WO2021149106A1 - Secure computation apparatus, secure computation method, and program - Google Patents
Secure computation apparatus, secure computation method, and program
- Publication number
- WO2021149106A1 (PCT/JP2020/001683)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- secret
- value
- calculation
- public
- program
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/085—Secret sharing or secret splitting, e.g. threshold schemes
-
- G—PHYSICS
- G09—EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
- G09C—CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
- G09C1/00—Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3006—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/46—Secure multiparty computation, e.g. millionaire problem
Definitions
- the present invention relates to a technique for multiplying real values in secret calculation.
- Non-Patent Document 1 discloses a secret calculation method for multiplying a published real value by a secret sharing value.
- Non-Patent Document 1 has the problem that the calculation cost is high because, each time a multiplication is performed, a right shift is also performed by secret calculation so that the value does not overflow.
- the present invention has been made in view of such a point, and an object of the present invention is to reduce the calculation cost of a secret calculation for multiplying a published real value by a secret sharing value.
- x is a real number
- [·] is the secret sharing value of ·
- σ is a positive integer that is the number of bits representing the right shift amount
- m is a real number
- a public value 2^σ/m is obtained, and a secret calculation [x]/(2^σ/m) of public value division using the secret sharing value [x] and the obtained public value 2^σ/m is performed to obtain the secret sharing value [mx]_r of the value obtained by shifting mx to the right by σ bits.
- the multiplication by the real number m and the right shift by σ bits are executed at the same time, so that the calculation cost can be reduced.
- FIG. 1A is a block diagram illustrating the secret calculation device of the embodiment.
- FIG. 1B is a flow chart for exemplifying the secret calculation method of the embodiment.
- FIG. 2 is a table illustrating the calculated parameters for each elementary function.
- FIG. 3 is a block diagram for explaining a hardware configuration.
- the secret computing device takes as input the secret sharing value [x] of the real number x, the real number m which is a multiplier, and the positive integer σ which is the number of bits representing the right shift amount, and obtains and outputs the secret sharing value [mx]_r of the value obtained by shifting mx to the right by σ bits.
- the secret sharing method of the secret sharing value is not limited, and examples thereof include an additive secret sharing method and a Shamir secret sharing method.
- An example of [·] is a secret sharing value (share) in which an element · on the quotient ring is linearly secret-shared.
- By defining a public decimal point position for an integer on the ring, it can be regarded as a fixed-point real number. In the embodiment, the fixed-point real number represented on the ring in this way is simply expressed as a real number.
- the secret calculation device 1 of the embodiment has a public value calculation unit 11, a secret calculation unit 12, and a control unit 19.
- the secret calculation device 1 executes each process under the control of the control unit 19.
- the secret sharing value [x], the real number m, and the positive integer σ are input to the secret calculation device 1 (step S10).
- the secret sharing value [x] is sent to the secret calculation unit 12, and the real number m and the positive integer σ are sent to the public value calculation unit 11.
- the real number m and the positive integer σ are input to the public value calculation unit 11.
- the public value calculation unit 11 calculates and outputs the public value 2^σ/m (step S11).
- the secret sharing value [x] and the public value 2^σ/m output from the public value calculation unit 11 are input to the secret calculation unit 12.
- the secret calculation unit 12 performs a secret calculation [x]/(2^σ/m) of the public value division using the secret sharing value [x] and the public value 2^σ/m obtained by the public value calculation unit 11. Then, the secret sharing value [mx]_r of the value obtained by right-shifting mx by σ bits is obtained and output (step S12).
- the secret calculation device 1 outputs the secret sharing value [mx]_r (step S13).
- the value obtained by this secret calculation is equivalent to the secret sharing value [mx]_r of the value obtained by right-shifting the multiplication result mx by σ bits.
- multiplication and right shift are realized at the same time by the secret calculation of public value division with low calculation cost.
- the calculation cost can be significantly reduced.
- division is recognized as a process in which the calculation cost is higher than that of multiplication, and it does not lead to the idea of using division for the process of multiplication.
- the public value 2^σ/m is calculated by paying attention to the fact that the right shift is equivalent to the division, and the secret calculation [x]/(2^σ/m) of the public value division is performed.
- Implementation example: An algorithm that can implement the above method is illustrated below.
- one of the two public values m0 and m1 is multiplied by the secret sharing value [x] of the real number x according to the condition c ∈ {0, 1}. If the public values m0 and m1 are large, the effective number of bits of the multiplied value (the number of bits required to express that number in binary) increases, and the number cannot be multiplied any more. Therefore, it may be necessary to shift to the right. In the first embodiment, such processing is made more efficient.
- the secret computing device obtains and outputs secret sharing values [m0x] and [m1x] by secret calculation using the secret sharing value [x], the multipliers m0, m1, and the modulus p (step S21). A specific example of the process in step S21 will be described later.
- A specific example of the processing in step S21 will be described.
- p is a modulus that is a positive integer
- q is a quotient that is a positive integer.
- the secret calculation device obtains and outputs the secret sharing value [q] of the quotient q of x/p by the secret calculation using the secret sharing value [x] and the modulus p (step S211).
- the public value calculation unit 212a obtains and outputs the public values 2^σ0/m0 and 2^σ1/m1 using the multipliers m0, m1 and the positive integers σ0, σ1.
- σ0 and σ1 are positive integers which are the number of bits representing the right shift amount required when the multipliers m0 and m1 are large (step S212a).
- the secret calculation device performs the secret calculations [x+qp]/(2^σ0/m0) and [x+qp]/(2^σ1/m1) of the public value division using the secret sharing values [x], [q], the modulus p, and the public values 2^σ0/m0 and 2^σ1/m1 obtained by the public value calculation unit 212a, and obtains and outputs the secret sharing value [(x+qp)m0] of (x+qp)m0 right-shifted by σ0 bits and the secret sharing value [(x+qp)m1] of (x+qp)m1 right-shifted by σ1 bits (step S212b).
- Example 2: an arbitrary function (e.g., an elementary function) is approximated by a polynomial function f_t(x); the secret sharing value [f_t(x)-f'_t(x)] of the difference f_t(x)-f'_t(x) between the function f_t(x) before the right shift and the approximation function f'_u(x) of the function f_t(x) is calculated; the secret sharing value [f_t(x)-f'_t(x)]_r of (f_t(x)-f'_t(x))_r, obtained by right-shifting f_t(x)-f'_t(x), is obtained; and the secret sharing value [f_t(x)] of the function f_t(x), obtained by adding f'_t(x) to f_t(x)-f'_t(x), is obtained by secret calculation on the secret sharing value [f_t(x)-f'_t(x)]_r and the secret sharing value [f'_t(x)].
- x is a real number
- [·] is a secret sharing value of ·
- n is an integer of 1 or more (for example, n is an integer of 2 or more)
- t = 0, ..., n-1.
- f'_t(x) is an approximation of the function f_t(x)
- c_{t,0} are public values, and c_{t,1}, ..., c_{t,n+1} are coefficients.
- c_{t,1}, ..., c_{t,n+1} are values with a small effective number of bits, such that even when c_{t,1}, ..., c_{t,n+1} are multiplied, no shift is required due to overflow.
- f_t(x)-f'_t(x) is positive.
- the secret sharing method is not limited, and examples thereof include an additive secret sharing method and a Shamir secret sharing method.
- since the size of f_t(x)-f'_t(x) is smaller than the size of f_t(x), overflow of the secret sharing value [f_t(x)-f'_t(x)] can be suppressed.
- since the secret sharing value [f_t(x)-f'_t(x)] of the difference f_t(x)-f'_t(x) between the function f_t(x) before the right shift and the approximation function f'_u(x) of the function f_t(x) is calculated, high accuracy can be maintained.
- Overflow is a problem based on the performance of the processor that implements the secret calculation, and this method provides a method for solving the problem based on this hardware constraint.
- this method does not solve a pure mathematics problem, but solves a hardware implementation problem and has technical features. For example, the technical features are notable in a processor that overflows when calculating the secret sharing value [f_t(x)] but does not overflow when calculating the secret sharing value [f_t(x)-f'_t(x)].
- the secret computing device takes the secret sharing value [x] of the real number x ∈ [L, R) as an input, performs the following secret calculation, and outputs the secret sharing value [f_{n-1}(x)] of the target function f_{n-1}(x).
- L and R are real numbers satisfying L < R, and [L, R) represents a left-closed right-open interval of L or more and less than R.
- n = 3, and a, b, c, d, f, g, H, i, j, k, s, m, n, o, p, q, α, β, γ, δ, ζ are preset parameters.
- exp μ is the public value, and exp 2^{-t}x_0, ..., exp 2^{u-t-1}x_{u-1} are the parts calculated by the table.
- exp x_ρ is the part calculated by approximation and is normalized to [0, 2^{-t}).
- Input: [x] Output: [exp (x)]
- by secret calculation, for each 0 ≤ i < u, the secret computing device lets f_i and ε_i be the mantissa and the exponent of exp(2^{i-t}), respectively.
- the secret calculation device obtains [w][f'][ε']exp(μ) by secret calculation and outputs it.
- the multiplication by exp(μ) and the lowering of the decimal point position are performed at the same time to obtain [w][f'][ε']exp(μ).
- FIG. 2 illustrates the calculated parameters when the elementary function is an inverse function, a square root function, a square root inverse function, an exponential function, or a logarithmic function.
- e_x, e_y, and e_z indicate the decimal point positions of x, y, and z, respectively.
- e'_x, e'_y, and e'_z indicate the decimal point positions of x', y', and z' before the right shift, respectively.
- These decimal point positions represent the bit positions of the decimal point counted from the lower bits. The value representing this bit position starts from 0, and when the e1-th bit counted from the lower bits represents 1, the decimal point position is described as e1.
- the secret computing device 1 in the embodiment is, for example, a device configured by a general-purpose or dedicated computer, including a processor (hardware processor) such as a CPU (central processing unit) and a memory such as a RAM (random-access memory) and a ROM (read-only memory), executing a predetermined program.
- This computer may have one processor and memory, or may have a plurality of processors and memory.
- This program may be installed in a computer or may be recorded in a ROM or the like in advance.
- a part or all of the processing units may be configured by using an electronic circuit that realizes a processing function independently, instead of an electronic circuit (circuitry) that realizes a function configuration by reading a program like a CPU.
- the electronic circuit constituting one device may include a plurality of CPUs.
- FIG. 3 is a block diagram illustrating the hardware configuration of the secret calculation device 1 in the embodiment.
- the secret computing device 1 of this example includes a CPU (Central Processing Unit) 10a, an output unit 10b, an output unit 10c, a RAM (Random Access Memory) 10d, a ROM (Read Only Memory) 10e, an auxiliary storage device 10f, and a bus 10g.
- the CPU 10a of this example has a control unit 10aa, a calculation unit 10ab, and a register 10ac, and executes various arithmetic processes according to various programs read into the register 10ac.
- the output unit 10b is an output terminal, a display, or the like on which data is output.
- the output unit 10c is a LAN card or the like controlled by the CPU 10a that has read a predetermined program.
- the RAM 10d is a SRAM (Static Random Access Memory), a DRAM (Dynamic Random Access Memory), or the like, and has a program area 10da in which a predetermined program is stored and a data area 10db in which various data are stored.
- the auxiliary storage device 10f is, for example, a hard disk, MO (Magneto-Optical disc), a semiconductor memory, or the like, and has a program area 10fa for storing a predetermined program and a data area 10fb for storing various data.
- the bus 10g connects the CPU 10a, the output unit 10b, the output unit 10c, the RAM 10d, the ROM 10e, and the auxiliary storage device 10f so that information can be exchanged.
- the CPU 10a writes the program stored in the program area 10fa of the auxiliary storage device 10f to the program area 10da of the RAM 10d according to the read OS (Operating System) program.
- the CPU 10a writes various data stored in the data area 10fb of the auxiliary storage device 10f to the data area 10db of the RAM 10d.
- the address on the RAM 10d in which this program or data is written is stored in the register 10ac of the CPU 10a.
- the control unit 10ab of the CPU 10a sequentially reads out these addresses stored in the register 10ac, reads a program or data from the area on the RAM 10d indicated by the read address, and causes the arithmetic unit 10ab to sequentially execute the operations indicated by the program.
- the calculation result is stored in the register 10ac.
- the above program can be recorded on a computer-readable recording medium.
- a computer-readable recording medium is a non-transitory recording medium. Examples of such a recording medium are a magnetic recording device, an optical disk, a magneto-optical recording medium, a semiconductor memory, and the like.
- the distribution of this program is carried out, for example, by selling, transferring, renting, etc., a portable recording medium such as a DVD or CD-ROM on which the program is recorded.
- the program may be stored in the storage device of the server computer, and the program may be distributed by transferring the program from the server computer to another computer via a network.
- the computer that executes such a program first temporarily stores, for example, the program recorded on the portable recording medium or the program transferred from the server computer in its own storage device. Then, when the process is executed, the computer reads the program stored in its own storage device and executes the process according to the read program.
- a computer may read the program directly from a portable recording medium and execute processing according to the program, and further, each time the program is transferred from the server computer to this computer, the processing according to the received program may be executed sequentially.
- the above processing may be executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition without transferring the program from the server computer to this computer.
- the program in this embodiment includes information to be used for processing by a computer and equivalent to the program (data that is not a direct command to the computer but has a property of defining the processing of the computer, etc.).
- the present device is configured by executing a predetermined program on a computer, but at least a part of these processing contents may be realized by hardware.
- the present invention can be used, for example, for machine learning performed by secret calculation while concealing data and multiplication of real values in data mining.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Complex Calculations (AREA)
- Storage Device Security (AREA)
- Pharmaceuticals Containing Other Organic And Inorganic Compounds (AREA)
- Hardware Redundancy (AREA)
- Devices For Executing Special Programs (AREA)
Description
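In the embodiment, the secret calculation device takes as input the secret sharing value [x] of a real number x, a real number m that is a multiplier, and a positive integer σ that is the number of bits representing the right shift amount, and obtains and outputs the secret sharing value [mx]_r of the value obtained by right-shifting mx by σ bits. The secret sharing scheme of the secret sharing value is not limited; examples include the additive secret sharing scheme and the Shamir secret sharing scheme. An example of [·] is a secret sharing value (share) obtained by linear secret sharing of an element · of a residue ring. By defining a public decimal point position for an integer on the ring, the integer can be regarded as a fixed-point real number. In the embodiment, a fixed-point real number represented on the ring in this way is simply referred to as a real number.
Normally, in secret calculation, when a multiplication by a public real number m and a right shift by σ bits are applied to a secret sharing value [x], either the multiplication is performed and then the right shift, or the right shift is performed and then the multiplication. In this case, both the calculation cost of the multiplication and the calculation cost of the right shift are required. In contrast, this embodiment focuses on the fact that a right shift is equivalent to a division: it first calculates the public value 2^σ/m, and then performs the secret calculation [x]/(2^σ/m) of public value division using the secret sharing value [x] and the obtained public value 2^σ/m. The value obtained by this secret calculation is equivalent to the secret sharing value [mx]_r of the value obtained by right-shifting the multiplication result mx by σ bits. However, the multiplication and the right shift are realized at the same time by a secret calculation of public value division, whose calculation cost is low. As a result, the computation cost can be greatly reduced. Those skilled in the art of secret calculation regard division as a process with a higher computation cost than multiplication, and would not arrive at the idea of deliberately using division for a multiplication. Nevertheless, in this embodiment, by focusing on the fact that a right shift is equivalent to a division, calculating the public value 2^σ/m, and performing the secret calculation [x]/(2^σ/m) of public value division, an unpredictable and remarkable effect is obtained: the calculation cost is lower than when the multiplication and the right shift are performed separately. Overflow is a problem based on the performance of the processor that implements the secret calculation, and this scheme provides a technique for solving a problem based on this hardware constraint. Thus, this scheme does not solve a problem of pure mathematics; it solves a hardware implementation problem and has technical features. The value of σ representing the right shift amount is determined according to the number of bits that the processor can handle. That is, the public value 2^σ/m is a value determined by hardware requirements.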
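The following Python sketch is an added illustration of the idea above (it is not code from the patent): one division of the shares by the public value 2^σ/m yields shares of approximately mx shifted right by σ bits. Assumptions, none of which come from the page: two-party additive sharing modulo P = 2^61 - 1, a public divisor rounded to an integer, hypothetical function names, and a trusted dealer that hands out shares of the wrap-around quotient q in place of a secure sub-protocol.

```python
import secrets

P = 2**61 - 1  # assumed ring modulus; the page does not fix one


def share(x):
    """Split x (0 <= x < P) into two additive shares modulo P."""
    s0 = secrets.randbelow(P)
    return [s0, (x - s0) % P]


def reconstruct(shares):
    """Open a sharing by adding the shares modulo P."""
    return sum(shares) % P


def dealer_quotient_shares(x_shares):
    """Shares of q, where x0 + x1 = x + q*P as integers (q is 0 or 1).

    Assumption for this demo: a trusted dealer computes q. A deployment
    would obtain [q] with a secure protocol so that q is never opened.
    """
    q = sum(x_shares) // P
    return share(q)


def public_divide(x_shares, d):
    """Shares of about x / d for a public positive integer d.

    Each party floor-divides its own share by d and subtracts its part of
    the wrap-around term q * (P // d); no share is ever opened. The opened
    result is within 1 of floor(x / d), so x / d should be well above 1.
    """
    q_shares = dealer_quotient_shares(x_shares)
    wrap = P // d
    return [(xi // d - qi * wrap) % P for xi, qi in zip(x_shares, q_shares)]


def mul_shift(x_shares, m, sigma):
    """Shares of about (m * x) >> sigma using one public-value division."""
    d = round(2**sigma / m)  # public value 2^sigma / m, rounded (assumption)
    if d < 1:
        raise ValueError("m must not exceed 2**sigma")
    return public_divide(x_shares, d)


def naive_mul_then_shift(x, m, sigma):
    """Cleartext model of multiplying inside the ring first, then shifting.

    If m * x does not fit below P the product wraps and the shift returns
    a meaningless value; this is the overflow the right shift must prevent.
    """
    return ((x * m) % P) >> sigma


def demo():
    """Return (opened result, exact (m*x) >> sigma) for constructed inputs."""
    x, m, sigma = 123_456_789, 3, 20  # constructed sample values
    got = reconstruct(mul_shift(share(x), m, sigma))
    return got, (m * x) >> sigma


if __name__ == "__main__":
    got, want = demo()
    print("shared result:", got, "exact:", want)
    # m * x = 2**65 exceeds P, so multiply-then-shift wraps around,
    # while the single public division stays inside the ring.
    print("naive in-ring:", naive_mul_then_shift(2**40, 2**25, 30))
    print("via division :", reconstruct(mul_shift(share(2**40), 2**25, 30)))
```

Rounding the divisor to an integer costs a relative error of up to 1/(2d), so a fixed-point representation of 2^σ/m with fractional bits is needed when the divisor is small.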
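An algorithm that can implement the scheme described above is illustrated below.
<Example 1>
In Example 1, one of the two public values m0, m1 is multiplied by the secret sharing value [x] of the real number x according to the condition c ∈ {0, 1}. If the public values m0, m1 are large, the effective number of bits of the value after multiplication (the number of bits required to express that number in binary) increases, and the value can no longer be multiplied further, so a right shift may be required. Example 1 makes such processing more efficient.
Output: [m0x] if c=0, [m1x] if c=1
A specific example of the processing in step S21 is described. Here, d0 = 1/m0 and d1 = 1/m1 are divisors, p is a modulus that is a positive integer, and q is a quotient that is a positive integer.
In the secret calculation device, the public value calculation unit 212a obtains and outputs the public values 2^σ0/m0 and 2^σ1/m1 using the multipliers m0, m1 and the positive integers σ0, σ1. Here, σ0 and σ1 are positive integers, each being the number of bits representing the right shift amount required when the multiplier m0 or m1, respectively, is large (step S212a).
In Example 2, an arbitrary function (for example, an elementary function) is approximated by a polynomial function f_t(x). The secret sharing value [f_t(x)-f'_t(x)] of the difference f_t(x)-f'_t(x) between the function f_t(x) before the right shift and the approximation function f'_u(x) of that function f_t(x) is calculated; the secret sharing value [f_t(x)-f'_t(x)]_r of (f_t(x)-f'_t(x))_r, obtained by right-shifting f_t(x)-f'_t(x), is obtained; and, by secret calculation on the secret sharing value [f_t(x)-f'_t(x)]_r and the secret sharing value [f'_t(x)], the secret sharing value [f_t(x)] of the function f_t(x), obtained by adding f'_t(x) to f_t(x)-f'_t(x), is obtained. Here, x is a real number, [·] is the secret sharing value of ·, n is an integer of 1 or more (for example, n is an integer of 2 or more), t = 0, …, n-1, u = 1, …, n-1, f_t(x) is a function of the real number x, f'_t(x) is an approximation function of the function f_t(x), the secret sharing value [f'_0(x)] of the approximation function f'_0(x) is [f'_0(x)] = c_{0,0} + c_{0,1}[x], the secret sharing value [f'_u(x)] of the approximation function f'_u(x) is [f'_u(x)] = c_{u,0} + c_{u,1}[x] + c_{u,2}[f_0(x)] + … + [f_{u-1}(x)], c_{t,0} is a public value, and c_{t,1}, …, c_{t,n+1} are coefficients. Here, c_{t,1}, …, c_{t,n+1} are values with a small effective number of bits, such that multiplying by c_{t,1}, …, c_{t,n+1} does not cause an overflow that would require a shift. f_t(x)-f'_t(x) is positive. The secret sharing scheme is not limited; examples include the additive secret sharing scheme and the Shamir secret sharing scheme. Since the magnitude of f_t(x)-f'_t(x) is smaller than the magnitude of f_t(x), overflow of the secret sharing value [f_t(x)-f'_t(x)] can be suppressed. In addition, since the secret sharing value [f_t(x)-f'_t(x)] of the difference f_t(x)-f'_t(x) between the function f_t(x) before the right shift and the approximation function f'_u(x) of that function f_t(x) is calculated, high accuracy can be maintained. Overflow is a problem based on the performance of the processor that implements the secret calculation, and this scheme provides a technique for solving a problem based on this hardware constraint. Thus, this scheme does not solve a problem of pure mathematics; it solves a hardware implementation problem and has technical features. For example, the technical features are notable in a processor that overflows when calculating the secret sharing value [f_t(x)] but does not overflow when calculating the secret sharing value [f_t(x)-f'_t(x)].
Preset parameters: a, b, c, d, f, g, H, i, j, k, s, m, n, o, p, q, α, β, γ, δ, ζ
Output: the secret sharing value [f_{n-1}(x)] corresponding to the target function (for example, an elementary function) f_{n-1}(x)
2: The secret calculation device obtains [y] = [y' + (ix + j)] by secret calculation using the secret sharing value [y']_r.
3: The secret calculation device obtains [z'] = [y(ζy + b - k) + (c - s)x - m] by secret sum-of-products calculation, and obtains the secret sharing value [z']_r of z'_r, whose decimal point position has been lowered by a right shift.
4: The secret calculation device obtains [z] = [z' + (ky + sx + m)] by secret calculation using the secret sharing value [z']_r.
5: The secret calculation device obtains [w'/γ] = [z(αz + d - n/γ) + (βx + f - o/γ)y + (g - p)x + (H - q)/γ] by secret sum-of-products calculation, performs the processing of steps S10 to S13 with [x] = [w'/γ] and m = γ, and obtains [w'] by performing the multiplication by γ and the lowering of the decimal point position at the same time.
6: The secret calculation device obtains and outputs [w] = [w' + (nz + oy + px + q)] by secret calculation.
In Example 3, the secret sharing value of the exponential function value exp(x) of the secret sharing value [x] of the real number x is obtained. Because the exponential function is additive in its input, the input is decomposed into the following three parts.
I. The assumed minimum value μ of the input
II. The upper u bits x_0, …, x_{u-1} of x-μ at or above the t-th bit after the decimal point
III. The number x_ρ represented by all bits of x-μ lower than x_0
Let exp x = exp μ exp 2^{-t}x_0, …, exp 2^{u-t-1}x_{u-1} exp x_ρ. exp μ is a public value, and exp 2^{-t}x_0, …, exp 2^{u-t-1}x_{u-1} are the parts calculated by a table. exp x_ρ is the part calculated by approximation and is normalized to [0, 2^{-t}).
Input: [x]
Output: [exp(x)]
Preset parameters: t = -1
1: The secret calculation device obtains [x'] = [x] - μ by secret calculation, where μ is the assumed minimum value of x.
2: By secret calculation, the secret calculation device extracts by bit decomposition the bits above t bits after the decimal point, applies mod p conversion, and obtains [x'_0], …, [x'_{u-1}].
3: By secret calculation, for each 0 ≤ i < u, the secret calculation device lets f_i and ε_i be the mantissa and the exponent of exp(2^{i-t}), respectively.
4: For i = 0, …, u-1, with F_i = 1 if x'_i = 0 and F_i = f_i if x'_i = 1, the secret calculation device obtains by secret calculation
5: By secret calculation, for each 0 ≤ i < u, the secret calculation device calculates [ε'_i] := if [x'_i] then 2^{ε_i} else 1 using an if-then-else gate with public options.
6: By secret calculation, the secret calculation device obtains the product [ε'] of [ε'_i] over all i (ε' = ε'_0 … ε'_{u-1}). This is the power-of-two value of the exponent part of the upper-bit portion of exp(x').
7: By secret calculation, the secret calculation device obtains
This is the number represented by the lower-bit portion of exp(x').
8: The secret calculation device obtains [w] from [x'_ρ] by secret calculation, where w is a polynomial approximating the exponential function exp x_ρ of x'_ρ. The secret calculation device obtains [w] using, for example, the method of Example 2 with x = x'_ρ.
9: The secret calculation device obtains and outputs [w][f'][ε']exp(μ) by secret calculation. For the multiplication by exp(μ), the processing of steps S10 to S13 is performed with [x] = [w][f'][ε'] and m = exp(μ), so that the multiplication by exp(μ) and the lowering of the decimal point position are performed at the same time to obtain [w][f'][ε']exp(μ).
FIG. 2 illustrates the calculated parameters when the elementary function is a reciprocal function, a square root function, a reciprocal square root function, an exponential function, or a logarithmic function. Here, e_x, e_y, and e_z indicate the decimal point positions of x, y, and z, respectively. In addition, e'_x, e'_y, and e'_z indicate the decimal point positions of x', y', and z' before the right shift, respectively. These decimal point positions represent the bit position of the decimal point counted from the lower bits. The value representing this bit position starts from 0, and when the e1-th bit counted from the lower bits represents 1, the decimal point position is written as e1.
The secret calculation device 1 in the embodiment is, for example, a device configured by a general-purpose or dedicated computer, including a processor (hardware processor) such as a CPU (central processing unit) and memory such as RAM (random-access memory) and ROM (read-only memory), executing a predetermined program. This computer may have one processor and one memory, or may have a plurality of processors and memories. This program may be installed on the computer or may be recorded in a ROM or the like in advance. In addition, some or all of the processing units may be configured using an electronic circuit that realizes the processing functions on its own, rather than an electronic circuit (circuitry) that, like a CPU, realizes a functional configuration by reading a program. An electronic circuit constituting one device may also include a plurality of CPUs.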
Claims (3)
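- A secret calculation device in which x is a real number, [·] is the secret sharing value of ·, σ is a positive integer that is the number of bits representing a right shift amount, and m is a real number, the device comprising:
a public value calculation unit that obtains a public value 2^σ/m; and
a secret calculation unit that performs a secret calculation [x]/(2^σ/m) of public value division using the secret sharing value [x] and the public value 2^σ/m obtained by the public value calculation unit, and obtains and outputs the secret sharing value [mx]_r of the value obtained by right-shifting mx by σ bits.
- A secret calculation method in which x is a real number, [·] is the secret sharing value of ·, σ is a positive integer that is the number of bits representing a right shift amount, and m is a real number, the method comprising:
a public value calculation step in which a public value calculation unit obtains a public value 2^σ/m; and
a secret calculation step in which a secret calculation unit performs a secret calculation [x]/(2^σ/m) of public value division using the secret sharing value [x] and the public value 2^σ/m obtained by the public value calculation unit, and obtains and outputs the secret sharing value [mx]_r of the value obtained by right-shifting mx by σ bits.
- A program that causes a computer to function as the secret calculation device of claim 1.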
Priority Applications (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP20915629.8A EP4095830A4 (en) | 2020-01-20 | 2020-01-20 | SECURE COMPUTING DEVICE, SECURE CALCULATION METHOD AND PROGRAM |
AU2020423806A AU2020423806B2 (en) | 2020-01-20 | 2020-01-20 | Secure computation apparatus, secure computation method, and program |
US17/792,148 US20230102267A1 (en) | 2020-01-20 | 2020-01-20 | Secure computation apparatus, secure computation method, and program |
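JP2021572128A JP7290178B2 (ja) | 2020-01-20 | 2020-01-20 | Secure computation apparatus, secure computation method, and program |
CN202080093276.2A CN114981860A (zh) | 2020-01-20 | 2020-01-20 | Secure computation apparatus, secure computation method, and program |
PCT/JP2020/001683 WO2021149106A1 (ja) | 2020-01-20 | 2020-01-20 | Secure computation apparatus, secure computation method, and program |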
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2020/001683 WO2021149106A1 (ja) | 2020-01-20 | 2020-01-20 | Secure computation apparatus, secure computation method, and program |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2021149106A1 (ja) | 2021-07-29 |
Family
ID=76992097
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2020/001683 WO2021149106A1 (ja) | Secure computation apparatus, secure computation method, and program | 2020-01-20 | 2020-01-20 |
Country Status (6)
Country | Link |
---|---|
US (1) | US20230102267A1 (ja) |
EP (1) | EP4095830A4 (ja) |
JP (1) | JP7290178B2 (ja) |
CN (1) | CN114981860A (ja) |
AU (1) | AU2020423806B2 (ja) |
WO (1) | WO2021149106A1 (ja) |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2014164144A (ja) * | 2013-02-26 | 2014-09-08 | Nippon Telegr & Teleph Corp <Ntt> | Secret table division apparatus and method |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20050088506A (ko) * | 2004-03-02 | 2005-09-07 | 삼성전자주식회사 | Scalable Montgomery modular multiplier supporting multiple precision |
-
2020
- 2020-01-20 JP JP2021572128A patent/JP7290178B2/ja active Active
- 2020-01-20 WO PCT/JP2020/001683 patent/WO2021149106A1/ja unknown
- 2020-01-20 EP EP20915629.8A patent/EP4095830A4/en active Pending
- 2020-01-20 US US17/792,148 patent/US20230102267A1/en active Pending
- 2020-01-20 AU AU2020423806A patent/AU2020423806B2/en active Active
- 2020-01-20 CN CN202080093276.2A patent/CN114981860A/zh active Pending
Non-Patent Citations (4)
Title |
---|
IGARASHI, DAI: "Secure Real Number Operations for Secure AI - O(|p|)-Bit Communication and O(1)-Round Right Shift Protocol", PROCEEDINGS OF COMPUTER SECURITY SYMPOSIUM 2019, 14 October 2019 (2019-10-14), Japan, pages 1557 - 1564, XP009530110, ISSN: 1882-0840 * |
KANAOKA AKIRA, MIYANISHI YOHTARO, HAN XIAOGONG, KITAGAMI SHINJI, SATO FUMIAKI, URANO YOSHIYORI, SHIRATORI NORIO: "A Study of Lightweight Secure Multi-party Computation enabling Real Number Arithmetic", PROCEEDINGS OF THE 2014 COMPUTER SECURITY SYMPOSIUM, 15 October 2014 (2014-10-15), pages 682 - 687, XP055842838 * |
MEHRDAD ALIASGARI ; MARINA BLANTON ; YIHUA ZHANG ; AARON STEELE: "Secure Computation on Floating Point Numbers", IACR, INTERNATIONAL ASSOCIATION FOR CRYPTOLOGIC RESEARCH, vol. 20121210:185402, 10 December 2012 (2012-12-10), pages 1 - 31, XP061007014 * |
See also references of EP4095830A4 * |
Also Published As
Publication number | Publication date |
---|---|
JPWO2021149106A1 (ja) | 2021-07-29 |
EP4095830A1 (en) | 2022-11-30 |
AU2020423806A1 (en) | 2022-07-14 |
AU2020423806B2 (en) | 2023-06-08 |
US20230102267A1 (en) | 2023-03-30 |
JP7290178B2 (ja) | 2023-06-13 |
CN114981860A (zh) | 2022-08-30 |
EP4095830A4 (en) | 2023-10-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
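WO2021149106A1 (ja) | Secure computation apparatus, secure computation method, and program | |
US11625225B2 (en) | Applications of and techniques for quickly computing a modulo operation by a Mersenne or a Fermat number | |
WO2021149104A1 (ja) | Secure computation apparatus, secure computation method, and program | |
JP6919539B2 (ja) | Arithmetic processing device and control method for arithmetic processing device | |
WO2021149105A1 (ja) | Secure computation apparatus, secure computation method, and program | |
WO2021149103A1 (ja) | Secure computation apparatus, secure computation method, and program | |
JP7205623B2 (ja) | Secret conjugate gradient method calculation system, secret calculation device, conjugate gradient method calculation device, secret conjugate gradient method calculation method, conjugate gradient method calculation method, and program | |
JP7331951B2 (ja) | Secret square root calculation system, secret normalization system, methods thereof, secret calculation device, and program | |
JP7331953B2 (ja) | Secret reciprocal calculation system, secret normalization system, methods thereof, secret calculation device, and program | |
JP7331952B2 (ja) | Secret reciprocal square root calculation system, secret normalization system, methods thereof, secret calculation device, and program | |
JP7351353B2 (ja) | Secret exponential function calculation system, secret exponential function calculation method, secret calculation device, and program | |
JP7511525B2 (ja) | Inner product calculation device, inner product calculation method, and inner product calculation program | |
JP7173328B2 (ja) | Secret division system, secret calculation device, secret division method, and program | |
WO2021149101A1 (ja) | Secret selective product calculation system, secret selective product calculation method, secret calculation device, and program | |
JP2022180257A (ja) | Inner product calculation device, inner product calculation method, and inner product calculation program |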
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 20915629 Country of ref document: EP Kind code of ref document: A1 |
|
ENP | Entry into the national phase |
Ref document number: 2021572128 Country of ref document: JP Kind code of ref document: A |
|
ENP | Entry into the national phase |
Ref document number: 2020423806 Country of ref document: AU Date of ref document: 20200120 Kind code of ref document: A |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
ENP | Entry into the national phase |
Ref document number: 2020915629 Country of ref document: EP Effective date: 20220822 |