WO2016129363A1

WO2016129363A1 - Calculating device relating to concealment computation system employing distribution of secrets

Info

Publication number: WO2016129363A1
Application number: PCT/JP2016/051934
Authority: WO
Inventors: 惠市岩村
Original assignee: 学校法人東京理科大学
Priority date: 2015-02-12
Filing date: 2016-01-22
Publication date: 2016-08-18
Also published as: JPWO2016129363A1

Abstract

Distributed values of concealed secret information are obtained from secret information by concealing the secret information. A combined value α is generated from random numbers α₁ to α_k, which are k or more items of secret information (42). The combined value α is multiplied by new secret information a to generate concealed secret information αa, and distributed values Wa'(x_i) of the concealed secret information, and distributed values Wa₁(x_i) to Wa_k(x_i) of each of the random numbers, which are the k or more items of secret information, are calculated (44). The distributed values Wa'(x_i) and Wa₁(x_i) to Wa_k(x_i) are transmitted to first to nth servers (46). The distributed values Wa'(x_i) of the concealed secret information α_a, obtained by concealing the secret information α₁ to α_k, can be obtained from the secret information α₁ to α_k.

Description

A computing device for a secret computation system using secret sharing

The present invention relates to a calculation apparatus related to a secret calculation system using secret sharing.

In recent years, cloud computing has attracted attention as a new network technology. With cloud computing, users' data is distributed and stored in a virtual large-capacity storage consisting of multiple servers on the network called the cloud, and the user accesses the data from anywhere via the network as needed. It is a technology that makes it possible. Furthermore, in order to make effective use of stored data, it is not only simply storing data, but also a technology that realizes a secret calculation that performs arbitrary calculations while concealing individual data using data distributed and stored in the cloud Is required.

The use of the secret sharing method is attracting attention as one of the technologies for realizing this secret calculation. The secret sharing method is a technique in which one piece of secret information is distributed into n pieces, and the original secret information can be restored by collecting k pieces (k ≦ n) of the distributed values distributed into n pieces. Also, no information about secret information can be obtained from less than k variance values. As this secret sharing method, the (k, n) secret sharing method by Shamir is well known. A conventional secret sharing system including Shamir's (k, n) secret sharing method includes n data servers that store the distributed values and a dealer that distributes the secret information or a restoration terminal that restores the secret information. In other words, when the secret is shared, the owner asks the dealer to distribute the secret information he owns, and the dealer calculates the n distributed values using the secret sharing method and distributes the values to each of the n data servers. store. In general, a dealer exists only when secrets are shared. On the other hand, a user who wishes to restore collects the distributed values for the secret information to be restored from the k data servers and restores them. This restoration terminal also generally exists only at the time of data restoration.

Specifically, Shamir's (k, n) secret sharing scheme sets k-1 degree polynomials as in equation (1) (s is secret information, a 1 to a k-1 are random numbers), and n W (xj) when the ID of each of the servers is xj (j = 1,..., N) is stored in each server and used as a distributed value. This k−1 degree polynomial can be solved (the secret information s is obtained) if k variance values W (x1),..., W (xk) are collected. On the other hand, if the variance is less than k, the solution is indefinite and cannot be determined at all.
W (x) = s + a1x + a2x ² +… + ak-1x ^k-1 (1)

Furthermore, for the two secrets a and b, two distributed values Wa (xj) (Equation (2)) and Wb (xj) (Equation (3)) were distributed and stored in n servers ( When j = 1,..., n), the addition of the dispersion values (formula (4)) is considered.
Wa (xj) = a + a1xj + a2xj ² +… + ak-1xj ^k-1 (2)
Wb (xj) = b + b1xj + b2xj ² +… + bk-1xj ^k-1 (3)
Wa (xj) + Wb (xj) = (a + b) + (a1 + b1) xj + (a2 + b2) xj ² + ... + (ak-1 + bk-1) xj ^k-1 (4)

In this case, equation (4), which is the addition result, is also expressed by a k−1 degree polynomial, so that k, the sums Wa (xj) + Wb (xj) of the variance values are collected to solve the polynomial a, The sum of secret information a + b is obtained instead of individual information b. Similarly for multiplication, the constant term of the product of Wa (xj) and Wb (xj) is a product of secret informations a and b, so if you calculate the product of variance values and solve the polynomial, the secret The product of information comrades is obtained [1]. In this way, a calculation that obtains a result such as a sum or product without obtaining individual information a and b is called a secret calculation, and it is known that the secret sharing method can be applied to the secret calculation with respect to addition / subtraction and multiplication. However, it is known that the following problems are unsolved in the secret calculation using secret sharing.

(I) The problem that the number of servers required only for multiplication changes The result of multiplication of k-1 degree polynomials is a 2k-2 degree polynomial. Therefore, in order to solve the polynomial (each coefficient is obtained), 2k-1 variance values are required, and there arises a problem that the number of variance values to be collected increases only in the case of multiplication. That is, when one shared value is stored in one server in the (k, n) secret sharing method, if there are k servers, restoration of secret information and concealment addition / subtraction are possible. Requires 2k-1 servers, and the number of servers required for restoration increases only in the case of multiplication. For example, in the case of (3,5) secret sharing method and (2,3) secret sharing method, it is only necessary to collect three and two shared values for restoration and addition / subtraction of secret information. If two or one of these servers breaks, there is no problem. However, when (3,5) secret sharing method or (2,3) secret sharing method is used for multiplication, 2k-1 = 5 servers and 2k-1 = 3 servers are required, respectively. Therefore, although multiplication can be realized, damage to one server is not allowed. Also, when using the (3,4) secret sharing method, there is no problem in restoring and adding / subtracting secret information, but 2k-1 = 5 shared values are required for multiplication, so a system composed of four servers Then multiplication cannot be realized. That is, it is necessary to change the system configuration or change the damage resistance only in the case of multiplication. Therefore, if there is a method that can perform multiplication without changing the degree of the polynomial, these problems can be solved. [2] has been proposed as a multiplication method without changing the number of servers. In this method, as described below, one server has two distributed values, one distributed value is concealed, multiplication is performed, and then random numbers are deleted, so that it is not necessary to change the number of servers.

Secret multiplication [2]
[dispersion]
(1) The owner A having the secret information a generates a random number α and secretly distributes the following for the server xi (i = 1,..., N) (ai and j are random numbers).
Wa (xi) = a + a0,1xi + ... + a0, k-1xi ^k-1
Wa '(n + xi) = α (a + a0,1 (n + xi) + ··· + a0, k-1 (n + xi) k-1)
Wa1 (xi) = α + a1,1xi + ・・・ + a1, k-1xik-1

(2) Owner B having the secret information b generates a random number β and secretly distributes the following for the server xi (i = 1,..., N).
Wb (xi) = b + b0,1xi + ··· + b0, k-1xi k-1
Wb '(n + xi) = β (b + b0,1 (n + xi) + ... + b0, k-1 (n + xi) ^k-1 )
Wb1 (xi) = β + b1,1xi + ・・・ + b1, k-1xi ^k-1

[Multiplication]
Each server calculates Wab (xi) = Wa (xi) Wb (xi) and Wab ′ (xi) = Wa ′ (n + xi) Wb ′ (n + xi) (i = 1,..., N).
[Restore]
(1) The server j (j = 1,..., K) sends Wab (xj), Wab ′ (xj), Wa1 (xj), Wb1 (xj) to the restorer.
(2) The restoring terminal of the restoring person restores α from Wa1 (xj), β from Wb1 (xj), and divides Wab ′ (xj) by α and β to create Wab (n + xj).
(3) The restorer's restoration terminal restores ab using 2k-1 variance values from Wab (xj) and Wab (n + xj).

[2] is safe against external attackers. However, it is not safe if an attacker from the inside, that is, a restorer who can know only the operation result of ab becomes an attacker to know the original secret information a and b itself. Because the restorer knows α and β separately in [Restore] (2), if the restorer eavesdrops on the server, if k / 2 servers are eavesdropped, the k distributed values of a and Since k distributed values of b are obtained, the original secret information is leaked. Therefore, when an attacker who knows nothing about the confidential calculation to the attacker and a restorer who knows the calculation result become an attacker to know the secret information that is the original information of the calculation result There are two types. For the latter attacker, [2] proposes the following countermeasures in which each server changes the transmission information by exchanging random numbers rj and qj at the time of restoration. Hereinafter, an attacker refers to an attacker from the outside, and when referring to the latter attacker, the name “restorer” is used as it is. The external attacker cannot leak the calculation result, but the latter is in a position to know the calculation result.

[Restore]
(1) Each server j (j = 1,..., N) generates one random number rj and qj and exchanges them to generate r = r1... Rn, q = q1. .
(2) The server j (j = 1,..., K) sends Wab (xj) and Wab ′ (xj) to rq, Wa1 (xj) to r, and Wb1 (xj) to q and sends it to the restorer.
(3) The restorer's restoration terminal restores rα from r ・ Wa1 (xj), qβ from q ・ Wb1 (xj), divides Wab '(xj) by rα and rβ, and then Wab (n + xj) create.
(4) The restorer's restoration terminal restores ab using 2k-1 variance values from Wab (xj) and Wab (n + xj).

In this method, if the restorer can eavesdrop only on the distributed value storage other than [multiplication] or [restoration] processing in the above-mentioned secret multiplication, it depends on the k distributed values that the restorer eavesdropped on save. Since the correspondence between the random number and the random number obtained at the time of [restoration] is different, the original secret information cannot be restored. However, if the restorer can eavesdrop on a single server during [Restore], all servers will know r and q. Therefore, by dividing the restored rα and qβ by r and q, α and β can be obtained separately. Therefore, the restorer can still obtain the secret information a and b, which is not safe. Therefore, the method [2] allows multiplication without changing the number of servers in the (k, n) secret sharing method, but if the restorer is an attacker, the secret information itself is leaked, which is not safe. Therefore, in the (k, n) secret sharing method, it can be said that there is no method that does not change the number of servers and does not leak secret information. In addition, this method does not take into account (III) the problem related to the continuation of the secret calculation described later. That is, if one server has two distributed values and one is kept secret, the degree conversion described below cannot be applied and continuous calculation cannot be performed. Further, the problem relating to the division of (II) is not considered at all. Furthermore, the reduction of the dispersion value of (VI) and the speeding up by the multi-value method of (VII) are not considered.

(II) Problems related to division Next, consider division. By multiplying (2) and (3) above, a variance value having a · b in the constant term can be created, but even if (2) is divided by (3), a variance value having b / a in the constant term is obtained. Absent. That is, it is known that it is difficult to achieve a division between secret information using a variance value, and at least not the same method as multiplication. Therefore, it is necessary to prepare a special means for division in the conventional method and the method [2]. Therefore, if the division can be realized by the same means as the multiplication, the efficiency of the secret calculation can be realized.

(III) Problems Concerning Concealment Calculation Continuation Consider the above-described concealment calculation continuation. As an example, a polynomial b (x) having secret information a as a constant term, a polynomial Wb (x) having secret information b as a constant term, and a polynomial Wc (x) having secret information c as a constant term, a · b When calculating a product-sum operation of + c, generally, multiplication of Wa (x) Wb (x) is first performed, and then addition of Wa (x) Wb (x) + Wc (x) is continuously performed. In this case, if the order of each polynomial is k-1 order, the order of Wa (x) Wb (x) is 2k-2, so the addition with k-1 order Wc (x) is consistent. not good. If possible, it is desirable to convert Wa (x) Wb (x) into a k-1 order polynomial and add it to Wc (x). For this, the following order conversion methods are known for product polynomials [1]. Here, for simplicity, a case where a 2k-order polynomial is converted to a k-order polynomial is shown. Here, h (x) is a 2k degree polynomial, and f (x) and g (x) are k degree polynomials. Furthermore, the variance of h (x) for n servers is W = (W1, W2,..., Wn).
h (x) = h0 + h1x + ... + h2kx ^2k
Wi = h (xi) = f (xi) g (xi) (i = 1, ..., n)

That is, h (x), which is the multiplication result of f (x) g (x), can be solved if there are 2k Wis. Here, if a polynomial composed of coefficients up to the kth order of h (x) is h ′ (x) and its variance is Ri, W = (W1, W2,..., Wn) and R = (R1, R2,..., Rn) have a relationship of R = W · A. However, xi is a server ID and B and P are defined below.
h '(x) = h0 + h1x + ... + hkx ^k
Ri = h '(xi)

A is a pre-computable matrix that does not contain secret information. If A is known, R can be obtained by multiplying W by A. That is, since the i-th server i (i = 1,..., N) has Wi obtained as a variance value of h (x) as a multiplication result, multiply the Wi by A, that is, , Ri (i = 1,..., N), which is a new dispersion value, is obtained. Since this variance value Ri is a variance value for a k-1 order polynomial h '(x) having the same constant term as h (x), it can be solved if there are k.

Therefore, a and b can be restored by collecting k variance values from R. That is, if f (x) = Wa (x) and g (x) = Wb (x), h (x) = Wa (x) Wb (x), but (7) or (8) Can be converted to h ′ (x) = Wa (x) Wb (x) having the lower half order of h (x), and R is a variance value of h ′ (x). Therefore, k dispersion values for Wa (x) Wb (x) + Wc (x) can be obtained by adding k dispersion values for Wc (x) to k dispersion values for R. However, when the Wis distributed to n servers are collected in one device for the calculation of (8), and that device performs the calculation of Eq. (8) for each i (the calculation of W · A), If the device is wiretapped, the multiplication result ab may be leaked. Also, server i sends Ri = Wi · aii, which is aii multiplied by its own distributed value Wi, to the next server, and next server i + 1 multiplies its own Wi + 1 by ai + 1, i Ri = Wi ・ aii + Wi + 1 ・ ai + 1, i = Ri + Wi + 1 ・ ai + 1, i is calculated by adding to the sent value, and further sent to the next server i + 2, If you go through all the servers, you can get Ri for server i. However, even at this time, if the attacker eavesdrops on one server, all Wi (i = 1,..., N) can be obtained as follows. For example, if the attacker is eavesdropping on the server i + 1, the attacker knows the variance value Wi + 1 that the server i + 1 originally has. Next, Wi is obtained by dividing Wi · aii sent from server i by known aii. Next, if Wi-1 ・ ai-1, i + 1 + Wi ・ ai, i + 1 comes, Wi is obtained, so Wi in combination with known ai-1, i + 1 and ai, i + 1 Get -1. By repeating this, the attacker can obtain all Wi (i = 1, ..., n). Therefore, the attacker can obtain ab as a calculation result by using the obtained n variance values. There is a problem that ab, which is an intermediate result in a product calculation of ab + c, leaks to an attacker other than the restorer. Therefore, when performing multiplication and addition continuously as in the product-sum operation, in addition to making the algorithm capable of continuous operation, it is important to conceal the intermediate result and connect to the next operation.

(IV) Problems related to confidential search (I) to (III) are problems related to the confidential calculation including the confidential multiplication. As described above, the confidential information is distributed and stored in the large-capacity storage as a distributed value. When the user accesses the distributed value via the network, the following problem relating to search also occurs. For example, suppose that an application that performs accounting processing of a company is used, and the above secret sharing method is used in order to conceal the amount related to the deposit and withdrawal. In other words, company employee A secretly distributes the deposits and withdrawals generated in his / her business to n servers of the company, and the company uses the variance value for deposits and withdrawals from all employees to calculate the total and average Suppose you are calculating and managing variances. In this case, the n servers need to store the date and time when the amount of money is generated as a search ID together with the variance value of the amount related to deposit and withdrawal. Thus, for example, if employee A wants to confirm deposits and withdrawals at a certain date and time, and sends that date to k servers as the search ID, each server searches the corresponding distributed value using that search ID and sends it to employee A. Employee A can restore it and check the amount information. In addition, when using a secret calculation of the application, if a certain period is specified, the application collects the distributed values in the period as the search ID, the sum of the amount in the period, the average value, Various statistical values such as variance can be calculated without the server knowing the amount of money, which is confidential information, and can be communicated to the accounting staff of the company. However, conversely, it is not possible to perform a search by specifying an amount and specifying the date and time when the amount occurred. For example, only the amount of money generated by employee A is stored, and even if an attempt is made to search for the date and time when it occurred, the amount is secretly shared, so if the distribution value is not known, the search ID cannot be reversed. . Furthermore, even when searching for an amount from the date and time, the date and time information is not concealed, so the server can know which date and time information is being searched. That is, when the company A outsources a server system for data storage, the outsourcing destination company can know the date on which an important transaction was made in the company A (the day that is often searched). On the other hand, if the date and time of the search ID are encrypted and stored, the server does not know when the date and time of the data is being searched, but only the encrypted user can search the amount. In the case of monetary data related to corporate transactions, the data is considered to be accessed by multiple people, but in this case, the encryption key used for encryption needs to be shared by multiple people, reducing security To do. Therefore, there is a need for a mechanism that does not allow the server to know what the user is searching for, and can search for a secret value shared without sharing special information such as an encryption key. Also, since the secret information and the search ID may be searched for each other, it is desirable that the distributed value of the search ID has the same form as long as the distributed value of the secret information can be concealed. .

(V) Problems related to secret update of distributed value Furthermore, when a system that can implement secret calculation and secret search by secret sharing can be realized on the network, updating the information stored in the system improves safety. This is another big challenge that needs to be done. That is, when a system consisting of n servers is configured on the network, the secret information is safe even if there is information leakage (unauthorized access) up to k-1 by the secret sharing method, but k-1 If there is information leakage below the table, if it is left as it is, if it continues to be attacked, there is a possibility that k items of information will be leaked sometime. Therefore, safety can be maintained if the stored information can be updated regularly or whenever the information is used. Specifically, if the random numbers a 1 to a k-1 can be updated to new random numbers without changing the secret information s of the distributed values stored in the form (1), the distributed values leaked by the previous unauthorized access Can be disabled. Also, when increasing the threshold value k in equation (1) in order to improve security, the order of the polynomial and the random number must be changed without changing the secret information s. Furthermore, it is necessary to update the distributed value when the secret information s itself is changed every time it is used. As a self-evident method, it is conceivable that the system once collects k variance values, restores the secret information s, and creates a new polynomial for redistribution. Since the secret information s is restored, the security is lowered. On the other hand, although [3] is known for updating the variance value, this method is not efficient because nk servers perform restoration processing of difference information of variance values. Furthermore, since the nk servers know the difference information necessary for updating all the servers, if one of the nk servers is wiretapped, the update values of the other servers are leaked and the safety is lowered. Therefore, there is a need for a method that can efficiently update the variance value without reducing the safety. Also, the conventional method is an update method that assumes the case where the secret information and each coefficient are not concealed, that is, the distributed value is not concealed, and the secret information and each coefficient shown in the embodiment described later are concealed. However, there is no known update method in the case where the variance value is concealed. Therefore, an update method that can be applied to a concealed distributed value is desired.

(VI) Problems concerning miniaturization of storage capacity Since the secret sharing method distributes one secret information to n pieces, a large storage capacity is required. In order to reduce the storage capacity, the (k, L, n) ramp-type secret sharing method that reduces the size of the shared information and the (k, n) asymmetric secret sharing method that reduces the number of shared information [4 ] Is known. While the ramp-type secret sharing method achieves the largest reduction in storage capacity, the restoration of secret information can be performed if there are k servers, so if companies providing servers collect information on k servers, etc. The secret information can be restored regardless of the intention of the user who is the owner of the secret information. On the other hand, asymmetric secret sharing has the feature of reducing the storage capacity and allowing users to participate in the restoration of secret information. Secret information is not restored unless the user participates. Play a role. Therefore, if a secret calculation, a secret search, and a secret update having the features (I) to (V) described above can be realized with respect to the ramp-type secret sharing method and the asymmetric secret sharing, the same effect can be obtained for the secret calculation of personal information. Expected to bring. Furthermore, a combination of these methods is not considered, and an optimum miniaturization can be expected by the combination.

(VII) Problem of speeding up processing The above description is based on Shamir's (k, n) secret sharing method. However, the Shamir method requires processing of polynomial synthesis and polynomial solving, and processing is not efficient. On the other hand, a method (hereinafter referred to as XOR method) that performs (k, n) secret sharing at high speed using only XOR operation without performing polynomial processing is also known. However, since the XOR method treats secret information as a bit string, an operation that treats secret information as a numerical value, that is, a secret operation, cannot be realized. Therefore, in the present invention, the XOR method is extended so that secret information is handled as a numerical value instead of a bit string, so that a secret calculation can be performed. However, a method for performing secret addition by treating secret information of the XOR method as a numerical value instead of a bit string has already been proposed [5], but secret multiplication is not proposed. Since the XOR method extension method (hereinafter referred to as the multi-value method) can restore the secret information only by adding and subtracting the variance value, the calculation can be performed at a higher speed than the Shamir method that requires solving the polynomial. Therefore, regarding the XOR method expansion method, if a secret operation, a secret search, and a secret update having the features (I) to (V) can be realized, a very efficient process can be realized.

(VIII) It is important to realize a technique suitable for the (k, n) secret sharing method that realizes all of the above characteristics due to problems related to comprehensive secret sharing and secret calculation. In particular, a ramp-type secret sharing method for the XOR method has been proposed, but a ramp-type secret sharing method corresponding to a multilevel method that extends the XOR method has not been proposed. In addition, a combination of the asymmetric secret sharing method and the multilevel method, a combination of the asymmetric secret sharing method and the ramp type secret sharing method, and a combination of the asymmetric secret sharing method and the ramp type secret sharing method of the multilevel method have not been proposed. Furthermore, there is no proposal for a concealment operation using them. In particular, the combination of the asymmetric secret sharing method and the multilevel method, the asymmetric secret sharing method and the ramp type secret sharing method, and the combination of the asymmetric secret sharing method and the ramp type secret sharing method corresponding to the multilevel method reduce the storage capacity. And high speed at the same time.

As one aspect, the purpose is to solve any of the above problems.

In order to achieve the above object, according to the first aspect of the present invention, n is an integer, k is an integer of n or less, L is an integer of 1 to k, and secret information is distributed into n, k of n Secret information can be recovered by collecting the distributed values of the secret information, and a computing device for calculating the distributed value in a system that performs a secret operation using means that cannot recover the secret information if kL or less, and k or more secret information Means for calculating each variance value, means for generating a composite value from the k or more pieces of secret information, and means for generating concealed secret information obtained by applying the composite value to new secret information. Prepare.

In the invention of claim 2, n is an integer, k is an integer of n or less, L is an integer of 1 to k, secret information is distributed to n, and k of the n distributed values can be collected. A computing device that performs a secret operation in a system that performs a secret operation using means that can restore secret information and cannot restore the secret information with kL or less,
The distributed value of the first partial random number, which is one of a plurality of random numbers constituting the first random number used for the first concealment secret information, and the second used for the second concealment secret information. Means for collecting a variance value of a second partial random number that is one of a plurality of random numbers constituting a random number of 2, and restoring the first partial random number and the second partial random number;
Means for synthesizing the restored first partial random number and second partial random number;
A computing device comprising:

In the invention according to claim 3, n is an integer, k is an integer of n or less, L is an integer of 1 to k, secret information is distributed to n, and k of the n distributed values can be collected. A computing device that performs a secret operation in a system that performs a secret operation using means that cannot restore secret information if kL or less, and is concealed using k or more random numbers Means for restoring the concealed secret information, and means for performing a predetermined calculation based on the restored concealed secret information and other values.

In the invention according to claim 4, n is an integer, k is an integer of n or less, L is an integer of 1 to k, the secret information is distributed to n, and k of the n distributed values can be collected. A computing device that restores secret information in a system that performs secret computation using means that cannot restore secret information if kL or less, and is concealed using k or more random numbers Means for restoring the concealed secret information, means for combining the random numbers, and means for releasing the concealment of the restored secret information using the combined random numbers.

In the invention of claim 5, n is an integer, k is an integer of n or less, L is an integer of 1 to k, secret information is distributed to n pieces, and k of the n distributed values can be collected. A computing device that performs a secret operation in a system that performs a secret operation using means that cannot restore secret information if kL or less, and is concealed using k or more random numbers Means for converting the first synthesized random number by combining the first synthesized random number in the confidential information and the k or more random numbers constituting the second synthesized random number.

In the invention according to claim 6, n is an integer, k is an integer of n or less, L is an integer of 1 to k, secret information is distributed to n pieces, and k of the n distributed values can be collected. Is a computing device that performs a secret operation in a system that performs a secret operation using means that cannot restore secret information with k−L or less, and it is possible to restore another concealment value to a non-confidential distributed value. There is provided means for concealing by applying k or more random numbers constituting the structured secret information.

In the invention according to claim 7, n is an integer, k is an integer of n or less, L is an integer of 1 to k, secret information is distributed to n pieces, and k of the n distributed values can be collected. A computing device that calculates a distributed value in a system that performs a secret operation using means that can restore secret information and cannot restore secret information with k−L or less, and conceals a plurality of new secret information to Means for calculating a variance value of the plurality of variance values, and means for designating the arrangement order of each of the plurality of variance values in accordance with a predetermined arrangement order of the plurality of new secret information before the concealment .

In the invention according to claim 8, n is an integer, k is an integer of n or less, L is an integer of 1 to k, secret information is distributed to n, and k of the n distributed values can be collected. A computer that specifies secret information to be searched in a system that performs a secret calculation using means that cannot restore secret information with kL or less pieces, and allows a random number to act on the search secret information. Means for concealing, and means for applying the random number to a value received from the system.

The invention according to claim 9 is such that n is an integer, k is an integer of n or less, L is an integer of 1 to k, and secret information is distributed to n, and k of the n distributed values can be collected. A computing device that retrieves secret information designated in a system that performs a ciphering operation using means that cannot restore secret information when kL or less, and the first information corresponding to the secret information. The search secret information is concealed with the first random number, the inputted second search secret information is concealed with the second random number, and the concealed first search secret Based on the difference between the first value based on information and the second value based on the concealed second search secret information, the first search secret information and the second search secret Means for obtaining a difference from the information.

The invention according to claim 10 is such that n is an integer, k is an integer of n or less, L is an integer of 1 to k, and secret information is distributed to n, and k distributed values of n can be collected. A computing device that updates a distributed value in a system that performs a secret operation using a means that can restore secret information and cannot restore secret information with kL or less, and is obtained by concealing secret information with a random number. A means for generating a new random number for the distributed value and storing the generated new random number as a new distributed value is provided.

The invention according to claim 11 is such that n is an integer, k is an integer of n or less, L is an integer of 1 to k, the secret information is distributed to n, and k of the n distributed values can be collected. A computing device that updates a distributed value in a system that performs a secret operation using means that cannot restore secret information with kL or less, and obtains secret information from k or more correction information. Means for calculating an update value to be updated are provided.

The invention according to claim 12 is such that n is an integer, k is an integer of n or less, L is an integer of 1 to k, and secret information is distributed to n, and k distributed values of n can be collected. A calculation device for calculating a distributed value in a system that performs a secret calculation using means that cannot restore secret information with kL or less, and generates h (1 to k−1) Integer) random numbers are defined as variance values, and n−h variance values are calculated based on the h variance values and the secret information, and a composite value is obtained from k or more secret information. Means for generating, and means for calculating concealed secret information obtained by applying the combined value to new secret information.

The invention according to claim 13 is such that n is an integer, k is an integer of n or less, L is an integer of 1 to k, the secret information is distributed to n, and k of the n distributed values can be collected. A computing device that calculates a distributed value in a system that performs a secret operation using means that cannot restore secret information if kL or less, and the secret information is a numerical value of e-adic and d digits A means for dividing the secret information into L (n-1) divisions to obtain numerical values of e-adic d / L (n-1) digits, and for the distribution, restoration, and concealment of the secret information converted into the numerical values. At least one,

Means for performing only addition and subtraction without decomposing multiplication and division into addition and subtraction, using a larger prime number as a modulus.

In the invention described in claim 14, n is an integer, k is an integer of n or less, L is an integer of 1 to k, and secret information is distributed to n, and k of the n distributed values can be collected. A computing device that performs a secret calculation or restoration in a system that performs a secret calculation using a means that can restore secret information and cannot restore secret information below k−L, and is concealed and divided into a plurality of digits Means for performing a predetermined calculation in accordance with the digit of the concealment secret information is provided.

