KR101260673B1 - Set operation method for protecting privacy - Google Patents

Abstract

The present invention relates to a set operation method that can protect privacy, and more particularly, to a set operation that can protect the privacy of at least one participating module belonging to an encryption environment to which a set operation is applied. A method comprising: a tuple obtaining step of each participating module performing a privacy preserving set union to obtain a shuffled tuple; A union determining step of determining a union of the tuples by removing a plain text of 0 from the tuples obtained by the participant module; A union delivery step of delivering the union determined by the participation module to another participation module; And a decoding step of the participation module decoding only elements belonging to the elements belonging to the union.
The set operation method disclosed in the present specification includes a predetermined number of participations among the participating modules among the elements of the secret set that each of the modules (hereinafter, referred to as 'participation modules') that participate in the encryption environment to which the set operation is applied. Protection of the privacy of the participating modules is prevented by exposing the remaining elements except for the elements of the modules.

Description

Set operation method for protecting privacy}

The present invention relates to a set operation method that can protect privacy, and more particularly has a module (hereinafter referred to as a 'participation module') that participates in an encryption environment to which a set operation is applied. A set calculation method that protects the privacy of each participating module by preventing unnecessary exposure to other participating modules for elements other than elements of a certain number of participating modules among the existing secret sets. It is about.

Set operations to protect the privacy of participating modules can be useful in many environments where encryption is applied, such as data mining. Union set operations and intersection sets are used to protect the privacy of participating modules. ) Set operations, such as arithmetic operations and sub set operations, can be applied, but there is a problem that the privacy protection of participating modules can not be fully secured due to unnecessary exposure of information about their own secret sets depending on the encryption environment. do.

The present invention was devised to solve the above problems, and the problem to be solved by the present invention is to prevent unnecessary exposure of information about a secret set when performing a set operation to protect the privacy of the participating module. It is to suggest a set operation method that can ensure the privacy protection of participation module.

In order to solve the above problems, a set operation method for protecting the privacy of at least one participating module belonging to an encryption environment to which a set operation is applied according to an embodiment of the present invention is a combination of each participating module. A tuple obtaining step of obtaining a shuffled tuple based on a privacy preserving set union; A union determining step of determining a union of the tuples by removing a plain text of 0 from the tuples obtained by the participant module; A union delivery step of delivering the union determined by the participation module to another participation module; And a decoding step of the participation module decoding only elements belonging to the elements belonging to the union.

More preferably, the participant module may include a tuple acquisition step of obtaining a shuffled tuple as the order is changed through a shuffle protocol from its secret set.

More preferably, the participant module determines that the union of the tuples is removed by removing the plain text of 0 from the tuples acquired based on a range test protocol for determining whether the plain text is within a predetermined range. It may include a union confirmation step.

More preferably, when one participant module has two ciphertexts, the participant module is based on an equality test protocol that only one participant module checks whether the plaintext of the two ciphertexts is the same. It may include a union transfer step of delivering this confirmed union to other participating modules.

More preferably, according to a range test protocol, a participant module belonging to a predetermined number range is searched, and the found participant module includes a decoding step of decoding only elements belonging to the elements belonging to the union. Can be.

According to the present invention, when n participating modules have their own secret sets in an encryption environment to which a set operation is applied, the elements of each of the secret sets have elements other than the elements of a certain number of participating modules. In this regard, it is possible to prevent unnecessary exposure to other participating modules, thus ensuring the privacy protection of each participating module.

1 is a view showing the flow of the present invention.
2 is a flow chart according to the implementation of the union protocol.
3 is a flow chart according to the execution of a range test protocol.
4 is a flowchart illustrating performance of an equality test protocol.

DETAILED DESCRIPTION OF EMBODIMENTS Hereinafter, specific details for carrying out the present invention will be described in detail with reference to the accompanying drawings, based on the preferred embodiments of the present invention. Although the same reference numerals have been given in the drawings, it will be noted that in the description of the drawings may refer to components of other drawings if necessary. In the following description, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear.

