WO2021149104A1 - 秘密計算装置、秘密計算方法、およびプログラム - Google Patents

秘密計算装置、秘密計算方法、およびプログラム Download PDF

Info

Publication number
WO2021149104A1
WO2021149104A1 PCT/JP2020/001681 JP2020001681W WO2021149104A1 WO 2021149104 A1 WO2021149104 A1 WO 2021149104A1 JP 2020001681 W JP2020001681 W JP 2020001681W WO 2021149104 A1 WO2021149104 A1 WO 2021149104A1
Authority
WO
WIPO (PCT)
Prior art keywords
secret
value
secret sharing
sharing value
calculation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/JP2020/001681
Other languages
English (en)
French (fr)
Japanese (ja)
Inventor
大 五十嵐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
NTT Inc
Original Assignee
Nippon Telegraph and Telephone Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nippon Telegraph and Telephone Corp filed Critical Nippon Telegraph and Telephone Corp
Priority to JP2021572126A priority Critical patent/JP7290177B2/ja
Priority to CN202080093455.6A priority patent/CN114981861B/zh
Priority to US17/791,907 priority patent/US12452042B2/en
Priority to EP20915962.3A priority patent/EP4095832B1/en
Priority to AU2020425196A priority patent/AU2020425196B2/en
Priority to PCT/JP2020/001681 priority patent/WO2021149104A1/ja
Publication of WO2021149104A1 publication Critical patent/WO2021149104A1/ja
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085Secret sharing or secret splitting, e.g. threshold schemes
    • GPHYSICS
    • G09EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
    • G09CCIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
    • G09C1/00Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L9/16Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms the keys or algorithms being changed during operation

