JP7171113B1 - SECURE COMPUTING SYSTEM, SERVER, INFORMATION PROCESSING DEVICE, COMPUTER PROGRAM AND SECURE COMPUTING METHOD - Google Patents

Abstract

A secure computation system, a server, an information processing device, a computer program, and a secure computation method capable of appropriately supplying random numbers used for secure computation are provided. A client (10) has random number supply means for generating random numbers based on necessary random number information and transmitting them to a plurality of servers (30, 40). Random number estimating means for estimating the number and transmitting to the client 10 as required random number information, random number pooling means for pooling random numbers for executing the confidential calculation, and confidential calculation means for executing the confidential calculation and transmitting the execution result to the client 10. Then, the lack of random numbers in the execution of the secret calculation by the secret calculation means is detected, and when there is an inquiry by the shortage random number inquiry means of the client 10, the type and number of the lack of random numbers are answered to the client 10 as necessary random number information. and random number detection means, wherein the client 10 inquires at regular intervals whether or not there is a shortage of random numbers during the execution of confidential calculations, and when the lack of random number detection means responds with necessary random number information, the necessary random number information is sent. It further comprises an insufficient random number inquiry means for sending to the random number pool means. [Selection drawing] Fig. 1

Description

The present invention relates to a secure computing system that executes secure computation, a server that configures the secure computing system, an information processing apparatus, a computer program, and a secure computing method.

2. Description of the Related Art In recent years, with increasing awareness of information leakage, a secure computation (also called secure computation; the same shall apply hereinafter) technology for performing computation while encrypting data has attracted attention. As a method of confidential calculation, there is mainly a method of fully homomorphic encryption using an encryption key, and a method of dividing data into encrypted information called shares and storing the divided shares in multiple servers. Secrecy calculation with a secret sharing method is known in which data (shares) are calculated while each server encrypts them. Compared to fully homomorphic cryptography, the secret-sharing method requires communication control and synchronization processing between multiple servers, making it more difficult to build a system, but the calculation speed is faster.

In secret-sharing secure computation, many protocols have been proposed that implement secure computation by using random numbers that are correlated between servers. As a method of generating correlated random numbers, a method of generating random numbers only between servers that perform secure computation is known. However, in this case, public key encryption and a large number of communications between servers and a large amount of communications are required, resulting in a problem of a decrease in computation speed.
Therefore, in Non-Patent Document 1, a random number generation server is provided as a reliable third party for generating the random numbers necessary for the confidential calculation separately from the server for the confidential calculation, and the random numbers necessary for the confidential calculation are estimated in advance. A technique for generating random numbers to be used in secure calculation in advance by storing data is disclosed. In such a configuration, correlated random numbers can be generated internally by a trusted third party. As a result, public key cryptography and accompanying communication are no longer necessary between servers for secure computation in random number generation, and the computation speed is improved.
In addition, in Non-Patent Document 2, the client plays the role of a reliable third party, and the client transmits a random number that has a correlation with secret information to the server, similarly reducing the load on the server for secure calculation, A method for increasing the efficiency of secure computation is disclosed.

Yusuke Ishida et al., "Design and Implementation of Random Number Generation Server for Secure Computation", Proceedings of Symposium on Cryptography and Information Security 2021 (SCIS 2021), 2021 Toshinori Araki et al., "Usefulness of Three-Party Secure Computation Using Secret Sharing Method", Information Processing Vol. 59 No. 10 October 2018

In confidential calculations, random numbers are not required for addition and subtraction, but in addition to multiplication and division, numerical comparisons, filtering calculations for extracting data that meets predetermined conditions from table-structured data, and table-structured data alignment Random numbers are used in cases such as switching. However, when performing confidential calculations on table-structured data, a number of random numbers corresponding to the number of rows in the table-structured data is required. Estimates may not be available in advance. For example, in table-structured data, after extracting (filtering) row data that matches a certain condition, if the extracted data is to be sorted, a random number corresponding to the number of extracted row data is required at the time of sorting. However, the number of required random numbers cannot be estimated because the number of extracted row data is not determined until the extraction of row data is completed. In this way, there are cases where the necessary random numbers cannot be estimated in advance, and there is a risk that the random numbers will run short during the secure calculation. Then, when the random numbers run short, the concealed computation that has been performed so far is interrupted, and there are cases where the computation results cannot be obtained.

The present invention provides a secure computation system, a server, an information processing device, a computer program, and a secure computation method that can prevent the processing of the secure computation from being interrupted due to a shortage of random numbers in the secure computation. With the goal.

