j) if there is a process such as padding ( ST16). Thereafter, the control unit 17 concatenates the divided secret data K (1),..., K (n-1) to each other so that the secret information S = K (1) ‖K (2) ‖ ... ‖K (n -1) is restored (ST17). In this example, secret information S = K (1) ‖K (2) ‖ ... ‖K (4) is restored.

  As described above, according to the present embodiment, the (2, n) -type threshold secret sharing using exclusive OR makes it possible to perform processing of secret information distribution and restoration very quickly, and polynomial interpolation It is possible to realize complete secret sharing that can be executed at high speed without using the.

  Supplementally, unlike the technique described in Patent Document 1, the present embodiment realizes the complete secret sharing method, so that not only the original secret information cannot be restored from k−1 or less distributed partial data. In addition, it is possible to obtain an effect that partial data of secret information cannot be restored.

  In addition to this, according to the present embodiment, the distributed partial data is K (*) + R (*), and K (0) is created in a pseudo manner to create all the same partial data. It is possible. On the other hand, the distributed partial data in Patent Document 1 is K (*) + R (*), K (*) + R (*) + R (*), R (*), etc. Because the combination of random numbers is different, it cannot be created algorithmically. Further, in the distributed partial data of Patent Document 1, the amount of calculation inevitably increases when restoring from the distributed partial data such as K (*) + R (*) + R (*). It is increasing.

(Second Embodiment)
Next, a second embodiment of the present invention will be described with reference to FIG.
This embodiment is a modification of the first embodiment, and extends the (2, n) type threshold secret sharing to the (2, n ′) type threshold secret sharing (n <n ′). A new member can be added by a possible configuration.

  Here, unlike the first embodiment, n is not limited to a prime number. If n is not a prime number, a (2, n ′) type secret sharing method is constructed using a prime number n ′ larger than n, and distributed information is distributed to n of them, thereby a (2, n) type secret. Realize a distributed system. In this case, new members can be added by n'-n people. For example, a (2, 5) type secret sharing method is constructed, and distributed information is distributed to four of them, thereby realizing a (2, 4) type secret sharing system. In this case, only one new member can be added.

  The distributed information for the new member may be created by the client device 10 at the time of addition, or the client device such as the most authorized user, the above-mentioned dealer, or a trusted third party, or storage. It is conceivable that a server device or the like is created. This is because it is difficult to manage the entire user in a system in which any user can add members. A form that can be added only by a specific user or organization is desired.

  Next, a specific configuration of the second embodiment will be described.

  The client device 10 has n (provided that n ′ (where n ′ ≧ 3) distributed information D (0),..., D (n′−1)) in which secret information S is distributed. <N ′) distributed information D (0),..., D (n−1) is distributed to n storage units 11,..., N0 individually, and any two of the n pieces of distributed information A (2, n) type secret sharing apparatus capable of restoring the secret information S from each piece of shared information is realized.

  Here, in addition to the functions described above, the control unit 17 determines whether or not the changeable condition t ≦ n′−n is satisfied when it is desired to change the (2, n) type to the (2, n + t) type. When the determination result satisfies the changeable condition, t pieces of shared information D (n),..., D (n-1 +) based on arbitrary two pieces of shared information D (i) and D (j). t) and the t pieces of distributed information D (n),..., D (n-1 + t) thus generated are t storage devices different from the n storage units 11,. It has the function to distribute it individually.

  Next, the operation of the secret sharing system configured as described above will be described.

  As shown in FIG. 8, in a certain group of members, the secret information S is distributed using the (k, n ′) threshold secret sharing method (n <n ′, k ≦ n), and n ′ Consider a case where t new members are newly added to the group in a state where n pieces of shared information are distributed to n members among the pieces of shared information (ST21).

  For example, as shown in FIG. 9, the secret information S is distributed using the (2, 5) threshold secret sharing method, and n = 4 pieces of shared information among 4 pieces of the shared information n ′ = 5. This is a case where t = 1 new member is newly added to the group in a state of being distributed to human members.

  First, consider a case where a dealer creates shared information for a new member using shared information of a member who already holds shared information.

  At this time, in the client apparatus 10, the control unit 17 confirms the number n of distributed distributed information D (j) based on the shared information creation information in the storage unit 11, and the changeable condition t ≦ n ′. It is determined whether or not −n is satisfied (ST22).

  When the determination result in step ST22 satisfies the changeable condition, the control unit 17 collects arbitrary two pieces of shared information D (i) and D (j) (ST23), and the shared information D (i) and D Based on (j), the (n + 1) th distributed partial data D (n, 0) to D (n, n′−2) are generated, and thereafter the n + tth distributed partial data D (n−1) are sequentially generated. + t, 0) to D (n-1 + t, n'-2) are generated (ST24).

  For example, as illustrated in FIG. 10, the control unit 17 performs fifth distribution partial data D (4,0) to D (4,3) based on the two pieces of distribution information D (1) and D (3). ) Is generated. At this time, the distributed partial data D (4,0) to D (4,3) are calculated as follows.

D (4,0) = D (1,0) (+) D (1,2) (+) D (3,2),
D (4,1) = D (1,1) (+) D (1,3) (+) D (3,3),
D (4,2) = D (1,0) (+) D (1,1) (+) D (1,3) (+) D (3,0) (+) D (3,1) ( +) D (3,2) (+) D (3,3),
D (4,3) = D (1,0) (+) D (1,3) (+) D (3,0).

  The control unit 17 sets the row number j for every n′−1 pieces of distributed partial data D (j, 0) to D (j, n′−2) having the same row number j among the distributed partial data. , T header information H (n),..., H (n-1 + t) are generated (ST25). In this example, since t = 1, header information H (4) is generated.

