JP7250390B1 - Data sharing system, data sharing method, and data sharing program - Google Patents

Abstract

An object of the present invention is to set processing authority for data held by each organization, and to facilitate utilization of data while considering security. A system includes a data providing server, a shared database, and a management server. The data providing server acquires sensitive data including attribute values for each attribute item, and encrypts at least part of the attribute values of the sensitive data. The shared database stores sensitive data encrypted by the data providing server as shared data. The management server manages the processing authority set for each sensitive data attribute item, and upon receiving a processing request for shared data, based on the authority set for the shared data attribute item, , to request the decryption of the attribute value related to the attribute item. The data providing server decrypts the encrypted attribute value of the shared data related to the processing request in response to the decryption request, and provides the shared data related to the processing request including the decoded attribute value. [Selection drawing] Fig. 1

Description

The present disclosure relates to a data sharing system, data sharing method, and data sharing program.

In electronic commerce services provided on the Internet, not only data owned by the organization but also data outside the organization are used, and personal information such as user gender, address, and transaction information is collected by the service provider for marketing purposes. There is a technique to perform statistical analysis as For example, Patent Literature 1 discloses an electronic commerce system that enables a service provider to obtain analysis of transaction history without obtaining personal information of users.

JP 2019-125883 A

However, in the system described in Patent Document 1, a service providing server that wishes to perform statistical analysis transmits an encryption key to all other service providing servers, and the other service providing servers receive the transmitted encrypted key. The data is encrypted using an encryption key and sent to a third party server for statistical analysis. For this reason, for other service providing servers, since the data they own is encrypted with the encryption key of another party, there is concern about the possibility of information security problems such as information leakage and unauthorized use. .

In addition, in order to share and utilize the data owned by the organization with third parties outside the organization, it is necessary to consider security, but excessive data protection such as handling all data with the same security level There is a risk of hindering the promotion of data utilization.

Therefore, the present disclosure was made to solve the above problems, and the purpose is to set the processing authority for the data held by each organization, and to facilitate the utilization of data while considering security. It is to provide a data sharing system that can

In order to achieve the above object, a data sharing system according to the present disclosure is a system comprising a data providing server, a shared database, and a management server, wherein the data providing server includes attribute values for each attribute item. A sensitive data acquisition unit that acquires data, a key management unit that manages an encryption key and a decryption key, and an encryption unit that encrypts at least part of the attribute values of the sensitive data using a predetermined encryption method using the encryption key. and a shared database stores sensitive data encrypted in the data providing server as shared data, and the management server manages the processing authority set for each attribute item of the sensitive data. Then, based on the authority set in the attribute item of the shared data related to the request for processing, the reception unit that receives the request for processing the shared data requests the data providing server to decrypt the attribute value related to the attribute item. The data providing server has a decryption request unit for decrypting the encrypted attribute value of the shared data related to the processing request, and a decryption unit for decrypting the encrypted attribute value of the shared data according to the decryption request using the decryption key. and a providing unit for providing shared data related to the processing request including the attribute value.

Further, in order to achieve the above object, a data sharing method according to the present disclosure is a method in a system including a data providing server, a shared database, and a management server, wherein the data providing server provides an attribute for each attribute item obtaining sensitive data including values; managing encryption and decryption keys; encrypting at least some attribute values of the sensitive data with a predetermined encryption method using the encryption keys; a step in which a database stores encrypted sensitive data as shared data in a data providing server; a step in which a management server manages processing authority set for each attribute item of sensitive data; a step of receiving a request; a step of requesting a data providing server to decrypt an attribute value related to the attribute item based on the authority set in the attribute item of the shared data related to the processing request; decrypting the encrypted attribute value of the shared data relating to the processing request using the decryption key in response to the decryption request; and providing the shared data relating to the processing request including the decrypted attribute value. a step;

Further, in order to achieve the above object, a data sharing program according to the present disclosure is a program executed by a system including a data providing server, a common database, and a management server, wherein a control unit of the data providing server a step of acquiring sensitive data including an attribute value for each attribute item; a step of managing an encryption key and a decryption key; and using the encryption key, encrypting at least part of the attribute value of the sensitive data with a predetermined encryption method. a step in which the storage unit of the shared database stores the sensitive data encrypted in the data providing server as shared data; and a control unit in the management server with processing authority set for each attribute item of the sensitive data. , the step of accepting a request for processing the shared data, and the attribute value related to the attribute item to the data providing server based on the authority set for the attribute item of the shared data related to the processing request. a step of making a decryption request; and providing shared data associated with the processing request, including attribute values.

According to the present disclosure, in a data sharing system, it is possible to facilitate utilization of data held by each organization while considering security.

It is a figure which shows the structure of the data sharing system 1 which concerns on this embodiment. 2 is a functional block diagram showing an example of the functional configuration of the terminal device 100; FIG. 2 is a functional block diagram showing an example of a functional configuration of a data providing server 200; FIG. 3 is a functional block diagram showing an example of a functional configuration of a data conversion server 300; FIG. 3 is a functional block diagram showing an example of a functional configuration of a management server 400; FIG. It is the figure which showed an example of the data structure of sensitive data. FIG. 10 is a diagram showing an example of a screen for setting processing authority; It is a figure which shows an example of the corresponding relationship of predetermined conversion. FIG. 4 is a diagram showing an example of disclosure data; 4 is a flowchart showing an example of processing until disclosed data is displayed in the data sharing system 1. FIG. 3 is a block diagram showing the hardware configuration of a management server 400; FIG. It is a figure which shows the structure of the data-sharing system 2 which concerns on this embodiment. FIG. 10 is a diagram showing an example of a data structure of sensitive data according to the second embodiment; It is a figure which shows an example of the data structure of encrypted sensitive data. It is a figure which shows an example of the data structure of integrated data. 3 is a functional block diagram showing an example of a functional configuration of a management server 700; FIG.

Hereinafter, embodiments of the present disclosure will be described with reference to the drawings. In all the drawings for explaining the embodiments, common constituent elements are given the same reference numerals, and repeated explanations are omitted. It should be noted that the following embodiments do not unduly limit the content of the present disclosure described in the claims. Also, not all the components shown in the embodiments are essential components of the present disclosure.

<Overview of the present invention>
In recent years, an increasing number of organizations possess a large amount of sensitive data such as customer information. As a result, not only the own organization but also the sensitive data possessed by other organizations can be used for statistical analysis processing, etc., and cloud services that lead to new business knowledge and services are becoming widespread. Sensitive data is information that requires careful attention when handling data, such as security considerations and privacy protection. data processing.

Therefore, in the data sharing system according to the present invention, the sensitive data provided by the organizations participating in the system is encrypted using a predetermined encryption method (an encryption method that allows operations including search and analysis to be performed in an encrypted state). method), and the keys used for encryption and decryption are managed by each organization that provided the sensitive data. As a result, the organization can manage the decryption process for the sensitive data held by the organization and the execution results of data processing related thereto.

On the other hand, even if all data can be encrypted with a predetermined encryption method and can be operated while encrypted as described above, data sharing in a form that does not disclose the contents of the data at all promotes data utilization. may interfere with For example, although it is not necessary to acquire the detailed contents of the sensitive data or the result of calculation, if the overall trend and outline are known, it may be sufficient as statistical information. In addition, for example, if shared data including sensitive data held by other organizations can be displayed like the database of the own organization, the visibility will be improved and the convenience of data utilization will be enhanced.

Therefore, in the data sharing system according to the present invention, a disclosure level is set for each attribute item for sensitive data including an attribute value for each attribute item, and disclosure data is generated based on the disclosure level. As a result, sensitive data shared with other organizations can be easily utilized while considering security.

<Embodiment 1>
A data sharing system 1 according to the first embodiment is a system for sharing sensitive data held by "Company A", which is an organization participating in the platform, with users of other organizations.
(Configuration of data sharing system 1)

FIG. 1 is a diagram showing the configuration of a data sharing system 1 according to this embodiment. A configuration of a data sharing system 1 according to the first embodiment will be described with reference to FIG.

The data sharing system 1 includes an in-house system 10, a data center 20, terminal devices 600-1, 600-2, . . . , 600-N (N is a natural number. ), and are communicably connected via a network NW.

The data sharing system 1 is a platform on which an organization participating in the system can set processing authority for other organizations to use sensitive data owned by the system, and allow the use of sensitive data shared with other organizations. be. An organization is a user who uses the system, and is not limited to companies and organizations, but also groups such as divisions, sections, groups, teams, etc. divided by role, individuals who make up the group, and users who use the system. It may be an individual or the like.

The network NW is, for example, a WAN (Wide Area Network), a LAN (Local Area Network), an optical line network, an intranet, etc., but may be composed of any network. Also, the devices and the like that constitute the data sharing system 1 may be locally connected without going through the network NW.

The in-house system 10 is the in-house system of Company A, an organization that participates in the platform. In-house system 10 includes terminal devices 100-1, . 300 and . The in-house system 10 may be on-premises or in the cloud (private cloud, hybrid cloud, etc.), and the terminal device 100 may not be physically located within the company A.