In the crypto environment where aggregation is applied, the most important and strict fact of aggregation operation to protect the privacy of each of the participating modules is that each participating module has other elements besides certain elements of its own secret set. It should not be exposed unnecessarily. The biggest problem of the existing aggregation operation to protect the privacy of participating modules is that the risk of such unnecessary exposure is very high.

In order to solve this problem of the existing set operation (to prevent unnecessary exposure), the gist of the present invention is as follows.

According to the present invention, when n participating modules have their own secret sets in an encryption environment to which a set operation is applied, t ₁ of elements of each secret set is included. It is about how to find out which elements have more than t and less than t ₂ modules, that is, a certain number of participating modules, and prevent unnecessary exposure to other participating modules for the other elements. Protect the privacy of each participating module.

On the other hand, t ₁ If there are more than t and less than t ₂ participating modules, i.e., what elements of a certain number of participating modules are found, then the so-called t over-threshold union is used, with t ₁ over -threshold to use a union t ₁ by using more than the number of modules involved have t ₂ +1 over-threshold union looking element which finds the elements with the participation module than t ₂ +1 dog has. And if you remove the elements in the second calculated set from the elements in the first calculated set, you can find out which elements have more than t ₁ participating modules and less than t ₂ participating modules. have.

However, in this case, there is a problem in that unnecessary exposure occurs even for information other than the information that must be known, that is, elements having more than t ₂ +1 elements. According to the present invention it is to prevent such exposure to achieve the desired result. The desired result is that you want to get only the elements that have more than t ₁ participating modules and less than t ₂ participating modules.

The present invention is a privacy preserving set union (PPSU) protocol to prevent such exposure, when only one participating module has two cipher texts, only the participating module can know whether the two plain texts are the same. It consists of an equality test (ET) protocol and a range test (RT) protocol in which everyone knows whether the plaintext of the cipher text is within a predetermined range. Herein, the predetermined range means a range of elements (values) that allow other participating modules other than the participating module to know whether there is a plain text of the participating module even without decrypting the cipher text of the participating module. For example, given a ciphertext E_pk (5) and a range (3,6) encrypting an element (plain text) 5 of a specific participating module, other participating modules other than the specific participating module correspond to the ciphertext E_pk (5). It is possible to know whether plaintext 5 is included in the range (3,6) without decrypting the ciphertext.

1 is a view showing the flow of the present invention.

Default setting: There are n participating modules in the encryption environment to which set operations apply. Each participating module P _i has a secret set _{S i (1 = i = n} ) having one element k _i, S k _{i i} has a one element _{S i, j (1 = j} = k i).

,

) (1 = i = m)을 획득한다(S11). 여기서 각 튜플들은

이거나 a_i=b_i=0이며, m은 셔플링된 튜플들의 개수를 의미한다. 그리고 U는 합집합 프로토콜을 수행하여 계산된 합집합이며, E_pk(a)는 평문(plain text) a를 암호화한 암호문을 의미한다. 즉 E_pk(a_i)와 E_pk(b_i)는 각각 참여모듈 P_i가 가진 두 개의 평문 a_i와 b_i의 암호문을 의미한다.First, each participating module P _i of the n participating modules is randomly changed and shuffled tuples C _i = (A _i , B _i ) = using the Privacy Preserving Set Union protocol. (

,

) (1 = i = m) is obtained (S11). Where each tuple

Or a _i = b _i = 0, and m means the number of shuffled tuples. U is a union calculated by performing a union protocol, and E _pk (a) means a ciphertext that encrypts plain text a. That is, E _pk (a _i ) and E _pk (b _i ) refer to the cipher text of two plain texts a _i and b _i of the participating module P _i , respectively.

The union protocol is a known protocol and is presented by reference in FIG. 2 for an understanding of the present invention.

2 is a flow chart according to the implementation of the union protocol.

Looking at the basic configuration that must be preceded before performing the union protocol as follows. Set operation there are n number of participating modules for encryption environment is applied, each of the participating modules P _i has a secret set _{S i (1 = j = k} i) having the k _i of the elements, S _i has k _i of element S _{i , j} (1 = j = k _i ) and shares the secret key sk corresponding to the public key pk of the homomorphic encryption.

