JP5860378B2 - Secret calculation system, aggregate function device, secret calculation method, and program - Google Patents

Description

  The present invention relates to a cryptographic application technique, and more particularly to a secret calculation technique for calculating a quantile for each group without revealing input data.

  In recent years, an environment in which various information related to individuals can be easily acquired has been established, and in conjunction with the advancement of data analysis technology, expectations for the utilization of information related to individuals are increasing. On the other hand, personal information is required to be handled very carefully from the viewpoint of personal information protection and privacy, and how to protect and utilize data is a problem. In order to solve this problem, various methods for performing calculation without revealing data while keeping it secret have been proposed.

  As a method for obtaining a specific calculation result without restoring the encrypted numerical value, there is a method called secret calculation (see Non-Patent Document 1, for example). In the method described in Non-Patent Document 1, encryption is performed such that numerical fragments are distributed to three secret computing devices, and addition / subtraction, constant sum, multiplication, constant multiplication, logical operation (without performing restoration) The result of negation, logical product, logical sum, exclusive logical sum) and data format conversion (integer, binary number) can be held in a distributed state, that is, encrypted, in three secret calculation devices.

  As a method for realizing the calculation of the statistical value for each group in the secret calculation, for example, there is a method described in Non-Patent Document 2. In the method of Non-Patent Document 2, first, the attribute values representing the input groups are sorted to perform grouping, and then each record is checked to see if it is the same group as the record that was previously referenced. By calculating the statistical value for each group, the statistical value for each group on the secret calculation is realized.

Koji Senda, Hiroki Hamada, Igarashi Univ., Katsumi Takahashi, “Reconsideration of Lightweight Verifiable 3-Party Secret Function Calculation”, CSS 2010. Igarashi Univ., Koji Senda, Hiroki Hirota, Katsumi Takahashi, “Efficient Lightweight Verifiable 3-Party Secret Function Computation and Secure Database Processing Using It”, SCIS 2011.

  However, it is necessary for traditional secret calculation techniques to be able to write statistical values that can be calculated by repeating binary operations, and cannot be applied to the calculation of quantiles including median and quartiles. was there.

  An object of the present invention is to provide a secret calculation technique capable of calculating a quantile for each group without revealing input data.

In order to solve the above-described problem, the secret calculation system of the present invention includes at least one aggregate function device, and a, b, and N are positive integers, and addition, subtraction, multiplication and equal signs in secret calculation A secret key [k] = ([k ₁ ],..., [K _N ] obtained by concealing a key k = (k ₁ ,..., K _N ) representing a group by a concealment method S capable of determination, comparison and stable sorting ]) And a concealment value [v] = ([v ₁ ], ..., [v _N ]) in which the value v = (v ₁ , ..., v _N ) corresponding to the key k is concealed by the concealment method S The a / (a + b) quantile for each group is obtained using secret information including.

The aggregate function device includes an alignment unit, a first staircase calculation unit, a second staircase calculation unit, and a quantile number determination unit. The sorting unit stably sorts the secret information using the concealment method S in the ascending order of the value v using the concealment value [v], and further uses the secret key [k] in the ascending order of the key k according to the concealment method S. Perform stable sorting and generate sorted confidential information. The first staircase calculation unit uses the secret key [k], and the index [c] = ([c ₁ ],..., [C _N ]) indicating the ascending order of the value v for each group in the sorted secret information. Is added. The second staircase calculation unit uses the secret key [k], and the index [d] = ([d ₁ ],..., [D _N ]) indicating the descending order of the value v for each group in the sorted secret information. Is added. The quantile determining unit determines whether each of the values v ₁ ,..., V _N is an a / (a + b) quantile for each group based on the index [c] and the index [d]. A quantile judgment value [f] = ([f ₁ ],..., [F _N ]) is obtained.

  According to the secret calculation technique of the present invention, the quantile for each group can be calculated without revealing the input data.

It is a figure which illustrates the function structure of a secret calculation system. It is a figure which illustrates the function structure of an aggregate function apparatus. It is a figure which illustrates the processing flow of a secret calculation method.

  Prior to the description of the embodiments, a description method and term definitions in this specification will be described.

<Notation>
All values handled in the present invention are values on the finite ring Z _N. The i-th element of vector a is referred to by a _i . A value obtained by concealing a∈Z _N by means of encryption, secret sharing, etc. is referred to as a secret sentence of a and is denoted as [a]. Also, a is referred to as the plaintext of the secret text [a]. A vector in which each element of the vector v is concealed is denoted as [v].

