The present invention relates to secret computation techniques, and more specifically, to a technique that computes, while concealing data, a power of the data.
Secret computation technology for analyzing sensitive data while concealing it, in order to share and analyze the data, has been researched. One type of such a technology uses a method called secret sharing in which data is divided into a plurality of pieces called shares. In order to perform various analyses while the data is concealed, protocols have been proposed to perform operations on the concealed data, such as multiplication, addition, and sorting (see Non-Patent Literature 1 and Non-Patent Literature 2, for example).
Suppose that a power of data is computed while the data is concealed. The Binary method is usually used to compute a power, for example, to compute [a9] from [a], wherein [a] indicates data “a” being concealed. The Binary method repeats multiplication to compute a desired power. The Binary method computes [a9] in the following way, wherein Mult indicates the procedure of multiplication.
1. [a2]←Mult([a], [a])
2. [a4]←Mult([a2], [a2])
3. [a8]←Mult([a4], [a4])
4. [a9]←Mult([a8], [a])
To compute a power with the Binary method, it is necessary to perform multiplication O(log m) times to compute the m-th power. In secret computation, communication is required for multiplication, which serves as a bottleneck for performance. Therefore, it is desirable that a power be computed with a smaller number of multiplication calls.
An object of the present invention is to provide secret computation technology that computes a power of data while concealing the data, with a small number of communication rounds.
To solve the problems described above, a secret computation method according to a first aspect of the present invention is a secret computation method in which GF(pk) is an extended field having a characteristic of p and a degree k of field extension, a is data that is an element of the extended field GF(pk), [a] is a share obtained by applying additive secret sharing to data a, ν is an integer equal to or larger than 2, and u and t are integers equal to or larger than 1 and satisfy t*pu≤ν, the secret computation method computing a share [aν] of the ν-th power of data a from a share [a] of data a while data a is concealed and being executed by a secret computation system that includes three or more secret computation apparatuses. The secret computation method includes computing the pu-th power of a share [at] of the t-th power of data a in a local operation unit of one of the three or more secret computation apparatuses without communication with the other secret computation apparatuses; and obtaining the share [aν] in a secret computation unit of the one of the three or more secret computation apparatuses by computing a multiplication in which at least one of the multiplicands is
the computation result of the local operation unit, using secret computation that requires communication with the other secret computation apparatuses.
A secret computation method according to a second aspect of the present invention is a secret computation method in which GF(pk) is an extended field having a characteristic of p and a degree k of field extension, a is data that is an element of the extended field GF(pk), r is a random number that is an element of the extended field GF(pk), [a] is a share obtained by applying additive secret sharing to data a, <a>:=([a], [ra]) is a randomized shared value of data a, ν is an integer equal to or larger than 2, and u and t are integers equal to or larger than 1 and satisfy t*pu≤ν, the secret computation method computing a randomized shared value <aν>:=([aν], [raν]) of the ν-th power of data a from a randomized shared value [a] of data a while data a is concealed and being executed by a secret computation system that includes three or more secret computation apparatuses. The secret computation method includes computing the pu-th power of a share [at] of the t-th power of data a in a local operation unit of one of the three or more secret computation apparatuses without communication with the other secret computation apparatuses; obtaining a randomized shared value
of the computation result of the local operation unit in a randomizing unit of the one of the three or more secret computation apparatuses by multiplying
the computation result of the local operation unit, with a share [r] of the random number r using secret computation that requires communication with the other secret computation apparatuses; and obtain the randomized shared value <aν> in a secret computation unit of the one of the three or more secret computation apparatuses by computing a multiplication in which at least one of the multiplicands is a randomized shared value
of the computation result of the local operation unit using secret computation that requires communication with the other secret computation apparatuses.
According to the present invention, since some operations are performed locally when a power of data is computed while the data is concealed, the power is computed at high speed with a small number of communication rounds.
Embodiments of the present invention will be described below in detail. Components having identical functions will be denoted by the same reference numbers in the figures, and duplication of description thereof will be omitted.
Notation
A superscript indicates a power and the sign {circumflex over ( )} in a superscript also means a power. For example, ab means the b-th power of a, and
means the bc-th power of a.
Data obtained by concealing data “a” with encryption or secret sharing is called the secure text of “a” and is indicated by [a]. “a” is called the plaintext of [a]. When secret sharing is used in concealment, [a] is called a share or a shared value of data “a”.
A randomized shared value of data “a” is indicated by <a>. A randomized shared value is a pair of a share [a] of data “a” and a share [ra] of the product “ra” of data “a” and a random number “r”. Therefore, a randomized shared value of data “a” can be defined as: <a>:=([a], [ra]). In the randomized shared value <a>:=([a], [ra]), [a] is called the 0-th component and [ra] is called the first component. See Non-Patent Literature 1 for detecting secret falsification with randomized shared values.
