(19)
(11)EP 3 239 963 B1

(12)EUROPEAN PATENT SPECIFICATION

(45)Mention of the grant of the patent:
22.07.2020 Bulletin 2020/30

(21)Application number: 15873044.0

(22)Date of filing:  22.12.2015
(51)International Patent Classification (IPC): 
G09C 1/00(2006.01)
H04L 9/08(2006.01)
(86)International application number:
PCT/JP2015/085774
(87)International publication number:
WO 2016/104476 (30.06.2016 Gazette  2016/26)

(54)

SECRET FALSIFICATION DETECTION SYSTEM, SECRET COMPUTATION APPARATUS, SECRET FALSIFICATION DETECTING METHOD, AND PROGRAM

SYSTEM ZUR ERKENNUNG GEHEIMER FÄLSCHUNG, VORRICHTUNG ZUR GEHEIMEN BERECHNUNG, VERFAHREN ZUR ERKENNUNG GEHEIMER FÄLSCHUNG UND PROGRAMM

SYSTÈME DE DÉTECTION DE FALSIFICATION DE SECRET, DISPOSITIF DE CALCUL DE SECRET, PROCÉDÉ DE DÉTECTION DE DE FALSIFICATION DE SECRET, ET PROGRAMME


(84)Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

(30)Priority: 26.12.2014 JP 2014264439

(43)Date of publication of application:
01.11.2017 Bulletin 2017/44

(73)Proprietor: Nippon Telegraph and Telephone Corporation
Tokyo 100-8116 (JP)

(72)Inventor:
  • IKARASHI, Dai
    Musashino-shi, Tokyo 180-8585 (JP)

(74)Representative: MERH-IP Matias Erny Reichl Hoffmann Patentanwälte PartG mbB 
Paul-Heyse-Strasse 29
80336 München
80336 München (DE)


(56)References cited: : 
WO-A1-2014/112548
JP-A- 2013 009 245
JP-A- 2014 137 474
WO-A1-2014/112548
JP-A- 2014 137 474
JP-A- 2014 138 349
  
  • Dai Ikarashi ET AL: "An Efficient SIMD Protocol against Malicious Adversaries for Secure Computation Schemes Based on (k, n) Secret Sharing Schemes with Small Party Sets", Computer security symposium 2013, 23 October 2013 (2013-10-23), XP055490586, Retrieved from the Internet: URL:https://www.google.fr/url?sa=t&rct=j&q =&esrc=s&source=web&cd=1&ved=0ahUKEwicu_W7 mojcAhVFyKYKHWx8ChAQFggqMAA&url=https%3A%2 F%2Fipsj.ixsq.nii.ac.jp%2Fej%2Findex.php%3 Faction%3Dpages_view_main%26active_action% 3Drepository_action_common_download%26item _id%3D98299%26item_no%3D1%26attribute_id%3 D1%26file_ [retrieved on 2018-07-05]
  • IKARASHI,DAI ET AL.: 'Actively Private and Correct MPC Scheme in t<n/2 from Passively Secure Schemes with Small Overhead' CRYPTOLOGY 30 April 2014, XP061015887 Retrieved from the Internet: <URL:https://eprint.iacr.org/2014/ 304/20140430:210051> [retrieved on 2016-03-17]
  • RYO KIKUCHI ET AL.: 'Himitsu Keisan ni Tekishita Himitsu Bunsan to Compact na Himitsu Bunsan tono Sogo Henkan Protocol' 2014 NEN SYMPOSIUM ON CRYPTOGRAPHY AND INFORMATION SECURITY GAIYOSHU 21 January 2014, pages 1 - 8, XP009504169
  • DAI IKARASHI: 'Hijo ni Kokoritsu na n?2k-1 malicious Model-jo Himitsu Bunsan Base Multi Party Keisan no Koseiho' 2013 NEN SYMPOSIUM ON CRYPTOGRAPHY AND INFORMATION SECURITY GAIYOSHU 22 January 2013, pages 1 - 8, XP009504170
  • DAI IKARASHI ET AL: "Hijo ni Kokoritsu na n?2k-1 malicious Model-jo Himitsu Bunsan Base Multi Party Keisan no Koseiho [An Extremely Efficient Secret-sliaring-based Multi-Party Computation against Malicious Adversary]", 2013 NEN SYMPOSIUM ON CRYPTOGRAPHY AND INFORMATION SECURITY GAIYOSHU; SCIS 2013; KYOTO, JAPAN; 22-25/01/2013, IEICE, JP, 22 January 2013 (2013-01-22), pages 1-8, XP009504170,
  
Note: Within nine months from the publication of the mention of the grant of the European patent, any person may give notice to the European Patent Office of opposition to the European patent granted. Notice of opposition shall be filed in a written reasoned statement. It shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention).


Description

TECHNICAL FIELD



[0001] The present invention relates to a secret computation technique, and more particularly, to a technique for detecting falsification during secret computation.

BACKGROUND ART



[0002] A method described in Non-Patent Literature 1 is a conventional technique for detecting falsification during secret computation. In the secret falsification detecting method described in Non-Patent Literature 1, a function F having m inputs and µ outputs and formed of addition, multiplication by a constant, multiplication, a sum of products, and random permutation on a ring R is calculated on a malicious model having concealability and validity. A malicious model means a model in which an attacker performs any unauthorized activity, whereas a semi-honest model means a model in which an attacker performs an authorized activity but steals a glance at data in the activity.

[0003] In Non-Patent Literature 1, falsification is detected during secret computation in three phases. In a randomizing phase, a shared value is converted to a randomized shared value for which validation is possible. In a computation phase, desired secret computation is performed by using operations for randomized shared values, formed of operations in the semi-honest model. In this phase, the computation is performed while the checksums are collected, which are required in the following validating phase. In the validating phase, validation is performed collectively for the checksums collected in the computation phase. When validity is found, the result of computation in the computation phase is output; if validity is not found, the result of computation is not output but only the fact that validity is not found is output.

PRIOR ART LITERATURE


NON-PATENT LITERATURE



[0004] 

Non-Patent Literature 1: Dai Ikarashi, Koji Chida, Koki Hamada, and Ryo Kikuchi, "An Extremely Efficient Secret-sharing-based Multi-Party Computation against Malicious Adversary", SCIS 2013, 2013

Non-Patent Literature 2 : Extremely efficient secret-sharing-based Multi-Party Computation against Malicious Adversary.

Non-Patent Literature 3: An efficient SIMD protocol agains Malicious adversary for secure computation schemes based on (k,n) Secret Sharing Schmes with small Party sets.



[0005] Patent literature JP2014137474;

[0006] WO2014/112548A1.

SUMMARY OF THE INVENTION



[0007] The invention is defined by the independent claims. Preferred embodiments are set out in the dependent claims.

PROBLEMS TO BE SOLVED BY THE INVENTION



[0008] The secret falsification detecting technique described in Non-Patent Literature 1 requires secret computation that uses one type of secret sharing, but it cannot be applied to secret computation that uses a plurality of types of secret sharing.

[0009] Taking the above-described point into account, an object of the present invention is to detect falsification during secret computation that uses a plurality of types of secret sharing.

