JP2022059675A - Search request program, search request method, and confidential information management system - Google Patents

Abstract

To improve safety against frequency analysis attacks.SOLUTION: A data utilization device 3 acquires search conditions for the database registering multiple records, in which the value of the second item of the record where the value of the first item in multiple records is the first item value is limited to the second item value. When the first item value is specified as the value of the first item in the search condition, the data utilization device 3 adds the condition that the value of the second item is the second item value to the search condition by logical product.SELECTED DRAWING: Figure 1

Description

The present invention relates to a search request program, a search request method, and a confidential information management system.

Computer systems can handle large amounts of data called big data. For example, by analyzing big data with a computer, it is possible to obtain various findings. The larger the amount of big data used for analysis, the more diverse knowledge can be obtained from the big data, and the higher the reliability of the obtained knowledge. Therefore, instead of constructing a unique database (DB) for big data for each organization such as a company, it is conceivable to use a DB that integrates data of a plurality of organizations in a plurality of organizations. Such an integrated DB service can be realized by using, for example, a cloud computing system (hereinafter referred to as "cloud").

When managing a DB that integrates data of a plurality of organizations in the cloud, the data provider organization may want to limit the use of the provided data to only other organizations permitted by the data provider organization. In addition, the organization that provides the data and the organization that uses the data may not want the cloud administrator to know the content of the provided data or the search content for the data in the DB. In these cases, the cloud that manages big data receives encrypted data from each organization, for example, and stores the encrypted data in a DB. Then, the cloud searches the data in the DB in response to a search request encrypted with the key passed from the organization that provides the data, using a collation technology that can determine the identity of the data as it is. As a result, the organization that provides the data can allow the provided data to be used only by the organization that has given the key. Also, in the cloud, the provided data and the search request remain encrypted, so it is possible to prevent the contents of the data from being known to the cloud administrator.

As a technology related to concealment of data in a DB, for example, even when the variation of possible values of attribute data is limited, a data generation device that makes frequency analysis in concealment search more difficult and enhances safety. Has been proposed. In addition, a search system has been proposed that allows both database holders and database users to check whether the database contains data similar to the search conditions while keeping their information secret from each other. There is.

Japanese Unexamined Patent Publication No. 2012-248940 International Publication No. 2013/038698

Even if a secret search technology that can perform a search with encrypted data is used, the security of the encrypted data cannot be said to be sufficient. That is, a frequency analysis attack is possible against the DB that stores the encrypted data, and the content of the search query or the search result may be inferred.

On one side, the case aims to improve security against frequency analysis attacks.

One idea is to provide a search request program that causes the computer to perform the following processing:
The computer sets a search condition for the database in which a plurality of records are registered and the value of the second item of the record in which the value of the first item among the plurality of records is the value of the first item is limited to the value of the second item. get. Then, when the first item value is specified as the value of the first item in the search condition, the computer adds the condition that the value of the second item is the second item value to the search condition by logical product.

According to one aspect, it is possible to improve the security against frequency analysis attacks on encrypted data.

It is a figure which shows an example of the confidential information management system which concerns on 1st Embodiment. It is a figure which shows an example of a confidential information management system. It is a figure which shows one configuration example of the hardware of a data management server. It is a figure which shows an example of a frequency analysis attack. It is a figure which shows the generation example of the transformation set using a dummy element. It is a figure which shows the conversion example of the item value when the dummy element is used. It is a figure which shows the generation example of the dummy value when the dummy element is used. It is a figure which shows an example of the registration data when the dummy element is used. It is a figure explaining the equalization of a ciphertext. It is a figure explaining an appropriate group number G. It is a figure which shows an example of the frequency distribution after frequency disturbance. It is a figure which shows an example of the attack method using structural zero. It is a figure which shows an example of the disturbance of a search condition. It is a block diagram which shows the function of a secret information management system. It is a figure which shows an example of the disturbance processing of the appearance frequency using the dummy data. It is a figure which shows an example of the DB of the patient data in plain text. It is a figure which shows an example of the information stored in the conversion information storage part. It is a figure which shows an example of a keyword list. It is a figure which shows an example of the conversion set list. It is a figure which shows an example of the registration data. It is a figure which shows an example of a concealment DB. It is a flowchart which shows an example of the procedure of a data registration process. It is a flowchart which shows an example of the procedure of a dummy data generation process. It is a figure which shows an example of the search condition input screen. It is a figure which shows an example of the non-structural zero information stored in the non-structural zero information storage part. It is a flowchart which shows an example of the procedure of a search process. It is a figure which shows an example of the inverse conversion of a dummy value. It is a figure which shows an example of the search result display screen.

Hereinafter, the present embodiment will be described with reference to the drawings. It should be noted that each embodiment can be implemented by combining a plurality of embodiments within a consistent range.
[First Embodiment]
First, the first embodiment will be described.

FIG. 1 is a diagram showing an example of a confidential information management system according to the first embodiment. FIG. 1 shows an example of realizing a confidential information management method using a confidential information management system. The confidential information management system includes a data registration device 1, a server 2, and a data utilization device 3. Each of the data registration device 1, the server 2, and the data utilization device 3 of each device in the confidential information management method, for example, by executing a program in which the processing procedure in each device for realizing the confidential information management method is described. Processing can be carried out.

The data utilization device 3 has a storage unit 3a and a processing unit 3b in order to realize a search request method for transmitting a data search request managed by the confidential information management method. The storage unit 3a is, for example, a memory or a storage device included in the data utilization device 3. The processing unit 3b is, for example, a processor or an arithmetic circuit included in the data utilization device 3. Although not shown, the data registration device 1 and the server 2 also have a storage unit and a processing unit. For example, the storage unit of the server 2 stores the concealment database (DB) 2a.

The data registration device 1 stores a concealed record group 5 including one or more concealed records to be concealed. Item values for each of a plurality of items are set in the secret record. When the value of the first item is the value of the first item among the plurality of items of the secret record, the value of the second item is limited to the value of the second item. For example, when the value of the first item is the value of the first item and it is not possible in the common sense that the value of the second item is other than the value of the second item, the value of the first item is the value of the first item. When the value of the second item is limited to the value of the second item. For example, in a secret record whose occupation value is "midwife", the gender value is limited to "female". In this case, "occupation" is the first item value, "midwife" is the first item value, "gender" is the second item value, and "female" is the second item value.

Such a value that cannot be set in the second item when the value of the first item is the value of the first item can be called structural zero. On the other hand, when the value of the first item is the value of the first item, the only value that can be set in the second item can be called non-structural zero.

The data registration device 1 corresponds to each of a plurality of item values that can be set for each of the first item and the second item in the secret record, at least one item value group 4a, 4b corresponding to each of the first item and the second item. (Step S1). In the example of FIG. 1, the item values that can be set for occupations are "midwife" and "doctor", and the item values that can be set for gender are "male" and "female". The item value group 4a corresponding to the occupation includes "midwife" and "doctor". The item value group 4b corresponding to gender includes "male" and "female". In the example of FIG. 1, one item value group 4a and 4b are provided for each occupation and gender, but when the number of types of item values that can be set for an item is large, two or more for one item. Item value group of may be provided.

Next, the data registration device 1 performs a process of generating a dummy record group (step S2). For example, the data registration device 1 bijects the item values in the item value groups 4a and 4b to different item values in the same item value groups 4a and 4b, respectively, according to the bijective relationship, the first item of each concealed record and The existing item value set in the second item is converted into a dummy value. Next, the data registration device 1 generates a dummy record group 6 having the same number of dummy records as the number of secret records whose dummy values are set in the first item and the second item.

In the example of FIG. 1, the existing item value “midwife” set in the secret record is converted into the dummy value “doctor”. The existing item value "doctor" set in the secret record is converted to the dummy value "midwife". The existing item value "male" set in the secret record is converted to the dummy value "female". The existing item value "female" set in the secret record is converted to the dummy value "male".

Next, the data registration device 1 performs flag setting processing for each of the secret record and the dummy record (step S3). For example, the data registration device 1 sets a first flag indicating true in the secret record and sets a second flag indicating false in the dummy record. In the example of FIG. 1, an identifier (ID) is randomly assigned to a secret record and a dummy record, a value twice the ID is set as the flag value for the secret record, and 1 is set to twice the ID for the dummy record. The added value is used as the flag value.

Next, the data registration device 1 encrypts the existing item value and the first flag set in the secret record, and the dummy value and the second flag set in the dummy record (step S4). The data registration device 1 sorts the encrypted secret record and the dummy record in ascending order by ID to generate the registration data 7. In the example of FIG. 1, the record with the ID “1,3,5” of the registration data 7 is a secret record, and the record with the ID “2,4,6” is a dummy record.

The ciphertext obtained by encrypting a certain plaintext in FIG. 1 is referred to as "H (plaintext)". In the following description, the ciphertext is expressed in the same notation method.
Then, the data registration device 1 outputs the registration data 7 (step S5). For example, the data registration device 1 stores the concealed record group and the dummy record group in the concealed DB 2a of the server 2.

The storage unit 3a of the data utilization device 3 stores non-structural zero information 8 indicating a combination of item values that becomes non-structural zero. For example, the combination of occupation "midwife" and gender "female" is non-structural zero information 8.

The processing unit 3b of the data utilization device 3 acquires the search condition for the concealment DB 2a based on the input from the searcher. Next, the processing unit 3b adds a condition that the value of the second item is the second item value to the search condition by logical product when the first item value is specified as the value of the first item in the search condition. (Step S6).

For example, it is assumed that the occupation "midwife" is specified as a search condition. In this case, the processing unit 3b refers to the non-structural zero information 8 and determines that the gender value of the secret record of the occupation “midwife” is limited to “female”. That is, the processing unit 3b determines that the first item value "midwife" is specified as the value of the first item "occupation" in the search condition. Therefore, the processing unit 3b adds the second item value "female" of the second item "gender" to the search condition as a logical product.

When the processing unit 3b detects that the first item value is specified as the value of the first item in the search condition, the processing unit 3b may randomly determine whether or not to add the second item value. For example, the processing unit 3b generates a random number, and determines that the second item value is added when the random number is larger than or smaller than a predetermined threshold value. The processing unit 3b adds the condition that the value of the second item is the second item value to the search condition by logical product when it is determined to add.

