JP6693834B2 - Concealment calculation technology and method - Google Patents

Description

  The present invention relates to a secret calculation method capable of performing a numerical calculation in an encrypted state, in which individual encrypted data can be registered in a server on the cloud from a plurality of registration devices, and the encrypted state can be maintained on the server. The present invention relates to a secret calculation method in which a correct calculation can be performed as it is, and a plurality of user terminal devices can obtain and decrypt the previous encryption calculation result.

  In the situation where confidential data (especially numerical data) such as personal information and company information is managed by a server on the cloud, data is encrypted in advance to prevent information leakage from the cloud server and at the same time utilize the information. There is known a cryptographic technique that can be stored in a cloud server after being encrypted and can be operated in the encrypted state when using the encrypted data deposited in the cloud server.

  For example, there is known a public key cryptography-based secret arithmetic technique that can perform addition, subtraction, multiplication, and division operations in an encrypted state by using a cryptographic function having homomorphic properties for addition and subtraction. (Patent Document 1).

JP, 2011-227193, A

  However, in the prior art, each data is encrypted with the public key of the device that obtains the calculation result, and the calculation process is performed in the state of being encrypted with the public key. At this time, since the calculation result is also encrypted with the public key, the encrypted calculation result can be decrypted only by the device that holds the private key corresponding to the public key. That is, in the prior art, if the public key is known, it is possible to encrypt individual data from a plurality of devices and operate the encrypted data in an encrypted state. The calculation result cannot be decrypted. Of course, if the same decryption private key is distributed to multiple devices in advance, the encrypted calculation result can be decrypted by multiple devices, but multiple devices that have different private keys will encrypt it. There is a problem that the calculation result cannot be decrypted.

  To explain the above-mentioned problem more specifically, confidential data such as personal information and corporate information (especially numerical data) is managed in an encrypted state on a cloud server, and statistical values etc. are checked from the encrypted data. , When each encrypted data is calculated on the cloud server and the calculation result is used, only one device that holds the corresponding secret key can use the calculation result, and the cloud server can be accessed. There is a problem in that the plurality of devices cannot utilize the calculation result.

  In the present invention which solves the above-mentioned subject, a system public key is generated from two secret keys managed separately by a user terminal unit and a computing unit. Then, each data is encrypted using this system public key. After that, for each data encrypted with the system public key, the confidential arithmetic processing is performed in the encrypted state, the result is re-encrypted with the secret key of the user terminal device, and the encrypted data is used for the user terminal device. To send to. The user terminal device decrypts using the private key managed by itself.

  According to the present invention, a secret arithmetic method capable of performing a numerical operation in an encrypted state can be acquired by a plurality of user terminal devices in an encrypted state only for a requested arithmetic result.

It is a figure which shows the system structural example of this embodiment. It is a figure which shows the hardware structural example of a totaling apparatus, a reception apparatus, a registration apparatus, and a user terminal device in this embodiment. It is a figure which shows the whole image of a process in this embodiment. It is a sequence diagram which shows the security calculation processing procedure in this embodiment. It is a flowchart which shows the preparation process such as key generation in this embodiment. It is a flowchart which shows the encryption process of the data in this embodiment. It is a flowchart which shows the arithmetic processing in the encryption state in this embodiment. It is a flowchart which shows the decoding process of the encryption calculation result in this embodiment.

--- System configuration ---
Embodiments of the present invention will be described below in detail with reference to the drawings.

  FIG. 1 is a diagram showing an example of the overall configuration of a confidential calculation system 1 according to this embodiment. In this figure, an example of the functional configuration of each computer that configures the confidential computing system 1 is shown together with the overall configuration. In the confidential operation system 1 shown in FIG. 1, encrypted data registered in the aggregation device 10 by each registration device 30 is encrypted by the aggregation device 10 according to a request from the user terminal device 40 via the reception device 20. The addition / subtraction arithmetic processing is performed as it is, and the arithmetic result is returned in the encrypted state to the user terminal device 40, and the user terminal device 40 decrypts the encrypted arithmetic result to obtain the arithmetic result. System.

  The confidential system 1 according to the present embodiment is a computer configured by an aggregating device 10, a receiving device 20, a registration device 30, and a user terminal device 40 communicatively connected via an appropriate network 50 such as the Internet. It is a network system. There are a plurality of registration devices 30 and user terminal devices 40.

  As illustrated in FIG. 1, the aggregation device 10 includes an information generation unit 101, an encryption processing unit 102, a data transmission / reception unit 103, an information input unit 104, an information output unit 105, a primary storage unit 106, a data storage unit 107, and a key storage unit. 108.

