JP5592513B2 - Data originality ensuring method and system, and data originality ensuring program - Google Patents

Description

  The present invention relates to a data originality ensuring method and system for storing data while ensuring its originality, and a data originality ensuring program.

  Along with the development of IT, there is a great increase in opportunities to connect one's own terminal to a communication network such as the Internet, and to communicate data to another terminal connected to the communication network via the communication network.

  At this time, since the terminal is connected to the communication network, a malicious third party (such as a hacker) accesses the terminal via the third party terminal connected to the communication network and is stored in the terminal. There is a risk of falsifying existing data, and it is necessary to ensure the originality of the falsified data (no intentional or negligent falsification and complete content).

  In this regard, conventionally, a technique has been introduced in which data alteration can be detected using an electronic signature to ensure originality (see, for example, Non-Patent Document 1).

  That is, according to the originality ensuring method using the electronic signature technique, Mr. A who is a data transmission source receives an electronic certificate containing a public key guaranteed in advance by a certification authority (CA).

  Then, Mr. A creates an electronic signature for data to be transmitted (also referred to as a data body), and transmits data (data body + electronic signature + electronic certificate) including the created electronic signature to Mr. B.

  Mr. B compares the hash value generated from the data body of the received data with the value obtained by decrypting the electronic signature with the public key included in Mr. A's electronic certificate received from Mr. A. Thus, it is determined whether or not the data has been falsified.

"PKI-related technical explanation", [online], December 12, 2002, Information processing promotion business association, [April 11, 2003 search], Internet <URL: http: //www.ipa.go. jp / security / pki / index.html>

  However, according to the originality ensuring method using the electronic signature technique, when the data received on Mr. B side is stored for a long period of time, there is a risk that the data is falsified due to the compromise of the secret key.

  Therefore, in the method of ensuring originality using the electronic signature technology, an electronic certificate issued from the certificate authority has a predetermined expiration date, and Mr. A revisits the private key and public key before the expiration date. Is generated, and an electronic certificate is issued from the certificate authority for the public key, and data with an electronic signature is generated again using a new private key.

  However, the above-described reissue process of the electronic certificate from the certificate authority based on the validity period of the electronic certificate and the process for creating the data with the electronic signature using the new private key are very time-consuming and time-consuming. Every time, the above-described re-issuance processing of the electronic certificate and data creation processing with the electronic signature must be repeatedly performed, and development of a method that can store data while ensuring its originality more easily has been awaited.

  The present invention has been made in view of the circumstances described above, and provides a data originality ensuring method and system, and a data originality ensuring program capable of storing data with its originality more easily secured. Its purpose is to provide.

  In order to achieve the above-described object, the present invention provides a data originality ensuring system for storing data while ensuring its originality, as described in claim 1, wherein the data is stored using a secret sharing method. The data division unit for dividing the data into a plurality of divided data that can be restored, and a plurality of hardware independent storage units for storing the plurality of divided data, respectively, are provided. .

  The invention described in claim 2 is characterized in that the data dividing unit generates an identification data generating unit that generates identification data that can uniquely identify the data main body from the data main body that is an originality assurance target; A gist is provided with a dividing unit that divides the data combined with the data body using a secret sharing method.

  The gist of the invention described in claim 3 is that the identification data generation unit includes a generation unit that generates a hash value of the data body using a predetermined hash function as the identification data.

  According to a fourth aspect of the present invention, the data dividing unit generates division identification data that can uniquely identify the entire data from the entire data obtained by adding management information related to data division to each divided data. The gist of the plurality of storage units is to store the divided data, management information related to the data division, and the division identification data, respectively.

  The invention described in claim 5 is a data restoration unit that reads the plurality of divided data from the plurality of storage units, respectively, and restores the data body and the identification data from the plurality of read divided data by a secret sharing method, And a confirmation unit that regenerates the identification data from the restored data body and confirms whether the regenerated identification data matches the restored identification data. .

  The invention described in claim 6 reads the divided data, the management information related to the data division, and the division identification data from the plurality of storage units, respectively, and the data body and the data by the secret sharing method from the plurality of read divided data A data restoring unit for restoring each of the identification data, and regenerating the identification data from the restored data body, and confirming whether or not the regenerated identification data and the restored identification data match. The division identification data is regenerated from the entire data including the read data divided and the management information related to the data division for each of the plurality of pieces of divided data, and the regenerated division identification data And a second confirmation unit that confirms whether or not the read division identification data matches. .

  The invention described in claim 7 reads the plurality of pieces of divided data from the plurality of storage units, restores the plurality of pieces of data by combining the read pieces of divided data in different combinations, and the restored pieces of data The gist of the present invention is that it further includes a restoration confirmation unit for confirming whether or not they match each other.

  The invention described in claim 8 is a data originality ensuring method for storing data while ensuring its originality, and each of the data is divided into a plurality of divided data that can be restored using a secret sharing method. The gist of the invention is that the method includes a step of dividing, and a step of storing a plurality of divided pieces of divided data in a plurality of storage devices independent in hardware.

  The invention described in claim 9 is characterized in that the dividing step generates identification data that can uniquely identify the data body from the data body that is an object of securing originality, the generated identification data, and the data body. And a step of dividing the data obtained by combining the two using a secret sharing method.

  The invention described in claim 10 is a computer-readable data originality ensuring program for ensuring the originality of the data and storing the data, wherein the data is stored in the computer using a secret sharing method. Data division processing for dividing the data into a plurality of divided data that can be restored, and storage processing for storing the divided pieces of divided data in a plurality of hardware independent storage devices that can communicate with the computer The gist is to execute each of the above.

  According to an eleventh aspect of the present invention, the division processing includes identification data generation processing for generating identification data that can uniquely identify the data main body, from the data main body that is an originality assurance target, the generated identification data, A gist of the present invention is that it includes a division process for dividing the data combined with the data body using a secret sharing method.

  The gist of the invention described in claim 12 is that the identification data generation process generates a hash value as the identification data by using a predetermined hash function for the data body.

  According to a thirteenth aspect of the present invention, the data division process generates division identification data that can uniquely identify the entire data from the entire data obtained by combining each divided data with management information related to data division. The gist of the storage process is to store the divided data, management information related to the data division, and the division identification data in the plurality of storage devices, respectively.

  According to a fourteenth aspect of the present invention, there is provided a data restoration process in which the plurality of divided data are read from the plurality of storage devices, respectively, and the data body and the identification data are restored from the plurality of read divided data by a secret sharing method. Regenerating the identification data from the restored data body, and causing the computer to execute a confirmation process for confirming whether the regenerated identification data matches the restored identification data. The gist.

  The invention described in claim 15 reads the divided data, the management information related to the data division, and the division identification data from the plurality of storage devices, respectively, and the data body and the data by the secret sharing method from the plurality of read divided data A data restoration process for restoring each of the identification data, regenerating the identification data from the restored data body, and confirming whether or not the regenerated identification data matches the restored identification data The division identification data is regenerated from the entire data obtained by combining the confirmation processing of 1 and the read divided data and management information related to data division for each of the plurality of divided data, and the regenerated division identification data And a second confirmation process for confirming whether or not the read division identification data matches. And summarized in that to execute the over data.

  The invention described in claim 16 reads the plurality of pieces of divided data from the plurality of storage devices, restores the plurality of pieces of data by combining the read pieces of divided data in different combinations, and the restored pieces of data The gist is to further cause the computer to execute a restoration confirmation process for confirming whether or not they match each other.

  According to the data originality ensuring method and system and the data originality ensuring program according to the present invention, the data is divided into a plurality of divided data using the secret sharing method, and a plurality of storage units independent in hardware. Since each data is stored in the (storage device), even if at least a part of the data is falsified, it is possible to easily check whether the divided data is falsified from the divided data including the falsified data. .

  As a result, for example, even when data is stored for a long period of time, data is easily stored without repeating the reissue process of the electronic certificate and the data creation process with the electronic signature, as in the case of an electronic signature. can do.