가 다항식

를 계산하고, 상기 다항식을 암호화하여

를 연산한다(S21).As shown in Figure 2, each participating module

Polynomial

By computing the polynomial and

Calculate (S21).

를 계산한다(S22). Then, each participating module P _i (2 = i = n)

Calculate (S22).

가 튜플들

을 게시하고, 각각의 참여모듈

가 튜플들

을 게시한다(S23).Subsequently, the participation module

Autumn tuples

Post each of the participating modules

Autumn tuples

Post it (S23).

가 각각의 튜플

에 대해 차례대로 랜덤한 수

를 선택하고, 튜플들값에

를 곱한 후,

를 게시한다(S24).After that, each participating module

Each tuple

Random numbers in turn for

Select the value of tuples

Lt; / RTI >

Post it (S24).

가 모든 튜플들에 대해 셔플 프로토콜을 수행한다(S25). After that, all participating modules

Performs a shuffle protocol for all tuples (S25).

1 again, next, all participating modules perform a range test protocol on the obtained tuples A _i and B _i to find that a _i = 0 (S12). That is, step S12 is a step of determining the union of the secret set of all n participating modules. The union is revealed in the form of Γ because all elements must not be exposed. Where Γ is the form of each element of the union. If If the a _i is zero or more in the union Γ (A _i, B _i), and, a _i is 0, a _i are discarded. In conclusion, Γ = (C ₁ ,…, C _{| U |} ). Γ means the union where each element is in an encrypted state, C _i = (A _i , B _i ), and | U | is the number of union elements. Performing a range test protocol removes tuples with a _i = 0. In this case, the above-mentioned predetermined range is (0,0), and those having a _i = 0 must be removed to find an element of the correct union. On the other hand, if a _i = 0, then b _i = 0.

A range test protocol is shown in FIG. 3 for ease of understanding.

3 is a flow chart according to the execution of a range test protocol.

Looking at the basic configuration that should be preceded before performing the range test protocol as follows. There are n participant modules to which the set operation is applied, and each participant module P _i knows one ciphertext E _pk (a) and the range t _i , t ₂ , where t ₁ ≤ t ₂ . In addition, the participation module P _i shares a secret key sk corresponding to the public key pk of the homomorphic encryption.

이

개의 랜덤한 수

를 선택하고,

를 계산한 후,

를 참여모듈

로 전달한다(S31).As shown in Figure 3, the participation module

this

Random numbers

Select the

After calculating

Join the module

Transfer to (S31).

가 차례대로

개의 랜덤한 수

를 선택하고,

를 계산한 후, 참여모듈

으로

를 전달하며, 참여모듈

이

를 다른 참여모듈로 전달한다(S32). After that, each participating module

In turn

Random numbers

Select the

After calculating the participation module

to

Delivering, participating module

this

To transmit to another participating module (S32).

에 대해 셔플 프로토콜을 수행하여

를 획득한다(S33).Therefore, all participating modules

By doing a shuffle protocol against

Obtain (S33).

에 대해 그룹복호화를 수행한다. 만약, 복호화된 값 중 하나의 값이라도 0이면, 모든 참여모듈이

임을 판단한다(S34). After that, all participating modules

Perform group decoding on. If any one of the decoded values is 0, all participating modules are

It is determined that (S34).

를 선택하고, 각각의 원소

와 C_k=(A_k, B_k)

Γ에 대해

를 산출한 후,

를 다른 모든 참여모듈에게 배포한다(S13). 여기서

는 참여모듈 P_i가 가지고 있는 비밀 집합 S_i의 j번째 원소를 의미하며,

는

와 B_k의 곱셈(Mult) 알고리즘을 수행하고, 그 알고리즘의 결과값을 랜덤화시킨 다음 A_k를 연결(concatenation)한 것을 의미한다. A_k와 B_k는 Γ에 포함된 암호화된 각각의 원소 C_k에 대해 C_k=(A_k, B_k)=(

,

)를 만족하는 원소를 의미한다.

