JP2021140299A - Data matching system, information processing apparatus, and data matching method - Google Patents

Abstract

To secure secrecy of personal information in matching using information on a user.SOLUTION: An information processing apparatus 1 requests, when sketching data 21 is identified as a result of matching sketching data 21, 22, 23 and the like stored in a storage unit 3 with reference data 31, to provide a user corresponding to the sketching data 21 with user information 11 corresponding to the user. When receiving agreement operation that agrees to provide the user information 11, a terminal apparatus 2 generates signature data 11a based on the user information 11, and transmits the user information 11 to which the signature data 11a is added to the information processing apparatus 1. When receiving the user information 11 to which the signature data 11a is added, the information processing apparatus 1 performs matching the received user information 11 with the reference data 31 to verify the result of matching using the sketching data 21.SELECTED DRAWING: Figure 1

Description

The present invention relates to a data matching system, an information processing apparatus and a data matching method.

In recent years, with the spread of mobile devices and IoT (Internet of Things) devices, it has become possible to collect various information about users such as user behavior history. Then, it is expected to realize a matching service that extracts users suitable for a specific purpose by using the information collected in this way.

In addition, stochastic data structures are used for analysis and collation using a large amount of data. By using the probabilistic data structure, the size of the target data can be compressed and the processing efficiency can be improved, although the processing result may contain some error for the query related to the target data for analysis or collation.

As a technique using such a probabilistic data structure, for example, an identification system using a probabilistic data structure such as hyperlog has been proposed in order to estimate the degree of coincidence between data in a plurality of data streams. ..

Regarding the technology for selecting and outputting information, for example, an information collection application that collects files and data managed by a file management system and selects and outputs necessary information from the collected items. Proposed. According to this information accumulation application, information about the item specified in the sketch information is output according to the layout specified in the sketch information.

JP-A-2018-506107 Japanese Unexamined Patent Publication No. 2010-204897

By the way, in the matching service as described above, since the information about the user is provided to the service side, there is a risk that personal information may be leaked. On the other hand, a method of converting information about the user into sketching data having a stochastic data structure and providing it to the service side can be considered. By converting the information about the user into sketching data, the information is provided to the service side in a state where it is difficult to identify the personal information, so that the confidentiality of the personal information can be enhanced. However, on the service side, if matching is performed using only sketching data, there is a problem that the matching accuracy is lowered.

As described above, in the matching service using information about the user, there is a problem in how to ensure the confidentiality of personal information while maintaining the matching accuracy.
In one aspect, it is an object of the present invention to provide a data matching system, an information processing device, and a data matching method capable of ensuring the confidentiality of personal information in matching using information about a user.

One proposal provides the following data matching system having an information processing device and a terminal device. In this data matching system, the information processing device receives a plurality of sketching data each having a probabilistic data structure obtained by converting a plurality of user information about each individual user, and the information processing device receives the data. It is stored in the storage unit provided, matching is performed between a plurality of sketching data and a predetermined reference data, and when one sketching data is specified as a matching result from the plurality of sketching data, one sketching is performed. A provision request for requesting the provision of one user information corresponding to one user among a plurality of user information is transmitted to one user corresponding to the data, and the one user information is used as the signature data of one user. Is received with the data added, and the matching result is verified by performing matching between the received user information and the reference data. The terminal device accepts a consent operation from one user who consents to the provision of one user information in response to the provision request, generates signature data based on the one user information in response to the consent operation, and generates the signature data. The added user information is transmitted to the information processing device.

Further, in one plan, the following information processing apparatus having a storage unit and a processing unit is provided. In this information processing device, the processing unit receives a plurality of sketching data each having a probabilistic data structure obtained by converting a plurality of user information related to each individual user, and stores the data in the storage unit. , Matching a plurality of sketching data with a predetermined reference data is performed, and when one sketching data is specified as a matching result from the plurality of sketching data, one corresponding to the one sketching data. A provision request is sent to a user requesting the provision of one user information corresponding to one user among a plurality of user information, and one user consents to the provision of one user information. The matching result is verified by receiving the data with the signature data of one user added in response to the consent operation and performing matching between the received user information and the reference data.

Further, one proposal provides a data matching method in which a computer executes the same processing as the above-mentioned information processing apparatus.

On one aspect, the confidentiality of personal information can be ensured in matching using information about the user.

It is a figure which shows the configuration example and the processing example of the data matching system which concerns on 1st Embodiment. It is a figure which shows the structural example of the data matching system which concerns on 2nd Embodiment. It is a figure which shows the hardware configuration example of the operator server. It is a figure which shows the comparative example of the operation of a data matching system. It is a figure which shows the outline of the operation of the data matching system which concerns on 2nd Embodiment. It is a figure which shows the calculation example of the sketching data based on the attribute information. It is a figure which shows the example of the transmission data transmitted to the business operator server. It is a figure which shows the configuration example of the processing function provided in each apparatus in a data matching system. This is an example of a sequence diagram showing a processing procedure at the time of registering sketching data. It is a figure which shows the display example of a service registration screen. It is a figure which shows the display example of the provision request screen of sketching data. This is an example of a sequence diagram (No. 1) showing a processing procedure when requesting volunteer activities. This is an example of a sequence diagram (No. 2) showing a processing procedure when requesting volunteer activities. It is a figure which shows the display example of the request screen of a volunteer activity. It is a figure which shows the display example of the consent operation screen for the source data provision.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
[First Embodiment]
FIG. 1 is a diagram showing a configuration example and a processing example of the data matching system according to the first embodiment. The data matching system shown in FIG. 1 includes an information processing device 1 and a terminal device 2.

The information processing device 1 is a device that extracts a specific user by performing matching using user information 11, 12, 13, ... Regarding each individual user. For example, the information processing device 1 acquires the action history of each user as user information 11, 12, 13, ..., And extracts a user suitable for a specific purpose based on the action history.

However, the information processing device 1 does not acquire the user information as it is from each user to be matched, but acquires it in the form of sketching data having a stochastic data structure. When a certain user is identified as a result of matching using the sketching data, the information processing apparatus 1 acquires user information which is the original data of the sketching data from the user. Then, the information processing device 1 verifies the matching result using the sketching data by performing matching again using the acquired user information.

In the example of FIG. 1, it is assumed that sketching data 21, 22, 23, ... Can be obtained by converting user information 11, 12, 13, ....
The terminal device 2 is one of the terminal devices operated by the user. In FIG. 1, as an example, it is assumed that the terminal device 2 is operated by the user A corresponding to the user information 11.

Hereinafter, the processing of the data matching system according to the present embodiment will be described step by step.
First, the information processing device 1 receives sketching data 21, 22, 23, ... (Step S1). Of these, the sketching data 21 corresponding to the user A is transmitted from the terminal device 2 to the information processing device 1, for example. The information processing device 1 includes a storage unit 3, and stores the received sketching data 21, 22, 23, ... In the storage unit 3. The storage unit 3 is realized as a storage area of a storage device (not shown) included in the information processing device 1.

Next, the information processing apparatus 1 executes matching of each of the stored sketching data 21, 22, 23, ... With the predetermined reference data 31 (step S2). The reference data 31 is data for extracting a specific user. Actually, the sketching data converted from the reference data 31 is matched with the sketching data 21, 22, 23, ... In the storage unit 3.

In step S2, for example, the degree of similarity between each of the sketching data 21, 22, 23, ... And the sketching data based on the reference data 31 is calculated. Then, when there is sketching data having the highest degree of similarity and the degree of similarity being equal to or higher than a predetermined threshold value, the user corresponding to the sketching data is specified as the matching result.

In FIG. 1, as an example, it is assumed that user A is specified as a matching result. In this case, the information processing device 1 transmits a provision request requesting the provision of the user information 11 corresponding to the user A to the user A (step S3).