The terminal device 100 is an information processing device used by a person (for example, an employee of the company A) who has the authority to access the in-house system 10 of the company A. is. It may also be a wearable terminal such as a head-mounted display, an AR (Augmented Reality)/VR (Virtual Reality)/MR (Mixed Reality) device, or the like. The terminal device 100 may transmit sensitive data including attribute values for each attribute item (column) to the data providing server 200 . The data structure of sensitive data will be described later (see FIG. 6, etc.).

The data providing server 200 is an application server that provides sensitive data owned by company A to the data sharing system 1 . The data providing server 200 encrypts at least part of the attribute values of the sensitive data acquired from the terminal device 100 or the like, and transmits the encrypted attribute values to the management server 400 . Also, in response to a decryption request from the management server 400, it decrypts encrypted attribute values, calculation results, and the like. The data providing server 200 may store and manage the encryption key and the decryption key within its own server, or may store and manage the encryption key and the decryption key in another information processing device (for example, KMS (Key Management System)). ) may be entrusted with management).

The data conversion server 300 is an application that generates data to be disclosed to persons of other organizations (organizations other than company A in the example of FIG. 1) participating in the data sharing system 1 based on the data acquired from the data providing server 200. is the server. The disclosed data generated by the data conversion server 300 is displayed, for example, on the terminal device 600 (described later). Data conversion server 300 is configured separately from data providing server 200 in the example of FIG. 1 , but data providing server 200 may have the functions of data conversion server 300 .

The data center 20 manages data shared in the data sharing system 1 and executes processing according to requests from users. The data center 20 has a management server 400 and a shared database 500 .

The management server 400 stores the encrypted sensitive data acquired from the data providing server 200 in the shared database 500 as shared data. In addition, in response to a request for processing shared data received from a user, the management server 400 requests the data providing server 200, which provided the shared data (sensitive data), the attribute value of the shared data related to the processing request. Request decryption.

The shared database 500 stores sensitive data encrypted in the data providing server 200 as shared data.

The terminal device 600 is an information processing device used by a user who uses the data sharing system 1, and is similar to the terminal device 100 described above. The user of the terminal device 600 is, for example, a user who belongs to an organization other than company A, or a user who is not authorized to access the in-house system 10 .

The terminal device 600 requests the management server 400 to process the shared data stored in the shared database 500 . Here, the "processing" requested by the terminal device 600 includes, for example, viewing shared data, searching, tabulating processing, and statistical processing.

The user may explicitly operate the terminal device 600 to send the request for viewing the shared data to the management server 400, or when the user logs into the data sharing system 1, the request for viewing is automatically sent to the management server. 400 and preset on the terminal device 600 of the user may be displayed. When a user logs into the data sharing system 1 and, for example, shared data of other organizations is also displayed as an initial screen, the user can browse the shared data as if it were a database of his/her own organization.

In FIG. 1, the data sharing system 1 includes one data providing server 200. However, when multiple organizations participate in the data sharing system 1, multiple data providing servers 200 associated with each participating organization Prepare.

The functional configuration and processing of each server, etc., constituting the data sharing system 1 described above will be described below. Note that the functional blocks and processing blocks representing each functional configuration are not limited to being implemented by one device or computer processor, and may be implemented by a distributed group.

(Functional configuration of terminal device 100)
FIG. 2 is a functional block diagram showing an example of the functional configuration of the terminal device 100. As shown in FIG. An example of the functional configuration of the terminal device 100 will be described with reference to FIG. Since the terminal device 600 has the same functional configuration as the terminal device 100, the description of the functional configuration of the terminal device 600 is omitted in this specification.

Terminal device 100 includes communication unit 101 , storage unit 102 , input unit 103 , output unit 104 , and control unit 105 . The terminal device 100 is, as described above, an information processing device operated by, for example, an employee of company A who participates in the platform (data sharing system 1).

The communication unit 101 allows the terminal device 100 to communicate with a server, device, or the like via a network within the in-house system 10 or a network NW (hereinafter sometimes referred to as “network NW, etc.”) according to a predetermined communication protocol. It has a communication interface circuit for The predetermined communication protocol is TCP/IP (Transmission Control Protocol/Internet Protocol) or the like. The communication unit 101 may transmit an identifier that identifies the terminal device.

The communication unit 101 sends the received data to the control unit 105, and also sends the data received from the control unit 105 to a server, a device, or the like via the network NW or the like. Data may be exchanged with functional blocks other than the control unit 105 of the control unit 105 . Note that the communication unit 101 transmits and receives data to and from a device via a network NW or the like, a locally connected device, or the like, through a secure communication channel in which security is ensured. The construction of a secure communication channel and the communication method are well-known techniques using session keys (common keys), public keys, etc., so description thereof will be omitted.

The storage unit 102 is, for example, a memory device such as RAM (Random Access Memory) or ROM (Read Only Memory), or a portable storage device such as HDD (Hard Disk Drive), SSD (Solid State Drive), flexible disk, or optical disk. It is a device. The storage unit 102 stores computer programs, sensitive data, and the like used for various processes of the terminal device 100 . The computer program may be installed in the storage unit 102 from a computer-readable portable recording medium using a known setup program or the like. Portable recording media include, for example, CD-ROMs (Compact Disc Read Only Memory) and DVD-ROMs (Digital Versatile Disc Read Only Memory). The computer program may be installed from a predetermined server or the like. Also, the storage unit 102 may store the session key described above. Further, the sensitive data stored in the storage unit 102 may be deleted after being transmitted to the data providing server 200 in order to prevent information leakage.

The input unit 103 is an interface that receives user input of the terminal device 100 . The input unit 103 is, for example, a keyboard, a touch panel, or a microphone that detects voice input, but is not limited to these. The input unit 103 may receive, for example, sensitive data or the like from the user.

The output unit 104 is an interface that outputs information and notifies the user. The output unit 104 is, for example, a display or a speaker that outputs audio, but is not limited to these. The output unit 104, for example, displays data received from other terminal devices 100, 600, data conversion server 300, etc. on a display.

The control unit 105 is a processor such as a CPU (Central Processing Unit) that controls each function of the terminal device 100 and operates based on a program stored in advance in the storage unit 102 . A DSP (Digital Signal Processor) or the like may be used as the control unit 105 . Further, as the control unit 105, a control circuit such as LSI (Large Scale Integration), ASIC (Application Specific Integrated Circuit), FPGA (Field-Programming Gate Array), or the like may be used.

The control unit 105 executes various processes according to instructions from the user via the input unit 103 . For example, the control unit 105 transmits sensitive data and the like to the data providing server 200 via the communication unit 101 . Also, a request for processing the shared data may be transmitted to the management server 400 via the communication unit 101 .

(Functional configuration of data providing server 200)
FIG. 3 is a functional block diagram showing an example of the functional configuration of the data providing server 200. As shown in FIG. An example of the functional configuration of the data providing server 200 will be described with reference to FIG.

The data providing server 200 includes a communication section 201 , a control section 202 , a storage section 203 , a key management section 204 , an encryption section 205 and a decryption section 206 .

The communication unit 201, like the communication unit 101 of the terminal device 100, has a communication interface circuit for communicating with a server, a device, or the like via a network NW or the like according to a predetermined communication protocol. The communication unit 201 sends the received data to the control unit 202 . Also, the communication unit 201 transmits data received from the control unit 202 to a server, a device, or the like via the network NW. Note that the communication unit 201 transmits and receives data to and from a device or the like via a network NW or the like through a secure communication channel in which security is ensured.

The communication unit 201 functions as a “sensitive data acquisition unit” that acquires sensitive data including attribute values for each attribute item. The communication unit 201, for example, acquires sensitive data owned by an organization participating in the platform. In the example of FIG. 1, the data providing server 200 acquires sensitive data from terminal devices 100 used by employees of company A, for example.

The sensitive data is, for example, the location of each office of Company A, customers, sales of products for each office, etc., and includes attribute items (columns) that indicate the attributes of each office and their attribute values (character strings or numerical value). Sensitive data is not limited to these, and may be, for example, information about an individual. Personal information includes, for example, age, gender, income, area of residence, purchase information, e-mail address, telephone number, place of work, and the like. Further, the sensitive data may be log data or the like related to the device, and the communication unit 201 may acquire the log data from the device or the like. The data structure of sensitive data will be described later (see FIG. 6).

The communication unit 201 also functions as a “providing unit” that provides shared data related to a processing request, including attribute values decoded by a decoding unit 206 (described later). The communication unit 201 provides, for example, the data conversion server 300 (detailed in FIG. 4) with shared data related to the processing request, including the decoded attribute value. Note that the communication unit 201 confirms that, for example, the authority related to disclosure set in (the user of) the terminal device 600 requesting viewing as processing is an authority that permits the disclosure of raw data of at least part of the attribute values. In this case, the shared data including the decoded attribute value and related to the processing request may be transmitted to the terminal device 600 . The terminal device 600 can view attribute values for which disclosure of raw data is permitted.

The control unit 202, like the control unit 105 of the terminal device 100, controls each function of the data providing server 200, and is a processor such as a CPU that operates based on a program stored in advance in a storage unit 203 (described later). be.

