JP2014206696A - Data secrecy type inner product calculation system, method and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To calculate an inner product with relatively small calculation amounts by using data to be kept secret in each of a plurality of organizations as an object.SOLUTION: A device of a first organization performs first deformation for secrecy to a first data string to be kept secret in the organization, and outputs the deformed first data string to a device of a third organization, a device of a second organization performs second deformation for secrecy to a second data string to be kept secret in the organization, and outputs the deformed second data string to the device of the third organization, and the device of the third organization calculates an inner product between the deformed first data string and the deformed second data string, and returns the inner product to at least the device of the second organization. The device of the first organization transmits information related to the first deformation performed by its own device to the device of the second organization, and the device of the second organization calculates an inner product between the first data string and the second data string on the basis of the information related to the second deformation performed by its own device, the information received from the device of the first organization, and the inner product received from the device of the third organization.

Description

  The present invention calculates the inner product of data between organizations while protecting the confidentiality of data when each of a plurality of organizations has data to be kept secret from other organizations, such as data related to personal privacy. It relates to the technology to be made possible.

  In recent years, there have been an increasing number of cases where “life logs” such as personal information and action records are analyzed and used in various business scenes. For example, it is required to analyze data in every scene, such as purchase history such as POS data, usage history of electronic money, boarding history of transportation network, GPS information of cars, call history and usage history of mobile phones and smartphones, etc. ing.

  The information obtained from the “life log” is often useful, and many applications such as behavior pattern estimation, recommendation, and target marketing can be considered. On the other hand, there are great concerns about the handling of privacy information.

  In particular, the “life log” data as described above often has different data for the same individual in different organizations. If it is possible to analyze the “life log” across a plurality of organizations, it is highly possible that extremely useful information can be obtained, but the concern about privacy protection is also extremely large.

  A technology called Privacy Protection Data Mining (PPDM) has been developed to fulfill the demands from both the use and protection of privacy information, and a method for performing data mining while protecting privacy between multiple organizations, Various proposals have been made (see Non-Patent Document 1).

  In addition, as one of data mining performed between a plurality of organizations, there is a case of obtaining a correlation between pieces of information respectively possessed by a plurality of organizations. The process for obtaining the correlation results in a process for calculating the inner product between the data strings (vectors). A method of “secret inner product” has also been proposed in which privacy products are concealed, that is, an inner product can be calculated between two parties while concealing each other's own vectors (see Patent Document 1).

JP 2009-272995 A

Satoshi Sakuma, Shigenobu Kobayashi “Privacy Protection Data Mining”, Journal of Artificial Intelligence Vol. 24 No. 2 (2009)

  One of the existing methods for performing data mining while protecting privacy among a plurality of organizations is to use an agent that does not leak information at any time and does not deviate from a predetermined protocol. Such an agent is called a TTP (Trusted Third Party). In the ideal model assuming TTP, information necessary for data analysis is collected in TTP.

  The protocol that assumes the existence of TTP is superior in terms of both data security and accuracy of analysis results in the ideal model. However, in the real world, it is difficult to realize such an ideal model, and since information is collected in TTP, the damage caused when information leaks from TTP becomes enormous.

  Another existing approach to privacy-preserving data mining takes a cryptographic approach without the use of third parties. Specifically, given polynomial assumptions such as the fact that the factorization of the product of two giant primes is computationally difficult, any polynomial time with the secret inputs of the two agents as arguments A method has been proposed that makes it possible to perform computations beyond agents, and this method has been expanded as a secure multi-party computation (MPC) that can handle the secret input of three or more agents. Has been. In principle, MPC can perform arbitrary distributed data mining, but since the amount of calculation is extremely large, it is difficult to calculate in a time that can withstand actual operation when the amount of data is large.

  A method of combining a security protocol and a cryptographic tool such as a homomorphic public key encryption has also been proposed. Homomorphic public key cryptography is public key cryptography in which an encryption function has homomorphism and data can be added while encrypted. The MPC approach aims at secure calculation of general-purpose functions, but the method using homomorphic public key cryptography aims to efficiently perform secure calculation of specific functions. However, even in this method, since there are encryption / decryption using public key cryptography and computation using homomorphic public key cryptography, the amount of calculation is too large to perform data mining in a practical time. Is concerned.

The existing method of obtaining the "secret inner product" (Patent Document 1), the first computing device having a first n-dimensional vector Va to be concealed, the scalar value and the random number R _j based on the random number W _i based vector Va linear transformation, the remainder of division by the random number M _i for each element in n-dimensional vector obtained by linear conversion calculated p times, the n-dimensional transformation vector X to the remainder with each element, confidential to To the second computing device having the power second n-dimensional vector Vb, and the second computing device calculates the inner product Z of the vector X and the vector Vb and sends it to the first computing device. Is to obtain the inner product of the vector Va and the vector Vb by performing an inverse transformation on the inner product Z. The vectors Va and Vb to which this method can be applied are limited to those in which each element is an integer.

  In addition, in the above method, depending on the contents of the n-dimensional vector Va, the second computing device can generate a random number for performing inverse transformation by taking the common divisor of each element of the received n-dimensional transformation vector X. By estimating the value, the value of each element of the original Va that should be kept secret in the first calculation device may be calculated. In order to prevent such a situation and to ensure practically sufficient safety, the number of digits of each random number R, M, W must be sufficiently larger than the number of digits of the input variable, and the remainder is increased. The number of times p to be calculated must also be made sufficiently large, but this would increase the amount of calculation.

  In view of the above situation, the present invention uses only a third party in a realistic environment where there is no ideal third party that can be trusted. It is an object of the present invention to make it possible for a plurality of organizations to obtain an inner product for data that should be kept secret within each organization, while reducing the amount of calculation to a practical level, rather than trying to calculate in (1).

  A data concealed inner product calculation system according to an example in accordance with the principle of the present invention includes: a first organization apparatus having storage means for storing a first data string to be concealed in the first organization; A second organization apparatus having storage means for storing a second data string to be kept secret in the organization; and a third organization apparatus having calculation means for calculating an inner product between the input data strings. .

  Then, the first organization apparatus performs a first modification for concealment on the first data string, and outputs the modified first data string to the third organization apparatus. The second organization apparatus performs a second modification for concealment on the second data string, and outputs the modified second data string to the third organization apparatus. The third organization apparatus calculates an inner product of the deformed first data string and the deformed second data string by the calculating means, and outputs the inner product at least as described above. Return means for returning to the second tissue device is provided.

  Further, the first tissue device includes a transmission unit that transmits information on the first deformation performed by the device to the second tissue device, and the second tissue device includes: Based on the information about the second deformation performed, the information received from the first tissue device, and the inner product received from the third tissue device, the first data sequence and the second The calculation means which calculates | requires the inner product with these data strings is provided.

  In the data concealed inner product calculation system described above, the device of the third organization shall return the calculated inner product to the device of the first organization, and the device of the first organization Based on information about the first deformation performed by the device, information received from the second tissue device, and the inner product received from the third tissue device, the first data string and the Computation means for obtaining an inner product with the second data string is also provided, and the device of the second organization transmits information on the second deformation performed by the device to the device of the first organization. It is good also as what also has the transmission means to perform.