는 B_k=

에 대해서

를 만족하는 암호문을 만드는 것을 말하며,

는 비밀키 sk를 가지고 있는 사람이 암호문 E_pk(ㅇ)을 복호화하는 것을 말한다.1 again, P _i (1 = i = n) of each of the participating modules is then | U | random numbers.

Select each element

And C _k = (A _k , B _k )

About Γ

After calculating

Distribute to all other participating modules (S13). here

Means the j th element of the secret set S _i of the participating module P _i ,

The

It means to perform a multiplication algorithm of and B _k , randomize the result of the algorithm, and then concatenate A _k . A _k and B _k are C _k = (A _k , B _k ) = (for each encoded element C _k contained in Γ.

,

Means an element that satisfies

Is B _k =

about

To create a ciphertext that satisfies

Means that the person with the secret key sk decrypts the ciphertext E_pk (ㅇ).

는 결과적으로 자신이 가지고 있는 원소에다가 b_k를 곱하고, a_k를 연결시킨 것에 대한 암호문이 된다. 즉, 참여모듈 P_i가 자신의 j번째 원소

를 사용하여

를 계산하게 되는데, 이 경우

가 합집합에 정말 포함되어 있는 값이라면

이 된다. 즉, 1에 대한 암호문과 같아진다.The original a _i / b _i forms the union element. here

The result is a ciphertext that multiplies b _k by its elements and concatenates a _k . That is, the participating module P _i has its jth element

use with

Will be calculated, in which case

If is really a value in the union

. That is, it is the same as the ciphertext for 1.

에 대하여

이면 상기 다른 모든 참여모듈들의 각각의 참여모듈 P_i는

을 생성하고, 그렇지 않으면 참여모듈 P_i는

을 생성한다.

는 암호화되지 않은 평문 상태의 합집합의 원소를 의미하며,

은 참여모듈 P_i의 어떤 원소가 암호화되지 않은 평문 상태의 합집합의 k(=|U|)번째 원소를 가지고 있다는 의미이고,

은 참여모듈 P_i의 어떤 원소가 암호화되지 않은 평문 상태의 합집합의 k번째 원소를 가지고 있지 않다는 의미이다.Next, all of the other participating modules perform an equality test protocol (S14).

about

If, each participating module P _i of all the other participating modules

If not, the participating module P _i

.

Means the element of the union of unencrypted plaintext states,

Means that any element of the participating module P _i has the k (= | U |) th element of the union of the unencrypted plaintext state,

Means that no element of the participating module P _i has the kth element of the union of the unencrypted plaintext state.

For ease of understanding, an equality test protocol is shown in FIG. 4.

4 is a flowchart illustrating performance of an equality test protocol.

Looking at the basic configuration that must be preceded before performing the equality test protocol as follows. There are n participant modules to which the set operation is applied, and each participant module P _i knows two ciphertexts, E _pk (a) and E _pk (b), and corresponds to the public key pk of quasi-dynamic encryption. Share the private key sk.

이 랜덤한 수

을 선택하고, 선택한

을

에 곱한 후, 참여모듈

로

을 전송한다(S41).As shown in Figure 4, the participation module

This random number

, Select

of

After multiplying by, join module

in

It transmits (S41).

가 차례대로 랜덤한 수

를 선택하고, 선택한

를 암호문

에 곱한 후, 참여모듈

으로

를 전송한다(S42).Each participating module

Random numbers in turn

, Select

Ciphertext

After multiplying by, join module

to

Transmit (S42).

가 랜덤한 수

를 선택하고,

을 계산하여 을

획득한 후, 획득한

을 다른 모든 참여모듈로 전송한다(S43).Afterwards, participation module

Is a random number

Select the

By calculating

Acquired, acquired

To transmit to all other participating modules (S43).

을 획득한다. 만약

이면,

은

임을 알 수 있게 된다(S44).Accordingly, all participating modules perform group decoding.

Acquire. if

If so,

silver

It can be seen that (S44).

