The present invention relates to secret computation and, more particularly, to an operation in which a sequence of an array is concealed.
A hash table is a data structure for performing high-speed data retrieval based on a key value of data by encoding the key value using a hash function or the like and associating the encoded key value with an address value in a data array. This is useful when, for example, data is deposited on an external server or the like to be retrieved based on a key value as needed.
However, a normal hash table is not expected to conceal data and, for example, there is a problem in that a server entrusted with data (or a hash table) by a user can identify a table structure and thereby observe an access tendency of the user. As an existing method for solving such a problem, there is a secret hash table (for example, refer to References [4 and 1]). Note that names of references are collectively described at the end of the specification. A secret hash table is a technique for making a server construct a hash table while keeping a table structure secret and enables the access tendency of a user to be hidden from the server.
While secret hash table construction methods self-evidently include a method in which a user encrypts all data items at hand, constructs a hash table, and entrusts the hash table to a server, in this case, a storage area of O(n) is required with respect to n as the number of items of data. Reference [4] and Reference [1] described above represent methods of constructing a secret hash table on a server by a coordination protocol between a user and a server on the assumption that the server has all the encrypted data and the methods have an advantage that O(1) suffices as the storage area of the user when the server has all the encrypted data.
However, the techniques according to References [4 and 1] have a problem in that a significantly large amount of communication is required between the user and the server when constructing a secret hash table. In practice, since there is no guarantee that a communication environment or a computation performance of the user is satisfactory, it is desirable that the above-mentioned cost is reduced as much as possible. One method of solving this problem is a technique disclosed in NPL 1. This document shows methods of constructing a secret hash table without requiring communication between a user and a server at all by secret computation using a plurality of servers and, therefore, stable performance can be implemented regardless of a communication environment and a computation performance of a user terminal.
In particular, a secret hash method called “Oblivious Greedy Hashing” among the methods shown in NPL 1 implements a table construction algorithm which gives each item of data to be stored two kinds of address values (that is, values indicating at which position of a table the item of data should be stored) and stores each item of data in whichever of the two storage destinations has more free space. Accordingly, there is an advantage that the table size can be reduced as compared with other existing methods.
While the Oblivious Greedy Hashing disclosed in NPL 1 has a small table size and advantageously does not require communication between the user and the server unlike the techniques disclosed in References [4 and 1], there is also a disadvantage that an extremely large amount of communication is required for table construction when simply comparing amounts of communication of systems as a whole. Specifically, if n denotes a total number of items of data stored in the table, while O(n log^2 n) bits of communication is required when constructing a secret hash table by the method according to Reference [4] or [1], Oblivious Greedy Hashing requires O(Z×n log^2 n) bits of communication. Here, Z denotes a parameter related to safety of a system and Z=2 log^ε n is exemplified in NPL 1.
The present invention has been made in consideration of the points described above and an object thereof is to provide a technique for constructing a secret hash table with a smaller table size without increasing an amount of communication.
The disclosed technique provides a secret hash table construction apparatus for constructing a secret hash table capable of storing up to a maximum of Z items of data in each of B kinds of address values by secret computation from a real data stream including a plurality of items of data each having a key and a flag indicating whether or not the data is dummy data, the secret hash table construction apparatus including a computing unit which:
According to the disclosed technique, a technique for constructing a secret hash table with a smaller table size without increasing an amount of communication is provided.
Hereinafter, an embodiment of the present invention (the present embodiment) will be described with reference to the drawings. The embodiment to be described below is merely exemplary and embodiments to which the present invention is applied are not limited to the following embodiment.
In the present embodiment, an efficient secret hash table construction method and an operation method for reducing user-server communication cost by using a plurality of servers will be described. Due to a technique according to the present embodiment, by giving each item of data two storage destinations, a table can be constructed only with an amount of inter-server communication of O(n log^2 n) bits while suppressing a table size to be as small as in the case of Oblivious Greedy Hashing. Hereinafter, a system configuration and processing procedures of the present embodiment will be described.
(System Configuration)
A user terminal 300 shown in
In the present embodiment, processing related to the construction of a secret hash table is executed by secret computation according to a coordination protocol among the plurality of servers 100-1 to 100-N. However, the use of the coordination protocol among the plurality of servers is simply an example when implementing the present invention and the present invention is not limited thereto. The present invention is also applicable to any technique that enables secret computation to be performed. For example, when secret computation can be performed by one server, the technique according to the present invention can be executed by the server.
As shown in
(Hardware Configuration Example)
The server 100 (secret hash table construction apparatus) according to the present embodiment can be implemented by, for example, causing a computer to execute a program describing processing contents described in the present embodiment. Note that the “computer” may be a physical machine or a virtual machine on the cloud. When using a virtual machine, “hardware” as described herein is virtual hardware.
The program described above can be recorded on a computer-readable recording medium (a portable memory or the like) to be stored, distributed, and the like. The program can also be provided through a network such as the Internet or e-mail.
A program for implementing processing in the computer is provided by, for example, a recording medium 1001 such as a CD-ROM or a memory card. When the recording medium 1001 storing the program is set in the drive apparatus 1000, the program is installed in the auxiliary storage apparatus 1002 from the recording medium 1001 via the drive apparatus 1000. However, the program does not necessarily have to be installed from the recording medium 1001, and may be downloaded from another computer via a network. The auxiliary storage apparatus 1002 stores the installed program and also stores necessary files, data, and the like.
The memory apparatus 1003 reads and stores the program from the auxiliary storage apparatus 1002 when an instruction to start the program is given. The CPU 1004 implements the functions related to the server 100 in accordance with the program stored in the memory apparatus 1003. The interface apparatus 1005 is used as an interface to connect to a network. The display apparatus 1006 displays a GUI (Graphical User Interface) and the like according to the program. The input apparatus 1007 is constituted with a keyboard and a mouse, a button, a touch panel, or the like and is used to input various operation instructions. The output apparatus 1008 outputs a computation result.
(Basic Processing Related to Secret Computation)
First, basic processing steps related to secret computation, as a premise in processing steps of the construction and operation of a secret hash table executed by the computing unit 120 of the server 100, will be described. The basic processing steps themselves are existing techniques.
<Concealment/Restoration>
Hereinafter, a secret value of a value x will be expressed as [[x]], processing x→[[x]] will be referred to as concealment of x, and processing [[x]]→x will be referred to as restoration of x. Although the present embodiment assumes that a secret sharing method (References [6 and 5]) is to be used as a technique for performing the concealment/restoration processing, any technique of concealment/restoration processing may be used as long as equivalent functionality and safety are provided.
<Basic Operations>
Addition, subtraction, and multiplication of secret values are expressed, respectively, as follows.
[[a+b]]←[[a]]+[[b]]
[[a−b]]←[[a]]−[[b]]
[[a×b]]←[[a]]×[[b]]
If a and b are in a space represented by len bits, the technique according to Reference [7] enables addition and subtraction to be executed at a communication cost of 0 and multiplication to be executed at a communication cost of O(len) bits.
<Comparison>
Comparisons between secret values are expressed as follows.
[[c]]←[[[a]]=?[[b]]]
The above comparison indicates that a result of a determination as to whether a and b are equal is c (a 1-bit number). c is 1 when the determination is correct and 0 when the determination is not correct.
[[d]]←[[[a]]≤?[[b]]]
The above comparison indicates that a result of a determination as to whether or not a is equal to or less than b is d (a 1-bit number). d is 1 when the determination is correct and 0 when the determination is not correct.
If a and b are in a space represented by len bits, the technique according to Reference [7] enables an operation of comparison to be executed at a communication cost of O(len) bits.
<Inner Product>
An inner product of vectors or arrays [[a]]=([[a0]], . . . , [[an-1]]), [[b]]=([[b0]], . . . , [[bn-1]]) of a secret value is expressed as follows:
[[c]]←<[[a]],[[b]]>
If each element of vectors a, b is in a space represented by len bits, the technique according to Reference [7] enables an inner product to be executed at a communication cost of O(len) bits.
<Shuffling of Array>
Processing for shuffling a secret array [[A]] is expressed as follows.
[[A′]]←Shuffle([[A]])
When A is an array including n items of len-bit elements, the technique according to Reference [3] enables the processing to be executed at a communication cost of O(len·n) bits.
<Stable Sort>
With respect to a secret key array [[K]] and an array to be sorted [[A]], processing of sorting [[A]] based on each value of [[K]] is expressed as follows.
[[A′]]←Sort([[K]],[[A]])
This processing can be performed in both ascending order and descending order with respect to K. When K is an array including n items of len-bit elements and A is an array including n items of m-bit elements, the technique according to Reference [3] enables the processing to be executed at a communication cost of O(len·n log n+mn) bits.
<Ranking of Same Data>
Let an array [[A]]=([[a0]], . . . , [[an-1]]) denote a sorted array. In this case, a ranking operation with respect to same data is expressed as follows.
[[B]]←Rank([[A]]),
where [[B]]=([[b0]], . . . , [[bn-1]]) and each bi satisfies the following:
<Pseudo-Random Function>
Let values a, s denote an input and a private key of a pseudo-random function, respectively. With respect to secret values [[a]], [[s]], an operation of computing a secret pseudo-random value is expressed as follows.
[[r]]←PRF([[a]],[[s]])
If the bit length of a is len, then the secret computation processing can be implemented using the technique according to Reference [2] at a communication cost of O(len).
<Encryption by Secret Computation>
Let values a, s denote a plain text and a private key of a block cipher, respectively. With respect to secret values [[a]], [[s]], an operation for generating a cipher text by secret computation is expressed as follows.
[[c]]←Enc([[a]],[[s]])
If the bit length of a is len, then the secret computation processing can be implemented using the technique according to Reference [2] at a communication cost of O(len).
Hereinafter, specific examples of processing executed by the server 100 according to the present embodiment will be described using first to fifth examples. The following processing is executed by the computing unit 120 of the server 100. In addition, data to be prepared in advance, arrays obtained by computation, tables and the like are stored in the data storage unit 140. The computing unit 120 advances processing by repetitively computing data read from the data storage unit 140 and storing a computation result in the data storage unit 140.
The processing in each example described below is simply an example. For example, the meanings of 1 and 0, ascending order/descending order, and the like may be reversed relative to those in the following examples.
First, a first example will be described. In the present first example, a method will be described by which the server 100 constructs a secret hash table using data ai=(ki, ei) made up of a key ki and a flag ei stored in the data storage unit 140. The key ki is an identifier unique to each item of data and is used for the purpose of uniquely specifying data when accessing the data or the like.
The flag ei is a 1-bit value for determining whether or not the data is dummy data and, in this case, the data is regarded as actual data when ei=0 but regarded as dummy data when ei=1.
When a total number of items of data is denoted by n, while a minimum bit length of ki is expressed as ceil(log n), there may be redundancy. In addition to the key and the flag, each item of data may be given arbitrary information vi, in which case ai may be expressed as ai=(ki, ei, vi).
As a premise, the server 100 is assumed to store, in the data storage unit 140, a concealed data stream [[A]]=([[a0]], . . . , [[an-1]]); [[ai]]=([[ki]], [[ei]]).
In addition, while the following description assumes that a private key [[s0]], [[s1]] concealed in advance is generated and stored in the data storage unit 140, the private key may be generated when necessary during a protocol.
It is assumed that the secret hash table constructed in the present first example is a data array with a size of B×Z or, expressed differently, a data structure capable of storing up to a maximum of Z items of data in each of B kinds of address values. In addition, a pseudo-random function used in the present first example is assumed to satisfy PRF([[k]], [[s]])∈{0, . . . , B−1}.
Under the premises described above, the server 100 constructs a secret hash table by processing described below. The processing executed by the server 100 will be described following procedures shown in the flowchart of
<S101 (step 101)>
In S101, the server 100 performs shuffling with respect to [[A]] so that [[A]]←Shuffle([[A]]). However, this operation may be omitted depending on the state of the input [[A]] and the level of safety to be satisfied.
<S102>
In S102, with respect to [[A]], the server 100 computes a storage destination data array [[ADDR]]=(([[addr00]], [[addr10]], [[e0]], [[rank00]], [[rank10]]), . . . , ([[addr0n-1]], [[addr1n-1]], [[en-1]], [[rank0n-1]], [[rank1n-1]])).
However, it is assumed that [[addrpi]]←PRF([[ki]], [[sp]]); i∈{0, . . . , n−1}, p∈{0, 1} and initialization is performed such that [[rankpi]]←[[0]]. In this case, addr0i and addr1i respectively correspond to the two kinds of address values corresponding to an i-th item of data ai=(ki, ei) of A, and rankpi denotes a rank holding area used when ranking is to be performed later.
For the sake of convenience of describing an image of data, if describing without using the concealment symbol [[ ]], ADDR at this point is an array (an array of n items of data) such as ADDR=((3, 1, 0, 0, 0), (18, 95, 0, 0, 0), . . . , (8, 78, 0, 0, 0)). Hereinafter, descriptions may be given without [[ ]] when appropriate.
<S103>
In S103, the server 100 generates a dummy storage destination data array [[ADDRd]]=([[d0]], . . . , [[dBZ-1]]); di=(floor(i/Z), floor(i/Z), 1, 0, 0).
This is an array holding, for each address value 0, . . . , B−1, Z items of dummy storage destination data whose two kinds of address values addr0i and addr1i both indicate the same value floor(i/Z)∈{0, . . . , B−1}.
The server 100 connects the dummy [[ADDRd]] to an end of a storage destination data array [[ADDR]] related to real data to obtain an array [[ADDR′]]=[[ADDR]]∥[[ADDRd]] with a length of n+BZ.
ADDR′ at this point is an array (an array of n+BZ items of data) such as ADDR′=((3, 1, 0, 0, 0), (18, 95, 0, 0, 0), . . . , (8, 78, 0, 0, 0), (0, 0, 1, 0, 0), (0, 0, 1, 0, 0), . . . , (8, 8, 1, 0, 0)).
In the following description, with respect to the storage destination data array [[ADDR′]], a notation [[ADDR′·addr0]] is defined as an array ([[addr00]], . . . , [[addr0n+BZ-1]]) created by extracting only a first address value [[addr0i]] from [[ADDR′]]. Similarly, notations [[ADDR′·addr1]], [[ADDR′·rank0]], and [[ADDR′·rank1]] are defined as arrays created by respectively extracting [[addr1i]], [[rank0i]], and [[rank1i]] from [[ADDR′]].
Furthermore, notations [[ADDR′·pos0]] and [[ADDR′·pos1]] denote arrays obtained by respectively extracting a pair ([[addr0i]], [[ei]]) and a pair ([[addr1i]], [[ei]]) from [[ADDR′]].
For example, if ADDR′=((3, 1, 0, 0, 0), (18, 95, 0, 0, 0), (8, 78, 0, 0, 0), (0, 0, 1, 0, 0), (0, 0, 1, 0, 0), . . . , (8, 8, 1, 0, 0)), then ADDR′·pos0=((3, 0), (18, 0), . . . , (8, 0), (0, 1), (0, 1), . . . , (8, 1)).
<S104>
In S104, the server 100 generates a dummy data stream [[Ad]]=([[ad0]], . . . , [[adBZ-1]]); adi=(dummy, 1), where “dummy” takes a value that differs from any of predetermined keys ki. [[Ad]] is connected to the end of a real data stream [[A]] to obtain an array [[A′]]=[[A]]∥[[Ad]] with a length of n+BZ.
A′ at this point is, for example, an array (an array of n+BZ items of data) such as A′=((11, 0), (101, 0), . . . , (3, 0), (dummy, 1), (dummy, 1), . . . , (dummy, 1)).
<S105>
In S105, the server 100 first respectively sorts the data array and the storage destination data array based on the first address value addr0i and the flag ei. In other words, [[A′]]←Sort([[ADDR′·pos0]], [[A′]]) and [[ADDR′]]←Sort([[ADDR′·pos0]], [[ADDR′]]) are computed.
At this point, although the data array and the storage destination data array are to be rearranged in ascending order of address values and, with respect to a same address value, in an order of real data>dummy data, the sorting order can be changed by adjusting ascending order/descending order of subsequent sorting and ranking.
A′ after the sort is an array (an array of n+BZ items of data) such as A′=((3, 0), (dummy, 1), (dummy, 1), . . . , (11, 0), (dummy, 1), . . . ).
<S106>
In S106, the server 100 performs ranking based on the sorted address values. In other words, the server 100 computes [[ADDR′·rank0]]←Rank ([[ADDR′·addr0]]).
ADDR′·rank0 is, for example, an array (an array of n+BZ items of data) such as ADDR′·rank0=(1, 2, 3, 4, . . . , 1, 2, 3, . . . , 1, 2, 3, 4, 5).
<S107>
In S107, the server 100 sorts the data array and the storage destination data array in descending order based on the first rank. In other words, [[A′]]←Sort ([[ADDR′·rank0]], [[A′]]) and [[ADDR′]]←Sort ([[ADDR′·rank0]], [[ADDR′]]) are computed to be sorted in descending order of rank0i. This operation can be similarly implemented by simply sorting the respective arrays in ascending order and then rearranging the arrays in the reverse order.
<S108>
In S108, the server 100 performs sorting based on the second address value addr1i and the flag in a similar manner to the processing in S105. In other words, the server 100 computes [[A′]]←Sort([[ADDR′·pos1]], [[A′]]) and [[ADDR′]]←Sort([[ADDR′·pos1]], [[ADDR′]]). At this point, using a stable sort enables sorting to be implemented in the orders of real data>dummy data and high rank>low rank with respect to a same address value.
<S109>
In S109, the server 100 performs ranking based on the second sorted address value in a similar manner to the processing in S106. In other words, the server 100 computes [[ADDR′·rank1]]←Rank ([[ADDR′·addr1]]).
<S110>
In S110, with respect to each element [[bi]]=([[addr0i]], [[addr1i]], [[ei]], [[rank0i]], [[rank1i]]) of the storage destination data array [[ADDR′]], the server 100 extracts the address value of the lower rank. In other words, based on a magnitude comparison [[zi]]←[[[rank0i]]≤?[[rank1i]]], the server 100 computes [[addri]]←[[addr1i]]+[[zi]]×([[addr0i]]−[[addr1i]]), which selects addr0i when zi=1 and addr1i otherwise. Thereafter, an array [[ADDRfin]]=(([[addr0]], [[e0]]), . . . , ([[addrn+BZ-1]], [[en+BZ-1]])) integrating the selected address value and the flag is computed.
<S111>
In S111, the server 100 sorts each item of data in ascending order based on the newly obtained array [[ADDRfin]]. In other words, the server 100 computes [[A′]]←Sort([[ADDRfin]], [[A′]]) and [[ADDRfin]]←Sort([[ADDRfin]], [[ADDRfin]]).
<S112>
In S112, the server 100 computes a rank array [[R]]=Rank([[ADDRfin·addr]]) using an array [[ADDRfin·addr]] created by extracting only the address value portion of [[ADDRfin]], and further obtains an array [[Y]]=([[y0]], . . . , [[yn+BZ-1]]) as a result of computing a magnitude comparison [[yi]]←[[[ri]]≤?Z] with respect to each element [[ri]] of [[R]]. At this point, data with yi=1 is to be stored in the table while data with yi=0 is to be deleted; since each address value has at least Z entries including its dummies, exactly Z entries remain per address value.
<S113>
In S113, the server 100 sorts the data array in ascending order using [[Y]]. In other words, the server 100 computes [[A′]]←Sort ([[Y]], [[A′]]). Subsequently, only BZ elements at the end are outputted as a hash table and other elements are deleted. Two private keys [[s0]] and [[s1]] are also output as access information to accompany the hash table.
In the present first example, if [[ki]] has O(log n) bits and BZ=O(n) is satisfied, then an amount of inter-server communication is O(n log^2 n) bits due to sorting, ranking, and comparing.
Next, a second example will be described. The present second example shows a more efficient method of constructing a table equivalent to that of the first example. In the first example, due to a data array [[A]] (or [[A′]]) being always sorted together with a storage destination data array, in addition to simply increasing the number of executions of sorting, there is a possibility of a decline in efficiency due to sorting a data array when large data vi is added to a key and a flag.
While the present second example follows the algorithm of the first example in principle, the present second example uses encryption in secret computation to reduce the number of executions of sorting and constructs a secret hash table as follows. Hereinafter, a description will be provided following the procedures shown in the flow chart of
<S201>
In S201, the server 100 performs shuffling with respect to [[A]] in a similar manner to S101 in the first example so that [[A]]←Shuffle([[A]]). However, this operation may be omitted depending on the state of the input [[A]] and the level of safety to be satisfied.
<S202>
In S202, the server 100 generates a private key [[s]] of a concealed block cipher and computes a secret tag array [[Tag]]=([[tag0]], . . . , [[tagn-1]]); [[tagi]]←Enc([[i]], [[s]]) that corresponds to [[A]]. Note that the private key [[s]] can also be generated before start of the protocol.
<S203>
In S203, the server 100 computes a storage destination data array [[ADDR]]=(([[addr00]], [[addr10]], [[e0]], [[rank00]], [[rank10]], [[tag0]]), . . . , ([[addr0n-1]], [[addr1n-1]], [[en-1]], [[rank0n-1]], [[rank1n-1]], [[tagn-1]])) in a similar manner to S102 in the first example. The only difference from the first example is inclusion of the tag [[tag]].
<S204>
In S204, the server 100 generates a dummy storage destination data array [[ADDRd]]=([[d0]], . . . , [[dBZ-1]]); di=(floor(i/Z), floor(i/Z), [[1]], [[0]], [[0]], [[tagdi]]) in a similar manner to S103 in the first example to obtain [[ADDR′]]=[[ADDR]]∥[[ADDRd]], where [[tagdi]]←PRF([[n+i]], [[s]]).
<S205>
In S205, the server 100 generates a dummy data stream [[Ad]]=([[ad0]], . . . , [[adBZ-1]]); adi=(dummy, 1) in a similar manner to S104 in the first example to obtain [[A′]]=[[A]]∥[[Ad]]. In addition, using the tag array [[Tagd]]=([[tagd0]], . . . , [[tagdBZ-1]]) computed in S204 in the present second example, [[Tag′]]←[[Tag]]∥[[Tagd]] is set.
<S206>
In S206, in order to conceal and randomize an arrangement order of the arrays [[A′]] and [[Tag′]], the server 100 computes ([[A′]], [[Tag′]])←Shuffle ([[A′]], [[Tag′]]). In this operation, the same shuffle processing is executed in parallel in order to randomize the two arrays while maintaining a correspondence relation between the two arrays.
<S207>
In S207, the server 100 performs processing steps similar to those in S105 to S113 in the first example. However, in the second example, the array [[A′]] is left untouched and only the storage destination data array is operated in the respective procedures corresponding to S105 to S112 in the first example, and when obtaining a new storage destination data array in the procedure corresponding to S110 in the first example, tag information is carried over by regarding each element of [[ADDRfin]] as ([[addri]], [[ei]], [[tagi]]).
<S208>
In S208, the server 100 sorts [[ADDRfin]] in ascending order using [[Y]] obtained in a procedure corresponding to S112 in the first example. In other words, the server 100 computes [[ADDRfin]]←Sort ([[Y]], [[ADDRfin]]). Subsequently, only BZ elements at the end are retained and the other elements are deleted.
<S209>
In S209, the server 100 restores all the elements of the tag array [[Tag′]] and returns the elements to plain text. At the same time, all the tags included in [[ADDRfin]] are restored and returned to plain text. From the data array [[A′]], BZ elements of which corresponding tags are included in [[ADDRfin]] are extracted and arranged in an arrangement order of [[ADDRfin]] to form a hash table. Finally, the hash table and the private keys [[s0]], [[s1]] are output.
In the present second example, if [[ki]] has O(log n) bits and BZ=O(n) is satisfied, then an amount of inter-server communication is O(n log^2 n) bits due to sorting, ranking, and comparing. Compared to an amount of inter-server communication becoming ω(n log^2 n) bits when a data size of a set (ki, ei, vi) including any data vi is ω(log n) bits in the first example, the present example has an advantage that O(n log^2 n) bits will suffice regardless of the size of vi.
Next, a third example will be described. In the third example, a data reference method to the secret hash tables constructed in the first and second examples will be described. As a premise, the server 100 is assumed to store, in the data storage unit 140, the secret hash table (size: B×Z) and the private keys [[s0]], [[s1]] constructed in the first or second example. In addition, although the user terminal 300 is assumed to have a key k to be accessed, the key k may be selected by the server itself based on an agreement between servers. Hereinafter, a description will be provided following the procedures shown in the flow chart of
<S301>
In S301, the user terminal 300 sends a secret value [[k]] of a key corresponding to data to be accessed to the server 100. However, besides making a request to the server 100 from the user terminal 300, the secret key value can be generated by the server itself based on an agreement between servers.
<S302>
In S302, the server 100 computes two address values [[addr0]]←PRF([[k]], [[s0]]) and [[addr1]]←PRF([[k]], [[s1]]) using a pseudo-random function, and restores the address values to obtain addr0 and addr1.
<S303>
In S303, the server 100 extracts 2Z elements corresponding to addr0 and addr1 from the hash table stored in the data storage unit 140. In other words, when the hash table is replaced with an array [[Table]]=([[a0]], . . . , [[aBZ-1]]), then [[a]]=([[aZ×addr0]], . . . , [[aZ×addr0+Z-1]], [[aZ×addr1]], . . . , [[aZ×addr1+Z-1]]) is acquired.
<S304>
In S304, with respect to each item of data [[aj]] in [[a]], the server 100 compares keys and computes [[c]]=([[c0]], . . . , [[c2Z-1]]); [[cj]]=[[[kj]]=? [[k]]].
<S305>
In S305, the server 100 computes an inner product [[a]]←<[[a]], [[c]]> and either returns the inner product to the user terminal 300 or restores the inner product based on an agreement between servers. Alternatively, the inner product may not be restored and may be used for completely different secret computation processing.
In the present third example, a communication amount between the user and the server is O(log n) bits and an amount of inter-server communication is O(Z log n) bits.
In the present fourth example, a method of deleting data in the secret hash tables constructed in the first and second examples will be described. As a premise, the server 100 is assumed to store, in the data storage unit 140, the secret hash table (size: B×Z) and the private keys [[s0]], [[s1]] constructed in the first or second example. In addition, although the user is assumed to have a key k of data to be deleted, the key k may be selected by the server itself based on an agreement between servers. Hereinafter, a description will be provided following the procedures shown in the flow chart of
<S401>
In S401, the user terminal 300 sends a secret value [[k]] of a key to be deleted to the server 100. However, besides making a request to the server 100 from the user terminal 300, the secret key value can be generated by the server itself based on an agreement between servers.
<S402>
In S402, the server 100 computes two address values [[addr0]]←PRF ([[k]], [[s0]]) and [[addr1]]←PRF ([[k]], [[s1]]) using a pseudo-random function, and restores the address values to obtain addr0 and addr1.
<S403>
In S403, the server 100 extracts 2Z elements corresponding to addr0 and addr1 from a hash table stored in the data storage unit 140. In other words, when the hash table is replaced with an array [[Table]]=([[a0]], . . . , [[aBZ-1]]), then [[a]]=([[aZ×addr0]], . . . , [[aZ×addr0+Z-1]], [[aZ×addr1]], . . . , [[aZ×addr1+Z-1]]) is acquired.
<S404>
In S404, with respect to each item of data [[aj]] of [[a]], the server 100 performs deletion processing of data ([[k]], [[e]]) based on a comparison of keys. In other words, with respect to all j, [[kj]]←[[kj]]+[[[kj]]=?[[k]]]×(dummy−[[kj]]) and [[ej]]←[[ej]]+[[[kj]]=?[[k]]] are computed.
<S405>
In S405, the server 100 finally overwrites the respective elements of [[a]] at their original positions in the hash table. Communication amounts in the present fourth example are equivalent to those in the third example.
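The following is an added illustration of the third and fourth examples (S302 to S305 and S402 to S405), not code from the patent: it performs the reference and the deletion in the clear over the 2Z candidate slots, using the same arithmetic as the secret-computation steps (equality bit, inner product, masked overwrite) so that no step branches on the key. It assumes a constructed table with B=3 and Z=2 and a fixed two-address map in place of PRF([[k]], [[s0]]) and PRF([[k]], [[s1]]).

```python
DUMMY = -1          # constructed sentinel standing in for the "dummy" key
B, Z = 3, 2

# constructed address map: (addr0, addr1) per key, as PRF(k, s0), PRF(k, s1) would give
ADDR = {10: (0, 1), 20: (0, 1), 30: (0, 2), 40: (1, 2), 50: (1, 0)}

def prf(k, s):
    """Stand-in for the restored address values; s=0 selects s0, s=1 selects s1.
    Keys outside the map are sent to address 0 (assumption of this example)."""
    return ADDR[k][s] if k in ADDR else 0

# constructed hash table: B*Z slots, Z per address value, entries (key, flag, value)
TABLE = [(10, 0, 100), (DUMMY, 1, 0),      # address 0
         (50, 0, 500), (20, 0, 200),       # address 1
         (30, 0, 300), (40, 0, 400)]       # address 2

def candidate_slots(k):
    """S302/S303, S402/S403: indices of the 2Z slots under addr0 and addr1 (the
    indices are public after restoration).  When addr0 = addr1 the Z slots are
    listed once so that a match is counted once below (choice of this example)."""
    addrs = sorted({prf(k, 0), prf(k, 1)})
    return [Z * a + j for a in addrs for j in range(Z)]

def reference(table, k):
    """S304/S305: c_j = [k_j =? k] for each candidate slot, then <a, c> component-wise.
    Returns (key, flag, value); the all-zero tuple when k is absent (every c_j is 0)."""
    slots = candidate_slots(k)
    c = [1 if table[j][0] == k else 0 for j in slots]
    return tuple(sum(cj * table[j][i] for cj, j in zip(c, slots)) for i in range(3))

def delete(table, k):
    """S404/S405: k_j <- k_j + c_j*(dummy - k_j), e_j <- e_j + c_j for every candidate
    slot, then all 2Z slots are written back whether or not any of them matched."""
    new = list(table)
    for j in candidate_slots(k):
        kj, ej, vj = table[j]
        cj = 1 if kj == k else 0
        new[j] = (kj + cj * (DUMMY - kj), ej + cj, vj)
    return new
```

Because every candidate slot is read, combined, and written back, the servers' access pattern is the same for a hit, a miss, and a deletion of a key that is not present.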
In the present fifth example, a method of disassembling the hash table constructed in the first and second examples and a method of extracting all data items will be described. As a premise, the server 100 is assumed to store, in the data storage unit 140, the secret hash table (size: B×Z) constructed in the first or second example. Hereinafter, a description will be provided following the procedures shown in the flow chart of
<S501>
In S501, the server 100 sorts all data items of the hash table in ascending order based on flags thereof. In other words, when the table is replaced with an array [[Table]]=([[a0]], . . . , [[aBZ-1]]) and an array obtained by extracting only flags from the table is [[E]]=([[e0]], . . . , [[eBZ-1]]), then [[Table]]=Sort ([[E]], [[Table]]) is created.
<S502>
In S502, the server 100 adopts the top n items of data of [[Table]] as an array [[A]] and deletes the remaining data.
In the present example, since sorting based on 1-bit information is performed only once, an amount of inter-server communication is O(n log n).
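The deletion of the fourth example (S401 to S405) and the disassembly of the fifth example (S501 and S502), as an added plaintext simulation that is not part of this specification: the secret-shared values [[·]] are replaced by plain integers so that the data-oblivious form of the update rule can be run, and the PRF (an HMAC stand-in), the seeds, the sentinel value used for dummy, and the place() setup helper are assumptions of this example, not the protocol of the first or second example.

```python
import hashlib, hmac

B, Z = 8, 2     # constructed parameters: B address values (buckets) of Z slots each
DUMMY = -1      # constructed sentinel key written into dummy/deleted slots

def prf(key, seed, buckets=B):
    """Stand-in for PRF([[k]], [[s]]): HMAC-SHA256 reduced to a bucket index (assumption)."""
    mac = hmac.new(seed, str(key).encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") % buckets

def new_table():
    """Flattened table [[a_0]], ..., [[a_{BZ-1}]]; a slot is [key, flag], flag 1 = dummy."""
    return [[DUMMY, 1] for _ in range(B * Z)]

def place(table, key, seeds):
    """Constructed setup only (not the first/second example's construction protocol)."""
    for addr in (prf(key, s) for s in seeds):
        for j in range(Z * addr, Z * addr + Z):
            if table[j][1] == 1:
                table[j] = [key, 0]
                return j
    raise OverflowError("both buckets are full")

def delete(table, key, seeds):
    """Fourth example: S402 derive addr0/addr1, S403/S404 touch all 2Z slots, S405 write back."""
    addr0, addr1 = (prf(key, s) for s in seeds)                 # S402
    for addr in (addr0, addr1):                                  # S403: 2Z candidate slots
        for j in range(Z * addr, Z * addr + Z):
            kj, ej = table[j]
            eq = int(kj == key)       # [[k_j]] =? [[k]]; a secret-shared bit in the real protocol
            # S404: k_j <- k_j + eq*(dummy - k_j); e_j <- e_j + eq, no data-dependent branch
            table[j] = [kj + eq * (DUMMY - kj), ej + eq]         # S405: overwrite in place
    return table

def disassemble(table, n):
    """Fifth example: S501 sort by flag ascending (real data first), S502 keep the top n."""
    ordered = sorted(table, key=lambda slot: slot[1])            # Sort([[E]], [[Table]])
    return [k for k, _ in ordered[:n]]

def real_count(table):
    """Number of non-dummy slots, i.e. the n handed to disassemble()."""
    return sum(1 for _, e in table if e == 0)

if __name__ == "__main__":
    seeds = (b"seed0", b"seed1")                                 # constructed PRF seeds s0, s1
    t = new_table()
    for k in (10, 20, 30):
        place(t, k, seeds)
    delete(t, 20, seeds)
    print(disassemble(t, real_count(t)))                         # the surviving keys 10 and 30
```

In the real protocol the comparison bit and the products are computed on shares, so the only thing a server learns from a deletion is the pair of restored addresses, which the same loop shape makes explicit here.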
According to the present embodiment, using secret computation enables a secret hash table to be constructed without communication with a user. In doing so, by using secret computation processing for ranking, the number of executions of secret sorting required to construct a table can be significantly reduced, and the communication cost can be significantly reduced as compared with conventional methods.
Specifically, by allocating two kinds of address values to each item of data when constructing a secret hash table, the amount of inter-server communication can be reduced from O(n log^2.5 n) to O(n log^2 n) while retaining the advantage of the conventional method, namely a reduced table size. Operations can also be performed on a constructed table.
(Supplementary Items)
The present specification discloses at least a secret hash table construction apparatus, a secret hash table construction system, a secret hash table construction method, and a program according to each of the following supplementary items.
(Item 1)
A secret hash table construction apparatus for constructing a secret hash table capable of storing up to a maximum of Z items of data in each of B kinds of address values by secret computation from a real data stream including a plurality of items of data each having a key and a flag indicating whether or not the data is dummy data, the secret hash table construction apparatus including a computing unit which:
(Item 2)
The secret hash table construction apparatus according to item 1, wherein
(Item 3)
The secret hash table construction apparatus according to item 1 or 2, wherein
(Item 4)
The secret hash table construction apparatus according to any one of items 1 to 3, wherein
(Item 5)
The secret hash table construction apparatus according to any one of items 1 to 4, wherein
(Item 6)
A secret hash table construction system for constructing a secret hash table capable of storing up to a maximum of Z items of data in each of B kinds of address values by secret computation from a real data stream including a plurality of items of data each having a key and a flag indicating whether or not the data is dummy data, the secret hash table construction system including a computing unit which:
(Item 7)
A secret hash table construction method executed by a secret hash table construction system for constructing a secret hash table capable of storing up to a maximum of Z items of data in each of B kinds of address values by secret computation from a real data stream including a plurality of items of data each having a key and a flag indicating whether or not the data is dummy data, the secret hash table construction method including the steps of:
(Item 8)
A program causing a computer to function as the computing unit of the secret hash table construction apparatus according to any one of items 1 to 5.
While the present embodiment has been described above, it is to be understood that the present invention is not limited to the specific embodiment and that various modifications and changes can be made within the scope of the gist of the present invention described in the claims.
Filing Document | Filing Date | Country | Kind
---|---|---|---
PCT/JP2020/046125 | 12/10/2020 | WO |

Publishing Document | Publishing Date | Country | Kind
---|---|---|---
WO2022/123744 | 6/16/2022 | WO | A
Number | Date | Country
---|---|---
20240028576 A1 | Jan 2024 | US