MEANS TO SOLVE THE PROBLEMS



[0010] To solve the above-described problem, the present invention provides a secret computation method of detecting falsification during secret computation, with N secret computation apparatuses having, as inputs, shared values [a0], ..., [aM-1] obtained by secret sharing M values a0, ..., aM-1 and, as an output, a function value [F([a0], ..., [aM-1])] obtained with a function F for performing secret computation that uses J types of secret sharing, wherein N is an integer equal to or larger than 3, M is an integer equal to or larger than 1, µ is an integer equal to or larger than 1, J is an integer equal to or larger than 2, m is an integer equal to or larger than 0 and smaller than M, and j is an integer equal to or larger than 0 and smaller than J. The secret falsification detecting method includes a random number generating step in which random number generating sections of the secret computation apparatuses secret share J random numbers r0, ..., rJ-1 to obtain shared values [r0], ..., [rJ-1]; a randomizing step in which, assuming that the m-th shared value [am] is a shared value obtained by the j-th secret sharing, randomizing sections of the secret computation apparatuses multiply the shared value [am] by the shared value [rj] to calculate a shared value [amrj], and pair the shared value [am] and the shared value [amrj] to generate a randomized shared value <am> := <[am], [amrj]>; a secret computation step in which secret computation sections of the secret computation apparatuses obtain, when performing secret computation that uses the j-th secret sharing, the function value [F([a0], ..., [aM-1])] while including, in a checksum Cj, randomized shared values that are computation objects and randomized shared values that are computation results; a synchronizing step in which synchronizing sections of the secret computation apparatuses keep idling until all of secret computation that uses secret sharing are completed; and a validating step in which, assuming that, for j = 0, ..., J - 1, µj indicates the total number of randomized shared values included in the j-th checksum Cj, and <f0>, ..., <fµj-1> indicate the randomized shared values included in the j-th checksum Cj, validating sections of the secret computation apparatuses verify that the shared value [ϕj] obtained by multiplying the sum of shared values [f0], ..., [fµj-1] included in the checksum Cj := (<f0>, ..., <fµj-1>) by the shared value [rj] is equal to the shared value [ψj] obtained by adding shared values [f0rj], ..., [fµj-1rj] included in the checksum Cj := (<f0>, ..., <fµj-1>).

EFFECTS OF THE INVENTION



[0011] According to a secret falsification detecting technique of the present invention, falsification can be detected during secret computation that uses a plurality of types of secret sharing.

BRIEF DESCRIPTION OF THE DRAWINGS



[0012] 

Fig. 1 is a view showing an example of the functional configuration of a secret falsification detecting system;

Fig. 2 is a view showing an example of the functional configuration of a secret computation apparatus; and

Fig. 3 is a view showing an example of the processing flow of a secret falsification detecting method.


DETAILED DESCRIPTION OF THE EMBODIMENTS



[0013] Prior to a description of an embodiment, the notation method used in this specification and basic technical concepts of the present invention will be described.

Notation method



[0014] Values handled in the present invention are those on a ring R unless otherwise specified. An associative hypercomplex ring A is on the ring R. An associative hypercomplex ring is an associative ring and has a linear space structure on any field, which is compatible with the characteristics of the associative ring. In other words, an associative hypercomplex ring is established when values handled in a vector space fall in a ring not in a field.

[0015] The i-th element of a vector X is referred to as Xi.

[0016] Concealed text of a value x ∈ R is expressed by [x]. Concealed text is a value obtained by concealing a value with encryption, secret sharing, or other means. When X expresses a set, [X] is a set obtained by concealing each element of the set X.

[0017] The number of elements in the set X is expressed by |X|.

[0018] A randomized share value of a value x ∈ R is expressed by <x>. A randomized share value is a pair formed of a share value [x] of a value x ∈ R and a share value [xr] of the product xr of the value x and a random number r ∈ A. Therefore, the randomized share value can be defined by Formula (1).



[0019] In the randomized share value, the 0-th element ([x] in Formula (1)) is also called the R component, and the first element ([xr] in Formula (1)) is also called the A component.

[0020] A space having a random number r ∈ A as a parameter and formed of randomized share values is expressed by <Rr>.

Security



[0021] To prove the security of a protocol in the field of cryptographical theory, users, participants, and attackers are modeled. A malicious model or a semi-honest model is used as such a model. A malicious model means a model in which an attacker performs any unauthorized activity, whereas a semi-honest model means a model in which an attacker performs an authorized activity but steals a glance at data in the activity. Therefore, a protocol for which the security thereof is proved in a malicious model has a higher security than a protocol for which the security thereof is proved in a semi-honest model.

Features of the present invention



[0022] The conventional secret falsification detecting technique requires secret computation that uses one type of secret sharing, but it cannot detect falsification in secret computation that uses a plurality of types of secret sharing. When a plurality of types of secret sharing are used, it may seem that the conventional secret falsification detecting technique can be used to verify secret computation for each type of secret sharing, but this implementation causes a security problem. To maintain proper security in secret computation that uses a plurality of types of secret sharing, a secret falsification detecting technique according to the present invention is configured to satisfy the following conditions.
  1. 1. An identical random number is used when randomized shared values are generated in different types of secret sharing on an identical ring.
  2. 2. Secret computation has been completed in all types of secret sharing before validation is performed.


[0023] Concealability is improved when verification is performed collectively for as many types of secret sharing as possible compared with when verification is performed for each type of secret sharing independently, because the number of values made public becomes smaller. Therefore, the secret sharing formats for checksums are integrated into one format and verification is performed collectively for different types of secret sharing on an identical ring.

Embodiment



[0024] An aspect of the present invention will be described below in detail. In the drawings, components having identical functions will be denoted by the same reference numerals, and overlaps in the descriptions will be omitted.

[0025] Referring to Fig. 1, an example configuration of a secret falsification detecting system according to an embodiment will be described. The secret falsification detecting system includes N (≥ 3) secret computation apparatuses 11 to 1N. In the present embodiment, the secret computation apparatuses 11 to 1N are separately connected to a communication network 2. The communication network 2 is a circuit switching or packet switching communication network configured to allow mutual communication between the connected secret computation apparatuses 11 to 1N, and can be configured, for example, by the Internet, a local area network (LAN), or a wide area network (WAN). Online communication capability through the communication network 2 is not necessarily required between the secret computation apparatuses 11 to 1N. For example, information to be input to the secret computation apparatuses 11 to 1N may be stored in a portable recording medium, such as a magnetic tape or a USB memory, and may be input off-line from the portable recording medium to the secret computation apparatuses 11 to 1N.

[0026] Referring to Fig. 2, an example configuration of the secret computation apparatus 1n (n = 1 to N) included in the secret falsification detecting system will be described. The secret computation apparatus 1n includes, for example, a control section 101, a storage 102, an input section 11, a random number generating section 12, a randomizing section 13, a secret computation section 14, a synchronizing section 15, a validating section 16, and an output section 17.

