JP5995749B2 - Secret set operation apparatus and method - Google Patents

Description

  The present invention relates to encryption technology. In particular, the present invention relates to a technique for performing a set operation while keeping information secret by a secret calculation.

  As a method for obtaining a specific calculation result without restoring the encrypted numerical value, a technique called secret calculation is known (for example, see Non-Patent Document 1). In the technique described in Non-Patent Document 1, encryption is performed such that numerical fragments are distributed to three secret calculation devices, and these three secret calculation devices perform cooperative calculation without restoring the numerical values. , Addition / subtraction, constant sum, multiplication, constant multiple, logical operation (negation, logical product, logical sum, exclusive logical sum), data format conversion (integer, binary) results distributed to three secret computing devices That is, it can be kept encrypted.

  Further, as a method for realizing a set operation while keeping the true size of a set of input and output on secret calculation, the technique of Non-Patent Document 2 is known.

Koji Senda, Hiroki Hamada, Igarashi Univ., Katsumi Takahashi, “Reconsideration of Lightweight Verifiable 3-Party Secret Function Calculation”, In CSS, 2010. Masamichi Shimura, Tsukasa Endo, Kunihiko Miyazaki, Hiroshi Yoshiura, “Relational Algebra Operation Using Multi-Party Protocol for Realizing Safe and Unrestricted Databases”, IPSJ Research Report. CSEC, Vol.2008, No.71, pp.187-193, 2008.

  However, since the prior art requires a direct product operation, if the number of rows of the two input matrices is m and n, respectively, the calculation time is as large as O (mn).

  An object of the present invention is to provide a secret set operation apparatus and method for realizing a set operation in a shorter calculation time than in the past.

The secret set calculation device according to one aspect of the present invention is configured by at least one record including dummy records arranged in a first direction, where each set is a matrix, where <a> is information concealing a Each record is composed of at least one attribute value arranged in the second direction corresponding to at least one attribute and an empty flag indicating whether each record is a dummy, If it is 1, each record is a dummy, and if the empty flag is 0, each record is not a dummy. The number of records that make up the matrix of the set S is m, and the number of records that make up the matrix of the set T is As n, at least one secret computing device constituting the secret set computing device uses a collaborative calculation to combine a matrix of the set T and a matrix of the set S in the first direction as U, and <T> And <U> is calculated based on <S>, and U is stably sorted in the first direction as U ₁ , <U ₁ > is calculated based on <U>, and i is 2 or more n + m following a respective integer, first the value of the element as a 0, i-1-th second in the first direction i th second direction vector in the first direction for constituting the U ₁ constitutes a U ₁ if they are the same as the direction of the vector and the value of i-th element and 1, i th second direction vector in the first direction for constituting the U ₁ is (i-1) -th in the first direction for constituting the U ₁ If the vector in the first direction is different from the vector in the second direction, the vector with the value of the i-th element in the first direction as 0 is set as e, <e> is calculated based on <U ₁ >, and e itself is calculated according to the operation to be performed. Or , let f be the modified vector of the element value of e, calculate <f> based on <e>, and let i be an integer between ₁ and n + m, and the i-th record of U ₁ Empty flag value and f's i If at least one value of eye elements 1 a matrix to 1 the value of the empty flag in the U ₁ as V, based on the <U _1> and <f> to calculate the <V>.

  A set operation can be realized in a shorter calculation time than in the past.

The functional block diagram of the example of a secret set arithmetic device. The figure for demonstrating the example of a matrix.

  Embodiments of the present invention will be described below.

[Definition]
Information that conceals a by encryption or secret sharing is expressed as <a>. <a> is sometimes called a secret sentence of a. a is a scalar value, vector, or matrix. When a is a vector, <a> is information obtained by concealing each element of the vector. When a is a matrix, <a> is information in which each element of the matrix is concealed. It is assumed that the information for restoring <a> is divided into a plurality of fragments, and the plurality of fragments are held by at least one secret computing device that performs cooperative calculation.