A secure computation system according to a first aspect of the present invention comprises a plurality of servers that execute secure computation, and a client that supplies random numbers necessary for executing the secure computation to the plurality of servers, The client includes query input means for transmitting a query of data input by the user to at least one of the plurality of servers, and random number supply means for generating random numbers based on the received required random number information and transmitting the data to the plurality of servers. and the server estimates the type and number of random numbers required for secure calculation based on the query received from the client, and transmits the estimated type and number of random numbers to the client as required random number information. random number estimating means; random number pooling means for pooling random numbers for executing secure calculation based on the query received from the client; executing secure calculation based on the query received from the client; a secure calculation means to be sent to the client, and detecting a shortage of random numbers in the execution of the secure calculation by the secure calculation means, and when an inquiry is made by the shortage random number inquiry means of the client, the type and number of the shortage of random numbers are provided as necessary random number information and a missing random number detection means for responding to the client as the It further comprises insufficient random number inquiry means for transmitting the required random number information to the random number pool means when a response to the required random number information is received.
In the secure calculation system, when the insufficient random number detection means detects a shortage of random numbers during the execution of secure calculation, the secure calculation means continues the secure calculation until the shortage of random numbers is received from the random number supply means. It can be configured to have a function of temporarily interrupting calculation.
A secure computation system according to a second aspect of the present invention includes a plurality of servers that execute secure computation, and a client that supplies random numbers necessary for the secure computation to the plurality of servers, wherein the server receives a request from the client. A secure calculation system that performs the secure calculation using supplied random numbers, wherein the server repeatedly detects whether the random numbers used for the secure calculation are insufficient, and the random numbers required for the secure calculation are insufficient. In this case, random number request information including information on the type and number of the missing random numbers is sent to the client, and when the client receives the request information, the client sends the type and number of random numbers based on the request information to the client. It can be configured to be sent to a server.
A server according to the present invention is a server for executing secure computation configured to be communicable with a client that supplies random numbers necessary for executing secure computation, wherein the client receives data input by a user. a query input means for transmitting a query to at least one of the plurality of servers; and a random number supply means for generating a random number based on the received required random number information and transmitting it to the plurality of servers, wherein the server random number estimating means for estimating the type and number of random numbers required for secure calculation based on the query received from the client, and transmitting the estimated type and number of random numbers to the client as required random number information; random number pooling means for pooling random numbers for executing a secure calculation based on the query received from the client; secure calculation means for executing the secure calculation based on the query received from the client and transmitting the execution result to the client; Insufficient random number detection for detecting a shortage of random numbers in the execution of secure calculation by the secure calculation means, and replying to the client with the type and number of the shortage of random numbers as necessary random number information when an inquiry is made by the shortage random number inquiry means of the client. a means;
An information processing apparatus according to the present invention is an information processing apparatus configured to be able to communicate with a plurality of servers for executing secure computation, wherein a query for data input by a user is sent to at least one of the plurality of servers. and random number supply means for generating a random number based on the received necessary random number information and transmitting it to the plurality of servers, wherein the server is based on the query received from the information processing device. random number estimating means for estimating the type and number of random numbers required for secure calculation by using the method, and transmitting the estimated type and number of random numbers to the information processing device as required random number information; random number pooling means for pooling random numbers for executing secure calculation; secure calculation means for executing secure calculation based on the query received from the information processing device and transmitting the execution result to the information processing device; insufficient random number detection means for detecting shortage of random numbers in the execution of confidential calculation by the calculation means, and replying as necessary random number information with the type and number of the shortage of random numbers when an inquiry is made by the shortage random number inquiry means of the information processing apparatus; and further inquiring at regular intervals whether or not there is a shortage of random numbers at the time of executing the secure calculation based on the query to the server, and when there is a reply of the necessary random number information from the shortage random number detection means, An insufficient random number inquiry means for transmitting required random number information to the random number pool means is provided.
A computer program according to the present invention causes a processor of an information processing apparatus configured to be communicable with a server for executing secure computation to send a query of data input by a user to at least one of the plurality of servers. A computer program for functioning as input means and random number supply means for generating a random number based on received required random number information and transmitting the random number to the plurality of servers, wherein the server receives data from the information processing apparatus. random number estimating means for estimating the type and number of random numbers required for confidential calculation based on the query, and transmitting the estimated type and number of random numbers to the information processing apparatus as required random number information; and receiving from the information processing apparatus. random number pooling means for pooling random numbers for executing a secure calculation based on the query received from the information processing device; and secure calculation for executing the secure calculation based on the query received from the information processing device and transmitting the execution result to the information processing device. means for detecting a shortage of random numbers in the execution of secure calculation by the secure calculation means, and replying the type and number of the shortage of random numbers as required random number information when an inquiry is made by the shortage random number inquiry means of the information processing device. Insufficient random number detection means, further, the processor inquires the presence or absence of insufficient random numbers from the server at regular intervals when the secure calculation based on the query is executed, and the necessary random number information is obtained from the insufficient random number detection means. When there is an answer, it functions as insufficient random number inquiry means for transmitting the required random number information to the random number pool means.
A secure computation method according to the present invention is a secure computation method using a plurality of servers that execute secure computation and a client that supplies random numbers necessary for executing the secure computation to the plurality of servers, said client sending a query for user-entered data to at least one of said plurality of servers; estimating the number and transmitting the estimated type and number of random numbers to the client as necessary random number information; and generating random numbers based on the received necessary random number information and transmitting the generated random numbers to the plurality of servers. , pooling random numbers for performing secure computation based on the query received from the client; and performing the secure computation based on the query received from the client by the server, and sending an execution result to the client. and, when the server detects a shortage of random numbers in executing the secure calculation, the server responds with the type and number of the shortage of random numbers as required random number information upon receiving an inquiry from the client. , the client inquires of the server at regular intervals whether or not there is a shortage of random numbers during the execution of the confidential calculation based on the query, and if the server replies with the necessary random number information, the necessary random number information is generating a missing random number based on and transmitting to the plurality of servers.

According to the present invention, when a client receives request information for random numbers from a server, the client appropriately provides the server with random numbers used for secure calculation by transmitting the type and number of random numbers based on the request information to the server. be able to.

1 is a configuration diagram of a secure computing system according to this embodiment; FIG. FIG. 4 is a schematic diagram for explaining random number supply processing according to the present embodiment; It is a flowchart which shows the confidential multiplication process in a 1st server. It is a flowchart which shows the confidential multiplication process in a 2nd server. FIG. 10 is a schematic diagram for explaining a secret multiplication process; It is a flow chart which shows confidential data extraction processing. It is a schematic diagram for demonstrating a secret data extraction process. 6 is a flowchart showing client-side random number supply processing according to the present embodiment; 5 is a flowchart showing server-side random number supply processing according to the present embodiment. FIG. 4 is a diagram for explaining exchange of information between a client and a server in random number supply processing according to the present embodiment;

An embodiment of a secure computing system according to the present invention will be described with reference to the drawings. FIG. 1 is a configuration diagram showing a secure computing system 1 according to this embodiment. As shown in FIG. 1, the secure computing system 1 according to this embodiment includes a client 10, a gateway 20, a first server 30, and a second server . Further, as shown in FIG. 1, the client 10 is arranged within a LAN (Local Area Network) where communication is restricted by a gateway 20 . Also, the client 10 and the gateway 20 , the first server 30 and the second server 40 can communicate with each other via the Internet 2 . Although only one client 10 and one gateway 20 are shown in FIG. 1, a plurality of clients 10 and gateways 20 may be provided. In addition, although the example shown in FIG. 1 illustrates a configuration in which two servers 30 and 40 are used to perform secure computation between two parties, the configuration is not limited to this. can be used to perform secure computation.

In this embodiment, unencrypted data (hereinafter referred to as “plaintext data”) is secret-sharingly stored in the servers 30 and 40 . Secret sharing (method) is an encryption technology that divides plaintext data into fragments called shares that do not make sense on their own and distributes them to multiple servers. According to secret sharing (method), information is distributed into a plurality of fragments, and the original information cannot be restored unless a predetermined number or more of fragments are collected. Each of the servers 30 and 40 performs a secure calculation to calculate the share of the calculation result of plaintext data without converting the share back to plaintext data. Among the secure calculations, calculations such as multiplication and division, size comparison, filtering and sorting of table structure data require random numbers in the secure calculations. Conventionally, a method has been proposed in which each server that performs confidential calculation communicates with each other to generate random numbers, but in this case, it is necessary to use public key cryptography, etc., and the problem is that the calculation speed decreases. there were. Therefore, in this embodiment, the client 10 generates a random number necessary for secure calculation and transmits the generated random number to the servers 30 and 40 (also called a client-aided model).

Further, in this embodiment, instead of the client 10 predicting the required random numbers in advance and transmitting the random numbers to the servers 30 and 40 before the start of the secure calculation, when the secure calculation starts, the random number shown in FIG. As shown in (A), the client 10 inquires of the servers 30 and 40 whether or not there is a missing random number in the secure calculation. , the servers 30 and 40 send random number request information. Then, as shown in FIG. 2C, the client 10 is characterized by generating random numbers based on the received request information and supplying the generated random numbers to the servers 30 and 40 . FIG. 2 is a schematic diagram for explaining the random number supply process according to this embodiment. Each device constituting the secure computing system 1 will be described below.

The client 10 is an information terminal device such as a personal computer operated by a user, and has an arithmetic device, a storage device, and a communication device. In the present embodiment, the client 10 transmits a secure computation instruction to the servers 30 and 40 by user operation, and the servers 30 and 40 perform secure computation. Further, in the secure computation system 1 according to the present embodiment, the client 10 transmits a secure computation instruction, and when the servers 30 and 40 start the secure computation, the servers 30 and 40 periodically inquire about the supply of random numbers. 40, and if a random number is required, it also has a function of generating a random number to be used in confidential calculation and supplying the generated random number to the servers 30 and 40. FIG. The details of the random number supply method from the client 10 to the servers 30 and 40 will be described later.

