JP2022147342A - Secret information management program, secret information management method, data registration device and secret information management system - Google Patents

Abstract

To improve safety for frequency analysis attack of encrypted data.SOLUTION: A data registration device 1 associates each of a plurality of first item values that can be set to one item within a secret record in a secret record group 4 which includes one or more secret record of a secret target, with n (n is a natural number) second item values. Next, the data registration device 1 classifies each of the second item values into a plurality of item value sets 5a-5c such that each of a plurality of item value sets 5a-5c includes any number of one through n-1 of two or more second item values associated with the same first item value. Further, the data registration device 1 stochastically converts the first item value which is set to the secret record to any of the associated second item values, and generates a scrambled record group 6 in which a hit number of searching for the second item value belonging to the same item value set is equalized. Then, the data registration device 1 encrypts the scrambled record group 6.SELECTED DRAWING: Figure 1

Description

The present invention relates to a confidential information management program, a confidential information management method, a data registration device, and a confidential information management system.

Computer systems can handle large amounts of data called big data. For example, if a computer analyzes big data, it is possible to obtain various findings. The larger the amount of big data used for analysis, the more diverse knowledge can be obtained from the big data, and the more reliable the obtained knowledge is. Therefore, instead of constructing a unique database (DB) for big data for each organization such as a company, it is conceivable that a plurality of organizations use a DB that integrates data of a plurality of organizations. Such an integrated DB service can be implemented using, for example, a cloud computing system (hereinafter referred to as "cloud").

When a database that integrates data from multiple organizations is managed in the cloud, the data provider organization may want to limit the use of the provided data to only other organizations that the data provider organization permits. In addition, the organization that provides the data and the organization that uses the data sometimes do not want the cloud administrator to know the contents of the provided data and the contents of searches for the data in the DB. In these cases, a cloud that manages big data receives encrypted data from each organization, for example, and stores the encrypted data in a DB. Then, the cloud searches the data in the DB in response to the search request encrypted with the key passed from the organization that provided the data, using a collation technique that can determine the identity of the encrypted data. As a result, the data provider organization can permit use of the provided data only to the organization that has passed the key. Moreover, in the cloud, since the provided data and the search request remain encrypted, it is possible to prevent the administrator of the cloud from knowing the contents of the data.

As a technique related to concealment of data in a DB, for example, a search system that realizes concealed search that is resistant to frequency analysis has been proposed. A data aggregation analysis system has also been proposed that can improve the processing efficiency of analysis while protecting the privacy of the information provider through encryption.

International Publication No. 2012/115031 International Publication No. 2016/120975

Encrypted data cannot be said to be sufficiently secure even if a confidential search technique is used, which allows searching encrypted data as it is. In other words, a frequency analysis attack is possible against a DB storing encrypted data, and the content of a search query or search results may be inferred.

In one aspect, this application aims to improve security against frequency analysis attacks on encrypted data.

In one proposal, a confidential information management program is provided that causes a computer to perform the following processes.
The computer provides n (n is a natural number) second items for each of a plurality of first item values that can be set for one item in a confidential record in a confidential record group including one or more confidential records to be confidential. Map values. Next, the computer determines that each of the plurality of item value sets is any of 1 to n-1 of the two or more second item values associated with the same first item value. Each second item value is classified into one of a plurality of item value sets so as to contain the item value. Next, the computer probabilistically converts the first item value set in one item in the confidential record to one of the associated second item values. Next, the computer generates a disturbance record group in which the number of search hits for the second item value belonging to the same item value set is equalized by adding a dummy second item value based on the confidential record group. . Next, the computer attaches a flag indicating whether the second item value included in the record is true or false to the record in the disturbance record group. The computer then encrypts the disturbed records.

According to one aspect, security against frequency analysis attacks on encrypted data can be improved.

1 is a diagram showing an example of a confidential information management system according to a first embodiment; FIG. It is a figure which shows an example of a confidential information management system. It is a figure which shows one structural example of the hardware of a data management server. FIG. 11 illustrates an example of a frequency analysis attack; FIG. 10 is a diagram illustrating an example of generating a transformation set using dummy elements; FIG. 10 is a diagram showing an example of conversion of item values when dummy elements are used; FIG. 10 is a diagram showing an example of generating dummy values when dummy elements are used; FIG. 10 is a diagram showing an example of registration data when dummy elements are used; It is a figure explaining equalization of a ciphertext. FIG. 4 is a diagram for explaining an appropriate number of groups G; It is a figure which shows an example of the frequency distribution after frequency perturbation. FIG. 10 is a diagram showing an example of combination frequencies when dummy elements are used; FIG. 10 is a diagram showing an example of narrowing down search targets using structural zeros; It is a figure which shows an example of the probabilistic conversion to a division keyword. FIG. 10 is a diagram showing an example of conversion from a split keyword to a dummy value by a conversion set; FIG. 11 is a first diagram showing another example of generating a transformation set; FIG. 11 is a second diagram showing another example of generating a transformation set; It is a block diagram which shows the function of a confidential information management system. FIG. 10 is a diagram showing an example of disturbance processing of the appearance frequency using dummy data; It is a figure which shows an example of DB of patient data of a plaintext. It is a figure which shows an example of the information stored in the conversion information storage part in a data registration server. It is a figure which shows an example of a keyword list. FIG. 10 is a diagram illustrating a first generation example of a transformation set; FIG. 11 is a diagram illustrating a second generation example of a transformation set; It is a figure which shows an example of the registration data produced|generated using the division|segmentation keyword. It is a figure which shows an example of an anonymization DB. 6 is a flow chart showing an example of a procedure of data registration processing; 9 is a flowchart illustrating an example of the procedure of transformation set generation processing; 7 is a flowchart illustrating an example of a procedure of dummy data generation processing; It is a figure which shows an example of a search condition input screen. It is a figure which shows an example of the information stored in the conversion information storage part in a terminal device. It is a figure which shows an example of conversion into a division keyword. It is a figure which shows an example of generation of a disturbance query. It is a figure which shows an example of search processing. 6 is a flowchart illustrating an example of a search processing procedure; FIG. 10 is a diagram showing an example of inverse transformation of dummy values; It is a figure which shows an example of a search result display screen. It is a figure which shows an example of frequency disturbance by a division|segmentation keyword. FIG. 11 illustrates an example of a frequency analysis attack; It is a figure which shows an example of conversion to a common keyword. FIG. 11 is a first diagram showing another example of generating shared sets; FIG. 12 is a diagram showing an example of information stored in a conversion information storage unit of a data registration server according to the third embodiment; FIG. FIG. 10 is a diagram illustrating an example of generating a shared set; It is a figure which shows an example of the anonymization DB in which the shared keyword was stored. 6 is a flow chart showing an example of a procedure of data registration processing; 10 is a flow chart showing details of a processing procedure for conversion into a shared keyword. It is a figure which shows an example of conversion from a division keyword to a shared keyword. It is a figure which shows an example of the record of registration data. FIG. 12 is a diagram showing an example of information stored in a conversion information storage unit of a terminal device according to the third embodiment; FIG. FIG. 10 is a diagram showing an example of anonymized search queries; FIG. FIG. 11 is a diagram showing an example of anonymized search using shared keywords; 6 is a flowchart illustrating an example of a search processing procedure; FIG. 10 is a diagram showing the difficulty of a frequency analysis attack when using shared keywords; FIG. 10 is a diagram showing an example of a numerical range search; FIG. 11 is a diagram showing an example (comparative example) of generation of a shared set of ages; FIG. 10 is a diagram showing an example of generating a shared set of ages; FIG. 10 is a diagram showing an example of generating a shared set when the number of groups is 3;

Hereinafter, this embodiment will be described with reference to the drawings. It should be noted that each embodiment can be implemented by combining a plurality of embodiments within a consistent range.
[First embodiment]
First, a first embodiment will be described. In the first embodiment, a keyword is stochastically converted into a plurality of divided keywords, and the divided keywords are encrypted and registered in a database (DB), thereby realizing frequency disturbance of keywords managed as secret information. is. A confidential information management method including a method of registering data whose frequency is disturbed in this way and a method of retrieving that data can be called SCPDK (Share Ciphertext with Probabilistically Divided Keywords).

FIG. 1 is a diagram showing an example of a confidential information management system according to the first embodiment. FIG. 1 shows an implementation example of a confidential information management method using a confidential information management system. The confidential information management system has a data registration device 1 , a server 2 and a data utilization device 3 . Each of the data registration device 1, the server 2, and the data utilization device 3 executes a program describing a processing procedure in each device for realizing the confidential information management method, for example. Processing can be performed.

The data registration device 1 has a storage section 1a and a processing section 1b in order to implement a secret information management method. The storage unit 1a is, for example, a memory included in the data registration device 1 or a storage device. The processing unit 1b is, for example, a processor or an arithmetic circuit that the data registration device 1 has. Although not shown, the server 2 and the data utilization device 3 also have a storage section and a processing section. For example, the storage unit of the server 2 stores an anonymization database (DB) 2a.

The storage unit 1a of the data registration device 1 stores a confidential record group 4 including one or more confidential records to be confidential.
The processing unit 1b of the data registration device 1 generates and classifies second item values (step S1). Specifically, the processing unit 1b first selects n ( n is a natural number) is associated with the second item value. In the example of FIG. 1, the first item value "Pediatrics" is associated with the second item values "Pediatrics 0" and "Pediatrics 1", and the first item value "Gynecology" is associated with the second item value "Gynecology 0". , “gynecology 1”, and the first item value “internal medicine” is associated with the second item values “internal medicine 0” and “internal medicine 1”.

It is also permissible for some first item values to have one corresponding second item value. When there is one corresponding second item value, the first item value and the second item value may be the same value.

The processing unit 1b selects any number from 1 to n-1 of two or more second item values associated with the same first item value for each of the plurality of item value sets 5a to 5c Each second item value is classified into one of a plurality of item value sets 5a to 5c so as to include the second item values of . For example, the processing unit 1b classifies "pediatrics 0" and "internal medicine 0" into the item value set 5a, classifies "pediatrics 1" and "gynecology 0" into the item value set 5b, and classifies "gynecology 0" into the item value set 5c. Department 1” and “Internal Medicine 1”. At this time, the processing unit 1b prevents the combination of the first item values corresponding to the belonging second item values from becoming the same in a plurality of item value sets.

Next, the processing unit 1b probabilistically converts the first item value set in one item in the confidential record to one of the associated second item values (step S2). For example, each second item value is set with a randomly determined selection probability. The processing unit 1b selects one of the second item values associated with the first item value with a probability according to the respective selection probabilities, and selects the second item value that selects the first item value. Convert to item value.

Based on the secret record group 4, the processing unit 1b generates a disturbance record group 6 in which the number of search hits for the second item values belonging to the same item value set is equalized by adding dummy second item values. Generate (step S3). For example, the processing unit 1b is set to one item of each confidential record according to a bijective relationship in which each second item value belonging to the item value set is bijected to a different second item value belonging to the same item value set. A dummy value corresponding to each second item value is generated. Next, the processing unit 1b generates a dummy record group having the same number of dummy records as the confidential records, in which one item is set with a dummy value. Then, the processing unit 1b generates a disturbance record group 6 including the secret record group and the dummy record group.

Further, the processing unit 1b attaches a flag indicating whether the second item value included in the record is true or false to the record in the disturbance record group 6 (step S4). For example, the processing unit 1b assigns a first flag indicating true to the confidential record, and assigns a second flag indicating false to the dummy record.

The processing unit 1b encrypts the disturbance record group (step S5). For example, the processing unit 1b encrypts the second item value set to one item of each of the secret record and the dummy record, the first flag given to the secret record, and the second flag given to the dummy record.

Then, the processing unit 1b stores the encrypted disturbance record group 6 in the anonymization DB 2a of the server 2, for example.
In this way, the disturbance record group 6 with improved security against frequency analysis attacks by adding dummy records is stored in the anonymization DB 2 a of the server 2 . The server 2 provides the data utilization device 3 with a search service for the data stored in the anonymization DB 2a.

The data utilization device 3 has information on the item value sets 5a to 5c generated by the data registration device 1 and information indicating the correspondence relationship between the first item values and the second item values. For example, the data utilization device 3 acquires these pieces of information from the data registration device 1 . The data utilization device 3 may also generate second item values based on the first item values and classify the second item values into item value groups using the same algorithm as the processing unit 1b of the data registration device 1 .

The data utilization device 3 receives input of search conditions from the searcher. The search condition indicates, for example, a search item value of one item in the anonymization DB 2a. The data utilization device 3 transmits a search query according to the search conditions to the server 2 . For example, the data utilization device 3 converts the search item value of one item indicated in the search condition into second item values corresponding to the first item value having the same value as the search item value. The data utilization device 3 transmits to the server 2 a search query for searching the second item value obtained by the conversion as it is in encrypted text. For example, the data utilization device 3 transmits to the server 2 a search query including the logical sum of the ciphertexts of the second item values.

The server 2 searches the received search query with the ciphertext as it is. For example, the server 2 compares the ciphertext second item value in the search query with the ciphertext item value of each record in the anonymization DB 2a. The server 2 transmits to the data utilization device 3 search results including records in which item values matching the search item values are set.

The data utilization device 3 acquires from the server 2 the detection record hit by the search query in the anonymization DB 2a. Based on the flag attached to the detected record, the data utilization device 3 judges whether the value that hits the second item value in the detected record is true or false, and displays the true search result.

For example, the data utilization device 3 stores the item value set in one item of each of the confidential records and the dummy records included in the search result, the first flag assigned to the confidential records, and the second flag assigned to the dummy records. Decrypt. Next, the data utilization device 3 removes dummy records from the search results based on the first flag and the second flag, and obtains confidential records that satisfy the search conditions. Then, the data utilization device 3 displays the true search result on the display screen, for example.

In this way, the frequency of appearance of each first item value in the confidential record group 4 can be disturbed, and the security against frequency analysis attacks on the confidential DB 2a can be improved.
Note that, when there are a plurality of dummy record groups, the processing unit 1b sets the dummy record groups so that the second item value set in one item of the confidential record is converted into a different second item value for each dummy record group. Different bijective relations can be used for each This can further improve security against frequency analysis attacks.

The processing unit 1b may set a second flag having a value that is different for each dummy record group that is generated one or more and that is different from the value of the first flag, to each dummy record included in each dummy record group. For example, the processing unit 1b attaches a first flag including a value indicating the identifier of the confidential record and the group number of the confidential record group to the confidential record, and a first flag including the identifier of the dummy record and the group number of the dummy record group to which it belongs. 2 flags are set to dummy records. Thereby, the dummy record group to which the dummy record belongs can be identified based on the value of the second flag. As a result, by inversely converting the second item value in the dummy record to the first item value, it is possible to reproduce the original record based on the dummy record.

The data registration device 1 can also implement frequency disturbance without using dummy records. For example, the processing unit 1b associates the second item value set in one item in the confidential record with the item value set to which the second item value belongs, and determines which second item value belongs to the same item value set. A disturbance record is generated by converting to a third item value that also hits a search for . Then, the processing unit 1b generates a disturbance record group including the generated disturbance records. As a result, the amount of data to be registered in the anonymization DB 2a can be reduced without using dummy records.

When converting the second item value into the third item value, the processing unit 1b gives the disturbance record, for example, a third flag including information indicating the second item value before conversion. The processing unit 1b gives the confidential record a third flag including, for example, the identifier of the confidential record and the element number in the item value set of the element corresponding to the second item value before conversion. Further, the processing unit 1b encrypts the third item value set in one item of the disturbance record and the attached third flag.

The data utilization device 3 can use the third flag to restore the third item value to the original second item value, and acquire the first item value corresponding to the second item value. For example, the data utilization device 3 converts the search item value of one item indicated in the search condition into one or a plurality of second item values corresponding to the first item value having the same value as the search item value, and then converts the second item value to the second item value. Convert the item value to a third item value corresponding to the second item value. The data utilization device 3 then transmits to the server 2 a search query containing the encrypted text of the third item value.

After that, the data utilization device 3 acquires from the server 2 the search result of the search query in the anonymization DB 2a. Next, the data utilization device 3 decodes the third item value and the third flag set in each disturbance record included in the search result. Furthermore, the data utilization device 3 determines the second item value from which the third item value is converted based on the third flag. Then, the data utilization device 3 extracts, from the search result, a disturbance record in which the ciphertext of the second item value corresponding to the first item value that satisfies the search condition is stored.

When the first item value is a numerical value, a sequence of numerical values in the original plaintext of the ciphertext may be analyzed by performing a numerical range search and used to narrow down the search target. When the plurality of first item values are numerical values, the processing unit 1b classifies the second item values into one of the plurality of item value sets 5a to 5c by considering the continuity of the numerical values. For example, when a plurality of first item values are numerical values, the processing unit 1b adds a set of item values that do not overlap with the first numerical range to an item value set that includes second item values corresponding to each of a plurality of continuous numerical values within the first numerical range. A second item value corresponding to each consecutive numeric value within the second numeric range is included. This prevents an attacker from narrowing down candidates for the numerical value to values within a narrow numerical range when a numerical value is searched.

[Second embodiment]
Next, a second embodiment will be described. The second embodiment effectively utilizes patient data possessed by many medical institutions using a patient data collection and utilization platform. For example, the patient data collection and utilization platform integrates data from multiple hospitals into big data so that it can be used by multiple pharmaceutical companies. As a result, pharmaceutical companies and hospitals will be able to easily grasp surveys for new drug development (number of patients with target diseases, location, etc.).

It is efficient to implement the patient data collection and utilization platform using a cloud managed by an ICT (Information and Communications Technology) company. Using the cloud will facilitate access to big data from hospitals and pharmaceutical companies. However, patient data is personal information that requires special care, and even if legally allowed to refer to it, it should be kept confidential even from the cloud administrator in consideration of the risk of leaks and unintended use. Appropriate. In addition, since the content of searches by pharmaceutical companies is linked to important trade secrets related to strategies of pharmaceutical companies, it is desirable to keep the content of searches confidential as well. Therefore, the cloud that realizes the patient data collection and utilization platform manages encrypted patient data in a DB, for example, using an encryption method that allows searching while encrypted, and uses encrypted search keywords. , data retrieval is performed with the ciphertext as it is. As a result, patient data and the content of search queries can be kept secret even from the cloud administrator.

When data of multiple organizations (for example, hospitals) are used with the same mechanism, specifications of the DB format and attribute names and values to be stored are published as common specifications. Moreover, cloud administrators, who are also responsible for system development, are familiar with encryption algorithms. Then, if there is a person with malicious intent among the cloud administrators, it may not be enough to manage patient data as it is in ciphertext.

Here, it is assumed that data is stored in a matrix format in order to perform efficient retrieval using narrowed retrieval or the like. In this case, for example, in the column labeled with the item “gender”, there are only two types of plaintext candidates, “male” and “female”, and there are many ciphertexts based on the same plaintext in the anonymization DB. Become. A cloud administrator, who could be an attacker, can then compare and refer to these ciphertexts.

In addition, large hospitals disclose information such as the number of patients by disease as part of public relations. Similarly, for any information, such frequency information may be published. Therefore, the frequency distribution of all data may be publicly known. For example, the combination frequency of the values of multiple items (the number of men with lung cancer, etc.) can also be publicly known. In addition, new information is added to medical information on a daily basis, and users demand the latest information. Therefore, it is important that the anonymization DB can reflect the difference from the latest plaintext DB sequentially.