  The control unit 17 includes t pieces of shared information D (n) including header information H (j) having the same row number j and distributed partial data D (j, 0) to D (j, n′−2). ,..., D (n-1 + t) is generated. In this example, t = 1 shared information D (4) is generated. Further, the control unit 17 uses the shared information creation information as identification information j (= n,..., N-1 + t) of t pieces of shared information D (n),..., D (n-1 + t). Update to include (ST26). In this example, the shared information creation information is updated to include identification information j = 4.

  Thereafter, the control unit 17 uses the generated t pieces of distributed information D (n),..., D (n−1 + t) to be stored in t storage devices different from the n storage units 11,. (ST27). In this example, t = 1 shared information D (4) is distributed to one storage device.

  As a result, the (2, n) type secret sharing system is expanded to the (2, n + t) type secret sharing system. In this example, the (2,4) type is expanded to the (2,5) type. Here, when t = n′−n, the (2, n + t) type is the (2, n ′) type.

  On the other hand, when the determination result in step ST22 does not satisfy the changeable condition, the (2, n ″) type secret sharing method is applied to the prime number n ″ larger than n ′, and the distributed information is distributed to all members (n + t). Is redistributed (ST29). In this case as well, the (2, n) type is expanded to the (2, n + t) type.

  As described above, according to the present embodiment, in addition to the effects of the first embodiment, the (2, n) type secret sharing method is changed to the (2, n + t) type or (2, n ′) type secret. It can be extended to distributed systems (t ≦ n′−n, n <n ′).

  Supplementally, when it is desired to add a member, based on any two pieces of distributed information D (i) and D (j) among the distributed n pieces of distributed information D (0) to D (n-1). Then, t shared information D (n),..., D (n-1 + t) corresponding to the additional number of people is generated, and this shared information D (n),. Distribute to members.

  For example, when the (2, 4) type is expanded to the (2, 5) type, the fourth shared information D (4) is distributed to new members, so that the previously distributed distributed information D (0) to Without updating D (3), it can be extended to the (2,5) type secret sharing method.

  At this time, the shared information D (n),... To be added can be created without restoring the original secret information from the two pieces of shared information. Further, it is possible to cope with the addition of members by keeping n 'large at the time of data division.

  Further, according to the present embodiment, it becomes possible to add a new member without updating the distributed information distributed in the initial stage. In addition, since the dealer creates new shared information using the existing shared information, it is not necessary for the dealer or other members to hold the original confidential information, and it is possible to build a security-secure system. become. That is, according to this embodiment, when adding a member, it is not necessary to distribute the distributed information to the existing members, and the number of shared information or secret information that can restore the secret information can be stored in one place. And security can be improved. Also, existing members who have authority can cooperate to distribute distributed information to new members.

(Third embodiment)
FIG. 11 is a schematic diagram showing the configuration of a secret sharing system according to the third embodiment of the present invention. The same parts as those in FIG. 1 are denoted by the same reference numerals, and the substantially same parts are denoted by alphabetic suffixes. Detailed description thereof is omitted. In the following embodiments, the same description is omitted.

  This embodiment is a modification of the first embodiment, and is a (3, 5) type secret sharing system. Accordingly, the functions of the distributed partial data generation unit 13a, the original data restoration unit 15a, and the control unit 17a are changed corresponding to the (3, 5) type secret sharing system. Further, the number of storage server devices 20, 30, 40, 50 is determined to be n-1 = 4.

  Here, specifically, the distributed partial data generation unit 13a has the following functions (f13a-1) to (f13a-4).

  (F13a-1) The secret information S received from the control unit 17a is divided into two, and by assigning identification numbers from 0 to 1 to the division result, two pieces of divided secret data K (0 ), A function for generating K (1).

  (F13a-2) Four random numbers having the same size as the size of each divided secret data are generated, and an identification number from 0 to 3 is assigned to each generation result to generate four random number data R (0), R A function for generating (1), R (2), and R (3).

  (F13a-3) Based on two pieces of divided secret data K (0), K (1), four pieces of random number data R (0) to R (3) and the following ten expressions (however, (+) Is a symbol representing an exclusive OR), 10 distributed partial data D (0,0), D (0,1), D (1,0), D () that can be identified by a combination of two identification numbers. 1,1), D (2,0), D (2,1), D (3,0), D (3,1), D (4,0), D (4,1) .

D (0,0) = R (0),
D (0,1) = K (0) (+) R (1) (+) R (2),
D (1,0) = R (1),
D (1,1) = K (1) (+) R (2) (+) R (3),
D (2,0) = R (2),
D (2,1) = K (0) (+) R (3) (+) R (0),
D (3,0) = R (3),
D (3,1) = K (1) (+) R (0) (+) R (1),
D (4,0) = K (1) (+) R (0) (+) R (2),
D (4,1) = K (0) (+) R (1) (+) R (3).

  (F13a-4) A function of sending the calculated 10 distributed partial data D (j, i) to the control unit 17a.

  When the original data restoration unit 15a receives any three pieces of distributed information D (j) from the distributed five pieces of distributed information D (0) to D (4) from the control unit 17a, the original data restoration unit 15a It has a restoration function for restoring the secret information S based on the pieces of shared information D (j).

  The control unit 17a has a function of controlling the respective units 11, 13a, 14, 15a, 16, 18, and 19 based on a command input from the input unit 12 and based on flowcharts of FIGS. . Moreover, the control part 17a has the following functions (17a-1)-(17a-2), for example.

  (17a-1) When two identification numbers of each distributed partial data are row number j, column number i, and each distributed partial data is represented as D (j, i), two distributed data having the same row number j A row number j is assigned to each of the partial data D (j, 0) and D (j, 1), and five pieces of header information H (0), H (1), H (2), H (3), Function to generate H (4).

  (17a-2) Five pieces of shared information D (0), D (D) composed of header information H (j) having the same row number j and distributed partial data D (j, 0), D (j, 1) 1) A function of distributing D (2), D (3), and D (4) individually to the five storage units 11 to 51.

