JP6643756B2 - Server, service method - Google Patents

Description

  The present invention relates to a server and a service method for storing and holding encrypted data, performing a certain calculation process using the encrypted data in response to a request, and providing a result by encryption, and in particular, relates to a client for decryption. The present invention relates to a server and a service method that reduce the processing load.

  There are services such as cloud servers that store and hold data on behalf of clients. Using this, when a third party uploads data encrypted with the public key disclosed by the client to the server, the client can decrypt (decrypt) this data with the cloud administrator while keeping the content secret. It can be managed as data on the server. For example, it is convenient when handling highly confidential data such as personal medical test results as data.

  In addition, a cloud server has a service that stores and holds data of a client, performs a calculation process on behalf of the client using the data in response to a request from the client with limited resources, and provides the result to the client. (Surrogate calculation). In this case, normally, encrypted data cannot be handled as data. This is because, when calculation processing is performed on encrypted data, the processing result does not generally match the processing result on plaintext data.

  On the other hand, there are some known encrypted data (= encrypted data having homomorphism) in which the calculation processing of the encrypted data corresponds to the processing result of the plaintext data. If such encrypted data is used, the result can be obtained as encrypted data of the same format even if a certain calculation process is performed in the server, and this can be provided to the client. The client can decrypt this with the corresponding private key. In other words, if encrypted data having homomorphism is used, the client can manage the data calculation processing performed on the server with the content kept secret from the cloud administrator.

  However, at present, there is no known cryptographic data having a property that homomorphism is established in any calculation without limitation. For example, it is usual to have homomorphism only in a limited range, such as only addition and only one multiplication. Therefore, when the client receives the service of the server, it is necessary to perform a procedure in which the calculation is performed once using the homomorphism and then the client performs the post-processing in order to obtain the desired result. There are cases. Such a procedure means that the processing load on the client increases.

US 8,565,435 Patent Specification

  The present invention relates to a server and a service method for storing and holding encrypted data, performing a predetermined calculation process using the encrypted data in response to a request, and providing the result in an encrypted form, and reduces a processing load on a client at the time of decryption. It is an object to provide a server and a service method that can be reduced.

The server according to one embodiment of the present invention has the following formula:
c ₁ = e ₁ A + pe ₂
c ₂ = e ₁ P + pe ₃ + m
c = (c ₁ , c ₂ )
Here, e ₁ and e ₂ are vectors each having n components, and each component is an integer sampled from a discrete Gaussian distribution having a variance s ² . e ₃ is an integer each component frequency components is a vector of l sampled from a discrete Gaussian distribution of the variance s ^2. m is plaintext data having a vector format, where the number of components is 1 and each component is an integer expressed modulo p.
n, s, 1, p, A, and P are as follows.
n is a positive integer. s is a positive real number. l is a positive integer. p is a positive integer and p and q are relatively prime. q is a positive integer. A is a square matrix of n rows and n columns, where each element is an integer randomly sampled from a set of integers (0,..., Q-1). P is based on P = pR-AS. R, S, respectively, each element in a matrix of n rows l column was sampled from a discrete Gaussian distribution of the variance s ² integer.
Means for storing and holding a plurality of encrypted data c having a vector format, which is encrypted with the public key (A, P, n, s) of the client, from the client. Means for receiving information when an inner product is to be obtained for the two plaintext data m and m 'corresponding to the two encrypted data c and c', and n-row and n-column means for calculating a square matrix ^{_{W 1 = c 1 'T c}} 1, n row l matrix _W 2 = _{c 1 ^{column' T c 2 + c 1 T}} c 2 ', and a scalar ^{_{ξ = c 2 c 2' T}} , Means for providing the client with the square matrix W ₁ , the matrix W ₂ , and the scalar ξ.

A plurality of (arbitrary) additions and a tensor product m ^T are stored in the server as a relationship with the plaintext data m, m ′,. m ′ has homomorphism. However, there is no direct homomorphism with respect to inner product mm ^'T. Client inner product mm 'when it is desired to obtain a ^T, as the possibility, tensor product m ^{T m'} can be provided to the client as a result of the homomorphic operation utilizing. Further, in this server, when information from the client to obtain the inner product of the plaintext data m and m ′ is provided so that the inner product operation can be supported without using such a tensor product, the information is calculated based on the information. , N rows and n columns square matrix W ₁ = c ₁ ′ ^T c ₁ , n rows and l column matrix W ₂ = c ₁ ′ ^T c ₂ + c ₁ ^T c ₂ ′, and scalar ξ = c ₂ c ₂ ′ ^T And provide them to the client.

In the decoding process in the client, the _{W 1,} the trace determined by multiplying the inner product calculation corresponding secret key ^S * (= ^SS T = a (γ _ij)), in _{W 2,} transposed matrix ^{S T} of the secret key S (= (Σ _ij )) to find the trace, add ξ to the sum of these results, and finally convert it to an integer modulo p, yielding the desired inner product m m m ' ^T is obtained. In these decoding processes, the multiplication requires a total of “n (n + 1)” times, and the addition requires a total of “n (n + 1) +1” times. Thus, the processing load on the client is dramatically reduced as compared with the case of using a tensor product. Is done.

