JP2015108682A - Secrecy comparison method, program, and system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To enable the comparison results of each other's to be known to each other without revealing the values of each other's in a secrecy comparison technique in order for two parties holding numeric data to know whether each other's values are close without revealing each other's values.SOLUTION: An element decomposition unit 102 (A, B) of a computer 100 (A, B) converts each of a first numeric value and a second numeric value which are the objects to be compared into a first set and a second set of elements each other's values of which can be compared for determination by the number of common elements. An encryption unit 103 (A, B) of the computer 100 (A, B) and a common element counting unit 109, etc., of a computer 100 (S) calculate, by secrecy calculation, the number of common elements in the first set and second set. A comparison result calculation unit 104 (A, B) of the computer 100 (A, B) converts the number of common elements into a comparison result and outputs the converted result.

Description

  The present invention relates to a secret comparison method, a program, and a system.

  There are cases where two numerical data holders do not disclose their values and want to know whether their values are close.

  For example, if Company A and Company B, both competitors, use the products and services of Company C, they would like to know whether the usage price is the same or both, but if they are not the same, the usage price of each other Suppose you don't want to teach.

In the following, the numerical values are denoted as r _A and r _B , respectively. For example, if the usage price of Company A is 50,000 yen, r _A = 50000.

Since both companies are competitors, as long as they can get the right answer, they want to provide as little information as possible to other companies. Thus, for example, tell the r _A A company to company B, company B teach r _A and r _B is whether the same degree in Company A, does not hold a simple methods such as. This is because, B company is because there is no incentive to teach the truth of the information in Company A, who teach the bogus information that it is not necessary to divulge information about the r _B. Even if r _A and r _B are not comparable, it is also a problem that the correct value of r _A is transmitted to B company.

  Conventionally, there is a method called SFE (Secure Function Evaluation) in which the client does not leak its own input, the server does not leak its own function, and the client can obtain the function output for the input (for example, non-patent literature) 1).

With this SFE, B company, input is by preparing a determining function or about the same as the r _B, A Company is r _A and r _B to know whether the same degree without informing the information of its own Can be built. For example, if company _B prepares a function f (x) = (r _B -d <x <r _B + d) (d = 10,000, etc.) and becomes company A, then client A becomes r _A Without letting B know, B wants to get f (r _A ) (ie, r _A is within r _B ± d) without telling f (x) to A be able to.

  However, this method has a problem that Company B cannot obtain any information. Company A has already obtained the correct answer and has no motivation to tell Company B the correct result.

  In addition, there is a technique for speeding up the calculation using homomorphic encryption by limiting functions, but this problem has not been solved (for example, Patent Document 1).

  In addition, there is a method for determining whether or not the values of the two parties are approximately the same by using a third party on the premise that they do not collide with others (for example, Patent Document 2).

  In this method, the two parties share a random number and encrypt it using it, so that the value cannot be understood by a third party. This encryption uses homomorphism, and a third party can determine whether or not the original values match while being encrypted.

However, if the third party knows the random number as a collusion with one, the other value can be known (by brute force). For example, since Company A it is possible to obtain the correct information it is possible to know the r _B by collusion with a third party, A company there is no incentive to use the correct r _A for Company B, only Company B The correct information cannot be obtained.

  As described above, homomorphic encryption can be calculated while encrypted, but one of the two who can obtain a private key (decryption key) (by collusion if necessary) is unilaterally advantageous. There is a problem.

  On the other hand, there is a method of performing a match determination while encrypting each other with its own private key (for example, Non-Patent Document 2).

This method is useful for obtaining each other the number of common elements of each other's set without revealing each other's set. First, as Step 1, secret keys are prepared for each other, and each element of its own set is encrypted and transmitted to the other party. Here, encryption is performed by a hash function with a commutative key. For example, h (k, m) = m ^k mod p (k is a key, m is an element value, and p is an appropriate natural number shared in advance by both). In step 2, each received element is similarly encrypted and transmitted (with the element order being random). In step 3, the number of common elements between the received set and the set encrypted in step 2 is calculated. This makes it possible to calculate the number of common elements with the other party set while keeping the own data secret from an arbitrary person who does not know his secret key.

  However, this method can only know the number of common elements in each other's set, and cannot know whether the numbers are similar. There is also a problem that there is no motivation to transmit a correct value in Step 2 (the user can obtain correct information even if a random value is transmitted).

  As described above, in the prior art, the two numerical data holders cannot know whether their values are close to each other while preventing their own values from being known even if they are collaborated.

JP 2011-114392 A JP 2010-237653 A

Andrew C. Yao. Protocols for Secure Computations.Proceedings of 23rd Annual Symposium on Foundations of Computer Science (FOCS 1982), IEEE Computer Society, pp.160-164, 1982. Rakesh Agrawal, Alexandre Evfimievski, and Ramakrishnan Srikant.Information Sharing Across Private Databases.Proceedings of the 2003 ACM SIGMOD International Conference on Management of Data, pp.86-97, 2003.

  Therefore, an object of one aspect of the present invention is to make it possible to obtain a comparison result of each other's values without revealing each other's values.

  In an example of the aspect, the first numerical value and the second numerical value to be compared are respectively converted into a first set and a second set of elements that can be compared and determined by the number of common elements. The processing includes calculating the number of common elements of the set and the second set by a secret calculation, comparing the calculated number of common elements of the first set and the second set, and outputting a comparison result.

  It becomes possible to obtain a comparison result of each other's value without revealing each other's value.

