WO2011077819A1 - 検証装置、秘密情報復元装置、検証方法、プログラム、及び秘密分散システム - Google Patents
検証装置、秘密情報復元装置、検証方法、プログラム、及び秘密分散システム Download PDFInfo
- Publication number
- WO2011077819A1 WO2011077819A1 PCT/JP2010/068586 JP2010068586W WO2011077819A1 WO 2011077819 A1 WO2011077819 A1 WO 2011077819A1 JP 2010068586 W JP2010068586 W JP 2010068586W WO 2011077819 A1 WO2011077819 A1 WO 2011077819A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- information
- pieces
- subset
- secret
- shared
- Prior art date
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/085—Secret sharing or secret splitting, e.g. threshold schemes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6209—Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2117—User registration
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Definitions
- the present invention relates to a secret sharing technique capable of detecting unauthorized persons.
- a secret sharing method is known as an encryption technique that can restore secret information only when a predetermined number of shared information (shares) are collected by distributing the secret information to a plurality of pieces of shared information.
- the secret sharing method even if some of the shared information is lost, the secret information can be restored if more than a predetermined number of shared information remains, so that high security can be ensured even with respect to information loss.
- Non-Patent Document 1 The most famous technique in this secret sharing method is a technique called (k, n) threshold secret sharing method described in Non-Patent Document 1.
- k, n threshold secret sharing method described in Non-Patent Document 1.
- secret sharing method (1) secret information is distributed into n pieces of shared information, (2) when any k pieces of them are gathered, the secret information can be restored, and (3) k It has the feature that no secret information can be obtained from less than partial information.
- Non-Patent Document 1 The (k, n) threshold secret sharing method described in Non-Patent Document 1 does not take into account the injustice of the person managing the distributed information and the failure of the device managing the distributed information. Therefore, when collecting secret information by collecting k pieces of shared information, if even one piece of distributed information different from the original information is output, the secret information cannot be correctly restored, and the restored secret The fact that the information is different from the original secret information could not be detected.
- Non-Patent Documents 4 to 6 describe techniques for not only detecting falsification at the time of restoration but also identifying which shared information has been falsified.
- Non-Patent Document 4 if the number t of tampered shared information is within a range of k ⁇ 2t + 1, all t tampered shared information is identified with high probability. Is possible.
- Non-Patent Document 5 and Non-Patent Document 6 the number of pieces of falsified shared information that can be specified is smaller than the method described in Non-Patent Document 4, but the number of unauthorized persons t is within the range of k ⁇ 3t + 1. Then, a secret sharing method is described in which all of the altered shared information can be specified with high probability.
- the secret sharing method described in Non-Patent Documents 5 and 6 uses the tampered shared information number t unless the number t of the distributed information satisfying k ⁇ 2t + 1 is smaller than that in Non-Patent Document 4.
- the distributed information cannot be specified, there is also an advantage that the data size of the distributed information can be made smaller than that of the secret sharing method described in Non-Patent Document 4.
- the data size of the distributed information is p * q ⁇ (3n-3).
- the size of the distributed information is p * q ⁇ (t + 1), which is relatively small.
- p is an order of a finite field determined in advance and is a power of a prime number.
- q is a prime number satisfying q ⁇ n * p.
- Non-Patent Documents 5 and 6 where the data size of the distributed information is small may be used.
- the method described in Non-Patent Document 4 in which the data size of the distributed information is large must be used.
- the object of the present invention is to identify falsified shared information even when the number of falsified shared information is assumed to exceed the range that can be identified by the methods described in Non-Patent Documents 5 and 6. It is possible to provide a secret sharing method that can be performed and whose data size of shared information is smaller than that described in Non-Patent Document 4.
- the verification device of the present invention is generated from secret information by a (k, n) threshold secret sharing method using a k ⁇ 1 degree polynomial over a finite field based on the power p of a prime number.
- Each of the n pieces of information is distributed secret information
- q is a prime number that satisfies the relationship of q ⁇ n * p
- natural numbers that satisfy k ⁇ t + r are r and t
- the n pieces of information generated by the t-Cheater Identifiable secret sharing method using the t-order polynomial over the finite field GF (q) are used as the unauthorized person identification information so that up to t pieces of unauthorized shared secret information can be identified.
- a verification device for identifying unauthorized shared information from arbitrary k shared information among n shared information that is a pair of distributed secret information and unauthorized person identifying information, wherein k shared information and t And an input means for inputting and the input means For each subset generated by the subset generation means, a subset generation means for generating all subsets that are combinations of selecting r pieces of shared information satisfying r ⁇ t + 2 from the k pieces of shared information, Consistency determining means for determining whether or not illegal distributed information is included in the subset by using each unauthorized person identification information and t-order polynomial belonging to the subset, and a determination result by the consistency determining means And unauthorized person identifying means for identifying unauthorized shared information based on the shared information included in each subset.
- the verification method of the present invention distributes each of n pieces of information generated from secret information by the (k, n) threshold secret sharing method using a k ⁇ 1 order polynomial over a finite field based on the power p of the prime number.
- Secret information, q is a prime number satisfying a relationship of q ⁇ n * p, natural numbers satisfying k ⁇ t + r are r and t, and up to any t distributed illegal secrets included in the n distributed secret information
- n pieces of information generated by t-Cheater Identifiable secret sharing method using t-th order polynomial over finite field GF (q) are set as unauthorized person identification information, and distributed secret information and unauthorized person identification
- the consistency determination means uses each fraudulent identification information and t-order polynomial belonging to the subset for each subset generated by the subset generation means. It is determined whether or not unauthorized shared information is included, and the unauthorized person identifying unit determines the unauthorized shared information based on the determination result by the consistency determining unit and the distributed information included in each subset. It is a verification method to identify.