The invention according to claim 15 is such that n is an integer, k is an integer of n or less, L is an integer of 1 to k, the secret information is distributed to n, and k of the n distributed values can be collected. A computing device that performs a ciphering operation in a system that performs a ciphering operation using means that cannot restore the secret information with k−L or less, wherein the secret information is an integer less than or equal to p1, and a random number is p2 A computing device comprising means for secretly sharing or decrypting the secret information of p1 * p2 or less multiplied by the following integers using a prime number larger than p1 * p2 as a modulus.

In the invention according to claim 16, n is an integer, k is an integer smaller than n, L is an integer not less than 1 and not more than k, the secret information is distributed into n pieces, and k pieces of distributed values among n pieces can be collected. Is a computing device that performs secret computation or restoration in a system that performs secret computation using means that cannot restore secret information with kL or less, and that conceals secret information by adding random numbers Means for adding / subtracting the secret information and the distributed value obtained by secretly distributing the random number.
The invention according to claim 17 is such that n is an integer, k is an integer of n or less, L is an integer of 1 to k, and secret information is distributed to n, and k distributed values of n can be collected. A computing device that searches for a storage location of system secret information that performs a ciphering operation using means that cannot restore secret information with kL or less pieces. Means for obtaining the difference between the two search secret information, and means for determining the storage position according to the difference.
In the invention of claim 18, n is an integer, k is an integer of n or less, L is an integer of 1 to k, the secret information is distributed to n, and k of the n distributed values can be collected. A calculation device that updates secret information in a system that performs a secret calculation using means that cannot restore secret information with kL or less, and a predetermined value is set in a distributed value of the secret information. Means for multiplying the first random number and adding a predetermined second random number are provided.

The present invention can perform multiplication safely without changing the number of necessary servers.
In the present invention, division can be realized by means similar to multiplication.
The present invention can realize a continuous secret calculation without contradiction.
The present invention can realize, for example, a bidirectional search from the search ID to the secret information and from the secret information to the search ID.
The present invention can update the variance value efficiently and safely.
The present invention can realize a reduction in storage capacity.
The present invention can realize high-speed processing.
According to the present invention, it is possible to reduce the storage capacity and increase the processing speed.

1 is a diagram showing a system according to first to tenth embodiments. FIG. It is a block diagram which shows the structure of 12 A of 1st dealer apparatuses. It is a flowchart which shows a distributed processing program. It is a figure which shows the distributed value of each server. It is a flowchart which shows a distributed processing program. It is a figure which shows the distributed value of each server. 10 is a flowchart showing an αa restoration / transmission processing program. It is a figure which shows the content of the decompression | restoration / transmission process of FIG. (A) is a flowchart which shows a multiplication process program, (B) is a figure which shows the distributed value of each server. It is a flowchart which shows the decompression _| restoration / calculation / transmission processing program of (alpha) _{j (} beta) _j . It is a figure which shows the content of the decompression | restoration / calculation / transmission process of FIG. It is a flowchart which shows a multiplication result acquisition process program. It is a figure which shows the content of the multiplication result acquisition process of FIG. It is a flowchart which shows a distributed processing program. It is a figure which shows the distributed value of each server. It is a flowchart which shows the decompression | restoration / transmission process program of (gamma) c. It is a figure which shows the content of the decompression | restoration / transmission process of (gamma) c of FIG. (A) is a flowchart which shows a multiplication process program, (B) is a figure which shows the distributed value of each server. It is a flowchart which shows the decompression _| restoration / calculation / transmission processing program of (alpha) _{j (} beta) _{j (} gamma) _j . It is a figure which shows the content of the decompression _| restoration / calculation / transmission process of (alpha) _{j (} beta) _{j (} gamma) _j of FIG. It is a flowchart which shows a multiplication result acquisition process program. It is a figure which shows the content of the multiplication result acquisition process of FIG. It is a flowchart which shows a distributed processing program. It is a flowchart which shows a distributed processing program. It is a flowchart which shows the decompression _| restoration / transmission processing program of (alpha) _{j (} beta) _j . It is a flowchart which shows a restoration process program. It is a flowchart which shows the transmission processing program of (alpha) (beta) ab. (A) is a flowchart which shows a division processing program, (B) is a figure which shows the distributed value of each server. It is a flowchart which shows the decompression _| restoration / calculation / transmission processing program of (alpha) _j / (beta) _j . It is a figure which shows the content of the decompression _| restoration / calculation / transmission process of (alpha) _j / (beta) _j of FIG. It is a flowchart which shows a division result acquisition process program. It is a figure which shows the content of the division result acquisition process of FIG. (A) is a flowchart which shows a division processing program, (B) is a figure which shows the distributed value of each server. It is a flowchart which shows the decompression _| restoration / calculation / transmission processing program of (alpha) _{j (} beta) _j . It is a figure which shows the content of the decompression _| restoration / calculation / transmission process of (alpha) _{j (} beta) _j of FIG. It is a flowchart which shows a multiplication result acquisition process program. It is a figure which shows the content of the multiplication result acquisition process of FIG. It is a flowchart which shows the decompression _| restoration / calculation / transmission processing program of (beta) _j / (alpha) _j . It is a figure which shows the content of the decompression _| restoration / calculation / transmission process of (beta) _j / (alpha) _j of FIG. It is a flowchart which shows the calculation / transmission processing program of (beta) _j / (alpha) _j . (A) is a flowchart which shows the calculation / transmission processing program of βa, βb, and (B) is a diagram showing the contents of the calculation / transmission processing of βa, βb. It is a flowchart which shows a product-sum processing program. It is a flowchart which shows a restoration process program. It is a flowchart which shows a multiplication process program. It is a flowchart which shows the decompression _| restoration / transmission processing program of (alpha) _{j (} beta) _j . It is a flowchart which shows a restoration process program. It is a flowchart which shows a distributed processing program. It is a flowchart which shows a distributed processing program. It is a flowchart which shows a multiplication process program. It is a flowchart which shows an order conversion process program. It is a flowchart which shows the calculation transmission process program of (alpha) (beta). It is a flowchart illustrating a decompression transmitting program of r _j g _j. It is a flowchart which shows a restoration process program. Is a flowchart showing the calculation and transmission processing program U _i. It is a flowchart which shows the calculation / transmission processing program of _Wj '. It is a flowchart which shows the storage processing program of a new dispersion value. It is a flowchart which shows the production | generation / transmission process program of (delta) _i . It is a flowchart which shows an update process program. It is a flowchart which shows an update process program. (A) is a flowchart showing an update processing program, and (B) is a flowchart showing a restoration processing program. (A) is a flowchart showing a distributed processing program, and (B) is a flowchart showing a restoration processing program. It is a flowchart which shows a distributed processing program. (A), which exhibit (B), the storage state of the dispersion values stored in the first server 14X ₁ storage device 34. It is a flowchart which shows a search processing program. It is a flowchart showing the calculation and transmission processing program distribution value F _j '(x _i). Is a flowchart showing the calculation and transmission processing program of the difference t _j. It is a flowchart showing the calculation and transmission processing program distribution value Fu (x _i). It is a flowchart showing the calculation and transmission processing program distribution value Fo (x _i). It is a flowchart which shows the calculation / transmission processing program of a difference. It is a flowchart which shows a search processing program. It is a flowchart which shows a distributed processing program. It is a flowchart which shows a multiplication process program. It is a flowchart which shows a multiplication process program. It is a flowchart which shows the calculation and transmission processing program of (alpha) _{j (} beta) _j . It is a flowchart which shows a restoration process program. It is a flowchart which shows a restoration process program. It is a flowchart which shows a product-sum process and a restoration process program. It is a flowchart which shows a secret multiplication (multiplication and decompression | restoration) processing program. It is a flowchart which shows the calculation / transmission processing program of a dispersion value. It is a flowchart which shows the calculation / transmission processing program of a difference. It is a flowchart which shows a search processing program. It is a flowchart which shows a distributed processing program. It is a flowchart which shows a distributed processing program. It is a flowchart which shows a restoration process program. It is a flowchart which shows a restoration process program. (A) is a flow chart showing a distributed processing program, (B) is a diagram showing a storage state of the dispersion values stored in the first server 14X ₁ storage device 34. It is a flowchart which shows the instruction | indication processing program of j. It is a flowchart showing the calculation transmitting program of F _j '(xi). It is a flowchart which shows a search processing program. It is a flowchart which shows a distributed processing program. It is a flowchart which shows a restoration process program. It is a flowchart which shows a restoration process program. It is a flowchart which shows a distributed processing program. It is a flowchart which shows a distributed processing program. It is a flowchart which shows the calculation transmission processing program of (alpha) _{j (} beta) _j .

<First Embodiment>
(overall structure)
First, the overall configuration of the first to tenth embodiments will be described.
Consider the system shown in FIG. 1 that performs distributed storage of secret information, secret calculation, secret search, and secret update using the (k, n) secret sharing method. The system includes a plurality of dealer devices that distribute secret information. FIG. 1 shows an example in which three dealer devices, that is, a first dealer device 12A, a second dealer device 12B, and a third dealer device 12C are provided. The system also has n servers that independently store the distributed n distributed values, ie, the first server 14x ₁ , the second server 14x ₂ ,. A server 14x _n (hereinafter also referred to as a server system) is provided. Further, the system includes a restoration device 16 that restores the secret information or the result of the secret calculation. In FIG. 1, only one restoration device 16 is shown, but a plurality of restoration devices 16 may be provided. Even when a plurality of restoration devices 16 are provided, each restoration device 16 performs the following processing. The system may also include a search server 18. The first dealer device 12A to the third dealer device 12C, the first server 14x ₁ to the nth server 14x _n , and the restoration device 16 are connected via a network 10 such as the Internet. Are connected to each other. In contrast, the search server 18, networks - without using the click 10, the first service - are directly connected to each of the bar 14x _n - bar 14x ₁ ~ the n number of service.

The first dealer device 12A to the third dealer device 12C, the first server 14x ₁ to the nth server 14x _n , the restoration device 16, and the search server 18 have the same configuration. Hereinafter, the configuration of the first dealer device 12A will be described, and description of other devices will be omitted.

FIG. 2 is a block diagram showing a configuration of the first dealer apparatus 12A. As shown in FIG. 2, the first dealer device 12 </ b> A includes a CPU 22, a ROM 24, and a RAM 26. The first dealer 12 </ b> A includes a display device 30, an input device 32, a storage device 34, and an interface (I / F) 36. These devices are connected to each other via a bus 28. The interface (I / F) 36 is connected to the network 10. Note that the interface (I / F) 36 of the search server 18 is not connected to the network 10, and is the interface (I / F) 36 of the first server 14 x ₁ to the n-th server 14 x _n. It is connected to the. The ROM 24 stores a program for each process described later.

The owner having the secret information operates the first dealer device 12A to the third dealer device 12C. A user (restorer) who can know the calculation result operates the restoration device 16. The first server 14x ₁ to the n-th server 14x _n accept only communication from a valid owner or a restorer, and reject unauthorized communication. Further, the communication between the first dealer device 12A to the third dealer device 12C and the first server 14x ₁ to the nth server 14x _n and the restoration device 16 is a secure communication path by encryption or the like. Has been built. Generally, each owner or restorer has the first dealer device 12A to the third dealer device 12C and the restoration device 16 individually. The first dealer device 12A to the third dealer device 12C may be provided as an input port of the server system, and the restoration device 16 may be provided as an output port of the server system.

First, the secret search function of the system shown in FIG. 1 will be described. Consider the case where the owner uses the first dealer device. The owner calculates the distributed value of his / her secret information by the first dealer 12A, and stores the distributed value in the area of each server assigned to himself / herself. However, each distributed value is stored in the server system together with identification data for searching for it, that is, a search ID or a distributed value related to the search ID.

When performing a secret search, the owner distributes the search IDs using the method described in the sixth embodiment. A legitimate restorer who wishes to search and restore information shows the search ID to the restoration device 16, and the restoration device 16 sends the corresponding information to the server system using the method described in the sixth embodiment. The server system transmits the secret information distributed value corresponding to the sent information to the restoration device 16, and if there is no secret information distributed value, informs that there is no secret information distributed value. . The restoration device 16 that has obtained the distributed value of the secret information corresponding to the search ID then restores the secret information or the result of the secret calculation. Here, the system performs the confidential search shown in the sixth embodiment. However, since the system has a plurality of functions, when the function of the confidential search is not required, the function of the confidential search is not used. You can also search for.

Next, a secret calculation function for secretly performing calculation including addition / subtraction / division / division in the system of FIG. 1 will be described. When the restorer indicates the computation target and the computation method for the computation target by the search ID (or its conditional expression) to the restoration device 16, the restoration device 16 uses the above-described secret search function (the normal search function when the secret search is not used). The search ID is concealed using () to obtain a distributed value to be calculated and stored in the server system corresponding to the ID. The server system performs a secret calculation on the specified operation using it, and obtains a variance value of the final result. The restoration device 16 that obtained the variance value of the final result restores it to obtain the final result. In the first to fourth embodiments, each of the dealer apparatus and the server system for the secret multiplication method, the secret division method, and the continuous secret calculation method (including the secret addition method and the secret subtraction method) according to the present invention. A process performed by the restoration device 16 will be described. However, in the present invention, the server system is mainly responsible for the secret operation, but the restoration device 16 or each dealer device may cooperate with the secret operation. Generally, the concealment calculation is performed on the secret information. However, if it is performed on the search ID, the conditional expression concealment calculation based on the search ID is performed. Therefore, this secret calculation function is also used when calculating the conditional expression while keeping the search ID secret. However, when only functions such as secret search and secret update are to be used, this secret calculation function is not used and a normal calculation function is provided.

Also, the server system of FIG. 1 has a secret update function for stored information that is performed periodically or at a predetermined timing such as when a distributed value for certain secret information is used. In the fifth embodiment, an updating method for various cases will be described. However, this function may not be used if secret update is not performed.

Further, the first to sixth embodiments will be described by taking Shamir's (k, n) secret sharing scheme as an example. In the seventh embodiment, while reducing the storage capacity, A technique for simultaneously reducing the storage capacity and the calculation amount is shown for the asymmetric secret sharing method that performs secret search, secret calculation, and secret update. That is, the present invention is effective for the asymmetric secret sharing method. However, the overall configuration is the same as in FIG.

Compared to the ramp-type secret sharing method, which reduces the storage capacity in a manner different from the asymmetric secret sharing method in the eighth embodiment, the secret search and the secret are performed while simultaneously reducing the storage capacity and the calculation amount. A method for calculating and updating confidentiality is shown. That is, the present invention is also effective for the lamp-type secret sharing method. However, the overall configuration is the same as in FIG.

Furthermore, in the ninth embodiment, the secret information is handled as a bit string, the secret information is distributed and restored only by XOR (k, n), and the secret sharing method is extended to handle the secret information as a numerical value (multi-valued) Method). By using this, the calculation amount is reduced, and it is shown that the secret search, secret search, and secret update functions of the first to sixth embodiments can be performed at high speed. That is, it shows that the present invention is also effective for the multilevel method. However, the overall configuration is the same as in FIG.

Finally, the tenth embodiment shows that the proposal of the present invention is effective for a method combining the asymmetric secret sharing method and the multi-value method or the ramp-type multi-value method. As a result, a system (first embodiment) in which the functions shown in the first to sixth embodiments can be performed in a small size and at high speed is realized, and the effectiveness of the present invention is shown.

(Specific contents of the first embodiment)
The secret multiplication method that does not change the threshold k with respect to the Shamir (k, n) secret sharing method is shown below. The first dealer device 12A has secret information a, and the second dealer device 12B has secret information b. Hereinafter, a case where the multiplication result of a · b is obtained while a and b are kept secret will be described.
As a prerequisite, random number generation and not including 0, first sub - server 14x ₁ ~ the n number of sub - Bas 14x _n identification data - _x 1 ~ _{x n} is the public is (mackerel ID) It is a value, that is, another device stores each server ID. Further, a and b are integers less than or equal to a prime number p, and an operation is q (> p ^u , u is an integer greater than or equal to 1. However, if p is originally large, p = q may be used). For values that exceed, this is done using a modulo operation that takes the remainder. Random numbers such as α _i and β _i (i = 1,..., k) are integers equal to or less than the prime number q. Furthermore, even if the parameter is a real number, it can be handled as an integer by doing the following. First, let's assume that real numbers have a decimal place. For example, in the case of up to the second decimal place, if it is multiplied by 100, it can be handled as an integer. Therefore, when a real number is secretly shared, the real number is carried and represented as an integer (this is called an integer representation of a real number). It is assumed that the decimal point position is stored separately or predetermined according to regulations. Therefore, the sum of integer representations of real numbers can be handled in the same way as the sum of integers, and the decimal point position does not change. On the other hand, the product of integer representations of real numbers can be handled in the same way as the product of integers, but the decimal point position changes. For example, when calculating the product of real numbers having the second decimal place, the real number having the fourth decimal place is obtained. As described above, when all the real numbers are determined to have a decimal place, the third decimal place is rounded down or rounded off, and the product is also a second decimal place real number. In this way, adjusting the decimal point position according to the definition of the decimal point position and returning it to a real number is called realization. In general, a real number has a fixed-point representation and a floating-point representation on a computer. However, since these are representations only, both of them can be handled if the above rules are defined. The above premise is common to all the embodiments.

(Concealment multiplication 1 (basic form))
Hereinafter, the secret multiplication 1 (basic form) will be described. The concealment multiplication 1 (basic form) is executed by each process of distribution, multiplication, and restoration.
[dispersion]
First, dispersion (secret sharing) will be described with reference to FIGS.
The CPU 22 of the first dealer apparatus 12A executes the distributed value processing shown in FIG.
In step 42, k random numbers α _i are generated, and a product α = α ₁ · α ₂ ... Α _k is calculated.
In step 44, the following variance values are calculated.
Wa ′ (x _i ) = α (a + a _0,1 x _i +... + A _{0, k−1} x _i ^k−1 )
Wa1 (x _i ) = α ₁ + a _1,1 x _i +... + A _{1, k−1} x _i ^k−1
:
Wak (x _i ) = α _k + a _{k, 1} x _i +... + A _{k, k−1} x _i ^k−1
However, a _{h, j} (h = 0,..., K, j = 1,..., K−1) is a random number, and x _i is a server ID (i = 1, ..., n).

In step 46, the dispersion values Wa ′ (x _i ) to Wak (x _i ) are transmitted to the _first server 14x ₁ to the n-th server 14x _n .
When n = 4 and k = 3, the dispersion values Wa ′ (x _i ) to Wak (x _i ) of the _first server 14x ₁ to the nth server 14x _n are as shown in FIG. is there.

The CPU 22 of the second dealer apparatus 12B executes the distributed processing shown in FIG.
In step 52, k random numbers β _i are generated, and the product β = β ₁ · β ₂ ... Β _k is calculated.
In step 54, the following variance values are calculated.
Wb ′ (x _i ) = β (b + b _0,1 x _i +... + B _{0, k−1} x _i ^k−1 )
Wb ₁ (x _i ) = β ₁ + b _1,1 x _i +... + B _{1, k−1} x _i ^k−1
:
Wb _k (x _i ) = β _k + b _{k, 1} x _i +... + B _{k, k−1} x _i ^k−1
_{However, b h, j (h =} 0, ···, k, j = 1, ···, k-1) is a random number, _{x i} difference - server ID (i = 1, ..., n)

In step 56, the dispersion values Wb ′ (x _i ) to Wb _k (x _i ) are transmitted to the _first server 14x ₁ to the n-th server 14x _n .
Assuming that n = 4 and k = 3, the dispersion values Wb ′ (x _i ) to Wb _k (x _i ) of the _first server 14x ₁ to the nth server 14x _n are as shown in FIG. It is.

[Multiplication]
Next, multiplication will be described with reference to FIGS.
Sa - in server system, for example, predetermined 1 Tsunosa - server, for example, the first sub - CPU 22 of server 14x ₁ executes the decompression process of transmitting αa shown in FIG. Step 62 of FIG. 7 (see also FIG. 8) collects Wa ′ (x _i ) _k from its own server 14x ₁ and other servers 14x ₂ to 14x _k , and restores αa in Step 64. In step 66, αa is transmitted to other servers participating in the operation, for example, all other servers 14x ₂ to 14x _n . This is shown in FIG.

Sa - server j (j = 1, ..., n), for example, each of the CPU22 of all the servers (server 14x _n of first server 14x ₁ ~ No. n) is a multiplication process shown in FIG. 9 (A) Execute. That is, in step 68, the following Wab ′ (x _j ) is generated by multiplying αa sent to Wb ′ (x _j ) of the user.
Wab ′ (x _j ) = αβa (b + b _0,1 x _j +... + B _{0, k−1} x _j ^k−1 )
Wab ′ (x ₁ ) to Wab ′ (x ₄ ) in the first server 14x ₁ to the fourth server 14x ₄ when n = 4 and k = 3 are as shown in FIG. 9B. .

[Restore]
Next, restoration will be described with reference to FIGS.
The servers j participating in the restoration (j = 1,..., K), that is, for example, the CPUs 22 of the _first server 14x ₁ to the kth server 14x _k determined in advance, Ten α _j β _j are restored, calculated, and transmitted. That is, in step 72 (see also FIG. 11), Wa _j (x _i ) and Wb _j (x _i ) corresponding to the designated j are collected (i = 1,..., K), and in step 74 α _j And β _j are restored one by one. In Figure 11, the first sub - server 14x ₁ restores the alpha ₁ and beta ₁ and j = 1 is specified, the second sub - server 14x ₂ is j = 2 is designated by alpha ₂ and beta ₂ restore, third sub - server 14x ₃ restores the alpha ₃ and beta ₃ is specified j = 3.

In step 76 (see also FIG. 11), the product α _j β _j is calculated, and in step 78 Wab ′ (x _j ) and α _j β _j are transmitted to the restoration device 16. In FIG. 11, the first server 14x ₁ has Wab ′ (x ₁ ) and α ₁ β ₁ , the second server 14x ₂ has Wab ′ (x ₂ ) and α ₂ β ₂ , and the third Sa - server 14x ₃ transmits Wab 'a (x ₃₎ and the alpha ₃ beta ₃ to restore device 16. Therefore, in the above example, the data shown in FIG.

The CPU 22 of the restoration device 16 executes the multiplication result acquisition process of FIG. That is, in step 82 (see also FIG. 13), αβab is restored from k Wab ′ (x _j ).
In step 84 (see also FIG. 13), αβ is synthesized from α _j β _j (j = 1,..., K), and in step 86 (see also FIG. 13), αβab is divided by αβ to obtain ab. .

The first feature of the above calculation will be described. First, as shown in claim 1, k random numbers α _i and β _i (i = 1,..., K) are individually obtained in steps 42 (FIG. 3) and step 52 (FIG. 5) of [dispersion]. After the generation, the variance value is calculated in step 44 (FIG. 3) and step 54 (FIG. 5), and distributed in step 46 (FIG. 3) and step 56 (FIG. 5). As shown in claim 2, one random number is restored for each server in [Restore] step 74 (FIG. 10), and the product is calculated and transmitted to the restorer 16 in steps 76 to 78 of FIG. To do. Thus, if the random numbers of all the servers are not known, the combined value α or β cannot be known. In other words, α and β cannot be individually restored even if eavesdropping on k−1 servers. Therefore, αa to a or βb to b are not known.

Next, the second feature of the above calculation will be described. As shown in claim 1, the secret information is distributed by applying a composite value in steps 44 to 46 (FIG. 3) and steps 54 to 56 (FIG. 5) of [distribution], and as shown in claim 3, Multiplication] is restored once in steps 62 to 64 (FIG. 7), and calculation is performed using the restored values in step 76 (FIG. 10). This enables multiplication without changing the order k−1 of the variance value.

The third feature is that, as shown in claim 4, in steps 82 to 86 of FIG. 12 in [restoration], the operation result (αβab) concealed from the variance value Wab ′ (x _i ) is restored and synthesized. The point is that it is divided by αβ.

In the above, for the sake of simplicity, in Step 44 (FIG. 3) and Step 54 (FIG. 5) of [Dispersion], the concealment dispersion values such as the dispersion values Wa ′ (x _i ) and Wb ′ (x _i ) are Although a random number is applied to the distributed value, it may be secretly distributed by applying a random number to the secret information.

In step 64 (FIG. 7) of Multiply, is service - in the server 14x _d, the example has a first server 14x ₁ restores the .alpha.a, multiple service - to restore the .alpha.a in bar, It may be transmitted to a server other than the restored server. When αa is restored on all servers, it is not necessary to transmit the value of αa to other servers. Furthermore, service - server 14x _d other service - was a convey αa the server, if the k stand participating in restoration is determined, at least that k stand service - may tell the server. Further, βb may be restored instead of αa.

In step 72 (FIG. 10) of [Restore], the server j collects Waj (x _i ) and Wbj (x _i ) corresponding to the designated j. It may be determined as follows. For example, j may be defined as 1, 2,..., K according to the ascending order of the server IDs participating, or may be determined in descending order. Also, each server may determine its own j value in the order from the earliest.

In step 78 of FIG. 10 of [Restore], each server sends α _j β _j to the restorer, and the restoration device 16 restores αβ in step 82 of FIG. . That is, for example, in step 78 of FIG. 10, the server 14x ₁ repeatedly sends α ₁ β ₁ to the server 14x ₂ , and the server 14x ₂ repeats sending α ₂ β ₂ to the next server, so that the last server Restore αβ at 14x _k . Thereafter, the server 14x _k transmits αβ to the other servers, and each server calculates Wab ′ (x _i ) / αβ. In this case, in step 82 in FIG. 12, the restoring device 16 collects Wab ′ (x _i ) / αβ from k servers and restores ab, and steps 84 and 86 are omitted. Also, each server sends α _j β _j to the search server instead of the restorer, the search server restores αβ and returns it to each server, and each server calculates Wab ′ (x _i ) / αβ, and the result May be sent to the restorer.

In step 68 of FIG. 9 Multiply, server 14x _d is Wb '(x _i) gathering restore the .beta.b, it may be sent to restore device 16 to calculate the αβab over the .alpha.a. In that case, step 82 of FIG. 12 in [Restore] is deleted.

In addition, k random numbers αi and the like are generated and each server decodes one of them, but k or more random numbers may be generated, and each server may restore and combine a plurality of random numbers. . For example, t · k random numbers are generated in Step 42 of FIG. 3 of [Distribution], and the product α is calculated using q as a modulus. In Step 74 of FIG. The random numbers are restored and multiplied in step 76.
The same applies to the following embodiments.

(Concealment multiplication 2 (repetition))
Next, a case where abc is calculated by repeating multiplication will be described. A case where addition is performed after multiplication is shown in the third embodiment.
[dispersion]
In [Distribution], it is assumed that a and b are distributed in the same manner as the secret multiplication 1. That is, the first dealer apparatus 12A and the second dealer apparatus 12B execute the distributed processing of FIGS. 3 and 5, respectively.
The CPU 22 of the third dealer apparatus 12C executes the distributed processing of FIG. That is, in step 92, k random numbers γi are generated, and the product γ = γ1, γ2,.

In step 94, the following variance values are calculated.
Wc ′ (x _i ) = γ (c + c _0,1 x _i +... + C _{0, k−1} x _i ^k−1 )
Wc1 (x _i ) = γ1 + c _1,1 x _i +... + C _{1, k−1} x _i ^k−1
:
Wck (x _i ) = γk + c _{k, 1} x _i +... + C _{k, k−1} x _i ^k−1
In step 96, the dispersion values Wc ′ (x _i ) to Wck (x _i ) are transmitted to the n _first servers 14x ₁ to the n th server 14x _n .
In the case of n = 4, k = 3, the dispersion value _{Wc '(x i) ~ Wck} (x i) is as shown in FIG. 15.

[Multiplication]
The processing (FIGS. 7, 9) of the concealed multipliers 1 running, to calculate the Wab _{'(x i).}
Predetermined service - server, for example, the first sub - CPU 22 of server 14x ₁ executes the decompression process of transmitting γc in FIG. That is, at step 102 (see also FIG. 16), k Wc ′ (x _j ) are collected, γc is restored at step 104 (also see FIG. 16), and γc is restored at step 106 (see also FIG. 16). Send to other servers. In the above example, γc is transmitted to the servers 14x ₂ to 14x ₄ . This is shown in FIG.