As described above, in the second embodiment, even under the following conditions (i) to (v), the content of the anonymization DB and the search content can be concealed from attackers including the cloud administrator who manages the anonymization DB. is a security requirement.
(i) Plaintext types and values are publicly known, and there may be cases where there are very few types.
(ii) An attacker can refer to all ciphertexts and encrypted search queries existing in the anonymization DB and all matching ciphertexts in the anonymization DB.
(iii) Algorithms for encryption and verification other than information (secret key) intentionally managed as secret information are publicly known.
(iv) The frequency distribution of all data, including combinations, is publicly known.
(v) The anonymization DB is updated sequentially, and the attacker can refer to the difference information.

When there is an anonymized DB that satisfies the conditions (i) to (v), a brute force attack can be considered as an attack method that can be easily assumed. Since the types of plaintext are few and publicly known, if the encryption key is known, an attacker can encrypt all types of plaintext and create a dictionary of plaintext and ciphertext. can be easily deciphered. Therefore, in order to satisfy the security requirements, the encryption key should be a private key.

In addition, the attacker who is also the administrator of the anonymization DB can refer to the result of the collation determination. Therefore, it turns out that all the ciphertexts determined to match a certain search query correspond to the same plaintext. Therefore, even if a probabilistic cipher is used in which even the same plaintext has different ciphertexts each time it is encrypted, an attacker can convert the same plaintext into ciphertexts such as deterministic ciphers in which the same ciphertexts are the same. Since the attacker knows the frequency distribution of the data, he/she can easily estimate the content of the secret data by comparing it with the frequency of the ciphertext. Even if the frequency distribution is not accurately known, for example, by referring to gynecological sex data, it is easy to identify that the plaintext of the more frequent ciphertexts is "female." Therefore, it is important to take countermeasures such as frequency disturbance in addition to encryption.

Therefore, the second embodiment provides a confidential information management system that can conceal the contents of the anonymized DB and the search contents from an attacker even under the conditions (i) to (v). In the confidential information management system according to the second embodiment, frequency disturbance is realized by adding dummy data. At this time, the secret information management system keeps the data growth rate constant to prevent unnecessary increases in storage and search processing. By adding a dummy record, the secret information management system suppresses narrowing down of other types of item values that have similar appearance frequencies to one type of item value. For example, the secret information management system prevents an attacker from easily narrowing down candidates for item values specified by a search query based on the number of records hit by the search query.

FIG. 2 is a diagram showing an example of a confidential information management system. In the second embodiment, the patient data collection and utilization platform 12 is constructed by cloud. The patient data collection and utilization platform 12 has a data management server 100 . The data management server 100 is a computer that manages patient data in encrypted form. The data management server 100 is connected to data registration servers 200 and 300 of hospitals 13 and 14 and terminal devices 400 and 500 of pharmaceutical companies 15 and 16 via a network 20 .

The data registration server 200 of the hospital 13 is a computer that accumulates patient data such as electronic medical charts of patients who have been examined at the hospital 13 , encrypts the patient data, and provides the data management server 100 with the encrypted patient data. Similarly, the data registration server 300 of the hospital 14 accumulates patient data such as electronic medical charts of patients examined at the hospital 14 , encrypts the patient data, and provides the data management server 100 with the encrypted patient data.

The terminal device 400 of the pharmaceutical company 15 is a computer used by employees of the pharmaceutical company 15 to retrieve patient data managed by the data management server 100 . A terminal device 500 of the pharmaceutical company 16 is a computer used by an employee of the pharmaceutical company 16 to retrieve patient data managed by the data management server 100 .

Such a secret information management system is useful, for example, in improving the efficiency of new drug development utilizing medical information. For example, when the pharmaceutical companies 15 and 16 conduct a clinical trial, they can improve the success rate of the clinical trial by considering how many patients with the target disease are present in the plan. Therefore, by centrally managing the patient data extracted from the patient's electronic medical records distributed in many hospitals 13 and 14 on the patient data collection and utilization platform 12, it is possible to easily obtain the information of the patient with the target disease. Become.

The data registration servers 200 and 300 are examples of the data registration device 1 in the first embodiment. The data management server 100 is an example of the server 2 in the first embodiment. Terminal devices 400 and 500 are examples of data utilization device 3 in the first embodiment.

FIG. 3 is a diagram showing a configuration example of hardware of the data management server. The data management server 100 is entirely controlled by a processor 101 . A memory 102 and a plurality of peripheral devices are connected to the processor 101 via a bus 109 . Processor 101 may be a multiprocessor. The processor 101 is, for example, a CPU (Central Processing Unit), MPU (Micro Processing Unit), or DSP (Digital Signal Processor). At least part of the functions realized by the processor 101 executing the program may be realized by an electronic circuit such as an ASIC (Application Specific Integrated Circuit) or a PLD (Programmable Logic Device).

The memory 102 is used as the main storage device of the data management server 100 . The memory 102 temporarily stores at least part of an OS (Operating System) program and application programs to be executed by the processor 101 . In addition, the memory 102 stores various data used for processing by the processor 101 . As the memory 102, for example, a volatile semiconductor memory device such as a RAM (Random Access Memory) is used.

Peripheral devices connected to the bus 109 include a storage device 103 , a GPU (Graphics Processing Unit) 104 , an input interface 105 , an optical drive device 106 , a device connection interface 107 and a network interface 108 .

The storage device 103 electrically or magnetically writes data to and reads data from a built-in recording medium. The storage device 103 is used as an auxiliary storage device for the computer. The storage device 103 stores an OS program, application programs, and various data. As the storage device 103, for example, an HDD (Hard Disk Drive) or an SSD (Solid State Drive) can be used.

A monitor 21 is connected to the GPU 104 . The GPU 104 displays an image on the screen of the monitor 21 according to instructions from the processor 101 . GPU 104 is sometimes called a graphics controller. Examples of the monitor 21 include a display device using an organic EL (Electro Luminescence), a liquid crystal display device, and the like.

A keyboard 22 and a mouse 23 are connected to the input interface 105 . The input interface 105 transmits signals sent from the keyboard 22 and mouse 23 to the processor 101 . Note that the mouse 23 is an example of a pointing device, and other pointing devices can also be used. Other pointing devices include touch panels, tablets, touchpads, trackballs, and the like.

The optical drive device 106 reads data recorded on the optical disc 24 using laser light or the like. The optical disc 24 is a portable recording medium on which data is recorded so as to be readable by light reflection. The optical disc 24 includes DVD (Digital Versatile Disc), DVD-RAM, CD-ROM (Compact Disc Read Only Memory), CD-R (Recordable)/RW (ReWritable), and the like.

The device connection interface 107 is a communication interface for connecting peripheral devices to the data management server 100 . For example, the device connection interface 107 can be connected to the memory device 25 and the memory reader/writer 26 . The memory device 25 is a recording medium equipped with a communication function with the device connection interface 107 . The memory reader/writer 26 is a device that writes data to the memory card 27 or reads data from the memory card 27 . The memory card 27 is a card-type recording medium.

Network interface 108 is connected to network 20 . Network interface 108 transmits and receives data to and from other computers or communication devices via network 20 .

The data management server 100 can implement the processing functions of the second embodiment with the hardware configuration described above. The data registration servers 200 and 300 and the terminal devices 400 and 500 can also be realized by hardware similar to the data management server 100. FIG. Further, the data registration device 1, the server 2, and the data utilization device 3 shown in FIG. 1 can also be realized by hardware similar to the data management server 100.

The data management server 100 implements the processing functions of the second embodiment by executing a program recorded in a computer-readable recording medium, for example. A program describing the contents of processing to be executed by the data management server 100 can be recorded in various recording media. For example, a program to be executed by the data management server 100 can be stored in the storage device 103 . The processor 101 loads at least part of the program in the storage device 103 into the memory 102 and executes the program. The program to be executed by the data management server 100 can also be recorded in a portable recording medium such as the optical disk 24, memory device 25, memory card 27, or the like. A program stored in a portable recording medium can be executed after being installed in the storage device 103 under the control of the processor 101, for example. Alternatively, the processor 101 can read and execute the program directly from the portable recording medium.

Next, a frequency analysis attack on a DB (anonymized DB) that stores encrypted data will be described.
FIG. 4 is a diagram showing an example of a frequency analysis attack. It is assumed that an anonymization DB 32 is generated based on the DB 31 that stores plaintext data. For example, an item value for each item included in each record of the DB 31 is individually encrypted and stored in the anonymization DB 32 . Note that in the second embodiment, the item value set for each item may be called a keyword.

In the example of FIG. 4, it is assumed that encryption is performed by a deterministic encryption technique that generates the same encrypted data from the same plaintext. In addition, the attacker 33 obtains all the item names (“medical department”, “sex”, “age group”) used in the items of the original DB 31 and keyword candidates (keyword list) that can be stored in each item. assume you know.

The attacker 33 can infer the plaintext corresponding to the ciphertext by comparing the appearance frequency of the ciphertext and known frequency information. For example, only two types of values are registered in the second column of the anonymization DB 32 . Therefore, it can be inferred that the attacker 33 corresponds to the item “sex” in the second column of the anonymization DB 32 .

Furthermore, the attacker 33 can compare the frequency of appearance of the values "tmuesf" and "uylgm" in the second column of the anonymization DB 32 and confirm that "uylgm" is more common. Then, the attacker 33 can infer that "uylgm", which appears more frequently, is the encrypted data corresponding to "woman", considering the population distribution.

The attacker 33 can also infer the contents by combining multiple item values. For example, the attacker 33 can confirm that the second column value corresponding to the first column value "sEfgsr" in the anonymization DB 32 is only "uylgm". Then, the attacker 33 can infer that the value with only one gender combination is "Gynecology" in the clinical department, and can be strongly convinced that the plaintext of "uylgm" is "female".

Also, the attacker 33 can confirm that the third column value corresponding to the first column value ":opfyy" in the anonymization DB 32 is only "jr8olt". Then, the attacker 33 can infer that the remaining third column is the age group, the clinical department that is only combined with a specific age group is "Pediatrics", and the corresponding age group is "Children".

In the example of FIG. 4, it is assumed that the DB is encrypted by deterministic encryption, but a frequency analysis attack is also possible for an anonymized DB encrypted by probabilistic encryption. Probabilistic encryption is an encryption technology that encrypts the same plaintext into different ciphertext each time it is encrypted. When probabilistic encryption is performed, multiple ciphertexts generated from the same plaintext have different values, so the appearance frequency of the original plaintext cannot be counted simply by referring to the encryption DB. Therefore, encryption using probabilistic encryption makes frequency analysis attacks more difficult than deterministic encryption.

However, even if probabilistic encryption is used, if anonymized searches for anonymized DBs are allowed, the attacker 33 will be able to find that all the ciphertexts that match the search query are the same plaintext ciphertexts. , their ciphertexts can be transformed into deterministic ciphers. Therefore, even if the probabilistic encryption is used, the attacker 33 can convert a large number of ciphertexts in the anonymization DB into deterministic encryption as the data is used, and the same as the encryption with the deterministic encryption A frequency analysis attack becomes possible.

In this way, the frequency analysis attack is an attack technique in which the appearance frequency of characters and character strings used in plaintext and ciphertext is used as a clue to infer the plaintext and to steal a glance. If the item values of the original plaintext are biased, the ciphertext obtained by encrypting the plaintext becomes vulnerable to frequency analysis attacks.

Therefore, in order to increase security against frequency analysis attacks, it is conceivable to use dummy data to disturb the appearance frequency of the original plaintext. At this time, even if the item value (dummy value) of each item in the dummy data is added without considering the type of item value in the original plaintext and the appearance frequency of each item value, the appearance frequency is appropriately disturbed. I can't let you.

For example, by registering dummy data having dummy values with appropriate contents in consideration of the appearance frequency of item values in the original plaintext data, reliable frequency disturbance can be realized. In this case, the data registration servers 200 and 300 generate a group of dummy records having the same distribution as the true data frequency distribution, but in which each value is converted to a different value. Each dummy record in this dummy record group is linked to a record of true data and corresponds one-to-one. Then, the data registration servers 200 and 300 convert the item value of the true data record into another item value and set it as the dummy value of the corresponding dummy record. A set of transformation rules is called a transformation set.

The meanings of characters and terms used in the second embodiment will be explained below.
“k” is a preset security parameter and is set to an integer of 2 or more. The system administrator sets k to be the minimum number of keywords that the attacker 33 can narrow down when subjected to a frequency analysis attack, among a plurality of keywords for one item.

"True data" is data stored in the plaintext DB. A "true data record" is a record that contains keywords in the true data. Note that the true data record is an example of the confidential record of the first embodiment. A "dummy value" is a value added to disturb the frequency distribution of true data. A "dummy record" is a record that contains dummy values. "True value" is a keyword that can be set in the plaintext DB. A true value is an example of the first item value in the first embodiment.

"G" is the number of groups, and is also a value indicating how many times the amount of data becomes the plaintext data due to the addition of dummy data. A "group" is a set of multiple records. The set of true data records is group "0". G−1 groups “1, 2, . G−1 dummy records are generated for one record included in group “0”, and G−1 dummy records are assigned to group “1, 2, . . . , G−1” respectively. added one by one. A "flag" is a value given to a dummy record so that the terminal devices 400 and 500 can distinguish the dummy record.

A “transformation set” is a set including true values, split keywords (one or more keywords generated from true values), or dummy elements for each column (item). The conversion set expresses rules for determining what values of dummy records to add for one true value. The number of elements in the transformation set is equal to the number G of groups. Transformation sets are also used to perturb split queries and restore anonymized search results.

"j" is the column number. j is used as an index specifying the item of the value registered in the record. “X _j ” is the number of types of item values (keywords) that can be set in the field of the j-th column in the record.

A "dummy element" is a dummy element to fill in the missing elements for inclusion in the transform set when X _j is less than G or not a multiple of G. A dummy element is a value that is not included in the keyword list.

Next, a method of registering dummy data in consideration of the appearance frequency of item values in the original plaintext data will be described.
As an example of a method of registering dummy data, a method using dummy elements is conceivable. When dummy elements are used, the data registration servers 200 and 300 generate a conversion set with G arbitrarily selected keywords or dummy values of each item as elements. Then, the data registration servers 200 and 300 generate conversion sets until one of the possible keywords of each item is included as an element of the conversion set.

FIG. 5 is a diagram illustrating an example of generating a transformation set using dummy elements. In the example of FIG. 5, it is assumed that the true data record includes the items "blood pressure" and "blood type." Keywords that can be set for each item are registered in the keyword list 34 . In the example of FIG. 5, there are three types of item values (normal, hypotensive, hypertensive) that can be set for "blood pressure", and eight types (A+, B+, O+, AB+) that can be set for "blood type". , A-, B-, O-, AB-).

In the conversion set list 35 of FIG. 5, in the case of k=3 and G=4, there are two items corresponding to the item "blood pressure" having three types of keywords and the item "blood type" having eight types of keywords. Transformation sets 35a, 35b, 35c generated by For the item "blood pressure", only one conversion set 35a including {normal, low blood pressure, high blood pressure, D1} as elements is generated. "D1" is a dummy element. For the item "blood type", a transformation set 35b containing {A+, B+, O+, AB+} as elements and a transformation set 35c containing {A-, B-, O-, AB-} as elements. Two are generated.

The conversion sets 35a, 35b, and 35c have a circular list structure, and the elements are arranged in order. Each element in the transformation sets 35a, 35b, and 35c is assigned an element number in ascending order from 0, starting from the top. For example, in the conversion set 35a, "normal" is the first element (element number "0") and "hypotension" is the next element (element number "1"), starting from the left end in the figure. Because of the circular list structure, for example, the element following the last element "D1" is "normal".

The data registration servers 200 and 300 generate dummy values to be set in dummy records by converting the keywords of the true data records based on the conversion sets 35a, 35b, and 35c. For example, the data registration servers 200 and 300 generate one dummy value to be set in the dummy record in each dummy record group based on one keyword of the true data record.

FIG. 6 is a diagram showing an example of conversion of item values when dummy elements are used. For example, the data registration servers 200 and 300 refer to the keyword registered for each item of the true data record, and identify the conversion set containing the keyword and the element b _a corresponding to the keyword. a is an integer element number equal to or greater than 0, and the element b _a is the element with the element number a. Then, the data registration servers 200 and 300 convert the dummy values c _{a ,g} of the dummy record group with the group number g to to determine.
c _a,g =b _mod(a+g,G) (1)
In the example of FIG. 6, it is assumed that the item value appearing in the true data record is "hypotension". Since there are three dummy record groups (G=4), the data registration servers 200 and 300 create three dummy record groups (g=1, 2, 3 ) generate a dummy value to set in each dummy record. First, the data registration servers 200 and 300 acquire the element number "1" (a=1) in the conversion set 35a of the element corresponding to the keyword "hypotension".

When the data registration servers 200 and 300 generate the dummy value c _1,1 of the dummy record group with the group number “1” (g=1), first, mod (1+1,4)=2 is calculated. Then, the data registration servers 200 and 300 register the keyword "hypertension" corresponding to the element b2 in the conversion set 35a with the calculated value " ₂ " as the element number into the dummy record group with the group number "1". Decide on a dummy value to be set to

The data registration servers 200 and 300 first calculate mod (1+2,4)=3 when generating the dummy value _c1,2 of the dummy record group with the group number "2" (g=2). Then, the data registration servers 200 and 300 register the dummy element "D1" corresponding to the element b3 in the conversion set 35a whose element number is the calculated value " ₃ " as the dummy record of the group number "2". Determine the dummy value to be set for the group.

The data registration servers 200 and 300 first calculate mod (1+3,4)=0 when generating the dummy value _c1,3 of the dummy record group with the group number "3" (g=3). Then, the data registration servers 200 and 300 register the keyword "normal" corresponding to the element b ₀ in the conversion set 35a with the calculated value "0" as the element number into the dummy record group with the group number "3". Decide on a dummy value to be set to

Note that the relationship between the conversion source and the conversion destination of a keyword as shown in FIG. 6 is an example of a bijective relationship. As long as the bijective relationship is satisfied, the relationship between the conversion-source keyword and the conversion-destination keyword or dummy element may be defined by rules other than the example shown in FIG.

The data registration servers 200 and 300 generate dummy values as shown in FIG. 6 for each item value appearing in the true data. In the following description, a ciphertext corresponding to a certain plaintext is represented as H (plaintext).

FIG. 7 is a diagram illustrating an example of generating dummy values when dummy elements are used. In the example of FIG. 7, in the true data 36, "normal" appears twice as a keyword for the item "blood pressure", and "hypotension" and "hypertension" appear once each. As the item value of the item "blood type", "A+" appears twice, and "O-" and "AB-" appear once each.

A dummy value to be set in each dummy record group is generated based on each keyword appearing in the true data 36 . For example, based on the blood pressure “normal”, the dummy value “hypotension” for the dummy record group of group number 1 (g=1), the dummy value “hypertension” for the dummy record group of group number 2 (g=2), A dummy value "D1" for a dummy record group with group number 3 (g=3) is generated. Also, for example, based on the blood type "A+", the dummy value "B+" for the dummy record group of group number 1 (g=1) and the dummy value "O+" for the dummy record group of group number 2 (g=2) , a dummy value "AB+" for a dummy record group with group number 3 (g=3) is generated.

