WO2013080290A1 - Data dividing device and data dividing program - Google Patents


Publication number
WO2013080290A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
divided
secret
partial
matrix
Application number
PCT/JP2011/077431
Inventor
松本 勉
武暢 清藤
佐藤 敦
昭輝 鴨志田
敏文 新谷
Original Assignee
国立大学法人 横浜国立大学
株式会社野村総合研究所
Application filed by 国立大学法人 横浜国立大学, 株式会社野村総合研究所
Priority to PCT/JP2011/077431 (WO2013080290A1)
Priority to JP2013500690A (JP5530025B2)
Publication of WO2013080290A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085: Secret sharing or secret splitting, e.g. threshold schemes

Definitions

  • The present invention relates to a technique for concealing electronic data, and in particular to a technique that is effective when applied to a data dividing device and a data dividing program that divide important data into a plurality of pieces of non-important data using a secret sharing technique.
  • When important data is stored, measures are taken to conceal the data and prevent falsification.
  • Important data is encrypted and stored using an encryption key.
  • The encrypted data includes all of the information in the important data. Therefore, for example, when encrypted data is acquired by a third party, the important data is easily restored if the encryption key is also acquired by the third party for some reason and used for decryption. Even if the encryption key is not acquired, the key has a finite length, so in theory the important data may be restored from the encrypted data after a finite number of trials.
  • Secret sharing technology is also used as a method for strongly concealing important data.
  • Important data is divided into a number of pieces of non-critical data, none of which can by itself be used to recover or guess the important data, and some non-critical data is obtained by a third party.
  • Various methods have been proposed as secret sharing methods; for example, the (k, n) threshold secret sharing method described in Non-Patent Document 1 has been used.
  • In (k, n) threshold secret sharing, the secret data to be kept secret is divided into n pieces of divided data. By collecting at least k (k ≤ n) of the n pieces of divided data, the secret data can be restored from them.
  • If the number of collected divided data is less than k, it is impossible to restore the secret data from them or to infer its contents (to obtain information on the secret data).
  • In this (k, n) threshold secret sharing technique, the operations for dividing and restoring secret data are generally performed using polynomial operations and remainder operations. When these calculations are performed by information processing on a computer, however, the calculation load is high. As the amount of secret data increases, CPU (Central Processing Unit) resources are consumed in large quantities and processing performance deteriorates. In contrast, a method has also been proposed that realizes (k, n) threshold secret sharing processing by calculation with bitwise exclusive OR (eXclusive OR, hereinafter referred to as "XOR" and written with the "+" operator).
  • In Patent Document 1, a plurality of original partial data (secret partial data) is generated by dividing original data (secret data) into pieces of a predetermined length.
  • A random number having the same length as the secret data, or a random number shorter than the secret data, is divided for each predetermined length to generate a plurality of random number partial data, and a predetermined definition formula
  • a technique for efficiently dividing secret data by relatively simple processing, by performing an exclusive OR operation of secret partial data and random number partial data based on the above and generating a plurality of divided data.
  • The size of the secret data is the same as the size of each of the n pieces of divided data generated by performing the secret sharing.
  • The total amount of the n divided data after the execution is n times the data amount of the secret data, which wastes resources such as storage capacity and network bandwidth when the data is stored.
  • A technique for reducing the data amount of divided data generated by secret sharing has been proposed in consideration of use in an actual system.
  • A so-called ramp type (k, L, n) threshold secret sharing technique, as described in Non-Patent Document 2, has been proposed.
  • The size of each of the generated n pieces of divided data can be reduced to 1 / L of the size of the secret data, in exchange for relaxing the security condition for the confidentiality of the data. That is, the data amount of all n pieces of divided data can be reduced to 1 / L of that in the case of (k, n) threshold secret sharing.
  • The secret data can be restored by collecting at least k of the n divided data, as in the case of (k, n) threshold secret sharing.
  • If the number of collected divided data is (k − L) or less (1 ≤ L ≤ k),
  • the secret data will not be restored or estimated, but even if it is less than k
  • These mobile terminals usually have less processing power than desktop PCs, and the network used to access the servers or the like that store the divided data is in many cases wireless communication or the like, with little bandwidth to spare. Therefore, secret sharing processing needs to be particularly efficient and fast, and the amount of divided data generated also needs to be small.
  • The security condition is slightly relaxed, but the size of each of the n pieces of divided data is reduced to 1 / L.
  • The total data amount can be reduced to 1 / L.
  • A method has been proposed in which XOR operations on data obtained by dividing the secret data and on random numbers are used to increase the efficiency and speed of generating divided data by arithmetic processing in a computer.
  • an object of the present invention is to conceal secret data by dividing it into n pieces of divided data by (k, L, n) ramp type threshold secret sharing, and from (k, L, n, n)
  • The data dividing device divides secret data into n pieces of divided data by (k, L, n) ramp type threshold secret sharing and stores the n pieces of divided data in a distributed manner in storage devices that are different from each other, and has the following characteristics.
  • The data dividing device divides unit secret data of length S extracted from the secret data into a plurality of secret partial data; generates random number partial data that has the same length as the secret partial data and half the number of the secret partial data; generates a plurality of divided partial data based on a division matrix that defines the XOR operations for generating divided partial data from one or more of the secret partial data and one or more of the random number partial data; and concatenates the plurality of divided partial data generated by XOR operations that include different random number partial data to obtain n types of unit divided data of length S / L.
  • A division processing unit that does this and that generates n pieces of divided data by connecting the unit divided data for each type is provided.
  • The present invention can also be applied to a program that causes a computer to function as the above-described data dividing device.
  • A data dividing device divides secret data into n pieces of divided data by (k, L, n) ramp type threshold secret sharing, and these divided data are stored in a distributed manner in storage devices such as different servers.
  • Because ramp-type secret sharing is used, although the security condition is slightly relaxed, the size of each of the n pieces of divided data is reduced to 1 / L, and the total data amount is reduced to 1 / L of that in the (k, n) threshold secret sharing case. This reduces the amount of resources used, such as network bandwidth and storage area, when transmitting and storing each divided data.
  • In (k, L, n) ramp type threshold secret sharing, in order to reduce the amount of CPU resources used by increasing the efficiency and speed of processing, as with known techniques, the divided data is generated based on XOR operations, which are suited to bit operations, on the secret partial data obtained by dividing the secret data and random number partial data of the same length.
  • In ramp-type threshold secret sharing, the calculation formulas and the calculation procedure for performing the XOR operations are adjusted, so that overall processing performance is improved both when generating a plurality of divided data from secret data by secret sharing and when restoring secret data from a plurality of divided data.
  • FIG. 1 is a diagram showing an outline of a configuration example of a data dividing apparatus according to an embodiment of the present invention.
  • The data dividing device 100 is a general computer device, such as an information processing terminal (a PC or a mobile terminal) used by the user or a file server to which a plurality of such information processing terminals are connected, on which the secret data 400 that is the target of secret sharing is created by the user or held.
  • The data dividing device 100 can be connected to a plurality of servers 200 via a network 300 such as the Internet.
  • The number of servers 200 is desirably n or more for (k, L, n) ramp-type threshold secret sharing (four in this embodiment, because it uses (3, 2, 4) ramp-type threshold secret sharing).
  • Each of these servers 200 is a file server, storage device, or the like that stores, in a storage device such as an HDD (Hard Disk Drive), the divided data 410 generated by secret sharing from the secret data 400 by the data dividing device 100 and transmitted via the network 300.
  • The data dividing device 100 includes, for example, a division processing unit 110, a distribution management unit 120, a restoration processing unit 130, and an interface unit 140, each implemented as a software program that runs on an OS (Operating System) (not shown).
  • The division processing unit 110 generates, from secret data 400 that the user has instructed via the interface unit 140 (described later) to store securely, n pieces of divided data 410 (four in this embodiment) to be distributed to the servers 200. It does so by (k, L, n) ramp-type threshold secret sharing ((3, 2, 4) ramp-type threshold secret sharing in this embodiment) according to a predetermined procedure based on, for example, a division matrix 111 that defines XOR arithmetic expressions (described later) and divided intermediate expressions 112. It also has a random number generation unit 113 that generates the random numbers used in the above-described XOR calculation.
  • the random number generation method is not particularly limited, and any known technique can be used as long as it can generate a random number having a predetermined length or more.
  • The distribution management unit 120, for example, transmits each divided data 410 generated from the secret data 400 by the division processing unit 110 to a server 200 according to predetermined conditions based on the contents of the setting information 122, and stores it there. Information on which server 200 stores each piece of divided data 410 is recorded and managed in the distribution status 121.
  • The setting information 122 can hold in advance, for example, access information (IP address, host name, etc.) for each server 200 serving as a distributed storage destination and, when there are more than n servers 200 (n is four in this embodiment), the criteria and conditions for selecting n servers 200 (for example, a priority order of servers 200, an ordered list, a rotation method, and the like).
  • When the restoration processing unit 130 (described below) restores the secret data 400, the distribution management unit 120, at the request of the restoration processing unit 130 and based on the contents of the distribution status 121 and the setting information 122, collects from the servers 200 the m pieces of divided data 410 for restoring the secret data 400 and passes them to the restoration processing unit 130.
  • The criteria and conditions for selecting the m target servers 200, and the method for choosing an alternative server 200 when divided data 410 cannot be acquired from a target server 200 because of a failure or the like, can be set in advance.
  • If any of the n pieces of divided data 410 cannot be stored on a server 200 during distributed storage because of a failure of the server 200, or if k or more pieces cannot be collected when the divided data 410 is collected, an error may be returned to the user.
  • The data dividing device 100 and each server 200 may apply predetermined encryption to the divided data 410 before transmitting and receiving it, to further reduce the risk of leakage.
  • The restoration processing unit 130 requests acquisition of the divided data 410, in at least the number necessary for restoring the secret data 400. Furthermore, from the acquired divided data 410, it restores the secret data 400 by (k, L, n) ramp-type threshold secret sharing ((3, 2, 4) ramp-type threshold secret sharing in this embodiment) according to a predetermined procedure based on a restoration matrix 131 that defines XOR arithmetic expressions (described later) and restoration intermediate expressions 132.
  • The interface unit 140 provides a user interface, such as a screen display, on the data dividing device 100 (or on a client terminal (not shown) for the data dividing device 100) and input/output functions such as data transmission and reception.
  • the user can use the functions of the data dividing apparatus 100 by using, for example, a file management screen of a general OS.
  • The division processing unit 110 and the distribution management unit 120 automatically generate n pieces of divided data 410 (four in the present embodiment) using the important data as secret data 400, and each piece of divided data 410 can be distributed to and stored on a server 200 without the user being aware of it.
  • The secret data 400 is deleted from the data dividing device 100 (and from the user's client terminal for the data dividing device 100).
  • A dummy file or the like corresponding to the secret data 400 is created and kept, so that the user is not conscious of this on the file management screen.
  • The user performs operations such as referencing and editing the secret data 400 by operating the dummy file of the secret data 400 managed in a specific folder on the file management screen.
  • The distribution management unit 120 and the restoration processing unit 130 automatically collect, from the servers 200, m pieces (k ≤ m ≤ n; three or four in this embodiment) of the divided data 410 of the secret data 400 corresponding to the dummy file or the like, and the secret data 400 can be restored and made available to the user.
  • FIG. 2 is a flowchart showing an outline of an example of a flow of division processing for generating the division data 410 from the secret data 400 by secret sharing in the division processing unit 110 of the data division device 100.
  • secret sharing processing is performed by (3, 2, 4) ramp-type threshold secret sharing.
  • FIG. 3 is a diagram showing an outline of an example of processing for generating four pieces of divided data 410 from the secret data 400 by (3, 2, 4) ramp-type threshold secret sharing.
  • When the important data to be secret shared is designated by the user via the interface unit 140, the division processing unit 110 first sets the important data as the secret data 400 and extracts unit secret data of a predetermined length S from the top of the secret data 400 (S01).
  • This unit secret data is the processing unit for secret sharing by XOR operation, and in the present embodiment the length S is an arbitrary number of bits that is a multiple of 6.
  • If the remaining secret data 400 is shorter than S, it is padded with predetermined data such as zeros to obtain unit secret data of length S.
  • The extracted unit secret data 401 is divided to generate six secret partial data (S02). Specifically, as shown in FIG. 3, the unit secret data 401 of length S extracted from the secret data 400 is divided into six equal parts, generating six pieces of secret partial data 402 (s1 to s6) of length S / 6.
  • The random number generation unit 113 generates three random number partial data 403, half the number of the secret partial data 402, each having the same length (S / 6) as the secret partial data 402 (S03). Specifically, as shown in FIG. 3, three pieces (r1 to r3) of random number partial data 403 having the same length S / 6 as the secret partial data 402 are generated.
  • The random number generation unit 113 may generate r1 to r3 individually, or it may generate one random number longer than S / 2, which the division processing unit 110 divides to extract three random numbers of length S / 6.
  • For each of the plurality of divided intermediate expressions 112, which are defined in advance for use in the XOR operations that generate the divided partial data (described later), a value is calculated by performing an XOR operation based on the secret partial data 402 (s1 to s6) and the random number partial data 403 (r1 to r3) (S04).
  • The divided intermediate expressions 112 are XOR expressions that appear repeatedly in the overall XOR operation for generating the divided partial data (described later), extracted in advance.
  • The value of each divided intermediate expression 112 is calculated and held in advance, and the result is reused in the XOR operation based on the division matrix 111 (described later), which increases the efficiency and speed of processing. Details of the divided intermediate expressions 112 will be described later.
  • An XOR operation is performed based on the contents defined in the division matrix 111, and the twelve divided partial data 412 are generated (S05). Specifically, as shown in FIG. 3, by multiplying the division matrix 111, which defines the XOR operations, by the 9 × 1 matrix whose elements are the random number partial data 403 (r1 to r3) and the secret partial data 402 (s1 to s6), 12 divided partial data 412 (a1 to a3, b1 to b3, c1 to c3, d1 to d3), each of length S / 6, are obtained.
  • The 12 divided partial data 412 are obtained by the following equations, which result from multiplying the division matrix 111 by the secret data matrix 114.
  • The value of each divided intermediate expression 112 calculated in advance in step S04 is substituted for the portion of the XOR operation in each of the above expressions that coincides with that divided intermediate expression 112, which reduces the total number of XOR operations.
  • Unit divided data 411a of length S / 2 is generated by concatenating the divided partial data 412 a1 to a3.
  • The divided partial data 412 b1 to b3, c1 to c3, and d1 to d3 are likewise concatenated to generate unit divided data 411b to 411d.
  • The four generated unit divided data 411 are connected to the end of the corresponding divided data 410 (S07).
  • Unit divided data 411a to 411d of length S / 2 are connected to the end of divided data A (410a) to divided data D (410d), respectively.
  • Each unit divided data 411 itself is set as divided data 410.
  • Information identifying whether a piece of divided data 410 is divided data A (410a), divided data B (410b), divided data C (410c), or divided data D (410d) is added to its header or the like.
  • The unit divided data 411 constituting the divided data 410 is constituted by one of the sets of divided partial data 412: a1 to a3, b1 to b3, c1 to c3, or d1 to d3.
  • If the unit secret data 401 was extracted by padding with data such as zeros because the length of the secret data 400 was less than S in step S01, information such as the valid length of the last unit secret data 401 may be added.
  • The four pieces of divided data 410 (divided data A to D) obtained by the above processing using the division matrix 111 shown in FIG. 3 satisfy the requirement of (3, 2, 4) ramp-type threshold secret sharing. That is, the information of the unit secret data 401 constituting the secret data 400 (the information of the secret partial data 402 s1 to s6) cannot be obtained from any single unit divided data 411 constituting each of the divided data 410.
  • The information of the divided partial data 412 a1 to a3 can be obtained from the unit divided data 411a constituting the divided data A (410a). Even if a third party knows that this divided partial data 412 is generated from the three expressions, Expressions 1 to 3, the simultaneous equations consisting of Expressions 1 to 3 with r1 to r3 and s1 to s6 as variables cannot be solved.
  • No information (solution) on the secret partial data 402 s1 to s6 can be obtained (that is, the normalized information entropy is 1). Accordingly, the confidentiality of the secret data 400 (unit secret data 401 including the secret partial data 402 s1 to s6) is maintained. The same applies to divided data B (410b) to divided data D (410d).
  • If the division matrix 111 is configured so that each formula is expressed as "an XOR operation of one or more different secret partial data 402 (s1 to s6) and one or more different random number partial data 403 (r1 to r3)", each piece of divided data 410 (unit divided data 411) has randomness equivalent to that of random number data, and information on the secret data 400 (unit secret data 401) cannot be obtained from the divided data 410.
  • Each of the three calculation formulas contains only one random number partial data 403, different from that of the others (for example, Formula 1 contains only r1, Formula 2 only r2, and Formula 3 only r3).
  • The secret data 400 can be restored. That is, all of the information of the unit secret data 401 constituting the secret data 400 (the information of the secret partial data 402 s1 to s6) can be obtained from the unit divided data 411 constituting three different pieces of divided data 410.
  • Simultaneous equations consisting of the nine independent equations, Equations 1 to 9, are obtained.
  • The division matrix 111 used for the division process in the (3, 2, 4) ramp-type threshold secret sharing shown in FIG. 3 is adjusted so that, including the restoration matrix 131 used for restoring the secret data 400 from the divided data 410 (described later), the number of XOR operations in the entire division and restoration secret sharing process is small.
  • The number of XOR operations was analyzed to obtain a pattern in which that number is small, that is, one with high processing efficiency as a whole.
  • The division matrix 111 shown in FIG. 3 is the adjusted division matrix 111 obtained by the above procedure.
  • When the divided partial data 412 (a1 to a3, b1 to b3, c1 to c3, d1 to d3) is calculated based on Equations 1 to 12 in step S05 of FIG. 2, the divided intermediate expressions 112 are used so that the number of XOR operations to be performed (the "+" operators in Equations 1 to 12) is reduced. That is, XOR expressions that appear repeatedly in Equations 1 to 12 are defined in advance as the divided intermediate expressions 112, and the value of each divided intermediate expression 112 is calculated in advance in step S04 of FIG. 2.
  • FIG. 4 is a diagram showing an outline of a case where the divided partial data 412 (a1 to a3, b1 to b3, c1 to c3, d1 to d3) is calculated from the secret partial data 402 (s1 to s6) and the random number partial data 403 (r1 to r3).
  • The upper diagram of FIG. 4 schematically shows the contents of the division matrix 111 shown in FIG. 3 as a table, and the rows and columns of the table correspond to the rows and columns of the division matrix 111 shown in FIG. 3.
  • Each row of the table of the division matrix 111 shown in FIG. 4 shows the contents of the XOR operation shown in Equations 1 to 12.
  • Seven divided intermediate expressions 112, t1 to t7, are defined, and the columns in which "1" stands (each corresponding to a column of the division matrix 111 shown in the upper part of FIG. 4) represent the calculation of the following equations.
  • The number of XOR operations is greatly reduced to 25 (reduction rate 34.2%). Accordingly, rather than directly executing the XOR operations based on the division matrix 111 (Equations 1 to 12), calculating the divided intermediate expressions 112 (Equations 13 to 19) in advance and using them to perform the XOR operations based on the division matrix 111 (Equations 1′ to 12′) increases the efficiency and speed of the processing relating to the XOR operations.
  • FIG. 5 is a flowchart showing an outline of an example of the flow of restoration processing for generating the secret data 400 from the divided data 410 by secret sharing in the restoration processing unit 130 of the data dividing device 100.
  • secret sharing processing is performed by (3, 2, 4) ramp-type threshold secret sharing.
  • FIG. 6 is a diagram showing an overview of an example of processing for generating (restoring) secret data 400 from three pieces of divided data 410 by (3, 2, 4) ramp-type threshold secret sharing.
  • When important data to be restored, for example in order to be referenced or edited, is designated by the user via the interface unit 140, the restoration processing unit 130 sets that data as the secret data 400, and requests and acquires from the distribution management unit 120 as many pieces of divided data 410 as are necessary to restore it (three or more in the present embodiment).
  • FIG. 6 shows a case in which three pieces of divided data 410, namely divided data 410a, 410b, and 410c, are used for restoration.
  • This includes both the case where the three pieces of divided data 410a, 410b, and 410c are acquired via the distribution management unit 120 and used for restoration, and the case where all four pieces of divided data 410 are acquired via the distribution management unit 120 and three of them, divided data 410a, 410b, and 410c, are used for restoration.
  • Each unit divided data 411 (a, b, c) extracted from each divided data 410 (a, b, c) is identified as unit divided data 411a, 411b, 411c (or unit divided data 411d) based on information added to a header or the like.
  • Three divided partial data 412 are extracted from each extracted unit divided data 411 (S13). Specifically, as shown in FIG. 6, each of the three unit divided data 411 (a, b, c) of length S / 2 is divided into three equal parts, generating three divided partial data 412 of length S / 6 from each (a1 to a3, b1 to b3, c1 to c3).
  • For each of a plurality of restoration intermediate expressions 132 defined for each combination of the types of the unit divided data 411 identified in step S12, a value is calculated by performing an XOR operation based on the divided partial data 412 extracted in step S13 (S14).
  • A restoration intermediate expression 132 is an XOR expression that appears repeatedly in the overall XOR operation for generating the secret partial data 402 (described later), extracted in advance.
  • The value of each restoration intermediate expression 132 is calculated and held in advance, and the result is reused in the XOR operation based on the restoration matrix 131, which eliminates XOR operations with overlapping contents as far as possible and increases the efficiency and speed of processing.
  • The details of the restoration intermediate expressions 132 will be described later.
  • Pieces of secret partial data 402 are generated (S15). Specifically, as shown in FIG. 6, by multiplying the restoration matrix 131, which defines the XOR operations for each combination of types of unit divided data 411 (restoration matrix 131a in the example of FIG. 6, for the three unit divided data 411 a, b, and c), by the 9-row, 1-column divided data matrix 133a whose elements are the divided partial data 412 (a1 to a3, b1 to b3, and c1 to c3 in the example of FIG. 6), six pieces of secret partial data 402 (s1 to s6), each of length S / 6, are obtained.
  • Unit secret data 401 is generated from the six secret partial data 402 (S16). Specifically, as shown in FIG. 6, the secret partial data 402 s1 to s6 are concatenated to generate unit secret data 401 of length S. Next, the generated unit secret data 401 is linked to the end of the secret data 400 (S17). Specifically, as shown in FIG. 6, the unit secret data 401 of length S is connected to the end of the secret data 400. If there is no secret data 400 to be linked to, the unit secret data 401 itself is set as the secret data 400.
  • the secret data 400 (unit secret data 401 including the secret partial data 402 of s1 to s6) obtained based on the restoration matrix 131 as shown in FIG.
  • The plurality of restoration matrices 131 defined for each combination of the types of the unit divided data 411 identified in step S12 are inverse matrices obtained from the portion of the division matrix 111 related to that combination.
  • FIG. 7 is a diagram showing an example of processing for obtaining the restoration matrix 131a used for restoring the secret data 400 from the divided data 410 (a, b, c) from the divided matrix 111.
  • From the divided matrix 111, the rows corresponding to the divided data 410 (a, b, c) used in the restoration, that is, the nine rows (shaded portions in the figure) from which the corresponding divided partial data 412 (a1 to a3, b1 to b3, c1 to c3) can be obtained, are extracted to obtain a submatrix of 9 rows and 9 columns, as shown in the lower left part of the figure.
  • The inverse of this submatrix is the restoration matrix 131a.
  • The element value “1” in the partition matrix 111 is not the numerical value 1 but a bit that marks an element to be XORed. Therefore, when the inverse matrix is obtained by, for example, the sweep-out method, the restoration matrix 131 can be obtained by treating an element as “1” even when its value becomes −1 through the subtraction in the procedure.
  • FIG. 8 is a diagram showing an example of processing for obtaining the restoration matrix 131b used for restoring the secret data 400 from the divided data 410 (a, b, d) from the divided matrix 111.
  • From the divided matrix 111, the rows corresponding to the divided data 410 (a, b, d) used in the restoration, that is, the nine rows (shaded portions in the figure) from which the divided partial data 412 (a1 to a3, b1 to b3, and d1 to d3) can be obtained, are extracted to obtain a 9 × 9 submatrix, as shown in the lower left part of the figure.
  • the inverse matrix obtained from this partial matrix is the restoration matrix 131b.
  • FIG. 9 is a diagram showing an example of processing for obtaining the restoration matrix 131c used for restoring the secret data 400 from the divided data 410 (a, c, d) from the divided matrix 111.
  • From the divided matrix 111, the rows corresponding to the divided data 410 (a, c, d) used in the restoration, that is, the nine rows (shaded portions in the figure) from which the divided partial data 412 (a1 to a3, c1 to c3, and d1 to d3) can be obtained, are extracted to obtain a 9 × 9 submatrix, as shown in the lower left part of the figure.
  • the inverse matrix obtained from this partial matrix is the restoration matrix 131c.
  • FIG. 10 is a diagram showing an example of processing for obtaining the restoration matrix 131d used for restoring the secret data 400 from the divided data 410 (b, c, d) from the divided matrix 111.
  • From the divided matrix 111, the rows corresponding to the divided data 410 (b, c, d) used in the restoration, that is, the nine rows (shaded portions in the figure) from which the divided partial data 412 (b1 to b3, c1 to c3, and d1 to d3) can be obtained, are extracted to obtain a 9 × 9 submatrix, as shown in the lower left part of the figure.
  • the inverse matrix obtained from this partial matrix is the restoration matrix 131d.
  • FIG. 11 is a diagram showing an outline of an example of calculating the secret part data 402 (s1 to s6) from the divided part data 412 (a1 to a3, b1 to b3, c1 to c3). Similar to FIG. 4 described above, the upper diagram of FIG. 11 schematically shows the contents of the restoration matrix 131a shown in FIG. 7 as a table, and the rows and columns of the table correspond to the rows and columns of the restoration matrix 131a.
  • Five restoration intermediate expressions 132a, w1 to w5, are defined; for each, the columns in which “1” stands (each corresponding to a column of the restoration matrix 131a shown in the upper part of FIG. 11) represent the calculation of the following equation.
  • The restoration intermediate expressions 132a are calculated in advance (equations 26 to 30 above) and then used to execute the XOR operation based on the restoration matrix 131a (formulas 20′ to 25′ described above), which makes the XOR processing more efficient and faster.
  • FIG. 12 is a diagram showing an outline of an example of calculating the secret part data 402 (s1 to s6) from the divided part data 412 (a1 to a3, b1 to b3, d1 to d3).
  • The upper diagram of FIG. 12 schematically shows the contents of the restoration matrix 131b shown in FIG. 8 as a table, and the rows and columns of the table correspond to the rows and columns of the restoration matrix 131b.
  • Five restoration intermediate expressions 132b, x1 to x5, are defined; for each, the columns in which “1” stands (each corresponding to a column of the restoration matrix 131b shown in the upper part of FIG. 12) represent the calculation of the following equation.
  • the formulas (not shown) for obtaining the six secret partial data 402 (s1 to s6) are represented by the following simplified formulas, respectively.
  • FIG. 13 is a diagram showing an outline of an example of calculating the secret part data 402 (s1 to s6) from the divided part data 412 (a1 to a3, c1 to c3, d1 to d3).
  • The upper diagram of FIG. 13 schematically shows the contents of the restoration matrix 131c shown in FIG. 9 as a table, and the rows and columns of the table correspond to the rows and columns of the restoration matrix 131c.
  • Five restoration intermediate expressions 132c, y1 to y5, are defined; for each, the columns in which “1” stands (each corresponding to a column of the restoration matrix 131c shown in the upper part of FIG. 13) represent the calculation of the following equation.
  • multiplication of the restoration matrix 131c and the divided data matrix having the divided partial data 412 (a1 to a3, c1 to c3, d1 to d3) as elements is performed.
  • the formulas (not shown) for obtaining the six secret partial data 402 (s1 to s6) are represented by the following simplified formulas, respectively.
  • FIG. 14 is a diagram showing an outline of an example of calculating the secret part data 402 (s1 to s6) from the divided part data 412 (b1 to b3, c1 to c3, d1 to d3).
  • The upper diagram of FIG. 14 schematically shows the contents of the restoration matrix 131d shown in FIG. 10 as a table, and the rows and columns of the table correspond to the rows and columns of the restoration matrix 131d.
  • Two restoration intermediate expressions 132d, z1 and z2, are defined; for each, the columns in which “1” stands (each corresponding to a column of the restoration matrix 131d shown in the upper part of FIG. 14) represent the calculation of the following equation.
  • z1 = a1 + a3 (Formula 53)
  • z2 = a2 + b1 (Formula 54)
  • multiplication of the restoration matrix 131d and the divided data matrix having the divided partial data 412 (b1 to b3, c1 to c3, d1 to d3) as elements is performed.
  • the formulas (not shown) for obtaining the six secret partial data 402 (s1 to s6) are represented by the following simplified formulas, respectively.
  • the adjusted partition matrix 111 and the partition intermediate expression 112, and the restoration matrix 131 and the restoration intermediate expression 132 in the case of using (3, 2, 4) ramp-type threshold secret sharing are specifically described.
  • The partition matrix 111 and the restoration matrix 131 are obtained with the same idea, and the number of XOR operations can be reduced by defining the partition intermediate expression 112 and the restoration intermediate expression 132, thereby making the processing more efficient and faster.
  • The secret data 400 is divided into n pieces of divided data 410 by (k, L, n) ramp-type threshold secret sharing, and these divided data 410 are distributed and stored in different servers 200 or the like.
  • the confidentiality of the secret data 400 against loss, theft, unauthorized acquisition, etc. of the divided data 410 can be improved, and the availability of the secret data 400 against damage, loss, etc. of the divided data 410 can be increased.
  • The size of each of the n pieces of divided data 410 is reduced to 1/L, and the total data amount is reduced to 1/L compared with (k, n) threshold secret sharing. This makes it possible to reduce the amount of resources used, such as the bandwidth of the network 300 and the storage area, when transmitting and storing each divided data 410.
  • Secret sharing processing is performed by XOR calculation so as to suit bit operations on a computer. That is, a plurality of divided portion data 412 is generated by XOR operations on one or more of the secret partial data 402 obtained by dividing the secret data 400 and one of the random number partial data 403, which are the same length as the secret partial data 402 and half as many; a plurality of divided portion data 412 generated by XOR operations that include mutually different random number partial data 403 are concatenated to generate the unit divided data 411 and the divided data 410. This makes it possible to increase the efficiency and speed of the secret sharing process.
  • the present invention can be used for a data division apparatus and a data division program used to divide important data into a plurality of non-important data using a secret sharing technique and conceal it.
  • DESCRIPTION OF SYMBOLS 100 Data division
  • Network, 400 Secret data
  • 401 Unit secret data
  • 402 Secret partial data
  • 403 Random number partial data, 410, 410a to d ... Divided data, 411, 411a to d ... Unit divided data, 412 ... Divided partial data.
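The restoration steps described above (extract the nine rows for the shares at hand, invert that 9 × 9 submatrix by the sweep-out method, restore by XOR) and the reuse of shared XOR terms, as an added Python example that is not code from the patent. The division matrix 111 itself appears only in the figures, so `build_division_matrix` constructs a hypothetical 12 × 9 stand-in, all function names are assumptions, and `plan_intermediates` is a generic greedy search for repeated XOR pairs rather than the patent's intermediate expressions 132.

```python
import os
from itertools import combinations

def mat_mul(a, b):
    """Product of two 0/1 matrices over GF(2)."""
    return [[sum(x & y for x, y in zip(row, col)) & 1 for col in zip(*b)] for row in a]

def build_division_matrix():
    """Constructed 12x9 stand-in for division matrix 111 (not the patent's own).
    Columns are (s1..s6, r1..r3); share i gets S1 + X*S2 + X^2*R with X = T^i,
    a block Vandermonde layout, so any three shares give an invertible 9x9."""
    ident = [[1, 0, 0], [0, 1, 0], [0, 0, 1]]
    t = [[0, 0, 1], [1, 0, 1], [0, 1, 0]]  # companion matrix of x^3 + x + 1
    rows, x = [], ident
    for _ in range(4):  # shares a, b, c, d
        x2 = mat_mul(x, x)
        rows += [ident[r] + x[r] + x2[r] for r in range(3)]
        x = mat_mul(x, t)
    return rows

def gf2_inverse(matrix):
    """Sweep-out (Gauss-Jordan) inversion over GF(2). Subtracting a row is an
    XOR, so a -1 never appears: it is already the bit 1."""
    n = len(matrix)
    rows = [list(r) + [int(i == j) for j in range(n)] for i, r in enumerate(matrix)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if rows[r][col]), None)
        if pivot is None:
            raise ValueError("matrix is singular over GF(2)")
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for r in range(n):
            if r != col and rows[r][col]:
                rows[r] = [p ^ q for p, q in zip(rows[r], rows[col])]
    return [row[n:] for row in rows]

def restoration_matrix(division, shares):
    """6x9 matrix mapping the nine parts of three shares (indices 0..3) to s1..s6."""
    sub = [division[3 * i + r] for i in shares for r in range(3)]
    return gf2_inverse(sub)[:6]  # rows 7 to 9 would return r1..r3; not needed

def xor_apply(matrix, blocks):
    """Multiply a 0/1 matrix by a column of equal-length byte blocks using XOR."""
    out = []
    for row in matrix:
        acc = bytes(len(blocks[0]))
        for bit, block in zip(row, blocks):
            if bit:
                acc = bytes(p ^ q for p, q in zip(acc, block))
        out.append(acc)
    return out

def split(unit, division, rng=os.urandom):
    """Unit secret data of length S -> four unit divided data of length S/2."""
    if len(unit) % 6:
        raise ValueError("unit length must be a multiple of 6")
    size = len(unit) // 6
    secret_parts = [unit[i * size:(i + 1) * size] for i in range(6)]
    random_parts = [rng(size) for _ in range(3)]
    parts = xor_apply(division, secret_parts + random_parts)
    return [b"".join(parts[3 * i:3 * i + 3]) for i in range(4)]

def restore(shares, division):
    """shares: {share index: bytes} holding exactly three of the four shares."""
    idx = sorted(shares)
    size = len(shares[idx[0]]) // 3
    parts = [shares[i][r * size:(r + 1) * size] for i in idx for r in range(3)]
    return b"".join(xor_apply(restoration_matrix(division, idx), parts))

def plan_intermediates(matrix):
    """Greedy choice of intermediate expressions: factor out the input pair that
    is XORed together in the most rows, until no pair repeats.
    Returns (naive, planned) block-XOR counts for one unit."""
    rows = [{c for c, bit in enumerate(r) if bit} for r in matrix]
    naive = sum(len(r) - 1 for r in rows)
    extra, next_id = 0, len(matrix[0])
    while True:
        counts = {}
        for r in rows:
            for pair in combinations(sorted(r), 2):
                counts[pair] = counts.get(pair, 0) + 1
        best = max(counts, key=counts.get, default=None)
        if best is None or counts[best] < 2:
            break
        for r in rows:
            if set(best) <= r:
                r.difference_update(best)
                r.add(next_id)  # the new intermediate replaces the pair
        extra += 1
        next_id += 1
    return naive, extra + sum(len(r) - 1 for r in rows)

if __name__ == "__main__":
    division = build_division_matrix()
    shares = split(b"constructed unit secret!", division)  # constructed sample input
    recovered = restore({0: shares[0], 2: shares[2], 3: shares[3]}, division)
    print(recovered, plan_intermediates(restoration_matrix(division, [0, 2, 3])))
```

Each restoration matrix depends only on which three shares are present, so it can be computed once per combination and reused for every unit of the secret data.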

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

Provided is a data dividing device that enables overall optimization and acceleration of XOR calculation when dividing confidential data into n items of divided data using (k, L, n) ramp threshold secret sharing and concealing the same, and when restoring confidential data from at least k divided data items. In this representative embodiment the following are performed: unit confidential data of length S that is extracted from confidential data is divided into a plurality of confidential portion data items, and random number portion data items are generated, the number of items being half the number of confidential portion data items and the length of each item being the same as that of the confidential portion data items; a plurality of divided portion data items are generated on the basis of a divided matrix that defines XOR calculation for generating confidential portion data, random number portion data, and divided portion data from at least one confidential portion data item and one random number portion data item; n types of unit divided data of length S/L are generated by linking a plurality of divided portion data items generated by XOR calculation and including respectively different random number portion data items, and the unit divided data items are linked by type and n items of divided data are generated.

Description

Data division apparatus and data division program
The present invention relates to a technique for concealing electronic data, and in particular to a technique that is effective when applied to a data division apparatus and a data division program used to divide important data into a plurality of non-important data using a secret sharing technique and conceal it.
In companies and other organizations that have information systems, measures must be taken to protect important data, such as highly confidential data, in order to prevent information security incidents such as information leakage. Various means for achieving this have been proposed.
As a means of protecting important data, a company might, for example, store it in a data center with multiple layers of security measures. However, building and operating a private data center that can be accessed from outside imposes a heavy burden in terms of technology and cost, and is not easily realized.
Alternatively, a data center that a third party operates and provides externally as a service could be used. However, storing a company's important data in a data center operated and managed by a third party involves a high security risk. Storing important data in virtual data centers and virtual servers in cloud computing environments, whose use has been expanding in recent years, carries an even higher risk, and this is one reason why building information systems that handle important data on cloud computing environments has been slow to spread.
On the other hand, important data is also stored with measures that conceal the data or prevent tampering. Generally, important data is encrypted with an encryption key before storage, but in this case the encrypted data contains all of the information in the important data. Therefore, if, for example, the encrypted data is acquired by a third party and the encryption key is also acquired or broken by that third party for some reason, the important data is easily restored. Even if the encryption key is not acquired, the key has a finite length, so in theory the important data could be restored from the encrypted data in a finite number of trials.
In contrast, so-called secret sharing is also used as a method for strongly concealing important data. In secret sharing, important data is divided and distributed into a plurality of non-important data that are meaningless on their own (the important data cannot be restored or guessed from them), so that even if some of the non-important data is acquired by a third party, restoration of the important data by that third party is impossible even in theory.
Various secret sharing methods have been proposed; for example, the (k, n) threshold secret sharing method described in Non-Patent Document 1 has long been used. In (k, n) threshold secret sharing, the secret data to be concealed is divided into n pieces of divided data. By collecting at least k (k ≤ n) of these n pieces, the secret data can be restored from them. If fewer than k pieces are collected, however, the secret data cannot be restored from them and its contents cannot be inferred (no information about the secret data is obtained).
Therefore, even if some divided data is illegitimately collected by a third party, the secret data is not restored or guessed as long as fewer than k pieces are collected, so the secret data can be strongly concealed. Also, even if some divided data is damaged or lost, the secret data can be restored as long as the number of such pieces is (n − k) or fewer (k or more pieces of divided data remain), so the availability of the secret data can also be increased.
In this (k, n) threshold secret sharing method, the division and restoration of secret data are generally computed using polynomial and modular arithmetic. However, when these operations are carried out by a computer, the computational load is large, so as the amount of secret data grows, CPU (Central Processing Unit) resources are consumed heavily and processing performance deteriorates. In response, methods have been proposed that realize (k, n) threshold secret sharing with bitwise exclusive OR operations (eXclusive OR; hereinafter written "XOR" and denoted by the "+" operator), which are well suited to bit operations on a computer.
For example, Japanese Patent Application Laid-Open No. 2011-41326 (Patent Document 1) discloses a technique that divides secret data efficiently with relatively simple processing: the original data (secret data) is divided at every predetermined length to generate a plurality of original partial data (secret partial data); a random number of the same length as the secret data, or shorter than the secret data, is divided at every said predetermined length to generate a plurality of random number partial data corresponding to each of the secret partial data; and an exclusive OR of the secret partial data and the random number partial data is computed according to a predetermined definition formula to generate a plurality of divided data.
Furthermore, in the general (k, n) threshold secret sharing method, each of the n pieces of divided data generated is the same size as the secret data, so the total amount of the n pieces of divided data after secret sharing is n times the amount of the secret data, which wastes resources such as storage capacity and network bandwidth when the data is stored. In response, techniques have been proposed to reduce the amount of divided data generated by secret sharing, with use in real systems in mind.
For example, the so-called ramp-type (k, L, n) threshold secret sharing method described in Non-Patent Document 2 has been proposed. In the ramp-type secret sharing method, in exchange for relaxing the security condition on data confidentiality, the size of each of the n generated pieces of divided data can be reduced to 1/L of the size of the secret data. That is, the total amount of the n pieces of divided data can be reduced to 1/L of that in (k, n) threshold secret sharing.
In ramp-type secret sharing, as in (k, n) threshold secret sharing, the secret data can be restored by collecting at least k of the n pieces of divided data. When the number of collected pieces is (k − L) or fewer (1 ≤ L ≤ k), the secret data is not restored or guessed; but when more than (k − L) pieces are collected, even if fewer than k, information about the secret data is partially obtained. In this respect it differs from (k, n) threshold secret sharing. When L = 1, it is the same as (k, n) threshold secret sharing (the so-called perfect type).
JP 2011-41326 A
In recent years, as portable information processing terminals such as notebook PCs (Personal Computers), tablet PCs, and so-called smartphones have come into wide use, the risk of information leakage through theft or loss of the terminals themselves has increased. One way to reduce this risk is to store data held on the terminal, including important data, on an external server or the like. Rather than storing the important data as-is on the external server, the secret sharing technique described above can be used, for example, to divide and distribute the important data into non-important divided data and store these in a distributed manner on external servers, which makes it possible to reduce the risk of information leakage even when the data is stored in, for example, a virtual data center or virtual server in a cloud computing environment.
However, such portable terminals usually have less computing capacity to spare than desktop PCs and the like, and the network used to reach the servers where the divided data is stored, such as a wireless link, often has little bandwidth to spare. Secret sharing processing is therefore required to be particularly efficient and fast, and the amount of divided data generated is required to be small.
In this respect, the technique described in Patent Document 1 generates a plurality of divided data by XOR operations on secret partial data and random number partial data, which makes the processing more efficient and faster and, although it is not ramp-type threshold secret sharing, makes the total amount of the n pieces of divided data smaller than with the general (k, n) threshold secret sharing method.
In the technique described in Patent Document 1, the XOR operations require, in principle, as many random number partial data as there are secret partial data, one for each secret partial data, obtained by dividing a random number of the same length as the secret data into pieces of the same length as the secret partial data. For a random number shorter than the secret data, random number partial data is likewise generated by dividing it into pieces of the same length as the secret partial data, and the shortfall is made up by reusing random number partial data already generated, so that each secret partial data still has a counterpart. In this case, one of the generated divided data is made to consist only of random number partial data, and when that divided data is generated, the reused random number partial data is not stored again, avoiding duplication, so that the divided data consisting only of random number partial data can be made smaller.
However, with the method described in Patent Document 1, although the total amount of the n pieces of divided data becomes smaller, the only piece whose size actually shrinks is the one divided data consisting solely of random number partial data; the other divided data are the same size as the secret data. The overall reduction in data amount is therefore not very large, and the resources consumed in transmitting and storing the other divided data are not reduced at all. There are also issues for use in real systems, such as the risk that the divided data consisting solely of random number partial data can be identified by its size.
On the other hand, with the ramp-type (k, L, n) threshold secret sharing method described above, the security condition is somewhat relaxed, but the size of each of the n pieces of divided data is reduced to 1/L, so the total data amount can be reduced to 1/L. For the actual computation as well, methods have been proposed that make the generation of divided data by computer more efficient and faster by using XOR operations between data obtained by dividing the secret data and random numbers.
However, various concrete calculation methods (actual formulas) are conceivable for performing (k, L, n) threshold secret sharing by XOR operations, and processing performance varies greatly depending on the formulas. In addition, efficiency and speed are required of the processing as a whole: not only the performance of generating divided data from secret data by secret sharing, but also the performance of restoring secret data from a plurality of divided data.
Accordingly, an object of the present invention is to provide a data division apparatus and a data division program that make the XOR operation processing more efficient and faster as a whole, both when secret data is divided into n pieces of divided data and concealed by (k, L, n) ramp-type threshold secret sharing and when the secret data is restored from k or more pieces of divided data by (k, L, n) ramp-type threshold secret sharing. The above and other objects and novel features of the present invention will be apparent from the description of this specification and the accompanying drawings.
Of the inventions disclosed in this application, a brief outline of a representative one is as follows.
A data division apparatus according to a representative embodiment of the present invention divides secret data into n pieces of divided data by (k, L, n) ramp-type threshold secret sharing and stores the n pieces of divided data in a distributed manner on different storage devices, and has the following features.
That is, the data division apparatus has a division processing unit that: divides unit secret data of length S extracted from the secret data into a plurality of secret partial data; generates random number partial data of the same length as the secret partial data, half as many as the secret partial data; generates a plurality of divided partial data based on the secret partial data, the random number partial data, and a division matrix that defines the XOR operations for generating divided partial data from one or more of the secret partial data and one of the random number partial data; concatenates a plurality of the divided partial data generated by XOR operations that include mutually different random number partial data to generate n types of unit divided data of length S/L; and concatenates the unit divided data by type to generate n pieces of divided data.
The present invention can also be applied to a program that causes a computer to function as the data division apparatus described above.
The effects obtained by a representative one of the inventions disclosed in this application are briefly described as follows.
According to a representative embodiment of the present invention, the XOR operation processing can be made more efficient and faster as a whole, both when secret data is divided into n pieces of divided data and concealed by (k, L, n) ramp-type threshold secret sharing and when the secret data is restored from k or more pieces of divided data by (k, L, n) ramp-type threshold secret sharing.
A diagram outlining a configuration example of a data dividing device according to an embodiment of the present invention.
A flowchart outlining an example of the flow of division processing that generates divided data from secret data by secret sharing in an embodiment of the present invention.
A diagram outlining an example of processing that generates four pieces of divided data from secret data by (3, 2, 4) ramp-type threshold secret sharing in an embodiment of the present invention.
A diagram outlining an example of calculating divided partial data from secret partial data and random number partial data in an embodiment of the present invention.
A flowchart outlining an example of the flow of restoration processing that generates secret data from divided data by secret sharing in an embodiment of the present invention.
A diagram outlining an example of processing that generates secret data from three pieces of divided data by (3, 2, 4) ramp-type threshold secret sharing in an embodiment of the present invention.
A diagram showing an example of processing that obtains, from the division matrix, the restoration matrix used to restore secret data from the divided data (a, b, c) in an embodiment of the present invention.
A diagram showing an example of processing that obtains, from the division matrix, the restoration matrix used to restore secret data from the divided data (a, b, d) in an embodiment of the present invention.
A diagram showing an example of processing that obtains, from the division matrix, the restoration matrix used to restore secret data from the divided data (a, c, d) in an embodiment of the present invention.
A diagram showing an example of processing that obtains, from the division matrix, the restoration matrix used to restore secret data from the divided data (b, c, d) in an embodiment of the present invention.
A diagram outlining an example of calculating secret partial data from the divided partial data (a1 to a3, b1 to b3, c1 to c3) in an embodiment of the present invention.
A diagram outlining an example of calculating secret partial data from the divided partial data (a1 to a3, b1 to b3, d1 to d3) in an embodiment of the present invention.
A diagram outlining an example of calculating secret partial data from the divided partial data (a1 to a3, c1 to c3, d1 to d3) in an embodiment of the present invention.
A diagram outlining an example of calculating secret partial data from the divided partial data (b1 to b3, c1 to c3, d1 to d3) in an embodiment of the present invention.
Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. In all the drawings used to describe the embodiments, the same parts are in principle denoted by the same reference numerals, and repeated description of them is omitted.
A data dividing device according to an embodiment of the present invention divides secret data into n pieces of divided data by (k, L, n) ramp-type threshold secret sharing and stores these pieces of divided data in a distributed manner in storage devices such as separate servers. This increases the confidentiality of the secret data against loss, theft or unauthorized acquisition of divided data, and increases the availability of the secret data against damage to or destruction of divided data. In addition, because ramp-type secret sharing is used, the security condition is slightly relaxed, but the size of each of the n pieces of divided data is reduced to 1/L, so the total amount of data is reduced to 1/L of that of (k, n) threshold secret sharing. This reduces the use of resources such as network bandwidth and storage space when each piece of divided data is transmitted and stored.
In this embodiment, to make the processing of (k, L, n) ramp-type threshold secret sharing more efficient and faster and so reduce CPU usage, the divided data is generated, as in known techniques, by XOR operations between secret partial data obtained by dividing the secret data and random number partial data of the same length, which suits bitwise operations on a computer. Furthermore, in this embodiment, specifically for (3, 2, 4) ramp-type threshold secret sharing, the formulas and the calculation procedure for the XOR operations are adjusted so that overall processing performance is improved both when generating a plurality of pieces of divided data from secret data and when restoring the secret data from a plurality of pieces of divided data.
<System configuration>
FIG. 1 is a diagram outlining a configuration example of a data dividing device according to an embodiment of the present invention. The data dividing device 100 is a general computer device on which the secret data 400 to be secret-shared is created by the user, or which holds that data. Examples are an information processing terminal such as a PC or mobile terminal used by the user, or a file server to which a plurality of such information processing terminals are connected.
The data dividing device 100 can connect to a plurality of servers 200 via a network 300 such as the Internet. The number of servers 200 is desirably at least n, the n of (k, L, n) ramp-type threshold secret sharing (four in this embodiment, which uses (3, 2, 4) ramp-type threshold secret sharing). Each server 200 is a file server, storage device or the like that can store, in a storage device such as an HDD (Hard Disk Drive), the divided data 410 that the data dividing device 100 generated from the secret data 400 by secret sharing and transmitted via the network 300.
To realize the functions described above, the data dividing device 100 has units such as a division processing unit 110, a distribution management unit 120, a restoration processing unit 130 and an interface unit 140, each implemented, for example, as a software program running on an OS (Operating System), which is not shown.
The division processing unit 110 takes, for example, secret data 400 that the user has instructed, via the interface unit 140 described later, to be stored securely. From it, following a predetermined procedure based on the division matrix 111, which defines XOR-based arithmetic expressions described later, and on the division intermediate expressions 112, it generates by (k, L, n) ramp-type threshold secret sharing ((3, 2, 4) in this embodiment) the n pieces (four in this embodiment) of divided data 410 to be stored in a distributed manner on the servers 200. It also has a random number generation unit 113 that generates the random numbers used in these XOR operations. The random number generation method is not particularly limited, and any known technique can be used as long as it can generate random numbers of at least a predetermined length.
The distribution management unit 120, for example, transmits each piece of divided data 410 generated from the secret data 400 by the division processing unit 110 to a server 200 for distributed storage, according to predetermined conditions based on the contents of the setting information 122, and records and manages in the distribution status 121 which server 200 holds each piece of divided data 410. The setting information 122 can hold in advance, for example, access information (IP address, host name and so on) for each server 200 used as a distributed storage destination, and, when there are more than n servers 200 (n is four in this embodiment), the criteria and conditions for selecting n of them (for example a priority order or ordered list of servers 200, or a rotation method).
When the restoration processing unit 130 described later restores the secret data 400, the distribution management unit 120, at the request of the restoration processing unit 130, collects from the servers 200 the m pieces of divided data 410 needed to restore the secret data 400 and passes them to the restoration processing unit 130. It does so according to the contents of the distribution status 121 and predetermined conditions based on the contents of the setting information 122.
The number m of pieces of divided data 410 to be collected must be at least k, the number of pieces of divided data 410 needed to restore the secret data 400, and all n pieces of divided data 410 may be collected (that is, k ≤ m ≤ n; in this embodiment m = 3 or 4). The setting information 122 can hold in advance, for example, the value of m, the criteria and conditions for selecting the m target servers 200 when m < n, and the method of choosing an alternative server 200 when divided data 410 cannot be obtained from a target server 200 because of a failure or the like.
If, because of a failure of a server 200 or the like, any of the n pieces of divided data 410 cannot be stored on the servers 200 during distributed storage, or k or more pieces cannot be collected when the divided data 410 is gathered, an error may be returned to the user. In addition, when divided data 410 is sent to or received from a server 200, the data dividing device 100 and the server 200 may each apply predetermined encryption to the divided data 410 before transmission, further reducing the risk of information leakage.
The restoration processing unit 130, for example, handles secret data 400 that the user has asked, via the interface unit 140, to view, edit or otherwise use. It requests and obtains from the distribution management unit 120 at least the number of pieces of divided data 410 needed to restore that secret data. It then restores the secret data 400 from the obtained divided data 410 by (k, L, n) ramp-type threshold secret sharing ((3, 2, 4) in this embodiment), following a predetermined procedure based on the restoration matrix 131, which defines XOR-based arithmetic expressions described later, and on the restoration intermediate expressions 132.
The interface unit 140 provides the user interface, such as screen display, of the data dividing device 100 (or of a client terminal, not shown, of the data dividing device 100) and input/output functions such as sending and receiving data. The user can use the functions of the data dividing device 100 through, for example, the file management screen of a general OS.
For example, on the file management screen the user moves important data into a specific folder or the like by a simple operation such as drag and drop. With this as a trigger, the division processing unit 110 and the distribution management unit 120 automatically treat the important data as secret data 400, generate n pieces (four in this embodiment) of divided data 410, and store each piece of divided data 410 on the servers 200 in a distributed manner without the user being aware of it. At this point the secret data 400 is deleted from the data dividing device 100 (and from the user's client terminal of the data dividing device 100), but so that the user does not notice this on the file management screen, a dummy file or the like corresponding to the secret data 400 is created and left in place.
Likewise, the user can view, edit or otherwise work with the secret data 400 by operating, on the file management screen, on the dummy file or the like of the secret data 400 managed in the specific folder. That is, with an operation on the dummy file or the like as a trigger, the distribution management unit 120 and the restoration processing unit 130 automatically collect m pieces (k ≤ m ≤ n; three or four in this embodiment) of divided data 410 from the servers 200 for the secret data 400 corresponding to the dummy file, restore the secret data 400, and make it available to the user.
<Processing flow (division processing)>
FIG. 2 is a flowchart outlining an example of the flow of the division processing in which the division processing unit 110 of the data dividing device 100 generates divided data 410 from the secret data 400 by secret sharing. As described above, in this embodiment the secret sharing is performed by (3, 2, 4) ramp-type threshold secret sharing. FIG. 3 is a diagram outlining an example of processing that generates four pieces of divided data 410 from the secret data 400 by (3, 2, 4) ramp-type threshold secret sharing.
When the user designates, via the interface unit 140, important data to be secret-shared, the division processing unit 110 first treats that important data as the secret data 400 and extracts unit secret data of a predetermined length S from the head of the secret data 400 (S01). This unit secret data is the unit of processing for the XOR-based secret sharing, and in this embodiment the length S is an arbitrary length that is a multiple of 6 bits. If the length of the secret data 400 is less than S, the shortfall is padded with predetermined data such as zeros, for example, to obtain unit secret data of length S.
Next, the extracted unit secret data 401 is divided to generate six pieces of secret partial data (S02). Specifically, as shown in FIG. 3, the unit secret data 401 of length S extracted from the secret data 400 is divided into six equal parts to generate six pieces of secret partial data 402 (s1 to s6), each of length S/6.
The random number generation unit 113 then generates three pieces of random number partial data 403, half the number of pieces of secret partial data 402, each of the same length (S/6) as the secret partial data 402 (S03). Specifically, as shown in FIG. 3, three pieces of random number partial data 403 (r1 to r3) of length S/6 are generated. To generate the random number partial data 403, the random number generation unit 113 may, for example, generate r1 to r3 individually, or it may generate a single random number longer than S/2, which the division processing unit 110 then splits to extract three random numbers of length S/6.
Next, for each of the division intermediate expressions 112, which are defined in advance for use in the XOR operations that generate the divided partial data described later, a value is calculated by XOR operations on the secret partial data 402 (s1 to s6) and the random number partial data 403 (r1 to r3) (S04). The division intermediate expressions 112 are XOR expressions that appear repeatedly across the whole set of XOR operations for generating the divided partial data, extracted as separate expressions. By computing and holding their values in advance and reusing the results in the XOR operations based on the division matrix 111 described later, duplicated XOR operations are eliminated as far as possible, making the processing more efficient and faster. The division intermediate expressions 112 are described in detail later.
Next, XOR operations defined by the division matrix 111 are performed on the secret partial data 402 (s1 to s6) and the random number partial data 403 (r1 to r3) to generate twelve pieces of divided partial data 412 (S05). Specifically, as shown in FIG. 3, the division matrix 111, which defines the XOR operations, is multiplied by the 9-row, 1-column secret data matrix 114, whose elements are the random number partial data 403 (r1 to r3) and the secret partial data 402 (s1 to s6). This yields twelve pieces of divided partial data 412 (a1 to a3, b1 to b3, c1 to c3, d1 to d3), each of length S/6.
That is, the twelve pieces of divided partial data 412 are given by the following equations, obtained by multiplying the division matrix 111 by the secret data matrix 114.
  a1 = r1 + s1 + s2                 (Equation 1)
  a2 = r2 + s3 + s4                 (Equation 2)
  a3 = r3 + s5 + s6                 (Equation 3)
  b1 = r1 + s3 + s5                 (Equation 4)
  b2 = r2 + s1 + s3 + s5 + s6       (Equation 5)
  b3 = r3 + s2 + s4 + s6            (Equation 6)
  c1 = r1 + s3 + s4 + s6            (Equation 7)
  c2 = r2 + s2 + s3 + s4 + s5       (Equation 8)
  c3 = r3 + s1 + s3 + s3 + s5 + s6  (Equation 9)
  d1 = r1 + s1 + s2 + s3 + s5       (Equation 10)
  d2 = r2 + s1 + s4 + s5 + s6       (Equation 11)
  d3 = r3 + s2 + s4 + s5            (Equation 12)
In these equations the operator "+" denotes XOR. In the actual computation, as described later, wherever part of an equation matches one of the division intermediate expressions 112, the value of that expression computed in advance in step S04 is substituted, which reduces the total number of XOR operations.
Next, four pieces (four types) of unit divided data are generated from the twelve pieces of divided partial data 412 (S06). Specifically, as shown in FIG. 3, the divided partial data 412 a1 to a3 are concatenated to generate unit divided data 411a of length S/2. Similarly, the divided partial data 412 b1 to b3, c1 to c3 and d1 to d3 are concatenated to generate unit divided data 411b to 411d. The four generated pieces of unit divided data 411 are then each appended to the end (or a similar position) of the divided data 410 of the corresponding type (S07). Specifically, as shown in FIG. 3, the unit divided data 411a to 411d of length S/2 are appended to the ends of divided data A (410a) to divided data D (410d), respectively. If no divided data 410 exists yet to append to, each piece of unit divided data 411 itself becomes the divided data 410.
Each piece of divided data 410 carries, in a header or the like, information identifying whether it is divided data A (410a), divided data B (410b), divided data C (410c) or divided data D (410d). At restoration time, this header information shows, for each piece of divided data 410 obtained, whether its unit divided data 411 consists of the divided partial data 412 a1 to a3, b1 to b3, c1 to c3 or d1 to d3. Other information may also be added, for example the valid length of the final unit secret data 401 when, in step S01, the unit secret data 401 was extracted by padding with zeros or the like because the secret data 400 was shorter than S.
It is then determined whether any part of the secret data 400 remains unprocessed (S08). If so, the process returns to step S01 and the above series of steps is repeated until nothing remains. When no unprocessed part of the secret data 400 remains, the division processing ends.
The four pieces of divided data 410 (divided data A to D) obtained by the above processing using the division matrix 111 shown in FIG. 3 satisfy the requirements of (3, 2, 4) ramp-type threshold secret sharing. That is, from any single piece of unit divided data 411 making up a piece of divided data 410, no information at all can be obtained about the unit secret data 401 making up the secret data 400 (that is, about the secret partial data 402 s1 to s6).
For example, if a third party obtains divided data A (410a), the unit divided data 411a in it gives that party the divided partial data 412 a1 to a3. Even if the third party knows that these pieces of divided partial data 412 were generated by the three equations 1 to 3 above, the simultaneous equations formed by equations 1 to 3, with r1 to r3 and s1 to s6 as unknowns, cannot be solved.
Moreover, the random components r1 to r3 cannot be eliminated from the simultaneous equations formed by equations 1 to 3, so no information (solution) can be obtained for any of the secret partial data 402 s1 to s6 (that is, the normalized information entropy is 1). The confidentiality of the secret data 400 (the unit secret data 401 consisting of the secret partial data 402 s1 to s6) is therefore preserved. The same holds for each of divided data B (410b) to divided data D (410d).
In other words, consider the three equations (for example, equations 1 to 3 above) that yield the three pieces of divided partial data 412 (for example, a1 to a3) making up each of the four different pieces of unit divided data 411 (for example, unit divided data 411a). If the division matrix 111 is constructed so that each of these equations is expressed as "an XOR of one, or two or more mutually different, pieces of secret partial data 402 (s1 to s6) with one, or two or more mutually different, pieces of random number partial data 403 (r1 to r3)", then each piece of divided data 410 (unit divided data 411) is as random as random data, and no information about the secret data 400 (unit secret data 401) can be obtained from a single piece of divided data 410. In this embodiment, each of the three equations contains exactly one piece of random number partial data 403, different from those in the other two (for example, equation 1 contains only r1, equation 2 only r2, and equation 3 only r3).
On the other hand, the secret data 400 can be restored from three different pieces of divided data 410. That is, the unit divided data 411 in three different pieces of divided data 410 yields all the information in the unit secret data 401 making up the secret data 400 (the secret partial data 402 s1 to s6). For example, if the user collects the three pieces of divided data 410 consisting of divided data A (410a), divided data B (410b) and divided data C (410c), then, as above, a system of simultaneous equations consisting of the nine independent equations 1 to 9 is obtained. Solving it gives the values of the nine variables r1 to r3 and s1 to s6, and the unit secret data 401 and the secret data 400 can be restored from the secret partial data 402 s1 to s6 (that is, the normalized information entropy is zero).
With two different pieces of divided data 410, part of the information in the secret data 400 can be obtained. For example, if the user collects the two pieces of divided data 410 consisting of divided data A (410a) and divided data B (410b), then, as above, a system of simultaneous equations consisting of the six equations 1 to 6 is obtained. This system does not give all the values of r1 to r3 and s1 to s6, but the random components r1 to r3 can be eliminated by combining, for example, equations 1 and 4, equations 2 and 5, and equations 3 and 6, so relations among s1 to s6 are obtained as simple linear expressions. In theory, half of the information in s1 to s6 can be obtained from these expressions (the normalized information entropy is 0.5).
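The one-share, two-share and three-share claims above can be checked mechanically with linear algebra over GF(2). The following Python code is an added example, not code from the patent: it splits a unit with equations 1 to 6 and 10 to 12 (shares A, B and D), counts the independent XOR relations on s1 to s6 that a set of shares reveals, and restores the unit from all three shares. Assumptions: the function names are hypothetical, parts are whole bytes rather than bits, the restoration uses generic Gaussian elimination instead of the patent's restoration matrix, and share C is left out because equation 9 as printed lists s3 twice.

```python
import secrets

# Order of the 9x1 secret data matrix: r1..r3 followed by s1..s6.
VARS = ["r1", "r2", "r3", "s1", "s2", "s3", "s4", "s5", "s6"]
R_MASK = 0b111  # bits 0..2 are the random parts r1..r3

# Equations 1-6 and 10-12 from the text, three per share; "+" there is XOR.
EQUATIONS = {
    "A": ["r1 s1 s2", "r2 s3 s4", "r3 s5 s6"],
    "B": ["r1 s3 s5", "r2 s1 s3 s5 s6", "r3 s2 s4 s6"],
    "D": ["r1 s1 s2 s3 s5", "r2 s1 s4 s5 s6", "r3 s2 s4 s5"],
}


def row_mask(equation):
    """Encode one equation as a bitmask over VARS (bit i set if VARS[i] appears)."""
    mask = 0
    for name in equation.split():
        mask |= 1 << VARS.index(name)
    return mask


def split_unit(unit, rng=secrets.token_bytes):
    """Split one unit of secret data into shares A, B and D (each half its size)."""
    if not unit or len(unit) % 6:
        raise ValueError("unit length must be a positive multiple of 6 bytes")
    n = len(unit) // 6
    value = {f"r{i}": int.from_bytes(rng(n), "big") for i in (1, 2, 3)}
    for i in range(1, 7):
        value[f"s{i}"] = int.from_bytes(unit[(i - 1) * n:i * n], "big")
    shares = {}
    for name, equations in EQUATIONS.items():
        parts = []
        for equation in equations:
            acc = 0
            for var in equation.split():
                acc ^= value[var]
            parts.append(acc.to_bytes(n, "big"))
        shares[name] = b"".join(parts)
    return shares


def gauss_jordan(rows):
    """Reduce [mask, value] rows over GF(2); returns the non-zero reduced rows."""
    rows = [list(row) for row in rows]
    rank = 0
    for bit in range(len(VARS)):
        pivot = next((i for i in range(rank, len(rows)) if rows[i][0] >> bit & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and rows[i][0] >> bit & 1:
                rows[i][0] ^= rows[rank][0]
                rows[i][1] ^= rows[rank][1]
        rank += 1
    return rows[:rank]


def leaked_dimensions(share_names):
    """Number of independent XOR relations on s1..s6 alone that the shares reveal."""
    rows = [[row_mask(eq), 0] for name in share_names for eq in EQUATIONS[name]]
    # r columns are eliminated first, so the r-free rows are exactly the leaked relations.
    return sum(1 for mask, _ in gauss_jordan(rows) if mask & R_MASK == 0)


def reconstruct_unit(shares):
    """Solve the shares' equations for s1..s6; fails if they are not all determined."""
    n = len(next(iter(shares.values()))) // 3
    rows = []
    for name, blob in shares.items():
        for j, equation in enumerate(EQUATIONS[name]):
            part = int.from_bytes(blob[j * n:(j + 1) * n], "big")
            rows.append([row_mask(equation), part])
    solved = dict((mask, value) for mask, value in gauss_jordan(rows))
    try:
        parts = [solved[1 << VARS.index(f"s{i}")] for i in range(1, 7)]
    except KeyError:
        raise ValueError("these shares do not determine every secret part") from None
    return b"".join(part.to_bytes(n, "big") for part in parts)


if __name__ == "__main__":
    unit = b"constructed-secret"  # constructed 18-byte sample unit
    shares = split_unit(unit)
    for combo in (["A"], ["A", "B"], ["A", "B", "D"]):
        print(combo, "reveals", leaked_dimensions(combo), "of 6 dimensions")
    print(reconstruct_unit(shares))
```

The counts of revealed relations out of six correspond to the normalized information entropies of 1, 0.5 and 0 stated in the text.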
In this embodiment, the division matrix 111 used for division in the (3, 2, 4) ramp-type threshold secret sharing shown in FIG. 3 has been adjusted, together with the restoration matrix 131 used to restore the secret data 400 from the divided data 410 as described later, so that the number of XOR operations over the whole of the secret sharing processing (division and restoration) is small. Specifically, for each matrix pattern that can serve as the division matrix 111 (and the restoration matrix 131 derived from it), the number of XOR operations over the whole division and restoration processing was analyzed, taking into account the effect of the intermediate expressions described later, and a pattern with a small number of operations, that is, one that is efficient overall, was obtained. The division matrix 111 shown in FIG. 3 is the adjusted division matrix obtained by this procedure.
Furthermore, in this embodiment, the partition intermediate expressions 112 are used to reduce the number of XOR operations (the “+” operators in Equations 1 to 12) executed when the divided partial data 412 (a1 to a3, b1 to b3, c1 to c3, d1 to d3) is calculated from Equations 1 to 12 in step S05 of FIG. 2. That is, XOR expressions that appear repeatedly in Equations 1 to 12 are defined in advance as partition intermediate expressions 112, and the value of each partition intermediate expression 112 is calculated beforehand in step S04 of FIG. 2. Then, when the divided partial data 412 (a1 to a3, b1 to b3, c1 to c3, d1 to d3) is calculated by the XOR operations of Equations 1 to 12 in step S05, the precomputed result of a partition intermediate expression 112 is used for each part that matches it, which eliminates redundant XOR operations as far as possible and makes the processing more efficient and faster.
<Partition intermediate expressions>
FIG. 4 is a diagram outlining an example of calculating the divided partial data 412 (a1 to a3, b1 to b3, c1 to c3, d1 to d3) from the secret partial data 402 (s1 to s6) and the random number partial data 403 (r1 to r3). The upper part of FIG. 4 shows the contents of the partition matrix 111 of FIG. 3 schematically as a table, whose rows and columns correspond to the rows and columns of the partition matrix 111 shown in FIG. 3. It shows that, in each row, XORing the elements corresponding to the columns marked “1” (for example r1, s1 and s2 for the first row, giving r1+s1+s2) yields the divided partial data 412 corresponding to that row (for example a1 for the first row). That is, each row of the table of the partition matrix 111 shown in FIG. 4 represents the XOR operation of the corresponding one of Equations 1 to 12.
Here, in this embodiment, seven partition intermediate expressions 112, t1 to t7, are defined as shown in the lower part of FIG. 4. Through the columns marked “1” (which correspond to the columns of the partition matrix 111 shown in the upper part of FIG. 4), they represent the following operations.
  t1 = s3 + s4  … Equation 13
  t2 = s1 + s2  … Equation 14
  t3 = s3 + s5  … Equation 15
  t4 = s5 + s6  … Equation 16
  t5 = r3 + s2 + s4  … Equation 17
  t6 = t2 + t3  … Equation 18
  t7 = r2 + s1 + t4  … Equation 19
The figure also shows that, by using the partition intermediate expressions 112 t1 to t7, Equations 1 to 12 are simplified to the following equations, respectively.
  a1 = r1 + t2  … Equation 1'
  a2 = r2 + t1  … Equation 2'
  a3 = r3 + t4  … Equation 3'
  b1 = r1 + t3  … Equation 4'
  b2 = s3 + t7  … Equation 5'
  b3 = s6 + t5  … Equation 6'
  c1 = r1 + s6 + t1  … Equation 7'
  c2 = r2 + s2 + s5 + t1  … Equation 8'
  c3 = r3 + s6 + t6  … Equation 9'
  d1 = r1 + t6  … Equation 10'
  d2 = s4 + t7  … Equation 11'
  d3 = s5 + t5  … Equation 12'
Equations 1 to 12 before simplification contain 38 two-input XOR operations (that is, 38 “+” operators), whereas Equations 1' to 12' (together with Equations 13 to 19, the partition intermediate expressions 112) contain only 25, a large reduction (reduction rate 34.2%). Therefore, compared with directly executing the XOR operations based on the partition matrix 111 (Equations 1 to 12), calculating the partition intermediate expressions 112 (Equations 13 to 19) in advance and then using them to execute the XOR operations based on the partition matrix 111 (Equations 1' to 12') makes the XOR processing more efficient and faster.
Note that the number of XOR operations in the division processing can be reduced further below 25 by adjusting the contents of the partition matrix 111, but in that case the number of XOR operations in the restoration processing described later increases, and the number of XOR operations over the whole division and restoration process is not necessarily minimized. The partition matrix 111 shown in FIG. 3 is the one that the analysis found to be efficient (few XOR operations) when division and restoration are considered as a whole.
<Processing flow (restoration processing)>
FIG. 5 is a flowchart outlining an example of the flow of the restoration processing in which the restoration processing unit 130 of the data dividing device 100 generates the secret data 400 from the divided data 410 by secret sharing. As described above, this embodiment performs the secret sharing processing by (3,2,4) ramp-type threshold secret sharing. FIG. 6 is a diagram outlining an example of the processing that generates (restores) the secret data 400 from three pieces of divided data 410 by (3,2,4) ramp-type threshold secret sharing.
First, as preprocessing for the restoration, when the user designates, via the interface unit 140, the important data to be used for reference, editing or the like, that is, the important data to be restored, the restoration processing unit 130 treats this important data as the secret data 400 and requests and obtains from the distribution management unit 120 at least the number of pieces of divided data 410 needed to restore it (three or more in this embodiment).
The example of FIG. 6 shows the case where three pieces of divided data 410, namely divided data 410a, 410b and 410c, are used for restoration. This covers both the case where the three pieces of divided data 410a, 410b and 410c are obtained via the distribution management unit 120 and used for restoration, and the case where all four pieces of divided data 410 are obtained via the distribution management unit 120 and three of them, 410a, 410b and 410c, are used for restoration.
On obtaining the three pieces of divided data 410, the restoration processing unit 130 first extracts unit divided data 411 (a, b, c) of a predetermined length S/2 from the head of each of the three pieces of divided data 410 (S11). The unit divided data 411 is the unit of processing for the XOR-based secret sharing. Next, the type of each piece of extracted unit divided data 411 is identified (S12). In the example of FIG. 6, for each piece of unit divided data 411 (a, b, c) extracted from the divided data 410 (a, b, c), it is determined from information attached to a header or the like whether it is unit divided data 411a, 411b or 411c (or unit divided data 411d).
Next, three pieces of divided partial data 412 are extracted from each piece of extracted unit divided data 411 (S13). Specifically, as shown in FIG. 6, each of the three pieces of unit divided data 411 (a, b, c) of length S/2 is divided into three equal parts, producing three pieces of divided partial data 412 of length S/6 from each (a1 to a3, b1 to b3, c1 to c3).
Next, for use in the XOR operations that generate the secret partial data 402 described later, the value of each of the restoration intermediate expressions 132, which are defined for each combination of types of unit divided data 411 identified in step S12, is calculated by XOR operations on the divided partial data 412 extracted in step S13 (S14). Like the partition intermediate expressions 112 above, the restoration intermediate expressions 132 are XOR expressions that appear repeatedly across the XOR operations for generating the secret partial data 402 described later, extracted as restoration intermediate expressions 132. Their values are calculated and held in advance, and the results are used during the XOR operations based on the restoration matrix 131, which eliminates duplicated XOR operations as far as possible and makes the processing more efficient and faster. The restoration intermediate expressions 132 are described in detail later.
Next, XOR operations are performed on the divided partial data 412 extracted in step S13, according to the restoration matrix 131 defined for the combination of types of unit divided data 411 identified in step S12, to generate six pieces of secret partial data 402 (S15). Specifically, as shown in FIG. 6, six pieces of secret partial data 402 (s1 to s6), each of length S/6, are obtained by multiplying the restoration matrix 131, which defines the XOR operations for each combination of types of unit divided data 411 (restoration matrix 131a for the three pieces of unit divided data 411 a, b and c in the example of FIG. 6), by the 9-row, 1-column divided data matrix 133a whose elements are the divided partial data 412 (a1 to a3, b1 to b3 and c1 to c3 in the example of FIG. 6).
That is, as in the example of FIG. 6, when the three pieces of divided data 410a, 410b and 410c are used, the six pieces of secret partial data 402 are obtained by the following equations, which result from multiplying the restoration matrix 131a by the divided data matrix 133a.
  s1 = a2 + b1 + b2 + c1  … Equation 20
  s2 = a1 + a2 + a3 + b1 + c2 + c3  … Equation 21
  s3 = a1 + b2 + c1 + c2  … Equation 22
  s4 = a2 + a3 + b3 + c2  … Equation 23
  s5 = a1 + a3 + b1 + c3  … Equation 24
  s6 = a1 + a2 + b3 + c1 + c2 + c3  … Equation 25
The matrix multiplication above can also yield the random number partial data 403 (r1 to r3), but this is not needed to restore the secret data 400, so that processing is omitted. As in the division processing, in the actual calculation the values of the restoration intermediate expressions 132 calculated in advance in step S14 are substituted into the parts of Equations 20 to 25 that match each restoration intermediate expression 132, as described later, which reduces the total number of XOR operations.
Next, unit secret data 401 is generated from the six pieces of secret partial data 402 (S16). Specifically, as shown in FIG. 6, the secret partial data 402 s1 to s6 are concatenated to generate unit secret data 401 of length S. The generated unit secret data 401 is then appended to the secret data 400, for example at its end (S17). Specifically, as shown in FIG. 6, the unit secret data 401 of length S is appended to the end of the secret data 400. If there is no secret data 400 to append to yet, the unit secret data 401 itself becomes the secret data 400.
It is then determined whether any unprocessed remainder is left in each piece of divided data 410 (S18). If there is, the process returns to step S11 and the above series of steps is repeated until no remainder is left in any piece of divided data 410. When no unprocessed remainder is left in any piece of divided data 410, the restoration processing ends.
The secret data 400 (the unit secret data 401 consisting of the secret partial data 402 s1 to s6) obtained by the above procedure from a restoration matrix 131 such as the one shown in FIG. 6 is identical to the original important data. This is because each of the restoration matrices 131, defined for each combination of types of unit divided data 411 identified in step S12, is the inverse of the part of the partition matrix 111 that corresponds to that combination.
FIG. 7 is a diagram showing an example of the processing that obtains, from the partition matrix 111, the restoration matrix 131a used to restore the secret data 400 from the divided data 410 (a, b, c). To obtain the restoration matrix 131a, as shown in the upper part of FIG. 7, the rows of the partition matrix 111 that correspond to the divided data 410 (a, b, c) used for restoration, that is, the nine rows (shaded in the figure) that yield the corresponding divided partial data 412 (a1 to a3, b1 to b3, c1 to c3), are extracted to obtain a 9-row, 9-column submatrix as shown in the lower left of FIG. 7.
From this submatrix, the inverse matrix shown in the lower right of FIG. 7 is obtained, for example by Gauss-Jordan elimination (the sweep-out method). This inverse matrix is the restoration matrix 131a. Note that an element value “1” in the partition matrix 111 is not the number 1 but a bit that selects an element to be XORed. Therefore, when the inverse is obtained by, for example, the sweep-out method, the restoration matrix 131 can be obtained by treating an element as “1” even when subtraction during the procedure makes its value -1.
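The following Python sketch is an added example, not code from the patent. It rebuilds the partition matrix rows by evaluating Equations 13 to 19 and 1' to 12' on basis vectors, inverts the 9-row, 9-column submatrix over GF(2) as described above, and counts how much of s1 to s6 a given set of shares exposes (the two-share case discussed earlier). All function names are hypothetical, 32-bit words stand in for partial data of length S/6, and the same inversion is applied to all four three-share combinations rather than only (a, b, c).

```python
import itertools
import secrets
from functools import reduce
from operator import xor

# Column order of the partition matrix: random parts first, then secret parts.
VARS = ["r1", "r2", "r3", "s1", "s2", "s3", "s4", "s5", "s6"]


def split_unit(v):
    """Equations 13-19, then 1'-12': map r1..r3 and s1..s6 to a1..d3.
    Only XOR is used, so v may hold data words or symbolic bit masks."""
    t1 = v["s3"] ^ v["s4"]
    t2 = v["s1"] ^ v["s2"]
    t3 = v["s3"] ^ v["s5"]
    t4 = v["s5"] ^ v["s6"]
    t5 = v["r3"] ^ v["s2"] ^ v["s4"]
    t6 = t2 ^ t3
    t7 = v["r2"] ^ v["s1"] ^ t4
    return {
        "a1": v["r1"] ^ t2, "a2": v["r2"] ^ t1, "a3": v["r3"] ^ t4,
        "b1": v["r1"] ^ t3, "b2": v["s3"] ^ t7, "b3": v["s6"] ^ t5,
        "c1": v["r1"] ^ v["s6"] ^ t1,
        "c2": v["r2"] ^ v["s2"] ^ v["s5"] ^ t1,
        "c3": v["r3"] ^ v["s6"] ^ t6,
        "d1": v["r1"] ^ t6, "d2": v["s4"] ^ t7, "d3": v["s5"] ^ t5,
    }


def partition_rows():
    """Partition matrix rows as 9-bit masks (bit j set: VARS[j] is XORed in).
    XOR is linear, so evaluating the equations on basis vectors yields them."""
    return split_unit({name: 1 << j for j, name in enumerate(VARS)})


def partials(shares):
    """Names of the divided partial data in the given shares ('ab' -> a1..b3)."""
    return [s + str(i) for s in shares for i in (1, 2, 3)]


def restoration_matrix(shares):
    """Gauss-Jordan elimination over GF(2) on the submatrix for three shares.
    Returns {variable: [partials whose XOR equals it]}."""
    rows, names = partition_rows(), partials(shares)
    # Augmented rows [M | I]: left mask over VARS, right mask over names.
    work = [[rows[n], 1 << k] for k, n in enumerate(names)]
    for col in range(len(VARS)):
        pivot = next((i for i in range(col, len(work))
                      if work[i][0] >> col & 1), None)
        if pivot is None:
            raise ValueError("these shares do not determine every variable")
        work[col], work[pivot] = work[pivot], work[col]
        for i, row in enumerate(work):
            if i != col and row[0] >> col & 1:
                row[0] ^= work[col][0]  # subtraction is XOR in GF(2)
                row[1] ^= work[col][1]
    return {VARS[c]: [n for k, n in enumerate(names) if work[c][1] >> k & 1]
            for c in range(len(VARS))}


def restore_unit(parts, shares):
    """Recover [s1..s6] from the partials of three shares."""
    inv = restoration_matrix(shares)
    return [reduce(xor, (parts[x] for x in inv[s]), 0) for s in VARS[3:]]


def gf2_rank(masks):
    """Rank of a set of bit-mask rows over GF(2)."""
    basis = []
    for m in masks:
        for b in basis:
            m = min(m, m ^ b)  # clears the top bit of b from m if present
        if m:
            basis.append(m)
    return len(basis)


def leaked_dimensions(shares):
    """Independent XOR relations among s1..s6 alone that the shares reveal."""
    masks = [partition_rows()[n] for n in partials(shares)]
    return gf2_rank(masks) - gf2_rank([m & 0b111 for m in masks])


def demo():
    """Split one constructed unit; restore it from every 3-share subset."""
    v = {name: secrets.randbits(32) for name in VARS}  # constructed sample words
    parts = split_unit(v)
    want = [v[s] for s in VARS[3:]]
    return all(restore_unit(parts, c) == want
               for c in itertools.combinations("abcd", 3))


if __name__ == "__main__":
    print(demo(), restoration_matrix("abc")["s1"], leaked_dimensions("ab"))
```

For shares (a, b, c) the computed rows for s1 to s6 coincide with Equations 20 to 25, and the leak count is the number of independent relations among s1 to s6 that remain once the random parts are eliminated.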
Similarly, FIG. 8 is a diagram showing an example of the processing that obtains, from the partition matrix 111, the restoration matrix 131b used to restore the secret data 400 from the divided data 410 (a, b, d). As shown in the upper part of FIG. 8, the rows of the partition matrix 111 that correspond to the divided data 410 (a, b, d) used for restoration, that is, the nine rows (shaded in the figure) that yield the corresponding divided partial data 412 (a1 to a3, b1 to b3, d1 to d3), are extracted to obtain a 9-row, 9-column submatrix as shown in the lower left of FIG. 8. The inverse of this submatrix is the restoration matrix 131b.
Similarly, FIG. 9 is a diagram showing an example of the processing that obtains, from the partition matrix 111, the restoration matrix 131c used to restore the secret data 400 from the divided data 410 (a, c, d). As shown in the upper part of FIG. 9, the rows of the partition matrix 111 that correspond to the divided data 410 (a, c, d) used for restoration, that is, the nine rows (shaded in the figure) that yield the corresponding divided partial data 412 (a1 to a3, c1 to c3, d1 to d3), are extracted to obtain a 9-row, 9-column submatrix as shown in the lower left of FIG. 9. The inverse of this submatrix is the restoration matrix 131c.
Similarly, FIG. 10 is a diagram showing an example of the processing that obtains, from the partition matrix 111, the restoration matrix 131d used to restore the secret data 400 from the divided data 410 (b, c, d). As shown in the upper part of FIG. 10, the rows of the partition matrix 111 that correspond to the divided data 410 (b, c, d) used for restoration, that is, the nine rows (shaded in the figure) that yield the corresponding divided partial data 412 (b1 to b3, c1 to c3, d1 to d3), are extracted to obtain a 9-row, 9-column submatrix as shown in the lower left of FIG. 10. The inverse of this submatrix is the restoration matrix 131d.
<Restoration intermediate expressions>
FIG. 11 is a diagram outlining an example of calculating the secret partial data 402 (s1 to s6) from the divided partial data 412 (a1 to a3, b1 to b3, c1 to c3). As in FIG. 4 above, the upper part of FIG. 11 shows the contents of the restoration matrix 131a of FIG. 7 schematically as a table, whose rows and columns correspond to those of the restoration matrix 131a shown in FIG. 7.
Here, in this embodiment, five restoration intermediate expressions 132a, w1 to w5, are defined as shown in the lower part of FIG. 11. Through the columns marked “1” (which correspond to the columns of the restoration matrix 131a shown in the upper part of FIG. 11), they represent the following operations.
  w1 = b2 + c1  … Equation 26
  w2 = a3 + b1  … Equation 27
  w3 = a1 + c3  … Equation 28
  w4 = a2 + c2  … Equation 29
  w5 = w3 + w4  … Equation 30
The figure also shows that, by using the restoration intermediate expressions 132a w1 to w5, Equations 20 to 25 are simplified to the following equations, respectively.
  s1 = a2 + b1 + w1  … Equation 20'
  s2 = w2 + w5  … Equation 21'
  s3 = a1 + c2 + w1  … Equation 22'
  s4 = a3 + b3 + w4  … Equation 23'
  s5 = w2 + w3  … Equation 24'
  s6 = b3 + c1 + w5  … Equation 25'
Equations 20 to 25 before simplification contain 22 two-input XOR operations, whereas Equations 20' to 25' (together with Equations 26 to 30, the restoration intermediate expressions 132a) contain only 15, a large reduction (reduction rate 31.8%). Therefore, compared with directly executing the XOR operations based on the restoration matrix 131a (Equations 20 to 25), calculating the restoration intermediate expressions 132a (Equations 26 to 30) in advance and then using them to execute the XOR operations based on the restoration matrix 131a (Equations 20' to 25') makes the XOR processing more efficient and faster.
Similarly, FIG. 12 is a diagram outlining an example of calculating the secret partial data 402 (s1 to s6) from the divided partial data 412 (a1 to a3, b1 to b3, d1 to d3). The upper part of FIG. 12 shows the contents of the restoration matrix 131b of FIG. 8 schematically as a table, whose rows and columns correspond to those of the restoration matrix 131b shown in FIG. 8. In this embodiment, five restoration intermediate expressions 132b, x1 to x5, are defined as shown in the lower part of FIG. 12. Through the columns marked “1” (which correspond to the columns of the restoration matrix 131b shown in the upper part of FIG. 12), they represent the following operations.
  x1 = a1 + a3  … Equation 31
  x2 = a2 + b1  … Equation 32
  x3 = b2 + b3 + d2 + x1  … Equation 33
  x4 = d3 + x1 + x2  … Equation 34
  x5 = a3 + b2 + d1 + x2  … Equation 35
The figure also shows that, by using the restoration intermediate expressions 132b x1 to x5, the equations (not shown) that yield the six pieces of secret partial data 402 (s1 to s6) by multiplying the restoration matrix 131b by the divided data matrix whose elements are the divided partial data 412 (a1 to a3, b1 to b3, d1 to d3) are expressed by the following simplified equations, respectively.
  s1 = b1 + x3  … Equation 36'
  s2 = d1 + x3  … Equation 37'
  s3 = b2 + x4  … Equation 38'
  s4 = d2 + x4  … Equation 39'
  s5 = d3 + x5  … Equation 40'
  s6 = b3 + x5  … Equation 41'
Before simplification there are 30 XOR operations, whereas Equations 36' to 41' (together with Equations 31 to 35, the restoration intermediate expressions 132b) contain only 16, a large reduction (reduction rate 46.6%).
Similarly, FIG. 13 is a diagram outlining an example of calculating the secret partial data 402 (s1 to s6) from the divided partial data 412 (a1 to a3, c1 to c3, d1 to d3). The upper part of FIG. 13 shows the contents of the restoration matrix 131c of FIG. 9 schematically as a table, whose rows and columns correspond to those of the restoration matrix 131c shown in FIG. 9. In this embodiment, five restoration intermediate expressions 132c, y1 to y5, are defined as shown in the lower part of FIG. 13. Through the columns marked “1” (which correspond to the columns of the restoration matrix 131c shown in the upper part of FIG. 13), they represent the following operations.
  y1 = a2 + c2  … Equation 42
  y2 = a3 + c3  … Equation 43
  y3 = c2 + d2  … Equation 44
  y4 = a1 + c1  … Equation 45
  y5 = c3 + d3  … Equation 46
The figure also shows that, by using the restoration intermediate expressions 132c y1 to y5, the equations (not shown) that yield the six pieces of secret partial data 402 (s1 to s6) by multiplying the restoration matrix 131c by the divided data matrix whose elements are the divided partial data 412 (a1 to a3, c1 to c3, d1 to d3) are expressed by the following simplified equations, respectively.
  s1 = a1 + d1 + y1 + y2  … Equation 47'
  s2 = y4 + y5  … Equation 48'
  s3 = c1 + d1 + y1 + y5  … Equation 49'
  s4 = y3 + y4  … Equation 50'
  s5 = s2 + y1  … Equation 51'
  s6 = y2 + y3  … Equation 52'
Before simplification there are 24 XOR operations, whereas Equations 47' to 52' (together with Equations 42 to 46, the restoration intermediate expressions 132c) contain only 15, a large reduction (reduction rate 37.5%).
Similarly, FIG. 14 is a diagram outlining an example of calculating the secret partial data 402 (s1 to s6) from the divided partial data 412 (b1 to b3, c1 to c3, d1 to d3). The upper part of FIG. 14 shows the contents of the restoration matrix 131d of FIG. 10 schematically as a table, whose rows and columns correspond to those of the restoration matrix 131d shown in FIG. 10. In this embodiment, two restoration intermediate expressions 132d, z1 and z2, are defined as shown in the lower part of FIG. 14. Through the columns marked “1” (which correspond to the columns of the restoration matrix 131d shown in the upper part of FIG. 14), they represent the following operations.
  z1 = a1 + a3  … Equation 53
  z2 = a2 + b1  … Equation 54
The figure also shows that, by using the restoration intermediate expressions 132d z1 and z2, the equations (not shown) that yield the six pieces of secret partial data 402 (s1 to s6) by multiplying the restoration matrix 131d by the divided data matrix whose elements are the divided partial data 412 (b1 to b3, c1 to c3, d1 to d3) are expressed by the following simplified equations, respectively.
  s1 = d1 + z2  … Equation 55'
  s2 = b1 + z2  … Equation 56'
  s3 = b2 + d2 + s4  … Equation 57'
  s4 = b1 + d3 + z1  … Equation 58'
  s5 = b2 + c1 + c2 + d1  … Equation 59'
  s6 = b3 + d3 + s5  … Equation 60'
Before simplification there are 26 XOR operations, whereas Equations 55' to 60' (together with Equations 53 and 54, the restoration intermediate expressions 132d) contain only 15, a large reduction (reduction rate 42.3%).
Although this embodiment has specifically described the tuned partition matrix 111 and partition intermediate expressions 112, and the restoration matrices 131 and restoration intermediate expressions 132, for the case of (3,2,4) ramp-type threshold secret sharing, the approach is not limited to the (3,2,4) type. For other (k,L,n) types as well, the partition matrix 111 and restoration matrices 131 can be obtained on the same principle, and partition intermediate expressions 112 and restoration intermediate expressions 132 can be defined to reduce the number of XOR operations and make the processing more efficient and faster.
As described above, with the data dividing device 100 according to an embodiment of the present invention and the data dividing program running on it, the secret data 400 is divided into n pieces of divided data 410 by (k,L,n) ramp-type threshold secret sharing, and these pieces of divided data 410 are stored in a distributed manner on different servers 200 or the like. This increases the confidentiality of the secret data 400 against loss, theft, unauthorized acquisition and the like of the divided data 410, and also increases the availability of the secret data 400 against damage, destruction and the like of the divided data 410.
 また、ランプ型の秘密分散を用いることから、安全性の条件は若干緩められるものの、n個の各分割データ410のサイズを1/Lに縮小して、全体でのデータ量を(k,n)閾値秘密分散の場合と比べて1/Lに縮小する。これにより、各分割データ410を送信・保管する際のネットワーク300の帯域や記憶領域などのリソース使用量を低減させることが可能となる。 In addition, since the security condition is slightly relaxed because ramp-type secret sharing is used, the size of each of the n pieces of divided data 410 is reduced to 1 / L, and the total data amount is reduced to (k, n ) Reduced to 1 / L compared to threshold secret sharing. This makes it possible to reduce the amount of resources used such as the bandwidth and storage area of the network 300 when transmitting and storing each divided data 410.
 また、(k,L,n)ランプ型閾値秘密分散において、コンピュータでのビット演算に適するよう、XOR演算により秘密分散処理を行う。すなわち、秘密データ400を分割した秘密部分データ402のうちの1個以上と、秘密部分データ402と同じ長さで秘密部分データ402の半数の乱数部分データ403のうちの1個とのXOR演算に基づいて複数の分割部分データ412を生成し、それぞれ異なる乱数部分データ403を含むXOR演算により生成された複数の分割部分データ412を連結して単位分割データ411および分割データ400を生成する。これにより、秘密分散処理を効率化・高速化することが可能となる。 Also, in (k, L, n) ramp type threshold secret sharing, secret sharing processing is performed by XOR calculation so as to be suitable for bit calculation in a computer. That is, an XOR operation of one or more of the secret partial data 402 obtained by dividing the secret data 400 and one of the random number partial data 403 that is the same length as the secret partial data 402 and half the secret partial data 402 is performed. Based on this, a plurality of divided portion data 412 is generated, and a plurality of divided portion data 412 generated by an XOR operation including different random number portion data 403 is concatenated to generate unit divided data 411 and divided data 400. This makes it possible to increase the efficiency and speed of the secret sharing process.
 さらに、本実施の形態では、具体的に(3,2,4)ランプ型閾値秘密分散において、XOR演算を行うための計算式(分割行列111、および復元行列131)を調整し、また、中間式(分割中間式112、および復元中間式132)を用いて計算手順を調整することで、XOR演算の数を大きく低減させる(上述の分割中間式および復元中間式の例では中間式による低減率は平均すると40.2%)ことを実現している。これにより、秘密データ400から(3,2,4)ランプ型閾値秘密分散により複数の分割データ410を生成し、また複数の分割データ410から秘密データ400を復元することを実際に可能とし、さらにそれらの際の処理性能を全体として向上させることが可能となる。 Further, in the present embodiment, specifically, in (3, 2, 4) ramp type threshold secret sharing, calculation formulas (partition matrix 111 and restoration matrix 131) for performing an XOR operation are adjusted, and intermediate The number of XOR operations is greatly reduced by adjusting the calculation procedure using the equations (the divided intermediate equation 112 and the restored intermediate equation 132) (in the above example of the divided intermediate equation and the restored intermediate equation, the reduction rate by the intermediate equation) (40.2% on average). Thereby, it is actually possible to generate a plurality of divided data 410 from the secret data 400 by (3, 2, 4) ramp-type threshold secret sharing, and to restore the secret data 400 from the plurality of divided data 410, It becomes possible to improve the processing performance at that time as a whole.
 以上、本発明者によってなされた発明を実施の形態に基づき具体的に説明したが、本発明は前記実施の形態に限定されるものではなく、その要旨を逸脱しない範囲で種々変更可能であることはいうまでもない。 As mentioned above, the invention made by the present inventor has been specifically described based on the embodiment. However, the present invention is not limited to the embodiment, and various modifications can be made without departing from the scope of the invention. Needless to say.
 本発明は、重要データを秘密分散技術により複数の非重要データに分割して秘匿化する際のデータ分割装置およびデータ分割プログラムに利用可能である。 The present invention can be used for a data division apparatus and a data division program used to divide important data into a plurality of non-important data using a secret sharing technique and conceal it.
DESCRIPTION OF SYMBOLS
100 ... data dividing device, 110 ... division processing unit, 111 ... division matrix, 112 ... division intermediate expression, 113 ... random number generation unit, 114 ... secret data matrix, 120 ... distribution management unit, 121 ... distribution status, 122 ... setting information, 130 ... restoration processing unit, 131, 131a to d ... restoration matrix, 132, 132a to d ... restoration intermediate expression, 133a ... divided data matrix, 140 ... interface unit,
200 ... server,
300 ... network,
400 ... secret data, 401 ... unit secret data, 402 ... secret partial data, 403 ... random number partial data, 410, 410a to d ... divided data, 411, 411a to d ... unit divided data, 412 ... divided partial data.


Claims (15)

  1.  A data dividing device that divides secret data into n pieces of divided data by (k, L, n) ramp-type threshold secret sharing and stores the n pieces of divided data in a distributed manner in respectively different storage devices, the data dividing device comprising a division processing unit that:
    divides unit secret data of length S extracted from the secret data into a plurality of pieces of secret partial data;
    generates pieces of random number partial data that have the same length as the secret partial data and number half as many as the pieces of secret partial data;
    generates a plurality of pieces of divided partial data based on the secret partial data, the random number partial data, and a division matrix that defines XOR operations for generating divided partial data from one or more pieces of the secret partial data and one piece of the random number partial data;
    concatenates a plurality of pieces of the divided partial data, each generated by an XOR operation containing a different piece of the random number partial data, to generate n types of unit divided data of length S/L; and
    concatenates the unit divided data for each type to generate the n pieces of divided data.
  2.  The data dividing device according to claim 1, further comprising a restoration processing unit that:
    extracts a plurality of pieces of the divided partial data from each piece of the unit divided data of length S/2 extracted from each of k pieces of the divided data;
    generates a plurality of pieces of the secret partial data by XOR operations on the extracted divided partial data, based on a restoration matrix that is the inverse of the submatrix of the division matrix corresponding to the combination of types of the divided data;
    concatenates the generated secret partial data to generate the unit secret data of length S; and
    concatenates the generated unit secret data to generate the secret data.
  3.  The data dividing device according to claim 2, wherein
    the division processing unit or the restoration processing unit defines, as intermediate expressions, XOR expressions that appear more than once in the XOR operations based on the division matrix or the restoration matrix, and, when performing the XOR operations based on the division matrix or the restoration matrix, substitutes the previously calculated values of the intermediate expressions into the portions that match the intermediate expressions.
  4.  A data dividing device that divides secret data into four pieces of divided data by (3, 2, 4) ramp-type threshold secret sharing and stores the four pieces of divided data in a distributed manner in respectively different storage devices, the data dividing device comprising a division processing unit that:
    divides unit secret data of length S extracted from the secret data into six pieces of secret partial data of length S/6;
    generates three pieces of random number partial data of length S/6;
    generates twelve pieces of divided partial data based on the secret partial data, the random number partial data, and a division matrix that defines XOR operations for generating divided partial data from one or more pieces of the secret partial data and one piece of the random number partial data;
    concatenates three pieces of the divided partial data, each generated by an XOR operation containing a different piece of the random number partial data, to generate four types of unit divided data of length S/2; and
    concatenates the unit divided data for each type to generate the four pieces of divided data.
  5.  The data dividing device according to claim 4, further comprising a restoration processing unit that:
    extracts three pieces of the divided partial data from each piece of the unit divided data of length S/2 extracted from each of three pieces of the divided data;
    generates the six pieces of secret partial data by XOR operations on the extracted divided partial data, based on a restoration matrix that is the inverse of the submatrix of the division matrix corresponding to the combination of types of the divided data;
    concatenates the generated secret partial data to generate the unit secret data of length S; and
    concatenates the generated unit secret data to generate the secret data.
  6.  The data dividing device according to claim 4, wherein
    the XOR expressions, defined by the division matrix, for generating the twelve pieces of divided partial data from one or more pieces of the secret partial data (s1 to s6) and one piece of the random number partial data (r1 to r3) are
    a1 = r1 + s1 + s2
    a2 = r2 + s3 + s4
    a3 = r3 + s5 + s6
    b1 = r1 + s3 + s5
    b2 = r2 + s1 + s3 + s5 + s6
    b3 = r3 + s2 + s4 + s6
    c1 = r1 + s3 + s4 + s6
    c2 = r2 + s2 + s3 + s4 + s5
    c3 = r3 + s1 + s3 + s3 + s5 + s6
    d1 = r1 + s1 + s2 + s3 + s5
    d2 = r2 + s1 + s4 + s5 + s6
    d3 = r3 + s2 + s4 + s5
    and the three pieces of divided partial data in each of a1 to a3, b1 to b3, c1 to c3, and d1 to d3 are concatenated to generate the four types A to D of the unit partial data.
  7.  The data dividing device according to claim 6, wherein
    the XOR expressions, based on the restoration matrix, for generating the secret partial data from the divided partial data are, when the types of the divided data are A, B, and C,
    s1 = a2 + b1 + b2 + c1
    s2 = a1 + a2 + a3 + b1 + c2 + c3
    s3 = a1 + b2 + c1 + c2
    s4 = a2 + a3 + b3 + c2
    s5 = a1 + a3 + b1 + c3
    s6 = a1 + a2 + b3 + c1 + c2 + c3
    when the types of the divided data are A, B, and D,
    s1 = a1 + a3 + b1 + b2 + b3 + d2
    s2 = a1 + a3 + b2 + b3 + d1 + d2
    s3 = a1 + a2 + a3 + b1 + b2 + d3
    s4 = a1 + a2 + a3 + b1 + d2 + d3
    s5 = a2 + a3 + b1 + b2 + d1 + d3
    s6 = a2 + a3 + b1 + b2 + b3 + d1
    when the types of the divided data are A, C, and D,
    s1 = a1 + a2 + a3 + c2 + c3 + d1
    s2 = a1 + c1 + c3 + d3
    s3 = a2 + c1 + c2 + c3 + d1 + d3
    s4 = a1 + c1 + c2 + d2
    s5 = a1 + a2 + c1 + c2 + c3 + d3
    s6 = a3 + c2 + c3 + d2
    and, when the types of the divided data are B, C, and D,
    s1 = b3 + c1 + c2 + c3 + d1 + d2
    s2 = b1 + b3 + c1 + c2 + c3 + d2
    s3 = b1 + b2 + b3 + c1 + d2 + d3
    s4 = b1 + b3 + c1 + d3
    s5 = b2 + c1 + c2 + d1
    s6 = b2 + b3 + c1 + c2 + d1 + d3
    and the six pieces of secret partial data s1 to s6 are concatenated to generate the unit partial data.
  8.  The data dividing device according to claim 6, wherein
    the division processing unit takes the expressions
    t1 = s3 + s4
    t2 = s1 + s2
    t3 = s3 + s5
    t4 = s5 + s6
    t5 = r3 + s2 + s4
    t6 = t2 + t3
    t7 = r2 + s1 + t4
    in the XOR expressions based on the division matrix as division intermediate expressions, calculates the value of each division intermediate expression in advance, and, when performing the XOR operations based on the division matrix, substitutes the values of the division intermediate expressions into the portions that match the division intermediate expressions.
  9.  The data dividing device according to claim 7, wherein
    the restoration processing unit, in the XOR expressions based on the restoration matrix, takes as restoration intermediate expressions, when the types of the divided data are A, B, and C, the expressions
    w1 = b2 + c1
    w2 = a3 + b1
    w3 = a1 + c3
    w4 = a2 + c2
    w5 = w3 + w4
    when the types of the divided data are A, B, and D, the expressions
    x1 = a1 + a3
    x2 = a2 + b1
    x3 = b2 + b3 + d2 + x1
    x4 = d3 + x1 + x2
    x5 = a3 + b2 + d1 + x2
    when the types of the divided data are A, C, and D, the expressions
    y1 = a2 + c2
    y2 = a3 + c3
    y3 = c2 + d2
    y4 = a1 + c1
    y5 = c3 + d3
    and, when the types of the divided data are B, C, and D, the expressions
    z1 = a1 + a3
    z2 = a2 + b1
    calculates the value of each restoration intermediate expression in advance, and, when performing the XOR operations based on the restoration matrix, substitutes the values of the restoration intermediate expressions into the portions that match the restoration intermediate expressions.
  10.  A data division program that causes a computer to function as a data dividing device that divides secret data into four pieces of divided data by (3, 2, 4) ramp-type threshold secret sharing, the data division program executing the steps of:
    dividing unit secret data of length S extracted from the secret data into six pieces of secret partial data of length S/6;
    generating three pieces of random number partial data of length S/6;
    generating twelve pieces of divided partial data based on the secret partial data, the random number partial data, and a division matrix that defines XOR operations for generating divided partial data from one or more pieces of the secret partial data and one piece of the random number partial data;
    concatenating three pieces of the divided partial data, each generated by an XOR operation containing a different piece of the random number partial data, to generate four types of unit divided data of length S/2; and
    concatenating the unit divided data for each type to generate the four pieces of divided data.
  11.  The data division program according to claim 10, further comprising the steps of:
    extracting three pieces of the divided partial data from each piece of the unit divided data of length S/2 extracted from each of three pieces of the divided data;
    identifying the combination of types of the divided data;
    generating the six pieces of secret partial data by XOR operations on the extracted divided partial data, based on a restoration matrix that is the inverse of the submatrix of the division matrix corresponding to the combination of types of the divided data; and
    concatenating the generated secret partial data to generate the unit secret data of length S,
    the data division program having a restoration processing unit that concatenates the generated unit secret data to generate the secret data.
  12.  The data division program according to claim 10, wherein
    the XOR expressions, defined by the division matrix, for generating the twelve pieces of divided partial data from one or more pieces of the secret partial data (s1 to s6) and one piece of the random number partial data (r1 to r3) are
    a1 = r1 + s1 + s2
    a2 = r2 + s3 + s4
    a3 = r3 + s5 + s6
    b1 = r1 + s3 + s5
    b2 = r2 + s1 + s3 + s5 + s6
    b3 = r3 + s2 + s4 + s6
    c1 = r1 + s3 + s4 + s6
    c2 = r2 + s2 + s3 + s4 + s5
    c3 = r3 + s1 + s3 + s3 + s5 + s6
    d1 = r1 + s1 + s2 + s3 + s5
    d2 = r2 + s1 + s4 + s5 + s6
    d3 = r3 + s2 + s4 + s5
    and the three pieces of divided partial data in each of a1 to a3, b1 to b3, c1 to c3, and d1 to d3 are concatenated to generate the four types A to D of the unit partial data.
  13.  The data division program according to claim 11, wherein
    the XOR expressions, based on the restoration matrix, for generating the secret partial data from the divided partial data are, when the types of the divided data are A, B, and C,
    s1 = a2 + b1 + b2 + c1
    s2 = a1 + a2 + a3 + b1 + c2 + c3
    s3 = a1 + b2 + c1 + c2
    s4 = a2 + a3 + b3 + c2
    s5 = a1 + a3 + b1 + c3
    s6 = a1 + a2 + b3 + c1 + c2 + c3
    when the types of the divided data are A, B, and D,
    s1 = a1 + a3 + b1 + b2 + b3 + d2
    s2 = a1 + a3 + b2 + b3 + d1 + d2
    s3 = a1 + a2 + a3 + b1 + b2 + d3
    s4 = a1 + a2 + a3 + b1 + d2 + d3
    s5 = a2 + a3 + b1 + b2 + d1 + d3
    s6 = a2 + a3 + b1 + b2 + b3 + d1
    when the types of the divided data are A, C, and D,
    s1 = a1 + a2 + a3 + c2 + c3 + d1
    s2 = a1 + c1 + c3 + d3
    s3 = a2 + c1 + c2 + c3 + d1 + d3
    s4 = a1 + c1 + c2 + d2
    s5 = a1 + a2 + c1 + c2 + c3 + d3
    s6 = a3 + c2 + c3 + d2
    and, when the types of the divided data are B, C, and D,
    s1 = b3 + c1 + c2 + c3 + d1 + d2
    s2 = b1 + b3 + c1 + c2 + c3 + d2
    s3 = b1 + b2 + b3 + c1 + d2 + d3
    s4 = b1 + b3 + c1 + d3
    s5 = b2 + c1 + c2 + d1
    s6 = b2 + b3 + c1 + c2 + d1 + d3
    and the six pieces of secret partial data s1 to s6 are concatenated to generate the unit partial data.
  14.  The data division program according to claim 12, wherein,
    before the step of generating the divided partial data by the XOR operations based on the division matrix, with the expressions
    t1 = s3 + s4
    t2 = s1 + s2
    t3 = s3 + s5
    t4 = s5 + s6
    t5 = r3 + s2 + s4
    t6 = t2 + t3
    t7 = r2 + s1 + t4
    in the XOR expressions based on the division matrix taken as division intermediate expressions, a step of calculating the value of each division intermediate expression in advance is executed, and
    in the step of generating the divided partial data by the XOR operations based on the division matrix, the values of the division intermediate expressions are substituted into the portions that match the division intermediate expressions.
  15.  The data division program according to claim 13, wherein,
    before the step of generating the secret partial data by the XOR operations based on the restoration matrix, in the XOR expressions based on the restoration matrix, with the following taken as restoration intermediate expressions, namely, when the types of the divided data are A, B, and C, the expressions
    w1 = b2 + c1
    w2 = a3 + b1
    w3 = a1 + c3
    w4 = a2 + c2
    w5 = w3 + w4
    when the types of the divided data are A, B, and D, the expressions
    x1 = a1 + a3
    x2 = a2 + b1
    x3 = b2 + b3 + d2 + x1
    x4 = d3 + x1 + x2
    x5 = a3 + b2 + d1 + x2
    when the types of the divided data are A, C, and D, the expressions
    y1 = a2 + c2
    y2 = a3 + c3
    y3 = c2 + d2
    y4 = a1 + c1
    y5 = c3 + d3
    and, when the types of the divided data are B, C, and D, the expressions
    z1 = a1 + a3
    z2 = a2 + b1
    a step of calculating the value of each restoration intermediate expression in advance is executed, and
    in the step of generating the secret partial data by the XOR operations based on the restoration matrix, the values of the restoration intermediate expressions are substituted into the portions that match the restoration intermediate expressions.
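
An added example, not code from the patent: the (3, 2, 4) split of claim 6, the four restoration cases of claim 7, and the claim 8 intermediates, applied to one unit of secret data. Assumptions: all function names, the way t1 to t7 are substituted into the split, and c3 = r3+s1+s2+s3+s5+s6 (claim 6 prints s3 twice; only this form is inverted by the claim 7 equations). `a1_xor_b1` shows the relaxed security condition of the ramp scheme: with only shares A and B, r1 cancels and s1+s2+s3+s5 is exposed.

```python
import secrets
from itertools import combinations

# Claim 6 rows as (random part index, secret part indices); "+" in the claims is XOR.
# Assumption of this example: c3 = r3+s1+s2+s3+s5+s6. The claim prints "s1+s3+s3",
# but only the s1+s2+s3 form is inverted by the claim 7 equations.
SPLIT = {
    "A": [(1, (1, 2)), (2, (3, 4)), (3, (5, 6))],
    "B": [(1, (3, 5)), (2, (1, 3, 5, 6)), (3, (2, 4, 6))],
    "C": [(1, (3, 4, 6)), (2, (2, 3, 4, 5)), (3, (1, 2, 3, 5, 6))],
    "D": [(1, (1, 2, 3, 5)), (2, (1, 4, 5, 6)), (3, (2, 4, 5))],
}
# Claim 7 restoration equations for s1..s6, per combination of three shares.
RESTORE = {
    "ABC": ["a2 b1 b2 c1", "a1 a2 a3 b1 c2 c3", "a1 b2 c1 c2",
            "a2 a3 b3 c2", "a1 a3 b1 c3", "a1 a2 b3 c1 c2 c3"],
    "ABD": ["a1 a3 b1 b2 b3 d2", "a1 a3 b2 b3 d1 d2", "a1 a2 a3 b1 b2 d3",
            "a1 a2 a3 b1 d2 d3", "a2 a3 b1 b2 d1 d3", "a2 a3 b1 b2 b3 d1"],
    "ACD": ["a1 a2 a3 c2 c3 d1", "a1 c1 c3 d3", "a2 c1 c2 c3 d1 d3",
            "a1 c1 c2 d2", "a1 a2 c1 c2 c3 d3", "a3 c2 c3 d2"],
    "BCD": ["b3 c1 c2 c3 d1 d2", "b1 b3 c1 c2 c3 d2", "b1 b2 b3 c1 d2 d3",
            "b1 b3 c1 d3", "b2 c1 c2 d1", "b2 b3 c1 c2 d1 d3"],
}


def xor(*blocks):
    """XOR equal-length byte strings."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, value in enumerate(block):
            out[i] ^= value
    return bytes(out)


def _parts(unit, rand):
    """Cut a unit of length S into s1..s6 and draw (or accept) r1..r3 of length S/6."""
    if not unit or len(unit) % 6:
        raise ValueError("unit length S must be a non-zero multiple of 6")
    p = len(unit) // 6
    s = {i + 1: unit[i * p:(i + 1) * p] for i in range(6)}
    r = rand or {j: secrets.token_bytes(p) for j in (1, 2, 3)}
    if set(r) != {1, 2, 3} or any(len(v) != p for v in r.values()):
        raise ValueError("need random parts r1..r3, each of length S/6")
    return s, r


def split_unit(unit, rand=None):
    """Shares A..D (each S/2 bytes) straight from the claim 6 equations."""
    s, r = _parts(unit, rand)
    return {name: b"".join(xor(r[j], *(s[i] for i in idx)) for j, idx in rows)
            for name, rows in SPLIT.items()}


def split_unit_intermediate(unit, rand=None):
    """Same shares via the claim 8 intermediates t1..t7 (substitution chosen here)."""
    s, r = _parts(unit, rand)
    t1, t2 = xor(s[3], s[4]), xor(s[1], s[2])
    t3, t4 = xor(s[3], s[5]), xor(s[5], s[6])
    t5 = xor(r[3], s[2], s[4])
    t6 = xor(t2, t3)
    t7 = xor(r[2], s[1], t4)
    return {
        "A": xor(r[1], t2) + xor(r[2], t1) + xor(r[3], t4),
        "B": xor(r[1], t3) + xor(t7, s[3]) + xor(t5, s[6]),
        "C": xor(r[1], t1, s[6]) + xor(r[2], t1, s[2], s[5]) + xor(r[3], t6, s[6]),
        "D": xor(r[1], t6) + xor(t7, s[4]) + xor(t5, s[5]),
    }


def restore_unit(shares):
    """Rebuild the unit from exactly three shares, e.g. {"A": ..., "C": ..., "D": ...}."""
    combo = "".join(sorted(shares))
    if combo not in RESTORE:
        raise ValueError("exactly three distinct shares out of A, B, C, D are required")
    if len({len(v) for v in shares.values()}) != 1 or len(shares[combo[0]]) % 3:
        raise ValueError("shares must have equal length divisible by 3")
    p = len(shares[combo[0]]) // 3
    part = {f"{name.lower()}{j + 1}": blob[j * p:(j + 1) * p]
            for name, blob in shares.items() for j in range(3)}
    return b"".join(xor(*(part[term] for term in eq.split())) for eq in RESTORE[combo])


def a1_xor_b1(share_a, share_b):
    """What holders of only A and B can compute: r1 cancels, leaving s1+s2+s3+s5."""
    p = len(share_a) // 3
    return xor(share_a[:p], share_b[:p])


if __name__ == "__main__":
    unit = b"constructed-secret"  # constructed sample input, S = 18 bytes
    shares = split_unit(unit)
    for combo in combinations("ABCD", 3):
        assert restore_unit({n: shares[n] for n in combo}) == unit
    print({name: blob.hex() for name, blob in shares.items()})
```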






PCT/JP2011/077431 2011-11-28 2011-11-28 Data dividing device and data dividing program WO2013080290A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/JP2011/077431 WO2013080290A1 (en) 2011-11-28 2011-11-28 Data dividing device and data dividing program
JP2013500690A JP5530025B2 (en) 2011-11-28 2011-11-28 Data division apparatus and data division program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2011/077431 WO2013080290A1 (en) 2011-11-28 2011-11-28 Data dividing device and data dividing program

Publications (1)

Publication Number Publication Date
WO2013080290A1 true WO2013080290A1 (en) 2013-06-06

Family

ID=48534818

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2011/077431 WO2013080290A1 (en) 2011-11-28 2011-11-28 Data dividing device and data dividing program

Country Status (2)

Country Link
JP (1) JP5530025B2 (en)
WO (1) WO2013080290A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005303776A (en) * 2004-04-14 2005-10-27 Nippon Telegr & Teleph Corp <Ntt> Electronic data encoding device, electronic data decoding device, and program
JP2006352357A (en) * 2005-06-14 2006-12-28 Fujitsu Ltd Communication control unit and communication control method
JP2009037093A (en) * 2007-08-03 2009-02-19 Kddi Corp Apparatus for generating distributed information, apparatus for restoring secret information, method for generating distributed information, secret method for restoring secret information and program
JP2009182375A (en) * 2008-01-29 2009-08-13 Kddi Corp Device for generating distributed information, device for recovering secret information, method for generating distributed information, method and program for recovering secret information
JP2011004206A (en) * 2009-06-19 2011-01-06 Kddi Corp Distribution information generation device, secret information restoring device, distribution information generation method, secret information restoring method and program

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
TORU TAKAARA: "A Fast (k,L,n)-Threshold Secret Sharing ramp Scheme using XOR Operations", COMPUTER SECURITY SYMPOSIUM 2009, vol. 2, 19 October 2009 (2009-10-19), pages 949 - 954 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2017040851A (en) * 2015-08-21 2017-02-23 富士フイルム株式会社 Secret distribution device, data restoration device, secret distribution method, data restoration method and control program therefor
JP6300293B1 (en) * 2017-07-07 2018-03-28 株式会社Asj Encoding / decoding structure and distributed data system using the same
WO2019008792A1 (en) * 2017-07-07 2019-01-10 株式会社Asj Encoding/decoding structure, and distribution data system using same
US11064024B1 (en) 2017-07-07 2021-07-13 Asj Inc. Encoding/decoding structure and distributed data system using the same

Also Published As

Publication number Publication date
JP5530025B2 (en) 2014-06-25
JPWO2013080290A1 (en) 2015-04-27


Legal Events

Date Code Title Description
ENP Entry into the national phase (Ref document number: 2013500690; Country of ref document: JP; Kind code of ref document: A)
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 11876814; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 11876814; Country of ref document: EP; Kind code of ref document: A1)