It is a figure which shows the structural example of this embodiment. It is a flowchart which shows the process example of the decomposition | disassembly of the nonnegative integer which an element decomposition | disassembly part performs. It is a flowchart which shows the example of a process of the encryption and shuffle which an encryption part performs. It is a flowchart which shows the process example of the comparison result calculation which a comparison result calculation part performs. It is a flowchart which shows the process example of conversion of the list | wrist M which a comparison result calculation part performs. It is a flowchart which shows the process example of the magnitude determination which a comparison result calculation part performs. It is a sequence diagram which shows the example of the processing relationship between three computers in this embodiment. It is a block diagram of the hardware system which can implement | achieve the system of this embodiment.

Hereinafter, embodiments for carrying out the present invention will be described in detail with reference to the drawings.
In the embodiment of the present invention, two numerical data holders convert their numerical values into sets that can be compared and determined by the number of common elements, calculate the number of common elements by a secret calculation, and each converts the result. This is a method for obtaining a comparison result.

  An embodiment realized by software will be described as an embodiment of the present invention.

The input to this embodiment is as follows.
・ Numeric r _x
・ Encryption key k _x
-Share conversion method f (r)
-Shared bit length b
・ Shared encryption method h (k, m)

r _x is a secret numerical value held by each of A company and B company. x is A or B, which represents the data of Company A and Company B, respectively. For example, r _A is a numerical value held by company _A.

k _x is each secret encryption key. For example, k _A is an encryption key that only company _A knows.
f (r) is a conversion method from a real number to a non-negative integer shared by A company and B company.

b is the shared bit length.
h (k, m) is a shared encryption method and a hash function with a commutative key.

The output of this embodiment is as follows.
• The opponent's numerical range R _x .

Company A can know the value range RB of Company _B. Similarly, Company B can know _RA . Also, the closer the values are, the narrower the range of R.

FIG. 1 is a diagram illustrating a configuration example of a secret comparison system according to the present embodiment.
Assume that the computer holding the data of company A is 100 (A), and the computer holding the data of company B is 100 (B).

In the following description, r _A = 50000 and r _B = 30000 will be described as an example.
First, at an appropriate time, the conversion method f (r), bit length b, and encryption method h (k, m) are determined in advance by some means between the computers 100 (A) and 100 (B) and shared. Keep it. For example, the employees of Company A and Company B will discuss and decide. Further, the computer 100 (S) may provide a communication support service to both employees.

For example, the following equation is used for the conversion method f (r).
n _x = f (r _x ) = floor (sr _x + t)
Where floor (x) is a floor function.
As an example, s = 1/10000 and t = 0. At this time, n _A = 5 and n _B = 3.

If len (x) is a function that returns the length of a non-negative integer binary number, b ≧ max (len (n _A ), len (n _B )) is required. Therefore, in this example, b ≧ max (len (5), len (3)) = max (len (101 ₂ ), len (11 ₂ )) = max (3, 2) = 3.

For example, b = 4 and h (k, m) = m ^k mod p (p is an appropriate natural number as described in Non-Patent Document 2).

  The computer 100 (A) or the computer 100 (B) includes a storage unit 101 (A) or 101 (B), an element decomposition unit 102 (A) or 102 (B), an encryption unit 103 (A) or 103 (B) The comparison result calculation unit 104 (A) or 104 (B) and the communication unit 105 (A) or 105 (B) are provided.

  The computer 100 (S) includes a storage unit 106, a data transfer unit 107, a set reception unit 108, a common element number counting unit 109, a result output unit 110, and a communication unit 105 (S).

The storage units 101 (A), 102 (B), and 106 store input values, intermediate progress values, output values, and the like used in the present embodiment. Moreover, the control program of each process shown by the flowchart of FIGS. 2-6 is memorize | stored.
Other portions will be described in detail in the following description.

  The detailed operation of the present embodiment having the above configuration will be described below.

  The secret comparison system of FIG. 1 according to the present embodiment performs the following processing. Computers 100 (A) and 100 (B) are separated from two integer values in different places into n-th order prefix arrays (arrays shifted by 1 bit at a time from the higher bits) Create an array with 1 added or subtracted depending on whether it is an even number or not, and encrypt the resulting two arrays. Then, the third party computer 100 (S) compares the encrypted sequences to calculate the number of common elements that is an integer matching degree. The computers 100 (A) and 100 (B) receive the number of common elements, convert it into a comparison result, and output it.

The element decomposition units 102 (A) and 102 (B) decompose the input r _x into elements. More specifically, it performs a conversion to non-negative integer n _x, the degradation of the element.

Conversion to non-negative integer n _x are as defined above, carried out by applying f (r) to the r _x.
Then, they decomposed in the computer 100 (A) and each computer 100 (B), a non-negative integer n _x, by the same method b. Use

  FIG. 2 is a flowchart showing an example of the disassembly process executed by the element disassembly unit 102 (102 (A) or 102 (B)) in FIG. An example of processing in the computer 100 (B) for each step will be described.

n = n _B = 3 and b = 4 are accepted as inputs (step S1 in FIG. 2).
A list L storing a prefix array of n in binary representation of length b is created (step S2 in FIG. 2). The prefix array is an all partial character string including the first character of the character string, and refers to an array that is decomposed by shifting bit by bit from the upper bits. Since n = 3 = 0011 ₂ , L = [0011, 001, 00, 0].

i = 0 is prepared (step S3 in FIG. 2).
It is determined whether i <b (step S4 in FIG. 2).
Now, since b = 4 and i <b, the determination in step S4 in FIG. 2 is YES, and the control is transferred to step S5.

i is incremented by 1 and i = 1 (step S5 in FIG. 2).
The i-th element of L is copied, and e = 0011 (step S6 in FIG. 2).

