阅读说明：本技术 秘密篡改探测系统、秘密篡改探测装置、秘密篡改探测方法以及程序 (Secret tamper detection system, secret tamper detection device, secret tamper detection method, and program ) 是由 五十岚大 于 2018-05-11 设计创作，主要内容包括：在以较少的通信量保持隐匿性的情况下探测秘密计算中的篡改。随机数生成单元(11)生成[<Sup>→</Sup>r<Sub>i</Sub>]、[<Sup>→</Sup>s<Sub>i</Sub>]。随机数乘法单元(12)计算[<Sup>→</Sup>t<Sub>i</Sub>]:＝[<Sup>→</Sup>r<Sub>i</Sub><Sup>→</Sup>s<Sub>i</Sub>]。秘密乘法单元(13)计算[<Sup>→</Sup>z]:＝[<Sup>→</Sup>x<Sup>→</Sup>y]。随机数验证单元(14)在[<Sup>→</Sup>r<Sub>i</Sub>]、[<Sup>→</Sup>s<Sub>i</Sub>]、[<Sup>→</Sup>t<Sub>i</Sub>]中公开第p<Sub>i,j</Sub>个元素,确认作为乘法是否匹配。随机数置换单元(15)在[<Sup>→</Sup>r<Sub>i</Sub>]、[<Sup>→</Sup>s<Sub>i</Sub>]、[<Sup>→</Sup>t<Sub>i</Sub>]中随机置换第p<Sub>i,j</Sub>个以外的元素,生成[<Sup>→</Sup>r’<Sub>i</Sub>]、[<Sup>→</Sup>s’<Sub>i</Sub>]、[<Sup>→</Sup>t’<Sub>i</Sub>]。减法值公开单元(16)计算[<Sup>→</Sup>x-<Sup>→</Sup>r’<Sub>i</Sub>]、[<Sup>→</Sup>y-<Sup>→</Sup>s’<Sub>i</Sub>]。验证值计算单元(17)计算[<Sup>→</Sup>c<Sub>i</Sub>]:＝[<Sup>→</Sup>z]-(<Sup>→</Sup>x-<Sup>→</Sup>r’<Sub>i</Sub>)[<Sup>→</Sup>y]-(<Sup>→</Sup>y-<Sup>→</Sup>s’<Sub>i</Sub>)[<Sup>→</Sup>r’<Sub>i</Sub>]-[<Sup>→</Sup>t’<Sub>i</Sub>]。验证值确认单元(18)确认验证值c<Sub>i</Sub>全部为0的情况。(Tampering in secret computation is detected while maintaining privacy with less traffic. A random number generation unit (11) generates [ 2 ] → r i ]、[ → s i ]. A random number multiplication unit (12) calculates → t i ]:＝[ → r i → s i ]. A secret multiplication unit (13) calculates → z]:＝[ → x → y]. The random number verification unit (14) is in → r i ]、[ → s i ]、[ → t i ]P of i,j Element, confirm as multiplication match. The random number substitution unit (15) is set in → r i ]、[ → s i ]、[ → t i ]In random permutation of p i,j An element other than the element, to produce [ alpha ], [ alpha → r' i ]、[ → s' i ]、[ → t' i ]. A subtraction value disclosing unit (16) calculates → x‑ → r' i ]、[ → y‑ → s' i ]. A verification value calculation unit (17) calculates → c i ]:＝[ → z]‑( → x‑ → r' i )[ → y]‑( → y‑ → s' i )[ → r' i ]‑[ → t' i ]. An authentication value confirmation unit (18) confirms the authentication value c i All 0.)

1. A covert tamper detection system is provided that includes a first sensor,

σ represents an arbitrary integer of 1 or more, N, D represents a predetermined natural number, i represents an integer of 0 or more and less than σ, j represents an integer of 0 or more and less than D,

comprises at least 3 secret tampering detection devices, and when recovered, the secret tampering detection devices become vectors with element number N^→Section of x [ 2 ]^→x]And if the vector is restored, the vector becomes a vector of the element number N^→Section of y [ 2 ]^→y]As input, the output becomes the vector when it is restored^→x sum vector^→y vector of result of multiplication by each element^→z partial value [ 2 ]^→z]，

The secret tamper detection device includes:

a random number generation unit for generating a random number vector which becomes an element number N + D when restored for each integer i^→r_iσ pieces of (2)^→r_i]And a random number vector which becomes the element number N + D when recovered^→s_iσ pieces of (2)^→s_i]；