  Next, the operation of the secret sharing system configured as described above will be described.

(Distributed processing operation)
In the client device 10, it is assumed that the secret information S having a bit length m is temporarily stored in the storage unit 11 before the distributed information D (0) to D (4) is distributed.

  At this time, in the client device 10, when a distributed processing start command is input from the input unit 12 by an operation of the operator, the distributed processing is started.

  The control unit 17a inputs the secret information S in the storage unit 11 to the distributed partial data generation unit 13a.

  As shown in FIG. 12, the distributed partial data generation unit 13a divides the secret information S into two, and assigns two divided secrets of the same size to each other by assigning identification numbers from 0 to 1 to the division result. Data K (0) and K (1) are generated (ST31).

  Here, the two divided secret data K (0) and K (1) must have the same size. For this reason, when the secret information S has an odd-bit size, 0 is added (padded) to the end so that the secret information S is represented by a bit (digit) that is a multiple of 2. Thereafter, the padded secret information S is divided into two so as to have the same data size. Data size is handled in bits. A bit that is a multiple of 2 is expressed as 10100110, for example.

  Next, the distributed partial data generation unit 13a generates four random numbers having the same size as the divided secret data K (0) and K (1), and assigns an identification number from 0 to 3 to each generation result. The four random number data R (0), R (1), R (2), R (3) are generated (ST32).

  Based on the two pieces of divided secret data K (0), K (1) and the four pieces of random number data R (0) to R (3), the distributed partial data generation unit 13a has 10 as shown in FIG. Pieces of distributed partial data D (0,0), D (0,1), D (1,0), D (1,1), D (2,0), D (2,1), D (3 , 0), D (3, 1), D (4, 0), D (4, 1).

  Thereafter, the distributed partial data generation unit 13a sends the distributed partial data to the control unit 17a.

  When the two identification numbers of each distributed partial data are row number j and column number i, and each distributed partial data is represented as D (j, i), the control unit 17a has two distributed numbers having the same row number j. A row number j is assigned to each of the partial data D (j, 0) and D (j, 1), and five pieces of header information H (0), H (1), H (2), H (3), H (4) is generated (ST33).

  Next, the control unit 17a includes five pieces of shared information D (0) including header information H (j) having the same row number j and distributed partial data D (j, 0) and D (j, 1). , D (1), D (2), D (3), and D (4). For example, the distributed information D (0) is obtained by combining header information H (j), distributed partial data D (0,0), and distributed partial data D (0,1) in units of bit strings.

  Thereafter, the control unit 17a distributes the five pieces of shared information D (0), D (1), D (2), D (3), and D (4) individually to the five storage units 11 to 51. As described above, the shared information D (0) is written in the storage unit 11, and the distributed information D (1),..., D (4) is individually distributed to the storage server devices 20,. Each of the storage server devices 20 to 50 stores the distributed information D (1),..., D (4) distributed in the storage units 21 to 51.

  Thus, the secret information distribution process is completed.

(Restore processing operation)
In the client device 10, it is assumed that a restoration process start command is input from the input unit 12 by an operation of the operator.

  The client device 10 starts the restoration process based on this start command. As shown in FIG. 14, the control unit 17a collects any three pieces of shared information among the five pieces of shared information D (0) to D (4) distributed to the five devices 10,. (ST35), and the obtained shared information is input to the original data restoration unit 15a. In this example, D (0), D (2), and D (4) are used among the five pieces of shared information.

  Upon receiving the shared information D (0), D (2), D (4), the original data restoring unit 15a refers to the header information H (0), H (2), H (4) of the shared information, Distributed partial data D (j, 0) and D (j, 1) are confirmed for each shared information D (j) (ST36).

  Based on the distributed partial data D (j, 0) and D (j, 1) for each shared information D (j), the original data restoration unit 15a uses two pieces of divided secret data K (0) and K (1). Is calculated (ST37).

  For example, as shown in FIG. 15, the divided secret data K (1) is calculated by exclusive OR of the distributed partial data D (0,0), D (2,0) and D (4,0). (ST37-1).

  Intermediate data K (0) (+) R (3) is calculated by exclusive OR of the distributed partial data D (0,0) and D (2,1) (ST37-2).

  Intermediate data K (0) (+) R (1) is calculated by exclusive OR of the distributed partial data D (2,0) and D (0,1) (ST37-3).

  Intermediate data R (1) (+) R (3) is calculated by exclusive OR of intermediate data K (0) (+) R (3) and K (0) (+) R (1) ( ST37-4).

  The divided secret data K (0) is calculated from the intermediate data R (1) (+) R (3) and the distributed partial data D (4, 1) (ST37-5).

  Based on the divided secret data K (0), K (1) and the header information H (0), H (2), H (4), the original data restoration unit 15a uses the original secret information S = K (0 ) Restore ‖K (1) (ST38).

  As described above, according to the present embodiment, the (3, 5) -type threshold secret sharing using exclusive logical sum realizes the processing of secret information distribution and restoration very quickly, and polynomial interpolation It is possible to realize complete secret sharing that can be executed at high speed without using the.

(Fourth embodiment)
FIG. 16 is a schematic diagram showing a configuration of a secret sharing system according to the fourth exemplary embodiment of the present invention.

  This embodiment is a modification of the first embodiment, and is a (3, 7) type secret sharing system. Accordingly, the functions of the distributed partial data generation unit 13b, the original data restoration unit 15b, and the control unit 17b are changed corresponding to the (3, 7) type secret sharing system. Further, the number of storage server devices 20, 30, 40, 50, 60, 70 is determined to be n-1 = 6.

  Here, the distributed partial data generation unit 13b specifically has the following functions (f13b-1) to (f13b-4).

  (F13b-1) The secret information S received from the control unit 17b is divided into three, and by assigning an identification number from 0 to 2 to the division result, three pieces of divided secret data K (0 ), K (1), and a function for generating K (1).