Definitions

  • the present invention relates to a technique for approximating a real elementary function in secret calculation.
  • Non-Patent Document 1 discloses a method of calculating elementary functions such as the reciprocal, the square root and its reciprocal, and the exponential function in secret calculation.
  • the present invention has been made in view of these points, and an object of the present invention is to provide a secret calculation technique that can be universally used for many elementary functions only by changing parameters.
  • Secret sharing values by a secret calculation using the secret sharing value [x] real x [y] give [ ⁇ x 2 + ax], real by secret calculation using the secret sharing value [x] and the secret variance [y]
  • x, y, z are real numbers
  • a, b, c, ⁇ , and ⁇ are real number coefficients
  • the secret sharing value of ⁇ is [ ⁇ ].
  • FIG. 1A is a block illustrating the secret calculation device of the first embodiment.
  • FIG. 1B is a flow chart for explaining the secret calculation method of the first embodiment.
  • FIG. 2A is a block illustrating the secret calculation device of the second embodiment.
  • FIG. 2B is a flow chart for explaining the secret calculation method of the second embodiment.
  • FIG. 3A is a block illustrating the secret calculation device of the third embodiment.
  • FIG. 3B is a flow chart for explaining the secret calculation method of the third embodiment.
  • FIG. 4 is a block illustrating the secret calculation device of the fourth embodiment.
  • FIG. 5 is a flow chart for explaining the secret calculation method of the fourth embodiment.
  • FIG. 6 is a table illustrating the calculated parameters for each elementary function.
  • FIG. 7 is a block diagram for explaining a hardware configuration.
  • the elementary function is approximated by a polynomial to perform a secret calculation.
  • many elementary functions can be secretly calculated for general purposes only by changing parameters.
  • the elementary functions handled in this embodiment are not limited, but when the exponential function or logarithmic function is approximated by a polynomial, the higher-order coefficients become very small. In such a case, if the approximation is performed using only one polynomial, the approximation accuracy of the coefficients will decrease. Therefore, in the present embodiment, a plurality of polynomials are used to gradually reduce the degree of higher order.
  • An elementary function is a one-variable function of a real number or a complex number, and it is obtained by repeating the creation of an algebraic function, an exponential function, a logarithmic function, a triangular function, an inverse triangular function, and a composite function thereof a finite number of times.
  • Examples of elementary functions are reciprocals, square root functions, exponential functions, logarithmic functions, and so on.
  • the secret calculation device 1 of the first embodiment has secret calculation units 11 and 12 and a control unit 19.
  • the secret calculation device 1 executes each process under the control of the control unit 19.
  • x, y, and z are real numbers
  • a, b, c, ⁇ , and ⁇ are real numbers.
  • the real number coefficients a, b, c, ⁇ , and ⁇ are set according to the desired elementary function.
  • -The secret sharing value of is [ ⁇ ].
  • the secret sharing method is not limited, and examples thereof include an additive secret sharing method and a Shamir secret sharing method.
  • An example of [ ⁇ ] is a secret sharing value (share) in which elements on the quotient ring are linearly secret-shared.
  • shares shares
  • the public decimal point position for an integer on the ring it can be regarded as a fixed-point real number.
  • the fixed-point real number represented on the ring in this way is simply expressed as a real number.
  • the secret sharing value [x] of the real number x is input to the secret calculation device 1 (step S10).
  • the secret sharing value [x] is input to the secret calculation unit 11.
  • the secret sharing values [x] and [y] are input to the secret calculation unit 12.
  • the secret calculation unit 11 outputs the secret sharing value [func (x)] (step S13).
  • the elementary function is approximated by the fourth-order polynomial, but in the second embodiment, the elementary function is approximated by the eighth-order polynomial.
  • the differences from the items described so far will be mainly explained, and the common items will be simplified.
  • the secret calculation device 2 of the second embodiment has secret calculation units 11, 22, 23 and a control unit 19.
  • the secret calculation device 2 executes each process under the control of the control unit 19.
  • x, y, z, w are real numbers
  • a, b, c, d, f, g, ⁇ , ⁇ , ⁇ , ⁇ , and ⁇ are real numbers.
  • the real number coefficients a, b, c, d, f, g, ⁇ , ⁇ , ⁇ , ⁇ , ⁇ , ⁇ are set according to the desired elementary function.
  • the secret sharing value [x] of the real number x is input to the secret calculation device 2 (step S10).
  • the secret sharing value [x] is input to the secret calculation unit 11.
  • the secret sharing values [x] and [y] are input to the secret calculation unit 22.
  • the secret sharing values [x], [y], and [z] are input to the secret calculation unit 23.
  • [Func (x)] [ ⁇ (z ( ⁇ z + d) + y ( ⁇ x + f) + gx)] is obtained and output (step S23).
  • the secret calculation device 2 outputs the secret distribution value [func (x)] (step S13).
  • the elementary function is approximated by a fourth-order polynomial as in the first embodiment, but it differs from the first embodiment in that the highest-order coefficient can be set.
  • the secret calculation device 3 of the third embodiment has secret calculation units 11 and 32 and a control unit 19.
  • the secret calculation device 3 executes each process under the control of the control unit 19.
  • x, y, and z are real numbers
  • a, b, c, ⁇ , ⁇ , and ⁇ are real numbers.
  • the real number coefficients a, b, c, ⁇ , ⁇ , ⁇ are set according to the desired elementary function.
  • the secret sharing value [x] of the real number x is input to the secret calculation device 3 (step S10).
  • the secret sharing value [x] is input to the secret calculation unit 11.
  • the secret sharing values [x] and [y] are input to the secret calculation unit 32.
  • the secret calculation unit 31 outputs the secret sharing value [func (x)] (step S13).
  • Desired elementary function a polynomial function f t (x) is approximated by func (x), further right shift before the function f t (x) and the approximation function f 'u of the function f t (x) (x) of 'secret sharing values of t (x) [f t ( x) -f' difference f t (x) -f to calculate the t (x)], the right the f t (x) -f 't (x) shifted (f t (x) -f ' t (x)) secret sharing values of r [f t (x) -f ' to obtain a t (x)] r, secret dispersion value [f t (x) -f 't (x)] r and secret variance [f' t (x) f t (x) with the secret calculations] -f 't (x) to f' function by adding