1 is a block diagram showing a schematic configuration of a data originality ensuring system according to a first embodiment of the present invention. 3 is a schematic flowchart showing an example of data originality ensuring processing based on a data originality ensuring program in the data originality ensuring system according to the first embodiment of the present invention. The figure which shows roughly the data sequence in the data originality ensuring process shown in FIG. The block diagram which shows schematic structure of the data originality ensuring system concerning the 2nd Embodiment of this invention. The block diagram which shows schematic structure of the data originality ensuring system concerning the 3rd Embodiment of this invention. The schematic flowchart which shows an example of the data originality ensuring process based on the data originality ensuring program in the data originality ensuring system concerning the 3rd Embodiment of this invention. The figure which shows roughly the data sequence in the data originality ensuring process shown in FIG. The figure which shows the structure of the division | segmentation data in the 3rd Embodiment of this invention. The flowchart which shows the division | segmentation process in case the division | segmentation number n = 3 in the 3rd Embodiment of this invention. In the third embodiment of the present invention, 16-bit original data is divided into three parts with the number of divisions n = 3 based on the 8-bit processing unit bit length, and the original data is obtained from the definition formulas and the divided partial data. A table showing the formulas for restoring data. The table | surface which shows the defining formula which produces | generates the division data, division | segmentation partial data, and each division | segmentation partial data in the case of the division number n = 3 in the 3rd Embodiment of this invention. The flowchart which shows the general division | segmentation process in case the division number in the 3rd Embodiment of this invention is n and unit bit length is b. The block diagram which shows schematic structure of the data originality ensuring system concerning the modification of this invention.

  Embodiments of a data originality securing method and system and a data originality securing program according to the present invention will be described with reference to the accompanying drawings.

(First embodiment)
FIG. 1 is a block diagram showing a schematic configuration of a data originality ensuring system 1 according to the first embodiment of the present invention.

  As shown in FIG. 1, the data originality ensuring system 1 can communicate with a network N and a client computer (hereinafter simply referred to as a client) 2 that can connect to and communicate with a communication network N such as the Internet. And a plurality of (4 in this embodiment) data storage server computers (hereinafter simply referred to as storage servers) 3a1 to 3a4 that are independent of each other in terms of hardware.

  The client 2 includes a CPU as an arithmetic processing unit, an interface connected to the CPU and enabling communication between the CPU and the network N, an input unit for data input connected to the CPU, and a memory 10 connected to the CPU. Each has.

  The memory 10 stores data (for example, digital data of M (M is a natural number) bytes; hereinafter also referred to as original data) B to be stored with originality secured. The memory 10 is readable by the client 2 (its CPU), and data for causing the client 2 (its CPU) to execute an originality ensuring process (data storage process) shown in FIGS. 2 and 3 to be described later. An originality ensuring program P is installed.

  The data originality securing program P is mounted on various recording media such as a magnetic memory and a semiconductor memory, and is read from the recording media to the client 2 and loaded into the memory 10 as necessary. It is also possible to do.

  The client 2 has, as a function realized by the data originality ensuring program P, a hash value generation unit 11 that generates, for example, a hash value that can uniquely identify the original data B from the original data B stored in the memory 10. The divided data for dividing the data including the original data B and the hash value H using the secret sharing method to generate divided data D (1) to D (4) (in this embodiment, the number of divisions is 4). The generation unit 13, the original data restoration unit 15 that generates the original data B and the hash value H from the divided data D (1) to D (4), and the divided data D (1) to D (4) via the network N And a communication unit 17 for communication.

  Each of the storage servers 3a1 to 3a4 is connected to the CPU as an arithmetic processing unit, an interface connected to the CPU and enabling communication between the CPU and the network N, an input unit for data input connected to the CPU, and the CPU. And storage devices such as a memory and a hard disk.

  Next, the entire process of the data originality ensuring system 1 according to the present embodiment will be described.

  As shown in FIG. 2 and FIG. 3, the client 2 operates according to the data originality ensuring program P, and stores the originality stored in the memory 10 as the function of the hash value generation unit 11 while ensuring the originality. Data B is read from the memory 10, and a hash value H of the original data B is generated from the read original data B using a predetermined hash function (step S1).

  This hash value H has the property of showing a completely different value when the original data B is changed even by 1 bit, that is, the property of uniquely identifying the original data B.

  Next, as a function of the divided data generation unit 13, the client 2 divides the original data B including the generated hash value H into four data (divided data) D (1) to D (4) using the secret sharing method. (Step S2).

  Hereinafter, the divided data D (1) to D (4) generation processing based on the secret sharing method in step S2 will be described in detail.

  For example, Shamir's secret sharing method ((k, n) threshold method based on quadratic polynomial F (x) = ax2 + bx + B (mod p; represents the remainder when divided by p); where n represents the number of divisions Is assumed to be 4, and k representing the number that can be restored is assumed to be 3}. Here, B is the original data, and F (x) is the divided data. a, b, and p are arbitrarily determined when the original data B is divided. However, p is a prime number larger than a, b, and B.

  At this time, the divided data F (1) to F (4) {corresponding to the divided data D (1) to D (4)} is expressed by the following equations (1) to (4) by the divided data generation processing of the client 2. It is created like this.

F (1) = a + b + B (mod p) (1)
F (2) = 4a + 2b + B (mod p) (2)
F (3) = 9a + 3b + B (mod p) (3)
F (4) = 16a + 4b + B (mod p) (4)
Among the divided data F (1) to F (4), if divided data of k = 3 or more {for example, F (1), F (2), F (4)} is collected, the divided data F (1 ) = A + b + B (mod p) (1)
F (2) = 4a + 2b + B (mod p) (2)
F (4) = 16a + 4b + B (mod p) (4)
To obtain the original data B.

  And even if the divided data of k-1 or less gather, the original data B cannot be restored.

  When the original data B is a long data string, the client 2 sequentially creates F (1) to F (4) for each byte from the beginning of the original data B, for example, and generates divided data D (1). (F (1)) to D (4) (F (4)) are created.

  Then, the client 2 transmits the created divided data D (1) to D (4) as functions of the communication unit 17 to the storage servers 3a1 to 3a4 via the network N (step S3).

  Each storage server 3a1 to 3a4 stores the divided data D (1) to D (4) transmitted via the network N in a storage device such as a hard disk (step S5).

  In this way, the original data B can be stored in the storage servers 3a1 to 3a4 as the divided data D (1) to D (4) divided including the hash value H.

  Next, when confirming whether or not the divided data D (1) to D (4) stored in the storage servers 3a1 to 3a4 has been falsified, the client 2 uses the divided data D (1) to D (4). Are transmitted to the storage servers 3a1 to 3a4 (step S10).

  Each of the storage servers 3a1 to 3a4 reads and reads the respective divided data D (1) to D (4) stored in each storage device such as a hard disk from each storage device in response to the transmitted download request. Each divided data D (1) to D (4) is transmitted to the client 2 via the network N (step S11).

  The client 2 operates according to the data originality ensuring program P, and receives and receives the divided data D (1) to D (4) transmitted via the network N as a function of the original data restoration unit 15. Based on the divided data D (1) to D (4), the original data B1 and the hash value H1 are respectively restored by the secret sharing method (step S12).

  Next, as a function of the original data restoration unit 15, the client 2 regenerates the hash value H2 from the restored original data B1, compares the regenerated hash value H2 with the restored hash value H1, and determines whether or not they match. (Step S13).

  The processing of steps S12 and S13 will be specifically described.

  For example, some of the divided data F (1), F (2), F (3), and F (4) are altered {for example, F (2) to F (4) are Fa (2 ) To Fa (4)}.

At this time, the client 2 uses the following formula F (1) = a + b + B (mod p) (1)
Fa (2) = 4a + 2b + B (mod p) (2)
Fa (3) = 9a + 3b + B (mod p) (3)
Fa (4) = 16a + 4b + B (mod p) (4)
The original data B including the hash value H is restored by combining at least three expressions from among the two.