It is determined whether or not the least significant bit of e is 0 (step S7 in FIG. 2).
Now, since the least significant bit of e is 1 and the determination in step S7 is NO, control is transferred to step S12 in FIG.

  e is increased by 1, and e = 0100 is obtained (step S12 in FIG. 2). At this time, calculation is performed while maintaining the character string length.

It is determined whether or not all the bits of e are 0 (step S13 in FIG. 2).
Since e includes 1 bit and the determination in step S13 is NO, control is transferred to step S11.

  e is added to the end of L (step S11 in FIG. 2). As a result, L = [0011, 001, 00, 0, 0100]. Thereafter, control is passed to step S4 in FIG.

  Since i = 1 and b = 4 and i <b and the determination in step S4 in FIG. 2 is YES, control is transferred to step S5. Similarly, the process is repeated until step S14, and i = 2 is obtained. At this time, L = [0011, 001, 00, 0, 0100, 010]. When returning to this step again, since i = 2 and b = 4 and i <b and the determination in step S4 is YES, control is transferred to step S5.

i is increased by 1, i = 3 (step S5 in FIG. 2).
The i-th element of L is copied and e = 00 (step S6 in FIG. 2).

  Since the least significant bit of e is 0, the determination in step S7 in FIG. 2 is YES, and control is transferred to step S8.

  e is decreased by 1 and e = 11 (step S8 in FIG. 2). At this time, calculation is performed while maintaining the character string length. This is a result of underflow.

It is determined whether or not all the bits of E are 1 (step S9 in FIG. 2).
Now, since all the bits of e are 1, the determination in step S9 is YES, and control is transferred to step S10 in FIG.

  The padding is performed on e, so that e = 00111 (step S10 in FIG. 2). In the present embodiment, padding uses a method in which 1 is first added to the head and 0 is further added until the overall length becomes b + 1. In general, it can be discriminated whether it is padded, and any type of injection is acceptable. It can be seen that the method of this embodiment is padded only when the overall length is b + 1, and in this case, the first 1 is padded so that it is injection.

  e is added to the end of L (step S11 in FIG. 2). As a result, L = [0011, 001, 00, 0, 0100, 010, 00111]. Thereafter, control is passed to step S4 in FIG.

  Since i = 3 and b = 4 and i <b, the determination in step S4 is YES, and the control is transferred to step S5. Similarly, the process is repeated until step S14, and i = 4. At this time, L = [0011, 001, 00, 0, 0100, 010, 00111, 00011]. When i = b = 4 again when returning to this step, the determination in step S4 is NO, and the control is transferred to step S14 in FIG.

L is output (step S14 in FIG. 2). That is, L _B = [0011, 001, 00, 0, 0100, 010, 00111, 00011].

Similarly, in the computer 100 (A), n _A = 5 is decomposed as L _A = [0101, 010, 01, 0, 0110, 001, 10, 00011].

Next, the number of common elements of L _A and L _B is obtained from each other by using the method of obtaining the number of common elements of each other's set without revealing each other's set.

In the present embodiment, this is performed as follows.
First, each element of L is converted to a non-negative integer. It is necessary to be injective. For example, it can be realized by adding "1" to the beginning of each element and considering it as a binary number.

For example, when L _A is converted, L _A = [10101 ₂ , 1010 ₂ , 101 ₂ , 10 ₂ , 10110 ₂ , 1001 ₂ , 110 ₂ , 100011 ₂ ] = [21, 10, 5, 2, 22, 9, 6, 35]. Similarly, L _B = [10011 ₂ , 1001 ₂ , 100 ₂ , 10 ₂ , 10100 ₂ , 1010 ₂ , 100111 ₂ , 100011 ₂ ] = [19, 9, 4, 2, 20, 10, 39, 35] Become.

  Next, the encryption unit 103 (103 (A) or 103 (B)) in FIG. 1 encrypts each element of the list L, shuffles it, and transmits it.

  FIG. 3 is a flowchart showing an example of encryption and shuffle processing executed by the encryption unit 103 (103 (A) or 103 (B)) of FIG. A process in the computer 100 (A) will be described for each step.

The key k = k _A , the encryption method h (k, m), and the list L = L _A are accepted as input (step S1 in FIG. 3).

A list L ′ obtained by encrypting each element of L is created (step S2 in FIG. 3). Therefore, L _A '= (h (k _A , 21), h (k _A , 10), h (k _A , 5), h (k _A , 2), h (k _A , 22), h (k _A , 9), h (k _A , 6), h (k _A , 35)].

A list M in which integer values of 0 or more and less than 8 (the number of elements of L) are randomly arranged is created (step S3 in FIG. 3). This is referred to as M _1. For example, make M _A1 = [2, 6, 7, 0, 3, 1, 4, 5].

The original L ′ [M [i]] is re-stored in L ′ [i] (step S4 in FIG. 3). Here, L [i] means the i + 1-th element of L. That is, for example, 'The elements of the first (1st) _{of, L A' L A [M} A1 [0]] = L A '[2] = h (k A, 5) is re-stored. This is done for all elements and L _A '= [h (k _A , 5), h (k _A , 6), h (k _A , 35), h (k _A , 21), h (k _A , 2), h (k _A , 10), h (k _A , 22), h (k _A , 9)].

M _A1 and L _A ′ are output (step S5 in FIG. 3).
Similarly, in computer 100 (B), for example, M _B1 = [1, 6, 4, 2, 0, 3, 7, 5] is created, and L _B '= [h (k _B , 9), h (k _B , 39), h (k _B , 20), h (k _B , 4), h (k _B , 19), h (k _B , 2), h (k _B , 35), h (k _B , 10)] is output.

