JP2024033698A - Secure calculation system, server, information processing device, computer program, and secure calculation method - Google Patents

Abstract

The present invention provides a secure calculation system, a server, an information processing device, a computer program, and a secure calculation method that appropriately supply random numbers used in secure calculations. In a secure calculation system 1, a client 10 inquires at regular intervals as to whether there is a missing random number, and when there is a response with necessary random number information, the missing random number inquiry means sends the necessary random number information to a random number pool means. and random number supply means for generating random numbers based on the necessary random number information and transmitting them to the plurality of servers 30 and 40. Each server includes a random number estimation means that estimates the type and number of random numbers required for secure calculation and sends it to the client as necessary random number information, a random number pool means that pools random numbers to perform secure calculation, and executes secure calculation. and a secret calculation means for transmitting the execution result to the client, and a missing random number detection means for detecting the missing random numbers in the execution of the secret calculation and replying to the client the type and number of the missing random numbers as necessary random number information. [Selection diagram] Figure 1

Description

The present invention relates to a secure computation system that performs secure computation, a server that constitutes the secure computation system, an information processing device, a computer program, and a secure computation method.

In recent years, as awareness of information leaks has increased, secure computation (also referred to as secret computation, hereinafter the same) technology that performs calculations while encrypting data has been attracting attention. The main methods of secure computation are a completely homomorphic encryption method using an encryption key, and a method in which data is divided into encrypted information called shares and the divided shares are distributed and stored on multiple servers. A secret sharing method is known in which calculations are performed while data (shares) are encrypted on each server. Compared to completely homomorphic encryption-based secure calculations, secret-sharing secret computation requires communication control and synchronization between multiple servers, making it more difficult to construct a system, but it is characterized by faster calculation speed.

In secret sharing type secure computation, many protocols have been proposed that realize secure computation by using random numbers that are correlated between servers. A known method for generating correlated random numbers is to generate random numbers only between servers that perform secure calculations. However, in this case, public key cryptography and a large number of communication times and amount of communication between the servers are required, resulting in a problem that the calculation speed decreases.
Therefore, in Non-Patent Document 1, a random number generation server is provided separately from the secure calculation server as a reliable third party to generate the random numbers necessary for secure calculation, and the random numbers necessary for secure calculation are estimated in advance. A technique has been disclosed in which random numbers used in secure calculation are generated in advance. With such a configuration, correlated random numbers can be generated internally by a trusted third party. As a result, public key cryptography and associated communication are no longer required between the secure calculation servers during random number generation, improving calculation speed.
In addition, in Non-Patent Document 2, the client assumes the role of a trusted third party, and the client transmits correlated random numbers along with secret information to the server, thereby reducing the load on the secure calculation server. A method for increasing the efficiency of secure computation is disclosed.

Yusuke Ishida et al., “Design and implementation of random number generation server for secure computation”, Proceedings of the 2021 Symposium on Cryptography and Information Security (SCIS 2021), 2021 Toshinori Araki et al., “Usefulness of three-party secure computation using secret sharing method”, Information Processing Vol. 59 No. 10 October 2018

In secure calculations, random numbers are not required for addition and subtraction, but in addition to multiplication and division, they can also be used to compare the magnitude of numerical values, filtering calculations to extract data that meets predetermined conditions from table-structured data, and arrangement of table-structured data. Random numbers are used in cases such as when changing numbers. However, when performing secure calculations on table-structured data, random numbers are required according to the number of rows in the table-structured data, and if the number of rows to be calculated changes during secure calculations, the number of random numbers It may not be possible to make an estimate in advance. For example, in table-structured data, if you want to sort the extracted data after extracting (filtering) row data that meets certain conditions, you will need random numbers according to the number of extracted row data when sorting. However, until the extraction of row data is completed, the number of row data after extraction is not determined, so the number of necessary random numbers cannot be estimated. In this way, it may not be possible to estimate the required random numbers in advance, and there is a risk that the random numbers will run out during the secure calculation. If there is a shortage of random numbers, the secret calculations that have been performed so far are interrupted, and results may not be obtained.

The present invention provides a secure calculation system, a server, an information processing device, a computer program, and a secure calculation method that can prevent the secure calculation process from being interrupted due to a shortage of random numbers in the secure calculation. With the goal.

A secure calculation system according to a first aspect of the present invention includes a plurality of servers that execute secure calculations, and a client that supplies random numbers necessary for executing secure calculations to the plurality of servers, The client includes a query input means for transmitting a query of data input by a user to at least one of the plurality of servers, and a random number supply means for generating a random number based on the received necessary random number information and transmitting it to the plurality of servers. and, the server estimates the type and number of random numbers required for secure calculation based on the query received from the client, and transmits the estimated type and number of random numbers to the client as necessary random number information. a random number estimating means; a random number pooling means for pooling random numbers for performing a secure calculation based on the query received from the client; Detects missing random numbers in execution of secret calculation by said secret calculation means, and detects the type and number of missing random numbers when an inquiry is made by said client's missing random number inquiry means, and provides required random number information. and a missing random number detecting means for replying to the client as a result, the client inquires the server at regular intervals as to whether there is a missing random number when performing a secure calculation based on the query, and the missing random number detecting means replies to the client. The apparatus further includes insufficient random number inquiry means for transmitting the necessary random number information to the random number pool means when there is a response regarding the necessary random number information.
In the above-mentioned secure calculation system, when the insufficient random number detection means detects an insufficient random number in execution of the secure calculation, the secure calculation means continues to perform the ongoing concealment until the insufficient random number is received from the random number supply means. The configuration may include a function to temporarily interrupt calculation.
A secure calculation system according to a second aspect of the present invention includes a plurality of servers that execute secure calculations, and a client that supplies random numbers necessary for secure calculations to the plurality of servers, and the server receives a request from the client. A secure computation system that performs the secure computation using supplied random numbers, wherein the server repeatedly detects whether there is a shortage of random numbers used for the secure computation, and that the random numbers necessary for the secure computation are insufficient. In this case, random number request information including information on the type and number of random numbers that are missing is transmitted to the client, and when the client receives the request information, the client transmits the random number type and number based on the request information. It can be configured to send to a server.
A server according to the present invention is a server for executing secure calculations that is configured to be able to communicate with a client that supplies random numbers necessary for executing secure calculations, and the client is configured to be able to communicate with a client that supplies random numbers necessary for performing secure calculations. The server comprises: a query input means for transmitting a query to at least one of the plurality of servers; and a random number supply means for generating a random number based on the received necessary random number information and transmitting it to the plurality of servers; random number estimating means for estimating the type and number of random numbers required for secure calculation based on the query received from the client, and transmitting the estimated type and number of random numbers to the client as necessary random number information; random number pooling means for pooling random numbers for performing a secure calculation based on the query received from the client; a secure calculation means for performing a secure calculation based on the query received from the client and transmitting the execution result to the client; Insufficient random number detection for detecting insufficient random numbers in execution of confidential calculation by the confidential calculation means, and replying to the client as required random number information the type and number of the insufficient random numbers when an inquiry is made by the insufficient random number inquiry means of the client. and means.
An information processing device according to the present invention is an information processing device configured to be able to communicate with a plurality of servers for executing secure calculation, and transmits a query of data input by a user to at least one of the plurality of servers. a query input means for transmitting a query; and a random number supply means for generating a random number based on the received necessary random number information and transmitting the generated random number to the plurality of servers; random number estimating means for estimating the type and number of random numbers necessary for secure calculation and transmitting the estimated type and number of random numbers to the information processing device as necessary random number information; and random number pooling means for pooling random numbers for executing a secure calculation; a secure calculation means for executing a secure calculation based on the query received from the information processing device and transmitting an execution result to the information processing device; Insufficient random number detection means for detecting insufficient random numbers in execution of secret calculation by the calculation means, and responding with the type and number of the insufficient random numbers as necessary random number information when an inquiry is made by the insufficient random number inquiry means of the information processing device; , further comprising: inquiring the server at regular intervals as to whether or not there are insufficient random numbers when performing secure calculation based on the query, and when there is a response from the missing random number detection means with the necessary random number information, Insufficient random number inquiry means is provided for transmitting necessary random number information to the random number pool means.
A computer program according to the present invention causes a processor of an information processing device configured to be able to communicate with a server for executing secure calculation to send a query of data input by a user to at least one of the plurality of servers. A computer program for functioning as an input means and a random number supply means for generating random numbers based on received necessary random number information and transmitting the generated random numbers to the plurality of servers, wherein the server receives information from the information processing device. random number estimating means for estimating the type and number of random numbers required for secure calculation based on the query, and transmitting the estimated type and number of random numbers to the information processing device as necessary random number information; random number pooling means for pooling random numbers for performing a secure calculation based on the query received from the information processing device; and a secure calculation for performing the secure calculation based on the query received from the information processing device and transmitting the execution result to the information processing device. detecting a missing random number in the execution of a secret calculation by the secret calculation means, and responding as necessary random number information with the type and number of the missing random number when an inquiry is made by the missing random number inquiry means of the information processing device; Insufficient random number detection means, further causing the processor to inquire of the server at regular intervals as to whether or not there are insufficient random numbers when performing secure calculation based on the query, and to detect the required random number information from the insufficient random number detection means. If there is a response, the necessary random number information is sent to the random number pooling means to function as a missing random number inquiry means.
A secure calculation method according to the present invention is a secure calculation method using a plurality of servers that perform secure calculations, and a client that supplies random numbers necessary for performing secure calculations to the plurality of servers, The client transmits a query for data input by a user to at least one of the plurality of servers, and the server determines the types of random numbers necessary for secure calculation based on the query received from the client. estimating the number, and transmitting the estimated type and number of random numbers to the client as necessary random number information; and the client generating random numbers based on the received necessary random number information and transmitting them to the plurality of servers. , pooling random numbers for performing a secure calculation based on the query received from the client, and the server performing a secure calculation based on the query received from the client, and transmitting the execution result to the client. and, when the server detects a missing random number in executing the secure calculation, the server responds with the type and number of missing random numbers as necessary random number information when an inquiry is received from the client. , the client inquires of the server at regular intervals whether there are any random numbers missing when performing secure calculation based on the query, and if there is a response from the server with the necessary random number information, the necessary random number information is The method further includes generating a missing random number based on the random number and transmitting the generated random number to the plurality of servers.