The control unit 202 controls the encryption unit 205 to encrypt sensitive data acquired via the communication unit 201 . Also, the control unit 202 controls the decoding unit 206 to decode the attribute values of the shared data acquired via the communication unit 201 .

The storage unit 203 has a storage device and the like similar to the storage unit 102 of the terminal device 100 . In addition, the storage unit 203 stores computer programs and the like used for various processes of the data providing server 200 . The storage unit 203 also stores, for example, encrypted sensitive data, encryption keys and decryption keys managed by the key management unit 204, which will be described later.

The key management unit 204 manages encryption keys and decryption keys. The key management unit 204 may generate a key according to the encryption method requested by the encryption unit 205, for example. If the encryption method is, for example, a homomorphic encryption method (Paillier method) that allows addition and subtraction in the encrypted state (additive), a set of public key (encryption key) and private key (decryption key) is generated. .

In addition, the encryption method is an order preserving encryption method (OPE method) in which the size relationship of the ciphertext matches the size relationship of the corresponding plaintext, and a searchable encryption method that can determine whether the plaintext matches in the encrypted state. In the case of the method, a secret key (common key) is generated. As described above, the encryption key and the decryption key may be different keys such as a set of a public key and a private key, or may be the same key such as a common key. Note that the key generation algorithm is a well-known technique, so the explanation is omitted.

The key management unit 204 causes the storage unit 203, for example, to store the generated keys and parameters for key generation. The key management unit 204 manages the generated key in association with the encryption method, which data (attribute value for each attribute item (column), etc.) was used for encryption, and the like. A key management server (not shown in FIG. 1) outside the data providing server 200 may have the function of the key management unit 204, and the key management in the data sharing system 1 may be performed by the key management server. good.

The encryption unit 205 encrypts at least part of the attribute values of the sensitive data acquired by the communication unit 201 using a predetermined encryption method. The predetermined encryption method includes an encryption method that can calculate at least a part of the attribute value of the sensitive data acquired by the communication unit 201 in an encrypted state. Advanced Encryption Standard), DES (Data Encryption Standard), searchable encryption, SHA (Secure Hash Algorithm), MD5 (Message Digest algorithm 5), and the like. Note that "calculation" includes calculations related to addition, subtraction, multiplication and division, searches, and calculations related to analysis.

In this embodiment, the encryption unit 205 uses a homomorphic encryption method (Paillier method, Lifted-Ellgamal method, Somewhat Homomorphic Encryption method, Fully Homomorphic Encryption method, etc.) and/or order preserving encryption method (OPE method). Since the processing efficiency differs depending on the encryption method depending on the content of data processing, each attribute item can be encrypted with homomorphic encryption, attribute values encrypted with order-preserving encryption, or searchable You may hold|maintain by several encryption methods, such as the attribute value encrypted by the encryption method. If the data format is a character string, it is encrypted using a searchable encryption method or an AES encryption that allows complete matching on the ciphertext. The above encryption method applied to each data format is just an example, and the organization that holds the sensitive data determines which attribute value to encrypt and which encryption method to use. may decide.

In response to a decryption request (detailed in FIG. 5) from the management server 400, the decryption unit 206 uses the decryption key to convert the encrypted attribute value of the shared data related to the processing request accepted by the management server 400. Decrypt. More specifically, the decryption unit 206 decrypts, from the storage unit 203, the attribute values of the attribute items encrypted with the encryption key managed by the key management unit 204, among the shared data requested by the management server 400 to be decrypted. Get the decryption key and decrypt it according to the encrypted encryption method. In addition, the decryption unit 206 can decrypt not only the attribute value, but also the execution result obtained by calculating the above attribute value in an encrypted state using a cryptographic method. Note that the decoding algorithm is a well-known technique, so the explanation is omitted.

Also, the decoding unit 206 sends shared data including the decoded attribute value to the control unit 202 . The control unit 202 transmits the shared data to a server or the like connected to the network NW or the like via the communication unit 201 .

(Functional configuration of data conversion server 300)
FIG. 4 is a functional block diagram showing an example of the functional configuration of the data conversion server 300. As shown in FIG. An example of the functional configuration of the data conversion server 300 will be described with reference to FIG.

The data conversion server 300 includes a communication section 301 , a control section 302 and a storage section 303 .

The communication unit 301, like the communication unit 101 of the terminal device 100, has a communication interface circuit for communicating with a server, a device, or the like via a network NW or the like according to a predetermined communication protocol. The communication unit 301 sends the received data to the control unit 302 . Also, the communication unit 301 transmits data received from the control unit 302 to a server, a device, or the like via a network NW or the like. Note that the communication unit 301 transmits and receives data to and from a device or the like via a network NW or the like through a secure communication channel in which security is ensured.

The control unit 302, like the control unit 105 of the terminal device 100, controls each function of the data conversion server 300, and is a processor such as a CPU that operates based on a program stored in advance in a storage unit 303 (described later). be. The control unit 302 performs predetermined conversion on the shared data provided by the data providing server 200 based on the disclosure level information (detailed in FIG. 5) to generate disclosure data. The control unit 302 controls the communication unit 301 to transmit the generated disclosure data to the terminal device 600 that transmitted the processing request.

Here, the "predetermined conversion" includes any one of the processes of abstraction, addition of noise, and replacement of attribute values. The abstraction of attribute values means, for example, coarsening the granularity of attribute value information. The granularity of information is the fineness of information. For example, the coarser the granularity, the more simplified, generalized, and grouped the information, and the finer the granularity, the more specific the information. That is, the coarser the granularity, the more difficult it is to uniquely identify information.

How the attribute value is to be converted according to the content of the attribute item may be set in advance by the data provider as information on the disclosure level.

For example, if the attribute item corresponds to prefectures, and the information on the disclosure level is set to change the granularity of prefecture names and convert prefecture names to region names for disclosure, the control The unit 302 may generate disclosure data by converting the prefecture name of the attribute value into an area name. For example, if the attribute value is "Tokyo", the control unit 302 generates disclosure data converted to "Kanto" (area name). Alternatively, disclosure data may be generated by converting a group name such as "region 1" instead of a specific region name. Further, when the attribute item corresponds to the address, the disclosure data may be generated by deleting the chome and street address and converting the name to the name of the city, town, village or ward.

Further, for example, when the attribute item corresponds to sales, and the information on the disclosure level is set to change the granularity of the numerical value and convert the numerical value into an approximate number for disclosure, the control unit 302 Disclosure data may be generated by converting numerical values of attribute values into round numbers. For example, if the attribute value is "4,329,450 yen", the control unit 302 generates disclosure data converted into an approximate number such as "4,300,000 yen". It should be noted that the extent to which the approximation should be made can be appropriately set by the owner of the sensitive data, etc., according to the disclosure level. For example, it may be changed step by step, such as an approximate number up to the million place and an approximate number up to the 10,000 place. Further, only the characteristic value and the mode value among the attribute values related to the attribute items may be converted into approximate numbers and disclosed.

Also, for example, when an attribute item corresponds to a product ID (product name), as information on the disclosure level, the granularity of the product ID is changed and the product ID is converted into a product category (type) and disclosed. , the control unit 302 may generate disclosure data in which the attribute value product ID is converted into the product category. For example, if the attribute value is a product ID that identifies a product, such as "SL9018BL", the disclosed data is generated by converting it into the product category "office supplies". It should be noted that the product may be converted into subcategories according to the set disclosure level. For example, a subcategory of "office supplies" may disclose information that further identifies the type of product, such as "envelopes" and "clips."

Further, for example, when the attribute item corresponds to age, the granularity of numerical values may be changed to generate disclosure data converted into age groups (eras). For example, if the attribute value is "26 years old", the control unit 302 generates disclosure data converted to "20's".

Further, the control unit 302 may generate disclosure data by adding a predetermined numerical range to the attribute value of the shared data provided by the data providing server 200 as a predetermined conversion. For example, if the attribute item corresponds to age or weight, a differential privacy method may be used to add noise (predetermined numerical value width) to the numerical value. For example, if the attribute value is "26 years old", disclosure data is generated by conversion to give a range of 3 years old, such as "23 to 29 years old".

In this way, by disclosing attribute values after converting them in a predetermined manner instead of disclosing them as raw data, it is possible to protect the contents of sensitive data and share them as meaningful data for analysis. Note that the predetermined conversion described above is an example, and is not limited to these.

On the other hand, the attribute values of attribute items that are not permitted to be disclosed may be disclosed as encrypted attribute values. Disclosure data may be generated. Disclosure data may also be generated by converting or adding encrypted data including irreversible hash data, data generated by learning the original data, or randomly generated data. Disclosure data may also be generated by replacing the attribute values of attribute items whose disclosure is not permitted with a message indicating that they are private, or a description of the billing amount required for disclosure.

In addition, in the present embodiment, the control unit 302 transmits the generated disclosure data to the terminal device 600 that transmitted the processing request. The disclosure data may be transmitted from the server 400 to the terminal device 600 that transmitted the request for processing.