A random number multiplication unit for calculating the section [ 2 ] by secret calculation for each integer i^→r_i]And the section [ 2 ]^→s_i]Multiplying, generating, and upon restoration, converting the vector into a vector^→r_iSum vector^→s_iVector of result of multiplication by each element^→t_iσ pieces of (2)^→t_i]；

Secret multiplicationA unit that calculates the section [ 2 ] by a secret calculation^→x]And the section [ 2 ]^→y]Multiplying to produce the portion [ 2 ]^→z]；

A random number verification unit for randomly selecting different D integers p with 0 or more and less than D + N for each integer i_i,jIn the section [ 2 ]^→r_i]、[^→s_i]、[^→t_i]P of_i,jAn element identified with the moiety [ 2 ]^→r_i]、[^→s_i]、[^→t_i]As whether the multiplications match;

a random number substitution unit for generating a random number in the section [ 2 ] for each integer i^→r_i]、[^→s_i]、[^→t_i]In random substitution of p_i,jA portion of an element other than unity [ 2 ]^→r'_i]、[^→s'_i]、[^→t'_i]；

A subtraction value disclosure unit that calculates and discloses [ 2 ] for each integer i^→x-^→r'_i]、[^→y-^→s'_i]；

A verification value calculation unit for calculating for each integer i

[^→c_i]:＝[^→z]-(^→x-^→r'_i)[^→y]-(^→y-^→s'_i)[^→r'_i]-[^→t'_i]If the data is restored, the generated data becomes a verification value c_iVector of (2)^→c_iSection [ 2 ]^→c_i](ii) a And

a verification value confirmation unit that uses the portion [ 2 ] for each integer i^→c_i]Validating said verification value c_iAll 0.

2. The covert tamper detection system of claim 1,

the random number generation unit generates random numbers by using a tape tamper detectionInto a protocol to produce the portion [ 2 ]^→r_i]And the section [ 2 ]^→s_i]The unit (c) of (a) is,

the random number multiplication unit is a unit that uses a tamper-free detection multiplication protocol to multiply the section [ 2 ]^→r_i]And the section [ 2 ]^→s_i]The units of the multiplication are such that,

the secret multiplication unit is to use the tamper-free detection multiplication protocol to multiply the section [ 2 ]^→x]And the section [ 2 ]^→y]The units of the multiplication are such that,

the random number verification unit uses a tamper detection disclosing protocol disclosing the section^→r_i]、[^→s_i]、[^→t_i]Middle (p)_i,jThe unit of the individual elements is,

the subtraction value disclosure unit uses the tamper detection disclosure protocol to disclose the

[^→x-^→r'_i]、[^→y-^→s'_i]The unit (2).

3. The covert tamper detection system of claim 1,

the verification value confirmation unit calculates the value of the section [ 2 ]^→c_i]And a checksum formed by a product of exponentiation of each element of (a) and a random number r, wherein the verification value c is confirmed by whether the checksum c is 0 or not_iAll 0.

4. A secret tamper detection device is provided with a plurality of sensors,

σ represents an arbitrary integer of 1 or more, N, D represents a predetermined natural number, i represents an integer of 0 or more and less than σ, j represents an integer of 0 or more and less than D,

will become a vector of element number N if recovered^→Section of x [ 2 ]^→x]And a vector of the number of elements N if restored^→Section of y [ 2 ]^→y]The vector is input, and the output becomes the vector if the output is recovered^→x sum vector^→y multiplying by each elementVector of results^→z partial value [ 2 ]^→z]，

The secret tamper detection device includes:

a random number generation unit for generating a random number vector which becomes an element number N + D when restored for each integer i^→r_iσ pieces of (2)^→r_i]And a random number vector which becomes the element number N + D when recovered^→s_iσ pieces of (2)^→s_i]；

A random number multiplication unit for secret-computing the section [ 2 ] for each integer i^→r_i]And the section [ 2 ]^→s_i]Multiplying, generating, and upon restoration, converting the vector into a vector^→r_iSum vector^→s_iVector of result of multiplication by each element^→t_iσ pieces of (2)^→t_i]；

A secret multiplication unit for calculating the section [ 2 ] by secret calculation^→x]And the section [ 2 ]^→y]Multiplying to produce the portion [ 2 ]^→z]；

