JP2020016739A - Security calculation conversion system, security calculation conversion method, and security calculation conversion program - Google Patents

Abstract

To provide a security calculation conversion system that performs a predetermined operation while keeping contents of the input data concealed using data from multiple institutions as input without requiring large computational costs such as exponentiation, and uses the obtained operation result.SOLUTION: In a security calculation conversion system 1, a data processing unit acquires impartially a piece of secret information by confidentially performing an operation that is guaranteed to produce the same result as when another operation is performed using data from multiple institutions as input. The data processing unit further performs confidential calculations at low computational costs on the basis of the confidentiality of the acquired secret information while keeping the confidentiality of both secret data completely.SELECTED DRAWING: Figure 1

Description

  The present invention confidentially calculates a plurality of inputs to another operation B that can obtain the same result as the result of performing the operation A using the secret data held by a plurality of institutions as inputs, and each of the institutions Confidential operation conversion system, confidential operation conversion method, and confidential operation conversion program.

2. Description of the Related Art There is known a method of performing a predetermined operation while inputting data held by a plurality of organizations while concealing the contents of the input data, and using the obtained operation result. For example, the data vector becomes the data having two engine from n data blocks _{X = (X 1, X 2} , ..., X n), Y = (Y 1, Y 2, ..., Y n) and each The result of multiplying the vector elements at the vector position i (1 ≦ i ≦ n) by adding all the results X _i Y _i Σ _{1 ≦ i ≦ n} X _i Y _i (hereinafter sometimes abbreviated as the inner product value) Non-Patent Document 1 discloses a method of deriving an association rule by obtaining the following.

  Hereinafter, with reference to FIG. 26, an online shop P1 (hereinafter sometimes abbreviated as an institution P1) and an online shop P2 (hereinafter sometimes abbreviated as an institution P2) shown in Non-Patent Document 1. Describes how to derive a correlation between a customer's purchase of goods without violating a privacy agreement with the customer.

First, the institutions P1 and P2 prepare a "credit card number table" as shown in FIG. 2 and FIG. 3, and use two vectors "vector X" to record the usage amount of the customer with the same credit number at the same position. "Vector Y" is prepared.
Hereinafter, the length n of the vectors X and Y is referred to as a vector order.

If the inner product value obtained by inputting the vector X and the vector Y is larger than a certain threshold value, it can be determined that there is a positive correlation between the purchase behaviors of the customers of the institutions P1 and P2, and the customer preference Are likely to be similar, and by jointly developing products, there is a possibility that products that better meet customer needs may be developed.

At this time, the institution P1 and the institution P2 respectively create a vector X and a vector Y composed of a large number of purchase information, and do not clarify the contents of the vector X and the vector Y mutually. If it can be calculated, it does not violate the privacy agreement between the customer and the institution.

In FIG. 26, both the institution P1 and the institution P2 previously know, as common information, an n × n coefficient matrix C and a division number r for dividing the vector X and the vector Y into r vectors having a vector order smaller than n. Suppose In the institution P1, each element Xi (i = 1, 2,..., N) of the vector X has a coefficient matrix C and n random numbers Ri (i = 1, 2,. vector CA = (CA _1, CA ₂ ,..., CA _n ) obtained by adding the values calculated using n) and concealing the vector X, CAi = Xi + C _{i, 1} × R ₁ + Pass C _{i, 2} × R ₂ + ... + C _{i, n} × R _n to the engine P2. In institutions P2, using the C ^T is a transposed matrix of C, n-dimensional vector equal to C ^T Y becomes n-dimensional vectors are consecutive n / r or by _{<R 1 ', R 1'} , ..., R ₁ ', R ₂ ',…, R ₂ ',…, R _r ',… R _r '> vector CB = (CB ₁ , CB ₂ ,…, CB _n ), CB _i = C _{1, i} × Y ₁ + C _{2, i} × Y ₂ + ... + C _{n, i} × Y _n + R ₁ ', ..., CB _{n / r} = C _{1, n / r} × Y ₁ + C _{2, n / r} × Y ₂ +… + C _{n, n / r} × Y _n + R ₁ ', CB _{n / r + 1} = C _{1, (n / r + 1)} × Y ₁ + C _{2, ( n / r + 1)} × Y ₂ + ... + C _{n, (n / r + 1)} × Y _n + R ₂ ', ..., CB ₂ n / r = C _{1,2n / r} × Y ₁ + C _{2,2n / r} × Y ₂ + ... + C _{n, 2n / r} × Y _n + R ₂ ', ..., CB _{(r−1) n / r + 1} = C _{1, ((r−1 ) n / r + 1)} × Y ₁ + C _{2, ((r−1) n / r + 1)} × Y ₂ +… + C _{n, ((r−1) n / r + 1)} × Y _n + R _r ', ..., CB _n = C _{1, n} × Y ₁ + C _{2, n} × Y ₂ + ... + C _{n, n} × Y _n + R _r ' I do. Further, the institution P2 calculates an inner product CA · Y of the vector CA and the vector Y of the institution P2. The institution P1 calculates an inner product R · CB of its own random number vector R = <R ₁ , R ₂ ,..., R _n > and the received vector CB, and calculates Φ = −R · CB by multiplying by minus one. . Then, the engine P1 adds its own random vector R n / r pieces each, r-dimensional vector _{DA = (DA 1, DA 2} , ···, DA r), DA 1 = R 1 + R 2 + ... + R _{n / r} , DA ₂ = R _{n / r + 1} + Rn / r + ₂ + ... + R _{2n / r} , ..., DA _r = R _{(r-1) n / r + 1} + _{R (r-1)} calculates the _{n / r + 2 + ··· +} R n, and transmits to the engine P2. The institution P2 calculates the inner product value CA · Y calculated earlier, the r-dimensional vector R ′ = <R ₁ ′, R ₂ ′,..., R _r ′> of its own and the r-dimensional vector DA received from the institution P1. The value Ψ = CA ・ Y + DA ・ R 'is calculated by adding the value of the inner product DA ・ R'. The engine P1 and the engine P2 can obtain the inner product value by exchanging the values Φ and Ψ to obtain Φ + Ψ.

In the above method, it seems that the value before addition cannot be restored by notifying only the result after addition of a plurality of confidential data, and the security of the value of each vector can be guaranteed, but there is a problem. That is, the institution P1 can use the information received from the institution P2 to obtain information that holds for the vector Y, and can clarify at least half of the information that holds for the vector Y. For example, institution P1 knows that institution P2 uses the same random number R ₁ ′ to create CB _{n / r} information from CB ₁ . Therefore, CB ₁ −CB ₂ = (C _1,1 −C _2,1 ) Y ₁ + (C _1,2 −C _2,2 ) Y ₂ + ・ ・ ・ + (C _{1, n} −C _{2, n} It can be seen that the relational expression of) Y _n holds. If there are n different relational expressions, the institution P1 can clarify all the information of the vector Y. In the method of FIG. 26, the institution P1 can create at least n / 2 relational expressions.
Further, when the institution P1 repeatedly uses the vector X, there is a safety problem that the institution P2 can extract information on the vector X. In addition, since n / r times of transmission and reception of n-dimensional vectors are required, a large amount of information is transmitted and received in an attempt to improve security, and there is a problem in efficiency.

  To solve the above problem, Non-Patent Document 2 proposes a secure calculation protocol using a public key cryptosystem. In this method, a probabilistic public key cryptosystem that is a probabilistic cipher that can encrypt one plaintext into a plurality of different ciphertexts and has homomorphism that can also perform an operation on a plaintext by performing an operation on the ciphertext. Used.

  Here, since the public key encryption method uses a different key for encryption and a different key for decryption, anyone can create a ciphertext by disclosing the key used for encryption, but decryption is not possible. This is an encryption method that uses an asymmetric key that is difficult for anyone except the person who knows the key (secret key) for decryption. Also, unlike probabilistic encryption, such as RSA encryption, which always generates the same ciphertext when the same plaintext is encrypted with the same key, the same random text can use different random numbers for each encryption, This is an encryption method that can convert the same plaintext into ciphertexts of the same number as the key type. One of the public key cryptosystems satisfying the above properties is the ElGamal cryptosystem (hereinafter sometimes abbreviated as ElGamal system). The secret vector inner product calculation method using the probabilistic public key cryptosystem uses homomorphism, in which an operation is applied to a plaintext by applying an operation to the ciphertext, and changes the ciphertext stochastically. Thus, while making it difficult to specify what calculation has been performed on the ciphertext, the arithmetic is performed on the plaintext to calculate the inner product of the secret vector.

Hereinafter, as in the previous example, the institutions P1 and P2 determine the amount of use of each customer as shown in FIGS. 2 and 3 by using secret data X _i , Y _i (i = 1, 2,..., N). It is assumed that it is held as
The institution P1 has its own public key K = g ^S (mod P) (where g is a primitive element, P is a prime number, and S is a secret key. Hereinafter, (mod P) shall be omitted in the calculation of ciphertext. is.) on which to publish, encryption value of spending X _i of each customer ^{_{(2 X i K r i,}} g r i) ( here, r _i create the ciphertext vector composed of a random number) And sends it to the institution P2.

Each i-th 1 Attribute ciphertext engine P2 that has received the ciphertext vector than the engine P1 encryption vector, after multiplication index vector elements Y _i to two items both multiplies all the elements of one item of each ciphertext , One ciphertext (2 ^X ₁ ^Y ₁ ^{+ X} ₂ ^Y ₂ ⁺ ... ^{+ X} _n ^Y _n K ^r ₁ ^Y ₁ ^{+ r} ₂ ^Y ₂ ⁺ ... ^{+ R} _N ^Y _N , g ^r ₁ ^Y ₁ ^{+ r} ₂ ^Y ₂ ⁺ ... ^{+ r} _n ^Y _n ), and finally a ciphertext (2 ^X ₁ ^Y ₁ ^{+ X} ₂ ^Y ₂ ) that has been disturbed by random numbers Ψ and r ⁺・ ・ ・^{+ X} _N ^Y _N ^{+ Ψ} K ^r ₁ ^Y ₁ ^{+ r} ₂ ^Y ₂ ⁺・ ・ ・^{+ r} _N ^Y _N ^{+ r} , g ^r ₁ ^Y ₁ ^{+ r} ₂ ^Y ₂ ⁺・ ・ ・^{+ r} _n It is converted to ^Y _n ^{+ r),} and transmits the ciphertext converted into engine P1.
Engine P1 that received the ciphertext is decrypted using the private key of its own two-tuple ciphertext obtained to obtain the second log by the value Φ = Σ _{1 ≦ i ≦} plaintext _n X _i Y _i + Get R. By exchanging the value Φ and the value Ψ between the engine P1 and the engine P2, the inner product value can be obtained from each other.

However, the method of Non-Patent Document 2 also has a problem. The institution P1 needs to encrypt data for each vector information, and the encryption requires a large calculation cost such as calculation of exponentiation. In addition, in order to multiply the information of its own by the degree of the vector, the institution P2 also consumes a large calculation cost of raising the ciphertext to the power of an exponent, and needs to calculate a large cost depending on the value of the input vector. Furthermore, since the multiplication is calculated by exponentiation, the upper limit of the value Φ is log ₂ P. For example, if P is a prime number of 2048 bits, the upper limit of the value Φ is 2048 bits, and an accurate result is obtained. Is limited to the calculation of a small range.

In recent years, a method of performing confidential calculation using the Paillier encryption method (hereinafter, sometimes abbreviated as Paillier method), which is a kind of homomorphic public key encryption in Non-Patent Document 3, has been generally used. .
In the Paillier scheme, a public key provider selects two large prime numbers p and q serving as secret keys, selects N and a random number k that satisfy N = p × q, and g that satisfies g = (1 + kN) modN ² To generate a public key Pk = (N, g).
To encrypt the plaintext m by using a random number ^r, creating a cipher text C by calculating C ^{= g} m r N modN. Meanwhile, decoding is performed by calculating the ^{m = (L (C λ modN} 2) / L (g λ modN 2)) modN. Here, the function L (U) is defined as L (U) = (U−1) / N, and λ is equal to the least common multiple 1cm (p−1, q−1) of p−1 and q−1. I do. λ can be efficiently obtained by the Euclidean algorithm.

Random number _{r 1} plaintext _{m 1} in Paillier method for creating ciphertext _{C 1} encrypts and indicated as _C 1 ₌ E Pk _(m 1, _{r 1)} by the public key _{P k.} When C ₂ = C ₁ × g ^m2 modN is calculated using the ciphertext C ₁ , C ₂ becomes C ₂ = g ^{m1 + m2} r ₁ ^N mod ^N = E _Pk (m ₁ + m ₂ , r ₁ ), and is additive homomorphism. the by meeting, you can create a ciphertext C ₂ obtained by adding m ₂ to m ₁ by using the ciphertext C _1.
Similarly, by using the ciphertext _{C 1,} C ₃ ⁼ Calculating the _C 1 m2 modN, C ₃ is ^{_{C 3 = g m1m2 (r 1}} m2) N mod N = E Pk (m 1 m 2, r 1 m2 ) was filled, from satisfying the multiplicative homomorphism, can create a ciphertext C ₃ multiplied by m ₂ to m ₁ by using the C _1.

As described above, in the Paillier scheme, similar to the ElGamal scheme, confidential calculation can be executed by applying multiplication and exponentiation to ciphertext. In encryption, calculation r ^N using random number r, and in decryption, L (g ^λ modN ² ) can be calculated before the plaintext is determined. Therefore, exponentiation calculation that depends on plaintext and ciphertext for both encryption and decryption One time is required, and decoding requires an additional division. Although the plaintext m is expressed in the exponent part, the value range that m can take in the Paillier method is a large multiple of a constant multiple of N unlike the ElGamal method.