The data registration servers 200 and 300 assign the generated dummy values to the dummy records and encrypt the item values to generate registration data.
FIG. 8 is a diagram showing an example of registration data when dummy elements are used. The registered data 37 includes a record group 37a of true data 36 and dummy record groups 37b, 37c, and 37d. Each record in the registration data 37 is given a flag. Keywords (including flag values) included in the registration data 37 are encrypted.

The flag value is used to distinguish between true data records and dummy records. For example, a true data record can be set with a flag value of "0", and a dummy record can be set with a flag value of "1". In this case, when G≧3, there are more ciphertexts (H(1)) with flag value “1” than ciphertexts (H(0)) with flag value “0”. Then, the attacker 33 can determine whether the record is a true data record based on the appearance frequency of the ciphertext of the flag value. Therefore, the data registration servers 200 and 300 perform frequency perturbation on the ciphertext of the flag value as well.

For example, the data registration servers 200 and 300 can use the group number of the group to which each record belongs as the flag of that record, as shown in FIG. Since the number of records belonging to each group is equal, this ensures that all flag values appear with equal frequency.

In order to determine the flag value, the data registration servers 200 and 300 may prepare different functions for outputting different values for the same variable value for each of the true data record group and the dummy record group. good. In this case, the data registration servers 200 and 300 use the value obtained by inputting the value of the ID column as the variable x into the prepared function as the flag value.

Assuming that the flag value generation function of the group of group number g (true data record group or dummy record group) is f _g (x), for example, the following flag value generation function can be used.
f _g (x)=(G+1)x+g (2)
In the example of FIG. 8, G=4. Therefore, the flag value generation function of the true data record group 37a (group number "0") is "f ₀ (x)=4x+0". The flag value generation function of the dummy record group 37b (group number "1") is "f ₁ (x)=4x+1". The flag value generation function of the dummy record group 37c (group number "2") is "f ₂ (x)=4x+2". The flag value generation function of the dummy record group 37d (group number "3") is "f ₃ (x)=4x+3".

When searching, the terminal devices 400 and 500 issue a search query specifying the true data record group 37a or any one of the dummy record groups 37b, 37c, and 37d as a search target. As a response to the search query, the data management server 100 responds with records matching the search conditions as search results. At that time, the data management server 100 includes the ID column and the flag value of the flag column in the search result. The terminal devices 400 and 500 input the ID of the record shown in the search result to each flag value generation function for each group, and encrypt the obtained function value. Terminal devices 400 and 500 then compare the ciphertext of the function value of the flag value generating function with the flag value (ciphertext) of the record. The terminal devices 400 and 500 determine that the group corresponding to the flag value generation function with which the comparison results match is the group to which the record belongs.

In the registration data 37 generated in this manner, the frequency of appearance of ciphertexts corresponding to elements belonging to the same transformation set is made uniform.
FIG. 9 is a diagram for explaining uniformization of ciphertexts. For example, all the keywords that can be set for the blood pressure item belong to one conversion set 35a (see FIG. 5). The appearance frequency of the keyword "normal" in the true data 36 is "2", the appearance frequency of the keyword "hypotension" is "1", and the appearance frequency of the keyword "hypertension" is "1".

In the registration data 37, the frequency of appearance of each ciphertext for each keyword and dummy element value is uniformed. For example, the ciphertext "H (normal)" for the keyword "normal", the ciphertext "H (low blood pressure)" for the keyword "hypotension", the ciphertext "H (hypertension)" for the keyword "hypertension", and the value of the dummy element The frequency of occurrence of each of the ciphertexts "H(D1)" of "D1" is "4".

As can be seen from the conversion set generation example shown in FIG. 5, each conversion set includes k (k=3 in the example of FIG. 5) or more keywords. Therefore, even if the attacker 33 knows the appearance frequency of a specific ciphertext, it is impossible to specify which keyword of the keywords belonging to the same transformation set the ciphertext belongs to. That is, the attacker 33 can only narrow down the number of keyword candidates corresponding to the ciphertext to k. As a result, security against frequency analysis attacks is improved.

It should be noted that it is important to appropriately determine the value of the number of groups G so that the number of keyword candidates corresponding to the ciphertext can be narrowed down to k.
FIG. 10 is a diagram illustrating an appropriate number G of groups. The number of groups G is determined according to k. As described above, k is a security parameter set in advance so that the number of keyword candidates corresponding to the ciphertext can be narrowed down to k. Therefore, k is determined according to the degree of security required for the system against frequency analysis attacks.

At this time, there are also items where the number of types of settable keywords X _j <k. Such an item cannot contain more than k keywords in the transform set. Therefore, the attacker 33 knows that the keyword corresponding to the ciphertext of the corresponding item is one of the X _j (k<) keywords. However, it is publicly known information that the keyword corresponding to the ciphertext of such an item is one of X _j pieces, and there is no problem even if the attacker 33 knows it. For example, in the example of FIG. 10, there are only two keywords, "male" and "female", that can be set for the item "sex". However, there is no problem even if the attacker 33 knows that the gender is either "male" or "female".

On the other hand, if the number of types of settable keywords X _j ≥k, it is appropriate to include k or more keywords in the conversion set. Therefore, if there are items where X _j is not a multiple of k, the data registration servers 200 and 300 adjust G so that k or more keywords are included in each conversion set.

For example, in the "blood type" example of FIG. 10, X _j =4 for k=3. At this time, if G = 3 as in the conversion set list 38, when the searcher searches for "O" or "AB", the attacker 33 who sees the search results will see that the search targets are "O" and "AB ”, it will be understood that it is one of the two. Therefore, in order for each conversion set to include k or more keywords that can be set for the item of X _j ≧k, G is determined such that G≧k other than G=3. be. For example, if G=4 as in the conversion set list 39, any conversion set includes three or more keywords that can be set in the corresponding item.

FIG. 11 is a diagram showing an example of frequency distribution after frequency perturbation. The frequency distribution table 40 shown in FIG. 11 has five types of keywords "A", "B", "C", "D", and "E" that can be set for each keyword and dummy keywords after frequency disturbance in the DB. It represents the appearance frequency of the element value “F”. In the example of FIG. 11, G=3. There are two transformation sets, 'A, B, C' and 'D, E, F'.

The dummy values of the dummy record group with the group number "1" are converted from the item values of the true data to "A→B", "B→C", "C→A", "D→E", It is generated by converting “E→F” and “F→D”. The dummy values of the dummy record group with the group number "2" are converted from the item values of the true data to "A→C", "B→A", "C→B", "D→F", It is generated by converting "E→D" and "F→E".

In the true data, the appearance frequency of "A" is "10", the appearance frequency of "B" is "7", the appearance frequency of "C" is "2", the appearance frequency of "D" is "1", and "E is "5", and the frequency of appearance of "F" is "0". Then, the appearance frequency of each keyword included in the conversion set "A, B, C" after the frequency disturbance is all "19". Also, the frequency of appearance of each keyword or dummy element value included in the conversion set "D, E, F" after the frequency disturbance is "6". That is, for each set of three item values, the frequency of appearance of the item values within the set is made uniform.

The dummy value of each dummy record group is generated by converting the keywords of the true data on a one-to-one basis. Therefore, the degree of variation in the frequency of appearance of the keywords does not change. For example, when the values of the frequency of appearance are arranged in descending order of appearance frequency, they are "10, 7, 5, 2, 1, 0" for both the true data record group and the two dummy record groups. In this way, the degree of variation in the frequency of occurrence of item values for each dummy record group is equal to the true data for all dummy record groups. As a result, it becomes difficult to determine which record group is the true data record group from the degree of variation in keyword appearance frequency. In addition, all dummy record groups have dummy records corresponding to each record of true data on a one-to-one basis. Therefore, by deleting a corresponding dummy record when deleting a record containing true data, any record containing true data can be deleted while maintaining the confidentiality of the data.

By using dummy elements in this way, it is possible to improve security against frequency analysis attacks. However, even if dummy elements are used, there is a possibility that the number of keyword candidates included in the search condition will be narrowed down to less than k for the attacker 33 who knows the combination frequency between keywords of multiple items. There is

For example, assume that "conversion set 2" in FIG. 11 is a conversion set for the item "gender". If the only gender keywords are "male" and "female," it is permissible to generate a transformation set as shown in FIG. 11 even when k=3. At this time, if a frequency analysis attack using the combination frequency between keywords of a plurality of items is performed, the keywords included in "transformation set 1" may also be narrowed down to less than k.

FIG. 12 is a diagram showing an example of combination frequencies when dummy elements are used. FIG. 12 shows a transformation set list 41 when k=G=3 and a combination frequency table 42 at that time.

A conversion set list 41 shows conversion sets for blood pressure and sex. The transform set for blood pressure includes "normal," "hypotensive," and "hypertensive." The gender transform set includes "male", "female", and a dummy element value of "D1".

The combination frequency table 42 shows the frequency of occurrence of records corresponding to combinations (logical products) of blood pressure values and gender values. The true frequency is the number of relevant records in the true data record set. The post-perturbation frequency is the number of corresponding records in the true data record group and the dummy record group.

For example, “n1” records of “normal” blood pressure and “male” gender are included in the true data record group. "n2" records of "low blood pressure" for blood pressure and "female" for sex are included in the true data record group. Records with the blood pressure of "hypertension" and the sex of "D1" are included in the true data record group of "n3" (n3=0) records. "n4" records of "normal" blood pressure and "female" gender are included in the true data record group. "n5" (n5=0) records with "hypotension" as the blood pressure and "D1" as the sex are included in the true data record group. "n6" records of "hypertension" for blood pressure and "male" for sex are included in the true data record group. Records with "normal" blood pressure and "D1" sex are included in the record group of true data with "n7" (n7=0) records. "n8" records of "hypotension" for blood pressure and "male" for sex are included in the true data record group. "n9" records of "hypertension" for blood pressure and "female" for sex are included in the true data record group.

Here, in the dummy record group with the group number “1” (g=1), the record in which the blood pressure dummy value is “normal” and the gender dummy value is “male” is the blood pressure in the true data record group. It is generated based on records with "hypotension" and gender of "female". Therefore, “n2” records of “normal” blood pressure and “male” gender are included in the dummy record group of group number “1” (g=1). In the dummy record group with the group number “2” (g=2), the record in which the blood pressure dummy value is “normal” and the gender dummy value is “male” is the true data record group in which the blood pressure is “high blood pressure.” ” is generated based on the record whose gender is “D1”. Therefore, “n3” (n3=0) records of “normal” blood pressure and “male” sex are included in the dummy record group of group number “2” (g=2).

Then, the appearance frequency (post-disturbance frequency) of the record with "normal" blood pressure and "male" sex in the anonymized DB is "n1+n2". Similarly, the appearance frequency (post-disturbance frequency) of records with “low blood pressure” and “female” as the blood pressure in the anonymized DB, and the appearance frequency of records with “high blood pressure” as the blood pressure and “D1” as the gender in the anonymized DB. (Frequency after disturbance) is also "n1+n2".

When a searcher searches an anonymized DB having post-disturbance frequencies as shown in FIG. can be narrowed down to less than k (three in the example of FIG. 12). For example, it is assumed that a searcher performs a search for "normal ∧ male" (∧ is a logical product) or a search for "low blood pressure ∧ female". The post-confusion frequency of any of these search results is "n1+n2". That is, the number of records that hit the search condition is "n1+n2". Note that the searcher never searches for dummy elements.

Here, the attacker 33, who knows the combination frequency (true frequency) between the keyword of blood pressure and the keyword of gender, assumes that the post-disturbance frequency is "n1+n2" for "normal male" or "hypotensive male". ∧ I also know that it is only a woman. Then, the attacker 33 can at least recognize that "hypertension" is not a search target. This means that the attacker 33 will know that the target of interest of the searcher is "normal" or "low blood pressure" for blood pressure, and that "high blood pressure" is not the target of interest. That is, the search target is narrowed down to less than k (=3).

In this way, when the number of types of keywords X _j (two types of “male” and “female”) is small and an item value satisfying X _j <k is combined with other item values, the other item values also is narrowed down to X _j values of .

In the example of FIG. 12, the fact that no dummy element is searched is used to narrow down the search target. When the combinations of elements are taken into consideration, there are combinations of elements that are not searched for other than searches that include dummy elements. For example, there may be a case where the items of the DB in which records for each patient are registered include "medical department" and "age group". Adults and the elderly do not visit pediatrics here. Therefore, in a record with the department value of "Pediatrics", the age group value is not "adult" or "elderly".

Such a value that cannot be set to another item when the value of one item is a certain item value can be called structural zero. In contrast, the only value that can be set in another item when the value of one item is an item value (for example, the age group "child" for the clinical department "pediatrics") is defined as the unstructured zero can be called Structural zeros can also be used to narrow down your search.

FIG. 13 is a diagram illustrating an example of narrowing down search targets using structural zeros. In the example of FIG. 13, the DB 43 has items of "medical department", "gender", and "age group". An anonymization DB 44 is generated in which the values of each item of this DB 43 are encrypted. Here, it is assumed that one conversion set including "internal medicine", "gynecology", and "pediatrics" is generated for clinical departments. For the age group, a transformation set including "elderly", "adult" and "D2" (dummy elements) and a transformation set including "youth", "child" and "D3" (dummy elements) are generated. shall be

In this case, the appearance frequencies after the frequency perturbation are the same for the combinations of "internal medicine/adult", "gynecology/D2", and "pediatrics/elderly". In the example of FIG. 13, the appearance frequency of these combinations is "133".

Here, it is assumed that the searcher 45 searches the anonymized DB 44 for “internal medicine/adult”. This search hits 133 records. When the attacker 33 monitors the search by the searcher 45, the attacker 33 combines the appearance frequencies of the values that can be set for each item, and checks the combination of values with the appearance frequency of "133". As a result, the attacker 33 can narrow down the search target candidates to three: "internal medicine/adults", "gynecology/D2", and "pediatrics/elderly".

Next, the attacker 33 excludes "Gynecology ∧D2" from the search target candidates because the dummy element "D2" will never be a search target. In addition, the attacker 33 excludes "Pediatrics ∧ Geriatrics" from the search target candidates because there is no search for "Geriatrics" in Pediatrics (there is no reason to search for structural zero). As a result, the attacker 33 can recognize that the search query sent by the searcher 45 is "internal medicine/adult".

The presence of dummy elements and structural zeros narrows down the keywords included in the search query. Assuming this, there is a problem in that the number of keyword combinations that can be set for each item is narrowed down to about k in the initial stage based on the appearance frequency of the combination of keywords. Therefore, when registering data, the data registration servers 200 and 300 are designed so that even if the frequency of appearance of keywords that can be set for each item is known, the keywords included in the search query cannot be sufficiently narrowed down from that information. to Specifically, it is as follows.

The data registration servers 200 and 300 stochastically convert a keyword that can be registered in the DB 43 into one of a plurality of keywords. A keyword to be converted is hereinafter referred to as a split keyword.

FIG. 14 is a diagram showing an example of probabilistic conversion into split keywords. For example, the data registration server 200 has a DB 210 containing items such as clinical department, gender, and age group. The data registration server 200 generates a split keyword selection table 233 based on keywords that can be registered in each item of the DB 210 .

In the split keyword selection table 233, for each item in the DB 210, split keywords corresponding to keywords that can be registered in the corresponding item and selection probabilities of the split keywords are set. For example, there are "pediatrics 0" and "pediatrics 1" as divided keywords corresponding to the keyword "pediatrics" that can be registered in the item "medical department".

The selection probabilities of the divided keywords are determined by generating random numbers and are managed confidentially outside the data registration server 200 . Therefore, even if there are two split keywords for each keyword that can be registered in the DB 210, the selection probabilities differ for each split keyword. For example, the selection probability of the divided keyword “pediatrics 0” is “0.72”, and the selection probability of “pediatrics 1” is “0.28”. The selection probability of the segmented keyword "gynecology 0" is "0.60", and the selection probability of "gynecology 1" is "0.40". Note that the sum of the selection probabilities of a plurality of divided keywords corresponding to one keyword that can be registered in the DB 210 is "1".

When registering the data in the DB 210 in the data management server 100, the data registration server 200 refers to the split keyword selection table 233 to set the item value of each record in the DB 210 to one of the corresponding split keywords stochastically. Convert to For example, when "Pediatrics" is converted, it is converted into "Pediatrics 0" with a probability of 72%, and is converted into "Pediatrics 1" with a remaining probability of 28%. The divided data 211 is generated by converting the keywords in the DB 210 .

In the example of FIG. 14, all keywords are converted into split keywords, but it is also possible to anonymize some of the keywords as they are, without conversion, as they can be registered in the DB 210 .

The data registration server 200 generates a conversion set containing the split keywords shown in the split keyword selection table 233 as elements, and uses the conversion set to create dummy data. At that time, the data registration server 200 satisfies the following generation conditions for each transformation set.

The conditions for generating a transformation set are that at least one of the elements of the transformation set is a split keyword, and that the other transformation set contains another split keyword that shares the split keyword with the conversion source keyword. . In other words, the conversion set includes n-1 or less split keywords out of n split keywords corresponding to one keyword.

FIG. 15 is a diagram showing an example of conversion from split keywords to dummy values by a conversion set. The conversion set list 232 includes three conversion sets 232a-232c for departments, three conversion sets 232d-232f for gender, and four conversion sets 232g-232j for age groups. Each transform set 232a-232j contains two elements. Elements included in conversion sets 232a-232j are, for example, split keywords or dummy elements. Also, if there is a keyword that is not divided, that keyword is also an element of the conversion sets 232a-232j.

Note that the numbers to the left of ":" in the conversion sets 232a to 232j in FIG. 15 are element numbers. The character string to the right of ":" is a split keyword set as an element.
In the example of FIG. 15, all the keywords that can be registered in the DB 210 are split, so split keywords and dummy elements are included as elements in the conversion sets 232a to 232j. For example, the conversion set 232a of clinical departments includes the segmented keywords "pediatrics 0" and "internal medicine 0". The gender conversion set 232d also includes the segmented keyword "male 0" and the dummy element "D1".

Each of conversion sets 232a-232j includes at least one split keyword as an element. A conversion set different from the conversion set containing the divided keyword contains another divided keyword that shares the same conversion source keyword as the divided keyword. For example, the conversion set 232a includes the split keyword "pediatrics 0". The keyword from which "pediatrics 0" is converted is "pediatrics". "Pediatrics 1" exists in addition to "Pediatrics 0" as a division keyword of "Pediatrics". "Pediatrics 1" is included in a transform set 232b different from the transform set 232a. Therefore, the transformation set 232a satisfies the generation condition of the transformation set. Also, the conversion set 232d includes only the split keyword "male 0", and another element is the dummy element "D1". However, another divided keyword "man 1" having a common conversion source keyword with "man 0" is included in another conversion set 232e. Therefore, the transformation set generation condition is also satisfied for the transformation set 232d.

Data registration server 200 generates dummy data according to transformation sets 232a-232j. Dummy data is a group of G-1 dummy records. The method of generating dummy values to be set in dummy records is as described with reference to FIG.

By mixing true data records and dummy records in the divided data 211, registration data 46 for registration in the anonymization DB is generated. Registration data 46 is an example of disturbance record group 6 in the first embodiment.

