JP2022059239A - Confidential Information Management Program, Confidential Information Management Method, and Confidential Information Management System - Google Patents

Abstract

To improve the safety of encrypted data against frequency analysis attacks.SOLUTION: A data registration unit 1 generates multiple second item values which are associated with any one of multiple first item values settable to one item in a secret record in a secret record group 5. The data registration unit 1 classifies each multiple second item value into one of the item value groups 4a and 4b. The data registration unit 1 converts the first item values which are set in one item in the secret record into at least one of the second item values corresponding to the first item values. The data registration unit 1 generates dummy record groups 6a, 6b each having a dummy record set to one item converted value of existing second item value set to one item of the secret record according to the bijective relationship of the second item value in groups 4a, 4b. The data registration unit 1 encrypts the item value set in each item of the secret record and the dummy record and outputs the same.SELECTED DRAWING: Figure 1

Description

The present invention relates to a confidential information management program, a confidential information management method, and a confidential information management system.

Computer systems can handle large amounts of data called big data. For example, by analyzing big data with a computer, it is possible to obtain various findings. The larger the amount of big data used for analysis, the more diverse knowledge can be obtained from the big data, and the higher the reliability of the obtained knowledge. Therefore, instead of constructing a unique database (DB) for big data for each organization such as a company, it is conceivable to use a DB that integrates data of a plurality of organizations in a plurality of organizations. Such an integrated DB service can be realized by using, for example, a cloud computing system (hereinafter referred to as "cloud").

When managing a DB that integrates data of a plurality of organizations in the cloud, the data provider organization may want to limit the use of the provided data to only other organizations permitted by the data provider organization. In addition, the organization that provides the data and the organization that uses the data may not want the cloud administrator to know the content of the provided data or the search content for the data in the DB. In these cases, the cloud that manages big data receives encrypted data from each organization, for example, and stores the encrypted data in a DB. Then, the cloud searches the data in the DB in response to a search request encrypted with the key passed from the organization that provides the data, using a collation technology that can determine the identity of the data as it is. As a result, the organization that provides the data can allow the provided data to be used only by the organization that has given the key. Also, in the cloud, the provided data and the search request remain encrypted, so it is possible to prevent the contents of the data from being known to the cloud administrator.

As a technique related to concealment of data in a DB, for example, a system for configuring and improving the privacy of a database system has been proposed. We also propose a secret partial match search technology that ensures high security against attacks such as frequency analysis for storage encryption tags and search encryption tags, and has a small data size and a small amount of communication. Has been done.

Special Table 2017-204277 Gazette International Publication No. 2017/126000

Even if a secret search technology that can perform a search with encrypted data is used, the security of the encrypted data cannot be said to be sufficient. That is, a frequency analysis attack is possible against the DB that stores the encrypted data, and the content of the search query or the search result may be inferred.

On one side, the case aims to improve security against frequency analysis attacks on encrypted data.

One idea is to provide a confidential information management program that causes a computer to perform the following processes.
When the number of types of a plurality of first item values that can be set for one item in a secret record group including one or more secret records to be hidden is not an integral multiple of a predetermined value, the computer performs a plurality of first items. Generates a plurality of second item values that are integral multiples of a predetermined value, with at least one associated with each item value and each associated with any one of the plurality of first item values. Next, the computer classifies each of the plurality of second item values into at least one item value group corresponding to one item by the same number as the predetermined value. Next, the computer converts the first item value set in one item in the secret record into at least one second item value corresponding to the first item value. Next, the computer sets each of the second item values in the item value group to one item of each secret record according to the bijective relationship of bijection to different second item values in the same item value group. Convert the second item value to a dummy value. Next, the computer generates a dummy record group having the same number of dummy records as the number of secret records in which the dummy value is set to one item. The computer then sets a first flag indicating true for the secret record. The computer then sets a second flag on the dummy record to indicate false. Next, the computer encrypts the item value set for each item of the secret record and the dummy record, the first flag given to the secret record, and the second flag given to the dummy record. Then, the computer outputs a secret record group and a dummy record group.

According to one aspect, it is possible to improve the security against frequency analysis attacks on encrypted data.

It is a figure which shows an example of the confidential information management system which concerns on 1st Embodiment. It is a figure which shows an example of a confidential information management system. It is a figure which shows one configuration example of the hardware of a data management server. It is a figure which shows an example of a frequency analysis attack. It is a figure which shows the generation example of the transformation set using a dummy element. It is a figure which shows the conversion example of the item value when the dummy element is used. It is a figure which shows the generation example of the dummy value when the dummy element is used. It is a figure which shows an example of the registration data when the dummy element is used. It is a figure explaining the equalization of a ciphertext. It is a figure explaining an appropriate group number G. It is a figure which shows an example of the frequency distribution after frequency disturbance. It is a figure which shows an example of the combination frequency when a dummy element is used. It is a figure which shows an example of the combination frequency when the dummy element is not used. It is a block diagram which shows the function of a secret information management system. It is a figure which shows an example of the disturbance processing of the appearance frequency using the dummy data. It is a figure which shows an example of the DB of the patient data in plain text. It is a figure which shows an example of the information stored in the conversion information storage part. It is a figure which shows an example of a keyword list. It is a figure which shows an example of the generation method of the conversion set list. It is a figure which shows the generation example of the split keyword list. It is a figure which shows an example of the conversion set list. It is a figure which shows an example of the split keyword list. It is a figure which shows the conversion example of the item value when the division keyword is used. It is a figure which shows an example of the registration data when the division keyword is used. It is a figure which shows an example of a concealment DB. It is a flowchart which shows an example of the procedure of a data registration process. It is a flowchart which shows an example of the procedure of a dummy data generation process. It is a figure which shows an example of the search condition input screen. It is a flowchart which shows an example of the procedure of a search process. It is a figure which shows an example of the inverse conversion of a dummy value. It is a figure which shows an example of the search result display screen.

Hereinafter, the present embodiment will be described with reference to the drawings. It should be noted that each embodiment can be implemented by combining a plurality of embodiments within a consistent range.
[First Embodiment]
First, the first embodiment will be described.

FIG. 1 is a diagram showing an example of a confidential information management system according to the first embodiment. FIG. 1 shows an example of realizing a confidential information management method using a confidential information management system. The confidential information management system includes a data registration device 1, a server 2, and a data utilization device 3. Each of the data registration device 1, the server 2, and the data utilization device 3 of each device in the confidential information management method, for example, by executing a program in which the processing procedure in each device for realizing the confidential information management method is described. Processing can be carried out.

The data registration device 1 has a storage unit 1a and a processing unit 1b in order to realize a confidential information management method. The storage unit 1a is, for example, a memory or a storage device included in the data registration device 1. The processing unit 1b is, for example, a processor included in the data registration device 1 or an arithmetic circuit. Although not shown, the server 2 and the data utilization device 3 also have a storage unit and a processing unit. For example, the storage unit of the server 2 stores the concealment database (DB) 2a.

The storage unit 1a of the data registration device 1 stores a concealed record group 5 including one or more concealed records to be concealed.
The processing unit 1b of the data registration device 1 first generates a plurality of second item values based on a plurality of first item values that can be set for one item in the secret record, and uses the generated second item value as one. Classify into item value groups 4a and 4b corresponding to the items (step S1). For example, the processing unit 1b determines whether the number of types of a plurality of first item values that can be set for one item in the secret record group 5 in the secret record group 5 is an integral multiple of a predetermined value. The predetermined value is a value preset as the number of types of item values having the same appearance frequency in the concealment DB 2a. In the example of FIG. 1, the predetermined value is "3".

When the number of types of the first item value is not an integral multiple of the predetermined value, the processing unit 1b is associated with at least one of the first item values, and each of the first item values is associated with any one of the plurality of first item values. Generates a plurality of associated second item values of a type that is an integral multiple of a predetermined value. On the other hand, in the processing unit 1b, when the number of types of the first item value is an integral multiple of a predetermined value, at least one is associated with each of the first item values, and each is one of a plurality of first item values. Generates a plurality of second item values of the same number of types as the first item value associated with.

In the example of FIG. 1, the number of types of the first item value of the item “gender” is “2”, which is different from the predetermined number “3”. Therefore, the processing unit 1b generates three second item values, "male_1", "male_1", and "female". The second item value "male _1" and "male _1" are both associated with the first item value "male". The second item value "female" is associated with the first item value "female". That is, by dividing the first item value "male" into two second item values "male_1" and "male_1", the number of types of the second item value becomes an integral multiple of the predetermined value "3". There is.

Further, the number of types of the first item value of the item "blood pressure" is "3", which is equal to the predetermined number "3". Therefore, the processing unit 1b generates three second item values, "normal", "hypotension", and "hypertension". The second item values "normal", "hypotension", and "hypertension" correspond to the first item values "normal", "hypotension", and "hypertension", respectively.

In this way, the number of types of the second item value is equal to or greater than the number of types of the first item value. If the number of types of the first item value of a certain item is "4", six types of second item values are generated for that item.

Next, the processing unit 1b classifies each of the plurality of second item values into at least one item value group 4a or 4b corresponding to the item of the second item value. In the example of FIG. 1, one item value group 4a corresponds to the item "gender", and one item value group 4b corresponds to the item "blood pressure". Therefore, the second item values of gender "male_1", "female", and "male_2" are classified into the item value group 4a, and the second item values of blood pressure "normal", "hypotension", and "hypertension" are item values. It is classified into group 4b.

Further, the processing unit 1b converts the first item value set in one item in the secret record into at least one second item value corresponding to the first item value (step S2). When there are a plurality of second item values corresponding to the first item value, the processing unit 1b randomly selects, for example, the second item value of the conversion destination. In the example of FIG. 1, there are two second item values corresponding to the first item value “male”, “male _1” and “male _1”. The first item value "male" of the gender of the secret record in the first line of the secret record group 5 is converted to the second item value "male_1", and the first item value "male" of the gender of the secret record in the second line. Is converted to the second item value "male_2". In this way, the secret record group 5a whose value is converted into the second item value is generated. For example, the group number "0" is assigned to the secret record group 5a.

The processing unit 1b generates dummy record groups 6a and 6b based on the secret record group 5a whose value is converted into the second item value (step S3). For example, the processing unit 1b bijects each of the second item values in the item value groups 4a and 4b to different second item values in the same item value groups 4a and 4b according to the bijective relationship. Converts the existing second item value set in the item of to a dummy value. Bijection is a map, and for any element of the set that is the codomain of the map, there is always only one element that is the image of the map in the set that is the domain of the map. It is something to do. Then, the processing unit 1b generates dummy record groups 6a and 6b having the same number of dummy records as the number of secret records in which the dummy value is set to one item. For example, a group number "1" is assigned to the dummy record group 6a, and a group number "2" is assigned to the dummy record group 6b.

Hereinafter, the secret record group 5a and the dummy record groups 6a and 6b are collectively referred to as a record group. In addition, secret records and dummy records are collectively called records.
The dummy record groups 6a and 6b are generated by a number "1" less than the number of the second item values (predetermined value "3") in the item value groups 4a and 4b. For the generation of each of the dummy record groups 6a and 6b, different bijections are performed so that the existing second item value set in one item of the secret record is converted into a different second item value for each dummy record group. Relationships are used. For example, in the item value groups 4a and 4b, the second item value on the right side of the second item value corresponding to the existing second item value by the group number becomes the dummy value of the dummy record group to which the group number is assigned. In this case, the item value groups 4a and 4b have a circular list structure. That is, the right side of the second item value at the right end is the second item value at the left end.

