JP2013157652A - Secret calculation system, encryption device, secrete calculation device, and method and program thereof - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a technology which can calculate secrete mapping for n pieces of encrypted input data with a calculation time of O((m+n)logn).SOLUTION: By using an image vector [[a]] in which the second column of an encryption matrix and an encryption column vector [[0]] and a vector derived by encrypting a column vector consisting of n pieces of numeric value 0 are coupled vertically and an updated vector [[c]] in which a vector derived by encrypting a column vector 1consisting of m pieces of numeric value 1 and a vector derived by encrypting a column vector 0consisting of n pieces of numeric value 0 are coupled vertically, iterative calculations are created so as to calculate mapping-applied values so that the number of calculated elements exponentially increases on each iteration, by which secrete calculation is performed.

Description

  The present invention relates to a cryptographic application technique, and in particular, fragments of input data (ciphertext) are sent to three or more secret computing devices, and without being decrypted by each secret computing device, the fragments remain without revealing the input data. The present invention relates to a secret calculation technique for performing calculation.

  There is a method called a secret calculation as a method for obtaining a calculation result without restoring an encrypted numerical value. Non-Patent Document 1 is known as a prior art of secret calculation. In Non-Patent Document 1, encryption is performed such that numerical fragments are distributed to three secret computing devices, and addition / subtraction, constant sum, multiplication, constant multiplication, logical operation (negative, logical product, The result of logical sum, exclusive logical sum) and data format conversion (integer, binary number) can be held in a state of being distributed to the three secret calculation devices, that is, encrypted.

Koji Senda, Hiroki Hamada, Igarashi Univ., Katsumi Takahashi, “Reconsideration of Lightweight Verifiable 3-Party Secret Function Computation”, Proc.

  However, the prior art does not disclose any method for calculating the mapping without restoring the encrypted numerical value and obtaining the result (hereinafter referred to as “secret mapping”). If a secret map is to be realized, the following method can be considered.

  All elements included in the domain and range are encrypted, and each original fragment (ciphertext) included in the domain is compared with a fragment of the input data to obtain a mapping image in the original fragment that matches. There is a need. Therefore, a calculation time O (m) proportional to the size m of the domain is required for one input data. When calculating a secret map for n pieces of encrypted input data, a calculation time of O (mn) is required.

  The present invention relates to a secret calculation device capable of calculating a secret mapping for n pieces of encrypted input data with a calculation time of O ((m + n) logn), an encryption device therefor, an encryption device, and a secret calculation device. It aims at providing the secret system which consists of, its method, and a program.

In order to solve the above problem, according to the first aspect of the present invention, N is an integer of 3 or more, and includes a secret calculation system, an encryption device, and N secret calculation devices. The encryption apparatus sets a mapping that designates an element in the second column of the same row to an element in the first column of each row of an m-row and two-column matrix as a mapping that the matrix expresses, and the matrix T that expresses the mapping A cryptographic matrix generation unit that encrypts each element and generates N cryptographic matrices, and n is the number of input data, and each element of the input vector, which is a column vector having n elements, is encrypted, An encryption input vector generation unit that generates an encryption input vector, and encrypts each element of a mark vector that is a column vector made up of m number 0, number 1, 2, ..., n, and N number of encryption mark vectors Encryption column vector generator for generating ⁿ , column vector 0 ⁿ consisting of n numbers 0, and second column of N encryption matrices and N encryption column vectors [[0 ⁿ ]] Image vector that generates N vertically connected image vectors [[a ₀ ]] A generating unit, encrypts the column vector 1 ^m of m numbers 1, encrypts the n column vectors 0 of numbers 0 to ^n, the N cipher vector [[1 ^m]] and the N cipher An updated vector generation unit that generates N updated vectors [[c ₀ ]] obtained by vertically connecting the column vectors [[0 ⁿ ]], and a column vector including the first column of the N cryptographic matrices , N cipher input vectors, N cipher landmark vectors, N image vectors, and N updated vectors, each of which distributes to N secret computing devices. Each secret computing device adds 1 to the column vector obtained by multiplying each element of the column vector consisting of the first column of the cryptographic matrix by 2 by secret calculation and 2 by multiplying each element of the encryption input vector by secret calculation. The sorting key vector that is vertically connected to the column vector and the matrix that is horizontally connected to the encryption landmark vector, image vector, and updated vector are secreted for each row according to the size relationship of each element of the sorting key vector. The sorting unit for sorting by calculation, and the minimum integer greater than or equal to the logarithmic value of the number of input data plus 1 is the iteration count t, and u [p... Q] is the p + 1 to q rows of the column vector u. A || B represents the logical sum of A and B, i is an integer of 1 to t, and i = 1 to i = t
d = 2 ^i-1
[[c _i ]] [0… d] = [[c _i-1 ]] [0… d]
[[a _i ]] [0… d] = [[a _i-1 ]] [0… d]
[[c _i ]] [d… (m + n)] = [[c _i-1 ]] [d… (m + n)] || [[c _i-1 ]] [0… (m + nd )]
[[a _i ]] [d… (m + n)]
= [[a _i-1 ]] [d… (m + n)] + [[a _i-1 ]] [0… (m + nd)] × ([[c _i ]] [d… (m + n)]-[[c _i-1 ]] [d ... (m + n)])
An iterative calculation unit that performs secret calculation, a random replacement unit that randomly replaces a combination of the encryption landmark vector and the image vector after the iteration calculation by secret calculation for each row, an encryption landmark vector stored in the secret calculation device, and other A mark vector decoding unit that decodes the mark vector from the encryption mark vector stored in the secret computing device, and the elements of the image vector in the same row as the elements having values from 1 to n among the elements of the mark vector A rearrangement unit that obtains the column vectors arranged in order as encryption output vectors.

