SECRET COMPUTATION SYSTEM AND METHOD

Information

  • Patent Application
  • 20200387616
  • Publication Number
    20200387616
  • Date Filed
    December 14, 2018
    5 years ago
  • Date Published
    December 10, 2020
    3 years ago
Abstract
A secret computation system is a secret computation system for performing computation while keeping data concealed, and comprises a cyphertext generation device that generates cyphertext by encrypting the data, a secret computation device that generates encrypted basic statistics by performing secret computation of predetermined basic statistics using the cyphertext while keeping the cyphertext concealed, and a computation device that generates decrypted basic statistics by decrypting the encrypted basic statistics and performs predetermined computation using the decrypted basic statistics.
Description
TECHNICAL FIELD

The present invention relates to a technical field of secret computation that performs data processing while keeping data concealed. For example, the present invention relates to a technique of secret multivariate analysis.


BACKGROUND ART

As a conventional art of secret computation for performing data processing while keeping data concealed, a technique described in Patent literature 1 is known. In the conventional art of secret computation, the following three phases are performed.


1. Encryption phase: to encrypt data to make it concealed.


2. Secret computation phase: to use an algorithm or a protocol capable of target computation for the original data while keeping the encrypted data, that is, cyphertext as is and to process the cyphertext.


3. Decryption phase: to decrypt the cyphertext obtained as a result of processing in the secret computation phase to obtain a target computation result.


PRIOR ART LITERATURE
Patent Literature

Patent literature 1: Japanese Patent Application Laid-Open No. 2017-028617


SUMMARY OF THE INVENTION
Problems to be Solved by the Invention

The above conventional art performs all of target computation processing in “2. Secret computation phase.”


In general, secret computation algorithms are more complicated in processing than algorithms that compute data without encrypting. For this reason, time necessary for processing computation by secret computation algorithms is longer than time necessary for processing computation by plaintext computation algorithms. Therefore, if all algorithms that use complicated computation such as linear regression that requires solving linear equations and principal component analysis that requires computing eigenvalues and eigenvectors of matrices are processed by secret computation, the time required for the processing may become enormous.


An object of the present invention is to provide a secret computation system and method that can perform secret computation at faster speed than before while keeping data concealed.


Means to Solve the Problems

A secret computation system according to one aspect of the present invention is a secret computation system for performing computation while keeping data concealed, comprising a cyphertext generation device that generates cyphertext by encrypting the data, a secret computation device that generates encrypted basic statistics by performing secret computation of predetermined basic statistics using the cyphertext while keeping the cyphertext concealed, and a computation device that generates decrypted basic statistics by decrypting the encrypted basic statistics and performs predetermined computation using the decrypted basic statistics.


Effects of the Invention

It is possible to perform secret computation at faster speed than before while keeping data concealed.





BRIEF DESCRIPTION OF THE DRAWINGS


FIG. 1 is a block diagram showing an example of a secret computation system;



FIG. 2 is a flowchart for illustrating an example of a secret computation method;



FIG. 3 is a diagram for illustrating a first embodiment.





DETAILED DESCRIPTION OF THE EMBODIMENTS

Hereinafter, an embodiment of the present invention will be described with reference to the drawings.


[Notation]


Each of “m” and “L” is a natural number of one or more. A single piece of data is described as “a.” An mth order vector is described as a=(a1, . . . , am). A matrix of m rows and L columns is described as A=(aj,k)1≤j≤m, 1≤k≤L or A=(a1T, . . . , aLT). Furthermore, ai(i=1, . . . , L) is an m-dimensional vector. T means transportation of a vector or matrix.


A character “n” is a natural number of one or more. Cyphertext of “a” is described as [a]=([a]1, . . . , [a]n). Here, [a]i is referred to as an “i-th share.” However, when n=1, [a]=[a]1. In addition, [a]=([a]1, . . . , [a]m) is cyphertext of an mth order vector a. Similarly, [A]=([aj,k])1≤j≤m, 1≤k≤L is cyphertext of a matrix A of in rows and L columns.


The sum Sa of the elements in the vector a is described as the following formula:






s
aj=1maj.


In addition, a product ab of the elements of the vector a and a vector b is described as the following formula:






ab=(a1b1, . . . ,ambm).