A random number verification unit for randomly selecting different D integers p with 0 or more and less than D + N for each integer i_i,jIn the section [ 2 ]^→r_i]、[^→s_i]、[^→t_i]P of_i,jAn element identified with the moiety [ 2 ]^→r_i]、[^→s_i]、[^→t_i]As whether the multiplications match;

a random number substitution unit for generating a random number in the section [ 2 ] for each integer i^→r_i],[^→s_i],[^→t_i]In random substitution of p_i,jA portion of an element other than unity [ 2 ]^→r'_i]、[^→s'_i]、[^→t'_i]；

A subtraction value disclosure unit that calculates and discloses [ 2 ] for each integer i^→x-^→r'_i]、[^→y-^→s'_i]；

A verification value calculation unit for calculating for each integer i

[^→c_i]:＝[^→z]-(^→x-^→r'_i)[^→y]-(^→y-^→s'_i)[^→r'_i]-[^→t'_i]If the data is restored, the generated data becomes a verification value c_iVector of (2)^→c_iSection [ 2 ]^→c_i](ii) a And

a verification value confirmation unit that uses the portion [ 2 ] for each integer i^→c_i]Validating said verification value c_iAll 0 cases.

5. A method of detecting tampering of a secret,

σ represents an arbitrary integer of 1 or more, N, D represents a predetermined natural number, i represents an integer of 0 or more and less than σ, j represents an integer of 0 or more and less than D,

the secret tampering detection method is executed by a secret tampering detection system comprising at least 3 secret tampering detection devices, and the vector is a vector with an element number N when recovered^→Section of x [ 2 ]^→x]And if the vector is restored, the vector becomes a vector of the element number N^→Section of y [ 2 ]^→y]As input, the output becomes the vector when it is restored^→x sum vector^→y vector of result of multiplication by each element^→z partial value [ 2 ]^→z]The method of secret tamper detection of (1),

the secret tamper detection method includes:

the secret tamper detection device generates a random number vector that becomes an element number N + D when restored for each integer i^→r_iσ pieces of (2)^→r_i]And a random number vector which becomes the element number N + D when recovered^→s_iσ pieces of (2)^→s_i]，

The secret tampering detection means converts the section [ 2 ] by secret calculation for each integer [ i ]^→r_i]And the section [ 2 ]^→s_i]Multiplying, generating, and upon restoration, converting the vector into a vector^→r_iSum vector^→s_iVector of result of multiplication by each element^→t_iσ pieces of (2)^→t_i]，

The secret tampering detection means calculates the section [ 2 ] by secret calculation^→x]And the section [ 2 ]^→y]Multiplying to produce the portion [ 2 ]^→z]，

The secret tampering detection device randomly selects different D integers p which are greater than or equal to 0 and less than D + N for each integer i_i,jIn the section [ 2 ]^→r_i]、[^→s_i]、[^→t_i]P of_i,jAn element identified with the moiety [ 2 ]^→r_i]、[^→s_i]、[^→t_i]As whether the multiplications match,

the secret tampering detection means generates, for each integer i, a value in the section [ 2 ]^→r_i],[^→s_i],[^→t_i]In random permutation of p_i,jA portion of an element other than unity [ 2 ]^→r'_i]、[^→s'_i]、[^→t'_i]，

The secret tampering detecting means calculates and discloses for each integer i^→x-^→r'_i]、[^→y-^→s'_i]，

The secret tamper detection device calculates for each integer i

[^→c_i]:＝[^→z]-(^→x-^→r'_i)[^→y]-(^→y-^→s'_i)[^→r'_i]-[^→t'_i]If the data is restored, the generated data becomes a verification value c_iVector of (2)^→c_iSection [ 2 ]^→c_i]，

The secret tampering detecting means uses the section [ 2 ] for each integer i^→c_i]Validating said verification value c_iAll 0.

6. A program that causes a computer to function as the secret tampering detection apparatus according to claim 4.

Technical Field

The present invention relates to a secret calculation technique, and more particularly, to a technique for detecting falsification in secret calculation while maintaining secrecy.

Background

As a technique for detecting falsification while keeping secrecy in secret calculation, there is a technique described in non-patent document 1, for example. The conventional technique described in non-patent document 1 describes a technique of generating preliminary data called triple multiplication (multiplication triple) and detecting falsification in secret calculation by using the triple multiplication.