In order to solve the above problems, according to the second aspect of the present invention, N is an integer of 3 or more, and the encryption device generates N pieces of ciphertext that can be secretly calculated from a certain numerical value. To do. The encryption apparatus sets a mapping that designates an element in the second column of the same row to an element in the first column of each row of an m-row and two-column matrix as a mapping that the matrix expresses, and the matrix T that expresses the mapping A cryptographic matrix generation unit that encrypts each element and generates N cryptographic matrices, and n is the number of input data, and each element of the input vector, which is a column vector having n elements, is encrypted, An encryption input vector generation unit that generates an encryption input vector, and encrypts each element of a mark vector that is a column vector made up of m number 0, number 1, 2, ..., n, and N number of encryption mark vectors Encryption column vector generator for generating ⁿ , column vector 0 ⁿ consisting of n numbers 0, and second column of N encryption matrices and N encryption column vectors [[0 ⁿ ]] Image vector that generates N vertically connected image vectors [[a ₀ ]] A generating unit, encrypts the column vector 1 ^m of m numbers 1, encrypts the n column vectors 0 of numbers 0 to ^n, the N cipher vector [[1 ^m]] and the N cipher An updated vector generation unit that generates N updated vectors [[c ₀ ]] obtained by vertically connecting the column vectors [[0 ⁿ ]], and a column vector including the first column of the N cryptographic matrices , N cipher input vectors, N cipher landmark vectors, N image vectors, and N updated vectors, each of which distributes to N secret computing devices.

In order to solve the above problem, according to a third aspect of the present invention, there is provided a mapping for designating an element in the second column of the same row with respect to an element in the first column of each row of an m × 2 matrix. , A mapping expressed by a matrix, an encrypted matrix obtained by encrypting each element of the matrix T expressing the mapping, an encryption matrix, n being the number of input data, and each element of an input vector being a column vector having n elements Are encrypted input vectors, encrypted elements of a mark vector, which is a column vector composed of m number 0, and numbers 1, 2,..., N. The column vector 0 ⁿ consisting of 0 numerical values is encrypted, and the second column of the cryptographic matrix and the encrypted column vector [[0 ⁿ ]] are vertically connected to form an image vector [[a ₀ ]], m It encrypts the column vector 1 ^m of numbers 1, column vector of n numbers 0 Encrypt Le 0 ^n, and encryption vector [[1 ^m]] the encryption column vector [[0 ^n]] and the updated vector the concatenation vertically [[c _0]], secure computing apparatus, the secret A column vector obtained by multiplying each element of the column vector consisting of the first column of the cryptographic matrix by 2 by calculation and a column vector obtained by multiplying each element of the cryptographic input vector by 2 by secret calculation and adding 1 vertically A sorting unit that sorts a concatenated sort key vector and a matrix obtained by horizontally concatenating the encryption landmark vector, the image vector, and the updated vector by secret calculation for each row according to the magnitude relation of each element of the sort key vector; , The smallest integer greater than or equal to the logarithmic value of the number of input data plus 1 is the number of iterations t, u [p... Q] is the p + 1 to q rows of the column vector u, and A || B Represents the logical sum of A and B, and i is 1 or more and t or less From i = 1 to i = t
d = 2 ^i-1
[[c _i ]] [0… d] = [[c _i-1 ]] [0… d]
[[a _i ]] [0… d] = [[a _i-1 ]] [0… d]
[[c _i ]] [d… (m + n)] = [[c _i-1 ]] [d… (m + n)] || [[c _i-1 ]] [0… (m + nd )]
[[a _i ]] [d… (m + n)]
= [[a _i-1 ]] [d… (m + n)] + [[a _i-1 ]] [0… (m + nd)] × ([[c _i ]] [d… (m + n)]-[[c _i-1 ]] [d ... (m + n)])
An iterative calculation unit that performs secret calculation, a random replacement unit that randomly replaces a combination of the encryption landmark vector and the image vector after the iteration calculation by secret calculation for each row, an encryption landmark vector stored in the secret calculation device, and other A mark vector decoding unit that decodes the mark vector from the encryption mark vector stored in the secret computing device, and the elements of the image vector in the same row as the elements having values from 1 to n among the elements of the mark vector A rearrangement unit that obtains the column vectors arranged in order as encryption output vectors.

In order to solve the above problem, according to the fourth aspect of the present invention, N is an integer of 3 or more, and the secret calculation method uses an encryption device and N secret calculation devices. In the secret calculation method, the mapping that designates the element in the second column of the same row with respect to the element in the first column of each row of the m-by-2 matrix is a mapping that the matrix represents, and the encryption device An encryption matrix generation step for encrypting each element of the matrix T to be expressed to generate N encryption matrices, n being the number of input data, and an input vector in which the encryption device is a column vector having n elements The encryption input vector generation step for encrypting each element of N and generating N encryption input vectors, and the encryption device is a column vector composed of m number 0, number 1, 2, ..., n A cipher mark vector generating step for encrypting each element of the mark vector and generating N cipher mark vectors, and the encrypting device encrypts a column vector 0 ⁿ consisting of n numerical values 0, and N cipher matrices Second column and N cipher string vectors [[ ^n]] and the image vector generating step of generating the N images vectors linked vertically each [[a _0]], the encryption device encrypts the column vector 1 ^m of m number 1, Encrypt column vector 0 ⁿ consisting of n number 0 and update N by vertically linking N encryption vectors [[1 ^m ]] and N encryption column vectors [[0 ⁿ ]] An updated vector generation step for generating a completed vector [[c ₀ ]], and the encryption apparatus includes a column vector composed of the first column of N cryptographic matrices, N cryptographic input vectors, and N cryptographic landmark vectors. , A transmission step of distributing N image vectors and N updated vectors to N secret calculation devices, respectively, and a column obtained by multiplying each element of a column vector consisting of the first column of the cryptographic matrix by 2 by secret calculation Each element of the encryption input vector A sorting key vector generation step for generating a sorting key vector obtained by vertically concatenating a column vector obtained by multiplying 2 by 1 and a column vector obtained by adding 1; and each secret computing device includes a sorting key vector, an encryption landmark vector, A sorting step for sorting the matrix obtained by horizontally connecting the image vector and the updated vector by secret calculation for each row according to the magnitude relation of each element of the sorting key vector, and a value obtained by adding 1 to the number of input data A step of calculating the smallest integer greater than or equal to the logarithmic value as the number of iterations t, and u [p ... q] from the p + 1 line to the q line of the column vector u, and A || B is the logical sum of A and B I is an integer from 1 to t, and each secret computing device has i = 1 to i = t.
d = 2 ^i-1
[[c _i ]] [0… d] = [[c _i-1 ]] [0… d]
[[a _i ]] [0… d] = [[a _i-1 ]] [0… d]
[[c _i ]] [d… (m + n)] = [[c _i-1 ]] [d… (m + n)] || [[c _i-1 ]] [0… (m + nd )]
[[a _i ]] [d… (m + n)]
= [[a _i-1 ]] [d… (m + n)] + [[a _i-1 ]] [0… (m + nd)] × ([[c _i ]] [d… (m + n)]-[[c _i-1 ]] [d ... (m + n)])
Each of the secret calculation devices, the random calculation step in which each secret calculation device randomly replaces the combination of the encryption landmark vector and the image vector after the iteration calculation by secret calculation for each row, and each secret calculation device A landmark vector decrypting step for decrypting the landmark vector from the cryptographic landmark vector stored in the secret computing device and the cryptographic landmark vector stored in another secret computing device, and each secret computing device has 1 to n of the landmark vector elements And a rearranging step for obtaining a column vector in which the elements of the image vector in the same row as the elements having values up to 1 are arranged in order from 1 to n as an encryption output vector.