In response to the transmitted provision request, the terminal device 2 accepts the consent operation from the user A to consent to the provision of the user information 11 of the user A (step S4). For example, the provision request notifies the user of the content of the information requested to be provided. This notification is performed, for example, by sending an e-mail addressed to the user A or by displaying information on a display device (not shown) of the terminal device 2. Further, in this notification, for example, the type of information requested to be provided, the purpose of use of the information, and the like are notified. Then, based on this notification, the user A confirms the content of the information requested to be provided, and performs the consent operation only when he / she agrees to provide the information.

The terminal device 2 generates the signature data 11a of the user A based on the user information 11 in response to the consent operation by the user A (step S5). The signature data 11a is generated, for example, by encrypting a hash value based on transmission information including at least the user information 11 using the private key of the user A. Then, the terminal device 2 adds the signature data 11a to the user information 11 and transmits it to the information processing device 1 (step S6).

When the information processing device 1 receives the user information 11 to which the signature data 11a is added, the information processing device 1 matches the received user information 11 with the reference data 31 used in step S2 (step S7). By this matching, the result of matching in step S2 is verified. For example, if the degree of similarity between the user information 11 and the reference data 31 is equal to or greater than a predetermined threshold value, it is determined that the matching result in step S2 is correct.

According to the above processing, the user information 11, 12, 13, ... For each user is converted into sketching data 21, 22, 23, ... And stored in the information processing device 1. Then, matching is performed using the sketching data 21, 22, 23, ..., And user information is provided to the information processing device 1 only for the user specified as a result of the matching.

The sketching data is data in which it is difficult to identify personal information as compared with the user information which is the original data. Since the user information 11, 12, 13, ... Of each user is stored in the information processing device 1 as such sketching data 21, 22, 23, ..., There is a risk that personal information will be leaked. descend. Further, by providing only the user information of the user specified by matching using sketching data, the opportunity for the user information to be provided to the information processing apparatus 1 and used is limited.

Moreover, the user information is provided in response to a clear consent operation by the user. Then, the signature data of the user generated in response to the consent operation is added to the provided user information. In the information processing device 1, since the user's signature data is added to the user information, the user information can be used for matching after clearly confirming that the user has agreed to the provision of the user information. For example, matching using the user information is executed only when it is confirmed that the received user information has not been tampered with based on the signature data. Therefore, the confidentiality of personal information is increased, and the strength of privacy protection of the user is improved.

In addition, matching using sketching data is less accurate than matching using original data because some error occurs. In the process of FIG. 1, the matching accuracy can be maintained by verifying the matching result using the sketching data by the matching using the original data.

Therefore, according to the present embodiment, the confidentiality of the user's personal information can be ensured when performing highly accurate matching using the information about the user.
[Second Embodiment]
FIG. 2 is a diagram showing a configuration example of a data matching system according to the second embodiment. The data matching system shown in FIG. 2 includes a business server 100, user terminals 200, 200a, 200b, ..., And an administrator server 300. The business server 100, the user terminals 200, 200a, 200b, ..., And the administrator server 300 are connected to each other via the network 50.

The business operator server 100 is a server computer operated by the business operator. The business server 100 provides a matching service that extracts users suitable for a specific purpose and users who meet a specific condition by performing matching using the attribute information of the user.

User terminals 200, 200a, 200b, ... Are terminal devices operated by the user. By operating any of the user terminals 200, 200a, 200b, ..., The user registers the attribute information about the user himself / herself in the business server 100, and receives the information indicating the matching result by the business server 100. be able to. By using the user terminals 200, 200a, 200b, ..., The attribute information of a large number of users can be registered in the business server 100.

The administrator server 300 is a server computer operated by an administrator who manages user attribute information. The administrator server 300 transmits the attribute information of the user to the business server 100 via the user terminal of the request source in response to the request from the user terminals 200, 200a, 200b, ....

The administrator server 300 may be individually provided for each type of user attribute information. For example, an administrator server 300 that manages a user's behavior history (location information, purchase history, etc.) and an administrator server 300 that manages copyrighted works (books and treatises by the user, newspaper articles in which the user is described, etc.) related to the user. And may be provided individually. When the administrator server 300 is provided for each type of attribute information in this way, the attribute information of the user is distributed and managed by a plurality of administrator servers 300.

Further, a node group 401 for constructing the blockchain 400 is connected to the network 50. The node group 401 includes a plurality of computer nodes such as servers. The blockchain 400 provides a digital ID service using a DID (Decentralized IDentifier). The DID is a decentralized ID that is managed decentralized.

From the digital ID service, at least individual IDs are issued to each user, the business operator operating the business operator server 100, and the data administrator operating the administrator server 300. Hereinafter, the IDs issued to the user, the business operator, and the data administrator will be described as the user ID, the business operator ID, and the administrator ID, respectively. In the blockchain 400, for example, a public key is associated with each issued ID and managed.

FIG. 3 is a diagram showing a hardware configuration example of the operator server. The operator server 100 is realized as, for example, a computer as shown in FIG. The operator server 100 shown in FIG. 3 includes a processor 101, a RAM (Random Access Memory) 102, an HDD (Hard Disk Drive) 103, a graphic interface (I / F) 104, an input interface (I / F) 105, and a reading device 106. And network interface (I / F) 107.

The processor 101 comprehensively controls the entire operator server 100. The processor 101 is, for example, a CPU (Central Processing Unit), an MPU (Micro Processing Unit), a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), or a PLD (Programmable Logic Device). Further, the processor 101 may be a combination of two or more elements of the CPU, MPU, DSP, ASIC, and PLD.

The RAM 102 is used as the main storage device of the operator server 100. The RAM 102 temporarily stores at least a part of an OS (Operating System) program or an application program to be executed by the processor 101. Further, the RAM 102 stores various data necessary for processing by the processor 101.

The HDD 103 is used as an auxiliary storage device of the operator server 100. The OS program, application program, and various data are stored in the HDD 103. As the auxiliary storage device, other types of non-volatile storage devices such as SSD (Solid State Drive) can also be used.

A display device 104a is connected to the graphic interface 104. The graphic interface 104 causes the display device 104a to display an image according to an instruction from the processor 101. Display devices include liquid crystal displays and organic EL (ElectroLuminescence) displays.

An input device 105a is connected to the input interface 105. The input interface 105 transmits a signal output from the input device 105a to the processor 101. The input device 105a includes a keyboard, a pointing device, and the like. Pointing devices include mice, touch panels, tablets, touchpads, trackballs, and the like.

A portable recording medium 106a is attached to and detached from the reading device 106. The reading device 106 reads the data recorded on the portable recording medium 106a and transmits it to the processor 101. Examples of the portable recording medium 106a include an optical disk, a magneto-optical disk, and a semiconductor memory.

The network interface 107 transmits / receives data to / from other devices via the network 50.
With the above hardware configuration, the processing function of the operator server 100 can be realized. The user terminals 200, 200a, 200b, ... And the administrator server 300 can also be realized as, for example, a computer having the configuration shown in FIG. In addition to the configuration shown in FIG. 3, the user terminals 200, 200a, 200b, ... May be realized as, for example, a notebook computer, a tablet terminal, or a smartphone in which the display device 104a is integrated.

Next, a specific example of the matching process in the data matching system will be described.
As described above, the administrator server 300 manages user attribute information such as a user's action history and copyrighted works related to the user. The administrator server 300 can collect such attribute information from each user, for example.

In the following description, it is assumed that the administrator server 300 manages the user's action history, particularly the user's location information history, as attribute information. In this case, for example, the user's position information is measured in the terminal device carried by the user. As the position information, GPS (Global Positioning System) data is measured. The administrator server 300 collects the measured user position information from the user's terminal device and stores it in association with the user ID. The user terminals 200, 200a, 200b, ... Shown in FIG. 2 may be used as the terminal device for measuring the user's position information.