[0027] The secret computation apparatus 1n is, for example, a special apparatus configured by reading a special program into a known or special computer having a central processing unit (CPU), a main memory (a random access memory: RAM), and other components. The secret computation apparatus 1n executes processing under the control of the control section 101, for example. Data input to the secret computation apparatus 1n or data obtained by processing is stored in the storage 102, for example, and the data stored in the storage 102 is read into the control section 101 and used for other processing when necessary. At least a part of the processing sections of the secret computation apparatus 1n may be configured by hardware such as an integrated circuit.

[0028] Referring to Fig. 3, the processing procedure of a secret falsification detecting method according to the embodiment will be described.

[0029] In step S11, M (≥ 1) shared values [a0], ..., [aM-1] are input to the input section 11 of the secret computation apparatus 1n. The input shared values [a0], ..., [aM-1] are output to the randomizing section 13. The shared value [am] (m = 0, ..., M - 1) is obtained by secret sharing a value am. The number M of the input shared values [a0], ..., [aM-1] is appropriately determined on the basis of the content of the secret computation performed in the secret computation section 14.

[0030] Any secret sharing method can be used if a desired operation can be performed in secret computation. In the present aspect the shared values [a0], ..., [aM-1] should be obtained by J (≥ 2) types of secret sharing. A plurality of types of secret sharing may be performed on an identical ring or on different rings. In addition, a plurality of types of secret sharing performed on an identical ring are mixed with secret sharing performed on a different ring. Even if the shared values [a0], ..., [aM-1] are obtained only by one type of secret sharing, and a plurality of types of secret sharing are used as a whole by performing conversion in secret computation, a falsification detecting technique according to the present invention can be applied. For details of secret sharing methods to which the technique can be applied, refer to Reference Literature 1 noted below or others.
Reference Literature 1: Koji Chida, Koki Hamada, Dai Ikarashi, and Katsumi Takahashi, "A Three-Party Secure Function Evaluation with Lightweight Verifiability Revisited", CSS2010, 2010

[0031] In step S12, the random number generating section 12 generates shared values [r0], ..., [rJ-1] of J random numbers r0, ..., rJ-1 selected from the associative hypercomplex ring A. The generated shared values [r0], ..., [rJ-1] are output to the randomizing section 13. The shared values [r0], ..., [rJ-1] need to be generated while the random numbers r0, ..., rJ-1 are concealed from all of the secret computation apparatuses 11 to 1N.

[0032] For example, the secret computation apparatuses 11 to 1N included in the secret falsification detecting system can cooperatively generate shared values [rj] of random numbers rj. Specifically, the secret computation apparatuses 1n first generate random numbers rn individually. Next, based on the concealment method described in Reference Literature 1, described above, the shared values [rn] of the random numbers rn are generated. Then, the secret computation apparatuses 1n calculate [rj] = Σn<N[rn] to obtain the shared values [rj] of the random numbers rj individually. With this configuration, the shared values [rj] of random numbers rj can be obtained while none of the secret computation apparatuses 11 to 1N know the random numbers rj. If random numbers are allowed to be shared beforehand or pseudo-random numbers are allowed to be used, replicated secret sharing can be used to generate the shared values [rj] of random numbers rj. When replicated secret sharing is used, the shared values [rj] of random numbers rj can be generated without any communication between the secret computation apparatuses 11 to 1N. For details of replicated secret sharing, refer to Reference Literature 2 below.
Reference Literature 2: R. Cramer, I. Damgard, and Y Ishai, "Share conversion, pseudorandom secret-sharing and applications to secure computation", TCC., Vol. 3378 of Lecture Notes in Computer Science, pp. 342-362, Springer, 2005.

[0033] When different types of secret sharing performed on an identical ring exist among J types of secret sharing, the shared value for one type of secret sharing is converted to a shared value for the other type of secret sharing to make the random numbers equal. Even in this conversion, falsification should be able to be detected or falsification should be impossible. For example, when j-th (j = 0, ..., J -1) secret sharing and j'-th (j' = 0, ..., J -1, j ≠ j') secret sharing are on an identical ring, a shared value [rj] is generated by secret sharing a random number rj used for the j-th secret sharing, and the shared value [rj] is converted to a shared value [rj'] obtained by the j'-th secret sharing, with a method in which falsification can be detected or a method in which falsification is impossible. For example, a method in which falsification is impossible, used for converting replicated secret sharing to linear secret sharing is described in Reference Literature 2, described above.

[0034] In step S13, the randomizing section 13 uses the shared values [a0], ..., [aM-1] and the shared values [r0], ... [rJ-1] to generate randomized shared values <a0>, ..., <aM-1>. Specifically, assuming that the m-th shared value [am] is the shared value obtained by the j-th secret sharing for m = 0, ..., M - 1, the randomizing section 13 uses the shared value [am] and the shared value [rj] to obtain [amrj] = [am] × [rj] with the secret computation method described in Reference Literature 1, described above, and makes the shared value [am] and the shared value [amrj] as a pair to generate the randomized shared value <am> = ([am], [amrj]). The generated randomized shared values <a0>, ..., <aM-1> are output to the secret computation section 14.

[0035] In step S14, the secret computation section 14 applies a function F for performing secret computation that uses J types of secret sharing to the randomized shared values <a0>, ..., <aM-1> to obtain the concealed function value [F([a0], ..., [aM-1])]. The function F is calculated while the randomized shared values that are computation objects and the randomized shared values that are computation results are included in J checksums corresponding to the types of secret sharing used. For example, in the operation that uses the j-th (j = 0, ..., J - 1) secret sharing, the randomized shared values that are computation objects and the randomized shared values that are computation results are added to the j-th checksum Cj := <f0>, ..., <fpj-1>, where <f0>,..., <fµj-1> are the randomized shared values that are computation objects or computation results, the subscript µj-1 means µj-1, and µj indicates the number of randomized shared values included in the checksum Cj. The initial value of µj is 0. Every time randomized shared values are newly included in the checksum Cj, the value is increased by the number of the randomized shared values newly added. The randomized shared values to be included in the checksum and the timing when the randomized shared values are included in the checksum differ according to the type of operations (for example, addition, multiplication by a constant, multiplication, the sum of products, and random permutation) in secret computation. Details thereof are the same as in the secret falsification detecting method described in Non-Patent Literature 1.

[0036] In step S15, the synchronizing section 15 executes synchronization processing (SYNC) for keeping idling until all of secret computation complete for all types of secret sharing, before validation is performed. When detecting the completion of all of the secret computation for all the types of secret sharing, the synchronizing section 15 outputs the function value [F([ao], ..., [aM-1])] requested by the secret computation section 14 and J checksums C0, ..., CJ-1 to the validating section 16.

[0037] In step S16, the validating section 16 verifies the checksums C0, ..., CJ-1 by using the shared values [r0], ... [rJ-1] to validate the function value [F([a0], ..., [aM-1])]. When it is determined that no falsification is found after verifying all of the J checksums C0, ..., CJ-1, the validating section 16 outputs the function value [F([a0], ..., [aM-1])] to the output section 17. When it is determined that falsification is found, the validating section 16 outputs information indicating that determination to the output section 17.

[0038] When it is determined that no falsification is found in step S16, if subsequent processing remains to calculate the desired function, the procedure may return to step S14 again to repeatedly execute processing from secret computation to validation. In that case, each time validation is completed, the randomized shared values included in the checksums C0, ..., CJ-1 may be discarded. This repetition of secret computation and validation is necessary when values guaranteed to be not falsified are disclosed and subsequent processing is executed by using those values. This is because disclosing falsified values may impair concealability.

