JP2013210933A - Recommendation support method, recommendation support device and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To rapidly provide a recommendation with a high degree of accuracy while preventing leakage of information.SOLUTION: A server 10 extracts a user identifier for each attribute and encrypts it (a first arithmetic result). A recommendation support device 30 extracts the user identifier for each option and encrypts it (a second arithmetic result). The server 10 encrypts the second arithmetic result (a third arithmetic result). The recommendation support device 30 encrypts the first arithmetic result (a fourth arithmetic result). The recommendation support device 30, with respect to all combinations of attributes and options, obtains a first summary value by tallying the number of code texts coinciding by the third and fourth arithmetic results and generates multiple sets after randomly excluding one or more code texts from the code texts coinciding by the third and fourth arithmetic results, and with respect to each of the sets, it obtains a second summary value by tallying the number of code texts coinciding with the fourth arithmetic result and calculates a parameter for obtaining a product recommendation value on the basis of the first and second summary values.

Description

  The present invention relates to a technique for performing a recommendation according to a user attribute.

Providing information on products in a compact and quick manner is important in selling products. In recent years, with the speeding up of computers, the increase in capacity of storage devices, and the development of statistical processing techniques, product recommendations based on statistical analysis of customer attributes and purchasing behavior (hereinafter referred to as recommendations) are being made. Usefulness is attracting attention.
However, small stores do not always have enough sales records to make appropriate recommendations. If there are few sales records, it is easy to get into a situation called the cold start problem, where the accuracy of the recommendation decreases. In addition, new customers who do not have a corresponding sales record come to the store.

In such an environment, it is considered useful for a store to make a recommendation in cooperation with an organization that holds a large amount of information. For example, a carrier that manages personal attribute information (gender, address, age, etc.), such as a telecommunications carrier that provides mobile phone communication services or an issuer of electronic money, and a store that holds sales records of products. By coordinating, it becomes possible to make recommendations according to the attributes of visitors to the store. However, with the increasing demand for privacy protection, the handling of personal attribute information requires caution.
Therefore, a privacy protection data mining (PPDM) technique using an encryption technique or a statistical disclosure control technique has been proposed. Appropriate use of PPDM technology is expected to make it possible to safely provide recommendations beyond organizational boundaries. For example, Non-Patent Documents 1 and 2 propose a technique for performing identification using a Bayesian approach without disclosing data from each other in a vertically partitioned database.

Vaidya, J., Kantarcioglu, M. and Clifton, C.: Privacy-preserving Naive Bayes classication, The VLDB Journal, Vol. 17, pp. 879-898 (2008). Hiroaki Kikuchi, Daisuke Kagawa, Kazuhiko Ishii, Masayuki Terada, Nobuyuki Hongo, Consideration of Inter-organizational Privacy Protection Data Mining, IEICE Cryptography and Information Security Symposium 2010, pp. 1-5 (2010). Thomas P. Minka,: Estimating a Dirichlet distribution, 2000 revised 2003, 2009, http://research.microsoft.com/en-us/um/people/minka/papers/dirichlet/

However, it is not easy in practice to recommend a visitor using the above-described conventional technology. The main reasons include visitor privacy protection issues, accuracy issues, and computational costs for learning and identification. That is, 1) Although the prior art prevents the disclosure of data between the provider and the store, there is not enough means for protecting the privacy of the visitor receiving the recommendation. 2) A method for improving the identification accuracy such as smoothing optimization. Is difficult to apply, and it is inevitable that recommendation accuracy is reduced due to overconformity, etc. 3) Every time a recommendation is made to a visitor, the store needs to perform multi-party calculation with a provider at a high calculation cost, etc. There's a problem.
Therefore, an object of the present invention is to provide a recommendation quickly with high accuracy while preventing leakage of information.

  The present invention relates to a server that stores user information in which a user identifier for identifying a user of a terminal and attribute information representing the attribute of the user are associated with each other, an option selected by the user, A recommendation support method that is executed by a recommendation support apparatus that stores a selection history associated with the corresponding user identifier and a terminal that stores attribute information representing an attribute of a user of the own apparatus. A first operation for extracting a user identifier associated with the attribute for each attribute from the user information and transmitting a first operation result obtained by encrypting the user identifier with a first encryption method to the recommendation support device And the recommendation support device extracts a user identifier associated with the option for each option from the selection history, A second calculation step of transmitting a second calculation result obtained by encrypting a user identifier using the first encryption method to the server; and a second calculation result received by the server from the recommendation support device. A third calculation step of transmitting a third calculation result encrypted by the method to the recommendation support device; and a first calculation result obtained by the recommendation support device encrypting the first calculation result received from the server by the first encryption method. A fourth calculation step for calculating four calculation results, and the recommendation support apparatus determines the number of ciphertexts that match between the third calculation result and the fourth calculation result for all combinations of the attribute and the option. A first summing step for summing up to obtain a first summed value; and the recommendation support apparatus, for all combinations of the attribute and the option, A plurality of sets are generated by randomly removing one or more ciphertexts from ciphertexts that match the fourth operation result, and the number of ciphertexts that match the fourth operation result is determined for each of the plurality of sets. A second counting step for calculating and calculating a second total value; and a parameter for calculating a recommendation value corresponding to the product by the recommendation support device based on the first total value and the second total value And a parameter calculation step. A recommendation support method is provided.

  In the recommendation support method, attribute information encryption in which the terminal transmits to the recommendation support device encrypted attribute information obtained by encrypting the attribute information stored in the own device with a second encryption method satisfying additive homomorphism. And the recommendation support apparatus receives the encrypted attribute information from the terminal, and based on the parameter calculated in the parameter calculating step and the encrypted attribute information, the recommended value is added to the homomorphism. A recommendation value encryption step of calculating an encrypted recommendation value encrypted by the third encryption method to be satisfied, and transmitting the encrypted recommendation value to the terminal; and the terminal sends the encrypted recommendation value to the recommendation support device. A decryption step of decrypting the encrypted recommendation value and calculating the recommendation value. Good.

  In the recommendation support method, the server and the recommendation support apparatus may perform encryption using residue calculation as the first encryption method.

