WO2021149098A1 - 秘密平方根計算システム、秘密正規化システム、それらの方法、秘密計算装置、およびプログラム - Google Patents
秘密平方根計算システム、秘密正規化システム、それらの方法、秘密計算装置、およびプログラム Download PDFInfo
- Publication number
- WO2021149098A1 WO2021149098A1 PCT/JP2020/001674 JP2020001674W WO2021149098A1 WO 2021149098 A1 WO2021149098 A1 WO 2021149098A1 JP 2020001674 W JP2020001674 W JP 2020001674W WO 2021149098 A1 WO2021149098 A1 WO 2021149098A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- value
- secret
- variance
- variance value
- bit
- Prior art date
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/14—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
- H04L9/16—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms the keys or algorithms being changed during operation
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F7/38—Methods or arrangements for performing computations using exclusively denominational number representation, e.g. using binary, ternary, decimal representation
- G06F7/48—Methods or arrangements for performing computations using exclusively denominational number representation, e.g. using binary, ternary, decimal representation using non-contact-making devices, e.g. tube, solid state device; using unspecified devices
- G06F7/544—Methods or arrangements for performing computations using exclusively denominational number representation, e.g. using binary, ternary, decimal representation using non-contact-making devices, e.g. tube, solid state device; using unspecified devices for evaluating functions by calculation
- G06F7/552—Powers or roots, e.g. Pythagorean sums
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/085—Secret sharing or secret splitting, e.g. threshold schemes
Definitions
- the present invention relates to a technique for calculating a square root in secret calculation.
- Secret calculation is a cryptographic technology that calculates an arbitrary function while keeping data secret. Taking advantage of this feature, it is expected to be a form of data utilization that does not leak data to both system operators and data users.
- secret calculation There are several methods for secret calculation, and it is known that the one that uses secret sharing as a component has a small data processing unit and can perform high-speed processing.
- Secret sharing is a method of converting confidential information into several fragments called shares. For example, n shares can be generated from secret information, and secrets can be restored from k or more shares, but secret information is not leaked from shares less than k (k, n). A secret called the threshold method. There is dispersion. Shamir secret sharing, duplicate secret sharing, and the like are known as specific methods for configuring secret sharing. In the present specification, one fragment of the value distributed by secret sharing is referred to as "share”. Also, the entire set of all shares is called the "variance value”.
- Non-Patent Document 1 discloses a method of calculating a square root by using the reciprocal of the square root in secret calculation.
- various function calculations including the square root may require processing to normalize the numerical value so that it falls within a certain range.
- secret calculation the numerical value is normalized by moving the leftmost bit (msb: most significant bit).
- Non-Patent Document 1 has a problem that the calculation cost is large because the reciprocal of the square root is obtained and then the multiplication is performed.
- An object of the present invention is to provide a secret calculation technique capable of calculating a square root at high speed in view of the above technical problems.
- the secret square root calculation system of the first aspect of the present invention includes a plurality of secret calculation devices, inputs the variance value [a] of the value a, and the variance value of the square root of the value a.
- a secret square root calculation system that calculates [ ⁇ a], where ⁇ is the decimal position of the value a, ⁇ 'is the smallest integer greater than or equal to ⁇ / 2, and the secret calculator is the leftmost bit of the value a.
- a public value multiplier that sets a public value multiplier r'that finds the variance value ⁇ r ⁇ of the division flag r that calculates the sum, and becomes ⁇ 2 when ⁇ is an odd number and 1 when ⁇ is an even number.
- An inverse-normalized multiplier generator that generates the variance value [c'] of the inverse-normalized multiplier c', which is a combination of the setting unit and the sequence of variance values ⁇ y 0 ⁇ ,..., ⁇ y ⁇ '-1 ⁇ in forward order.
- a normalized multiplier generator that generates the variance value [c] of the normalized multiplier c by bit-coupling the variance value columns ⁇ x 0 ⁇ ,..., ⁇ x ⁇ -1 ⁇ in reverse order, and the variance value [a].
- the secret normalization system of the second aspect of the present invention includes a plurality of secret calculators and normalizes the variance value [a] of the value a in order to calculate the variance value [ ⁇ a] of the square root of the value a.
- ⁇ is the decimal position of the value a
- ⁇ ' is the smallest integer greater than or equal to ⁇ / 2
- the secret calculator has a flag string x 0 representing the leftmost bit of the value a.
- the variance value ⁇ y i ⁇ of the bit y i By calculating the variance value ⁇ y i ⁇ of the bit y i , the variance value of the bit string y 0 ,..., y ⁇ '-1
- the bit string generator that generates the columns ⁇ y 0 ⁇ ,..., ⁇ y ⁇ '-1 ⁇ , and the division that calculates the exclusive logical sum of all the variance values ⁇ x j ⁇ for each odd j that is greater than or equal to 0 and less than ⁇ .
