The present invention relates to a technique for performing approximation calculation for a function through secure computation.
As a method for obtaining a specified operation result without reconstructing encrypted numerical values, there is a method called secure computation (see Non-patent Literature 1, for example). In the method described in Non-patent Literature 1, encryption for distributing shares of a numerical value over three secure computation devices is performed, and the three secure computation devices perform cooperative calculation and are accordingly allowed to hold results of addition-and-subtraction, constant addition, multiplication, constant multiplication, logical operations (a NOT, an AND, an OR, and an XOR), and data format conversion (an integer or a binary) in a state that the results are distributed over the three secure computation devices, that is, in an encrypted state, without reconstructing numerical values.
As a method for realizing calculation of a complicated function such as an exponential function and a logarithmic function on secure computation, calculation is performed by approximating the function to a polynomial which can be calculated through a combination of addition-and-subtraction and multiplication. Non-patent Literature 2, for example, describes a method for performing calculation by approximating an exponential function to a polynomial.
However, in polynomial approximation of a complicated function, the order of the polynomial needs to be increased so as to improve approximation accuracy, in related art. For example, an approximate formula expressed by the fourth-order polynomial is calculated so as to realize calculation of an exponential function in Non-patent Literature 2. Further, a sigmoid function used in logistic regression and a neural network requires at least the tenth-order polynomial so as to secure sufficient accuracy. When the order n of a polynomial is increased, the number of times of addition-and-subtraction and multiplication is increased in O(n), increasing calculation time.
In view of the above-described technical problems, the present invention is aimed to reduce calculation time without degrading approximation accuracy when a complicated function is calculated through secure computation.
In order to solve the above-described problem, a secret batch approximation system according to one aspect of the present invention includes a plurality of secure computation devices, in which a concealed text [z]:=([z1], . . . , [zn]) of an approximate value z:=(z1, . . . , zn) for a function value y (y1, . . . , yn) satisfying yj=f(xj) is calculated for each integer j, the integer j being not less than 1 and not more than n, by using a concealed text [x]:=([x1], . . . , [xn]) of n pieces of values x:=(x1, . . . , xn) as input when n is defined as an integer being not less than 1. m is defined as an integer being not less than 2, g is defined as a polynomial for approximating each section of m sections into which the function f is divided, i is defined as each integer being not less than 1 and not more than m, Ri is defined as the section, and pi is defined as a parameter of the polynomial g corresponding to the section Ri. Each of the secure computation devices comprises: a parameter acquisition unit that acquires a concealed text [a]:=([a1], . . . , [an]) of a parameter a:=(a1, . . . , an) corresponding to the value x:=(x1, . . . , xn) for each integer j, where aj is defined as the parameter pi corresponding to the section Ri including the value xj; and a polynomial calculation unit that calculates the polynomial g([x], [a]) by using the concealed text [x] of the value x as input based on the concealed text [a] of the parameter a so as to obtain the concealed text [z] of the approximate value z for the function value y.
According to the secret batch approximation technique of the present invention, in calculation of a complicated function through secure computation, approximation can be performed by a lower-order polynomial than that of related art and calculation time can be accordingly reduced without degrading approximation accuracy.
Notation and definitions of terms in this specification are first described.
<Notation>
A value obtained by concealing a certain value a through encryption, secret sharing, or the like is referred to as a concealed text of a and expressed as [a]. Further, a is referred to as a plaintext of [a]. When concealment is performed through secret sharing, a set of shares of secret sharing, which are held by each secure computation device, is referred to by [a].
[a, b] (square bracket) in a domain of definition of a variable denotes a closed section and (a, b) (parentheses) denotes an open section. For example, i∈[a, b] represents that i is a value which is not less than a and not more than b. Further, i∈[a, b) represents that i is a value which is not less than a and less than b.
<Addition, Subtraction, Multiplication>
In each operation of addition, subtraction, and multiplication with respect to concealed texts, concealed texts [c1], [c2], and [c3] of respective calculation results c1, c2, and c3 of a+b, a−b, and ab are calculated by using concealed texts [a] and [b] of two values a and b as input. Execution of these operations are respectively expressed as the following formulas.
[c1]←Add([a],[b])
[c2]←Sub([a],[b])
[c3]←Mul([a],[b])
When there is no possibility of misunderstanding, Add([a], [b]), Sub([a], [b]), and Mul([a], [b]) are respectively abbreviated as [a]+[b], [a]−[b], and [a]×[b].
<Batch Mapping>
In an operation of batch mapping, concealed texts ([y1], . . . , [yn]) of n pieces of values (y1, . . . , yn) (here, it is assumed that each yi satisfies yi=aj where j satisfies xi<uj when j=1 and uj-1≤xi<uj otherwise) are calculated by using concealed texts ([x1], . . . , [xn]) of n pieces of values (x1, . . . , xn) (here, it is assumed that each xj satisfies xj<um for later-described um) and tuples of m pieces of values (u1, . . . , um) (here, ui<ui+1) and m pieces of values (a1, . . . , am) as input. Execution of this operation is expressed as the following formula.