In addition, the business operator that operates the business operator server 100 conducts a dispatch business that dispatches volunteers to guide the area. Regarding this dispatch business, the business server 100 provides a volunteer matching service. In the matching service, the business server 100 accepts user registration for the service, identifies an appropriate user for each region from the registered users, and requests the user to volunteer for regional guidance. .. In the user identification, a user who frequently acts in a certain area or who acts for a long time is specified as a volunteer who guides a certain area based on the history of the user's location information.

Here, FIG. 4 is used to show a comparative example of system operation including matching using the user's position information, and subsequent FIGS. 5 and 5 will describe the system operation in the second embodiment.

FIG. 4 is a diagram showing a comparative example of the operation of the data matching system.
The administrator server 300 includes a user data storage unit 310 in which user attribute information is stored. The administrator server 300 collects attribute information from the user as described above, and registers it in the collected user data storage unit 310. The user data storage unit 310 stores position information (GPS data) as attribute information in association with the user ID of each user.

The user registers in advance for the volunteer matching service. In this registration, the user's own attribute information is registered in the business server 100 using the user terminal. Hereinafter, a case where the user who operates the user terminal 200 registers the attribute information will be described.

In the attribute information registration process, the user terminal 200 requests the administrator server 300 to specify the user ID of the user and transmit the attribute information. In response to this transmission request, the administrator server 300 reads the attribute information corresponding to the user ID from the user data storage unit 310 and transmits it to the user terminal 200 (step S11). The user terminal 200 transfers the transmitted attribute information to the business server 100, specifies a user ID, and requests registration of the attribute information. The business server 100 includes a user data storage unit 110, and registers the attribute information requested to be registered from the user terminal 200 in the user data storage unit 110 in association with the user ID (step S12).

The operator server 100 includes a reference data storage unit 120 in which reference data to be referred to when matching with the attribute information of the user is registered. The reference data is data that is registered for each region and indicates conditions for identifying a user who guides the corresponding region. For example, in the reference data, the position information of the landmark to be guided in the corresponding area and the position information indicating the point on the movement route between the landmarks are described.

The business server 100 matches the attribute information of each user registered in the user data storage unit 110 with each reference data registered in the reference data storage unit 120, and selects a user suitable as a volunteer who provides regional guidance. Identify by region. However, the data size of the attribute information is large, and if matching is performed using a large amount of attribute information as it is, the matching processing load becomes excessive. Therefore, in the example of FIG. 4, sketching data of attribute information is calculated, and matching is performed using the sketching data.

The sketching data is data having a stochastic data structure. By converting the original data to sketching data, the data size is reduced. Although there is some error in the processing result for the query when the converted sketching data is used, the efficiency of processing for the query can be improved.

The sketching data calculation algorithm can be selected according to the content of matching. For example, MinHash is suitable for calculating the similarity between sets. The Count-Min Sketch is suitable for determining the coincidence of the appearance frequency of elements. Bloom filters are suitable for determining whether an element is included in a set.

The business server 100 performs matching according to the following procedure. First, the business operator server 100 calculates sketching data for each user based on the attribute information of each user registered in the user data storage unit 110. At the same time, the operator server 100 calculates sketching data based on each reference data registered in the reference data storage unit 120 (step S13). The calculation of each sketching data may be executed at the time of registration for each storage unit.

The operator server 100 matches the sketching data based on each attribute information with the sketching data based on each reference data (step S14). For example, if the sketching data based on a certain reference data and the sketching data based on each attribute information are matched, the operator server 100 uses this matching to match the attribute information with high similarity to the reference data. To identify. For example, if there is sketching data that has the maximum similarity to the sketching data based on the reference data and is equal to or higher than a predetermined threshold among the sketching data based on the attribute information, the sketching data is supported. Attribute information to be specified is specified as a matching result.

Next, the business operator server 100 reads the specified attribute information from the user data storage unit 110 and reads the matched reference data from the reference data storage unit 120. Then, the operator server 100 matches the attribute information with the reference data (step S15). This matching is for confirming whether the result of matching using sketching data (step S14) is correct. For example, when the similarity is equal to or higher than a predetermined threshold value, it is determined that the matching result is correct. .. In this case, the business server 100 determines that the user corresponding to the attribute information is suitable as a volunteer to guide the area corresponding to the reference data, and requests the user to perform the volunteer activity (step S16).

The volunteer request is notified to the user terminal 200 by, for example, e-mail. When accepting the volunteer request, the user who has received the notification notifies the operator server 100 of accepting the request via the user terminal 200 (step S17).

In the above comparative example, first, matching is performed using the sketching data, and then matching is performed using the original data of the sketching data. According to such a procedure, the matching using the attribute information registered in the user data storage unit 110 as it is is performed only for the attribute information specified by the matching using the sketching data among the registered attribute information. It is said. Therefore, the processing load of matching can be reduced. Further, since the correctness of the matching result using the sketching data is verified by the matching using the original data, it is possible to prevent the matching accuracy from being lowered.

By the way, since the attribute information of the user is the personal information of the user, careful handling is required. In the procedure shown in FIG. 4, it is preferable that the administrator server 300 provides the attribute information to the operator server 100 at least in a state where the consent of the user is surely obtained. For example, the transmission of the attribute information from the administrator server 300 is executed in response to the operation of the user's clear consent to the user terminal 200 (step S12a). Further, the transfer of the attribute information to the business server 100 is performed in a state where the business server 100 can confirm that the user has agreed.

The attribute information can be transmitted by using, for example, a VC (Verifiable Credential) mechanism standardized by the W3C (World Wide Web Consortium). The VC defines the data format of attribute information and the transfer procedure. In VC, secure data transfer using a private key / public key is performed.

For example, when the administrator server 300 is requested to send the attribute information by the operation of the user, the administrator server 300 signs the attribute information of the user by using the private key associated with the administrator ID, and signs the signature. The attribute information is transmitted to the user terminal 200. The user terminal 200 further signs the received data using the private key associated with the user ID, and transmits the signed data to the business server 100.

The business server 100 acquires the public key associated with the user ID from the repository (not shown) on the blockchain 400, and decrypts the user's signature using the acquired public key to receive the received data. Check that the contents of are not tampered with. At this time, since the data has the user's signature, it can be confirmed whether or not the data has been tampered with and that the user has consented to the provision of information. Further, the operator server 100 acquires the public key associated with the administrator ID from the above repository, and decrypts the signature of the data administrator using the acquired public key to obtain the contents of the received data. Check further for tampering.

However, from the viewpoint of handling personal information, there are also the following problems. In the procedure shown in FIG. 4, the user attribute information is provided to the operator server 100 as it is and stored. For this reason, there is a concern that personal information may be leaked to the user, and there is a great deal of psychological resistance to the provision of information. This point also causes the number of registered attribute information for the business server 100 not to increase, and leads to a decrease in the service quality of the business server 100.

Further, in the procedure shown in FIG. 4, the attribute information having a larger size than the sketching data is transmitted to the operator server 100 as it is and accumulated. Therefore, there is also a problem that the load on the network 50 and the capacity for accumulating data on the business server 100 side increase.

Therefore, instead of providing the attribute information to the business server 100 as it is, it is conceivable to convert the attribute information into sketching data and then provide the attribute information to the business server 100. According to this method, since the attribute information is provided in the state of sketching data in which it is difficult to identify personal information, the confidentiality of the data is increased and the psychological resistance of the user when providing the information is also reduced. In addition, the size of the data transmitted to the business server 100 can be reduced. On the other hand, since the operator server 100 only performs matching using sketching data, there is a problem that the matching accuracy is lowered.

