Share generating device, reconstructing device, secure computation system, share generation method, reconstruction method, program, and recording medium

Abstract

A share [x].sub.i of plaintext x in accordance with Shamir's secret sharing scheme is expressed by N shares [x.sub.0].sub.i, . . . , [x.sub.N−1].sub.i, and each share generating device A.sub.i obtains a function value r.sub.i=P.sub.m(i(−))(s.sub.i) of a seed s.sub.i, obtains a first calculated value ζ.sub.i=λ(i, i(−))[x.sub.i(−)].sub.i+r.sub.i using a Lagrange coefficient λ(i, i(−)), a share [x.sub.i(−)].sub.i, and the function value r.sub.i, and outputs the first calculated value ζ.sub.i to a share generating device A.sub.i(−). Each share generating device A.sub.i accepts a second calculated value ζ.sub.i(+), obtains a third calculated value z.sub.i=λ(i, i(+))[x.sub.i].sub.i+ζ.sub.i(+) using a Lagrange coefficient λ(i, i(+)), a share [x.sub.i].sub.i, and the second calculated value ζ.sub.i(+), and obtains information containing the seed s.sub.i and the third calculated value z.sub.i as a share SS.sub.i of the plaintext x in secret sharing and outputs the share SS.sub.i.

Claims

1. A secure computation system comprising: N share generating devices A.sub.0, . . . , A.sub.N−1, wherein N is an integer greater than or equal to 2, m is an integer greater than or equal to 1, m(i) is an integer greater than or equal to 0 and less than m, i=0, . . . , N−1 holds, j=0, . . . , N−1 holds, i(+)=i+1 mod N holds, i(−)=i−1 mod N holds, P.sub.m(i) is a function, and a range of the function P.sub.m(i) belongs to a set F.sup.m(i) whose members are sequences of elements of m(i) fields F, a sum of a value which is obtained by multiplying a share [α].sub.i in accordance with Shamir's secret sharing scheme by a Lagrange coefficient λ(i, i(−)) and a value which is obtained by multiplying a share [α].sub.i(−) in accordance with the Shamir's secret sharing scheme by a Lagrange coefficient λ(i(−), i) is a reconstructed value α and a sum of a value which is obtained by multiplying the share [α].sub.i by a Lagrange coefficient λ(i, i(+)) and a value which is obtained by multiplying a share [α].sub.i(+) in accordance with the Shamir's secret sharing scheme by a Lagrange coefficient λ(i(+), i) is the reconstructed value α, a share [x].sub.i∈F.sup.m of plaintext x in accordance with the Shamir's secret sharing scheme is expressed by N shares [x.sub.0].sub.i, . . . , [x.sub.N−1].sub.i which satisfy m=m(0)+ . . . +m(N−1) and [x.sub.j].sub.i∈F.sup.m(j), a share generating device A.sub.i included in the N share generating devices A.sub.0, . . . , A.sub.N−1 includes processing circuitry configured to store the share [x].sub.i of plaintext x, and each of the N share generating devices A.sub.0, . . . , A.sub.N−1 store a respective share [x].sub.i of plaintext x, and the plaintext x cannot be reconstructed with only one share of the plaintext x, obtain a function value r.sub.i=P.sub.m(i(−))(s.sub.i)∈F.sup.m(i(−)) of an input seed s.sub.i, obtain a first calculated value ζ.sub.i=λ(i, i(−))[x.sub.i(−)].sub.i+r.sub.i∈F.sup.m(i(−)) using the Lagrange coefficient λ(i, i(−)), a share [x.sub.i(−)].sub.i, and the function value r.sub.i, output the first calculated value ζ.sub.i to a share generating device A.sub.i(−), through a network, among the N share generating devices A.sub.0, . . . , A.sub.N−1, accept a second calculated value ζ.sub.i(+)∈F.sup.m(i)), from a share generating device A.sub.i(+), through the network, among the N share generating devices A.sub.0, . . . , A.sub.N−1, obtain a third calculated value z.sub.i=λ(i, i(+))[x.sub.i].sub.i+ζ.sub.i(+)∈F.sup.m(i) using the Lagrange coefficient λ(i, i(+)), the share [x.sub.i].sub.i, and the second calculated value ζ.sub.i(+), and obtain information containing the seed s.sub.i and the third calculated value z.sub.i as a share SS.sub.i of the plaintext x in secret sharing and outputs the share SS.sub.i through the network, the total amount of data of the shares SS.sub.0, . . . , SS.sub.N−1 is less than N times the amount of data of the plaintext x, wherein the secure computation system further comprises a reconstructing device being configured to reconstruct the plaintext x using N shares SS.sub.0, . . . , SS.sub.N−1, wherein the reconstructing device includes processing circuitry configured to accept N shares SS.sub.0, . . . , SS.sub.N−1 through the network, obtain a member x.sub.i=z.sub.i−P.sub.m(i)(s.sub.i(+))∈F.sup.m(i) using the third calculated value z.sub.i∈F.sup.m(i) contained in the share SS.sub.i and a seed s.sub.i(+) contained in a share SS.sub.i(+), and obtain a reconstructed value x∈F.sup.m which is expressed by obtained members x.sub.0, . . . , x.sub.N−1.

2. The secure computation system according to claim 1, wherein N is an integer greater than or equal to 3, i(++)=i+2 mod N holds, i(−−)=i−2 mod N holds, δ=0, . . . , N−1 holds, v is an integer greater than or equal to 1, ceil is a ceiling function, the share [x.sub.j].sub.i can be divided into m(j) shares [(x.sub.j).sub.0].sub.i, . . . , [(x.sub.j).sub.m(j)−1].sub.i∈F, m′(i) is ceil(m(i)/v), and [(x′.sub.δ).sub.j].sub.i is ([(x.sub.δ).sub.vj].sub.i, [(x.sub.δ).sub.vj+1].sub.i, . . . , [(x.sub.δ).sub.v(j+1)−1].sub.i)∈F.sup.v belonging to a set F.sup.v, the processing circuitry of the share generating device A.sub.i is further configured to possess an arbitrary value t.sub.j(−−)∈F.sup.v jointly with a share generating device A.sub.i(−−) and possess an arbitrary value t.sub.i∈F.sup.v jointly with a share generating device A.sub.i(++) and/or possess an arbitrary value u.sub.i(−−)∈F.sup.v jointly with a share generating device A.sub.i(+) and possess an arbitrary value u.sub.i(−)∈F.sup.v jointly with the share generating device A.sub.i(−), obtain a checksum c.sub.i(−−),i=Σ.sub.0≤j<m′(i(−−)){t.sub.i(−−).sup.j+1[(x′.sub.i(−−)).sub.j].sub.i}+t.sub.i(−−).sup.m′(i(−−))+1[(x′.sub.i(−−)).sub.m′(i(−−))−1].sub.i∈F.sup.v when joint possession of the arbitrary value t.sub.i(−−) has been performed and obtains a checksum d.sub.i(−−),i=Σ.sub.0≤j<m′(i(−−)){u.sub.i(−−).sup.j+1[(x′.sub.i(−−)).sub.j].sub.i}+u.sub.i(−−).sup.m′(i(−−))+1[(x′.sub.i(−−)).sub.m′(i(−−))−1].sub.i∈F.sup.v when joint possession of the arbitrary value u.sub.i(−−) has been performed, and obtain a checksum c.sub.i,i=Σ.sub.0≤j<m′(i){t.sub.i.sup.j+1[(x′.sub.i).sub.j].sub.i}+t.sub.i.sup.m′(i)+1[(x′.sub.i).sub.m′(i)−1].sub.i∈F.sup.v when joint possession of the arbitrary value t.sub.i has been performed and obtain a checksum d.sub.i(−),i=Σ.sub.0≤j<m′(i(−)){u.sub.i(−).sup.j+1[(x′.sub.i(−)).sub.j].sub.i}+u.sub.i(−).sup.m′(i(−))+1[(x′.sub.i(−)).sub.m′(i(−))−1].sub.i∈F.sup.v when joint possession of the arbitrary value u.sub.i(−) has been performed, when joint possession of the arbitrary value t.sub.i(−−) and the arbitrary value t.sub.i has been performed, the share SS.sub.i, which is generated, further contains the arbitrary value t.sub.i(−−), the arbitrary value t.sub.i, the checksum c.sub.i(−−), i, and the checksum c.sub.i, i, and when joint possession of the arbitrary value u.sub.i(−−) and the arbitrary value u.sub.i(−) has been performed, the share SS.sub.i, which is generated, further contains the arbitrary value u.sub.i(−−), the arbitrary value u.sub.i(−), the checksum d.sub.i(−−), i, and the checksum d.sub.i(−), i.