A field to which data and shares belong to is called GF(pk), and hereinafter, all operations are performed on GF(pk), wherein p is called a characteristic and k is called a degree of field extension. For example, when a, b∈GF(7), a+b is obtained by adding a and b and applying mod 7 to the sum. When a, b∈GF(28), a+b is obtained by applying XOR to the corresponding bits of a and b expressed in bits.
Additive Secret Sharing
Additive secret sharing is a secret sharing method in which data “a” is divided into the sum or difference of a plurality of shares ai (i=0, 1, . . . , m−1), as shown in the formula below, and sharing and reconstructing are performed only by addition and subtraction.
In additive secret sharing, when all of m shares a0, a1, . . . , and am−1 are obtained from some servers, the original data “a” can be reconstructed; if any of the shares a0, a1, . . . , and am−1 is not obtained, the original data “a” cannot be reconstructed.
Replicated Secret Sharing
Replicated secret sharing formed of the following Share and Rec protocols can be used as additive secret sharing. The Share protocol divides plaintext into shares, and the Rec protocol reconstructs the plaintext from the shares. In the present invention, however, any method can be used as long as the method has the characteristics of additive secret sharing, even if the method is not replicated secret sharing.
It is assumed that [a] indicates the whole share of data “a” and [a]i indicates a share held by a server “i” among the share [a]. When data “a” is divided and held by three servers (servers 0, 1, and 2), data “a” is divided into a0, a1, and a2 in advance according to the following Share protocol, and servers 0, 1, and 2 respectively store [a]0:=(a0, [a]1:=(a1 a2), and [a]2:=(a2, a0). When data “a” is reconstructed, at least two of the shares [a]0, [a]1, and [a]2 are collected to obtain a0, a1, and a2, and they are added to compute data “a” according to the following Rec protocol.
The Share protocol is, for example, the following protocol.
Input: a
Output: ([a]0, [a]1, [a]2)
1. a1, a2←GF(pk)
2. a0:=a−(a1+a2)
3. [a]i:=(ai, ai+1 mod 3) for i∈{0, 1, 2}
4. return ([a]0, [a]1, [a]2)
The Rec protocol is, for example, the following protocol.
Input: [a]i0, [a]i1 (i0, i1∈{0, 1, 2})
Output: a
1. Obtain a0, a1, a2 from [a]i0, [a]i1
2. return a:=a0+a1+a2
Modification of Replicated Secret Sharing
The following secret sharing can be used as a modification of replicated secret sharing.
The Share protocol is, for example, the following protocol.
Input: a
Output: ([a]0, [a]1, [a]2)
1. a1, a2←GF(pk)
2. a0:=−(a1+a2)
3. [a]i:=(ai, ai−1 mod 3−a) for i∈{0, 1, 2}
4. return ([a]0, [a]1, [a]2)
The Rec protocol is, for example, the following protocol.
Input: [a]i0, [a]i1 (i0, i1∈{0, 1, 2})
Output: a
1. Obtain ai mod 3, ai+1 mod 3, (ai+2 mod 3−a) from [a]i0, [a]i1 for some i∈{0, 1, 2}
2. return a:=−(a0+a1+a2)
Definition of Operations
Mult indicates multiplication in additive secret sharing. More specifically, Mult is a protocol in which, when three servers (servers 0, 1, and 2) respectively store two shares of additive secret sharing, ([a]0, [b]0), [b]1), and ([a]2, [b]2), servers 0, 1, and 2 respectively perform communication and computation to finally obtain [ab]0, [ab]1, and [ab]2. Such an operation is indicated by [ab]←Mult([a], [b]). Mult can be performed by a multiplication protocol in a known secret computation. For example, the protocol described in Scheme 11 in Non-Patent Literature 1 may be used in replicated secret sharing, and a protocol described in Non-Patent Literature 2 may be used in the modification of replicated secret sharing. In the following embodiments, Scheme 11 described in Non-Patent Literature 1 is used as Mult. In that case, every time Mult is called, it is counted as one communication round.
LocalExp indicates an operation in which each server computes a power of a share owned by the server. More specifically, when servers 0, 1, and 2 respectively store [a]0=(a0, a1), [a]1=(a1 a2), and [a]2=(a2, a0), servers 0, 1, and 2 respectively compute [au]0=(au0, au1), [au]1=(au1 au2), and [au]2=(au2, au0) in this protocol. Such an operation is indicated by [au]:=LocalExp([a], u). Since LocalExp only computes a power of a value locally held, communication with another server does not occur.
