JP2012150379A - Matching system, matching system method, coupling device and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a matching technology which outputs the data coupling tuples of data of which key columns coincide with each other while concealing the coinciding key columns with respect to data recorded in n table storage units.SOLUTION: For all k (k=1,2,...,n), data ext(v) of all or some tuples including coincided data vare obtained in a predetermined order and then a set of ext(v) (k=1,2,...,n) of vof the same order is obtained. A mix-net processing including encryption and permutation by an encryption function having homomorphism and the rearrangement by the predetermined order are performed on the obtained values and each coefficient of a predetermined polynomial, to output the data coupling tuples of data of which key columns coincide with each other.

Description

  The present invention relates to a technique for combining necessary data without disclosing a plurality of tabular data.

  Non-Patent Document 1 describes a technique for combining necessary data in a non-disclosed manner for a plurality of tabular data. Hereinafter, what can be done with the technique described in Non-Patent Document 1 will be briefly described (see Non-Patent Document 1, for example).

  As shown in FIG. 6, it is assumed that there are a first table and a second table. By using the technique of Non-Patent Document 1, the key column data of the first table and the data of the key column of the second table are identified, and the tuple (row) data including the matching data is combined and acquired. can do.

  In the example of FIG. 6, the key column of the first table and the key column of the second table include both 014 and 034 data. Therefore, the combined data that can be acquired includes data obtained by combining the data 014, the tuple data xxx including the data 014 of the first table, and the tuple data bbb including the data 014 of the second table, and data 034 and the tuple data zzz including the data 034 of the first table and the tuple data ccc including the data 034 of the second table are combined.

R.Agrawal, A.V.Evfimievski, and R.Srikant, “Information Sharing Across Private Databases”, ACM SIGMOD 2003, pp.86-97, 2003

  However, according to the technique of Non-Patent Document 1, not only data obtained by combining tuple data including data that matches key columns but also data that matches key columns is known. In the example of FIG. 6, it can be seen that the data 014 and 034 match.

  An object of the present invention is to provide a matching system, a method, a coupling device, and a program in which information of data that matches key columns is concealed.

In the matching system according to the first aspect of the present invention, n is an integer of 2 or more, k is an integer of 1 to n, i = 1,..., K−1, k + 1,. The data of a predetermined key _column V _i of v is v, t is a predetermined number, and f _i (x) = tΠ _vεVi (x−v) = Σ _{j = 0} ^Ji−1 a _{i, j} x ^j An i-th coupling device that calculates E (a _{i, j} ) obtained by encrypting each coefficient a _{i, j} of the polynomial f _i (x) defined by the above with a cryptographic function E having homomorphism, and r _i is an integer of the random number, all or part of the data tuple including data v key column _{V k} a predetermined k-th table as _ext k (v), for each data v key column _{V k,} E _{(a i,} with _{j), c = E (Σ} i∈ {1,2, ..., n} - {k} f i (v) r i _{= Σ i∈ {1,2, ...,} n} - {k} E (a i, j) v calculates the ^j r _i, computes the _{d = E (ext k (v} )), and c and d A function value calculation unit for generating a pair (d, c) of the first and a plurality of pairs (d ′ _π , c ′ _π ) generated by re-encrypting the plurality of pairs (d, c) and replacing with a replacement π In the case where the decryption result c _π of c ′ _π is 0 for each of a plurality of pairs (d ′ _π , c ′ _π ), with one mix net operation unit and E ′ as a cryptographic function having homomorphism If b = 1 and the decoding result of c ′ _π is not c _π = 0, then b = 0 and d ′ _π and E ′ (b) _π of the set of c ′ _π (d ′ _π , c ′ _π ) A flag assigning unit for generating a pair (d′ _π , E ′ (b) _π ) and a plurality of pairs (d′ _π , E ′ (b) _π ) by re-encrypting and substituting by reverse replacement of the replacement π A plurality of pairs (d _j ″, E ″ (b _j )) (j = 1, 2, .., J _k ), and for each of the plurality of sets (d _j ″, E ″ (b _j )), E ″ (b _j ) is used for the order e. _j ″ = E ″ (Σ _{k = 1} ^j b _k ) = Σ _{k = 1} ^j E ″ (b _k ) is calculated, and the calculated order e _j ″ is set to a pair (d _j ″, E ″ (b _j )) added to the order (d _j ″, E ″ (b _j ), e _j ″) to generate a pair, and a plurality of pairs (d _j ″, E ′ '(B _j ), e _j ″) are re-encrypted and replaced with a replacement π ^* ( _{dπ * (j)} ′ ″, E ′ ″ (b _{π * (j)} ), e a pair (d _{π * ) where} b _{π * (j)} = 1 obtained by decoding E ′ '' (b _{π * (j)} ) and a third mix net operation unit that generates _{π * (j)} ''') _(J) Decoding e _{π * (j)} '''of''', E '''(b _{π * (j)} ), e _{π * (j)} ''') to obtain the order e _{π * (j} to generate _a) D of the order decoder, the order _e π _{* (j)} a set _{(d π * (j) '} '',E''' (b π * (j)), e π * (j) ''') a rearrangement unit that outputs _{π * (j)} ′ ″.

