JP6309866B2 - Anonymization system - Google Patents

Description

  Embodiments described herein relate generally to an anonymization system.

  In recent years, companies and the like (hereinafter referred to as data owners) that possess large amounts of personal data such as customer information and medical record information have increased. Some data owners use information obtained by statistically processing a large amount of personal data for business / customer trend prediction, disease prevention, etc. Are considering starting a new service.

  However, when personal data is used for the above-mentioned purposes, careful attention is required for handling personal data so as to protect privacy. In addition, since the data owner is highly specialized in statistical processing, a company or service (hereinafter referred to as a data analyst) that performs statistical processing is used as an external service. For this reason, the data owner must carry out further privacy protection, explanation of usage, appropriate operation, and the like. Examples of this type of operation include reducing the amount of personal data provided to a data analyst. However, if the amount of personal data is reduced too much from the viewpoint of privacy protection, a useful analysis result cannot be obtained.

  Therefore, in many cases, an anonymization process that makes it difficult or impossible to identify an individual without reducing the amount of information of the personal data as much as possible is used. At this time, the data owner performs anonymization processing on a large amount of personal data, and provides the obtained anonymization data to an external data analyst who performs statistical processing.

  On the other hand, as an example of an external service, there is a cloud computing service (hereinafter also referred to as a cloud service). In recent years, with the spread of cloud services, facilities for managing large amounts of data are shifting from an internal server of a data owner to an external cloud service. Similarly, at this time, the data owner takes security measures such as performing encryption processing or anonymization processing on a large amount of personal data and causing the cloud service to manage the obtained encrypted data or anonymization data. .

  In addition, each device (devices other than information devices) such as vending machines, elevators, plant facilities, etc. is equipped with sensors, processing devices, communication devices, etc., information exchange and remote monitoring / control, etc. via a network without human intervention M2M (machine to machine) services that perform the above are becoming popular. In such an M2M service, it is estimated that a service using a large amount of information collected from each device will be realized in the future.

  Similarly, in the M2M service, security measures are required for personal data included in information to be collected. On the other hand, if the collected information is encrypted as a security measure, the obtained encrypted data cannot be analyzed. On the other hand, when the collected information is anonymized as a security measure, the obtained anonymized data can be analyzed. Although anonymized data is in a state where individuals, devices, location information, etc. cannot be specified, it is preferable from the viewpoint of privacy protection because it can be analyzed by statistical processing.

  As a typical method of anonymization processing, for example, deletion, pseudonymization, top coding, grouping, resampling, sorting, swapping, error introduction, and the like can be cited (for example, see Non-Patent Document 1).

  Here, “deletion” is a method of deleting identification information that can directly or indirectly specify an individual, such as a household or residence.

  “Kana conversion” is a method of deleting identification information that can directly specify an individual such as a name and adding another ID or pseudonym.

  “Top coding” is a method for collecting special attributes that make it easy to identify individuals having particularly large or small values, such as attributes such as age and the number of households. For example, particularly large values and small values are grouped so as to be higher than the upper threshold value and lower than the lower threshold value.

  “Grouping” is a method in which specific values are grouped and changed to class distinction like attributes such as age. In the case of age, for example, the specific value “23 years old” is changed to a class distinction “20s”.

  “Resampling” is a method of providing only a part of all data to the data analyst, such as randomly extracting and providing 80% of the data from the whole.

  “Sort” is a method in which the arrangement order of data records is rearranged to make it random, and individual identification is impossible.

  “Swapping” is a method of exchanging the values of some attributes between two records, such as exchanging the age or height of the two people between data for two people.

  “Introduction of error” is a method of introducing an error into some attributes of a record, for example, introducing an error into height.

“Guidelines for Creating and Providing Anonymous Data Attachment 2 Techniques for Anonymization” [online], March 28, 2011, Ministry of Internal Affairs and Communications, [April 25, 2014 search], Internet <URL: http : //www.stat.go.jp/index/seido/pdf/35glv4.pdf>

  The anonymization process as described above is usually not particularly problematic. However, according to the examination of the present invention, the following (A) the case where the data owner stores the encrypted data in an external service, and (B) the M2M service However, there is room for improvement in both cases where encrypted data is stored in an external service. Hereinafter, a cloud service will be described as an example of an external service.

  (A) When the data owner simply encrypts the personal data and stores the obtained encrypted data in the cloud system, the data owner downloads and decrypts the encrypted data, and the obtained personal data Anonymize and provide anonymized data to data analysts. Here, the data owner obtains all personal data when the encrypted data is downloaded and decrypted. This situation is undesirable for data owners because it makes little sense to use a cloud system. It is assumed that the situation where the data owner obtains all personal data can be avoided unless the data owner decrypts the encrypted data.

  Along with this, the case where the data owner converts the encrypted data so that the data analyst can decrypt it and provides it to the data analyst will be considered. In this case, although the situation where the data owner obtains all personal data can be avoided, the personal data decrypted by the data analyst is not anonymized, which is not preferable from the viewpoint of privacy protection.

  Further, from the viewpoint of anonymizing personal data without decrypting the encrypted data, the case where the cloud system decrypts the encrypted data and anonymizes the data is considered. In this case, personal data obtained by decryption is developed on the cloud system, which is not preferable from the viewpoint of security.

  In addition, consider the case where the data owner anonymizes personal data, encrypts the anonymized data, stores the encrypted data in the cloud system, and the data analyst downloads and decrypts the encrypted data in the cloud system. . In this case, the encrypted data in the cloud system is anonymized data in which the amount of information is reduced from the original personal data. At this time, since it is necessary for the data owner to manage the original personal data separately from the cloud system, the data owner does not make sense to use the cloud system, which is not preferable.

  (B) Data owners need to provide data analysts with anonymized data in which the amount of information is reduced from personal data in the collected information when information is collected or remotely monitored / controlled by each M2M service device. There is. Here, when the data owner collects personal data and stores it in the cloud system, the burden on the data owner is large. Therefore, it is preferable that the device that collected the personal data stores the personal data in the cloud system. However, even when the device that collected the personal data stores the personal data in the cloud system, it is necessary to store the encrypted data obtained by encrypting the personal data in the cloud system from the viewpoint of security.

  However, when the encrypted data is stored in the cloud system in this way, as in (A) above, when the data owner downloads and decrypts the encrypted data, all personal data is obtained. become.

  Note that there is no known method for anonymizing encrypted data stored in a cloud system and providing it to a data analyst without burdening the data owner with decryption processing, anonymization processing, or the like.

  According to the study of the present inventor, it is estimated that the unfavorable situation in the cases (A) and (B) can be avoided if the encrypted data obtained by encrypting the personal data can be anonymized without being decrypted. Is done.

  The problem to be solved by the present invention is to provide an anonymization system that can anonymize encrypted data obtained by encrypting personal data without decrypting it.

  The anonymization system of the embodiment includes one or more encryption devices, anonymization devices, and decryption devices.

  The encryption apparatus includes first storage means and encryption means.

  The first storage means stores personal data including a value for each item.

  The encryption means generates encrypted data from the personal data by a process of encrypting the value of each item included in the personal data.

  The anonymization device includes second storage means and anonymization means.

  The second storage means stores the encrypted data generated by the encryption device.

  The anonymization means generates encrypted anonymized data from the encrypted data by performing anonymization without decrypting values of some items of the encrypted data in the second storage means .

  The decoding device includes third storage means and decoding means.

  The third storage means stores the encrypted anonymized data generated by the anonymization device.

  The decrypting means generates anonymized data from the encrypted anonymized data by a process of decrypting the encrypted anonymized data in the third storage means.

It is a schematic diagram which shows the anonymization system which concerns on 1st Embodiment, and its periphery structure. It is a schematic diagram which shows the structure of the modification in the embodiment. It is a schematic diagram which shows an example of the personal data in the embodiment. It is a sequence diagram for demonstrating the operation | movement in the embodiment. It is a schematic diagram which shows an example of the encryption data in the embodiment. It is a schematic diagram which shows an example of the encryption anonymization data in the embodiment. It is a sequence diagram for demonstrating operation | movement of the modification in the embodiment. It is a sequence diagram for demonstrating the deformation | transformation operation | movement of the modification in the embodiment. It is a schematic diagram which shows the anonymization system which concerns on 2nd Embodiment, and its periphery structure. It is a sequence diagram for demonstrating the operation | movement in the embodiment. It is a sequence diagram for demonstrating the operation | movement in 3rd Embodiment. It is a schematic diagram which shows an example of the personal data in the embodiment. It is a schematic diagram which shows an example of the encryption data in the embodiment. It is a schematic diagram which shows an example of the encryption anonymization data in the embodiment. It is a schematic diagram which shows the anonymization system which concerns on 4th Embodiment, and its periphery structure. It is a sequence diagram for demonstrating the operation | movement in the embodiment. It is a sequence diagram for demonstrating the operation | movement in 5th Embodiment. It is a schematic diagram which shows an example of the personal data in the embodiment. It is a schematic diagram which shows an example of the encryption data in the embodiment. It is a schematic diagram which shows an example of the encryption anonymization data in the embodiment. It is a sequence diagram for demonstrating the operation | movement in 6th Embodiment. It is a sequence diagram for demonstrating the operation | movement in 7th Embodiment. It is a schematic diagram which shows the anonymization system which concerns on 9th Embodiment, and its periphery structure. It is a sequence diagram for demonstrating the operation | movement in the embodiment. It is a schematic diagram which shows an example of the encryption data in the embodiment. It is a schematic diagram which shows an example of the encryption anonymization data in the embodiment. It is a schematic diagram which shows the structure of the modification in the embodiment. It is a sequence diagram for demonstrating operation | movement of the modification in the embodiment. It is a sequence diagram for demonstrating the deformation | transformation operation | movement of the modification in the embodiment. It is a schematic diagram which shows the anonymization system which concerns on 10th Embodiment, and its periphery structure. It is a sequence diagram for demonstrating the operation | movement in the embodiment. It is a sequence diagram for demonstrating the operation | movement in 11th Embodiment. It is a schematic diagram which shows an example of the encryption data in the embodiment. It is a schematic diagram which shows an example of the encryption anonymization data in the embodiment. It is a sequence diagram for demonstrating the operation | movement in 12th Embodiment. It is a sequence diagram for demonstrating the operation | movement in 13th Embodiment. It is a schematic diagram which shows an example of the encryption data in the embodiment. It is a schematic diagram which shows an example of the encryption anonymization data in the embodiment. It is a sequence diagram for demonstrating operation | movement of the modification in the embodiment. It is a sequence diagram for demonstrating the deformation | transformation operation | movement of the modification in the embodiment. It is a schematic diagram which shows the anonymization system which concerns on 14th Embodiment, and its periphery structure. It is a sequence diagram for demonstrating the operation | movement in the embodiment. It is a schematic diagram for demonstrating the outline | summary of each embodiment. It is a schematic diagram for demonstrating the outline | summary of each embodiment.

  Each embodiment will be described below with reference to the drawings, but before that, various encryption methods and the like used individually in each embodiment will be described. Each device used in each embodiment can be implemented with either a hardware configuration or a combination configuration of hardware resources and software. As the software of the combined configuration, a program that is installed in advance on a computer of a corresponding device from a network or a storage medium and that realizes the function of the corresponding device is used.

<Various encryption methods>
As a technique for performing statistical processing using encrypted data, there is known a method capable of executing various processes such as addition / subtraction and size comparison with respect to original data in an encrypted state. As this type of method, for example, the first document ([Paillier]), the second document ([OPE]), the third document ([HLP10]), and the fourth document ([AN2013-51001]) There are first to fourth methods described respectively in FIG. Here, the information regarding each document ([Paillier], [OPE], [HLP10], [AN2013-51001]) is as follows.

[Paillier] Pascal Paillier, Public-Key Cryptosystems Based on Composite Degree Residuosity Classes, EUROCRYPT 1999, pp223-238.
[OPE] A. Boldyreva, N. Chenette, Y. Lee and A. O'Neill. Order-preserving symmetric encryption. In Eurocrypt '09, pp. 224 {241. Springer, 2009.
[HLP10] CY. Hsu, CS. Lu, SC. Pei, “Homomorphic Encryption-based Secure SIFT for Privacy-Preserving Feature Extraction”, Proceedings of SPIE-The International Society for Optical Engineering, 2011.
[AN2013-51001] Japanese Patent Application No. 2013-051001 (filing date: March 13, 2013).

  The first method is an encryption method that can be added and subtracted in an encrypted state (hereinafter referred to as homomorphic encryption), and is also referred to as a [Paillier] method.

  The second scheme is an order preserving encryption scheme in which the magnitude relationship of ciphertext matches the corresponding plaintext magnitude relationship, and is also referred to as an [OPE] scheme.

  The third method is a homomorphic encryption and can be compared in size, and is also referred to as an [HLP10] method.

  The fourth method is a homomorphic encryption and can be compared in size, and is also referred to as [AN2013-51001] method.

  In each embodiment, the encrypted data is anonymized using this type of method. At this time, since the original data is encrypted, the encrypted data can be output to the outside before anonymization. Therefore, the encrypted data can be stored in an external service such as a cloud. Further, the anonymized data may be obtained by decrypting the encrypted anonymized data obtained by anonymizing the encrypted data.

  Next, a typical algorithm of each method for performing calculation in an encrypted state will be described.

  First, the (additive) homomorphic encryption method ([Paillier] method) will be described. The basic model of the [Paillier] method includes the following five functions (hereinafter also referred to as an algorithm): key generation, encryption, ciphertext addition, ciphertext subtraction, and decryption.

(Key generation) KeyGen (1 ^k ) → (pk _A , sk _A )
When the security parameter 1 ^k is input, the key generation algorithm KeyGen outputs a set (pk _A , sk _A ) of the public key pk _A and the secret key sk _A.

(Encryption) Enc (pk _A , m1) → C _{A, m1}
When the public key pk _{A of} user A and plaintext m1 are input, the encryption algorithm Enc outputs ciphertext CA _{, m1} addressed to user A.

(Ciphertext addition) Add (C _{A, m1} , C _{A, m2} ) → C _{A, m1 + m2}
When the ciphertext _{CA, m1} and _{CA , m2} addressed to the user A are input, the addition algorithm Add outputs the ciphertext _{CA, m1 + m2} addressed to the user A.

(Subtraction of ciphertext) Sub ( _CA , _m1 , _{CA , m2} ) → _{CA, m1-m2}
When the ciphertext _{CA, m1} and _{CA , m2} addressed to the user A are input, the subtraction algorithm Sub outputs the ciphertext _{CA, m1-m2} addressed to the user A.

(Decryption) Dec (sk _A , C _{A, m1 + m2} ) → m1 + m2
When the decryption algorithm Dec receives the user A's private key sk _A and the ciphertext C _{A, m1 + m2} addressed to the user A, the decryption algorithm Dec outputs plaintext m1 + m2.

  Next, an order-preserving encryption method ([OPE] method) that can be compared in size is described. The basic model of the [OPE] method includes the following four functions (hereinafter also referred to as an algorithm): key generation, encryption, ciphertext comparison, and decryption.

(Key generation) KeyGen (1 ^k ) → (sk _A )
The key generation algorithm KeyGen outputs the secret key sk _A when the security parameter 1 ^k is input.

(Encryption) Enc (sk _A , m1) → C _{A, m1}
The encryption algorithm Enc outputs the ciphertext C _{A, m1} when the secret key sk _A and the plaintext m1 are input.

The ciphertext comparison algorithm Comp, when ciphertext C _{A, m1} and C _{A, m2} is input, is 1 when m1 is greater than m2, 0 when m1 and m2 are equal, and m1 is greater than m2. If it is smaller, -1 is output.

(Decryption) Dec (sk _A , C _{A, m1} ) → m1
The decryption algorithm Dec outputs the plaintext m1 when the secret key sk _A and the ciphertext C _{A, m1} are input.

  Next, encryption methods that retain the properties of (additive) homomorphic encryption methods and encryption methods that can be compared in size ([HLP10] method, [AN2013-51001] method) will be described. The basic model of this cryptosystem consists of the following six functions (hereinafter also referred to as algorithms): key generation, encryption, ciphertext addition, ciphertext subtraction, ciphertext comparison, and decryption.

(Key generation) KeyGen (1 ^k ) → (sk _A )
The key generation algorithm KeyGen outputs the secret key sk _A when the security parameter 1 ^k is input.

(Encryption) Enc (sk _A , m1) → CA _{, m1}
The encryption algorithm Enc outputs the ciphertext C _{A, m1} when the secret key sk _A and the plaintext m1 are input.

(Ciphertext addition) Add (C _{A, m1} , C _{A, m2} ) → C _{A, m1 + m2}
When the ciphertext C _{A, m1} and C _{A, m2} are input, the addition algorithm Add outputs the ciphertext C _{A, m1 + m2} .