  In the above configuration, the third tissue device for calculating the inner product receives each of the first tissue device and the second tissue device as a modified data string, and the third tissue device The original data string to be concealed cannot be obtained only from the information handled by the device. Therefore, even if information leakage occurs in the device of the third organization, it is possible to keep the confidentiality of data to a third party, and a realistic third-party organization as a device of the third organization It becomes possible to use.

  In addition, the first tissue device does not receive the data string of the second tissue device, but also the modified data string, and the inner product calculated by the third tissue device, Only the information related to how the second organization's device has been transformed, so unless information is leaked from the third organization's device, it should be kept secret in the second organization. It is not possible to obtain the data string. Similarly, the device of the second organization cannot obtain the original data string to be concealed within the first organization. Therefore, it is possible to maintain the confidentiality of the data including the confidentiality of the other organization even if the modification to the data string to be kept confidential in each of the first and second organizations is relatively simple. It is possible to reduce the calculation amount to a practical level.

  In the data concealed inner product calculation system described above, each data in the first data string and each data in the second data string may be associated with the same data ID.

  As a result, the data strings independently possessed by the first organization and the second organization are related to the common ID space, and it is possible to obtain the correlation between the information possessed by each of the plurality of organizations. For example, if an airline (first organization) has customer travel information and a hospital (second organization) has patient disease information, no individual is identified by each ID. However, if the same ID is associated with the same person's information in both organizations, it traveled to a specific area by obtaining the inner product of the two data strings and suffered from a specific disease It becomes possible to ask for the number of people.

  In the data concealed inner product calculation system described above, the transmission means of the first organization apparatus (and the transmission means of the second organization apparatus) is used by the third organization apparatus for calculation by the calculation means. The information may be transmitted after it is confirmed that the deformed first data string and the deformed second data string have been erased.

  As a result, after the second tissue apparatus obtains information on the first deformation, the information of the deformed first data string held in the third tissue apparatus leaks, It is possible to prevent a situation in which the first data string to be concealed in the first organization can be calculated in the second organization. Similarly, it is possible to prevent a situation in which the second data string to be concealed in the second organization becomes possible in the first organization.

  In the data concealed inner product calculation system described above, the third organization apparatus calculates the inner product of the deformed first data string and the deformed second data string by the calculating means, The inner product is left, the deformed first data string and the deformed second data string are erased, and after the erase, the inner product is replaced with the second tissue device (and the first tissue device). The first tissue device transmitting means (and the second tissue device transmitting means) after the inner product from the third tissue device is received, Information may be transmitted.

  Thus, the third tissue device holds the deformed data sequence after receiving the deformed data sequence from each of the first tissue device and the second tissue device, Since it is limited to a short time until the calculation of the inner product is completed, it is possible to sufficiently reduce the risk of information leakage from the device of the third organization.

  In the data concealed inner product calculation system described above, the third organization apparatus calculates the inner product of the deformed first data string and the deformed second data string by the calculating means, The modified first data string and the modified second data string are erased, and it is determined whether or not these data strings have leaked out of the organization before erasure, and the judgment result is the first Means for notifying the tissue apparatus (and the second tissue apparatus) of the first tissue apparatus, and the transmission means (and the second tissue apparatus transmission means) of the first tissue The information may be transmitted after the determination result that the possibility is not received is notified from the device of the third organization.

  Thus, after confirming that the information leakage has not occurred in the third tissue device, the first tissue device transmits information on the first deformation to the second tissue device. If it is notified that there is a possibility that information leakage has occurred in the device of the third organization, by not sending information on the first deformation to the device of the second organization It becomes possible to keep the state where the second organization cannot calculate the first data string. Similarly, the device of the second organization can keep the state where the first organization cannot calculate the second data string by not transmitting the information on the second deformation.

  In the data confidential inner product calculation system described above, at least communication between the first organization device and the third organization device, and the second organization device and the third organization device. It is preferable that the communication between the mobile phone and the mobile phone be protected so that it cannot be intercepted by anyone other than the two parties that perform the communication, and a third party cannot impersonate the communication partner. In addition, communication between the device of the first organization and the device of the second organization should not be intercepted by anyone other than the two parties performing the communication, and a third party shall be the communication partner. It may be protected so that it is not possible.

  As a result, safety related to communication and safety related to calculation are separated, and for communication, existing encryption technology is applied to ensure safety, and calculation is performed according to the principle of the present invention. By using a method based on information-theoretic safety, it is possible to ensure safety with a relatively small amount of calculation.

  In the data concealment type inner product calculation system described above, the device of the third organization has a value of data larger than a predetermined number among the plurality of data constituting the modified first or second data string being zero. In some cases, the calculation of the inner product is not performed, and a calculation rejection notification may be returned instead of the inner product.

For example, where the first data string is {x ₁ , x ₂ ,..., X _N }, {1, 0,..., 0}, {0, 1,. ,... {0, 0,..., 1} (a data string in which the k th element is 1 and all other elements are all 0), and the inner product is obtained, the k th of the first data string The element value (x _k ) can be known, and if this is repeated as k = 1 to N, {x ₁ , x ₂ ,..., X _N } can all be known. This is not limited to the case where all but one of the N elements are all zero, and if the number of elements that are larger than a predetermined ratio depending on the size of N are all zero, the value of each element is estimated. I can do it. Therefore, when such a data string is input, if the device of the third organization does not calculate the inner product, the safety can be increased.

  In the data concealed inner product calculation system described above, the device of the third organization stores which data ID set of which organization the transformed data string used for the calculation of the inner product relates to. In addition, when the modified data sequence related to the same data ID set is received from a device of the same organization within a predetermined period, the inner product is not calculated, and the calculation rejection is performed instead of the inner product. Notifications may be returned.

For example, where the first data string is {x ₁ , x ₂ ,..., X _N }, as the second data string, first, {1, 2,. , Other elements are all 1), and then {1, 1,..., 1} (all data is 1), and from the inner product obtained first Next, when the inner product obtained is subtracted, the value (x _k ) of the k-th element of the first data string can be known. Therefore, if the two data strings input to calculate the inner product this time are related to the same data ID of the same organization as the two data strings calculated for the inner product during the past certain period, If the tissue device does not calculate the dot product, it can increase safety.

  Below, a specific example is shown regarding the 1st and 2nd deformation | transformation performed in the data concealment type inner product calculation system mentioned above.

  In the first example, the first modification performed by the device of the first organization generates a first random number and multiplies each data constituting the first data string by the first random number. The second modification performed by the device of the second organization is to generate a second random number, and multiply each data constituting the second data string by the second random number. The information related to the first modification is the first random number, and the information related to the second modification is the second random number.

  In the first example, the amount of calculation is small, but if only one random number is used, some information in the original data sequence is inferred from the variation in the value of each element in the transformed data sequence. Since there is a possibility, it is preferable to combine the examples of shuffles described later, or to adopt the following second or third example.

  In the second example, the first modification performed by the device of the first organization generates a first random number sequence and adds the first random number sequence to each data constituting the first data sequence. The second modification performed by the device of the second organization generates a second random number sequence, and adds each data constituting the second data sequence to the data constituting the second data sequence. Each of the data constituting the second random number sequence is added, the information regarding the first modification is the first random number sequence, and the information regarding the second modification is the second random number sequence It is.