  If a is a vector, <a> [i] means the i-th element of vector a. When a is a matrix, <a> [i] means an i-th second direction vector of the matrix a. The i-th vector in the second direction means the i-th row vector when the first direction is the row direction and the second direction is the column direction, as will be described later.

Let x || y be the concatenation of vectors x and y in a given direction. When a is a scalar value, a vector in which n secret sentences <a> are arranged in a predetermined direction is expressed as <a> ⁿ .

  Set operations are union operations, difference set operations, and intersection operations.

  For example, it is assumed that the set X is a matrix composed of different row vectors a, b, d, e, and f, and the set Y is a matrix composed of row vectors a, c, and d.

  At this time, the union set X∪Y, the difference set X \ Y, and the product set X∩Y are as follows.

  As illustrated in FIG. 1, the secret set calculation device includes N secret calculation devices, where N is an integer of 1 or more. The N secret calculation devices can perform operations of concealment, restoration, logical sum, negation, stable sorting, and equality determination by cooperative calculation.

  The concealment calculation is a process of calculating a concealment sentence <a> of a based on the inputted a. The restoration calculation is a process of calculating a based on the secret sentence <a>. For details of the concealment and decryption operations, see Non-Patent Document 1, for example.

  The OR operation is a collaborative calculation by N secret computing devices. The a and b secret texts <a> and <b> are input, and the c secret text <c> that is the calculation result of a∨b. Is the process of calculating>.

  The negative operation is a collaborative calculation by N secret calculation devices, and the secret sentence <a> of a is input, and the secret sentence <c> of c, which is the negative result of ¬a, is calculated. It is processing.

  See, for example, Non-Patent Document 1 for details of the logical sum and negation operations.

The stable sorting operation is a process of rearranging the concealed vector or matrix elements in a predetermined order in the first direction. The first direction is, for example, the row direction, and the predetermined order is, for example, the dictionary order. In this case, the stable sorting of the matrix X means that the n row vectors X [1],..., X [n] constituting the matrix X are rearranged in the dictionary order. Note that the dictionary order is x <y iff (x ₁ ) when the order of a row vector x = (x ₁ ,..., X _m ) and a row vector y = (y ₁ ,..., Y _m ) is determined. <y ₁ ) ∨ ((x ₁ = y ₁ ) ∧ ((x ₂ <y ₂ ) ∨ (...)))) determines the order of x and y. iff means if and only if. Note that when stable sorting, a row vector and a row vector are the same, and the order of these row vectors in the original matrix X is determined when the order of the dictionary order cannot be determined for these row vectors. Assume that the order of these row vectors is determined. In this case, the operation of the stable sorting in the row direction of the vector or matrix Y using the matrix X as a key corresponds to the stable sorting in the row direction of the matrix X, where n is the number of rows of X and Y. This means a process of replacing row vectors constituting Y based on bijective predetermined substitution π _s : {1,..., N} → {1,..., N}. See, for example, Reference 1 for details of stable sorting operations.

  [Reference 1] Hiroki Kajita, Dai Igarashi, Koji Senda, Katsumi Takahashi, “Linear time sorting on secret function calculation”, In SCIS, pp.1-7, 2011.

  For example, when the matrices X and Y are given as follows, the matrix X ′ after the stable sorting and the Y ′ after the stable sorting using the matrix X as a key are as follows.

The calculation for equality determination is a process of calculating the secret sentence <c> of the truth value c of a = b with the secret sentences <a> and <b> of a and b as inputs. The truth value is 1 when true and 0 when false. The execution of this operation is expressed as (<a> = ^? <B>). For details of the calculation of the equal sign determination, see Reference Document 2, for example.

  [Reference 2] Takashi Nishide, Kazuo Ohta, “Multiparty computation for interval, equality, and comparison without bitdecomposition protocol”, In PKC, pp.343-360, 2007.

[Embodiment of superordinate concept]
As will be described later, for the set <S> whose size is concealed and the set <T> whose size is concealed, the first embodiment performs the union operation, and the second embodiment performs the difference set operation. In the third embodiment, a product set operation is performed.