Of these, the information generation unit 101 is for generating information such as the secret key of the aggregation device 10 and the system public key of the confidential calculation system 1, and is received by, for example, the signal input from the information input unit 104 or the data transmission / reception unit 103. Information is generated based on the created data. The cryptographic processing unit 102 mainly performs arithmetic operations on the encrypted data received from the registration device 30 in the encrypted state. The key storage unit 108 securely manages the private key generated by the information generation unit 101. The primary storage unit 106 is a primary storage area using a semiconductor.
The data storage unit 107 also manages the encrypted data received from the registration device 30 in the encrypted state. The data transmitting / receiving unit 103 also transmits / receives encrypted data. Further, the information input unit 104 receives a signal corresponding to the input of information generated by the information generation unit 101. The information output unit 105 also displays a signal or the like input from the information input unit 104.

  The aggregation device 10 having such a function can be realized by a general information processing device 60 as illustrated in FIG. For example, the information generation unit 101, the encryption processing unit 102, the data transmission / reception unit 103, the information input unit 104, and the information output unit 105 can be realized as a computer program executed by the CPU 605 such as a CPU (CENTRAL PROCESSING UNIT). Such a computer program can be stored and held in the storage device 604 such as a hard disk in advance, or can be used by being distributed from the network 50. The data storage unit 107 and the key storage unit 108 can also be realized as the storage device 604 described above. The key storage unit 108 may be implemented by using a secure module device called HSM (Hardware Security Module).

  Further, the primary storage unit 106 can be realized by the memory 603. The information output unit 105 can be realized as an input / output device 601 such as a liquid crystal display device or an organic EL (ELECTRO LUMINENCE) display. Further, the information input unit 104 can be realized as an input / output device 601 such as a keyboard or a mouse that receives instructions and inputs from the user.

  In addition, the aggregation device 10 includes a communication device 602 that communicates with other devices via the network 50, and is configured on the information processing device 60 connected by an internal communication line (hereinafter referred to as a bus) 606 such as a bus. You can

  Further, as shown in FIG. 1, the reception device 20 includes an information generation unit 201, an encryption processing unit 202, a data transmission / reception unit 203, an information input unit 204, an information output unit 205, a primary storage unit 206, a data storage unit 207, and a key. It can be configured from the storage unit 208.

  Of these, the information generation unit 201 generates information such as a secret key and a public key of the reception device 20 and information such as an access right to the user terminal device 40. For example, a signal input from the information input unit 204. And information is generated based on the data received by the data transmission / reception unit 203. The cryptographic processing unit 202 mainly processes the encrypted calculation result received from the aggregation device 10. Further, the key storage unit 208 safely manages the secret key generated by the information generation unit 201. The primary storage unit 206 is a primary storage area using a semiconductor. Further, the data storage unit 207 manages information such as an access right to the user terminal device 40. The data transmitting / receiving unit 203 also transmits / receives encrypted data. The information input unit 204 also receives a signal for inputting information generated by the information generation unit 201. The information output unit 205 also displays a signal or the like input by the information input unit 204.

  The reception device 20 having such a function can be realized by a general information processing device 60 as illustrated in FIG. For example, the information generation unit 201, the encryption processing unit 202, the data transmission / reception unit 203, the information input unit 204, and the information output unit 205 can be realized as a computer program executed by the CPU 605 such as a CPU (CENTRAL PROCESSING UNIT). Such a computer program can be stored and held in the storage device 604 such as a hard disk in advance, or can be used by being distributed from the network 50. The data storage unit 207 and the key storage unit 208 can also be realized as the storage device 604 described above. The key storage unit 208 may be realized by using a secure module device called an HSM (Hardware Security Module).

  Further, the primary storage unit 206 can be realized by the memory 603. The information output unit 205 can be realized as an input / output device 601 such as a liquid crystal display device or an organic EL (ELECTRO LUMINENCE) display. Further, the information input unit 204 can be realized as an input / output device 601 such as a keyboard or a mouse that receives instructions and inputs from the user.

  In addition, the reception device 20 includes a communication device 602 that communicates with another device via the network 50, and is configured on the information processing device 60 connected by an internal communication line (hereinafter, referred to as a bus) 606 such as a bus. You can

  As shown in FIG. 1, the registration device 30 includes an information generation unit 301, an encryption processing unit 302, a data transmission / reception unit 303, an information input unit 304, an information output unit 305, a primary storage unit 306, and a data storage unit 307. You can

  Of these, the information generating unit 301 is for generating information such as numerical data to be registered in the totaling device 10, and for example, based on a signal input from the information input unit 304 or data received by the data transmitting / receiving unit 303, information is generated. To generate. Further, the encryption processing unit 302 is for performing encryption processing of the numerical data. The primary storage unit 306 is a primary storage area using a semiconductor. Further, the data storage unit 307 manages numerical data registered in the aggregation device 10 and the system public key of the secret computing system 1. The data transmission / reception unit 303 also receives the system public key of the secret computing system 1 from the aggregation device 10 and transmits encrypted data to the aggregation device 10. In addition, the information input unit 304 receives a signal corresponding to the input of information generated by the information generation unit 301. Further, the information output unit 305 displays a signal or the like input by the information input unit 304.