Is the ceiling function, meaning the smallest integer above.

Is the floor function, meaning the largest integer below.

Represents the logical product of the value a and the value b.

Represents the logical sum of the value a and the value b.

Represents negation of the value a.

<Concealment method>
In the present invention, a known concealment method is used. The concealment method includes techniques such as encryption and secret sharing. The concealment method used in the present invention needs to be able to perform addition, subtraction, multiplication, equal sign determination, comparison, and stable sort operations on the secret calculation. A concealment method may be used.

In the present invention, the addition in the secret calculation is an operation for calculating the secret sentence [x + y] of x + y by inputting the secret sentence [x], [y] of two values x, y∈Z _N. is there. The subtraction in the secret calculation is an operation for calculating the secret text [xy] of xy using the secret text [x], [y] of two values x, y∈Z _N as input. The multiplication in the secret calculation is an operation for calculating the secret text [x * y] of x * y using the secret text [x], [y] of two values x, y∈Z _N as input. Equal sign determination in secret calculation means that secret values [x], [y] of two values x, y∈Z _N are input, and if x = y, one secret statement [1] is set to x In the case of ≠ y, it is an operation for calculating a secret sentence [0] of 0. Comparison in secret calculation means that secret values [x], [y] of two values x, y∈Z _N are input, and if x <y, one secret statement [1] is used. Is an operation that calculates a secret sentence [0] of 0. Stable sort in secret calculation is the input of the secret text [v] of the vector v to be sorted and the secret text [k] of the key vector k used as the reference when sorting, according to the order of the key values The calculation is performed so that no one knows the correspondence of each element before and after the alignment. However, it is assumed that stability is maintained at the time of alignment, that is, the original order is maintained when the values of the designated columns are the same.

  A concealment method applicable in the present invention will be specifically exemplified. For example, the method described in Non-Patent Document 2 described above can be used for concealment, decryption, addition, subtraction, and multiplication. For example, “Takashi Nishide, Kazuo Ohta,“ Multiparty computation for interval, equality, and comparison without bit-decomposition protocol ”, PKC, pp. 343-360, 2007. (Reference 1)”. Method can be used. For the stable sorting, for example, the method described in “Hiro Iwata, Igarashi Univ., Koji Senda, Katsumi Takahashi,“ Linear Time Sorting on Secret Function Calculation ”, SCIS 2011. (reference document 2)” can be used. Therefore, by combining the methods described in Non-Patent Document 2, Reference Document 1, and Reference Document 2, a concealment method capable of performing addition, subtraction, multiplication, equality judgment, comparison, and stable sorting in secret calculation is realized. can do.

  In the present invention, the number of devices that execute the secret calculation is not limited, but the minimum number of devices is determined by the concealment method to be applied. For example, using the fully homomorphic encryption described in “Craig Gentry,“ Fully homomorphic encryption using ideal lattices ”, STOC 2009, pp. 169-178. It is possible to perform addition and multiplication without decoding. When addition and multiplication can be performed, the method of performing equality judgment and comparison without decoding is described in `` Ivan Damgard, Matthias Fitzi, Eike Kiltz, Jesper Buus Nielsen, Tomas Toft, “Unconditionally Secure Constant-Rounds Multi-party Computation for Equality , Comparison, Bits and Exponentiation ", TCC 2006, pp. 285-304. (Reference 4)". When comparison is possible, sorting without decryption is described in “Kenneth E. Batcher,“ Sorting Networks and Their Applications ”, AFIPS Spring Joint Computing Conference 1968, pp. 307-314. Have been described. In addition, it is generally known that stable sorting is possible if sorting is possible (for example, “Wikipedia,“ Sorting algorithm ”, [online], [October 3, 2012 search ], Internet <URL: http: //en.wikipedia.org/wiki/Sorting_algorithm#Stability> (reference 6) "). Therefore, in order to realize the secret calculation of addition, subtraction, multiplication, equality determination, comparison, and stable sort on one apparatus, the methods of Reference 3, Reference 4, and Reference 5 may be combined. .

  Also, a method to calculate an arbitrary function without decryption by two devices is “Andrew Chi-Chih Yao,“ How to Generate and Exchange Secrets (Extended Abstract) ”, FOCS 1986, pp. 162-167. Document 7) ”and the like. By making the input a shared value by secret sharing, it is possible to perform addition and multiplication without decoding on two devices. Therefore, in order to realize the secret calculation of addition, subtraction, multiplication, equality determination, comparison, and stable sort on two devices, the methods of Reference 7, Reference 4, and Reference 5 may be combined. .