Furthermore, a2=aa.


[Statistic]


A quantity indicating a property of “a” or “A” is referred to as a statistic. FIG. 3 shows an example of statistics used in the present invention. FIG. 3 shows the symbol and notation, definition, and formula equivalent to the definition of each statistic.


Among the statistics of FIG. 3, at least one of five statistics of a number of records, a number of attributes, the sum, the sum of squares, and the sum of products is referred to as a basic statistic.


In FIG. 3, the number of records, the number of attributes, the sum, the sum of squares, and the sum of products are defined as follows:


the number of records m: the number of elements of “a” or the number of rows of “A;”


the number of attributes L: the number of columns of “A;”


the sum sa: Σj=1maj;


the sum of squares s(a{circumflex over ( )}2): Σj=1maj2; and


the sum of products sab: Σj=1majbj.


[Outline of Technique]


The embodiment described later safely computes basic statistics (that is, for example, at least one of the number of records, the number of attributes, the sum, the sum of squares, and the sum of products) by secret computation, and decrypts the basic statistics into plaintext to perform computation such as analysis at high speed. The embodiment described later performs processing divided into the following three phases.


1. Encryption phase: to encrypt data to make it concealed.


2. Secret computation phase: to process computation of the basic statistics from individual pieces of data while keeping cyphertext as is.


3. Computation phase: to decrypt cyphertext of the computed basic statistics and use the decrypted basic statistics to process target computation in plaintext.


The embodiment described later is different from a conventional approach in that secret computation is applied only to computation processes of the basic statistics. By applying this approach, computation, such as linear regression and principal component analysis, that relatively takes time for processing can be processed at higher speed than before.


A linear equation used in linear regression is composed of basic statistics as shown, for example, in the following formula (1).















[

Formula





1

]


















(



m



s

a
1








s

a
L







s

a
1





s

a
1
2








s


a
1



a
L






















s

a
L





s


a
L



a
1









s


a
L



a
L






)



(




w
0






w
1











w
L




)


=

(




s
b






s


a
1


b












s


a
L


b





)





(
1
)








Therefore, it is possible to efficiently estimate parameters by, for example, solving a linear equation in plaintext after safely computing basic statistics by secret computation.


In addition, it is possible to implement principal component analysis by performing computation of eigenvalues and eigenvectors for, for example, a variance covariance matrix V=(σas,at)1≤s, t≤L or a correlation coefficient matrix C=(ρas,at)1≤s, t≤L of “A”.


It is understood from FIG. 3 that variance covariance matrices can be calculated from the basic statistics. Furthermore, also correlation coefficient matrices can be calculated from variance and covariance. Consequently, in the case of using any matrix, if basic statistics can be computed safely, principal component analysis can be achieved by using the computed basic statistics after that.


[Encryption Method]


The present invention uses an encryption method that can carry out, for example, the following arithmetic without decrypting cyphertext. As a measure for implementing such an encryption method, Reference literatures 1 and 2 are known.


1. Addition: to generate a cyphertext [a+b] of addition a+b using [a] and [b] as input.


2. Multiplication: to generate a cyphertext [ab] of multiplication ab using [a] and [b] as input.


3. Sum: to generate a cyphertext [sa] of sum sa using [a] as input.


4. Sum of products: to generate a cyphertext [sab] of sum of products sab using [a] and [b] as input.

  • [Reference literature 1] SHAMIR, Adi. “How to share a secret”, Communications of the ACM, 1979, 22.11: p. 612-613.
  • [Reference literature 2] GENTRY, Craig, et al. “Fully homomorphic encryption using ideal lattices”, In: STOC. 2009. p. 169-178.


Embodiment

The embodiment of a secret computation system includes a cyphertext generation device 1, a management server 2, a secret computation device 3, and a computation device 4 as shown in FIG. 1 as an example. In this example, the cyphertext generation device 1 is a plurality of registered terminals TH. The secret computation device 3 is n secret computation servers M1, . . . , Mn. The character “n” is a predetermined integer of two or more. Furthermore, the computation device 4 is an analysis terminal TA.


The cyphertext generation device 1, management server 2, secret computation device 3, and computation device 4 can communicate with each other through a network, and can transmit and receive data to/from each other.


