JP7240037B2 - Input person device, calculation support device, device, confidential calculation device, and program - Google Patents

Description

The present invention relates to an input person device, a calculation support device, a device, a secure calculation device, and a program.

Arithmetic support device and secure computing device relate to distributed management technology for safely distributing and managing information. The present invention also relates to a concealed computation technique for performing computation while concealing distributed managed information.

In recent years, along with advances in AI and the like, utilization of neural networks (hereinafter referred to as NN) is expected. However, in the utilization of NN, if the problem to be solved is leaked, it may affect the privacy of individuals and the confidential information of companies. Therefore, in the utilization of NN, it is desired that the input information and the problem to be solved can be kept secret.

Confidential computation technology is being researched as a technique for realizing computation while keeping input information confidential. Secrecy computation technology can be broadly classified into homomorphic encryption based on public key cryptography that uses keys to keep data confidential, and secure computation that uses secret sharing to keep data confidential without using keys. However, homomorphic encryption generally requires a large amount of calculations, and there is a problem that it takes a long time to process operations. On the other hand, when secret sharing is used, at least two devices are required. There is a problem of increasing the scale. Therefore, there is a need for a mechanism that enables high-speed secure computation and allows secure computation to be performed with as few units as possible or with a small device scale.

SUMMARY OF THE INVENTION It is an object of the present invention to provide an input person's device, a computation support device, and a secure computation device that can efficiently perform secure computation with a small device scale.

In the arithmetic support device of the invention described in claim 1, n is an integer of 2 or more, k is an integer with a minimum value of 2 and a maximum value of n, L is an integer of 1 or more and k or less, and n secret information In a system in which secret information can be restored by collecting k out of n distributed values, and secret information cannot be restored with kL or less, the secret information is a non-zero value means for secretly adding the random numbers, and means for sending the result of the secret addition as it is to all the secret arithmetic units participating in the secret arithmetic.

In the program of the invention described in claim 2 , n is an integer of 2 or more, k is an integer with a minimum value of 2 and a maximum value of n, L is an integer of 1 or more and k or less, and secret information is distributed to n pieces. Then, the secret information can be restored by collecting k out of n distributed values, and the computer of the calculation support device in the system that performs the secret calculation using a means that cannot restore the secret information with kL or less is the secret information. function as means for secretly adding a random number not equal to 0, and means for transmitting the result of the secret addition as it is to all the secret arithmetic units participating in the secret arithmetic.

The present invention is computationally efficient.

1 is a configuration diagram of a confidential information distribution and confidentiality computing system according to a first embodiment; FIG. 2 is a block diagram of the input person device 12 according to the first embodiment; FIG. 3 is a functional block diagram of a CPU 22 of the input person's device 12; FIG. 2 is a functional block diagram of CPUs 22 of machines 14N0 to 14Nn-1; FIG. 10 is a flow chart of a distribution 1 program; 10 is a flowchart of a program of secure product-sum operation 1; 3 is a flow chart of a secret sharing 1 program; 10 is a flowchart of a program for secure division 1; It is a flow chart of the program of distribution 1'. FIG. 10 is a flowchart of a program of secure product-sum operation 1′; FIG. FIG. 10 is a flowchart of a program of secure product-sum operation 1′; FIG. 3 is a functional block diagram of a CPU 22 of the input person's device 12; FIG. 10 is a flow chart of a program for distribution 2; 4 is a flow chart of a sum-of-products program; 10 is a flowchart of a program for computation support 2; It is a flowchart of the program of operation support 2'. 10 is a flow chart of a program for secure division 2; FIG. 11 is a configuration diagram of a confidential information distribution and confidentiality computing system according to a third embodiment; 3 is a functional block diagram of a CPU 22 of the input person's device 12; FIG. 2 is a functional block diagram of CPUs 22 of machines 14N0 to 14Nn-1; FIG. FIG. 11 is a sequence diagram of conversion random number generation 3; FIG. 10 is a sequence diagram of a conversion random number generator 3'; 10 is a flow chart of a program for distribution 3; 10 is a flow chart of a program for secure product-sum operation 3; FIG. 11 is a configuration diagram of a confidential information distribution and confidentiality computing system having a configuration according to a fourth embodiment; 10 is a flow chart of a program for distribution 4; 10 is a flowchart of a program for sum-of-products operation 4; 4 is a flow chart of a program of computation support 4; 10 is a flow chart of a program of distribution 5 of the input person's device 12A. 10 is a flow chart of a program of distribution 5 of the input person's device 12B. 10 is a flow chart of a program of distribution 5 of the input person's device 12C. 3 is a flow chart of a program of distribution 5 of the arithmetic support device 16. FIG. Fig. 10 is a flow chart of the Distributed 5 program of Machine 14NN; FIG. 10 is a sequence diagram of dispersion 5; 10 is a flowchart of a program for secure product-sum operation 5; 10 is a flowchart of a program for secure product-sum operation 5; 4 is a flow chart of a program for computation support 5;

An example of an embodiment of the present invention will be described in detail below with reference to the drawings.
<First embodiment>
First, the configuration of the first embodiment will be described.
As shown in FIG. 1, the confidential information distribution and confidentiality computing system of the first embodiment comprises an input person device 12, a plurality of (N) machines 14N0 to 14Nn-1, which are interconnected via a network 10. It has Machines 14N0 to 14Nn-1 are neural network machines (NN machines). Incidentally, hereinafter, each of the machines 14N0 to 14Nn-1 may be indicated by the machine 14Ni.

Since the input person's apparatus 12 and the machines 14N0 to 14Nn-1 have the same configuration, only the configuration of the input person's apparatus 12 will be described with reference to FIG. As shown in FIG. 2, the input person's device 12 includes a computer, a CPU 22, a ROM 24, a RAM 26, a memory 28, an input device 30, a transmission/reception device 32, and a display device 34, which are interconnected via a bus 36. It is A program described later is stored in the memory 28 of the input person apparatus 12 and the machines 14N0 to 14Nn-1.

Next, with reference to FIG. 3, the functions realized by executing the program by the CPU 22 of the input person's device 12 will be described. The program has distributed functionality. By executing the program having this function, the CPU 22 functions as the distribution unit 42 as shown in FIG. The program has a restoring function, and when the CPU 22 executes the program having this function, the CPU 22 functions as a restoring unit (not shown).

Next, with reference to FIG. 4, the functions realized by the CPU 22 of each of the machines 14N0 to 14Nn−1 executing the program will be described. The program has a secret multiply-add operation function and a secret division function. When the CPU 22 executes a program having this function, the CPU 22 functions as a secure sum-of-products operation unit 44 and a secure division unit 46, as shown in FIG.

Next, the operation of this embodiment will be described.

In this embodiment, a secret sharing method is used. First, the secret sharing method will be explained. Shamir's (k, n) threshold secret sharing method (hereinafter referred to as Shamir method), which is a typical secret sharing method, converts one secret information into n distributed values and distributes them to n servers. A feature of the Shamir method is that if k distributed values are collected from n distributed values, the original secret information can be restored. It means you can't get it. The Shamir method algorithm is shown below. Moreover, there is a TUS method shown below as a secure calculation method using the secret sharing method.

Shamir's (k, n) threshold secret sharing method (distributed processing)
The user selects any prime number p that satisfies the conditions s<p and n<p.

The user selects n x _i (i=0, 1, 2, .

The user selects k−1 random numbers a _l (l=1, 2, . . . , k−1) from the elements of GF(p) and generates the following variance formula.

W _i =s+a ₁ x _i +a ₂ xi ² + . . . +a _k−1 x _i ^k−1 (mod p)

The user substitutes each server ID for x _i in the above equation, calculates the variance value _Wi , and transmits it to each server _Si .

(restore processing)
Let the shared information used for restoration be W _i (i=0, 1, 2, . . . , k−1), and let the server ID corresponding to the shared information be x _i .

The original secret information s is restored by substituting x _i and W _i into the dispersion formula and solving k simultaneous equations. However, when restoring the secret information s, it is convenient to use the Lagrangian interpolation formula.

Also known is a ramp-type secret sharing scheme in which secret information is divided into L pieces and included as coefficients of a distributed formula. This makes it possible to reduce the dispersion value.

TUS method In the conventional secret multiplication, since the variance values obtained by the Shamir method are used as they are for multiplication, the order of the polynomial changes, and the number of variance values required for restoration increases to 2k-1. However, the TUS method proposed in Document 1 below multiplies secret information by a random number to generate anonymized secret information and secret-shares it. When the concealment multiplication is performed, the concealed secret information is temporarily restored, treated as a scalar quantity, and multiplied with other distributed values. As a result, since the degree of the polynomial does not increase upon multiplication, it is possible to perform confidential multiplication without changing the threshold. However, since secret information may be leaked in secret multiplication, secret information a and b do not contain 0, and random numbers do not contain 0 (secret information may contain 0 except for secret multiplication). In the TUS method, all confidential calculations including secret sharing processing are performed modulo p.

Literature 1: Takeshi Jingu, Keiichi Iwamura: “Proposal of secure calculation method using secret sharing method applicable to four arithmetic operations including division”, IEICE Technical Report 115 (122), 51-57, 2015-07- 02.

Literature 2: Ken Aoi, Takeshi Jingu, Keiichi Iwamura: “Investigation of Security of Secure Computation with n < 2k-1 and Application to Asymmetric Secret Sharing”, IEICE Technical Report 116 (129), 237-243, 2016- 07-14.

Problems of the TUS Method The TUS method is configured separately for secure addition/subtraction and secure multiplication/division, and it is shown in Document 2 above that security is ensured if they are used alone. However, it is not safe to perform a sum-of-products operation such as f(x)=ab+c by combining secret multiplication and secret addition. The following shows a case where the TUS method of secure multiplication ab is performed in procedures 1 to 5, and the secure addition ab+c is performed in procedures 6 to 10. FIG. Note that secret information a, b, c is a, b, c∈Z/pZ, and random numbers α _{j ,} β _j , λ _j , γ _j generated by distributed processing and secret addition are also α _j, β _j, λ _j, γ _j ∈ Z/pZ (however, once restored in multiplication, a and the random number are not 0). In the following

represents the variance value for a. All confidential operations, including secret sharing processing, are performed modulo p.

(secret operation of ab+c)
input:

output:

を収集し、一時的にαａのスカラー量を復元し、全サーバＳ_ｉに送信する。 Step 1: Server S ₀ is from k servers

, temporarily restore the scalar quantity of αa, and send it to all servers S _i .

を計算する。

Step 2: All servers S _i use the following formula to

to calculate

と

を収集し、α_ｊとβ_ｊを復元し、α_ｊβ_ｊを計算する。 Step 3: k servers S _j

and

, recover α _j and β _j , and compute α _j β _j .

Procedure 4: k servers S _j distribute random numbers α _j β _j to all servers S _i by Shamir's (k, n) threshold secret sharing method.

を保持する。 Procedure 5: Server S _i (i=0, 1, 2, . . . , n−1) distributes secret information ab as distributed information

hold.

と

を収集し、α_ｊβ_ｊとλ_ｊを復元する。それから、ｋ台のサーバＳ_ｊは乱数γ_ｊを生成し、サーバＳ_０にγ_ｊ／α_ｊβ_ｊ、γ_ｊ／λ_ｊを送信する。 Step 6: k servers S _j

and

and recover α _j β _j and λ _j . Then, k servers S _j generate random numbers γ _j and send γ _j /α _j β _j , γ _j /λ _j to server S ₀ .

