WO2023058186A1 - Information processing program, information processing method, and information processing apparatus - Google Patents

Information processing program, information processing method, and information processing apparatus Download PDF

Info

Publication number
WO2023058186A1
WO2023058186A1 PCT/JP2021/037125 JP2021037125W WO2023058186A1 WO 2023058186 A1 WO2023058186 A1 WO 2023058186A1 JP 2021037125 W JP2021037125 W JP 2021037125W WO 2023058186 A1 WO2023058186 A1 WO 2023058186A1
Authority
WO
WIPO (PCT)
Prior art keywords
numerical calculation
calculation program
secret
input
information
Prior art date
Application number
PCT/JP2021/037125
Other languages
French (fr)
Japanese (ja)
Inventor
中村允一
森永正信
Original Assignee
富士通株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 富士通株式会社 filed Critical 富士通株式会社
Priority to PCT/JP2021/037125 priority Critical patent/WO2023058186A1/en
Publication of WO2023058186A1 publication Critical patent/WO2023058186A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • This case relates to an information processing program, an information processing method, and an information processing device.
  • Zero Knowledge Proof A cryptographic technique called Zero Knowledge Proof (ZKP) is known that allows a prover to convince a verifier that a certain proposition is true while keeping part of the information about the proposition secret.
  • ZKP Zero Knowledge Proof
  • a prover generates data called proof (hereinafter simply referred to as proof) from information about a proposition and sends it to a verifier.
  • proof data called proof (hereinafter simply referred to as proof) from information about a proposition and sends it to a verifier.
  • the verifier verifies the validity of the transmitted proof. It is designed to be probabilistically difficult to generate a valid proof if the proposition is false. Therefore, if the proof is valid, the verifier can be convinced that the proposition is true (see Non-Patent Document 1, for example).
  • Zero-knowledge proofs have been put into practical use in the blockchain field, such as the crypto asset Zcash and the layer 2 technology zkSync (see Patent Documents 1 and 2, for example).
  • the above-mentioned privacy problem can be solved to some extent, but the following problems may occur separately.
  • the secret sharing method in order to distribute secret information, it is required to entrust generation of certificates to a plurality of third parties. In this case, if a certain percentage of a plurality of third parties collude, there is a risk that confidential information will leak out.
  • the amount of calculation for each of multiple third parties is about the same as the amount of calculation when entrusting the generation of proof to a single third party. The total amount of computation can also grow in proportion to the number of third parties.
  • the information processing program performs a first encryption process and a second encryption process on a secret input to a numerical calculation program and a secret output from the numerical calculation program, which are kept secret by a prover in a zero-knowledge proof, respectively. and modifying the numerical calculation program into another numerical calculation program including decryption processing paired with the first encryption processing, the numerical calculation program, and the second encryption processing, and modifying the numerical calculation program transmitting first information including a calculation program and public input to and public output from said numerical calculation program published by said prover to a verifier in said zero-knowledge proof, and encrypting said secret; causing a computer to execute a process of transmitting second information including the input and the secret output, the separate numerical calculation program, the public input and the public output to a third party different from the prover and the verifier; , the third party generates a proof of the proposition in the zero-knowledge proof based on the second information, and transmits the generated proof to the verifier.
  • Leakage of confidential information can be suppressed even if the generation of certificates is outsourced to a third party.
  • FIG. 1 is an example of an information processing system.
  • FIG. 2 shows an example of the hardware configuration of the prover terminal.
  • FIG. 3 shows an example of the hardware configuration of the verifier server.
  • FIG. 4 is an example of the functional configuration of the prover terminal.
  • FIG. 5 is an example of the functional configuration of the verifier server.
  • FIG. 6 is an example of the functional configuration of the third party server.
  • FIG. 7 is an example of a processing sequence diagram of the information processing system.
  • FIG. 8 is a flow chart showing an example of the operation of the prover terminal.
  • FIG. 9(a) is a diagram for explaining an example of a numerical calculation program.
  • FIG. 9B is a diagram explaining an example of another numerical calculation program.
  • FIG. 10 is a flow chart showing an example of the operation of the third party server.
  • FIG. 11 is a flow chart showing an example of the operation of the verifier server.
  • FIG. 12 is another example of the functional configuration of the prover terminal.
  • FIG. 13 is
  • the information processing system ST includes a prover terminal 100 , a verifier server 200 and a third party server 300 .
  • the prover terminal 100 is an example of an information processing device, and is a terminal device that realizes a prover in zero-knowledge proof.
  • the verifier server 200 is a server device that implements a verifier in zero-knowledge proof.
  • the third party server 300 is a server device that implements a third party that is different from both the prover and the verifier. Third parties are sometimes called workers.
  • the information processing system ST does not include a plurality of third party servers 300, but includes one third party server 300. FIG. That is, the information processing system ST includes a single third party server 300 .
  • the first performance representing the performance of the third party server 300 is higher than the second performance representing the performance of the prover terminal 100 .
  • the memory capacity of the third party server 300 is higher than the memory capacity of the prover terminal 100 .
  • the number of cores and the clock frequency of the processor provided in the third party server 300 are higher than the number of cores and the clock frequency of the processor provided in the prover terminal 100 .
  • the third party server 300 has higher performance than the prover terminal 100.
  • the third performance representing the performance of the verifier server 200 may be approximately the same as the second performance, or may be higher than the second performance and lower than the first performance.
  • the prover terminal 100, the verifier server 200, and the third party server 300 are connected to each other. More specifically, the prover terminal 100, the verifier server 200, and the third party server 300 are connected via a wireless communication network NW1, a mobile base station BS, and a wired communication network NW2. For example, if the certifier terminal 100 is included in the communicable area AR of the mobile base station BS, the certifier terminal 100 is connected to the verifier server via the wireless communication network NW1, the mobile base station BS, and the wired communication network NW2. 200 and third party servers 300 .
  • the wireless communication network NW1 for example, there is a communication network using LTE (Long Term Evolution).
  • the wired communication network NW2 includes communication networks such as LAN (Local Area Network) and the Internet.
  • the prover terminal 100 transmits the first information 10 to the verifier server 200 when, for example, the verifier server 200 requests proof in the zero-knowledge proof.
  • the first information 10 includes public information in which a part of the information regarding the proposition in the zero-knowledge proof is made public.
  • the proposition is that the prover terminal 100 knows the correct input and output (specifically, the input/output relationship between input and output) of the numerical calculation program.
  • Public information includes public inputs and public outputs.
  • a public input is an input to a numerical calculation program that the prover terminal 100 makes public.
  • a public output is an output from a numerical calculation program that the prover terminal 100 makes public. Both the public input and the public output are part of the information about the proposition in the zero-knowledge proof.
  • the first information 10 includes, in addition to public information, another numerical calculation program modified from the numerical calculation program.
  • the prover terminal 100 transmits the second information 20 to the third party server 300 when the proof is requested.
  • the second information 20 includes the above-described public information and another numerical calculation program, as well as encrypted secret information in which the rest of the information related to the proposition in the zero-knowledge proof is kept secret and encrypted.
  • the encrypted secret information includes an encrypted secret input and an encrypted secret output.
  • the encrypted secret input is the secret input encrypted in the first encryption process.
  • the encrypted secret output is the secret output encrypted in the second encryption process.
  • the first encryption process and the second encryption process are different.
  • a secret input is an input to a numerical calculation program that is kept secret by the prover terminal 100 .
  • the secret output is the output from the numerical calculation program that the prover terminal 100 keeps secret. Both secret input and secret output keep the rest of the information about the proposition in the zero-knowledge proof secret.
  • the third party server 300 When the third party server 300 receives the second information 20 transmitted from the prover terminal 100, the third party server 300 generates a proof 30 related to the proposition in the zero-knowledge proof based on the received second information 20, and sends the generated proof 30 to the verifier. Send to server 200 .
  • the verifier server 200 verifies the validity of the proof 30 based on the first information 10 sent from the prover terminal 100 and the proof 30 sent from the third party server 300 .
  • the verifier server 200 After verifying the correctness of the proof 30, the verifier server 200 sends the verification result regarding the correctness of the proposition to the prover terminal 100. Accordingly, the prover terminal 100 receives the verification result. For example, when the verifier server 200 determines that the proposition is true as a result of verifying the validity of the proof 30, the verifier server 200 transmits a verification result including true as a result of the validity of the proposition. Conversely, when the verifier server 200 determines that the proposition is false as a result of verifying the validity of the proof 30, the verifier server 200 transmits a verification result including false as a result of the validity of the proposition.
  • the prover terminal 100 can entrust the third-party server 300 with the process of generating the proof.
  • the calculations executed by the prover terminal 100 are mainly encryption of secret information (specifically, secret input and secret output). Since encryption is much smaller than the amount of calculation that occurs when generating a proof, the calculation load (for example, the amount of calculation) on the prover terminal 100 can be reduced.
  • the encrypted secret information (specifically, encrypted secret input and encrypted secret output) is disclosed to the third party server 300, and an attack on the third party server 300 occurs.
  • the secret sharing method the amount of calculation related to the process of generating the proof is proportional to the number of servers (see, for example, Non-Patent Document 3) by adopting a plurality of third-party servers 300. Since the third-party server 300 may be used, this is almost the same as when the prover terminal 100 generates the proof by itself.
  • the hardware configuration of the prover terminal 100 will be described with reference to FIG.
  • the prover terminal 100 includes a CPU (Central Processing Unit) 100A as a processor, RAM (Random Access Memory) 100B, ROM (Read Only Memory) 100C, and NVM (Non-Volatile Memory) 100D as memories. there is The prover terminal 100 also includes an RF (Radio Frequency) circuit 100E, an acceleration sensor 100F, and a camera 100G. An antenna 100N is connected to the RF circuit 100E. A CPU (not shown) that implements a communication function may be used instead of the RF circuit 100E.
  • the camera 100G includes an image sensor such as CMOS (Complementary Metal Oxide Semiconductor) or CCD (Charge Coupled Device).
  • CMOS Complementary Metal Oxide Semiconductor
  • CCD Charge Coupled Device
  • the prover terminal 100 includes a touch panel 100H as an input unit, a display 100I as a display unit, and a speaker 100J.
  • the CPU 100A to the speaker 100J are interconnected by an internal bus 100K. That is, the prover terminal 100 can be realized by a smart device such as a smart phone or a tablet terminal, or a computer including a PC.
  • the information processing programs stored in the ROM 100C and NVM 100D are stored in the RAM 100B by the CPU 100A.
  • the CPU 100A executes the stored information processing program, the CPU 100A realizes various functions described later and executes various processes described later. In this way, a computer can be realized by cooperation of the CPU 100A and the RAM 100B.
  • an information processing method can be realized by the CPU 100A executing various kinds of processing.
  • the information processing program may correspond to a flow chart described later.
  • the hardware configuration of the verifier server 200 will be described with reference to FIG. Note that the hardware configuration of the third party server 300 is basically the same as the hardware configuration of the verifier server 200, so detailed description thereof will be omitted.
  • the verifier server 200 includes a CPU 200A, a RAM 200B, a ROM 200C, and a network I/F (interface) 200D.
  • Verifier server 200 may include at least one of HDD (Hard Disk Drive) 200E, input I/F 200F, output I/F 200G, input/output I/F 200H, and drive device 200I, if necessary.
  • the CPU 200A to the drive device 200I are interconnected by an internal bus 200J.
  • An input device 710 is connected to the input I/F 200F.
  • the input device 710 includes, for example, a keyboard and a mouse.
  • a display device 720 is connected to the output I/F 200G.
  • the display device 720 is, for example, a liquid crystal display.
  • a semiconductor memory 730 is connected to the input/output I/F 200H. Examples of the semiconductor memory 730 include USB (Universal Serial Bus) memory and flash memory.
  • the input/output I/F 200H reads programs stored in the semiconductor memory 730 .
  • the input I/F 200F and the input/output I/F 200H are provided with USB ports, for example.
  • the output I/F 200G has, for example, a display port.
  • a portable recording medium 740 is inserted into the drive device 200I.
  • Portable recording media 740 include removable discs such as CD (Compact Disc)-ROM and DVD (Digital Versatile Disc).
  • Drive device 200I reads a program recorded on portable recording medium 740 .
  • the network I/F 200D has, for example, a LAN port.
  • a network I/F 200D is connected to the above-described wired communication network NW2.
  • the programs stored in the ROM 200C and HDD 200E are stored in the RAM 200B described above by the CPU 200A.
  • the program recorded on the portable recording medium 740 is stored in the RAM 200B by the CPU 200A.
  • the CPU 200A executes the stored programs, various functions described later are realized, and various processes described later are executed. Note that the program may correspond to a flow chart described later.
  • FIG. 4 shows the essential functions of the prover terminal 100 .
  • the prover terminal 100 includes a storage unit 110, a processing unit 120, and a communication unit .
  • the storage unit 110 can be implemented by one or both of the RAM 100B and NVM 100D described above.
  • the processing unit 120 can be realized by the CPU 100A described above.
  • the communication unit 130 can be realized by the RF circuit 100E and the antenna 100N described above. Therefore, the storage unit 110, the processing unit 120, and the communication unit 130 are connected to each other.
  • Storage unit 110 includes information storage unit 111 and program storage unit 112 .
  • the processing unit 120 includes an encryption unit 121 , a correction unit 122 , a transmission unit 123 and a reception unit 124 .
  • the information storage unit 111 stores public information and confidential information.
  • Public information is information in which a part of the information about the proposition in the zero-knowledge proof is made public.
  • the public information in this embodiment includes public input that is input to the numerical calculation program that the prover terminal 100 makes public.
  • the public information in this embodiment includes public output, which is the output from the numerical calculation program in response to the public input.
  • Confidential information is information in which the rest of the information about the proposition in the zero-knowledge proof is kept secret.
  • Confidential information in this embodiment includes a secret input which is an input to a numerical calculation program kept secret by the prover terminal 100 .
  • the secret information in this embodiment includes a secret output which is an output from the numerical calculation program in response to the secret input.
  • the program storage unit 112 stores various programs.
  • the program storage unit 112 stores the numerical calculation program described above.
  • the numerical calculation program may be, for example, a hash function calculation program.
  • the program storage unit 112 includes a first encryption program that implements the first encryption process, and a first decryption program that implements the first decryption process paired with the first encryption process.
  • the program storage unit 112 also contains a second encryption program that implements the second encryption process, and a second decryption program that implements the second decryption process paired with the second encryption process.
  • the encryption unit 121 encrypts the secret input with the first encryption process and encrypts the secret output with the second encryption process.
  • the modifying unit 122 modifies the numerical calculation program into another numerical calculation program including a combination of the first decryption process, the numerical calculation program and the second encryption process.
  • the transmitting unit 123 transmits the first information 10 to the verifier server 200 and the second information to the third party server 300 .
  • the receiving unit 124 receives from the verifier server 200 a verification result regarding the correctness of the proposition verified by the verifier server 200 based on the first information 10 and the proof 30 .
  • FIG. 5 shows the essential functions of the verifier server 200 .
  • the verifier server 200 includes a storage unit 210, a processing unit 220, and a communication unit 230.
  • the storage unit 210 can be realized by one or both of the RAM 200B and HDD 200E described above.
  • the processing unit 220 can be realized by the CPU 200A described above.
  • the communication unit 230 can be implemented by the network I/F 200D described above. Therefore, the storage unit 210, the processing unit 220, and the communication unit 230 are connected to each other.
  • Storage unit 210 includes information storage unit 211 .
  • the processing unit 220 includes a receiving unit 221 , a verification unit 222 and a transmitting unit 223 .
  • the receiving unit 221 independently receives the first information 10 and the proof 30 and stores them in the information storage unit 211 .
  • the information storage unit 211 stores the first information 10 and the proof 30 .
  • the verification unit 222 acquires the first information 10 and the proof 30 from the information storage unit 211, and based on the acquired first information 10 and the proof 30 and a known predetermined verification method (for example, see Patent Document 1) , to verify the correctness of the proposition.
  • the transmitting unit 223 transmits the verification result regarding the correctness of the proposition to the prover terminal 100 .
  • the verification unit 222 verifies the validity of the proof 30 and determines that the proposition is true, it transmits a verification result including true as a result of the validity of the proposition.
  • the verifier 222 verifies the validity of the proof 30 and determines that the proposition is false, it transmits a verification result including false as a result of the validity of the proposition.
  • FIG. 6 shows the essential functions of the third party server 300 .
  • the third party server 300 includes a storage unit 310, a processing unit 320, and a communication unit 330.
  • the storage unit 310 can be implemented by one or both of the RAM 200B and HDD 200E described above.
