Abstract: The present invention provides a signature generation device and a signature verification device capable of countering a transcript attack that seeks a private key by analyzing a plurality of signed documents (pairs of a message and a signature) signed using the NTRUSign signature scheme. The signature generation device calculates a hash value vector H of message data, adds a vector based on a private distribution to the hash value vector H to calculate a converted hash value vector H?, and seeks, as a signature vector S, the closest lattice point to the converted hash value vector H? in a lattice defined by private key basis vectors. The signature verification device determines whether the distance between the hash value vector H of the message data and the signature vector S is equal to or less than L? and, if so, recognizes the message data as valid.

Abstract: A management device 200d comprises: a key share generation unit 251d generating a plurality of key shares by decomposing a decryption key, the decryption key being for decrypting an encrypted application program generated as a result of encryption of the application program; and an output unit 252d outputting each of the key shares to a different one of a plurality of detection modules. The detection modules acquire and store therein the key shares. The protection control module 120d comprises: an acquisition unit 381d acquiring the key shares from the detection modules; a reconstruction unit 382d reconstructing the decryption key by composing the key shares; a decryption unit 383d decrypting the encrypted application program with use of the decryption key; and a deletion unit 384d deleting the decryption key, after the decryption by the decryption unit is completed.

Abstract: Provided is a tampering monitoring system that can identify a monitoring module that has been tampered with among a plurality of monitoring modules. A management apparatus is provided with an acquisition unit that acquires a new monitoring module that has not been tampered with, a generation unit that generates a decoy monitoring module by modifying the acquired monitoring module, a transmission unit that transmits the decoy monitoring module to the information security device and causes the information security device to install the decoy monitoring module therein, a reception unit that receives from the information security device, after the decoy monitoring module has been installed, monitoring results generated by the monitoring modules monitoring other monitoring modules, and a determination unit that identifies, by referring to the received monitoring results, a monitoring module that determines the decoy monitoring module to be valid and determines the identified monitoring module to be invalid.

Abstract: A malicious-module identification device (200a) identifies and deactivates a malicious module operating in an information processing device (100a) connected thereto via a network. The malicious-module identification device is provided with a reception unit (2310) for receiving results of tampering detection from a plurality of modules for detecting tampering, a determination unit (210a) for assuming that a module among the plurality of modules is a normal module, determining, based on the assumption, whether a contradiction occurs in the received results of tampering detection, and identifying the module assumed to be a normal module as a malicious module when determining that a contradiction occurs, and a deactivation unit (2320) for outputting an instruction to deactivate the module identified as the malicious module.

Abstract: An information security apparatus (100c) includes a plurality of monitoring modules that monitor for tampering. A management apparatus (200c) includes a reception unit (230c) that receives a plurality of monitoring results each generated by a source monitoring module monitoring a target monitoring module; a detection unit (220c) that detects an abnormality by referring to fewer than all of the received monitoring results; and an identification unit (210c) that identifies, when an abnormality is detected, a monitoring module that has been tampered with from among (i) a monitoring module that generates a monitoring result related to the abnormality, and (ii) one or more monitoring modules identified by tracing back through a chain of monitoring modules consecutively from the target of monitoring to the source of monitoring, starting from the monitoring module that generates the monitoring result related to the abnormality.

Abstract: The present invention aims to perform tamper detection on a protection control module without having detection modules come to know the key data and functions thereof. The detection modules of the present invention perform tamper detection by verifying whether or not the correspondence between the input and output data of the application decryption process performed by the protection control module is correct. Furthermore, the present invention offers improved security against leaks of the application output data by the detection modules by having a plurality of detection modules verify different data blocks.

Abstract: A management device detects whether any normal monitoring module that has not been tampered with exists by referring to monitoring results received from an information security device and selects, when existence is detected, one of the monitoring modules and assumes that the selected monitoring module has been tampered with. The monitoring device then successively applies a procedure to monitoring modules other than the selected monitoring module by referring to the monitoring results, starting from the selected monitoring module, the procedure being to assume that any monitoring module determining that a monitoring module assumed to have been tampered with is normal has also been tampered with. As a result of the procedure, when all of the monitoring modules are assumed to have been tampered with the management device determines the selected monitoring module to be a normal monitoring module that has not been tampered with.

Abstract: To aim to provide a monitoring system and a program execution apparatus that are capable of maintaining the security intensity even in the case where an unauthentic install module is invalidated. Install modules 131 to 133 included in an apparatus 100 each monitor an install module, which is a monitoring target indicated by a monitoring pattern included therein, as to whether the install module performs malicious operations. An install module that performs malicious operations is invalidated in accordance with an instruction from an update server 200. The monitoring patterns are restructured by the update server 200 such that the install modules except the invalidated install module are each monitored by at least another one of the install modules. The restructured monitoring patterns are distributed to the install modules except the invalidated install module.

Abstract: A signature generation apparatus capable of preventing transcript attack on signature data is provided. The signature generation apparatus performing a digital signature operation with the use of a signature key: stores the signature key; performs the digital signature operation on signature target data with the use of the signature key to generate signature data; counts the cumulative count of digital signature operations having been performed by the signature generation unit with the use of the signature key; judges whether the cumulative count has reached a predetermined count; and inhibits the use of the signature key in the digital signature operation from then onward in a case where the judgment unit determines that the cumulative count has reached the predetermined count.