  The registration device 30 having such a function can be realized by a general information processing device 60 as illustrated in FIG. For example, the information generation unit 301, the encryption processing unit 302, the data transmission / reception unit 303, the information input unit 304, and the information output unit 305 can be realized as a computer program executed by a CPU 605 such as a CPU (CENTRAL PROCESSING UNIT). Such a computer program can be stored and held in the storage device 604 such as a hard disk in advance, or can be used by being distributed from the network 50. The data storage unit 307 can also be realized as the storage device 604 described above. Further, the primary storage unit 306 can be realized by the memory 603. The information output unit 305 can be realized as an input / output device 601 such as a liquid crystal display device or an organic EL (ELECTRO LUMINENCE) display. Further, the information input unit 304 can be realized as an input / output device 601 such as a keyboard or a mouse that receives instructions and inputs from the user.

  In addition, the registration device 30 includes a communication device 602 that communicates with other devices via the network 50, and is configured on the information processing device 60 connected by an internal communication line (hereinafter referred to as a bus) 606 such as a bus. You can

  Further, as shown in FIG. 1, the user terminal device 40 includes an information generation unit 401, an encryption processing unit 402, a data transmission / reception unit 403, an information input unit 404, an information output unit 405, a primary storage unit 406, and a data storage unit 407. , Key storage unit 408.

  Of these, the information generation unit 401 generates information such as a secret key and a public key of the user terminal device 40 and information such as a confidential calculation request sent to the aggregation device 10 via the reception device 20. Information is generated based on the signal input from the input unit 404. The cryptographic processing unit 402 mainly performs a decryption process on the encrypted calculation result received from the totaling device 10 via the reception device 20. The key storage unit 408 securely manages the private key generated by the information generation unit 401. The primary storage unit 406 is a primary storage area using a semiconductor. The data storage unit 407 manages information such as the decrypted calculation result. The data transmission / reception unit 403 also transmits a confidential calculation request to the aggregation device 10 via the reception device 20 and receives an encrypted calculation result from the aggregation device 10 via the reception device 20. The information input unit 404 receives a signal for inputting information generated by the information generation unit 401. The information output unit 405 also displays a signal or the like input by the information input unit 404.

  The user terminal device 40 having such a function can be realized by a general information processing device 60 as illustrated in FIG. For example, the information generation unit 401, the encryption processing unit 402, the data transmission / reception unit 403, the information input unit 404, and the information output unit 405 can be realized as a computer program executed by the CPU 605 such as a CPU (CENTRAL PROCESSING UNIT). Such a computer program can be stored and held in the storage device 604 such as a hard disk in advance, or can be used by being distributed from the network 50. The data storage unit 407 and the key storage unit 408 can also be realized as the storage device 604 described above. The key storage unit 408 may be implemented by using a secure module device called HSM (Hardware Security Module).

  Further, the primary storage unit 406 can be realized by the memory 603. Further, the information output unit 405 can be realized as an input / output device 601 such as a liquid crystal display device or an organic EL (ELECTRO LUMINESCENCE) display. Further, the information input unit 404 can be realized as an input / output device 601 such as a keyboard or a mouse that receives instructions and inputs from the user.

  In addition, the user terminal device 40 includes a communication device 602 that communicates with other devices via the network 50, and is configured on the information processing device 60 connected by an internal communication line (hereinafter referred to as a bus) 606 such as a bus. can do.

--- Example of processing procedure ---
The procedure in this embodiment will be described below with reference to the drawings. Various operations corresponding to the confidential calculation processing described below are executed by the respective devices constituting the confidential calculation system 1, that is, the totaling device 10, the reception device 20, the registration device 30, and the user terminal device 40, which are respectively read into a memory or the like. It is realized by the program.

FIG. 3 is a diagram showing an overall image of the processing in this embodiment. In FIG. 3, there are a plurality of registration devices 30 and user terminal devices 40. Here, the message m _jk is an integer value, and, for example, the registration device 30 _k (k = 1, 2, ... One of the user terminal devices 40 _i (i = 1, 2, ..., N) is encrypted and registered in the table 109 in the data storage unit 107 of the above aggregation device 10 and is accepted by the reception device on the cloud. The confidential calculation request is made via 20 to calculate the value obtained by subtracting the income amount from the medical expenses and nursing expenses paid by the individual (herein, ID ₁ ), and the aggregation device 10 makes the confidential information based on the request. A calculation is performed and the encrypted calculation result is transmitted to the requesting user terminal device 40 _i via the reception device 20, and the user terminal device 40 _i decrypts the encrypted calculation result to obtain the calculation result. ..

At this time, the user terminal device 40 _i does not know the individual payment amount or income amount of the corresponding individual, but can obtain only the calculation result obtained by subtracting the income amount from the medical expenses and the nursing care expenses. It is possible to reduce the risk of unnecessary information leakage by concealing not only the individual values but also the calculation results in the aggregation device 10 and the reception device 20.

  This mechanism can be expected to be applied to, for example, a high-cost medical care cost / high-cost care total medical care cost system that exempts payment of medical costs and long-term care costs when the calculation result exceeds a certain upper limit. In addition, it can be expected to be applied to a system in which individual values are kept secret and only the total value is provided to multiple users who have the decryption authority, such as counting the voting results in the electronic election system and counting in the questionnaire system. ..