  • x is a real number
  • [ ⁇ ] is a secret distribution value of ⁇
  • n is an integer of 1 or more (for example, n is an integer of 2 or more)
  • t 0, ..., N-1.
  • f 't (x) is an approximation of the function f t (x)
  • ct, 0 are public values, and ct, 1 , ..., Ct, n + 1 are coefficients.
  • ct, 1 , ..., ct, n + 1 are values with a small effective number of bits, and even if ct, 1 , ..., ct, n + 1 are multiplied, a shift is required due to overflow. Is a value that does not have.
  • f t (x) -f 't (x) is a positive.
  • the secret sharing method is not limited, and examples thereof include an additive secret sharing method and a Shamir secret sharing method.
  • the size of t (x) is smaller than the size of the f t (x), a secret sharing value [f t (x) -f' where f t (x) -f overflow of t (x)] It can be suppressed.
  • the secret sharing value of the approximation of the right shift before the function f t (x) and the function f t (x) function f 'u (x) and the difference f t (x) -f' t (x) [f t (x) for computing -f 't (x)] it is possible to maintain high accuracy.
  • Overflow is a problem based on the performance of the processor that implements the secret calculation, and this method provides a method for solving the problem based on this hardware constraint.
  • this method does not solve a pure mathematics problem, but solves a hardware implementation problem and has technical features. For example, notably the technical features in the processor but overflows Calculating the secret variance [f t (x)] that does not overflow in the calculation of the secret sharing value [f t (x) -f ' t (x)] Is.
  • modifications of the first to third embodiments will be specifically shown.
  • the secret sharing value [x] is input to the secret calculation device 1 (step S10).
  • the secret calculation unit 12 outputs the obtained secret sharing value [func (x)] (step S13).
  • n 3
  • the secret sharing value [x] is input to the secret calculation device 2 (step S10).
  • Secret sharing value [w '] is not limited to the process for obtaining, for example, secure computing unit 23 to obtain a public value 2 sigma / gamma, public value 2 sigma / gamma and secret variance [w' / gamma ] May be used to obtain the secret sharing value [w'] r by the secret calculation [w'/ ⁇ ] / (2 ⁇ / ⁇ ) of the public value division.
  • is a positive integer representing the amount of right shift.
  • the secret calculation unit 23 outputs the obtained secret sharing value [func (x)] (step S13).
  • the secret sharing value [x] is input to the secret calculation device 3 (step S10).
  • secure computing unit 32 secure computing unit 32, a secret sharing value [z of r 'z right-shifted by a predetermined number of bits a' to z obtained by multiplying the gamma to / ⁇ '/ ⁇ ] a z a secret calculation using' secret The dispersion value [z'] r is obtained (step S32).
  • Secret sharing value [z '] is not limited to the process for obtaining the r, for example, secure computing unit 32 to obtain a public value 2 sigma / gamma, public value 2 sigma / gamma and secret variance [z' /
  • the secret sharing value [z'] r may be obtained by the secret calculation [z'/ ⁇ ] / (2 ⁇ / ⁇ ) of the public value division using [ ⁇ ]. As a result, the multiplication of ⁇ and the secret calculation of the right shift can be executed at the same time, so that the processing cost can be reduced.
  • the secret calculation unit 32 outputs the obtained secret sharing value [func (x)] (step S13).
  • the secret calculation device 4 of the fourth embodiment is any one of the secret calculation units 45, 46, 47, 48, 49, 410, 411, and the secret calculation devices 1 to 3 or the above-mentioned one. It has a secret calculation device of a modified example.
  • is a real number
  • p is a positive integer
  • L is an integer of 2 or more
  • [ ⁇ ] is a secret sharing value obtained by linearly secret sharing the elements on the quotient ring modulo p.
  • the secret distribution value [ ⁇ ] of the real number ⁇ is input to the secret calculation device 4 (step S40).
  • the secret sharing value [ ⁇ ] is input to the secret calculation unit 45.
  • the secret calculation unit 45 obtains the secret distribution values ⁇ 0 ⁇ , ..., ⁇ L-1 ⁇ of the L-bit representation ⁇ 0 ... ⁇ L-1 of the real number ⁇ by the secret calculation using the secret distribution value [ ⁇ ]. And output (step S45).
  • ⁇ 0 , ..., ⁇ L-1 are integers.
  • the secret sharing values ⁇ 0 ⁇ , ..., ⁇ L-1 ⁇ are input to the secret calculation unit 46.
  • the secret calculation unit 46 performs a secret calculation using the secret distribution values ⁇ 0 ⁇ , ..., ⁇ L-1 ⁇ , and the bits corresponding to the most significant bit (msb) ⁇ msb of the bit string ⁇ 0 ... ⁇ L-1.
  • the secret distribution value ⁇ of the msb flag sequence ⁇ 0 , ..., ⁇ L- 1 in which ⁇ msb is 1 and the bits ⁇ ⁇ ( ⁇ ⁇ ⁇ 0, ..., L-1 ⁇ ) other than the bit ⁇ msb are 0. 0 ⁇ , ..., ⁇ L-1 ⁇ are obtained and output (step S46). The details of step S46 will be described later.
  • the secret sharing values ⁇ 0 ⁇ , ..., ⁇ L-1 ⁇ are input to the secret calculation unit 47.
  • step S47 The details of step S47 will be described later.
  • the secret sharing values ⁇ 0 ⁇ , ..., ⁇ L-1 ⁇ are input to the secret calculation unit 48.
  • the secret calculation unit 48 performs a secret calculation using the secret sharing values ⁇ 0 ⁇ , ..., ⁇ L-1 ⁇ , and is a count value representing the number of elements that are 1 out of ⁇ 0 , ..., ⁇ L-1.
  • the secret sharing value [ ⁇ ] of ⁇ is obtained and output (step S48).
  • the secret sharing values ⁇ 0 ⁇ , ..., ⁇ L-1 ⁇ are input to the secret calculation unit 49.
  • the secret sharing values [ ⁇ ] and [ ⁇ ] are input to the secret calculation unit 410.
  • the secret sharing value [x] is input to any of the secret computing devices 1 to 3.
  • the secret computing device of any of the secret computing devices 1 to 3 or a modification thereof in which the secret sharing value [x] is input is subjected to the processing of the first to third embodiments or the modified example thereof, and the secret sharing value [func (x). ] And output (step S420).
  • the secret sharing values [func (x)] and [ ⁇ ] are input to the secret calculation unit 411.
  • the secret calculation device 4 outputs the secret distribution value [log ⁇ ] (step S412).
  • Example 1 Example of reciprocal function>
  • the secret sharing value of the reciprocal function value 1 / ⁇ of the real number ⁇ is calculated.