DoubleMult indicates an operation in which two pairs of secure text are input, and the secure text in the different pairs are multiplied to obtain the resultant secure text. More specifically, ([a], [a′]) and ([b], [b′]) are input, and ([ab], [a′b′]) is output. Such an operation is indicated by ([ab], [a′b′])←DoubleMult(([a], [a′]), ([b], [b′])). DoubleMult can be performed by any known protocol. For example, such a protocol is described in Non-Patent Literature 1. In that case, every time DoubleMult is called, it is counted as one communication round. DoubleMult can be performed by performing Mult twice. More specifically, [ab]←Mult([a], [b]) and [a′b′]←Mult([a′], [b′]) may be performed. In that case, since the two Mult operations can be executed in parallel, one communication round is required as in DoubleMult.
Principle of the Invention
The present invention uses a characteristic called Frobenius endomorphism. This means that the following formula holds on GF(pu) for any u∈Z, wherein Z is a set of integers.
(a+b)p
For simplicity,
is assumed here. However,
also holds even if the plus and minus signs are randomly used.
When this relationship is applied to the relationship between plaintext and shares in additive secret sharing, (a=a0+a1+ . . . +am−1), the following formula holds.
The left side of Formula (1) is plaintext “a” raised to the power of a power of a characteristic, and the right side is the sum of the shares a0, a1, . . . , am−1, of plaintext “a”, each raised to the power of a power of the characteristic. When
and
for i=0, 1, . . . , m−1 are defined, it is found from Formula (1) that the relationship, a′=a′0+a′1+ . . . +a′m−1, between plaintext and shares in additive secret sharing holds. In other words, in order to compute
from [a], each party just needs to compute the pu-th power of its share and does not need any communication at all.
By using this method, a power of any number can be computed at a higher speed. For example, in order to compute [a96] from [a] in GF(28),
and
are locally computed, and Mult ([a64], [a32]) is computed to obtain [a96], as shown below. The required number of communication times is one for the Mult operation.
1. [a64]:=LocalExp([a], 26)
2. [a32]:=LocalExp([a], 25)
3. [a96]←Mult([a64], [a32])
Since the conventional Binary method requires seven Mult operations, as shown below, the above-described method achieves a much higher speed.
1. [a2]←Mult([a], [a])
2. [a4]←Mult([a2], [a2])
3. [a8]←Mult([a4], [a4])
4. [a16]←Mult([a8], [a8])
5. [a32]←Mult([a16], [a16])
6. [a64]←Mult([a32], [a32])
7. [a96]←Mult([a64], [a32])
For Detecting Falsification
It has been confirmed that, in order to compute the power of a power of a characteristic
from a share [a] obtained in additive secret sharing, each party needs to compute the pu-th power of its share. However, when it is assumed that an attacker who tries to perform falsification in secret computation exists and the method for detecting falsification, described in Non-Patent Literature 1 is used, each party holds a randomized shared value <a>:=([a], [ra]), which is a pair of a share [a] obtained in additive secret sharing and a randomized share [ra]. Each party also holds a share [r] separately, which is obtained by applying additive secret sharing to a random number.
The input and output of the computation of the power of a power of a characteristic used when it is assumed that an attacker who tries to perform falsification exists are <a>:=([a], [ra]) and
respectively. If the above-described computation of the power of a power of a characteristic is directly applied to the randomized share [ra], since the first component would be
not
the desired output is not obtained. Therefore, the computation of the power of a power of a characteristic is not applied to the randomized share [ra], but the computation of the power of a power of a characteristic is applied to [a], and the resultant
is multiplied with [r] to obtain
In short, to obtain
from <a>=([a], [ra]), [a] is raised to the pu-th power to obtain
and then Mult
[r]) is computed to obtain
A secret computation system according to a first embodiment includes n (≥3) secret computation apparatuses 11 to 1n, as exemplified in
The secret computation apparatus 1 includes an input unit 11, a local operation unit 12, a secret computation unit 14, and an output unit 15, as exemplified in
The secret computation apparatus 1 is, for example, a special apparatus configured by reading a special program into a known or special computer having a central processing unit (CPU), a main memory (a random access memory: RAM), and other components. The secret computation apparatus 1 executes processing under the control of the central processing unit, for example. Data input to the secret computation apparatus 1 or data obtained by processing is stored in the main memory, for example, and the data stored in the main memory is read into the central processing unit and used for other processing when necessary. At least some of the processing sections of the secret computation apparatus 1 may be configured by hardware such as integrated circuits.
The processing procedure of the secret computation method in the first embodiment will be described below with reference to
In step S11, a share [a] obtained by applying additive secret sharing to data “a”, which is subjected to operations, and the exponent ν (≥2) of a power to be applied to data “a” are input to the input unit 11. The share [a] and the exponent ν are sent to the local operation unit 12.