  However, since the divided data F (2) to F (4) are altered to the divided data Fa (2) to Fa (4), even if the divided data Fa (2) to Fa (4) are combined, Since the restored original data B1 is different from the original data B that is the object of securing the originality, the hash value H2 regenerated from the original data B1 is also different from the restored hash value H1. As a result, it is possible to confirm on the client 2 side that at least a part of the divided data D (1) to D (4) stored in the storage servers 3a1 to 3a4 has been falsified.

  As described above, according to the present embodiment, the original data B is divided into a plurality of divided data D (1) to D (4) using the secret sharing method and stored in the storage servers 3a1 to 3a4, respectively. Therefore, even when at least a part of the divided data D (1) to D (4) is falsified, the divided data D is divided from the divided data D (1) to D (4) including the falsified data. The presence or absence of tampering with respect to (1) to D (4) can be easily confirmed.

  As a result, for example, even when the original data B is stored for a long period of time, it is possible to easily perform the original data without repeating the reissue process of the electronic certificate and the data creation process with the electronic signature as in the case of the electronic signature. Data B can be stored.

  Further, according to the present embodiment, the original data B is divided into divided data D (1) to D (4) and stored in the storage servers 3a1 to 3a4. For example, the divided data D (1) to D Even when one divided data in (4) is falsified, the original data B can be restored using the remaining divided data.

  As a result, the originality of the original data B can be ensured more reliably.

(Second Embodiment)
FIG. 4 is a schematic flowchart showing an example of an originality ensuring process based on a data originality ensuring program in the data originality ensuring system according to the second embodiment of the present invention. Note that the configuration of the data originality ensuring system in the present embodiment is different in the contents of the data originality ensuring program and the processing of the client, and the other configurations are substantially the same as the configuration shown in FIG. The description is omitted.

  In the present embodiment, the client 2 reads, as a function of the divided data generation unit 13, the original data B stored in the memory 10, which is to be stored with the originality secured, from the memory 10, and the read original data B is secretly stored. The data is divided into four data (divided data) D (1) to D (4) using a distribution method (step S21).

  Note that the process of step S21 is substantially the same as the process of step S2.

  Next, as a function of the communication unit 17, the client 2 transmits the created divided data D (1) to D (4) to the storage servers 3a1 to 3a4 via the network N (step S22).

  Each storage server 3a1 to 3a4 stores the divided data D (1) to D (4) transmitted via the network N in a storage device such as a hard disk (step S23).

  In this way, the original data B can be stored in the storage servers 3a1 to 3a4 as the divided data D (1) to D (4).

  Next, when confirming whether or not the divided data D (1) to D (4) stored in the storage servers 3a1 to 3a4 has been falsified, the client 2 uses the divided data D (1) to D (4). Are transmitted to the storage servers 3a1 to 3a4 (step S30).

  Each of the storage servers 3a1 to 3a4 reads out and reads each of the divided data D (1) to D (4) stored in the storage device such as the hard disk from the storage device in response to the transmitted download request. The divided data D (1) to D (4) are transmitted to the client 2 via the network N (step S31).

  The client 2 receives the divided data D (1) to D (4) transmitted via the network N as a function of the original data restoration unit 15, and receives the received divided data D (1) to D (4). Are combined in different combinations by the secret sharing method to restore a plurality of original data B1 to Bm (in this embodiment, m = 2), and check whether the restored original data B1 to B2 match each other ( Step S32).

  The process of step S32 will be specifically described.

  The client 2 uses, for example, a predetermined combination of the divided data F (1), F (2), F (3), and F (4), for example, divided data F (1) to F (3). The original data B1 is restored by the secret sharing method, and then the original data B2 is restored by the secret sharing method using a combination different from the above combination, for example, the divided data F (2) to F (4).

  At this time, when falsification occurs in a part of the divided data F (1) to F (4), as described above, the restored original data B1 and B2 are the original data to be secured for originality. Unlike B, and the original data B1 and B2 combine the divided data F (1) to F (4) in different combinations, the restored original data B1 and B2 are different from each other.

  Therefore, in the client 2, at least part of the divided data D (1) to D (4) stored in the storage servers 3a1 to 3a4 has been falsified due to a mismatch between the restored original data B1 and original data B2. This can be confirmed on the client 2 side.

  In the present embodiment, divided data F (1) to F (3) and divided data F (2) to F (4) are combined as different combinations from the divided data F (1) to F (4). However, the present invention is not limited to this combination, and it is sufficient to select a plurality of combinations in which each of the four divided data D (1) to D (4) is used at least once for restoration. It is possible to confirm whether or not the original data restored based on the combination of each other matches.

(Third embodiment)
FIG. 5 is a block diagram showing a schematic configuration of a data originality ensuring system 4 according to the third embodiment of the present invention.

  As shown in FIG. 5, the data originality ensuring system 4 is communicably connected to a network N and a terminal 5 and a dividing device 6 that can connect to and communicate with a communication network N such as the Internet. A plurality of (3 in this embodiment) data storage server computers (hereinafter simply referred to as storage servers) 3a1 to 3a3 independent of each other in terms of hardware. With the above system configuration, the dividing device 6 divides the data into a plurality of divided data in response to a data storage request from the terminal 5 via the network N, and the divided plurality of divided data via the network N. The information is stored in a plurality of storage servers 3a1 to 3a3. The communication between the terminal 5 and the dividing device 6 and the communication between the dividing device 6 and each of the storage servers 3a1 to 3a3 are performed in order to prevent leakage of communication contents, such as SSL (Secure Socket Layer), IP- Communication data is encrypted by VPN (Virtual Private Network) or the like.

  The terminal 5 and the dividing device 6 are connected to a CPU as an arithmetic processing unit, an interface connected to the CPU and enabling communication between the CPU and the network N, an input unit for data input connected to the CPU, and the CPU. Each with its own memory.

  The terminal 5 transmits the data {for example, digital data of M (M is a natural number) bytes; hereinafter referred to as original data} B to be stored by the user while ensuring the originality, and the stored data Is received from the dividing device 6.

  The memory 10 of the dividing device 6 stores the original data B transmitted from the terminal 5. The memory 10 can be read by the dividing device 6 (its CPU), and the data originality for causing the dividing device 6 (its CPU) to execute data originality ensuring processing shown in FIGS. 6 and 7 to be described later. The securing program P3 is installed.

  The data originality ensuring program P3 is mounted on various recording media such as a magnetic memory and a semiconductor memory, and is read from the recording medium to the dividing device 6 and loaded into the memory as necessary. It is also possible to do.

  As a function realized by the data originality ensuring program P3, the dividing device 6 generates, for example, a hash value H that can uniquely identify the original data B from the original data B stored in the memory 10, and will be described later. A hash value generation unit 32 that generates the hash values h1 to h3, and a secret sharing method (secret sharing method different from the first and second embodiments) S described below for data including the original data B and the hash value H The divided data (hereinafter also referred to as a divided data main body) D (1) to D (3) (in this embodiment, the number of divisions is 3) is generated by dividing the generated data, and the divided data main body D (1 ) To D (3), header information, and divided data composed of hash values h1 to h3 generated from the entire content of the divided data body and the header information (hereinafter referred to as transmission divided data). (B) a divided data generating unit 33 for generating DD (1) to DD (3), and a random number generating unit 34 for generating random data used when generating the divided data bodies D (1) to D (3). The hash values h1 to h3 are regenerated from the divided data bodies D (1) to D (3) acquired from the storage servers 3a1 to 3a3 and the header information, and the hash value H is regenerated from the restored original data B. And a hash value confirmation unit 35 that confirms the authenticity of the data, and an original data restoration unit that generates the original data B and the hash value H from the divided data bodies D (1) to D (3) using the secret sharing method S 36 and a data transmission / reception unit 37 that transmits and receives the original data B and the transmission divided data DD (1) to DD (3) via the network N.

  Each of the storage servers 3a1 to 3a3 is connected to a CPU which is an arithmetic processing unit, an interface connected to the CPU and enabling communication between the CPU and the network N, an input unit for data input connected to the CPU, and the CPU. And storage devices such as a memory and a hard disk.

