JPH0353367A - Decentralized information processing system - Google Patents

Abstract

PURPOSE:To transform the secret information without revealing it to an auxiliary device serving as the contract side of calculation and with back-up of the calculating force of the contract side by changing the input information, applying the identity transformation to the input information based on the secret information, and deciding both information valid when they are coincident with each other. CONSTITUTION:A main device 1A is provided to process the secret information together with at least one of auxiliary devices 2-1 - 2-3 which back up the arithmetic of the device 1A. Then a 1st transformation means is added to transform the input information together with a 2nd transformation means which applies the identity transformation to the input information based on the secret information, and a comparison means (proving means 1B) which compares the result of the identity transformation with the input information and decides them valid when they are coincident with each other. Thus the secret information can be processes with high efficiency without revealing it to the device 1A and with back-up of the calculating force of devices 2-1 - 2-3. At the same time, the prove is also possible with high efficiency.

Description

[Detailed Description of the Invention] [Objective of the Invention] (Industrial Application Field) The present invention provides distributed processing of calculations related to secret information using a capture device without leaking the secret information, and also has a verification function. related to distributed information processing systems.

(Conventional technology) With the progress of informationization and networking in society, our lives and work are becoming more efficient and convenient. However, on the other hand, new problems such as misuse of information and invasion of privacy are also coming into focus. In order to protect privacy, when various services are provided via networks, it is important to have technology that allows individuals seeking the service to receive the service without revealing their secrets to the service provider. It is thought that this will become the case. For example, if protecting privacy is a top priority, it is better for service providers to not know what data individuals have accessed when searching a database. Furthermore, in the case of collaborative use of computers, there is no need to let the computer provider know what the users have calculated.

An example of a literature that discusses such "methods of receiving services without disclosing secrets" is "Concerning how to request services without disclosing secrets" (Matsumoto Imai: 19g9
2017 Cryptography and Information Security Symposium Material 11-L
February 989). Specifically, there are methods for converting RSA public key cryptography without leaking secret information or message contents to arithmetic devices, methods for calculating the product of matrix AB without leaking the contents, and methods for explaining to the other party the roots of linear equations. A method has been proposed in which the force of the n hand is calculated by fΔ while preventing the force from being damaged. Among these, the request calculation method for converting the RSA encryption will be described as the method whose characteristics are most easily understood.

RSA encryption is a public key encryption proposed by RLVESL et al. in 1978 (Reference: R.L. RLVC)
st, A. Shamlr and L. Adlma
n：″＾method or obtainingdi
gital S1gnaturOS and eryp
tosyste+ms''. Cotan. of AC
j4, pp. 120-126"). In RSA encryption, positive integers e and n are used as encryption keys, and positive integers d and n are used as decryption keys. The specific method for selecting these key information can be found by referring to the above-mentioned literature. Both plaintext S and ciphertext M are integers less than the public modulus n. Encryption is performed as follows. Do it.

M-38sod n (1) Also, decoding is performed as follows.

d S=M Ilodn (2) RSA encryption is realized by the procedure described above, but to summarize the main points of this encryption here, [A] Public key e, which is different for each person,
n is published in a list-like format and can be accessed by anyone.

[When B colea (a, b) is the least common multiple of a and b, the private keys d, p. Q, λ(n)−1eIIl
(p-1, q-1) is a personal secret, and it is necessary to be careful not to let others know.

[C] In addition to the encryption function, there is a signature function.

[D] To ensure the security of RSA encryption, the private key p
, q must be selected to be approximately 100 decimal digits each. In this case, n is a number of about 200 decimal digits, and RSA encryption/decryption requires a huge amount of calculation.

By the way, an operating method that can maximize the benefits of RSA encryption in a network in which many people subscribe is to issue individual keys to each person, store the keys on a portable storage medium, and then store them individually. It is good to carry it with you. At this time, the above CB
] The points mentioned above are very important for operation. An IC card with a built-in CPU and memory is most suitable as a storage medium for an individual's private key that can satisfy the condition [B]. However, RSA that actually uses an IC card
When trying to construct a cryptographic system, the following two problems arise.