In step S12, without performing communication with another secret computation apparatus, the local operation unit 12 computes the power of a power of a characteristic, that is, the pu-th power, of a share [at] obtained by applying additive secret sharing to the t-th power of data “a” and obtains a share
by applying additive secret sharing to the pu-th power of data “at”. That is,
is computed, wherein “u” and “t” are integers equal to or larger than 1 and satisfy t*pu≤ν. The local operation unit 12 may perform executions a plurality of number of times to obtain a share [aν] by applying additive secret sharing to the ν-th power of data “a”, but “t” equals 1 at least for the first time of execution, and the pu-th power of a share [a] obtained by applying additive secret sharing to data “a” is computed.
In step S13, the secret computation unit 14 performs secret computation in cooperation with other secret computation apparatuses to multiply a share [aα] obtained by applying additive secret sharing to the α-th power of data “a”, with a share [aβ] obtained by applying additive secret sharing to the β-th power of data “a”. That is, [aα+β]←Mult([aα], [bβ]) is computed, wherein α and β are integers equal to or larger than 1 and satisfy α+β≤ν. Either [αa] or [aβ] is a share
obtained in the local operation unit 12 by applying additive secret sharing to the pu-th power of data “at”. That is, α=t*pu or β=t*pu. The secret computation unit 14 may perform executions a plurality of number of times to obtain a share [aν] by applying additive secret sharing to the ν-th power of data “a”.
In step S14, when the computational result of the local operation unit 12 or the secret computation unit 14 becomes a share [aν] obtained by applying additive secret sharing to the ν-th power of data “a”, the output unit 15 outputs the share [aν].
In a second embodiment, a secret computation system can detect falsification made in power computation using secret computation. The secret computation system of the second embodiment includes n (≥3) secret computation apparatuses 21, . . . , and 2n, as exemplified in
The secret computation apparatus 2 includes an input unit 11, a local operation unit 12, a randomizing unit 13, a secret computation unit 14, and an output unit 15, as exemplified in
The processing procedure of the secret computation method in the second embodiment will be described below with reference to
In step S21, a randomized shared value <a>:=([a], [ra]) obtained by applying additive secret sharing to data “a”, which is subjected to operations, a share [r] obtained by applying additive secret sharing to the random number “r” used when the randomized shared value <a> was generated, and the exponent ν of a power to be applied to data “a” are input to the input unit 11. The randomized shared value <a>, the share [r], and the exponent ν are sent to the local operation unit 12.
In step S22, without performing communication with another secret computation apparatus, the local operation unit 12 computes the power of a power of a characteristic, that is, the pu-th power, of a share [at] obtained by applying additive secret sharing to the t-th power of data “a” and obtains a share
by applying additive secret sharing to the pu-th power of data “at”. That is,
is computed. The share
is sent to the randomizing unit 13.
In step S23, the randomizing unit 13 performs secret computation in cooperation with other secret computation apparatuses to multiply the computation result
of the local operation unit 12 with a share [r] obtained by applying additive secret sharing to a random number “r”. That is,
←Mult
[r]) is computed. With this, a randomized shared value
of the pu-th power of data at is generated. The randomizing unit 13 may also multiply the computation result
of the local operation unit 12 with the first component [ras] of another randomized shared value <as>:=([as], [ras]). That is,
←Mult
[ras]) may be computed, wherein “s” is an integer equal to or larger than 1 and satisfies t*pu+s≤ν. At the same time, the secret computation unit 14 can multiply the computation result
of the local operation unit 12 with the 0th component [as] of another randomized shared value <as>:=([as], [ras]) to obtain
←Mult
[as]) to generate a randomized shared value
of the product of the pu-th power of data “at” and data “as”.
In step S24, the secret computation unit 14 performs secret computation in cooperation with other secret computation apparatuses to multiply a randomized shared value <aα>:=[aα], [raα]) obtained by applying additive secret sharing to the α-th power of data “a”, with a randomized shared value <aβ>:=([aβ], [raβ]) obtained by applying additive secret sharing to the β-th power of data “a”. The above-described DoubleMult can be used for this multiplication. That is, <aα+β>←DoubleMult(([aα], [aα]), ([aβ], [raβ])) is computed. The above-described Mult may be executed twice in parallel. That is, [aα+β]←Mult([aα], [aβ]) and [raα+β]←Mult([aα], [raβ]) are computed, and [aα+β] and [raα+β] are combined to generate <aα+β>:=([aα+β], [raα+β]). Either <aα> or <aβ> is a randomized shared value
obtained by applying additive secret sharing to the pu-th power of data “at”. That is, α=t*pu or β=t*pu. The secret computation unit 14 may execute these operations a plurality of number of times to obtain a randomized shared value <aν> obtained by applying additive secret sharing of the ν-th power of data “a”.