For example, when generating the dummy record group 6a of the group number "1", the processing unit 1b is the item value group 4a of the second item value (existing second item value) set in each secret record of the secret record group 5a. , Specify the position within 4b. Then, the processing unit 1b sets the second item value on the right side of the specified position as a dummy value in the dummy record in the dummy record group 6a.

When generating the dummy record group 6b of the group number "2", the processing unit 1b is the item value group 4a of the second item value (existing second item value) set in each secret record of the secret record group 5a. , Specify the position within 4b. Then, the processing unit 1b sets the second item value on the right side only two from the specified position as a dummy value in the dummy record in the dummy record group 6a.

In this way, for example, based on the second item value "male_1" in the secret record group 5a, the dummy record of the dummy record group 6a of the group number "1" has a dummy value "female" and a group number "2". A dummy value "male _1" is set in the dummy record of the dummy record group 6b. That is, dummy values are generated based on the bijective relations that are different for each of the dummy record groups 6a and 6b.

Next, the processing unit 1b sets a flag for each record (step S4). For example, the processing unit 1b sets a first flag indicating true in the secret record and sets a second flag indicating false in the dummy record. For example, in the setting of the second flag, the processing unit 1b sets a second flag having a value different from that of the first flag, which is different for each one or a plurality of generated dummy records, in the dummy records included in each of the dummy records. ..

The processing unit 1b can use a function for each record group to generate the flag value of each record. For example, the processing unit 1b sets the value of the first function whose variable is the identifier of the secret record in the secret record as the first flag. Further, the processing unit 1b uses the identifier of the dummy record as a variable, and sets the value of the second function, which is different from the first function for the value of the same variable and outputs a different value for each dummy record group to which the dummy record belongs, as the second function. Set to a dummy record as a flag.

As a function that generates a flag value, for example, a function that uses a record identifier (ID: Identification) as a variable can be used. In the function for each record group, the group number is used for the constant included in the function. For example, the processing unit 1b assigns an ID for identifying each record to each record in a set of a set of a secret record and a dummy record. The processing unit 1b multiplies the ID by a predetermined value "3" for each record, and sets a value obtained by adding the group number of the record group to which the ID belongs as a flag. In this case, if the value of the flag is a multiple of the ID, the flag is the first flag indicating true. If the value of the flag is not a multiple of the ID, the flag is a second flag indicating false.

When the group number is used to generate the flag, not only whether the record is a secret record or a dummy record but also the group number of the record group to which the record belongs can be specified based on the value of the flag of the record. For example, the remainder when the value of the flag of the record is divided by the predetermined value "3" is the group number of the record group to which the record belongs.

Next, the processing unit 1b encrypts the item value set for each item of the secret record and the dummy record, the first flag given to the secret record, and the second flag given to the dummy record (step). S5). In the example of FIG. 1, the processing unit 1b has a flag as one item, and the item values of "gender", "blood pressure", and "flag" are encrypted for each item value. Hereinafter, the ciphertext obtained by encrypting a certain plaintext shall be referred to as "H (plaintext)". The set of records in which each item value is encrypted becomes the registration data 7 in the concealment DB 2a.

Then, the processing unit 1b outputs the registration data 7 including the secret record group and the dummy record group (step S6). For example, the processing unit 1b stores the registration data 7 in the concealment DB 2a of the server 2.

In this way, the registration data 7 whose security against frequency analysis attacks is improved by adding a dummy record is stored in the concealment DB 2a of the server 2. The server 2 provides the data utilization device 3 with a search service for the registered data 7 stored in the concealment DB 2a.

The data utilization device 3 has information on the item value groups 4a and 4b generated by the data registration device 1 and information indicating the correspondence between the first item value and the second item value. For example, the data utilization device 3 acquires such information from the data registration device 1. Further, the data utilization device 3 may generate the second item value based on the first item value and classify the second item value into the item value group by the same algorithm as the processing unit 1b of the data registration device 1.

The data utilization device 3 accepts input of search conditions from the searcher. In the search condition, for example, the search item value of one item of the concealment DB 2b is shown. In the example of FIG. 1, the searcher inputs the item value "male" of the item "gender" as a search condition.

The data utilization device 3 transmits a search query according to the search condition to the server 2 (step S7). For example, the data utilization device 3 converts the search item value of one item shown in the search condition into one or a plurality of second item values corresponding to the first item value having the same value as the search item value. For example, the gender "male" is converted into "male_1" and "male_1". The data utilization device 3 encrypts the search item values and transmits the search queries 8a and 8b including the second item values obtained by the conversion to the server 2.

The server 2 performs a search according to the search queries 8a and 8b (step S8). For example, the server 2 collates the search item value of the ciphertext in the search queries 8a and 8b with the item value of the ciphertext of each record in the concealment DB 2a. The server 2 transmits the search result 9 including the record in which the item value matching the search item value is set to the data utilization device 3.

The data utilization device 3 acquires the search result 9 by the search queries 8a and 8b for the concealment DB from the server 2. Then, the data utilization device 3 displays the true search result obtained by removing the dummy record from the search result 9 (step S9). For example, the data utilization device 3 has an item value set for each item of the secret record and the dummy record included in the search result 9, a first flag given to the secret record, and a second flag given to the dummy record. To decrypt. Next, the data utilization device 3 removes the dummy record from the search result 9 based on the first flag and the second flag, and acquires a secret record satisfying the search condition. Then, the data utilization device 3 displays the true search result on, for example, the display screen 10.

In this way, even when the number of types of item values that can be set for the item is small, the number of types of item values can be increased to a predetermined value to generate the registration data 7. Moreover, in the registered data, the frequency of appearance of the same number of types of item values as the predetermined values is equalized. As a result, it is possible to improve the safety against frequency analysis attacks using item values with a small number of types of item values that can be set.

The data utilization device 3 can also send a search query to search for dummy records and generate a secret record satisfying the search condition from the dummy records included in the search result. In that case, the data utilization device 3 converts the search item value shown in the search condition according to the bijective relationship used by the data registration device 1 to generate any of the dummy record groups 6a and 6b. Then, the data utilization device 3 transmits a search query including the conversion item value obtained by the conversion to the server 2.

When the data utilization device 3 receives the search result from the server 2, the data utilization device 3 extracts a matching dummy record having a conversion item value from the search result based on the first flag and the second flag. For example, the data utilization device 3 has a record having a second flag corresponding to the dummy record group 6a when the search query has a conversion item value converted by the bijection relationship used to generate the dummy record group 6a. Is extracted as a conforming dummy record. Further, the data utilization device 3 has a record having a second flag corresponding to the dummy record group 6b when the search query has a conversion item value converted by the bijection relationship used for generating the dummy record group 6b. Is extracted as a conforming dummy record.

Then, the data utilization device 3 acquires a secret record satisfying the search condition by converting the decoded already decoded item value of one item of the conforming dummy record according to the inverse mapping relationship of the bijection relationship.

By searching for dummy records and making it possible to generate a secret record from the dummy records included in the search results, it is possible to prevent the search item values included in the search conditions from being leaked.

[Second Embodiment]
Next, the second embodiment will be described. The second embodiment effectively utilizes patient data possessed by a large number of medical institutions by using a patient data collection and utilization platform. For example, the patient data collection and utilization platform will integrate data from multiple hospitals into big data so that big data can be used by multiple pharmaceutical companies. As a result, pharmaceutical companies and hospitals will be able to easily grasp surveys for new drug development (number of patients with target diseases, location area, etc.).

It is efficient to realize the patient data collection and utilization platform by using the cloud managed by the ICT (Information and Communications Technology) company. The cloud makes it easier for hospitals and pharmaceutical companies to access big data. However, patient data is sensitive personal information, and even if it is legally permitted to be referred to, it is recommended to keep it secret from the cloud administrator in consideration of the risk of leakage and unintended use. Appropriate. In addition, since the content of the search by the pharmaceutical company is linked to important trade secrets regarding the strategy of the pharmaceutical company, it is desirable to keep the content of the search confidential. Therefore, the cloud that realizes the platform for collecting and utilizing patient data manages the encrypted patient data in the DB by using an encryption method that can be searched while it is encrypted, and also uses the encrypted search keyword. , Perform data search with the ciphertext as it is. As a result, the patient data and the contents of the search query can be kept secret even from the cloud administrator.

Here, when the data of a plurality of organizations (for example, a hospital) are used in the same mechanism, the DB format and the attribute names and values to be stored are disclosed as common specifications. Moreover, the cloud administrator, who is also responsible for system development, is familiar with the concealment algorithm. Then, if there is a malicious person among the cloud administrators, it may not be enough to manage the patient data as a ciphertext.

Here, it is assumed that the data is stored in a matrix format in order to perform an efficient search using a refined search or the like. In this case, for example, in the column labeled with the item "gender", there are only two types of plaintext candidates, "male" and "female", and there are many ciphertexts based on the same plaintext in the concealment DB. Become. And cloud administrators who can be attackers can compare and refer to these ciphertexts.

In addition, large hospitals disclose information such as the number of patients by disease as part of public relations. Similarly, for all information, such frequency information may be published. Therefore, the frequency distribution of all data may be publicly known. In addition, new information is added to medical information every day, and users demand the latest information. Therefore, it is important that the concealment DB can reflect the difference from the latest plaintext DB.

As described above, in the second embodiment, the contents of the concealed DB and the search contents can be concealed from the attacker including the cloud administrator who manages the concealed DB even under the following conditions (i) to (v). Is a security requirement.
(I) The types and values of plaintext are known, and there may be very few types.
(Ii) The attacker can refer to all the ciphertexts existing in the concealment DB, the encrypted search query, and all the ciphertexts in the concealment DB matching the same.
(Iii) Algorithms for encryption and collation other than information (secret key) that is intentionally managed as secret information are known.
(Iv) The frequency distribution of all data is known.
(V) The concealment DB is updated sequentially, and the attacker can refer to the difference information.

When there is a concealed DB that satisfies the conditions (i) to (v), a brute force attack can be considered as an easily assumed attack method. Since there are few types of plaintext and it is publicly known, if the encryption key is known, the attacker encrypts all types of plaintext and creates a plaintext and ciphertext dictionary to create data and search queries in the concealment DB. Can be easily deciphered. Therefore, in order to meet the security requirements, the encryption key must be a private key.

In addition, an attacker who is also the administrator of the concealment DB can refer to the result of the collation determination. Therefore, it can be seen that all the ciphertexts that are determined to match a certain search query correspond to the same plaintext. Therefore, even if the same plaintext is encrypted and a different ciphertext is used each time, an attacker can convert the same plaintext into a deterministic ciphertext in which the same ciphertext is used. Since the attacker knows the frequency distribution of the data, the content of the confidential data can be easily estimated by comparing it with the frequency of the ciphertext. Even if you do not know the frequency distribution accurately, for example, by referring to the gender data of obstetrics and gynecology, you can easily identify the plaintext of the more ciphertext as "female". Therefore, it is important to take measures such as frequency disturbance as well as encryption.

Therefore, in the second embodiment, a confidential information management system capable of concealing the contents of the concealment DB and the search contents from the attacker is provided even under the conditions (i) to (v). In the confidential information management system according to the second embodiment, frequency disturbance is realized by adding dummy data. At this time, the confidential information management system keeps the data growth rate constant and prevents unnecessary storage and search processing from increasing. Then, the confidential information management system is a dummy record so that there are at least k-1 item values (k is an integer of 2 or more) of other types having the same frequency of appearance for one type of item value. To add. As a result, it becomes possible to narrow down only to the fact that a certain ciphertext is one of k plaintexts. That is, the secret information management system makes sure that the number of ciphertexts having the same frequency of appearance is at least k.