The CPU 22 of each server 14x ₁ to 14x _n executes the multiplication process of FIG. That is, in Step 108, Wabc ′ (x _j ) is generated by multiplying the Wab ′ (x _j ) of the user by γc.
Wabc ′ (x _j ) = αβγc (ab + ab _0,1 x _i +... + Ab _{0, k−1} x _i ^k−1 )
When n = 4 and k = 3, Wabc ′ (x ₁ ) to Wabc ′ (x ₄ ) in the first server 14x ₁ to the fourth server 14x ₄ are as shown in FIG.

[Restore]
A predetermined server j (j = 1,..., K) participating in the restoration, that is, for example, the CPU 22 of each of the first server 14x ₁ to the kth server 14x _k is represented by α _{j in} FIG. β _j γj is restored, calculated, and transmitted. That is, in step 112, Waj (x _i ), Wbj (x _i ), Wcj (x _i ) (i = 1,..., K) corresponding to the designated j are collected (n = 4, k = 3 See also FIG. 20 for an example of the case). In step 114, α _j ^, β _j ^{, and} γ _j are restored one by one per server. In step 116, the product α _j β _j γj is calculated, and in step 118, Wabc ′ (x _j ) and α _j β _j γj are transmitted to the restoration device 16.

The CPU 22 of the restoration device 16 executes the multiplication result acquisition process of FIG. That is, in step 122 (see also FIG. 22), to restore the αβγabc of k WABC _{'(x j),} at step 124 (see FIG. _{_{22), α j β j γj (}} j = 1, ··· , k) to synthesize αβγ, and in step 126 (see also FIG. 22), αβγabc is divided by α _j β _j γj (j = 1,..., k) to obtain abc.

From the above, it can be understood that the repetition of the secret multiplication can be realized with a slight modification on the basis of the [multiplication] of the secret multiplication 1. Further, since Wab ′ (x _i ) obtained by the [multiplication] process of the secret multiplication 1 is still subjected to a random number, the result is not leaked until restoration is performed.

From the above, it can be said that this embodiment is effective for concealment multiplication and its repetition.

Also, when a real number is targeted, secret sharing is performed for the decimal point position, and the process of shifting the decimal point can be executed as a secret calculation. For example, when all decimal point positions are the second decimal place, as described above, the decimal point position does not change by addition / subtraction, and the decimal point position changes only by multiplication / division. However, since the change of the decimal point position can be calculated by addition and subtraction, the secret-distributed decimal point position may be added secretly. That is, when the number A to the second decimal place and the number B to the third decimal place are multiplied, the number is the fifth decimal place, a = 2 representing the decimal point position of A, and b representing the decimal point position of B Obviously, if the secret sharing is performed on = 3 and the secret addition is performed, a dispersion value of 5 representing the sum is obtained.

Therefore, the real number-based concealment multiplication is shown below. The flow of processing is almost the same as the secret multiplication 1, but the following secret multiplication 3 is shown in order to understand the details corresponding to the real number. However, when a real number is targeted, secret information and random numbers are real numbers as follows, and all operations other than the secret sharing part are performed by real number calculation without using q as a modulus. That is, if a and b, random numbers α _i , β _i (i = 1,..., K) and α in [dispersion] are converted to integers, real numbers (α _i , β _i are not p but less than p) However, here, it is set to p or less including the decimal point position), and if αa and βb are converted to integers, they are real numbers that are less than or equal to the prime number q. Thus, Dispersion] dispersion of αi and beta _i are secret sharing in was dispersed by an integer the modulo p, variance of αa and βb are secret sharing with integer modulo q. In this case, the restoration process of α _i and β _i in [Restore] is performed with p as the modulus, and the restoration process of αa and βb is performed with the modulus of q, but the restored α _i , β _i , α, β Related operations are not modulo q, but are calculated as real numbers. In this case, βb is restored in addition to αa, and then a real number is calculated.

The added processing is to secretly distribute the value indicating the decimal point position in [Distribution] and to calculate the new decimal point position by performing the secret addition as described above in [Multiplication].

Secret multiplication 3 (real number correspondence)
[dispersion]
The CPU 22 of the first dealer apparatus 12A having the secret information a (real number) executes the distributed processing shown in FIG. That, CPU 22 of the first dealer apparatus 12A in step 101, generates k pieces of random number alpha _i as a real number to a real number calculation that product _{_{α = α 1 · α 2 ···}} α k. The random number α _i is expressed as a real number having a predetermined decimal point position.

In step 103, the CPU 22 of the first dealer apparatus 12A calculates the following variance value. However, a, α _i (i = 1,..., K), and α are real numbers having a predetermined decimal point position that can be expressed by an integer equal to or less than p if expressed as an integer. α = α ₁ · α ₂ · · · α _k is shifted by the rounding method, but for simplicity here, α is calculated α ₁ · α ₂ ... α _k , then adjust the decimal point position Then. That is, for example, if all parameters are real numbers with 2 decimal places, α will have 2k decimal place, but the decimal place will be adjusted and rounded off or rounded off to 2 decimal places and expressed as an integer. For example, an integer less than or equal to p In addition, if αa is expressed as an integer, αa is expressed as an integer as a real number with a fixed decimal point position that can be expressed as an integer less than or equal to q (here, the second decimal place), and the following variance is calculated using prime number q as the modulus To do. Also, α _i (i = 1,..., K) is also an integer less than or equal to p, and the following is calculated using p as a modulus. Further, a value d ₁ (an integer less than or equal to p) representing the decimal point position of αi and a value d3 representing the decimal point position of αa are also secretly distributed using p as a modulus.
Wa ′ (x _i ) = α (a + a _0,1 x _i +... + A _{0, k−1} x _i ^k−1 )
Wa ₁ (x _i ) = α ₁ + a _1,1 x _i +... + A _{1, k−1} x _i ^k−1
:
Wa _k (x _i ) = α _k + a _{k, 1} x _i +... + _{Ak, k−1} x _i ^k−1
Wd ₁ (x _i ) = d ₁ + d _1,1 x _i +... + D _{1, k−1} x _i ^k−1
Wd ₃ (x _i ) = d ₃ + d _3,1 x _i +... + D _{3, k−1} x _i ^k−1
However, a _{h, j} and d _{1, j} , d _{3, j} (h = 0,..., K, j = 1,..., K−1) are random numbers (integers), and x _i is a service. ID (i = 1, ..., n)

In step 105, the data are transmitted to the _first server 14x ₁ to the nth server 14x _n .

The CPU 22 of the second dealer apparatus 12B of the owner B having the secret information b (real number) executes the distributed processing shown in FIG. That is, in step 111, k random numbers β _i are generated as real numbers, and the product β = β ₁ · β ₂ ... Β _k is calculated as a real number. Let β _i be represented as a real number with a fixed decimal point position.

In step 113, the following variance value is calculated. In this case, if b, βi, and β are expressed as integers, they are real numbers having a predetermined decimal point position that can be expressed by an integer less than or equal to p. If βb is expressed as an integer, a real number having a predetermined decimal point position that can be expressed as an integer less than or equal to q The following variance value is calculated by expressing βb as an integer and modulo the prime number q. Also, β _i (i = 1,..., K) is also an integer less than or equal to p, and the following is calculated using p as a modulus. Further, the value d ₂ (integer of p or less) representing the decimal point position of βi and the value d4 representing the decimal point position of βba are also secretly distributed using p as a modulus.
Wb ′ (x _i ) = β (b + b _0,1 x _i +... + B _{0, k−1} x _i ^k−1 )
Wb ₁ (x _i ) = β ₁ + b _1,1 x _i +... + B _{1, k−1} x _i ^k−1
:
Wb _k (x _i ) = β _k + b _{k, 1} x _i +... + B _{k, k−1} x _i ^k−1
Wd ₂ (x _i ) = d ₂ + d _2,1 x _i +... + D _{2, k−1} x _i ^k−1
Wd ₄ (x _i ) = d ₄ + d _4,1 x _i +... + D _{4, k−1} x _i ^k−1
However, b _{h, j} and _{_{d 2, j, d 4,}} j (h = 0, ···, k, j = 1, ···, k-1) is a random number, _{x i} is Sa - server ID ( i = 1, ..., n)

In step 115, the data is transmitted to the _first server 14x ₁ to the n-th server 14x _n .

[Restore]
The servers participating in the restoration, for example, the CPUs 22 of the first server 14x ₁ to the k-th server 14x _k determined in advance, execute the restoration / transmission processing of α _j β _j shown in FIG. . That is, in step 121, Wa _j (x _j ) and Wb _j (x _j ) corresponding to the designated j are collected from the server corresponding to j, and in step 123, α _j and β _j are modulo prime p. Restore one by one. In step 125, α _j β _j is calculated as a real number using α _{j and} β _j converted to real numbers, and the calculated α _j β _j is transmitted to the restoring device 16 in step 127.

The CPU 22 of the restoration device 16 executes the restoration process shown in FIG. That is, in step _{_{131, α j β j (j}} = 1, ..., k) receives, at step 133, by multiplying the alpha _j beta _j in real operation to calculate the .alpha..beta. If necessary, the following processing is performed.

Each server calculates Wd1 (xi) + Wd3 (xi) and sends it to the restoration device.
The restoration device restores Wd1 (xi) + Wd3 (xi), knows the decimal point position of αβ from the value obtained by multiplying it by k, and adjusts the decimal point position of αβ.

The CPU 22 of the _first server x ₁ executes αβab transmission processing shown in FIG. That is, in step 141, k corresponding Wa ′ (x _i ) are collected from each server, and in step 143, αa is restored modulo the prime number q. In step 145, k corresponding Wb ′ (x _i ) are collected from each server, and in step 147, βb is restored modulo the prime number q. In step 149, αβab is calculated as a real number, and in step 151, αβab is transmitted to the restoration device 16. If necessary, the following processing is performed.

Each server calculates Wd2 (xi) + Wd4 (xi) and sends it to the restoration device.
The restoration device restores Wd2 (xi) + Wd4 (xi), knows the decimal point position of αβab from the value, and adjusts the decimal point position of αβab.

The restoration device 16 receives αβab at step 135 in FIG. 26, and obtains ab by dividing by αβ at step 137.

The above feature is that if a and α are expressed as integers, they are real numbers of p or less, and if αa is expressed as an integer, they are real numbers of q or less. For example, when p = 11 and q = 127, and α and a are integers, α and a are limited to a combination of 7 and 3 if αa = 21. However, if α and a are real numbers with 1 decimal point and αa is real number with 0 decimal point, even if αa = 21, (α, a) is (7.1,2.9), ( 6.9,3.0), ..., (1.1,19.1), ..., (30.0,0.7), ..., etc., and various combinations exist, making it unspecified. Therefore, when α and a are integers, limiting the combination of α and a by preventing the random number α from being an integer equal to or less than q, but if α and a are real numbers, α and a are less than p, By making αa less than or equal to q, both secret sharing and real number calculation are made compatible. Therefore, it can be said that it is safe to disclose αa and βb. This feature is indicated in claim 15.
In the above, the value representing the decimal point position is also secretly distributed and the decimal point position of the calculation result is adjusted. For example, when the decimal point position is fixed to a certain value, the distributed value representing the decimal point position and the secret calculation can be omitted. For example, if all parameters are defined as real numbers with the second decimal place, it is clear that the decimal point position of αβ is 2k and the decimal point position of αβab is 4 in the above algorithm.

The concealment multiplication can be realized by the concealment multiplication 1 regardless of an integer or a real number. However, as described in the second embodiment, concealment division cannot be realized only by making concealment multiplication 1 correspond to division (concealment division 1). Therefore, the secret multiplication 3 is for making the secret multiplication and the secret division the same form (corresponding to the secret division 3). The feature will be described in the second embodiment.
The same applies to the following embodiments.

<Second Embodiment>
Next, a case in which concealment division is performed will be described. Here, consider a case where the secret information b held by the second dealer apparatus 12B is divided by the secret information a held by the first dealer apparatus 12A, that is, b / a is calculated.
(Concealment division 1 (basic form))
First, the secret division 1 (basic form) will be described. The concealment division 1 (basic form) is executed by processing of distribution, division, and restoration.
[dispersion]
Since the distribution of the concealment division 1 (basic form) is the same as the distribution processing of the concealment multiplication 1 (FIGS. 3 and 5), the description thereof is omitted.
[division]
Next, division will be described. A certain server 14x _d , for example, the CPU 22 of the predetermined _first server 14x1, executes the restoration / transmission processing of αa shown in FIG. 7 (see also FIG. 8). Specifically, k Wa ′ (x _i ) are collected (step 62), αa is restored (step 64), and αa is distributed to other servers (step 66).

Each server j (j = 1,..., N), that is, each CPU 22 of the first server 14x ₁ to the n-th server 14x _n executes the division process shown in FIG. To do. That is, in step 128, Wb ′ (x _j ) that it owns is divided by αa to generate Wab ′ (x _j ).
Wab ′ (x _j ) = (β / αa) (b + b _0,1 x _j +... + B0, k−1x _j ^k−1 )
n = 4. Wab ′ (x _j ) in the first server 14x ₁ to the fourth server 14x ₄ in the case of k = 3 is as shown in FIG.

[Restore]
Next, restoration will be described.
The servers j (j = 1,..., K) participating in the restoration, that is, for example, each CPU 22 of the first server 14x ₁ to the kth server 14x _k restores β _j / α _{j in} FIG.・ Calculation / transmission processing is executed. That is, in step 132 (see also FIG. 30), Wa _j (x _i ) and Wb _j (x _i ) (i = 1,..., K) corresponding to j specified in advance are collected, and step 134 (FIG. 30) is collected. Also, α _j and β _j are restored one by one per server.

In step 136 (see also FIG. 30), the quotient β _j / α _j is calculated, and in step 138 (see also FIG. 30), Wab ′ (x _j ) and β _j / α _j are transmitted to the restoration device 16.
When n = 4 and k = 3, the data shown in FIG. 30 is transmitted to the restoration device 16 by the above processing.

The CPU 22 of the restoring device 16 of the restoring person executes the division result acquisition process of FIG. That is, in step 142 (see also FIG. 32), βb / αa is restored from k Wab ′ (x _j ), and in step 144 (see also FIG. 32), β _j / α _j (j = 1,... , k) to synthesize β / α. In step 146 (also see FIG. 32), βb / αa is divided by β / α to obtain b / a.

From the above, it can be understood that the concealment division can be realized by a process very similar to the concealment multiplication. Thus, the variance is expressed in claim 1. The second aspect is the same as the second aspect, but specifically, the method of “synthesize the restored first partial random number and the second partial random number” is different. That is, α _j β _j is synthesized from α _j and β _j in the secret multiplication, but β _j / α _j is synthesized in the secret division. Claim 3 is also the same, but the specific calculation to be performed is different. Claim 4 is also the same, but specifically, the random numbers to be combined are different.

However, in the above, each server calculates β _j / α _j in step 136 and sends it to the restoration device in step 138, but calculates α _j / β _j in step 136 and sends it to the restoration device in step 138. In step 144, the restoration device may synthesize α / β from α _j / β _j , and in step 146, α / β may be multiplied by βb / αa to obtain b / a.

(Confidential division 2 (repetition))
Next, secret division 2 (repetition) will be described. In secrecy division 2 (repetition), secrecy division by secret information c is continued. In this case, it can be executed by making the following changes in [Multiplication] and [Restoration] of the secret multiplication 2 of the first embodiment.

[dispersion]
Since the distribution in the secrecy division 2 (repetition) is the same as the distribution process of the secrecy multiplication 2 (FIGS. 3, 5, and 14), description thereof is omitted.
[division]
The CPU 22 (A) of each of the servers 14x ₁ to 14x _n executes the division process shown in FIG. 23 (A) to calculate Wab ′ (x _i ) (FIG. 23 (B)).

Further, there is Sa - server, for example, the first sub - CPU 22 of server 14x ₁ executes the decompression distributed processing of γc shown in FIG. 16 described above. That is, k pieces of Wc ′ (x _j ) are collected (step 102), γc is restored (step 104), and γc is transmitted to another server (step 106) (see also FIG. 17).

The server j (j = 1,..., N), that is, for example, the CPUs 22 of the first server 14x ₁ to the nth server 14x _n execute the division process of FIG. To do. That is, in step 148, Wabc _'(x j) for generating a Wab that I have' _{(x j)} obtained by dividing by Wabc _{'(x j)} with γc = (β / αaγc) ( b +

b

0,1 x i + · .. + b _{0, k-1} x _i ^k-1 )
FIG. 33B shows Wabc ′ (x ₁ ) to Wabc ′ (x ₄ ) of the first server 14x ₁ to the fourth server 14x ₄ when n = 4 and k = 3. .

[Restore]
The servers participating in the restoration, for example, the CPUs 22 of the servers 14x ₁ to 14x _k determined in advance, execute the restoration / calculation / transmission processing of α _j β _j in FIG. That is, in step 152 (see also FIG. 35), Waj (x _i ), Wbj (x _i ), Wcj (x _i ) corresponding to the designated j are collected (i = 1,..., K), and step 154 is performed. in (see FIG. 35 also), 1 Sa - server per alpha _^j, .beta.j, restoring one at a .gamma.j.

In step 156 (see also FIG. 35), β _j / α _j γj is calculated, and in step 158, Wabc ′ (x _j ) and β _j / α _j γj are transmitted to the restoration device 16.

Through the above processing, each data shown in FIG. 35 is transmitted to the restoration device 16.

The CPU 22 of the restoration device 16 executes the multiplication result acquisition process of FIG. That is, at step 162 (see also FIG. 37), (β / αγ) (b / ac) is restored from k Wabc ′ (x _j ), and at step 164 (see also FIG. 37), β / αγ is restored. In step 166 (see also FIG. 37), (β / αγ) (b / ac) is divided by β / αγ to obtain b / ac.
It is clear that the same extension is possible in the case of continuous combination of concealment division and multiplication.

(Concealment division 3 (corresponding to real number))
Next, the secret division when the parameter is a real number will be described. As described above, addition / subtraction and multiplication can be handled by expressing a real number as an integer and setting a parameter corresponding to the prime number p or q.

In the above secret division 1, when b / a is always divisible, there is no problem as described above. However, when b / a is not divisible, the secret division 1 cannot be used unless the real number is supported (when the prime number q is modulo, the value is different from the actual quotient because it is always divisible). Therefore, it is as follows. As described in the secret multiplication 3, a, b, α, and β are also real numbers, and the integer values are set to be equal to or less than the prime number p. In the following, the decimal point position is fixed and the processing related to the decimal point position is omitted.

[dispersion]
The CPU 22 of the first dealer 12A having the secret information a (real number) executes the distributed processing shown in FIG. That is, the CPU 22 of the first dealer 12A generates k random numbers α _i as real numbers and calculates the product α = α ₁ · α ₂ ... Α _k (step 42). The random number α _i is expressed as a real number having a predetermined decimal point position.

The CPU 22 of the first dealer 12A calculates the following variance value at step 44 in FIG. In this case, if a and α are expressed as integers, they are real numbers with a fixed decimal point position that can be expressed by integers less than or equal to p, αa is calculated as a real number, αa is expressed as an integer, and the following variance is modulo prime number q. calculate. Also, α _i (i = 1,..., K) is also an integer less than or equal to p, and the following is calculated using p as a modulus.
Wa ′ (x _i ) = α (a + a _0,1 x _i +... + A _{0, k−1} x _i ^k−1 )
Wa1 (x _i ) = α ₁ + a _1,1 x _i +... + A _{1, k−1} x _i ^k−1
:
Wak (x _i ) = α _k + _{ak, 1} x _i +... + _{Ak, k−1} x _i ^k−1
_{However, a h, j (h =} 0, ···, k, j = 1, ···, k-1) is a random number (integer), _{x i} difference - server ID (i = 1, ..., n )

In step 46 of FIG. 3, the data is transmitted to the _first server 14x ₁ to the nth server 14x _n .

The CPU 22 of the second dealer apparatus 12B of the owner B having the secret information b (real number) generates k random numbers β _i as real numbers in step 52 of FIG. 5, and the product β = β ₁ · β ₂ ... Β _k is a real number calculation. Let β _i be represented as a real number with a fixed decimal point position.
In step 54, the following variance values are calculated. In this case, if b and β are expressed as integers, they are real numbers having a predetermined decimal point position that can be expressed by an integer less than or equal to p. Calculate Also, β _i (i = 1,..., K) is also an integer less than or equal to p, and the following is calculated using p as a modulus.
Wb ′ (x _i ) = β (b + b _0,1 x _i +... + B _{0, k−1} x _i ^k−1 )
Wb1 (x _i ) = β ₁ + b _1,1 x _i +... + B _{1, k−1} x _i ^k−1
:
Wbk (x _i ) = β _k + b _{k, 1} x _i +... + B _{k, k−1} x _i ^k−1
_{However, bh, j (h = 0} , ···, k, j = 1, ···, k-1) is a random number, _{x i} difference - server ID (i = 1, ..., n)
In step 56, the data is transmitted to the _first server 14x ₁ to the n-th server 14x _n .

[Restore]
The servers participating in the restoration, for example, the CPUs 22 of the first server 14x ₁ to the k-th server 14x _k determined in advance execute the restoration / transmission process of β _j / α _{j in} FIG. . That is, in step 172 (see also FIG. 39), Wa _j (x _j ) and Wb _j (x _j ) corresponding to the designated _j are collected, and in step 174 (see also FIG. 39), α _j and β _j Are restored one by one using the prime number q as the modulus. In step 176 (see also FIG. 39), a real number q is calculated from β _j / α _j using realized α _j and β _j , and the calculated β _j / α _j is calculated in step 178 (see also FIG. 39). The data is transmitted to the restoration device 16.

The CPU 22 of the restoration device 16 executes β / α calculation / transmission processing of FIG. That is, in Step 182, β / α is calculated by multiplying β _j / α _j (j = 1,..., K) by a real number calculation.

The CPU 22 of the _first server x ₁ collects k Wa ′ (x _i ) and restores αa modulo the prime number q in step 192 of FIG. 41A (see also FIG. 41B). To do. In step 94, k Wb ′ (x _i ) are collected and βb is restored using the prime number q as the modulus. In step 196, βb / αa is calculated as a real number, and in step 198, βb / αa is transmitted to the restoration device 16.

The restoration device 16 receives βb / αa in step 186 in FIG. 40, and in step 188 divides βb / αa by β / α to obtain b / a.

The characteristics of secrecy division 3 (corresponding to real numbers) are as follows. In secret multiplication 1 or secret division 1, the random number α that acts on the secret information a (an integer less than or equal to p) is an integer that is less than or equal to q (a prime number greater than p ² ) that performs the modulo operation. Therefore, αa which is the confidential information is different from the actual value. However, as a result, the confidential information αa is randomized and becomes secure. Thereafter, αβab is calculated by multiplication, but this value is also different from the actual value. When deleting a random number, αβab is divided by αjβj, but the value of αjβj is also a legal operation and is different from the actual value. However, since the operation of dividing αβab by αjβj is also performed using q as the modulus, αβ is correctly removed and the resulting ab is correctly restored. Therefore, the above-described concealment multiplication and concealment division are not executed correctly unless the operation is modulo q. Therefore, in the secret multiplication 1 and the secret division 1, calculations are performed modulo q to the end. However, in the case of division, as mentioned above, division b / a modulo q is an operation of multiplying b by 1 / a, but 1 / a is different from the actual value, so only when b is a multiple of a. It is not a correct real b / a. Further, even if βb / αa is directly calculated using αa and βb whose restored dispersion values are restored, since the restored βb and αa are different from the actual values, they are not correct b / a. Here, if the random number α is a value equal to or less than p, which is the same as a, αa is always a value equal to or less than q, and thus becomes an actual value. However, if prime factorization is used in this case, α and a constituting αa are narrowed down, which is not safe. Therefore, in general, secret sharing is not performed modulo q larger than the combined value of two values less than or equal to p (usually either or both are integers less than or equal to q). Therefore, α and a cannot be narrowed down by combining with real number arithmetic. This feature is indicated in claim 15.

The concealment multiplication 3 is adapted to support multiplication using the same variance value when concealment division 3 is performed.

Further, when the multiplication with the real number c is continued, the following is performed. That is, a process of restoring γj from Wch (x _i ) is added between

steps

172 and 174 in FIG. 38 of [Restore], and β _j / α _j γ _j is set at

steps

176 and 178 in FIG. Calculate and send. Step 182 in FIG. 40, in step 184, the CPU22 of the reconstruction apparatus 16 calculates the β / αγ service - send to the server _{x d,} between step 194 and step 196 in FIG. 41, Wc _{'(x i} ) To restore γc, and in step 196 of FIG. 41, the CPU 22 of the _first server 14x1 calculates βb / (αaγc) using αa, βb, and γc as real numbers, and the restoring device 16 Send to. The CPU 22 of the terminal device 16 obtains b / ac by dividing βb / (αaγc) by β / αγ in step 188 of FIG. However, it is assumed that c and values related thereto are also converted into integers and distributed as real numbers similar to a and b. Furthermore, it is clear that both the concealment division 2 and the real continuous division are possible as well.

From the above, it can be understood that the secret division can be performed by the same processing as the secret multiplication, and the basic calculation and the repetition calculation can be performed, and all the real numbers can be handled.
In the above, since the server _xd in [restoration] cannot obtain information on the secret information a and b and the calculation result b / a, any server can be used.

<Third Embodiment>
Next, a product-sum operation ab + c that continuously performs multiplication and addition will be described as an example of continuous operation. The basic operation is four arithmetic operations. Addition and subtraction can be replaced. Multiplication and division can be easily replaced by the first and second embodiments. It can be said that it can cope with a combination of operations. If a = de + f, it becomes (de + f) b + c, and if f = 0, it becomes deb + c. If c = de + f, ab + de + f is obtained, and various calculations are possible. Here, consider a case where ab + c is calculated using the secret information a held by the first dealer device 12A, the secret information b held by the second dealer device 12B, and the secret information c held by the third dealer device 12C. However, this time, the restoration device 16 cooperates with the confidential calculation in [multiply-sum]. However, the restoration device 16 does not know anything about confidential information and intermediate results like the _first server 14x1 of the second embodiment. No information is available.

(Secret product sum 1 (basic form))
First, the secret product sum 1 (basic form) will be described. The secret product sum 1 (basic form) is executed by distribution, product sum, and restoration.
[dispersion]
Each of the owners A, B, and C uses the first dealer device 12A to the third dealer device 12C to calculate the following variance values independently for the secret information a, b, and c, and n units (I = 1,..., N) (FIGS. 3, 5, and 14).
Wa ′ (x _i ) = α (a + a _0,1 x _i +... + A _{0, k−1} x _i ^k−1 )
Wb ′ (x _i ) = β (b + b _0,1 x _i +... + B _{0, k−1} x _i ^k−1 )
Wc ′ (x _i ) = γ (c + c _0,1 x _i +... + C _{0, k−1} x _i ^k−1 )
Wa1 (x _i ) = α ₁ + a _1,1 x _i +... + A _{1, k−1} x _i ^k−1
:
Wak (x _i ) = α _k + ak, 1x _i +... + A _{k, k−1} x _i ^k−1
Wb1 (x _i ) = β1 + b _1,1 x _i +... + B _{1, k−1} x _i ^k−1
:
Wbk (x _i ) = β _k + b _{k, 1} x _i +... + B _{k, k−1} x _i ^k−1
Wc1 (x _i ) = γ1 + c _1,1 x _i +... + C _{1, k−1} x _i ^k−1
:
Wck (x _i ) = γk + c _{k, 1} x _i +... + C _{k, k−1} x _i ^k−1

[Product sum] and [Restore]
For example, the first sub - server 14x ₁ executes the decompression distributed processing αa in FIG. The first server 14x ₁ to the k-th server 14x _k execute the multiplication process of FIG. Therefore, the first server 14x ₁ to the k-th server 14x _k obtain the following Wab ′ (x _j ) (see FIG. 9B).
Wab ′ (x _j ) = αβa (b + ab _0,1 x _i +... + Ab _{0, k−1} x _i ^k−1 )

The CPUs 22 of the first server 14x ₁ to the k-th server 14x _k execute the product-sum process of FIG. That is, at step 200, Wa _j (x _i ), Wb _j (x _i ), Wc _j (x _i ) (i = 1,..., K) corresponding to the designated j are collected, and at step 202, α _{j 1} , β _j , and γ _j are restored one by one.