  • e be a positive integer that represents the difference between the decimal point position of the 0.5 bit string and the most significant bit (msb) of ⁇ when the input real number ⁇ is expressed in binary, and perform the following transformations on the real number ⁇ . .. That is, multiply by 2 e to normalize to the interval [0.5, 1) and reciprocal. The performs a process of multiplying the 2 e in secret calculation after obtaining.
  • normalization to the standard [0.5, 1) gives an accuracy of about 21 bits in an eighth-order polynomial approximation.
  • ⁇ L-1 bit representation chi 0 for, ..., chi L- Obtain a secret sharing value of 1 ⁇ 0 ⁇ , ..., ⁇ L-1 ⁇ .
  • the secret calculator corresponds to the most significant bit (msb) ⁇ msb of the bit string ⁇ 0 ... ⁇ L-1 by secret calculation using the secret distribution values ⁇ 0 ⁇ , ..., ⁇ L-1 ⁇ .
  • the secret distribution value of the msb flag sequence ⁇ 0 , ..., ⁇ L-1 in which the bit ⁇ msb is 1 and the bits ⁇ ⁇ ( ⁇ ⁇ ⁇ 0, ..., L-1 ⁇ ) other than the bit ⁇ msb are 0 ⁇ Obtain ⁇ 0 ⁇ , ..., ⁇ L-1 ⁇ . This process is the same as in step S46 described above. 3: The secret calculation device performs a secret calculation using the secret sharing values ⁇ 0 ⁇ , ..., ⁇ L-1 ⁇ , ⁇ 0 ⁇ , ..., ⁇ L-1 ⁇ , and 2 ⁇ i ⁇ L.
  • the upper and lower digits of ⁇ 0 ⁇ , ⁇ 1 ⁇ , ⁇ 2 ⁇ , ..., ⁇ L-1 ⁇ are reversed and combined, so here the upper and lower digits are reversed and the secret sharing value ⁇ ⁇ 0 ⁇ , ⁇ 1 ⁇ , ⁇ 2 ⁇ , ..., ⁇ L-1 ⁇ are set.
  • secure computing apparatus secure computing apparatus, the secret distribution value ⁇ 0 ⁇ , ⁇ 1 ⁇ , ⁇ 2 ⁇ , ..., by bit connection by secret calculation using ⁇ L-1 ⁇ , ⁇ ⁇ L-1 ⁇ , ..., ⁇ 0 ⁇ is combined to obtain [ ⁇ ] and output.
  • the secret calculation device obtains and outputs secret sharing values [w] [ ⁇ ] by secret calculation using secret sharing values [w] and [ ⁇ ].
  • Example 2 Example of reciprocal function of square root>
  • the reciprocal function of the square root is normalized to [0.5, 1) in the same way as the reciprocal function described above. However, the 2 e rather ⁇ (2 e) is multiplied by.
  • the following modification is performed on the real number ⁇ . In other words, it normalized by multiplying the 2 e in real chi, the inverse of the square root of the 2 e chi After finding, the process of multiplying by ⁇ (2 e ) is performed by secret calculation.
  • ⁇ L-1 bit representation chi 0 for, ..., chi L- Obtain a secret sharing value of 1 ⁇ 0 ⁇ , ..., ⁇ L-1 ⁇ .
  • floor is a floor function.
  • the secret calculation unit bites the msb flag string ⁇ L'-1 , ..., ⁇ 0 by bit coupling in the secret calculation using the secret sharing values ⁇ 0 ⁇ , ..., ⁇ L'-1 ⁇ .
  • the secret sharing value [ ⁇ '] of the combined msb flag value ⁇ ' is obtained and output.
  • the secret calculation unit is required for the secret sharing value [x] of the value x obtained by normalizing the real number ⁇ to [0.5, 1] by the reciprocal normalization protocol for the square root described above, and the inverse calculation of the normalization. Obtain secret sharing values [ ⁇ '] and [ ⁇ ]. 2: The secret calculation unit obtains a secret sharing value [func (x)] from the secret sharing value [x] by secret calculation using the method of the second embodiment or the third embodiment or a modification thereof. However, func (x) is a polynomial that approximates the reciprocal function of the square root of x.
  • steps S23'and S32' are illustrated below.
  • step S23' When the method of the second embodiment is used (step S23') >> The secret calculation unit executes steps S10, S11, and S22 of the second embodiment described above for the secret sharing value [x] of the value x normalized to [0.5, 1) as described above. After that, the secret calculation unit executes the following process of step S232 instead of step S23.
  • the secret calculator uses the secret sharing values [x], [y], [z] and the public values 2 ⁇ 0 / m 0 , 2 ⁇ 1 / m 1 obtained in step S232a for secret calculation of the public value division [ ⁇ (z ( ⁇ z + d) + y ( ⁇ x + f) + gx)] / (2 ⁇ 0 / m 0), performs [ ⁇ (z ( ⁇ z + d ) + y ( ⁇ x + f) + gx)] / (2 ⁇ 1 / m 1), m 0
  • the secret sharing value of ⁇ (z ( ⁇ z + d) + y ( ⁇ x + f) + gx) shifted to the right by ⁇ 0 bits [m 0 ⁇ (z ( ⁇ z + d) + y ( ⁇ x + f) + gx)] r and m 1 ⁇ (z ( ⁇ z + d)) + Y ( ⁇ x + f) + gx) is right-shifted
  • secret sharing values [ ⁇ ], [m 0 ⁇ (z ( ⁇ z + d) + y ( ⁇ x + f) + gx)] r , [m 1 ⁇ (z ( ⁇ z + d) + y ( ⁇ x + f) + gx)] r were used.
  • the secret sharing value of m ⁇ ⁇ (z ( ⁇ z + d) + y ( ⁇ x + f) + gx) [func (x)] [ ⁇ ?
  • the secret calculation unit executes the process of step S232'as follows (steps S232a'to S232e').
  • the secret calculator uses the secret sharing value [w'/ ⁇ ] and the public value 2 ⁇ 0 / m 0 , 2 ⁇ 1 / m 1 obtained in step S232b'to be used for the secret calculation [w'/ ⁇ ] of the public value division. ] / (2 ⁇ 0 / ⁇ m 0 ), [w'/ ⁇ ] / (2 ⁇ 1 / ⁇ m 1 ), and the secret sharing value [m 0 w'] of the value obtained by right-shifting m 0 w'by ⁇ 0 bits.
  • the secret sharing value [m 1 w'] r of the values obtained by right-shifting r and m 1 w'by ⁇ 1 bit is obtained and output (step S232c').
  • step S32' When the method of the third embodiment is used (step S32') >> The secret calculation unit executes steps S10 and S11 of the third embodiment described above for the secret sharing value [x] of the value x normalized to [0.5, 1) as described above. After that, the secret calculation unit executes the following process of step S323 instead of step S32.
  • the secret calculation unit executes the process of step S323 as follows (steps S323a to S323c), for example.
  • Secure computing apparatus secret sharing value [x], [y] and step public value obtained in S323a 2 ⁇ 0 / m 0, 2 ⁇ 1 / m 1 and public value secure computing the division using the [gamma (y ( ⁇ y + b) + cx)] / (2 ⁇ 0 / m 0 ), [ ⁇ (y ( ⁇ y + b) + cx)] / (2 ⁇ 1 / m 1 ), and m 0 ⁇ (y ( ⁇ y + b) + cx) is only ⁇ 0 bits.
  • the secret sharing value of the right-shifted value [m 0 ⁇ (y ( ⁇ y + b) + cx)]
  • the secret sharing value of the value obtained by right-shifting r and m 1 ⁇ (y ( ⁇ y + b) + cx) by ⁇ 1 bit [m 1 ⁇ (y) ( ⁇ y + b) + cx)] r is obtained and output (step S323b).
  • step S32' When the method of the modified example of the third embodiment is used (step S32') >> The secret calculation unit executes steps S10 and S11 of the modified example of the third embodiment described above with respect to the secret sharing value [x] of the value x normalized to [0.5, 1) as described above. After that, the secret calculation unit executes the following process of step S323'instead of step S32.
  • the secret calculation unit executes the process of step S323'as follows (steps S323a' to S323c').