를 배포한다(S15).1 again, each participating module P _i is _assigned to all other participating modules.

Distribute the (S15).

를 생성한다(S16).

알고리즘은 암호문들의 합을 각 암호문에 대응하는 평문을 합한 결과의 암호문을 생성해주는 알고리즘으로 Add(E_pk(a), E_pk(b))=E_pk(a+b)이다. 즉,

들은 모두 0 또는 1을 암호화한 값을 의미한다.

는 이 값들의 평문을 더한 값을 암호화한 것과 동일하고, j번째 원소를 가지고 있는 참여모듈이 몇 개인지가 암호화된 상태로 저장되어 있는 값을 의미한다.Next, each participating module P _i

To generate (S16).

The algorithm is an algorithm that generates a cipher text that is the sum of cipher texts and the plain text corresponding to each cipher text. Add (E _pk (a), E _pk (b)) = E _pk (a + b). In other words,

These are all zeros or ones encrypted.

Is the same as encrypting the sum of the plain text and the number of participating modules with the j th element stored in the encrypted state.

가

인지 판단한다. 즉,

가 소정 개수 범위의 참여모듈만이 갖는 것인지 판단한다. 여기서 T_j=E_pk(m_j)이다. 즉, m_j는 T_j의 평문이다. 상기

이 이 부등식을 만족하는 경우에만 모든 참여모듈들에 의해 그때의 튜플 (A_j, B_j)=(

,

)에 대하여 복호화가 허용된다.Finally, all participating modules perform the range test protocol (S17).

end

Determine if it is. In other words,

It is determined whether has only a participation module of a predetermined number range. Where T _j = E _pk (m _j ). M _j is the plain text of T _j . remind

Only when this inequality is satisfied is the tuple at that time (A _j , B _j ) = (

,

Decryption is allowed.

The method of the present invention can also be embodied as computer readable code on a computer readable recording medium. A computer-readable recording medium includes all kinds of recording apparatuses in which data that can be read by a computer system is stored.

Examples of the computer-readable recording medium include a ROM, a RAM, a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like, and also implemented in the form of a carrier wave (for example, transmission over a wired or wireless network) . The computer readable recording medium can also be distributed over network coupled computer systems so that the computer readable code is stored and executed in a distributed fashion.

The present invention has been described above with reference to preferred embodiments thereof. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

Therefore, the disclosed embodiments should be considered in an illustrative rather than a restrictive sense. The scope of the present invention is shown in the claims rather than the foregoing description, and all differences within the equivalent scope will be construed as being included in the present invention.

Claims (6)

In the set operation method that can protect the privacy of at least one participating module belonging to an encryption environment to which a set operation is applied,
A tuple acquisition step of each participating module performing a privacy preserving set union to obtain a shuffled tuple;
A union determining step of determining a union of the tuples by removing a plain text of 0 from the tuples obtained by the participant module;
A union delivery step of delivering the union determined by the participation module to another participation module; And
A decoding step of the participation module decoding only the elements belonging to the elements belonging to the union;
Set operation method that can protect the privacy, characterized in that it comprises a.
The method of claim 1,
The tuple acquisition step is
And the participating module performs a shuffle protocol from its secret set to obtain a shuffled tuple as the order is changed.
The method of claim 1,
The union determination step is
The participation module determines a union of the tuples by removing a plain text of 0 from the tuples obtained by performing a range test protocol for determining whether the plain text is within a preset range. Set operation method to protect privacy.
The method of claim 1,
The union transfer step is
When one participant module has two ciphertexts, the participant module is determined by performing an equality test protocol in which only one participant module checks whether the plaintexts of the two ciphertexts are the same. The set operation method for protecting privacy, characterized in that the transfer to another participating module.
The method of claim 1,
The decoding step
Participation modules belonging to a predetermined number range are searched by performing a range test protocol, and the searched participation module decodes only the elements belonging to the elements belonging to the union. Can set operations.
A computer-readable recording medium having recorded thereon a program for executing the method of any one of claims 1 to 5 on a computer.

Images