A service method according to another aspect has the following formula:
c ₁ = e ₁ A + pe ₂
c ₂ = e ₁ P + pe ₃ + m
c = (c ₁ , c ₂ )
Here, e ₁ and e ₂ are vectors each having n components, and each component is an integer sampled from a discrete Gaussian distribution having a variance s ² . e ₃ is an integer each component frequency components is a vector of l sampled from a discrete Gaussian distribution of the variance s ^2. m is plaintext data having a vector format, where the number of components is 1 and each component is an integer expressed modulo p.
n, s, 1, p, A, and P are as follows.
n is a positive integer. s is a positive real number. l is a positive integer. p is a positive integer and p and q are relatively prime. q is a positive integer. A is a square matrix of n rows and n columns, where each element is an integer randomly sampled from a set of integers (0,..., Q-1). P is based on P = pR-AS. R, S, respectively, each element in a matrix of n rows l column was sampled from a discrete Gaussian distribution of the variance s ² integer.
Stores a plurality of encrypted data c having a vector format, which is encrypted with the public key (A, P, n, s) of the client, and sends two of the plurality of encrypted data from the client. When the information for obtaining the inner product is obtained for the two plaintext data m and m ′ corresponding to the encrypted data c and c ′, the information is received, and based on the information, a square matrix W ₁ of n rows and n columns is received. = C ₁ ′ ^T c ₁ , a matrix W ₂ of n rows and l columns W ₂ = c ₁ ′ ^T c ₂ + c ₁ ^T c ₂ ′, and a scalar ξ = c ₂ c ₂ ′ ^T , and the square matrix W ₁ , Provide the matrix W ₂ and the scalar ξ to the client.

  This service method is a method corresponding to the server described above.

  According to the present invention, in a server and a service method for storing and holding encrypted data, performing a predetermined calculation process using the encrypted data in response to a request, and providing a result by encryption, a client process at the time of decryption The burden can be reduced.

1 is a configuration diagram illustrating a server according to an embodiment and a system including the server. FIG. 2 is an explanatory diagram showing functions of a parameter generation and holding unit shown in FIG. 1. FIG. 2 is an explanatory diagram illustrating functions of a key generation unit 32 illustrated in FIG. 1. FIG. 2 is an explanatory diagram showing an encryption function of a processing unit 21 shown in FIG. FIG. 2 is an explanatory diagram showing a decoding function of a general processing unit 35 shown in FIG. FIG. 2 is an explanatory diagram showing the properties of homomorphic operations that can be performed by the server shown in FIG. FIG. 2 is an explanatory diagram of the reason why the processing load on the client regarding the inner product calculation function of the server 10 shown in FIG. 1 is reduced. FIG. 2 is an explanatory diagram showing the reason why the processing load on the client regarding the calculation function of the sum of inner products of the server 10 shown in FIG. FIG. 2 is an explanatory diagram illustrating functions of an update key generation unit 36 illustrated in FIG. 1. FIG. 2 is an explanatory diagram showing functions of a security update processing unit 14 shown in FIG.

  Based on the above, embodiments of the present invention will be described below with reference to the drawings. FIG. 1 shows a server according to an embodiment and a system including the server. In the figure, a server 10 is, for example, a cloud server, while a client 30 is a device that receives a service provided by the server 10. There can be many clients 30 in one server 10 (other clients are not shown). The following description will be given on the assumption that the server 10 and the client 30 have different management entities. However, by encrypting the data, the third party device 20 appears as if the server 10 is part of the client 30. I have.

  That is, the client 30 stores and manages the data managed by the client 30 in an encrypted state. The public key necessary for this encryption is disclosed by the client 30. Therefore, when data encrypted by the third-party device 20 with the public key disclosed by the client 30 is uploaded to the server 10, the client 30 keeps the data confidential to the cloud administrator (the administrator of the server 10). It can be managed in a state where it is placed on the server 10 as encrypted data which can be decrypted (decrypted) with a secret key. For example, it is convenient when handling highly confidential data such as personal medical test results as data.

  The server 10 includes a communication interface 11, an encrypted data storage / holding unit 12, a calculation processing unit (calculation unit) 13, and a security update processing unit (conversion unit and replacement unit) 14. The client 30 includes a parameter generation and storage unit 31, a key generation unit 32, a key storage unit 33, a communication interface 34, a general processing unit 35 (generates request contents and decrypts the result), and an updated key generation unit 36. The third-party device 20 includes a processing unit (encryption unit) 21 and a communication interface 22.

  Hereinafter, the functions of the internal configuration of the server 10, the client 30, and the third-party device 20 will be described. However, for convenience of understanding, a description will be given along a series of operations, and thus the description will not necessarily be grouped for each device. I refuse the point. The portion surrounded by the dashed line in FIG. 1 is an optional configuration for updating the security of the encrypted data, and can be omitted when the security update is unnecessary. Hereinafter, description will be made mainly with reference to FIG. 1 drawn as a functional block diagram, but FIG. 2 to FIG. 10 which are explanatory diagrams will be appropriately referred to.