  The first organization apparatus calculates an inner product of the first data string and the second random number sequence, and the calculation result of the second organization apparatus is calculated by the first organization apparatus. Means for transmitting to the second tissue device so that it can be used as information received from the second tissue device. The device of the second organization calculates the inner product of the second data sequence and the first random number sequence, and the calculation means of the device of the first organization calculates the calculation result of the second organization. The information processing apparatus may further include means for transmitting to the first tissue device so that the information can be used as information received from the first device.

  The second example corresponds to performing encryption using a random number having the same amount of information on the original data string, and can be said to have complete secrecy (Shanon Secure). In other words, even if information is leaked from the device of the third organization, information theoretical safety is expected.

  In a third example, the first modification performed by the device of the first organization generates a first random number and a first random number sequence, and each data constituting the first data sequence includes Each data constituting the first random number sequence is added to each result obtained by multiplying the first random number, and the second modification performed by the device of the second organization includes the second random number and the first random number. Generating a second random number sequence, and adding each data constituting the second random number sequence to each result of multiplying the second random number by each data constituting the second data sequence, The information regarding the first variation is the first random number and the first random number sequence, and the information regarding the second variation is the second random number and the second random number sequence.

  The first organization apparatus calculates an inner product of the first data string and the second random number sequence, and the calculation result of the second organization apparatus is calculated by the first organization apparatus. Means for transmitting to the second tissue device so that it can be used as information received from the second tissue device. The device of the second organization calculates the inner product of the second data sequence and the first random number sequence, and the calculation means of the device of the first organization calculates the calculation result of the second organization. The information processing apparatus may further include means for transmitting to the first tissue device so that the information can be used as information received from the first device.

  The third example corresponds to performing encryption using a random number having a larger amount of information on the original data string, and can be said to have complete confidentiality (Shanon Secure). The information exchanged between the first, second, and third organizations is limited, so there is not enough information to infer the original first and second data strings It is.

  In the data concealed inner product calculation system described above, each of the first organization device and the second organization device constitutes a data sequence for the first data sequence and the second data sequence, respectively. Means for replacing the order of data according to the same rule, and the first modification and the second modification, respectively, with respect to the first data string and the second data string whose order has been interchanged May be performed.

  This configuration utilizes the fact that the inner product of the two vectors is the same as the inner product before the replacement even if the order of the elements in the vector is replaced in the same way by the two vectors. Can be used in combination with any of the examples. For example, if the order of the elements in the data string is shuffled each time, and how the shuffling is shared only between the first and second organizations, the third party Even if the variation of the value of each element in the column is seen, it is not known which data ID corresponds to each element, so that privacy information can be effectively protected.

  The invention of the data concealed inner product calculation system described above may be the invention of the method of the entire system, the invention of a program (or a recording medium on which the program is recorded) for operating a general-purpose computer system as the system. As an invention of any one of the first organization device, the second organization device, and the third organization device in the system, a program for operating a general-purpose computer as each device of the present system (or its program) Of course, both the invention of the recording medium on which the program is recorded and the invention of the method executed in each device of the system are realized. Some of them are illustrated below.

  A method according to one example in accordance with the principles of the present invention includes a first organization device for storing a first data stream to be concealed within a first organization and a second to be concealed within a second organization. The second organization device that stores the data string uses the third organization device to obtain the inner product of the first data row and the second data row while maintaining the confidentiality of the data. It is a way for.

  Then, the device of the first organization performs a first modification for concealment on the first data sequence, and outputs the modified first data sequence to the device of the third organization. The second organization apparatus performs a second modification for concealment on the second data string, and outputs the modified second data string to the third organization apparatus, The third tissue device calculates an inner product of the deformed first data string and the deformed second data string, and returns the inner product to at least the second tissue device.

  Furthermore, the device of the first tissue transmits information on the first deformation performed by the device to the device of the second tissue, and the device of the second tissue is performed by the device. Based on the information about the second deformation, the information received from the first tissue device, and the inner product received from the third tissue device, the first data string and the second data string Find the dot product with.

  In the data concealed inner product calculation method described above, the device of the third organization returns the calculated inner product to the device of the first organization, and the device of the second organization Information on the second deformation performed by the own device is transmitted to the device of the tissue, and the device of the first tissue transmits the information on the first deformation performed by the own device and the information on the second tissue. An inner product of the first data string and the second data string may be obtained based on the information received from the device and the inner product received from the third organization device.

  A program according to an example in accordance with the principle of the present invention includes a first organization device for storing a first data string to be concealed in a first organization, and a second organization to be concealed in a second organization. The second organization device that stores the data string uses the third organization device to obtain the inner product of the first data row and the second data row while maintaining the confidentiality of the data. Is a program that causes a computer to operate as an apparatus of the first organization in the system.

  The first organization program causes the computer to perform a first modification for concealment of the first data string, and the modified first data string is used as a device of the third organization. And receiving the inner product of the transformed first data string and the data string output from the second tissue device returned from the third tissue device, and From the organization device, the second organization device receives information on the second transformation performed on the second data string for concealment before outputting to the third organization device, Based on the information relating to the first deformation performed by the device itself, the information received from the device of the second tissue, and the inner product received from the device of the third tissue, the first data string, An inner product with the second data string is obtained.

  A program according to another example according to the principle of the present invention includes a first organization apparatus for storing a first data string to be concealed in the first organization, and a second organization to be concealed in the second organization. The second organization device that stores the data string uses the third organization device to obtain the inner product of the first data row and the second data row while maintaining the confidentiality of the data. Is a program that causes a computer to operate as a third organization apparatus.

  The program for the third organization receives the data string obtained by performing the first modification for concealment on the first data string from the device of the first organization. And receiving the data string obtained by performing the second modification for concealment on the second data string from the second organization apparatus, and receiving the data string from the first organization apparatus. Calculating a dot product of a data string and a data string received from the second tissue device, wherein the inner product is determined by at least one of the first tissue device and the second tissue device. Based on the information on the first deformation and the information on the second deformation, the first tissue apparatus and the first tissue device so that the inner product of the first data string and the second data string can be obtained At least one of the second tissue devices; It returned to.

  According to the present invention, for example, by using a realistic third-party organization, the inner volume is obtained for data that should be kept secret in each organization by a plurality of organizations while keeping the amount of calculation at a practical level. Is possible.

The figure which shows the structural example of the data concealment type inner product calculation system which concerns on embodiment of this invention The figure explaining the 1st example of the calculation procedure in this system The figure explaining the 2nd example of the calculation procedure in this system The figure explaining the 2nd example (continuation of FIG. 3) of the calculation procedure in this system The figure explaining the 3rd example of the calculation procedure in this system The figure explaining the 3rd example (continuation of FIG. 5) of the calculation procedure in this system The figure explaining the 3rd example (continuation of FIG. 6) of the calculation procedure in this system The figure explaining the 4th example of the calculation procedure in this system The figure explaining the 4th example (continuation of FIG. 8) of the calculation procedure in this system The figure explaining the 4th example (continuation of FIG. 9) of the calculation procedure in this system

  Hereinafter, a data concealment type inner product calculation system according to an embodiment of the present invention will be described with reference to the drawings for illustration.

