JP2016109891A - Secret calculation information exchange system, data processing device, secret calculation information exchange method, secret calculation information exchange program, and recording medium - Google Patents

Abstract

PROBLEM TO BE SOLVED: To secretly calculate a result of application of an arithmetic operation, which is performed using as an input secret data preserved by plural organizations, without transmitting or receiving a ciphertext and causing unrelated information to be learned by others.SOLUTION: Two or more data processing devices 100 are included. One of the data processing devices 100 includes a memory unit 130 that stores secret data and a fixed ciphertext string, a transmission parameter string calculation unit 111 that calculates a transmission parameter string and first result using the secret data and fixed ciphertext string, and a final result calculation unit 112 that acquires a second result produced by any other data processing device, and calculates a final result on the basis of the first result and second result. The other data processing devices 100 include a fixed ciphertext decoder 113 that uses a decoding key to decode part of the fixed ciphertext string and calculates a fixed ciphertext decoding result, and a partial result calculation unit 114 that acquires the transmission parameter string produced by any other data processing device, and produces the second result by applying an arithmetic operation together with the fixed ciphertext decoding result.SELECTED DRAWING: Figure 6

Description

The present invention relates to a secret calculation information exchange system, a data processing device, a secret calculation information exchange method, and a secret calculation for calculating the result of applying calculation with data held by each of the plurality of organizations as input The present invention relates to an information exchange program and a recording medium.

There is shown a method of calculating a result obtained by applying a calculation using data held by a plurality of institutions as input and using the result while keeping the contents of the data secret. Non-Patent Document 1 discloses a method for deriving an association rule using a secret vector inner product calculation when data of each institution is a data vector composed of a plurality of data blocks and an applied operation is an inner product calculation.

Here, the inner product calculation is an operation in which two vectors having the same length are input, two vector elements at the same vector position are multiplied, a multiplication result is calculated, and a sum of multiplication results at all vector positions is obtained. When the input vector of the inner product operation is X and Y, the inner product operation result is expressed as X · Y.

Hereinafter, an example in which the online shop P1 and the online shop P2 derive the customer's purchase relationship without violating the privacy agreement with the customer will be described with reference to the schematic diagram in FIG.

First, online shops P1 and P2 prepare a “credit card number table” as shown in FIG. 2 and FIG. 3, and two vectors “vector X” for recording the usage amount of the customer with the same credit number at the same position. , “Vector Y” is prepared.

When the above-mentioned vector X and vector Y are input and the inner product operation is applied and the result is larger than a certain threshold value, it can be determined that there is a positive correlation between the purchase behaviors of online shop P1 and online shop P2 customers. Since the customer's tastes are similar, it can be seen that by jointly developing products, it is possible to develop products that better meet customer needs.

At this time, if “vector X” and “vector Y” consisting of purchasing information for a large number of people are created, the contents of “vector X” and “vector Y” are not clarified, and only the result of the inner product operation can be calculated. , Do not violate privacy agreements between customers and businesses. Hereinafter, the length of the vectors X and Y is assumed to be n, and the length is referred to as a vector order.

Non-Patent Document 1 discloses a method for executing the above-described confidential calculation. First, in the online shop 1, the vector X ′ obtained by transforming the vector X into a concealed form with n random numbers randomly determined by the online shop 1 for each element of the vector X is delivered to the online shop 2. The online shop 2 calculates the inner product of the vector X ′ and its own vector Y. N-dimensional vector <R1 ', R1', ..., R1 ', R2', ..., R2 ', Rr', ... Rr '> with n / r consecutive values of n th order vector of C ^T Y The vector V created by adding is sent to the online shop 1. The online shop 1 calculates the inner product of its own random number vector R and the received vector V as J. Next, the engine P1 adds its own random number vector by n / r, and the r-dimensional vector Q = <R1 + R2 + ... + Rn / r, Rn / r + 1 + ... + R2n / r, ..., R ( nn / r + 1) +... + Rn> is calculated and transmitted to the online shop 2. Online shop 2 subtracts the inner product value of its own r-th order vector T = (R1 ', R2', ..., Rr ') and the r-th order vector Q received from online shop 1 from the inner product value calculated previously. To calculate the value K. The engine P1 and the engine P2 can calculate the inner product result X · Y by exchanging the values J and K.

In the above method, only the result after addition of a plurality of secret data is informed, so that the value before addition cannot be restored and it seems that the safety of the value of each vector can be guaranteed.

However, this method has problems. When the number of non-zero elements of the vector Y is small, the online shop 1 can clarify half of the coefficients of the vector Y. Further, when the online shop 1 repeatedly uses the same vector X, there is a safety problem that the partner can specify a variable and extract information about the vector X. Further, n / r transmission / reception of n-dimensional vectors is required, and there is also an efficiency problem that a large amount of vector information is transmitted / received in order to improve safety.

In order to solve the above problem, Non-Patent Document 2 proposes a secret calculation protocol using a public key cryptosystem. This method uses a stochastic cipher that can encrypt a single plaintext into a plurality of different ciphertexts, and uses a stochastic public key cryptosystem that has homomorphism that can also perform operations on plaintext by performing operations on the ciphertext. .

Here, since the key used for encryption and the key used for decryption are different from the public key cryptosystem, anyone can create ciphertext by publicizing the key used for encryption. This is an asymmetric encryption method that is difficult for anyone other than those who know the key (secret key) for decryption. In addition, unlike stochastic encryption such as the RSA encryption method that always generates the same ciphertext when the same plaintext is encrypted with the same key, a random number different from each other can be used for encryption. This is an encryption method that can convert the same plaintext into as many ciphertexts as the key type. One of the public key cryptosystems satisfying the above properties is the ElGamal cryptosystem. In the secret vector inner product method using the stochastic public key cryptosystem, the ciphertext is changed probabilistically by using the homomorphism that the operation can be performed on the plaintext by applying the operation to the ciphertext. Thus, while making it difficult to specify what kind of operation is applied to the ciphertext, the plaintext is operated and the inner product of the secret vectors is calculated.

  Hereinafter, similarly to the previous example, the institutions P1 and P2 are assumed to be an online shop P1 and an online shop P2 that know the usage amount of each customer as shown in FIGS. It is assumed that each organization holds the usage amount of each customer as secret data.

First, the institutions P1 and P2 prepare secret vectors X and Y as shown in FIGS. Here, the institution P1 has the usage amount of each customer, and the institution P2 has the usage amount of each customer as a vector element. Hereinafter, customers are numbered from 1 to n, the vector size is n, and the elements of each vector are represented as Xi and Yi (where i is an integer between 1 and n).

Next, the institution P1 has its own public key K = g ^S (mod P) (where g is an atomic element, P is a prime number, and S is a secret key, and (mod P) is omitted in the calculation of encryption). After publishing, a ciphertext vector composed of a cipher value (2 ^X] K ^ri , g ^ri ) (where ri is a random number) of the usage amount Xi of each customer is created and transmitted to the institution P2.