(Generation of public key and private key)
To generate the public key and the secret key, first, the client 30 generates the parameters (q, l, p) by the parameter generation and holding unit 31. q is a positive integer, l is a positive integer, p is a positive integer, and p and q are relatively prime (that is, the least common multiple is 1). l is a number set as the number of components of the plaintext vector. The plaintext vector is an integer in which the number of components is 1 and each component is expressed modulo p. FIG. 2 can be referred to above. The generated parameters are stored in the parameter generation and storage unit 31 and passed to the key generation unit 32. Note that “vector” means a horizontal vector unless otherwise specified (the same applies to the following).

The key generation unit 32 generates a public key, a secret key, and a secret key corresponding to inner product calculation based on the parameters (q, l, p) passed from the parameter generation unit 31. The procedure is as follows and reference can be made to FIG. First, s is determined and n is determined. s is a positive real number and is set as a standard deviation of a discrete Gaussian distribution. n is a positive integer and a number related to security (security), and q, s, and n determine security as encryption. By the way, when q = ²¹¹⁴ , s = 8.0, and n = 2661, for example, in the present embodiment, 80-bit security encryption can be obtained. In general, N-bit security encryption is encryption in which a key (secret key) is found by ^2N decryption calculations.

Next, the key generation unit 32 generates normal random matrices R and S. That, R, S, respectively, each element in a matrix of n rows l column is an integer sampled from a discrete Gaussian distribution of the variance s ^2. In addition, the key generation unit 32 generates a uniform random matrix A. That is, A is a square matrix with n rows and n columns, and each element is an integer randomly sampled from a set of integers (0,..., Q-1).

Further, the key generation unit 32 calculates P. The calculation formula is P = pR-AS. P is an n-by-1 matrix, and each element is an integer expressed modulo q. The series of steps described above, the public key (A, P, n, s ), the secret key as S, the inner product calculation corresponding private key as ^S * (= SS ^T), are respectively generated. Each generated key is passed to the key holding unit 33, where it is stored and held. The secret key S and the secret key corresponding to the inner product calculation are managed so that S ^* does not leak out of the client 30, while the public key (A, P, n, s) is disclosed because of the third-party device 20. Is done. The third-party device 20 can be a device owned by a person who handles confidential data, such as a medical institution.

(encryption)
In the system shown in FIG. 1, the client 30 performs data encryption using a public key, and the resulting encrypted data can be sent to the server 10 and stored on the server 10. Similarly, it is also possible to encrypt the plaintext data of the third-party device 20 that requires confidentiality with the public key of the client 30 and transmit the resulting encrypted data to the server 10 for storage and storage on the server 10. it can. The encryption process itself is the same, but the latter operation will be described below. The procedure is as follows, and FIG. 4 can be referred to.

First, the processing unit 21 of the third party device 20 generates noises e ₁ and e ₂ . e ₁ and e ₂ are vectors each having n components, and each component is an integer sampled from a discrete Gaussian distribution having a variance s ² . In addition, the processing unit 21 generates a noise _{e 3.} e ₃ is a vector of frequency components is l, each component is an integer sampled from a discrete Gaussian distribution of the variance s ^2.

Then, the processing unit 21 calculates _{c 1.} The calculation formula is c ₁ = e ₁ A + pe ₂ . c ₁ is a vector of frequency components is n, each component is an integer represented the q modulo. In addition, the processing unit 21 calculates _{c 2.} The calculation formula is c ₂ = e ₁ P + pe ₃ + m. m is a plaintext vector generated by the third-party device 20, the number of components is 1 and each component is an integer expressed modulo p. c ₂ is a vector having 1 component, and each component is an integer expressed modulo q.

Through the above series of procedures, the encrypted data c is generated as c = (c ₁ , c ₂ ). Note that the third party device 20 needs the public key (A, P, n, s) in the above series of procedures, but also needs at least the parameters (l, p). It is assumed that the parameters (l, p) are understood as a premise in the third party device 20. The generated encrypted data is passed from the processing unit 21 to the communication interface 22, and the communication interface 22 sends the passed encrypted data to the server 10 via the communication path.

  The server 10 receives the encrypted data sent from the third party device 20 through the communication interface 11. The encrypted data received by the communication interface 11 is passed from the communication interface 11 to the encrypted data storage unit 12. The encrypted data storage and holding unit 12 stores and holds the encrypted data passed from the communication interface 11. That is, the encrypted data is data placed on the server 10 as encrypted data that can be decrypted only by the client 30 while keeping the content secret from the administrator of the server 10.

(Decryption)
In the system shown in FIG. 1, decryption is performed exclusively by the client 30. As a result, the confidentiality of data to the administrator of the server 10 is maintained. The operation for simply decoding will be described below. When the client 30 decrypts the encrypted data stored in the encrypted data storage unit 12 and returns it to the plaintext data, the client 30 requests to submit the encrypted data c = (c ₁ , c ₂ ). Is performed on the server 10. Therefore, the general processing unit 35 generates information to that effect. Information indicating this request is passed from the general processing unit 35 to the communication interface 34.