  In the first calculation step, the server performs a remainder calculation after calculating the user identifier with a one-way function, and in the second calculation step, the recommendation support device sets the user identifier in one direction. The remainder calculation may be performed after calculating with a function.

  In the first calculation step, the server rearranges ciphertexts included in the first calculation result and transmits the ciphertexts to the recommendation support device. In the third calculation step, the server performs the third calculation. The ciphertexts included in the result may be rearranged and transmitted to the recommendation support apparatus.

  Further, in the recommendation value encryption step, the recommendation support apparatus may encrypt the recommendation value using a remainder calculation satisfying additive homomorphism as the third encryption method.

In addition, the present invention provides a user information storage unit that stores user information in which a user identifier for identifying a user of a terminal and attribute information representing the attribute of the user are associated with each other. A first computing means for extracting the associated user identifier from the user information and transmitting the first computation result obtained by encrypting the user identifier by the first encryption method to the outside; and the second computation result received from the outside. Attribute information storage for storing attribute information representing the attributes of the user of the device itself, and a server having third calculation means for transmitting the third calculation result encrypted with the first encryption method to the outside Means, attribute information encryption means for transmitting the attribute information encrypted by the second encryption method that satisfies the additive homomorphism, and the encryption recommendation value received from the outside, and the encryption Conversion Communication means for performing communication with a terminal having decoding means for decoding a recommendation value and calculating a recommendation value, an option selected by the user, and the user identifier corresponding to the user are associated with each other. A selection history storage means for storing the selected history, and a second operation in which, for each option, a user identifier associated with the option is extracted from the selection history, and the user identifier is encrypted by the first encryption method. Second computing means for transmitting a result to the server; fourth computing means for calculating a fourth computation result obtained by encrypting the first computation result received from the server by the first encryption method; For all combinations with options, a first counting means for counting the number of ciphertexts matching the third calculation result and the fourth calculation result to obtain a first total value; For all combinations with the above-mentioned options, a plurality of sets are created by randomly removing one or more ciphertexts from the ciphertexts that match in the third operation result and the fourth operation result, A second totaling unit that counts the number of ciphertexts that match the fourth calculation result for each to obtain a second totaled value, and corresponds to the product based on the first totaled value and the second totaled value There is provided a recommendation support apparatus comprising parameter calculation means for calculating a parameter for obtaining a recommendation value.
In the recommendation support device, the encrypted attribute information is received from the terminal, and based on the parameter calculated by the parameter calculation means and the encrypted attribute information, the recommendation value satisfies an additive homomorphism. You may make it have the recommendation value encryption means which calculates the encryption recommendation value encrypted with the encryption system, and transmits the said encryption recommendation value to the said terminal.

  In addition, the present invention provides a user information storage unit that stores user information in which a user identifier for identifying a user of a terminal and attribute information representing the attribute of the user are associated with each other. A first computing means for extracting the associated user identifier from the user information and transmitting the first computation result obtained by encrypting the user identifier by the first encryption method to the outside; and the second computation result received from the outside. Attribute information storage for storing attribute information representing the attributes of the user of the device itself, and a server having third calculation means for transmitting the third calculation result encrypted with the first encryption method to the outside Means, attribute information encryption means for transmitting the attribute information encrypted by the second encryption method that satisfies the additive homomorphism, and the encryption recommendation value received from the outside, and the encryption Conversion An option selected by the user, and a user identifier corresponding to the user, having a communication unit that performs communication with a terminal having a decoding unit that decodes the recommendation value and calculates the recommendation value Selection history storage means for storing the associated selection history, and a user identifier associated with the option for each option is extracted from the selection history, and the user identifier is encrypted with the first encryption method Second calculation means for transmitting a second calculation result to the server; fourth calculation means for calculating a fourth calculation result obtained by encrypting the first calculation result received from the server by the first encryption method; A first set for obtaining a first total value by totalizing the number of ciphertexts that match between the third calculation result and the fourth calculation result for all combinations of attributes and options. And a plurality of sets obtained by randomly removing one or more ciphertexts from ciphertexts matching the third operation result and the fourth operation result for all combinations of the attribute and the option. , Based on the second totaling means for totaling the number of ciphertexts that match the fourth operation result for each of the plurality of sets to obtain a second total value, the first total value, and the second total value And a program for functioning as parameter calculation means for calculating a parameter for obtaining a recommendation value corresponding to the product.

  ADVANTAGE OF THE INVENTION According to this invention, a recommendation can be provided rapidly with high precision, preventing the leakage of information.

The figure which shows the structure of the recommendation assistance system 1. FIG. The figure which shows the hardware constitutions of the recommendation assistance apparatus 30. The figure which shows the hardware constitutions of the server. The figure which shows the hardware constitutions of the terminal 50. The sequence diagram which shows operation | movement of embodiment. The figure which shows the relationship between the sales number of persons per month, and processing time. The figure which shows the relationship between the number of PC which a shop can use, and the delay of recommendation.

(1) Configuration of Embodiment FIG. 1 is a diagram showing a configuration of a recommendation support system 1 according to an embodiment of the present invention. The recommendation support system 1 includes a server 10, a recommendation support device 30, and a terminal 50.
FIG. 2 is a diagram illustrating a hardware configuration of the recommendation support apparatus 30. The recommendation support device 30 includes a control unit 301 including an arithmetic device such as a CPU (Central Processing Unit) and a storage device such as a ROM (Read Only Memory) and a RAM (Random Access Memory), and a storage device such as a hard disk device. The storage unit 302 includes a communication unit 303 including a communication interface. The storage unit 302 stores an OS (Operating System) and application programs, and the control unit 301 controls the operation of the recommendation support apparatus 30 by executing these programs. The control unit 301 performs communication between the server 10 and the terminal 50 by controlling the communication unit 303.

  FIG. 3 is a diagram illustrating a hardware configuration of the server 10. Similarly to the recommendation support apparatus 30, the server 10 also includes a control unit 101, a storage unit 102, and a communication unit 103. The control unit 101 controls the operation of the server 10 by executing a program stored in the storage unit 102. The control unit 101 communicates with the recommendation support apparatus 30 by controlling the communication unit 103.

