WO2014007310A1 - 秘密分散システム、データ分散装置、分散データ変換装置、秘密分散方法、およびプログラム - Google Patents
秘密分散システム、データ分散装置、分散データ変換装置、秘密分散方法、およびプログラム Download PDFInfo
- Publication number
- WO2014007310A1 WO2014007310A1 PCT/JP2013/068328 JP2013068328W WO2014007310A1 WO 2014007310 A1 WO2014007310 A1 WO 2014007310A1 JP 2013068328 W JP2013068328 W JP 2013068328W WO 2014007310 A1 WO2014007310 A1 WO 2014007310A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- secret sharing
- value
- distributed
- values
- unit
- Prior art date
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/606—Protecting data by securing the transmission between two devices or processes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/008—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/085—Secret sharing or secret splitting, e.g. threshold schemes
Definitions
- the present invention relates to a computational complexity type secret sharing technique and a multi-party calculation technique.
- Secret sharing is a technology that converts data into a plurality of distributed values and restores the original data by using more than a certain number of distributed values, and makes it impossible to restore the original data from less than a certain number of distributed values.
- N the total number of variance values
- K the minimum number of variance values required for restoration
- p is a prime number
- GF (p) is a finite field of order p
- Non-Patent Document 2 there is a computational complexity type secret sharing scheme in which the original data cannot be restored from less than a certain number of distributed values based on computational safety (for example, see Non-Patent Document 2).
- the information a (a 0 , a 1 , ..., a K-1 ) (a 0 , a 1 , ..., a K-1 ⁇ GF (p)) is encrypted using the common key encryption.
- f (x) c 0 + c 1 x + ... + c K-1 x K-1
- the coefficients c 0 , c 1 ,..., C K ⁇ 1 of the expression f (x) can be uniquely obtained.
- This c 0, c 1, ..., c 0, c 1 the following matrix with a c K-1 variable, ... may be obtained a solution of c K-1. If the common key is restored and c is decrypted, a can be obtained.
- a specific function value F i a 1 , ..., A N
- the linear secret sharing scheme is defined as secret sharing in which all distributed values of the original data a ⁇ GF (p) can be expressed by a linear combination of random numbers on a ⁇ GF (p) and GF (p). It is known that any linear secret sharing scheme can be extended to multi-party computation (see Non-Patent Document 4).
- the total data amount of the distributed value is approximately N times the data amount of the information a.
- the total data amount of the variance values necessary for restoration is approximately K times the data amount of information a. Since an increase in the data amount of the variance value leads to an increase in communication time and stored data, it is desirable to suppress the data amount of the variance value as much as possible.
- the computational complexity type secret sharing scheme is T i (a) + T i (b) ⁇ T i (a + b). Accordingly, unlike the Shamir secret sharing scheme, the computational complexity type secret sharing scheme is not self-evident as a method for performing multi-party calculation of each input addition. However, the computational complexity type secret sharing scheme has an advantage that the total data amount of distributed values and the total data amount of distributed values necessary for restoration can be reduced compared to the Shamir secret sharing scheme.
- the present invention has been made in view of these points, and an object of the present invention is to provide a secret sharing technique capable of performing multi-party calculation using a distributed value by a computational complexity type secret sharing scheme.
- a secret sharing system includes a data distribution device and N distributed data conversion devices.
- N and K are integers of 2 or more
- N ⁇ K, n 1,..., N
- ⁇ is 1 or more and N or less N integers different from each other
- i is i ⁇ is an integer
- f x (n) is N variances of x
- R is a ring
- S is a key space
- P (x) is a mapping that transfers x ⁇ S to ring R
- the data distribution apparatus includes a key selection unit, a pseudo random number generation unit, an encryption unit, a key distribution unit, and a ciphertext distribution unit.
- the encryption unit generates a ciphertext c from the information a ⁇ R using pseudorandom numbers r 1 ,..., R K ⁇ 1 .
- the key distribution unit distributes the keys s 1,..., S K-1 into N distributed values f s1 (n),..., F sK-1 (n) using an arbitrary secret sharing scheme S1.
- the ciphertext distributing unit distributes the ciphertext c into N distributed values f c (n) by an arbitrary secret sharing scheme S0.
- the distributed data conversion apparatus includes a restoration unit, a redistribution unit, and a conversion unit.
- the redistribution unit distributes the restored value U j into N distributed values f Uj (n) by a secret sharing scheme S2 having an arbitrary homomorphism.
- the conversion unit generates a variance value g a (i) of information a from the K variance values f U1 (i),..., F UK (i).
- the secret sharing system includes a data sharing apparatus and N distributed data conversion apparatuses.
- the data distribution apparatus includes a key selection unit, a pseudo random number generation unit, an encryption unit, a key distribution unit, and a ciphertext distribution unit.
- the key selection unit selects K′ ⁇ 1 keys s 1 ,..., S K′ ⁇ 1 ⁇ S.
- the encryption unit generates a ciphertext c from the information a ⁇ R using pseudorandom numbers r 1 ,..., R K′ ⁇ 1 .
- the key distribution unit distributes the keys s 1,..., S K′-1 into N distributed values f s1 (n),..., F sK′-1 (n) using an arbitrary secret sharing scheme S1.
- the ciphertext distribution unit distributes the ciphertext c into N distributed values f c (n) by an arbitrary distribution method S0.
- the distributed data conversion apparatus includes a restoration unit, a redistribution unit, and a conversion unit.
- the redistribution unit distributes the restored value U j into N distributed values f Uj (n) by a secret sharing scheme S2 having an arbitrary homomorphism.
- the conversion unit generates a variance value g a (i) of information a from K ′ variance values f U1 (i),..., F UK ′ (i).
- the secret sharing technique of the present invention it is possible to convert a distributed value according to a computational complexity type secret sharing scheme into a distributed value according to a secret sharing scheme having an arbitrary homomorphism.
- many existing linear secret sharing schemes such as Shamir secret sharing schemes are homomorphic secret sharing schemes, and a method for performing multi-party computation using shared values from existing linear secret sharing schemes such as Shamir secret sharing schemes Is known. Therefore, by selecting an existing linear secret sharing scheme such as Shamir secret sharing scheme as a secret sharing scheme with homomorphism, multi-party calculation can be performed using the distributed value by the complexity secret sharing scheme Become.
- FIG. 1 is a diagram illustrating a functional configuration of the secret sharing system according to the first embodiment.
- FIG. 2 is a diagram illustrating a functional configuration of the data distribution apparatus according to the first embodiment.
- FIG. 3 is a diagram illustrating a functional configuration of the distributed data conversion apparatus according to the first embodiment.
- FIG. 4 is a diagram illustrating a processing flow of the data distribution apparatus according to the first embodiment.
- FIG. 5 is a diagram illustrating a processing flow of the distributed data conversion apparatus according to the first embodiment.
- FIG. 6 is a diagram illustrating a functional configuration of the secret sharing system according to the second embodiment.
- FIG. 7 is a diagram illustrating a functional configuration of the data distribution apparatus according to the second embodiment.
- FIG. 1 is a diagram illustrating a functional configuration of the secret sharing system according to the first embodiment.
- FIG. 2 is a diagram illustrating a functional configuration of the data distribution apparatus according to the first embodiment.
- FIG. 3 is a diagram illustrating a functional configuration of the distributed data conversion
- FIG. 8 is a diagram illustrating a functional configuration of the distributed data conversion apparatus according to the second embodiment.
- FIG. 9 is a diagram illustrating a processing flow of the data distribution apparatus according to the second embodiment.
- FIG. 10 is a diagram illustrating a processing flow of the distributed data conversion apparatus according to the second embodiment.
- the secret sharing system converts a distributed value by a computational complexity type secret sharing scheme into a distributed value by an arbitrary secret sharing scheme having homomorphism.
- the secret sharing system 1 includes a data sharing device 10, at least N distributed data conversion devices 20 1 to 20 N and a network 90.
- the data distribution device 10 and the distributed data conversion devices 20 1 to 20 N are connected to the network 90.
- the network 90 only needs to be configured so that the data distribution device 10 and each of the distributed data conversion devices 20 1 to 20 N can communicate with each other.
- the network 90 can be configured with the Internet, a LAN, a WAN, or the like.