FIG. 2 is a diagram showing an example of a confidential information management system. In the second embodiment, the patient data collection and utilization platform 12 is constructed by the cloud. The patient data collection and utilization platform 12 has a data management server 100. The data management server 100 is a computer that manages patient data as a ciphertext. The data management server 100 is connected to the data registration servers 200 and 300 of the hospitals 13 and 14 and the terminal devices 400 and 500 of the pharmaceutical companies 15 and 16 via the network 20.

The data registration server 200 of the hospital 13 is a computer that stores patient data such as an electronic medical record of a patient who has been examined at the hospital 13, encrypts the patient data, and provides the patient data to the data management server 100. Similarly, the data registration server 300 of the hospital 14 accumulates patient data such as an electronic medical record of a patient who has been examined at the hospital 14, encrypts the patient data, and provides the patient data to the data management server 100.

The terminal device 400 of the pharmaceutical company 15 is a computer used by the employees of the pharmaceutical company 15 to search patient data managed by the data management server 100. The terminal device 500 of the pharmaceutical company 16 is a computer used by the employees of the pharmaceutical company 16 to search patient data managed by the data management server 100.

Such a confidential information management system is useful for improving the efficiency of new drug development utilizing medical information, for example. For example, when pharmaceutical companies 15 and 16 conduct a clinical trial, the success rate of the clinical trial can be improved by formulating a plan in consideration of the number of patients with the target disease. Therefore, by centrally managing patient data extracted from the electronic medical records of patients distributed in a large number of hospitals 13 and 14 on the patient data collection and utilization platform 12, it is possible to easily obtain information on patients with the desired disease. Become.

FIG. 3 is a diagram showing an example of a configuration of hardware of a data management server. The entire device of the data management server 100 is controlled by the processor 101. A memory 102 and a plurality of peripheral devices are connected to the processor 101 via a bus 109. The processor 101 may be a multiprocessor. The processor 101 is, for example, a CPU (Central Processing Unit), an MPU (Micro Processing Unit), or a DSP (Digital Signal Processor). At least a part of the functions realized by the processor 101 executing a program may be realized by an electronic circuit such as an ASIC (Application Specific Integrated Circuit) or a PLD (Programmable Logic Device).

The memory 102 is used as the main storage device of the data management server 100. At least a part of an OS (Operating System) program or an application program to be executed by the processor 101 is temporarily stored in the memory 102. Further, various data used for processing by the processor 101 are stored in the memory 102. As the memory 102, a volatile semiconductor storage device such as a RAM (Random Access Memory) is used.

Peripheral devices connected to the bus 109 include a storage device 103, a graphic processing device 104, an input interface 105, an optical drive device 106, a device connection interface 107, and a network interface 108.

The storage device 103 electrically or magnetically writes and reads data to and from the built-in recording medium. The storage device 103 is used as an auxiliary storage device for a computer. The storage device 103 stores an OS program, an application program, and various data. As the storage device 103, for example, an HDD (Hard Disk Drive) or an SSD (Solid State Drive) can be used.

A monitor 21 is connected to the graphic processing device 104. The graphic processing device 104 causes the image to be displayed on the screen of the monitor 21 according to the instruction from the processor 101. The monitor 21 includes a display device using an organic EL (Electro Luminescence), a liquid crystal display device, and the like.

A keyboard 22 and a mouse 23 are connected to the input interface 105. The input interface 105 transmits signals sent from the keyboard 22 and the mouse 23 to the processor 101. The mouse 23 is an example of a pointing device, and other pointing devices can also be used. Other pointing devices include touch panels, tablets, touchpads, trackballs and the like.

The optical drive device 106 reads the data recorded on the optical disk 24 by using a laser beam or the like. The optical disk 24 is a portable recording medium on which data is recorded so that it can be read by reflection of light. The optical disk 24 includes a DVD (Digital Versatile Disc), a DVD-RAM, a CD-ROM (Compact Disc Read Only Memory), a CD-R (Recordable) / RW (ReWritable), and the like.

The device connection interface 107 is a communication interface for connecting peripheral devices to the data management server 100. For example, a memory device 25 or a memory reader / writer 26 can be connected to the device connection interface 107. The memory device 25 is a recording medium equipped with a communication function with the device connection interface 107. The memory reader / writer 26 is a device that writes data to or reads data from the memory card 27. The memory card 27 is a card-type recording medium.

The network interface 108 is connected to the network 20. The network interface 108 transmits / receives data to / from another computer or communication device via the network 20.

The data management server 100 can realize the processing function of the second embodiment by the hardware configuration as described above. The data registration servers 200, 300 and the terminal devices 400, 500 can also be realized by the same hardware as the data management server 100. Further, the data registration device 1, the server 2, and the data utilization device 3 shown in FIG. 1 can also be realized by the same hardware as the data management server 100.

The data management server 100 realizes the processing function of the second embodiment, for example, by executing a program recorded on a computer-readable recording medium. The program describing the processing content to be executed by the data management server 100 can be recorded on various recording media. For example, a program to be executed by the data management server 100 can be stored in the storage device 103. The processor 101 loads at least a part of the program in the storage device 103 into the memory 102 and executes the program. Further, the program to be executed by the data management server 100 can be recorded on a portable recording medium such as an optical disk 24, a memory device 25, and a memory card 27. The program stored in the portable recording medium can be executed after being installed in the storage device 103 by control from the processor 101, for example. The processor 101 can also read and execute the program directly from the portable recording medium.

Next, a frequency analysis attack against a DB (confidential DB) that stores encrypted data will be described.
FIG. 4 is a diagram showing an example of a frequency analysis attack. It is assumed that the concealment DB 32 is generated based on the DB 31 that stores the plaintext data. For example, the item value for each item included in each record of the DB 31 is individually encrypted and stored in the concealed DB 32. In the second embodiment, the item value set for each item may be referred to as a keyword.

In the example of FIG. 4, it is assumed that encryption is performed by a deterministic encryption technique in which the same encrypted data is generated from the same plaintext. Further, the attacker 33 includes all the item names ("clinical department", "gender", "age group") used in the original DB31 item and all the keyword candidates (keyword list) that can be stored in each item. Suppose you know.

The attacker 33 can infer the plaintext corresponding to the ciphertext by comparing the appearance frequency of the ciphertext with the known frequency information. For example, only two types of values are registered in the second column of the concealment DB 32. Therefore, it can be inferred that the attacker 33 corresponds to the item "gender" in the second column of the concealment DB 32.

Further, the attacker 33 compares the appearance frequencies of the values "tumesf" and "uylgm" in the second column of the concealment DB 32, and can confirm that "uylgm" is more common. Then, the attacker 33 can infer that the "uylgm", which appears more frequently in consideration of the population distribution, is the encrypted data corresponding to the "female".

The attacker 33 can also infer the contents by combining a plurality of item values. For example, the attacker 33 can confirm that the value in the second column corresponding to the value “sEfgsr” in the first column of the concealment DB 32 is only “uylgm”. Then, the attacker 33 can infer that the value only in combination with one gender is "gynecology" in the clinical department, and can be strongly convinced that the plaintext of "uylgm" is "female".

Further, the attacker 33 can confirm that the value in the third column corresponding to the value ": opfyy" in the first column of the concealment DB 32 is only "jr8olt". Then, the attacker can infer that the remaining third column is the age group, the clinical department that has only a combination with a specific age group is "pediatrics", and the corresponding age group is "children".

In the example of FIG. 4, it is assumed that the encryption is performed by deterministic encryption, but a frequency analysis attack is also possible against the confidential DB encrypted by probabilistic encryption. Probabilistic encryption is an encryption technology that encrypts the same plaintext into a different ciphertext each time it is encrypted. When probabilistic encryption is performed, the values of the plurality of ciphertexts generated from the same plaintext are different, so that the frequency of appearance of the original plaintext cannot be counted only by referring to the encryption DB. Therefore, encryption by probabilistic encryption makes frequency analysis attacks more difficult than deterministic encryption.

However, even if probabilistic encryption is used, if the concealed search targeting the concealed DB is allowed, the attacker finds that all the ciphertexts that match the search query are the same plaintext ciphertexts. Those ciphertexts can be converted to deterministic encryption. Therefore, even if probabilistic encryption is used, an attacker can convert a large number of ciphertexts in the concealment DB into deterministic encryption as the data is utilized, and the frequency is the same as when encrypted with deterministic encryption. Analytical attacks are possible.

In this way, the frequency analysis attack is an attack method that infers plaintext by analogy with the appearance frequency of characters and character strings used in plaintext and ciphertext, and snoops on it. Then, when the item value of the original plaintext is biased, the ciphertext that encrypts the plaintext becomes vulnerable to a frequency analysis attack.

Therefore, in order to improve the security against frequency analysis attacks, it is conceivable to use dummy data to disturb the appearance frequency of the original plaintext. At this time, even if the item value (dummy value) of each item in the dummy data is added without considering the type of item value in the original plaintext and the appearance frequency of each item value, the appearance frequency is appropriately disturbed. I can't let you.

For example, by considering the frequency of appearance of item values in the original plaintext data and registering dummy data having dummy values with appropriate contents, reliable frequency disturbance can be realized. In this case, the data registration servers 200 and 300 generate a dummy record group having the same distribution as the frequency distribution of true data, but each value is converted into another value. Each dummy record in this dummy record group is associated with a record of true data and has a one-to-one correspondence. Then, the data registration servers 200 and 300 convert the item value of the record of true data into another item value and set it as the dummy value of the corresponding dummy record. The one that defines this conversion rule is called a conversion set.

The meanings of the characters or terms used in the second embodiment will be described below.
“K” is a preset security parameter, and an integer of 2 or more is set. The system administrator sets k to the minimum number of keywords that an attacker can narrow down when receiving a frequency analysis attack among a plurality of keywords of one item.

"True data" is data stored in a plaintext DB. A "record of true data" is a record that contains keywords in the true data. The record of true data is an example of a secret record of the first embodiment. The "dummy value" is a value added to disturb the frequency distribution of true data. A "dummy record" is a record containing a dummy value. "True value" is a keyword that can be set in the plaintext DB. The true value is an example of the first item value in the first embodiment.

“G” is the number of groups, and is also a value indicating how many times the amount of data is multiplied by the plaintext data by adding dummy data. This group number G is an example of a predetermined value shown in the first embodiment. A "group" is a set of multiple records. The set of records of true data is the group "0". A group of G-1 "1, 2, ..., G-1" including the same number of dummy records as the number of records of true data is generated. One G-1 dummy record is generated for one record included in the group "0", and one G-1 dummy record is generated in the group "1, 2, ..., G-1", respectively. Will be added one by one. The "flag" is a value given to the dummy record so that the terminal devices 400 and 500 can distinguish the dummy record.

A "conversion set" is a set containing k or more true values and a dummy element or a split keyword (a keyword generated from one or more true values) for each column (item). The split keyword is an example of the second item value in the first embodiment. The transformation set represents a rule for deciding what value dummy record to add for one true value. The number of elements in the transformation set is equal to the number of groups G. The transformation set is also used to disturb plaintext search queries and restore disturbed search results.

"J" is a column number. j is used as an index for specifying the item of the value registered in the record. "X _j " is the number of types of item values (keywords) that can be set in the field of the jth column in the record.