The information indicating the request passed to the communication interface 34 is sent from the communication interface 34 to the server 10 via the communication path. The server 10 receives the information indicating the request sent from the client 30 through the communication interface 11. Information indicating the request received by the communication interface 11 is passed from the communication interface 11 to the calculation processing unit 13. The calculation processing unit 13 extracts the corresponding encrypted data c = (c ₁ , c ₂ ) from the encrypted data storage processing unit 12 according to the content of the passed request. Then, the calculation processing unit 13 passes the extracted encrypted data to the communication interface 11 without performing any particular processing in this case. In general, the calculation processing unit 13 may perform a certain calculation process on the encrypted data. Such a case will be described later.

The encrypted data passed to the communication interface 11 is sent from the communication interface 11 to the client 30 via a communication path. The client 30 receives the encrypted data sent from the server 10 by the communication interface 34. The encrypted data c = (c ₁ , c ₂ ) received by the communication interface 34 is passed from the communication interface 34 to the general processing unit 35.

The general processing unit 35 performs the following as a decryption operation of the encrypted data c = (c ₁ , c ₂ ). This point can be referred to FIG. First, m bar is calculated. The calculation formula is m bar = m = c ₁ S + c ₂ . S is a secret key as described above, and is held in the key holding unit 33. Next, a plaintext vector m is calculated. The calculation formula is m = m bar mod p. m is a plaintext vector (= decoding result) obtained by decoding. As a matter of course, this decryption cannot be executed except by the client 30 holding the secret key S. The secret key is managed so as not to leak out of the client 30.

  As described above, it has been described that the confidentiality of data to the server administrator is maintained in terms of the service of storing and holding data for the client 30 performed by the server 10.

(Properties of encrypted data)
Next, a characteristic unique to the encrypted data generated as described above will be described. The encrypted data generated by the procedures shown in FIGS. 2, 3, and 4 have a certain homomorphism. One of them is the homomorphism of addition, and in general, c + c ′ = Enc (pk, m + m ′). Here, “Enc” means a function of performing the above-described encryption on the plaintext data m + m ′ using the public key pk, and specifically, the public key pk (public key) = (A, P, n , S).

  That is, with the encrypted data c and c ′ and the corresponding plaintext data m and m ′, the operation result of the addition c + c ′ performed on the encrypted data is obtained by encrypting the operation result of the addition m + m ′ performed on the plaintext data. Is equal to This point can be confirmed by referring to FIGS.

  Since the data is such encrypted data, the result of the addition operation performed by the server 10 can be provided to the client 30 as data encrypted in the same format. The client 30 can decrypt this with the corresponding secret key S. That is, by using the encrypted data having a certain homomorphism, the client 30 can manage the certain arithmetic processing of the data performed on the server 10 with the contents kept secret from the server administrator.

The encrypted data generated by the procedures shown in FIGS. 2, 3 and 4 have another homomorphism. That is, this encrypted data generally satisfies c ^T c ′ = Enc (pk, m ^T m ′). Here, c ^T and m ^T are obtained by converting the horizontal vectors c and m into vertical vectors, respectively. That is, the operation result of the tensor product c ^T c ′ (= square matrix of n + 1 rows and n + 1 columns) performed on the encrypted data between the encrypted data c and c ′ and the corresponding plaintext data m and m ′ is plaintext data. The encrypted result of the performed tensor product m ^T m ′ (= a square matrix of n + 1 rows and n + 1 columns) is equal for each element. This point can be confirmed by referring to FIGS.

  Therefore, by using such cryptographic data having homomorphism of the multiplication, the client 30 can also manage the calculation processing for obtaining the product performed on the server 10 with the contents kept secret from the server administrator. The client 30 can decrypt the calculation result with the secret key S.

  Summarizing the above points, it means that the server 10 can process the encryption data generated by the procedures shown in FIGS. 2, 3, and 4 for performing the calculation in the secondary format. When such processing is performed in the server 10, the result becomes data corresponding to the result of performing the same processing on plaintext data, which has a format encrypted with the original public key. Accordingly, the server 10 performs the calculation processing on behalf of the client 30, and provides the result to the client 30, and the client 30 can decrypt this with the secret key. In other words, regarding the calculation processing of the secondary format, the client 30 can manage the calculation processing with the contents kept secret from the server administrator.

FIG. 6 illustrates the relationship between the homomorphism described above and the calculation of the quadratic form once again. FIG. 6 may be easily understood from the above points, but will be briefly reviewed. First, according to FIGS. 2 to 4, the following holds for the plaintext vectors m and m ′ and their ciphertext vectors c and c ′.
c + c '= Enc (pk , m + m') homomorphism ^{c T c '= Enc (pk} , m T m' of ... addition) homomorphism multiplication ... tensor product

Then, for example, plaintext data _x i, the encrypted data _Enc of _{y i (pk, x i)} , Enc (pk, y i) calculation of the quadratic form with:
N
Σ a _i · Enc (pk, x _i ) · Enc (pk, y _i ) (i is a data number)
i = 1
Is equivalent to the following equation, which is the result of encrypting a secondary calculation using plaintext data.
N
Enc (pk, Σ a _i · x _i y _i )
i = 1

Accordingly, performs calculation processing while the server 10 to conceal the plaintext data x _i, y _i to the server administrator, then the client 30 can obtain the calculation result in the decoding.