  FIG. 4 is a sequence diagram showing the procedure of the confidential calculation processing in this embodiment.

  In the present embodiment, it is roughly divided into two phases, one is a preliminary preparation phase (steps S001 to S002, S101 to S103, S201 to S202), and the other is a confidential calculation processing phase (steps S301 to S307). Is.

  First, the advance preparation phase will be described. The advance preparation phase is further divided into system public key generation processing (steps S001 to S002), encrypted data registration processing (steps S101 to S103), and user terminal device initial registration processing (steps S201 to S202).

  In the system public key generation processing, the reception device 20 generates a key pair (public key and secret key) of the reception device 20 and transmits the public key of the reception device 20 to the totaling device 10 (step S001). The aggregation device 10 generates the secret key of the aggregation device 10, and inputs the public key of the reception device 20 and the secret key of the aggregation device 10 to generate the system public key of the confidential arithmetic system 1. Then, the system public key is transmitted to all the registration devices 30 (step S002).

  In the encrypted data registration process, the registration device 30 encrypts each data (integer value) with the system public key (step S101), and registers the encrypted data in the aggregation device 10 (step S102). The aggregation device 10 stores the encrypted data in the data storage unit 107 (step S103). This encrypted data registration process is performed at any time according to the necessity of data registration.

  In the user terminal device initial registration processing, each user terminal device 40 generates a key pair (public key and private key) in public key cryptography such as widely used RSA cryptography (step S201), The public key of the user terminal device 40 is sent to the reception device 20. The secret key generated in step S201 is stored in the key storage unit 408 of the user terminal device 40. The accepting device 20 that has received the public key of the user terminal device 40 stores the public key of the user terminal device 40 in the data storage unit 207 (step S202).

  Next, the confidential calculation processing phase will be described.

  The user terminal device 40 requests the reception device 20 to perform a confidential calculation operation (step S301). The reception device 20 relays the confidential calculation request to the aggregation device 10 (step S302). Based on the confidential calculation request, the aggregation device 10 selects the corresponding encrypted data from the encrypted data stored in step S103, and performs the calculation process in the encrypted state (step S303). Then, the encrypted calculation result is transmitted to the reception device 20. The accepting device 20 partially decrypts the encrypted calculation result with the secret key of the accepting device 20 (step S304), and transmits it as the processed data 1 to the totaling device 10. The aggregation device 10 partially decrypts the processed data 1 with the secret key of the aggregation device 10 (step S305), and transmits the processed data 1 to the reception device 20 as the processed data 2. The reception device 20 partially decrypts the processed data 2 with the secret key of the reception device 20 (step S306), and transmits it as the processed data 3 to the user terminal device 40. The user terminal device 40 decrypts the processed data 3 with the secret key of the user terminal device 40, and acquires the requested calculation result. Note that steps S304 to S307 are processes in which each device performs decryption via communication using the secret key of the aggregation device 10, the secret key of the reception device 20, and the secret key of the user terminal 40. Will be described later with reference to the flowchart of FIG.

  5 to 8 are flow charts for explaining the details of each processing in the present embodiment.

  FIG. 5 is a flowchart of the system public key generation process (steps S001 to S002) in the advance preparation phase.

  FIG. 6 is a flowchart of the encrypted data registration process (steps S101 to S103) in the advance preparation phase.

  FIG. 7 is a flow chart from the confidentiality calculation request (step S301) to the confidentiality calculation process (step S303) in the confidentiality calculation processing phase.

  FIG. 8 is a flowchart of the decryption processing (steps S304 to S307) in the confidential calculation processing phase.

  In the user terminal device initial registration process, the user terminal device 40 generates a key pair (public key and secret key) in public key cryptography such as widely used RSA cryptography, and the user terminal device This is a process of registering the public key of the device 40 in the reception device 20, and the description using the flow diagram will be omitted.

  First, the flow of the system public key generation processing (steps S001 to S002) in the advance preparation phase will be described with reference to FIG.

  The reception device 20 selects large prime numbers p and q (flow F001). At this time, p '= (p-1) / 2 and q' = (q-1) / 2 are also selected to be prime numbers.

  Next, the accepting device 20 calculates n = p · q (flow F002). The operator "." Means multiplication here.

Next, the accepting device 20 arbitrarily selects a random number kεZ _n (flow F003) and calculates g = 1 + k · n mod n ² (flow F004).

  Then, the accepting device 20 stores the prime numbers p and q selected in the flow F001 in the key storage unit 208 as a secret key of the accepting device 20 (flow F005).

  In addition, the reception apparatus 20 transmits the n and g calculated in the flow F002 and the flow F004 to the aggregation apparatus 10 as the public key of the reception apparatus 20 (flow F006).

The aggregation device 10 that has received the public key (n, g) of the reception device 20 (flow F007) arbitrarily selects aεZ _n (flow F008), and obtains a ′ that is a ′ · a = 1 mod n. Usually, this calculation can obtain a ′ by performing a calculation called Euclidean mutual division method (flow F009).