- the data distribution device 10 and each of the distributed data conversion devices 20 1 to 20 N need not necessarily be able to communicate online via a network.
- the information output from the data distribution device 10 may be stored in a portable recording medium such as a USB memory, and input from the portable recording medium to the distributed data conversion devices 20 1 to 20 N offline. .
- the data distribution apparatus 10 includes an input unit 110, a key selection unit 120, a pseudorandom number generation unit 130, an encryption unit 140, a key distribution unit 150, a ciphertext distribution unit 160, and an output unit 170.
- the distributed data conversion apparatus 20 includes an input unit 210, a restoration unit 220, a re-distribution unit 230, a conversion unit 240, an output unit 250, and a storage unit 290.
- the storage unit 290 is, for example, a main storage device such as a RAM (Random Access Memory), an auxiliary storage device configured by a semiconductor memory element such as a hard disk, an optical disk, or a flash memory (Flash Memory), or a relational database or a key-value store.
- the middleware can be configured.
- N and K are integers of 2 or more
- N ⁇ K, n 1,..., N
- ⁇ is 1 or more and N or less N integers
- i is an integer with i ⁇
- f x (n) is N variances of x
- R is a ring
- S is a key space
- P (x) moves x ⁇ S to ring R It is assumed to be a map.
- the map P (x) outputs the elements of the ring R for the input x ⁇ S.
- the same input x corresponds to the same P (x).
- the map P (x) is a deterministic map in which the outputs are equal if the inputs are equal.
- the inputs x and P (x) may or may not correspond one-on-one.
- the map P (x) is a pseudorandom number generation function that returns elements of the ring R using x as a seed.
- the map P (x) is a common key encryption function that outputs a ciphertext belonging to the ring R for a fixed plaintext with x as an encryption key.
- the map P (x) may be a function or an algorithm.
- step S110 information a is input to the input unit 110.
- the information a is a value included in the ring R. Therefore, it can be expressed as a ⁇ R.
- Examples of the information a are a moving image file, an audio file, a text file, a table file, and the like.
- the data amount of information a is, for example, 1 megabyte or more.
- step S120 the key selection unit 120 selects K ⁇ 1 keys s 1 ,..., S K ⁇ 1 ⁇ S.
- the key selection unit 120 may randomly select K-1 keys s 1 ,..., S K-1 one by one at a time, or a predetermined rule from a plurality of values generated in advance and stored in the memory , K-1 keys s 1 ,..., S K-1 may be selected.
- the key length of the keys s 1 ,..., S K ⁇ 1 is set to a length that can ensure the necessary security and acceptable processing performance. For example, it is generally 128 to 256 bits, but this is not a limitation.
- Keys s 1 ,..., S K ⁇ 1 are input to pseudorandom number generator 130.
- step S140 the encryption unit 140 generates a ciphertext c from the information a using pseudorandom numbers r 1 ,..., R K ⁇ 1 . More specifically, as shown in the following equation, the pseudo-random number r 1 from the information a, ..., a result obtained by subtracting the sum of r K-1 and the ciphertext c.
- the keys s 1 ,..., S K ⁇ 1 are also input to the key distribution unit 150.
- the secret sharing scheme S1 may be any secret sharing scheme, but it is desirable to apply a more secure secret sharing scheme in order to distribute the key used for decrypting the information a.
- the Shamir secret sharing scheme can be applied.
- the Shamir secret sharing method restores the original data from K or more distributed values among the distributed values obtained by distributing the original data into N, assuming that N and K are integers of 2 or more and N ⁇ K. However, since the original data information cannot be obtained from less than K shared values, it is a highly secure secret sharing scheme.
- the ciphertext c is input to the ciphertext distribution unit 160.
- the secret sharing scheme S0 may be any secret sharing scheme, but for example, the method described in Non-Patent Document 2 can be applied. However, when applying the method described in Non-Patent Document 2, it is necessary to convert the value c on the ring R into a K-order vector on GF (p).
- the upper bits are padded with 0 so that the element of the ring R becomes K ⁇ L bits.
- the value c may be divided into L bits, and each L bit divided value may be an integer of 0 or more and less than 2 L and may be used as an element of GF (p).
- the output the variance value f s1 (n), ..., f sK-1 (n), f c (n) (n 1, ..., N) , the network respectively distributed data converter 20 1 ⁇ 20 N 90 or a portable recording medium such as a USB memory.
- step S211 the K variance values f sj (i) (i ⁇ ) or the K variance values f c (i) output from the data distribution apparatus 10 are input to the input unit 210.
- the variance value f sj (i) or f c (i) may be stored in the storage unit 290, and the subsequent processing may be executed at an arbitrary timing. Instead of storing in the storage unit 290, it may be configured such that when the variance f sj (i) or f c (i) is input, the subsequent processing is continued.
- the K variance values f sj (i) or the K variance values f c (i) are input to the restoration unit 220.
- the restoration unit 220 generates a restoration value U j from the input variance value f sj (i) or variance value f c (i).
- the variance value f sj (i) is input, the variance value f sj (i) is restored by an arbitrary secret sharing scheme S1 to generate a value u j .
- the mapping P (x) is the same mapping as the pseudorandom number generation unit 130 included in the data distribution apparatus 10.
- the secret sharing scheme S1 may be any secret sharing scheme, but must be the same scheme as the secret sharing scheme S1 used by the key distribution unit 150 included in the data distribution apparatus 10.
- the secret sharing scheme S0 may be any secret sharing scheme, but must be the same scheme as the secret sharing scheme S0 used by the ciphertext distributing unit 160 included in the data distributing apparatus 10.
- the restoration value U j is input to the redistribution unit 230.
- the secret sharing scheme S2 may be any secret sharing scheme as long as it is a secret sharing scheme having homomorphism. For example, an existing linear secret sharing scheme such as Shamir secret sharing scheme can be applied.
- step S211 to step S230 shown in FIG. 5 does not have to be performed by all of the N distributed data conversion apparatuses 20 1 to 20 N , and may be performed by at least K arbitrarily selected.
- step S212 K variance values f U1 (i),..., F UK (i) generated by the redistribution unit 230 included in the K distributed data conversion devices 20 i (i ⁇ ) are input to the input unit 210. Is entered.
- the variance values f U1 (i),..., F UK (i) may be stored in the storage unit 290, and the subsequent processing may be executed at an arbitrary timing. Instead of storing in the storage unit 290, when the variance values f U1 (i),..., F UK (i) are input, the subsequent processing may be executed.
- the variance values f U1 (i),..., F UK (i) are input to the conversion unit 240.
- the conversion unit 240 generates a variance value g a (i) of information a from the K variance values f U1 (i),..., F UK (i). More specifically, as shown in the following equation, the sum of the variance values f U1 (i),..., F UK (i) can be set as the variance value g a (i).
- f UK (i) is a distributed value obtained by distributing the ciphertext c by the secret sharing scheme S2 having homomorphism
- f U1 (i), ..., f UK-1 (i) is homomorphic.
- pseudo random number r 1 by the secret sharing scheme S2 with, ..., a dispersion value obtained by dispersing each r K-1. Therefore, due to the homomorphic nature, the sum of f U1 (i), ..., f UK (i) is the secret sharing of the sum of the ciphertext c and the sum of the pseudorandom numbers r 1 , ..., r K-1
- the distributed value is distributed by the method S2.
- this distributed value g a (i) is a distributed value obtained by distributing the information a by the secret sharing scheme S2. Is equal to
- step S250 the output unit 250 outputs the variance value g a (i).
- the variance value g a (i) may be stored in the storage unit 290, and the variance value g a (i) may be read from the storage unit 290 and output in response to an external request.
- the processing from step S212 to step S250 shown in FIG. 5 is performed by all of the N distributed data conversion devices 20 1 to 20 N.
- the information on the information a obtained by the distributed data converters 20 1 to 20 N is a distributed value according to the secret sharing scheme S2 having homomorphism, and if the random numbers used to generate each distributed value are independent of each other, this embodiment
- the secrecy is reduced to the secrecy of the secret sharing scheme S2 having homomorphism to be used.