Therefore, in the second embodiment, as shown in FIG. 5 below, sketching data based on the attribute information, not the user's attribute information, is provided and registered in the business server 100. The business server 100 performs matching using sketching data, and when a user is tentatively identified by the matching, the attribute information of the user is provided to the business server 100. In the operator server 100, the validity of the matching result using the sketching data is confirmed by executing the matching using the provided attribute information. By such a procedure, it is possible to improve the efficiency of a series of processes including matching while increasing the confidentiality of the user's personal information and maintaining the matching accuracy.

FIG. 5 is a diagram showing an outline of the operation of the data matching system according to the second embodiment.
As shown in FIG. 5, the administrator server 300 includes a user data storage unit 310 similar to that in FIG. On the other hand, the operator server 100 includes the same reference data storage unit 120 as in FIG. 4, but instead of the user data storage unit 110 in FIG. 4, sketching data storage for accumulating sketching data based on attribute information. A unit 111 is provided.

When registering for the matching service, first, the administrator server 300 reads the user attribute information from the user data storage unit 310, and the sketching data is calculated based on the attribute information (step S21). The calculated sketching data is transmitted to the user terminal 200, transferred from the user terminal 200 to the operator server 100, and registered in the sketching data storage unit 111 (step S22). The provision of sketching data from the administrator server 300 to the operator server 100 is performed with the consent of the user obtained.

The operator server 100 performs matching using the sketching data of each user registered in the sketching data storage unit 111 (step S23). In this matching, the similarity between the sketching data based on the reference data registered in the reference data storage unit 120 and the sketching data registered in the sketching data storage unit 111 is calculated.

Here, it is assumed that the sketching data corresponding to the user who operates the user terminal 200 is specified by the matching. In this case, the user has been tentatively identified as a volunteer to guide the area corresponding to the reference data. Then, the business server 100 requests the user to act as a volunteer (step S24). At the time of this request, the user is clearly notified that the source data corresponding to the sketching data, that is, the request for the provision of attribute information is requested in order to verify the result of matching using the sketching data. NS.

When the user performs the operation of accepting the request (step S25), the user terminal 200 requests the administrator server 300 to provide the attribute information. This consent operation indicates that the user has consented to the provision of the attribute information. In response to this request, the administrator server 300 transmits user attribute information (original data) and transfers the user attribute information (original data) to the operator server 100 via the user terminal 200 (step S26). By such a procedure, the attribute information is provided with the consent of the user.

The business operator server 100 executes matching between the provided attribute information and the reference data used in step S23, and confirms the matching result in step S23 (step S27). If it is determined that the matching result is correct, the process of requesting the volunteer activity to the user is completed, and it is confirmed that the user has accepted the volunteer activity (step S28).

According to the above procedure, the attribute information of each user is converted into sketching data having a small data size and whose personal information is difficult to identify, provided to the business server 100, and registered. Then, the attribute information which is the original data of the sketching data is provided to the business operator server 100 only for the user specified by the matching using the sketching data.

As a result, the amount of data transmitted to the business server 100 can be reduced as compared with the case where the attribute information of each user is provided to the business server 100, and the capacity for storing the information on the business server 100 side can be increased. Can be reduced. Moreover, since the number of times of matching using the attribute information itself is reduced, the processing load of matching can be reduced. Further, since the correctness of the matching result using the sketching data is verified by the matching using the original data, it is possible to prevent the matching accuracy from being lowered.

Further, since the attribute information is not accumulated on the business server 100 side, the possibility of leakage of the attribute information can be reduced. Further, since the attribute information is provided only for a specific user based on matching, the confidentiality of the attribute information can be improved as a whole. In addition, the provided attribute information is used only at the time of one matching with the specific reference data. Therefore, since the purpose and opportunity of using the attribute information are limited, the confidentiality of the attribute information can be improved and the security of the personal information can be strengthened in this respect as well.

Further, when the information is registered by the user, the attribute information is registered in the business server 100 in the state of sketching data, so that the user's psychological resistance to the information registration can be reduced. Therefore, information registration to the business server 100 is promoted, and the service quality of the business server 100 can be improved.

Further, the user can consent to the provision of the attribute information in a state where the opportunity to use the attribute information is limited as described above and the purpose of use thereof is recognized. Therefore, the psychological resistance of the user to the provision of information can be reduced. In addition, regarding this point, with such consent, since the attribute information is used for a limited purpose and opportunity, the confidentiality of the attribute information is improved and the security of personal information is strengthened. You can also do it.

FIG. 6 is a diagram showing an example of calculating sketching data based on attribute information. FIG. 6 illustrates a case where sketching data is calculated by the MinHash method.
In the MinHash method, by applying a certain hash function to each element of two sets, a plurality of hash values are calculated for each set, and the minimum value is extracted from the plurality of hash values for each set. .. At this time, the idea that the probability that the two minimum values match is equal to the similarity between the sets is used.

Actually, for example, the hash value is calculated as described above by using each of a plurality of hash functions (assuming k hash functions). As a result, k minimum hash values are extracted for each set. Then, the k minimum values for one set and the k minimum values for the other set are compared, and the number of matching values is calculated as an approximate value of the degree of similarity.

FIG. 6 illustrates a case where sketching data is calculated based on attribute information on the administrator server 300. In the example of FIG. 6, the action history 321 is collected as the attribute information of the user. The action history 321 includes a set of position information (for example, GPS data indicating longitude / latitude) indicating the movement locus of the user. Then, a numerical array 322 indicating the feature amount is calculated from this action history 321 (step S31). For example, based on the action history 321, the position information of a predetermined landmark close to the movement locus of the user is calculated as a numerical array 322. In FIG. 6, the position information of n landmarks is described in the numerical array 322. In the numerical array 322, for example, the landmark identification number may be described instead of the landmark position information.

As the attribute information registered in the user data storage unit 310, the information of the action history 321 may be registered, or the information indicating the feature amount calculated based on the action history 321 as in the numerical array 322. May be registered. In the former case, when the attribute information is provided from the administrator server 300 to the operator server 100, the information indicating the feature amount recalculated from the action history 321 may be provided to the operator server 100.

On the other hand, a hash function sequence 323 having the number of elements k is generated using the business ID of the business and the user ID of the user corresponding to the attribute information as seed values (step S32). That is, the hash function sequence 323 includes k hash functions h1 (), h2 (), ..., Hk (). Then, hash values corresponding to each of the elements (position information) included in the numerical array 322 are calculated using k hash functions h1 (), h2 (), ..., Hk (), respectively ( Step S33). As a result, k numerical arrays 324_1, 324_2, ..., 324_k each containing n hash values are calculated.

By using the business operator ID and the user ID as seed values, a hash function shared only between the business operator and the user is generated. This increases the difficulty of inferring the original data from the sketching data and improves the confidentiality of the data.

Next, the minimum value of the hash value is extracted from each of the k numerical sequences 324_1, 324_2, ..., 324_k, and the extracted minimum value array 325 is generated (step S34). This array 325 becomes sketching data based on the attribute information.

By the way, in the data matching system according to the present embodiment, information is transmitted according to the procedure specified by VC. In this information transmission, signature data is added stepwise to the transmitted information by using the encryption key associated with the ID. As a result, the correctness of the transmitted information is guaranteed, and information indicating the correctness can be added stepwise for each device on the transmission path.

FIG. 7 is a diagram showing an example of transmission data transmitted to the business operator server. FIG. 7 illustrates the transmission data 210 generated by the VC method when the sketching data is transmitted.
The administrator server 300 generates the "claim" information of the area 211 of the transmission data 210. In "claim", the user ID of the user is described in "id". Further, in the "sketch" in the "claim", "values" indicating the transmission target data, "type" indicating the type of the transmission target data, and "length" indicating the size of the transmission target data are described. When the sketching data is provided, the sketching data (array of minimum hash values) requested to be provided is described in the item of "values".