However, the method of Non-Patent Document 3 also has a problem. In this method based on public key cryptography, when performing multiplication, exponentiation is required after the input is determined, and furthermore, large division requires a large bit length. And

Further, methods using public key cryptosystems such as the methods of Non-Patent Documents 2 and 3 guarantee only relative confidentiality based on their respective assumptions. That is, the ElGamal scheme, which is highly likely to be used in the method proposed in Non-Patent Document 2, has been proved to be safe unless a problem considered to be difficult called the Diffie-Hellman problem is efficiently solved, It has not been proven to date whether the Diffie-Hellman problem can be solved really efficiently. Similarly, the method proposed in Non-Patent Document 3 has been proved to be safe unless a problem that is considered to be difficult called a composite number remainder problem is efficiently solved. It has not been proven that it cannot be solved. In the current computer environment, it is necessary to prepare a key having a length of 4096 bits in order to guarantee the security of the modular remainder problem, and the key length required in the future will increase exponentially, increasing the calculation cost. there's a possibility that. It is predicted that if a new generation of computer such as a quantum computer is developed, these assumptions cannot be maintained.

Jaideep Vaidya and Chris Clifton, “Privacy preserving association rule mining in vertically partitioned data,” Proceeding of the 8th ACM SIGMOD International Conference on Knowledge Discovery and Data Mining (KDD2002), pp.639-644, 2002. Bart Goethals, Sven Laur, Helger Lipman and Taneli Mielikainen, “On privacy scalar product computation for privacy-preserving data mining,” Proceeding of the 7th Annual Information Security and Cryptology (ICISC2004), pp.104-120, 2004. Pascal Paillier, “Public-key cryptosystems based on composite degree residuosity classes,” Proceeding of International Conference on the Theory and Applications of Cryptographic Techniques (EURO CRYPT'99), pp.223-238, 1999.

The present invention has been made in view of these problems of the background art, and the basis of confidentiality is different from confidential calculation using conventional homomorphic public key cryptography. By performing the conversion, it is possible to obtain fairly secret information meaningful to both parties (hereinafter, sometimes referred to as negotiation secret information). In addition, based on the confidentiality of the obtained negotiation secret information, a confidential calculation that can perform confidential calculations by calculating inexpensive costs using negotiation secret information and secret data while completely protecting the confidentiality of secret data It is an object to provide a conversion system and a confidential operation conversion method.

In order to solve the above-mentioned object, a confidential operation conversion system according to the present invention includes two or more data processing devices, wherein the data processing device stores secret data storage means for storing respective secret data, and stores respective output data. Output data storage means, and an operation conversion method for specifying a combination of the secret data, the output data, a pre-conversion operation type A to be applied to the secret data and a post-conversion operation type B to be applied to the output data A negotiation secret information storage unit that stores a type as negotiation secret information, and an arithmetic processing unit that receives the secret data as input, calculates the output data in a secret manner in cooperation with another data processing device,
The arithmetic processing unit is configured to execute the operation of the pre-conversion operation type A by using the secret data and the secret data stored in the other data processing device as an input, the output data, and the other data processing device. Guarantees that the result when the post-conversion operation type B is performed with the output data of the input as the same,
It is characterized by the following.

  The pre-conversion operation type A may be addition, and the post-conversion operation type B may be multiplication.

  The pre-conversion operation type A may be a multiplication, and the post-conversion operation type B may be an addition.

  The arithmetic processing means may perform a part of the arithmetic processing before the actual arithmetic processing.

  The arithmetic processing means may calculate output data using the secret data and the negotiation secret information stored in the negotiation secret information storage unit as a result of the arithmetic processing performed prior to the arithmetic processing. Good.

  The negotiation secret information storage means may store output data obtained by using the secret data and the negotiation secret information as new negotiation secret information.

  The arithmetic processing means is an arithmetic processing in which the pre-conversion operation type A is addition and the post-conversion operation type B is multiplication, and the pre-conversion operation type A is multiplication and the post-conversion operation type B is addition. In combination with the arithmetic processing, both the base and the exponent may be used as secret data, and the arithmetic conversion processing before conversion A may be exponentiation and the arithmetic processing after conversion B may be multiplication or addition. .

In order to solve the above object, in the confidential operation conversion method according to the present invention, the data processing device includes: a secret data storage step of storing respective secret data; an output data storage step of storing respective output data; A negotiation secret information storing step of storing information; and an arithmetic processing step of receiving the secret data as input and calculating the output data in secret in accordance with the arithmetic conversion scheme in cooperation with the other data processing apparatus. ,
The operation processing step is a step of performing the operation of the pre-conversion operation type A by using the secret data and the secret data of another data processing device as inputs, the output data, and the output data of the other data processing device. Ensure that the result of performing the operation of the post-conversion operation type B as an input is the same value,
It is characterized by the following.

  The pre-conversion operation type A may be addition, and the post-conversion operation type B may be multiplication.

  The pre-conversion operation type A may be a multiplication, and the post-conversion operation type B may be an addition.

  In the arithmetic processing step, a part of the arithmetic processing may be performed before the actual arithmetic processing.

  The arithmetic processing step may calculate output data using the secret data and the negotiation secret information stored in the negotiation secret information storage unit as a result of the arithmetic processing performed prior to the arithmetic processing. Good.

  The negotiation secret information storing step may store the secret data and output data obtained using the negotiation secret information as new negotiation secret information.

  The operation processing step is an operation in which the pre-conversion operation type A is addition and the post-conversion operation type B is multiplication, and the pre-conversion operation type A is multiplication and the post-conversion operation type B is addition. In combination with the arithmetic processing, both the base and the exponent may be used as secret data, and the arithmetic conversion processing before conversion A may be exponentiation and the arithmetic processing after conversion B may be multiplication or addition. .

In order to achieve the object, the confidential operation conversion program of the present invention is a program used by a computer that processes data in cooperation with another computer,
The data processing device stores a secret data storing step of storing respective secret data, an output data storing step of storing respective output data, a negotiation secret information storing step of storing the negotiation secret information, and inputs the secret data. As, in cooperation with the other data processing device, according to an arithmetic conversion method type, having an arithmetic processing step of calculating the output data confidentially,
The arithmetic processing step includes, when the secret data and the secret data of another data processing device are input, the result of performing the operation of the pre-conversion operation type A and the output data and the output data of the data processing device. Ensure that the result of performing the operation of the post-conversion operation type B as an input is the same value,
It is characterized by the following.

  The pre-conversion operation type A may be addition, and the post-conversion operation type B may be multiplication.

  The pre-conversion operation type A may be a multiplication, and the post-conversion operation type B may be an addition.

  In the arithmetic processing step, a part of the arithmetic processing may be performed before the actual arithmetic processing.

  The arithmetic processing step may calculate output data using the secret data and the negotiation secret information stored in the negotiation secret information storage unit as a result of the arithmetic processing performed prior to the arithmetic processing. Good.

  The negotiation secret information storing step may store the secret data and output data obtained using the negotiation secret information as new negotiation secret information.

  The operation processing step is an operation in which the pre-conversion operation type A is addition and the post-conversion operation type B is multiplication, and the pre-conversion operation type A is multiplication and the post-conversion operation type B is addition. In combination with the arithmetic processing, both the base and the exponent may be used as secret data, and the arithmetic conversion processing before conversion A may be exponentiation and the arithmetic processing after conversion B may be multiplication or addition. .

ADVANTAGE OF THE INVENTION According to this invention, it becomes possible to obtain negotiation secret information which satisfies the relationship mutually agreed fairly. Further, based on the confidentiality of the obtained negotiation secret information, the confidential calculation is performed by calculating inexpensive costs such as addition and multiplication using the secret data and the negotiation secret information while completely protecting the confidentiality of the secret data. It is possible to realize a secret arithmetic exchange system.

1 is a block diagram illustrating a configuration of a confidential operation conversion system according to the present invention. 9 is a table in which the usage amounts of each customer of the institution P1 are arranged in a row by ordering the card numbers of the customers determined based on a prior agreement by a plurality of institutions. It is a table in which the usage amounts for each customer of the institution P2 are arranged in a row by ordering the card numbers of the customers determined based on a prior agreement by a plurality of institutions. It is a functional block diagram showing the function of the component of the confidential operation conversion system of the present invention. It is a process outline figure for demonstrating the outline | summary of the procedure of "operation conversion processing (negotiation secret information non-addition multiplication conversion processing)". It is a process outline figure explaining the outline of the procedure of "operation conversion processing (negotiation secret information non-addition multiplication conversion processing)" using the ElGamal method. It is a process outline figure explaining the outline of the procedure of “operation conversion processing (negotiation secret information non-addition multiplication conversion processing)” using the Paillier method. It is a process outline figure for demonstrating the outline | summary of the procedure of "operation conversion processing (negotiation secret information no multiplication addition conversion processing)". It is a process outline figure explaining the outline of the procedure of “operation conversion processing (negotiation secret information non-multiplication addition conversion processing)” using the ElGamal method. It is a process outline figure explaining the outline of the procedure of "operation conversion processing (negotiation secret information non-multiplication addition conversion processing)" using the Paillier method. It is a process schematic diagram for demonstrating the outline | summary of the procedure of "calculation conversion process (conversion process with negotiation secret information)". It is a flowchart for demonstrating the procedure of "confidential operation conversion processing." It is a flowchart for demonstrating the procedure of a "negotiation secret information use designation | designated process." It is a flowchart for demonstrating the procedure of "negotiation conversion processing with confidential information". It is a processing outline figure explaining the procedure of “negotiation secret information multiplication addition conversion processing”. It is a process outline figure explaining the procedure of “negotiation multiplication conversion processing with secret information”. It is a flowchart for demonstrating the procedure of a "negotiation secret information no-operation conversion process." It is a flowchart for demonstrating the selection procedure of the calculation method implemented in "negotiation private information non-multiplication addition conversion processing." It is a flowchart for demonstrating the selection procedure of the calculation method implemented in "negotiation secret information no addition multiplication conversion processing." It is a flowchart for demonstrating the procedure of "negotiation secret information acquisition processing." It is a flowchart explaining the procedure of a "negotiation secret information update process." FIG. 14 is a schematic processing diagram illustrating processing using input pre-calculation and division, which is an example of “two-step negotiation secret information no-addition multiplication conversion processing” executed in “negotiation secret information no-operation conversion processing” shown in FIG. 13. . FIG. 14 is a process outline diagram illustrating a process using input pre-calculation and division, which is an example of “two-stage negotiation secret information no-multiplication addition conversion process” executed in “negotiation secret information no-operation conversion process” shown in FIG. 13. . It is a process outline figure explaining "secret multiplication addition operation conversion processing (exponential part multiplication)." It is a process outline figure explaining "the secret multiplication addition operation conversion processing (exponent part addition)." It is a processing conceptual diagram for demonstrating the outline | summary of the procedure of the secret inner product calculation method shown by the nonpatent literature 1.

(Configuration of the present invention)
The confidential operation conversion system of the present invention is applied to a case where the operation A is applied to the confidential data X and the confidential data Y without the help of a third party for the confidential data X and the confidential data Y of the institution P1 or the institution P2. An information exchange system for fairly obtaining meaningful confidential information that both institutions P1 and P2 have agreed on by calculating secretly the combination of inputs OutputX and OutputY for another operation B that can obtain the same result. It is. Hereinafter, the basic configuration of the confidential operation conversion system will be described with reference to the drawings.

As shown in FIG. 1, the confidential operation conversion system 1 of the present invention includes two data processing devices 100 installed in each of an institution P1 and an institution P2, and a communication line 200 connecting them. The two data processing apparatuses 100 cooperate with each other by transmitting and receiving data to and from each other through the communication line 200 to execute a confidential operation conversion process.

The data processing device 100 is built in, for example, a PC server or a mainframe, and includes a control unit 110, a communication unit 120, a storage unit 130, an operation unit 140, an interface unit 150, and an arithmetic processing unit 160.

The control unit 110 includes a CPU (Central Processing Unit) and controls and controls each unit of the data processing device 100. That is, in response to the “confidential operation conversion process start signal” from the operation unit 140, the operation conversion method type (hereinafter, may be abbreviated as Type) defined corresponding to the operations A and B. Is specified, information necessary for the arithmetic processing stored in the storage unit 130 is read in advance, and the arithmetic processing in the arithmetic processing unit 160 is executed. If necessary, the result of the arithmetic processing in the arithmetic processing unit 160 is stored in the storage unit 130. 130, the information necessary for the confidential operation conversion is transmitted to the partner organization via the communication unit 120, and the operation result of the operation processing unit 160 is displayed and output via the I / F unit 150. Carry.

The communication unit 120 includes a LAN connector, a processor for transmission / reception processing, and the like, and communicates with the data processing device 100 of the partner organization through the communication line 200 under the control of the control unit 110.

The storage unit 130 is configured by a storage device such as a hard disk or a RAM (Random Access Memory), and stores data such as its own secret data and operation conversion processing data necessary for the operation processing in the operation processing unit 160 in advance. Also, the calculation result in the calculation processing unit 160 is stored as negotiation secret information as needed.

Here, “secret data” refers to non-public information such as “customer information” and “secret vector”. Further, "customer information" is information of a customer who has used each institution, and "secret vector" is that customer information is rearranged according to an ID commonly known by a plurality of organizations, and a certain organization has Provide information on each vector position of the secret vector that is present and arrange with the common recognition of both institutions so that the customer who provided the information on the same vector position of the secret vector held by another institution is the same And the information that was given.