- Each of the K distributed data conversion devices 20 i obtains any one of the restored values U j that are the variance values of the information a. However, the information is not obtained unless all the K restored values U 1 ,. You can't get a. Therefore, the confidentiality of this embodiment is eventually reduced to the confidentiality of the secret sharing scheme S2 to be used.
- the distributed values f a (1),..., F a (N) of the information a by the computational complexity type secret sharing scheme are used as the distributed values by the secret sharing scheme S2 having an arbitrary homomorphism.
- Examples of secret sharing schemes having homomorphism include existing linear secret sharing schemes such as Shamir secret sharing schemes. Since the method of performing multi-party computation using the existing linear secret sharing scheme such as Shamir secret sharing scheme is known, by selecting any existing linear secret sharing scheme such as Shamir secret sharing scheme as secret sharing scheme S2, Multi-party calculation can be performed using a distributed value based on a computational complexity type secret sharing scheme.
- the secret sharing scheme S0 for distributing the ciphertext c is disclosed in Non-Patent Document 2.
- Applying the described computational complexity type secret sharing scheme reduces the storage capacity required to store the shared value compared to the Shamir secret sharing scheme where the size of the distributed value is comparable to the original data. be able to.
- the secret sharing system converts a distributed value according to a computational complexity type secret sharing scheme into a distributed value according to an arbitrary secret sharing scheme having homomorphism.
- the number of keys to be generated is equal to the number of secret sharing scheme restoration thresholds. However, the number is not necessarily the same.
- the second embodiment an example in which the number of keys and the threshold value for restoration are set to different values is shown.
- the secret sharing system 2 includes a data distribution device 12, at least N distributed data conversion devices 22 1 to 22 N and a network 90.
- the data distribution device 12 and the distributed data conversion devices 22 1 to 22 N are connected to the network 90.
- the network 90 only needs to be configured so that the data distribution device 12 and each of the distributed data conversion devices 22 1 to 22 N can communicate with each other.
- the network 90 can be configured with the Internet, a LAN, a WAN, or the like.
- the data distribution device 12 and the distributed data conversion devices 22 1 to 22 N do not necessarily need to be able to communicate online via a network.
- the information output from the data distribution device 12 may be stored in a portable recording medium such as a USB memory, and input from the portable recording medium to the distributed data conversion devices 22 1 to 22 N offline. .
- the data distribution device 12 includes an input unit 110, a key selection unit 122, a pseudo random number generation unit 132, an encryption unit 142, a key distribution unit 152, a ciphertext distribution unit 160, and an output unit 172.
- the distributed data conversion apparatus 22 includes an input unit 212, a restoration unit 220, a redistribution unit 230, a conversion unit 242, an output unit 250, and a storage unit 290.
- the storage unit 290 is, for example, a main storage device such as a RAM (Random Access Memory), an auxiliary storage device configured by a semiconductor memory element such as a hard disk, an optical disk, or a flash memory (Flash Memory), or a relational database or a key-value store.
- the middleware can be configured.
- I is an integer of i ⁇
- f x (n) is N distributed values of x
- R is a ring
- S is a key space
- P (x) is a ring of x ⁇ S. It is assumed that the map is moved to R.
- the map P (x) outputs the elements of the ring R for the input x ⁇ S.
- the same input x corresponds to the same P (x).
- the map P (x) is a deterministic map in which the outputs are equal if the inputs are equal.
- the inputs x and P (x) may or may not correspond one-on-one.
- the map P (x) is a pseudorandom number generation function that returns elements of the ring R using x as a seed.
- the map P (x) is a common key encryption function that outputs a ciphertext belonging to the ring R for a fixed plaintext with x as an encryption key.
- the map P (x) may be a function or an algorithm.
- step S110 information a is input to the input unit 110.
- the information a is a value included in the ring R. Therefore, it can be expressed as a ⁇ R.
- Examples of the information a are a moving image file, an audio file, a text file, a table file, and the like.
- the data amount of information a is, for example, 1 megabyte or more.
- step S122 the key selection unit 122 selects K′ ⁇ 1 keys s 1 ,..., S K′ ⁇ 1 ⁇ S.
- the key selection unit 122 may randomly select K′ ⁇ 1 keys s 1 ,..., S K′ ⁇ 1 randomly one by one , or may select a predetermined value from a plurality of values generated in advance and stored in the memory.
- K′-1 keys s 1 ,..., S K′-1 may be selected according to the following rules.
- the key length of the keys s 1 ,..., S K′-1 is set to a length that can ensure the necessary security and acceptable processing performance. For example, it is generally 128 to 256 bits, but this is not a limitation.
- the keys s 1 ,..., S K′ ⁇ 1 are input to the pseudorandom number generator 132.
- step S142 the encryption unit 142 generates a ciphertext c from the information a using pseudorandom numbers r 1 ,..., R K′ ⁇ 1 . More specifically, as shown in the following equation, the result of subtracting the sum of pseudorandom numbers r 1 ,.
- the keys s 1 ,..., S K′ ⁇ 1 are also input to the key distribution unit 152.
- the secret sharing scheme S1 may be any secret sharing scheme, but it is desirable to apply a more secure secret sharing scheme in order to distribute the key used for decrypting the information a.
- the Shamir secret sharing scheme can be applied.
- the Shamir secret sharing method restores the original data from K or more distributed values among the distributed values obtained by distributing the original data into N, assuming that N and K are integers of 2 or more and N ⁇ K. However, since the original data information cannot be obtained from less than K shared values, it is a highly secure secret sharing scheme.
- the ciphertext c is input to the ciphertext distribution unit 160.
- the distribution method S0 may be any distribution method, and may be a distribution method called Information Dispersal Algorithm (IDA) that does not consider confidentiality.
- IDA Information Dispersal Algorithm
- the distribution method S0 for example, the method described in Non-Patent Document 2 can be applied. However, when applying the method described in Non-Patent Document 2, it is necessary to convert the value c on the ring R into a K-order vector on GF (p).
- the upper bits are padded with 0 so that the element of the ring R becomes K ⁇ L bits.
- the value c may be divided into L bits, and each L bit divided value may be an integer of 0 or more and less than 2 L and may be used as an element of GF (p).
- step S211 the K variance values f sj (i) (i ⁇ ) or the K variance values f c (i) output from the data distribution device 12 are input to the input unit 212.
- the variance value f sj (i) or f c (i) may be stored in the storage unit 290, and the subsequent processing may be executed at an arbitrary timing. Instead of storing in the storage unit 290, it may be configured such that when the variance f sj (i) or f c (i) is input, the subsequent processing is continued.
- the K variance values f sj (i) or the K variance values f c (i) are input to the restoration unit 220.
- the restoration unit 220 generates a restoration value U j from the input variance value f sj (i) or variance value f c (i).
- the variance value f sj (i) is input, the variance value f sj (i) is restored by an arbitrary secret sharing scheme S1 to generate a value u j .
- the mapping P (x) is the same mapping as that of the pseudorandom number generation unit 130 included in the data distribution device 12.
- the secret sharing scheme S1 may be any secret sharing scheme, but must be the same scheme as the secret sharing scheme S1 used by the key distribution unit 150 included in the data distribution apparatus 12.
- the distribution method S0 may be any distribution method, but must be the same as the distribution method S0 used by the ciphertext distribution unit 160 included in the data distribution device 12.
- the restoration value U j is input to the redistribution unit 230.
- the secret sharing scheme S2 may be any secret sharing scheme as long as it is a secret sharing scheme having homomorphism. For example, an existing linear secret sharing scheme such as Shamir secret sharing scheme can be applied.
- step S211 to step S230 shown in FIG. 10 does not have to be performed by all of the N distributed data converters 22 1 to 22 N , and may be performed by at least K arbitrarily selected.
- step S213 K ′ number of distributed values f U1 (i),..., F UK ′ generated by the redistribution unit 230 included in the K ′ number of distributed data conversion devices 22 i (i ⁇ ) are input to the input unit 212. (i) is input.
- the variance values f U1 (i),..., F UK ′ (i) may be stored in the storage unit 290, and the subsequent processing may be executed at an arbitrary timing. Instead of storing in the storage unit 290, when the variance value f U1 (i),..., F UK ′ (i) is input, the subsequent processing may be continuously executed.
- the variance values f U1 (i),..., F UK ′ (i) are input to the conversion unit 242.