Further, in the present embodiment, when the sketching data is provided, "hash" is described in "sketch". In "hash", a hash value of the original data (that is, the corresponding attribute information) of the sketching data is described. As will be described later, this hash value is used to confirm the validity of the correspondence between the sketching data and the original data before the matching using the original data is performed.

Further, in "claim", "signatureValue" is described. In the "signature Value", the signature data of the data administrator calculated by encrypting the hash value based on the data described in the "sketch" with the private key corresponding to the administrator ID is described.

When the user terminal 200 receives the above-mentioned "claim" information from the administrator server 300, it adds predetermined header information such as the generation date and time to this information and also adds "signature" (area 212 in FIG. 7). .. The signature data of the user is described in the "signature". The user's signature data is calculated by encrypting the hash value based on the data described in "claim" with the private key corresponding to the user ID.

The transmission data 210 generated as described above is transmitted from the user terminal 200 to the business server 100. Based on the user's signature data, the operator server 100 can confirm whether or not the received transmission data 210 has been tampered with in the "claim" area. In addition, the business server 100 can confirm the presence or absence of falsification in the "sketch" area based on the signature data of the data manager.

Further, when the original data (that is, attribute information) is provided, the "claim" in which the original data is described in "values" and the signature data of the data administrator is described in "signatureValue" is the administrator server 300. Is generated by. However, "claim" does not include "hash". When such a "claim" is transmitted to the user terminal 200, predetermined header information is added to this information, and a "signature" in which the user's signature data is described is added to the operator server 100. Will be sent.

In this way, by generating and transmitting the transmission data in accordance with the VC regulations, the information about the user requested to be provided is gradually distributed in an appropriate data format. For example, the user receives information about the user himself / herself with the signature of the data administrator who provides the information. As a result, the user can surely receive the user's information in a state where the information provider and its contents are guaranteed. Then, the user can add the user's own signature to the received information and provide it to the business operator who is the user of the information in response to the operation of the user's own clear consent. The business operator can confirm the validity of the content of the provided information based on the signatures of the data administrator and the user, and can clearly confirm that the consent of the provision has been obtained from the user's signature. For the user, only the information that the user has agreed to provide can be reliably passed to the business operator who is the user of the information.

Further, in the present embodiment, when the sketching data is provided, the hash value based on the original data is also provided to the operator server 100. The operator server 100 registers the provided hash value together with the sketching data in the sketching data storage unit 111 in association with the user ID. Then, when the operator server 100 receives the attribute information from the user based on the matching result using the sketching data, the received attribute information is the original data of the sketching data by using the corresponding hash value. Can be verified. This makes it possible to increase the certainty of the matching process using the attribute information.

Hereinafter, the operation of the data matching system according to the second embodiment will be described in more detail.
FIG. 8 is a diagram showing a configuration example of a processing function included in each device in the data matching system.

First, the repository server 410 shown in FIG. 8 is a server computer realized as one of the nodes included in the node group 401 shown in FIG. The repository server 410 includes a public key storage unit 411 and a key management unit 412.

The public key storage unit 411 is realized, for example, as a storage area of a storage device (not shown) included in the repository server 410. The public key storage unit 411 stores the public key in association with the ID issued by the digital ID service described above. The processing of the key management unit 412 is realized, for example, by executing a predetermined program by a processor (not shown) included in the repository server 410. When the ID is issued, the key management unit 412 accepts the registration of the public key among the asymmetric key type key pairs (private key and public key) generated by the ID holder and associates it with the ID. And register it in the public key storage unit 411. In the present embodiment, at least the public key corresponding to the user ID, the business operator ID, and the administrator ID is registered in the public key storage unit 411. In addition, the key management unit 412 provides a public key corresponding to the ID in response to a request for specifying the ID.

The administrator server 300 includes a secret key storage unit 330, a data provision unit 341, a sketching data calculation unit 342, and a signature engine 343 in addition to the user data storage unit 310 described above.

The user data storage unit 310 and the private key storage unit 330 are realized, for example, as storage areas of a storage device (not shown) included in the administrator server 300. Attribute information collected about the user is registered in the user data storage unit 310 in association with the user ID. The private key storage unit 330 stores the private key corresponding to the administrator ID of the data administrator.

The processing of the data providing unit 341, the sketching data calculation unit 342, and the signature engine 343 is realized, for example, by executing a predetermined program by a processor (not shown) included in the administrator server 300.

The data providing unit 341 executes a process for providing attribute information and sketching data corresponding to the designated user ID in response to a request from the user terminal 200. The sketching data calculation unit 342 calculates sketching data based on the attribute information read from the user data storage unit 310. The signature engine 343 uses the data administrator's private key to generate the data administrator's signature data.

The user terminal 200 includes a private key storage unit 220, a data registration unit 231 and an original data transmission unit 232 and a signature engine 233.
The private key storage unit 220 is realized, for example, as a storage area of a storage device (not shown) included in the user terminal 200. The private key storage unit 220 stores the private key corresponding to the user ID of the user who operates the user terminal 200.

The processing of the data registration unit 231 and the original data transmission unit 232 and the signature engine 233 is realized, for example, by the processor (not shown) included in the user terminal 200 realizing a predetermined program. The data registration unit 231 executes a process of registering sketching data based on the user's attribute information in the operator server 100 in order to register the user in the matching service. The original data transmission unit 232 acquires the original data (attribute information) of the sketching data from the administrator server 300 in response to the request from the operator server 100, and executes a process of providing the original data (attribute information) to the operator server 100. The signature engine 233 uses the user's private key to generate the user's signature data.

Although not shown, the other user terminals 200a, 200b, ... Also have the same processing function as the user terminal 200.
The business server 100 includes a registration reception unit 131, a matching unit 132, a request processing unit 133, and a signature verification unit 134, in addition to the sketching data storage unit 111 and the reference data storage unit 120 described above.

The sketching data storage unit 111 and the reference data storage unit 120 are realized as storage areas of a storage device included in the operator server 100, such as a RAM 102 and an HDD 103.

Information about the user registered from the user terminals 200, 200a, 200b, ... Is registered in the sketching data storage unit 111. In the sketching data storage unit 111, at least the sketching data and the hash value based on the original data are stored in association with the user ID of each user.

In the reference data storage unit 120, reference data to be collated with the attribute information of the user in the matching process is registered for each area to be guided by the volunteer. For example, as the reference data, the position information of the landmark to be guided in the area and the position information indicating the point on the movement route between the landmarks are described for each area. Further, the reference data may describe identification information indicating a landmark or a point on the movement route.

The registration reception unit 131 executes a process of accepting the registration of the user's sketching data from the user terminals 200, 200a, 200b, .... The matching unit 132 executes a matching process of the sketching data registered in the sketching data storage unit 111 or the original data thereof and the reference data registered in the reference data storage unit 120.

When a user requesting volunteers is tentatively identified by matching using sketching data, the request processing unit 133 requests the user to perform volunteer activities and requests the provision of original data. When the original data is provided by the user, the request processing unit 133 causes the matching unit 132 to perform matching using the original data, and notifies the user of the matching result. The signature verification unit 134 verifies the validity (presence or absence of falsification) of the data based on the signature data added to the data received from the user terminals 200, 200a, 200b, ....

FIG. 9 is an example of a sequence diagram showing a processing procedure at the time of registering sketching data.
[Step S41] At the user terminal 200, an application for receiving a volunteer matching service is executed. As a result, the data registration unit 231, the original data transmission unit 232, and the signature engine 233 are started, and the data registration unit 231 first executes the registration process for the matching service.

The data registration unit 231 accesses, for example, the Web server of the business server 100 and acquires the information on the registration screen for the service for receiving the volunteer request. As a result, the browser is displayed on the display device of the user terminal 200, and the registration screen is displayed in the browser.