In order to solve the above problems, according to the fifth aspect of the present invention, N is an integer of 3 or more, and the encryption method generates N pieces of ciphertext that can be secretly calculated from a certain numerical value. To do. In the encryption method, a mapping that designates an element in the second column of the same row with respect to an element in the first column of each row of an m-row and two-column matrix is a mapping that the matrix represents, and the matrix T that represents the mapping A cryptographic matrix generation step for encrypting each element to generate N cryptographic matrices, and encrypting each element of the input vector, which is a column vector having n elements, where n is the number of input data, A cryptographic input vector generating step for generating a cryptographic input vector, and encrypting each element of a landmark vector which is a column vector consisting of m number 0, number 1, 2,. Encrypting a mark vector generation step for generating ^n, and encrypting a column vector 0 ⁿ consisting of n number 0, and a second column of N encryption matrices and N encryption column vectors [[0 ⁿ ]] respectively N image vectors [[a ₀ ]] connected vertically The image vector generation step to be generated, the column vector 1 ^m consisting of m number 1 and the column vector 0 ⁿ consisting of n number 0 are encrypted, and N encryption vectors [[1 ^m ]] An updated vector generation step for generating N updated vectors [[c ₀ ]] obtained by vertically connecting N encryption column vectors [[0 ⁿ ]], and the first column of the N encryption matrices And a transmitting step of distributing N encryption input vectors, N encryption landmark vectors, N image vectors, and N updated vectors to N secret calculation methods, respectively.

In order to solve the above problem, according to a sixth aspect of the present invention, there is provided a mapping for designating an element in the second column of the same row with respect to the element in the first column of each row of the matrix of m rows and 2 columns. , A mapping expressed by a matrix, an encrypted matrix obtained by encrypting each element of the matrix T expressing the mapping, an encryption matrix, n being the number of input data, and each element of an input vector being a column vector having n elements Are encrypted input vectors, encrypted elements of a mark vector, which is a column vector composed of m number 0, and numbers 1, 2,..., N. The column vector 0 ⁿ consisting of 0 numerical values is encrypted, and the second column of the cryptographic matrix and the encrypted column vector [[0 ⁿ ]] are vertically connected to form an image vector [[a ₀ ]], m It encrypts the column vector 1 ^m of numbers 1, column vector of n numbers 0 Encrypt Le 0 ^n, and encryption vector [[1 ^m]] the encryption column vector [[0 ^n]] and the updated vector the concatenation vertically [[c _0]], secure computing method, the secret A column vector obtained by multiplying each element of the column vector consisting of the first column of the cryptographic matrix by 2 by calculation and a column vector obtained by multiplying each element of the cryptographic input vector by 2 by secret calculation and adding 1 vertically A sorting step of sorting a concatenated sort key vector and a matrix obtained by horizontally concatenating the encryption landmark vector, the image vector, and the updated vector by secret calculation for each row according to the magnitude relation of each element of the sort key vector; , The smallest integer greater than or equal to the logarithmic value of the number of input data plus 1 is the number of iterations t, u [p... Q] is the p + 1 to q rows of the column vector u, and A || B Represents the logical sum of A and B, and i is 1 or more an integer less than or equal to t, i = 1 to i = t
d = 2 ^i-1
[[c _i ]] [0… d] = [[c _i-1 ]] [0… d]
[[a _i ]] [0… d] = [[a _i-1 ]] [0… d]
[[c _i ]] [d… (m + n)] = [[c _i-1 ]] [d… (m + n)] || [[c _i-1 ]] [0… (m + nd )]
[[a _i ]] [d… (m + n)]
= [[a _i-1 ]] [d… (m + n)] + [[a _i-1 ]] [0… (m + nd)] × ([[c _i ]] [d… (m + n)]-[[c _i-1 ]] [d ... (m + n)])
An iterative calculation step for secretly calculating, a random replacement step for randomly replacing the combination of the encryption mark vector and the image vector after the iterative calculation by secret calculation for each row, a mark vector decoding step for decoding the mark vector, and a mark vector A rearrangement step for obtaining, as an encryption output vector, a column vector in which elements of image vectors in the same row as elements having values from 1 to n are sequentially arranged from 1 to n.

  According to the secret calculation method of the present invention, when the size of the domain is m, the secret mapping can be calculated with the calculation time O ((m + n) logn) for the n pieces of encrypted input data. There is an effect.

The figure which shows the structural example of a secret calculation system. The functional block diagram of an encryption apparatus. The figure which shows the processing flow at the time of the initialization of an encryption apparatus. The figure which shows the processing flow at the time of input data acquisition of an encryption apparatus. The functional block diagram of a secret calculation apparatus. The figure which shows the processing flow at the time of the initialization of a secret calculation apparatus. The figure which shows the processing flow at the time of encryption input vector reception of a secret calculation apparatus.

  Hereinafter, embodiments of the present invention will be described. In the drawings used for the following description, constituent parts having the same function and steps for performing the same process are denoted by the same reference numerals, and redundant description is omitted. Further, the processing performed for each element of a vector or matrix is assumed to be applied to all elements of the vector or matrix unless otherwise specified.

<Secret calculation system 10 according to the first embodiment>
FIG. 1 shows a configuration example of the secret calculation system 10. The secret calculation system 10 includes an encryption device 11, a communication line 13, and secret calculation devices 12-1, 12-2, ..., 12-N. However, N is an integer of 3 or more. The communication line 13 includes, for example, a wide area communication line provided by an electric power company, a VPN (Virtual Private Network), a LAN (Local Area Network), or the like, and the secret calculation system 10 and the respective secret calculation devices 12-1, 12-2,. , 12-N and communication between the respective secret computing devices 12-1, 12-2, ..., 12-N. Details of each device will be described below.

<Encryption device 11>
2 shows a functional block diagram of the encryption device 11, FIG. 3 shows a processing flow when the encryption device 11 is initially set, and FIG. 4 shows a processing flow when the encryption device 11 receives input data.