The collection apparatus 10 ^calculates the G = g a mod ^{n 2} (Flow F010).

Further, the aggregation device 10 arbitrarily selects uεZ _N. For the sake of convenience, n ² is described as N here (flow F011).

  Then, the aggregation device 10 stores a ′ obtained in the flow F009 and u selected in the flow F011 in the key storage unit 108 as a secret key of the aggregation device 10 (flow F012).

  Further, the aggregation device 10 selects the parameter b from natural numbers smaller than n / 2 (flow F013). The parameter b is the maximum value of the number of terms to be calculated. That is, in this embodiment, up to b additions or subtractions can be performed.

  Then, the aggregation device 10 transmits n received from the reception device 20 in the flow F007 and G calculated in the flow F010 to each registration device 30 as a system public key of the confidential calculation system 1. Further, b selected in the flow F013 is also transmitted to each registration device 30 as a public parameter of the confidential computing system 1 (flow F014).

  Next, a flow of encrypted data registration processing (steps S101 to S103) in the advance preparation phase will be described with reference to FIG.

The registration device 30 selects mεZ _{((n / 2b) −1)} as the data (integer value) to be encrypted (flow F101).

Next, the registration device 30 arbitrarily selects a random number rεZ _n (flow F102), and with respect to the data m selected in flow F101, the confidential arithmetic system sent from the aggregation device 10 to the registration device 30 in flow F014. Using the system public key (n, G) of No. 1 and the random number r selected in the flow F102, encrypted data c = G ^m · r _n mod n ² is calculated (flow F103).

Then, the registration device 30 sends attribute information indicating what the encrypted data c is for (for example, information indicating that the data is “medical expenses” of “ID ₁ ” (see FIG. 3, table 109)). In addition, the encrypted data c is transmitted to the collection device 10 (flow F104).

The aggregation device 10 having received the encrypted data c (flow F105) extracts the secret key u stored in the key storage unit 108 in flow F012, converts the encrypted data c into c = c + u mod n ^2, and converts the encrypted data c into c = c + u mod n ^2. The converted c is registered in the data storage unit 107 of the aggregation device 10 according to the attribute information (for example, information indicating that the data is “medical expenses” of “ID ₁ ” (see FIG. 3, table 109)). Flow F106).

  Next, the flow of the confidentiality calculation processing (step S301) to the confidentiality calculation processing (step S303) in the confidentiality calculation processing phase will be described with reference to FIG.

The user terminal device 40 specifies a calculation range (for example, information indicating that the user wants to know the sum of “medical expenses” and “nursing expenses” of “ID ₁ ” (see FIG. 3, table 109)), and accepts The confidential calculation request is transmitted to the device 20 (flow F201).

  The reception device 20 that has received the confidential calculation request from the user terminal device 40 (flow F202) determines whether the user terminal device 40 is initially registered in the user terminal device initial registration process (step S202). It is confirmed whether the access is from an apparatus that can use the system 1 (flow F203). If the access is from an unauthorized device, the confidential calculation request is rejected. If the access is from a valid device, the relevant public key of the user terminal device 40 stored in the data storage unit 207 is retrieved in step S202, and the public key of the user terminal device 40 is received in the flow F202. The confidential calculation request is transmitted to the totaling device 10 (flow F204).

Upon receiving the confidential calculation request from the reception device 20 (flow F205), the aggregation device 10 acquires the corresponding encrypted data from the data storage unit 107 based on the calculation range specified in the flow F201 (flow F206). Here, it is assumed that "encrypted data for medical expenses of ID ₁ " is "c ₁ " and "encrypted data for nursing expenses of ID ₁ " is "c ₂ ".

The aggregating apparatus 10 that has obtained the corresponding encrypted data retrieves the secret key u of the aggregating apparatus 10 from the key storage unit 108 and stores c ₁ and c ₂ as c ₁ = c ₁ -u mod n ² and c ₂ =, respectively. It is replaced with c ₂ −u mod n ² (flow F207).

Here, the aggregation device 10 determines whether the requested operation is a sum or a difference (flow F208), and if it is a sum, calculates c ′ = (c ₁ · c ₂ ) mod n ² ( Flow F209 ₁ ), and if it is a difference, c ′ = (c ₁ / c ₂ ) mod n ² is calculated (flow F209 ₂ ).

In addition, the aggregation device 10 that has calculated c ′ arbitrarily selects sεZ _n , obtains s ′ such that s ′ · s = 1 mod n, and stores it in the primary storage unit 106 or the data storage unit 107. (Flow F210).

Further, the aggregation device 10 arbitrarily selects vεZ _n and also obtains v ′ such that v ′ · v = 1 mod n (flow F211). Then, the aggregation device 10 encrypts v ′ with the public key of the corresponding user terminal 40 transmitted from the reception device 20 in flow F204 (flow F212).

