JP6370230B2 - Secret calculation control device, secret calculation control method, and secret calculation control program - Google Patents

Description

  The present invention relates to an apparatus, a method, and a program for controlling a secret calculation.

  Conventionally, when sensitive data including personal information is statistically processed, a secret calculation system that obtains a calculation result while keeping input data secret has been proposed (for example, see Patent Document 1).

JP 2011-248066 A

  However, the conventional technique is specialized for a specific operation by a single server. In order to respond to various calculation requests, the processing load of the calculation device and further the cost borne by the user increase, and convenience decreases.

  It is an object of the present invention to provide a secret calculation control device, a secret calculation control method, and a secret calculation control program that can efficiently perform a secret calculation that is not limited to a specific calculation.

  The secret calculation control device according to the present invention includes a calculation formula and target data of the calculation formula, an input unit that inputs a calculation formula, and a plurality of calculation nodes that perform a specific calculation using homomorphic encryption. An acquisition unit that acquires cost information, and a determination that determines a calculation procedure for allocating each calculation obtained by decomposing the calculation formula to which of the plurality of calculation nodes based on the resource and calculation cost information And an execution unit that executes a secret calculation using homomorphic encryption on the target data using the plurality of operation nodes in accordance with the determined calculation procedure, and outputs a calculation result.

  The secret calculation control device includes a formula deforming unit that modifies the calculation formula and reduces a calculation cost calculated based on the number of operations included in the calculated calculation formula. The calculation procedure of the following formula may be determined.

  The equation modifying unit may modify the calculation equation so as to reduce the number of encryption and decryption processes in the homomorphic encryption.

  The determination unit may determine the calculation procedure so that the total of the calculation costs is the lowest among the calculation procedures that can obtain the calculation result within a specified time.

  The determination unit may reduce the operation cost by changing operation nodes in order from an operation closer to an output of a calculation formula decomposed into a tree structure.

  The determination unit may reduce the calculation cost by changing the calculation node so that all the branches have the same calculation time in the branch of the calculation formula decomposed into the tree structure.

  When the encryption method for each calculation is different, the execution unit may notify the encryption method for each operation and acquire the data to be calculated encrypted by the encryption method.

  The determination unit distributes the calculation to calculation nodes that do not use the homomorphic encryption different from the plurality of calculation nodes in a calculation procedure after performing a predetermined number of calculations on each of the target data. Also good.

  The secret calculation control method according to the present invention includes an input step for inputting a calculation formula and target data of the calculation formula, and a plurality of calculation nodes that perform a specific calculation using homomorphic encryption. An acquisition step for acquiring cost information, and a determination for determining a calculation procedure for allocating each operation obtained by decomposing the calculation formula to the plurality of operation nodes based on the resource and operation cost information A computer control unit that executes a secret calculation using homomorphic encryption on the target data using the plurality of operation nodes in accordance with the determined calculation procedure, and outputs a calculation result. Will run.

  The secret calculation control program according to the present invention causes the computer to execute each step of the secret calculation control method.

  According to the present invention, it is possible to efficiently perform a secret calculation that is not limited to a specific operation.

It is a figure which shows the function structure of the secret calculation control apparatus which concerns on embodiment. It is a schematic diagram which shows an example of the calculation procedure which concerns on embodiment. It is a flowchart which shows the process of the secret calculation control apparatus which concerns on embodiment.

Hereinafter, an example of an embodiment of the present invention will be described.
The secret calculation control device 1 of the present embodiment is an information processing device (computer) such as a server device or a personal computer, and in response to a calculation request from the user terminal 2, a plurality of operation nodes 3 with input data encrypted. Use to output the calculation result.

  The operation node 3 is a processing device on the public cloud that can perform a specific operation (for example, addition or multiplication) using homomorphic encryption such as additive homomorphism or multiplicative homomorphism. In response to the request, the calculation is performed while the data is kept secret (encrypted), and the result is returned. The plurality of operation nodes 3 differ in the amount of processable data depending on the processing capacity of the CPU or the like, or the memory capacity. The operation node 3 may improve the processing speed by mounting a dedicated circuit (hardware accelerator) specialized for a specific operation algorithm with a different encryption method.

FIG. 1 is a diagram illustrating a functional configuration of a secret calculation control apparatus 1 according to the present embodiment.
The secret calculation control device 1 includes an input unit 11, an expression transformation unit 12, an acquisition unit 13, a determination unit 14, an execution unit 15, and a cryptographic processing unit 16.