  The encryption device 11 includes an encryption matrix generation unit 111, an encryption input vector generation unit 112, an encryption landmark vector generation unit 113, an image vector generation unit 114, an updated vector generation unit 115, a transmission unit 116, and a storage unit 117.

  The encryption device 11 receives an m-row / 2-column matrix T representing a mapping and n pieces of input data, and stores them in the storage unit 117. Using this input, N column vectors consisting of the first column of N cryptographic matrices, N cryptographic input vectors, N cryptographic landmark vectors, N image vectors, and N updated vectors are obtained. Generated and output to N secret computing devices. Details of the matrix T and each vector will be described later.

Each unit (encryption matrix generation unit 111, encryption input vector generation unit 112, encryption landmark vector generation unit 113, image vector generation unit 114, and updated vector generation unit 115) in the encryption apparatus 11 performs encryption. As an encryption method, for example, there is a method described in Reference 1.
(Reference 1) SecureSCM. Security analysis. Deliverable D9.2, SecureSCM Project, 2009

  For example, N pieces [[A]] which are ciphertexts are generated from the numerical value A. In this case, the numerical value A cannot be restored unless there are N ′ pieces [[A]] of N pieces [[A]]. However, N ′ is an integer of 2 or more and N or less. The values of N and N ′ vary depending on the encryption method. N fragments [[A]] have different values, but for convenience, all fragments are represented as [[A]].

[Cryptographic matrix generator 111]
N encryption vectors and encryption matrices obtained when the elements of the vector V and the matrix M are encrypted will be described as [[V]] and [[M]], respectively. The encryption matrix generation unit 111 is given a matrix T representing the mapping, encrypts each element of the matrix T, generates N encryption matrices [[T]] (s11), and stores them in the storage unit 117. The mapping from the set (definition area) based on the element included in the first column of the matrix T of m rows and 2 columns to the set (value range) based on the element included in the second column of the matrix T. A mapping that designates the element in the second column of the same row with respect to the element in the first column of each row of the matrix T is called a mapping that the matrix T represents. Let x be the column vector consisting of the first column of the matrix T, and y be the column vector consisting of the second column. Therefore,

It is. However, “ ^T ” represents transposition.

[Cryptographic Mark Vector Generation Unit 113]
The encryption landmark vector generation unit 113 encrypts each element of the landmark vector h, which is a column vector composed of m number 0 and numbers 1, 2,..., N, and N encryption landmark vectors [[h] ] Is generated (s13) and stored in the storage unit 117.

[Image Vector Generation Unit 114]
Image vector generation unit 114, encrypts the n-number column vectors 0 of numbers 0 to ^n, 2-row and N encryption column vector of N encryption matrix [[0 ^n]] and a connecting perpendicular, respectively The generated N image vectors [[a ₀ ]] are generated (s15) and stored in the storage unit 117.

[Updated vector generation unit 115]
Updated vector generation unit 115 encrypts a column vector 1 ^m of m numbers 1, encrypts the n column vectors 0 of numbers 0 to ^n, N pieces of encryption vectors [[1 ^m]] and N updated vectors [[c ₀ ]] obtained by vertically linking the N encrypted string vectors [[0 ⁿ ]] are generated (s17) and stored in the storage unit 117.

The transmission unit 116 includes N column vectors [[x]], N encryption mark vectors [[h]], and N image vectors [[a ₀ ]] that are the first columns of N encryption matrices. When N updated vectors [[c ₀ ]] are generated, these vectors are extracted from the storage unit 117, transmitted to N secret calculation devices, and distributed (s19).

[Cryptographic input vector generation unit 112]
When n pieces of input data are input (s21), the cryptographic input vector generation unit 112 encrypts each element of the input vector k which is a column vector having n elements, and N cryptographic input vectors [[[ k]] is generated (s23) and stored in the storage unit 117.

  When the N encryption input vectors are generated, the transmission unit 116 extracts them from the storage unit 117, transmits them to the N secret calculation devices, and distributes them (s25).

  In the present embodiment, the number of input data is determined in advance as n, and various vectors for the size are generated. If the number of input data is n or less, a symbol representing a blank is input in an insufficient amount to generate various vectors. If the number of input data is n or more, the input data is divided into n blocks. Then, various vectors are generated for each block.

  n may be determined at the time when input data is input without setting n in advance. In this case, the various vectors are generated after input data is input. In the case of this configuration, there is an advantage that a symbol representing a blank or a process of dividing input data can be omitted, and all vectors can be transmitted by one transmission. In the case of the present embodiment, after the input data is input, only the encryption input vector is generated and transmitted, so the response time is fast. However, if n is not predetermined, the input data is input after the input data is input. Since the vector is generated, there is a demerit that the response time becomes long.

<Secret Computing Device 12-1>
FIG. 5 is a functional block diagram of the secret computing device 12-1, FIG. 6 shows a processing flow at the time of initial setting, and FIG. 7 shows a processing flow at the time of receiving the encryption input vector. The other secret computing devices 12-2, 12-3,..., 12-N have the same functional configuration and perform the same processing.

  The secret calculation device 12-1 includes a sorting key vector generation unit 121, a sorting unit 122, an iterative calculation unit 123, a random replacement unit 124, a landmark vector decoding unit 125, a rearrangement unit 126, a transmission / reception unit 127, and a storage unit 128. .

The secret computing device 12-1 first sends a column vector [[x]] consisting of the first column of the encryption matrix [[T]], the encryption landmark vector [[h]], and the image vector [[a] via the transmission / reception unit 127. ₀ ]] and the updated vector [[c ₀ ]] are received and stored in the storage unit 128 (s31 in FIG. 6). Next, the encryption input vector [[k]] is received via the transmission / reception unit 127 and stored in the storage unit 128 (s33 in FIG. 7). Using these vectors, the secret computing device 12-1 does not restore the input vector k, and the ciphertext of the output vector v of size n in which the mapping represented by the matrix T is applied to each element of the input vector k. [[v]] is calculated, and the calculation result is stored in the storage unit 128 while being encrypted. Hereinafter, the processing content of each part is demonstrated.

[Sort key vector generation unit 121]
When receiving the column vector [[x]] consisting of the first column of the encryption matrix [[T]], the sorting key vector generation unit 121 retrieves the column vector [[x]] from the storage unit 128 and performs a secret calculation to obtain the encryption matrix [[T]. ] Is generated by multiplying each element of the column vector [[x]] consisting of the first column by 2 and stored in the storage unit 128 (s32 in FIG. 6).