3. The secure computation system according to claim 1, wherein N is an integer greater than or equal to 3, i(++)=i+2 mod N holds, i(−−)=i−2 mod N holds, δ=0, . . . , N−1 holds, v is an integer greater than or equal to 1, ceil is a ceiling function, the share [x.sub.j].sub.i can be divided into m(j) shares [(x.sub.j).sub.0].sub.i, . . . , [(x.sub.j).sub.m(j)−1].sub.i∈F, m′(i) is ceil(m(i)/v), and [(x′.sub.δ).sub.j].sub.i is ([(x.sub.δ).sub.vj].sub.i, [(x.sub.δ).sub.vj+1].sub.i, . . . , [(x.sub.δ).sub.v(j+1)−1].sub.i)∈F.sup.v belonging to a set F.sup.v, the processing circuitry of the share generating device A.sub.i is further configured to possess an arbitrary value t.sub.j(−−)∈F.sup.v jointly with a share generating device A.sub.i(−−), possess an arbitrary value t.sub.i∈F.sup.v jointly with a share generating device A.sub.i(++), possess an arbitrary value u.sub.i(−−)∈F.sup.v jointly with a share generating device A.sub.i(+), and possess an arbitrary value u.sub.i(−)∈F.sup.v jointly with the share generating device A.sub.i(−), obtain a checksum c.sub.i(−−),i=Σ.sub.0≤j<m′(i(−−)){t.sub.i(−−).sup.j+1[(x′.sub.i(−−)).sub.j].sub.i}+t.sub.j(−−).sup.m′(i(−−))+1[(x′.sub.j(−−)).sub.m′(i(−−))−1].sub.i∈F.sup.v and obtain a checksum d.sub.i(−−),i=Σ.sub.0≤j<m′(i(−−)){u.sub.i(−−).sup.j+1[(x′.sub.i(−−)).sub.j].sub.i}+u.sub.i(−−).sup.m′(i(−−))+1[(x′.sub.i(−−)).sub.m′(i(−−))−1].sub.i∈F.sup.v, and obtain a checksum c.sub.i,i=Σ.sub.0≤j<m′(i){t.sub.i.sup.j+1[(x′.sub.i).sub.j].sub.i}+t.sub.j.sup.m′(i)+1[(x′.sub.i).sub.m′(i)−1].sub.i∈F.sup.v and obtains a checksum d.sub.i(−),i=Σ.sub.0≤j<m′(i(−)){u.sub.i(−).sup.j+1[(x′.sub.i(−)).sub.j].sub.i}+u.sub.i(−).sup.m′(i(−))+1[(x′.sub.i(−)).sub.m′(i(−))−1].sub.i∈F.sup.v, and the share SS.sub.i, which is generated, further contains the arbitrary value t.sub.i(−−), the arbitrary value t.sub.i, the arbitrary value u.sub.i(−−), the arbitrary value u.sub.i(−), the checksum c.sub.i(−−), i, the checksum c.sub.i, i, the checksum d.sub.i(−−), i, and the checksum d.sub.i(−), i.

4. The secret computation system according to any one of claims 2, 3, and 1, wherein an amount of data of the seed s.sub.i is smaller than an amount of data of the function value r.sub.i.

5. A method implemented by a secure computation system that includes N share generating devices A.sub.0, . . . , A.sub.N−1, wherein N is an integer greater than or equal to 2, m is an integer greater than or equal to 1, m(i) is an integer greater than or equal to 0 and less than m, i=0, . . . , N−1 holds, j=0, . . . , N−1 holds, i(+)=i+1 mod N holds, i(−)=i−1 mod N holds, P.sub.m(i) is a function, and a range of the function P.sub.m(i) belongs to a set F.sup.m(i) whose members are sequences of elements of m(i) fields F, a sum of a value which is obtained by multiplying a share [α].sub.i in accordance with Shamir's secret sharing scheme by a Lagrange coefficient λ(i, i(−)) and a value which is obtained by multiplying a share [α].sub.i(−) in accordance with the Shamir's secret sharing scheme by a Lagrange coefficient λ(i(−), i) is a reconstructed value α and a sum of a value which is obtained by multiplying the share [α].sub.i by a Lagrange coefficient λ(i, i(+)) and a value which is obtained by multiplying a share [α].sub.i(+) in accordance with the Shamir's secret sharing scheme by a Lagrange coefficient λ(i(+), i) is the reconstructed value α, a share [x].sub.i∈F.sup.m of plaintext x in accordance with the Shamir's secret sharing scheme is expressed by N shares [x.sub.0].sub.i, . . . , [x.sub.N−1].sub.i which satisfy m=m(0)+ . . . +m(N−1) and [x.sub.j].sub.i∈F.sup.m(j), the method comprising: performing, by processing circuitry of a share generating device A.sub.i included in the N share generating devices A.sub.0, . . . , A.sub.N−1, storing the share [x].sub.i of plaintext x, and each of the N share generating devices A.sub.0, . . . , A.sub.N−1 store a respective share [x].sub.i of plaintext x, and the plaintext x cannot be reconstructed with only one share of the plaintext x, obtaining a function value r.sub.i=P.sub.m(i(−))(s.sub.i)∈F.sup.m(i(−)) of an input seed s.sub.i, obtaining a first calculated value ζ.sub.i=λ(i, i(−))[x.sub.i(−)].sub.i+r.sub.i∈F.sup.m(i(−)) using the Lagrange coefficient λ(i, i(−)), a share [x.sub.i(−)].sub.i, and the function value r.sub.i, outputting the first calculated value ζ.sub.i to a share generating device A.sub.i(−), through a network, among the N share generating devices A.sub.0, . . . , A.sub.N−1, accepting a second calculated value ζ.sub.i(+)∈F.sup.m(i)), from a share generating device A.sub.i(+), through the network, among the N share generating devices A.sub.0, . . . , A.sub.N−1, obtaining a third calculated value z.sub.i=λ(i, i(+))[x.sub.i].sub.i+ζ.sub.i(+)∈F.sup.m(i) using the Lagrange coefficient λ(i, i(+)), the share [x.sub.i].sub.i, and the second calculated value ζ.sub.i(+), and obtaining information containing the seed s.sub.i and the third calculated value z.sub.i as a share SS.sub.i of the plaintext x in secret sharing and outputs the share SS.sub.i through the network, the total amount of data of the shares SS.sub.0, . . . , SS.sub.N−1 is less than N times the amount of data of the plaintext x, wherein the secure computation system further comprises a reconstructing device being configured to reconstruct the plaintext x using N shares SS.sub.0, . . . , SS.sub.N−1, wherein the method further comprising: performing, by processing circuitry of the reconstructing device accepting N shares SS.sub.0, . . . , SS.sub.N−1 through the network, obtaining a member x.sub.i=z.sub.i−P.sub.m(i)(s.sub.i(+))∈F.sup.m(i) using the third calculated value z.sub.i∈F.sup.m(i) contained in the share SS.sub.i and a seed s.sub.i(+) contained in a share SS.sub.i(+), and obtaining a reconstructed value x∈F.sup.m which is expressed by obtained members x.sub.0, . . . , x.sub.N−1.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) FIG. 1 is a block diagram illustrating the configuration of a secure computation system of an embodiment.

(2) FIG. 2 is a block diagram illustrating the functional configuration of a share generating device of the embodiment.

(3) FIG. 3 is a block diagram illustrating the functional configuration of a reconstructing device of the embodiment.

(4) FIG. 4 is a flow diagram for explaining a share generation method of the embodiment.

(5) FIG. 5 is a flow diagram for explaining a reconstruction method of the embodiment.

DETAILED DESCRIPTION OF THE EMBODIMENTS

(6) Hereinafter, embodiments of the present invention will be described with reference to the drawings.

First Embodiment

(7) First, a first embodiment will be described.

(8) <Configuration>

(9) As illustrated in FIG. 1, a secure computation system 1 of the present embodiment includes N share generating devices 11-A.sub.0, . . . , 11-A.sub.N−1 and a reconstructing device 12, and these devices can communicate with one another through a network such as the Internet. It is to be noted that N is an integer greater than or equal to 2. For example, N is an integer greater than or equal to 3. One example of N is N=3. Although FIG. 1 illustrates one reconstructing device 12, the secure computation system 1 may include a plurality of reconstructing devices.