  (F13b-2) Six random numbers having the same size as the size of each divided secret data are generated, and an identification number from 0 to 5 is assigned to each generation result, and six random data R (0), R A function for generating (1), R (2), R (3), R (4), and R (5).

  (F13b-3) Two identification numbers based on three pieces of divided secret data K (0) to K (2), six random number data R (0) to R (5) and the following 21 formulas 21 pieces of distributed partial data D (0, 0), D (0, 1), D (0, 2), D (1, 0), D (1, 1), D (1 , 2), D (2,0), D (2,1), D (2,2), D (3,0), D (3,1), D (3,2), D (4 0), D (4,1) D (4,2), D (5,0), D (5,1), D (5,2), D (6,0), D (6,1) , D (6, 2).

D (0,0) = R (0),
D (0,1) = K (0) (+) R (1) (+) R (2),
D (0,2) = K (2) (+) R (3) (+) R (5),
D (1,0) = R (1),
D (1,1) = K (1) (+) R (2) (+) R (3),
D (1,2) = K (0) (+) R (0) (+) R (4),
D (2,0) = R (2),
D (2,1) = K (2) (+) R (3) (+) R (4),
D (2,2) = K (1) (+) R (1) (+) R (5),
D (3,0) = R (3),
D (3,1) = K (0) (+) R (4) (+) R (5),
D (3,2) = K (2) (+) R (0) (+) R (2),
D (4,0) = R (4),
D (4,1) = K (1) (+) R (5) (+) R (0),
D (4,2) = K (0) (+) R (1) (+) R (3),
D (5,0) = R (5),
D (5,1) = K (2) (+) R (0) (+) R (1),
D (5,2) = K (1) (+) R (2) (+) R (4),
D (6,0) = K (1) (+) R (0) (+) R (3),
D (6,1) = K (2) (+) R (1) (+) R (4),
D (6,2) = K (0) (+) R (2) (+) R (5).

  (F13b-4) A function of sending the calculated 21 distributed partial data D (j, i) to the control unit 17b.

  When the original data restoration unit 15b receives any three pieces of distributed information D (j) from the distributed seven pieces of distributed information D (0) to D (6) from the control unit 17a, the original data restoration unit 15b It has a restoration function for restoring the secret information S based on the pieces of shared information D (j).

  The control unit 17b has a function of controlling the respective units 11, 13b, 14, 15b, 16, 18, and 19 based on the commands input from the input unit 12 and based on the flowcharts of FIGS. . Moreover, the control part 17b has the following functions (17b-1)-(17b-2), for example.

  (17b-1) When two identification numbers of each distributed partial data are row number j and column number i, and each distributed partial data is expressed as D (j, i), three distributed numbers having the same row number j A row number j is assigned to each of the partial data D (j, 0), D (j, 1), D (j, 2), and seven pieces of header information H (0), H (1), H (2 ), H (3), H (4), H (5), H (6).

  (17b-2) Seven pieces of shared information consisting of header information H (j) having the same row number j and distributed partial data D (j, 0), D (j, 1), D (j, 2) A function of distributing D (0), D (1), D (2), D (3), D (4), D (5), and D (6) individually to the seven storage units 11 to 71.

  Next, the operation of the secret sharing system configured as described above will be described.

(Distributed processing operation)
In the client device 10, it is assumed that the secret information S having a bit length m is temporarily stored in the storage unit 11 before the distributed information D (0) to D (6) is distributed.

  At this time, in the client device 10, when a distributed processing start command is input from the input unit 12 by an operation of the operator, the distributed processing is started.

  The control unit 17b inputs the secret information S in the storage unit 11 to the distributed partial data generation unit 13b.

  As shown in FIG. 17, the distributed partial data generation unit 13b divides the secret information S into three pieces, and assigns identification numbers from 0 to 2 to the division result, so that three divided secrets having the same size can be obtained. Data K (0), K (1), and K (2) are generated (ST41).

  Here, the three pieces of divided secret data K (0), K (1), and K (2) must have the same size. For this reason, 0 is added (padding) to the end so that the secret information S is expressed by bits (digits) that are multiples of 3. Thereafter, the padded secret information S is divided into three pieces so as to have the same data size. Data size is handled in bits. A bit that is a multiple of 3 is expressed as, for example, 101001100.

  Next, the distributed partial data generation unit 13b generates six random numbers having the same size as the divided secret data K (0), K (1), K (2), and 0 to 5 for each generation result. .., R (5) are generated (ST42).

  Based on the three pieces of divided secret data K (0) to K (2) and the six pieces of random number data R (0) to R (5), the distributed partial data generation unit 13b, as shown in FIG. Pieces of distributed partial data D (0,0), D (0,1), D (0,2), D (1,0), D (1,1), D (1,2), D (2 , 0), D (2,1), D (2,2), D (3,0), D (3,1), D (3,2), D (4,0), D (4 1) D (4,2), D (5,0), D (5,1), D (5,2), D (6,0), D (6,1), D (6,2) Is calculated.

  Thereafter, the distributed partial data generation unit 13b sends these distributed partial data to the control unit 17b.

  When the two identification numbers of each distributed partial data are row number j and column number i, and each distributed partial data is represented as D (j, i), the control unit 17b has three distributed numbers having the same row number j. A row number j is assigned to each of the partial data D (j, 0), D (j, 1), D (j, 2), and seven pieces of header information H (0), H (1),. (6) is generated (ST43).

  Next, the control unit 17b includes seven pieces of header information H (j) having the same row number j and distributed partial data D (j, 0), D (j, 1), D (j, 2). , D (6) are generated. For example, the shared information D (0) is a combination of header information H (j) and distributed partial data D (0,0), D (0,1), D (0,2) in units of bit strings. .