  It is possible to conceal information on data that matches the key column.

The block diagram for demonstrating the example of a matching system. The block diagram for demonstrating the modification of a 1st mixnet calculating part. The block diagram for demonstrating the modification of a 2nd mixnet calculating part. The block diagram for demonstrating the modification of a 3rd mix net calculating part. A program for explaining an example of a method of a matching system. The figure for demonstrating the outline | summary of the conventional matching system.

  Embodiments of the present invention will be described below with reference to the drawings.

[First embodiment]
As shown in FIG. 1, the matching system of the first embodiment includes a first coupling device 1, a second coupling device 2,..., A k-th coupling device k,. ,..., K1, n1, first mix net operation unit a, flag assignment unit b, second mix net operation unit c, order assignment unit d, third mix net operation unit e, order decoding unit f, rearrangement unit g. For example, a control unit i is provided. n is an integer of 2 or more.

First coupling device 1 possesses a first table _{T 1.} The first table T ₁ is stored in the table storage unit 11. Similarly, assuming that i = 2, 3,..., N, the i-th coupling device i has an i-th table T _i . The i table T _i is stored in the table storage unit i1.

Each table _Ti includes a column and a tuple. The matching system identifies matching data in a predetermined column of all the tables T _i (i = 1, 2,..., N), and the matching data v ^* (hereinafter referred to as matching data v ^* ). Data that combines all or part of the data ext _k (v ^* ) of the included tuples is acquired. A column for which matching data is specified is called a key column. It is assumed that the key column V _i of each table T _i is predetermined.

  The control unit i sets k to any number from 1 to n and not yet set (step S1). For example, k = 1.

Through the processing from step S2 to step S10 below, it is possible to acquire all or part of the data ext _k (v ^* ) of the tuples including the matching data v ^* of the table T _k arranged in a predetermined order. The controller i sequentially changes k to a different value and repeats the processing from step S2 to step S10, so that all the tuples including the matching data v ^* of each table T _k (k = 1, 2,..., N) or Some data ext _k (v ^* ) can be acquired. Data obtained corresponding to each k is arranged in a common predetermined order, for example, in the dictionary order of the matching data v ^* . Therefore, by obtaining a set of ext _k (v ^* ) (k = 1, 2,..., N) of v _{* in} the same order, a set of ext _k (v ^* ) for the same matching data v ^*. That is, (ext ₁ (v ^* ), ext ₂ (v ^* ),..., Ext _n (v ^* )) can be acquired.

As i = 1,..., k−1, k + 1,..., n, each i-th coupling device is expressed as f _i (x) = _tΠvεVi (x−v) = Σ _{j = 0} ^Ji−1 a _i, E (a _{i, j} ) obtained by encrypting each coefficient a _{i, j} of the polynomial f _i (x) defined by _j x ^j with a cryptographic function E having homomorphism is calculated (step S2).

Here, t is a predetermined number. For example, t may be 1 or a random number. Ji is the number of data v constituting the key column V _i . The subscript Vi in the above equation of the polynomial f _i (x) means the key column V _i . E (a _{i, j} ) is transmitted to the first mix net operation unit a.

The function value calculation unit h uses the above E (a _{i, j} ) for each data v of the key column V _k and c = E (Σ _{iε {1, 2,..., N} − {k}} f _i. (V) r _i ) = Σ _{i∈ {1, 2,..., N} − {k}} E (a _{i, j} ) v ^j r _i is calculated, and d = E (ext _k (v)) is calculated. Then, a set (d, c) of c and d is generated (step S3). r _i is an integer random number. ext _k (v) is data of all or part of the tuple including the data v of the key column V _k . When the number of key columns _{V k} of the data v and Jk pieces, Jk number of pairs (d, c) is generated. The generated set (d, c) is transmitted to the first mix net operation unit a in a predetermined order. The predetermined order is, for example, a dictionary order. Hereinafter, when the predetermined order is simply referred to, this predetermined order is meant.

Since the cryptographic function E has the property of homomorphism, E (αβ) = E (β + β +... + Β) = E (β) + E (β) +... + E (β) = αE (β ) _{Therefore, E (Σ i∈ {1,2,} ..., n} - {k} f i (v) r i) = Σ i∈ {1,2, ..., n} - {k} E (a i _, is to become a ^_j) v _j r _i.

  The function value calculation unit h is provided in the k-th coupling device k as shown in FIG. For this reason, in the process of step S1, a coupling device that may be selected as the k-th coupling device k from the first coupling device 1 to the n-th coupling device n includes the function calculation unit h. Note that the function value calculation unit h may be provided outside the k-th coupling device k.