([y1], . . . ,[yn])←BatchMap(([x1], . . . ,[xn]),(u1, . . . ,um),(a1, . . . ,am))
Reference Literatures 1 and 2 below describe a secure computation batch mapping algorithm for efficiently calculating batch mapping through secure computation.
The present invention utilizes the fact that even a complicated function can be approximated with sufficient accuracy even by a low-order polynomial if sections of the function are limited. Specifically, a function is divided into a plurality of sections, each of the sections is approximated by a lower-order polynomial, and the whole function is thus approximated by a plurality of low-order polynomials. In practical calculation, a section in which an input is included is specified and a low-order polynomial is calculated by using a parameter corresponding to the section. Accordingly, approximation exhibiting accuracy equivalent to accuracy of related art can be realized by using approximate formulas of a lower order when a number of calculation is performed in batch. Since calculation time of a polynomial is proportional to an order of the polynomial, entire calculation time can be reduced without degrading approximation accuracy.
Embodiments according to the present invention are described in detail below. It is to be noted that components mutually having the same function are identified with the same reference character in the drawings and duplicate description thereof are omitted.
A configuration example of a secret batch approximation system 100 according to a first embodiment will be described with reference to
A configuration example of the secure computation device 1k (k=1, . . . , K) included in the secret batch approximation system 100 according to the present embodiment will be described with reference to
The secure computation device 1k is a special device configured in a manner that a special program is read in a known or dedicated computer including a central processing unit (CPU) and a main storage unit (random access memory: RAM), for example. The secure computation device 1k executes each processing under the control of the central processing unit, for example. Data inputted into the secure computation device 1k and data obtained through each processing are stored, for example, in the main storage unit and the data stored in the main storage unit is read onto the central processing unit as needed and used for other processing. At least part of processing units of the secure computation device 1k may be composed of hardware such as an integrated circuit. Each storage included in the secure computation device 1k may be composed of a main storage unit such as a random access memory (RAM), an auxiliary storage unit composed of a hard disk, an optical disk, or a semiconductor memory element such as a flash memory, or middleware such as relational database and a key-value store, for example.
A processing procedure of the secret batch approximation method executed by the secret batch approximation system 100 according to the present embodiment will be described with reference to
The polynomial g(x, a) and a sequence ((R1, p1), . . . , (Rm, pm)) of tuples of a section and a parameter are stored in the storage 10 of each secure computation device 1k. The polynomial g(x, a) is a polynomial for approximating each of sections obtained by dividing the function f(x), which is a calculation target, into predetermined m sections and is a polynomial of lower order than a polynomial for approximating the whole of the function f(x). a denotes a parameter for defining the polynomial g(x, a) and is an array of coefficients of respective terms, for example. Ri (i=1, . . . , m) denotes information indicating each of the sections obtained by dividing the function f(x) into m sections. pi (i=1, . . . , m) denotes a parameter for approximating the section Ri of the function f(x) by the polynomial g(x, a).
In step S1, the input unit 11 of each secure computation device 1k receives the concealed texts [x]:=([x1], . . . , [xn]) of n pieces of values x:=(x1, . . . , xn) being calculation targets, as input. The input unit 11 outputs the concealed texts [x] of the values x to the parameter acquisition unit 12.
In step S2, the parameter acquisition unit 12 of each secure computation device 1k receives the concealed texts [x] of the values x from the input unit 11, and acquires the concealed texts [a]:=([a1], . . . , [an]) of n pieces of parameters a:=(a1, . . . , an) satisfying ∀j∈[1, n] and ∃i s.t. aj=pi, xj∈Ri from the sequence ((R1, p1), . . . , (Rm, pm)) of tuples of a section and a parameter which are stored in the storage 10, for respective integers j which are not less than 1 and not more than n. That is, the concealed texts [a1], . . . , [an] of the parameters a1, . . . , an respectively corresponding to the values x1, . . . , xn are generated for respective integers j which are not less than 1 and not more than n, where aj is defined as the parameter pi of the section Ri corresponding to the value xj. The parameter acquisition unit 12 outputs the concealed texts [x] of the values x and the concealed texts [a] of the parameters a to the polynomial calculation unit 13.
In step S3, the polynomial calculation unit 13 of each secure computation device 1k receives the concealed texts [x] of the values x and the concealed texts [a] of the parameters a from the parameter acquisition unit 12 and calculates [zj]=g([xj], [aj]) in accordance with the polynomial g(x, a) stored in the storage 10 for respective integers j which are not less than 1 and not more than n. The polynomial calculation unit 13 outputs the concealed texts [z]:=([z1], . . . , [zn]) of the approximate values z:=(z1, . . . , zn) for the function values y (y1, . . . , yn) to the output unit 14.
In step S4, the output unit 14 of each secure computation device 1k receives the concealed texts [z] of the approximate values z for the function values y from the polynomial calculation unit 13 and sets the concealed texts [z] as output of the secure computation device 1k.