[0039] In step S17, the output section 17 outputs the function value [F([a0], ..., [aM-1])] or the information indicating that falsification is found, received from the validating section 16.

[0040] The j-th checksum Cj is verified on the basis of the shared value [ϕj] obtained by multiplying the sum of the R components [f0], ..., [fµj-1] of the randomized shared values included in the checksum Cj, by the shared value [rj], and the shared value [ψj] obtained by adding the A components [f0rj], ..., [fµj-1rj] of the randomized shared values included in the checksum Cj. Specifically, the validating section 16 verifies the checksum Cj in the following manner, for example. First, shared values [ρ0], ..., [ρµj-1] of µj random numbers ρ0, ..., ρµj-1 on an associative hypercomplex ring A are generated. The shared values [ρ0], ..., [ρµ-1] should be generated with the random numbers ρ0, ..., ρµj-1 being concealed from all of the secret computation apparatuses 1n. The shared values[ρ0], ..., [ρµj-1] need to be generated in the same manner as in the random number generating section 12. Next, the shared value [ϕj] is obtained by Formula (2), described below, by using the R components [f0], ..., [fµj-1] of the randomized shared values included in the checksum Cj, the shared values [ρ0], ..., [ρµj-1] of the random numbers ρ0, ..., ρµj-1, and the shared value [rj] of the random numbers rj.



[0041] The shared value [ψj] is also obtained by Formula (3), described below, by using the A components [f0rj], ..., [fµj-1rj] of the randomized shared values included in the checksum Cj, and the shared values [ρ0], ..., [ρ0µj-1] of the random numbers ρ0, ..., ρµj-1.



[0042] Then, the shared value [δj] = [ϕj] - [ψj] is recovered by subtracting the shared value [ψj] from the shared value [ϕj]. The recovery method needs to be the recovery operation of the secret sharing corresponding to each shared value, and validation is performed in a malicious model. Specifically, each secret computation apparatus 1n (n = 0, ..., N - 1) sends the shared value [δj] to another secret computation apparatus In' (n' = 0, ..., N - 1, n ≠ n') to check the consistency of the shared values in order to perform complete validation. In that case, the total amount of communication is N*(N - 1), where the total number of secret computation apparatuses 1n is N. When the amount of data of the shared values is large, if a method based on probability is used, the total amount of communication can be reduced to N*(K - 1), where K indicates the number of secret computation apparatuses 1n required for recovery. Secret computation includes a semi-honest operation that includes recovery for which validity is not guaranteed. Even if recovery for which validity is not guaranteed is included as a component of secret computation, it does not affect the security of the whole secret computation.

[0043] When the recovered values δ0, ..., δJ-1 are zero in all of the secret computation apparatuses 11, ..., 1N, it is determined that no falsification occurred in the whole secret computation. If a recovered value δj is not zero in any of the secret computation apparatuses 1j, it is determined that falsification occurred in the secret computation.

[0044] When different types of secret sharing exist on an identical ring among J types of secret sharing, if validation is performed collectively for as many types of secret sharing as possible, concealability is improved because the number of values made public becomes smaller. For example, when j-th (j = 0, ..., J - 1) secret sharing and j'-th (j' = 0, ..., J - 1, j # j') secret sharing are on an identical ring, validation is performed in the following manner. First, the shared value [ϕj] obtained from the checksum Cj as described above and the shared value [ψj] obtained from the checksum Cj as described above are converted to those obtained by j'-th secret sharing. Then, it is verified that the shared value [ϕj + ϕj'] obtained by adding the converted shared value [ϕj] to the shared value [ϕj'] calculated from the checksum Cj' is equal to the shared value [ψj + ψj'] obtained by adding the converted shared value [ψj] to the shared value [ψj'] calculated from the j'-th checksum Cj'. In other words, [δ] = ([ϕj + ϕj']) - ([ψj + ψj') is calculated for all combinations of all types of secret sharing on each identical ring, and when the recovery value δ is zero, it is determined that no falsification occurred in secret computation that uses j-th secret sharing and j'-th secret sharing, as a whole. When [δ] = ([ϕj + ϕj']) - ([ψj + ψj']) is calculated and the recovery value δ is not zero, it is determined that falsification occurred in one of the operations of secret computation that uses j-th secret sharing and j'-th secret sharing. In this manner, verification is performed for all combinations of all types of secret sharing on each identical ring to verify that no falsification occurred in the whole secret computation. In the present aspect, one example has been described in which two types of secret sharing exist on an identical ring. Validation can be performed with the same method even if three or more types of secret sharing exist on an identical ring.

[0045] The basic concept of validation will be described below. Checksum verification means verifying [fi] [rj] - [firj] = 0 when each randomized shared value <fi> is focused on. Assuming that the shared value [fi] and the shared value [firj] are both falsified to be [fi + x] and [firj + y], Formula (4) is obtained during verification.



[0046] An attacker needs to manipulate [fi] and [firj] to make the value of (xrj - y) zero. Since the attacker does not know the random number rj ∈ A, the probability of satisfying the above-described condition is 1/|A|, In the present aspect, since the random numbers ρ0, ..., ρµj-1 are multiplied, the probability of successful falsification is 2/|A| at most.

[0047] As described above, the secret falsification detecting system according to the present aspect can detect falsification even in secret computation that uses a plurality of types of secret sharing.

[0048] The present invention is not limited to the above described aspect, and it is needless to say that appropriate changes can be made to the above aspect without departing from the scope of the present invention. Each type of processing described in the aspect may be executed not only time sequentially according to the order of description but also in parallel or individually when necessary or according to the processing capabilities of the apparatuses that execute the processing.

Program and recording medium



[0049] When various types of processing functions in each apparatus, described in the aspect are implemented by a computer, the processing details of the functions that should be provided by each apparatus are described in a program. When the program is executed by a computer, the processing functions in each apparatus are implemented on the computer.

[0050] The program containing the processing details can be recorded in a computer-readable recording medium. The computer-readable recording medium can be any type of medium, such as a magnetic recording device, an optical disc, a magneto-optical recording medium, or a semiconductor memory.

[0051] This program is distributed by selling, transferring, or lending a portable recording medium, such as a DVD, a CD-ROM, or a USB memory, with the program recorded on it, for example. The program may also be distributed by storing the program in a storage of a server computer and transferring the program from the server computer to another computer through the network.

[0052] A computer that executes this type of program first stores the program recorded on the portable recording medium or the program transferred from the server computer in its storage. Then, the computer reads the program stored in its storage and executes processing in accordance with the read program. In a different program execution form, the computer may read the program directly from the portable recording medium and execute processing in accordance with the program, or the computer may execute processing in accordance with the program each time the computer receives the program transferred from the server computer. Alternatively, the above-described processing may be executed by a so-called application service provider (ASP) service, in which the processing functions are implemented just by giving program execution instructions and obtaining the results without transferring the program from the server computer to the computer. The program of this form includes information that is provided for use in processing by the computer and is treated correspondingly as a program (something that is not a direct instruction to the computer but is data or the like that has characteristics that determine the processing executed by the computer).