  • the processing unit 320 can be implemented by the CPU 200A described above.
  • the communication unit 330 can be implemented by the network I/F 200D described above. Therefore, the storage unit 310, the processing unit 320, and the communication unit 330 are connected to each other.
  • Storage unit 310 includes information storage unit 311 .
  • the processing unit 320 includes a receiving unit 321 , an auxiliary data recording unit 322 , a proof generating unit 323 and a transmitting unit 324 .
  • the receiving unit 321 receives the second information 20 and stores it in the information storage unit 311. Thereby, the information storage unit 311 stores the second information 20 .
  • the auxiliary data recording section 322 acquires the second information 20 from the information storage section 311 .
  • the auxiliary data recording unit 322 extracts the encrypted secret input, the public input, and another numerical calculation program from the acquired second information 20.
  • FIG. After extracting them, the auxiliary data recording unit 322 puts the encrypted secret input and public input into another numerical calculation program, and records and outputs the auxiliary data obtained during the execution of another numerical calculation program.
  • the separate numerical calculation program since the separate numerical calculation program includes the first decryption processing paired with the first encryption processing, the encrypted secret input is decrypted into the unencrypted secret input inside the separate numerical calculation program. be able to.
  • another numerical calculation program includes the numerical calculation program before modification. Therefore, inside another numerical calculation program, a combination of a secret input and a public input is input to the numerical calculation program, and data obtained during execution of the numerical calculation program is recorded as auxiliary data.
  • the auxiliary data recording unit 322 outputs this auxiliary data.
  • the proof generation unit 323 acquires the second information 20 from the information storage unit 311. After obtaining the second information 20 , the proof generation unit 323 extracts the encrypted secret input, the encrypted secret output, the public input, and the public output from the obtained second information 20 . When the proof generation unit 323 extracts these, the encrypted secret input, the encrypted secret output, the public input, the public output, the auxiliary data output from the auxiliary data recording unit 322, and a known predetermined proof generation method (for example, A proof 30 is generated based on (see Patent Document 1).
  • the transmission unit 324 transmits the proof 30 generated by the proof generation unit 323 to the verifier server 200 .
  • the transmission unit 223 of the verifier server 200 transmits a certification request (step S1).
  • a certification request is information for which certification is requested.
  • the transmission unit 223 transmits a certification request via the communication unit 330, for example, upon detecting access from the prover terminal 100.
  • FIG. Accordingly, the receiving unit 124 of the prover terminal 100 receives the certification request via the communication unit 130 (step S2). Note that the prover terminal 100 can transmit the access to the verifier server 200 when detecting an operation on the input unit (not shown).
  • the encryption unit 121 Upon receiving the certification request, the encryption unit 121 encrypts the secret information (step S3). That is, the encryption unit 121 encrypts the secret input and secret output. After the encryption unit 121 finishes encrypting the secret information, the modification unit 122 modifies the numerical calculation program to another numerical calculation program (step S4). After correcting the numerical calculation program, the transmission unit 123 transmits the first information 10 to the verifier server 200 via the communication unit 130 (step S5).
  • the first information 10 includes public information and another numerical calculation program. As noted above, public information includes public inputs and public outputs. After completing the transmission of the first information 10, the transmission unit 123 transmits the second information 20 to the third party server 300 via the communication unit 130 (step S6).
  • the second information 20 includes public information, another numerical calculation program, and encrypted secret information.
  • the encrypted secret information includes an encrypted secret input and an encrypted secret output.
  • the processing order of the processing in step S5 and the processing in step S6 may be reversed, or may be the same timing.
  • the receiving unit 221 of the verifier server 200 receives the first information 10 via the communication unit 230 (step S7). After receiving the first information 10 , the receiver 221 waits until the proof 30 is received.
  • the receiving section 321 of the third party server 300 receives the second information 20 via the communication section 330 (step S8).
  • the proof generating unit 323 generates the proof 30 (step S9). More specifically, when the receiving unit 321 receives the second information 20, the auxiliary data recording unit 322 records and outputs the auxiliary data, and the proof generating unit 323 stores the auxiliary data, public information, encrypted secret information, and known public information.
  • a proof 30 is generated based on a proof generation technique.
  • the transmission unit 324 transmits the proof 30 to the verifier server 200 via the communication unit 330 (step S10).
  • the receiving unit 221 of the verifier server 200 receives the proof 30 via the communication unit 230 (step S11).
  • the verification unit 222 verifies the validity of the proof 30 (step S12).
  • the transmission unit 223 transmits the verification result via the communication unit 230 (step S13).
  • the receiving unit 124 of the prover terminal 100 receives the verification result via the communication unit 130 (step S14).
  • a display unit (not shown) of the prover terminal 100 may display the verification result.
  • the receiving unit 124 receives the certification request as shown in FIG. 8 (step S21).
  • the encryption unit 121 encrypts the secret input and secret output (step S22). More specifically, the encryption unit 121 acquires the secret input from the information storage unit 111 and acquires the numerical calculation program from the program storage unit 112 .
  • the encryption unit 121 acquires the secret input and the numerical calculation program, as shown in FIG. 9A, the encryption unit 121 puts the secret input into the numerical calculation program and acquires the secret output.
  • the encryption unit 121 obtains the secret output, it encrypts the secret input with the first encryption process and encrypts the secret output with the second encryption process. As a result, encrypted secret input and encrypted secret output are obtained.
  • the encryption unit 121 acquires the public input from the information storage unit 111, and as shown in FIG. Inject public and secret inputs to obtain public outputs.
  • the encryption unit 121 stores the acquired secret output and public output in the information storage unit 111 .
  • the information storage unit 111 stores confidential information including confidential input and confidential output, and stores public information including public input and public output.
  • the modification unit 122 modifies the numerical calculation program into another numerical calculation program (step S23). Specifically, as shown in FIG. 9B, the modifying unit 122 modifies the numerical calculation program into another numerical calculation program including a numerical calculation program, a first decryption program, and a second encryption program. . Note that the first decryption program and the second encryption program may be acquired from the program storage unit 112 by the correction unit 122 .
  • the first decryption program corresponds to the first encryption program
  • the secret input before encryption can be restored from the encrypted secret input. can. Therefore, if a secret input is input to a numerical calculation program inside another numerical calculation program, a secret output corresponding to the secret input can be obtained. Further, within another numerical computation program, when the secret output is fed into a second encryption program, an encrypted secret output can be generated from the secret output. Since the encrypted secret output is generated based on the encrypted secret input, the encrypted secret output and the encrypted secret input maintain the correct input/output relationship. That is, the correct input/output relation between secret input and secret output and the correct input/output relation between encrypted secret output and encrypted secret input are synonymous.
  • the transmission unit 123 transmits the first information 10 to the verifier server 200 (step S24).
  • the first information 10 includes public information (specifically public input and public output) and another numerical calculation program.
  • the transmitter 123 transmits the second information 20 to the third party server 300 (step S25).
  • the second information 20 includes public information, separate numerical calculation programs, and encrypted secret information (encrypted secret input and encrypted secret output).
  • the receiver 124 waits until it receives the verification result.
  • the receiving unit 124 receives the verification result (step S26) and ends the process.
  • the receiving section 321 receives the second information 20 (step S31).
  • the auxiliary data recording unit 322 records and outputs auxiliary data based on the second information 20 (step S32). More specifically, the auxiliary data recording unit 322 inputs the public input and encrypted secret input included in the second information 20 to another numerical calculation program included in the second information 20 .
  • Another numerical calculation program includes a first decoding program. Therefore, of the public input and the encrypted secret input input to another numerical calculation program, the encrypted secret input is independently decrypted into the secret input inside another numerical calculation program. That is, public inputs are immutable inside another numerical computation program.
  • the auxiliary data recording unit 322 inputs the combination of the public input and the decrypted secret input into a numerical calculation program included in another numerical calculation program, and records and outputs auxiliary data obtained during execution of the numerical calculation program.
  • auxiliary data recording unit 322 may separately input the public input and the decrypted secret input into a numerical calculation program included in another numerical calculation program.
  • the auxiliary data may be recorded and output based on the first data obtained during the execution of the public input of the numerical calculation program and the second data obtained during the execution of the secret input of the numerical calculation program. good.
  • the proof generating unit 323 When the auxiliary data recording unit 322 outputs the auxiliary data, the proof generating unit 323 generates the proof 30 (step S33). More specifically, the proof generation unit 323 generates the proof 30 based on the auxiliary data, the public input, the public output, the encrypted secret input, the encrypted secret output, and a known proof generation method. When the proof generating unit 323 generates the proof 30, the sending unit 324 sends the proof 30 to the verifier server 200 (step S34), and ends the process.
  • the transmission unit 223 transmits a certification request (step S41).
  • the receiver 221 waits until the first information 10 is received.
  • the receiving section 221 receives the first information 10 (step S42).
  • the receiver 221 waits until the proof 30 is received.
  • the certification 30 is transmitted from the third party server 300, the receiving unit 221 receives the certification 30 (step S43).
  • the verification unit 222 verifies the validity of the proof 30 (step S44). More specifically, the verification unit 222 generates the proof 30 based on the public input, the public output, and another numerical calculation program included in the first information 10, the proof 30, and a predetermined verification technique provided in the verification unit 222. verify the legitimacy of As a result of verifying the correctness of the proof 30, when the verification unit 222 determines that the proposition is true (step S45: YES), the verification result including true is transmitted to the prover terminal 100 (step S46), and the process is started. finish.
  • proof 30 has been generated based on public input, public output, another numerical computation program, encrypted secret input, and encrypted secret output.
  • the encrypted secret input and the encrypted secret of the proof 30 If the correct input/output relationship of output can be determined, the correct input/output relationship of secret input and secret output can also be determined. In this case, the verification unit 222 determines that the proposition is true. As a result of verifying the validity of the proof 30, when the verification unit 222 determines that the proposition is false (step S45: NO), the verification result including false is transmitted to the prover terminal 100 (step S47), and the process is started. finish.
  • FIG. 12 the same components as those of the prover terminal 100 shown in FIG. 4 are denoted by the same reference numerals, and description thereof will be omitted. Further, in FIG. 13, the same reference numerals are given to the same processes as the processes of the prover terminal 100 shown in FIG. 8, and the description thereof will be omitted.
  • the processing unit 120 according to the second embodiment is different from the processing unit 120 according to the first embodiment in that a random value generation unit 125 is further provided.
  • a random value generator 125 generates a first random value and a second random value. Both the first random value and the second random value are values (specifically, numerical values) randomly specified by the random value generator 125 . That is, both the first random value and the second random value are values randomly specified by the prover terminal 100 .
  • the random value generating unit 125 when the receiving unit 124 receives the certification request in the process of step S21, the random value generating unit 125 generates a first random value and a second random value (step S51). After the random value generator 125 generates the first random value and the second random value, the encryption unit 121 encrypts the secret input based on the first random value (step S52).
  • the encryption unit 121 adds a first random value to the secret input, and encrypts the secret input after the addition by the first encryption process. This generates an encrypted secret input corresponding to the first random value.
  • the encrypted secret input corresponding to the first random value is decrypted by the first decryption process, the secret input to which the first random value is added is restored. Therefore, when returning to the original secret input, the first random value is subtracted from the secret input to which the first random value is added. That is, when encryption is performed by the first encryption process based on the first random value and the secret input, the process of subtracting the first random value must be included in the first decryption process paired with the first encryption process. Just do it.
  • the encryption unit 121 After encrypting the secret input based on the first random value, the encryption unit 121 encrypts the secret output based on the second random value (step S53). As described above, when the secret input after addition of the first random value is encrypted by the first encryption process, the encryption unit 121 adds the second random value to the secret output, and converts the secret output after addition to the second random value. Encrypt by the second encryption process. This generates an encrypted secret output corresponding to the second random value. When the encrypted secret output corresponding to the second random value is decrypted by the second decryption process, the secret output to which the second random value is added is restored. Therefore, when returning to the original secret output, the second random value should be subtracted from the secret output to which the second random value is added. That is, when encryption is performed by the second encryption process based on the second random value and the secret output, the process of subtracting the second random value must be included in the second decryption process paired with the second encryption process. Just do it.
  • the modification unit 122 modifies the numerical calculation program to another numerical calculation program (step S54). Specifically, the modifying unit 122 modifies the numerical calculation program into another numerical calculation program including a numerical calculation program, a first decryption program, and a second encryption program.
  • the first decoding program includes a process of subtracting the first random value.
  • a process of adding a second random value to the second encryption program is included. That is, another numerical calculation program according to the second embodiment is different from another numerical calculation program according to the first embodiment.
  • the transmission unit 123 transmits the first information 10 to the verifier server 200 by the process of step S24.
  • addition of the first random value to the secret input and subtraction of the first random value from the secret input, and addition of the second random value to the secret output and subtraction of the second random value from the secret output are performed. Although described, it is not specifically limited to this example.
  • the secret input is multiplied by the first random value
  • the secret input multiplied by the first random value is divided by the first random value.
  • the secret output is multiplied by the second random value in the second encryption process, and the secret output multiplied by the second random value is divided by the second random value in the second decryption process.
  • the correction unit 122 When correcting the numerical calculation program, the correction unit 122 according to the third embodiment rearranges the order of addition and multiplication across the first decryption program, the numerical calculation program, and the second encryption program, so that the numerical calculation program to another numerical calculation program. That is, the correction unit 122 shuffles by changing the order of calculation described in the first decryption program, the numerical calculation program, and the second encryption program.
  • the first decryption program, the numerical calculation program, and the second encryption program are all programs for calculating polynomials (on a finite field) that are combinations of addition and multiplication. As a result, it is possible to conceal what kind of calculation the first decryption program and the second encryption program perform, and it is possible to improve security against leakage of the secret input and the secret output.
  • the encrypted secret input can be decrypted by the first decryption program, and the encrypted secret output can be decrypted by the second decryption program. Therefore, if the first decryption program leaks to the third party server 300 alone, the third party server 300 can use the first decryption program to decrypt the secret input. Similarly, if the second decryption program is leaked to the third party server 300 alone, the third party server 300 can decrypt the secret output using the second decryption program.
  • the transmission unit 123 simply combines the first decryption program, the numerical calculation program, and the second encryption program in this order to create another numerical calculation program (Fig. 9(b)). )) as part of the second information 20 to the third party server 300 .
  • the third party server 300 can confirm the inside of another numerical calculation program by a technique such as reverse engineering, it may identify the first decryption program and the second encryption program. As a result, highly confidential encrypted secret input and encrypted secret output may be decrypted.
  • the order of the calculations described in the first decryption program, the numerical calculation program, and the second encryption program is changed and shuffled to prevent leakage of secret input and secret output. Safety can be improved.
  • the present invention is not limited to specific embodiments, and various modifications and variations can be made within the scope of the gist of the present invention described in the claims. Change is possible.
  • the proof generation unit 323 generates the proof 30 based on the encrypted secret input, the encrypted secret output, the public input, the public output, another numerical calculation program, and a known proof generation technique. good too.
  • ST information processing system 100 prover terminal 120 processing unit 121 encryption unit 122 correction unit 123 transmission unit 124 reception unit 125 random value generation unit 200 verifier server 300 third party server