  In this system, when two independent organizations have some information regarding a common ID space, the information held by both organizations may contain information related to privacy, so each other will not obtain the information of the other party. In this way, it is possible to analyze the relevance and tendency of data held by the two organizations. This analysis is performed by obtaining a correlation coefficient between data of two tissues. The feature of this system is that the existence of a cloud (third party organization) based on realistic preconditions makes it possible for two organizations to disclose their respective information to each other without correlating each other's information. It is to make it possible to obtain the above with a calculation amount suitable for practical use.

In the analysis performed in this system, the organizations A and B share the ID space U = {1, 2,..., N}, and each of the organizations A and B has a data string (vector) corresponding to this ID space. S _X = {X ₁ , X ₂ ,..., X _N } (represented as {X _i } _i ), S _Y = {Y ₁ , Y ₂ ,..., Y _N } (represented as {Y _i } _i ) The result is that the correlation coefficient ρ between S _X and S _Y is obtained without disclosing the contents of S _X and S _Y to any organization other than its own organization. ρ is obtained by the following equation (Equation 1). The elements X _i and Y _i constituting the vectors S _X and S _Y can be arbitrary real numbers.

  In this system, in calculating the inner product of the data of the organization A and the organization B while keeping the data secret, the existence of a third party different from the organization A and the organization B is used. However, unlike the ideal model that assumes TTP, the requirements for third-party organizations in this system are realistic that can be applied to business scenes. The availability of such a requirement to a third party is particularly useful in situations where data analysis on the cloud is becoming more common with the recent penetration of cloud models. That is, according to the present system, it is possible to efficiently perform data analysis using computing resources on the cloud while protecting privacy.

Here, when the problem of obtaining the correlation coefficient ρ is simplified, S _x (Equation 2) and S _y (Equation 3) are defined as follows, and S _x and S _y are disclosed to others. However, the problem is to find the inner product s = Σx _i y _i .

FIG. 1 shows an example of the configuration of this system. The system includes a computer 10 of organization A, a computer 20 of organization B, and a computer 30 of a third party. The computer 10 of the organization A stores S _X = {X _i } _i that should be kept secret from the organization B and all other organizations including the third party organization in the data holding unit 100. The data holding unit 200 stores S _Y = {Y _i } _i that should be kept secret from all other organizations including the organization A and the third party organization.

  The data to be concealed is stored after being subjected to a security process such as encryption so as not to leak from each organization. As long as safety is ensured, the data may be stored not on the computer of each organization but on a cloud via a network (however, a storage service different from the third party computer 30 in this system).

The computers of organizations A and B have their own confidential parameter holding units, and the data transformation processing unit 110 of organization A uses the parameters held in its own confidential parameter holding unit 120 to conceal it. The data transformation processing unit 210 of the organization B _applies the transformation to the power data S _X = {X _i } _i , and uses the parameters held in its own secrecy parameter holding unit 220, the data S _Y = { Y _i } Add deformation to _i . Information regarding privacy is concealed by performing a predetermined deformation process using the concealment parameter in this way.

  Then, the computers of the organizations A and B transmit the modified data from the respective communication units 130 and 230 to the communication unit 320 of the computer of the third party organization. From the transformed data, the original data cannot be restored unless the concealment parameters used for the transformation are known.

Therefore, even if the modified data leaks from the computer of the third party organization, the original data S _X and S _Y cannot be leaked as they are unless the values of the confidential parameters of the organizations A and B are leaked. Absent.

However, as will be described later, between the organizations A and B, since the value of each confidential parameter is exchanged for the calculation of the inner product, if the data after the transformation process is leaked from the computer of the third party organization, this system Although the outside organization cannot restore the original data S _X and S _Y , the organization A can restore the data S _Y of the organization B, and the organization B can restore the data S _{X of the} organization A. In order to prevent this, before exchanging the value of the concealment parameter between the organizations A and B, the computer of the third party organization is set in a state in which the nonexistent computer is not likely to leak (that is, the transformation process). It is good to erase the data afterwards).

In addition, for example, a Service-to-Self intercepts communication between the organization A and a third party organization, acquires data after transformation processing, and intercepts communication between the organization A and the organization B. If the value of the concealment parameter used by the organization A is acquired, the data S _{X of the} organization A is restored. In order to prevent this, the communication path between the organization A and the third-party organization is protected by a dedicated line or encrypted so that it cannot be intercepted. Preferably, the parameters are encrypted and exchanged.

The third party computer 30 receives N arbitrary numbers {p _i } _i and {q _i } _i (i∈U) from the computer 10 of the organization A and the computer 20 of the organization B, respectively. The inner product calculation unit 310 calculates Σp _i q _i . Then, the calculation result is returned to each of the computer 10 of the organization A and the computer 20 of the organization B via the communication unit 320.

In this example, the computer 10 of organization A and the computer 20 of organization B have the same internal configuration, and each is based on the calculation results returned from the computer 30 of the third party by the inner product calculation units 140 and 240. Thus, the inner product s = Σx _i y _i can be obtained by itself.

As an alternative, one organization (organization B for explanation) passes the data {q _i } _i after transformation of S _Y to the third party, but the calculation result of the third party is It is returned only to organization A, and organization B then passes information necessary to calculate the inner product while keeping the original data confidential, such as the concealment parameters used for the transformation process, to organization A. The calculation may be performed only by the organization A.

The third-party computer 30 stores {p _i } _i and {q _i } _i received from the organizations A and B in the working memory 330 in the inner product calculation unit 310, but storage storage (not shown) If it is not stored in, the risk of information leakage can be reduced. When the calculation of Σp _i q _i is completed, the memory control unit 340 of the third-party organization remains in the working memory 330 (within the storage when using the storage together), leaving only the calculation result {p All information such as _i } _i and {q _i } _i and calculation process data is deleted, and after the deletion is completed, the calculation result is transmitted to the computer 10 of the organization A and the computer 20 of the organization B.

  The computer 10 of the organization A that has received the calculation result communicates the value of the confidential parameter held in the confidential parameter holding unit 120 after confirming the reception of the calculation result under the control of the transmission control unit 150. From the unit 130 to the communication unit 230, the computer 20 of the organization B can calculate the inner product s by the inner product calculation unit 240. Similarly, the computer 20 of the organization B confirms the confidential parameter stored in the confidential parameter holding unit 220 after confirming the reception of the calculation result from the third party under the control of the transmission control unit 250. The value is sent from the communication unit 230 to the communication unit 130 so that the computer 10 of the organization A can calculate the inner product s by the inner product calculation unit 140.

  As another example, the memory control unit 340 of the third-party organization first transmits the calculation result to the computer 10 of the organization A and the computer 20 of the organization B, and then erases all the information handled for the calculation. The completion of the erasure work may be notified again to the computer 10 of the organization A and the computer 20 of the organization B.