In the registration data 46, the appearance frequencies of G elements included in the same transformation set are equal. Moreover, plaintext cannot be identified even by comparing the frequency of occurrence of these elements with the frequency of data in the DB 210 . For example, the correlation between the frequencies of "old man 0" and "child 0" included in the transform set 232g and the frequencies of the respective original data is hidden by secret selection probabilities. Therefore, the sum of the frequencies of the elements of each transformation set does not match the sum of the frequencies of two or more keywords in the true data.

The data registration server 200 also adds a flag value including the group number to each record in the registration data 46 so that the group to which the ciphertext belongs can be identified at the time of retrieval. For example, the data registration server 200 adds the ID of the original record to the flag values to make all the flag values unique in order to prevent group number classification attacks.

The leading record of the registered data 46 is the leading (ID "0") record of the divided data 211 and belongs to the true data record group (group number "0"), so the flag value is "0, 0". is. The second record of the registered data 46 is a dummy record based on the first record (ID "0") of the divided data 211 and belongs to the dummy record group (group number "1"), so the flag value is "0". , 1”.

14 and 15 show an example of converting all keywords that can be registered in the DB 210 into split keywords. It doesn't have to be.

FIG. 16 is a first diagram showing another example of generating a transformation set. The conversion set list 47 shown in FIG. 16 includes three conversion sets 47a to 47c for clinical departments, two conversion sets 47d to 47e for gender, and three conversion sets 47f to 47h for age groups. there is In the example of FIG. 16, conversion into segmented keywords is not performed for the clinical department "internal medicine", the gender keyword "female", and the age group keywords "youth" and "children". Therefore, these keywords are the elements of the transformation set as they are.

Each of the transformation sets 47a to 47h included in the transformation set list 47 satisfies the transformation set generation conditions. For example, the conversion set 47d includes the divided keyword "man 0" and the undivided keyword "female". Among these, the keyword of the conversion source of "male 0" is "male". In addition to "male 0", "male 1" exists as a segmented keyword for "male". "Man 1" is included in a conversion set 47e different from the conversion set 47d. Therefore, the transformation set 47d satisfies the generation condition of the transformation set.

However, if conversion to dummy values is performed using the conversion set list 47, the degree of difficulty of plaintext estimation is lowered compared to the case where the conversion set list 232 shown in FIG. 15 is used. For example, the attacker 33 can attack the anonymized DB that has been converted into dummy values using the conversion set list 47 as follows.

Assume that an attacker 33 attempts to identify a search target for a search for gender. The attacker 33 obtains post-perturbation frequencies for each gender conversion set 47d, 47e. For example, the attacker 33 acquires the number of hit records when the searcher searches for records with the gender “female”, thereby obtaining the post-disturbance frequencies (the frequency of “male 0” and the frequency of “female”) of the transformation set 47d. ) can be obtained. The attacker 33 subtracts the frequency of the plaintext "woman" from the perturbed frequency of the transformation set 47d. Then, the frequency of "male 0" is obtained. Furthermore, the attacker 33 adds the post-disturbance frequency of another transformation set 47e to the subtraction result. The frequency after addition is the sum of the frequency of "Male 0" and the frequency of "Male 1".

If the attacker 33 can confirm that the addition result is equal to the frequency of "male", then if a search is performed with the post-disturbance frequency of the transformation set 47d, the corresponding transformation set 47d will include "female". can be judged. After that, the attacker 33 can identify that the searcher has searched for "woman" when only the search with the post-disturbance frequency of the conversion set 47d is performed by the searcher.

By repeating such attempts, the attacker 33 can narrow down the search target. reduced risk of

As described above, in the conversion sets 47a to 47h shown in the conversion set list 47, security against frequency analysis attacks decreases when there is an item such as gender that has a small number of keywords that can be registered. However, if the number of keywords that can be registered for each item is large, the number of combinations of keywords used in attacks by the attacker 33 (addition and subtraction of the frequency of the relevant keywords in the attacks) becomes enormous. As a result, as shown in the conversion set list 47, some elements are sufficiently safe even if the keywords registered in the DB 210 remain as they are (not converted into split keywords).

Note that even if all keywords are converted into split keywords, security against frequency analysis attacks may be insufficient unless a conversion set is generated appropriately.
FIG. 17 is a second diagram showing another example of generating a transformation set. The conversion set list 48 shown in FIG. 17 includes three conversion sets 48a-48c for clinical departments, three conversion sets 48d-48f for gender, and four conversion sets 48g-48j for age groups. there is In the example of FIG. 17, the elements of the age group transformation sets 48g-48j are different from the transformation sets 232g-232j shown in FIG.

In the conversion sets 48g to 48j, the divided keywords "old man 0" and "old man 1" of "old man" are stored in the conversion set 48g and the conversion set 48h, respectively. Separated keywords "seinen 0" and "seinen 1" of "youth" are stored in the conversion set 48g and the conversion set 48h, respectively. That is, the conversion set 48g and the conversion set 48h have the same combination of keywords ("old man", "young man") as the conversion sources of the divided keywords to which they belong. Similarly, both the conversion set 48i and the conversion set 48j have the same combination of keywords (“adult” and “children”) as the conversion sources of the divided keywords to which they belong.

When such conversion sets 48g to 48j are generated, the sum of the post-disturbance frequencies of the split keywords belonging to the conversion set 48g and the post-disturbance frequencies of the split keywords belonging to the conversion set 48h is the same as the "elderly" and "youth" in the DB 210. is equal to the sum of the occurrence frequencies of . Then, when a search for "old man" or "young man" is performed, the attacker 33 can estimate that the keyword to be searched is "old man" or "young man" from the number of hit records. That is, the search target keyword candidates are narrowed down to two.

In order to make such a frequency analysis attack difficult, the data registration request servers 200 and 300, as shown in FIG. prevent it from occurring.

Next, the function of each device of the secret information management system that improves security against frequency analysis attacks by probabilistic conversion into divided keywords will be described.
FIG. 18 is a block diagram showing functions of the confidential information management system. The data management server 100 has an anonymization DB 110 , a data registration section 120 , a key provision request section 130 and a search section 140 . The anonymization DB 110 is implemented by the memory 102 or storage device 103 of the data management server 100 . Data registration unit 120 , key provision request unit 130 , and search unit 140 are implemented by processor 101 of data management server 100 .

The anonymization DB 110 is a DB that manages ciphertext patient data collected from the data registration servers 200 and 300 in ciphertext form.
The data registration unit 120 registers ciphertext patient data in the anonymization DB 110 in response to data registration requests from the data registration servers 200 and 300 .

Upon receiving a key acquisition request from terminal devices 400 and 500 , key provision requesting section 130 transmits a key provision request for terminal devices 400 and 500 to data registration servers 200 and 300 .
The search unit 140 searches for patient data registered in the anonymization DB 110 in response to data search queries including encrypted search keywords from the terminal devices 400 and 500 . At this time, the search unit 140 compares the patient data and the search keyword as they are in ciphertext, and extracts records matching the search keyword from the anonymization DB 110 . Then, the search unit 140 transmits the extracted records to the terminal devices 400 and 500 that are the source of the search query.

The data registration server 200 has a DB 210 , a key storage section 220 , a conversion information storage section 230 , a key generation section 240 , a data registration request section 250 and a key provision section 260 . The DB 210, the key storage unit 220, and the conversion information storage unit 230 are implemented by a memory or storage device that the data registration server 200 has. Key generation unit 240 , data registration request unit 250 , and key provision unit 260 are implemented by a processor included in data registration server 200 .

The DB 210 is a DB that stores patient data in plain text.
The key storage unit 220 stores encryption keys used for encrypting patient data registered in the data management server 100 . The encryption key is managed so that it cannot be accessed from the data management server 100 .

The conversion information storage unit 230 stores information used to convert the keywords indicated in the true data record group into dummy values to be registered in the dummy records. For example, information such as a conversion set list is stored in the conversion information storage unit 230 .

The key generator 240 generates an encryption key. The key generation unit 240 stores the generated encryption key in the key storage unit 220 .
The data registration request unit 250 transmits to the data management server 100 a data registration request including encrypted text of patient data to be registered in the data management server 100 . For example, the data registration request unit 250 first acquires patient data to be registered from the DB 210 and processes the patient data according to the format of the anonymization DB 110 . At this time, the data registration request unit 250 includes dummy data in the data registration request to be transmitted. The dummy data contains multiple dummy records. A dummy value is registered in the dummy record. The data registration request unit 250 uses the information stored in the conversion information storage unit 230 to convert the value in the true data into a dummy value and registers it in the dummy record.

Furthermore, the data registration requesting unit 250 uses the encryption key to encrypt the values included in the patient data for each item value to be registered in the anonymization DB 110 . Then, the data registration request unit 250 transmits to the data management server 100 a data registration request including patient data in ciphertext encrypted for each item value.

In response to a key provision request from the data management server 100, the key provision unit 260 transmits the encryption key to the terminal devices 400 and 500 of the pharmaceutical company that permit use of the registered patient data. Note that the key providing unit 260 transmits the encryption key to the terminal devices 400 and 500 without going through the data management server 100 . By transmitting the encryption key without going through the data management server 100 , the encryption key is isolated from the data management server 100 . As a result, the administrator of the data management server 100 is prevented from decrypting the data in the anonymization DB 110 .

Although the functions of the data registration server 200 have been described above, the data registration server 300 also has functions similar to those of the data registration server 200 .
Terminal device 400 has key storage unit 410 , conversion information storage unit 420 , key acquisition unit 430 , and search request unit 440 . The key storage unit 410 and the conversion information storage unit 420 are implemented by a memory or storage device that the terminal device 400 has. Also, the key acquisition unit 430 and the search request unit 440 are implemented by a processor included in the terminal device 400 .

The key storage unit 410 stores encryption keys used for encrypting search keywords to be included in search queries. The encryption key is managed so that it cannot be accessed from the data management server 100 .
The conversion information storage unit 420 stores information used to convert a keyword indicated by a search condition specified by a searcher into a dummy value. Information stored in the conversion information storage unit 420 is the same as information stored in the conversion information storage unit 230 of the data registration server 200 .

Key acquisition unit 430 acquires the encryption key provided by data registration servers 200 and 300 . For example, the key acquisition unit 430 transmits a key acquisition request to the data management server 100 . Then, the key provision request unit 130 of the data management server 100 transmits a key provision request to the data registration servers 200 and 300 . In response to the key provision request, for example, the key provision unit 260 of the data registration server 200 transmits the encryption key to the terminal device 400 . The key acquisition unit 430 then acquires the encryption key transmitted from the terminal device 400 . Key acquisition unit 430 stores the acquired encryption key in key storage unit 410 .

The search request unit 440 acquires a search keyword input by a patient data user (searcher). Next, the search request unit 440 encrypts the acquired search keyword using an encryption key, and transmits a search query including the encrypted search keyword to the data management server 100 . Upon receiving search results from the data management server 100, the search request unit 440 displays the contents of the search results (for example, the number of true data records that match the search keyword).

Note that the search request unit 440 can also transmit a search query that searches dummy data. In that case, the search request unit 440 converts the search keyword into a dummy value using information stored in the conversion information storage unit 420, and transmits a search query including the encrypted dummy value. In this case, the search request unit 440 extracts a predetermined dummy record from the records shown in the search result, and uses the information stored in the conversion information storage unit 420 to convert the dummy value in the dummy record into a true value. Convert to the value set in the data. Then, the search request unit 440 displays the content of the record having the converted value as the search result.

Although the functions of the terminal device 400 have been described above, the terminal device 500 also has the same functions as the terminal device 400 .
With the function shown in FIG. 18, patient data is managed in the data management server 100 while patient data and the content of search queries are kept secret even from the administrator of the data management server 100, and patient data is managed by the pharmaceutical companies 15 and 16. Data can be made available. It should be noted that the function of each element shown in FIG. 18 can be realized, for example, by causing a computer to execute a program module corresponding to the element.

Next, an overview of appearance frequency disturbance processing by the system shown in FIG. 18 will be described.
FIG. 19 is a diagram showing an example of the appearance frequency disturbance process using dummy data. The data registration server 200 transmits the encryption key 51 generated by the key generation unit 240 to the terminal device 400 of the pharmaceutical company (for example, the pharmaceutical company 15) that permits the use of the data 54 (step S11). For example, the key acquisition unit 430 of the terminal device 400 transmits a key acquisition request to the data management server 100 . In the data management server 100 , the key provision requesting unit 130 requests the data registration server 200 to provide the encryption key 51 . Upon receiving the request for provision of the encryption key 51 , the key provision unit 260 of the data registration server 200 accepts an input indicating permission to provide the encryption key 51 from the administrator. When the key providing unit 260 receives an input indicating that the provision of the encryption key 51 is permitted, the key providing unit 260 acquires the encryption key 51 from the key storage unit 220, and supplies the same encryption key 52 as the acquired encryption key 51 to the data management server 100. is transmitted to the terminal device 400 without going through. In the terminal device 400 , the encryption key 52 received by the key obtaining section 430 is stored in the key storage section 410 . As a result, the encryption key is shared between the data registration server 200 and the terminal device 400 .

After that, the data registration server 200 adds dummy data 55 to the data 210a in the DB 210 (step S12). For example, the data registration requesting unit 250 adds as dummy data 55 G-1 times as many dummy records as the number of records included in the true data 54 acquired from the DB 210 . At this time, the data registration requesting unit 250 uses the item values set in the true data 54 as the item values (dummy values) of the added dummy record to reduce the bias in appearance frequency of each item value. Furthermore, the data registration requesting unit 250 gives each record a flag 56 for identifying whether it is a record of the true data 54 or a dummy record, and if it is a dummy record, to which dummy record group it belongs.

The data registration request unit 250 encrypts the item values (including flags) in each record of the true data 54 and the dummy data 55 with the encryption key 51 to generate the registration data 53 (step S13). The data registration request unit 250 then transmits a data registration request including the registration data 53 to the data management server 100 (step S14). In the data management server 100 , the data registration unit 120 receives the registration data 53 and stores the received registration data 53 in the anonymization DB 110 .

When the person in charge of the pharmaceutical company 15 uses the data 54 , the person in charge enters a search keyword into the terminal device 400 . Then, the search request unit 440 encrypts the input search keyword with the encryption key 52 and generates a search query 57 including the encrypted search keyword (step S15). If any dummy record group is to be searched, the search request unit 440 converts the input search keyword into a dummy value corresponding to the search keyword in the dummy record group. The search requesting unit 440 then generates a search query 57 containing encrypted values of the dummy values obtained by the change. The search request unit 440 then transmits the search query 57 to the data management server 100 (step S16).

In the data management server 100, the search unit 140 collates the registered data 53 and the search query 57 while keeping the data confidential (step S17). Then, the search unit 140 transmits the records hit by the search by the search query 57 to the terminal device 400 as the search results 58 (step S18). The search results 58 include records of true data 54 and dummy records of dummy data 55 .

In terminal device 400 , search request unit 440 receives search result 58 . The search request unit 440 discards the dummy record from the search result 58 based on the flag, for example, when the true data is to be searched (step S19). Then, the search request unit 440 displays on a monitor or the like a true result 59 containing only records of the true data 54 in the search result 58 .

When the dummy record group is set as a search target, the search request unit 440 extracts dummy records belonging to the dummy record group to be searched from the search result 58 based on flags, for example, and discards other records. The search request unit 440 converts the dummy value in the dummy record into the keyword from which the dummy value was converted. Search requester 440 then displays as true results 59 records containing values converted to the original keywords.

By adding the dummy data 55 in this way, it becomes possible to disturb the frequency of each item value. The terminal device 400 can use the flag to distinguish between the dummy data 55 and the true data 54 to obtain the true result 59 .

Next, the plaintext patient data DB 210 of the data registration servers 200 and 300 will be described.
FIG. 20 is a diagram showing an example of a plaintext patient data DB. The DB 210 stores true data 210a in plain text. In the real data 210a, for example, a record for each patient is registered in association with an identifier (ID) of the record. In each record, a keyword corresponding to the item is set in the column for each item. In the example of FIG. 20, items include "medical department", "gender", and "age group". A value in each record registered in the DB 210 is, for example, a plaintext character code.

When registering a patient's record in the data management server 100, the data registration requesting unit 250 encrypts the value (plaintext) set in the record using deterministic encryption technology. The encrypted record is registered in the anonymization DB 110 of the data management server 100 . At this time, the data registration request unit 250 probabilistically converts the keywords into divided keywords based on the divided keyword selection table 233 (see FIG. 14). Furthermore, the data registration requesting unit 250 refers to the conversion information storage unit 230 and generates dummy data for disturbing the frequency analysis attack.

FIG. 21 is a diagram showing an example of information stored in a conversion information storage unit within the data registration server. A keyword list 231 , a conversion set list 232 , and a split keyword selection table 233 are stored in the conversion information storage unit 230 . The keyword list 231 is data showing a list of keywords that can be set for each item. The conversion set list 232 is data indicating the contents of conversion sets. The split keyword selection table 233 is data showing a list of keywords after splitting (split keywords) when a keyword is split and registered in the anonymization DB 110 . Note that the conversion set list 232 and the split keyword selection table 233 are data generated by the data registration requesting unit 250 based on the keyword list 231 . The conversion set list 232 and the split keyword selection table 233 are secretly managed so that they cannot be accessed from outside the data registration server 200 .

FIG. 22 is a diagram showing an example of a keyword list. In the keyword list 231, a list of keywords that can be set for each item of the DB 210 is registered. In the example of FIG. 22, three keywords can be registered in the item "medical department", two keywords can be registered in the item "sex", and four keywords can be registered in the item "age group". is.

FIG. 23 is a diagram illustrating a first generation example of a transformation set. The keyword list 231a shows four keywords that can be set for age groups. Also, G=2, and each conversion set 232g to 232j includes two divided keywords. When the divided keywords are generated based on the divided keyword selection table 233 shown in FIG. 14, there are eight divided keywords related to age groups.

The data registration request unit 250 first creates storage areas for the elements of the four conversion sets 232g to 232j. The data registration requesting unit 250 sets the identifiers of the conversion sets 232g to 232j to "2-0" to "2-3", respectively. The numerical value on the left side of the identifier is the value corresponding to the "age group", and the numerical value on the right side is the serial number for the conversion sets 232g to 232j of the "age group".

The data registration request unit 250 selects all keywords once from the keyword list 231a, for example, in a predetermined order or in random order. In the example of FIG. 23, the keywords are selected in order from the left of the keyword list 231a.

The data registration request unit 250 stores the divided keywords of the selected keyword in the conversion set storage area in ascending order of number. At this time, the data registration requesting unit 250 stores divided keywords corresponding to the same keyword in different conversion sets. The data registration requesting unit 250 also prevents the occurrence of a plurality of conversion sets in which the combination of the conversion source keywords of the divided keywords in the conversion set is the same.

For example, the data registration requesting unit 250 registers the first divided keyword of the first selected keyword in the first conversion set 232g. Next, the data registration request unit 250 registers the second divided keyword of the keyword in the second conversion set 232h. For example, if "old man" is selected first, "old man 0" is registered in the conversion set 232g and "old man 1" is registered in the conversion set 232h.

The data registration requesting unit 250 registers the first divided keyword of the second selected keyword in the same conversion set 232h as the second divided keyword of the previously selected keyword. Next, the data registration request unit 250 registers the second divided keyword of the keyword in the next conversion set 232i. For example, when "adult" is selected second, "adult 0" is registered in the conversion set 232h and "adult 1" is registered in the conversion set 232i.