The storage unit 303 has a storage device and the like similar to the storage unit 103 of the terminal device 100 . Further, the storage unit 303 stores computer programs and the like used for various processes of the data conversion server 300 . The computer program may be installed in the storage unit 303 from a computer-readable portable recording medium using a known setup program or the like. The storage unit 303 stores a table indicating the conversion correspondence relationship for the above-described predetermined conversions for attribute values. A table showing the correspondence will be described later (FIG. 8).

(Functional configuration of management server 400)
FIG. 5 is a functional block diagram showing an example of the functional configuration of the management server 400. As shown in FIG. An example of the functional configuration of the management server 400 will be described with reference to FIG.

The management server 400 includes a communication section 401 , a storage section 410 and a control section 420 .

The communication unit 401, like the communication unit 101 of the terminal device 100, has a communication interface circuit for the management server 400 to communicate with each server, device, etc. via the network NW or the like according to a predetermined communication protocol. The communication unit 401 sends the received data to the control unit 420, and also sends the data received from the control unit 420 to a server, an apparatus, or the like via the network NW or the like.

Also, the communication unit 401 functions as a “receiving unit” that receives requests for processing shared data stored in the shared database 500 . Note that the communication unit 401 transmits and receives data to and from a device or the like via a network NW or the like through a secure communication channel in which security is ensured.

The storage unit 410 has a storage device and the like similar to the storage unit 103 of the terminal device 100 . Further, the storage unit 410 stores computer programs and the like used for various processes of the management server 400 .

The storage unit 410 has a setting file 411 that is information about processing authority set for each attribute item of sensitive data. The authority to process includes the authority to disclose attribute values for each attribute item. The authority for disclosure of attribute values includes information about users who are permitted to disclose, for example, information indicating organizations permitted to disclose sensitive data among organizations participating in the platform. It should be noted that the information may also include information about groups within the organization and job titles, such as departments, groups, and persons with job titles above a certain level in the organization. It may also include email addresses, domains, and information identifying individuals authorized to be disclosed.

Also, the attribute value disclosure authority includes information about the disclosure level for the attribute value. For example, the disclosure level is divided into multiple stages, and the raw data of the attribute value is disclosed (high level), the attribute value (numerical value or character) is disclosed after a predetermined conversion (medium level), and the attribute value is disclosed. It may be divided into levels such as not permitted (low level).

Also, the authority to disclose attribute values may be set using an input element having multiple stages. For example, a plurality of disclosure levels may be set using input elements such as numerical input and slide bars. By dividing the disclosure level into a plurality of stages (for example, four or more stages), the granularity of information may be changed more finely.

In this way, it is possible to change the disclosure contents of the attribute value step by step according to the disclosure level. For example, the disclosure data includes at least one of a decrypted attribute value, a predetermined transformed attribute value, and an encrypted attribute value. Therefore, disclosure data is generated and displayed on the user's terminal device based on the information about the disclosure level. Users who use the data can use the data as if it were a database within their own organization.

In addition, for example, by changing the content to be disclosed depending on the charge amount, users who use sensitive data will be more motivated to know detailed content than when not disclosing everything, Motivation to pay higher fees can be given.

The control unit 420 has an overall control unit 421 , an authority management unit 422 , an arithmetic execution unit 423 and a decryption request unit 424 . The overall control unit 421 is a processor such as a CPU that controls each function of the management server 400 and operates based on a program stored in the storage unit 410 in advance, like the control unit 105 of the terminal device 100 .

The authority management unit 422 manages processing authority set for each attribute item of sensitive data. The authority management unit 422 receives, for example, information about processing authority set for each attribute item of sensitive data, which is input from the terminal device 100 or the like, via the communication unit 401, and stores it in the storage unit 410 as a setting file 411. Memorize. The information about the processing authority may be set in the data providing server 200 and shared with the management server 400, or may be set in advance by the operator of the data sharing system 1. FIG.

Also, the authority management unit 422 may set the disclosure level according to the content of the attribute item of the sensitive data. For example, if the attribute item is information that identifies an individual, such as "name", the attribute value may be automatically set to non-disclosure (low disclosure level). Also, the authority management unit 422 learns the relationship between the content of the attribute item and the predetermined conversion actually performed based on the information about the authority for the received processing, and automatically sets the disclosure level. may

Also, the information on the processing authority may be managed by the data providing server 200 that provided the data. In this case, every time the communication unit 401 receives a request to browse the shared data, the authority management unit 422 inquires of the data providing server 200 that provided the shared data about whether or not to disclose the shared data.

In this embodiment, the processing authority is managed by the management server 400, but may be managed by the data providing server 200, or managed by both the data providing server 200 and the management server 400. can be

The calculation execution unit 423 executes calculation processing on shared data. Then, the calculation execution unit 423 sends the execution result of the process to the decryption request unit 424 (described later). Here, the arithmetic processing includes search processing and/or statistical processing for at least part of the attribute items of shared data. In this embodiment, search processing refers to processing for extracting records that satisfy a predetermined condition. Statistical processing is, for example, processing performed by an aggregation function. SUM function), processing for averaging data in numeric columns of a table (AVG function), processing for obtaining the maximum value of data in any column of a table (MAX function), processing for obtaining the minimum value of data in any column of a table (MIN function), etc., but not limited to these. SQL syntax such as "GROUP BY" for grouping by target segment and "ORDER BY" for rearranging in ascending/descending order may be used.

Note that, in the present embodiment, computation processing is executed in the management server 400, but the data providing server 200 and the shared database 500 are provided with the same function as the computation execution unit 423 to execute computation processing. You may let

The decryption request unit 424 requests the data providing server 200 to decrypt the attribute value related to the attribute item based on the processing authority set for the attribute item of the shared data related to the processing request. For example, when the communication unit 401 receives a browse processing request from the terminal device 600-1, the decryption request unit 424 accesses the setting file 411 and sets the attribute item of the shared data related to the processing request. Refers to the permissions for the processed actions. Decryption request unit 424 determines whether the user associated with terminal device 600-1 is a user whose disclosure is permitted based on the authority for the processing and the identifier of the user associated with terminal device 600-1. to judge. If the user of terminal device 600-1 is determined to be a user whose disclosure is permitted, decryption request unit 424 requests data providing server 200 to decrypt the attribute value of the shared data related to the processing request. conduct. It should be noted that the fact that the user is "permitted to disclose" includes the disclosure of raw data and the permission of disclosure after predetermined conversion.

Note that in the present embodiment, of the shared data stored in the shared database 500, the shared data related to the processing request is included in the above-described decryption request. However, if the sensitive data transmitted to the management server 400 is stored in the data providing server 200, the shared data need not be included in the decryption request. The decryption request may also contain information about the disclosure level. The data conversion server 300 performs predetermined conversion based on the information about the disclosure level acquired via the data providing server 200 .

Further, the decryption request unit 424 may issue a decryption request based on the number of records included in the shared data related to the processing request. If the number of records of the shared data related to the processing request is less than or equal to a predetermined number (for example, 1), there is a possibility that the data can be identified even if the shared data is subjected to a predetermined conversion. Therefore, the decryption request unit 424 may determine that decryption is not requested when the number of records is equal to or less than a predetermined number. Note that the condition for not requesting decryption when there is a possibility that data can be identified is not limited to the number of records, and may be based on a combination of attribute items permitted to be disclosed as raw data.

Further, when the decryption request unit 424 receives the execution result from the calculation execution unit 423, the data providing server 200 manages the data providing server 200 that provided the sensitive data including the attribute item to be processed for the calculation. Requests decryption of execution result by decryption key. In other words, the data providing server 200 that provided the sensitive data including the attribute item manages the result of performing the operation on the attribute value of the attribute item to be processed while it is in an encrypted state for statistical processing. Encrypted with an encryption key. Therefore, the decryption process must be performed by the data providing server 200 that manages the decryption key corresponding to the encryption key. Therefore, the decryption request unit 424 requests the data providing server 200 that provided the sensitive data related to the processing request to decrypt the execution result. The decryption unit 206 of the data providing server 200, in response to the decryption request for the execution result, generates a decryption key corresponding to the encryption key used to encrypt the sensitive data in the same manner as the decryption of the encrypted attribute value of the shared data described above. to decrypt the execution result. Note that disclosure data may be generated by performing a predetermined conversion as described above also regarding the disclosure of the execution result of the calculation.

FIG. 6 is a diagram showing an example of the data structure of sensitive data. In FIG. 6, a table 1000 and a table 1100 are shown.

In this embodiment, the sensitive data is information about Company A's customers. Table 1000 includes attribute item 1010 and records 1021, 1022, and 1023 as sensitive data.

Attribute items 1010 include items (column names) such as “membership number”, “name”, “address”, “date of birth”, “age”, “gender”, “e-mail address”, and “purchase amount”. include.

A record is one row of data in a table and includes attribute values corresponding to attribute items. In the example of FIG. 6, three records 1021, 1022, and 1023 are included. For example, the attribute value corresponding to the attribute item "member number" of record 1021 is "12345". Similarly, "Name" is "Shuichi Kuramochi", "Address" is "4-2-7 Chuo, Higashiyamato-shi, Tokyo", "Date of Birth" is "March 8, 1951", and "Age" is " 71", "male" for "gender", "kuramochi38@example.org" for "mail address", and "35210" for "purchase amount".