- the program of the present invention distributes each of n pieces of information generated from secret information by the (k, n) threshold secret sharing method using a k ⁇ 1 degree polynomial over a finite field based on the power p of the prime number.
- Information, q is a prime number satisfying a relationship of q ⁇ n * p, natural numbers satisfying k ⁇ t + r are r and t, and up to arbitrary t pieces of illegal distributed secret information included in the n distributed secret information N-information generated by the t-Cheater Identifiable secret sharing method using a t-th order polynomial over a finite field GF (q) is defined as fraudulent identification information, and distributed secret information and fraudulent identification information
- a program for controlling a computer that identifies illegal shared information from arbitrary k pieces of shared information among n pieces of shared information that are paired with each other, the computer including k pieces of shared information and the t Is input, the k
- Consistency determination procedure for determining whether or not illegal distributed information is included in the subset by using each unauthorized person specifying information and t-order polynomial, a determination result by the consistency determination procedure, and each part.
- the secret sharing system of the present invention generates n pieces of distributed secret information from secret information by a (k, n) threshold secret sharing method using a k ⁇ 1 order polynomial over a finite field based on a power p of a prime number, Let q be a prime number satisfying the relationship q ⁇ n * p, and natural numbers satisfying k ⁇ t + r be r and t, so that up to t pieces of illegal distributed information can be specified among the n pieces of distributed information.
- T-Cheater using a t-order polynomial over a finite field GF (q) generates n fraudster identification information by the identifiable secret sharing method, and the n pieces of the distributed secret information and the n fraudster identification information
- Secret information sharing apparatus for outputting, k arbitrary pieces of shared information among n pieces of shared information that are pairs of the distributed secret information and fraudulent identification information generated by the secret information distributing apparatus, and the t Is input, r ⁇ t + 2 is satisfied from k pieces of distributed information All of the subsets that are combinations of selecting r pieces of distributed information are generated, and for each of the subsets, the unauthorized person identification information and t-order polynomials belonging to the subset are used to thereby distribute the unauthorized information to the subset. And a verification device that identifies unauthorized shared information based on the determination result and the shared information included in each subset.
- the verification apparatus satisfies r ⁇ t + 2 from k pieces of distributed information obtained by using a k ⁇ 1th order polynomial on GF (p) and a tth order polynomial on GF (q). All combinations for selecting r pieces are obtained as subsets, and for each subset, it is determined whether or not illegal shared information is included in the subset, and an unauthorized person set is generated. According to this configuration, even if there are t pieces of illegal shared information among the k pieces of shared information, if there are r or more pieces of non-illegal shared information, the verification apparatus can select one of the subsets. As described above, it can be determined that there is no illegal shared information, and from the determination result of each subset, it is possible to identify up to t pieces of incorrect shared information in k with high probability.
- the user can set a value of t that satisfies k ⁇ 3t in the verification device, and can set t larger than the case of k ⁇ 3t + 1 for a constant value of k.
- the size of the distributed information is p * q. Therefore, on the premise of k ⁇ 2t + 1, the size of the shared information is smaller than the method of Non-Patent Document 4 in which the size of the shared information is p * q ⁇ (3n ⁇ 3).
- FIG. 1 is a block diagram illustrating a configuration example of a secret sharing system 1 according to the present embodiment.
- the secret sharing system 1 uses the (k, n) threshold secret sharing method to distribute the secret information into n pieces of shared information, and restores the secret information from any k pieces of shared information included in the n pieces of shared information. It is a system to do.
- the secret sharing system 1 includes a shared information generating device 10 and a secret information restoring device 30.
- the distributed information includes distributed secret information and unauthorized person identification information.
- the distributed secret information is n pieces of information generated by the (k, n) threshold secret sharing method from the secret information to be concealed, and is information used to restore the secret information.
- the unauthorized person identification information is information for detecting the unauthorizedness of the shared information and specifying the unauthorized shared information.
- the illegal shared information is different from the original information at the time of generation because the information is generated by the shared information generation device 10 and then falsified by an unauthorized person or a device that stores the distributed information fails. It is distributed information that became information.
- detecting t pieces of unauthorized shared information is referred to as “detecting t unauthorized persons”.
- the shared information generating apparatus 10 receives the secret information s, the threshold k, the total number n of shared information, and the assumed number of unauthorized persons t.
- the shared information generation device 10 generates n pieces of shared information from these pieces of information.
- the secret information s is original information that should be kept secret, and is information that is a target of secret sharing.
- the threshold value k is the number of pieces of shared information that is necessary to restore the secret information s.
- the total number n of shared information is the total number of shared information generated from the secret information s.
- the assumed number of unauthorized persons t is the upper limit number of expected unauthorized persons.
- the assumed number of unauthorized persons t is the upper limit number of unauthorized persons that can be specified on the restoration side when there is an unauthorized person.
- the distributed information generation apparatus 10 includes a secret information distribution unit 101 and an unauthorized person identification information generation unit 102.
- the secret information sharing unit 101 receives the secret information s, the threshold k, and the total number n of shared information.
- the secret information sharing unit 101 uses the (k, n) threshold secret sharing method to distribute and encode the secret information s.
- p is an order of a finite field determined in advance and is a power of a prime number.
- addition on a finite field is represented by +
- subtraction is represented by-
- multiplication is represented by *
- division is represented by /
- multiplication is represented by ⁇ .
- fs (x) is defined by the following equation.
- fs (x) s + a ⁇ 1 ⁇ * x + a ⁇ 2 ⁇ * x ⁇ 2 + ... a ⁇ k-1 ⁇ x ⁇ (k-1) (1)
- distributed secret information of v ⁇ 1 ⁇ ,... V ⁇ n ⁇ is stored in n storage devices 21 to 2n, respectively.
- the unauthorized person identification information generation unit 102 receives ( ⁇ i ⁇ , v ⁇ i ⁇ ) from the secret information distribution unit 101 and the assumed number of unauthorized persons t.