- the conversion unit 242 generates a variance value g a (i) of information a from K ′ variance values f U1 (i),..., F UK ′ (i). More specifically, as shown in the following equation, the sum of the variance values f U1 (i),..., F UK ′ (i) can be set as the variance value g a (i).
- f UK ′ (i) is a distributed value obtained by distributing the ciphertext c by the secret sharing scheme S2 having homomorphism
- f U1 (i),..., F UK′-1 (i) This is a distributed value in which pseudorandom numbers r 1 ,..., R K′ ⁇ 1 are distributed by the secret sharing scheme S2 having isomorphism. Therefore, due to the property of homomorphism, the sum of f U1 (i), ..., f UK ' (i) is the sum of ciphertext c and the sum of pseudorandom numbers r 1 , ..., r K'-1.
- the distributed value is distributed by the secret sharing method S2.
- this distributed value g a (i) is a distribution obtained by distributing the information a by the secret sharing scheme S2. Equal to value.
- step S250 the output unit 250 outputs the variance value g a (i).
- the variance value g a (i) may be stored in the storage unit 290, and the variance value g a (i) may be read from the storage unit 290 and output in response to an external request. Note that the processing from step S213 to step S250 shown in FIG. 10 is performed by all of the N distributed data conversion devices 22 1 to 22 N.
- the information on the information a obtained by the distributed data converters 22 1 to 22 N is a distributed value according to the secret sharing scheme S2 having homomorphism, and if the random numbers used for generating each distributed value are independent of each other, this embodiment
- the secrecy is reduced to the secrecy of the secret sharing scheme S2 having homomorphism to be used.
- Each of the K ′ distributed data converters 22 i obtains any one of the restored values U j that are the variance values of the information a, but can obtain all K ′ restored values U 1 ,..., U K ′.
- Information a cannot be obtained without it. However, since U K ′ was distributed by an arbitrary distribution method, confidentiality cannot be guaranteed. Therefore, the confidentiality of this embodiment is eventually reduced to the confidentiality of the secret sharing scheme S2 to be used if K ′> K.
- the distributed values f a (1),..., F a (N) of the information a by the computational complexity type secret sharing scheme are used as the distributed values by the secret sharing scheme S2 having an arbitrary homomorphism.
- Examples of secret sharing schemes having homomorphism include existing linear secret sharing schemes such as Shamir secret sharing schemes. Since the method of performing multi-party computation using the existing linear secret sharing scheme such as Shamir secret sharing scheme is known, by selecting any existing linear secret sharing scheme such as Shamir secret sharing scheme as secret sharing scheme S2, Multi-party calculation can be performed using a distributed value based on a computational complexity type secret sharing scheme.
- Non-Patent Document 2 since the lower limit of the size of the distributed value is 1 / K of the original data, it is described in Non-Patent Document 2 as a sharing scheme S0 that distributes the ciphertext c. Compared to Shamir's secret sharing scheme, where the size of the distributed value is the same as the original data, the amount of storage required to store the distributed value can be reduced Can do.
- the program describing the processing contents can be recorded on a computer-readable recording medium.
- a computer-readable recording medium any recording medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory may be used.
- this program is distributed, for example, by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Furthermore, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.
- a computer that executes such a program first stores a program recorded on a portable recording medium or a program transferred from a server computer in its own storage device.
- the computer reads a program stored in its own recording medium and executes a process according to the read program.
- the computer may directly read the program from a portable recording medium and execute processing according to the program, and the program is transferred from the server computer to the computer.
- the processing according to the received program may be executed sequentially.
- the program is not transferred from the server computer to the computer, and the above processing is executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition. It is good.
- ASP Application Service Provider
- the program in this embodiment includes information that is used for processing by an electronic computer and that conforms to the program (data that is not a direct command to the computer but has a property that defines the processing of the computer).
- the present apparatus is configured by executing a predetermined program on a computer.
- a predetermined program on a computer.