According to the present invention, when a client receives random number request information from a server, it sends random numbers of the type and number based on the request information to the server, thereby appropriately providing the server with random numbers used for secure calculation. be able to.

FIG. 1 is a configuration diagram of a secure calculation system according to the present embodiment. FIG. 2 is a schematic diagram for explaining random number supply processing according to the present embodiment. It is a flowchart which shows the secret multiplication process in a 1st server. It is a flowchart which shows the secret multiplication process in a 2nd server. FIG. 3 is a schematic diagram for explaining secure multiplication processing. It is a flowchart which shows secret data extraction processing. FIG. 3 is a schematic diagram for explaining confidential data extraction processing. 7 is a flowchart showing client-side random number supply processing according to the present embodiment. 7 is a flowchart showing server-side random number supply processing according to the present embodiment. FIG. 6 is a diagram for explaining the exchange of information between the client and the server in the random number supply process according to the present embodiment.

An embodiment of a secure calculation system according to the present invention will be described with reference to the drawings. FIG. 1 is a configuration diagram showing a secure calculation system 1 according to this embodiment. As shown in FIG. 1, the secure computing system 1 according to the present embodiment includes a client 10, a gateway 20, a first server 30, and a second server 40. Further, as shown in FIG. 1, the client 10 is located within a LAN (Local Area Network) where communication is restricted by a gateway 20. Further, the client 10, the gateway 20, the first server 30, and the second server 40 can communicate with each other via the Internet 2. Note that although only one client 10 and one gateway 20 are illustrated in the diagram shown in FIG. 1, a configuration including a plurality of clients 10 and gateways 20 is possible. Furthermore, although the example shown in FIG. 1 illustrates a configuration in which two-party secure computation is performed using two servers 30 and 40, the configuration is not limited to this, and for example, three or more servers It is possible to have a configuration in which secure calculation is performed using .

In this embodiment, unencrypted data (hereinafter referred to as "plaintext data") is stored in the servers 30 and 40 with a shared secret. Secret sharing is an encryption technology that divides plaintext data into pieces called shares, which have no meaning on their own, and distributes them to multiple servers. According to the secret sharing method, information is dispersed into multiple fragments, and the original information cannot be recovered unless a predetermined number of fragments or more are collected. Each server 30, 40 executes a secret calculation to calculate the share of the calculation result of the plaintext data without converting the share back to the plaintext data. Here, among the secure calculations, calculations such as multiplication and division, size comparison, and filtering and sorting of table structure data require random numbers in the secure calculations. Conventionally, a method has been proposed in which servers performing secure calculations communicate with each other to generate random numbers, but in this case, it is necessary to use public key cryptography, which poses the problem of slowing down the calculation speed. there were. Therefore, this embodiment adopts a configuration (also referred to as a Client-Aided model) in which the client 10 generates random numbers necessary for secure calculation and sends the generated random numbers to the servers 30 and 40.

Furthermore, in this embodiment, instead of the client 10 predicting the necessary random numbers in advance and transmitting the random numbers to the servers 30 and 40 before the secure computation is started, the client 10 predicts the necessary random numbers in advance and sends the random numbers to the servers 30 and 40 when the secure computation is started. As shown in FIG. 2(A), the client 10 makes an inquiry to the servers 30 and 40 about whether there are any random numbers missing in the secure calculation, and in response to the inquiry, as shown in FIG. 2(B), , have the servers 30 and 40 send random number request information. As shown in FIG. 2C, the client 10 is characterized in that it generates a random number based on the received request information and supplies the generated random number to the servers 30 and 40. Note that FIG. 2 is a schematic diagram for explaining the random number supply processing according to this embodiment. Each device constituting the secure calculation system 1 will be explained below.

The client 10 is an information terminal device such as a personal computer operated by a user, and includes a computing device, a storage device, and a communication device. In this embodiment, a secure calculation instruction is transmitted from the client 10 to the servers 30 and 40 by a user's operation, and thereby the servers 30 and 40 perform secure calculation. In the secure computation system 1 according to the present embodiment, the client 10 transmits a secure computation instruction, and when the secure computation is started at the servers 30 and 40, the client 10 periodically sends inquiries regarding the supply of random numbers to the servers 30 and 40. 40, and if a random number is required, it also has a function of generating a random number to be used in the secure calculation and supplying the generated random number to the servers 30, 40. Note that details of the method of supplying random numbers from the client 10 to the servers 30 and 40 will be described later.

Gateway 20 controls communication between client 10 and servers 30 and 40. Specifically, the gateway 20 allows connection establishment requests to be transmitted from the client 10 to the servers 30 and 40, while prohibiting transmission of connection establishment requests from the servers 30 and 40 to the client 10. Once a connection is established between the client 10 and the servers 30, 40, they can communicate with each other while the connection is valid. In this embodiment, the gateway 20 transmits a connection establishment request from the client 10 to the servers 30 and 40, and after establishing the connection, the client 10 sends a random number supply inquiry to the servers 30 and 40 using the connection. , in response, random number request information is sent from the servers 30 and 40 to the client 10 using the same connection. Also, when transmitting the calculation result of secure calculation from the servers 30, 40 to the client 10, the gateway 20 follows the same procedure, and after the client 10 establishes a connection with the servers 30, 40, the server 30, 40, 40 uses the connection to transmit the calculation results to the client 10 based on instructions from the client 10.
Such a function of the gateway 20 is a function that a gateway generally has, and is a general network configuration introduced to prevent intrusion into the client 10 from outside the LAN. In this embodiment, it is possible to utilize the functions that the gateway 20 generally has and the general network configuration, so it can be said that the secure calculation system 1 according to this embodiment has high versatility to existing systems.