The first mix net operation unit a re-encrypts the plurality of sets (d, c) and generates a plurality of sets (d ′ _π , c ′ _π ) that are replaced by the replacement π (step S4). The substitution π is an element of a symmetric group of order Jk. A plurality of sets (d ′ _π , c ′ _π ) are transmitted to the flag assigning unit b. Since the number of the plurality of sets (d, c) is Jk, the number of the sets (d ′ _π , c ′ _π ) is also Jk.

For example, it is assumed that the number of sets (d, c) is three, and each is set (d ₁ , c ₁ ), set (d ₂ , c ₂ ), and set (d ₃ , c ₃ ). At this time, each of these three sets (d, c) is encrypted, and the set (d ₁ ′, c ₁ ′), the set (d ₂ ′, c ₂ ′), and the set (d ₃ ′, c _3). '). Permutation π: {1, 2, 3} → {1, 2, 3} is a bijective mapping that maps 1 to π (1), 2 to π (2), and 3 to π (3) For example, it is assumed that π (1) = 2, π (2) = 3, and π (3) = 1. In this case, when the set (d ₁ ′, c ₁ ′), the set (d ₂ ′, c ₂ ′), and the set (d ₃ ′, c ₃ ′) are replaced with a substitution π, the set (d _{π (3 )} ′, C _{π (3)} ′), pair (d _{π (1)} ′, c _{π (1)} ′) and pair (d _{π (2)} ′, c _{π (2)} ′).

Flag imparting unit b, for each of a plurality of pairs _{(d 'π, c' π} ), c ' when a decoding result c _[pi = 0 for _[pi is a b = 1, c' the decoding result of the _[pi c _[pi = a b = 0 if not zero, the c 'set of _{π (d' π, c '} π) of d' _[pi and E '(b) a set of the _{π (d' π, E '} (b) _π ) is generated (step S5). Since the number of the plurality of sets (d ′ _π , c ′ _π ) is Jk, the number of sets (d ′ _π , E ′ (b) _π ) is also Jk. The plurality of generated sets (d ′ _π , E ′ (b) _π ) are transmitted to the second mix net operation unit c.

When v is the coincidence data v ^* , _cπ = 0 and b = 1, and when v is not the coincidence data v ^* , b = 0 when _cπ ≠ 0.

decoding of c _'[pi is performed by the decoding unit b1 of the flag imparting unit b illustrated in FIG. The encryption of b is performed by the encryption unit b2 of the flag assigning unit b. E ′ is a cryptographic function having homomorphism.

In the processing of the mix net by the first mix net operation unit a, the order of the plurality of sets (d, c) is changed based on the replacement π. _[pi, 'but _[pi) can be known whether corresponding to the matched data v ^*, the set _{(d' c π, c '} π) can not know whether it corresponds to what data v . As described above, in order to conceal the correspondence between the pair (d ′ _π , c ′ _π ) and the data v to the flag assigning unit b, the mix net processing by the first mix net operation unit a is performed. In addition, the order of the plurality of sets (d, c) and the plurality of sets (d′ _π , E ′ (b) _π ) replaced by the processing of the mix net by the first mix net calculation unit a is as follows. The processing returns to the original order in the mix net processing by the net operation unit b, that is, the “predetermined order” described in step S3 of the function value calculation unit h.

The second mix net computation unit c re-encrypts the plurality of pairs (d ′ _π , E ′ (b) _π ) and replaces them with the reverse substitution π ⁻¹ of the substitution π (d _j ″, E '' (B _j )) (j = 1,..., J _k ) is generated (step S6). Since the number of the sets (d ′ _π , E ′ (b) _π ) is Jk, the number of the sets (d _j ″, E ″ (b _j )) is also Jk. The set (d _j ″, E ″ (b _j )) means the j-th set (d ″, E ″ (b)) in the “predetermined order”. The plurality of generated sets (d _j ″, E ″ (b _j )) are transmitted to the order assigning unit d. E ″ (x) generated by re-encrypting E (x) for a certain value x can be regarded as an output value when the value x is input to the encryption function E ″. The cryptographic function E ″ in this case is assumed to have homomorphism.

The reverse substitution π ⁻¹ of the substitution π is a substitution such that π · π ⁻¹ becomes an identity substitution. For example, permutation π: {1,2,3} → {1,2,3} is a bijection that copies 1 to π (1), 2 to π (2), and 3 to π (3) a mapping, π (1) = 2, π (2) = 3, π (3) = 1 in the case where as the reverse replacement ^{π -1: {1,2,3} → {} 1,2, 3}, a copy of the 1 [pi ^-1 (1), copy the 2 [pi ^-1 (2), a mapping bijective View daylight 3 to ^{π -1 (3), π -1} (1) = 2, π ⁻¹ (2) = 1, π ⁻¹ (3) = 2.