Further, the aggregation device 10 calculates the encryption operation result C = (c ′) ^{s · v} mod n ² from c ′ calculated in the flow F209 and s and v selected in the flow F210 and the flow F211 and the flow F212 It is transmitted to the accepting device 20 together with v ′ encrypted in (Flow F213).

  Finally, the flow of decryption processing (steps S304 to S307) in the confidential calculation processing phase will be described with reference to FIG.

The accepting device 20 that has received the encryption operation result C and v ′ encrypted with the public key of the corresponding user terminal 40 is M = L ((C ^λ mod n ² ) / L (g ^λ mod n ² )). Calculate mod n. Here, L (x) = (x−1) / n and λ = 1 cm (p−1, q−1) (flow F301).

Further, the accepting device 20 arbitrarily selects tεZ _n , obtains t ′ such that t ′ · t = 1 mod n, and stores it in the primary storage unit 206 or the data storage unit 207 (flow F302). ..

  Then, the reception apparatus 20 calculates C ′ = M · t mod n using M calculated in the flow F301 and t selected in the flow F302, and transmits C ′ as the processing data 1 to the aggregation apparatus 10 (flow). F303).

  Upon receiving C ′ (flow F304), aggregator 10 stores a ′ stored in key storage unit 108 in flow F012 and s ′ stored in primary storage unit 106 or data storage unit 107 in flow F210. It is taken out and C ″ = a ′ · s ′ · C ′ mod n is calculated (flow F304). Then, the aggregation device 10 transmits C ″ as the processing data 2 to the reception device 20 (flow F306).

  The accepting device 20 that has received C ″ (flow F307) takes out t ′ stored in the primary storage unit 206 or the data storage unit 207 in flow F302, and sets C ″ ′ = t ′ as the processing data 3. -Calculate C '' mod n (flow F308).

  Then, the accepting apparatus 20 performs a confidential operation on v ′ encrypted by the public key of the corresponding user terminal 40 transmitted from the aggregation apparatus 10 in flow F213 and C ″ ′ (process data 3) calculated in flow F304. It is transmitted to the user terminal 40 that is the request source of the request (flow F309).

  The user terminal 40 that has received v ′ encrypted with the public key of the user terminal 40 and C ′ ″ that is the process data 3 (flow F310) first of all uses the user terminal device 40 generated in step S201. The private key is retrieved from the key storage unit 408, and v ′ encrypted with the public key of the user terminal 40 is decrypted to obtain v ′ (flow F311).

  Then, the user terminal device 40 calculates m ′ = v ′ · C ″ ″ mod n from C ″ ″ received in the flow F310 and v ′ decoded in the flow F311 (flow F312).

If m '<n / 2, m' = m 'is set (flow F314 ₁ ), and if m' ≧ n / 2, m '= m'-n is set (flow F314 ₂ ).

  Then, the user terminal device 40 acquires m ′ as the requested calculation result (flow F315).

It will be understood from the following that the calculation result of m'is obtained.
Each encrypted data c ₁ and c ₂ ,
c ₁ = G ^m1 · r ₁ ⁿ = g ^{a · m1} · r ₁ ⁿ mod n ² ,
When c ₂ = G ^m2 · r ₂ ⁿ = g ^{a · m2} · r ₂ ⁿ mod n ² ,
c ′ = c ₁ · c ₂ = g ^{a · (m1 + m2)} · (r ₁ · r ₂ ) ⁿ mod n ² ,
C = (c ′) ^{s · v} = ga ^{· (m1 + m2) · s · v} · (r ₁ · r ₂ ) ^{n · s · v} mod n ² .
Then, since the calculation of L ((C ^λ mod n ² ) / L (g ^λ mod n ² )) mod n outputs the value of the exponential part of g,
M = a · (m1 + m2) · s · v mod n,
C ′ = a · (m1 + m2) · s · v · t mod n.
Then C ″ = (a ′ · s ′) · C ′ = (m1 + m2) · v · t mod n,
C ″ ′ = t ′ · C ″ = (m1 + m2) · v mod n.
And
m ′ = v ′ · C ′ ″ = (m1 + m2) mod n.

Since m1 and m2εZ _{((n / 2b) -1)} , m1 + m2 <n / 2, and
It can be seen that m ′ is obtained m ′ = m1 + m2.

  With the configuration described above, in the present embodiment, each data encrypted using the system public key generated from the two secret keys can be operated in the encrypted state on the server on the cloud. Is.

  Further, by managing the two secret keys by different devices, the confidentiality of each data and the operation result can be maintained from the server unless there is a collusion of each device.

  In addition, a part of the calculation result calculated in the encrypted state (partial information generated when performing the calculation) is further encrypted with the public key of the user terminal device that uses the calculation result, so that the corresponding user Only the terminal device can decrypt the encrypted operation result. In other words, in other words, the same decryption secret key is distributed in advance by encrypting a part of the calculation result (partial information generated when performing the calculation) with the public key of the destination user terminal. The calculation result can be safely provided to a plurality of user terminal devices.