- a flag calculation unit that calculates the variance value ⁇ r ⁇ of the flag r, and a public value multiplier setting unit that sets the public value multiplier r'that becomes ⁇ 2 when ⁇ is an integer and 1 when ⁇ is an even number.
- An inverse-normalized multiplier generator that generates the variance value [c'] of the inverse-normalized multiplier c', which is a bit-bonded sequence of variance values ⁇ y 0 ⁇ ,..., ⁇ y ⁇ '-1 ⁇ in forward order, and a variance value.
- a normalized multiplier generator that generates the variance value [c] of the normalized multiplier c by bit-connecting the columns ⁇ x 0 ⁇ ,..., ⁇ x ⁇ -1 ⁇ in reverse order, and the variance value [a] and the variance value [ Includes a normalization part that calculates the variance value [b] multiplied by c].
- the square root can be calculated at high speed in secret calculation.
- FIG. 1 is a diagram illustrating a functional configuration of a secret square root calculation system.
- FIG. 2 is a diagram illustrating the functional configuration of the secret calculation device.
- FIG. 3 is a diagram illustrating the functional configuration of the square root calculation unit.
- FIG. 4 is a diagram illustrating a processing procedure of the secret square root calculation method.
- FIG. 5 is a diagram illustrating a processing procedure of the square root calculation unit.
- FIG. 6 is a diagram illustrating a functional configuration of a computer.
- [ ⁇ ] is the data that hides the numerical value.
- distributed values such as Shamir secret sharing and duplicate secret sharing can be used.
- a distribution value such as replication secret sharing on Z 2 can be used.
- ⁇ represents the decimal point position. It is assumed that the number of bits of the ring or field used in the secret calculation is about half of
- the public decimal point position for an integer on the ring By setting the public decimal point position for an integer on the ring, it can be regarded as a fixed-point real number.
- the fixed-point real number represented on the ring in this way is simply referred to as a real number.
- An embodiment of the present invention is a secret square root calculation system and method in which the variance value [a] of the value a is input and the variance value [ ⁇ a] of the square root of the value a is calculated while keeping the value a concealed.
- the outline of the square root protocol executed by the secret square root calculation system of the embodiment will be described below.
- ⁇ a is directly calculated in order to calculate more efficiently.
- the inverse operation of normalization after approximation is division. Therefore, in order to divide by ⁇ 2 e , the process is to multiply by ⁇ 2 ⁇ -e and divide by ⁇ 2 ⁇ .
- the reduction of the decimal point position executed in steps 1 and 3 of Algorithm 1 can be efficiently performed by using, for example, the divisor public division disclosed in Non-Patent Document 1.
- Simultaneous execution of public value multiplication and decimal point descent executed in step 5 of algorithm 1 can be efficiently performed by using, for example, the following algorithm.
- Parameters L, R, a, b, c, d, f, g, H, i, j, k, l, m, n, o, p, q, ⁇ , ⁇ , ⁇ , ⁇ , ⁇ used in Algorithm 1 Is set according to the approximate function func.
- each parameter may be set as shown in the following table, for example.
- algorithm 3 The algorithm for calculating the square root in secret calculation using algorithm 1 is shown below.
- algorithm 3 an algorithm for normalizing the input to be calculated for square root calculation
- algorithm 4 an algorithm for calculating the square root using the algorithm
- the generation of the flag string representing the leftmost bit executed in step 2 of the algorithm 3 can be efficiently performed by using, for example, the following algorithm.
- ⁇ f ⁇ -1 ⁇ : ⁇ a ⁇ -1 ⁇ .
- ⁇ f 0 ⁇ ,..., ⁇ f ⁇ -1 ⁇ is a bit string in which 01s are lined up with msb as the boundary, such as 0,0,0,1,1,1,..., 1.
- ⁇ x ⁇ -1 ⁇ : ⁇ a ⁇ -1 ⁇ .
- ⁇ x 0 ⁇ ,..., ⁇ x ⁇ -1 ⁇ is a bit string such as 0,0,0,1,0,0,..., 0 where only the msb position is 1.
- the selective public multiplication executed in step 4 of the algorithm 4 can be efficiently performed by using, for example, the following algorithm.
- the public value multiplication executed in step 1 of the algorithm 6 can be efficiently performed, for example, by combining the algorithm 2 and the following algorithm.
- the quotient obtained in step 1 of algorithm 7 can be efficiently obtained by quotient transfer (see Reference 1).
- the secret square root calculation system 100 of the embodiment is an information processing system that executes the above square root protocol.
- the secret square root calculation system 100 includes N ( ⁇ 3) secret calculation devices 1 1 , ..., 1 N.
