words, the integration of quantum key distribution and secret sharing can be a very reasonable approach as they make up for each other’s shortcomings.

NICT and Tokyo Institute of Technology jointly proposed a totally information theoretically secure distributed storage system based on a user-friendly single-password-authenticated secret sharing scheme and secure transmission using quantum key distribution, and demonstrated a distributed storage system with information theoretically secure data transmission, storage, and authentication in 2016 [13]. In this paper, we describe the protocol and the system.

2 Information theory-based, safe single-password secret sharing protocol

2.1 Shamir’s (k, n) threshold scheme

In this section, we discuss Shamir’s (k, n) threshold scheme, on which our scheme is based [12]. The (k, n) threshold scheme works as follows: first, an owner of secret data S (integer) creates n individual values called “shares” out of S; second, the data owner secretly transfers each of the values to each of 1 to n shared servers; then, the data owner erases the secret data S; the secret data S is recovered through a predefined computation on the k shares collected from k servers in collaboration—k is defined as the threshold. The computation is performed using the formula below.

Share: random (k-1)th-order polynomial of which the constant term is the secret data

(1)

where are random integers and is the secret data S.

Holders of the ith share receive , where “i” is the shareholder identifier. In a reconstruction operation, () is calculated from the pairs of collected from k shared servers. The secret data S is recovered as follows. When the identifier of k shared servers in collaboration is defined as , the following equations represent shares existing at each share server:

(2)

If are substituted with numerical values, k individual linear equations with k variables of are generated. Therefore, by solving the simultaneous equations, all the unknown variables can be obtained. Then, the secret data S can be reconstructed.

Lagrange interpolation is applied for actual secret-data reconstruction.

Figure 1 shows an instance of the (3, 4) threshold scheme. Substitution of more than three pairs is sufficient for the reconstruction of secret data S.

2.2 Password secret sharing protocol

This protocol protects any secret data from information leakage. In addition, it allows addition and multiplication between shares. For instance, the share obtained from addition of data and is , and similarly, the share obtained from is . In the multiplying process, however, the degree of the polynomial is . So, of shares is necessary to reconstruct . We took advantage of these characteristics to implement the password-sharing protocol, which requires only a single password for safe authentication as defined in information theory. Our scheme can be roughly divided into three phases: the “registration phase,” where the share of the secret data and the share of the password are transmitted; the “pre-computation phase,” where shared computations are executed to secure data secrecy at the time of data reconstruction; and the “data-reconstruction phase.” More details are described below using an example of the (3, 4) threshold.

(1) Registration phase

(1-1) Since each calculation in the finite field with prime order can deal with only blocks of length at most bits, secret data D, which has gener-

[Fig. 1: Example of Shamir’s (3, 4) threshold scheme. Plot of f(x) = a2x^2 + a1x + a0 on x-y axes; the secret data a0 is the value of the curve at x = 0, and the shares (i1, f(i1)), (i2, f(i2)), (i3, f(i3)), (i4, f(i4)) are distributed to share servers.]

24 Journal of the National Institute of Information and Communications Technology Vol. 64 No. 1 (2017)
3 Quantum Key Distribution Network
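The following Python sketch is an added example, not code from the paper or from NICT. It works through Sections 2.1 and 2.2: splitting a secret with a random polynomial, reconstructing it by Lagrange interpolation, and computing on shares locally. The prime modulus, the function names and the sample secrets are assumptions, and it uses a constructed (3, 5) setting rather than the paper's (3, 4) so that enough shares exist for the product: multiplying two degree-(k-1) sharings gives a degree-2(k-1) polynomial, which needs 2k-1 shares.

```python
import secrets

P = 2**127 - 1  # prime modulus: an assumption, the page does not name one

def split(secret, k, n, p=P):
    """Shares (i, f(i)), i = 1..n, of a random degree-(k-1) f with f(0) = secret."""
    if not (1 <= k <= n < p and 0 <= secret < p):
        raise ValueError("need 1 <= k <= n < p and 0 <= secret < p")
    # Uniformly random coefficients are what hide the secret from k-1 servers.
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(k - 1)]
    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation mod p
            acc = (acc * x + c) % p
        return acc
    return [(i, f(i)) for i in range(1, n + 1)]

def reconstruct(shares, p=P):
    """Lagrange interpolation at x = 0 over GF(p)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share identifiers")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total

def combine(a, b, op, p=P):
    """Each server applies op to its own two shares; nothing is exchanged."""
    if [x for x, _ in a] != [x for x, _ in b]:
        raise ValueError("share identifiers must line up")
    return [(x, op(ya, yb) % p) for (x, ya), (_, yb) in zip(a, b)]

def demo(a=1234, b=5678, k=3, n=5):  # constructed sample values
    sa, sb = split(a, k, n), split(b, k, n)
    added = combine(sa, sb, lambda u, v: u + v)
    mult = combine(sa, sb, lambda u, v: u * v)
    return {
        "a_from_k": reconstruct(sa[:k]),
        "sum_from_k": reconstruct(added[1:k + 1]),
        "product_from_2k-1": reconstruct(mult[:2 * k - 1]),
        "product_from_k": reconstruct(mult[:k]),  # too few: wrong value
    }
```

Calling `demo()` returns the recovered secret, sum and product, plus the incorrect value obtained when only k shares of the product are interpolated.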