(About inner product operation)
In the above, the homomorphism of the multiplication of the tensor product in the encrypted data has been described. However, this is, of course, the result of the inner product operation m m ′ ^T of the plaintext vectors m and m ′ and the respective encrypted text vectors c and c. Does not imply homomorphism with the result of the inner product operation c c ' ^T of'. Client 30 inner product mm 'when it is desired to obtain a ^T, as the possibility, tensor product m ^{T m'} can provide this if as a result of the homomorphic operation utilizing the client 30. In this case, in short, it corresponds to encrypting and decrypting each component of the plaintext vector as separate plaintext, and the efficiency of the decryption process at the client 30 does not increase.

Therefore, the server 10 has a function for calculating inner products that increases the efficiency of the decoding process of the client 30 when it is desired to obtain inner products. FIG. 7 is referred to for this description. Plaintext vector m, with respect to ^T 'inner product m m a' m as the number (m m ^'T) bar modulo q, deformation of the formulas shown in the block in the middle of FIG. 7 (mainly the matrix Utilizing the nature of trace)
_{^{Tr (c 1 'T c 1}} SS T) + Tr ((c 1' T c 2 + c 1 T c 2 ') S T) + c 2 c 2' T
It can be expressed as.

That is, in order for the client 30 to obtain the inner product m m ′ ^T of m and m ′, c ₁ ′ ^T c ₁ (a matrix of n rows and n columns; = W ₁ = (α _ij )), c ₁ ′ ^T The requirement to have c ₂ + c ₁ ^T c ₂ ′ (a matrix of n rows and l columns; = W ₂ = (β _ij )) and c ₂ c ₂ ′ ^T (scalar; = ξ) is calculated. What is necessary is just to send to the server 10. In subsequent client 30, the _{W 1,} the trace determined by multiplying the inner product calculation corresponding private key ^S * (= ^SS T = a (γ _ij)), in _{W 2,} transposed matrix ^{S T} of the secret key S (= (Σ _ij )) to find the trace, add ξ to the sum of the above results, and finally convert it to an integer modulo p, yielding the desired inner product m m m ' ^T is obtained.

That is, the server 10 receives the information when the inner product of the two plaintext data m and m ′ corresponding to the two encrypted data c and c ′ is to be obtained from the client 30 (the communication interface 11). ), Based on this information, a square matrix W ₁ = c ₁ ′ ^T c ₁ of n rows and n columns, a matrix W ₂ = c ₁ ′ ^T c ₂ + c ₁ ^T c ₂ ′ of n rows and l columns, and a scalar ξ = _{c 2 c} 2 'calculates the ^T (calculation processing unit 13). Then, the server 10 provides the square matrix W ₁ , the matrix W ₂ , and the scalar ξ to the client 30 (from the calculation processing unit 13 to the client 30 via the communication interface 11). The subsequent operation at the client 30 is as described above.

Regarding the calculation amount in the client 30,
^{_{Tr (c 1 'T c 1}} SS T) + Tr ((c 1' T c 2 + c 1 T c 2 ') S T) + c 2 c 2' T
n n l
= Σ (Σ α _ik γ _ki + Σ β _ij σ _ji ) +
i = 1 k = 1 j = 1
Thus, it is shown that, as the total amount of calculation, the multiplication can be performed by a total of “n (n + 1)” times and the addition can be performed by a total of “n (n + 1) +1” times. According to the total amount of calculation, the decoding process can be more than 30 times faster in the case of 80-bit security and 128-bit security, respectively, than in the case of calculating the inner product using the tensor product.

(Regarding the calculation of the sum of inner products)
Next, the calculation of the sum of inner products will be described with reference to FIG. According to that shown in FIG. 7, the sum of the ^T 'dot product _m 1 _{m 1'} of the plaintext vector _m 1, _{m 1,} plaintext vector _m u, until ^T 'dot product _m u _{m u} of' _{m u} (. 1 to It can be seen that if u) is required by the client 30, it is not enough to obtain u sets of W ₁ , W ₂ , ξ for each inner product and send these from the server 10 to the client 30. In other words, it suffices that the server 10 obtains W ₁ , W ₂ , ξ for each inner product, and sends ΣW ₁ , ΣW ₂ , Σξ to the client 30 (Σ takes the sum of 1 to u). , Decoding is achieved by the following equation. That is,
^{_{(Tr (ΣW 1 SS T)}} + Tr (ΣW 2 S T) + Σξ) mod p
It is.

  This formula has the same form as the formula for decoding to obtain one dot product, so that the client 30 again calculates the total amount of multiplication as “n (n + 1)” times and the addition as “ n (n + 1) +1 "times. There are many applications in which the client 30 needs the sum of inner products of vector data. According to the server 10 of the embodiment, the client 30 can perform very efficient decoding even in such a case.

  As described above, it has been described that the client 30 can manage the calculation processing of the data performed on the server 10 using the homomorphic encrypted data with the content being kept secret from the server administrator.