The servers 30 and 40 have a computing device, a storage device, a communication device, and a database, and secretly share and store data in the database. Plaintext data cannot be decrypted unless a specific number of secretly shared shares are collected, and even if a share is leaked from only one of the first server 30 or the second server 40, the other If the share of the data is not leaked, the plaintext data cannot be decrypted and the confidentiality can be guaranteed. In this embodiment, the servers 30 and 40 have server-side programs for performing secure calculations stored in their storage devices, and can perform secure calculations by executing the programs on their arithmetic devices. In particular, in this embodiment, the first server 30 and the second server 40 can communicate with each other via the Internet 2, and the servers 30 and 40 can conceal data without decrypting the secret shared share. Multi-Party Computation (MPC) is performed to obtain a desired computation result by performing secret computation while exchanging the computation results performed by the servers 30 and 40 with each other. Furthermore, in secure calculations such as multiplication, size comparison, filtering calculations, and data rearrangement, the servers 30 and 40 receive random numbers from the client 10 and execute secure calculations using the received random numbers.

Furthermore, the servers 30 and 40 have a program for estimating random numbers required for secure calculations stored in their storage units, and by executing the random number estimation program, it is possible to estimate in advance the random numbers required for secure calculations. can. Specifically, the servers 30 and 40 acquire the calculation information of the secure calculation to be executed from the client 10 and run the random number estimation program, thereby obtaining the random numbers for performing the secure calculation in the calculation information acquired from the client 10. Estimate. The calculation information is not particularly limited as long as it is information indicating a secure calculation executed by the servers 30 and 40, but in this embodiment, the calculation information is calculated based on query information output from the client 10 (for example, a select syntax with a where clause). The information is transmitted from the client 10 and acquired by the servers 30 and 40. Note that the random numbers that can be estimated by this random number estimation program are the random numbers used in calculations before the number of rows of the table structure data to be calculated changes, and the random numbers used in calculations after the number of rows changes. cannot be estimated until then. For example, in a secure multiplication, the number of rows in the table structure data does not change, so even if two secure multiplications are performed, it is possible to estimate the random numbers used in these calculations, but in a filtering calculation where the number of rows changes (where In calculations in which a secret multiplication is performed after performing a filtering process, it is not possible to estimate the random numbers used in the secret multiplication after filtering.

In the following, an example of secure multiplication using random numbers among the secure calculations performed by the servers 30 and 40 will be described first with reference to FIGS. 3 to 6. Note that FIG. 3 is a flowchart showing the secure multiplication process executed by the first server 30, FIG. 4 is a flowchart showing the secure multiplication process executed by the second server 40, and FIG. FIG. 2 is a schematic diagram for explaining processing.

(Secret multiplication process)
The secret multiplication process is a process in which the result of integer multiplication with two inputs and one output can be obtained without knowing any information regarding input and output. Specifically, it is an arithmetic process in which two pieces of encrypted data are input, a predetermined operation (predetermined secret multiplication algorithm) described below is performed on them without decrypting them at all, and the multiplication result is obtained as encrypted data. In the secret multiplication process, as shown in FIG. 5, the servers 30 and 40 share [[x]] ₁ , [[x]] ₂ , [[y]] ₁ , [ [y]] ₂ are stored respectively. In the secure multiplication processing shown in FIGS. 3 to 5, the servers 30 and 40 use the shares of x and y as they are to perform multiplication of x×y=z, and the share of z that is the calculation result [[z]] ₁ , [[z]] ₂ will be explained as an example. Note that in the following, the share of x stored in the first server 30 is assumed to be [[x]] ₁ and the share of y is assumed to be [[y]] ₁ . Similarly, assume that the share of x stored in the second server 40 is [[x]] ₂ and the share of y is [[y]] ₂ . Further, let the share of z stored in the first server 30 be [[z]] ₁ , and the share of z stored in the second server 40 be [[z]] ₂ . Note that the plaintext data and the secret-distributed share have the following relationship. For example, plaintext data x and its shares [[x]] ₁ and [[x]] ₂ have the relationship x = [[x]] ₁ + [[x]] ₂ , and [[x] ] ₁ = r and [[x]] ₂ = x−r. Here, x and r are integers expressed by a coset ring of 2 ^l , and r is a uniform random number. l is the number of bits representing the range of the operation target; l=1 in the case of an operation on a 1-bit integer, and l=32 in the case of an operation on a 32-bit integer. Since the plaintext data and shares have such a relationship, it becomes possible to decrypt the plaintext data x by [[x]] ₁ + [[x]] ₂ .

In the secure multiplication process, calculation is performed using three random numbers a, b, and c generated by the client 10. Note that these three random numbers are correlated random numbers having a relationship of c=a×b. The client 10 distributes the secret of random number a to generate random number shares [[a]] ₁ , [[a]] ₂ , and distributes the secret of random number b to generate random number shares [[b]] ₁ , [[b] ] ₂ and secretly share the random number c to generate random number shares [[c]] ₁ and [[c]] ₂ . Then, the client 10 transmits the secret sharing shares [[a]] ₁ , [[b]] ₁ , [[c]] 1 of the random numbers a, b, and _c to the first server 30, and shares the random numbers a, b, and c. , c are secretly shared, and the shares [[a]] ₂ , [[b]] ₂ , and [[c]] ₂ are transmitted to the second server 40 . As a result, the first server 30 can perform secure multiplication using the shares [[a]] ₁ , [[b]] ₁ , [[c]] ₁ of the random numbers a, b, and c, and , the second server 40 can perform secure multiplication using the shares [[a]] ₂ , [[b]] ₂ , [[c]] ₂ of the random numbers a, b, and c.

First, with reference to FIG. 3, the secure multiplication process executed by the first server 30 will be described. In addition, in the following, shares [[x]], [[y]] of plaintext data x are expressed as primary shares, and shares [[x'] calculated based on primary shares [[x]], [[y]] are expressed as ]], [[y']] are called secondary shares. First, in step S101, the first server 30 determines that the number obtained by subtracting the share [[a]] ₁ of the random number a from the primary share [[x]] ₁ of the plaintext data x is the secondary share [[x']] It is calculated as ₁ . Further, in step S102, the first server 30 determines that the number obtained by subtracting the share [[b]] ₁ of the random number b from the primary share [[y]] ₁ of the plaintext data y is the secondary share [[y']] It is calculated as ₁ .

Further, in steps S103 and S104, as shown in FIG. 5, processing is performed to transmit and receive calculation results performed by one server 30 and 40 to and from the other server 30 and 40 through mutual communication between the servers 30 and 40. be exposed. Specifically, in step S103, the first server 30 calculates that the secondary share [[x']] ₁ calculated in step S101 and the secondary share [[y']] ₁ calculated in step S102 are It is transmitted to the second server 40. Further, in step S104, the first server 30 receives the secondary share [[x']] ₂ and the secondary share [[y']] ₂ generated by the second server 40. Note that the secondary share [[x']] ₂ is the number obtained by subtracting the share [[a]] ₂ of the random number a from the primary share [[x]] ₂ of the plaintext data x in the second server 40. be. Further, the secondary share [[y']] ₂ is calculated by subtracting the share [[b]] ₂ of the random number b from the primary share [[y]] ₂ of the plaintext data y calculated in the second server 40. This is the number. The method for calculating the secondary share [[x']] ₂ and the secondary share [[y']] ₂ will also be described in the secure multiplication process executed by the second server 40 shown in FIG. 4, which will be described later.