When the key is stored in an IC card, it is ideal to perform RSA decryption conversion and signature creation within the IC card, based on the requirement in [B] above. This is because the IC card has an access control function based on password verification, so if the conversion is performed within the IC card, there is no need to worry about d, p, q, and λ(n) leaking outside the IC card. However, at present, it is not possible to achieve a practically sufficient processing speed when converting RSA encryption using an IC card due to the above-mentioned [D] and the insufficient computational power of the IC card. It is also conceivable to mount a high-speed calculation LSI dedicated to RSA in an IC card, but an increase in the cost is unavoidable.

On the other hand, it is easy to use an IC card simply as a key memory with an access control function.

Practical processing speeds can be achieved by having a device other than the IC card, such as a terminal, perform the time-consuming cryptographic conversion, which has high computational power. However, in this case, d is passed to the terminal, so if sufficient care is not taken in the design and maintenance of the terminal device, d may be leaked to others via the terminal. Also, your d may be stolen without your knowledge by a fake terminal.

As a method to solve these two problems, the above-mentioned request calculation method allows efficient RSA encryption conversion using an IC card by borrowing only the computing power of the terminal without leaking information about the private key d to the terminal. The document ``How to request services without disclosing secrets'' is disclosed in several documents. In addition, another request calculation method for RSA encryption is “I
"Request calculation in C card system" (Kawamura, Shinbo,
1989 Annual National Conference of the Society of Electronic Information and Communication, 1989.
It was disclosed in March).

In the requested calculation, an example of a system configuration is shown in which the calculation requesting side uses an IC card and the calculation contracting side uses a terminal. First, the overall outline of the device is as shown in Fig. 4. The device 1 that processes secret information has at least one auxiliary device 2-1, 2-2, . It looks like they are connected via line 3. As shown in FIG. 5, the specific device configuration includes a terminal 9 equipped with a display device 4, a keyboard 5, a reader/writer 7 for an IC card 6, an insertion slot for a floppy disk 8, etc. as supporting devices.
For example, information may be exchanged with the IC card 6 using the IC card 6. As shown in FIG. 6, the IC card 6 in this example includes a CPUIO and an E2 connected thereto.
Data memory 11 consisting of FROM, program memory (ROM) 12, and contact type I/013
This is an example with In this example, this IC card 6 holds secret information. On the other hand, as shown in FIG.
, a keyboard I/018, a display controller 19, a central processing unit (CPU) 20, and a main memory 21 are connected to each other. The aforementioned members 4, 5, 7, and 8 are connected to each member as appropriate.

FIG. 8 shows a typical example of the control process of the terminal 9 when using an IC card. First, the user heads to the terminal 9 and inserts the IC card 6 into the reader/writer 7 in step 801. In step 802, the IC card 6 is initialized, and in step 802, a password is requested from the user. If no password is entered within a predetermined time, it is determined in step 805 that the time has expired, and the process is interrupted. On the other hand, when a password is input in steps 804 and 806, the password input by the user is compared with the registered password stored in the IC card 6 in steps 807 and 808, and if they match, the IC card 6 is used. However, if they do not match, the IC card 6 is unusable. Thereafter, the user can perform the requested calculations by giving instructions to the terminal 9 in the form of commands (steps 809 to 811).

Next, as a specific request calculation method, we will use the above-mentioned method for requesting services without revealing secrets (Matsumoto, Imai: 1989 Cryptography and Information Security Symposium Material 11-1, February 1989). The calculation method will be explained using FIG. 9. This request calculation method is
This is an algorithm in which the card uses the power of the terminal to create an RSA signature yd (-xmodn) from the message X and the private key d.

In step 901, the IC card decomposes the private key d as shown in the following equation.

d-f1dl+f2d2+... + f d sod (p-1) MM d ”” g r d t ten g 2 d 2 + ”
'+ g Md Mllod (Q-1) However,
f. and d1 are integers, 1 F-[f . f. ..., fM] G-[g
1l2 g2,... g)4], D- [d1. d2.
...dM]. Next, send messages X and D to the terminal.

When the terminal receives D in step 905, it proceeds to step 90.
6, calculate 21 of the following equation.

Z − [z . Z. −、
zM]l2 to the tC card.

When the IC card receives Z in step 902, it calculates the following equation in step 903.