Step 7: The server S ₀ uses γ _j /α _j β _j and γ _j /λ _j to calculate γ/αβ and γ/λ from the following formulas, and transmits them to all the servers _Si .

を計算する。

Step 8: All servers S _i use the following formula to

to calculate

Procedure 9: k servers S _j distribute the random number γ _j to all servers S _i by Shamir's (k, n) threshold secret sharing method.

を保持する。 Procedure 10: Server S _i (i=0, 1, 2, . . . , n−1) distributes secret information ab+c as distributed information

hold.

(Decryption processing)
Procedure a: The restorer collects k pieces of distributed information [ab+c] _j from K servers.

からγ（ａｂ＋ｃ）、γ_０、・・・、γ_ｋ－１を復元し、乱数

を計算する。 Step b: Collected distributed information

restore γ(ab+c), γ _0, . . . , γ _k−1 from the random number

to calculate

Procedure c: Using the restored secret information γ(ab+c) and the random number γ, restore the secret information ab+c from the following equation.
γ(ab+c)×γ ⁻¹ =ab+c

Since the sum-of-products operation is a three-input one-output operation, it is assumed that there are three input persons and one output person. Here, consider a case where the attacker is a restorer and an inputter of one value. For example, if an attacker is an input person and a restorer of secret information b, the attacker receives the secret information b input by the input person, a random number β, a random number γ for restoring the calculation result, the calculation results ab+c and k−1 It has information on αa, γ/αβ, and γ/λ leaked from servers. An attacker can obtain the random number α using the information on the random numbers β, γ, and γ/αβ. The attacker can calculate the secret information a from the obtained random number α and αa obtained during the calculation. Then, the attacker can learn the secret information c by using the secret information a, b and the operation result ab+c. As a result, if the attacker has the input information of the input person B, the information held by the restorer, and the information leaked from the k-1 servers, the remaining input person's information will be leaked. .

Generally, in secure computation for big data, etc., there are multiple people who input confidential information, and the restorer who restores the results of secure computation is different from the input person, or partially the same as the input person, and the interests are other people. assumed to be in conflict with On the other hand, in NN, the input person is often one person or the same organization (hereinafter referred to as the input person) who is trying to solve a certain problem, and the input person prepares a lot of learning data, and all the secrets Know the information and the result of the operation. Here, it is assumed that the input person wants to keep the input and the problem to be solved confidential from the NN machine and an attacker who can monitor the NN machine. When secret sharing is used, the minimum n=2, but in the following, we will aim at n=1 and propose an effective secure calculation method for n=1 and 2 cases.

First, when trying to solve a problem with an NN machine using secret sharing, even if the minimum threshold value of n = k = 2 is used other than the TUS method, if confidential multiplication is included, the number of NN machines corresponding to n is 3. It is known to require more than one unit. In addition, the TUS method cannot realize a safe sum-of-products operation.

Therefore, as a first embodiment, consider a case where the input person and the restorer are the same person, and at least two NN machines realize secure computation. In this case, the TUS method, in which the input person and the restorer are different and have conflicting interests, should be streamlined according to the above situation, and it is not guaranteed that the input information does not contain 0, so the TUS method cannot handle it. The problem is to realize a sum-of-products operation that includes 0 in the secret information that was not there before.

The four arithmetic operations can be realized by a combination of sum-of-products operations ab+c. In the TUS method, the sum-of-products operation could not be executed safely, but if the secure sum-of-products operation could be safely realized, any four arithmetic operations could be realized by combining them. However, in this embodiment, it is assumed that one input person inputs all the confidential information a, b, and c. In the following, n NN machines will be described as an example, but n=k=2 can be used to minimize the number of NN machines. In the TUS method, the secret information is directly multiplied by a random number and distributed. Therefore, when αa is restored as a scalar quantity in the secret multiplication, when the secret information is a=0, αa=0, so the secret information includes 0. I couldn't. In addition, since αa is not restored in the secret addition, a=0 may be set, but αa must be secret-sharing. All information, including Therefore, a great deal of time and effort was required to distribute and restore all the secret information. In the following, the secret information is simply multiplied by a random number without being dispersed, and 1 is added to the secret information a. Therefore, α(a+1) can be distributed as it is without being distributed. Also, the input person can use α directly to know all the secrets. That is, there is no need to decompose into α0, α1, .

In the following, the secret information a, b, c is a, b, c<p−1 to add 1, and the generated random numbers α, β, γ, δ are α, β, γ, δ∈Z/pZ (however, 0 is not selected as a random number). In addition, all calculations including secret sharing processing are performed modulo p. Also, the following symbols are defined. Also, to publish a value means to send that value to all machines that perform confidential operations.

(symbol definition)
[a]i indicates the variance value for the value a held by the machine 14Ni.

[Dispersion 1]
Next, distribution 1 executed by the distribution unit 42 in the CPU 22 of the input person's device 12 will be described with reference to FIG.

At step 52, the distribution unit 42 generates random numbers α, β, γ. The random numbers α, β, and γ may be true random numbers or pseudorandom numbers. The same applies to each random number below.

At step 54, the distribution unit 42 calculates α(a+1), β(b+1), γ(c+1) as follows.

α(a+1)=α×(a+1)
β(b+1)=β×(b+1)
γ(c+1)=γ×(c+1)

At step 56, the distribution unit 42 transmits α(a+1), β(b+1), γ(c+1) to all machines 14N0 to 14Nn-1.

At step 58, the distributing unit 42 generates a random number δ, at step 60, the distributing unit 42 calculates δ/αβ, δ/α, δ/β, δ/γ, δ, and at step 62, the variance The unit 42 calculates the secret sharing values [δ/αβ] _i , [δ/α] _i , [δ/β] _i , [δ/γ] _i , [δ] _i (i=0, , k−1).

At step 64, the distribution unit 42 distributes the distributed values [δ/αβ] _i , [δ/α] _i , [δ/β] _i , [δ/γ] _i , [δ] _i to the corresponding machines 14N0 to Send to machine 14Ni in 14Nn-1.

Note that the distribution unit 42 in the CPU 22 of the input person's apparatus 12 stores δ in the memory 28 of the input person's apparatus 12 .

[Confidential multiply-add operation 1]
Next, referring to FIG. 6, the secret sum-of-products operation unit in the CPU 22 of a predetermined k or more machines 14N0 to 14Nn-1 (machine 14Ni (i = 0, ..., k-1)) The secure multiply-add operation 1 executed by 44 will be described.
At step 72, the secure sum-of-products operation unit 44 calculates the following.
[δ (ab + c + 1)] _i = α (a + 1) x β (b + 1) x [δ / α β] _i - α (a + 1) x [δ / α] _i - β (b + 1) x [δ / β] _i + γ ( c+1)×[δ/γ] _i +[δ] _i

At step 74, the secure sum-of-products operation unit 44 restores δ(ab+c+1) with the cooperation of k or more predetermined machines.

At step 76, the secure sum-of-products operation unit 44 stores δ(ab+c+1) in the memory 28 of each of the machines 14N0 to 14Nn−1.

When the input person obtains the calculation result, the input person device 12 obtains δ(ab+c+1) from any machine, divides it by the stored δ and subtracts 1, thereby obtaining ab+c, which is the result of the sum-of-products operation. . Alternatively, collect [δ] _i to restore, divide by δ and subtract 1. Also, although 1 is added to a variance of 1, the value to be added is not limited to 1, and other values, such as 2, may be calculated using the following sum-of-products operation.

[δ(ab+c+2)] _i = α(a+2)×β(b+2)×[δ/αβ] _i −2α(a+2)×[δ/α] _i −2β(b+2)×[δ/β] _i +γ( c+2)×[δ/γ] _i +4[δ] _i

Other values may be values on Z/pZ corresponding to -1, -2, for example. The input person's device 12 may divide δ(ab+c−1) by the stored δ and add 1 (or 2, etc.) to obtain the sum-of-products operation result, ab+c.

In addition, if c=0 in the secure sum-of-products operation 1, it becomes a secure multiplication, and if a=1, it becomes a secure addition. Also, if +γ(c+1) in step 72 of FIG. 6 is set to −γ(c+1), the secret subtraction is obtained. In the secret sum-of-products calculation 1, the information necessary for the secret sum-of-products calculation in step 72 other than the disclosed α(a+1), β(b+1), and γ(c+1) is distributed, and only the input person's device 12 knows it. It is information-theoretically safe because people cannot know anything other than the information that has been made public.

[Secret Sharing 1]

Also, the secret division is performed as follows. FIG. 7 shows a flowchart of secret sharing 1 executed by the distributing unit 42 in the CPU 22 of the input person's device 12 for secret division.

At step 82, the distributing unit 42 generates a random number α', and at step 84, the distributing unit 42 calculates α'/α.

At step 86, the distribution unit 42 calculates the secret sharing value of α'/α and the secret sharing value of α'.

At step 88, the distribution unit 42 transmits the secret sharing value of α'/α and the secret sharing value of α' to the corresponding machine 14Ni.

[Secret division 1]
FIG. 8 shows a flowchart of the secret division calculation 1 executed by the secret division section 46 in the CPU 22 of each of the machines 14N0 to 14Nn-1.

At step 92, the secure division unit 46 calculates:
[α′a] _i =α(a+1)×[α′/α] _i −[α′] _i

At step 94, the secure division unit 46 cooperates with other machines to restore [α'a]i.

At step 96, the confidential division unit 46 determines whether or not α'a=0. If α'a=0, the secret division 1 ends.

If α'a=0 is not true, at step 98, the secure division unit 46 calculates 1/α'a.

At step 100 , the secure division unit 46 sends 1/α′a as α(a+1) to the secure sum-of-products operation unit 44 for secure sum-of-products operation 1 . As a result, the secret sum-of-products operation unit 44 obtains a result obtained by changing the multiplication to the division. However, the calculation of -β(b+1)×[δ/β] _i in step 72 of the secure sum-of-products operation 1 is omitted because 1/α'a is not added to 1.

When α′a=0 in the above secret division, the fact that a=0 is leaked out. There is no problem in knowing that is 0. Therefore, the input person may generate [α'a] _i in advance and input it when necessary.

In the case of continuous operations, the restored δ(ab+c+1) is one of α(a+1), β(b+1), and γ(c+1), and other confidential operation results calculated by similar operations are α(a+1). , β(b+1), and γ(c+1). Alternatively, δ may be newly generated, and δ/αβ, δ/α, δ/β, δ/γ, δ may be calculated for the random numbers α, β, and γ.

In addition, the input can be concealed by the above, but since the four arithmetic operations can be expressed by combining product-sum operations, the problem to be solved is a dummy product-sum operation (if a = b = c = 0, a dummy for addition The problem to be solved by repeating the fixed secret product-sum operation including the product-sum operation processing, and if a = b = 0 and c = 1, it becomes a dummy product-sum operation processing for multiplication. can also be hidden.

Further, when repeating the calculation, the distribution unit 42 in the CPU 22 of the input person's device 12 newly generates δ in the distribution 1 (see FIG. 5), and δ/ αβ, δ/α, δ/β, δ/γ, and δ are calculated, but if the calculation procedure is known in advance, they can be calculated in advance.