Gateway 20 controls communications between client 10 and servers 30 and 40 . Specifically, the gateway 20 permits transmission of a connection establishment request from the client 10 to the servers 30 and 40 , but prohibits transmission of a connection establishment request from the servers 30 and 40 to the client 10 . Once a connection is established between the client 10 and the servers 30, 40, they can communicate with each other while the connection is active. In this embodiment, the gateway 20 transmits a connection establishment request from the client 10 to the servers 30 and 40, and after the connection is established, a random number supply inquiry is sent from the client 10 to the servers 30 and 40 using the connection. , in response to this, random number request information is sent from the servers 30 and 40 to the client 10 using the same connection. Also, when the gateway 20 transmits the calculation result of the secure calculation from the servers 30 and 40 to the client 10, the client 10 establishes a connection with the servers 30 and 40 according to the same procedure. 40 transmits the calculation result to the client 10 using the connection based on the instruction of the client 10 .
Such a function of the gateway 20 is a function generally possessed by a gateway, and is a general network configuration introduced to prevent intrusion into the client 10 from outside the LAN. In this embodiment, it can be said that the security computing system 1 according to this embodiment has high versatility for existing systems, because the function and general network configuration that the gateway 20 generally has can be used.

The servers 30 and 40 each have an arithmetic device, a storage device, a communication device, and a database, and secret-sharing data is stored in the database as a share. The shares cannot decrypt the plaintext data unless a specific number of secret-sharing shares are gathered. is not leaked, the plaintext data cannot be decrypted and the confidential state can be secured. In this embodiment, the servers 30 and 40 store a server-side program for performing secure computation in the storage device, and the secure computation can be performed by executing the program on the arithmetic device. In particular, in this embodiment, the first server 30 and the second server 40 can communicate with each other via the Internet 2, and the servers 30 and 40 can keep the data secret without decrypting the secret-shared shares. Multi-Party Computation (MPC) is performed to obtain a desired calculation result by performing secure calculation while exchanging the calculation results performed by the servers 30 and 40 with each other. In the secure computation, the servers 30 and 40 receive random numbers from the client 10 and perform secure computation using the received random numbers in secure computation such as multiplication, size comparison, filtering calculation, and data rearrangement.

Furthermore, the servers 30 and 40 store in their storage units a program for estimating the random numbers required for the secure computation, and by executing the random number estimation program, the random numbers required for the secure computation can be estimated in advance. can. Specifically, the servers 30 and 40 acquire calculation information for the secure calculation to be executed from the client 10, and execute a random number estimation program to generate a random number Estimate. The calculation information is not particularly limited as long as it is information indicating the secure calculation executed by the servers 30 and 40, but in the present embodiment, the query information output from the client 10 (for example, select syntax having a where clause) is calculated. As information, it is transmitted from the client 10 and acquired by the servers 30 and 40 . The random numbers that can be estimated by this random number estimation program are the random numbers used in the calculation before the number of rows of the table structure data to be calculated changes, and the random numbers used in the calculation after the number of rows changes. cannot be estimated. For example, since the number of rows in the table-structured data does not change in the secret multiplication, even if two secret multiplications are performed, the random numbers used in these calculations can be estimated. In the calculation in which the secrecy multiplication is performed after performing the clause), it is not possible to estimate the random number used in the secrecy multiplication after filtering.

An example of secure multiplication using random numbers among the secure calculations by the servers 30 and 40 will be described below with reference to FIGS. 3 to 6. FIG. 3 is a flowchart showing the confidential multiplication process executed by the first server 30, FIG. 4 is a flowchart showing the confidential multiplication process executed by the second server 40, and FIG. FIG. 4 is a schematic diagram for explaining processing;

(Anonymous multiplication processing)
The confidential multiplication process is a process in which the calculation result can be obtained without knowing any information about the input/output in the integer multiplication of 2 inputs and 1 output. Specifically, it is a calculation process in which two encrypted data are input, a predetermined calculation (predetermined secret multiplication algorithm) described later is performed without decrypting them at all, and the multiplication result is obtained as encrypted data. In the confidential multiplication process, as shown in FIG. 5, shares [[x]] ₁ , [[x]] ₂ , [[y]] ₁ , [ [y]] ₂ are stored respectively. In the confidential multiplication process shown in FIGS. 3 to 5, the servers 30 and 40 use the shares of x and y as they are to multiply x×y=z, and the share of z, which is the calculation result, is [[z]] ₁ and [[z]] ₂ are obtained. In the following description, the share of x stored in the first server 30 is [[x]] ₁ , and the share of y is [[y]] ₁ . Similarly, let the shares of x stored on the second server 40 be [[x]] ₂ and the shares of y be [[y]] ₂ . Further, let the share of z stored on the first server 30 be [[z]] ₁ and the share of z stored on the second server 40 be [[z]] ₂ . The plaintext data and the shared secret share have the following relationship. For example, plaintext data x and its shares [[x]] ₁ and [[x]] ₂ have a relationship of x = [[x]] ₁ + [[x]] ₂ and [[x] ] ₁ =r and [[x]] ₂ =x−r. Here, x and r are integers represented by the remainder ring of 2 ^l , and r is a uniform random number. l is the number of bits representing the value range of the operation target, l=1 in the case of a 1-bit integer operation, and l=32 in the case of a 32-bit integer operation. Since the plaintext data and the shares have such a relationship, it is possible to decrypt the plaintext data x by [[x]] ₁ +[[x]] ₂ .

In the secret multiplication process, calculation is performed using three random numbers a, b, and c generated by the client 10 . These three random numbers are correlated random numbers having a relationship of c=a×b. The client 10 secret-shares the random number a to generate random number shares [[a]] ₁ and [[a]] ₂ , and secret-shares the random number b to generate random number shares [[b]] ₁ , [[b] ] ₂ , and secret sharing the random number c to generate the random number shares [[c]] ₁ , [[c]] ₂ . Then, the client 10 transmits shares [[a]] ₁ , [[b]] ₁ , [[c]] ₁ obtained by secret sharing the random numbers a, b, and c to the first server 30 , and the random numbers a, b , c are secret-sharing shares [[a]] ₂ , [[b]] ₂ , [[c]] ₂ to the second server 40 . This allows the first server 30 to perform secure multiplication using the shares [[a]] ₁ , [[b]] ₁ , [[c]] ₁ of the random numbers a, b, and c, and , the second server 40 can perform a secure multiplication using the shares [[a]] ₂ , [[b]] ₂ , [[c]] ₂ of the random numbers a, b, c.

First, with reference to FIG. 3, the confidential multiplication process executed by the first server 30 will be described. In the following, the shares [[x]] and [[y]] of the plaintext data x are the primary shares, and the shares [[x' ]] and [[y']] are called secondary shares. First, in step S101, the number obtained by subtracting the share [[a]] ₁ of the random number a from the primary share [[x]] ₁ of the plaintext data x is calculated by the first server 30 as the secondary share [[x']]. calculated as ₁ . Further, in step S102, the first server 30 subtracts the share [[b]] ₁ of the random number b from the primary share [[y]] ₁ of the plaintext data y to obtain the secondary share [[y']] calculated as ₁ .

Further, in steps S103 and S104, as shown in FIG. 5, mutual communication between the servers 30 and 40 allows the processing of transmitting and receiving the calculation results performed by one of the servers 30 and 40 to and from the other server 30 and 40. will be Specifically, in step S103, the first server 30 calculates the secondary share [[x']] ₁ calculated in step S101 and the secondary share [[y']] ₁ calculated in step S102 as It is sent to the second server 40 . Also, in step S104, the secondary shares [[x']] ₂ and secondary shares [[y']] ₂ generated by the second server 40 are received by the first server 30 . The secondary share [[x']] ₂ is a number obtained by subtracting the share [[a]] ₂ of the random number a from the primary share [[x]] ₂ of the plaintext data x in the second server 40. be. Also, the secondary share [[y']] ₂ is obtained by subtracting the share [[b]] ₂ of the random number b from the primary share [[y]] ₂ of the plaintext data y calculated in the second server 40. number. The method of calculating the secondary share [[x']] ₂ and the secondary share [[y']] ₂ will also be described in the secret multiplication process performed by the second server 40 shown in FIG. 4 to be described later.