  Also, the method of adding and multiplying on three or more devices without decoding is described in “Ronald Cramer, Ivan Damgard, Ueli M. Maurer,“ General Secure Multi-party Computation from any Linear Secret-Sharing Scheme ”, EUROCRYPT 2000. , pp.316-334. (reference document 8) ”and the like. Therefore, in order to realize the secret calculation of addition, subtraction, multiplication, equality judgment, comparison, and stable sort on three or more devices, the methods of Reference 8, Reference 4, and Reference 5 can be combined. Good.

  Although the present invention also uses logical operations (秘密), logical sums (∨), and negation (¬) for secret computation, these logical operations generally combine addition, subtraction, and multiplication. Can be realized. For example, the logical product of the value a and the value b can be realized by a∧b: = a * b. The logical sum of the value a and the value b can be realized by a∨b: = a + b−a * b. The negation of the value a can be realized by ¬a: = 1-a. Further, in the present invention, equal sign negation (≠) in secret calculation is also used, but this calculation can be generally realized by combining equal sign determination and negation. For example, the equality negation of the value a and the value b can be realized by a ≠ b: = ¬ (a = b).

<Median, quantile>
The median is the value of the middle point of a set. When the set size n is an odd number, the median is the value of the (n + 1) / 2th element. When n is an even number, there is a middle point between n / 2 and n / 2 + 1, so there are multiple definitions.

Is called the smaller median,

The th is called the larger median, and simply writing the median represents the smaller median.

  The value of a point that internally divides a set into p: 1-p (0 <p ≦ 1) is called the p quantile. Like the median, there are multiple definitions of quantiles, but in this invention,

The value of the th point is called the p quantile.

<Points of invention>
As described above, according to the conventional secret calculation technique, only the statistical values that can be written by repetition of the binomial calculation can be calculated while keeping the statistical values for each group secret. On the other hand, it is not self-evident to describe quantile calculations such as median and quartiles by repetition of binary operations, and the prior art cannot obtain quantile calculations by secret calculation.

  In this invention, numbers are assigned in ascending order and descending order in the group first, and the place where the magnitude relationship of the value obtained by multiplying the number by b and a is reversed is divided into a: b from the top in the group. Use the property of becoming. Since the place where the magnitude relationship is reversed can be detected by looking at each record and the magnitude relationship before and after the record, an arbitrary quantile can be found efficiently.

[Embodiment]
Hereinafter, embodiments of the present invention will be described in detail. In addition, the same number is attached | subjected to the component which has the same function in drawing, and duplication description is abbreviate | omitted.

<Configuration>
With reference to FIG. 1, the structural example of the secret calculation system 1 of this embodiment is demonstrated. The secret calculation system 1 includes at least one aggregate function device 2. The number of aggregate function devices 2 varies depending on the concealment method to be applied, and may be one or plural. Refer to the above description for details of the number of aggregate function devices 2 and applicable concealment methods. In the following description, a configuration including _M aggregate function devices 2 ₁ ,..., 2 _M is described as an example. M aggregate function devices 2 ₁ ,..., 2 _M are connected to a network 9. The network 9 only needs to be configured so that the connected devices can communicate with each other. For example, the network 9 can be configured by the Internet, a LAN (Local Area Network), a WAN (Wide Area Network), or the like. Each device does not necessarily need to be able to communicate online via a network. For example, the information input to the aggregate function devices 2 ₁ ,..., 2 _M may be stored in a portable recording medium such as a magnetic tape or a USB memory, and input from the portable recording medium offline.

  A configuration example of the aggregate function device 2 included in the secret calculation system 1 will be described with reference to FIG. The aggregate function device 2 includes a control unit 101, a memory 102, an input unit 11, an alignment unit 12, a first staircase calculation unit 13, a second staircase calculation unit 14, a quantile number determination unit 15, and an output unit 16. The aggregate function device 2 may further include a secret information storage unit 19. The aggregate function device 2 is a special device configured by reading a special program into a known or dedicated computer having, for example, a CPU (Central Processing Unit), a RAM (Random Access Memory), and the like. The aggregate function device 2 executes each process under the control of the control unit 101. Data input to the aggregate function device 2 and data obtained in each process are stored in the memory 102, and the data stored in the memory 102 is read out as necessary and used for other processes. The secret information storage unit 19 includes, for example, a main storage device such as a RAM (Random Access Memory), an auxiliary storage device configured by a semiconductor memory element such as a hard disk, an optical disk, or a flash memory, middleware such as a relational database and a key value store, Etc. can be configured.