  FIG. 4 is a diagram illustrating a hardware configuration of the terminal 50. The terminal 50 includes a control unit 501 including an arithmetic device such as a CPU and a storage device such as a ROM and a RAM, a storage unit 502 including a storage device such as an SRAM (Static Random Access Memory), an antenna, and a wireless communication interface. A communication unit 503 including a voice input / output unit 504 including a speaker, a microphone, and a voice processing circuit, an operation unit 505 including a plurality of keys and an operator such as a touch screen, a liquid crystal panel, and a liquid crystal driving circuit. And a display unit 506 provided. The storage unit 502 stores an OS and application programs, and the control unit 501 controls the operation of the terminal 50 by executing these programs. In addition, the control unit 501 performs communication with the recommendation support apparatus 30 by controlling the communication unit 503 according to a user operation received by the operation unit 505.

In the present embodiment, a provider, a store, and a visitor are assumed. The provider is, for example, a business operator that manages information related to settlement operations such as prepaid or postpaid electronic money or credit cards, a communication business provider that provides communication services such as mobile phones, and the like. operate. The store operates the recommendation support device 30. The recommendation support device 30 may be provided in a store or may be a server that operates a website of a virtual store in electronic commerce. A visitor is a customer who has come to a store with the terminal 50, or a customer who has accessed a virtual store website from the terminal 50.
The composition of the information held by each of the three parties is as follows. The specific content of the information is only an example.

The provider holds user information (Table 1). The user information includes a user identifier for identifying a user who has a contract for use of electronic money, a credit card, a communication service, etc. with a provider, and the user's attributes (user age, gender, address, etc.). This is information associated with attribute information to be represented.

The store has a sales record (Table 2). The sales record is information in which product information representing a product purchased by a user is associated with a user identifier corresponding to the user. In this example, the merchandise is a book, and the merchandise information is of two types, book A and book B.
The sales record is an example of the selection history according to the present invention. The selection history according to the present invention is information in which an option selected by a user is associated with a user identifier corresponding to the user. The option may be, for example, a product purchased by the user, a product selected by the user as a candidate for the product to be purchased, or a sample selected by the user from a plurality of types of samples. The options are not limited to articles, and may be tangible or intangible services such as a communication service provided by a communication carrier and a tour sold by a travel agency. That is, the option according to the present invention is a concept including everything provided to the user from the store, such as goods, information, services, etc., and the option selected by the user may be provided for a fee, It may be provided free of charge.

The visitor possesses attribute information (Table 3) indicating its own attribute. Note that the terminal 50 may be a terminal that has a usage contract with a provider that operates the server 10, a terminal that has a usage contract with another provider, or a usage contract with any provider. It may be a terminal that is not connected. In other words, the provider that operates the server 10 does not need to have user information corresponding to the user identifier of the visitor. If the terminal 50 has user attribute information, the provider contracts for using the provider. It doesn't matter.

(2) Conditions required for recommendations If it is not necessary to take measures against information leakage, recommendations based on the attributes of visitors can be achieved as follows.
<Procedure 1> The store or the provider associates the attribute information held by the provider with the product information held by the store by the user identifier.
<Procedure 2> The store statistically estimates the relationship between the attribute of the user and the product purchased by the user from the attribute information associated with the product information.
<Procedure 3> The visitor presents his / her attributes to the store when visiting the store.
<Procedure 4> Based on the relationship between the attribute and the product estimated in Procedure 3 and the attribute presented by the visitor, the store estimates the product that the visitor is likely to purchase and recommends it to the visitor. To do.
<Procedure 5> When the visitor is a provider user, if the visitor purchases a product, the store receives a user identifier from the visitor and adds a sales record.

However, the provider, the store, and the visitor demand the following conditions from the recommendation because of the difference in their respective positions. The provider wants to prevent leakage of user information stored by the user. The store wants to provide accurate recommendations, but wants to prevent the leakage of sales records. Visitors want to receive accurate and prompt recommendations at the first store they visit, but want to prevent leaks of their attributes. Providers and stores want to reduce the calculation cost even when the number of users and sales records increase. Table 7 summarizes these requirements.

の元でベイズアプローチによる識別を行う。その構成法は、Vaidyaら（非特許文献１）、および菊池ら（非特許文献２）によってそれぞれ提案されている。以下、両方式による識別器の構成について説明する。 (3) Conventional Method Here, problems of the conventional method of privacy protection data mining will be described.
In order to realize the recommendation while satisfying the requirements shown in Table 7, it is necessary to calculate the recommendation value without disclosing the values held in each database in the vertically partitioned database. Implementation methods include decision tree-based methods, collaborative filtering-based methods, and k-mean clustering-based methods. Here, however, calculation costs and cold start problems (such as low sales records and Vertical segmentation, which is a method based on the Bayesian approach, from the viewpoint of avoiding the problem that the accuracy of the recommendation decreases or the recommendation value cannot be calculated in the first place when it is a new customer. Focus on privacy protected naive Bayes classifiers.
Vertical Split Privacy Protection Naive Bayes Classifier is a vertically partitioned multiple database

Based on the Bayesian approach. The construction method is proposed by Vaidya et al. (Non-Patent Document 1) and Kikuchi et al. (Non-Patent Document 2), respectively. Hereinafter, the configuration of the discriminator using both types will be described.

つきセキュアマッチングを用いてこれを計算する。チャフつきセキュアマッチングは、セキュアマッチング（たとえば、Agrawal, R., Evmievski, A. and Srikant, R.: Information sharing across private databases,Proceedings of the 2003 ACM SIGMOD international conference on Management of data,SIGMOD '03, New York, NY, USA, ACM, pp. 86[97 (2003).）の変種であり、送信暗号文を確率的にダミーデータ（チャフ）に挿げ替えて送信することにより、マッチング結果に人為的なノイズを与える。チャフつきセキュアマッチングの演算結果はチャフによる確率的なバイアスを含むため、マルチパーティ計算を用いてこのバイアスを復元する。これにより、プロバイダが保持する顧客の集合と商店が保持する顧客の集合が一致しない（双方のデータベースが同期していない）場合や、それぞれのデータベースに欠損値がある場合などの効率を改善している。 In the method proposed in Non-Patent Document 2 (hereinafter referred to as Document 2 method), the discriminator is configured according to the models of Equation (1) and Equation (2), as in the Literature 1 method. However, identification of the document 1 method

This is calculated using secure matching. Secure matching with chaff is based on secure matching (for example, Agrawal, R., Evmievski, A. and Srikant, R .: Information sharing across private databases, Proceedings of the 2003 ACM SIGMOD international conference on Management of data, SIGMOD '03, New York, NY, USA, ACM, pp. 86 [97 (2003).), And the transmission ciphertext is probabilistically replaced with dummy data (chaff) and sent to the matching result artificially. Noise. Since the calculation result of the secure matching with chaff includes a stochastic bias due to chaff, this bias is restored using multi-party calculation. This improves efficiency when the set of customers held by the provider does not match the set of customers held by the store (both databases are not synchronized), or when there are missing values in each database. Yes.