  Next, the entire process of the data originality ensuring system 4 according to the present embodiment will be described with reference to FIGS. Here, FIG. 6 is a flowchart showing a data originality ensuring process based on the data originality ensuring program P3 in the present embodiment, and FIG. 7 is a data sequence of the data originality ensuring process shown in FIG. .

  As shown in FIGS. 6 and 7, when the user specifies the original data B that the user wants to store and transmits the original data B from the terminal 5 to the dividing device 6, the dividing device 6 follows the data originality ensuring program P3. As a function of the hash value generation unit 32, the original data B, which is stored in the memory 10 and is to be stored with the originality secured, is read from the memory 10, and the read original data B is read using a predetermined hash function. A hash value H of the original data B is generated (steps S101 and S102).

  This hash value H has the property of showing a completely different value when the original data B is changed even by 1 bit, that is, the property of uniquely identifying the original data B.

  Next, the dividing device 6 uses the secret sharing method S to convert the original data B including the generated hash value H into three data (divided data) D (1) to D (3) as a function of the divided data generation unit 33. (Step S103). Each piece of divided data D (i) (i = 1, 2, 3) includes data in the format shown in FIG. 8, that is, hash value hi (i = 1, 2, 3), and management information related to data division. Transmission division data DD (i) composed of header information Ai (i = 1, 2, 3) and division data D (i) (i = 1, 2, 3) is generated (steps S104 and S105).

  Here, the hash value hi is generated as a function of the hash value generation unit 32 from the entire content including the header information Ai and the divided data D (i) using a predetermined hash function. The data identifier Ai1 of the header information Ai is information indicating that the data is divided by the secret sharing method S of the present embodiment, the version information Ai2 is information identifying the version of the data format, and the header In the size Ai3, information indicating the total data length of the area from the original data size to the divided data size is stored. The original data size Ai4 is information indicating the length of the original data (original data B including the hash value H), the division number Ai5 is information indicating the number of data divisions (3 in the present embodiment), In the processing unit bit length Ai6, information indicating a processing unit bit length (described later) used in the division processing by the secret sharing method S is stored. The random data size Ai7 includes information indicating the length of random data used in the division processing by the secret sharing method S, and the divided data type Ai8 includes information indicating the number of divided data (for example, 3 In the case of division, information indicating whether the divided data is D (1), D (2), or D (3)) and the divided data size Ai9 include the length of the divided data D (i). Is stored.

  Then, the dividing device 6 transmits the created transmission divided data DD (1) to DD (3) to the storage servers 3a1 to 3a3 via the network N as functions of the data transmitting / receiving unit 37 (step S106).

  Each of the storage servers 3a1 to 3a3 stores the transmission divided data DD (1) to DD (3) transmitted via the network N in a storage device such as a hard disk (step S107).

  In this way, transmission divided data DD composed of divided data D (1) to D (3) obtained by dividing the original data B including the hash value H, header information A1 to A3, and hash values h1 to h3. (1) to DD (3) can be stored in the storage servers 3a1 to 3a3, respectively.

  Next, when the transmission divided data DD (1) to DD (3) stored in the storage servers 3a1 to 3a3 are taken out, the original data B that the user wants to take out is specified and taken out from the terminal 5 to the dividing device 6. When the instruction is transmitted, the dividing device 6 transmits download requests for the transmission divided data DD (1) to DD (3) to the storage servers 3a1 to 3a3, respectively (steps S108 and S109).

  Each of the storage servers 3a1 to 3a3 reads out each read divided data DD (1) to DD (3) stored in a storage device such as a hard disk from each storage device in response to the transmitted download request. Each transmission division data DD (1) to DD (3) is transmitted to the division device 6 via the network N (step S110).

  The dividing device 6 operates according to the data originality ensuring program P3, receives the transmission divided data DD (1) to DD (3) transmitted via the network N as a function of the hash value confirmation unit 35, The hash values h1 ′ to h3 ′ are regenerated from the divided data bodies D (1) to D (3) and the header information A1 to A3 of the received transmission divided data DD (1) to DD (3) (step S111). Then, the regenerated hash values h1 ′ to h3 ′ are compared with the hash values h1 to h3 of the received transmission divided data DD (1) to DD (3) to confirm whether or not they match (step S112). ). Thereby, it is possible to confirm that the contents of the data acquired from the storage servers 3a1 to 3a3 are missing or not tampered with.

  Next, when there are at least two transmission divided data DD (1) to DD (3) having the same hash value in step S112, the original data restoring unit 36 functions as the divided data D (1) to D ( 3) and the original data B1 and the hash value H1 are respectively restored by the secret sharing method S based on the header information A1 to A3 (step S113). This is because data can be acquired even if the divided data cannot be acquired from the storage servers 3a1 to 3a3 or the hash value match cannot be confirmed. When the number is greater than or equal to the number (in the present embodiment, two or more as will be described later), subsequent processing (data restoration processing) is performed.

  Next, the dividing device 6 regenerates the hash value H2 from the restored original data B1 as a function of the hash value confirmation unit 35, and compares the regenerated hash value H2 with the restored hash value H1 to determine whether they match. It is confirmed whether or not (steps S114 and S115). Thereby, it can be confirmed that the contents of the restored original data B and the hash value H are missing or have not been tampered with. Further, even when the contents of the header information A1 to A3 and the divided data bodies D (1) to D (3) are falsified, the hash values h1 to h3 are calculated according to the falsified contents and rewritten (in this case) In step S112, the hash values match), and tampering can be detected.

  Then, the dividing device 6 transmits the restored original data B to the terminal 5 via the network N, whereby the terminal 5 acquires the original data B (steps S116 and S117).

  Here, the secret sharing method S in the present embodiment will be described in detail. Note that the original data in the following description refers to original data that is a target of data division, that is, original data B that includes the hash value H generated by the hash value generation unit 33 in the present embodiment.

  In the division and restoration of the original data in this embodiment, the original data is divided into pieces of divided data having a desired number of divisions based on a desired processing unit bit length. In this case, the processing unit bit length is set to an arbitrary value. The original data is divided into processing unit bit lengths, and the divided partial data is generated from the original partial data by one less than the number of divisions. If it does not match an integer multiple of (number-1) times, the bit length of the original data is adjusted to an integer multiple of (number of divisions -1) times the processing unit bit length by, for example, filling the end of the original data with 0. Thus, the present embodiment can be applied.

  The random numbers described above are also generated from the random number generator 34 as (partition number-1) random number partial data having a bit length of the processing unit bit length corresponding to each of the (partition number-1) original partial data. Is done. That is, the random numbers are divided into processing unit bit lengths, and are generated as (partition number-1) random number partial data having a bit length of the processing unit bit length. Further, the original data is divided into a desired number of divided data based on the processing unit bit length, and each of the divided data also corresponds to each of the (division number-1) original partial data. It is generated as (partition number -1) pieces of divided partial data having a bit length. That is, each piece of divided data is divided into processing unit bit lengths, and is generated as (partition number-1) pieces of divided partial data having a bit length of the processing unit bit length.

  In the following description, the above-described original data, random numbers, divided data, number of divisions, and processing unit bit length are represented by B, R, D, n, and b, respectively, and one of a plurality of data, random numbers, and the like. I (= 1 to n) and j (= 1 to n-1) are used as variables to represent one, (division number n-1) original partial data, (division number n-1) random number partial data , And one of each of the divided data D with the number of divisions is represented by B (j), R (j) and D (i), respectively, and a plurality of ( The divided partial data of (n-1) is represented by D (i, j). That is, B (j) represents the j-th original partial data when the original data B is numbered in order from the top by dividing the processing unit bit length from the top.

  When this notation is used, the original data, random number data, and divided data, and the original partial data, random number partial data, and divided partial data that constitute these, respectively, are represented as follows.