[0053] In the description given above, the apparatuses are implemented by executing the predetermined programs on the computer, but at least a part of the processing details may be implemented by hardware.


Claims

1. A secret falsification detecting method of detecting falsification during secret computation, with N secret computation apparatuses (1) having, as inputs, shared values [a0], ..., [aM-1] obtained by secret sharing M values ao, ..., aM-1 and, as an output, a function value [F([a0], ..., [aM-1])] obtained with a function F for performing secret computation that uses J types of secret sharing,
wherein N is an integer equal to or larger than 3, M is an integer equal to or larger than 1, µ is an integer equal to or larger than 1, J is an integer equal to or larger than 2, m is an integer equal to or larger than 0 and smaller than M, and j is an integer equal to or larger than 0 and smaller than J;
the secret falsification detecting method comprising:

a random number generating step in which random number generating sections (12) of the secret computation apparatuses (1) secret share Jrandom numbers r0, ..., rJ-1 to obtain shared values [r0], ..., [rJ-1];

a randomizing step in which, assuming that the m-th shared value [am] is a shared value obtained by the j-th secret sharing, randomizing sections (13) of the secret computation apparatuses (1) multiply the shared value [am] by the shared value [rj] to calculate a shared value [amrj], and pair the shared value [am] and the shared value [amrj] to generate a randomized shared value <am> := <[am], [amrj]>;

a secret computation step in which secret computation sections (14) of the secret computation apparatuses (1) obtain, when performing secret computation that uses the j-th secret sharing, the function value [F([a0], ..., [aM- 1])] while including, in a checksum Cj, randomized shared values that are computation objects and randomized shared values that are computation results;

a synchronizing step in which synchronizing sections (15) of the secret computation apparatuses (1) keep idling until all of secret computation that uses secret sharing are completed, and output the function value [F([a0], ..., [aM-1])] and J checksums C0, ..., CJ-1 when detecting the completion of all of the secret computation for all the types of secret sharing; and

a validating step in which, assuming that, for j = 0, ..., J - 1, µj indicates the total number of randomized shared values included in the j-th checksum Cj, and <f0>, ..., <fµj-1> indicate the randomized shared values included in the j-th checksum Cj, validating sections (16) of the secret computation apparatuses (1) verify that the shared value [ϕj] obtained by multiplying the sum of shared values [f0], ..., [fµj-1] included in the checksum Cj := (<f0>, ..., <fµj-1>) by the shared value [rj] is equal to the shared value [ψj] obtained by summing shared values [f0rj], ..., [fµj-1rj] included in the checksum Cj := (<f0>, ..., <fµj-1>) together,

wherein j' is an integer equal to or larger than 0 and smaller than J, j ≠ j', the j-th secret sharing and the j'-th secret sharing are on an identical ring, and the j-th secret sharing can be converted to the j'-th secret sharing with a method in which falsification can be detected or a method in which falsification is impossible;

in the random number generating step, the shared value [rj] is generated by secret sharing the random number rj by the j-th secret sharing, and the shared value [rj] is converted to a shared value [rj'] obtained by the j'-th secret sharing; and

in the validating step, the shared value [ϕj] calculated from the j-th checksum Cj and the shared value [ψj] calculated from the checksum Cj are converted to shared values obtained by the j'-th secret sharing, and it is verified that the shared value [ϕj + ϕj'] obtained by adding the shared value [ϕj] to the shared value [ϕj] calculated from the j'-th checksum Cj' is equal to the shared value [ψj + ψj'] obtained by adding the shared value [ψj] to the shared value [ψj] calculated from the j'-th checksum Cj'.


 
2. The secret falsification detecting method according to Claim 1, wherein the secret computation step, the synchronizing step, and the validating step are repeatedly executed a plurality of times.
 
3. A secret computation apparatus (1) for detecting falsification during secret computation, the secret computation apparatus (1) having, as inputs, shared values [a0], ..., [aM-1] obtained by secret sharing M values ao, ..., aM-1 and, as an output, a function value [F([a0], ..., [aM-1])] obtained with a function F for performing secret computation that uses J types of secret sharing,
wherein M is an integer equal to or larger than 1, µ, is an integer equal to or larger than 1, J is an integer equal to or larger than 2, m is an integer equal to or larger than 0 and smaller than M, and j is an integer equal to or larger than 0 and smaller than J;
the secret computation apparatus (1) comprising:

a random number generating section (12) adapted to secret share J random numbers r0, ..., rJ-1 to obtain shared values [r0], ..., [rJ-1];

a randomizing section (13), assuming that the m-th shared value [am] is a shared value obtained by the j-th secret sharing, adapted to multiply the shared value [am] by the shared value [rj] to calculate a shared value [amrj], and to pair the shared value [am] and the shared value [amrj] to generate a randomized shared value <am> := <[am], [amrj]>;

a secret computation section (14) adapted to obtain, when performing secret computation that uses the j-th secret sharing, the function value [F([a0], ..., [aM-1])] while including, in a checksum Cj, randomized shared values that are computation objects and randomized shared values that are computation results;

a synchronizing section (15) adapted to keep idling until all of secret computation that uses secret sharing are completed, and output the function value [F([a0], ..., [aM-1])] and J checksums C0, ..., CJ-1 when detecting the completion of all of the secret computation for all the types of secret sharing; and

a validating section (16), assuming that, for j = 0, ..., J- 1, µj indicates the total number of randomized shared values included in the j-th checksum Cj, and <f0>, ..., <fµj-1> indicate the randomized shared values included in the j-th checksum Cj, adapted to verify that the shared value [ϕj] obtained by multiplying the sum of shared values [f0], ..., [fµj-1] included in the checksum Cj := (<f0>, ..., <fµj-1>) by the shared value [rj] is equal to the shared value [ψj] obtained by summing shared values [f0rj], ..., [fµj-1rj] included in the checksum Cj := (<f0>, ..., <fµj-1>) together,

wherein j' is an integer equal to or larger than 0 and smaller than J, j ≠ j', the j-th secret sharing and the j'-th secret sharing are on an identical ring, and the j-th secret sharing can be converted to the j'-th secret sharing with a method in which falsification can be detected or a method in which falsification is impossible;

the random number generating section (12) generates the shared value [rj] by secret sharing the random number rj by the j-th secret sharing, and converts the shared value [rj] to a shared value [rj'] obtained by the j'-th secret sharing; and

the validating section (16) converts the shared value [ϕj] calculated from the j-th checksum Cj and the shared value [ψj] calculated from the checksum Cj to shared values obtained by the j'-th secret sharing, and verifies that the shared value [ϕj + ϕj'] obtained by adding the shared value [ϕj] to the shared value [ϕj'] calculated from the j'-th checksum Cj' is equal to the shared value [ψj + ψj'] obtained by adding the shared value [ψj] to the shared value [ψj'] calculated from the j'-th checksum Cj'.


 
4. A secret falsification detecting system for detecting falsification during secret computation, with N secret computation apparatuses (1) according to claim 3,
wherein N is an integer equal to or larger than 3.
 