Further, upon receiving the cryptographic input vector [[k]], the sorting key vector generation unit 121 extracts this from the storage unit 128 and multiplies each element of the cryptographic input vector [[k]] by 2 by a secret calculation. A column vector (2 · [[k]] + 1 ⁿ ) obtained by adding 1 to the object is generated and stored in the storage unit 128.

1 ⁿ represents a column vector having n numerical values 1 as elements. An existing technique can be used as a method of performing addition and multiplication by secret calculation (see, for example, Reference 1).

Further, the sorting key vector generation unit 121 generates a sorting key vector [[e]] by vertically connecting the column vectors 2 · [[x]] and (2 · [[k]] + 1 ⁿ ). (S35), stored in the storage unit 128.

[Sort section 122]
The sorting unit 122 extracts the encryption landmark vector [[h]], the image vector [[a ₀ ]], the updated vector [[c ₀ ]], and the sorting key vector [[e]] from the storage unit 128, and Matrix of horizontally connected vectors

(See formulas (6), (7), (8), and (13)), and sort by secret calculation for each row according to the magnitude relation of each element of the sorting key vector [[e]] (s37) The sorted encryption mark vector [[h]], the image vector [[a ₀ ]], and the updated vector [[c ₀ ]] are stored in the storage unit 128. Note that an existing technique can be used as a method of sorting by secret calculation (for example, see Reference 2).
(See Reference 2) Hiroki Hirota, Dai Igarashi, Koji Senda, Katsumi Takahashi, “Linear time sort on secret function calculation”, SCIS, 2011, pp.1-7

  The sort used in the present embodiment is a ciphertext obtained by encrypting each element of plaintext Y that is arranged in accordance with the value of a specified column of a plaintext X row of a ciphertext pair [[X]] that is sorted by a secret function calculation [ [Y]] may be calculated so long as no one understands the correspondence between each element of [[X]] and [[Y]].

[Iteration calculation unit 123]
The iterative calculation unit 123 calculates the smallest integer equal to or greater than the logarithm of the value obtained by adding 1 to the number of elements of the encrypted input vector (s38), and sets this value as the number of iterations t.

However, ceil (•) represents a ceiling function, and represents a minimum integer greater than or equal to.

The iterative calculation unit 123 extracts the sorted image vector [[a ₀ ]] and updated vector [[c ₀ ]] from the storage unit 128, and from i = 1 to i = t.
d ← 2 ^i-1 (16)
[[c _i ]] [0… d] ← [[c _i-1 ]] [0… d] (17)
[[a _i ]] [0… d] ← [[a _i-1 ]] [0… d] (18)
[[c _i ]] [d… (m + n)] ← [[c _i-1 ]] [d… (m + n)] || [[c _i-1 ]] [0… (m + nd )] (19)
[[a _i ]] [d… (m + n)]
← [[a _i-1 ]] [d… (m + n)] + [[a _i-1 ]] [0… (m + nd)] × ([[c _i ]] [d… (m + n)]-[[c _i-1 ]] [d ... (m + n)])
(20)
The determined by a secret calculation (s39~s45), stored in the storage unit 128 the [[a _t]]. Where u [p... Q] represents the (p + 1) th to qth rows of the column vector u, A || B represents the logical sum of A and B, i represents an integer of 1 to t, and each element Substitution, logical sum, multiplication, and addition are performed on. An existing technique can be used as a method for obtaining a logical sum by a secret calculation (see, for example, Reference 1).

[Random replacement part 124]
Random replacement unit 124, the encryption marker vector [[h]] image vector after repeated calculations and [[a _t]] and was removed from the storage unit 128, and random replacement by secure computing this combination for each row (s47) stores an encryption marker vector after substitution [[h]] and the image vector [[a _t]] in the storage unit 128. In addition, the existing technique can be used as a method of performing random replacement by secret calculation (see Reference 3).
(See Reference 3) Hiroki Hirota, Dai Igarashi, Koji Senda, Katsumi Takahashi, “Random replacement protocol for computing three-party secret functions”, Proceedings of the IPSJ Symposium, 2010, Volume: 2010, Issue: 9, page : 561-566

  The random replacement in the present embodiment is a ciphertext [[Y] obtained by encrypting each element of the plaintext Y obtained by randomly replacing the plaintext X row of the ciphertext pair [[X]] that is randomly replaced by the secret function calculation. [[X]] and [[Y]] may be calculated so that no one knows the correspondence between each element.

[Market Vector Decoding Unit 125]
The mark vector decryption unit 125 transmits the encryption mark vector [[h]] stored in the secret calculation device to at least another (N′−1) secret calculation devices via the transmission / reception unit 127. To request. When the mark vector decryption unit 125 receives (N′−1) cipher mark vectors [[h]] from other secret calculation devices, the mark vector decryption unit 125 combines them with the cipher mark vector [[h]] stored in the secret calculation device. Te, from N 'pieces of encrypted marker vector [[h]], and decodes the original mark vector h (s49), the image vector after substitution a mark vector h after decoding [[a _t]] and row Are stored in the storage unit 128 without changing the relationship. Note that the decryption method in this case only needs to correspond to the encryption performed in the encryption device 11 (see, for example, Reference 1).

[Sort section 126]
Rearranging unit 126 of the restored landmark vector h element, a column vector obtained by arranging the order of the elements of the image vector of the same line as the element with a value from 1 to n [[a _t]] from 1 to n Obtained as an encrypted output vector [[v]] (s51) and stored in the storage unit 128. The encryption output vector [[v]] obtained in this way is obtained by encrypting the output vector v indicating the result of applying the mapping represented by the matrix T to the input vector k. Therefore, the mapping represented by the matrix T can be calculated without restoring the encryption input vector [[k]], and the result can be obtained.

<Effect>
If the calculation to read out the value placed in a certain area while keeping it secret (hereinafter referred to as “secret reading”) is to be realized in the conventional technology, it is necessary to perform confidential reading once for one input data There is. For this reason, it takes time proportional to the size m of the region to “pretend” reading all the values arranged in the region. In the present embodiment, the efficiency is improved by performing confidential reading once for a large amount of input data. In this embodiment, an iterative calculation is performed such that the value after mapping is applied so that the number of elements already calculated increases exponentially at each iteration, and the calculation time is set to O ((m + n) logn by using this calculation. )

<Example>
In the present embodiment, the encryption device 11 will be described with respect to a case where the following matrix T and input vector k are input. In order to facilitate the explanation, each numerical value is described in plain text, but in practice, secret calculation is performed in cipher text.