However, in this case, the distributing unit 42 needs to perform calculations in advance according to the calculation procedure, which may impose a heavy burden on the distributing unit 42 . Therefore, when it is desired to reduce the load on the distribution unit 42, the distribution unit 42 only needs to generate and distribute random numbers as follows, and the subsequent processing can be executed only by the machines 14N0 to 14Nn-1. In the following description, it is assumed that the machine 14Ni that performs the operation is fixed among the n machines with n=k, and the random numbers forming α are sent directly to the machine. If the variance 1' and the secret product-sum operation 1' are not performed consecutively and the machine 14Ni that performs the operation is not determined, α _i , β _i , γ _i (i=0, . . . , k−1) etc. may be secret-shared among n machines, and the machines participating in the computation at the time of confidential computation may collect and restore k distributed values of the corresponding random numbers from among them.

[Dispersion 1′]
Next, distribution 1' executed by the distribution section 42 in the CPU 22 of the input person's device 12 in the above case will be described with reference to FIG.

At step 102, _{the distribution unit} 42 _generates k random number sets α ₀ , _{α 1} , _. , . . . , γ _k−1 .

At step 104, distribution unit 42 calculates:

First, the distribution unit 42 calculates α=α ₀ ×α ₁ × . . . ×α _k−1 and calculates α(a+1)=α×(a+1).

The distribution unit 42 calculates β=β ₀ ×β ₁ × . . . ×β _k−1 and β(b+1)=β×(b+1).

The distribution unit 42 calculates γ=γ ₀ ×γ ₁ × . . . ×γ _k−1 and γ(c+1)=γ×(c+1).

At step 106, distribution unit 42 transmits α(a+1), β(b+1), γ(c+1) to all machines 14N0 to 14Nn−1.

At step 110, the distribution unit 42 transmits αi, βi, γi (i=0, . . . , k−1) to the corresponding machines 14Ni.

At step 112, _{distribution unit 42} generates _k random number sets ε _{0 ,} ε ₁ , _. , λ _k-1 , η ₀ , η ₁ , . . . η _k-1 , μ ₀ , μ _{1 ,} .

At step 114, distribution unit 42 calculates:

ε=ε ₀ ×ε ₁ × . . . ×ε _k−1
φ=φ ₀ ×φ ₁ ×・・・×φ _k−1
λ=λ ₀ ×λ ₁ × . . . ×λ _k−1
η = η ₀ × η ₁ × … × η _k-1
μ=μ ₀ ×μ ₁ ×・・・×μ _k−1
At step 116, the distribution unit 42 calculates the variance values [ε] i , [φ] _i , [λ] _i , [η] _i , [μ _{] i} of ε, φ, λ, η, and μ.

At step 118, the distribution unit 42 divides the variance values [ε] _i , [φ] _i , [λ] i , [η] _{i ,} [μ] _i and ε _i , φ _i , λ _i , η _i , μ _i to the corresponding machine.

[Confidential multiply-add operation 1']
Next, the secure sum-of-products operation 1' executed by the secure sum-of-products operation unit 44 in the CPU 22 of each of the machines 14N0 to 14Nn-1 will be described with reference to FIG.

At step 122, the secure sum-of-products operation unit 44 generates a random number _δi .

In step 124, the secure sum-of-products operation unit 44 _calculates δi _{/ αiβiεi , δi / αiφi} , _δi / _{βiλi , δi / γiηi , δiμi} to calculate

At step 126, the secure sum-of-products operation unit 44 _calculates δi _{/ αiβiεi , δi / αiφi} , _δi / _{βiλi , δi / γiηi , δiμi} to a predetermined machine 14N0 (may be exchanged between two machines when n=k=2).

As shown in FIG. 11, in step 142, the secret sum-of-products operation unit 44 in the CPU 22 of the predetermined machine 14N0 calculates the following δ/αβε, δ/αφ, δ/βλ, δ/γη, μ , in step 146, each value calculated in step 142 is transmitted to all machines (if the values are exchanged with each other in step 126, the processing of FIG. 11 is unnecessary, and all machines can obtain δ/αβε, δ/αφ , .delta./.beta..lambda., .delta./.gamma..eta., .mu.. That is, step 128 is changed to ``compute .delta./.alpha..beta..epsilon., .delta./.alpha..phi., .delta./.beta.

とは同じである。 In addition, "φ" and

is the same as

At step 128, the secure sum-of-products operation unit 44 receives δ/αβε, δ/αφ, δ/βλ, δ/γη, μ transmitted from the predetermined machine 14N0.

At step 130, the secure sum-of-products operation unit 44 calculates the following.
[αβε(a+1)(b+1)] _i =α(a+1)×β(b+1)×[ε] _i
[αφ(a+1)] _i =α(a+1)×[φ] _i , [βλ(b+1)] _i =β(b+1)×[λ] _i , [γη(c+1)] _i =γ(c+1)×[ η] _i

At step 132, the secure sum-of-products operation unit 44 calculates the following.
[δ(ab+c+1)] _i = δ/αβε×[αβε(a+1)(b+1)] _i −δ/αφ×[αφ(a+1)] _i −δ/βλ×[βλ(b+1)] _i +δ/γη× [γη(c+1)] _i + δ/μ×[μ] _i

([ε] _i , ε _i ), ([φ] _i , φ _i ), ([λ] _i , λ _i ), ([η ] _i , η _i ) and ([μ] _i , μ _i ) are referred to as conversion random numbers as will be described later. It may be generated between machines or by other machines. Also, ([ε] _i , ε _i ), ([φ] _i , φ _i ), ([λ] _i , λ _i ), ([η] _i , η _i ), ([μ] _i , μ _i ) may be prepared in advance. In the secret sum-of-products operation 1′, δ corresponding to the following α, β, γ is distributed during the operation, and new δ is also generated by the machines 14N0 to 14Nn−1 during the operation. Calculation can be continued without processing.

In recent years, there has been a growing movement to make NN machines open to the public for free use. When there are two such public NN machines, the first embodiment is safe as long as the information of all the NN machines is not leaked, and only two NN machines are prepared, which is an advantage that cannot be realized by the conventional method. can be realized. In addition, it is possible to efficiently obtain a secret operation result while concealing a problem solved by a fixed combination of sum-of-products operations, which cannot be done safely in the TUS method. In addition, since the input person's device is the restorer's device and all information is known, the efficiency of many processes can be improved. This allows an individual or the same organization to utilize a public NN machine to perform any desired hidden operation without revealing their secret information and the problem they are trying to solve to the NN machine or an attacker.

<Second Embodiment>
Since the secret information sharing and confidentiality computing system of the second embodiment has the same configuration as that of the first embodiment, the same constituent parts are denoted by the same reference numerals, and the explanation thereof is omitted. However, the input person's device 12 is also a calculation support device.

Further, in the second embodiment, one predetermined machine 14NN among the machines 14N0 to 14Nn-1 performs the secure operation.

In the secret sharing method, the number of secret information to be distributed is the same as the number of machines performing calculations. In the present embodiment, since the number of machines that perform calculations and the number of shares in secret sharing are different, the number of machines that perform calculations is N (1 in this embodiment), and the number of shares and the threshold for secret sharing are n and It is represented by k (although n and k can be arbitrary numbers, the minimum value of n=k=2 is assumed below for the sake of simplicity of explanation).

It is a big problem how to safely execute the confidential calculation using secret sharing by one machine 14NN, or how to perform the confidential calculation when the number of machines performing the calculation and the number of secret information sharing are different. There is no example that has achieved it so far.

In the second embodiment, two random numbers δ ₀ and δ ₁ are introduced in order to safely execute secret sharing by one NN machine, and a different random number is used for each distributed value, although the details will be described later. It is characterized by performing calculation by multiplying.

Next, functions realized by executing a program by the CPU 22 of the input person's device 12 according to the second embodiment will be described. The program has distributed functions and computational support functions. By executing a program having these functions, the CPU 22 functions as the distribution unit 42 and the calculation support unit 150 as shown in FIG. 12 .

[Dispersion 2]
First, with reference to FIG. 13, distribution 2 executed by the distribution unit 42 in the CPU 22 of the input person's device 12 will be described.

At step 152, the distribution unit 42 generates random numbers α, β, γ.

At step 154, the distribution unit 42 calculates α(a+1), β(b+1), γ(c+1) as follows.
α(a+1)=α×(a+1)
β(b+1)=β×(b+1)
γ(c+1)=γ×(c+1)

At step 156, the distribution unit 42 transmits α(a+1), β(b+1), γ(c+1) to one machine 14NN.

At step 158, the distribution unit 42 generates random numbers δ ₀ and δ ₁ .

At step 160, the distributing unit 42 calculates secret sharing values of δ ₀ /αβ, δ ₀ /α, δ ₀ /β, δ ₀ /γ, [δ ₀ /αβ] ₀ , [δ ₀ / α] ₀ , [δ ₀ /β] ₀ , [δ ₀ /γ] ₀ and δ ₀ /αβ] ₁ , [δ ₀ /α] ₁ , [δ ₀ /β] ₁ , [δ ₀ /γ] ₁ get

At step 162, distribution unit 42 calculates (δ=δ ₀ δ ₁ ).
[δ/αβ] ₁ = δ ₁ × [δ ₀ /αβ] ₁
[δ/α] ₁ = δ ₁ × [δ ₀ /α] ₁
[δ/β] ₁ = δ ₁ × [δ ₀ /β] ₁
[δ/γ] ₁ = δ ₁ × [δ ₀ /γ] ₁
At step 164, the distribution unit 42 performs [δ ₀ /αβ] ₀ , [δ ₀ /α] ₀ , [δ ₀ /β] ₀ , [δ ₀ /γ] ₀ and [δ/αβ] ₁ , [δ /α] ₁ , [δ/β] ₁ , [δ/γ] ₁ to machine 14NN.

[Multiply-sum operation 2]

Next, the sum-of-products operation 2 executed by the confidential sum-of-products operation unit 44 in the CPU 22 of the machine 14NN will be described with reference to FIG.

At step 172, the secure sum-of-products operation unit 44 calculates the following.
[δ ₀ (ab + c)] ₀ = α (a + 1) x β (b + 1) x [δ ₀ / α β] ₀ - α (a + 1) x [δ ₀ / α] ₀ - β (b + 1) x [δ ₀ / β ] ₀ +γ(c+1)×[δ ₀ /γ] ₀
[δ(ab+c)] ₁ =α(a+1)×β(b+1)×[δ/αβ] ₁ −α(a+1)×[δ/α] ₁ −β(b+1)×[δ/β] ₁ +γ( c+1)×[δ/γ] ₁

[Calculation support 2]

Next, calculation support 2 executed by the calculation support unit 150 in the CPU 22 of the input person's device 12 when continuing or ending the calculation will be described with reference to FIG.

At step 182, the computation support unit 150 collects [δ ₀ (ab+c)] ₀ and [δ(ab+c)] ₁ .

At step 184, the calculation support unit 150 calculates [δ(ab+c)] ₀ = _δ1 [ _δ0 (ab+c)] ₀ .

At step 186, the computation support unit 150 restores δ(ab+c).

At step 187, the calculation support unit 150 determines whether or not to continue the calculation. This is determined by whether the arithmetic processing being executed ends there or whether there is a continuation of the processing, that is, it depends on the program set by the input person. When continuing the calculation, in step 188, the calculation support unit 150 calculates δ(ab+c+1)=δ(ab+c)+δ.