  In this case, the computer 10 of the organization A is held in the concealment parameter holding unit 120 after confirming that it has received a deletion completion notification from a third party under the control of the transmission control unit 150. The value of the confidential parameter is sent from the communication unit 130 to the communication unit 230. Similarly, the computer 20 of the organization B confirms that the deletion completion notification has been received from the third party under the control of the transmission control unit 250, and then the confidential information held in the confidential parameter holding unit 220. The parameter value is sent from the communication unit 230 to the communication unit 130.

  In other words, the computers of organizations A and B have their own risk of information leaking from the third party (the related data is still not deleted on the third party computer). By not transmitting the value of the concealment parameter to the other party, it is possible to reduce the possibility that the data to be concealed will be restored to the other party.

  Further, when it is discovered that information has been leaked due to some incident before the information is deleted in the computer 30 of the third party organization, the fact is detected and the computer 10 of the organization A and the organization B It is preferable to notify the computer 20. When organization A and organization B receive this notification, they must stop sending their own concealment parameter values to the other party or request the other party to discard the transmitted values. Thus, the possibility that the data to be concealed will be restored to the other party can be reduced.

  Alternatively, the organization A and the organization B have their own confidential parameters for a predetermined period determined based on the time taken to determine whether or not there is information leakage even after the third party computer 30 erases the information. The value of the confidential parameter is sent to the other party after receiving a notification that there has been no information leakage from a third party after a predetermined period. Also good.

  In this way, the values of the confidential parameters of the organizations A and B should be protected from being leaked to others, not only those held by themselves but also those received from the other party. is there. Therefore, it is preferable to store the value of the concealment parameter received from the other party only in the working memory (not shown) in the inner product calculation units 140 and 240 and delete it when the calculation of the inner product s is completed.

  It is desirable that the secrecy parameter holding units 120 and 220 perform security processing such as encryption on the value of their own secrecy parameters and hold them. In addition, each time an inner product is obtained, the value of the concealment parameter is changed (for example, a random number is paid out each time), and the concealment parameter holding units 120 and 220 hold values. In order to obtain one inner product with one organization (possibly the same organization as the previous inner product calculation), since the transformation of the data to be concealed, It is safer if the process for obtaining the inner product ends.

  With regard to the security of communication between each of the organizations A and B and the third party organization, it is only necessary to encrypt the communication with the level of security normally used in business. For example, an encryption mechanism similar to that used in online shopping, electronic payment, commercial transactions, net banking, etc. may be used.

  In order to reduce the risk of information leakage while related data exists in the third party computer, the third party computer 30 prepares a virtual space dedicated to the organization A, and the computer of the organization A 10 is limited to only processing related to communication with the network 10, and a virtual space dedicated to the organization B is prepared to limit processing only to processing related to communication with the computer 20 of the organization B. .

  In order to reduce the overall risk of information leakage, it is also effective to shorten the period in which related data exists in the computer of a third-party organization. In addition, it is preferable that the computers of the two organizations access the third party computer at the same timing (send the modified data).

  In addition, between the computer 10 of the organization A and the computer 30 of the third party, between the computer 20 of the organization B and the computer 30 of the third party, and between the computer 10 of the organization A and the computer 20 of the organization B. There may be a separate communication network (for example, a wireless network and a wired network) between them, or all may be connected to a single communication network (for example, the Internet).

  The computers 10 and 20 of the organizations A and B are configured, for example, by installing a program for this method in a device having a computing function. For the encryption / decryption key and the secret parameter when the data holding units 100 and 200 are encrypted data, the storage or processing / reverse processing using the same is performed on hardware or software. You may make it provide in the module which raised security.

  The computer 30 of the third party organization can be configured by installing a program for this method in a general-purpose server or a server group, and may be realized as a calculation service on the cloud.

  The function of each part in FIG. 1 will be further described along with specific examples shown below. The function of each part can be realized by hardware or software, or a combination of hardware and software.

As shown in FIG. 2, the first example of the calculation procedure in this system operates as follows. Here, the inner product to be obtained is z = Σx _i y _i .

(1) Organization A selects a random number α ≠ 0 and transmits {α × x _i } _i to a third party organization. α is held in the confidential parameter holding unit 120, and {α × x _i } _i is calculated by the data transformation processing unit 110. The original x _i information is concealed by the random number α.

(1 ′) Organization B selects a random number β ≠ 0 and sends {β × y _i } _i to a third party. β is held in the confidential parameter holding unit 220, and {β × y _i } _i is calculated by the data transformation processing unit 210. The original y _i information is concealed by the random number β.

(2) The third-party organization uses the inner product calculation unit 310 to calculate s ₁ = Σ (α × x _i ) (β × y _i ) = from {α × x _i } _i and {β × y _i } _i. αβΣx _i y _i = αβ × z is calculated.

(3) The third party transmits the value of s ₁ = αβ × z to the organization A.

(3 ′) The third-party organization transmits the value of s ₁ = αβ × z to the organization B.

  (4) After confirming that the third party has deleted all the information, organization A and organization B exchange the values of α and β held in the respective confidential parameter holding units 120 and 220 .

(5) The inner product calculation unit 140 of the organization A communicates from the organization B with the value of s ₁ received from the third party organization via the communication unit 130, the value of α held in the confidential parameter holding unit 120. Z = Σx _i y _i is obtained by calculating s ₁ / αβ from the value of β received via the unit 130.

(5 ′) The inner product calculation unit 240 of the organization B receives the value of s ₁ received from the third party via the communication unit 230, the value of β held in the confidential parameter holding unit 220, and the organization A Z = Σx _i y _i is obtained by calculating s ₁ / αβ from the value of α received via the communication unit 230.

In the above first example, when the elements of {x _i } _i and {y _i } _i contain zero, it may not be possible to conceal sufficiently. Also, if only one random number is used, it is feared that some information can be inferred from variations in element values even after conversion.

Therefore, in the first example, the step of changing the order of the elements is added in the second example shown in FIGS. In the second example, when S (v) is a replacement for changing the order of elements in the vector v, the inner product of S (S _X ) and S (S _Y ) after replacement is S for any replacement S. It uses the same inner product of _X and S _Y and operates as follows.

  (0) Organization A arbitrarily generates a replacement (function) S for changing the order of N elements, and transmits it to organization B.

(1) Organization A selects random number α ≠ 0, holds it in concealment parameter holding section 120, and replaces the order of the elements of {x _i } _i according to replacement S ({α × x _i } _i ) Is calculated by the data transformation processing unit 110 and transmitted to a third party. Since the order of the elements is arbitrarily changed, information can be concealed even when the original vector {x _i } _i has a tendency in the order of the elements.

(1 ′) Organization B selects random number β ≠ 0, holds it in concealment parameter holding section 220, and replaces the order of the elements of {y _i } _i according to replacement S ({β × y _i }) _i ) is calculated by the data transformation processing unit 210 and transmitted to a third party. Since the order of the elements is arbitrarily changed, information can be concealed even when the original vector {y _i } _i has a tendency in the order of the elements.

(2) a third party is the inner product calculation unit 310, S because _{({α × x i} i} ) and _{S ({β × y i}} i), s 2 = Σ (α × x i) ( β × y _i ) = αβΣx _i y _i = αβ × z is calculated.

(3) The third party transmits a value of s ₂ = αβ × z to the organization A.

(3 ′) The third-party organization transmits the value of s ₂ = αβ × z to the organization B.