(Generation of update key)
Next, a procedure for updating the security of the encrypted data stored and held in the encrypted data storage and holding unit 12 will be described (this is an option made by the configuration surrounded by a dashed line in FIG. 1). A common reason for requiring security updates is that cryptographic data has the potential to be compromised from a long-term perspective. In general, to update the security of encrypted data, it is necessary to decrypt the encrypted data once and then perform encryption corresponding to the update again, or to perform security update processing on the encrypted data directly without decrypting the encrypted data. Will be either. In any case, the processing load is not necessarily light, and it is considered that it is preferable to perform the processing not on the client 30 but on the server 10 side.

  If the server 10 performs the process of updating the security of the encrypted data, in the former case, the confidentiality of the data content with respect to the server administrator is lost at the time of the process. Therefore, consistent confidentiality cannot be maintained in a series of services such as data storage and maintenance, calculation processing, and security update, and the services include deficiencies. Therefore, the server 10 is configured to handle encrypted data having homomorphism and to directly perform security update processing on the encrypted data. Then, even if security update processing is performed, homomorphism of the encrypted data is maintained.

The operation for security update starts with generation of an update key in the client 30. The following procedure can refer to FIG. First, the key generation unit 32 of the client 30 generates a new public key (A _new , P _new , n _new , s _new ) generated in the same manner as the public key (A, P, n, s) and a secret key S. A new secret key S _new generated in the same manner is prepared. This operation can be referred to FIG. n _new is a positive integer and is larger than n (= for improving security). The new public key and the new secret key are passed from the key generation unit 32 to the key holding unit 33 and held, and further passed from the key holding unit 33 to the update key generation unit 36. Note that the public key (A, P, n, s) and the secret key S are also passed from the key holding unit 33 to the updated key generation unit 36.

The update key generation unit 36 first calculates κ = ceiling (log ₂ q). ceiling () is a ceiling function, and is a function that converts the number in parentheses into a minimum integer larger than that. Next, the update key generation unit 36 generates random matrices X and E. That is, X is a matrix of nκ rows and n _new columns, and each element is an integer randomly sampled from a set of integers (0,..., Q−1). E is a matrix of nκ rows and l columns, and each element is an integer sampled from a discrete Gaussian distribution having a variance of s _new ² .

Further, the update key generation unit 36 calculates Y. The calculation formula is Y = −XS _new + pE + Power2 (S). Here, Power2 (S) is a matrix of nκ rows and l columns, and is a function for converting S so that Bits (c) · Power2 (S) = c · S. Further, here, Bits (c) is a vector in which the number of components is n and the number of components is nκ in a vector c in which each component is an integer expressed modulo q. Y is a matrix of nκ rows and l columns, and each element is an integer expressed modulo q.

  Through the above series of procedures, the update key is generated as (X, Y) by the update key generation unit 36. This update key is generated so as to have a certain relationship with the public key. Then, the updated key and the new public key held in the key holding unit 33 are passed from the updated key generation unit 36 and the key holding unit 33 to the communication interface 34, respectively. The updated key and the new public key passed to the communication interface 34 are sent from the communication interface 34 to the server 10 via a communication path.

  The server 10 receives the updated key and the new public key sent from the client 30 through the communication interface 11. The update key and the new public key received by the communication interface 11 are passed from the communication interface 11 to the security update processing unit 14. The security update processing unit 14 performs a process of updating security for the encrypted data stored in the encrypted data storage processing unit 12 using the passed update key and the new public key (described below).

(Security Update)
The server 10 uses the update key (X, Y) and the new public key (A _new , P _new , n _new , s _new ) sent from the client 30 to encrypt and store the encrypted data in the encrypted data storage processing unit 12. Performs security update processing for data. This operation is performed by the security update processing unit 14. The security update processing unit 14 uses the update key and the new public key to convert the encrypted data into a form encrypted with the new public key and performs the same Is converted to updated encrypted data which is data having homomorphism. The procedure is as follows, and FIG. 10 can be referred to.

First, the security update processing unit 14 generates noises f ₁ and f ₂ . f ₁ and f ₂ are vectors each having n _new components, and each component is an integer sampled from a discrete Gaussian distribution having a variance s _new ² . In addition, the security update processing unit 14 generates a noise _{f 3.} f ₃ is a vector having a number of components of 1 and each component is an integer sampled from a discrete Gaussian distribution having a variance of s _new ² .

Next, the security update processing unit 14 calculates F. The calculation formula is F = [Bits (c ₁ ) X | Bits (c ₁ ) Y + c ₂ ]. Here, the symbol “|” means matrix concatenation. F is a vector having n _new + l components, and each component is an integer expressed modulo q. For c ₁ and c ₂ , encrypted data (c ₁ , c ₂ ) is extracted from the encrypted data storage processing unit 12 and used. Further, the security update processing unit 14 calculates zero encrypted data E (0). The calculation formula is E (0) = f ₁ [A _new | P _new ] + p [f ₂ | f ₃ ] (see FIG. 4).