A "dummy element" is a dummy element to fill in the shortage of elements to be included in the transformation set if X _j is less than G or not a multiple of G. The dummy element is a value that is not included in the keyword list.

Next, a method for registering dummy data in consideration of the frequency of appearance of item values in the original plaintext data will be described.
As an example of the dummy data registration method, a method using a dummy element can be considered. When a dummy element is used, the data registration servers 200 and 300 generate a conversion set with G arbitrarily selected from possible keywords or dummy values of each item as elements. Then, the data registration servers 200 and 300 generate the conversion set until the possible keywords of each item are included as the elements of any one conversion set.

FIG. 5 is a diagram showing an example of generating a transformation set using dummy elements. In the example of FIG. 5, it is assumed that the record of true data includes the items of "blood pressure" and "blood type". In the keyword list 34, keywords that can be set for each item are registered for each item. In the example of FIG. 5, there are 3 types of item values that can be set for "blood pressure" (normal, hypotension, and hypertension), and 8 types of item values that can be set for "blood type" (A +, B +, O +, AB +). , A-, B-, O-, AB-).

In the conversion set list 35 of FIG. 5, when k = 3 and G = 4, the item “blood pressure” having three kinds of keywords and the item “blood type” having eight kinds of keywords correspond to each of the two items. The transformation sets 35a, 35b, 35c generated in the above are shown. For the item "blood pressure", only one conversion set 35a including {normal, hypotension, hypertension, D1} is generated. "D1" is a dummy element. For the item "blood type", a conversion set 35b containing {A +, B +, O +, AB +} as an element and a conversion set 35c containing {A-, B-, O-, AB-} as elements. Two have been generated.

The transformation sets 35a, 35b, and 35c have a circular list structure, and the elements are arranged in order. Each element in the conversion set 35a, 35b, 35c is assigned an element number in ascending order from 0 in order from the beginning. For example, in the conversion set 35a, assuming that the left end in the figure is the head, "normal" is the head element (element number "0"), and "hypotension" is the next element (element number "1"). Since it has a circular list structure, for example, the element next to the last element "D1" is "normal".

The data registration servers 200 and 300 generate a dummy value to be set in the dummy record by converting the keyword of the true data record based on the conversion sets 35a, 35b, 35c. For example, the data registration servers 200 and 300 generate one dummy value to be set in the dummy record in the dummy record group for each dummy record group based on one keyword of the true data record.

FIG. 6 is a diagram showing an example of conversion of item values when a dummy element is used. _For example, the data registration servers 200 and 300 refer to the keyword registered for each item for the record of true data, and specify the conversion set including the keyword and the element ba corresponding to the keyword. a is an element number of an integer of 0 or more, and element b _a is an element of element number a. Then, the data registration servers 200 and 300 convert the dummy values c _{a and g} of the dummy record group of the group number g by the following equation (1) based on the element ba of the keyword included in the true data. To determine by referring to.
c _{a, g} = b _{mod (a + g, G)} (1)
In the example of FIG. 6, it is assumed that the item value appearing in the record of true data is "hypotension". Since there are three dummy record groups (G = 4), the data registration servers 200 and 300 have three dummy record groups (g = 1, 2, 3) based on the conversion set 35a including the keyword “hypotension”. ) Generate a dummy value to be set for each dummy record. First, the data registration servers 200 and 300 acquire the element number "1" (a = 1) in the conversion set 35a of the elements corresponding to the keyword "hypotension".

When the data registration servers 200 and 300 generate dummy values c _1,1 of a dummy record group having a group number "1" (g = 1), they first calculate mod (1 + 1,4) = 2. Then, the data registration servers 200 and 300 use the keyword "hypertension" corresponding to the element b ₂ in the conversion set 35a having the calculated value "2" as the element number, and the dummy record group of the group number "1". Determine the dummy value to be set in.

When the data registration servers 200 and 300 generate the dummy values c1 and ₂ of the dummy record group of the group number "2" (g = 2), they first calculate mod (1 + 2,4) = 3. Then, the data registration servers 200 and 300 set the dummy element "D1" corresponding to the element b ₃ in the conversion set 35a having the calculated value "3" as the element number, and the dummy record of the group number "2". Determine the dummy value to be set for the group.

When the data registration servers 200 and 300 generate the dummy values c 1, ₃ of the dummy record group of the group number "3" (g = 3), first, mod (1 + 3, 4) = 0 is calculated. Then, the data registration servers 200 and 300 use the keyword "normal" corresponding to the element b ₀ in the conversion set 35a whose element number is the calculated value "0", and the dummy record group of the group number "3". Determine the dummy value to be set in.

The relationship between the conversion source and the conversion destination of the keyword as shown in FIG. 6 is an example of the bijective relationship. As long as the bijective relationship is satisfied, the relationship between the conversion source keyword and the conversion destination keyword or dummy element may be defined by a rule different from the example shown in FIG.

The data registration servers 200 and 300 generate dummy values as shown in FIG. 6 for each item value appearing in the true data.
FIG. 7 is a diagram showing an example of generating a dummy value when a dummy element is used. In the example of FIG. 7, in the true data 36, “normal” appears twice and “hypotension” and “hypertension” appear once each as the keyword of the item “blood pressure”. Further, as the item value of the item "blood type", "A +" appears twice, and "O-" and "AB-" appear once each.

Dummy values to be set for each dummy record group are generated based on each of the keywords appearing in the true data 36. For example, based on the blood pressure "normal", the dummy value "hypotension" for the dummy record group of group number 1 (g = 1), the dummy value "hypertension" for the dummy record group of group number 2 (g = 2), A dummy value "D1" for a dummy record group of group number 3 (g = 3) is generated. Further, for example, based on the blood type "A +", the dummy value "B +" for the dummy record group of group number 1 (g = 1) and the dummy value "O +" for the dummy record group of group number 2 (g = 2). , A dummy value "AB +" for a dummy record group of group number 3 (g = 3) is generated.

The data registration servers 200 and 300 allocate the generated dummy values to the dummy records and generate the registration data by encrypting the item values.
FIG. 8 is a diagram showing an example of registration data when a dummy element is used. The registered data 37 includes a record group 37a of the true data 36 and a dummy record group 37b, 37c, 37d. A flag is given to each record in the registration data 37. And the keyword (including the flag value) included in the registration data 37 is encrypted.

The flag value is used to distinguish between a record of true data and a dummy record. For example, a flag value "0" can be set for a record of true data, and a flag value "1" can be set for a dummy record. In this case, when G ≧ 3, the ciphertext (H (1)) having the flag value “1” is larger than the ciphertext (H (0)) having the flag value “0”. Then, the attacker can determine whether the record is a record of true data based on the frequency of occurrence of the ciphertext of the flag value. Therefore, the data registration servers 200 and 300 also disturb the frequency of the ciphertext of the flag value.

For example, the data registration servers 200 and 300 prepare different functions that output different values for the same variable value for each of the true data record group and the dummy record group in order to determine the flag value. Then, the data registration servers 200 and 300 use the value input in the ID column value as the variable x in the prepared function as the flag value.

When the flag value generation function of the group of group number g (record group of true data or dummy record group) is f _g (x), the flag value generation function used in the example of FIG. 8 is as follows. ..
f _g (x) = (G + 1) x + g (2)
In the example of FIG. 8, G = 4. Therefore, the flag value generation function of the record group 37a (group number “0”) of the true data is “f ₀ (x) = 4x + 0”. The flag value generation function of the dummy record group 37b (group number "1") is "f ₁ (x) = 4x + 1". The flag value generation function of the dummy record group 37c (group number "2") is "f ₂ (x) = 4x + 2". The flag value generation function of the dummy record group 37d (group number "3") is "f ₃ (x) = 4x + 3".

At the time of the search, the terminal devices 400 and 500 issue a search query in which the record group 37a of the true data or any one of the dummy record groups 37b, 37c, 37d is designated as the search target. As a response to the search query, the data management server 100 responds with a record that matches the search condition as a search result. At that time, the data management server 100 includes the ID column and the flag value of the flag column in the search result. The terminal devices 400 and 500 input the ID of the record shown in the search result into each of the flag value generation functions for each group, and encrypt the obtained function value. Then, the terminal devices 400 and 500 compare the ciphertext of the function value of the flag value generation function with the flag value (ciphertext) of the record. The terminal devices 400 and 500 determine that the group corresponding to the flag value generation function whose comparison results match is the group to which the record belongs.

In the registration data 37 generated in this way, the appearance frequency of the ciphertexts corresponding to the elements belonging to the same conversion set is made uniform.
FIG. 9 is a diagram illustrating the homogenization of ciphertext. For example, all the keywords that can be set for the blood pressure item belong to one conversion set 35a (see FIG. 5). The frequency of appearance of the keyword "normal" in the true data 36 is "2", the frequency of appearance of the keyword "hypotension" is "1", and the frequency of appearance of the keyword "hypotension" is "1".

In the registration data 37, the frequency of appearance of the ciphertext for each keyword and the value of the dummy element is made uniform. For example, the ciphertext "H (normal)" for the keyword "normal", the ciphertext "H (hypotension)" for the keyword "hypotension", the ciphertext "H (hypotension)" for the keyword "hypotension", and the value of the dummy element. The frequency of appearance of each of the ciphertexts "H (D1)" of "D1" is "4".

As can be seen from the conversion set generation example shown in FIG. 5, each conversion set contains k or more keywords (k = 3 in the example of FIG. 5). Therefore, even if the attacker knows the frequency of occurrence of a specific ciphertext, it cannot identify which of the keywords belonging to the same conversion set is the ciphertext. That is, the attacker can narrow down the candidate keywords corresponding to the ciphertext to only k. As a result, it is more secure against frequency analysis attacks.

In order to narrow down the candidate keywords corresponding to the ciphertext to only k, it is important to appropriately determine the value of the group number G.
FIG. 10 is a diagram illustrating an appropriate group number G. The group number G is determined according to k. As described above, k is a security parameter set in advance so that only k keyword candidates corresponding to the ciphertext can be narrowed down. Therefore, k is determined according to the degree of safety against frequency analysis attacks required for the system.

At this time, there is also an item in which the number of types of keywords that can be set X _j <k. Such an item cannot contain more than k keywords in the conversion set. Therefore, the attacker knows that the keyword corresponding to the ciphertext of the corresponding item is one of X _j (k <) keywords. However, it is publicly known information that the keyword corresponding to the ciphertext of such an item is any of _Xj , and there is no problem even if the attacker knows it. For example, in the example of FIG. 10, there are only two keywords that can be set for the item "gender", "male" or "female". However, the fact that the gender is either "male" or "female" is information that the attacker knows without any problem.

On the other hand, if the number of types of keywords that can be set is X _j ≧ k, it is appropriate to include k or more keywords in the conversion set. Therefore, when there is an item in which X _j is not a multiple of k, the data registration servers 200 and 300 adjust G so that k or more keywords are included in each conversion set.

For example, in the example of "blood type" in FIG. 10, X _j = 4 for k = 3. At this time, if G = 3 as shown in the conversion set list 38, when the searcher searches for "O" or "AB", the attacker who sees the search result finds "O" and "AB". It turns out that it is either of the two. Therefore, in order to include k or more keywords that can be set in the corresponding item for the item of X _j ≧ k in each conversion set, G is determined so that G ≧ k. For example, if G = 4 as in the conversion set list 39, each conversion set contains three or more keywords that can be set for the corresponding items.