The sequencing unit d has a plurality of pairs _{(d j '', E '} ' (b j)) for each, E '' with _{(b j),} the sequence _{e j '' = E ''} (Σ k _{= 1} ^j b _k ) = Σ _{k = 1} ^j E ″ (b _k ) is calculated, and the calculated order e _j ″ is added to the pair (d _j ″, E ″ (b _j )) The set (d _j ″, E ″ (b _j ), e _j ″) is generated (step S7). Since the number of pairs (d _j ″, E ″ (b _j )) is Jk, the number of pairs (d _j ″, E ″ (b _j ), e _j ″) is also Jk.

As described above, when v is the coincidence data v ^* , c _π = 0 and b = 1, and when v is not the coincidence data v ^* , b = 0 when c _π ≠ 0. Become. Therefore, the order e _j ″ is obtained by encrypting the order when matching data v ^* is arranged in a predetermined order with the cryptographic function E ″.

The third mix net operation unit e re-encrypts a plurality of sets (d _j ″, E ″ (b _j ), e _j ″) and replaces them with a replacement π ^* (d _{π * ( j)} ''',E''' ( _{bπ * (j)} ), _{eπ * (j)} ''') are generated (step S8).

The substitution π ^* is an element of a symmetric group of order Jk. A plurality of sets ( _{dπ * (j)} ′ ″, E ′ ″ ( _{bπ * (j)} ), _{eπ * (j)} ′ ″) are transmitted to the order decoding unit f. Since the number of the plurality of pairs (d _j ″, E ″ (b _j ), e _j ″) is Jk, the pair (d _{π * (j)} ′ ″, E ′ ″ (b _{π * The number of (j)} ), _{eπ * (j)} ′ ″) is also Jk.

In the mix net processing by the third mix net calculation unit e, the order of the plurality of pairs (d _j ″, E ″ (b _j ), e _j ″) is switched based on the substitution π ^* . As a result, the order decoding unit f that does not know the permutation π ^* can perform arbitrary combinations (d _{π * (j)} ′ ″, E ″ ′ (b _{π * (j)} ), e _{π * (j)} ″ It is possible to know the number of matching data v ^* in the “predetermined order”, and the pair ( _{dπ * (j)} ′ ″, E ′ ″ ( _{bπ * (j)} ), e _{π * (j)} ''') cannot know which data v corresponds to. Thus, the correspondence between the pair ( _{dπ * (j)} ′ ″, E ′ ″ ( _{bπ * (j)} ), _{eπ * (j)} ′ ″) and the data v is represented as an order decoding unit. In order to conceal it to f, the mix net processing is performed by the third mix net computing unit e.

The order decoding unit f decodes E ′ ″ (b _{π * (j)} ) and sets (d _{π * (j)} ′ ″, E ′ ″ (b _{π ) where} b _{π * (j)} = 1. _{* (J)} ), _{eπ * (j)} ′ ″) of _{eπ * (j)} ′ ″ is decoded to generate the order _{eπ * (j)} (step S9). The generated order e _{π * (j)} and d _{π * (j)} ′ ″ corresponding to the order e _{π * (j)} are transmitted to the rearrangement unit g.

The rearrangement part g is in the order e _{π * (j)} in pairs (d _{π * (j)} ′ ″, E ′ ″ (b _{π * (j)} ), e _{π * (j)} ′ ″). d _{π * (j)} '''is output (step S10). This _{dπ * (j)} ′ ″ corresponds to all or part of the data ext _k (v ^* ) of the tuple including the coincidence data v ^* . _{Dπ * (j)} ′ ″ is output as many as the number of the matching data v ^* .

  The control unit i determines whether all integers from 1 to n are set to k (step S11). If not set, the process returns to step S1, and the control unit i sets any number from 1 to n and not yet set to k. If it is determined that all the integers from 1 to n are set to k, the processing of the matching system is terminated.

In this way, by repeating the processing from step S2 to step S10, all or a part of the tuple data ext _k (including matching data v ^* of each table T _k (k = 1, 2,..., N)). v ^* ) can be obtained.

[Second Embodiment]
The matching system and method of the second embodiment are different from the matching system and method of the first embodiment in the function value calculation unit h, the first mix net operation unit a, and the flag assignment unit b. Hereinafter, a description will be given centering on differences from the first embodiment. Explanation of similar parts is omitted.

The function value calculation unit h of the second embodiment uses r _i as an integer random number, and ext _k (v) all or part of the tuple including the data v of the predetermined key column V _{k in} the k-th table. And a bit string corresponding to ext _k (v) is a check code t _k (v), and for each data v of the key column V _k , using E (a _{i, j} ), c = E ((Σ _{i∈ { 1, 2,..., N-1}-{k}} f _i (v) r _i ) + (ext _k (v) || t _k (v))) = (Σ _{i∈ {1, 2,... ^{n-1} - {k}}} E (a i, j) v j r i) + E ((ext k (v) || t k (v))) to calculate the (step S3).