The data registration requesting unit 250 also registers the divided keywords of the third and subsequent keywords in the conversion set in the same procedure as the second selected keyword. For example, if "young man" is selected third, "young man 0" is registered in conversion set 232i and "young man 1" is registered in conversion set 232j.

The data registration requesting unit 250 registers the divided keyword of the last selected keyword in a conversion set with a free storage area. For example, if "child" is selected last, "child 0" is registered in transform set 232g and "child 1" is registered in transform set 232j.

Transformation sets 232g to 232j are generated by such a procedure. Each of the conversion sets 232g to 232j has at least one of the elements belonging to it being a split keyword, and another split keyword having a common conversion source keyword with the split keyword is included in the other conversion set. Therefore, it satisfies the transformation set generation condition. In addition, there are no multiple conversion sets in which the combination of the conversion source keywords of the divided keywords in the conversion sets 232g to 232j is the same.

FIG. 23 shows an example of generation of transformation sets 232g to 232j for age groups, but transformation sets 232a to 232f can also be generated for departments and genders using the same procedure. As a result, a transformation set list 232 as shown in FIG. 15 is generated.

FIG. 23 shows an example of G=2, L=2, X _j =4, and M _j (the number of transformation sets of the j-th item)=4, but these parameter values are different. A suitable transform set can also be generated for any value of .

FIG. 24 is a diagram illustrating a second generation example of a transformation set. FIG. 24 shows an example of generation of transformation sets 49a to 49f when G=3, L=4, X _j =4 and M _j =6.
For example, the data registration requesting unit 250 registers the first divided keyword of the first selected keyword in the element with the element number "0" of the first conversion set 49a. Next, the data registration requesting unit 250 registers the second and subsequent divided keywords of the keyword in the elements of the corresponding numbers while adding 1 to the conversion set number and the element number. When the element number after addition becomes L, the data registration requesting unit 250 resets the element number to "0".

For example, when "old man" is selected first, "old man 0" is registered in the element with the element number "0" of the conversion set 49a. Subsequently, "old man 1" is registered in the element with element number "1" in the conversion set 49b, "old man 2" is registered in the element with element number "2" in the conversion set 49c, and "old man 3" is registered in the conversion set. It is registered in the element of element number "0" of 49d.

The data registration request unit 250 assigns the first segmented keyword of the second and subsequent keywords to the transformation set storing the first segmented keyword of the previously selected keyword by the transformation set number. Register with the following transformation set. Next, the data registration requesting unit 250 registers the second and subsequent divided keywords of the keyword in the elements of the corresponding numbers while adding 1 to the conversion set number and the element number. When the element number after addition becomes L, the data registration requesting unit 250 resets the element number to "0".

For example, when "adult" is selected as the second keyword, "adult 0" is registered in the element with the element number "0" of the conversion set 49b. Subsequently, "adult 1" is registered in the element with element number "1" of the conversion set 49c, "adult 2" is registered in the element with element number "2" of the conversion set 49d, and "adult 3" is registered in the conversion set. It is registered in the element of element number "0" of 49e.

Next, when "Youth" is selected, "Youth 0" is registered in the element with the element number "0" of the conversion set 49c. Subsequently, "young man 1" is registered in the element with element number "1" in the conversion set 49d, "young man 2" is registered in the element with element number "2" in the conversion set 49e, and "young man 3" is registered in the conversion set. It is registered in the element of element number "0" of 49f.

The data registration requesting unit 250 registers the divided keyword of the last selected keyword in a conversion set with a free storage area. For example, when "child" is selected last, "child 0" is registered in the element with the element number "1" of the conversion set 49a. Subsequently, "child 1" is registered in the element of element number "2" of the conversion set 49b, "child 2" is registered in the element of element number "1" of the conversion set 49e, and "child 3" is registered in the conversion set 49f. is registered in the element with the element number "2".

The data registration request unit 250 registers dummy elements in empty elements after registering all divided keywords. For example, "D0" is registered as the element with the element number "1" in the conversion set 49f, and "D1" is registered as the element with the element number "2" in the conversion set 49a.

Even if the values of G, L, X _j , and M _j increase in this way, an appropriate transformation set can be generated (see FIG. 28 for details of the transformation set generation procedure). After generating the conversion set list 232, the data registration requesting unit 250 generates a split keyword selection table 233 as shown in FIG. The data registration request unit 250 stores the generated conversion set list 232 and split keyword selection table 233 in the conversion information storage unit 230 . The data registration requesting unit 250 then probabilistically converts the keywords in the DB 210 into divided keywords based on the divided keyword selection table 233 , and then generates registration data for registration in the anonymization DB 110 .

FIG. 25 is a diagram showing an example of registration data generated using split keywords. Each keyword shown in the true data stored in the DB 210 is stochastically converted into a split keyword with a selection probability shown in the split keyword selection table 233, and the split data 211 is generated. Registration data 60 is generated based on the divided data 211 .

The registered data 60 includes a true data record group 60a, which is a set of records of the divided data 211, and a dummy record group 60b obtained by converting each divided keyword of the divided data 211 records. there is The group number of the true data record group 60a is "0", and the group number of the dummy record group 60b is "1".

Each record is assigned an ID at random. Each record in the registration data 60 is given a flag. Keywords (including flag values) included in the registration data 60 are then encrypted. Note that the flag value is a set of the ID in the divided data 211 of the conversion source record and the group number of the group to which it belongs.

The data registration request unit 250 encrypts each item value of the registration data 60 , sorts the records of the registration data 60 by ID, and registers them in the anonymization DB 110 of the data management server 100 .

FIG. 26 is a diagram illustrating an example of an anonymization DB; The records registered in the anonymization DB 110 are sorted by ID, and real data records and dummy records are registered together.

Next, the procedure of data registration processing will be described in detail.
FIG. 27 is a flowchart illustrating an example of the procedure of data registration processing. The processing shown in FIG. 27 will be described below along with the step numbers.

[Step S101] The data registration requesting unit 250 receives a setting input of the number of groups G and the number of keyword divisions L. FIG. Both G and L are integers of 2 or more. As the values of G and L are larger, the safety improves, but the number of dummy records to be registered also increases. Therefore, the values of G and L are determined by the administrator of the data registration server 200 in consideration of the degree of security against frequency analysis attacks required of the anonymization DB 110 and the number of dummy records allowed in the anonymization DB 110. do.

[Step S102] The data registration request unit 250 determines the number of conversion sets for each item. For example, the transformation set number M _j of the j-th item is expressed by the following equation (3) using a ceiling function.

The value (L×X _j ) obtained by multiplying the keyword type number X _j of the j-th item by the keyword division number L is the number of divided keywords of the item. The larger one of the ceiling function (minimum integer greater than or equal to the division result) obtained by dividing the number of divided keywords by the number of groups G and "3" is the number of transformation sets.

By setting the number of conversion sets to be "3" or more, in the case of G=2, three conversion sets are generated even for an item such as gender that has only two types of keywords. As a result, it is possible to prevent the combination of the conversion source keywords of the divided keywords from becoming the same in different conversion sets for gender as well.

[Step S103] The data registration requesting unit 250 generates conversion sets for each of the items as many as the number of conversion sets determined in step S102. Note that the data registration requesting unit 250 registers dummy elements as elements of the conversion set when the number of divided keywords is smaller than the number of storage areas of the conversion set. Each conversion set to be generated includes at least one split keyword, and other split keywords that share the same split keyword and conversion source keyword are included in other conversion sets. As a result, conversion sets 232a to 232j as shown in the conversion set list 232 of FIG. 15 are generated. Details of the transformation set generation procedure will be described later (see FIG. 28).

[Step S<b>104 ] The data registration requesting unit 250 generates the divided keyword selection table 233 . For example, the data registration request unit 250 generates L−1 random numbers from “0” to “1” for each keyword shown in the keyword list 231 . Then, the data registration requesting unit 250 uses the generated random number as a boundary value, and determines the size of each of a plurality of numerical ranges obtained by dividing the numerical range of "0" to "1" by the boundary value as the size of each of the divided keywords. be the selection probability.

For example, when L=2, the data registration requesting unit 250 generates one random number for one keyword. For example, in the divided keyword selection table 233 shown in FIG. 14, a random number "0.72" is generated for "pediatrics". Therefore, the data registration requesting unit 250 sets the magnitude of the numerical range of "0.72" from "0" to a random number as the selection probability of the first divided keyword "pediatrics 0". The data registration requesting unit 250 also sets the magnitude of the numerical range of "0.28" from the random number to "1" as the selection probability of the second divided keyword "pediatrics 1".

Since a random number is generated for each keyword, the selection probabilities of all divided keywords are non-uniform values. The data registration request unit 250 sets the selection probability in the divided keyword selection table 233 in association with the divided keyword. Thereby, a divided keyword selection table 233 as shown in FIG. 14 is generated.

[Step S<b>105 ] The data registration request unit 250 reads plaintext data from the DB 210 .
[Step S<b>106 ] The data registration requesting unit 250 probabilistically converts the keywords registered in the record of the read plaintext data into divided keywords with the selection probabilities shown in the divided keyword selection table 233 . For example, the data registration requesting unit 250 selects keywords included in the plaintext data one by one. Next, the data registration requesting unit 250 assigns a numerical value range between "0" and "1" corresponding to the selection probability of the divided keyword of the selected keyword to the divided keyword. For example, when "pediatrics" is selected in the case of the divided keyword selection table 233 shown in FIG. "0.28" to "1" is assigned to "Pediatrics 1". Then, the data registration request unit 250 generates a random number within the range of "0" to "1" and converts the selected keyword into divided keywords assigned to a numerical range including the generated random number.

[Step S107] The data registration requesting unit 250 generates dummy data including dummy record groups of which the number of groups is G-1. Details of the dummy data generation process will be described later (see FIG. 29).

[Step S108] The data registration requesting unit 250 randomly assigns an ID to each record of true data and dummy data.
[Step S109] The data registration request unit 250 adds a flag to each record. For example, the data registration requesting unit 250 generates, for each record, a set of the ID in the DB 210 of the record that is the conversion source of the record and the group number of the group to which the record belongs as a flag value. A unique flag value is generated for each record by using a pair of the original record ID and group number as the flag value.

[Step S110] The data registration request unit 250 sorts the records by ID.
[Step S<b>111 ] The data registration request unit 250 encrypts the sorted record group and registers it in the anonymization DB 110 . For example, the data registration request unit 250 encrypts each item value in the record, and transmits a group of records having the encrypted value to the data management server 100 as registration data. In the data management server 100 , the data registration unit 120 receives the registration data and stores the received registration data in the anonymization DB 110 .

Next, the transformation set generation processing will be described in detail.
FIG. 28 is a flowchart illustrating an example of the procedure of transformation set generation processing. The processing shown in FIG. 28 will be described below along with the step numbers.

[Step S121] The data registration request unit 250 selects one of the items for which conversion set generation processing has not been performed as a processing target item.
[Step S<b>122 ] The data registration requesting unit 250 selects from the keyword list 231 one of the keywords of the item to be processed that has not been set in the conversion set.

[Step S123] The data registration requesting unit 250 sets the split keyword number l indicating the split keyword to be set to the initial value "0" (l=0).
[Step S124] The data registration requesting unit 250 sets the element number of the element with the smallest element number among the elements whose values are not set in the conversion set, to the element number g of the setting destination.

[Step S125] The data registration request unit 250 sets the conversion set number of the element with the smallest conversion set number among the elements with the element number g whose value is not set, to the conversion set number m of the setting destination. .

[Step S126] The data registration request unit 250 sets the l-th divided keyword to the element of x _m,g .
[Step S127] The data registration requesting unit 250 determines whether or not the keyword number l has reached L-1 (l=L-1?). Data registration requesting unit 250 advances the process to step S128 if L-1 has not been reached. If the data registration requesting unit 250 has reached L-1, the process proceeds to step S130.

[Step S128] The data registration request unit 250 updates the destination element number g and the destination conversion set number m. For example, the data registration request unit 250 updates the setting destination element number to "g=mod (g+1, G)". The data registration requesting unit 250 also updates the conversion set number m of the setting destination to "m=mod (m+1, M)". Further, the data registration request unit 250 adds 1 to the divided keyword number l (l=l+1).

[Step S129] The data registration request unit 250 determines whether or not values have not been set for the elements of x _m,g . If the value is not set, data registration requesting unit 250 advances the process to step S126. If the value has already been set, data registration requesting unit 250 advances the process to step S124.

[Step S130] The data registration request unit 250 determines whether or not there are any unset keywords among the keywords of the item to be processed. If there is an unset keyword, data registration requesting unit 250 advances the process to step S122. If there is no unset keyword, data registration requesting unit 250 advances the process to step S131.

Note that the data registration requesting unit 250, after completing the setting of split keywords corresponding to all the keywords of the selected item to the elements of the conversion set, if the conversion set corresponding to the item still has an unset area, Set a dummy element in the relevant area.

[Step S131] The data registration request unit 250 determines whether or not there is an unprocessed item. The data registration request unit 250 ends the conversion set generation processing if the processing for generating the conversion set for all items has been completed. If there is an unprocessed item, the data registration requesting unit 250 advances the process to step S121.

An appropriate conversion set can be generated by generating a conversion set in such a procedure. Next, dummy data generation processing will be described in detail.
FIG. 29 is a flowchart illustrating an example of the procedure of dummy data generation processing. The processing shown in FIG. 29 will be described below along with the step numbers.

[Step S141] The data registration request unit 250 acquires the number of groups G calculated in step S102.
[Step S142] The data registration requesting unit 250 copies G-1 pieces of true data and generates G-1 dummy record groups.

[Step S143] The data registration requesting unit 250 executes the processing of steps S144 to S146 for each item of true data.
[Step S144] The data registration request unit 250 executes the process of step S145 for each dummy record.

[Step S145] The data registration request unit 250 converts the item values of the dummy record. For example, the data registration requesting unit 250 selects a conversion set including the item value to be processed (conversion target item value) in the dummy record from the conversion sets corresponding to the item to be processed. Next, the data registration request unit 250 acquires the group number of the dummy record group to which the dummy record to be processed belongs. The data registration requesting unit 250 cyclically acquires the elements to the right of the group number from the element corresponding to the conversion target item value in the selected conversion set from the conversion set. Then, the data registration request unit 250 converts the conversion target item value in the dummy record to be converted into the acquired element value (dummy value).

[Step S146] When the processing of step S145 is completed for each dummy record, the data registration requesting unit 250 advances the processing to step S147.
[Step S147] When the processes of steps S144 to S146 are completed for all items, the data registration requesting unit 250 ends the dummy data generation process.

In this way, dummy data is generated by replacing the item values of the true data with other elements in the conversion set. Then, the data registration requesting unit 250 encrypts the registration data including the generated dummy data and the flag value and registers it in the anonymization DB 110 .

A searcher who intends to search for data in the anonymized DB 110 inputs a search keyword into the terminal device 400 via a search condition input screen of the terminal device 400, for example.
FIG. 30 is a diagram showing an example of a search condition input screen. For example, the name of each item in the DB 210 is set as a search variable on the search condition input screen 61 . A specified value input area 62 is provided in association with a search variable for entering a specified value of the search variable as a search keyword. When the searcher enters a specified value for an item indicated as a search variable in the specified value input area 62, the terminal device 400 performs a search using the entered specified value as a search keyword.

The terminal device 400 uses the information stored in the conversion information storage unit 420 to perform processing such as conversion of the search keyword into divided keywords in order to perform anonymized search.
31 is a diagram depicting an example of information stored in a conversion information storage unit within a terminal device; FIG. A keyword list 421 , a conversion set list 422 , and a split keyword list 423 are stored in the conversion information storage unit 420 . Of these, the keyword list 421 and the conversion set list 422 are data having the same content as the keyword list 231 and the conversion set list 232 of the data registration server 200, respectively.

The split keyword list 423 is data indicating the correspondence relationship between each keyword that can be registered in the DB 210 and the split keywords. The contents of the split keyword list 423 are the same as those obtained by deleting the selection probability information from the split keyword selection table 233 of the data registration server 200 . The terminal device 400 converts the search keyword into divided keywords based on the divided keyword list 423 .

FIG. 32 is a diagram showing an example of conversion into split keywords. The terminal device 400 divides the plaintext search query 63 indicating the input search condition. For example, it is assumed that the terminal device 400 has received an input of "age group=elderly" (the left side represents the item name and the right side represents the keyword (item value)) as a search condition from the searcher. The terminal device 400 acquires the split keyword associated with the keyword “old man” from the split keyword selection table 233 . In the example of FIG. 32, "old man 0" and "old man 1" are acquired as divided keywords. The terminal device 400 divides the search keyword "old man" into the divided keywords "old man 0" and "old man 1", and generates a divided query 64 indicating the logical sum thereof.

The terminal device 400 generates a perturbed query from the split query 64 based on the transformation set list 422 .
FIG. 33 is a diagram illustrating an example of generation of a disruptive query. The conversion set list 422 of the terminal device 400 has the same contents as the conversion set list 232, and includes conversion sets 422a to 422j corresponding to the items of the DB 210. FIG.

The terminal device 400 randomly determines a search target group for each of the split keywords “elderly 0” and “elderly 1” included in the split query 64 . For example, it is assumed that the search target group for "elderly people 0" is determined to be "1", and the search target group for "elderly people 1" is determined to be "0".

The terminal device 400 refers to the conversion set list 422 and converts the split keywords in the split query 64 based on the determined group to generate the confusion query 65 . For example, "Older 0" is transformed into an element "Child 0" of group "1" according to transformation set 422g. "Old man 1" is not converted because the search target group is "0" (true data record group).

The terminal device 400 then encrypts the keyword in the deranged query 65 . As a result, an anonymized search query 66 including the ciphertext keyword is generated. The terminal device 400 transmits a search request including the anonymized search query 66 to the data management server 100 .

FIG. 34 is a diagram depicting an example of search processing; Upon receiving the anonymized search query 66 , the data management server 100 searches the anonymized DB 110 for records that satisfy the conditions indicated in the anonymized search query 66 . For example, the records satisfying the condition of "H (age group=0 children)" are the records with IDs "9" and "10". Records satisfying the condition of "H (age group=elderly 1)" are records with IDs "3" and "8". Since the anonymized search query 66 is a logical sum of “H (age group=children 0)” and “H (age group=elderly 1)”, a record that satisfies either of these conditions is an anonymized search result. 67 included. The data management server 100 transmits the anonymized search result 67 to the terminal device 400 .

Upon receiving the anonymous search result 67 , the terminal device 400 decrypts the item values in the anonymous search result 67 . By decrypting the terminal device 400, the third and fourth records in the anonymized search result 67 satisfy “age group=children 0”, and the first and second records satisfy “age layer = old man 1" is satisfied.

The terminal device 400 determines the group number of the group to which the record belongs based on the flag of each record obtained by decoding. Then, the terminal device 400 determines whether or not the group to which each record belongs is the search group. For example, since the search group of "age group=child 0" is "1", among the records satisfying "age group=child 0", only the record of group number "1" is the record to be searched. Also, since the search group for "age group=elderly 1" is "0", only records with group number "0" among the records satisfying "age group=elderly 1" are the records to be searched.