  Here, the “operation conversion processing method data” is data for determining various confidential operation processing methods to be executed by the operation processing unit 160, and includes information for designating the operation conversion method type Type and whether or not negotiation secret information is used. There is information for designating, for example.

The "negotiation confidential information" is confidential information obtained by performing arithmetic processing in the arithmetic processing unit 160 and created by mutual agreement. The institutions P1 and P2 transmit the secret data X and the secret data Y The secret data SecretX [Id] and SecretY [Id] stored in the storage unit 130 by the institution P1 and the institution P2 with the same index Id on the information including the output data OutputX and OutputY. In the “confidential operation conversion process” described later, the operation conversion process may be performed using previously created negotiation secret information stored in the storage unit 130, but the details will be described later.

The operation unit 140 includes various buttons and the like configured on the outer surface of the data processing device 100. When a predetermined button is pressed by the user, a “secret calculation conversion process start notification” is transmitted to control unit 110. The secret calculation conversion process start notification is a signal that serves as a trigger for starting the secret calculation conversion process.

The I / F unit 150 includes, for example, a USB (Universal Serial Bus) connector and a video output terminal, and transmits a processing result to an external device (for example, a PC or a monitor).

(Embodiment 1 of the present invention)
The configuration of the confidential operation conversion system 1 and the function of each unit have been described above. Next, referring to FIG. 4, the “confidential operation conversion process” and “negotiation” in the operation processing unit 160 according to the first embodiment of the present invention will be described. An outline of the “secret information acquisition process” will be described.
Although the control unit 110 is omitted in FIG. 4 for simplification, it is needless to say that the transmission and reception of information between the components and the transmission and reception between the institutions P1 and P2 are controlled and controlled by the control unit 110. It is.

The “confidential calculation conversion process” in the calculation processing unit 160 is started by a “notification of start of the confidential calculation conversion process” from the operation unit 140.
The confidential operation conversion processing units 161 of the institution P1 and the institution P2 cooperate to input the operation B to obtain the same result as the result obtained by applying the operation A to its own secret data and the secret data of the partner institution. The pair OutputX and OutputY are each calculated secretly, and the institution P1 acquires only its own secret output data OutputX, and the institution P2 acquires only its own secret data output OutputY.

The negotiation secret information acquisition processing unit 162 of the institution P1 specifies the secret output data OutputX and the secret data X acquired by the secret operation conversion processing unit 161 and information specifying the operation conversion method type (for example, if Type = 1, multiplication to addition is performed). , And if Type ≠ 1, information indicating conversion from addition to multiplication) is collected as ObjectX.
Similarly, the negotiation secret information acquisition processing unit 162 of the institution P2 collects the secret output data OutputY, the secret data Y, and the operation conversion method type Type as ObjectY.
Further, the institution P1 and the institution P2 cooperate to determine the same index Id to be attached to ObjectX and ObjectY, and store the same in each storage unit 130 as negotiation secret information SecretX [Id].
Hereinafter, the secret data X and the secret data Y used in the operation conversion process in the secret operation conversion processing unit 161 are distinguished from the secret data X and the secret data Y stored in the storage unit 130 in the negotiation secret information acquisition processing unit 162. For the purpose, the secret data X and the secret data Y stored in the storage unit 130 as the negotiation secret information may be referred to as an operation conversion input InputX and an operation conversion input InputY, respectively.
Also, the purpose of discriminating the secret output data OutputX and secret output data OutputY obtained by the institutions P1 and P2 and the secret output data OutputX and secret output data OutputY stored in the storage unit 130 by the negotiation secret information acquisition processing unit 162. The secret output data OutputX and the secret output data OutputY stored in the storage unit 130 as negotiation secret information may be referred to as an operation conversion output OutputX and an operation conversion output OutputY, respectively.

FIG. 5 specifically shows an example of the confidential operation conversion process in the confidential operation conversion processing unit 161 and the negotiation secret information acquisition process in the negotiation secret information acquisition processing unit 162. The secret data X held by the institution P1 is shown. The figure shows the procedure for changing the operation A for obtaining X + Y to another operation B for the secret data Y held by the institution P2.
The confidential calculation conversion processing unit 161 of the institution P1 converts the values CA ₁ , CA ₂ , CA ₃ , DA ₁ , DA ₂ , and DA ₃ shown in (Equation 1) and (Equation 2) that include the own secret data X. Calculate and send to institution P2.
(CA ₁ , CA ₂ , CA ₃ ) = (α ₁ KA ₁ , α ₃ KA ₁ , g ^γ1 ) (1)
(DA ₁ , DA ₂ , DA ₃ ) = (α ₂ KA ₂ , α ₄ KA ₂ , g ^γ 2) (2)
Here, α ₁ , α _2, α ₃ , and α ₄ are the relations of X ₁ = α ₁ + α ₂ and X ₂ = α ₃ + α ₄ when secret data X is expressed as X = X ₁ / X _2. KA ₁ and KA ₂ are determined by using the public key Z (= g ^x ) and the primitive element g known by the institution P1 and the organization P2, and the random numbers γ ₁ and γ ₂ known only by the organization P1. , KA ₁ = Z ^γ1 , KA ₂ = Z ^γ2 , x is a secret key of the institution P1 and is stored in advance in the storage unit 130 of the institution P1.
Security operation conversion processing unit 161 of the engine P2 receives the _{CA 1, CA 2, CA 3} , DA 1, DA 2, DA 3 from the engine P1, (Equation 3), represented by (Equation 4), secret data Y stored in the storage unit 130 in advance engine P2, its random number _{Ψ, λ 1, λ 2,} λ 3, λ 4, λ 5, λ 6, λ 7, λ 8, containing the values CB calculate the _{1, CB 2, CB 3,} CB 4, CB 5, CB 6, CB 7, CB 8, DB 1, DB 2, DB 3, DB 4, DB 5, DB 6, DB 7, DB 8 Send to institution P1.
_{(CB 1, CB 2, CB} 3, CB 4, CB 5, CB 6, CB 7, CB 8)
^{_{= (Θ 1 Z λ1, θ}} 2 Z λ2, β 1 Z λ3, θ 3 Z λ4, β 2 Z λ5, β 3 Z λ6, θ 4 Z λ7, β 4 Z λ8) (3)
_{(DB 1, DB 2, DB} 3, DB 4, DB 5, DB 6, DB 7, DB 8)
_{^{= (G λ1 DA 3, g}} λ2 DA 3, g λ3 CA 3, g λ4 DA 3, g λ5 CA 3, g λ6 CA 3, g λ7 DA 3, g λ8 CA 3,)
(4)
Here, θ ₁ , θ ₂ , θ ₃ , θ ₄ , β ₁ , β ₂ , β ₃ , β ₄ are represented by CA ₁ Y ₁ + CA ₂ when secret data Y is represented as Y = Y ₂ / Y ₁ These values satisfy Y ₂ = β ₁ + β ₂ + β ₃ + β ₄ and DA ₁ Y ₁ + DA ₂ Y ₂ = θ ₁ + θ ₂ + θ ₃ + θ ₄ .
The institution P1 receives the data CB _i and DB _i from the institution P2, and obtains a value OutputX represented by (Equation 5).
OutputX = Σ _{1 ≦ i ≦ 8} CB _i DB _i ^-x / X ₂
(= (Σ _{1 ≦ i ≦ 4} β _i CA ₃ ^-1 + Σ _{1 ≦ i ≦ 4} θ _i DA ₃ ^-1 ) / X ₂ ))
(= (ΓB ₁ CA ₃ ^-1 + ΓB ₂ DA ₃ ^-1 ) / X ₂ ))
(= ((Α ₁ Y1 + α ₃ Y2) + (α ₂ Y1 + α ₄ Y2)) / X ₂ ))
(= ((Α ₁ + α ₂ ) Y1 + (α ₃ + α ₄ ) Y2)) / X ₂ ))
≡ (X ₁ Y ₁ + X ₂ Y ₂ ) / X ₂ (5)
Institution P2 obtains a value OutputY represented by (Equation 6).
_{OutputY = 1 / Y 1 (6} )
As can be seen from (Expression 5) and (Expression 6), by exchanging OutputX and OutputY calculated by the respective institutions, a value X + Y obtained by adding the secret data X and the secret data Y by (Expression 7) Is found.
_{OutputX × OutputY = (X 1 Y} 1 + X 2 Y 2) / (X 2 Y 1)
(= X ₁ / X ₂ + Y ₂ / Y ₁ )
= X + Y (7)
As can be seen from (Equation 7), the operation conversion process shown in FIG. 5 is the same as when the operation A (X + Y) is performed with the secret data X and the secret data Y held by the institutions P1 and P2 as inputs. A plurality of inputs OutputX and OutputY for the operation B (OutputX × OutputY) from which a result can be obtained can be calculated confidentially.
Hereinafter, the operation conversion schemes shown in (Equation 1) to (Equation 7) may be abbreviated as a division addition multiplication operation conversion method.
FIG. 5 shows a case where the secret data X of the institution P1 and the secret data Y of the institution P2 are one-dimensional (when the number of data of X or Y is one) for the sake of simplicity. Is CA _1i , CA _2i , CA _3i , DA _1i , DA _2i , DA _3i , CB _1i , CB _2i , CB _3i , CB _4i , CB _5i , CB _6i , CB _7i , CB _8i ,
By performing similar calculations and exchanging information for DB _1i , DB _2i , DB _3i , DB _4i , DB _5i , DB _6i , DB _7i , DB _8i (i = 1,2,3,... N), _{1 ≦ i ≦ n} (X _i + Y _i ) can be obtained.
The negotiation secret information acquisition processing unit 162 of the institution P1 obtains ObjectX including the operation conversion input InputX, the operation conversion output OutputX, and Type (in FIG. 5, information indicating that the addition which is operation A is converted to the multiplication which is operation B). The negotiation secret information is set as SecretX [Id] and stored in the storage unit 130.
Similarly, in the negotiation secret information acquisition processing unit 162 of the institution P2, the operation conversion input InputY, the operation conversion output OutputY, and the type of the operation conversion process (in FIG. 5, the addition of operation A is converted to the multiplication of operation B) InformationY) is obtained, set as negotiation secret information SecretY [Id], and stored in the storage unit 130.
Note that Id in the negotiation secret information SecretX [Id] and the negotiation secret information SecretY [Id] have the same number.

In FIG. 5, a plurality of operations B (OutputX × OutputY) that can obtain the same result as when the operation A (X + Y) is performed with the secret data X and the secret data Y held by the institutions P1 and P2 as inputs are obtained. It was shown that input OutputX and OutputY can be calculated secretly.
The same arithmetic conversion can be realized by using the well-known ElGamal method which is excellent in confidentiality, and will be described with reference to FIG.
In FIG. 6, the confidential operation conversion processing unit 161 of the institution P1 calculates values CA ₁ and CA _{2 including} its own secret data X shown in (Equation 8) and (Equation 9) and transmits the calculated values to the institution P2. .
CA ₁ = 2 ^X PK ^γ1 (8)
CA ₂ = g ^γ1 (9)
Here, g is a primitive element shared by the institution P1 and the institution P2, PK (= g ^SK ) is a public key, SK is a secret key of the institution P1, and γ1 is a random number known only to the institution P1. It is stored in the unit 130.
The confidential operation conversion processing unit 161 of the institution P2 receives CA ₁ and CA ₂ from the institution P1, and converts the values CB ₁ and CB _{2 including the} own secret data Y shown in (Equation 10) and (Equation 11). Calculate and send to agency P1.
CB ₁ = (2 ^Y CA ₁ ) ^{1 / Ψ} PK ^γ2 (10)
CB ₂ = (CA ₂ ) ^{1 / Ψ} g ^γ2 (11)
Here, Ψ and γ2 are random numbers known only to the institution P2, and are stored in advance in the storage unit 130 of the institution P2.
In the engine P1, it receives data CB _1, CB ₂ from engine P2, determines the value OutputX represented by (Equation 12).
OutputX = log ₂ (CB ₁ / (CB ₂ ) ^SK )
(= Log ₂ (2 ^{(X + Y) /} Ψ ⁾ PK ^{(γ1 + γ2) /} Ψ / (g ^{(γ1 + γ2) /} Ψ) ^SK )
(= Log ₂ (2 ( ^{X + Y) /} Ψ))
(= (X + Y) / Ψ)
≡ Φ (12)
Institution P2 obtains a value OutputY represented by (Equation 13).
OutputY = Ψ (13)
As can be seen from (Equation 12) and (Equation 13), by exchanging OutputX calculated by the institution P1 and OutputY of the institution P2, the value X obtained by adding the secret data X and the secret data Y is obtained by (Equation 14). + Y is obtained.
OutputX × OutputY = Φ × Ψ
= X + Y (14)
As can be seen from (Equation 14), the operation conversion process shown in FIG. 6 is the same as the operation A (X + Y) with the secret data X and the secret data Y held by the institutions P1 and P2 as inputs. A plurality of inputs OutputX and OutputY for the operation B (OutputX × OutputY) from which a result can be obtained can be calculated confidentially.
Hereinafter, the operation conversion schemes shown in (Equation 8) to (Equation 14) may be abbreviated as ElGamal addition multiplication operation conversion method.
FIG. 6 shows a case where the secret data X of the institution P1 and the secret data Y of the institution P2 are one-dimensional (when the number of data of X or Y is one) for simplicity. By performing similar calculations and exchanging information for CA _1i , CA _2i , CB _1i , and CB _2i (i = 1, 2, 3,... N), Σ _{1 ≦ i ≦ n} (X _i + Y _i ) Can be requested.
The negotiation secret information acquisition processing unit 162 of the institution P1 obtains ObjectX including the operation conversion input InputX, the operation conversion output OutputX, and Type (in FIG. 6, information indicating that the addition of operation A is converted to the multiplication of operation B), It is set as negotiation secret information SecretX [Id] and stored in the storage unit 130.
Similarly, in the negotiation secret information acquisition processing unit 162 of the institution P2, ObjectY including the operation conversion input InputY, operation conversion output OutputY, and Type (in FIG. 6, information indicating that the addition which is operation A is converted into the multiplication which is operation B). Is set as negotiation secret information SecretY [Id] and stored in the storage unit 130.
Note that Id in the negotiation secret information SecretX [Id] and the negotiation secret information SecretY [Id] are set to the same number.