In step S25, when the computational result of the randomizing unit 13 or the secret computation unit 14 becomes a randomized shared value <aν> obtained by applying additive secret sharing to the ν-th power of data “a”, the output unit 15 outputs the randomized shared value <aν>.
Specific protocols implemented by the foregoing embodiments will be shown below. In the following specific examples, three-party secret computation is assumed. However, secret computation technology according to the present invention is not limited to three-party secret computation. In the following specific examples, GF(28) and GF(33) are used as examples. However, the characteristic is not limited to 2 or 3, nor is the degree of field extension limited to 8 or 3.
In a first specific example, the protocol computes a power in secret computation on a field GF(28). Here, a protocol that computes [a21] from [a] is shown.
Input: [a]
Output: [a21]
1. [a16]:=LocalExp([a], 24)
2. [a4]:=LocalExp([a], 22)
3. [a20]←Mult([a16], [a4])
4. [a21]←Mult([a20], [a1])
5. return [a21]
In the above-described protocol, Mult is performed twice, and the number of communication rounds is two. In contrast, when [a21] is computed with the Binary method, Mult is required to be performed six times, as shown in the protocol below. It is found that the number of communication rounds is greatly reduced.
Input: [a]
Output: [a21]
1. [a2]←Mult([a], [a])
2. [a4]←Mult([a2], [a2])
3. [a5]←Mult([a4], [a])
4. [a10]←Mult([a5], [a5])
5. [a20]←Mult([a10], [a10])
6. [a21]←Mult([a20], [a])
7. return [a21]
In a second specific example, the protocol obtains an inverse element in secret computation on a field GF(28). Here, a protocol that computes the inverse element [a−1] from [a] is shown. Since [a−1] [a254] from the Fermat's little theorem, obtaining the inverse element is equal to computing the 254th power.
Input: [a]
Output: [a−1]=[a254]
1. [a2]:=LocalExp([a], 2)
2. [a3]←Mult([a2], [a])
3. [a12]:=LocalExp([a3], 22)
4. [a151←Mult(ra12], [a3])
5. [a14]←Mult([a12], [a2])
6. [a240]:=LocalExp([a15], 24)
7. [a254]←Mult([a240], [a14])
8. return [a254]
In the above-described protocol, since line 4 and line 5 can be executed in parallel, the number of communication rounds is three. In contrast, when [a−1] is computed with the Binary method, Mult is required to be performed 13 times, as shown in the protocol below. It is found that the number of communication rounds is greatly reduced.
Input: [a]
Output: [a−1]=[a254]
1. [a2]←Mult([a], [a])
2. [a3]←Mult([a2], [a])
3. [a6] ←Mult([a3], [a3])
4. [a7]←Mult([a6], [a])
5. [a14]←Mult([a7], [a7])
6. [a15]←Mult([a14], [a])
7. [a30]←Mult([a30], [a30])
8. [a31]←Mult([a30], [a])
9. [a62]←Mult([a32], [a32])
10. [a63]←Mult([a62], [a])
11. [a126]←Mult([a63], [a63])
12. [a127]←Mult([a126], [a])
13. [a254]←Mult([a127], [a127])
14. return [a254]
In a third specific example, the power protocol in secret computation on the field GF(28) is applied to falsification detection. Here, a protocol that computes <a21>=([a21], [ra21]) from <a>=([a], [ra]) is shown. In the following protocol, in order to avoid computing a power of a randomized share, the multiplication of a random number is performed by Mult after local operations.
Input: <a>=([a], [ra]), [r]
Output: <a21>=([a21], [ra21])
1. [a16]:=LocalExp([a], 24)
2. [a4]:=LocalExp([a], 22)
3. [ra4]←Mult([a4], [r])
4. ([a20], [ra20])←DoubleMult(([a16], [a16]), ([a4], [ra4]))
5. ([a21], [ra21])←DoubleMult(([a], [a]), ([a20], [ra20]))
6. return <a21>=([a21], [ra21])
In a fourth specific example, the inverse-element protocol in secret computation on the field GF(28) is applied to falsification detection. Here, a protocol that computes <a−1>=<a254>=([a254], [ra254]), the inverse element of <a>=([a], [ra]), is shown. In the following protocol, in order to avoid computing a power of a randomized share, the multiplication of a random number is performed by Mult after local operations.