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

Provided is an information processing program that causes a computer to execute a process, the process being characterized by comprising: encrypting a secret input that is kept secret by a prover in zero-knowledge proof and input to a numerical calculation program and a secret output from the numerical calculation program by a first encryption process and a second encryption process, respectively; modifying the numerical calculation program into another numerical calculation program including a decryption process associated with the first encryption process, the numerical calculation program, and the second encryption process; transmitting first information including the other numerical calculation program, a public input that is made public by the prover and input to the numerical calculation program, and a public output from the numerical calculation program to a verifier in the zero-knowledge proof; and transmitting second information including the encrypted secret input and secret output, the other numerical calculation program, the public input, and the public output to a third party different from the prover and the verifier, wherein the third party generates a proof for a proposition in the zero-knowledge proof on the basis of the second information and transmits the generated proof to the verifier. 

Description

情報処理プログラム、情報処理方法、及び情報処理装置Information processing program, information processing method, and information processing apparatus
 本件は、情報処理プログラム、情報処理方法、及び情報処理装置に関する。 This case relates to an information processing program, an information processing method, and an information processing device.
 証明者がある命題が真であることを、その命題に関する情報の一部を秘密にしたまま、検証者へ納得させるゼロ知識証明(ZKP:Zero Knowledge Proof)と呼ばれる暗号技術が知られている。ゼロ知識証明では、証明者は証明と呼ばれるデータ(以下、単に証明という)を命題に関する情報から生成し、検証者へ送信する。検証者は送信された証明の正当性を検証する。命題が偽である場合、正当な証明を生成することが確率的に困難であるように設計されている。このため、証明が正当であれば、検証者は命題が真であると納得することができる(例えば非特許文献1参照)。ゼロ知識証明は、暗号資産Zcashやレイヤー2技術zkSyncなどブロックチェーン分野で実用化されている(例えば特許文献1及び2参照)。 A cryptographic technique called Zero Knowledge Proof (ZKP) is known that allows a prover to convince a verifier that a certain proposition is true while keeping part of the information about the proposition secret. In zero-knowledge proof, a prover generates data called proof (hereinafter simply referred to as proof) from information about a proposition and sends it to a verifier. The verifier verifies the validity of the transmitted proof. It is designed to be probabilistically difficult to generate a valid proof if the proposition is false. Therefore, if the proof is valid, the verifier can be convinced that the proposition is true (see Non-Patent Document 1, for example). Zero-knowledge proofs have been put into practical use in the blockchain field, such as the crypto asset Zcash and the layer 2 technology zkSync (see Patent Documents 1 and 2, for example).
 ところで、上述した証明の生成は計算負荷が高く、証明の生成には膨大な計算量が発生する。このため、ハイスペックなコンピュータに比べて比較的メモリ容量や計算能力の小さなスマートフォンなどのデバイスで証明を生成する場合、証明の生成に時間がかかるという問題がある。 By the way, generating the above-mentioned proof has a high computational load, and generates a huge amount of calculations. For this reason, there is a problem that it takes time to generate a proof when using a device such as a smart phone, which has a relatively small memory capacity and computing power compared to a high-spec computer.
 この問題に対処するため、証明の生成を証明者及び検証者のいずれとも異なるワーカーと呼ばれる第三者へ委託することで、証明者の計算量を低減させる技術が提案されている(例えば非特許文献2参照)。一方、証明の生成には証明者が秘密にする入力や出力などの秘密情報も求められるため、第三者への秘密情報の開示につながる可能性がある。すなわち、証明者のプライバシーの問題が生じる可能性がある。このプライバシーの問題に配慮した技術として、秘密分散法を用いた技術が提案されている(例えば非特許文献3参照)。 In order to deal with this problem, a technology has been proposed that reduces the amount of calculation of the prover by entrusting the generation of the proof to a third party called a worker who is different from both the prover and the verifier (for example, non-patented Reference 2). On the other hand, generating a proof also requires confidential information such as inputs and outputs kept secret by the prover, which may lead to disclosure of confidential information to a third party. That is, there is a potential issue of the prover's privacy. As a technology that considers this privacy problem, a technology using a secret sharing method has been proposed (see, for example, Non-Patent Document 3).
特開2021-064891号公報JP 2021-064891 A 米国特許出願公開第2020/0250320号明細書U.S. Patent Application Publication No. 2020/0250320
 しかしながら、秘密分散法を用いた技術の場合、上述したプライバシーの問題をある程度解消できる可能性があるが、以下のような問題が別に生じるおそれがある。例えば、秘密分散法の場合、秘密情報の分散を図るために、複数の第三者に証明の生成を委託することが求められる。この場合、仮に複数の第三者の一定の割合が結託すると、秘密情報が流出するおそれがある。また、非特許文献3によれば、複数の第三者の各計算量は、単一の第三者に証明の生成を委託する場合の計算量と同程度であるため、証明の生成に要する全計算量は第三者の数に比例して増大するおそれもある。 However, in the case of technology using the secret sharing method, it is possible that the above-mentioned privacy problem can be solved to some extent, but the following problems may occur separately. For example, in the case of the secret sharing method, in order to distribute secret information, it is required to entrust generation of certificates to a plurality of third parties. In this case, if a certain percentage of a plurality of third parties collude, there is a risk that confidential information will leak out. In addition, according to Non-Patent Document 3, the amount of calculation for each of multiple third parties is about the same as the amount of calculation when entrusting the generation of proof to a single third party. The total amount of computation can also grow in proportion to the number of third parties.
 そこで、1つの側面では、証明の生成を第三者に委託しても、秘密情報の漏洩を抑制する情報処理プログラム、情報処理方法、及び情報処理装置を提供することを目的とする。 Therefore, in one aspect, it is an object to provide an information processing program, an information processing method, and an information processing apparatus that suppress leakage of confidential information even if generation of a certificate is entrusted to a third party.
 1つの実施態様では、情報処理プログラムは、ゼロ知識証明における証明者が秘密にする数値計算プログラムへの秘密入力と前記数値計算プログラムからの秘密出力をそれぞれ第1暗号化処理と第2暗号化処理で暗号化し、前記数値計算プログラムを、第1暗号化処理と対になる復号化処理と前記数値計算プログラムと前記第2暗号化処理とを含む別の数値計算プログラムに修正し、前記別の数値計算プログラムと前記証明者が公開する前記数値計算プログラムへの公開入力と前記数値計算プログラムからの公開出力とを含む第1情報を、前記ゼロ知識証明における検証者に送信し、暗号化した前記秘密入力及び前記秘密出力と前記別の数値計算プログラムと前記公開入力及び前記公開出力とを含む第2情報を、前記証明者及び前記検証者と異なる第三者に送信する、処理をコンピュータに実行させ、前記第三者が前記第2情報に基づいて前記ゼロ知識証明における命題に関する証明を生成し、生成した前記証明を前記検証者に送信する、ことを特徴とする。 In one embodiment, the information processing program performs a first encryption process and a second encryption process on a secret input to a numerical calculation program and a secret output from the numerical calculation program, which are kept secret by a prover in a zero-knowledge proof, respectively. and modifying the numerical calculation program into another numerical calculation program including decryption processing paired with the first encryption processing, the numerical calculation program, and the second encryption processing, and modifying the numerical calculation program transmitting first information including a calculation program and public input to and public output from said numerical calculation program published by said prover to a verifier in said zero-knowledge proof, and encrypting said secret; causing a computer to execute a process of transmitting second information including the input and the secret output, the separate numerical calculation program, the public input and the public output to a third party different from the prover and the verifier; , the third party generates a proof of the proposition in the zero-knowledge proof based on the second information, and transmits the generated proof to the verifier.
 証明の生成を第三者に委託しても、秘密情報の漏洩を抑制することができる。 Leakage of confidential information can be suppressed even if the generation of certificates is outsourced to a third party.
図1は情報処理システムの一例である。FIG. 1 is an example of an information processing system. 図2は証明者端末のハードウェア構成の一例である。FIG. 2 shows an example of the hardware configuration of the prover terminal. 図3は検証者サーバのハードウェア構成の一例である。FIG. 3 shows an example of the hardware configuration of the verifier server. 図4は証明者端末の機能構成の一例である。FIG. 4 is an example of the functional configuration of the prover terminal. 図5は検証者サーバの機能構成の一例である。FIG. 5 is an example of the functional configuration of the verifier server. 図6は第三者サーバの機能構成の一例である。FIG. 6 is an example of the functional configuration of the third party server. 図7は情報処理システムの処理シーケンス図の一例である。FIG. 7 is an example of a processing sequence diagram of the information processing system. 図8は証明者端末の動作の一例を示すフローチャートである。FIG. 8 is a flow chart showing an example of the operation of the prover terminal. 図9(a)は数値計算プログラムの一例を説明する図である。図9(b)は別の数値計算プログラムの一例を説明する図である。FIG. 9(a) is a diagram for explaining an example of a numerical calculation program. FIG. 9B is a diagram explaining an example of another numerical calculation program. 図10は第三者サーバの動作の一例を示すフローチャートである。FIG. 10 is a flow chart showing an example of the operation of the third party server. 図11は検証者サーバの動作の一例を示すフローチャートである。FIG. 11 is a flow chart showing an example of the operation of the verifier server. 図12は証明者端末の機能構成の他の一例である。FIG. 12 is another example of the functional configuration of the prover terminal. 図13は証明者端末の動作の他の一例を示すフローチャートである。FIG. 13 is a flow chart showing another example of the operation of the prover terminal.
 以下、本件を実施するための形態について図面を参照して説明する。 Hereinafter, the form for carrying out this matter will be described with reference to the drawings.
(第1実施形態)
 図1に示すように、情報処理システムSTは証明者端末100と検証者サーバ200と第三者サーバ300とを備えている。証明者端末100は、情報処理装置の一例であり、ゼロ知識証明における証明者を実現する端末装置である。検証者サーバ200はゼロ知識証明における検証者を実現するサーバ装置である。第三者サーバ300は証明者及び検証者のいずれともと異なる第三者を実現するサーバ装置である。第三者はワーカーと呼ばれることがある。情報処理システムSTは複数の第三者サーバ300を備えておらず、1台の第三者サーバ300を備えている。すなわち、情報処理システムSTは単一の第三者サーバ300を備えている。 (First embodiment)
As shown in FIG. 1 , the information processing system ST includes a prover terminal 100 , a verifier server 200 and a third party server 300 . The prover terminal 100 is an example of an information processing device, and is a terminal device that realizes a prover in zero-knowledge proof. The verifier server 200 is a server device that implements a verifier in zero-knowledge proof. The third party server 300 is a server device that implements a third party that is different from both the prover and the verifier. Third parties are sometimes called workers. The information processing system ST does not include a plurality of third party servers 300, but includes one third party server 300. FIG. That is, the information processing system ST includes a single third party server 300 .
 図1では、証明者端末100の一例としてスマートフォンが示されているが、タブレット端末やPC(Personal Computer)などであってもよい。第三者サーバ300の性能を表す第1性能は証明者端末100の性能を表す第2性能より高くなっている。例えば第三者サーバ300が備えるメモリの容量は証明者端末100が備えるメモリの容量より高くなっている。また、第三者サーバ300が備えるプロセッサのコア数やクロック周波数は証明者端末100が備えるプロセッサのコア数やクロック周波数より高くなっている。このように、第三者サーバ300は証明者端末100より高性能である。なお、検証者サーバ200の性能を表す第3性能は第2性能と同程度であってもよいし、第2性能より高く第1性能より低くてもよい。 Although a smartphone is shown as an example of the prover terminal 100 in FIG. 1, it may be a tablet terminal or a PC (Personal Computer). The first performance representing the performance of the third party server 300 is higher than the second performance representing the performance of the prover terminal 100 . For example, the memory capacity of the third party server 300 is higher than the memory capacity of the prover terminal 100 . Further, the number of cores and the clock frequency of the processor provided in the third party server 300 are higher than the number of cores and the clock frequency of the processor provided in the prover terminal 100 . Thus, the third party server 300 has higher performance than the prover terminal 100. FIG. The third performance representing the performance of the verifier server 200 may be approximately the same as the second performance, or may be higher than the second performance and lower than the first performance.
 証明者端末100、検証者サーバ200、及び第三者サーバ300は互いに接続されている。より詳しくは、証明者端末100、検証者サーバ200、及び第三者サーバ300は無線通信ネットワークNW1、携帯基地局BS、及び有線通信ネットワークNW2を介して接続されている。例えば、携帯基地局BSの通信可能領域AR内に証明者端末100が含まれていれば、証明者端末100は無線通信ネットワークNW1、携帯基地局BS、及び有線通信ネットワークNW2を介して検証者サーバ200及び第三者サーバ300と接続することができる。なお、無線通信ネットワークNW1としては例えばLTE(Long Term Evolution)などを利用した通信ネットワークがある。有線通信ネットワークNW2としては例えばLAN(Local Area Network)やインターネットなどの通信ネットワークがある。 The prover terminal 100, the verifier server 200, and the third party server 300 are connected to each other. More specifically, the prover terminal 100, the verifier server 200, and the third party server 300 are connected via a wireless communication network NW1, a mobile base station BS, and a wired communication network NW2. For example, if the certifier terminal 100 is included in the communicable area AR of the mobile base station BS, the certifier terminal 100 is connected to the verifier server via the wireless communication network NW1, the mobile base station BS, and the wired communication network NW2. 200 and third party servers 300 . As the wireless communication network NW1, for example, there is a communication network using LTE (Long Term Evolution). The wired communication network NW2 includes communication networks such as LAN (Local Area Network) and the Internet.
 証明者端末100は、例えば検証者サーバ200からゼロ知識証明における証明が要求されると、第1情報10を検証者サーバ200に送信する。詳細は後述するが、第1情報10は、ゼロ知識証明における命題に関する情報の一部が公開された公開情報を含んでいる。本実施形態では、一例として、数値計算プログラムの正しい入力と出力(具体的には入力と出力の入出力関係)を証明者端末100が知っていることを命題として採用している。公開情報は公開入力と公開出力を含んでいる。公開入力は証明者端末100が公開する数値計算プログラムへの入力である。公開出力は証明者端末100が公開する数値計算プログラムからの出力である。公開入力及び公開出力はいずれもゼロ知識証明における命題に関する情報の一部が公開されている。第1情報10は公開情報以外にも、数値計算プログラムを修正した別の数値計算プログラムも含んでいる。 The prover terminal 100 transmits the first information 10 to the verifier server 200 when, for example, the verifier server 200 requests proof in the zero-knowledge proof. Although the details will be described later, the first information 10 includes public information in which a part of the information regarding the proposition in the zero-knowledge proof is made public. In this embodiment, as an example, the proposition is that the prover terminal 100 knows the correct input and output (specifically, the input/output relationship between input and output) of the numerical calculation program. Public information includes public inputs and public outputs. A public input is an input to a numerical calculation program that the prover terminal 100 makes public. A public output is an output from a numerical calculation program that the prover terminal 100 makes public. Both the public input and the public output are part of the information about the proposition in the zero-knowledge proof. The first information 10 includes, in addition to public information, another numerical calculation program modified from the numerical calculation program.
 また、証明者端末100は、証明が要求されると、第2情報20を第三者サーバ300に送信する。詳細は後述するが、第2情報20は、上述した公開情報及び別の数値計算プログラムに加え、ゼロ知識証明における命題に関する情報の残部が秘密にされて暗号化された暗号化済秘密情報を含んでいる。暗号化済秘密情報は暗号化済秘密入力と暗号化済秘密出力を含んでいる。暗号化済秘密入力は第1暗号化処理で暗号化した秘密入力である。暗号化済秘密出力は第2暗号化処理で暗号化した秘密出力である。第1暗号化処理と第2暗号化処理は相違する。秘密入力は証明者端末100が秘密にする数値計算プログラムへの入力である。秘密出力は証明者端末100が秘密にする数値計算プログラムからの出力である。秘密入力及び秘密出力はいずれもゼロ知識証明における命題に関する情報の残部が秘密にされている。 Also, the prover terminal 100 transmits the second information 20 to the third party server 300 when the proof is requested. Although the details will be described later, the second information 20 includes the above-described public information and another numerical calculation program, as well as encrypted secret information in which the rest of the information related to the proposition in the zero-knowledge proof is kept secret and encrypted. I'm in. The encrypted secret information includes an encrypted secret input and an encrypted secret output. The encrypted secret input is the secret input encrypted in the first encryption process. The encrypted secret output is the secret output encrypted in the second encryption process. The first encryption process and the second encryption process are different. A secret input is an input to a numerical calculation program that is kept secret by the prover terminal 100 . The secret output is the output from the numerical calculation program that the prover terminal 100 keeps secret. Both secret input and secret output keep the rest of the information about the proposition in the zero-knowledge proof secret.
 第三者サーバ300は証明者端末100から送信された第2情報20を受信すると、受信した第2情報20に基づいてゼロ知識証明における命題に関する証明30を生成し、生成した証明30を検証者サーバ200に送信する。検証者サーバ200は、証明者端末100から送信された第1情報10と、第三者サーバ300から送信された証明30とに基づいて、証明30の正当性を検証する。 When the third party server 300 receives the second information 20 transmitted from the prover terminal 100, the third party server 300 generates a proof 30 related to the proposition in the zero-knowledge proof based on the received second information 20, and sends the generated proof 30 to the verifier. Send to server 200 . The verifier server 200 verifies the validity of the proof 30 based on the first information 10 sent from the prover terminal 100 and the proof 30 sent from the third party server 300 .