  • the secret sharing value [w '/ ⁇ ] a step S323b' public value 2 ⁇ 0 / m 0 obtained in, 2 ⁇ 1 / m 1 and secure computing the public value division using the [w '/ gamma ] / (2 ⁇ 0 / ⁇ m 0 ), [w'/ ⁇ ] / (2 ⁇ 1 / ⁇ m 1 ), and the secret sharing value [m 0 w'] of the value obtained by right-shifting m 0 w'by ⁇ 0 bits.
  • the secret sharing value [m 1 w'] r of the values obtained by right-shifting r and m 1 w'by ⁇ 1 bit is obtained and output (step S323c').
  • Example 3 Example of square root function>
  • the secret sharing value of the square root ⁇ of the real number ⁇ is calculated.
  • the reciprocal function of the square root is normalized to [1, 2] in the same way as the reciprocal function described above.
  • the following modification is performed on the real number ⁇ . In other words, normalized by multiplying the 2 e in real chi, performs a process of dividing ⁇ after obtaining the square root of 2 e ⁇ ⁇ (2 e ⁇ ) (2 e) in secure computing.
  • ⁇ L-1 bit representation chi 0 for, ..., chi L- Obtain a secret sharing value of 1 ⁇ 0 ⁇ , ..., ⁇ L-1 ⁇ .
  • the secret calculator corresponds to the most significant bit (msb) ⁇ msb of the bit string ⁇ 0 ... ⁇ L-1 by secret calculation using the secret distribution values ⁇ 0 ⁇ , ..., ⁇ L-1 ⁇ .
  • the secret computing device converts the secret sharing value ⁇ into the secret sharing value [ ⁇ ].
  • the secret computing device uses the secret sharing values ⁇ 0 ⁇ , ⁇ 1 ⁇ , ⁇ 2 ⁇ , ..., By bit coupling by secret calculation using ⁇ L-1 ⁇ , ⁇ 0 ⁇ , ..., Combine ⁇ L'-1 ⁇ to obtain [ ⁇ '] and output.
  • the secret calculation device combines ⁇ L-1 ⁇ , ..., ⁇ 0 ⁇ by secret calculation using the secret sharing values ⁇ 0 ⁇ , ..., ⁇ L-1 ⁇ [ ⁇ ].
  • func (x) is a polynomial that approximates the square root function of x.
  • steps S23 "and S32" are illustrated below.
  • step S23 When the method of the second embodiment is used (step S23 ") >> The secret calculation unit executes steps S10, S11, and S22 of the second embodiment described above for the secret sharing value [x] of the value x normalized to [1, 2] as described above. After that, the secret calculation unit executes the following process of step S234 instead of step S23.
  • the secret calculation unit executes the process of step S234 as follows (steps S234a to S234c).
  • the secret calculator uses the secret sharing values [x], [y], [z] and the public values 2 ⁇ 0 / m 0 , 2 ⁇ 1 / m 1 obtained in step S234a to perform secret calculation of public value division [ ⁇ (z ( ⁇ z + d) + y ( ⁇ x + f) + gx)] / (2 ⁇ 0 / m 0), performs [ ⁇ (z ( ⁇ z + d ) + y ( ⁇ x + f) + gx)] / (2 ⁇ 1 / m 1), m 0
  • the secret sharing value of ⁇ (z ( ⁇ z + d) + y ( ⁇ x + f) + gx) shifted to the right by ⁇ 0 bits [m 0 ⁇ (z ( ⁇ z + d) + y ( ⁇ x + f) + gx)] r and m 1 ⁇ (z ( ⁇ z + d)) + Y ( ⁇ x + f) + gx) is right-
  • secret sharing values [ ⁇ ], [m 0 ⁇ (z ( ⁇ z + d) + y ( ⁇ x + f) + gx)] r , [m 1 ⁇ (z ( ⁇ z + d) + y ( ⁇ x + f) + gx)] r were used.
  • the secret sharing value of m ⁇ ⁇ (z ( ⁇ z + d) + y ( ⁇ x + f) + gx) [func (x)] [ ⁇ ?
  • step S23 When the method of the modified example of the second embodiment is used (step S23 ")"
  • the secret calculation unit executes steps S10, S11, and S22 of the modified example of the second embodiment described above with respect to the secret distribution value [x] of the value x normalized to [1, 2] as described above. After that, the secret calculation unit executes the following process of step S234'instead of step S23.
  • the secret calculation unit executes the process of step S234'as follows (steps S234a'to S234e').
  • the secret calculation device uses the secret distribution value [w'/ ⁇ ] and the secret calculation [w'/ ⁇ ] of the public value division using the public values 2 ⁇ 0 / m 0 and 2 ⁇ 1 / m 1 obtained in step S234b'. ] / (2 ⁇ 0 / ⁇ m 0 ), [w'/ ⁇ ] / (2 ⁇ 1 / ⁇ m 1 ), and the secret sharing value [m 0 w'] of the value obtained by right-shifting m 0 w'by ⁇ 0 bits.
  • the secret sharing value [m 1 w'] r of the values obtained by right-shifting r and m 1 w'by ⁇ 1 bit is obtained and output (step S234c').
  • step S32 When the method of the third embodiment is used (step S32 ") >> The secret calculation unit executes steps S10 and S11 of the third embodiment described above for the secret sharing value [x] of the value x normalized to [1 and 2] as described above. After that, the secret calculation unit executes the following process of step S325 instead of step S32.
  • the secret calculation unit executes the process of step S325 as follows (steps S325a to S325c), for example.
  • Secure computing apparatus secret sharing value [x], [y] and step public value obtained in S325a 2 ⁇ 0 / m 0, 2 ⁇ 1 / m 1 and public value secure computing the division using the [gamma (y ( ⁇ y + b) + cx)] / (2 ⁇ 0 / m 0 ), [ ⁇ (y ( ⁇ y + b) + cx)] / (2 ⁇ 1 / m 1 ), and m 0 ⁇ (y ( ⁇ y + b) + cx) is only ⁇ 0 bits.
  • the secret sharing value of the right-shifted value [m 0 ⁇ (y ( ⁇ y + b) + cx)]
  • the secret sharing value of the value obtained by right-shifting r and m 1 ⁇ (y ( ⁇ y + b) + cx) by ⁇ 1 bit [m 1 ⁇ (y) ( ⁇ y + b) + cx)] r is obtained and output (step S325b).
  • step S32 When the method of the modified example of the third embodiment is used (step S32 ")"
  • the secret calculation unit executes steps S10 and S11 of the modified example of the third embodiment described above with respect to the secret sharing value [x] of the value x normalized to [1, 2] as described above. After that, the secret calculation unit executes the following process of step S325'instead of step S32.
  • the secret calculation unit executes the process of step S325'as follows (steps S325a'to S325c').
  • the secret sharing value [w '/ ⁇ ] a step S325b' public value 2 ⁇ 0 / m 0 obtained in, 2 ⁇ 1 / m 1 and secure computing the public value division using the [w '/ gamma ] / (2 ⁇ 0 / ⁇ m 0 ), [w'/ ⁇ ] / (2 ⁇ 1 / ⁇ m 1 ), and the secret sharing value [m 0 w'] of the value obtained by right-shifting m 0 w'by ⁇ 0 bits.
  • the secret sharing value [m 1 w'] r of the values obtained by right-shifting r and m 1 w'by ⁇ 1 bit is obtained and output (step S325c').
  • Example 4 Example of exponential function>
  • exp ⁇ is a public value, exp 2 -t x 0 , ..., exp 2 u-t-1 x u-1 is a table calculation. exp x ⁇ is the place to be calculated by approximation, and is normalized to [0,2-t].
  • Input: [x] Output: [exp (x)]
  • secure computing apparatus the secure computing, for each 0 ⁇ i ⁇ u, mantissa f i, epsilon i respectively exp (2 i-t), and exponent.
  • the secret calculation device obtains [w] [f'] [ ⁇ '] exp ( ⁇ ) by secret calculation and outputs it.
  • the secret calculator obtains a public value of 2 ⁇ / exp ( ⁇ ) by secret calculation, and obtains a secret distribution value [w] [f'] [ ⁇ '] and a public value of 2 ⁇ / exp ( ⁇ ).
  • FIG. 6 illustrates the calculated parameters when the elementary function is an inverse function, a square root function, a square root inverse function, an exponential function, or a logarithmic function.
