JP7073295B2 - Concealment calculation device, concealment calculation method and concealment calculation program - Google Patents

Description

The present invention relates to a secret calculation device for a two-variable function, a secret calculation method, and a secret calculation program.

Conventionally, a secret calculation method has been proposed in which plaintext is calculated while being encrypted.
For example, in Non-Patent Documents 1 to 3, when the input integer is converted into a bit value, that is, when the plaintext is a bit value (hereinafter, referred to as bit-wise), the code is written by a completely quasi-isomorphic encryption method. The four plaintext algorithms (secret addition, secret subtraction, secret multiplication, secret division) have been proposed.
Further, in Non-Patent Document 4, when the input integer is not converted into a bit value, that is, when the plaintext is an integer value (hereinafter referred to as an integer-wise), 2 on the ciphertext by the fully homomorphic encryption method is used. An algorithm for value comparison operation has been proposed.
Further, Non-Patent Document 5 proposes a secret division method in a two-way protocol using additive homomorphic encryption.

Yao Chen and Guang Gong. Integer arithmetic over ciphertext and homomorphic data aggregation. In 2015 IEEE Conference on Communications and Network Security (CNS), pages 628-632, Sept 2015. Chen Xu, Jingwei Chen, Wenyuan Wu, and Young Feng. Homomorphically encrypted arithmetic operations over the integer ring. In Feng Bao, Liquun Chen, Robert H. Deng, and Guojun Wang, editors, Information Security Practice and Experience, pages 167-181, Springer, 2016. Jingwei Chen, Young Feng, Yang Liu, and Wenyuan Wu. Faster arithmetic operations on encrypted integers. In the 7th International Workshop on Computer Science and Engineering, 2017. H. Narumanchi, D.M. Goyal, N.M. Emmadi, and P.M. Gauravaram. Performance analysis of sorting of the data: Integer-wise comparison vs bit-wise comparison. In 2017 IEEE 31st International Conference on Advanced Information Networking and Applications (AINA), pages 902-908, March 2017. Morten Dahl, Chao Ning, and Tomas Toft. On secure two-party integer division. In Angelos D. Keromytis, editor, Financial Cryptography and Data Security, pages 164-178. Springer, 2012.

By the way, in the confidential calculation of integer-wise, since it is not necessary to encrypt the input integer for each bit of the binary number, the number of times of encryption is smaller than that of bit-wise, which is advantageous. Further, for example, bit-wise addition / subtraction requires processing using multiplication, which is a bottleneck in processing speed in fully homomorphic encryption, such as carry processing in binary arithmetic. On the other hand, the addition / subtraction of integer-wise is fast because the ciphertexts can be added together without using multiplication.
As described above, while confidential calculation by integer-wise is desired, the following problems exist.

For example, Non-Patent Document 4 proposes an algorithm for integer-wise binary comparison operation, but it is slower than bit-wise operation due to the amount of calculation and the depth of the multiplication circuit. Further, the division can be realized by using the binary comparison operation as a submodule and repeating the binary comparison and the subtraction, but the speed is further reduced by repeating the binary comparison.
Further, in the above-mentioned concealment division method of Non-Patent Document 5, the speed is increased by adding a restriction that the number to be divided is an integer of l-bit, whereas the number to be divided is an integer of log l-bit. However, the number of divisions is limited to integers of l-1 or less, and it lacks versatility.
As described above, a high-speed integer-wise division algorithm with fully homomorphic encryption, and a high-speed integer-wise concealment calculation algorithm applicable to any two-variable function have not been proposed.

An object of the present invention is to provide a secret calculation device, a secret calculation method, and a secret calculation program capable of performing secret calculation of a two-variable function in a general and high-speed manner.