The encryption device 11 generates the following landmark vector h, image vector a ₀ , and updated vector c ₀ . The secret computing device 12-1 generates the following sort key vector e.

  The sorting unit 122 sorts a matrix obtained by horizontally connecting these vectors in accordance with the magnitude relationship of each element of the sorting key vector [[e]]. Each vector after sorting is shown below.

Iterative calculation unit 123 uses the image vector _{a 0} and updated vector _{c 0} after sorting, repeated formula (16) to (20) i = 1 to i = t. The image vector a _i and the updated vector c _{i at} each i are as follows.

The random replacement unit 124 uses the sorted landmark vector h and the iterated image vector a _4.

Randomly replace the combination of Note that random replacement is performed in order to prevent the distribution of the calculation result of the mapping from the position of the element 0 of the mark vector h. The row of the element 0 of the mark vector h is the element of the second column of the encryption matrix of the image vector a ₀ (the second column of the encryption matrix and the encryption column vector [[0 ⁿ ]] connected vertically). Corresponds to the line. For example, between the 4th 0 and the 5th 0 of h, h has 5 elements (9, 5, 2, 3 and 7). This indicates that there are five values between the fourth element and the fifth element of y. When the mark vector h is restored before the random replacement, this distribution can be found. However, this can be prevented by restoring the mark vector h after the random replacement.

Rearranging unit 126 of the restored landmark vector h element, a column vector obtained by arranging the order of the elements of the image vector of the same line as the element with a value from 1 to n [[a _t]] from 1 to n Obtained as an encryption output vector v.

It can be seen that the output vector v is a vector obtained by applying the mapping represented by the matrix T to the input vector k.

In the first embodiment, each element of the input vector k need not necessarily be included in the column vector x consisting of the first column of the matrix T. In this case, if each element of x is set to x ₁ , x ₂ ,..., X _m from the smallest, and the mapping represented by the matrix T is f, [−∞, x ₁ ), [x ₁ , x ₂ ), ..., [x _m-1 , x _m ), [x _m , ∞] include 0, f (x ₁ ), ..., f (x _m-1 ), f (x _m ), respectively. Is output as Even if the input vector in the above example is k = (37, 30, 32, 49, 28, 3, 34, 41, 25) ^T , the same output vector v = (40, 30, 30, 50, 30, 0, 30, 40, 30) ^T is obtained, and in this example, rounding is performed for natural numbers of 54 or less.

<Modification>
In the present embodiment, the sort key vector generation unit 121 performs processing on the secret computing device side, but may be performed on the encryption device 11 side. In this case, the encryption device 11 transmits the generated N sort key vectors [[e]] to the N secret calculation devices 12-1, 12-2,.

  In this embodiment, the number of iterations t is obtained on the secret computing device side, but t is obtained in the encryption device 11, and t is set to N secret computing devices 12-1, 12-2,..., 12-N. It is good also as a structure which transmits and distributes.

  In the present embodiment, the encryption device is configured as a device different from the secret calculation device, but the encryption device may be mounted on any one of the secret calculation devices.

  The present invention is not limited to the above-described embodiments and modifications. For example, the various processes described above are not only executed in time series according to the description, but may also be executed in parallel or individually as required by the processing capability of the apparatus that executes the processes. In addition, it can change suitably in the range which does not deviate from the meaning of this invention.

<Program and recording medium>
The above-described encryption device and secret calculation device can also be operated by a computer. In this case, each process of a program for causing a computer to function as a target device (a device having the functional configuration shown in the drawings in various embodiments) or a process procedure (shown in each embodiment) is processed by the computer. A program to be executed by the computer may be downloaded from a recording medium such as a CD-ROM, a magnetic disk, or a semiconductor storage device or via a communication line into the computer, and the program may be executed.

Claims (7)