 検証者サーバ200は、証明30の正当性を検証し終えると、命題の正当性に関する検証結果を証明者端末100に送信する。これにより、証明者端末100は検証結果を受信する。例えば、検証者サーバ200は、証明30の正当性を検証した結果、命題が真であると判断した場合、命題の正当性に関する結果として真を含む検証結果を送信する。逆に、検証者サーバ200は、証明30の正当性を検証した結果、命題が偽であると判断した場合、命題の正当性に関する結果として偽を含む検証結果を送信する。 After verifying the correctness of the proof 30, the verifier server 200 sends the verification result regarding the correctness of the proposition to the prover terminal 100. Accordingly, the prover terminal 100 receives the verification result. For example, when the verifier server 200 determines that the proposition is true as a result of verifying the validity of the proof 30, the verifier server 200 transmits a verification result including true as a result of the validity of the proposition. Conversely, when the verifier server 200 determines that the proposition is false as a result of verifying the validity of the proof 30, the verifier server 200 transmits a verification result including false as a result of the validity of the proposition.
 このように、証明者端末100は、証明を生成する処理を第三者サーバ300に委託することができる。証明者端末100が実行する計算は主として秘密情報(具体的には秘密入力と秘密出力)の暗号化である。暗号化は証明を生成する際に発生する計算量に比べて非常に小さいため、証明者端末100にかかる計算負荷(例えば計算量など)を低減することができる。 In this way, the prover terminal 100 can entrust the third-party server 300 with the process of generating the proof. The calculations executed by the prover terminal 100 are mainly encryption of secret information (specifically, secret input and secret output). Since encryption is much smaller than the amount of calculation that occurs when generating a proof, the calculation load (for example, the amount of calculation) on the prover terminal 100 can be reduced.
 一方、第三者サーバ300には暗号化済秘密情報(具体的には暗号化済秘密入力と暗号化済秘密出力)が開示されるにすぎず、第三者サーバ300への攻撃が発生しても秘密情報が漏洩する危険性が少ない。また、第三者サーバ300において不正な処理が発生しても、同様に、秘密情報が漏洩する危険性が少ない。さらに、秘密分散法を用いた場合、複数台の第三者サーバ300を採用することにより証明を生成する処理に係る計算量が台数に比例するが(例えば非特許文献3参照)、1台の第三者サーバ300を採用すればよいため、証明者端末100が自身で証明を生成する場合とほぼ同じである。 On the other hand, only the encrypted secret information (specifically, encrypted secret input and encrypted secret output) is disclosed to the third party server 300, and an attack on the third party server 300 occurs. However, there is little risk of confidential information being leaked. Also, even if unauthorized processing occurs in the third party server 300, there is little risk of leakage of confidential information. Furthermore, when the secret sharing method is used, the amount of calculation related to the process of generating the proof is proportional to the number of servers (see, for example, Non-Patent Document 3) by adopting a plurality of third-party servers 300. Since the third-party server 300 may be used, this is almost the same as when the prover terminal 100 generates the proof by itself.
 図2を参照して、証明者端末100のハードウェア構成について説明する。 The hardware configuration of the prover terminal 100 will be described with reference to FIG.
 証明者端末100は、プロセッサとしてのCPU(Central Processing Unit)100Aと、メモリとしてのRAM(Random Access Memory)100B、ROM(Read Only Memory)100C、及びNVM(Non-Volatile Memory)100Dとを含んでいる。また、証明者端末100は、RF(Radio Frequency)回路100Eと、加速度センサ100Fと、カメラ100Gとを含んでいる。RF回路100Eにはアンテナ100Nが接続されている。RF回路100Eに代えて通信機能を実現するCPU(不図示)が利用されてもよい。カメラ100GはCMOS(Complementary Metal Oxide Semiconductor)やCCD(Charge Coupled Device)といった画像センサを含んでいる。 The prover terminal 100 includes a CPU (Central Processing Unit) 100A as a processor, RAM (Random Access Memory) 100B, ROM (Read Only Memory) 100C, and NVM (Non-Volatile Memory) 100D as memories. there is The prover terminal 100 also includes an RF (Radio Frequency) circuit 100E, an acceleration sensor 100F, and a camera 100G. An antenna 100N is connected to the RF circuit 100E. A CPU (not shown) that implements a communication function may be used instead of the RF circuit 100E. The camera 100G includes an image sensor such as CMOS (Complementary Metal Oxide Semiconductor) or CCD (Charge Coupled Device).
 さらに、証明者端末100は、入力部としてのタッチパネル100Hと、表示部としてのディスプレイ100Iと、スピーカ100Jとを含んでいる。CPU100Aからスピーカ100Jまでは、内部バス100Kによって互いに接続されている。すなわち、証明者端末100はスマートフォンやタブレット端末といったスマートデバイス、PCを含むコンピュータによって実現することができる。 Furthermore, the prover terminal 100 includes a touch panel 100H as an input unit, a display 100I as a display unit, and a speaker 100J. The CPU 100A to the speaker 100J are interconnected by an internal bus 100K. That is, the prover terminal 100 can be realized by a smart device such as a smart phone or a tablet terminal, or a computer including a PC.
 RAM100Bには、ROM100CやNVM100Dに記憶された情報処理プログラムがCPU100Aによって格納される。格納された情報処理プログラムをCPU100Aが実行することにより、CPU100Aは後述する各種の機能を実現し、後述する各種の処理を実行する。このように、CPU100AとRAM100Bとが協働することによってコンピュータを実現することができる。また、CPU100Aが各種の処理を実行することにより、情報処理方法を実現することができる。なお、情報処理プログラムは後述するフローチャートに応じたものとすればよい。 The information processing programs stored in the ROM 100C and NVM 100D are stored in the RAM 100B by the CPU 100A. As the CPU 100A executes the stored information processing program, the CPU 100A realizes various functions described later and executes various processes described later. In this way, a computer can be realized by cooperation of the CPU 100A and the RAM 100B. Moreover, an information processing method can be realized by the CPU 100A executing various kinds of processing. The information processing program may correspond to a flow chart described later.
 図3を参照して、検証者サーバ200のハードウェア構成について説明する。なお、第三者サーバ300のハードウェア構成は基本的に検証者サーバ200のハードウェア構成と同様であるため、詳細な説明は省略する。 The hardware configuration of the verifier server 200 will be described with reference to FIG. Note that the hardware configuration of the third party server 300 is basically the same as the hardware configuration of the verifier server 200, so detailed description thereof will be omitted.
 検証者サーバ200は、CPU200A、RAM200B、ROM200C及びネットワークI/F(インタフェース)200Dを含んでいる。検証者サーバ200は、必要に応じて、HDD(Hard Disk Drive)200E、入力I/F200F、出力I/F200G、入出力I/F200H、ドライブ装置200Iの少なくとも1つを含んでいてもよい。CPU200Aからドライブ装置200Iまでは、内部バス200Jによって互いに接続されている。 The verifier server 200 includes a CPU 200A, a RAM 200B, a ROM 200C, and a network I/F (interface) 200D. Verifier server 200 may include at least one of HDD (Hard Disk Drive) 200E, input I/F 200F, output I/F 200G, input/output I/F 200H, and drive device 200I, if necessary. The CPU 200A to the drive device 200I are interconnected by an internal bus 200J.
 入力I/F200Fには、入力装置710が接続される。入力装置710としては、例えばキーボードやマウスなどがある。出力I/F200Gには、表示装置720が接続される。表示装置720としては、例えば液晶ディスプレイがある。入出力I/F200Hには、半導体メモリ730が接続される。半導体メモリ730としては、例えばUSB(Universal Serial Bus)メモリやフラッシュメモリなどがある。入出力I/F200Hは、半導体メモリ730に記憶されたプログラムを読み取る。入力I/F200F及び入出力I/F200Hは、例えばUSBポートを備えている。出力I/F200Gは、例えばディスプレイポートを備えている。 An input device 710 is connected to the input I/F 200F. The input device 710 includes, for example, a keyboard and a mouse. A display device 720 is connected to the output I/F 200G. The display device 720 is, for example, a liquid crystal display. A semiconductor memory 730 is connected to the input/output I/F 200H. Examples of the semiconductor memory 730 include USB (Universal Serial Bus) memory and flash memory. The input/output I/F 200H reads programs stored in the semiconductor memory 730 . The input I/F 200F and the input/output I/F 200H are provided with USB ports, for example. The output I/F 200G has, for example, a display port.
 ドライブ装置200Iには、可搬型記録媒体740が挿入される。可搬型記録媒体740としては、例えばCD(Compact Disc)-ROM、DVD(Digital Versatile Disc)といったリムーバブルディスクがある。ドライブ装置200Iは、可搬型記録媒体740に記録されたプログラムを読み込む。ネットワークI/F200Dは、例えばLANポートを備えている。ネットワークI/F200Dは上述した有線通信ネットワークNW2と接続される。 A portable recording medium 740 is inserted into the drive device 200I. Portable recording media 740 include removable discs such as CD (Compact Disc)-ROM and DVD (Digital Versatile Disc). Drive device 200I reads a program recorded on portable recording medium 740 . The network I/F 200D has, for example, a LAN port. A network I/F 200D is connected to the above-described wired communication network NW2.
 上述したRAM200Bには、ROM200CやHDD200Eに記憶されたプログラムがCPU200Aによって格納される。RAM200Bには、可搬型記録媒体740に記録されたプログラムがCPU200Aによって格納される。格納されたプログラムをCPU200Aが実行することにより、後述する各種の機能が実現され、また、後述する各種の処理が実行される。なお、プログラムは後述するフローチャートに応じたものとすればよい。 The programs stored in the ROM 200C and HDD 200E are stored in the RAM 200B described above by the CPU 200A. The program recorded on the portable recording medium 740 is stored in the RAM 200B by the CPU 200A. When the CPU 200A executes the stored programs, various functions described later are realized, and various processes described later are executed. Note that the program may correspond to a flow chart described later.
 図4を参照して、証明者端末100の機能構成について説明する。なお、図4では証明者端末100の機能の要部が示されている。 The functional configuration of the prover terminal 100 will be described with reference to FIG. Note that FIG. 4 shows the essential functions of the prover terminal 100 .
 図4に示すように、証明者端末100は記憶部110、処理部120、及び通信部130を含んでいる。記憶部110は上述したRAM100BとNVM100Dの一方又は両方によって実現することができる。処理部120は上述したCPU100Aによって実現することができる。通信部130は上述したRF回路100E及びアンテナ100Nによって実現することができる。したがって、記憶部110、処理部120、及び通信部130は互いに接続されている。記憶部110は情報記憶部111とプログラム記憶部112とを含んでいる。処理部120は暗号化部121と修正部122と送信部123と受信部124とを含んでいる。 As shown in FIG. 4, the prover terminal 100 includes a storage unit 110, a processing unit 120, and a communication unit . The storage unit 110 can be implemented by one or both of the RAM 100B and NVM 100D described above. The processing unit 120 can be realized by the CPU 100A described above. The communication unit 130 can be realized by the RF circuit 100E and the antenna 100N described above. Therefore, the storage unit 110, the processing unit 120, and the communication unit 130 are connected to each other. Storage unit 110 includes information storage unit 111 and program storage unit 112 . The processing unit 120 includes an encryption unit 121 , a correction unit 122 , a transmission unit 123 and a reception unit 124 .
 情報記憶部111は公開情報と秘密情報とを記憶する。公開情報はゼロ知識証明における命題に関する情報の一部が公開された情報である。本実施形態における公開情報は、証明者端末100が公開する数値計算プログラムへの入力である公開入力を含んでいる。また、本実施形態における公開情報は公開入力に対する数値計算プログラムからの出力である公開出力を含んでいる。一方、秘密情報はゼロ知識証明における命題に関する情報の残部が秘密にされた情報である。本実施形態における秘密情報は証明者端末100が秘密にする数値計算プログラムへの入力である秘密入力を含んでいる。また、本実施形態における秘密情報は秘密入力に対する数値計算プログラムからの出力である秘密出力を含んでいる。 The information storage unit 111 stores public information and confidential information. Public information is information in which a part of the information about the proposition in the zero-knowledge proof is made public. The public information in this embodiment includes public input that is input to the numerical calculation program that the prover terminal 100 makes public. Also, the public information in this embodiment includes public output, which is the output from the numerical calculation program in response to the public input. Confidential information, on the other hand, is information in which the rest of the information about the proposition in the zero-knowledge proof is kept secret. Confidential information in this embodiment includes a secret input which is an input to a numerical calculation program kept secret by the prover terminal 100 . Also, the secret information in this embodiment includes a secret output which is an output from the numerical calculation program in response to the secret input.
 プログラム記憶部112は種々のプログラムを記憶する。例えば、プログラム記憶部112は上述した数値計算プログラムを記憶する。数値計算プログラムは、例えばf(x,y)=x+y+xyといった加算と乗算を組み合わせた多項式を含んでいる。数値計算プログラムとしては例えばハッシュ関数計算プログラムなどであってもよい。そのほか、プログラム記憶部112は第1暗号化処理を実現する第1暗号化プログラム、及び第1暗号化処理と対になる第1復号化処理を実現する第1復号化プログラムを含んでいる。また、プログラム記憶部112は第2暗号化処理を実現する第2暗号化プログラム、及び第2暗号化処理と対になる第2復号化処理を実現する第2復号化プログラムを含んでいる。 The program storage unit 112 stores various programs. For example, the program storage unit 112 stores the numerical calculation program described above. Numerical programs include polynomials combining additions and multiplications, for example f(x,y)=x 2 +y 3 +xy. The numerical calculation program may be, for example, a hash function calculation program. In addition, the program storage unit 112 includes a first encryption program that implements the first encryption process, and a first decryption program that implements the first decryption process paired with the first encryption process. The program storage unit 112 also contains a second encryption program that implements the second encryption process, and a second decryption program that implements the second decryption process paired with the second encryption process.
 暗号化部121は秘密入力を第1暗号化処理で暗号化し、秘密出力を第2暗号化処理で暗号化する。修正部122は数値計算プログラムを、第1復号化処理と数値計算プログラムと第2暗号化処理の組合せを含む別の数値計算プログラムに修正する。送信部123は第1情報10を検証者サーバ200に送信し、第2情報を第三者サーバ300に送信する。受信部124は第1情報10と証明30とに基づいて検証者サーバ200によって検証された命題の正当性に関する検証結果を検証者サーバ200から受信する。 The encryption unit 121 encrypts the secret input with the first encryption process and encrypts the secret output with the second encryption process. The modifying unit 122 modifies the numerical calculation program into another numerical calculation program including a combination of the first decryption process, the numerical calculation program and the second encryption process. The transmitting unit 123 transmits the first information 10 to the verifier server 200 and the second information to the third party server 300 . The receiving unit 124 receives from the verifier server 200 a verification result regarding the correctness of the proposition verified by the verifier server 200 based on the first information 10 and the proof 30 .
 図5を参照して、検証者サーバ200の機能構成について説明する。なお、図5では検証者サーバ200の機能の要部が示されている。 The functional configuration of the verifier server 200 will be described with reference to FIG. Note that FIG. 5 shows the essential functions of the verifier server 200 .
 図5に示すように、検証者サーバ200は記憶部210、処理部220、及び通信部230を含んでいる。記憶部210は上述したRAM200BとHDD200Eの一方又は両方によって実現することができる。処理部220は上述したCPU200Aによって実現することができる。通信部230は上述したネットワークI/F200Dによって実現することができる。したがって、記憶部210、処理部220、及び通信部230は互いに接続されている。記憶部210は情報記憶部211を含んでいる。処理部220は受信部221と検証部222と送信部223とを含んでいる。 As shown in FIG. 5, the verifier server 200 includes a storage unit 210, a processing unit 220, and a communication unit 230. The storage unit 210 can be realized by one or both of the RAM 200B and HDD 200E described above. The processing unit 220 can be realized by the CPU 200A described above. The communication unit 230 can be implemented by the network I/F 200D described above. Therefore, the storage unit 210, the processing unit 220, and the communication unit 230 are connected to each other. Storage unit 210 includes information storage unit 211 . The processing unit 220 includes a receiving unit 221 , a verification unit 222 and a transmitting unit 223 .
 受信部221は第1情報10と証明30を独立して受信し、情報記憶部211に保存する。これにより、情報記憶部211は第1情報10と証明30を記憶する。検証部222は、情報記憶部211から第1情報10と証明30とを取得し、取得した第1情報10と証明30と公知である所定の検証手法(例えば特許文献1参照)とに基づいて、命題の正当性を検証する。送信部223は、命題の正当性に関する検証結果を証明者端末100に送信する。例えば、検証部222が証明30の正当性を検証した結果、命題が真であると判断した場合、命題の正当性に関する結果として真を含む検証結果を送信する。逆に、検証部222が証明30の正当性を検証した結果、命題が偽であると判断した場合、命題の正当性に関する結果として偽を含む検証結果を送信する。 The receiving unit 221 independently receives the first information 10 and the proof 30 and stores them in the information storage unit 211 . Thereby, the information storage unit 211 stores the first information 10 and the proof 30 . The verification unit 222 acquires the first information 10 and the proof 30 from the information storage unit 211, and based on the acquired first information 10 and the proof 30 and a known predetermined verification method (for example, see Patent Document 1) , to verify the correctness of the proposition. The transmitting unit 223 transmits the verification result regarding the correctness of the proposition to the prover terminal 100 . For example, when the verification unit 222 verifies the validity of the proof 30 and determines that the proposition is true, it transmits a verification result including true as a result of the validity of the proposition. Conversely, when the verifier 222 verifies the validity of the proof 30 and determines that the proposition is false, it transmits a verification result including false as a result of the validity of the proposition.
 図6を参照して、第三者サーバ300の機能構成について説明する。なお、図6では第三者サーバ300の機能の要部が示されている。 The functional configuration of the third party server 300 will be described with reference to FIG. Note that FIG. 6 shows the essential functions of the third party server 300 .
 図6に示すように、第三者サーバ300は記憶部310、処理部320、及び通信部330を含んでいる。記憶部310は上述したRAM200BとHDD200Eの一方又は両方によって実現することができる。処理部320は上述したCPU200Aによって実現することができる。通信部330は上述したネットワークI/F200Dによって実現することができる。したがって、記憶部310、処理部320、及び通信部330は互いに接続されている。記憶部310は情報記憶部311を含んでいる。処理部320は受信部321と補助データ記録部322と証明生成部323と送信部324とを含んでいる。 As shown in FIG. 6, the third party server 300 includes a storage unit 310, a processing unit 320, and a communication unit 330. The storage unit 310 can be implemented by one or both of the RAM 200B and HDD 200E described above. The processing unit 320 can be implemented by the CPU 200A described above. The communication unit 330 can be implemented by the network I/F 200D described above. Therefore, the storage unit 310, the processing unit 320, and the communication unit 330 are connected to each other. Storage unit 310 includes information storage unit 311 . The processing unit 320 includes a receiving unit 321 , an auxiliary data recording unit 322 , a proof generating unit 323 and a transmitting unit 324 .