Subsequently, in step S105, the first server 30 adds the secondary share [[x']] ₁ calculated in step S101 and the secondary share [[x']] ₂ obtained in step S104, Data x' is calculated. Further, in step S106, the first server 30 adds the secondary share [[y']] ₁ calculated in step S102 and the secondary share [[y']] ₂ acquired in step S104 to obtain data y' is calculated. Data x' and data y' are data obtained by encrypting plaintext data x and plaintext data y using random numbers a and b, and are meaningless data by themselves.

In step S107, the shares [[a]] ₁ , [[ b]] ₁ and [[c]] ₁ are used to compute the share of z, [[z]] ₁ , which is the result of the x×y computation. Specifically, the first server 30 divides the calculation result of x′×y′+x′×[[b]] ₁ +y′×[[a]] ₁ +[[c]] ₁ into the share [[z ]] can be calculated as ₁ . The first server 30 then stores the calculated share [[z]] ₁ in a database, or transmits it to the client 10 based on an instruction from the client 10 .

FIG. 4 is a flow chart showing the confidential multiplication process executed by the second server 40. As shown in FIG. As shown in FIG. 4, first, in step S201, the number obtained by subtracting the share [[a]] ₂ of the random number a from the primary share [[x]] ₂ of the plaintext data x is obtained by the second server 40 as the secondary share. It is calculated as [[x']] ₂ . In step S202, the second server 40 obtains the secondary share [[y']] by subtracting the share [[b]] ₂ of the random number b from the primary share [[y]] ₂ of the plaintext data y. ₂ .

In steps S203 and S204, similar to steps S103 and S104 in FIG. is done. That is, in step S203, the secondary share [[x']] ₂ calculated in step S201 and the secondary share [[y']] ₂ calculated in step S202 are transferred to the first server 40 by the second server 40. 30. As described above, the secondary share [[x']] ₂ and the secondary share [[y']] ₂ received by the first server 30 in step S104 of FIG. _{2 secondary shares [[x′]] and [[y′]] 2 transmitted} from 40 . Also, in step S204, the secondary share [[x']] ₁ and the secondary share [[y']] ₁ generated by the first server 30 are received by the second server 40 . Note that the secondary share [[x']] ₁ and the secondary share [[y']] ₁ are the secondary share [[x']] transmitted by the first server 30 in step S103 of FIG. ₁ and the secondary share [[y']] is ₁ .

Then, in step S205, the secondary share [[x']] ₂ calculated in step S201 and the secondary share [[x']] ₁ obtained in step S204 are added by the second server 40, Data x' is decoded. In step S206, the secondary share [[y']] ₂ calculated in step S202 and the secondary share [[y']] ₁ obtained in step S204 are added by the second server 40, Data y' is decoded.

In step S207, the data x' calculated in step S205, the data y' calculated in step S206, and the shares [[a]] ₂ , [[ Using b]] ₂ and [[c]] ₂ , the share [[z]] ₂ of data z, which is the result of the multiplication x×y, is calculated. Specifically, the second server 40 calculates the share [[z]] ₂ as the calculation result of x′×[[b]] ₂ +y′×[[a]] ₂ +[[c]] ₂ . The second server 40 then stores the calculated share [[z]] ₂ in a database, or transmits it to the client 10 based on the client 10's instruction.

As a result, the first server 30 stores the share of z [[z]] ₁ , which is the result of multiplication of plaintext data x and y, and the second server 40 stores the share of z [[z] ] ₂ is stored. Also, the client 10 obtains share [[z]] ₁ from the first server 30, obtains share [[z]] ₂ from the second server 40, and obtains share [[z]] ₁ and share [[ By adding z]] ₂ , the plaintext data z resulting from the multiplication of the plaintext data x and y can be calculated.

Thus, in one secret multiplication, the shares of three correlated random numbers a, b, and c [[a]] ₁ , [[b]] ₁ , [[c]] ₁ , [[a]] ₂ , [[b]] ₂ , [[c]] ₂ are required. Further, when the data is table-structured data having a plurality of rows (the number of rows n), when the data of each row is secretly multiplied, the share [[a]] ₁ of the three correlation random numbers a, b, and c , [[b]] ₁ , [[c]] ₁ , [[a]] ₂ , [[b]] ₂ , and [[c]] ₂ for n rows. In this way, in confidential multiplication, if the number of times of confidential multiplication and the number of rows n of the table structure data are known in advance, the required number of random numbers can also be known. In this embodiment, the client 10 has a function of generating random numbers, and by generating and pooling the shares of these correlated random numbers before starting calculation, the generated correlated random numbers are sent to the server as needed. 30, 40, or, as will be described later, upon request of the servers 30, 40, the shares of the correlation random numbers can be generated and sent to the servers 30, 40 as well.

(Confidential data extraction processing)
Next, confidential data extraction processing will be described with reference to FIGS. 6 and 7. FIG. 6 is a flow chart showing the secret data extraction process executed by the first server 30 and the second server 40, and FIG. 7 is a schematic diagram for explaining the secret data extraction process. The data extraction process according to the present embodiment is a process of extracting row data that satisfies a certain condition from secret-sharing table structure data using SQL statements or the like. In the following, out of the table structure data having n rows of row data having column data of numerical attributes X and Y, it is said that the data x in the X column is smaller than the data y in the Y column (x<y). An example of calculation for extracting the numerical value x of the X column data in the row data satisfying the condition will be described. That is, the calculation of "select x from table structure data where x<y" described in SQL sentences will be described as an example. It is assumed that each of the servers 30 and 40 stores in advance the share of the table structure data to be calculated, as shown in FIG. More specifically, the servers 30 and 40 store the share [[x[i]]] of the X column data x and the share [[y[i]]] of the Y column data y for the number of rows n. shall be Below, the sequence of shares [[x[i]]] of X column data x in each row of n rows of table-structured data is referred to as share [[x]], and Y column data of each row of n rows of table-structured data The sequence of shares of y[[y[i]]] is called shares[[y]]. Also, i is an integer and means the i-th row data in the table structure data, and 0≦i<n.