(Subtraction of ciphertext) Sub ( _CA , _m1 , _{CA , m2} ) → _{CA, m1-m2}
When the ciphertext C _{A, m1} and C _{A, m2} are input, the subtraction algorithm Sub outputs the ciphertext _{CA, m1-m2} .

The ciphertext comparison algorithm Comp, when ciphertext C _{A, m1} and C _{A, m2} is input, is 1 when m1 is greater than m2, 0 when m1 and m2 are equal, and m1 is greater than m2. If it is smaller, -1 is output.

(Decryption) Dec (sk _A , C _{A, m1 + m2} ) → m1 + m2
The decryption algorithm Dec outputs the plaintext m1 + m2 when the secret key sk _A and the ciphertext C _{A, m1 + m2} are input.

  An example of a specific algorithm for each function of the [AN2013-51001] method based on the above-described model will be described. Unlike the other methods, the [AN2013-51001] method is not disclosed at the time of filing the present application, so an example of an algorithm for each function will be described in detail.

(Key generation) KeyGen (1 ^k ) → (a, g ^sv , g, N, a ⁻¹ , s, v)
When the security parameter 1 ^k is input, the key generation algorithm KeyGen is provided with an encryption key a, g ^sv , g, N, a secondary operation key a ⁻¹ , s, N, a tertiary operation key v, N, and a decryption key sv, a ⁻¹ , N (or s, v, a ⁻¹ , N) are output.

  Hereinafter, an example of a key generation process by this key generation algorithm KeyGen will be specifically described.

First, the key generation algorithm KeyGen generates prime numbers p and q in which p ′ = (p−1) / 2 and q ′ = (q−1) / 2 are prime numbers. The prime numbers p and q are generated based on the security parameter λ corresponding to the security parameter 1 ^{k so} that the number of bits of the composite number N = pq is greater than λ or λ.

  Next, the key generation algorithm KeyGen calculates the parameters pp'qq 'and N.

Next, the key generation algorithm KeyGen generates a multiplicative group G having an order of pp′qq ′, and randomly selects an element g of G from G. The position number to generate a multiplicative group G is Pp'qq ', for example, select the Z _N 2 ^* original randomly from Z _N 2 ^*, a value obtained by squaring the selected element g What should I do? Here, Z _N 2 ^* is a set of integers that are relatively prime to Z _N 2 and N ² (= (Z / N ² Z) ^* ), and may be called a multiplicative group Z _N 2 ^* for the composite number N ² . . Z _N 2 is a set of integers greater than or equal to 0 and less than N ² (= (Z / N ² Z).

  Next, the key generation algorithm KeyGen randomly selects part a, s, v of each key from the set {1,..., Pp′qq ′} based on the previously calculated parameters pp′qq ′ and N. To do.

Subsequently, the key generation algorithm KeyGen calculates a value of a ⁻¹ satisfying a · a ⁻¹ modN ² = 1 and a value of g ^sv . Thereafter, the key generation algorithm KeyGen includes encryption keys a, g ^sv , g, N, secondary operation keys a ⁻¹ , s, N, tertiary operation keys v, N, and decryption keys sv, a ⁻¹ , N (or s, v, a ⁻¹ , N) is output.

The encryption key may be a, sv, g, N, or a, s, v, g, N. Further, g, N, and N ² may not be included in the encryption key, the secondary operation key, and the tertiary operation key, but may be disclosed to each device as public parameters. In summary, the encryption key includes a, s, v (or a, sv). The secondary operation key includes a ⁻¹ and s. The tertiary operation key includes v.

  The same applies to each embodiment and each modification described below.

  Thus, the key generation process is completed. In this specification, a notation assuming that G is a multiplicative group is adopted, but the present invention is not limited to this, and it is also possible to express the notation assuming that G is an additive group.

(Encryption) Enc (m) → C = (C ₁ , C ₂ )
When the encryption key and plaintext m are input, the encryption algorithm Enc outputs ciphertext C = (C ₁ , C ₂ ).

  Hereinafter, an example of the encryption process by the encryption algorithm Enc will be specifically described.

Here, an example in which the encryption algorithm Enc encrypts k (k is a natural number) plaintexts (numerical data to be encrypted) m ₁ ,..., M _k will be described. Each plaintext _{m i} is the original _{Z N.} Z _N is a set of integers greater than or equal to 0 and less than N (= (Z / NZ)).

First, the encryption algorithm Enc randomly selects _k random numbers r ₁ ,..., Rk from Z _N 2 ^* . Next, the encryption algorithm Enc uses the generated random numbers r ₁ ,..., R _k and the encryption keys a, g ^sv , g, N described above, and plaintexts m _{1 ,.} Is encrypted.

Thereby, the ciphertext C _i (i = 1,..., K) is generated. The encryption key a may be generated by a key generation device provided with the key generation algorithm KeyGen, or may be generated by an encryption device provided with the key generation algorithm KeyGen. In the latter case, the key generation device transmits the encryption keys g ^sv , g, and N to the encryption device, and the encryption device generates the encryption key a and calculates the value of a− ¹ . If the encryption device does not know the value of pp′qq ′, the encryption device a may randomly select the encryption key a from Z _N 2 ^* .

  Thus, the encryption process is completed.

(Cryptographic primary operation) Cal _1st (C) → X = (X ₁ , X ₂ )
When the ciphertext C is input, the primary operation processing algorithm Cal _1st outputs the primary operation result X = (X ₁ , X ₂ ).

Hereinafter, an example of the primary calculation processing by the primary calculation processing algorithm Cal _1st will be specifically described.

  The primary calculation processing in this example is processing for adding / subtracting ciphertext (encrypted data).

As the primary calculation process, a case where the positive / negative of the following expression F is determined by a tertiary calculation process to be described later will be described as an example.

Here, _ni is an arbitrary integer. K is a set of indexes i necessary for calculating Formula F. For example, when F = 2m ₁ −m ₂ , n ₁ = 2, n ₂ = −1, and K = {1, 2}. Also, if you want to determine the magnitude relationship between the minuend _{m a} in the formula F of addition and subtraction and subtrahend _{m b,} for _example, the _{F = m a -m b = 3m} 2 -4m 3 + m 5, n 2 = 3, n ₃ = −4, n ₅ = 1, K = {2, 3, 5}. Here, the reduced number m _a is 3 m ₂ + m ₅ , and the reduced number m _b is 4 m ₃ . If it is desired to determine the magnitude relationship between the numerical values a and b, F = m _a −m _b = m ₁ −m ₂ , n ₁ = 1, n ₂ = −1, and K = {1, 2}. Good.

When the ciphertext C _i (iεK) necessary for the calculation of Formula F is input, the primary calculation processing algorithm Cal _1st calculates the primary calculation result X = (X ₁ , X ₂ ) using the following formula.

Thereafter, the primary operation processing algorithm Cal _1st outputs the primary operation result X = (X ₁ , X ₂ ).

  Thus, the primary calculation process is completed.

(Secondary processing of ciphertext) Cal _2nd (X) → Y = (Y ₁ , Y ₂ )
When the primary operation result X and the secondary operation keys a ⁻¹ , s, and N are input, the secondary operation processing algorithm Cal _2nd outputs the secondary operation result Y = (Y ₁ , Y ₂ ).

Hereinafter, an example of the secondary calculation processing by the secondary calculation processing algorithm Cal _2nd will be specifically described.

  The secondary operation processing in this example is processing for randomizing the ciphertext (encrypted data) subjected to addition and subtraction.

The secondary arithmetic processing algorithm Cal _2nd generates parameters L, J, β, and D. An index for selecting these parameters L, J, β, and D will be described later. The parameters L, J, β, and D may be given from the outside.

Next, the secondary arithmetic processing algorithm Cal _2nd randomly selects β random numbers r ′ _i (i = 0,..., Β−1) from the set {1,. Here, β = 1 or β ≧ 2 may be satisfied. The same applies to other embodiments and modifications. Further, the random number z is randomly selected from the set {0, 1,..., J}. Then, the secondary arithmetic processing algorithm Cal _2nd calculates the random number R shown in the following equation, and acquires the random numbers R and z.

Next, the secondary calculation processing algorithm Cal _2nd uses the above-described secondary calculation keys a ⁻¹ , s, N, the primary calculation result X = (X ₁ , X ₂ ), and the random numbers R, z to The secondary calculation result Y = (Y ₁ , Y ₂ ) is calculated by the equation.

Thereafter, the secondary calculation processing algorithm Cal _2nd outputs the primary calculation result Y = (Y ₁ , Y ₂ ).

Here, an index for selecting each parameter will be described. Let D be the maximum absolute value that can be positive / negative. That is, suppose that it is possible to determine that F is positive when 0 <F <D and that F is negative when -D <F <0. At this time, the secondary arithmetic processing algorithm Cal _2nd selects β random numbers r ′ _i so as to satisfy the following expression.

Further, the secondary arithmetic processing algorithm Cal _2nd selects J so that the probability that R <J is sufficiently small when R, which is the product of β random numbers r ′ _i , is selected as described above.

  Thus, the secondary calculation process is completed.

(Cryptographic tertiary processing)

When the secondary operation result Y and the tertiary operation keys v and N are input, the tertiary operation processing algorithm Cal _3rd outputs a determination result indicating positive or negative (or 0).

Hereinafter, an example of the tertiary operation processing by the tertiary operation processing algorithm Cal _3rd will be specifically described.

  The tertiary operation processing in this example is processing for determining the magnitude relationship between the subtracted number and the reduced number in the addition / subtraction formula from the ciphertext (encrypted data) that has been randomized and added / subtracted.

The tertiary operation processing algorithm Cal _3rd uses the above-described tertiary operation keys v and N and secondary operation results Y ₁ and Y ₂ to calculate W ′ by the following equation.

If W ′ is not a multiple of N, the subsequent calculation is not performed and the cubic operation process is terminated. Otherwise (when W ′ is a multiple of N), the tertiary operation processing algorithm Cal _3rd calculates the tertiary operation result W according to the following equation.

Next, the tertiary arithmetic processing algorithm Cal _3rd determines that the expression F is positive if W <N / 2, and determines that the expression F is negative (or 0) otherwise.

When expressed in the form of F = M _a −M _b , if F is positive, it can be determined that M _a > M _b . If F is negative, it can be determined that M _a ≦ M _b .

Thereafter, the tertiary operation processing algorithm Cal _3rd outputs a determination result.

  Thus, the tertiary operation process is completed.

In the determination, the tertiary calculation processing algorithm Cal _3rd may determine that F = 0 if −J ≦ W ≦ 0. In this case, the tertiary arithmetic processing algorithm Cal _3rd determines that F is negative if −N / 2 <W <−J. The same applies to other embodiments and modifications.

Here, taking the case of F = 3m ₂ -4m ₃ + m ₅ as an example, W = FR−z is shown. The primary calculation results X ₁ and X ₂ , the secondary calculation results Y ₁ and Y _2, and the tertiary calculation result W are respectively expressed as follows.

In the tertiary calculation result W, W = FR−z, and z is subtracted from FR. However, if the value of R is appropriately set as described above, the tertiary arithmetic processing algorithm Cal _3rd can correctly determine the sign of F without being affected by the value of the random number z.

In the above-described example, F = M _a −M _b = 3 m ₂ −4 m ₃ + m ₅ , and therefore, for example, by setting the subtracted number M _a = 3 m ₂ + m ₅ and the subtracted number M _b = 4 m ₃ , the subtracted number (3 m ₂ + M ₅ ) and the subtraction (4 m ₃ ) can be determined. In addition, for example, the relationship between the reduced number (3m ₂ ) and the reduced number (4m ₃ -m ₅ ) may be determined by regarding the reduced number M _a = 3 m ₂ and the reduced number M _b = 4 m ₃ -m _5. it can.

(Decryption) Dec (C) → m
The decryption algorithm Dec outputs a plaintext m when the decryption keys sv, a ⁻¹ , N (or s, v, a ⁻¹ , N) and the ciphertext C are input.

  Hereinafter, an example of the decoding process by the decoding algorithm Dec will be specifically described.

The decryption algorithm Dec uses the decryption keys sv, a ⁻¹ , N (or s, v, a ⁻¹ , N) and the ciphertext C _i to calculate D ′ by the following equation.

If D ′ is not a multiple of N, the subsequent calculation is not performed and the decoding process is terminated. Otherwise (if D 'is a multiple of N), the decryption algorithm Dec is the following equation to calculate the plaintext m _i.

Thereafter, the decryption algorithm Dec outputs plaintext m = m _i (i = 1,..., K).

  Thus, the decoding process is completed.

  On the other hand, as a technique for encrypting data, a method using the same key for encryption and decryption is also known. As this type of scheme, for example, there is a fifth scheme (hereinafter also referred to as [AES] scheme) described in the fifth document ([AES]). Here, the information regarding the fifth document ([AES]) is as follows.

[AES] AES (Advanced Encryption Standard): FIPS-197, http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
An encryption method ([AES] method) that uses the same key for encryption and decryption is described. The basic model of an encryption method that retains the properties of the [AES] method is composed of the following three functions (hereinafter also referred to as an algorithm) of key generation, encryption, and decryption.

(Key generation) KeyGen (1 ^k ) → (sk _A )
The key generation algorithm KeyGen outputs the secret key sk _A when the security parameter 1 ^k is input.

(Encryption) Enc (sk _A , m1) → CA _{, m1}
The encryption algorithm Enc outputs the ciphertext C _{A, m1} when the secret key sk _A and the plaintext m1 are input.

(Decryption) Dec (sk _A , C _{A, m1} ) → m1
The decryption algorithm Dec outputs plaintext m1 + m2 when the secret key sk _A and the ciphertext C _{A, m1} are input.

  The above is a representative algorithm of various encryption methods ([Paillier] method, [OPE] method, [HLP10] method, [AN2013-51001] method, [AES] method) individually used in each embodiment. In each embodiment, as shown in FIG. 43 or 44, anonymization processing (a pseudonymization, top coding) is performed without decrypting encrypted data by various encryption methods ([Paillier] method, [OPE] method,...). , ...). FIG. 43 shows the case (A) in which the data owner saves the encrypted data in the external service. FIG. 44 shows the case (B) in which the M2M service stores the encrypted data in the external service.

<First embodiment: pseudonymization>
FIG. 1 is a schematic diagram showing an anonymization system and its peripheral configuration according to the first embodiment. The anonymization system includes one or more encryption devices 10, anonymization devices 20, and decryption devices 30, and the devices 10, 20, 30 are connected to each other via a communication network 40. The communication network 40 is connected to the statistical processing device 50. The communication network 40 is, for example, a wireless local area network (LAN), a wired LAN, an optical line network, a telephone line network, an intranet, Ethernet (registered trademark), the Internet, or a combination thereof.

  Here, the encryption apparatus 10 includes an encryption parameter storage unit 11, a key storage unit 12, a temporary data storage unit 13, a communication unit 14, a parameter generation unit 15, a random number generation unit 16, an encryption unit 17, and a control unit 18. ing. In the present embodiment, a case where one encryption device 10 is used will be described. The case of using a plurality of encryption devices will be described in the second embodiment.

  The encryption parameter storage unit 11, the key storage unit 12, and the temporary data storage unit 13 can be realized as a storage device that can be read / written by a processor (not shown) or a storage area of the storage device. Store keys and temporary data. The temporary data storage unit 13 constitutes a first storage unit that stores personal data including a value for each item.

  The communication unit 14, the parameter generation unit 15, the random number generation unit 16, the encryption unit 17, and the control unit 18 are realized by, for example, a processor (not shown) executing a program including each step in the encryption device 10 to be described later. It is a functional block. The encryption unit 17 constitutes an encryption unit that generates encrypted data from the personal data by a process of encrypting the value of each item included in the personal data. Moreover, the encryption part 17 comprises the parameter encryption means which encrypts the parameter for anonymous used for the process which anonymizes, and produces | generates the parameter for encryption anonymous. As anonymity parameters, for example, random numbers, threshold values, lower limit values, upper limit values, representative values, errors, and the like can be used as appropriate. In the present embodiment, a random number is used as the anonymous parameter. As an encryption anonymous parameter, for example, an encrypted random number, an encryption threshold value, an encryption lower limit value, an encryption upper limit value, an encryption representative value, an encryption error, and the like can be used as appropriate. In this embodiment, an encrypted random number is used as an encrypted anonymous parameter. However, the parameter encryption means is not essential and can be omitted as described in the thirteenth and fourteenth embodiments.

  The anonymization unit 20 includes an encryption parameter storage unit 21, an encrypted data storage unit 22, a temporary data storage unit 23, a communication unit 24, a random number generation unit 25, an anonymization processing unit 26, a calculation unit 27, a calculation result comparison unit 28, and A control unit 29 is provided.

  The encryption parameter storage unit 21, the encrypted data storage unit 22, and the temporary data storage unit 23 can be realized as a storage device or a storage area of the storage device that can be read / written from a processor (not shown). Stores encrypted data, temporary data, and the like. The temporary data storage unit 23 constitutes a second storage unit that stores the encrypted data generated by the encryption device 10.