Disclosure of Invention

Problems to be solved by the invention

In the prior art, it is necessary to generate triple multiplication in advance, and thus there is a case where the traffic increases.

An object of the present invention is to provide a secret tampering detection technique that can detect tampering in secret calculation with less communication traffic while maintaining secrecy.

Means for solving the problems

In order to solve the above-mentioned problems, the secret tampering detecting system of the present invention is such that σ represents an arbitrary integer of 1 or more, N, D represents a predetermined natural number, and i tableEach integer of 0 to σ inclusive, j represents each integer of 0 to D inclusive, and the secret tamper detection system includes at least 3 secret tamper detection devices, and when restored, the secret tamper detection device becomes a vector of the number of elements N^→Section of x [ 2 ]^→x]And if the vector is restored, the vector becomes a vector of the element number N^→Section of y [ 2 ]^→y]As input, the output becomes the vector when it is restored^→x sum vector^→y vector of result of multiplication by each element^→z partial value [ 2 ]^→z]The secret tamper detection device includes: for each integer i, a random number vector is generated which, when restored, becomes the element number N + D^→r_iσ pieces of (2)^→r_i]And a random number vector which becomes the element number N + D when recovered^→s_iσ pieces of (2)^→s_i]The random number generating unit of (1); for each integer i, the section [ 2 ] is calculated by secret calculation^→r_i]And section [ 2 ]^→s_i]Multiplying, generating, and upon restoration, converting the vector into a vector^→r_iSum vector^→s_iVector of result of multiplication by each element^→t_iσ pieces of (2)^→t_i]The random number multiplying unit of (1); the section [ 2 ] is calculated by secret calculation^→x]And section [ 2 ]^→y]Multiplying to produce a partial [ 2 ]^→z]The secret multiplication unit of (1); for each integer i, randomly selecting different D integers p which are more than or equal to 0 and less than D + N_i,jIn section [ 2 ]^→r_i],[^→s_i],[^→t_i]P of_i,jElement, confirmation and part [ 2 ]^→r_i]、[^→s_i]、[^→t_i]As a random number verification unit whether the multiplications match; for each integer i, the value in section [ 2 ] is generated^→r_i]、[^→s_i]、[^→t_i]In random permutation of p_i,jA portion of an element other than unity [ 2 ]^→r'_i]、[^→s'_i]、[^→t'_i]The random number replacing unit of (1); for each integer i, countCacao opening [ alpha ], [ alpha^→x-^→r'_i]、[^→y-^→s'_i]A subtraction value disclosure unit of (1); for each integer i, calculate [ 2 ]^→c_i]:＝[^→z]-(^→x-^→r'_i)[^→y]-(^→y-^→s'_i)[^→r'_i]-[^→t'_i]If the data is restored, the generated data becomes a verification value c_iVector of (2)^→c_iSection [ 2 ]^→c_i]A verification value calculating unit of (1); and for each integer i, a portion [ alpha ], [ alpha^→c_i]Validating the verification value c_iAnd a verification value confirming unit for the case where all are 0.

Effects of the invention

According to the invention, tampering in secret calculation can be detected with less communication traffic while maintaining secrecy.

Drawings

Fig. 1 is a diagram illustrating a functional configuration of a secret tamper detection system.

Fig. 2 is a diagram illustrating a functional configuration of the secret tampering detection apparatus.

Fig. 3 is a diagram illustrating a process flow of the secret tamper detection method.

Detailed Description

Hereinafter, embodiments of the present invention will be described in detail. In the drawings, the same reference numerals are given to constituent elements having the same functions, and redundant description is omitted.

The superscripted right arrow used in this specification "^→"means a vector. "^→"should originally be described directly above the character immediately after, but due to the limitations of the text notation, is described immediately before the character. In the numerical expression, these symbols are described in the original positions, that is, directly above the characters. For example,') "^→The text "x" has the same meaning as the following expression in the numerical expression.

[x]Indicating that a certain value x is spread by secrets. [ X ]]A set of data in which all elements of a certain set X are dispersed secretly. Hereinafter, the secretly dispersed value is also referred to as "share".^→x^→y denotes the vector for each element^→x sum vector^→y vector of multiplied results. F denotes an arbitrary domain.

An embodiment of the present invention is a secret tamper detection system and method for performing tamper detection-accompanied multiplication, which improve the tamper detection technique described in non-patent document 1. The secret tamper detection system and method of embodiments implement the tamper-aware multiplication protocol shown in the following equation.