The computer 100 (A) transmits L _A ′ to the computer 100 (B), and the computer 100 (B) transmits L _B ′ to the computer 100 (A) via the communication units 105 (A) and 105 (B). . At this time, the data may not be transmitted directly, but may be transferred by being mediated by the computer 100 (S).

When the computer 100 (S) mediates, the data transfer unit 107 in FIG. 1 executes the process. The data transfer unit 107 receives L _A 'from the computer 100 (A) and transmits it to the computer 100 (B), and receives L _B ' from the computer 100 (B) and transmits it to the computer 100 (A). Due to the mediation, there is an effect that the computer 100 (A) and the computer 100 (B) may not be able to communicate directly.

The encryption unit 103 (A) or 103 (B) further encrypts each element of the received list L, shuffles it, and transmits it to the computer 100 (S). The processing is the same as the processing example shown in the flowchart of FIG. 3, but the computer 100 (A) receives L _B 'as an input and outputs M _A2 , L _B ″, and the computer 100 (B) outputs L _A '. M _B2 , L _A ″ is output as input.

For example, computer 100 (A) creates M _A2 = [4, 3, 0, 6, 7, 2, 1, 5] and L _B '' = [h (k _c , 19), h (k _c , 4), h (k _c , 9), h (k _c , 35), h (k _c , 10), h (k _c , 20), h (k _c , 39), h (k _c , 2)] is output. Here, h (k _c , m) = h (k _A , h (k _B , m)) = h (k _B , h (k _A , m)). Further, the computer 100 (B) creates M _B2 = [6, 2, 7, 1, 3, 4, 0, 5], and L _A '' = [h (k _c , 22), h (k _c , 35), h (k _c , 9), h (k _c , 6), h (k _c , 21), h (k _c , 2), h (k _c , 5), h (k _c , 10)] is output.

Then, the computer 100 (A) transmits L _B ″ and the computer 100 (B) transmits L _A ″ to the computer 100 (S).

The set reception unit 108 of the computer 100 (S) receives L _A ″ and L _B ″.
The common element number counting unit 109 of the computer 100 (S) calculates the common element number c of L _A ″ and L _B ″. In this case, since four elements h (k _c , 2), h (k _c , 9), h (k _c , 10), h (k _c , 35) are common, c = 4.

  The result output unit 110 of the computer 100 (S) transmits c to the computer 100 (A) and the computer 100 (B) via the communication unit 106.

  Finally, the computer 100 (A) and the computer 100 (B) are respectively received by the comparison result calculation units 104 (A) and 104 (B) via the communication units 105 (A) and 105 (B). From this, the range N or R of the opponent's numerical value is obtained.

  FIG. 4 is a flowchart showing a comparison result calculation processing example executed by the comparison result calculation unit 104 (104 (A) or 104 (B)) of FIG. Each step will be described from the viewpoint of the computer 100 (A).

n _A = 5, b = 4, and c = 4 are accepted as inputs (step S1 in FIG. 4).
It is determined whether c = 2b (step S2 in FIG. 4).

Since c <2b, the determination in step S2 is NO, and the control is transferred to step S4 in FIG. When c = 2b, it can be seen that n _A = n _B , in which case the determination in step S2 is YES and N = [n] (meaning [n, n]) (Step S3 in FIG. 2).

Range [0, n], [n, 2 ^b ) By each binary search, a range N of values in which the number of common elements is c is calculated (step S4 in FIG. 2). According to the above decomposition method, c gets larger as the opponent's value gets closer. For example, the range [0, n _A ] will be described. In the range, c is a monotonically increasing in a narrow sense with respect to n _B ∈ [0, n _A ]. Therefore, the binary search can efficiently calculate the range N of values in which the number of common elements is c. For example, consider obtaining the maximum value x of n _{B in} the range [0, n _A ]. Since the number of common sets of a set created by decomposing n _A = 5 and a set created by decomposing (almost) midpoint 2 in the range [0, n _A ] is 4 (= c) , 2 ≦ x. Similarly, since the number of common sets with (almost) midpoint 3 in the range [2, n _A ] is 4 (= c), it can be seen that 3 ≦ x. Furthermore, since the number of common sets with the midpoint 4 of the range [3, n _A ] is 6 (> c), it can be seen that 3 ≦ x <4, that is, x = 3. By calculating the minimum value in the same way, it can be calculated that the range of possible values of n _B in the range [0, n _A ] is [2, 3]. Range [n, 2 ^b) by calculating similarly _{for, n A = 5, b =} 4, the range of values of c = 4 when _{n B N B = [2,} 3] is ∪ [7] Can be calculated. By the way, as explained that c gets larger as the opponent's value gets closer, in fact, if c = 2, which has fewer common elements, N _B = [0, 1], [8, 11] N _B can be limited only within a wide range.

N is output (step S5 in FIG. 2). N _B = [2, 3] ∪ [7].
Similarly, N _A = [0, 1] ∪ [5] is obtained by calculation of the computer 100 (B).

Further, the range R of r may be calculated by applying the inverse transformation of the transformation method f (r).
For example, when r _B is an integer, N _B = [2, 3] ∪ [7] ⇔R _B = [20000, 39999] ∪ [70000, 79999]. In other words, Company A can know that the usage price of Company B is 20 to 60% different from the usage price of Company A, which is 50,000 yen. Similarly, Company B can know that the price of Company A is 33-100% different.

By the above method, two numerical data holders can know whether each value is close without revealing each other's value. The closer the values are, the more limited the value range of the opponent. In principle, the values of each other are disclosed only in the range, but each other's values may be uniquely known only when the values are very close (n _A = n _B ).