Subsequently, in step S105, the first server 30 adds the secondary share [[x']] ₁ calculated in step S101 and the secondary share [[x']] ₂ obtained in step S104, Data x' is calculated. Further, in step S106, the first server 30 adds the secondary share [[y']] ₁ calculated in step S102 and the secondary share [[y']] ₂ obtained in step S104, and the data y' is calculated. Note that data x' and data y' are data obtained by encrypting plaintext data x and plaintext data y using random numbers a and random numbers b, and are meaningless data on their own.

In step S107, the first server 30 calculates the data x' calculated in step S105, the data y' calculated in step S106, and the shares [[a]] ₁ , [[ of the random numbers a, b, and c received from the client 10. b]] ₁ and [[c]] ₁ , the share [[z]] ₁ of z, which is the calculation result of x×y, is calculated. Specifically, the first server 30 shares the calculation result of x'×y'+x'× [[b]] ₁ +y'× [[a]] ₁ +[[c]] ₁ by sharing [[z ]] It can be calculated as ₁ . Then, the first server 30 stores the calculated share [[z]] ₁ in the database or transmits it to the client 10 based on an instruction from the client 10.

Further, FIG. 4 is a flowchart showing the secure multiplication process executed by the second server 40. As shown in FIG. 4, first, in step S201, the second server 40 determines that the secondary share is the number obtained by subtracting the share [[a]] ₂ of the random number a from the primary share [[x]] ₂ of the plaintext data x. [[x']] is calculated as ₂ . Further, in step S202, the second server 40 determines that the number obtained by subtracting the share [[b]] ₂ of the random number b from the primary share [[y]] ₂ of the plaintext data y is the secondary share [[y']] It is calculated as ₂ .

In steps S203 and S204, similarly to steps S103 and S104 in FIG. will be held. That is, in step S203, the second server 40 transfers the secondary share [[x']] ₂ calculated in step S201 and the secondary share [[y']] ₂ calculated in step S202 to the first server 40. 30. Note that, as described above, the secondary share [[x']] ₂ and the secondary share [[y']] ₂ that the first server 30 receives in step S104 of FIG. The secondary share [[x']] ₂ and the secondary share [[y']] ₂ are sent from 40. Further, in step S204, the second server 40 receives the secondary share [[x']] ₁ and the secondary share [[y']] ₁ generated by the first server 30. Note that the secondary share [[x']] ₁ and the secondary share [[y']] ₁ are the secondary share [[x']] transmitted by the first server 30 in step S103 of FIG. 3 described above. ₁ and the quadratic share [[y']] ₁ .

Then, in step S205, the second server 40 adds the secondary share [[x']] ₂ calculated in step S201 and the secondary share [[x']] ₁ obtained in step S204, Data x' is decoded. Further, in step S206, the second server 40 adds the secondary share [[y']] ₂ calculated in step S202 and the secondary share [[y']] ₁ obtained in step S204, Data y' is decoded.

In step S207, the second server 40 calculates the data x' calculated in step S205, the data y' calculated in step S206, and the shares [[a]] ₂ , [[ of the random numbers a, b, and c received from the client 10. b]] ₂ and [[c]] ₂ , the share [[z]] ₂ of the data z, which is the calculation result of the multiplication x×y, is calculated. Specifically, the second server 40 calculates the calculation result of x' x [[b]] ₂ + y' x [[a]] ₂ + [[c]] ₂ as a share [[z]] ₂ . . Then, the second server 40 stores the calculated share [[z]] ₂ in the database or transmits it to the client 10 based on an instruction from the client 10.

As a result, the first server 30 stores the share [[z]] ₁ of z, which is the calculation result of multiplying the plaintext data x and y, and the second server 40 stores the share [[z]] 1 of z. ] ₂ is stored. Further, the client 10 acquires share [[z]] ₁ from the first server 30 and share [[z]] ₂ from the second server 40, and shares share [[z]] ₁ and share [[ z]] ₂ , it is possible to calculate the plaintext data z, which is the result of multiplying the plaintext data x and y.

In this way, in one secret multiplication, the shares of three correlated random numbers a, b, c are [[a]] ₁ , [[b]] ₁ , [[c]] ₁ , [[a]] ₂ , [[b]] ₂ and [[c]] ₂ are required. In addition, when the data is table-structured data with multiple rows (number of rows n), when performing secret multiplication on the data in each row, the share of three correlated random numbers a, b, and c [[a]] ₁ , [[b]] ₁ , [[c]] ₁ , [[a]] ₂ , [[b]] ₂ , [[c]] ₂ are required for the number of lines n. In this way, in secure multiplication, if the number of secure multiplications and the number of rows n of the table structure data are known in advance, the number of random numbers required can also be known. In this embodiment, the client 10 has a function of generating random numbers, and generates and pools a share of these correlated random numbers before starting calculation, so that the generated correlated random numbers can be sent to the server as needed. 30, 40, or, as will be described later, a share of correlated random numbers can be generated and transmitted to the servers 30, 40 in response to a request from the servers 30, 40.

(Confidential data extraction process)
Next, the secret data extraction process will be explained based on FIGS. 6 and 7. Note that FIG. 6 is a flowchart showing the secret data extraction process executed by the first server 30 and the second server 40, and FIG. 7 is a schematic diagram for explaining the secret data extraction process. The data extraction process according to this embodiment is a process of extracting row data that satisfies a certain condition from table structure data whose secrets have been shared, using an SQL statement or the like. In the following, data x in column X is smaller than data y in column Y (x<y) from among table structure data having n rows of row data with column data of numerical attributes X, Y. Calculation for extracting the numerical value x of the X column data in the row data that satisfies the conditions will be described by way of example. That is, the calculation of "select x from table structure data where x<y" described in an SQL statement will be explained as an example. It is assumed that each server 30, 40 stores in advance the share of table structure data to be calculated, as shown in FIG. More specifically, the servers 30 and 40 store the share [[x[i]]] of the X column data x and the share [[y[i]]] of the Y column data y for the number of rows n. It is assumed that In the following, the number sequence of share [[x[i]]] of X column data x in each row of table structure data with n rows is called share [[x]], and the Y column data of each row of table structure data with n rows. The sequence of shares [[y[i]]] of y is called share [[y]]. Further, i is an integer and means the i-th row data of the table structure data, and 0≦i<n.