The terminal device 400 removes records that do not belong to the search group from among the records included in the anonymized search result 67, and restores the remaining records. Records belonging to the true data record group (group number "0") do not need to be restored. The terminal device 400 stores the item values of the records belonging to the dummy record group (group number “1”) in the conversion set list 422 (see FIG. 15) having the same contents as the conversion set list 232 (see FIG. 33), conversion is performed in the reverse order of the generation of the disturbing query 65 . As a result, "pediatrics 1" in the dummy record belonging to group number "1" is converted to "gynecology 0", "male 1" is converted to "female 0", and "child 0" is converted to "elderly 0". converted.

The terminal device 400 converts the split keywords set as item values in each record into the original keywords, removes the flags, and generates search results 68 . In the example of FIG. 34, by deleting the last number of the split keyword, it can be converted to the original keyword.

FIG. 35 is a flowchart illustrating an example of a search processing procedure. The processing shown in FIG. 35 will be described below along with the step numbers.
[Step S201] The search request unit 440 acquires a search keyword input as a search condition by the user and an item corresponding to the search keyword as a plaintext search query.

[Step S202] The search request unit 440 generates a conversion set list 422 and a split keyword list 423. FIG. For example, the search request unit 440 performs processing similar to the conversion set generation processing for each item in the data registration request unit 250 to generate the conversion set list 422 . A conversion set list 442 generated by the search request unit 440 is the same as the conversion set list 232 generated by the data registration request unit 250 .

If the data registration requesting unit 250 uses random numbers to determine the keyword selection order in step S122 (see FIG. 28), the search requesting unit 440 uses the random number seed used by the data registration requesting unit 250 to generate the random numbers. Obtained from the data registration server 200 . The search request unit 440 generates the same random numbers as those used for the conversion set by the data registration request unit 250 based on the obtained random number seed, and determines the order of keyword selection. As a result, a conversion set list 422 having the same contents as the conversion set list 232 possessed by the data registration server 200 can be generated. Note that the search request unit 440 may acquire the conversion set list 232 from the data registration server 200 and store it in the conversion information storage unit 420 as the conversion set list 422 of the terminal device 400 .

The split keyword list 423 generated by the search request unit 440 is obtained by removing the selection probability information from the split keyword selection table 233 in the data registration server 200 . For example, the search request unit 440 generates split keywords using the same algorithm as the data registration server 200 . For example, the search request unit 440 generates split keywords by adding numbers in ascending order from 0 for identifying split keywords after the keywords shown in the keyword list 421 .

[Step S203] The search request unit 440 divides the obtained plaintext search query. For example, the search request unit 440 divides the search keyword included in the plaintext search query into divided keywords. Then, the search request unit 440 generates a split query for each split keyword obtained by splitting. When the divided keyword list 423 as shown in FIG. 32 is generated, the search keyword "old man" is divided into "old man 0" and "old man 1". Then, a divided query containing the search keyword "old man 0" and a divided query containing the search keyword "old man 1" are generated. The logical sum of the search results of the split queries generated by splitting is the search result of the acquired plaintext search query.

The obtained plaintext search query may contain multiple search keywords. In the case of a logical sum search of multiple search keywords, the search request unit 440 breaks down each search keyword into split keywords and generates split queries for each split keyword. The logical sum of the search results of the multiple generated split queries is the obtained search result of the plaintext search query.

Also, in the case of a logical product search of a plurality of search keywords, the search request unit 440 generates all combinations of divided keywords with different items. In the case of a logical product of search keywords for three or more items, the search request unit 440 selects one split keyword from each item to generate all possible combinations of split keywords. Then, the search request unit 440 generates a plaintext search query of logical product for each combination of the generated divided keywords. Also in this case, the logical sum of the search results of the multiple generated split queries is the obtained search result of the plaintext search query.

For example, the obtained plaintext search query is "A∧B", the search keyword "A" is divided into "A0" and "A1", and the search keyword "B" is divided into "B0" and "B1". and In this case, the search request unit 440 generates "A0 Λ B0", "A0 Λ B1", "A1 Λ B0", and "A1 Λ B1" as split queries.

[Step S204] The search request unit 440 selects one of the generated divided queries that has not yet been selected.
[Step S205] The search request unit 440 stochastically selects one group from all groups including the true data record group and the dummy record group. The search request unit 440 searches the selected record group. All the dummy record groups in the anonymization DB 110 have the same frequency distribution as the true data record group, although the values are different. Therefore, even if a dummy record group is targeted for retrieval, correct retrieval results can be obtained by inversely transforming the dummy values in the dummy records obtained as retrieval results according to the transformation set.

By transforming (disturbing) the split query according to the transform set in this way, the same result as when the plaintext data group is retrieved can be obtained regardless of which group is retrieved. Therefore, the number of search queries does not increase while perturbing search queries. In addition, by randomly determining the group to be searched by the search request unit 440, the attacker 33 is prevented from specifying the group number of each record in the anonymization DB due to the bias of the group to be searched.

[Step S206] The search request unit 440 determines whether or not a dummy record group has been selected. If a dummy record group is selected, search request unit 440 advances the process to step S207. If the selected record group is true data, search request unit 440 advances the process to step S212.

[Step S207] The search request unit 440 disturbs the generated split query based on the transformation set. For example, when a search target item and a split keyword are specified in a split query, the search request unit 440 first selects one or more conversion sets corresponding to the search target item and matches the specified split keyword. Identify the transform set containing the element. Next, the search request unit 440 acquires the group number of the selected dummy record group. The search request unit 440 obtains from the conversion set the elements to the right of the group number cyclically from the element in the conversion set corresponding to the divided keyword to be searched. Then, the search request unit 440 converts the conversion-target split keyword in the split query into the acquired element value (dummy value).

[Step S208] The search request unit 440 encrypts the divided query converted in step S207 to generate an anonymized search query. The search request unit 440 transmits the generated anonymous search query to the data management server 100 .

[Step S<b>209 ] The search request unit 440 acquires search results of the anonymous search (anonymized search results) from the data management server 100 . The search request unit 440 extracts only dummy records belonging to the dummy record group selected in step S206 from the anonymized search results. At this time, the search request unit 440 can specify dummy records belonging to the selected dummy record group based on the flag value of each record.

[Step S<b>210 ] The search request unit 440 decrypts the item values (dummy values) in the extracted dummy records, which are included in the anonymized search results, using the encryption key obtained in advance from the data registration server 200 .

[Step S211] The search requesting unit 440 inversely transforms the decoded dummy values of the dummy records belonging to the dummy record group selected in step S206 based on the transformation set, and the search results in which the true value of the plaintext is set. to restore.

FIG. 36 is a diagram showing an example of inverse transformation of dummy values. For example, the search request unit 440 identifies a conversion set including an element corresponding to the dummy value from among one or more conversion sets corresponding to the item to which the dummy value belongs. In the example of FIG. 36, it is assumed that transformation set 69 has been specified. Next, the search request unit 440 acquires the group number of the dummy record group selected in step S206. The search request unit 440 cyclically acquires from the conversion set 69 the left element by the group number from the element in the conversion set 69 corresponding to the dummy value. Then, the search request unit 440 converts the decoded dummy value into the value of the acquired element (divided keyword of true data). For example, if the dummy value of the dummy record belonging to the dummy record group with the group number "2" is "Child 1", the dummy value is added to the second element "Adult 1" to the left of "Child 1" in the conversion set 69. inversely transformed.

The inverse transformation relationship shown in FIG. 36 is a bijective relationship that is the inverse mapping of the mapping used for the conversion of the item values performed by the data registration server 200 at the time of data registration. By performing such inverse transformation on all dummy values in the dummy records belonging to the selected dummy record group, split keywords corresponding to the dummy values are obtained. The search request unit 440 converts the split keywords into the original keywords (true values) based on the list of split keywords. This produces true search results. After that, search request unit 440 advances the process to step S215.

Hereinafter, the description will return to FIG.
[Step S212] The search request unit 440 encrypts the search query with the flag value corresponding to the true data record group added to the search condition, generates an anonymized search query, and sends the anonymized search query to the data management server 100. Send to

[Step S<b>213 ] The search request unit 440 acquires anonymous search results using the anonymous search query from the data management server 100 .
[Step S214] The search request unit 440 decodes the item values in the records of the true data record group included in the anonymized search results. Similar to step S210, search request unit 440 identifies the selected group of records (true data records). The search request unit 440 converts the split keywords in the record of the true data into the original keywords based on the list of split keywords, and obtains search results in which plain text true values are set.

[Step S215] The search request unit 440 outputs plaintext search results.
[Step S216] The search request unit 440 determines whether or not all divided queries have been selected. If there is an unselected split query, the search request unit 440 advances the process to step S204. Moreover, the search request unit 440 ends the search processing when all the divided queries are selected and the search by the corresponding anonymized search query ends.

Search results are displayed, for example, on a search result display screen.
FIG. 37 is a diagram showing an example of a search result display screen. The search result display screen 70 displays, for example, search conditions related to patients and the number of patients who match the search conditions. The search result display screen 70 also displays plaintext data of records hit by the search.

Such a search equalizes the frequency of appearance of item values for each set of G divided keywords. As a result, bias in appearance frequency for each item value is suppressed, and security against frequency analysis attacks is improved. Moreover, since the appearance frequency of the divided keywords is determined by the secret selection probability, it is difficult to narrow down the keyword candidates based on the appearance frequency of a certain keyword after frequency disturbance.

The difficulty of the anonymized DB 110 frequency analysis attack will be described below with reference to FIGS. 38 and 39. FIG.
FIG. 38 is a diagram showing an example of frequency disturbance by split keywords. For example, regarding the age group items in the DB 210, the appearance frequency of "elderly" is "98", the appearance frequency of "adult" is "35", the appearance frequency of "youth" is "91", and the appearance frequency of children is "63". ” shall be Each keyword is divided into two, and the conversion sets 232g to 232j shown in FIG. 15 convert the item values of the dummy records of the group "1" into dummy values, thereby realizing frequency disturbance.

Data after frequency disturbance is registered in the anonymization DB 110, and the frequency of appearance of divided keywords is equalized for each conversion set. In the figure, the numbers in solid line rectangles are the frequencies of occurrence in group "0" (true data record group), and the numbers in dashed line rectangles are the appearance frequencies in group "1" (dummy record group).

In the example of FIG. 38, the frequency of appearance of both "H (old man 0)" and "H (child 0)" is "65". The frequency of appearance of both "H (old man 1)" and "H (adult 0)" is "81". The frequency of occurrence of both "H (adult 1)" and "H (youth 0)" is "80". The frequency of appearance of both "H (youth 1)" and "H (child 1)" is "61".

FIG. 39 is a diagram illustrating an example of a frequency analysis attack; For example, it is assumed that the attacker 33, by spying on the search status of the anonymized DB 110, is able to grasp the four patterns of post-disturbance frequencies "65, 81, 80, 61" based on the number of records hit by the search. .

When the attacker 33 knows the appearance frequency of each keyword in the DB 210, even if the attacker 33 combines those appearance frequencies, the post-disturbance frequency is not obtained. Therefore, it is conceivable for the attacker 33 to brute-force combinations of division frequencies and conversion set elements to calculate post-disturbance frequencies for each combination.

For example, for "elderly", the ratios of division frequencies for "elderly 0" and "elderly 1" are "0:98", "1:97", "2:96", ..., "98:0". ” exists in 99 ways. Similarly, there are 36 division frequency ratios for "adult", 92 division frequency ratios for "youth", and 64 division frequency ratios for "child".

Also, there are many possible patterns of combinations of split keywords that are elements of the same conversion set. For example, divided keywords belonging to the same conversion set as "old man 0" may be "adult 0" and "youth 0" in addition to "child 0". Even if the transformation set generation algorithm is known, it is possible to keep secret what combinations of transformation sets are generated by randomly rearranging the keywords before generating the transformation set. is.

The attacker 33 considers all of these possible combinations, and searches for the search target keywords of the post-disturbance frequencies “65, 81, 80, 61”. However, there are many patterns of division frequencies and transformation sets that result in post-perturbation frequencies of "65, 81, 80, 61". For example, even if there are conversion sets 232g to 232j as shown in FIG. As shown in 39, there are 35 ways.

Further, there is a case where the post-conversion frequencies of the divided keywords of the conversion sets 232g to 232j are "61, 80, 81, 65" (appearance frequency example 72). The case of appearance frequency example 72 cannot be distinguished from the case (appearance frequency example 71) in which the post-disturbance frequencies of the divided keywords of the conversion sets 232g to 232j are "65, 81, 80, 61". In the case where the post-disturbance frequencies of the divided keywords of the conversion sets 232g to 232j are "61, 80, 81, 65" (appearance frequency example 72), there are many combinations of the post-disturbance frequencies. .

Therefore, even if the attacker 33 tries to narrow down the keywords to be searched based on the number of hit records when the search is executed, any keyword can be included, and narrowing down is difficult. For example, even if the number of records hit by the search is "81", considering that there may be an appearance frequency example 71 or an appearance frequency example 72, any keyword can be used as a keyword to be searched. This makes frequency analysis attacks difficult.

Even when a dummy record is acquired as a search result, the terminal device 400 can acquire the item value of the true data that matches the input search condition based on the dummy value of the dummy record. Therefore, even if the attacker 33 obtains the search results sent from the data management server 100, the attacker 33 determines whether the item values included in the search results are true data item values or dummy values. I can't. As a result, true data confidentiality is improved.

Note that the conversion set list 232 is confidential information, and only the data registration server 200 that registers data in the anonymization DB 110 and the terminal device 400 that is permitted to search the anonymization DB 110 have the conversion set list 232 . Also, by adding/deleting records one record at a time, it becomes possible to associate the added/deleted ciphertext and plaintext. Therefore, the data registration server 200 does not add or delete records for each record since the conversion set is specified for each line. That is, the data registration server 200 collects a predetermined number or more of records and adds or deletes them to the DB 210 and the anonymization DB 110 .

[Third Embodiment]
Next, a third embodiment will be described. The third embodiment performs frequency perturbation without using dummy records.

Since dummy data having a plurality of dummy records is added in the above-described second embodiment, the number of records in the anonymization DB 110 is an integral multiple of the number of original data records. In the third embodiment, instead of generating dummy records, the data registration server 200 collects the divided keywords into a predetermined number of conversion sets, and converts the divided keywords belonging to the same conversion set into a common value (shared keyword). to perform frequency perturbation. That is, by converting a plurality of values into a common value, the frequency of appearance of each value in the anonymization DB becomes a number different from the frequency of appearance of each value of true data. At this time, the data registration server 200 sets, in each record, information indicating the split keyword that is the conversion source of the shared keyword as a flag.

FIG. 40 is a diagram showing an example of conversion to common keywords. In the third embodiment, the data registration server 200 generates a shared set list 234 instead of the conversion set list in the second embodiment.

The sharing set list 234 includes one or more sharing sets 234a-234j for each item. The conditions for generating the shared sets 234a to 234j are that at least one element is a split keyword, and another split keyword that shares the split keyword with the conversion source keyword is included in another conversion set. In other words, each of the shared sets 234a-234j includes n−1 or less divided keywords out of the n divided keywords corresponding to one keyword.

In the example of FIG. 40, the shared set list 234 includes three shared sets 234a-234c for clinical departments, three shared sets 234d-234df for gender, and four shared sets 234g-234j for age groups. is The shared sets 234d and 234f contain one element, and the other shared sets 234a to 234c, 234e and 234g to 234j contain two elements each. The elements contained in shared sets 234a-234j are all split keywords. Also, if there is a keyword that is not divided, that keyword is also an element of the shared set 234a-234j.

As in the second embodiment, the data registration server 200 refers to the divided keyword selection table 233 (see FIG. 14), and divides the keyword stored in the plaintext DB 210 into a plurality of divisions corresponding to the keyword. Convert probabilistically to one of the keywords. The data registration server 200 then generates the divided data 211 .

Furthermore, the data registration server 200 converts the divided keywords in the divided data 211 into shared keywords based on the shared set list 234 . For example, the data registration server 200 converts split keywords corresponding to elements in one shared set into the same shared keyword. In the example of FIG. 40, the shared keyword is a character string listing the elements included in the shared sets 234a to 234j.

Note that the numbers to the left of ":" in shared sets 234a to 234j in FIG. 40 are element numbers. The character string to the right of ":" is a split keyword set as an element.
For example, the shared set 234a includes "pediatrics 0" and "internal medicine 0" as elements. Therefore, the divided keywords “pediatrics 0” and “internal medicine 0” in the divided data 211 are both converted into the common keyword “pediatrics 0, internal medicine 0”. It should be noted that the common set 234d has only "man 0" as an element. Therefore, the shared keyword corresponding to the shared set 234d is "male 0", which is the same as the divided keyword.

A record corresponding to each record in the divided data 211 is generated as registration data 81 . The data registration server 200 then assigns a flag to each record within the registration data 81 . Registration data 81 is an example of disturbance record group 6 shown in the first embodiment.

The flag includes the element number of the element corresponding to the split keyword of the conversion source and the ID of the record of the conversion source. For example, the record with the ID "0" in the divided data 211 includes the clinical department "internal medicine 0", the sex "male 1", and the age group "elderly 1". "Internal Medicine 0" is converted to "Pediatrics 0, Internal Medicine 0". The element number of "internal medicine 0" in the shared set 234a is "1". "Male 1" is converted to "Male 1, Female 0". The element number of "man 1" in the shared set 234d is "0". "Older 1" is converted to "Older 1, Adult 0". The element number of "old man 1" is "0". Then, the converted record contains record ID "0", element number "1" of "internal medicine 0", element number "0" of "man 1", and element number "0" of "old man 1". A flag "0 (1, 0, 0)" is given.

The data registration server 200 encrypts the registration data 81 for each item value (including the flag) and registers it in the anonymization DB 110 . At that time, the data registration server 200 may assign a random ID to each record of the registration data 81 and sort by the ID.

The terminal device 400 has a divided keyword list 423 shown in FIG. 32 and a shared set list having the same content as the shared set list 234 that the data registration server 200 has. When searching the anonymization DB 110, the terminal device 400 converts the search keyword into corresponding divided keywords, and then converts the divided keywords into shared keywords. The terminal device 400 then transmits an anonymized search query including the shared keyword to the data management server 100 .

Note that the shared set list 234 is confidential information, and only the data registration server 200 that registers data in the anonymization DB 110 and the terminal device 400 that is permitted to search the anonymized DB 110 have the shared set list 234 . Also, by adding/deleting records one record at a time, it becomes possible to associate the added/deleted ciphertext and plaintext. Therefore, the data registration server 200 does not add/delete records for each record since the shared set is specified in units of one line. That is, the data registration server 200 collects a predetermined number or more of records and adds or deletes them to the DB 210 and the anonymization DB 110 .

Based on the anonymized search query, the data management server 100 searches the anonymized DB 110 for records containing the relevant shared keyword. The appearance frequency of the shared keyword in the anonymization DB 110 is the total appearance frequency of each divided keyword that is the conversion source of the shared keyword. Also, the split keywords are generated stochastically. Therefore, even if the attacker 33 obtains the appearance frequency of the shared keyword, it is difficult to estimate the original search keyword.

When the terminal device 400 acquires a record hit by the anonymized search query from the data management server 100, the terminal device 400 can convert the common keyword into the split keyword of the conversion source based on the flag of the record. Then, the terminal device 400 converts the split keywords into the original keywords based on the split keyword list 423 . Thereby, the terminal device 400 can acquire a record including the search keyword.