  Thereafter, the control unit 17b stores the shared information D (0) so that the seven shared information D (0),..., D (6) are individually distributed to the seven storage units 11 to 71. 11 and distributed information D (1),..., D (6) is individually distributed to the storage server devices 20,..., 70 (ST44). Each of the storage server devices 20 to 70 stores the distributed information D (1),..., D (6) distributed in the storage units 21 to 71.

  Thus, the secret information distribution process is completed.

(Restore processing operation)
In the client device 10, it is assumed that a restoration process start command is input from the input unit 12 by an operation of the operator.

  The client device 10 starts the restoration process based on this start command. As shown in FIG. 19, the control unit 17b collects arbitrary three pieces of shared information among the seven pieces of shared information D (0) to D (6) distributed to the five devices 10,. (ST45), and the obtained shared information is input to the original data restoration unit 15b. In this example, D (0), D (2), and D (6) are used among the seven pieces of shared information.

  Upon receiving the shared information D (0), D (2), D (6), the original data restoration unit 15b refers to the header information H (0), H (2), H (6) of the shared information, For each shared information D (j), the distributed partial data D (j, 0), D (j, 1), D (j, 2) are confirmed (ST46).

  Based on the distributed partial data D (j, 0), D (j, 1), D (j, 2) for each shared information D (j), the original data restoration unit 15b generates three pieces of divided secret data K ( 0), K (1), K (2) are calculated (ST47).

  For example, as shown in FIG. 20, intermediate data R (1) (+) R (5) is calculated by exclusive OR of distributed partial data D (0, 1) and D (6, 2) ( ST47-1).

  The divided secret data K (1) is calculated by exclusive OR of the intermediate data R (1) + R (5) and the distributed partial data D (2, 2) (ST47-2).

  Random number data R (3) is calculated by exclusive OR of the divided secret data K (1) and the distributed partial data D (6,0) and D (0,0) (ST47-3).

  Intermediate data R (1) (+) R (3) is calculated by exclusive OR of the distributed partial data D (2,1) and D (6,1) (ST47-4).

  Random number data R (1) is calculated by exclusive OR of intermediate data R (1) (+) R (3) and random number data R (3) (ST47-5).

  The divided secret data K (0) is calculated by exclusive OR of the random number data R (1) and R (2) and the distributed partial data D (0, 1) (ST47-6).

  Random number data R (5) is calculated by exclusive OR of intermediate data R (1) (+) R (5) and random number data R (1) (ST47-7).

  The divided secret data K (2) is calculated by exclusive OR of the distributed partial data D (0, 2) and the random number data R (3) and R (5) (ST57-8).

  Based on the divided secret data K (0) to K (2) and the header information H (0), H (2), H (6), the original data restoration unit 15b uses the original secret information S = K (0 ) ‖K (1) ‖K (2) is restored (ST48).

  As described above, according to the present embodiment, the (3, 7) -type threshold secret sharing using exclusive OR makes it possible to realize the secret information distribution and restoration processing at a very high speed, and polynomial interpolation. It is possible to realize complete secret sharing that can be executed at high speed without using the.

  Note that the method described in the above embodiment includes a magnetic disk (floppy (registered trademark) disk, hard disk, etc.), an optical disk (CD-ROM, DVD, etc.), a magneto-optical disk (MO) as programs that can be executed by a computer. ), And can be distributed in a storage medium such as a semiconductor memory.

  In addition, as long as the storage medium can store a program and can be read by a computer, the storage format may be any form.

  In addition, an OS (operating system) running on a computer based on an instruction of a program installed in the computer from a storage medium, MW (middleware) such as database management software, network software, and the like realize the above-described embodiment. A part of each process may be executed.

  Furthermore, the storage medium in the present invention is not limited to a medium independent of a computer, but also includes a storage medium in which a program transmitted via a LAN or the Internet is downloaded and stored or temporarily stored.

  Further, the number of storage media is not limited to one, and the case where the processing in the above embodiment is executed from a plurality of media is also included in the storage media in the present invention, and the media configuration may be any configuration.

  The computer according to the present invention executes each process in the above-described embodiment based on a program stored in a storage medium, and is a single device such as a personal computer or a system in which a plurality of devices are connected to a network. Any configuration may be used.

  In addition, the computer in the present invention is not limited to a personal computer, but includes an arithmetic processing device, a microcomputer, and the like included in an information processing device, and is a generic term for devices and devices that can realize the functions of the present invention by a program. .

  Note that the present invention is not limited to the above-described embodiment as it is, and can be embodied by modifying the constituent elements without departing from the scope of the invention in the implementation stage. Moreover, various inventions can be formed by appropriately combining a plurality of constituent elements disclosed in the embodiment. For example, some components may be deleted from all the components shown in the embodiment. Furthermore, constituent elements over different embodiments may be appropriately combined.