Then, at step 190, the computation support unit 150 sends .delta.(ab+c+1) to the machine 14NN.

If the calculation result is obtained without continuing the calculation, in step 192, the calculation support unit 150 divides δ(ab+c) by δ to calculate ab+c.

However, when performing an operation that continues addition and subtraction, addition and subtraction may be continued by combining the coefficients with other [δ ₀ (ab+c)] ₀ , [δ(ab+c)] ₁ without performing operation support 2 . Also, the multiplication and division remainder can be directly repeated as α(a+1)×β(b+1). In other words, it is not necessary to carry out the calculation support processing for repeated addition/subtraction or multiplication/division, and it is sufficient to carry out once when combining addition/subtraction and multiplication/division such as product-sum calculation. Since [δ ₀ (ab+c)] ₀ , [δ(ab+c)] ₁ calculated in the sum-of-products operation 2 are multiplied by independently determined different random numbers δ ₀ , δ, even if k=2, they are correct. It cannot be restored, and information-theoretic security can be achieved.

[Calculation support 2']

Next, the calculation support 2' executed by the calculation support unit 150 in the CPU 22 of the inputter's device 12 will be described with reference to FIG.

At step 202, the computation support unit 150 collects [δ ₀ (ab+c)] ₀ and [δ(ab+c)] ₁ .

At step 203, the calculation support unit 150 calculates the following.
[δ ₀ (ab+c+1)] ₀ = [δ ₀ (ab+c+1)] ₀ + [0] ₀ + δ ₀
[δ(ab+c+1)] ₁ =[δ(ab+c+1)] ₁ +[0] ₁ +δ
Here, [0] ₀ and [0] ₁ are the variance values of the constant term 0, which can be prepared in advance.

At step 204, the calculation support unit 150 determines whether or not to continue the calculation.

If the calculation is to be continued, in step 205 the calculation result is sent to the machine 14NN.

If the calculation is not to be continued (step 204: N), in step 206, the calculation support unit 150 multiplies [δ ₀ (ab+c+1)] ₀ by δ ₁ to generate [δ(ab+c+1)] ₀ . Then, in step 207, restore δ(ab+c+1) from [δ(ab+c+1)] ₀ and [δ(ab+c+1)] ₁ , divide by δ and subtract 1 to obtain ab+c.

This saves the trouble of restoring the input person's device 12 except when the final calculation result is obtained by the calculation support 2'.

To continue the operation, the machine 14NN restores δ(ab+c+1) and makes it one of α(a+1), β(b+1), γ(c+1), obviously allowing the operation to continue.

Also, in the secure sum-of-products operation, setting c=0 results in secure multiplication, and setting a=1 results in secure addition. Also, in step 172 of FIG. 14, if + of ab+c is set to - and ab-c is set, that is, if +γ(c+1) is set to −γ(c+1), then confidential subtraction is performed.

[Secret division 2]

Next, with reference to FIG. 17, the confidential division 2 executed by the calculation support unit 150 (or the distribution unit 42) in the CPU 22 of the input person's device 12 will be described. Note that the distributing unit 42 in the CPU 22 of the input person's device 12 executes steps 82 to 86 in FIG. 7 for the secret division.

At step 220, the computation support unit 150 generates a random number α″.

At step 222, computation support unit 150 calculates:
[α″/α] ₁ =(α″/α′)[α′/α] ₁
[α″] ₁ = (α″/α′)[α′] ₁

At step 226, the secret division unit 46 sends [α'/α] ₀ , [α'] ₀ , [α″/α] ₁ , [α″] ₁ to the machine 14NN.

The machine 14NN calculates the following and sends it to the input person device 12.

[α′a] ₀ =α(a+1)×[α′/α] ₀ −[α′] ₀
[α″a] ₁ =α(a+1)×[α″/α] ₁ −[α″] ₁

Therefore, at step 228, the computation support unit 150 receives [α′a] ₀ and [α″a] ₁ .

At step 230, the computation support unit 150 restores α″a from [α″a] ₀ =(α″/α′)[α′a] ₀ and [α″a] ₁ .

At step 232, the computation support unit 150 determines whether or not α″a=0.

If α″a=0 is not true, at step 234 the computation support unit 150 calculates 1/α″a.

In step 236, the computation support unit 150 sends 1/α″a as α(a+1) to the secure product-sum operation unit 44 for secure product-sum operation 2. As a result, the secure product-sum operation unit 44 performs multiplication However, since 1 is not added to 1/α″a, the calculation for subtracting β(b+1) in step 172 of the secure multiply-add operation 2 is omitted.

In the secret division 2, steps 222-228 in FIG. 17 can be performed in advance, and steps 230-236 serve as computation support in the secret division. Further, the processing of steps 228 to 236 may be performed by the machine 14NN without being performed by the calculation support unit.

Further, after step 156 of FIG. 13 for sharing 2, processing for secret sharing α, β, and γ is added, and after step 164, processing for restoring α, β, and γ is added, steps 152 to Even if the execution start times between 156 and steps 158 to 164 are significantly different, the distributing unit 42 in the CPU 22 of the inputter's device 12 stores α, β, and γ used for concealing the secret information. can be performed without precomputation, and steps 158-164 can be processed during computation as a computational aid without having to be precomputed.

According to the second embodiment, even if there is only one machine 14NN, it is possible to prevent leakage of the confidential information of the input person's device 12 and the problem to be solved. Conventionally, when there is only one NN machine, the secret sharing method cannot be applied and there is no choice but to use homomorphic encryption that requires a huge amount of calculation. However, this problem can be solved by the second embodiment.

<Third Embodiment>
Next, a third embodiment will be described. Since the configuration of the third embodiment has the same parts as the configuration of the first embodiment, the same parts are denoted by the same reference numerals and detailed descriptions thereof are omitted.

As shown in FIG. 18, the secret information distribution and confidentiality computing system of the third embodiment includes a plurality of, for example, three input person devices 12A to 12C, a plurality of (N ) of machines 14N0 to 14Nn−1 and a restorer device 18 . The third embodiment differs from the first embodiment in that three input person devices 12A to 12C each having secret information a, b, and c and a restorer device 18 described below are provided. .

Next, the functions realized by the CPU 22 of the restorer's device 18 according to the third embodiment executing the program will be described. The program has a restoration function that collects the distributed values and restores the secret information. As the CPU 22 executes a program having these functions, the CPU 22 of the restorer's device 18 functions as the restorer 242 as shown in FIG.

Next, functions realized by executing programs by the CPUs 22 of the machines 14N0 to 14Nn-1 according to the third embodiment will be described. The program has a conversion random number generation function, a secure multiply-add operation function, and a secure division function. When the CPU 22 executes a program having this function, the CPU 22 functions as a conversion random number generation unit 244, a secure product-sum operation unit 44, and a secure division unit 46, as shown in FIG.

The machines 14N0 to 14Nn-1 also function as conversion random number generators.

In the third embodiment, a plurality of (for example, three) input person devices 12A to 12C and a restorer device 18 that knows the result are different, and a plurality of (minimum n=k=2) machines 14N0 to 14Nn are used. Consider the case of performing secure calculation with −1.

In the TUS method, confidential addition and confidential multiplication are safe when used alone, but it is known that combining multiplication and addition, such as the sum-of-products operation, poses security problems, such as leakage of the confidential information of the input person. . Therefore, generation of conversion random numbers is a problem so that secure computation can be realized even in such a case. In the first and second embodiments, since the same input/output device is assumed, even if the product-sum operation is performed by the TUS method, there are no multiple input/output parties with conflicting interests, so the above problem occurs. didn't.

Here, the input person device having the secret information a, b, c (hereinafter also referred to as "input person" in the third embodiment) is different, and the restorer device (hereinafter, in the third embodiment, (also referred to as a "restorer") are also different, and there is a conflict of interest. It is also assumed that there are a plurality of machines (minimum N=n=k=2). In addition, in order to protect its own confidential information from other inputters and restorers, it generates the following conversion random numbers. There was no known method of secretly generating this conversion random number by multiple untrusted inputters. For example, a method is known in which one input person generates a value of random numbers for conversion as in steps 112 to 118 in FIG. 9 of distribution 1′ of the first embodiment. . Therefore, if the input person's device is an attacker, the secure computation using it is not secure, and the input person's device must be reliable as in the first embodiment. A generation method in which the random number for conversion is not specified even if there is no reliable input person is shown below.

Documents 3 and 4 below disclose a method of converting a variance value generated using a 2k-th order polynomial into a variance value for a k-th order polynomial. For example, in the method of Document 3, using the following matrix A whose elements are constants generated by a certain rule, for a variance value vector W = (W0, W1, ..., W2k-1) for a 2k-order polynomial, can be converted into a variance value vector R=(R0, R1, . realizable). However, the methods of Documents 3 and 4 are effective when the number of machines N is N≧2k−1, but in this embodiment, N<2k−1, that is, the actual number of machines N satisfies N≧2k−1. Handle the case where there is none.

Reference 3: M. Ben-Or, S. Goldwasser, and A. Wigderson, “Completeness theorems for non-cryptographic fault-tolerant distributed computation,” STOC ’88, 1988, pp. 1-10, ACM Press.

Reference 4: Rosario Gennaro, Michael O. Rabin, and Tal Rabin, “Simplified VSS and fast-track multiparty computations with applications to threshold cryptography,” In Brian A. Coen and Yehuda Afek, editors, PODC, 1998, pp. 101- 111, ACM.

A case in which a conversion random number generation unit by u input persons generates a conversion random number using the conversion random number generation units 244 of N=t=k machines will be described below with reference to FIG. . In the following, entrant means the entrant device and _Si can be the machine 14Ni. However, this input person, Si _, etc. need not be the same as each device that performs the secret product-sum operation described later, and may be generated by another secret operation system, or the system itself may be a random number generation system for conversion. can be specialized as

[Generation of random numbers for conversion 3]

(Processing 3 (1))
The input person i (i= ₀ , . . . , u−1) is a random number λ _{i ,0 ,} . Generate β _i,0 , _{. . .} , β _{i ,t-1} , .
_{λ i = λ , 0 × . i, t-1} , ..., _γi = γi _{, 0} × ... x γi _{, t-1}

(Processing 3 (2))
The input person i sets k=t, n=ut (strictly speaking, n=u(k−1)+1 or more), secret-shares λ _i using the Shamir method, and [λ _i ] ₀ , . . . We obtain [λ _i ] _ut−1 .

(Processing 3 (3))

The input person i divides the generated variance value every t and multiplies it by a random number as follows.
[α _i λ _{i ] t} = _{α i × [ λ i ] t , .
[} β _i λ _{i ] 2t} = _{β i × [} λ _{i ] 2t} , _.
:
_[ γ _i λ _i ] _{(u−1) t} = γ _{i ×} [λ _{i ]} (u− _{1 ) t , . 1}

(Processing 3 (4))
Input person i is [λ _{i ] j} , [α _i λ _{i ] j+t ,} [β _i λ _i ] _{j +2t} , . Send _i,j , β _i,j , . . . , γ _i,j to machine S _j (j=0, .