- at least a part of these processing contents may be realized by hardware.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Theoretical Computer Science (AREA)
- General Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Storage Device Security (AREA)
Abstract
Description
[第一実施形態]
この発明の第一実施形態に係る秘密分散システムは、計算量型秘密分散方式による分散値を、準同型性をもつ任意の秘密分散方式による分散値に変換する。
図1を参照して、第一実施形態に係る秘密分散システム1の構成例を説明する。秘密分散システム1は、データ分散装置10と少なくともN台の分散データ変換装置201~20Nとネットワーク90を含む。データ分散装置10と分散データ変換装置201~20Nは、ネットワーク90に接続される。ネットワーク90は、データ分散装置10と分散データ変換装置201~20Nそれぞれとが相互に通信可能なように構成されていればよく、例えばインターネットやLAN、WANなどで構成することができる。また、データ分散装置10と分散データ変換装置201~20Nそれぞれとは必ずしもネットワークを介してオンラインで通信可能である必要はない。例えば、データ分散装置10が出力する情報をUSBメモリなどの可搬型記録媒体に記憶し、その可搬型記録媒体から分散データ変換装置201~20Nへオフラインで入力するように構成してもよい。
図4を参照して、データ分散装置10の動作例を、実際に行われる手続きの順に従って説明する。以下の説明では、N,Kは2以上の整数であり、N≧Kであり、n=1,…,Nであり、λは互いに異なる1以上N以下のK個の整数であり、iはi∈λの整数であり、fx(n)はxのN個の分散値であり、Rは環であり、Sは鍵空間であり、P(x)はx∈Sを環Rへ移す写像であるものとする。写像P(x)は、入力されたx∈Sに対して環Rの要素を出力するものである。同一の入力xには同一のP(x)が対応する。すなわち、写像P(x)は入力が等しければ出力も等しくなる、確定的な写像である。入力xとP(x)とは一対一で対応してもよいし、しなくてもよい。例えば、写像P(x)はxをシードとして環Rの要素を返す擬似乱数生成関数である。また例えば、写像P(x)はxを暗号化鍵として固定の平文に対して環Rに属する暗号文を出力する共通鍵暗号関数である。写像P(x)は関数であってもよいし、アルゴリズムであってもよい。
図5を参照して、分散データ変換装置20iの動作例を、実際に行われる手続きの順に従って説明する。
ステップS211において、入力部210に、データ分散装置10が出力したK個の分散値fsj(i)(i∈λ)もしくはK個の分散値fc(i)が入力される。分散値fsj(i)もしくはfc(i)は記憶部290に記憶しておき、任意のタイミングで後続の処理を実行するように構成してもよい。記憶部290には記憶せず、分散値fsj(i)もしくはfc(i)が入力されると引き続き後続の処理を実行するように構成してもよい。
なお、図5に示すステップS212からステップS250までの処理は、N台の分散データ変換装置201~20Nのすべてで行う。
分散データ変換装置201~20Nが得る情報aに関する情報は、準同型性をもつ秘密分散方式S2による分散値であり、各分散値の生成に用いる乱数が互いに独立であれば、この実施形態の機密性は、利用する準同型性をもつ秘密分散方式S2の機密性に帰着される。また、K台の分散データ変換装置20iはそれぞれ情報aの分散値である復元値Ujの何れかを得るが、K個の復元値U1,…,UKすべてを得られない限り情報aを得ることはできない。そのため、この実施形態の機密性は、結局、利用する秘密分散方式S2の機密性に帰着される。
この実施形態の秘密分散システムは、計算量型秘密分散方式による情報aの分散値fa(1),…,fa(N)を、任意の準同型性をもつ秘密分散方式S2による分散値ga(1),…,ga(N)に変換することができる。
この発明の第二実施形態に係る秘密分散システムは、計算量型秘密分散方式による分散値を、準同型性をもつ任意の秘密分散方式による分散値に変換する。第一実施形態では、生成する鍵の数と秘密分散方式の復元の閾値を同数であったが、必ずしも同数でなくとも構わない。第二実施形態では、鍵の数と復元の閾値を異なる値とした場合の例を示す。
図6を参照して、第二実施形態に係る秘密分散システム2の構成例を説明する。秘密分散システム2は、データ分散装置12と少なくともN台の分散データ変換装置221~22Nとネットワーク90を含む。データ分散装置12と分散データ変換装置221~22Nは、ネットワーク90に接続される。ネットワーク90は、データ分散装置12と分散データ変換装置221~22Nそれぞれとが相互に通信可能なように構成されていればよく、例えばインターネットやLAN、WANなどで構成することができる。また、データ分散装置12と分散データ変換装置221~22Nそれぞれとは必ずしもネットワークを介してオンラインで通信可能である必要はない。例えば、データ分散装置12が出力する情報をUSBメモリなどの可搬型記録媒体に記憶し、その可搬型記録媒体から分散データ変換装置221~22Nへオフラインで入力するように構成してもよい。
図9を参照して、データ分散装置12の動作例を、実際に行われる手続きの順に従って説明する。以下の説明では、N,K,K’は2以上の整数であり、N≧Kであり、n=1,…,Nであり、λは互いに異なる1以上N以下のK個の整数であり、iはi∈λの整数であり、fx(n)はxのN個の分散値であり、Rは環であり、Sは鍵空間であり、P(x)はx∈Sを環Rへ移す写像であるものとする。写像P(x)は、入力されたx∈Sに対して環Rの要素を出力するものである。同一の入力xには同一のP(x)が対応する。すなわち、写像P(x)は入力が等しければ出力も等しくなる、確定的な写像である。入力xとP(x)とは一対一で対応してもよいし、しなくてもよい。例えば、写像P(x)はxをシードとして環Rの要素を返す擬似乱数生成関数である。また例えば、写像P(x)はxを暗号化鍵として固定の平文に対して環Rに属する暗号文を出力する共通鍵暗号関数である。写像P(x)は関数であってもよいし、アルゴリズムであってもよい。
図10を参照して、分散データ変換装置22iの動作例を、実際に行われる手続きの順に従って説明する。
ステップS211において、入力部212に、データ分散装置12が出力したK個の分散値fsj(i)(i∈λ)もしくはK個の分散値fc(i)が入力される。分散値fsj(i)もしくはfc(i)は記憶部290に記憶しておき、任意のタイミングで後続の処理を実行するように構成してもよい。記憶部290には記憶せず、分散値fsj(i)もしくはfc(i)が入力されると引き続き後続の処理を実行するように構成してもよい。
なお、図10に示すステップS213からステップS250までの処理は、N台の分散データ変換装置221~22Nのすべてで行う。
分散データ変換装置221~22Nが得る情報aに関する情報は、準同型性をもつ秘密分散方式S2による分散値であり、各分散値の生成に用いる乱数が互いに独立であれば、この実施形態の機密性は、利用する準同型性をもつ秘密分散方式S2の機密性に帰着される。また、K’台の分散データ変換装置22iはそれぞれ情報aの分散値である復元値Ujの何れかを得るが、K’個の復元値U1,…,UK’すべてを得られない限り情報aを得ることはできない。ただしUK’については、任意の分散方式で分散していたため、秘匿性は保証できない。そのため、この実施形態の機密性は、結局、K’>Kとすれば、利用する秘密分散方式S2の機密性に帰着される。
この実施形態の秘密分散システムは、計算量型秘密分散方式による情報aの分散値fa(1),…,fa(N)を、任意の準同型性をもつ秘密分散方式S2による分散値ga(1),…,ga(N)に変換することができる。
準同型性をもつ秘密分散方式としては、例えば、Shamir秘密分散方式など既存の線形秘密分散方式が挙げられる。Shamir秘密分散方式など既存の線形秘密分散方式を用いてマルチパーティ計算を行う方法は既知であるため、秘密分散方式S2としてShamir秘密分散方式など既存の任意の線形秘密分散方式を選択することで、計算量型秘密分散方式による分散値を用いてマルチパーティ計算を行うことができるようになる。
この発明は上述の実施形態に限定されるものではなく、この発明の趣旨を逸脱しない範囲で適宜変更が可能であることはいうまでもない。上記実施例において説明した各種の処理は、記載の順に従って時系列に実行されるのみならず、処理を実行する装置の処理能力あるいは必要に応じて並列的にあるいは個別に実行されてもよい。
Claims (12)
- データ分散装置とN台の分散データ変換装置を含む秘密分散システムであって、
N,Kは2以上の整数であり、N≧Kであり、n=1,…,Nであり、λは互いに異なる1以上N以下のK個の整数であり、iはi∈λの整数であり、fx(n)はxのN個の分散値であり、Rは環であり、Sは鍵空間であり、P(x)はx∈Sを環Rへ移す写像であり、
前記データ分散装置は、
K-1個の鍵s1,…,sK-1∈Sを選択する鍵選択部と、
前記鍵s1,…,sK-1からrj=P(sj)(j=1,…,K-1)を計算することにより擬似乱数r1,…,rK-1を生成する擬似乱数生成部と、
情報a∈Rから前記擬似乱数r1,…,rK-1を用いて暗号文cを生成する暗号化部と、
前記鍵s1,…,sK-1を任意の秘密分散方式S1によりそれぞれN個の分散値fs1(n),…,fsK-1(n)に分散する鍵分散部と、
前記暗号文cを任意の秘密分散方式S0によりN個の分散値fc(n)に分散する暗号文分散部と、
を備え、
前記分散データ変換装置は、
K個の分散値fsj(i)が入力されると、前記分散値fsj(i)を前記秘密分散方式S1により復元した値ujからUj=P(uj)を計算し、K個の分散値fc(i)が入力されると、前記分散値fc(i)を前記秘密分散方式S0により復元することで、復元値Uj(j=K)を生成する復元部と、
前記復元値Ujを任意の準同型性をもつ秘密分散方式S2によりN個の分散値fUj(n)に分散する再分散部と、
K個の分散値fU1(i),…,fUK(i)から前記情報aの分散値ga(i)を生成する変換部と、
を備える秘密分散システム。 - データ分散装置とN台の分散データ変換装置を含む秘密分散システムであって、
N,K,K’は2以上の整数であり、N≧Kであり、n=1,…,Nであり、λは互いに異なる1以上N以下のK個の整数であり、iはi∈λの整数であり、fx(n)はxのN個の分散値であり、Rは環であり、Sは鍵空間であり、P(x)はx∈Sを環Rへ移す写像であり、
前記データ分散装置は、
K’-1個の鍵s1,…,sK’-1∈Sを選択する鍵選択部と、
前記鍵s1,…,sK’-1からrj=P(sj)(j=1,…,K’-1)を計算することにより擬似乱数r1,…,rK’-1を生成する擬似乱数生成部と、
情報a∈Rから前記擬似乱数r1,…,rK’-1を用いて暗号文cを生成する暗号化部と、
前記鍵s1,…,sK’-1を任意の秘密分散方式S1によりそれぞれN個の分散値fs1(n),…,fsK’-1(n)に分散する鍵分散部と、