The user inputs the user ID of the user and auxiliary information (for example, name, e-mail address, etc.) about the user on the registration screen, and performs the registration operation. As a result, the data registration unit 231 transmits the registration request for the service to the business server 100 together with the input information.

[Step S42] The registration reception unit 131 of the operator server 100 registers the received user ID and auxiliary information in the sketching data storage unit 111, and transmits a provision request requesting the provision of sketching data to the user terminal 200. do. In this process, for example, the business operator ID, the data type (location information, time, etc.) indicating the type of data requested to be provided (data required for matching), the algorithm name used for each data type, and the number of requested data ( (Corresponding to n in FIG. 6) and other auxiliary information (data acquisition period, parameters required for calculating sketching data, etc.) are transmitted together with the provision request.

[Step S43] The data registration unit 231 of the user terminal 200 displays at least the content of the data requested to be provided indicated by the received data type in the browser and causes the user to confirm it. The user confirms the displayed contents, and if he / she agrees to provide the information, he / she performs the consent operation. In that case, the process proceeds to step S44.

[Step S44] The data registration unit 231 transmits the information received from the business server 100 to the administrator server 300 together with the user ID of the user, and requests the provision of sketching data.

Here, FIG. 10 is a diagram showing a display example of the service registration screen. The screen 240 shown in FIG. 10 is displayed on the browser of the user terminal 200 in step S41 of FIG.
On the screen 240, input fields 241,242 for inputting the user's name and the user's e-mail address, and a registration button 243 for requesting registration are displayed. When the information is input to the input fields 241, 242 and the selection operation for the registration button 243 is performed, the user ID corresponding to the name is transmitted to the business server 100 together with the input name and e-mail address.

FIG. 11 is a diagram showing a display example of a screen for requesting provision of sketching data. The screen 250 shown in FIG. 11 is displayed on the browser of the user terminal 200 in step S43 of FIG.

In the area 251 of the screen 250, a sentence explaining the content of the information requested by the business operator is displayed. In the example of FIG. 9, the user's activity information is processed into a statistically processed format and provided in a state in which an individual cannot be identified, and the provided information is used only for the purpose of matching. It is displayed that the information provided includes time information and GPS information.

Further, the consent button 252 and the disagreement button 253 are displayed on the screen 250. When the user agrees to provide the information after confirming the display content of the area 251, a selection operation for the consent button 252 is performed. In this case, the process of step S44 of FIG. 9 is executed. That is, the sketching data provision process is executed in response to an operation indicating clear consent by the user who has confirmed the content of the provided information. On the other hand, if the information provision is not agreed, the registration process is completed by performing the selection operation for the disagreement button 253.

Hereinafter, the description will be continued with reference to FIG.
[Step S45] The data providing unit 341 of the administrator server 300 passes the information received from the user terminal 200 to the sketching data calculation unit 342 and requests the calculation of the sketching data. When the MinHash method is used as shown in FIG. 6, the sketching data calculation unit 342 acquires attribute information corresponding to the user ID from the user data storage unit 310 for the number of requested data (n). According to the example of FIG. 6, the position information of n landmarks is acquired. At this time, n location information included in the designated data acquisition period is acquired from the operator server 100.

The sketching data calculation unit 342 generates k hash functions using the user ID and the administrator ID as seed values, calculates the hash values of n attribute information using each hash function, and performs the hash function. Extract the minimum hash value for each. As a result, a numerical array including n minimum values is calculated as sketching data.

[Step S46] The data providing unit 341 performs a hash calculation using the n attribute information acquired from the user data storage unit 310 in step S45, and calculates the hash value of the original data.

[Step S47] The data providing unit 341 generates "sketch" data (see FIG. 7) including the sketching data calculated in step S45 and the hash value of the original data calculated in step S46. In addition, the data providing unit 341 notifies the signature engine 343 of the generated "sketch" data, and requests the data manager to generate the signature data.

The signature engine 343 acquires the private key of the data administrator from the private key storage unit 330. The data providing unit 341 calculates the hash value of the data of "sketch" using a predetermined hash function, and encrypts the calculated hash value with the private key of the data administrator to sign the data of the data administrator. ("SignatureValue", see FIG. 7) is generated.

The data providing unit 341 generates "claim" data including "sketch" data and signature data, and transmits the data to the user terminal 200. The transmitted data may be encrypted using the private key of the data administrator.

[Step S48] The data registration unit 231 of the user terminal 200 receives the data of "claim". When the received data is encrypted, the received data is decrypted using the public key of the data administrator, and the "claim" data is acquired. The public key of the data administrator is obtained from the key management unit 412 of the repository server 410.

The data registration unit 231 notifies the signature engine 233 of the "claim" data and requests the user to generate the signature data. The signature engine 233 acquires the user's private key from the private key storage unit 220. The signature engine 233 calculates the hash value of the data of "claim" using a predetermined hash function, and encrypts the calculated hash value with the user's private key to obtain the user's signature data ("signature", (See FIG. 7) is generated.

The data registration unit 231 adds predetermined header information such as the generation date and time to the "claim" data, and transmits the data together with the user's signature data to the business server 100. The transmitted data may be encrypted using the user's private key.

[Step S49] When the registration reception unit 131 of the operator server 100 receives the data from the user terminal 200, the registration reception unit 131 verifies the received data using the signature data.
First, the registration reception unit 131 specifies the user ID of the user and requests the public key of the user from the repository server 410. In response to this request, the public key corresponding to the user ID is transmitted from the key management unit 412 of the repository server 410, and the registration reception unit 131 of the business server 100 receives the public key.

When the received data from the user terminal 200 is encrypted, the registration receiving unit 131 decrypts the received data using the user's public key. The registration reception unit 131 extracts the user's signature data from the received data and decrypts it using the user's public key. The registration reception unit 131 calculates the hash value of the "claim" data in the received data, and compares the calculated hash value with the hash value obtained by decoding the signature data.

When these hash values match, it is confirmed that the data of "claim" has not been tampered with, and it is confirmed that the user has consented to the provision of sketching data. Then, the registration reception unit 131 next specifies the administrator ID and requests the public key of the data administrator from the repository server 410. In response to this request, the public key corresponding to the administrator ID is transmitted from the key management unit 412 of the repository server 410, and the registration reception unit 131 of the business server 100 receives the public key.

The registration reception unit 131 extracts the signature data of the data manager from the data of "claim" and decrypts it using the public key of the data manager. The registration reception unit 131 calculates the hash value of the "sketch" data in the received data, and compares the calculated hash value with the hash value obtained by decoding the signature data. When these hash values match, it is confirmed that the data of "sketch" has not been tampered with. Then, the process proceeds to step S50.

If the data is falsified by verification using either the user's signature or the data administrator's signature, the user terminal 200 is notified of the registration error, and the registration process ends.

[Step S50] The registration receiving unit 131 registers the sketching data included in the received data and the hash value of the original data in the sketching data storage unit 111 in association with the user ID.

[Step S51] The registration reception unit 131 notifies the user terminal 200 that the registration has been completed normally. In response to this notification, the browser of the user terminal 200 displays that the registration has been completed normally.

Next, FIGS. 12 and 13 are examples of sequence diagrams showing a processing procedure when requesting volunteer activities.
[Step S61] The matching unit 132 of the operator server 100 between the sketching data of the user registered in the sketching data storage unit 111 and the sketching data based on the reference data registered in the reference data storage unit 120. Execute the matching process with. Here, a hash function for calculating sketching data based on the reference data is generated for each user corresponding to the sketching data to be collated. That is, the hash function is calculated using the user ID corresponding to the sketching data to be collated and the business operator ID as seeds.