(Processing 3 (5))
S _i (i=0, . . . , t−1) computes: However, since the following multiplication is multiplication of variance values, the multiplication result is equivalent to the variance value by Shamir's method with k=u(t−1)+1 and n=ut.
[λ ₀ λ ₁ . . . λ ₃ ] _i = [λ ₀ ] _{i ×} [λ ₁ ] _{i × .}

_{[ α 0 α 1 . . . α 3 λ 0 λ 1 . 1} ] _{i + t
[ β 0 β 1 . _ _ _ _ _ _ _ _ _ 1} ] _i+2t
:
_{[ γ 0 γ 1 . . .} γ ₃ λ _{0 λ 1 . u−1) t} × . . . × [γ _u−1 λ _u−1 ] _{i+(u−1) t}

(Processing 3 (6))
S _i (i=0, . . . , t− ₁ ) is α _{0, i ×} α _{1, i} . Calculate _{u−1,i ,} . . . γ _{0 ,i} ×γ _1,i . Also, λ' _i =λ _0,i ×λ _1,i ×λ _2,i × . . . ×λ _u−1,i is calculated.

(Processing 3 (7))

S ₀ multiplies all the α _{0, i} × _{α 1 , i .} β ₀ β ₁ … β _u-1 is obtained by multiplying _{1, i} ... x β _u-1 , γ _{0, i} x γ _{1, i} … x γ _{u-1, i} are multiplied to calculate γ ₀ γ ₁ . . . γ _u−1 and sent to all machines.

(Process 3 (8))

S _i (i=0, . . . , t−1) computes: However, λ=λ ₀ λ ₁ . . . λ _u−1 .
[λ] _{i + t} = [α ₀ α ₁ ... α ₃ λ ₀ λ ₁ ... λ ₃ ] _{i + t} / (α ₀ α ₁ ... α ₃ )
_[ λ] _{i +2t} =[ _{β0β1 ... β3λ0λ1 ... λ3} ] _i+2t /( _β0β1 ... _β3 )
:
[λ] _i+(u-1)t =[ _{γ0γ1 ... γ3λ0λ1 ... λ3} ] _{i +(u-1)t /} ( _γ0γ1 ... _γ3 )

(Processing 3 (9))
S _i (i = 0, ..., t-1) calculates [0 _i ] _j with secret sharing using Shamir method with 0 as k = u (t-1) / 2 + 1, n = ut / 2 and send R _i,j , R _i,j+t , . . . , R _i,j+u′t to S _j by calculating: However, h= ₀ , .
R _i,h = a _{i, h} × [λ] _i + a _{i + t, h} × [λ] _{i + t} + a _{i + 2t, h} × [λ] _{i + 2t} + … + a _i + _{(u−1) t, h} × [λ ] _i+(u−1)t +[0 _i ] _h ,

(Processing 3 (10))

S _i (i=0, . . . , t−1) is obtained by halving the order of [λ] _{i ,} . , ut/2). However, u″=u(t−1)/2
[λ] _i =R _0,i + . . . +R _t−1,i ,[λ] _{i +u′} =R _0,i+u′ + .

(Processing 3 (11))

_{S i} (i= ₀ , . ' _i ).

Since the above description is complicated, the case of u=4 and N=t=k=2 will be specifically described below (see also FIG. 22).

[Generation of random numbers for conversion 3']
(Processing 3' (1))
User 0 generates random numbers λ _0,0 , λ _0,1 , α _0,0 , α _0,1 , β _0,0 , β _0,1 , γ _0,0 , γ _0,1 and calculate.
λ ₀ =λ _0,0 ×λ _0,1 ,α ₀ =α _0,0 ×α _0,1 ,β ₀ =β _0,0 ×β _0,1 ,γ ₀ =γ _0,0 ×γ _{0, 1}

(Processing 3' (2))
_Input person _{0 obtains} [λ ₀ ] ₀ , .

(Processing 3' (3))
Input person 0 calculates the following.
[α ₀ λ ₀ ] ₂ = α ₀ × [λ ₀ ] ₂ , [α ₀ λ ₀ ] ₃ = α ₀ × [λ ₀ ] ₃
[β ₀ λ ₀ ] ₄ = β ₀ × [λ ₀ ] ₄ , [β ₀ λ ₀ ] ₅ = β ₀ × [λ ₀ ] ₅
[γ ₀ λ ₀ ] ₆ = γ ₀ × [λ ₀ ] ₆ , [γ ₀ λ ₀ ] ₇ = γ ₀ × [λ ₀ ] ₇

(Processing 3' (4))
Input person 0 has [λ ₀ ] ₀ , [α ₀ λ ₀ ] ₂ , [β ₀ λ ₀ ] ₄ , [γ ₀ λ ₀ ] ₆ , λ _0,0 , α _0,0 , β _0,0 , γ Send _0,0 to machine _S0 .

(Processing 3' (5))
Input person 0 has [λ ₀ ] ₁ , [α ₀ λ ₀ ] ₃ , [β ₀ λ ₀ ] ₅ , [γ ₀ λ ₀ ] ₇ , λ _0,1 , α _0,1 , β _0,1 , γ Send _0,1 to machine _S1 .

(Processing 3' (6))
Input person 1 generates random numbers λ _1,0 , λ _1,1 , α _1,0 , α _1,1 , β _1,0 , β _1,1 , γ _1,0 , γ _1,1 and calculate.
λ ₁ =λ _1,0 ×λ _1,1 ,α ₁ =α _1,0 ×α _1,1 ,β ₁ =β _1,0 ×β _1,1 ,γ ₁ =γ _1,0 ×γ _{1 , 1}

(Processing 3' (7))
_Input person _{1 obtains} [λ ₁ ] ₀ , .

(Processing 3' (8))
Enterer 1 computes:
[α ₁ λ ₁ ] ₂ = α ₁ × [λ ₁ ] ₂ , [α ₁ λ ₁ ] ₃ = α ₁ × [λ ₁ ] ₃
[β ₁ λ ₁ ] ₄ = β ₁ × [λ ₁ ] ₄ , [β ₁ λ ₁ ] ₅ = β ₁ × [λ ₁ ] ₅
[γ ₁ λ ₁ ] ₆ = γ ₁ × [λ ₁ ] ₆ , [γ ₁ λ ₁ ] ₇ = γ ₁ × [λ ₁ ] ₇

(Processing 3' (9))
Input person 1 has [λ ₁ ] ₀ , [α ₁ λ ₁ ] ₂ , [β ₁ λ ₁ ] ₄ , [γ ₁ λ ₁ ] ₆ , λ _1,0 , α _1,0 , β _1,0 , γ Send _1,0 to machine _S0 .

(Processing 3' (10))
Input person 1 has [λ ₁ ] ₁ , [α ₁ λ ₁ ] ₃ , [β ₁ λ ₁ ] ₅ , [γ ₁ λ ₁ ] ₇ , λ _1,1 , α _1,1 , β _1,1 , γ Send _1,1 to machine _S0 .

(Processing 3' (12))
Input persons 2 and 3 also perform the same processing. So S ₀ holds:

[λ ₀ ] ₀ , [λ ₁ ] ₀ , [λ ₂ ] ₀ , [λ ₃ ] ₀ , [α ₀ λ ₀ ] ₂ , [α ₁ λ ₁ ] ₂ , [α ₂ λ ₂ ] ₂ , [α ₃ λ ₃ ] ₂ , [β ₀ λ ₀ ] ₄ , [β ₁ λ ₁ ] ₄ , [β ₂ λ ₂ ] ₄ , [β ₃ λ ₃ ] ₄ , [γ ₀ λ ₀ ] ₆ , [γ ₁ λ ₁ ] ₆ , [γ ₂ λ ₂ ] ₆ , [γ ₃ λ ₃ ] ₆ ,
λ _0,0 , λ _1,0 λ _2,0 λ _3,0 , α 0,0 , α _1,0 , α _2,0 , α _3,0 , _{β 0,0 ,} β _1,0 , β _{2 , 0} , β _3,0 , γ _0,0 , γ _1,0 , γ _2,0 , γ _3,0

(Processing 3' (13))
S ₁ holds:

[λ ₀ ] ₁ , [λ ₁ ] ₁ , [λ ₂ ] ₁ , [λ ₃ ] ₁ , [α ₀ λ ₀ ] ₃ , [α ₁ λ ₁ ] ₃ , [α ₂ λ ₂ ] ₃ , [α ₃ λ ₃ ] ₃ , [β ₀ λ ₀ ] ₅ , [β ₁ λ ₁ ] ₅ , [β ₂ λ ₂ ] ₅ , [β ₃ λ ₃ ] ₅ , [γ ₀ λ ₀ ] ₇ , [γ ₁ λ ₁ ] ₇ , [γ ₂ λ ₂ ] ₇ , [γ ₃ λ ₃ ] ₇ ,
λ _0,1 , λ _1,1 λ _2,1 λ _{3,1 , α 0,1} , α _1,1 , α _2,1 , α _3,1 , _{β 0,1 ,} β _1,1 , β _{2 , 1} , β _3,1 , γ _0,1 , γ _1,1 , γ _2,1 , γ _3,1

(Processing 3' (14))
S ₀ computes: The multiplication result is equivalent to the (5,8) Shamir method variance.
[λ ₀ λ ₁ λ ₂ λ ₃ ] ₀ = [λ ₀ ] ₀ × [λ ₁ ] ₀ × [λ ₂ ] ₀ × [λ ₃ ] ₀ ,
[α ₀ α ₁ α ₂ α ₃ λ ₀ λ ₁ λ ₂ λ ₃ ] ₂ = [α ₀ λ ₀ ] ₂ × [α ₁ λ ₁ ] ₂ × [α ₂ λ ₂ ] ₂ × [α ₃ λ ₃ ] ₂
[β ₀ β ₁ β ₂ β ₃ λ ₀ λ ₁ λ ₂ λ ₃ ] ₄ = [β ₀ λ ₀ ] ₄ × [β ₁ λ ₁ ] ₄ × [β ₂ λ ₂ ] ₄ × [β ₃ λ ₃ ] ₄
[γ ₀ γ ₁ γ ₂ γ ₃ λ ₀ λ ₁ λ ₂ λ ₃ ] ₆ = [γ ₀ λ ₀ ] ₆ × [γ ₁ λ ₁ ] ₆ × [γ ₂ λ ₂ ] ₆ × [γ ₃ λ ₃ ] ₆

(Processing 3' (15))

S ₁ computes: The multiplication result is equivalent to the (5,8) Shamir method variance.
[λ ₀ λ ₁ λ ₂ λ ₃ ] ₁ = [λ ₀ ] ₁ × [λ ₁ ] ₁ × [λ ₂ ] ₁ × [λ ₃ ] ₁ ,
[α ₀ α ₁ α ₂ α ₃ λ ₀ λ ₁ λ ₂ λ ₃ ] ₃ = [α ₀ λ ₀ ] ₃ × [α ₁ λ ₁ ] ₃ × [α ₂ λ ₂ ] ₃ × [α ₃ λ ₃ ] ₃
[β ₀ β ₁ β ₂ β ₃ λ ₀ λ ₁ λ ₂ λ ₃ ] ₅ = [β ₀ λ ₀ ] ₅ × [β ₁ λ ₁ ] ₅ × [β ₂ λ ₂ ] ₅ × [β ₃ λ ₃ ] ₅
[γ ₀ γ ₁ γ ₂ γ ₃ λ ₀ λ ₁ λ ₂ λ ₃ ] ₇ = [γ ₀ λ ₀ ] ₇ × [γ ₁ λ ₁ ] ₇ × [γ ₂ λ ₂ ] ₇ × [γ ₃ λ ₃ ] ₇

(Processing 3' (16))

S ₀ is α _0,0 ×α _1,0 ×α _2,0 ×α _3,0 ,β _0,0 ×β _1,0 ×β _2,0 ×β _3,0 ,γ _0,0 ×γ _{1 , 0} ×γ _2,0 ×γ _3,0 . Also, λ′ ₀ =λ _0,0 ×λ _1,0 ×λ _2,0 ×λ _3,0 is calculated.