FIG. 11 is a diagram showing an example of frequency distribution after frequency disturbance. The frequency distribution table 40 shown in FIG. 11 shows each keyword and dummy after frequency disturbance in a DB having items in which five types of keywords “A”, “B”, “C”, “D”, and “E” can be set. It represents the frequency of appearance of the element value "F". In the example of FIG. 11, G = 3. There are two conversion sets, "A, B, C" and "D, E, F".

The dummy value of the dummy record group of the group number "1" is "A → B", "B → C", "C → A", "D → E", based on the conversion set of the item values of the true data. It is generated by converting "E → F" and "F → D". The dummy value of the dummy record group of the group number "2" is "A → C", "B → A", "C → B", "D → F", based on the conversion set of the item values of the true data. It is generated by converting "E → D" and "F → E".

In true data, the frequency of appearance of "A" is "10", the frequency of appearance of "B" is "7", the frequency of appearance of "C" is "2", and the frequency of appearance of "D" is "1", "E". The appearance frequency of "" is "5", and the appearance frequency of "F" is "0". Then, the appearance frequency of each keyword included in the conversion set "A, B, C" after the frequency disturbance becomes "19". The frequency of appearance of the values of each keyword or dummy element included in the conversion set "D, E, F" after frequency disturbance is "6". That is, the frequency of appearance of item values in the set is made uniform for each set of three item values.

Further, the dummy value of each dummy record group is generated by converting the keyword of true data on a one-to-one basis. Therefore, the degree of variation in the frequency of appearance of keywords does not change. For example, when the values of the appearance frequency are arranged in descending order of the appearance frequency, it is "10,7,5,2,1,0" in both the record group of true data and the two dummy record groups. In this way, the degree of variation in the appearance frequency of the item values for each dummy record group is equal to the true data for all the dummy record groups. As a result, it becomes difficult to determine which record group is the true data record group from the degree of variation in the frequency of appearance of the keywords. In addition, there is a one-to-one correspondence dummy record for each record of true data in all dummy record groups. Therefore, when deleting a record with true data, by deleting the corresponding dummy record together, it is possible to delete any record of true data while maintaining the confidentiality of the data.

By using the dummy element in this way, it is possible to improve the security against frequency analysis attacks. However, if a dummy element is used, an attacker who knows the combination frequency between keywords of a plurality of items may be narrowed down to less than k keyword candidates included in the search condition.

For example, it is assumed that "transformation set 2" in FIG. 11 is a transformation set for the item "gender". If the only gender keywords are "male" and "female", it is permissible to generate a transformation set as shown in FIG. 11 even when k = 3. At this time, if a frequency analysis attack using the combination frequency between the keywords of a plurality of items is performed, the keywords included in the "conversion set 1" may be narrowed down to less than k.

FIG. 12 is a diagram showing an example of the combination frequency when a dummy element is used. FIG. 12 shows a conversion set list 41 when k = G = 3 and a combination frequency table 42 at that time.

The conversion set list 41 shows the conversion set between blood pressure and gender. The blood pressure conversion set includes "normal", "hypotension", and "hypertension". Gender conversion elements include "male", "female", and the dummy element value "D1".

The combination frequency table 42 shows the frequency of appearance of records corresponding to the combination (logical product) of the blood pressure value and the gender value. True frequency is the number of applicable records in the set of records for true data. Post-disturbance frequency is the number of applicable records in the true data record set and the dummy record set.

For example, a record having a blood pressure of "normal" and a gender of "male" is included in the true data record group of "n1". Records with a blood pressure of "hypotension" and a gender of "female" are included in the true data record group of "n2". Records with a blood pressure of "hypertension" and a gender of "D1" are included in the true data record group of "n3" (n3 = 0). Records with a blood pressure of "normal" and a gender of "female" are included in the true data record group of "n4". Records with a blood pressure of "hypotension" and a gender of "D1" are included in the true data record group of "n5" (n5 = 0). Records with a blood pressure of "hypertension" and a gender of "male" are included in the true data record group of "n6". Records with a blood pressure of "normal" and a gender of "D1" are included in the true data record group of "n7" (n7 = 0). Records with a blood pressure of "hypotension" and a gender of "male" are included in the true data record group of "n8". Records with a blood pressure of "hypertension" and a gender of "female" are included in the true data record group of "n9".

Here, in the dummy record group of the group number "1" (g = 1), the record in which the dummy value of blood pressure is "normal" and the dummy value of gender is "male" is the blood pressure in the record group of true data. Generated based on the record of "hypotension" and gender of "female". Therefore, the records whose blood pressure is "normal" and whose gender is "male" are included in the dummy record group of the group number "1" (g = 1) by "n2". In the dummy record group of group number "2" (g = 2), the record in which the dummy value of blood pressure is "normal" and the dummy value of gender is "male" is that the blood pressure in the record group of true data is "hypertension". Is generated based on the record whose gender is "D1". Therefore, the records whose blood pressure is "normal" and whose gender is "male" are included in the dummy record group of the group number "2" (g = 2) for "n3" (n3 = 0).

Then, the appearance frequency (post-disturbance frequency) of the record in which the blood pressure is "normal" and the gender is "male" in the concealment DB becomes "n1 + n2". Similarly, the frequency of appearance of records with blood pressure of "hypotension" and gender of "female" in the concealment DB (frequency after disturbance), and the frequency of appearance of records of blood pressure of "hypotension" and gender of "D1" in the concealment DB. (Frequency after disturbance) is also "n1 + n2".

When a searcher searches for a concealed DB having a post-disturbance frequency as shown in FIG. 12, an attacker who knows the combination frequency of a plurality of item values selects a keyword candidate included in the search condition. It is possible to narrow down to less than k (three in the example of FIG. 12). For example, it is assumed that the searcher searches for "normal ∧ male" (∧ is a logical product) or "hypotension ∧ female". The post-confusion frequency of any of these search results is "n1 + n2". That is, the number of records that hit the search condition is "n1 + n2". The searcher does not search for the dummy value.

Here, for an attacker who knows the combination frequency (true frequency) between the blood pressure keyword and the gender keyword, the post-disturbance frequency is "n1 + n2" for "normal ∧ male" or "hypotension ∧". I also know that it is only a woman. The attacker can then recognize that at least "hypertension" is not included in the search. This means that the attacker will know that the searcher's interest is "normal" or "hypotension" for blood pressure and not "hypertension". That is, the search target is narrowed down to less than k (= 3).

In this way, the number of types of keywords X _j (two types of "male" and "female") is small, and when the item value with X _j <k is combined with other item values, the other item values are also in the gender column. It is narrowed down to X _j values of. Therefore, the data registration servers 200 and 300 generate a conversion set without using dummy elements.

FIG. 13 is a diagram showing an example of the combination frequency when the dummy element is not used. FIG. 13 shows a conversion set list 43 generated without using a dummy element when k = G = 3, and a combination frequency table 44 at that time.

If the number of configurable keywords is insufficient in the conversion set generation of the column in which the number of types of keywords that can be set X _j <k, the data registration servers 200 and 300 use another set of at least a part of the configurable keywords. Divide into multiple keywords and add keywords. In the example of FIG. 13, k = 3, and the number of keywords that can be set for the gender item is “X _j = 2”. Therefore, the data registration servers 200 and 300 divide the "male" into two for the gender item, and set the conversion set to {male_1, female, male_2}.

When the keyword in the record of true data is the target of division, the data registration servers 200 and 300 select an arbitrary one from the divided values, convert the keyword into the divided value, and then convert the conversion set. Perform the disturbance treatment used. When the keywords in the search query are the division targets, the terminal devices 400 and 500 search the divided keywords using the respective values after the division.

For example, a record having a blood pressure of "normal" and a gender of "male_1" is included in the true data record group of "n1". Records with a blood pressure of "hypotension" and a gender of "female" are included in the true data record group of "n2". Records with a blood pressure of "hypertension" and a gender of "male_2" are included in the true data record group of "n3". Records with a blood pressure of "normal" and a gender of "female" are included in the true data record group of "n4". Records with a blood pressure of "hypotension" and a gender of "male_2" are included in the true data record group of "n5". Records with a blood pressure of "hypertension" and a gender of "male_1" are included in the true data record group of "n6". Records with a blood pressure of "normal" and a gender of "male_2" are included in the true data record group of "n7". Records with a blood pressure of "hypotension" and a gender of "male_1" are included in the true data record group of "n8". Records with a blood pressure of "hypertension" and a gender of "female" are included in the true data record group of "n9".

In this case, the appearance frequency (post-disturbance frequency) of the record in which the blood pressure is "normal" and the gender is "male_1" in the concealment DB is "n1 + n2 + n3". Similarly, the frequency of appearance of records with blood pressure of "hypotension" and gender of "female" in the concealment DB (frequency after disturbance), and the appearance of records of blood pressure of "hypotension" and gender of "male_2" in the concealment DB. The frequency (frequency after disturbance) is also "n1 + n2 + n3".

It should be noted that, for example, it is randomly determined which keyword to be converted into the keyword to be divided. Therefore, even if the attacker knows the number of records (true frequency) of blood pressure "normal" and gender "male" in the true data, the number of records of blood pressure "normal" and gender "male _1" (true). Frequency "n1") is not exactly known to the attacker.

Even if the attacker could estimate the number of records with true data blood pressure "normal" and gender "male_1" (true frequency "n1"), what is the blood pressure keyword in the search query searched by the searcher? The attacker cannot narrow down to less than k. For example, when the searcher searches for "normal ∧ male", the terminal devices 400 and 500 perform the search using the search queries of "normal ∧ male _1" and "normal ∧ male _1". By taking the logical sum of these search results, the search result of "normal ∧ man" can be obtained. The number of records included in the search result of "normal ∧ man_1" is "n1 + n2 + n3". The frequency after disturbance is "n1 + n2 + n3" in any of "normal ∧ male _1", "hypotension ∧ female", and "hypertension ∧ male _1". Then, the blood pressure keywords included in the search query can be "normal", "hypotension", or "hypertension". That is, the attacker cannot narrow down the keyword candidates used in the search to less than k (k = 3).

Next, the functions of each device of the confidential information management system with improved security against frequency analysis attacks without using dummy elements will be described.
FIG. 14 is a block diagram showing the functions of the confidential information management system. The data management server 100 has a concealment DB 110, a data registration unit 120, a key provision request unit 130, and a search unit 140. The concealment DB 110 is realized by the memory 102 or the storage device 103 of the data management server 100. The data registration unit 120, the key provision request unit 130, and the search unit 140 are realized by the processor 101 included in the data management server 100.

The concealment DB 110 is a DB that manages the patient data of the ciphertext collected from the data registration servers 200 and 300 as the ciphertext.
The data registration unit 120 registers the patient data of the ciphertext in the concealment DB 110 in response to the data registration request from the data registration servers 200 and 300.

When the key provision request unit 130 receives the key acquisition request from the terminal devices 400 and 500, the key provision request unit 130 transmits the key provision request to the terminal devices 400 and 500 to the data registration servers 200 and 300.
The search unit 140 searches for patient data registered in the concealment DB 110 in response to a data search query including encrypted search keywords from the terminal devices 400 and 500. At this time, the search unit 140 collates the patient data with the search keyword as a ciphertext, and extracts a record matching the search keyword from the concealment DB 110. Then, the search unit 140 transmits the extracted records to the terminal devices 400, 500 that are the transmission sources of the search query.

The data registration server 200 includes a DB 210, a key storage unit 220, a conversion information storage unit 230, a key generation unit 240, a data registration request unit 250, and a key provision unit 260. The DB 210, the key storage unit 220, and the conversion information storage unit 230 are realized by the memory or storage device included in the data registration server 200. Further, the key generation unit 240, the data registration request unit 250, and the key provision unit 260 are realized by the processor included in the data registration server 200.