The input unit 11 receives, as an input from the user terminal 2, a calculation formula for performing a secret calculation and target data of the calculation formula.
Hereinafter, the calculation formula will be described as an example of a combination of addition and multiplication. However, the types of operations are not limited to these, and operations that can use homomorphic encryption such as size comparison can be combined.

The expression transformation unit 12 modifies the input calculation formula, and reduces the calculation cost calculated based on the number of operations included in the calculation formula to optimize the processing efficiency. Note that the calculation cost required for each process is not necessarily the same between multiplication and addition, and the equation transformation unit 12 calculates the calculation cost of the entire calculation equation based on a calculation cost ratio for each type of calculation set in advance. It is good to do.
Specifically, the equation transformation unit 12 encloses a calculation equation “ab + ac” in parentheses as “a (b + c)”, for example, to reduce the number of multiplications. Further, the expression modification unit 12 may perform expression modification such as replacing multiplication with addition (for example, 2a = a + a) or replacing addition with multiplication depending on a calculation cost ratio between multiplication and addition.

  Furthermore, the expression modification unit 12 modifies the calculation expression so as to reduce the number of encryption and decryption processes in the homomorphic encryption. Since the encryption method differs between the multiplicative homomorphism and the additive homomorphism, for example, when adding the results of multiplication, it is necessary to decrypt the target data once and encrypt it using another encryption method. Therefore, the formula transformation unit 12 transforms the calculation formula so that the same kind of operations are continued, and reduces the number of times the cryptographic scheme is switched.

  The acquisition unit 13 obtains information on the resource (processing speed, memory capacity, etc.) and the operation cost (price for the operation request) of the operation node 3 from each of the plurality of operation nodes 3 that perform a specific operation using the homomorphic encryption. get.

The determination unit 14 determines a calculation procedure for allocating to each of the plurality of calculation nodes 3 each calculation obtained by decomposing the calculation formula, based on the resource and calculation cost information.
Specifically, the determination unit 14 determines the calculation procedure so that the total calculation cost is the lowest among the calculation procedures that can obtain the calculation result within the time specified by the user terminal 2. In general, the computation node (3) having a higher processing capacity (speed) has a higher computation cost (price). Therefore, the computation node 3 having a low computation cost can be selected even if it takes time by loosening the time limit. . Therefore, the determination unit 14 selects the computation node 3 that is relatively slow, that is, has a low computation cost so that the total computation time is within the specified time.

Further, the determination unit 14 reduces the operation cost by changing the operation node 3 in order from the operation closer to the output of the calculation formula decomposed into the tree structure.
Further, the determination unit 14 reduces the operation cost by changing the operation node 3 so that all the branches have the same calculation time in the branch of the calculation formula decomposed into the tree structure.

FIG. 2 is a schematic diagram illustrating an example of a calculation procedure according to the present embodiment.
This example shows a series of calculation procedures for multiplying the addition result of the numerical value A and the numerical value B by the addition result of the numerical value C and the numerical value D and further adding the numerical value E to output the calculation result. .

Here, the determination unit 14 estimates the time until the calculation result is output based on the resource information of each computation node 3. However, if the computation node 3 having a high processing speed is selected, there is a time margin. To do.
In this case, the determination unit 14 distributes the same calculation in order from the calculation 21 on the side closer to the output to the nodes with low calculation costs even if the processing time increases. Thereby, the determination part 14 can optimize a process procedure efficiently.

  In addition, when the calculation procedure branches into a plurality of operations (23 and 24), if processing waits for one operation in operation 22, there is room for a reduction in operation cost by this waiting time. Therefore, the determination unit 14 distributes all branches (calculations 23 and 24) to nodes having the same processing time so as not to cause this processing waiting as much as possible. Thereby, the determination part 14 can optimize a process procedure efficiently.

The execution unit 15 executes a secret calculation using homomorphic encryption on the target data using the plurality of operation nodes 3 according to the determined calculation procedure, and outputs the calculation result to the user terminal 2.
The execution unit 15 identifies the encryption method used for each computation node 3, and the encryption processing unit 16 encrypts the target data for each computation according to this encryption method. When the encryption method differs between successive operations, the execution unit 15 decrypts the data once by the encryption processing unit 16 and then encrypts the data using a new encryption method.