It is a schematic diagram which shows the structure of the secret sharing system which concerns on the 1st Embodiment of this invention. It is a schematic diagram which shows an example of the distribution partial data in the embodiment. It is a schematic diagram which shows an example of the header information and distribution information in the embodiment. It is a flowchart for demonstrating the operation | movement of the distributed process in the embodiment. It is a flowchart for demonstrating operation | movement of the decompression | restoration process in the embodiment. It is a schematic diagram for demonstrating the operation | movement of the decompression | restoration process in the embodiment. FIG. 6 is a reference diagram for explaining an operation of a restoration process in the same embodiment. It is a flowchart for demonstrating operation | movement of the secret sharing system which concerns on the 2nd Embodiment of this invention. It is a schematic diagram which shows an example of the distribution partial data in the embodiment. FIG. 6 is a reference diagram for explaining an operation of a restoration process in the same embodiment. It is a schematic diagram which shows the structure of the secret sharing system which concerns on the 3rd Embodiment of this invention. It is a flowchart for demonstrating the operation | movement of the division | segmentation process in the embodiment. It is a schematic diagram which shows an example of the distribution partial data in the embodiment. It is a flowchart for demonstrating operation | movement of the decompression | restoration process in the embodiment. It is a schematic diagram for demonstrating the operation | movement of the decompression | restoration process in the embodiment. It is a schematic diagram which shows the structure of the secret sharing system which concerns on the 4th Embodiment of this invention. It is a flowchart for demonstrating the operation | movement of the division | segmentation process in the embodiment. It is a schematic diagram which shows an example of the distribution partial data in the embodiment. It is a flowchart for demonstrating operation | movement of the decompression | restoration process in the embodiment. It is a schematic diagram for demonstrating the operation | movement of the decompression | restoration process in the embodiment.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 10 ... Client apparatus, 11-n1 ... Saving part, 12 ... Input part, 13, 13a, 13b ... Distributed partial data generation part, 14 ... Hash value generation part, 15, 15a, 15b ... Original data restoration part, 16 ... Hash Value verification unit, 17, 17a, 17b ... control unit, 18 ... output unit, 19, 22 to n2 ... communication unit, 20, 30, ..., n0 ... storage server device, NW ... network.

Claims (7)