- the secret computing devices 1 1 , ..., 1 N are connected to the communication network 9, respectively.
- the communication network 9 is a circuit-switched or packet-switched communication network configured so that each connected device can communicate with each other.
- the Internet LAN (Local Area Network), WAN (Wide Area Network). Etc. can be used. It should be noted that each device does not necessarily have to be able to communicate online via the communication network 9.
- the secret calculation device 1 n included in the secret square root calculation system 100 of the embodiment is, for example, as shown in FIG. 2, a bit decomposition unit 11, a flag string generation unit 12, a bit string generation unit 13, a flag calculation unit 14, and a flag conversion.
- a unit 15, a public value multiplier setting unit 16, an inverse normalized multiplier generation unit 17, a normalized multiplier generation unit 18, a normalization unit 19, a square root calculation unit 20, an inverse normalization unit 21, and a right shift unit 22 are provided.
- the square root calculation unit 20 includes a parameter storage unit 200, a first product sum unit 201, a first addition unit 202, a second product sum unit 203, a second addition unit 204, and a third product sum.
- a unit 205, a selective product calculation unit 206, and a third addition unit 207 are provided.
- the calculation method is realized.
- the secret computing device 1 n is configured by loading a special program into a known or dedicated computer having, for example, a central processing unit (CPU), a main storage device (RAM: Random Access Memory), or the like. It is a special device.
- the secret calculation device 1 n executes each process under the control of the central processing unit, for example.
- the data input to the secret computing device 1 n and the data obtained by each process are stored in, for example, the main storage device, and the data stored in the main storage device is read out to the central arithmetic processing unit as needed. It is used for other processing.
- At least a part of each processing unit of the secret calculation device 1 n may be configured by hardware such as an integrated circuit.
- Each storage unit included in the secret computing device 1 n is, for example, a main storage device such as RAM (Random Access Memory), an auxiliary storage device composed of a hard disk, an optical disk, or a semiconductor memory element such as a flash memory. Alternatively, it can be configured by middleware such as a relational database or a key value store.
- a main storage device such as RAM (Random Access Memory)
- auxiliary storage device composed of a hard disk, an optical disk, or a semiconductor memory element such as a flash memory.
- middleware such as a relational database or a key value store.
- step S11 the bit decomposition unit 11 of each secret calculation device 1 n bit-decomposes the variance value [a] of the value a input to the secret square root calculation system 100, so that the bit representation of the value a a 0 , ... , a A sequence of variance values of ⁇ -1 ⁇ a 0 ⁇ ,..., ⁇ a ⁇ -1 ⁇ is obtained.
- the bit decomposition unit 11 outputs a sequence of dispersion values ⁇ a 0 ⁇ , ..., ⁇ a ⁇ -1 ⁇ to the flag sequence generation unit 12.
- the flag string generation unit 12 of each secret computing device 1 n uses a sequence of distributed values ⁇ a 0 ⁇ , ..., ⁇ a ⁇ -1 ⁇ to represent a flag sequence x representing the leftmost bit of the value a. Generate a sequence of variance values of 0 ,..., x ⁇ -1 ⁇ x 0 ⁇ ,..., ⁇ x ⁇ -1 ⁇ .
- the flag string representing the leftmost bit is, for example, a flag string in which only the position of the leftmost bit obtained by using the above algorithm 5 is 1.
- the flag string generation unit 12 outputs a sequence of variance values ⁇ x 0 ⁇ , ..., ⁇ x ⁇ -1 ⁇ to the bit string generation unit 13, the flag calculation unit 14, and the normalized multiplier generation unit 18.
- ⁇ ' is the smallest integer greater than or equal to ⁇ / 2.
- the bit string generation unit 13 outputs a sequence of variance values ⁇ y 0 ⁇ , ..., ⁇ y ⁇ '-1 ⁇ to the inverse normalization multiplier generation unit 17.
- step S14 the flag calculation unit 14 of the secure computing apparatus 1 n is the column of the dispersion value ⁇ x 0 ⁇ , ..., using ⁇ x ⁇ -1 ⁇ , whether the calculation result is divided by ⁇ 2 Calculate the distribution value ⁇ r ⁇ of the representative flag r (hereinafter, also referred to as "division flag"). Specifically, for each odd number j greater than or equal to 0 and less than ⁇ , the exclusive OR of all variance values ⁇ x j ⁇ is calculated. The flag calculation unit 14 outputs the variance value ⁇ r ⁇ to the flag conversion unit 15.
- step S15 the flag converter 15 of the secure computing apparatus 1 n is, mod by p conversion, converts the variance value of the division flag r ⁇ r ⁇ in dispersion value [r].
- the flag conversion unit 15 outputs the variance value [r] to the square root calculation unit 20.
- Set r' (hereinafter also referred to as "public value multiplier").