Upon receiving the ciphertext vector from the institution P1, the institution P2 multiplies the elements of each ciphertext by multiplying the parameters Yi exponentially by 1 and 2 of the ciphertext, and multiplies all the elements of the two items. 1 ciphertext (2 ^{X1Y1 + X2Y2 + ... + XnYn} K ^{r1Y1 + r2Y2 + ... + rnYn} , g ^{r1Y1 + r2Y2 + ... + rnYn} ), and finally the ciphertext (2 ^{X1Y1 + X2Y2 + ...} K ^{r1Y1 + r2Y2 +... + RnYn + R} , g ^{r1Y1 + r2Y2 +... + RnYn + R} ), and transmits the converted ciphertext to the institution P2.

The organization P1 that has received the ciphertext obtains the value E = Σ1 _{≦ i ≦ n} XiYi + R by decrypting the ciphertext binary set. By exchanging the value E and the value R between the engines P1 and P2, the inner product result can be calculated.

Jaideep Vaidya and Chris Clifton, “Privacy preserving association rule mining in vertically partitioned data,” Proceeding of the 8th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD2002), pp.639-644, 2002. Bart Goethals, Sven Laur, Helger Lipmann ad Taneli Mielikainen, “On privacy scalar product computation for privacy-preserving data mining,” Priceeding of the 7th Annual Information Security and Cryptology (ICISC2004), pp.104-120, 2004.

However, the method of Non-Patent Document 2 also has a problem. The institution P1 needs to encrypt data for each vector information, and its impatient is a problem that requires a large calculation cost such as exponentiation. Also, the institution P2 has to multiply the information of its own number of vector orders with the public key of the institution P2, spending a large computational cost, and then multiply it with the ciphertext of the vector order received from the institution p1. However, a large calculation cost is required.

Furthermore, a method using a public key cryptosystem such as the method of Non-Patent Document 2 has only a guarantee of relative confidentiality. The ElGamal cryptosystem that is likely to be used in the method proposed in Non-Patent Document 2 has been proved to be safe unless the difficult problem called Diffie-Hellman problem is solved efficiently. It has not been proved to date whether the Diffie-Hellman problem can be solved really efficiently. Also, the discrete logarithm problem is known as a problem that is likely to be a more difficult problem than the Diffie-Hellman problem, and the cryptographic protocol based on the ElGamal cryptosystem may have only weak confidentiality even in relative terms. is there.

The present invention has been made in view of these problems, and does not require a large calculation cost such as exponentiation multiplication, and by not transmitting ciphertext, the calculation result is not leaked to the other party. It is an object to provide a secret calculation information exchange system, a data processing apparatus, a secret calculation information exchange method, a secret calculation information exchange program, and a recording medium on which the secret calculation information exchange program is recorded.

In order to achieve the above object, a secret calculation information exchange system according to the first aspect of the present invention is provided as follows:
A secret computation information exchange system composed of two or more data processing devices,
Each of the data processing devices is
Secret data storage means for storing secret data;
Fixed ciphertext string storage means for storing a fixed ciphertext string that can be regarded as a ciphertext string;
Have
The data processor is responsible for either process A or process B,
The data processing apparatus in charge of the processing A is further
A transmission parameter sequence that is a sequence of values and the transmission parameter sequence calculation means for calculating a first result by using the secret data held by itself and the fixed ciphertext sequence as input;
A final result calculating means for acquiring a second result generated by another data processing apparatus, integrating the first result and the second result, and calculating a final result;
Have
The data processing apparatus in charge of the processing B is further
Fixed ciphertext decryption means for decrypting a fixed ciphertext string with a decryption key from the secret data held by itself and the fixed ciphertext string, and generating a fixed ciphertext decryption result;
Partial result calculation means for calculating a second result by using the transmission parameter string generated by the transmission parameter string calculation means of the other data processing device and the fixed ciphertext decryption result as inputs;
Have
The fixed ciphertext string stored in the data processing apparatus in charge of the processing A is:
It is the same as the fixed ciphertext string stored in the data processing device in charge of the processing B.
It is characterized by that.

The transmission parameter string calculation means includes:
For all secret data that may be stored by the secret data storage means,
The fixed ciphertext string and the secret data are input, and a value string that is the transmission parameter string and a value that is the first result are calculated,
It may be possible.

The fixed ciphertext decryption means includes:
For all secret data that may be stored by the secret data storage means,
The fixed ciphertext string and the secret data can be input to calculate a value to be the decryption key and a value to be the fixed ciphertext decryption result,
There may be.

The data processing apparatus in charge of the processing A is
Random number data storage means for storing random number data;
The transmission parameter string calculation means includes:
The secret data held by itself, the fixed ciphertext sequence, and the random number data are input to calculate a sequence of values to be the transmission parameter sequence and a value to be the first result.
It is good.

The fixed ciphertext string is
The random number data that can be converted into a sequence of desired values to be input together with a value that may be the secret data calculated by the transmission parameter sequence calculation means by the data processing device in charge of the processing A. A ciphertext string that makes it impossible to calculate,
It is good.

The secret data is
Vector data composed of a plurality of data blocks,
It is good.

The final result calculation means includes
An output of a function when the result of the inner product calculation of the vector data corresponding to the secret data held by itself and the vector data corresponding to the secret data held by the data processing apparatus in charge of the process B is applied as an input; The final results are equal;
It is good.

The final result calculation means includes
Create a transmission parameter ciphertext string by encrypting the transmission parameter string with its own encryption key,
The partial result calculation means includes:
The fixed ciphertext decryption result is encrypted with its own encryption key and sent to another data processing device,
Both the data processing device in charge of processing A and the data processing device in charge of processing B obtain calculation results,
It is good.

In order to achieve the above object, a data processing apparatus according to the second aspect of the present invention provides:
A data processing device that processes data in cooperation with other data processing devices,
Each of the data processing devices is
Secret data storage means for storing secret data;
Fixed ciphertext string storage means for storing a fixed ciphertext string that can be regarded as a ciphertext string;
Have
The data processor is responsible for either process A or process B,
The data processing apparatus in charge of the processing A is further
A transmission parameter sequence that is a sequence of values and the transmission parameter sequence calculation means for calculating a first result by using the secret data held by itself and the fixed ciphertext sequence as input;
A final result calculating means for acquiring a second result generated by another data processing apparatus, integrating the first result and the second result, and calculating a final result;
Have
The data processing apparatus in charge of the processing B is further
Fixed ciphertext decryption means for decrypting a fixed ciphertext string with a decryption key from the secret data held by itself and the fixed ciphertext string, and generating a fixed ciphertext decryption result;
Partial result calculation means for calculating a second result by using the transmission parameter string generated by the transmission parameter string calculation means of the other data processing device and the fixed ciphertext decryption result as inputs;
Have
The fixed ciphertext string stored in the data processing apparatus in charge of the processing A is:
It is the same as the fixed ciphertext string stored in the data processing device in charge of the processing B.
It is characterized by that.