N is an integer equal to or greater than 3, and is a secret calculation system including an encryption device and N secret calculation devices,
The encryption device is:
The mapping that designates the element in the second column of the same row for the element in the first column of each row of the m-row and two-column matrix is the mapping that the matrix expresses, and each element of the matrix T that expresses the mapping is encrypted A cryptographic matrix generation unit for generating N cryptographic matrices;
a cryptographic input vector generation unit that encrypts each element of an input vector, which is a column vector having n elements, where n is the number of input data, and generates N cryptographic input vectors;
an encryption landmark vector generation unit that encrypts each element of a landmark vector, which is a column vector composed of m number 0 and numbers 1, 2,..., n, and generates N encryption landmark vectors;
encrypts the column vector 0 ⁿ of n numbers 0, N pieces of the N images vectors second column and N encryption column vector [[0 ^n]] and were coupled perpendicularly each encryption matrix an image vector generation unit for generating [[a ₀ ]];
The column vector 1 ^m consisting of m numbers 1 is encrypted, the column vector 0 ⁿ consisting of n numbers 0 is encrypted, and N encryption vectors [[1 ^m ]] and N encryption column vectors [[ 0 ⁿ ]] and N updated vectors [[c ₀ ]] that are vertically connected to each other,
A column vector consisting of the first column of the N number of cryptographic matrices, N number of cryptographic input vectors, N number of cryptographic landmark vectors, N number of image vectors, and N number of updated vectors, A transmission unit distributed to a secret computing device,
Each of the secret computing devices
A column vector obtained by multiplying each element of the column vector consisting of the first column of the cryptographic matrix by 2 by secret calculation, and a column vector obtained by adding 1 to each element of the encryption input vector multiplied by 2 by secret calculation; A secret key vector that is vertically concatenated, and a matrix that horizontally concatenates the encryption landmark vector, the image vector, and the updated vector are secreted for each row according to the magnitude relationship of each element of the sort key vector. A sorting section for sorting by calculation;
The minimum integer greater than or equal to the logarithm of the number of input data plus 1 is the number of iterations t, u [p... Q] is the p + 1th to qth rows of the column vector u, and A || B is Represents the logical sum of A and B, i is an integer of 1 to t, and i = 1 to i = t
d = 2 ^i-1
[[c _i ]] [0… d] = [[c _i-1 ]] [0… d]
[[a _i ]] [0… d] = [[a _i-1 ]] [0… d]
[[c _i ]] [d… (m + n)] = [[c _i-1 ]] [d… (m + n)] || [[c _i-1 ]] [0… (m + nd )]
[[a _i ]] [d… (m + n)]
= [[a _i-1 ]] [d… (m + n)] + [[a _i-1 ]] [0… (m + nd)] × ([[c _i ]] [d… (m + n)]-[[c _i-1 ]] [d ... (m + n)])
An iterative calculation unit that secretly calculates
A random replacement unit that randomly replaces the combination of the encryption landmark vector and the image vector after the repeated calculation by secret calculation for each row;
A mark vector decrypting unit that decrypts the mark vector from the cipher mark vector stored by the secret computer and the cipher mark vector stored by another secret computer;
A reordering unit that obtains, as an encryption output vector, a column vector in which image vector elements in the same row as elements having values from 1 to n are arranged in order from 1 to n among the elements of the mark vector,
Secret calculation system. N is an integer equal to or greater than 3, and is an encryption device that generates N pieces of ciphertext that can be secretly calculated from a certain numerical value,
The mapping that designates the element in the second column of the same row for the element in the first column of each row of the m-row and two-column matrix is the mapping that the matrix expresses, and each element of the matrix T that expresses the mapping is encrypted A cryptographic matrix generation unit for generating N cryptographic matrices;
a cryptographic input vector generation unit that encrypts each element of an input vector, which is a column vector having n elements, where n is the number of input data, and generates N cryptographic input vectors;
an encryption landmark vector generation unit that encrypts each element of a landmark vector, which is a column vector composed of m number 0 and numbers 1, 2,..., n, and generates N encryption landmark vectors;
encrypts the column vector 0 ⁿ of n numbers 0, N pieces of the N images vectors second column and N encryption column vector [[0 ^n]] and were coupled perpendicularly each encryption matrix an image vector generation unit for generating [[a ₀ ]];
The column vector 1 ^m consisting of m numbers 1 is encrypted, the column vector 0 ⁿ consisting of n numbers 0 is encrypted, and N encryption vectors [[1 ^m ]] and N encryption column vectors [[ 0 ⁿ ]] and N updated vectors [[c ₀ ]] that are vertically connected to each other,
A column vector consisting of the first column of the N number of cryptographic matrices, N number of cryptographic input vectors, N number of cryptographic landmark vectors, N number of image vectors, and N number of updated vectors, Including a transmission unit distributed to the secret computing device,
Encryption device. The mapping that designates the element in the second column of the same row for the element in the first column of each row of the m-by-2 matrix is the mapping that the matrix represents, and each element of the matrix T that represents the mapping is encrypted The encryption matrix is an encryption matrix, n is the number of input data, each element of the input vector, which is a column vector having n elements, is encrypted, and the encryption input vector is m numbers 0 and 1 , 2,..., N, which are encrypted vector elements of the mark vector, are used as encryption mark vectors, and a column vector 0 ⁿ consisting of n number 0 is encrypted, and two columns of the encryption matrix An image vector [[a ₀ ]] is obtained by vertically concatenating the eyes and the cipher sequence vector [[0 ⁿ ]], and a column vector 1 ^m consisting of m numbers 1 is encrypted, and n numbers 0 encrypts the column vector 0 ⁿ comprising encryption vector [[1 ^m]] the encryption column vector And Le [[0 ^n]] and the updated vector the concatenation vertically [[c _0]],
A column vector obtained by multiplying each element of the column vector consisting of the first column of the cryptographic matrix by 2 by secret calculation, and a column vector obtained by adding 1 to each element of the encryption input vector multiplied by 2 by secret calculation; A secret key vector that is vertically concatenated, and a matrix that horizontally concatenates the encryption landmark vector, the image vector, and the updated vector are secreted for each row according to the magnitude relationship of each element of the sort key vector. A sorting section for sorting by calculation;
The minimum integer greater than or equal to the logarithm of the number of input data plus 1 is the number of iterations t, u [p... Q] is the p + 1th to qth rows of the column vector u, and A || B is Represents the logical sum of A and B, i is an integer of 1 to t, and i = 1 to i = t
d = 2 ^i-1
[[c _i ]] [0… d] = [[c _i-1 ]] [0… d]
[[a _i ]] [0… d] = [[a _i-1 ]] [0… d]
[[c _i ]] [d… (m + n)] = [[c _i-1 ]] [d… (m + n)] || [[c _i-1 ]] [0… (m + nd )]
[[a _i ]] [d… (m + n)]
= [[a _i-1 ]] [d… (m + n)] + [[a _i-1 ]] [0… (m + nd)] × ([[c _i ]] [d… (m + n)]-[[c _i-1 ]] [d ... (m + n)])
An iterative calculation unit that secretly calculates
A random replacement unit that randomly replaces the combination of the encryption landmark vector and the image vector after the repeated calculation by secret calculation for each row;
A mark vector decrypting unit that decrypts the mark vector from the cipher mark vector stored by the secret computer and the cipher mark vector stored by another secret computer;
A reordering unit that obtains, as an encryption output vector, a column vector in which image vector elements in the same row as elements having values from 1 to n are arranged in order from 1 to n among the elements of the mark vector,
Secret computing device. N is an integer equal to or greater than 3, and is a secret calculation method using an encryption device and N secret calculation devices,