Scheme 1 tamper-evident multiplication

The input is: [ 2 ]^→x],[^→y]∈[F]^N

Output of^→x^→y]∈[F]^NWherein no output is provided in case of tampering detection

Parameter σ ≧ 1, D ∈ N

1 generating a random number vector [ alpha ], [ alpha ]^→r_i],[^→s_i]∈[F]^N+D

2. calculate each 0 ≦ i<Alpha, alpha^→t_i]:＝[^→r_i ^→s_i]

3 [ calculation ]^→z]:＝[^→x^→y]Confirming completion of the computation-related communication

4 at 0 ≦ i each<In σ, randomly select position p_i,0,…,p_i,D-1

In the vector^→r_i],[^→s_i],[^→t_i]In (1), each 0 ≦ j<P-th of D_i,jElement, confirmation value as being the case of multiplicative match

In the case of mismatch, the falsification is detected and ended

By randomly permutating pi_iReplacing the unpublished remaining elements to obtain the vector [ alpha ], [^→r'_i],[^→s'_i],[^→t'_i]∈[F]^N

5 [ public ], [^→x-^→r'_i],[^→y-^→s'_i]

6 [ calculation ]^→c_i]:＝[^→z]-(^→x-^→r'_i)[^→y]-(^→y-^→s'_i)[^→r'_i]-[^→t'_i]

7 at each 0 ≦ i<σ, confirmation [ alpha ], [ alpha^→c_i]All elements of (2) are 0

If there is any other than 0, the falsification is detected and the process is ended

In the tamper-aware multiplication protocol described above, the following three secret calculation protocols are used. The first is the tamper-free detection multiplication protocol performed in steps 2, 3. A known tamper-free detection multiplication protocol is described in reference 1 and the like, for example. The second is the tamper-detecting random number generation protocol performed in step 1. A known tamper-detecting random number generation protocol is described in reference 2 and the like, for example. The third is the tamper-detection-with-disclosure protocol executed in steps 4, 5. A known tamper-detection-with-disclosure protocol is described in reference 3 and the like, for example.

[ reference 1 ] D.Ikarashi, R.Kikuchi, K.Hamada, and K.Chida. "Actively private and correct MPC scheme in t < n/2from passive security schemes with small overlap", IACR cryptography ePrint Archive,2014:304,2014.

[ reference 2 ] R.Cramer, I.Damgard, and Y.Ishai. "Share conversion, pseudorandom seed-sharing and applications to security calculation", TCC, Vol.3378of Picture Notes in Computer Science, pp.342-362.Springer,2005.

[ reference 3 ] Japanese patent laid-open No. 2016-146530

Referring to fig. 1, a configuration example of the secret tampering detection system according to the embodiment will be described. The secret tamper detection system comprises K (≧ 3) secret tamper detection devices 1₁,…,1_K. In this embodiment, the secret is tampered withDetection device 1₁,…,1_KAre each connected to a communication network 2. The communication Network 2 is a circuit-switched or packet-switched communication Network in which connected devices can communicate with each other, and may use, for example, the internet, a Local Area Network (LAN), a Wide Area Network (WAN), or the like. Moreover, each device does not necessarily need to be communicable online via the communication network 2. For example, the input may be input to the secret tamper detection device 1₁,…,1_KIs stored in a removable recording medium such as a magnetic tape or a USB memory, and is input from the removable recording medium to the secret tampering detection device 1 in an off-line manner₁,…,1_KThus, the structure is as follows.

Referring to fig. 2, secret tamper detection device 1 included in secret tamper detection system is described_k(K is 1, …, K). For example, as shown in FIG. 2, a secret tamper detection device 1_kThe method comprises the following steps: an input unit 10; a random number generation unit 11; a random number multiplication unit 12; a secret multiplication unit 13; a random number verification unit 14; a random number substitution unit 15; a subtraction value disclosure unit 16; a verification value calculation unit 17; a verification value confirmation unit 18; and an output unit 19. The secret tamper detection device 1_k(1 ≦ K ≦ K) tamper detection device 1 with other secrets by one side_k'(K ≠ 1, …, K, where K ≠ K') performs the processing of each step described later in coordination with each other, and realizes the secret tampering detection method according to the embodiment.