 受信部321は第2情報20を受信し、情報記憶部311に保存する。これにより、情報記憶部311は第2情報20を記憶する。補助データ記録部322は情報記憶部311から第2情報20を取得する。補助データ記録部322は第2情報20を取得すると、取得した第2情報20から暗号化済秘密入力と公開入力と別の数値計算プログラムを抽出する。補助データ記録部322は、これらを抽出すると、暗号化済秘密入力と公開入力を別の数値計算プログラムに投入し、別の数値計算プログラムの実行途中に得られる補助データを記録して出力する。 The receiving unit 321 receives the second information 20 and stores it in the information storage unit 311. Thereby, the information storage unit 311 stores the second information 20 . The auxiliary data recording section 322 acquires the second information 20 from the information storage section 311 . When the auxiliary data recording unit 322 acquires the second information 20, it extracts the encrypted secret input, the public input, and another numerical calculation program from the acquired second information 20. FIG. After extracting them, the auxiliary data recording unit 322 puts the encrypted secret input and public input into another numerical calculation program, and records and outputs the auxiliary data obtained during the execution of another numerical calculation program.
 ここで、別の数値計算プログラムは第1暗号化処理の対となる第1復号化処理を含むため、別の数値計算プログラムの内部で暗号化済秘密入力を暗号化前の秘密入力に復号することができる。また、別の数値計算プログラムは修正前の数値計算プログラムも含んでいる。したがって、別の数値計算プログラムの内部では秘密入力と公開入力の組合せが数値計算プログラムに入力され、数値計算プログラムの実行途中に得られるデータが補助データとして記録される。補助データ記録部322はこの補助データを出力する。 Here, since the separate numerical calculation program includes the first decryption processing paired with the first encryption processing, the encrypted secret input is decrypted into the unencrypted secret input inside the separate numerical calculation program. be able to. Also, another numerical calculation program includes the numerical calculation program before modification. Therefore, inside another numerical calculation program, a combination of a secret input and a public input is input to the numerical calculation program, and data obtained during execution of the numerical calculation program is recorded as auxiliary data. The auxiliary data recording unit 322 outputs this auxiliary data.
 証明生成部323は情報記憶部311から第2情報20を取得する。証明生成部323は第2情報20を取得すると、取得した第2情報20から暗号化済秘密入力と暗号化済秘密出力と公開入力と公開出力を抽出する。証明生成部323はこれらを抽出すると、暗号化済秘密入力と暗号化済秘密出力と公開入力と公開出力と補助データ記録部322から出力された補助データと公知である所定の証明生成手法(例えば特許文献1参照)とに基づいて、証明30を生成する。送信部324は、証明生成部323が生成した証明30を検証者サーバ200に送信する。 The proof generation unit 323 acquires the second information 20 from the information storage unit 311. After obtaining the second information 20 , the proof generation unit 323 extracts the encrypted secret input, the encrypted secret output, the public input, and the public output from the obtained second information 20 . When the proof generation unit 323 extracts these, the encrypted secret input, the encrypted secret output, the public input, the public output, the auxiliary data output from the auxiliary data recording unit 322, and a known predetermined proof generation method (for example, A proof 30 is generated based on (see Patent Document 1). The transmission unit 324 transmits the proof 30 generated by the proof generation unit 323 to the verifier server 200 .
 図7を参照して、情報処理システムSTの処理シーケンスについて説明する。 A processing sequence of the information processing system ST will be described with reference to FIG.
 図7に示すように、検証者サーバ200の送信部223は証明要求を送信する(ステップS1)。証明要求は証明を要求する情報である。送信部223は、例えば証明者端末100からのアクセスを検出すると、通信部330を介して証明要求を送信する。これにより、証明者端末100の受信部124は、通信部130を介して、証明要求を受信する(ステップS2)。なお、証明者端末100は入力部(不図示)に対する操作を検出すると、上記アクセスを検証者サーバ200に送信することができる。 As shown in FIG. 7, the transmission unit 223 of the verifier server 200 transmits a certification request (step S1). A certification request is information for which certification is requested. The transmission unit 223 transmits a certification request via the communication unit 330, for example, upon detecting access from the prover terminal 100. FIG. Accordingly, the receiving unit 124 of the prover terminal 100 receives the certification request via the communication unit 130 (step S2). Note that the prover terminal 100 can transmit the access to the verifier server 200 when detecting an operation on the input unit (not shown).
 証明要求を受信すると、暗号化部121は秘密情報を暗号化する(ステップS3)。すなわち、暗号化部121は秘密入力と秘密出力を暗号化する。暗号化部121が秘密情報を暗号化し終えると、修正部122は数値計算プログラムを別の数値計算プログラムに修正する(ステップS4)。数値計算プログラムを修正し終えると、送信部123は、通信部130を介して、第1情報10を検証者サーバ200に送信する(ステップS5)。第1情報10は公開情報と別の数値計算プログラムを含んでいる。上述したように、公開情報は公開入力と公開出力を含んでいる。第1情報10を送信し終えると、送信部123は、通信部130を介して、第2情報20を第三者サーバ300に送信する(ステップS6)。第2情報20は公開情報と別の数値計算プログラムと暗号化済秘密情報を含んでいる。上述したように、暗号化済秘密情報は暗号化済秘密入力と暗号化済秘密出力を含んでいる。なお、ステップS5の処理とステップS6の処理の処理順序は逆であってもよいし、同じタイミングであってもよい。 Upon receiving the certification request, the encryption unit 121 encrypts the secret information (step S3). That is, the encryption unit 121 encrypts the secret input and secret output. After the encryption unit 121 finishes encrypting the secret information, the modification unit 122 modifies the numerical calculation program to another numerical calculation program (step S4). After correcting the numerical calculation program, the transmission unit 123 transmits the first information 10 to the verifier server 200 via the communication unit 130 (step S5). The first information 10 includes public information and another numerical calculation program. As noted above, public information includes public inputs and public outputs. After completing the transmission of the first information 10, the transmission unit 123 transmits the second information 20 to the third party server 300 via the communication unit 130 (step S6). The second information 20 includes public information, another numerical calculation program, and encrypted secret information. As noted above, the encrypted secret information includes an encrypted secret input and an encrypted secret output. The processing order of the processing in step S5 and the processing in step S6 may be reversed, or may be the same timing.
 第1情報10が送信されると、検証者サーバ200の受信部221は通信部230を介して第1情報10を受信する(ステップS7)。第1情報10を受信すると、受信部221は証明30を受信するまで待機する。第2情報20が送信されると、第三者サーバ300の受信部321は通信部330を介して第2情報20を受信する(ステップS8)。受信部321が第2情報20を受信すると、証明生成部323は証明30を生成する(ステップS9)。より詳しくは、受信部321が第2情報20を受信すると、補助データ記録部322が補助データを記録して出力し、証明生成部323が補助データと公開情報と暗号化済秘密情報と公知の証明生成手法とに基づいて、証明30を生成する。証明生成部323が証明30を生成すると、送信部324は通信部330を介して証明30を検証者サーバ200に送信する(ステップS10)。 When the first information 10 is transmitted, the receiving unit 221 of the verifier server 200 receives the first information 10 via the communication unit 230 (step S7). After receiving the first information 10 , the receiver 221 waits until the proof 30 is received. When the second information 20 is transmitted, the receiving section 321 of the third party server 300 receives the second information 20 via the communication section 330 (step S8). When the receiving unit 321 receives the second information 20, the proof generating unit 323 generates the proof 30 (step S9). More specifically, when the receiving unit 321 receives the second information 20, the auxiliary data recording unit 322 records and outputs the auxiliary data, and the proof generating unit 323 stores the auxiliary data, public information, encrypted secret information, and known public information. A proof 30 is generated based on a proof generation technique. When the proof generation unit 323 generates the proof 30, the transmission unit 324 transmits the proof 30 to the verifier server 200 via the communication unit 330 (step S10).
 証明30が送信されると、検証者サーバ200の受信部221は通信部230を介して証明30を受信する(ステップS11)。受信部221が証明30を受信すると、検証部222は証明30の正当性を検証する(ステップS12)。検証部222が証明30の正当性を検証し終えると、送信部223は通信部230を介して検証結果を送信する(ステップS13)。検証結果が送信されると、証明者端末100の受信部124は通信部130を介して検証結果を受信する(ステップS14)。なお、証明者端末100の表示部(不図示)は検証結果を表示してもよい。 When the proof 30 is transmitted, the receiving unit 221 of the verifier server 200 receives the proof 30 via the communication unit 230 (step S11). When the receiving unit 221 receives the proof 30, the verification unit 222 verifies the validity of the proof 30 (step S12). After the verification unit 222 has verified the validity of the proof 30, the transmission unit 223 transmits the verification result via the communication unit 230 (step S13). When the verification result is transmitted, the receiving unit 124 of the prover terminal 100 receives the verification result via the communication unit 130 (step S14). A display unit (not shown) of the prover terminal 100 may display the verification result.
 図8及び図9を参照して、証明者端末100が実行する処理の詳細について説明する。 Details of the processing executed by the prover terminal 100 will be described with reference to FIGS.
 上述したように、検証者サーバ200から証明要求が送信されると、図8に示すように、受信部124は証明要求を受信する(ステップS21)。受信部124が証明要求を受信すると、暗号化部121は秘密入力と秘密出力を暗号化する(ステップS22)。より詳しくは、暗号化部121は情報記憶部111から秘密入力を取得し、プログラム記憶部112から数値計算プログラムを取得する。暗号化部121は秘密入力と数値計算プログラムを取得すると、図9(a)に示すように、数値計算プログラムに秘密入力を投入して秘密出力を獲得する。暗号化部121は秘密出力を獲得すると、秘密入力を第1暗号化処理で暗号化し、秘密出力を第2暗号化処理で暗号化する。これにより、暗号化済秘密入力と暗号化済秘密出力を得る。 As described above, when a certification request is transmitted from the verifier server 200, the receiving unit 124 receives the certification request as shown in FIG. 8 (step S21). When the receiving unit 124 receives the certification request, the encryption unit 121 encrypts the secret input and secret output (step S22). More specifically, the encryption unit 121 acquires the secret input from the information storage unit 111 and acquires the numerical calculation program from the program storage unit 112 . When the encryption unit 121 acquires the secret input and the numerical calculation program, as shown in FIG. 9A, the encryption unit 121 puts the secret input into the numerical calculation program and acquires the secret output. When the encryption unit 121 obtains the secret output, it encrypts the secret input with the first encryption process and encrypts the secret output with the second encryption process. As a result, encrypted secret input and encrypted secret output are obtained.
 なお、秘密入力と秘密出力の暗号化前、暗号化中又は暗号化後、暗号化部121は情報記憶部111から公開入力を取得し、図9(a)に示すように、数値計算プログラムに公開入力と秘密入力を投入して公開出力を獲得する。暗号化部121は獲得した秘密出力と公開出力を情報記憶部111に保存する。これにより、情報記憶部111は秘密入力と秘密出力を含む秘密情報を記憶し、公開入力と公開出力を含む公開情報を記憶する。 Before, during, or after encryption of the secret input and secret output, the encryption unit 121 acquires the public input from the information storage unit 111, and as shown in FIG. Inject public and secret inputs to obtain public outputs. The encryption unit 121 stores the acquired secret output and public output in the information storage unit 111 . Thereby, the information storage unit 111 stores confidential information including confidential input and confidential output, and stores public information including public input and public output.
 秘密入力と秘密出力を暗号化すると、修正部122は数値計算プログラムを別の数値計算プログラムに修正する(ステップS23)。具体的には図9(b)に示すように、修正部122は、数値計算プログラムを、数値計算プログラムと第1復号化プログラムと第2暗号化プログラムとを含む別の数値計算プログラムに修正する。なお、第1復号化プログラムと第2暗号化プログラムは、修正部122がプログラム記憶部112から取得すればよい。 After encrypting the secret input and secret output, the modification unit 122 modifies the numerical calculation program into another numerical calculation program (step S23). Specifically, as shown in FIG. 9B, the modifying unit 122 modifies the numerical calculation program into another numerical calculation program including a numerical calculation program, a first decryption program, and a second encryption program. . Note that the first decryption program and the second encryption program may be acquired from the program storage unit 112 by the correction unit 122 .
 第1復号化プログラムは第1暗号化プログラムと対応するため、第1復号化プログラムに暗号化済秘密入力が投入されると、暗号化済秘密入力から暗号化前の秘密入力を復元することができる。したがって、別の数値計算プログラムの内部で、秘密入力を数値計算プログラムに投入すれば、秘密入力に応じた秘密出力を獲得することができる。さらに、別の数値計算プログラムの内部で、秘密出力が第2暗号化プログラムに投入されると、秘密出力から暗号化済秘密出力を生成することができる。暗号化済秘密出力は暗号化済秘密入力に基づいて生成されているため、暗号化済秘密出力と暗号化済秘密入力は正しい入出力関係を維持する。すなわち、秘密入力と秘密出力の正しい入出力関係と暗号化済秘密出力と暗号化済秘密入力の正しい入出力関係は同義になる。 Since the first decryption program corresponds to the first encryption program, when the encrypted secret input is input to the first decryption program, the secret input before encryption can be restored from the encrypted secret input. can. Therefore, if a secret input is input to a numerical calculation program inside another numerical calculation program, a secret output corresponding to the secret input can be obtained. Further, within another numerical computation program, when the secret output is fed into a second encryption program, an encrypted secret output can be generated from the secret output. Since the encrypted secret output is generated based on the encrypted secret input, the encrypted secret output and the encrypted secret input maintain the correct input/output relationship. That is, the correct input/output relation between secret input and secret output and the correct input/output relation between encrypted secret output and encrypted secret input are synonymous.
 数値計算プログラムを修正すると、送信部123は第1情報10を検証者サーバ200に送信する(ステップS24)。第1情報10は公開情報(具体的には公開入力と公開出力)と別の数値計算プログラムを含んでいる。第1情報10を送信すると、送信部123は第2情報20を第三者サーバ300に送信する(ステップS25)。第2情報20は公開情報と別の数値計算プログラムと暗号化済秘密情報(暗号化済秘密入力と暗号化済秘密出力)を含んでいる。送信部123が第2情報20を送信すると、受信部124は検証結果を受信するまで待機する。検証者サーバ200から検証結果が送信されると、受信部124は検証結果を受信し(ステップS26)、処理を終了する。 After correcting the numerical calculation program, the transmission unit 123 transmits the first information 10 to the verifier server 200 (step S24). The first information 10 includes public information (specifically public input and public output) and another numerical calculation program. After transmitting the first information 10, the transmitter 123 transmits the second information 20 to the third party server 300 (step S25). The second information 20 includes public information, separate numerical calculation programs, and encrypted secret information (encrypted secret input and encrypted secret output). When the transmitter 123 transmits the second information 20, the receiver 124 waits until it receives the verification result. When the verification result is transmitted from the verifier server 200, the receiving unit 124 receives the verification result (step S26) and ends the process.
 図10を参照して、第三者サーバ300が実行する処理の詳細について説明する。 Details of the processing executed by the third party server 300 will be described with reference to FIG.
 証明者端末100から第2情報20が送信されると、受信部321は第2情報20を受信する(ステップS31)。受信部321が第2情報20を受信すると、補助データ記録部322は第2情報20に基づいて補助データを記録して出力する(ステップS32)。より詳しくは、補助データ記録部322は第2情報20に含まれる公開入力と暗号化済秘密入力を第2情報20に含まれる別の数値計算プログラムに投入する。別の数値計算プログラムは第1復号化プログラムを含んでいる。このため、別の数値計算プログラムに投入された公開入力と暗号化済秘密入力のうち、暗号化済秘密入力が単独で別の数値計算プログラムの内部で秘密入力に復号される。すなわち、公開入力は別の数値計算プログラムの内部で不変である。補助データ記録部322は公開入力と復号された秘密入力の組合せを別の数値計算プログラムに含まれる数値計算プログラムに投入し、数値計算プログラムの実行途中に得られる補助データを記録して出力する。 When the second information 20 is transmitted from the prover terminal 100, the receiving section 321 receives the second information 20 (step S31). When the receiving unit 321 receives the second information 20, the auxiliary data recording unit 322 records and outputs auxiliary data based on the second information 20 (step S32). More specifically, the auxiliary data recording unit 322 inputs the public input and encrypted secret input included in the second information 20 to another numerical calculation program included in the second information 20 . Another numerical calculation program includes a first decoding program. Therefore, of the public input and the encrypted secret input input to another numerical calculation program, the encrypted secret input is independently decrypted into the secret input inside another numerical calculation program. That is, public inputs are immutable inside another numerical computation program. The auxiliary data recording unit 322 inputs the combination of the public input and the decrypted secret input into a numerical calculation program included in another numerical calculation program, and records and outputs auxiliary data obtained during execution of the numerical calculation program.
 なお、補助データ記録部322は公開入力と復号された秘密入力を別の数値計算プログラムに含まれる数値計算プログラムに個別に投入してもよい。この場合、数値計算プログラムの公開入力に対する実行途中に得られる第1データと、数値計算プログラムの秘密入力に対する実行途中に得られる第2データとに基づいて、補助データを記録して出力してもよい。 It should be noted that the auxiliary data recording unit 322 may separately input the public input and the decrypted secret input into a numerical calculation program included in another numerical calculation program. In this case, the auxiliary data may be recorded and output based on the first data obtained during the execution of the public input of the numerical calculation program and the second data obtained during the execution of the secret input of the numerical calculation program. good.