1-1 H 1-1 Next, using the Chinese remainder theorem, from y Sy to pq Obtain signature y (step 904).

Using the above method, it is possible to perform high-speed processing using the power of the terminal without revealing the secret of the IC card, but the external device cannot necessarily be trusted and the communication information between the external device and the Under the assumption that a third party may tamper with the data, the requesting party (IC card) cannot detect the validity of the requested calculation unless it detects fraud on the part of the contracting party (terminal) or tampering of communication information by a third party. That becomes questionable. The methods to solve such problems are "Verification problem in requested calculation of rRSA encryption" (Shinbo 5 Kawamura, Institute of Electronics, Information and Communication Engineers Technical Research Report Vol. 89 k45) and "Verifiable requested calculation" (Matsumoto, Imai , IEICE Technical Research Report Vol. 89 No. 45).

Next, we categorized the methods of verification in the above paper into three types (■ a method that uses inverse transformation, ■ a method that does not use inverse transformation and requests calculation for verification, and ■ a method that requests calculation for inverse transformation as well). The request calculation and verification process executed when the device becomes usable will be explained using FIGS. 10 to 12.

FIG. 10 is an example of calculation using inverse transformation.

The calculation requester gives secret information k to the input information
f k (X) is calculated, then x'-f (y) is calculated in the second-1 processing section 24, and the comparison section k 25 compares X' with the input information X to verify the processing result. do. Therefore, since the comparator 25 compares the input information X and the information X' obtained by the inverse transformation to confirm the calculation result y, the requested calculation can be made truly effective. However, this method cannot be said to be a good algorithm because when the amount of calculation for the inverse-l transformation f is large, the burden of verification becomes large for the calculation requester k.

FIG. 11 is an example in which the contractor is requested to also perform calculation processing without using inverse transformation processing.

The calculation requester gives secret information k to the input information
(x) and obtain the result y1. Next, the second process 28 on the requester and contractor side is used to obtain the result y. The comparison unit 320 of the request source compares y and y, and if they match, the result is considered to be correct, and if they do not match, it is detected that the result is incorrect.

As a specific example of the general configuration explained in FIG.
Signature generation for the A cipher will be explained. The requested calculation of the exponentiation remainder calculation in this example includes a procedure of checking whether the processing of the terminal 9 has been performed correctly, and detecting if the processing has not been performed correctly. The basic idea of this method is to prepare a plurality of key splitters to be used and to confirm that signatures obtained using different splitters match.

First, it is assumed that the calculation requester is the IC card 6 and the contractor is a terminal with a higher computing power than the IC card 6.

The IC card 6 stores a unique secret key d. Also, the public key e and the modulus n are known to both the calculation requesting and contracting parties.

First, the IC card stores the private key d as (3) -1, (3)
-2, (3)-3, (3)-4. This process may be performed by the IC card itself, or may be performed by the center as a key issuance procedure and secretly stored within the IC card.

d=s +f s +f 2s 2+-op
L I +f s Ilod (p-1) (3) -
1mI1 d-s +e s 10e 2s ,,+-゛o
q l l ten e s mod (q-1) (3) -2
mII! d-top + g t t t + g 2
t 2+...+g t od (p-1)
(3) - 3m country d”to9+h tt ltenh 2t ,,+
-゛゜+h t n+od('1-1) (3
) -4mm However, S %S st %" is a small value.

F-[f,f,...,f]. E-[e1
1 2 m. e2.・−
−． e, ko, D-[sl, s2, -=S ko
,G-[g+g.・・・．． g]. H-a
l 2
tA[h , h . ... ,h
]D-[tl. t21 2
11 2... ,t ko,s ,s
, t , t for key d ffi
It is called Op Oq Op Oq Wariko.

These d, E, F, G, H, s, s, op
oq 1,1 becomes the secret information of the IC card. Here o
The Id division shown in p oq is based on the RSA-S2 protocol (Matsumoto,
Imai, “How to ask services w”
ithoutviolatingprivacy”,
This is an improved method of the 1989 Cryptography and Information Security Symposium Proceedings, ■February 1989).

The request calculation protocol using this key division is as shown in FIG.

■The IC card sends D1 to the terminal (step 1201)
.