A second embodiment describes a more specific example in which the following sigmoid function, a domain of definition of which is expressed as X:=[0, 1000), is approximated by a quadratic function.
Differences from the first embodiment will be mainly described below.
A polynomial g(x, a) and a sequence ((R1, p1), . . . , (Rm, pm)) of tuples of a section and a parameter are stored in the storage 10 of each secure computation device 1k. A parameter of the polynomial g(x, a) of the present embodiment is a:=(b, c, d) and the polynomial g(x, a) is defined as g(x, a)=bx2+cx+d. The section Ri of the present embodiment is defined as Ri:=[1i, ui) for i∈[1, m] (here, 1i=0, um=1000, ui=1i+i, and 1i≤ui for i∈[1, m)). The parameter pi of the present embodiment is defined as pi:=(bi, ci, di).
The parameter acquisition unit 12 of each secure computation device 1k according to the present embodiment executes a secure computation batch mapping algorithm as the following formula by using the concealed texts [x], (u1, . . . , um), and ((b1, c1, d1), . . . , (bm, cm, dm)) as input, acquiring concealed texts [a]:=([a1], . . . , [an]) of the parameters a (a1, . . . , an).
([a1], . . . ,[an])←BatchMap([x],(u1, . . . ,um),((b1,c1,d1), . . . ,(bm,cm,dm)))
Here, aj satisfies aj=(bi, ci, di) for certain i satisfying xj∈Ri.
The polynomial calculation unit 13 of each secure computation device 1k according to the present embodiment calculates the following formula based on [aj]:=([b′j], [c′j], [d′j]) for each integer j which is not less than 1 and not more than n, obtaining a concealed text [zj] of an approximate value zj.
[zj]←[b′i]×[xj]×[xj]+[c′i]×[xj]+[d′i]
The present invention utilizes the fact that even a complicated function can be approximated with sufficient accuracy even by a low-order polynomial if sections of the function are limited. Specifically, a function is divided into the predetermined number of sections to obtain parameters for approximating respective sections by low-order polynomials in advance, and low-order polynomial approximation is performed through acquiring a parameter corresponding to an input value depending on the section including the input value. Accordingly, approximation exhibiting accuracy equivalent to accuracy of related art can be realized by using lower-order polynomials when a number of calculation is performed in batch. Especially, polynomial approximation can be more efficiently performed through acquiring parameters corresponding to respective input values of a plurality of input values by using a secure computation batch mapping algorithm for the input values. For example, it is reported that at least tenth order is experimentally required so as to obtain sufficient accuracy in logistic regression for a sigmoid function which is heavily required in each iterative calculation in learning of logistic regression (see Reference Literature 3). However, if the number of sections is set to 5000, for example, approximation can be realized by a cubic polynomial with almost double accuracy and the number of times of multiplication and addition for real numbers can be reduced by 70 percent.
While the embodiments of the present invention have been described, specific configurations are not limited to these embodiments, but design modifications and the like within a range not departing from the spirit of the invention are encompassed in the scope of the invention, of course. The various processes described in the embodiments may be executed in parallel or separately depending on the processing ability of a device executing the process or on any necessity, rather than being executed in time series in accordance with the described order.
[Program and Recording Medium]
When various types of processing functions in the devices described in the above embodiments are implemented on a computer, the contents of processing function to be contained in each device is written by a program. With this program executed on the computer, various types of processing functions in the above-described devices are implemented on the computer.
This program in which the contents of processing are written can be recorded in a computer-readable recording medium. The computer-readable recording medium may be any medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory.
Distribution of this program is implemented by sales, transfer, rental, and other transactions of a portable recording medium such as a DVD and a CD-ROM on which the program is recorded, for example. Furthermore, this program may be stored in a storage unit of a server computer and transferred from the server computer to other computers via a network so as to be distributed.
A computer which executes such program first stores the program recorded in a portable recording medium or transferred from a server computer once in a storage unit thereof, for example. When the processing is performed, the computer reads out the program stored in the storage unit thereof and performs processing in accordance with the program thus read out. As another execution form of this program, the computer may directly read out the program from a portable recording medium and perform processing in accordance with the program. Furthermore, each time the program is transferred to the computer from the server computer, the computer may sequentially perform processing in accordance with the received program. Alternatively, a configuration may be adopted in which the transfer of a program to the computer from the server computer is not performed and the above-described processing is executed by so-called application service provider (ASP)-type service by which the processing functions are implemented only by an instruction for execution thereof and result acquisition. It should be noted that a program in this form includes information which is provided for processing performed by electronic calculation equipment and which is equivalent to a program (such as data which is not a direct instruction to the computer but has a property specifying the processing performed by the computer).
In this form, the present device is configured with a predetermined program executed on a computer. However, the present device may be configured with at least part of these processing contents realized in a hardware manner.
Number | Date | Country | Kind |
---|---|---|---|
2018-100340 | May 2018 | JP | national |
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/JP2019/019846 | 5/20/2019 | WO | 00 |