  The communication unit 24, the random number generation unit 25, the anonymization processing unit 26, the calculation unit 27, the calculation result comparison unit 28, and the control unit 29 include, for example, a program in which a processor (not shown) includes each step in the anonymization unit 20 described later. It is a functional block realized by executing. The anonymization processing unit 26 generates anonymous anonymized data from the encrypted data by performing anonymization without decrypting values of some items of the encrypted data in the second storage unit. Is configured. The anonymization means has a function of generating encrypted anonymized data from the encrypted data based on the encrypted anonymous parameter generated by the encryption device 10. However, this function is omitted when the encryption anonymous parameter is not used, as described in the thirteenth and fourteenth embodiments.

  The decryption device 30 includes an encryption parameter storage unit 31, a secret key storage unit 32, a temporary data storage unit 33, a communication unit 34, a random number generation unit 35, a key generation unit 36, a decryption unit 37, and a control unit 38.

  The encryption parameter storage unit 31, the secret key storage unit 32, and the temporary data storage unit 33 can be realized as a storage device or a storage area of the storage device that can be read / written by a processor (not shown). Store keys and temporary data. The temporary data storage unit 33 constitutes third storage means for storing encrypted anonymized data generated by the anonymization device 20.

  The communication unit 34, the random number generation unit 35, the key generation unit 36, the decryption unit 37, and the control unit 38 are realized by, for example, a processor (not shown) executing a program including each step in the decryption device 30 described later. It is a functional block. The decrypting unit 37 constitutes decrypting means for generating anonymized data from the encrypted anonymized data by a process of decrypting the encrypted anonymized data in the third storage means. Here, the anonymization data may be, for example, information including values obtained by anonymizing the values of some items in personal data and values of items other than some items. Further, for example, the encrypted anonymized data includes a value obtained by anonymizing encrypted values of some items included in the encrypted data, and values of items other than some items included in the encrypted data. May be included. In encrypted anonymized data, “values in which encrypted values of some items included in encrypted data are anonymized” means that “values in some items included in anonymized data are anonymous The encrypted value may be read as the same value as the “encrypted value”.

  The statistical processing device 50 includes a data storage unit 51, a communication unit 52, and a statistical processing unit 53.

  The data storage unit 51 can be realized as a storage device that can be read / written by a processor (not shown) or a storage area of the storage device, and stores anonymized data, statistical data, and the like.

  The communication unit 52 and the statistical processing unit 53 are, for example, functional blocks realized by a processor (not shown) executing a program including each step in the statistical processing device 50 described later.

  In addition, although the case where each apparatus 10, 20, 30, 50 was provided in FIG. 1 was shown, not only this but each apparatus 10, 20, 30, 50 is one or more arbitrary numbers. May be provided. In FIG. 1, the anonymization device 20 has a function for storing encrypted data (encrypted data storage unit 22), and the decryption device 30 has a function for generating keys (each unit 31, 33 to 36, 38). Not limited to this, for example, as shown in FIG. 2, each function may be arranged in another device. The same applies to any device and any function.

  The present embodiment relates to a technique for pseudonymizing an employee number, which is one of personal data, while being encrypted.

  Personal data is information about an individual, such as name, employee number, age, income, date of birth, and other information that can identify a specific individual by a single or multiple combination. Say. “Personal data” may be called “personal information” or “data of personal information”. In this embodiment, as shown in an example in FIG. 3, attribute values (character strings or numerical values) of attribute items such as name, employee number, age, and income are used as personal data, and the personal data is stored in the table T1. ing. Here, a character string is used for the attribute value of the attribute item “name”. A numerical value is used for the attribute value of the attribute item “employee number” (however, since the employee number is ID information, a combination of a character string and a numerical value may be used). Numerical values are used for the attribute values of the attribute items “age” and “income”. The table T1 includes personal data as attribute values of the attribute items shown in the drawing, but may also include information other than personal data as attribute values of other attribute items (not shown). In any case, personal data is described in the table T1. In addition, as attribute items whose information values other than personal data are attribute values, for example, diseased disease names, purchased product names, questionnaire responses, and the like can be used as appropriate. The term “attribute item” may be simply called “attribute” or “item”, or may be called “attribute information” or “item information”. Similarly, the term “attribute value” may simply be called “value”.

  Personal data anonymization refers to a process of converting personal data so that a specific individual cannot be identified. For the anonymization process, a method as described above is known.

  These definitions are the same in the following embodiments and modifications.

  Next, operation | movement of the anonymization system in this embodiment is demonstrated using the sequence diagram of FIG. 4, and the schematic diagram of FIG.3, FIG5 and FIG.6. In the following description, the case of anonymization using an (additive) homomorphic encryption method will be described as an example.

(Advance preparation)
In step ST1, the key generation unit 36 of the decryption device 30 generates a key pair (public key pk _A , secret key sk _A ) in the homomorphic encryption method based on the security parameter (1 ^k ) in the encryption parameter storage unit 31. Generate.

KeyGen (1 ^k ) → (pk _A , sk _A )
Note that the key generation unit 36 can acquire a random number necessary for the key pair generation process from the random number generation unit 35. Further, the key generation unit 36 of the decryption apparatus 30 stores the generated key pair (pk _A , sk _A ) in the secret key storage unit 32. Here, the public key pk _A is an encryption key, and the secret key sk _A is a decryption key.

In step ST <b> 2, the control unit 38 of the decryption device 30 sends the public key pk _A , which is an encryption key, to the encryption device 10 through the communication unit 34. The control unit 18 of the encryption device 10 stores the public key pk _A received by the communication unit 14 in the key storage unit 12.

In step ST <b> 3, the encryption unit 17 of the encryption device 10 reads the table T <b> 1 illustrated in FIG. 3 from the temporary data storage unit 13. The encryption unit 17 encrypts the attribute value data _i of the attribute item (employee number) to be pseudonymized for each record in the table T1 based on the public key pk _A in the key storage unit 12.

Enc (pk _A , data _i ) → C _{A, data_i}
The encryption unit 17 can obtain parameters and random numbers necessary for the encryption process from the encryption parameter storage unit 11 and the random number generation unit 16, respectively.

Similarly, the encryption unit 17 encrypts the attribute values of attribute items other than the attribute items to be pseudonymized for each record in the table T1 based on the public key pk _A. As a result, the attribute values of all the attribute items in the table T1 are encrypted, and as shown in FIG. 5, a table T1e in which the attribute values of all the attribute items are encrypted is generated as encrypted data.

  In step ST <b> 4, the control unit 18 of the encryption device 10 sends the encrypted data including the table T <b> 1 e to the anonymization device 20 through the communication unit 14.

  In step ST <b> 5, the anonymization device 20 stores the table T <b> 1 e that is encrypted data received by the communication unit 24 in the temporary data storage unit 23.

(Anonymization)
In step ST <b> 6, the random number generation unit 16 of the encryption device 10 generates an anonymous parameter for pseudonymization as the random number R. The encryption unit 17 encrypts the generated random number R with a homomorphic encryption method based on the public key pk _A in the key storage unit 12, and generates encrypted random numbers C _{A, R} that are encryption anonymous parameters. .

Enc (pk _A , R) → C _{A, R}
In step ST7, the control unit 18 of the encryption device 10 sends the attribute item (employee number) to be pseudonymized in the table T1e and the encrypted random numbers C _{A, R} to the anonymization device 20 through the communication unit 14. To do. However, when the anonymization device 20 holds or generates the encrypted random numbers C _{A, R} in advance by obtaining the public key pk _A by the anonymization device 20 in advance, the encrypted random number C _A by the encryption device 10 is used. _Therefore , generation and sending of _R can be omitted. The same applies to the following embodiments and modifications.

In step ST <b> 8, the anonymization device 20 receives the attribute item (employee number) and the encrypted random numbers C _{A, R} through the communication unit 24. The anonymization processing unit 26 includes the attribute value C _{A, data_i of} the attribute item (employee number) that matches the received attribute item (employee number) in the table T1e in the temporary data storage unit 23 and the received encrypted random number. C _{A and R} are added for each record.

Add (C _{A, data_i} , C _{A, R} ) → C _{A, data_i + R}
In other words, the attribute value C _{A, data_i} encrypted in step ST3 is an encrypted attribute value C _{A, R} without being decrypted by adding the encrypted random numbers C _{A, R} in the encrypted state. Converted to _{A, data_i + R.}

In this manner, the attribute value of the attribute item (employee number) to be pseudonymized in the table T1e is anonymized, and as shown in FIG. 6, the table T1a including _{the anonymized} attribute value _{CA, data_i + R} is obtained. Generated as encrypted anonymized data.

  Thereafter, the anonymization processing unit 26 stores the table T1a in the temporary data storage unit 23.

  In step ST <b> 9, the control unit 29 of the anonymization device 20 sends the encrypted anonymization data including the table T <b> 1 a in the temporary data storage unit 23 to the decryption device 30 through the communication unit 24.

According to this embodiment, it becomes possible to anonymize the encrypted data without decrypting it, and to decrypt the obtained encrypted anonymized data and use the anonymized data. Specifically, the attribute value data_i of the table T1 expressed in numerical values can be pseudonymized with a random number R for pseudonymization. Here, the encryption apparatus 10 may create a correspondence table before and after pseudonymization based on the encrypted random numbers CA _{and R} for pseudonymization. In this case, it is possible to specify an individual from the attribute information of the kana table, or to restore the kana processing.

Thereafter, in step ST10, the control unit 38 of the decryption device 30 receives the encrypted anonymized data by the communication unit 34 and stores it in the temporary data storage unit 33. Based on the secret key sk _A that is the decryption key in the secret key storage unit 32, the decryption unit 37 decrypts the value of each attribute item in the table T1a that is the encrypted anonymized data in the temporary data storage unit 33. Then, a table of the obtained decoding results is obtained.

The control unit 38 of the decryption device 30 determines whether or not the attribute value of the attribute item (employee number) to be pseudonymized in the decryption result table is anonymized. For example, when an encrypted random number C _{A, R} with a higher number of digits (eg, 7 digits) than the number of digits of the attribute value before anonymization (eg, 5 digits) is added, the number of digits with the higher attribute value (eg, 7 digits), it is determined that anonymization has occurred. In addition, for example, if the attribute value of an anonymized attribute item (employee number) is different from the value before anonymization and the value after anonymization, it is determined that the attribute value is anonymized. Good. In this case, the encryption device 10 may transmit the value before anonymization to the decryption device 30 at an arbitrary timing. In any case, if the determination result is NO, the process is repeated from step ST6 (or ST4), and the process is repeated until a preferable anonymization result is obtained.

  In step ST11, when the attribute value is anonymized as a result of the determination, the control unit 38 of the decryption device 30 uses the communication unit 34 to safely convert the anonymized data including the decryption result table to the statistical processing device 50. Send to.

  In step ST <b> 12, the statistical processing device 50 executes statistical processing using the anonymized data received by the communication unit 52 and stores the obtained statistical processing result in the data storage unit 51. Thereafter, the statistical processing device 50 appropriately uses the statistical processing result.

  As described above, according to the present embodiment, encrypted data is generated from the personal data by the process of encrypting the value of each item included in the personal data. Encrypted anonymized data is generated from the encrypted data by performing anonymization without decrypting the values of some items of the encrypted data. Anonymized data is generated from the encrypted anonymized data by the process of decrypting the encrypted anonymized data. With such a configuration, the encrypted data obtained by encrypting the personal data can be anonymized without being decrypted.

  Moreover, according to this embodiment, the parameter for anonymization used for the anonymization process is encrypted to generate the parameter for encryption anonymization, and the encrypted anonymization data is converted from the encrypted data based on the parameter for encryption anonymity. Generate. With such a configuration, anonymization data of a preferable anonymization result can be generated by adjusting the parameter for anonymization and redoing the anonymization process.

  In the present embodiment, the decryption device 30 performs key generation. However, the present invention is not limited to this, and the encryption device 10 may perform key generation and send a key to an appropriate device as in the present embodiment. Good.

  In addition, the present embodiment can be similarly implemented by an (additive) homomorphic encryption method and an encryption method capable of comparing sizes. When these encryption methods are used, the same effect can be obtained by performing the present embodiment in the same manner by replacing the encryption algorithm in each encryption method.

  In the present embodiment, as shown in FIG. 2, the key generation device 60 in which the key generation function (random number generation unit 35 and key generation unit 36) is separated from the decryption device 30, and the storage function (encrypted data) from the anonymization device 20. You may deform | transform into the structure provided with the data storage apparatus 70 which isolate | separated the storage part 22). At this time, by making the anonymization device 20 cooperate with the existing data storage device 70, it is possible to obtain the same effect as the present embodiment.

  Here, the key generation device 60 includes an encryption parameter storage unit 61, a temporary data storage unit 62, a communication unit 63, a random number generation unit 64, a key generation unit 65, and a control unit 66.

  The encryption parameter storage unit 61 and the temporary data storage unit 62 can be realized as a storage device that can be read / written by a processor (not shown) or a storage area of the storage device, and store encryption parameters, temporary data, and the like, respectively.

  The communication unit 63, the random number generation unit 64, the key generation unit 65, and the control unit 66 are, for example, functional blocks realized when a processor (not shown) executes a program including each step in the key generation device 60 described later. It has become.

  The data storage device 70 is a device (or system) that is implemented by, for example, the cloud and can store a large amount of data, and includes a data storage unit 71 and a communication unit 72.

  The data storage unit 71 can be realized as a storage device that can be read / written by a processor (not shown) or a storage area of the storage device, and stores data and the like.

  For example, the communication unit 72 is a functional block realized by a processor (not shown) executing a program including each step in the data storage device 70 described later.

  According to the configuration shown in FIG. 2, for example, as shown in FIG. 7, each of the above-described steps ST <b> 1 to ST <b> 12 is executed by each device 10, 20, 30, 50, 60, 70. In FIG. 7, when the same step as shown in FIG. 4 is executed, the same step number is assigned regardless of whether or not the device to be executed is changed, and the step itself is divided into a plurality of substeps. In this case, branch numbers (-1, -2, -3) are added to the step numbers. The method of assigning such step numbers is the same in the following embodiments and modifications.

  FIG. 7 mainly shows the case where the encrypted data stored in the data storage device 70 is anonymized by the anonymization device 20, the obtained anonymized data is updated on the data storage device 70, and sent to the decryption device 30. It is a sequence diagram for demonstrating operation | movement.

In this operation, specifically, the key generation device 60 generates and stores a key pair (ST1), and sends the encryption key to the encryption device 10 (ST2). The encryption device 10 encrypts the data (ST3) and sends the obtained encrypted data to the data storage device 70 (ST4). The data storage device 70 stores the encrypted data (ST5). The encryption device 10 encrypts the random number R (ST6), and sends the obtained encrypted random number CA _{, R} to the anonymization device 20 (ST7). The data storage device 70 sends the stored encrypted data to the anonymization device 20 (ST8-1). The anonymization device 20 anonymizes the sent encrypted data based on the encrypted random numbers C _{A, R} without deciphering the pseudo data, and sends the obtained encrypted anonymized data to the data storage device 70. (ST9-1). The data storage device 70 stores the sent encrypted anonymized data (ST9-2), and sends the encrypted anonymized data to the decryption device 30 (ST9-3). For example, the decryption device 30 requests the key generation device 60 for a decryption key. The key generation device 60 sends the decryption key to the decryption device 30 (ST10-1). The decryption device 30 decrypts the encrypted anonymized data based on the sent decryption key, and determines (confirms) whether or not the obtained anonymized data is anonymized (ST10-2). If the result of determination is no, the process is repeated from step ST6. If the result of the determination is that it is anonymized, steps ST11 to ST12 described above are executed.

  At this time, the effect of the present embodiment can be obtained without greatly changing the existing data storage device 70. This also applies to embodiments and modifications described later.

  Further, for example, FIG. 8 mainly illustrates that the encrypted data stored in the data storage device 70 is anonymized by the anonymization device 20, and the obtained anonymized data is not updated on the data storage device 70, but the decryption device 30 is used. It is a sequence diagram for demonstrating the operation | movement in the case of sending to. Specifically, this operation is an operation of executing step ST9 in which the anonymization device 20 sends the encrypted anonymized data to the decryption device 30 instead of steps ST9-1 to ST9-3 shown in FIG. .

  In this case, the encrypted data in the data storage device 70 remains in a state in which the original data is encrypted, and anonymized data that is anonymized with respect to that state can be appropriately obtained. At this time, since the encrypted data of the data storage device 70 is not updated, it is not necessary to manage the encrypted data before and after anonymization by the encryption device 10 or the decryption device 30, thereby reducing the data management cost. It becomes possible. This also applies to embodiments and modifications described later.