The secret data extraction process shown in FIG. 6 is mainly performed by two processes. That is, a process of comparing the magnitude of x<y, and a filtering process of extracting the X column data x of the row that matches the filtering condition (in the example shown in FIG. 6, x<y). In the size comparison process, the number of correlated random numbers required differs depending on the number of representation bits of the integer to be compared. For example, in the case of a 32-bit integer, the combination of shares of 1-bit correlated random numbers ( 163 sets of [[a]], [[b]], [[c]]) are required. Furthermore, if the table structure data has n rows, a combination of shares of n-times correlated random numbers is required. In addition, in filtering processing, if the data to be extracted (the data of the data string to be extracted, the data written in the select statement in SQL statements) is a string of 32-bit integers, random numbers called shuffle ( (hereinafter simply referred to as shuffle) and the combination of correlated random number sequences ((r1, r1', a1, a1', b1, b1'), (r2, r2', a2, a2', b2, b2')) One set is required. Note that shuffle r1, r1', r2, r2' is a sequence of n numbers (random number sequence) that constitutes random permutation, and the more rows of table structure data to be calculated, the more random numbers included in the shuffle. The number (number of elements in the random number sequence) increases. Further, a1, a1', b1, b1', a2, a2', b2, b2' are a sequence of correlated random numbers. In this embodiment, since there is only one extraction target, the X column data x, the correlation random numbers are a, b (specifically, a1, a1', b1, b1', a2, a2', b2, b2' ), but as the number of columns to be extracted increases, the number of combinations of correlated random numbers also increases, such as a, b, c, and so on. In this way, in the secret data extraction process, the type of random number changes depending on the calculation process to be performed, and the random number required changes depending on the number of rows n of the table structure data to be calculated and the number of columns to be extracted. The number of changes. Furthermore, in this embodiment, the number of rows in the table structure data is a public (non-concealed) value, but the number of rows in the table structure data as a result of filtering is unknown until the filtering process is completed. . Therefore, in data analysis, some calculations such as aggregation are often performed after filtering processing, but until the previous stage of filtering processing is completed, it is recommended to estimate and pool the random numbers required for subsequent confidential calculations in advance. The problem is that it is difficult. In this embodiment, such a problem can be solved by the client 10 generating random numbers as needed and providing them to the servers 30 and 40. The secret data extraction process according to this embodiment will be explained below based on the flowchart of the secret data extraction process shown in FIG.

As shown in FIG. 6, in step S301, the servers 30 and 40 evaluate filtering conditions. In this embodiment, since the calculation is to extract row data where x < y from the table structure data to be calculated, the servers 30 and 40 share the table structure data stored by themselves, To do this, based on the share [[x]] of X column data x and the share [[y]] of Y column data y in the table structure data, the magnitude relationship between x and y is evaluated by secret calculation, and the evaluation result is Get the share [[f]] of f as output. Specifically, using the share [[x[i]]] of the X column data x in each row of the table structure data and the share [[y[i]]] of the Y column data y, x and Evaluate the magnitude relationship of y by secret calculation. Note that the method of evaluating the magnitude relationship between X column data x and Y column data y of each row based on share [[x]] and share [[y]] by secret calculation is already stored in the servers 30 and 40. A known method using a combination of shares of 1-bit correlated random numbers ([[a]], [[b]], [[c]]) can be used (for example, Yukiya Ohata and Koji Nuita , “Efficient secrecy size comparison protocol and its applications”, Proceedings of Symposium on Cryptography and Information Security (SCIS 2019), 2019).

In step S302, the servers 30 and 40 apply random permutation Π to the share [[f]] of the evaluation results of the filtering condition evaluation obtained in step S301 [[Π(f)]] _P (the number of elements is the number of rows) n) is generated. Here, in the filtering condition evaluation in step S301, for each row of the table structure data, if x<y, a value obtained by secretly sharing 1 is output as a share [[f(i)]], and x<y If not, a value obtained by secret sharing 0 is output as a share [[f(i)]]. In this way, the share [[f]] of 0 or 1 output according to the evaluation of x<y in each row is further randomly permuted to become [[Π(f)]] _P. Note that the above i indicates data in the i-th row of the table structure data. In addition, [[Π(f)]] _P is a random permutation of the share [[f(i)]] of 1 or 0, which is the evaluation result of all rows of the table structure data, and the number of elements is the same as the table The number of rows of structural data is n. In this way, in [[Π(f)]] _P , by calculating the evaluation result f as a share [[f]] by secret calculation, it becomes unclear whether or not the filtering condition (x<y) is satisfied. Instead, by applying random permutation to share [[f]], it becomes unclear which row of data in share [[f]] corresponds to which row of data in the original table structure data, It becomes possible to increase security. Note that the above-mentioned random permutation is a combination of the shuffle and correlated random number sequences stored in the servers 30 and 40 ((r1, r1', a1, a1', b1, b1'), (r2, r2', a2, a2', b2, b2')) (for example, N. Attrapadung et al., "Oblivious Linear Group Actions and Applications", In Proceedings of CCS 2021, 630 -See page 650 ).

Note that the confidential data extraction calculation process shown in FIG. 6 is executed by the first server 30 and the second server 40, so in FIG. The share calculated in is indicated using "Q" (the same applies below). For example, the evaluation results of the filtering condition evaluation are the share [[Π(f)]] ₁ obtained by applying random substitution to the evaluation results held by the first server 30 and the share [[Π(f)]] 1 obtained by applying random substitution to the evaluation results held by the second server 40. The secret is shared between the applied share [[Π(f)]] ₂ , but when the first server 30 performs the secret data extraction process shown in FIG. Π(f)]] _P represents the share [[Π(f)]] ₁ obtained by applying random permutation to the evaluation results held by the first server 30, and the second server 40 stores the confidential data shown in FIG. When performing extraction processing, the share [[Π(f)]] _P obtained by applying random substitution to the evaluation results is the share [[Π(f)] P obtained by applying random substitution to the evaluation results held by the second server 40. ]] ₂ .

In step S303, the servers 30 and 40 apply random permutation Π to the share [[x]] of the X-column data x, which is the extraction target data, to generate the share [[Π(x)]] _P. Note that the X column data x used in step S303 is the X column data x of all rows of the table structure data (data whose number of elements is the number of rows n of the table structure data), and the X column data x of the number n of rows. For the share [[Π(x)]] _P obtained by randomly replacing the share [[x]], it is unclear which row of data corresponds to which row of the original table structure data, and the number of elements is The number of rows in the table structure data is n. Random replacement of the share [[x]] of the X column data x can be performed in the same manner as in step S302.

In steps S304 and S305, as shown in FIG. 7, a process of transmitting and receiving calculation results performed by one server 30 and 40 to and from the other server 30 and 40 is performed through mutual communication between the servers 30 and 40. That is, in step S304, the servers 30 and 40 output the share [[Π(f)]] _P obtained by applying random permutation to the evaluation result generated in step S302 to the other server. Further, in step S305, the servers 30 and 40 receive the share [[Π(f)]] _Q obtained by applying random substitution to the evaluation result generated by the other server. Then, in step S306, the servers 30 and 40 prepare the list [[L]] _P . List [[L]] _P is a list for inserting the share of X column data x of the row satisfying the condition x<y in the table structure data, and is empty at step S306.

Steps S307 to S309 are performed for each row of the table structure data to be calculated, and the processing is repeated until steps S307 to S309 are performed for all rows. In this embodiment, since the number of rows in the table structure data is n, the processes of steps S307 to S309 are repeated n times.

Specifically, in step S307, the servers 30 and 40 apply random permutation to the evaluation result generated in step S302 to obtain the mth share [[Π(f)]] _P (the number of elements is the number of rows n). Share [[ _Π (f)[ _m ]]] which is an element of The evaluation result of the data in the m-th row is decoded based on the share [[Π(f)[m]]] _Q , which is the m-th element of . Note that m means the data in the m-th row (row number m) of the share [[Π(f)] after random replacement, and is the same as the number of row numbers (i-th row) in the original table structure data. are different. In this embodiment, in the filtering condition evaluation in step S301, for the m-th row data that satisfies x<y, the evaluation result is shared [[Π(f)[m]]] so that the decoding result is 1. _P and [[Π(f)[m]]] _Q have been generated, and for the m-th row data that does not satisfy x < y, the evaluation result share [[Π (f) [m]]] _P and [[Π(f) [m]]] _P are generated. Therefore, in step S307, the decoding result is calculated as 1 for row data that satisfies x<y, and the decoding result is calculated as 0 for row data that does not satisfy x<y.

In step S308, the servers 30 and 40 determine whether the target row data conforms to the filtering conditions. As described above, in this embodiment, the decoding result is calculated as 1 for row data that satisfies x<y, and the decoding result is calculated as 0 for row data that does not satisfy x<y. Therefore, if the composite result obtained in step S307 is 1, the servers 30, 40 determine that the filtering condition x<y is met and proceed to step S309; If the result is 0, it is determined that the filtering condition x<y is not met, and the process proceeds to step 310.