 補助データ記録部322が補助データを出力すると、証明生成部323は証明30を生成する(ステップS33)。より詳しくは、証明生成部323は補助データ、公開入力、公開出力、暗号化済秘密入力、暗号化済秘密出力、及び公知の証明生成手法に基づいて、証明30を生成する。証明生成部323が証明30を生成すると、送信部324は証明30を検証者サーバ200に送信し(ステップS34)、処理を終了する。 When the auxiliary data recording unit 322 outputs the auxiliary data, the proof generating unit 323 generates the proof 30 (step S33). More specifically, the proof generation unit 323 generates the proof 30 based on the auxiliary data, the public input, the public output, the encrypted secret input, the encrypted secret output, and a known proof generation method. When the proof generating unit 323 generates the proof 30, the sending unit 324 sends the proof 30 to the verifier server 200 (step S34), and ends the process.
 図11を参照して、検証者サーバ200が実行する処理の詳細について説明する。 Details of the processing executed by the verifier server 200 will be described with reference to FIG.
 まず、送信部223は証明要求を送信する(ステップS41)。送信部223が証明要求を送信すると、受信部221は第1情報10を受信するまで待機する。証明者端末100から第1情報10が送信されると、受信部221は第1情報10を受信する(ステップS42)。第1情報10を受信すると、受信部221は証明30を受信するまで待機する。第三者サーバ300から証明30が送信されると、受信部221は証明30を受信する(ステップS43)。 First, the transmission unit 223 transmits a certification request (step S41). When the transmitter 223 transmits the certification request, the receiver 221 waits until the first information 10 is received. When the first information 10 is transmitted from the prover terminal 100, the receiving section 221 receives the first information 10 (step S42). After receiving the first information 10 , the receiver 221 waits until the proof 30 is received. When the certification 30 is transmitted from the third party server 300, the receiving unit 221 receives the certification 30 (step S43).
 受信部221が証明30を受信すると、検証部222は証明30の正当性を検証する(ステップS44)。より詳しくは、検証部222は、第1情報10に含まれる公開入力、公開出力、及び別の数値計算プログラムと、証明30と、検証部222が備える所定の検証手法とに基づいて、証明30の正当性を検証する。証明30の正当性を検証した結果、検証部222が命題は真であると判断した場合(ステップS45:YES)、真を含む検証結果を証明者端末100に送信し(ステップS46)、処理を終了する。ここで、証明30は公開入力、公開出力、別の数値計算プログラム、暗号化済秘密入力、及び暗号化秘密出力に基づいて生成されている。このため、第1情報10に含まれる公開入力、公開出力、及び別の数値計算プログラムと、検証部222が備える所定の検証手法とに基づいて、証明30の暗号化済秘密入力と暗号化秘密出力の正しい入出力関係を判断できれば、秘密入力と秘密出力の正しい入出力関係も判断することができる。この場合、検証部222は命題が真であると判断する。証明30の正当性を検証した結果、検証部222が命題は偽であると判断した場合(ステップS45:NO)、偽を含む検証結果を証明者端末100に送信し(ステップS47)、処理を終了する。 When the receiving unit 221 receives the proof 30, the verification unit 222 verifies the validity of the proof 30 (step S44). More specifically, the verification unit 222 generates the proof 30 based on the public input, the public output, and another numerical calculation program included in the first information 10, the proof 30, and a predetermined verification technique provided in the verification unit 222. verify the legitimacy of As a result of verifying the correctness of the proof 30, when the verification unit 222 determines that the proposition is true (step S45: YES), the verification result including true is transmitted to the prover terminal 100 (step S46), and the process is started. finish. Here, proof 30 has been generated based on public input, public output, another numerical computation program, encrypted secret input, and encrypted secret output. Therefore, based on the public input and public output included in the first information 10, another numerical calculation program, and a predetermined verification method provided in the verification unit 222, the encrypted secret input and the encrypted secret of the proof 30 If the correct input/output relationship of output can be determined, the correct input/output relationship of secret input and secret output can also be determined. In this case, the verification unit 222 determines that the proposition is true. As a result of verifying the validity of the proof 30, when the verification unit 222 determines that the proposition is false (step S45: NO), the verification result including false is transmitted to the prover terminal 100 (step S47), and the process is started. finish.
(第2実施形態)
 図12及び図13を参照して、本件の第2実施形態について説明する。なお、図12において、図4に示される証明者端末100の各部と同様の構成には同一符号を付し、その説明を省略する。また、図13において、図8に示される証明者端末100の各処理と同様の処理には同一符号を付し、その説明を省略する。 (Second embodiment)
A second embodiment of the present case will be described with reference to FIGS. 12 and 13. FIG. 12, the same components as those of the prover terminal 100 shown in FIG. 4 are denoted by the same reference numerals, and description thereof will be omitted. Further, in FIG. 13, the same reference numerals are given to the same processes as the processes of the prover terminal 100 shown in FIG. 8, and the description thereof will be omitted.
 まず、図12に示すように、第2実施形態に係る処理部120はランダム値生成部125をさらに備える点で、第1実施形態に係る処理部120と相違する。ランダム値生成部125は第1ランダム値と第2ランダム値を生成する。第1ランダム値と第2ランダム値はいずれもランダム値生成部125が無作為(ランダム)に指定した値(具体的には数値)である。すなわち、第1ランダム値と第2ランダム値はいずれも証明者端末100が無作為に指定した値である。 First, as shown in FIG. 12, the processing unit 120 according to the second embodiment is different from the processing unit 120 according to the first embodiment in that a random value generation unit 125 is further provided. A random value generator 125 generates a first random value and a second random value. Both the first random value and the second random value are values (specifically, numerical values) randomly specified by the random value generator 125 . That is, both the first random value and the second random value are values randomly specified by the prover terminal 100 .
 図13に示すように、ステップS21の処理で受信部124が証明要求を受信すると、ランダム値生成部125は第1ランダム値及び第2ランダム値を生成する(ステップS51)。ランダム値生成部125が第1ランダム値及び第2ランダム値を生成すると、暗号化部121は第1ランダム値に基づき秘密入力を暗号化する(ステップS52)。 As shown in FIG. 13, when the receiving unit 124 receives the certification request in the process of step S21, the random value generating unit 125 generates a first random value and a second random value (step S51). After the random value generator 125 generates the first random value and the second random value, the encryption unit 121 encrypts the secret input based on the first random value (step S52).
 例えば、暗号化部121は秘密入力に第1ランダム値を加算し、加算後の秘密入力を第1暗号化処理で暗号化する。これにより、第1ランダム値に応じた暗号化済秘密入力が発生する。第1ランダム値に応じた暗号化済秘密入力を第1復号化処理により復号すると、第1ランダム値が加算された秘密入力が復元する。このため、元の秘密入力に戻す場合には、第1ランダム値が加算された秘密入力から第1ランダム値を減算すればよい。すなわち、第1ランダム値と秘密入力に基づいて第1暗号化処理で暗号化する場合には、第1暗号化処理に対になる第1復号化処理に第1ランダム値を減算する処理を含めればよい。 For example, the encryption unit 121 adds a first random value to the secret input, and encrypts the secret input after the addition by the first encryption process. This generates an encrypted secret input corresponding to the first random value. When the encrypted secret input corresponding to the first random value is decrypted by the first decryption process, the secret input to which the first random value is added is restored. Therefore, when returning to the original secret input, the first random value is subtracted from the secret input to which the first random value is added. That is, when encryption is performed by the first encryption process based on the first random value and the secret input, the process of subtracting the first random value must be included in the first decryption process paired with the first encryption process. Just do it.
 第1ランダム値に基づき秘密入力を暗号化すると、暗号化部121は第2ランダム値に基づき秘密出力を暗号化する(ステップS53)。上述したように、第1ランダム値加算後の秘密入力を第1暗号化処理で暗号化した場合には、暗号化部121は秘密出力に第2ランダム値を加算し、加算後の秘密出力を第2暗号化処理で暗号化する。これにより、第2ランダム値に応じた暗号化済秘密出力が発生する。第2ランダム値に応じた暗号化済秘密出力を第2復号化処理により復号すると、第2ランダム値が加算された秘密出力が復元する。このため、元の秘密出力に戻す場合には、第2ランダム値が加算された秘密出力から第2ランダム値を減算すればよい。すなわち、第2ランダム値と秘密出力に基づいて第2暗号化処理で暗号化する場合には、第2暗号化処理に対になる第2復号化処理に第2ランダム値を減算する処理を含めればよい。 After encrypting the secret input based on the first random value, the encryption unit 121 encrypts the secret output based on the second random value (step S53). As described above, when the secret input after addition of the first random value is encrypted by the first encryption process, the encryption unit 121 adds the second random value to the secret output, and converts the secret output after addition to the second random value. Encrypt by the second encryption process. This generates an encrypted secret output corresponding to the second random value. When the encrypted secret output corresponding to the second random value is decrypted by the second decryption process, the secret output to which the second random value is added is restored. Therefore, when returning to the original secret output, the second random value should be subtracted from the secret output to which the second random value is added. That is, when encryption is performed by the second encryption process based on the second random value and the secret output, the process of subtracting the second random value must be included in the second decryption process paired with the second encryption process. Just do it.
 第2ランダム値に基づき秘密出力を暗号化すると、修正部122は数値計算プログラムを別の数値計算プログラムに修正する(ステップS54)。具体的には、修正部122は、数値計算プログラムを、数値計算プログラムと第1復号化プログラムと第2暗号化プログラムとを含む別の数値計算プログラムに修正する。ただし、第2実施形態では、第1復号化プログラムに第1ランダム値を減算する処理が含まれている。また、第2暗号化プログラムに第2ランダム値を加算する処理が含まれている。すなわち、第2実施形態に係る別の数値計算プログラムは第1実施形態に係る別の数値計算プログラムと相違する。これにより、第1ランダム値に応じた暗号化済秘密入力と第2ランダム値に応じた暗号化済秘密出力は正しい入出力関係を維持する。修正部122が数値計算プログラムを別の数値計算プログラムに修正すると、ステップS24の処理により、送信部123は第1情報10を検証者サーバ200に送信する。 After encrypting the secret output based on the second random value, the modification unit 122 modifies the numerical calculation program to another numerical calculation program (step S54). Specifically, the modifying unit 122 modifies the numerical calculation program into another numerical calculation program including a numerical calculation program, a first decryption program, and a second encryption program. However, in the second embodiment, the first decoding program includes a process of subtracting the first random value. Also, a process of adding a second random value to the second encryption program is included. That is, another numerical calculation program according to the second embodiment is different from another numerical calculation program according to the first embodiment. As a result, the encrypted secret input corresponding to the first random value and the encrypted secret output corresponding to the second random value maintain a correct input/output relationship. When the correcting unit 122 corrects the numerical calculation program to another numerical calculation program, the transmission unit 123 transmits the first information 10 to the verifier server 200 by the process of step S24.
 なお、一例として、秘密入力への第1ランダム値の加算及び秘密入力からの第1ランダム値の減算、並びに秘密出力への第2ランダム値の加算及び秘密出力からの第2ランダム値の減算を説明したが、この例に特に限定されない。 As an example, addition of the first random value to the secret input and subtraction of the first random value from the secret input, and addition of the second random value to the secret output and subtraction of the second random value from the secret output are performed. Although described, it is not specifically limited to this example.
 例えば、第1暗号化処理の際には秘密入力に第1ランダム値を乗算し、第1復号化処理の際には第1ランダム値が乗算された秘密入力を第1ランダム値で除算してもよい。同様に、第2暗号化処理の際には秘密出力に第2ランダム値を乗算し、第2復号化処理の際には第2ランダム値が乗算された秘密出力を第2ランダム値で除算してもよい。このような手法によっても、加算と減算と同様の効果を得ることができる。このように、第2実施形態によれば、秘密情報の暗号化や数値計算プログラムの修正に第1ランダム値及び第2ランダム値を採用することで、第1実施形態に比べて、秘密情報が漏洩する危険性を抑えることができる。 For example, in the first encryption process, the secret input is multiplied by the first random value, and in the first decryption process, the secret input multiplied by the first random value is divided by the first random value. good too. Similarly, the secret output is multiplied by the second random value in the second encryption process, and the secret output multiplied by the second random value is divided by the second random value in the second decryption process. may Such a method can also provide the same effect as addition and subtraction. As described above, according to the second embodiment, by adopting the first random value and the second random value for the encryption of the secret information and the correction of the numerical calculation program, the secret information is more secure than in the first embodiment. You can reduce the risk of leakage.
(第3実施形態)
 本件の第3実施形態について説明する。第3実施形態に係る修正部122は、数値計算プログラムを修正する際、第1復号化プログラム、数値計算プログラム、及び第2暗号化プログラムを跨いで加算と乗算の順序を組み替えて、数値計算プログラムを別の数値計算プログラムに修正する。すなわち、修正部122は第1復号化プログラム、数値計算プログラム、及び第2暗号化プログラムに記述されている計算の順序を入れ替えることでシャッフルする。第1復号化プログラム、数値計算プログラム、及び第2暗号化プログラムはいずれも加算と乗算の組合せである(有限体上の)多項式を計算するプログラムである。これにより、第1復号化プログラム及び第2暗号化プログラムがどのような計算を行うプログラムであるかを秘匿でき、秘密入力と秘密出力の漏洩に対する安全性を向上させることができる。 (Third embodiment)
A third embodiment of this case will be described. When correcting the numerical calculation program, the correction unit 122 according to the third embodiment rearranges the order of addition and multiplication across the first decryption program, the numerical calculation program, and the second encryption program, so that the numerical calculation program to another numerical calculation program. That is, the correction unit 122 shuffles by changing the order of calculation described in the first decryption program, the numerical calculation program, and the second encryption program. The first decryption program, the numerical calculation program, and the second encryption program are all programs for calculating polynomials (on a finite field) that are combinations of addition and multiplication. As a result, it is possible to conceal what kind of calculation the first decryption program and the second encryption program perform, and it is possible to improve security against leakage of the secret input and the secret output.
 ここで、第1実施形態で説明したように、暗号化済秘密入力は第1復号化プログラムで復号することができ、暗号化済秘密出力は第2復号化プログラムで復号することができる。したがって、第1復号化プログラムが第三者サーバ300に単独で流出すると、第三者サーバ300は第1復号化プログラムを使って秘密入力を復号することができる。同様に、第2復号化プログラムが第三者サーバ300に単独で流出すると、第三者サーバ300は第2復号化プログラムを使って秘密出力を復号することができる。 Here, as described in the first embodiment, the encrypted secret input can be decrypted by the first decryption program, and the encrypted secret output can be decrypted by the second decryption program. Therefore, if the first decryption program leaks to the third party server 300 alone, the third party server 300 can use the first decryption program to decrypt the secret input. Similarly, if the second decryption program is leaked to the third party server 300 alone, the third party server 300 can decrypt the secret output using the second decryption program.
 また、第1実施形態でも説明したように、送信部123は第1復号化プログラム、数値計算プログラム、及び第2暗号化プログラムを単純にこの順番で組み合わせた別の数値計算プログラム(図9(b)参照)を第2情報20の一部として第三者サーバ300へ送信する。この場合、第三者サーバ300がリバースエンジニアリングなどの技術によって別の数値計算プログラムの内部を確認できれば、第1復号化プログラム及び第2暗号化プログラムを特定する可能性がある。結果的に、秘匿性の高い暗号化済秘密入力と暗号化済秘密出力が復号される可能性がある。しかしながら、第3実施形態によれば、第1復号化プログラム、数値計算プログラム、及び第2暗号化プログラムに記述されている計算の順序を入れ替えてシャッフルすることで、秘密入力と秘密出力の漏洩に対する安全性を向上させることができる。 Further, as described in the first embodiment, the transmission unit 123 simply combines the first decryption program, the numerical calculation program, and the second encryption program in this order to create another numerical calculation program (Fig. 9(b)). )) as part of the second information 20 to the third party server 300 . In this case, if the third party server 300 can confirm the inside of another numerical calculation program by a technique such as reverse engineering, it may identify the first decryption program and the second encryption program. As a result, highly confidential encrypted secret input and encrypted secret output may be decrypted. However, according to the third embodiment, the order of the calculations described in the first decryption program, the numerical calculation program, and the second encryption program is changed and shuffled to prevent leakage of secret input and secret output. Safety can be improved.
 以上、本発明の好ましい実施形態について詳述したが、本発明に係る特定の実施形態に限定されるものではなく、請求の範囲に記載された本発明の要旨の範囲内において、種々の変形・変更が可能である。例えば、上述した実施形態では補助データに基づいて証明30を生成することを説明したが、補助データを採用せずに、証明30を生成することもできる。具体的には、証明生成部323は暗号化済秘密入力と暗号化済秘密出力と公開入力と公開出力と別の数値計算プログラムと公知の証明生成手法とに基づいて、証明30を生成してもよい。 Although the preferred embodiments of the present invention have been described in detail above, the present invention is not limited to specific embodiments, and various modifications and variations can be made within the scope of the gist of the present invention described in the claims. Change is possible. For example, although the embodiment described above describes generating the proof 30 based on the auxiliary data, the proof 30 can also be generated without employing the auxiliary data. Specifically, the proof generation unit 323 generates the proof 30 based on the encrypted secret input, the encrypted secret output, the public input, the public output, another numerical calculation program, and a known proof generation technique. good too.
  ST 情報処理システム
  100 証明者端末
  120 処理部
  121 暗号化部
  122 修正部
  123 送信部
  124 受信部
  125 ランダム値生成部
  200 検証者サーバ
  300 第三者サーバ
  ST information processing system 100 prover terminal 120 processing unit 121 encryption unit 122 correction unit 123 transmission unit 124 reception unit 125 random value generation unit 200 verifier server 300 third party server