The secret data extraction process shown in FIG. 6 is mainly performed by two processes. That is, there is a process of comparing x<y and a filtering process of extracting X column data x of rows that match the filtering condition (x<y in the example shown in FIG. 6). In the magnitude comparison process, the number of correlation random numbers required varies depending on the number of representation bits of the integer to be compared. 163 sets of [[a]], [[b]], [[c]]) are required. Furthermore, when the table structure data has n rows, a combination of shares of n times the correlation random numbers is required. In the filtering process, if the data to be extracted (the data in the data string to be extracted, or the data described in the select statement in the SQL statement) is a string of 32-bit integers, a random number called shuffle ( Hereinafter, simply referred to as shuffle) and a combination of correlated random number sequences ((r1, r1', a1, a1', b1, b1'), (r2, r2', a2, a2', b2, b2')) One set is required. The shuffles r1, r1′, r2, r2′ are n number sequences (random number sequences) that constitute random permutation. number (the number of elements in the random number sequence) increases. Also, a1, a1', b1, b1', a2, a2', b2, and b2' are sequences of correlated random numbers. In this embodiment, since the extraction target is only one of the X column data x, the correlation random numbers are a, b (specifically, a1, a1′, b1, b1′, a2, a2′, b2, b2′ ), but as the number of columns to be extracted increases, the number of combinations of correlated random numbers increases to a, b, c, and so on. In this way, in the confidential data extraction process, the type of random number changes according to the calculation process to be executed, and the random number required according to the number of rows n of the table structure data to be calculated and the number of columns to be extracted number of changes. Furthermore, in this embodiment, the number of rows of the table-structured data is a disclosed (non-confidential) value, but the number of rows of the table-structured data of the filtering result is unknown until the filtering process is completed. . Therefore, in data analysis, there are many cases where some calculation such as aggregation is performed after the filtering process, but until the filtering process in the previous stage is completed, it is recommended to pre-estimate and pool the random numbers necessary for subsequent confidential calculations. There is a problem of difficulty. In this embodiment, the client 10 generates a random number as necessary and provides it to the servers 30 and 40, thereby solving such a problem. The secret data extraction process according to this embodiment will be described below based on the flowchart of the secret data extraction process shown in FIG.

As shown in FIG. 6, in step S301, the servers 30 and 40 evaluate filtering conditions. In this embodiment, since the calculation is to extract row data where x<y from the table structure data to be calculated, the servers 30 and 40 share the table structure data stored by themselves, more specifically In the table structure data, based on the share [[x]] of X column data x and the share [[y]] of Y column data y, the magnitude relationship between x and y is evaluated by confidential calculation, and the evaluation result Take as output the share of f [[f]]. Specifically, using the share [[x[i]]] of the X column data x in each row of the table structure data and the share [[y[i]]] of the Y column data y, x and The size relation of y is evaluated by confidential calculation. The method of evaluating the size relationship between the X column data x and the Y column data y in each row based on the share [[x]] and the share [[y]] by confidential calculation is already stored in the servers 30 and 40. 1-bit correlated random number share combinations ([[a]], [[b]], [[c]]) can be used (for example, Yukiya Ohata and Koji Nuita , "Efficient Secret Size Comparison Protocols and Their Applications," Symposium on Cryptography and Information Security (SCIS 2019) Proceedings, 2019).

In step S302, servers 30 and 40 generate [[Π(f)]] _P (the number of elements is the number of rows n) is generated. Here, in the filtering condition evaluation in step S301, for each row of the table structure data, if x<y, a secret-sharing value of 1 is output as a share [[f(i)]], and x<y Otherwise, a numerical value obtained by secret sharing 0 is output as a share [[f(i)]]. In this way, [[Π(f)]] _P is obtained by randomly permuting the 0 or 1 share [[f]] output according to the evaluation of x<y in each row. Note that i indicates that the data is in the i-th row of the table structure data. Also, [[Π(f)]] _P is obtained by randomly permuting the share [[f(i)]] of 1 or 0, which is the evaluation result of all rows of the table structure data, and the number of elements is the number of elements in the table It becomes the number of rows of structure data n. In this way, in [[Π(f)]] _P , by obtaining the evaluation result f as the share [[f]] in the secure calculation, it becomes unclear whether or not the filtering condition (x<y) is satisfied. By applying random permutation to the share [[f]] instead of Security can be enhanced. Note that the random permutation described above is a combination of sequences of shuffle and correlated random numbers stored in the servers 30 and 40 ((r1, r1', a1, a1', b1, b1'), (r2, r2', a2, a2′, b2, b2′))) (see, for example, N. Attrapadung et al., “Oblivious Linear Group Actions and Applications”, In Proceedings of CCS 2021, pp. 630-650 .).

6 are executed by the first server 30 and the second server 40, respectively, so in FIG. The share calculated in 1 is indicated using “Q” (the same shall apply hereinafter). For example, the evaluation result of the filtering condition evaluation is a share [[Π(f)]] obtained by applying random permutation to the evaluation result held by the first server 30 and a share of ₁ obtained by applying random permutation to the evaluation result held by the second server 40. However, when the first server 30 performs the secret data extraction process shown in _FIG . 6, the share [[ Π(f)]] _P indicates the share [[Π(f)]] ₁ obtained by applying random permutation to the evaluation result held by the first server 30, and the secret data shown in FIG. When the extraction process is performed, the share [[Π(f)]] _P obtained by applying random permutation to the evaluation result is the share [[Π(f) ]] ₂ .

In step S303, the servers 30 and 40 apply random permutation Π to the share [[x]] of the X column data x, which is the data to be extracted, to generate the share [[Π(x)]] _P . The X column data x used in step S303 is the X column data x of all rows of the table structure data (data whose number of elements is the number of rows n of the table structure data). The share [[Π(x)]] obtained by randomly permuting the share [[x]] of _P is also unclear as to which row of data corresponds to which row of the original table structure data, and the number of elements is It becomes the number of rows n of the table structure data. Random permutation of shares [[x]] of X column data x can be performed in a similar manner to step S302.

In steps S304 and S305, as shown in FIG. 7, mutual communication between the servers 30 and 40 is performed to transmit/receive the calculation results performed by one server 30/40 to the other server 30/40. That is, in step S304, the servers 30 and 40 output the share [[Π(f)]] _P obtained by applying random permutation to the evaluation result generated in step S302 to the other server. In step S305, the server 30 or 40 receives the share [[Π(f)]] _Q obtained by applying random permutation to the evaluation result generated by the other server. Then, in step S306, the servers 30 and 40 prepare the list [[L]] _P . The list [[L]] _P is a list for inserting shares of X column data x of rows satisfying the condition x<y in the table structure data, and is empty at the time of step S306.

Steps S307 to S309 are performed for each row of the table structure data to be calculated, and the process is repeated until steps S307 to S309 are performed for all rows. In this embodiment, since the number of rows of the table structure data is n, the processes of steps S307 to S309 are repeated n times.

Specifically, in step S307, the servers 30 and 40 generate the m _- th A share [[Π(f)[m]]] _P that is an element of and a share [[Π(f)]] _Q obtained by applying random permutation to the evaluation result received in step S305 (the number of elements is the number of rows n) Based on the share [[Π(f)[m]]] _Q , which is the m-th element of , the evaluation result of the m-th row data is decoded. Note that m means the data of the m-th row (row number m) of the share [[Π (f)] after random replacement, and the number of row numbers (i-th row) of the original table structure data are different. In this embodiment, in the filtering condition evaluation in step S301, for the m-th row data that satisfies x<y, the evaluation result is shared [[Π(f)[m]]] so that the decoding result is 1. _P and [[Π(f)[m]]] _Q are generated, and for the m-th row data that does not satisfy x<y, the evaluation result share [[Π (f)[m]]] _P and [[Π(f)[m]]] _P are generated. Therefore, in step S307, the decoding result is calculated as 1 for row data that satisfies x<y, and the decoding result is calculated as 0 for row data that does not satisfy x<y.

In step S308, the servers 30 and 40 determine whether or not the target row data conforms to the filtering conditions. As described above, in the present embodiment, the decoding result is calculated as 1 for row data that satisfies x<y, and the decoding result is calculated as 0 for row data that does not satisfy x<y. Therefore, if the composite result obtained in step S307 is 1, the servers 30 and 40 determine that the filtering condition x<y is satisfied, and proceed to step S309. If the result is 0, it is determined that the filtering condition x<y is not satisfied, and the process proceeds to step 310 .