- the unauthorized person identification information generation unit 102 generates n unauthorized persons identification information by the t-Cheater Identifiable secret sharing method so that up to t unauthorized persons can be identified.
- the unauthorized person identification information generation unit 102 generates a t-order polynomial C (x) on GF (q), which is uniformly and randomly selected.
- q is a prime number satisfying q ⁇ n * p.
- C (x) is defined by the following equation.
- the fraudster specific information generation unit 102 substitutes n ( ⁇ i ⁇ , v ⁇ i ⁇ ) from the secret information distribution unit 101 for a predetermined one-to-one function ⁇ , respectively, and ⁇ ( ⁇ i ⁇ , v ⁇ i ⁇ ) is calculated.
- the unauthorized person identification information generation unit 102 substitutes ⁇ ( ⁇ i ⁇ , v ⁇ i ⁇ ) for C (x) defined by the above equation (2), and uses the result as n unauthorized person identification information A. Let ⁇ i ⁇ .
- the one-to-one function ⁇ is defined by the following equation, for example.
- ⁇ ( ⁇ i ⁇ , v ⁇ i ⁇ ) p * ( ⁇ i ⁇ ⁇ 1) + v ⁇ i ⁇ (3)
- p * ( ⁇ i ⁇ ⁇ 1) + v ⁇ i ⁇ is calculated on an integer and then converted to GF (p) by mod q.
- the unauthorized person identification information generation unit 102 outputs n unauthorized persons identification information A ⁇ i ⁇ to the storage device.
- the unauthorized storage device identification information A ⁇ 1 ⁇ ,... A ⁇ n ⁇ is stored in the n storage devices 21 to 2N, respectively.
- FIG. 2 is a block diagram illustrating a configuration example of the storage device 21.
- the storage device 21 includes a distributed information storage unit 211 and an unauthorized person identification information storage unit 212.
- the distributed information storage unit 211 stores the distributed secret information v ⁇ 1 ⁇ .
- the unauthorized person identification information storage unit 212 stores unauthorized person identification information A ⁇ 1 ⁇ .
- the configuration of the storage devices 22 to 2n is the same as the configuration of the storage device 21 shown in FIG.
- the secret information restoration device 30 includes a subset generation unit 301, a consistency check unit 302, an unauthorized person identification unit 303, and a secret information restoration unit 304.
- the secret information restoration device 30 generates and outputs an unauthorized person list CL and secret information s from the k pieces of distributed information, the assumed number of unspecified persons t, and the threshold value k.
- the unauthorized person list CL is unauthorized shared information among k pieces of shared information, that is, a set of unauthorized persons.
- the subset generation unit 301 receives an assumed unspecified number of people t and a threshold value k.
- the subset generation unit 301 reads k pieces of distributed secret information from k pieces of distributed secret information storage units among the storage devices 21 to 2n.
- the subset generation unit 301 reads k unauthorized person identification information from k distributed secret information storage units of the storage devices 21 to 2n.
- the subset generation unit 301 obtains all combinations that select r satisfying the relationship of 2t ⁇ r ⁇ t + 2 from k pieces of shared information (v ⁇ i_j ⁇ , A ⁇ i_j ⁇ ).
- the number C (k, t + 2) of combinations for selecting t + 2 from k is obtained from the following equation.
- the consistency check unit 302 acquires each subset S ⁇ m ⁇ from the subset generation unit 301 by sending a request signal to the subset generation unit 301, and t + 2 pieces of distributed information belonging to each subset Check the consistency of.
- the consistency check unit 302 uses the t + 2 shared secret information in the subset to be verified and the one-to-one function ⁇ used in the secret information distribution unit 101 to obtain ⁇ ( ⁇ j_1 ⁇ , v ⁇ j_1 ⁇ ),..., ⁇ ( ⁇ j_ (t + 2) ⁇ , v ⁇ j_ (t + 2) ⁇ ).
- the consistency check unit 302 then adds arbitrary t + 1 fraudulent identification information included in t + 2 fraudulent identification information, ⁇ ( ⁇ j_1 ⁇ , v ⁇ j_1 ⁇ ),... ⁇ ( ⁇ j_ ( t + 2) ⁇ and v ⁇ j_ (t + 2) ⁇ ) are restored from t + 1 or less polynomials. Then, the consistency check unit 302 determines whether or not there is a point corresponding to the remaining one piece of distributed information on the restored polynomial.
- the consistency check unit 302 ( ⁇ ( ⁇ j_1 ⁇ , v ⁇ j_1 ⁇ ), A ⁇ j_1 ⁇ )... ( ⁇ ( ⁇ j_ (t + 2) ⁇ , v ⁇ j_ (t + 2) ⁇ ), V ⁇ j_ (t + 2) ⁇ ) are all determined to be points on the same polynomial of order t or lower.
- the consistency check unit 302 determines that all of the shared information in the subset is not illegal.
- L ⁇ m ⁇ is information indicating a set of shared information determined not to be illegal.
- the consistency check unit 302 outputs L ⁇ m ⁇ of the empty set.
- the consistency check unit 302 obtains a consistency check set L ⁇ m ⁇ for each of the C (k, t + 2) subsets S ⁇ m ⁇ , and outputs them to the unauthorized person identification unit 303.
- the unauthorized person specifying unit 303 obtains a union set G of C (k, (t + 2)) consistency check sets L ⁇ m ⁇ .
- the unauthorized person specifying unit 303 obtains a difference set between the set of ⁇ i_1 ⁇ ,... ⁇ I_k ⁇ and the union G as an unauthorized person list CL.
- the unauthorized person specifying unit 303 outputs the unauthorized person list CL to the secret information restoring unit 304 and the outside of the secret information restoring apparatus 30.