  First, an embodiment of a superordinate concept that is an embodiment of a part common to the first to third embodiments will be described.

  Each set to be input and output is represented by a matrix as illustrated in FIG. 2, and includes at least one record including dummy records arranged in the first direction. Each record is composed of at least one attribute value arranged in the second direction corresponding to at least one attribute and an empty flag indicating whether or not each record is a dummy. For example, if the empty flag is 1, the record is a dummy, and if the empty flag is 0, the record is not a dummy.

  Hereinafter, a case where the first direction is the row direction and the second direction is the column direction will be described as an example.

  The matrix illustrated in FIG. 2 includes three records including dummy records arranged in the row direction. In this example, the record in the third row is a dummy. Each record includes attribute values and empty flags arranged in the column direction corresponding to the four attributes. In this example, the empty flag is arranged in the first column. The attributes of this matrix are ID, age, gender, and occupation. Thus, by including a dummy record, the true size of the set can be concealed.

  As illustrated in FIG. 1, the secret set calculation device includes N secret calculation devices, where N is an integer of 1 or more.

  Let m be the number of records that make up the set S that is a matrix, and n be the number of records that make up the set T that is a matrix. Examples of S and T are given below.

<Step S1>
The N secret calculation apparatuses calculate <U> based on <T> and <S> by cooperative calculation (step S1).

  Here, U is a matrix obtained by combining the matrix of the set T and the matrix of the set S in the first direction (in this example, the row direction).

  U is as follows.

<Step S2>
The N secret calculation apparatuses calculate <U ₁ > based on <U> by cooperative calculation (step S2).

Here, U ₁ is a matrix obtained by stably sorting U in the first direction.

U ₁ is as follows.

<Step S3>
The N secret calculation devices calculate <e> based on <U ₁ > through cooperative calculation (step S3).

Here, i is an integer of 2 to n + m, the value of the first element is 0, and the i-th vector in the first direction that forms U ₁ is the first vector that forms U ₁ if i-1 th the same as the second direction of the vector in one direction and the value of i-th element and 1, i th second direction vector in the first direction for constituting the U ₁ is configured the U ₁ If the vector is different from the (i−1) th second direction vector in the first direction, the vector in which the value of the i th element in the first direction is 0 is set to e. In this example, the first direction is the row direction, and the vector in the second direction is the row vector.

  e is as follows.

  That is, the N secret calculation devices calculate <e> defined by the following equation by cooperative calculation. Here, i is an integer of 1 ≦ i ≦ m + n.

<Step S4>
The N secret calculation devices calculate <f> based on <e> by cooperative calculation (step S4).

  Here, let f be a vector obtained by changing the value of the element e according to the operation to be performed. For example, when performing a union operation, e is directly set to f. That is, let f [i] = e [i] where i is an integer of 1 ≦ i ≦ m + n. The definition of f in step S4 is different in each embodiment described later.

  For example, when f = e is used to perform a union operation, f is as follows.

<Step S5>
The N secret calculation apparatuses calculate <V> based on <U ₁ > and <f> by cooperative calculation (step S5).

Here, i is an integer between 1 and n + m, and if at least one of the value of the empty flag of the i-th record of U ₁ and the value of the i-th element of f is 1, then the value in U ₁ Let V be the matrix whose empty flag value is 1.

  In step S4, for example, when f = e to perform the union operation, V is as follows.

  Since the prior art requires a direct product operation, if the number of rows of the two input matrices is m and n, respectively, it is necessary to create a matrix with the number of rows mn during the calculation. The present invention is configured without using a direct product operation, and only needs to create a matrix having the number of rows O (m + n) in the middle of the calculation. Therefore, the calculation time is shorter than that of the prior art. Specifically, a set operation on a secret calculation with a calculation time of O ((m + n) log (m + n)) can be realized.

  In addition, the input matrix and the size (number of rows) of the output matrix are concealed by the empty flag.

[First embodiment]
The secret set calculation device according to the first embodiment performs union calculation on a set <S> whose size is concealed and a set <T> whose size is concealed.