(Processing 3' (17))

S ₁ is α _0,1 ×α _1,1 ×α _2,1 ×α _3,1 ,β _0,1 ×β _1,1 ×β _2,1 ×β _3,1 ,γ _0,1 ×γ _{1 , 1} ×γ _2,1 ×γ _3,1 and sent to S ₀ . Also, λ′ ₁ =λ _0,1 ×λ _1,1 ×λ _2,1 ×λ _3,1 is calculated.

(Processing 3' (18))
S ₀ computes and sends to S ₁ :

α ₀ α ₁ α ₂ α ₃ = α _0,0 α _1,0 α _2,0 α _3,0 ×α _0,1 α _1,1 α _2,1 α _3,1 ,
β ₀ β ₁ β ₂ β ₃ = β _0,0 β _1,0 β _2,0 β _3,0 ×β _0,1 β _1,1 β _2,1 β _3,1 ,
γ ₀ γ ₁ γ ₂ γ ₃ = γ _0,0 γ _1,0 γ _2,0 γ _3,0 ×γ _0,1 γ _1,1 γ _2,1 γ _3,1
(Processing 3' (19))
S ₀ computes: However, λ=λ ₀ λ ₁ λ ₂ λ ₃ .

(Processing 3' (20))
S1 computes:

(Processing 3' (21))

S ₀ calculates [0 ₀ ] _j by secret sharing 0 by the (3,4) Shamir method, calculates the following, and sends R _0,1 and R _0,3 to S ₁ . where a _i,j is the element at position i,j in matrix A that transforms a quartic into a quadratic.
R _0,0 =a _0,0 ×[λ] ₀ +a _2,0 ×[λ] ₂ +a _4,0 ×[λ] ₄ +a _6,0 ×[λ] ₆ +[0 ₀ ] ₀ ,
R _0,1 =a _0,1 ×[λ] ₀ +a _2,1 ×[λ] ₂ +a _4,1 ×[λ] ₄ +a _6,1 ×[λ] ₆ +[0 ₀ ] ₁ ,
R _0,2 =a _0,2 ×[λ] ₀ +a _2,2 ×[λ] ₂ +a _4,2 ×[λ] ₄ +a _6,2 ×[λ] ₆ +[0 ₀ ] ₂ ,
R _0,3 =a _0,3 ×[λ] ₀ +a _2,3 ×[λ] ₂ +a _4,3 ×[λ] ₄ +a _6,3 ×[λ] ₆ +[0 ₀ ] ₃ ,

(Processing 3' (22))

S ₁ computes [0 ₁ ] _j by secret sharing 0 by the (3,4) Shamir method, computes the following, and sends R _1,0 and R _1,2 to S ₀ .

R _1,0 =a _1,0 ×[λ] ₁ +a _3,0 ×[λ] ₃ +a _5,0 ×[λ] ₅ +a _7,0 ×[λ] ₇ +[0 ₁ ] ₀ ,
R _1,1 =a _1,1 ×[λ] ₁ +a _3,1 ×[λ] ₃ +a _5,1 ×[λ] ₅ +a _7,1 ×[λ] ₇ +[0 ₁ ] ₁ ,
R _1,2 =a _1,2 ×[λ] ₁ +a _3,2 ×[λ] ₃ +a _5,2 ×[λ] ₅ +a _7,2 ×[λ] ₇ +[0 ₁ ] ₂ ,
R _1,3 =a _1,3 ×[λ] ₁ +a _3,3 ×[λ] ₃ +a _5,3 ×[λ] ₅ +a _7,3 ×[λ] ₇ +[0 ₁ ] ₃ ,

(Processing 3' (23))
S ₀ is [λ] ₀ = R _0,0 + R _1,0 , [λ] ₂ = R _0,2 + R _1,2 is the variance value in the (3,4) Shamir method, and the (2,2) Shamir method Calculate the secret-shared [0 ₀ ] _j and calculate the following. _S0 sends _R'0,1 to _S1 . where a'i _,j is the element at position i,j in the matrix A' that transforms the quadratic to linear.
R′ _0,0 =a′ _0,0 ×[λ] ₀ +a′ _2,0 ×[λ] ₂ +[0 ₀ ] ₀ ,
R′ _0,1 =a′ _0,1 ×[λ] ₀ +a′ _2,1 ×[λ] ₂ +[0 ₀ ] ₁ ,

(Processing 3' (24))

S ₁ is [λ] ₁ = R _0,1 + R _1,1 , [λ] ₃ = R _0,3 + R _1,3 is the variance value in the (3,4) Shamir method, and the (2,2) Shamir method Calculate the secret-shared [0 ₀ ] _j and calculate the following. S ₁ sends R' _1,0 to S ₀ .
R′ _1,0 =a′ _1,0 ×[λ] ₁ +a′ _3,0 ×[λ] ₃ +[0 ₁ ] ₀ ,
R′ _1,1 =a′ _1,1 ×[λ] ₁ +a′ _3,1 ×[λ] ₃ +[0 ₁ ] ₁ ,

(Processing 3' (25))
S ₀ is [λ] ₀ =R′ _0,0 +R′ _1,0 as the variance value in the (2,2) Shamir method, and {λ} ₀ =([λ] ₀ , λ′ ₀ ) as the random number for conversion and

(Processing 3' (26))
S ₁ is [λ] ₁ =R′ _0,1 +R′ _1,1 as the variance value in the (2,2) Shamir method, and {λ} ₁ =([λ] ₁ , λ′ ₁ ) as the random number for conversion. and

If u=2 and k=2 in the _{transformation} random number generator 3, α ₀ α ₁ is restored in (7). It can be seen that the result of dividing α ₀ α ₁ by , is α ₁ of the other input person. Therefore, although the secret information of the other input person is kept secret by _α1 , it is released and the two variance values are known, so the secret information λ1 is restored and leaked. If there are three or more input persons, α ₀ α ₁ α ₂ will be restored, but since the remaining random numbers cannot be decomposed, the confidential information of each input person will not be leaked. However, when it is desired to set u=2, one input person becomes input persons 0 and 1, and another input person becomes input persons 2 and 3. Using four secret information and random numbers, for example, input persons 0 and 1 1 cannot resolve α ₂ α ₃ of input persons 2 and 3, so individual secret information is not leaked. Therefore, if the machines S0 and S1 are the input persons 0 and 1 and the input persons 2 and 3 respectively, the random numbers for conversion can be automatically generated between the machines. Conversely, even if u>4, it is clear that each input person can perform the processes (1) to (4). Also, for example, with u=3, t=4, k=3, the input person i (i=0, 1, 2) secret-shares the secret information λi by the (3, 12) Shamir method, and multiplies the three shared values. As a result, a multiplication result corresponding to the (7, 12) Shamir method is obtained, but if the order conversion process is performed once, conversion random numbers corresponding to the (4, 6) Shamir method can be obtained. When each machine has one conversion random number corresponding to the (4,6) Shamir method, a conversion random number corresponding to the (4,4) Shamir method can be obtained. Therefore, it is not necessary to make the number of machines t and k to be the same, and the finally set k can be changed from the initial k. In addition, the number of times the order conversions of (9) to (10) are performed also varies depending on the settings of u, t, and k and the order of the finally required dispersion formula. The reason why u=4 in the conversion random number generator 3′ is that u must be greater than 2 from the above. This is because it cannot be halved.

In addition, the following can be said about the security of random number generation for conversion. In the conversion random number generator 3′, for example, S ₀ generates [λ ₃ ] ₀ , [ _{α 3 λ 3} ] ₂ , [β ₃ λ ₃ ] ₄ , [γ ₃ λ ₃ ] ₆ and 4 for one secret information λ 3 . However, since they are multiplied by different random numbers, they cannot be solved even if k=2. Also, _the random numbers are removed in process 3 _{' (} 19) and ( ₂₀ ) _. , this variance value is the result of multiplication of the variance values, so it is impossible to solve unless five are collected. Also, in (23), the order is halved and it is sufficient to collect three, but S ₀ has only two, [λ] ₀ and [λ] ₂ . Finally, the order is reduced once again, and we only have to collect two, but S ₀ has only [λ] ₀ , so it is not solvable. Therefore, the value of the conversion random number generated by this method will be a value that no one knows unless two or more input persons collude. Therefore, it can be said that this method has information-theoretic security. However, in the above description, the product of matrices A and A' may be defined as A'', and each element thereof may be multiplied so that the two degree conversions are performed once.

が事前に準備されているとする。 In the following, the conversion random number

is prepared in advance.

[Dispersion 3]

Next, distribution 3 executed by the distribution unit 42 in the CPU 22 of the input person's device 12A will be described with reference to FIG.

At step 402, the distribution unit 42 generates k random numbers α ₀ , α ₁ , . . . , α _k−1 .

At step 404, distribution unit 42 calculates:

α(a+1)=α×(a+1)(α=α ₀ α ₁ . . . α _k−1 )

At step 406, the distribution unit 42 sends the random numbers αi forming α=α ₀ α ₁ . . . α _k−1 to the corresponding machines 14Ni.

The input person's devices 12B and 12C also perform the same processing as in FIG. For example, in step ₄₀₄ , the distributing units _{42 of} the input person's devices _12B and 12C respectively generate β ₀ , β ₁ , . and compute

β(b+1)=β×b(β=β ₀ β ₁ β _k−1 )

γ(c+1)=γ×c(γ=γ ₀ γ ₁ . . . γ _k−1 )

α _i , β _i , γ _i (i=0, . . . , k−1) may be secret shared so that machine S _i restores α _i , β _i , γ _i when needed.

[Confidential multiply-add operation 3]

Next, the secure sum-of-products operation 3 executed by the secure sum-of-products operation unit 44 in the CPU 22 of the machines 14N0 to 14Nn-1 will be described with reference to FIG.

At step 412, the secure sum-of-products operation unit 44 calculates the following.
[φωαβ(a+1)(b+1)] _i =α(a+1)×β(b+1)×[φ] _i
[εηα(a+1)] _i =α(a+1)×[ε] _i
[λμβ(b+1)] _i =β(b+1)×[μ] _i
[τργ(c+1)] _i =γ(c+1)×[ρ] _i

At step 414, the secure sum-of-products operation unit 44 generates a random number δjεZ/pZ.

In step 416, the secure sum-of-products operation unit 44 calculates the following, and in step 418, the secure sum-of-products operation unit 44 transmits the following calculated values to the predetermined machine 14N0.

Since the predetermined machine 14N0 calculates the following and transmits it to other machines, at step 420, the secure sum-of-products operation unit 44 receives the following calculated values.

At step 422, the secure sum-of-products operation unit 44 calculates the following.

At step 424, the secure sum-of-products operation unit 44 stores _δj .

δ _j may be secret shared by S _j and restored when needed by an authorized restorer.