5. A program which run by multiple distributed processor execute the secret falsification detecting method according to Claim 1 or 2.
 


Ansprüche

1. Verfahren zur Erkennung geheimer Fälschung des Erkennens einer Fälschung während einer geheimen Berechnung, wobei N geheime Berechnungsvorrichtungen (1) als Eingaben geteilte Werte [a0], ..., [aM-1], welche durch geheimes Teilen von M Werten a0, ... , aM-1 erhalten werden, und als eine Ausgabe einen Funktionswert [F( [a0], ..., [aM-1])] aufweisen, welcher mit einer Funktion F zum Durchführen einer geheimen Berechnung erhalten wurde, welche J Typen des geheimen Teilens verwendet,
wobei N eine ganze Zahl größer oder gleich 3 ist, M eine ganze Zahl größer oder gleich 1 ist, µ eine ganze Zahl größer oder gleich 1 ist, J eine ganze Zahl größer oder gleich 2 ist, m eine ganze Zahl größer oder gleich 0 und kleiner als M ist und j eine ganze Zahl größer oder gleich 0 und kleiner als J ist;
das Verfahren zur Erkennung geheimer Fälschung Folgendes umfassend:

einen Zufallszahl-Erzeugungsschritt, bei welchem Zufallszahl-Erzeugungsabschnitte (12) der geheimen Berechnungsvorrichtungen (1) J Zufallszahlen r0, ..., rJ-1 geheim teilen, um geteilte Werte [r0], ..., [rJ-1] zu erhalten;

einen Zufallsverteilungsschritt, bei welchem unter der Annahme, dass der m-te geteilte Wert [am] ein geteilter Wert ist, der durch das j-te geheime Teilen erhalten wird, Zufallsverteilungsabschnitte (13) der geheimen Berechnungsvorrichtungen (1) den geteilten Wert [am] mit dem geteilten Wert [rj] multiplizieren, um einen geteilten Wert [amrj] zu berechnen, und den geteilten Wert [am] und den geteilten Wert [amrj] paaren, um einen zufällig verteilten geteilten Wert <am> := <[am], [amrj]> zu erzeugen;

einen geheimen Berechnungsschritt, bei welchem geheime Berechnungsabschnitte (14) der geheimen Berechnungsvorrichtungen (1) beim Durchführen einer geheimen Berechnung, welche das j-te geheime Teilen verwendet, den Funktionswert [F([a0], [aM-1)] erhalten, während in einer Prüfsumme Cj zufällig verteilte geteilte Werte, welche Berechnungsobjekte sind, und zufällig verteilte geteilte Werte enthalten sind, welche Berechnungsergebnisse sind;

einen Synchronisierungsschritt, bei welchem Synchronisierungsabschnitte (15) der geheimen Berechnungsvorrichtungen (1) im Ruhezustand bleiben, bis alle geheimen Berechnungen, welche geheimes Teilen verwenden, abgeschlossen sind, und den Funktionswert [F([a0], ..., [ aM-1])] und J Prüfsummen C0, ..., CJ-1 ausgeben, wenn der Abschluss aller geheimen Berechnungen für alle Typen des geheimen Teilens erkannt wird; und

einen Validierungsschritt, bei welchem unter der Annahme, dass für j = 0, ..., J-1 µj die Gesamtzahl zufällig verteilter geteilter Werte angibt, welche in der j-ten Prüfsumme Cj enthalten sind, und <f0>, ..., <fµj-1> die zufällig verteilten geteilten Werte angibt, welche in der j-ten Prüfsumme Cj enthalten sind, Validierungsabschnitte (16) der geheimen Berechnungsvorrichtungen (1) verifizieren, dass der geteilte Wert [ϕj], welcher durch Multiplizieren der Summe geteilter Werte [f0], ..., [fµj-1] erhalten wird, in der Prüfsumme Cj := (<f0>, ... , <fµj-1>) mit dem geteilten Wert [rj] gleich dem geteilten Wert [ψj] ist, welcher durch Summieren geteilter Werte [f0rj], ..., [fµj-1rj] erhalten wird, welche in der Prüfsumme Cj := (<f0>, ... , <fµj-1>) zusammen enthalten sind, wobei j' eine ganze Zahl größer oder gleich 0 und kleiner als J ist, j # j', das j-te geheime Teilen und das j'-te geheime Teilen auf einem identischen Ring sind und das j-te geheime Teilen in das j'-te geheime Teilen mit einem Verfahren, bei welchem eine Fälschung erkannt werden kann, oder mit einem Verfahren umgewandelt werden kann, bei welchem eine Fälschung unmöglich ist;

bei dem Zufallszahl-Erzeugungsschritt der geteilte Wert [rj] durch geheimes Teilen der Zufallszahl rj durch das j-te geheime Teilen erzeugt wird und der geteilte Wert [rj] in einen geteilten Wert [rj'] umgewandelt wird, welcher durch das j'-te geheime Teilen erhalten wird; und

bei dem Validierungsschritt der geteilte Wert [ϕj], welcher aus der j-ten Prüfsumme Cj berechnet wird, und der geteilte Wert [ψj], welcher aus der Prüfsumme Cj berechnet wird, in geteilte Werte umgewandelt werden, welche durch das j'-te geheime Teilen erhalten werden, und verifiziert ist, dass der geteilte Wert [ϕj + ϕj'], welcher durch Addieren des geteilten Werts [ϕi] zu dem geteilten Wert [ϕj'] erhalten wird, welcher aus der j'-ten Prüfsumme Cj' berechnet wird, gleich dem geteilten Wert [ψj + ψj'] ist, welcher durch Addieren des geteilten Werts [ψj] zu dem geteilten Wert [ψj'] erhalten wird, welcher aus der j'-ten Prüfsumme Cj' berechnet wird.


 
2. Verfahren zur Erkennung geheimer Fälschung nach Anspruch 1, wobei der geheime Berechnungsschritt, der Synchronisierungsschritt und der Validierungsschritt mehrmals wiederholt ausgeführt werden.
 
3. Geheime Berechnungsvorrichtung (1) zum Erkennen einer Fälschung während einer geheimen Berechnung, wobei die geheime Berechnungsvorrichtung (1) als Eingaben geteilte Werte [a0], ..., [aM-1] , welche durch geheimes Teilen von M Werten a0, ..., aM-1 erhalten werden, und als eine Ausgabe einen Funktionswert [F([a0], ..., [aM- 1])] aufweist, welche mit einer Funktion F zum Durchführen einer geheimen Berechnung erhalten wird, welche J Typen des geheimen Teilens verwendet,
wobei M eine ganze Zahl größer oder gleich 1 ist, µ eine ganze Zahl größer oder gleich 1 ist, J eine ganze Zahl größer oder gleich 2 ist, m eine ganze Zahl größer oder gleich 0 und kleiner als M ist und j eine ganze Zahl größer oder gleich 0 und kleiner als J ist; die geheime Berechnungsvorrichtung (1) Folgendes umfassend:

einen Zufallszahl-Erzeugungsabschnitt (12), welcher eingerichtet ist, um J Zufallszahlen r0, ..., rJ-1 geheim zu teilen, um geteilte Werte [r0], ..., [rJ-1] zu erhalten;