However, even in a situation where this assumption does not hold, if the number of records is virtually matched by pre-processing for adding records of the provider users other than the customers of the store as dummy records to the store sales records, It is possible to apply the document 1 method.
In addition, it is possible to match the number of records even by removing the records of users other than the customers of the store from the provider user information instead of adding the dummy records, and greatly reduce the amount of data to be processed. It is possible. However, this is a safety issue. That is, in order to delete unnecessary records from the provider user information, it is necessary to disclose the customer list of the store to the provider. That is, information indicating which user has made a purchase at the store is disclosed to the provider. Therefore, not only the store's business secret is disclosed to the provider, but also the privacy of the store's customers is not protected.

For this reason, in the following description of the document 1 method, a pre-processing for adding a record of a user other than the customer of the store as a dummy record to the store sales record in advance is performed on the store sales record. To do.
Note that the document 2 method is based on secure matching (with chaff), not on the secret inner product calculation, so that there is no database synchronization problem.

(4.2) Safety Next, the safety for each of the provider, the store, and the visitor will be described. In the following description, it is assumed that cryptographic primitives such as the discrete logarithm problem and homomorphic encryption are sufficiently safe.
First, in the document 1 method, on the assumption that the above-mentioned database is kept in synchronization, the sales record held by the store is disclosed to the provider in the process of calculating the recommended value of the visitor by the store. Absent. Further, with regard to user information held by the provider, more information than the recommendation result itself to the visitor is never disclosed to the store or the visitor. From the above, it is considered that information on providers and stores is sufficiently protected.
However, on the other hand, the privacy of visitors is not protected against providers and stores. The multi-party calculation of Equation (1) is performed between the provider and the store. In order to make a recommendation according to the visitor's attributes, it is necessary to disclose to either the provider or the store as input for multi-party calculation.

In the document 2 method, after performing secure matching with chaff between a provider and a store, a recommendation value is calculated using multi-party calculation. The result of secure matching with chaff includes more information than the final recommendation result (it depends on the ratio of chaff. If the ratio of chaff is large, the amount of information disclosed will be small, but the accuracy will be adversely affected). Therefore, the provider information disclosed to the store is larger than that in the document 1 method. Therefore, it is considered that it becomes easier for the store to statistically estimate the contents of the user information as compared with the document 1 method.
However, in consideration of the information that is actually handled, it is possible to obtain V × L, which is composed of aggregate values such as how many men have purchased a product at most (even if the ratio of chaff is 0). It is a summary table. It is said that it is difficult to identify personal information from the summary table except in special cases where the aggregate value is very small (for example, Akihiro Tsuji. Statistical Mathematics, Vol. 51, pp. 337-350 (2003)).
As for the privacy of visitors, the document 2 method is not protected in the same manner as the document 1 method. In calculating the recommendation value, the attribute information of the visitor is disclosed to the provider or the store for multi-party calculation.

(4.3) Accuracy Next, accuracy will be described. Both the literature 1 method and the literature 2 method are maximum likelihood estimations using conditional probabilities. An experiment using the Play Tennis data set revealed that the proposed method achieved a 79% accuracy rate, but the literature 1 and 2 methods only achieved a 36% accuracy rate. In Reference 2, since the chaff is actually mixed in order to ensure safety, there is a concern that the accuracy further decreases (the accuracy decrease depends on the amount of chaff mixed).

  According to the document 1, the provider and the store need to repeat the secret inner product calculation for the number of users N by the total number V of attribute classifications and the number L of product types. This requires a total of 2NVL remainder calculations. On the other hand, the document 2 method requires NW + MG + MGV + NWL times of surplus calculation in total. That is, the provider performs NW surplus calculation for the user information of the N person W items, and the store performs MG surplus calculation for the sales record of the M person G type and exchanges the calculation results with each other. Thereafter, the provider repeats the data received from the store V times and performs MGV surplus calculations, and the store repeats the data received from the provider L times and performs NWL surplus calculations. For example, when learning is performed between a provider having 1 million (N) members and a store that wants to provide recommendations from 100 types (L) of products, the time required for one surplus calculation is 1. When a computer of 5 ms is used, it takes 100 days or more with the literature 1 method, but within 10 days with the literature 2 method.

  The calculation of the recommendation value by the equation (1) is performed every time the visitor visits the store. Therefore, it is necessary to perform this calculation as soon as possible after the visitor visits the store. If the identification process takes many minutes, the visitor has already finished shopping by the time the recommended product is presented, and the recommendation may not make any sense. However, in the identification process using the learning result and the visitor attribute information, both the document 1 method and the document 2 method require multi-party calculation including visitors to providers. It is not realistic from the viewpoint of response to perform multi-party calculation every time a recommendation is presented to a visitor's terminal.

(5) Calculation model of embodiment The calculation model of this embodiment is demonstrated.
First, for accuracy problems, the accuracy will be improved by introducing an experience Bayesian method. However, since cross-validation generally used in the experience Bayesian method performs processing using difference data from which a specific record is removed, there is a problem that personal data can be specified by residual disclosure using difference data To do. Therefore, in the present embodiment, a Bayes discriminator based on the experience Bayes method is constructed without using difference data by performing parameter learning from secret data obtained by secure matching.
Secondly, in order to carry out the recommendation without disclosing the attribute information of the visitor to the store or the provider, the confidential inner product calculation is introduced for the problem of the privacy protection of the visitor.