Input: <a>=([a], [ra]), [r]
Output: <a−1>=<a254>=([a254], [ra254])
1. [a2]:=LocalExp([a], 2)
2. [ra2]←Mult([a2], [r])
3. ([a3], [ra3])←DoubleMult(([a], [a]), ([a2], [ra2]))
4. [a12]:=LocalExp([a3], 22)
5. ([a15], [ra15])←DoubleMult(([a12], [a12]), ([a3], [ra3]))
6. ([a14], [ra14])←DoubleMult(([a12], [a12]), ([a2], [ra2]))
7. [a240]:=LocalExp([a15], 24)
8. ([a254], [ra254])←DoubleMult(([a240], [a240]), ([a14], [ra14]))
9. return <a254>=([a254], [ra254])
In a fifth specific example, the protocol computes a power in secret computation on a field GF(33). Here, a protocol that computes [a10] from [a] is shown.
Input: [a]
Output: [a10]
1. [a9]:=LocalExp([a], 32)
2. [a10]←Mult([a9], [a])
3. return [a10]
In the above-described protocol, Mult is performed once and the number of communication rounds is one. In contrast, when [a10] is computed with the Binary method, Mult is required to be performed four times, as shown in the protocol below. It is found that the number of communication rounds is greatly reduced.
Input: [a]
Output: [a10]
1. [a2]←Mult([a], [a])
2. [a4]←Mult([a2], [a2])
3. [a5]←Mult([a4], [a])
4. [a10]←Mult([a5], [a5])
5. return [a10]
In a sixth specific example, the protocol obtains an inverse element in secret computation on a field GF(33). Here, a protocol that computes the inverse element [a−1] from [a] is shown. Since [a−1]=[a25] from the Fermat's little theorem, obtaining the inverse element is equal to computing the 25th power.
Input: [a]
Output: [a−1]=[a25]
1. [a9]:=LocalExp([a], 32)
2. [a3]:=LocalExp([a], 3)
2. [a12]←Mult([a9], [a3])
4. [a24]←Mult([a12], [a12])
5. [a25]←Mult([a24], [a])
8. return [a25]
In the above-described protocol, Mult is performed three times, and parallel operations are not possible. Therefore, the number of communication rounds is three. In contrast, when [a−1] is computed with the Binary method, Mult is required to be performed six times, as shown in the protocol below. It is found that the number of communication rounds is greatly reduced.
Input: [a]
Output: [a−1]=[a25]
1. [a2]←Mult([a], [a])
2. [a3]←Mult([a2], [a])
3. [a6]←Mult([a3], [a3])
4. [a12]←Mult([a6], [a6])
5. [a24]←Mult([a12], [a12])
6. [a25] ←Mult([a24], [a])
7. return [a25]
In a seventh specific example, the power protocol in secret computation on the field GF(33) is applied to falsification detection. Here, a protocol that computes <a10>=([a10], [ra10]) from <a>=([a], [ra]) is shown. In the following protocol, in order to avoid computing a power of a randomized share, the multiplication of a random number is performed by Mult after local operations.
Input: <a>=([a], [ra]), [r]
Output: <a10>=([a10], [ra10])
1. [a9]:=LocalExp([a], 32)
2. ([a10], [ra10])←DoubleMult(([a9], [a9]), ([a], [ra]))
3. return <a10>=([a10], [ra10])
In an eighth specific example, the inverse-element protocol in secret computation on the field GF(33) is applied to falsification detection. Here, a protocol that computes <a−1>=<a25>=([a25], [ra25]), the inverse element of <a>=([a], [ra]), is shown. In the following protocol, in order to avoid computing a power of a randomized share, the multiplication of a random number is performed by Mult after local operations.
Input: <a>=([a], [ra]), [r]
Output: <a−1>=<a25>=([a25], [ra25])
1. [a9]:=LocalExp([a], 32)
2. [a3]:=LocalExp([a], 3)
3. [ra3]←Mult([a3], [r])
4. ([a12], [ra12])←DoubleMult(([a9], [a9]), ([a3], [ra3]))
5. ([a24], [ra24])←DoubleMult(([a12], [a12]), ([a12], [ra12]))
6. ([a25], [ra25])←DoubleMult(([a24], [a24]), ([a], [ra]))
7. return <a25>=([a25], [ra25])
According to secret computation technology of the present invention, the following formula on the extended field is used to locally compute the power of a power of a characteristic, reducing the number of communication rounds used in the entire power computation. Therefore, a power can be computed at high speed while data is concealed. By applying this technology, inverse-element computation that uses a power can be executed at high speed.
Embodiments of the present invention have been described above. However, a specific configuration of the present invention is not limited to those in the above described embodiments. Even if a design change is made to the above embodiments, if necessary, without departing from the scope of the present invention, it is needless to say that those changes are included in the present invention. Each type of processing described in the above embodiments may be executed not only time sequentially according to the order of description but also in parallel or individually when necessary or according to the processing capabilities of the apparatuses that execute the processing.