A mapping that designates an element in the second column of the same row with respect to an element in the first column of each row of an m-row and two-column matrix is defined as a mapping that the matrix represents, and the encryption device uses a matrix T that represents the mapping. A cryptographic matrix generation step of encrypting each element of N and generating N cryptographic matrices;
n is the number of input data, and the encryption device encrypts each element of the input vector, which is a column vector having n elements, and generates N encrypted input vectors, and
The encryption device encrypts each element of a mark vector, which is a column vector composed of m number 0, and numbers 1, 2,..., N, and generates N number of mark points. Steps,
The encryption device encrypts the n-number column vectors 0 of numbers 0 to ^n, 2-row and N encryption column vector of N the encryption matrix [[0 ^n]] and a connecting perpendicular, respectively An image vector generation step for generating N image vectors [[a ₀ ]] performed;
The encryption apparatus encrypts a column vector 1 ^m consisting of m number ^1s , encrypts a column vector 0 ⁿ consisting of n numbers 0, and N encryption vectors [[1 ^m ]] and N An updated vector generation step for generating N updated vectors [[c ₀ ]] obtained by vertically connecting the cipher string vectors [[0 ⁿ ]] of
The encryption apparatus includes a column vector consisting of the first column of the N number of the encryption matrices, N number of the encryption input vectors, N number of the encryption landmark vectors, N number of the image vectors, and N number of the updated matrices. A transmission step of distributing the vector to each of N secret computing devices;
A column vector obtained by multiplying each element of the column vector consisting of the first column of the cryptographic matrix by 2 by secret calculation, and a column vector obtained by adding 1 to each element of the encryption input vector multiplied by 2 by secret calculation; A sorting key vector generation step for generating a sorting key vector obtained by vertically concatenating
Each of the secret computing devices performs a matrix obtained by horizontally connecting the sorting key vector, the encryption landmark vector, the image vector, and the updated vector according to the magnitude relationship of each element of the sorting key vector. A sorting step for sorting by secret calculation every time,
Calculating a minimum integer equal to or greater than the logarithm of the value obtained by adding 1 to the number of input data as the number of iterations t;
u [p... q] is the column vector u from the p + 1th row to the qth row, A || B represents the logical sum of A and B, i is an integer of 1 to t, and each of the secrets The computing device is from i = 1 to i = t
d = 2 ^i-1
[[c _i ]] [0… d] = [[c _i-1 ]] [0… d]
[[a _i ]] [0… d] = [[a _i-1 ]] [0… d]
[[c _i ]] [d… (m + n)] = [[c _i-1 ]] [d… (m + n)] || [[c _i-1 ]] [0… (m + nd )]
[[a _i ]] [d… (m + n)]
= [[a _i-1 ]] [d… (m + n)] + [[a _i-1 ]] [0… (m + nd)] × ([[c _i ]] [d… (m + n)]-[[c _i-1 ]] [d ... (m + n)])
An iterative calculation step for secretly calculating
A random replacement step in which each of the secret calculation devices randomly replaces the combination of the encryption landmark vector and the image vector after the iterative calculation by secret calculation for each row;
A landmark vector decrypting step in which each of the secret computing devices decrypts the landmark vector from the cipher landmark vector stored by the secret computing device and the cipher landmark vector stored by another secret computing device;
Reordering step in which each of the secret computing devices obtains as a cipher output vector a column vector in which image vector elements in the same row as elements having values from 1 to n are arranged in order from 1 to n among the elements of the mark vector Including,
Secret calculation method. N is an encryption method for generating N pieces of ciphertext that can be secretly calculated from a certain numerical value, where N is an integer of 3 or more,
The mapping that designates the element in the second column of the same row for the element in the first column of each row of the m-row and two-column matrix is the mapping that the matrix expresses, and each element of the matrix T that expresses the mapping is encrypted A cryptographic matrix generation step for generating N cryptographic matrices;
a cryptographic input vector generation step of encrypting each element of an input vector, which is a column vector having n elements, where n is the number of input data, and generating N cryptographic input vectors;
a cryptographic landmark vector generation step of encrypting each element of a landmark vector that is a column vector composed of m number 0, number 1, 2, ..., n, and generating N number of cryptographic landmark vectors;
encrypts the column vector 0 ⁿ of n numbers 0, N pieces of the N images vectors second column and N encryption column vector [[0 ^n]] and were coupled perpendicularly each encryption matrix an image vector generation step for generating [[a ₀ ]];
The column vector 1 ^m consisting of m numbers 1 is encrypted, the column vector 0 ⁿ consisting of n numbers 0 is encrypted, and N encryption vectors [[1 ^m ]] and N encryption column vectors [[ 0 ⁿ ]] vertically connected to each other to generate N updated vectors [[c ₀ ]],
A column vector consisting of the first column of the N number of cryptographic matrices, N number of cryptographic input vectors, N number of cryptographic landmark vectors, N number of image vectors, and N number of updated vectors, Sending to the secret calculation method,
Encryption method. The mapping that designates the element in the second column of the same row for the element in the first column of each row of the m-by-2 matrix is the mapping that the matrix represents, and each element of the matrix T that represents the mapping is encrypted The encryption matrix is an encryption matrix, n is the number of input data, each element of the input vector, which is a column vector having n elements, is encrypted, and the encryption input vector is m numbers 0 and 1 , 2,..., N, which are encrypted vector elements of the mark vector, are used as encryption mark vectors, and a column vector 0 ⁿ consisting of n number 0 is encrypted, and two columns of the encryption matrix An image vector [[a ₀ ]] is obtained by vertically concatenating the eyes and the cipher sequence vector [[0 ⁿ ]], and a column vector 1 ^m consisting of m numbers 1 is encrypted, and n numbers 0 encrypts the column vector 0 ⁿ comprising encryption vector [[1 ^m]] the encryption column vector And Le [[0 ^n]] and the updated vector the concatenation vertically [[c _0]],
A column vector obtained by multiplying each element of the column vector consisting of the first column of the cryptographic matrix by 2 by secret calculation, and a column vector obtained by adding 1 to each element of the encryption input vector multiplied by 2 by secret calculation; A secret key vector that is vertically concatenated, and a matrix that horizontally concatenates the encryption landmark vector, the image vector, and the updated vector are secreted for each row according to the magnitude relationship of each element of the sort key vector. A sorting step to sort by calculation;
The minimum integer greater than or equal to the logarithm of the number of input data plus 1 is the number of iterations t, u [p... Q] is the p + 1th to qth rows of the column vector u, and A || B is Represents the logical sum of A and B, i is an integer of 1 to t, and i = 1 to i = t
d = 2 ^i-1
[[c _i ]] [0… d] = [[c _i-1 ]] [0… d]
[[a _i ]] [0… d] = [[a _i-1 ]] [0… d]
[[c _i ]] [d… (m + n)] = [[c _i-1 ]] [d… (m + n)] || [[c _i-1 ]] [0… (m + nd )]
[[a _i ]] [d… (m + n)]
= [[a _i-1 ]] [d… (m + n)] + [[a _i-1 ]] [0… (m + nd)] × ([[c _i ]] [d… (m + n)]-[[c _i-1 ]] [d ... (m + n)])
An iterative calculation step for secretly calculating
A random replacement step of randomly replacing a combination of the encryption landmark vector and the image vector after the iterative calculation by a secret calculation for each row;
A landmark vector decoding step of decoding the landmark vector;
A reordering step for obtaining, as an encryption output vector, a column vector in which image vector elements in the same row as elements having a value from 1 to n among the elements of the mark vector are arranged in order from 1 to n;
Secret calculation method.   A program for causing a computer to function as the encryption device according to claim 2 or the secret calculation device according to claim 3.

Images