<Modification of First Embodiment: Pseudonymization>
In the first embodiment, the anonymization device 20 uses the encrypted random numbers C _{A, R for} the attribute value C _{A, data_i} of the attribute item (employee number) to be pseudonymized in the table T1e as a pseudonym. Can be

Here, it is assumed that the decrypted anonymized data (a pseudonymized employee number) is leaked and a user who knows information (original data of the employee number) of one record to be pseudonymized is involved. Even in such a situation, the involved user guesses the information (original data of employee number) of other records because each record of anonymized data is pseudonymized with different encrypted random numbers CA _{, R.} I can't.

<Second embodiment: M2M and pseudonymization>
FIG. 9 is a schematic diagram showing the anonymization system and its peripheral configuration according to the second embodiment. The same parts as those in FIG. 1 and FIG. The part is mainly described. In the following embodiments and modifications, the description of the duplicated portions is omitted in the same manner.

  Unlike the first embodiment in which the encryption device 10 encrypts personal data and deposits it in the anonymization device 20, the second embodiment encrypts personal data acquired by each device like the M2M service. The encrypted data is collected by the anonymization device 20. Each device here corresponds to each encryption device (1 to N) 10.

Specifically, in the second embodiment, N encryption devices 10 are provided, and a key generation device 60 and a parameter generation device 80 are further provided, compared to the configuration shown in FIG. However, the parameter generation device 80 is not indispensable. For example, when any encryption device 10 generates a parameter (eg, random number R) and an encryption parameter (encryption random number C _{A, R} ), it is omitted. May be. This is the same in the following embodiments and modifications.

  Here, the N encryption devices (1 to N) 10 include a data acquisition unit 19 instead of the parameter generation unit 15 of the encryption device 10 described above.

  The parameter generation device 80 includes an encryption parameter storage unit 81, a key storage unit 82, a communication unit 83, a parameter generation unit 84, a random number generation unit 85, an encryption unit 86, and a control unit 87.

  The encryption parameter storage unit 81 and the key storage unit 82 can be realized as a storage device that can be read / written by a processor (not shown) or a storage area of the storage device, and store encryption parameters, keys, and the like, respectively.

  The communication unit 83, the parameter generation unit 84, the random number generation unit 85, the encryption unit 86, and the control unit 87 are realized by, for example, a processor (not shown) executing a program including each step in the parameter generation device 80 described later. It is a functional block.

  Next, operation | movement of the anonymization system in this embodiment is demonstrated using the sequence diagram of FIG.

(Advance preparation)
In step ST1, the key generation unit 65 of the key generation device 60 uses the key pair (public key pk _A , secret key sk _A ) in the homomorphic encryption method based on the security parameter (1 ^k ) in the encryption parameter storage unit 61. Is generated.

KeyGen (1 ^k ) → (pk _A , sk _A )
The key generation unit 65 can acquire a random number necessary for the key generation process from the random number generation unit 64. The public key pk _A is an encryption key, and the secret key sk _A is a decryption key.

In step ST <b> 2, the control unit 66 of the key generation device 60 sends the public key pk _A , which is an encryption key, to the encryption devices (1 to N) 10 and the parameter generation device 80 via the communication unit 63. The control unit 18 of each encryption device (1 to N) 10 stores the public key pk _A received by the communication unit 14 in the key storage unit 12. Similarly, the control unit 87 of the parameter generation device 80 stores the public key pk _A received by the communication unit 83 in the key storage unit 82. Each encryption device (1 to N) 10 may input and store the public key pk _A at the time of assembling the device. After the device is arranged, it receives and stores the public key pk _A via the network. Also good. Similarly, the control unit 66 of the key generation device 60 sends the secret key sk _A , which is a decryption key, to the decryption device 30 through the communication unit 63. The control unit 38 of the decryption device 30 stores the secret key s _A received by the communication unit 34 in the secret key storage unit 32.

In step ST <b> 3, the data acquisition unit 19 of each encryption device (1 to N) 10 acquires personal data including the table T <b> 1 and stores it in the temporary data storage unit 13. The encryption unit 17 of each encryption device (1 to N) 10 uses the attribute value data _i of the attribute item (employee number) to be pseudonymized from the table T1 in the temporary data storage unit 13 as the key storage unit 12. Encryption for each record based on the public key pk _A in

Enc (pk _A , data _i ) → C _{A, data_i}
Similarly, the encryption unit 17 of the encryption device (1 to N) 10, based on the public key pk _A, of the table T1, the attribute value of the attribute items other than attribute items of pseudonymization object for each record Encrypt. Thereby, the attribute values of all the attribute items in the table T1 are encrypted, and the table T1e in which the attribute values of all the attribute items are encrypted is generated as encrypted data.

  In step ST4, the control unit 18 of each encryption device (1 to N) 10 uses the communication unit 14 to transmit the encrypted data including the table T1e and the attribute item (employee number) to be pseudonymized in the table T1e. Send to anonymization device 20.

  In step ST5, the anonymization device 20 receives the table T1e as encrypted data and the attribute item (employee number) to be pseudonymized in the table T1e through the communication unit 24. Thereafter, the control unit 29 of the anonymization device 20 stores the table T1e and the attribute item (employee number) to be pseudonymized in the temporary data storage unit 23.

  At this time, the table T1e in the temporary data storage unit 23 is updated with the contents of the newly received table T1e being added. Not limited to this, the anonymization device 20 stores the table T1e received from the encryption device (1 to N) 10 in the temporary data storage unit 23 and collects the N tables T1e into the table T1e. May be updated. In any case, the table T1e in the temporary data storage unit 23 is updated to the contents obtained by collecting the tables T1e received from the encryption device (1 to N) 10. This is the same in the following embodiments and modifications.

(Anonymization)
In step ST <b> 6, the random number generation unit 85 of the parameter generation device 80 generates an anonymous parameter for pseudonymization as the random number R. The encryption unit 86 of the parameter generation device 80 encrypts the generated random number R using a homomorphic encryption method based on the public key pk _A in the key storage unit 82, and an encrypted random number C _A that is an encryption anonymous parameter. _{, R} is generated.

Enc (pk _A , R) → C _{A, R}
In step ST <b> 7, the control unit 87 of the parameter generation device 80 sends the encrypted random numbers C _{A, R} to the anonymization device 20 through the communication unit 83. However, when the anonymization device 20 holds or generates the encrypted random numbers C _{A, R} in advance _, the generation and transmission of the encrypted random numbers C _{A, R} by the parameter generation device 80 can be omitted. The same applies to the following embodiments and modifications.

In step ST <b> 8, the anonymization device 20 receives the encrypted random numbers C _{A, R} through the communication unit 24. The anonymization processing unit 26 has received the attribute value C _{A, data_i of} the attribute item (employee number) that matches the attribute item (employee number) received in step ST5 in the table T1e in the temporary data storage unit 23. Encrypted random numbers C _{A, R} are added for each record.

Add (C _{A, data_i} , C _{A, R} ) → C _{A, data_i + R}
In other words, the attribute value C _{A, data_i} encrypted in step ST3 is an encrypted attribute value C _{A, R} without being decrypted by adding the encrypted random numbers C _{A, R} in the encrypted state. Converted to _{A, data_i + R.}

As described above, the attribute value of the attribute item (employee number) to be pseudonymized in the table T1e is anonymized, and the table T1a including _{the anonymized} attribute value C _{A, data_i + R} is encrypted and anonymous as described above. Generated as digitized data.

  Thereafter, the anonymization processing unit 26 stores the table T1a in the temporary data storage unit 23.

  In step ST <b> 9, the control unit 29 of the anonymization device 20 sends the encrypted anonymization data including the table T <b> 1 a in the temporary data storage unit 23 to the decryption device 30 through the communication unit 24.

  Hereinafter, as described above, steps ST10 to ST12 are executed.

  As described above, according to the present embodiment, even when a plurality of encryption devices 10 are provided, the same operational effects as those of the first embodiment can be obtained.

  Note that this embodiment can also be implemented in an (additive) homomorphic encryption scheme and a cryptographic scheme that can be compared in size. When these encryption methods are used, the same can be realized by replacing the encryption algorithm in each method.

<Modification of Second Embodiment: Kana>
In the second embodiment, as in the modification of the first embodiment, the anonymization device 20 records the attribute value C _{A, data_i} of the attribute item (employee number) to be pseudonymized in the table T1e. It can be pseudonymized with different encrypted random numbers C _{A, R for} each.

  Thereby, the effect similar to the modification of 1st Embodiment can be acquired.

<Third embodiment: Top coding>
Next, an anonymization system according to a third embodiment will be described with reference to FIG.

  The third embodiment is a form in which the encrypted “income” is top-coded, unlike the first embodiment in which the encrypted “employee number” is pseudonymized.

  Next, operation | movement of the anonymization system in this embodiment is demonstrated using the sequence diagram of FIG. 11, and the schematic diagram of FIG. 12 thru | or FIG. In the following description, a case where anonymization is performed using an encryption method capable of comparing sizes will be described as an example.

(Advance preparation)
In step ST21, the key generation unit 36 of the decryption device 30 uses the key (secret key sk _A ) of the decryption device 30 in an encryption method that can be compared in size based on the security parameter (1 ^k ) in the encryption parameter storage unit 31. ) Is generated.

KeyGen (1 ^k ) → (sk _A )
The key generation unit 36 can acquire a random number necessary for the key generation process from the random number generation unit 35. In addition, the key generation unit 36 stores the generated secret key sk _A in the secret key storage unit 32.

In step ST22, the control unit 38 of the decryption device 30 sends the secret key sk _A , which is a common key, to the encryption device 10 through the communication unit 34. The control unit 18 of the encryption device 10 stores the secret key sk _A received by the communication unit 14 in the key storage unit 12.

In step ST <b> 23, the encryption unit 17 of the encryption device 10 reads the table T <b> 1 illustrated in FIG. 12 from the temporary data storage unit 13. The encryption unit 17 encrypts the attribute value data _i of the top coding target attribute item (income) in the table T1 for each record based on the secret key sk _A in the key storage unit 12.

Enc (sk _A , data _i ) → C _{A, data_i}
The encryption unit 17 can obtain parameters and random numbers necessary for the encryption process from the encryption parameter storage unit 11 and the random number generation unit 16, respectively.

Similarly, the encryption unit 17 encrypts the attribute values of attribute items other than the top coding target attribute item for each record in the table T1 based on the secret key sk _A. As a result, the attribute values of all the attribute items in the table T1 are encrypted, and as shown in FIG. 13, a table T1e in which the attribute values of all the attribute items are encrypted is generated as encrypted data.

  In step ST <b> 24, the control unit 18 of the encryption device 10 sends the encrypted data including the table T <b> 1 e to the anonymization device 20 through the communication unit 14.

  In step ST <b> 25, the anonymization device 20 stores the table T <b> 1 e that is encrypted data received by the communication unit 24 in the temporary data storage unit 23.

(Anonymization)
In step ST26, the parameter generation unit 15 of the encryption device 10 generates a threshold value T that is an anonymous parameter for top coding. The encryption unit 17 encrypts the generated threshold value T based on the secret key sk _A in the key storage unit 12 using an encryption method that can be compared in magnitude. Thereby, the encryption threshold value C _{A, T} which is a parameter for encryption anonymity is generated.

Enc (sk _A , T) → C _{A, T}
In step ST27, the control unit 18 of the encryption device 10 sends the attribute item (revenue) to be top-coded in the table T1e and the encryption threshold value C _{A, T} to the anonymization device 20 through the communication unit 14. To do. However, when the anonymization device 20 holds or generates the encryption threshold value C _{A, T} in advance by acquiring the secret key sk _A in advance, the encryption threshold value by the encryption device 10 is obtained. Generation and sending of C _{A, T} can be omitted. The same applies to the following embodiments and modifications.

In step ST <b> 28, the anonymization device 20 receives the attribute item (income) and the encryption threshold value C _{A, T} through the communication unit 24. The anonymization processing unit 26 includes the attribute value C _{A, data_i of} the attribute item (income) that matches the received attribute item (income) in the table T1e in the temporary data storage unit 23, and the received encryption threshold C Compare _{A and T} for each record.

When the comparison result is 1, the anonymization processing unit 26 _{replaces the} attribute value C _{A, data_i} with the encryption threshold value C _{A, T.}

That is, the attribute value C _{A, data_i} encrypted in step ST23 is appropriately replaced with the encryption threshold value C _{A, T} in the encrypted state, thereby anonymizing the attribute without being decrypted. Converted to a value (C _{A, T} ).

As described above, the attribute value of the attribute item (income) to be top-coded in the table T1e is anonymized, and the table T1a including the anonymized attribute value (C _{A, T} ) is encrypted as shown in FIG. Generated as anonymized data.

  Thereafter, the anonymization processing unit 26 stores the table T1a in the temporary data storage unit 23.

  In step ST <b> 29, the control unit 29 of the anonymization device 20 sends the encrypted anonymization data including the table T <b> 1 a in the temporary data storage unit 23 to the decryption device 30 through the communication unit 24.

According to this embodiment, it becomes possible to anonymize the encrypted data without decrypting it, and to decrypt the obtained encrypted anonymized data and use the anonymized data. Specifically, the attribute value data_i of the table T1 expressed by numerical values can be top-coded by the threshold T for top coding. Here, the anonymization device 20 _knows which attribute value (C _{A, data_i} ) has been replaced, and the replaced ciphertexts all have the same value (C _{A, T} ). However, the anonymization device 20 does not know the threshold value T and the original attribute value (data_i).

  Here, when the encryption device 10 holds the encrypted data before the top coding, the encryption device 10 may create a correspondence table before the top coding and after the top coding. If the original data is stored separately, the top-coded attribute value can be restored.

Thereafter, in step ST30, the control unit 38 of the decryption device 30 receives the encrypted anonymized data by the communication unit 34 and stores it in the temporary data storage unit 33. Based on the secret key sk _A in the secret key storage unit 32, the decryption unit 37 decrypts the value of each attribute item in the table T1a, which is encrypted anonymized data in the temporary data storage unit 33, and is obtained A table of decoding results is obtained.

  The control unit 38 of the decryption apparatus 30 determines whether or not the attribute value of the top coding target attribute item (income) is anonymized in the decryption result table. For example, when the attribute value before anonymization is top-coded, if any of the attribute values includes a character string “more than” or “less than”, it is determined that the attribute value is anonymized. Further, for example, when the attribute value of the anonymized attribute item (income) is different from the value before anonymization and the value after anonymization, it may be determined that the attribute value is anonymized. . In this case, the encryption device 10 may transmit the value before anonymization to the decryption device 30 at an arbitrary timing. In any case, if the determination result is NO, the process is repeated from step ST26 (or ST24), and the process is repeated until a preferable anonymization result is obtained.

  In step ST31, when the attribute value is anonymized as a result of the determination, the control unit 38 of the decryption device 30 uses the communication unit 34 to safely convert the anonymized data including the decryption result table to the statistical processing device 50. Send to. However, it is preferable that the anonymized data is sent in a state in which the attribute value of the employee number in the decryption result table is appropriately anonymized. This is the same in the following embodiments and modifications.

  In step ST <b> 32, the statistical processing device 50 executes statistical processing using the anonymized data received by the communication unit 52 and stores the obtained statistical processing result in the data storage unit 51. Thereafter, the statistical processing device 50 appropriately uses the statistical processing result.

  As described above, according to the present embodiment, even when top coding is executed as anonymization processing, the same operational effects as those of the first embodiment can be obtained.

  Note that this embodiment can also be implemented in an (additive) homomorphic encryption scheme and a cryptographic scheme that can be compared in size. When these encryption methods are used, the same can be realized by replacing the encryption algorithm in each method.

<Fourth embodiment: M2M and top coding>
FIG. 15 is a schematic diagram showing an anonymization system and its peripheral configuration according to the fourth embodiment.

  Unlike the third embodiment in which the encryption device 10 encrypts personal data and deposits it in the anonymization device 20, the fourth embodiment encrypts personal data acquired by each device like the M2M service. The encrypted data is collected by the anonymization device 20. Each device here corresponds to each encryption device (1 to N) 10.

Specifically, the fourth embodiment includes N encryption devices 10 and further includes a parameter generation device 80, as compared with the configuration shown in FIG. However, the parameter generation device 80 is not essential. For example, when any of the encryption devices 10 generates a parameter (eg, threshold T) and an encryption parameter (encryption threshold C _{A, T} ). , May be omitted. This is the same in the following embodiments and modifications.

  Here, the N encryption devices (1 to N) 10 include a data acquisition unit 19 instead of the parameter generation unit 15 of the encryption device 10 described above.

  The parameter generation device 80 includes an encryption parameter storage unit 81, a key storage unit 82, a communication unit 83, a parameter generation unit 84, a random number generation unit 85, an encryption unit 86, and a control unit 87.

  The encryption parameter storage unit 81 and the key storage unit 82 can be realized as a storage device that can be read / written by a processor (not shown) or a storage area of the storage device, and store encryption parameters, keys, and the like, respectively.

  The communication unit 83, the parameter generation unit 84, the random number generation unit 85, the encryption unit 86, and the control unit 87 are realized by, for example, a processor (not shown) executing a program including each step in the parameter generation device 80 described later. It is a functional block.