  (4) After confirming that the third party has deleted all the information, organization A and organization B exchange the values of α and β held in the respective confidential parameter holding units 120 and 220 .

(5) The inner product calculation unit 140 of the organization A communicates from the organization B with the value of s ₂ received from the third-party organization via the communication unit 130, the value of α held in the confidential parameter holding unit 120. Z = Σx _i y _i is obtained by calculating s ₂ / αβ from the value of β received via the unit 130.

(5 ′) The inner product calculation unit 240 of the organization B receives the value of s ₂ received from the third party organization via the communication unit 230, the value of β held in the confidential parameter holding unit 220, and the organization A Z = Σx _i y _i is obtained by calculating s ₂ / αβ from the value of α received via the communication unit 230.

  It should be noted that the technique for improving the safety by applying the replacement for changing the order of the elements in the vector can be combined with the third and fourth examples described later and other examples.

FIGS. 5 to 7 show a third example as a calculation procedure that is safer in terms of information theory. The third example estimates {x _i } _i and {y _i } _i by limiting the information exchanged between the organizations A and B and the third party organization with all information. In order to avoid the lack of information, it operates as follows.

(1) The organization A selects a random number α ≠ 0 and a random number sequence {a _i } _i and holds it in the confidential parameter holding unit 120, and also converts {α × x _i + a _i } _i into data transformation processing Calculated by the unit 110 and transmitted to a third party. This modification corresponds to performing encryption using random numbers having a larger amount of information for the input, and data ({α × x _i + a _i } _i ) handled by a third party is leaked alone. Even so, information-theoretic security is guaranteed for the original data {x _i } _i .

(1 ′) The organization B selects a random number β ≠ 0 and a random number sequence {b _i } _i and stores the random number sequence {b _i } _i in the concealment parameter storage unit 220 and converts {β × y _i + b _i } _i into the data transformation Calculated by the processing unit 210 and transmitted to a third party. This modification corresponds to performing encryption using a random number having a larger amount of information for the input, and data ({β × y _i + b _i } _i ) handled by a third party is leaked alone. Even so, information theoretical safety is guaranteed for the original data {y _i } _i .

(2) The third-party organization uses the inner product calculation unit 310 to calculate Z = Σ (α × x _i + a _i ) (β from {α × x _i + a _i } _i and {β × y _i + b _i } _i. Xy _i + b _i ) = αβΣx _i y _i + αΣb _i x _i + βΣa _i y _i + Σa _i b _i = αβ × z + α × s ₃ + β × s ₄ + s ₅

  (3) The third-party organization transmits the value of Z to organization A.

  (3 ') The third party transmits the value of Z to the organization B.

(4) After confirming that the third party has deleted all the information, the organization A and the organization B have the values of {a _i } _i held in the respective confidential parameter holding units 120 and 220. , {B _i } _i exchange each value.

(5) the inner product calculation unit 140 of the tissue A has a {x _{i} i} stored in the data storage unit 100, and {a _{i} i} held in the hidden parameter holding unit 120, a communication from the tissue B From {b _i } _i received via the unit 130, s ₃ = Σb _i x _i and s ₅ = Σa _i b _i are calculated.

(5 ′) The inner product calculation unit 240 of the organization B includes {y _i } _i stored in the data holding unit 200, {b _i } _i stored in the concealment parameter holding unit 220, and the organization A S ₄ = Σa _i y _i and s ₅ = Σa _i b _i are calculated from {a _i } _i received via the communication unit 230.

(6) The organization A sends the calculated value of s _{3 and} the value of α held in the concealment parameter holding unit 120 to the organization B, and the organization B sends the calculated value of s ₄ and concealment The value of β held in the parameter holding unit 220 is sent to the organization A.

(7) The inner product calculation unit 140 of the organization A stores the values of s ₃ and s ₅ calculated previously, the value of Z received from the third-party organization via the communication unit 130, and the confidential parameter storage unit 120. By calculating (Z−α × s ₃ −β × s ₄ −s ₅ ) / αβ from the value of α and the values of s ₄ and β received from the organization B via the communication unit 130. , Z = Σx _i y _i is obtained.

(7 ′) The inner product calculation unit 240 of the organization B stores the previously calculated values of s ₄ and s ₅ , the Z value received from the third party via the communication unit 230, and the confidential parameter holding unit 220. (Z−α × s ₃ −β × s ₄ −s ₅ ) / αβ is calculated from the held β value and the s ₃ and α values received from the organization A via the communication unit 230. Thus, z = Σx _i y _i is obtained.

  In addition, as a 4th example which implements a 3rd example partially, there are the following calculation procedures as shown in FIGS.

(1) The organization A selects a random number sequence {a _i } _i and stores it in the concealment parameter storage unit 120, and calculates {x _i + a _i } _i by the data transformation processing unit 110, Send to person organization. This modification corresponds to performing encryption using a random number having the same amount of information on the input, even if data ({x _i + a _i } _i ) handled by a third party is leaked alone. , Information theoretical security is guaranteed for the original data {x _i } _i .

(1 ′) The organization B selects a random number sequence {b _i } _i and holds it in the concealment parameter holding unit 220, and calculates {y _i + b _i } _i by the data transformation processing unit 210, Send to a tripartite organization. This modification is equivalent to encryption using random numbers having the same amount of information as input, even if data ({y _i + b _i } _i ) handled by a third party leaks alone. , Information theoretical safety is guaranteed for the original data {y _i } _i .

(2) The third-party organization uses the inner product calculation unit 310 to calculate Z = Σ (x _i + a _i ) (y _i + b _i ) = Σx from {x _i + a _i } _i and {y _i + b _i } _{i. i} y _i + Σb _i x _i + Σa _i y _i + Σa _i b _i = z + s ₃ + s ₄ + s ₅ is calculated.

  (3) The third-party organization transmits the value of Z to organization A.

  (3 ') The third party transmits the value of Z to the organization B.

(4) After confirming that the third party has deleted all the information, the organization A and the organization B have the values of {a _i } _i held in the respective confidential parameter holding units 120 and 220. , {B _i } _i exchange each value.

(5) the inner product calculation unit 140 of the tissue A has a {x _{i} i} stored in the data storage unit 100, and {a _{i} i} held in the hidden parameter holding unit 120, a communication from the tissue B From {b _i } _i received via the unit 130, s ₃ = Σb _i x _i and s ₅ = Σa _i b _i are calculated.

(5 ′) The inner product calculation unit 240 of the organization B includes {y _i } _i stored in the data holding unit 200, {b _i } _i stored in the concealment parameter holding unit 220, and the organization A S ₄ = Σa _i y _i and s ₅ = Σa _i b _i are calculated from {a _i } _i received via the communication unit 230.

(6) Organization A sends the calculated value of s ₃ to organization B, and organization B sends the calculated value of s ₄ to organization A.

(7) The inner product calculation unit 140 of the organization A calculates the values of s ₃ and s ₅ previously calculated, the value of Z received from the third party via the communication unit 130, and the organization B via the communication unit 130. Z = Σx _i y _i is obtained by calculating Z−s ₃ −s ₄ −s ₅ from the received value of s ₄ .