Here, it is assumed that a user who operates the user terminal 200 is specified as sketching data of a user who has the highest degree of similarity to a certain reference data and whose degree of similarity is equal to or more than a threshold value. In this case, it is tentatively determined that the user is suitable as a volunteer to guide the area corresponding to the reference data.

[Step S62] The request processing unit 133 of the business operator server 100 notifies the user specified by matching of the activity request requesting to act as a volunteer. Here, as an example, the request processing unit 133 acquires the e-mail address of the specified user from the sketching data storage unit 111, and sends an e-mail for notifying the activity request to the acquired e-mail address. In addition, the information for notifying the activity request includes the activity content of the volunteer requested and the guidance information for applying for the request.

[Step S63] The transmitted e-mail is received by the user terminal 200, and the user browses the contents of the e-mail. When the user confirms the contents of the volunteer request, accepts the request, and wishes to apply for the volunteer, the user performs the application operation according to the contents notified by e-mail.

[Step S64] The request processing unit 133 of the operator server 100 transmits the original data of the sketching data, that is, the information requesting the provision of the attribute information of the user. The information to be transmitted includes the business operator ID, the data type of the data requested to be provided, the algorithm name used, the number of requested data n, and other auxiliary information (data acquisition period, etc.) as the request information of the attribute information. Is done. Further, the transmitted information includes information for asking the user to confirm the content of the attribute information for which the provision is requested, and information for requesting the consent of the provision.

[Step S65] The original data transmission unit 232 of the user terminal 200 displays an consent operation screen for providing the original data on the browser based on the received information. This consent operation screen includes information indicating the content of the attribute information for which provision is requested, operation buttons for performing the provision consent operation, and the like. When the user confirms the displayed information and performs an operation of consenting to the provision, the process proceeds to step S66.

[Step S66] The original data transmission unit 232 transmits the request information of the attribute information included in the transmission information in step S64 to the administrator server 300.
Here, FIG. 14 is a diagram showing a display example of a volunteer activity request screen. The screen 260 shown in FIG. 14 shows an example of the information notified to the user from the operator server 100 in step S62 of FIG. Screen 260 of FIG. 12 illustrates an example of displaying an e-mail when an activity request is notified by an e-mail addressed to the user.

The screen 260 includes an area 261 in which the contents of the volunteer request are displayed, a button 262 for applying to the requested volunteer, and a button 263 for notifying the volunteer not to apply. The user confirms the contents displayed in the area 261 and decides whether to apply for volunteering.

When the selection operation for the button 262 is performed, the URL (Uniform Resource Locator) associated with the button 262 is linked, and the consent operation screen for the provision of the original data (attribute information) is displayed from the business server 100. Display information to be sent is sent. On the other hand, when the selection operation for the button 263 is performed, the business server 100 is notified that the volunteer does not apply, and the process ends.

The content requested on the screen 260 of FIG. 14 is requested by matching using sketching data based on attribute information. Therefore, the request content does not always match the user. For example, a volunteer activity may be requested to guide an area that the user has rarely visited.

When the content of the request is inappropriate, the user can notify the business server 100 that he / she does not apply for volunteers by performing a selection operation on the button 263. As a result, the user can prevent the personal information of the user from being unnecessarily provided to the business operator.

FIG. 15 is a diagram showing a display example of the consent operation screen for providing the original data. When the selection operation for the button 262 of FIG. 14 is performed, the request processing unit 133 of the operator server 100 transmits a request for providing the original data of the sketching data (step S64 of FIG. 12). When the original data transmission unit 232 of the user terminal 200 receives the provision request, for example, the screen 270 as shown in FIG. 15 is displayed on the browser. That is, the screen 270 is an example of the consent operation screen displayed in step S65 of FIG.

On the screen 270, an area 271 indicating the content of the attribute information requested to be provided, an area 272 indicating the purpose of use of the provided attribute information, a button 273 for agreeing to provide the information, and consenting to the information provision are provided. It also includes a button 274 to cancel the volunteer application. The user can visually check the area 271 to confirm the content of the information requested to be provided, further visually check the area 272 to confirm the purpose of use of the information, and then decide whether or not to consent to the provision of the information. can. Further, for example, by performing a selection operation of the button 275 included in the area 271, it is possible to display and confirm more detailed contents of the information requested to be provided.

When the selection operation for the button 273 is performed, the request information of the attribute information is transmitted from the user terminal 200 to the administrator server 300 (step S66 in FIG. 12). On the other hand, when the selection operation for the button 274 is performed, the business server 100 is notified that the volunteer application is canceled without agreeing to the information provision.

In this way, when the user is requested to provide the original data of the sketching data, that is, the attribute information itself, the user confirms the content and purpose of use of the provided information, and then obtains the attribute information from the business operator. Can be provided to. As a result, the opportunity to provide the attribute information can be restricted by the user's will according to the content of the information requested to be provided and the purpose of use thereof, and the confidentiality of the attribute information can be improved.

Hereinafter, the description will be continued with reference to FIG.
[Step S67] The data providing unit 341 of the administrator server 300 receives the user attribute information from the user data storage unit 310 for the number of requested data (n) based on the attribute information request information received from the administrator server 300. get. As a result, the original data corresponding to the sketching data is acquired.

[Step S68] The data providing unit 341 generates "sketch" data (see FIG. 7) including the acquired original data. For example, when the amount of data of the original data is excessive, a URL that can be temporarily used for acquiring the original data is generated, and the URL is described in "sketch" instead of the original data. You may. In addition, the data providing unit 341 notifies the signature engine 343 of the generated "sketch" data, and requests the data manager to generate the signature data.

The signature engine 343 generates the data administrator's signature data (“signatureValue”, see FIG. 7) based on the “sketch” data and the data administrator's private key in the same procedure as in step S47 of FIG. .. The data providing unit 341 generates "claim" data including "sketch" data and signature data, and transmits the data to the user terminal 200. The transmitted data may be encrypted using the private key of the data administrator.

[Step S69] The original data transmission unit 232 of the user terminal 200 receives the data of "claim". When the received data is encrypted, the received data is decrypted using the public key of the data administrator, and the "claim" data is acquired. The original data transmission unit 232 displays information indicating the content of the provided information on the browser based on the content of the "claim". By confirming the displayed contents, the user can confirm whether the information contents agreed to be provided are correctly provided.

[Step S70] The display information in step S69 includes a button for notifying whether or not to continue the process, the user agrees to provide the information, and a selection operation for the button for continuing the process is performed. Then, the process proceeds to step S71.

[Step S71] The original data transmission unit 232 notifies the signature engine 233 of the "claim" data and requests the user to generate the signature data. The signature engine 233 generates the user's signature data (“signature”, see FIG. 7) based on the “claim” data and the user's private key in the same procedure as in step S48 of FIG. The original data transmission unit 232 adds predetermined header information such as the generation date and time to the "claim" data, and transmits the data together with the user's signature data to the business server 100. The transmitted data may be encrypted using the user's private key.

[Step S72] When the request processing unit 133 of the operator server 100 receives the data from the user terminal 200, the request processing unit 133 verifies the received data using the signature data.
First, the request processing unit 133 specifies the user ID of the user and requests the public key of the user from the repository server 410. In response to this request, the public key corresponding to the user ID is transmitted from the key management unit 412 of the repository server 410, and the request processing unit 133 of the operator server 100 receives the public key.

When the received data from the user terminal 200 is encrypted, the request processing unit 133 decrypts the received data using the user's public key. The request processing unit 133 extracts the user's signature data from the received data and decrypts it using the user's public key. The request processing unit 133 calculates the hash value of the "claim" data in the received data, and compares the calculated hash value with the hash value obtained by decoding the signature data.