  Next, operation | movement of the anonymization system in this embodiment is demonstrated using the sequence diagram of FIG.

(Advance preparation)
In step ST21, the key generation unit 36 of the decryption device 30 uses the key (secret key sk _A ) of the decryption device 30 in the encryption method that can be compared in size based on the security parameter (1 ^k ) in the encryption parameter storage unit 31. Is generated.

KeyGen (1 ^k ) → (sk _A )
The key generation unit 36 can acquire a random number necessary for the key generation process from the random number generation unit 35. In addition, the key generation unit 36 stores the generated secret key sk _A in the secret key storage unit 32.

In step ST22, the control unit 38 of the decryption device 30 sends the secret key sk _A , which is a common key, to the encryption devices (1 to N) 10 and the parameter generation device 80 through the communication unit 34. The control unit 87 of the parameter generation device 80 stores the secret key sk _A received by the communication unit 83 in the key storage unit 82. Similarly, the control unit 18 of each encryption device (1 to N) 10 stores the secret key sk _A received by the communication unit 14 in the key storage unit 12. Each encryption device (1 to N) 10 may input and store the public key pk _A at the time of assembling the device. After the device is arranged, it receives and stores the public key pk _A via the network. Also good.

In step ST23, the data acquisition unit 19 of each encryption device (1 to N) 10 acquires the personal data composed of the table T1 and stores it in the temporary data storage unit 13. The encryption unit 17 of each encryption device (1 to N) 10 stores the attribute value data _i of the top coding target attribute item (income) in the key storage unit 12 in the table T1 in the temporary data storage unit 13. Is encrypted for each record based on the secret key sk _A.

Enc (sk _A , data _i ) → C _{A, data_i}
Similarly, the encryption unit 17 of each encryption device (1 to N) 10 sets the attribute values of attribute items other than the top coding target attribute item for each record in the table T1 based on the secret key sk _A. Encrypt. Thereby, the attribute values of all the attribute items in the table T1 are encrypted, and the table T1e in which the attribute values of all the attribute items are encrypted is generated as encrypted data.

  In step ST24, the control unit 18 of each encryption device (1 to N) 10 uses the communication unit 14 to anonymously encrypt the encrypted data including the table T1e and the top coding target attribute item (income) in the table T1e. Sent to the digitizing device 20.

  In step ST <b> 25, the anonymization device 20 receives the table T <b> 1 e that is encrypted data and the attribute item (revenue) to be top-coded in the table T <b> 1 e through the communication unit 24. Thereafter, the control unit 29 of the anonymization device 20 stores the table T1e and the top coding target attribute item (income) in the temporary data storage unit 23. The table T1e in the temporary data storage unit 23 is updated to the contents obtained by collecting the tables T1e received from the encryption device (1 to N) 10.

(Anonymization)
In step ST26, the parameter generation unit 84 of the parameter generation device 80 generates a threshold value T, which is an anonymous parameter for top coding. The encryption unit 86 of the parameter generation device 80 encrypts the generated threshold value T using a cryptographic method that can be compared in magnitude based on the secret key sk _A in the key storage unit 82, and is an encrypted anonymous parameter. An encryption threshold value C _{A, T} is generated.

Enc (sk _A , T) → C _{A, T}
In step ST <b> 27, the control unit 87 of the parameter generation device 80 sends the encryption threshold value C _{A, T} to the anonymization device 20 through the communication unit 83. However, when the anonymization device 20 holds or generates the encryption threshold value C _{A, T} in advance _, the generation and transmission of the encrypted random number C _{A, R} by the parameter generation device 80 can be omitted.

  Thereafter, similarly to the third embodiment described above, steps ST28 to ST32 are executed.

  As described above, according to the present embodiment, even when there are a plurality of encryption devices 10, the same operational effects as those of the third embodiment can be obtained.

  Note that this embodiment can also be implemented in an (additive) homomorphic encryption scheme and a cryptographic scheme that can be compared in size. When these encryption methods are used, the same can be realized by replacing the encryption algorithm in each method.

However, in this embodiment, the secret key sk _A is stored in each device. Since this secret key sk _A can be decrypted as well as encrypted, the secret key sk _A is appropriately managed on each device. There must be. This is the same in the following embodiments and modifications.

<Fifth Embodiment: Grouping>
Next, an anonymization system according to a fifth embodiment will be described with reference to FIG.

  In the fifth embodiment, unlike the first embodiment in which the encrypted “employee number” is pseudonymized, the encrypted “age” is grouped.

  Next, operation | movement of the anonymization system in this embodiment is demonstrated using the sequence diagram of FIG. 17, and the schematic diagram of FIG. 18 thru | or FIG. In the following description, a case where anonymization is performed using an encryption method capable of comparing sizes will be described as an example.

(Advance preparation)
In step ST41, the key generation unit 36 of the decryption device 30 uses the decryption device 30's own key (secret key sk _A ) in an encryption method that can be compared in size based on the security parameter (1 ^k ) in the encryption parameter storage unit 31. ) Is generated.

KeyGen (1 ^k ) → (sk _A )
The key generation unit 36 can acquire a random number necessary for the key generation process from the random number generation unit 35. In addition, the key generation unit 36 stores the generated secret key sk _A in the secret key storage unit 32.

In step ST42, the control unit 38 of the decryption device 30 sends the secret key sk _A , which is a common key, to the encryption device 10 through the communication unit 34. The control unit 18 of the encryption device 10 stores the secret key sk _A received by the communication unit 14 in the key storage unit 12.

In step ST43, the encryption unit 17 of the encryption device 10 reads the table T1 illustrated in FIG. 18 from the temporary data storage unit 13. The encryption unit 17 encrypts the attribute value data _i of the attribute item (age) to be grouped in the table T1 for each record based on the secret key sk _A in the key storage unit 12.

Enc (sk _A , data _i ) → C _{A, data_i}
The encryption unit 17 can obtain parameters and random numbers necessary for the encryption process from the encryption parameter storage unit 11 and the random number generation unit 16, respectively.

Similarly, the encryption unit 17 encrypts the attribute values of attribute items other than the grouping target attribute item for each record in the table T1 based on the secret key sk _A. As a result, the attribute values of all the attribute items in the table T1 are encrypted, and as shown in FIG. 19, a table T1e in which the attribute values of all the attribute items are encrypted is generated as encrypted data.

  In step ST44, the control unit 18 of the encryption device 10 sends the encrypted data including the table T1e to the anonymization device 20 through the communication unit 14.

  In step ST <b> 45, the anonymization device 20 stores the table T <b> 1 e that is encrypted data received by the communication unit 24 in the temporary data storage unit 23.

(Anonymization)
In step ST46, the parameter generation unit 15 of the encryption device 10 generates a group lower limit value L, a group upper limit value U, and a group representative value M, which are anonymous parameters for grouping. The encryption unit 17 encrypts the generated lower limit value L, upper limit value U, and group representative value M based on the secret key sk _A in the key storage unit 12 using an encryption method that can be compared in magnitude. As a result, the encryption lower limit value CA _{, L} , the encryption upper limit value CA _{, U,} and the encryption representative value CA _{, M, which} are parameters for encryption anonymity _, are generated.

Enc (sk _A , L) → C _{A, L}
Enc (sk _A , U) → C _{A, U}
Enc (sk _A , M) → C _{A, M}
In step ST47, the control unit 18 of the encryption device 10 causes the communication unit 14 to use the grouping target attribute item (age) in the table T1e, the encryption lower limit value C _{A, L} , and the encryption upper limit value C _{A, U.} The encrypted representative values C _{A, M} are sent to the anonymization device 20. However, when the anonymization device 20 obtains the secret key sk _A in advance, the anonymization device 20 obtains the encryption lower limit value CA _{, L} , the encryption upper limit value CA _{, U,} and the encryption representative value CA _{, M.} In the case of holding or generating in advance, generation and sending of each value C _{A, L} , C _{A, U} and C _{A, M} can be omitted. The same applies to the following embodiments and modifications.

In step ST48, the anonymization device 20 transmits the attribute item (age), the encryption lower limit value C _{A, L} , the encryption upper limit value C _{A, U} and the encryption representative value C _{A, M} by the communication unit 24. Receive. The anonymization processing unit 26 includes the attribute value C _{A, data_i of} the attribute item (age) matching the received attribute item (age) in the table T1e in the temporary data storage unit 23, and the received encryption lower limit C _{A, L} and encryption upper limit values CA _{, U} are compared for each record.

When the attribute value C _{A, data_i} of the attribute item (age) of the table to be grouped is greater than or equal to the encryption lower limit C _{A, L and} less than the encryption upper limit C _{A, U} , the attribute value C _{A, data_i} is the encryption representative. Replace with the values C _{A, M.} Here, when the encryption attribute value C _{A, data_i} is greater than or equal to the encryption lower limit value C _{A, L} , the result of the first comparison processing Comp (C _{A, data_i} , C _{A, L} ) is “1” or “ This corresponds to the case of “0”. When the attribute value C _{A, data_i} is less than or equal to the encryption upper limit value C _{A, U} , the result of the second comparison processing Comp (C _{A, data_i} , C _{A, U} ) is “−1” or “0” It corresponds to.

When the attribute value C _{A, data_i} is _replaced with the encrypted representative value C _{A, M} , the grouping method such as whether or not to include the case where the result of the comparison processing Comp is 0 can be changed as appropriate. ing. As a grouping method, for example, a general method according to the application / purpose may be used, or the general method may be combined with the method of the present embodiment.

That is, the attribute value C _{A, data_i} encrypted in step ST43 is anonymized attribute without being decrypted by appropriately replacing the encrypted representative value C _{A, M} with the encrypted state. Converted to a value (C _{A, M} ).

In this way, the attribute value of the grouping target attribute item (age) in the table T1e is anonymized, and the table T1a including the anonymized attribute value (C _{A, M} ) is encrypted as shown in FIG. Generated as anonymized data.

  Thereafter, the anonymization processing unit 26 stores the table T1a in the temporary data storage unit 23.

  In step ST49, the control unit 29 of the anonymization device 20 sends the encrypted anonymization data including the table T1a in the temporary data storage unit 23 to the decryption device 30 through the communication unit 24.

According to this embodiment, it becomes possible to anonymize the encrypted data without decrypting it, and to decrypt the obtained encrypted anonymized data and use the anonymized data. Specifically, the attribute values data_i of the table T1 expressed by numerical values can be grouped by designating the lower limit value L and the upper limit value U of each group. Here, the anonymization device 20 _knows which attribute value (C _{A, data_i} ) has been replaced, and all the replaced ciphertexts have the same value (encrypted representative value C _{A, M for} each group). However, the anonymization device 20 does not know the lower limit value L, the upper limit value U, the representative value M, and the original attribute value (data_i) of the group.

  Here, when the encryption apparatus 10 holds the encrypted data before grouping, the encryption device 10 may create a correspondence table before and after grouping. If the original data is held separately, the grouped attribute values can be restored.

Thereafter, in step ST50, the control unit 38 of the decryption device 30 receives the encrypted anonymized data by the communication unit 34 and stores it in the temporary data storage unit 33. Based on the secret key sk _A in the secret key storage unit 32, the decryption unit 37 decrypts the value of each attribute item in the table T1a, which is encrypted anonymized data in the temporary data storage unit 33, and is obtained A table of decoding results is obtained.

  The control unit 38 of the decrypting device 30 determines whether or not the attribute value of the grouping target attribute item (age) is anonymized in the decryption result table. For example, when the representative value of each group is “20s”, “30s”, “40s”, etc., it is determined that the group is anonymized when the attribute value includes a character string “Ys”. In addition, for example, when the attribute value of an anonymized attribute item (age) is different from the value before anonymization and the value after anonymization, it may be determined that the attribute value is anonymized. . In this case, the encryption device 10 may transmit the value before anonymization to the decryption device 30 at an arbitrary timing. In any case, when the result of the determination is NO, the process is repeated from step ST46 (or ST44) and repeated until a preferable anonymization result is obtained.

  Thereafter, steps ST51 to ST52 are executed in the same manner as steps ST31 to ST32 described above.

  As described above, according to the present embodiment, even when grouping is executed as an anonymization process, the same effects as those of the first embodiment can be obtained.

  Note that this embodiment can also be implemented in an (additive) homomorphic encryption scheme and a cryptographic scheme that can be compared in size. When these encryption methods are used, the same can be realized by replacing the encryption algorithm in each method.

<Sixth embodiment: M2M and grouping>
Next, an anonymization system according to the sixth exemplary embodiment will be described with reference to FIG.

  Unlike the fifth embodiment in which the encryption device 10 encrypts personal data and deposits it in the anonymization device 20, the sixth embodiment encrypts personal data acquired by each device like the M2M service. The encrypted data is collected by the anonymization device 20. Each device here corresponds to each encryption device (1 to N) 10.

  Next, operation | movement of the anonymization system in this embodiment is demonstrated using the sequence diagram of FIG. In the following description, a case where anonymization is performed using an encryption method capable of comparing sizes will be described as an example.

(Advance preparation)
Steps ST41 to ST42 are executed in the same manner as steps ST21 to ST22 of the fourth embodiment. However, the encryption method used for key generation is the encryption method that can be compared in size in the fifth embodiment.

In step ST43, the data acquisition unit 19 of each encryption device (1 to N) 10 acquires personal data including the table T1 and stores it in the temporary data storage unit 13. The encryption unit 17 of each encryption device (1 to N) 10 stores the attribute value data _i of the attribute item (age) to be grouped in the table T1 in the temporary data storage unit 13 in the key storage unit 12. Encryption is performed for each record based on the secret key sk _A.

Enc (sk _A , data _i ) → C _{A, data_i}
Similarly, the encryption unit 17 of each encryption device (1 to N) 10 encrypts the attribute values of attribute items other than the grouping target attribute item for each record in the table T1, based on the secret key sk _A. Turn into. Thereby, the attribute values of all the attribute items in the table T1 are encrypted, and the table T1e in which the attribute values of all the attribute items are encrypted is generated as encrypted data.

  In step ST44, the control unit 18 of each encryption device (1 to N) 10 anonymizes the encrypted data including the table T1e and the grouping target attribute item (age) in the table T1e by the communication unit 14. Send to device 20.

  In step ST <b> 45, the anonymization device 20 receives the table T <b> 1 e that is encrypted data and the attribute item (age) to be grouped in the table T <b> 1 e through the communication unit 24. Thereafter, the control unit 29 of the anonymization device 20 stores the table T1e and the attribute item (age) to be grouped in the temporary data storage unit 23. The table T1e in the temporary data storage unit 23 is updated to the contents obtained by collecting the tables T1e received from the encryption device (1 to N) 10.

(Anonymization)
In step ST46, the parameter generation unit 84 of the parameter generation device 80 generates a group lower limit value L, a group upper limit value U, and a group representative value M, which are anonymous parameters for grouping. The encryption unit 86 of the parameter generation device 80 encrypts the generated lower limit value L, upper limit value U, and group representative value M based on the secret key sk _A in the key storage unit 82 using an encryption method capable of comparing magnitudes. Turn into. As a result, the encryption lower limit value CA _{, L} , the encryption upper limit value CA _{, U,} and the encryption representative value CA _{, M, which} are parameters for encryption anonymity _, are generated.

Enc (sk _A , L) → C _{A, L}
Enc (sk _A , U) → C _{A, U}
Enc (sk _A , M) → C _{A, M}
In step ST47, the control unit 87 of the parameter generation device 80 uses the communication unit 83 to perform the grouping target attribute item (age) in the table T1e, the encryption lower limit value C _{A, L} , and the encryption upper limit value C _{A, U.} The encrypted representative values C _{A, M} are sent to the anonymization device 20. However, when the anonymization device 20 obtains the secret key sk _A in advance, the anonymization device 20 obtains the encryption lower limit value CA _{, L} , the encryption upper limit value CA _{, U,} and the encryption representative value CA _{, M.} In the case of holding or generating in advance, generation and sending of each value C _{A, L} , C _{A, U} and C _{A, M} can be omitted.

  Thereafter, similarly to the fifth embodiment described above, steps ST48 to ST52 are executed.

  As described above, according to the present embodiment, even when a plurality of encryption devices 10 are provided, the same effects as those of the fifth embodiment can be obtained.

  Note that this embodiment can also be implemented in an (additive) homomorphic encryption scheme and a cryptographic scheme that can be compared in size. When these encryption methods are used, the same can be realized by replacing the encryption algorithm in each method.

<Seventh Embodiment: Introduction of Error>
Next, an anonymization system according to the seventh exemplary embodiment will be described with reference to FIGS. 1, 3, 5, and 6. FIG.