Original data B = (n-1) original partial data B (j)
= B (1), B (2), ..., B (n-1)
Random number R = (n-1) random number partial data R (j)
= R (1), R (2), ..., R (n-1)
n divided data D (i) = D (1), D (2),..., D (n)
Each partial data D (i, j)
= D (1,1), D (1,2), ..., D (1, n-1)
D (2,1), D (2,2), ..., D (2, n-1)
………
D (n, 1), D (n, 2), ..., D (n, n-1)
(i = 1 ~ n), (j = 1 ~ n-1)
In the present embodiment, an exclusive OR operation (XOR) of the original partial data and the random number partial data is performed on the plurality of partial data divided for each processing unit bit length as described above. The original data is divided using a definition formula consisting of exclusive OR (XOR) of data and random number partial data, and a method of using a polynomial or a remainder operation for the above data division processing Compared to the (methods in the first and second embodiments), the use of exclusive OR (XOR) operation, which is a bit operation suitable for computer processing, requires high-speed and high-performance processing capability. In addition, it is possible to generate divided data by repeating simple arithmetic processing even for large-capacity data, and the storage capacity required for storing the divided data is a multiple that is proportional to the number of divisions. It can be made smaller than that. Further, the divided data is generated by stream processing in which calculation processing is performed in order from the top of the data for each predetermined fixed length.

  In the following description, the exclusive OR operation (XOR) used in the present embodiment is expressed by an operation symbol “*”. However, in the bitwise operation rule of this exclusive OR operation, Each calculation result is as follows.

The operation result of 0 * 0 is 0
The result of 0 * 1 is 1
The result of 1 * 0 is 1
The result of 1 * 1 is 0
In addition, the XOR operation has an exchange law and a joint law. That is,
a * b = b * a
It is mathematically proved that (a * b) * c = a * (b * c) holds.

  Also, a * a = 0, a * 0 = 0 * a = a holds.

  Here, a, b, and c represent bit strings having the same length, and 0 represents a bit string having the same length and consisting of all “0”.

  Next, the operation of the secret sharing method S according to the present embodiment will be described with reference to drawings such as flowcharts. Prior to this description, definitions of symbols shown in the flowcharts of FIGS. 9 to 12 will be described.

  (1) Πi = 1nA (i) means A (1) * A (2) *... A (n).

  (2) c (j, i, k) is (n-1) × (n-1) matrix U [n-1, n-1] × (P [n-1, n-1]) ^ It is defined as the value of i row and k column of (j-1).

  At this time, Q (j, i, k) is defined as follows.

When c (j, i, k) = 1 Q (j, i, k) = R ((n-1) × m + k)
Q (j, i, k) = 0 when c (j, i, k) = 0
(3) U [n, n] is an n × n matrix, and the value of i rows and j columns is represented by u (i, j).
When i + j <= n + 1, u (i, j) = 1
When i + j> n + 1, u (i, j) = 0
It means that the matrix is “upper triangular matrix”. Specifically, the matrix is as follows.

(4) P [n, n] is an n × n matrix, and the value of i rows and j columns is represented by p (i, j).
When j = i + 1, p (i, j) = 1
p (i, j) = 1 when i = n, j = 1
For other cases p (i, j) = 0
It means that the matrix is “rotation matrix”. Specifically, the matrix is as follows, and when multiplied from the right side of another matrix, the first column of the other matrix is changed to the second column, the second column to the third column,. Is moved to the nth column, and the nth column is moved to the first column. That is, when the matrix P is applied to another matrix a plurality of times from the right side, each column can be moved so as to rotate rightward by that number of times.

  (5) If A and B are n × n matrices, A × B means the product of the matrices A and B. The calculation rules for the matrix components are the same as those used in normal mathematics.

  (6) When A is an n × n matrix and i is an integer, A ^ i means i products of the matrix A. A ^ 0 means the unit matrix E.

(7) The unit matrix E [n, n] is an n × n matrix, and the value of i rows and j columns is represented by e (i, j).
e (i, j) = 1 when i = j
For other cases e (i, j) = 0
Let's mean a matrix that is Specifically, the matrix is as follows. Let A be any n × n matrix
A × E = E × A = A
There is a property to become.

  Next, with reference to the flowchart shown in FIG. 9 and the specific data shown in FIGS. 10 and 11, the division process of the original data B will be described first.

  First, the original data B is supplied to the dividing device 6 (step S201 in FIG. 9). In this example, the original data B is 16 bits “10110010 00110111”.

  Next, the user instructs the dividing device 6 to 3 as the division number n from the terminal 5 (step S203). A predetermined value in the dividing device 6 may be used as the division number n. Note that the three pieces of divided data generated by the dividing device 6 according to the number of divisions n = 3 are D (1), D (2), and D (3). The divided data D (1), D (2), and D (3) are all 16-bit data that is the same as the bit length of the original data.

  Then, the processing unit bit length b used to divide the original data B is determined to be 8 bits, and a 16-bit random number R having the same bit length as the original data is obtained from the random number generator 34 and generated. (Step S205). The processing unit bit length b may be specified by the user from the terminal 5 to the dividing device 6 or a value predetermined in the dividing device 6 may be used. The processing unit bit length b may be any number of bits, but here it is 8 bits that can divide the original data B. Accordingly, the original data B of the above 16-bit “10110010 00110111” is divided into “10110010” when the two original divided data B (1) and B (2) are divided by the 8-bit processing unit bit length. And “00110111”.

  In the next step S207, it is determined whether or not the bit length of the original data B is an integer multiple of 8 × 2, and if it is not an integer multiple, the end of the original data B is padded with zeros to obtain 8 × 2 Fit to an integer multiple. The division processing when the processing unit bit length b is set to 8 bits and the division number n is set to 3 as in this example is not limited to 16 bits as the bit length of the original data B. This is effective for the original data B that is an integral multiple of length b × (number of divisions n−1) = 8 × 2.

  Next, in step S209, the variable m, that is, the variable m meaning the integer multiple described above is set to zero. As in this example, when the original data B has a processing unit bit length b × (number of divisions n−1) = 8 × 2 = 16 bits, the variable m is 0, but is doubled to 32 bits. In this case, the variable m is 1, and in the case of 3 times 48 bits, the variable m is 2.

  Next, it is determined whether or not there is data for 8 × 2 bits from the 8 × 2 × m + 1 bit of the original data B (step S211). This is because the division processing shown in step S211 and subsequent steps is performed on the processing unit bit length b × (number of divisions n−1) = 8 × 2 = 16 bits specified by the variable m of the original data B, Whether data B has the next 16 bits or not is determined. In the case where the original data B is 16 bits as in this example, if the dividing process after step S211 is performed once on the 16-bit original data B, the variable m is incremented by 1 in step S219 described later. However, in the original data B in this example, there is no data of 17 bits or later corresponding to the case where the variable m is m + 1, so the process proceeds from step S211 to step S221. In this case, however, the variable m is Since it is 0, the 8 × 2 × m + 1 bit of the original data B becomes 8 × 2 × 0 + 1 = 1, and the data is 8 × 2 bits from the first 16 bits of the original data B. Since it exists, it progresses to step S213.

  In step S213, the variable j is changed from 1 to 2 (= number of divisions n−1), and 8 bits from the 8 × (2 × m + j−1) +1 bit of the original data B (= processing unit bits) 2) (partition number n-1) original partial data B (1) obtained by dividing the original data B by the processing unit bit length. , B (2) is generated as follows.

Original data B = B (1), B (2)
First original partial data B (1) = “10110010”
Second original partial data B (2) = “00110111”
Next, the variable j is changed from 1 to 2 (= number of divisions n-1), and a random number of 8 bits generated from the random number generator 34 is set in the random number partial data R (2 × m + j). Thus, 2 (division number n-1) random number partial data R (1) and R (2) obtained by dividing the random number R by the processing unit bit length are generated as follows (step S215).

Random number R = R (1), R (2)
First random number partial data R (1) = “10110001”
Second random number partial data R (2) = “00110101”
Next, in step S217, the variable i is changed from 1 to 3 (= number of divisions n), and the variable j is further changed from 1 to 2 (= number of divisions n-1) in each variable i, as shown in step S217. Each divided partial data D (i, 2 × m + j) that constitutes each of the plurality of divided data D (i) by a definition formula consisting of exclusive OR of the original partial data and random number partial data for generating the divided data ) Is generated. As a result, the following divided data D is generated.