In step 204, a random number μj is generated, α _j β _j / μj and γj / μj are calculated, and in step 206, α _j β _j / μj and γj / μj are transmitted to the restoration device 16.

The CPU 22 of the restoration device 16 executes the restoration process of FIG. That is, α _j β _j / μj and γj / μj are received at step 222, and αβ / μ and γ / μ are calculated by multiplying α _j β _j / μ _j and γ _j / μ _j at step 224. In step 226, αβ / μ and γ / μ are transmitted to each server, that is, the first server 14x ₁ to the kth server 14x _k .

The CPUs 22 of the _first server 14x ₁ to the kth server 14x _k receive αβ / μ and γ / μ in step 208 of FIG. 42, and in step 210, Wab ′ (x _j ) By αβ / μ, Wc ′ (x _j ) is divided by γ / μ, and Wab ′ (x _j ) = μ (ab + ab _0,1 x _j +... + ab _{0, k−1} x _j ^ ^k−1 ) And Wc ′ (x _j ) = μ (c + c _0,1 x _i +... + C _{0, k−1} x _i ^k−1 ).

In step 212, Wabc ′ (x _j ) = Wab ′ (x _j ) + Wc ′ (x _j ) = μ {(ab + c) + abc _0,1 x _i +... + Abc _{0, k−1} x _i ^k−1 }, And in step 214, Wabc ′ (x _j ) is transmitted to the restoration device 16, and in step 216, μj is transmitted to the restoration device 16.

The CPU 22 of the restoring device 16 receives Wabc ′ (x _j ) from the first server 14x ₁ to the kth server 14x _k at step 228 in FIG. 43, and at step 230 μ (ab + c) ).

In step 232, μj is received from the first server 14x ₁ to the k-th server 14x _k , and in step 234, μ = μ1, μ2,... Μk is synthesized, and in step 236, μ (ab + c ) Divided by μ to obtain (ab + c).

Further, although a new random number μj is used here, μ _j is not generated, αjβj / γj is calculated in step 204 of FIG. 42 and transmitted in 205, and the restoring device 16 returns it in step 222 of FIG. , Synthesize αβ / γ at 224 and return the value to each server at 226, receive it at step 208 of FIG. 42, divide Wab ′ (xi) by αβ / γ at 210, or Wc By multiplying (xi) by αβ / γ, the random numbers related to the two dispersion values can be matched with αβ or γ instead of μ.

It can be seen that the sum of a + c can be calculated if the processing related to b is omitted without executing the above-described [α-β restoration / distribution processing of FIG. 7] and multiplication processing of FIG. Further, the product of ab can be calculated if the processing related to c is not performed in the product-sum processing of FIG. Furthermore, if the processing is repeated with Wabc ′ (x _j ) obtained in step 212 of FIG. 42 in [Product sum] as Wa ′ (x _i ), the secret calculation of (ab + c) b + c is performed by Wabc ′ (x _j ). It can be seen that a secret calculation of ab + ab + c can be realized by repeating the processing with Wc ′ (x _i ).

In the second processing, Wabc ′ (x _j ) is set to Wa ′ (x _i ), Wb ′ (x _j ) is set to Wd ′ (x _i ), and Wc ′ (x _j ) is set to We ′ (x _i ). (Ab + c) d + e is obtained, and it can be seen that various operations can be realized. Furthermore, if the processing related to a and c in the secret product sum 1 is omitted, the random number β applied to Wb ′ (x _i ) can be changed to μ.

Μj can be made disposable, but if server j secretly distributes μj and stores the distributed value in all servers, it can be used when necessary. Further, it is clear that even if the parameter is a real number, it is possible to cope with the continuation of calculation from the embodiments so far.

The above feature is that, as shown in claim 5, random numbers such as α, β, and γ independently set by owners A, B, and C use αj, βj, and γj, or newly use μj and the like. To convert it into a convenient form for the next secret operation.

As described above, it has been shown that the four arithmetic operations can be realized by the secret calculation according to the first to third embodiments.

<Fourth embodiment>
The concealment multiplication shown in the first embodiment is concealed by applying a random number to the secret information, and the concealment operation without changing the threshold value k is made possible by restoring the concealment information once. The problem of the first embodiment is that, when the secret information is 0, once the concealment secret information is restored, the value becomes 0 and it can be seen that the secret information is 0 (confidential Because the random number used for conversion is not 0).
However, in the case of the concealment division shown in the second embodiment, this property is effective because it can be seen that division cannot be performed when the concealment secret information once restored is 0.

(Concealment multiplication 4 (corresponding to 0))
Hereinafter, a method in the case where secret information includes 0 in the secret multiplication will be described below.
[dispersion]
The CPU 22 of the first dealer device 12A of the owner A having the secret information a executes the distributed processing of FIG. 3 to generate k random numbers α _i and the product α = α ₁ · α _2. Calculate α _k (step 42).

The CPU 22 of the first dealer 12A calculates the following distribution value (step 44) and distributes it to n servers (step 46).
Wa (x _i ) = a + a _0,1 x _i +... + A _{0, k−1} x _i ^k−1
Wa ′ (x _i ) = α (a + a _0,1 (n + x _i ) +... + A _{0, k−1} (n + x _i ) ^k−1 )
Wa1 (x _i ) = α ₁ + a _1,1 x _i +... + A _{1, k−1} x _i ^k−1
:
Wak (x _i ) = α _k + a _{k, 1} x _i +... + A _{k, k−1} x _i ^k−1
_{However, a h, j (h =} 0, ···, k, j = 1, ···, k-1) is a random number, _{x i} difference - server ID (i = 1, ..., n)

The CPU 22 of the second dealer apparatus 12B of the owner B having the secret information b executes the distributed processing of FIG. 5 to generate k random numbers βi, and the product β = β ₁ · β _2. β _k is calculated (step 52).

The CPU 22 of the second dealer 12B executes the distribution process shown in FIG. 5, calculates the following distribution value (step 54), and distributes it to n servers (step 56).
Wb (x _i ) = b + b _0,1 x _i +... + B _{0, k−1} x _i ^k−1
Wb ′ (x _i ) = β (b + b _0,1 (n + x _i ) +... + B _{0, k−1} (n + x _i ) ^k−1 )
Wb ₁ (x _i ) = β ₁ + b _1,1 x _i +... + B _{1, k−1} x _i ^k−1
:
Wbk (x _i ) = β _k + b _{k, 1} x _i +... + B _{k, k−1} x _i ^k−1
_{However, b h, j (h =} 0, ···, k, j = 1, ···, k-1) is a random number, _{x i} difference - server ID (i = 1, ..., n)

[Multiplication]
Each of the CPUs 22 of the first server 14x ₁ to the nth server 14x _n executes the multiplication process of FIG. That is, in step 242, Wab (x _i ) = Wa (x _i ) Wb (x _i ) and Wab ′ (x _i ) = Wa ′ (x _i ) Wb ′ (x _i ) are calculated.
[Restore]
The servers participating in the restoration, for example, the CPUs 22 of the first server 14x ₁ to the k-th server 14x _k determined in advance, execute the restoration process of α _j β _j in FIG. That is, in step 244, Wa _j (x _i ) and Wb _j (x _i ) corresponding to the designated j are collected, and in step 246, α _j and β _j are restored one by one.

In step 248, α _j β _j is calculated, and in step 250, Wab (x _j ), Wab ′ (x _j ), and α _j β _j are transmitted to the restoration device 16.

The CPU 22 of the restoration device 16 executes the restoration process of FIG. That is, Wab (x _j ), Wab ′ (x _j ), α _j β _j are received at step 252, and αβ = α ₁ · α ₂ ... Α _k is multiplied by all α _j β _j at step 254. β ₁ · β ₂ ... β _k is calculated, and Wab ′ (x _j ) / αβ is calculated.

In step 256, the CPU 22 of the restoration device 16 restores ab using 2k−1 variance values from Wab (x _j ) and Wab ′ (x _j ) / αβ.

This method is an improved version of the method described in document [2]. Therefore, in [Share], one server has two share values Wa (x _i ) and Wb (x _i ), and one share value is concealed by a random number α or β. . The difference from document [2] is that, as shown in claim 1, each owner generates k random numbers and distributes the synthesized values α and β over the secret information. In reference [2], random numbers α and β are not synthesized from αi and βi, but are directly distributed, so α and β are known directly to the restorer. Therefore, claim 1 is a feature not found in the conventional method.

In Document [2], after the restorer knows α and β, if k / 2 servers are wiretapped, k distributed values related to a and b are collected. Leaks. [2] proposes that each server generates and exchanges random numbers, generates a composite random number, and updates the variance value by applying it to the variance value in order to respond to this attack by the restorer. However, this random number is leaked because the attacker knows all the processes just by eavesdropping on one server. Therefore, the technique of document [2] is not safe. On the other hand, in the secret multiplication 4, as shown in claim 2, each of the k servers restores different secret information one by one, and each server has If it is safe (impossible to eavesdrop), the attacker cannot directly know α and β, so the attacker cannot obtain secret information and is safe. Therefore, claim 2 is also a feature not found in the conventional method.

(Concealment multiplication 5 (repetition))
The concealment multiplication 4 is a multiplication of the variance values, so that an order change occurs. Next, consider a case where order conversion is performed in order to support continuous calculation.
[dispersion]
The CPU 22 of the first dealer apparatus 12A executes the distributed processing shown in FIG. That is, in step 262, k random numbers α _i and ri other than 0 (hereinafter α _i and ri are other than 0) are generated, and the product α = α ₁ · α ₂ ... Α _k , r = r to calculate the ₁ · _{_r} 2 ··· _r _k.

In step 264, the following variance value is calculated. The dispersion values for the n + _{x i} is service - are sent to the bar - bar 14x _i Sa. Thus, each server 14x _i has a variance value for x _i and n + x _i .
Wa (x _i ) = r (a + a _0,1 x _i +... + A _{0, k−1} x _i ^k−1 )
Wa ′ (x _i ) = rα (a + a _0,1 (n + x _i ) +... + A _{0, k−1} (n + x _i ) ^k−1 )
Wa ₁ (x _i ) = α ₁ + a _1,1 x _i +... + A _{1, k−1} x _i ^k−1
:
Wa _k (x _i ) = α _k + a _{k, 1} x _i +... + A _{k, k−1} x _i ^k−1
Wr ₁ (x _i ) = r ₁ + ak + _1,1 x _i +... + A _{k + 1} , k−1x _i ^k−1
:
Wr _k (x _i ) = rk + a2 _{k, 1} x _i +... + A2 _{k, k} −1x _i ^k−1
_{However, a h, j (h =} 0, ···, k, j = 1, ···, k-1) is a random number, the _{x i} support - server ID (i = 1, ..., n) is .
In step 266, the dispersion value is transmitted to the _first server 14x ₁ to the n-th server 14x _n .

The CPU 22 of the second dealer device 12B of the owner B having the secret information b executes the distributed processing of FIG. That is, in step 272, k random numbers β _i and q _i other than 0 (hereinafter β _i and q _i are other than 0) are generated, and the product β = β ₁ · β ₂ ... Β _k , q = Q ₁ · q ₂ ... Q _k is calculated.

In step 274, the following variance value is calculated.
Wb (x _i ) = q (b + b _0,1 x _i +... + B _{0, k−1} x _i ^k−1 )
Wb ′ (x _i ) = qβ (b + b _0,1 (n + x _i ) +... + B _{0, k−1} (n + x _i ) ^k−1 )
Wb ₁ (x _i ) = β ₁ + b _1,1 x _i +... + B _{1, k−1} x _i ^k−1
:
Wb _k (x _i ) = β _k + b _{k, 1} x _i +... + B _{k, k−1} x _i ^k−1
Wq ₁ (x _i ) = q ₁ + b _{k + 1,1} x _i +... + B _{k + 1, k−1} x _i ^k−1
:
Wq _k (x _i ) = qk + b2 _{k, 1} x _i +... + B2 _{k, k−1} x _i ^k−1
_{However, b h, j (h =} 0, ···, k, j = 1, ···, k-1) is a random number, _{x i} difference - server ID (i = 1, ..., n) is .

In step 276, the distributed value is distributed to the first server 14x ₁ to the n-th server 14x _n .

[Multiplication]
Each CPU 22 of the first server 14x ₁ to the n-th server 14x _n executes the multiplication process of FIG. That is, in step 278, Wab (x _i ) = Wa (x _i ) Wb (x _i ) and Wab ′ (x _i ) = Wa ′ (x _i ) Wb ′ (x _i ) are calculated (i = 1, ..., n).

[Order conversion]
Each CPU 22 of the first server 14x ₁ to the k-th server 14x _k performs the order conversion process of FIG. That is, in step 282, Wa _j (x _i ) and Wb _j (x _i ) corresponding to the designated j are collected (i = 1,..., K), and in step 284, α _j and β _j are set to one. In step 286, α _j β _j is calculated. In step 288, α _j β _j is transmitted to the restoring device 16.

The CPU 22 of the restoration device 16 executes the calculation transmission process of αβ in FIG. That is, in step 322, α _j β _j is received from the _first server 14x ₁ to the n th server 14x _n , and in step 324, αβ is calculated by multiplying all α _j β _j , In step 326, αβ is transmitted to the _first server 14x ₁ to the nth server 14x _n .

Each CPU 22 of the _first server 14x ₁ to the k-th server 14x _k receives αβ in step 290 in FIG. 50, divides Wab ′ (x _j ) by αβ in step 292, and sets Wab ( x _j + n) = Wab ′ (x _j ) / αβ is calculated.

To secretly calculate Rj shown in equation (8), the following is calculated. First, in step 294, R _{j, j} = a _{xj, j} Wab (x _j ) + a _{n + xj, j} Wab obtained by multiplying Wab (x _j ) and Wab (x _j + n) by a _{xj, j} and a _{xj + n, j.} R _{j, j + n} = a _{xj, j + n} Wab (x _j ) + an _{+ xj, j + n} Wab (n + x _j ) obtained by multiplying (n + x _j ) by a _{xj, j + n} and a _{n + xj, j + n} is calculated.

Here, _i in R _{i, j} represents the first position in the vertical direction of Equation (7), and j represents the position in the horizontal direction. Therefore, the vertical sum of i from 1 to n is R _j = Σ (R _{j, j} + R _{j, j + n} ).

In step 296, random numbers r _1j and r _2j are generated, R ′ _{j, j} = R _{j, j} + r _1j and R ′ _{j, j + n} = R _{j, j + n} + r _{2, j} are calculated, and in step 298 R ' _{j, j} and _{R'j, j + n} are transmitted to the next server 14x _{(j + 1)} in the predetermined order.

In step 300, two h-th (h = 1,..., N−1) values transmitted from the previous server 14x _(j−1) , ie, R ′ _{j−h, j−h} and R ′ _{j -H, j + n-h} is received, and in step 302, the h-th (h = 1,..., N−1) two values R ′ _{j−h, j−h} and R ′ _{j−h, j + n−h} R ′ _{j, j−h} = a _{xj, j−h} Wab (x _j ) + a _{n + xj, j−h} Wab (n + x _j ) + r _1j and R _{j + n, j−h} = a _{xj, j + n−h} Wab ( x _j ) + a _{n + xj, j + n−h} Wab (n + x _j ) + r _2j is added to calculate R ′ _{j, j} and R ′ _{j, j + n} , and in step 304 R ′ _{j, j} and R ′ _{j, j + n} Are transmitted to the next server 14x _{(i + 1)} in the predetermined order.

In step 306, two values R ′ _{j, j} and R ′ _{j, j + n} that have traveled all the servers are received. In step 308, R ′ _{j, j} and R ′ _{j, j + n} are _converted into r _1j. And r _2j are subtracted, and R ′ _{j, j} and R ′ _{j, j + n} are transmitted to the next server _{14 x (i + 1)} in the predetermined order in step 310.

In step 312, the two values R ′ _{j−h, j−h} and R ′ _{j−h, j + n−h} sent from the previous server 14x _(j−1) are received, and in step 314, _{R 'j-h, j-} h and _{R' j-h,} pulling respectively _{r 1j} and _{r 2j} from _{j + n-h,} at step _{316, R 'j-h,} j-h and _{R' j-h, j + n−h} is transmitted to the next server 14x _{(i + 1)} .

In step 318, all sub - two that have around the bus values R _{'j, j} and R' _j, receives the _{j + n,} in step 320, R _{'j, j} and R' _{j, j + n} of R _{'j , j + n} is multiplied by αβ, and each is stored as R _j , R _{j + n} .

[Restore]
The CPUs 22 of the first server 14x ₁ to the k-th server 14x _k execute r _j g _j restoration / transmission processing of FIG. That is, in step 332, Wr _j (x _i ) and Wq _j (x _i ) corresponding to the designated j are collected (i = 1,..., K), and in step 334, r _j per _server is Restore q _j one by one.

In step 336, the product r _j q _j is calculated, and in step 338, R _j and r _j q _j are transmitted to the restoration device 16.

The CPU 22 of the restoration device 16 receives R _j and r _j q _j at step 342 in FIG. 53, calculates rq by multiplying all r _j q _j at step 344, and calculates R _j at step 346. Divide by rq to calculate Wab (x _j ) = R _j / rq.

In step 348, ab is restored using k−1 pieces from Wab (x _j ).

A feature of [Distribution] of the present invention is that, in order to conceal secret information a and b to the end, random numbers r and q that are concealed to the end are multiplied by a and b (included in claim 1). Thus, Wab (x _i ) and Wab ′ (n + x _i ) are always associated with a common random number rq, and αβ is known to be calculated by the restoration device 16 in step 324 of FIG. 51 of [Order Transformation]. It is not known to the restoration device 16 until the end. Therefore, even if an attacker or a restorer obtains Rj, Rj + n as intermediate results, ab as an intermediate result does not leak. However, in the case where the same safety as in the conventional case is sufficient, that is, when the intermediate value acquisition by the restorer is permitted, it is not necessary to use r and q, and [Distribution] can be made the same as the secret multiplication 1. In this case, α and β can be used instead of r and q by multiplying Wab (x _j ) by αβ in step 292 of FIG. 50 instead of dividing Wab ′ (x _j ) by αβ.

Further, the first feature in [order conversion] is that one server has two variance values having different shapes, so that steps 282 to 288 in FIG. 50 of [order conversion] and step 322 in FIG. In step 324, random number conversion is performed to make the random numbers related to the distributed values the same (included in claim 5). Here, αβ is deleted, but rq is always applied. Further, as described above, r = q = 1 can be set when the same safety as the conventional one is sufficient. This feature is shown in claim 6.

In step 292 of FIG. 50 of [Order Transformation], the server divides Wab ′ (x _i ) by αβ, but multiplies Wab (x _i ) by αβ, and Wab (x _i ) = αβWab (x _i ), Wab (n + x _i ) = Wab ′ (x _i ). In step 320 of FIG. 50 of [Order conversion], each server is multiplied by αβ, but another random number may be multiplied.

The second feature is that rq is finally known to the restorer (rq is known, but r and q are not known individually, so secret information a and b are not leaked). If stored, the restoration device 16 may know the value obtained by removing the random number rq from Wab (x _i ) and Wab ′ (n + x _i ). Therefore, in order to hide Wab and _{(x i)} Wab 'a _(x i + n), the random number _{r 1j} in Wab _{(x i),} summing a random number _{r 2j} in Wab _(x i + n), the original Wab ( x _i ) and Wab (x _i + n) are not understood, and the server is turned. As a result, Σr1j is added to the values R ′ _{j, j} that have traveled through all the servers obtained in step 306 of FIG. 50 of [order conversion], and Σr2j is added to R ′ _{j, j + n} . In the [order conversion] step 312 to step 316 in FIG. 50, Σr1j and Σr2j can be removed and normal Ri can be obtained.

Further, if the added random numbers Σr _1j = 0 and Σr _2j = 0, the second server visit is unnecessary. Further, it may be transmitted to the restoring person without going around the server, and the restoring person performs addition and sends the result back to each server.

Furthermore, in order to conceal the Wab _{(x i)} and _{Wab '(x i + n)} , the random number _{r 1j} in Wab _{(x i),} summing a random number _{r 2j} in Wab _(x i + n), the original Wab ( x _i ) and Wab (x _i + n) are concealed, and the server is turned to release it, but random numbers r _1j and r _2j for concealing secret information are secretly distributed to Also distributed to the server, each server adds the distributed values, calculates Σr _1j and Σr _2j , and also subtracts r _1j and r by subtracting from the final result R ′ _{j, j} or R ′ _{j, j + n} _2j can be deleted. This feature is indicated in claim 16.

Finally, R ′ _{j, j + n} corresponding to Rj (j = n + 1 to 2n) is multiplied by αβ at steps 318 and 320 in FIG. 50 of [order conversion] to return to the form shown in [dispersion]. As a result, even if the attacker eavesdrops on k-1 servers, only 2k-2 Wis can be obtained, and a and b, which are intermediate results, are not leaked.

Although only the secret multiplication has been described so far, when dispersion is performed as in the case of the secret multiplication 4, addition / subtraction may be added to Wa (x _i ) and Wb (x _i ) as is. For '(x _i ) and Wb' (x _i ), as described in the product-sum operation, addition may be performed together with random numbers applied to the variance values. Further, division is performed using Wa ′ (x _i ) and Wb ′ (x _i ) as described in the second embodiment. In this case, when Wa ′ (xi) is restored and αa is restored, if αa = 0, it is divided by 0, so the division is stopped. Also, 'for the (x _i) Wb' αa is not equal 0 Wb (x _i) / αa After calculations, restoration apparatus α _{_j} / _{β j} each server to restore the alpha _j and beta _j To obtain α / β, and if it is applied to Wb '(xi) / αa, a dispersion value having b / a in the constant term is completed. At that time, if Wb (x _i ) is also divided by αa and α / β is written, a variance value having b / a in the constant term and 1 / β as a random number is obtained. In these cases, the final removal of random numbers can be made unnecessary if the restoration is performed using a distributed value to which no random numbers are applied. From the above, it can be seen that the four arithmetic operations can also be realized by the secret calculation according to the present embodiment.

<Fifth embodiment>
First, a case where the variance value is updated without changing the threshold value k for the _n servers 14x ₁ to 14x _n will be described. Consider a case where the random number α is applied to the secret information a and distributed as shown in the first to fourth embodiments. Up to now, there is no known update method for distributed values with random numbers.

(Concealment Update 1 (Distributed Value Update with Random Number))
From the first server 14x ₁ to the k-th server 14x _k , a server that performs the restoration process, for example, the k-th server 14x _k is randomly selected in advance.

Each CPU 22 of the (k−1) th server 14x ₁ to the (k−1) th server 14x _(k−1) other than the kth server 14x _k is represented by U _{i in} FIG. The calculation / transmission process is executed. That is, the server 14xi is to have the following Wa 'as the current dispersion value _{(x j).}

Wa ′ (x _i ) = α (a + a ₁ x _i + a ₂ x _i ² +... + A _k−1 x _i ^k−1 ) (i = 1,..., K−1)

In step 356, a random number Wa′i is generated as the following new variance value. a _{j ′} (j = 1,..., k−1) is a random number obtained by solving the polynomial in (4).
Wa′i = α (a + a _{1 ′} x _i + a _{2 ′} x _i ² +... + A _{k−1 ′} x _i ^k−1 )

In step 358, the difference U _i 'between the previous variance value Wa' (x _i ) and the newly generated Wa'i is calculated as follows.
U _i ′ = Wa ′ (x _i ) −Wa ′ _i = α {(a ₁ −a _{1 ′} ) x _i + (a ₂ −a _{2 ′} ) x _i ² +... + (A _k−1 − a _{k-1 ′} ) x _i ^k−1 }

In step 360, the difference U _i 'is transmitted to the _kth server 14xk.

Of the k sub - server 14x _k performs the calculation and transmission processing of Wj in FIG 55 '. That is, the difference Uj is received at step 362, and k-1 polynomials are solved at step 364, and α (a ₁ −a ₁ ′), α (a ₂ −a ₂ ′),. (A _k-1 -a _k-1 ') is obtained, and in step 366, the following difference values for the remaining nk servers are obtained.
Wj ′ = α {(a ₁ −a _{1 ′} ) x _j + (a ₂ −a _{2 ′} ) x _j ₂ +... + (A _k−1 −a _{k−1 ′} ) x _j ^k−1 } ( However, j = k, ..., n)

In step 368, the difference value Wj ′ is transmitted to the (k + 1) -th server 14x _{(k + 1)} to the n-th server 14x _n .

The (k + 1) -th server 14x _{(k + 1)} to the n-th server 14n execute the new dispersion value storage process of FIG. That is, in step 370, Wj ′ is received, and in step 372, Wj ′ is added to the previously provided variance value to obtain a new variance value.

The above feature is that a new random number can be updated as a new distributed value composed of a polynomial having a new coefficient without changing the random number with respect to the distributed value applied with the random number. This feature is shown in claim 10.

The conventional method shown in the document [3] is an update method for a normal distributed value without the random number α, but there are the following differences. In document [3], there is no processing in step 370 in FIG. 56, and the first server 14x ₁ to the (k−1) th server 14x _(k−1) are the remaining (k + 1) th servers. Ba _{14x (k + 1)} ~ n-th sub - sends the difference to server 14x _n, the difference in the corresponding processing to the processing of step 364 and step 366 in FIG. 55 the (k + 1) - server _{14x (k + 1)} ~ the n Sa - updating the dispersion value by server 14x _n is performed. K-th sub do it against the secret update 1 process - specifies the server 14x _k to one of the k sub - communication because only bus 14x _k performs the processing of step 358 and step 360 in FIG. 54 It also has the feature that the amount and amount of calculation can be reduced.

Document [3] requires (k−1) (n−k + 1) communication because k−1 servers send difference values to n−k + 1 servers, and there are n−k + 1 units. (N−k + 1) polynomial processing is necessary to perform the processing corresponding to the processing in step 358 and step 360 in FIG. On the other hand, in the present invention, only the k-th server 14xk performs the processing of step 358 and step 360 in FIG. 54 and sends the result to the _nk server. -1) communication, (nk) communication occurs in step 370, and a total of n + 1 communication is sufficient. In the present invention, the calculation needs only one polynomial process.

The method of document [3] makes no mention of a method for selecting nk + 1 servers for restoration processing. However, if nk + 1 servers are fixed, an attacker can make n- If one of the k + 1 servers continues to be wiretapped, the updated value will always leak. In order to prevent the leakage, a server for performing the restoration process is randomly selected. Assuming that the server that the attacker is eavesdropping on is the o-th server 14x _i x _o , if another k- _th server 14x _k is designated, the attacker at that point in time will be the other server 14x _i x _o . Even if the variance value is known, a new variance value other than the o-th server 14x _i cannot be known by the update by the _k- _th server 14x _k . Even if the o-th server 14x _i is selected as the _k-th other server 14x k at a certain point in time, if the distribution value of the other server is not known, the difference value is obtained. However, the new variance value is not known. Therefore, the above method gives general versatility to the document [3], and realizes efficiency improvement and safety improvement at the same time.

(Concealment Update Method 2 (for u ≧ k))
Next, an updating method when the threshold value is increased from k to u (u ≧ k) for n servers will be described.
The CPU 22 of the _i-th server 14xi executes the generation / transmission process of δi in FIG. That is, in step 382, u-1 random numbers d _i1 ,..., D _iu-1 are generated, and in step 384, the following polynomial is generated.
δi (x) = d _i1 x + d _i2 x ₂ +... d _iu−1 x ^u−1

In step 386, values δi (x ₁ ), δi (x ₂ ),..., Δi (x _n ) are generated by adding all server IDs to x of δi (x). _{(x j)} of the j-th sub - server _14x j transmits (j = 1, ···, n ) to.

Server 14x _j of the j, i.e., the first sub - server 14x ₁ ~ n-th sub - each CPU22 Bas 14x _n performs the updating process in FIG. 58. That is, in step 392, δi (x _i ) is received, and in step 394, all values are added to the variance value Wa ′ (x _i ) with respect to the threshold value k held by itself, and the following is calculated.
Wa ′ (x _i ) = Wa ′ (x _i ) + Σδj (x _i )
= Α (a + a ₁ x _i + a ₂ x _i ² +... + A _k−1 x _i ^k−1 ) + Σδj (x _i )
= Α {a + (a ₁ + Σd _i1 / α) x _i + ... + (a _k-1 + Σd _ik-1 / α) x _i ^k-1 + ... + (Σd _iu-1 / α) x _i ^u-1 }
In step 396, Wa ′ (x _i ) is stored as a new variance value.