To obtain the calculation result, the restorer 242 of the restorer device 18 collects and restores k [δ(ab+c)] _i , collects the stored _δi , divides by the restored δ, and obtains the result of the sum-of-products operation. ab+c is obtained.

Also, in the secure sum-of-products operation, setting c=0 results in secure multiplication, and setting a=1 results in secure addition. Also, if the + in front of γ(c+1) in step 422 is set to -, then the subtraction is confidential.

(Secret division 3)

Also, the secret division is performed as follows. However, in variance 3, the machine 14Ni has variance values [α'a] _i for division and α' _i that make up α'.

A predetermined machine 14N0 collects [α'a]i from k servers and temporarily restores α'a. At this time, if α'a=0, the divisor is 0, so the calculation is stopped. If α'a=0, then machine 14N0 calculates 1/α'a and sends it to the other machines. After that, by treating 1/α'a as α(a+1) in the sum-of-products operation 3, secure division is performed. However, since 1 is not added to 1/α'a, the process of reducing μβ(b+1) in step 422 is omitted.

It is clear that the continuity of operations and concealment of operations can be realized in the same manner as in the first embodiment. In addition, since no one knows the random number for conversion, even if an attacker who inputs one input and a restorer collude, the random number applied to the secret information cannot be known. Even between input and output parties whose interests are conflicting with each other due to the inability to perform analysis, information-theoretically safe secret sum-of-products operation is realized.

According to the third embodiment, many people or organizations can cooperate to realize learning of the NN machine. As a result, the input information of each input person's device is not leaked to other input person's devices and restorer's devices, and the learning result and the like can be made public. In addition, the third embodiment can be realized by a minimum of n=k=2 NN machines, is safe as long as information of at least one NN machine is not leaked, and can be applied to general big data. . Therefore, according to the third embodiment, a secure confidential operation that can be applied to any case including a sum-of-products operation that could not be realized by the TUS method is realized.

<Fourth Embodiment>

As shown in FIG. 25, the configuration of the fourth embodiment has the same configuration as the configuration of the third embodiment (FIG. 18). The explanation is omitted, and different parts are explained. In the fourth embodiment, an arithmetic support device 16 is provided. The input person's devices 12A0 to 12C0 in the fourth embodiment do not have a computation support unit. The calculation support device 16 has a calculation support unit. In the fourth embodiment, one predetermined machine 14NN (the number of machines N=1, n=k=2) among the machines 14N0 to 14Nn-1 performs the secure operation. However, since the calculation support device 16 can also perform restoration processing as will be described later, the restorer device 18 may be omitted. As in the second embodiment, n and k related to secret sharing are explained as being the minimum value of 2 (any number can be selected).

The functional unit of the CPU 22 of each of the input person's devices 12A to 12C includes a distribution unit 42, as shown in FIG. The functional units of the CPU 22 of the machine 14NN include a secure sum-of-products operation unit 44 and a secure division unit 46, as shown in FIG. The functional unit of the CPU 22 of the calculation support device 16 includes a distribution unit 42 and a calculation support unit 150, as shown in FIG.

In the fourth embodiment, a plurality of secret information input person devices 12A to 12C and a restorer device 18 that knows the results are different, and one computation support device and one machine 14NN execute confidential computation. do.

In the fourth embodiment, it is assumed that there is one reliable calculation support device in order to realize secure calculation by one machine 14NN among the input person devices 12A to 12C having conflicting interests. Further, it is assumed that each input person's device 12A to 12C secures a secure communication path using encryption or the like with the operation support device.

It is assumed that the processing of the computational support device is much smaller than that of the machines 14N0 to 14Nn-1, and that the processing of the machine 14NN can be known by an attacker, but the processing of the computational support device is not leaked.

Although the details will be described later, the major difference from the second embodiment in which one NN machine performs secure computation is that an attack from an input person is assumed. The input person in the second embodiment did not need to attack to know all the information, and only the NN machine and those who could observe it were the attackers. On the other hand, the input person in this embodiment only knows partial information, and there is a possibility of attacking to know other input people and the operation result. Therefore, instead of a constant such as 1, α(a+a1) obtained by adding the first random number a1 to the secret information and multiplying it by the second random number α is made public. This prevents an attack by an inputter.

[Dispersion 4]

Distribution 4 executed by the distribution unit 42 in the CPU 22 of the arithmetic support device for the secret information a, b, and c obtained from each of the input person devices 12A to 12C via a secure communication channel will be described with reference to FIG.

At step 432, the distribution unit 42 generates random numbers α, β, γ and random numbers a1, b1, c1.

At step 434, distribution unit 42 calculates:
α(a+a1)=α×(a+a1)
β(b+b1)=β×(b+b1)
γ(c+c1)=γ×(c+c1)

At step 436, the distribution unit 42 transmits α(a+a1), β(b+b1), and γ(c+c1) to one machine 14NN.

At step 438, the distribution unit 42 generates random numbers δ ₀ and δ ₁ .

At step 440, the distribution unit 42 calculates δ ₀ /αβ, δ ₀ b1/α, δ ₀ a1/β, δ ₀ /γ.

In step 442, the distributing unit _{42 calculates} the following _distributed values _{[ δ0} /αβ] ₀ , [ _δ0b1 /α] ₀ , [δ ₀ a1/β] ₀ , [δ ₀ /γ] ₀ and [δ ₀ /αβ] ₁ , [δ ₀ b1/α] ₁ , [δ ₀ a1/β] ₁ , [δ ₀ /γ] ₁ is calculated.

At step 444, the distribution unit 42 performs the following calculation (δ=δ ₀ δ ₁ ).
[δ/αβ] ₁ =δ ₁ [δ ₀ /αβ] ₁
[δb1/α] ₁ =δ ₁ [δ ₀ b1/α] ₁
[δa1/β] ₁ = _δ1 [ _δ0 a1/β] ₁
[δ/γ] ₁ =δ ₁ [δ ₀ /γ] ₁

At step 446, the distribution unit 42 performs [δ ₀ /αβ] ₀ , [δ ₀ b1/α] ₀ , [δ ₀ a1/β] ₀ , [δ ₀ /γ] ₀ and [δ/αβ] ₁ , [δb1/α] ₁ , [δa1/β] ₁ , [δ/γ] ₁ are sent to one machine 14NN.

[Multiply-sum operation 4]
Next, the sum-of-products operation 4 executed by the confidential sum-of-products operation unit 44 in the CPU 22 of the machine 14NN will be described with reference to FIG.

At step 452, the secure sum-of-products operation unit 44 performs the following calculations.
[δ ₀ {(ab+c)−(a1b1−c1)}] ₀ =α(a+a1)×β(b+b1)×[δ ₀ /αβ] ₀ −α(a+a1)×[δ ₀ b1/α] ₀ −β (b+b1)×[δ ₀ a1/β] ₀ +γ(c+c1)×[δ ₀ /γ] ₀
[δ{(ab+c)−(a1b1−c1)}] ₁ =α(a+1)×β(b+1)×[δ/αβ] ₁ −α(a+1)×[δb1/α] ₁ −β(b+1)× [δa1/β] ₁ + γ(c+1) × [δ/γ] ₁

[Calculation support 4]
Next, the calculation support 4 executed by the calculation support unit in the CPU 22 of the calculation support device 16 will be described with reference to FIG.

At step 462, the computation support unit collects [δ ₀ {(ab+c)-(a1b1-c1)}] ₀ and [δ{(ab+c)-(a1b1-c1)}] ₁ .

At step 464, the computation support unit computes:
[δ{(ab+c)-(a1b1-c1)] ₀ =δ ₁ [δ ₀ {(ab+c)-(a1b1-c1)}] ₀

At step 466, the computation support unit converts [δ{(ab+c)-(a1b1-c1)}]0 and [δ{(ab+c)-(a1b1-c1)}]1 to δ{(ab+c)-(a1b1- c1) is restored.

At step 468, the computation support unit computes δ(ab+c+d1). Here, d1 may be set to (c1-a1b1), or δ(a1b1-c1) may be added to δ{(ab+c)-(a1b1-c1)} to add a newly generated random number δd1.

In step 470, the calculation support unit determines whether to continue the calculation. If not, in step 472, the calculation support unit divides δd1 by δ without adding δd1. Compute ab+c.

When the calculation is continued, the processing of steps 438 to 444 in FIG. 26 of Variance 4 can be executed in advance if the calculation procedure is known. Therefore, the calculation support process 4 is the only necessary calculation support process that is performed during calculation. Further, the calculation support processing may be executed as needed without being executed for each sum-of-products calculation. For example, in processing such as Σδ0(ai+1)(bi+1), it is only necessary to perform calculation support processing once after calculation.

[Secret division 4]
Next, the secret division 4 executed by the calculation support unit 254 in the CPU 22 of the calculation support device 16 will be described. Secrecy division 4 according to the present embodiment is performed by the calculation support unit 254 of the CPU 22 of the calculation support device 16 by performing the processing executed by the calculation support unit 150 of the CPU 22 of the input person device 12 in the above-described secret division 2 ( FIG. Since the only difference is the point of execution, the description thereof is omitted.

According to the fourth embodiment, by combining one machine 14NN and one calculation support device, it is possible to realize safe secure computation even if there is a conflict of interest between the input person's device and the restorer's device. In general, the machine 14NN often operates as a set with an IC chip or a dedicated control device that takes charge of its control. Therefore, by imparting tamper resistance to the IC chip or dedicated control device and adding the operation support function according to the fourth embodiment, the present embodiment can be realized without major system changes. That is, the machine 14NN operates as a high-speed computing unit, and if the IC chip or control device is safe even if its operation is observed, a system can be constructed in which input information and problems to be solved are not leaked. However, since the calculation support device 16 knows all the information as in the case of one input person device in the second embodiment, the secret information and the confidential calculation result are leaked when the calculation support device 16 is analyzed.

<Fifth Embodiment>
Next, a fifth embodiment will be described.
The configuration of the fifth embodiment is the same as the configuration of the fourth embodiment (see FIG. 25), so description thereof will be omitted.

In the fifth embodiment, consider a technique that can realize the safety as in the third embodiment without using an operation support device as in the fourth embodiment. In the fourth embodiment, all confidential information is leaked if the computation support device can analyze it. This is because the arithmetic support device centrally manages all information like the input person in the second embodiment. By adding the elements of the third embodiment to this, it is necessary to analyze both one machine 14NN and the calculation support device while taking advantage of the fact that the amount of processing in the secret sharing is large for the NN machine and the calculation support device is small. The challenge is to prevent confidential information from being leaked. Also in the fifth embodiment, it is assumed that N=1 and n=k=2.

In the fourth embodiment, since the computation support device knows all the confidential information, if only the computation support device can be attacked, all the confidential information will be leaked. Therefore, as in the fourth embodiment, it is possible to perform calculations with one machine even between input person devices having conflicting interests, and as in the third embodiment, one machine and two calculation support devices are required. It shows an embodiment that is safe as long as it is not parsed. In addition, the conversion random numbers are generated in the same manner as in the third embodiment, but since the calculation support device is assumed to be reliable, the conversion random numbers generated by the device. Therefore, it is assumed that transformation random numbers {μ′}i, {ν′}i, {ε′}i, {ρ′}i, and {ω′}i are prepared for variance 5 .