Split data D
= 3 pieces of divided data D (i) = D (1), D (2), D (3)
First divided data D (1)
= 2 pieces of partial data D (1, j) = D (1,1), D (1,2)
= "00110110", "10110011"
Second divided data D (2)
= 2 pieces of partial data D (2, j) = D (2,1), D (2,2)
= "00000011", "00000010"
Third divided data D (3)
= 2 pieces of partial data D (3, j) = D (3,1), D (3,2)
= "10110001", "00110101"
Note that the definition formula shown in step S217 for generating each divided partial data (i, j) is specifically described in the table shown in FIG. 11 when the number of divisions n = 3 as in this example. Will be. From the table shown in FIG. 11, the definition formula for generating the divided partial data D (1,1) is B (1) * R (1) * R (2), and the definition formula for D (1,2) Is B (2) * R (1) * R (2), D (2,1) is defined as B (1) * R (1), and D (2,2) is defined as B (2) * R (2), the defining formula for D (3,1) is R (1), and the defining formula for D (3,2) is R (2). The table shown in FIG. 11 also describes general definition formulas for arbitrary integers when m> 0.

  In this way, after the divided data D is generated for the variable m = 0 meaning an integer multiple, the variable m is then incremented by 1 (step S219), and the process returns to step S211 to return to the original data B corresponding to the variable m + 1 However, since the original data B in this example is 16 bits and there is no data after 17 bits, the process proceeds from step S211 to step S221 and is generated as described above. The divided data D (1), D (2), and D (3) are temporarily stored in the memory 10 of the dividing device 6, and the dividing process is terminated. The divided data D (1), D (2), D (3) stored in this way cannot be estimated as original data alone.

  Here, the divided data generation process based on the definition formula in step S217 in the flowchart of FIG. 9 described above, specifically, the divided data generation process when the number of divisions n = 3 will be described in detail.

  First, in the case of a variable m = 0 meaning an integer multiple, each divided partial data D constituting each of the divided data D (i) = D (1) to D (3) from the definition formula shown in step S217. (i, 2 × m + j) = D (i, j) (i = 1 to 3, j = 1 to 2) is as follows.

D (1,1) = B (1) * Q (1,1,1) * Q (1,1,2)
D (1,2) = B (2) * Q (2,1,1) * Q (2,1,2)
D (2,1) = B (1) * Q (1,2,1) * Q (1,2,2)
D (2,2) = B (2) * Q (2,2,1) * Q (2,2,2)
D (3,1) = R (1)
D (3,2) = R (2)
Specifically, Q (j, i, k) included in the above four formulas among the above six formulas is obtained.

When c (j, i, k) is a value of i rows and k columns of U [2,2] × (P [2,2]) ^ (j-1) which is a 2 × 2 matrix, Is defined as

When c (j, i, k) = 1 Q (j, i, k) = R (k)
Q (j, i, k) = 0 when c (j, i, k) = 0
here,
When j = 1

When j = 2

  If this is used, each division | segmentation partial data D (i, j) is produced | generated by the following definitional expressions.

D (1,1) = B (1) * Q (1,1,1) * Q (1,1,2) = B (1) * R (1) * R (2)
D (1,2) = B (2) * Q (2,1,1) * Q (2,1,2) = B (2) * R (1) * R (2)
D (2,1) = B (1) * Q (1,2,1) * Q (1,2,2) = B (1) * R (1) * 0 = B (1) * R (1 )
D (2,2) = B (2) * Q (2,2,1) * Q (2,2,2) = B (2) * 0 * R (2) = B (2) * R (2 )
The definition formula for generating each of the divided partial data D (i, j) is also illustrated in FIG.

  FIG. 10 shows the original data from the respective data and definition formulas and the divided partial data when the 16-bit original data B is divided into three with the division number n = 3 based on the 8-bit processing unit bit length as described above. It is a table | surface which shows the calculation formula in the case of decompress | restoring.

  Here, the divided data D (1), D (2), D (3) and the respective divided partial data D (1,1), D (1,2), D (2,1), The process of generating D (2,2), D (3,1), and D (3,2) and the general form of the definition formula will be described.

  First, for the first divided data D (1), the first divided partial data D (1,1) is defined by the definition formula B (1) * R (1) * R (2) described above. Then, the second divided partial data D (1, 2) is defined by the definition formula B (2) * R (1) * R (2). The general form of this defining formula is B (j) * R (j) * R (j + 1) for D (1, j), and for D (1, j + 1) B (j + 1) * R (j) * R (j + 1) (j is an odd number). When calculated according to the definition formula, D (1,1) is 00110110 and D (1,2) is 10110011, so D (1) is 00100110 10110011. The general form of the definition formula is collectively shown in FIG.

  For the second divided data D (2), D (2,1) is defined by B (1) * R (1), and D (2,2) is B (2) * R ( Defined in 2). The general form of this definition is B (j) * R (j) for D (2, j) and B (j + 1) * R for D (2, j + 1) (j + 1) (j is an odd number). When calculated according to the definition formula, D (2,1) becomes 00000011 and D (2,2) becomes 00000010, so D (2) is 00000011 00000010.

  Further, for the third divided data D (3), D (3,1) is defined by R (1) and D (3,2) is defined by R (2). The general form of this definition is R (j) for D (3, j) and R (3, j + 1) for D (3, j + 1) (j is Odd number). When calculated according to the definition formula, D (3,1) is 10110001, D (3,2) is 00110101, and D (3) is 10110001 00110101.

  In the above description, the length of B, R, D (1), D (2), and D (3) is 16 bits. However, by repeating the division process from the beginning of the data, what length Even from the original data B, the divided data D (1), D (2), and D (3) can be generated. In addition, the processing unit bit length b can be arbitrarily set, and the original data having an arbitrary length, specifically, processing is performed by repeating the above dividing process every b × 2 in order from the top of the original data B. The present invention can be applied to original data having an integral multiple of the unit bit length b × 2. If the length of the original data B is not an integer multiple of the processing unit bit length b × 2, for example, the length of the original data B is set to the processing unit bit length b × 2 by filling the end portion of the data with 0. The division processing of this embodiment described above can be applied by adjusting to an integral multiple of.

  Next, processing for restoring original data from divided data will be described with reference to the table shown on the right side of FIG.

  First, it requests the dividing device 6 to restore the original data B. When receiving the restoration request for the original data B, the dividing device 6 stores the divided data D (1), D (2), D (3) corresponding to the original data B in the storage servers 3a1, 3a2, 3a3. Therefore, the divided data D (1), D (2), D (3) are acquired from the storage servers 3a1, 3a2, 3a3 via the network N, and the acquired divided data D ( 1) Restore original data B from D (2) and D (3) as follows.

  First, the first original partial data B (1) can be generated from the divided partial data D (2,1) and D (3,1) as follows.

D (2,1) * D (3,1) = (B (1) * R (1)) * R (1)
= B (1) * (R (1) * R (1))
= B (1) * 0
= B (1)
Specifically, since D (2,1) is 00000011 and D (3,1) is 10110001, B (1) is 10110010.

  Also, the second original partial data B (2) can be generated from the other divided partial data as follows.

D (2,2) * D (3,2) = (B (2) * R (2)) * R (2)
= B (2) * (R (2) * R (2))
= B (2) * 0
= B (2)
Specifically, since D (2,2) is 00000010 and D (3,2) is 00110101, B (2) is 00110111.

In general, let j be an odd number
D (2, j) * D (3, j) = (B (j) * R (j)) * R (j)
= B (j) * (R (j) * R (j))
= B (j) * 0
= B (j)
Therefore, B (j) can be obtained by calculating D (2, j) * D (3, j).

In general, j is an odd number,
D (2, j + 1) * D (3, j + 1) = (B (j + 1) * R (j + 1)) * R (j + 1)
= B (j + 1) * (R (j + 1) * R (j + 1))
= B (j + 1) * 0
= B (j + 1)
Therefore, if D (2, j + 1) * D (3, j + 1) is calculated, B (j + 1) is obtained.

