WO2022185391A1 - Random number generation system, random number generation device, random number generation method, and program - Google Patents


Info

Publication number
WO2022185391A1
Authority
WO
WIPO (PCT)
Prior art keywords
random number
ciphertext
terminal
bootstrap
algorithm
Application number
PCT/JP2021/007775
Inventor
真昇 紀伊
Original Assignee
日本電信電話株式会社
Application filed by 日本電信電話株式会社
Priority to PCT/JP2021/007775
Publication of WO2022185391A1

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00: Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/58: Random or pseudo-random number generators
    • G: PHYSICS
    • G09: EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
    • G09C: CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
    • G09C1/00: Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system

Definitions

  • The present invention relates to a random number generation system, a random number generation device, a random number generation method, and a program.
  • The techniques described in Non-Patent Documents 1 to 6 are known as techniques for generating encrypted random numbers that follow a Bernoulli distribution.
  • Each of the techniques described in Non-Patent Documents 1 to 6 above has one of the following problems: random numbers can be generated safely but the amount of communication is large; the amount of communication is small but the generated random numbers are not secure; or only random numbers following the Bernoulli distribution Ber(1/2) can be generated safely.
  • An embodiment of the present invention has been made in view of the above points, and aims to safely generate random numbers following the Bernoulli distribution Ber(p) with a small amount of communication for various p.
  • A random number generation system includes a first terminal that generates a ciphertext of a random number following a Bernoulli distribution, and a second terminal that is communicably connected to the first terminal. The second terminal has a key generation unit that uses a parameter shared with the first terminal to generate a bootstrap key used in the bootstrap of the TFHE scheme, and
  • a transmitter that transmits the bootstrap key to the first terminal. The first terminal has a cipher generation unit that uses the shared parameter to randomly generate a ciphertext, and
  • a random number generation unit that generates the ciphertext of the random number by executing an algorithm based on the TFHE bootstrap on the ciphertext using the bootstrap key and the shared parameter.
  • The algorithm changes the input of the BlindRotate algorithm included in the bootstrap of the TFHE scheme to a predetermined polynomial, and uses the output of the SampleExtract algorithm as the ciphertext of the random number.
  • FIG. 2 is a diagram showing a functional configuration example of the first participant terminal in one embodiment.
  • FIG. 3 is a diagram showing a functional configuration example of the second participant terminal in one embodiment.
  • FIG. 4 is a sequence diagram for explaining random number generation processing in one embodiment.
  • FIG. 5 is a diagram showing a hardware configuration example of the computer in one embodiment.
  • Homomorphic encryption is encryption that allows computation to be performed on encrypted data, and is described, for example, in Reference 1 below.
  • The function f that can be evaluated in homomorphic encryption is restricted differently by each specific scheme.
  • A homomorphic encryption scheme that has no such restrictions and can perform "evaluation of the function f" for any computable function f(x_1, x_2) is called a fully homomorphic encryption scheme.
  • The TFHE scheme, which is one of the fully homomorphic encryption schemes described in References 2 to 4 below, is used.
  • Reference 2 Ilaria Chillotti et al. "Faster Fully Homomorphic Encryption: Bootstrapping in Less Than 0.1 Seconds". In: Advances in Cryptology - ASIACRYPT 2016. Ed. by Jung Hee Cheon and Tsuyoshi Takagi. Lecture Notes in Computer Science. Berlin, Heidelberg: Springer, 2016, pp. 3-33. isbn: 978-3-662-53887-6. doi: 10.1007/978-3-662-53887-6_1.
  • Reference 3 Ilaria Chillotti et al. "Faster Packed Homomorphic Operations and Efficient Circuit Bootstrapping for TFHE". In: Advances in Cryptology - ASIACRYPT 2017. Ed.
  • n and N are parameters of the TFHE scheme, and N is a sufficiently large power of 2.
  • The torus is the Z-module obtained as the quotient of the real number field R by the ring of integers Z, and is denoted T.
  • A real number in the interval (-1/2, 1/2] is taken as the representative of an element of the torus T.
  • TLWE-type ciphertext: Of the three ciphertext formats used in the TFHE scheme, the TLWE type is the central one.
  • The key of a TLWE-type ciphertext is a sequence of n values, each 0 or 1: (s_1, ..., s_n).
  • A TLWE-type ciphertext corresponding to a plaintext m is created as follows. First, n elements a_1, ..., a_n of the torus are chosen at random. A torus element e whose representative is a very small real number (this e is called the noise) is also chosen. At this time,
  • a TLWE-type ciphertext (a_1, ..., a_n, b) corresponding to the plaintext m is obtained.
  • A TRLWE-type ciphertext is used as an intermediate representation when performing various processes.
  • T_N[X] is a module over Z[X]/(X^N+1).
  • A TGSW-type ciphertext takes an element of Z[X]/(X^N+1) as its plaintext.
  • TGSW-type ciphertexts of 0 or 1 are used particularly often.
  • In the TFHE scheme, the product of a TLWE-type ciphertext and a TGSW-type ciphertext can be computed. For example, the product of a TLWE-type ciphertext of 1/2 and a TGSW-type ciphertext of 0 is a TLWE-type ciphertext of 0.
  • Bootstrapping: In some fully homomorphic encryption schemes, including the TFHE scheme, a process called bootstrapping must be performed for each operation (evaluation). A bootstrap key is used for this process. The bootstrap key is the TLWE-type ciphertext key turned into TGSW-type ciphertext. Note that knowing the bootstrap key does not reveal the TLWE-type ciphertext key.
  • SampleExtract: Let the plaintext corresponding to a TRLWE-type ciphertext c be the element m_0 + m_1 X + ... + m_{N-1} X^{N-1} of T_N[X]. Each coefficient m_0, m_1, ..., m_{N-1} is an element of the torus T. Applying SampleExtract to the TRLWE-type ciphertext c then yields a TLWE-type ciphertext corresponding to the constant term m_0.
  • The SampleExtract algorithm is executed on the TRLWE-type ciphertext c_R, and the TLWE-type ciphertext (0, ..., 0, 1/4) is added to the resulting TLWE-type ciphertext. If the initial TLWE-type ciphertext c corresponds to an element of the interval (-1/4, 1/4], the final result is a ciphertext of 1/2; otherwise a ciphertext of 0 is obtained.
  • The random number generation system 1 executes random number generation processing between two participant groups, and one participant group obtains a random number that is encrypted with the other participant group's key and follows a Bernoulli distribution. In this embodiment, the two participant groups are called A and B, and the case is described in which participant group A obtains a random number that is encrypted with the key of participant group B and follows a Bernoulli distribution.
  • Although the term "participant group" is used, the number of participants belonging to each participant group only needs to be one or more and does not have to be plural.
  • FIG. 1 is a diagram showing an example of the overall configuration of a random number generation system 1 in one embodiment.
  • The random number generation system 1 in this embodiment includes one or more first participant terminals 10 used by the participants belonging to participant group A, and one or more second participant terminals 20 used by the participants belonging to participant group B.
  • The first participant terminal 10 and the second participant terminal 20 are communicably connected via a communication network such as the Internet.
  • FIGS. 2 and 3 are diagrams showing functional configuration examples of the first participant terminal 10 and the second participant terminal 20, respectively, in one embodiment.
  • The first participant terminal 10 in this embodiment has a preparation unit 101, a random number generation unit 102, and a storage unit 103.
  • The preparation unit 101 executes various preparation-related processes such as sharing parameters with the second participant terminal 20 and generating the polynomial to be given to the BlindRotate algorithm.
  • The random number generation unit 102 generates encrypted random numbers that follow the Bernoulli distribution using an algorithm partially modified from the bootstrap algorithm.
  • The storage unit 103 stores parameters shared with the second participant terminal 20, random numbers generated by the random number generation unit 102, and the like.
  • The second participant terminal 20 in this embodiment has a preparation unit 201 and a storage unit 202.
  • The preparation unit 201 executes various preparation-related processes such as sharing parameters with the first participant terminal 10 and generating a bootstrap key.
  • The storage unit 202 stores parameters shared with the first participant terminal 10, bootstrap keys generated by the preparation unit 201, and the like.
  • FIG. 4 is a sequence diagram for explaining random number generation processing in one embodiment.
  • N is a parameter of the TFHE scheme mentioned in the above preparation. It is assumed that the participants belonging to the participant group A know this probability p.
  • The preparation unit 101 of each first participant terminal 10 and the preparation unit 201 of each second participant terminal 20 share the parameters of the TFHE scheme (for example, n, N, etc.) (step S101).
  • This parameter sharing may be done in any way.
  • The preparation unit 101 of each first participant terminal 10 uses a polynomial
  • The preparation unit 201 of each second participant terminal 20 generates a secret key (TLWE-type ciphertext key) and a bootstrap key (step S103).
  • The bootstrap key is the secret key (TLWE-type ciphertext key) turned into TGSW-type ciphertext.
  • Each second participant terminal 20 transmits the bootstrap key generated in step S103 above to the first participant terminal 10 (step S104).
  • The preparation unit 201 of each second participant terminal 20 sends the bootstrap key to the first participant terminals 10 of one or more participants.
  • Each second participant terminal 20 may transmit the bootstrap key in any way. For example, as long as each first participant terminal 10 can receive one or more bootstrap keys, some of the second participant terminals 20 may not transmit a bootstrap key.
  • The preparation unit 101 of each first participant terminal 10 that has received the bootstrap key selects one bootstrap key (step S105). That is, the preparation unit 101 of each first participant terminal 10 selects one bootstrap key from the one or more bootstrap keys received from the second participant terminals 20.
  • Steps S101 to S105 are preparatory processes that need to be executed before the following steps S106 to S107. Note that the amount of communication required for this preparatory processing does not depend on how many random numbers are generated.
  • The random number generation unit 102 of each first participant terminal 10 generates the real numbers a 1 , . , a partially modified TFHE bootstrap algorithm is executed (step S107). That is, the random number generation unit 102 of each first participant terminal 10, in the TFHE bootstrap algorithm, gives the polynomial v to the BlindRotate algorithm as follows:
  • The TLWE-type ciphertext obtained by executing the SampleExtract algorithm is output as is (that is, it is output without adding the TLWE-type ciphertext (0, ..., 0, 1/4)).
  • FIG. 5 is a diagram showing a hardware configuration example of the computer 300 in one embodiment.
  • A computer 300 shown in FIG. Each of these pieces of hardware is communicably connected via a bus 307.
  • The input device 301 is, for example, a keyboard, mouse, touch panel, or the like.
  • The display device 302 is, for example, a display. Note that the computer 300 may lack at least one of the input device 301 and the display device 302.
  • The external I/F 303 is an interface with an external device such as a recording medium 303a.
  • The computer 300 can read from and write to the recording medium 303a via the external I/F 303.
  • Examples of the recording medium 303a include CD (Compact Disc), DVD (Digital Versatile Disk), SD memory card (Secure Digital memory card), USB (Universal Serial Bus) memory card, and the like.
  • The communication I/F 304 is an interface for connecting the computer 300 to a communication network.
  • The processor 305 is, for example, any of various arithmetic devices such as a CPU (Central Processing Unit).
  • The preparation unit 101 and the random number generation unit 102 included in the first participant terminal 10 are realized, for example, by processing that one or more programs installed in the first participant terminal 10 cause the processor 305 to execute.
  • The preparation unit 201 of the second participant terminal 20 is realized, for example, by processing that one or more programs installed in the second participant terminal 20 cause the processor 305 to execute.
  • The memory device 306 is, for example, any of various storage devices such as HDD (Hard Disk Drive), SSD (Solid State Drive), RAM (Random Access Memory), ROM (Read Only Memory), and flash memory. Note that the storage unit 103 of the first participant terminal 10 and the storage unit 202 of the second participant terminal 20 are realized by the memory device 306, for example.
  • The first participant terminal 10 and the second participant terminal 20 in this embodiment have the hardware configuration of the computer 300 shown in FIG. 5, thereby realizing the random number generation process described above.
  • The hardware configuration of the computer 300 shown in FIG. 5 is an example, and other hardware configurations may be used.
  • The computer 300 may have multiple processors 305 and may have multiple memory devices 306.
  • The random number generation system 1 applies the TFHE scheme to a randomly generated ciphertext (that is, a set of n+1 random numbers is regarded as a ciphertext of a random number).
  • Reference signs: 1 random number generation system; 10 first participant terminal; 20 second participant terminal; 101 preparation unit; 102 random number generation unit; 103 storage unit; 201 preparation unit; 202 storage unit; 301 input device; 302 display device; 303 external I/F; 303a recording medium; 304 communication I/F; 305 processor; 306 memory device; 307 bus

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computational Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Pure & Applied Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

A random number generation system according to an embodiment includes a first terminal for generating random number ciphertext following the Bernoulli distribution and a second terminal connected to the first terminal so as to be communicable therewith. The second terminal comprises a key generation unit that generates a bootstrap key to be used in TFHE bootstrap using a shared parameter with the first terminal, and a transmission unit that transmits the bootstrap key to the first terminal. The first terminal comprises a cipher generation unit that randomly generates ciphertext using the shared parameter, and a random number generation unit that, by executing an algorithm based on the TFHE bootstrap on the ciphertext using the bootstrap key and the shared parameter, generates the random number ciphertext. The algorithm changes the input of a BlindRotate algorithm included in the TFHE bootstrap into a predetermined polynomial, and makes the output of a SampleExtract algorithm the random number ciphertext.

Description

Random number generation system, random number generation device, random number generation method, and program
The present invention relates to a random number generation system, a random number generation device, a random number generation method, and a program.
In recent years, there has been growing demand to make use of confidential information such as personal information and sales information. Attention is therefore increasing on secure computation technology, which lets participants apply processing such as statistical processing to confidential information without leaking their own confidential information to others. Secure computation technology is realized by techniques such as secret sharing and homomorphic encryption.
It is known that if the results processed by secure computation technology are disclosed to the participants as they are, part of each participant's confidential information may leak from the output. Methods that add noise to the result of secure computation to achieve differential privacy are therefore being researched. Implementing such a method requires generating secure random numbers, that is, random numbers about which no participant knows anything beyond the predetermined distribution. In particular, safely generating discrete random numbers reduces to safely generating random numbers that follow a Bernoulli distribution Ber(p) for various p.
The techniques described in Non-Patent Documents 1 to 6 are known as techniques for generating encrypted random numbers that follow a Bernoulli distribution.
However, each of the techniques described in Non-Patent Documents 1 to 6 above has one of the following problems: random numbers can be generated safely but the amount of communication is large; the amount of communication is small but the generated random numbers are not secure; or only random numbers following the Bernoulli distribution Ber(1/2) can be generated safely. In other words, there are only three kinds of conventional technology: ones that require a large amount of communication, ones whose security is impaired, and ones with severe restrictions.
An embodiment of the present invention has been made in view of the above points, and aims to safely generate random numbers following the Bernoulli distribution Ber(p) with a small amount of communication for various p.
To achieve the above object, a random number generation system according to one embodiment includes a first terminal that generates a ciphertext of a random number following a Bernoulli distribution, and a second terminal that is communicably connected to the first terminal. The second terminal has a key generation unit that uses a parameter shared with the first terminal to generate a bootstrap key used in the bootstrap of the TFHE scheme, and a transmitter that transmits the bootstrap key to the first terminal. The first terminal has a cipher generation unit that uses the shared parameter to randomly generate a ciphertext, and a random number generation unit that generates the ciphertext of the random number by executing an algorithm based on the TFHE bootstrap on the ciphertext using the bootstrap key and the shared parameter. The algorithm changes the input of the BlindRotate algorithm included in the bootstrap of the TFHE scheme to a predetermined polynomial, and uses the output of the SampleExtract algorithm as the ciphertext of the random number.
For various p, it is possible to safely generate random numbers following the Bernoulli distribution Ber(p) with a small amount of communication.
FIG. 1 is a diagram showing an example of the overall configuration of the random number generation system in one embodiment.
FIG. 2 is a diagram showing a functional configuration example of the first participant terminal in one embodiment.
FIG. 3 is a diagram showing a functional configuration example of the second participant terminal in one embodiment.
FIG. 4 is a sequence diagram for explaining random number generation processing in one embodiment.
FIG. 5 is a diagram showing a hardware configuration example of the computer in one embodiment.
An embodiment of the present invention is described below. This embodiment describes a random number generation system 1 that, based on the TFHE scheme, which is one of the fully homomorphic encryption schemes, can safely generate random numbers following the Bernoulli distribution Ber(p) for various p with a small amount of communication.
[Preparation]
The techniques on which this embodiment is premised are set out below.
<Fully homomorphic encryption>
Homomorphic encryption is encryption that allows computation to be performed on encrypted data, and is described, for example, in Reference 1 below.
Reference 1: Takuya Hayashi. "Secure computation using homomorphic encryption and its applications". In: System/Control/Information 63.2 (2019), pp. 64-70. doi: 10.11509/isciesci.63.2_64.
In homomorphic encryption, an operation called "function evaluation" can be performed on ciphertexts. For example, let Enc_k(a_1) and Enc_k(a_2) be the encryptions of data a_1 and a_2 under a key k. Further, choose a two-variable function f(x_1, x_2). Performing "evaluation of the function f" on the ciphertexts Enc_k(a_1) and Enc_k(a_2) then yields the ciphertext Enc_k(f(a_1, a_2)) of the result, without ever decrypting a ciphertext.
In general, the function f that can be evaluated in homomorphic encryption is restricted differently by each specific scheme. For example, there are homomorphic encryption schemes in which only sums can be used as the function f. A homomorphic encryption scheme that has no such restrictions and can perform "evaluation of the function f" for any computable function f(x_1, x_2) is called a fully homomorphic encryption scheme.
<TFHE scheme>
In this embodiment, the TFHE scheme, which is one of the fully homomorphic encryption schemes described in References 2 to 4 below, is used.
Reference 2: Ilaria Chillotti et al. "Faster Fully Homomorphic Encryption: Bootstrapping in Less Than 0.1 Seconds". In: Advances in Cryptology - ASIACRYPT 2016. Ed. by Jung Hee Cheon and Tsuyoshi Takagi. Lecture Notes in Computer Science. Berlin, Heidelberg: Springer, 2016, pp. 3-33. isbn: 978-3-662-53887-6. doi: 10.1007/978-3-662-53887-6_1.
Reference 3: Ilaria Chillotti et al. "Faster Packed Homomorphic Operations and Efficient Circuit Bootstrapping for TFHE". In: Advances in Cryptology - ASIACRYPT 2017. Ed. by Tsuyoshi Takagi and Thomas Peyrin. Lecture Notes in Computer Science. Cham: Springer International Publishing, 2017, pp. 377-408. isbn: 978-3-319-70694-8. doi: 10.1007/978-3-319-70694-8_14.
Reference 4: Ilaria Chillotti et al. TFHE: Fast Fully Homomorphic Encryption over the Torus. 421. Apr. 2, 2019. url: http://eprint.iacr.org/2018/421 (visited on 11/26/2020).
The TFHE scheme has three characteristics: it uses a torus, it has three ciphertext formats (TLWE-type, TRLWE-type, and TGSW-type ciphertexts), and it has a process called bootstrapping. These three characteristics are described below. In what follows, n and N are parameters of the TFHE scheme, and N is a sufficiently large power of 2.
・Torus T
The TFHE scheme uses an algebraic structure called a torus for plaintexts and ciphertexts. The torus is the Z-module obtained as the quotient of the real number field R by the ring of integers Z, and is denoted T. A real number in the interval (-1/2, 1/2] is taken as the representative of an element of the torus T.
・TLWE-type ciphertext
Of the three ciphertext formats used in the TFHE scheme, the TLWE type is the central one. The key of a TLWE-type ciphertext is a sequence of n values, each 0 or 1: (s_1, ..., s_n). A TLWE-type ciphertext corresponding to a plaintext m is created as follows. First, n elements a_1, ..., a_n of the torus are chosen at random. A torus element e whose representative is a very small real number (this e is called the noise) is also chosen. At this time,
Figure JPOXMLDOC01-appb-M000001
Then, a TLWE-type ciphertext (a_1, ..., a_n, b) corresponding to the plaintext m is obtained.
・TRLWE-type ciphertext
A TRLWE-type ciphertext is used as an intermediate representation when performing various processes. The set of plaintexts of TRLWE-type ciphertexts is the quotient module T_N[X] = T[X]/(X^N+1) of the polynomial module T[X] by the polynomial X^N+1. T_N[X] is a module over Z[X]/(X^N+1).
・TGSW-type ciphertext
A TGSW-type ciphertext takes an element of Z[X]/(X^N+1) as its plaintext. TGSW-type ciphertexts of 0 or 1 are used particularly often. In the TFHE scheme, the product of a TLWE-type ciphertext and a TGSW-type ciphertext can be computed. For example, the product of a TLWE-type ciphertext of 1/2 and a TGSW-type ciphertext of 0 is a TLWE-type ciphertext of 0.
・Bootstrapping
In some fully homomorphic encryption schemes, including the TFHE scheme, a process called bootstrapping must be performed for each operation (evaluation). A bootstrap key is used for this process. The bootstrap key is the TLWE-type ciphertext key turned into TGSW-type ciphertext. Note that knowing the bootstrap key does not reveal the TLWE-type ciphertext key.
・BlindRotate
References 3 and 4 above define an algorithm called BlindRotate. When a TRLWE-type ciphertext c_v of an element v of T_N[X], n+1 elements of Z/2NZ
Figure JPOXMLDOC01-appb-M000002
and the bootstrap key are given to BlindRotate, a TRLWE-type ciphertext of the element of T_N[X]
Figure JPOXMLDOC01-appb-M000003
is obtained. Here,
Figure JPOXMLDOC01-appb-M000004
is an integer.
・SampleExtract
References 2 to 4 above define an algorithm called SampleExtract. Let the plaintext corresponding to a TRLWE-type ciphertext c be the element m_0 + m_1 X + ... + m_{N-1} X^{N-1} of T_N[X]. Each coefficient m_0, m_1, ..., m_{N-1} is an element of the torus T. Applying SampleExtract to the TRLWE-type ciphertext c then yields a TLWE-type ciphertext corresponding to the constant term m_0.
・Bootstrap algorithm
The algorithm for bootstrapping a TLWE-type ciphertext c = (a_1, ..., a_n, b) is described here. First, the representatives of the torus elements a_1, ..., a_n, b are all multiplied by 2N and rounded to the nearest integer. Let the integers thus obtained be
Figure JPOXMLDOC01-appb-M000005
Next, the BlindRotate algorithm is executed using these n+1 integers
Figure JPOXMLDOC01-appb-M000006
the polynomial
Figure JPOXMLDOC01-appb-M000007
and the bootstrap key. This yields a TRLWE-type ciphertext c_R of
Figure JPOXMLDOC01-appb-M000008
Here, as described above,
Figure JPOXMLDOC01-appb-M000009
is an integer.
Finally, the SampleExtract algorithm is executed on the TRLWE-type ciphertext c_R, and the TLWE-type ciphertext (0, ..., 0, 1/4) is added to the resulting TLWE-type ciphertext. If the initial TLWE-type ciphertext c corresponds to an element of the interval (-1/4, 1/4], the final result is a ciphertext of 1/2; otherwise a ciphertext of 0 is obtained.
<Bernoulli distribution>
For a real number p with 0 ≤ p ≤ 1, the Bernoulli distribution Ber(p) is the distribution that yields 1 with probability p and 0 with probability 1-p.
[Example]
An example of the present embodiment is described below. The random number generation system 1 according to the present embodiment executes random number generation processing between two participant groups, and one participant group obtains random numbers that are encrypted with the other participant group's key and that follow the Bernoulli distribution. In this example, the two participant groups are denoted A and B, and the case is described in which participant group A obtains random numbers that are encrypted with participant group B's key and that follow the Bernoulli distribution. Although the term "participant group" is used, each participant group only needs to contain one or more participants and does not necessarily contain several.
<Overall configuration>
First, an example of the overall configuration of the random number generation system 1 in this example is described with reference to FIG. 1. FIG. 1 is a diagram showing an example of the overall configuration of the random number generation system 1 in one example.
As shown in FIG. 1, the random number generation system 1 in this example includes one or more first participant terminals 10, each used by a participant belonging to participant group A, and one or more second participant terminals 20, each used by a participant belonging to participant group B. The first participant terminals 10 and the second participant terminals 20 are communicably connected via a communication network such as the Internet.
<Functional configuration>
Next, examples of the functional configuration of the first participant terminal 10 and the second participant terminal 20 in this example are described with reference to FIGS. 2 and 3, respectively. FIGS. 2 and 3 are diagrams showing examples of the functional configuration of the first participant terminal 10 and the second participant terminal 20, respectively, in one example.
As shown in FIG. 2, the first participant terminal 10 in this example has a preparation unit 101, a random number generation unit 102, and a storage unit 103.
The preparation unit 101 executes various preparatory processes, such as sharing parameters with the second participant terminal 20 and generating the polynomial to be given to the BlindRotate algorithm.
The random number generation unit 102 generates encrypted random numbers that follow the Bernoulli distribution, using an algorithm obtained by partially modifying the bootstrap algorithm.
The storage unit 103 stores the parameters shared with the second participant terminal 20, the random numbers generated by the random number generation unit 102, and the like.
As shown in FIG. 3, the second participant terminal 20 in this example has a preparation unit 201 and a storage unit 202.
The preparation unit 201 executes various preparatory processes, such as sharing parameters with the first participant terminal 10 and generating a bootstrap key.
The storage unit 202 stores the parameters shared with the first participant terminal 10, the bootstrap key generated by the preparation unit 201, and the like.
<Random number generation processing>
Next, the random number generation processing in this example is described with reference to FIG. 4. FIG. 4 is a sequence diagram for explaining the random number generation processing in one example. In the following, the probability p is one of 0 = 0/N, 1/N, 2/N, ..., N/N = 1, where N is the parameter of the TFHE scheme described in the preparation above. The participants belonging to participant group A are assumed to know this probability p.
First, the preparation unit 101 of each first participant terminal 10 and the preparation unit 201 of each second participant terminal 20 share the parameters of the TFHE scheme (for example, n and N) (step S101). The parameters may be shared by any method.
The preparation unit 101 of each first participant terminal 10 generates the polynomial
Figure JPOXMLDOC01-appb-M000010
(step S102). Here, Np is an integer from 0 to N. When Np = 0, the above polynomial represents 0.
The preparation unit 201 of each second participant terminal 20 generates a secret key (a TLWE-type ciphertext key) and a bootstrap key (step S103). As described above, the bootstrap key is the secret key (the TLWE-type ciphertext key) turned into a TGSW-type ciphertext.
The preparation unit 201 of each second participant terminal 20 then transmits the bootstrap key generated in step S103 to the first participant terminal 10 (step S104). If participant group A contains multiple participants, the preparation unit 201 of each second participant terminal 20 transmits the bootstrap key to the first participant terminals 10 of one or more participants. As long as each first participant terminal 10 can receive at least one bootstrap key, the second participant terminals 20 may transmit their bootstrap keys in any way. For example, as long as each first participant terminal 10 can receive at least one bootstrap key, some of the second participant terminals 20 may transmit no bootstrap key at all.
The preparation unit 101 of each first participant terminal 10 that has received bootstrap keys selects one of them (step S105). That is, the preparation unit 101 of each first participant terminal 10 selects one bootstrap key from the one or more bootstrap keys received from the second participant terminals 20.
Steps S101 to S105 above are the preparatory processing and must be executed before steps S106 and S107 below. The amount of communication required for this preparatory processing does not depend on how many random numbers are generated.
The random number generation unit 102 of each first participant terminal 10 randomly and independently selects n+1 real numbers a_1, ..., a_n, b from the interval (-1/2, 1/2] (step S106). These n+1 real numbers a_1, ..., a_n, b can be regarded as a TLWE-type ciphertext c = (a_1, ..., a_n, b) obtained by encrypting a random number with the secret key corresponding to the bootstrap key selected by the preparation unit 101 of each first participant terminal 10 (that is, the secret key generated by the preparation unit 201 of the second participant terminal 20).
Next, the random number generation unit 102 of each first participant terminal 10 executes, on the real numbers a_1, ..., a_n, b that it selected in step S106 (that is, on the TLWE-type ciphertext c), an algorithm obtained by modifying part of the bootstrap algorithm of the TFHE scheme (step S107). That is, in the bootstrap algorithm of the TFHE scheme, the random number generation unit 102 of each first participant terminal 10 sets the polynomial v given to the BlindRotate algorithm not to
Figure JPOXMLDOC01-appb-M000011
but to the polynomial generated in the preparatory processing,
Figure JPOXMLDOC01-appb-M000012
and outputs the TLWE-type ciphertext obtained by executing the SampleExtract algorithm as it is (that is, without adding the TLWE-type ciphertext (0, ..., 0, 1/4)).
The TLWE-type ciphertext obtained in this way is a ciphertext of 1/2 (= -1/2) with probability p and a ciphertext of 0 with probability 1-p. That is, it is a ciphertext of a random number following the Bernoulli distribution Ber(p).
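The plaintext-level effect of steps S102, S106 and S107, as an added example that is not part of the patent text: it rotates the polynomial (1/2)(1 + X + ... + X^(Np-1)) in T[X]/(X^N + 1) and reads the constant term, showing that it equals 1/2 for exactly a fraction Np/N of the rotation amounts. Assumptions: the rotation is the usual TFHE one, X^(-rho) with rho = b̄ − Σ s_i ā_i mod 2N (the page's own formulas sit in figures that are not reproduced), the key s is binary, and no encryption or noise is modelled; all function names are hypothetical.

```python
import random
from fractions import Fraction

HALF = Fraction(1, 2)


def bernoulli_polynomial(N, Np):
    """v = (1/2)(1 + X + ... + X^(Np-1)) in T_N[X]; the zero polynomial if Np = 0."""
    if not 0 <= Np <= N:
        raise ValueError("Np must be an integer from 0 to N")
    return [HALF if j < Np else Fraction(0) for j in range(N)]


def rotate(v, rho):
    """Multiply v by X^(-rho) in T[X]/(X^N + 1), coefficients taken mod 1."""
    N = len(v)
    out = [Fraction(0)] * N
    for j, coeff in enumerate(v):
        e = (j - rho) % (2 * N)        # exponent after rotation, in Z/2NZ
        sign = 1 if e < N else -1      # X^N = -1 in the negacyclic ring
        out[e % N] = (out[e % N] + sign * coeff) % 1
    return out


def round_to_2N(x, N):
    """Scale a torus representative in (-1/2, 1/2] by 2N and round into Z/2NZ."""
    return round(x * 2 * N) % (2 * N)


def modified_bootstrap_plain(a, b, s, N, Np):
    """Constant term carried by the SampleExtract output in step S107.

    Nothing is added afterwards (no (0, ..., 0, 1/4) term), as the page states.
    The rotation amount rho is the assumed standard TFHE phase, see lead-in.
    """
    a_bar = [round_to_2N(x, N) for x in a]
    b_bar = round_to_2N(b, N)
    rho = (b_bar - sum(si * ai for si, ai in zip(s, a_bar))) % (2 * N)
    return rotate(bernoulli_polynomial(N, Np), rho)[0]


def exact_probability(N, Np):
    """Share of rotation amounts rho in Z/2NZ whose constant term is 1/2."""
    v = bernoulli_polynomial(N, Np)
    hits = sum(1 for rho in range(2 * N) if rotate(v, rho)[0] == HALF)
    return Fraction(hits, 2 * N)


def sample_bits(count, n, N, Np, seed=0):
    """Run steps S106-S107 'count' times and decode 1/2 -> 1, 0 -> 0."""
    # Seeded PRNG only so this demo is reproducible; a deployment would draw
    # a_1..a_n, b from a cryptographically secure generator.
    rng = random.Random(seed)
    s = [rng.randrange(2) for _ in range(n)]   # constructed stand-in for B's key
    bits = []
    for _ in range(count):
        a = [rng.uniform(-0.5, 0.5) for _ in range(n)]
        b = rng.uniform(-0.5, 0.5)
        bits.append(1 if modified_bootstrap_plain(a, b, s, N, Np) == HALF else 0)
    return bits


if __name__ == "__main__":
    N, Np = 32, 8                                # p = Np/N = 1/4
    print("exact p:", exact_probability(N, Np))
    bits = sample_bits(2000, n=10, N=N, Np=Np)
    print("empirical p:", sum(bits) / len(bits))
```

Because b is uniform and independent of the a_i, the rounded phase is uniform over Z/2NZ whatever the key is, which is why participant group A can produce the sample without knowing group B's secret key.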
<Hardware configuration>
Next, the hardware configuration of the first participant terminal 10 and the second participant terminal 20 in this example is described. The first participant terminal 10 and the second participant terminal 20 in this example are implemented by, for example, the hardware configuration of the computer 300 shown in FIG. 5. FIG. 5 is a diagram showing an example of the hardware configuration of the computer 300 in one example.
The computer 300 shown in FIG. 5 has an input device 301, a display device 302, an external I/F 303, a communication I/F 304, a processor 305, and a memory device 306. These pieces of hardware are communicably connected to one another via a bus 307.
The input device 301 is, for example, a keyboard, a mouse, or a touch panel. The display device 302 is, for example, a display. The computer 300 need not have at least one of the input device 301 and the display device 302.
The external I/F 303 is an interface with an external device such as a recording medium 303a. The computer 300 can read from and write to the recording medium 303a via the external I/F 303. Examples of the recording medium 303a include a CD (Compact Disc), a DVD (Digital Versatile Disk), an SD memory card (Secure Digital memory card), and a USB (Universal Serial Bus) memory card.
The communication I/F 304 is an interface for connecting the computer 300 to a communication network. The processor 305 is, for example, any of various arithmetic devices such as a CPU (Central Processing Unit). The preparation unit 101 and the random number generation unit 102 of the first participant terminal 10 are realized, for example, by processing that one or more programs installed on the first participant terminal 10 cause the processor 305 to execute. Similarly, the preparation unit 201 of the second participant terminal 20 is realized, for example, by processing that one or more programs installed on the second participant terminal 20 cause the processor 305 to execute.
The memory device 306 is, for example, any of various storage devices such as an HDD (Hard Disk Drive), an SSD (Solid State Drive), a RAM (Random Access Memory), a ROM (Read Only Memory), or a flash memory. The storage unit 103 of the first participant terminal 10 and the storage unit 202 of the second participant terminal 20 are realized by, for example, the memory device 306.
By having the hardware configuration of the computer 300 shown in FIG. 5, the first participant terminal 10 and the second participant terminal 20 in this example can realize the random number generation processing described above. The hardware configuration of the computer 300 shown in FIG. 5 is only an example, and other hardware configurations may be used. For example, the computer 300 may have multiple processors 305 and may have multiple memory devices 306.
<Summary>
As described above, the random number generation system 1 according to the present embodiment can generate a ciphertext of a random number following the Bernoulli distribution Ber(p) by applying, to a randomly generated ciphertext (that is, a tuple of n+1 random numbers regarded as the ciphertext of a random number), an algorithm obtained by partially modifying the bootstrap used in the TFHE scheme. By exploiting the characteristics of the TFHE scheme, which is one of the fully homomorphic encryption schemes, it becomes possible to overcome the problems of the conventional technology, namely security, communication volume, and the inability to change the parameter p.
Therefore, by using the random number generation system 1 according to the present embodiment, random numbers following the Bernoulli distribution Ber(p) for various p, not limited to p = 1/2, can be generated in a form that can be used in secure computation technology. In doing so, encrypted random numbers can be generated with the same level of security as the conventional technology and with a smaller amount of communication.
The present invention is not limited to the specifically disclosed embodiment described above, and various modifications, alterations, combinations with known techniques, and the like are possible without departing from the scope of the claims.
1 Random number generation system
10 First participant terminal
20 Second participant terminal
101 Preparation unit
102 Random number generation unit
103 Storage unit
201 Preparation unit
202 Storage unit
301 Input device
302 Display device
303 External I/F
303a Recording medium
304 Communication I/F
305 Processor
306 Memory device
307 Bus

Claims (7)

  1.  A random number generation system including a first terminal that generates a ciphertext of a random number following a Bernoulli distribution and a second terminal communicably connected to the first terminal, wherein
    the second terminal has:
    a key generation unit that generates, using shared parameters shared with the first terminal, a bootstrap key used in the bootstrap of the TFHE scheme; and
    a transmission unit that transmits the bootstrap key to the first terminal,
    the first terminal has:
    a cipher generation unit that randomly generates a ciphertext using the shared parameters; and
    a random number generation unit that generates the ciphertext of the random number by executing, on the ciphertext, an algorithm based on the bootstrap of the TFHE scheme using the bootstrap key and the shared parameters, and
    the algorithm changes the input of the BlindRotate algorithm included in the bootstrap of the TFHE scheme to a predetermined polynomial and uses the output of the SampleExtract algorithm as the ciphertext of the random number.
  2.  The random number generation system according to claim 1, wherein
    the shared parameters include at least the parameters n and N of the TFHE scheme, and
    the parameter p of the Bernoulli distribution is one of 0/N, 1/N, ..., N/N.
  3.  The random number generation system according to claim 2, wherein the predetermined polynomial is expressed as (1/2)(1 + X + ... + X^(Np-1)), where Np is an integer from 0 to N (and the polynomial is 0 when Np = 0).
  4.  The random number generation system according to claim 2 or 3, wherein
    the cipher generation unit generates a ciphertext c = (a_1, ..., a_n, b) by randomly selecting n+1 real numbers a_1, ..., a_n, b.
  5.  A random number generation device that generates a ciphertext of a random number following a Bernoulli distribution, the device having:
    a reception unit that receives a bootstrap key used in the bootstrap of the TFHE scheme from another device that shares shared parameters with the random number generation device;
    a cipher generation unit that randomly generates a ciphertext using the shared parameters; and
    a random number generation unit that generates the ciphertext of the random number by executing, on the ciphertext, an algorithm based on the bootstrap of the TFHE scheme using the bootstrap key and the shared parameters, wherein
    the algorithm changes the input of the BlindRotate algorithm included in the bootstrap of the TFHE scheme to a predetermined polynomial and uses the output of the SampleExtract algorithm as the ciphertext of the random number.
  6.  A random number generation method used in a random number generation system including a first terminal that generates a ciphertext of a random number following a Bernoulli distribution and a second terminal communicably connected to the first terminal, wherein
    the second terminal executes:
    a key generation procedure of generating, using shared parameters shared with the first terminal, a bootstrap key used in the bootstrap of the TFHE scheme; and
    a transmission procedure of transmitting the bootstrap key to the first terminal,
    the first terminal executes:
    a cipher generation procedure of randomly generating a ciphertext using the shared parameters; and
    a random number generation procedure of generating the ciphertext of the random number by executing, on the ciphertext, an algorithm based on the bootstrap of the TFHE scheme using the bootstrap key and the shared parameters, and
    the algorithm changes the input of the BlindRotate algorithm included in the bootstrap of the TFHE scheme to a predetermined polynomial and uses the output of the SampleExtract algorithm as the ciphertext of the random number.
  7.  A program that causes a computer to function as the first terminal or the second terminal included in the random number generation system according to any one of claims 1 to 4.
PCT/JP2021/007775 2021-03-01 2021-03-01 Random number generation system, random number generation device, random number generation method, and program WO2022185391A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2021/007775 WO2022185391A1 (en) 2021-03-01 2021-03-01 Random number generation system, random number generation device, random number generation method, and program

Publications (1)

Publication Number Publication Date
WO2022185391A1 true WO2022185391A1 (en) 2022-09-09

Family

ID=83154007

Country Status (1)

Country Link
WO (1) WO2022185391A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020240167A1 (en) * 2019-05-24 2020-12-03 Circagene Ltd Methods for enabling secured and personalised genomic sequence analysis
JP2021026082A (en) * 2019-08-01 2021-02-22 Kddi株式会社 Secure computation device, secure computation method, and secure computation program

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ERIGUCHI, REO ET AL.: "Efficient noise generation to achieve differential privacy for application to secret calculations", PROCEEDINGS OF 2020 SYMPOSIUM ON CRYPTOGRAPHY AND INFORMATION SECURITY (SCIS2020); JANUARY 28-31, 2020, IEICE, JP, 21 January 2020 (2020-01-21) - 31 January 2020 (2020-01-31), JP, pages 1 - 8, XP009540709 *

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21928969

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21928969

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: JP