In step S309, since the target row data satisfies the filtering condition x<y, the server 30, 40 generates X column data in the shuffled m-th row data generated in step S303. The share [[Π(x)[m]]] _P of x is inserted into the list [[L]] _P generated in step S306. That is, in this embodiment, only the share [[Π(x)[m]]] _P of column X data x in the row that meets the filtering condition is assigned to the list [[L]] _P , and The share [[Π(x)[m]]] _P of the X-column data x in the row that is not listed will be excluded from the list [[L]] _P .

In step S310, the servers 30 and 40 determine whether the processes in steps S307 to S309 have been executed for all rows of the table structure data. If the processes of steps S307 to S309 have been executed for all rows of the table structure data, the process advances to step S311, and the servers 30 and 40 generate the list [[L]] _P as the calculation result of the secret data extraction process. is output.

As a result, the first server 30 and the second server 40 calculate the share [[L]] _P of the list of X column data x among the row data satisfying x<y from the table structure data, and can be memorized. Further, the client 10 obtains list share [[L]] ₁ from the first server 30, obtains list share [[L]] ₂ from the second server 40, and obtains list share [[L]] By adding ₁ and share [[L]] ₂ and decoding it, it is possible to calculate a list L of X column data x of the row data satisfying x<y.

In this way, in secret data extraction according to this embodiment, the type of random number changes depending on the calculation process to be performed, and also depends on the number of rows n of the table structure data to be calculated and the number of columns of the data to be extracted. The number of random numbers required changes. Therefore, especially when you want to start another process after a calculation in which the number of rows in the output table structure data changes, such as filtering, the random numbers necessary for subsequent confidential calculations are It is difficult to estimate and pool them in advance. However, in this embodiment, the client 10 generates random numbers necessary for each process and provides them to the servers 30 and 40, thereby making it possible to estimate in advance the type and number of random numbers necessary for confidential data extraction processing. Even in difficult cases, it is possible to appropriately provide random numbers necessary for secure calculations. The random number supply process performed between the client 10 and the servers 30 and 40 will be described below.

FIG. 8 is a flowchart showing client-side random number supply processing according to this embodiment. Further, FIG. 9 is a flowchart showing server-side random number supply processing according to this embodiment. Furthermore, FIG. 10 is a diagram for explaining random number supply processing according to this embodiment. In the following, first, the client-side random number supply process and the server-side random number supply process will be explained based on FIGS. 8 and 9, and then based on FIG. Explain the exchange of information.

FIG. 8 shows a process executed by the client 10 in the random number supply process according to this embodiment. As shown in FIG. 8, in step S401, a random number estimate request is made. Specifically, the client 10 sends the first server 30, as an estimate request, calculation information for a secure calculation to be executed by the first server 30, as well as an instruction to execute an estimation program for estimating random numbers required in the secure calculation. Output for 30. As a result, the first server 30 executes a random number estimation program that estimates random numbers necessary to perform confidential calculation of the calculation information transmitted from the client 10 (step S502, which will be described later). Note that in this embodiment, the client 10 transmits, as calculation information, query information that causes the first server 30 and the second server 40 to perform secret calculations.

In step S402, the random number estimation result estimated by the random number estimation program of the first server 30 is received. Then, in step S403, a random number is generated based on the random number estimation result received in step S402. Note that the client 10 can generate random numbers using a known method. In the following step S404, processing is performed to supply the random numbers generated in step S403 to the servers 30 and 40. In this manner, in this embodiment, only the first server 30 executes the random number estimation program, but the random numbers generated based on the estimation results are supplied to the first server 30 and the second server 40. Then, in step S405, a secure calculation execution instruction is transmitted to the first server 30 and the second server 40. For example, the client 10 can send an SQL statement describing the contents of the secure calculation to the first server 30 and the second server 40 as an instruction to execute the secure calculation.

In step S406, it is determined whether a certain period of time has elapsed since the random number was supplied in step S404, the inquiry information was transmitted in step S407, or the random number was transmitted in step S411. The process waits in step S406 until a predetermined period of time has elapsed, and then proceeds to step S407. Note that instead of supplying the random number in step S404, a configuration may be adopted in which it is determined whether a certain period of time has elapsed since the instruction to perform the secret calculation in step S405.

In step S407, an inquiry is made to the first server 30 regarding the lack of random numbers. The first server 30, which has received the inquiry, detects the currently insufficient random numbers (step S509, described later), and transmits information on the necessary random numbers as random number request information to the client 10 (step S510, described later). In step S408, the random number request information transmitted from the first server 30 is received, and in the subsequent step S409, it is determined whether there is a shortage of random numbers based on the received random number request information. If it is determined that the random numbers are insufficient, the process proceeds to step S410, where the missing random numbers are generated, and the generated random numbers are transmitted to the first server 30 and the second server 40 in step S411. After that, the process advances to step S412. On the other hand, if it is determined in step S409 that there is no shortage of random numbers, the process proceeds to step S412 without performing steps S410 and S411. As described above, in this embodiment, the client 10 sends an inquiry as to whether there is a shortage of random numbers and receives random number request information only with the first server 30, and when there is a shortage of random numbers, A random number is supplied to the first server 30 and the second server 40. Normally, the first server 30 and the second server 40 perform the same type of secure calculation using the same type and number of random numbers, so if the first server 30 lacks random numbers, the second server 40 also performs the same type of secure calculation. , there is a shortage of random numbers of the same type and number, so by configuring the inquiry to be sent only to the first server 30, it is possible to reduce the amount of communication.

In step S412, it is determined whether the secure calculation has ended. For example, the client 10 can obtain information indicating that the secure calculation has ended from the first server 30, and in this case, it can determine that the secure calculation has ended. If the secure calculation has not been completed, the process returns to step S406 and the processes of steps S406 to S411 are repeated. On the other hand, if the secure calculation has been completed, the client-side random number supply process shown in FIG. 8 is completed.

Next, the server-side random number supply process will be explained based on FIG. 9. The server-side random number supply process shown in FIG. 9 is a process executed by the servers 30 and 40, respectively, among the random number supply processes according to this embodiment (in this embodiment, steps S501 to S503, S508, S509 is executed only by the first server 30).

As shown in FIG. 9, in step S501, the first server 30 receives a random number estimate request sent from the client 10. In step S502, the first server 30 executes a random number estimate program using the estimate request received in step S501 as a trigger. Here, the random number estimation request sent from the client 10 includes calculation information of the secret calculation scheduled to be executed, and the random number estimation program estimates the random number required for the secret calculation included in the calculation information. Note that in this embodiment, the first server 30 stores a random number estimation program in the storage unit in advance, and executes the random number estimation program based on the calculation information of the confidential calculation included in the random number estimation request from the client 10. .

In step S503, the first server 30 transmits the random number estimation result estimated in step S502 to the client 10. As a result, the client 10 generates a random number according to the estimate (step S403), and the generated random number is transmitted to the first server 30 and the second server 40 (step S404). Therefore, in step S504, the random numbers generated and transmitted by the client 10 are received by the servers 30 and 40.

In step S505, a secure calculation is performed using the random numbers received in step S504. However, when estimating random numbers, it is possible to estimate only the random numbers used in calculations until the number of rows changes in secure calculations, so depending on the content of secure calculations, secure calculations may not be completed with only the random numbers received in step S504. I can't. Therefore, a shortage of random numbers necessary for the secure calculation may occur during the secure calculation (step S506=Yes). In such a case, the process proceeds to step S507, and the secure calculation is temporarily interrupted due to the lack of random numbers. is interrupted.