  Next, when D (1) and D (3) are acquired and B is restored, it is as follows.

D (1,1) * D (3,1) * D (3,2) = (B (1) * R (1) * R (2)) * R (1) * R (2) = B ( 1) * (R (1) * R (1)) * (R (2) * R (2))
= B (1) * 0 * 0
= B (1)
Therefore, B (1) can be obtained by calculating D (1,1) * D (3,1) * D (3,2). Specifically, since D (1,1) is 00110110, D (3,1) is 1010001, and D (3,2) is 0110101, B (1) is 10110010.

Similarly,
D (1,2) * D (3,1) * D (3,2) = (B (2) * R (1) * R (2)) * R (1) * R (2)
= B (2) * (R (1) * R (1)) * (R (2) * R (2))
= B (2) * 0 * 0
= B (2)
Therefore, if D (1,2) * D (3,1) * D (3,2) is calculated, B (2) is obtained. Specifically, since D (1,2) is 10110011, D (3,1) is 10110001, and D (3,2) is 00110101, B (2) is 00110111.

In general, let j be an odd number
D (1, j) * D (3, j) * D (3, j + 1) = (B (j) * R (j) * R (j + 1)) * R (j) * R (j +1)
= B (j) * (R (j) * R (j)) * (R (j + 1) * R (j + 1))
= B (j) * 0 * 0
= B (j)
Therefore, B (j) can be obtained by calculating D (1, j) * D (3, j) * D (3, j + 1).

In general, j is an odd number,
D (1, j + 1) * D (3, j) * D (3, j + 1) = (B (j + 1) * R (j) * R (j + 1)) * R (j) * R (j + 1)
= B (j + 1) * (R (j) * R (j)) * (R (j + 1) * R (j + 1))
= B (j + 1) * 0 * 0
= B (j + 1)
Therefore, if D (1, j + 1) * D (3, j) * D (3, j + 1) is calculated, B (j + 1) is obtained.

  Next, when D (1) and D (2) are acquired and B is restored, it is as follows.

D (1,1) * D (2,1) = (B (1) * R (1) * R (2)) * (B (1) * R (1))
= (B (1) * B (1)) * (R (1) * R (1)) * R (2)
= 0 * 0 * R (2)
= R (2)
Therefore, R (2) is obtained by calculating D (1,1) * D (2,1). Specifically, since D (1,1) is 00110110 and D (2,1) is 00000011, R (2) is 00110101.

Similarly,
D (1,2) * D (2,2) = (B (2) * R (1) * R (2)) * (B (2) * R (2))
= (B (2) * B (2)) * R (1) * (R (2) * R (2))
= 0 * R (1) * 0
= R (1)
Therefore, R (1) is obtained by calculating D (1,2) * D (2,2). Specifically, since D (1,2) is 10110011 and D (2,2) is 00000010, R (1) is 10110001.

  Using these R (1) and R (2), B (1) and B (2) are obtained.

D (2,1) * R (1) = (B (1) * R (1)) * R (1)
= B (1) * (R (1) * R (1))
= B (1) * 0
= B (1)
Therefore, if D (2,1) * R (1) is calculated, B (1) is obtained. Specifically, since D (2,1) is 00000011 and R (1) is 10110001, B (1) is 10110010.

Similarly,
D (2,2) * R (2) = (B (2) * R (2)) * R (2)
= B (2) * (R (2) * R (2))
= B (2) * 0
= B (2)
Therefore, B (2) can be obtained by calculating D (2,2) * R (2). Specifically, since D (2,2) is 00000010 and R (2) is 00110101, B (2) is 00110111.

In general, let j be an odd number
D (1, j) * D (2, j) = (B (j) * R (j) * R (j + 1)) * (B (j) * R (j))
= (B (j) * B (j)) * (R (j) * R (j)) * R (j + 1)
= 0 * 0 * R (j + 1)
= R (j + 1)
Therefore, R (j + 1) can be obtained by calculating D (1, j) * D (2, j).

Similarly,
D (1, j + 1) * D (2, j + 1) = (B (j + 1) * R (j) * R (j + 1)) * (B (j + 1) * R (j +1))
= (B (j + 1) * B (j + 1)) * R (j) * (R (j + 1) * R (j + 1))
= 0 * R (j) * 0
= R (j)
Therefore, R (j) can be obtained by calculating D (1, j + 1) * D (2, j + 1).

  Using these R (j) and R (j + 1), B (j) and B (j + 1) are obtained.

D (2, j) * R (j) = (B (j) * R (j)) * R (j)
= B (j) * (R (j) * R (j))
= B (j) * 0
= B (j)
Therefore, B (j) can be obtained by calculating D (2, j) * R (j).

Similarly,
D (2, j + 1) * R (j + 1) = (B (j + 1) * R (j + 1)) * R (j + 1)
= B (j + 1) * (R (j + 1) * R (j + 1))
= B (j + 1) * 0
= B (j + 1)
Therefore, B (j + 1) can be obtained by calculating D (2, j + 1) * R (j + 1).

  As described above, when the divided data is repeatedly generated from the beginning of the original data based on the processing unit bit length b to generate divided data, the three divided data D (1), D (2), D ( Even if not all of 3) is used, the original data can be restored as described above using two divided data of the three divided data.

  As another method of the present invention, the original data can be divided by using the random number R having a bit length shorter than that of the original data B.

  That is, the random number R described above is data having the same bit length as B, D (1), D (2), D (3), but the random number R is shorter than the bit length of the original data B, and the divided data D This short bit length random number R is repeatedly used to generate (1), D (2), and D (3).

  Since the divided data D (3) is generated only from the random number R, the divided data D (3) need not be stored repeatedly with the random number R. For example, when the bit length of the original data B is 1600 bits (200 bytes), the random number R is a repetition of arbitrarily selected 160 bits (20 bytes) of data. That is, R (1) to R (20) are randomly generated, and R (21) to R (200) are R (21) = R (1), R (22) = R (2), ..., R (40) = R (20), R (41) = R (1), R (42) = R (2), ..., R (60) = R (20), R (61) = R (1) , R (62) = R (2), ..., R (80) = R (20), ... ……, R (181) = R (1), R (182) = R (2), ..., R (200) = R (20).

  In the above description, D (3) is generated by defining divided part data D (3, j) as random part data R (j), but it is sufficient to store up to D (3,20). . That is, the length of D (3) is 1/10 of D (1) and D (2). Therefore, the total amount of data to be stored is three times the original data B in the previous embodiment, but can be 2.1 times in this embodiment.

  If the length of the data of the repetitive part in the random number R is too short, it is possible that R is decoded only from D (1) or D (2). Therefore, it is desirable to select an appropriate length.

  Next, a general division process when the number of divisions is n and the processing unit bit length is b will be described with reference to the flowchart shown in FIG.

  First, the original data B is supplied to the dividing device 6 (step S401). Further, the user instructs the dividing device 6 from the terminal 5 about the division number n (an arbitrary integer satisfying n ≧ 3) (step S403). A predetermined value in the dividing device 6 may be used as the division number n. The processing unit bit length b is determined (step S405). Note that b is an arbitrary integer greater than 0. Next, it is determined whether or not the bit length of the original data B is an integer multiple of b × (n−1). If it is not an integer multiple, the end of the original data B is filled with 0 (step S407). Further, a variable m meaning an integer multiple is set to 0 (step S409).

  Next, it is determined whether or not data of b × (n−1) bits from the b × (n−1) × m + 1 bit of the original data B exists (step S411). As a result of this determination, if there is no data, the process proceeds to step S421. However, in this case, since the variable m is set to 0 in step S409, the data exists, so step S413. Proceed to

  In step S413, the variable j is changed from 1 to n-1, and b × (n−1) × m + j−1) +1 bit of the original data B is converted into the original partial data B ( (n-1) × m + j) is repeated, whereby (n-1) pieces of original partial data B (1), B (2) obtained by dividing the original data B by the processing unit bit length b , ... B (n-1) is generated.