(10) As illustrated in FIG. 2, each share generating device 11-A.sub.i (i=0, . . . , N−1) of the present embodiment includes a division unit 111-A.sub.i, a seed obtaining unit 112-A.sub.i, a function operation unit 113-A.sub.i, secure computation units 114-A.sub.i and 115-A.sub.i, a share generation unit 116-A.sub.i, a storage 117-A.sub.i, a communication unit 118-A.sub.i, and a control unit 119-A.sub.i and executes each processing under control of the control unit 119-A.sub.i. Information output from each processing unit (a part that performs processing) of the share generating device 11-A.sub.i is stored in the storage 117-A.sub.i and is read therefrom when necessary and input to another processing unit.

(11) As illustrated in FIG. 3, the reconstructing device 12 of the present embodiment includes a communication unit 121, an arithmetic unit 122, a concatenation unit 123, a storage 127, and a control unit 128 and executes each processing under control of the control unit 128. Information output from each processing unit of the reconstructing device 12 is stored in the storage 127 and is read therefrom when necessary and input to another processing unit.

(12) <Share Generation Method>

(13) A share generation method (a share conversion method) which is performed by each share generating device 11-A.sub.i (i=0, . . . , N−1) (FIG. 2) of the present embodiment will be described using FIG. 4. It is assumed that a share [x].sub.i∈F.sup.m of plaintext x∈F.sup.m in accordance with Shamir's secret sharing scheme is stored in the storage 117-A.sub.i of each share generating device 11-A.sub.i. A “share” means a fragment in secret sharing. Shamir's secret sharing scheme of the embodiment is a 2-out-of-N threshold secret sharing scheme, in which, given any two different shares, a reconstructed value (plaintext) can be reconstructed; however, given any one piece of share information, information on the reconstructed value cannot be obtained at all. The sum of a value which is obtained by multiplying a share [α].sub.i in accordance with Shamir's secret sharing scheme by a Lagrange coefficient λ(i, i(−)) and a value which is obtained by multiplying a share [α].sub.i(−) in accordance with Shamir's secret sharing scheme by a Lagrange coefficient λ(i(−), i) is a reconstructed value α, and the sum of a value which is obtained by multiplying the share [α].sub.i by a Lagrange coefficient λ(i, i(+)) and a value which is obtained by multiplying a share [α].sub.i(+) in accordance with Shamir's secret sharing scheme by a Lagrange coefficient λ(i(+), i) is also the reconstructed value α. That is,
α=λ(i,i(−))[α].sub.i+λ(i(−),i)[α].sub.i(−)
α=λ(i,i(+))[α].sub.i+λ(i(+),i)[α].sub.i(+)
are satisfied. In other words, λ(i, i(−)) is a coefficient by which the share [α].sub.i is multiplied when the reconstructed value α is reconstructed from the share [α].sub.i and the share [α].sub.i(−) and λ(i(−), i) is a coefficient by which the share [α].sub.i(−) is multiplied at the time of this reconstruction. λ(i, i(+)) is a coefficient by which the share [α].sub.i is multiplied when the reconstructed value α is reconstructed from the share [α].sub.i and the share [α].sub.i+) and λ(i(+), i) is a coefficient by which the share [α].sub.i(+) is multiplied at the time of this reconstruction. It is to be noted that i(+)=i+1 mod N and i(−)=i−1 mod N hold. These Lagrange coefficients λ(i, i(−)), (i(−), i), λ(i, i(+)), and λ(i(+), i) can be easily determined by publicly known Lagrange's interpolation formula. F.sup.m means a set whose members are sequences of elements of in fields F. One example of the set F.sup.m is in-dimensional vectors, whose members are elements of in fields F. α∈β means that a is a member of β. m is an integer greater than or equal to 1. For instance, m is an integer greater than or equal to 2 or an integer greater than or equal to 3. An example of the field F is a set of remainders modulo a prime number p (α mod p, where α is any number), and the operation result in the field F in this case is obtained as a remainder modulo a prime number p. p≥3 holds and, for instance, p=2.sup.61−1 holds. Moreover, the share [x].sub.i may be a share transmitted from another device or a share obtained by performing secure computation on a share transmitted from another device.

(14) The division unit 111-A.sub.i (a first division unit) reads the share [x].sub.i∈F.sup.m of the plaintext x in accordance with Shamir's secret sharing scheme described above from the storage 117-A.sub.i. The division unit 111-A.sub.i divides the share [x].sub.i into N shares [x.sub.0].sub.i, . . . , [x.sub.N−1].sub.i by secure computation and outputs the shares [x.sub.0].sub.i, . . . , [x.sub.N−1].sub.i. It is to be noted that m(i) is an integer greater than or equal to 0 and less than in (for example, m(i) is an integer greater than or equal to 1), in =m(0)+ . . . +m(N−1) is satisfied, and, for i=0, . . . , N−1 and j=0, . . . , N−1, [x.sub.i].sub.i∈F.sup.m(j) is satisfied. It is also possible to make m(0)= . . . =m(N−1)=m/N hold if m is a multiple of N. However, irrespective of whether or not in is a multiple of N, all of m(0), . . . , m(N−1) may not be identical with one another. For example, at least part of m(0), . . . , m(N−1) may be 0. It is to be noted that γ∈F.sup.0 represents a null value. If m(i)=0, [x.sub.i].sub.i∈F.sup.m(i) is a null value. [x.sub.i].sub.i is a share of plaintext x.sub.j in accordance with Shamir's secret sharing scheme described above. The plaintext x is expressed by N x.sub.0∈F.sup.m(0), . . . , x.sub.N−1∈F.sup.m(N−1). For example, the plaintext x is expressed as a sequence x.sub.0| . . . |x.sub.N−1 obtained by arranging N x.sub.0∈F.sup.m(0) . . . , x.sub.N−1∈F.sup.m(N−1). To divide the share [x].sub.i into the N shares [x.sub.0].sub.i, . . . , [x.sub.N−1].sub.i by secure computation, it is only necessary to, for instance, separate and divide the share [x].sub.i directly into the N shares [x.sub.0].sub.i∈F.sup.m(0), . . . , [x.sub.N−1].sub.i∈F.sup.m(N−1). It is to be noted that, if m=1, only one of m(0), . . . , m(N−1) is 1 and the others are 0. In this case, the division unit 111-A.sub.i does not have to divide the share [x].sub.i and only has to output any one of the shares [x.sub.0].sub.i, . . . , [x.sub.N−1].sub.i as [x].sub.i and output all of the other shares as null values. As described above, the share [x].sub.i is expressed by the N shares [x.sub.0].sub.i, . . . , [x.sub.N−1].sub.i. For instance, the share [x].sub.i is expressed as a sequence [x.sub.0].sub.i| . . . |[x.sub.N−1].sub.i obtained by arranging the N shares [x.sub.0].sub.i, . . . , [x.sub.N−1].sub.i (Step S111-A.sub.i).

(15) The seed obtaining unit 112-A.sub.i obtains a seed s.sub.i and outputs the seed s.sub.i. There is no limitation on the data format of the seed s.sub.i and any value can be used as the seed s.sub.i. One example of the seed s.sub.i is an element of a set F.sup.w(i) whose members are sequences of elements of w(i) fields F (s.sub.i∈F.sup.w(i)). It is to be noted that w(i) is an integer greater than or equal to 1 and less than m. The seed s.sub.i (i=0, . . . , N−1) may be an arbitrary value or an output value obtained by other processing. The “arbitrary value” may be a random number (a pseudo random number or a true random number), a value selected from a plurality of preset values, or a value obtained by other processing. It is to be noted that the seed s.sub.i corresponding to the share [x.sub.j].sub.i which is a null value may be set at a null value (Step S112-A.sub.i).

(16) The function operation unit 113-A.sub.i obtains a function value r.sub.i=P.sub.m(i(−))(s.sub.i)∈F.sup.m(−)) (for example, a pseudo random number) using the seed s.sub.i as input and outputs the function value r.sub.i. It is to be noted that P.sub.m(i(−))(s.sub.i) is a function value which is obtained by operating a function P.sub.m(i(−)) on the seed s.sub.i. P.sub.m(i):F.sup.w(i(+)).fwdarw.F.sup.m(i) is a function and the range of a function P.sub.m(i) belongs to a set F.sup.m(i) whose members are sequences of elements of m(i) fields F. One example of the set F.sup.m(i) is a set of m(i)-dimensional vectors, whose members are elements of m(i) fields F. The domain of definition of the function P.sub.m(i) may be any domain of definition. For instance, the domain of definition of the function P.sub.m(i) belongs to a set F.sup.w(i(+)) whose members are sequences of elements of w(i(+)) fields F. Preferably, w(i(+))<m(i) is satisfied (the amount of data of the seed s.sub.i is smaller than the amount of data of the function value r.sub.i). An example of P.sub.m(i) is a pseudo random number generating function. That is, P.sub.m(i(−)) is a function and the range of the function P.sub.m(i(−)) belongs to a set F.sup.m(i(−)) whose members are sequences of elements of m(i(−)) fields F. For example, the domain of definition of the function P.sub.m(i(−)) belongs to the set F.sup.w(i) whose members are sequences of elements of w(i) fields F. Preferably, w(i)<m(i(−)) is satisfied. It is to be noted that the function value r.sub.i corresponding to the share [x.sub.j].sub.i which is a null value may be set at a null value (Step S113-A.sub.i).