In this embodiment, when the secure calculation is started, the client 10 periodically sends an inquiry about the shortage of random numbers to the first server 30 (step S407). Then, in step S508, the first server 30 receives the inquiry sent from the client 10, and in the subsequent step S509, the first server 30 receives the inquiry about the type of random number that is missing in the secure calculation. , number information, and confidential calculation progress information are transmitted to the client 10 as random number request information. In this embodiment, the first server 30 internally updates the missing random number information and progress information at a relatively short cycle, and updates the latest missing random number information and progress information at the time of receiving an inquiry from the client 10. is sent to the client 10 as random number request information. Upon receiving the random number request information from the first server 30, the client 10 generates the missing random numbers and sends them to both the first server 30 and the second server 40 (steps S410, S411). As a result, in step S510, the servers 30 and 40 receive the random numbers sent from the client 10, and continue secure calculation using the received random numbers.

Furthermore, in step S511, the servers 30 and 40 determine whether or not the secure calculation has ended. If the secure calculation has not been completed, the process returns to step S506 and the processes of steps S506 to S510 are repeated. On the other hand, if the secure calculation has ended, the server-side random number supply process shown in FIG. 9 ends.

Next, based on FIG. 10, the exchange of information between the client 10 and the servers 30 and 40 in the random number supply process will be described. First, when the random number supply process is started, at time T1, the client 10 transmits a random number estimate request including secure calculation information to the first server 30 (step S401). As a result, the first server 30 executes the random number estimation program, and estimates the random numbers necessary to perform the secure calculation included in the secure calculation information (step S502). Then, at time T2, the random number estimation result is transmitted from the first server 30 to the client 10 (step S503). In response, the client 10 generates a random number according to the random number estimation result from the first server 30 (step S403), and transmits the generated random number to the first server 30 and the second server 40 at time T3. (Step S404). Then, at time T4, the client 10 instructs the first server 30 and the second server 40 to execute the secure calculation, and the first server 30 and the second server 40 start the secure calculation.

Furthermore, at time T5 when a certain period of time has elapsed since the start of the secure calculation, the client 10 transmits a random number inquiry to the first server 30 (step S407). In response, at time T6, the first server 30 transmits the information on the missing random numbers together with progress information to the client 10 as random number request information (step S509). For example, in the example shown in FIG. 10, at time T6, random number request information indicating that the progress is 10% and the missing random number is "None" is transmitted from the first server 30 to the client 10. Since the required random number in the random number request information is "None", the client 10 does not generate or supply a random number.

Furthermore, at time T7, when a certain period of time has elapsed since the previous inquiry, the client 10 again sends a random number inquiry to the first server 30 (step S407). On the other hand, at time T8, the first server 30 transmits information on the missing random numbers to the client 10 as random number request information together with progress information (step S509). Assume that at time T8, the first server 30 lacks 1000 random numbers of type "A2" used for secure calculation. In this case, at time T8, the first server 30 transmits to the client 10 random number request information indicating that the progress is 30% and the missing random numbers are "A2: 1000". As a result, at time T9, the client 10 performs processing to generate 1000 random numbers of type "A2" (step S410) because the missing random numbers are "A2: 1000", and the generated type " 1000 random numbers of "A2" are transmitted to the first server 30 and the second server 40 (step S411). In this embodiment, "A2" means one type of correlated random number (for example, a correlated random number corresponding to a 32-bit length).

Furthermore, at time T10 when a certain period of time has passed since the previous random number supply, the client 10 again sends a random number inquiry to the first server 30 (step S407). On the other hand, at time T11, the first server 30 transmits information on the missing random numbers to the client 10 as random number request information together with progress information (step S509). It is assumed that at time T11, the first server 30 lacks three random numbers of the type "SR" used for secure calculation. In this case, at time T11, the first server 30 transmits to the client 10 random number request information indicating that the progress is 50% and the missing random number is "SR: 3 pieces." As a result, at time T12, the client 10 performs processing to generate three random numbers of the type "SR" (step S410) because the missing random numbers are "SR: 3", and the generated type "SR" is generated. SR" are sent to the first server 30 (step S411). Note that in this embodiment, "SR" means a shuffle random number for shuffling designated columns (columns) consisting of n rows.

Also, after time T12, the servers 30, 40 and the client 10 continue to make inquiries about random numbers, send random number request information in response to inquiries, and send random number requests based on the random number request information until the secure calculation between the servers 30 and 40 is completed. When the random number supply is repeated and the secure calculation is completed, the random number supply process is terminated.

As described above, the secure calculation system 1 according to the present embodiment includes a plurality of servers 30 and 40 that perform secure calculations, and a client 10 that supplies random numbers necessary for secure calculations to the multiple servers 30 and 40. Then, at least one first server 30 among the plurality of servers 30 and 40 transmits random number request information including the type and number of random numbers necessary for secure calculation to the client 10, and the client 10 transmits the random number request information to the client 10. When the information is received, random numbers are generated based on the random number request information and transmitted to the plurality of servers 30 and 40. In this manner, in the secure calculation system 1 according to the present embodiment, the client 10 periodically makes inquiries regarding the supply of random numbers to the first server 30, and the first server 30 repeatedly requests random number information to the client 10. By transmitting the random numbers, when there is a shortage of random numbers and it is necessary to supply random numbers, the client 10 generates the necessary number of random numbers of the necessary type and supplies them to all the servers 30 and 40 that perform secure calculations. Therefore, it is possible to prevent a shortage of random numbers during secure calculation.

Although preferred embodiments of the present invention have been described above, the technical scope of the present invention is not limited to the description of the above embodiments. Various changes and improvements can be made to the embodiments described above, and forms with such changes and improvements are also included within the technical scope of the present invention.

For example, in the embodiment described above, the gateway 20 is exemplified as a device for controlling communication between the client 10 and the servers 30 and 40, but the configuration is not limited to this, and a configuration using communication control components such as a firewall and a router You can also use it as

In addition, in the above-described embodiment, an example of the algorithm of the secret multiplication process and the secret data extraction process is illustrated and explained in FIGS. 3 to 6, but the algorithm is not limited to the above algorithm, and other known algorithms Algorithms can also be used. Further, when the algorithm changes, the number and type of random numbers required also change, but in the secure calculation system 1 according to the present invention, the client 10 generates the type and number of random numbers requested by the first server 30. This is true no matter what algorithm is used.

Furthermore, in the embodiment described above, the secure calculation system 1 illustrated a configuration including the gateway 20, but it can also be configured without the gateway 20. In this case, the client 10 can directly send a random number supply inquiry to the first server 30 without going through the gateway 20, and the first server 30 can also respond to the request from the client 10 without going through the gateway 20. Then, necessary information (random number request information and secret calculation results) can be transmitted to the client 10.

In addition, in the embodiment described above, multiplication, division, magnitude comparison, filtering and sorting of table structure data are illustrated as examples of secure computations using random numbers, but secure computations using random numbers are limited to these. Not done. For example, as secret calculations that require random numbers that do not depend on the number of rows n, such as multiplication, division, and size comparison, inner joins that correspond to the join syntax of queries, calculation of the average value of aggregate function Avg, Trim, LTrim, etc. String manipulation functions such as RTrim, Upper, Lower, Replace, Split, ZenToHan, HanToZen, string evaluation functions such as Contains and NotContains, mathematical operations such as Argmax and Dot, LinregFit, LinregPredi Analytical operations such as ct, columns such as Expand Examples include operations and logical operations such as "&" (AND) and "|" (OR). In addition, calculation of the total corresponding to the group by clause, Min and Max An example of this is calculating the minimum value or maximum value corresponding to .

Further, in the above-described embodiment, the first server 30 executes the random number estimation program, but the configuration is not limited to this, and the second server 40 may execute the random number estimation program.