- the public value multiplier setting unit 16 outputs the public value multiplier r'to the square root calculation unit 20.
- step S17 inverse normalization multiplier generation unit 17 of the secure computing apparatus 1 n is the column of the dispersion value ⁇ y 0 ⁇ , ..., by combining bits in forward order the ⁇ y ⁇ '-1 ⁇ , the normalization Generate the variance value [c'] of the multiplier c'(hereinafter, also referred to as "inverse normalized multiplier") to be multiplied by the calculation result in order to perform the inverse operation.
- the inverse normalization multiplier generation unit 17 outputs the variance value [c'] to the inverse normalization unit 21.
- step S18 the normalization multiplier generation unit 18 of each secret computing device 1 n is used to normalize the sequence of variance values ⁇ x 0 ⁇ ,..., ⁇ x ⁇ -1 ⁇ by bit-coupling them in reverse order. Generates the variance value [c] of the multiplier c (hereinafter also referred to as the "normalized multiplier") that multiplies the input.
- the normalized multiplier generation unit 18 outputs the variance value [c] to the normalized unit 19.
- step S19 the normalization unit 19 of each secret calculator 1 n normalizes the value a by multiplying the variance value [a] of the value a by the variance value [c] of the normalized multiplier c. Calculate the variance value [b] of b.
- the normalization unit 19 outputs the variance value [b] to the square root calculation unit 20.
- step S20 the square root calculation unit 20 of each secret computing device 1 n executes the algorithm 1 using a parameter that approximates the square root function with an eighth degree polynomial, so that the square root is obtained with respect to the variance value [b] of the value b.
- the condition is set to the variance value [r] of the division flag r, and the options are r' ⁇ and (r'/ ⁇ 2) ⁇ , respectively, and the algorithm 6 is executed. Do it by doing.
- the square root calculation unit 20 outputs the variance value [w] to the inverse normalization unit 21.
- step S21 inverse normalization unit 21 of the secure computing apparatus 1 n is 'variance of [c' variance value of the calculation result w [w] and denormalization multiplier c] and multiplying.
- the denormalization unit 21 outputs the multiplication result [w] [c'] to the right shift unit 22.
- step S22 the right shift unit 22 of each secret calculation device 1 n shifts the multiplication result [w] [c'] to the right by ⁇ 'bit and outputs it as a variance value [ ⁇ a] of the square root of the value a.
- the parameter storage unit 200 contains parameters a, b, c, d, f, g, H, i, j, k, l, m, n, o, p, q for approximating the square root function with an eighth degree polynomial. , ⁇ , ⁇ , ⁇ , ⁇ are stored. Each parameter is predetermined according to the function to be approximated, and when approximating the square root function, the values illustrated in Table 1 may be set.
- the first sum-of-product unit 201 outputs [y'] to the first addition unit 202.
- the first addition unit 202 outputs [y] to the second product sum unit 203.
- the second sum-of-product unit 203 outputs [z'] to the second addition unit 204.
- the second addition unit 204 outputs [z] to the third product sum unit 205.
- the third sum-of-product unit 205 outputs [w'/ ⁇ ] to the selective product calculation unit 206.
- the selective product calculation unit 206 outputs [w'] to the third addition unit 207.
- the secret square root calculation system 100 of the embodiment is configured to perform both normalization (algorithm 3) and square root calculation (algorithm 4) for square root calculation.
- the secret normalization system of the modified example is configured to execute only the part of the secret square root calculation system 100 that performs normalization (algorithm 3) for square root calculation. That is, the secret normalization system takes the variance value [a] of the value a as input, and the variance value [b] of the value b normalized to the value a to [1, 2) and the variance of the inverse normalized multiplier c'. The value [c'] and the variance value [r] of the division flag r are output.
- the secret calculation device 1 n included in the secret normalization system of the modified example includes a bit decomposition unit 11, a flag string generation unit 12, a bit string generation unit 13, a flag calculation unit 14, a flag conversion unit 15, and an inverse normalization.
- a normalized multiplier generation unit 17, a normalized multiplier generation unit 18, and a normalized multiplier 19 are provided.
- the program that describes this processing content can be recorded on a computer-readable recording medium.
- the computer-readable recording medium may be, for example, a magnetic recording device, an optical disk, a photomagnetic recording medium, a semiconductor memory, or the like.
- the distribution of this program is carried out, for example, by selling, transferring, or renting a portable recording medium such as a DVD or CD-ROM on which the program is recorded.
- the program may be stored in the storage device of the server computer, and the program may be distributed by transferring the program from the server computer to another computer via a network.