  The encryption processing unit 16 encrypts data by the designated encryption method or decrypts the encrypted data according to the instruction of the execution unit 15 and provides the encrypted data to the execution unit 15.

FIG. 3 is a flowchart showing processing of the secret calculation control apparatus 1 according to the present embodiment.
In step S <b> 1, the input unit 11 receives a calculation formula for performing a secret calculation and target data for calculation from the user terminal 2. When the secret calculation control device 1 is trusted by the user, the target data may be plain text that is not encrypted.

  In step S2, the formula transformation unit 12 transforms the input calculation formula and reduces the number of individual calculations in order to optimize the calculation load.

  In step S <b> 3, the determination unit 14 selects an operation node 3 having a lower operation cost within a range where it is estimated that a calculation result is obtained within a specified time in order to select and optimize the resources of each operation node 3. Select to determine the calculation procedure.

  In step S4, the secret calculation control device 1 notifies the user terminal 2 of the estimated calculation time and calculation cost determined by the calculation procedure determined in step S3, requests user approval, and determines whether approval has been obtained. If this determination is YES, the process proceeds to step S5, and if the determination is NO, the process returns to step S3, and the calculation procedure is adjusted according to a user instruction.

In step S5, the execution unit 15 sequentially selects individual operations in the calculation procedure.
In step S6, the execution unit 15 identifies the encryption method used by the operation node 3 that requests the selected operation, and determines whether the operation target data needs to be encrypted or re-encrypted by a different encryption method. To do. If this determination is YES, the process proceeds to step S7, and if the determination is NO, the process proceeds to step S8.

  In step S <b> 7, the encryption processing unit 16 performs decryption and encryption on the target data according to the encryption method of the operation node 3.

  In step S8, the execution unit 15 transmits the encrypted data to the computation node 3 and makes a computation request.

  In step S9, the execution unit 15 performs all calculations in the calculation procedure, and determines whether or not the requested calculation has been completed. If this determination is YES, the process proceeds to step S10, and if the determination is NO, the process proceeds to step S5 and proceeds to the next calculation procedure.

  In step S <b> 10, the execution unit 15 decrypts the calculation result by the encryption processing unit 16 and outputs the result to the user terminal 2.

  According to the present embodiment, the secret computation control device 1 uses a plurality of operation nodes 3 that perform a specific operation using homomorphic encryption, thereby combining specific operations that can be performed at each operation node 3. Secret calculations that are not limited to At this time, the secret calculation control apparatus 1 determines the allocation destination of each calculation so as to match the user's request based on the resource of the calculation node 3 and the calculation cost, and can perform the secret calculation efficiently.

Moreover, the secret calculation control apparatus 1 can improve the efficiency of the calculation procedure until obtaining the calculation result by modifying the expression so as to reduce the number of operations when the calculation expression is decomposed.
Furthermore, the secret computation control apparatus 1 needs to repeat the decryption and encryption processes as necessary when the encryption scheme of the homomorphic encryption differs depending on the type of operation. However, the secret calculation control apparatus 1 reduces the number of decryption and encryption processes. Since the calculation formula is modified by adjusting the order of operations, secret processing can be efficiently performed while reducing the processing load.

Furthermore, since the secret calculation control device 1 adjusts the calculation procedure so that the total calculation cost (for example, the price for obtaining the calculation result) is low, the calculation is performed at a lower cost within the time specified by the user. Can provide results.
At this time, the secret calculation control device 1 changes the calculation node 3 to the low-cost calculation node 3 in order from the calculation closer to the output of the calculation formula decomposed into a tree structure. The operation node 3 is changed so that The secret calculation control device 1 can efficiently reduce the calculation cost by these adjustment methods, and can perform the secret calculation suitable for the user's request.

  As mentioned above, although embodiment of this invention was described, this invention is not restricted to embodiment mentioned above. Further, the effects described in the present embodiment are merely a list of the most preferable effects resulting from the present invention, and the effects of the present invention are not limited to those described in the present embodiment.

In this embodiment, the secret calculation control device 1 accepts calculation target data from the user terminal 2 as plain text. However, the user does not want to provide original data to the secret calculation control device 1 or the like. In some cases, encrypted data may be input.
At this time, when the encryption method for each calculation is different, the execution unit 15 notifies the user terminal 2 of the encryption method for each operation, and acquires the calculation target data encrypted by this encryption method. Thereby, the user can obtain the calculation result while keeping the calculation target data secret from the secret calculation control device 1.