Also, since the flag value includes the ID of the record, the ciphertext when the flag value is encrypted becomes a unique value for each record. This can prevent flag value frequency analysis attacks.

FIG. 40 shows an example in which all keywords that can be registered in the DB 210 are converted into split keywords. good.

FIG. 41 is a first diagram showing another example of generating shared sets. The shared set list 82 shown in FIG. 41 includes three shared sets 82a to 82c for clinical departments, two shared sets 82d to 82e for gender, and three shared sets 82f to 82h for age groups. there is In the example of FIG. 41, the clinical department "internal medicine", the gender keyword "female", and the age group keywords "youth" and "child" are not converted into divided keywords. Therefore, these keywords are elements of the shared set as they are. The number of elements included in the shared sets 82c and 82e is one. Unlike the transformation set in the second embodiment, the shared set may have one element.

Each sharing set 82a to 82h shown in the sharing set list 82 satisfies the sharing set generation conditions. However, if conversion to a shared keyword is performed using the shared set list 82, the degree of difficulty of plaintext estimation is lowered compared to the case where the shared set list 234 shown in FIG. 40 is used. For example, the attacker 33 can make the following attacks against the anonymization DB 110 that has been converted into shared keywords using the shared set list 82 .

Assume, for example, that the attacker 33 attempts to identify a search target for searching for gender. The attacker 33 obtains post-disturbance frequencies for each shared keyword of each of the gender shared sets 82d and 82e. For example, the attacker 33 acquires the number of hit records when the searcher searches for records with the gender “female”, thereby obtaining the post-disturbance frequency of the shared keyword corresponding to the shared set 82d (the frequency of “male 0” and the number of hits). frequency of “female” and the total) can be obtained. The attacker 33 subtracts the frequency of the plaintext "woman" from the post-disturbance frequency of the shared keyword corresponding to the shared set 82d. Then, the frequency of "male 0" is obtained. Furthermore, the attacker 33 adds the post-disturbance frequency of the shared keyword corresponding to another shared set 82e to the subtraction result. The frequency after addition is the sum of the frequency of "Male 0" and the frequency of "Male 1".

If the attacker 33 can confirm that the addition result is equal to the frequency of "male", and if a search with the post-disturbance frequency of the shared keyword corresponding to the shared set 82d is performed, the corresponding shared set 82d includes " It can be judged that "woman" is included. After that, the attacker 33 can identify that the searcher has searched for "female" only when the searcher performs only a search with the post-disruption frequency of the shared keyword corresponding to the shared set 82d.

By repeating such attempts, the attacker 33 can narrow down the search target. reduced risk of

In this way, in the shared sets 82a to 82h shown in the shared set list 82, if there is an item such as gender that has a small number of keywords that can be registered, the security against frequency analysis attacks is lowered. However, if the number of keywords that can be registered for each item is large, the number of combinations of keywords used in attacks by the attacker 33 (addition and subtraction of the frequency of the relevant keywords in the attacks) becomes enormous. As a result, as shown in the shared set list 82, some elements are sufficiently secure even if the keywords registered in the DB 210 remain as they are (not converted into split keywords).

In the third embodiment, as in the conversion set in the second embodiment, if there are a plurality of shared sets in which the combination of the conversion source keywords of the divided keywords is the same, the frequency analysis attack become vulnerable. Therefore, the data registration requesting unit 250 generates a plurality of shared sets so that the combinations of keywords that are the conversion sources of the divided keywords are different from each other.

Elements of each device for realizing the third embodiment are the same as those of each device of the second embodiment shown in FIG. However, in the third embodiment, part of the processing contents of each element or part of the information to be stored differs from the second embodiment.

In the third embodiment, the information stored in the conversion information storage unit 230 of the data registration server 200 differs from that in the second embodiment.
42 is a diagram illustrating an example of information stored in a conversion information storage unit of a data registration server according to the third embodiment; FIG. The conversion information storage unit 230 stores a keyword list 231 , a shared set list 234 and a split keyword selection table 233 . When compared with the conversion information storage unit 230 of the second embodiment shown in FIG. 21, the conversion set list 232 in the second embodiment becomes the shared set list 234 in the third embodiment.

Shared set list 234 is generated by data registration request unit 250 . The data registration request unit 250 can generate a shared set by the same procedure as the transformation set generation procedure in the second embodiment, for example.

FIG. 43 is a diagram illustrating an example of generating a sharing set. The keyword list 231a shows four keywords that can be set for age groups. Also, G=2, and each shared set 234g-234j includes two split keywords. When the divided keywords are generated based on the divided keyword selection table 233 shown in FIG. 14, there are eight divided keywords related to age groups.

The data registration request unit 250 first creates storage areas for the elements of the four shared sets 234g to 234j. The data registration requesting unit 250 sets the identifiers of the shared sets 234g to 234j to "2-0" to "2-3", respectively. The numerical value on the left side of the identifier is the value corresponding to the "age group", and the numerical value on the right side is the serial number for the shared set 234g-234j of the "age group".

The data registration request unit 250 selects all keywords once from the keyword list 231a, for example, in a predetermined order or in random order. In the example of FIG. 43, the keywords are selected in order from the left of the keyword list 231a.

The data registration requesting unit 250 stores the divided keywords of the selected keyword in the shared set storage area in ascending order of number. At this time, the data registration requesting unit 250 stores divided keywords corresponding to the same keyword in different shared sets. The data registration requesting unit 250 also prevents the occurrence of a plurality of shared sets in which the combination of the conversion source keywords of the divided keywords in the shared set is the same.

For example, the data registration requesting unit 250 registers the first divided keyword of the first selected keyword in the leading shared set 234g. Next, the data registration request unit 250 registers the second divided keyword of the keyword in the second shared set 234h. For example, if "old man" is selected first, "old man 0" is registered in shared set 234g and "old man 1" is registered in shared set 234h.

The data registration requesting unit 250 registers the first divided keyword of the second selected keyword in the same shared set 234h as the second divided keyword of the previously selected keyword. Next, the data registration request unit 250 registers the second divided keyword of the keyword in the next shared set 234i. For example, if "adult" is selected second, "adult 0" is registered in shared set 234h and "adult 1" is registered in shared set 234i.

The data registration requesting unit 250 also registers the divided keywords of the third and subsequent keywords in the shared set in the same procedure as the second selected keyword. For example, if "Youth" is selected third, "Youth 0" is registered in shared set 234i and "Youth 1" is registered in shared set 234j.

The data registration requesting unit 250 registers the divided keyword of the last selected keyword in a shared set with a free storage area. For example, if "Child" is selected last, then "Child 0" is registered in shared set 234g and "Child 1" is registered in shared set 234j.

Shared sets 234g to 234j are generated by such a procedure. At least one of the elements belonging to each of the shared sets 234g to 234j is a split keyword, and another split keyword that shares the split keyword with the conversion source keyword is included in the other shared set. Therefore, it satisfies the conditions for generating a shared set. In addition, there are no multiple shared sets in which the combination of the conversion source keywords of the divided keywords in the shared sets 234g to 234j is the same.

Although FIG. 43 shows an example of generation of shared sets 234g to 234j for age groups, shared sets 234a to 234f can also be generated for clinical departments and genders in a similar manner. As a result, a shared set list 234 as shown in FIG. 40 is generated.

Assuming that the number of types of keywords in the j-th item is X _j and the number of shared sets of the _j -th item is M' _j , FIG. This is an example when M' _j =4. Other values for these parameters can be used to generate a suitable shared set as well.

The data registration server 200 assigns a random ID to each record of the registered data 81 generated by converting the divided keywords into shared keywords using the shared set list 234, sorts them by ID, and then hides each record. stored in the transformation DB 110.

FIG. 44 is a diagram showing an example of an anonymization DB storing shared keywords. The records registered in the anonymization DB 110 are sorted by ID, and are registered in an order different from the conversion source records in the true data.

Next, the procedure of data registration processing will be described.
FIG. 45 is a flow chart showing an example of the procedure of data registration processing. The processing shown in FIG. 45 will be described below along with the step numbers.

[Step S301] The data registration requesting unit 250 receives a setting input of the number of groups G and the number of keyword divisions L. FIG. Both G and L are integers of 2 or more. As the values of G and L are larger, the safety improves, but the number of dummy records to be registered also increases. Therefore, the values of G and L are determined by the administrator of the data registration server 200 in consideration of the degree of security against frequency analysis attacks required of the anonymization DB 110 and the number of dummy records allowed in the anonymization DB 110. do.

[Step S302] The data registration request unit 250 determines the number of shared sets for each item. For example, the number of shared sets M' _j of the j-th item is expressed by the following equation (4) using a ceiling function.

The value (L×X _j ) obtained by multiplying the keyword type number X _j of the j-th item by the keyword division number L is the number of divided keywords of the item. The larger one of the ceiling function (minimum integer equal to or greater than the division result) obtained by dividing the number of divided keywords by the number of groups G and "3" is the number of shared sets.

By setting the number of shared sets to be "3" or more, in the case of G=2, three shared sets are generated even for an item such as gender that has only two types of keywords. As a result, it is possible to prevent the same combination of the conversion source keywords of the divided keywords in different shared sets for gender.

[Step S303] The data registration requesting unit 250 generates shared sets for each of the items as many as the number of shared sets determined in step S302. If the number of divided keywords is smaller than the number of shared set storage areas, the data registration request unit 250 leaves part of the shared set element storage areas blank. Each shared set that is generated includes at least one split keyword, and other split keywords that share the split keyword and the conversion source keyword are included in the other shared sets. As a result, shared sets 234a to 234j as shown in the shared set list 234 of FIG. 40 are generated.

[Step S<b>304 ] The data registration request unit 250 generates the split keyword selection table 233 . The details of this process are the same as the process of step S104 shown in FIG.
[Step S<b>305 ] The data registration request unit 250 reads plaintext data from the DB 210 .

[Step S<b>306 ] The data registration requesting unit 250 probabilistically converts the keywords registered in the record of the read plaintext data into divided keywords with the selection probabilities shown in the divided keyword selection table 233 . The details of this process are the same as the process of step S106 shown in FIG.

[Step S307] The data registration request unit 250 converts the divided keywords of each record into shared keywords. Details of the process of converting to a shared keyword will be described later (see FIG. 46).

[Step S308] The data registration requesting unit 250 randomly assigns an ID to each record containing the shared keyword.
[Step S309] The data registration request unit 250 assigns a flag value to each record. For example, the data registration request unit 250 determines, for each record, the ID of the plaintext record in the DB 210 that is the source of conversion of the record, and the shared set of divided keywords that are the sources of conversion of each item into the shared keyword. Create a pair with the element number as a flag value. By including the ID of the record from which the conversion is made, all flag values can be made unique, and frequency analysis attacks on flag values can be prevented. In addition, since the flag value includes the element number in the shared set of the split keyword of the conversion source, the shared keyword can be restored to the original split keyword by referring to the flag value.

[Step S310] The data registration request unit 250 sorts the records by ID.
[Step S<b>311 ] The data registration request unit 250 encrypts the sorted record group and registers it in the anonymization DB 110 . For example, the data registration request unit 250 encrypts each item value in the record, and transmits a group of records having the encrypted value to the data management server 100 as registration data. In the data management server 100 , the data registration unit 120 receives the registration data and stores the received registration data in the anonymization DB 110 .

Next, a detailed description will be given of the process of converting a divided keyword into a shared keyword.
FIG. 46 is a flow chart showing the details of the processing procedure for conversion into shared keywords. The processing shown in FIG. 46 will be described below along with the step numbers.

[Step S321] The data registration request unit 250 selects one split keyword included in the split data 211 (see FIG. 40) whose item values have been converted to split keywords.
[Step S322] The data registration requesting unit 250 identifies from the shared set list 234 the shared set of items to which the selected divided keyword belongs, and searches for shared sets containing the selected divided keyword from the identified shared set.

[Step S323] The data registration requesting unit 250 replaces the selected divided keyword with a shared keyword corresponding to the shared set containing the divided keyword. For example, the data registration requesting unit 250 concatenates all elements of the shared set to which the selected divided keyword belongs, and outputs the result as a shared keyword. The data registration requesting unit 250 may set a specific shared keyword in advance for each shared set, and convert the divided keyword into the shared keyword set for the shared set to which the selected divided keyword belongs.

[Step S324] The data registration request unit 250 determines whether or not there is an unselected split keyword in the split data 211. If there is an unselected split keyword, the data registration requesting unit 250 advances the process to step S321. Further, when the replacement of all the divided keywords with the shared keywords is completed, the data registration requesting unit 250 ends the process of converting to the shared keywords.

FIG. 47 is a diagram showing an example of conversion from divided keywords to shared keywords. For example, it is assumed that the divided keyword "old man 1" is selected. "Old man 1" is included in the shared set 234h. The elements of the shared set 234h are "elderly 1" and "adult 0". Therefore, "old man 1, adult 0" is output as a shared keyword by combining the character strings of "old man 1" and "adult 0" with a comma in between.

By replacing the divided keyword of each record in the divided data 211 (see FIG. 40) with the shared keyword, each record becomes a record of the registration data 81 (see FIG. 40).

FIG. 48 is a diagram showing an example of a record of registration data. A record 83 in which a division keyword is set has an ID of "0", a clinical department of "internal medicine 0", a sex of "male 1", and an age group of "elderly 1". Since the divided keyword "internal medicine 0" is an element of the shared set 234a including "pediatrics 0" and "internal medicine 0", it is converted to the shared keyword "pediatrics 0, internal medicine 0". The divided keyword "male 1" is an element of the shared set 234e including "male 1" and "female 0", so it is converted to the shared keyword "male 1, female 0". The divided keyword "old man 1" is an element of the shared set 234h including "old man 1" and "adult 0", so it is converted to the shared keyword "old man 1, adult 0".

A record 84 having a shared keyword is randomly given an ID of "5". Also, the flag value of record 84 includes the ID “0” of record 83 . The flag value of record 84 also includes the element number of the shared set to which the split keyword in record 83 belongs.

The record 84 generated in this manner is registered in the anonymization DB 110 with the item values and flag values encrypted. A search for the anonymization DB 110 is performed using a shared keyword.

In the third embodiment, information stored in the conversion information storage unit 420 of the terminal device 400 is different from that in the second embodiment.
49 is a diagram illustrating an example of information stored in a conversion information storage unit of a terminal device according to the third embodiment; FIG. The conversion information storage unit 420 stores a keyword list 421 , a shared set list 424 and a split keyword list 423 . Comparing with the conversion information storage unit 420 of the second embodiment shown in FIG. 31, the conversion set list 422 in the second embodiment becomes the shared set list 424 in the third embodiment.

The shared set list 424 is generated, for example, by the search request unit 440 in the same procedure as the generated shared set list 234 by the data registration request unit 250 . The search request unit 440 may also acquire the shared set list 234 from the data registration server 200 and store it in the conversion information storage unit 420 as its own shared set list 424 .

When a search request is input, the search request unit 440 uses the split keyword list 423 and shared set list 424 to generate an anonymized search query.
FIG. 50 is a diagram showing an example of an anonymized search query. When a search condition is input, the search request unit 440 generates a plaintext search query 91 including the search keyword indicated by the search condition. Next, the search request unit 440 refers to the split keyword list 423, splits the search keyword into a plurality of corresponding split keywords, and generates a split query 92 for performing a logical sum search of the split keywords. For example, if the search keyword is "elderly", a split query 92 is generated that performs a logical sum search of "elderly 0" and "elderly 1".

Further, the search request unit 440 refers to the shared set list 424 and converts the divided keyword into a shared keyword corresponding to the shared set to which the divided keyword belongs, thereby generating the disturbance query 93 . For example, a disturbance query 93 is generated that performs a logical sum search of the shared keyword "old man 0, child 0" of the divided keyword "old man 0" and the shared keyword "old man 1, adult 0" of the divided keyword "old man 1".

The search request unit 440 then generates an anonymized search query 94 by encrypting the shared keyword in the disturbing query 93 . The search request unit 440 transmits the anonymized search query 94 to the data management server 100 . Then, in the data management server 100, an anonymized search is performed according to the anonymized search query 94. FIG.

FIG. 51 is a diagram showing an example of anonymous search using a shared keyword. In the data management server 100 that has acquired the anonymized search query 94 , the search unit 140 searches the anonymized DB 110 for a record containing the encrypted text of the shared keyword indicated in the anonymized search query 94 . The search unit 140 then transmits the anonymized search result 95 including the corresponding record to the terminal device 400 .

The search request unit 440 of the terminal device 400 decodes the item values in the anonymized search result 95 to generate the disturbed search result 96 . The search request unit 440 determines the split keyword from which the shared keyword in the record is converted based on the flag of each record of the disturbed search result 96 . Then, the search request unit 440 searches the decrypted anonymized search result 95 for a record having the shared keyword converted based on the split keyword included in the split query 92 .

The search request unit 440 inversely converts the shared keyword of the record having the split keyword indicated in the split query 92 into the split keyword, and further converts the split keyword into a keyword that can be registered in the DB 210 . After removing the flag, the search request unit 440 outputs records having keywords that can be registered in the DB 210 as search results 97 .

FIG. 52 is a flowchart illustrating an example of a search processing procedure. The processing shown in FIG. 52 will be described below along with the step numbers.
[Step S401] The search request unit 440 acquires a search keyword input as a search condition by the user and an item corresponding to the search keyword as a plaintext search query.

[Step S402] The search request unit 440 generates a shared set list 424 and a split keyword list 423. FIG. For example, the search request unit 440 performs processing similar to the shared set generation processing for each item in the data registration request unit 250 to generate the shared set list 424 . The shared set list generated by the search request unit 440 is the same as the shared set list generated by the data registration request unit 250 .

[Step S403] The search request unit 440 divides the obtained plaintext search query. For example, the search request unit 440 divides the search keyword included in the plaintext search query into divided keywords. The search request unit 440 then generates a split query indicating the logical sum of the split keywords obtained by splitting.

The obtained plaintext search query may contain multiple search keywords. In the case of a logical sum search of a plurality of search keywords, the search request unit 440 decomposes each search keyword into split keywords and generates a split query indicating the logical sum of all split keywords. Also, in the case of a logical product search of a plurality of search keywords, the search request unit 440 generates all combinations of divided keywords with different items. In the case of a logical product of search keywords for three or more items, the search request unit 440 selects one split keyword from each item to generate all possible combinations of split keywords. Then, the search request unit 440 generates a logical expression indicating the logical AND for each combination of the generated split keywords. Furthermore, the search request unit 440 generates a split query indicating the logical sum between the logical expressions of the logical product generated for each combination of the split keywords.

For example, the obtained plaintext search query is "A∧B", the search keyword "A" is divided into "A0" and "A1", and the search keyword "B" is divided into "B0" and "B1". and In this case, the search requesting unit 440 generates "(A0∧B0)∨(A0∧B1)∨(A1∧B0)∨(A1∧B1)" as the split query.

[Step S404] The search request unit 440 converts the generated split query into a perturbation query based on the shared set. For example, when a search target item and a split keyword are specified in a split query, the search request unit 440 first selects one or more shared sets corresponding to the search target item and matches the specified split keyword. Identify the shared set containing the element. Next, the search request unit 440 converts the split keyword to be converted in the split query into the shared keyword corresponding to the specified shared set.