The feature of the proposed method is to construct δi (x) by constructing a u−1 degree polynomial for u instead of k. Since the proposed method does not perform the polynomial processing in Step 364 of [Secret Update Method 1] in FIG. 55, the processing is simple and no matter which server is eavesdropped, the eavesdropping of one server is the same. -It has the safety that the updated values other than the bar are not known.

In Concealment Update 1, only the polynomial was changed without changing the random number for the distributed value. In the following, consider the case where the random number related to the variance value is changed and updated. In the

secret updates

1 and 2, the secret information itself is not changed, so there is no information that the server obtains by this update. However, if the random number relating to the distributed value is directly changed, the server obtains information on how many times the secret information has been multiplied. In view of this, an updater collects and updates the distributed values from the server, and shows a method of updating without knowing how many times the secret information has been multiplied by the server.

(Concealment Update Method 3 (Distributed Value Update with Random Number Change))
Predetermined server, for example, the first sub - CPU 22 of server 14x ₁ performs the updating process in FIG. 59. That is, in step 402, the first sub - server 14x ₁ ~ n-th sub - from server 14x _n, the first sub - server 14x ₁ ~ n-th sub - dispersion value W stored in the server 14x _n Collect (x _i ), generate a random number β and k−1 random numbers d ₁ to d _k−1 at step 404, and calculate the following at step 406:
_{Wa '(x i) = βWa} ' (x i) + δ (x i) = αβ {a + (a 1 + d 1 / β) x i + ··· + (a k-1 + d k-1 / β) x _i ^k-1 }
δ (x) = d ₁ x + d ₂ x ₂ +... d _k−1 x ^k−1

In step 408, Wa ′ (x _i ) is transmitted to each server, that is, the first server 14x ₁ to the n-th server 14x _n . The first server 14x ₁ to the n-th server 14x _n store the received Wa ′ (x _i ) as a new dispersion value.

The feature in the above is that W (x _i ) is multiplied by α, but by adding δ (x _i ), W ′ (x _i ) / W (x _i ) does not become α, that is, how many times The server is not sure. δ (x _i ) is a random number that cannot be solved unless k−1 are collected, but since the server does not know α, the integrated W ′ (x _i ) only knows α _s even if k pieces are collected. It is. This feature is shown in claim 18.

Secret update method 4
In the above updating method, the constant term is always set to 0. Therefore, even if a k-1 degree polynomial is used, the polynomial used for the update can be solved if there are k-1 variance values. That is, there is a problem with safety. Therefore, by updating as follows, it is possible to prevent the value used for updating from being known unless k variance values are present.

[update]
In the i-th server 14xi, xi is the first ID and xi ′ is the second ID, and all the servers out of x ₁ to x _n have no overlap between the first ID and the second ID, and k− It is determined at random so that the combination does not close within one server. For example, if n = k, the combination is not closed in any k−1 servers. This is because if the first ID and the second ID of the i-th server are the same, the ID combination is closed in the remaining k-1 servers. The condition that the second ID does not overlap is not satisfied. Therefore, when n = k, selection may be made so that there is no overlap between the first ID and the second ID in all servers. On the other hand, if n> k, even if the combination is closed in k−1 servers, the first ID and the second ID are reversed in all servers if the first and second IDs of the remaining two servers are reversed. The condition that there is no overlap of the second ID is satisfied. Therefore, first, the server of x1 randomly selects a server ID xj2 other than x1, the selected server of xj2 randomly selects the server ID xj3, and the server selected before becoming the k-1th server. May not be a server that has already selected the second ID. This is because a server that has already selected the second ID cannot select a new second ID, and will close there. Information on each ID is made public.

The CPU 22 of the i-th server 14xi executes the update process of FIG. That is, in step 381, k random numbers d _i0 , d _i1 ,..., D _ik-1 and r _i1 _,.
δi (x) = d _i0 + d _i1 x + d _i2 x ² + ・・・ d _iu-1 x ^u-1
λi (x) = d _i0 + r _i1 x + r _i2 x ² + ・・・ r _iu-1 x ^u-1

In step 383, values δi (x ₁ ), δi (x ₂ ),..., Δi (x _n ) including the first IDs of all the servers are formed. In step 385, δ _i (x _j ) is j to the server 14x _j (j = 1,..., n). Thereby, the i-th server 14xi receives δ _j (x _i ) transmitted from another server.

In step 387, values λ _i (x ₁ ′), λ _i (x ₂ ′),..., Λ _i (xn ′) are generated by putting the second IDs of all servers in x, and in step 389, λ _i a (x _j '), and transmits the j server _{14x j (j = 1, ···} , n) to. Thereby, the i-th server 14xi receives λ _j (x _i ') transmitted from the other server.

In step 401, the following is calculated by adding all received δ _j (x _i ) to the variance value Wa ′ (x _i ) that the user has, and storing it as a new variance value.
Wa '(xi) = Wa (xi) + Σδj (xi) = a + a ₁ xi + a ₂ xi ² + ... + a _k-1 xi ^k-1 + Σδj (xi)
= (a + Σd _i0 ) + (a ₁ + Σd _i1 ) xi + ・・・ + (a _k-1 + Σd _ik-1 ) xi ^k-1

In step 403, all received λ _j (x _i ′) are added and the following is calculated and stored.
λ (xi ') = Σλj (xi') = (Σd _i0 ) + (Σr _i1 ) xi '+ ... + (Σr _ik-1 ) xi' ^k-1

[Restore]
The CPU 22 of the restoration device 16 executes the restoration process of FIG. That is, in step 411, Wa ′ (x _i ) is collected from k servers and solved to calculate (a + Σd _i0 ). In step 413, λ (xi ′) is collected from k servers and solved to calculate (Σd _i0 ).
In step 415, secret information a is calculated by subtracting (Σd _i0 ) from (a + Σd _i0 ).

The above feature has been updated by a polynomial in which the constant term is conventionally 0, but the constant term is not 0. In the above, not only the update process but also the process is required for restoration. Further, since λ (x _i ) is stored, the storage capacity increases. However, even if the attacker can eavesdrop on k−1 servers, the secret information of Wa ′ (x _i ) and λ (x _i ′) cannot be obtained at all, and the updated value is not known.

This update method can handle expansion of k if k is u (> k). [Restore] can also be as follows.

(1) Each server transmits λ _i (x _j ′) to the server x _j ′.
(2) Each server calculates Wa ′ (x _i ) + λ (x _i ) and transmits it to the restoration device 16.
(3) The restoration device 16 collects Wa ′ (x _i ) + λ (x _i ) from k servers, solves it, and calculates a.

Moreover, even without choosing a first 2ID randomly example, the 2ID the x _i + c with respect to x _i (c is an integer of 1 or more) may be a. Furthermore, the method corresponding to the secret update method 1 is shown below.

Secret update 5
[dispersion]
With reference to FIG. 61A, the distributed processing executed by the server will be described. In this process, each server has a first ID and a second ID as in the case of the secret update 4. In the following description, the server ID indicates the first ID unless otherwise specified.

Of the first server 14x1 to the nth server 14xn, one server that performs the restoration process is selected at random. The selected server, and the server 14x _d of the d. For example, it is assumed that the (k + 1) th server 14x _{(k + 1)} .

While the server 14x _d of the d can also be included in the k stand server follows, k stand servers to simplify the description will be other than the server 14x _d of the d. K stand server other than the server 14x _d of the d, for example, the server 14x _k of first server 14x ₁ ~ k th, in step 421, generates a random number Wa _'i. In step 423, the first server 14x ₁ to the k-th server 14x _k calculate the difference Ui ′ between the variance value Wa ′ (x _i ) that they already have and the newly generated Wa ′ _i .
Wa '(x _i ) = α (a + a ₁ xi + a ₂ xi ² + ... + a _k-1 xi ^k-1 ) (i = 1, ..., k-1)
Wa ' _i = α (a' + a ₁ 'xi + a ₂ ' xi ² + ... + a _k-1 'xi ^k-1 )
U _i '= Wa' (xi) -Wa'i = α {(a-a ') + (a ₁ -a ₁ ') xi + (a ₂ -a ₂ ') xi ² + ... + (a _{k -1} -a _k-1 ') xi ^k-1 }

Note that a _j ′ (j = 1,..., K−1) is a random number obtained by solving the polynomial in step 427.

In step 425, the first server 14x ₁ to the k-th server 14x _k transmit the difference U _i ′ to the d-th server 14x _d .

Server 14x _d of the d is, at step 427, to solve the k-number of polynomial, α (a-a ') , α (a 1 -a 1'), ···, α (a k-1 -a k _-1 ') is obtained, remaining n- (k + 1) stage of the server 14x _j, for example, the (k + 2) of the server 14x _{(k + 2)} ~ and the server 14x _n of the n, of the d own server 14x _The following difference value W _j ′ with respect to _d is calculated.
W _j '= α {(a ₁ -a ₁ ') xj + (a ₂ -a ₂ ') xj ² + ... + (a _k-1 -a _k-1 ') xj ^k-1 } (where j = k + 1, ..., n)

In step 429, the d-th server 14x _d transmits the difference value W _j ′ to the server 14x _j (j = k + 1,..., N). Server 14x _j is sent Wj by adding a 'and already got to have the dispersion value Wa' (x _i) as a new variance value Wa '(x _i).

Server 14x _d of the d is, at step 433, distributed as follows α a (a _₁ -a ₁ ').
Wd '(xi') = α (a-a ') + d ₁ xi' + d ₂ xi ' ² + ... + d _k-1 xi' ^k-1

In step 435, the _d-th server 14xd transmits Wd ′ (x _i ′), which is the value of the second ID, to the server 14xi (i = 1,..., N). The server 14x _d of the d is its _{Wa '(x k + 1'} ), is stored in its own storage device 34.

[Restore]
Next, with reference to FIG. 61B, a restoration process executed by each server (first server 14x ₁ to nth server 14x _m ) will be described. That is, at step 437, Wd '(x _i ') is transmitted to the server 14x _i ', and therefore at step 439, Wd' (x _i ) is received.

In step 441, Wd ′ (xi) + Wa ′ (xi) = α {a + (d ₁ + a ₁ ′) xi + (d ₂ + a ₂ ′) xi ² +... + (D _k−1 + a _{k -1} ') xi ^k-1 } is calculated.
Of the first server 14x ₁ to the n-th server 14x _m , k servers designated by the restoration device 16 transmit Wd ′ (xi) + Wa ′ (xi) to the restoration device 16 in step 443. To do.
Then, the restoration device 16 receives Wa ′ (xi) + Wd ′ (xi) from k servers and solves to calculate αa.
In this case, it is obvious that the secret calculation can be continued with Wd ′ (xi) + Wa ′ (xi) as a new variance value.
The

secret updates

4 and 5 are characterized in that the update information Σδj (xi) or Wj ′ of the variance value is calculated from k pieces of correction information δj (xi) or Uj ′ whose constant term is not 0. -Update information cannot be obtained even if one device is wiretapped. Such an approach has not been proposed so far, and this feature is indicated in claim 11.

<Sixth Embodiment>
Next, a secret search will be described. Here, the owner who has the secret information distributes the search ID corresponding to the secret information and stores it in the server system together with the distributed value of the secret information. The search IDs corresponding to are distributed and searches are performed with distributed values.
(Confidential search 1 (basic form: the search server 18 is not used))
[dispersion]
In the first dealer apparatus 12A, m pieces of secret information (distributed as described above by the dispersion of any of the first to fifth embodiments described above) are provided. The search ID is kj (j = 1,..., M). The CPU 22 of the first dealer device 12A executes the distributed processing of FIG. That is, in step 412, a random number rj for each search ID is generated, and in step 414, the following distributed values F _j (x _i ) and R _j (x _i ) are calculated.
F _j (x _i ) = rj (k _j + a _j1 x _i + a _j2 x _i ² +... + A _jk−1 x _i ^k−1 ) (i = 1,..., N)
_{_{R j (x i) = r}} j + r j1 x i + r j2 x i 2 + ... + r jk-1 x i k-1

In step 416, the variance values F _j (x _i ) and R _j (x _i ) are transmitted to the i-th server 14x _i (i = 1,..., N) for storage.

Thus, each service - server, for example, a first service - the storage device 34 of the server 14x _1, as shown in FIG. 63 (A), a search _{ID k j (j = 1,2 ...} , m / 2,... M), dispersion values F _j (x _i ) and R _j (x _i ) are stored. However, the variance values F _j (x _i ) and R _j (x _i ) are arranged in ascending order according to the search ID = kj. Furthermore, the variance value for the secret information corresponding to the search ID is also stored along with Fj (xi) and Rj (xi).

[Search]
Each server starts the search from the median value of the stored variance values, that is, the variance value identified by j = m / 2.

The CPU 22 of the restoration device 16 executes the search process of FIG. That is, in step 420, the search ID = k _j ′ is input according to the operation of the user who desires the search. In step 422, q · kj ′ obtained by multiplying the search ID = kj ′ by the random number q is set to the owner. Transmit to the first dealer device 12A.

The first dealer apparatus 12A executes the calculation / transmission processing of the variance value F _j (x _i ) in FIG. That is, in step 452, q · kj ′ is received, and in step 454, a variance value F _j ′ (x _i ) for secretly sharing q · k _j ′ as follows is calculated.
F _{j ′} (x _i ) = q · k _j ′ + b _j1 x _i + b _j2 x _i ² +... + B _jk−1 x _i ^k−1 (i = 1,..., K)

In step 456, the variance value F _j ′ (x _i ) is transmitted to the _i-th server 14x _i .
Each CPU 22 of the _i -th server 14x _i , that is, the first server 14x _i to the k-th server 14x _k executes the calculation / transmission processing of the difference tj in FIG. That is, in step 462, the variance value Fj ′ (x _i ) is received, and in step 464, the search ID j is set. When this process is first executed, in step 464, j is set to m / 2. In step 466, the variance values F _j (x _i ) and R _j (x _i ) corresponding to j are read from the storage device 34, and in step 468, the variance values F (x _i ) (i = 1,..., K). ) To the user's restoration device 16. Thereby, the restoration device 16 receives the variance value F _j (x _i ) in step 424 in FIG.

In step 426 of FIG. 64, a polynomial δ (x) that satisfies δ (0) = 0 is generated, and in step 428, the following variance value F _j (x _i ) is calculated.
F _j (x _i ) = q · F _j (x _i ) + δ (x _i ) (i = 1,..., K)

In step 430, the variance value F _j (x _i ) is transmitted to the _{i th} server 14x _i . Accordingly, the i-th server 14x _i receives the variance value F _j (x _i ) in step 470 of FIG.
In step 472, r _j is restored from the k variance values R _j (x _i ).
In step 474, a random number tj is generated, and the following difference t _j {F _j (x _i ) −r _j F _j ′ (x _i )} is calculated.
t _j {F _j (x _i ) −r _j F _j ′ (x _i )} = tj · rj · q {(k _j −k _j ′) + (a _j1 −b _j1 ) x _i +... + (a _jk-1 -b _jk-1 ) x _i ^k-1 }
In step 476, the difference t _j {F _j (x _i ) −r _j F _j ′ (x _i )} is transmitted to the restoration device 16.

The restoration device 16 receives the difference t _j {F _j (x _i ) −r _j F _j ′ (x _i )} in step 432 of FIG. 64, and in step 434, the difference t _j {F _j (x _i ) −r _j F _j ′ (x _i )} is solved to obtain a constant term, and it is determined in step 436 whether or not the constant term r _j · q (k _j −k _{j ′} ) is zero. If it is determined that the constant term r _j · q (k _j −k _{j ′} ) is 0, the search IDs match and the search ID is set to the current j in step 438. If it is determined that the constant term r _j · q (k _j −k _{j ′} ) is not 0, whether or not the present process (steps 424 to 436) has been executed a predetermined number of times, for example, log ₂ m times in step 440. Judging. If it is determined that this process (steps 424 to 436) has been executed log ₂ m times, it is determined in step 442 that there is no search ID.

If it is not determined that this process (steps 424 to 436) has been executed log ₂ m times, it is determined in step 444 whether or not the constant term r _j · q (k _j −k _{j ′} ) is positive. . If it is determined that the constant term r _j · q (k _j −k _{j ′} ) is positive, in step 446, j is set to a value smaller than j, and the i th server 14xi is instructed. For example, the search area of the search ID is set as an area smaller than j, the median value of the set search area is set to j, and the set j is instructed to the i-th server 14xi. Thereafter, the search process returns to step 424.

If it is not determined that the constant term r _j · q (k _j −k _{j ′} ) is positive, in step 448, j is set to a value larger than the j and the i th server 14xi is instructed. . For example, the search area of the search ID is set as an area larger than j, the median of the set search area is set to j, and the set j is instructed to the i-th server 14xi. Thereafter, the search process returns to step 424.

For example, when this process (steps 424 to 436) is executed first and the constant term rj · q (kj−kj ′) is determined to be positive, the search area of the search ID is smaller than j in step 442. The area is set as 1 to (m / 2) -1, and the median value of the set search area is set to 3m / 4. When this process (steps 424 to 436) is executed again and the constant term rj · q (kj−kj ′) is not determined to be positive, in step 448, the search ID search area (1 to (m / 2) -1) is set as an area larger than j = 3 m / 4, (3m / 4) +1 to (1 to (m / 2) -1), and the median value of the set search area is set to j.

When the value of j is instructed to the i-th server 14xi as described above, the determination result of whether or not j in step 478 in FIG. 66 is affirmative, and the calculation process of the difference tj is Return to step 464. Thereby, in step 464 of FIG. 66, the instructed value is set as j of the search ID. Subsequent processing (steps 466 to 476) is executed based on the set j.

The first feature is [Distribution]. As an example of claim 7, the dispersion values are arranged in ascending order according to the search ID = kj. In [Search], the first search is the median of m search IDs, that is, j. = Start with m / 2.

As an example of claim 9, the constant term rj · q (kj−kj ′) obtained by [Search] is output. Since rj · q is a positive value, if the value is positive, it means kj−kj ′> 0, that is, kj> kj ′. Therefore, the smaller median value of kj, that is, j = 3m / 4 Search again. If the constant term in the next search is also positive, it means kj> kj ', so that the median with the smaller kj is searched. On the other hand, if the constant term in the next search is negative, it means kj <kj ', so the median with the larger kj is searched. That is, even if m is large, the search is completed in log 2m times. Therefore, if there is no matching search ID even after searching log 2m times in [Search], it can be determined that the search ID is not stored.

The second feature is that in [search], the owner obtains q · kj ′ from the user, but since the random number q is applied, the user's search ID kj ′ is not known. Further, the user obtains Fj (x _i ) from the server, but since rj is applied, kj which is the server search ID is not known. In addition, the user also obtains t _j {F _j (x _i ) −r _j F _{j ′} (x _i )}, but r _j cannot be obtained because it is unknown except for F _j (x _i ). Also, the server obtains F _j (x _i ), F _{j ′} (x ⁱ ), and r _j , but the secret information is not restored unless k pieces are collated.

In [Dispersion], the dispersion values are arranged in ascending order of k _j , but they may be arranged in descending order and the direction of [Search] may be reversed. In [Search], the owner disperses q · kj ′, but the user may disperse.

Secret search 1 is simple, but both owners and users participate in the search every time. Therefore, it is necessary to perform a maximum of log 2m operations for a search for one k _{j ′,} and the maximum burden is large. . Therefore, the following shows a method in which a search unit specializing in search (high calculation capability) is provided, and only one operation is performed for one search ID for both the owner and the user. The search unit may be a separate device from the dealer device, the server system, and the restoration device, but may be present in the server system.

(Secret search 2 (using search server 18))
[dispersion]
The owner's first dealer apparatus 12A corresponds to m pieces of secret information (distributed as described above by the distribution of any of the first to fifth embodiments described above). The m search IDs to be performed are k _j (j = 1,..., M), a common random number r and a random number r _j for each search ID are generated, and the following distributed values F _j (x _i ) and R _j ( x _i ) is calculated and distributedly stored in the i- _th server 14x _i (i = 1,..., n), that is, the first server 14x ₁ to the n-th server 14x _n (a _ji , r _ji , and t _ji are also random numbers). Thus, for example, the first server 14x ₁ storage device 34, as shown in FIG. 63 (B), the variance _{_{F j (x i), R}} j (x i) is stored. Furthermore, the variance value for the secret information corresponding to the search ID is also stored along with Fj (xi) and Rj (xi).

F _j (x _i ) = rj · (k _j + t ′ _j1 x _i + t ′ _j2 x _i ² +... + T ′ _jk−1 x _i ^k−1 ) (i = 1,..., N)
Rj (x _i ) = r · r _j + r _j1 x _i + r _j2 x _i ² +... + R _jk −1x _i ^k−1
However, it is assumed that the distributed values are arranged in ascending order according to the search ID k _j .

[Search]
Each server starts the search with the median of the stored variance values, i.e. the variance value identified by j = m / 2.

The CPU 22 of the restoration device 16 executes the calculation / transmission processing of the variance value Fu (x _i ) in FIG. That is, in step 482, according to the operation of the user who desires the search, the search ID k _j ′ is input, and in step 484, the search ID k _j ′ is multiplied by the random number q q · k _j ′. Is transmitted to the first dealer 12A.

The CPU 22 of the first dealer 12A executes the calculation / transmission processing of the variance value Fo (x _i ) in FIG. That is, in step 502, q · k _j ′ is received.

In step 504, tj is generated, t _j · r is calculated in step 506, and t _j · r is transmitted to the restoration device 16 in step 508. Thereby, the restoring device 16 receives t _j · r in step 486 of FIG.

Further, the first dealer 12A calculates the following variance value Fo (x _i ) in step 510 of FIG.

Fo (x _i ) = t _j · q · k _j '+ b _j1 x _i + b _j2 x _i ² +... + B _jk-1 x _i ^k-1 (i = 1,..., N)

In step 512, the first dealer apparatus 12A transmits the variance value F _o (x _i ) to each server (14x ₁ to 14x _n ).

Each server executes the difference calculation / transmission process of FIG. That is, in step 522, the variance value Fo (x _i ) is received.

On the other hand, the restoration device 16 calculates the following variance value F _u (x _i ) in step 488 of FIG.
F _u (x _i ) = t _j · r · q + c _j1 x _i + c _j2 x _i ² +... + C _jk−1 x _i ^k−1 (i = 1,..., N)

In step 490, the variance value F _u (x _i ) is transmitted to each server. Thereby, each server receives the variance value F _u (x _i ) in step 524 of FIG.

In step 525, each server transmits R _j (x _i ), T _j (x _i ) to the search server 18. The CPU 22 of the search server 18 executes the search process of FIG. That is, in step 542, each server transmits and collects R _j (x _i ) and T _j (x _i ) k. In step 544, r · r _j and r _j · k _j are restored, and step 546 To each server. As a result, each server receives r · r _j and r _j · k _j in step 526 of FIG.

Each server calculates the following differences at step 528:
_{_{_{_{r j · k j · F u}}}} (x i) -r · r j · F o (x i) = t j · r · r j · q {(k j -k j ') + (c j1 -b j1 ) X _i +... + (C _jk−1 −b _jk−1 ) x _i ^k−1 }

In step 530, the difference is transmitted to the search server 18. Thereby, the search server 18 receives the difference in step 548 of FIG.

In step 550, the search server 18 solves the difference polynomial, obtains a constant term, and executes steps 552 to 564. Steps 552 to 564 are the same as steps 436 to 448 in FIG.

When the above instruction is given in

steps

562 and 564 in FIG. 70, step 532 in FIGS. 68 and 67 is affirmative, and the processing in steps 525 to 532 is executed. Search processing is executed.

In order to finish the user's processing at once, the user generates a random number q, conceals his / her search ID kj and shows it to the owner, and the random number tj · r related to the search ID sent from the owner Is multiplied by a random number q determined by me. This feature is shown in claim 8.
When the first owner or a different owner adds a search ID, the owner is used as a user, and the additional ID is searched as the user's search ID. If there is a matching ID, the user changes the search ID. Otherwise, the adjacent ID at the final position (if the additional ID is not in the search ID, it will not match until the end, but the search result of the adjacent ID will be reversed at the final position, and the additional ID should be in the middle position. Add the dispersion value of the additional ID to the intermediate position. However, this is sufficient when the first owner adds, but when different owners add data, even if the data is arranged in ascending order, the order of the owners will be different, so the owner's permission will be granted for each search. Necessary. Therefore, in this case, it becomes efficient if the owner indicates the conditions of the user who permits the search to the system and entrusts the search permission to the system. The above characteristics are shown in claim 17.
By the way, in the example shown in the first to fourth embodiments, α = α ₁ ... Α _k is generated, but α is a random number that differs for each secret information, so α = rj Then, Tj (x _i ) in the confidential search is an expression in the same format as Wa ′ (x _i ) of the confidential calculation. However, since the distributed value Rj (x) with respect to r · rj increases for the secret search, each server must perform a secret calculation in order to perform a mutual search between the secret information and the search ID. As shown in [Distribution] in the first to fourth embodiments, k + 1 distributed values for one secret information, and a distributed value corresponding to Rj (x _i ) for a confidential search. , K + 2 variance values need to be stored. As a result, both the secret calculation and the secret search can be realized simultaneously.

<Seventh embodiment>
Secret multiplication 1 '(Asymmetric secret sharing)
A secret multiplication method suitable for asymmetric secret sharing described in the literature [4] is shown below. Here, h represents the number of key servers for realizing miniaturization among integers from 1 to k-1. Here, it is assumed that the owner has the key server. The secret multiplication i ′ described below is a method corresponding to the secret multiplication i. In the following, a case where the owner A having the secret information a executes the processing of the h key servers by the first dealer apparatus 12A will be described. It is also possible to execute. Further, the dealer B 12B also processes the owner B having the secret information b, but it can be executed even if the key server is external and a random number is obtained therefrom. Further, when the dealer apparatus executes processing of h key servers, the key server ID is assigned to each key managed by the dealer apparatus by using one key managed by the dealer apparatus (a total of h keys). It may be encrypted and used as the key of each key server. In this case, the dealer device can play the role of h key servers by managing only one key (refer to the feature described later for a specific example).

[dispersion]
The CPU 22 of the first dealer device 12A of the owner A having the secret information a executes the distributed processing of FIG. That is, in step 572, h random numbers are generated from one key to be managed as variance values Wa (x ₁ ) to Wa (x _h ) (h is an integer equal to or less than k−1). The generated random numbers are stored in the storage device 34 of the first dealer 12A as the variance values Wa (x ₁ ) to Wa (x _h ).

In step 574, k-1-h random numbers a _{0, h + 1} to a _{0, k-1} are determined for the secret information a, and the variance values Wa (x ₁ ) to Wa (x _h ) are set to the following polynomials: To obtain the remaining h random numbers a _0,1 to a _{0, h-1} .
Wa (x _i ) = a + a _0,1 x _i +... + A _{0, k−1} x _i ^k−1 (i = 1,..., H)

In step 576, using the a and _{_{a 0,1 ~ a 0, k-}} 1, from the following formula the (h + 1) of the server _{14x (h + 1)} ~ variance server 14x _n of the n Wa (xi) Ask.
Wa (x _i ) = a + a _0,1 xi +... + A _{0, k−1} x _i ^k−1 (i = h + 1,..., N)

In step 578, the variance value Wa (x _i ) obtained in step 576 is transmitted to the _{(h + 1)} -th server 14x _{(h + 1)} to the n-th server 14x _n .

Further, the CPU 22 of the second dealer apparatus 12B of the owner B having the secret information b executes each of the above-described steps 572 to 578 of FIG. 71 independently to determine its own distributed value Wb (x ₁ ) To Wb (x _h ) and the variance values W _b (x _{h + 1} ) to W _b (x _n ) of the (h + 1) th server 14x _{(h + 1)} to the n th server 14xn, and the (h + 1) th server 14x _{(h + 1)} to the server 14x _n th to n. However, the random number a _{0, i} is b _{0, i} .