■The terminal receives the divider D1 in step 1210, calculates Z in equation (4) (15i≦m) in step 1211, and calculates Z″″ [ z
1 Send to z2.

..., Z ] as an IC card m zl-x”tsod n (4)■IC
The card receives this Zt in step 1202, and in step 1203 Y1p of equations (5)-1 and (5)-2
and Ylq are calculated. Next, y1tp tq is determined from these y , y and the Chinese remainder theorem.

-r4 y=(rIz, sod p) ・x”” m
adtp 1 1-1 -XdIIod p (5) - 1
Maro” mod q ) ・x” madylq″″
(rTzl 1-1 -X' sod q (5) - 2
■Next, divide d as in step 1204, and
2 to the terminal.

■ On the terminal 9 side, after receiving D2 in step 1213, in step 1214 it calculates W, -x' Ilod n (1≦i≦m'), and in step 1215, W1 [W, W,
..., W −], and convert this into 1 2
11 Send to IC card 6.

■On the IC card side, after receiving W from the terminal in step 1205, in step 1206, Y 2p and Y 2Q of equations (5)'-1 and (5)'-2 are determined.
Calculate.

-i-1 -X'Ilodp (5)'-1 α 1-1 -X' mod q (5) ' -
2) In step 1207, y and y2 are compared, and if they match, in step 1208 the calculation result y(-y-y
2) is considered to be correct, and if l does not match, it is detected in step 1209 that the result is incorrect.

Note that e , f , g = h1 is limited to 0.11
11 In the case of λ, operations such as nz can also be realized without using exponentiation.

In addition, this method performs requested calculation regarding division D1 and division D2.
It is also possible to perform the requested calculations at the same time.

By following the above procedure, you can check whether the terminal has processed correctly or not. However, this method has a drawback in that the amount of data exchanged between the calculation requester and the contractor is twice that of the method explained in FIG. 10 (two types of dividers and their results).

FIG. 12 is an example of requesting the contractor to perform inverse transformation processing and verifying the calculation.

The method described here is conceptually similar to the method described in FIG. That is, as shown in the outline in Fig. 13, in general, when the information before conversion is x1 and the information after conversion is y, in the request calculation method for conversion y-fk (x) based on secret information k, The first processing units 31 and 32 execute the conversion process, and if an inverse transformation f exists, the second processing units 33 and 34 obtain it, and the comparison unit 35 utilizes the inverse transformation. x' = f (y
)k matches X.

The outline of the protocol is as follows.

■Convert X using the request calculation regarding forward conversion,
The calculation requester obtains y.

■Convert y using the requested calculation regarding the conversion in the opposite direction,
The calculation requester obtains X'.

■The calculation requester compares X and X' and if they match, confirms that the result y is correct.

However, the example shown in FIG. 10 was applicable when the inverse transformation could be easily performed by the requesting party. In this example, the method can be applied even when inverse conversion is difficult for the requester alone.

To achieve this, in this example, request calculation is also applied to the inverse transformation.

It is necessary to consider for each problem what kind of structure should be used for the specific forward request calculation and reverse request calculation.

What must be noted here is that the protocol must be configured in such a way that the secret information k will not be leaked to anyone other than the calculation requester, even if the information regarding the requested calculation in the forward direction and the information regarding the requested calculation in the reverse direction are combined. This means that it will not happen.

Furthermore, in the method explained in Figure 12, different dividers can be sent together from the request calculation source to the contractor side, and the results can also be sent together from the contractor side to the request calculation source, whereas in this method forward conversion is possible. Only after obtaining processing results regarding
It becomes possible to start processing in the reverse direction.

Therefore, since data cannot be exchanged between the request calculation source and the contractor, there is a drawback that two round trips are always required to exchange information between the terminal and the IC card.

Also, looking at the amount of data to be communicated, (amount of communication for the method explained in Figure 10) + (amount of communication required for reverse conversion)
It also has the disadvantage that it requires a certain amount of communication.

(Problems to be Solved by the Invention) As described above, when you want to perform a conversion using secret information d as in the case of RSA encryption, if the calculation time is too much for the device you want to perform the calculation, A problem arises in that it takes an excessive amount of time. For example, if it is attempted to be executed on a device with relatively small calculation power, such as an IC card, a large amount of calculation time is required.