  In the first embodiment, e is set to f as it is in step S4. That is, let f [i] = e [i] where i is an integer of 1 ≦ i ≦ m + n.

  Only this part is different from the embodiment of the highest concept, and the other parts are the same as those of the embodiment of the highest concept, and therefore, redundant description is omitted.

[Second Embodiment]
The secret set calculation apparatus according to the second embodiment performs a difference set calculation on a set <S> whose size is concealed and a set <T> whose size is concealed.

  The following description will focus on the differences from the top-level concept embodiment, and the description of the same portions as the top-level concept embodiment will be omitted.

<Step S1>
The N secret calculation devices not only calculate <U> based on <T> and <S>, but also calculate <r> by cooperative calculation (step S1).

Here, a vector in which n 1s are arranged in the first direction is 1 ⁿ , a vector in which 0 is ^m arranged in the first direction is 0 ^m, and a vector obtained by combining 1 ⁿ and 0 ^m in the first direction is r.

  U and r are as follows.

<Step S2>
The N secret calculation devices not only calculate <U ₁ > based on <U> by collaborative calculation, but also calculate <r ₁ > based on <U> and <r> (step S <b> 2). ).

Here, r ₁ is a vector obtained by stably sorting r using U as a key.

<Step S4>
The N secret calculation devices not only calculate <e> based on <U ₁ >, but also calculate <f> based on <e> and <r ₁ > by cooperative calculation (step S4). ).

Here, if at least one of the value of the i-th element of e and the value of the i-th element of r ₁ is 1, let f be a vector in which the value of the i-th element is 1.

  f is as follows.

  In this case, V after step S5 is as follows.

<Step S6>
After step 5, the N secret calculation devices calculate <V ₁ > based on <V> by cooperative calculation (step S6).
Here, let V ₁ be a matrix in which vectors in the second direction up to the m-th are left in a matrix in which V is stably sorted using the empty flag of V as a key.

V ₁ is as follows.

[Third embodiment]
The secret set calculation device according to the third embodiment performs a product set operation on a set <S> whose size is concealed and a set <T> whose size is concealed.

  In the third embodiment, in step S4, if the value of the i-th element of e is 0, the value of the i-th element is 1, and if the value of the i-th element of e is 1, the i-th element Let f be a vector whose value is 0. That is, i is an integer of 1 ≦ i ≦ m + n, and f [i] = ¬e [i].

  Only this part is different from the embodiment of the highest concept, and the other parts are the same as those of the embodiment of the highest concept, and therefore, redundant description is omitted.

  In the third embodiment, f is as follows.

  Further, V after step S5 is as follows.

[Modification]
The processes described in the above apparatus and method are not only executed in time series according to the description order, but may also be executed in parallel or individually as required by the processing capability of the apparatus that executes the process.

  Further, when each process in the secret set arithmetic device is realized by a computer, the processing contents of the functions that the secret set arithmetic device should have are described by a program. Then, by executing this program on the computer, the processing means in the secret set arithmetic apparatus is realized on the computer.

  The program describing the processing contents can be recorded on a computer-readable recording medium. As the computer-readable recording medium, for example, any recording medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory may be used.

  Each processing means may be configured by executing a predetermined program on a computer, or at least a part of these processing contents may be realized by hardware.

  Needless to say, other modifications are possible without departing from the spirit of the present invention.

Claims (2)