  Finally, a method of obtaining a magnitude comparison result by the comparison result calculation unit 104 (104 (A) or 104 (B)) in FIG. 1 will be described.

  The size comparison can be realized by using a part of the above-described proximity determination method. Although processing may be performed from the beginning for the purpose of size comparison, in the present embodiment, a method in which size comparison is continuously performed in the determination after the proximity determination will be described.

  For example, after two numerical data holders know that their values are close to each other, they want to perform a size comparison. In the above example, we know the difference in price between the two companies, so we want to know again which is higher. The realization method will be described below.

First, the computer 100 (S) stores L _A ″ and L _B ″.
Then, the computer 100 (A) and the computer 100 (B) convert M _A1 and M _B1 , respectively.

  FIG. 5 is a flowchart illustrating an example of a process of converting M, which is executed by the comparison result calculation unit 104 (104 (A) or 104 (B)) of FIG. Each step will be described from the viewpoint of the computer 100 (A).

M = M _A1 = [2, 6, 7, 0, 3, 1, 4, 5] is accepted as an input (step S1 in FIG. 5).
A value half the length of the list M is entered in b (step S2 in FIG. 5). Now b = 4.

For each element of M, a list M ′ is created in which 1 is stored if it is less than b, and 0 is stored otherwise (step S3 in FIG. 5). Therefore, M _A1 '= [1, 0, 0, 1, 1, 1, 0, 0].

M ′ is output (step S4 in FIG. 5).
Similarly, in the computer 100 (B), since M _B1 = [1, 6, 4, 2, 0, 3, 7, 5], M _B1 '= [1, 0, 0, 1, 1, 1, 0, 0].

Next, the computer 100 (A) transmits M _A1 ′ and M _A2 , and the computer 100 (B) transmits M _B1 ′ and M _B2 to the computer 100 (S).

The computer 100 (S) creates the list M _A 'so that M _A ' [i] = M _A1 '[M _B2 [i]]. Since M _A1 '= [1, 0, 0, 1, 1, 1, 0, 0], M _B2 = [6, 2, 7, 1, 3, 4, 0, 5], M _A ' = [0 , 0, 0, 0, 1, 1, 1, 1]. Similarly, the list M _B 'is created so that M _B ' [i] = M _B1 '[M _A2 [i]], and M _B ' = [1, 1, 1, 0, 0, 0, 0 , 1].

Subsequently, the common element counting unit 109 of the computer 100 (S) in FIG. 1 has the elements of M _A ′ and M _B ′ at the position 1 among the elements of L _A ″ and L _B ″. Extract elements and count the number c of common elements. Then, the result output unit 110 transmits c to the computer 100 (A) and the computer 100 (B). In the above example, L _A '' = [h (k _c , 22), h (k _c , 35), h (k _c , 9), h (k _c , 6), h (k _c , 21), h (k _c , 2), h (k _c , 5), h (k _c , 10)] to M _A '= [0, 0, 0, 0, 1, 1, 1, 1] Extracting the element at position 1 of [h (k _c , 21), h (k _c , 2), h (k _c , 5), h (k _c , 10)] Also, L _B '' = (h (k _c , 19), h (k _c , 4), h (k _c , 9), h (k _c , 35), h (k _c , 10), h ( k _c , 20), h (k _c , 39), h (k _c , 2)] to M _B '= [1, 1, 1, 0, 0, 0, 0, 1] Is extracted as [h (k _c , 19), h (k _c , 4), h (k _c , 9), h (k _c , 2)]. Therefore, since these common elements are only h (k _c, 2), c = 1 is transmitted to the computer 100 (A) and the computer 100 (B).

  Finally, the comparison result calculation units 104 (A) and 104 (B) of the computers 100 (A) and 100 (B) perform size determination using c, respectively.

  FIG. 6 is a flowchart of a size determination processing example executed by the comparison result calculation unit 104 (104 (A) or 104 (B)) of FIG. Each step will be described from the viewpoint of the computer 100 (A).

The number of bits b = 4, the non-negative integer n = n _A = 5, and the number of common elements c = 1 are accepted as inputs (step S1 in FIG. 6).

It is determined whether or not b = c (step S2 in FIG. 6).
Now, since b> c, the determination in step S2 is NO, and the control is transferred to step S4 in FIG.

n is converted into a binary representation z of length b (step S4 in FIG. 6). Now, z = 0101.
It is determined whether or not the c + 1-th bit of z is 1 (step S5 in FIG. 6).

Since the c + 1 = 2th bit of z is now 1, control is transferred to step S6 in FIG.
“Large” is output (step S6 in FIG. 6).

Similarly, a description will be given from the viewpoint of the computer 100 (B).
b = 4, n = n _B = 3, and c = 1 are accepted as inputs (step S1 in FIG. 6).

Since b> c, the determination in step S2 in FIG. 6 is NO, and control is transferred to step S4 in FIG.
z = 0011 (step S4 in FIG. 6).

Since the c + 1 = 2th bit of z is 0, the determination in step S5 in FIG. 6 is NO, and the control is transferred to step S7 in FIG.
“Small” is output (step S7 in FIG. 6).

  In this way, “large” and “small” of the output correspond to the magnitude of one's own numerical value compared with the other's numerical value. If the numerical values are the same (YES in step S2 in FIG. 6), “etc.” is output (step S3 in FIG. 6).

That is, since the computer 100 (A) knew that N _B = [2, 3] ∪ [7, 7] and knew that N _B <n _A = 5, N _B = [2, 3 It was possible to limit to. Similarly, the computer 100 (B) was able to specify that n _A = 5.

