Secret computation device and method

Abstract

A secret computation device 10 comprises: an equivalence determination processing unit 1 that derives an output result of a secret computation equivalence determination function using [→y], the secret computation equivalence determination function being a function which outputs [1] if yj=i is true and outputs [0] if yj=i is not true, where i=1, …, c; and an aggregation computation unit 2 that performs a secret aggregation computation using the output result and [X]. With n and m being positive integers of 2 or greater, n records are included in a matrix [x] representing data, and m values included in each record are shares. [→y]=([y1], …, [yj], …, [yn]) is an n-dimensional vector representing the class to which each record belongs. The class to which each record belongs is one of 1, 2, ..., c.

Description

Secure computing device and method 【0001】 Disclosure technology relates to information security technology that applies cryptographic techniques. Disclosure technology, in particular, relates to statistical analysis using secure computation. 【0002】 Secure computation technology, which allows for data analysis while keeping data confidential, is expected to be useful in fields that handle highly confidential information, such as the medical field (see, for example, Non-Patent Document 1). 【0003】 Aggregate functions, which perform statistical operations on key attributes, are crucial in secure computation, where data analysis is performed while keeping the data confidential. Therefore, methods for accelerating the calculation of secure computation aggregate functions have been proposed. 【0004】 The calculation of an aggregate function using secure computation is the process of performing an aggregate function calculation while keeping the data confidential. 【0005】 Dai Igarashi, Koji Chida, Koki Hamada, Katsumi Takahashi, "Efficiency Improvement of Lightweight Verifiable Three-Party Secret Function Calculation and Secure Database Processing Using the Same," 2011 Symposium on Cryptography and Information Security. 【0006】 While existing methods for calculating aggregate functions using secure computation are fast, they assume that the data is sorted. Therefore, if the number of groups to which the data belongs is small, this sorting process can become an unnecessary overhead. 【0007】 The disclosed technology aims to provide a secure computing device and method that eliminates the need for sorting when performing secure computation aggregate functions. 【0008】 A secure computing device, which is one aspect of the disclosure technology, has i=1,...,c, and the secure computing equivalence determination function is y j If =i, output [1], y j This is a function that outputs [0] if it is not =i, →An equivalence determination processing unit that obtains an output result of the secret calculation equivalence determination function using [y], and an aggregation calculation unit that performs a secret aggregation calculation using the output result and [X]. [] is a symbol representing a share, n and m are positive integers of 2 or more, the matrix [x] representing data includes n records, and the m values included in each record are shares. → [y] = ([y1], …, [y j , …, [y n ) is an n-dimensional vector representing the class to which each record belongs, and the class to which each record belongs is one of 1, 2, …, c. 【0009】 According to the disclosed technology, sorting processing becomes unnecessary when calculating the secret calculation aggregation function. 【0010】 FIG. 1 is a diagram showing an example of the functional configuration of a secret calculation device. FIG. 2 is a diagram showing an example of the processing procedure of a secret calculation method. FIG. 3 is a diagram showing another example of the functional configuration of a secret calculation device. FIG. 4 is a diagram showing an example of the functional configuration of a computer. 【0011】 Hereinafter, embodiments of the disclosed technology will be described with reference to the drawings. In the drawings, components having the same function are given the same reference numerals, and redundant description will be omitted. 【0012】 [Secret Calculation Device and Method] As shown in FIG. 1, the secret calculation device 10 includes, for example, an equivalence determination processing unit 1 and an aggregation calculation unit 2. 【0013】 The secret aggregation calculation method is realized, for example, when each component of the secret calculation device 10 performs the processing from step S1 to step S2 shown in FIG. 2. 【0014】 A vector is → described as x. The i-th element of the vector is represented by x i . The symbol “→” used in the text should be described directly above the following character, but due to the limitations of the text notation, it is described immediately before the character. In mathematical formulas, these symbols are described in their original positions, that is, directly above the characters. For example, “ → X” in the text is described as follows in the mathematical formula. 【0015】 Secret sharing is an encryption technique that divides data into multiple values ​​and distributes them among multiple parties. For example, the data is encrypted using (k,n) threshold secret sharing. (k,n) threshold secret sharing is a secret sharing method that divides data into n random values ​​(shares). The original data can be reconstructed by collecting k or more shares, while information from the original data cannot be obtained with fewer than k shares. Examples include Shamir secret sharing and replication secret sharing. For example, Z p The share generated by the above secret sharing is denoted as, for example, [x]. 【0016】 To perform the share calculation, the secure computing device 10 may be composed of multiple devices. In other words, each of the equivalence determination processing unit 1 and the aggregation calculation unit 2 may be composed of multiple devices. 【0017】 On the other hand, the calculation of secret sharing may be implemented using homomorphic cryptography performed by a single device. 【0018】 The matrix [X] representing the data to be analyzed contains n records. Each record contains m values, which are shares. The elements of matrix [X] are expressed as follows: 【0019】 The j-th record is ([x j,1 ],…,[x j,k ],…,[x j,m ]) Each record belongs to one of the classes 1, 2, ..., c. An n-dimensional vector representing the class [ → y]=([y1],…,[y j ],…,[y n ]) T It is written as follows: y j is an integer between 1 and c, where c is a given integer greater than or equal to 2. The superscript T of a matrix or vector signifies its transpose. 