(5.1) Outline of Calculation Model First, an outline of the calculation model of the Bayes classifier based on the experience Bayes method will be described.
The experience Bayesian method is one of the methods for avoiding the problem of prior probability in Bayesian estimation. The empirical Bayes method introduces unknown variables called hyperparameters in addition to model parameters in order to objectively set prior probabilities in a parametric Bayes model. In the experience Bayesian method, high accuracy can be obtained for these hyperparameters by setting appropriate values objectively from the observed data.

(5.3) Recommendation Value Calculation Formula Finally, the recommendation value calculation formula will be described.
In this embodiment, in order to protect the privacy of a visitor, a confidential inner product calculation is performed between the recommendation support apparatus 30 and the terminal 50. However, since a remainder calculation is required, a delay occurs in the recommendation. Therefore, the delay calculation is suppressed by performing the surplus calculation performed in the terminal 50 in advance. In this embodiment, the marginal likelihood of one product is calculated by a single remainder calculation regardless of the number of users of the provider or the increase in sales records.

(6) Operation of Embodiment FIG. 5 is a sequence diagram showing the operation of the embodiment. The operations described below are operations executed by the control unit 101 of the server 10, the control unit 301 of the recommendation support apparatus 30, and the control unit 501 of the terminal 50 according to the procedures described in the program. The functional block shown in (1) will be described as the subject of the operation.
The operation described below is executed when a recommendation value calculation instruction is input to the recommendation support apparatus 30. Specifically, when the instruction is input, the recommendation support apparatus 30 instructs the server 10 to start the process of step S01, and the recommendation support apparatus 30 starts the process of step S02.

The parameter calculation (processing from steps S01 to S07) may be executed every time the recommendation value is calculated, but may be periodically executed at intervals of, for example, one month. Alternatively, the parameter may be calculated at any time based on the judgment of the store at a timing at which a significant change is expected to appear in the first and second total values. For example, it may be executed after a certain period of time has elapsed after the release of a new product, or may be executed when a change in the sales of a specific product actually appears. When parameters are calculated periodically or as needed in this manner, the calculated parameters are stored in the storage unit 302 of the recommendation support apparatus 30 and a recommendation value calculation instruction is input to the recommendation support apparatus 30. For example, the parameters are read from the storage unit 302, and the processes after step S08 are executed.
In addition, since the content from step S01 to S05 has been demonstrated, description is abbreviate | omitted here.

(7) Specific example (7.1) Book-Crossing data set
The Book-Crossing dataset (hereinafter referred to as BCDS) is a dataset for book evaluation in the Book-Crossing community. This data set was crawled for four weeks from August to September 2004 by Cai-Nicolas Ziegler and contains 1,149,780 ratings for 271,379 books.
BCDS users are anonymized, but have information about age and residence. In this experiment, data over 80 years of age is removed, and the age is incremented by 10 years. In addition, the country of residence is used with the names of 249 countries published by the International Organization for Standardization (ISO). When assigning country names, first assign an English name in ISO3166-1 (in the case of the United States, assign a country name to data that includes United States. If you do not include an English name in ISO3166-1, use ISO3166-1 alpha-3. Assign a country name to data that includes (USA for the United States).

The BCDS evaluation value is assigned with a maximum score of 10 points. In this specific example, a book that the user gave an evaluation value of more than 5 points is regarded as a book that the user is satisfied with.
In this specific example, the user attributes satisfied for each book are learned, and based on the unknown user attributes, it is measured whether a book that the user can satisfy can be recommended. In this specific example, the accuracy of the recommendation is measured by separating the user used for learning and the user used for the test by using a general three-cross test. There are some best-selling books in BCDS that have many ratings, and some are not. In order to secure the number of data used for cross-validation, this specific example targets books (4,518 types) with an evaluation value exceeding 10 cases.

Table 8 shows the results of a recommendation experiment performed on BCDS using the Document 1 method and this embodiment. In this embodiment, an evaluation value that is 1.5 points higher on average than the literature 1 method was obtained.

(7.2) Play-Tennis Data Set Table 9 shows the Play-Tennis data set (left side of the vertical double line). The Play-Tennis data set (hereinafter referred to as PTDS) describes whether tennis was played or rested under the conditions of the attribute of each date for 14 days.

  Using this PTDS, whether or not tennis has been played or rested under the conditions of each attribute can be appropriately identified, and the accuracy according to the present embodiment and the document 1 method is quantitatively clarified. In the measurement of accuracy in this specific example, Leave One Out is used, in which accuracy is accurately measured from a small amount of data, so that data extracted one by one in turn is used as test data and the rest is used as learning data.

Here, the date of PTDS is regarded as the user identifier in the embodiment, the attribute (sky pattern, temperature, humidity, wind) is regarded as attribute information X in the embodiment, and whether tennis is played or rested is regarded as product information Y in the embodiment. . That is, since the attribute information X has four types of items of sky, temperature, humidity, and wind, the number W of items of the attribute information X is four. The attribute information X has a total of 10 categories, ie, three types of sky patterns, three types of temperature, two types of humidity, and two types of wind. That is, the provider holds user information including N = 14 people and W = 4 items. The user identifier t held by the provider is a vector of length N = 14. The attribute information X held by the provider is a matrix of N = 14 rows and V = 10 columns.
The store has data corresponding to the learning data. The store holds M = 13 sales records including G = 1 type of merchandise per sales person (from N ≠ M, the provider and store data are asynchronous). The user identifier u held by the store is a vector of length M = 13. The merchandise information Y held by the store is a matrix of M = 13 rows and L = 2 columns.

The literature 1 method for PTDS and the identification results according to this embodiment are shown in Table 9 (right side of the vertical double line). As in the case of BCDS, the document 1 method showed a bias in the identification results. From this result, a correct answer rate quantitatively indicating the accuracy is calculated. As for the identification results, True Positive when the identification is correct and the recommendation is “Done”, False Negative when the identification is incorrect and the Recommendation is “Relaxed”, and the recommendation is “I performed with incorrect identification and the recommendation” ”Is counted as False Positive, and the case where the identification is correct and the recommendation is“ rested ”is counted as True Negative. The accuracy rate is obtained by (True Positive + True Negative) / (True Positive + False Negative + False Positive + True Negative). Table 10 shows the calculation result of the correct answer rate. In the present embodiment, a correct answer rate 15% higher than that of the literature 1 method was obtained.