  In this way, it is possible to determine the size by reusing the data used for the proximity determination. This can be realized by re-encrypting for size determination, but there is an effect that the encryption process can be omitted by reuse.

The common element number calculation is performed when the common element number counting unit 109 of the computer 100 (S) in FIG. 1 uses L _A ″ and L _B ″ as input, so that either is false data. There is a high probability that it will not result. Therefore, it is possible that it is difficult for only the computer 100 (A) or the computer 100 (B) to obtain a correct result by not following this method.

In addition, it is possible for computer 100 (S) to collaborate with one side, so that only one of computer 100 (A) or computer 100 (B) can obtain the correct result. Knowing one of the data can be difficult. For example, the key k _A can be obtained by collaborating with the computer 100 (A), but even if it is used, each element of L _B '= [h (k _B , 9), ...] is encrypted with the key k _B Since it is a sentence, plaintext cannot be known. Further, since L _B ′ and L _B ″ are shuffled by M which only the computer 100 (B) knows, it is impossible to infer plaintext from the element order. Since the computer 100 (A) and the computer 100 (B) do not increase the data that can be known even when collaborating with the computer 100 (S), there are few motives to collaborate and this embodiment can be realized with peace of mind. The system can be used.

  In the present embodiment, all the prefix arrays are used in FIG. 2, but only a part of them may be used. For example, you can prevent N = [n] from happening by not using the original string itself, which is the longest prefix.

  FIG. 7 is a sequence diagram illustrating an example of a processing relationship between the three computers of the computer 100 (A), the computer 100 (B), and the computer 100 (S) of FIG. 1 in the above-described embodiment.

  First, the element decomposing units 102 (A) and 102 (B) of the computers 100 (A) and 100 (B) execute non-negative integer decomposition processing according to the processing example of the flowchart shown in FIG. Steps S1 (A) and S1 (B)).

Next, the encryption units 103 (A) and 103 (B) of the computers 100 (A) and 100 (B) execute encryption and shuffle processing according to the processing example of the flowchart shown in FIG. Then, the computer 100 (A) transmits L _A ′ to the computer 100 (B), and the computer 100 (B) transmits L _B ′ to the computer 100 (A) (the steps S2 (A) and S2 in FIG. (B)).

The encryption units 103 (A) or 103 (B) of the computers 100 (A) and 100 (B) further encrypt and shuffle each element of the received list L in accordance with the processing example of the flowchart shown in FIG. To do. Then, the computer 100 (A) transmits L _B ″ and the computer 100 (B) transmits L _A ″ to the computer 100 (S), respectively (steps S3 (A) and S3 (B )).

In the computer 100 (S), the set reception unit 108 receives L _A '' and L _B '', the common element number counting unit 109 calculates the common element number c of L _A '' and L _B '', The result output unit 110 transmits c to the computer 100 (A) and the computer 100 (B) (step S1 (S) in FIG. 7).

  The comparison result calculation units 104 (A) and 104 (B) of the computers 100 (A) and 100 (B) execute the comparison result calculation process according to the processing example of the flowchart shown in FIG. 4 (step of FIG. 7). S4 (A) and S4 (B)).

The comparison result calculation units 104 (A) and 104 (B) of the computers 100 (A) and 100 (B) further execute processing for converting the list M in accordance with the processing example of the flowchart shown in FIG. As a result, the computer 100 (A) transmits M _A1 ′, M _A2 and B transmits M _B1 ′, M _B2 to the computer 100 (S) (steps S5 (A) and S5 (in FIG. 7). B)).

The computer 100 (S) creates lists M _A ′ and M _B ′ (step S2 (S) in FIG. 7).
After that, the common element counting unit 109 extracts the element at the position where the elements of M _A ′ and M _B ′ are 1 from the elements of L _A ″ and L _B ″, and common among the elements. The result output unit 110 transmits c to the computer 100 (A) and the computer 100 (B) (step S3 (S) in FIG. 7).

  The comparison result calculation units 104 (A) and 104 (B) of the computers 100 (A) and 100 (B) execute the size determination process according to the processing example of the flowchart shown in FIG. 6 (step S6 in FIG. A) and S6 (B)).

  FIG. 8 is a diagram illustrating an example of a hardware configuration of the computer 100 (A), the computer 100 (B), and the computer 100 (S) that can implement the functions illustrated in FIG. 1 as software processing.

  A computer shown in FIG. 8 includes a CPU (central processing unit) 801, a memory 802, an input device 803, an output device 804, an external storage device 805, a portable recording medium driving device 806 into which a portable recording medium 809 is inserted, And a communication interface 807. These components are connected to each other via a bus 808. The configuration shown in the figure is an example of a computer 100 (A), a computer 100 (B), and a computer 100 (S) that can realize the above system, and such a computer is not limited to this configuration.

  The CPU 801 controls the entire computer. The memory 802 is a memory such as a RAM (Random Access Memory) that temporarily stores a program or data stored in the external storage device 805 (or portable recording medium 809) when executing a program, updating data, or the like. It is. The CUP 801 performs overall control by reading the program into the memory 802 and executing it.

  The input device 803 detects an input operation by a user using a keyboard, a mouse, or the like, and notifies the CPU 801 of the detection result.

  The output device 804 outputs data sent under the control of the CPU 801 to a display device or a printing device.

  The external storage device 805 is, for example, a hard disk storage device. Mainly used for storing various data and programs.

  The portable recording medium driving device 806 accommodates a portable recording medium 809 such as an optical disc, SDRAM, and Compact Flash (registered trademark), and has an auxiliary role for the external storage device 805.