In FIG. 6, a plurality of operations B (OutputX × OutputY) that can obtain the same result as when the operation A (X + Y) is performed by using the secret data X and the secret data Y held by the institutions P1 and P2 as inputs. It was shown that input OutputX and OutputY can be calculated using ElGamal method which is excellent in secrecy.
The same arithmetic conversion can be realized by using the well-known Paillier method which is excellent in confidentiality, and will be described with reference to FIG.
7, security operation conversion processing unit 161 of the engine P1 sends indicated by, the engine P2 to calculate the value CA ₁ including the own secret data X (Equation 15).
^{_{CA 1 = g X γ1 N modN}} (15)
Here, .gamma.1 random number, N, g to know only the engine P1 is a public key that satisfies N = p × q, g = (1 + kN) modN 2 relations, pre-stored in the engine P1 and engine P2 It is stored in the unit 130.
Here, p and q are large prime numbers, which are stored in advance in the storage unit 130 of the institution P1 as secret keys, and k is a random number known only to the institution P1.
Security operation conversion processing unit 161 of the engine P2 sends the engine P1 to calculate the value CB ₁ including the own secret data Y represented by receives CA ₁ from the engine P1 (Equation 16).
CB ₁ = (g ^Y CA ₁ ) ^{1 / Ψ} modN (16)
Here, Ψ is a random number known only to the institution P2, and is previously stored in the storage unit 130 of the institution P2.
In the engine P1, it receives data CB ₁ from engine P2, determines the value OutputX represented by (Equation 17).
OutputX = (L (CB ₁ modN ² / L (g ^λ modN ² )) modN
(= (X + Y) / Ψ)
≡ Φ (17)
Here, λ is a secret key known only to the institution P1, and is the least common multiple of (p-1) and (q-1) for large prime numbers p and q, and is stored in advance in the storage unit 130 of the institution P1. I have.
L (U) is a function that satisfies L (U) = (U−1) / N.
Institution P2 obtains a value OutputY represented by (Equation 18).
OutputY = Ψ (18)
As can be seen from (Equation 17) and (Equation 18), by exchanging OutputX calculated by the institution P1 and OutputY of the institution P2, the value X obtained by adding the secret data X and the secret data Y is obtained by (Equation 19). + Y is obtained.
OutputX × OutputY = Φ × Ψ
= X + Y (19)
As can be seen from (Equation 19), the operation conversion process shown in FIG. 7 is the same as when the operation A (X + Y) is performed with the secret data X and the secret data Y held by the institutions P1 and P2 as inputs. A plurality of inputs OutputX and OutputY for the operation B (OutputX × OutputY) from which a result can be obtained can be calculated confidentially.
Hereinafter, the operation conversion schemes shown in (Equation 15) to (Equation 19) may be abbreviated as Paillier addition multiplication operation conversion method.
FIG. 7 shows a case where the secret data X of the institution P1 and the secret data Y of the institution P2 are one-dimensional (when the number of data of X or Y is one) for simplicity. CA _{1 ≦ i ≦ n} (X _i + Y _i ) can be obtained by performing similar calculations and exchanging information on CA _1i and CB _1i (i = 1, 2, 3,... N). .
The negotiation secret information acquisition processing unit 162 of the institution P1 obtains ObjectX including the operation conversion input InputX, the operation conversion output OutputX, and Type (in FIG. 7, information indicating that the addition as the operation A is converted into the multiplication as the operation B). It is set as negotiation secret information SecretX [Id] and stored in the storage unit 130.
Similarly, the negotiation secret information acquisition processing unit 162 of the institution P2 obtains ObjectY including the operation conversion input InputY, operation conversion output OutputY, and Type (in FIG. 7, information indicating that the addition, which is operation A, is converted into the multiplication, which is operation B). Is set as negotiation secret information SecretY [Id] and stored in the storage unit 130.
Note that Id in the negotiation secret information SecretX [Id] and the negotiation secret information SecretY [Id] are set to the same number.

As described above, the operation A (X + Y) using the secret data X and the secret data Y held by the institution P1 and the institution P2 by the division addition multiplication operation conversion method, the ElGamal addition multiplication operation conversion method, and the Paillier addition multiplication operation conversion method A method has been described in which a plurality of inputs OutputX and OutputY for a calculation B (OutputX × OutputY) that can obtain the same result as when the calculation is performed are concealed. However, it is also possible to execute a calculation conversion combining these methods. Of course.
That is, for example, at the time of the operation on the secret data X ₁ and the secret data Y _{1, the} operation conversion by the Paillier addition multiplication operation conversion method is performed, and the secret data X ₂ , X ₃ , X ₄ ,... And the secret data Y ₂ , Y At the time of the operation relating to ₃ , Y ₄ ,..., Any combination such as performing operation conversion by a division addition multiplication operation conversion method is possible.

In FIG. 5, a plurality of operations B (OutputX × OutputY) that can obtain the same result as when the operation A (X + Y) is performed with the secret data X and the secret data Y held by the institutions P1 and P2 as inputs are obtained. It was shown that input OutputX and OutputY can be calculated secretly.
Next, referring to FIG. 8, an operation B (OutputX + OutputY) that can obtain the same result as when the operation A (X × Y) is performed using the secret data X and the secret data Y held by the institutions P1 and P2 as inputs. ) Indicates that multiple inputs OutputX and OutputY can be calculated confidentially.

The confidential calculation conversion processing unit 161 of the institution P1 converts the values CA ₁ , CA ₂ , CA ₃ , DA ₁ , DA ₂ , and DA ₃ including the own secret data X shown in (Equation 20) and (Equation 21). Calculate and send to institution P2.
(CA ₁ , CA ₂ , CA ₃ ) = (α ₁ KA ₁ , α ₃ KA ₁ , g ^γ1 ) (20)
_{(DA 1, DA 2, DA} 3) = (α 2 KA 2, α 4 KA 2, g γ2) (21)
Here, α ₁ and α ₂ are random numbers known only to the institution P1 satisfying the relationship of X = α ₁ + α ₂ , and α ₃ and α ₄ are random numbers known only to the institution P1 satisfying the relationship of α ₃ + α ₄ = 1 , KA ₁ , KA ₂ are obtained by using a public key Z (= g ^x ) known to the institution P1 and the institution P2, a primitive element g, and random numbers γ ₁ , γ ₂ known only to the institution P1 to obtain KA ₁ = Z ^γ1 , KA ₂ = ^Zγ2 , x is a secret key of the institution P1, and is stored in the storage unit 130 of the institution P1 in advance.
The confidential calculation conversion processing unit 161 of the institution P2 receives CA ₁ , CA ₂ , CA ₃ , DA ₁ , DA ₂ , and DA ₃ from the institution P1, and is represented by (Expression 22) and (Expression 23). secret data Y stored in the storage unit 130 in advance engine P2, its random number _{Ψ, λ 1, λ 2,} λ 3, λ 4, λ 5, λ 6, λ 7, λ 8, containing the values CB calculate the _{1, CB 2, CB 3,} CB 4, CB 5, CB 6, CB 7, CB 8, DB 1, DB 2, DB 3, DB 4, DB 5, DB 6, DB 7, DB 8 Send to institution P1.
_{(CB 1, CB 2, CB} 3, CB 4, CB 5, CB 6, CB 7, CB 8)
^{_{= (Θ 1 Z λ1, θ}} 2 Z λ2, β 1 Z λ3, θ 3 Z λ4, β 2 Z λ5, β 3 Z λ6, θ 4 Z λ7, β 4 Z λ8) (22)
_{(DB 1, DB 2, DB} 3, DB 4, DB 5, DB 6, DB 7, DB 8)
_{^{= (G λ1 DA 3, g}} λ2 DA 3, g λ3 CA 3, g λ4 DA 3, g λ5 CA 3, g λ6 CA 3, g λ7 DA 3, g λ8 CA 3,)
(23)
Here, θ ₁ , θ ₂ , θ ₃ , θ ₄ , β ₁ , β ₂ , β ₃ , β ₄ are CA ₁ Y + CA ₂ Ψ = β ₁ + β ₂ + β ₃ + β ₄ , DA ₁ Y + DA ₂ Ψ = θ ₁ + θ ₂ + θ ₃ + θ ₄
The institution P1 receives the data CB _i and DB _i from the institution P2 and obtains a value OutputX represented by (Equation 24).
OutputX = Σ _{1 ≦ i ≦ 8} CB _i DB _i ^-x
(= Σ _{1 ≦ i ≦ 8} CB _i DB _i ^-x = Σ _{1 ≦ i ≦ 4} β _i CA ₃ ^-1 + Σ _{1 ≦ i ≦ 4} θ _i DA ₃ ^-1 = ΓB ₁ CA ₃ ^-1 + ΓB ₂ DA ₃ ^-1 = (α ₁ Y &#8722; α ₃ ψ) + (α ₂ Y &#8722; α ₄ ψ) = (α ₁ + α ₂ ) Y &#8722; (α ₃ + α ₄ ) ψ)
(= X × Y &#8722; ψ)
≡ Φ (24)
Institution P2 obtains a value OutputY represented by (Equation 25).
OutputY = Ψ (25)
As can be seen from (Expression 24) and (Expression 25), by exchanging OutputX and OutputY calculated by the respective institutions, a value X + Y obtained by adding the secret data X and the secret data Y by (Expression 26) Is found.
OutputX + OutputY = Φ + Ψ
= X x Y (26)
As can be seen from (Equation 26), in the operation conversion process shown in FIG. 8, when the operation A (X × Y) is performed with the secret data X and the secret data Y held by the institutions P1 and P2 as inputs. A plurality of inputs OutputX and OutputY for the operation B (OutputX + OutputY) that can obtain the same result as the above can be confidentially calculated.
Hereinafter, the operation conversion method shown in (Equation 20) to (Equation 26) may be abbreviated as a division multiplication addition operation conversion method.
FIG. 8 shows a case where the secret data X of the institution P1 and the secret data Y of the institution P2 are one-dimensional (when the number of data of X or Y is one) for simplicity. Is
CA _1i , CA _2i , CA _3i , DA _1i , DA _2i , DA _3i , CB _1i , CB _2i , CB _3i , CB _4i , CB _5i , CB _6i , CB _7i , CB _8i ,
_{DB 1i, DB 2i, DB 3i} , DB 4i, DB 5i, DB 6i, DB 7i, DB 8i (i = 1,2,3, ··· n) Σ by the exchange of similar calculation and information about _{1 ≦ i ≦ n} (X _i × Y _i ) can be obtained.
In the negotiation secret information acquisition processing unit 162 of the institution P1, the operation conversion input InputX, the operation conversion output OutputX, and the type of the operation conversion process (in FIG. 8, information indicating that the multiplication that is the operation A is converted to the addition that is the operation B) Is obtained, set as negotiation secret information SecretX [Id], and stored in the storage unit 130.
Similarly, the negotiation secret information acquisition processing unit 162 of the institution P2 includes the operation conversion input InputY, the operation conversion output OutputY, and the type (in FIG. 8, information that the multiplication that is the operation A is converted to the addition that is the operation B). ObjectY is obtained, set as negotiation secret information SecretY [Id], and stored in the storage unit 130.
Note that Id in the negotiation secret information SecretX [Id] and the negotiation secret information SecretY [Id] are set to the same number.

In FIG. 8, a plurality of operations B (OutputX + OutputY) that can obtain the same result as when the operation A (X × Y) is performed using the secret data X and the secret data Y held by the institutions P1 and P2 as inputs are obtained. It was shown that input OutputX and OutputY can be calculated secretly.
The same operation conversion can be realized by using the well-known ElGamal method which is excellent in confidentiality, and will be described with reference to FIG.