【0020】 [y j ] is the j-th record ([x j,1 ],…,[x j,k ],…,[xj,m [X] and [ → y] is stored in memory unit 0. In this case, [X] and [ → The following processing is performed using y]. In the example in Figure 1, the storage unit 0 is located outside the secure computing device 10, but the storage unit 0 may also be located inside the secure computing device 10. 【0021】 The following describes each component of the secure computing device 10. <Equivalence Determination Processing Unit 1> The equivalence determination processing unit 1 includes [ → The input is 'y'. 【0022】 Equivalence determination processing unit 1 is [ → The output result of the secure computation equivalence determination function using y is obtained (Step S1). The output result is output to the aggregation calculation unit 2. 【0023】 The secret computation equivalence determination function is y j If =i, output [1], y j This function outputs [0] if i is not equal to i. i=1, ..., c. The equality determination processing unit 1 performs the calculation of the secure computation equality determination function for each of i=1, ..., c. 【0024】 <<Example 1>> When the secure computing device 10 performs the calculation of the sum, the equivalence determination processing unit 1 performs [ → Using y, we perform secure computation on [F] defined by the following equation. In this case, [F] becomes the output of the secure computation equivalence test function. 【0025】 [y j =i] is y j If =i then [1], and y j If it is not =i then it is [0]. <<Example 2>> When the secret computing device 10 performs a sum of products calculation, the equivalence determination processing unit 1 is, → Using y, [ → f (i) ]=([y1=i],…,[y n =i]) T We will perform a secure computation on this. In this case, [ → f (i)This is the output of the secure computation equivalence determination function. 【0026】 As mentioned earlier, [y j =i] is y j If =i then [1], and y j If it is not equal to i, then it is [0]. 【0027】 <Aggregation Calculation Unit 2> The aggregation calculation unit 2 receives the output result of the equivalence determination processing unit 1 and [X] as input. 【0028】 The aggregation calculation unit 2 performs a secret aggregation calculation using the output result and [X] (step S2). As shown in the following example, the aggregation calculation unit 2 performs a secret sum of products calculation using the output result of the equivalence determination processing unit 1 and [X]. 【0029】 <<Example 1>> When the secure computing device 10 performs a sum calculation, the aggregation calculation unit 2 uses [F] and [X] to determine [S] = [F T X] is computed using secure computation. 【0030】 Let [S] be represented as a matrix as follows: 【0031】 In this case...s i,j ] is written as follows: 【0032】 Here, ProdSum([ → a],[ → b) is a vector of two shares [ → a],[ → From [b], [c] = [Σ i=1 {a i ・b i This is the operation to find}]. Note that [ → y=1]=([y1=1],…,[y j =1],…,[y n =1]) and [ → x k ]=([x 1,k ],…,[x j,k ],…,[x n,k ]) 【0033】 <<Example 2>> When the secure computing device 10 performs a sum-of-products calculation, the aggregation calculation unit 2 performs [→ f (i) Using ] and [X], secure computation is performed on [X'] defined by the following formula, and [P (i) ]=[X' T X'] is computed using secure computation. 【0034】 Here, → f (i) The j-th element of ] is [ → f j (i) ] and the k-th value of the j-th record in [x] is [x j,k Let's assume that this is the case. 【0035】 i = 1, ..., c. The aggregation unit 2 performs the above secure computation process for each of i = 1, ..., c. 【0036】 As mentioned earlier, the secure computation equivalence determination function is y j If =i, output [1], y j This function outputs [0] if it is not equal to i. Therefore, multiplying the output of the secure computation equality test function for a key attribute by the corresponding data attribute is equivalent to extracting data belonging to a specific class from the data attribute. Thus, by performing a sum of products on the output of the secure computation equality test function and the data attribute, it is possible to achieve summation in an aggregate function while keeping the data confidential. 【0037】 Similarly, by performing a sum of products calculation on data obtained by multiplying the output result of a secure computation equivalence determination function with data attributes, it is possible to achieve a sum of products in an aggregate function while keeping the data secure. 【0038】 As a result of the above process, the calculation of the secure computation aggregate function becomes dependent on the number of classes, but sorting is no longer required. Therefore, when the number of classes is small, the calculation of the secure computation aggregate function can be performed more efficiently than before. 【0039】[Variations] The specific configuration of the embodiments of the disclosed technology is not limited to the configuration described above. The specific configuration of the embodiments of the disclosed technology can be modified as appropriate, without departing from the spirit of the embodiments of the disclosed technology. 【0040】 As illustrated in Figure 4, the equivalence determination processing unit 1 may be composed of a plurality of equivalence determination processing units 11, ..., 1N, where N is a predetermined positive integer of 2 or more. Similarly, the aggregation calculation unit 2 may be composed of a plurality of aggregation calculation units 21, ..., 2N. 【0041】 For example, let i = 1, ..., N, and assume that the equivalence determination processing unit 1i and the aggregation calculation unit 2i are provided in the secret calculation device Ai. 【0042】 In this case, multiple equality determination processing units 11, ..., 1N may cooperate to perform the processing of the equality determination processing unit 1. Similarly, multiple aggregation calculation units 21, ..., 2N may cooperate to perform the processing of the aggregation calculation unit 2. 