(7 ′) The inner product calculation unit 240 of the organization B calculates the previously calculated values of s ₄ and s ₅ , the Z value received from the third party via the communication unit 230, and the organization A via the communication unit 230. Z = Σx _i y _i is obtained by calculating Z−s ₃ −s ₄ −s ₅ from the value of s ₃ received in step S2.

In the third and fourth examples described above, even if each value constituting the original vectors {x _i } _i and {y _i } _i is limited to 0 or 1, the random vector { By making each value constituting a _i } _i and {b _i } _{i an} arbitrary real number other than 0, the information of the original vector can be concealed.

However, for example, with respect to the vector {x _i } _{i of} the organization A, the organization B has a vector {y _i } in which only one element (for example, the k-th element) is set to 1 and all other elements are set to 0. _{When i} is inputted, the obtained z = Σx _i y _i becomes equal to the value of x _k , and if the inner product is calculated by changing the input for k = 1 to N, the malicious organization B becomes the vector of the organization A { _Xi } _i can be known.

  In order to prevent such an attack, a third-party computer may use an inner product if an input is received from an organization where only a certain number of elements have a value and the other elements are zero. It is desirable to have a configuration that rejects the calculation.

Further, for example, the organization B calculates the inner product with the input of the vector {y _i } _{i in} which all the elements are 1, and only one element (for example, the k-th element) is 2 and all other elements are If the vector {y _i } _{i of 1} is input and the inner product is calculated and the former result is subtracted from the latter result, the value of x _k is obtained. A vector {x _i } _i of A can be known.

  In order to prevent such an attack, it is only necessary to refuse to obtain the inner product a plurality of times for the same input of the opponent. For example, when requesting an inner product operation to a third party organization, the organization B designates an inner product operation with a data string in a specific ID space of the organization A. If the same designation is made within the period retroactive to the past period and the inner product operation is performed, the third party computer may be configured to reject the request.

  In any of the above example calculation procedures, it is necessary to confirm that all relevant information has been deleted from the third party computer after the third party calculation, and then proceed to the next step. After that, there is no need to consider the risk of leakage related to information handled by third-party organizations. That is, since the third party that performs the calculation does not perpetuate the information, the risk of information leakage accompanying a certain calculation is limited to a short time until the calculation is completed.

  Moreover, since the calculation procedure of any of the above examples has a simple protocol and the calculation cost is only four arithmetic operations, the data concealed inner product calculation can be realized with a small amount of calculation.

  Hereinafter, application examples of the present system will be described. In statistics, the correlation coefficient takes a real value from -1 to 1. For example, if the correlation coefficient for two numerical sets is close to −1, it can be determined that there is a negative correlation, and if it is close to 1, there is a positive correlation. When the correlation coefficient is close to 0, it can be determined that the correlation is weak. Therefore, although it is difficult to disclose information held by two organizations, this system can be applied to cases where some knowledge can be obtained by obtaining the correlation.

  In the following example, the same individual is a user of two organizations, and the two organizations share the same user ID. For example, a personal identification number such as an SSN (Social Security Number) in the United States, a mobile phone number, or the like can be used as the user ID. If the ID only identifies the user and does not relate to information that identifies the individual user, even if the data sent from the organizations A and B to the third party leaks and the information is estimated Therefore, it is impossible to determine which user it corresponds to, and it is safer. As in the second example described above, the data sent from the organizations A and B to the third party is changed in order with a different function each time, and the function is assumed to be known only to the organizations A and B. Safer.

  The first application relates to travel history and medical history. Assume that organization A is an airline and has a travel history to a specific country. Assume that organization B is a database in the medical industry and has a record of having a specific disease. Both are information related to privacy, and each information cannot be disclosed, but correlation analysis is possible with this system. If the correlation coefficient required by this system indicates that there is a strong correlation between travel history and medical history, it is possible to alert travelers, discuss the necessity of vaccination, or determine whether travel is prohibited. It is.

  The next application relates to aptitude tests and accident histories. It is assumed that organization A is a company that conducts aptitude tests, and has accumulated aptitude test results from entrance examinations and employee training from many companies. Assume that organization B is an insurance company and has a database of customer accident histories. Both deal with privacy information and cannot disclose such information, but correlation analysis is possible with this system. If the correlation coefficient required by this system indicates that there is a correlation between specific items of aptitude test (for example, thoughtful, judgmental, awkward, etc.) and the accident history, it is appropriate to issue a driver's license. It is also significant to conduct tests and to call attention and give guidance according to the results. In addition, an insurance company can also perform a device such as performing aptitude tests when contracting automobile insurance and adjusting insurance premiums based on the results.

  The next application example relates to online game connection time and results. In relation to education, many parents care about the relationship between their child's performance and time spent playing games. Assume that organization A is a game maker that provides an online game and has information about the time spent by the child on the game. Assume that organization B is a school or a cram school and has information about the child's performance. Information that the organizations A and B have cannot be disclosed, but correlation analysis can be performed by this system. If the correlation coefficient obtained by the present system reveals that there is a high correlation, it can be used as a basis for the parent to stop the game. Conversely, if it is clear that the correlation is low, the game maker can appeal that the online game does not affect the child's performance.

  As a final application example, there are things related to magazine purchase history and restaurant usage history. Assume that the organization A is a site having book purchase information, and the purchase history of books and magazines belonging to a certain category (for example, those related to France) can be understood. Assume that the organization B is a card company and has information on the use history of a restaurant (for example, a restaurant that handles French cuisine). Information held by both parties is privacy-related information and cannot be disclosed, but correlation analysis can be performed by this system. If the correlation coefficient required by this system shows that a person who purchases a magazine of a certain category has a correlation with the use of a restaurant of a specific category, it is effective to conduct advertising and targeted marketing. I understand that.

  As mentioned above, although embodiment of this invention was described exemplarily, it cannot be overemphasized that those skilled in the art can implement the above-mentioned embodiment in various deformation | transformation and application within the scope of the present invention.

Claims (17)