The secret computation system uses the secret computation servers M1, . . . , M capable of processing the arithmetic described in [Encryption Method]. Each secret computation server Mi (i=1, . . . , n) can access another secret computation server Mj through the network, and can transmit and receive data to/from each other.


A secret computation method is implemented by, for example, the devices included in the secret computation system performing processes of steps S1 to S11 described below and in FIG. 2.


The cyphertext generation device 1 generates cyphertext by encrypting data (step S1). The generated cyphertext is transmitted to the management server 2 (step S2).


The cyphertext generation device is, for example, a plurality of registered terminals TH. In this case, each of the plurality of registered terminals TH generates a share of data by performing secret distribution of the data held by the own terminal by, for example, an approach described in Reference literatures 1 and 2. The generated share is an example of cyphertext.


The management server 2 transmits the received cyphertext to the secret computation device 3 (step S3).


The secret computation device 3 causes a storage part to store the received cyphertext (step S4). For example, the received cyphertext is stored in an unshown storage part of the secret computation server Mi (i=1, . . . , n) of the secret computation device 3.


The computation device 4 transmits a computation request to the management server 2 (step S5). The computation device 4 is, for example, an analysis terminal TA. In this case, the analysis terminal TA transmits an analysis request as the computation request to the management server 2.


The management server 2 transmits a basic statistic computation request which is a computation request for basic statistics necessary for performing computation corresponding to the received computation request to the secret computation device 3 (step S6).


The secret computation device 3 generates encrypted basic statistics by performing secret computation of predetermined basic statistics using the cyphertext read from the storage part while keeping the cyphertext concealed (step S7).


The secret computation device 3 is, for example, secret computation servers M1, . . . , Mn. In this case, the secret computation servers M1, . . . , Mn jointly use, for example, the approach described in Reference literatures 1 and 2 and use the cyphertext read from the storage part to perform secret computation of the predetermined basic statistics while keeping the cyphertext concealed.


The generated encrypted basic statistics are transmitted to the management server 2 (step S8).


The predetermined basic statistics are basic statistics corresponding to the received basic statistic computation request.


The management server 2 transmits the received encrypted basic statistics to the computation device 4 (step S9).


The computation device 4 generates decrypted basic statistics by decrypting the received encrypted basic statistics (step S10).


The computation device 4 uses the decrypted basic statistics to perform predetermined computation (step S11). One of points of the above embodiment lies in a combination of features of analysis that can be calculated only with statistics and the character of secret computation.


Statistics such as the number of records, sum, mean, and variance are not individual pieces of data but numerical values indicating features of a data set. Therefore, analysis that performs computation only using these statistics only needs to solve the data set but does not need individual pieces of data themselves. However, computation of statistics is inevitable from the algorithm of analysis and individual pieces of data must be touched for computing the statistics.


On the other hand, secret computation can safely compute while data is kept concealed by cyphertext, but is generally slower than computation by plaintext. In particular, since speed difference appears remarkably for a complicated computation process such as division, it is costly to implement by secret computation all of analysis requiring complicated computation. On the contrary, the addition and multiplication indicated in the paragraphs of [Encryption Method] are sufficiently fast even in secret computation, and basic statistics based on the arithmetic can be processed at high speed by secret computation.


Therefore, in analysis that can be computed from statistics based on the basic statistics, contents of individual pieces of data are kept concealed by processing only a part where the basic statistics are computed by secret computation, the computed basic statistics are decrypted into plaintext, and thereby the computation of analysis can be processed at high speed. Thereby, analysis with both safety and high speed can be achieved.


In the above embodiment, the management server 2 and computation device 4 are described as separate devices, but the management server 2 and computation device 4 may be implemented in the same device.


EXAMPLE
Example 1

Example 1 is an example in which linear single regression analysis is performed. More specifically, Example 1 is an example in which the analysis terminal TA, which is the computation device 4, uses the n secret computation servers M1, . . . , which is Mn, the secret computation device 3, to estimate parameters w0 and w1 for the following linear model






b=w
0
+w
1
a


between in households' income data a and expenditure data b held by the registered terminals TH, which is the cyphertext generation device 1.