The DB 210 is a DB that stores patient data in plain text.
The key storage unit 220 stores an encryption key used for encrypting patient data registered in the data management server 100. The encryption key is managed so as not to be accessible from the data management server 100.

The conversion information storage unit 230 stores information used for converting the keyword shown in the record group of true data into a dummy value registered in the dummy record. For example, information such as a conversion set list is stored in the conversion information storage unit 230.

The key generation unit 240 generates an encryption key. The key generation unit 240 stores the generated encryption key in the key storage unit 220.
The data registration request unit 250 transmits a data registration request including a ciphertext of patient data to be registered in the data management server 100 to the data management server 100. For example, the data registration request unit 250 first acquires the patient data to be registered from the DB 210, and processes the patient data according to the format of the concealed DB 110. At this time, the data registration request unit 250 includes dummy data in the data registration request to be transmitted. Dummy data includes multiple dummy records. A dummy value is registered in the dummy record. The data registration request unit 250 converts the value in the true data into a dummy value by using the information stored in the conversion information storage unit 230, and registers the value in the dummy record.

Further, the data registration request unit 250 uses the encryption key to encrypt the value included in the patient data for each item value registered in the concealment DB 110. Then, the data registration request unit 250 transmits a data registration request including the patient data of the ciphertext encrypted for each item value to the data management server 100.

In response to the key provision request from the data management server 100, the key providing unit 260 transmits the encryption key to the terminal devices 400 and 500 of the pharmaceutical company that permit the use of the registered patient data. The key providing unit 260 transmits the encryption key to the terminal devices 400 and 500 without going through the data management server 100. By transmitting the encryption key without going through the data management server 100, the encryption key is isolated from the data management server 100. As a result, the administrator of the data management server 100 is prevented from decrypting the data in the concealed DB 110.

Although the functions of the data registration server 200 have been described above, the data registration server 300 also has the same functions as the data registration server 200.
The terminal device 400 has a key storage unit 410, a conversion information storage unit 420, a key acquisition unit 430, and a search request unit 440. The key storage unit 410 and the conversion information storage unit 420 are realized by the memory or storage device included in the terminal device 400. Further, the key acquisition unit 430 and the search request unit 440 are realized by the processor included in the terminal device 400.

The key storage unit 410 stores the encryption key used for encrypting the search keyword to be included in the search query. The encryption key is managed so as not to be accessible from the data management server 100.
The conversion information storage unit 420 stores information used for converting the keyword shown in the search condition specified by the searcher into a dummy value. The information stored in the conversion information storage unit 420 is the same as the information stored in the conversion information storage unit 230 of the data registration server 200.

The key acquisition unit 430 acquires the encryption key provided by the data registration servers 200 and 300. For example, the key acquisition unit 430 transmits a key acquisition request to the data management server 100. Then, the key provision request unit 130 of the data management server 100 transmits the key provision request to the data registration servers 200 and 300. In response to the key provision request, for example, the key providing unit 260 of the data registration server 200 transmits the encryption key to the terminal device 400. Then, the key acquisition unit 430 acquires the encryption key transmitted from the terminal device 400. The key acquisition unit 430 stores the acquired encryption key in the key storage unit 410.

The search request unit 440 acquires the search keyword input by the user (searcher) of the patient data. Next, the search request unit 440 encrypts the acquired search keyword using the encryption key, and sends a search query including the search keyword of the ciphertext to the data management server 100. When the search request unit 440 receives the search result from the data management server 100, the search request unit 440 displays the content of the search result (for example, the number of records of true data matching the search keyword).

The search request unit 440 can also send a search query targeting dummy data. In that case, the search request unit 440 converts the search keyword into a dummy value using the information stored in the conversion information storage unit 420, and transmits a search query including the encrypted dummy value. In this case, the search request unit 440 extracts a predetermined dummy record from the record shown in the search result, and uses the information stored in the conversion information storage unit 420 to set the dummy value in the dummy record to be true. Convert to the value set in the data. Then, the search request unit 440 displays the contents of the record having the converted value as the search result.

Although the functions of the terminal device 400 have been described above, the terminal device 500 also has the same functions as the terminal device 400.
With the function shown in FIG. 14, the patient data is managed by the data management server 100 while the patient data and the contents of the search query are kept secret from the administrator of the data management server 100, and the patients by the pharmaceutical companies 15 and 16 are managed. Data can be made available. The function of each element shown in FIG. 14 can be realized, for example, by causing a computer to execute a program module corresponding to the element.

Next, the outline of the appearance frequency disturbance treatment by the system shown in FIG. 14 will be described.
FIG. 15 is a diagram showing an example of appearance frequency disturbance processing using dummy data. The data registration server 200 transmits the encryption key 51 generated by the key generation unit 240 to the terminal device 400 of the pharmaceutical company (for example, the pharmaceutical company 15) that permits the use of the data 54 (step S11). For example, the key acquisition unit 430 of the terminal device 400 transmits a key acquisition request to the data management server 100. In the data management server 100, the key provision requesting unit 130 requests the data registration server 200 to provide the encryption key 51. Upon receiving the request for providing the encryption key 51, the key providing unit 260 of the data registration server 200 accepts an input indicating permission for the provision of the encryption key 51 by the administrator. When the key providing unit 260 is input to permit the provision of the encryption key 51, the key providing unit 260 acquires the encryption key 51 from the key storage unit 220, and obtains the same encryption key 52 as the acquired encryption key 51 in the data management server 100. Is transmitted to the terminal device 400 without going through. In the terminal device 400, the encryption key 52 received by the key acquisition unit 430 is stored in the key storage unit 410. As a result, the encryption key can be shared between the data registration server 200 and the terminal device 400.

After that, the data registration server 200 adds dummy data 55 to the data 211 in the DB 210 (step S12). For example, the data registration request unit 250 adds a dummy record G-1 times the number of records included in the true data 54 acquired from the DB 210 as the dummy data 55. At this time, the data registration request unit 250 uses the item value set in the true data 54 as the item value (dummy value) of the added dummy record, and reduces the bias of the appearance frequency of each item value. Further, the data registration request unit 250 assigns a flag 56 to each record to identify whether it is a record of true data 54 or a dummy record, and if it is a dummy record, which dummy record group it belongs to.

The data registration request unit 250 encrypts the item values (including flags) in each record of the true data 54 and the dummy data 55 with the encryption key 51 to generate the registration data 53 (step S13). Then, the data registration request unit 250 transmits a data registration request including the registration data 53 to the data management server 100 (step S14). In the data management server 100, the data registration unit 120 receives the registration data 53 and stores the received registration data 53 in the concealment DB 110.

When the person in charge of the pharmaceutical company 15 uses the data 54, the person in charge inputs a search keyword into the terminal device 400. Then, the search request unit 440 encrypts the input search keyword with the encryption key 52, and generates a search query 57 including the search keyword of the ciphertext (step S15). When the search request unit 440 targets any of the dummy record groups, the search request unit 440 converts the input search keyword into a dummy value corresponding to the search keyword in the dummy record group. Then, the search request unit 440 generates a search query 57 including a value obtained by encrypting the dummy value obtained by the change. Then, the search request unit 440 sends the search query 57 to the data management server 100 (step S16).

In the data management server 100, the search unit 140 collates the registered data 53 with the search query 57 while keeping the data concealed (step S17). Then, the search unit 140 transmits the record hit by the search by the search query 57 to the terminal device 400 as the search result 58 (step S18). The search result 58 includes a record of true data 54 and a dummy record of dummy data 55.

In the terminal device 400, the search request unit 440 receives the search result 58. When the search request unit 440 targets true data, the search request unit 440 discards a dummy record from the search result 58, for example, based on a flag (step S19). Then, the search request unit 440 displays the true result 59 including only the record of the true data 54 in the search result 58 on a monitor or the like.

When the dummy record group is the search target, the search request unit 440 extracts the dummy record belonging to the dummy record group to be searched from the search result 58, for example, based on the flag, and discards the other records. The search request unit 440 converts the dummy value in the dummy record into the keyword from which the dummy value was generated. Then, the search request unit 440 displays the record including the value converted into the original keyword as the true result 59.

By adding the dummy data 55 in this way, it is possible to disturb the frequency of each item value. The terminal device 400 can use the flag to discriminate between the dummy data 55 and the true data 54 and obtain the true result 59.

Next, the plaintext patient data DB 210 possessed by the data registration servers 200 and 300 will be described.
FIG. 16 is a diagram showing an example of a DB of plaintext patient data. The true data 211 is stored in the DB 210 in plain text. In the true data 211, for example, a record for each patient is registered in association with the identifier (ID) of the record. In each record, a keyword corresponding to the item is set in the column for each item. In the example of FIG. 16, there are "blood pressure" and "blood type" as items. The value in each record registered in the DB 210 is, for example, a plaintext character code.

When the data registration request unit 250 registers the patient record in the data management server 100, the data registration request unit 250 encrypts the value (plain text) set in the record by the deterministic encryption technique. Then, the encrypted record is registered in the concealment DB 110 of the data management server 100. At that time, the data registration request unit 250 refers to the conversion information storage unit 230 and generates dummy data for disturbance against the frequency analysis attack.

FIG. 17 is a diagram showing an example of information stored in the conversion information storage unit. The conversion information storage unit 230 stores a keyword list 231, a conversion set list 232, and a split keyword list 233. The keyword list 231 is data showing a list of keywords that can be set for each item. The conversion set list 232 is data indicating the contents of the conversion set. The divided keyword list 233 is data showing a list of divided keywords (divided keywords) when the keywords are divided and registered in the concealment DB 110. The conversion set list 232 and the divided keyword list 233 are data generated by the data registration request unit 250 based on the keyword list 231.

FIG. 18 is a diagram showing an example of a keyword list. In the keyword list 231, a list of keywords that can be set for the corresponding item is registered for each item of the DB 210. In the example of FIG. 18, the number of keywords that can be registered in the item of "blood pressure" is three, and the number of keywords that can be registered in the item of "blood type" is eight.

FIG. 19 is a diagram showing an example of a method for generating a conversion set list. In the keyword list 231a, _Xj keywords that can be set in the jth item are shown. It is assumed that m transformation sets 232a (m is an integer of 1 or more) are generated for the jth item. Each conversion set is assigned a number from "1" to "m". Each conversion set is provided with G keyword storage areas.

The data registration request unit 250 selects all the keywords once from the keyword list 231a, for example, in a predetermined order or a random order. The data registration request unit 250 stores the selected keywords in the storage area of the conversion set in order from the conversion set having the smallest number. When one keyword is assigned to each of the plurality of conversion sets 232a, the data registration requesting unit 250, if there is an unselected keyword, again selects the selected keyword in the conversion set in ascending order of the number. Store in the storage area. In FIG. 19, the storage order of the keywords is indicated by arrows.

After the data registration request unit 250 completes the selection of all the keywords once, if there is a free area in any of the plurality of conversion sets 232a, the data registration request unit 250 selects the keywords a second time from the keyword list 231a. Then, the data registration request unit 250 stores the selected keywords in the storage area of the conversion set in order from the conversion set having the smallest number.

The data registration request unit 250 repeats the process of storing the selected keyword in the keyword storage area of the conversion set until there is no space in the keyword storage area of all the conversion sets.