Secret tamper detection device 1_kFor example, the present invention is a special device configured by reading a special program into a known or dedicated computer having a Central Processing Unit (CPU) and a main storage device (RAM). Secret tamper detection device 1_kFor example, each process is executed under the control of a central processing unit. Is inputted to the secret tamper detecting device 1_kThe data in (2) or the data obtained in each process is stored in, for example, a main storage device, and the data stored in the main storage device is read out to a central processing unit as necessary and used in other processes. Secret tamper detection device 1_kOf each processing unitA small part may be formed of hardware such as an integrated circuit.

Referring to fig. 3, a process of the secret tamper detection method executed by the secret tamper detection system according to the embodiment is described.

In step S1, the part [ 2 ], [ product ] to be multiplied^→x]、[^→y]∈[F]^NIs inputted to each secret tamper detection device 1_kThe input unit 10 of (1). [^→x]If the vector is recovered, the vector becomes a vector of the number of elements N^→Part of x. [^→y]If the vector is recovered, the vector becomes a vector of the number of elements N^→And y is a moiety. The input unit 10 converts the section [ 2 ]^→x]、[^→y]Is input to the secret multiplying unit 13.

In step S2, each secret tampering detection device 1_kThe random number generation unit 11 of (1) satisfies 0 ≦ i<Each integer i of σ is generated as a random number vector of N + D elements upon recovery using a tamper-aware random number generation protocol^→r_iσ pieces of (2)^→r_i]And a random number vector which becomes the element number N + D when recovered^→s_iσ pieces of (2)^→s_i]. Here, σ is an integer of 1 or more which is predetermined. The larger σ is, the lower the tamper success probability is, but the calculation amount increases. Therefore, the value of σ may be set as appropriate in consideration of desired safety and convenience. The tamper-detecting random number generation protocol may be the protocol described in reference 2 above, for example. The random number generation unit 11 converts the section [ 2 ]^→r_i]、[^→s_i]Is input to the random number multiplying unit 12.

In step S3, each secret tampering detection device 1_kThe random number multiplying unit 12 receives the section [ 2 ] from the random number generating unit 11^→r_i]、[^→s_i]For satisfying 0 ≦ i<Each integer i of σ is divided into sections using a tamper-free detection multiplication protocol^→r_i]And section [ 2 ]^→s_i]Multiplication and generation of vectors for each element upon restoration^→r_iSum vector^→s_iVector of multiplication results^→t_iσ pieces of (2)^→t_i]:＝[^→r_i ^→s_i]. The tamper-free detection multiplication protocol can be applied to the protocol described in reference 1 above, for example. The random number multiplication unit 12 multiplies the part [ 2 ]^→r_i]、[^→s_i]、[^→t_i]Are input to the random number verification unit 14 in groups.

In step S4, each secret tampering detection device 1_kThe secret multiplication unit 13 of (2) receives the section [ 2 ] from the input unit 10^→x]、[^→y]Using a tamper-free detection multiplication protocol, the section [ 2 ]^→x]And section [ 2 ]^→y]Multiplication and calculation, when restored, to vector each element^→x sum vector^→Vector of the result of y multiplication^→z partial value [ 2 ]^→z]:＝[^→x^→y]. The secret multiplication unit 13 multiplies the section [ 2 ]^→x]、[^→y]Is inputted to the subtraction value disclosing unit 16, and the section [ 2 ]^→y]、[^→z]To the authentication value calculation unit 17.

In step S5, each secret tampering detection device 1_kThe random number verifying unit 14 of (2) receives the section [ 2 ] from the random number multiplying unit 12^→r_i]、[^→s_i]、[^→t_i]For a set satisfying 0 ≦ i<Randomly selecting D integers p which are different and are larger than or equal to 0 and smaller than D + N for each integer i of sigma_i,0,…,p_i,D-1. Here, D is a predetermined natural number. Next, the random number verification unit 14 uses the tamper detection disclosing protocol, disclosed in section [ 2 ]^→r_i]、[^→s_i]、[^→t_i]In and satisfies 0 ≦ j<P-th of each integer j of D_i,jElement, confirmation and part [ 2 ]^→r_i]、[^→s_i]、[^→t_i]Whether the respective corresponding sets of disclosed values match as a multiplication. The tamper-detection-with-disclosure protocol may be applied to the protocol described in reference 3. In the case where there are groups of values that do not match as a multiplication, fromThe output unit 19 outputs information indicating that tampering has been detected, and terminates the processing. In the case where the sets of values are all matched as a multiplication, the random number verification unit 14 verifies the section [ 2 ]^→r_i]、[^→s_i]、[^→t_i]And the integer p_i,jIs input to the random number permutation unit 15.