[Step S405] The search request unit 440 encrypts the shared keyword converted in step S404 to generate an anonymized search query. The search request unit 440 transmits the generated anonymous search query to the data management server 100 .

[Step S<b>406 ] The search request unit 440 acquires search results of the anonymous search (anonymized search results) from the data management server 100 .
[Step S407] The search request unit 440 decrypts the item values (encrypted text) included in the anonymized search results using the encryption key obtained in advance from the data registration server 200, and generates the disturbed search results including the plaintext shared keyword. Generate.

[Step S408] The search request unit 440 searches for a record containing a shared keyword converted based on the split keyword included in the split query from the disturbed search results. For example, the search request unit 440 divides the decrypted shared keyword into divided keywords that are elements of the shared set corresponding to the shared keyword. The search request unit 440 extracts the split keywords corresponding to the element numbers indicated by the flag values from among the split keywords obtained by splitting. The search request unit 440 determines whether the extracted split keyword matches any of the split keywords indicated in the split query. If they match, the search request unit 440 extracts the record containing the split keyword as a true search result. If the extracted split keyword does not match any of the split keywords indicated in the split query, the search request unit 440 deletes the record from which the extracted split keyword is extracted.

[Step S409] The search request unit 440 restores the keywords set in the DB 210 to the shared keywords of the records extracted as true search results. For example, the search request unit 440 converts each shared keyword into a segmented keyword of the element number indicated by the flag value within the shared set corresponding to the shared keyword. The search request unit 440 then converts the divided keyword into a keyword corresponding to the divided keyword in the divided keyword list 423 .

[Step S410] The search request unit 440 outputs plaintext search results.
In this way, the terminal device 400 can be used to obtain search results for the anonymization DB 110 . At this time, the shared keyword is specified in the anonymized search query transmitted to the data management server 100 . Therefore, the appearance frequency of the plaintext of the search keyword input as the search condition in the DB 210 and the number of records hit by the anonymized search query (appearance frequency of the shared keyword in the anonymized DB 110) differ from each other. It is difficult to conduct a frequency analysis attack by

FIG. 53 is a diagram showing the difficulty of frequency analysis attacks when using shared keywords. For example, in the DB 210, the appearance frequency of "pediatrics" is "27", the appearance frequency of "gynecology" is "84", and the appearance frequency of "internal medicine" is "95". "Pediatrics" is stochastically converted into 19 split keywords "Pediatrics 0" and 8 split keywords "Pediatrics 1". "Gynecology" is stochastically converted into 50 split keywords "Gynecology 0" and 34 split keywords "Gynecology 1". "Internal medicine" is stochastically converted into 52 divided keywords "internal medicine 0" and 43 divided keywords "internal medicine 1".

The number of divided keywords is six. Three shared sets each containing two divided keywords are generated, shared keywords are generated based on the shared sets, and encrypted shared keywords are registered in the anonymization DB 110 . In the anonymization DB 110, the frequency of appearance of the shared keyword "pediatrics 0, internal medicine 0" is "71", the appearance frequency of the shared keyword "pediatrics 1, gynecology 0" is "58", and the shared keyword "gynecology 1, internal medicine 1". is "77".

Assume that the attacker 33 knows that the number of keywords is three, the number of shared sets is three, each keyword is divided into two, and the number of divided keywords in the shared set is two. do. However, the attacker 33 does not know at what ratio each keyword is divided into divided keywords. Therefore, even if the attacker 33 learns that the frequency of appearance of each shared keyword is "71", "58", and "77", respectively, he cannot narrow down the divided keywords included in the shared keyword. This makes frequency analysis attacks difficult.

[Fourth Embodiment]
Next, a fourth embodiment will be described. The fourth embodiment is an improvement over the third embodiment to increase the difficulty of frequency analysis attacks against numerical range searches.

The data management server 100 performs a search while encrypting the data. Searching with encrypted data is, in principle, an exact match search. In the case of an exact match search, it is not possible to compare numerical values. Therefore, when searching for records having numerical values within a certain range, the terminal device 400 uses the logical sum of all possible numerical values within the range as a search keyword.

FIG. 54 is a diagram showing an example of numerical range search. Records relating to patients are registered in the DB 210 of the data registration server 200, and each record has item values of clinical department, sex, and age. Each item value is probabilistically converted into a split keyword, further converted into a shared keyword, and registered in the anonymization DB 110 . It is assumed that the segmented keyword is a character string in which "_0" and "_1" are added after each numerical value of age. For example, the divided keywords for age "18" are "18_0" and "18_1".

When a search condition 601 specifying an age range is input, the terminal device 400 generates a split query 602 indicating the logical sum of split keywords for all ages within that range. The terminal device 400 generates a disturbed query 603 by converting a divided keyword in the divided query 602 into a shared keyword, and generates an anonymized search query 604 by encrypting the shared keyword. When the terminal device 400 transmits the anonymized search query 604 to the data management server 100 , the data management server 100 searches the anonymized DB 110 .

FIG. 55 is a diagram illustrating an example (comparative example) of generation of a shared set of ages. In the age keyword list 611, 101 integers "0 to 100" are set. Each keyword has two split keywords. Therefore, the number of divided keywords is 202. 101 shared sets 1-1 to 1-3, . . . , 1-51 to 1-53, . ~1-101 are generated. In the example of FIG. 55, shared sets 1-1 to 1-3, . . . , 1-51 to 1-53, . 1-101 are generated.

, 1-51 to 1-53, . . . , 1-99 to 1-101. converted to keywords. For example, the divided keyword "0_0" of the keyword "0" is converted into the shared keyword "0_0,100_0", and the divided keyword "0_1" is converted into the shared keyword "0_1,1_0". A shared keyword is encrypted and stored in the anonymization DB 110 . Then, anonymized search is performed on the shared keyword of the ciphertext.

A search specifying an age enables a search specifying a numerical range. The numeric range search is replaced by a logical sum search of the numbers within the range, as shown in FIG. Then, the attacker 33 can presume that the search is for numerical items because there are many logical sum terms in the anonymized search queries issued. The attacker 33 can identify the context of the ciphertexts of the shared keywords by assuming that the ciphertexts simultaneously included in the anonymized search query are serial numbers.

For example, when a search is performed in the numerical range of "0 to 1", a record having a ciphertext of one of the shared keywords "0_0, 100_0", "0_1, 1_0", and "1_1, 2_0" is hit. The attacker 33 can presume that the split keywords that are the conversion sources of the shared keywords included in these records include serial numbers. Therefore, the attacker 33 arranges the ciphertexts of the shared keywords "0_0, 100_0", "0_1, 1_0", and "1_1, 2_0" so as to be continuous. The attacker 33 arranges the ciphertexts so that the ciphertexts of the shared keywords included in the hit records are consecutive each time the search is performed in various numerical ranges. The attacker 33 can finally arrange the ciphertexts of the shared keywords in the same order as the arrangement of the shared keywords in FIG.

In the example of FIG. 55, except for the split keyword "100_0", the higher the shared set, the smaller the number of split keywords included. At this time, the attacker 33 can only know the continuous relationship between the shared keywords, and even if the ciphertexts of the shared keywords are arranged, it is possible to determine which of the numbers at the beginning and the end of the array is smaller and which is larger. Can not.

However, if a record containing the middle value of the ciphertext of the shared keyword is retrieved, the attacker 33 can recognize that the middle numerical value within the entire numerical range "0 to 100" has been retrieved. That is, it becomes possible to narrow down the search conditions.

Therefore, in the fourth embodiment, when numerical values are set in the keyword list, the data registration requesting unit 250 of the data registration server 200 adds a shared set containing consecutive numerical values in a certain numerical range to a shared set in which the ranges do not overlap. Generate a shared set such that it contains the consecutive numeric ranges of the numeric ranges of .

FIG. 56 is a diagram illustrating an example of generating a shared set of ages. FIG. 56 shows 102 shared sets 2-1 to 2-6, .

The data registration requesting unit 250 selects numerical values from the keyword list 611 in ascending order of value, for example. The data registration requesting unit 250 sequentially sets the selected numeric divided keywords one by one from the highest shared set 2-1 downward. The second and subsequent numerical division keywords are set in the shared set next to the previously selected numerical value set.

The data registration requesting unit 250 sets a second element for each shared set when one divided keyword is set for each of the shared sets 2-1 to 2-102. However, the highest shared set 2-1 and the lowest shared set 2-102 are excluded from setting of the second divided keyword. Therefore, the data registration requesting unit 250 sequentially sets the selected numeric divided keywords one by one from the second lowest shared set 2-101 to the upper ones.

By generating a shared set in this way, a shared set containing consecutive numbers in a certain numerical range will also contain consecutive numbers in another numerical range whose ranges do not overlap. As a result, even if the attacker 33 were able to arrange the ciphertexts of the shared keywords corresponding to the shared sets 2-1 to 2-102 based on numerical continuity, records containing a certain ciphertext would not be retrieved. It is difficult to narrow down the searched numerical range when For example, the attacker 33 searches around "0-2", searches around "98-100", searches around "48-50", searches around "51-53", searches around "48-53" is difficult to discern.

When the number of groups G (the maximum number of elements in a shared set) is increased, the number of search hits increases due to the influence of other shared keywords. For items with a large number of age keywords, the frequency of each keyword is expected to decrease according to the number of keywords. Therefore, the number of groups corresponding to the applicable item when the item value is a numerical value may be increased.

FIG. 57 is a diagram illustrating an example of generating a shared set when the number of groups is three. FIG. 57 shows 68 shared sets 3-1 to 3-6, .

The data registration requesting unit 250 selects numerical values from the keyword list 611 in ascending order of value, for example. The data registration requesting unit 250 sequentially sets the selected numeric divided keywords one by one from the highest shared set 3-1 downward. , 3-63 to 3-68, the data registration requesting unit 250 sets the second split keyword for each shared set 3-1 to 3-6, . set the elements of However, the shared set 3-68 at the lowest level is excluded from setting of the second divided keyword. Therefore, the data registration requesting unit 250 sequentially sets the selected numeric divided keywords one by one from the second lowest shared set 3-67 to the upper ones. , 3-63 to 3-68, the data registration requesting unit 250 sets a third split keyword for each shared set 3-1 to 3-6, . set the elements of However, the highest shared set 3-1 is excluded from setting of the third divided keyword. Therefore, the data registration requesting unit 250 sets the selected numeric divided keywords one by one in descending order from the second shared set 3-2 from the top.

By increasing the number of groups G in this way, even if a numerical range search is performed, the number of numerical ranges included in hit records will be large, making it more difficult to narrow down the search target.
[Other embodiments]
In the second to fourth embodiments, an example of confidential search for data held by a hospital has been shown, but it can also be used in other fields.

In addition, although the data registration servers 200 and 300 and the data management server 100 are separated in the second to fourth embodiments, the data registration servers 200 and 300 may have the functions of the data management server 100 .

Although the embodiment has been exemplified above, the configuration of each part shown in the embodiment can be replaced with another one having the same function. Also, any other components or steps may be added. Furthermore, any two or more configurations (features) of the above-described embodiments may be combined.

1 data registration device 1a storage unit 1b processing unit 2 server 2a anonymization DB
3 data utilization device 4 secret record group 5a-5c item value set 6 disturbance record group

Claims (17)

to the computer,
n (n is a natural number) second item values for each of a plurality of first item values that can be set for one item in the confidential record in the confidential record group including one or more confidential records to be confidential mapping,
each of the plurality of item value sets is any number of 1 to n-1 of the second item values among the two or more second item values associated with the same first item value Classifying each of the second item values into one of the plurality of item value sets so as to include
probabilistically converting the first item value set in the one item in the confidential record to one of the associated second item values;
Based on the confidential record group, by adding the dummy second item value, a disturbance record group is generated in which the number of search hits for the second item value belonging to the same item value set is equalized,
Giving a flag indicating the truth or falseness of the second item value included in the record to a record in the disturbance record group,
encrypting the disturbance records;
A confidential information management program that causes processing to be performed. In the conversion of the first item value to the second item value, the selection probability of the second item value is randomly determined, and among the second item values associated with the first item value, selecting one with a probability according to the selection probability and converting the first item value to the selected second item value;
The secret information management program according to claim 1. In the classification of the second item values, two or more of the item value sets are prevented from having the same combination of the first item values corresponding to the second item values belonging to them.
3. The confidential information management program according to claim 1 or 2. In the generation of the disturbance record group,
set in the one item of each of the confidential records according to a bijective relationship in which each of the second item values belonging to the item value set is bijected to a different second item value belonging to the same item value set; generating a dummy value corresponding to each of the second item values,
generating a dummy record group having the same number of dummy records as the confidential records, in which the dummy value is set in the one item;
generating the disturbance record group including the confidential record group and the dummy record group;
4. The confidential information management program according to any one of claims 1 to 3. In the generation of the dummy record group, when there are a plurality of the dummy record groups, the second item value set in the one item of the confidential record is converted to a different second item value for each dummy record group. using the bijective relationship that is different for each of the dummy record groups,
5. The confidential information management program according to claim 4. In the provision of the flag, a first flag indicating true is provided to the confidential record, and a second flag indicating false is provided to the dummy record,
In the encryption, the second item value set to the one item of each of the confidential record and the dummy record, the first flag assigned to the confidential record, and the first flag assigned to the dummy record Encrypt 2 flags,
6. The confidential information management program according to claim 4 or 5. In assigning the second flag, the second flag having a value different for each of the dummy record groups generated one or more and different from the first flag is set to the dummy records included in each of the dummy record groups. ,
7. The confidential information management program according to claim 6. In the setting of the first flag, the first flag including the identifier of the confidential record and the value indicating the group number of the confidential record group is given to the confidential record,
In setting the second flag, the second flag including the identifier of the dummy record and the group number of the dummy record group to which it belongs is set in the dummy record.
The secret information management program according to claim 7. In the generation of the disturbance record group,
The second item value before conversion set in the one item in the confidential record is associated with the item value set to which the second item value before conversion belongs, and any item belonging to the same item value set is associated with the item value set to which the second item value before conversion belongs. generating a disturbance record by converting to a third item value that also hits a search for the second item value of , and generating the disturbance record group including the disturbance record;
4. The confidential information management program according to any one of claims 1 to 3. In the addition of the flag, a third flag including information indicating the second item value before conversion is added to the disturbance record;
In the encryption, encrypting the third item value set in the one item of the disturbance record and the given third flag;
10. The confidential information management program according to claim 9. In the addition of the third flag, the third flag containing the identifier of the confidential record and the element number in the item value set of the element corresponding to the second item value before conversion is added to the confidential record Give,
11. The confidential information management program according to claim 10. In the classification, when the plurality of first item values are numerical values, an item value set including the second item values corresponding to each of the plurality of consecutive numerical values within the first numerical range overlaps with the first numerical range. classifying the second item value into one of the plurality of item value sets such that the second item value corresponding to each consecutive numerical value within the second numerical range is included;
12. The confidential information management program according to any one of claims 1 to 11. the computer
n (n is a natural number) second item values for each of a plurality of first item values that can be set for one item in the confidential record in the confidential record group including one or more confidential records to be confidential mapping,
each of the plurality of item value sets is any number of 1 to n-1 of the second item values among the two or more second item values associated with the same first item value Classifying each of the second item values into one of the plurality of item value sets so as to include
probabilistically converting the first item value set in the one item in the confidential record to one of the associated second item values;
Based on the confidential record group, by adding the dummy second item value, a disturbance record group is generated in which the number of search hits for the second item value belonging to the same item value set is equalized,
Giving a flag indicating the truth or falseness of the second item value included in the record to a record in the disturbance record group,
encrypting the disturbance records;
Confidential information management method. a storage unit that stores a confidential record group including one or more confidential records to be confidential;
Associate n (n is a natural number) second item values with each of a plurality of first item values that can be set for one item in the confidential record in the confidential record group,
each of the plurality of item value sets is any number of 1 to n-1 of the second item values among the two or more second item values associated with the same first item value Classifying each of the second item values into one of the plurality of item value sets so as to include
probabilistically converting the first item value set in the one item in the confidential record to one of the associated second item values;
Based on the confidential record group, by adding the dummy second item value, a disturbance record group is generated in which the number of search hits for the second item value belonging to the same item value set is equalized,
Giving a flag indicating the truth or falseness of the second item value included in the record to a record in the disturbance record group,
encrypting the disturbance records;
a processing unit;
A data registration device having a server having a database;
n (n is a natural number) second item values for each of a plurality of first item values that can be set for one item in the confidential record in the confidential record group including one or more confidential records to be confidential mapping,
each of the plurality of item value sets is any number of 1 to n-1 of the second item values among the two or more second item values associated with the same first item value Classifying each of the second item values into one of the plurality of item value sets so as to include
probabilistically converting the first item value set in the one item in the confidential record to one of the associated second item values;
Based on the confidential record group, by adding the dummy second item value, a disturbance record group is generated in which the number of search hits for the second item value belonging to the same item value set is equalized,
Giving a flag indicating the truth or falseness of the second item value included in the record to a record in the disturbance record group,
encrypting the disturbance record group;
storing the disturbance record group in the database;
a data registration device;
converting the search item value of the one item indicated in the search condition into one or more of the second item values corresponding to the first item value having the same value as the search item value;
transmitting to the server a search query for searching the second item value obtained by the conversion as it is in ciphertext;
Obtaining from the server a detection record that hits the search query in the database;
Determining whether the value that hits the second item value in the detection record is true or false based on the flag attached to the detection record;
a data utilization device;
Confidential Information Management System. The data registration device
In the generation of the disturbance record group,
set in the one item of each of the confidential records according to a bijective relationship in which each of the second item values belonging to the item value set is bijected to a different second item value belonging to the same item value set; generating a dummy value corresponding to each of the second item values,
generating a dummy record group having the same number of dummy records as the confidential records, in which the dummy value is set in the one item;
generating the disturbance record group including the confidential record group and the dummy record group;
In the generation of the disturbance record group,
Giving a first flag indicating true to the confidential record,
Giving a second flag indicating false to the dummy record,
In said encryption,
encrypting the second item value set in the one item of each of the secret record and the dummy record, the first flag given to the secret record, and the second flag given to the dummy record; ,
storing the confidential record group and the dummy record group in the database of the server;
The data utilization device is
Sending to the server a search query containing the ciphertext of each of the second item values obtained by the conversion;
obtaining search results from the search query in the database from the server;
acquiring the confidential record satisfying the search condition from the search result based on the first flag or the second flag set in each of the confidential record and the dummy record included in the search result;
16. The confidential information management system according to claim 15. The data registration device
In generating the disturbance record group, the second item value before conversion set in the one item in the confidential record is associated with an item value set to which the second item value before conversion belongs, generating a disturbance record by converting it into a third item value that hits a search for any of the second item values belonging to the same item value set, and generating the disturbance record group including the disturbance record;
The data utilization device is
converting each of the second item values obtained by the conversion into the third item value corresponding to the second item value, and transmitting a search query including encrypted text of the third item value to the server;
obtaining search results from the search query in the database from the server;
decoding the third item value and the third flag set in each of the disturbance records included in the search result;
determining the second item value from which the third item value is converted based on the third flag;
extracting from the search result the disturbance record storing the encrypted text of the second item value corresponding to the first item value satisfying the search condition;
16. The confidential information management system according to claim 15.

Images