In order to achieve the above object, a secret calculation information exchange method according to a third aspect of the present invention includes:
A secret calculation information exchange method used by a data processing device that processes data in cooperation with another data processing device,
A secret data storage step for storing secret data;
A fixed ciphertext storage step for storing a fixed ciphertext string that can be regarded as a ciphertext string;
Have
The method for exchanging confidential calculation information used by the data processing apparatus in charge of the processing A,
A transmission parameter sequence that is a sequence of values with the secret data and the fixed ciphertext sequence held by itself as input and a transmission parameter sequence calculation step of calculating a first result;
A final result calculation step of acquiring a second result generated by another data processing apparatus, integrating the first result and the second result, and calculating a final result;
Have
The confidential information exchanging method used by the data processing device in charge of the processing B is further,
A fixed ciphertext decryption step of decrypting a fixed ciphertext string with a decryption key from the secret data held by itself and the fixed ciphertext string, and generating a fixed ciphertext decryption result;
A partial result calculation step of calculating a second result by using the transmission parameter string generated by the transmission parameter string calculation means of the other data processing apparatus and the fixed ciphertext decryption result as inputs;
Have
The fixed ciphertext string stored in the data processing apparatus in charge of the processing A is:
It is the same as the fixed ciphertext string stored in the data processing device in charge of the processing B.
It is characterized by that.

In order to achieve the above object, a secret calculation information exchange program according to the fourth aspect of the present invention is provided as follows:
A secret calculation information exchange program executed by a computer that processes data in cooperation with another computer,
A secret data storage step for storing secret data;
A fixed ciphertext storage step for storing a fixed ciphertext string that can be regarded as a ciphertext string;
Have
The secret calculation information exchange program used by the computer in charge of the processing A is further
A transmission parameter sequence that is a sequence of values with the secret data and the fixed ciphertext sequence held by itself as input and a transmission parameter sequence calculation step of calculating a first result;
A final result calculation step of acquiring a second result generated by another data processing apparatus, integrating the first result and the second result, and calculating a final result;
Have
The secret information exchange program used by the computer in charge of the processing B is further
A fixed ciphertext decryption step of decrypting a fixed ciphertext string with a decryption key from the secret data held by itself and the fixed ciphertext string, and generating a fixed ciphertext decryption result;
A partial result calculation step of calculating a second result by using the transmission parameter string generated by the transmission parameter string calculation means of the other data processing apparatus and the fixed ciphertext decryption result as inputs;
Have
The fixed ciphertext string stored in the data processing apparatus in charge of the processing A is:
It is the same as the fixed ciphertext string stored in the data processing apparatus in charge of the process B.

In order to achieve the above object, a recording medium according to the fifth aspect of the present invention provides:
The secret calculation information exchange program is recorded.

According to the present invention, it is possible to perform calculation in a secret manner without performing any transmission / reception of ciphertext and without knowing other irrelevant information.

It is a block diagram which shows the structural example of the secret calculation information exchange system concerning Embodiment 1 of this invention. It is a table in which the usage amounts for each customer possessed by the institution P1 are arranged in a column by ordering the customer card numbers determined based on prior arrangements by a plurality of institutions. It is the table which arranged the amount of money for every customer which organization P2 has by arranging in order by order of the customer's card number determined based on the prior arrangement by a plurality of organizations. This is the secret vector X possessed by the institution P1 created by summarizing the table shown in FIG. This is the secret vector Y of the institution P2 created by summarizing the table shown in FIG. It is a functional block diagram which shows the function implement | achieved by the control part shown in FIG. It is a premise explanatory drawing which shows the conditions which the parameter of "information exchange process A" and "information exchange process B" concerning Embodiment 1 of this invention and a fixed ciphertext string should satisfy | fill. It is a process outline figure for explaining an outline of "information exchange process A" and "information exchange process B" concerning Embodiment 1 of the present invention. It is a flowchart for demonstrating "information exchange process A" and "information exchange process B" concerning Embodiment 1 of this invention. 10 is a flowchart for explaining “transmission parameter string calculation processing” executed in “information exchange processing A” shown in FIG. 9 and “fixed ciphertext decryption processing” executed in “information exchange processing B”. 10 is a flowchart for explaining a “final result calculation process” executed in the “information exchange process A” shown in FIG. 9 and a “partial result calculation process” executed in the “information exchange process B”. It is a block diagram which shows the structural example of the secret calculation information exchange system concerning Embodiment 2 of this invention. It is a flowchart for demonstrating "information exchange process A" and "information exchange process B" concerning Embodiment 2 of this invention. It is a flowchart for demonstrating the "transmission parameter calculation process" and the "fixed ciphertext decoding process" concerning Embodiment 2 of this invention. It is a flowchart for demonstrating the "partial result 1 calculation process" and the "partial result 2 calculation process" concerning Embodiment 2 of this invention. It is a flowchart for demonstrating the "final result calculation process" concerning Embodiment 2 of this invention.

(Embodiment 1)
The secret calculation information exchange system 1 according to the present embodiment uses the secret data X and Y of the institution P1 or the institution P2 without the aid of a third party and without sending and receiving ciphertext at all. It is an information exchange system for calculating secretly the result of applying a function as an input. Hereinafter, the secret calculation information exchange system 1 will be described with reference to the drawings. First, the configuration of the secret calculation information exchange system 1 will be described with reference to FIG.

As shown in FIG. 6, the secret calculation information exchange system 1 includes two data processing devices 100 installed in each of the institutions P1 and P2, and a communication line 200 that connects them. The two data processing apparatuses 100 execute one process in cooperation by transmitting and receiving data to and from each other through the communication line 200.

The data processing apparatus 100 is composed of, for example, a PC server or a mainframe, and stores secret data such as customer information. As shown in FIG. 1, the data processing apparatus 100 includes a control unit 110, a communication unit 120, a storage unit 130, an operation unit 140, and an interface unit 150.

The control unit 110 includes a CPU (Central Processing Unit) and the like, and controls each unit of the data processing apparatus 100. When the control unit 110 receives an “information exchange process A start notification” from the operation unit 140, the control unit 110 receives an “information exchange process A” notification described later, and receives an “information exchange process B start notification”. Perform “B”. “Information exchange processing A” is executed by one of the two data processing devices, and “information exchange processing B” is executed by another data processing device.

The communication unit 120 includes a LAN connector, a transmission / reception processor, and the like, and communicates with an external device (for example, a personal computer) through the communication line 200.

The storage unit 130 includes a storage device such as a hard disk or a RAM (Random Access Memory), and stores data (for example, “secret data” and “fixed ciphertext string”) necessary for the operation of the data processing device 100.