Information that conceals a as <a>
Each set is a matrix and includes at least one record including dummy records arranged in the first direction, and each record has at least one arranged in the second direction corresponding to at least one attribute. If the empty flag is 1, each record is a dummy and if the empty flag is 0, each record is not a dummy. The number of records that make up the matrix of the set S is m, and the number of records that make up the matrix of the set T is n,
At least one secret computing device constituting the secret set computing device is
A matrix obtained by combining the matrix of the set T and the matrix of the set S in the first direction is U, and <U> is calculated based on <T> and <S>.
The U-stable sort matrix in a first direction as U _1, based on the <U> Calculate the <U _1>,
The i and 2 above n + m following each integer, in the first direction the value of the first element and 0, the i-th second direction vector in the first direction for constituting the U ₁ constituting U ₁ If it is the same as the vector in the (i-1) second direction, the value of the i-th element is 1, and the i-th second direction vector in the first direction constituting U ₁ is the first in U ₁ the vector to 0 the value of i-th element in the first direction for different and i-1 th second direction vector in the direction e, calculates the <e> based on <U _1>,
Depending on the operation to be performed, e itself or a vector obtained by changing the value of the element of e is f, and <f> is calculated based on <e>.
Let i be an integer between 1 and n + m, and if at least one of the value of the empty flag of the i-th record of U ₁ and the value of the i-th element of f is 1, that empty flag in U ₁ the matrix of the values between 1 as V, based on the <U _1> and <f> to calculate the <V>,
The operation performed above is a difference set operation between a set of non-dummy records of the set S and a set of non-dummy records of the set T.
A vector in which n 1s are arranged in the first direction is 1 ⁿ , a vector in which 0 is ^m arranged in the first direction is 0 ^m, and a vector obtained by combining 1 ⁿ and 0 ^m in the first direction is r. Calculate <r> further,
The r as r ₁ stable sorted vector as a key U, <U>, further calculates a <r _1> based on <r>,
If at least one of the value of the i-th element of e and the value of the i-th element of r ₁ is 1, let f be a vector with the value of the i-th element being 1, and set <e>, <r ₁ > Further calculate <f> based on
Further calculate <V ₁ > based on <V>, where V ₁ is a matrix in which vectors in the second direction up to the m-th are left in a matrix that is stably sorted using the empty flag of V as a key ,
Secret set operation device. Information that conceals a as <a>
Each set is a matrix and includes at least one record including dummy records arranged in the first direction, and each record has at least one arranged in the second direction corresponding to at least one attribute. If the empty flag is 1, each record is a dummy and if the empty flag is 0, each record is not a dummy. The number of records that make up the matrix of the set S is m, and the number of records that make up the matrix of the set T is n,
At least one secret computing device constituting the secret set computing device is
Calculating <U> based on <T> and <S>, where U is a matrix obtained by combining the matrix of the set T and the matrix of the set S in the first direction;
A step of calculating <U ₁ > based on <U>, where U is a matrix that is stably sorted in the first direction as U ₁ ,
The i and 2 above n + m following each integer, in the first direction the value of the first element and 0, the i-th second direction vector in the first direction for constituting the U ₁ constituting U ₁ If it is the same as the vector in the (i-1) second direction, the value of the i-th element is 1, and the i-th second direction vector in the first direction constituting U ₁ is the first in U ₁ Calculating a <e> based on <U ₁ >, where e is a vector in which the value of the i-th element in the first direction is 0 if different from the i-1th second direction vector in the direction;
A step of calculating <f> based on <e>, where f is a vector obtained by changing e itself or a value of an element of e according to an operation to be performed; and
Let i be an integer between 1 and n + m, and if at least one of the value of the empty flag of the i-th record of U ₁ and the value of the i-th element of f is 1, that empty flag in U ₁ Calculating <V> based on <U ₁ > and <f>, where V is a matrix whose value is 1;
The operation performed above is a difference set operation between a set of non-dummy records of the set S and a set of non-dummy records of the set T.
A vector in which n 1s are arranged in the first direction is 1 ⁿ , a vector in which 0 is ^m arranged in the first direction is 0 ^m, and a vector obtained by combining 1 ⁿ and 0 ^m in the first direction is r. further calculating <r>;
The r as r ₁ stable sorted vector as a key U, and a step of further calculating a <r _1> based on <U>, <r>,
If at least one of the value of the i-th element of e and the value of the i-th element of r ₁ is 1, let f be a vector with the value of the i-th element being 1, and set <e>, <r ₁ > Further calculating <f> based on:
A step of further calculating <V ₁ > based on <V>, where V ₁ is a matrix in which a vector in the second direction up to the m-th is left in a matrix in which V is stably sorted using an empty flag of V as a key ;
A secret set calculation method including

Images