Through the above series of procedures, updated encrypted data c _new = (c _new1 , c _new2 ), which is encrypted data after security update, is calculated as F + E (0). The updated encrypted data c _new = (c _new1 , c _new2 ) converted and calculated from the original encrypted data c = (c ₁ , c ₂ ) is passed from the security update processing unit 14 to the encrypted data storage unit 12. . The security update processing unit 14 discards the original encrypted data and replaces it with the updated encrypted data.

  The above-described conversion from the encrypted data to the updated encrypted data maintains the original homomorphism as the encrypted data. This point can be confirmed by referring to FIGS. 9 and 10 and FIGS. Therefore, in the server 10 that performs a predetermined calculation process using the encrypted data in response to the request and provides the result in the encrypted form, the security of the encrypted data can be updated.

  Since the security update is performed on the encrypted data as an operation of the server 10, the processing load on the client 30 whose resources are limited is eliminated. This security update can be repeated many times even if the security is reduced due to the progress of the decryption technology. As a matter of course, the server 10 has a great effect that confidentiality is maintained consistently through a series of services such as data storage, calculation processing, and security update. After the security is updated, the client 30 naturally discloses the new public key instead of the existing public key, and as a result, the third party device 20 thereafter performs encryption using the new public key. The necessary plaintext data is encrypted and sent (uploaded) to the server 10.

  Although the embodiments of the present invention have been described above, the embodiments are presented as examples and are not intended to limit the scope of the invention. The new embodiment can be implemented in other various forms, and various omissions, replacements, and changes can be made without departing from the spirit of the invention. This embodiment and its modifications are included in the scope and gist of the invention, and are also included in the invention described in the claims and their equivalents.

  DESCRIPTION OF SYMBOLS 10 ... Server, 11 ... Communication interface, 12 ... Encrypted data storage / holding part, 13 ... Calculation processing part (calculation part), 14 ... Security update processing part (conversion part, replacement part), 20 ... Third party equipment, 21 ... Processing unit (encryption unit), 22 communication interface, 30 client, 31 parameter generation and holding unit, 32 key generation unit, 33 key storage unit, 34 communication interface. 35: General processing unit (request content generation unit, result decryption unit), 36: Update key generation unit.

Claims (6)