In step S6, the random number substitution unit 15 receives the part [ 2 ] from the random number verification unit 14^→r_i]、[^→s_i]、[^→t_i]And the integer p_i,jFor satisfying 0 ≦ i<Each integer i of sigma, by a predetermined random permutation of pi_iThe replacement section [ 2 ]^→r_i]、[^→s_i]、[^→t_i]Elements not disclosed in (i.e., p-th)_i,jElement other than (II), generating the moiety [ 2 ]^→r'_i]、[^→s'_i]、[^→t'_i]∈[F]^N. The random number substitution unit 15 substitutes a portion [ 2 ]^→r'_i]、[^→s'_i]Is inputted to the subtraction value disclosing unit 16, and the section [ 2 ]^→r'_i]、[^→t'_i]To the authentication value calculation unit 17.

In step S7, each secret tampering detection device 1_kThe subtraction value disclosing unit 16 receives the section [ 2 ] from the secret multiplying unit 13^→x]、[^→y]Receiving the section [ 2 ] from the random number substitution unit 15^→r'_i]、[^→s'_i]For satisfying 0 ≦ i<Each integer i of σ is calculated using the tamper detection overt protocol^→x-^→r'_i]And [ 2 ]^→y-^→s'_i]And discloses. The subtraction value disclosure unit 16 discloses the vector(s) ((s))^→x-^→r'_i)、(^→y-^→s'_i) To the authentication value calculation unit 17.

In step S8, each secret tampering detection device 1_kThe verification value calculation unit 17 receives the section [ 2 ] from the secret multiplication unit 13^→y]、[^→z]From random number toThe changing unit 15 receives the section [ 2 ]^→r'_i]、[^→t'_i]Receives the vector (from subtraction value disclosure unit 16)^→x-^→r'_i)、(^→y-^→s'_i) For satisfying 0 ≦ i<Each integer i of σ is calculated by equation (1), and a verification value c is generated when the integer i is restored_iVector of (2)^→c_iSection [ 2 ]^→c_i]. The verification value calculating unit 17 calculates the section [ 2 ]^→z]、[^→c_i]To the verification value confirmation unit 18.

In step S9, each secret tampering detection device 1_kThe verification value confirming unit 18 of (2) receives the section [ 2 ] from the verification value calculating unit 17^→z]、[^→c_i]For satisfying 0 ≦ i<Each integer i of σ, from section [ 2 ], using the tamper detection public protocol^→c_i]Public verification value c_iVector of (2)^→c_i. Then, the verification value confirmation unit 18 confirms the disclosed vector^→c_iIs 0. Here, vectors are disclosed^→c_iWhen the element other than 0 is included in the data, the output unit 19 outputs information indicating that falsification has been detected, and the process is terminated. In the disclosed vector^→c_iIn the case where the whole element of (2) is 0, the verification value confirmation unit 18 accepts the vector [ 2 ]^→z]To the output unit 19.

In step S10, each secret tampering detection device 1_kThe output unit 19 outputs the vector 2 generated from the verification value confirmation unit 18 to accept^→z]。

Generally, in a tamper-free detection multiplication protocol, an attacker can do the tampering. However, in the secret tamper detection system according to the embodiment, after the multiplication is performed in step S4, verification of the random number vector is performed in step S5, thereby preventing tampering. In order for the attacker to successfully tamper with the object, the attacker also performs tampering in step S3, and thus the attacker needs to perform the tamperingTampering so that the portion for authentication is made^→t_i]It is also reasonable. However, the greater the number of falsifications, the higher the probability that falsification is detected due to the disclosure of step S5. Conversely, the fewer the number of falsifications made, the lower the probability of illegitimately passing the verification. By verifying that σ times has such a property, the tamper success probability can be set to O (N)^-σ)。

The above embodiment can be more efficient by the following processing. In the above embodiment, the verification value c in step S9 is compared with_iConfirmation of whether all are 0 or not is from part [ 2 ]^→c_i]Public verification value c_iAnd then confirmed separately. Here, from the verification value c_iVector of (2)^→c_iSection [ 2 ]^→c_i]By calculating a checksum formed by a product sum with a random number and confirming that the checksum is 0, the verification value can be confirmed with a traffic amount that does not depend on the size of N. As such a checksum, for example, the checksum described in the following reference 4 can be used.