前記暗号文cを任意の分散方式S0によりN個の分散値fc(n)に分散する暗号文分散部と、
を備え、
前記分散データ変換装置は、
K個の分散値fsj(i)が入力されると、前記分散値fsj(i)を前記秘密分散方式S1により復元した値ujからUj=P(uj)を計算し、K個の分散値fc(i)が入力されると、前記分散値fc(i)を前記分散方式S0により復元することで、復元値Uj(j=K’)を生成する復元部と、
前記復元値Ujを任意の準同型性をもつ秘密分散方式S2によりN個の分散値fUj(n)に分散する再分散部と、
K’個の分散値fU1(i),…,fUK’(i)から前記情報aの分散値ga(i)を生成する変換部と、
を備える秘密分散システム。 - 請求項1に記載の秘密分散システムであって、
前記暗号化部は、前記情報aから前記擬似乱数r1,…,rK-1の総和を減算して前記暗号文cを生成し、
前記変換部は、前記分散値fU1(i),…,fUK(i)の総和を前記分散値ga(i)とする
秘密分散システム。 - 請求項2に記載の秘密分散システムであって、
前記暗号化部は、前記情報aから前記擬似乱数r1,…,rK’-1の総和を減算して前記暗号文cを生成し、
前記変換部は、前記分散値fU1(i),…,fUK’(i)の総和を前記分散値ga(i)とする
秘密分散システム。 - 請求項1から4のいずれかに記載の秘密分散システムであって、
前記秘密分散方式S2は、Shamir秘密分散方式である
秘密分散システム。 - N,Kは2以上の整数であり、N≧Kであり、n=1,…,Nであり、fx(n)はxのN個の分散値であり、Rは環であり、Sは鍵空間であり、P(x)はx∈Sを環Rへ移す写像であり、
K-1個の鍵s1,…,sK-1∈Sを選択する鍵選択部と、
前記鍵s1,…,sK-1からrj=P(sj)(j=1,…,K-1)を計算することにより擬似乱数r1,…,rK-1を生成する擬似乱数生成部と、
情報a∈Rから前記擬似乱数r1,…,rK-1を用いて暗号文cを生成する暗号化部と、
前記鍵s1,…,sK-1を任意の秘密分散方式S1によりそれぞれN個の分散値fs1(n),…,fsK-1(n)に分散する鍵分散部と、
前記暗号文cを任意の秘密分散方式S0によりN個の分散値fc(n)に分散する暗号文分散部と、
を備えるデータ分散装置。 - N,K,K’は2以上の整数であり、N≧Kであり、n=1,…,Nであり、fx(n)はxのN個の分散値であり、Rは環であり、Sは鍵空間であり、P(x)はx∈Sを環Rへ移す写像であり、
K’-1個の鍵s1,…,sK’-1∈Sを選択する鍵選択部と、
前記鍵s1,…,sK’-1からrj=P(sj)(j=1,…,K’-1)を計算することにより擬似乱数r1,…,rK’-1を生成する擬似乱数生成部と、
情報a∈Rから前記擬似乱数r1,…,rK’-1を用いて暗号文cを生成する暗号化部と、
前記鍵s1,…,sK’-1を任意の秘密分散方式S1によりそれぞれN個の分散値fs1(n),…,fsK’-1(n)に分散する鍵分散部と、
前記暗号文cを任意の分散方式S0によりN個の分散値fc(n)に分散する暗号文分散部と、
を備えるデータ分散装置。 - N,Kは2以上の整数であり、N≧Kであり、n=1,…,Nであり、λは互いに異なる1以上N以下のK個の整数であり、iはi∈λの整数であり、fx(n)はxのN個の分散値であり、Rは環であり、Sは鍵空間であり、P(x)はx∈Sを環Rへ移す写像であり、
K個の分散値fsj(i)が入力されると、前記分散値fsj(i)を所定の秘密分散方式S1により復元した値ujからUj=P(uj)を計算し、K個の分散値fc(i)が入力されると、前記分散値fc(i)を所定の秘密分散方式S0により復元することで、復元値Ujを生成する復元部と、
前記復元値Ujを任意の準同型性をもつ秘密分散方式S2によりN個の分散値fUj(n)に分散する再分散部と、
K個の分散値fU1(i),…,fUK(i)から前記情報aの分散値ga(i)を生成する変換部を備え、
前記分散値fsj(i)は、K個の鍵s1,…,sK-1∈Sを前記秘密分散方式S1によりそれぞれN個に分散した分散値fs1(n),…,fsK-1(n)に含まれ、
前記分散値fc(i)は、前記鍵s1,…,sK-1からrj=P(sj)(j=1,…,K-1)を計算することにより生成された擬似乱数r1,…,rK-1を用いて情報a∈Rから生成した暗号文cを、前記秘密分散方式S0によりN個に分散した分散値fc(n)に含まれる
分散データ変換装置。 - N,K,K’は2以上の整数であり、N≧Kであり、n=1,…,Nであり、λは互いに異なる1以上N以下のK個の整数であり、iはi∈λの整数であり、fx(n)はxのN個の分散値であり、Rは環であり、Sは鍵空間であり、P(x)はx∈Sを環Rへ移す写像であり、
K個の分散値fsj(i)が入力されると、前記分散値fsj(i)を所定の秘密分散方式S1により復元した値ujからUj=P(uj)を計算し、K個の分散値fc(i)が入力されると、前記分散値fc(i)を所定の分散方式S0により復元することで、復元値Uj(j=K’)を生成する復元部と、
前記復元値Ujを任意の準同型性をもつ秘密分散方式S2によりN個の分散値fUj(n)に分散する再分散部と、
K’個の分散値fU1(i),…,fUK’(i)から前記情報aの分散値ga(i)を生成する変換部を備え、
前記分散値fsj(i)は、K’個の鍵s1,…,sK’-1∈Sを前記秘密分散方式S1によりそれぞれN個に分散した分散値fs1(n),…,fsK’-1(n)に含まれ、
前記分散値fc(i)は、前記鍵s1,…,sK’-1からrj=P(sj)(j=1,…,K’-1)を計算することにより生成された擬似乱数r1,…,rK’-1を用いて情報a∈Rから生成した暗号文cを、前記分散方式S0によりN個に分散した分散値fc(n)に含まれる
分散データ変換装置。 - N,Kは2以上の整数であり、N≧Kであり、n=1,…,Nであり、λは互いに異なる1以上N以下のK個の整数であり、iはi∈λの整数であり、fx(n)はxのN個の分散値であり、Rは環であり、Sは鍵空間であり、P(x)はx∈Sを環Rへ移す写像であり、
データ分散装置が、K-1個の鍵s1,…,sK-1∈Sを選択する鍵選択ステップと、
前記データ分散装置が、前記鍵s1,…,sK-1からrj=P(sj)(j=1,…,K-1)を計算することにより擬似乱数r1,…,rK-1を生成する擬似乱数生成ステップと、
前記データ分散装置が、情報a∈Rから前記擬似乱数r1,…,rK-1を用いて暗号文cを生成する暗号化ステップと、
前記データ分散装置が、前記鍵s1,…,sK-1を任意の秘密分散方式S1によりそれぞれN個の分散値fs1(n),…,fsK-1(n)に分散する鍵分散ステップと、
前記データ分散装置が、前記暗号文cを任意の秘密分散方式S0によりN個の分散値fc(n)に分散する暗号文分散ステップと、
分散データ変換装置が、K個の分散値fsj(i)が入力されると、前記分散値fsj(i)を前記秘密分散方式S1により復元した値ujからUj=P(uj)を計算し、K個の分散値fc(i)が入力されると、前記分散値fc(i)を前記秘密分散方式S0により復元することで、復元値Ujを生成する復元ステップと、
前記分散データ変換装置が、前記復元値Ujを任意の準同型性をもつ秘密分散方式S2によりN個の分散値fUj(n)に分散する再分散ステップと、
前記分散データ変換装置が、K個の分散値fU1(i),…,fUK(i)から前記情報aの分散値ga(i)を生成する変換ステップと、
を含む秘密分散方法。 - N,K,K’は2以上の整数であり、N≧Kであり、n=1,…,Nであり、λは互いに異なる1以上N以下のK個の整数であり、iはi∈λの整数であり、fx(n)はxのN個の分散値であり、Rは環であり、Sは鍵空間であり、P(x)はx∈Sを環Rへ移す写像であり、
データ分散装置が、K’-1個の鍵s1,…,sK’-1∈Sを選択する鍵選択ステップと、
前記データ分散装置が、前記鍵s1,…,sK’-1からrj=P(sj)(j=1,…,K’-1)を計算することにより擬似乱数r1,…,rK’-1を生成する擬似乱数生成ステップと、
前記データ分散装置が、情報a∈Rから前記擬似乱数r1,…,rK’-1を用いて暗号文cを生成する暗号化ステップと、
前記データ分散装置が、前記鍵s1,…,sK’-1を任意の秘密分散方式S1によりそれぞれN個の分散値fs1(n),…,fsK’-1(n)に分散する鍵分散ステップと、
前記データ分散装置が、前記暗号文cを任意の分散方式S0によりN個の分散値fc(n)に分散する暗号文分散ステップと、
分散データ変換装置が、K個の分散値fsj(i)が入力されると、前記分散値fsj(i)を前記秘密分散方式S1により復元した値ujからUj=P(uj)を計算し、K個の分散値fc(i)が入力されると、前記分散値fc(i)を前記分散方式S0により復元することで、復元値Uj(j=K’)を生成する復元ステップと、
前記分散データ変換装置が、前記復元値Ujを任意の準同型性をもつ秘密分散方式S2によりN個の分散値fUj(n)に分散する再分散ステップと、
前記分散データ変換装置が、K’個の分散値fU1(i),…,fUK’(i)から前記情報aの分散値ga(i)を生成する変換ステップと、
を含む秘密分散方法。 - 請求項6または7に記載のデータ分散装置もしくは請求項8または9に記載の分散データ変換装置としてコンピュータを機能させるためのプログラム。
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201380035818.0A CN104429019B (zh) | 2012-07-05 | 2013-07-04 | 秘密分散系统、数据分散装置、分散数据变换装置以及秘密分散方法 |
US14/408,426 US9432188B2 (en) | 2012-07-05 | 2013-07-04 | Secret sharing system, data distribution apparatus, distributed data transform apparatus, secret sharing method and program |
JP2014523777A JP5885840B2 (ja) | 2012-07-05 | 2013-07-04 | 秘密分散システム、データ分散装置、分散データ変換装置、秘密分散方法、およびプログラム |
EP13813379.8A EP2879324B1 (en) | 2012-07-05 | 2013-07-04 | Secret sharing system, data distribution apparatus, distributed data transform apparatus, secret sharing method, and program |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2012-151140 | 2012-07-05 | ||
JP2012151140 | 2012-07-05 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2014007310A1 true WO2014007310A1 (ja) | 2014-01-09 |
Family
ID=49882061
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2013/068328 WO2014007310A1 (ja) | 2012-07-05 | 2013-07-04 | 秘密分散システム、データ分散装置、分散データ変換装置、秘密分散方法、およびプログラム |