  In order to decrypt the encrypted operation result, two private keys corresponding to the system public key that has encrypted each data and a private key of the user terminal device that uses the operation result are required. By processing the encrypted operation result so as to be decrypted by the corresponding user terminal by processing via the communication between the devices, the applicable user terminal device can decrypt the encrypted operation result. ..

1 Confidential Computing System 10 Aggregation Device 20 Receiving Device 30 Registration Device 40 User Terminal Device 50 Network 101 Information Generation Unit 102 Cryptographic Processing Unit 103 Data Transmission / Reception Unit 104 Information Input Unit 105 Information Output Unit 106 Primary Storage Unit 107 Data Storage Unit 108 Key Storage unit 109 Table 201 Information generation unit 202 Cryptographic processing unit 203 Data transmission / reception unit 204 Information input unit 205 Information output unit 206 Primary storage unit 207 Data storage unit 208 Key storage unit 301 Information generation unit 302 Cryptographic processing unit 303 Data transmission / reception unit 304 Information Input unit 305 Information output unit 306 Primary storage unit 307 Data storage unit 401 Information generation unit 402 Encryption processing unit 403 Data transmission / reception unit 404 Information input unit 405 Information output unit 406 Primary storage unit 407 Data storage unit 408 Key storage unit 601 Input / output device 602 Communication device 603 Memory 604 Storage device 605 CPU

Claims (2)