FIG. 9 shows a calculation method using the ElGamal method as another example of the confidential calculation conversion processing in the confidential calculation conversion processing section 161 and the negotiation secret information acquisition processing in the negotiation secret information acquisition processing section 162. A procedure is shown in which the operation A (X × Y) is changed to another operation B (OutputX + OutputY) for the secret data X held by P1 and the secret data Y held by the institution P2.
Security operation conversion processing unit 161 of the engine P1 is (formula 27), and transmits represented by (Equation 28), the values including its own secret data X CA _1, CA ₂ and calculated by the engine P2.
CA ₁ = 2 ^X PK ^γ1 (27)
CA ₂ = g ^γ1 (28)
Here, g is a primitive element shared by the institution P1 and the institution P2, PK (= g ^SK ) is a public key, SK is a secret key of the institution P1, and γ1 is a random number known only to the institution P1. It is stored in the unit 130.
The confidential operation conversion processing unit 161 of the institution P2 receives the CA ₁ and CA ₂ from the institution P1 (Equation 29), and receives the values CB ₁ and CB _{2 including its} own secret data Y shown in (Equation 30). Is calculated and transmitted to the institution P1.
CB ₁ = 2 ^-Ψ (CA ₁ ) ^Y PK ^γ2 (29)
CB ₂ = (CA ₂ ) ^Y g ^γ2 (30)
Here, Ψ and γ2 are random numbers known only to the institution P2, and are stored in advance in the storage unit 130 of the institution P2.
The institution P1 receives the data CB ₁ and CB ₂ from the institution P2 and obtains a value OutputX represented by (Equation 31).
OutputX = log ₂ (CB ₁ / (CB ₂ ) ^SK )
(= Log ₂ (2 ^{(X × Y−Ψ)} PK ^{(γ1 + γ2) Y} / (g ^{(γ1 + γ2) Y} ) ^SK ))
(= Log ₂ (2 ^{(X × Y−Ψ)} ))
= X × Y-Ψ (31)
Institution P2 obtains a value OutputY represented by (Equation 32).
OutputY = Ψ (32)
As can be seen from (Equation 31) and (Equation 32), the secret data X and the secret data Y were multiplied by (Equation 33) by exchanging OutputX calculated by the institution P1 and OutputY calculated by the institution P2. The value X × Y is obtained.
OutputX + OutputY = X × Y (33)
As can be seen from (Equation 33), in the operation conversion process shown in FIG. 9, when the operation A (X × Y) is performed with the secret data X and the secret data Y held by the institutions P1 and P2 as inputs. A plurality of inputs OutputX and OutputY for the operation B (OutputX + OutputY) that can obtain the same result as the above can be confidentially calculated.
Hereinafter, the operation conversion schemes shown in (Equation 27) to (Equation 33) may be abbreviated as ElGamal multiplication-addition operation conversion method.
FIG. 9 shows a case where the secret data X of the institution P1 and the secret data Y of the institution P2 are one-dimensional (when the number of data of X or Y is one) for simplicity. Is CA _1i ,
By performing similar calculations and exchanging information on CA _2i , CB _1i , and CB _2i (i = 1, 2, 3,... N), Σ1 _{≦ i ≦ n} X _i Y _i can be obtained.
The negotiation secret information acquisition processing unit 162 of the institution P1 obtains ObjectX including the operation conversion input InputX, the operation conversion output OutputX, and Type (in FIG. 9, information indicating that the multiplication that is operation A is converted to the addition that is operation B). , Is set as negotiation secret information SecretX [Id] and stored in the storage unit 130.
Similarly, in the negotiation secret information acquisition processing unit 162 of the institution P2, the operation conversion input InputY, the operation conversion output OutputY, and the type of the operation conversion process (in FIG. 9, the multiplication that is the operation A is converted to the addition that is the operation B) ObjectY including the information to be processed is set as negotiation secret information SecretY [Id] and stored in the storage unit 130.
Note that Id in the negotiation secret information SecretX [Id] and the negotiation secret information SecretY [Id] are set to the same number.

In FIG. 9, a plurality of inputs OutputX to the operation B (OutputX + OutputY) that can obtain the same result as when the operation A (X × Y) is performed using the secret data X and Y held by the institutions P1 and P2 as inputs. It was shown that OutputY can be calculated using the ElGamal method which is excellent in secrecy.
The same arithmetic conversion can be realized by using the well-known Paillier method which is excellent in confidentiality, and will be described with reference to FIG.
10, security operation conversion processing unit 161 of the engine P1 sends indicated by, the engine P2 to calculate the value CA ₁ including the own secret data X (Equation 34).
CA ₁ = g ^X γ1 ^N modN (34)
Here, N, g is a public key that satisfies N = p × q, g = (1 + kN) modN 2 relations, pre-stored in the storage unit 130 of the engine P1 and engine P2.
Note that p and q are large prime numbers, which are stored in advance in the storage unit 130 of the institution P1 as secret keys, and k is a random number known only to the institution P1.
Security operation conversion processing unit 161 of the engine P2 sends the engine P1 to calculate the value CB ₁ including the own secret data Y represented by receives CA ₁ from the engine P1 (Formula 35).
CB ₁ = (g ^−Ψ CA ₁ ) ^Y modN (35)
Here, Ψ is a random number known only to the institution P2, and is previously stored in the storage unit 130 of the institution P2.
In the engine P1, it receives data CB ₁ from engine P2, determines the value OutputX represented by (Equation 36).
OutputX = (L (CB ₁ modN ² / L (g ^λ modN ² )) modN
= (X × Y) -Ψ (36)
Here, λ is a secret key known only to the institution P1, and is stored in advance in the storage unit 130 of the institution P1.
L (U) is a function that satisfies L (U) = (U−1) / N.
Institution P2 obtains a value OutputY represented by (Equation 37).
OutputY = Ψ (37)
As can be seen from (Equation 36) and (Equation 37), by exchanging OutputX calculated by the institution P1 and OutputY calculated by the institution P2, the secret data X and the secret data Y are added by (Equation 38). The value X + Y is obtained.
OtputX + OutputY = X × Y (38)
As can be seen from (Equation 38), in the operation conversion processing shown in FIG. 10, when the operation A (X × Y) is performed with the secret data X and the secret data Y held by the institutions P1 and P2 as inputs. A plurality of inputs OutputX and OutputY for the operation B (OutputX + OutputY) that can obtain the same result as the above can be confidentially calculated.
Hereinafter, the operation conversion schemes shown in (Equation 34) to (Equation 38) may be abbreviated as Paillier multiplication-addition operation conversion method.
FIG. 10 shows a case where the secret data X of the institution P1 and the secret data Y of the institution P2 are one-dimensional (when the number of data of X or Y is one) for simplicity. _{こ と が 1 ≦ i ≦ n} (X _i × Y _i ) can be obtained by performing the same calculation and information exchange for CA _1i and CB _1i (i = 1, 2, 3,... N). it can.
The negotiation secret information acquisition processing unit 162 of the institution P1 obtains ObjectX including the operation conversion input InputX, the operation conversion output OutputX, and Type (in FIG. 10, information indicating that the multiplication that is operation A is converted to the addition that is operation B). , Is set as negotiation secret information SecretX [Id] and stored in the storage unit 130.
Similarly, in the negotiation secret information acquisition processing unit 162 of the institution P2, the operation conversion input InputY, the operation conversion output OutputY, and the type of the operation conversion process (in FIG. 10, the multiplication that is the operation A is converted to the addition that is the operation B) ObjectY including the information to be processed is set as negotiation secret information SecretY [Id] and stored in the storage unit 130.
Note that Id in the negotiation secret information SecretX [Id] and the negotiation secret information SecretY [Id] are set to the same number.

As described above, the operation A (X × Y) using the secret data X and Y held by the institution P1 and the institution P2 by the division multiplication addition operation conversion method, the ElGamal multiplication addition operation conversion method, and the Paillier multiplication addition operation conversion method A method has been described in which a plurality of inputs OutputX and OutputY for the operation B (OutputX + OutputY) that can obtain the same result as when they are performed are concealed. However, it is also possible to execute an operation conversion combining these methods. Of course.
That is, for example, at the time of operations on secret data X ₁ and secret data Y ₁ performs arithmetic conversion by Paillier multiply-add arithmetic transformation method, the secret data _{X 2, X 3, X 4} , and ..., secret data Y _2, Y At the time of the operation relating to ₃ , Y ₄ ,..., Any combination such as performing operation conversion by a division multiplication addition operation conversion method is possible.

As described above, in the first embodiment, the division addition multiplication operation conversion method, the ElGamal addition multiplication operation conversion method, the Paillier addition multiplication operation conversion method, and the division described in FIG. 5, FIG. 6, FIG. 7, FIG. The institution P1 and the institution P2 respectively hold by a multiplication addition operation conversion method, an ElGamal multiplication addition operation conversion method, and a Paillier multiplication addition operation conversion method (hereinafter, these may be abbreviated as a protocol type PType or PType). OutputX to another operation B (OutputX × OutputY or OutputX + OutputY) that can obtain the same result as the result of performing operation A (X + Y or X × Y) with the input secret data X and secret data Y , And OutputY are confidentially calculated and returned to the respective organizations as confidential outputs, so that it is possible to obtain the desired operation result in a state where the confidential data X and the confidential data Y are concealed, but there is one problem.
That is, in each of the operation conversion methods, in the operation processing in the confidential operation conversion unit 161 in the institution P1 and the institution P2, “power calculation” with a large operation load is performed, and the secret vector X and the secret vector Y to be operated are used. When the dimension n of becomes large, the calculation load increases, and the operation speed of the entire system decreases.

(Embodiment 2 of the present invention)
In order to solve the above problems, in the second embodiment of the present invention, the division addition multiplication operation conversion method and the ElGamal addition multiplication operation conversion described in FIGS. 5, 6, 7, 8, 9, and 10 are described. , A Paillier addition multiplication operation conversion method, a division multiplication addition operation conversion method, an ElGamal multiplication addition operation conversion method, and a Paillier multiplication addition operation conversion method, which are excellent in confidentiality but have a large calculation load. , A secret calculation conversion process that balances the confidentiality of the whole system and the calculation load by combining the calculation method of performing a calculation with a small calculation load using the highly confidential negotiation secret information stored in the storage unit 130 during the calculation of Execute

  FIG. 11 shows an outline of a data processing procedure in the arithmetic processing unit 160 according to the second embodiment, which is largely described as a confidential operation conversion process (hereinafter sometimes abbreviated as S1000) in the confidential operation conversion processing unit 161. ), And subsequent negotiation information acquisition processing (hereinafter sometimes abbreviated as S2000) in the negotiation secret information acquisition processing unit 162.

FIG. 12 is a flowchart showing an outline of the processing procedure S1000 in the concealment operation conversion unit processing 161. The concealment operation conversion processing unit 161 receives the “notification of start of concealment operation conversion processing” from the operation unit 140 and returns to S1100. In S1200, based on the value of the variable Negotiation previously stored in the storage unit 130, it is determined whether or not to perform an arithmetic process using the negotiation secret information. ) Or negotiation secret information no-operation conversion processing (S1400) to be described later.

FIG. 13 shows details of the negotiation secret information use designation process in S1100.
Hereinafter, for the sake of simplicity, only the processing operation of the engine P1 will be described, and the description of the same processing operation of the engine P2 as the engine P1 may be omitted.
In the following description, the operation conversion input InputX and the operation conversion input InputY stored in the storage unit 130 may be abbreviated as InputX and InputY, respectively.
In S1110, the secret data X, Type, the value of the variable Negotiation indicating whether or not to use negotiation secret information, and the value of PType (the value of PType is determined in advance by the division addition multiplication operation conversion method or the division multiplication method). PType = 1 for addition operation conversion method, PType = 2 for ElGamal addition / multiplication operation conversion method or ElGamal multiplication / addition operation conversion method, PType = 3 for Paillier addition / multiplication operation conversion method Is set from the storage unit 130, and it is determined in S1120 whether the value of Negotiation is 1 or not. If Negotiation is 1, it is determined that the operation uses the negotiation secret information, the negotiation secret information Id is read from the storage unit 130, and the negotiation secret information SecretX [Id] (= (operation conversion input InputX, operation Conversion output (OutputX, Type)) is also read, and the Type is set to S_type. In S1140, it is determined whether or not the Type (that is, S_type) of the negotiation secret information in SecretX [Id] and the Type, which is the type of the negotiation secret information to be used in the operation, match, and the two match. In this case, InputX is substituted for the first negotiation information Secret_In_X and OutputX is substituted for the second negotiation information Secret_Out_X in S1150. If they do not match, in S1160, OutputX is substituted for the first negotiation information Secret_In_X and InputX is substituted for the second negotiation information Secret_Out_X.
If the negotiation is not 1 in S1120, it is determined that the calculation does not use the negotiation secret information, and the process returns to S1200 (FIG. 12), and the negotiation secret information no-operation conversion process is performed in S1400.

FIG. 14 shows a pre-processing procedure of the negotiation secret information existence operation conversion processing in S1300 when the variable Negotiation is 1 in S1200.
In S1300, the secret data X, the first negotiation secret information Secret_In_X, the second negotiation secret information Scret_Out_X, and the operation conversion type are input, and the operation conversion result OutputX is calculated. In S1310, the operation conversion is conversion from multiplication to addition, A Type value indicating whether the conversion is from addition to multiplication is determined. If the value of Type is 1, the negotiation secret multiplication addition multiplication processing (S1320) is performed. If not, the negotiation secret multiplication addition multiplication conversion is performed. Proceed to processing (S1330).
After the calculation processing in S1320 or S1330, the process proceeds to S1340.