Then, the processing unit 3b transmits a search query 9 including a search condition to which the condition that the value of the second item is the second item value is added to the server 2 (step S7).
The server 2 performs a search according to the search query 9 (step S8). For example, the server 2 collates the search item value of the ciphertext in the search query 9 with the item value of the ciphertext of each record in the concealment DB 2a. The server 2 transmits the search result 10 including the record in which the item value matching the search item value is set to the data utilization device 3.

The data utilization device 3 acquires the search result 10 by the search query 9 for the concealment DB 2a from the server 2. Then, the data utilization device 3 displays the true search result excluding the dummy record from the search result 10 (step S9). For example, the data utilization device 3 has an item value set for each item of the secret record and the dummy record included in the search result 10, a first flag given to the secret record, and a second flag given to the dummy record. To decrypt. Next, the data utilization device 3 removes the dummy record from the search result 10 based on the first flag and the second flag, and acquires a secret record satisfying the search condition. Then, the data utilization device 3 displays the true search result on, for example, the display screen 11.

When an item value that becomes unstructured zero in combination with other item values is specified in the search condition in this way, the condition is added so that it becomes a combination of unstructured zero. For example, when the searcher inputs the occupation "midwife", the search query 9 is generated with the logical sum of the occupation "midwife" and the gender "female" as the search condition. As a result, it is possible to prevent the attacker from estimating the search content depending on whether or not the search condition includes the item value of the gender.

For example, "midwife" or "doctor" is set for the occupation of the secret record group 5. Of these, the gender of "midwives" is limited to "female". A searcher who knows this has no reason to specify a gender item value other than the occupation "midwife" as a search condition when examining the number of women whose occupation is a midwife. Therefore, when the occupation "midwife" is specified as a search condition, the gender is not specified.

On the other hand, the gender of a doctor can be both "male" and "female", so for example, when examining the number of women whose occupation is a doctor, the occupation "doctor" and gender "female" are specified as search conditions. Will be done. In addition, when examining the number of people whose occupation is a doctor regardless of gender, only the occupation "doctor" is specified as a search condition.

Then, when the occupation "doctor" is specified as the search condition, the gender may or may not be specified, whereas when the occupation "midwife" is specified as the search condition, the gender is specified. It is never specified. Attackers are also aware of this situation.

For example, the attacker analyzes a large number of search queries 9 transmitted from the data utilization device 3, and determines the type of the ciphertext of the item value for the occupation of the search query 9 and the frequency of specifying the item value for each type. You can get statistics. At this time, if the condition addition process of step S6 is not performed, the attacker can estimate the item value of the occupation. For example, if a profession ciphertext has a certain value and no gender item value is specified, the attacker can presume that the ciphertext is a "midwife" ciphertext. That is, the searcher's attempt to find out the number of midwives is leaked to the attacker.

On the other hand, by performing the condition addition process in step S6, even if the searcher specifies only the occupation "midwife" as the search condition, the occupation "midwife" and the gender "female" are specified in the search query 9. Will be done. As a result, it is possible to prevent the attacker from presuming the content of the item value specified as the occupation depending on whether or not the item value of the gender is specified.

Moreover, the processing unit 3b can randomly determine whether or not to add the second item value. As a result, when the searcher specifies only the occupation "midwife" as the search condition, the designation of the gender "female" is added or not added to the search query 9. By this, even if the frequency of the case where the item value of gender in the search condition is specified and the case where it is not specified is analyzed, it is possible to estimate what the item value specified as the occupation at that time is. Becomes difficult.

Further, when the non-structural zero information 8 is stored in the storage unit 3a of the data utilization device 3, the search condition includes an item value that becomes non-structural zero in combination with another item value. , It is possible to reliably perform additional processing of conditions.

The condition addition process in step S6 is particularly effective when the appearance frequency of each item value of the record in the concealment DB 2a is leveled by the dummy record. For example, in the example of FIG. 1, a plurality of encrypted concealed records and a plurality of encrypted dummy records having a dummy value for leveling the appearance frequency of item values are registered in the concealment DB2a. The frequency of occurrence is leveled in order to deter frequency analysis attacks from attackers. For example, the data registration device 1 makes the appearance frequency of a predetermined number of item values included in the item value groups 4a and 4b uniform. As a result, even if the attacker analyzes the appearance frequency of a certain ciphertext, there are a predetermined number of ciphertexts with the same appearance frequency, and even if the ciphertext is compared with the appearance frequency of the plaintext item value in the secret record group, the ciphertext is displayed. It is not possible to narrow down which plaintext item value corresponds to less than a predetermined number.

At this time, if a search query specifying an item value that constitutes a combination of non-structural zero item values (for example, a search query in which only the occupation "midwife" is specified) is repeatedly transmitted, it corresponds to a certain ciphertext. Candidates for plaintext item values may be narrowed down to less than the specified number. By performing the condition addition process in step S6 in the data utilization device 3, such a search is performed even if a search condition specifying an item value constituting a combination of non-structural zero item values is input. Can be disturbed. As a result, the deterrent effect of frequency analysis attacks by leveling the current frequency can be maintained.

[Second Embodiment]
Next, the second embodiment will be described. The second embodiment effectively utilizes patient data possessed by a large number of medical institutions by using a patient data collection and utilization platform. For example, the patient data collection and utilization platform will integrate data from multiple hospitals into big data so that big data can be used by multiple pharmaceutical companies. This will enable pharmaceutical companies and hospitals to easily grasp surveys for new drug development (number of patients with target diseases, location area, etc.).

It is efficient to realize the patient data collection and utilization platform by using the cloud managed by the ICT (Information and Communications Technology) company. The cloud makes it easier for hospitals and pharmaceutical companies to access big data. However, patient data is sensitive personal information, and even if it is legally permitted to be referred to, it is recommended to keep it secret from the cloud administrator in consideration of the risk of leakage and unintended use. Appropriate. In addition, since the content of the search by the pharmaceutical company is linked to important trade secrets regarding the strategy of the pharmaceutical company, it is desirable to keep the content of the search confidential. Therefore, the cloud that realizes the platform for collecting and utilizing patient data manages the encrypted patient data in the DB by using an encryption method that can be searched while it is encrypted, and also uses the encrypted search keyword. , Perform data search with the ciphertext as it is. As a result, the patient data and the contents of the search query can be kept secret even from the cloud administrator.

Here, when the data of a plurality of organizations (for example, a hospital) are used by the same mechanism, the DB format and the attribute names and values to be stored are disclosed as common specifications. Moreover, the cloud administrator, who is also responsible for system development, is familiar with the concealment algorithm. Then, if there is a malicious person among the cloud administrators, it may not be enough to manage the patient data as a ciphertext.

Here, it is assumed that the data is stored in a matrix format in order to perform an efficient search using a refined search or the like. In this case, for example, in the column labeled with the item "gender", there are only two types of plaintext candidates, "male" and "female", and there are many ciphertexts based on the same plaintext in the concealment DB. Become. And cloud administrators who can be attackers can compare and refer to these ciphertexts.

In addition, large hospitals disclose information such as the number of patients by disease as part of public relations. Similarly, for all information, such frequency information may be published. Therefore, the frequency distribution of all data may be publicly known. In addition, new information is added to medical information every day, and users demand the latest information. Therefore, it is important that the concealment DB can reflect the difference from the latest plaintext DB.

As described above, in the second embodiment, the contents of the concealed DB and the search contents can be concealed from the attacker including the cloud administrator who manages the concealed DB even under the following conditions (i) to (v). Is a security requirement.
(I) The types and values of plaintext are known, and there may be very few types.
(Ii) The attacker can refer to all the ciphertexts existing in the concealment DB, the encrypted search query, and all the ciphertexts in the concealment DB matching the same.
(Iii) Algorithms for encryption and collation other than information (secret key) that is intentionally managed as secret information are known.
(Iv) The frequency distribution of all data is known.
(V) The concealment DB is updated sequentially, and the attacker can refer to the difference information.

When there is a concealed DB that satisfies the conditions (i) to (v), a brute force attack can be considered as an easily assumed attack method. Since there are few types of plaintext and it is publicly known, if the encryption key is known, the attacker encrypts all types of plaintext and creates a plaintext and ciphertext dictionary to create data and search queries in the concealment DB. Can be easily deciphered. Therefore, in order to meet the security requirements, the encryption key must be a private key.

In addition, an attacker who is also the administrator of the concealment DB can refer to the result of the collation determination. Therefore, it can be seen that all the ciphertexts that are determined to match a certain search query correspond to the same plaintext. Therefore, even if the same plaintext is encrypted and a different ciphertext is used each time, an attacker can convert the same plaintext into a deterministic ciphertext in which the same ciphertext is used. Since the attacker knows the frequency distribution of the data, the content of the confidential data can be easily estimated by comparing it with the frequency of the ciphertext. Even if you do not know the frequency distribution accurately, for example, by referring to the gender data of obstetrics and gynecology, you can easily identify the plaintext of the more ciphertext as "female". Therefore, it is important to take measures such as frequency disturbance as well as encryption.

Therefore, in the second embodiment, a confidential information management system capable of concealing the contents of the concealment DB and the search contents from the attacker is provided even under the conditions (i) to (v). In the confidential information management system according to the second embodiment, frequency disturbance is realized by adding dummy data. At this time, the confidential information management system keeps the data growth rate constant and prevents unnecessary storage and search processing from increasing. Then, the confidential information management system is a dummy record so that there are at least k-1 item values (k is an integer of 2 or more) of other types having the same frequency of appearance for one type of item value. To add. As a result, it becomes possible to narrow down only to the fact that a certain ciphertext is one of k plaintexts. That is, the secret information management system makes sure that the number of ciphertexts having the same frequency of appearance is at least k.

FIG. 2 is a diagram showing an example of a confidential information management system. In the second embodiment, the patient data collection and utilization platform 12 is constructed by the cloud. The patient data collection and utilization platform 12 has a data management server 100. The data management server 100 is a computer that manages patient data as a ciphertext. The data management server 100 is connected to the data registration servers 200 and 300 of the hospitals 13 and 14 and the terminal devices 400 and 500 of the pharmaceutical companies 15 and 16 via the network 20.

The data registration server 200 of the hospital 13 is a computer that stores patient data such as an electronic medical record of a patient who has been examined at the hospital 13, encrypts the patient data, and provides the patient data to the data management server 100. Similarly, the data registration server 300 of the hospital 14 accumulates patient data such as an electronic medical record of a patient who has been examined at the hospital 14, encrypts the patient data, and provides the patient data to the data management server 100.