  The communication interface 807 is a device for connecting, for example, a LAN (local area network) or WAN (wide area network) communication line.

  The system according to this embodiment is equipped with functions realized by the flowcharts of FIGS. 2 to 6 corresponding to the functions 102, 103, and 104 of FIG. 1 in the computer 100 (A) or the computer 100 (B). This is realized by the CPU 801 executing the program. The program may be distributed by being recorded in, for example, the external storage device 805 or the portable recording medium 809, or may be acquired from the network by the communication interface 807. The memory 802 implements the function of the storage unit 101 in FIG. 1, and the communication interface 807 implements the function of the communication unit 105 (A) or 105 (B) in FIG.

  The computer 100 (S) is realized by the CPU 801 executing a program equipped with the functions 107 to 110 in FIG. The program may be distributed by being recorded in, for example, the external storage device 805 or the portable recording medium 809, or may be acquired from the network by the communication interface 807. The memory 802 implements the function of the storage unit 106 in FIG. 1, and the communication interface 807 implements the function of the communication unit 105 (S) in FIG.

  In the above-described embodiment, the first numerical value and the second numerical value input by the computers 100 (A) and 100 (B) are converted into non-negative integers, respectively, and further converted into the first and second prefix arrays. The number of common elements is calculated by converting and outputting the first and second sets. In addition, any method may be used as long as it is a method of “converting each other's numerical values into a set of elements that can be compared and determined based on the number of common elements”.

  According to the present embodiment described above, it is possible to know each other's value comparison results without revealing each other's values.

  The method of this embodiment is fair. In other words, since it is difficult for only one of them to obtain the correct result, it can be expected that both parties will cooperate.

  By this, for example, in the above example, Company A and Company B of competitors want to know whether the usage price is the same or both, but if they are not the same, do not want to tell each other's usage price Is possible.

Regarding the above embodiment, the following additional notes are disclosed.
(Appendix 1)
The first numerical value and the second numerical value to be compared are respectively converted into a first set and a second set of elements that can be compared and determined by the number of common elements.
Calculating the number of common elements of the first set and the second set by a secret calculation;
Comparing the calculated number of common elements of the first set and the second set, and outputting a comparison result;
A secret comparison method comprising processing.
(Appendix 2)
The first numerical value is input from a computer operated by a first user, the second numerical value is input from a computer operated by a second user, and the calculation of the number of common elements is performed by the first usage. A computer managed by a third party other than the user and the second user,
The secret comparison method according to appendix 1, which includes a process.
(Appendix 3)
The conversion from the first numerical value and the second numerical value to the first set and the second set, respectively,
Converting the first numeric value and the second numeric value to a first non-negative integer and a second non-negative integer, respectively;
The first non-negative integer and the second non-negative integer when the longer value of the binary representation length of each of the first non-negative integer and the second non-negative integer is b bits Are decomposed into b-th order first prefix array and second prefix array, respectively, to obtain the first set and the second set,
The secret comparison method according to any one of Appendix 1 or 2, wherein the method includes a process.
(Appendix 4)
When the first prefix array or the second prefix array is an odd number, 1 is added, and when the first prefix array is an even number, 1 is subtracted, and the result of the addition or subtraction is set to the first prefix array. Output as a prefix array or the second prefix array,
The secret comparison method according to supplementary note 3, including a process.
(Appendix 5)
When the result of the addition or subtraction causes an underflow or overflow, padding is performed so that the result of the addition or subtraction is injective, and the result of the padding is added to the first prefix array. Or output as the second prefix array,
The secret comparison method according to supplementary note 4, including processing.
(Appendix 6)
The conversion from the number of common elements to the comparison result is as follows. For the first non-negative integer or the second non-negative integer, if the b bits are not equal to the number of common elements, the value 0 to the first non-negative integer Alternatively, a common element is obtained by performing a binary search in each of the first range up to the second non-negative integer and the second range from the first non-negative integer or the second non-negative integer to the power of 2b. Calculate each range of values whose number is the number of common elements, output each range as the comparison result, and if the b bit is equal to the number of common elements, the first non-negative integer or the second non-negative integer Perform proximity determination to output an integer as the comparison result.
The secret comparison method according to any one of appendices 3 to 6, further comprising a process.
(Appendix 7)
The conversion from the number of common elements to the comparison result is as follows:
For each of the first list and the second list, the first list or the second list in which integer values that are not less than 0 and less than the number of elements of the first set or the second set are randomly arranged Create a first modification list or a second modification list each replacing an element with a value of 1 if the value of the element is less than half the length of the list, and a value of 0 otherwise.
Among the elements of the first set and the second set, the elements at positions where the elements of the first correction list and the second correction list are 1 respectively are extracted, and the elements of the extracted elements The number of common ones is calculated by the secret calculation as the second common element number,
For the first non-negative integer or the second non-negative integer, if the b bits are not equal to the second common element number, the first non-negative integer or the second non-negative integer is converted into a binary representation. If the value of the bit position corresponding to the value obtained by adding the value 1 to the second common element number in the binary number representation is 1, the first non-negative integer or the second non-negative integer is the second Or a magnitude comparison result indicating greater than the first non-negative integer or greater than the first non-negative integer, otherwise the first non-negative integer or the second non-negative integer is the second non-negative integer or the first non-negative integer. A magnitude comparison result indicating that the first non-negative integer is smaller than 1, and if the b bit is equal to the second common element number, the first non-negative integer and the second non-negative integer are equal in magnitude. The size judgment that outputs the comparison result Cormorant,
The secret comparison method according to any one of appendices 3 to 6, further comprising a process.
(Appendix 8)
The comparison result is output from the proximity determination process described in appendix 7 and the size determination process described in appendix 8.
The secret comparison method according to appendix 6 and 7, characterized in that it includes a process.
(Appendix 9)
Means for converting the first numerical value and the second numerical value to be compared into a first set and a second set of elements that can be compared and determined by the number of common elements, respectively;
Means for calculating the number of common elements of the first set and the second set by a secret calculation;
Means for comparing the calculated number of common elements of the first set and the second set and outputting a comparison result;
A secret comparison system comprising:
(Appendix 10)
The first numerical value and the second numerical value to be compared are respectively converted into a first set and a second set of elements that can be compared and determined by the number of common elements.
Calculating the number of common elements of the first set and the second set by a secret calculation;
Comparing the calculated number of common elements of the first set and the second set, and outputting a comparison result;
A secret comparison program for causing a computer to execute steps.