  The definition of c is different from the first embodiment. In the first embodiment, the set (d, c) is transmitted, whereas in the second embodiment, only c is transmitted to the first mix net operation unit a in a predetermined order.

Here, || represents a bit combination. The check code t _k (v) is a bit string corresponding to ext _k (v). For example, the check code t _k (v) may be a fixed bit string such as 00... 0 that does not depend on v, or may be a bit string that depends on v, for example, a hash value of ext _k (v). .

The first mix net operation unit a generates a plurality of c _π by replacing a plurality of c arranged in a predetermined order with a replacement π. Multiple c _[pi the order has been rearranged is transmitted to the flag addition module b.

Flag addition module b3 as cryptographic function with homomorphism of E ', for each of a plurality of c _[pi, when it is determined that the decoded result of the c _[pi = a ext k _(v) is set to b = 1 , C _π decoding result = ext _k (v), b = 0, and E ′ (b) _π and d _π ′ = E (ext _k (v)) corresponding to c _π A flag assigning unit for generating a pair (d ′ _π , E ′ (b) _π ) of
decoding of c _'[pi is performed by the decoding unit b1 of the flag imparting unit b illustrated in FIG. The encryption of b is performed by the encryption unit b2 of the flag assigning unit b. Moreover, the decoding result of the c _[pi = determination of whether an _ext k (v) is performed by the determination unit b3.

When the bit sequence corresponding to t _k (v) in the bit sequence of the decoding result of c _π by the decoding unit b1 matches t _k (v) bit-combined by the function value calculation unit h, the determination unit b3 _If the decoding result of c _π = ext _k (v) and they do not match, it is determined that the decoding result of c _π is not ext _k (v).

_If the decoding result of cπ is not ext _k (v), the bit value corresponding to t _k (v) among the bit strings of the decoding result of c _π is calculated by the function value calculation unit h with respect to ext _k (v). It is very likely that the bit combination t _k (v) does not match. For this reason, when the bit string corresponding to t _k (v) in the bit string of the decoding result of c _π by the decoding unit b 1 matches t _k (v) bit-connected by the function value calculation unit h, the c _π It is possible to determine that the decoding result of the above = ext _k (v). It is assumed that the flag assigning unit b knows information about the check code t _k (v) in advance because it is necessary to determine the above match. When the check code t _k (v) is a bit string depending on v, the flag assigning unit b knows information about the permutation π and knows the check code t _k (v) corresponding to c _π . Shall.

Thus, by flag addition module b is to be determined whether the decoding result of the c _[pi = a _ext k (v) using the check code _{t k} (v), ext k with respect to the flag imparting unit b (V) can be concealed.

  Other processes are the same as those in the first embodiment.

[Modifications, etc.]
The cryptographic functions E, E ′, E ″ E ′ ″ may be probabilistic ciphers having homomorphic properties. This increases safety.

  As illustrated in FIG. 2, the first mix net calculation unit a includes a first mix net configuration unit a 1 provided in the first coupling device 1 and a first mix net calculation unit a 2 provided in the second coupling device 2. ,..., A first mix net configuration unit ak provided in the kth coupling device k,..., And a first mix net configuration unit an provided in the nth coupling device n. In this case, these n first mix net components ai (i = 1, 2,..., N) jointly perform processing, thereby realizing processing of the first mix net arithmetic unit a.

  For example, assuming that the re-encryption function is a multiple cipher or a threshold function, the first mix net configuration unit ai sequentially sets i = k + 1, k + 2,..., N, 1, 2,. (D, c) are re-encrypted, exchanged in a predetermined order, and transmitted to the first mix net configuration unit ai + 1 (if i = n, the first mix net configuration unit a1).

  At this time, each first mix net configuration unit ai (i = 1, 2,..., N) may re-encrypt only d and perform partial decryption on c. Each first mix net configuration unit ai (i = 1, 2,..., N) performs partial decoding on c to restore c. That is, the first mix net operation unit a configured by the first mix net configuration unit ai (i = 1, 2,..., N) may perform the processing of the decoding unit b1 simultaneously with the processing of the mix net. .

Similarly, as illustrated in FIG. 4, the second mix net component c is provided in the first coupler 1, the second mix net component c 1 provided in the first coupler 1, and the second mix provided in the second coupler 2. .., A second mix net configuration unit ck provided in the k-th coupling device k, and a second mix net configuration unit cn provided in the n-th coupling device n. In this case, the second mix net configuration unit ci is sequentially set to a plurality of sets (d ′ _π , E ′ (b) as i = k−1, k−2,..., 1, n, n−1,. ) _Π ) is re-encrypted and replaced in a predetermined order, and transmitted to the second mix net configuration unit ai + 1 (if i = n, the first mix net configuration unit a1).

