WO2019163636A1 - Secret computing device, secret calculation authentication system, secret calculation method, and program - Google Patents
- Publication number: WO2019163636A1 (PCT/JP2019/005351)
- Authority: WO, WIPO (PCT)
- Prior art keywords: secret, concealment, value, random number, calculation
Classifications
- H04L9/085—Secret sharing or secret splitting, e.g. threshold schemes
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
- H04L2209/12—Details relating to cryptographic hardware or logic circuitry
- H04L2209/46—Secure multiparty computation, e.g. millionaire problem
Definitions
- The present invention relates to a secret calculation technique, and more particularly to a secret calculation authentication technique that performs authentication processing by secret calculation.
- If a secret calculation technique (for example, see Non-Patent Document 1) is used, authentication processing can be performed while keeping authentication information (for example, a password) secret.
- The above-described method has the problem that its security against impersonation is low. In other words, when an invalid concealment verification value is computed such that 0 is restored even though $w - \omega \neq 0$, authentication is determined to have succeeded despite $w - \omega \neq 0$. Further, since the authentication information $w, \omega$ is kept secret, it is difficult to detect such an invalid concealment verification value.
- An object of the present invention is to provide a technique for performing authentication processing with high security against impersonation while keeping authentication information secret.
- The secret computing device stores concealed authentication information $[w]_i \in [F]^L$ that is a secret sharing value of the authentication information $w$, and concealed authentication information $[\omega]_i \in [F]^L$ that is a secret sharing value of the authentication information $\omega$.
- It obtains a concealed extension field random number $[r_m]_i \in [F^\varepsilon]$ that is a secret sharing value of an extension field random number $r_m$, obtains by secret calculation using the first concealment verification value $[z]_i$ a second concealment verification value $[y_m]_i$ that conceals $y_m$, and obtains and outputs by secret calculation using the concealed extension field random number $[r_m]_i$ and the second concealment verification value $[y_m]_i$ a third concealment verification value $[r_m y_m]_i$.
- $L$ is an integer of 1 or more
- $\varepsilon$ is an integer of 2 or more
- $F$ is a finite field
- $F^\varepsilon$ is an extension field of the finite field $F$
- the extension degree of the extension field $F^\varepsilon$ is $\varepsilon$.
- $\mathrm{ceil}(x)$ is the smallest integer greater than or equal to the real number $x$
- $M = \mathrm{ceil}(L/\varepsilon)$
- Authentication processing with high security against impersonation can be performed while keeping authentication information secret.
- FIG. 1 is a block diagram illustrating a functional configuration of a secret calculation authentication system according to the embodiment.
- FIG. 2 is a block diagram illustrating a functional configuration of the secret computing device according to the embodiment.
- FIG. 3A is a block diagram illustrating a functional configuration of the user device according to the embodiment.
- FIG. 3B is a block diagram illustrating a functional configuration of the verification apparatus according to the embodiment.
- FIG. 4 is a flowchart for explaining processing of the user device according to the embodiment.
- FIG. 5 is a flowchart for explaining the processing of the secret computing device of the embodiment.
- FIG. 6 is a flowchart for explaining the processing of the verification apparatus according to the embodiment.
- FIG. 7 is a conceptual diagram for explaining the processing of the embodiment.
- The secret calculation authentication system of the embodiment includes $N$ (a plurality of) secret computing devices $P_1, \ldots, P_N$ and a verification device.
- The verification device may be a device external to the $N$ secret computing devices $P_1, \ldots, P_N$, or may be a device included in any of the secret computing devices $P_i$.
- Each of the secret computing devices $P_i$ stores concealed authentication information $[w]_i \in [F]^L$, which is a secret sharing value of the authentication information $w$, in its storage unit.
- $i = 1, \ldots, N$, and $N$ is an integer of 2 or more.
- "$\beta_1 \in \beta_2$" represents that $\beta_1$ belongs to $\beta_2$.
- $F$ represents a finite field
- $L$ represents an integer of 1 or more.
- The finite field $F$ may be a prime field or an extension field.
- For example, $L$ is an integer of 2 or more.
- $[F]$ represents a secret sharing value of an element of the finite field $F$
- $[F]^L$ represents a set of $L$ elements of $[F]$.
- $[\alpha]_i$ means the secret sharing value of $\alpha$ assigned to the secret computing device $P_i$.
- the authentication information w is pre-registered for a regular user.
- the authentication information w is not limited, and may be any password, biometric authentication information, voice authentication information, pattern authentication information, or the like.
- Each of the secret computing devices $P_i$ may store concealed authentication information $[w]_i$ corresponding to each of a plurality of pieces of authentication information $w$, or may store only the concealed authentication information $[w]_i$ corresponding to a single piece of authentication information $w$.
- The secret sharing scheme for obtaining the secret sharing value is not limited, and a known $(K, N)$ secret sharing scheme (also referred to as a "K-out-of-N threshold secret sharing scheme"), such as a replicated secret sharing scheme (for example, see Reference 1) or the Shamir secret sharing scheme (for example, see Reference 2), may be used.
- The Shamir secret sharing scheme that is a $(K, N)$ secret sharing scheme is referred to as the "$(K, N)$ Shamir secret sharing scheme".
- Reference 1: Dai Ikarashi, Koji Chida, Koki Hamada, Katsumi Takahashi, "Efficiency of Lightweight Verifiable 3-Party Secret Function Calculation and Secure Database Processing Using This," In SCIS 2011, 2011.
- Reference 2: A. Shamir, "How to Share a Secret", Communications of the ACM, November 1979, Volume 22, Number 11, pp. 612-613.
- Concealed authentication information $[\omega]_i \in [F]^L$, which is a secret sharing value of the authentication information $\omega$, is input to the input unit of each secret computing device $P_i$.
- $[w - \omega]_i$ represents the secret sharing value of $w - \omega$.
- The secret calculation method is not limited, and for example, a known secret calculation method described in Non-Patent Document 1 or Reference 3 may be used. The same applies to the secret calculations below. Reference 3: Koji Chida, Koki Hamada, Dai Ikarashi, Katsumi Takahashi, "Reconsideration of Lightweight Verifiable 3-Party Secret Function Calculation", In CSS, 2010.
- The random number generation unit of each secret computing device $P_i$ obtains and outputs a concealed extension field random number $[r_m]_i \in [F^\varepsilon]$, which is a secret sharing value of the extension field random number $r_m \in F^\varepsilon$.
- $\varepsilon$ is an integer equal to or greater than 2
- $F^\varepsilon$ is an extension field of the finite field $F$
- the extension degree of the extension field $F^\varepsilon$ is $\varepsilon$.
- ceil is the ceiling function
- $\mathrm{ceil}(x)$ represents the smallest integer equal to or greater than a real number $x$.
- M is an integer of 1 or more.
- M is an integer of 2 or more.
- The concealed extension field random number $[r_m]_i$ must be generated in a state where the extension field random number $r_m$ is concealed from every secret computing device $P_i$.
- The secret computing devices $P_1, \ldots, P_N$ can cooperate to generate a concealed extension field random number $[r_m]_i$.
- Each secret computing device $P_{i'}$ calculates a secret sharing value $[r_{m,i'}]_i \in [F^\varepsilon]$ of the extension field random number $r_{m,i'}$ and sends it to the secret computing device $P_i$.
- The computing unit of each secret computing device $P_i$ uses the first concealment verification value $[z]_i$ to obtain, by secret calculation, a second concealment verification value $[y_m]_i$ that conceals $y_m$, and outputs it.
- $[y_{M-1}]_i$ may be divided into $M$ pieces to obtain $[y_0]_i, \ldots, [y_{M-1}]_i$.
- The second concealment verification value $[y_m]_i$ can be handled as a secret sharing value according to the $(K, N)$ Shamir secret sharing scheme on the degree-$\varepsilon$ extension field $F^\varepsilon$.
- $K = 2$
- The coordinate axis is $\chi = (\eta, 0, \ldots, 0) \in F^\varepsilon$, where $\eta$ is an integer variable.
- This secret sharing value $[y_m]_i$ is an element of the degree-$\varepsilon$ extension field $F^\varepsilon$.
- $y_m = z_{\varepsilon m} + z_{\varepsilon m+1} \cdot X + \ldots$
- Each secret computing device $P_i$ uses the concealed extension field random number $[r_m]_i$ and the second concealment verification value $[y_m]_i$ to obtain, by secret calculation, the third concealment verification value $[r_m y_m]_i$, and outputs it.
- When the concealed authentication information $[w]_i$ is a secret sharing value according to the $(K, N)$ Shamir secret sharing scheme, the concealed authentication information $[\omega]_i$ is a secret sharing value according to the $(K, N)$ Shamir secret sharing scheme, the second concealment verification value $[y_m]_i$ is obtained by combining the elements of the sequence representing the first concealment verification value $[z]_i$, and the concealed extension field random number $[r_m]_i$ is a secret sharing value according to the $(K, N)$ Shamir secret sharing scheme, the computing unit of each secret computing device $P_i$ treats the second concealment verification value $[y_m]_i$ as a secret sharing value according to the $(K, N)$ Shamir secret sharing scheme, and the third concealment verification value $[r_m y_m]_i$ can be obtained as a secret sharing value according to the Shamir secret sharing scheme.
- The product of two secret sharing values according to the $(K, N)$ Shamir secret sharing scheme is a secret sharing value according to the $(2K-1, N)$ Shamir secret sharing scheme. Therefore, the third concealment verification value $[r_m y_m]_i$ obtained in this way is a secret sharing value according to the $(2K-1, N)$ Shamir secret sharing scheme.
- The third concealment verification values $[r_0 y_0]_i, \ldots, [r_{M-1} y_{M-1}]_i$ may be output as the concealed value of the authentication result (method 1).
- Further, the random number generation unit of the secret computing device $P_i$ obtains and outputs a second concealed extension field random number $[R_m]_i = R_m + Rs_m \cdot I \in F^\varepsilon$, which is a secret sharing value of a second extension field random number $R_m \in F^\varepsilon$ according to the $(2, N)$ Shamir secret sharing scheme on the degree-$\varepsilon$ extension field $F^\varepsilon$.
- The second concealed extension field random number $[R_m]_i$ must be generated in a state where the second extension field random number $R_m$ is concealed from every secret computing device $P_i$. Such methods are well known and any of them may be used.
- $[r_m y_m]_i + [R_m]_i \cdot I$ is a secret sharing value of $r_m \cdot y_m$ according to the $(3, N)$ Shamir secret sharing scheme on the degree-$\varepsilon$ extension field $F^\varepsilon$.
- the processing of the verification apparatus for methods 1 and 2 is shown below.
- the third concealment verification value [r m y m ] i is a secret distribution value according to the ( ⁇ , N) Shamir secret distribution scheme
- the values [r m y m ] ⁇ (1) ,..., [R m y m ] ⁇ ( ⁇ ) are input to the restoration unit of the verification device, and the restoration unit of the verification device uses the third concealment verification value [r m y m ] ⁇ (1) ,..., [r m y m ] ⁇ ( ⁇ ) is used to restore the verification value r m y m and output it.
- ⁇ is a positive integer not less than 1 and not more than N, and is ⁇ (1),..., ⁇ ( ⁇ ) ⁇ ⁇ ⁇ 1,.
- the restoration unit of the verification device has at least 2K ⁇ 1
- the third concealment verification value [r m y m ] ⁇ (1) ,..., [R m y m ] ⁇ (2K ⁇ 1) output from the secret computing device is used to restore the verification value r m y m Output.
- the verification apparatus performs an operation including a secret calculation and restoration using at least a part of [r 0 y 0 ] i ,..., [R M ⁇ 1 y M ⁇ 1 ] i , and is thereby obtained.
- the verification apparatus uses [r m y m ] ⁇ (1) + [R m ] among the above-described fourth concealment verification values [r m y m ] i + [R m ] i ⁇ I.
- [r m y m ] ⁇ (1) + [R m ] ⁇ (1) ⁇ I and [r m y m ] ⁇ (2) + [R m ] ⁇ (2) ⁇ I and [r m y m ] ⁇ (3) + [R m ] ⁇ (3) ⁇ I are input, and the restoration unit of the verification apparatus restores and outputs the verification value r m y m using these.
- the verification device [r 0 y 0 ] i " + [ R0 ] i" ⁇ I ", ..., [rM - 1yM -1 ] i" + [ RM-1 ] i " ⁇ I" [R 0 y 0 +... + R M ⁇ 1 y M ⁇ 1 ] i ′′ is obtained, and r 0 obtained by restoring the secret sharing value [r 0 y 0 +... + R M ⁇ 1 y M ⁇ 1 ] i ′′ y 0 + ...
- The secret calculation authentication system 1 includes a user device 11, a plurality of secret calculation devices 12-1, ..., 12-N, and a verification device 13, which are configured to be able to communicate through a network.
- $N$ in the present embodiment is an integer of 2 or more.
- For simplicity of explanation, the secret calculation authentication system 1 of FIG. 1 includes one user device 11 and one verification device 13, but the secret calculation authentication system 1 may include two or more user devices 11 and/or verification devices 13.
- The secret calculation device 12-i of this embodiment includes an input unit 121-i, an output unit 122-i, a control unit 124-i, calculation units 125-i, 126-i, and 127-i, a random number generation unit 128-i, a determination unit 129-i, and a storage unit 123-i.
- The secret calculation device 12-i executes each process under the control of the control unit 124-i, and the data obtained by each unit is stored in the storage unit 123-i, read out as necessary, and used for other processing. As illustrated in FIG.
- the user device 11 includes an input unit 111, an output unit 112, a control unit 114, a concealment unit 115, and a display unit 116.
- the user device 11 executes each process under the control of the control unit 114, and the data obtained by each unit is stored in a storage unit (not shown), read out as necessary, and used for other processes.
- the verification device 13 of this embodiment includes an input unit 131, an output unit 132, a control unit 134, a restoration unit 136, and a determination unit 137.
- the verification device 13 executes each process under the control of the control unit 134, and data obtained by each unit is stored in a storage unit (not shown), read out as necessary, and used for other processes.
- the authentication information w itself is not disclosed to each secret computing device 12-i.
- The secret sharing scheme used in the secret calculation authentication system 1 is determined in advance, and the user device 11, the plurality of secret calculation devices 12-1, ..., 12-N, and the verification device 13 perform secret calculation on secret sharing values according to this secret sharing scheme.
- <Secret calculation authentication process> As illustrated in FIG. 4, first, the user inputs authentication information $\omega$ to the input unit 111 of the user device 11 (FIG. 3A) (step S1111). The authentication information $\omega$ is sent to the concealment unit 115, which obtains and outputs concealed authentication information $[\omega]_i$ (where $i = 1, \ldots, N$), a secret sharing value of the authentication information $\omega$ (step S115). The concealed authentication information $[\omega]_i$ is sent to the output unit 112, and the output unit 112 outputs each piece of concealed authentication information $[\omega]_i$ to each secret calculation device 12-i (step S1121).
- Each piece of concealed authentication information $[\omega]_i$ is transmitted to each secret calculation device 12-i (FIG. 2) via the network and input to the input unit 121-i (step S121-i).
- The concealed authentication information $[\omega]_i$ is input to the determination unit 129-i.
- Any of the concealed authentication information $[w]_i$ stored in the storage unit 123-i (for example, any concealed authentication information $[w]_i$ for which the processing from step S1291-i onward has not yet been performed) is read (step S123-i), and it is determined whether the size of the concealed authentication information $[\omega]_i$ and the size of the concealed authentication information $[w]_i$ are the same (step S1291-i). If it is determined that they are not the same, information indicating "failure" is output (step S1221-i), and the process proceeds to step S1292-i.
- the arithmetic unit 125-i first arithmetic unit
- The computing unit 126-i (second computing unit) receives the concealment verification value $[z]_i$ as input, obtains by secret calculation the concealment verification value $[y_m]_i$ that conceals $y_m$ (second concealment verification value), and outputs it (step S126-i).
- The computing unit 127-i (third computing unit) receives the concealed extension field random number $[r_m]_i$ and the concealment verification value $[y_m]_i$ as inputs, obtains by secret calculation the concealment verification value $[r_m y_m]_i$ (third concealment verification value), and outputs it (step S127-i), and the process proceeds to step S1292-i.
- In step S1292-i, it is determined whether the processing from step S123-i onward has been executed for all the concealed authentication information $[w]_i$ stored in the storage unit 123-i (step S1292-i). If it has not been executed for all the concealed authentication information $[w]_i$, the processing returns to step S123-i. On the other hand, when it has been executed for all the concealed authentication information $[w]_i$, the process of step S1222-i is executed.
- In step S1222-i, the concealment verification value $[r_m y_m]_i$ obtained in step S127-i is input to the output unit 122-i. If no concealment verification value $[r_m y_m]_i$ obtained in step S127-i exists, information indicating "failure" is input to the output unit 122-i.
- The output unit 122-i outputs the concealment verification value $[r_m y_m]_i$ or the information indicating "failure" to the verification device 13 (step S1222-i).
- The concealment verification value $[r_m y_m]_i$ or the information indicating "failure" is transmitted to the verification device 13 via the network and input to the input unit 131 of the verification device 13 (FIG. 3B) (step S131). If information indicating "failure" is input, the process of step S1322 is executed. On the other hand, when the concealment verification value $[r_m y_m]_i$ is input, the processes from step S136 onward are executed.
- step S136 the restoration unit 136 uses the concealment verification values [r m y m ] ⁇ (1) ,..., [R m y m ] ⁇ (K) corresponding to the same w to check the value r m y m. Is restored and output. However, ⁇ (1),..., ⁇ (K) ⁇ ⁇ ⁇ 1,..., N ⁇ (step S136).
- the authentication result which is “information indicating that authentication has succeeded” output from step S1321 or “information indicating that authentication has failed” output in step S1322, is input to the output unit 132.
- the output unit 132 outputs the verification result to the user device 11.
- the verification result is input to the input unit 111 of the user device (FIG. 3A) (step S1112) and displayed from the display unit 116 (step S116).
- The secret calculation authentication system 2 includes a user device 11, a plurality of secret calculation devices 22-1, ..., 22-N, and a verification device 23, which are configured to be able to communicate through a network.
- $N$ in the present embodiment is an integer of 3 or more.
- The secret calculation authentication system 2 of FIG. 1 includes one user device 11 and one verification device 13, but the secret calculation authentication system 2 may include two or more user devices 11 and/or verification devices 13.
- The secret calculation device 22-i of this embodiment includes an input unit 121-i, an output unit 122-i, a control unit 124-i, calculation units 125-i, 126-i, 127-i, 223-i, and 224-i, random number generation units 128-i and 228-i, a determination unit 129-i, and a storage unit 123-i.
- The secret calculation device 22-i executes each process under the control of the control unit 124-i, and the data obtained by each unit is stored in the storage unit 123-i, read out as necessary, and used for other processing. As illustrated in FIG.
- the verification device 23 includes an input unit 131, an output unit 132, a control unit 134, a restoration unit 236, and a determination unit 137.
- the verification device 23 executes each process under the control of the control unit 134, and data obtained by each unit is stored in a storage unit (not shown), read out as necessary, and used for other processes.
- Each piece of concealed authentication information $[\omega]_i$ output from the user device 11 is input to the input unit 121-i of each secret calculation device 22-i (FIG. 2) (step S121-i).
- Steps S123-i and S1291-i described in the first embodiment are executed, and if it is determined in step S1291-i that the size of the concealed authentication information $[\omega]_i$ and the size of the concealed authentication information $[w]_i$ are not the same, information indicating "failure" is output (step S1221-i), and the process proceeds to step S1292-i.
- The processing of steps S125-i, S128-i, S126-i and S127-i described in the first embodiment is executed.
- The computing unit 223-i (fourth computing unit) multiplies the concealed extension field random number $[R_m]_i$ and $I$ on the degree-$\varepsilon$ extension field $F^\varepsilon$, and the extension field multiplication value $[R_m]_i$.
- In step S1292-i, it is determined whether the processing from step S123-i onward has been executed for all the concealed authentication information $[w]_i$ stored in the storage unit 123-i (step S1292-i). If it has not been executed for all the concealed authentication information $[w]_i$, the processing returns to step S123-i. On the other hand, when it has been executed for all the concealed authentication information $[w]_i$, the process of step S2222-i is executed.
- In step S1222-i, the concealment verification value $[r_m y_m]_i + [R_m]_i \cdot I$ obtained in step S224-i is input to the output unit 122-i. If no concealment verification value obtained in step S224-i exists, information indicating "failure" is input to the output unit 122-i.
- The output unit 122-i outputs the concealment verification value $[r_m y_m]_i + [R_m]_i \cdot I$ or the information indicating "failure" to the verification device 13 (step S2222-i).
- The concealment verification value $[r_m y_m]_i + [R_m]_i \cdot I$ or the information indicating "failure" is transmitted to the verification device 23 via the network and input to the input unit 131 of the verification device 23 (FIG. 3B) (step S131). If information indicating "failure" is input, the process of step S1322 is executed. On the other hand, when information representing the concealment verification value $[r_m y_m]_i$ is input, the processes from step S236 onward are executed.
- In step S236, the restoration unit 236 restores and outputs the verification value $r_m y_m$ according to the $(3, N)$ Shamir secret sharing scheme, using $[r_m y_m]_{K(1)} + [R_m]_{K(1)} \cdot I$, $[r_m y_m]_{K(2)} + [R_m]_{K(2)} \cdot I$ and $[r_m y_m]_{K(3)} + [R_m]_{K(3)} \cdot I$, where $\{K(1), K(2), K(3)\} \subseteq \{1, \ldots, N\}$ (step S236).
- If it is determined that the process of step S1371 is not performed for any w, the process returns to step S123-i. On the other hand, if it is determined that the process of step S1371 has been performed for all w, the process of step S1322 is executed. In step S1322, the determination unit 137 outputs "information indicating that authentication has failed" (step S1322). The subsequent processing is the same as in the first embodiment.
- the present invention is not limited to the above-described embodiment.
- The secret calculation devices 12-1 to 12-N may include the user device 11 or may include the verification device 13.
- the secret sharing values handled by each unit of each device may or may not conform to the same secret sharing scheme. In the latter case, a secret sharing value according to a specific secret sharing scheme may be converted into a secret sharing value according to another secret sharing scheme by a known secret sharing value conversion method.
- “obtaining ⁇ using ⁇ ” may mean calculating ⁇ by calculation using ⁇ , or extracting ⁇ that has been pre-calculated by search processing using ⁇ .
- Each of the above devices is configured by a general-purpose or dedicated computer, including a processor (hardware processor) such as a CPU (central processing unit) and a memory such as a random-access memory (RAM) and a read-only memory (ROM), executing a predetermined program.
- the computer may include a single processor and memory, or may include a plurality of processors and memory.
- This program may be installed in a computer, or may be recorded in a ROM or the like in advance.
- Some or all of the processing units may be configured using an electronic circuit that realizes a processing function without using a program, instead of an electronic circuit (circuitry) that, like a CPU, realizes a functional configuration by reading a program.
- An electronic circuit constituting one device may include a plurality of CPUs.
- a computer-readable recording medium is a non-transitory recording medium. Examples of such a recording medium are a magnetic recording device, an optical disk, a magneto-optical recording medium, a semiconductor memory, and the like.
- This program is distributed, for example, by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Furthermore, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.
- a computer that executes such a program first stores a program recorded on a portable recording medium or a program transferred from a server computer in its own storage device.
- the computer reads a program stored in its own storage device, and executes a process according to the read program.
- The computer may read the program directly from the portable recording medium and execute processing according to the program, or, each time the program is transferred from the server computer to the computer, it may sequentially execute processing according to the received program.
- The above-described processing may be executed by a so-called ASP (Application Service Provider) type service that does not transfer the program from the server computer to the computer but implements the processing function only through execution instructions and result acquisition.
- the processing functions of this apparatus are not realized by executing a predetermined program on a computer, but at least a part of these processing functions may be realized by hardware.
Description
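[Overview]
The secret calculation authentication system of the embodiment has $N$ (a plurality of) secret computing devices $P_1, \ldots, P_N$ and a verification device. The verification device may be a device external to the $N$ secret computing devices $P_1, \ldots, P_N$, or a device included inside any of the secret computing devices $P_i$. Each secret computing device $P_i$ stores, in its storage unit, concealed authentication information $[w]_i \in [F]^L$, which is a secret sharing value of the authentication information $w$. Here $i = 1, \ldots, N$, and $N$ is an integer of 2 or more. "$\beta_1 \in \beta_2$" denotes that $\beta_1$ belongs to $\beta_2$. $F$ denotes a finite field and $L$ denotes an integer of 1 or more. The finite field $F$ may be a prime field or an extension field. For example, $L$ is an integer of 2 or more. $[F]$ denotes a secret sharing value of an element of the finite field $F$, and $[F]^L$ denotes a set consisting of $L$ elements of $[F]$. $[\alpha]_i$ means the secret sharing value of $\alpha$ assigned to the secret computing device $P_i$.
The authentication information $w$ is pre-registered for a legitimate user. The authentication information $w$ is not limited and may be anything, for example a password, biometric authentication information, voice authentication information, or pattern authentication information. Each secret computing device $P_i$ may store concealed authentication information $[w]_i$ corresponding to each of a plurality of pieces of authentication information $w$, or may store only the concealed authentication information $[w]_i$ corresponding to a single piece of authentication information $w$.
The secret sharing scheme used to obtain the secret sharing values is not limited; a well-known $(K, N)$ secret sharing scheme (also called a "K-out-of-N threshold secret sharing scheme"), such as a replicated secret sharing scheme (for example, see Reference 1) or the Shamir secret sharing scheme (for example, see Reference 2), may be used. Here $K$ is an integer of 2 or more satisfying $K \leq N$. For example, $K = 2$. In a $(K, N)$ secret sharing scheme, the concealed secret information can be restored when any $K$ distinct secret sharing values are given, but no information about the secret information is obtained even when any $K-1$ secret sharing values are given. In the following, the Shamir secret sharing scheme that is a $(K, N)$ secret sharing scheme is called the "$(K, N)$ Shamir secret sharing scheme".
Reference 1: Dai Ikarashi, Koji Chida, Koki Hamada, Katsumi Takahashi, "Efficiency of Lightweight Verifiable 3-Party Secret Function Calculation and Secure Database Processing Using This," In SCIS 2011, 2011.
Reference 2: A. Shamir, "How to Share a Secret", Communications of the ACM, November 1979, Volume 22, Number 11, pp. 612-613.
Reference 3: Koji Chida, Koki Hamada, Dai Ikarashi, Katsumi Takahashi, "Reconsideration of Lightweight Verifiable 3-Party Secret Function Calculation", In CSS, 2010.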
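$$[y_m]_i = y_m + \mathit{ys}_m\cdot I = \left(z_{\varepsilon m} + \mathit{ys}_{m,0}\cdot i,\ \ldots,\ z_{\varepsilon(m+1)-1} + \mathit{ys}_{m,\varepsilon-1}\cdot i\right) \tag{1}$$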
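This is because the polynomial for obtaining secret share values in accordance with the $(2,N)$ Shamir secret sharing scheme over the degree-$\varepsilon$ extension field $F^{\varepsilon}$ can be regarded as $g(\chi)=y_m+\mathit{ys}_m\cdot\chi\in F^{\varepsilon}$. Here, $\mathit{ys}_{m,0},\ldots,\mathit{ys}_{m,\varepsilon-1}$ are the elements of the vector representation $\mathit{ys}_m=(\mathit{ys}_{m,0},\ldots,\mathit{ys}_{m,\varepsilon-1})\in F^{\varepsilon}$ of the extension field random number $\mathit{ys}_m\in F^{\varepsilon}$, and the vector representation of the coordinate axis $I\in F^{\varepsilon}$ corresponding to $i$ is $I=(i,0,\ldots,0)\in F^{\varepsilon}$. The coordinate axis is $\chi=(\eta,0,\ldots,0)\in F^{\varepsilon}$, where $\eta$ is an integer variable. $g(I)$, obtained with $\chi=I=(i,0,\ldots,0)$, is $[y_m]_i$, and $g(0)$, obtained with $\chi=0=(0,0,\ldots,0)$, is $y_m$. As Equation (1) shows, this secret share value $[y_m]_i$ is an element of the degree-$\varepsilon$ extension field $F^{\varepsilon}$. The polynomial representations of $y_m\in F^{\varepsilon}$, $\mathit{ys}_m\in F^{\varepsilon}$ and $I\in F^{\varepsilon}$ are as follows.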
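$$y_m = z_{\varepsilon m} + z_{\varepsilon m+1}\cdot X + \cdots + z_{\varepsilon(m+1)-1}\cdot X^{\varepsilon-1}$$
$$\mathit{ys}_m = \mathit{ys}_{m,0} + \mathit{ys}_{m,1}\cdot X + \cdots + \mathit{ys}_{m,\varepsilon-1}\cdot X^{\varepsilon-1}$$
$$I = i + 0\cdot X + \cdots + 0\cdot X^{\varepsilon-1}$$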
Therefore, the polynomial representation of $y_m+\mathit{ys}_m\cdot I\in F^{\varepsilon}$ is as follows.
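$$\begin{aligned}
y_m + \mathit{ys}_m\cdot I
&= z_{\varepsilon m} + z_{\varepsilon m+1}\cdot X + \cdots + z_{\varepsilon(m+1)-1}\cdot X^{\varepsilon-1} + \left(\mathit{ys}_{m,0} + \mathit{ys}_{m,1}\cdot X + \cdots + \mathit{ys}_{m,\varepsilon-1}\cdot X^{\varepsilon-1}\right)\left(i + 0\cdot X + \cdots + 0\cdot X^{\varepsilon-1}\right) \\
&= z_{\varepsilon m} + z_{\varepsilon m+1}\cdot X + \cdots + z_{\varepsilon(m+1)-1}\cdot X^{\varepsilon-1} + \mathit{ys}_{m,0}\cdot I + \mathit{ys}_{m,1}\cdot I\cdot X + \cdots + \mathit{ys}_{m,\varepsilon-1}\cdot I\cdot X^{\varepsilon-1} \\
&= z_{\varepsilon m} + \mathit{ys}_{m,0}\cdot I + \left(z_{\varepsilon m+1} + \mathit{ys}_{m,1}\cdot I\right)\cdot X + \cdots + \left(z_{\varepsilon(m+1)-1} + \mathit{ys}_{m,\varepsilon-1}\cdot I\right)\cdot X^{\varepsilon-1}
\end{aligned} \tag{2}$$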
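Here, $X$ satisfies $\rho(X)=0$ for an irreducible polynomial $\rho(X)$ over the finite field $F$. The vector whose elements are the coefficients of Equation (2) is $(z_{\varepsilon m}+\mathit{ys}_{m,0}\cdot i,\ldots,z_{\varepsilon(m+1)-1}+\mathit{ys}_{m,\varepsilon-1}\cdot i)$. It follows that the vector representation of $y_m+\mathit{ys}_m\cdot I\in F^{\varepsilon}$ is as given in Equation (1).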
$$[r_m]_i = r_m + \mathit{rs}_m\cdot I \tag{3}$$
Here, $\mathit{rs}_m\in F^{\varepsilon}$ is an extension field random number. From Equations (2) and (3), the following holds.
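$$\begin{aligned}
[r_m y_m]_i &= [r_m]_i\,[y_m]_i \\
&= (y_m + \mathit{ys}_m\cdot I)(r_m + \mathit{rs}_m\cdot I) \\
&= r_m\cdot y_m + (r_m\cdot \mathit{ys}_m + \mathit{rs}_m\cdot y_m)\cdot I + \mathit{rs}_m\cdot \mathit{ys}_m\cdot I^2 \in F^{\varepsilon}
\end{aligned} \tag{4}$$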
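This shows that $[r_my_m]_i$ is a secret share value of $r_my_m$ in accordance with the $(3,N)$ Shamir secret sharing scheme. This is because the polynomial for obtaining secret share values in accordance with the $(3,N)$ Shamir secret sharing scheme over the degree-$\varepsilon$ extension field $F^{\varepsilon}$ can be regarded as $g'(\chi)=r_m\cdot y_m+(r_m\cdot\mathit{ys}_m+\mathit{rs}_m\cdot y_m)\cdot\chi+\mathit{rs}_m\cdot\mathit{ys}_m\cdot\chi^2\in F^{\varepsilon}$, so that $g'(I)$ with $\chi=I=(i,0,\ldots,0)$ is $[r_my_m]_i$ and $g'(0)$ with $\chi=0=(0,0,\ldots,0)$ is $r_m\cdot y_m$.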
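Next, a first embodiment of the present invention is described with reference to the drawings. The first embodiment is an example of Scheme 1.
<Configuration>
As illustrated in FIG. 1, the secure computation authentication system 1 of this embodiment has a user device 11, a plurality of secure computation devices 12-1, …, 12-N, and a verification device 13, which are configured to be able to communicate over a network. $N$ in this embodiment is an integer of 2 or more. To simplify the description, the secure computation authentication system 1 in FIG. 1 includes one user device 11 and one verification device 13, but the secure computation authentication system 1 may include two or more user devices 11 and/or verification devices 13.
The storage unit 123-i of each secure computation device 12-i (where $i=1,\ldots,N$) stores one or more pieces of pre-registered concealed authentication information $[w]_i\in[F]^L$. The authentication information $w$ itself is not disclosed to any secure computation device 12-i. The secret sharing scheme used in the secure computation authentication system 1 is determined in advance, and the user device 11, the secure computation devices 12-1, …, 12-N, and the verification device 13 perform secure computation on secret share values in accordance with this secret sharing scheme.
As illustrated in FIG. 4, the user first inputs authentication information $\omega$ to the input unit 111 of the user device 11 (FIG. 3A) (step S1111). The authentication information $\omega$ is sent to the concealment unit 115, which obtains and outputs concealed authentication information $[\omega]_i$ (where $i=1,\ldots,N$), the secret share values of the authentication information $\omega$ (step S115). The concealed authentication information $[\omega]_i$ is sent to the output unit 112, which outputs each piece of concealed authentication information $[\omega]_i$ to the corresponding secure computation device 12-i (step S1121).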
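The verification device 13 may perform an operation that includes secure computation and reconstruction using at least some of $[r_0y_0]_i,\ldots,[r_{M-1}y_{M-1}]_i$, and may use the reconstructed values thus obtained to determine whether $r_my_m=0$ is satisfied for all $m=0,\ldots,M-1$. Besides the example described above, the verification device 13 may, for example, obtain the secret share values $[r_0y_0+r_1y_1]_\mu,[r_2y_2+r_3y_3]_\mu,\ldots,[r_{M-2}y_{M-2}+r_{M-1}y_{M-1}]_\mu$ by secure computation using $[r_0y_0]_\mu,\ldots,[r_{M-1}y_{M-1}]_\mu$, determine that $r_my_m=0$ is satisfied for all $m=0,\ldots,M-1$ when the values $r_0y_0+r_1y_1,r_2y_2+r_3y_3,\ldots,r_{M-2}y_{M-2}+r_{M-1}y_{M-1}$ reconstructed from them are all 0, and otherwise determine that $r_my_m=0$ is not satisfied for some $m=0,\ldots,M-1$.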
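Next, a second embodiment of the present invention is described with reference to the drawings. The second embodiment is an example of Scheme 2. The following description focuses on the differences from the first embodiment; matters in common with the first embodiment are given the same reference numerals and their description is simplified. Although it is not repeated each time below, unless otherwise noted the $(2,N)$ Shamir secret sharing scheme is used as the secret sharing scheme in this embodiment.
As illustrated in FIG. 1, the secure computation authentication system 2 of this embodiment has a user device 11, a plurality of secure computation devices 22-1, …, 22-N, and a verification device 23, which are configured to be able to communicate over a network. $N$ in this embodiment is an integer of 3 or more. To simplify the description, the secure computation authentication system 2 in FIG. 1 includes one user device 11 and one verification device 13, but the secure computation authentication system 2 may include two or more user devices 11 and/or verification devices 13.
This is the same as in the first embodiment.
As illustrated in FIG. 4, the processing of steps S1111, S115 and S1121 described in the first embodiment is executed. Each piece of concealed authentication information $[\omega]_i$ thereby output from the user device 11 is input to the input unit 121-i of the corresponding secure computation device 22-i (FIG. 2) (step S121-i). After that, the processing of steps S123-i and S1291-i described in the first embodiment is executed; if step S1291 determines that the size of the concealed authentication information $[\omega]_i$ and the size of the concealed authentication information $[w]_i$ are not identical, information representing "failure" is output (step S1221-i) and processing proceeds to step S1292-i. If, on the other hand, the size of the concealed authentication information $[\omega]_i$ and the size of the concealed authentication information $[w]_i$ are determined to be identical, the processing of steps S125-i, S128-i, 126-i and S127-i described in the first embodiment is executed. In this embodiment, $r_m\in F^{\varepsilon}$, $\mathit{rs}_m\in F^{\varepsilon}$, $\mathit{ys}_m\in F^{\varepsilon}$, $I\in F^{\varepsilon}$, $[r_m]_i=r_m+\mathit{rs}_m\cdot I\in F^{\varepsilon}$, $[y_m]_i=y_m+\mathit{ys}_m\cdot I\in F^{\varepsilon}$, and $[r_my_m]_i=r_m\cdot y_m+(r_m\cdot\mathit{ys}_m+\mathit{rs}_m\cdot y_m)\cdot I+\mathit{rs}_m\cdot\mathit{ys}_m\cdot I^2\in F^{\varepsilon}$.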
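The verification device 23 may perform an operation that includes secure computation and reconstruction using at least some of $[r_0y_0]_{i''}+[R_0]_{i''}\cdot I'',\ldots,[r_{M-1}y_{M-1}]_{i''}+[R_{M-1}]_{i''}\cdot I''$, and may use the reconstructed values thus obtained to determine whether $r_my_m=0$ is satisfied for all $m=0,\ldots,M-1$. Here, $i''=\varphi(1),\varphi(2),\varphi(3)$ and $I''=(i'',0,\ldots,0)\in F^{\varepsilon}$. Besides the example described above, the verification device 23 may, for example, generate secret share values of each of $r_0y_0+r_1y_1,r_2y_2+r_3y_3,\ldots,r_{M-2}y_{M-2}+r_{M-1}y_{M-1}$ by secure computation using $[r_0y_0]_{i''}+[R_0]_{i''}\cdot I'',\ldots,[r_{M-1}y_{M-1}]_{i''}+[R_{M-1}]_{i''}\cdot I''$, determine that $r_my_m=0$ is satisfied for all $m=0,\ldots,M-1$ when the values $r_0y_0+r_1y_1,r_2y_2+r_3y_3,\ldots,r_{M-2}y_{M-2}+r_{M-1}y_{M-1}$ reconstructed from them are all 0, and otherwise determine that $r_my_m=0$ is not satisfied for some $m=0,\ldots,M-1$.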
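The following Python example is added here and is not code from the patent: it carries Equations (1) to (4) and the masked output of the second embodiment through for N = 3 devices, then opens each product from three shares as the verification device does. The base field GF(8191), the extension degree 2 with X² + 1, the evaluation points 1, 2, 3 and every function name are assumptions chosen for illustration; inputs are assumed to have L ≥ 1 elements in the range 0 to 8190.

```python
import secrets

P = 8191   # assumed base field F = GF(P); P % 4 == 3, so X^2 + 1 is irreducible
EPS = 2    # assumed extension degree: F^eps = GF(P)[X] / (X^2 + 1)

def ext_mul(a, b):
    """Product in F^eps of a0 + a1*X and b0 + b1*X, reduced with X^2 = -1."""
    return ((a[0]*b[0] - a[1]*b[1]) % P, (a[0]*b[1] + a[1]*b[0]) % P)

def share(vec, n):
    """(2,N) Shamir, coordinate-wise: device i = 1..n receives v + s*i."""
    slopes = [secrets.randbelow(P) for _ in vec]
    return [tuple((v + s*i) % P for v, s in zip(vec, slopes)) for i in range(1, n + 1)]

def pack(z_i):
    """Eq. (1): join EPS consecutive shares of z into one share of y_m,
    zero-padding the tail so that z_q = 0 for q > L-1."""
    padded = list(z_i) + [0] * (-len(z_i) % EPS)
    return [tuple(padded[k:k + EPS]) for k in range(0, len(padded), EPS)]

def device(i, w_i, omega_i, r_i, R_i):
    """Local work of device P_i; it never sees w, omega, r_m or R_m."""
    z_i = [(a - b) % P for a, b in zip(w_i, omega_i)]        # [z]_i = [w - omega]_i
    prod = [ext_mul(r, y) for r, y in zip(r_i, pack(z_i))]    # Eq. (4), degree 2 in I
    # Second embodiment: add [R_m]_i * I with I = (i, 0); the constant term is unchanged.
    return [tuple((p + i*c) % P for p, c in zip(pr, R)) for pr, R in zip(prod, R_i)]

def reconstruct(points, values):
    """Lagrange interpolation at 0. The points I = (i, 0) lie in F, so the
    coefficients are base-field scalars applied to every coordinate."""
    out = [0] * EPS
    for xj, vj in zip(points, values):
        lam = 1
        for xk in points:
            if xk != xj:
                lam = lam * xk * pow((xk - xj) % P, -1, P) % P
        out = [(o + lam*c) % P for o, c in zip(out, vj)]
    return tuple(out)

def open_products(w, omega, r=None, n=3):
    """Run all devices and return the reconstructed r_m * y_m for each m."""
    M = -(-len(w) // EPS)                                     # M = ceil(L / eps)
    rand = lambda: [tuple(secrets.randbelow(P) for _ in range(EPS)) for _ in range(M)]
    r = r or rand()
    w_sh, om_sh = share(w, n), share(omega, n)
    r_sh = list(zip(*[share(v, n) for v in r]))               # r_sh[i][m] = [r_m]_i
    R_sh = list(zip(*[share(v, n) for v in rand()]))          # R_sh[i][m] = [R_m]_i
    outs = [device(i + 1, w_sh[i], om_sh[i], r_sh[i], R_sh[i]) for i in range(n)]
    return [reconstruct([1, 2, 3], [outs[i][m] for i in range(3)]) for m in range(M)]

def authenticate(w, omega):
    """Success only if the sizes match and every r_m * y_m opens to zero."""
    return len(w) == len(omega) and all(v == (0,) * EPS for v in open_products(w, omega))
```

Because F^ε is a field, a mismatch in any packed block y_m opens to a nonzero value unless the random r_m itself is zero, which happens with probability 1/P^ε.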
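The present invention is not limited to the embodiments described above. For example, at least some of the secure computation devices 12-1 to 12-N (for example, all of the secure computation devices 12-1 to 12-N) may include the user device 11, or may include the verification device 13. The secret share values handled by the units of each device may all conform to the same secret sharing scheme, or may not. In the latter case, secret share values conforming to a particular secret sharing scheme may be converted into secret share values conforming to another secret sharing scheme by a known method for converting secret share values. Furthermore, "obtaining $\beta$ using $\alpha$" may mean calculating $\beta$ by a computation that uses $\alpha$, or may mean extracting a precomputed $\beta$ by a search that uses $\alpha$.
11 User device
12-i, 22-i Secure computation device
13, 23 Verification device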
Claims (9)
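- A secure computation device, where $L$ is an integer of 1 or more, $\varepsilon$ is an integer of 2 or more, $F$ is a finite field, $F^{\varepsilon}$ is an extension field of the finite field $F$, the extension degree of the extension field $F^{\varepsilon}$ is $\varepsilon$, $\mathrm{ceil}(x)$ is the smallest integer greater than or equal to a real number $x$, $M=\mathrm{ceil}(L/\varepsilon)$, $j=0,\ldots,L-1$, and $m=0,\ldots,M-1$, the secure computation device comprising:
a storage unit that stores concealed authentication information $[w]_i\in[F]^L$, which is a secret share value of authentication information $w$;
an input unit that receives input of concealed authentication information $[\omega]_i\in[F]^L$, which is a secret share value of authentication information $\omega$;
a first operation unit that obtains a first concealed verification value $[z]_i=[w-\omega]_i$ by secure computation using the concealed authentication information $[w]_i$ and the concealed authentication information $[\omega]_i$;
a random number generation unit that obtains a concealed extension field random number $[r_m]_i\in[F^{\varepsilon}]$, which is a secret share value of an extension field random number $r_m$;
a second operation unit that, where $z=(z_0,\ldots,z_{L-1})=w-\omega$, $z_j\in F$, $y_m=(z_{\varepsilon m},\ldots,z_{\varepsilon(m+1)-1})$ for $m=0,\ldots,M-1$, and $z_q$ is 0 for those $q$ among $q=\varepsilon(M-1),\ldots,\varepsilon M-1$ with $q>L-1$, obtains a second concealed verification value $[y_m]_i$, in which $y_m$ is concealed, by secure computation using the first concealed verification value $[z]_i$; and
a third operation unit that obtains and outputs a third concealed verification value $[r_my_m]_i$ by secure computation using the concealed extension field random number $[r_m]_i$ and the second concealed verification value $[y_m]_i$.
- The secure computation device according to claim 1,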
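wherein $M$ is an integer of 2 or more.
- The secure computation device according to claim 1 or 2, wherein
$K$ and $N$ are integers of 2 or more, and $K\le N$,
the concealed extension field random number $[r_m]_i$ is a secret share value in accordance with the $(K,N)$ Shamir secret sharing scheme,
the second operation unit obtains the second concealed verification value $[y_m]_i$ by joining elements of the sequence representing the first concealed verification value $[z]_i$,
the third operation unit obtains the third concealed verification value $[r_my_m]_i$ by treating the second concealed verification value $[y_m]_i$ as a secret share value in accordance with the $(K,N)$ Shamir secret sharing scheme, and
the third concealed verification value $[r_my_m]_i$ is a secret share value in accordance with the $(2K-1,N)$ Shamir secret sharing scheme.
- The secure computation device according to claim 3,
wherein $K=2$.
- The secure computation device according to claim 4, wherein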
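$r_m\in F^{\varepsilon}$, $\mathit{rs}_m\in F^{\varepsilon}$, $\mathit{ys}_m\in F^{\varepsilon}$, $\mathit{Rs}_m\in F^{\varepsilon}$, $I\in F^{\varepsilon}$, $[r_m]_i=r_m+\mathit{rs}_m\cdot I\in F^{\varepsilon}$, $[y_m]_i=y_m+\mathit{ys}_m\cdot I\in F^{\varepsilon}$, and $[r_my_m]_i=r_m\cdot y_m+(r_m\cdot\mathit{ys}_m+\mathit{rs}_m\cdot y_m)\cdot I+\mathit{rs}_m\cdot\mathit{ys}_m\cdot I^2\in F^{\varepsilon}$, and
the secure computation device further comprises:
a second random number generation unit that obtains a second concealed extension field random number $[R_m]_i=R_m+\mathit{Rs}_m\cdot I\in F^{\varepsilon}$, which is a secret share value of a second extension field random number $R_m\in F^{\varepsilon}$;
a fourth operation unit that obtains an extension field multiplication value $[R_m]_i\cdot I=R_m\cdot I+\mathit{Rs}_m\cdot I^2\in F^{\varepsilon}$; and
a fifth operation unit that obtains and outputs a fourth concealed verification value $[r_my_m]_i+[R_m]_i\cdot I=r_m\cdot y_m+(r_m\cdot\mathit{ys}_m+\mathit{rs}_m\cdot y_m+R_m)\cdot I+(\mathit{rs}_m\cdot\mathit{ys}_m+\mathit{Rs}_m)\cdot I^2\in F^{\varepsilon}$.
- A secure computation authentication system comprising a plurality of secure computation devices and a verification device, wherein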
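$L$ is an integer of 1 or more, $\varepsilon$ is an integer of 2 or more, $F$ is a finite field, $F^{\varepsilon}$ is an extension field of the finite field $F$, the extension degree of the extension field $F^{\varepsilon}$ is $\varepsilon$, $\mathrm{ceil}(x)$ is the smallest integer greater than or equal to a real number $x$, $M=\mathrm{ceil}(L/\varepsilon)$, $j=0,\ldots,L-1$, and $m=0,\ldots,M-1$,
each of the secure computation devices includes:
a storage unit that stores concealed authentication information $[w]_i\in[F]^L$, which is a secret share value of authentication information $w$;
a first input unit that receives input of concealed authentication information $[\omega]_i\in[F]^L$, which is a secret share value of authentication information $\omega$;
a first operation unit that obtains a first concealed verification value $[z]_i=[w-\omega]_i$ by secure computation using the concealed authentication information $[w]_i$ and the concealed authentication information $[\omega]_i$;
a random number generation unit that obtains a concealed extension field random number $[r_m]_i\in[F^{\varepsilon}]$, which is a secret share value of an extension field random number $r_m$;
a second operation unit that, where $z=(z_0,\ldots,z_{L-1})=w-\omega$, $z_j\in F$, $y_m=(z_{\varepsilon m},\ldots,z_{\varepsilon(m+1)-1})$ for $m=0,\ldots,M-1$, and $z_q$ is 0 for those $q$ among $q=\varepsilon(M-1),\ldots,\varepsilon M-1$ with $q>L-1$, obtains a second concealed verification value $[y_m]_i$, in which $y_m$ is concealed, by secure computation using the first concealed verification value $[z]_i$; and
a third operation unit that obtains and outputs a third concealed verification value $[r_my_m]_i$ by secure computation using the concealed extension field random number $[r_m]_i$ and the second concealed verification value $[y_m]_i$, and
the verification device determines that authentication has succeeded when $r_my_m=0$ is satisfied for all $m=0,\ldots,M-1$.
- The secure computation authentication system according to claim 6, wherein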
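the system has $N$ of the secure computation devices,
$N$ is an integer of 3 or more,
the concealed extension field random number $[r_m]_i$ is a secret share value in accordance with the $(2,N)$ Shamir secret sharing scheme,
the second operation unit obtains the second concealed verification value $[y_m]_i$ by joining elements of the sequence representing the first concealed verification value $[z]_i$,
the third operation unit obtains the third concealed verification value $[r_my_m]_i$ by treating the second concealed verification value $[y_m]_i$ as a secret share value in accordance with the $(2,N)$ Shamir secret sharing scheme,
$r_m\in F^{\varepsilon}$, $\mathit{rs}_m\in F^{\varepsilon}$, $\mathit{ys}_m\in F^{\varepsilon}$, $\mathit{Rs}_m\in F^{\varepsilon}$, $I\in F^{\varepsilon}$, $[r_m]_i=r_m+\mathit{rs}_m\cdot I\in F^{\varepsilon}$, $[y_m]_i=y_m+\mathit{ys}_m\cdot I\in F^{\varepsilon}$, $[r_my_m]_i=r_m\cdot y_m+(r_m\cdot\mathit{ys}_m+\mathit{rs}_m\cdot y_m)\cdot I+\mathit{rs}_m\cdot\mathit{ys}_m\cdot I^2\in F^{\varepsilon}$, and $i=1,\ldots,N$,
each of the secure computation devices further includes:
a second random number generation unit that obtains a second concealed extension field random number $[R_m]_i=R_m+\mathit{Rs}_m\cdot I\in F^{\varepsilon}$, which is a secret share value of a second extension field random number $R_m\in F^{\varepsilon}$;
a fourth operation unit that obtains an extension field multiplication value $[R_m]_i\cdot I=R_m\cdot I+\mathit{Rs}_m\cdot I^2\in F^{\varepsilon}$; and
a fifth operation unit that obtains and outputs a fourth concealed verification value $[r_my_m]_i+[R_m]_i\cdot I=r_m\cdot y_m+(r_m\cdot\mathit{ys}_m+\mathit{rs}_m\cdot y_m+R_m)\cdot I+(\mathit{rs}_m\cdot\mathit{ys}_m+\mathit{Rs}_m)\cdot I^2\in F^{\varepsilon}$, and
the verification device, in accordance with the $(3,N)$ Shamir secret sharing scheme and for $\{\varphi(1),\varphi(2),\varphi(3)\}\subseteq\{1,\ldots,N\}$, performs an operation on $[r_my_m]_{\varphi(1)}+[R_m]_{\varphi(1)}\cdot I$, $[r_my_m]_{\varphi(2)}+[R_m]_{\varphi(2)}\cdot I$ and $[r_my_m]_{\varphi(3)}+[R_m]_{\varphi(3)}\cdot I$, and determines that authentication has succeeded when $r_my_m=0$ is satisfied for all $m=0,\ldots,M-1$.
- A secure computation method of a secure computation device, wherein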
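$L$ is an integer of 1 or more, $\varepsilon$ is an integer of 2 or more, $F$ is a finite field, $F^{\varepsilon}$ is an extension field of the finite field $F$, the extension degree of the extension field $F^{\varepsilon}$ is $\varepsilon$, $\mathrm{ceil}(x)$ is the smallest integer greater than or equal to a real number $x$, $M=\mathrm{ceil}(L/\varepsilon)$, $j=0,\ldots,L-1$, and $m=0,\ldots,M-1$, the secure computation method comprising:
an input step in which an input unit receives input of concealed authentication information $[\omega]_i\in[F]^L$, which is a secret share value of authentication information $\omega$;
a first operation step in which a first operation unit obtains a first concealed verification value $[z]_i=[w-\omega]_i$ by secure computation using concealed authentication information $[w]_i\in[F]^L$, which is a secret share value of authentication information $w$, and the concealed authentication information $[\omega]_i$;
a random number generation step in which a random number generation unit obtains a concealed extension field random number $[r_m]_i\in[F^{\varepsilon}]$, which is a secret share value of an extension field random number $r_m$;
a second operation step in which, where $z=(z_0,\ldots,z_{L-1})=w-\omega$, $z_j\in F$, $y_m=(z_{\varepsilon m},\ldots,z_{\varepsilon(m+1)-1})$ for $m=0,\ldots,M-1$, and $z_q$ is 0 for those $q$ among $q=\varepsilon(M-1),\ldots,\varepsilon M-1$ with $q>L-1$, a second operation unit obtains a second concealed verification value $[y_m]_i$, in which $y_m$ is concealed, by secure computation using the first concealed verification value $[z]_i$; and
a third operation step in which a third operation unit obtains a third concealed verification value $[r_my_m]_i$ by secure computation using the concealed extension field random number $[r_m]_i$ and the second concealed verification value $[y_m]$.
- A program for causing a computer to function as the secure computation device according to any one of claims 1 to 5.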
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU2019223507A AU2019223507B2 (en) | 2018-02-20 | 2019-02-14 | Secure computation device, secure computation authentication system, secure computation method, and program |
EP19757721.6A EP3757976B1 (en) | 2018-02-20 | 2019-02-14 | Secret calculation device, secret calculation authentication system, secret calculation method, and program |
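JP2020501714A JP6933290B2 (ja) | 2018-02-20 | 2019-02-14 | Secure computation device, secure computation authentication system, secure computation method, and program |
CN201980013979.7A CN111758127B (zh) | 2018-02-20 | 2019-02-14 | Secure computation device and method thereof, secure computation authentication system, and recording medium |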
US16/970,552 US11329808B2 (en) | 2018-02-20 | 2019-02-14 | Secure computation device, secure computation authentication system, secure computation method, and program |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2018027999 | 2018-02-20 | ||
JP2018-027999 | 2018-02-20 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2019163636A1 (ja) | 2019-08-29 |
Family
ID=67687561
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2019/005351 WO2019163636A1 (ja) | Secure computation device, secure computation authentication system, secure computation method, and program | 2018-02-20 | 2019-02-14 |
Country Status (6)
Country | Link |
---|---|
US (1) | US11329808B2 (ja) |
EP (1) | EP3757976B1 (ja) |
JP (1) | JP6933290B2 (ja) |
CN (1) | CN111758127B (ja) |
AU (1) | AU2019223507B2 (ja) |
WO (1) | WO2019163636A1 (ja) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20220271933A1 (en) * | 2021-02-19 | 2022-08-25 | Samsung Electronics Co., Ltd. | System and method for device to device secret backup and recovery |
CN116363395B (zh) * | 2023-05-15 | 2023-08-22 | Beijing Jinjing Yunhua Technology Co., Ltd. | Verifiable image similarity recognition method and device based on secret sharing |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2016159357A1 (ja) * | 2015-04-03 | 2016-10-06 | NEC Corporation | Secure computation system, server device, secure computation method, and program |
Family Cites Families (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
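JP2007517303A (ja) * | 2003-12-24 | 2007-06-28 | Koninklijke Philips Electronics N.V. | Privacy protection during use of authorization certificates |
EP1815637B1 (en) * | 2004-11-16 | 2016-04-20 | Koninklijke Philips N.V. | Securely computing a similarity measure |
JP4875448B2 (ja) * | 2006-10-11 | 2012-02-15 | Nippon Telegraph and Telephone Corporation | Key generation device, anonymous signature system, management device, anonymous signature method, and program |
JP2008250931A (ja) * | 2007-03-30 | 2008-10-16 | Toshiba Corp | Shared information restoration system, information utilization device, and verification device |
JP5047198B2 (ja) * | 2008-01-21 | 2012-10-10 | Nippon Telegraph and Telephone Corporation | Secure computation system, secure computation method, secure computation device, verification device, and program |
JP5406796B2 (ja) * | 2010-07-07 | 2014-02-05 | Nippon Telegraph and Telephone Corporation | Identity proof system, verification device, and identity proof method |
US9276911B2 (en) * | 2011-05-13 | 2016-03-01 | Indiana University Research & Technology Corporation | Secure and scalable mapping of human sequencing reads on hybrid clouds |
JP5852518B2 (ja) * | 2012-06-18 | 2016-02-03 | Nippon Telegraph and Telephone Corporation | Authenticated encryption device, authenticated decryption device, and program |
JP5841954B2 (ja) * | 2013-01-21 | 2016-01-13 | Nippon Telegraph and Telephone Corporation | Secure authentication method |
WO2015105479A1 (en) * | 2014-01-07 | 2015-07-16 | Empire Technology Development Llc | Anonymous signature scheme |
JP6053238B2 (ja) * | 2016-01-13 | 2016-12-27 | Nippon Telegraph and Telephone Corporation | Secret tampering detection system, secure computation device, secret tampering detection method, and program |
JP6563857B2 (ja) * | 2016-06-01 | 2019-08-21 | Nippon Telegraph and Telephone Corporation | Commitment system, common reference information generation device, commitment generation device, commitment reception device, commitment method, and program |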
-
2019
- 2019-02-14 JP JP2020501714A patent/JP6933290B2/ja active Active
- 2019-02-14 WO PCT/JP2019/005351 patent/WO2019163636A1/ja unknown
- 2019-02-14 EP EP19757721.6A patent/EP3757976B1/en active Active
- 2019-02-14 CN CN201980013979.7A patent/CN111758127B/zh active Active
- 2019-02-14 US US16/970,552 patent/US11329808B2/en active Active
- 2019-02-14 AU AU2019223507A patent/AU2019223507B2/en active Active
Non-Patent Citations (5)
Title |
---|
A. SHAMIR: "How to Share a Secret", COMMUNICATIONS OF THE ACM, vol. 22, no. 11, November 1979 (1979-11-01), pages 612 - 613, XP000565227, DOI: 10.1145/359168.359176 |
DAI IKARASHI, KOJI CHIDA, KOKI HAMADA, KATSUMI TAKAHASHI: "Secure Database Operations Using An Improved 3-party Verifiable Secure Function Evaluation", IN SCIS 2011, 2011 |
IVAN DAMGARD, MATTHIAS FITZI, EIKE KILTZ, JESPER BUUS NIELSEN, TOMAS TOFT: "Unconditionally Secure Constant-Rounds Multi-party Computation for Equality, Comparison, Bits and Exponentiation", TCC 2006, pages 285 - 304 |
KIKUCHI, RYO ET AL.: "Password-Based Authentication Protocol for Secret-Sharing-Based Multiparty Computation", IEICE TRANSACTIONS ON FUNDAMENTALS OF ELECTRONICS, COMMUNICATIONS AND COMPUTER SCIENCES, vol. E101.A, no. 1, 1 January 2018 (2018-01-01), pages 51 - 63, XP055493896, ISSN: 1745-1337 * |
KOJI CHIDA, KOKI HAMADA, DAI IKARASHI, KATSUMI TAKAHASHI: "A Three-party Secure Function Evaluation with Lightweight Verifiability Revisited", IN CSS, 2010 |
Also Published As
Publication number | Publication date |
---|---|
AU2019223507A1 (en) | 2020-09-10 |
EP3757976B1 (en) | 2023-10-11 |
CN111758127A (zh) | 2020-10-09 |
EP3757976A1 (en) | 2020-12-30 |
JP6933290B2 (ja) | 2021-09-08 |
AU2019223507B2 (en) | 2021-05-06 |
EP3757976A4 (en) | 2021-11-17 |
CN111758127B (zh) | 2023-08-08 |
JPWO2019163636A1 (ja) | 2021-02-04 |
US20210028926A1 (en) | 2021-01-28 |
US11329808B2 (en) | 2022-05-10 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 19757721; Country of ref document: EP; Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 2020501714; Country of ref document: JP; Kind code of ref document: A |
| NENP | Non-entry into the national phase | Ref country code: DE |
| ENP | Entry into the national phase | Ref document number: 2019223507; Country of ref document: AU; Date of ref document: 20190214; Kind code of ref document: A |
| ENP | Entry into the national phase | Ref document number: 2019757721; Country of ref document: EP; Effective date: 20200921 |
ENP | Entry into the national phase |
Ref document number: 2019757721 Country of ref document: EP Effective date: 20200921 |