<Processing>
With reference to FIG. 3, the operation example of the secret calculation system 1 of this embodiment will be described in detail in the order of procedures.

To the aggregation function device _{2 m (1 ≦ m ≦ M} ) input unit 11 provided in the confidential key _{[k] = ([k 1} ], ..., [k N]) and confidentiality values _{[v] = ([v 1} ], ..., [v _N ]) are input (step S11). The secret key [k] is a vector in which a key k = (k ₁ ,..., K _N ) representing a group is concealed by a predetermined concealment method S. Confidential value [v] is key _{k = (k 1, ...,} k N) value _{v = (v 1, ...,} v N) corresponding to the a vector concealed by a predetermined concealment scheme S. The predetermined concealment method S is a concealment method that can perform operations of addition, subtraction, multiplication, equality determination, comparison, and stable sorting in secret calculation. Refer to the above description for details on the concealment method S.

The confidential information input to the input unit 11 is input to the alignment unit 12. Alternatively, the aggregate function device 2 _m may be configured to include the confidential information storage unit 19, and the confidential information input to the input unit 11 may be stored in the confidential information storage unit 19. In this case, the arrangement unit 12 may be configured to read the confidential information from the confidential information storage unit 19 at an arbitrary opportunity.

  The sorting unit 12 stably sorts the secret information using the secret value [v] in ascending order of the value v by the concealment method S. Subsequently, the secret sort method S is used to perform stable sorting using the secret key [k] in ascending order of the key k (step S12). As a result, the secret information is in a state in which the same record continues for the value of the key k (ie, group), and the value v is arranged in ascending order within the same group. The secret information arranged in this way is referred to as arranged secret information in the following description.

The sorted secret information is input to the first staircase calculation unit 13. The first staircase calculation unit 13 uses the secret key [k] to create an index [c] = ([c ₁ ],..., [Vector] indicating the ascending order of the value v for each group in the sorted secret information. c _N ]) is added (step S13). When the i-th record of the sorted confidential information is the j-th record in the same group, it can be expressed as c _i = j−1. The index [c] may be added by any method. However, if the “step + calculation” algorithm shown below is used, the amount of calculation can be reduced and processing can be performed efficiently.

The sorted secret information is input to the second staircase calculation unit 14. The second staircase calculation unit 14 uses the secret key [k] to create an index [d] = ([d ₁ ],..., [Vector] indicating the descending order of the value v for each group in the sorted secret information. d _N ]) is added (step S14). When the i-th record of the sorted confidential information is the j-th record in the same group, d _i = j−1 can be expressed. The index [d] may be added by any method. However, if the “step calculation” algorithm shown below is used, the amount of calculation can be reduced and processing can be performed efficiently.

  In this embodiment, the first staircase calculation unit 13 and the second staircase calculation unit 14 have been described as performing processing in order. However, the first staircase calculation unit 13 and the second staircase calculation unit 14 do any processing first. You may do it. That is, the index [d] may be added by the first staircase calculator 13 after the index [d] is added by the second staircase calculator 14. Moreover, you may perform the process of the 1st staircase calculation part 13 and the process of the 2nd staircase calculation part 14 simultaneously in parallel.

The sorted confidential information to which the index [c] and the index [d] are added is input to the quantile number determination unit 15. The quantile determination unit 15 obtains quantile determination values [f] = ([f ₁ ],..., [F _N ]) based on the index [c] and the index [d] (step S15). The quantile judgment value [f] = ([f ₁ ], ..., [f _N ]) is the a / (a + b) quantile for each group to which the values v ₁ , ..., v _N belong. This is a vector obtained by concealing a vector f = (f ₁ ,..., F _N ) of truth value indicating whether or not by the concealment method S. To determine the quantile, when the i-th record of the sorted confidential information is the j-th record in the same group, _j, whose magnitude relationship between b * c _j and a * d _j is reversed, Utilizes the property of representing the position internally divided into a: b from the top. That is, when calculating the p quantile, which is the point that internally divides into p: 1-p, find _{j where} the magnitude relationship between (1-p) * c _j and p * d _j is reversed, and correspond to j Let f _i = 1 for _i . In other cases, f _n = 0 (n ≠ i).