At this time, the number m of the conversion set is determined so that when all the keywords are stored once in the keyword storage area of any of the conversion sets, k or more kinds of keywords are stored in each conversion set. There is. However, when X _j <k, m = 1, and all keywords of X _j type are included in one conversion set.

The data registration request unit 250 changes the keywords stored in the conversion set two or more times so that the values are different for each stored keyword storage area. In the example of FIG. 19, the character string of "_1" is given to the keyword stored by the first selection, and the character string of "_2" is given to the keyword stored by the second selection.

The data registration request unit 250 generates a split keyword list based on the generated conversion set 232a.
FIG. 20 is a diagram showing an example of generating a list of divided keywords. For example, the data registration request unit 250 extracts each keyword registered in the plurality of conversion sets 232a and registers it in the divided keyword list 233a as a divided keyword.

FIG. 21 is a diagram showing an example of a list of conversion sets. The conversion set list 232 includes conversion sets 232b, 232c, and 232d generated for each item. In the example of FIG. 21, "normal_1", "hypotension", "hypertension", and "normal_1" are registered in the blood pressure conversion set 232b.

FIG. 22 is a diagram showing an example of a list of divided keywords. In the split keyword list 233, the split keywords of the keywords are registered in association with the keywords that can be set for each item. For example, in the keyword "normal" of the item "blood pressure", "normal_1" and "normal_1" are registered as division keywords. Since the other keywords have only one split keyword, the same value as the original keyword is registered as the split keyword. A keyword having only one split keyword may be excluded from the registration target in the split keyword list 233. Keywords that are not registered in the split keyword list 233 are not subject to change to split keywords.

Based on such a split keyword list 233, the value included in the true data 211 in the DB 210 is changed to the split keyword. Then, the registration data to be registered in the concealment DB is generated based on the record group of the true data in which the division keyword is set.

FIG. 23 is a diagram showing an example of conversion of item values when a split keyword is used. The conversion method is the same as when the dummy element shown in FIG. 6 is used. That is, the element at the position shifted to the right by the group number of the dummy record group becomes the dummy value set in the dummy record of the dummy record group. This is because for each dummy record group, the mapping from the conversion source set {normal_1, hypotension, hypertension, normal_2} to the conversion destination set {normal_1, hypotension, hypertension, normal_2} is bijective. It has become. Since the conversion destination differs depending on the group number, the bijective relationship is different for each dummy record group.

FIG. 24 is a diagram showing an example of registered data when the divided keyword is used. The keyword "normal" in the item of "blood pressure" in the true data 211 (see FIG. 15) stored in the DB 210 is changed to the divided keyword based on the divided keyword list 233 (see FIG. 22). In the true data 211a after the change to the split keyword, the value of "blood pressure" in the record of ID "1" is changed to "normal_1". Further, the value of "blood pressure" in the record of ID "4" is changed to "normal_2".

The registered data 60 includes a record group 60a of the true data 211a and a dummy record group 60b to 60d. An ID is randomly assigned to each record. A flag is given to each record in the registration data 60. And the keyword (including the flag value) included in the registration data 60 is encrypted. The flag value is generated by the flag value generation function shown in the above equation (2) using a randomly assigned ID.

The data registration request unit 250 sorts the registered data 60 by ID and then registers the registered data 60 in the concealment DB 110 of the data management server 100.
FIG. 25 is a diagram showing an example of a concealment DB. The records registered in the concealment DB 110 are sorted by ID, and true data records and dummy records are mixed and registered.

Next, the procedure of the data registration process will be described in detail.
FIG. 26 is a flowchart showing an example of the procedure of the data registration process. Hereinafter, the process shown in FIG. 26 will be described along with the step numbers.

[Step S101] The data registration request unit 250 receives a setting input of the number of types of item values k having the same appearance frequency. The larger the value of k, the better the security, but the number of dummy records to be registered also increases. Therefore, the value of k is determined by the administrator of the data registration server 200 in consideration of the degree of security against the frequency analysis attack required for the concealment DB 110 and the number of dummy records allowed for the concealment DB 110.

[Step S102] The data registration request unit 250 determines the number of groups G and the number of conversion sets for each item. For example, assuming that the number of types of keywords that can be set for the j-th item in the keyword list is X _j , the optimum group number G _j for the j-th item is the following equation (3) using the floor function and ceiling function. ).

The data registration request unit 250 sets G to the maximum value of X _j obtained for all items. Further, the data registration request unit 250 calculates the number of conversion sets for each item based on the number of groups G. The optimum number of conversion sets M _j of the jth item is expressed by the following equation (4).

[Step S103] The data registration request unit 250 generates conversion sets for the number of conversion sets determined in step S102 for each of the items. Further, the data registration request unit 250 generates the divided keyword list 233 based on the generated conversion set.

[Step S104] The data registration request unit 250 reads plain text data (a record group of true data) from the DB 210.
[Step S105] The data registration request unit 250 converts the keyword registered in the record of the true data in the read plaintext data into the split keyword based on the split keyword list 233. For example, the data registration request unit 250 randomly selects one divided keyword from the set of divided keywords corresponding to the registered keywords. Then, the data registration request unit 250 converts the keyword to be divided into the selected divided keyword.

[Step S106] The data registration request unit 250 generates dummy data including a dummy record group having a group number G-1 determined in step S102. The details of the dummy data generation process will be described later (see FIG. 27).

[Step S107] The data registration request unit 250 randomly assigns an ID to each of the records of the true data and the dummy data.
[Step S108] The data registration request unit 250 adds a flag to each of the true data record and the dummy record. The data registration request unit 250 assigns a flag to each record, for example, a value calculated by using the flag value generation function shown in the equation (2) as a flag value.

[Step S109] The data registration request unit 250 sorts each record by ID.
[Step S110] The data registration request unit 250 encrypts the sorted record group and registers it in the concealment DB 110. For example, the data registration request unit 250 encrypts each item value in the record, and transmits the record group having the encrypted value to the data management server 100 as registration data. In the data management server 100, the data registration unit 120 receives the registration data and stores the received registration data in the concealment DB 110.

Next, the dummy data generation process will be described in detail.
FIG. 27 is a flowchart showing an example of the procedure of the dummy data generation process. Hereinafter, the process shown in FIG. 27 will be described along with the step numbers.

[Step S121] The data registration request unit 250 acquires the group number G calculated in step S102.
[Step S122] The data registration request unit 250 copies G-1 true data and generates a dummy record group of G-1.

[Step S123] The data registration request unit 250 executes the processes of steps S124 to S127 for each of all the items of true data.
[Step S124] The data registration request unit 250 executes the process of step S125 for each of all dummy records.

[Step S125] The data registration request unit 250 converts the item value of the dummy record. For example, the data registration request unit 250 selects a conversion set including the item value of the processing target (conversion target item value) in the dummy record from the conversion set corresponding to the item to be processed. Next, the data registration request unit 250 acquires the group number of the dummy record group to which the dummy record to be processed belongs. The data registration request unit 250 cyclically acquires the right element from the conversion set by the group number from the elements corresponding to the conversion target item values in the selected conversion set. Then, the data registration request unit 250 converts the conversion target item value in the dummy record to be converted into the value (dummy value) of the acquired element.

[Step S126] When the processing of step S125 is completed for each of the dummy records, the data registration requesting unit 250 advances the processing to step S127.
[Step S127] The data registration request unit 250 ends the dummy data generation process when the processes of steps S124 to S126 are completed for each of the items.

In this way, dummy data is generated by replacing the item values of the true data with other elements in the transformation set. Then, the data registration request unit 250 encrypts the generated dummy data and the registration data including the flag value and registers them in the concealment DB 110.

A searcher who wants to search the data in the concealment DB 110 inputs a search keyword into the terminal device 400, for example, via a search condition input screen of the terminal device 400.
FIG. 28 is a diagram showing an example of a search condition input screen. On the search condition input screen 61, for example, the name of each item in the DB 210 is set as a search variable. Then, a designated value input area 62 for inputting the designated value of the search variable as a search keyword is provided in association with the search variable. When the searcher inputs the specified value of the item shown as the search variable in the specified value input area, the terminal device 400 performs a search using the input specified value as a search keyword.

FIG. 29 is a flowchart showing an example of the procedure of the search process. Hereinafter, the process shown in FIG. 29 will be described along with the step numbers.
[Step S131] The search request unit 440 acquires a search keyword input as a search condition from the user and an item corresponding to the search keyword as a plaintext search query.

[Step S132] The search request unit 440 generates a conversion set list. For example, the search request unit 440 performs the same processing as the conversion set generation processing for each item in the data registration request unit 250, and generates a conversion set list. The conversion set list generated by the search request unit 440 is the same as the conversion set list generated by the data registration request unit 250. At this time, the search request unit 440 also calculates the group number G. Then, the search request unit 440 generates a split keyword list based on the conversion set list.

[Step S133] The search request unit 440 divides the acquired plaintext search query. For example, the search request unit 440 divides the search keyword included in the plaintext search query into split keywords. Then, the search request unit 440 generates a plaintext search query for each division keyword obtained by the division. When the split keyword list 233 as shown in FIG. 22 is generated, the search keyword "normal" is divided into "normal_1" and "normal_1". Then, a plaintext search query including the search keyword "normal_1" and a plaintext search query including the search keyword "normal_1" are generated. The logical sum of the search results of the plaintext search query generated by the division is the search result of the obtained plaintext search query.

The obtained plaintext search query may contain multiple search keywords. In the case of a logical sum search of a plurality of search keywords, the search request unit 440 decomposes each search keyword into split keywords and generates a plaintext search query for each split keyword. The logical sum of the search results of the multiple generated plaintext search queries is the search result of the acquired plaintext search query.

Further, in the case of a logical product search of a plurality of search keywords, the search request unit 440 generates all combinations between the divided keywords having different items. In the case of the logical product of the search keywords for each of the three or more items, the search request unit 440 generates all combinations of the divided keywords that can be generated by selecting one divided keyword from each item. Then, the search request unit 440 generates a plaintext search query of the logical product for each combination of the generated split keywords. In this case as well, the logical sum of the search results obtained by the plurality of generated plaintext search queries is the search result of the acquired plaintext search query.

For example, the acquired search query is "A∧B", the search keyword "A" is divided into "A_1" and "A_1", and the search keyword "B" is divided into "B_1" and "B_1". do. In this case, the search request unit 440 generates "A_1∧B_1", "A_1∧B_1", "A_2∧B_1", and "A_2∧B_1" as the plaintext search query after division.

[Step S134] The search request unit 440 selects one of the generated plaintext search queries that has not been selected.
[Step S135] The search request unit 440 probabilistically selects one group from all the groups including the true data record group and the dummy record group. The search request unit 440 searches for the selected record group. It should be noted that all the dummy record groups in the concealment DB 110 have the same frequency distribution as the true data record group, although the values are different. Therefore, even if the dummy record group is the search target, the correct search result can be obtained by inversely converting the dummy value in the dummy record obtained as the search result according to the conversion set.

By transforming (disturbing) the plaintext search query according to the conversion set in this way, the same result as when searching the plaintext data group can be obtained regardless of which group is searched. Therefore, the number of search queries does not increase while disturbing the search queries. Further, by randomly determining the group to be searched by the search request unit 440, it is possible to prevent the attacker from specifying the group number of each record in the concealment DB due to the bias of the searched group.

[Step S136] The search request unit 440 determines whether or not the dummy record group has been selected. If the search request unit 440 selects a dummy record group, the search request unit 440 advances the process to step S137. Further, if the search request unit 440 selects a record group of true data, the process proceeds to step S142.