Here, “secret data” refers to non-public information such as “customer information” and “secret vector”. In addition, “customer information” is information about customers using each organization, and “secret vector” is information sorted by customer according to an ID that is shared by multiple organizations. Provide information on each vector position of the secret vector you have About the information stored for each vector position where the customer and the customer who provided the same vector position information of the secret vector that another organization has are the same , And obtain information that is shared by both organizations, and make it aligned.

The “fixed ciphertext sequence” is a sequence of numerical values used by each data processing apparatus 100 to calculate information to be transmitted to the other party when performing the confidential calculation, and includes “information exchange processing A” and “information exchange processing”. Before starting “B”, both data processing apparatuses 100 store a common numeric string in the storage unit 130 as a “fixed ciphertext string”. The “fixed ciphertext string” is selected so as to satisfy several conditions (details will be described later).

The operation unit 140 includes various buttons configured on the outer surface of the data processing apparatus 100. When the user presses a predetermined button, “information exchange process A start notification” or “information exchange process B start notification” is transmitted to the control unit 110. The information exchange process A start notification and the information exchange process B start notification are data serving as triggers for starting the secret calculation information exchange process.

The interface unit 150 includes, for example, a USB (Universal Serial Bus) connector, a video output terminal, and the like, and transmits a processing result to an external device (for example, a PC or a monitor).

The configuration of the secure calculation information exchange system 1 has been described above. Next, the functions of the control unit 110 will be described with reference to the functional block diagram of FIG. 6 and the process overview diagram of FIG.

The control unit 110 executes “secret calculation information exchange processing” in order to execute secret calculation in a plurality of institutions. The confidential calculation information exchange process is started by “information exchange process A start notification” and “information exchange process B start notification” from the operation unit 140. Each function described below is a function for realizing the secret calculation information exchange process. The secret calculation information exchange process includes an information exchange process A and an information exchange process B. First, a function for realizing the information exchange process A will be described first, and then a function for realizing the information exchange process B will be described.

The transmission parameter string calculation unit 111 transmits the transmission parameter string σ to be transmitted to the data processing apparatus 100 of another organization from its own secret data and a fixed ciphertext string known in advance, and the first result used by itself to obtain the final result. Calculate J.

The final result calculation unit 112 cooperates with the data processing apparatus 100 of another organization, and the result of the inner product operation of its own transmission parameter sequence σ and the calculation parameter sequence calculated by the counterpart organization, and the counterpart organization is a part of the fixed ciphertext sequence The final result NEW_XY is calculated by integrating the second result I obtained by performing an operation on the value obtained by decrypting the decryption key with the decryption key of the partner organization and the first result J held by the self, and the interface unit The final result is transmitted to an external device through 150.

For the fixed ciphertext decryption unit 113 for decrypting the Gi is a part of the fixed encryption Bunretsu know in advance, using the decryption key K _B by using the secret vector Y held by the remaining fixed encryption Bunretsu and self Then, a part Gi of the fixed ciphertext string is decrypted to generate a fixed ciphertext decryption value H. Also, a calculation parameter string is calculated.

The partial result calculation unit 114 cooperates with the data processing apparatus 100 of the other organization to integrate the result of the inner product operation of the transmission parameter sequence of the partner organization and the calculation parameter sequence calculated by itself and the fixed ciphertext decryption value H to obtain the second result. Generate I.

The function of the control unit 110 has been described above. Next, the “secret calculation information exchange process” executed by the data processing apparatus 100 will be described. Since the secret calculation information exchange process includes “information exchange process A” and “information exchange process B”, the information exchange process A will be described first, and then the information exchange process B will be described. The data processing device 100 installed in the institution P1 executes “information exchange processing A”, and the data processing device 100 installed in the institution P2 executes “information exchange processing B”, so that no information regarding confidential data is obtained. The secret calculation is executed without being known to the other party and without transmitting / receiving the ciphertext, and the institution P1 is obtained when the desired function is applied to the secret vector of the institution P1 and the secret vector of the institution P2. Get the same value for the wax.

When the control unit 110 receives the “information exchange process A start notification” from the operation unit 140, the control unit 110 starts the “information exchange process A” shown in FIG. This “information exchange process A” is mainly composed of two steps. The outline of the “information exchange process A” will be described below with reference to the process outline diagram of FIG. Each step described below is executed by one of the two data processing apparatuses 100 (engine P1 in FIG. 8). The outline of “information exchange process B” will be described following the outline of “information exchange process A”.

First, the transmission parameter string calculation process in step S100 will be described. The control unit 110 is its own secret data, and “secret vector X” and a known ciphertext string (C1i, C2i, C3i, C4i, D1i, D2i, D3i D4i, F1i, F2i, F3i, F4i, C5i, C6i, C7i, C8i, D5, D6i, D7i, D8i, F5, F6i, F7i, F8i, Gi) (1 ≦ i ≦ n) are input. Here, n is a vector order which is the length of the vector. The control unit 110 calculates the transmission parameter string σ and the first result J using the above as inputs.

One question arises here. Ciphertext string (C1i, C2i, C3i, C4i, D1i, D2i, D3i D4i, F1i, F2i, F3i, F4i, C5i, C6i, C7i, C8i, D5, D6i, D7i, D8i, F5, F6i, F7i, F8i , Gi) (1 ≦ i ≦ n), the transmission parameter string σ, and the first result J are questions. In the present embodiment, the transmission parameter string σ and the first result are calculated by calculating a secret parameter such as an encryption key for obtaining the ciphertext string as if the fixed ciphertext string was transmitted / received by two institutions. Calculate J. The specific method will be described in detail later.

Next, the final result calculation process in step S400 will be described. The control unit 110 transmits the calculated transmission parameter sequence σ to the counterpart organization, and calculates the inner product operation result and the fixed ciphertext decryption result H, which are input from the counterpart organization with the transmission parameter sequence σ and the calculation parameter sequence calculated by the counterpart organization. The final result New_XY is calculated by acquiring the second result I which is a value obtained by applying the first result J and integrating the first result J owned by the second result I acquired from the partner organization.

With the above processing (steps S100 and S400), the information exchange processing A is completed. Next, the information exchange process B will be described.

First, the fixed ciphertext decryption process in step S200 will be described. The control unit 110 decrypts a part Gi of a known fixed ciphertext string with a decryption key K _B i (1 ≦ i ≦ n), and calculates a value H obtained by calculating the decrypted value. Further, a calculation parameter sequence δ is calculated.

Again, one question arises. Since the decryption key K _B i has not been previously stored in the institution P2, and there is no guarantee that it is a decryption key corresponding to a key obtained by encrypting Gi that is a part of the fixed ciphertext string, the fixed ciphertext string is decrypted. It is a question that there is no point in decrypting with the key K _B i. However, in this embodiment, the decryption key K _B i that generates the same ciphertext string as the fixed ciphertext string corresponding to the current secret vector Y is calculated by using a cryptographic protocol with complete confidentiality as a basis. be able to. The specific method will be described in detail later.