The terminal device 400 of the pharmaceutical company 15 is a computer used by the employees of the pharmaceutical company 15 to search patient data managed by the data management server 100. The terminal device 500 of the pharmaceutical company 16 is a computer used by the employees of the pharmaceutical company 16 to search patient data managed by the data management server 100.

Such a confidential information management system is useful for improving the efficiency of new drug development utilizing medical information, for example. For example, when pharmaceutical companies 15 and 16 conduct a clinical trial, the success rate of the clinical trial can be improved by formulating a plan in consideration of the number of patients with the target disease. Therefore, by centrally managing patient data extracted from the electronic medical records of patients distributed in a large number of hospitals 13 and 14 on the patient data collection and utilization platform 12, it is possible to easily obtain information on patients with the desired disease. Become.

FIG. 3 is a diagram showing an example of a configuration of hardware of a data management server. The entire device of the data management server 100 is controlled by the processor 101. A memory 102 and a plurality of peripheral devices are connected to the processor 101 via a bus 109. The processor 101 may be a multiprocessor. The processor 101 is, for example, a CPU (Central Processing Unit), an MPU (Micro Processing Unit), or a DSP (Digital Signal Processor). At least a part of the functions realized by the processor 101 executing a program may be realized by an electronic circuit such as an ASIC (Application Specific Integrated Circuit) or a PLD (Programmable Logic Device).

The memory 102 is used as the main storage device of the data management server 100. At least a part of an OS (Operating System) program or an application program to be executed by the processor 101 is temporarily stored in the memory 102. Further, various data used for processing by the processor 101 are stored in the memory 102. As the memory 102, a volatile semiconductor storage device such as a RAM (Random Access Memory) is used.

Peripheral devices connected to the bus 109 include a storage device 103, a graphic processing device 104, an input interface 105, an optical drive device 106, a device connection interface 107, and a network interface 108.

The storage device 103 electrically or magnetically writes and reads data to and from the built-in recording medium. The storage device 103 is used as an auxiliary storage device for a computer. The storage device 103 stores an OS program, an application program, and various data. As the storage device 103, for example, an HDD (Hard Disk Drive) or an SSD (Solid State Drive) can be used.

A monitor 21 is connected to the graphic processing device 104. The graphic processing device 104 causes the image to be displayed on the screen of the monitor 21 according to the instruction from the processor 101. The monitor 21 includes a display device using an organic EL (Electro Luminescence), a liquid crystal display device, and the like.

A keyboard 22 and a mouse 23 are connected to the input interface 105. The input interface 105 transmits signals sent from the keyboard 22 and the mouse 23 to the processor 101. The mouse 23 is an example of a pointing device, and other pointing devices can also be used. Other pointing devices include touch panels, tablets, touchpads, trackballs and the like.

The optical drive device 106 reads the data recorded on the optical disk 24 by using a laser beam or the like. The optical disk 24 is a portable recording medium on which data is recorded so that it can be read by reflection of light. The optical disk 24 includes a DVD (Digital Versatile Disc), a DVD-RAM, a CD-ROM (Compact Disc Read Only Memory), a CD-R (Recordable) / RW (ReWritable), and the like.

The device connection interface 107 is a communication interface for connecting peripheral devices to the data management server 100. For example, a memory device 25 or a memory reader / writer 26 can be connected to the device connection interface 107. The memory device 25 is a recording medium equipped with a communication function with the device connection interface 107. The memory reader / writer 26 is a device that writes data to the memory card 27 or reads data from the memory card 27. The memory card 27 is a card-type recording medium.

The network interface 108 is connected to the network 20. The network interface 108 transmits / receives data to / from another computer or communication device via the network 20.

The data management server 100 can realize the processing function of the second embodiment by the hardware configuration as described above. The data registration servers 200, 300 and the terminal devices 400, 500 can also be realized by the same hardware as the data management server 100. Further, the data registration device 1, the server 2, and the data utilization device 3 shown in FIG. 1 can also be realized by the same hardware as the data management server 100.

The data management server 100 realizes the processing function of the second embodiment, for example, by executing a program recorded on a computer-readable recording medium. The program describing the processing content to be executed by the data management server 100 can be recorded on various recording media. For example, a program to be executed by the data management server 100 can be stored in the storage device 103. The processor 101 loads at least a part of the program in the storage device 103 into the memory 102 and executes the program. Further, the program to be executed by the data management server 100 can be recorded on a portable recording medium such as an optical disk 24, a memory device 25, and a memory card 27. The program stored in the portable recording medium can be executed after being installed in the storage device 103 by control from the processor 101, for example. The processor 101 can also read and execute the program directly from the portable recording medium.

Next, a frequency analysis attack against a DB (confidential DB) that stores encrypted data will be described.
FIG. 4 is a diagram showing an example of a frequency analysis attack. It is assumed that the concealment DB 32 is generated based on the DB 31 that stores the plaintext data. For example, the item value for each item included in each record of the DB 31 is individually encrypted and stored in the concealed DB 32. In the second embodiment, the item value set for each item may be referred to as a keyword.

In the example of FIG. 4, it is assumed that encryption is performed by a deterministic encryption technique in which the same encrypted data is generated from the same plaintext. Further, the attacker 33 includes all the item names ("clinical department", "gender", "age group") used in the original DB31 item and all the keyword candidates (keyword list) that can be stored in each item. Suppose you know.

The attacker 33 can infer the plaintext corresponding to the ciphertext by comparing the appearance frequency of the ciphertext with the known frequency information. For example, only two types of values are registered in the second column of the concealment DB 32. Therefore, it can be inferred that the attacker 33 corresponds to the item "gender" in the second column of the concealment DB 32.

Further, the attacker 33 compares the appearance frequencies of the values "tumesf" and "uylgm" in the second column of the concealment DB 32, and can confirm that "uylgm" is more common. Then, the attacker 33 can infer that the "uylgm", which appears more frequently in consideration of the population distribution, is the encrypted data corresponding to the "female".

The attacker 33 can also infer the contents by combining a plurality of item values. For example, the attacker 33 can confirm that the value in the second column corresponding to the value “sEfgsr” in the first column of the concealment DB 32 is only “uylgm”. Then, the attacker 33 can infer that the value only in combination with one gender is "gynecology" in the clinical department, and can be strongly convinced that the plaintext of "uylgm" is "female".

Further, the attacker 33 can confirm that the value in the third column corresponding to the value ": opfyy" in the first column of the concealment DB 32 is only "jr8olt". Then, the attacker can infer that the remaining third column is the age group, the clinical department that has only a combination with a specific age group is "pediatrics", and the corresponding age group is "children".

In the example of FIG. 4, it is assumed that the encryption is performed by deterministic encryption, but a frequency analysis attack is also possible against the confidential DB encrypted by probabilistic encryption. Probabilistic encryption is an encryption technology that encrypts the same plaintext into a different ciphertext each time it is encrypted. When probabilistic encryption is performed, the values of the plurality of ciphertexts generated from the same plaintext are different, so that the frequency of appearance of the original plaintext cannot be counted only by referring to the concealment DB. Therefore, encryption by probabilistic encryption makes frequency analysis attacks more difficult than deterministic encryption.

However, even if probabilistic encryption is used, if the concealed search targeting the concealed DB is allowed, the attacker finds that all the ciphertexts that match the search query are the same plaintext ciphertexts. Those ciphertexts can be converted to deterministic encryption. Therefore, even if probabilistic encryption is used, an attacker can convert a large number of ciphertexts in the concealment DB into deterministic encryption as the data is utilized, and the frequency is the same as when encrypted with deterministic encryption. Analytical attacks are possible.

In this way, the frequency analysis attack is an attack method that infers plaintext by analogy with the appearance frequency of characters and character strings used in plaintext and ciphertext, and snoops on it. Then, when the item value of the original plaintext is biased, the ciphertext that encrypts the plaintext becomes vulnerable to a frequency analysis attack.

Therefore, in order to improve the security against frequency analysis attacks, it is conceivable to use dummy data to disturb the appearance frequency of the original plaintext. At this time, even if the item value (dummy value) of each item in the dummy data is added without considering the type of item value in the original plaintext and the appearance frequency of each item value, the appearance frequency is appropriately disturbed. I can't let you.

For example, by considering the frequency of appearance of item values in the original plaintext data and registering dummy data having dummy values with appropriate contents, reliable frequency disturbance can be realized. In this case, the data registration servers 200 and 300 generate a dummy record group having the same distribution as the frequency distribution of true data, but each value is converted into another value. Each dummy record in this dummy record group is associated with a record of true data and has a one-to-one correspondence. Then, the data registration servers 200 and 300 convert the item value of the record of true data into another item value and set it as the dummy value of the corresponding dummy record. The one that defines this conversion rule is called a conversion set.

The meanings of the characters or terms used in the second embodiment will be described below.
“K” is a preset security parameter, and an integer of 2 or more is set. The system administrator sets k to the minimum number of keywords that an attacker can narrow down when receiving a frequency analysis attack among a plurality of keywords of one item.

"True data" is data stored in a plaintext DB. A "record of true data" is a record that contains keywords in the true data. The record of true data is an example of a secret record of the first embodiment. The "dummy value" is a value added to disturb the frequency distribution of the item values (existing item values) set in the true data. A "dummy record" is a record containing a dummy value. "True value" is a keyword that can be set in the plaintext DB.

“G” is the number of groups, and is also a value indicating how many times the amount of data is multiplied by the plaintext data by adding dummy data. A "group" is a set of multiple records. The set of records of true data is the group "0". A group of G-1 "1, 2, ..., G-1" including the same number of dummy records as the number of records of true data is generated. One G-1 dummy record is generated for one record included in the group "0", and one G-1 dummy record is generated in the group "1, 2, ..., G-1", respectively. Will be added one by one. The "flag" is a value given to each record so that the terminal devices 400 and 500 can distinguish the dummy record.

A "conversion set" is a set containing k or more true values and a dummy element or a split keyword (a keyword generated from one or more true values) for each column (item). The split keyword is an example of the second item value in the first embodiment. The transformation set represents a rule for deciding what value dummy record to add for one true value. The number of elements in the transformation set is equal to the number of groups G. The transformation set is also used to disturb plaintext search queries and restore disturbed search results.

"J" is a column number. j is used as an index for specifying the item of the value registered in the record. "X _j " is the number of types of item values (keywords) that can be set in the field of the jth column in the record.