(7.3) Calculation Cost The scale of data assumed in the present embodiment is embodied in view of the recent trend of electronic money utilization services. However, electronic money includes prepaid electronic money and postpaid electronic money. Since prepaid electronic money is not always registered correctly, attention is paid here to postpaid electronic money in which the user and the payer are considered to match.

  First, regarding user information, the number of users as of the end of March 2010 is 14.2 million for Company A, 4.86 million for Company B, and 1.1 million for Company C. From this, the number N of user information assumes 1 million-10 million people. As for user attributes, age, gender, and address are assumed, and the number of items W of the attribute information X is assumed to be three items. Further, it is assumed that the age is 8 categories, the sex is 2 categories, the address is 47 categories (prefectures), and the total number V of attribute information X categories is 57 types.

  Next, with regard to sales records, 1,680,000 electronic money payments are made at 786,000 locations nationwide in a month, so the average number of sales information records per month is 218. is there. Since this value is considered to vary greatly depending on the size, location, type of business, repeat rate of visitors, etc., the number of people M included in the sales record is assumed to be 100,000 to 100,000. With regard to the number of types of products, it is considered that it is sufficient to go through 100 menus at restaurants, but there are 2500 types of products at convenience stores. Since it is considered that the store size varies greatly depending on the size, location, type of business, etc., the number L of items is assumed to be 100 to 10,000. In addition, since the settlement amount per transaction in the whole country is 830 yen, it is considered that there are several kinds of products purchased at one visit. If the sales record is tightened on a monthly basis, even if a visitor visits the store every week, it is considered that there are dozens of products purchased by the user per month, so the number of types of products per person included in the sales record The average G assumes 10 types.

  Next, based on the above scale, the calculation cost of the conventional method and this embodiment is clarified by simulation. It is assumed that the provider and the store can each use a computer having a 4-core CPU, and that the visitor can use a terminal having a 1-core CPU, the calculation time required for one surplus is 6 ms / core. Assume that

  FIG. 6 is a diagram showing the relationship between the number of sales per month and the processing time. When the processing time (unit: day) is plotted against the number of sales per month (unit: person) as the calculation cost for learning, when the number of users of the provider is 1 million, as shown in FIG. In the case of 10 million people, it becomes as shown in FIG. As a result of the experiment, a result that the present embodiment is 10 times faster than the document 1 method was obtained. When the number of provider users is 1 million and there are 100 types of products, the document 1 method takes 100 days or more, but in this embodiment, the calculation can be made within 10 days.

  FIG. 7 is a diagram illustrating the relationship between the number of computers that can be used by the store and the delay in recommending to visitors. If the number L of goods such as restaurants is about 100, a delay of a little less than 10 seconds occurs when the number of computers that can be used by the store is one. If the number of computers is increased, VL surpluses performed by the store can be executed in parallel, so that the delay is reduced. However, since the L surpluses performed by the visitor's terminal cannot be executed in parallel, even if the store increases the number of computers, the delay is only asymptotic to 100 × 6 × 10 −3 = 0.6 seconds. When the product type L was increased from 100 types to 1,000 types and 10,000 types, the delay also increased to about 10 times and about 100 times.

(8) Comparison between this embodiment and conventional method (8.1) Safety The safety of the learning process and the safety of the identification assumption of this embodiment will be described. In the following description, it is assumed that cryptographic primitives such as the discrete logarithm problem and homomorphic encryption are sufficiently safe.
The learning process of the present embodiment is composed of the following two processes.
Learning process 1 Calculation of aggregate values by secure matching between provider and store Learning process 2 Calculation of parameters and hyperparameters in store

情報を得ることはない。Ｍ、Ｌ、Ｇ、Ｎ、Ｗ、Ｖはいずれも公開パラメータであるから、プロバイダと商店がこれらの情報を得ても、ユーザのプライバシーの侵害にはならない。 The safety of learning process 1 depends on the safety of secure matching. In this embodiment, one-way secure matching, that is, a protocol in which only the store obtains the aggregated value is used, so the provider can calculate the number of people M, the number of product types L included in the store sales record, and the sales per person. No information other than the number G of products included is obtained. Shops can output secure matching

I don't get information. Since all of M, L, G, N, W, and V are public parameters, even if the provider and the store obtain such information, it does not infringe the privacy of the user.

In the learning process 2, the hyper parameter is optimized by using only the total value that is the output of the learning process 1 and the ciphertext obtained in the learning process 1 by the store. That is, the store does not newly obtain information on the user information of the provider.
The identification process of the present embodiment is configured by calculation of a secret inner product between a store and a visitor, and the store does not newly obtain information on the visitor's privacy. The visitor obtains only the marginal likelihood of each product and the number of types of products, which are the output of the secret inner product calculation.
From the above, except for the global parameters M, L, G, N, W, and V, the provider does not obtain any information by executing this embodiment. Stores get aggregated values, and visitors get marginal likelihood. Here, the total value is related to the protection of the provider's user information, and the peripheral likelihood is related to the protection of the sales record of the store.

Regarding the protection of the sales record of the store, only the products recommended by the literature 1 method and the literature 2 method are disclosed to the visitor, whereas this embodiment discloses the marginal likelihood for each product. This is a trade-off with visitor privacy protection. However, in reality, it is difficult to estimate the sales record of a store from the marginal likelihood for a single user attribute. Even if an attacker can collaborate and collect marginal likelihood for a large number of visitor attributes, he can only estimate the sales ratio of the products for each attribute at most, You can't guess what you bought. When a mobile phone is used as a visitor's terminal, it may be possible to derive recommended products using a SIM / UIM that is an IC card provided in the mobile phone. In this case, information other than recommended products is not disclosed to the visitor as in the case of the literature 1 method and the literature 2 method.
As described above, the privacy of visitors is completely protected in this embodiment. On the other hand, in the document 1 method and the document 2 method, the attributes of the visitor are disclosed to the store as described above.