Referring to FIG. 15, as an example, using the negotiation secret information obtained when the operation A is (X × Y) and the operation B is (OutputX + OutputY), the Type value is 1, and the same operation conversion method is used. The procedure of the arithmetic processing in S1320 for performing the multiplication-addition conversion processing of the negotiation secret information in which a certain arithmetic A is (X × Y) and an arithmetic B is (OutputX + OutputY) is shown.
Using the secret data X of the institution P1 and the first negotiation secret information Secret_In_X stored in the storage unit 130, the confidential operation conversion unit 161 creates a CA represented by (Equation 39) and sends it to the institution P2. .
CA = X + Secret_In_X (39)
Similarly, the concealment operation conversion unit 161 of the institution P2 creates a CB represented by (Equation 40) using its own secret data Y and the first negotiation secret information Secret_In_Y stored in the storage unit 130, and Send to P1.
CB = Y + Secret_In_Y (40)
Thereafter, the institution P1 and the institution P2 calculate the secret outputs OutputX and OutputY represented by (Equation 41) and (Equation 42), respectively.
OutputX = CB ・ X + Secret_Out_X
(= (Y + Secret_In_Y) × X + Secret_Out_X)
(= X ・ Y + X ・ Secret_In_Y + Secret_Out_X)
≡ Φ (41)
OutputY = −CA × Secret_In_Y + Secret_Out_Y
(= − (X + Secret_In_X) × Secret_In_Y + Secret_Out_Y)
(= −X ・ Secret_In_Y−Secret_In_X ・ Secret_In_Y + Secret_Out_Y)
≡ Ψ (42)
In (Equation 39), (Equation 40), (Equation 41), and (Equation 42), Secret_In_X and Secret_Out_X are secret information of the institution P1, and Secret_In_Y and Secret_Out_Y are secret information of the institution P2. 26), the relationship of (Expression 43) holds.
Secret_In_X ・ Secret_In_Y = Secret_Out_X + Secret_Out_Y (43)
As can be seen from (Equation 41), (Equation 42), and (Equation 43), the relationship shown in (Equation 44) holds for the secret output OutputX, the secret output OutputY, the secret data X, and the secret data Y, It can be seen that the conversion from multiplication to addition is simply performed using the negotiation secret information.
X x Y = OutputX + OutputY (44)

FIG. 15 shows, as an example, the case where operation A is (X × Y) and operation B is (OutputX + OutputY). In the description above, the multiplication-addition conversion process with the negotiation secret information in which the operation B is (OutputX + OutputY) is performed, but the value of Type is ≠ 1, the operation A is (X + Y), and the operation B is (OutputX × OutputY). It is also possible to use the negotiation secret information acquired in a certain case and perform a multiplication-addition conversion process of the negotiation secret information in which the operation A, which is different from the operation conversion method, is (X × Y) and the operation B is (OutputX + OutputY). is there.
In this case, as described above, assuming that Secret_In_X = OutputX, Secret_Out_X = X, Secret_In_Y = OutputY, Secret_Out_Y = Y, and performing the operations corresponding to (Expression 39) to (Expression 42), the operation A becomes (X + Y), When the operation B is (OutputX × OutputY), the relation of Secret_In_X + Secret_In_Y = Secret_Out_X × Secret_Out_Y is satisfied, and thus (Equation 44) is similarly obtained.

Referring to FIG. 16, as an example, the same operation conversion method is performed using the negotiation secret information acquired when Operation A is (X + Y) and Operation B is (OutputX × OutputY) where the Type value is ≠ 1. This shows the procedure of the arithmetic processing in S1330 which performs the negotiation secret information addition multiplication conversion processing in which the arithmetic A is (X + Y) and the arithmetic B is (OutputX × OutputY).
Using the secret data X of the institution P1 and the first negotiation secret information Secret_In_X and Secret_Out_X stored in the storage unit 130, the confidential operation conversion unit 161 creates a CA represented by (Equation 45) and uses the institution P2. Send to
CA = (X-Secret_In_X) / (Secrt_Out_X) (45)
Similarly, the concealment operation conversion unit 161 of the institution P2 creates a CB represented by (Equation 46) using its own secret data Y and the first negotiation secret information Secret_In_Y and Secret_Out_Y stored in the storage unit 130. , Sent to institution P1.
CB = (Y-Secret_In_Y) / (CA + Secret_Out_Y) (46)
Thereafter, the institution P1 and the institution P2 calculate the secret output OutputX and the secret output OutputY represented by (Equation 47) and (Equation 48), respectively.
OutputX = CB + Secret_Out_X
(= (Y−Secret_In_Y) / Ψ + Secret_Out_X)
≡ Φ (47)
OutputY = CA + Secret_Out_Y
(= − (X + Secret_In_X) × Secret_In_Y + Secret_Out_Y)
(= (X-Secret_In_X) / Secret_Out_X + Secret_Out_Y)
≡ ４８ (48)
In (Equation 45), (Equation 46), (Equation 47), and (Equation 48), Secret_In_X and Secret_Out_X are secret information of the institution P1, and Secret_In_Y and Secret_Out_Y are secret information of the institution P2. As can be seen from 7), the relationship of (Equation 49) holds.
Secret_In_X + Secret_In_Y = Scret_Out_X ・ Secret_Out_Y (49)
As can be seen from (Equation 47), (Equation 48), and (Equation 49), the secret output OutputX, OutputY, secret data X, and secret data Y have the relationship shown in (Equation 50). It can be seen that the conversion to multiplication is performed simply using the negotiation secret information.
X + Y = OutputX x OtputY (50)

FIG. 16 shows an example in which, when the operation A is (X + Y) and the operation B is (OutputX × OutputY), the obtained negotiation secret information is used, and the operation A, which is the same operation conversion system as the operation, is (X + Y). The case where the operation conversion in which B is (OutputX × OutputY) is performed has been described, but the negotiation secret obtained when the operation A is (X × Y) and the operation B is (OutputX + OutputY) in which the value of Type is 1 is Using the information, it is also possible to perform the negotiation secret information addition-addition multiplication conversion processing in which the operation A, which is different from the operation conversion method, is (X + Y) and the operation B is (OutputX × OutputY).
In this case, as described above, assuming that Secret_In_X = OutputX, Secret_Out_X = X, Secret_In_Y = OutputY, and Secret_Out_Y = Y, the operations corresponding to (Expression 45) to (Expression 48) are performed, whereby the operation A becomes (X × Y ), And when the operation B is (OutputX + OutputY), the relation (Secret_In_X × Secret_In_Y = Secret_Out_X + Secret_Out_Y) holds, so that (Equation 50) is similarly obtained.

In S1340, the confidential calculation conversion unit 161 of the institution P1 and the confidential calculation conversion unit 161 of the institution P2 respectively use the secret data X and the secret data Y used for the calculation, the secret output OutputX calculated in S1320 or S1330, and the secret output OutpuY. Are stored in its own storage unit 130 as an operation conversion input InputX, an operation conversion input InputY, an operation conversion output OutputX, and an operation conversion output OutputY, respectively, and the operation conversion processing with negotiation secret information is completed.

  As can be understood from the above description, in the conversion process with negotiation secret information, the negotiation secret information stored in the storage unit 130 is used to perform the divisional addition multiplication operation conversion method requiring a power operation and having a large calculation load. Compared with the ElGamal addition multiplication operation conversion method, the Paillier addition multiplication operation conversion method, the division multiplication addition operation conversion method, the ElGamal multiplication addition operation conversion method, and the simple addition / subtraction multiplication / division operation with a small calculation load compared to the Paillier multiplication addition operation conversion method, The result of the operation A (X × Y, X + Y) on the secret data X and the secret data Y is obtained.

From the above description, the first negotiation secret information Secret_In_X, the first negotiation secret information Secret_In_Y, and the second negotiation secret information Secret_Out_X, which are negotiation secret information used in the negotiation secret information addition / multiplication addition conversion process or the negotiation secret information addition / multiplication conversion process. The second negotiation secret information Secret_Out_Y can be said to be dummy data for maintaining the confidentiality of the operation, and does not affect the actual operation result.
Therefore, the first negotiation secret information Secret_In_X, the first negotiation secret information Secret_In_Y, the second negotiation secret information Secret_Out_X, and the second negotiation are negotiation secret information used in the negotiation secret information multiplication-addition conversion process or the negotiation secret information addition-multiplication conversion process. Acquisition of secret information Secret_Out_Y does not need to be performed using the actual secret data X and secret data Y held by the institution P1 and the institution P2. Prior to the actual operation, the division addition multiplication operation conversion method, ElGamal addition multiplication operation conversion method, Paillier addition multiplication operation conversion method, division multiplication addition operation conversion method, ElGamal multiplication addition operation conversion method, Paillier multiplication addition operation conversion method, etc. It is also possible to acquire using dummy data.

FIG. 17 shows details of the negotiation secret information no-operation conversion processing in S1400 when the variable Negotiation is not 1 in S1200.
If the value of the operation conversion type variable Type stored in each storage unit 130 is 1, the confidential operation conversion units 161 of the institutions P1 and P2 proceed to S1420 and perform negotiation secret information non-multiplication addition conversion processing with the partner organization. Cooperate and execute. If the value of Type is not 1, both confidential operation conversion units 161 proceed to S1430 and proceed to negotiation secret information non-addition multiplication conversion processing.
After the calculation processing in S1420 or S1430, the process proceeds to S1440.

FIG. 18 shows an outline of the processing procedure in S1420, and shows a procedure for determining which PType is used when performing the negotiation secret information no-multiplication addition conversion processing. In step S1421, the value of PType is determined. If PType = 1, the division multiplication addition operation conversion method is used.If PType = 2, the ElGamal multiplication addition operation conversion method is used.If PType = 3, the Paillier multiplication addition operation conversion method is used. Is used.
The institution P1 and the institution P2 cooperate to obtain the secret outputs OutputX and OutputY satisfying (Equation 51) by the designated arithmetic conversion method.
OuputX + OutputY = X × Y (51)

FIG. 19 shows an outline of the processing procedure in S1430, and shows a procedure for determining which PType to use when performing the negotiation secret information non-addition multiplication conversion processing. In S1421, the value of PType is determined.If PType = 1, the division addition multiplication operation conversion method is used.If PType = 2, the ElGamal addition multiplication operation conversion method is used.If PType = 3, the Paillier addition multiplication operation conversion method is used. Used.
The institution P1 and the institution P2 cooperate to obtain secret outputs OutputX and OutputY satisfying (Equation 52) by a designated operation conversion method.
OutputX × OutputY = X + Y (52)

In S1440, the confidential calculation conversion unit 161 of the institution P1 and the confidential calculation conversion unit 161 of the institution P2 output the secret data X, the secret data Y, and the OutputX and OutoutY calculated in S1420 or S1430 used in the calculation in S1420 or S1430, respectively. They are stored in their own storage unit 130 as the operation conversion input InputX, the operation conversion input InputY, the operation conversion output OutputX, and the operation conversion output OutputY, respectively, and complete the negotiation secret information no operation conversion process in which the negotiation value is ≠ 1. .

Here, the reason for preparing two types of processing, ie, the negotiation secret information operation conversion processing and the negotiation secret information non-operation conversion processing will be described. In the negotiation confidential information operation conversion protocol shown in FIGS. 15 and 16, the confidential operation conversion process can calculate the secret outputs OupyX and OutputY by applying only the operations with small calculation costs of addition, multiplication, and division. . The confidentiality of the calculation of the negotiation secret information operation conversion protocol depends on the confidentiality of the negotiation secret information, and if negotiation secret information with high confidentiality can be used, the confidentiality of the calculation can be guaranteed.
Negotiation secret information no-operation conversion protocol such as ElGamal addition / multiplication operation conversion method, Paillier addition / multiplication operation conversion method, Paillier multiplication / addition operation conversion method shown in FIGS. 6, 7, 9 and 10 In this method, confidential calculation conversion processing is performed using a public key, and a power calculation using a secret input is required. Thus, it is possible to obtain highly airtight negotiation secret information with high calculation cost.
Therefore, by combining the two types of processing, that is, creating negotiation secret information with high confidentiality by negotiation secret information no operation conversion, and performing negotiation secret information operation conversion using the information. In addition, it is possible to perform arithmetic conversion using a secret input at high speed and with high secrecy.

Next, S2000, which is a procedure for acquiring and updating negotiation secret information in the negotiation secret information acquisition unit 162, will be described in detail with reference to FIG.
When the process of S1000 in the confidential operation conversion unit 161 is completed, the negotiation secret information acquisition unit 162 starts the negotiation secret information acquisition process of S2000.
In step S2100, in cooperation with the data processing apparatus 100 of the partner organization, the secret output set (operation conversion input InputX, operation conversion output OutputX, Type) created in step S1000 is later sorted by index and used as secret information. Set an index on Id. Also, it is determined whether to combine the new negotiation secret information with the old negotiation secret information, and set the variable Combine.
Here, Combine = 1 if the created secret information is combined with other negotiation secret information, and Combine = 0 otherwise.

Next, in S2200, the negotiation secret information SecretX [Id having information including an operation conversion input InputX which is an input of the confidential operation conversion process in S1000, an operation conversion output OutputX which is an output, and an operation conversion type Type as a common index Id is provided. ] Is stored in the storage unit 130. Similarly, the institution P2 stores the operation conversion input InputY, which is an input of the confidential operation conversion process, the operation conversion output OutputY, which is the output, and the negotiation secret information SecretY [Id] having, as a common index Id, information including the operation conversion type Type. 130.

Next, in S2300, it is determined whether or not the variable Combine is 0. If the variable is 0, the negotiation secret information acquisition process is ended. If the combine is 1, the process proceeds to S2400.

Next, in S2400, an index Id_Old to be combined with other information is determined by communicating with the institution P2.
Further, in S2500, the negotiation secret acquisition unit 162 of the institution P1 reads the old negotiation secret information SecretX [Id_Old] having the index Id_Old from the storage unit 130, and the negotiation secret acquisition unit 162 of the institution P2 uses the old negotiation secret information SecretY [Id_Old]. From the storage unit 130.

Next, in S2600, new negotiation secret information is created using SecretX [Id] and SecretX [Id_Old] as inputs. Execute the negotiation secret information update process, receive InputX, OutputX, and Type as outputs, and return to S2100.

FIG. 21 shows details of the negotiation secret information exchange processing in S2600.
In S2600, it is first determined in S2610 whether the Type of the secret information is 1 indicating conversion from multiplication to addition. If Type is 1, in S2620, the institution P1 inputs SecretX [Id to InputX and OutputX, respectively. ] .InputX, SecretX [Id] .OutputX are set. Otherwise, in Step S2630, SecretX “Id” .Output and SecretX [Id] .InputX are set in InputX and OutputX, respectively. In the case of the institution P2, InputY and OutputY are similarly set.

In S2640, S2650, and S2660, as in S2610, S2620, and S2630, values are read from the existing negotiation secret information SecretX [Id_Old] and SecretY [Id_Old], and values are set in O_InputX, O_OutputX, O_InputY, and O_OutputY.
The institution P2 similarly sets values in O_InputX, O_OutputX, O_InputY, and O_OutputY.