[Step S137] The search request unit 440 disturbs the generated plaintext search query based on the conversion set. For example, when the search target item and the split keyword are specified in the plaintext search query, the search request unit 440 first corresponds to the specified split keyword from one or more conversion sets corresponding to the search target item. Identify the transformation set that contains the elements to be. Next, the search request unit 440 acquires the group number of the selected dummy record group. The search request unit 440 periodically acquires the right element from the conversion set by the number of the group number from the elements in the conversion set corresponding to the divided keyword to be searched. Then, the search request unit 440 converts the split keyword to be converted in the plaintext search query into the value (dummy value) of the acquired element.

[Step S138] The search request unit 440 encrypts the plaintext search query converted in step S137 to generate a concealed search query. The search request unit 440 sends the generated concealment search query to the data management server 100.

[Step S139] The search request unit 440 acquires the search result (confidential search result) of the concealed search from the data management server 100. The search request unit 440 extracts only the dummy records belonging to the dummy record group selected in step S136 from the concealment search result. At this time, the search request unit 440 can identify the dummy record belonging to the selected dummy record group based on the flag value of each record. For example, the search request unit 440 uses the flag value generation function corresponding to the selected dummy record group to generate the flag value corresponding to the ID of the record included in the search result. The search request unit 440 encrypts the generated flag value. Then, when the corresponding record has a flag value having the same value as the encrypted flag value, the search request unit 440 determines that the record is a record of the selected group.

[Step S140] The search request unit 440 decrypts the item value (dummy value) in the extracted dummy record included in the concealment search result by using the encryption key acquired in advance from the data registration server 200.

[Step S141] The search request unit 440 reversely converts the decoded dummy value of the dummy record belonging to the dummy record group selected in step S136 based on the conversion set, and the search result in which the true value of the plain text is set is set. To restore.

FIG. 30 is a diagram showing an example of the inverse conversion of the dummy value. For example, the search request unit 440 specifies a conversion set including an element corresponding to the dummy value from one or more conversion sets corresponding to the items to which the dummy value belongs. In the example of FIG. 30, it is assumed that the conversion set 232b is specified. Next, the search request unit 440 acquires the group number of the dummy record group selected in step S136. The search request unit 440 periodically acquires the left element from the conversion set 232b by the number of the group number from the elements in the conversion set 232b corresponding to the dummy value. Then, the search request unit 440 converts the decoded dummy value into the value of the acquired element (true data division keyword). For example, when the dummy value of the dummy record belonging to the dummy record group of the group number "2" is "normal_2", the dummy value is set to the second element "hypotension" on the left side of "normal_2" in the transformation set 232b. Inversely converted.

The relationship of the inverse transformation shown in FIG. 30 is a bijective relationship which is the inverse mapping of the mapping shown in FIG. 23. By performing such an inverse conversion on all the dummy values in the dummy records belonging to the selected dummy record group, the split keyword corresponding to the dummy value is obtained. The search request unit 440 converts the divided keyword into the original keyword (true value) based on the divided keyword list. This will generate true search results. After that, the search request unit 440 advances the process to step S145.

Hereinafter, the description of FIG. 29 will be returned to.
[Step S142] The search request unit 440 encrypts a search query in which a flag value corresponding to a record group of true data is added to the search condition, and sends the search query to the data management server 100.

[Step S143] The search request unit 440 acquires the search result from the data management server 100.
[Step S144] The search request unit 440 decodes the item value in the record of the record group of the true data included in the search result. Note that the search request unit 440 specifies a record (a record of true data) of the selected group, as in step S140. The search request unit 440 converts the divided keyword in the record of the true data into the original keyword based on the divided keyword list, and obtains the search result in which the true value of the plain text is set.

[Step S145] The search request unit 440 outputs a plaintext search result.
[Step S146] The search request unit 440 determines whether or not all the plaintext search queries have been selected. If there is an unselected plaintext search query, the search request unit 440 advances the process to step S134. Further, the search request unit 440 ends the search process when all the plaintext search queries are selected and the search by the corresponding concealed search query is completed.

The search result is displayed, for example, on the search result display screen.
FIG. 31 is a diagram showing an example of a search result display screen. On the search result display screen 70, for example, a search condition relating to a patient and the number of patients matching the search condition are displayed. Further, on the search result display screen 70, the plain text data of the record hit in the search is displayed.

By such a search, the appearance frequency of the item value is equalized for each set of G divided keywords. As a result, the bias of the appearance frequency for each item value is suppressed, and the safety against frequency analysis attacks is improved. Moreover, since no dummy element is used, safety is improved against frequency analysis attacks that combine keywords of multiple items.

Further, in the terminal device 400, even when a dummy record is acquired as a search result, it is possible to acquire an item value of true data that matches the input search condition based on the dummy value of the dummy record. Therefore, even if the attacker acquires the search result transmitted from the data management server 100, the attacker can determine whether the item value included in the search result is a true data item value or a dummy value. Can not. As a result, the confidentiality of true data is improved.

[Other embodiments]
In the second embodiment, an example of a confidential search for data possessed by a hospital is shown, but it can also be used in other fields.

Further, in the second embodiment, the data registration servers 200 and 300 and the data management server 100 are separated, but the data registration servers 200 and 300 may have the function of the data management server 100.

Further, for encryption and decryption of the item value by the encryption key, for example, a corresponding dictionary prepared in advance can be used. When using the corresponding dictionary, each of the data registration servers 200, 300 and the terminal devices 400, 500 encrypts the divided keyword shown in the divided keyword list with an encryption key, and generates a corresponding dictionary between the divided keyword and the ciphertext in advance. Keep it. Then, each of the data registration servers 200, 300 and the terminal devices 400, 500 searches the plaintext to be encrypted (divided keyword or search keyword) from the corresponding dictionary at the time of encryption, and searches for the plaintext to be encrypted. Convert to the ciphertext corresponding to the split keyword hit in. Further, each of the terminal devices 400 and 500 searches the ciphertext to be decrypted from the corresponding dictionary at the time of decryption, and converts the ciphertext to be decrypted into the divided keyword corresponding to the ciphertext hit in the search.

Although the embodiment has been illustrated above, the configuration of each part shown in the embodiment can be replaced with another having the same function. Further, any other components or processes may be added. Further, any two or more configurations (features) of the above-described embodiments may be combined.

1 Data registration device 1a Storage unit 1b Processing unit 2 Server 2a Concealment DB
3 Data utilization device 4a, 4b Item value group 5,5b Confidential record group 6a, 6b Dummy record group 7 Registered data 8a, 8b Search query 9 Search result 10 Display screen

Claims (7)

On the computer
When the number of types of a plurality of first item values that can be set in one item in the secret record in the secret record group including one or more secret records to be hidden is not an integral multiple of a predetermined value, the plurality of first items. Generate a plurality of second item values that are integral multiples of the predetermined value, each of which is associated with at least one of the values and is associated with any one of the plurality of first item values.
Each of the plurality of second item values is classified into at least one item value group corresponding to the one item by the same number as the predetermined value.
The first item value set in the one item in the secret record is converted into one of at least one second item value corresponding to the first item value.
The existing first item set in the first item of each of the secret records according to the bijective relationship in which each of the second item values in the item value group is bijected to different second item values in the same item value group. Convert 2 item values to dummy values and
A dummy record group having the same number of dummy records as the number of secret records in which the dummy value is set in the one item is generated.
Set the first flag indicating true to the secret record, and set it.
A second flag indicating false is set in the dummy record, and the dummy record is set.
The item value set in the one item of each of the secret record and the dummy record, the first flag given to the secret record, and the second flag given to the dummy record are encrypted.
The secret record group and the dummy record group are output.
A secret information management program that executes processing. In the generation of the dummy record group, when there are a plurality of the dummy record groups, the existing second item value set in the one item of the secret record is converted into a second item value different for each dummy record group. As such, the bijection relation, which is different for each dummy record group, is used.
The confidential information management program according to claim 1. In the setting of the second flag, the second flag having a value different from that of the dummy record group generated one or more and different from that of the first flag is set in the dummy record included in each of the dummy record groups. ,
The confidential information management program according to claim 1 or 2. In the setting of the first flag, the value of the first function having the identifier of the secret record as a variable is set in the secret record as the first flag.
In the setting of the second flag, the identifier of the dummy record is used as a variable, and the value of the same variable is different from that of the first function, and a different value is output for each dummy record group to which the dummy record belongs. A value is set in the dummy record as the second flag.
The confidential information management program according to claim 3. The computer
When the number of types of a plurality of first item values that can be set in one item in the secret record in the secret record group including one or more secret records to be hidden is not an integral multiple of a predetermined value, the plurality of first items. Generate a plurality of second item values that are integral multiples of the predetermined value, each of which is associated with at least one of the values and is associated with any one of the plurality of first item values.
Each of the plurality of second item values is classified into at least one item value group corresponding to the one item by the same number as the predetermined value.
The first item value set in the one item in the secret record is converted into one of at least one second item value corresponding to the first item value.
The existing first item set in the first item of each of the secret records according to the bijective relationship in which each of the second item values in the item value group is bijected to different second item values in the same item value group. Convert 2 item values to dummy values and
A dummy record group having the same number of dummy records as the number of secret records in which the dummy value is set in the one item is generated.
Set the first flag indicating true to the secret record, and set it.
A second flag indicating false is set in the dummy record, and the dummy record is set.
The item value set in the one item of each of the secret record and the dummy record, the first flag given to the secret record, and the second flag given to the dummy record are encrypted.
The secret record group and the dummy record group are output.
Confidential information management method. A server with a database and
When the number of types of a plurality of first item values that can be set in one item in the secret record in the secret record group including one or more secret records to be hidden is not an integral multiple of a predetermined value, the plurality of first items. Generate a plurality of second item values that are integral multiples of the predetermined value, each of which is associated with at least one of the values and is associated with any one of the plurality of first item values.
Each of the plurality of second item values is classified into at least one item value group corresponding to the one item by the same number as the predetermined value.
The first item value set in the one item in the secret record is converted into one of at least one second item value corresponding to the first item value.
The existing first item set in the first item of each of the secret records according to the bijective relationship in which each of the second item values in the item value group is bijected to different second item values in the same item value group. Convert 2 item values to dummy values and
A dummy record group having the same number of dummy records as the number of secret records in which the dummy value is set in the one item is generated.
Set the first flag indicating true to the secret record, and set it.
A second flag indicating false is set in the dummy record, and the dummy record is set.
The item value set in the one item of each of the secret record and the dummy record, the first flag given to the secret record, and the second flag given to the dummy record are encrypted.
A data registration device that stores the secret record group and the dummy record group in the database of the server, and
The search item value of the one item shown in the search condition is converted into one or a plurality of the second item values corresponding to the first item value having the same value as the search item value, and obtained by the conversion. A search query containing each of the second item values is transmitted to the server with the search item values encrypted.
The search result by the search query in the database is acquired from the server, and the search result is obtained.
A data utilization device that acquires the secret record satisfying the search condition from the search result based on the first flag or the second flag set in each of the secret record and the dummy record included in the search result. ,
Confidential information management system with. The data utilization device converts the search item value shown in the search condition according to the bijective relationship, and sends the search query including the conversion item value obtained by the conversion.
Based on the second flag set in the dummy record included in the search result, a matching dummy record having the conversion item value is extracted from the search result, and the one item of the matching dummy record is decoded. By converting the already decoded item value according to the inverse mapping relation of the bijective relation, the secret record satisfying the search condition is acquired.
The confidential information management system according to claim 6.

Images