(17) The secure computation unit 114-A.sub.i (a first secure computation unit) obtains, using a share [x.sub.i(−)].sub.i and the function value r.sub.i as input, a calculated value (a first calculated value) ζ.sub.i=λ(i, i(−))[x.sub.i(−)].sub.i+r.sub.i∈F.sup.m(i(−)) using the Lagrange coefficient λ(i, i(−)), the share [x.sub.i(−)].sub.i, and the function value r.sub.i and outputs the calculated value ζ.sub.i. It is to be noted that ζ.sub.i=λ(i, i(−))[x.sub.i(−)].sub.i+r.sub.i corresponding to the share [x.sub.i(−)].sub.i which is a null value is set at a null value (Step S114-A.sub.i).

(18) The calculated value ζ.sub.i is input to the communication unit 118-A.sub.i. The communication unit 118-A.sub.i (an output unit) outputs the calculated value ζ.sub.i to a share generating device 11-A.sub.i(−). The output calculated value ζ.sub.i is transmitted to the share generating device 11-A.sub.i(−) through the network (Step S1181-A.sub.i).

(19) A calculated value (a second calculated value) ζ.sub.i(+)=λ(i(+), i)[x.sub.i].sub.i(+)+r.sub.i(+)∈F.sup.m(i) (r.sub.i(+)=P.sub.m(i)(s.sub.i(+))) output from a share generating device 11-A.sub.i(+) is transmitted to the share generating device 11-A.sub.i through the network in a similar manner. It is to be noted that ζ.sub.i(+)=λ(i(+), i)[x.sub.i].sub.i(+)+r.sub.i(+) corresponding to the share [x.sub.i].sub.i(+) which is a null value is set at a null value. The calculated value ζ.sub.i(+) is received (accepted) by the communication unit 118-A.sub.i (an input unit) and output (Step S1182-A.sub.i).

(20) The secure computation unit 115-A.sub.i (a second secure computation unit) obtains, using a share [x.sub.i].sub.i and the calculated value i(+) as input, a calculated value (a third calculated value) z.sub.i=λ(i, i(+))[x.sub.i].sub.i+ζ.sub.i(+)∈F.sup.m(i) using the Lagrange coefficient λ(i, i(+)), the share [x.sub.i].sub.i, and the calculated value ζ.sub.i(+) and outputs the calculated value z.sub.i. Since ζ.sub.i(+)=λ(i(+), i)[x.sub.i].sub.i(+)+r.sub.i(+), z.sub.i=λ(i, i(+))[x.sub.i].sub.i+λ(i(+), i)[x.sub.i].sub.i(+)+r.sub.i(+) holds. Moreover, since x.sub.i=λ(i, i(+))[x.sub.i].sub.i+λ(i(+), i)[x.sub.i].sub.i(+), z.sub.i=x.sub.i+r.sub.i(+) holds. It is to be noted that z.sub.i corresponding to the share [x.sub.i]; which is a null value is set at a null value (Step S115-A.sub.i).

(21) The seed s.sub.i output from the seed obtaining unit 112-A.sub.i and the calculated value z.sub.i output from the secure computation unit 115-A.sub.i are input to the share generation unit 116-A.sub.i. The share generation unit 116-A.sub.i obtains information containing the seed s.sub.i and the calculated value z.sub.i as a share SS.sub.i of the plaintext x in secret sharing and outputs the share SS.sub.i. The share SS.sub.i corresponding to the seed s.sub.i and the calculated value z.sub.i which are null values is information in which the seed s.sub.i and the calculated value z.sub.i are set at null values (Step S116-A.sub.i).

(22) The share SS.sub.i output from the share generation unit 116-A.sub.i is input to the communication unit 118-A.sub.i. The communication unit 118-A.sub.i outputs the share SS.sub.i to the reconstructing device 12. The output share SS.sub.i is transmitted to the reconstructing device 12 through the network. The size of the seed s.sub.i and N do not depend on m. In (2, N)-Shamir's secret sharing, the order of magnitude of the total share size (the total share size which is transmitted) that relates to the data size m of the plaintext x is O(Nm); in the present embodiment, the order of magnitude of the total share size that relates to the data size in of the plaintext x is just O(m). The size of each share is O(m/N). For example, the total amount of data of the share SS.sub.i which is transmitted from each share generating device 11-A.sub.i (i=0, . . . , N−1) is less than N times the amount of data of the plaintext x. For instance, the amount of data of each share SS.sub.i is smaller than the amount of data of the plaintext x (Step S118-A.sub.i).

(23) <Reconstruction Method>

(24) A reconstruction method which is performed by the reconstructing device 12 (FIG. 3) of the present embodiment will be described using FIG. 5.

(25) N shares SS.sub.0, . . . , SS.sub.N−1 output from the share generating devices 11-A.sub.0, . . . , 11-A.sub.N−1 are received (accepted) by the communication unit 121 (an input unit) of the reconstructing device 12 (Step S121).

(26) For each i=0, . . . , N−1, the calculated value z.sub.i contained in the share SS.sub.i and a seed s.sub.i(+) contained in a share SS.sub.i(+) are input to the arithmetic unit 122. The arithmetic unit 122 obtains a member x.sub.i=z.sub.i−P.sub.m(i)(s.sub.i(+)∈F.sup.m(i) using the calculated value z.sub.i and the seed s.sub.i(+) and outputs the member x.sub.i. It is to be noted that P.sub.m(i)(s.sub.i(+)) is a function value which is obtained by operating the function P.sub.m(i) on the seed s.sub.i(+). The function P.sub.m(i) is the same as the function defined in Step S113-A.sub.i. As indicated in Step S115-A.sub.i, z.sub.i=x.sub.i+r.sub.i(+) holds. Moreover, as indicated in Step S1182-A.sub.i, r.sub.i(+)=P.sub.m(i)(s.sub.i(+)) holds. Thus, the member x.sub.i is obtained by an operation z.sub.i−P.sub.m(i)(s.sub.i(+)). It is to be noted that the member x.sub.i corresponding to the calculated value z.sub.i and the seed s.sub.i(+) which are null values is set at a null value (Step S122).

(27) The members x.sub.0, . . . , x.sub.N−1 obtained in the arithmetic unit 122 are input to the concatenation unit 123. The concatenation unit 123 obtains a reconstructed value x obtained by concatenating (joining) the members x.sub.0, . . . , x.sub.N−1 to one another and outputs the reconstructed value x. For example, a sequence x.sub.0| . . . |x.sub.N−1 obtained by arranging x.sub.0∈F.sup.m(0), . . . , x.sub.N−1∈F.sup.m(N−1) is x (Step S123).

Features of the Present Embodiment

(28) Each share generating device 11-A.sub.i (i=0, . . . , N−1) obtains the share SS.sub.i containing the seed s.sub.i and the calculated value z.sub.i∈F.sup.m(i) from the share [x].sub.i in accordance with Shamir's secret sharing scheme and outputs the share SS.sub.i. Here, the size of the seed s.sub.i and N do not depend on m. In (2, N)-Shamir's secret sharing, the order of magnitude of the total share size (the total share size which is transmitted) that relates to the data size m of the plaintext x is O(Nm); in the present embodiment, the order of magnitude of the total share size that relates to the data size m of the plaintext x is just O(m). The size of each share is O(m/N). For example, by setting m(i) and w(i) so that m(i)<m and w(i)<m, it is possible to make the total amount of data of the shares SS.sub.0, . . . , SS.sub.N−1 less than N times the amount of data of the plaintext x∈F.sup.m. This makes it possible to make the total amount of communication data smaller than that of shares in accordance with Shamir's secret sharing scheme. Each share generating device 11-A.sub.i can obtain the share SS.sub.i whose amount of data is small from the share [x].sub.i in accordance with Shamir's secret sharing scheme without obtaining information on the plaintext x. The reconstructing device 12 can reconstruct the plaintext x using the N shares SS.sub.0, . . . , SS.sub.N−1.