Unlike the first embodiment using the random number _R and the encrypted random number C _{A, R} , the seventh embodiment uses the error R and the encryption error CA _{, R.} That is, in the seventh embodiment, the random number R in the first embodiment is regarded as an error R, and the attribute value of the table T1 is anonymized (error) by the same configuration (FIG. 1) and processing as in the first embodiment. The pseudonym by the introduction of). At this time, the table T1 is sequentially changed to the tables T1e and T1a as in the first embodiment (FIGS. 3, 5, and 6).

According to the configuration as described above, as shown in FIG. 22, it is possible to obtain the same operational effects as those of the first embodiment. In addition to anonymization (a pseudonymization) in the first embodiment, the present embodiment encrypts the encrypted attribute values (C _{A, data_i + R} ) of attribute items (age, income) other than the employee number. Anonymization can be further promoted by introducing (adding or subtracting) the conversion error CA _{, R.}

<Modification of Seventh Embodiment: Introduction of Error>
In the modified example of the seventh embodiment, as in the modified example of the first embodiment, the anonymization device 20 uses the attribute value C _{A, data_i} of the attribute item (employee number) to be pseudonymized in the table _T1e. On the other hand, pseudonyms can be created by introducing different encryption errors CA _{, R} for each record.

  Thereby, the effect similar to the modification of 1st Embodiment can be acquired.

Further, in the modification of the seventh embodiment, in addition to the attribute item (employee number) to be pseudonymized, the attribute value C _{A, data_i} of the attribute item (age, income) to be introduced for each error is _recorded for each record. Anonymization can be further promoted by introducing different encryption errors C _{A, R} <Eighth embodiment: introduction of M2M and error>
Next, an anonymization system according to an eighth embodiment will be described with reference to FIG.

Unlike the second embodiment in which the random number _R and the encrypted random number C _{A, R} are used for M2M, the eighth embodiment uses the error R and the encryption error C _{A, R} for M2M. That is, in the eighth embodiment, the random number R in the second embodiment is regarded as an error R, and the attribute value of the table is anonymized (a pseudonym by introducing an error) by the same process as in the second embodiment. It has a configuration.

According to the above configuration, it is possible to obtain the same operational effects as those of the second embodiment. In addition to the anonymization (a pseudonymization) in the second embodiment, this embodiment introduces _an encryption error CA _{, R} into the encrypted attribute values of attribute items (age, income) other than the employee number. By adding (subtracting), anonymization can be further promoted.

<Modification of Eighth Embodiment: Introduction of Error>
In the modified example of the eighth embodiment, as in the modified example of the second embodiment, the anonymization device 20 uses the attribute value C _{A, data_i} of the attribute item (employee number) to be pseudonymized in the table _T1e. On the other hand, pseudonyms can be created by introducing different encryption errors CA _{, R} for each record.

  Thereby, the effect similar to the modification of 2nd Embodiment can be acquired.

Further, in the modified example of the eighth embodiment, in addition to the attribute item (employee number) to be pseudonymized, the attribute value C _{A, data_i} of the attribute item (age, income) to be introduced for each error is _recorded for each record. Anonymization can be further promoted by introducing different encryption errors CA _{, R.}

<Ninth embodiment: Top coding with [AN2013-51001] method>
FIG. 23 is a schematic diagram showing an anonymization system and its peripheral configuration according to the ninth embodiment.

  Unlike the third embodiment using the [OPE] method, the ninth embodiment uses the [AN2013-51001] method.

  Accordingly, the ninth embodiment further includes an anonymization support device 90 as compared to the configuration illustrated in FIG.

  The anonymization support device 90 includes a key storage unit 91, a temporary data storage unit 92, a communication unit 93, a parameter generation unit 94, a random number generation unit 95, a calculation unit 96, and a control unit 97.

  The key storage unit 91 and the temporary data storage unit 92 can be realized as a storage device that can be read / written by a processor (not shown) or a storage area of the storage device, and store a key, temporary data, and the like, respectively.

  The communication unit 93, the parameter generation unit 94, the random number generation unit 95, the calculation unit 96, and the control unit 97 are realized by, for example, a processor (not shown) executing a program including each step in the anonymization support device 90 described later. It is a functional block.

  In addition, the anonymization device 20 further includes a key storage unit 220 as compared with the configuration illustrated in FIG. 1.

  In the configuration shown in FIG. 1, the decryption device 30 includes a key storage unit 320 instead of the secret key storage unit 32.

  Next, operation | movement of the anonymization system in this embodiment is demonstrated using the sequence diagram of FIG. 24, and the schematic diagram of FIG.25 and FIG.26. The following description will be given by taking as an example the case of anonymization using the (additive) homomorphic encryption of [AN2013-51001] and an encryption method that can be compared in size.

(Advance preparation)
In step ST61, the key generation unit 36 of the decryption device 30 performs key generation in the encryption scheme [AN2013-51001] based on the security parameter (1 ^k ) in the encryption parameter storage unit 31. Thereby, the key generation unit 36 includes the encryption keys a, g ^sv , g, N, the secondary operation keys a ⁻¹ , s, N, the tertiary operation keys v, N, and the decryption keys sv, a ⁻¹ , N (Or s, v, a ⁻¹ , N).

KeyGen (1 ^k ) → (a, g ^sv , g, N, a ⁻¹ , s, v)
The key generation unit 36 can acquire a random number necessary for the key generation process from the random number generation unit 35. Further, the key generation unit 36 generates the generated encryption keys a, g ^sv , g, N, the secondary operation keys a ⁻¹ , s, N, the tertiary operation keys v, N, and the decryption keys sv, a ⁻¹ , N (or s, v, a ⁻¹ , N) is stored in the key storage unit 320.

In step ST62, the control unit 38 of the decryption device 30 sends the encryption keys a, g ^sv , g, and N to the encryption device 10 through the communication unit 34. The control unit 18 of the encryption device 10 stores the encryption keys a, g ^sv , g, and N received by the communication unit 14 in the key storage unit 12.

  In step ST63, the control unit 38 of the decryption device 30 sends the tertiary operation keys v and N to the anonymization device 20 through the communication unit 34. The control unit 29 of the anonymization device 20 stores the tertiary operation keys v and N received by the communication unit 24 in the key storage unit 220.

In step ST <b> 64, the control unit 38 of the decryption device 30 sends the secondary operation keys a ⁻¹ , s, and N to the anonymization support device 90 through the communication unit 34. The control unit 97 of the anonymization support device 90 stores the secondary operation keys a ⁻¹ , s, and N received by the communication unit 93 in the key storage unit 91.

In step ST <b> 65, the encryption unit 17 of the encryption device 10 reads the table T <b> 1 illustrated in FIG. 12 from the temporary data storage unit 13. The encryption unit 17 records the attribute value data _i of the top coding target attribute item (income) in the table T1 for each record based on the encryption keys a, g ^sv , g, and N in the key storage unit 12. Encrypt to.

Enc (data _i ) → C _{data_i}
The encryption unit 17 can obtain parameters and random numbers necessary for the encryption process from the encryption parameter storage unit 11 and the random number generation unit 16, respectively.

Similarly, the encryption unit 17 encrypts attribute values of attribute items other than the top coding target attribute item for each record in the table T1 based on the encryption keys a, g ^sv , g, and N. Thereby, the attribute values of all the attribute items in the table T1 are encrypted, and as shown in FIG. 25, a table T1e in which the attribute values of all the attribute items are encrypted is generated as encrypted data.

  In step ST66, the control unit 18 of the encryption device 10 sends the encrypted data including the table T1e to the anonymization device 20 through the communication unit 14.

  In step ST <b> 67, the anonymization device 20 stores the table T <b> 1 e that is encrypted data received by the communication unit 24 in the temporary data storage unit 23.

(Anonymization)
In step ST68, the parameter generation unit 15 of the encryption device 10 generates a threshold value T, which is an anonymous parameter for top coding. The encryption unit 17 encrypts the generated threshold value T using the encryption method [AN2013-51001] based on the encryption keys a, g ^sv , g, and N in the key storage unit 12. Thus, encryption threshold C _T is an encryption anonymity parameter is generated.

Enc (T) → C _T
In step ST69, the control section 18 of the encryption device 10, the communication unit 14, a top coding target property item in the table T1e (revenue), sends the encrypted threshold C _T anonymous apparatus 20. However, anonymizing apparatus 20 encryption key a, g ^sv, g, by previously obtaining the N, if the encryption threshold C _T anonymizing device 20 is held in advance or generated, encryptor 10 It can be omitted generation and sending of encrypted threshold C _T by. The same applies to the following embodiments and modifications.

In step ST70, the anonymizing apparatus 20, the communication unit 24 receives the attribute item (income) and the encrypted threshold C _T. The computing unit 27 of the anonymization device 20 includes the attribute value C _{data_i of} the attribute item (income) that matches the received attribute item (income) in the table T1e in the temporary data storage unit 23, and the received encryption threshold value. Based on C _T , a primary calculation result X = (X ₁ , X ₂ ) is generated.

  In step ST71, the control unit 29 of the anonymization device 20 sends the primary calculation result X to the anonymization support device 90 through the communication unit 24.

In step ST <b> 72, the anonymization support device 90 receives the primary calculation result X through the communication unit 93. Based on the received primary calculation result X and the secondary calculation keys a ⁻¹ , s, and N in the key storage unit 91, the calculation unit 96 of the anonymization support device 90 uses the secondary calculation result Y = (Y ₁ , Y ₂ ).

  In step ST <b> 73, the control unit 97 of the anonymization support device 90 sends the secondary calculation result Y to the anonymization device 20 through the communication unit 93.

  In step ST74, the anonymization device 20 receives the secondary calculation result Y by the communication unit 24. The calculation unit 27 of the anonymization device 20 generates a tertiary calculation result W based on the received secondary calculation result Y and the tertiary calculation keys v and N in the key storage unit 91.

  In step ST75, the calculation result comparison unit 28 of the anonymization device 20 compares the tertiary calculation result W with N / 2, determines that the comparison result is positive when W <N / 2, and compares otherwise. The result is determined to be negative (or 0). The determination result is output from the calculation result comparison unit 28 to the anonymization processing unit 26.

Anonymity processing unit 26 of the anonymizing apparatus 20, when the determination result is positive, replacing the attribute value C _{data_i} encryption threshold C _T. Note that “when the determination result is positive” corresponds to “when expression F = C _data — _i− C _T is positive”. “Other than that” corresponds to “when the formula F = C _data — _i −C _T is negative (or 0)”.

That is, the attribute value C _{data_i} encrypted in step ST65 is appropriately replaced with the encryption threshold value C _T in the encrypted state, thereby anonymizing the attribute value (C _T ).

Thus, the attribute value of the top coding target attribute item (income) in the table T1e is anonymized, and the table T1a including the anonymized attribute value (C _T ) is encrypted and anonymous as shown in FIG. Generated as digitized data.

  Thereafter, the anonymization processing unit 26 stores the table T1a in the temporary data storage unit 23.

  In step ST76, the control unit 29 of the anonymization device 20 sends the encrypted anonymization data including the table T1a in the temporary data storage unit 23 to the decryption device 30 through the communication unit 24.

According to this embodiment, it becomes possible to anonymize the encrypted data without decrypting it, and to decrypt the obtained encrypted anonymized data and use the anonymized data. Specifically, the attribute value data_i of the table T1 expressed by numerical values can be top-coded by the threshold T for top coding. Here, the anonymization device 20 _knows which attribute value (C _{data — i} ) has been replaced, and all the replaced ciphertexts have the same value (C _T ). However, the anonymization device 20 does not know the threshold value T and the original attribute value (data_i). Moreover, the encryption apparatus 10 may create a correspondence table before and after top coding when the encrypted data before top coding is held. If the original data is stored separately, the top-coded attribute value can be restored.

Thereafter, in step ST76, the control unit 38 of the decryption device 30 receives the encrypted anonymized data by the communication unit 34 and stores it in the temporary data storage unit 33. The decryption unit 37 is encrypted anonymized data in the temporary data storage unit 33 based on the decryption keys sv, a ⁻¹ , N (or s, v, a ⁻¹ , N) in the key storage unit 320. The value of each attribute item in the table T1a is decoded, and a table of obtained decoding results is obtained.

  The control unit 38 of the decryption apparatus 30 determines whether or not the attribute value of the top coding target attribute item (income) is anonymized in the decryption result table. Specifically, for example, the determination may be performed in the same manner as in the third embodiment. If the determination result is negative, the process is repeated from step ST68 (or ST66) and repeated until a favorable anonymization result is obtained.

  Thereafter, steps ST78 to ST79 are executed in the same manner as steps ST31 to ST32 of the third embodiment.

  As described above, according to the present embodiment, even when top coding is executed as anonymization processing using the [AN2013-51001] encryption method, the same operational effects as those of the first embodiment can be obtained. .

  As in the modification shown in FIGS. 2 and 7, the present embodiment replaces encrypted data and encrypted anonymous data with the anonymization device 20 as shown in FIG. A data storage device 70 for storing the anonymized data may be further provided. At this time, by making the anonymization device 20 cooperate with the existing data storage device 70, it is possible to obtain the same effect as the present embodiment. For example, as shown in FIG. 28, the encrypted data may be sent to the data storage device 70 in step ST66, and the data storage device 70 may store the encrypted data in step ST67. Alternatively, the data storage device 70 may send the encrypted data to the anonymization device 20 in step ST70-1, and the anonymization device 20 may generate a primary calculation result in step ST70-2. Similarly, the anonymization device 20 may send the encrypted anonymized data to the data storage device 70 in step ST76-1, and the data storage device 70 may store the encrypted anonymization data in step S76-2. In step ST76-3, the data storage device 70 may send the encrypted anonymized data to the decryption device 30. At this time, the effect of the present embodiment can be obtained without greatly changing the existing data storage device 70. This also applies to embodiments and modifications described later.

  Further, for example, as in the modification shown in FIG. 8, as shown in FIG. 29, the original step ST76 may be executed instead of steps ST76-1 to ST76-3 in FIG. In this case, the same effect as the operation shown in FIG. 8 can be obtained.

<Tenth embodiment: M2M, [AN2013-51001] method and top coding>
FIG. 30 is a schematic diagram showing an anonymization system and its peripheral configuration according to the tenth embodiment.

  Unlike the ninth embodiment in which the encryption device 10 encrypts personal data and deposits it in the anonymization device 20, the tenth embodiment encrypts personal data acquired by each device like the M2M service. The encrypted data is collected by the anonymization device 20. Each device here corresponds to each encryption device (1 to N) 10.

  Specifically, the tenth embodiment includes N encryption devices 10 and further includes a parameter generation device 80, as compared with the configuration shown in FIG. The configurations of the N encryption devices (1 to N) 10 and the parameter generation device 80 are the same as those in the fourth embodiment.

  Next, operation | movement of the anonymization system in this embodiment is demonstrated using the sequence diagram of FIG.

(Advance preparation)
Step ST61 is executed in the same manner as in the ninth embodiment described above.

In step ST62, the control unit 38 of the decryption device 30 sends the encryption keys a, g ^sv , g, and N to the N encryption devices (1 to N) 10 and the parameter generation device 80 through the communication unit 34. . The control unit 87 of the parameter generation device 80 stores the encryption keys a, g ^sv , g, and N received by the communication unit 83 in the key storage unit 82. Similarly, the control unit 18 of the encryption device 10 stores the encryption keys a, g ^sv , g, and N received by the communication unit 14 in the key storage unit 12. Each encryption device (1 to N) 10 may store the encryption keys a, g ^sv , g, and N when the device is assembled. After the devices are arranged, the encryption key a is transmitted via the network. , G ^sv , g, N may be received and stored.

  Steps ST63 to ST64 are executed in the same manner as in the ninth embodiment described above.

In step ST65, the data acquisition unit 19 of each encryption device (1 to N) 10 acquires the personal data composed of the table T1 and stores it in the temporary data storage unit 13. The encryption unit 17 of each encryption device 10 uses the attribute value data _i of the top coding target attribute item (income) in the table T 1 in the temporary data storage unit 13 as the encryption key a in the key storage unit 12. , G ^sv , g and N are encrypted for each record.

Enc (data _i ) → C _{data_i}
The encryption unit 17 can obtain parameters and random numbers necessary for the encryption process from the encryption parameter storage unit 11 and the random number generation unit 16, respectively.

Similarly, the encryption unit 17 encrypts attribute values of attribute items other than the top coding target attribute item for each record in the table T1 based on the encryption keys a, g ^sv , g, and N. Thereby, the attribute values of all the attribute items in the table T1 are encrypted, and the table T1e in which the attribute values of all the attribute items are encrypted is generated as encrypted data.

  In step ST66, the control unit 18 of each encryption device (1 to N) 10 uses the communication unit 14 to anonymously encrypt the encrypted data including the table T1e and the top coding target attribute item (income) in the table T1e. Sent to the digitizing device 20.

  In step ST <b> 67, the anonymization device 20 receives the table T <b> 1 e as encrypted data and the attribute item (revenue) to be top-coded in the table T <b> 1 e through the communication unit 24. Thereafter, the control unit 29 of the anonymization device 20 stores the table T1e and the top coding target attribute item (income) in the temporary data storage unit 23. The table T1e in the temporary data storage unit 23 is updated to the contents obtained by collecting the tables T1e received from the encryption device (1 to N) 10.