- a computer that executes such a program first stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its own storage device. Then, when the process is executed, the computer reads the program stored in its own storage device and executes the process according to the read program. Further, as another execution form of this program, a computer may read the program directly from a portable recording medium and execute processing according to the program, and further, the program is transferred from the server computer to this computer. Each time, the processing according to the received program may be executed sequentially. In addition, the above processing is executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition without transferring the program from the server computer to this computer. May be.
- the program in this embodiment includes information to be used for processing by a computer and equivalent to the program (data that is not a direct command to the computer but has a property of defining the processing of the computer, etc.).
- the present device is configured by executing a predetermined program on the computer, but at least a part of these processing contents may be realized by hardware.
Landscapes
- Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computer Security & Cryptography (AREA)
- Computational Mathematics (AREA)
- Mathematical Analysis (AREA)
- Pure & Applied Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Mathematical Optimization (AREA)
- General Engineering & Computer Science (AREA)
- Complex Calculations (AREA)
- Image Processing (AREA)
Abstract
Description
本発明の実施形態は、値aの分散値[a]を入力とし、値aを秘匿したまま、値aの平方根の分散値[√a]を計算する秘密平方根計算システムおよび方法である。以下、実施形態の秘密平方根計算システムが実行する平方根プロトコルの概要について説明する。
入力:[x]∈[L, R)
パラメータ:a, b, c, d, f, g, H, i, j, k, l, m, n, o, p, q, α, β, γ, δ, ζ
出力:目的の関数funcに対応する[func(x)]
入力:[x]、乗数m、シフト量σ
出力:シフト後の[mx]
入力:[a]
出力:[b], [r], [c'](ただし、bはaの最左ビットを小数点位置λに移動した値(すなわち、aを[1, 2)に正規化した値)である。rは、計算結果を√2で除算するか否かを表す真理値である。c'は、正規化の逆演算に用いる2べきの数である。)
入力:[a]
出力:[√a]
入力:ビット表現された整数{a0}, …, {aλ-1}
出力:aのmsb位置のみ1となるビット列{x0}, …, {xλ-1}
入力:[a]、乗数m0, m1、条件[c]
出力:[m1a] if c=1, [m0a] if c=0
入力:[a]、除数d0, d1, …, dn-1
出力:[a/d0], [a/d1], …, [a/dn-1]
実施形態の秘密平方根計算システム100は、上記の平方根プロトコルを実行する情報処理システムである。秘密平方根計算システム100は、図1に示すように、N(≧3)台の秘密計算装置11, …, 1Nを含む。この実施形態では、秘密計算装置11, …, 1Nはそれぞれ通信網9へ接続される。通信網9は、接続される各装置が相互に通信可能なように構成された回線交換方式もしくはパケット交換方式の通信網であり、例えばインターネットやLAN(Local Area Network)、WAN(Wide Area Network)等を用いることができる。なお、各装置は必ずしも通信網9を介してオンラインで通信可能である必要はない。例えば、秘密計算装置1n(n=1, …, N)へ入力する情報を磁気テープやUSBメモリ等の可搬型記録媒体に記憶し、その可搬型記録媒体から秘密計算装置1nへオフラインで入力するように構成してもよい。
実施形態の秘密平方根計算システム100は、平方根計算のための正規化(アルゴリズム3)と平方根計算(アルゴリズム4)を両方とも実行するように構成した。変形例の秘密正規化システムは、秘密平方根計算システム100のうち平方根計算のための正規化(アルゴリズム3)を行う部分のみを実行するように構成する。すなわち、秘密正規化システムは、値aの分散値[a]を入力とし、値aを[1, 2)に正規化した値bの分散値[b]と、逆正規化乗数c'の分散値[c']と、除算フラグrの分散値[r]とを出力する。具体的には、変形例の秘密正規化システムに含まれる秘密計算装置1nは、ビット分解部11、フラグ列生成部12、ビット列生成部13、フラグ計算部14、フラグ変換部15、逆正規化乗数生成部17、正規化乗数生成部18、および正規化部19を備える。