- the secret information restoration unit 304 determines whether or not the unauthorized person list CL is an empty set. When CL is an empty set, it is presumed that there is no fraud in all shared information. In this case, the secret information restoring unit 304 restores the secret information s from the k pieces of distributed secret information v ⁇ i_j ⁇ using a known method. As a method of restoring the secret information s, there are a method of solving a k-element primary simultaneous equation, a method of using Lagrange complement, and the like.
- the secret information restoration unit 304 outputs the secret information s restored to the outside of the secret information restoration device 30.
- the secret information restoration device 30 when the value of t that satisfies k ⁇ 2t + 2 is set, the secret information restoration device 30 can detect up to t unauthorized persons with high probability. The reason will be described.
- the secret information restoration device 30 restores a t-order polynomial from t + 1 points collected from t + 1 pieces of shared information, and determines whether or not a point corresponding to other shared information is on the restored polynomial. An unauthorized person is identified.
- the secret information restoring device 30 can identify up to t unauthorized persons with high probability when k ⁇ 2t + 2. Specifically, when the i-th shared information includes illegal information, the probability that the distributed information belongs to CL and the unauthorized person is identified with respect to the output CL of the unauthorized person specifying unit 303. Is 1-1 / q.
- FIG. 3 is a block diagram showing a configuration example of a computer for realizing the shared information generating apparatus 10 or the secret information restoring apparatus 30 of the present embodiment.
- the computer includes a processing device 11, an input device 12, and an output device 13.
- the processing device 11 executes predetermined processing according to the program.
- the input device 12 is a device used for inputting commands and information to the processing device 11.
- the output device 13 is a device for monitoring the processing result of the processing device 11.
- the processing device 11 includes a CPU (Central Processing Unit) 111, a main storage device 112, a recording medium 113, a data storage device 114, memory control interface units 115 to 117, and I / O interface units 118 and 119. And they are connected to each other via a bus 120.
- CPU Central Processing Unit
- the CPU 111 is a processor that executes a program.
- the main storage device 112 temporarily stores information necessary for the processing of the CPU 111.
- the recording medium 113 stores a program for causing the CPU 111 to execute.
- the data storage device 114 stores secret information and access structure data.
- the memory control interface units 115 to 117 are interface devices that control writing and reading of data in the main storage device 112, the recording medium 113, and the data storage device 114.
- FIG. 3 shows an example in which the data storage device 114 exists in the processing device 11, but the data storage device 114 may not be in the processing device 11.
- the data storage device 114 may exist separately from the processing device 11 and may be connected to the processing device 11.
- the data storage device 114 can also be used as the storage devices 21 to 2n shown in FIGS.
- the recording medium 113 is a magnetic disk, semiconductor memory, optical disk, or other recording medium.
- FIG. 4 is a flowchart showing the operation of the shared information generating apparatus 10. This operation starts when an application for distributing secret information is executed.
- the shared information generating apparatus 10 receives input of the secret information s, the threshold k, the total number n of shared information, and the assumed number of unauthorized persons t (step S1).
- the secret information distribution unit 101 uses the (k, n) threshold value secret distribution method using the k ⁇ 1 degree polynomial, and the n pieces of distributed secret information v ⁇ i ⁇ from the secret information s. Is generated.
- the secret information sharing unit 101 outputs the shared secret information to the storage devices 21 to 2n (step S2).
- the unauthorized person identification information generation unit 102 generates n unauthorized persons identification information A ⁇ i ⁇ from n distributed secret information using a polynomial of t order or less and a one-to-one function.
- the unauthorized person identification information generation unit 102 outputs the unauthorized person identification information to the storage devices 21 to 2n (step S3).
- the shared information generating apparatus 10 ends the operation for secret sharing.
- FIG. 5 is a flowchart showing the operation of the secret information restoring device 30. This operation starts when an application for restoring secret information is executed.
- the secret information restoration device 30 accepts the input of the assumed unspecified number of persons t and the threshold value k (step T1).
- the secret information restoration device 30 reads k pieces of shared information from the k pieces of storage devices (step T2).
- the subset generation unit 301 obtains all combinations that select t + 2 among k pieces of shared information as subsets, and generates C (k, t + 2) subsets S ⁇ m ⁇ .
- the subset generation unit 301 outputs these subsets to the consistency check unit 302 in response to a request from the consistency check unit 302 (step T3).
- the consistency check unit 302 executes a consistency check process for determining whether or not unauthorized distributed information is included in each subset (step T4).
- the unauthorized person identification unit 303 obtains the union G of the consistency check set L ⁇ m ⁇ generated by the consistency check process. Then, a difference set between the set of ⁇ i_1 ⁇ ,... ⁇ I_k ⁇ and the union G is obtained as an unauthorized person list CL (step T5).
- the unauthorized person identification unit 303 determines whether or not the unauthorized person list CL is an empty set (step T6).
- the secret information restoring unit 304 restores the secret information s from the k pieces of distributed secret information v ⁇ i_j ⁇ . Then, the secret information restoration unit 304 outputs the secret information s and the empty set unauthorized person list CL (step T7).
- the unauthorized person specifying unit 303 outputs an unauthorized person list CL and a symbol indicating that unauthorized shared information has been detected (step T8). .
- FIG. 6 is a flowchart showing the inconsistency check process.
- the consistency check unit 302 sets an initial value 1 to the index m (step T41).
- the consistency check unit 302 acquires all data pairs (distributed information) in the subset S ⁇ m ⁇ (step T42). The consistency check unit 302 determines whether or not all of the acquired data pairs are consistent by using a polynomial of order t or less obtained from the unauthorized person identification information and a one-to-one function (step T43).
- step T43 If all the data pairs are consistent (step T43: YES), the consistency check unit 302 generates a consistency check set L ⁇ m ⁇ indicating the set of data pairs in the subset S ⁇ m ⁇ ( Step T44).
- step T43 If any data pair is not consistent (step T43: NO), the consistency check unit 302 generates an empty set consistency check set L ⁇ m ⁇ (step T45).
- step T44 or T45 the consistency check unit 302 increments m (step T46).
- the consistency check unit 302 determines whether m is larger than C (k, t + 2) (step T47).
- step T47: NO the consistency checking unit 302 returns to step T42.
- step T47: YES If m is larger than C (k, t + 2) (step T47: YES), the consistency check unit 302 ends the consistency check process.
- the secret information restoring device 30 is configured to restore secret information if the unauthorized person list CL is an empty set. However, if there is no need to restore the shared information, the secret information restoring device 30 may be configured not to provide the secret information restoring unit 304.
- the number r of elements in each subset is t + 2, but it is also possible to satisfy r> t + 2. Even in this case, if the value of t satisfying the relationship of k ⁇ r + t is input to the secret sharing system, the secret information restoring device 30 can detect up to t unauthorized persons with high probability.
- FIGS. 4 to 6 are realized by the information processing apparatus executing a computer program. All or a part of these is realized by a control circuit in the information processing apparatus. May be.
- the n pieces of shared information generated by the shared information generation device 10 are distributed and stored in the storage devices 21 to 2n, and the secret information is restored from the k or more storage devices 2 when the secret information is restored.
- the distributed information is delivered to the device 30.
- the method for transmitting the shared information from the shared information generating device 10 to the storage devices 21 to 2n and the method for transmitting the shared information from the storage devices 21 to 2n to the secret information restoring device 30 are not particularly limited.
- the distributed information may be transmitted via a storage medium or may be transmitted by data communication.
- the secret information restoration device of the present invention is an example of the verification device of the present invention.
- the verification apparatus performs k pieces of distributed information obtained using the k ⁇ 1th order polynomial on GF (p) and the tth order polynomial on GF (q). From this, all combinations for selecting r satisfying r ⁇ t + 2 are obtained as subsets, and for each subset, it is determined whether or not unauthorized distributed information is included in the subset, and an unauthorized person set is generated. According to this configuration, even if there are t pieces of illegal shared information among the k pieces of shared information, if there are r or more pieces of non-illegal shared information, the verification apparatus can select one of the subsets. As described above, it can be determined that there is no illegal shared information, and from the determination result of each subset, it is possible to identify up to t pieces of incorrect shared information in k with high probability.
- the user can set a value of t that satisfies k ⁇ 3t in the verification device, and can set t larger than the case of k ⁇ 3t + 1 for a constant value of k.
- the size of the distributed information is p * q. Therefore, on the premise of k ⁇ 2t + 1, the size of the shared information is smaller than the method of Non-Patent Document 4 in which the size of the shared information is p * q ⁇ (3n ⁇ 3).
- the secret sharing system according to the present embodiment is different from the secret sharing system according to the first embodiment in that a more flexible parameter setting is possible.
- the secret sharing system of this embodiment will not be described in detail with respect to the same configuration as that described with reference to FIGS. 1 to 6, and will be described in detail with respect to differences from the first embodiment.
- the secret information dispersal unit 101 of this embodiment is the same as that of the first embodiment except that the k ⁇ 1th order polynomial fs (x) on GF (p ⁇ N) obtained by expanding the finite field GF (p) is selected.
- the configuration is the same as that of the secret information distribution unit 101.
- addition on a finite field is expressed as +, subtraction is ⁇ , multiplication is *, division is /, and ⁇ multiplication is ⁇ .
- the unauthorized person identification information generation unit 102 according to the present embodiment is different from the configuration of the unauthorized person identification information generation unit 102 according to the first embodiment in that the unauthorized person identification information generation unit 102 includes two pieces of information.
- Ce (x) is defined by the following equation.
- Ce (x) e + e ⁇ 1 ⁇ x +... + E ⁇ t ⁇ x ⁇ t (5)
- the unauthorized person specifying information generating unit 102 generates a random and uniform t-order polynomial Cs (x) on GF (q).
- q is a prime number that satisfies q ⁇ n * p.
- Cs (x) is defined by the following equation.
- the fraudster specific information generation unit 102 substitutes n ( ⁇ i ⁇ , fe (v ⁇ i ⁇ )) into a predetermined one-to-one function ⁇ ( ⁇ i ⁇ , fe (x)), and ⁇ ( ⁇ I ⁇ , fe (v ⁇ i ⁇ )) is acquired.
- the unauthorized person identification information generation unit 102 obtains Cs ( ⁇ ( ⁇ i ⁇ , fe (v ⁇ i ⁇ ))), and sets the result as Ae ⁇ i ⁇ .
- the unauthorized person identification information generation unit 102 outputs As ⁇ i ⁇ and Ae ⁇ i ⁇ as unauthorized person identification information A ⁇ i ⁇ .
- the configuration is the same as that of the secret information restoring apparatus 30 of the embodiment.
- Consistency check unit 302 determines whether (j_1, As ⁇ j_1 ⁇ ),... (J_ (t + 2), As ⁇ j_ (t + 2) ⁇ ) are all points on the same polynomial of order t or lower. Determine whether.
- the consistency check unit 302 (( ⁇ (j_1, v ⁇ j_1 ⁇ ), Ae ⁇ j_1 ⁇ ), ... (( ⁇ (j_ (t + 2), v ⁇ j_ (t + 2) ⁇ )), Ae ⁇ It is determined whether j_ (t + 2) ⁇ ) are all points on the same polynomial of order t or lower.
- the check unit 302 determines that there is no illegal information in the shared information in the subset.
- the size of the secret information is p ⁇ (N + 1) * q
- the probability that tampering can be detected is 1 ⁇ N / p ⁇ 1 / q.
- p is appropriately selected.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Databases & Information Systems (AREA)
- Storage Device Security (AREA)
Abstract
Description
本発明を実施するための第1の実施形態について図面を参照して詳細に説明する。図1は、本実施形態の秘密分散システム1の一構成例を示すブロック図である。秘密分散システム1は、(k、n)閾値秘密分散法を用いて秘密情報をn個の分散情報に分散し、n個の分情報に含まれる任意のk個の分散情報から秘密情報を復元するためのシステムである。図1を参照すると、秘密分散システム1は、分散情報生成装置10と、秘密情報復元装置30とを有する。
そして、秘密情報分散部101は、上記(1)式を用いて、fs(1)、fs(2)、・・・fs(n)を計算し、それらの結果を分散秘密情報v{i}(i=1、2、・・・n)とする。秘密情報分散部101は、{i}(i=1、2、・・・n)と、{i}から算出されたv{i}とのペア({i}、v{i})を不正者特定情報生成部102へ出力し、v{i}を記憶装置へ出力する。
不正者特定情報生成部102は、予め定めた一対一関数φに、秘密情報分散部101からのn個の({i}、v{i})をそれぞれ代入して、φ({i}、v{i})を算出する。不正者特定情報生成部102は、上記(2)式で定義されるC(x)に、φ({i}、v{i})を代入し、その結果をn個の不正者特定情報A{i}とする。
上記(3)式において、p*({i}―1)+v{i}は、整数上で計算された後、mod qによってGF(p)に変換される。
整合性チェック部302は、部分集合生成部301に対して要求信号を送ることにより、部分集合生成部301から各部分集合S{m}を取得し、それぞれの部分集合に属するt+2個の分散情報の整合性をチェックする。
本発明の第2の実施形態について説明する。本実施形態の秘密分散システムは、より柔軟なパラメータ設定を可能とする点で第1の実施形態の秘密分散システムと異なる。なお、本実施形態の秘密分散システムについて、図1~図6で説明した構成と同様な構成の詳細な説明を省略し、第1の実施形態と異なる点について詳しく説明する。
不正者特定情報生成部102は、Ce(x)に、i=1、2、・・・nをxとして代入し、それらの結果をAs{i}(=Ce(i))とする。
そして、不正者特定情報生成部102は、下記のfe(x)に、v{i}をxとして代入して、fe(v{i})を求める。
不正者特定情報生成部102は、予め定めた一対一関数φ({i}、fe(x))に、n個の({i}、fe(v{i}))をそれぞれ代入してφ({i}、fe(v{i}))を取得する。
Claims (10)
- 素数の冪乗pに基づく有限体上のk-1次多項式を使用した(k、n)閾値秘密分散法により秘密情報から生成されたn個の情報のそれぞれを分散秘密情報とし、
qをq≧n*pの関係を満たす素数とし、k≧t+rを満たす自然数をr、tとし、n個の前記分散秘密情報に含まれる任意のt個までの不正な分散秘密情報を特定できるように、有限体GF(q)上のt次多項式を使用したt-Cheater Identifiable秘密分散法により生成されたn個の情報を不正者特定情報とし、
分散秘密情報と不正者特定情報との対であるn個の分散情報のうち任意のk個の分散情報から不正な分散情報を特定する検証装置であって、
k個の分散情報と前記tとを入力する入力手段と、
前記入力手段に入力された前記k個の分散情報から、r≧t+2を満たすr個の分散情報を選ぶ組み合わせである部分集合を全て生成する部分集合生成手段と、
前記部分集合生成手段により生成された前記部分集合ごとに、該部分集合に属する各不正者特定情報及びt次多項式を使用することにより該部分集合に不正な分散情報が含まれるか否かを判断する整合性判断手段と、
前記整合性判断手段による判断結果と、各部分集合に含まれている分散情報とに基づいて、不正な分散情報を特定する不正者特定手段と、
を有する検証装置。 - 前記rは2t≧r≧t+2を満たす自然数である、請求項1に記載の検証装置。
- 前記rはt+2である、請求項1に記載の検証装置。
- 前記pに基づく有限体は、GF(p)であり、
前記不正者特定情報は、前記分散秘密情報をv{i}(i=1、2、・・・n)、一対一関数をφとして、φ({i}、v{i})を前記GF(q)上のt次多項式に代入して得られた情報であり、
前記整合性判断手段は、前記部分集合に属する前記分散秘密情報をv{j_1}、・・・v{j_k}、該部分集合に属する前記不正者特定情報をA{j_1}、・・・A{j_k}として、
(φ({j_1}、v{j_1})、A{j_1})、・・・(φ({j_(t+2)}、v{j_(t+2)})、v{j_(t+2)})が全て同一のt次以下の多項式上の点となるか否かにより、該部分集合に不正な分散情報が含まれるか否かを判断する、請求項1乃至3のいずれか1項に記載の検証装置。 - 前記pに基づく有限体は、GF(p^N)であり、
前記不正者特定情報は、
{i}(i=1、2、・・・n)を前記GF(p^N)上の第1のt次多項式に代入して得られたAs{i}と、
前記分散秘密情報をv{i}、
関数fe(x)をfe(x)=x{0}+x{1}*e+x{2}*e^2+・・・+x{N}*e^N、
一対一関数をφとして、
該φ({i}、fe(v{i}))を前記GF(q)上の第2のt次多項式に代入して得られたAe{i}とを含み、
前記整合性判断手段は、
前記部分集合に属する前記分散秘密情報をv{j_1}、・・・v{j_k}、該部分集合に属する前記不正者特定情報をAs{j_1}、・・・A{j_k}及びAe{j_1}、・・・Ae{j_k}を含む情報として、
(j_1、As{j_1})、・・・(j_(t+2)、As{j_(t+2)})が、全て同一のt次以下の多項式上の点であり、且つ、
((φ(j_1、v{j_1})、Ae{j_1})、・・・((φ(j_(t+2)、v{j_(t+2)})、Ae{j_(t+2)})が全て同一のt次以下の多項式上の点であるか否かにより、該部分集合に不正な分散情報が含まれるか否かを判断する、請求項1乃至3のいずれか1項に記載の検証装置。 - 前記整合性判断手段は、前記部分集合ごとに、該部分集合に不正な分散情報が含まれないと判断された場合、{j_1}、・・・{j_(t+2)}の集合を整合性確認集合として生成し、該部分集合に不正な分散情報が含まれると判断した場合、空集合を整合性確認集合として生成し、
前記不正者特定手段は、前記整合性判断手段により生成された前記部分集合毎の前記整合性確認集合の和集合と、{i_1}、・・・{i_k}の集合との差集合を前記不正者集合として生成する、請求項4又は5に記載の検証装置。 - 請求項6に記載の検証装置と、
前記不正者特定手段により生成された前記不正者集合が空集合であれば、k個の前記分散秘密情報から、前記秘密情報を復元して出力する秘密情報復元手段と、
を有する秘密情報復元装置。 - 素数の冪乗pに基づく有限体上のk-1次多項式を使用した(k、n)閾値秘密分散法により秘密情報から生成されたn個の情報のそれぞれを分散秘密情報とし、
qをq≧n*pの関係を満たす素数とし、k≧t+rを満たす自然数をr、tとし、n個の前記分散秘密情報に含まれる任意のt個までの不正な分散秘密情報を特定できるように、有限体GF(q)上のt次多項式を使用したt-Cheater Identifiable秘密分散法により生成されたn個の情報を不正者特定情報とし、