(Anonymization)
In step ST68, the parameter generation unit 84 of the parameter generation device 80 generates a threshold value T that is an anonymous parameter for top coding. The encryption unit 86 of the parameter generation device 80 encrypts the generated threshold value T using the encryption method [AN2013-51001] based on the encryption keys a, g ^sv , g, and N in the key storage unit 82. Turn into. Thus, encryption threshold C _T is an encryption anonymity parameter is generated.

Enc (T) → C _T
In step ST69, the control unit 87 of the parameter generation device 80 sends the encrypted threshold value _CT to the anonymization device 20 through the communication unit 83.

  Thereafter, steps ST70 to ST79 are executed as in the ninth embodiment described above.

  As described above, according to the present embodiment, even when a plurality of encryption devices 10 are provided, the same operational effects as those of the ninth embodiment can be obtained.

  In this embodiment, unlike the fourth and sixth embodiments, the device does not store the secret key itself, so even if the key is stolen from the device, the encrypted data is decrypted or anonymized. It is not possible.

<Eleventh embodiment: [AN2013-51001] method for grouping>
Next, an anonymization system according to the eleventh embodiment will be described with reference to FIG.

  The eleventh embodiment differs from the ninth embodiment in which the encrypted “income” is top-coded, and is a form in which the encrypted “age” is grouped.

  Next, operation | movement of the anonymization system in this embodiment is demonstrated using the sequence diagram of FIG. 32, and the schematic diagram of FIG.33 and FIG.34. In the following description, the case of anonymization using the encryption method of [AN2013-51001] will be described as an example.

(Advance preparation)
Steps ST81 to ST84 are executed in the same manner as steps ST61 to ST64 of the ninth embodiment.

In step ST85, the encryption unit 17 of the encryption device 10 reads the table T1 before encryption from the temporary data storage unit 13. The encryption unit 17 sets the attribute value data _i of the attribute item (age) to be grouped in the table T1 for each record based on the encryption keys a, g ^sv , g, and N in the key storage unit 12. Encrypt.

Enc (data _i ) → C _{data_i}
The encryption unit 17 can obtain parameters and random numbers necessary for the encryption process from the encryption parameter storage unit 11 and the random number generation unit 16, respectively.

Similarly, the encryption unit 17 encrypts attribute values of attribute items other than the grouping target attribute item for each record in the table T1 based on the encryption keys a, g ^sv , g, and N. Thereby, the attribute values of all the attribute items in the table T1 are encrypted, and as shown in FIG. 33, a table T1e in which the attribute values of all the attribute items are encrypted is generated as encrypted data.

  Steps ST85 to ST86 are executed in the same manner as steps ST65 to ST66 of the ninth embodiment.

(Anonymization)
In step ST88, the parameter generation unit 15 of the encryption device 10 generates a lower limit value L, an upper limit value U, and a representative value M for each group, which are anonymous parameters for grouping. The encryption unit 17 uses the generated lower limit value L, upper limit value U, and representative value M based on the encryption keys a, g ^sv , g, and N in the key storage unit 12 as an encryption scheme of [AN2013-51001] Encrypt with Thereby, the encryption lower limit value C _L , the encryption upper limit value C _U and the encryption representative value C _{M that} are parameters for encryption anonymity are generated.

Enc (L) → C _L
Enc (U) → C _U
Enc (M) → C _M
In step ST89, the control unit 18 of the encryption device 10 causes the communication unit 14 to use the grouping target attribute item (age) in the table T1e, the encryption lower limit C _L , the encryption upper limit C _U, and the encryption representative. The value C _M is sent to the anonymization device 20. However, the anonymization device 20 obtains the encryption keys a, g ^sv , g, and N in advance, so that the encryption lower limit value C _L , the encryption upper limit value C _U and the encryption representative value C _M are anonymization device 20. Can be stored or generated in advance, the generation and sending of the values C _L , C _U and C _M can be omitted. The same applies to the following embodiments and modifications.

In step ST90, the anonymization device 20 receives the attribute item (age), the encryption lower limit value C _L , the encryption upper limit value C _U, and the encryption representative value C _M via the communication unit 24. The calculation unit 27 of the anonymization device 20 includes the attribute value C _{data_i of} the attribute item (age) that matches the received attribute item (age) in the table T1e in the temporary data storage unit 23, and the received encryption lower limit value. Based on C _L and the encryption upper limit value C _U , primary calculation results X _L and X _U are generated. Here, the primary calculation result X _L = (X1 _L , X2 _L ) is analysis information regarding the lower limit L. The primary calculation result X _U = (X1 _U , X2 _U ) is analysis information regarding the upper limit value U.

In step ST <b> 91, the control unit 29 of the anonymization device 20 sends the primary calculation results X _L and X _U to the anonymization support device 90 through the communication unit 24.

In step ST <b> 92, the anonymization support device 90 receives the primary calculation results X _L and X _U through the communication unit 93. The calculation unit 96 of the anonymization support device 90 performs the secondary calculation result Y based on the received primary calculation results X _L and X _U and the secondary calculation keys a ⁻¹ , s, and N in the key storage unit 91. _L and Y _U are generated. Here, the secondary calculation result Y _L = (Y1 _L , Y2 _L ) is analysis information regarding the lower limit L. The primary calculation result Y _U = (Y1 _U , Y2 _U ) is analysis information regarding the upper limit value U.

In step ST93, the control unit 97 of the anonymization support device 90, the communication unit 93, and sends secondary calculation results Y _L, the Y _U anonymous apparatus 20.

In step ST94, the anonymization device 20 receives the secondary calculation results Y _L and Y _U through the communication unit 24. The calculation unit 27 of the anonymization device 20 generates the tertiary calculation results W _L and W _U based on the received secondary calculation results Y _L and Y _U and the tertiary calculation keys v and N in the key storage unit 91. To do. Here, tertiary calculation result W _L is analytical information about the lower limit L. The tertiary operation result W _U is analysis information regarding the upper limit value U.

In step ST95, the computation result comparison unit 28 of the anonymization device 20 compares the tertiary computation result W _L regarding the lower limit _L with N / 2, and determines that the comparison result is positive when W _L <N / 2. Otherwise, the comparison result is determined to be negative (or 0). The determination result related to the lower limit value L is output from the calculation result comparison unit 28 to the anonymization processing unit 26.

Similarly, the operation result comparison unit 28 of the anonymization device 20 compares the tertiary operation result W _U related to the upper limit L with N / 2, and determines that the comparison result is positive when W _U <N / 2. Otherwise, the comparison result is determined to be negative (or 0). The determination result regarding the upper limit value U is output from the calculation result comparison unit 28 to the anonymization processing unit 26.

After that, the anonymization processing unit 26 of the anonymization device 20 determines the attribute value C _{data_i} as the encrypted representative value C _M when the determination result regarding the lower limit value L is positive and the determination result regarding the upper limit value U is negative (or 0). Replace with Note that “when the determination result regarding the lower limit _L is positive” corresponds to “when the formula F = C _data — _i− C _L is positive”. "When the judgment result of the upper limit value U is negative (or zero)" corresponds to "when equation F = C _{data_i} -C _U is negative (or zero)". That is, the anonymization processing unit 26 _replaces the attribute value C _{data_i} with the encrypted representative value C _M when the attribute value C _{data_i} exceeds the encryption lower limit value C _L and is within the range of the encryption upper limit value C _U or less. .

As a result, the attribute value C _{data_i} encrypted in step ST85 is appropriately replaced with the encrypted representative value C _M in the encrypted state, thereby anonymizing the attribute value (C _M ).

In this way, the attribute value of the grouping target attribute item (age) in the table T1e is anonymized, and the table T1a including the anonymized attribute value (C _M ) is encrypted and anonymized as shown in FIG. Generated as data.

  Thereafter, the anonymization processing unit 26 stores the table T1a in the temporary data storage unit 23.

  In step ST96, the control unit 29 of the anonymization device 20 sends the encrypted anonymization data including the table T1a in the temporary data storage unit 23 to the decryption device 30 through the communication unit 24.

According to this embodiment, it becomes possible to anonymize the encrypted data without decrypting it, and to decrypt the obtained encrypted anonymized data and use the anonymized data. Specifically, the attribute values data_i of the table T1 expressed by numerical values can be grouped by designating the lower limit value L and the upper limit value U of each group. Here, the anonymization device 20 _knows which attribute value (C _{data — i} ) has been replaced, and all the replaced ciphertexts have the same value (encrypted representative value C _{M for} each group). However, the anonymization device 20 does not know the lower limit value L, the upper limit value U, the representative value M, and the original attribute value (data_i) of the group.

  Here, when the encryption apparatus 10 holds the encrypted data before grouping, the encryption device 10 may create a correspondence table before and after grouping. If the original data is held separately, the grouped attribute values can be restored.

Thereafter, in step ST97, the control unit 38 of the decryption device 30 receives the encrypted anonymized data by the communication unit 34 and stores it in the temporary data storage unit 33. The decryption unit 37 is encrypted anonymized data in the temporary data storage unit 33 based on the decryption keys sv, a ⁻¹ , N (or s, v, a ⁻¹ , N) in the key storage unit 320. The value of each attribute item in the table T1a is decoded, and a table of obtained decoding results is obtained.

  The control unit 38 of the decrypting device 30 determines whether or not the attribute value of the grouping target attribute item (age) is anonymized in the decryption result table. Specifically, for example, the determination may be performed in the same manner as in the fifth embodiment. If the result of the determination is no, the process is repeated from step ST88 (or ST86) and repeated until a favorable anonymization result is obtained.

  Thereafter, steps ST98 to ST99 are executed in the same manner as steps ST51 to ST52 described above.

  As described above, according to the present embodiment, even when grouping is executed as an anonymization process using the [AN2013-51001] encryption method, the same effects as those of the first embodiment can be obtained.

<Twelfth embodiment: M2M, [AN2013-51001] method and grouping>
Next, an anonymization system according to the twelfth embodiment will be described with reference to FIG.

  Unlike the eleventh embodiment in which the encryption device 10 encrypts personal data and deposits it in the anonymization device 20, the twelfth embodiment encrypts personal data acquired by each device like the M2M service. The encrypted data is collected by the anonymization device 20. Each device here corresponds to each encryption device (1 to N) 10.

  Specifically, the twelfth embodiment is provided with N encryption devices 10 and a parameter generation device 80, as compared with the configuration shown in FIG. The configurations of the N encryption devices (1 to N) 10 and the parameter generation device 80 are the same as those in the fourth embodiment.

  Next, operation | movement of the anonymization system in this embodiment is demonstrated using the sequence diagram of FIG.

(Advance preparation)
Step ST81 is executed similarly to the eleventh embodiment described above.

In step ST82, the control unit 38 of the decryption device 30 sends the encryption keys a, g ^sv , g, and N to the N encryption devices (1 to N) 10 and the parameter generation device 80 through the communication unit 34. . The control unit 87 of the parameter generation device 80 stores the encryption keys a, g ^sv , g, and N received by the communication unit 83 in the key storage unit 82. Similarly, the control unit 18 of the encryption device 10 stores the encryption keys a, g ^sv , g, and N received by the communication unit 14 in the key storage unit 12. Each encryption device (1 to N) 10 may store the encryption keys a, g ^sv , g, and N when the device is assembled. After the devices are arranged, the encryption key a is transmitted via the network. , G ^sv , g, N may be received and stored.

  Steps ST83 to ST84 are executed in the same manner as in the eleventh embodiment described above.

In step ST85, the data acquisition unit 19 of each encryption device (1 to N) 10 acquires the personal data composed of the table T1 and stores it in the temporary data storage unit 13. The encryption unit 17 of each encryption device 10 uses the attribute value data _i of the attribute item (age) to be grouped in the table T1 in the temporary data storage unit 13 as the encryption key a in the key storage unit 12, Encrypt for each record based on g ^sv , g, and N.

Enc (data _i ) → C _{data_i}
The encryption unit 17 can obtain parameters and random numbers necessary for the encryption process from the encryption parameter storage unit 11 and the random number generation unit 16, respectively.

Similarly, the encryption unit 17 encrypts attribute values of attribute items other than the top coding target attribute item for each record in the table T1 based on the encryption keys a, g ^sv , g, and N. Thereby, the attribute values of all the attribute items in the table T1 are encrypted, and the table T1e in which the attribute values of all the attribute items are encrypted is generated as encrypted data.

  In step ST86, the control unit 18 of each encryption device (1 to N) 10 uses the communication unit 14 to anonymize the encrypted data including the table T1e and the grouping target attribute item (age) in the table T1e. Send to device 20.

  In step ST87, the anonymization device 20 receives the table T1e as encrypted data and the attribute item (age) to be grouped in the table T1e by the communication unit 24. Thereafter, the control unit 29 of the anonymization device 20 stores the table T1e and the attribute item (age) to be grouped in the temporary data storage unit 23. The table T1e in the temporary data storage unit 23 is updated to the contents obtained by collecting the tables T1e received from the encryption device (1 to N) 10.

(Anonymization)
In step ST88, the parameter generation unit 84 of the parameter generation device 80 generates a group lower limit value L, a group upper limit value U, and a group representative value M, which are anonymous parameters for grouping. The encryption unit 86 of the parameter generation device 80 generates the generated lower limit value L, upper limit value U, and group representative value M based on the encryption keys a, g ^sv , g, and N in the key storage unit 82 [ Encrypt with the encryption method of AN2013-51001]. Thereby, the encryption lower limit value C _L , the encryption upper limit value C _U and the encryption representative value C _{M that} are parameters for encryption anonymity are generated.

Enc (L) → C _L
Enc (U) → C _U
Enc (M) → C _M
In step ST89, the control unit 87 of the parameter generation device 80 causes the communication unit 83 to perform the grouping target attribute item (age) in the table T1e, the encryption lower limit value C _L , the encryption upper limit value C _U, and the encryption representative. The value C _M is sent to the anonymization device 20.

  Thereafter, steps ST90 to ST99 are executed in the same manner as in the eleventh embodiment described above.

  As described above, according to the present embodiment, even when a plurality of encryption devices 10 are provided, the same operational effects as those of the eleventh embodiment can be obtained.

  In this embodiment, unlike the fourth and sixth embodiments, the device does not store the secret key itself, so even if the key is stolen from the device, the encrypted data is decrypted or anonymized. It is not possible.

<Thirteenth embodiment: Deletion, resampling, sorting, or swapping>
Next, an anonymization system according to the thirteenth embodiment will be described with reference to FIG.

  The thirteenth embodiment is a form in which the encrypted “employee number” is deleted, unlike the first embodiment in which the encrypted “employee number” is pseudonymized. Note that this embodiment differs from the first to twelfth embodiments described above in that it is an encrypted anonymous parameter (e.g., an encrypted random number, an encrypted threshold) that is used to encrypt an anonymous parameter used for anonymization processing. Encryption lower limit, encryption upper limit, encryption representative value, encryption error, etc.).

  Such an embodiment can be modified to a form using “resampling”, “sort” or “swapping” instead of “deletion”.

  Next, operation | movement of the anonymization system in this embodiment is demonstrated using the sequence diagram of FIG. 36, and the schematic diagram of FIG.37 and FIG.38. In the following description, the case of anonymization using the [AES] encryption method will be described as an example.

(Advance preparation)
In step ST101, the key generation unit 36 of the decryption device 30 generates a key (secret key sk _A ) in the [AES] encryption method based on the security parameter (1 ^k ) in the encryption parameter storage unit 31.

KeyGen (1 ^k ) → (sk _A )
The key generation unit 36 can acquire a random number necessary for the key generation process from the random number generation unit 35. In addition, the key generation unit 36 stores the generated secret key sk _A in the secret key storage unit 32.

In step ST102, the control unit 38 of the decryption device 30 sends the secret key sk _A , which is a common key, to the encryption device 10 through the communication unit 34. The control unit 18 of the encryption device 10 stores the secret key sk _A received by the communication unit 14 in the key storage unit 12.

In step ST103, the encryption unit 17 of the encryption device 10 reads the table T1 shown in FIG. 3 from the temporary data storage unit 13. The encryption unit 17 encrypts the attribute value data _i of the attribute item (employee number) to be deleted in this table T1 for each record based on the secret key sk _A in the key storage unit 12.

Enc (sk _A , data _i ) → C _{A, data_i}
The encryption unit 17 can obtain parameters and random numbers necessary for the encryption process from the encryption parameter storage unit 11 and the random number generation unit 16, respectively.

Similarly, the encryption unit 17 encrypts the attribute values of attribute items other than the attribute item to be deleted in the table T1 based on the secret key sk _A for each record. Thereby, the attribute values of all the attribute items in the table T1 are encrypted, and as shown in FIG. 37, a table T1e in which the attribute values of all the attribute items are encrypted is generated as encrypted data.