[Multiplication]
The CPU 22 of the first dealer 12A executes the multiplication process of FIG. That is, in step 582, k random numbers _{α i (i = 1, ···} , k) to generate, in step 584, calculates the product _{_{α = α 1 · α 2 ·}} ... α k.

In step 586, the variance values Wa (xi) are collected from the k servers including the first dealer device 12A, and in step 588, the k variance values Wa (x _i ) are solved to obtain a. in step 600, determine the αa multiplied by α to a, in step 602, and transmits the αa to the first server 14X1 ~ server 14x _n and second dealer apparatus 12B of the second n. Note that k random numbers α _i are stored in the storage device 34 of the first dealer 12A.

The CPU 22 of the second dealer 12B executes the multiplication process shown in FIG. That is, in step 612, k random numbers _{β i (i = 1, ···} , k) to generate, in step 614, calculates the product _{_{β = β 1 · β 2 ·}} ... β k.

At step 616, the variance value Wb (x _i ) is collected from k or more servers including its second dealer device 12B, and at step 618, the following is calculated. However, δ (x) is a k−1 order polynomial in which δ (0) = 0.
Wab ′ (x _i ) = αa · β · Wb (x _i ) + δ (x _i )

In step 620, the variance value Wab ′ (x _i ) is transmitted to the original server. Note that k random numbers β _i are stored in the storage device 34 of the second dealer 12B.

[Restore]
The first dealer apparatus 12A transmits α _j to k servers x _j (j = 1,..., K) including its own first dealer apparatus 12A and second dealer apparatus 12B. . The second dealer apparatus 12B transmits β _j to k servers xj (j = 1,..., K) including the second dealer apparatus 12B and the first dealer apparatus 12A.

Here, the k servers x _j include the first dealer device 12A, the second dealer device 12B, and the first server 12x ₁ to the (k-2) th server 12x _k-2. . Here, for simplicity, it is assumed that the first dealer apparatus 12A is identified by j = k−1, and the second dealer apparatus 12B is identified by j = k. Therefore, the first dealer device _{_{12A, α j = α k-}} 1, β j = β k-1 is transmitted, the second dealer device _{_{12B, α j = α k,}} β j = β k Is sent.

The CPUs 22 of the k servers xj (j = 1,..., K) execute αjβj calculation / transmission processing of FIG. That is, α _j (= α _k−1 ) is received from the first dealer device at step 622, β _j is received from the second dealer device at step 624, and the product α _j β _j is received at step 626. Calculate In step 628, Wab ′ (x _j ) and α _j β _j are transmitted to the restoration device 16.

The CPU 22 of the restoring device 16 of the restoring person executes the restoring process of FIG. That is, in step 630, Wab ′ (x _j ) and α _j β _j are received from k servers including the first dealer device 12A and the second dealer device 12B, and in step 632, Wab ′ (x Restore αβab from _j ). In step 634, the restoration device 16 divides αβab by α _j β _j (j = 1,..., K) to obtain ab.

The first feature of the proposed method described above is that, in step 572 of [Distribution] in FIG. 71, the first dealer apparatus 12A and the second dealer apparatus 12B only manage one key, respectively. The dispersion value that the server should have saved can be reduced. For example, k _j (j = 1,..., H) obtained by encrypting the server IDs x1 to xh using the key of the first dealer apparatus 12A is set, and the ID of a is set using k _j. The encrypted data can be defined as Wa (x _i ). That is, the first dealer apparatus 12A can realize the [distributed] process of FIG. 71 by only having one key. The same applies to the second dealer 12B. That is, since the first dealer apparatus 12A and the second dealer apparatus 12B are obtained by calculation without storing the variance value, h servers can be eliminated. This is a feature of asymmetric secret sharing, but is also effective in the above-mentioned secret multiplication.

The second feature is that, in the system having the above feature as set forth in claim 12, h random numbers are used as variance values as shown in step 572, and variance values for the remaining servers are calculated in step 574. is there. Therefore, in step 578 of [Distribution] in FIG. 71, for each secret information a, each of the n−h servers only needs to store one distribution value Wa (x _i ) per one. . In the secret multiplication 1, all servers need to store k + 1 variance values (W a (x _i ), Wah (x _i ) (h = 1,... K)) for a. However, in the secret multiplication 1 ′, n−h servers need only store one Wa (xi). The Therefore, when combined with the first feature, the distribution of the seventh embodiment can realize a significant reduction in storage capacity compared to the secret multiplication 1. The above is the feature of the storage capacity reduction by the asymmetric secret sharing. In addition, the amount of communication associated with the reduction in storage capacity can be reduced.

In the secret multiplication 1, in [distribution], the dealer apparatus A needs to send k + 1 dispersion values to n servers. On the other hand, in the secret multiplication 1 ′, the dealer apparatus A only has to send one variance value to n−h servers in step 578 of FIG. Furthermore, in the [restoration] of the secret multiplication 1, it is necessary for the k servers to collect k dispersion values. In the secret multiplication 1 ′, the first dealer 12A performs step 582 as shown in claim 12. It is only necessary to generate k random numbers and transmit one random number to each of k servers. However, the random number is synthesized in step 584 and used in step 600 to generate the concealment secret information αa. As a result, it can be seen that the amount of communication can be greatly reduced. In

Steps

616 and 618 in FIG. 73 of [Multiply], Wb (x _i ) is collected and Wab ′ (x _i ) is transmitted, so that the number of communications increases 2 (n−h) times, but the overall reduction is achieved. .

Regarding the calculation amount, the k α _j distribution processing in the secret multiplication 1 [dispersion] and the restoration processing in the [restoration] are unnecessary, but in the secret multiplication 1 ′, a random number is obtained in step 572 of FIG. 71 of [distribution]. Generation (encryption) and processing to solve the polynomial in step 574 increase. Therefore, the profit and loss are antagonized by the values of k and n with respect to the calculation amount.

In the secret division 1, the [distribution] process of the secret information is executed in the same manner as the secret multiplication 1 ′, and k random numbers such as α _j (j = 1,..., K) and a random number generated by synthesizing them are generated. , And αa and Wab ′ (xi) are generated during computation in the same way as the secret multiplication 1 ′ [multiplication], and if the dealer directly performs distribution of k random numbers in the same manner as [restoration], the secret division is performed as it is. It is clear that 1 'can be realized. However, in step 616, not Wab ′ (x _i ) = αa · β · Wb (x _i ) + δ (x _i ), but Wab ′ (x _i ) = (β / αa) · Wb (x _i ) + δ (x _i ) and β _j / α _j instead of α _j β _j in step 626.

Secret division 3 '(asymmetric secret sharing and real number correspondence)
It is also clear that division by a real number can be realized as follows. Hereinafter, a case where b / a is calculated will be described.
[dispersion]
Referring to FIG. 76, the first dealer apparatus 12A, the restoration process a second dealer device 12B, server _{x j} and decompression apparatus 16 executes will be described. The server x _j includes a specific server x _d described later.
[Distribution] of the concealment division 3 ′ is the same as that for the asymmetric secret distribution (FIG. 71), and the description thereof is omitted.

[Restore]
In step 642, the first dealer device 12A transmits the real number αj generated by its first dealer device 12A to each of the k servers x _j (j = 1,..., K).
In step 644, the second dealer apparatus 12B transmits the real number βj generated by its own second dealer apparatus 12B to each of the k servers x _j (j = 1,..., K).
Each server 14xj (j = 1,..., K) calculates β _j / α _j as a real number at step 646 and transmits β _j / α _j to the restoration device 16 at step 648.

In step 650, the restoration device 16 multiplies β _j / α _j (j = 1,..., K) as a real number to calculate β / α.

The first dealer apparatus 12A collects Wa (x _i ) from the server x _j (a total of k apparatuses) in step 654, restores a to a real number, and in step 656, converts the real number α _j to a real number. In addition, αa is calculated, and αa is transmitted to a specific server _xd in step 658.

Second dealer apparatus 12B, in step 660, collects Wb (xi) from the server _{x j,} and real numbers of restoring the b, in step 662, then real number calculating a beta from real beta _j, further calculates the βb In step 664, βb is transmitted to the specific server _xd .

The specific server _xd divides βb as a real number by αa in step 666 and transmits βb / αa to the restoration device 16 in step 668.

In step 670, the restoring device 16 divides βb / αa by β / α and calculates a real number to obtain b / a.
It is clear that multiplication, addition, and product-sum can be handled in the same way for real number operations.

In the example described above, the first dealer device 12A transmits the real number α _j to the server x _j , and the second dealer device 12B transmits the real number β _j to the server x _j . That is, the first dealer device 12A does not transmit the real number α _j to the second dealer device 12B, and the second dealer device 12B transmits the real number β _j to the first dealer device 12A. Not done. However, the first dealer apparatus 12A transmits the real number α _j to the second dealer apparatus 12B and a total of k−1 servers, and the second dealer apparatus 12B transmits the real number β _j to the first number The same processing as described above may be performed by transmitting to the dealer apparatus 12A and a total of k-1 servers. The same applies to the following.

Secret product sum 1 '(Asymmetric secret sharing)
Since the secret product sum is used for various calculations regarding the repetition of the calculation, a case where asymmetric secret sharing is used again will be shown. As a result, it is clear that the sum of the secret sharing values having different random numbers and the restoration by converting the random numbers can be similarly realized. In addition, it is obvious that the repetition such as the secret multiplication 2 and the secret division 2 can be similarly realized.
Hereinafter, a case where a · b + c is calculated will be described.

[dispersion]
In accordance with each instruction of the owners A, B, and C, each of the first dealer devices 12A to 12C independently calculates the following variance values for the secret information a, b, and c, Distributedly stored in _n servers 14x ₁ to 14x _n (i = 1,..., n). That is, the CPU 22 of the third dealer apparatus 14C also executes the distributed processing of FIG. Note that a _{0, j} is c _{0, j} .
Wa (x _i ) = a + a _0,1 x _i +... + A _{0, k−1} x _i ^k−1
Wb (x _i ) = b + b _0,1 x _i +... + B _{0, k−1} x _i ^k−1
Wc (x _i ) = c + c _0,1 x _i +... + C _{0, k−1} x _i ^k−1

[Product sum]
With reference to FIG. 77, the sum-of-product process and the restoration process executed by the CPU 22 of the first dealer apparatus 14A to the third dealer apparatus 14C, the server x _j , and the restoration apparatus 16 will be described. That is, the [distribution] and [multiplication] of the secret multiplication 1 ′ (the processes in FIGS. 71 and 72) are executed. The server 14x _i (j = 1,..., K) receives αa (step 602 in FIG. 77 (see also FIG. 72)), and Wab ′ (x _j ) = αa · β · Wb (x _i ) + Δ (x _i ) is obtained (see step 620 in FIG. 77).

The third dealer 12C generates k random numbers γi (i = 1,..., K) in step 672 of FIG. 77 and calculates the product γ.

The third dealer 12C collects the variance value Wc (x _i ) from the k servers x _j in Step 674, calculates the following variance value Wc ′ (x _i ) in Step 676, and performs Step 678. Then, the distributed value Wc ′ (x _i ) is transmitted to the server x _j . However, δ2 (x) is a k−1 order polynomial in which δ2 (0) = 0.
Wc ′ (x _i ) = γ · Wc (x _i ) + δ 2 (x _i )

The dealer apparatuses 12A, 12B, and 12C transmit α _j , β _j , and γ _j to the k servers x _j (j = 1,..., K) in

steps

678, 680, and 682, respectively.

The server x _j (j = 1,..., K) generates a random number μ _j in step 684, calculates α _j β _j / μ _j , and in step 686 restores α _j β _j / μ _j. 16 to send. The server xj calculates γ _j / μ _j in step 688 and transmits γ _j / μ _j to the restoration device 16 in step 690.

The restoring device 16 multiplies each α _j β _j / μ _j and α _j β _j / μ _j in step 692 to calculate αβ / μ and γ / μ, and in step 694, αβ / μ and γ / μ and to send to the server _{x j.}

In step 696, the server xj (j = 1,..., K) divides Wab ′ (x _j ) by αβ / μ, Wc ′ (xj) divides by γ / μ, and Wab ′ (x _j ) = μ. (Ab + ab _0,1 x _j +... + Ab _{0, k−1} x _j ^ ^k−1 ) and Wc ′ (x _j ) = μ (c + c _0,1 x _i +... + C _{0, k−1} x _i ^k−1 ) is calculated.

In step 698, the server x _j (j = 1,..., K) is Wabc ′ (x _j ) = Wab ′ (x _j ) + Wc ′ (x _j ) = μ {(ab + c) + abc _0,1 xi +. Calculate + abc _{0, k-1} xi ^k-1 }.

[Restore]
Restoration device 16 for restoring user, at step 701, to obtain Wabc '(xj) from the server _{x j,} in step 703, restores the μ (ab + c).
In step 705, the restoration device 16 obtains μ _j from the server x _j and calculates (ab + c) in step 707.

Even if the secret product sum 1 ′ corresponds to the secret product sum 1, k random numbers such as α _j (j = 1,... K) are unnecessary, and thus a large reduction in storage capacity can be realized. . In addition, the communication amount can be reduced accordingly. In addition, although random number conversion was performed using μ here, for example, by calculating α _j β _j / γ _j , only Wc '(x _j ) converts γ to αβ and aligns the random numbers to αβ. May be.

Secret multiplication 4 '
If the secret multiplication 4 that handles 0 as the secret information is modified as follows, the secret multiplication 4 ′ can be handled.

[dispersion]
Since this is the same as the concealment multiplication 1 ′ (FIG. 71) (see also step 578 in FIG. 78), the description thereof is omitted.
With reference to FIG. 78 (after step 672), the secret multiplication (multiplication and restoration) processing executed by the server _xj and the restoration device 16 will be described.

[Multiplication]
In step 672, the first dealer apparatus 12A generates k random numbers α _i (i = 1,..., K) and calculates the product α. In step 674, the second dealer apparatus 12B generates k random numbers β _i (i = 1,..., K) and calculates the product β.
The first dealer 12A collects the variance value Wa (x _i ) from the k servers x _j in step 676, and in step 678, the variance value Wa (x _{(n + xi)} ) corresponding to the server ID _{n + xi.} In step 680, the variance value Wa ′ (x _i ) obtained by multiplying the variance value Wa (x _{(n + xi)} ) by α is transmitted to the server x _j .

The second dealer 12B collects the variance value Wb (x _i ) from the k servers xj in step 682, and in step 684, the variance value Wb (x (n + x _i ) corresponding to the server ID _{n + xi.} ), And in step 686, the variance value Wb ′ (x _i ) obtained by multiplying the variance value Wb (x _{(n + xi)} ) by β is transmitted to the server xj.

In step 688, the server x _j calculates Wab (x _i ) = Wa (x _i ) · Wb (x _i ) and Wab ′ (x _i ) = Wa ′ (x _i ) · Wb ′ (x _i ). (I = 1,..., N).

[Restore]
In step 690, the first dealer apparatus 12A transmits α _j to k servers x _j (j = 1,..., K) including the second dealer apparatus 12B.

In step 692, the second dealer apparatus 12B transmits β _j to k servers x _j (j = 1,..., K) including the first dealer apparatus 12A.
In step 694, the server x _j (j = 1,..., K) calculates the product α _j β _j .
In step 696, the server x _j (j = 1,..., K) transmits Wab (x _j ), Wab ′ (x _j ), and α _j β _j to the restoring device 16 of the restoring person.

Restoring device 16, at step 698, to calculate the .alpha..beta over all α _{_j} β _j, 'by dividing the _{(x j),} Wab' Wab calculating the _(x j) / αβ.
In step 700, the restoration device 16 restores ab using 2k−1 variance values from Wab (x _j ) and Wab ′ (x _j ) / αβ.
Regarding the secret multiplication 5, r _j and q _j may be processed in the same manner as α _j and β _j during the calculation. Regarding [order conversion], α _j and β _j may be obtained directly from the dealer.
Concealment update 1 is performed as follows. One feature of asymmetric secret sharing is that the owner keeps it secret

It is possible to participate in the calculation. Therefore, if the k-1 servers are the owner, and the owner directly calculates the difference value with respect to the other servers, the server x _k becomes unnecessary. Although the owner's computational load increases, the owner can update by outputting different random numbers using the existing keys, or by changing different keys managed by himself and outputting different random numbers. In the secret updates 2 to 5, if the owner performs update processing (random number generation and calculation processing, etc.), the safety is improved.

Secret search 2 '(using search server 18)
Also for the secret search, since the owner can generate h out of T _j (x _i ) and R _j (x _i ) from one key, h servers can be reduced. Further, since the information stored in each server is only one distributed value obtained by secretly distributing k _j corresponding to the secret information without concealing it, the storage capacity is reduced. Also, the amount of calculation is reduced because R _j (x _i ) is not solved.

However, since the variance value R _j (x _i ) for the random number r _j is required, the case where R _j (xi) is also deleted as in the other embodiments is as follows. Thereby, in asymmetric secret sharing, only one shared value may be stored for one secret information for a secret search. In the following, a practical method for the secret search 2 is shown, but it is obvious that the same correspondence can be applied to the secret search 1.

[dispersion]
The CPU 22 of the owner's first dealer apparatus 12A sets the search ID for m pieces of secret information as k _j (j = 1,..., M), and the secret multiplication 1 ′ of the seventh embodiment (FIG. 71). Steps 572 to 578) are executed. That is, it generates its own distributed values T _j (x ₁ ) to T _j (x _h ) having the following form from one key, and other servers x _{h + 1} to x _n are generated using these and secret information. The distributed values T _j (x _{h + 1} ) to T _j (x _n ) are obtained and sent to each server (h is an integer equal to or less than k−1). However, it is assumed that the distributed values are arranged in ascending order according to the search ID k _j .
T _j (x _i ) = k _j + t ′ _j1 x _i + t ′ _j2 x _i ² +... + T ′ _jk−1 x _i ^k−1
(I = 1, ..., n)

[Search]
The CPU 22 of the user restoration device 16 executes the processing of steps 482 to 490 in FIG. 65, and the CPU 22 of the owner's first dealer device 12A executes the dispersion value calculation / transmission processing of FIG. The CPU 22 of the server 14xi executes the difference calculation / transmission process of FIG. 80, and the CPU 22 of the search server 18 executes the search process of FIG. Note that steps 502 to 512 of the dispersion value calculation / transmission processing in FIG. 79 are substantially the same as steps 502 to 512 in FIG.

The restoring device 16 of the user who wishes to search transmits q · k _j ′ obtained by multiplying the search ID = k _j ′ to the random number q to the owner's first dealer device 12A (step 482 in FIG. 65). 484).

The first dealer 12A receives q · kj ′ in step 502 of FIG. 79, generates t _j and r in step 504, calculates t _j · r in step 506, and in step 508 , T _j · r are transmitted to the restoration device 16. The first dealer 12A calculates the following variance value F ₀ by multiplying q · k _j ′ by t _j in step 510, and transmits the variance value F ₀ to the server in step 512.
F _o (x _i ) = t _j · q · k _j '+ b _j1 x _i + b _j2 x _i ² + ... + b _jk-1 x _i ^k-1
Therefore, the i-th server 14x _i receives the variance value F _o (x _i ) in step 522 of FIG.

The restoration device 16 multiplies t _j · r by q to calculate the following variance value F _u (x _i ) (step 488 in FIG. 65), and transmits the variance value F _u (x _i ) to each server. (Step 490).
F _u (x _i ) = t _j · r · q + c _j1 x _i + c _j2 x _i ² +... + C _jk−1 x _i ^k−1
Accordingly, the i-th server 14x _i receives the variance value F _u (x _i ) in step 524 of FIG.

In step 525A, the i- _th server 14x _i (i = 1, 2,..., K) transmits T _j (xi) to the first dealer 12A. The first dealer 12A collects k T _j (x _i ) in step 513 in FIG. 79, calculates the following variance value T ′ _j (x _i ) in step 515, and in step 517: , And the distributed value T ′ _j (x _i ) is transmitted to the _i- th server 14 x _i .

T ′ _j (x _i ) = r _j · T _j (x _i ) + δ (x _i )
Here, r _j is a random number determined for each k _j , and δ (x _i ) is a k−1 order polynomial in which δ (0) = 0.

The i-th server 14x _i receives the distributed value T ′ _j (x _i ) in step 527 of FIG.

First dealer apparatus 12A transmits r · r _j to i-th server 14xi in step 519 of FIG. The i-th server 14xi receives r · r _j in step 529 of FIG. 80, and transmits the variance T ′ _j (x _i ) to the search server 18 in step 530A.

Search server 18, at step 541 of FIG. 81, receives a T _'j (xi), in step 543, to calculate the r _j · _{k j,} in step 545, the server 14x of the i a r _j · _{k j} send to _i .
The i-th server 14xi receives r _j · k _j in step 531 of FIG. 80, calculates the following difference in step 533, and transmits the difference to the search server 18 in step 535.
r _j · k _j · F _u (x _i )-r · r _j · F _o (x _i ) = t _j · r · r _j · q {(k _j- k _j ') + (c _j1- b _j1 ) X _i +... + (C _jk−1− b _jk−1 ) x _i ^k−1 }

The search server 18 receives the difference at step 547 of FIG. 81, and solves the difference polynomial to obtain a constant term at step 549.
Thereafter, the CPU 22 of the search server 18 executes the processing of steps 551 to 563. Since steps 551 to 563 correspond to steps 552 to 564 in FIG. 68, the description thereof is omitted. When the search server 18 instructs j in

steps

561 and 563 of FIG. 81, the i-th server 14x _i receives the instruction of j, so that an affirmative determination is made in step 537 of FIG. The calculation / transmission process returns to step 525A.

<Eighth Embodiment>
A ramp-type secret sharing method is known as a method for reducing the storage capacity of a distributed value. Ramp secret sharing scheme splits the secret information S to L (≦ k) number s _1, ···, and _{_{s L, a L + 1,}} k-1 ···, the a _k-1 as a random number It is a coefficient of the second polynomial. That is, the following polynomial is established, and W (xi) is set as a variance value of the i-th server 14xi. In this case, if S is a number less than prime p (> 2 ^d ) in d bits, si becomes a number less than prime p '(> 2 ^{d / L} ) in d / L bits, and the operation is modulo p' Since this can be done, the size of the variance value becomes 1 / L and the storage capacity can be reduced.
W (x) = s ₁ + s ₂ x + ... + s _L x ^L + a _{L + 1} x ^{L + 1} + ... + a _k-1 x ^k-1
In this case, even if up to kL distributed values are collected, the random information a _i remains, so the secret information does not leak.However, if distributed values greater than or equal to k-L + 1 are collected, a _i (i = L + 1, .., K-1) is lost, and the relationship between s _i (i = 1,..., L) is known, so information partially leaks. Finally, if k variance values are known, all s _i are specified, and the secret information S is restored.

Concealment multiplication 1 ”(basic lamp type)
A secret multiplication using ramp-type secret sharing corresponding to the secret multiplication 1 is shown below. However, the secret information a, b is an integer less than a prime number p (> e ^d ) expressed in e-adic d digits, and a, b are divided into L, a _{h, j} , b _{h, j} , parameters α, β, αj, βj, etc. are assumed to be integers less than the prime number p ′ (> e ^{(d / L)} ), and operations relating to secret sharing are performed modulo the prime number q ′ (> p ′ ^u : u is an integer of 1 or more). The secret multiplication 1 "shown below is the same as the secret multiplication 1 except for the above. Therefore, the secret information a and b (real numbers) are expressed as integers for real number operations, and the integers are equal to or less than p. Yes.

[dispersion]
The CPU 22 of the first dealer apparatus 12A of the owner A having the secret information a executes the distributed processing shown in FIG. That is, in step 702, k random numbers α _i less than the prime number p ′ are generated, and the product α is calculated modulo q ′.
α = α ₁・ α ₂・・・ α _k
In step 704, the secret information a less than the prime number p is L-dispersed to be a _0,0 ,..., A _{0, L-1} less than the prime number p ′, and the following variance value is calculated.
Wa '(x _i ) = α (a _0,0 + a _0,1 x _i + ... + a _{0, k-1} x _i ^k-1 )
Wa ₁ (x _i ) = α ₁ + a _1,1 x _i + ・・・ + a _{1, k-1} x _i ^k-1
:
Wa _k (x _i ) = α _k + a _{k, 1} x _i + ... + a _{k, k-1} x _i ^k-1
However, a _{h, j} (h = 0, j = L, ..., k-1 and h = 1, ..., k, j = 1, ..., k-1) is less than p ' Random numbers, x _i, are server IDs less than q ′ (i = 1,..., N).

In step 706, the variance values Wa ′ (x _i ) and Wa _k (x _i ) are transmitted to the first server 14x ₁ to the n-th server 14 _n .

The CPU 22 of the second dealer apparatus 12B of the owner B having the secret information b executes the distributed process shown in FIG. That is, in step 712, k random numbers β _i less than the prime number p ′ are generated, and the product β is calculated modulo q ′.
β = β ₁・ β ₂・・・ β _k

In step 714, the secret information b less than the prime number p is L-dispersed into b _0,0 ,..., B _{0, L-1} less than the prime number p ′, and the following variance value is calculated (Wa ′ (xi ) And Wah (xi) modulo q).
Wb '(xi) = β (b _0,0 + b _0,1 xi + ... + b _{0, k-1} xi ^k-1 )
Wb ₁ (xi) = β ₁ + b _1,1 xi + ・・・ + b _{1, k-1} xi ^k-1
:
Wb _k (xi) = β _k + b _{k, 1} xi + ・・・ + b _{k, k-1} xi ^k-1
However, b _{h, j} (h = 0, j = L, ..., k-1 and h = 1, ..., k, j = 1, ..., k-1) is less than p ' A random number, xi, is a server ID (i = 1,..., N) less than q ′.

In step 716, the distributed values Wb ′ (xi), Wb ₁ (x _i ) to Wb _k (x _i ) are transmitted to the first server 14x ₁ to the nth server 14x _n .

[Restore]
With reference to FIG. 84, the restoration process executed by the server of the server system and the restoration device 16 will be described. One d-th server 14xd in the server system collects k Wa ′ (x _i ) from other j-th servers 14x _j (j = 1,..., K) in step 722 of FIG. In step 724, αa _{0, j} (j = 0,..., K−1) is restored using q ′ as a modulus, and αa is calculated while adding αa _{0, j} in consideration of digit alignment.

In step 726, the d-th server 14xd collects k Wb ′ (x _i ) from other j-th servers 14x _j (j = 1,..., K), and modulo q ′ in step 728. Βb _{0, j} (j = 0,..., K−1) is restored, and βb is calculated while adding βb _{0, j} in consideration of digit alignment.

The j-th server 14x _j (j = 1,..., K) participating in the restoration collects Wa _j (xi) and Wb _j (xi) corresponding to the designated j in steps 730 and 734 ( i = 1,..., k), and restores one α _j and one β _j per server modulo q ′ in steps 732 and 736

The j-th server 14x _j (j = 1,..., K) calculates the product α _j β _j in step 738 and transmits it to the restoration device 16 in step 740. In step 742, the restoration device 16 synthesizes αβ from α _j β _j .

The d-th server 14xd calculates a product αaβb of αa and βb in step 744, and transmits αβab to the restoration device 16 in step 746. In step 748, the restoration device 16 divides αβab by αβ to calculate ab.

Below, the specific example of the above process is shown. Consider the case where the secret information is a two-digit decimal number a = 12, b = 20. Therefore, p = 101 (> 10 ² ), p ′ = 11 (> 10), q ′ = 101 (> 10 ² ), and k = n = 2.

[dispersion]
(Step 702 in FIG. 82)
From k = 2, the first dealer 12A of owner A calculates α = α ₁ · α ₂ = 2 × 2 = 4, assuming that two random numbers are α ₁ = 2 and α ₂ = 2.

(Step 704)
If a (= 12) is divided into two and a _0,0 = 2 and a _0,1 = 1, and the random numbers used for Wa1 and Wa2 are a _1,1 = 3 and a _2,1 = 5, Calculated.
Wa '(1) = 4 (2 + 1 * 1) = 12
Wa '(2) = 4 (2 + 1 * 2) = 16
Wa1 (1) = 2 + 3 = 5
Wa1 (2) = 2 + 3 * 2 = 8
Wa2 (1) = 2 + 5 = 8
Wa2 (2) = 2 + 5 * 2 = 12

(Step 712 in FIG. 83)
β ₁ = 1, β ₂ = 2 and β = β ₁ · β ₂ = 1 × 2 = 2 are calculated.