分散秘密情報と不正者特定情報との対であるn個の分散情報のうち任意のk個の分散情報から不正な分散情報を特定する検証方法であって、
部分集合生成手段が、k個の分散情報から、r≧t+2を満たすr個の分散情報を選ぶ組み合わせである部分集合を全て生成し、
整合性判断手段が、前記部分集合生成手段により生成された前記部分集合ごとに、該部分集合に属する各不正者特定情報及びt次多項式を使用することにより該部分集合に不正な分散情報が含まれるか否かを判断し、
不正者特定手段が、前記整合性判断手段による判断結果と、各部分集合に含まれている分散情報とに基づいて、不正な分散情報を特定する、検証方法。 - 素数の冪乗pに基づく有限体上のk-1次多項式を使用した(k、n)閾値秘密分散法により秘密情報から生成されたn個の情報のそれぞれを分散秘密情報とし、
qをq≧n*pの関係を満たす素数とし、k≧t+rを満たす自然数をr、tとし、n個の前記分散秘密情報に含まれる任意のt個までの不正な分散秘密情報を特定できるように、有限体GF(q)上のt次多項式を使用したt-Cheater Identifiable秘密分散法により生成されたn個の情報を不正者特定情報とし、
分散秘密情報と不正者特定情報との対であるn個の分散情報のうち任意のk個の分散情報から不正な分散情報を特定するコンピュータを制御するためのプログラムであって、
前記コンピュータに、
k個の分散情報と前記tとが入力されると、該k個の分散情報から、r≧t+2を満たすr個の分散情報を選ぶ組み合わせである部分集合を全て生成する部分集合生成手順、
前記部分集合生成手順で生成された前記部分集合ごとに、該部分集合に属する各不正者特定情報及びt次多項式を使用することにより該部分集合に不正な分散情報が含まれるか否かを判断する整合性判断手順、及び
前記整合性判断手順による判断結果と、各部分集合に含まれている分散情報とに基づいて、不正な分散情報を特定する不正者特定手順、
を実行させるためのプログラム。 - 素数の冪乗pに基づく有限体上のk-1次多項式を使用した(k、n)閾値秘密分散法により秘密情報からn個の分散秘密情報を生成し、qをq≧n*pの関係を満たす素数とし、k≧t+rを満たす自然数をr、tとして、n個の前記分散情報のうち、任意のt個までの不正な分散情報を特定できるように、有限体GF(q)上のt次多項式を使用したt-Cheater Identifiable秘密分散法によりn個の不正者特定情報を生成し、n個の該分散秘密情報及びn個の該不正者特定情報を出力する秘密情報分散装置と、
前記秘密情報分散装置により生成された分散秘密情報と不正者特定情報との対であるn個の分散情報のうち任意のk個の分散情報と、前記tとが入力されると、k個の分散情報から、r≧t+2を満たすr個の分散情報を選ぶ組み合わせである部分集合を全て生成し、該部分集合ごとに、該部分集合に属する各不正者特定情報及びt次多項式を使用することにより該部分集合に不正な分散情報が含まれるか否かを判断し、該判断結果と、各部分集合に含まれている分散情報とに基づいて、不正な分散情報を特定する検証装置と、
を有する秘密分散システム。
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2011547376A JP5609892B2 (ja) | 2009-12-22 | 2010-10-21 | 検証装置、秘密情報復元装置、検証方法、プログラム、及び秘密分散システム |
US13/514,073 US8861717B2 (en) | 2009-12-22 | 2010-10-21 | Verification device, secret information restoration device, verification method, program, and secret sharing system |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2009290786 | 2009-12-22 | ||
JP2009-290786 | 2009-12-22 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2011077819A1 true WO2011077819A1 (ja) | 2011-06-30 |
Family
ID=44195365
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2010/068586 WO2011077819A1 (ja) | 2009-12-22 | 2010-10-21 | 検証装置、秘密情報復元装置、検証方法、プログラム、及び秘密分散システム |
Country Status (3)
Country | Link |
---|---|
US (1) | US8861717B2 (ja) |
JP (1) | JP5609892B2 (ja) |
WO (1) | WO2011077819A1 (ja) |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2012124270A1 (ja) * | 2011-03-15 | 2012-09-20 | パナソニック株式会社 | 改ざん監視システム、管理装置、保護制御モジュール及び検知モジュール |
JP5860556B1 (ja) * | 2015-02-06 | 2016-02-16 | 日本電信電話株式会社 | 不整合検知方法、不整合検知システム、不整合検知装置、およびプログラム |
US10437525B2 (en) * | 2015-05-27 | 2019-10-08 | California Institute Of Technology | Communication efficient secret sharing |
US10546139B2 (en) * | 2017-04-21 | 2020-01-28 | Ntropy Llc | Systems and methods for securely transmitting large data files |
US11463439B2 (en) | 2017-04-21 | 2022-10-04 | Qwerx Inc. | Systems and methods for device authentication and protection of communication on a system on chip |
US10057269B1 (en) * | 2017-04-21 | 2018-08-21 | InfoSci, LLC | Systems and methods for device verification and authentication |
US10579495B2 (en) | 2017-05-18 | 2020-03-03 | California Institute Of Technology | Systems and methods for transmitting data using encoder cooperation in the presence of state information |
CN110889695A (zh) * | 2019-11-25 | 2020-03-17 | 支付宝(杭州)信息技术有限公司 | 基于安全多方计算保存和恢复隐私数据的方法和装置 |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2008050544A1 (fr) * | 2006-10-24 | 2008-05-02 | Nec Corporation | Dispositif de génération d'informations distribuées et dispositif de décodage |