A "dummy element" is a dummy element to fill in the shortage of elements to be included in the transformation set if X _j is less than G or not a multiple of G. The dummy element is a value that is not included in the keyword list.

Next, a method for registering dummy data in consideration of the frequency of appearance of item values in the original plaintext data will be described.
As an example of the dummy data registration method, a method using a dummy element can be considered. When a dummy element is used, the data registration servers 200 and 300 generate a conversion set with G arbitrarily selected from possible keywords or dummy values of each item as elements. Then, the data registration servers 200 and 300 generate the conversion set until the possible keywords of each item are included as the elements of any one conversion set.

FIG. 5 is a diagram showing an example of generating a transformation set using dummy elements. In the example of FIG. 5, it is assumed that the record of true data includes the items of "blood pressure" and "blood type". In the keyword list 34, keywords that can be set for each item are registered for each item. In the example of FIG. 5, there are 3 types of item values that can be set for "blood pressure" (normal, hypotension, and hypertension), and 8 types of item values that can be set for "blood type" (A +, B +, O +, AB +). , A-, B-, O-, AB-).

In the conversion set list 35 of FIG. 5, when k = 3 and G = 4, the item “blood pressure” having three kinds of keywords and the item “blood type” having eight kinds of keywords correspond to each of the two items. The transformation sets 35a, 35b, 35c generated in the above are shown. For the item "blood pressure", only one conversion set 35a including {normal, hypotension, hypertension, D1} is generated. "D1" is a dummy element. For the item "blood type", a conversion set 35b containing {A +, B +, O +, AB +} as an element and a conversion set 35c containing {A-, B-, O-, AB-} as elements. Two have been generated.

The transformation sets 35a, 35b, and 35c have a circular list structure, and the elements are arranged in order. Each element in the conversion set 35a, 35b, 35c is assigned an element number in ascending order from 0 in order from the beginning. For example, in the conversion set 35a, assuming that the left end in the figure is the head, "normal" is the head element (element number "0"), and "hypotension" is the next element (element number "1"). Since it has a circular list structure, for example, the element next to the last element "D1" is "normal".

The data registration servers 200 and 300 generate a dummy value to be set in the dummy record by converting the keyword of the true data record based on the conversion sets 35a, 35b, 35c. For example, the data registration servers 200 and 300 generate one dummy value to be set in the dummy record in the dummy record group for each dummy record group based on one keyword of the true data record.

FIG. 6 is a diagram showing an example of conversion of item values when a dummy element is used. _For example, the data registration servers 200 and 300 refer to the keyword registered for each item for the record of true data, and specify the conversion set including the keyword and the element ba corresponding to the keyword. a is an element number of an integer of 0 or more, and element b _a is an element of element number a. Then, the data registration servers 200 and 300 convert the dummy values c _{a and g} of the dummy record group of the group number g by the following equation (1) based on the element ba of the keyword included in the true data. To determine by referring to.
c _{a, g} = b _{mod (a + g, G)} (1)
In the example of FIG. 6, it is assumed that the item value appearing in the record of true data is "hypotension". Since there are three dummy record groups (G = 4), the data registration servers 200 and 300 have three dummy record groups (g = 1, 2, 3) based on the conversion set 35a including the keyword “hypotension”. ) Generate a dummy value to be set for each dummy record. First, the data registration servers 200 and 300 acquire the element number "1" (a = 1) in the conversion set 35a of the elements corresponding to the keyword "hypotension".

When the data registration servers 200 and 300 generate dummy values c _1,1 of a dummy record group having a group number "1" (g = 1), they first calculate mod (1 + 1,4) = 2. Then, the data registration servers 200 and 300 use the keyword "hypertension" corresponding to the element b ₂ in the conversion set 35a having the calculated value "2" as the element number, and the dummy record group of the group number "1". Determine the dummy value to be set in.

When the data registration servers 200 and 300 generate the dummy values c1 and ₂ of the dummy record group of the group number "2" (g = 2), they first calculate mod (1 + 2,4) = 3. Then, the data registration servers 200 and 300 set the dummy element "D1" corresponding to the element b ₃ in the conversion set 35a having the calculated value "3" as the element number, and the dummy record of the group number "2". Determine the dummy value to be set for the group.

When the data registration servers 200 and 300 generate the dummy values c 1, ₃ of the dummy record group of the group number "3" (g = 3), first, mod (1 + 3, 4) = 0 is calculated. Then, the data registration servers 200 and 300 use the keyword "normal" corresponding to the element b ₀ in the conversion set 35a whose element number is the calculated value "0", and the dummy record group of the group number "3". Determine the dummy value to be set in.

The relationship between the conversion source and the conversion destination of the keyword as shown in FIG. 6 is an example of the bijective relationship. As long as the bijective relationship is satisfied, the relationship between the conversion source keyword and the conversion destination keyword or dummy element may be defined by a rule different from the example shown in FIG.

The data registration servers 200 and 300 generate dummy values as shown in FIG. 6 for each item value appearing in the true data.
FIG. 7 is a diagram showing an example of generating a dummy value when a dummy element is used. In the example of FIG. 7, in the true data 36, “normal” appears twice and “hypotension” and “hypertension” appear once each as the keyword of the item “blood pressure”. Further, as the item value of the item "blood type", "A +" appears twice, and "O-" and "AB-" appear once each.

Dummy values to be set for each dummy record group are generated based on each of the keywords appearing in the true data 36. For example, based on the blood pressure "normal", the dummy value "hypotension" for the dummy record group of group number 1 (g = 1), the dummy value "hypertension" for the dummy record group of group number 2 (g = 2), A dummy value "D1" for a dummy record group of group number 3 (g = 3) is generated. Further, for example, based on the blood type "A +", the dummy value "B +" for the dummy record group of group number 1 (g = 1) and the dummy value "O +" for the dummy record group of group number 2 (g = 2). , A dummy value "AB +" for a dummy record group of group number 3 (g = 3) is generated.

The data registration servers 200 and 300 allocate the generated dummy values to the dummy records and generate the registration data by encrypting the item values.
FIG. 8 is a diagram showing an example of registration data when a dummy element is used. The registered data 37 includes a record group 37a of the true data 36 and a dummy record group 37b, 37c, 37d. A flag is given to each record in the registration data 37. And the keyword (including the flag value) included in the registration data 37 is encrypted.

The flag value is used to distinguish between a record of true data and a dummy record. For example, a flag value "0" can be set for a record of true data, and a flag value "1" can be set for a dummy record. In this case, when G ≧ 3, the ciphertext (H (1)) having the flag value “1” is larger than the ciphertext (H (0)) having the flag value “0”. Then, the attacker can determine whether the record is a record of true data based on the frequency of occurrence of the ciphertext of the flag value. Therefore, the data registration servers 200 and 300 also disturb the frequency of the ciphertext of the flag value.

For example, the data registration servers 200 and 300 prepare different functions that output different values for the same variable value for each of the true data record group and the dummy record group in order to determine the flag value. Then, the data registration servers 200 and 300 use the value input in the ID column value as the variable x in the prepared function as the flag value.

When the flag value generation function of the group of group number g (record group of true data or dummy record group) is f _g (x), the flag value generation function used in the example of FIG. 8 is as follows. ..
f _g (x) = (G + 1) x + g (2)
In the example of FIG. 8, G = 4. Therefore, the flag value generation function of the record group 37a (group number “0”) of the true data is “f ₀ (x) = 4x + 0”. The flag value generation function of the dummy record group 37b (group number "1") is "f ₁ (x) = 4x + 1". The flag value generation function of the dummy record group 37c (group number "2") is "f ₂ (x) = 4x + 2". The flag value generation function of the dummy record group 37d (group number "3") is "f ₃ (x) = 4x + 3".

At the time of the search, the terminal devices 400 and 500 issue a search query in which the record group 37a of the true data or any one of the dummy record groups 37b, 37c, 37d is designated as the search target. As a response to the search query, the data management server 100 responds with a record that matches the search condition as a search result. At that time, the data management server 100 includes the ID column and the flag value of the flag column in the search result. The terminal devices 400 and 500 input the ID of the record shown in the search result into each of the flag value generation functions for each group, and encrypt the obtained function value. Then, the terminal devices 400 and 500 compare the ciphertext of the function value of the flag value generation function with the flag value (ciphertext) of the record. The terminal devices 400 and 500 determine that the group corresponding to the flag value generation function whose comparison results match is the group to which the record belongs.

In the registration data 37 generated in this way, the appearance frequency of the ciphertexts corresponding to the elements belonging to the same conversion set is made uniform.
FIG. 9 is a diagram illustrating the homogenization of ciphertext. For example, all the keywords that can be set for the blood pressure item belong to one conversion set 35a (see FIG. 5). The frequency of appearance of the keyword "normal" in the true data 36 is "2", the frequency of appearance of the keyword "hypotension" is "1", and the frequency of appearance of the keyword "hypotension" is "1".

In the registration data 37, the frequency of appearance of the ciphertext for each keyword and the value of the dummy element is made uniform. For example, the ciphertext "H (normal)" for the keyword "normal", the ciphertext "H (hypotension)" for the keyword "hypotension", the ciphertext "H (hypotension)" for the keyword "hypotension", and the value of the dummy element. The frequency of appearance of each of the ciphertexts "H (D1)" of "D1" is "4".

As can be seen from the conversion set generation example shown in FIG. 5, each conversion set contains k or more keywords (k = 3 in the example of FIG. 5). Therefore, even if the attacker knows the frequency of occurrence of a specific ciphertext, it cannot identify which of the keywords belonging to the same conversion set is the ciphertext. That is, the attacker can narrow down the candidate keywords corresponding to the ciphertext to only k. As a result, it is more secure against frequency analysis attacks.

In order to narrow down the candidate keywords corresponding to the ciphertext to only k, it is important to appropriately determine the value of the group number G.
FIG. 10 is a diagram illustrating an appropriate group number G. The group number G is determined according to k. As described above, k is a security parameter set in advance so that only k keyword candidates corresponding to the ciphertext can be narrowed down. Therefore, k is determined according to the degree of safety against frequency analysis attacks required for the system.