(Step 714)
If b (= 20) is divided into two, b _0,0 = 0, b _0,1 = 2 and the random numbers used for Wb1, Wb2 are b _1,1 = 4, b _2,1 = 6, Calculated.
Wb '(1) = 2 (0 + 2 * 1) = 4
Wb '(2) = 2 (0 + 2 * 2) = 8
Wb1 (x1) = 1 + 4 = 5
Wb1 (x2) = 1 + 4 * 2 = 9
Wb2 (x1) = 2 + 6 = 8
Wb2 (x2) = 2 + 6 * 2 = 14

[Restore]
(Steps 722 and 724 in FIG. 84)
Wa ′ (1) = 12 = s ₁ + s ₂ , Wa ′ (2) = 16 = s ₁ + s ₂ * 2 From Wa ′ (2) −Wa ′ (1), 4 = s2 = From αa _0,1 and s1 = 12-4 = 8 = αa _0,0 , the digits are aligned to obtain αa _0,1 * 10 + αa _0,0 = 8 + 4 * 10 = 48.

(Steps 726 and 728)
βb _0,1 = 4 and βb _0,0 = 4-4 = 0 are restored to obtain βb _0,1 * 10 + b _0,0 = 4 * 10 + 0 = 40.

(Steps 730-736)
First server 14x ₁ is, alpha ₁ = 2, restores the beta ₁ = 1, the second server 14x ₂ is, alpha ₂ = 2, to restore the .beta.2 = 2.

(Steps 738 and 740)
The first server 14x1 is the _{_{α 1 * β 1 = 2 *}} 1 = 2, the second server 14x ₂ calculates the _{_{α 2 * β 2 = 2 *}} 2 = 4, and transmits the restoration apparatus 16.

(Steps 744 and 746)
αa * βb = 48 * 40 = 1920 is transmitted to the restoration device 16.

(Steps 742 and 748)
1920 / (2 * 4) = 240 is calculated.

In the secret multiplication 1, when a is 0 to 999 considering three decimal digits, p can be set to p = 1009 which is larger than 10 ³ . Therefore, since the smallest q is a prime number of q (> 10 ⁶ ), q = 1000003. Therefore, in [dispersion], it is necessary to store k + 1 dispersion values of 1000003 or less.

On the other hand, if L = 3 in the concealment multiplication 1 ″, a _0,0 , a _0,1 , a _0,2 are 0 to 9, and p == from e = 10, d = 3, L = 3 11 (> e ^{(d / L)} ), and q can be set to q = 101 from q (> e ^{(d / L) u} ), if u = 2. In [Dispersion] of “,” it is sufficient to store k + 1 dispersion values of 101 or less, and the storage capacity is reduced.

For example, when a = 583 is set while paying attention to the carry in [Restore], a _0,0 = 5, a _0,1 = 8, a _0,2 = 3. If α = 9, then modulo q = 101, αa _0,0 = 45, αa _0,1 = 72, and αa _0,2 = 27 are restored. Since a _0,0 , a _0,1 , and a _0,2 are shifted by one digit in decimal, adding αa _0,0 * 10 ² + αa ₀ by shifting by one digit in decimal ₀ * 10 + αa _0,0 = 45 * 100 + 72 * 10 + 27 = 5247 = 9 * 583 = αa. These features are set forth in claim 14.

Also, as an advantage other than the storage capacity reduction of the proposed method, each coefficient takes random numbers such as α and β, so unlike the conventional ramp type, even if there are kL or more distributed values, information does not leak, Safety is improved. Further, by using the encryption e_ _r (x) to encrypt the x in key r as follows, it is possible to further improve the safety improved. As a method of creating a ciphertext of the same size, EXOR a random number having the same size as that of the secret information, or multiplying the random number by using q ′ as a modulus.

Concealment multiplication 1 "(lamp type expansion type)
[dispersion]
In the secret multiplication 1 ″ of (lamp-type expansion type), steps 702 and 706 of FIG. 82 of the lamp-type basic form and steps 712 and 716 of FIG. 83 are executed. First, instead of step 704 of FIG. It executes the following processing. that is, making the ciphertext of the same size by encrypting e_ _r1 (αa _{0, j)} the .alpha.a _{0, j} using a key r1, following variance values Wa '(x _i), Wr1 Calculate (x _i ).
Wa '(x _i ) = e_ _r1 (αa _0,0 ) + e_ _r1 (αa _0,1 ) x _i + ... + e_ _r1 (αa _{0, k-1} ) x _i ^k-1
Wr ₁ (x _i ) = r ₁ + r _1,1 x _i + ... + r _{1, k-1} x _i ^k-1
However, a _{h, j} (h = 0, j = L, ..., k-1 and h = 1, ..., k, j = 1, ..., k-1) is less than p ' Random number, xi is server ID less than q '(i = 1, ..., n)
Second, in place of step 714 in FIG. 83, the following processing is executed. That is, create a ciphertext of the same size by encrypting e_ _r1 (αa _{0, j)} the .alpha.a _{0, j} using the key r _1, following dispersion value Wb '(xi), calculates the Wr2 (xi).
Wb '(x _i ) = e_ _r2 (βb _0,0 ) + e_ _r2 (βb _0,1 ) x _i + ... + e_ _r2 (βb _{0, k-1} ) x _i ^k-1
Wr2 (x _i ) = r2 + r _2,1 x _i + ... + r _{2, k-1} x _i ^k-1
However, a _{h, j} (h = 0, j = L, ..., k-1 and h = 1, ..., k, j = 1, ..., k-1) is less than p ' Random number, x _i is server ID less than q '(i = 1, ..., n)

[Restore]
With reference to FIG. 85, the restoration processing executed by the server in the server system and the restoration device 16 will be described.
One d-th server 14xd in the server system collects k Wr ₁ (x _i ) and Wr ₂ (x _i ) from other servers in steps 722 ′ and 726 ′ in FIG. At 724 'and 728', r1 and r2 are restored.

Server 14xd of the d is, "in, Wa 'a (x _i) k pieces collected from other servers, step 724" step _{_{722, e_ r1 (αa 0, j}} ) (j = 0, ···, k -1) is restored, αa _{0, j} is restored using r _1, and αa is calculated while adding αa _{0, j} in consideration of digit alignment.

Server 14x _d of the d is, "in, Wb 'a (x _i) k pieces collected from other servers, step 728" step _{_{726, qe_ r2 (βb 0, j}} ) (j = 0, ···, k-1) is restored, βb _{0, j} is restored using r _2, and βb is calculated while adding βb _{0, j} in consideration of digit alignment.

Thereafter, the same processing as the processing after Step 730 in FIG. 84 of the secret multiplication 1 ”[restoration] is executed to obtain ab.

It is obvious that the repetition of concealment multiplication (concealment multiplication 2) can be similarly expanded if both the basic form and the expansion system are taken into account when the digits are restored in the middle stage.

In addition, regarding the secret division of the second embodiment and the repetition of the calculation of the third embodiment, it is obvious that both the basic form and the extended system can be similarly expanded if considering the digit alignment when restored in the middle stage. is there. However, the addition of the variance values can be applied as it is because it is addition for each digit if random number conversion is performed in the basic form. In the extended system, the random number required for each digit is different, so it is necessary to restore and add the random numbers together while aligning the digits. The basic algorithm is shown below.

[dispersion]
The first dealer apparatus 12A of the owner A calculates the following variance value by dividing the secret information a into L and a _0,0 ,..., A _{0, L−1} . However, a _{h, j} (h = 0, j = L, ..., k-1 and h = 1, ..., k, j = 1, ..., k-1) is less than p ' A random number, xi, is a server ID (i = 1,..., N) less than q ′.
Wa (x _i ) = a _0,0 + a _0,1 x _i + ... + a _{0, k-1} x _i ^k-1

The second dealer apparatus 12B of the owner B calculates the following variance value by dividing the secret information b into L and b _0,0 ,..., B _{0, L−1} . However, b _{h, j} (h = 0, j = L, ..., k-1 and h = 1, ..., k, j = 1, ..., k-1) is less than p ' A random number, xi, is a server ID (i = 1,..., N) less than q ′.
Wb (xi) = b _0,0 + b _0,1 xi + ... + b _{0, k-1} xi ^k-1
The distributed values Wa (x _i ) and Wb (x _i ) are transmitted to the first server 14x _i to the nth server 14x _n .

[Add]
The i-th server 14x _i (i = 1,..., N) calculates:
Wab (x _i ) = Wa (x _i ) + Wb (x _i ) = (a _0,0 + b _0,0 ) + (a _0,1 + b _0,1 ) x _i + ... + (a _{0, k-1} + b _{0, k-1} ) x _i ^k-1

[Restore]
The restoration device 16 collects the sum Wab (xi) of k variance values from k servers in the _i- th server 14x _i , solves it, and (a _0,0 + b _0,0 ),.・, (A _{0, L} + b _{0, L} ) is obtained.

The restoration device 16 adds (a _0,0 + b _0,0 ),..., (A _{0, L} + b _{0, L} ) while aligning digits to obtain a + b.

In the case of multiplication of variance values according to the fourth embodiment, it cannot be applied as it is because it is not restored in the middle. However, for example, when considered in e-adic, the secret information a can be expressed as a = a _0,0 + a _0,1 e + ... + a _{0, k-1} e ^k-1 , and the product of ab is
ab = (a _0,0 + a _0,1 e + ... + a _{0, k-1} e ^k-1 ) (b _0,0 + b _0,1 e + ... + b _{0, k-1} e ^k-1 ) = (a _0,0 b _0,0 ) + (a _0,0 b _0,1 + a _0,1 b _0,0 ) e + ... + (a _{0, k-1} b _{0, k-1} ) e ^2k-1 .
Thus, in the basic form of secret sharing, Wa (x) = a _0,0 + a _0,1 x + ... + a _{0, k-1} x ^k-1 , Wb (x) = b _0,0 + b _{0 , 1} x + ... + b _{0, k-1} x ^k-1 , the product is Wa (x) Wb (x) = (a _0,0 + a _0,1 x + ... + a _{0 , k-1} x ^k-1 ) (b _0,0 + b _0,1 x + ... + b _{0, k-1} x ^k-1 ) = (a _0,0 b _0,0 ) + (a _0,0 b _0,1 + a _0,1 b _0,0 ) x + ... + (a _{0, k-1} b _{0, k-1} ) x ^2k-1 Represents. Therefore, the secret multiplication can be realized as follows. However, digit alignment (steps 724 "and 728") in [Restore] is to treat each coefficient as a value of each digit as described above.

Secret multiplication 3 "(0 correspondence)
[dispersion]
In step 704 of FIG. 82 in the secret multiplication 1 ″, Wa (xi) = a _0,0 + a _0,1 xi +... + A _{0, k−1} xi ^k−1 , and in step 714 of FIG. (xi) = b _0,0 + b _0,1 x _i +... + b _{0, k−1} x _i ^k−1 is added.
[Multiplication]
Since it is the same as the secret multiplication 3, its description is omitted.
[Restore]

The restoring device 16 of the restoring person obtains each coefficient using 2k−1 variance values from Wab (x _j ) and Wab ′ (xj) / αβ, and restores ab while aligning digits.

In the above, Wa (xi) or Wb (x _i ) is secretly distributed without applying a random number. For example, in [Distribution], Wa (x _i ) = γWa (x _i ), Wb (xi) = δWb (x _i ), Γ = γ1 ... γk, δ = δ ₁ ... δ _k , perform [multiplication], and in [restoration], remove αβ from Wa '(x _i ) Wb' (x _i ) In addition, a process of removing γδ from Wa (x _i ) Wb (x _i ) may be performed. In this case, since random numbers are applied to all the distributed values, there is no problem that secret information is partially leaked from the distributed values of k-1 or less of the ramp-type secret sharing, and the safety is improved.

Since the secret information S is not changed in the update of the fifth embodiment, coefficients other than the constant term are manipulated. In the ramp type, the secret information is also present in the coefficient other than the constant term, so that the basic form can be similarly realized by manipulating the coefficient not including the secret information. Therefore, if the secret information is distributed as [Distributed] of the secret multiplication 1, the secret update 1 uses kL units for generating random numbers and n-k + L servers for receiving the difference value. That's fine. Further, the confidentiality update 2 uL random numbers d _iL, · · ·, from _{d iu-1 δi (x)} = d iL x L + d iL + 1 x L + 1 + ··· d iu-1 x u ^Just generate ^-1 . The secret update 3 may also have δ (x) similar to δi (x). In the extended form, the part that needs to be restored is a coefficient including secret information, and this part is not updated. In addition, the random number part is encrypted in form, but it is not necessary to encrypt it. Therefore, the random number part can be updated in the same manner as in the basic form. Further, it is obvious that the

secret updates

4 and 5 can be similarly realized.

Secret search 1 "(basic form: the search device 18 is not used)
In the secret search according to the sixth embodiment, if kj, which is a search ID, is divided into L and a match / mismatch of each coefficient is confirmed, a partial search can be performed as follows.

[dispersion]
The CPU 22 of the first dealer device 12A executes the distributed processing of FIG. 86 (A). That is, in step 752, m search IDs corresponding to m pieces of secret information (distributed by the distribution in the above embodiments) are divided into L and k _j (j = 1,..., M). , K _j0 ,..., K _jL−1 , a random number rj for each kj is generated in step 754, and the following variance values T _j (x _i ) and R _j (x _i ) are calculated in step 756. (R _ji and t _ji are also random numbers).
T _j (x _i ) = r _j · (k _j0 + ... + k _jL-1 x _i ^L-1 + t _jL x _i ^L + ... + t _jk-1 x _i ^k-1 ) (i = 1 , ..., n)
R _j (x _i ) = r _j + r _j1 x _i + r _j2 x _i ² +… + r _jk-1 x _i ^k-1
In step 758, the distributed values T _j (x _i ) and R _j (x _i ) are transmitted to the servers xi (i = 1,..., N) for distributed storage.

It is assumed that the distributed values are arranged in ascending order according to the search ID kj. For example, as shown in FIG. 86 (B), the storage device 34 of the first server 14x1 stores the distributed values T _j (xi) and R _j (x _i ) in ascending order according to kj. ing. Note that a variance value corresponding to the secret information is associated with the variance values T _j (xi) and R _j (x _i ).

[Search]

The CPU 22 of the restoring device 16 executes the instruction processing of j in FIG. 87, and the CPU 22 of the first dealer device 12A executes the calculation transmission processing of Fj ′ (xi) in FIG. 88, and the i-th server 14xi ( The CPU 22 of the first server 14x ₁ to the _n-th server 14x _n ) executes the search process of FIG. The i-th server 14x _i starts the search from the median storage variance value, that is, j = m / 2.

In step 762 of FIG. 87, the restoration device 16 inputs k _j ′, which is a search ID, in accordance with the operation of the user who desires the search, in step 764 divides kj ′ into L, and in step 766, k _j ′ Q · k ′ _ji (i = 0,..., L−1) multiplied by a random number q is calculated, and in step 768, q · k ′ _ji is transmitted to the first dealer 12A.

The first dealer 12A receives q · k ′ _ji in step 804 of FIG. 88, and performs ramp-type secret sharing of q · k ′ _ji in

steps

806 and 808. That is, the first dealer 12A calculates the following F _j ′ (x _i ) in step 806 (a random number of order L or higher is b ′ _ji = q · b _ji ), and in step 808 F _j ′ (x _i ) is transmitted to the _i- th server 14x _i .
F _j ′ (x _i ) = q (k ′ _j0 +... + K _jL-1 x _i ^L-1 + b _jL x _i ^L +... + B _jk-1 x _i ^k-1 ) (i = 1,…, n)

The i-th server 14xi receives F _j ′ (x _i ) from the first dealer 12A at step 812 in FIG. 89, and sets j at step 814. When this process is executed for the first time, j is set to m / 2. In step 816, T _j (xi) (i = 1,..., K) corresponding to _j is read, and in step 818, T _j (x _i ) is transmitted to the user's restoration device 16.

The restoring device 16 receives T _j (x _i ) in step 770 of FIG. 87, and in step 772, δ (x) = d _L x _i ^L +... + D _k-1 x _i ^k-1 In step 774, the following F _j (x _i ) is calculated. In step 776, F _j (x _i ) is transmitted to the _i- th server 14x _i .
F _j (x _i ) = q ・ T _j (x _i ) + δ (x _i ) (i = 1, ..., k)

The i-th server 14x _i receives F _j (x _i ) from the restoration device 16 at step 820 in FIG. 89, and restores r _j from R _j (xi) at step 822.

In step 824, a random number t _j is generated. In step 826, the following difference is calculated, and in step 828, the difference is transmitted to the restoration device 16.
tj {F _j (x _i ) -rjF _j '(x _i )} = tj ・ rj ・ q {(k' _j0 -k _j0 ) + ・・・ + (k ' _jL-1 -k _jL-1 ) x _i ^L-1 + (b _jL -t ' _jL ) x _i ^L + ... + (b _jk-1 -t' _jk-1 ) x _i ^k-1 }
Where t ' _ji = t _ji + d _i / q

In step 778 of FIG. 87, the restoration device 16 receives the difference, and in step 780, solves the difference polynomial to obtain a constant term. In step 782, whether the coefficient difference of any constant term is 0 or not. Judging. If only one partial match is required, processing similar to the processing after step 551 in FIG. 81 can be executed after step 782. However, a process for checking whether the partial search IDs higher than the partial match search IDs that have been found first match is described below. It is assumed that this is also searched from the median. Further, since the difference between the search IDs that are not decomposed into L pieces in the fifth embodiment is dominated by the result of the upper digit, the entire search position is set to the difference value of the most significant digit in the fifth embodiment. The search is performed in the same manner as the entire difference value in. If there is a partial match, for the sake of simplicity, it is assumed that a partial match of the ID of the upper digit of the ID is searched.

As described above, in step 782, a search based on the coefficient difference is performed to determine whether or not there is 0 in any coefficient difference. If some coefficient difference is not 0, the coefficient difference of the most significant digit is set as the overall difference, and similarly to the fifth embodiment, j is incremented by 1, a next search position is determined, and the process returns to step 770. .

(1) If it is determined in step 782 that there is a coefficient difference of 0, the coefficient difference of the lower digit of the ID is viewed. For the sake of simplicity, the partial search ID that is found first is k _ji and the partial search ID of the upper digit is k _ji-1 . That is, in step 786, the variable i for identifying the digit is decremented by one.
In step 788, it is determined whether or not the coefficient difference of the lower digit i is 0. If it is determined that the lower digit i is 0, the search ID is set to j in step 790 and the process is terminated. If the lower digit i is not determined to be 0, it is determined in step 792 whether or not the coefficient difference of k _ji-1 in the lower digit i is positive. If it is determined to be positive, the search position j is incremented by 1 in step 794, and if it is determined to be negative, the search position is decremented by 1 in step 796.
In step 798, it is determined whether or not the coefficient difference of k _ji between the previous time and the current time remains zero.

(2) When the coefficient difference k _ji between the previous and the current is not 0, as the condition is not satisfied, at step 800, as no search ID, and terminates the processing, coefficient difference k _ji between previous and current If 0 is 0, j in step 794 or step 796 is designated, and the process returns to step 770 to perform a search based on the coefficient difference.

The above is a partial match and a continuous match of the upper digits. However, when a matching partial search ID is designated, it may be set at step 782 as “is the specified coefficient difference 0?”. If the upper digits are consecutively matched, the next search direction based on the coefficient difference of k _ji-1 may be reversed (i ← i + 1). Further, if it is not necessary to match continuously, “i ← i−1” in step 786 is set to “i ← r (r = 1,... L, i ≠ r)”, and “lower digit” in step 788) In step 790, “other coefficient difference” is set to “other coefficient difference”, “the coefficient difference of the low-order digit i is 0” is “is there any k _jr whose coefficient difference is 0”, and in step 790, “The search position is shifted by 1 in a predetermined direction and the search is performed using the coefficient difference”. In addition, when it is desired to see three or more matches, the process may be repeated by replacing two matching states with one matching state.

By the way, if the above [search] is the same process as the secret search 1 [search], and a search is performed for a distributed value in which the differences of all search IDs are 0, a normal secret search can be realized. In addition, when a normal secret search is performed and a search ID that completely matches is not found, the process returns to the position where the partial match is the highest in the search process, and the coefficient difference determination process for the constant term (process after step 782) It is also possible to perform the partial search enlargement process. Furthermore, when the user sends q · k ′ _ji (i = 0,..., L−1) to the owner's first dealer device 12A in [Search], the importance is assigned to q · k ′ _ji ( If specified for every i = 0, ..., L-1), partial search according to its importance is possible. For example, 'if _j3 is the most important, before and after the k in the search program' k If a partial match in such _j2 and k _'j4, narrow the k'j3 broad match by searching the intermediate It is also possible to go.

Also, for the expanded form, it is difficult to apply when the cipher e_r (x) is a cipher such as AES. For example, when encrypting by multiplying the coefficient a _i by the random number t ⁱ , the following expansion Is possible.

Secret search 1 "(Extended type: Search device 18 is not used)
[dispersion]
The distributed processing is the same as that in FIG. That is, the first dealer apparatus 12A of the owner, the m-number of search ID corresponding to the m secret _{information, k j (j = 1,} ..., m) and with L divided k _j0, · · ·,
k _jL-1 (step 752), random numbers r _j and t for each k _j are generated (step 754), the following variance value T _j (x _i ) is calculated (step 756), and the variance value T _j (x _i ), R _j (x _i ) are distributed and stored in the i-th server 14xi (i = 1,..., n) (r _ji and t _ji are also random numbers) (step 758).
T _j (xi) = rj · (k _j0 + ... + t ^L-1 k _jL-1 x _i ^L-1 + t ^L t _jL x _i ^L + ... + t ^k-1 t _jk-1 x _i ^k-1 ) (i = 1,…, n)
R _j (x _i ) = rj + r _j1 x _i + r _j2 x _i ² +… + r _jk-1 x _i ^k-1
However, it is assumed that the distributed values are arranged in ascending order according to the search ID kj.
[Search]

The CPU 22 of the restoring device 16 executes the instruction process j shown in FIG. 87, and the CPU 22 of the first dealer 12A executes the calculation / transmission process of F _j ′ (x _j ) shown in FIG. The CPU 22 of the server 14x _i executes the search process of FIG.

The restoration device 16 of the user who desires the search uses q · k ′ _ji (i = 0,..., L−1) obtained by dividing the search ID kj ′ by L and multiplying by the random number q into the first owner. To the dealer apparatus 12A (steps 762 to 768 in FIG. 87).

The owner's first dealer 12A multiplies q · k ′ _ji 0 by t ⁱ and distributes the lamp-type secret and transmits the following to the i-th server 14x _i (the random number of the Lth order or higher is b ′ _ji = t ⁱ q · b _ji ) (steps 804 to 808 in FIG. 88).
Fj '(x _i ) = q (k' _j0 + ... + t ^L-1 k _jL-1 x _i ^L-1 + t ^L b _jL x _i ^L + ... + t ^k-1 b _{jk- 1} x _i ^k-1 ) (i = 1,…, n)

The i-th server 14x _i transmits the stored T _j (x _i ) (i = 1,..., K) to the user restoration device 16 (steps 814 to 818 in FIG. 89).

Restoring device 16, [delta] (x) = generates a _{_{^{d L x i L + ··· +}}} d k-1 x i k-1, to the server 14x _i of the i by calculating the following (FIG. 87 Steps 770 to 776).
F _j (x _i ) = q ・ T _j (x _i ) + δ (x _i ) (i = 1, ..., k)

The i-th server 14x _i restores rj from Rj (x _i ) (step 822 in FIG. 89).

The i-th server 14x _i generates a random number t _j , calculates the following difference, and transmits it to the restoration device 16 (steps 826 and 828).
tj {F _j (x _i ) -rjF _j '(x _i )} = t _j・ r _j・ q {(k' _j0 -k _j0 ) + ... + t ^L-1 (k ' _jL-1- k _jL-1 ) x _i ^L-1 + t ^L (b _jL -t ' _jL ) x _i ^L + ... + t ^k-1 (b _jk-1 -t' _jk-1 ) x _i ^k-1 } Where t ' _ji = t _ji + d _i / q

The subsequent processing (after step 782 in FIG. 87) is the same as the confidential search 1 ″ [search].

Next, it will be explained that the miniaturization of the seventh embodiment and the miniaturization by the lamp type of the eighth embodiment can be compatible. For example, if k = 3, the number of servers to be reduced is k-1 = 2 and the secret information can be divided up to k = 3. Therefore, the secret information is divided into two with L = 2, and the number of servers is reduced by one. Is possible. In other words, if the number of servers to be reduced is h and the number of divisions is L, both can be satisfied if h + L ≦ k. Hereinafter, as an example, a case where h + L = k is shown.

Secret multiplication 1 ”(Asymmetric secret sharing)
[dispersion]
The first dealer apparatus 12A of the owner A having the secret information a generates h random numbers from one key to be managed, and uses them as distributed values Wa (x ₁ ) to Wa (x _h ). (H is an integer equal to or less than k−1) (step 572 in FIG. 71).

The first dealer apparatus 12A divides the secret information a into L = kh to be a _0,0 to a _{0, L-1} and sets the h variance values Wa (x ₁ ) to Wa (x _h ) as follows: The remaining kL = h random numbers a _{0, L 1} to a _{0, k−1} are _{obtained by} solving as a polynomial (step 574 in FIG. 71).
Wa (x _i ) = a _0,0 + a _0,1 xi + ... + a _{0, k-1} xi ^k-1 (i = 1, ..., h)

The first dealer apparatus 12A uses Wa (x _i ) to determine the distributed values of the remaining (h + 1) th servers 14x _{h + 1} to 14x _n and transmits them to the i th server 14x _i (step) 576).
Wa (x _i ) = a _0,0 + a _0,1 xi + ... + a _{0, k-1} x _i ^k-1 (i = h + 1, ..., n)

The second dealer apparatus 12B of the owner B having the secret information b executes the processing of steps 572 to 578 in FIG. 71 independently using one key to be managed, and has its own distributed value Wb (x ₁ ) To Wb (x _h ) and distributed values Wb (x _{h + 1} ) to Wb (x _n ) possessed by the servers x _{h + 1} to x _n are obtained and sent to each server.

[Multiplication]
The first dealer 12A generates k random numbers α _i (i = 1,..., K) and calculates the product α (

steps

582 and 584 in FIG. 72).

The second dealer 12B generates k random numbers β _i (i = 1,..., K) and calculates the product β (steps 612 and 614 in FIG. 73).

The first dealer 12A collects variance values Wa (x _i ) from k servers including itself, solves k variance values Wa (x _i ), finds a _{i, j} and performs digit alignment. Then, a is calculated, and αa multiplied by α is transmitted to the restoration device 16 (steps 586 to 602 in FIG. 72).

The second dealer 12B collects the variance values Wb (x _i ) from the k servers including itself, solves the k variance values Wb (x _i ), finds b _{i, j} and performs digit alignment. Then, b is calculated, and βb multiplied by β is transmitted to the restoration device 16 (616 to 620 in FIG. 73).

[Restore]
The first dealer apparatus 12A transmits α _j to k servers x _j (j = 1,..., K) including itself and the second dealer apparatus 12B (step 622 in FIG. 74).
The second dealer apparatus 12B transmits β _j to k servers x _j (j = 1,..., K) including itself and the first dealer apparatus 12A (step 624).
The k servers x _j (j = 1,..., K) calculate the product α _j β _j (step 626).
The server x _j (j = 1,..., K) transmits Wab ′ (x _j ) and α _j β _j to the restoration device 16 (step 628).
The restoration device 16 calculates αβ by multiplying α _j β _j (j = 1,..., K) (

steps

630 and 632 in FIG. 75).
The restoration device 16 calculates αa · βb / αβ to obtain ab (step 634 in FIG. 75).
Thus, the miniaturization of the seventh embodiment and the miniaturization by the lamp type of the eighth embodiment can be compatible.