Second Embodiment

(29) A second embodiment is a modification of the first embodiment. In the present embodiment, a checksum corresponding to a share is generated at the time of share generation and the share is verified using the checksum at the time of reconstruction of plaintext. In the following description, an explanation of a matter that has already been described in the first embodiment is sometimes simplified, using the same reference character as that of the first embodiment.

(30) <Configuration>

(31) As illustrated in FIG. 1, a secure computation system 2 of the present embodiment includes N share generating devices 21-A.sub.0, . . . , 21-A.sub.N−1 and a reconstructing device 22, and these devices can communicate with one another through a network such as the Internet. It is to be noted that N of the present embodiment is an integer greater than or equal to 3. One example of N is N=3. Although FIG. 1 illustrates one reconstructing device 22, the secure computation system 2 may include a plurality of reconstructing devices.

(32) As illustrated in FIG. 2, each share generating device 21-A.sub.i (i=0, . . . , N−1) of the present embodiment includes a division unit 111-A.sub.i, a seed obtaining unit 112-A.sub.i, a function operation unit 113-A.sub.i, secure computation units 114-A.sub.i and 115-A.sub.i, a joint possession unit 215-A.sub.i, a share generation unit 216-A.sub.i, a division unit 217-A.sub.i, checksum generation units 218-A.sub.i and 219-A.sub.i, a storage 117-A.sub.i, a communication unit 118-A.sub.i, and a control unit 119-A.sub.i and executes each processing under control of the control unit 119-A.sub.i. Information output from each processing unit (a part that performs processing) of the share generating device 21-A.sub.i is stored in the storage 117-A.sub.i and is read therefrom when necessary and input to another processing unit.

(33) As illustrated in FIG. 3, the reconstructing device 22 of the present embodiment includes a communication unit 221, an arithmetic unit 122, a concatenation unit 123, a reconstruction unit 224, a verification value generation unit 225, a determination unit 226, a division unit 229, a storage 127, and a control unit 128 and executes each processing under control of the control unit 128. Information output from each processing unit of the reconstructing device 22 is stored in the storage 127 and is read therefrom when necessary and input to another processing unit.

(34) <Share Generation Method>

(35) A share generation method which is performed by the share generating device 21-A.sub.i (FIG. 2) will be described using FIG. 4. First, in place of the share generating device 11-A.sub.i, the share generating device 21-A.sub.i executes the processing from Steps S111-A.sub.i to S115-A.sub.i described in the first embodiment. It is to be noted that, in the present embodiment, N and m are integers greater than or equal to 3.

(36) Next, the joint possession unit 215-A.sub.i of each share generating device 21-A.sub.i possesses an arbitrary value t.sub.i(−−)∈F.sup.v jointly with a joint possession unit 215-A.sub.i(−−) of a share generating device 21-A.sub.i(−−), possesses an arbitrary value t.sub.i∈F.sup.v jointly with a joint possession unit 215-A.sub.i(++) of a share generating device 21-A.sub.i(++), possesses an arbitrary value u.sub.i(−−)∈F.sup.v jointly with a joint possession unit 215-A.sub.i(+) of a share generating device 21-A.sub.i(+), and possesses an arbitrary value u.sub.i(−)∈F.sup.v jointly with a joint possession unit 215-A.sub.i(−−) of a share generating device 21-A.sub.i(−−). That is, the joint possession unit 215-A.sub.i and the joint possession unit 215-A.sub.i(−−) obtain the same arbitrary value t.sub.i(−−), the joint possession unit 215-A.sub.i and the joint possession unit 215-A.sub.i(++) obtain the same arbitrary value t.sub.i, the joint possession unit 215-A.sub.i(−) and the joint possession unit 215-A.sub.i(+) obtain the same arbitrary value u.sub.i(−−), and the joint possession unit 215-A.sub.i and the joint possession unit 215-A.sub.i(−) obtain the same arbitrary value u.sub.i(−). It is to be noted that v is an integer greater than or equal to 1 and, for example, v=1 holds. A greater data amount reduction effect can be achieved if v is less than or equal to in (for instance, v is less than m). i(+)=i+1 mod N, i(−)=i−1 mod N, i(++)=i+2 mod N, and i(−−)=i−2 mod N hold. Joint possession of an arbitrary value γ between a joint possession unit β.sub.1 and a joint possession unit β.sub.2 may be performed by transmission of the arbitrary value γ or information for identification of the arbitrary value γ from the joint possession unit β.sub.1 to the joint possession unit β.sub.2 or may be performed by transmission of the arbitrary value γ or information for identification of the arbitrary value γ from the joint possession unit β.sub.2 to the joint possession unit β.sub.1, or the joint possession unit β.sub.1 and the joint possession unit β.sub.2 may jointly possess the arbitrary value γ by jointly possessing a common seed value and executing the same processing using the common seed value. The arbitrary values t.sub.i(−−), t.sub.i, u.sub.i(−−), and u.sub.i(−−) may be random numbers (pseudo random numbers or true random numbers), values obtained by other processing, or values selected from a plurality of predetermined values. Joint possession of the arbitrary values t.sub.i(−−), t.sub.i, u.sub.i(−−), and u.sub.i(−) may be performed when any one of the processing from Steps S111-A.sub.i to S115-A.sub.i is executed, in response to requests from the other joint possession units 215-A.sub.i(−−), 215-A.sub.i(++), 215-A.sub.i(+), and 215-A.sub.i(−), or in response to other events, or may be performed in advance. The joint possession unit 215-A.sub.i outputs the obtained arbitrary values t.sub.i(−−), t.sub.i, u.sub.i(−−), and u.sub.i(−) (Step S215-A.sub.i).

(37) The division unit 217-A.sub.i divides, using the share [x.sub.j].sub.i (j=0, . . . , N−1) output from the division unit 111-A.sub.i as input, the share [x.sub.j].sub.i into m(j) shares [(x.sub.j).sub.0].sub.i, . . . , [(x.sub.j).sub.m(j)−1].sub.i∈F by secure computation and outputs the shares [(x.sub.j).sub.0].sub.i, . . . , [(x.sub.j).sub.m(j)−1].sub.i. To divide the share [x.sub.j].sub.i into m(j) shares [(x.sub.j).sub.0].sub.i, . . . , [(x.sub.j).sub.m(j)−1].sub.i∈F by secure computation, it is only necessary to, for instance, separate and divide the share [x.sub.j].sub.i directly into m(j) shares [(x.sub.j).sub.0].sub.i, . . . , [(x.sub.j).sub.m(j)−1].sub.i∈F. It is to be noted that, if [x.sub.j].sub.i∈F.sup.m(i) is a null value, [(x.sub.j).sub.0].sub.i, . . . , [(x.sub.j).sub.m(j)−1].sub.i are also null values (Step S217-A.sub.i).

(38) The arbitrary values t.sub.i(−−) and u.sub.i(−−) and the shares [(x.sub.j).sub.0].sub.i, . . . , [(x.sub.j).sub.m(j)−1].sub.i (j=0, . . . , N−1) are input to the checksum generation unit 218-A.sub.i. The checksum generation unit 218-A.sub.i (a first checksum generation unit) obtains checksums c.sub.i(−−), i and d.sub.i(−−), i in the following manner, using the arbitrary values t.sub.i(−−) and u.sub.i(−−) and the shares [(x.sub.j).sub.0].sub.i, . . . , [(x.sub.j).sub.m(j)−1].sub.i, and outputs the checksums c.sub.i(−−), i and d.sub.i(−−), i.
c.sub.i(−−),i==Σ.sub.0≤j<m′(i(−−)){t.sub.i(−−).sup.j+1[(x′.sub.i(−−)).sub.j].sub.i}+t.sub.i(−−).sup.m′(i(−−))[x′.sub.i(−−)).sub.m′(i(−−))−1].sub.i∈F.sup.v
d.sub.i(−−),i==Σ.sub.0≤j<m′(i(−−)){u.sub.i(−−).sup.j+1[(x′.sub.i(−−)).sub.j].sub.i}+u.sub.i(−−).sup.m′(i(−−))[x′.sub.i(−−)).sub.m′(i(−−))−1].sub.i∈F.sup.v
It is to be noted that δ=0, . . . , N−1 holds, ceil is a ceiling function, and m′(i) is ceil(m(i)/v). [(x′.sub.δ).sub.j].sub.i is ([(x.sub.δ).sub.vj].sub.i, [(x.sub.δ).sub.vj+1].sub.i, . . . , [(x.sub.δ).sub.v(j+1)−1)].sub.i)∈F.sup.v belonging to a set F.sup.v. Moreover, for j=m′(i)−1, if the number of [(x.sub.δ).sub.vj].sub.i, [(x.sub.δ).sub.vj+1].sub.i, . . . , [(x.sub.δ).sub.v(j+1)−1].sub.i is less than v, it is assumed that [(x′.sub.δ).sub.(m′(i)−1)].sub.i=([(x.sub.δ).sub.v(m′(i)−1)].sub.i, [(x.sub.δ).sub.v(m′(i)−1)+1].sub.i, . . . , [(x.sub.δ).sub.m(i)−1].sub.i, 0, . . . , 0)∈F.sup.v. The checksums c.sub.i(−−), i and d.sub.i(−−), i may be calculated on an extension field of the order v over basic field F. Σ.sub.0≤j<m′(i(−−)){β.sub.j} represents β.sub.0+ . . . +β.sub.m′(i(−−).sup.γ and β.sub.i(−−).sup.γ represents (β.sub.i(−−)).sup.γ (Steps S2181-A.sub.i and S2182-A.sub.i).