(8.2) Accuracy In this section, the accuracy of the present embodiment will be described based on experimental results using BCDS and PTDS.
In the experiment using BCDS, as shown in Table 8, the evaluation value of each user for the recommended book averaged 6.0 points in the present embodiment, and averaged 1.6 points in the document 1 method. Here, in consideration of the standard deviation of the evaluation value, this embodiment generally obtains an evaluation value of 5 to 7 points (within 1σ before and after), and in this experiment, a book in which the user gave an evaluation value exceeding 5 points was obtained. Since the recommendation was made after learning, the result that it can be said that the user's satisfaction was generally obtained. Similarly, considering the results of the document 1 method and the document 2 method, the document 1 method and the document 2 method have generally obtained evaluation values of 0 to 3.2 points, and it is said that many users have been satisfied. The result was difficult.

In addition to the evaluation value, the difference between the two also appeared in the types of books included in the recommendation. In the present embodiment, 337 types of books are recommended, but the literature 1 method and the literature 2 method recommend only 60 types of books, resulting in biased recommendations. In the present embodiment, there is a tendency to recommend many kinds of books according to user attributes. It is better to recommend a variety of recommendations depending on the attributes, rather than a monotonous recommendation that recommends the same product to everyone. In an experiment using BCDS, it was confirmed that the present embodiment recommended more products than the literature 1 method and had a high accuracy.
In the experiment using PTDS, only the accuracy rate of 36% was obtained in the literature 1 method and the literature 2 method, but in this embodiment, the accuracy rate of 79% was obtained.

(8.3) Calculation Cost The calculation cost of this embodiment will be described separately for the learning process and the identification process.
The calculation cost of the learning process requires 2NVL times of remainder calculation in the document 1 method, but only NW + MG + MGV + NWL times in the document 2 method and this embodiment. Since the calculation cost of NWL times performed in the store is dominant in the literature 2 method and the present embodiment, the processing time varies mainly depending on the autumn factor N of the provider and the number L of product types of the store. Under the same conditions as described in (4.4), a provider that holds 1 million user information and a store that handles 100 types of products can learn within 10 days. Since this calculation has an extremely high degree of parallelism, it is easy to shorten the calculation time by parallel processing. When scaling out using a cloud with the capacity of 1,000 units, providers with 10 million user information and stores that handle 10,000 types of products can learn within 10 days. It can be carried out.

  The calculation cost of the identification process requires multi-party calculation in the document 1 method and the document 2 method, but in this embodiment, VL + L times of surplus calculation are required, and it is affected by the number of users of the provider and the number of sales records of the store. I do not receive it. Under the same conditions as described in (4.4), a store that handles 100 types of products can provide recommendations to visitors with a delay of about 10 seconds. However, since it is more difficult for a visitor to scale out than a store, the calculation performed L times at the visitor's terminal becomes a bottleneck, and the processing time varies mainly depending on the number of products L. Even if a store uses a cloud with a calculation capacity for 1,000 units, a store handling 10,000 kinds of products requires about 100 seconds. However, when presenting a recommendation, it is possible to respond by ingenuity such as sequentially replacing the products with the highest marginal likelihood until that point in time, without waiting for the end of calculation of recommended values for all products. It is.

(9) Modifications The embodiment may be modified as in the following modifications. A plurality of modified examples may be combined. Further, the embodiment and the modification examples may be combined.
(9.1) Modification 1
In the embodiment, an example is shown in which the second aggregated value is obtained by sequentially removing W ciphertexts corresponding to data for one person in the process of secure sampling, but it corresponds to data for n (2 <n) persons. The second total value may be obtained by sequentially removing nW ciphertexts. In this case, the accuracy is reduced as compared with the case where one person is excluded, but even if the differential attack is successful, only a plurality of users can be narrowed down.
In short, the second total value creates a plurality of sets in which one or more ciphertexts are randomly removed from ciphertexts matching the third operation result and the fourth operation result for all combinations of attributes and options. Then, for each of the plurality of sets, the number of ciphertexts that match the fourth calculation result may be obtained by aggregation.

(9.3) Modification 3
The terminal 50 may be a mobile terminal such as a mobile phone or a stationary information processing apparatus such as a so-called personal computer.

(9.4) Modification 4
In the embodiment, the example in which each control unit of the server 10, the recommendation support device 30, and the terminal 50 operates by executing a program has been described. However, the same function as that of the embodiment is implemented in each device by hardware. May be. Further, the program may be provided by being recorded on a computer-readable recording medium such as an optical recording medium or a semiconductor memory, and the program may be read from the recording medium and stored in the storage unit of each device. Further, this program may be provided via a telecommunication line.

DESCRIPTION OF SYMBOLS 10 ... Server, 101 ... Control part, 102 ... Memory | storage part, 103 ... Communication part, 11 ... User information memory | storage part, 12 ... 1st calculating part, 13 ... 3rd calculating part, 30 ... Recommendation support apparatus, 301 ... Control part , 302 ... storage unit, 303 ... communication unit, 31 ... sales record storage unit, 32 ... second calculation unit, 33 ... fourth calculation unit, 34 ... first tabulation unit, 35 ... second tabulation unit, 36 ... parameter calculation , 37 ... recommended value encryption unit, 50 ... terminal, 501 ... control unit, 502 ... storage unit, 503 ... communication unit, 51 ... attribute information storage unit, 52 ... attribute information encryption unit, 53 ... decryption unit

Claims (9)