In step S309, since the target row data satisfies the filtering condition x<y, the X column data in the m-th row data after shuffling generated in step S303 is generated by the servers 30 and 40. The shares of x [[Π(x)[m]]] _P are inserted into the list [[L]] _P generated in step S306. That is, in this embodiment, only the shares [[Π(x)[m]]] _P of the X column data x of the rows that meet the filtering condition are substituted into the list [[L]] _P , and the The shares [[Π(x)[m]]] _P of the X column data x of the rows that are not in the list will be eliminated from the list [[L]] _P .

In step S310, the servers 30 and 40 determine whether the processes of steps S307 to S309 have been executed for all rows of the table structure data. If the processes of steps S307 to S309 have been executed for all rows of the table structure data, the process proceeds to step S311, and the servers 30 and 40 generate list [[L]] _P is output.

As a result, the first server 30 and the second server 40 calculate the share [[L]] _P of the list of the X column data x among the row data that satisfies x<y from the table structure data. can be stored in Also, the client 10 obtains a list share [[L]] ₁ from the first server 30, a list share [[L]] ₂ from the second server 40, and a list share [[L]] By adding ₁ and share [[L]] ₂ and decoding, it is possible to calculate a list L of X column data x among row data satisfying x<y.

As described above, in the secret data extraction according to the present embodiment, the type of random number changes depending on the calculation process to be executed, and the number of rows n of table structure data to be calculated and the number of columns of extraction target data The number of random numbers required for Therefore, in particular, if you want to start another process after a calculation that changes the number of rows in the output table structure data, such as filtering, the random number is difficult to estimate and pool in advance. However, in this embodiment, the client 10 generates random numbers necessary for each process and provides them to the servers 30 and 40, so that the type and number of random numbers required for the secret data extraction process can be estimated in advance. Even if it is difficult, it is possible to appropriately provide random numbers necessary for secure computation. Random number supply processing performed between the client 10 and the servers 30 and 40 will be described below.

FIG. 8 is a flowchart showing client-side random number supply processing according to this embodiment. Also, FIG. 9 is a flowchart showing server-side random number supply processing according to the present embodiment. Furthermore, FIG. 10 is a diagram for explaining the random number supply process according to this embodiment. 8 and 9, the client-side random number supply process and the server-side random number supply process will be described below, and then, based on FIG. Explain how information is exchanged.

FIG. 8 shows processing executed by the client 10 in the random number supply processing according to this embodiment. As shown in FIG. 8, in step S401, a random number estimation request is made. Specifically, the client 10 sends an estimation request to the first server 30 together with calculation information for the secure calculation to be executed by the first server 30 and an instruction to execute an estimation program for estimating the random numbers required for the secure calculation. 30. As a result, the first server 30 executes a random number estimating program for estimating the random numbers required to carry out the confidential calculation of the calculation information transmitted from the client 10 (step S502 described later). In this embodiment, the client 10 transmits query information for performing secure calculation to the first server 30 and the second server 40 as calculation information.

In step S402, the random number estimation result estimated by the random number estimation program of the first server 30 is received. Then, in step S403, a random number is generated based on the random number estimation result received in step S402. Random numbers can be generated by the client 10 by a known method. In subsequent step S404, a process of supplying the random number generated in step S403 to the servers 30 and 40 is performed. Thus, in this embodiment, only the first server 30 executes the random number estimation program, but the random numbers generated based on the estimation results are supplied to the first server 30 and the second server 40 . Then, in step S405, an execution instruction for secure calculation is transmitted to the first server 30 and the second server 40. FIG. For example, the client 10 can transmit an SQL statement describing the details of the secure computation to the first server 30 and the second server 40 as an execution instruction for the secure computation.

In step S406, it is determined whether or not a predetermined time has passed since the random number was supplied in step S404, the inquiry information was sent in step S407, or the random number was sent in step S411. The process waits in step S406 until a certain period of time elapses, and proceeds to step S407 when the certain period of time elapses. Instead of supplying the random number in step S404, it may be configured to determine whether or not a certain period of time has passed since the instruction to execute the confidential calculation in step S405.

In step S407, the first server 30 is inquired about the lack of random numbers. Upon receiving the inquiry, the first server 30 detects the currently missing random numbers (step S509, which will be described later), and transmits the required random number information to the client 10 as random number request information (step S510, which will be described later). In step S408, the random number request information transmitted from the first server 30 is received, and in subsequent step S409, it is determined whether or not the random number is insufficient based on the received random number request information. If it is determined that the random number is insufficient, the process proceeds to step S410, the missing random number is generated, and in step S411 the generated random number is transmitted to the first server 30 and the second server 40. After that, the process proceeds to step S412. On the other hand, if it is determined in step S409 that the random number is sufficient, the process proceeds to step S412 without performing the processes of steps S410 and S411. As described above, in this embodiment, the client 10 transmits an inquiry as to whether the random numbers are insufficient and receives the random number request information only between the first server 30 and when the random numbers are insufficient, the client 10 A random number is supplied to the first server 30 and the second server 40 . Normally, the first server 30 and the second server 40 perform the same type of secure calculation using the same type and number of random numbers. , random numbers of the same type and number are in short supply.

In step S412, it is determined whether or not the secure computation has ended. For example, the client 10 can acquire information indicating that the secure calculation has ended from the first server 30, and in this case, can determine that the secure calculation has ended. If the secure computation has not ended, the process returns to step S406, and the processes of steps S406 to S411 are repeated. On the other hand, if the confidential calculation has ended, the client-side random number supply processing shown in FIG. 8 ends.

Next, server-side random number supply processing will be described with reference to FIG. The server-side random number supply process shown in FIG. 9 is a process executed by each of the servers 30 and 40 among the random number supply processes according to the present embodiment (note that steps S501 to S503, S508, and S509 are performed in the present embodiment). is executed only by the first server 30).

As shown in FIG. 9, in step S501, the first server 30 receives a random number estimation request transmitted from the client 10. In step S502, the first server 30 receives the random number estimation request. In step S502, the random number estimation program is executed by the first server 30, triggered by the estimation request received in step S501. Here, the random number estimation request sent from the client 10 includes calculation information of the confidential calculation to be executed, and the random number estimation program estimates the random numbers required for the confidential calculation in the calculation information. In this embodiment, the first server 30 stores a random number estimation program in advance in the storage unit, and executes the random number estimation program based on the calculation information of the confidential calculation included in the random number estimation request of the client 10. .

In step S503, the random number estimation result estimated in step S502 is transmitted to the client 10 by the first server 30. FIG. As a result, a random number corresponding to the estimate is generated in the client 10 (step S403), and the generated random number is transmitted to the first server 30 and the second server 40 (step S404). Therefore, in step S504, the random numbers generated and transmitted by the client 10 are received by the servers 30 and 40. FIG.

In step S505, confidential calculation is performed using the random number received in step S504. However, since random number estimation can only estimate random numbers used in calculations until the number of rows changes in the secure calculation, the secure calculation may not be completed with only the random numbers received in step S504, depending on the content of the secure calculation. can't Therefore, there may be a shortage of random numbers required for the secure calculation during the secure calculation (step S506=Yes). interrupted.