When the process of step S200 is completed, the control unit 110 next executes the partial result calculation process of step S300. The control unit 110 acquires the transmission parameter string σ generated by the partner engine P1. A second result I is generated by calculating the value obtained by applying the inner product calculation and the fixed ciphertext decryption value H with the transmission parameter string σ and the calculation parameter string δ calculated by itself as inputs. Finally, the second result I is transmitted to the partner organization P1 to complete the process.

The outline of the secret calculation information exchange process has been described above. Next, the information exchange process A and the information exchange process B that constitute the secret calculation information exchange process will be described in detail. First, the “transmission parameter sequence calculation process” in step S100 of the information exchange process A, the “fixed ciphertext decryption process” in step S200 of the information exchange process B, and the “partial result calculation process” in step S300 will be described. Finally, the “final result calculation process” in step S400 of the information exchange process A will be described.

Step S100 corresponds to the “transmission parameter string calculation process” in FIG. Hereinafter, the “transmission parameter string calculation process” will be described with reference to the flowchart of FIG. 10 and the process outline diagram of FIG. The transmission parameter string calculation process is executed by the transmission parameter string calculation unit 111. The preconditions in the transmission parameter string and the fixed ciphertext string will be described with reference to the precondition explanatory diagram of FIG.

The transmission parameter string calculation unit 111 reads the secret vector X from the storage unit 130. Further, the random number vector Γ stored as the secret input is also read from the storage unit 130 (step S101).

Next, the transmission parameter sequence calculation unit 111 receives the secret vector X and the random number vector Γ and calculates the transmission parameter sequence σ and the first result (step S102).

The relationship between the ciphertext string (Fig. 7 (a)) and the parameter group (Fig. 7 (d)) defined by the cryptographic protocol that is the basis for the calculation, the ciphertexts are all constants, the secret vector X The random number vector Γ is regarded as a simultaneous linear equation when all elements are constants, and a parameter group is calculated from the solution of the simultaneous linear equation (FIG. 8 (a)). Next, the calculated value of the parameter group is a basic encryption. The transmission parameter string σ and the first result J are generated in accordance with the protocol (FIG. 8C).

The basic encryption protocol provides complete confidentiality, and parameter groups are set to generate a predetermined ciphertext string for any combination of secret vector X and random number vector Γ. By making the ciphertext known as fixed, the parameter group that obtains the same calculation result as the calculation result obtained when the ciphertext sequence is transmitted / received to / from the other organization can be back-calculated. It is possible to obtain the effect of transmitting information to the other party without transmitting / receiving.

Further, by generating a transmission parameter string σ by combining a plurality of parameter groups calculated in reverse, it is difficult for the partner organization to infer information of the secret vector X from the relationship of simultaneous linear equations from the transmission parameter string. Furthermore, various transmission parameter sequences can be configured with the same secret vector X by using a basic encryption protocol in which the content of the transmission parameter sequence σ varies depending on the combination of the values of the random vector Γ. In this case, it becomes more difficult for the partner organization P2 to guess the information of the secret vector Y from the transmission parameter string σ.

Next, the process of step S200 executed by the data processing apparatus 100 in charge of the information exchange process B will be described. Step S200 corresponds to the “fixed ciphertext decryption process” in FIG. The “fixed ciphertext decryption process” will be described below with reference to the flowchart in FIG. 10 and the process schematic diagram in FIG. 8. Note that the fixed ciphertext decryption process is executed by the fixed ciphertext decryption unit 113. Further, preconditions regarding the parameter group related to the fixed ciphertext string and the calculation parameter string will be described with reference to the precondition explanatory diagram of FIG.

Fixed ciphertext decryption unit 113 reads secret vector Y from storage unit 130 (step S201).

Next, the fixed ciphertext decryption unit 113 receives the secret vector Y and a part of the fixed ciphertext as input, and calculates a decryption key K _B i for decrypting the remaining fixed ciphertext string (step S202).

In order to calculate the decryption key K _B i using the secret vector Y and a part of the fixed ciphertext string as input, the relationship with the parameter group (FIG. 7 (e)) defined by the basic encryption protocol is expressed. , A ciphertext string as a constant vector, a secret vector Y as a constant value vector, and a cryptographic key KBi as a variable, a simultaneous linear equation. And the calculation parameter sequence δ (ρ / γ in FIG. 8) is calculated (FIG. 8B).

Again, if the underlying cryptographic protocol provides complete confidentiality and allows any secret vector Y to be configured with an encryption key that generates a predetermined ciphertext string, the encryption with known statements as fixed, the decryption key K _B i corresponding to the encryption key to obtain the same decoding result as the ciphertext decryption results obtained when the encryption Bunretsu sent and received and other organization, send and receive encrypted Bunretsu It is possible to calculate backward without doing.

In order to provide complete confidentiality as described above, there is a case where an arbitrary ciphertext cannot be set in the fixed ciphertext string. Therefore, the transmission parameter string calculation unit 111 of the information exchange process A can calculate the transmission parameter string σ for any combination of the secret vector X and the random number vector Γ, and the fixed ciphertext decryption of the information exchange process B The unit 113 must be able to calculate the decryption key K _B i for any combination of secret vectors Y. FIG. 7B shows an example of conditions that must be satisfied by the fixed ciphertext string that enables the above in the basic protocol of the process schematic diagram of FIG. It is assumed that the fixed ciphertext string has been created to satisfy these conditions (Fig. 7).

The fixed ciphertext decryption unit 113 decrypts the ciphertext Gi that is a part of the fixed ciphertext string with the calculated decryption key K _B i, calculates the fixed ciphertext decryption value H (S203), and the fixed ciphertext decryption value H And the calculation parameter string δ are recorded in the storage unit 130 (S204). When the decryption of the fixed ciphertext is completed, the control unit 110 returns to the flow of FIG. 9 and starts the partial result calculation process in step S300. The partial result calculation process is executed by the partial result calculation unit 114. Hereinafter, the “partial result calculation process” will be described with reference to the flowchart of FIG. 11 and the process outline diagram of FIG.

The partial result calculation unit 114 acquires a transmission parameter sequence created by the data processing apparatus 100 of another organization (S301). Next, the result of the inner product calculation using the transmission parameter string σ and the calculation parameter string δ calculated by itself is calculated, and the calculated result is set as an inner product value σ · δ (S302).

Next, the partial result calculation unit 114 sets the result obtained by calculating the inner product value σ · δ and the fixed ciphertext decryption value H as the second result I (S303), and transmits the second result I to the partner organization (S304). ).

When the transmission of the second result is completed, the control unit 110 of the data processing apparatus 100 in charge of the information exchange process B returns to the flow of FIG. 9 and ends the process. Next, the process of step S400 executed by the final result calculation unit 112 of the data processing apparatus 100 in charge of the information exchange process A will be described. Step S400 corresponds to the “final result calculation process” in FIG. Hereinafter, the “final result calculation process” will be described with reference to the flowchart of FIG. 11 and the process outline diagram of FIG.