N (where n ≧ 2) shared information D (0),..., D (n−1) are distributed to n storage devices individually, and the n pieces of secret information S are distributed. (2, n) type secret sharing apparatus capable of restoring the secret information S from any two pieces of shared information,
Storage means for temporarily storing the secret information S before the distributed information D (0) to D (n-1) is distributed;
The secret information S is divided into n-1 pieces, and row numbers j from 1 to n-1 (where 0.ltoreq.j.ltoreq.n-1) are assigned to the divided results, so that n-1 having the same size. Means for generating the first divided secret data K (1), ..., K (j), ..., K (n-1);
Means for generating a second value of the divided secret data K (0) by creating a zero value having the same size as the size of each of the divided secret data and assigning a line number j = 0 to the creation result;
N-1 random numbers having a size equal to or larger than the size of each of the divided secret data are generated, and a column number i from 0 to n-2 (where 0 ≦ i ≦ n−2) is assigned to each generation result. Means for generating n-1 random number data R (0), ..., R (i), ..., R (n-2);
The first and second divided secret data K (0), K (1), ..., K (j), ..., K (n-1) and the random number data R (0), ..., R (i), ..., n (n-1) pieces of distributed partial data D (j, i) = K (j-i (mod n)) (+) R (i) are calculated based on R (n-2). Means (where (+) is a symbol representing exclusive OR),
Among the distributed partial data, a row number j is assigned to each of n−1 distributed partial data D (j, 0) to D (j, n−2) having the same row number j, and n pieces of distributed partial data are assigned. Means for generating header information H (0), ..., H (j), ..., H (n-1);
N shared information D (0),..., D (j consisting of header information H (j) having the same row number j and distributed partial data D (j, 0) to D (j, n-2) ),..., D (n-1) individually distributed to the n storage devices;
The secret information S is restored based on any two pieces of distributed information D (i) and D (j) among the distributed n pieces of distributed information D (0) to D (n-1). Recovery means,
A secret sharing apparatus comprising: N (where n ≧ 2) shared information D (0),..., D (n−1) are distributed to n storage devices individually, and the n pieces of secret information S are distributed. Secret sharing method executed by a (2, n) type secret sharing apparatus capable of restoring the secret information S from any two pieces of shared information.
A storage step of temporarily storing the secret information S in a storage device included in the secret sharing device before distributing the shared information D (0) to D (n-1);
The secret information S is divided into n-1 pieces, and row numbers j from 1 to n-1 (where 0.ltoreq.j.ltoreq.n-1) are assigned to the divided results, so that n-1 having the same size. Generating the first divided secret data K (1), ..., K (j), ..., K (n-1);
Creating a zero value having the same size as each of the divided secret data, assigning a line number j = 0 to the creation result, and generating the second divided secret data K (0);
N-1 random numbers having a size equal to or larger than the size of each of the divided secret data are generated, and a column number i from 0 to n-2 (where 0 ≦ i ≦ n−2) is assigned to each generation result. Generating n−1 random number data R (0),..., R (i),.
The first and second divided secret data K (0), K (1), ..., K (j), ..., K (n-1) and the random number data R (0), ..., R (i), ..., n (n-1) pieces of distributed partial data D (j, i) = K (j-i (mod n)) (+) R (i) are calculated based on R (n-2). A process (where (+) is a symbol representing exclusive OR),
Among the distributed partial data, a row number j is assigned to each of n−1 distributed partial data D (j, 0) to D (j, n−2) having the same row number j, and n pieces of distributed partial data are assigned. Generating header information H (0), ..., H (j), ..., H (n-1);
N shared information D (0),..., D (j consisting of header information H (j) having the same row number j and distributed partial data D (j, 0) to D (j, n-2) ), ..., D (n-1) individually distributed to the n storage devices;
The secret information S is restored based on any two pieces of distributed information D (i) and D (j) among the distributed n pieces of distributed information D (0) to D (n-1). Restoration process,
A secret sharing method comprising: N (where n ≧ 2) shared information D (0),..., D (n−1) are distributed to n storage devices individually, and the n pieces of secret information S are distributed. (2, n) type secret sharing apparatus program capable of restoring the secret information S from any two pieces of shared information,
A computer of the secret sharing device;
Storage means for temporarily storing the secret information S before the distributed information D (0) to D (n-1) is distributed;
The secret information S is divided into n-1 pieces, and row numbers j from 1 to n-1 (where 0.ltoreq.j.ltoreq.n-1) are assigned to the divided results, so that n-1 having the same size. Means for generating the first divided secret data K (1), ..., K (j), ..., K (n-1),
Means for generating a second divided secret data K (0) (= 0) by generating a zero value having the same size as the size of each of the divided secret data and assigning a line number j = 0 to the generation result;
N-1 random numbers having a size equal to or larger than the size of each of the divided secret data are generated, and a column number i from 0 to n-2 (where 0 ≦ i ≦ n−2) is assigned to each generation result. Means for generating n−1 random number data R (0),..., R (i),.
The first and second divided secret data K (0), K (1), ..., K (j), ..., K (n-1) and the random number data R (0), ..., R (i), ..., n (n-1) pieces of distributed partial data D (j, i) = K (j-i (mod n)) (+) R (i) are calculated based on R (n-2). Means (where (+) is a symbol representing exclusive OR),
Among the distributed partial data, a row number j is assigned to each of n−1 distributed partial data D (j, 0) to D (j, n−2) having the same row number j, and n pieces of distributed partial data are assigned. Means for generating header information H (0),..., H (j),.
N shared information D (0),..., D (j consisting of header information H (j) having the same row number j and distributed partial data D (j, 0) to D (j, n-2) ), ..., D (n-1) individually distributed to the n storage devices,
The secret information S is restored based on any two pieces of distributed information D (i) and D (j) among the distributed n pieces of distributed information D (0) to D (n-1). Secret information recovery means,
Program to function as. In the program according to claim 3,
The secret information restoring means is
Among the two pieces of shared information D (i), D (j), with respect to one shared information D (i), distributed partial data D (i, i) assigned the same column number i as the row number i Means for determining whether or not
As a result of this determination, when the distributed information D (i) includes the distributed partial data D (i, i), the same column included in the distributed partial data D (i, i) and the other shared information D (j) Based on the distributed partial data D (j, i) with the number i and the second divided secret data K (0) (= 0), the first divided secret data K (r) = D (i, i) (+ ) D (j, i) (+) first restoring means for restoring K (0) (where r = j−i (mod n)),
Means for determining whether or not the first end condition i−r = n−1 is satisfied after the restoration of the first divided secret data K (r);
When this determination result does not satisfy the first end condition, the restoration formula of the first divided secret data K (r) is shifted by r until the first end condition is satisfied until another first division Second restoring means for restoring the secret data K (r + r),..., K ((n−1) r) (where K (r + r) = D (i, ir−r) (+) D (j, i -R) (+) K (r), ..., K ((n-1) r) = D (i, i- (n-2) r) (+) D (j, i- (n-2) r) (+) K ((n-2) r)),
When the determination result satisfies the first termination condition or when the shared information D (i) does not include the distributed partial data D (i, i), the same column as the row number j in the other shared information D (j) The distributed partial data D (j, j) to which the number j is assigned, the distributed partial data D (i, j) of the same column number j included in one shared information D (i), and the second divided secret data Based on K (0) (= 0), the other first divided secret data K (−r) = D (i, j) (+) D (j, j) (+) K (0) is restored. Third restoring means to
Means for determining whether or not the second end condition j + r = n−1 is satisfied after the restoration of the first divided secret data K (−r);