A more general case where the a / (a + b) quantile is obtained will be specifically described. As described above, there are a plurality of definitions of the a / (a + b) quantile. For example, there is a definition that the value of the i-th element expressed by the following equation is the a / (a + b) quantile. Where n _g is the number of elements in the group. This definition is the first definition in the following description.

When the a / (a + b) quantile is obtained in the first definition, i satisfying the following equation may be obtained. Let f _i = 1 and f _n = 0 (n ≠ i).

In addition, there is a definition that the value of the i-th element expressed by the following equation is the a / (a + b) quantile. Where n _g is the number of elements in the group. This definition is the second definition in the following description.

When the a / (a + b) quantile is obtained in the second definition, i satisfying the following equation may be obtained. Let f _i = 1 and f _n = 0 (n ≠ i).

  In order to obtain the smaller median, a = 1, b = 1 may be used in the equation for obtaining the a / (a + b) quantile in the first definition. Alternatively, i satisfying the following expression may be obtained. In the latter case, since the comparison process can be replaced with an equal sign determination, the calculation can be performed more efficiently.

  In the case of obtaining the larger median value, a = 1 and b = 1 may be used in the equation for obtaining the a / (a + b) quantile in the second definition. Alternatively, i satisfying the following expression may be obtained. In the latter case, since the comparison process can be replaced with an equal sign determination, the calculation can be performed more efficiently.

The quantile determination value [f] = ([f ₁ ],..., [F _N ]) generated by the quantile determination unit 15 is output via the output unit 16 (step S16).

<Effect>
As described above, the secret calculation technique of the present invention uses the concealment method S that can perform each operation of addition, subtraction, multiplication, equality determination, comparison, and stable sorting without decoding the input, By combining these operations, quantile calculation for secret calculation is realized.

  Therefore, according to the secret calculation technique of the present invention, the quantile calculation for each group can be performed without decrypting the input secret text.

[Program, recording medium]
The present invention is not limited to the above-described embodiment, and it goes without saying that modifications can be made as appropriate without departing from the spirit of the present invention. The various processes described in the above-described embodiments are not only executed in time series according to the order described, but may be executed in parallel or individually as required by the processing capability of the apparatus that executes the processes.

  When various processing functions in each device described in the above embodiment are realized by a computer, the processing contents of the functions that each device should have are described by a program. Then, by executing this program on a computer, various processing functions in each of the above devices are realized on the computer.

  The program describing the processing contents can be recorded on a computer-readable recording medium. As the computer-readable recording medium, for example, any recording medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory may be used.

  The program is distributed by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Furthermore, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.

  A computer that executes such a program first stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its own storage device. When executing the process, the computer reads a program stored in its own recording medium and executes a process according to the read program. As another execution form of the program, the computer may directly read the program from a portable recording medium and execute processing according to the program, and the program is transferred from the server computer to the computer. Each time, the processing according to the received program may be executed sequentially. Also, the program is not transferred from the server computer to the computer, and the above-described processing is executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition. It is good. Note that the program in this embodiment includes information that is used for processing by an electronic computer and that conforms to the program (data that is not a direct command to the computer but has a property that defines the processing of the computer).

  In this embodiment, the present apparatus is configured by executing a predetermined program on a computer. However, at least a part of these processing contents may be realized by hardware.

DESCRIPTION OF SYMBOLS 1 Secret calculation system 2 Aggregation function apparatus 9 Network 11 Input part 12 Arrangement part 13 1st staircase calculation part 14 2nd staircase calculation part 15 Quantile number determination part 16 Output part 19 Confidential information storage part 101 Control part 102 Memory

Claims (7)