  Similarly, as illustrated in FIG. 5, the third mix net component e is provided in the first coupler 1, the third mix net e 1 provided in the first coupler 1, and the third mix provided in the second coupler 2. .., A third mix net configuration unit ek provided in the k-th coupling device k, and a third mix net configuration unit en provided in the n-th coupling device n.

At this time, each third mix net component ei (i = 1, 2,..., N) re-encrypts d _j ″ and e _j ″ to obtain E ″ (b _j ). May perform partial decoding. Each third mix net component ei (i = 1, 2,..., N) performs partial decoding on E ″ (b _j ), thereby restoring b _{π * (j)} . That is, the third mix net operation unit e configured by the third mix net configuration unit ei (i = 1, 2,..., N) simultaneously performs E ′ ″ (b _{π * (j )} ) May be decrypted.

The matching system may include a final decoding unit that decodes d _{π * (j)} ′ ″ output by the rearrangement unit g to generate ext _k (v ^* ).

  In the above embodiment, data is directly transmitted and received between the respective units of the matching system. However, the data may be exchanged via a storage unit (not shown).

  When the i-th coupling device i (i = 1, 2,..., N) is realized by a computer, the processing content of each part of the i-th coupling device i is described by a program. Then, by executing this program on a computer, the processing functions of each part of the i-th coupling device i are realized on the computer.

  Each of these programs can be recorded on a computer-readable recording medium. As the computer-readable recording medium, for example, any recording medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory may be used.

  The present invention is not limited to the above embodiments and modifications. For example, the various processes described above are not only executed in time series according to the description, but may also be executed in parallel or individually as required by the processing capability of the apparatus that executes the processes.

  Moreover, you may combine said embodiment and a modification. Needless to say, other modifications are possible without departing from the spirit of the present invention.

Claims (6)