Furthermore, in the above-described embodiment, when the client 10 inquires about random numbers, the first server 30 replies to the client 10 with information about the currently missing random numbers as random number request information; however, the present invention is not limited to this configuration. First, it may be configured to send random number request information to the client 10, including random numbers that are expected to become insufficient in the future. For example, when the first server 30 receives a random number inquiry from the client 10 (step S407), by running the random number estimation program, the first server 30 calculates not only the currently insufficient random numbers but also the random numbers that can be estimated at the present time. Estimates can be sent as random number request information. In particular, if the first server 30 is short of random numbers while the client 10 is generating random numbers, the secure calculation at the first server 30 is stopped until random numbers are supplied from the client 10. Therefore, by identifying and requesting random numbers that will be in short supply in the future, it is possible to speed up the secret calculation. However, even in this case, if the number of rows changes due to filtering or the like, it is not possible to estimate the random number required after the number of rows changes.

In addition, in the above-described embodiment, a correlated random number corresponding to a 32-bit length represented by "A2" and a shuffled random number represented by "SR" were exemplified as random numbers, but the types of random numbers are not limited to the above, and are 64-bit long. It is also possible to use a correlated random number having a length of 128 bits, 32 sets of 1 bit length, or a shuffle random number other than the above.

Furthermore, in the embodiment described above, the client 10 sends an inquiry as to whether there is a shortage of random numbers only to the first server 30, and receives random number request information from the first server 30 in response to the inquiry. , without being limited to this configuration, the client 10 sends an inquiry as to whether there is a shortage of random numbers to the first server 30 and the second server 40, and sends random number request information in response to the inquiry to the first server 30 and the second server. The configuration may be such that the information is received from 40.

1...Secret computing system 10...Client 20...Gateway 30...First server 40...Second server 2...Internet

Claims (7)

A secure calculation system comprising a plurality of servers that execute secure calculations, and a client that supplies random numbers necessary for executing secure calculations to the plurality of servers,
The client includes a query input means for transmitting a query of data input by a user to at least one of the plurality of servers;
Random number supply means for generating random numbers based on the received necessary random number information and transmitting them to the plurality of servers,
The server estimates the type and number of random numbers required for secure calculation based on the query received from the client, and transmits the estimated type and number of random numbers to the client as necessary random number information;
random number pooling means for pooling random numbers for performing a secure calculation based on the query received from the client;
a secure calculation means for executing a secure calculation based on the query received from the client and transmitting the execution result to the client;
A missing random number that detects a missing random number in execution of a secret calculation by the secret calculation means, and replies to the client with the type and number of the missing random number as necessary random number information when an inquiry is made by the missing random number inquiry means of the client. a detection means;
The client inquires of the server at regular intervals as to the presence or absence of a random number that is insufficient when performing a secure calculation based on the query, and if the missing random number detection means returns the necessary random number information, the necessary random number is A secure calculation system further comprising missing random number inquiry means for transmitting information to the random number pool means. When the missing random number detection means detects a missing random number during execution of a secret calculation, the secret calculation means temporarily suspends the secret calculation that is being executed until the missing random number is received from the random number supply means. The secure calculation system according to claim 1, having the function of: A secure method comprising a plurality of servers that perform secure calculations and a client that supplies random numbers necessary for secure calculations to the plurality of servers, and wherein the server performs the secure calculations using the random numbers supplied from the clients. A calculation system,
The server repeatedly detects whether there is a shortage of random numbers used for secure calculations, and when there is a shortage of random numbers necessary for secure calculations, the server sends random number request information including information on the type and number of the missing random numbers to the server. send to client,
The secure computing system is characterized in that, when the client receives the request information, the client transmits a random number of a type and number based on the request information to the server. A server for executing secure calculations configured to be able to communicate with a client that supplies random numbers necessary for executing secure calculations,
The client includes a query input means for transmitting a query of data input by a user to at least one of a plurality of servers;
Random number supply means for generating random numbers based on the received necessary random number information and transmitting them to the plurality of servers,
The server estimates the type and number of random numbers required for secure calculation based on the query received from the client, and transmits the estimated type and number of random numbers to the client as necessary random number information;
random number pooling means for pooling random numbers for performing a secure calculation based on the query received from the client;
a secure calculation means for executing a secure calculation based on the query received from the client and transmitting the execution result to the client;
A missing random number that detects a missing random number in execution of a secret calculation by the secret calculation means, and replies to the client with the type and number of the missing random number as necessary random number information when an inquiry is made by the missing random number inquiry means of the client. A server comprising a detection means. An information processing device configured to be able to communicate with multiple servers for executing secure calculations,
query input means for transmitting a query of data input by a user to at least one of the plurality of servers;
Random number supply means for generating random numbers based on the received necessary random number information and transmitting them to the plurality of servers,
The server estimates the type and number of random numbers required for secure calculation based on the query received from the information processing device, and transmits the estimated type and number of random numbers to the information processing device as necessary random number information. estimation means,
random number pooling means for pooling random numbers for performing a secure calculation based on the query received from the information processing device;
a secure calculation means for executing a secure calculation based on the query received from the information processing device and transmitting the execution result to the information processing device;
Missing random number detection for detecting missing random numbers in execution of secret calculation by the secret calculation means, and responding with the type and number of missing random numbers as necessary random number information when an inquiry is made by the missing random number inquiry means of the information processing device. equipped with the means and
Furthermore, the server is inquired at regular intervals as to whether there are any missing random numbers when performing secure calculation based on the query, and if the missing random number detection means returns the necessary random number information, the necessary random number information is sent to the server. An information processing device comprising: a missing random number inquiry means for transmitting to the random number pool means. A processor of an information processing device configured to be able to communicate with multiple servers for executing secure calculations,
query input means for transmitting a query of data input by a user to at least one of the plurality of servers;
A computer program for functioning as a random number supply means for generating random numbers based on received necessary random number information and transmitting the generated random numbers to the plurality of servers, the computer program comprising:
The server estimates the type and number of random numbers required for secure calculation based on the query received from the information processing device, and transmits the estimated type and number of random numbers to the information processing device as necessary random number information. estimation means,
random number pooling means for pooling random numbers for performing a secure calculation based on the query received from the information processing device;
a secure calculation means for executing a secure calculation based on the query received from the information processing device and transmitting the execution result to the information processing device;
Missing random number detection for detecting missing random numbers in execution of secret calculation by the secret calculation means, and responding with the type and number of missing random numbers as necessary random number information when an inquiry is made by the missing random number inquiry means of the information processing device. equipped with the means and
Furthermore, the processor inquires of the server at regular intervals whether there is a random number that is insufficient when executing a secure calculation based on the query, and if there is a response with the necessary random number information from the missing random number detection means, the corresponding A computer program that functions as a missing random number inquiry means for transmitting necessary random number information to the random number pool means. A secure calculation method using a plurality of servers that perform secure calculations, and a client that supplies random numbers necessary for performing secure calculations to the plurality of servers, the method comprising:
the client sending a query for user-entered data to at least one of the plurality of servers;
The server estimates the type and number of random numbers required for secure calculation based on the query received from the client, and transmits the estimated type and number of random numbers to the client as necessary random number information;
The client generates a random number based on the received necessary random number information and transmits it to the plurality of servers;
pooling random numbers for performing a secure calculation based on the query received from the client;
The server executes a secure calculation based on the query received from the client, and transmits the execution result to the client,
When the server detects a missing random number in executing the secure calculation, the server responds with the type and number of the missing random number as necessary random number information when an inquiry is received from the client;
The client inquires of the server at regular intervals as to whether or not there are insufficient random numbers when performing secure calculation based on the query, and if there is a response from the server with the necessary random number information, then The method further comprises: generating a missing random number and transmitting it to the plurality of servers.