[Dispersion 5]
Distribution 5 is shown in the flow chart of the distribution 5 program of the input person apparatus 12A (FIG. 29A), the flow chart of the distribution 5 program of the input person apparatus 12B (FIG. 29B), and the flow chart of the distribution 5 program of the input person apparatus 12C (FIG. 29C). ), the flow chart of the distribution 5 program of the arithmetic support device 16 (FIG. 29D), the flow chart of the distribution 5 program of the machine 14NN (FIG. 29E), and the sequence diagram of the distribution 5 (FIG. 29F).

(Distribution 5 (1))
The input person's device 12A generates random numbers α' ₀ and α' ₁ , calculates the following, transmits α'(a+1) to the machine 14NN and the calculation support device 16, transmits α' ₀ to the machine 14NN, and calculates Send α' ₁ to support device 16 (see also steps 502A-508A of FIG. 29A, step 512 of FIG. 29D, and step 552 of FIG. 29E).
α'=α' ₀ ×α' ₁ , α'(a+1)=α'×(a+1)

The input person's device 12B generates random numbers β' ₀ and β' ₁ , calculates the following, transmits β'(b+1) to the machine 14NN and the operation support device 16, transmits β' ₀ to the machine 14NN, and performs an operation. Send _β'1 to support device 16 (see also steps 502B-508B of FIG. 29B, step 514 of FIG. 29D, and step 554 of FIG. 29E).
β'=β' ₀ ×β' ₁ , β'(b+1)=β'×(b+1)

The input person's device 12C generates random numbers γ' ₀ and γ' ₁ , calculates the following, transmits γ'(c+1) to the machine 14NN and the operation support device 16, transmits γ' ₀ to the machine 14NN, and performs the operation. Send γ' ₁ to support device 16 (see also steps 502C-508C of FIG. 29C, step 516 of FIG. 29D, and step 556 of FIG. 29E).
γ'=γ' ₀ ×γ' ₁ , γ'(c+1)=γ'×(c+1)

α′ _i , _β ′ _i , γ′ _i (i=0, _{. i} may be restored.

(Distribution 5 (2))

The machine 14NN generates two or more random numbers a0 ₀ , a0 ₁ , calculates a0=a0 ₀ ×a0 ₁ , calculates a0′=a0−1 from a0, random numbers ξ _a0,0 , ξ _{a0 . 1} and ξ′ _a0,0 , ξ′ _a0.1 to calculate ξ _a0 =ξ _a0,0 × ξ _a0.1 , ξ′ _a0 = ξ _a0 ×a0, and ξ′ _a0 ×a0′ and , ξ _a0.1 , ξ′ _a0,1 , a0 ₁ to computation support unit 16 (see steps 558-568 in FIG. 29E and step 518 in FIG. 29D).

(Distribution 5 (3))

Arithmetic support unit 16 generates non-zero random numbers a1 ₀ , a1 ₁ , ξ _a1,0 , ξ _a1.1 and calculates a1=a1 ₀ ×a1 ₁ , ξ _a1 =ξ _a1,0 × ξ _a1.1 and send ξ _a1 ×a1 and ξ _a1,0 to machine 14NN (see steps 520-524 in FIG. 29D and step 570 in FIG. 29E).

Machine 14NN generates random numbers α ₀ , α' ₀ (see step 572 of FIG. 29E), computational support unit 16 generates random numbers α ₁ , α' ₁ (step 526 of FIG. 29D), and machine 14NN: (step 574 of FIG. 29E), and computational support unit 16 computes and sends to machine 14NN (step 528 of FIG. 29D, see step 576 of FIG. 29E) (henceforth machine 14NN i=0, computational support The device 16 performs the calculation corresponding to i=1).

(Distribution 5 (4))

Machine 14NN is

for i=0, 1, (A), (B), (C), (D), (E), i.e., respectively

is calculated and sent to the computation support unit 16 (see steps 578 and 580 in FIG. 29E and step 530 in FIG. 29D).

(Distribution 5 (5))

Machine 14NN computes the following equation for i=0 (step 582 of FIG. 29E) and computation support unit 16 computes the following equation for i=1 (step 532 of FIG. 29D). However, a0+a1=a2.

(Distribution 5 (6))

Arithmetic support unit 16 sends [α″a2] ₁ , [α(a+a2)] ₁ corresponding to i=1 to machine 14NN (see step 534 in FIG. 29D, step 584 in FIG. 29E), and machine 14NN sends α ″Restore a2,α(a+a2) (see step 586 in FIG. 29E).

(Distribution 5 (7))

29D step 536 in FIG. 29E, step 588 in FIG. 29E, see also FIGS. 29A-29C).

(Distribution 5 (8))

The calculation support device 16 generates a random number χ and random numbers ε, τ, ω, λ, κ, and ζ, secret-shares ε, τ, ω, λ, κ, and ζ to calculate the following, and converts random numbers { ε}, {τ}, {ω}, {λ}, {κ}, {ζ} to machine 14N0 (see steps 540, 542 in Figure 29D).
[χε] ₁ =χ×[ε] ₁
[χτ] ₁ =χ×[τ] ₁
[χφω] ₁ =χ×[φ] ₁
[χλ] ₁ = χ × [λ] ₁
[χκ] ₁ = χ×[κ] ₁
[χζ] ₁ = χ×[ζ] ₁
{ε}=([ε] ₀ , [χε] ₁ , ε ₀ )
{ρ}=([ρ] ₀ , [χρ] ₁ , ρ ₀ )
{ω}=([ω] ₀ , [χω] ₁ , ω ₀ )
{μ}=([μ] ₀ , [χμ] ₁ , μ ₀ )
{ν}=([ν] ₀ , [χν] ₁ , ν ₀ )
{ζ}=([ζ] ₀ , [χζ] ₁ , ζ ₀ )

When conversion random numbers are generated using the conversion random number generator 3′ by a plurality of input persons described in the third embodiment, the calculation support device 16 corresponding to S1 is the final result, for example [ε] ₁ and ε ₁ , and machine 14N0 corresponding to S0 has already obtained [ε] ₀ and ε ₀ . In this case, the arithmetic support unit 16 can omit the random number generation in step 538, and after performing the processing in step 540, for example, only [χε] ₁ can be sent to the machine 14N0 in step 542 (the other τ, ω, λ , κ and ζ).
[Confidential multiply-add operation 5]

Next, FIG. 30 and FIG. 31 respectively show the secure sum-of-products operation 5 executed by the secure sum-of-products operation section 44 in the CPU 22 of the machine 14NN and the calculation support 5 executed by the calculation support section 150 in the CPU 22 of the calculation support device 16. will be described with reference to

At step 602 in FIG. 30, the secure sum-of-products operation unit 44 of the machine 14NN generates a random number δ ₀ ∈Z/pZ.

At step 612 in FIG. 31, the computation support unit 150 of the computation support device 16 generates a random number δ ₁ εZ/pZ.

At step 604 in FIG. 30, the secure sum-of-products operation unit 44 of the machine 14NN calculates the following with i=0.

to send.

At step 614 of FIG. 31, the calculation support unit 150 of the calculation support device 16 calculates the following with i=1 and sends it to the machine 14NN at step 616.

At step 606 in FIG. 30, the secure sum-of-products operation unit 44 in the CPU 22 of the machine 14NN multiplies the above two equations (i=0, 1) to calculate the following.

At step 608 in FIG. 30, the secure sum-of-products calculator 44 in the CPU 22 of the machine 14NN calculates the following.

[Calculation support processing 5]
Next, calculation support processing 5 executed by the calculation support unit 150 in the CPU 22 of the calculation support device 16 will be described with reference to FIG.

At step 622, the computation support unit 150 collects [δ ₀ (ab+c)] ₀ and [δ(ab+c)] ₁ .

At step 624, computation support unit 150 calculates:
[δ{(ab+c)] ₀ =δ ₁ [δ ₀ (ab+c)] ₀

At step 626 , the computation support unit 150 restores δ(ab+c) from [δ(ab+c)] ₀ and [δ(ab+c)] ₁ .

When continuing the calculation, the machine 14N0 and the calculation support device 16 newly generate random numbers corresponding to a0 and a1, add them secretly to obtain a new α″a2, and restore δ(ab+c) and α″. A new α(a+a2) may be obtained by secretly adding a2.

Secret division can be realized similarly if a2 is set to a1 in secret division 4. FIG.

In the present embodiment, the computation support device 16 does not know the secret information a, b, and c, and without restoring them, the computation support device 16 secretly adds the random numbers generated by the machine 14NN so that the input person does not know. Addition of the first random number and multiplication of the second random number are performed. Therefore, confidential information will not be leaked if an attacker only attacks the operation support device 16, and confidential information will not be leaked unless the machine 14NN is also analyzed. Therefore, a safe system can be constructed even if only the arithmetic support device is analyzed according to the fifth embodiment.

Further, when continuing the calculation in the second and fourth embodiments, the input person's device 12 generates new _δ0 for new α, β, γ, and _δ0 /αβ, _δ0 /α , δ ₀ /β, and δ ₀ /γ need to be calculated, but as in the present embodiment, for example, {ε}=([ε] ₀ , [χε] ₁ , ε ₀ ) for transformation random numbers is sent to the machine 14NN (other random numbers for conversion are also the same), and if the same calculation as the secret product-sum calculation 5 is performed in the secret product-sum calculations 2 and 4, δ ₀ /αβ, δ ₀ / It becomes unnecessary to calculate α, δ ₀ /β, δ ₀ /γ during the calculation (however, in FIG. 30, a0=b0=0, α″=β″=γ″=0, and 30 and 31 regarding a0, b0, etc. are omitted.) That is, {ε}=([ε] ₀ , [χε] ₁ , ε ₀ ) format for conversion should be prepared in advance.

In the first to fifth embodiments, one or two machines that perform secure calculations were explained as examples, but when performing secure calculations using one or two machines, general-purpose can be used for

From the above, when there is only one machine that performs confidential calculations, the second embodiment is the fastest if there is one input person device, and if there are multiple machines and the calculation support device has tamper resistance. For example, the fifth embodiment is recommended when there is a possibility that the number of persons involved in the analysis of the fourth embodiment is plural and the arithmetic units are also analyzed.

Also, when two machines can be used for confidential calculation, the first embodiment is the fastest if there is one input person's device, and the third embodiment is recommended if there are a plurality of devices.

12 Input person device 14N0 to 14Nn-1 machine

Claims (2)

n is an integer of 2 or more, k is an integer with a minimum value of 2 and a maximum value of n, L is an integer of 1 or more and k or less, secret information is distributed to n pieces, and k pieces of n pieces are distributed values In a system that carries out a confidential operation using a means that can restore confidential information by collecting , but cannot reconstruct confidential information with kL or less, means for confidentially adding a first random number having a value other than 0 to confidential information; means for multiplying the result of the encryption addition by a second random number not equal to 0 and sending the result as it is to all the encryption calculation devices participating in the encryption calculation. n is an integer of 2 or more, k is an integer with a minimum value of 2 and a maximum value of n, L is an integer of 1 or more and k or less, secret information is distributed to n pieces, and k pieces of n pieces are distributed values The secret information can be restored by collecting the secret information, and the secret information can not be restored by kL or less. A program functioning as means for adding, and means for multiplying the result of the secure addition by a second random number not equal to 0 and sending the result as is to all the secure computation devices participating in the secure computation.

Images