In table 1100, attribute values of sensitive data shown in table 1000 are encrypted for each cell. As described in FIG. 3, if the attribute value is numeric, it is encrypted with homomorphic encryption and/or order-preserving encryption, and if the attribute value is a string, it is encrypted with AES and/or searchable encryption. can be encrypted with Note that the encryption method is an example, and is not limited to the method described above.

As shown in FIG. 6, when the attribute value is encrypted, it becomes a random string of numbers, alphabets, and the like. Therefore, even if a user browses the encrypted sensitive data, he/she cannot understand the meaning of the data. In this embodiment, attribute items are not encrypted, and attribute item names are shared among users participating in the platform. By informing the user of what attribute items are included in the shared data, it is possible to motivate the user to pay a fee for data disclosure.

Also, the attribute value may be encrypted for each column instead of being encrypted for each cell. Attribute values may be generated by encrypting data for each record and by encrypting the entire column, so that the decryption target can be selected according to the content of the requested processing. Encrypted data for each record is suitable for search and statistical processing, but the data size increases, while data encrypted for each column is encrypted for each record for browsing. There is an effect that the processing man-hours for decoding are less than for data.

FIG. 7 is a diagram showing an example of a screen for setting processing authority. With reference to FIG. 7, a setting example of authority regarding disclosure of attribute values for each attribute item will be described. For example, the user accesses the portal site of the data sharing system 1, displays a management screen on a terminal device, etc., and sets the authority for processing sensitive data provided to the system 1 via the management screen of the portal site. You may do so.

The table 2000 indicates the disclosure level of the authority for disclosure of attribute values by a slide bar step by step for each user (organization, etc.) who is the disclosure target. In the example of FIG. 7, there are three levels of disclosure. Disclosure level 3 discloses the attribute value as raw data, disclosure level 2 discloses the attribute value after a predetermined conversion, and disclosure level 1 does not disclose the attribute value. , The authority for disclosure is set. That is, in the attribute item "item 1", disclosure level 3 is set for company B and company C, disclosure level 2 is set for company D, and disclosure level 1 is set for company E. In addition, in the case of disclosure level 1 (non-disclosure), the content is disclosed in such a way that it cannot be understood. Alternatively, it may be possible to mask off characters, etc., or display the billing amount for disclosure.

In addition to the slide bar shown in FIG. 7, the authority to disclose the attribute value may be set using an input element having a plurality of stages, such as a numerical input, a check box, or the like. Also, instead of setting for each organization, it may be possible to collectively select/cancel, or to present to the user a disclosure level that is often set according to the content of the attribute item as an initial setting. In addition, although there are three levels of disclosure in FIG. 7, it may be divided into more levels so that the granularity of information to be disclosed can be finely changed.

Information about the processing authority set in the table 2000 is stored as the setting file 411 of the management server 400 .

FIG. 8 is a diagram showing an example of a correspondence relationship between predetermined conversions. For example, the data conversion server 300 performs predetermined conversion based on the table 3000 for attribute values of attribute items. Note that the table 3000 may be acquired from the data providing server 200 or the management server 400 .

A table 3000 shows an example of attribute value conversion for each attribute item. For example, the attribute item "membership number" is converted to "randomize" (numbers are randomly rearranged). For example, for the attribute item "address", the address is converted into the name of the municipality. For the attribute item "date of birth", the date of birth is converted to the Western calendar. For the attribute item "age", convert the age to the age. The attribute item "Purchase Amount" is converted to an approximate number up to the first digit.

Note that as the “predetermined conversion”, the conversion may be defined in more detail according to the disclosure level. For example, the address may be displayed in a region (Kanto, Tohoku, etc.) with a coarse granularity of information instead of the name of the municipality, or may be displayed in a clustered group instead of the name of the region.

In addition, the user may be allowed to select the "predetermined conversion" for the attribute value of the attribute item from a plurality of options using a pull-down or the like. For example, when an attribute item in the table 1000 described with reference to FIG. 6 is selected, conversion methods may be presented in a pulldown so that the user can select from among the presented methods. The conversions presented as options may be set in advance by the operator of the system, or machine learning of the conversion methods selected in the past may be used to suggest a method with a high probability of being selected. good. Also, the selected conversion method may be displayed in the table 1000 .

FIG. 9 is a diagram showing an example of disclosure data. An example of disclosure data generated based on the sensitive data shown in FIG. 6 (see table 1000 in FIG. 6) will be described with reference to FIG. Data such as disclosed data 4000 and 5000 are provided to the user who requested to view the shared data, and displayed on a display or the like. The content of the displayed data differs depending on the processing authority set for the user.

In the disclosure data 4000, the attribute items “name”, “date of birth”, and “mail address” are non-disclosure data. The attribute items "Name" and "Date of Birth" contain encrypted attribute values, and the attribute item "Email Address" contains masking characters such as "****". there is Whether to display the encrypted value as it is or to display it with masking may be appropriately set by the user who provides the sensitive data or the operator of the system.

Raw data is disclosed for the attribute item "gender". That is, the attribute value obtained by decrypting the encrypted attribute value is described.

The attribute item "membership number" describes values obtained by rearranging numbers at random. The attribute item "address" is the address converted to the municipality name, the attribute item "age" is the age converted to the age, and the attribute item "purchase amount" is the amount converted to the first digit. things are described.

The disclosure data 5000 is disclosure data generated based on the sensitive data 1000, but differs from the disclosure data 4000 in the disclosed content.

In the disclosed data 5000, the records for two rows from the bottom are dummy data. It may be data generated by learning raw data, or data generated randomly. Dummy data is added when, for example, the number of records included in the original shared data is insufficient to view data that contains more than a certain number of records.

The attribute item "address" describes an address converted into a region name. The attribute item “age” describes a value obtained by adding “±3” to the age at random. Regarding the attribute item "age", if a specific age is to be disclosed data, the attribute item "date of birth" may be set to be forcibly undisclosed. This is because the year of birth may be known from the age (and vice versa). It is also possible to register in advance a case in which the combination of attribute items reveals the raw data of one of them and set it as a contraindication to the combination to be disclosed.

The attribute item “gender” describes the gender of male or female converted into a number. The numerical representation does not reveal the gender, but can be disclosed as one group.

The attribute item "Purchase Amount" is non-disclosure data, and displays the fee required for disclosure such as "XX yen required for disclosure". Depending on the granularity of information, different charges may be displayed in a manner that allows comparison.

FIG. 10 is a flow chart showing an example of processing until disclosure data is displayed in the data sharing system 1 . An example of the flow of processing in the data sharing system 1 will be described with reference to FIG. Note that the flow of processing is an example, and is not limited to the order shown in FIG.

In step S<b>101 , the communication unit 401 of the management server 400 receives a request for viewing shared data from the terminal device 600 . Note that the processing request may include information for identifying the transmission source, such as user information of the terminal device 600 that requested the processing. The communication unit 401 sends the received processing request to the decryption request unit 424 .

In step S102, the decryption request unit 424 confirms the disclosure level of the shared data related to the processing request. For example, the decryption request unit 424 accesses the setting file 411 and refers to the authority set in the attribute item of the shared data related to the processing request.

In step S103, the decryption request unit 424 requests the data providing server 200 to decrypt the attribute value of the shared data related to the processing request. For example, the decryption request unit 424 makes a decryption request for an attribute value for which disclosure of raw data is permitted as a disclosure level, or disclosure is permitted after a predetermined conversion. Here, with respect to attribute values that are not permitted to be disclosed (that is, undisclosed), the attribute values related to the processing request are encrypted and transmitted from the data providing server 200 to the terminal device 600 that requested the processing. You may In addition, a decryption request is made for all shared data related to the processing request, including attribute values whose disclosure is not permitted. can be

In step S104, the decryption unit 206 of the data providing server 200 decrypts the attribute value of the shared data using the decryption key corresponding to the encryption key used to encrypt the attribute value of the shared data in response to the decryption request. The decoding unit 206 then transmits the shared data related to the processing request, including the decoded attribute value, to the data conversion server 300 via the communication unit 201 . Also, the decryption unit 206 transmits information about the disclosure level to the data conversion server 300 together with the shared data. In the setting file 411 referred to in step S102, the attribute values of the attribute items whose raw data are permitted to be disclosed are sent from the decoding unit 206 to the terminal device 600 that transmitted the browse processing via the communication unit 201. You may send. Compared to transmitting to the terminal device 600 via the data conversion server 300, the communication process can be reduced.

In step S105, the control unit 302 of the data conversion server 300 generates disclosure data by performing a predetermined conversion on the attribute value of the shared data based on the disclosure level information. In addition, the control unit 302 may generate disclosure data by masking attribute values that are not permitted to be disclosed or converting them into indications indicating that they are not disclosed. Generation of disclosure data is as described above (see FIGS. 8, 9, etc.), so description thereof will be omitted. The data conversion server 300 transmits the generated disclosure data to the terminal device 600 that transmitted the browsing process request.