【0043】 Furthermore, the secure computing device 10 may perform the processing of the equivalence determination processing unit 1 and the aggregation calculation unit 2 only when c ≤ θ. For this purpose, the secure computing device 10 may be equipped with a control unit 3 that controls the processing of the equivalence determination processing unit 1 and the aggregation calculation unit 2 only when c ≤ θ. θ is a predetermined threshold. θ is set appropriately so that the desired result is obtained. θ is, for example, 2 to 5. θ may also be, for example, 2 to 3. 【0044】 In the case where c ≤ θ, in other words, by performing the equality determination processing unit 1 and the aggregation calculation unit 2 only when the number of classes is small, the calculation of the secure computation aggregate function can be performed more efficiently than before. 【0045】 Furthermore, if c ≤ θ is not true, i.e., if c > θ, the secure computing device 10 may perform calculations of existing secure computing aggregate functions. An example of calculating existing secure computing aggregate functions is the method described in Reference 1. [Reference 1] WO2019 / 208484 【0046】The various processes described in the embodiments of the disclosed technology may be performed not only in chronological order according to the order described, but also in parallel or individually as required by the processing capacity of the device performing the processes. 【0047】 For example, when a secure computing device performs the calculation of the sum of products of a sum, the equivalence determination processing unit 1 may process each of i=1,...,c, and then the aggregation calculation unit 2 may process each of i=1,...,c. Alternatively, the equivalence determination processing unit 1 and the aggregation calculation unit 2 may process a certain i and then process another i. 【0048】 For example, data exchange between components of a secure computing device may occur directly, or it may occur via a storage unit not shown in the diagram. 【0049】 Furthermore, the present invention may also include a device (terminal) for using the apparatus, system, or method of the present invention via a network (telecommunication line). The "device (terminal) for use" may be equipped with functions necessary to obtain the effects of implementing the apparatus, system, or method of the present invention (for example, control functions, decoding functions, restoration functions, input / output functions, etc.). 【0050】 It goes without saying that the invention may be modified as appropriate without departing from its spirit. 【0051】 All documents, patent applications, and technical standards described herein are incorporated by reference to the same extent as if each individual document, patent application, and technical standard were specifically and individually described as being incorporated by reference. 【0052】[Programs, Recording Media] The functions realized by the components described herein may be implemented in a circuitry or processing circuitry, including a general-purpose processor, an application-specific processor, an integrated circuit, an ASIC (Application Specific Integrated Circuit), a CPU (a Central Processing Unit), conventional circuits, and / or a combination thereof, programmed to realize the functions described herein. A processor includes transistors and other circuits and is considered a circuitry or processing circuitry. A processor may be a programmed processor that executes a program stored in memory. 【0053】 In this specification, circuitry, unit, and means are hardware programmed to perform or execute the functions described herein. Such hardware may be any hardware disclosed herein, or any hardware known to be programmed to perform or execute the functions described herein. 【0054】 If the hardware is a processor that is considered to be a type of circuitry, then the circuitry, means, or unit is a combination of hardware and software used to constitute the hardware and / or processor. 【0055】 The various processes described above can be carried out by loading a program that executes each step of the above method into the recording unit 2020 of the computer 2000 shown in Figure 4, and then causing the control unit 2010, input unit 2030, output unit 2040, display unit 2050, etc. to operate. 【0056】 The program describing this process can be recorded on a computer-readable recording medium. Any computer-readable recording medium can be used, such as a magnetic recording device, optical disc, magneto-optical recording medium, or semiconductor memory. 【0057】 A program describing this process may be included in a computer program product. 【0058】 Furthermore, this program may be distributed, for example, by selling, transferring, or lending portable recording media such as DVDs or CD-ROMs on which the program is recorded. Alternatively, the program may be stored in the storage device of a server computer and distributed by transferring the program from the server computer to other computers via a network. 【0059】 A computer executing such a program may, for example, first store the program recorded on a portable storage medium or a program transferred from a server computer in its own storage device. Then, when processing is to be executed, the computer reads the program stored on its own storage medium and executes the processing according to the read program. Alternatively, the computer may directly read the program from the portable storage medium and execute the processing according to that program, or it may sequentially execute the processing according to the received program each time a program is transferred to it from a server computer. Furthermore, the processing may be executed using a so-called ASP (Application Service Provider) type service, where the processing function is realized only by issuing execution instructions and obtaining results, without transferring the program from the server computer to this computer.In addition, the processing may be executed using a so-called SaaS (Software as a Service) type service, where a part of the server computer is made available to the user along with the program. Furthermore, the term "program" in this form includes information used for processing by an electronic computer that is equivalent to a program (data, etc., that is not a direct instruction to the computer but has the property of defining the processing of the computer). 【0060】Furthermore, in this configuration, the device is configured by executing a predetermined program on a computer, but at least a part of these processes may be implemented in hardware.