In addition, it is possible to reduce the calculation time by preparing not only a device that performs the calculation but also a device that supports it and having these devices share the calculations related to confidential information.
If secret information is directly shown to the auxiliary device, there is a risk that this secret information may be stolen by the auxiliary device or a third party. For example, RSA
If you prepare an external device that can perform calculations at high speed and show the private key d to it to have it calculate, there is a risk that the decryption conversion will be known to the external device and it will be used illegally.

Furthermore, under the premise that external devices cannot necessarily be trusted and that a third party may tamper with the communication information between the external device and the external device, the requestor must be able to avoid fraud on the part of the contractor or the possibility that the communication information may have been tampered with by a third party. Since falsification cannot be detected, the validity of the requested calculation itself becomes questionable.

In contrast, "request calculation" is used to efficiently convert confidential information by borrowing the calculation power of the external device without leaking the confidential information to the external device, and "verification" is used to prevent fraud on the contractor's side and third party communication information. A method has been proposed to detect tampering by someone.

However, conventional calculation methods have problems in that the amount of communication and the number of times of communication increase depending on the method, and the amount of calculation for verification is large.

Therefore, the present invention provides a distributed information processing system that can efficiently carry out processing without leaking confidential information to anyone other than the main device, borrow the computational power of auxiliary devices, and efficiently perform risk calculations. The purpose is to provide.

[Structure of the Invention] (Means for Solving the Problems) As shown in FIG.
and at least one auxiliary device 2-1, 2-2, . In a distributed processing system that performs distributed processing, a first conversion means that performs the conversion on the input information;
a second conversion means that performs identity conversion on the input information based on the secret information; and a second conversion means that compares the result of the identity conversion means with the input information, and compares the result of the identity conversion means with the input information. It is provided with a comparison means (verification means IB) which considers it to be valid when the two match.

(Function) In the present invention configured as described above, the secret information unique to the main device is not leaked to the auxiliary device that is the subcontractor of calculation.
Moreover, the conversion can be performed by borrowing the computational power of the contractor. Furthermore, by comparing the input information with the result obtained by the identity conversion means using the processing result of the contractor side of the conversion, the auxiliary device can perform the requested calculation just to confirm that the processing result of the auxiliary device is correct. Even if you don't have one, you can easily check the calculation requester.

(Example) Hereinafter, an example of the present invention will be described. In addition, in the following description of the embodiment, FIGS. 5 to 8 shown in the conventional example will be used as is.

FIGS. 2 and 3 are a flowchart of processing and an explanatory diagram showing the general configuration of the first embodiment of the present invention.

Here, a request calculation for secret conversion (signature generation) of RSA encryption using the Chinese remainder theorem will be explained. As in the conventional example, the IC card 6 is the requesting source for the calculation, and the terminal 9, which has a larger computing power than the IC card 6, is the contractor.

Now, the IC card 6 stores an RSA encryption decryption key unique to that IC card. This is d, n, p, q
shall be. However, p and q are each sufficiently large prime numbers, which are kept secret from everyone other than the IC card 6. The public modulus n is the product of p and q. Also, d is a secret index. The exponent e and modulus n that make up the public key cryptography may be known by the calculation contractor.

First, in order to use the IC card 6, the terminal 9 performs control processing using the method described in the prior art section to make the IC card 6 usable. This part is not an essential part of the present invention. 'After the IC card 6 becomes usable,
By using an appropriate request calculation method, the calculation requesting side can obtain a message M before conversion and a message S representing the calculation result.

If the calculation contractor did the conversion correctly, M and S
The following equation (6) should hold between .

(6) As a specific method of the above procedure, the IC card decomposes the secret key d as shown in the following equations (7) and (8). Furthermore, (9
), Im[i, t .・・・
・, tM], J- [j, I2 J2 , . . . Calculate JMI. This process may be performed by the IC card itself, or may be performed by a center as part of the key issuance procedure and secretly stored in the IC card.

d″″do, +f , d i+−゛゜+ f d
fflod (p-1) (7) II1 dd + g , d , +...Oq + g d sod (q-1) (8) 11
1m 1■h +i, d l+... Op + i d sod (p-1) (9) Zen
1 1″″ho9+j ld l+−゛゜+j d
■od(q-1) (10) IIm However, d Sd Sh , h is a small value and is op oq op oq. D-[d,d.・・・．． d], F-[
1 2 tp f ,f . ... , f ], G-[g
,g21 2 ml
・・・．． g], Im[i. t.・・・
・ ,i]J-ta 1 2
m[J1. J2,...,j],d
,d ,h ,1 0p
OQ 01)h is called the splitter of key d. These d, G, F, 09 1, J, d. d. h. h is the op oq op oq secret information of the IC card.

The request calculation protocol (signature creation using RSA encryption) including a verification function using this key splitter is shown in FIG.

■The IC card sends D to the terminal (step 2o1).

■The terminal receives the divider in step 210, and in step 211 Z. Z-
[z. Z. −, z ] to IC1 2
Send to Snow Card.

■The IC card receives this Z in step 203, and divides it into dividers F, G, d. d is used to calculate the following equation in step 204. If the terminal does not cheat, the calculation result will be as follows.

i-1 −　Mda+od　p 1-1 -M’modq Next, using the Chinese remainder theorem, Sp Search for name S.

From S q a The calculation with nzl"mod does not use exponentiation and is 1-1 It is possible to achieve this.

Next, in order to confirm the validity of the signature S, a method of detecting whether the processing of the terminal 9 has been performed correctly will be described.

■In step 203, Z received from the terminal and divider 1
, J is used to calculate the following equation in step 205. If the terminal did not make any illegal calculations, the result would be:

dust 1-1 Drama Msodp ■ 1-1 -Mmodq Next, using the Chinese remainder theorem, from W 1W to pq Find W.

■In step 206, M and W are compared, and if they match, the validity of the signature S is confirmed (step 207), and if they do not match, it is detected that S is incorrect (step 20).
8).

Through the above procedure, it is possible to check whether the signature S was generated by correct processing at the terminal.

When the signature S is generated by the correct processing of the terminal, S
trust in the validity of

When considering the security of the above processing method, it is clear that if the terminal 9 executes a valid operation, the IC card 6 will determine that "the terminal 9 has executed a valid operation."

Next, consider whether the terminal 9 passes the last test formula, but the result S can be derived to be different from a valid signature. W-M is the final verification formula.

In step 205 of FIG. 2, W receives secret information 1, J, p, q, h . h open
Made using oq. Here, h. The term h is o
p oq id ten...+L d, jld l+...
111 The term m+i jd is calculated using random request calculation results.
a This prevents an attack method that allows the final test formula to pass even though it has been calculated. Therefore, it is difficult for a terminal to seek a divider Z that passes the verification formula even though the signature generated using Z received from the terminal is invalid.

The terminal also uses d. d,op
Since oq F and G are never known, the secret information d cannot be known.

The above dividers F, G, I, and J can be classified into the following (1) to (4) depending on the presence or absence of a common part between F, G and I, J.

(1) The h+1st to kth terms of F and G, and the h+th term of ■ and J
When the 1st term to the kth term are each equal.

F-{f. ... "h.fhat'・
・・・ ,fk1 0 ,... ,0} G-(g ・゛゛ ・gh ' gh+1 ・
゜゜゜・gk1 0. ... ,0} 1-[1,... ,f ,... + f k,
l k+1...h+1. 1) Drama J-tO.・・・．． g,...,gk
``k+1hat...,j) ■ (2) When the first k terms of F and I and the first k terms of G and J are each equal, and the k+1 to m terms of F and G are all O.

F-ff,... f, ,0. ...
,01l G-{g ,... ,gk ,o ,...
．． 0}l 1-(f... ``k''k+1'...
・．． i 1lIm J=(gt... .gk ``k+1'・
..., j1 (3) When the first k terms of F and 1 and the first k terms of G and J are each equal, and all of the m terms among the k+l terms of l and J are O.

F-(f,... ``k''k+1'...
・．． f 1lII G-(g.... ”k,gk+1'...
．． g 1lIl 1- (f .・ , fk ,0 .-,01l J-1g ,... .gk .0 .....
．． 01l (4) When there is no equal term between F, G and I, J.

F-ff,...,fk,0.・・・ 、
0)1 G-tg,...,gk. o. ... ,0}
l I- (0 . . . 0 . i
．．・・・．． ilk+1 m J-to. ..., O. j,...,
j }k+1 ■ How to create the dividers in (1) to (4) above will be considered.

(1) is a general form, where F, G, I, and J have common terms and non-common terms. In the proposed method, the information necessary for the requested calculation and the verification is exchanged in one communication, so only the calculation requesting side knows which terms will be used for the verification.

Therefore, although it does not check all the terms of Z necessary for signature generation (in other words, when taking the inner product of I, J and Z, the "0" term of I, J and the corresponding term of Z The product is “
0゛, so even if there was fraud in the 2 term corresponding to the 0 term in I and J, it would not be discovered. )
, by changing unchecked items to incorrect values, or by combining these two pieces of information, such as when sending and receiving information about request calculations and information about verification separately.
It is possible to sufficiently prevent a sniping attack in which the check formula passes even though i is invalid.

Since (2) checks all terms of Z necessary for signature generation, this division method can also prevent the above-mentioned sniping attack.

In (3), during signature generation, W appears which is compared with M to confirm validity, so if Z is an invalid result, check the validity of Z before requesting signature S. The amount of calculation can be reduced because there is no need to create incorrect signatures.

When creating a divider like this, it does not check all the terms of Z necessary for signature generation, but
The system of the present invention can sufficiently prevent the sniper attack described in the discussion of (1).

(4) also does not check all items, but
The system of the present invention can sufficiently prevent the sniper attack described in the discussion of (1).

FIG. 3 shows the general system configuration when expanded.

In FIG. 3, the calculation requester gives secret information k to the input information
(X) is pre-processed, and then a third processing section 1305 obtains the processing result, and a second processing section 302 performs x' - gk (x).
Post-processing is performed to obtain X', and a comparing section 303 calculates X' and
The processing result obtained by the third processing section is calculated by comparing the processing result with the processing result obtained by the third processing section.

Therefore, in the present invention, the comparison section compares the input information X and the information X' obtained from the second processing section to confirm the calculation result.

Note that if the contractor performs the correct processing, X-X- will be obtained, and in that case, the function G will be an identity transformation.

Furthermore, the present invention is not limited to the above embodiments, and can be implemented with various modifications without departing from the gist thereof.

[Effects of the Invention] As described above, according to the present invention, it is possible to perform conversion without leaking secret information unique to the main device to the auxiliary device that is the subcontractor of calculations, and moreover, by borrowing the calculation power of the subcontractor. can.

Furthermore, by comparing the input information with the result obtained by the identity conversion means using the processing result of the contractor side of the conversion, the auxiliary device can perform the requested calculation just to confirm that the processing result of the auxiliary device is correct. Even if it is not, the calculation requester can easily
ll can be confirmed.

[Brief explanation of drawings]

Fig. 1 is a diagram showing an overview of the present invention, Figs. 2 and 3 are a processing flowchart showing an embodiment of the invention and a general configuration example diagram, and Fig. 4 is an outline of a conventional information processing device. FIG. 5 is a perspective view showing the external appearance of the IC card and terminal, FIG. 6 is a block diagram showing the configuration of the IC card, FIG. 7 is a block diagram showing an example of the configuration of the terminal, and FIG. 8 9 is a flowchart of terminal initialization processing, and FIGS. 9 to 13 are flowcharts showing conventional processing methods and schematic diagrams showing general configuration examples. IA...Main device, IB...Verification means, 2-1.2-
2.2-3... Auxiliary device, 6... IC card, 9.
...terminal.

Claims (1)

[Scope of Claims] A main device that processes secret information and at least one auxiliary device that assists calculations of the main device, and performs conversion based on the secret information without leaking the secret information to anyone other than the main device. In a distributed processing system that performs distributed processing, a first conversion unit that performs the conversion on the input information; a second conversion unit that performs identity conversion on the input information based on the secret information; Distributed information processing characterized by comprising a comparison means that compares the result of the identity conversion means with the input information, and considers the result to be valid when the result of the identity conversion means and the input information match. system.