At this time, there is also an item in which the number of types of keywords that can be set X _j <k. Such an item cannot contain more than k keywords in the conversion set. Therefore, the attacker knows that the keyword corresponding to the ciphertext of the corresponding item is one of X _j (k <) keywords. However, it is publicly known information that the keyword corresponding to the ciphertext of such an item is any of _Xj , and there is no problem even if the attacker knows it. For example, in the example of FIG. 10, there are only two keywords that can be set for the item "gender", "male" or "female". However, the fact that the gender is either "male" or "female" is information that the attacker knows without any problem.

On the other hand, if the number of types of keywords that can be set is X _j ≧ k, it is appropriate to include k or more keywords in the conversion set. Therefore, when there is an item in which X _j is not a multiple of k, the data registration servers 200 and 300 adjust G so that k or more keywords are included in each conversion set.

For example, in the example of "blood type" in FIG. 10, X _j = 4 for k = 3. At this time, if G = 3 as shown in the conversion set list 38, when the searcher searches for "O" or "AB", the attacker who sees the search result finds "O" and "AB". It turns out that it is either of the two. Therefore, in order to include k or more keywords that can be set in the corresponding item for the item of X _j ≧ k in each conversion set, G is determined so that G ≧ k. For example, if G = 4 as in the conversion set list 39, each conversion set contains three or more keywords that can be set for the corresponding items.

FIG. 11 is a diagram showing an example of frequency distribution after frequency disturbance. The frequency distribution table 40 shown in FIG. 11 shows each keyword and dummy after frequency disturbance in a DB having items in which five types of keywords “A”, “B”, “C”, “D”, and “E” can be set. It represents the frequency of appearance of the element value "F". In the example of FIG. 11, G = 3. There are two conversion sets, "A, B, C" and "D, E, F".

The dummy value of the dummy record group of the group number "1" is "A → B", "B → C", "C → A", "D → E", based on the conversion set of the item values of the true data. It is generated by converting "E → F" and "F → D". The dummy value of the dummy record group of the group number "2" is "A → C", "B → A", "C → B", "D → F", based on the conversion set of the item values of the true data. It is generated by converting "E → D" and "F → E".

In true data, the frequency of appearance of "A" is "10", the frequency of appearance of "B" is "7", the frequency of appearance of "C" is "2", and the frequency of appearance of "D" is "1", "E". The appearance frequency of "" is "5", and the appearance frequency of "F" is "0". Then, the appearance frequency of each keyword included in the conversion set "A, B, C" after the frequency disturbance becomes "19". The frequency of appearance of the values of each keyword or dummy element included in the conversion set "D, E, F" after frequency disturbance is "6". That is, the frequency of appearance of item values in the set is made uniform for each set of three item values.

Further, the dummy value of each dummy record group is generated by converting the keyword of true data on a one-to-one basis. Therefore, the degree of variation in the frequency of appearance of keywords does not change. For example, when the values of the frequency of appearance are arranged in descending order of frequency of appearance, it is "10,7,5,2,1,0" in both the record group of true data and the two dummy record groups. In this way, the degree of variation in the appearance frequency of the item values for each dummy record group is equal to the true data for all the dummy record groups. As a result, it becomes difficult to determine which record group is the true data record group from the degree of variation in the frequency of appearance of the keywords. In addition, there is a one-to-one correspondence dummy record for each record of true data in all dummy record groups. Therefore, when deleting a record with true data, by deleting the corresponding dummy record together, it is possible to delete any record of true data while maintaining the confidentiality of the data.

By using the dummy element in this way, it is possible to improve the security against frequency analysis attacks. However, for an attacker who knows the frequency of combination between keywords of a plurality of items, the number of keyword candidates included in the search condition may be narrowed down to less than k.

For example, under Japanese law, only women are midwives. Therefore, there is no record that satisfies the search condition "midwife ∧ male" (∧ is a logical product). When there are no combinations of item values in the real world, these combinations are structurally zero. A searcher who knows the information of structural zero does not bother to specify the item value of the item "gender" as a condition when searching efficiently by the combination of "occupation" and "gender", and "occupation: midwife". Search only by. This is also known to attackers. Then, when a search related to a combination of item values that becomes structural zero is performed, the attacker may narrow down to less than k search keywords included in the search condition.

FIG. 12 is a diagram showing an example of an attack method using structural zero. In the example of FIG. 12, an example of the transformation set list 41 in the case of k = G = 2 is shown. In the conversion set list 41, the conversion set of occupation includes "midwife" and "doctor", and the conversion set of gender includes "male" and "female".

The search condition list 42 shows search conditions that can be generated when performing a combination search of occupation and gender. The search conditions that can be generated are four patterns: "midwife ∧ man", "midwife ∧ woman", "doctor ∧ man", and "doctor ∧ woman".

At this time, it is known that the record satisfying the condition of "midwife ∧ man" corresponds to structural zero, and the corresponding record does not exist. In this case, if a search is performed by designating only the occupation as "midwife", the same search result as the search for "midwife ∧ woman" can be obtained. Then, the search conditions that the searcher may actually enter when performing a search are three patterns of "midwife", "doctor ∧ male", and "doctor ∧ female".

If the attacker also knows the structural zero information, the attacker also knows that the occupation "midwife" does not contain a gender value. Therefore, if a gender value is included, the attacker narrows down the search condition "occupation" to "doctors" other than "midwives." That is, even though the appearance frequency is leveled by dummy data so that the appearance frequency of two or more item values is equalized with k = 2, the item values included in the search condition are narrowed down to less than k by the attacker. Will end up.

Therefore, in the terminal devices 400 and 500, the search condition is disturbed so that the candidates for the values (search keywords) included in the search condition are not narrowed down to less than k.
Here, the inside out of structural zero is a combination that exists in the real world, and such a combination of item values is non-structural zero. For example, structural zero is "midwife ∧ male", while non-structural zero is "midwife ∧ female".

When the search condition is input, the terminal devices 400 and 500 refer to the list of non-structural zero information, and if there is an item value uniquely determined with respect to the input search condition item value, The value is automatically added to the search criteria. For example, when the occupation "midwife" is not specified as the search condition, the terminal devices 400 and 500 add the gender "female" to the search condition by logical product, and the search condition is "midwife ∧ woman".

By disturbing the search conditions in this way, it is possible to suppress the estimation of the search keywords included in the search conditions by the attacker. However, always adding the gender "female" to the occupation "midwife" is not sufficient as an effect of suppressing the estimation of the search keyword.

For example, an attacker knows the algorithm for generating a transformation set and also knows the contents of the transformation set. The attacker also knows the combination of item values that is structurally zero.

Here, in the case of a non-structural zero occupation "doctor", the gender can be either "male" or "female". Therefore, the searcher may or may not set a gender condition, and the correspondence varies. On the other hand, if the gender "female" is always added to the occupation "midwife", the attacker always gives the gender item value by analyzing the pattern regarding the presence or absence of the gender value. It can be determined that the item value of the occupation of the search condition is "midwife". Then, the attacker can narrow down the search keyword candidates included in the search condition to less than k.

Therefore, when the item values included in the search condition are included in the combination of the item values having non-structural zeros, the terminal devices 400 and 500 randomly add the item values so as to be the combination of non-structural zeros. This can disturb the search conditions.

FIG. 13 is a diagram showing an example of disturbance of search conditions. For example, it is assumed that the search condition 43 with the occupation "midwife" as the search keyword is input. At this time, the terminal devices 400 and 500 refer to the non-structural zero information 44 in which the combination of item values that becomes non-structural zero is shown. For example, the non-structural zero information 44 shows that the combination of occupation "midwife" and gender "female" is non-structural zero.

Based on the non-structural zero information 44, the terminal devices 400 and 500 determine that the item value of the search condition 43 corresponds to the non-structural zero when combined with other item values. Then, the terminal devices 400 and 500 randomly add a search keyword of gender "female" to the search condition. As a result of such additional processing of the item value, the search condition 45 for the occupation "midwife" and the gender "female" or the search condition 46 for the occupation "midwife" is randomly generated.

At this time, the terminal devices 400 and 500 may randomly determine the number of search conditions to which the item value is automatically added when a certain number of search conditions to be disturbed are input. The number of search conditions for which an item value is added can be controlled, for example, by the probability of determining that the item value is to be added. The terminal devices 400 and 500 generate a random number between 0 and 1, for example, and use the value of the random number as the probability of determining that the item value is to be added. Then, when the terminal devices 400 and 500 detect a search condition that becomes non-structural zero when combined with other item values, the terminal devices 400 and 500 determine whether or not to add the item values with a probability determined at random. As a result, the number of search conditions for which item values are automatically added becomes random.

Next, the functions of each device of the confidential information management system that disturbs the search conditions and improves the security against frequency analysis attacks will be described.
FIG. 14 is a block diagram showing the functions of the confidential information management system. The data management server 100 has a concealment DB 110, a data registration unit 120, a key provision request unit 130, and a search unit 140. The concealment DB 110 is realized by the memory 102 or the storage device 103 of the data management server 100. The data registration unit 120, the key provision request unit 130, and the search unit 140 are realized by the processor 101 included in the data management server 100.

The concealment DB 110 is a DB that manages the patient data of the ciphertext collected from the data registration servers 200 and 300 as the ciphertext.
The data registration unit 120 registers the patient data of the ciphertext in the concealment DB 110 in response to the data registration request from the data registration servers 200 and 300.

When the key provision request unit 130 receives the key acquisition request from the terminal devices 400 and 500, the key provision request unit 130 transmits the key provision request to the terminal devices 400 and 500 to the data registration servers 200 and 300.
The search unit 140 searches for patient data registered in the concealment DB 110 in response to a data search query including encrypted search keywords from the terminal devices 400 and 500. At this time, the search unit 140 collates the patient data with the search keyword as a ciphertext, and extracts a record matching the search keyword from the concealment DB 110. Then, the search unit 140 transmits the extracted records to the terminal devices 400, 500 that are the transmission sources of the search query.

The data registration server 200 includes a DB 210, a key storage unit 220, a conversion information storage unit 230, a key generation unit 240, a data registration request unit 250, and a key provision unit 260. The DB 210, the key storage unit 220, and the conversion information storage unit 230 are realized by the memory or storage device included in the data registration server 200. Further, the key generation unit 240, the data registration request unit 250, and the key provision unit 260 are realized by the processor included in the data registration server 200.

The DB 210 is a DB that stores patient data in plain text.
The key storage unit 220 stores an encryption key used for encrypting patient data registered in the data management server 100. The encryption key is managed so as not to be accessible from the data management server 100.