In this embodiment, when the secure calculation is started, the client 10 periodically sends an inquiry about the lack of random numbers to the first server 30 (step S407). Then, in step S508, the first server 30 receives the inquiry sent from the client 10, and in subsequent step S509, the first server 30 responds to the inquiry by , and the progress information of the secret calculation are transmitted to the client 10 as random number request information. In the present embodiment, the first server 30 internally updates the missing random number information and the progress information at relatively short intervals, and the latest missing random number information and progress information at the time of receiving the inquiry from the client 10. is sent to the client 10 as random number request information. Upon receiving the random number request information from the first server 30, the client 10 generates the missing random number and transmits it to both the first server 30 and the second server 40 (steps S410, S411). Accordingly, in step S510, the random numbers transmitted from the client 10 are received by the servers 30 and 40, and the secure computation is continued using the received random numbers.

Also, in step S511, the servers 30 and 40 determine whether or not the secure computation has ended. If the confidential calculation has not ended, the process returns to step S506 and the processes of steps S506 to S510 are repeated. On the other hand, if the confidential calculation has ended, the server-side random number supply process shown in FIG. 9 ends.

Next, information transfer between the client 10 and the servers 30 and 40 in the random number supply process will be described with reference to FIG. First, when the random number supply process is started, at time T1, the client 10 transmits a random number estimation request including confidential calculation information to the first server 30 (step S401). As a result, the random number estimation program is executed by the first server 30 to estimate the random numbers necessary for performing the secure computation included in the secure computation information (step S502). Then, at time T2, the estimation result of the random number is transmitted from the first server 30 to the client 10 (step S503). In response to this, the client 10 generates a random number according to the estimation result of the random number from the first server 30 (step S403), and at time T3, transmits the generated random number to the first server 30 and the second server 40. (step S404). At time T4, the client 10 instructs the first server 30 and the second server 40 to perform secure computation, and the first server 30 and the second server 40 start secure computation.

At time T5 after a certain period of time has elapsed since the start of the secure calculation, the client 10 sends a random number inquiry to the first server 30 (step S407). In response to this, at time T6, the first server 30 transmits the missing random number information together with the progress information to the client 10 as random number request information (step S509). For example, in the example shown in FIG. 10, at time T6, random number request information indicating that the progress is 10% and the random number shortage is "None" is transmitted from the first server 30 to the client 10. FIG. Since the required random number in the random number request information is "None", the client 10 does not generate or supply a random number.

Also, at time T7 when a certain period of time has passed since the previous inquiry, the client 10 sends the random number inquiry again to the first server 30 (step S407). In response to this, the first server 30 transmits the missing random number information together with the progress information to the client 10 as random number request information at time T8 (step S509). At time T8, it is assumed that the first server 30 is short of 1000 random numbers of type "A2" used for secure calculation. In this case, at time T8, the first server 30 transmits to the client 10 random number request information indicating that the progress is 30% and the random number shortage is "A2: 1000". As a result, at time T9, the client 10 generates 1000 random numbers of type "A2" because the number of missing random numbers is "A2: 1000" (step S410). A2", 1000 random numbers are sent to the first server 30 and the second server 40 (step S411). In this embodiment, "A2" means one type of correlated random number (for example, a correlated random number corresponding to 32-bit length).

Further, at time T10 after a certain period of time has passed since the previous random number supply, the client 10 again sends the random number inquiry to the first server 30 (step S407). In response to this, the first server 30 transmits the missing random number information to the client 10 as random number request information together with the progress information at time T11 (step S509). At time T11, it is assumed that the first server 30 is short of three random numbers of type "SR" used for secure calculation. In this case, at time T11, the first server 30 transmits to the client 10 random number request information indicating that the progress is 50% and the random number shortage is "SR: 3". As a result, at time T12, the client 10 performs processing to generate three random numbers of type "SR" because the missing random number is "SR: 3" (step S410). SR” are sent to the first server 30 (step S411). In this embodiment, "SR" means a shuffle random number for shuffling designated columns consisting of n rows.

After time T12, the servers 30 and 40 and the client 10 continue to inquire about random numbers, transmit random number request information in response to the queries, and The supply of random numbers is repeated, and when the confidential calculation is completed, the random number supply process is terminated.

As described above, the secure computing system 1 according to the present embodiment includes the plurality of servers 30 and 40 that perform secure computation, and the client 10 that supplies random numbers necessary for secure computation to the multiple servers 30 and 40. At least one of the plurality of servers 30, 40, the first server 30, transmits random number request information including the type and number of random numbers required for secure calculation to the client 10, and the client 10 sends the random number request. When information is received, based on the random number request information, random numbers are generated and transmitted to the plurality of servers 30 and 40 . As described above, in the secure computing system 1 according to this embodiment, the client 10 periodically inquires about the supply of random numbers to the first server 30, and the first server 30 repeats the random number request information to the client 10. By transmitting the random numbers, when the random numbers are insufficient and need to be supplied, the client 10 generates the required number of random numbers of the required type and supplies them to all the servers 30 and 40 that carry out confidential calculations. Therefore, it is possible to prevent the random numbers from running out in the middle of the confidential calculation.

Although preferred embodiments of the present invention have been described above, the technical scope of the present invention is not limited to the description of the above embodiments. Various modifications and improvements can be added to the above-described embodiment examples, and forms with such modifications and improvements are also included in the technical scope of the present invention.

For example, in the above-described embodiment, the gateway 20 was illustrated as a device for controlling communication between the client 10 and the servers 30 and 40, but the present invention is not limited to this configuration, and a configuration using communication control components such as firewalls and routers. may be

Further, in the above-described embodiments, examples of algorithms for the secret multiplication process and the secret data extraction process have been illustrated in FIGS. Algorithms can also be used. Also, when the algorithm changes, the number and type of random numbers required also change. This is the same regardless of which algorithm is used.

Furthermore, in the above-described embodiment, the secure computing system 1 includes the gateway 20 as an example, but a configuration without the gateway 20 is also possible. In this case, the client 10 can directly send a random number supply inquiry to the first server 30 without going through the gateway 20, and the first server 30 also responds to the request of the client 10 without going through the gateway 20. Then, necessary information (random number request information and confidential calculation results) can be sent to the client 10 .

In addition, in the above-described embodiment, multiplication, division, size comparison, filtering and rearrangement of table structure data are exemplified as secure calculations using random numbers, but secure calculations using random numbers are limited to these. not. For example, as secret calculations such as multiplication, division, and size comparison, which require random numbers that do not depend on the number of rows n, inner joins corresponding to the query join syntax, calculation of the average value of the aggregate function Avg, Trim, LTrim, String manipulation functions such as RTrim, Upper, Lower, Replace, Split, ZenToHan, and HanToZen String evaluation functions such as Contains and NotContains Mathematical operations such as Argmax and Dot Analysis operations such as LinregFit and LinregPredict Columns such as Expand Operations include logical operations such as "&" (AND) and "|" (OR). In addition, as confidential calculations that require shuffle random numbers that depend on the number of rows n, such as filtering corresponding to the where clause and sorting corresponding to the order by clause, calculation of the total corresponding to the group by clause, Min and Max Calculation of minimum and maximum values corresponding to .

Further, in the above-described embodiment, the configuration in which the random number estimation program is executed in the first server 30 is illustrated, but the configuration is not limited to this configuration, and the second server 40 may be configured to execute the random number estimation program.