<Encryption Phase>


As the encryption phase, the following processes are performed in steps S1 to S3.


The registered terminals TH encrypt “a,” “b,” and “m” using, for example, the encryption method in Reference literatures 1 and 2.


The registered terminals TII transmit shares [a]i, [b]i, and [m]i, which are cyphertext, and plaintext in to the secret computation servers M1, . . . Mn.


<Secret Computation Phase>


As the secret computation phase, the following processes are performed in steps S7 to S9.


Each secret computation server Mi uses [a]i and [b]i to find [sa]i and [sb]i by the secret computation of the sum indicated in the paragraphs of [Encryption Method]. Here, saj=1maj assuming that a=(a1, . . . , am) and sbj=1mbj assuming that b=(b1, . . . , bm).


Each secret computation server Mi uses [a]i and [b]i to find [sa{circumflex over ( )}2]i and [sab]i by the secret computation of the sum of products indicated in the paragraphs of [Encryption Method]. Here, sa{circumflex over ( )}2j=1maj2 and sabj=1majbj assuming that a=(a1, . . . , am) and b=(b1, . . . , bm).


Each secret computation server Mi transmits the found [sa]i, [sb]i, [sa{circumflex over ( )}2]i, [sab]i, and [m]i to the analysis terminal TA.


<Computation Phase>


As the computation phase, the following processes are performed in steps S10 and S11.


The analysis terminal TA uses the received shares to decrypt sa, sb, sa{circumflex over ( )}2, sab, and m.


The analysis terminal TA uses sa, sb, and in to compute μa=(1/m)sa and μb=(1/m)sb.


The analysis terminal TΛ uses sa, sb, sa{circumflex over ( )}2, sab, and in to compute σa2=(1/m)sa{circumflex over ( )}2−(1/m2)sa2 and σa,b=(1/m)sab−(1/m2)sasb.


The analysis terminal TA calculates W1=(σa,b)/(θa2).


The analysis terminal TΛ calculates w0b−w1μa.


Example 2

Example 2 is an example in which linear regression analysis is performed. More specifically, Example 2 is an example in which the analysis terminal TA, which is the computation device 4, uses the n secret computation servers M1, . . . , Mn, which is the secret computation device 3, to estimate a parameter w=(w0, w1, . . . , wL) for the following linear model






b=w
0
+w
1
a
1
+ . . . +w
L
a
L


between a matrix A of a number of records in and a number of attributes L and a vector b of the number of records in held by the registered terminals TH, which is the cyphertext generation device 1.


<Encryption Phase>


As the encryption phase, the following processes are performed in steps S1 to S3.


The registered terminals TH encrypt “A,” “b,” “m,” and “L” using, for example, the encryption method in Reference literatures 1 and 2.


The registered terminals TH transmit shares [A]i, [b]i, [m]i, and [L]i, which are cyphertext, and plaintext m and L to the secret computation servers M1, . . . , Mn.


<Secret Computation Phase>


As the secret computation phase, the following processes are performed in steps S7 to S9.


Each secret computation server Mi uses [A]i and [b]i to find [sΛ]i=([sa1]i, . . . , [saL]i) and [sb]i by the secret computation of the sum indicated in the paragraphs of [Encryption Method]. Here, saqj=1maj,q assuming that q=1, . . . , L, and sbj=1mbj assuming that b=(b1, . . . , bm).


Each secret computation server Mi uses [A]i and [b]i to calculate [SA]i=([sajak]i)1≤j,k≤L and [sAb]i ([sa1b]i, . . . , [saLb]i) by the sum of products indicated in the paragraphs of [Encryption Method]. Here, sajakr=1mar,jar,k, and assuming that q=1, . . . , L, saqbr=1mar,qbr.


Each secret computation server Mi transmits the found [sA]i, [sb]i, [SA]i, and [sAb]i, and [m]i and [L]i to the analysis terminal TA.


<Computation Phase>


As the computation phase, the following processes are performed in steps S10 and S11.


The analysis terminal TA uses the received shares to decrypt sA, sb, SA, sAb, m, and L.


The analysis terminal TA uses sa, sb, SA, sAb, m, and L to compose the linear equation of Formula (1).