When these hash values match, it is confirmed that the data of "claim" has not been tampered with, and it is confirmed that the user has given consent to provide the original data. Then, the request processing unit 133 next specifies the administrator ID and requests the public key of the data administrator from the repository server 410. In response to this request, the public key corresponding to the administrator ID is transmitted from the key management unit 412 of the repository server 410, and the request processing unit 133 of the business server 100 receives the public key.

The request processing unit 133 extracts the signature data of the data manager from the data of "claim" and decrypts it using the public key of the data manager. The request processing unit 133 calculates the hash value of the "sketch" data in the received data, and compares the calculated hash value with the hash value obtained by decoding the signature data. When these hash values match, it is confirmed that the data of "sketch" has not been tampered with. Then, the process proceeds to step S73.

If the data is falsified by the verification using either the user's signature or the data administrator's signature, the user terminal 200 is notified of the information provision error, and the process ends.

[Step S73] The request processing unit 133 acquires a hash value based on the original data associated with the user ID from the sketching data storage unit 111. In addition, the request processing unit 133 calculates the hash value of the original data included in the received "claim". By comparing these hash values, the request processing unit 133 verifies whether the received original data is the original data of the sketching data of the same user used at the time of matching. If the hash values match, the validity of the received original data is confirmed, and the process proceeds to step S74. On the other hand, if the hash values do not match, the user terminal 200 is notified of an information provision error, and the process ends.

[Step S74] The request processing unit 133 notifies the matching unit 132 of the received original data, and requests the matching unit 132 to execute rematching for confirming the validity of the matching in step S61. The matching unit 132 acquires the reference data matched with the sketching data of the same user in step S61 from the reference data storage unit 120, and the acquired reference data and the source notified from the request processing unit 133. Execute matching process with data.

For example, when these similarities are equal to or higher than a predetermined threshold value, it is determined that the matching result in step S61 is correct, and the process proceeds to step S75. On the other hand, although not shown, when the similarity is less than the above threshold value and it is determined that the matching result in step S61 is incorrect, the user terminal 200 is notified that the user's application has not been received. NS.

[Step S75] The request processing unit 133 notifies the user terminal 200 that the volunteer request to the user has been confirmed and the request processing has been completed. The original data transmission unit 232 of the user terminal 200 displays the notified content on the browser. This completes the request processing.

In the second embodiment described above, as an example of the matching service, a service for identifying an appropriate user as a volunteer who guides a certain area by matching is shown, but the matching service is limited to this example. is not it. For example, a service for introducing or requesting work as a dispatched employee can be applied to a user having an appropriate work history. In this case, for example, information on the work history and skills of each user is collected on the administrator server 300. The business server 100 holds the information on the work history and skills of the dispatched employee to be sought as reference data, and by matching the information of each user with the reference data, identifies an appropriate user as a dispatched employee and assigns the user to that user. Introduce or request work as a dispatched employee.

Further, for example, a service for identifying a driver who is driving safely from among the drivers who drive a car can be applied. In this case, for example, the driving data (speed, route history, etc.) of each driver detected by the on-board unit is collected in the administrator server 300. The operator server 100 holds the driving data of the model driver as reference data, and calculates the degree of similarity between the driving data of each driver and the driving data of the model driver. Then, the operator server 100 identifies a driver having a high degree of similarity in driving data with the model driver as a driver performing safe driving.

The processing functions of the devices (for example, information processing device 1, terminal device 2, business server 100, user terminals 200, 200a, 200b, ..., Administrator server 300) shown in each of the above embodiments are , Can be realized by computer. In that case, a program describing the processing content of the function that each device should have is provided, and the processing function is realized on the computer by executing the program on the computer. The program describing the processing content can be recorded on a computer-readable recording medium. Computer-readable recording media include magnetic storage devices, optical disks, opto-magnetic recording media, semiconductor memories, and the like. Magnetic storage devices include hard disk devices (HDDs), magnetic tapes, and the like. Optical discs include CDs (Compact Discs), DVDs (Digital Versatile Discs), and Blu-ray Discs (Blu-ray Discs: BDs, registered trademarks). The magneto-optical recording medium includes MO (Magneto-Optical disk) and the like.

When a program is distributed, for example, a portable recording medium such as a DVD or a CD on which the program is recorded is sold. It is also possible to store the program in the storage device of the server computer and transfer the program from the server computer to another computer via the network.

The computer that executes the program stores, for example, the program recorded on the portable recording medium or the program transferred from the server computer in its own storage device. Then, the computer reads the program from its own storage device and executes the processing according to the program. The computer can also read the program directly from the portable recording medium and execute the processing according to the program. In addition, the computer can sequentially execute processing according to the received program each time the program is transferred from the server computer connected via the network.

1 Information processing device 2 Terminal device 3 Storage unit 11, 12, 13, ... User information 11a Signing data 21, 22, 23, ... Sketching data 31 Reference data

Claims (6)

A data matching system that has an information processing device and a terminal device.
The information processing device
A plurality of sketching data having probabilistic data structures obtained by converting a plurality of user information related to each individual user are received and stored in a storage unit provided in the information processing apparatus.
Matching the plurality of sketching data with predetermined reference data is performed, and
When one sketching data is specified as a matching result from the plurality of sketching data, the one user among the plurality of user information is referred to the one user corresponding to the one sketching data. Send a request to request the provision of one user information corresponding to
The matching result is verified by receiving the one user information with the signature data of the one user added and performing matching between the received one user information and the reference data.
The terminal device is
In response to the provision request, the consent operation that consents to the provision of the one user information is accepted from the one user, and the consent operation is accepted.
In response to the consent operation, the signature data is generated based on the one user information, and the one user information to which the signature data is added is transmitted to the information processing apparatus.
Data matching system. The information processing device verifies the validity of the received user information using the signature data, and when the validity is confirmed, matches the received user information with the reference data. Run,
The data matching system according to claim 1. When transmitting the provision request, the information processing device transmits notification information indicating the type of information requested to be provided and the purpose of use thereof together with the provision request.
When the terminal device receives the provision request together with the notification information, the terminal device displays the content of the notification information on the display device and accepts the consent operation.
The data matching system according to claim 1 or 2. The information processing device
When receiving the plurality of sketching data, a plurality of hash values calculated based on the plurality of user information are received together with the plurality of sketching data, and the plurality of sketching data and the plurality of hashes are received. The value and the corresponding user are stored in the storage unit, and the value is stored in the storage unit.
When the one user information is received, a hash value based on the one user information is calculated, and the calculated hash value and the hash value corresponding to the one user among the plurality of hash values are the same. In this case, matching the one user information with the reference data is executed.
The data matching system according to any one of claims 1 to 3. An information processing device having a storage unit and a processing unit.
The processing unit
A plurality of sketching data having probabilistic data structures obtained by converting a plurality of user information relating to each individual user are received and stored in the storage unit.
Matching the plurality of sketching data with predetermined reference data is performed, and
When one sketching data is specified as a matching result from the plurality of sketching data, the one user among the plurality of user information is referred to the one user corresponding to the one sketching data. Send a request to request the provision of one user information corresponding to
The one user information is received and received with the signature data of the one user added, which is generated in response to the consent operation in which the one user consents to the provision of the one user information. The matching result is verified by performing matching between one user information and the reference data.
Information processing device. The computer
A plurality of sketching data having probabilistic data structures obtained by converting a plurality of user information related to each individual user are received and stored in a storage unit provided in the computer.
Matching the plurality of sketching data with predetermined reference data is performed, and
When one sketching data is specified as a matching result from the plurality of sketching data, the one user among the plurality of user information is referred to the one user corresponding to the one sketching data. Send a request to request the provision of one user information corresponding to
The one user information is received and received with the signature data of the one user added, which is generated in response to the consent operation in which the one user consents to the provision of the one user information. The matching result is verified by performing matching between one user information and the reference data.
Data matching method.

Images