When this determination result does not satisfy the second end condition, the rest of the first divided secret data K (-r) is restored by shifting the restoration formula by r until the second end condition is satisfied. Fourth secret means for restoring the divided secret data K (−r−r),..., K (− (n−1) r) (where K (−r−r) = D (i, j + r) (+ ) D (j, j + r) (+) K (-r), ..., K (-(n-1) r) = D (i, j + (n-2) r) (+) D (j, j + ( n-2) r) (+) K (-(n-2) r)),
The n-1 pieces of first divided secret data K (1),..., K (n-1) restored by the corresponding restoration means among the respective restoration means are connected to each other, whereby the secret information S = K (1) ‖K (2) ‖ ... means for restoring ‖K (n-1) (where ‖ is a symbol representing concatenation),
The program characterized by including. Out of n ′ (where n ′ ≧ 3) shared information D (0),..., D (n′−1) obtained by distributing the secret information S, n (where n <n ′) The distributed information D (0),..., D (n-1) is individually distributed to n storage devices, and the secret information S is obtained from any two shared information among the n shared information. A (2, n) type secret sharing device program that can be restored,
A computer of the secret sharing device;
Storage means for temporarily storing the secret information S before the distributed information D (0) to D (n-1) is distributed;
By dividing this secret information S into n′−1 and assigning row numbers j from 1 to n′−1 (where 0 ≦ j ≦ n′−1) to the division result, means for generating n'-1 pieces of first divided secret data K (1), ..., K (j), ..., K (n'-1);
Means for generating a second divided secret data K (0) (= 0) by generating a zero value having the same size as the size of each of the divided secret data and assigning a line number j = 0 to the generation result;
N′−1 random numbers having a size equal to or larger than the size of each of the divided secret data are generated, and the column number i from 0 to n′−2 (where 0 ≦ i ≦ n′−2) is generated in each generation result. ) To generate n′-1 random number data R (0),..., R (i),.
The first and second divided secret data K (0), K (1), ..., K (j), ..., K (n'-1) and the random number data R (0), ..., R (i) ,..., R (n′−2), n (n′−1) pieces of distributed partial data D (j, i) = K (j−i (mod n ′)) (+) R (i ) (Where (+) is an exclusive OR symbol),
Among the distributed partial data, a row number j is assigned to each of n′−1 distributed partial data D (j, 0) to D (j, n′−2) having the same row number j, and n , H (j),..., H (n−1) generating means for header information H (0),.
N pieces of shared information D (0),..., D (consisting of header information H (j) having the same row number j and distributed partial data D (j, 0) to D (j, n′−2). j),..., D (n-1) individually distributed to the n storage devices;
The secret information S is restored based on any two pieces of distributed information D (i) and D (j) among the distributed n pieces of distributed information D (0) to D (n-1). Secret information recovery means,
Means for determining whether or not the changeable condition t ≦ n′−n is satisfied when it is desired to change the (2, n) type to the (2, n + t) type;
When the determination result satisfies the changeable condition, t pieces of shared information D (n),..., D (n-1 +) based on the arbitrary two pieces of shared information D (i) and D (j). t) distributed information generating means for generating
Means for individually distributing the generated t pieces of distributed information D (n),..., D (n-1 + t) to t storage devices different from the n storage devices;
Program to function as. Five pieces of shared information D (0),..., D (4) obtained by distributing the secret information S are individually distributed to five storage devices, and any three of the five pieces of shared information are distributed. A (3, 5) type secret sharing apparatus program capable of restoring the secret information S from each piece of shared information,
A computer of the secret sharing device;
Storage means for temporarily storing the secret information S before the distributed information D (0) to D (4) is distributed;
Means for generating two pieces of divided secret data K (0) and K (1) having the same size by dividing the secret information S into two and assigning identification numbers from 0 to 1 to the division result ,
Four random numbers having the same size as the size of each of the divided secret data are generated, and an identification number from 0 to 3 is assigned to each generation result to generate four random number data R (0), R (1), Means for generating R (2), R (3);
Based on the two pieces of divided secret data K (0), K (1), the four pieces of random number data R (0) to R (3) and the following ten expressions (where (+) is exclusive) 10 symbols of distributed partial data D (0, 0), D (0, 1), D (1, 0), D (1, 1) that can be identified by a combination of two identification numbers. ), D (2,0), D (2,1), D (3,0), D (3,1), D (4,0), D (4,1),
D (0,0) = R (0),
D (0,1) = K (0) (+) R (1) (+) R (2),
D (1,0) = R (1),
D (1,1) = K (1) (+) R (2) (+) R (3),
D (2,0) = R (2),
D (2,1) = K (0) (+) R (3) (+) R (0),
D (3,0) = R (3),
D (3,1) = K (1) (+) R (0) (+) R (1),
D (4,0) = K (1) (+) R (0) (+) R (2),
D (4,1) = K (0) (+) R (1) (+) R (3),
When the two identification numbers of the respective distributed partial data are row number j and column number i, and each distributed partial data is represented as D (j, i), two distributed partial data D having the same row number j ( j, 0), D (j, 1) is assigned a row number j, and five pieces of header information H (0), H (1), H (2), H (3), H (4) Means for generating,
Five pieces of shared information D (0), D (1), D () consisting of header information H (j) having the same row number j and distributed partial data D (j, 0), D (j, 1) 2), means for distributing D (3), D (4) individually to the five storage devices;
A restoring means for restoring the secret information S based on any three pieces of shared information D (j) among the distributed five pieces of shared information D (0) to D (4);
Program to function as. Seven pieces of shared information D (0),..., D (6) obtained by distributing the secret information S are individually distributed to seven storage devices, and any three of the seven pieces of shared information. (3, 7) type secret sharing apparatus program capable of restoring the secret information S from each piece of shared information,
A computer of the secret sharing device;
Storage means for temporarily storing the secret information S before the distributed information D (0) to D (6) is distributed;
The secret information S is divided into three, and an identification number from 0 to 2 is assigned to the division result, so that three pieces of divided secret data K (0), K (1), K (2 )
Six random numbers having the same size as the size of each of the divided secret data are generated, and an identification number from 0 to 5 is assigned to each generation result to generate six random data R (0), R (1), Means for generating R (2), R (3), R (4), R (5);
Based on the three pieces of divided secret data K (0) to K (2), the six random number data R (0) to R (5), and the following 21 formulas (where (+) is exclusive) (Symbol representing logical sum) and 21 distributed partial data D (0,0), D (0,1), D (0,2), D (1,0) that can be identified by a combination of two identification numbers. ), D (1,1), D (1,2), D (2,0), D (2,1), D (2,2), D (3,0), D (3,1) , D (3,2), D (4,0), D (4,1) D (4,2), D (5,0), D (5,1), D (5,2), D Means for calculating (6,0), D (6,1), D (6,2);
D (0,0) = R (0),
D (0,1) = K (0) (+) R (1) (+) R (2),
D (0,2) = K (2) (+) R (3) (+) R (5),
D (1,0) = R (1),
D (1,1) = K (1) (+) R (2) (+) R (3),
D (1,2) = K (0) (+) R (0) (+) R (4),
D (2,0) = R (2),
D (2,1) = K (2) (+) R (3) (+) R (4),
D (2,2) = K (1) (+) R (1) (+) R (5),
D (3,0) = R (3),
D (3,1) = K (0) (+) R (4) (+) R (5),
D (3,2) = K (2) (+) R (0) (+) R (2),
D (4,0) = R (4),
D (4,1) = K (1) (+) R (5) (+) R (0),
D (4,2) = K (0) (+) R (1) (+) R (3),
D (5,0) = R (5),
D (5,1) = K (2) (+) R (0) (+) R (1),
D (5,2) = K (1) (+) R (2) (+) R (4),
D (6,0) = K (1) (+) R (0) (+) R (3),
D (6,1) = K (2) (+) R (1) (+) R (4),
D (6,2) = K (0) (+) R (2) (+) R (5),
When the two identification numbers of each distributed partial data are row number j and column number i, and each distributed partial data is represented as D (j, i), three distributed partial data D (same row number j) j, 0), D (j, 1), D (j, 2) is assigned a row number j, and seven pieces of header information H (0), H (1), H (2), H ( 3), means for generating H (4), H (5), H (6),
Seven pieces of shared information D (0) composed of header information H (j) having the same row number j and distributed partial data D (j, 0), D (j, 1), D (j, 2), Means for distributing D (1), D (2), D (3), D (4), D (5), D (6) individually to the seven storage devices;
A restoring means for restoring the secret information S based on any three pieces of shared information D (j) among the seven pieces of distributed information D (0) to D (6) distributed;
Program to function as.

Images