Country Status (5)
Country | Link |
---|---|
US (1) | US9432188B2 (ja) |
EP (1) | EP2879324B1 (ja) |
JP (1) | JP5885840B2 (ja) |
CN (1) | CN104429019B (ja) |
WO (1) | WO2014007310A1 (ja) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2015135380A (ja) * | 2014-01-16 | 2015-07-27 | 日本電信電話株式会社 | シェア変換システム、シェア変換方法、プログラム |
JP2015135381A (ja) * | 2014-01-16 | 2015-07-27 | 日本電信電話株式会社 | シェア変換システム、シェア変換方法、プログラム |
JP2015170057A (ja) * | 2014-03-05 | 2015-09-28 | 富士通株式会社 | 秘匿検索装置、秘匿検索方法および秘匿検索プログラム |
CN112313728A (zh) * | 2018-06-20 | 2021-02-02 | 日本电信电话株式会社 | 秘密结合系统、方法、秘密计算装置以及程序 |
CN112567443A (zh) * | 2018-08-13 | 2021-03-26 | 日本电信电话株式会社 | 秘密联接信息生成系统、秘密联接系统、它们的方法、秘密计算装置以及程序 |
CN112567442A (zh) * | 2018-08-13 | 2021-03-26 | 日本电信电话株式会社 | 秘密强映射计算系统、它们的方法、秘密计算装置以及程序 |
CN112602135A (zh) * | 2018-08-13 | 2021-04-02 | 日本电信电话株式会社 | 秘密联接系统、该方法、秘密计算装置以及程序 |
CN112602135B (zh) * | 2018-08-13 | 2024-05-24 | 日本电信电话株式会社 | 秘密联接系统、该方法、秘密计算装置以及记录介质 |
Families Citing this family (22)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9679149B2 (en) * | 2012-07-05 | 2017-06-13 | Nippon Telegraph And Telephone Corporation | Secret sharing system, data distribution apparatus, distributed data transform apparatus, secret sharing method and program |
US10432409B2 (en) | 2014-05-05 | 2019-10-01 | Analog Devices, Inc. | Authentication system and device including physical unclonable function and threshold cryptography |
JP6034927B1 (ja) * | 2015-07-27 | 2016-11-30 | 日本電信電話株式会社 | 秘密計算システム、秘密計算装置、およびプログラム |
US9680809B2 (en) * | 2015-10-12 | 2017-06-13 | International Business Machines Corporation | Secure data storage on a cloud environment |
CN105204782B (zh) * | 2015-10-13 | 2018-12-11 | 中国联合网络通信集团有限公司 | 一种实现数据存储的方法及装置 |
CN108140335B (zh) * | 2015-10-13 | 2020-12-29 | 日本电信电话株式会社 | 秘密随机数合成装置、秘密随机数合成方法以及记录介质 |
CN105357004B (zh) * | 2015-12-03 | 2018-10-16 | 万达信息股份有限公司 | 一种医疗隐私数据自加密及解密的方法 |
WO2018008547A1 (ja) * | 2016-07-06 | 2018-01-11 | 日本電信電話株式会社 | 秘密計算システム、秘密計算装置、秘密計算方法、およびプログラム |
JP6974461B2 (ja) * | 2016-08-02 | 2021-12-01 | エックス−ロゴス、エルエルシー | 幾何代数を用いた高度データ中心型暗号化システムのための方法およびシステム |
CN106453285B (zh) * | 2016-09-27 | 2019-07-23 | 中国农业大学 | 一种秘密数据共享的验证方法及装置 |
US10958452B2 (en) | 2017-06-06 | 2021-03-23 | Analog Devices, Inc. | System and device including reconfigurable physical unclonable functions and threshold cryptography |
EP3675088B1 (en) * | 2017-08-22 | 2022-11-02 | Nippon Telegraph And Telephone Corporation | Share generating device, share converting device, secure computation system, share generation method, share conversion method, program, and recording medium |
AU2018321008B2 (en) * | 2017-08-22 | 2021-05-20 | Nippon Telegraph And Telephone Corporation | Share generating device, reconstructing device, secure computation system, share generation method, reconstruction method, program, and recording medium |
CN109241016B (zh) * | 2018-08-14 | 2020-07-07 | 阿里巴巴集团控股有限公司 | 多方安全计算方法及装置、电子设备 |
CN111914264A (zh) * | 2019-05-08 | 2020-11-10 | 华控清交信息科技(北京)有限公司 | 索引创建方法及装置、数据验证方法及装置 |
CN112000978B (zh) * | 2019-06-19 | 2023-12-19 | 华控清交信息科技(北京)有限公司 | 隐私数据的输出方法、数据处理系统及存储介质 |
US11943350B2 (en) * | 2019-10-16 | 2024-03-26 | Coinbase, Inc. | Systems and methods for re-using cold storage keys |
CN111428276B (zh) * | 2020-03-19 | 2022-08-02 | 腾讯科技(深圳)有限公司 | 一种数据处理的方法、装置、设备和介质 |
US20220271933A1 (en) * | 2021-02-19 | 2022-08-25 | Samsung Electronics Co., Ltd. | System and method for device to device secret backup and recovery |
US20220385453A1 (en) * | 2021-05-28 | 2022-12-01 | Atakama LLC | Secure file transfer |
GB2620988A (en) * | 2022-07-29 | 2024-01-31 | Pqshield Ltd | Method and apparatus for storing/recovering a plurality of secret shares |
CN116506852B (zh) * | 2023-03-16 | 2024-03-22 | 暨南大学 | 一种节点易损坏环境下的分布式物联网密钥安全分发方法及系统 |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2004279526A (ja) * | 2003-03-13 | 2004-10-07 | Oki Electric Ind Co Ltd | 秘密再構成方法、分散秘密再構成装置、及び秘密再構成システム |
JP2007124610A (ja) * | 2005-09-20 | 2007-05-17 | Nippon Telegr & Teleph Corp <Ntt> | 秘密情報分散装置及び秘密情報復元装置及び方法及びプログラム |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1207868C (zh) * | 2001-09-28 | 2005-06-22 | 中国科学院研究生院 | 一种安全的数字签名方法与系统 |
FR2925736B1 (fr) * | 2007-12-21 | 2010-09-24 | Eads Secure Networks | Procede de production d'une preuve de presence ou de fonctionnement d'une entite dans une zone identifiee pendant une duree superieure a un seuil donne, et systeme de surveillance |
CN101217728B (zh) * | 2007-12-29 | 2013-01-30 | 北京握奇数据系统有限公司 | 用于无线写卡的空卡、无线写卡服务器及无线写卡方法 |
EP2423904B1 (en) * | 2009-04-24 | 2015-01-07 | Nippon Telegraph And Telephone Corporation | Secret sharing system, sharing apparatus, share management apparatus, acquisition apparatus, processing methods therefore, secret sharing method, program, and recording medium |
-
2013
- 2013-07-04 US US14/408,426 patent/US9432188B2/en active Active
- 2013-07-04 WO PCT/JP2013/068328 patent/WO2014007310A1/ja active Application Filing
- 2013-07-04 CN CN201380035818.0A patent/CN104429019B/zh active Active