Note that the disclosure data may be transmitted from the data conversion server 300 to the terminal device 600 via the management server 400 . By managing data routing by the management server 400, communication control in the data sharing system 1 can be made more efficient.

In step S106, the terminal device 600 displays the received disclosure data on a display or the like, and the process ends.

(Hardware configuration diagram)
FIG. 11 is a block diagram showing the hardware configuration of the management server 400. As shown in FIG. Management server 400 is implemented in computer 901 . A computer 901 includes a CPU 902 , a main memory device 903 , an auxiliary memory device 904 and an interface 905 .

The operation of each component of management server 400 is stored in auxiliary storage device 904 in the form of a program. The CPU 902 reads out the program from the auxiliary storage device 904, develops it in the main storage device 903, and executes the above processing according to the program. Also, the CPU 902 secures a storage area in the main storage device 903 according to the program. Specifically, the program is a program that causes the computer 901 to perform data processing.

Note that the auxiliary storage device 904 is an example of a non-temporary tangible medium. Other examples of non-transitory tangible media include magnetic disks, magneto-optical disks, CD-ROMs, DVD-ROMs, semiconductor memories, etc. that are connected via the interface 905 . Also, when this program is distributed to the computer 901 via a network, the computer 901 receiving the distribution may develop the program in the main storage device 903 and execute the processing.

Also, the program may be for realizing part of the functions described above. Furthermore, the program may be a so-called difference file (difference program) that implements the above-described functions in combination with another program already stored in the auxiliary storage device 904 . It should be noted that the hardware configuration shown in FIG. 11 may be configured similarly to the data providing server 200, the data conversion server 300, and the terminal devices 100 and 600. FIG. The operation of each component in these devices is realized by the CPU according to the program stored in the auxiliary storage device, as in the management server 400 described above.

(Explanation of effect)
As described above, the data sharing system according to this embodiment includes a data providing server, a shared database, and a management server. sensitive data). Then, the management server requests the data providing server to decode the attribute value related to the attribute item based on the authority set to the attribute item of the shared data related to the processing request. When there are a plurality of data providing servers, the management server issues a decryption request to the data providing server that provided the sensitive data including the attribute items of the shared data related to the processing request. In this way, the management server does not obtain the decryption key for sensitive data, but requests the data providing server that provided the sensitive data to decrypt it. sensitive data can be managed with its own key, preventing leaks.

In this embodiment, the processing authority set for each attribute item of sensitive data includes the authority for disclosing attribute values for each attribute item. Thereby, the user who provides the sensitive data can set for each attribute item whether or not to disclose the attribute value related to the shared data for which the viewing process has been requested. In addition, since the authority to disclose attribute values includes information about users who are permitted to disclose attribute values, it is possible to flexibly set users who are permitted to disclose attribute values.

In addition, in the present embodiment, the attribute value disclosure authority includes information regarding the disclosure level for the attribute value. As a result, the contents to be disclosed of the sensitive data can be set in stages and shared, so that the utilization of the data can be promoted while considering security.

Also, in this embodiment, the authority to disclose attribute values is set using an input element having a plurality of stages. This facilitates the entry of stepwise disclosure levels.

The present embodiment further includes a data conversion server that performs predetermined conversion on attribute values related to shared data to generate disclosure data based on information about the disclosure level. By providing users with disclosed data that includes attribute values that have undergone predetermined conversion, users can treat sensitive data held by other organizations as if they were their own database, which improves security. It is possible to promote the use and application of data while taking care of it.

Also, in this embodiment, the predetermined conversion includes processing for abstracting, adding noise, or replacing attribute values. By changing the granularity (fineness) of the information, it is possible to disclose the outline of the data without specifically disclosing the sensitive data.
.

<Modification 1 of Embodiment 1>
In the data sharing system 1 according to the first embodiment, Company A, which is a user who provides sensitive data, has a key management unit, an encryption unit, a decryption unit, and a data conversion server that generates disclosure data. In the shared system according to Modification 1, the data center side has the functions of the key management unit, the encryption unit, the decryption unit, and the function of the data conversion server. The management server decrypts the encrypted attribute value and provides shared data (disclosed data) related to the processing request. The data providing server sets processing authority for each attribute item, and the management server manages the processing authority.

A trusted data center performs data encryption/decryption and predetermined conversion to provide shared data (disclosed data) so that sensitive data providers can set the authority to process their own sensitive data. By doing so, it is possible to improve the communication efficiency in the data sharing system compared to the first embodiment while controlling the disclosure range of sensitive data and considering security.

In addition, since the data center performs key management, etc., users who participate in the platform of the data sharing system can easily participate in the platform by reducing the cost of introducing and operating a secure environment such as key management.

<Embodiment 2>
The data sharing system 2 according to the second embodiment shares shared data obtained by integrating sensitive data possessed by "Company A", "Company B", and "Company C", which are organizations participating in the platform, with users of other organizations. System.

FIG. 12 is a diagram showing the configuration of the data sharing system 2 according to this embodiment. A configuration of the data sharing system 2 according to the second embodiment will be described with reference to FIG. 12 . In addition, the same code|symbol is attached|subjected to the component which is common in Embodiment 1, and description of repetition is abbreviate|omitted.

The data sharing system 2 includes in-house systems 10, 30, 40, a data center 50, and terminal devices 600-1, .

In-house systems 10, 30, and 40 are in-house systems of company A, company B, and company C, respectively. The in-house system 10 has terminal devices 100-1, . . . , 100-M, a data providing server 200-1, and a data conversion server 300-1. The in-house system 30 has terminal devices 100-(M+1), . The in-house system 40 has terminal devices 100-(P+1), . The data providing server 200-1 and data conversion server 300-1 have the same functions as the data providing server 200 and data conversion server 300 according to the first embodiment, respectively.

The terminal devices 100-1, . Data providing servers 200-1, 200-2, and 200-3 are referred to as "data providing server 200" unless otherwise specified. Data conversion servers 300-1, 300-2, and 300-3 are referred to as "data conversion servers 300" unless otherwise specified.

The data providing server 200 acquires sensitive data from the terminal device 100 . Sensitive data includes an identifier that identifies a record as an attribute item.

The data center 50 has a management server 700 and a shared database 800 .

Management server 700 acquires encrypted sensitive data from data providing servers 200-1, 200-2, and 200-3, and stores it in shared database 800. FIG.

The shared database 800 integrates sensitive data based on identifiers included as attribute items of stored sensitive data. Note that the process of integrating sensitive data may be executed in the management server 700 .

Also, although there are three data providing servers 200 in this embodiment, there may be at least two or more.

FIG. 13 is a diagram showing an example of the data structure of sensitive data according to the second embodiment. In this embodiment, sensitive data is information about an individual and includes attribute items such as age, gender, income, residential area, and purchase information, and attribute values (character strings or numerical values). Further, the sensitive data includes, as an integrated key, an identifier (common ID) that can uniquely identify an individual as an attribute item. Identifiers may be numbers, strings, or combinations thereof. Although predetermined attribute items are shown in FIG. 13 for simplification of explanation, in addition to these, attribute items (not shown) may be included in the sensitive data. Also, the integrated key is not limited to an identifier that can uniquely identify an individual, and any value that can uniquely identify data in a plurality of tables may be used.

FIG. 13 shows tables T1, T2, and T3 in which attribute values of attribute items are stored. Table T1 shows sensitive data provided by data providing server 200-1 (that is, data owned by company A). In table T1, the sensitive data includes, as attribute items, "common ID" which is an identifier that uniquely identifies an individual, "age" which indicates the age of the individual, "sex" which indicates the gender of the individual, and "" which indicates the income of the individual. Income”, and “Purchase Flag 1” indicating whether or not an individual purchases Product 1. In the table T1, the attribute values of the attribute items "common ID", "age", "income", and "purchase flag 1" are numerical values. Although the attribute value of "sex" is a category (character string) in FIG. 13, the category may be represented by a numerical value, for example, by associating the sex with the numerical value. Also, the attribute value may be treated visually as a numerical value or as a character string as a data type.

In the table T1, the attribute value "12345" for the attribute item "common ID", the attribute value "45" for the attribute item "age", the attribute value "female" for the attribute item "sex", and the attribute item "income" On the other hand, the attribute value "450" is stored, and the attribute value "1" is stored for the attribute item "purchase flag 1". This means that the individual whose common ID is 12345 is 45 years old, female, has an income of 4.5 million yen, and has already purchased product 1. Similarly, for the attribute values "67890", "23456", "90123", "89012", and "34567" of the attribute item "common ID", attribute values are stored for each attribute item.

Table T2 shows sensitive data provided by data providing server 200-2 (that is, data owned by company B). The data providing server 200-2 provides sensitive data including attribute items different from those of the company A holding the sensitive data shown in the table T1.