  Next, the variable j is changed from 1 to n-1, and a random number of the processing unit bit length b generated from the random number generator 34 is set in the random number partial data R ((n-1) × m + j). Thus, n-1 random number partial data R (1), R (2),... R (n-1) obtained by dividing the random number R by the processing unit bit length b are generated (step S415).

  Next, in step S417, while changing the variable i from 1 to n and further changing the variable j from 1 to n-1 in each variable i, a plurality of definition expressions for generating the divided data shown in step S417 are used. Each divided partial data D (i, (n−1) × m + j) constituting each of the divided data D (i) is generated. As a result, the following divided data D is generated.

Split data D
= n pieces of divided data D (i) = D (1), D (2), ... D (n)
First divided data D (1)
= n-1 divided partial data D (1, j) = D (1,1), D (1,2), ... D (1, n-1)
Second divided data D (2)
= n-1 divided partial data D (2, j) = D (2,1), D (2,2), ... D (2, n-1)
………
………
N-th divided data D (n)
= n-1 divided partial data D (n, j) = D (n, 1), D (n, 2), ... D (n, n-1)
As described above, after generating the divided data D for the variable m = 0, the variable m is then incremented by 1 (step S419), and the process returns to step S411 to return b × (n of the original data B corresponding to the variable m = 1. -1) Similar division processing is performed for the bits after the bit. Finally, if there is no data in the original data B as a result of the determination in step S411, the process proceeds from step S411 to step S421, and the divided data D (1),. Are temporarily stored in the memory 10, and the dividing process is terminated.

  As described above, according to the present embodiment, the original data B is divided into a plurality of divided data D (1) to D (3) by the secret sharing method S including the hash value H of the original data B, Moreover, it consists of the hash values h1 to h3 calculated from the divided data D (1) to D (3), the header information A1 to A3, and the divided data D (1) to D (3) and the header information A1 to A3. Transmission division data DD (1) to DD (3) and the transmission division data DD (1) to DD (3) are stored in the storage servers 3a1 to 3a3, respectively. 1) to DD (3), even if at least a part of the transmission divided data DD (1) to DD (3) including the falsified data is tampered with, the transmission divided data DD (1) to DD (3) ) Can be easily checked for tampering Can.

  As a result, for example, even when the original data B is stored for a long period of time, it is possible to easily perform the original data without repeating the reissue process of the electronic certificate and the data creation process with the electronic signature as in the case of the electronic signature. Data B can be stored.

  Further, according to the present embodiment, the original data B is divided into the transmission divided data DD (1) to DD (3) and stored in the storage servers 3a1 to 3a3. Therefore, for example, the transmission divided data DD (1) Even when one of the divided data of ~ DD (3) is falsified, the original data B can be restored using the remaining divided data.

As a result, the originality of the original data B can be more reliably ensured. Further, the secret sharing method in the first and second embodiments is used for secret key division management of the public key cryptosystem. Although this is a practical method for data with a relatively small data capacity, the secret sharing method S in the present embodiment does not require arithmetic processing of multiple-precision integers including polynomial arithmetic and remainder arithmetic. Therefore, even when a large amount of large volume data is processed, it is possible to obtain an effect that data can be divided and restored easily and quickly.

  In the first and second embodiments, the storage servers 3a1 to 3a4 in which the divided data D (1) to D (4) obtained by dividing the original data B are connected to the client 2 via the network N. In the third embodiment, the transmission divided data DD (1) to DD (3) obtained by dividing the original data B are stored in the storage servers 3a1 to 3a1 connected to the dividing device 6 via the network N. Although it is configured to store in 3a3, the present invention is not limited to this configuration.

  For example, a modification of the data originality ensuring system 1 is shown in FIG.

  As shown in FIG. 13, the data originality ensuring system 1 </ b> A according to the modification is configured as a client system 25 alone on the client side, and the client system 25 is connected to the client 2 and the client 2 with a LAN. And a plurality of storage devices 20a1 to 20a4 that are independent of each other in hardware.

  Even if the data originality ensuring system 1A is configured as shown in FIG. 13, the original data B can be stored in the plurality of storage devices 20a1 to 20a4 as the divided data D (1) to D (4), The original data B can be stored while ensuring the originality of the original data B easily and reliably.

  Similarly, as a modified example of the data originality ensuring system 4, the terminal 5, the dividing device 6, and the storage servers 3a1 to 3a3 may be configured as a client system alone on the client side.

  Furthermore, each system configuration described in the above embodiment is merely a preferable specific example, and if it is functionally the same, other system configurations, for example, the data originality ensuring system 1 This system configuration may be a system configuration as shown in the data originality ensuring system 4. This is a system configuration in which the function of the client 2 of the data originality ensuring system 1 is distributed to the terminal 5 and the dividing device 6. Similarly, for example, the system configuration of the data originality ensuring system 4 may be a system configuration as shown in the data originality ensuring system 1. This is a function of the client 2 by integrating the functions of the terminal 5 and the dividing device 6 of the data originality ensuring system 4.

  In addition, according to the above-described embodiment and its modification, Shamir's secret sharing method {(k, n) threshold method as a secret sharing method; provided that n representing the number of divisions is 4 and k represents the number that can be restored. And the secret sharing method S are used, but the present invention is not limited to this configuration, and other secret sharing methods other than the secret sharing method described in the above embodiment may be used. Is possible.

  Furthermore, according to the above-described embodiment and the modification thereof, the hash value is used as identification data that can uniquely identify the original data. However, identification data other than the hash value, for example, parity, checksum (original data in a block) It may be a value obtained by dividing, and regarding the divided blocks as numerical values, and adding up all the blocks.

DESCRIPTION OF SYMBOLS 1, 1A, 4 ... Data originality ensuring system 2 ... Client 3a1-3a4 ... Storage server 5 ... Terminal 6 ... Dividing device 10 ... Memory 11 ... Hash value generation part 13 ... Divided data generation part 15 ... Original data restoration part 17 ... Communication unit 20a1 to 20a4 ... Storage device 25 ... Client system 31, 37 ... Data transmission / reception unit 32 ... Hash value generation unit 33 ... Divided data generation unit 34 ... Random number generation unit 35 ... Hash value confirmation unit 36 ... Original data restoration unit 37 ... Data transmitter / receiver

Claims (3)

A data originality ensuring system for storing data while ensuring its originality,
A data dividing unit for dividing the data into a plurality of pieces of divided data that can be restored by using a secret sharing method;
A plurality of storage units each storing a plurality of divided data divided,
The secret sharing method is:
Generating a plurality of partial data of a predetermined length from the data;
Separate random number data into a plurality of said predetermined length, to generate a plurality of random number partial data,
Performing an exclusive OR operation process combining the partial data and the random number partial data, generating the plurality of divided data ,
A data originality securing system, wherein the data can be restored by combining n-1 pieces of divided data among the plurality (n pieces) of divided data . A data originality securing method for storing data with its originality performed by a computer system,
The computer system includes a plurality of storage units that respectively store a plurality of divided data pieces.
A data division step of dividing the data into a plurality of pieces of divided data that can be restored using a secret sharing method;
Storing the plurality of divided data in the plurality of storage units, respectively,
The secret sharing method is:
Generating a plurality of partial data of a predetermined length from the data;
Separate random number data into a plurality of said predetermined length, to generate a plurality of random number partial data,
Performing an exclusive OR operation process combining the partial data and the random number partial data, generating the plurality of divided data ,
A data originality securing method, wherein the data can be restored by combining n-1 pieces of divided data among the plurality (n pieces) of divided data . Computer system,
A data dividing unit that divides the data into a plurality of pieces of divided data that can be restored using a secret sharing method; and
Function as a plurality of storage units for storing a plurality of divided data,
The secret sharing method is:
Generating a plurality of partial data of a predetermined length from the data;
Separate random number data into a plurality of said predetermined length, to generate a plurality of random number partial data,
Performing an exclusive OR operation process combining the partial data and the random number partial data, generating the plurality of divided data ,
A program for ensuring data originality, wherein the data can be restored by combining n-1 pieces of divided data among the plurality (n pieces) of divided data .

Images