The final result calculation unit 112 transmits the transmission parameter sequence σ calculated by itself to the engine P2 (S401), and acquires the second result I from the partner engine (S402).

Finally, the final result calculation unit 112 integrates the first result J calculated by itself and the second result I acquired from the partner organization, and calculates the final result New_XY (S403).

When the calculation of the final result is completed by the above processing, the control unit 110 returns to the flow of FIG. 9 and outputs the final result to an external device through the interface unit 150 (step S400).

Here, a question arises as to whether there is a risk that the data processing apparatus 100 in charge of each of the information exchange processes A and B uses the information transmitted to the partner organization to allow other organizations to perform confidential calculations without permission. . However, in the present embodiment, the above risk is eliminated by restricting information to be transmitted to the outside and a fixed ciphertext string. A mechanism in which the secret calculation cannot be executed using the information transmitted to the outside in both organizations will be described below with reference to the precondition diagram of FIG.

The information transmitted to the outside by the data processing apparatus 100 in charge of the information exchange process A is only a transmission parameter string. Since the transmission parameter σ and the first result J are required to perform the secret calculation, the calculation result cannot be obtained without permission by an external organization that only knows the transmission parameter string σ.

On the other hand, since the data processing apparatus 100 in charge of the information exchange process A uses only information transmitted to the outside by the data processing apparatus 100 in charge of the information exchange process B, the result of the confidential calculation is calculated. There is a risk that the data processing apparatus 100 in charge of the exchange process A can calculate a calculation result for another combination of secret vector X values. In order to perform such an arbitrary calculation, a parameter group in which the institution P1 in charge of the information exchange process A can fix the transmission parameter sequence and generate a fixed transmission parameter sequence for the combination of secret vector X values to be calculated. It suffices if it can be calculated backward. However, it is possible to create a fixed ciphertext string that can prevent such back calculation.

For example, in the example of the process schematic diagram of FIG. 8, the institution P1 in charge of the information exchange process A fixes the transmission parameter string, and the conditions to be satisfied by the fixed ciphertext string so that the parameter group can be calculated backward (FIG. 7 (c )) And fixed encryption to enable the decryption key K _B i to be set for any combination of values that can be designed for the secret vector Y in order to provide confidentiality by the organization P2 in charge of the information exchange process B The conditions to be satisfied by the sentence string (FIG. 7B) are contradictory. Therefore, if the fixed ciphertext string is determined so as to protect the information of the institution P2 in charge of the information exchange process B, the institution P1 in charge of the information exchange process A uses the fixed ciphertext string and the second calculation result I, Another secret calculation cannot be performed without permission.

According to the present embodiment, it is possible to acquire the same ciphertext decryption value as if the ciphertext was transmitted / received without performing any ciphertext transmission / reception. In addition, it is possible to generate a partial ciphertext suitable for calculating the final result as the intermediary information by using the fixed ciphertext string in the two organizations.

Further, by using not only the secret vector X but also the random vector Γ when creating the transmission parameter sequence, the transmission parameter sequence can be changed stochastically for one secret vector, and the secret vector X is estimated. Make it difficult.

Furthermore, by not revealing the first result of partial decomposition in the engine P1, it is possible to prevent information from being used without permission for other secret calculations. Also in the institution P2, by restricting the ciphertext string that can be used as the fixed ciphertext string, it is possible to prevent the second result, which is a partial decomposition, from being used for other secret calculations without permission. .

As described above, the method according to the present embodiment provides extremely little communication that provides complete confidentiality that overcomes both the weakness of confidentiality in the conventional method and the weakness of increasing the amount of communication and the amount of communication required for transmission and reception by improving confidentiality. It is an information exchange method that executes secret calculation by quantity. Therefore, if the information exchange method of the present embodiment is used, it is possible to execute a high-speed secret calculation with high confidentiality.

(Embodiment 2)
The secret calculation information exchange system 1 of the present embodiment is a system including two data processing devices 100 as shown in FIG. Further, both of the two data processing devices 100 obtain the calculation result. Hereinafter, the secret calculation information exchange system 1 will be described with reference to the drawings. First, the configuration of the secret calculation information exchange system 1 will be described with reference to FIG.

As shown in FIG. 12, the confidential calculation information exchange system 1 includes two data processing devices 100 installed in each of the institutions P1 and P2, and a communication line 200 connecting them. The two data processing apparatuses 100 execute one process in cooperation by transmitting and receiving data to and from each other through the communication line 200. Since the configuration of the data processing apparatus 100 and the functions provided in the blocks excluding the control unit 110 are the same as the configuration of the data processing and the functions provided in the blocks of the first embodiment, description thereof will be omitted.

The secret calculation information exchange method is executed by “information exchange process A” and “information exchange process B” as in the first embodiment. In the following, it is assumed that the institution P1 is in charge of “information exchange processing A” and the institution P2 is in charge of “information exchange processing B”.

The functions of the control unit 110 will be described with reference to the functional block diagram of FIG. The control unit 110 executes “secret calculation information exchange processing” in order to execute secret calculation in a plurality of institutions. The confidential calculation information exchange process is started by “information exchange process A start notification” and “information exchange process B start notification” from the operation unit 140. Each function described below is a function for realizing the secret calculation information exchange process. The secret calculation information exchange process includes an information exchange process A and an information exchange process B. First, a function for realizing the information exchange process A will be described first, and then a function for realizing the information exchange process B will be described.

Since the function of the transmission parameter string calculation unit 111 is the same as the function of the transmission parameter string calculation unit of the first embodiment, the description thereof is omitted.

The partial result 1 calculation unit 112 cooperates with the data processing apparatus 100 of another organization to transmit a transmission parameter sequence ciphertext sequence obtained by encrypting its own transmission parameter sequence σ with its own encryption key Ka and a calculation parameter calculated by the counterpart organization. The ciphertext I1 that is a part of the result of the inner product operation of the sequence, the remaining part of the inner product operation result, and the value obtained by the partner organization decrypting a part of the fixed ciphertext sequence with the decryption key of the partner organization Receive the binary pair (J1, J2) of the ciphertext encrypted with the partner's encryption key Kb, decrypt the I1 with its own encryption key Ka, and subtract the result obtained from the first result as a partial result 1. After decrypting the ciphertext J1 received from the partner organization with its own encryption key Ka, add it to J2 to obtain the ciphertext J3 and send it to the partner organization.

The final result calculation unit 115 calculates the final result NEW_XY by performing an operation on the partial result 1 owned by itself and the partial result 2 acquired from the partner organization in cooperation with the data processing apparatus 100 of another organization, and the interface unit 150 To send the final result to the external device.

The fixed ciphertext decryption unit 113 has the same function as the function of the fixed ciphertext decryption unit of the first embodiment, and thus the description thereof is omitted.