In table T2, the sensitive data includes, as attribute items, a “common ID” that is an identifier that uniquely identifies an individual, a “residence area” that indicates the area in which the individual resides, and a “purchase flag 2”, and “purchase flag 3” indicating whether or not individual product 3 is purchased. In the table T2, the attribute values of the attribute items "common ID", "purchase flag 2", and "purchase flag 3" are numerical values, and the attribute value of the attribute item "residence area" is a character string. In FIG. 13, the attribute value of "residence area" is a category (character string), but the category may be represented by a numerical value, for example, by associating the area with the numerical value. For example, in table T2, the attribute value "67890" for the attribute item "common ID", the attribute value "Tokyo" for the attribute item "residence area", the attribute value "1" for the attribute item "purchase flag 2", the attribute The attribute value "0" is stored for the item "purchase flag 3". This means that the individual whose common ID is 67890 resides in Tokyo, has purchased product 2, and has not purchased product 3. Similarly, for the attribute values "23456", "89012", "12345", "90123", and "34567" of the attribute item "common ID", attribute values are stored for each attribute item.

Attribute items other than "common ID" are different between table T1 and table T2, but records indicated by the same "common ID" correspond to the same individual. For example, the record (individual) specified by the attribute value "67890" of the "common ID" in the table T1 is the same as the record (individual) specified by the attribute value "67890" of the "common ID" in the table T2. .

Table T3 shows sensitive data (data owned by company C) provided by data providing server 200-3. Data providing server 200-3 provides sensitive data different from those of company A and company B, which possess sensitive data shown in tables T1 and T2.

In table T3, the sensitive data includes, as attribute items, a “common ID” that is an identifier that uniquely identifies an individual, a “spousal flag” that indicates the presence or absence of a spouse, a “number of dependents” that indicates the number of dependents, an individual includes a "purchase flag 4" indicating whether or not the product 4 is purchased. In the table T3, the attribute values of the attribute items "Common ID", "Spouse Flag", "Number of Supporters", and "Purchase Flag 4" are numerical values. For example, in table T3, the attribute value "23456" for the attribute item "common ID", the attribute value "1" for the attribute item "spouse flag", the attribute value "3" for the attribute item "number of dependents", the attribute The attribute value "1" is stored for the item "purchase flag 4". This means that the individual whose common ID is 23456 has a spouse, has three dependents, and has purchased product 4. Similarly, attribute values "90123", "56789", "34567", "78901", and "12345" of the attribute item "common ID" are stored for each attribute item.

Attribute items other than the "common ID" are different between the table T3 and the tables T1 and T2. As for the attribute value of the attribute item "common ID", "56789" and "78901" are included only in table T3. That is, each table may be a group including different records instead of the same group of records. In this embodiment, as shown in FIG. 13, the attribute items included in the sensitive data provided by each data providing server are different except for the "common ID" (identifier). As a form, the same attribute item may be included. In that case, the management server 700 may manage sensitive data provided by each data providing server. A system administrator, a person who provides data, or the like can appropriately set and determine which data providing server gives priority to which attribute value is to be provided as integrated data.

FIG. 14 is a diagram showing an example of the data structure of encrypted sensitive data. FIG. 14 shows tables T1e, T2e, and T3e in which attribute values of attribute items other than "common ID" are encrypted.

In table T1e, attribute values other than "common ID" in table T1 are encrypted based on the encryption key managed by data providing server 200-1 (company A). For example, the attribute items "age", "income", and "purchase flag 1" whose attribute values are numerical values are encrypted by homomorphic encryption and/or order-preserving encryption, and the attribute items whose attribute values are character strings are encrypted. "Gender" is encrypted with a searchable encryption method. In table T1e, for the sake of simplification of explanation, data whose attribute values are numerical values indicate values encrypted by homomorphic encryption, for example (the same applies to tables T2e and T3e below).

In table T2e, as in table T1e, attribute values other than "common ID" in table T2 are encrypted based on the encryption key managed by data providing server 200-2 (company B).

Also, in the table T3e, similarly to the table T1e, the attribute values other than the "common ID" in the table T3 are encrypted based on the encryption key managed by the data providing server 200-3 (company C).

FIG. 15 is a diagram illustrating an example of the data structure of integrated data. In FIG. 15, the integrated table Tm is a table integrated using the attribute value (identifier) of the attribute item "common ID" included in the tables T1e, T2e, and T3e shown in FIG. 14 as an integrated key. That is, the integrated data includes attribute items such as "common ID", "age", "income", "purchase flag 1", "residence area", "purchase flag 2", "purchase flag 3", and "spouse flag". , “support number”, and “purchase flag 4”, and the attribute values of each attribute item other than “common ID” are encrypted as shown in FIG. Integrated data having a data structure as shown in FIG. 15 is stored in the shared database 500 as shared data.

In the integrated table Tm, the attribute items "age", "income", and "purchase flag 1" (columns) are sensitive data provided by the data providing server 200-1 (company A). The attribute items "residence area", "purchase flag 2", and "purchase flag 3" (columns) are sensitive data provided by the data providing server 200-2 (company B). The attribute items "spouse flag", "number of dependents", and "purchase flag 4" (columns) are sensitive data provided by the data providing server 200-3 (company C).

For the attribute values "56789" and "78901" of the "common ID" included in the table T3 but not included in the tables T1 and T2, the attribute values of the attribute items included in the tables T1 and T2 are blank (NULL). ) or a dummy numerical value may be stored as appropriate by the designer of the database, the administrator of the management server 400, or the like. Alternatively, records in which attribute values other than the attribute item "common ID" of integrated data are not stored may be deleted.

That is, in the example of FIG. 15, with the attribute item "common ID" of the tables T1e, T2e, and T3e of FIG. A consolidation process is taking place, which involves consolidating tables (adding "records") to

(Functional configuration of management server 700)
FIG. 16 is a functional block diagram showing an example of the functional configuration of the management server 700. As shown in FIG. An example of the functional configuration of the management server 700 will be described with reference to FIG. 16 . Note that functional configurations similar to those of the management server 400 according to the first embodiment are denoted by the same reference numerals, and overlapping descriptions are omitted.

The management server 700 includes a communication section 401 , a storage section 710 and a control section 720 .

The storage unit 710 has the same functional configuration as the storage unit 410 of the management server 400 according to the first embodiment, and stores computer programs and the like used for various processes of the management server 700 .

The storage unit 710 has a setting file 711 that is information about processing authority set for each attribute item of sensitive data. The setting file 711 defines the authority for disclosure of attribute values for each attribute item. For example, each attribute item of shared data is associated with and stored by a user or the like who is permitted to be disclosed. Also, the setting file 711 associates and stores a data provider and the like for each attribute item of integrated data. Since the setting of processing authority is as described with reference to FIG. 7 and the like, description thereof will be omitted.

The storage unit 710 also stores encrypted sensitive data that the communication unit 401 has received from the data providing server 200 .
The control unit 720 has an overall control unit 421 , an authority management unit 722 , an arithmetic execution unit 423 , a decryption request unit 724 and an integrated data generation unit 725 .

The authority management unit 722 manages the authority for processing set for each attribute item of sensitive data, for example, receives information on the authority for the processing from each data providing server 200, and stores it in the storage unit 710 as a setting file 711. . The functional configuration is the same as that of the authority management unit 422 according to the first embodiment, except for receiving information about authority for processing from each data providing server 200 .

The decryption request unit 724 requests the data providing server 200 to decrypt the attribute value related to the attribute item based on the processing authority set for the attribute item of the shared data related to the processing request. When the shared data is data generated by integrating a plurality of sensitive data, the decryption request unit 724 refers to the setting file 711 and determines the attribute value transmission source of the attribute item related to the processing request. A decryption request is made to the data providing server 200 . For example, in the example of the integrated table Tm shown in FIG. 15, a decryption request is made to the data providing server 200-1 for the attribute values of the attribute items "age", "sex", "income", and "purchase flag 1". .

The integrated data generation unit 725 receives the encrypted sensitive data from each data providing server 200 via the communication unit 401 and stores the encrypted sensitive data in the storage unit 710, using identifiers included in the sensitive data as attribute items (Figs. In the example of FIG. 15, integrated data is generated by integrating based on the common ID). The integrated data generation unit 725 then sends the generated integrated data to the overall control unit 421 , and the overall control unit 421 stores the integrated data as shared data in the shared database 500 via the communication unit 401 . Further, the integrated data generation unit 725 may delete the integrated sensitive data from the storage unit 710 after generating the integrated data. Further, the process of integrating the sensitive data may be performed by another information processing apparatus that has acquired the encrypted sensitive data instead of the management server 700 .

After the decryption request unit 724 issues a decryption request to each data providing server 200, the attribute value of the shared data related to the processing request is decrypted, and the disclosed data is generated in the data conversion server 300. Same as form 1. Each data conversion server 300 may transmit the generated disclosed data to the terminal device 600 that transmitted the processing request, and the terminal device 600 may integrate the disclosed data. Further, the disclosure data generated by each data conversion server 300 is transmitted to the management server 700, the disclosure data are integrated in the management server 700, and the integrated disclosure data is sent to the terminal device 600 that transmitted the processing request. good too. The disclosed data integration can be performed in the same manner as the encrypted sensitive data integration process.

Note that, as described with reference to FIG. 12 , the process of generating the integrated data performed by the integrated data generation unit 725 may be executed in the shared database 800 .