A device of the first organization having storage means for storing a first data string to be kept secret in the first organization;
A second organization apparatus having storage means for storing a second data string to be concealed within the second organization;
A device of a third organization having a calculation means for calculating an inner product between input data strings;
A data concealed inner product calculation system comprising:
The first organization apparatus performs a first modification for concealment of the first data string, and outputs the modified first data string to the third organization apparatus. With
The second organization apparatus performs a second modification for concealment of the second data string, and outputs the modified second data string to the third organization apparatus. With
The apparatus of the third organization calculates an inner product of the deformed first data string and the deformed second data string by the calculating means, and calculates the inner product of at least the second organization. Equipped with return means to return to the device,
The device of the first tissue further includes a transmission means for transmitting information on the first deformation performed by the device to the device of the second tissue,
The second tissue device is based on information about the second deformation performed by the device, information received from the first tissue device, and the inner product received from the third tissue device. A data concealed inner product calculation system, further comprising calculation means for obtaining an inner product of the first data string and the second data string. The third tissue device returns the calculated inner product to the first tissue device;
The first tissue device is based on information about the first deformation performed by the device, information received from the second tissue device, and the inner product received from the third tissue device. And a calculation means for obtaining an inner product of the first data string and the second data string,
2. The data according to claim 1, wherein the second organization apparatus further includes a transmission unit configured to transmit information on the second deformation performed by the first apparatus to the first organization apparatus. A secret inner product calculation system.   3. The data concealment according to claim 1, wherein each data of the first data string and each data of the second data string are associated with the same data ID. In-mold product calculation system.   The transmission means of the first tissue apparatus erased the deformed first data string and the deformed second data string used by the third tissue apparatus for calculation by the calculation means. The data concealed inner product calculation system according to any one of claims 1 to 3, wherein the information is transmitted after being confirmed. The third organization apparatus calculates the inner product of the deformed first data string and the deformed second data string by the calculating means, and leaves the inner product to leave the deformed first data string. Erasing one data string and the transformed second data string, and after erasing, returning the inner product to at least the second tissue device;
5. The transmission means of the first tissue device transmits the information after the inner product from the third tissue device is received. The data concealment type inner product calculation system according to item 1. The third organization apparatus calculates the inner product of the deformed first data string and the deformed second data string by the calculating means, and then calculates the deformed first data string and Means for erasing the deformed second data string, determining whether or not these data strings may have leaked out of the organization before erasure, and notifying at least the first organization apparatus of the determination result; In addition,
The transmission means of the device of the first organization transmits the information after the determination result that the possibility does not exist is notified from the device of the third organization. The data confidential inner product calculation system according to any one of 1 to 5.   At least communication between the first tissue device and the third tissue device, and communication between the second tissue device and the third tissue device; The data concealed inner product according to any one of claims 1 to 6, wherein the data confidential inner product is protected so that it cannot be intercepted by anyone other than the two who perform it and a third party cannot impersonate a communication partner. Calculation system.   The apparatus of the third organization does not calculate the inner product when a value of data more than a predetermined number among the plurality of data constituting the modified first or second data string is zero. 8. The data concealed inner product calculation system according to claim 1, wherein a calculation rejection notification is returned instead of the inner product.   The device of the third organization stores which data ID set of which organization the transformed data string used for the calculation of the inner product is related to within the predetermined period. When receiving the modified data string related to the same data ID set from a device of the organization, the calculation of the inner product is not performed, and a notification of calculation refusal is returned instead of the inner product. Item 10. The data concealed inner product calculation system according to any one of Items 1 to 8. The first modification performed by the device of the first organization is to generate a first random number, and multiply each data constituting the first data string by the first random number,
The second modification performed by the device of the second organization is to generate a second random number and multiply each data constituting the second data string by the second random number,
The information related to the first deformation is the first random number,
10. The data concealed inner product calculation system according to any one of claims 1 to 9, wherein the information related to the second modification is the second random number. The first modification performed by the device of the first organization is to generate a first random number sequence and add each data constituting the first random number sequence to each data constituting the first data sequence. Is what
The second modification performed by the second organization apparatus generates a second random number sequence, and adds each data constituting the second random number sequence to each data constituting the second data sequence. Is what
The information regarding the first deformation is the first random number sequence,
The information regarding the second modification is the second random number sequence,
The device of the first organization calculates an inner product of the first data string and the second random number sequence, and the calculation means of the device of the second organization calculates the calculation result of the first organization. The data concealed inner product calculation according to any one of claims 1 to 9, further comprising means for transmitting to the device of the second organization so that the information can be used as information received from the device. system. The first modification performed by the device of the first organization generates a first random number and a first random number sequence, and multiplies each data constituting the first data sequence by the first random number. Each data constituting the first random number sequence is added to each result,
The second modification performed by the device of the second organization generates a second random number and a second random number sequence, and multiplies each data constituting the second data sequence by the second random number. Each data constituting the second random number sequence is added to each result,
The information regarding the first modification is the first random number and the first random number sequence,
The information regarding the second deformation is the second random number and the second random number sequence,
The device of the first organization calculates an inner product of the first data string and the second random number sequence, and the calculation means of the device of the second organization calculates the calculation result of the first organization. The data concealed inner product calculation according to any one of claims 1 to 9, further comprising means for transmitting to the device of the second organization so that the information can be used as information received from the device. system.   The device of the first organization and the device of the second organization replace the order of each data constituting the data row according to the same rule for the first data row and the second data row, respectively. The first modification and the second modification are respectively performed on the first data string and the second data string that have means and the order is changed. The data confidential inner product calculation system according to any one of -12. A device of a first organization that stores a first data string to be concealed in the first organization, and a device of a second organization that stores a second data string to be concealed in the second organization. A method for obtaining an inner product of the first data string and the second data string while maintaining the confidentiality of the data using a device of a third organization,
The first organization apparatus performs a first modification for concealment on the first data string, and outputs the transformed first data string to the third organization apparatus,
The second organization device performs a second modification for concealment on the second data sequence, and outputs the transformed second data sequence to the third organization device,
The third tissue device calculates an inner product of the deformed first data string and the deformed second data string, and returns the inner product to at least the second tissue device;
The first tissue device transmits information on the first deformation performed by the device to the second tissue device,
The device of the second tissue is based on the information about the second deformation performed by the device, the information received from the device of the first tissue, and the inner product received from the device of the third tissue. A data concealed inner product calculation method, wherein an inner product of the first data string and the second data string is obtained. The third tissue device returns the calculated inner product to the first tissue device;
The second tissue device transmits information on the second deformation performed by the device to the first tissue device,
The first tissue device is based on information about the first deformation performed by the device, information received from the second tissue device, and the inner product received from the third tissue device. The data concealed inner product calculation method according to claim 14, wherein an inner product of the first data string and the second data string is obtained. A device of a first organization that stores a first data string to be concealed in the first organization, and a device of a second organization that stores a second data string to be concealed in the second organization. In the system for obtaining the inner product of the first data string and the second data string while maintaining the confidentiality of data using the device of the third organization, as the device of the first organization, A program for operating a computer, wherein the computer
Performing a first transformation for concealment on the first data sequence, and outputting the transformed first data sequence to the device of the third organization,
Receiving the inner product of the transformed first data string and the data string output from the second tissue device returned from the third tissue device;
Information relating to the second transformation performed on the second data string for concealment from the second organization device before the second organization device outputs to the third organization device. Received
Based on the information relating to the first deformation performed by the device itself, the information received from the device of the second tissue, and the inner product received from the device of the third tissue, the first data string, A program for obtaining an inner product with the second data string. A device of a first organization that stores a first data string to be concealed in the first organization, and a device of a second organization that stores a second data string to be concealed in the second organization. In the system for obtaining the inner product of the first data string and the second data string while maintaining the confidentiality of data using the device of the third organization, as the device of the third organization, A program for operating a computer, wherein the computer
From the device of the first organization, to receive the data string obtained by performing the first transformation for concealment to the first data string,
From the device of the second organization, to receive the data string obtained by performing a second transformation for concealment to the second data string,
Calculating the dot product of the data sequence received from the first organization device and the data sequence received from the second organization device;
The inner product is determined based on the inner product, the first deformation information, and the second deformation information by at least one of the first tissue device and the second tissue device. A program for returning to at least one of the first tissue device and the second tissue device so that an inner product of the second data string and the second data string can be obtained.