The conversion information storage unit 230 stores information used for converting the keyword shown in the record group of true data into a dummy value registered in the dummy record. For example, information such as a conversion set list is stored in the conversion information storage unit 230.

The key generation unit 240 generates an encryption key. The key generation unit 240 stores the generated encryption key in the key storage unit 220.
The data registration request unit 250 transmits a data registration request including a ciphertext of patient data to be registered in the data management server 100 to the data management server 100. For example, the data registration request unit 250 first acquires the patient data to be registered from the DB 210, and processes the patient data according to the format of the concealed DB 110. At this time, the data registration request unit 250 includes dummy data in the data registration request to be transmitted. Dummy data includes multiple dummy records. A dummy value is registered in the dummy record. The data registration request unit 250 converts the value in the true data into a dummy value by using the information stored in the conversion information storage unit 230, and registers the value in the dummy record.

Further, the data registration request unit 250 uses the encryption key to encrypt the value included in the patient data for each item value registered in the concealment DB 110. Then, the data registration request unit 250 transmits a data registration request including the patient data of the ciphertext encrypted for each item value to the data management server 100.

In response to the key provision request from the data management server 100, the key providing unit 260 transmits the encryption key to the terminal devices 400 and 500 of the pharmaceutical company that permit the use of the registered patient data. The key providing unit 260 transmits the encryption key to the terminal devices 400 and 500 without going through the data management server 100. By transmitting the encryption key without going through the data management server 100, the encryption key is isolated from the data management server 100. As a result, the administrator of the data management server 100 is prevented from decrypting the data in the concealed DB 110.

Although the functions of the data registration server 200 have been described above, the data registration server 300 also has the same functions as the data registration server 200.
The terminal device 400 has a key storage unit 410, a conversion information storage unit 420, a key acquisition unit 430, a search request unit 440, and a non-structural zero information storage unit 450. The key storage unit 410, the conversion information storage unit 420, and the non-structural zero information storage unit 450 are realized by the memory or storage device included in the terminal device 400. Further, the key acquisition unit 430 and the search request unit 440 are realized by the processor included in the terminal device 400.

The key storage unit 410 stores the encryption key used for encrypting the search keyword to be included in the search query. The encryption key is managed so as not to be accessible from the data management server 100.
The conversion information storage unit 420 stores information used for converting the keyword shown in the search condition specified by the searcher into a dummy value. The information stored in the conversion information storage unit 420 is the same as the information stored in the conversion information storage unit 230 of the data registration server 200.

The key acquisition unit 430 acquires the encryption key provided by the data registration servers 200 and 300. For example, the key acquisition unit 430 transmits a key acquisition request to the data management server 100. Then, the key provision request unit 130 of the data management server 100 transmits the key provision request to the data registration servers 200 and 300. In response to the key provision request, for example, the key providing unit 260 of the data registration server 200 transmits the encryption key to the terminal device 400. Then, the key acquisition unit 430 acquires the encryption key transmitted from the terminal device 400. The key acquisition unit 430 stores the acquired encryption key in the key storage unit 410.

The search request unit 440 acquires the search keyword input by the user (searcher) of the patient data. Next, the search request unit 440 encrypts the acquired search keyword using the encryption key, and sends a search query including the search keyword of the ciphertext to the data management server 100. When the search request unit 440 receives the search result from the data management server 100, the search request unit 440 displays the content of the search result (for example, the number of records of true data matching the search keyword).

The search request unit 440 can also send a search query targeting dummy data. In that case, the search request unit 440 converts the search keyword into a dummy value using the information stored in the conversion information storage unit 420, and transmits a search query including the encrypted dummy value. In this case, the search request unit 440 extracts a predetermined dummy record from the record shown in the search result, and uses the information stored in the conversion information storage unit 420 to set the dummy value in the dummy record to be true. Convert to the value set in the data. Then, the search request unit 440 displays the contents of the record having the converted value as the search result.

The non-structural zero information storage unit 450 stores information indicating a combination of two or more item values that becomes non-structural zero in the world. The non-structural zero information is used, for example, to determine whether or not the search keyword included in the search condition becomes unstructural zero when combined with other keywords. Non-structural zero information is also used to determine additional search keywords to disturb the search criteria.

Although the functions of the terminal device 400 have been described above, the terminal device 500 also has the same functions as the terminal device 400.
With the function shown in FIG. 14, the patient data is managed by the data management server 100 while the patient data and the contents of the search query are kept secret from the administrator of the data management server 100, and the patients by the pharmaceutical companies 15 and 16 are managed. Data can be made available. The function of each element shown in FIG. 14 can be realized, for example, by causing a computer to execute a program module corresponding to the element.

Next, the outline of the appearance frequency disturbance treatment by the system shown in FIG. 14 will be described.
FIG. 15 is a diagram showing an example of appearance frequency disturbance processing using dummy data. The data registration server 200 transmits the encryption key 51 generated by the key generation unit 240 to the terminal device 400 of the pharmaceutical company (for example, the pharmaceutical company 15) that permits the use of the data 54 (step S11). For example, the key acquisition unit 430 of the terminal device 400 transmits a key acquisition request to the data management server 100. In the data management server 100, the key provision requesting unit 130 requests the data registration server 200 to provide the encryption key 51. Upon receiving the request for providing the encryption key 51, the key providing unit 260 of the data registration server 200 accepts an input indicating permission for the provision of the encryption key 51 by the administrator. When the key providing unit 260 is input to permit the provision of the encryption key 51, the key providing unit 260 acquires the encryption key 51 from the key storage unit 220, and obtains the same encryption key 52 as the acquired encryption key 51 in the data management server 100. Is transmitted to the terminal device 400 without going through. In the terminal device 400, the encryption key 52 received by the key acquisition unit 430 is stored in the key storage unit 410. As a result, the encryption key can be shared between the data registration server 200 and the terminal device 400.

After that, the data registration server 200 adds dummy data 55 to the data 211 in the DB 210 (step S12). For example, the data registration request unit 250 adds a dummy record G-1 times the number of records included in the true data 54 acquired from the DB 210 as the dummy data 55. At this time, the data registration request unit 250 uses the item value set in the true data 54 as the item value (dummy value) of the added dummy record, and reduces the bias of the appearance frequency of each item value. Further, the data registration request unit 250 assigns a flag 56 to each record to identify whether it is a record of true data 54 or a dummy record, and if it is a dummy record, which dummy record group it belongs to.

The data registration request unit 250 encrypts the item values (including flags) in each record of the true data 54 and the dummy data 55 with the encryption key 51 to generate the registration data 53 (step S13). Then, the data registration request unit 250 transmits a data registration request including the registration data 53 to the data management server 100 (step S14). In the data management server 100, the data registration unit 120 receives the registration data 53 and stores the received registration data 53 in the concealment DB 110.

When the person in charge of the pharmaceutical company 15 uses the data 54, the person in charge inputs a search keyword into the terminal device 400 as a search condition. Then, the search request unit 440 performs a non-structural zero disturbance process for the search condition (step S15). For example, when the search keyword shown in the search condition corresponds to non-structural zero when combined with other keywords, the search request unit 440 probabilistically determines whether or not the search keyword is added. Then, when adding a search keyword, the search request unit 440 adds a keyword that becomes non-structural zero by combining with the input search keyword as a search keyword by logical product.

The terminal device 400 encrypts the search keyword in the search requirement subjected to the non-structural zero disturbance processing with the encryption key 52, and generates the search query 57 including the search keyword of the ciphertext (step S16). When the search request unit 440 targets any of the dummy record groups, the search request unit 440 converts the input search keyword into a dummy value corresponding to the search keyword in the dummy record group. Then, the search request unit 440 generates a search query 57 including a value obtained by encrypting the dummy value obtained by the change. Then, the search request unit 440 sends the search query 57 to the data management server 100 (step S17).

In the data management server 100, the search unit 140 collates the registered data 53 with the search query 57 while keeping the data confidential (step S18). Then, the search unit 140 transmits the record hit by the search by the search query 57 to the terminal device 400 as the search result 58 (step S19). The search result 58 includes a record of true data 54 and a dummy record of dummy data 55.

In the terminal device 400, the search request unit 440 receives the search result 58. When the true data 54 is the search target, the search request unit 440 discards the dummy record from the search result 58, for example, based on the flag (step S20). Then, the search request unit 440 displays the true result 59 including only the record of the true data 54 in the search result 58 on a monitor or the like.

When the dummy record group is the search target, the search request unit 440 extracts the dummy record belonging to the dummy record group to be searched from the search result 58, for example, based on the flag, and discards the other records. The search request unit 440 converts the dummy value in the dummy record into the keyword from which the dummy value was generated. Then, the search request unit 440 displays the record including the value converted into the original keyword as the true result 59.

By adding the dummy data 55 in this way, it is possible to disturb the frequency of each item value. Further, when the terminal device 400 performs non-structural zero disturbance processing and an item value that becomes non-structural zero when combined with other item values is input as a search condition, an item constituting non-structural zero It can disturb the search by value.

Next, the plaintext patient data DB 210 possessed by the data registration servers 200 and 300 will be described.
FIG. 16 is a diagram showing an example of a DB of plaintext patient data. The true data 211 is stored in the DB 210 in plain text. In the true data 211, for example, a record for each patient is registered in association with the identifier (ID) of the record. In each record, a keyword corresponding to the item is set in the column for each item. In the example of FIG. 16, there are "clinical department", "gender", "age group", and "occupation" as items. The item value set in the "clinical department" item is the name of the clinical department that the patient visited. The item value set in the "gender" item is the gender of the patient. The item value set in the item of "age group" is the age group corresponding to the age of the patient. The item value set in the "occupation" item is the occupation of the patient. The value in each record registered in the DB 210 is, for example, a plaintext character code.

When the data registration request unit 250 registers the patient record in the data management server 100, the data registration request unit 250 encrypts the value (plain text) set in the record by the deterministic encryption technique. Then, the encrypted record is registered in the concealment DB 110 of the data management server 100. At that time, the data registration request unit 250 refers to the conversion information storage unit 230 and generates dummy data for disturbance against the frequency analysis attack.

FIG. 17 is a diagram showing an example of information stored in the conversion information storage unit. The conversion information storage unit 230 stores the keyword list 231 and the conversion set list 232. The keyword list 231 is data showing a list of keywords that can be set for each item. The conversion set list 232 is data indicating the contents of the conversion set. The conversion set list 232 is data generated by the data registration request unit 250 based on the keyword list 231.