<Ninth embodiment>
As a method for reducing the amount of calculation in the (k, n) threshold secret sharing method, a method for treating secret information as a bit string and realizing secret sharing only by an XOR operation (hereinafter referred to as XOR method) has been proposed. Since this XOR method does not have homomorphism, there is a problem that it cannot cope with a secret calculation. On the other hand, the XOR method has been extended to treat secret information as a multi-valued numerical value instead of a bit string, and a method (hereinafter multi-valued method) that can perform secret sharing only by addition and subtraction instead of XOR [5] . However, the method [5] has a large number of modulo and is not efficient. Furthermore, as for this method, a secret information distribution method, restoration method, and addition / subtraction have been proposed, but a multiplication method has not been proposed.

Therefore, the distribution and restoration algorithm of the basic multilevel method with the optimal value of the method is shown below.
Let S (<e ^d ) be an e-decimal d-digit integer less than the prime number p, and Si (<e ^{d / (n-1)} ) obtained by dividing it by n-1 (i = 1, ..., n-1), random number r _i ^j is also an integer of the same size as Si, and the operation is performed using the prime number p '(<e ^{d / (n-1)} ) as the modulo (the method in [5] is modulo p Has been calculated). This feature is indicated in claim 13.
In the ninth embodiment, the nth server 14xn is the 0th server 14x0.

Multilevel method 1 (basic form)
[dispersion]
The CPU 22 of the first dealer apparatus 12A executes the distributed processing of FIG. That is, in step 832, the secret information S is divided into n-1 partial secret information as follows. However, S ₀ = 0.

In step 834, (k−1) n−1 random numbers r ^α _β having the same size as S are generated independently.

In step 836, partial dispersion information W _{(i, j)} is generated by 0 ≦ i ≦ n−1,0 ≦ j ≦ n−2 according to the following equations.

However, the sign of S _ji when i = 1 and j = 2, 3, i ≧ 2 and j = 1 is reversed. {} Means addition (Σ) from h = 0 to k−2.

In

step

838, 0 ≦ i ≦ n- 1 in each partial shared information _{W (i, 0), W} (i, 1), ..., generates the W _{(i, n-2)} connected to the shared information W _i To do.

In step 840, the shared information W _i is transmitted to the i-th server 14x _i .

[Restore]
The CPU 22 of the restoration device 16 executes the restoration process of FIG. That is, in step 842, k pieces of distributed information W _t0 ,..., W _tk-1 (0 ≦ t ₀ ≦... ≦ t _k ≦ n−1) used for restoration are collected from k servers. In step 844, k pieces of shared information W _t0 ,..., W _tk-1 are divided into the following partial shared information.

In step 846, a binary vector V _{(ti, j)} is generated using the divided partial dispersion information.

For example, in the case of the partial dispersion information W (t _i , j), the binary vector V _{(ti, j)} is as follows.

In step 848, the following matrix is generated from the vectors V _(t0,0) ,..., V _{(tk-1, n-2)} .

In step 850, the partial dispersion information is represented as the following vector W _{(t0,..., Tk-1)} .

In step 852, using Gauss-Jordan elimination

The binary number

To obtain a vector S _{(k, n)} of all partial secret information.

G _{(k, n)} is expressed as follows.

At this time, the following equation can be obtained by using Gauss-Jordan elimination in equation (4).
S _{(k, n)} = G _{(k, n)}・ R _{(k, n)}

S _{(k, n)} can be expressed as follows.

S _{(k, n)} = (S ₁ , S ₂ ,…, S _n-1 , *,…, *) ^T

Therefore, all partial secret information is obtained.

In step 854, all pieces of partial secret information are concatenated to obtain secret information S.

Hereinafter, an example for the multilevel method 1 (basic system) will be described.
[dispersion]
As an example for the above, a case where k = 3 and n = 5 will be described. Consider a case where the secret information S is S = 3582 (0 ≦ i ≦ 4, 0 ≦ j ≦ 3) and is divided into n-1 pieces (every digit). Therefore, S (<10 ⁴ ) and Si (<10). Therefore, the operation is performed modulo p ′ = 11 ([5] is modulo p exceeding 10 ⁴ ).
The secret information S (= 3582) is divided as follows (step 832).

The pseudo random number r is set to the following value (step 834).

In step 836, the following is calculated: Since h = 0 to k−2 = 1 are added, r ¹ _{i + j} with r ⁰ _j and j = 1 is added as follows.

However, the sign of S _ji is reversed at the next time. i = 1 and j = 2, 3, i ≧ 2 and j = 1

Table 1 below shows a configuration table of partial shared information distributed to users.

Partially distributed information configuration table

Distributed information _{W 0} of the server _{P 0} is a 6392.
Distributed information _{W 1} of the server _{P 1} is a 106,910.
Distributed information _{W 2} of the server _{P 2} is a 0103.
Distributed information _{W 3} of the server _{P 3} is a 5592.
The shared information W ₀ of the server P ₄ is 24610.

[Restore]
Consider the restoration process when the shared information W ₀ , W ₁ , W _{2 of the} users P ₀ , P ₁ , P ₂ gather (step 842).
A vector W _(0,1,2) representing all partial variance information,

Is as follows (steps 844 to 846).

By using Gauss-Jordan elimination

The

To obtain a vector S _(3,5) of all partial secret information (step 852).

Therefore, since all the partial secret information has been restored, the secret information S is restored by concatenating them (step 854).

Concealment addition 1 "'
Next, the secret addition of secret information by adding the variance values shown in the document [5] will be described below. However, in this case, since Si is an integer less than the prime number p ′ (< ^{ed / (n-1)} ), the prime number q (< ^{ed / (n-1) +1} ) larger than Si + Si 'is modulo. Is calculated as follows.

[dispersion]
The CPU 22 of the owner's first dealer 12A having the secret information a executes steps 832 to 840 of FIG. That is, by dividing the secret information a in place of the secret information S into n-1 pieces of partial secret information A1, · · ·, generates An-1, the dispersion value to the server 14x _i of the i Wai = Wa ( i, 0),..., Wa (i, n-1) are calculated and transmitted to the _i- th server 14xi.

Further, the CPU 22 of the second dealer apparatus 12B of the owner B having the secret information b executes steps 832 to 840 in FIG. 90 of the multi-value quantization method [distribution]. That is, by dividing the secret information b in place of the secret information S into n-1 pieces of partial secret information B1, · · ·, generates Bn-1, the dispersion value to the server 14x _i of the i Wbi = Wb ( i, 0),..., Wb (i, n-1) are calculated and transmitted to the _i- th server 14xi.

[Add]
The i-th server 14x _i calculates:
Wabi = Wai + Wbi = W (i, 0), W (i, 1), ..., W (i, n-1)
Where W (i, j) = Wa (i, j) + Wb (i, j)

[Restore]
The CPU 22 of the restoring device 16 of the restoring person executes the restoring process of FIG. That is, in step 862, Wabi is collected, and in step 864, a binary vector V (t _i , j) is generated based on the following equation using Wabj.

In step 866, the addition result a + b is restored. That is, since the relationship between W (ti, j) and R (k, n) is as described above, by obtaining R (k, n) using the Gauss-Jordan elimination method, (A1 + B1, ..., An-1 + Bn-1, ***) is obtained as S = a + b.

Next, an example of the multivalue conversion method for the secret addition 1 ″ ′ will be described.
An example in the case of k = 2, n = 3, A = 23, and B = 68 is shown below. Here, since both A and B are two-digit values, it is assumed that p = 101, p ′ = 11 and q = 23, and the operation is performed modulo q.

[dispersion]
The first dealer apparatus 12A of user A divides the secret information A = 23 held into two to make A1 = 2 and A2 = 3, and the secret is distributed by the multi-value method (however, A0 = 0) (FIG. 90, step 832 to step 840). Here, (k−1) n−1 = 2 random numbers are assumed to be r0 = 5 and r1 = 4.

Wa0 = (Wa00) (Wa01) = (A0 + r0) a (A1 + r1) = (5 ) (6), and transmits to the 0th server 14x _0.
Wa1 = (Wa10) (Wa11) = (A2 + r0) (A0 + r1) = (8) (4) , and transmits first to the server 14x _1.
Wa2 = (Wa20) (Wa21) = (A1 + r0) (- A2 + r1) = (7) to (1), and transmits the second to the server 14x _2.

The user B divides the secret information B = 68 held in the second dealer apparatus 12B into two to make B1 = 6 and B2 = 8, and the secret is distributed by the multi-value method (however, B0 = 0) (FIG. 90). Step 832 to Step 840). Here, (k−1) n−1 = 2 random numbers are assumed to be t0 = 7 and t1 = 8.
Wb0 = (Wb00) (Wb01) = (B0 + t0) (B1 + t1) = (7) (14) and transmitted to the 0th server 14x _0.
Wb1 = (Wb10) (Wb11) = (B2 + t0) (B0 + t1) = (15) to (8), and transmits first to the server 14x _1.
Wb2 = (Wb20) (Wb21) = (B1 + t0) (- B2 + t1) = (13) (0) , and transmits the second to the server 14x _2.

[Add]
Each server calculates:
The 0th server 14x0 calculates Wab0.
Wab0 = (Wa00 + Wb00) (Wa01 + Wb01) = (W00) (W01) = (5 + 7) (6 + 14) = (12) (20)
The first server 14x1 calculates Wab1.
Wab1 = (Wa10 + Wb20) (Wa11 + Wb21) = (W10) (W11) = (8 + 15) (4 + 8) = (0) (12)

Wab2 = (Wa20 + Wb20) (Wa21 + Wb21) = (W20) (W21) = (7 + 13) (1 + 0) = (20) (0)

[Restore]
W00 = Wa00 + Wb00 = (A0 + r0) + (B0 + t0) = 0 ・ (A1 + B1) +0 ・ (A2 + B2) +1 ・ (r0 + t0) +0 (r1 + t1) V00 = (0010). Similarly, since V01 = (1001), V10 = (0110), V11 = (0001), V20 = (1010), V21 = (0-101), the whole is as follows.

Solving the above using Gauss-Jordan's elimination method gives

Therefore, A1 + B1 = W01-W11 = 20-12 = 8, A2 + B2 = W10-W00 = 0-12 = -12 = 11 (mod23), and when the digits are aligned, 8 * 10 + 11 = 91 = 23 + 68 = A + B.

From the above, it can be said that the secret information can be distributed, restored, and added (and subtracted as well) by the proposed multi-value method.

Secret multiplication 1 "'
Next, secret multiplication is shown.
In the following, when a and b are e-digit d digits and integers less than or equal to prime p (> e ^d ), and a is divided into L and Ai (i = 1, ..., L), Ai is prime p It should be an integer less than '(> e ^{d / L} ). An operation related to secret sharing is performed on a prime number q ′ (> p ′ ^u : u is an integer of 1 or more). First, we show that constant multiplication is possible.

[dispersion]
The CPU 22 of the first dealer device 12A of the owner A having the secret information a executes the distributed processing shown in FIG. That is, in step 872, k random numbers α _i less than the prime number q are generated, and the product α is calculated modulo q ′.
α = α ₁・ α ₂・・・ α _k

In step 874, α is applied to the secret information a distributed, and the multi-value quantization [distribution] process (steps 832 to 840 in FIG. 87) is executed. As a result, the distributed value Wa′i = Wa ′ (i, 0),..., Wa ′ (i, n−1) is transmitted to the server 14x _i (i = 0,..., N−1). In step 876, for each αj (j = 1,..., K), the multi-value quantization [dispersion] process (steps 832 to 840 in FIG. 90) is executed. As a result, the distributed values Wαji = Wαj (i, 0),..., Wαj (i, n-1) (j = 1,..., K) are transmitted to the server 4x _i (i = 1,..., N). To do.

The CPU 22 of the second dealer apparatus 12A of the owner B having the secret information b executes the distributed processing shown in FIG. That is, in step 882, k random numbers β _i less than the prime number q are generated, and the product β is calculated using q ′ as the modulus.
β = β ₁・ β ₂・・・ β _k

In step 848, β is added to the distributed secret information b and the multi-value quantization [distributed] processing (steps 832 to 840 in FIG. 90) is executed. As a result, the distributed value Wb′i = Wb ′ (i, 0),..., Wb ′ (i, n−1) is transmitted to the i- _th server 14x _i (i = 1,..., N). In step 886, the multi-value quantization [dispersion] process (steps 832 to 840 in FIG. 90) is executed for each βj (j = 1,..., K). As a result, the i-th server 14xi (i = 0,..., N−1) has distributed values Wβji = Wβj (i, 0),..., Wβj (i, n−1) (j = 1,. k) Send.

[Multiplication]
CPU22 of one server 14x _d in the server system performs the process of multi-level method Restore (steps 842 through step 854 in FIG. 91). That is, Wa′i is collected from other k servers and αa is restored. Then, the server 14x _d transmits αa to the other server 14x _j (j = 1,..., N).
The server 14x _j (j = 1,..., N) generates Wab′j by multiplying αb by Wb′j held by itself.
Wab'j = Wab '(j, 0), ..., Wab' (j, n-1) where Wab '(j, i) = αaWb' (j, i)

[Restore]
The CPU 22 of the server 14x _j (j = 1,..., K) participating in the restoration executes the calculation transmission process of αjβj in FIG. That is, in step 892, multi-value quantization [restoration] processing (step 842 to step 854 in FIG. 91) is executed for Wαji, and in step 894, multi-value quantization [restoration] processing (FIG. 88). Steps 842 to 854) are executed. That is, k Wαji and Wβji corresponding to the designated j are collected (i = 1,..., K), and αj and βj are restored one by one per server by the multivalue method [restoration].

In step 896, the product α _j β _j is calculated. In step 898, Wab ′ (x _j ) and α _j β _j are transmitted to the restorer.

The restoring device 16 of the restoring person restores αβab _j (j = 1,..., K) from k Wab′j and calculates αβab while aligning digits.

The restoration device 16 synthesizes αβ from αjβj (j = 1,..., K) and divides αβab to obtain ab.

Next, an example for the multi-valued method is shown. An example in the case of k = 2, n = 3, a = 23, and b = 68 will be described below. Assuming that the values are digits and α and β are also integers of the same size, since αa and βb to be distributed are decimal four-digit numbers, p = 10007 is set, and p ′ = 101, q ′ for dividing this into two. = 10007, it is assumed that the calculation is performed modulo q ′ = 10007.

[dispersion]
The first dealer device 12A of user A generates α ₁ = 11, α ₂ = 2 and sets α = α ₁ · α ₂ = 22 (step 872 in FIG. 93).

The first dealer apparatus 12A of user A divides the stored secret information a = 23 into two and sets A2 = 2 and A1 = 3, and multiplies Wa0, Wa1, and Wa2 by α and multiplies the secrets. Wa′0, Wa′1, and Wa′2 are obtained (A0 = 0) (step 874 in FIG. 93). Here, (k−1) n−1 = 2 random numbers are assumed to be r0 = 4 and r1 = 5. In addition, Wαji (i = 1,..., N) is calculated and distributed by the multivalued method of αj (step 876 in FIG. 93).
Wa0 = (Wa00) (Wa01) = (A0 + r0) (A1 + r1) = (4) (8) multiplied by 22, Wa'0 = (88) (176) is obtained as the 0th server 14x ₀ Send to.
Wa1 = (Wa10) (Wa11) = (A2 + r0) (A0 + r1) = (6) to (5), the Wa'1 = (132) (110) multiplied by 22, the first server 14x ₁ Send to.
Wa2 = (Wa20) (Wa21) = (A1 + r0) (-A2 + r1) = (7) (3) and Wa'2 = (154) (66) multiplied by 22 are used as the second server 14x. ₂ to send.

The second dealer 12B of user B generates β ₁ = 61 and β ₂ = 51 and sets β = 3111 (step 882 in FIG. 94).

The second dealer apparatus 12B of the user B divides the stored secret information b = 68 into two to make B2 = 6, B1 = 8, and the secret is distributed by the multi-value method (however, B0 = 0) (FIG. 94 step 884). Here, it is assumed that the random numbers are t0 = 37 and t1 = 18. In addition, βj is calculated and distributed by Wb′0, Wb′2 and Wb′3 by the multivalue method (step 886 in FIG. 94).
Wb0 = (Wb00) (Wb01) = (B0 + t0) (B1 + t1) = (37) (26)
The Wb'0 = (115107 = 5030) ( 80886 = 830) multiplied by 3111, to the server 14x ₀ of the 0.
Wb1 = (Wb10) (Wb11) = (B2 + t0) (B0 + t1) = (43) (18)
3111 multiplied by Wb'1 = (133773 = 3682) ( 55998 = 5963) to the transmission first to the server 14x _1.
Wb2 = (Wb20) (Wb21) = (B1 + t0) (-B2 + t1) = (45) (12)
3111 multiplied by Wb'2 = (139995 = 9904) ( 37332 = 7311) to the transmission second server 14x _2.

[Multiplication]
The server 14xd restores αA1 = 66 and αA2 = 44 from Wa′0 and Wa′1, and calculates αA2 * 10 + αA1 = 506 = αa.

The server 14xj restores βB1 (= 24888) = 4874 (modq ′) and βB2 (= 18666) = 8659 (modq ′) from Wb′0 and Wb′1, and βB2 * 10 + βB1 = 91464 = (211548) =) βb is calculated, and αa * βb = 46280784 = 8416 (modq ′) is sent to the restorer.

[Restore]
Server 14x ₁ restores the _{_{α 1 = 11, β 1 =}} 61, the server 14x2 restores the α2 = 2, β2 = 51.
Server 14x ₁ is a _{_{α 1 β 1 = 11 * 61}} = 671, x2 calculates α2β2 = 2 * 51 = 102.
The server 14 x ₁ sends α ₁ β ₁ and x 2 sends α ₂ β 2 to the restoration device 16.
The restoration device 16 obtains 68442 = 8400 (modq ′) from α ₁ β ₁ α ₂ β ₂ , calculates 1974 which is its reciprocal number modulo q ′, and calculates the modulus with q ′ over αa * βb = 8416. Then, ab = 1564 is obtained.
Although the above corresponds to the secret calculation 1, it can be said that the part of Shamir's secret sharing method is replaced with a multivalued method. Therefore, if Shamir's secret sharing method is replaced with a multilevel method, it is obvious that the methods of the first to eighth embodiments can be handled.

Acceleration in the ninth embodiment is as follows. Since the Shamir method up to the eighth embodiment is a polynomial operation, the restoration always requires simultaneous equations of the polynomial, that is, multiplication or power operation is necessary. However, XOR-type restoration can be processed only with XOR. In the ninth embodiment, XOR is multi-valued, and in the case of concealment multiplication, since restoration only needs to be performed by addition / subtraction, the speed can be increased.

Moreover, the statutory numbers are as follows. Up to the seventh embodiment, calculation is performed with the size of the secret information S or u times the size. On the other hand, in the ninth embodiment, calculation is performed with a size obtained by decomposing S or a size that is u times as large. Therefore, the modulo number is not large. This feature is indicated in claim 13.

In addition, it is obvious that the ramp type secret sharing method in which the magnitude of the variance value of the multilevel method is 1 / L is also possible as in the eighth embodiment in which the Shamir method is a ramp type. In this case, if S (<e ^d ) is an e-decimal d-digit integer less than the prime number p, Si (< ^{ed / L (n-1)} ) divided by ^{L (n-1} ) is used similarly. Is performed. At this time, the random number r _i ^j is also assumed to be an integer of the same size as Si, and the arithmetic is performed using the prime number p ′ (<e ^{du / L (n−1)} ) (u is an integer of 1 or more) as a modulus ([5] Is calculated using p as the modulus). This feature is indicated in claim 13.

As described above, the ramp type multi-value method can be realized in the same manner as the multi-value method. Therefore, if the Shamir's secret sharing method is replaced with the ramp type multi-value method, the first to eighth embodiments are implemented. It is clear that each method of form can be handled.

In addition, the difference between the ramp type multi-value method and the multi-value method is that even if the multi-value method calculates with a size obtained by dividing S, the distributed values return to the same size of the secret information because they are collected at the end. On the other hand, in the ramp type multi-valued method, even if the distributed values are collected, it is 1 / L of the original secret information, and the speed is increased and the storage capacity is reduced at the same time.

The entire disclosure of Japanese Patent Application No. 2015-025825 filed on February 12, 2015 is incorporated herein by reference.

Claims

If n is an integer, k is an integer of n or less, L is an integer of 1 to k, and the secret information is distributed into n pieces, and the secret information can be restored by collecting k of the n pieces of shared values. A calculation device that calculates a variance value in a system that performs a secret operation using means that cannot restore secret information with L or less,
means for calculating a variance value for each of the k or more pieces of secret information;
Means for generating a composite value from the k or more pieces of secret information;
Means for generating concealed secret information obtained by applying the composite value to new secret information;
A computing device comprising:
If n is an integer, k is an integer of n or less, L is an integer of 1 to k, and the secret information is distributed into n pieces, and the secret information can be restored by collecting k of the n pieces of shared values. A computing device that performs a secret calculation in a system that performs a secret calculation using means that cannot restore secret information with L or less,
The distributed value of the first partial random number that is a part of a plurality of random numbers constituting the first random number used for the first concealment secret information, and the first used for the second concealment secret information Means for recovering the first partial random number and the second partial random number by collecting a variance value of a second partial random number that is a part of a plurality of random numbers constituting the random number of 2,
Means for synthesizing the restored first partial random number and second partial random number;
A computing device comprising:
If n is an integer, k is an integer of n or less, L is an integer of 1 to k, and the secret information is distributed into n pieces, and the secret information can be restored by collecting k of the n pieces of shared values. A computing device that performs a secret calculation in a system that performs a secret calculation using means that cannot restore secret information with L or less,
means for restoring concealment secret information concealed using k or more random numbers;
Means for performing a predetermined calculation based on the restored concealment secret information and other values;
A computing device comprising:
If n is an integer, k is an integer of n or less, L is an integer of 1 to k, and the secret information is distributed into n pieces, and the secret information can be restored by collecting k of the n pieces of shared values. A computing device that restores secret information in a system that performs a secret calculation using means that cannot restore secret information with L or less,
means for restoring concealment secret information concealed using k or more random numbers;
Means for synthesizing the random number;
Means for releasing the concealment of the restored concealment secret information using the synthesized random number;
A computing device comprising:
If n is an integer, k is an integer of n or less, L is an integer of 1 to k, and the secret information is distributed into n pieces, and the secret information can be restored by collecting k of the n pieces of shared values. A computing device that performs a secret calculation in a system that performs a secret calculation using means that cannot restore secret information with L or less,
The first synthesized random number is converted by combining the first synthesized random number in the secrecy secret information concealed using k or more random numbers and the k or more random numbers constituting the second synthesized random number. A computing device comprising means for
If n is an integer, k is an integer of n or less, L is an integer of 1 to k, and the secret information is distributed into n pieces, and the secret information can be restored by collecting k of the n pieces of shared values. A computing device that performs a secret calculation in a system that performs a secret calculation using means that cannot restore secret information with L or less,
A computing device comprising: means for concealing by applying k or more random numbers constituting another concealment secret information to a non-confidential distributed value.
If n is an integer, k is an integer of n or less, L is an integer of 1 to k, and the secret information is distributed into n pieces, and the secret information can be restored by collecting k of the n pieces of shared values. A calculation device that calculates a variance value in a system that performs a secret operation using means that cannot restore secret information with L or less,
Means for concealing a plurality of new secret information and calculating a plurality of variance values;
Means for designating the order of each of the plurality of distributed values in accordance with a predetermined order of the plurality of new secret information before concealing;
A computing device comprising:
If n is an integer, k is an integer of n or less, L is an integer of 1 to k, and the secret information is distributed into n pieces, and the secret information can be restored by collecting k of the n pieces of shared values. A computing device for designating secret information to be searched in a system that performs a secret calculation using means that cannot restore secret information with L or less,
Means for concealing the search secret information by applying a random number;
Means for applying the random number to a value received from the system;
A computing device comprising:
If n is an integer, k is an integer of n or less, L is an integer of 1 to k, and the secret information is distributed into n pieces, and the secret information can be restored by collecting k of the n pieces of shared values. A computing device that searches for secret information specified in a system that performs a secret operation using means that cannot restore secret information with L or less,
Means for concealing the first search secret information corresponding to the secret information with a first random number, and concealing the input second search secret information with a second random number;
Based on the difference between the first value based on the concealed first search secret information and the second value based on the concealed second search secret information, the first value Means for obtaining a difference between the search secret information and the second search secret information;
A computing device comprising:
If n is an integer, k is an integer of n or less, L is an integer of 1 to k, and the secret information is distributed into n pieces, and the secret information can be restored by collecting k of the n pieces of shared values. A computing device that updates a distributed value in a system that performs a secret operation using means that cannot restore secret information with L or less,
A computing device comprising means for generating a new random number for a distributed value obtained by concealing secret information with a random number and storing the generated new random number as a new distributed value.
If n is an integer, k is an integer of n or less, L is an integer of 1 to k, and the secret information is distributed into n pieces, and the secret information can be restored by collecting k of the n pieces of shared values. A computing device that updates a distributed value in a system that performs a secret operation using means that cannot restore secret information with L or less,
A calculation device comprising means for calculating an update value for updating secret information from k or more pieces of correction information.
If n is an integer, k is an integer of n or less, L is an integer of 1 to k, and the secret information is distributed into n pieces, and the secret information can be restored by collecting k of the n pieces of shared values. A calculation device that calculates a variance value in a system that performs a secret operation using means that cannot restore secret information with L or less,
Means for determining the generated h (integer from 1 to k−1) random numbers as a distributed value and calculating n−h distributed values based on the h distributed values and the secret information; ,
means for generating a composite value from k or more pieces of secret information;
Means for calculating concealed secret information obtained by applying the composite value to new secret information;
A computing device comprising:
If n is an integer, k is an integer of n or less, L is an integer of 1 to k, and the secret information is distributed to n. A calculation device that calculates a variance value in a system that performs a secret operation using means that cannot restore secret information with L or less,
Means for dividing the secret information into an e-adic d / L (n-1) digit value by dividing the secret information into L (n-1) digits, when the secret information is an e-decimal digit digit value;
At least one of the secret information distribution, restoration, and concealment calculation, which is the numerical value,

Means for performing only addition and subtraction without decomposing multiplication and division into addition and subtraction modulo a larger prime number;
A computing device comprising:
If n is an integer, k is an integer of n or less, L is an integer of 1 to k, and the secret information is distributed into n pieces, and the secret information can be restored by collecting k of the n pieces of shared values. A computing device that performs a secret calculation or restoration in a system that performs a secret calculation using means that cannot restore secret information with L or less,
A computing device comprising means for performing a predetermined calculation in accordance with the digit of the secret information that is concealed and divided into a plurality of digits.
If n is an integer, k is an integer of n or less, L is an integer of 1 to k, and the secret information is distributed into n pieces, and the secret information can be restored by collecting k of the n pieces of shared values. A computing device that performs a secret calculation in a system that performs a secret calculation using means that cannot restore secret information with L or less,
Computation device comprising means for secretly sharing or decrypting the secret information of p1 * p2 or less obtained by multiplying the secret information as an integer of p1 or less and the random number as an integer of p2 or less by using a prime number larger than p1 * p2 as a modulus .
If n is an integer, k is an integer smaller than n, L is an integer not less than 1 and not more than k, secret information is dispersed into n pieces, and k pieces among n pieces can be collected to restore the secret information. A computing device that performs a secret operation or restoration in a system that performs a secret operation using means that cannot restore secret information with L or less,
A computing device comprising means for adding / subtracting concealment secret information in which secret information is concealed by addition of random numbers and a distributed value obtained by secretly distributing the random numbers.
If n is an integer, k is an integer of n or less, L is an integer of 1 to k, and the secret information is distributed into n pieces, and the secret information can be restored by collecting k of the n pieces of shared values. A computing device that searches for a storage location of secret information in a system that performs a secret calculation using means that cannot restore secret information with L or less,
Means for obtaining a difference between the first search secret information and the second search secret information;
Means for determining the storage position according to the difference;
A computing device comprising:
If n is an integer, k is an integer of n or less, L is an integer of 1 to k, and the secret information is distributed to n. A computing device that updates secret information in a system that performs a secret operation using means that cannot restore secret information with L or less,
A computing device comprising: means for multiplying a distributed value of secret information by a predetermined first random number and adding a predetermined second random number.