The following formula:
c ₁ = e ₁ A + pe ₂
c ₂ = e ₁ P + pe ₃ + m
c = (c ₁ , c ₂ )
( Here, e ₁ and e ₂ are vectors each having n components, and each component is an integer sampled from a discrete Gaussian distribution having a variance s ² ,
e ₃ is a vector having l components, where each component is an integer sampled from a discrete Gaussian distribution with variance s ² ;
m is plaintext data having a vector format, where the number of components is 1 and each component is an integer expressed modulo p ;
n is a positive integer ,
s is a positive real number ,
l is a positive integer ,
p is a positive integer, p and q are relatively prime ,
q is a positive integer ,
A is a square matrix of n rows and n columns, where each element is an integer randomly sampled from a set of integers (0,..., Q-1) ;
P is due to P = pR-AS (provided that, R, S, respectively, each element in a matrix of n rows l columns integer sampled from a discrete Gaussian distribution of the variance ^{s 2))}
Means for storing and holding a plurality of encrypted data c having a vector format, which is encrypted with the public key (A, P, n, s) of the client, according to
Means for receiving, when information from the client to obtain an inner product of two plaintext data m, m ′ corresponding to two encrypted data c, c ′ of the plurality of encrypted data is obtained, ,
Based on the information,
a square matrix W ₁ = c ₁ ′ ^T c ₁ with n rows and n columns,
n lines l matrix _W 2 = _{c 1} column ^{_{'T c 2 + c 1 T}} c 2', and
Means for calculating a scalar ξ = c ₂ c ₂ ′ ^T ;
Means for providing the square matrix W ₁ , the matrix W ₂ , and the scalar ξ to the client. From the client, a first inner product that is an inner product of two plaintext data m and m ′ corresponding to two encrypted data c and c ′ of the plurality of encrypted data, and a first inner product of the plurality of encrypted data Second information is obtained which is information to be summed with a second inner product which is an inner product of two plaintext data m "and m""corresponding to the two encrypted data c" and c "". Sometimes means for receiving the second information;
Based on the second information,
a second square matrix of n rows and n columns' W ₁ = c ₁ ′ ^T c ₁ + c ₁ ″ ′ ^T c ₁ ″;
n lines l second matrix row ^{_{ΣW 2 = c 1 'T c}} 2 + c 1 T c 2' + c 1 "'T c 2" + c 1 "T c 2"', and
Means for calculating a _second scalar Σξ = c ₂ c ₂ ′ ^T + c ₂ ″ c ₂ ″ ′ ^T ;
The server according to claim 1, further comprising: means for providing the second square matrix {W ₁ , the second matrix {W ₂ , and the second scalar}} to the client. An update key having a relationship with the public key, which is a key for performing security update on the encrypted data, and a new public key, which is a public key of the client after the security update, is performed by the client. Means for receiving the updated key and the new public key when sent from
As the security update performed on the encrypted data, using the update key and the new public key, updating the encrypted data to be data having a format encrypted by the new public key and having homomorphism. Means for converting to encrypted data;
2. The server according to claim 1, further comprising: after the encrypted data is converted into the updated encrypted data, means for discarding the encrypted data and replacing the encrypted data with the updated encrypted data. The update key uses the public key, a secret key corresponding to the public key, the new public key, and a new secret key corresponding to the new public key, using the following equation:
X: a matrix of nκ rows and n _new columns, each element being an integer randomly sampled from a set of integers (0,..., Q−1) Y = −XS _new + pE + Power2 (S)
( Where κ is given by κ = ceiling (log ₂ q) ,
n _new is a positive integer greater than n ;
S _new is a matrix of n _new rows and l columns, where each element is an integer sampled from a discrete Gaussian distribution with variance s _new ² ,
s _new is a positive real number ,
E is an nκ-by-l matrix, where each element is an integer sampled from a discrete Gaussian distribution with variance s _new ² ,
Power2 (S) is a matrix of nκ rows and l columns, and a function for converting S so that Bits (c) · Power2 (S) = c · S ;
Bits (c) is a vector in which the number of components is n and each component is an integer expressed by modulo q .
The public key is (A, P, n, s ), the secret key is S, the new public key _{(A new, P new, n} new, s new), the new secret key is Ri _{S new} der,
A _new is a square matrix with n _new rows and n _new columns, where each element is an integer randomly sampled from a set of integers (0,..., Q−1) ;
P _{new is} due to _{P new = pR new -A new S} new ( provided that, _R new _{new, S new new} respectively, each element in a matrix of n rows l column is an integer sampled from a discrete Gaussian distribution of the variance _{s new new} ² is there))
Is the key (X, Y) generated by
The updated encrypted data has the following formula:
F = [Bits (c ₁ ) X | Bits (c ₁ ) Y + c ₂ ]
E (0) = f ₁ [A _new | P _new ] + p [f ₂ | f ₃ ]
(Where, Bits (c ₁₎ is a vector number component of each of its component bits of the vector c ₁ are integers each component is expressed with q modulo by n, the number of components becomes Enukappa,
f ₁ and f ₂ are vectors each having n _new components, and each component is an integer sampled from a discrete Gaussian distribution having a variance s _new ² ;
f ₃ is a vector having a number of components of 1 and each component is an integer sampled from a discrete Gaussian distribution having a variance of s _new ² )
The server according to claim 3, wherein the encrypted data is F + E (0) generated by:   The following formula:
  c₁= E₁A + pe₂
  c₂= E₁P + pe₃+ M
  c = (c₁, C₂)
(Where e₁, E₂Is a vector with n components and each component has a variance s²Integers sampled from a discrete Gaussian distribution of,
e₃Is a vector having l components, and each component has a variance s²Integers sampled from a discrete Gaussian distribution of,
m is plaintext data having a vector format, where the number of components is 1 and each component is an integer expressed modulo p.,
n is a positive integer,
s is a positive real number,
l is a positive integer,
p is a positive integer and p and q are relatively prime,
q is a positive integer,
A is a square matrix of n rows and n columns, where each element is an integer randomly sampled from a set of integers (0,..., Q-1),
P is determined by P = pR-AS(However,R and S are matrices of n rows and l columns, each element having a variance s²Integers sampled from a discrete Gaussian distribution of))
The encrypted data c having a vector format and encrypted with the public key (A, P, n, s) of the client isThe memory holding unitHold multiple memories,
  When the client provides information for obtaining an inner product of two plaintext data m and m 'corresponding to two encrypted data c and c' of the plurality of encrypted data,Communication interfaceAccept the information,
  Based on the information,
square matrix W of n rows and n columns₁= C₁’^Tc₁,
    a matrix W of n rows and l columns₂= C₁’^Tc₂+ C₁ ^Tc₂',and
Scalar ξ = c₂c₂’^TToCalculation processing partCalculate,
  The square matrix W₁, The matrix W₂, And the scalar ξThe communication interface unit isProvide to the client
  Using a serverService method. From the client, a first inner product that is an inner product of two plaintext data m and m ′ corresponding to two encrypted data c and c ′ of the plurality of encrypted data, and a first inner product of the plurality of encrypted data Second information is obtained which is information to be summed with a second inner product which is an inner product of two plaintext data m "and m""corresponding to the two encrypted data c" and c "". When the communication interface unit receives the second information,
Based on the second information,
a second square matrix of n rows and n columns' W ₁ = c ₁ ′ ^T c ₁ + c ₁ ″ ′ ^T c ₁ ″;
n lines l second matrix row ^{_{ΣW 2 = c 1 'T c}} 2 + c 1 T c 2' + c 1 "'T c 2" + c 1 "T c 2"', and
The calculation processing unit calculates a second scalar Σξ = c ₂ c ₂ ′ ^T + c ₂ ″ c ₂ ″ ′ ^T ,
It said second square matrix .SIGMA.W _1, wherein the second matrix .SIGMA.W _2, and service method of claim 5, wherein said second scalar Σξ said communication interface unit to provide to said client.

Images