The analysis terminal TA solves Formula (1) using, for example, Gauss' elimination method to find w=(w0, . . . , wL).


Example 3

Example 3 is an example in which principal component analysis is performed. More specifically, Example 3 is an example in which the analysis terminal TA, which is the computation device 4, uses the n secret computation servers M1, . . . , Mn, which is the secret computation device 3, to performs principal component analysis for data A which is a matrix of a number of records m and a number of attributes L held by the registered terminals TH, which is the cyphertext generation device 1, and finds each principal component p=(p1, . . . , pL).


<Encryption Phase>


As the encryption phase, the following processes are performed in steps S1 to S3.


The registered terminals TH encrypt “A,” “m,” and “L” using, for example, the encryption method in Reference literatures 1 and 2.


The registered terminals TH transmit shares [A]i, [m]i, and [L]i, which are cyphertext, and plaintext “m” and “L” to the secret computation servers M1, . . . , Mn.


<Secret Computation Phase>


As the secret computation phase, the following processes are performed in steps S7 to S9.


Each secret computation server Mi uses [A]i to find [s]i=([sa1]i, . . . , [saL]i) by the sum indicated in the paragraphs of [Encryption Method]. Here, saij=1maq,j assuming that q=1, . . . , L.


Each secret computation server Mi uses [A]i to calculate [S]i=([sajak]i)1≤j,k≤L by the sum of products indicated in the paragraphs of [Encryption Method]. Here, sajakr=1mar,jar,k.


Each secret computation server Mi transmits the found [s]i and [S]i, and [m]i and [L]i to the analysis terminal TA.


<Computation Phase>


As the computation phase, the following processes are performed in steps S10 and S11.


The analysis terminal TA uses the received shares to decrypt “s,” “S,” “m,” and “L.”


The analysis terminal TA uses “s,” “S,” “in,” and “L” to find V=(σaj,ak)1≤j,k≤L=((1/m)sajak−(1/m2)sajsak)1≤j,k≤L.


The analysis terminal TA uses “V” to find C=((σaj,ak)/(σaj2ak2)1/2)1≤j,k≤L. Here, σaj2=(1/m)saj{circumflex over ( )}2−(1/m2)saj2 and σak2=(1/m)sak{circumflex over ( )}2−(1/m2)sak2.


The analysis terminal TA performs computation of eigenvalues and eigenvectors for “C” to find p=(p1, . . . , pL).


[Program and Recording Medium]


For example, if processing in each device is implemented by a computer, processing contents of a function which each part of each device should have are written by a program. Then, the program is executed by the computer and thereby the processing of each device is implemented on the computer.


The program describing the processing contents can be recorded on a computer-readable recording medium. The computer-readable recording medium may be any of, for example, a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory.


The processing of each part may be implemented by executing a predetermined program on the computer, or at least part of the processing may be implemented by hardware.


In addition, it goes without saying that modifications are possible as appropriate within a range not departing from the spirit of the present invention.

Claims
  • 1. A secret computation system for performing computation while keeping data concealed, comprising: a cyphertext generation device that generates cyphertext by encrypting the data;a secret computation device that generates encrypted basic statistics by performing secret computation of predetermined basic statistics using the cyphertext while keeping the cyphertext concealed; anda computation device that generates decrypted basic statistics by decrypting the encrypted basic statistics and performs predetermined computation using the decrypted basic statistics.
  • 2. The secret computation system of claim 1, wherein the predetermined basic statistics are at least one of a number of records, a number of attributes, a sum, a sum of squares, and a sum of products of the data.
  • 3. A secret computation method for performing computation while keeping data concealed, comprising: a cyphertext generation device in which a cyphertext generation device generates cyphertext by encrypting the data;a secret computation step in which a secret computation device generates encrypted basic statistics by performing secret computation of predetermined basic statistics using the cyphertext while keeping the cyphertext concealed; anda computation step in which a computation device generates decrypted basic statistics by decrypting the encrypted basic statistics and performs predetermined computation using the decrypted basic statistics.
Priority Claims (1)
Number Date Country Kind
2017-241895 Dec 2017 JP national
PCT Information
Filing Document Filing Date Country Kind
PCT/JP2018/046130 12/14/2018 WO 00