Abstract: The present invention provides a signature generation device and a signature verification device capable of countering a transcript attack that seeks a private key by analyzing a plurality of signed documents (pairs of a message and a signature) signed using the NTRUSign signature scheme. The signature generation device calculates a hash value vector H of message data, adds a vector based on a private distribution to the hash value vector H to calculate a converted hash value vector H?, and seeks, as a signature vector S, the closest lattice point to the converted hash value vector H? in a lattice defined by private key basis vectors. The signature verification device determines whether the distance between the hash value vector H of the message data and the signature vector S is equal to or less than L? and, if so, recognizes the message data as valid.

Abstract: A distributing device for generating private information correctly even if shared information is destroyed or tampered with. A shared information distributing device for use in a system for managing private information by a secret sharing method, including: segmenting unit that segments private information into a first through an nth pieces of shared information; first distribution unit that distributes the n pieces of shared information to n holding devices on a one-to-one basis; and second distribution unit that distributes the n pieces of shared information to the n holding devices so that each holding device holds an ith piece of shared information distributed by the first distribution unit, as well as a pieces of shared information being different from the ith piece of shared information in ordinal position among n pieces of shared information, “i” being an integer in a range from 1 to n.

Abstract: A signature generation apparatus and a signature verification apparatus preventing an occurrence of an inappropriate signature verification error. The signature generation apparatus (110) including a signature generation unit (114) calculating signature vector (s, t) for a message m using a private key, and generating signature data S indicating polynomials sl and sh specifying the polynomial s and a polynomial th which is a quotient when the polynomial t is divided by q.

Abstract: An update server 200 acquires, from an apparatus 100, a result of verifications relating to tampering of a protection control module 120 and each of install modules included in an install module group 130. The update server 200 determines a processing procedure of the apparatus 100 depending on the acquired result of verifications. Specifically, if it is judged that the protection control module 120 and each of the install module are unauthentic, the update server 200 transmits, to the apparatus 100, an instruction to perform updating of the unauthentic protection control module 120 in preference to revocation of the unauthentic install module.

Abstract: To aim provide a software update apparatus including an install module group (130) composed of a plurality of install modules. Each of the install modules has a function of receiving, from an external server (200), a replacement protection control module (121) to be used for updating a protection control module (120) having a function of verifying whether a predetermined application has been tampered with. Each of the install modules simultaneously running is verified by at least another one of the install modules simultaneously running, as to whether the install module has a possibility of performing malicious operations.

Abstract: To aim provide a software update apparatus including an install module group (130) composed of a plurality of install modules. Each of the install modules has a function of receiving, from an external server (200), a replacement protection control module (121) to be used for updating a protection control module (120) having a function of verifying whether a predetermined application has been tampered with. Each of the install modules simultaneously running is verified by at least another one of the install modules simultaneously running, as to whether the install module has a possibility of performing malicious operations. If any of the install modules is verified as having the possibility of performing the malicious operations, any another one of the install modules that is verified as not having the possibility revokes the any install module verified as having the possibility.

Abstract: A signature generation apparatus and a signature verification apparatus which can prevent the occurrence of norm zero vector forgery attack. The signature generation apparatus (110) includes a signature generation unit (114) which generates signature data (S) for a message (m) using a private key stored in a private key storage unit (112), and converts the format of the signature data (S) so that the first sub-element of the N sub-elements in the signature data (S) indicates 0 without changing the norm of the signature data (S). The signature verification apparatus (120) includes a signature verification unit (124) which judges whether or not the first sub-element of the N sub-elements included in the signature data (S) indicates 0, and determines the signature data (S) as unauthorized data when judging that it is not 0.

Abstract: A signature generation apparatus preventing an transcript attack on signature data. The signature generation apparatus for generating signature data for message data (i) acquires, according to a predetermined acquisition method, a private key, which is different from a private key used in a previous digital signature operation, from among a plurality of private keys generated using a key generation method of a signature scheme in which the plurality of private keys correspond to a single public key, and (ii) performs, using the acquired private key, a digital signature operation on the message data according to a signature method of the signature scheme to generate the signature data.

Abstract: A signature generation apparatus and a signature verification which can surely prevent occurrence of inappropriate signature verification error are provided A signature generation apparatus (110) includes a signature generation unit (114) which calculates a signature vector (s, t) for a message m using a private key, and generates signature data S indicating polynomials sl and sh that can specify the polynomial s and a polynomial th which is a quotient when the polynomial t is divided by q.

Abstract: A communication device is secure against an impersonation attack as well. The communication device secretly communicates, with an external device, target data with use of a key shared with the external device. Without being known to a third party, the communication device generates a key shared with the external device using a scheme of which security is proved. Validity of the external device is determined by authentication with use of a key dependent function that is shared with the external device and is dependent on the shared key. If the external device is determined to be valid, for secretly communicating the target data, verification data for verifying validity of the target data is generated from the target data with use of the key dependent function.

Abstract: A signature generation apparatus and a signature verification apparatus which can prevent the occurrence of norm zero vector forgery attack. The signature generation apparatus (110) includes a signature generation unit (114) which generates signature data (S) for a message (m) using a private key stored in a private key storage unit (112), and converts the format of the signature data (S) so that the first sub-element of the N sub-elements in the signature data (S) indicates 0 without changing the norm of the signature data (S). The signature verification apparatus (120) includes a signature verification unit (124) which judges whether or not the first sub-element of the N sub-elements included in the signature data (S) indicates 0, and determines the signature data (S) as unauthorized data when judging that it is not 0.