The secret computing device according to the present invention is the first variable when the second variable in a two-variable function having the first variable and the second variable as inputs is fixed to a constant in the space in a plain text space. The first storage unit that stores the coefficient of the first polymorphic code that defines the function value according to the above constants for each of the constants, and the value of the first variable and the value of the second variable are stored by a quasi-identical encryption method. An input unit that accepts the input of the first and second encrypted texts, and a secret power calculation unit that calculates the power of the first cryptographic text in the space of the encrypted text by the quasi-same type encryption method. And a secret function calculation unit that fixes the second variable to one of the constants and calculates the value of the first polypoly by the internal product of the coefficient of the first polymorphism and the cube of the first cipher statement. , A secret equal number calculation unit that calculates a determination value that becomes 0 when the plain text before encryption of the second encrypted text and the constant are different from each other, and one in the space that the second variable can take. By summing up the product of the calculation result by the concealment function calculation unit and the calculation result by the concealment equivalence calculation unit for each constant of the unit, the first cipher sentence and the second cipher sentence are input to the two variables. It has an output unit that outputs the value of the function.

The first storage unit may store the coefficients of the first polynomial only for some of the constants.

The secret calculation device stores the coefficients of the second polynomial, which defines a function that becomes 1 when the second variable is equal to the constant and 0 when the second variable is different, by polynomial interpolation, for each of the constants. The secret power calculation unit further calculates the power of the second code, and the secret power calculation unit is based on the inner product of the coefficient of the second polynomial and the power of the second code. , The value of the second polynomial may be calculated as a code statement of the determination value.

The second storage unit may store the coefficients of the second polynomial only for some of the constants.

The second storage unit defines the second polynomial with an order corresponding to a space of values that the second variable can take, and the concealed exponentiation calculation unit determines the exponentiation of the second ciphertext. 1 The order may be calculated to be lower than the power of the ciphertext.

The two-variable function may be a division in which the first variable is a divisor and the second variable is a divisor.

The secret calculation method according to the present invention is the first variable when the second variable in a two-variable function having the first variable and the second variable as inputs is fixed to a constant in the space in a plain text space. The first storage step in which the coefficient of the first polymorphic code in which the function value corresponding to the above is defined by polymorphic interpolation is stored for each of the constants, and the value of the first variable and the value of the second variable are stored by a quasi-isomorphic encryption method, respectively. An input step that accepts the input of the first encrypted text and the second cipher, and a secret power calculation step that calculates the power of the first cipher in the space of the cipher by the quasi-same cryptographic method. And a secret function calculation step in which the second variable is fixed to one of the constants and the value of the first polypoly is calculated by the internal product of the coefficient of the first polypoly and the cube of the first cipher. , A secret equalization calculation step for calculating a determination value that becomes 0 when the plain text before encryption of the second encrypted text and the constant are different from each other, and one in the space that the second variable can take. By summing up the product of the calculation result in the concealment function calculation step and the calculation result in the concealment equivalence calculation step for each constant of the unit, the first cipher sentence and the second cipher sentence are input to the two variables. The computer performs an output step that outputs the value of the function.

The secret calculation program according to the present invention is for operating a computer as the secret calculation device.

According to the present invention, the concealment calculation of a two-variable function can be performed universally and at high speed.

It is a block diagram which shows the functional structure of the concealment calculation apparatus which concerns on embodiment. It is a flowchart which illustrates the algorithm of the secret exponentiation operation which concerns on embodiment. It is a flowchart which illustrates the pre-calculation algorithm before executing the concealment constant equal sign operation which concerns on embodiment. It is a flowchart which illustrates the algorithm of the concealment constant equal sign operation which concerns on embodiment. It is a flowchart which illustrates the pre-calculation algorithm before executing the concealment constant function operation which concerns on embodiment. It is a flowchart which illustrates the algorithm of the concealment constant function operation which concerns on embodiment. It is a figure which shows the algorithm of the secret two-variable function operation which concerns on embodiment. It is a figure which shows the experimental result which compared the execution speed when the secret two-variable function operation which concerns on embodiment is applied to a secret division operation, with or without limitation. It is a figure which shows the depth of the homomorphic multiplication and the number of calls of the homomorphic operation when the limitation by the subset which concerns on embodiment is not provided. It is a figure which shows the depth of the homomorphic multiplication and the number of calls of the homomorphic operation when the limitation by the subset which concerns on embodiment is provided.

Hereinafter, an example of the embodiment of the present invention will be described.
FIG. 1 is a block diagram showing a functional configuration of the secret calculation device 1 according to the present embodiment.
The secret calculation device 1 is an information processing device (computer) such as a server device or a personal computer, and includes a control unit 10 and a storage unit 20, as well as various data input / output devices and communication devices.

The control unit 10 is a part that controls the entire secret calculation device 1, and realizes each function in the present embodiment by appropriately reading and executing various programs stored in the storage unit 20. The control unit 10 may be a CPU.

The storage unit 20 is a storage area for various programs and various data for making the hardware group function as the secret calculation device 1, and may be a ROM, RAM, flash memory, hard disk (HDD), or the like. Specifically, the storage unit 20 stores a program (confidential calculation program) for causing the control unit 10 to execute each function of the present embodiment and data in the middle of execution.

Further, the storage unit 20 is the first when the second variable in the two-variable function g having the first variable and the second variable as inputs is fixed to a constant in the space _Zp of the plain sentence modulo the prime number p. The coefficient vector of the first polynomial in which the function value corresponding to the variable is defined by polynomial interpolation is stored for each constant.
In this embodiment, the space of the second variable (eg, the number to divide in division) is limited to a subset of Z _p . Therefore, if this subset is fixed in advance, the coefficient vector of the first polynomial for each constant may be stored only for some constants in _Zp . If the subset is changed each time the calculation is performed, the coefficient vector is stored for all the constants in _Zp .

Further, the storage unit 20 sets the coefficient vector of the second polynomial, which defines a function that becomes 1 when a variable is equal to a constant and 0 when it is different, by polynomial interpolation in the space _Zp of the plain text for each constant. Remember.
In this embodiment, the space of the second variable that is the input of this function is limited to the subset of _Zp . Therefore, if this subset is fixed in advance, the coefficient vector of the second polynomial for each constant may be stored only for some constants in _Zp , and the second polynomial is the second polynomial. Compared with one polynomial, the degree may be reduced according to the size of the subset. When the subset is changed every time the calculation is performed, the coefficient vector is stored for all the constants in _Zp , and the degree of the second polynomial is p-1 like the degree of the first polynomial. ..

The control unit 10 includes an input unit 11, a concealed exponentiation calculation unit 12, a concealment function calculation unit 13, a concealment equal sign calculation unit 14, and an output unit 15.

The input unit 11 inputs the input of the first ciphertext C _a and the second ciphertext C _b in which the value a of the first variable and the value b of the second variable in the two-variable function g are encrypted by the homomorphic encryption method, respectively. accept.

The concealed exponentiation calculation unit 12 is a exponentiation vector of the first exponentiation C _a (C _a , C _a ² , C _a ³ , ..., C _a ^{p -1} ) and the exponentiation vector (C _b , C _b ² , C _b ³ , ..., C _b ^{| S | -1} ) of the second cipher sentence C _b are calculated. Note that | S | is the size of the set S consisting of possible values of the second variable, and | S | <p.

The secret function calculation unit 13 fixes the second variable to one of the constants, and the coefficient vector of the first polynomial stored in advance in the storage unit 20 and the vector in which the power of the first code sentence _Ca is arranged. The value of the first polynomial is calculated from the inner product.

The secret equal sign calculation unit 14 calculates a determination value of 0 in the ciphertext when the plaintext b before encryption and the constant of the second ciphertext C _b are different.
Specifically, the concealment equality arithmetic unit 14 is a second polynomial based on the inner product of the coefficient vector of the second polynomial stored in advance in the storage unit 20 and the vector obtained by arranging the powers of the second ciphertext C _b . The value of is calculated as a ciphertext of the determination value.

The output unit 15 is a product of the calculation result by the concealment function calculation unit 13 and the calculation result by the concealment equality calculation unit 14 for each constant included in the set S of the values that the second variable, which is a subspace of Z _p , can take. By summing up, the value g (C _a , C _b ) of the two-variable function with the first code C _a statement and the second code C _b as inputs is output.

Hereinafter, the procedure of the integer-wise concealment calculation method applicable to any two-variable function will be described in detail.
Here, p is a prime number, plaintext space is _Zp , and ciphertext space is polynomial ring _Rp . Further, let C _a and C _b be ciphertexts in which plaintexts a and b ∈ Z _p are encrypted by a completely homomorphic encryption method.

FIG. 2 is _a flowchart illustrating an algorithm of secret power operation Powers (Ca, p), which is one of the submodules constituting the secret two-variable function calculation algorithm according to the present embodiment.

The concealed exponentiation operation Powers (C _a , p) is executed by the concealed exponentiation arithmetic unit 12, with the cipher statement C _a of the first variable a and the size (method) p of the plain sentence as arguments, and C _a . The powers of each of the powers and C _b are calculated using the multiplication of the ciphers, and the power sequence vector C _a ^power : = (C _a , C _a ² , C _a ³ , ..., C _a ^p-1 ). ) And C _b ^power : = (C _a , C _a ² , C _a ³ , ..., C _a ^l-1 ) are returned.

In step S1, the concealed exponentiation calculation unit 12 calculates the maximum integer l that does not exceed log p.
In step S2, the concealed exponentiation calculation unit 12 performs loop processing while incrementing the index i from 0 to l-1.
In step S3, the concealed exponentiation calculation unit 12 performs loop processing while incrementing the index ^j from 1 to 2i.

In step S4, the concealed power calculation unit 12 calculates the (2i + ^j ) power of the ciphertext Ca by homomorphic multiplication ( _FHE.Mult ) of the _2i power of C and the ^j power of _Ca. ..
By repeating this process, ^{Ca is calculated from the square to the square of 2 l} _.

In step S5, the concealed exponentiation calculation unit 12 determines whether or not 2 ^l is smaller than p-1. If this determination is YES, the process proceeds to step S6, and if the determination is NO, the process proceeds to step S8.

In step S6, the concealed exponentiation calculation unit 12 performs loop processing while incrementing the index j from 1 to p-1-2 ^l .
In step S7, the concealed power calculation unit 12 calculates the (2 _l + j) power of the ciphertext Ca by homomorphic multiplication ( _FHE . Multi) of the 2 ^l power of ^Ca and the j power of _Ca. ..
By repeating this process, ^{Ca is calculated from the (2 l} ₊ 1) power to the (p-1) power.

In step S8, the concealed exponentiation calculation unit 12 outputs the exponentiation vector of the ciphertext C _a (C _a , C _a ² , C _a ³ , ..., C _a ^p-1 ).

In this algorithm, the depth of multiplication is suppressed to O (log (p)). For example, when p = 17, C _a ² = C _a x C _a , C _a ⁴ = C _a ² x C _a ² , C _a ⁸ = C _a ⁴ x C _a ⁴ and C _a ¹⁶ = C _a ⁸ x It can be calculated as C a8, and the depth of multiplication is log (16) ₌ ⁴ .

FIG. 3 is a flowchart illustrating a pre-calculation algorithm before executing ^ConstEq ( _Capow , y), which is one of the submodules constituting the concealed two-variable function calculation algorithm according to the present embodiment. Is.

In step S11, the concealment equal sign calculation unit 14 defines a one-variable function gy (x) = 1 (when x = _y ) and 0 (when x ≠ y) of the equal sign operation with the constant y. Get the data point gy (x) for all x, _y ∈ Z _p .

In step S12, the secret equal sign calculation unit 14 performs loop processing while incrementing the index i from 0 to p-1.
In step S13, the concealment equal sign arithmetic unit 14 performs polynomial equi (x): Z _p → Z _p that satisfies _{fi (x) = g i ( x} ) for all x ∈ Z _p by polynomial interpolation. The coefficient vector a _fi ^ConstEq of is obtained.
By repeating this process, the coefficient vector a _fyConstEq of the polynomial f _y (x) ^can be obtained for all y ∈ Z _p .

In step S14, the concealment equal sign calculation unit 14 stores the coefficient vector a _fyConstEq for all y ^∈ Z _p in the storage unit 20 (second storage unit) as a constant matrix.

In this algorithm, if p = 17 and the candidate set S = {2,3,5} of the second argument, for example, for y = 2 ∈ S, the concealment equality arithmetic unit 14 is a data point group (2, 1), (3,0), (5,0) are acquired, and (log p) -1 = third-order polynomial f _y (x) is obtained by polynomial interpolation. The concealment equal sign arithmetic unit 14 performs polynomial interpolation in the same manner for y = 3,5 ∈ S, and stores each coefficient vector.

FIG. 4 is a flowchart illustrating an algorithm of the secret constant equal sign operation ^ConstEq ( _Capow , y), which is one of the submodules constituting the secret two-variable function calculation algorithm according to the present embodiment.

The concealed constant equality calculation ^ConstEq (C _a power, y) is executed by the concealed equality arithmetic unit 14, and the argument is the ciphertext vector C _a ^pow of the ciphertext C _a of the first variable a and the plain sentence y of the constant. And returns C _{(a = y)} which is a ciphertext of the value of the conditional expression (a = y) (for example, TRUE = 1, FALSE = 0).

In step S21, the concealment equal ^{sign calculation unit 14 acquires the coefficient vector afyConstEq} _{corresponding} to the constant y as an argument from the constant matrix stored by the pre-calculation.

In step S22, the concealment equal sign calculation unit 14 uses the ciphertext C _{(a = y)} of the conditional expression (a = y) by the inner product of the coefficient vector and the power sequence vector of the ciphertext a as follows. Calculate and output.
C _{(a = y)} = f _y (C _a )
= (A _fyConstEq ) ^TC _a ^{power modd} p

FIG. 5 is a flowchart illustrating a pre-calculation algorithm before executing the concealed constant function operation ^ConstFunc (C _a power, y), which is a submodule constituting the concealed two-variable function operation algorithm according to the present embodiment.

In step S31, the concealment function calculation unit 13 has a one-variable function gy (x) with y as a constant for a predetermined two-variable function g (x, _y ): Z _p × Z _p → Z _p . = G (x, _y ) is defined, and the data point gy (x) is acquired for all x, y ∈ Z _p .

In step S32, the secret function calculation unit 13 performs loop processing while incrementing the index i from 0 to p-1.
In step S33, the concealment function arithmetic unit 13 uses polynomial _{interpolation} to satisfy the polynomial _{fi (x) = g i ( x} ) for all x _∈ Z _p . Find the coefficient vector a _fi ^ConstFunc .
By repeating this process, the coefficient vector a _fyConstFunc of the polynomial f _y (x) ^can be obtained for all y ∈ Z _p .

In step S34, the concealment function calculation unit 13 stores the coefficient vector a _fyConstFunc for all y ^∈ Z _p in the storage unit 20 (first storage unit) as a constant matrix.

In this algorithm, f _y (0) = g (0, y), f _y (1) = g (1, y), ..., f _y (p-1) = g (p-1, y). When is given, f _y (x) is polynomial interpolated to " _fy (x) = a _{{1, y}} · x + a _{{2, y}} · x ² + ... + a _{{p-1, y}.} -X ^p-1 mod p "is obtained. As a result, the coefficient vector (a _{{1, y}} , a _{{2, y}} , ..., a _{{p-1, y}} ) is stored in association with y (0 ≦ y <p).
Assuming that p = 17, the candidate set S of the second argument S = {2,3,5}, for example, for y = 2 ∈ S, the concealment equal number arithmetic unit 14 is {0,1, ..., 16 } Divide 2 data point groups (0,0), (1,0), (2,1), ..., (16,8) are acquired, and p-1 = 16th-order polynomial by polynomial interpolation. Find f _y (x). The concealment equal sign arithmetic unit 14 performs polynomial interpolation in the same manner for y = 3,5 ∈ S, and stores each coefficient vector.

FIG. 6 is a flowchart illustrating the algorithm of the secret constant function calculation ^ConstFunc (C _a power, y), which is a submodule constituting the secret two-variable function calculation algorithm according to the present embodiment.

The concealed constant function operation ^ConstFunc (C _a power, y) is executed by the concealed function calculation unit 13, and takes as arguments the quadrature column vector C _a ^pow of the cryptographic sentence C _a of the first variable a and the plain sentence y of the constant. Returns C _{(a, y)} = g (C _a , y), which is a code statement of the one-variable function g (a, y) in which the second variable of the two-variable function is fixed to y.

In step S41, the concealment function calculation unit 13 ^{acquires the coefficient vector a fyConstFunc} _{corresponding} to the constant y as an argument from the constant matrix stored by the pre-calculation.

In step S42, the secret function calculation unit 13 calculates the ciphertext C _{g (a, y)} of g (a, y) by the inner product of the coefficient vector and the power sequence vector of the ciphertext a as follows. And output.
C _{g (a, y)} = f _y (C _a )
= (A _fyConstFunc ) ^T・ C _a ^{power mod} p

FIG. 7 is a diagram showing an algorithm of the secret two-variable function operation Func (C _a , C _b , S) according to the present embodiment.

The secret two-variable function operation Func (C _a , C _b , S) sets the cipher statement C a of the first variable a, the cipher statement C _b of the second variable _b , and the set S of possible values of the second variable b. As an argument, C _{g (a, b)} = g (C _a , C _b ), which is a cipher statement of g (a, b), is returned.
The concealed two-variable function operation Func (C _a , C _b , S) is configured by using the above-mentioned three submodules Powers, ConstFunk, and ConstEq.

In step S51, the control unit 10 initializes the internal variable C _sum to 0.
In step S52, the control unit 10 (confidential exponentiation calculation unit 12) uses Powers (C _a , p) to form _a power sequence consisting of power values having 1 to p-1 as exponents for the argument Ca. ^Calculate the vector C _a power.
In step S53, the control unit 10 (confidential exponentiation unit 12) uses Powers (C _b , | S |) to control the argument C _b from a power value having 1 to | S | -1 as an exponent. The exponentiation vector C _b ^power is calculated.

In step S54, the control unit 10 performs a loop process of repeating the subsequent steps S55 to S57 for each of the elements i of the set S.
In step S55, the control unit 10 (confidential function calculation unit 13) calculates C _{g (a, i)} = g (C _a , i) = ^ConstFunc (C _a power, i) with i as a constant.
In step S56, the control unit 10 (confidential equal sign calculation unit 14) calculates C _{(b = i)} = ^ConstEq (C _b power, i) with i as a constant.

In step S57, the control unit 10 (output unit 15) adds the homomorphic multiplication (FHE.Mult) of C _{g (a, i)} and C _{(b = i)} to C _sum .
Here, C _{g (a, i)} × C _{(b = i)} becomes C _{g (a, b)} when i = b, and C ₀ when i ≠ b. Therefore, when the loop processing is completed and the product of C _{g (a, i)} and C _{(b = i)} is summed, C _sum = C _{g (a, b)} .
In step S58, the control unit 10 (output unit 15) outputs the resulting C _{g (a, b)} = C _sum .

FIG. 8 is a diagram showing experimental results comparing the execution speeds when the secret two-variable function operation Func according to the present embodiment is applied to the secret division operation, with or without restriction by the subset S.
Here, the size | S | of the second argument (divided number) d is limited to l with respect to the plaintext space p = 2 ^l .

For example, when p = 17, the execution time with limitation is 0.87 seconds, which is significantly shorter than 3.15 seconds with no limitation. In addition, p = 37,67, Similarly, in all cases 131 and 257, the execution time was significantly reduced.

9 and 10 show the depth of the homomorphic multiplication in the secret two-variable function operation Func and the submodule according to the present embodiment, and the homomorphic multiplication (FHE.Multi), (homomorphic addition FHE.Add) and. It is a figure which shows the number of calls of a homomorphic constant multiplication (FHE.multConst).
Here, FIG. 9 shows a case where the limitation by the subset S is not provided, and FIG. 10 shows a case where the limitation by the subset S is provided.

When the number of elements of the subset S | S | = l, the depth of multiplication for the input of the l-bit length and the number of calls of the homomorphic operation are reduced as compared with the case where no limit is provided.
As a result, the theoretical complexity was reduced from O (22 ^l ) to O (l 2 ^l ).

According to the present embodiment, the concealment calculation device 1 expresses a one-variable function in the case where the second variable is fixed for any two-variable function (for example, division, binary comparison, etc.) by polynomial interpolation. The concealment calculation device 1 can universally realize the concealment calculation of an arbitrary two-variable function by the concealment constant function operation ConstFunc using the coefficient of this polynomial and the power of the argument, and the concealment constant equal number operation ConstEq.

Here, the concealment calculation device 1 realizes concealment calculation of an arbitrary two-variable function by fully homomorphic encryption. For example, in the method using the bilateral protocol of Non-Patent Document 5, at least the number of log rounds of communication between the user and the server is required, but the number of communications of the present embodiment is only one round.
Further, the secret calculation device 1 limits the second variable to an arbitrary subset S with respect to the plaintext space _Zp . As a result, the concealment calculation device 1 reduces the number of executions of the concealment constant equal sign operation ConstEq, the concealment constant function operation ConstFunc, and the homomorphic multiplication with a large processing load while maintaining the versatility for the entire _Zp . Realized high speed.
Further, in the concealment calculation device 1, since the value that the second variable can take is only the element of the subset S, the second polynomial in the concealment constant equal sign operation ConstEq becomes a | S | -1 linear expression, and the amount of calculation can be reduced. ..

Once the concealment calculation device 1 calculates the exponentiation sequence vector of the ciphertext as an argument by the concealment exponentiation operation Powers, the number of multiplications between the ciphertexts is suppressed by reusing this vector.
Further, the concealment calculation device 1 enables reuse by storing the coefficient vector by pre-calculation in the concealment constant equal sign operation ConstEq and the concealment constant function operation ConstFunc. Further, by storing the coefficient vectors in the concealed constant equal number operation ConstEq and the concealed constant function operation ConstFunc only for the constants included in the set S, the processing load of the pre-calculation can be reduced.

In particular, the secret calculation device 1 can realize the secret division calculation of integer-wise at a higher speed than the conventional one.
As a result, the concealment calculation device 1 can realize various concealment calculations including division, for example, concealment average value calculation, concealment machine learning, and the like at high speed.

Although the embodiments of the present invention have been described above, the present invention is not limited to the above-described embodiments. Moreover, the effects described in the above-described embodiments are merely a list of the most suitable effects resulting from the present invention, and the effects according to the present invention are not limited to those described in the embodiments.

The secret calculation method by the secret calculation device 1 is realized by software. When realized by software, the programs that make up this software are installed in the information processing device (computer). Further, these programs may be recorded on a removable medium such as a CD-ROM and distributed to the user, or may be distributed by being downloaded to the user's computer via a network. Further, these programs may be provided to the user's computer as a Web service via a network without being downloaded.

1 Concealment calculation device 10 Control unit 11 Input unit 12 Concealed exponentiation calculation unit 13 Concealment function calculation unit 14 Concealment equal sign calculation unit 15 Output unit 20 Storage unit (1st storage unit, 2nd storage unit)

Claims (7)

In a plain space, when the second variable in a two-variable function that inputs the first variable and the second variable is fixed to a constant in the space, the function value corresponding to the first variable is calculated by polynomial interpolation. A first storage unit that stores the defined variables of the first polynomial for each of the constants, and
A second storage unit that stores the coefficients of the second polynomial, which defines a function that becomes 1 when the second variable is equal to the constant and 0 when different, by polynomial interpolation, for each of the constants.
An input unit that accepts input of the first ciphertext and the second ciphertext, in which the value of the first variable and the value of the second variable are encrypted by a homomorphic encryption method, respectively.
A concealed exponentiation calculation unit that calculates the exponentiation of the first ciphertext and the second ciphertext within the space of the ciphertext by the homomorphic encryption method.
The second variable is fixed to one of the constants, and the coefficient vector of the first polynomial is the inner product of the first polynomial of the first polynomial and the power of the first polynomial to the same degree as the power of the first polynomial. A secret function calculation unit that calculates the value of one polynomial,
The value of the second polynomial is encrypted by the second ciphertext by the inner product of the coefficient vector of the second polynomial and the vector obtained by arranging the second polynomial of the second ciphertext and the vector obtained by arranging the cubes up to the same order. A secret code calculation unit that calculates as a ciphertext of a judgment value that becomes 0 when the previous plain text and the constant are different,
The first is calculated by calculating and summing the product of the calculation result by the secret function calculation unit and the calculation result by the secret equality calculation unit for each part of the constants that the second variable can take in the space. A concealment calculation device including a ciphertext and an output unit that outputs the value of the two-variable function with the second ciphertext as an input. The concealment calculation device according to claim 1, wherein the first storage unit stores the coefficients of the first polynomial only for a part of the constants. The concealment calculation device according to claim 1 or 2, wherein the second storage unit stores the coefficients of the second polynomial only for a part of the constants. The second storage unit defines the second polynomial with a degree corresponding to the space of values that the second variable can take.
The concealment calculation device according to claim 3 , wherein the concealment power calculation unit calculates the power of the second ciphertext to the order lower than the power of the first ciphertext. The secret calculation device according to any one of claims 1 to 4, wherein the two-variable function is a division having the first variable as a divisor and the second variable as a divisor. In a plain space, when the second variable in a two-variable function that inputs the first variable and the second variable is fixed to a constant in the space, the function value corresponding to the first variable is calculated by polynomial interpolation. A first storage step in which the defined first polynomial coefficients are stored for each of the constants,
A second storage step in which the coefficients of the second polynomial, which defines a function that becomes 1 when the second variable is equal to the constant and 0 when the second variable is different, is stored for each of the constants.
An input step for accepting input of the first ciphertext and the second ciphertext in which the value of the first variable and the value of the second variable are encrypted by a homomorphic encryption method, respectively.
A concealed exponentiation calculation step for calculating the exponentiation of the first ciphertext and the second ciphertext in the ciphertext space by the homomorphic encryption method,
The second variable is fixed to one of the constants, and the coefficient vector of the first polynomial is the inner product of the first polynomial of the first polynomial and the power of the first polynomial to the same degree as the power of the first polynomial. A secret function calculation step that calculates the value of one polynomial, and
The value of the second polynomial is encrypted by the second ciphertext by the inner product of the coefficient vector of the second polynomial and the vector obtained by arranging the second polynomial of the second ciphertext and the vector obtained by arranging the cubes up to the same order. A secret code calculation step calculated as a ciphertext of a judgment value that becomes 0 when the previous plain text and the constant are different, and
The first is calculated by calculating and summing the product of the calculation result in the concealment function calculation step and the calculation result in the concealment equality calculation step for each part of the constants that the second variable can take in the space. A concealed calculation method in which a computer executes an output step of outputting a value of the two-variable function with the code text and the second code text as input. The secret calculation program for operating a computer as the secret calculation device according to any one of claims 1 to 5 .

Images