(39) The arbitrary values t.sub.i and u.sub.i(−) and the shares [(x.sub.j).sub.0].sub.i, . . . , [(x.sub.j).sub.m(j)−1].sub.i (j=0, . . . , N−1) are input to the checksum generation unit 219-A.sub.i. The checksum generation unit 219-A.sub.i (a second checksum generation unit) obtains checksums c.sub.i, i and d.sub.i(−), i in the following manner, using the arbitrary values t.sub.i and u.sub.i(−) and the shares [(x.sub.j).sub.0].sub.i, . . . , [(x.sub.j).sub.m(j)−1].sub.i, and outputs the checksums c.sub.i, i and d.sub.i(−), i.
c.sub.i,i=Σ.sub.0≤j<m′(i){t.sub.i.sup.j+1[(x′.sub.i).sub.j].sub.i}+t.sub.i.sup.m′(i)+1[(x′.sub.i).sub.m′(i)−1].sub.i∈F.sup.v
d.sub.i,i=Σ.sub.0≤j<m′(i){u.sub.i.sup.j+1[(x′.sub.i).sub.j].sub.i}+u.sub.i.sup.m′(i)+1[(x′.sub.i).sub.m′(i)−1].sub.i∈F.sup.v
It is to be noted that β.sub.i.sup.γ represents (β.sub.i).sup.γ and β.sub.i(−).sup.γ represents (β.sub.i(−)).sup.γ. The checksums c.sub.i, i and d.sub.i(−), i may be calculated on an extension field of the order v over basic field F (Steps 2191-A.sub.i and S2192-A.sub.i).

(40) The seed s.sub.i output from the seed obtaining unit 112-A.sub.i, the calculated value z.sub.i output from the secure computation unit 115-A.sub.i, the arbitrary values t.sub.i(−−), t.sub.i, u.sub.i(−−), and u.sub.i(−) output from the joint possession unit 215-A.sub.i, the checksums c.sub.i(−−), and d.sub.i(−−), output from the checksum generation unit 218-A.sub.i, and the checksums c.sub.i, i and d.sub.i(−), i output from the checksum generation unit 219-A.sub.i are input to the share generation unit 216-A.sub.j. The share generation unit 216-A.sub.i obtains information containing the seed s.sub.i, the calculated value z.sub.i, the arbitrary values t.sub.i(−−), t.sub.i, u.sub.i(−−), and u.sub.i(−), and the checksums c.sub.i(−−), i, d.sub.i(−−), i, c.sub.i, i, and d.sub.i(−), i as a share SS.sub.i of the plaintext x in secret sharing and outputs the share SS.sub.i (Step S216-A.sub.i).

(41) The share SS.sub.i output from the share generation unit 216-A.sub.i is input to the communication unit 118-A.sub.i. The communication unit 118-A.sub.i outputs the share SS.sub.i to the reconstructing device 22. The output share SS.sub.i is transmitted to the reconstructing device 22 through the network. The size of the seed s.sub.i, N, and v do not depend on m. In (2, N)-Shamir's secret sharing, the order of magnitude of the total share size (the total share size which is transmitted) that relates to the data size in of the plaintext x is O(Nm); in the present embodiment, the order of magnitude of the total share size that relates to the data size m of the plaintext x is just O(m). The size of each share is O(m/N). For example, the total amount of data of the share SS.sub.i which is transmitted from each share generating device 21-A.sub.i (i=0, . . . , N−1) is less than N times the amount of data of the plaintext x. For instance, the amount of data of each share SS.sub.i is smaller than the amount of data of the plaintext x (Step S218-A.sub.i).

(42) <Reconstruction Method>

(43) A reconstruction method which is performed by the reconstructing device 22 (FIG. 3) of the present embodiment will be described using FIG. 5. N shares SS.sub.0, . . . , SS.sub.N−1 output from the share generating devices 21-A.sub.0, . . . , 21-A.sub.N−1 are received (accepted) by the communication unit 221 (an input unit) of the reconstructing device 22 and output (Step S221).

(44) Next, as described in the first embodiment, the arithmetic unit 122 obtains a member x.sub.i=z.sub.i−P.sub.m(i)(s.sub.i(+))∈F.sup.m(i) using the calculated value z.sub.i contained in the share SS.sub.i and a seed s.sub.i(+) contained in a share SS.sub.i(+) and outputs the member x.sub.i (Step S122).

(45) The checksums c.sub.i(−−), i, d.sub.i(−−), i, c.sub.i, i, and d.sub.i(−−), i contained in each share SS.sub.i (i=0, . . . , N−1) are input to the reconstruction unit 224. The reconstruction unit 224 reconstructs a checksum c.sub.i=Σ.sub.0≤j<m′(i){t.sub.i.sup.j+1(x′.sub.i).sub.j}+t.sub.i.sup.m′(i)+1(x′.sub.i).sub.m′(i)−1 using the checksum c.sub.i, i contained in the share SS.sub.i and a checksum c.sub.i, i(++) contained in a share SS.sub.i(++) as shares in accordance with Shamir's secret sharing scheme (the 2-out-of-N threshold secret sharing scheme) described above and outputs the checksum c.sub.i. Likewise, the reconstruction unit 224 reconstructs a checksum d.sub.i=Σ.sub.0≤j<m′(i){u.sub.i.sup.j+1(x′.sub.i).sub.j}+u.sub.i.sup.m′(i)+1(x′.sub.i).sub.m′(i)−1 using a checksum d.sub.i, i(+) contained in the share SS.sub.i(+) and a checksum d.sub.i, i(++) contained in the share SS.sub.i(++) as shares in accordance with Shamir's secret sharing scheme described above and outputs the checksum d.sub.i. Here, c.sub.i, i(++)=Σ.sub.0≤j<m′(i){t.sub.i.sup.j+1[(x′.sub.i).sub.j].sub.i(++)}+t.sub.i.sup.m(i)+1[(x′.sub.i).sub.m′(i)−1].sub.i(++) contained in the share SS.sub.i(++) and c.sub.i, i=Σ.sub.0≤j<m′(i){t.sub.i.sup.j+1[(x′.sub.i).sub.j].sub.i}+t.sub.i.sup.m(i)+1[(x′.sub.i).sub.m′(i)−1].sub.i contained in the share SS.sub.i are shares of the checksum c.sub.i=Σ.sub.0≤j<m′(i){t.sub.i.sup.j+1(x′.sub.i).sub.j}+t.sub.i.sup.m′(i)+1(x′.sub.i).sub.m′(i)−1 in accordance with Shamir's secret sharing scheme described above. Thus, the reconstruction unit 224 can reconstruct the checksum c.sub.i from c.sub.i, i(++), c.sub.i, i, and the Lagrange coefficients. Moreover, d.sub.i, i(+)=Σ.sub.0≤j<m′(i){u.sub.i.sup.j+1[(x′.sub.i).sub.j].sub.i(+)}+u.sub.i.sup.m(i)+1[(x′.sub.i).sub.m′(i)−1].sub.i(+) contained in the share SS.sub.i(+) and d.sub.i, i(++)=Σ.sub.0≤j<m′(i){u.sub.i.sup.j+1[(x′.sub.i).sub.j].sub.i(++)}+u.sub.i.sup.m′(i)+1[(x′.sub.i).sub.m(i)−1].sub.i(++) contained in the share SS.sub.i(++) are shares of the checksum d.sub.i=Σ.sub.0≤j<m′(i){u.sub.i.sup.j+1(x′.sub.i).sub.j}+u.sub.i.sup.m′(i)+1(x′.sub.i).sub.m′(i)−1 in accordance with Shamir's secret sharing scheme described above. Thus, the reconstruction unit 224 can reconstruct the checksum d.sub.i from d.sub.i, i(+), d.sub.i, i(++), and the Lagrange coefficients (Steps S2241 and S2242).