Data A secret anonymous calculation method in the security operation system that operation remains encrypted,
The accepting device selects prime numbers p and q, calculates n = p · q , arbitrarily selects a random number kεZ _n , calculates g = 1 + k · n mod n ² , and accepts the selected p and q A first step of transmitting the calculated n and g as a private key of the device to the totalizing device as a public key of the accepting device;
The aggregating device arbitrarily selects a ∈ Z _n , obtains a ′ such that a ′ · a = 1 mod n , calculates G = g ^a mod n ² , and arbitrarily selects u ∈ Z _N (n ² Is described as N), the obtained a ′ and the selected u are used as the secret key of the aggregating device, and the parameter b that is the maximum value of the number of terms to be calculated is selected from natural numbers smaller than n / 2, and the reception is performed. A second step of transmitting n received from the device and the calculated G to the registration device as a system public key of the secret computing system, and also transmitting the selected b to the registration device as a public parameter of the secret computing system; ,
The registration device selects mεZ _{((n / 2b) −1)} as integer value data to be encrypted , randomly selects a random number rεZ _n , and selects the random number rεZ _n for the selected data m. Calculating encrypted data c = G ^m · r _n mod n ² using the system public key sent from the computer and the selected random number r, and transmitting the encrypted data c to the aggregation device. 3 steps,
A fourth step in which the aggregation device uses the selected u to convert the encrypted data c into c = c + u mod n ² , and registers the converted c in the data storage unit;
The third step and the fourth step are performed at any time,
A fifth step in which the user terminal device generates a public key and a secret key of the user terminal device and registers the public key of the user terminal device in the reception device;
A sixth step in which the user terminal device transmits, to the accepting device, a confidential calculation request in which it is specified that the sum or difference between the encrypted data c ₁ and the encrypted data c ₂ is desired to be known;
The reception device receives a confidential calculation request from the user terminal device, extracts a public key of the user terminal device, and sends the public key of the user terminal device to the aggregation device together with the received confidential calculation request. The seventh step of sending,
The aggregation device receives the confidential calculation request from the reception device , acquires the encrypted data c ₁ and the encrypted data c ₂ specified by the confidential calculation request from the data storage unit , and the aggregation device secret The key u is taken out, and the obtained encrypted data c ₁ and encrypted data c ₂ are replaced with c ₁ = c ₁ −u mod n ² and c ₂ = c ₂ −u mod n ² , respectively, and requested. It is determined whether the operation is a sum or a difference, and if it is a sum, c ′ = (c ₁ · c ₂ ) mod n ² is calculated, and if it is a difference, c ′ = (c ₁ / c ₂ ). mod n ² is calculated, sεZ _n is arbitrarily selected, s ′ is obtained as s ′ · s = 1 mod n, vεZ _n is arbitrarily selected, and v ′ · v = 1 mod n is obtained. Also, v ′ is encrypted with the public key of the user terminal device sent from the reception device, and calculation is performed. And c 'and, by using the selected s and v, encryption operation result C = (c' a) ^{s · v} mod n ² is computed, calculated encryption operation result C of the with v 'encrypted An eighth step of transmitting to the accepting device,
The reception device ^calculates M = L ((C ^λ mod n ² ) / L (g ^λ mod n ² )) mod n, where (L (x) = (x−1) / n, and λ = 1 cm. (P−1, q−1)), tεZ _n is arbitrarily selected, and t ′ is obtained as t ′ · t = 1 mod n, and C ′ is calculated using the calculated M and the selected t. = M · t mod n, the ninth step of transmitting the calculated C ′ to the aggregating device,
A tenth step in which the aggregating device extracts the obtained a ′ and s ′, calculates C ″ = a ′ · s ′ · C ′ mod n, and transmits the calculated C ″ to the reception device. ,
The reception device takes out the obtained t ′, calculates C ′ ″ = t ′ · C ″ mod n, and encrypts it with the public key of the user terminal device sent from the aggregation device. an eleventh step of transmitting v ′ and the calculated C ′ ″ to the user terminal device;
The user terminal device decrypts v ′ encrypted with the public key of the user terminal device to obtain v ′, C ″ ′ sent from the accepting device, and decrypted v ′. Then, m ′ = v ′ · C ′ ″ mod n is calculated (if m ′ <n / 2, m ′ = m ′, and if m ′ ≧ n / 2, m ′ = m ′. -N), and a twelfth step of acquiring m'as a calculation result of the confidential calculation request,
Secret anonymous calculation method characterized by comprising a. A secret computing system that computes data encrypted
A reception device, an aggregation device, a registration device, and a user terminal device,
The accepting device selects prime numbers p and q, calculates n = p · q, and generates a random number kεZ _n , G = 1 + k · n mod n ^Two And the selected p and q are used as the secret key of the reception device, and the calculated n and g are transmitted to the aggregation device as the public key of the reception device,
The aggregating device is aεZ _n Is arbitrarily selected to obtain a ′ such that a ′ · a = 1 mod n, and G = g ^a   mod n ^Two And u ∈ Z _N Arbitrarily select (n ^Two Is described as N), the obtained a ′ and the selected u are used as the secret key of the aggregating device, and the parameter b that is the maximum value of the number of terms to be calculated is selected from natural numbers smaller than n / 2, and the reception is performed. The n received from the device and the calculated G are transmitted to the registration device as a system public key of the secret computing system, and the selected b is also transmitted to the registration device as a public parameter of the secret computing system,
The registration device uses mεZ as the integer data to be encrypted. _{((N / 2b) -1)} , A random number r ∈ Z _n For any selected data m, using the system public key sent from the aggregation device and the selected random number r, the encrypted data c = G ^m ・ R _n   mod n ^Two And perform a first process of transmitting the encrypted data c to the aggregation device,
The aggregation device uses the selected u to convert the encrypted data c to c = c + u mod n ^Two A second process of converting the converted c into
The first processing and the second processing are performed at any time,
The user terminal device generates a public key and a secret key of the user terminal device, and registers the public key of the user terminal device in the reception device,
The user terminal device uses the encrypted data c ₁ And encrypted data c _Two Send a confidential calculation request that specifies that you want to know the sum or difference with
The reception device receives a confidential calculation request from the user terminal device, retrieves a public key of the user terminal device, and sends the public key of the user terminal device to the aggregation device together with the received confidential calculation request. Send,
The aggregation device receives the confidential calculation request from the accepting device, and the encrypted data c designated by the confidential calculation request is received from the data storage unit. ₁ And encrypted data c _Two To obtain u, which is the secret key of the aggregation device, and obtain the encrypted data c ₁ And encrypted data c _Two Respectively c ₁ = C ₁ -U mod n ^Two , C _Two = C _Two -U mod n ^Two To determine whether the requested operation is a sum or a difference, and if it is a sum, c ′ = (c ₁ ・ C _Two ) Mod n ^Two Is calculated, and if the difference is c ′ = (c ₁ / C _Two ) Mod n ^Two And s ∈ Z _n , S ′ · s = 1 mod n is obtained, and vεZ _n , V ′ · v = 1 mod n is obtained, v ′ is encrypted with the public key of the user terminal device sent from the reception device, and the calculated c ′ is selected. The encryption operation result C = (c ′) using s and v ^sv   mod n ^Two And transmits the calculated encrypted operation result C to the accepting device together with the encrypted v ′,
The reception device is M = L ((C ^λ   mod n ^Two ) / L (g ^λ   mod n ^Two )) Mod n is calculated (L (x) = (x−1) / n and λ = 1 cm (p−1, q−1)), and tεZ _n , T ′ · t = 1 mod n is calculated, C ′ = M · t mod n is calculated using the calculated M and the selected t, and the calculated C ′ is added to the above. Send to the device,
The aggregating device extracts the obtained a ′ and s ′, calculates C ″ = a ′ · s ′ · C ′ mod n, and transmits the calculated C ″ to the accepting device,
The acceptance device takes out the obtained t ′, calculates C ′ ″ = t ′ · C ″ mod n, and encrypts it with the public key of the user terminal device sent from the aggregation device. v ′ and the calculated C ′ ″ are transmitted to the user terminal device,
The user terminal device decrypts v ′ encrypted with the public key of the user terminal device to obtain v ′, and C ″ ′ sent from the accepting device and decrypted v ′. Then, m ′ = v ′ · C ′ ″ mod n is calculated (if m ′ <n / 2, m ′ = m ′, and if m ′ ≧ n / 2, m ′ = m ′. -N), m'is acquired as the calculation result of the confidential calculation request,
A secret computing system characterized by the above.

Images