[ reference 4 ] International publication No. 2014/112550

The checksum described in reference 4 is calculated as follows. In the following description, q is an integer of 2 or more, ρ is a minimum integer of (N + D)/q or more, and R is a ring. The verification value confirmation means 18 returns the verification value c to the verification value c when the verification value is restored_iVector of (2)^→c_iSection [ 2 ]^→c_i]Dividing the vector into p value vectors A from the head of the vector by q pieces at a time₀,…,A_ρ-1. The last value vector A when the segmentation is performed_ρ-1If the number of elements (c) is not q, the element number is filled with an arbitrary value (for example, 0) so that the element number is q. The authentication value confirmation unit 18 selects the random number R ∈ R^qThe checksum c is calculated by equation (2).

In this case, the multiplication of the vectors is calculated using the function f defined by equations (3) and (4).

Here, α_i,j,k(i-0, …, q-1; j-0, …, q-1; k-0, …, q-1) is for separating R from two rings^qCorresponds uniformly to a ring R^qThe parameters of the elements of (1). Parameter alpha_i,j,kThere may be a plurality of types, but it is desirable to select the parameter α in consideration of the ease of calculation and the like_i,j,kQ contained in (1)³The value containing the most 0 is used as the parameter α_i,j,k. For example, if the parameter α is determined_i,j,kSuch that R is a domain, R^qAn expanded domain of the domain R, the falsification can be detected efficiently.

The results of comparing the traffic amount between the embodiment and the conventional art are shown. For example, when the field F is a finite field GF (2) having a bit number of 2 in the comparative embodiment and the technique described in non-patent document 1, the same falsification success probability O (N) is obtained^-2) The amount of communication with each part of non-patent document 1 may be about 10N bits, and in the embodiment, about 7N bits.

The invention is as follows. In non-patent document 1 as a conventional technique, first, a triple multiplication (tampering detection) is performed. On the other hand, in the present invention, tamper detection is performed for multiplication to be calculated using triple multiplication from the beginning. In non-patent document 1, the processing is performed in units of integer multiples of the number of multiplications to be calculated. On the other hand, in the present invention, the processing can be performed in parallel in the same unit as the number of multiplications to be calculated. Therefore, the tamper-accompanying detection multiplication can be performed more efficiently than in the past.

While the embodiments of the present invention have been described above, it is needless to say that the specific configurations are not limited to these embodiments, and the present invention is also encompassed by modifications and the like of appropriate design within the scope not departing from the gist of the present invention. The various processes described in the embodiments may be executed not only in time series in the order described, but also in parallel or individually depending on the processing capability of the apparatus that executes the processes or the need.

< program, recording Medium >

When various processing functions in each device described in the above embodiments are realized by a computer, the processing contents of the functions to be provided to each device are described by a program. Then, the computer executes the program, thereby realizing various processing functions in the above-described devices on the computer.

The program in which the processing contents are described may be recorded in a computer-readable recording medium. The computer-readable recording medium may be any medium such as a magnetic recording device, an optical disk, an magneto-optical recording medium, or a semiconductor memory.

The distribution of the program is performed by, for example, selling, transferring, renting, or the like removable recording media such as DVDs and CD-ROMs on which the program is recorded. Further, the program may be stored in a storage device of a server computer, and the program may be distributed by transferring the program from the server computer to another computer via a network.

The computer that executes such a program first temporarily stores, in its own storage device, a program recorded on a removable recording medium or a program transferred from a server computer, for example. When the computer executes the processing, the computer reads the program stored in its own storage device and executes the processing according to the read program. Further, as another execution mode of the program, the computer may directly read the program from the removable recording medium and execute the processing according to the program, or may successively execute the processing according to the received program each time the program is transferred from the server computer to the computer. Further, the above-described processing may be executed by a so-called ASP (Application Service Provider) type Service in which a processing function is realized only by the acquisition of the execution command and the result without transferring the program from the server computer to the computer. The program in the present embodiment includes information for processing by the electronic computer, that is, information based on the program (data or the like that defines the nature of processing by the computer, although not a direct instruction to the computer).

In this embodiment, the present apparatus is configured by executing a predetermined program on a computer, but at least a part of the processing contents may be realized by hardware.