FIG. 18 is a diagram showing an example of a keyword list. In the keyword list 231, a list of keywords that can be set for the corresponding item is registered for each item of the DB 210. In the example of FIG. 18, the number of keywords that can be set in the “gender” item is two, and the number of keywords that can be set in the “age group” item is four. Keywords that can be set in the items of "clinical department" and "occupation" exist in addition to the six keywords shown in FIG. A conversion set list is generated based on the keyword list 231.

FIG. 19 is a diagram showing an example of a list of conversion sets. The conversion set list 232 includes conversion sets 232a to 232g generated for each item. The conversion set list 232 is generated under the conditions of k = 2 and G = 3. Therefore, each of the conversion sets 232a to 232g contains at least k or more elements corresponding to the keywords included in the keyword list. Further, each of the conversion sets 232a to 232g includes G elements including a dummy element.

In the example of FIG. 19, the first conversion set 232a of the clinical department includes "pediatrics", "internal medicine", and "gynecology". The second transformation set 232b of the clinical department includes "surgery", "otolaryngology", and "ophthalmology". The gender conversion set 232c includes "male", "female", and "D1" (dummy element). The first transformation set 232d of the age group includes "old man", "adult", and "D2" (dummy element). The second transformation set 232e of the age group includes "youth", "children", and "D3" (dummy elements). The first conversion set of occupations, 232f, includes "unemployed," "lawyer," and "doctor." The second conversion set of professions, 232g, includes "midwives," "singers," and "wrestlers."

By converting each keyword included in each record of the data 211 registered in the DB 210 according to the conversion set including the corresponding keyword in the conversion set list 232, a dummy value to be set in the dummy record is generated. Then, registration data including a dummy record in which a dummy value is set is generated.

FIG. 20 is a diagram showing an example of registered data. The registered data 60 includes a record group 60a of true data and a dummy record group 60b, 60c. An ID is randomly assigned to each record. A flag is given to each record in the registration data 60. And the keyword (including the flag value) included in the registration data 60 is encrypted. The flag value is generated by the flag value generation function shown in the above equation (2) using a randomly assigned ID.

The data registration request unit 250 sorts the registered data 60 by ID and then registers the registered data 60 in the concealment DB 110 of the data management server 100.
FIG. 21 is a diagram showing an example of a concealment DB. The records registered in the concealment DB 110 are sorted by ID, and true data records and dummy records are mixed and registered.

Next, the procedure of the data registration process will be described in detail.
FIG. 22 is a flowchart showing an example of the procedure of the data registration process. Hereinafter, the process shown in FIG. 22 will be described along with the step numbers.

[Step S101] The data registration request unit 250 receives a setting input of the number of types of item values k having the same appearance frequency. The larger the value of k, the better the security, but the number of dummy records to be registered also increases. Therefore, the value of k is determined by the administrator of the data registration server 200 in consideration of the degree of security against the frequency analysis attack required for the concealment DB 110 and the number of dummy records allowed for the concealment DB 110.

[Step S102] The data registration request unit 250 determines the number of groups G and the number of conversion sets for each item. For example, assuming that the number of types of keywords that can be set for the j-th item in the keyword list is X _j , the optimum group number G _j for the j-th item is the following equation (3) using the floor function and ceiling function. ).

The data registration request unit 250 sets G to the maximum value of X _j obtained for all items. Further, the data registration request unit 250 calculates the number of conversion sets for each item based on the number of groups G. The optimum number of conversion sets M _j for the jth item is expressed by the following equation (4).

[Step S103] The data registration request unit 250 generates conversion sets for the number of conversion sets determined in step S102 for each of the items.
[Step S104] The data registration request unit 250 reads plain text data (a record group of true data) from the DB 210.

[Step S105] The data registration request unit 250 generates dummy data including a dummy record group having a group number G-1 determined in step S102. The details of the dummy data generation process will be described later (see FIG. 23).

[Step S106] The data registration request unit 250 randomly assigns an ID to each of the records of the true data and the dummy data.
[Step S107] The data registration request unit 250 adds a flag to each of the true data record and the dummy record. The data registration request unit 250 assigns a flag to each record, for example, a value calculated by using the flag value generation function shown in the equation (2) as a flag value.

[Step S108] The data registration request unit 250 sorts each record by ID.
[Step S109] The data registration request unit 250 encrypts the sorted record group and registers it in the concealment DB 110. For example, the data registration request unit 250 encrypts each item value in the record, and transmits the record group having the encrypted value to the data management server 100 as registration data. In the data management server 100, the data registration unit 120 receives the registration data and stores the received registration data in the concealment DB 110.

Next, the dummy data generation process will be described in detail.
FIG. 23 is a flowchart showing an example of the procedure of the dummy data generation process. Hereinafter, the process shown in FIG. 23 will be described along with the step numbers.

[Step S121] The data registration request unit 250 acquires the group number G calculated in step S102.
[Step S122] The data registration request unit 250 copies G-1 true data and generates a dummy record group of G-1.

[Step S123] The data registration request unit 250 executes the processes of steps S124 to S126 for all the items of true data.
[Step S124] The data registration request unit 250 executes the process of step S125 for each of all dummy records.

[Step S125] The data registration request unit 250 converts the item value of the dummy record. For example, the data registration request unit 250 selects a conversion set including the item value of the processing target (conversion target item value) in the dummy record from the conversion set corresponding to the item to be processed. Next, the data registration request unit 250 acquires the group number of the dummy record group to which the dummy record to be processed belongs. The data registration request unit 250 cyclically acquires the right element from the conversion set by the group number from the elements corresponding to the conversion target item values in the selected conversion set. Then, the data registration request unit 250 converts the conversion target item value in the dummy record to be converted into the value (dummy value) of the acquired element.

[Step S126] When the processing of step S125 is completed for each of the dummy records, the data registration requesting unit 250 advances the processing to step S127.
[Step S127] The data registration request unit 250 ends the dummy data generation process when the processes of steps S124 to S126 are completed for each of the items.

In this way, dummy data is generated by replacing the item values of the true data with other elements in the transformation set. Then, the data registration request unit 250 encrypts the generated dummy data and the registration data including the flag value and registers them in the concealment DB 110.

A searcher who wants to search the data in the concealment DB 110 inputs a search keyword into the terminal device 400, for example, via a search condition input screen of the terminal device 400.
FIG. 24 is a diagram showing an example of a search condition input screen. On the search condition input screen 61, for example, the name of each item in the DB 210 is set as a search variable. Then, a designated value input area 62 for inputting the designated value of the search variable as a search keyword is provided in association with the search variable. When the searcher inputs the specified value of the item shown as the search variable in the specified value input area 62, the terminal device 400 performs a search using the input specified value as a search keyword.

In the example of FIG. 24, "midwife" is designated as a profession, but gender is not designated. In this case, the search request unit 440 of the terminal device 400 acquires the occupation "midwife" as a search condition. When the search request unit 440 acquires the search condition, the search request unit 440 refers to the non-structural zero information storage unit 450 and performs non-structural zero disturbance processing on the acquired search condition.

FIG. 25 is a diagram showing an example of non-structural zero information stored in the non-structural zero information storage unit. In the example of FIG. 25, the non-structural zero information storage unit 450 stores the non-structural zero information 451 to 453 for each combination of items.

The non-structural zero information 451 is information indicating a combination of item values in which the combination of the item value of occupation and the item value of gender is non-structural zero. For example, the non-structural zero information 451 includes non-structural zeros such as "midwife ∧ woman", "wrestler ∧ man", "professional baseball player ∧ man", "Kabuki actor ∧ man", and "priestess ∧ woman". The combination of item values of is set.

The non-structural zero information 452 is information indicating a combination of item values in which the combination of the item value of the clinical department and the item value of the gender is non-structural zero. For example, in the non-structural zero information 452, a combination of non-structural zero item values of "gynecology ∧ woman" is set.

The non-structural zero information 453 is information indicating a combination of item values in which the combination of the item value of the clinical department and the item value of the age group becomes non-structural zero. For example, in the non-structural zero information 453, a combination of non-structural zero item values of "pediatrics ∧ children" is set.

The combination of the item values shown in the non-structural zero information 451 to 453 has a relation that when the item value of the item on the left side is satisfied, the item value of the item on the right side is satisfied. For example, if the occupation "midwife" is established for a certain patient, the gender "female" is established. That is, the item value on the right side is a necessary condition for the item value on the left side, and the item value on the left side is a sufficient condition for the item value on the right side.

The structural zero information 451a to 453a can be grasped based on the non-structural zero information 451 to 453. The combination of the item values shown in the structural zero information 451a to 453a has a relation that when the item value of the item on the left side is satisfied, the item value of the item on the right side is not satisfied. For example, if the occupation "midwife" is established for a certain patient, the gender "male" is not established.

When the searcher searches for a combination of item values of non-structural zero information 451 to 453, it is sufficient to specify the item values that are sufficient conditions shown on the left side. However, if a search query that always specifies only the item value on the left side is sent to the data management server 100, it is estimated that the item value is one of the item values that are sufficient conditions in the non-structural zero information 451 to 453. Will be done.

Therefore, when the item value on the left side in the combination of the item values of the non-structural zero information 451 to 453 is specified in the search condition, the search request unit 440 sets the corresponding item value on the right side as an additional value and ANDs it. Add additional values to the search criteria. For example, when the occupation "midwife" is specified as shown in FIG. 24, the search request unit 440 generates a search query with the search condition of "midwife ∧ female" to which the gender "female" is added.

FIG. 26 is a flowchart showing an example of the procedure of the search process. Hereinafter, the process shown in FIG. 26 will be described along with the step numbers.
[Step S131] The search request unit 440 acquires a search keyword input as a search condition from the user and an item corresponding to the search keyword as a plaintext search query.

[Step S132] The search request unit 440 determines whether or not the item value of non-structural zero is in the plaintext search query. For example, the search request unit 440 refers to the non-structural zero information 451 to 453, and starts from the item value on the left side (sufficient condition) in the combination of the non-structural zero item values, the item included in the plaintext search query and the item. Search for a value. When the search request unit 440 can detect an item included in the plaintext search query and its item value from the non-structural zero information 451 to 453, the search request unit 440 determines that the item value of the non-structural zero is in the plaintext search query.

The search request unit 440 advances the process to step S133 when the item value of non-structural zero is in the plaintext search query. Further, the search request unit 440 advances the process to step S135 when the item value of non-structural zero is not in the plaintext search query.