- 2013-07-04 EP EP13813379.8A patent/EP2879324B1/en active Active
- 2013-07-04 JP JP2014523777A patent/JP5885840B2/ja active Active
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2004279526A (ja) * | 2003-03-13 | 2004-10-07 | Oki Electric Ind Co Ltd | 秘密再構成方法、分散秘密再構成装置、及び秘密再構成システム |
JP2007124610A (ja) * | 2005-09-20 | 2007-05-17 | Nippon Telegr & Teleph Corp <Ntt> | 秘密情報分散装置及び秘密情報復元装置及び方法及びプログラム |
Non-Patent Citations (6)
Title |
---|
A. SHAMIR: "How to share a secret", COMMUN. ACM, vol. 22, no. 11, 1979, pages 612 - 613, XP000565227, DOI: doi:10.1145/359168.359176 |
H. KRAWCZYK: "Secret sharing made short", CRYPTO, 1993, pages 136 - 146, XP019194050 |
KOJI CHIDA ET AL.: "Efficient Conversions from Computational SSS And Ramp SSS to Multi-Party Computation", IEICE TECHNICAL REPORT, vol. 112, no. 126, 12 July 2012 (2012-07-12), pages 267 - 271, XP008175631 * |
KOJI CHIDA ET AL.: "Multiparty Keisan ni Tekiyo Kano na Keisanryoteki Short Himitsu Bunsan", DAI 29 KAI SYMPOSIUM ON CRYPTOGRAPHY AND INFORMATION SECURITY (SCIS2012), 30 January 2012 (2012-01-30), pages 3B3 - 2, XP008176581 * |
M. BEN-OR; S. GOLDWASSER; A. WIGDERSON: "Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract", STOC, 1988, pages 1 - 10 |
R. CRAMER; 1. DAMGARD; U. MAURER: "General Secure Multi-Party Computation from any Linear Secret-Sharing Scheme", EUROCRYPTO, 2000, pages 316 - 334, XP055258618, DOI: doi:10.1007/3-540-45539-6_22 |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2015135380A (ja) * | 2014-01-16 | 2015-07-27 | 日本電信電話株式会社 | シェア変換システム、シェア変換方法、プログラム |
JP2015135381A (ja) * | 2014-01-16 | 2015-07-27 | 日本電信電話株式会社 | シェア変換システム、シェア変換方法、プログラム |
JP2015170057A (ja) * | 2014-03-05 | 2015-09-28 | 富士通株式会社 | 秘匿検索装置、秘匿検索方法および秘匿検索プログラム |
CN112313728A (zh) * | 2018-06-20 | 2021-02-02 | 日本电信电话株式会社 | 秘密结合系统、方法、秘密计算装置以及程序 |
CN112313728B (zh) * | 2018-06-20 | 2024-04-19 | 日本电信电话株式会社 | 秘密结合系统、方法、秘密计算装置以及记录介质 |
CN112567443A (zh) * | 2018-08-13 | 2021-03-26 | 日本电信电话株式会社 | 秘密联接信息生成系统、秘密联接系统、它们的方法、秘密计算装置以及程序 |
CN112567442A (zh) * | 2018-08-13 | 2021-03-26 | 日本电信电话株式会社 | 秘密强映射计算系统、它们的方法、秘密计算装置以及程序 |
CN112602135A (zh) * | 2018-08-13 | 2021-04-02 | 日本电信电话株式会社 | 秘密联接系统、该方法、秘密计算装置以及程序 |
CN112567442B (zh) * | 2018-08-13 | 2024-04-09 | 日本电信电话株式会社 | 秘密强映射计算系统、它们的方法、秘密计算装置以及记录介质 |
CN112567443B (zh) * | 2018-08-13 | 2024-05-14 | 日本电信电话株式会社 | 秘密联接信息生成系统及方法、秘密联接系统及方法、秘密计算装置、记录介质 |
CN112602135B (zh) * | 2018-08-13 | 2024-05-24 | 日本电信电话株式会社 | 秘密联接系统、该方法、秘密计算装置以及记录介质 |
Also Published As
Publication number | Publication date |
---|---|
CN104429019A (zh) | 2015-03-18 |
US9432188B2 (en) | 2016-08-30 |
EP2879324A4 (en) | 2016-05-04 |
JP5885840B2 (ja) | 2016-03-16 |
EP2879324A1 (en) | 2015-06-03 |
CN104429019B (zh) | 2017-06-20 |
US20150172049A1 (en) | 2015-06-18 |
EP2879324B1 (en) | 2018-05-16 |
JPWO2014007310A1 (ja) | 2016-06-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP5885840B2 (ja) | 秘密分散システム、データ分散装置、分散データ変換装置、秘密分散方法、およびプログラム | |
JP5826934B2 (ja) | 秘密分散システム、データ分散装置、分散データ変換装置、秘密分散方法、およびプログラム | |
US9438423B2 (en) | Encryption device, encryption method, and information processing device | |
JP6095792B2 (ja) | 秘密ビット分解装置、秘密モジュラス変換装置、秘密ビット分解方法、秘密モジュラス変換方法、プログラム | |
JP5944841B2 (ja) | 秘密分散システム、データ分散装置、分散データ保有装置、秘密分散方法、およびプログラム | |
JP6194886B2 (ja) | 暗号化統計処理システム、復号システム、鍵生成装置、プロキシ装置、暗号化統計データ生成装置、暗号化統計処理方法、および、暗号化統計処理プログラム | |
JP5860557B1 (ja) | 秘密公開方法、秘密公開システム、秘密公開装置、およびプログラム | |
JP5872085B1 (ja) | 分散値変換システム、分散値変換装置、分散値変換方法、およびプログラム | |
JPWO2019130528A1 (ja) | 変換鍵生成装置、暗号文変換装置、秘匿情報処理システム、変換鍵生成方法、変換鍵生成プログラム、暗号文変換方法及び暗号文変換プログラム | |
KR20130036044A (ko) | 비밀 분산 시스템, 분산 장치, 분산 관리 장치, 취득 장치, 비밀 분산 방법, 프로그램, 및 기록 매체 | |
JP5872084B1 (ja) | 分散値変換システム、分散値変換装置、分散値変換方法、およびプログラム | |
JP5864004B1 (ja) | 分散値変換システム、分散値変換装置、分散値変換方法、およびプログラム | |
JP5732429B2 (ja) | 秘密分散システム、データ分散装置、データ復元装置、秘密分散方法、およびプログラム | |
KR101249394B1 (ko) | 래티스 환경을 기반으로 한 대리 재암호화 방법 및 장치 | |
JP6006809B2 (ja) | 復号サービス提供装置、処理装置、安全性評価装置、プログラム、および記録媒体 | |
JP5458116B2 (ja) | データ分散装置、分散データ変換装置、データ復元装置 | |
JP5889454B1 (ja) | 分散値変換システム、分散値変換装置、分散値変換方法、およびプログラム | |
JP2015135380A (ja) | シェア変換システム、シェア変換方法、プログラム | |
EP3675088B1 (en) | Share generating device, share converting device, secure computation system, share generation method, share conversion method, program, and recording medium | |
US11811741B2 (en) | Information processing system and information processing method | |
JP2019040047A (ja) | 計算システム、計算方法及び計算プログラム | |
JP5506633B2 (ja) | 代理計算システム、端末装置、代理計算装置、代理計算方法、及びプログラム | |
JP2017009914A (ja) | 指標算出システム、指標算出方法、指標算出プログラム、及び、照合システム |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 13813379 Country of ref document: EP Kind code of ref document: A1 |
|
ENP | Entry into the national phase |
Ref document number: 2014523777 Country of ref document: JP Kind code of ref document: A |
|
WWE | Wipo information: entry into national phase |
Ref document number: 14408426 Country of ref document: US Ref document number: 2013813379 Country of ref document: EP |
|
NENP | Non-entry into the national phase |
Ref country code: DE |