  • ey, and ez indicate the decimal point positions of x, y, and z, respectively.
  • e'x, e'y, and e'z indicate the decimal point positions of x', y', and z'before the right shift, respectively.
  • These decimal point positions represent the bit positions of the decimal point positions counted from the lower bits. The value representing this bit position starts from 0, and when the e1st bit represents 1 counting from the lower bits, it is described that the decimal point position is e1.
  • the secret computing devices 1 to 4 in each embodiment and the secret computing devices in each embodiment are, for example, a processor (hardware processor) such as a CPU (central processing unit), a RAM (random-access memory), or a ROM (read-).
  • a processor such as a CPU (central processing unit), a RAM (random-access memory), or a ROM (read-).
  • a device configured by a general-purpose or dedicated computer equipped with a memory such as "only memory”) executing a predetermined program.
  • This computer may have one processor and memory, or may have a plurality of processors and memory.
  • This program may be installed in a computer or may be recorded in a ROM or the like in advance.
  • a part or all of the processing units may be configured by using an electronic circuit that realizes a processing function independently, instead of an electronic circuit (circuitry) that realizes a function configuration by reading a program like a CPU. ..
  • the electronic circuit constituting one device may include a plurality of CPUs.
  • FIG. 5 is a block diagram illustrating the hardware configurations of the secret calculation devices 1 to 4 in each embodiment and the secret calculation devices in each embodiment.
  • the secret computing devices 1 to 4 of this example include a CPU (Central Processing Unit) 10a, an output unit 10b, an output unit 10c, a RAM (RandomAccessMemory) 10d, and a ROM (ReadOnlyMemory) 10e. , Auxiliary storage device 10f and bus 10g.
  • the CPU 10a of this example has a control unit 10aa, a calculation unit 10ab, and a register 10ac, and executes various arithmetic processes according to various programs read into the register 10ac.
  • the output unit 10b is an output terminal, a display, or the like on which data is output.
  • the output unit 10c is a LAN card or the like controlled by the CPU 10a that has read a predetermined program.
  • the RAM 10d is a SRAM (Static Random Access Memory), a DRAM (Dynamic Random Access Memory), or the like, and has a program area 10da in which a predetermined program is stored and a data area 10db in which various data are stored.
  • the auxiliary storage device 10f is, for example, a hard disk, MO (Magneto-Optical disc), a semiconductor memory, or the like, and has a program area 10fa for storing a predetermined program and a data area 10fb for storing various data.
  • the bus 10g connects the CPU 10a, the output unit 10b, the output unit 10c, the RAM 10d, the ROM 10e, and the auxiliary storage device 10f so that information can be exchanged.
  • the CPU 10a writes the program stored in the program area 10fa of the auxiliary storage device 10f to the program area 10da of the RAM 10d according to the read OS (Operating System) program.
  • the CPU 10a writes various data stored in the data area 10fb of the auxiliary storage device 10f to the data area 10db of the RAM 10d. Then, the address on the RAM 10d in which this program or data is written is stored in the register 10ac of the CPU 10a.
  • the control unit 10ab of the CPU 10a sequentially reads out these addresses stored in the register 10ac, reads a program or data from the area on the RAM 10d indicated by the read address, and causes the arithmetic unit 10ab to sequentially execute the operations indicated by the program.
  • the calculation result is stored in the register 10ac.
  • the above program can be recorded on a computer-readable recording medium.
  • a computer-readable recording medium is a non-transitory recording medium. Examples of such a recording medium are a magnetic recording device, an optical disk, a photomagnetic recording medium, a semiconductor memory, and the like.
  • the distribution of this program is carried out, for example, by selling, transferring, renting, etc., a portable recording medium such as a DVD or CD-ROM on which the program is recorded.
  • the program may be stored in the storage device of the server computer, and the program may be distributed by transferring the program from the server computer to another computer via a network.
  • the computer that executes such a program first temporarily stores, for example, the program recorded on the portable recording medium or the program transferred from the server computer in its own storage device. Then, when the process is executed, the computer reads the program stored in its own storage device and executes the process according to the read program.
  • a computer may read the program directly from a portable recording medium and execute processing according to the program, and further, the program is transferred from the server computer to this computer. Each time, the processing according to the received program may be executed sequentially.
  • the above processing is executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition without transferring the program from the server computer to this computer. May be.
  • the program in this embodiment includes information to be used for processing by a computer and equivalent to the program (data that is not a direct command to the computer but has a property of defining the processing of the computer, etc.).
  • the present device is configured by executing a predetermined program on a computer, but at least a part of these processing contents may be realized by hardware.
  • the present invention is not limited to the above-described embodiment.
  • the present invention may be used when performing secret calculations on elementary functions other than those shown in specific examples.
  • the various processes described above are not only executed in chronological order according to the description, but may also be executed in parallel or individually as required by the processing capacity of the device that executes the processes.
  • changes can be made as appropriate without departing from the spirit of the present invention.
  • the present invention can be used, for example, for the calculation of elementary functions such as inverse function, square root function, exponential function, and logarithmic function in machine learning and data mining performed by secret calculation while concealing data.
  • elementary functions such as inverse function, square root function, exponential function, and logarithmic function