Next, in S2670, the negotiation secret information acquisition unit 162 of the institution P1 determines whether InputX and O_InputX are equal, and sets 1 to CombineX if they are equal, and otherwise sets 0. Similarly, the negotiation secret information acquisition unit 162 of the institution P2 determines whether InputY and O_InputY are equal, and sets Combine to 1 if they are equal, and 0 otherwise.

When the inputs InputX and O_InputX of the multiplication transform of the two negotiation secret information are equal, the two conditions of InputX × InputY = OutputX + OutputY and O_InputX × O_InputY = O_OutputX + O_OutputY hold, and (Equation 53) holds.
Since InputX × (InputY + O_IputY) = OutputX + OutputY + O_OutputX + O_OutputY (53), the institution P1 can use InputX, OutputX + O_OutputX, Type = 1 as new secret information, and the institution P2 can use InputY + O_InpuY, OutputY + O_OutputY, Type = 1 as new secret information.

The creation of the new secret information as described above is performed by either S2691 or S2692 after being classified according to the combination of CombineX and CombineY of S2690. The above creation example corresponds to S2691.

After the negotiation secret information update process is completed, the negotiation secret information acquisition unit 162 returns to S2100 of the negotiation secret information acquisition process to store new secret information, and stores the secret information as negotiation secret information and further updates the negotiation secret information. Execute.

According to the present embodiment, by combining two types of operation conversion processing, the secret data X and the secret data Y can be subjected to low-cost operations, such as four arithmetic operations, to achieve confidentiality. It is possible to perform high operation conversion, and to create fairly meaningful secret information.

Furthermore, by performing the conversion of the basic operations of multiplication and addition and addition and multiplication, it is possible to create new secret information with excellent confidentiality by combining the obtained secret information by addition. It is also possible to improve the confidentiality of information.

Thus, the method of the present embodiment differs from the conventional confidential calculation method in that information having meaning agreed by both parties is fairly created as negotiation secret information, and confidentiality similar to that of the public key cryptosystem is used. This is an efficient method of creating the data without using exponentiation while maintaining

(Embodiment 3 of the present invention)
In the arithmetic conversion method according to the first embodiment, “exponentiation calculation” with a large arithmetic load is performed in the arithmetic processing in the confidential arithmetic conversion unit 161 in the engines P1 and P2. Further, there is a problem that the exponentiation calculation cannot be executed unless the secret data X and Y are determined. In the third embodiment of the present invention, in the division addition multiplication operation conversion method and the division multiplication addition operation conversion method shown in FIGS. 5 and 8, all the operations to be executed after the secret data X and Y are determined are performed with a small calculation load. A two-stage negotiation secret information no-operation conversion process of "addition, subtraction, multiplication and division" is executed.

FIG. 22 shows an outline of the two-stage negotiation secret information no-operation conversion process in the division addition multiplication conversion method. In the two-step negotiation secret information no-operation conversion process, each institution calculates and exchanges information that can be exchanged before the secret data X and Y are determined as input pre-processing, and calculates and exchanges information that depends on the secret data X and Y. Exchange is performed after secret data X and Y are determined. By employing the above two-stage method, all exponentiation operations in the division addition multiplication operation conversion method described with reference to FIG. 5 can be performed as pre-input calculations, and post-input calculations are only addition, subtraction, multiplication and division operations. By making the pre-input calculation offline processing, the online processing time performed after the input determination can be significantly reduced.

In the two-step negotiation secret information non-addition multiplication operation conversion process, the operation conversion process is performed in two stages of pre-input calculation and post-input calculation. In FIG. 22, the institution P1 calculates CA ₁ , CA ₂ , CA ₃ , and DA ₃ shown in (Equation 53) and (Equation 54) as preprocessing before the secret data X is determined, and sends it to the institution P2. Send. Here, unlike the division addition multiplication operation conversion method described with reference to FIG. 5, transmission of DA ₁ and DA ₂ is not performed at this stage.
(CA ₁ , CA ₂ , CA ₃ ) = (α ₁ KA ₁ , α ₃ KA ₁ , g ^γ1 ) (53)
DA ₃ = g ^γ2 (54)
Here, α ₁ , α ₃ , γ ₁ , γ ₂ are random numbers known only to the institution P1, g is a primitive element known to the institution P1 and the institution P2, x is a secret key known only to the institution P1, and KA ₁ , KA ₂ is a value that can be expressed as KA ₁ = Z ^γ1 and KA ₂ = Z ^γ2 using the public key Z (= g ^x ) and the random numbers γ ₁ and γ _2, and is stored in the storage unit 130 of the institution P 1 in advance. I have.
_{CA 1, CA 2, CA 3} , DA 3 institutions receiving the P2 is CA _3, two random division DA ₃ and itself has been determined (N _1, N _2), a random number parameter β _1, ··· β _{(| N1 | -1), θ 1,} ···, θ (| N2 | -1), λ 1, ···, using lambda] n, (wherein 55), CB ₁ represented by the formula (56), ... , CB _(n-2) and DB ₁ ,..., DB _n and transmit them to the institution P1. Here, unlike the division addition multiplication operation conversion method described with reference to FIG. 5, at this stage, CB _(n-1) and CB _n are not transmitted.
CBi = β _{# 1 (i)} Z ^λi (if i∈N _1- {n-1, n}), θ _{# 2 (i)} Z ^λi (if i∈N ₂ ) (55)
DBi = Z ^λi CA ₃ (if i∈N ₁ ), Z ^λi DA ₃ (if i∈N ₂ ) (56)
Here, # 1 (i) denotes the order of appearance when the number i is listed increasing order of elements in the set N _1, and the order having the same defined for the set N ₂ also # 2 (i). The parameters β ₁ ,..., Β _{(| N1 | -1)} , θ ₁ ,..., Θ _{(| N2 | -1)} may be random numbers completely selected by the institution P2.
The institution P1 that has received the ciphertext sequence (CB ₁ ,..., CB _(n−2) ) and (DB ₁ ,..., DB _n ) from the institution P2 becomes (Equation 57), (Equation 58), and (Equation 59). ), Three parameters EA ₁ , FA ₁ and FA ₂ are calculated.
EA ₁ = Σ _{1 ≦ i ≦ n-2} CBi DBi ^-x (57)
FA ₁ = DB _(n-1) ^-x (58)
FA ₂ = DB _n ^-x (59)
The calculations performed by the institutions P1 and P2 and the information exchange are referred to as pre-input calculations.

When the secret input data X is determined at the institution P1, the institution P1 determines the random numbers X ₁ and X ₂ (here, X ₁ / X ₂ = X) determined from the secret input data, and the random number parameters used in the previous pre-input calculation. Using α ₁ and α ₃ , calculation is performed as α ₂ = X ₁ −α ₁ , α ₄ = X ₂ −α ₂ , and DA ₁ = α ₂ KA ₂ , DA ₂ = α ₄ KA ₂ and ciphertext DA _1, the DA ₂ calculates and transmits the DA _1, DA ₂ institutional P2.
Received from engine P1 ciphertext DA _1, DA _2, engine P2 secret input data Y has determined its own random number Y _1, Y ₂ (where, Y ₂ / Y ₁ = Y) selected from Y from, An internal calculation of と い う B ₁ = CA ₁ Y ₁ + CA ₂ Y ₂ , ΓB ₂ = DA ₁ Y ₁ + DA ₂ Y ₂ is performed, and values of the parameters ΓB ₁ , ΓB ₂ are obtained. Further, using the values of ΓB ₁ and ΓB _2, the value of the parameter β _{| N1 |} is calculated by β _{| N1 |} = ΓB ₁ −Σ _{1 ≦ i ≦ | N1 | -1} βi, and θ _{| N2 |} = ΓB ₂ −値_{1 ≦ i ≦ | N2 | −1} The value of the parameter θ _{| N2 |} is calculated based on θi. Parameter _{β | N1 |, θ | N2} | CB (n-1) from the ciphertext _{CB n-1 CB n-1} = β | | N1 ' , the ciphertext _{CB n CB n = θ | N2} | CBn' And transmits (CB _n−1 , CB _n ) to the institution P2.
The institution P1 that has received (CB _n−1 , CB _n ) from the institution P2 calculates the secret output Φ by (Equation 60) using the values EA ₁ , FA ₁ and FA ₂ obtained in the input pre-calculation. .
Φ = (EA ₁ + CB _(n-1) FA ₁ + CB ₂ FA ₂ ) / X ₂ (60)
The institution P2 calculates the secret output Ψ represented by (Equation 61), and the institutions P1 and P2 exchange the secret output Φ and the secret output Ψ. (X + Y) can be obtained.
Ψ = 1 / Y ₁ (61)
Φ × Ψ = (X ₁ Y ₁ + X ₂ Y ² ) / (X ₂ Y ₁ )
= X1 / X2 + Y2 / Y1
= X + Y (62)

FIG. 23 shows an outline of the two-stage negotiation secret information no-operation conversion process in the division multiplication addition conversion method. The pre-input calculation is the same as the two-stage negotiation secret information non-addition multiplication conversion processing of FIG.
Hereinafter, the processing after the secret input data is determined will be described.

When the secret input data X is determined by the institution P1, the institution P1 uses the secret input data and the random number parameters α ₁ and α ₃ used in the previous input pre-calculation to obtain α ₂ = X−α ₁ , α ₄ = &#8722; 1−α ₂ , calculate DA ₁ = α ₂ KA ₂ , DA ₂ = α ₄ KA ₂ , calculate ciphertexts DA ₁ , DA ₂ , and transmit DA ₁ , DA ₂ to agency P ₂ .
Received from engine P1 ciphertext DA _1, DA _2, engine P2 secret input data Y has determined itself than the random number [psi _{selected, ΓB 1 = CA 1 Y +} CA 2 Ψ, ΓB 2 = DA 1 Y + An internal calculation called DA ₂行 い is performed to obtain values of parameters ΓB ₁ and ΓB ₂ . Further, using the values of ΓB ₁ and ΓB _2, the value of the parameter β _{| N1 |} is calculated by β _{| N1 |} = ΓB ₁ −Σ _{1 ≦ i ≦ | N1 | -1} βi, and θ _{| N2 |} = ΓB ₂ −値_{1 ≦ i ≦ | N2 | −1} The value of the parameter θ _{| N2 |} is calculated based on θi. Parameter _{β | N1 |, θ | N2} | CB (n-1) from the ciphertext _{CB n-1 CB n-1} = β | | N1 ' , the ciphertext _{CB n CB n = θ | N2} | CBn' And transmits (CB _n−1 , CB _n ) to the institution P2.
The institution P1 that has received (CB _n−1 , CB _n ) from the institution P2 calculates the secret output Φ by (Equation 63) using the values EA ₁ , FA ₁ and FA ₂ obtained in the input pre-calculation. .
Φ = (EA ₁ + CB _(n-1) FA ₁ + CB ₂ FA ₂ ) (63)
The institution P2 selects the secret output と し て as a random number, and the institutions P1 and P2 exchange the secret output Φ and the secret output Ψ to obtain the calculation result (X × Y) as can be seen from (Equation 64). Can be obtained.
Φ + Ψ = (X × Y &#8212; 1 × Ψ) + Ψ
= X x Y (64)

The above-mentioned post-input calculations performed after the secret input data X and Y are determined by the institutions P1 and P2 are only addition, subtraction, multiplication and division, and do not require exponentiation, so that online calculations can be performed at high speed. it can. The feature that all the exponentiation calculations are completed before the input is determined by the above-described two-step negotiation secret information no-operation conversion processing is characterized by the ElGamal addition / multiplication operation conversion method other than the division addition / multiplication operation conversion method in the first embodiment. Method, Paillier addition multiplication operation conversion method, ElGamal multiplication addition operation conversion method, and Paillier multiplication addition operation conversion method cannot be utilized. This is because both the ElGamal encryption method and the Paillier encryption method require exponentiation using the secret inputs X and Y as exponents. On the other hand, in the operation conversion method by division, the exponent part of the exponentiation calculation is a value that does not depend on a secret input such as a random number or a secret key, and such a calculation process before input determination is possible.

Here, the confidentiality of the two-step negotiation secret information no-operation conversion method will be considered. The confidentiality of the institution P1 is set to any value so that if the CA ₃ and DA ₃ are not disclosed in public key cryptography, the ciphertext of the given CA ₁ , CA ₂ , DA ₁ and DA ₂ can be obtained. KA ₁ and KA ₂ can be selected for the value of the secret input X. Therefore, if only CA ₁ , CA ₂ , DA ₁ , and DA ₂ , no information on the secret input X of the institution P 1 is leaked, and information on KA ₁ , KA ₂ by CA ₃ , DA ₃ is transmitted to the institution P ₂ It is the information of the institution P1 disclosed in. The problem of estimating KA ₁ and KA ₂ from CA ₃ and DA ₃ cannot be solved when it is assumed that the Diffie-Hellman calculation problem which is estimated to be simpler than the discrete logarithm problem cannot be solved. If the above assumption is true, confidentiality of secret information input data X is the ratio of X ₁ and X ₂ are protected.

On the other hand, if ΓB ₁ and ΓB ₂ are known for the engine P2, the values of Y ₁ and Y ₂ can be derived to the engine P1 by obtaining the solution of the simultaneous equations, and Y becomes clear. However, in the division method, ΓB ₁ and ΓB ₂ are divided into | N ₁ | + | N ₂ | and are ambiguous by the random number λi. _A real combination must be selected from 2 ^{n -1} different combinations of _i (1 ≦ i ≦ n) created using CA ₃ or DA ₃ . Therefore, the probability that the institution P1 can accurately infer the information of Y of the institution P2 is a larger value of 2− ^{(n + 1)} or the reciprocal p− ¹ of the prime number p used in the remainder operation.