上記実施形態で説明した各装置における各種の処理機能をコンピュータによって実現する場合、各装置が有すべき機能の処理内容はプログラムによって記述される。そして、このプログラムを図6に示すコンピュータの記憶部1020に読み込ませ、制御部1010、入力部1030、出力部1040等に動作させることにより、上記各装置における各種の処理機能がコンピュータ上で実現される。
Claims (7)
- 複数の秘密計算装置を含み、値aの分散値[a]を入力とし、値aの平方根の分散値[√a]を計算する秘密平方根計算システムであって、
λは前記値aの小数点位置であり、λ'はλ/2以上の最小の整数であり、
前記秘密計算装置は、
前記値aの最左ビットを表すフラグ列x0, …, xλ-1の分散値の列{x0}, …, {xλ-1}を生成するフラグ列生成部と、
0以上λ'未満の各整数iについて、前記分散値{x2i}と前記分散値{x2i+1}との排他的論理和を計算したビットyiの分散値{yi}を求めることで、ビット列y0, …, yλ'-1の分散値の列{y0}, …, {yλ'-1}を生成するビット列生成部と、
0以上λ未満の各奇数jについて、すべての前記分散値{xj}の排他的論理和を計算した除算フラグrの分散値{r}を求めるフラグ計算部と、
λが奇数のときは√2となり、λが偶数のときは1となる公開値乗数r'を設定する公開値乗数設定部と、
前記分散値の列{y0}, …, {yλ'-1}を正順にビット結合した逆正規化乗数c'の分散値[c']を生成する逆正規化乗数生成部と、
前記分散値の列{x0}, …, {xλ-1}を逆順にビット結合した正規化乗数cの分散値[c]を生成する正規化乗数生成部と、
前記分散値[a]と前記分散値[c]とを乗算した分散値[b]を計算する正規化部と、
前記分散値[b]と前記分散値{r}と前記公開値乗数r'とを用いて、r=1のときは[√b]*(r'/√2)を計算し、r=0のときは[√b]*r'を計算した分散値[w]を計算する平方根計算部と、
前記分散値[w]と前記分散値[c']との乗算結果をλ'ビット右シフトした前記分散値[√a]を計算する逆正規化部と、
を含む秘密平方根計算システム。 - 請求項1に記載の秘密平方根計算システムであって、
a, b, c, d, f, g, H, i, j, k, l, m, n, o, p, q, α, β, γ, δ, ζは平方根関数を8次多項式で近似するためのパラメータとし、[x]:=[b]とし、
前記平方根計算部は、
[y']:=[x(δx+a-i)-j]を計算する第一積和部と、
[y]:=[y'+(ix+j)]を計算する第一加算部と、
[z']:=[y(ζy+b-k)+(c-l)x-m]を計算する第二積和部と、
[z]:=[z'+(ky+lx+m)]を計算する第二加算部と、
[w'/γ]:=[z(αz+d-n/γ)+(βx+f-o/γ)y+(g-p)x+(H-q)/γ]を計算する第三積和部と、
前記分散値{r}を用いて、r=1のときは[w'/γ]*(r'/√2)γを計算し、r=0のときは[w'/γ]*r'γを計算し、計算結果を[w']とする選択積計算部と、
[w]:=[w'+(nz+op+px+q)]を計算する第三加算部と、
を含む秘密平方根計算システム。 - 複数の秘密計算装置を含み、値aの平方根の分散値[√a]を計算するために、値aの分散値[a]を正規化する秘密正規化システムであって、
λは前記値aの小数点位置であり、λ'はλ/2以上の最小の整数であり、
前記秘密計算装置は、
前記値aの最左ビットを表すフラグ列x0, …, xλ-1の分散値の列{x0}, …, {xλ-1}を生成するフラグ列生成部と、
0以上λ'未満の各整数iについて、前記分散値{x2i}と前記分散値{x2i+1}との排他的論理和を計算したビットyiの分散値{yi}を求めることで、ビット列y0, …, yλ'-1の分散値の列{y0}, …, {yλ'-1}を生成するビット列生成部と、
0以上λ未満の各奇数jについて、すべての前記分散値{xj}の排他的論理和を計算した除算フラグrの分散値{r}を計算するフラグ計算部と、
λが奇数のときは√2となり、λが偶数のときは1となる公開値乗数r'を設定する公開値乗数設定部と、
前記分散値の列{y0}, …, {yλ'-1}を正順にビット結合した逆正規化乗数c'の分散値[c']を生成する逆正規化乗数生成部と、
前記分散値の列{x0}, …, {xλ-1}を逆順にビット結合した正規化乗数cの分散値[c]を生成する正規化乗数生成部と、
前記分散値[a]と前記分散値[c]とを乗算した分散値[b]を計算する正規化部と、
を含む秘密正規化システム。 - 複数の秘密計算装置を含み、値aの分散値[a]を入力とし、値aの平方根の分散値[√a]を計算する秘密平方根計算システムが実行する秘密平方根計算方法であって、
λは前記値aの小数点位置であり、λ'はλ/2以上の最小の整数であり、
各秘密計算装置のフラグ列生成部が、前記値aの最左ビットを表すフラグ列x0, …, xλ-1の分散値の列{x0}, …, {xλ-1}を生成し、
各秘密計算装置のビット列生成部が、0以上λ'未満の各整数iについて、前記分散値{x2i}と前記分散値{x2i+1}との排他的論理和を計算したビットyiの分散値{yi}を求めることで、ビット列y0, …, yλ'-1の分散値の列{y0}, …, {yλ'-1}を生成し、
各秘密計算装置のフラグ計算部が、0以上λ未満の各奇数jについて、すべての前記分散値{xj}の排他的論理和を計算した除算フラグrの分散値{r}を求め、
各秘密計算装置の公開値乗数設定部が、λが奇数のときは√2となり、λが偶数のときは1となる公開値乗数r'を設定し、
各秘密計算装置の逆正規化乗数生成部が、前記分散値の列{y0}, …, {yλ'-1}を正順にビット結合した逆正規化乗数c'の分散値[c']を生成し、
各秘密計算装置の正規化乗数生成部が、前記分散値の列{x0}, …, {xλ-1}を逆順にビット結合した正規化乗数cの分散値[c]を生成し、
各秘密計算装置の正規化部が、前記分散値[a]と前記分散値[c]とを乗算した分散値[b]を計算し、