Program and Recording Medium
When various types of processing functions in each apparatus, described in the embodiments, are implemented by a computer, the processing details of the functions that should be provided by each apparatus are described in a program. When the program is executed by the computer, the processing functions in each apparatus are implemented on the computer.
The program containing the processing details can be recorded in a computer-readable recording medium. The computer-readable recording medium can be any type of medium, such as a magnetic recording device, an optical disc, a magneto-optical recording medium, or a semiconductor memory.
This program is distributed by selling, transferring, or lending a portable recording medium, such as a DVD or a CD-ROM, with the program recorded on it, for example. The program may also be distributed by storing the program in a storage of a server computer and transferring the program from the server computer to another computer through the network.
A computer that executes this type of program first stores the program recorded on the portable recording medium or the program transferred from the server computer in its storage, for example. Then, the computer reads the program stored in its storage and executes processing in accordance with the read program. In a different program execution form, the computer may read the program directly from the portable recording medium and execute processing in accordance with the program, or the computer may execute processing in accordance with the program each time the computer receives the program transferred from the server computer. Alternatively, the above-described processing may be executed by a so-called application service provider (ASP) service, in which the processing functions are implemented just by giving program execution instructions and obtaining the results without transferring the program from the server computer to the computer. The program of this form includes information that is provided for use in processing by the computer and is treated correspondingly as a program (something that is not a direct instruction to the computer but is data or the like that has characteristics that determine the processing executed by the computer).
In the description given above, the apparatuses are implemented by executing the predetermined programs on the computer, but at least a part of the processing details may be implemented by hardware.
Number | Date | Country | Kind |
---|---|---|---|
JP2017-006355 | Jan 2017 | JP | national |
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/JP2018/001135 | 1/17/2018 | WO |
Publishing Document | Publishing Date | Country | Kind |
---|---|---|---|
WO2018/135511 | 7/26/2018 | WO | A |
Number | Name | Date | Kind |
---|---|---|---|
4975867 | Weng | Dec 1990 | A |
6038581 | Aoki | Mar 2000 | A |
6810122 | Miyazaki | Oct 2004 | B1 |
7218735 | Coron | May 2007 | B2 |
7415614 | Guillou | Aug 2008 | B2 |
9787472 | Lampkins | Oct 2017 | B1 |
10075288 | Khedr | Sep 2018 | B1 |
10083310 | Lampkins | Sep 2018 | B1 |
20030055858 | Dubey | Mar 2003 | A1 |
20070116283 | Tuyls | May 2007 | A1 |
20080084997 | Lauter | Apr 2008 | A1 |
20090044080 | Michaels | Feb 2009 | A1 |
20090136025 | Kargl | May 2009 | A1 |
20090279688 | Michaels | Nov 2009 | A1 |
20100260333 | Akane | Oct 2010 | A1 |
20110110525 | Gentry | May 2011 | A1 |
20110179098 | Nogami | Jul 2011 | A1 |
20110261955 | Nogami | Oct 2011 | A1 |
20110295918 | Prouff | Dec 2011 | A1 |
20120039463 | Gentry | Feb 2012 | A1 |
20120254605 | Sun | Oct 2012 | A1 |
20130080493 | Gueron | Mar 2013 | A1 |
20130339728 | Ikarashi | Dec 2013 | A1 |
20140294181 | Kamano | Oct 2014 | A1 |
20150358155 | Ikarashi | Dec 2015 | A1 |
20160365973 | van Deventer | Dec 2016 | A1 |
20170012948 | Peeters | Jan 2017 | A1 |
20170365192 | Ikarashi | Dec 2017 | A1 |
20180115415 | Teranishi | Apr 2018 | A1 |
20180276417 | Cerezo Sanchez | Sep 2018 | A1 |
20190212986 | Araki | Jul 2019 | A1 |
20190372768 | Veeningen | Dec 2019 | A1 |
20200186528 | Fan | Jun 2020 | A1 |
Number | Date | Country |
---|---|---|
2 391 052 | Nov 2011 | EP |
WO 2016104476 | Jun 2016 | WO |
Entry |
---|
Peeter Laud (Editor), Applications of Secure Multiparty Computation—(Chapter 5 and 9), © 2015 The authors and IOS Press. (Year: 2015). |
Ishai et al., Secure Multiparty Computation with Minimal Interaction, International Association for Cryptologic Research 2010 (Year: 2010). |