  In step ST104, the control unit 18 of the encryption device 10 sends the encrypted data including the table T1e to the anonymization device 20 through the communication unit 14.

  In step ST <b> 105, the anonymization device 20 stores the table T <b> 1 e that is encrypted data received by the communication unit 24 in the temporary data storage unit 23.

(Anonymization)
In step ST106, the control unit 18 of the encryption device 10 sends the attribute item (employee number) to be deleted in the table T1e to the anonymization device 20 through the communication unit 14. However, when the anonymization device 20 holds the attribute item to be deleted in advance, the sending of the attribute item to be deleted by the encryption device 10 can be omitted. The same applies to the following embodiments and modifications.

In step ST107, the anonymization device 20 receives the attribute item (employee number) to be deleted through the communication unit 24. The anonymization processing unit 26 deletes the column of the attribute item (employee number) that matches the received attribute item (employee number) from the table T1e in the temporary data storage unit 23. That is, the anonymization processing unit 26 deletes the attribute item (employee number) to be deleted and the attribute value (C _{A, data_i} ) from the table T1e shown in FIG. Thereby, as shown in FIG. 38, the anonymized table T1a is generated as encrypted anonymized data.

  Thereafter, the anonymization processing unit 26 stores the table T1a in the temporary data storage unit 23.

  In step ST108, the control unit 29 of the anonymization device 20 sends the encrypted anonymization data including the table T1a in the temporary data storage unit 23 to the decryption device 30 through the communication unit 24.

According to this embodiment, it becomes possible to anonymize the encrypted data without decrypting it, and to decrypt the obtained encrypted anonymized data and use the anonymized data. Specifically, it is possible to delete the attributes of the table T1 expressed by numerical values, character strings, and the like. Here, the anonymization device 20 knows the deleted attribute item (employee number) and its attribute value (C _{A, data_i} ). However, the anonymization device 20 does not know the original attribute value (data_i) of the deleted attribute item (employee number).

  Here, when the encryption device 10 holds the encrypted data before the deletion, the encryption device 10 may create a correspondence table before and after the deletion. If the original data is held separately, it is possible to specify an individual from the attribute item and attribute value of the original data and to restore the deletion process.

Thereafter, in step ST109, the control unit 38 of the decryption device 30 receives the encrypted anonymized data by the communication unit 34 and stores it in the temporary data storage unit 33. Based on the secret key sk _A in the secret key storage unit 32, the decryption unit 37 decrypts the value of each attribute item in the table T1a, which is encrypted anonymized data in the temporary data storage unit 33, and is obtained A table of decoding results is obtained.

  The control unit 38 of the decryption device 30 determines whether or not the attribute value of the attribute item (employee number) to be deleted is anonymized in the decryption result table. For example, if the decryption result table does not include a column of attribute items to be deleted as intended, it is determined that the table is anonymized. In this case, the encryption device 10 may transmit the attribute item to be deleted to the decryption device 30 at an arbitrary timing. If the determination result is negative, the process is repeated from step ST104 and repeated until a favorable anonymization result is obtained.

  Thereafter, steps ST110 to ST111 are executed in the same manner as steps ST11 to ST12 described above.

  As described above, according to the present embodiment, even when the deletion is executed as the anonymization process, the same operational effects as those of the first embodiment can be obtained except for the operational effects related to the encrypted anonymous parameters.

  Although this embodiment performed the anonymization process which deletes the encrypted attribute value, it may replace with this and the anonymization process which resamples, sorts, or swaps the encrypted attribute value may be performed. In this case, the same effect can be obtained by carrying out the present embodiment in the same manner.

  Further, key generation by the encryption device 10 may be executed instead of key generation by the decryption device 30. In this case, the encryption device 10 may carry out by sending the secret key to the decryption device 30.

  Note that this embodiment is not limited to encryption methods that use the same key for encryption and decryption, such as [AES], but also (additive) homomorphic encryption methods, encryption methods that can be compared in size, and (additive) It can also be implemented in the same manner with an encryption method that holds an encryption method that can be compared in size with a homomorphic encryption method. When these encryption methods are used, the same can be realized by replacing the encryption algorithm in each method.

  Further, the present embodiment may further include a key generation device 60 and a data storage device 70 as in the modification shown in FIG. At this time, by making the anonymization device 20 cooperate with the existing data storage device 70, it is possible to obtain the same effect as in the present embodiment. For example, as shown in FIG. 39, the encrypted data may be sent to the data storage device 70 in step ST104, and the data storage device 70 may store the encrypted data in step ST105. Alternatively, the data storage device 70 may send the encrypted data to the anonymization device 20 in step ST107-1, and the anonymization device 20 may delete the column of attribute items to be deleted in step ST107-2. Similarly, the anonymization device 20 may send the encrypted anonymized data to the data storage device 70 in step ST108-1, and the data storage device 70 may store the encrypted anonymization data in step S108-2. Further, the data storage device 70 may send the encrypted anonymized data to the decryption device 30 in step ST108-3. At this time, the effect of the present embodiment can be obtained without greatly changing the existing data storage device 70. This also applies to embodiments and modifications described later.

  Further, for example, as in the modification shown in FIG. 8, as shown in FIG. 40, the original step ST108 may be executed instead of steps ST108-1 to ST108-3 in FIG. In this case, the same effect as the operation shown in FIG. 8 can be obtained.

<Fourteenth embodiment: M2M and deletion, resampling, sorting or swapping>
FIG. 41 is a schematic diagram showing the anonymization system and its peripheral configuration according to the fourteenth embodiment.

  The fourteenth embodiment differs from the thirteenth embodiment in which the encryption device 10 encrypts personal data and deposits it in the anonymization device 20, and encrypts the personal data acquired by each device like the M2M service. The encrypted data is collected by the anonymization device 20. Each device here corresponds to each encryption device (1 to N) 10.

  Specifically, the fourteenth embodiment includes N encryption devices 10 and further includes a user terminal 100 as compared to the configuration illustrated in FIG. 1. However, the user terminal 100 is not essential, and may be omitted when any of the encryption devices 10 sends the attribute item (employee number) to be deleted to the anonymization device 20, for example. The same applies to the following modifications.

  Here, the configuration of the N encryption devices (1 to N) 10 is the same as that of the fourth embodiment described above except for the method of anonymization processing.

  The user terminal 100 is a computer having a normal communication function, and includes, for example, a storage unit 101, a communication unit 102, and a control unit 103.

  Next, operation | movement of the anonymization system in this embodiment is demonstrated using the sequence diagram of FIG. In the following description, the case of anonymization using the [AES] encryption method will be described as an example.

(Advance preparation)
Step ST101 is executed in the same manner as in the thirteenth embodiment described above.

In step ST102, the control unit 38 of the decryption device 30 sends the secret key sk _A , which is a common key, to each encryption device (1 to N) 10 through the communication unit 34. The control unit 18 of each encryption device (1 to N) 10 stores the secret key sk _A received by the communication unit 14 in the key storage unit 12. Each encryption device (1 to N) 10 may input and store the public key pk _A at the time of assembling the device. After the device is arranged, it receives and stores the public key pk _A via the network. Also good.

In step ST103, the data acquisition unit 19 of each encryption device (1 to N) 10 acquires personal data including the table T1 and stores it in the temporary data storage unit 13, as shown in FIG. The encryption unit 17 of each encryption device (1 to N) 10 stores the attribute value data _i of the attribute item (employee number) to be deleted in the key storage unit 12 in the table T1 in the temporary data storage unit 13. Is encrypted for each record based on the secret key sk _A.

Enc (sk _A , data _i ) → C _{A, data_i}
The encryption unit 17 can obtain parameters and random numbers necessary for the encryption process from the encryption parameter storage unit 11 and the random number generation unit 16, respectively.

Similarly, the encryption unit 17 encrypts the attribute values of attribute items other than the attribute item to be deleted in the table T1 based on the secret key sk _A for each record. Thus, as described above, as shown in FIG. 37, a table T1e in which the attribute values of all the attribute items are encrypted is generated as encrypted data.

  In step ST104, the control unit 18 of each encryption device (1 to N) 10 sends the encrypted data including the table T1e to the anonymization device 20 through the communication unit 14.

  In step ST <b> 105, the anonymization device 20 stores the table T <b> 1 e that is encrypted data received by the communication unit 24 in the temporary data storage unit 23. The table T1e in the temporary data storage unit 23 is updated to the contents obtained by collecting the tables T1e received from the encryption device (1 to N) 10.

(Anonymization)
In step ST <b> 106, the control unit 103 of the user terminal 100 sends the attribute item (employee number) to be deleted to the anonymization device 20 through the communication unit 102. However, when the anonymization device 20 holds the attribute item to be deleted in advance, the sending of the attribute item to be deleted by the encryption device 10 can be omitted. The same applies to the following modifications.

  Thereafter, steps ST107 to ST111 are executed in the same manner as in the thirteenth embodiment described above.

  As described above, according to the present embodiment, even when there are a plurality of encryption devices 10, the same operational effects as those of the thirteenth embodiment can be obtained.

However, in this embodiment, the secret key sk _A is stored in each device. Since this secret key sk _A can be decrypted as well as encrypted, the secret key sk _A is appropriately managed on each device. There must be.

  In the present embodiment, anonymization processing for resampling, sorting, or swapping encrypted attribute values may be executed instead of the anonymization processing for deleting the encrypted attribute value. In this case, the same effect can be obtained by carrying out the present embodiment in the same manner.

  In addition, this embodiment is not limited to an encryption method that uses the same key for encryption and decryption, such as [AES], but an (additive) homomorphic encryption method, an encryption method that can be compared in size, and (additive) It can also be implemented in the same manner with an encryption method that holds an encryption method that can be compared in size with a homomorphic encryption method. When these encryption methods are used, the same can be realized by replacing the encryption algorithm in each method.

  According to at least one embodiment described above, encrypted data is generated from the personal data by the process of encrypting the value of each item included in the personal data. Encrypted anonymized data is generated from the encrypted data by performing anonymization without decrypting the values of some items of the encrypted data. Anonymized data is generated from the encrypted anonymized data by the process of decrypting the encrypted anonymized data. With such a configuration, the encrypted data obtained by encrypting the personal data can be anonymized without being decrypted.

  Note that the methods described in the above embodiments are, as programs that can be executed by a computer, magnetic disks (floppy (registered trademark) disks, hard disks, etc.), optical disks (CD-ROMs, DVDs, etc.), magneto-optical disks. (MO), stored in a storage medium such as a semiconductor memory, and distributed.

  In addition, as long as the storage medium can store a program and can be read by a computer, the storage format may be any form.

  In addition, an OS (operating system) running on a computer based on an instruction of a program installed in the computer from a storage medium, MW (middleware) such as database management software, network software, and the like realize the above-described embodiment. A part of each process may be executed.

  Furthermore, the storage medium in each embodiment is not limited to a medium independent of a computer, but also includes a storage medium in which a program transmitted via a LAN, the Internet, or the like is downloaded and stored or temporarily stored.

  Further, the number of storage media is not limited to one, and the case where the processing in each of the above embodiments is executed from a plurality of media is also included in the storage media in the present invention, and the media configuration may be any configuration.

  The computer in each embodiment executes each process in each of the above embodiments based on a program stored in a storage medium, and a single device such as a personal computer or a plurality of devices are connected to a network. Any configuration of the system or the like may be used.

  In addition, the computer in each embodiment is not limited to a personal computer, and includes an arithmetic processing device, a microcomputer, and the like included in an information processing device, and is a generic term for devices and devices that can realize the functions of the present invention by a program. Yes.

  In addition, although some embodiment of this invention was described, these embodiment is shown as an example and is not intending limiting the range of invention. These novel embodiments can be implemented in various other forms, and various omissions, replacements, and changes can be made without departing from the scope of the invention. These embodiments and modifications thereof are included in the scope and gist of the invention, and are included in the invention described in the claims and the equivalents thereof.

  DESCRIPTION OF SYMBOLS 10 ... Encryption apparatus, 11, 21, 31, 61, 81 ... Encryption parameter storage part, 12, 220, 320, 82, 91 ... Key storage part, 13, 23, 33, 62, 92 ... Temporary data storage part, 14, 24, 34, 52, 63, 72, 83, 93, 102 ... communication unit, 15, 84, 94 ... parameter generation unit, 16, 25, 35, 64, 85, 95 ... random number generation unit, 17, 86 ... Encryption section, 18, 29, 38, 66, 87, 97, 103 ... Control section, 19 ... Data acquisition section, 20 ... Anonymization device, 22 ... Encrypted data storage section, 26 ... Anonymization processing section, 27 96 ... Calculation unit 28 ... Calculation result comparison unit 30 ... Decryption device 32 ... Secret key storage unit 33 ... Temporary data storage unit 36,65 ... Key generation unit 37 ... Decryption unit 40 ... Communication network 50 ... Statistical processing device, 51 ... Data storage unit, 53 ... Meter processing unit, 60 ... key generation device, 70 ... data storage device, 71 ... data storage unit, 80 ... parameter generation device, 90 ... anonymization support device, 100 ... user terminal, 101 ... storage unit, T1, T1e, T1a …table.

Claims (6)

An anonymization system comprising one or more encryption devices, anonymization devices and decryption devices,
The encryption device is:
First storage means for storing personal data including a value for each item;
Key storage means for storing a common key in an encryption method capable of comparing sizes;
Encrypting means for generating encrypted data from the personal data by a process of encrypting the value of each item included in the personal data based on the common key ;
With
The anonymization device
Second storage means for storing the encrypted data generated by the encryption device;
Anonymization means for generating encrypted anonymized data from the encrypted data by anonymizing without decrypting values of some items of the encrypted data in the second storage means;
With
The decoding device
Third storage means for storing the encrypted anonymized data generated by the anonymization device;
Key storage means for storing the common key;
Decryption means for generating anonymized data from the encrypted anonymized data by a process of decrypting the encrypted anonymized data in the third storage means based on a common key in the key storage means ;
Equipped with a,
The encryption device includes threshold encryption means for generating an encryption threshold by encrypting a threshold that is an anonymity parameter used for the anonymization process based on the common key. And
The anonymization means compares the value of a part of the items of the encrypted data with the generated encryption threshold value, and anonymizes the value of the part of the items according to the comparison result The anonymization system is characterized in that the encrypted anonymized data is generated from the encrypted data by the process of converting the encrypted data .   An anonymization system comprising one or more encryption devices, anonymization devices and decryption devices,
  The encryption device is:
  First storage means for storing personal data including a value for each item;
  Key storage means for storing a common key in an encryption method capable of comparing sizes;
  Encrypting means for generating encrypted data from the personal data by a process of encrypting the value of each item included in the personal data based on the common key;
  With
  The anonymization device
  Second storage means for storing the encrypted data generated by the encryption device;
  Key acquisition means for acquiring the common key;
  Anonymization means for generating encrypted anonymized data from the encrypted data by anonymizing without decrypting values of some items of the encrypted data in the second storage means;
  With
  The decoding device
  Third storage means for storing the encrypted anonymized data generated by the anonymization device;
  Key storage means for storing the common key;
  Decryption means for generating anonymized data from the encrypted anonymized data by a process of decrypting the encrypted anonymized data in the third storage means based on a common key in the key storage means;
  With
  The anonymization device includes threshold encryption means for generating an encryption threshold by encrypting a threshold that is an anonymity parameter used for the anonymization process based on the common key. And
  The anonymization means compares the value of a part of the items of the encrypted data with the generated encryption threshold value, and anonymizes the value of the part of the items according to the comparison result The encrypted anonymized data is generated from the encrypted data by processing
  An anonymization system characterized by that.   In the anonymization system of Claim 1 or Claim 2,
  The anonymization means is an anonymization system that anonymizes values of some of the items by replacing values of the some items with the encryption threshold according to the comparison result.   In the anonymization system of Claim 1,
  The threshold value is a group upper limit value or a group lower limit value used when the anonymization process is grouping.
  The encryption device further includes representative value encryption means for generating an encrypted representative value by encrypting a group representative value used when the anonymization process is grouping based on the common key. And
  The anonymization means is an anonymization system that anonymizes values of the partial items by replacing values of the partial items with the encrypted representative values according to the comparison result.   In the anonymization system of Claim 2,
  The threshold value is a group upper limit value or a group lower limit value used when the anonymization process is grouping.
  The anonymization device further includes representative value encryption means for generating an encrypted representative value by encrypting a group representative value used when the anonymization process is grouping based on the common key. And
  The anonymization means is an anonymization system that anonymizes values of the partial items by replacing values of the partial items with the encrypted representative values according to the comparison result. In the anonymization system according to any one of claims 1 to 5 ,
The anonymized data is information including the value of the partial item in the personal data and the value of the item other than the partial item,
The encrypted anonymized data includes values obtained by anonymizing encrypted values of the some items included in the encrypted data and items other than the some items included in the encrypted data. An anonymization system characterized by being information including a value.