各秘密計算装置の平方根計算部が、前記分散値[b]と前記分散値{r}と前記公開値乗数r'とを用いて、r=1のときは[√b]*(r'/√2)を計算し、r=0のときは[√b]*r'を計算した分散値[w]を計算し、
各秘密計算装置の逆正規化部が、前記分散値[w]と前記分散値[c']との乗算結果をλ'ビット右シフトした前記分散値[√a]を計算する、
秘密平方根計算方法。 - 複数の秘密計算装置を含み、値aの平方根の分散値[√a]を計算するために、値aの分散値[a]を正規化する秘密正規化システムが実行する秘密正規化方法であって、
λは前記値aの小数点位置であり、λ'はλ/2以上の最小の整数であり、
各秘密計算装置のフラグ列生成部が、前記値aの最左ビットを表すフラグ列x0, …, xλ-1の分散値の列{x0}, …, {xλ-1}を生成し、
各秘密計算装置のビット列生成部が、0以上λ'未満の各整数iについて、前記分散値{x2i}と前記分散値{x2i+1}との排他的論理和を計算したビットyiの分散値{yi}を求めることで、ビット列y0, …, yλ'-1の分散値の列{y0}, …, {yλ'-1}を生成し、
各秘密計算装置のフラグ計算部が、0以上λ未満の各奇数jについて、すべての前記分散値{xj}の排他的論理和を計算した除算フラグrの分散値{r}を求め、
各秘密計算装置の公開値乗数設定部が、λが奇数のときは√2となり、λが偶数のときは1となる公開値乗数r'を設定し、
各秘密計算装置の逆正規化乗数生成部が、前記分散値の列{y0}, …, {yλ'-1}を正順にビット結合した逆正規化乗数c'の分散値[c']を生成し、
各秘密計算装置の正規化乗数生成部が、前記分散値の列{x0}, …, {xλ-1}を逆順にビット結合した正規化乗数cの分散値[c]を生成し、
各秘密計算装置の正規化部が、前記分散値[a]と前記分散値[c]とを乗算した分散値[b]を計算する、
秘密正規化方法。 - 請求項1または2の秘密平方根計算システムまたは請求項3の秘密正規化システムにおいて用いられる前記秘密計算装置。
- 請求項6に記載の秘密計算装置としてコンピュータを機能させるためのプログラム。
Priority Applications (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US17/789,787 US20230044126A1 (en) | 2020-01-20 | 2020-01-20 | Secure square root computation system, secure normalization system, methods therefor, secure computation apparatus, and program |
PCT/JP2020/001674 WO2021149098A1 (ja) | 2020-01-20 | 2020-01-20 | 秘密平方根計算システム、秘密正規化システム、それらの方法、秘密計算装置、およびプログラム |
JP2021572120A JP7331951B2 (ja) | 2020-01-20 | 2020-01-20 | 秘密平方根計算システム、秘密正規化システム、それらの方法、秘密計算装置、およびプログラム |
CN202080093618.0A CN114981865A (zh) | 2020-01-20 | 2020-01-20 | 秘密平方根计算系统、秘密归一化系统、它们的方法、秘密计算装置以及程序 |
EP20915351.9A EP4095827A4 (en) | 2020-01-20 | 2020-01-20 | SECURE SQUARE ROOT CALCULATION SYSTEM, SECURE NORMALIZATION SYSTEM, METHOD THEREOF, SECURE COMPUTING APPARATUS AND PROGRAM |
AU2020424575A AU2020424575B2 (en) | 2020-01-20 | 2020-01-20 | Secure square root computation system, secure normalization system, methods therefor, secure computation apparatus, and program |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2020/001674 WO2021149098A1 (ja) | 2020-01-20 | 2020-01-20 | 秘密平方根計算システム、秘密正規化システム、それらの方法、秘密計算装置、およびプログラム |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2021149098A1 true WO2021149098A1 (ja) | 2021-07-29 |
Family
ID=76992239
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2020/001674 WO2021149098A1 (ja) | 2020-01-20 | 2020-01-20 | 秘密平方根計算システム、秘密正規化システム、それらの方法、秘密計算装置、およびプログラム |
Country Status (6)
Country | Link |
---|---|
US (1) | US20230044126A1 (ja) |
EP (1) | EP4095827A4 (ja) |
JP (1) | JP7331951B2 (ja) |
CN (1) | CN114981865A (ja) |
AU (1) | AU2020424575B2 (ja) |
WO (1) | WO2021149098A1 (ja) |
-
2020
- 2020-01-20 JP JP2021572120A patent/JP7331951B2/ja active Active
- 2020-01-20 WO PCT/JP2020/001674 patent/WO2021149098A1/ja unknown
- 2020-01-20 CN CN202080093618.0A patent/CN114981865A/zh active Pending
- 2020-01-20 EP EP20915351.9A patent/EP4095827A4/en active Pending
- 2020-01-20 AU AU2020424575A patent/AU2020424575B2/en active Active