Claims (15)

  1.  ゼロ知識証明における証明者が秘密にする数値計算プログラムへの秘密入力と前記数値計算プログラムからの秘密出力をそれぞれ第1暗号化処理と第2暗号化処理で暗号化し、
     前記数値計算プログラムを、第1暗号化処理と対になる復号化処理と前記数値計算プログラムと前記第2暗号化処理とを含む別の数値計算プログラムに修正し、
     前記別の数値計算プログラムと前記証明者が公開する前記数値計算プログラムへの公開入力と前記数値計算プログラムからの公開出力とを含む第1情報を、前記ゼロ知識証明における検証者に送信し、
     暗号化した前記秘密入力及び前記秘密出力と前記別の数値計算プログラムと前記公開入力及び前記公開出力とを含む第2情報を、前記証明者及び前記検証者と異なる第三者に送信する、処理をコンピュータに実行させ、
     前記第三者が前記第2情報に基づいて前記ゼロ知識証明における命題に関する証明を生成し、生成した前記証明を前記検証者に送信する、
     ことを特徴とする情報処理プログラム。     encrypting a secret input to a numerical calculation program and a secret output from the numerical calculation program, which are kept secret by a prover in zero-knowledge proof, by a first encryption process and a second encryption process, respectively;
    modifying the numerical calculation program into another numerical calculation program including decryption processing paired with the first encryption processing, the numerical calculation program, and the second encryption processing;
    transmitting to a verifier in the zero-knowledge proof first information including the another numerical calculation program, a public input to the numerical calculation program published by the prover, and a public output from the numerical calculation program;
    a process of transmitting second information including the encrypted secret input and secret output, the separate numerical calculation program, and the public input and public output to a third party different from the prover and the verifier; on the computer, and
    the third party generates a proof of the proposition in the zero-knowledge proof based on the second information, and transmits the generated proof to the verifier;
    An information processing program characterized by:
  2.  前記暗号化する処理は、前記証明者が無作為に指定した第1ランダム値を前記秘密入力に加算して前記第1暗号化処理で暗号化し、前記証明者が無作為に指定した第2ランダム値を前記秘密出力に加算して前記第2暗号化処理で暗号化する、
     ことを特徴とする請求項1に記載の情報処理プログラム。     The encryption process includes adding a first random value randomly specified by the prover to the secret input, encrypting the secret input by the first encryption process, and adding a second random value randomly specified by the prover to the secret input. adding a value to the secret output and encrypting it with the second encryption process;
    The information processing program according to claim 1, characterized by:
  3.  前記暗号化する処理は、前記証明者が無作為に指定した第1ランダム値を前記秘密入力に乗算して前記第1暗号化処理で暗号化し、前記証明者が無作為に指定した第2ランダム値を前記秘密出力に乗算して前記第2暗号化処理で暗号化する、
     ことを特徴とする請求項1に記載の情報処理プログラム。     The encryption process includes multiplying the secret input by a first random value randomly specified by the prover, encrypting the secret input by the first encryption process, and encrypting the secret input with a second random value randomly specified by the prover. multiplying the secret output by a value and encrypting it with the second encryption process;
    The information processing program according to claim 1, characterized by:
  4.  前記復号化処理、前記数値計算プログラム、及び前記第2暗号化処理は、いずれも加算と乗算の組合せであり、
     前記修正する処理は、前記復号化処理、前記数値計算プログラム、及び前記第2暗号化処理を跨いで前記加算と前記乗算の順序を組み替えて、前記数値計算プログラムを前記別の数値計算プログラムに修正する、
     ことを特徴とする請求項1から3のいずれか1項に記載の情報処理プログラム。     The decryption process, the numerical calculation program, and the second encryption process are all combinations of addition and multiplication,
    The modifying process changes the order of the addition and the multiplication across the decryption process, the numerical calculation program, and the second encryption process, and modifies the numerical calculation program into the different numerical calculation program. do,
    4. The information processing program according to any one of claims 1 to 3, characterized by:
  5.  前記第1情報と前記証明とに基づいて前記検証者によって検証された前記命題の正当性に関する検証結果を受信する処理を含む、
     ことを特徴とする請求項1から4のいずれか1項に記載の情報処理プログラム。     receiving a verification result regarding the correctness of the proposition verified by the verifier based on the first information and the proof;
    5. The information processing program according to any one of claims 1 to 4, characterized by:
  6.  前記第2情報を送信する処理は、前記第2情報を単一の前記第三者に送信する、
     ことを特徴とする請求項1から5のいずれか1項に記載の情報処理プログラム。     the process of transmitting the second information transmits the second information to the single third party;
    6. The information processing program according to any one of claims 1 to 5, characterized by:
  7.  前記第三者を実現するサーバ装置の第1性能は前記コンピュータの第2性能より高い、
     ことを特徴とする請求項1から6のいずれか1項に記載の情報処理プログラム。     a first performance of the server device realizing the third party is higher than a second performance of the computer;
    7. The information processing program according to any one of claims 1 to 6, characterized by:
  8.  ゼロ知識証明における証明者が秘密にする数値計算プログラムへの秘密入力と前記数値計算プログラムからの秘密出力をそれぞれ第1暗号化処理と第2暗号化処理で暗号化し、
     前記数値計算プログラムを、第1暗号化処理と対になる復号化処理と前記数値計算プログラムと前記第2暗号化処理とを含む別の数値計算プログラムに修正し、
     前記別の数値計算プログラムと前記証明者が公開する前記数値計算プログラムへの公開入力と前記数値計算プログラムからの公開出力とを含む第1情報を、前記ゼロ知識証明における検証者に送信し、
     暗号化した前記秘密入力及び前記秘密出力と前記別の数値計算プログラムと前記公開入力及び前記公開出力とを含む第2情報を、前記証明者及び前記検証者と異なる第三者に送信する、処理をコンピュータが実行し、
     前記第三者が前記第2情報に基づいて前記ゼロ知識証明における命題に関する証明を生成し、生成した前記証明を前記検証者に送信する、
     ことを特徴とする情報処理方法。     encrypting a secret input to a numerical calculation program and a secret output from the numerical calculation program, which are kept secret by a prover in zero-knowledge proof, by a first encryption process and a second encryption process, respectively;
    modifying the numerical calculation program into another numerical calculation program including decryption processing paired with the first encryption processing, the numerical calculation program, and the second encryption processing;
    transmitting to a verifier in the zero-knowledge proof first information including the another numerical calculation program, a public input to the numerical calculation program published by the prover, and a public output from the numerical calculation program;
    a process of transmitting second information including the encrypted secret input and secret output, the separate numerical calculation program, and the public input and public output to a third party different from the prover and the verifier; is executed by the computer and
    the third party generates a proof of the proposition in the zero-knowledge proof based on the second information, and transmits the generated proof to the verifier;
    An information processing method characterized by:
  9.  ゼロ知識証明における証明者が秘密にする数値計算プログラムへの秘密入力と前記数値計算プログラムからの秘密出力をそれぞれ第1暗号化処理と第2暗号化処理で暗号化部と、
     前記数値計算プログラムを、第1暗号化処理と対になる復号化処理と前記数値計算プログラムと前記第2暗号化処理とを含む別の数値計算プログラムに修正部と、
     前記別の数値計算プログラムと前記証明者が公開する前記数値計算プログラムへの公開入力と前記数値計算プログラムからの公開出力とを含む第1情報を、前記ゼロ知識証明における検証者に送信し、暗号化した前記秘密入力及び前記秘密出力と前記別の数値計算プログラムと前記公開入力及び前記公開出力とを含む第2情報を、前記証明者及び前記検証者と異なる第三者に送信する送信部と、を備え、
     前記第三者が前記第2情報に基づいて前記ゼロ知識証明における命題に関する証明を生成し、生成した前記証明を前記検証者に送信する、
     ことを特徴とする情報処理装置。     a secret input to a numerical calculation program and a secret output from the numerical calculation program which are kept secret by a prover in zero-knowledge proof by a first encryption process and a second encryption process, respectively;
    a modification unit that converts the numerical calculation program into another numerical calculation program that includes decryption processing paired with a first encryption processing, the numerical calculation program, and the second encryption processing;
    transmitting to a verifier in said zero-knowledge proof first information including said another numerical calculation program, a public input to said numerical calculation program published by said prover, and a public output from said numerical calculation program; a transmission unit configured to transmit second information including the secret input and the secret output, the different numerical calculation program, the public input and the public output to a third party different from the prover and the verifier; , and
    the third party generates a proof of the proposition in the zero-knowledge proof based on the second information, and transmits the generated proof to the verifier;
    An information processing device characterized by:
  10.  前記暗号化部は、前記証明者が無作為に指定した第1ランダム値を前記秘密入力に加算して前記第1暗号化処理で暗号化し、前記証明者が無作為に指定した第2ランダム値を前記秘密出力に加算して前記第2暗号化処理で暗号化する、
     ことを特徴とする請求項9に記載の情報処理装置。     The encryption unit adds a first random value randomly specified by the prover to the secret input, encrypts the secret input by the first encryption process, and adds a second random value randomly specified by the prover to the secret input. is added to the secret output and encrypted with the second encryption process,
    10. The information processing apparatus according to claim 9, characterized by:
  11.  前記暗号化部は、前記証明者が無作為に指定した第1ランダム値を前記秘密入力に乗算して前記第1暗号化処理で暗号化し、前記証明者が無作為に指定した第2ランダム値を前記秘密出力に乗算して前記第2暗号化処理で暗号化する、
     ことを特徴とする請求項9に記載の情報処理装置。     The encryption unit multiplies the secret input by a first random value randomly specified by the prover, encrypts the secret input in the first encryption process, and encrypts the secret input with a second random value randomly specified by the prover. multiplied by the secret output and encrypted with the second encryption process;
    10. The information processing apparatus according to claim 9, characterized by:
  12.  前記復号化処理、前記数値計算プログラム、及び前記第2暗号化処理は、いずれも加算と乗算の組合せであり、
     前記修正部は、前記復号化処理、前記数値計算プログラム、及び前記第2暗号化処理を跨いで前記加算と前記乗算の順序を組み替えて、前記数値計算プログラムを前記別の数値計算プログラムに修正する、
     ことを特徴とする請求項9から11のいずれか1項に記載の情報処理装置。     The decryption process, the numerical calculation program, and the second encryption process are all combinations of addition and multiplication,
    The modifying unit rearranges the order of the addition and the multiplication across the decryption process, the numerical calculation program, and the second encryption process, and modifies the numerical calculation program into the different numerical calculation program. ,
    12. The information processing apparatus according to any one of claims 9 to 11, characterized by:
  13.  前記第1情報と前記証明とに基づいて前記検証者によって検証された前記命題の正当性に関する検証結果を受信する受信部
     をさらに備えることを特徴とする請求項9から12のいずれか1項に記載の情報処理装置。     13. The method according to any one of claims 9 to 12, further comprising a receiving unit that receives a verification result regarding the correctness of the proposition verified by the verifier based on the first information and the proof. The information processing device described.
  14.  前記送信部は、前記第2情報を単一の前記第三者に送信する、
     ことを特徴とする請求項9から13のいずれか1項に記載の情報処理装置。     the transmission unit transmits the second information to the single third party;
    14. The information processing apparatus according to any one of claims 9 to 13, characterized by:
  15.  前記第三者を実現するサーバ装置の第1性能は前記情報処理装置の第2性能より高い、
     ことを特徴とする請求項9から14のいずれか1項に記載の情報処理装置。
          the first performance of the server device realizing the third party is higher than the second performance of the information processing device;
    15. The information processing apparatus according to any one of claims 9 to 14, characterized by:
PCT/JP2021/037125 2021-10-07 2021-10-07 Information processing program, information processing method, and information processing apparatus WO2023058186A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2021/037125 WO2023058186A1 (en) 2021-10-07 2021-10-07 Information processing program, information processing method, and information processing apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2021/037125 WO2023058186A1 (en) 2021-10-07 2021-10-07 Information processing program, information processing method, and information processing apparatus