WO2009025220A1 (ja) * | 2007-08-22 | 2009-02-26 | Nec Corporation | 秘密情報分散システム、方法及びプログラム並びに伝送システム |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5625692A (en) * | 1995-01-23 | 1997-04-29 | International Business Machines Corporation | Method and system for a public key cryptosystem having proactive, robust, and recoverable distributed threshold secret sharing |
JP4146252B2 (ja) | 2003-01-24 | 2008-09-10 | 日本電信電話株式会社 | 不正者特定可能な匿名通信方法、それに使用される利用者装置、及び中継サーバ装置 |
JP2007135170A (ja) | 2005-10-12 | 2007-05-31 | Hitachi Ltd | 電子データ送受信方法 |
JP2008250931A (ja) | 2007-03-30 | 2008-10-16 | Toshiba Corp | 分散情報復元システム、情報利用装置、および、検証装置 |
-
2010
- 2010-10-21 US US13/514,073 patent/US8861717B2/en active Active
- 2010-10-21 JP JP2011547376A patent/JP5609892B2/ja active Active
- 2010-10-21 WO PCT/JP2010/068586 patent/WO2011077819A1/ja active Application Filing
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2008050544A1 (fr) * | 2006-10-24 | 2008-05-02 | Nec Corporation | Dispositif de génération d'informations distribuées et dispositif de décodage |
WO2009025220A1 (ja) * | 2007-08-22 | 2009-02-26 | Nec Corporation | 秘密情報分散システム、方法及びプログラム並びに伝送システム |
Also Published As
Publication number | Publication date |
---|---|
JP5609892B2 (ja) | 2014-10-22 |
US8861717B2 (en) | 2014-10-14 |
US20120243679A1 (en) | 2012-09-27 |
JPWO2011077819A1 (ja) | 2013-05-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP5609892B2 (ja) | 検証装置、秘密情報復元装置、検証方法、プログラム、及び秘密分散システム | |
CN109194466B (zh) | 一种基于区块链的云端数据完整性检测方法及系统 | |
JP5338668B2 (ja) | 秘密情報分散システム、方法及びプログラム並びに伝送システム | |
KR20190052631A (ko) | 물리적으로 복제 불가능한 기능의 원격 재등록 | |
CN109478279A (zh) | 区块链实现的方法和系统 | |
JP2020522205A (ja) | プログレッシブキー暗号化アルゴリズム | |
JP5957095B2 (ja) | 改ざん検知装置、改ざん検知方法、およびプログラム | |
JP5299286B2 (ja) | 分散情報生成装置、復元装置、検証装置及び秘密情報分散システム | |
CN104782077B (zh) | 密码证书重发的方法和装置以及防篡改设备 | |
JP5582143B2 (ja) | 秘密情報分散システム,秘密情報分散方法及びプログラム | |
Khedr et al. | Cryptographic accumulator-based scheme for critical data integrity verification in cloud storage | |
US20180351752A1 (en) | Device and system with global tamper resistance | |
AU2006236071A1 (en) | Incorporating shared randomness into distributed cryptography | |
JPWO2008001628A1 (ja) | 分散情報生成装置及び復元装置 | |
CN112352399A (zh) | 用于使用物理上不可克隆函数在板上生成密码密钥的方法 | |
Abo-Alian et al. | Auditing-as-a-service for cloud storage | |
JP6059159B2 (ja) | シェア変換システム、シェア変換方法、プログラム | |
JP2013009245A (ja) | 秘密情報分散システム及び秘密情報分散方法並びに秘密情報生成プログラム及び秘密情報復元プログラム | |
KR20200080011A (ko) | 데이터를 분산해서 저장하는 시스템 및 방법 | |
Wu et al. | Two quantum secret sharing schemes with adversary structure | |
KR102067053B1 (ko) | 다변수 2차 다항식 기반 포스트 양자 서명 스킴의 안전성 검증 장치 및 방법 | |
JP5381981B2 (ja) | 分散情報生成装置 | |
JP6059160B2 (ja) | シェア変換システム、シェア変換方法、プログラム | |
Preneel | Cryptography best practices | |
Davis et al. | Smart Grids Secured By Dynamic Watermarking: How Secure? |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 10839056 Country of ref document: EP Kind code of ref document: A1 |
|
WWE | Wipo information: entry into national phase |
Ref document number: 13514073 Country of ref document: US |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2011547376 Country of ref document: JP |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 10839056 Country of ref document: EP Kind code of ref document: A1 |