(Explanation of effect)
As described above, the data sharing system according to the present embodiment discloses data obtained by integrating sensitive data provided from a plurality of data providing servers to other organizations as shared data. At this time, the management server issues a decryption request to the data providing server that provided the attribute value included in the shared data related to the browsing process request. Since the management server does not obtain the decryption key, it requests the data providing server that provided the sensitive data to decrypt it. It can be managed with a key to prevent leaks.

The above embodiment can be implemented in various other forms, and various omissions, replacements, and modifications can be made without departing from the scope of the invention. These embodiments and their modifications are intended to be included in the invention described in the claims and their equivalents as well as included in the scope and gist of the invention.

Further, the present invention may be in the aspects shown in the following appendices.

[Appendix 1]
A data sharing system comprising a data providing server, a shared database, and a management server,
The data providing server is
a sensitive data acquisition unit that acquires sensitive data including an attribute value for each attribute item;
a key management unit that manages encryption and decryption keys;
an encryption unit that encrypts at least a part of attribute values of the sensitive data with a predetermined encryption method using the encryption key;
has
the shared database stores the encrypted sensitive data as shared data in the data providing server;
The management server is
an authority management unit that manages processing authority set for each attribute item of the sensitive data;
a reception unit that receives a request for processing the shared data;
a decryption request unit that requests the data providing server to decrypt an attribute value associated with the attribute item based on the authority set for the attribute item of the shared data associated with the processing request;
has
The data providing server is
a decryption unit that decrypts the encrypted attribute value of the shared data related to the processing request using the decryption key in response to the decryption request;
a providing unit that provides shared data related to the processing request including the decrypted attribute value;
A data sharing system, further comprising:

[Appendix 2]
The data sharing system according to [Supplementary Note 1], wherein the processing authority includes authority to disclose an attribute value for each attribute item.

[Appendix 3]
The data sharing system according to [Appendix 2], wherein the authority for disclosure of the attribute value includes information regarding a user who permits disclosure.

[Appendix 4]
The data sharing system according to [Appendix 2] or [Appendix 3], wherein the authority regarding disclosure of the attribute value includes information regarding a disclosure level for the attribute value.

[Appendix 5]
The data sharing system according to [Appendix 4], further comprising a data conversion server that performs predetermined conversion on the shared data provided by the providing unit based on the information on the disclosure level to generate disclosure data.

[Appendix 6]
The data sharing system according to [Appendix 5], wherein the predetermined conversion includes any one of abstraction, noise addition, and replacement of the attribute value.

[Appendix 7]
The data sharing system according to any one of [Appendix 2] to [Appendix 6], wherein the authority to disclose the attribute value is set using an input element having a plurality of stages.

[Appendix 8]
The data sharing system according to [Appendix 7], wherein the disclosure data includes at least one of the decrypted attribute value, the predetermined converted attribute value, and the encrypted attribute value.

[Appendix 9]
The data sharing system according to any one of [Appendix 1] to [Appendix 8], wherein there are at least two or more data providing servers.

[Appendix 10]
[Appendix 9], wherein the shared data is sensitive data obtained by integrating the encrypted sensitive data in the plurality of data providing servers based on the identifier included as the attribute item of the sensitive data. data sharing system.

1, 2 data sharing system 100, 600 terminal device 200 data providing server 300 data conversion server 400, 700 management server 500 shared database 101, 201, 301, 401 communication unit 105, 202, 302, 420 , 720 control unit, 102, 203, 303, 410, 710 storage unit, 204 key management unit, 205 encryption unit, 206 decryption unit, 411 setting file, 421 overall control unit, 422, 722 authority management unit, 423 operation execution 424, 724 decryption request unit 725 integrated data generation unit 103 input unit 104 output unit.

Claims (9)

A data sharing system comprising a data providing server, a shared database, a management server, and a data conversion server ,
The data providing server is
a sensitive data acquisition unit that acquires sensitive data including an attribute value for each attribute item;
a key management unit that manages encryption and decryption keys;
an encryption unit that encrypts at least a part of attribute values of the sensitive data with a predetermined encryption method using the encryption key;
has
the shared database stores the encrypted sensitive data as shared data in the data providing server;
The management server is
an authority management unit that manages authority regarding disclosure of the attribute value set for each attribute item of the sensitive data;
a reception unit that receives a request for processing the shared data;
a decryption request unit that requests the data providing server to decrypt an attribute value associated with the attribute item based on the authority set for the attribute item of the shared data associated with the processing request;
has
The data providing server is
a decryption unit that decrypts the encrypted attribute value of the shared data related to the processing request using the decryption key in response to the decryption request;
a providing unit that provides shared data related to the processing request including the decrypted attribute value;
further having
the attribute value disclosure authority includes information about a disclosure level for the attribute value;
The data conversion server performs predetermined conversion on the shared data provided by the providing unit based on the information on the disclosure level to generate disclosure data;
The data sharing system , wherein the predetermined conversion includes at least either abstraction of the attribute value or noise addition processing . 2. The data sharing system according to claim 1 , wherein the authority for disclosure of the attribute value includes information regarding a user who permits disclosure. 3. The data sharing system according to claim 2 , wherein the authority to disclose the attribute value is set using an input element having multiple stages. 4. The data sharing system according to claim 3 , wherein said disclosure data includes at least one of said decrypted attribute value, said predetermined transformed attribute value, and said encrypted attribute value. 5. The data sharing system according to any one of claims 1 to 4 , wherein there are at least two or more of said data providing servers. 6. The data according to claim 5 , wherein said shared data is sensitive data obtained by integrating said encrypted sensitive data in a plurality of said data providing servers based on an identifier included as said attribute item of said sensitive data. shared system. A data sharing method in a system comprising a data providing server, a shared database, a management server, and a data conversion server ,
The data providing server
a step of obtaining sensitive data including attribute values for each attribute item;
managing encryption and decryption keys;
a step of encrypting at least part of the attribute values of the sensitive data with a predetermined encryption method using the encryption key;
The shared database is
storing the encrypted sensitive data as shared data in the data providing server;
The management server
a step of managing authority relating to disclosure of the attribute value set for each attribute item of the sensitive data;
receiving a request for processing the shared data;
requesting the data providing server to decrypt an attribute value related to the attribute item based on the authority set to the attribute item of the shared data related to the processing request;
The data providing server
decrypting the encrypted attribute value of the shared data related to the processing request using the decryption key in response to the decryption request;
providing shared data associated with the processing request including the decrypted attribute value;
with
the attribute value disclosure authority includes information about a disclosure level for the attribute value;
further comprising a step in which the data conversion server performs a predetermined conversion on the shared data provided by the data providing server based on the information regarding the disclosure level to generate disclosure data;
The data sharing method , wherein the predetermined conversion includes at least either abstraction of the attribute value or noise addition processing . A data sharing program in a system comprising a data providing server, a shared database, a management server, and a data conversion server ,
The control unit of the data providing server,
a step of obtaining sensitive data including attribute values for each attribute item;
managing encryption and decryption keys;
a step of encrypting at least part of the attribute values of the sensitive data with a predetermined encryption method using the encryption key;
The storage unit of the shared database is
storing the encrypted sensitive data as shared data in the data providing server;
The control unit of the management server,
a step of managing authority relating to disclosure of the attribute value set for each attribute item of the sensitive data;
receiving a request for processing the shared data;
requesting the data providing server to decrypt an attribute value related to the attribute item based on the authority set to the attribute item of the shared data related to the processing request;
The control unit of the data providing server,
decrypting the encrypted attribute value of the shared data related to the processing request using the decryption key in response to the decryption request;
providing shared data associated with the processing request including the decrypted attribute value;
with
the attribute value disclosure authority includes information about a disclosure level for the attribute value;
further comprising a step in which the data conversion server performs a predetermined conversion on the shared data provided by the data providing server based on the information regarding the disclosure level to generate disclosure data;
The data sharing program , wherein the predetermined conversion includes at least either abstraction of the attribute value or noise addition processing . a sensitive data acquisition unit that acquires sensitive data including an attribute value for each attribute item;
a key management unit that manages encryption and decryption keys;
an encryption unit that encrypts at least a part of attribute values of the sensitive data with a predetermined encryption method using the encryption key;
a storage unit that stores the encrypted sensitive data as shared data;
an authority management unit that manages authority regarding disclosure of the attribute value set for each attribute item of the sensitive data;
a reception unit that receives a request for processing the shared data;
a decryption request unit that requests decryption of an attribute value related to the attribute item based on the authority set to the attribute item of the shared data related to the processing request;
a decryption unit that decrypts the encrypted attribute value of the shared data related to the processing request using the decryption key in response to the decryption request;
a providing unit that provides shared data related to the processing request including the decrypted attribute value;
has
the attribute value disclosure authority includes information about a disclosure level for the attribute value;
further comprising a data conversion unit that performs a predetermined conversion on the shared data provided by the provision unit based on the information regarding the disclosure level to generate disclosure data;
The data sharing system , wherein the predetermined conversion includes at least either abstraction of the attribute value or noise addition processing .

Images