Avanzi, On Multi-Exponentiation in Cryptography; mocenigo@exp-math.uni-essen.de; from scholar.google.com (Year: 2002). |
Nedjah et al.; High-performance SoC-based implementation of modular exponentiation using evolutionary addition chains for efficient cryptography; ScienceDirect.com (Year: 2010). |
Peeter Laud (Editor); Applications of Secure Multiparty Computation—(Chapter 5 and 9), © 2015 The authors andl OS Press. (Year: 2015). |
Ghodosi et al.; Multi-party computation with conversion of secret sharing; Springer (Year: 2011). |
Toft; Primitives and Applications for Multi-party Computation; PhD Dissertation—Department of Computer Science, Universityof Aarhus Denmark (Year: 2007). |
Ishai et al.; Secure Multiparty Computation with Minimal Interaction; International Association for Cryptologic Research (Year: 2010). |
Araki, T. et al., “High-Throughput Semi-Honest Secure Three-Party Computation with an Honest Majority”, Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS' 16), Oct. 2016 (retrieved from the Internet on Mar. 9, 2018) <URL:http://doi.org/10.1145/2976749.2978331>, 13 pages. |
Araki, D. et al., “MEVAL2 vs. CCS Best paper on MPC-AES”, 2017 Symposium on Cryptography and Information Security (SCIS), Naha, Japan, Jan. 24-27, 2017, The Institute of Electronics Information and Communication Engineers, 9 pages, with English Abstract. |
Ivan Damgard, et al., Secure Multiparty AES (full paper), XP61003706, IACR, Dec. 11, 2009, pp. 1-14. |
Joachim Von Zur Gathen, “Processor-Efficient Exponentiation in Finite Fields” Information Processing Letters, vol. 41, No. 2, XP55766522, Feb. 14, 1992, pp. 81-86. |
Extended European Search Report dated May 7, 2020, in Patent Application No. 18741847.0, citing documents AA, AO and AX-AY therein, 9 pages |
Kato, H. et al., “Fast Exponentiation in Extension Field with Frobenius Mappings”, Memoirs of the Faculty of Engineering, vol. 42, Jan. 1, 2008, pp. 36-43. |
Gentry, C. et al., “Fully Homomorphic Encryption with Polylog Overhead”, International Association for Cryptologic Research, XP061005753, vol. 20120405, Apr. 5, 2012, 40 pages. |
International Search Report dated Apr. 3, 2018, in PCT/JP2018/001135 filed on Jan. 17, 2018. |
Ikarashi, D. et al., “Actively Private and Correct MPC Scheme in t <n/2 from Passively Secure Schemes with Small Overhead”, IACR Cryptology ePrint Archive, vol. 2014, May 19, 2014 (retrieved from the Internet on Mar. 9, 2018) <URL:http://ia.cr/2014/304>, 18 pages. |
Araki, T. et al., “High-Throughput Semi-Honest Secure Three-Party Computation with an Honest Majority”, Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS' 16), Oct. 2015 (retrieved from the internet on Mar. 9, 2018) <URL:http://doi.org/10.1145/2976749.2978331>, 13 pages. |
Ikarashi, D.. et al., “MEVAL2 vs. CCS Best paper on MPC-AES”, 2017 Symposium on Cryptography and Information Security (SCIS). Naha, Japan, Jan. 24-27, 2017. The Institute of Electronics Information and Communication Engineers, 9 pages, with English Abstract. |
Ikarashi. D., et al., “MEVAL2 vs. CCS Best paper on MPC-AES”, 2017 Symposium on Cryptography and Information Security (SCIS), Naha. Japan, Jan. 24-27, 2017, The Institute of Electronics Information and Communication Engineers. 9 pages (reference previously filed, now submitting unedited computer generated English translation only). |
Craig Gentry, Shai Halevi and Nigel Smart, “Homomorphic Evaluation of the AES Circuit.” Downloaded by EPO on Jun. 15. 2012. |
Fabrizio De Santis, Tobias Bauer and Georg Sigl. “Hiding Higher-Order Univariate Leakages by Shuffling Polynomial Masking Schemes. A More Efficient, Shuffled, and Higher-Order Masked AES S-box.” DOI:http://dx.doi.org/10.114512996366.2996370. Oct. 24, 2016. Vienna, Austria. |
Ivan Damgard, Marcel Keller Enrique Larraia, Christian Miles, Nigel P. Smart. “Implementing AES via an Actively/Covertly Secure Dishonest-Majority MPC Protocol” Department of Computer Science, University of Aarhus: Department of Computer Science. University of Bristol Visconti and R. De Prisco (Eds.) SCN 2012. LNCS 7485. pp. 241-263, 2012. |
HeeSeok Kim, Seokhie Hong and Jongin Lim “A Fast and Provable Secure Higher-Order Masking of AES S-Box.” Center for Information Security Technologies, Korea University. B. Preneel and T. Takagi (Eds.): CHES 2011, LNCS 694, pp. 95-107, 2011. International Association for Cryptologic Research. |
Number | Date | Country | |
---|---|---|---|
20190349193 A1 | Nov 2019 | US |