n is an integer of 2 or more, k is an integer of 1 to n,
where i = 1,..., k-1, k + 1,..., n, v is the data of a predetermined key _column V _{i in} the i-th table, t is a predetermined number, and f _i (x) = _{tΠvε vi (x-v) = Σ} j = 0 Ji-1 a i, j x each coefficient of ^j defined in the polynomial _{f i} (x) _{a i,} is encrypted with an encryption function E with homomorphism the _j An i-th coupling device for calculating E (a _{i, j} );
For each data v of the key column V _k , where r _i is an integer random number and all or part of the tuple including the data v of the predetermined key column V _{k in} the k-th table is ext _k (v) Using E (a _{i, j} ), c = E (Σ _{iε {1, 2,..., N} − {k}} f _i (v) r _i ) = Σ _{iε {1, 2,. n}-{k}} E (a _{i, j} ) v ^j r _i is calculated, d = E (ext _k (v)) is calculated, and the pair (d, c) of c and d is generated. A function value calculator,
A first mixnet operation unit that re-encrypts the plurality of sets (d, c) and generates a plurality of sets (d ′ _π , c ′ _π ) that are replaced by a replacement π;
Assuming that E ′ is an encryption function having homomorphism, for each of the plurality of sets (d ′ _π , c ′ _π ), if c ′ _π decryption result c _π = 0, then b = 1, c 'as b = 0 and when not, the decoded result c _[pi = 0 for _[pi, the c' set of _{π (d 'π, c'} π) of d _'[pi and E' (b) a set of the _[pi (d ' _π , E ′ (b) _π ), a flag assigning unit;
A plurality of sets (d _j ″, E ″ (b _j )) (j _{== reciphering} the plurality of sets (d ′ _π , E ′ (b) _π )) 1, 2,..., J _k )
For each of the plurality of sets (d _j ″, E ″ (b _j )), using E ″ (b _j ), the order e _j ″ = E ″ (Σ _{k = 1} ^j b _{k ^{) = Σ k = 1 j E}} '' ( the calculated _{b k),} calculated in the order e _{j 'set the' (d j '', E} '' (b j)) added pairs to _{(d j} '', E '' (b _j ), e _j ″),
A plurality of sets (d _{π * (j)} ′ ″, E ′ obtained by re-encrypting the plurality of sets (d _j ″, E ″ (b _j ), e _j ″) and replacing them with a replacement π ^*. '' (B _{π * (j)} ), e _{π * (j)} '''),
_{E '''(b π *} (j)) b π * decoding the _(j) = 1 and comprising a set _{(d π * (j)'} '', E '''(b π * (j)), an order decoding unit that decodes e _{π * (j)} ′ ″ of e _{π * (j)} ′ ″ ₎ to generate the order e _{π * (j)} ;
D _{[pi * (j} of the order e _{π * (j)} a set _{(d π * (j) '} '',E''' (b π * (j)), e π * (j) ''') ₎ Sorting section that outputs''',
Including matching system. n is an integer of 3 or more, k is an integer of 1 to n,
where i = 1,..., k-1, k + 1,..., n, v is the data of a predetermined key _column V _{i in} the i-th table, t is a predetermined number, and f _i (x) = _{tΠvε vi (x-v) = Σ} j = 0 Ji-1 a i, j x each coefficient of ^j defined in the polynomial _{f i} (x) _{a i,} is encrypted with an encryption function E with homomorphism the _j An i-th coupling device for calculating E (a _{i, j} );
r _i is an integer random number, all or part of the tuple including data v of a predetermined key column V _{k in} the k-th table is ext _k (v), || is a bit combination, and ext _k ( v) the bit string corresponding to the as check code _t k (v), for each data v key column _{V k,} using the above _{E (a i, j),} c = E ((Σ i∈ {1,2, _{.., N} − {k}} f _i (v) r _i ) + (ext _k (v) || t _k (v))) = (Σ _{i∈ {1, 2,..., N} − {k}} E (a _{i, j} ) v ^j r _i ) + E ((ext _k (v) || t _k (v)));
A first mix net calculator for generating a plurality of c _[pi substituted by replacing the plurality of c aligned in a predetermined order [pi,
If the bit string corresponding to t _k (v) among the bit strings of the decoding results of c _π matches the above t _k (v), the decoding result of c _π = ext _k (v), which does not match In this case, the determination unit determines that the decoding result of c _π is not ext _k (v),
The E 'as a cryptographic function with homomorphism, for each of said plurality of c _[pi, and the b = 1 when it is determined that the decoding result of the c _[pi = a ext k _(v), the decoding of the c _[pi result = _ext k (v) not equal as b = 0 If it is determined, E corresponding to the _c π '(b) π and _{d π' = E (ext k} (v)) of the set (d ' _π , E ′ (b) _π ), a flag assigning unit;
A plurality of sets (d _j ″, E ″ (b _j )) (j _{== reciphering} the plurality of sets (d ′ _π , E ′ (b) _π )) 1, 2,..., J _k )
For each of the plurality of sets (d _j ″, E ″ (b _j )), using E ″ (b _j ), the order e _j ″ = E ″ (Σ _{k = 1} ^j b _{k ^{) = Σ k = 1 j E}} '' ( the calculated _{b k),} calculated in the order e _{j 'set the' (d j '', E} '' (b j)) added pairs to _{(d j} '', E '' (b _j ), e _j ″),
A plurality of sets (d _{π * (j)} ′ ″, E ′ obtained by re-encrypting the plurality of sets (d _j ″, E ″ (b _j ), e _j ″) and replacing them with a replacement π ^*. '' (B _{π * (j)} ), e _{π * (j)} '''),
_{E '''(b π *} (j)) b π * decoding the _(j) = 1 and comprising a set _{(d π * (j)'} '', E '''(b π * (j)), an order decoding unit that decodes e _{π * (j)} ′ ″ of e _{π * (j)} ′ ″ ₎ to generate the order e _{π * (j)} ;
D _{[pi * (j} of the order e _{π * (j)} a set _{(d π * (j) '} '',E''' (b π * (j)), e π * (j) ''') ₎ Sorting section that outputs''',
Including matching system. n is an integer of 2 or more, k is an integer of 1 to n,