A server for storing user information in which a user identifier for identifying a user of the terminal and attribute information representing the attribute of the user are associated;
A recommendation support device that stores a selection history in which an option selected by the user is associated with the user identifier corresponding to the user;
A recommendation support method executed by a terminal that stores attribute information representing an attribute of a user of the own device,
The server extracts a user identifier associated with the attribute for each attribute from the user information, and transmits a first calculation result obtained by encrypting the user identifier with a first encryption method to the recommendation support apparatus. A first calculation step;
The recommendation support device extracts a user identifier associated with the option for each option from the selection history, and transmits a second calculation result obtained by encrypting the user identifier with the first encryption method to the server. A second computing step to:
A third computation step in which the server transmits a third computation result obtained by encrypting the second computation result received from the recommendation support device using the first encryption method to the recommendation support device;
A fourth calculation step in which the recommendation support device calculates a fourth calculation result obtained by encrypting the first calculation result received from the server by the first encryption method;
The recommendation support device calculates the first total value by calculating the number of ciphertexts that match between the third calculation result and the fourth calculation result for all combinations of the attribute and the option. Steps,
A plurality of sets in which the recommendation support device randomly removes one or more ciphertexts from ciphertexts matching the third operation result and the fourth operation result for all combinations of the attribute and the option. A second counting step of calculating the number of ciphertexts that match the fourth operation result for each of the plurality of sets to obtain a second total value;
The recommendation support method further comprising: a parameter calculation step of calculating a parameter for obtaining a recommendation value corresponding to the product based on the first aggregation value and the second aggregation value. . An attribute information encryption step in which the terminal transmits to the recommendation support device encrypted attribute information obtained by encrypting the attribute information stored in the device by a second encryption method satisfying additive homomorphism;
The recommendation support device receives the encrypted attribute information from the terminal, and based on the parameter calculated in the parameter calculating step and the encrypted attribute information, the recommendation value satisfies additive homomorphism. A recommendation value encryption step of calculating an encryption recommendation value encrypted by an encryption method, and transmitting the encryption recommendation value to the terminal;
The recommendation support according to claim 1, further comprising: a decrypting step in which the terminal receives the encrypted recommendation value from the recommendation support device, decrypts the encrypted recommendation value, and calculates a recommendation value. Method.   The recommendation support method according to claim 1, wherein the server and the recommendation support device perform encryption using residue calculation as the first encryption method. In the first calculation step, the server performs a remainder calculation after calculating the user identifier with a one-way function,
4. The recommendation support method according to claim 3, wherein, in the second calculation step, the recommendation support apparatus performs a remainder calculation after calculating the user identifier with a one-way function. 5. In the first calculation step, the server rearranges the ciphertexts included in the first calculation result and transmits them to the recommendation support device,
5. The recommendation support according to claim 1, wherein, in the third calculation step, the server rearranges ciphertexts included in the third calculation result and transmits the ciphertexts to the recommendation support device. Method.   The recommendation value encrypting step, wherein the recommendation support apparatus encrypts the recommendation value using a remainder calculation satisfying additive homomorphism as the third encryption method. The recommendation support method in any one of. User information storage means for storing user information in which a user identifier for identifying a user of a terminal and attribute information representing the attribute of the user are associated, and a user identifier associated with the attribute for each attribute Is extracted from the user information, the first calculation means for transmitting the first calculation result obtained by encrypting the user identifier by the first encryption method to the outside, and the second calculation result received from the outside is the first encryption A server having a third calculation means for transmitting the third calculation result encrypted by the method to the outside, and
Attribute information storage means for storing attribute information representing the attributes of the user of the device itself, and attribute information encryption for transmitting to the outside encrypted attribute information obtained by encrypting the attribute information with a second encryption method satisfying additive homomorphism A communication unit that communicates with a terminal having an encryption unit and a decryption unit that receives the encrypted recommendation value from the outside, decrypts the encrypted recommendation value, and calculates the recommendation value;
A selection history storage unit that stores a selection history in which an option selected by the user is associated with the user identifier corresponding to the user;
Second calculation means for extracting a user identifier associated with the option for each option from the selection history, and transmitting a second calculation result obtained by encrypting the user identifier using the first encryption method to the server; ,
A fourth calculation means for calculating a fourth calculation result obtained by encrypting the first calculation result received from the server by the first encryption method;
First counting means for totaling the number of ciphertexts that match between the third calculation result and the fourth calculation result for all combinations of the attribute and the option to obtain a first total value;
For all combinations of the attribute and the option, create a plurality of sets by randomly removing one or more ciphertexts from ciphertexts matching the third operation result and the fourth operation result, Second counting means for counting the number of ciphertexts that match the fourth operation result for each of the sets to obtain a second total value;
A recommendation support apparatus, comprising: parameter calculation means for calculating a parameter for obtaining a recommendation value corresponding to the product based on the first aggregation value and the second aggregation value.   The encryption attribute information is received from the terminal, and the recommended value is encrypted with a third encryption method satisfying additive homomorphism based on the parameter calculated by the parameter calculation means and the encryption attribute information. 8. The recommendation support apparatus according to claim 7, further comprising a recommendation value encryption unit that calculates the encrypted recommendation value and transmits the encrypted recommendation value to the terminal. User information storage means for storing user information in which a user identifier for identifying a user of a terminal and attribute information representing the attribute of the user are associated, and a user identifier associated with the attribute for each attribute Is extracted from the user information, the first calculation means for transmitting the first calculation result obtained by encrypting the user identifier by the first encryption method to the outside, and the second calculation result received from the outside is the first encryption A server having a third calculation means for transmitting the third calculation result encrypted by the method to the outside, and
Attribute information storage means for storing attribute information representing the attributes of the user of the device itself, and attribute information encryption for transmitting to the outside encrypted attribute information obtained by encrypting the attribute information with a second encryption method satisfying additive homomorphism A computer having communication means for performing communication between the communication means and the terminal having the encryption recommendation value received from the outside, and the decryption means for decoding the encryption recommendation value and calculating the recommendation value;
A selection history storage unit that stores a selection history in which an option selected by the user is associated with the user identifier corresponding to the user;
Second calculation means for extracting a user identifier associated with the option for each option from the selection history, and transmitting a second calculation result obtained by encrypting the user identifier using the first encryption method to the server; ,
A fourth calculation means for calculating a fourth calculation result obtained by encrypting the first calculation result received from the server by the first encryption method;
First counting means for totaling the number of ciphertexts that match between the third calculation result and the fourth calculation result for all combinations of the attribute and the option to obtain a first total value;
For all combinations of the attribute and the option, create a plurality of sets by randomly removing one or more ciphertexts from ciphertexts matching the third operation result and the fourth operation result, Second counting means for counting the number of ciphertexts that match the fourth operation result for each of the sets to obtain a second total value;
The program for functioning as a parameter calculation means which calculates the parameter for calculating | requiring the recommendation value corresponding to the said goods based on the said 1st total value and the said 2nd total value.

Images