[Step S133] The search request unit 440 randomly determines whether or not to add the item values so as to be a combination of the item values of non-structural zero. For example, the search request unit 440 generates a random number of 0 or more and 1 or less, and determines that an item value is added if the generated random number is larger than a preset threshold value (a real number of 0 or more and 1 or less).

The search request unit 440 may randomly determine a threshold value indicating the probability of adding the item value. In this case, the search request unit 440 generates a random number of 0 or more and 1 or less, and uses the generated random number as a threshold value. Next, the search request unit 440 generates a random number of 0 or more and 1 or less, and determines that the item value is added if the generated value is larger than the threshold value. By randomly determining the threshold value, the number of plaintext search queries that add item values when there are many plaintext search queries having non-structural zero item values becomes random.

When the search request unit 440 determines that the item value is to be added, the process proceeds to step S134. Further, when the search request unit 440 determines that the item value is not added, the process proceeds to step S135.

[Step S134] The search request unit 440 adds an item value to the plaintext search query so as to be non-structural zero. For example, the search request unit 440 adds the item value on the right side of the combination of the item values to be non-structural zero detected from the non-structural zero information 451 to 453 in the search in step S132 to the plaintext search query by logical product.

[Step S135] The search request unit 440 generates a conversion set list. For example, the search request unit 440 performs the same processing as the conversion set generation processing for each item in the data registration request unit 250, and generates a conversion set list. The conversion set list generated by the search request unit 440 is the same as the conversion set list generated by the data registration request unit 250.

[Step S136] The search request unit 440 probabilistically selects one group from all the groups including the true data record group and the dummy record group. The search request unit 440 searches for the selected record group. It should be noted that all the dummy record groups in the concealment DB 110 have the same frequency distribution as the true data record group, although the values are different. Therefore, even if the dummy record group is the search target, the correct search result can be obtained by inversely converting the dummy value in the dummy record obtained as the search result according to the conversion set.

By transforming (disturbing) the plaintext search query according to the conversion set in this way, the same result as when searching the plaintext data group can be obtained regardless of which group is searched. Therefore, the number of search queries does not increase while disturbing the search queries. Further, by randomly determining the group to be searched by the search request unit 440, it is possible to prevent the attacker from specifying the group number of each record in the concealment DB due to the bias of the searched group.

[Step S137] The search request unit 440 determines whether or not the dummy record group has been selected. If the search request unit 440 selects a dummy record group, the search request unit 440 advances the process to step S138. Further, if the search request unit 440 selects a record group of true data, the process proceeds to step S143.

[Step S138] The search request unit 440 disturbs the generated plaintext search query based on the conversion set. For example, when the search target item and the split keyword are specified in the plaintext search query, the search request unit 440 first corresponds to the specified split keyword from one or more conversion sets corresponding to the search target item. Identify the transformation set that contains the elements to be. Next, the search request unit 440 acquires the group number of the selected dummy record group. The search request unit 440 periodically acquires the right element from the conversion set by the number of the group number from the elements in the conversion set corresponding to the divided keyword to be searched. Then, the search request unit 440 converts the split keyword to be converted in the plaintext search query into the value (dummy value) of the acquired element.

[Step S139] The search request unit 440 encrypts the plaintext search query converted in step S138 to generate a concealed search query. The search request unit 440 sends the generated concealment search query to the data management server 100.

[Step S140] The search request unit 440 acquires the search result (confidential search result) of the concealed search from the data management server 100. The search request unit 440 extracts only the dummy records belonging to the dummy record group selected in step S137 from the concealment search result. At this time, the search request unit 440 can identify the dummy record belonging to the selected dummy record group based on the flag value of each record. For example, the search request unit 440 uses the flag value generation function corresponding to the selected dummy record group to generate the flag value corresponding to the ID of the record included in the search result. The search request unit 440 encrypts the generated flag value. Then, when the corresponding record has a flag value having the same value as the encrypted flag value, the search request unit 440 determines that the record is a record of the selected group.

[Step S141] The search request unit 440 decodes the item value (dummy value) in the extracted dummy record included in the concealed search result by using the encryption key acquired in advance from the data registration server 200.

[Step S142] The search request unit 440 reversely converts the decoded dummy value of the dummy record belonging to the dummy record group selected in step S137 based on the conversion set, and the search result in which the true value of the plain text is set is set. To restore.

FIG. 27 is a diagram showing an example of the inverse conversion of the dummy value. For example, the search request unit 440 specifies a conversion set including an element corresponding to the dummy value from one or more conversion sets corresponding to the items to which the dummy value belongs. In the example of FIG. 27, it is assumed that the conversion set 232b is specified. Next, the search request unit 440 acquires the group number of the dummy record group selected in step S137. The search request unit 440 periodically acquires the left element from the conversion set 232b by the number of the group number from the elements in the conversion set 232b corresponding to the dummy value.

The relationship of the inverse transformation shown in FIG. 27 is a bijective relationship which is the inverse mapping of the mapping shown in FIG. By performing such an inverse conversion on all the dummy values in the dummy records belonging to the selected dummy record group, the original keyword (true value) corresponding to the dummy value can be obtained. After that, the search request unit 440 advances the process to step S146.

Hereinafter, the description of FIG. 26 will be returned to.
[Step S143] The search request unit 440 encrypts a search query in which a flag value corresponding to a record group of true data is added to the search condition, and sends the search query to the data management server 100.

[Step S144] The search request unit 440 acquires the search result from the data management server 100.
[Step S145] The search request unit 440 decodes the item value in the record of the record group of the true data included in the search result. Note that the search request unit 440 specifies a record (a record of true data) of the selected group, as in step S141.

[Step S146] The search request unit 440 outputs a plaintext search result. The search result is displayed, for example, on the search result display screen.
FIG. 28 is a diagram showing an example of a search result display screen. On the search result display screen 70, for example, a search condition relating to a patient and the number of patients matching the search condition are displayed. Further, on the search result display screen 70, the plain text data of the record hit in the search is displayed.

By such a search, when the search condition includes an item value that becomes unstructural zero in combination with other item values, it disturbs that the item value constitutes unstructural zero. be able to. As a result, the security against frequency analysis attacks from attackers is improved.

[Other embodiments]
In the second embodiment, an example of a confidential search for data possessed by a hospital is shown, but it can also be used in other fields.

Further, in the second embodiment, the data registration servers 200 and 300 and the data management server 100 are separated, but the data registration servers 200 and 300 may have the function of the data management server 100.

Although the embodiment has been illustrated above, the configuration of each part shown in the embodiment can be replaced with another having the same function. Further, any other components or processes may be added. Further, any two or more configurations (features) of the above-described embodiments may be combined.

1 Data registration device 2 Server 2a Concealment DB
3 Data utilization device 3a Storage unit 3b Processing unit 4a, 4b Item value group 5 Confidential record group 6 Dummy record group 7 Registered data 8 Non-structural zero information 9 Search query 10 Search result 11 Display screen

Claims (6)

On the computer
A search condition for a database in which a plurality of records are registered and the value of the second item of the record in which the value of the first item among the plurality of records is the value of the first item is limited to the value of the second item is acquired. ,
When the first item value is specified as the value of the first item in the search condition, the condition that the value of the second item is the second item value is added to the search condition by logical product. ,
A search request program that executes processing. In the addition of the second item value, when it is detected that the first item value is specified as the value of the first item in the search condition, it is randomly determined whether or not to add the second item value. Then, when it is decided to add, the condition that the value of the second item is the value of the second item is added to the search condition by a logical product.
The search request program according to claim 1. In the addition of the second item value,
Based on the non-structural zero information in which the combination of the first item value of the first item and the second item value of the second item is registered, the search item value of the search item included in the search condition is set. Judging whether or not it corresponds to the first item value of the first item,
When the search item value of the search item corresponds to the first item value of the first item, it is determined that the first item value is specified as the value of the first item in the search condition.
When the first item value is specified as the value of the first item in the search condition, the second item value of the second item is acquired from the non-structural zero information.
The condition that the value of the second item obtained from the non-structural zero information is the value of the second item is added to the search condition by a logical product.
The search request program according to claim 1 or 2. In the database, a plurality of secret records in which the item values are encrypted and a plurality of dummy records having a dummy value ciphertext for leveling the appearance frequency of the item values are registered, and the plurality of secret records contain the first. One flag is set, and the second flag is set for the plurality of dummy records.
On the computer,
A search query containing a ciphertext in which each of the first item value and the second item value is encrypted is sent to the server having the database.
The search result by the search query for the database is acquired from the server, and the search result is obtained.
Based on the first flag or the second flag set in each of the secret record and the dummy record included in the search result, the secret record satisfying the search condition is acquired from the search result.
The search request program according to any one of claims 1 to 3, wherein the process is executed. The computer
A search condition for a database in which a plurality of records are registered and the value of the second item of the record in which the value of the first item among the plurality of records is the value of the first item is limited to the value of the second item is acquired. ,
When the first item value is specified as the value of the first item in the search condition, the condition that the value of the second item is the second item value is added to the search condition by logical product. ,
Search request method. A server with a database and
When the value of the first item is the value of the first item, the value of the second item is limited to the value of the second item. And each of the plurality of item values that can be set for each of the second items is classified into one of the item value groups corresponding to at least one for each of the first item and the second item.
Existing set in the first item and the second item of each of the secret records according to the bijective relationship in which each item value in the item value group is bijected to different item values in the same item value group. Convert the item value to a dummy value and
A group of dummy records having the same number of dummy records as the number of secret records whose dummy values are set in the first item and the second item is generated.
Set the first flag indicating true to the secret record, and set it.
A second flag indicating false is set in the dummy record, and the dummy record is set.
The existing item value and the first flag set in the secret record, and the dummy value and the second flag set in the dummy record are encrypted.
A data registration device that stores the secret record group and the dummy record group in the database of the server, and
Acquire the search conditions for the database and
When the first item value is specified as the value of the first item in the search condition, the condition that the value of the second item is the second item value is added to the search condition by logical product. ,
A search query including a ciphertext in which each of the first item value and the second item value is encrypted is sent to the server.
The search result by the search query for the database is acquired from the server, and the search result is obtained.
A data utilization device that acquires the secret record satisfying the search condition from the search result based on the first flag or the second flag set in each of the secret record and the dummy record included in the search result. ,
Confidential information management system with.

Images