The partial result 2 calculation unit 114 cooperates with the data processing apparatus 100 of the other organization to divide the result of the inner product operation of the transmission parameter ciphertext sequence of the counterpart organization and the calculation parameter sequence calculated by itself into two, and encrypt one of them. Set the value I1, encrypt the encrypted ciphertext H with the same encryption key Kb, and generate the ciphertext binary pair (J1, J2) and the ciphertext string I1, (J1, J2) And the other party receives the ciphertext J3 obtained by performing computation on the ciphertext binary pair (J1, J2), decrypts the ciphertext J3 with its own cipher key Kb, and obtains the partial result 2 Generate.

The function of the control unit 110 has been described above. Next, the “secret calculation information exchange process” executed by the data processing apparatus 100 will be described. Since the secret calculation information exchange process includes “information exchange process A” and “information exchange process B”, the information exchange process A will be described first, and then the information exchange process B will be described. The data processing device 100 installed in the institution P1 executes “information exchange processing A”, and the data processing device 100 installed in the institution P2 executes “information exchange processing B”, so that no information regarding confidential data is obtained. Obtained when a secret calculation is executed without being known to the other party and without transmitting / receiving ciphertext, and a desired function is applied to the secret vector of the institution P1 and the secret vector of the institution P2 in both the institution P1 and the institution P2. Get the same value that would be.

When the control unit 110 receives the “information exchange process A start notification” from the operation unit 140, the control unit 110 starts the “information exchange process A” shown in FIG. This “information exchange process A” is mainly composed of two steps. Hereinafter, the outline of the “information exchange process A” will be described with reference to the flowchart of FIG. Each step described below is executed by one of the two data processing devices 100. The outline of “information exchange process B” will be described following the outline of “information exchange process A”.

First, the transmission parameter string calculation process in step S100 will be described. The control unit 110 is its own secret data, and “secret vector X” and a known ciphertext string (C1i, C2i, C3i, C4i, D1i, D2i, D3i D4i, F1i, F2i, F3i, F4i, C5i, C6i, C7i, C8i, D5, D6i, D7i, D8i, F5, F6i, F7i, F8i, Gi) (1 ≦ i ≦ n) are input. Here, n is a vector order which is the length of the vector. The control unit 110 calculates the transmission parameter string σ and the first result J using the above as inputs (FIGS. 13 and 14).

Next, the partial result 1 calculation process in step S400 will be described. The control unit 110 encrypts the calculated transmission parameter string σ with its own encryption key Ka to create a transmission parameter string ciphertext string, and the result of the inner product operation of the transmission parameter string ciphertext string and the calculated parameter string calculated by the counterpart organization Ciphertext I1 that is a part of the encryption key Kb of the partner organization, and the remaining part of the inner product operation result and the value obtained by the partner organization decrypting a part of the fixed ciphertext sequence with the decryption key of the partner organization Receive the binary pair (J1, J2) of the encrypted ciphertext, decrypt the I1 with its own encryption key Ka, and subtract it from the first result as the partial result 1, and from the partner organization The received ciphertext J1 is decrypted with its own encryption key Ka, and then added to J2 to obtain the ciphertext J3 and transmit it to the partner organization (FIG. 15).

Next, in step S500, the final result calculation process calculates the final result NEW_XY by performing an operation on the partial result 1 and the partial result 2 obtained from the partner engine in cooperation with the data processing apparatus 100 of another organization. The final result is transmitted to an external device through the interface unit 150 (FIG. 16).

The information exchange process A is completed by the above processes (steps S100, S400, and S500). Next, the information exchange process B will be described.

First, the fixed ciphertext decryption process in step S200 will be described. The control unit 110 decrypts a part Gi of a known fixed ciphertext string with a decryption key K _B i (1 ≦ i ≦ n), and calculates a value H obtained by calculating the decrypted value. Further, a calculation parameter sequence δ is calculated (FIG. 14).

When the process of step S200 is completed, the control unit 110 next executes the partial result 2 calculation process of step S300. The partial result 2 calculation unit 114 cooperates with the data processing apparatus 100 of the other organization to divide the result of the inner product operation of the transmission parameter ciphertext sequence of the counterpart organization and the calculation parameter sequence calculated by itself into two, and encrypt one of them. Set the value I1, encrypt the encrypted ciphertext H with the same encryption key Kb, and generate the ciphertext binary pair (J1, J2) and the ciphertext string I1, (J1, J2) And the other party receives the ciphertext J3 obtained by performing computation on the ciphertext binary pair (J1, J2), decrypts the ciphertext J3 with its own cipher key Kb, and obtains the partial result 2 Generate. (Fig. 15)

The information exchange process B is completed by the above processes (steps S200, S300, and S500). The secret calculation information exchange process has been described above.

According to the present embodiment, both organizations can safely obtain the calculation result by only transmitting / receiving ciphertexts created by each institution using one encryption key. In addition, it is possible to generate a partial ciphertext suitable for calculating the final result as the intermediary information by using the fixed ciphertext string in the two organizations.

In the first and second embodiments, the present method is applied to a vector composed of a plurality of data blocks. However, the present method may be applied to a single data block. In this case, the data processing apparatus 100 calculates the multiplication result between the data blocks, but if the final inner product result is calculated, the value of the partner data block is determined, so the value before the final result is calculated by another calculation. The secret data of the institution P2 is added to the inner product result. In addition, when the data block of one institution is set as a unit block (for example, value 1) and this method is applied to a vector in which the data block of the other institution is a secret data block, the data processing apparatus 100 performs a secret addition. Calculations can be performed.

The application of this system is not limited to the secret vector calculation for correlation determination in an online shop. It can be applied to confidential calculations between various organizations such as between research institutions, companies, and departments. Moreover, it is applicable also to the secret calculation between individuals.

The data processing apparatus 100 can be realized using a normal computer system, not a dedicated system. For example, the data processing apparatus 100 is configured by storing and distributing a program for performing the above-described operation in a computer-readable storage medium, installing the program in a computer, and executing the above-described processing. Also good. Further, it may be stored in a disk device provided in a network-type server device such as the Internet so that it can be downloaded to a computer, for example. Further, the above-described functions may be realized by joint operation of the OS and application software. Moreover, you may download to a computer.

  As a recording medium for recording the above program, a computer-readable recording medium such as a USB memory, a CD, a DVD, an MO, an SD card, a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, a magnetic tape, or the like is used. be able to. In addition, it is also possible to use a recording medium that is normally fixed to a system or apparatus, such as an HDD (hard disk) or an SSD (solid state drive).