Claims

1. [] is a symbol representing a share, where n and m are positive integers greater than or equal to 2, and the matrix [x] representing the data contains n records, with m values ​​in each record representing a share. [ → y]=([y1],…,[y j ],…,[y n ]) is an n-dimensional vector representing the class to which each record belongs, where each record belongs to one of 1, 2, ..., c, i = 1, ..., c, and the secure computation equivalence determination function is y j If =i, output [1], y j This is a function that outputs [0] if it is not =i, → A secure computing device comprising: an equivalence determination processing unit that obtains the output result of the secure computing equivalence determination function using [y]; and an aggregation calculation unit that performs secure aggregation calculations using the output result and [X].

2. The secret computing device according to claim 1, wherein the equivalence determination processing unit j = i] is [1] when y j = i, and is [0] when y j ≠ i, and → using y, secretly computes [F] defined by the following formula: The aggregation operation unit secretly computes [S] = [F T X] using [F] and [X]. The secret computing device.

3. The secure computing device according to claim 1, wherein the equivalence determination processing unit is i=1,...,c, and [y j =i] is y j If =i then [1], and y j If it is not =i then it is [0], [ → Using y, [ → f (i) ]=([y1=i],…,[y n =i]) T The summation unit performs a secure computation, and i=1,...,c, [ → f (i) The j-th element of ] is [ → f j (i) ] and the k-th value of the j-th record in [x] is [x j,k ] and [ → f (i) Using ] and [X], secure computation is performed on [X'] defined by the following formula, and [P (i) ]=[X' T Perform a secure computation on X'. Secret computing device.

4. [] is a symbol representing a share, where n and m are positive integers greater than or equal to 2, and the matrix [x] representing the data contains n records, with m values ​​in each record representing a share. [ → y]=([y1],…,[y j ],…,[y n ]) is an n-dimensional vector representing the class to which each record belongs, and the class to which each record belongs is one of 1, 2, ..., c, the equality determination processing unit is i=1, ..., c, and the secure computation equality determination function is y j If =i, output [1], y j This is a function that outputs [0] if it is not =i, → A secure computation method comprising: an equivalence determination processing step of obtaining the output result of the secure computation equivalence determination function using [y]; and an aggregation calculation step in which an aggregation calculation unit performs a secure aggregation calculation using the output result and [X].

Images