- 2020-01-20 US US17/789,787 patent/US20230044126A1/en active Pending
Non-Patent Citations (2)
Title |
---|
IGARASHI, DAI: "Secure Real Number Operations for Secure AI - O ( l p l ) - Bit Communication and O (1) - Round Shift Protocol", PROCEEDINGS OF THE 2019 COMPUTER SECURITY SYMPOSIUM, 14 October 2019 (2019-10-14), pages 1557 - 1564, XP009530110 * |
RYO KIKUCHIDAI IKARASHITAKAHIRO MATSUDAKOKI HAMADAKOJI CHIDA: "Efficient bit-decomposition and modulus-conversion protocols with an honest majority", PROCEEDINGS OF INFORMATION SECURITY AND PRIVACY - 23RD AUSTRALASIAN CONFERENCE (ACISP 2018, 11 July 2018 (2018-07-11), pages 64 - 82, XP055932868, DOI: 10.1007/978-3-319-93638-3_5 |
Also Published As
Publication number | Publication date |
---|---|
EP4095827A1 (en) | 2022-11-30 |
EP4095827A4 (en) | 2023-10-11 |
AU2020424575A1 (en) | 2022-07-14 |
US20230044126A1 (en) | 2023-02-09 |
AU2020424575B2 (en) | 2023-08-03 |
JP7331951B2 (ja) | 2023-08-23 |
JPWO2021149098A1 (ja) | 2021-07-29 |
CN114981865A (zh) | 2022-08-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP7067633B2 (ja) | 秘密右シフト演算システム、秘密除算システム、それらの方法、秘密計算装置、およびプログラム | |
Chow et al. | A Karatsuba-based Montgomery multiplier | |
TWI821501B (zh) | 安全處理器、所述安全處理器的操作方法、以及加密或解密資料的方法 | |
Basilakis et al. | Efficient parallel binary operations on homomorphic encrypted real numbers | |
Bardis | Secure, green implementation of modular arithmetic operations for IoT and cloud applications | |
WO2021149098A1 (ja) | 秘密平方根計算システム、秘密正規化システム、それらの方法、秘密計算装置、およびプログラム | |
WO2021149099A1 (ja) | 秘密平方根逆数計算システム、秘密正規化システム、それらの方法、秘密計算装置、およびプログラム | |
WO2021149100A1 (ja) | 秘密指数関数計算システム、秘密指数関数計算方法、秘密計算装置、およびプログラム | |
WO2021149102A1 (ja) | 秘密逆数計算システム、秘密正規化システム、それらの方法、秘密計算装置、およびプログラム | |
WO2021149101A1 (ja) | 秘密選択積計算システム、秘密選択積計算方法、秘密計算装置、およびプログラム | |
WO2022079891A1 (ja) | 秘匿msb正規化システム、分散処理装置、秘匿msb正規化方法、およびプログラム | |
JP7173328B2 (ja) | 秘密除算システム、秘密計算装置、秘密除算方法、およびプログラム | |
Wei | New residue signed-digit addition algorithm | |
Mohan et al. | Modulo Multiplication and Modulo Squaring | |
Tew et al. | Multi-Precision Integer Arithmetic Processing Using Arithmetic Circuit Homomorphic Encryption | |
CN114981860A (zh) | 秘密计算装置、秘密计算方法、以及程序 | |
JP2004151234A (ja) | べき乗演算装置 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 20915351 Country of ref document: EP Kind code of ref document: A1 |
|
ENP | Entry into the national phase |
Ref document number: 2021572120 Country of ref document: JP Kind code of ref document: A |
|
ENP | Entry into the national phase |
Ref document number: 2020424575 Country of ref document: AU Date of ref document: 20200120 Kind code of ref document: A |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
ENP | Entry into the national phase |
Ref document number: 2020915351 Country of ref document: EP Effective date: 20220822 |