Furthermore, in the above-described embodiment, when the client 10 inquires about the random number, the first server 30 returns the currently lacking random number information to the client 10 as random number request information, but the configuration is limited to this. Instead, it can be configured to transmit to the client 10 as random number request information including random numbers that are expected to run short in the future. For example, even when the first server 30 receives a random number inquiry (step S407) from the client 10, by executing the random number estimation program, not only the currently lacking random numbers but also the currently estimable random numbers are obtained. Estimates can be sent as random number request information. In particular, when the random numbers are insufficient in the first server 30 while the client 10 is generating random numbers, the first server 30 stops the secure calculation until the random numbers are supplied from the client 10. Therefore, by specifying and requesting random numbers that will be insufficient in the future, it is possible to expedite secure computation. However, even in this case, if the number of rows changes due to filtering or the like, it is not possible to estimate the random numbers required after the number of rows changes.

Further, in the above-described embodiment, as random numbers, correlated random numbers corresponding to 32-bit length represented by "A2" and shuffle random numbers represented by "SR" were exemplified. It is also possible to adopt a configuration using correlated random numbers such as 32 sets of 128-bit length, 1-bit length, or shuffle random numbers other than the above.

Furthermore, in the above-described embodiment, the client 10 transmits an inquiry to the first server 30 only as to whether the random numbers are insufficient, and receives random number request information in response to the inquiry from the first server 30 as an example. , but not limited to this configuration, the client 10 sends an inquiry to the first server 30 and the second server 40 as to whether the random numbers are insufficient, and sends random number request information in response to the inquiry to the first server 30 and the second server. 40 may be used.

DESCRIPTION OF SYMBOLS 1... Secure computing system 10... Client 20... Gateway 30... First server 40... Second server 2... Internet

Claims (7)

A secure computing system comprising: a plurality of servers that perform secure computation; and a client that supplies random numbers necessary for performing secure computation to the plurality of servers,
said client comprises query input means for sending a query of data entered by a user to at least one of said plurality of servers;
random number supply means for generating a random number based on the received required random number information and transmitting it to the plurality of servers;
a random number estimating means for estimating the type and number of random numbers required for secure calculation based on the query received from the client, and transmitting the estimated type and number of random numbers to the client as required random number information;
random number pooling means for pooling random numbers for performing secure computation based on the query received from the client;
a secure computation means for executing secure computation based on the query received from the client and transmitting an execution result to the client;
Missing random numbers for detecting shortage of random numbers in the execution of secure calculation by the secure calculation means, and replying to the client with the type and number of the shortage of random numbers as necessary random number information when there is an inquiry by the shortage random number inquiry means of the client. a detection means,
The client inquires of the server at regular intervals whether or not there is a shortage of random numbers during the execution of the secure calculation based on the query, and when there is a reply from the shortage random number detection means of the necessary random number information, the necessary random number A secure computing system, further comprising deficient random number inquiry means for sending information to said random number pool means. When the deficient random number detection means detects a shortage of random numbers during the execution of the secure computation, the secure computation means temporarily interrupts the secure computation being executed until the shortage of random numbers is received from the random number supply means. 2. The secure computing system according to claim 1, having a function of and a client that supplies random numbers necessary for the secure calculation to the plurality of servers, wherein the server performs the secure calculation using the random numbers supplied from the client. A computing system,
The server repeatedly detects whether or not the random numbers used for the secure calculation are insufficient, and when the random numbers required for the secure calculation are insufficient, the random number request information including the type and number of the missing random numbers is sent to the server. send to the client,
The secure computing system, wherein the client transmits a type and number of random numbers based on the request information to the server when the request information is received. A server for performing secure computation configured to communicate with a client that supplies random numbers necessary for performing secure computation,
the client includes query input means for sending a query of data entered by a user to at least one of a plurality of servers;
random number supply means for generating a random number based on the received required random number information and transmitting it to the plurality of servers;
a random number estimating means for estimating the type and number of random numbers required for secure calculation based on the query received from the client, and transmitting the estimated type and number of random numbers to the client as required random number information;
random number pooling means for pooling random numbers for performing secure computation based on the query received from the client;
a secure computation means for executing secure computation based on the query received from the client and transmitting an execution result to the client;
Missing random numbers for detecting shortage of random numbers in the execution of secure calculation by the secure calculation means, and replying to the client with the type and number of the shortage of random numbers as necessary random number information when there is an inquiry by the shortage random number inquiry means of the client. a server comprising a detection means; An information processing device configured to communicate with a plurality of servers for performing secure computation,
query input means for sending a query of user-input data to at least one of the plurality of servers;
random number supply means for generating a random number based on the received required random number information and transmitting it to the plurality of servers;
The server estimates the type and number of random numbers required for confidential calculation based on the query received from the information processing device, and transmits the estimated type and number of random numbers to the information processing device as required random number information. means of estimating;
random number pooling means for pooling random numbers for executing secure calculation based on the query received from the information processing device;
a secure computation means for executing secure computation based on the query received from the information processing device and transmitting an execution result to the information processing device;
Insufficient random number detection for detecting a shortage of random numbers in the execution of secure calculation by the secure calculation means, and responding with the type and number of the shortage of random numbers as required random number information when an inquiry is made by the shortage random number inquiry means of the information processing device. comprising means and
Further, the server is queried at regular intervals for the presence or absence of insufficient random numbers when executing confidential calculation based on the query, and when the necessary random number information is answered from the insufficient random number detection means, the necessary random number information is sent. An information processing apparatus comprising insufficient random number inquiry means for transmitting to the random number pool means. A processor of an information processing device configured to be able to communicate with a plurality of servers for executing secure computation,
query input means for sending a query of user-input data to at least one of the plurality of servers;
A computer program for functioning as random number supply means for generating a random number based on the received required random number information and transmitting it to the plurality of servers,
The server estimates the type and number of random numbers required for confidential calculation based on the query received from the information processing device, and transmits the estimated type and number of random numbers to the information processing device as required random number information. means of estimating;
random number pooling means for pooling random numbers for executing secure calculation based on the query received from the information processing device;
a secure computation means for executing secure computation based on the query received from the information processing device and transmitting an execution result to the information processing device;
Insufficient random number detection for detecting a shortage of random numbers in the execution of secure calculation by the secure calculation means, and responding with the type and number of the shortage of random numbers as required random number information when an inquiry is made by the shortage random number inquiry means of the information processing device. comprising means and
Further, the processor inquires at regular intervals whether or not there is a shortage of random numbers at the time of execution of the secure calculation based on the query to the server, and when there is a reply from the shortage random number detection means of the necessary random number information, A computer program functioning as insufficient random number inquiry means for transmitting necessary random number information to the random number pool means. A secure computation method using a plurality of servers that perform secure computation and a client that supplies random numbers necessary for performing secure computation to the plurality of servers,
the client sending a query for user-entered data to at least one of the plurality of servers;
the server estimating the type and number of random numbers required for secure calculation based on the query received from the client, and transmitting the estimated type and number of random numbers to the client as required random number information;
the client generating a random number based on the received required random number information and transmitting the generated random number to the plurality of servers;
pooling random numbers for performing secure computations based on the query received from the client;
said server performing a secure computation based on said query received from said client and sending a result of said execution to said client;
When the server detects a shortage of random numbers in executing the secure calculation, the server responds to an inquiry from the client with the type and number of the shortage of random numbers as required random number information;
The client inquires of the server at regular intervals whether or not there is a shortage of random numbers during the execution of the confidential calculation based on the query, and if the server replies with the necessary random number information, the necessary random number information is used generating and transmitting to the plurality of servers a random number lacking in the

Images