100, 100 (A), 100 (B), 100 (S) Calculator
101, 101 (A), 101 (B), 106 Memory
102, 102 (A), 102 (B) Element decomposition part
103, 103 (A), 103 (B) Encryption section
104, 104 (A), 104 (B) Comparison result calculation unit
105, 105 (A), 105 (B) Communication unit
107 Data transfer section
108 Meeting reception
109 Number of common elements
110 Result output section
801 CPU (Central processing unit)
802 memory
803 input device
804 output device
805 External storage device
806 Portable recording medium drive
807 Communication interface
808 bus
809 Portable recording media

Claims (10)

The first numerical value and the second numerical value to be compared are respectively converted into a first set and a second set of elements that can be compared and determined by the number of common elements.
Calculating the number of common elements of the first set and the second set by a secret calculation;
Comparing the calculated number of common elements of the first set and the second set, and outputting a comparison result;
A secret comparison method comprising processing. The first numerical value is input from a computer operated by a first user, the second numerical value is input from a computer operated by a second user, and the calculation of the number of common elements is performed by the first usage. A computer managed by a third party other than the user and the second user,
The secret comparison method according to claim 1, further comprising a process. The conversion from the first numerical value and the second numerical value to the first set and the second set, respectively,
Converting the first numeric value and the second numeric value to a first non-negative integer and a second non-negative integer, respectively;
The first non-negative integer and the second non-negative integer when the longer value of the binary representation length of each of the first non-negative integer and the second non-negative integer is b bits Are decomposed into b-th order first prefix array and second prefix array, respectively, to obtain the first set and the second set,
The secret comparison method according to claim 1, further comprising a process. When the first prefix array or the second prefix array is an odd number, 1 is added, and when the first prefix array is an even number, 1 is subtracted, and the result of the addition or subtraction is set to the first prefix array. Output as a prefix array or the second prefix array,
The secret comparison method according to claim 3, further comprising a process. When the result of the addition or subtraction causes an underflow or overflow, padding is performed so that the result of the addition or subtraction is injective, and the result of the padding is added to the first prefix array. Or output as the second prefix array,
The secret comparison method according to claim 4, further comprising a process. The conversion from the number of common elements to the comparison result is as follows. For the first non-negative integer or the second non-negative integer, if the b bits are not equal to the number of common elements, the value 0 to the first non-negative integer Alternatively, a common element is obtained by a binary search in each of the first range up to the second non-negative integer and the second range from the first non-negative integer or the second non-negative integer to the power of 2 b. Calculate each range of values whose number is the number of common elements, output each range as the comparison result, and if the b bit is equal to the number of common elements, the first non-negative integer or the second non-negative integer Perform proximity determination to output an integer as the comparison result.
The secret comparison method according to claim 3, further comprising a process. The conversion from the number of common elements to the comparison result is as follows:
For each of the first list and the second list, the first list or the second list in which integer values that are not less than 0 and less than the number of elements of the first set or the second set are randomly arranged Create a first modification list or a second modification list each replacing an element with a value of 1 if the value of the element is less than half the length of the list, and a value of 0 otherwise.
Among the elements of the first set and the second set, the elements at positions where the elements of the first correction list and the second correction list are 1 respectively are extracted, and the elements of the extracted elements The number of common ones is calculated by the secret calculation as the second common element number,
For the first non-negative integer or the second non-negative integer, if the b bits are not equal to the second common element number, the first non-negative integer or the second non-negative integer is converted into a binary representation. If the value of the bit position corresponding to the value obtained by adding the value 1 to the second common element number in the binary number representation is 1, the first non-negative integer or the second non-negative integer is the second Or a magnitude comparison result indicating greater than the first non-negative integer or greater than the first non-negative integer, otherwise the first non-negative integer or the second non-negative integer is the second non-negative integer or the first non-negative integer. A magnitude comparison result indicating that the first non-negative integer is smaller than 1, and if the b bit is equal to the second common element number, the first non-negative integer is equal to the second non-negative integer. The size judgment that outputs the comparison result Cormorant,
The secret comparison method according to claim 3, further comprising a process. The comparison result is output from the proximity determination process according to claim 7 and the size determination process according to claim 8.
The secret comparison method according to claim 6, further comprising a process. Means for converting the first numerical value and the second numerical value to be compared into a first set and a second set of elements that can be compared and determined by the number of common elements, respectively;
Means for calculating the number of common elements of the first set and the second set by a secret calculation;
Means for converting and outputting the number of common elements into a comparison result;
A secret comparison system comprising: The first numerical value and the second numerical value to be compared are respectively converted into a first set and a second set of elements that can be compared and determined by the number of common elements.
Calculating the number of common elements of the first set and the second set by a secret calculation;
Converting the number of common elements into a comparison result and outputting it,
A secret comparison program for causing a computer to execute steps.

Images