The present invention relates to a technique for performing modulus transformation in secure computation.
Modulus conversion, which transforms the modulus of a secret-sharing value, is a basic operation that is used frequently in secure computation. The efficiency of modulus conversion therefore has a large effect on the speed of the entire secure computation.
As prior art for an efficient modulus conversion method for the case in which the condition of quotient transfer is satisfied, NPL 1 is known.
However, the prior art has the problem that it cannot be used when the condition of quotient transfer is not satisfied.
An object of the present invention is to provide a secure modulus conversion system, a distributed processing apparatus, a secure modulus conversion method, and a program that can efficiently perform modulus conversion even when a condition of quotient transfer is not satisfied.
In order to solve the above problem, according to one embodiment of the present invention, the secure modulus conversion system includes n distributed processing apparatuses. Each of the n distributed processing apparatuses includes a first secret sharing conversion unit, a bit decomposition unit, an addition unit, a first modulus conversion unit, a second secret sharing conversion unit, and a secure computation unit; two distributed processing apparatuses p0, p1 of the n distributed processing apparatuses each further include a second modulus conversion unit. Let [[a]]p be a (k,n)-secret-sharing share of a plain text a by modulo p, where n is an integer of 3 or more and k is an integer of 2 or more and less than n, and let <a>p be a (k,k)-additive-secret-sharing share of the plain text a. The n first secret sharing conversion units convert the (k,n)-secret-sharing share [[a]]p into the (k,k)-additive-secret-sharing share <a>p, whose shares <a>p0 and <a>p1 are held by the distributed processing apparatuses p0 and p1; the bit decomposition unit of the distributed processing apparatus p0 calculates a′0 := <a>p0 + (2^|p| − p) using the share <a>p0; the n bit decomposition units execute (k,n)-secret-sharing for each bit of a′0 to obtain a bit representation share [[a′0]]2^|p|, and execute (k,n)-secret-sharing for each bit of the share <a>p1 to obtain a bit representation share [[a1]]2^|p|; the n addition units obtain a bit representation share [[a′0 + a1]]2^(|p|+1) of a′0 + a1 from the share [[a′0]]2^|p| and the share [[a1]]2^|p| by an addition circuit, and take the most significant bit of the share [[a′0 + a1]]2^(|p|+1) as the share [[q]]2; the n first modulus conversion units obtain a share [[q]]Q from the share [[q]]2 by mod 2 → mod Q conversion; the two second modulus conversion units obtain
<a>p0 mod Q and <a>p1 mod Q from <a>p0 and <a>p1, respectively, and set them as a share <a′>Q; the n second secret sharing conversion units convert the share <a′>Q into (k,n)-secret-sharing to obtain a (k,n)-secret-sharing share [[a′]]Q; and the n secure computation units calculate [[a]]Q = [[a′]]Q − p[[q]]Q from the share [[a′]]Q and the share [[q]]Q.
In order to solve the above problem, according to another embodiment of the present invention, the distributed processing apparatus is included in a secure modulus conversion system. Let [[a]]p be a (k,n)-secret-sharing share of a plain text a by modulo p, where n is an integer of 3 or more and k is an integer of 2 or more and less than n, and let <a>p be a (k,k)-additive-secret-sharing share of the plain text a. The distributed processing apparatus includes: the first secret sharing conversion unit which, together with (n−1) distributed processing apparatuses, converts the (k,n)-secret-sharing share [[a]]p into the (k,k)-additive-secret-sharing share <a>p, whose shares <a>p0 and <a>p1 are held by the distributed processing apparatuses p0 and p1; the bit decomposition unit which calculates a′0 := <a>p0 + (2^|p| − p) and, together with (n−1) distributed processing apparatuses, executes (k,n)-secret-sharing for each bit of a′0 to obtain a bit representation share [[a′0]]2^|p|, and executes (k,n)-secret-sharing for each bit of the share <a>p1 to obtain a bit representation share [[a1]]2^|p|; the addition unit which, together with (n−1) distributed processing apparatuses, obtains a bit representation share [[a′0 + a1]]2^(|p|+1) of a′0 + a1 from the share [[a′0]]2^|p| and the share [[a1]]2^|p| by an addition circuit, the most significant bit of the share [[a′0 + a1]]2^(|p|+1) being taken as the share [[q]]2; the first modulus conversion unit which, together with (n−1) distributed processing apparatuses, obtains a share [[q]]Q from the share [[q]]2 by mod 2 → mod Q conversion; the second modulus conversion unit which sets <a>p0 mod Q and <a>p1 mod Q as a share <a′>Q; the second secret sharing conversion unit which, together with (n−1) distributed processing apparatuses, converts the share <a′>Q into (k,n)-secret-sharing to obtain a (k,n)-secret-sharing share [[a′]]Q; and the secure
computation unit which, together with (n−1) distributed processing apparatuses, calculates [[a]]Q = [[a′]]Q − p[[q]]Q from the share [[a′]]Q and the share [[q]]Q.
According to the present invention, the modulus conversion can be efficiently performed even when the condition of the quotient transfer is not satisfied.
Hereinafter, embodiments of the present invention will be described. In the drawings used for the following description, the same reference numerals are given to components having the same functions or to steps performing the same processing, and repeated description is omitted. In the following description, symbols such as "→" that should be placed directly above the character immediately following them are instead placed immediately before that character because of the limitations of text notation; in formulas they are written in their original positions. Further, processing performed in units of elements, such as on vectors and matrices, is applied to all elements of the vector or matrix unless otherwise specifically noted.
First, the notation in the present embodiment will be described.
Next, two secret sharings, i.e., (k,n)-secret-sharing and (k,k)-additive-secret-sharing used in this embodiment, will be described.
<(k,n)-secret-sharing>
(k,n)-secret-sharing is a security technique in which an input plain text is divided into n fragments (called shares) and the fragments are distributed to n different subjects (called parties) P = (p0, . . . , pn−1), such that any k shares can restore the plain text and no information about the plain text can be obtained from k−1 or fewer shares. Examples are Shamir secret sharing and replicated (duplicated) secret sharing. In the present embodiment, the set of all shares obtained by (k,n)-secret-sharing a value x in plain text under modulo y is expressed as [[x]]y, and the share of the party pr is expressed as [[x]]yr, where r = 0, . . . , n−1.
<(k,k)-additive-secret-sharing>
(k,k)-secret-sharing is the case n = k of (k,n)-secret-sharing; the plain text cannot be restored unless the shares of all parties are collected. (k,k)-secret-sharing by replicated (duplicated) secret sharing is in particular called additive secret sharing, the simplest scheme, in which the plain text is restored simply by adding the k shares. In the present embodiment, the set of all shares obtained by (k,k)-additive-secret-sharing a value x in plain text under modulo y is expressed as <x>y, and the share of the party pr is expressed as <x>yr.
Next, the non-quotient transfer modulus conversion protocol used in this embodiment will be described.
The non-quotient-transfer modulus conversion protocol used in the present embodiment can efficiently perform modulus conversion on a prime field even when the condition of quotient transfer is not satisfied. The condition of quotient transfer herein means that a predetermined number of empty bits is available. In the protocol, a′0 + a1 = a + qp + 2^|p| − p = a + 2^|p| − (1−q)p holds, where q ∈ {0, 1} is the quotient in <a>p0 + <a>p1 = a + qp. When q = 0, a′0 + a1 = 2^|p| − (p − a), and since a < p, a′0 + a1 is smaller than 2^|p|; that is, q = 0 ↔ a′0 + a1 < 2^|p|. When q = 1, a′0 + a1 = 2^|p| + a, and since a ≥ 0, a′0 + a1 is 2^|p| or more; that is, q = 1 ↔ a′0 + a1 ≥ 2^|p|. Therefore the most significant bit of a′0 + a1, namely the |p|-th bit (counting from bit 0), is equal to q.
In the following, the non-quotient-transfer modulus conversion protocol utilizing the above relationship will be described.
Input: (k,n)-secret-sharing share [[a]]p.
Parameter: the bit length |p| of p.
Output: (k,n)-secret-sharing share [[a]]Q by a different modulo Q.
Step 1: The share [[a]]p is converted into a (k,k)-additive-secret-sharing share <a>p. It is assumed that k = 2 and that the parties p0, p1 hold the shares <a>p0, <a>p1. The conversion from (k,n)-secret-sharing to (k,k)-additive-secret-sharing can be carried out by a known technique, for example, any of the methods described in NPL 1.
Step 2: The party p0 calculates a′0 := <a>p0 + (2^|p| − p) by addition on Z, without reduction mod p, and each bit of a′0 is shared by (k,n)-secret-sharing to obtain a bit representation share [[a′0]]2^|p|. Since <a>p0 < p, a′0 < 2^|p| holds, so a′0 fits in |p| bits. The bit decomposition can be performed by a known technique, for example, any of the methods described in NPL 1.
Step 3: Each bit of the share <a>p1 of the party p1 is shared by (k,n)-secret-sharing to obtain a bit representation share [[a1]]2^|p|.
Step 4: A bit representation share [[a′0 + a1]]2^(|p|+1) of a′0 + a1 is obtained by an addition circuit. After the addition circuit computation, the bit length increases by 1, from |p| to |p|+1.
Step 5: The most significant bit of [[a′0 + a1]]2^(|p|+1) is taken as [[q]]2. q is the quotient of the share <a>p, that is, the q in <a>p0 + <a>p1 = a + qp.
Step 6: [[q]]Q is obtained from [[q]]2 by mod 2 → mod Q conversion. The mod 2 → mod Q conversion can be performed by a known technique, for example, any of the methods described in NPL 1.
Step 7: The parties p0, p1 obtain <a>p0 mod Q, <a>p1 mod Q from <a>p0, <a>p1 respectively, and set them as <a′>Q. Here, a′ = a + qp mod Q holds.
Step 8: The (k,k)-additive-secret-sharing share <a′>Q is converted into a (k,n)-secret-sharing share to obtain a (k,n)-secret-sharing share [[a′]]Q. The conversion from (k,k)-additive-secret-sharing to (k,n)-secret-sharing can be performed by a known technique, for example, any of the methods described in NPL 1.
Step 9: [[a]]Q = [[a′]]Q − p[[q]]Q is calculated and output.
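The following Python simulation is added here as an illustration and is not part of the original specification or of NPL 1. It carries Steps 2 to 9 through in the clear for the two additive shares held by the parties p0 and p1: the (k,n) sharing, the bit-wise sharing of Steps 2 and 3, and the mod 2 → mod Q conversion of Step 6 are known sub-protocols and are stood in for by local computation (labelled as such in the comments), so what is demonstrated is the arithmetic the protocol relies on: the public offset 2^|p| − p, the carry-out bit of the addition circuit being equal to q, and the linear correction [[a′]]Q − p[[q]]Q that every party applies to its own share. All function names and the chosen moduli are assumptions. The exhaustive check over p = 7 (where 2^|p| − p = 1) covers every plain text and every share split, and the random check over p = 2^61 − 1 (again 2^|p| − p = 1, that is, no empty bit at all) shows the quotient being recovered when the quotient-transfer condition is not satisfied.

```python
import secrets


def additive_share(a, p):
    """(2,2)-additive secret sharing of a under modulo p: s0 + s1 = a + q*p with q in {0, 1}."""
    s0 = secrets.randbelow(p)
    s1 = (a - s0) % p
    return s0, s1


def bit_decompose(x, nbits):
    """Little-endian bit vector of x, exactly nbits wide (x must fit in nbits bits)."""
    if not 0 <= x < (1 << nbits):
        raise ValueError("value does not fit in the requested bit width")
    return [(x >> i) & 1 for i in range(nbits)]


def addition_circuit(xbits, ybits):
    """Ripple-carry adder on two equal-width bit vectors; the result is one bit wider."""
    carry, out = 0, []
    for bx, by in zip(xbits, ybits):
        out.append(bx ^ by ^ carry)
        carry = (bx & by) | (carry & (bx ^ by))
    out.append(carry)  # bit |p| of the sum: this is the quotient q
    return out


def modulus_convert(s0, s1, p, Q):
    """Steps 2-9 of the protocol, simulated in the clear on the two additive shares.

    Returns the two output shares (o0, o1), with o0 + o1 = a (mod Q), and the recovered q.
    """
    bitlen = p.bit_length()  # |p|
    # Step 2: party p0 adds the public offset 2^|p| - p on Z, without reducing mod p.
    # Because s0 < p, a'_0 < 2^|p|, so a'_0 still fits in |p| bits.
    a0_prime = s0 + ((1 << bitlen) - p)
    b0 = bit_decompose(a0_prime, bitlen)   # stands in for the (k,n) bit sharing [[a'_0]]
    # Step 3: party p1's share is decomposed as it is.
    b1 = bit_decompose(s1, bitlen)         # stands in for the (k,n) bit sharing [[a_1]]
    # Steps 4-5: a'_0 + a_1 = a + 2^|p| - (1-q)p.  With 0 <= a < p this sum is below
    # 2^|p| exactly when q = 0 and at least 2^|p| exactly when q = 1, so bit |p| is q.
    q = addition_circuit(b0, b1)[bitlen]
    # Step 6: mod 2 -> mod Q conversion of q.  Simulated here by re-sharing q additively
    # mod Q; in the protocol this is a known MPC sub-protocol (assumption of this example).
    q0 = secrets.randbelow(Q)
    q1 = (q - q0) % Q
    # Step 7: each party reduces its own share mod Q; they now share a' = a + q*p (mod Q).
    t0, t1 = s0 % Q, s1 % Q
    # Step 9: [[a]]_Q = [[a']]_Q - p*[[q]]_Q is linear, so each party applies it locally.
    o0 = (t0 - p * q0) % Q
    o1 = (t1 - p * q1) % Q
    return o0, o1, q


def exhaustive_check(p, Q):
    """Every plain text and every share split for a small p; q is checked against the true quotient."""
    for a in range(p):
        for s0 in range(p):
            s1 = (a - s0) % p
            o0, o1, q = modulus_convert(s0, s1, p, Q)
            if q != (s0 + s1) // p or (o0 + o1) % Q != a % Q:
                return False
    return True


def random_check(p, Q, trials):
    """Random plain texts and splits for a large p, e.g. p = 2^61 - 1 where 2^|p| - p = 1."""
    for _ in range(trials):
        a = secrets.randbelow(p)
        s0, s1 = additive_share(a, p)
        o0, o1, _ = modulus_convert(s0, s1, p, Q)
        if (o0 + o1) % Q != a % Q:
            return False
    return True


if __name__ == "__main__":
    print("p = 7, Q = 11 exhaustive:", exhaustive_check(7, 11))
    print("p = 2^61 - 1, Q = 2^64 random:", random_check(2**61 - 1, 2**64, 1000))
```

The check q == (s0 + s1) // p in exhaustive_check is the property the whole construction rests on: with k = 2 and both shares below p, the sum of the shares is a + qp with q either 0 or 1, and the offset makes that single bit visible as the carry-out of a |p|-bit addition, so no spare high-order bits in p are needed.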
In the following, a secure modulus conversion system for realizing the above-mentioned non-quotient-transfer modulus conversion protocol will be described.
The secure modulus conversion system 1 includes n distributed processing apparatuses 100-r. Here, n is any integer of 3 or more, and r = 0, 1, . . . , n−1. The n distributed processing apparatuses 100-r can communicate with each other via the communication line 2.
The secure modulus conversion system 1 takes as input a share [[a]]p obtained by (k,n)-secret-sharing a numerical value a by modulo p and, using the bit length |p| of p, obtains and outputs a share [[a]]Q obtained by (k,n)-secret-sharing the numerical value a by a modulo Q different from the modulo p. Note that p and Q are public.
The distributed processing apparatus is a special device configured by loading a special program into a known or dedicated computer having, for example, a central processing unit (CPU) and a main memory (RAM: random access memory). The distributed processing apparatus executes each process under the control of the central processing unit, for example. The data input to the distributed processing apparatus and the data obtained by each process are stored in the main storage device, for example, and the data stored in the main storage device are read out to the central processing unit as necessary and used for other processing. At least a part of each processing unit of the distributed processing apparatus may be constituted by hardware such as an integrated circuit. Each storage unit provided in the distributed processing apparatus can be constituted by a main storage device such as a RAM, or by middleware such as a relational database or a key-value store. However, each storage unit need not be provided inside the distributed processing apparatus; it may be constituted by an auxiliary storage device such as a hard disk, an optical disk or a semiconductor memory element such as a flash memory, or may be provided outside the distributed processing apparatus.
<Distributed Processing Apparatus 100-r>
The distributed processing apparatus 100-r includes a first secret sharing conversion unit 101, a bit decomposition unit 103, an addition unit 105, a first modulus conversion unit 109, a second modulus conversion unit 111, a second secret sharing conversion unit 115, and a secure computation unit 117.
In the present embodiment, k in (k,k)-additive-secret-sharing is set to k = 2, n in (k,n)-secret-sharing is set to any integer of 3 or more, and k is set to any integer of 2 or more and less than n, for example, k = 2 and n = 3.
In the following, processing that is performed by each unit will be described with reference to
The n first secret sharing conversion units 101 convert the (k,n)-secret-sharing share [[a]]p into a (k,k)-additive-secret-sharing share <a>p (step S101). As described above, k in (k,k)-additive-secret-sharing is set to k = 2; the distributed processing apparatus 100-0 corresponding to the party p0 holds the share <a>p0, and the distributed processing apparatus 100-1 corresponding to the party p1 holds the share <a>p1.
The bit decomposition unit 103 of the distributed processing apparatus 100-0 calculates a′0 := <a>p0 + (2^|p| − p) from the share <a>p0 and the public p, by addition on Z without reduction mod p. Note that when <a>p0 is a scalar value, <a>p0 + (2^|p| − p) means addition to the scalar value, and when <a>p0 is a vector, it means addition of (2^|p| − p) to each element of <a>p0.
The n bit decomposition units 103 perform (k,n)-secret-sharing of each bit of a′0 to obtain a bit representation share [[a′0]]2^|p| (step S103-0).
Further, the n bit decomposition units 103 perform (k,n)-secret-sharing of each bit of the share <a>p1 of the distributed processing apparatus 100-1 to obtain a bit representation share [[a1]]2^|p| (step S103-1).
The n addition units 105 obtain a bit representation share [[a′0 + a1]]2^(|p|+1) of a′0 + a1 by an addition circuit from the share [[a′0]]2^|p| and the share [[a1]]2^|p| obtained in steps S103-0 and S103-1 (step S105).
The most significant bit of [[a′0 + a1]]2^(|p|+1) is taken as the share [[q]]2. Note that q is the quotient of the share <a>p, that is, the q in <a>p0 + <a>p1 = a + qp.
The n first modulus conversion units 109 obtain a share [[q]]Q from the share [[q]]2 by mod 2 → mod Q conversion.
The two second modulus conversion units 111 (those of the distributed processing apparatus 100-0 and the distributed processing apparatus 100-1) obtain <a>p0 mod Q and <a>p1 mod Q from <a>p0 and <a>p1, respectively, and set them as the share <a′>Q (step S111). Here, a′ = a + qp mod Q holds.
For example, (i) when <a>p0 (or <a>p1) is smaller than Q, it may be used as it is as <a>p0 mod Q (or <a>p1 mod Q), and only when it is Q or more may <a>p0 mod Q (or <a>p1 mod Q) be calculated; or (ii) <a>p0 mod Q and <a>p1 mod Q may always be calculated regardless of the magnitude relation between <a>p0, <a>p1 and Q.
Since only the second modulus conversion units 111 of the distributed processing apparatus 100-0 and the distributed processing apparatus 100-1 perform step S111, only the distributed processing apparatus 100-0 and the distributed processing apparatus 100-1 need include the second modulus conversion unit 111.
The n second secret sharing conversion units 115 convert the (k,k)-additive-secret-sharing share <a′>Q into a (k,n)-secret-sharing share to obtain a (k,n)-secret-sharing share [[a′]]Q (step S115).
The n secure computation units 117 calculate [[a]]Q = [[a′]]Q − p[[q]]Q from the share [[a′]]Q and the share [[q]]Q (step S117), and output it as the output value of the secure modulus conversion system.
With the above-described configuration, the modulus conversion can be efficiently performed even when the condition of the quotient transfer is not satisfied.
The processing efficiency of the algorithm is evaluated. In the secure modulus conversion system according to the present embodiment, the communication amount is |Q|+|q| bits, |p| rounds.
Throughput was measured at three input sizes, 1,000 items, 1 million items and 10 million items, and the actual number of rounds was measured with the network delay set to a maximum of 100 ms. Throughput is given in [M op/s] and the number of rounds is dimensionless. Results are shown for the active model (an extension of the passive version) as well as for the passive model. The security parameter of the active model is 8 bits, giving an attack detection rate of about 99%. This probability is sufficient to suppress attacks because, unlike the case of computational security, an off-line attack is impossible.
The present invention is not limited to the foregoing embodiments and modified examples. For example, the above-described various kinds of processing may be performed chronologically, as described above, and may also be performed in parallel or individually in accordance with a processing capability of a device performing the processing or as necessary. In addition, changes can be made appropriately within the scope of the present invention without departing from the gist of the present invention.
The various kinds of processing described above can be implemented by loading a program that executes each step of the above method into a storage unit 2020 of the computer shown in
The program describing the processing contents can be recorded on a computer-readable recording medium. As the computer-readable recording medium, for example, any of a magnetic recording device, an optical disc, a magneto-optical recording medium, and a semiconductor memory may be used.
In addition, the distribution of this program is carried out by, for example, selling, transferring, or lending a portable recording medium such as a DVD or a CD-ROM on which the program is recorded. Further, the program may be distributed by storing the program in a storage device of a server computer and transmitting the program from the server computer to other computers via a network.
A computer executing such a program first, for example, stores a program recorded on a portable recording medium, or a program transferred from a server computer, temporarily in its own storage device. Then, at the time of executing the processing, the computer reads the program stored in its own recording medium and executes the processing according to the read program. As another form of execution, the computer may read the program directly from the portable recording medium and execute processing according to the program, or, each time a program is transferred from the server computer to the computer, it may sequentially execute processing according to the received program. In addition, the above-mentioned processing may be executed by a so-called ASP (Application Service Provider) type service, which does not transfer a program from the server computer to the computer and realizes the processing function only by execution instructions and result acquisition. It is assumed that the program in this embodiment includes data that is information to be provided for processing by an electronic computer and that is equivalent to a program (data or the like that is not a direct command to the computer but has the property of specifying the processing of the computer).
In this aspect, the device is configured by executing a predetermined program on a computer, but at least a part of the processing content may be implemented by hardware.
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/JP2020/039079 | 10/16/2020 | WO |