(46) The member x.sub.i output from the arithmetic unit 122 is input to a division unit 229. The division unit 229 divides the member x.sub.i∈F.sup.m(i) into m(i) sub-members (x.sub.i).sub.0, . . . , (x.sub.i).sub.m(i)−1∈F and outputs the m(i) sub-members (x.sub.i).sub.0, . . . , (x.sub.i).sub.m(i)−1. For example, the member x.sub.i is expressed as a sequence (x.sub.i).sub.0| . . . |(x.sub.i).sub.m(i)−1 obtained by arranging the m(i) sub-members (x.sub.i).sub.0, . . . , (x.sub.i).sub.m(i)−1, and the division unit 229 divides x.sub.i=(x.sub.i).sub.0| . . . |(x.sub.i).sub.m(i)−1 into the sub-members (x.sub.i).sub.0, . . . , (x.sub.i).sub.m(i)−1 (Step S229).

(47) The arbitrary value t.sub.i contained in the share SS.sub.i or SS.sub.i(++), the arbitrary value u.sub.i contained in the share SS.sub.i(+) or SS.sub.i(++), and the sub-members (x.sub.i).sub.0, . . . , (x.sub.i).sub.m(i)−1 output from the division unit 229 are input to the verification value generation unit 225. The verification value generation unit 225 obtains verification values vc.sub.i and vd.sub.i in the following manner, using the arbitrary values t.sub.i and u.sub.i and the sub-members (x.sub.i).sub.0, . . . , (x.sub.i).sub.m(i)−1, and outputs the verification values vc.sub.i and vd.sub.i.
vc.sub.i=Σ.sub.0≤j<m′(i){t.sub.i.sup.j+1(x′.sub.i).sub.j}+t.sub.i.sup.m′(i)+1(x′.sub.i).sub.m(i)−1∈F.sup.v
vd.sub.i=Σ.sub.0≤j<m′(i){u.sub.i.sup.j+1(x′.sub.i).sub.j}+u.sub.i.sup.m′(i)+1(x′.sub.i).sub.m(i)−1∈F.sup.v
It is to be noted that m′(i) is ceil(m(i)/v), (x′.sub.i).sub.j is ((x.sub.i).sub.vj, (x.sub.i).sub.vj+1, . . . , (x.sub.i).sub.v(j+1)−1)∈F.sup.v belonging to the set F.sup.v, and β.sub.i.sup.γ represents (β.sub.i).sup.γ (Step S2251, S2252).

(48) The checksums c.sub.i and d.sub.i output from the reconstruction unit 224 and the verification values vc.sub.i and vd.sub.i output from the verification value generation unit 225 are input to the determination unit 226. The determination unit 226 determines whether c.sub.i=vc.sub.i is satisfied for all i=0, . . . , N−1 (Step S2261). When a determination is made that c.sub.i≠vc.sub.i for any i, the control unit 128 makes the processing terminate with an error message (Step S2263). On the other hand, when a determination is made that c.sub.i=vc.sub.i is satisfied for all i=0, . . . , N−1, the determination unit 226 determines whether d.sub.i=vd.sub.i is satisfied for all i=0, . . . , N−1 (Step S2262). When a determination is made that d.sub.i≠vd.sub.i for any i, the control unit 128 makes the processing terminate with an error message (Step S2263). On the other hand, when a determination is made that d.sub.i=vd.sub.i is satisfied for all i=0, . . . , N−1, the members x.sub.0, . . . , x.sub.N−1 obtained in the arithmetic unit 122 are input to the concatenation unit 123. In this case, as described in the first embodiment, the concatenation unit 123 obtains a reconstructed value x obtained by concatenating the members x.sub.0, . . . , x.sub.N−1 to one another and outputs the reconstructed value x (Step S123).

Features of the Present Embodiment

(49) Also in the present embodiment, it is possible to make the total amount of communication data smaller than that of shares in accordance with Shamir's secret sharing scheme. Each share generating device 21-A.sub.i can obtain the share SS.sub.i whose amount of data is small from the share [x].sub.i in accordance with Shamir's secret sharing scheme without obtaining information on the plaintext x. The reconstructing device 22 can reconstruct the plaintext x using the N shares SS.sub.0, . . . , SS.sub.N−1.

(50) Furthermore, in the present embodiment, the share SS.sub.i contains checksums and the reconstructing device 22 performs verification of the checksums. Thus, the reconstructing device 22 can detect unauthorized processing performed in any share generating device 21-A.sub.i. Moreover, since the reconstructing device 22 verifies two types of checksums, the checksums c.sub.i and d.sub.i, for each i=0, . . . , N−1, it is also possible to detect the generation of an unauthorized checksum in any share generating device 21-A.sub.i.

First Modification of the Second Embodiment

(51) In the second embodiment, when a determination is made in Step S2261 that c.sub.i=vc.sub.i is satisfied, a determination as to whether d.sub.i=vd.sub.i is satisfied is made in Step S2262. However, other determination processing may be performed, as long as processing in Step S123 is executed when c.sub.i=vc.sub.i and d.sub.i=vd.sub.i are satisfied for all i=0, . . . , N−1; otherwise Step S2263 is executed.

Second Modification of the Second Embodiment

(52) In the second embodiment, the reconstructing device 22 verifies two types of checksums, the checksums c.sub.i and d.sub.i. However, the reconstructing device 22 may be configured so as to verify only one of the checksums c.sub.i and d.sub.i. Processing in this case is as follows.

(53) <Share Generation Method>

(54) After the processing from Steps S111-A.sub.i to S115-A.sub.i is executed, in place of the processing in Step S215-A.sub.i, (Processing I) the joint possession unit 215-A.sub.i of each share generating device 21-A.sub.i possesses the arbitrary value t.sub.i(−−)∈F jointly with the joint possession unit 215-A.sub.i(−−) of the share generating device 21-A.sub.i(−−) and possesses the arbitrary value t.sub.i∈F jointly with the joint possession unit 215-A.sub.i(++) of the share generating device 21-A.sub.i(++) or (Processing 11) the joint possession unit 215-A.sub.i of each share generating device 21-A.sub.i possesses the arbitrary value u.sub.i(−−)∈F jointly with the joint possession unit 215-A.sub.i(+) of the share generating device 21-A.sub.i(+) and possesses the arbitrary value u.sub.i(−)∈F jointly with the joint possession unit 215-A.sub.i(−) of the share generating device 21-A.sub.i(−). Only Processing I is executed for all i=0, . . . , N−1 or only Processing II is executed for all i=0, . . . , N−1.

(55) Next, the division unit 217-A.sub.i executes the processing in Step S217-A.sub.i.

(56) Then, the following processing is executed depending on Processing I or Processing II. When joint possession of the arbitrary value t.sub.i(−−) has been performed by the joint possession unit 215-A.sub.i (Processing I), the checksum generation unit 218-A.sub.i performs Step S2181-A.sub.i described above, and obtains the checksum c.sub.i(−−), i=Σ.sub.0≤j<m′i(−−){t.sub.i(−−).sup.j+1[(x′.sub.i(−−)).sub.j].sub.i}+t.sub.i(−−).sup.m′(i(−−)+1[(x′.sub.i(−−))−1].sub.i∈F.sup.v and outputs the checksum c.sub.i(−−), i. In this case, the processing in Step S2182-A.sub.i described above is not executed.

(57) On the other hand, when joint possession of the arbitrary value u.sub.i(−−) has been performed by the joint possession unit 215-A.sub.i (Processing II), the checksum generation unit 218-A.sub.i performs Step S2182-A.sub.i described above, and obtains the checksum d.sub.i(−−), i=Σ.sub.0≤j<m′(i(−−){u.sub.i(−−).sup.j+1[(x′.sub.j(−−)).sub.j].sub.i}+u.sub.i(−−).sup.m′(i(−−)+1[(x′.sub.i(−−)).sub.m′(i(−−))−1].sub.i∈F.sup.v and outputs the checksum d.sub.i(−−), i. In this case, the processing in Step S2181-A.sub.i described above is not executed.

(58) Next, when joint possession of the arbitrary value t.sub.i has been performed by the joint possession unit 215-A.sub.i (Processing I), the checksum generation unit 219-A.sub.i performs Step S2191-A.sub.i described above, and obtains the checksum c.sub.i, i=Σ.sub.0≤j<m′(i){t.sub.i.sup.j+1[(x′.sub.i).sub.j].sub.i}+t.sub.i.sup.m′(i)+1[(x′.sub.i).sub.m′(i)−1].sub.i∈F.sup.v and outputs the checksum c.sub.i, i. In this case, the processing in Step S2192-A.sub.i described above is not executed.