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Complex Calculations (AREA)
  • Devices For Executing Special Programs (AREA)
  • Pharmaceuticals Containing Other Organic And Inorganic Compounds (AREA)
  • Hardware Redundancy (AREA)
PCT/JP2020/001681 2020-01-20 2020-01-20 秘密計算装置、秘密計算方法、およびプログラム Ceased WO2021149104A1 (ja)

Priority Applications (6)

Application Number Priority Date Filing Date Title
JP2021572126A JP7290177B2 (ja) 2020-01-20 2020-01-20 秘密計算装置、秘密計算方法、およびプログラム
CN202080093455.6A CN114981861B (zh) 2020-01-20 2020-01-20 秘密计算装置、秘密计算方法及计算机程序产品
US17/791,907 US12452042B2 (en) 2020-01-20 2020-01-20 Secure computation apparatus, secure computation method, and program
EP20915962.3A EP4095832B1 (en) 2020-01-20 2020-01-20 Secure computation device, secure computation method, and program
AU2020425196A AU2020425196B2 (en) 2020-01-20 2020-01-20 Secure computation apparatus, secure computation method, and program
PCT/JP2020/001681 WO2021149104A1 (ja) 2020-01-20 2020-01-20 秘密計算装置、秘密計算方法、およびプログラム

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2020/001681 WO2021149104A1 (ja) 2020-01-20 2020-01-20 秘密計算装置、秘密計算方法、およびプログラム

Publications (1)

Publication Number Publication Date
WO2021149104A1 true WO2021149104A1 (ja) 2021-07-29

Family

ID=76992096

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2020/001681 Ceased WO2021149104A1 (ja) 2020-01-20 2020-01-20 秘密計算装置、秘密計算方法、およびプログラム

Country Status (6)

Country Link
US (1) US12452042B2 (https=)
EP (1) EP4095832B1 (https=)
JP (1) JP7290177B2 (https=)
CN (1) CN114981861B (https=)
AU (1) AU2020425196B2 (https=)
WO (1) WO2021149104A1 (https=)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024228296A1 (ja) * 2023-05-01 2024-11-07 エヌ・ティ・ティ・コミュニケーションズ株式会社 分析装置、分析方法及び分析プログラム
WO2024241366A1 (ja) * 2023-05-19 2024-11-28 日本電信電話株式会社 秘密計算装置、秘密計算方法、プログラム

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019225531A1 (ja) * 2018-05-25 2019-11-28 日本電信電話株式会社 秘密一括近似システム、秘密計算装置、秘密一括近似方法、およびプログラム