DESCRIPTION OF SYMBOLS 1 Secret calculation information exchange system 100 Data processor 110 Control part 111 Transmission parameter sequence calculation part 112 Final result calculation part 113 Fixed ciphertext decryption part 114 Partial result calculation part 120 Communication part 130 Storage part 140 Operation part 150 Interface part 200 Communication line

Claims (12)

A secret computation information exchange system composed of two or more data processing devices,
Each of the data processing devices is
Secret data storage means for storing secret data;
Fixed ciphertext string storage means for storing a fixed ciphertext string that can be regarded as a ciphertext string;
Have
The data processor is responsible for either process A or process B,
The data processing apparatus in charge of the processing A is further
A transmission parameter sequence that is a sequence of values and the transmission parameter sequence calculation means for calculating a first result by using the secret data held by itself and the fixed ciphertext sequence as input;
A final result calculating means for acquiring a second result generated by another data processing apparatus, integrating the first result and the second result, and calculating a final result;
Have
The data processing apparatus in charge of the processing B is further
Fixed ciphertext decryption means for decrypting a fixed ciphertext string with a decryption key from the secret data held by itself and the fixed ciphertext string, and generating a fixed ciphertext decryption result;
Partial result calculation means for calculating a second result by using the transmission parameter string generated by the transmission parameter string calculation means of the other data processing device and the fixed ciphertext decryption result as inputs;
Have
The fixed ciphertext string stored in the data processing apparatus in charge of the processing A is:
It is the same as the fixed ciphertext string stored in the data processing device in charge of the processing B.
A secret computation information exchange system characterized by that. The transmission parameter string calculation means includes:
For all secret data that may be stored by the secret data storage means,
The fixed ciphertext string and the secret data can be input to calculate a value string to be the transmission parameter string and a value to be the first result.
The secret calculation information exchange system according to claim 1. The fixed ciphertext decryption means includes:
For all secret data that may be stored by the secret data storage means,
The fixed ciphertext string and the secret data can be input to calculate a value to be the decryption key and a value to be the fixed ciphertext decryption result.
The secret calculation information exchange system according to claim 1 or 2, characterized in that. The data processing apparatus in charge of the processing A is
Random number data storage means for storing random number data;
The transmission parameter string calculation means includes:
The secret data held by itself, the fixed ciphertext sequence, and the random number data are input to calculate a sequence of values to be the transmission parameter sequence and a value to be the first result.
The secret calculation information exchange system according to any one of claims 1 to 3. The fixed ciphertext string is
The random number data that can be converted into a sequence of desired values to be input together with a value that may be the secret data calculated by the transmission parameter sequence calculation means by the data processing device in charge of the processing A. A ciphertext string that makes it impossible to calculate,
The secret calculation information exchange system according to claim 4. The secret data is
Vector data composed of a plurality of data blocks,
The secret calculation information exchange system according to any one of claims 1 to 5, wherein: The final result calculation means includes
An output of a function when the result of the inner product calculation of the vector data corresponding to the secret data held by itself and the vector data corresponding to the secret data held by the data processing apparatus in charge of the process B is applied as an input; The final results are equal;
The secret calculation information exchange system according to claim 6. The final result calculation means includes
Create a transmission parameter ciphertext string by encrypting the transmission parameter string with its own encryption key,
The partial result calculation means includes:
The fixed ciphertext decryption result is encrypted with its own encryption key and sent to another data processing device,
Both the data processing device in charge of processing A and the data processing device in charge of processing B obtain calculation results,
The secret calculation information exchange system according to any one of claims 1 to 7. A data processing device that processes data in cooperation with other data processing devices,
Each of the data processing devices is
Secret data storage means for storing secret data;
Fixed ciphertext string storage means for storing a fixed ciphertext string that can be regarded as a ciphertext string;
Have
The data processor is responsible for either process A or process B,
The data processing apparatus in charge of the processing A is further
A transmission parameter sequence that is a sequence of values and the transmission parameter sequence calculation means for calculating a first result by using the secret data held by itself and the fixed ciphertext sequence as input;
A final result calculating means for acquiring a second result generated by another data processing apparatus, integrating the first result and the second result, and calculating a final result;
Have
The data processing apparatus in charge of the processing B is further
Fixed ciphertext decryption means for decrypting a fixed ciphertext string with a decryption key from the secret data held by itself and the fixed ciphertext string, and generating a fixed ciphertext decryption result;
Partial result calculation means for calculating a second result by using the transmission parameter string generated by the transmission parameter string calculation means of the other data processing device and the fixed ciphertext decryption result as inputs;
Have
The fixed ciphertext string stored in the data processing apparatus in charge of the processing A is:
It is the same as the fixed ciphertext string stored in the data processing device in charge of the processing B.
A data processing apparatus. A secret calculation information exchange method used by a data processing device that processes data in cooperation with another data processing device,
A secret data storage step for storing secret data;
A fixed ciphertext storage step for storing a fixed ciphertext string that can be regarded as a ciphertext string;
Have
The method for exchanging confidential calculation information used by the data processing apparatus in charge of the processing A,
A transmission parameter sequence that is a sequence of values with the secret data and the fixed ciphertext sequence held by itself as input and a transmission parameter sequence calculation step of calculating a first result;
A final result calculation step of acquiring a second result generated by another data processing apparatus, integrating the first result and the second result, and calculating a final result;
Have
The confidential information exchanging method used by the data processing device in charge of the processing B is further,
A fixed ciphertext decryption step of decrypting a fixed ciphertext string with a decryption key from the secret data held by itself and the fixed ciphertext string, and generating a fixed ciphertext decryption result;
A partial result calculation step of calculating a second result by using the transmission parameter string generated by the transmission parameter string calculation means of the other data processing apparatus and the fixed ciphertext decryption result as inputs;
Have
The fixed ciphertext string stored in the data processing apparatus in charge of the processing A is:
It is the same as the fixed ciphertext string stored in the data processing device in charge of the processing B.
The secret calculation information exchange method characterized by the above-mentioned. A secret calculation information exchange program executed by a computer that processes data in cooperation with another computer,
A secret data storage step for storing secret data;
A fixed ciphertext storage step for storing a fixed ciphertext string that can be regarded as a ciphertext string;
Have
The secret calculation information exchange program used by the computer in charge of the processing A is further
A transmission parameter sequence that is a sequence of values with the secret data and the fixed ciphertext sequence held by itself as input and a transmission parameter sequence calculation step of calculating a first result;
A final result calculation step of acquiring a second result generated by another data processing apparatus, integrating the first result and the second result, and calculating a final result;
Have
The secret information exchange program used by the computer in charge of the processing B is further
A fixed ciphertext decryption step of decrypting a fixed ciphertext string with a decryption key from the secret data held by itself and the fixed ciphertext string, and generating a fixed ciphertext decryption result;
A partial result calculation step of calculating a second result by using the transmission parameter string generated by the transmission parameter string calculation means of the other data processing apparatus and the fixed ciphertext decryption result as inputs;
Have
The fixed ciphertext string stored in the data processing apparatus in charge of the processing A is:
It is the same as the fixed ciphertext string stored in the data processing device in charge of the processing B.
A secret computation information exchange program characterized by that. A computer-readable recording medium on which the information exchange program according to claim 11 is recorded.