(59) On the other hand, when joint possession of the arbitrary value u.sub.i(−) has been performed by the joint possession unit 215-A.sub.i (Processing II), the checksum generation unit 219-A.sub.i performs Step S2192-A.sub.i described above, and obtains the checksum d.sub.i(−), i=Σ.sub.0≤j<m′(i){u.sub.i(−).sup.j+1[(x′.sub.i(−)).sub.j].sub.i}+u.sub.i(−).sup.m′(i(−))+1[(x′.sub.i(−)).sub.m′(i(−))−1].sub.i∈F.sup.v and outputs the checksum d.sub.i(−), i. In this case, the processing in Step S2191-A.sub.i described above is not executed.

(60) Then, in place of the processing in Step S216-A.sub.i, the following processing is executed depending on Processing I or Processing II. When joint possession of the arbitrary value t.sub.i(−−) and the arbitrary value t.sub.i has been performed by the joint possession unit 215-A.sub.i (Processing I), the share generation unit 216-A.sub.i obtains information containing the seed s.sub.i, the calculated value z.sub.i, the arbitrary value t.sub.i(−−), the arbitrary value t.sub.i, the checksum c.sub.i(−−), i, and the checksum c.sub.i, i as the share SS.sub.i and outputs the share SS.sub.i. On the other hand, when joint possession of the arbitrary value u.sub.i(−−) and the arbitrary value u.sub.i(−) has been performed by the joint possession unit 215-A.sub.i (Processing II), the share generation unit 216-A.sub.i obtains information containing the seed s.sub.i, the calculated value z.sub.i, the arbitrary value u.sub.i(−−), the arbitrary value u.sub.i(−), the checksum d.sub.i(−−), i, and the checksum d.sub.i(−), i as the share SS.sub.i and outputs the share SS.sub.i. Then, the processing in Step S218-A.sub.i is executed.

(61) <Reconstruction Method>

(62) After the processing in Steps S221 and S122 is executed, the reconstruction unit 224 performs the following processing. When the share SS.sub.i contains the checksum c.sub.i, i and the share SS.sub.i(++) contains the checksum c.sub.i, i(++) (Processing 1), the reconstruction unit 224 executes Step S2241, and reconstructs the checksum c.sub.i using the checksum c.sub.i, i and the checksum c.sub.i, i(++) as shares in accordance with Shamir's secret sharing scheme and outputs the checksum c.sub.i. In this case, the processing in Step S2242 described above is not executed.

(63) On the other hand, when the share SS.sub.i(+) contains the checksum d.sub.i, i(+) and the share SS.sub.i(++) contains the checksum d.sub.i, i(++) (Processing II), the reconstruction unit 224 executes Step S2242, and reconstructs the checksum d.sub.i using the checksum d.sub.i, i(+) and the checksum d.sub.i, i(++) as shares in accordance with Shamir's secret sharing scheme and outputs the checksum d.sub.i. In this case, the processing in Step S2241 described above is not executed.

(64) Next, the division unit 229 executes the processing in Step S229.

(65) Then, the following processing is executed depending on Processing I or Processing II. When the checksum c.sub.i has been reconstructed (Processing I), the verification value generation unit 225 executes the processing in Step S2251, and obtains the verification value vc.sub.i=Σ.sub.0≤j<m′(i){t.sub.i.sup.j+1(x′.sub.i).sub.j}+t.sub.i.sup.m′(i)+1(x′.sub.i).sub.m′(i)−1∈F.sup.v and outputs the verification value vc.sub.i. In this case, the processing in Step S2252 described above is not executed. On the other hand, when the checksum d.sub.i has been reconstructed (Processing II), the verification value generation unit 225 executes the processing in Step S2252, and obtains the verification value vd.sub.i=Σ.sub.0≤j<m′(i){u.sub.i.sup.j+1(x′.sub.i).sub.j}+u.sub.i.sup.m′(i)+1(x′.sub.i).sub.m′(i)−1∈F.sup.v and outputs the verification value vd.sub.i. In this case, the processing in Step S2251 described above is not executed.

(66) Then, the following processing is executed depending on Processing I or Processing II. If the checksum c.sub.i has been reconstructed (Processing I), the determination unit 226 determines in Step S2261 whether c.sub.i=vc.sub.i is satisfied for all i=0, . . . , N−1. The processing in Step S2262 is not executed in this case. If a determination is made that c.sub.i≠vc.sub.i for any i, the control unit 128 makes the processing terminate with an error message (Step S2263). On the other hand, if a determination is made that c.sub.i=vc.sub.i is satisfied for all i=0, . . . , N−1, the procedure proceeds to Step S123. On the other hand, if the checksum d.sub.i has been reconstructed (Processing II), the determination unit 226 determines in Step S2262 whether d.sub.i=vd.sub.i is satisfied for all i=0, . . . , N−1. The processing in Step S2261 is not executed in this case. If a determination is made that d.sub.i≠vd.sub.i for any i, the control unit 128 makes the processing terminate with an error message (Step S2263). On the other hand, if a determination is made that d.sub.i=vd.sub.i is satisfied for all i=0, . . . , N−1, the procedure proceeds to Step S123.

(67) [Other Modifications and so Forth]

(68) It is to be noted that the present invention is not limited to the foregoing embodiments. For example, the above-described various kinds of processing may be executed, in addition to being executed in chronological order in accordance with the descriptions, in parallel or individually depending on the processing power of a device that executes the processing or when necessary. In addition, it goes without saying that changes may be made as appropriate without departing from the spirit of the present invention.

(69) The above-described each device is embodied by execution of a predetermined program by a general- or special-purpose computer having a processor (hardware processor) such as a central processing unit (CPU), memories such as random-access memory (RAM) and read-only memory (ROM), and the like, for example. The computer may have one processor and one memory or have multiple processors and memories. The program may be installed on the computer or pre-recorded on the ROM and the like. Also, some or all of the processing units may be embodied using an electronic circuit that implements processing functions without using programs, rather than an electronic circuit (circuitry) that implements functional components by loading of programs like a CPU. An electronic circuit constituting a single device may include multiple CPUs.

(70) When the above-described configurations are implemented by a computer, the processing details of the functions supposed to be provided in each device are described by a program. As a result of this program being executed by the computer, the above-described processing functions are implemented on the computer. The program describing the processing details can be recorded on a computer-readable recording medium. An example of the computer-readable recording medium is a non-transitory recording medium. Examples of such a recording medium include a magnetic recording device, an optical disk, a magneto-optical recording medium, and semiconductor memory.

(71) The distribution of this program is performed by, for example, selling, transferring, or lending a portable recording medium such as a DVD or a CD-ROM on which the program is recorded. Furthermore, a configuration may be adopted in which this program is distributed by storing the program in a storage device of a server computer and transferring the program to other computers from the server computer via a network.

(72) The computer that executes such a program first, for example, temporarily stores the program recorded on the portable recording medium or the program transferred from the server computer in a storage device thereof. At the time of execution of processing, the computer reads the program stored in the storage device thereof and executes the processing in accordance with the read program. As another mode of execution of this program, the computer may read the program directly from the portable recording medium and execute the processing in accordance with the program and, furthermore, every time the program is transferred to the computer from the server computer, the computer may sequentially execute the processing in accordance with the received program. A configuration may be adopted in which the transfer of a program to the computer from the server computer is not performed and the above-described processing is executed by so-called application service provider (ASP)-type service by which the processing functions are implemented only by an instruction for execution thereof and result acquisition.

(73) Instead of executing a predetermined program on the computer to implement the processing functions of the present devices, at least some of the processing functions may be implemented by hardware.

DESCRIPTION OF REFERENCE NUMERALS

(74) 1 secure computation system 11-A.sub.i, 21-A.sub.i share generating device 12, 22 reconstructing device

Share generating device, reconstructing device, secure computation system, share generation method, reconstruction method, program, and recording medium

Assignee

Inventors

Cpc classification

Classification Explorer

G09C1/00

PHYSICS

Classification Explorer

H04L9/0861

ELECTRICITY

Classification Explorer

H04L9/085

ELECTRICITY

Classification Explorer

H04L2209/46

ELECTRICITY

Classification Explorer

H04L9/008

ELECTRICITY

Classification Explorer

G09C1/04

PHYSICS

International classification

Classification Explorer

H04L9/08

ELECTRICITY

Classification Explorer

G09C1/04

PHYSICS

Classification Explorer

H04L9/00

ELECTRICITY

Abstract

Claims

Description