Device and system

A secure data sharing protocol using homomorphic encryption and other elemental technologies simplifies the application of confidential data sharing, overcoming the complexity of existing protocols and enabling easy future enhancements.

WO2026126384A1 | PCT designated stage | Publication Date: 2026-06-18 | NT T INC

Patent Information

Authority / Receiving Office: WO · WO
Patent Type: Applications
Current Assignee / Owner: NT T INC
Filing Date: 2024-12-11
Publication Date: 2026-06-18


Abstract

A device according to one aspect of the present disclosure achieves confidential data linkage with another device connected thereto such that communication is possible therebetween, and executes a first protocol including: executing a Symmetric OPRF protocol with the other device using a first key set held by the device and a second key set held by the other device; executing a PSU protocol with the other device using the execution result of the Symmetric OPRF protocol; creating a first associative array in which the execution result of the PSU protocol is, in the case of a key included in the first key set and the second key set, associated with the value corresponding to the key, or is, in the case of a key included in the second key set and not included in the first key set, associated with a default value; and executing a Keyword PIR protocol with the other device using the first associative array and the second key set.

Description

Devices and Systems

【0001】 This disclosure relates to devices and systems.

【0002】 A protocol called confidential data sharing has been known for some time (for example, Non-Patent Document 1). The confidential data sharing protocol is a technology related to confidential set operation protocols (for example, Non-Patent Documents 2-4), which have made remarkable progress in recent years, in that it "processes databases held by both parties participating in the protocol."

【0003】 Furthermore, a protocol called PC (Permuted Characteristic) is also known as a confidential computation protocol related to confidential data sharing protocols (for example, Non-Patent Document 5).

【0004】
Koji Chida et al. "Communication-Efficient Inner Product Private Join and Compute with Cardinality." 2022.
Yu Chen et al. "Private Set Operations from Multi-Query Reverse Private Membership Test." 2022.
Yanxue Jia et al. "Shuffle-Based Private Set Union: Faster and More Secure". In: 31st USENIX Security Symposium (USENIX Security 22). 2022, pp. 2947-2964.
Binbin Tu et al. "Fast Unbalanced Private Set Union from Fully Homomorphic Encryption". In: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. CCS '23. New York, NY, USA: Association for Computing Machinery, Nov. 21, 2023, pp. 2959-2973.
Gayathri Garimella et al. "Private Set Operations from Oblivious Switching". In: Public-Key Cryptography (PKC) 2021. Ed. by Juan A. Garay. Lecture Notes in Computer Science. Cham: Springer International Publishing, 2021, pp. 591-617.

【0005】 While the development of confidential data sharing protocols is expected due to the many practical scenarios they present, existing confidential data sharing protocols often have configurations that make them difficult to apply.

【0006】 This disclosure is made in view of the above points and aims to realize secure data sharing that is easy to apply.

【0007】 An apparatus according to one aspect of the present disclosure is an apparatus for enabling secure data exchange with another apparatus that is communicably connected, and it executes a first protocol which includes: executing a Symmetric OPRF protocol with the other apparatus using a first key set held by the apparatus and a second key set held by the other apparatus; executing a PSU protocol with the other apparatus using the result of executing the Symmetric OPRF protocol; creating a first associative array which associates the result of executing the PSU protocol with a value corresponding to the key for each key included in the first key set and the second key set, and a default value for each key included in the second key set but not included in the first key set; and executing a Keyword PIR protocol with the other apparatus using the first associative array and the second key set.

【0008】 This enables the integration of secure data that is easy to apply.

【0009】 This figure shows an example of the overall configuration of the confidential data sharing system according to this embodiment. This figure shows an example of the hardware configuration of the participant device according to this embodiment. This figure shows an example of the functional configuration of the participant device according to this embodiment. This is a sequence diagram showing an example of the confidential data sharing protocol according to Embodiment 1. This is a sequence diagram showing an example of the confidential data sharing protocol according to Embodiment 2. This is a sequence diagram showing an example of the confidential data sharing protocol according to Embodiment 3.

【0010】 One embodiment of the present invention will be described in detail below with reference to the drawings.

【0011】 <Existing Confidential Data Exchange Protocols> Below, we will briefly explain the confidential data exchange protocols described in Non-Patent Document 1 and Reference Document 1.
Here, the confidential data exchange protocol described in Reference Document 1 is a protocol based on the confidential data exchange protocol described in Non-Patent Document 1. A confidential data exchange protocol is a protocol that realizes confidential data exchange. Furthermore, confidential data exchange is a secure computation function that combines data from a sender's database and a receiver's database while keeping each other's data confidential, and obtains some kind of statistical quantity.

【0012】 The participants in the confidential data sharing protocol will be referred to as Alice and Bob. Alice and Bob each have a database, which is an associative array; that is, the database stores pairs of keys and values. In this case, the existing confidential data sharing protocol performs the following steps 1-1 to 1-4.

【0013】 Step 1-1: For each key $k_j^{B \setminus A}$ that Bob has but Alice does not have, Alice adds to her own database the pair $(k_j^{B \setminus A}, 0)$, which associates the value 0 with the key $k_j^{B \setminus A}$.

【0014】 Step 1-2: Alice encrypts, using homomorphic encryption, all values in the database to which the pairs $(k_j^{B \setminus A}, 0)$ were added in step 1-1 above, and sends this encrypted database to Bob.

【0015】 Step 1-3: Bob associates the key in his own database with the corresponding value in his database and the corresponding value in the database received from Alice (i.e., the encrypted value).

【0016】 Step 1-4: Bob compiles the results of the correspondence in Step 1-3 above.

【0017】 This makes it possible to combine data from Alice's and Bob's respective databases while keeping them confidential from each other, and to obtain certain statistical measures.

【0018】 Existing secure data sharing protocols use a commutative one-way function and elliptic curve cryptography to implement steps 1-1 to 1-4 above (especially step 1-1).

【0019】 In addition to the secure data sharing protocol described above, for example, Reference 2 describes a secure data sharing protocol that utilizes a secure computation function called PIR-with-Default. Note that the secure data sharing protocol described in Reference 1 and the secure data sharing protocol described in Reference 2 differ significantly, particularly in the details of step 1-1 described above.

【0020】 <Challenges of Existing Confidential Data Sharing Protocols> Confidential data sharing protocols are related to confidential set computation protocols (e.g., Non-Patent Documents 2-4), which have made remarkable progress in recent years, in that they "process databases held by both parties participating in the protocol." While the development of confidential data sharing protocols is expected due to the many practical scenarios, research on them is scarce, and the few studies that exist often have tricky configurations that are difficult to apply. Therefore, it is thought that constructing a better confidential data sharing protocol in the future will require constructing it almost from scratch, which is hindering the development of confidential data sharing protocols.

【0021】 As described above, existing confidential data sharing protocols are difficult to apply, and this is hindering their development.

【0022】 <Proposed Method> To solve the above problems, in the following embodiments, a method for constructing a secure data sharing protocol using homomorphic encryption, OPRF (Oblivious Pseudorandom Functions), Keyword PIR (Private Information Retrieval), and PSU (Private Set Union) as elemental technologies is proposed.

【0023】 Since each of the above elemental technologies has a wide range of applications, it is possible to construct a secure data sharing protocol that is easy to apply.
In addition, since each of the above elemental technologies is expected to further develop in the future, when each of the above elemental technologies is improved in the future, it will also be possible to easily improve the secure data sharing protocol.

【0024】 <Preparation> Hereinafter, for a non-negative integer n, the set {0, ···, n - 1} will be denoted as [n].

【0025】 <<Associative Array>> An associative array is a data structure that associates values with some elements of a set Key (these elements are called "keys"). Hereinafter, an associative array in which a value $v_i$ is associated with a key $k_i$ for each $i \in [n]$ is denoted as $A = \{k_i : v_i\}_{i \in [n]}$. Also, hereinafter, the value corresponding to the key $k_i$ is denoted as $A[k_i]$.

【0026】 <<Homomorphic Encryption>> Homomorphic encryption is a type of high-performance encryption. In homomorphic encryption, when there is a k-argument circuit $C(x_1, \ldots, x_k)$ and ciphertexts $\mathrm{Enc}(a_1), \ldots, \mathrm{Enc}(a_k)$, the ciphertext of $C(a_1, \ldots, a_k)$ is obtained without decrypting the ciphertexts. Homomorphic encryption is classified according to the type of circuit that can be handled by the homomorphic encryption. In this embodiment, it is necessary to select an appropriate homomorphic encryption depending on the analysis to be performed after data linking by the confidential data linkage protocol. From a security standpoint, any homomorphic encryption is sufficient as long as it is an IND-CPA secure symmetric-key probabilistic encryption.

【0027】 ≪OPRF≫ Let F be a family of pseudorandom functions that take a key as the first argument and an input value as the second argument. In this case, $F(k_H, \cdot)$, in which only the first argument of the pseudorandom function family F is fixed to a certain key $k_H$, can be considered an example of a pseudorandom function.
OPRF is a secure computation function in which a sender with no input and a receiver holding a set $\{x_i\}_{i \in [n]}$ communicate and perform calculations, the sender obtains a key $k_H$ of the pseudorandom function family F, and the receiver obtains the set of output values $\{F(k_H, x_i)\}_{i \in [n]}$ of the pseudorandom function $F(k_H, \cdot)$. Note that the choice of pseudorandom function family F to be used must be agreed upon in advance between the sender and receiver.

【0028】 ≪Symmetric OPRF≫ Symmetric OPRF is a secure computation function in which Alice, who holds a set $\{x_i\}_{i \in [n]}$, and Bob, who holds a set $\{y_j\}_{j \in [m]}$, communicate and perform calculations, Alice obtains the set of output values $\{H(x_i)\}_{i \in [n]}$ of some pseudorandom function H, and Bob obtains the set of output values $\{H(y_j)\}_{j \in [m]}$ of the pseudorandom function H. Note that the pseudorandom function (or family of functions) can also be constructed using hash functions.

【0029】 The protocol for implementing Symmetric OPRF can be constructed according to the following steps 2-1 to 2-5.

【0030】 Step 2-1: Alice and Bob agree on which pseudorandom function H to use.

【0031】 Step 2-2: Alice acts as the sender and Bob as the receiver, executing the protocol to implement OPRF; Alice obtains the key $k_A$ of the pseudorandom function H, and Bob obtains the set of output values $\{H(k_A, y_j)\}_{j \in [m]}$ of the pseudorandom function H.

【0032】 Step 2-3: Alice calculates the set of output values $\{H(k_A, x_i)\}_{i \in [n]}$ of the pseudorandom function H.

【0033】 Step 2-4: Alice, as the receiver, and Bob, as the sender, execute the protocol to implement OPRF; Alice obtains the set of output values $\{H(k_B, H(k_A, x_i))\}_{i \in [n]}$ of the pseudorandom function H, and Bob obtains the key $k_B$ of the pseudorandom function H.

【0034】 Step 2-5: Bob calculates the set of output values $\{H(k_B, H(k_A, y_j))\}_{j \in [m]}$ of the pseudorandom function H.

【0035】 Therefore, Alice obtains $\{H(k_B, H(k_A, x_i))\}_{i \in [n]}$, and Bob obtains $\{H(k_B, H(k_A, y_j))\}_{j \in [m]}$.

【0036】 ≪PSU≫ PSU is a secure computation function in which a sender holding a set $\{x_i\}_{i \in [n]}$ and a receiver holding a set $\{y_j\}_{j \in [m]}$ communicate and perform calculations, the sender receives nothing, and the receiver receives the union $\{x_i\}_{i \in [n]} \cup \{y_j\}_{j \in [m]}$. Note that the content of PSU remains unchanged even as a secure computation function that obtains the set difference $\{x_i\}_{i \in [n]} \setminus \{y_j\}_{j \in [m]}$ instead of the union $\{x_i\}_{i \in [n]} \cup \{y_j\}_{j \in [m]}$.

【0037】 ≪Keyword PIR≫ Keyword PIR is a secure computation function in which a sender holding an associative array $A := \{k_i : v_i\}_{i \in [n]}$ (where $\mathrm{Key} := \{k_i\}_{i \in [n]}$) and a receiver holding a key $k' \in \mathrm{Key}$ communicate and compute, with the sender receiving nothing and the receiver receiving the value $A[k']$. In Keyword PIR, it is necessary that the sender receives nothing, but the receiver may know other values in the associative array A besides $A[k']$. A variant of Keyword PIR is Batched Keyword PIR, in which the receiver inputs multiple keys at once and receives multiple values.

【0038】 With the above preparations in place, we will now describe a secure data sharing system 1 that uses homomorphic encryption, OPRF, Keyword PIR, and PSU as elemental technologies to constitute a secure data sharing protocol.

【0039】 <Example of the overall configuration of the confidential data sharing system 1> Figure 1 is a diagram showing an example of the overall configuration of the confidential data sharing system 1 according to this embodiment.
As shown in Figure 1, the confidential data sharing system 1 according to this embodiment includes a participant device 10A that acts as a sender or receiver of the confidential data sharing protocol, and a participant device 10B that acts as a receiver or sender of the confidential data sharing protocol. In addition, participant device 10A and participant device 10B are connected in a way that allows them to communicate via a communication network 20, for example, the Internet. Hereinafter, when participant device 10A and participant device 10B are not distinguished, they will be referred to as "participant device 10".

【0040】 The participant device 10 is various devices that become participants (senders or receivers) in the confidential data sharing protocol. Any computer (information processing device) or computer system (information processing system) can be used as the participant device 10. Specific examples include general-purpose servers, personal computers, smartphones, tablet terminals, wearable devices, game consoles, in-vehicle devices, IoT (Internet of Things) devices, communication devices, etc., which can be used as participant devices 10.

【0041】 <Example of Hardware Configuration of Participant Device 10> Figure 2 is a diagram showing an example of the hardware configuration of the participant device 10 according to this embodiment. As shown in Figure 2, the participant device 10 according to this embodiment includes an input device 101, a display device 102, an external I/F 103, a communication I/F 104, a RAM (Random Access Memory) 105, a ROM (Read Only Memory) 106, an auxiliary storage device 107, and a processor 108. Each of these hardware components is connected to each other so as to be able to communicate via a bus 109.

【0042】 The input device 101 is, for example, a keyboard, mouse, touch panel, or physical button. The display device 102 is, for example, a display or display panel.
The participant device 10 does not necessarily have to have at least one of the input device 101 and the display device 102.

【0043】 The external I/F 103 is an interface with external devices such as the recording medium 103a. Examples of recording media 103a include CDs (Compact Discs), DVDs (Digital Versatile Disks), SD memory cards (Secure Digital memory cards), and USB (Universal Serial Bus) memory cards.

【0044】 The communication interface 104 is an interface for connecting to the communication network 20. The RAM 105 is a volatile semiconductor memory (storage device) that temporarily holds programs and data. The ROM 106 is a non-volatile semiconductor memory (storage device) that can retain programs and data even when the power is turned off. The auxiliary storage device 107 is a non-volatile storage device such as an HDD (Hard Disk Drive), SSD (Solid State Drive), or flash memory. The processor 108 is an arithmetic unit such as a CPU (Central Processing Unit).

【0045】 Note that the hardware configuration shown in Figure 1 is just one example, and the hardware configuration of the participant device 10 is not limited to this. For example, the participant device 10 may have multiple auxiliary storage devices 107 and multiple processors 108, it may not have some of the hardware shown, or it may have various other hardware besides the hardware shown.

【0046】 <Functional Configuration Example of Participant Device 10> FIG. 3 is a diagram showing an example of the functional configuration of the participant device 10 according to the present embodiment. As shown in FIG. 3, the participant device 10 according to the present embodiment includes a protocol execution unit 201 and a storage unit 202. The protocol execution unit 201 is realized, for example, by processing in which one or more programs installed in the participant device 10 are executed by a processor 108 or the like.
The storage unit 202 is realized, for example, by a storage area such as an auxiliary storage device 107. Hereinafter, the protocol execution unit 201 included in the participant device 10A will be referred to as "protocol execution unit 201A", and the protocol execution unit 201 included in the participant device 10B will be referred to as "protocol execution unit 201B". Similarly, the storage unit 202 included in the participant device 10A will be referred to as "storage unit 202A", and the storage unit 202 included in the participant device 10B will be referred to as "storage unit 202B".

【0047】 The protocol execution unit 201 executes a confidential data cooperation protocol with other participant devices 10.

【0048】 The storage unit 202 stores a database (DB: database) that is the target of the confidential data cooperation protocol. The database is assumed to be represented as an associative array.

【0049】 <Example of Confidential Data Cooperation Protocol> <<Example 1>> In Example 1, the case of realizing PIR-DC (PIR with Default and Cardinality) as confidential data cooperation will be described. PIR-DC is a variant of PIR-with-Default (Reference 2).

【0050】 - Function: PIR-DC is a secure computation function in which a sender holding an associative array $A := \{k_i^S : v_i\}_{i \in [n]}$ (where $\mathrm{Key}_S := \{k_i^S\}_{i \in [n]}$) and a set D of default values, and a receiver holding a set $\mathrm{Key}_R = \{k_j^R\}_{j \in [m]}$, communicate and perform calculations; the sender obtains the cardinality of the union $|\mathrm{Key}_S \cup \mathrm{Key}_R|$, and the receiver obtains the cardinality of the union $|\mathrm{Key}_S \cup \mathrm{Key}_R|$ and a set $\{o_j\}_{j \in [m]}$ of output values $o_j$ that satisfy the following.

【0051】

【0052】 Note that the set of keys $\mathrm{Key}_S$ is, for example, the set of keys in the database held by the sender. On the other hand, the set of keys $\mathrm{Key}_R$ is, for example, the set of keys in the database held by the recipient.
Also, the default value may be called a default value or the like.

【0053】 ・Protocol: Figure 4 is a sequence diagram showing an example of the secure data linking protocol according to Example 1. Hereinafter, the sender of the secure data linking protocol according to Example 1 is the participant device 10A, the recipient is the participant device 10B, and the associative array A and the set of keys $\mathrm{Key}_S$ are stored in the storage unit 202A, and it is assumed that at least the set of keys $\mathrm{Key}_R$ is stored in the storage unit 202B.

【0054】 The protocol execution unit 201A of the participant device 10A and the protocol execution unit 201B of the participant device 10B execute a protocol that realizes Symmetric OPRF with the protocol execution unit 201A taking $\mathrm{Key}_S$ and the protocol execution unit 201B taking $\mathrm{Key}_R$ as inputs respectively (step S101). As a result, the protocol execution unit 201A obtains the set of output values $\{H(k_i^S)\}_{i \in [n]}$ of the pseudorandom function H, and the protocol execution unit 201B obtains the set of output values $\{H(k_j^R)\}_{j \in [m]}$ of the pseudorandom function H. Hereinafter, for convenience, $\{H(k_i^S)\}_{i \in [n]}$ is written as $H(\mathrm{Key}_S)$, and $\{H(k_j^R)\}_{j \in [m]}$ is written as $H(\mathrm{Key}_R)$.

【0055】 The protocol execution unit 201A of participant device 10A and the protocol execution unit 201B of participant device 10B execute a protocol that implements PSU, with participant device 10A as the receiver and participant device 10B as the sender, the protocol execution unit 201A taking $H(\mathrm{Key}_S)$ and the protocol execution unit 201B taking $H(\mathrm{Key}_R)$ as input (step S102). As a result, the protocol execution unit 201A obtains $H(\mathrm{Key}_R) \setminus H(\mathrm{Key}_S)$. Hereafter, for convenience, $H(\mathrm{Key}_R) \setminus H(\mathrm{Key}_S)$ is written as $H(\mathrm{Key}_{R \setminus S})$.

【0056】 The protocol execution unit 201A of the participant device 10A creates the following associative array A' (step S103).

【0057】

【0058】 Here, $d_j$ is one of the elements included in the set of default values D. That is, A' is an associative array in which each element of $H(\mathrm{Key}_S)$ is associated with the value $A[k_i^S]$ corresponding to its original key $k_i^S$, and each element of $H(\mathrm{Key}_{R \setminus S})$ is associated with a default value. Below, $v_i^S := A[k_i^S]$.

【0059】 The protocol execution unit 201A of participant device 10A and the protocol execution unit 201B of participant device 10B repeatedly execute a protocol that realizes Keyword PIR, with participant device 10A as the sender and participant device 10B as the receiver, the protocol execution unit 201A taking the associative array A' and the protocol execution unit 201B taking each element of the set of keys $\mathrm{Key}_R$ as input (step S104). As a result, the protocol execution unit 201B obtains a set $\{o_j\}_{j \in [m]}$ of output values $o_j$ that satisfy the following.

【0060】

【0061】 In step S104 above, a Batched Keyword PIR may be used instead of a Keyword PIR. Furthermore, among the protocols designed to realize PSUs, there are variants that output additional information such as the number of elements in a set, in addition to the union (Reference 3). For this reason, if it is determined that such additional information does not significantly impair the security of the overall protocol, a variant of the protocol may be used instead of a PSU to construct a secure data exchange protocol.

【0062】 As described above, the confidential data exchange protocol according to Example 1 is configured using Symmetric OPRF, PSU, and Keyword PIR as elemental technologies. In this case, the confidential data exchange protocol according to Example 1 associates default values with keys that the receiver possesses but the sender does not, creating an associative array.
This makes it possible for the receiver to obtain either the value held by the sender corresponding to the key they possess or the default value as the value corresponding to the key they possess.

【0063】 <<Example 2>> Example 2 describes the case where Private Join and Compute with Cardinality is implemented as a confidential data linkage.

【0064】 - Function: Let $V_S$ be the set of possible values in the database held by the sender, and let $V_R$ be the set of possible values in the recipient's database. Let M represent the set composed of the multisets whose underlying set is a subset of $V_S \times V_R$. Let q be a predetermined process that takes elements of M (i.e., multisets) as input. The process q is implemented by an algorithm or function that performs the process.

【0065】 The associative arrays S and R are defined as follows:

【0066】
$S := \{k_i^S : v_i^S\}_{i \in [n]}$ (where $\mathrm{Key}_S := \{k_i^S\}_{i \in [n]}$, $\{v_i^S\}_{i \in [n]} \subseteq V_S$)
$R := \{k_j^R : v_j^R\}_{j \in [m]}$ (where $\mathrm{Key}_R := \{k_j^R\}_{j \in [m]}$, $\{v_j^R\}_{j \in [m]} \subseteq V_R$)
Private Join and Compute with Cardinality is a secure computation function in which a sender with an associative array S and a receiver with an associative array R communicate and compute; the sender obtains the cardinality of the union $|\mathrm{Key}_S \cup \mathrm{Key}_R|$, and the receiver obtains the cardinality of the union $|\mathrm{Key}_S \cup \mathrm{Key}_R|$ and the following.

【0067】

【0068】 Note that {{}} is a symbol representing a multiset.

【0069】 In the following, the process q that takes an element of M as input shall have the following property: there exists some element $e \in V_S$ such that, for any element $b \in V_R$ and any multiset $M_1 \in M$, $q(M_1)$ and $q(M_2)$ yield the same result. Here, $M_2$ is the multiset obtained by adding one element $(e, b) \in V_S \times V_R$ to the multiset $M_1$.

【0070】 An example of a process q having the above properties is, when any element of $V_S$ is considered an n-dimensional vector, the process of aggregating (adding) the elements of $V_S$ included in the multiset $M_1$. In this case, e is an element that is considered to be the n-dimensional zero vector.

【0071】 • Protocol: Figure 5 is a sequence diagram showing an example of the confidential data sharing protocol according to Embodiment 2. In the following, the receiver of the confidential data sharing protocol according to Embodiment 2 will be referred to as participant device 10A, and the sender as participant device 10B. It is assumed that the storage unit 202A stores the associative array S and the set of keys $\mathrm{Key}_S$, and that the storage unit 202B stores at least the set of keys $\mathrm{Key}_R$.

【0072】 In this case, the following explains the case where the protocol execution unit 201A of the participant device 10A obtains $q(\{\{(o_j, S[k_j^R])\}\}_{j \in [m]})$ (where $o_j$ is $\mathrm{Enc}(S[k_j^R])$ or the default value $\mathrm{Enc}(e)$). Here, Enc(•) is a probabilistic algorithm used for encryption in homomorphic encryption. In the following, the process q will be assumed to have the above properties.

【0073】 The protocol execution unit 201A of the participant device 10A generates a homomorphic encryption key (step S201).

【0074】 The protocol execution unit 201A of the participant device 10A encrypts the value of the associative array S using homomorphic encryption with the key generated in step S201 (step S202). That is, the protocol execution unit 201A creates the associative array $\{k_i^S : \mathrm{Enc}(v_i^S)\}_{i \in [n]}$.

【0075】 The protocol execution unit 201A of the participant device 10A creates the set of default values $\{\mathrm{Enc}(e)\}_{j \in [m]}$ by homomorphic encryption using the key generated in step S201 above (step S203). Here, $\{\mathrm{Enc}(e)\}_{j \in [m]}$ is the set of m outputs obtained by inputting $e \in V_S$ into the probabilistic algorithm Enc(•) m times.

【0076】 The protocol execution unit 201A of participant device 10A and the protocol execution unit 201B of participant device 10B execute the confidential data sharing protocol according to Example 1, with participant device 10A as the sender and participant device 10B as the receiver, the protocol execution unit 201A taking the associative array $\{k_i^S : \mathrm{Enc}(v_i^S)\}_{i \in [n]}$ and the set of default values $\{\mathrm{Enc}(e)\}_{j \in [m]}$ as input and the protocol execution unit 201B taking the set of keys $\mathrm{Key}_R$ as input (step S204). As a result, the protocol execution unit 201B obtains $\{o_j\}_{j \in [m]}$, where $o_j$ is $\mathrm{Enc}(S[k_j^R])$ if $k_j^R \in \mathrm{Key}_S$ and $\mathrm{Enc}(e)$ otherwise.

【0077】 The protocol execution unit 201B of participant device 10B creates the multiset $J = \{\{(o_j, S[k_j^R])\}\}_{j \in [m]}$ (step S205).

【0078】 The protocol execution unit 201B of the participant device 10B calculates Enc(q(J)) under homomorphic encryption using the multiset J created in step S205 (step S206). At this time, by taking advantage of the fact that $S[k_j^R]$ is not encrypted, the protocol execution unit 201B can perform aggregation processing and the like on the multiset J.

【0079】 The protocol execution unit 201B of the participant device 10B transmits Enc(q(J)) calculated in step S206 to the participant device 10A (step S207).

【0080】 The protocol execution unit 201A of the participant device 10A decrypts Enc(q(J)) using the key generated in step S201 (step S208). As a result, the protocol execution unit 201A obtains $q(J) = q(\{\{(o_j, S[k_j^R])\}\}_{j \in [m]})$.

【0081】 Furthermore, in the confidential data sharing protocol described above, a process q that satisfies differential privacy may be used. This makes q(J) obtained in step S208 secure in terms of differential privacy.
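
The data flow of steps S101-S104 (Example 1) and S201-S208 (Example 2), as an added Python model that is not part of the patent text. Both devices run in one process, so it shows who computes what and gives no privacy: the Symmetric OPRF, PSU and Keyword PIR steps are replaced by the outputs their functionalities would deliver. Assumptions: HMAC-SHA256 as H, a toy Paillier scheme as the homomorphic encryption, q(J) chosen as the sum of v_S * v_R with e = 0, the unencrypted component of each pair taken to be device 10B's own value for that key, and all function names and sample data.

```python
# Added example: plaintext model of Examples 1 and 2. Both devices run in one
# process, so nothing here is oblivious; the Symmetric OPRF, PSU and Keyword
# PIR steps are replaced by the outputs their functionalities would deliver.
import hashlib
import hmac
import math
import secrets


def sym_oprf(k_a: bytes, k_b: bytes, x: str) -> bytes:
    """H(k_B, H(k_A, x)) from steps 2-1 to 2-5; HMAC-SHA256 is an assumed PRF."""
    inner = hmac.new(k_a, x.encode(), hashlib.sha256).digest()
    return hmac.new(k_b, inner, hashlib.sha256).digest()


def pir_dc(A: dict, defaults: list, key_r: list, k_a: bytes, k_b: bytes):
    """Example 1 (S101-S104): returns (|Key_S ∪ Key_R|, [o_j for j in [m]])."""
    # S101: device 10A holds H(Key_S), device 10B holds H(Key_R).
    h_s = {sym_oprf(k_a, k_b, k): k for k in A}
    h_r = [sym_oprf(k_a, k_b, k) for k in key_r]
    # S102: the PSU step gives 10A only H(Key_R) \ H(Key_S).
    h_r_minus_s = [h for h in dict.fromkeys(h_r) if h not in h_s]
    if len(defaults) < len(h_r_minus_s):
        raise ValueError("need one default value per key in Key_R \\ Key_S")
    # S103: A' maps H(k_i^S) to A[k_i^S] and every other image to a default d_j.
    a_prime = {h: A[k] for h, k in h_s.items()}
    a_prime.update(zip(h_r_minus_s, defaults))
    # S104: 10B retrieves the entry of A' for each of its keys (Keyword PIR).
    return len(a_prime), [a_prime[h] for h in h_r]


class ToyPaillier:
    """Additively homomorphic stand-in for the page's unspecified HE scheme.
    Two Mersenne primes give a ~92-bit modulus: far too small for real use."""

    def __init__(self, p: int = 2**31 - 1, q: int = 2**61 - 1):
        self.n, self.n2 = p * q, (p * q) ** 2
        self._phi = (p - 1) * (q - 1)
        self._mu = pow(self._phi, -1, self.n)

    def enc(self, m: int) -> int:
        r = secrets.randbelow(self.n - 1) + 1
        while math.gcd(r, self.n) != 1:
            r = secrets.randbelow(self.n - 1) + 1
        return (1 + m * self.n) * pow(r, self.n, self.n2) % self.n2

    def dec(self, c: int) -> int:
        return (pow(c, self._phi, self.n2) - 1) // self.n * self._mu % self.n

    def add(self, c1: int, c2: int) -> int:      # Enc(a), Enc(b) -> Enc(a + b)
        return c1 * c2 % self.n2

    def mul_plain(self, c: int, k: int) -> int:  # Enc(a), k -> Enc(k * a)
        return pow(c, k, self.n2)


def join_and_compute(S: dict, R: dict, k_a: bytes, k_b: bytes):
    """Example 2 (S201-S208) with q(J) = sum of v_S * v_R, so e = 0."""
    he = ToyPaillier()                                        # S201 (10A)
    enc_s = {k: he.enc(v) for k, v in S.items()}              # S202 (10A)
    enc_defaults = [he.enc(0) for _ in R]                     # S203: m fresh Enc(e)
    card, o = pir_dc(enc_s, enc_defaults, list(R), k_a, k_b)  # S204
    # S205 (10B): pair each ciphertext o_j with 10B's own plaintext value.
    J = list(zip(o, R.values()))
    # S206 (10B): evaluate q under encryption; 10B never sees a plaintext v_S.
    acc = None
    for c, v_r in J:
        term = he.mul_plain(c, v_r)
        acc = term if acc is None else he.add(acc, term)
    # S207-S208: 10B returns Enc(q(J)); 10A decrypts it with its key.
    return card, (he.dec(acc) if acc is not None else 0)


# Constructed sample databases (not from the page).
SENDER_DB = {"u1001": 3, "u1002": 5, "u1003": 7}
RECEIVER_DB = {"u1002": 2, "u1003": 10, "u1004": 4}

if __name__ == "__main__":
    ka, kb = secrets.token_bytes(32), secrets.token_bytes(32)
    print(pir_dc(SENDER_DB, [0, 0, 0], list(RECEIVER_DB), ka, kb))
    print(join_and_compute(SENDER_DB, RECEIVER_DB, ka, kb))
```

Because the default is an encryption of e = 0, the key that only device 10B holds contributes nothing to the decrypted sum, which is the property of q stated in paragraph 【0069】.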

【0082】 As described above, the confidential data sharing protocol according to Embodiment 2 is constructed using homomorphic encryption, Symmetric OPRF, PSU, and Keyword PIR as elemental technologies. In this case, the confidential data sharing protocol according to Embodiment 2 uses an element e, which is like an "identity element," to create a set of default values. This makes it possible to apply the confidential data sharing protocol according to Embodiment 1, and the recipient can obtain q(J).

【0083】 <<Example 3>> Example 3 describes the case where the de-identification process (Reference 1) is applied to the confidential data sharing protocol according to Example 1 or 2.

【0084】 Figure 6 is a sequence diagram showing an example of a confidential data sharing protocol according to Example 3.

【0085】 The protocol execution unit 201A of participant device 10A and the protocol execution unit 201B of participant device 10B share random numbers (hereinafter also referred to as "salt") (step S301). Any known method can be used for generating and sharing random numbers.

【0086】 The protocol execution unit 201A of the participant device 10A uses the salt shared in step S301 to convert the keys of the associative array stored in the storage unit 202A using a salted hash function (step S302).

【0087】 The protocol execution unit 201A of the participant device 10A discards the key before the conversion in step S302 and the salt shared in step S301 (step S303).

【0088】 The protocol execution unit 201B of the participant device 10B uses the salt shared in step S301 to convert the keys of the associative array stored in the storage unit 202B using a salted hash function (step S304).

【0089】 The protocol execution unit 201B of the participant device 10B discards the key before the conversion in step S303 and the salt shared in step S301 (step S305).

【0090】 The protocol execution unit 201A of the participant device 10A performs known anonymization processing on the associative array stored in the storage unit 202A as needed (step S306).

【0091】 The protocol execution unit 201B of the participant device 10B performs known anonymization processing on the associative array stored in the storage unit 202B as needed (step S307).

【0092】 The protocol execution unit 201A of participant device 10A and the protocol execution unit 201B of participant device 10B execute the confidential data exchange protocol according to Example 1 or 2 (step S308).

【0093】 <Summary> As described above, in the secure data sharing system 1 according to this embodiment, homomorphic encryption, OPRF, Keyword PIR, and PSU are used as elemental technologies, and a secure data sharing protocol can be constructed using these elemental technologies. All of these elemental technologies have a wide range of applications and are expected to develop further in the future. For this reason, compared to cases where a secure data sharing protocol is constructed using very complex technologies such as elliptic curve groups or PC (Non-Patent Literature 5) as elemental technologies, it is possible to realize a secure data sharing protocol that is easy to apply and improve. Furthermore, it is possible to realize a secure data sharing protocol that meets various requirements (e.g., "I want to shorten the computation time," "Even if the computation time is long, I want to reduce memory usage," etc.).

【0094】 Please note that the specific implementation methods for homomorphic encryption, OPRF (including Symmetric OPRF), Keyword PIR, and PSU are not limited to any particular method.

【0095】 The present invention is not limited to the embodiments specifically disclosed above, and various modifications, changes, and combinations with known technologies are possible without departing from the spirit of the claims.

【0096】 [References]
Reference 1: Kazuma Nozawa et al. "Proposal and Evaluation of a Data Linkage Method Suitable for Cross-Organizational Personal Data Integration". In: Proceedings of the Computer Security Symposium 2022 (Oct. 17, 2022), pp. 333-340.
Reference 2: Tancrede Lepoint et al. "Private Join and Compute from PIR with Default". In: Advances in Cryptology - ASIACRYPT 2021. Ed. by Mehdi Tibouchi and Huaxiong Wang. Vol. 13091. Cham: Springer International Publishing, 2021, pp. 605-634.
Reference 3: Yanxue Jia et al. The Ideal Functionalities for Private Set Union, Revisited. 2022.

【0097】
1. Confidential Data Sharing System
10. Participant Device
20. Communication Network
101. Input Device
102. Display Device
103. External Interface
103a. Recording Medium
104. Communication Interface
105. RAM
106. ROM
107. Auxiliary Storage Device
108. Processor
109. Bus
201. Protocol Execution Unit
202. Memory Unit

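Steps S301 to S308 of Example 3, run on constructed data, as an added example that is not code from the patent. Assumptions: HMAC-SHA256 stands in for the unspecified "salted hash function", device 10A plays the first device, the default value is 0, and the optional anonymization steps S306/S307 are omitted. The Symmetric OPRF, PSU and Keyword PIR sub-protocols are replaced by a plaintext stand-in (`first_protocol_plain`, a hypothetical name) that reproduces only their inputs and outputs.

```python
import hashlib
import hmac
import secrets

def salted_key(salt: bytes, key: str) -> str:
    """Salted hash of one join key. HMAC-SHA256 is this example's choice;
    the page only says "salted hash function"."""
    return hmac.new(salt, key.encode("utf-8"), hashlib.sha256).hexdigest()

def deidentify(table: dict, salt: bytes) -> dict:
    """Steps S302/S304: return the associative array re-keyed by salted hash."""
    rekeyed = {}
    for key, value in table.items():
        digest = salted_key(salt, key)
        if digest in rekeyed:  # two keys on one digest would silently merge records
            raise ValueError("salted-hash collision")
        rekeyed[digest] = value
    return rekeyed

def first_protocol_plain(first: dict, second_keys: set, default) -> dict:
    """Plaintext stand-in for the first protocol's input/output behaviour.
    No OPRF, PSU or Keyword PIR runs here, so it provides no privacy."""
    union = set(first) | set(second_keys)              # PSU result: union of key sets
    array = {k: first.get(k, default) for k in union}  # first associative array
    return {k: array[k] for k in second_keys}          # answers to the second key set

def run_example_3(table_a: dict, table_b: dict, default=0) -> dict:
    """Steps S301-S308; returns device 10B's rows as (own value, value from 10A)."""
    salt = secrets.token_bytes(32)                     # S301: shared random salt
    hashed_a = deidentify(table_a, salt)               # S302
    hashed_b = deidentify(table_b, salt)               # S304
    # S303/S305: drop the salt and original keys. This only removes local
    # references; a real device must also erase its stored copies.
    del salt, table_a, table_b
    looked_up = first_protocol_plain(hashed_a, set(hashed_b), default)  # S308
    return {k: (hashed_b[k], looked_up[k]) for k in hashed_b}

# Constructed sample data: identifier -> attribute held by each participant.
TABLE_A = {"alice@example.com": 120, "bob@example.com": 75}
TABLE_B = {"bob@example.com": 3, "carol@example.com": 8}

if __name__ == "__main__":
    for pseudonym, pair in sorted(run_example_3(TABLE_A, TABLE_B).items()):
        print(pseudonym[:12], pair)
```

Because the salt is discarded after conversion, the pseudonymous keys cannot later be recomputed from candidate identifiers by either participant, which is what keeps low-entropy keys such as e-mail addresses from being recovered by guessing.
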
Claims

1. A device that enables secure data exchange with other devices that are connected to it in a communicable manner, the device executing a first protocol which includes: executing a Symmetric OPRF protocol with the other device using a first key set held by the device and a second key set held by the other device; executing a PSU protocol with the other device using the result of executing the Symmetric OPRF protocol; creating a first associative array which associates the result of executing the PSU protocol with values corresponding to keys included in the first key set and the second key set, and default values for keys included in the second key set but not included in the first key set; and executing a Keyword PIR protocol with the other device using the first associative array and the second key set.

2. The apparatus according to claim 1, which performs a second protocol that includes: encrypting values corresponding to keys included in the first key set using homomorphic encryption, creating a set of default values by encrypting predetermined values using homomorphic encryption; executing the first protocol with the other device using a second associative array composed of keys included in the first key set and encrypted values corresponding to those keys, and the set of default values; and decrypting the result of a predetermined process that takes a multiset created from the results of executing the first protocol as input using homomorphic encryption.

3. A system for realizing secure data exchange between a first device and a second device that are communicably connected to each other, the system executing a first protocol which includes: executing a Symmetric OPRF protocol between the first device and the second device using a first key set held by the first device and a second key set held by the second device; executing a PSU protocol between the first device and the second device using the result of executing the Symmetric OPRF protocol; the first device creating a first associative array which associates the result of executing the PSU protocol with values corresponding to keys included in the first key set and the second key set, and default values for keys included in the second key set but not included in the first key set; and executing a Keyword PIR protocol between the first device and the second device using the first associative array and the second key set.

4. The system according to claim 3, wherein the first device encrypts values corresponding to keys included in the first key set using homomorphic encryption, and encrypts predetermined values using homomorphic encryption to create a set of default values; the first device and the second device execute the first protocol using a second associative array composed of keys included in the first key set and encrypted values corresponding to those keys, and the set of default values; the second device calculates the result of a predetermined process that takes a multiset obtained by associating the execution result of the first protocol with the second key set as input; and the first device decrypts the result of the process using homomorphic encryption.