where i = 1,..., k-1, k + 1,..., n, v is the data of a predetermined key _column V _{i in} the i-th table, t is a predetermined number, and f _i (x) = _{tΠvε vi (x-v) = Σ} j = 0 Ji-1 a i, j x each coefficient of ^j defined in the polynomial _{f i} (x) _{a i,} is encrypted with an encryption function E with homomorphism the _j An i-th combining step for calculating E (a _{i, j} );
For each data v of the key column V _k , where r _i is an integer random number and all or part of the tuple including the data v of the predetermined key column V _{k in} the k-th table is ext _k (v) Using E (a _{i, j} ), c = E (Σ _{iε {1, 2,..., N} − {k}} f _i (v) r _i ) = Σ _{iε {1, 2,. n}-{k}} E (a _{i, j} ) v ^j r _i is calculated, d = E (ext _k (v)) is calculated, and the pair (d, c) of c and d is generated. A function value calculation step;
A first mixnet operation step for re-encrypting the plurality of sets (d, c) and generating a plurality of sets (d ′ _π , c ′ _π ) replaced by a replacement π;
Assuming that E ′ is an encryption function having homomorphism, for each of the plurality of sets (d ′ _π , c ′ _π ), if c ′ _π decryption result c _π = 0, then b = 1, c 'as b = 0 and when not, the decoded result c _[pi = 0 for _[pi, the c' set of _{π (d 'π, c'} π) of d _'[pi and E' (b) a set of the _[pi (d ' a flagging step for generating _π , E ′ (b) _π );
A plurality of sets (d _j ″, E ″ (b _j )) (j _{== reciphering} the plurality of sets (d ′ _π , E ′ (b) _π )) 1, 2,..., J _k )
For each of the plurality of sets (d _j ″, E ″ (b _j )), using E ″ (b _j ), the order e _j ″ = E ″ (Σ _{k = 1} ^j b _{k ^{) = Σ k = 1 j E}} '' ( the calculated _{b k),} calculated in the order e _{j 'set the' (d j '', E} '' (b j)) added pairs to _{(d j} '', E '' (b _j ), e _j ″) to generate an ordering step;
A plurality of sets (d _{π * (j)} ′ ″, E ′ obtained by re-encrypting the plurality of sets (d _j ″, E ″ (b _j ), e _j ″) and replacing them with a replacement π ^*. '' (B _{π * (j)} ), e _{π * (j)} ''') to generate a third mixnet operation step;
_{E '''(b π *} (j)) b π * decoding the _(j) = 1 and comprising a set _{(d π * (j)'} '', E '''(b π * (j)), an order decoding step of decoding e _{π * (j)} '''of e _{π * (j)} ''' ₎ to generate order e _{π * (j)} ;
D _{[pi * (j} of the order e _{π * (j)} a set _{(d π * (j) '} '',E''' (b π * (j)), e π * (j) ''') ₎ A reordering step that outputs''',
Matching system method including: n is an integer of 3 or more, k is an integer of 1 to n,
where i = 1,..., k-1, k + 1,..., n, v is the data of a predetermined key _column V _{i in} the i-th table, t is a predetermined number, and f _i (x) = _{tΠvε vi (x-v) = Σ} j = 0 Ji-1 a i, j x each coefficient of ^j defined in the polynomial _{f i} (x) _{a i,} is encrypted with an encryption function E with homomorphism the _j An i-th combining step for calculating E (a _{i, j} );
r _i is an integer random number, all or part of the tuple including data v of a predetermined key column V _{k in} the k-th table is ext _k (v), || is a bit combination, and ext _k ( v) the bit string corresponding to the as check code _t k (v), for each data v key column _{V k,} using the above _{E (a i, j),} c = E ((Σ i∈ {1,2, _{.., N} − {k}} f _i (v) r _i ) + (ext _k (v) || t _k (v))) = (Σ _{i∈ {1, 2,..., N} − {k}} A function value calculating step for calculating E (a _{i, j} ) v ^j r _i ) + E ((ext _k (v) || t _k (v)));
A first mix net computation step of generating a plurality of c _[pi substituted by substituted [pi a plurality of c aligned in a predetermined order,
If the bit string corresponding to t _k (v) among the bit strings of the decoding results of c _π matches the above t _k (v), the decoding result of c _π = ext _k (v), which does not match A determination step for determining that the decoding result of c _π = ext _k (v) in the case;
The E 'as a cryptographic function with homomorphism, for each of said plurality of c _[pi, and the b = 1 when it is determined that the decoding result of the c _[pi = a ext k _(v), the decoding of the c _[pi result = _ext k (v) not equal as b = 0 If it is determined, E corresponding to the _c π '(b) π and _{d π' = E (ext k} (v)) of the set (d ' a flagging step for generating _π , E ′ (b) _π );
A plurality of sets (d _j ″, E ″ (b _j )) (j _{== reciphering} the plurality of sets (d ′ _π , E ′ (b) _π )) 1, 2,..., J _k )
For each of the plurality of sets (d _j ″, E ″ (b _j )), using E ″ (b _j ), the order e _j ″ = E ″ (Σ _{k = 1} ^j b _{k ^{) = Σ k = 1 j E}} '' ( the calculated _{b k),} calculated in the order e _{j 'set the' (d j '', E} '' (b j)) added pairs to _{(d j} '', E '' (b _j ), e _j ″) to generate an ordering step;
A plurality of sets (d _{π * (j)} ′ ″, E ′ obtained by re-encrypting the plurality of sets (d _j ″, E ″ (b _j ), e _j ″) and replacing them with a replacement π ^*. '' (B _{π * (j)} ), e _{π * (j)} ''') to generate a third mixnet operation step;
_{E '''(b π *} (j)) b π * decoding the _(j) = 1 and comprising a set _{(d π * (j)'} '', E '''(b π * (j)), an order decoding step of decoding e _{π * (j)} '''of e _{π * (j)} ''' ₎ to generate order e _{π * (j)} ;
D _{[pi * (j} of the order e _{π * (j)} a set _{(d π * (j) '} '',E''' (b π * (j)), e π * (j) ''') ₎ A reordering step that outputs''',
Matching system method including:   A coupling device which is the i-th coupling device of the matching system according to claim 1.   The program for functioning a computer as each part of the coupling device of Claim 5.

Images