Moreover, in this embodiment, all the operation nodes 3 respond | correspond to a homomorphic encryption, and the secret calculation control apparatus 1 distributed to the operation nodes 3 so that all the calculations in a calculation procedure might be performed with respect to the encrypted data. However, it is not limited to this. The determination unit 14 may distribute the calculation to calculation nodes having a low calculation cost that does not use the homomorphic encryption in a calculation procedure after the calculation is performed a predetermined number of times or more on each of the target data.
Even during the calculation procedure, if some calculation is performed on the original data, it may not be secret information. For example, in the calculation for obtaining the average, the data for which the addition immediately before the last division is completed is considered to be no longer secret. Therefore, for example, the secret calculation control apparatus 1 can obtain a calculation result efficiently by using an operation node with a low operation cost without performing cryptographic processing for a predetermined hierarchy of a tree structure obtained by decomposing the calculation formula.

  The control method by the secret calculation control device 1 is realized by software. When realized by software, a program constituting the software is installed in the information processing apparatus (secret calculation control apparatus 1). These programs may be recorded on a removable medium such as a CD-ROM and distributed to the user, or may be distributed by being downloaded to the user's computer via a network. Furthermore, these programs may be provided to the user's computer (the secret calculation control device 1) as a Web service via a network without being downloaded.

DESCRIPTION OF SYMBOLS 1 Secret calculation control apparatus 11 Input part 12 Formula transformation part 13 Acquisition part 14 Determination part 15 Execution part 16 Cryptographic process part

Claims (10)

An input unit for inputting a calculation formula and target data of the calculation formula;
An acquisition unit that acquires information on resources and calculation costs of the calculation node from a plurality of calculation nodes that perform a specific calculation using homomorphic encryption,
A determination unit that determines a calculation procedure for allocating each operation obtained by decomposing the calculation formula to which of the plurality of operation nodes based on the information of the resource and the operation cost;
A secret calculation control device comprising: an execution unit that executes a secret calculation using homomorphic encryption for the target data using the plurality of operation nodes according to the determined calculation procedure, and outputs a calculation result. The equation is modified to reduce the calculation cost calculated based on the number of operations included in the equation after the transformation,
The secret calculation control apparatus according to claim 1, wherein the determination unit determines a calculation procedure of the calculation formula after the transformation.   The secret calculation control apparatus according to claim 2, wherein the formula changing unit changes the calculation formula so as to reduce the number of encryption and decryption processes in the homomorphic encryption.   The said determination part determines the said calculation procedure so that the total of the said calculation cost may become the minimum among the calculation procedures which can obtain the said calculation result within designation | designated time. Secret calculation control device.   The secret calculation control apparatus according to claim 4, wherein the determination unit reduces the calculation cost by changing operation nodes in order from an operation closer to an output of a calculation formula decomposed into a tree structure.   The said determination part reduces the said calculation cost by changing a calculation node so that all the branches may become equivalent calculation time in the branch of the calculation formula decomposed | disassembled into the said tree structure. The secret calculation control device described.   The said execution part notifies the encryption system for every said calculation, and the data of the calculation object encrypted by the said encryption system are acquired when the encryption system for each said calculation differs. The secret calculation control device according to any one of the above.   The determination unit distributes operations to operation nodes that do not use the homomorphic encryption different from the plurality of operation nodes in a calculation procedure after performing a predetermined number of operations on each of the target data. The secret calculation control device according to any one of claims 1 to 7. An input step for inputting a calculation formula and target data of the calculation formula; and
An acquisition step of acquiring resource and calculation cost information of the calculation node from a plurality of calculation nodes performing a specific calculation using homomorphic encryption,
A determination step for determining a calculation procedure for allocating each operation obtained by decomposing the calculation formula to which of the plurality of operation nodes based on the information of the resource and the operation cost;
In accordance with the determined calculation procedure, a computer control unit executes an execution step of executing a secret calculation using homomorphic encryption for the target data using the plurality of operation nodes and outputting a calculation result Secret calculation control method.   A secret calculation control program for causing a computer to execute each step of the secret calculation control method according to claim 9.

Images