Family Cites Families (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012011565A1 (ja) * 2010-07-23 2012-01-26 日本電信電話株式会社 秘密分散システム、分散装置、分散管理装置、取得装置、秘密分散方法、プログラム、及び記録媒体
WO2015107951A1 (ja) * 2014-01-17 2015-07-23 日本電信電話株式会社 秘密計算方法、秘密計算システム、ソート装置及びプログラム
EP3101645B1 (en) * 2014-01-28 2019-09-04 Nippon Telegraph and Telephone Corporation Secure computation method, secure computation system, secure computation server, registrant terminal, user terminal and program
EP3239963B1 (en) * 2014-12-26 2020-07-22 Nippon Telegraph and Telephone Corporation Secret falsification detection system, secret computation apparatus, secret falsification detecting method, and program
WO2016113738A1 (en) * 2015-01-15 2016-07-21 B. G. Negev Technologies And Applications Ltd., At Ben-Gurion University Secret shared random access machine
JP5957126B1 (ja) * 2015-06-24 2016-07-27 日本電信電話株式会社 秘密計算装置、秘密計算方法、およびプログラム
JP6006842B1 (ja) * 2015-07-22 2016-10-12 日本電信電話株式会社 秘密計算装置、その方法、およびプログラム
JP6034927B1 (ja) * 2015-07-27 2016-11-30 日本電信電話株式会社 秘密計算システム、秘密計算装置、およびプログラム
EP3573039B1 (en) * 2017-01-20 2021-08-18 Nippon Telegraph and Telephone Corporation Secure computing system, secure computing device, secure computing method, and program
WO2019005946A2 (en) * 2017-06-27 2019-01-03 Leighton Bonnie Berger OPEN GENOME OUTSOURCING FOR LARGE SCALE ASSOCIATION STUDIES
CN111052205B (zh) * 2017-08-22 2023-03-28 日本电信电话株式会社 份额生成装置、复原装置、秘密计算系统、份额生成方法、复原方法、以及记录介质
US10460234B2 (en) * 2018-01-19 2019-10-29 Microsoft Technology Licensing, Llc Private deep neural network training

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019225531A1 (ja) * 2018-05-25 2019-11-28 日本電信電話株式会社 秘密一括近似システム、秘密計算装置、秘密一括近似方法、およびプログラム

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
CHUAN GUO; AWNI HANNUN; BRIAN KNOTT; LAURENS VAN DER MAATEN; MARK TYGERT; RUIYU ZHU: "Secure multiparty computations in floating-point arithmetic", ARXIV.ORG, CORNELL UNIVERSITY LIBRARY, 201 OLIN LIBRARY CORNELL UNIVERSITY ITHACA, NY 14853, 9 January 2020 (2020-01-09), 201 Olin Library Cornell University Ithaca, NY 14853, XP081575971 *
SANSHIN KIBUKI; IGARASHI OHHAMA; HIROKI; KIKUCHI RYO: "Designs and Implementations of Efficient and Accurate Secret Logistic Regression", PROCEEDINGS COMPUTER SECURITY SYMPOSIUM 2018, 22-25 OCTOBER 2018, INFORMATION PROCESSING SOCIETY OF JAPAN, JAPAN, vol. 2018, no. 2, 15 October 2018 (2018-10-15), Japan, pages 1229 - 1236, XP009522747 *
See also references of EP4095832A4 *
TOSHIYUKI TAKADA , HIROYUKI HANADA, ATSUSHI SAKUMA, ICHIRO TAKEUCHI: "Secure Approximation Guarantee for Private Empirical Risk Minimization with Homomorphic Encryption", IEICE TECHNICAL REPORT, vol. 115, no. 323 (IBISML2015-86), 19 November 2015 (2015-11-19), JP, pages 249 - 256, XP009530120, ISSN: 0913-5685 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024228296A1 (ja) * 2023-05-01 2024-11-07 エヌ・ティ・ティ・コミュニケーションズ株式会社 分析装置、分析方法及び分析プログラム
WO2024241366A1 (ja) * 2023-05-19 2024-11-28 日本電信電話株式会社 秘密計算装置、秘密計算方法、プログラム

Also Published As

Publication number Publication date
AU2020425196A1 (en) 2022-07-14
JP7290177B2 (ja) 2023-06-13
EP4095832B1 (en) 2025-03-12
CN114981861A (zh) 2022-08-30
EP4095832A1 (en) 2022-11-30
JPWO2021149104A1 (https=) 2021-07-29
US12452042B2 (en) 2025-10-21
CN114981861B (zh) 2025-06-13
EP4095832A4 (en) 2023-10-18
US20220407682A1 (en) 2022-12-22
AU2020425196B2 (en) 2023-06-08

Similar Documents

Publication Publication Date Title
JP7586604B2 (ja) 大規模並列ニューラル推論エンジン用のマルチモード低精度内積計算回路
CN112434317A (zh) 数据处理方法、装置、设备及存储介质
JP7290177B2 (ja) 秘密計算装置、秘密計算方法、およびプログラム
CN117908835B (zh) 一种基于浮点数计算能力加速sm2国密算法的方法
CN114981858B (zh) 秘密计算装置、秘密计算方法以及计算机程序产品
JP7290178B2 (ja) 秘密計算装置、秘密計算方法、およびプログラム
JP7318743B2 (ja) 秘密計算装置、秘密計算方法、およびプログラム
CN114981865B (zh) 秘密平方根计算系统、秘密归一化系统、它们的方法、秘密计算装置以及程序
JP7331953B2 (ja) 秘密逆数計算システム、秘密正規化システム、それらの方法、秘密計算装置、およびプログラム
JP7331952B2 (ja) 秘密平方根逆数計算システム、秘密正規化システム、それらの方法、秘密計算装置、およびプログラム
CN114981862B (zh) 秘密指数函数计算系统、秘密指数函数计算方法、秘密计算装置以及计算机程序产品
JP2005128832A (ja) データ処理装置と剰余演算回路
CN120179973A (zh) 一种矩阵计算方法及装置
CN116738494A (zh) 基于秘密分享的多方安全计算的模型训练方法和装置
Ananda Mohan Modulo Multiplication and Modulo Squaring

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20915962

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2021572126

Country of ref document: JP

Kind code of ref document: A

ENP Entry into the national phase

Ref document number: 2020425196

Country of ref document: AU

Date of ref document: 20200120

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2020915962

Country of ref document: EP

Effective date: 20220822

WWG Wipo information: grant in national office

Ref document number: 202080093455.6

Country of ref document: CN

WWG Wipo information: grant in national office

Ref document number: 17791907

Country of ref document: US