einen Zufallsverteilungsabschnitt (13), welcher unter der Annahme, dass der m-te geteilte Wert [am] ein geteilter Wert ist, der durch das j-te geheime Teilen erhalten wird, eingerichtet ist, um den geteilten Wert [am] mit dem geteilten Wert [rj] zu multiplizieren, um einen geteilten Wert [amrj] zu berechnen, und den geteilten Wert [am] und den geteilten Wert [amrj] zu paaren, um einen zufällig verteilten geteilten Wert <am> := <[am], [amrj]> zu erzeugen;

einen geheimen Berechnungsabschnitt (14), welcher eingerichtet ist, um beim Durchführen einer geheimen Berechnung, welche das j-te geheime Teilen verwendet, den Funktionswert [F([a0], [aM-1])] zu erhalten, während in einer Prüfsumme Cj zufällig verteilte geteilte Werte, welche Berechnungsobjekte sind, und zufällig verteilte geteilte Werte enthalten sind, welche Berechnungsergebnisse sind;

einen Synchronisierungsabschnitt (15), welcher eingerichtet ist, um im Ruhezustand bleiben, bis alle geheimen Berechnungen, welche geheimes Teilen verwenden, abgeschlossen sind, und den Funktionswert [F([a0], ..., [aM-1)] und J Prüfsummen C0, ..., CJ-1 auszugeben, wenn der Abschluss aller geheimen Berechnungen für alle Typen des geheimen Teilens erkannt wird; und

einen Validierungsabschnitt (16), welcher unter der Annahme, dass für j = 0, ..., J-1 µj die Gesamtzahl zufällig verteilter geteilter Werte angibt, welche in der j-ten Prüfsumme Cj enthalten sind, und <f0>, ..., <fµj-1> die zufällig verteilten geteilten Werte angibt, welche in der j-ten Prüfsumme Cj enthalten sind, eingerichtet ist, um zu verifizieren, dass der geteilte Wert [ϕj], welcher durch Multiplizieren der Summe geteilter Werte [f0], ..., [fµj-1] erhalten wird, in der Prüfsumme Cj := (<f0>, ..., <fµj-1>) mit dem geteilten Wert [rj] gleich dem geteilten Wert [ψj] ist, welcher durch Summieren geteilter Werte [f0rj], ..., [fµj-1rj] erhalten wird, welche in der Prüfsumme Cj := (<f0>, ..., <fµj-1>) zusammen enthalten sind, wobei j' eine ganze Zahl größer oder gleich 0 und kleiner als J ist, j # j', das j-te geheime Teilen und das j'-te geheime Teilen auf einem identischen Ring sind und das j-te geheime Teilen in das j'-te geheime Teilen mit einem Verfahren, bei welchem eine Fälschung erkannt werden kann, oder mit einem Verfahren umgewandelt werden kann, bei welchem eine Fälschung unmöglich ist;

der Zufallszahl-Erzeugungsabschnitt (12) den geteilten Wert [rj] durch geheimes Teilen der Zufallszahl rj durch das j-te geheime Teilen erzeugt und den geteilten Wert [rj] in einen geteilten Wert [rj'] umwandelt, welcher durch das j'-te geheime Teilen erhalten wird; und

der Validierungsabschnitt (16) den geteilten Wert [ϕj] , welcher aus der j-ten Prüfsumme Cj berechnet wird, und den geteilten Wert [ψj], welcher aus der Prüfsumme Cj berechnet wird, in geteilte Werte umwandelt, welche durch das j'-te geheime Teilen erhalten werden, und verifiziert, dass der geteilte Wert [ϕj + ϕj'], welcher durch Addieren des geteilten Werts [ϕi] zu dem geteilten Wert [ϕj'] erhalten wird, welcher aus der j'-ten Prüfsumme Cj' berechnet wird, gleich dem geteilten Wert [ψj + ψj'] ist, welcher durch Addieren des geteilten Werts [ψj] zu dem geteilten Wert [ψj'] erhalten wird, welcher aus der j'-ten Prüfsumme Cj' berechnet wird.


 
4. System zum Erkennen geheimer Fälschung zum Erkennen einer Fälschung während einer geheimen Berechnung mit N geheimen Berechnungsvorrichtungen (1) nach Anspruch 3,
wobei N eine ganze Zahl größer oder gleich 3 ist.
 
5. Programm, welches durch mehrere verteilte Prozessoren abläuft, welche das Verfahren zur Erkennung geheimer Fälschung nach Anspruch 1 oder 2 ausführen.
 


Revendications

1. Procédé de détection de falsification de secret pour détecter une falsification pendant un calcul de secret, avec N appareils de calcul de secret (1) ayant, en tant qu'entrées, des valeurs partagées [a0], ..., [aM-1] obtenues par le partage de secret de M valeurs a0, ..., aM-1 et, en tant que sortie, une valeur de fonction [F([a0], ..., [aM-1])] obtenue avec une fonction F pour effectuer un calcul de secret qui utilise J types de partage de secret,
dans lequel N est un entier supérieur ou égal à 3, M est un entier supérieur ou égal à 1, µ est un entier supérieur ou égal à 1, J est un entier supérieur ou égal à 2, m est un entier supérieur ou égal à 0 et inférieur à M, et j est un entier supérieur ou égal à 0 et inférieur à J ;
le procédé de détection de falsification de secret comprenant :

une étape de génération de nombres aléatoires à laquelle les sections de génération de nombres aléatoires (12) des appareils de calcul de secret (1) effectuent le partage de secret de J nombres aléatoires r0, ..., rJ-1 pour obtenir des valeurs partagées [r0], ..., [rJ-1] ;

une étape de randomisation à laquelle, en supposant que la m-ième valeur partagée [am] est une valeur partagée obtenue par le j-ième partage de secret, les sections de randomisation (13) des appareils de calcul de secret (1) multiplient la valeur partagée [am] par la valeur partagée [rj] pour calculer une valeur partagée [amrj], et apparient la valeur partagée [am] et la valeur partagée [amrj] pour générer une valeur partagée randomisée <am> := <[am], [amrj]> ;

une étape de calcul de secret à laquelle les sections de calcul de secret (14) des appareils de calcul de secret (1) obtiennent, lors de l'exécution d'un calcul de secret qui utilise le j-ième partage de secret, la valeur de fonction [F([a0], ..., [aM-1])] tout en incluant, dans une somme de contrôle Cj, les valeurs partagées randomisées qui sont les objets de calcul et les valeurs partagées randomisées qui sont les résultats de calcul ;

une étape de synchronisation à laquelle les sections de synchronisation (15) des appareils de calcul de secret (1) restent inactives jusqu'à ce que la totalité du calcul de secret qui utilise le partage de secret soit achevé, et sortent la valeur de fonction [F([a0], ..., [aM-1])] et J sommes de contrôle C0, ..., CJ-1 lors de la détection de l'achèvement de la totalité du calcul de secret pour tous les types de partage de secret ; et

une étape de validation à laquelle, en supposant que, pour j = 0, ..., J-1, µj indique le nombre total de valeurs partagées randomisées incluses dans la j-ième somme de contrôle Cj, et <f0>, ..., <fµj-1> indiquent les valeurs partagées randomisées incluses dans la j-ième somme de contrôle Cj, les sections de validation (16) des appareils de calcul de secret (1) vérifient que la valeur partagée [ϕj] obtenue en multipliant la somme des valeurs partagées [f0], ..., [fµj-1] incluses dans la somme de contrôle Cj := (<f0>, ..., <fµj-1>) par la valeur partagée [rj] est égale à la valeur partagée [ψj] obtenue en sommant les valeurs partagées [f0rj], ..., [fµj-1rj] incluses dans la somme de contrôle Cj := (<f0>, ..., <fµj-1>) les unes avec les autres,

dans lequel j' est un entier supérieur ou égal à 0 et inférieur à J, j ≠ j', le j-ième partage de secret et le j'-ième partage de secret sont sur un même anneau, et le j-ième partage de secret peut être converti en le j'-ième partage de secret par un procédé dans lequel une falsification peut être détectée ou un procédé dans lequel une falsification est impossible ;

