WO2016056473A1 - Secret calculation system, relay device, methods therefor, program, and recording medium - Google Patents
Secret calculation system, relay device, methods therefor, program, and recording medium
- Publication number
- WO2016056473A1 (PCT/JP2015/078009)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- original data
- secret
- relay device
- fragment
- result
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/043—Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
- H04W12/0433—Key management protocols
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G—PHYSICS
- G09—EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
- G09C—CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
- G09C1/00—Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0464—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload using hop-by-hop encryption, i.e. wherein an intermediate entity decrypts the information and re-encrypts it before forwarding it
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/085—Secret sharing or secret splitting, e.g. threshold schemes
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
Definitions
- the present invention relates to cryptographic application technology, and more particularly to secret calculation technology.
- a data holder sends a plurality of fragments, obtained by secret-sharing the original data, to a plurality of secret calculation devices, and an analyst sends an analysis request. In response, the secret calculation devices process the fragments while keeping them secret by secret calculation, and the analyst obtains the analysis result from the responses of the plurality of secret calculation devices.
- the present invention has been made in view of these points, and provides a technique capable of obtaining a correct analysis result regardless of the start timing of processing.
- a plurality of original data fragments corresponding to a plurality of secret sharing values of the original data are transferred to a plurality of secret calculation devices, and a transmission request for a result fragment, based on the secret calculation result corresponding to any one of the original data fragments, is transferred to each of the secret calculation devices.
- a relay device is provided that performs these transfers and also transfers the result fragments. The relay device controls the timing for transferring the original data fragments and the timing for transferring the transmission request.
- since the relay device controls the timing of transferring the original data fragments and the transmission request, a correct analysis result can be obtained regardless of the timing at which processing is started.
- FIG. 1 is a block diagram illustrating a functional configuration of a secret calculation system according to an embodiment.
- FIG. 2A is a block diagram illustrating a functional configuration of the registration apparatus according to the embodiment.
- FIG. 2B is a block diagram illustrating a functional configuration of the analysis apparatus according to the embodiment.
- FIG. 3 is a block diagram illustrating a functional configuration of the relay apparatus according to the embodiment.
- FIG. 4 is a block diagram illustrating a secret calculation apparatus according to the embodiment.
- FIG. 5 is a flowchart for explaining a registration process in the registration apparatus of the embodiment.
- FIG. 6 is a flowchart for explaining the registration processing in the relay apparatus according to the embodiment.
- FIG. 7 is a flowchart for explaining a registration process in the secret computing device of the embodiment.
- FIG. 8A is a flowchart for explaining the analysis processing in the analyzer of the embodiment
- FIG. 8B is a flowchart for explaining the analysis processing in the relay device of the embodiment
- FIG. 8C is a flowchart for explaining the analysis processing in the secret calculation apparatus of the embodiment.
- FIG. 9 is a sequence diagram for explaining a specific example of the registration process (normal time) according to the third embodiment.
- FIG. 10 is a sequence diagram for explaining a specific example of the registration processing (normal time) of the third embodiment.
- Secret sharing converts data into a plurality of shared values (secret sharing values) such that the original data can be restored from a certain number or more of the secret sharing values, while nothing can be restored from fewer than that number.
- (k, n)-secret sharing is a kind of secret sharing in which the n secret sharing values obtained by splitting the input plaintext are distributed to n calculation subjects; the plaintext can be restored when any k of the secret sharing values are assembled, and no information about the plaintext can be obtained from fewer than k secret sharing values.
- n and k are integers of 1 or more (however, they function as secret sharing when n and k are integers of 2 or more), and n ≥ k.
- a typical example of (k, n)-secret sharing is Shamir secret sharing (A. Shamir, "How to share a secret", Communications of the ACM, Volume 22 Issue 11, pp. 612-613, 1979).
- the secret sharing used in each embodiment may be any method as long as a secret calculation described later can be used.
- secret calculation technology: in secret calculation, the data to be calculated (original data) is secret-shared and stored across a plurality of calculation entities, and each entity computes a secret sharing value of a function value of the original data in cooperation with the other calculation entities, without restoring the original data.
- Secret calculation uses secret sharing as an elemental technology.
- a secret sorting technology that sorts the secret sharing values of a data string while keeping them secret is, for example, that of Koki Hamada, Dai Ikarashi, Koji Chida, Katsumi Takahashi, "Linear time sorting on secret function calculation", Computer Security Symposium 2011, 2011 (Reference Document 4).
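As an added example (not code from the patent or its applicant), the following Python implements (k, n)-Shamir secret sharing over a prime field and shows the properties the passages above rely on: restoration from any k shares, refusal with fewer, a linear secret calculation carried out share by share without restoring the original data, and the wrong result produced by mixing fragments from two different sharings of the same data. The prime P and the toy linear calculation are assumptions.

```python
"""Shamir (k, n) threshold secret sharing over the prime field GF(P).

Added example; not code from the patent or its applicant. The modulus P
and the toy linear "secret calculation" are assumptions for the example.
"""
import secrets

P = (1 << 61) - 1  # prime modulus; plaintexts are integers in [0, P)


def share(plaintext, k, n, rng=secrets.randbelow):
    """(k, n)-share `plaintext`: share i is the point (i, f(i)) on a random
    polynomial f of degree k-1 with f(0) = plaintext, for i = 1..n."""
    if not 1 <= k <= n or not 0 <= plaintext < P:
        raise ValueError("need 1 <= k <= n and 0 <= plaintext < P")
    coeffs = [plaintext] + [rng(P) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def restore(shares, k):
    """Lagrange-interpolate f(0) from any k shares with distinct x.
    Fewer than k distinct shares are refused: they carry no information
    about f(0)."""
    pts = list(dict(shares).items())[:k]  # drops duplicate x values
    if len(pts) < k:
        raise ValueError(f"need {k} distinct shares, got {len(pts)}")
    total = 0
    for xi, yi in pts:
        num = den = 1
        for xj, _ in pts:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        # yi * L_i(0), with L_i(0) = prod_{j != i} (0 - x_j) / (x_i - x_j)
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def local_secret_calculation(shares, c, d):
    """Toy secret calculation (assumption): every device computes c*y_i + d
    on its own share only. Restoring the outputs gives c*plaintext + d, so
    the plaintext is never reassembled anywhere."""
    return [(x, (c * y + d) % P) for x, y in shares]


def restore_mixed(old_shares, new_shares, k, devices_with_new):
    """Restore from fragments of two different sharings of the same
    plaintext: the devices listed in `devices_with_new` already hold the
    second registration's fragment, the others still hold the first one.
    This is the arrival-order inconsistency the relay device prevents."""
    mixed = [new_shares[i] if x in devices_with_new else old_shares[i]
             for i, (x, _) in enumerate(old_shares)]
    return restore(mixed, k)
```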
- a plurality of original data fragments corresponding to a plurality of secret sharing values of the original data are transferred to a plurality of secret computing devices, and a transmission request (analysis request) for a result fragment based on the secret calculation result corresponding to any one of the original data fragments is transferred to each of the secret computing devices.
- a relay device is provided that performs these transfers and also transfers the result fragments.
- the relay device controls the timing of transferring the original data fragment and the timing of transferring the analysis request. Thereby, a correct analysis result can be obtained regardless of the timing of starting the processing.
- the relay device holds the transfer of the analysis request until the transfer of the original data fragments is completed, and once the transfer of the analysis request has started, the relay device holds the transfer of the original data fragments until the transfer of the result fragments is completed.
- the transfer of the analysis request is thus started after the transfer of all the original data fragments has been completed, irrespective of the timing at which the registration process and the analysis request were started.
- the transfer of the original data fragment is started after the transfer of all result fragments for the request is completed.
- the relay device further transfers, for example, a plurality of second original data fragments corresponding to a plurality of secret sharing values of second original data to the secret computing devices,
- transfers to each of the secret calculation devices a transmission request for a second result fragment based on the secret calculation result corresponding to any one of the second original data fragments, and transfers the second result fragments.
- the relay device holds the transfer of the second original data fragments until the transfer of the original data fragments is completed. Thereby, the transfer of the second original data fragments is started after the transfer of all the original data fragments has been completed, irrespective of the timing at which the registration process for the original data fragments and the registration process for the second original data fragments are started.
- as a result there is no inconsistency between the secret computing devices in the order of arrival of the original data fragments and the second original data fragments, and a correct analysis result can be obtained.
- the secret calculation system 1 of this embodiment includes a registration device 11, a relay device 12, a plurality of secret calculation devices 13-1 to 13 -N, and an analysis device 14.
- N is an integer of 2 or more.
- the relay device 12 of this embodiment is configured to be able to communicate with the registration device 11 and the analysis device 14 via the network 151, and with the secret calculation devices 13-1 to 13-N via the network 152.
- communication via a network 152 may be possible between a plurality of secret calculation devices 13-1 to 13-N.
- the networks 151 and 152 may be the same network or different networks.
- the registration device 11, the relay device 12, the secret calculation devices 13-1 to 13-N, and the analysis device 14 are, for example, devices configured by a computer that has a processor (hardware processor) such as a CPU (central processing unit) and a memory such as a RAM (random-access memory) and executes a predetermined program.
- the computer may include a single processor and memory, or a plurality of processors and memories. The program may be installed in the computer, or may be recorded in a ROM or the like in advance.
- some or all of the processing units may be configured using electronic circuitry that realizes the processing function without a program, instead of electronic circuitry such as a CPU that realizes the functional configuration by reading a program.
- an electronic circuit constituting one device may include a plurality of CPUs.
- the registration device 11 of this embodiment includes a control unit 111, an interface unit 112, a storage unit 113, a fragmentation unit 114, and a communication unit 115, and the fragmentation unit 114 includes a secret sharing unit 1141.
- the registration device 11 executes each process based on the control of the control unit 111.
- the relay device 12 includes communication units 1211, 1212, 1221, 1222, a transaction management unit 123, and a control unit 124.
- the transaction management unit 123 includes storage units 1231, 1234.
- the relay device 12 executes each process based on the control of the control unit 124.
- Each secret computing device 13-i executes each process based on the control of the control unit 137-i.
- the analysis device 14 of this embodiment includes a control unit 141, an interface unit 142, an analysis unit 144, and a communication unit 145, and the analysis unit 144 includes a restoration unit 1441.
- the analysis device 14 executes each process based on the control of the control unit 141.
- the registration device 11 secretly distributes the original data to be calculated and stores it in the secret calculation devices 13-1 to 13-N.
- the registration process may be executed any number of times, and there is no restriction on the timing of starting each registration process.
- the registration processing of this embodiment will be described with reference to the flowcharts of FIGS.
- the original data is input to the interface unit 112 of the registration device 11 (FIG. 2A) and stored in the storage unit 113.
- the original data is the operand of some or all of the operations that are subject to the secret calculation. For example, text data (such as CSV (comma-separated values) files), image data, acoustic data, etc. (FIG. 5: Step S1101).
- the secret sharing unit 1141 of the fragmentation unit 114 secret-shares the original data read from the storage unit 113 to obtain N secret sharing values, and outputs them as the original data fragments α1, ..., αN (a plurality of original data fragments) (step S1102).
- the original data fragments α1, ..., αN are sent to the communication unit 115, and the communication unit 115 transmits the original data fragments α1, ..., αN to the relay device 12 via the network 151 (step S1104).
- the original data fragments α1, ..., αN are received by the communication unit 1211 of the relay device 12 (FIG. 3) and stored in the storage unit 1231 of the transaction management unit 123 (FIG. 6: step S1201).
- the registration management unit 1232 exchanges information with the analysis management unit 1233 and determines whether it is in a “waiting state” in any process.
- the “waiting state” means a state in which processing suspension is instructed. This “waiting state” occurs in the registration process or the analysis process described later. In the initial state, no process is in the “waiting state” (step S1203). If it is determined that the state is “waiting state”, the processing is suspended until the state is resolved, and the determination in step S1203 is repeated.
- the timing for transferring the original data fragments α1, ..., αN is controlled.
- the registration management unit 1232 performs waiting setting. As a result, a new “waiting state” occurs, and other processes are thereafter put on hold (step S1204).
- the registration management unit 1232 reads the original data fragments α1, ..., αN from the storage unit 1231 and sends them to the communication unit 1221.
- the communication unit 1221 (first communication unit) transmits the plurality of original data fragments α1, ..., αN (a plurality of original data fragments corresponding to a plurality of secret sharing values of the original data) via the network 152.
- the communication unit 1221 of this embodiment transfers each original data fragment αi to the corresponding secret computing device 13-i (step S1205).
- the original data fragment αi transferred from the relay device 12 is received by the communication unit 131-i of the secret calculation device 13-i (FIG. 4) (FIG. 7: step S1301-i) and sent to the reflection management unit 134-i.
- the reflection management unit 134-i overwrites and saves the original data fragment αi in the storage unit 135-i (step S1307-i).
- the communication unit 1221 of the relay device 12 determines whether all the original data fragments α1, ..., αN have been transferred to the secret computing devices 13-1 to 13-N (FIG. 6: step S1208). If not all of the original data fragments α1, ..., αN have been transferred, the process returns to step S1205. When all the original data fragments α1, ..., αN have been transferred, the registration management unit 1232 sends a registration notification to the communication unit 1211, and the communication unit 1211 transmits the registration notification to the registration device 11 via the network 151 (step S1214). The registration notification is received by the communication unit 115 of the registration device 11 (FIG. 2A) (FIG. 5: step S1105).
- thereafter, the registration management unit 1232 of the relay device 12 (FIG. 3) cancels the waiting setting made in step S1204. Thereby, the “waiting state” generated in step S1204 is canceled (FIG. 6: step S1215).
- the analysis device 14 requests transmission of a result fragment and restores the analysis result from the plurality of result fragments sent.
- Each result fragment is based on the secret calculation result for the original data fragments α1, ..., αN stored in the secret calculation devices 13-1 to 13-N.
- the analysis process may be executed any number of times, and there is no restriction on the timing of starting each analysis process.
- the analysis processing of this embodiment will be described with reference to the flowcharts of FIGS. 8A to 8C.
- the communication unit 145 of the analysis device 14 transmits an analysis request (result fragment transmission request (information)) to the relay device 12 via the network 151 (FIG. 8A: Step S1111).
- the analysis request is received by the communication unit 1212 of the relay device 12 (FIG. 3) and stored in the storage unit 1234 (FIG. 8B: step S1231).
- the analysis management unit 1233 exchanges information with the registration management unit 1232, and determines whether it is in the “waiting state” of the above-described registration processing (steps S1204 to S1215) (step S1232). If it is determined that the registration process is “waiting”, the process is suspended until it is resolved, and the determination in step S1232 is repeated.
- the timing for transferring the analysis request is controlled.
- the analysis management unit 1233 performs waiting setting. Note that when the relay device is in the “waiting state” of the analysis process (the state in steps S1233 to S1237) but not in the “waiting state” of the registration process, it is determined to be “not in the ‘waiting state’ of the registration process”. Due to this waiting setting, a new “waiting state” occurs, and subsequent registration processing is put on hold (step S1233).
- the analysis management unit 1233 reads the analysis request from the storage unit 1231 and sends it to the communication unit 1222.
- the communication unit 1222 (second communication unit) transfers (transmits) the analysis request (a transmission request for a result fragment based on the secret calculation result corresponding to any one of the original data fragments) via the network 152 to the N secret calculation devices 13-1, ..., 13-N (step S1234).
- the secret computing device 13-i (FIG. 4) to which the analysis request has been transferred receives the analysis request at the communication unit 132-i and sends it to the computing unit 136-i (FIG. 8C: step S1321-i).
- the secret calculation unit 1361-i of the calculation unit 136-i reads the original data fragment αi from the storage unit 135-i, performs a secret calculation on the original data fragment αi, and outputs the secret calculation result as the result fragment βi.
- the secret calculation may be performed using only the original data fragment αi, may further use values other than the original data fragment αi, and may be performed in cooperation with other secret computing devices 13-m (where m ≠ i, m ∈ {1, ..., N}) (step S1323-i).
- the result fragment βi is sent to the communication unit 132-i, and the communication unit 132-i transmits the result fragment βi to the relay device 12 via the network 152 (step S1325-i).
- the result fragment βσ(j) transmitted from each secret computing device 13-σ(j) (where j ∈ {1, ..., K}) is received by the communication unit 1222 of the relay device 12 (FIG. 3) and sent to the analysis management unit 1233.
- {σ(1), ..., σ(K)} ⊆ {1, ..., N}, and K is an integer of 2 or more and N or less (K ≤ N).
- the size of K depends on the secret sharing scheme used, and the result can be restored if K secret sharing values (result fragments) are aligned.
- the analysis management unit 1233 sends each result fragment βσ(j) to the communication unit 1212, and the communication unit 1212 (third communication unit)
- transfers (transmits) each result fragment βσ(j) (a result fragment based on the secret calculation result corresponding to one of the original data fragments) to the analysis device 14 via the network 151 (FIG. 8B: step S1235).
- the analysis management unit 1233 determines whether all result fragments βσ(j) (where j ∈ {1, ..., K}) have been transferred to the analysis device 14 (step S1236). If any result fragment βσ(j) has not been transferred, the process returns to step S1235.
- in step S1237, the “waiting state” generated in step S1233 is canceled.
- the communication unit 145 of the analysis device 14 receives the result fragments βσ(j) transferred from the relay device 12 and sends them to the analysis unit 144 (FIG. 8A: step S1112).
- the restoration unit 1441 of the analysis unit 144 restores the analysis result from the received result fragments βσ(1), ..., βσ(K) by the secret sharing restoration process and outputs it.
- the restored result is output from the interface unit 142 (step S1114).
- the relay device 12 is arranged on the communication path between the registration device 11 and the analysis device 14 on one side and the secret calculation devices 13-1 to 13-N on the other, and performs transaction management. Thereby, a correct analysis result can be obtained irrespective of the timing at which each process is started. That is, during registration processing the relay device 12 transfers the original data fragments α1, ..., αN sent from the registration device 11 to the secret computing devices 13-1 to 13-N, during analysis processing it transfers the analysis request sent from the analysis device 14 to the secret computing devices 13-σ(1), ..., 13-σ(K), and it controls the timing of these transfers.
- the relay device 12 suspends the transfer of the analysis request until the transfer of the original data fragments is completed (FIG. 6: steps S1204, S1215; FIG. 8B: step S1232), and,
- once the transfer of the analysis request has started, suspends the transfer of the original data fragments until the transfer of the result fragments is completed (FIG. 8B: steps S1233, S1237; FIG. 6: step S1203).
- the relay device 12 controls the timing of the transfers even when a plurality of registration processes are executed.
- the relay device 12 suspends the transfer of other, second original data fragments α1′, ..., αN′ until the transfer of the original data fragments α1, ..., αN is completed (FIG. 6: steps S1203, S1204, S1215). Thereby, there is no inconsistency between the secret computing devices 13-1 to 13-N in the order in which the original data fragments α1, ..., αN and the second original data fragments α1′, ..., αN′ arrive, and a correct analysis result can be obtained. Even when a plurality of analysis processes are started, no timing control is performed between these analysis processes (FIG. 8B: step S1232). This is because a plurality of concurrent analysis processes cause no inconsistency in the data stored in the secret computing devices 13-1 to 13-N. Thereby, processing delays due to unnecessary waiting settings are avoided.
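The following Python simulation, added here and not code from the patent, models the transaction management just described: a registration is held while any waiting state exists, an analysis is held only while a registration is in progress, and analyses do not hold each other; a controlled=False switch turns the holds off to show the arrival-order inconsistency they prevent. The version-tag fragments and the per-step transfer speeds are assumptions.

```python
"""Simulation of the relay device's transaction management (FIG. 6, FIG. 8B).

Added example; not code from the patent. Fragments are modelled as version
tags and transfer speeds are assumptions; the hold rules follow the text.
"""
from collections import deque


def tagged(reg_id, n):
    """Stand-in for the N fragments of one registration, e.g. 'R1-d0'."""
    return [f"R{reg_id}-d{i}" for i in range(n)]


class RelayDevice:
    def __init__(self, n_devices, controlled=True):
        self.stored = [None] * n_devices   # storage unit 135-i of each device
        self.controlled = controlled       # False: no timing control at all
        self.registration_waiting = False  # set in S1204, cleared in S1215
        self.analyses_in_progress = 0      # analyses between S1233 and S1237
        self.holds = 0                     # how often a transfer was held
        self.log = []

    # Transactions are generators: each `yield` is one network transfer.
    def registration(self, reg_id, fragments):
        while self.controlled and (self.registration_waiting
                                   or self.analyses_in_progress):
            self.holds += 1
            yield "held"                   # S1203: some process is waiting
        self.registration_waiting = True   # S1204: waiting setting
        for i, frag in enumerate(fragments):
            self.stored[i] = frag          # S1205 / S1307-i: overwrite
            self.log.append(f"R{reg_id}->dev{i}")
            yield "sent"
        self.registration_waiting = False  # S1215: waiting setting cancelled
        yield ("registered", reg_id)       # S1214: registration notification

    def analysis(self, ana_id, results):
        while self.controlled and self.registration_waiting:
            self.holds += 1
            yield "held"                   # S1232: registration in progress
        self.analyses_in_progress += 1     # S1233: waiting setting
        for i, frag in enumerate(self.stored):
            results.append(frag)           # S1234/S1235: result fragment of dev i
            self.log.append(f"A{ana_id}<-dev{i}")
            yield "sent"
        self.analyses_in_progress -= 1     # S1237: waiting setting cancelled
        yield ("analysed", ana_id)


def run(relay, schedule):
    """schedule: (start_step, transaction, transfers_per_step). Each step
    gives every active transaction its quota, in arrival order; a held one
    spends its quota waiting. Returns the relay's transfer log."""
    pending = deque(sorted(schedule, key=lambda s: s[0]))
    active, step = [], 0
    while active or pending:
        while pending and pending[0][0] <= step:
            _, gen, speed = pending.popleft()
            active.append((gen, speed))
        for entry in list(active):
            try:
                for _ in range(entry[1]):
                    next(entry[0])
            except StopIteration:
                active.remove(entry)
        step += 1
    return relay.log


def analysis_during_registration(controlled):
    """Data R0 is registered first. Then analysis A1 (one transfer per step)
    and a faster registration R1 (two per step) arrive in the same step, A1
    first. Returns the fragment versions that reached the analysis device."""
    relay = RelayDevice(3, controlled)
    run(relay, [(0, relay.registration(0, tagged(0, 3)), 3)])
    got = []
    run(relay, [(0, relay.analysis(1, got), 1),
                (0, relay.registration(1, tagged(1, 3)), 2)])
    return got


def overlapping_registrations(controlled):
    """R1 (one transfer per step) and a faster R2 (two per step) start in
    the same step. Returns what each device holds afterwards."""
    relay = RelayDevice(3, controlled)
    run(relay, [(0, relay.registration(1, tagged(1, 3)), 1),
                (0, relay.registration(2, tagged(2, 3)), 2)])
    return relay.stored


def concurrent_analyses():
    """Two overlapping analyses: neither is held and both see the same data."""
    relay = RelayDevice(3)
    run(relay, [(0, relay.registration(0, tagged(0, 3)), 3)])
    a, b = [], []
    run(relay, [(0, relay.analysis(1, a), 1), (0, relay.analysis(2, b), 2)])
    return relay.holds, a, b
```

With the holds on, the analysis sees three R0 fragments and the devices all end with R2; with them off, it sees one R0 and two R1 fragments and the devices end with a mix of R1 and R2.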
- the relay device can obtain a plurality of original data fragments and result fragments, and in the case of a vulnerable relay device, there is a possibility that the original data and analysis results may be leaked.
- the communication path between the registration device and the secret computing device is encrypted. That is, the ciphertext obtained by encrypting each secret sharing value so that it can be decrypted by each secret computing device is defined as “original data fragment” (Countermeasure 1). Thereby, leakage of the original data can be prevented. Further, the communication path between the analysis device and the secret computing device is encrypted.
- the ciphertext obtained by encrypting the secret calculation results so that they can be decrypted by the analyzer is defined as “result fragment” (Countermeasure 2).
- the leakage of the analysis result can be prevented.
- it is also conceivable to use, as the “original data fragment”, a secret sharing value of the ciphertext, rather than the ciphertext obtained by encrypting each secret sharing value so that it can be decrypted by the respective secret computing device. In that case, however, the secret calculation device cannot perform the secret calculation using the “original data fragment” unless special measures are taken in the encryption method and the secret sharing method.
- in this embodiment, therefore, a ciphertext obtained by encrypting each secret sharing value so that it can be decrypted by the respective secret computing device is used as the “original data fragment”.
- thereby the secret calculation can be performed by the secret calculation device. It is desirable that both countermeasures 1 and 2 are applied, but only one of them may be applied. In the following, an example in which both countermeasures 1 and 2 are applied is described. Hereinafter, for parts common to what has already been described, the reference numbers used so far are reused and the description is omitted.
- the secret calculation system 2 of the present embodiment is obtained by replacing the registration device 11 and the analysis device 14 of the secret calculation system 1 of the first embodiment with a registration device 21 and an analysis device 24, respectively, and has the registration device 21, the relay device 12, a plurality of secret calculation devices 23-1 to 23-N, and the analysis device 24.
- the relay device 12 of this embodiment is configured to be able to communicate with the registration device 21 and the analysis device 24 via the network 151, and with the secret calculation devices 23-1 to 23-N via the network 152.
- communication via a network 152 may be possible between a plurality of secret calculation devices 23-1 to 23-N.
- the registration device 21, the secret calculation devices 23-1 to 23-N, and the analysis device 24 are, for example, devices configured by the above-described computer executing a predetermined program.
- the registration device 21 of this embodiment includes a control unit 111, an interface unit 112, a storage unit 113, a fragmentation unit 214, and a communication unit 115.
- the fragmentation unit 214 includes a secret sharing unit 1141, an encryption unit 2142, and a decryption unit 2143.
- the registration device 21 executes each process based on the control of the control unit 111.
- the calculation unit 136-i includes a secret calculation unit 1361-i, a decryption unit 2363-i, and an encryption unit 2364-i.
- Each secret computing device 23-i executes each process based on the control of the control unit 137-i.
- the analysis device 24 of this embodiment includes a control unit 141, an interface unit 142, an analysis unit 244, and a communication unit 145.
- the analysis unit 244 includes a restoration unit 1441, a decryption unit 2442, and an encryption unit 2443.
- the analyzer 24 executes each process based on the control of the control unit 141.
- the registration device 21 (FIG. 2A) performs the processing of steps S1101 and S1102 (FIG. 5) described in the first embodiment.
- the N secret sharing values a1, ..., aN obtained in step S1102 are sent to the encryption unit 2142.
- the encryption unit 2142 encrypts each secret sharing value ai (i = 1, ..., N) so that it can be decrypted by the secure computing apparatus 13-i, and outputs the ciphertext Enc1(ai) of the secret sharing value ai as the original data fragment αi.
- the encryption method used for this encryption is not limited, and a known common key encryption method, public key encryption method, ID-based encryption method, or the like can be used.
- the encryption unit 2142 and the secret computing device 23-i share a common key K1(i), and the encryption unit 2142 encrypts the secret sharing value ai with the common key K1(i) in accordance with a predetermined common key cryptosystem.
- the ciphertext ⁇ i is, for example, a ciphertext of a request including the secret sharing value a i (step S2103).
- the original data fragments α1, ..., αN (a plurality of original data fragments) are sent to the communication unit 115, and the communication unit 115 transmits the original data fragments α1, ..., αN to the relay device 12 via the network 151 (step S1104).
- the relay device 12 performs the processing of steps S1201 to S1215 (FIG. 6).
- the original data fragment αi transferred from the relay device 12 is received by the communication unit 131-i of the secret calculation device 23-i (FIG. 3) and sent to the decryption unit 2363-i of the calculation unit 236-i.
- the decryption unit 2363-i decrypts the original data fragment αi, and the secret sharing value ai is obtained (FIG. 7: step S2306-i).
- the secret sharing value ai is sent to the reflection management unit 234-i, and the reflection management unit 234-i overwrites and stores the secret sharing value ai in the storage unit 135-i (step S2307-i).
- the reflection management unit 234-i generates a registration notification (response) and sends it to the encryption unit 2364-i of the calculation unit 236-i.
- the encryption unit 2364-i encrypts the registration notification so that it can be decrypted by the registration device 21, and outputs the encrypted registration notification.
- the method used for this encryption is not limited, and a known common key encryption method, public key encryption method, ID-based encryption method, or the like can be used.
- the encryption unit 2364-i and the analysis device 24 share a common key K2(i), and the encryption unit 2364-i encrypts the registration notification with the common key K2(i) in accordance with a predetermined common key cryptosystem to obtain the encrypted registration notification.
- the encrypted registration notification is transmitted from the communication unit 132-i to the relay device 12 (step S2308-i).
- the encrypted registration notification is received by the communication unit 1222 of the relay device 12 and transmitted (transferred) from the communication unit 121 to the registration device 21 (FIG. 6: step S2214).
- the encrypted registration notification is received by the communication unit 115 of the registration device 21 (FIG. 2A) (FIG. 5: step S2105) and sent to the decryption unit 2143 of the fragmentation unit 214.
- the decryption unit 2143 decrypts the encrypted registration notification to obtain a registration notification (step S2106).
- the encryption unit 2443 of the analysis unit 244 of the analysis device 24 (FIG. 2B) encrypts the analysis request so that it can be decrypted by each secret computing device 23-i, and generates an encrypted analysis request (step S2110).
- the encrypted analysis request is transmitted from the communication unit 145 to the relay device 12 (step S2111).
- the relay device 12 performs the processes of steps S1231 to S1234 (FIG. 8B).
- in this embodiment, the “encrypted analysis request” is used in place of the “analysis request”.
- the secret computing device 23-i (FIG. 4) receives the encrypted analysis request at the communication unit 132-i and sends it to the computation unit 236-i (FIG. 8C: step S2321-i).
- the decryption unit 2363-i of the computation unit 236-i decrypts the encrypted analysis request to restore the analysis request (step S2322-i), and accordingly reads the secret sharing value ai from the storage unit 135-i.
- the secret calculation unit 1361-i performs a secret calculation on the secret sharing value ai, instead of the data fragment αi, as described in the first embodiment, and outputs the secret calculation result bi (step S1323-i).
- the secret calculation result bi is sent to the encryption unit 2364-i.
- the encryption unit 2364-i encrypts the secret calculation result bi so that it can be decrypted by the analysis device 24, and outputs the ciphertext Enc2(bi) of the secret calculation result bi as the result fragment βi (a result fragment based on the secret calculation result of any of the original data fragments).
- the method used for this encryption is not limited, and a known common key encryption method, public key encryption method, ID-based encryption method, or the like can be used.
- when a common key encryption method is used, the encryption unit 2364-i and the analysis device 24 share the common key K2(i), and the encryption unit 2364-i encrypts the secret calculation result bi with the common key K2(i) in accordance with a predetermined common key cryptosystem to obtain the ciphertext βi = Enc2(bi) (step S2324-i).
- the result fragment βφ(j) = Enc2(bφ(j)) transmitted from each secret computing device 23-φ(j) (where j = 1, ..., K) is received by the relay device 12 (FIG. 3) and sent to the analysis management unit 1233. Thereafter, as described in the first embodiment, the relay device 12 performs the processing of steps S1235 to S1237 (FIG. 8B).
- the secret calculation result bφ(j) is sent to the restoration unit 1441, and the process of step S1114 described in the first embodiment is executed.
- in this embodiment, each original data fragment is a ciphertext obtained by encrypting a secret sharing value, and/or each result fragment is a ciphertext obtained by encrypting a secret calculation result.
- thereby, even if the relay apparatus 12 is vulnerable, leakage of the original data and the analysis results to a third party can be suppressed.
- the original data fragment that is the ciphertext is decrypted and then stored in each secret computing device 23-i.
- each secret computing device 23-i that has received the original data fragment that is the ciphertext may store it as it is.
- the secret calculation device may decrypt the original data fragment to generate a secret sharing value and perform the secret calculation during the analysis process.
- the relay apparatus of this embodiment performs transaction control using two-phase commit in the registration process.
- in this registration process, the relay device first transfers the original data fragments to each secret computing device. When all the original data fragments to be registered have been correctly reflected in the secret computing devices, the registration of the original data fragments in each secret computing device is completed. On the other hand, if any of the transferred original data fragments has not been correctly reflected in a secret computing device, the relay device instructs all the secret computing devices that stored original data fragments in this registration process to cancel them. This eliminates inconsistencies in the original data fragments between the secret computing devices, and thus prevents an incorrect analysis result from being obtained, without manual processing such as system shutdown, deletion of the failed data, or a request to re-register the original data fragments.
- an example in which transaction control using two-phase commit is applied to the first embodiment will be described.
- the secret calculation system 3 is the first embodiment with the relay device 12 and the secret calculation devices 13-1 to 13-N replaced by a relay device 32 and secret calculation devices 33-1 to 33-N, respectively, and includes the registration device 11, the relay device 32, a plurality of secret calculation devices 33-1 to 33-N, and the analysis device 14.
- the relay device 32 according to this embodiment is configured to be able to communicate with the registration device 11 and the analysis device 14 via the network 151, and is configured to be able to communicate with the secret calculation devices 33-1 to 33-N via the network 152.
- the relay device 32 and the secret computing devices 33-1 to 33-N are devices configured by the above-described computer executing a predetermined program, for example.
- the relay device 32 of this embodiment includes communication units 3211, 1212, 3221, 1222, a transaction management unit 323, and a control unit 124, and the transaction management unit 323 includes storage units 1231, 1234.
- the relay device 32 executes each process based on the control of the control unit 124.
- the storage units 1231 and 1234 are storage areas realized on a memory such as a semiconductor memory.
- the registration device 11 performs the processing of steps S1101 to S1104 (FIGS. 5, 6, 9, and 11) described in the first embodiment, and transmits the original data fragments α1, ..., αN to the relay device 32.
- the original data fragments α1, ..., αN are received by the communication unit 1211 of the relay device 32 (FIG. 3) and stored in the storage unit 1231 of the transaction management unit 123 (FIGS. 6, 9, and 11: step S1201).
- the registration management unit 3232 starts creating a log representing the processing content. Thereafter, the created log is stored in a temporary memory (not shown) of the registration management unit 3232 (step S3202).
- the registration management unit 3232 reads the original data fragments α1, ..., αN from the storage unit 1231 and sends them to the communication unit 1221.
- the communication unit 1221 transfers (transmits) the original data fragments ⁇ 1 ,..., ⁇ N to the plurality of secret computing devices 33-1 to 33-N via the network 152.
- the communication unit 1221 of this embodiment transfers each original data fragment ⁇ i to each secret computing device 33-i (step S1205).
- the original data fragment αi transferred from the relay device 32 is received by the communication unit 131-i of the secret computing device 33-i (FIG. 4) (FIGS. 7, 9, and 11: step S1301-i) and temporarily stored in the temporary storage unit 333-i (step S3302-i).
- the reflection management unit 334-i determines whether the original data fragment αi has been successfully stored (reflected) in the temporary storage unit 333-i (step S3303-i). If it determines that the original data fragment αi has been successfully stored in the temporary storage unit 333-i, the reflection management unit 334-i sends the reflection result (information indicating “reflection success”) to the communication unit 331-i, which transmits it to the relay device 32 via the network 152.
- otherwise, the reflection management unit 334-i sends the reflection result (information indicating “reflection failure”) to the communication unit 331-i, and the communication unit 331-i transmits the reflection result (reflection failure) to the relay device 32 via the network 152 (step S3311-i).
- the reflection result (reflection success or reflection failure) is received by the communication unit 3221 of the relay device 32 (FIG. 3) and sent to the registration management unit 3232 (FIG. 6: step S3206).
- the registration management unit 3232 determines whether or not the sent reflection result indicates that the reflection is successful (step S3207).
- in step S1208, if not all of the original data fragments α1, ..., αN have been transferred yet, the process returns to step S1205.
- the registration management unit 3232 stores the log created so far (at least the log from when the relay device 32 received the original data fragments α1, ..., αN until it output them to all the secret computing devices 33-1 to 33-N) in the log storage unit 3235 (FIGS. 6, 9: step S3209).
- the registration management unit 3232 sends a commit request to the communication unit 3221.
- the communication unit 3221 transmits a commit request to each secret computing device 33-i via the network 152 (FIG. 6, 10: step S3210).
- the commit request is received by the communication unit 331-i of each secret computing device 33-i (FIG. 4) and sent to the reflection management unit 334-i.
- the reflection management unit 334-i to which the commit request has been sent (FIG. 7: steps S3305-i, S3306-i) stores the original data fragment αi temporarily stored in the temporary storage unit 333-i into the storage unit 135-i (FIGS. 7, 10: step S1307-i). Thereafter, the reflection management unit 334-i sends a commit completion notification to the communication unit 331-i, and the communication unit 331-i transmits the commit completion notification to the relay device 32 via the network 152 (step S3308-i).
- the commit completion notification is received by the communication unit 3221 of the relay device 32 (FIG. 3) and sent to the registration management unit 3232 (FIG. 6, 10: step S3211).
- the registration management unit 3232 determines whether commit completion notifications have been sent from all the secret computing devices 33-1 to 33-N (step S3212). If at least some of the commit completion notifications have not been sent, the registration management unit 3232 waits for the remaining commit completion notifications. On the other hand, if a commit completion notification has been sent from all the secret computing devices 33-1 to 33-N, the registration management unit 3232 deletes the log from the log storage unit 3235 (step S3213). Thereafter, the processes of steps S1214 and S1215 described in the first embodiment are performed.
- if it is determined in step S3207 that the reflection was not successful, the registration management unit 3232 stores the log created so far (at least the log from when the relay device 32 received the original data fragments α1, ..., αN until it output any of them to a secret computing device 33-i) in the log storage unit 3235 (FIGS. 6, 11: step S3216).
- the registration management unit 3232 sends a rollback request to the communication unit 3221.
- the communication unit 3221 transmits a rollback request to each secret computing device 33-i via the network 152. At this time, the rollback request may or may not be transmitted to the secret computing device 33-i determined to be unsuccessful (step S3217).
- the rollback request is received by the communication unit 331-i of each secret computing device 33-i (FIG. 4) and sent to the reflection management unit 334-i.
- the reflection management unit 334-i to which the rollback request is sent (FIGS. 7, 12: step S3305-i) deletes (rolls back) the original data fragment αi temporarily stored in the temporary storage unit 333-i (step S3309-i). Thereafter, the reflection management unit 334-i sends a rollback completion notification to the communication unit 331-i, and the communication unit 331-i transmits the rollback completion notification to the relay device 32 via the network 152 (step S3310-i).
- the rollback completion notification is received by the communication unit 3221 of the relay device 32 (FIG. 3) and sent to the registration management unit 3232 (FIG. 6, 12: step S3218).
- the registration management unit 3232 determines whether a rollback completion notification has been sent from all the secret computing devices 33-i to which the rollback request was transmitted (step S3219). If at least some of the rollback completion notifications have not been sent, the registration management unit 3232 waits for the remaining rollback completion notifications. On the other hand, if a rollback completion notification has been sent from all the secret computing devices 33-i to which the rollback request was transmitted, the registration management unit 3232 deletes the log from the log storage unit 3235 (step S3220). Thereafter, the registration management unit 3232 sends an error notification to the communication unit 3211, and the communication unit 3211 sends the error notification to the registration device 11 (step S3221). Thereafter, the process of step S1215 described in the first embodiment is performed.
- the relay device 32 is arranged on the communication path between the registration device 11 and the analysis device 14 and the secret calculation devices 33-1 to 33-N to perform transaction management. Thereby, a correct analysis result can be obtained irrespective of the timing of starting each process. By performing transaction control using two-phase commit, even if the registration process of the original data fragment partially fails, the service can be continued without human intervention.
- the relay device 32 of this embodiment stores a log from when the original data fragments are received until they are output to the secret computing devices 33-i (step S3209); if all the original data fragments are correctly reflected in the secret computing devices 33-i, the log is deleted (step S3213), and if any of the original data fragments is not correctly reflected in a secret computing device 33-i, the log is deleted after the original data fragments have been cancelled in all the secret computing devices 33-i (step S3221). Thereby, even if a failure occurs in the relay device 32 during the registration process, the progress of the registration process can be determined by checking the log, and since the log is deleted once it is no longer needed, storage capacity is saved.
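The two-phase commit registration described above, as an added in-process simulation that is not part of the patent text: each modelled device has a temporary storage unit and a storage unit, the relay collects reflection results, then commits everywhere or rolls back everywhere and clears its log. Device names, fragment payloads and the injected storage failure are constructed for the illustration, and the scenario re-creates the case where a previous value is already registered and a newer registration fails on one device.

```python
"""Added example, not from the patent: two-phase commit registration at the relay
device. Device names, fragment payloads and the injected failure are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class SecretComputingDevice:
    """Models secret computing device 33-i: a temporary storage unit and a storage unit."""
    name: str
    fail_store: bool = False  # constructed fault: temporary storage fails (step S3303-i)
    temporary: dict[str, bytes] = field(default_factory=dict)
    storage: dict[str, bytes] = field(default_factory=dict)

    def store_temporary(self, key: str, fragment: bytes) -> str:
        """Steps S3302-i/S3303-i: report 'reflection success' or 'reflection failure'."""
        if self.fail_store:
            return "reflection failure"
        self.temporary[key] = fragment
        return "reflection success"

    def commit(self, key: str) -> str:
        """Step S1307-i: move the fragment into the storage unit, overwriting any old value."""
        if key in self.temporary:
            self.storage[key] = self.temporary.pop(key)
        return "commit complete"

    def rollback(self, key: str) -> str:
        """Step S3309-i: discard the temporarily stored fragment; the old value stays."""
        self.temporary.pop(key, None)
        return "rollback complete"


class RelayDevice:
    """Models the registration management unit 3232 and the log storage unit 3235."""

    def __init__(self, devices: list[SecretComputingDevice]) -> None:
        self.devices = devices
        self.log_storage: list[str] | None = None  # None means no stored (undeleted) log

    def register(self, key: str, fragments: list[bytes]) -> str:
        if len(fragments) != len(self.devices):
            raise ValueError("one original data fragment per secret computing device")
        log = [f"received {len(fragments)} fragments for {key!r}"]  # step S3202
        failed = False
        # Phase 1: transfer each fragment and wait for its reflection result.
        for dev, fragment in zip(self.devices, fragments):
            log.append(f"forwarded {key!r} to {dev.name}")      # step S1205
            result = dev.store_temporary(key, fragment)          # steps S3206/S3207
            log.append(f"{dev.name}: {result}")
            if result != "reflection success":
                failed = True
                break  # the remaining fragments are not transferred
        self.log_storage = log  # steps S3209 / S3216: persist the log before phase 2
        # Phase 2: commit everywhere, or roll back everywhere.
        if not failed:
            for dev in self.devices:
                dev.commit(key)                                  # step S3210
            self.log_storage = None                              # step S3213
            return "committed"
        for dev in self.devices:
            dev.rollback(key)  # step S3217: here also sent to the device that failed
        self.log_storage = None                                  # step S3220
        return "rolled back"  # an error notification to the registration device follows (S3221)


def stored_values(devices: list[SecretComputingDevice], key: str) -> list[bytes | None]:
    """What each device holds for key; consistent means every fragment comes from the same registration."""
    return [dev.storage.get(key) for dev in devices]


def demo() -> tuple[str, str, list[bytes | None]]:
    """Register value 3, then let device 33-2 fail while registering value 5."""
    devices = [SecretComputingDevice("33-1"), SecretComputingDevice("33-2"),
               SecretComputingDevice("33-3")]
    relay = RelayDevice(devices)
    first = relay.register("value", [b"share-of-3/1", b"share-of-3/2", b"share-of-3/3"])
    devices[1].fail_store = True  # constructed fault on 33-2
    second = relay.register("value", [b"share-of-5/1", b"share-of-5/2", b"share-of-5/3"])
    # After rollback every device still holds its fragment of value 3: no inconsistency.
    return first, second, stored_values(devices, "value")
```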
- each of the original data fragments of the third embodiment may be a ciphertext obtained by encrypting each of the secret sharing values so that it can be decrypted by the respective secret computing device, and/or each of the result fragments may be a ciphertext obtained by encrypting each of the secret calculation results so that the analysis apparatus can decrypt it.
- the process of encrypting and decrypting the secret sharing value and the secret calculation result is as described in the second embodiment.
- the present invention is not limited to the embodiment described above.
- at least some of the devices may exchange information via a portable recording medium.
- at least some of the devices may exchange information via a non-portable recording medium. That is, a combination of some of these devices may be realized as a single device.
- a computer-readable recording medium is a non-transitory recording medium. Examples of such a recording medium are a magnetic recording device, an optical disk, a magneto-optical recording medium, a semiconductor memory, and the like.
- This program is distributed, for example, by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Furthermore, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.
- a computer that executes such a program first stores the program recorded on the portable recording medium, or the program transferred from the server computer, in its own storage device. When executing the processing, this computer reads the program stored in its own storage device and executes processing according to the read program. As another form of execution, the computer may read the program directly from the portable recording medium and execute processing according to it, or it may execute processing according to the received program sequentially each time the program is transferred from the server computer to the computer.
- the above-described processing may also be executed by a so-called ASP (Application Service Provider) type service that does not transfer a program from the server computer to the computer but realizes the processing functions only through execution instructions and result acquisition.
- the processing functions of the apparatus are realized by executing a predetermined program on a computer, but at least a part of these processing functions may be realized by hardware.
Description
[Secret sharing technology]
Secret sharing is a technique that converts data into a plurality of distributed values (secret sharing values) such that the original data can be restored by using a certain number or more of the secret sharing values, while none of the original data can be restored from fewer than that number of secret sharing values. (k,n)-secret sharing, one kind of secret sharing, is a scheme in which the input plaintext is split into n secret sharing values that are distributed over n computing entities, the plaintext can be restored when any k of the secret sharing values are gathered, and no information whatsoever about the plaintext can be obtained from fewer than k secret sharing values. Here n and k are integers of 1 or more (the scheme functions as secret sharing when n and k are integers of 2 or more), and n ≥ k. A representative example of (k,n)-secret sharing is Shamir secret sharing, described in "A. Shamir, “How to share a secret”, Communications of the ACM, Volume 22 Issue 11, pp. 612-613, 1979" (Reference 1). The secret sharing used in each embodiment may be any scheme with which the secret computation described below can be used.
Secret computation is a technique in which the data to be computed (original data) is secret-shared and stored among a plurality of computing entities, and the secret sharing values of a function value of the original data are computed in cooperation with the other computing entities without restoring the original data. Secret computation uses secret sharing as an elemental technology.
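As an added illustration that is not part of the patent text, the following Python code implements (k,n) Shamir secret sharing over a prime field and the per-device share arithmetic on which secret computation builds: each computing entity adds the shares it holds of two values, and the sum is restored from any k result shares without any entity ever seeing either value. The prime and all sample values are constructed for the example.

```python
"""Added example, not from the patent: (k,n) Shamir secret sharing over a prime
field, plus the per-device share arithmetic that secret computation builds on.
The prime and all sample values are constructed for this illustration."""
from __future__ import annotations

import secrets

PRIME = 2**61 - 1  # constructed field modulus; must exceed every secret shared


def share(secret: int, k: int, n: int, prime: int = PRIME) -> list[tuple[int, int]]:
    """Split `secret` into n secret sharing values; any k of them restore it.

    A random polynomial f of degree k-1 with f(0) = secret is chosen, and the
    share for computing entity x (x = 1..n) is the point (x, f(x)). Fewer than
    k points leave f(0) uniformly distributed, so they reveal nothing.
    """
    if not 1 <= k <= n < prime:
        raise ValueError("need 1 <= k <= n < prime")
    coeffs = [secret % prime] + [secrets.randbelow(prime) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) mod prime
            y = (y * x + c) % prime
        shares.append((x, y))
    return shares


def reconstruct(shares: list[tuple[int, int]], prime: int = PRIME) -> int:
    """Restore f(0) by Lagrange interpolation from at least k distinct shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("shares must come from distinct computing entities")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if j != i:
                num = num * (-xj) % prime
                den = den * (xi - xj) % prime
        total = (total + yi * num * pow(den, -1, prime)) % prime
    return total


def device_add(share_a: tuple[int, int], share_b: tuple[int, int],
               prime: int = PRIME) -> tuple[int, int]:
    """Secret computation step run locally by one computing entity.

    Shares are polynomial evaluations, so adding the shares of a and b held by
    entity x yields entity x's share of a + b: the function value can later be
    restored from k result shares while no entity ever sees a or b.
    """
    (xa, ya), (xb, yb) = share_a, share_b
    if xa != xb:
        raise ValueError("shares belong to different computing entities")
    return xa, (ya + yb) % prime


def secure_sum_demo(a: int, b: int, k: int = 3, n: int = 5) -> int:
    """Share a and b over n entities, add share-wise, restore a + b from k results."""
    shares_a, shares_b = share(a, k, n), share(b, k, n)
    result_shares = [device_add(sa, sb) for sa, sb in zip(shares_a, shares_b)]
    # The analysis side needs only any k result shares; the last k are used here.
    return reconstruct(result_shares[-k:])


if __name__ == "__main__":
    print(secure_sum_demo(5, 3))  # constructed values; restores 8
```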
[First embodiment]
In this embodiment, a relay device is provided that transfers a plurality of original data fragments corresponding to a plurality of secret sharing values of original data to a plurality of secret computing devices, transfers a transmission request (analysis request) for result fragments based on the secret computation result corresponding to any of those original data fragments to each of the secret computing devices, and transfers the result fragments. The relay device controls the timing at which the original data fragments are transferred and the timing at which the analysis request is transferred. Thereby, a correct analysis result can be obtained regardless of the timing at which processing is started.
<Overall configuration>
As illustrated in FIG. 1, the secret computation system 1 of this embodiment has a registration device 11, a relay device 12, a plurality of secret computing devices 13-1 to 13-N, and an analysis device 14, where N is an integer of 2 or more. The relay device 12 of this embodiment is configured to communicate with the registration device 11 and the analysis device 14 via a network 151, and with the secret computing devices 13-1 to 13-N via a network 152. Depending on the secret computation scheme, the secret computing devices 13-1 to 13-N may also be able to communicate with each other via the network 152. The networks 151 and 152 may be the same network or different networks. The registration device 11, the relay device 12, the secret computing devices 13-1 to 13-N, and the analysis device 14 are, for example, devices configured by a general-purpose or dedicated computer, equipped with a processor (hardware processor) such as a CPU (central processing unit), memory such as RAM (random-access memory) and ROM (read-only memory), and a communication device, executing a predetermined program. This computer may have a single processor and memory or a plurality of processors and memories. The program may be installed on the computer or recorded in advance in ROM or the like. Some or all of the processing units may be configured not by electronic circuitry that realizes its functional configuration by loading a program, as a CPU does, but by electronic circuitry that realizes the processing functions without using a program. The electronic circuitry constituting one device may include a plurality of CPUs.
As illustrated in FIG. 2A, the registration device 11 of this embodiment has a control unit 111, an interface unit 112, a storage unit 113, a fragmentation unit 114, and a communication unit 115, and the fragmentation unit 114 has a secret sharing unit 1141. The registration device 11 executes each process under the control of the control unit 111.
As illustrated in FIG. 3, the relay device 12 of this embodiment has communication units 1211, 1212, 1221, 1222, a transaction management unit 123, and a control unit 124, and the transaction management unit 123 has storage units 1231, 1234, a registration management unit 1232, and an analysis management unit 1233. The relay device 12 executes each process under the control of the control unit 124.
As illustrated in FIG. 4, each secret computing device 13-i (i = 1, ..., N) of this embodiment has communication units 131-i, 132-i, a reflection management unit 134-i, a storage unit 135-i, a computation unit 136-i, and a control unit 137-i, and the computation unit 136-i has a secret computation unit 1361-i. Each secret computing device 13-i executes each process under the control of the control unit 137-i.
As illustrated in FIG. 2B, the analysis device 14 of this embodiment has a control unit 141, an interface unit 142, an analysis unit 144, and a communication unit 145, and the analysis unit 144 has a restoration unit 1441. The analysis device 14 executes each process under the control of the control unit 141.
In the registration process, the registration device 11 secret-shares the original data to be computed and stores it in the secret computing devices 13-1 to 13-N. The registration process may be executed any number of times, and there is no restriction on the timing at which each registration process is started. The registration process of this embodiment is described below with reference to the flowcharts of FIGS. 5 to 7.
In the analysis process, the analysis device 14 requests transmission of result fragments and restores the analysis result from the plurality of result fragments sent to it. Each result fragment is based on the secret computation result for the original data fragments α1, ..., αN stored in the secret computing devices 13-1 to 13-N. The analysis process may be executed any number of times, and there is no restriction on the timing at which each analysis process is started. The analysis process of this embodiment is described below with reference to the flowcharts of FIGS. 8A to 8C.
In this embodiment, the relay device 12 is arranged on the communication path between the registration device 11 and the analysis device 14 on one side and the secret computing devices 13-1 to 13-N on the other, and performs transaction management. Thereby, a correct analysis result can be obtained regardless of the timing at which each process is started. That is, during the registration process the relay device 12 transfers the original data fragments α1, ..., αN sent from the registration device 11 to the secret computing devices 13-1 to 13-N, during the analysis process it transfers the analysis request sent from the analysis device 14 to the secret computing devices 13-φ(1), ..., 13-φ(K), and it controls the timing of these transfers. For example, when the transfer of original data fragments has started, the relay device 12 holds the transfer of an analysis request until the transfer of the original data fragments is complete (FIG. 6: steps S1204, S1215; FIG. 8B: step S1232), and when the transfer of an analysis request has started, it holds the transfer of original data fragments until the transfer of the result fragments is complete (FIG. 8B: steps S1233, S1237; step S1203). As a result, no inconsistency arises in the order in which original data fragments and analysis requests arrive at the secret computing devices 13-1 to 13-N, and a correct analysis result is obtained. The relay device 12 also controls the transfer timing when a plurality of registration processes are executed. For example, when the transfer of the above original data fragments α1, ..., αN has started, the relay device 12 holds the transfer of other, second original data fragments α1', ..., αN' until that transfer is complete (FIG. 6: steps S1203, S1204, S1215). As a result, no inconsistency arises in the order in which the original data fragments α1, ..., αN and the second original data fragments α1', ..., αN' arrive at the secret computing devices 13-1 to 13-N, and a correct analysis result is obtained. Note that even when a plurality of analysis processes are started, no timing control is performed between those analysis processes (FIG. 8B: step S1232), because contention between analysis processes does not cause any inconsistency in the data stored in the secret computing devices 13-1 to 13-N. This prevents processing delays caused by unnecessary waiting.
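The transfer-timing rules just described, as an added simplified model that is not part of the patent text: registrations hold everything else until their fragments have been transferred, outstanding analyses hold registrations until their result fragments have been forwarded, and analyses never wait for one another. Request identifiers and the release order (held analyses first, then one registration at a time) are constructed assumptions of this illustration.

```python
"""Added example, not from the patent: a simplified model of the transfer-timing
control performed by the relay device's transaction management unit. Request
identifiers and the release order are constructed assumptions."""
from __future__ import annotations

from collections import deque


class RelayTransactionManager:
    """Decides whether a registration or an analysis request is forwarded now or held.

    Rules modelled from the description:
      * while original data fragments are in transit (a registration is in
        progress), later registrations and all analysis requests are held until
        the transfer completes (steps S1203, S1204, S1215, S1232);
      * while forwarded analysis requests still have result fragments
        outstanding, registrations are held (steps S1233, S1237);
      * analysis requests never wait for one another.
    """

    def __init__(self) -> None:
        self.active_registration: str | None = None   # fragments currently in transit
        self.active_analyses: set[str] = set()        # result fragments outstanding
        self.pending_registrations: deque[str] = deque()
        self.pending_analyses: deque[str] = deque()
        self.forwarded: list[str] = []                # order requests reach the devices

    def submit_registration(self, reg_id: str) -> str:
        """Original data fragments arrived from a registration device."""
        self.pending_registrations.append(reg_id)
        self._release()
        return "forwarded" if self.active_registration == reg_id else "held"

    def submit_analysis(self, req_id: str) -> str:
        """An analysis request arrived from an analysis device."""
        self.pending_analyses.append(req_id)
        self._release()
        return "forwarded" if req_id in self.active_analyses else "held"

    def registration_complete(self, reg_id: str) -> None:
        """All fragments of reg_id reached the secret computing devices (step S1215)."""
        if self.active_registration != reg_id:
            raise RuntimeError(f"registration {reg_id!r} is not in progress")
        self.active_registration = None
        self._release()

    def analysis_complete(self, req_id: str) -> None:
        """Result fragments for req_id were forwarded to the analysis device (step S1237)."""
        self.active_analyses.remove(req_id)
        self._release()

    def _release(self) -> None:
        if self.active_registration is not None:
            return                        # fragments in transit: everything else waits
        while self.pending_analyses:      # analyses are forwarded without mutual waiting
            req_id = self.pending_analyses.popleft()
            self.active_analyses.add(req_id)
            self.forwarded.append(f"analyze:{req_id}")
        if not self.active_analyses and self.pending_registrations:
            reg_id = self.pending_registrations.popleft()   # one registration at a time
            self.active_registration = reg_id
            self.forwarded.append(f"register:{reg_id}")


def demo() -> list[str]:
    """Interleave two registrations and three analyses; return the forwarding order."""
    relay = RelayTransactionManager()
    relay.submit_registration("R1")    # forwarded at once
    relay.submit_analysis("A1")        # held: R1's fragments are in transit
    relay.submit_registration("R2")    # held: R1 in progress (second original data fragments)
    relay.registration_complete("R1")  # A1 is released; R2 waits for A1's result fragments
    relay.submit_analysis("A2")        # forwarded: analyses do not wait for each other
    relay.analysis_complete("A1")
    relay.analysis_complete("A2")      # nothing outstanding: R2 is released
    relay.submit_analysis("A3")        # held until R2's fragments have been transferred
    relay.registration_complete("R2")
    return relay.forwarded
```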
The relay device can obtain a plurality of original data fragments and result fragments, and if the relay device is vulnerable, the original data and the analysis results may leak. To address this problem, in this embodiment the communication path between the registration device and the secret computing devices is encrypted. That is, the ciphertext obtained by encrypting each secret sharing value so that it can be decrypted by the respective secret computing device is used as the “original data fragment” (Measure 1). This prevents leakage of the original data. In addition, the communication path between the analysis device and the secret computing devices is encrypted. That is, the ciphertext obtained by encrypting each secret computation result so that it can be decrypted by the analysis device is used as the “result fragment” (Measure 2). This prevents leakage of the analysis results. Note that the “original data fragment” is not a secret sharing value of a ciphertext; it is the ciphertext obtained by encrypting each secret sharing value so that the respective secret computing device can decrypt it. In the former case, unless the encryption scheme and the secret sharing scheme are specially devised, the secret computing devices cannot perform secret computation using the “original data fragments”. In this embodiment, by using as the “original data fragment” the ciphertext obtained by encrypting each secret sharing value so that the respective secret computing device can decrypt it, the communication path between the registration device and the secret computing devices is encrypted while secret computation at the secret computing devices remains possible. It is desirable that both Measures 1 and 2 are taken, but only one of them may be taken. An example in which both Measures 1 and 2 are taken is described below. Hereinafter, for parts common to matters already described, the reference numerals used so far are reused and the description is omitted.
As illustrated in FIG. 1, the secret computation system 2 of this embodiment is the secret computation system 1 of the first embodiment with the registration device 11 and the analysis device 14 replaced by a registration device 21 and an analysis device 24, respectively, and it has the registration device 21, the relay device 12, a plurality of secret computing devices 23-1 to 23-N, and the analysis device 24. The relay device 12 of this embodiment is configured to communicate with the registration device 21 and the analysis device 24 via the network 151, and with the secret computing devices 23-1 to 23-N via the network 152. Depending on the secret computation scheme, the secret computing devices 23-1 to 23-N may also be able to communicate with each other via the network 152. The registration device 21, the secret computing devices 23-1 to 23-N, and the analysis device 24 are, for example, devices configured by the above-described computer executing a predetermined program.
As illustrated in FIG. 2A, the registration device 21 of this embodiment has a control unit 111, an interface unit 112, a storage unit 113, a fragmentation unit 214, and a communication unit 115. The fragmentation unit 214 has a secret sharing unit 1141, an encryption unit 2142, and a decryption unit 2143. The registration device 21 executes each process under the control of the control unit 111.
As illustrated in FIG. 4, each secret computing device 23-i (i = 1, ..., N) of this embodiment has communication units 131-i, 132-i, a reflection management unit 234-i, a storage unit 135-i, a computation unit 236-i, and a control unit 137-i. The computation unit 136-i has a secret computation unit 1361-i, a decryption unit 2363-i, and an encryption unit 2364-i. Each secret computing device 23-i executes each process under the control of the control unit 137-i.
As illustrated in FIG. 2B, the analysis device 24 of this embodiment has a control unit 141, an interface unit 142, an analysis unit 244, and a communication unit 145. The analysis unit 244 has a restoration unit 1441, a decryption unit 2442, and an encryption unit 2443. The analysis device 24 executes each process under the control of the control unit 141.
The registration process of this embodiment is described with reference to the flowcharts of FIGS. 5 to 7. First, the registration device 21 (FIG. 2A) performs steps S1101 and S1102 (FIG. 5) described in the first embodiment. The N secret sharing values a1, ..., aN obtained in S1102 are sent to the encryption unit 2142. The encryption unit 2142 encrypts each secret sharing value ai (i = 1, ..., N) so that it can be decrypted by the respective secret computing device 13-i, and outputs the ciphertext Enc1(ai) of each secret sharing value ai as the original data fragment αi. The encryption scheme used for this encryption is not limited; a known common-key encryption scheme, public-key encryption scheme, ID-based encryption scheme, or the like can be used. For example, when a common-key encryption scheme is used, the encryption unit 2142 and the secret computing device 23-i share a common key K1(i), and the encryption unit 2142 encrypts the secret sharing value ai with the common key K1(i) in accordance with the predetermined common-key encryption scheme to obtain the ciphertext αi = Enc1(ai). The ciphertext αi is, for example, the ciphertext of a request containing the secret sharing value ai (step S2103). The original data fragments α1, ..., αN (a plurality of original data fragments) are sent to the communication unit 115, and the communication unit 115 transmits the original data fragments α1, ..., αN to the relay device 12 via the network 151 (step S1104).
The analysis process of this embodiment is described with reference to the flowcharts of FIGS. 8A to 8C.
First, the encryption unit 2443 of the analysis unit 244 of the analysis device 24 (FIG. 2B) encrypts an analysis request so that it can be decrypted by each secret computing device 23-i, and generates an encrypted analysis request (step S2110). The encrypted analysis request is transmitted from the communication unit 145 to the relay device 12 (step S2111). The relay device 12 performs steps S1231 to S1234 (FIG. 8B), except that in this embodiment the “encrypted analysis request” is used in place of the “analysis request”. The secret computing device 23-i (FIG. 4) receives the encrypted analysis request at the communication unit 132-i and sends it to the computation unit 236-i (FIG. 8C: step S2321-i). The decryption unit 2363-i of the computation unit 236-i decrypts the encrypted analysis request to restore the analysis request (step S2322-i), reads the secret sharing value ai from the storage unit 135-i accordingly, and sends it to the secret computation unit 1361-i. The secret computation unit 1361-i performs secret computation on the secret sharing value ai, instead of the data fragment αi, as described in the first embodiment, and outputs the secret computation result bi (step S1323-i). The secret computation result bi is sent to the encryption unit 2364-i. The encryption unit 2364-i encrypts the secret computation result bi so that it can be decrypted by the analysis device 24, and outputs the ciphertext Enc2(bi) of the secret computation result bi as the result fragment βi (a result fragment based on the secret computation result of any of the original data fragments). The scheme used for this encryption is not limited; a known common-key encryption scheme, public-key encryption scheme, ID-based encryption scheme, or the like can be used. For example, when a common-key encryption scheme is used, the encryption unit 2364-i and the analysis device 24 share a common key K2(i), and the encryption unit 2364-i encrypts the secret computation result bi with the common key K2(i) in accordance with the predetermined common-key encryption scheme to obtain the ciphertext βi = Enc2(bi) (step S2324-i). The result fragment βi = Enc2(bi) is sent to the communication unit 132-i, and the communication unit 132-i transmits the result fragment βi to the relay device 12 via the network 152 (step S1325-i).
In this embodiment too, the relay device 12 is arranged on the communication path between the registration device 21 and the analysis device 24 and the secret computing devices 23-1 to 23-N, and performs transaction management. Thereby, a correct analysis result can be obtained regardless of the timing at which each process is started. Furthermore, in this embodiment each original data fragment is a ciphertext obtained by encrypting a secret sharing value, and/or each result fragment is a ciphertext obtained by encrypting a secret computation result. Thereby, even if the relay device 12 is vulnerable, leakage of the original data and the analysis results to a third party can be suppressed. Note that in the registration process of this embodiment, the original data fragment, which is a ciphertext, is decrypted and then stored in each secret computing device 23-i. However, in the registration process, each secret computing device 23-i that receives the original data fragment (a ciphertext) may instead store it as it is. In that case, during the analysis process the secret computing device decrypts the original data fragment to generate the secret sharing value and then performs the secret computation.
If, after the original data fragments have been transferred to the secret computing devices, some of them are not correctly reflected in a secret computing device because of a fault or the like in that device, the original data fragments become inconsistent between the secret computing devices and an incorrect analysis result may be obtained. For example, suppose that one secret computing device x stored the original data fragment αx(5) corresponding to the secret sharing value of the latest value “5”, while another secret computing device y failed to store the original data fragment αy(5) corresponding to the secret sharing value of the latest value “5”, so that the original data fragment αy(3) corresponding to the secret sharing value of the past value “3” remained. When such an inconsistency in the original data fragments arises, the corresponding result fragments are also inconsistent, and the analysis result is wrong.
As illustrated in FIG. 1, the secret computation system 3 of this embodiment is the first embodiment with the relay device 12 and the secret computing devices 13-1 to 13-N replaced by a relay device 32 and secret computing devices 33-1 to 33-N, respectively, and it has the registration device 11, the relay device 32, a plurality of secret computing devices 33-1 to 33-N, and the analysis device 14. The relay device 32 of this embodiment is configured to communicate with the registration device 11 and the analysis device 14 via the network 151, and with the secret computing devices 33-1 to 33-N via the network 152. The relay device 32 and the secret computing devices 33-1 to 33-N are, for example, devices configured by the above-described computer executing a predetermined program.
As illustrated in FIG. 3, the relay device 32 of this embodiment has communication units 3211, 1212, 3221, 1222, a transaction management unit 323, and a control unit 124, and the transaction management unit 323 has storage units 1231, 1234, a log storage unit 3235, a registration management unit 3232, and an analysis management unit 1233. The relay device 32 executes each process under the control of the control unit 124. The storage units 1231 and 1234 are storage areas realized on memory such as semiconductor memory.
As illustrated in FIG. 4, each secret computing device 33-i (i = 1, ..., N) of this embodiment has communication units 331-i, 132-i, a reflection management unit 334-i, a temporary storage unit 333-i, a storage unit 135-i, a computation unit 136-i, and a control unit 137-i, and the computation unit 136-i has a secret computation unit 1361-i. Each secret computing device 33-i executes each process under the control of the control unit 137-i.
The registration process of this embodiment is described below with reference to FIGS. 5 to 7 and FIGS. 9 to 21.
First, the registration device 11 performs steps S1101 to S1104 (FIGS. 5, 6, 9, 11) described in the first embodiment and transmits the original data fragments α1, ..., αN to the relay device 32.
In this embodiment too, the relay device 32 is arranged on the communication path between the registration device 11 and the analysis device 14 and the secret computing devices 33-1 to 33-N, and performs transaction management. Thereby, a correct analysis result can be obtained regardless of the timing at which each process is started. By performing transaction control using two-phase commit, the service can be continued without human intervention even when the registration process of the original data fragments partially fails.
The present invention is not limited to the embodiments described above. For example, rather than each device exchanging information via a network, at least some sets of devices may exchange information via a portable recording medium. Alternatively, at least some sets of devices may exchange information via a non-portable recording medium. That is, a combination of some of these devices may be a single device. There may also be a plurality of registration devices and analysis devices relayed by the relay device; in that case the processing of the relay device may be the same as in each of the embodiments above.
11, 21 Registration device
12, 32 Relay device
13-i, 23-i, 33-i Secret computing device
14, 24 Analysis device
Claims (9)
- A relay device comprising: a first communication unit that transfers a plurality of original data fragments corresponding to a plurality of secret sharing values of original data to a plurality of secret computing devices; a second communication unit that transfers a transmission request for a result fragment based on a secret computation result corresponding to any of the original data fragments to each of the secret computing devices; a third communication unit that transfers the result fragment; and a transaction management unit that controls the timing at which the original data fragments are transferred and the timing at which the transmission request is transferred.
- The relay device of claim 1, wherein each of the original data fragments is a ciphertext obtained by encrypting each of the secret sharing values so that it can be decrypted by the respective secret computing device, and/or each of the result fragments is a ciphertext obtained by encrypting each of the secret computation results so that it can be decrypted by an analysis device.
- The relay device of claim 1 or 2, wherein the transaction management unit instructs all of the secret computing devices to cancel the original data fragments when any of the original data fragments has not been correctly reflected in a secret computing device.
- The relay device of any one of claims 1 to 3, wherein the transaction management unit holds the transfer of the transmission request until the transfer of the original data fragments is complete when the transfer of the original data fragments has started, and holds the transfer of the original data fragments until the transfer of the result fragments is complete when the transfer of the transmission request has started.
- The relay device of any one of claims 1 to 4, wherein the first communication unit transfers a plurality of second original data fragments corresponding to a plurality of secret sharing values of second original data to the secret computing devices, the second communication unit transfers a transmission request for a second result fragment based on a secret computation result corresponding to any of the second original data fragments to each of the secret computing devices, the third communication unit transfers the second result fragment, and the transaction management unit holds the transfer of the second original data fragments until the transfer of the original data fragments is complete when the transfer of the original data fragments has started.
- A secret computation system comprising a registration device, a relay device, an analysis device, and a plurality of secret computing devices, wherein the registration device transmits a plurality of original data fragments corresponding to a plurality of secret sharing values of original data to the relay device; the relay device transfers the original data fragments to the secret computing devices; the analysis device transmits to the relay device a transmission request for a result fragment based on a secret computation result corresponding to any of the original data fragments; the relay device transfers the transmission request to each of the secret computing devices; each of the secret computing devices transmits the result fragment for the transmission request to the relay device; the relay device transfers the result fragment to the analysis device; and the relay device controls the timing at which the original data fragments are transferred and the timing at which the transmission request is transferred.
- A method executed by the relay device of any one of claims 1 to 5 or by the secret computation system of claim 6.
- A program for causing a computer to function as the relay device of any one of claims 1 to 5.
- A computer-readable recording medium storing a program for causing a computer to function as the relay device of any one of claims 1 to 5.
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/516,319 US11496893B2 (en) | 2014-10-07 | 2015-10-02 | Secure computation system and relay device, and method, program, and recording medium thereof |
CN201580053884.XA CN106796763B (zh) | 2014-10-07 | 2015-10-02 | Secret computation system, relay device, method thereof, and recording medium |
JP2016553076A JP6283119B2 (ja) | 2014-10-07 | 2015-10-02 | Secure computation system, relay device, method, program, and recording medium thereof |
EP15848792.6A EP3185234B1 (en) | 2014-10-07 | 2015-10-02 | Secure computation system and relay device, and method, program, and recording medium thereof |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2014206357 | 2014-10-07 | ||
JP2014-206357 | 2014-10-07 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2016056473A1 true WO2016056473A1 (ja) | 2016-04-14 |
Family
ID=55653085
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2015/078009 WO2016056473A1 (ja) | 2014-10-07 | 2015-10-02 | Secure computation system, relay device, method, program, and recording medium thereof |
Country Status (5)
Country | Link |
---|---|
US (1) | US11496893B2 (ja) |
EP (1) | EP3185234B1 (ja) |
JP (1) | JP6283119B2 (ja) |
CN (1) | CN106796763B (ja) |
WO (1) | WO2016056473A1 (ja) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPWO2016178291A1 (ja) * | 2015-05-07 | 2018-03-01 | 日本電気株式会社 | 秘密計算データ利用システムと方法と装置並びにプログラム |
US11314506B2 (en) | 2017-05-18 | 2022-04-26 | Nec Corporation | Secure computation device, comparison method, comparison program recording medium, and secure computation system |
WO2023181174A1 (ja) * | 2022-03-23 | 2023-09-28 | 日本電気株式会社 | 秘密分散型計算システム、中継装置、それらの方法、及びプログラム |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP6713585B2 (ja) * | 2017-07-05 | 2020-06-24 | 日本電信電話株式会社 | 秘密計算システム、秘密計算装置、秘密計算方法、プログラム、および記録媒体 |
US11296995B2 (en) | 2020-08-31 | 2022-04-05 | Micron Technology, Inc. | Reduced sized encoding of packet length field |
US11418455B2 (en) * | 2020-08-31 | 2022-08-16 | Micron Technology, Inc. | Transparent packet splitting and recombining |
US11539623B2 (en) | 2020-08-31 | 2022-12-27 | Micron Technology, Inc. | Single field for encoding multiple elements |
US11412075B2 (en) | 2020-08-31 | 2022-08-09 | Micron Technology, Inc. | Multiple protocol header processing |
US11360920B2 (en) | 2020-08-31 | 2022-06-14 | Micron Technology, Inc. | Mapping high-speed, point-to-point interface channels to packet virtual channels |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2003345679A (ja) * | 2002-05-28 | 2003-12-05 | Nippon Telegr & Teleph Corp <Ntt> | サーバシステム、仲介装置、及び、クライアントサーバ型システムにおける誤り隠蔽方法 |
JP2013026954A (ja) * | 2011-07-25 | 2013-02-04 | Nec Corp | 暗号データ検索システム、装置、方法及びプログラム |
WO2015114947A1 (ja) * | 2014-01-28 | 2015-08-06 | 日本電信電話株式会社 | 秘密計算方法、秘密計算システム、秘密計算サーバ、登録者端末、利用者端末及びプログラム |
Family Cites Families (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6643701B1 (en) | 1999-11-17 | 2003-11-04 | Sun Microsystems, Inc. | Method and apparatus for providing secure communication with a relay in a network |
US7167565B2 (en) * | 2001-03-06 | 2007-01-23 | Arcot Systems, Inc. | Efficient techniques for sharing a secret |
CN1799095A (zh) * | 2003-08-04 | 2006-07-05 | 三菱电机株式会社 | 数字记录装置、数字再现装置和数字记录再现装置、以及加密装置、解调装置、加密方法和解调方法 |
JP2008103936A (ja) * | 2006-10-18 | 2008-05-01 | Toshiba Corp | 秘密情報管理装置および秘密情報管理システム |
JP4827717B2 (ja) * | 2006-12-20 | 2011-11-30 | 三菱電機株式会社 | 通信システム及び発信側端末装置及び着信側端末装置 |
JP5100286B2 (ja) * | 2007-09-28 | 2012-12-19 | 東芝ソリューション株式会社 | 暗号モジュール選定装置およびプログラム |
US20100037056A1 (en) * | 2008-08-07 | 2010-02-11 | Follis Benjamin D | Method to support privacy preserving secure data management in archival systems |
US20100318782A1 (en) * | 2009-06-12 | 2010-12-16 | Microsoft Corporation | Secure and private backup storage and processing for trusted computing and data services |
US9606858B2 (en) * | 2010-04-26 | 2017-03-28 | International Business Machines Corporation | Temporarily storing an encoded data slice |
EP2582086B1 (en) * | 2010-07-23 | 2016-03-23 | Nippon Telegraph and Telephone Corporation | Cryptographic system, cryptographic communication method, encryption apparatus, key generation apparatus, decryption apparatus, content server, program, and storage medium |
IN2014CN04197A (ja) * | 2011-12-20 | 2015-07-17 | Mitsubishi Electric Corp | |
US9424326B2 (en) * | 2012-09-13 | 2016-08-23 | International Business Machines Corporation | Writing data avoiding write conflicts in a dispersed storage network |
CN104904179A (zh) * | 2012-10-16 | 2015-09-09 | 真实数据系统股份有限公司 | 安全通信架构 |
- 2015
- 2015-10-02 WO PCT/JP2015/078009 patent/WO2016056473A1/ja active Application Filing
- 2015-10-02 CN CN201580053884.XA patent/CN106796763B/zh active Active
- 2015-10-02 JP JP2016553076A patent/JP6283119B2/ja active Active
- 2015-10-02 EP EP15848792.6A patent/EP3185234B1/en active Active
- 2015-10-02 US US15/516,319 patent/US11496893B2/en active Active
Non-Patent Citations (3)
Title |
---|
KOJI CHIDA ET AL.: "Kokimitsu Data mo Anzen ni Niji Riyo Kano na 'Himitsu Keisan Gijutsu", NTT GIJUTSU JOURNAL, vol. 26, no. 3, 1 March 2014 (2014-03-01), pages 67 - 70, XP009501765, ISSN: 0915-2318 * |
See also references of EP3185234A4 * |
SHINJI KITAGAMI ET AL.: "A Proxy Communication Method in Machine to Machine System to Enable the Device Connection to Different Multiple Services and its Implementation", THE TRANSACTIONS OF THE INSTITUTE OF ELECTRICAL ENGINEERS OF JAPAN . C, A PUBLICATION OF ELECTRONICS, INFORMATION AND SYSTEMS SOCIETY, vol. 132, no. 4, 1 April 2012 (2012-04-01), pages 516 - 525, XP009501766, ISSN: 0385-4221 * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPWO2016178291A1 (ja) * | 2015-05-07 | 2018-03-01 | 日本電気株式会社 | Secure computation data utilization system, method, apparatus and program |
US10721063B2 (en) | 2015-05-07 | 2020-07-21 | Nec Corporation | Secure computation data utilization system, method, apparatus and non-transitory medium |
US11314506B2 (en) | 2017-05-18 | 2022-04-26 | Nec Corporation | Secure computation device, comparison method, comparison program recording medium, and secure computation system |
WO2023181174A1 (ja) * | 2022-03-23 | 2023-09-28 | 日本電気株式会社 | Secret-sharing-based computation system, relay device, methods therefor, and program |
Also Published As
Publication number | Publication date |
---|---|
US11496893B2 (en) | 2022-11-08 |
CN106796763A (zh) | 2017-05-31 |
US20170310473A1 (en) | 2017-10-26 |
JP6283119B2 (ja) | 2018-02-21 |
JPWO2016056473A1 (ja) | 2017-08-17 |
EP3185234A4 (en) | 2018-02-14 |
CN106796763B (zh) | 2020-07-28 |
EP3185234A1 (en) | 2017-06-28 |
EP3185234B1 (en) | 2019-01-30 |
Similar Documents
Publication | Title |
---|---|
JP6283119B2 (ja) | Secure computation system, relay device, methods therefor, program, and recording medium |
US20150149763A1 (en) | Server-Aided Private Set Intersection (PSI) with Data Transfer |
US20140050318A1 (en) | Re-encryption key generator, re-encryption apparatus, and program |
US11595187B2 (en) | Communication device and communication method used in decentralized network |
JP6363032B2 (ja) | Key replacement direction control system and key replacement direction control method |
US20180351737A1 (en) | Communication apparatus, communication system, key sharing method, and computer program product |
CN115242555A (zh) | Supervisable cross-chain private data sharing method and device |
US11431489B2 (en) | Encryption processing system and encryption processing method |
JP2001244925A (ja) | Encrypted data management system and method, and storage medium |
CN112400299A (zh) | Data interaction method and related device |
Nalinipriya et al. | Extensive medical data storage with prominent symmetric algorithms on cloud-a protected framework |
CN112003690B (zh) | Cryptographic service system, method and device |
JP4995667B2 (ja) | Information processing device, server device, information processing program and method |
JPWO2020255382A1 (ja) | Content transaction system, content transaction method, key management device, and key management program |
JP2016151797A (ja) | Information processing system, control method therefor, and program |
JP4222132B2 (ja) | Software providing method and system |
JP4924477B2 (ja) | Removable device, log collection method, program and recording medium |
KR20150002821A (ko) | Method for protecting the confidentiality of a file distributed and stored across multiple storage service providers |
KR20210036700A (ko) | Blockchain system supporting modification of plaintext data included in a transaction |
CN115001719B (zh) | Private data processing system, method, device, computer equipment and storage medium |
WO2024045552A1 (zh) | Data processing method and related device |
Maram et al. | Dynamic-Committee Proactive Secret Sharing |
JP2015102692A (ja) | Information processing device and method therefor |
JP6786836B2 (ja) | Data relay system, data relay method, and program |
JP6492832B2 (ja) | Encryption device, encryption method, encryption program, data structure, and encryption system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 15848792 Country of ref document: EP Kind code of ref document: A1 |
| REEP | Request for entry into the european phase | Ref document number: 2015848792 Country of ref document: EP |
| WWE | Wipo information: entry into national phase | Ref document number: 2015848792 Country of ref document: EP |
| ENP | Entry into the national phase | Ref document number: 2016553076 Country of ref document: JP Kind code of ref document: A |
| WWE | Wipo information: entry into national phase | Ref document number: 15516319 Country of ref document: US |
| NENP | Non-entry into the national phase | Ref country code: DE |