A group is represented by a concealment method S that includes at least one aggregate function device, a, b, and N are positive integers, and can perform addition, subtraction, multiplication, equality judgment, comparison, and stable sorting in secret calculation. A secret key [k] = ([k ₁ ],..., [K _N ]) in which the key k = (k ₁ ,..., K _N ) is concealed, and a value corresponding to the key k by the concealment method S Using secret information including a secret value [v] = ([v ₁ ],..., [v _N ]) in which v = (v ₁ ,..., v _N ) is concealed, a / ( a + b) a secret computation system for obtaining quantiles,
The aggregate function device is:
The secret information is stably sorted in the ascending order of the value v using the secret value [v] by the concealment method S, and further the key k using the secret key [k] by the concealment method S. An sorting unit that performs stable sorting in ascending order of and generates sorted confidential information;
Using the secret key [k], an index [c] = ([c ₁ ],..., [C _N ]) indicating the ascending order of the value v for each group is added to the sorted secret information A first staircase calculation unit;
Index [d] = ([d ₁ ],..., [D _N ]) indicating the descending order of the value v for each group is added to the sorted secret information using the secret key [k]. A second staircase calculation unit;
Based on the index [c] and the index [d], quantiles indicating whether each of the values v ₁ ,..., V _N is an a / (a + b) quantile for each group. A quantile determination unit for obtaining a number determination value [f] = ([f ₁ ],..., [F _N ]);
A secret calculation system comprising: The secret calculation system according to claim 1,
The quantile determining unit is
Based on the magnitude relationship between a * (d _{i + 1} +1) and b * c _{i + 1 and} the magnitude relationship between b * c _i and a * (d _i +1) for i = 1, ..., N , Whether the value v _i is an a / (a + b) quantile for each group, and the quantile judgment value [f] = ([f ₁ ],..., [F _N ] ) Is a secret calculation system. The secret calculation system according to claim 2,
The quantile determining unit is
For i = 1,..., N, it is determined whether or not the following expression is satisfied. For i satisfying the following expression, the quantile determination value [f _i ] is an a / (a + b) quantile. Set as stuff

A secret computation system characterized by that. The secret calculation system according to claim 2,
The quantile determining unit is
For i = 1,..., N, it is determined whether or not the following expression is satisfied. For i satisfying the following expression, the quantile determination value [f _i ] is an a / (a + b) quantile. Set as stuff

A secret computation system characterized by that. A key k = (k ₁ ,..., k representing a group by a concealment scheme S capable of addition, subtraction, multiplication, equality determination, comparison, and stable sorting in a secret calculation, where a, b, N are positive integers. _N ) and a secret key [k] = ([k ₁ ],..., [K _N ]) and a value v = (v ₁ ,..., V _N corresponding to the key k by the concealment method S. ) To conceal the a / (a + b) quantile for each group using concealment information including concealment values [v] = ([v ₁ ],..., [V _N ]) A functional device,
The secret information is stably sorted in the ascending order of the value v using the secret value [v] by the concealment method S, and further the key k using the secret key [k] by the concealment method S. An sorting unit that performs stable sorting in ascending order of and generates sorted confidential information;
Using the secret key [k], an index [c] = ([c ₁ ],..., [C _N ]) indicating the ascending order of the value v for each group is added to the sorted secret information A first staircase calculation unit;
Index [d] = ([d ₁ ],..., [D _N ]) indicating the descending order of the value v for each group is added to the sorted secret information using the secret key [k]. A second staircase calculation unit;
Based on the index [c] and the index [d], quantiles indicating whether each of the values v ₁ ,..., V _N is an a / (a + b) quantile for each group. A quantile determination unit for obtaining a number determination value [f] = ([f ₁ ],..., [F _N ]);
An aggregate function device comprising: A key k = (k ₁ ,..., k representing a group by a concealment scheme S capable of addition, subtraction, multiplication, equality determination, comparison, and stable sorting in a secret calculation, where a, b, N are positive integers. _N ) and a secret key [k] = ([k ₁ ],..., [K _N ]) and a value v = (v ₁ ,..., V _N corresponding to the key k by the concealment method S. ) Is a secret for obtaining the a / (a + b) quantile for each group using secret information including a secret value [v] = ([v ₁ ],..., [V _N ]). A calculation method,
The aggregation function device stably sorts the concealment information using the concealment method S in the ascending order of the value v using the concealment value [v], and further uses the concealment method S to obtain the concealment key [k]. A sorting step for performing stable sorting in ascending order of the keys k to generate sorted secret information;
The aggregate function device uses the secret key [k] to indicate an index [c] = ([c ₁ ],..., [C] indicating the ascending order of the value v for each group in the sorted secret information. _N ]) to add a first staircase calculation step;
The aggregate function device uses the secret key [k] to add an index [d] = ([d ₁ ],..., [D] indicating the descending order of the value v for each group in the sorted secret information. _N ]) to add a second staircase calculation step;
Based on the index [c] and the index [d], the aggregate function device determines whether each of the values v ₁ ,..., V _N is an a / (a + b) quantile for each group. Quantile number determination step for obtaining quantile determination value [f] = ([f ₁ ],..., [F _N ]) indicating whether or not,
A secret calculation method comprising:   A program for causing a computer to function as the aggregate function device according to claim 5.

Images