(Embodiment 4 of the present invention)
In the first, second, and third embodiments, the arithmetic conversion for changing from multiplication to addition and from addition to multiplication has been described. In the fourth embodiment, a secret multiplication operation conversion method in which both the base and the exponent are changed by both the institutions P1 and P2 is realized by combining operation conversions that change from multiplication to addition and addition to multiplication. In the present embodiment, when the secret input of the institution P1 is a secret input X for the base and a secret input A for the exponent, and the secret input of the institution P2 is a secret input Y for the base and a secret input B for the exponent, (X + Y) ^AB , (X + Y) ^{(A + B)} , (X × Y) ^AB , (X × Y) ^A secret output OutputX, OutputY that can be calculated as a value equivalent to a power calculation that can be expressed in the form ^{(A + B)} By exchanging the outputs as the outputs of the respective institutions P1 and P2, secret exponentiation operation conversion is realized.

First, an outline of a secret exponentiation operation conversion method will be described with reference to FIG. 23, taking a multiplication operation that can be expressed in the form of (X + Y) ^AB as an example.
First, in order to calculate while keeping the base secret, the institutions P1 and P2 cooperate to convert the negotiation secret information no addition multiplication operation conversion method described with reference to FIG. 5 or the negotiation secret information addition multiplication operation conversion described in FIG. The addition and multiplication conversion is performed by the method, and intermediate secret outputs Φ and よ う な such that X + Y = Φ × Ψ are obtained by both the institutions P1 and P2. Thereafter, at each engine P1, engine P2, obtained intermediate secret output [Phi, each secret exponent A in [psi, to power the ^{B, FA = Φ A, FB} = Ψ B becomes ciphertext FA, FB respectively. Next, the institutions P1 and P2 exchange ciphertexts FA and FB, and the agency P1 inputs the secret exponent A to the FB and the agency P2 inputs the value obtained by exponentiating the FA to the secret exponent B. The secret outputs OutputX and OutputY are obtained by performing multiplication and addition conversion by the negotiation secret information non-multiplication addition operation conversion method described with reference to FIG. 8 or the negotiation secret information multiplication addition conversion method described with reference to FIG. Get each.
By exchanging the secret outputs OutputX and OutputY between the institutions P1 and P2, (X + Y) ^AB can be obtained from (Equation 63).
OutputX + OutputY = FB ^A × FA ^B = Ψ ^BA × Φ ^AB = (Ψ × Φ) ^AB = (X + Y) ^AB (63)
FIG. 23 shows an outline of a protocol when negotiation secret information is present (that is, when negotiation secret information is used).

When confidential calculation is performed using the ElGamal public key cryptosystem or the Paillier public key cryptosystem, addition and subtraction to plaintext corresponds to multiplication relating to ciphertext, and multiplication to plaintext corresponds to multiplication relating to ciphertext. Therefore, the exponentiation of the plaintext cannot be converted into the exponentiation with the base kept secret, and thus cannot be realized by the operation on the ciphertext. Therefore, it is necessary to temporarily decrypt the base during the confidential operation. At this time, if one of the organizations, for example, the organization P1 that provides the public key, knows the bottom (X + Y), only the organization P1 has the value of the secret input data Y related to the bottom of the organization P2. And the confidentiality between the institutions P1 and P2 cannot be kept fair.

In the example shown in FIG. 23, in order to solve the above problem, first, by performing division addition multiplication conversion on the secret bases X and Y of the institutions P1 and P2, fair secret information Φ and Ψ are obtained. , Secret information Φ, Ψ raised to the powers ^A , ^B of the institutions P1, P2 by powers Φ ^A , Ψ ^B are exchanged by the institutions P1, P2, and finally the values Φ ^A , Ψ ^B are exchanged by the institutions P1, P2. Performs the division multiplication and addition conversion on the values Φ ^AB and Ψ ^BA raised to the B or A power, so that the secret exponentiation operation with high confidentiality can be performed while keeping the base and the exponent concealed.

As for the exponentiation operation expressed in the form of (X + Y) ^{(A + B)} , as shown in FIG. 25, in the first stage, the relation of Φ × Ψ = X + Y is obtained by the addition multiplication operation conversion for (X + Y). In a second stage, a second intermediate intermediate output φ, を 満 た す satisfying φ × ψ = A + B is obtained by an addition-multiplication operation conversion on (A + B), Φ ^φ , Ψ ^作成 is created and exchanged from the first and second intermediate outputs in the engines P1, P2, and 、 ^ψφ , Φ ^φΨ created in the engines P1, P2 based on the exchanged Φ ^φ , ^{ψ 、,} (X + Y) ^{(A + B)} can be obtained from (Equation 65) by obtaining OutputX and OutputY satisfying the relationship of (Equation 64) by multiplication and addition operation conversion.
OutputX + OutputY = Ψ ^ψφ × Φ ^φΨ (64)
OutputX + OutputY = Ψ ^ψφ × Φ ^φΨ = (Ψ × Φ) ^φψ = (X + Y) ^{(A + B)} (65)
However, when the operation is performed on the remainder ring modulo the prime number p, the negotiation information addition multiplication conversion of the secret input of the exponent part performed in the second stage is performed on the remainder ring modulo p &#8722; 1. (A is an integer that is not a multiple of p because a ^p-1 ≡ 1 (mod p) according to Fermat's little theorem). Therefore, the secret negotiation information SecretX [ID2] and SecretY [ID2] used in the second step must also be information calculated on the remainder ring modulo p-1. At this time, it should be noted that division may not be accurately calculated because p-1 is not a prime number.

(X × Y) for exponentiation represented by the form of ^AB, the engine P1, P2 in X ^A, and replace by creating a Y ^B, exchanged X ^A, the engine based on Y ^B P1, P2 in Y ^BA, to create the X ^AB, Y ^BA, met by multiply-add arithmetic conversion from X ^AB the relation (equation 66) OutputX, by obtaining the outputY, be obtained (X × Y) ^AB from equation (67) it can.
OutputX + OutputY = Y ^BA × X ^AB (66)
OutputX + OutputY = Y ^BA x X ^AB = (X x Y) ^AB (67)

For the exponentiation operation expressed in the form of (X × Y) ^{(A + B)} , the second step satisfies φ × ψ = A + B by the addition multiplication operation conversion for (A + B) in the first stage. Intermediate outputs φ and ψ are obtained, and the institutions P1 and P2 create and exchange X ^φ and Y ^{か ら} from their secret inputs and the first intermediate output, and based on the exchanged X ^φ and Y ^機関 , the institutions P1 and P2 in created ^Y ψφ, OutputX met by multiply-add arithmetic conversion from X ^Faipusai the relation (equation 68), by obtaining the outputY, can be determined from (equation ^{69) (X × Y) (} a + B) .
OutputX + OutputY = X ^ψφ × Y ^φψ (68)
OutputX + OutputY = Y ^ψφ × X ^φψ = (X × Y) ^ψφ = (X × Y) ^{(A + B)} (69)

  Although the process of converting exponentiation into addition has been described above, exponentiation can be converted into multiplication by setting the input of the multiplication-addition conversion process for obtaining OutputX and OutputY as OutputX and OutputY.

  Further, here, the operation conversion method using the negotiation secret information (that is, the operation conversion method with the negotiation secret information) has been described. However, the input conversion information using the exponentiation calculation described with reference to FIGS. It is needless to say that an operation conversion method without negotiation secret information, which is a method for obtaining the value of?

  According to the present invention, a plurality of inputs to another operation B that can obtain the same result as the result of performing the operation A with the secret data held by a plurality of institutions as inputs are provided at a low calculation cost. By performing the calculation confidentially and returning it as a secret output to each institution, it is possible to obtain the calculation result desired by each institution with the secret data of each institution kept secret.

1 confidential operation conversion system, 100 data processing device, 110 control unit, 120 communication unit,
130 storage unit, 140 operation unit, 150 interface unit, 160 arithmetic processing unit,
161 confidential operation conversion processing unit, 162 negotiation secret information acquisition processing unit, 200 communication line

Claims (21)

The data processing device includes two or more data processing devices, wherein the data processing device includes a secret data storage unit that stores respective secret data, an output data storage unit that stores respective output data, the secret data, the output data, Negotiation secret information storage means for storing, as respective negotiation secret information, an operation conversion method type that specifies a combination of a pre-conversion operation type A to be applied to secret data and a post-conversion operation type B to be applied to the output data. An arithmetic processing unit that receives the secret data as input, cooperates with the other data processing device, and calculates the output data in secret.
The arithmetic processing unit is configured to execute the operation of the pre-conversion operation type A by using the secret data and the secret data stored in the other data processing device as an input, the output data, and the other data processing device. Guarantees that the result when the post-conversion operation type B is performed with the output data of the input as the same,
A confidential operation conversion system, characterized in that:   The confidential operation conversion system according to claim 1, wherein the operation type A before conversion is addition, and the operation type B after conversion is multiplication.   The secret operation conversion system according to claim 1, wherein the operation type A before conversion is multiplication, and the operation type B after conversion is addition.   The confidential calculation conversion system according to claim 1, wherein the first calculation processing means performs a part of the calculation processing in advance before the actual calculation processing.   The arithmetic processing means calculates output data using the secret data and the negotiation secret information stored in the negotiation secret information storage unit as a result of the arithmetic processing performed prior to the arithmetic processing. The confidential operation conversion system according to any one of claims 1 to 3.   6. The confidential operation transcoding system according to claim 5, wherein said negotiation secret information storage means stores the secret data and output data obtained using the negotiation secret information as new negotiation secret information.   The first-stage operation processing means includes an operation process in which the pre-conversion operation type A is addition and the post-conversion operation type B is multiplication, and an operation in which the pre-conversion operation type A is multiplication and the post-conversion operation type B is addition A combination of arithmetic processing and an arithmetic conversion processing in which both the base and exponent are secret data and the pre-conversion operation type A is exponentiation and the post-conversion operation type B is multiplication or addition. 7. The confidential operation conversion system according to any one of 6. A secret data storing step of storing respective secret data; an output data storing step of storing respective output data; a negotiation secret information storing step of storing the negotiation secret information; and In cooperation with the data processing device, according to the operation conversion method type, having an operation processing step of calculating the output data secretly,
The operation processing step is a step of performing the operation of the pre-conversion operation type A by using the secret data and the secret data of another data processing device as inputs, the output data, and the output data of the other data processing device. Ensure that the result of performing the operation of the post-conversion operation type B as an input is the same value,
A confidential operation conversion method, characterized in that:   9. The confidential operation conversion method according to claim 8, wherein the operation type A before conversion is addition, and the operation type B after conversion is multiplication.   The confidential operation conversion method according to claim 8, wherein the operation type A before conversion is multiplication, and the operation type B after conversion is addition.   9. The confidential operation conversion method according to claim 8, wherein in the operation processing step, a part of the operation processing is performed in advance before the actual operation processing.   The arithmetic processing step calculates output data using the secret data and the negotiation secret information stored in the negotiation secret information storage unit as a result of the arithmetic processing performed prior to the arithmetic processing. 11. The method according to claim 8.   The confidential operation conversion method according to claim 12, wherein the negotiation secret information storing step stores the secret data and output data obtained by using the negotiation secret information as new negotiation secret information.   The operation processing step is an operation in which the pre-conversion operation type A is addition and the post-conversion operation type B is multiplication, and the pre-conversion operation type A is multiplication and the post-conversion operation type B is addition. 14. An arithmetic conversion process in which both the base and the exponent are used as secret data in combination with arithmetic processing, wherein the arithmetic type A before conversion is exponentiation and the arithmetic type B after conversion is multiplication or addition. The confidential operation conversion method according to any one of the above. A program used by a computer for processing data in cooperation with another computer, the program comprising: a secret data storing step of storing respective secret data; an output data storing step of storing respective output data; A negotiation secret information storage step of storing information; and an operation processing step of receiving the secret data as input and calculating the output data in secret in accordance with the operation conversion method type in cooperation with another data processing device. And
The arithmetic processing step includes, when the secret data and the secret data of another data processing device are input, the result of performing the operation of the pre-conversion operation type A and the output data and the output data of the data processing device. Ensure that the result of performing the operation of the post-conversion operation type B as an input is the same value,
A confidential operation conversion program, characterized in that:   The confidential operation conversion program according to claim 15, wherein the pre-conversion operation type A is an addition, and the post-conversion operation type B is a multiplication.   The confidential operation conversion program according to claim 15, wherein the pre-conversion operation type A is a multiplication, and the post-conversion operation type B is an addition.   The confidential calculation conversion program according to claim 15, wherein the calculation processing step performs a part of the calculation processing in advance before the actual calculation processing.   The arithmetic processing step, the secret data, using the negotiation secret information stored in the negotiation secret information storage unit as a result of the arithmetic processing performed prior to the arithmetic processing, to calculate the output data confidential, The confidential operation conversion program according to any one of claims 15 to 17.   22. The confidential operation conversion program according to claim 21, wherein the negotiation secret information storing step stores the secret data and output data obtained using the negotiation secret information as new negotiation secret information. The operation processing step is an operation in which the pre-conversion operation type A is addition and the post-conversion operation type B is multiplication, and the pre-conversion operation type A is multiplication and the post-conversion operation type B is addition. 21. An arithmetic conversion process in which both the base and the exponent are used as secret data and the arithmetic type A before conversion is exponentiation and the arithmetic type B after conversion is multiplication or addition in combination with arithmetic processing. The confidential operation conversion program according to any one of the above.