Publications (1)

Publication Number Publication Date
WO2023058186A1 true WO2023058186A1 (en) 2023-04-13

Family

ID=85803304

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2021/037125 WO2023058186A1 (en) 2021-10-07 2021-10-07 Information processing program, information processing method, and information processing apparatus

Country Status (1)

Country Link
WO (1) WO2023058186A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190116174A1 (en) * 2017-10-16 2019-04-18 Microsoft Technology Licensing, Llc Selecting and securing proof delgates for cryptographic functions
JP2021001991A (en) * 2019-06-24 2021-01-07 株式会社日立製作所 Anonymous data management system and anonymous data management method

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190116174A1 (en) * 2017-10-16 2019-04-18 Microsoft Technology Licensing, Llc Selecting and securing proof delgates for cryptographic functions
JP2021001991A (en) * 2019-06-24 2021-01-07 株式会社日立製作所 Anonymous data management system and anonymous data management method

Similar Documents

Publication Publication Date Title
US11601407B2 (en) Fast oblivious transfers
CN107959567B (en) Data storage method, data acquisition method, device and system
US9065637B2 (en) System and method for securing private keys issued from distributed private key generator (D-PKG) nodes
CN111181720A (en) Service processing method and device based on trusted execution environment
JP2019533384A (en) Data transmission method, apparatus and system
US11405365B2 (en) Method and apparatus for effecting a data-based activity
CN111541678A (en) Block chain-based proxy re-encryption method, system and storage medium
JP2023500570A (en) Digital signature generation using cold wallet
US20120294445A1 (en) Credential storage structure with encrypted password
US11374910B2 (en) Method and apparatus for effecting a data-based activity
US20200195446A1 (en) System and method for ensuring forward & backward secrecy using physically unclonable functions
CN113987554B (en) Method, device and system for obtaining data authorization
US11190499B2 (en) Communication terminals, server devices, and programs
CN111193703B (en) Communication apparatus and communication method used in distributed network
US11637817B2 (en) Method and apparatus for effecting a data-based activity
US20160148002A1 (en) Key storage apparatus, key storage method and program therefor
CN116318696B (en) Proxy re-encryption digital asset authorization method under condition of no initial trust of two parties
CN117240433A (en) Information sharing method and device based on proxy re-encryption
WO2023058186A1 (en) Information processing program, information processing method, and information processing apparatus
KR102512871B1 (en) Centralized private key management method for multiple user devices related to a single public key
Fugkeaw et al. Proxy-assisted digital signing scheme for mobile cloud computing
US11956359B2 (en) Privacy preserving identity data exchange based on hybrid encryption
KRISHNAMOORTHY et al. IMPLEMENTATION AND MANAGEMENT OF SECURITY FOR SENSITIVE DATA IN CLOUD COMPUTING ENVIRONMENT USING ELLIPTICAL CURVE CRYPTOGRAPHY
CN115766268A (en) Processing method, device, equipment and storage medium
CN117254907A (en) Communication method and device based on elliptic curve public key cryptographic algorithm and electronic equipment

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21959928

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE