JP7100563B2 - Anonymization system and anonymization method - Google Patents

Description

The present invention relates to an anonymization system and anonymization method, and detects falsification when providing anonymization of personal information such as medical information for use in medical research and the like, and the validity of the provided information. Concerning anonymization systems and methods suitable for verifying.

In recent years, with the full enforcement of the revised Personal Information Protection Law in May 2017, the use and utilization of anonymously processed information on the premise of appropriate protection of personal information is progressing. In May 2018, the Next Generation Medical Infrastructure Law was enacted, which stipulates a mechanism for anonymously processing public medical information so that it can be used in research and development by universities and pharmaceutical companies. Due to these laws and regulations, anonymized data can be used for research and development in the medical field.

In the medical field, the validity of medical data used in research is verified, which is called "validation". In the future, it is considered that the same verification of legitimacy will be an issue for anonymous processing.

As a technique for anonymizing and providing personal information such as clinical information, for example, there is disclosure in Patent Document 1. According to the information management system described in Patent Document 1, after the anonymization processing of the subject information (personal information) such as clinical information, the owner of the subject information and the owner of the viewing authority have anonymized the information. It makes it possible to identify the information accumulated in association with.

International Publication No. 2008/069011

In Patent Document 1 of the above-mentioned prior art, since the object of the validity guarantee is a part of the original data (combination of identifiers or quasi-identifiers), the validity of anonymization cannot be guaranteed for the entire data.

Generally, there is a digital signature technique as a technique for guaranteeing the correctness of data. However, the legitimacy cannot be verified by simply applying a digital signature and performing anonymization processing such as deletion or replacement of data. If unauthorized anonymized data is used, there is a risk that the research results will be incorrect.

An object of the present invention is to provide an anonymization system and anonymization method capable of verifying the validity of anonymization that can verify the validity of anonymization processing for data even after performing anonymization processing such as deletion or replacement. There is something in it.

The configuration of the anonymization system of the present invention is preferably an anonymization system in which confidential information is anonymized by an information processing device and provided to a user, and the confidential information storage means for storing the confidential information and the confidential information are abstracted. Abstraction candidate group information storage means that is a candidate group of information to be converted, extended secret data storage means that stores extended secret data by adding candidate information to be abstracted to secret information, and some information from secret information Anonymized data storage means that stores anonymized data that has been deleted or replaced, extended secret data generation means that generates extended secret data using confidential information and abstraction candidate group information, and extended secret data or anonymized data. Verification of the validity of given anonymized data, a signature generation means that uses the hash value of confidential information as an intermediate value to generate a digital signature, an anonymization means that generates anonymized data using extended secret data, and anonymization means. The extended secret data generation means includes a means for verifying the validity of anonymized data, and the extended secret data generation means is a candidate for information that abstracts the secret information stored by the secret information storage means and a group of abstraction candidates. With reference to the group, extended secret data is generated, and the anonymization means performs a process of replacing the extended secret data with a hash value that is the same as the intermediate value of the signature generation of the signature generation means, and the anonymized data. The signature generation means generates the first signature value from the extended secret data generated by the extended secret data generation means and the second signature value from the anonymized data generated by the anonymization means. However, the anonymized data validity verification means verifies the validity of the given anonymized data by comparing the first signature value and the second signature value.

INDUSTRIAL APPLICABILITY According to the present invention, there is provided an anonymization system and an anonymization method capable of verifying the validity of anonymization that can verify the validity of anonymization processing for data even after performing anonymization processing such as deletion or replacement. be able to.

It is an overall configuration diagram of the anonymization system. It is a functional block diagram of the anonymized data providing server. It is a functional block diagram of the anonymized data user terminal. It is a hardware software block diagram of the anonymized data providing server and the anonymized data user terminal. It is a figure which shows an example of the data structure of a patient data table. It is a figure which shows an example of the data structure of the abstraction pattern group. It is a figure which shows an example of the data structure of the extended patient data table. It is a figure which shows an example of the data structure of a signature data table. It is a figure which shows an example of the data structure of anonymized data. It is a sequence diagram which shows a series of processing until a user acquires anonymized data from an anonymized data providing server and verifies it. It is a flowchart which shows the patient data record expansion processing. It is a flowchart which shows the signature generation process (the 1). It is a flowchart which shows the signature generation process (the second). It is a flowchart which shows the verifiable anonymization process. It is a flowchart which shows the record deletion process. It is a flowchart which shows the attribute deletion process. It is a flowchart which shows the attribute replacement process. It is a flowchart which shows the signature verification process.

Hereinafter, an embodiment of the present invention will be described with reference to FIGS. 1 to 17.
In this embodiment, an example provided by a hospital or the like for anonymizing a patient's medical information and utilizing it for medical research, statistical data, etc. will be described.
First, the configuration of the anonymization system will be described with reference to FIGS. 1 to 4.

First, the overall configuration of the anonymization system will be described with reference to FIG.
The anonymized data providing system is a system for a data owner (data holder) who holds information including personal information to anonymize the information and then provide the information to a data user. As shown in FIG. 1, the anonymized data providing system is composed of an anonymized data providing server 1 and an anonymized data user terminal 2, and is connected by a network 3.

The anonymized data providing server 1 is a server that provides a function of a data holder to store personal information and perform anonymization processing for provision. The anonymized data user terminal 2 is a client terminal in which the data user downloads the anonymized data and verifies the validity. The network 3 may be a global network such as the Internet, or may be a LAN (Local Network) installed on the premises.

Next, the functional configuration of the anonymized data providing server will be described with reference to FIG.
As shown in FIG. 2, the anonymized data providing server 1 includes a Web server function unit 101, a record extension function unit 102, an anonymization processing function unit 103, a random number generation unit 104, a hash value generation unit 105, and a signature generation unit 106. , Consists of a storage unit 110.

The Web server function unit 101 is a function unit that performs a process of disclosing a patient data name and a digital signature value to a data user on a Web page. The record extension function unit 102 is a function unit that performs preprocessing for expanding patient data prior to the anonymization process. The anonymization processing function unit 103 is a function unit that performs verifiable anonymization processing. The random number generation unit 104 is a functional unit that generates a random number to be given in order to enhance the security of the hash value. The hash value generation unit 105 is a functional unit that generates a hash value by a one-way function or the like. The signature generation unit 106 is a functional unit that generates a digital signature by inputting extended patient data. The storage unit 110 is a functional unit that stores data used by the anonymized data providing server 1.

The storage unit 110 stores a patient data table 301, an abstraction pattern group 302, an extended patient data table 303, a signature data table 304, and anonymization data 305.

The patient data table 301 is a table for storing patient data including personal information. The abstraction pattern group 302 is the data of the pattern group of the replacement process in the anonymization of patient data. The extended patient data table 303 is a table for storing patient data that has undergone extended processing as a preprocessing for anonymization processing. The signature data table 304 is a table that stores a pair of a patient data name and a digital signature value of the extended patient data of the patient data. The anonymized data 305 is data obtained by anonymizing patient data.
The specific structure of the data will be described in detail later.

Next, the functional configuration of the anonymized data user terminal will be described with reference to FIG.
As shown in FIG. 3, the anonymized data user terminal 2 includes a browser function unit 201, a signature verification processing unit 202, a hash value generation unit 203, a signature generation unit 204, and a storage unit 210. The Web browser function unit 201 is a function unit that performs a process of referencing a Web page. The signature verification processing unit 202 is a functional unit that verifies the validity of anonymization by comparing the signature value acquired from the Web page with the signature value of the received anonymization data. The hash value generation unit 203 is a functional unit that generates a hash value by a one-way function or the like. The signature generation unit 204 has the same function as the signature generation unit 106 of the anonymization data providing server 1, and is a functional unit that generates a digital signature by inputting the anonymized data. The storage unit 210 is a functional unit that stores data used in the anonymized data user terminal 2.

Anonymized data 305 and signature value 311 are stored in the storage unit 210. The anonymized data 305 and the patient data are anonymized and are received from the anonymized data providing server 1 via the network 3. The signature value 311 is a digital signature value for verification acquired from the Web page and a digital signature value generated from the anonymized data 305.

Next, the hardware configuration and software configuration of the anonymized data providing server and the anonymized data user terminal will be described with reference to FIG.
The hardware configuration of the anonymized data providing server 1 is realized by, for example, a general information processing device such as the server device shown in FIG. It may also be a virtual machine built on an actual computer.

The anonymized data providing server 1 has a CPU (Central Processing Unit) 401, a main memory 402, a network interface 403, a display device 410, and an input device 420 connected by a bus.

The CPU 401 controls each part of the anonymized data providing server 1, loads and executes a program required for the main memory 402.

The main memory 402 is usually composed of a volatile memory such as a RAM, and stores a program executed by the CPU 401 and data to be referred to.

The network interface 403 is an interface for connecting to the network 3.

The display device 410 is a device that displays information such as an LCD (Liquid Crystal Display).

The input device 420 is a device for inputting information such as commands and data and inputting for controlling the device, and is, for example, a keyboard or a mouse of a pointing device.

The hard disk drive (HDD) 430 has a large storage capacity, and stores a program for executing the present embodiment. A Web server function program 601, a record extension function program 602, an anonymization processing function program 603, a random number generation program 604, a hash value generation program 605, and a signature generation program 606 are installed on the hard disk drive 430 of the anonymization data providing server 1. ing. The Web server function program 601 and the record extension function program 602, the anonymization processing function program 603, the random number generation program 604, the hash value generation program 605, and the signature generation program 606 are the Web server function unit 101 and the record extension function unit 102, respectively. This is a program that executes the functions of the anonymization processing function unit 103, the random number generation unit 104, the hash value generation unit 105, and the signature generation unit 106.

Further, the hard disk drive 430 stores a patient data table 301, an abstraction pattern group 302, an extended patient data table 303, a signature data table 304, and anonymization data 305.

The hardware configuration of the anonymized data user terminal 2 is realized by, for example, a general information processing device such as the personal computer shown in FIG. Further, it may be a smartphone or a dedicated terminal.

Each part of the hardware configuration of the anonymized data user terminal 2 is the same as that of the anonymized data providing server 1.

A browser function program 701, a signature verification processing program 702, a hash value generation program 703, and a signature generation program 704 are installed in the hard disk drive 530 of the anonymized data user terminal 2. The browser function program 701, the signature verification processing program 702, the hash value generation program 703, and the signature generation program 704 execute the functions of the browser function unit 201, the signature verification processing unit 202, the hash value generation unit 203, and the signature generation unit 204, respectively. It is a program to do.

Further, the hard disk drive 530 stores the anonymized data 305 and the signature value 311.

Next, the data structure used in the anonymization system will be described with reference to FIGS. 5 to 9.
The patient data table 301 is a table for storing personal information and related data of a patient, and is composed of a "name", an "address (prefecture name)", and a "gender" as shown in FIG. For example, record 3011 shows that a patient's name is "Hitachi Taro", his address is "Tokyo", and his gender is "male".

The abstraction pattern group 302 is data used when abstracting the attributes represented by the columns of the patient data table 301, and as shown in FIG. 6A, for example, has a tree structure called a generalized hierarchical tree 302a. Expressed in data.

In the generalized hierarchical tree 302a, the leaf node of the tree structure is arranged with the lowest abstract value, the root node is arranged with the highest abstract value, and the intermediate node is from the node closest to the leaf node. A value with a higher degree of abstraction is arranged as the node becomes closer to the root node. For example, in the generalized hierarchical tree 302a of the attribute "address" shown in FIG. 6 (a), the leaf node is a "prefecture name" such as "Tokyo" or "Kanagawa prefecture", and the intermediate node has a higher degree of abstraction. It is a high "local name" such as "Kanto region" and "Kinki region", and indicates a generalized hierarchical tree whose root node is the "country name" of "Japan", which has the highest degree of abstraction among them.

The abstraction pattern group 302 may be represented in the form of the abstraction pattern table 302b shown in FIG. 6 (b). For example, the abstraction pattern table 302b of the attribute "address" is represented by data having a table structure composed of columns of "address" and "abstraction pattern". In the abstraction pattern table 302b, for each "prefecture name" that is currently the value in the "address" column, the values of "local name" and "country name" that are candidates for replacement in the anonymization process with a higher degree of abstraction. To associate. For example, in the abstraction pattern of the value "Tokyo" of the "address" of the abstraction pattern table 302b, "Kanto region" indicating "local name" and "Japan" indicating "country name" are anonymized with a higher degree of abstraction. It indicates that it is a candidate for replacement in processing.

The extended patient data table 303 is a table in which the patient data in the patient data table 301 is preprocessed to realize a verifiable anonymization process. The extended patient data table 303 adds each value of the abstract pattern group 302 that is a replacement candidate when executing anonymization by substitution to the patient data, and further executes the hash as an alternative process of the anonymization process of deletion or substitution. It has a data structure with random numbers added to enhance the safety of the conversion. For example, in the example shown in FIG. 7, the values of "address 3" and "address 4", which are abstract patterns of the attribute "address", are added to the patient data table 301, and further, for each attribute. Random numbers of "name 1", "address 1", and "gender 1", which are random numbers for enhancing the security of hashing, are added.

With a data structure that adds a random number for each attribute and an algorithm that generates a hash value step by step for each attribute described later, the data size is reduced compared to the case where random numbers are given to all elements, and the random numbers are used. Hashing security improvements can be applied to the entire data.

The signature data table 304 is a table that holds signature values for patient data, and is composed of "target data" and "signature value" as shown in FIG. The "target data" is a column for storing the patient data name, and the "signature value" is a column for storing the signature value generated by the signature generation process for each patient data.

In the present embodiment, the data in the signature data table 304 is read by the Web server function unit 101 of the anonymized data providing server 1, and is used as a Web page from the anonymized data user terminal 2 via the network 3 by a Web browser or the like. Allows viewing and downloading.

The anonymization data 305 is data obtained by performing anonymization processing on the extended patient data table 303. For example, FIG. 9 shows an example of the result of performing anonymization processing on the data in the extended patient data table 303 shown in FIG. 7. For example, the deleted record 3051 indicates a label "Delete_R" indicating that the record is deleted, a record hash value "22891F" generated by hashing performed as an alternative process of deletion, and a null value. It is composed of "-" (Null). Further, for example, the record 3052 in which the attribute is deleted and the attribute is replaced is "Delete_A", which is a label indicating that the attribute "name" has been deleted, and the attribute hash generated by hashing executed as an alternative process of the attribute deletion. It is composed of a value "465FC4", an "Replace" indicating that the attribute "address" has been replaced, and an attribute hash value "B0D8C7" generated by hashing executed as an alternative process of the attribute replacement.
Details of each process of record deletion, attribute deletion, and attribute replacement will be described later.

These hash values are values of intermediate processing in the signature generation processing, and this data structure can reduce the amount of data processing in the signature generation processing in the signature verification processing of the anonymized data user terminal 2, so that the signature verification processing can be performed. It can be speeded up.

Next, the processing of the anonymization system will be described with reference to FIGS. 10 to 17.

First, a series of processes from the user acquiring the anonymized data from the anonymized data providing server and verifying it will be described with reference to FIG.
First, the record expansion function unit 102 of the anonymization data providing server 1 inputs the patient data table 301 and the abstraction pattern group 302, performs the patient data record expansion processing as a preprocessing of the anonymization processing, and performs the extended patient data table 303. The processing result is stored in (S01). The patient data record expansion process will be described in detail later with reference to FIG.

Next, the signature generation unit 106 of the anonymized data providing server 1 takes the data of the extended patient data table 303 as an input, performs a signature generation process to generate a digital signature, and performs a signature generation process based on the generated signature value. It is stored in the signature data table 304 together with (S02). The signature generation process will be described in detail later with reference to FIGS. 12A and 12B.

Next, the Web server functional unit 101 of the anonymized data providing server 1 reads the patient data name and the signature value stored in the signature data table 304, generates a Web page accessible from the network 3, and generates the URL of the Web page. (Uniform Resource Locator) is notified to the Web browser function of the anonymized data user terminal 2 (S03).

Next, the Web browser function unit 201 of the anonymized data user terminal 2 acquires a Web page including the patient data name and the signature value, and displays a list of the patient data name and the signature value to the data user as a display device such as a display. Displayed by 510 (S06).

Next, the data user of the anonymized data operates an input device 520 such as a mouse of the anonymized data user terminal 2 and downloads a signature value corresponding to the patient data name of the patient data to be used from the Web page. , The data is stored in the main memory 502 of the anonymized data user terminal 2 or the hard disk drive 530 as a verification signature value 311 (S05).

Next, the data user inputs the patient data name to be used and the anonymization condition into the Web browser function unit 201 of the anonymization data user terminal 2. In this embodiment, the following three anonymization conditions are input.

Anonymization condition 1: Delete records whose attribute "address" is not "Japan" Anonymization condition 2: Delete attribute "name" Anonymization condition 3: Attribute "address" changed from "prefecture name" to "local name" Replacement

Then, the Web browser function unit 201 notifies the Web server function unit 101 of the anonymization data providing server 1 of the anonymization data acquisition request consisting of the patient data name and the anonymization condition (S06).

Next, the Web server function unit 101 of the anonymization data providing server 1 transmits the notified patient data name and the anonymization condition to the anonymization processing function unit 103. The anonymization processing function unit 103 executes verifiable anonymization processing by inputting the patient data name and the anonymization condition, generates anonymization data 305, and transmits the anonymization data 305 to the Web server function unit 101. Then, the Web server function unit 101 registers the anonymized data 305 in the download Web page for the data user, and notifies the URL to the Web browser function of the anonymized data user terminal 2 (S07). The details of the verifiable anonymization process will be described later with reference to FIG.

Next, the Web browser function unit 201 of the anonymized data user terminal 2 accesses the download Web page for the data user by inputting the notified URL, acquires the anonymized data by downloading, and anonymizes the data. It is stored as anonymized data 305 in the main memory 502 or the hard disk drive 530 of the user terminal 2 (S08).

Finally, the signature verification processing unit 202 of the anonymized data user terminal 2 executes the signature verification process for verifying the validity of the anonymization by inputting the anonymized data 305 and the signature value 311 for verification, and the validity. If is verified, "OK" is displayed to the data user, and if it is not valid, "NG" is displayed to the data user by the display device 510 such as the display of the anonymized data user terminal 2 (S09). The details of the signature verification process will be described later with reference to FIG.

Through a series of processes from the above-mentioned user acquisition of anonymized data from the anonymized data providing server and verification, the data user can determine whether or not the obtained anonymized data has been anonymized by a legitimate anonymization process. Can be confirmed. As a result, for example, in the medical field, the validity of anonymization of anonymized data of patients, subjects, etc. used in research can be verified, so that it is possible to avoid a situation in which the research result is erroneous due to incorrect anonymization data.

Next, the patient data record expansion process will be described with reference to FIG.
This is the process corresponding to S01 in FIG.

First, the record extension function unit 102 of the anonymized data providing server 1 counts the number of records in the patient data table and sets the number of records to N (S101). The initial value of the variable m (m is a record counter) used in the process shown in FIG. 11 is 1.

Next, the record extension function unit 102 reads one record of the patient data table (S102).

For example, when the read record is the record 3011 shown in FIG. 5, the element of the attribute "name" is "Hitachi Taro", the element of the attribute "address" is "Tokyo", and the element of the attribute "gender" is "gender". It becomes "male".

Next, the record extension function unit 102 reads out the abstraction pattern group of the read record from the abstraction pattern group 302 (S103). For example, when the abstraction pattern of "Tokyo" of the attribute "address" of the record is read from the abstraction pattern table 302b of the abstraction pattern group of the attribute "address" shown in FIG. 6 (b), it is used as an abstraction pattern. , The element of the attribute "address" in FIG. 6B is "Tokyo", and the "Kanto region" and "Japan" of the record 3021 are read out.

Next, the record extension function unit 102 adds each element of the acquired abstraction pattern to the record (S104). For example, when the record 3011 in FIG. 5 is the record, the elements "Kanto region" and "Japan" read from the record 3021 of the abstraction pattern in S103 are added. As a result, a record containing candidates for the replacement destination value at the time of anonymization by replacement is generated.

Next, the record extension function unit 102 adds one random number acquired from the random number generation unit 104 to each attribute of the record (S105). For example, when the record 3011 in FIG. 5 is the record, three different random numbers are acquired for the three attributes and added to the record. By assigning one random number to each attribute in this way, the data size of the record can be reduced as compared with the case where random numbers are assigned to all the elements (columns).

Next, the record expansion function unit 102 outputs a record in which the attribute is replaced and a random number is added as a record in the expansion patient data table 303 (S106). For example, when the record 3011 in FIG. 5 is the record, the record generated by S103 to S105 is the value of the attribute “name 1” indicating the random number added to the attribute “name” as shown in 3031 in FIG. Is "5EF4BE", the value of the attribute "Name 2" indicating the original value of the attribute "Name" is "Hitachi Taro", and the value of the attribute "Address 1" indicating the random number added to the attribute "Address" is "A754B9". , The value of the attribute "Address 2" indicating the original value of the attribute "Address" is "Tokyo", and the value of the attribute "Address 3" indicating the first element of the abstraction pattern added to the attribute "Address" is "Kanto region", the value of the attribute "Address 4" indicating the second element of the abstraction pattern added to the attribute "Address" is "Japan", and the attribute "Gender 1" indicating the random number added to the attribute "Gender" The value of "770E67" is "770E67", and the value of the attribute "gender 2" indicating the original value of the attribute "gender" is "male".

Next, the record extension function unit 102 increments the value of the variable m by 1 (S107).

Finally, the record extension function unit 102 compares the value of the variable m with the number of records N of the patient data, and if m is N or less (S108: No), executes the processes of S102 to S107, and m is If it is larger than N (S108: Yes), the process ends.

Next, the signature verification process will be described with reference to FIGS. 12A and 12B.
This is a process corresponding to S02 and S09 in FIG. 10, and is a common process of both performed by the signature generation unit 106 of the anonymized data providing server 1 and the signature generation unit 204 of the anonymized data user terminal 2. be. In the present embodiment, the signature generation unit 106 of the anonymized data providing server 1 outputs the digital signature value by inputting the extended patient data, while the signature generation unit 204 of the anonymized data user terminal 2 anonymizes. The data is input and the digital signature value is output.

In the following, it is assumed that the signature verification process is performed by the signature generation unit 106 of the anonymized data providing server 1, but the same applies to the signature verification process by the signature generation unit 204 of the anonymized data user terminal 2.

First, the signature generation unit 106 acquires the number of records N and the number of attributes n from the target data (S201). The initial values of the variables i, j, t, q, k, l, and m used in this flowchart are all set to 1.

Next, the signature generation unit 106 reads one record from the target data (S202). For example, when the target data is the extended patient data table 303 of FIG. 7, the record to be read is the record 3031. When the target data is the anonymized data 305 of FIG. 9, the target record to be read is the record 3052.

Next, when the first element of the read record is “Delete_R” indicating that the record has been deleted (S203: Yes), the signature generation unit 106 executes the process of S204. In other cases (S203: No), the process of S205 is executed (S203). For example, when the record is the record 3051 of the anonymized data 305, since the first element of the record is "Delete_R", the process of S204 is executed next. On the other hand, when the record is the record 3031 of the extended patient data table 303, the first element of the record is "5EF4BE", so the process of S205 is executed next.

Next, the signature generation unit 106 sets the value of the second element of the record as the hash value Hri of the i-th (i is an attribute counter) record, and then executes the process of S215 (S204). Then, the process of S216 is executed. For example, when the record is the record 3051 of the anonymized data 305, the value "22891F" of the second element is set as the value of Hri.

Next, the signature generation unit 106 acquires the number of elements of the i-th attribute Ai of the record and sets it as Ein (S205). For example, when the first attribute "name" of the record 3031 of the extended patient data table 303 is A1, the value of Ein is "2" because it is composed of two extended attributes "name 1" and "name 2". ".

Next, the signature generation unit 106 executes the process of S207 when the first element of the attribute Ai is “Delete_A” (S206: “Delete_A”), and when it is “Replace”. (S206: "Replace"), then the process of S208 is executed, and if neither is the case (S206: Otherwise), the process of S209 is executed next (S206). For example, when the record is the record 3052 of the anonymized data 305 and the attribute Ai is the "name", the first element is the "Delete_A" of the attribute "name 1", so the process of S207 is executed next. .. Further, for example, when the record is the record 3052 of the anonymized data 305 and the attribute Ai is the "address", the first element is the "Replace" of the attribute "address 1", so the process of S208 is executed next. do. Further, for example, when the record is 3031 of the extended patient data table 303 and the attribute Ai is "name", the first element is "5EF4BE" of the attribute "name 1", so the process of S209 is executed next. do.

Next, the signature generation unit 106 sets the value of the second element of the attribute Ai as the value of the hash value Hri (S207), and then executes the process of S216. For example, when the record is the record 3052 of the anonymized data 305 and the attribute Ai is the "name", the value of "465FC4" which is the value of the attribute "name 2" of the second element is set as the value of Hri.

Next, the signature generation unit 106 sets the value of the second element of the attribute Ai as the value of the hash value Hri, and then executes the process of S210 (S208). For example, when the record is the record 3052 of the anonymized data 305 and the attribute Ai is the "address", the value of "B0D8C7" which is the value of the attribute "address 2" of the second element is set as the value of Hri.

Next, the signature generation unit 106 increments the value of the variable j (j is an element counter) by 1 (S210).

Next, the signature generation unit 106 obtains a hash value from the hash value generation unit 105 by inputting the j-th element Aij and the (j + 1) -th element Ai (j + 1) of the attribute Ai, and the hash value of the record. Let it be Hri (S209). For example, when the record is the record 3031 of the extended patient data table 303 and the attribute Ai is "name", i = 1, j = 1, the jth element of the attribute Ai is the value of the attribute "name 1". 5EF4BE ”, the (j + 1) th element is the value“ Hitachi Taro ”of the attribute“ name 2 ”, and the hash value“ A8E0C2 ”obtained by inputting these two values into the hash value generation unit 105 is used as the Hri value. ..

Next, when the value of the j-th element of the attribute Ai is "-" (Null) (S212: Yes), the signature generation unit 106 then executes the process of S213, and in other cases, the signature generation unit 106 executes the process of S213. In (S212: No), the process of S212 is executed next. For example, when the record is the record 3051 of the anonymized data 305, the attribute Ai is the "address", and the jth element is the value "-" of the attribute "address 1", the process of S213 is executed next.

Next, the signature generation unit 106 increments the value of the variable j by 1, and then executes the process of S213 (S212).

Next, the signature generation unit 106 compares the number of elements Ein of the attribute Ai with the value of the variable j, and if Ein is larger than j (S213: Yes), then executes the process of S216, and Ein In the case of j or less (S213: No), the process of S214 is executed next.

Next, the signature generation unit 106 obtains a new hash value from the hash value generation unit 105 by inputting the j-th element Aij of the attribute Ai and the hash value Hri of the record at that time, and the new Hri. (S214). For example, the record is record 3031 of the extended patient data table 303, the attribute Ai is "address", j = 3, and the third element of the attribute Ai is the value of the attribute "address 3", "Kanto region". When the value of Hri at that time is "B7EF14", "7C648B" obtained by inputting "Kanto region" and "B7EF14" into the hash value generation unit 105 is used as a new Hri value.

Next, the signature generation unit 106 increments the value of the variable j by 1, and then executes the process of S211 (S215).

Next, the signature generation unit 106 increments the value of the variable i by 1 in S215, and then executes the process of S217 (S216).

Next, the signature generation unit 106 compares the number of attributes n with the variable i, and if i is n or less (S217: Yes), then executes the process of S203, and if i is larger than n (S217). : No), the process of S218 is executed next.

Next, n and q (q is an attribute counter) are compared, and if n is larger than q (S218: Yes), then S219 is executed, and if n is q or less (S218: No). Next, S221 is executed.

Next, the signature generation unit 106 takes the hash value Hrq and the hash value Hr (q + 1) as inputs, generates a hash value, and sets it as a new Hr (q + 1) (S219).

Next, q is incremented by 1 (S220), and the process returns to S218.

Next, the signature generator 106 sets the hash value HRt (t is the counter of the record) to the value of the hash value Hrn (note that this is equal to the value of Hr (q + 1) when n ≧ 2). Substitute (S221).

Next, the signature generation unit 106 increments the value of the variable t by 1, sets the values of the variable i and the variable j to 1, and then executes the process of S218 (S217).

Next, the signature generation unit 106 compares the number of records N of the target data with the value of the variable t, and if t is N or less (S223: No), then executes the processes of S202 to S222, t. If is greater than N (S223: Yes), then the process of S251 in FIG. 12B is executed.

The subsequent process is the process of generating the hash value of the root from the hash tree of the binary tree structure consisting of the record hash values.

Next, the signature generation unit 106 sets the value of m (m is a counter of the number of remaining items in the record processing) as the number of remaining items in the record hash value HRi as the number of records N of the target data, and then performs the processing of S252. Execute (S251 in FIG. 12B).

Next, the signature generation unit 106 compares the number of remaining items m with the value of the variable l, and if they are not equal (S252: No), then the process of S253 is executed, and if they are equal (S252: Yes). Next executes the process of S260.

Next, in S253, the signature generation unit 106 inputs the hash value HRk of the kth (k is a record counter) record and the (k + 1) th hash value HR (k + 1) from the hash value generation unit 105. A new hash value is acquired and used as a new value of the l-th (l is a record counter) record hash value HRl (S253). For example, when k = 1 and l = 1, the hash value newly acquired from the hash value generation unit 105 with HR1 and HR2 as inputs is used as the new value of HR1.

Next, when the value of the number of remaining items m is other than 2 (S254: No), the signature generation unit 106 then executes the process of S255, and when the value of the number of remaining items m is 2 (S254: No). : Yes), then the process of S260 is executed.

Next, the signature generation unit 106 sets 2k + 1 as a new value of k and increments the value of l by 1 (S255).

Next, the signature generation unit 106 compares the number of remaining items m with the value of the variable k, and if m is larger than k (S256: Yes), then executes the process of S253, and m is k or less. In the case of (S256: No), the process of S257 is executed next.

Next, the signature generation unit 106 compares the number of remaining items m with the value of the variable k, and if m and k are different (S257: No), then executes the process of S258, and m and k are equal. In the case (S257: Yes), the process of S259 is executed next.

The signature generation unit 106 sets the value of (m / 2 + m% 2) as the value of the new number of remaining items m, sets the values of k and l to 1, and then executes the process of S253 (S258). Here, m% 2 represents a remainder obtained by dividing m by 2.

Next, the signature generation unit 106 substitutes the value of Hrk as the new value of Hrl (S259).

Next, the signature generation unit 106 sets the value of Hrl at that time as the value of the total hash value Hd of the target data (S260).

Finally, the signature generation unit 106 generates and outputs a signature value δ from Hd by a digital signature algorithm such as RSA (S261), and ends the process. As the digital signature algorithm, an existing algorithm can be used.

With respect to the anonymized data subjected to the verifiable anonymization process described later using FIGS. 13 to 16 by the signature generation process described above, the extended patient before the anonymization even after the anonymization process. If the data are the same, the value of the signature generated for the extended patient data and the value of the signature generated for the anonymized data will be the same, so it is possible to verify the validity of the anonymization. It becomes.

Next, the verifiable anonymization process will be described with reference to FIG.
This is the process corresponding to S07 in FIG.

First, the anonymization processing function unit 103 of the anonymization data providing server 1 reads out the extended patient data corresponding to the patient data name transmitted from the Web server function unit 101 from the extended patient data table 303 (S301). For example, in S06 of FIG. 10, the data of the extended patient data table 303 of FIG. 7 is acquired as the corresponding extended patient data.

Next, the anonymization processing function unit 103 reads the anonymization condition transmitted from the Web server function unit 101 (S302). For example, in this embodiment, the following three anonymization conditions are read out.

Anonymization condition 1: Delete records whose attribute "address" is not "Japan" Anonymization condition 2: Delete attribute "name" Anonymization condition 3: Attribute "address" changed from "prefecture name" to "local name" Replacement

Next, when there is an anonymization condition for deleting the record, the anonymization processing function unit 103 does not simply delete the record, but hashes the entire target record for the extended patient data. Is executed (S303). For example, in the case of the present embodiment, since the anonymization condition 1 is the anonymization condition for deleting the record, the record deletion process is executed for the extended patient data read from the extended patient data table 303. The details of the record deletion process will be described later with reference to FIG.

Next, when there is an anonymization condition for deleting the attribute, the anonymization processing function unit 103 executes an attribute deletion process for hashing the entire target attribute to the extended patient data, instead of simply deleting the attribute. (S304). For example, in the case of the present embodiment, since the anonymization condition 2 is the anonymization condition for deleting the attribute "name", the attribute deletion process is executed for the extended patient data. The details of the attribute deletion process will be described later with reference to FIG.

Next, when the anonymization processing function unit 103 has an anonymization condition for replacing the element of the attribute, the hashing of a part of the element of the target attribute is converted into the extended patient data instead of simply replacing the element of the attribute. The attribute replacement process to be executed is executed (S305). For example, in the case of the present embodiment, since the anonymization condition 3 is an anonymization condition in which the element of the attribute "address" is replaced from the "prefecture name" to the "local name", the attribute replacement process is performed for each patient data. To execute. The details of the attribute replacement process will be described later with reference to FIG.

Finally, the anonymization processing function unit 103 outputs the extended patient data after executing the processing of S303 to S305 to a file as anonymization data 305 (S306), sends it to the Web server function unit 101, and ends the processing. ..

Next, the record deletion process will be described with reference to FIG.
This is the process corresponding to S303 in FIG.

First, the anonymization processing function unit 103 of the anonymization data providing server 1 reads out the anonymization condition for record deletion. For example, in the case of this embodiment, the anonymization condition 1 is read out (S401). The initial values of the variables i, j, and t are set to 1 (anonymization condition 1: records whose attribute "address" is other than "Japan" are deleted).

Next, the anonymization processing function unit 103 identifies the record group Rd to be deleted from the extended patient data, sets the number of records of Rd to N, and sets the number of attributes of the Rd attribute to n. For example, in the present embodiment, from the extended patient data read from the extended patient data table 303 of FIG. 7, the record 3032 whose attribute “address” is “America” other than “Japan” is set as Rd, and N = 1, n =. 3 (attributes "name", "address", "gender") (S402).

Next, the anonymization processing function unit 103 reads one t-th (t is a record counter) record from the record group Rd to be deleted. For example, in the present embodiment, the record 3032 specified as Rd in S402 is read out (S403).

Next, the anonymization processing function unit 103 acquires the number of elements Ein of the attribute Ai of the i-th (i is the attribute counter) of the read record. For example, when the record is record 3032 and i = 1, the number of elements 2 of the first attribute "name" is set as the value of Ein (S404).

Next, the anonymization processing function unit 103 inputs the j-th element Aij and the (j + 1) -th element Ai (j + 1) of the attribute Ai into the hash value generation unit 105 to acquire the hash value, and the record hash value Hri. The value of. For example, when the record is record 3032 and the attribute Ai is the attribute "name" and j = 1, the first element "741DC3" and the second element "Tom" of the attribute "name" are input to the hash value generation unit 105. Then, the hash value is obtained and used as the Hri value (S405).

Next, the anonymization processing function unit 103 compares the values of Ein and the variable j, and if Ein is larger than j (S406: Yes), then executes the processing of S407, and Ein is j or less. In the case (S406: No), the process of S410 is then executed (S409).

Next, the anonymization processing function unit 103 increments the value of j by 1 (S407).

Next, the anonymization processing function unit 103 inputs the value of the second element Aij of the attribute Ai and the value of Hri at that time into the hash value generation unit 105, acquires a new hash value, and sets it as a new Hri value. (S408).

Next, the anonymization processing function unit 103 compares the values of Ein and the variable j, and if Ein is larger than j (S409: Yes), then executes the processing of S407, and Ein is j or less. In the case (S09: No), the process of S410 is executed next.

Next, the anonymization processing function unit 103 increments the value of the variable i by 1, and then executes the processing of S411 (S410).

Next, in S411, the anonymization processing function unit 103 compares the number of attributes n with the value of the variable i, and if n is smaller than i (S411: No), then executes the processing of S404. When n is i or more (S411: Yes), the process of S412 is executed next.

Next, n and k (k is an attribute counter) are compared, and if n is larger than k (S412: Yes), then S413 is executed, and if n is not larger than k (S412: No). ), Then S415 is executed.

Next, the anonymization processing function unit 103 takes the hash value Hrk and the hash value Hr (k + 1) as inputs, generates a hash value, and sets it as a new Hr (k + 1) (S413).

Next, k is incremented by 1 (S414), and the process returns to S412.

Next, the anonymization processing function unit 103 increments the value of the variable t (t is a record counter) by 1, and sets the values of the variable i and the variable j to 1 (S415).

Next, the anonymization processing function unit 103 sets the value of the first element of the record to be deleted as “Delete_R”, which is a label indicating that the record has been deleted, and sets the value of the second element of the record as the value. The record hash value at that time is Hrn (note that this is equal to the value of Hr (k + 1) when n ≧ 2), and all the values of the third and subsequent elements of the record are “-” indicating no value. Then, the process of S414 is executed as (Null) (S416). For example, when the record is the record 3032 of FIG. 7, the result of this processing is that the first element shown in the record 3051 of FIG. 9 is the record hash value “Delete_R” and the second element is the record hash value “22891f”. All subsequent elements are "-".

Finally, the anonymization processing function unit 103 compares the number of records N of Rd with the value of the variable t, and if N is t or more (S417: No), then executes the processing after S403, and N If is less than t (S417: Yes), the process ends.

Next, the attribute deletion process will be described with reference to FIG.
This is the process corresponding to S304 in FIG.

First, the anonymization processing function unit 103 of the anonymization data providing server 1 reads out the anonymization condition for deleting the attribute (S501). For example, in the case of this embodiment, the anonymization condition 2 is read (anonymization condition 2: the attribute "name" is deleted). The initial values of the variables i, j, and t are set to 1.

Next, the anonymization processing function unit 103 sets the number of records of the extended patient data to N, the number of attributes to n, the attribute group to be deleted to Ad, and the number of attributes of Ad to an. For example, when the extended patient data is the data of the extended patient data table 303 shown in FIG. 7, the elements of N = 4, n = 3, and Ad are the attribute “name” and the number of attributes of Ad is an = 1. (S502).

Next, the anonymization processing function unit 103 reads out the t-th (t is a record counter) record of the extended patient data (S503).

Next, the anonymization processing function unit 103 reads one attribute from Ad and sets it as Adi (i is an attribute counter) (S504).

Next, the anonymization processing function unit 103 sets the number of elements of the attribute Adi to the value of Ein (S505).

Next, the anonymization processing function unit 103 inputs the j-th element Adig and the (j + 1) -th element Adi (j + 1) of the attribute Adi into the hash value generation unit 105, acquires a new hash value, and attributes. The hash value is Ha (S506). For example, when the record is the record 3031 in FIG. 7, the attribute Adi is the attribute "name", and j = 1, the first element "5EF4BE" and the second element "Hitachi Taro" are input to the hash value generation unit 105. Then, a new hash value "465FC4" is acquired and used as a Ha value.

Next, the anonymization processing function unit 103 compares the values of Ein and the variable j, and if Ein is larger than j (S507: Yes), then executes the processing of S508, and if Ein is j or less. In (S507: No), the process of S510 is then executed.

Next, the anonymization processing function unit 103 increments the value of the variable j by 1 (S508).

Next, the anonymization processing function unit 103 inputs the j-th element Adig and Ha of the attribute Adi into the hash value generation unit 105, acquires a new hash value, and sets it as a new Ha value ( S509).

Next, the anonymization processing function unit 103 compares the values of Ein and the variable j, and if Ein is larger than j (S510: Yes), then executes the processing of S508, and if Ein is j or less. In (S510: No), the process of S511 is then executed.

Next, in S511, the anonymization processing function unit 103 sets the value of the first element of the attribute Adi of the record to "Delete_A", which is a label indicating that the attribute has been deleted, and sets the value of the second element. The attribute hash value Ha at that time is set, and the value of the third and subsequent elements is set to “−” (Null) (S511). For example, when the record is record 3031 in FIG. 7 and the attribute to be deleted is "name", as a result of this processing, as shown in record 3052 in FIG. 9, the first element of the attribute "name" is "name". The value of "Name 1" is "Delete_A", the value of "Name 2" which is the second element of the attribute "Name" is "465FC4" which is the value of the attribute hash value Ha at that time, and the attribute is "Name". Do not use the value of "-" because there is no element after the third.

Next, the anonymization processing function unit 103 increments the value of the variable i by 1 (S512).

Next, the anonymization processing function unit 103 compares the number of attributes an of Ad with the value of the variable i, and if an is i or more (S513: No), then executes the processing of S504, and an If it is smaller than i (S513: Yes), the process of S514 is executed next.

Next, the anonymization processing function unit 103 increments the value of the variable t by 1, and sets the values of the variable i and the variable j to 1 (S514).

Finally, the anonymization processing function unit 103 compares the number of records N of the extended patient data with the value of the variable t, and if N is t or more (S515: No), then executes the processing after S503. , N is less than t (S515: Yes), the attribute deletion process is terminated.

Next, the attribute replacement process will be described with reference to FIG.
This is the process corresponding to S305 in FIG.

First, the anonymization processing function unit 103 of the anonymization data providing server 1 reads out the anonymization condition for attribute substitution (S601). For example, in the case of the present embodiment, the anonymization condition 3 is read (the anonymization condition 3 attribute "address" is replaced from the "prefecture name" (address 2) to the "local name" (address 3)). The initial values of the variables i, j, and t are set to 1.

Next, the anonymization processing function unit 103 sets the number of records of the extended patient data to N, the number of attributes to n, the attribute group to be replaced to Ar, and the number of attributes of Ar to rn. For example, when the extended patient data is the data of the extended patient data table 303, the elements of N = 4, n = 3, Ar are the attribute “address”, and the number of attributes of Ar is rn = 1 (S602).

Next, the anonymization processing function unit 103 reads out the t-th (t is a record counter) record of the extended patient data (S603).

Next, the anonymization processing function unit 103 reads one attribute from Ar and sets it as Ari (i is an attribute counter) (S604).

Next, the anonymization processing function unit 103 sets the number of elements to be replaced by the attribute Ari as the value of Air (S605). For example, when the attribute Ar is "address", Er = 2 is set to replace the "prefecture name" (address 2).

Next, the anonymization processing function unit 103 newly inputs the j-th (j is an element counter) element Arij and the (j + 1) -th element Ari (j + 1) of the attribute Ari into the hash value generation unit 105. Hash value is acquired and used as the value of the attribute hash value Ha (S606). For example, when the record is the record 3031 in FIG. 7, the attribute Ari is the attribute "address", and j = 1, the value "A754B9" of the first element "address 1" and the value of the second element "address 2". The new hash value "B0D8C7" obtained by inputting "Tokyo" into the hash value generation unit 105 is used as the Ha value.

Next, the anonymization processing function unit 103 compares the value of the Air with the value of the variable j + 1, and if the Air is larger than j + 1 (Yes: S607), then executes the processing of S608, and if the Air is j or less. In (No: S607), the process of S611 is next executed.

Next, the anonymization processing function unit 103 increments the value of the variable j by 1 (S608).

Next, the anonymization processing function unit 103 inputs the j-th element Arij and Ha of the attribute Ari into the hash value generation unit 105, acquires a new hash value, and sets it as a new Ha value (S609). ).

Next, the anonymization processing function unit 103 compares the values of the Air and the variable j, and if the Air is larger than j + 1 (S610: Yes), then executes the processing of S608, and if the Air is j + 1 or less. In (S610: No), the process of S611 is then executed.

Next, the anonymization processing function unit 103 sets the value of the first element of the attribute Ari of the record as "Replace", which is a label indicating that the attribute has been replaced, and sets the value of the second element at that time. The attribute hash value Ha is set, and if the Air is larger than 3, the values of the elements from the third to the Erth of the attribute Ari are set to "-" (Null), and then the processing of S612 is executed (S611). For example, when the record is record 3031 in FIG. 7 and the attribute to be replaced is "address", as a result of this processing, as shown in record 3052 in FIG. 9, the first element of the attribute "address" is ". The value of "address 1" is "Replace", and the value of the second element "address 2" is "B0D8C7" which is the value of the attribute hash value Ha at that time.

Next, the anonymization processing function unit 103 increments the value of the variable i by 1 (S612).

Next, the anonymization processing function unit 103 compares the number of attributes rn of Ar with the value of the variable i, and if rn is i or more (S613: No), then executes the processing of S604, and rn is If it is smaller than i (S613: Yes), the process of S614 is executed next (S613).

Next, the anonymization processing function unit 103 increments the value of the variable t (t is a record counter) by 1, and sets the values of the variable i and the variable j to 1 (S614).

Finally, the anonymization processing function unit 103 compares the number of records N of the extended data with the value of the variable t, and if N is t or more (S615: No), then executes the processing after S603. If N is less than t (S615: Yes), the attribute replacement process is terminated.

Next, the signature verification process will be described with reference to FIG.
This is the process corresponding to S09 in FIG.

First, in S108 of FIG. 10, the signature verification processing unit 202 of the anonymized data user terminal 2 has anonymized data 305 and verification data stored in the main memory 502 or the hard disk drive 530 of the anonymized data user terminal 2. The signature value 311 which is the signature value is read (S701, S702).

Next, the signature verification processing unit 202 inputs the anonymized data 305 into the signature generation unit 204 of the anonymized data user terminal 2 and acquires the generated signature value δ (S703).

Finally, the signature verification processing unit compares the signature value 311 which is the verification signature value with δ, and when the two values are the same (S704: Yes), the anonymized data is valid. It is certified as, and "OK" is displayed to the data user by the display device 510 or the like of the anonymized data user terminal 2 (S705). On the other hand, when the two values are different (S704: No), the anonymized data is certified as not legitimate due to falsification or mistake, and the data is determined by the display device 510 of the anonymized data user terminal 2. "NG" is displayed to the user (S706), and the process is terminated.

As described above, in the anonymized data providing system of the embodiment, the value of the replacement candidate of the target data is added to the target data in advance, and then the intermediate process of the signature generation process is performed instead of simply deleting or replacing. Since the data is replaced with the hash value by hashing, it is possible to verify the validity of the anonymization by the signature value even after performing anonymization processing such as deletion or replacement.

Also, in the hashing process, after adding a random number to the original data, hashing is performed using the value of each attribute and the random number as the input value, and the calculation required to identify the original data from the hash value. Since the amount is huge, the risk of recovering the original data from the anonymized data can be reduced.

Further, when adding a random number to the original data, one random number is added to each attribute, and then hashing including the random number is performed step by step in each attribute in the algorithm shown in FIGS. 12A to 16. Therefore, the data size of the anonymized data can be reduced as compared with the case of adding random numbers to all the elements of the original data.

Further, since the hashing process is the same as the intermediate process of the signature generation process, the signature generation process in the signature verification process of the anonymized data can be reduced and the signature verification process can be speeded up.

As described above, according to the present embodiment, when anonymizing data is used for research and development in the medical field, the legitimacy of anonymization is obtained even when anonymization processing such as deletion or replacement of data is performed. Since verification is possible, it is possible to avoid situations where research results are fraudulent due to the use of fraudulent anonymized data.

1 ... Anonymized data providing server, 2 ... Anonymized data user terminal, 3 ... Network, 102 ... Record extension function unit, 103 ... Anonymization processing function unit, 105 ... Hash value generation unit, 106 ... Signature generation unit, 110 ... storage unit, 301 ... patient data table, 302 ... abstract pattern group, 303 ... extended patient data table, 304 ... signature data table, 305 ... anonymized data, 201 ... browser function unit, 202 ... signature verification processing unit, 203 ... Hash value generation unit, 204 ... Signature generation unit, 210 ... Storage unit, 311 ... Signature value

Claims (6)

An anonymization system that anonymizes confidential information using an information processing device and provides it to users.
Confidential information storage means for storing confidential information,
The abstraction candidate group information storage means, which is a candidate group of information that abstracts the secret information,
An extended secret data storage means for storing extended secret data in which candidate groups of information to be abstracted are added to the secret information, and
Anonymized data storage means for storing anonymized data in which some information is deleted or replaced from the confidential information, and
An extended secret data generation means for generating the extended secret data using the secret information and the abstraction candidate group information, and
A signature generation means that uses the extended secret data or anonymized data to generate a digital signature having a hash value of the secret information as an intermediate value.
Anonymization means for generating anonymized data using the extended secret data, and
Equipped with anonymized data legitimacy verification means to verify the legitimacy of given anonymized data,
The extended secret data generation means refers to the secret information stored by the secret information storage means and the candidate group of information that abstracts the secret information stored by the abstraction candidate group information storage means. Generate secret data,
The anonymization means generates anonymization data by executing a process of replacing the extended secret data with a hash value having the same hash value as the intermediate value of the signature generation of the signature generation means.
The signature generation means generates a first signature value from the extended secret data generated by the extended secret data generation means and a second signature value from the anonymization data generated by the anonymization means. ,
The anonymized data validity verification means is an anonymization system characterized in that the validity of a given anonymized data is verified by comparing the first signature value with the second signature value. Further, a random number generation means for adding a random number to the extended secret data is provided.
The anonymization system according to claim 1, wherein the signature generation means generates a hash value as an intermediate value from the extended secret data to which a random number generated by the random number generation means is added. The random number generation means adds one random number to each attribute of the extended secret data.
The anonymization system according to claim 2, wherein the signature generation means generates an intermediate value of a hash value including a random number as an input for each attribute. It is an anonymization method that anonymizes confidential information by an information processing device and provides it to users.
Confidential information storage step to memorize confidential information and
The abstraction candidate group information storage step, which is a candidate group of information that abstracts the secret information,
An extended secret data storage step for storing extended secret data in which candidate groups of information to be abstracted are added to the secret information, and an extended secret data storage step.
Anonymized data storage step of storing anonymized data in which some information is deleted or replaced from the confidential information, and
An extended secret data generation step for generating the extended secret data using the secret information and the abstraction candidate group information, and
A signature generation step of using the extended secret data or the anonymized data to generate a digital signature having a hash value of the secret information as an intermediate value.
Anonymization step to generate anonymized data using the extended secret data,
It has an anonymized data validation step to verify the validity of a given anonymized data,
In the extended secret data generation step, the secret information stored from the secret information storage step and the candidate group of information that abstracts the secret information stored by the abstraction candidate group information storage step are referred to, and the extension is performed. Generate secret data,
In the anonymization, the extended secret data is replaced with a hash value that is the same as the intermediate value of the signature generation of the signature generation means to generate the anonymization data.
In the signature generation step, the first signature value is generated from the extended secret data generated by the extended secret data generation means, and the second signature value is generated from the anonymized data generated by the anonymization means. ,
A method for anonymizing data, comprising verifying the validity of a given anonymized data by comparing the first signature value and the second signature value in the anonymization data validity verification step. Further, it has a random number generation step for adding a random number to the extended secret data.
The anonymization method according to claim 4, wherein in the signature generation step, a hash value as an intermediate value is generated from the extended secret data to which a random number generated by the random number generation means is added. In the random number generation step, one random number is added to each attribute of the extended secret data.
The anonymization method according to claim 5, wherein the signature generation means generates an intermediate value of a hash value including a random number in the input for each attribute.

Images