à l'étape de génération de nombres aléatoires, la valeur partagée [rj] est générée par le partage de secret du nombre aléatoire rj par le j-ième partage de secret, et la valeur partagée [rj] est convertie en une valeur partagée [rj'] obtenue par le j'-ième partage de secret ; et

à l'étape de validation, la valeur partagée [ϕj] calculée à partir de la j-ième somme de contrôle Cj et la valeur partagée [ψj] calculée à partir de la somme de contrôle Cj sont converties en les valeurs partagées obtenues par le j'-ième partage de secret, et il est vérifié que la valeur partagée [ϕj + ϕj'] obtenue en ajoutant la valeur partagée [ϕj] à la valeur partagée [ϕj'] calculée à partir de la j'-ième somme de contrôle Cj' est égale à la valeur partagée [ψj + ψj'] obtenue en ajoutant la valeur partagée [ψj] à la valeur partagée [ψj'] calculée à partir de la j'-ième somme de contrôle Cj'.


 
2. Procédé de détection de falsification de secret selon la revendication 1, dans lequel l'étape de calcul de secret, l'étape de synchronisation, et l'étape de validation sont exécutées à plusieurs reprises une pluralité de fois.
 
3. Appareil de calcul de secret (1) pour détecter une falsification pendant un calcul de secret, l'appareil de calcul de secret (1) ayant, en tant qu'entrées, des valeurs partagées [a0], ..., [aM-1] obtenues par le partage de secret de M valeurs ao, ..., aM-1 et, en tant que sortie, une valeur de fonction [F([a0], ..., [aM-1])] obtenue avec une fonction F pour effectuer un calcul de secret qui utilise J types de partage de secret,
dans lequel M est un entier supérieur ou égal à 1, µ est un entier supérieur ou égal à 1, J est un entier supérieur ou égal à 2, m est un entier supérieur ou égal à 0 et inférieur à M, et j est un entier supérieur ou égal à 0 et inférieur à J ;
l'appareil de calcul de secret (1) comprenant :

une section de génération de nombres aléatoires (12) conçue pour effectuer le partage de secret de J nombres aléatoires r0, ..., rJ-1 pour obtenir des valeurs partagées [r0], ..., [rJ-1] ;

une section de randomisation (13), en supposant que la m-ième valeur partagée [am] est une valeur partagée obtenue par le j-ième partage de secret, conçue pour multiplier la valeur partagée [am] par la valeur partagée [rj] pour calculer une valeur partagée [amrj], et pour apparier la valeur partagée [am] et la valeur partagée [amrj] pour générer une valeur partagée randomisée <am> := <[am], [amrj]> ;

une section de calcul de secret (14) conçue pour obtenir, lors de l'exécution d'un calcul de secret qui utilise le j-ième partage de secret, la valeur de fonction [F([a0], ..., [aM-1])] tout en incluant, dans une somme de contrôle Cj, les valeurs partagées randomisées qui sont les objets de calcul et les valeurs partagées randomisées qui sont les résultats de calcul ;

une section de synchronisation (15) conçue pour rester inactive jusqu'à ce que la totalité du calcul de secret qui utilise le partage de secret soit achevé, et pour sortir la valeur de fonction [F([a0], ..., [aM-1])] et J sommes de contrôle C0, ..., CJ-1 lors de la détection de l'achèvement de la totalité du calcul de secret pour tous les types de partage de secret ; et

une section de validation (16), en supposant que, pour j = 0, ..., J-1, µj indique le nombre total de valeurs partagées randomisées incluses dans la j-ième somme de contrôle Cj, et <f0>, ..., <fµj-1> indiquent les valeurs partagées randomisées incluses dans la j-ième somme de contrôle Cj, conçue pour vérifier que la valeur partagée [ϕj] obtenue en multipliant la somme des valeurs partagées [f0], ..., [fµj-1] incluses dans la somme de contrôle Ci := (<f0>, ..., <fµj-1>) par la valeur partagée [rj] est égale à la valeur partagée [ψj] obtenue en sommant les valeurs partagées [f0rj], ..., [fµj-1rj] incluses dans la somme de contrôle Cj := (<f0>, ..., <fµj-1>) les unes avec les autres,

dans lequel j' est un entier supérieur ou égal à 0 et inférieur à J, j ≠ j', le j-ième partage de secret et le j'-ième partage de secret sont sur un même anneau, et le j-ième partage de secret peut être converti en le j'-ième partage de secret par un procédé dans lequel une falsification peut être détectée ou un procédé dans lequel une falsification est impossible ;

la section de génération de nombres aléatoires (12) génère la valeur partagée [rj] par le partage de secret du nombre aléatoire rj par le j-ième partage de secret, et convertit la valeur partagée [rj] en une valeur partagée [rj'] obtenue par le j'-ième partage de secret ; et

la section de validation (16) convertit la valeur partagée [ϕj] calculée à partir de la j-ième somme de contrôle Cj et la valeur partagée [ψj] calculée à partir de la somme de contrôle Cj sont converties en les valeurs partagées obtenues par le j'-ième partage de secret, et vérifie que la valeur partagée [ϕj + (ϕj'] obtenue en ajoutant la valeur partagée [ϕj] à la valeur partagée [ϕj'] calculée à partir de la j'-ième somme de contrôle Cj' est égale à la valeur partagée [ψj + ψj'] obtenue en ajoutant la valeur partagée [ψj] à la valeur partagée [ψj'] calculée à partir de la j'-ième somme de contrôle Cj'.


 
4. Système de détection de falsification de secret pour détecter une falsification pendant un calcul de secret, avec N appareils de calcul de secret (1) selon la revendication 3,
dans lequel N est un entier supérieur ou égal à 3.
 
5. Programme qui est exécuté par de multiples processeurs répartis qui exécutent le procédé de détection de falsification de secret selon la revendication 1 ou 2.
 




Drawing














Cited references

REFERENCES CITED IN THE DESCRIPTION



This list of references cited by the applicant is for the reader's convenience only. It does not form part of the European patent document. Even though great care has been taken in compiling the references, errors or omissions cannot be excluded and the EPO disclaims all liability in this regard.

Patent documents cited in the description




Non-patent literature cited in the description