The present invention relates to a secure computation technique, and, particularly, relates to a technique of computing an aggregate function while keeping confidentiality.
An aggregate function is an operation for obtaining statistics grouped based on a value of a key attribute when a table includes a key attribute and a value attribute. The aggregate function is also referred to as a group-by operation. The key attribute is an attribute to be used for grouping records of the table, and, examples of the key attribute can include, for example, an official position, gender, or the like. The value attribute is an attribute to be used for computing statistics, and, examples of the value attribute can include, for example, salary, body height, or the like. The group-by operation is, for example, an operation for obtaining average body height by gender in a case where the key attribute is gender, or the like. The key attribute may be a composite key including a plurality of attributes, and, for example, in a case where the key attributes are gender and age, the group-by operation may be an operation for obtaining average body height of males in their teens, average body height of males in their twenties, . . . . Non-patent literature 1 discloses a method for performing the group-by operation using secure computation.
Aggregate order is one of aggregate functions and is an operation for obtaining at which order within a group, a value of a desired value attribute is positioned, when a table is grouped based on a value of a key attribute. The aggregate order is also referred to as order within the group, and includes ascending order within the group which is order when the value attributes are sorted in ascending order, and descending order within the group which is order when the value attributes are sorted in descending order. For example, when the key attributes are age and gender, and the value attribute is salary, the ascending order within the group is an operation for obtaining at which order the salary is positioned when counting from the lowest among males in their twenties, at which order the salary is positioned when counting from the lowest among males in their thirties, . . . , and the descending order within the group is an operation for obtaining at which order the salary is positioned when counting from the highest among males in their twenties, at which order the salary is positioned when counting from the highest among males in their thirties, . . . .
In a conventional secure computation technique, the number of times of communication required to obtain order within a group is log(n) where n is the number of subjects to be computed, which is inefficient.
In view of the technical problem as described above, an object of the present invention is to provide a technique which is capable of efficiently obtaining order within a group while keeping confidentiality.
To solve the above-described problem, a secure aggregate order system according to a first aspect of the present invention is a secure aggregate order system comprising a plurality of secure computation apparatuses, m being an integer equal to or greater than 2, [v]:=[v0], . . . , [vm−1] being a share obtained by secret sharing a cross tabulation v:=v0, . . . , vm−1 in which the number of records of each group when a table including a key attribute and a value attribute is grouped based on a value of the key attribute is set at elements corresponding to the number of groups from the head, and {{σ}} being a share obtained by secret sharing a permutation σ which moves elements so that last elements of each group are sequentially arranged from beginning when the table is grouped based on the value of the key attribute, each of the secure computation apparatuses comprising, an inverse permutating part configured to generate a share [u]:=[σ−1(v)] which becomes an inversely permutated cross tabulation u:=σ−1(v) obtained by inversely applying the permutation σ to the cross tabulation v, when reconstructed, using the share [v] and the share {{σ}}, a partial summing part configured to generate a share [s] which becomes a vector s:=s0, . . . , sm−1∈F, when reconstructed, by setting a sum from [u0] to [ui] at [si] for each integer i equal to or greater than 0 and equal to or less than m−1 using the share [u], and an order computing part configured to generate a share [x] which becomes a vector x:=x0, . . . , xm−1 representing ascending order within a group, when reconstructed, by setting [x_i]:=[i−s_{i−1}] for each integer i equal to or greater than 1 and equal to or less than m−1 and setting [x_0]:=[0] using the share [s].
To solve the above-described problem, a secure aggregate order system according to a second aspect of the present invention is a secure aggregate order system comprising a plurality of secure computation apparatuses, m being an integer equal to or greater than 2, [v]:=[v0], . . . , [vm−1] being a share obtained by secret sharing a cross tabulation v:=v0, . . . , vm−1 in which the number of records of each group when a table including a key attribute and a value attribute is grouped based on a value of the key attribute is set at elements corresponding to the number of groups from the head, and {{σ}} being a share obtained by secret sharing a permutation σ which moves elements so that last elements of each group are sequentially arranged from beginning when the table is grouped based on the value of the key attribute, each of the secure computation apparatuses comprising, a count shifting part configured to generate a share [v′] which becomes a shifted cross tabulation v′:=v′0, . . . , v′m−1, when reconstructed, by setting [v′_i]:=[v_{i+1}] for each integer i equal to or greater than 0 and equal to or less than m−2 and setting [v′_{m−1}]:=[0] using the share [v], an inverse permutating part configured to generate a share [u′]:=[σ−1(v′)] which becomes an inversely permutated cross tabulation u′:=σ−1(v′) obtained by inversely applying the permutation σ to the shifted cross tabulation v′, when reconstructed, using the share [v′] and the share {{σ}}, a partial summing part configured to generate a share [s′] which becomes a vector s′:=s′0, . . . , s′m−1∈F, when reconstructed, by setting a sum from [u′i] to [u′m−1] at [s′i] for each integer i equal to or greater than 0 and equal to or less than m−1 using the share [u′], and an order computing part configured to generate a share [x′] which becomes a vector x′:=x′0, . . . , x′m−1 representing descending order within a group, when reconstructed, by setting [x′_i]:=[m−i−s′_i−1] for each integer i equal to or greater than 1 and equal to or less than m−1 using the share [s′].
According to a secure aggregate order technique according to the present invention, it is possible to efficiently obtain order within a group with the number of times of communication of O(1) while keeping confidentiality.
Embodiments of the present invention will be described in detail below. Note that the same reference numerals will be assigned to components having the same functions in the drawings, and overlapped description will be omitted.
[x]∈[F] indicates that a certain value x is concealed through secret sharing, or the like, on an arbitrary ring F. {b}∈{B} indicates that a certain value b of one bit is concealed through secret sharing, or the like, on a ring B which can represent one bit. {{s}}∈{{Sm}} indicates that a certain permutation s which belongs to a set Sm of permutations of m elements is concealed through secret sharing, or the like. Hereinafter, a secret shared value will be referred to as a “share”.
<<Ascending Order within Group>>
A first embodiment of the present invention is a secure aggregate order system and method for obtaining ascending order within a group. A configuration example of a secure aggregate order system 100 of the first embodiment will be described with reference to
A configuration example of the secure computation apparatus 1n (n=1, . . . , N) included in the secure aggregate order system 100 of the present embodiment will be described with reference to
The secure computation apparatus 1n is a special apparatus configured by a special program being loaded to a publicly-known or dedicated computer having, for example, a central processing unit (CPU), a main memory (RAM: random access memory), or the like. The secure computation apparatus 1n, for example, executes respective kinds of processing under control by the central processing unit. Data input to the secure computation apparatus 1n and data obtained through the respective kinds of processing are stored in, for example, the main memory, and the data stored in the main memory is read out to the central processing unit as necessary and is utilized for other processing. At least part of respective processing parts of the secure computation apparatus 1n may be configured with hardware such as an integrated circuit.
A processing procedure of the secure aggregate order method (ascending order) to be executed by the secure aggregate order system 100 of the first embodiment will be described with reference to
In step S10, the input part 10 of each secure computation apparatus 1n receives a share [v]∈[F]m obtained by concealing a cross tabulation v∈Fm through secret sharing, and a share {{σ}}∈{{Sm}} obtained by concealing a permutation σ through secret sharing, as an input. m is an integer equal to or greater than 2. The input part 10 outputs the share [v] of the cross tabulation v and the share {{σ}} of the permutation σ to the inverse permutating part 12.
The cross tabulation v is a result obtained by counting the number of records of each group. For example, the cross tabulation v is a vector in which, when a table is stably sorted with a key attribute, records having the same value of the key attribute are put into the same group, a result obtained by counting the number of records of each group is set at elements corresponding to the number of groups from the head, and 0 is set at subsequent elements. The number of groups is an integer equal to or greater than 1 and equal to or less than m, and is not necessarily equal to m. The number of groups is a secret value, and a configuration is employed so that a value of the number of groups is not referred to in the subsequent processing, and processing can be performed even if the number of groups is unknown. Note that stable sort is a sort operation which preserves the order of elements of the same value in a case where elements of the same value exist. For example, if a table sorted in order of employee number is stably sorted with gender, a sort result in which order of the employee number is kept in each type of gender can be obtained.
The permutation σ is a permutation which arranges values of key attributes of each group from the head one by one. For example, the permutation σ is a permutation which moves elements so that, when the table is stably sorted with a key attribute, and when records having the same value of the key attribute are put into the same group, the last elements of each group are sequentially arranged from beginning, and subsequently, other elements are sequentially arranged.
In step S12, the inverse permutating part 12 of each secure computation apparatus 1n generates a share [u]:=[σ−1(v)]∈[F]m which becomes an inversely permutated cross tabulation u:=σ−1(v) obtained by inversely applying the permutation σ to the cross tabulation v, when reconstructed, using the share [v] of the cross tabulation v and the share {{σ}} of the permutation σ. Because the cross tabulation v is a vector in which the number of records of each group is set at elements corresponding to the number of groups from the head, and the permutation σ is a permutation which arranges last elements of each group sequentially from beginning, the inversely permutated cross tabulation u obtained by inversely applying the permutation σ to the cross tabulation v becomes a vector in which the number of records of the group is set at the last element of each group. Hereinafter, there is a case where each element of [u]∈[F]m is referred to by [ui]∈[F] (i=0, . . . , m−1). The inverse permutating part 12 outputs the share [u] of the inversely permutated cross tabulation u to the partial summing part 13.
In step S13, the partial summing part 13 of each secure computation apparatus 1n generates a share [s]∈[F]m which becomes a vector s:=s0, . . . , sm−1 ∈F, when reconstructed, by computing [s]:=prefix-sum([u]) using the share [u] of the inversely permutated cross tabulation u. Here, prefix-sum is an operation for setting a sum from the 0-th element u0 to the i-th element ui of an input vector u at the i-th element si of an output vector s for each integer i equal to or greater than 0 and equal to or less than m−1, using m as a length of the input vector u. The partial summing part 13 outputs the share [s] of the vector s to the order computing part 14.
In step S14, the order computing part 14 of each secure computation apparatus 1n generates a share [x]∈[F]m which becomes ascending order x:=x0, . . . , xm−1∈F within the group, when reconstructed, by setting [x_i]:=[i−s_{i−1}] for each integer i equal to or greater than 1 and equal to or less than m−1 and setting [x_0]:=[0] using the share [s] of the vector s. It should be noted that the ascending order within the group starts from 0. If it is desired to obtain order starting from 1, it is only necessary to add 1 to each order. In other words, to generate the ascending order x, it is only necessary to set [x_i]:=[i−s_{i−1}+1] for each integer i equal to or greater than 1 and equal to or less than m−1 and set [x_0]:=[1]. The order computing part 14 outputs the share [x] of the ascending order x to the output part 15.
In step S15, the output part 15 of each secure computation apparatus 1n outputs the share [x] of the ascending order x.
<<Descending Order within Group>>
A second embodiment of the present invention is a secure aggregate order system and method for obtaining descending order within a group. A configuration example of a secure aggregate order system 101 of the second embodiment will be described with reference to
A configuration example of the secure computation apparatus 2n (n=1, . . . , N) included in the secure aggregate order system 101 of the present embodiment will be described with reference to
A processing procedure of the secure aggregate order method (descending order) to be executed by the secure aggregate order system 101 of the second embodiment will be described with reference to
In step S10, the input part 10 of each secure computation apparatus 2n receives a share [v]∈[F]m obtained by concealing the cross tabulation v∈Fm through secret sharing, and a share {{σ}}∈{{Sm}} obtained by concealing the permutation σ through secret sharing, as an input. The input part 10 outputs the share [v] of the cross tabulation v to the count shifting part 11. Further, the input part 10 outputs the share {{σ}} of the permutation σ to the inverse permutating part 12.
In step S11, the count shifting part 11 of each secure computation apparatus 2n generates a share [v′]∈[F]m which becomes a shifted cross tabulation v′:=v′0, . . . , v′m−1∈Fm, when reconstructed, by setting [v′_i]:=[v_{i+1}] for each integer i equal to or greater than 0 and equal to or less than m−2 and setting [v′_{m−1}]:=[0] using the share [v] of the cross tabulation v. The shifted cross tabulation v′ becomes a vector in which the cross tabulation v which is a vector representing the number of records of each group is shifted forward one by one. The count shifting part 11 outputs the share [v′] of the shifted cross tabulation v′ to the inverse permutating part 12.
In step S12, the inverse permutating part 12 of each secure computation apparatus 2n generates a share [u′]:=[σ−1(v′)]∈[F]m which becomes an inversely permutated cross tabulation u′:=σ−1(v′) obtained by inversely applying the permutation σ to the shifted cross tabulation v′, when reconstructed, using the share [v′] of the shifted cross tabulation v′ and the share {{σ}} of the permutation σ. Because the shifted cross tabulation v′ is a vector obtained by shifting forward one by one, the cross tabulation v in which the number of records of each group is set at elements corresponding to the number of groups from the head, and the permutation σ is a permutation which arranges last elements of each group sequentially from beginning, the inversely permutated cross tabulation u′ obtained by inversely applying the permutation σ to the shifted cross tabulation v′ becomes a vector in which the number of records of a group one group backward is set at the last element of each group. Hereinafter, there is a case where each element of [u′]∈[F]m is referred to by [u′i]∈[F] (i=0, . . . , m−1). The inverse permutating part 12 outputs the share [u′] of the inversely permutated cross tabulation u′ to the partial summing part 13.
In step S13, the partial summing part 13 of each secure computation apparatus 2n generates a share [s′]∈[F]m which becomes a vector s′:=s′0, . . . , s′m−1∈F, when reconstructed, by computing [s′]:=postfix-sum([u′]) using the share [u′] of the inversely permutated cross tabulation u′. Here, postfix-sum is an operation for setting a sum from the i-th element u′i to the m−1-th element u′m−1 of an input vector u′ at the i-th element s′i of an output vector s′ for each integer i equal to or greater than 0 and equal to or less than m−1, using m as a length of the input vector u′. The partial summing part 13 outputs the share [s′] of the vector s′ to the order computing part 14.
In step S14, the order computing part 14 of each secure computation apparatus 2n generates a share [x′]∈[F]m which becomes descending order x′:=x′0, . . . , x′m−1∈F within the group, when reconstructed, by setting [x′_i]:=[m−i−s′_i−1] for each integer i equal to or greater than 0 and equal to or less than m−1 using the share [s′] of the vector s′. It should be noted that the descending order within the group starts from 0. If it is desired to obtain order starting from 1, it is only necessary to add 1 to each order. In other words, to generate the descending order x′, it is only necessary to set [x′_i]:=[m−i−s′_i] for each integer i equal to or greater than 0 and equal to or less than m−1. The order computing part 14 outputs the share [x′] of the descending order x′ to the output part 15.
In step S15, the output part 15 of each secure computation apparatus 2n outputs the share [x′] of the descending order x′.
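The two procedures above (steps S12 to S14 for ascending order, S11 to S14 for descending order), as an added simulation that is not code from the patent. It assumes additive secret sharing over the ring Z_Q with three parties, and `inv_permute_ideal` is a hypothetical stand-in for the oblivious inverse-permutation protocol, which the text does not specify; every other step is linear and is computed by each party on its own share without communication.

```python
import secrets

Q = 2**32   # assumed ring F = Z_Q (the text allows an arbitrary ring)
N = 3       # assumed number of parties

def share(vec):
    """Additively share each element: N vectors that sum to vec mod Q."""
    parts = [[secrets.randbelow(Q) for _ in vec] for _ in range(N - 1)]
    last = [(x - sum(col)) % Q for x, col in zip(vec, zip(*parts))]
    return parts + [last]

def reconstruct(shares):
    return [sum(col) % Q for col in zip(*shares)]

def inv_permute_ideal(shares, order):
    """Stand-in for step S12 (assumption of this example).

    order[j] is the source index that sigma moves to position j, so the
    inverse sends element j back to position order[j]. A real protocol
    does this without any party learning sigma; here it is applied in
    the clear to every party's share vector."""
    out = []
    for sh in shares:
        y = [0] * len(sh)
        for j, src in enumerate(order):
            y[src] = sh[j]
        out.append(y)
    return out

def prefix_sum(sh):
    acc, out = 0, []
    for x in sh:
        acc = (acc + x) % Q
        out.append(acc)
    return out

def postfix_sum(sh):
    return prefix_sum(sh[::-1])[::-1]

def ascending_order(v_shares, order):
    m = len(order)
    u = inv_permute_ideal(v_shares, order)              # S12
    x_shares = []
    for party, u_p in enumerate(u):
        s = prefix_sum(u_p)                             # S13, local
        # S14, local: the public index i is added by party 0 only.
        x = [0] + [((i if party == 0 else 0) - s[i - 1]) % Q
                   for i in range(1, m)]
        x_shares.append(x)
    return x_shares

def descending_order(v_shares, order):
    m = len(order)
    shifted = [sh[1:] + [0] for sh in v_shares]         # S11, local
    u = inv_permute_ideal(shifted, order)               # S12
    x_shares = []
    for party, u_p in enumerate(u):
        s = postfix_sum(u_p)                            # S13, local
        # S14, local: the public constant m-i-1 is added by party 0 only.
        x = [((m - i - 1 if party == 0 else 0) - s[i]) % Q
             for i in range(m)]
        x_shares.append(x)
    return x_shares

# Constructed sample: 6 records already grouped, group sizes 3, 1, 2.
V = [3, 1, 2, 0, 0, 0]          # cross tabulation, zero-padded to length m
ORDER = [2, 3, 5, 0, 1, 4]      # sigma: group-last records 2, 3, 5 first

def run(v, order):
    v_shares = share(v)
    return (reconstruct(ascending_order(v_shares, order)),
            reconstruct(descending_order(v_shares, order)))

if __name__ == "__main__":
    asc, desc = run(V, ORDER)
    print("ascending :", asc)
    print("descending:", desc)
```

Neither function reads the number of groups: the zero padding of v and the final [0] of the shifted vector make the cases of one group and of m groups fall out of the same arithmetic.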
<Modification>
In the above-described embodiments, a configuration has been described where the share [v] of the cross tabulation v and the share {{σ}} of the permutation σ are input to the input part 10. In the modification, a configuration will be described where a share obtained by concealing a table through secret sharing, or the like, is input to the input part 10, and, after the share [v] of the cross tabulation v and the share {{σ}} of the permutation σ are obtained, order within the group is computed in accordance with the procedure described in the above-described embodiments.
For example, as illustrated in
The input part 10 of each secure computation apparatus 3n receives a share [k0], . . . , [knk−1]∈[F]m obtained by concealing each of nk key attributes k0, . . . , knk−1∈Fm through secret sharing, and a share [v0], . . . , [vna−1]∈[F]m obtained by concealing each of na value attributes v0, . . . , vna−1 ∈Fm through secret sharing, as input. However, nk and na are integers equal to or greater than 1. Hereinafter, there is a case where each element of [kj]∈[F]m (j=0, . . . , nk−1) is referred to by [kj,i]∈[F] (i=0, . . . , m−1). The input part 10 outputs shares [k0], . . . , [knk−1] of the key attributes k0, . . . , knk−1 to the bit decomposing part 21.
The bit decomposing part 21 of each secure computation apparatus 3n bit-decomposes and concatenates the shares [k0], . . . , [knk−1] of the key attributes k0, . . . , knk−1 and obtains a share {b}∈{B}λ which becomes a bit string b:=b0, . . . , bm−1∈Bλ which is a concatenated bit expression of the key attributes k0, . . . , knk−1, when reconstructed. Note that λ is a bit length of the bit string b, and a sum of bit lengths of respective bi (i=0, . . . , m−1). In other words, {bi} is a bit string obtained by concatenating bit expression of the i-th elements [k0,i], . . . , [knk−1,i] of the respective shares [k0], . . . , [knk−1] of the key attributes k0, . . . , knk−1. The bit decomposing part 21 outputs the share {b} of the bit string b to the group sort generating part 22.
The group sort generating part 22 of each secure computation apparatus 3n generates a share {{σ0}}∈{{Sm}} which becomes a permutation σ0 which stably sorts the bit string b in ascending order, when reconstructed, using the share {b} of the bit string b. Because the bit string b is a concatenated bit expression of the key attributes k0, . . . , knk−1, it can be said that the permutation σ0 is an operation of grouping records by rearranging the records so that records having same values of the key attributes k0, . . . , knk−1 are successive. The group sort generating part 22 outputs the share {b} of the bit string b and the share {{σ0}} of the permutation σ0 to the bit string sorting part 23.
The bit string sorting part 23 of each secure computation apparatus 3n obtains a share {b′}∈{B}λ which becomes a sorted bit string b′:=b′0, . . . , b′m−1∈Bλ obtained by sorting the bit string b with the permutation σ0, when reconstructed, using the share {b} of the bit string b and the share {{σ0}} of the permutation σ0. The bit string sorting part 23 outputs the share {b′} of the sorted bit string b′ to the flag generating part 24.
The flag generating part 24 of each secure computation apparatus 3n generates a share {e}∈{B}m which becomes a flag e:=e0, . . . , em−1∈Bm, when reconstructed, by setting {e_i}:={b′_i≠b′_{i+1}} for each integer i equal to or greater than 0 and equal to or less than m−2 and setting {e_{m−1}}:={1}, using the share {b′} of the sorted bit string b′. Because true is set at the flag ei if the i-th element b′i of the sorted bit string b′ is different from the i+1-th element b′i+1, the flag ei becomes a flag which indicates the last element of each group (that is, an element immediately before the boundary between groups). The flag generating part 24 outputs the share {e} of the flag e to the key aggregate sort generating part 25. Further, the flag generating part 24 outputs the share {e} of the flag e to the flag converting part 31.
The key aggregate sort generating part 25 of each secure computation apparatus 3n first generates a share {e′}∈{B}m which becomes a flag e′ which is a negation ¬e of the flag e, when reconstructed, using the share {e} of the flag e. In other words, the key aggregate sort generating part 25 sets {e′i}:={¬ei} for each integer i equal to or greater than 0 and equal to or less than m−1. Then, the key aggregate sort generating part 25 generates a share {{σ}}∈{{Sm}} which becomes a permutation σ which stably sorts the flag e′ in ascending order, when reconstructed, using the share {e′} of the flag e′. The key aggregate sort generating part 25 outputs the share {{σ}} of the permutation σ to the sorting part 33. Further, the key aggregate sort generating part 25 outputs the share {{σ}} of the permutation σ to the count shifting part 11 or the inverse permutating part 12.
The flag converting part 31 of each secure computation apparatus 3n converts the share {e}∈{B}m of the flag e into a share [e]∈[F]m on an arbitrary ring F through secret sharing. The flag converting part 31 outputs the share [e] of the flag e to the boundary number setting part 32.
The boundary number setting part 32 of each secure computation apparatus 3n generates a share [x″]∈[F]m which becomes a vector x″:=x″0, . . . , x″m−1∈F, when reconstructed, by setting [x″i]:=[ei?i+1:m] for each integer i equal to or greater than 0 and equal to or less than m−1 using the share [e] of the flag e. Here, “?” is a conditional operator (ternary operator). In other words, when [ei] is true (for example, [ei]=[1]), [x″i]:=[i+1] is set, and when [ei] is false (for example, [ei]=[0]), [x″i]:=[m] is set. The vector x″ becomes a vector in which, when the table is stably sorted with the key attribute, records having the same value of the key attribute are put into the same group, at the last element of each group, a position from the head of the next element is set, and, at the other elements, the number of records of the whole table is set. In other words, at the last element of each group, a total value obtained by accumulating the number of records of respective groups from the head group to the group is set. The boundary number setting part 32 outputs the share [x″] of the vector x″ to the sorting part 33.
The sorting part 33 of each secure computation apparatus 3n generates a share [σ(x″)]∈[F]m which becomes a sorted vector σ(x″) obtained by sorting the vector x″ with the permutation σ, when reconstructed, using the share [x″] of the vector x″ and the share {{σ}} of the permutation σ. Hereinafter, there is a case where each element of [σ(x″)]∈[F]m is referred to by [σ(x″)i]∈[F] (i=0, . . . , m−1). The sorting part 33 outputs the share [σ(x″)] of the sorted vector σ(x″) to the count computing part 34.
The count computing part 34 of each secure computation apparatus 3n generates a share [v]∈[F]m which becomes a vector v:=v0, . . . , vm−1∈F representing the number of records of each group (that is, a cross tabulation), when reconstructed, by setting [v_i]:=[σ(x″)_i−σ(x″)_{i−1}] for each integer i equal to or greater than 1 and equal to or less than min(g, m)−1, setting [v_i]:=[0] for each integer i equal to or greater than min(g, m) and equal to or less than m−1, and setting [v_0]:=[σ(x″)_0] using the share [σ(x″)] of the sorted vector σ(x″). Because a total value obtained by accumulating the number of records of respective groups from the 0-th group to the i-th group is set at the i-th element σ(x″)i of the sorted vector σ(x″), the number of records of the i-th group is set at the i-th element vi of the cross tabulation v. The count computing part 34 outputs the share [v] of the cross tabulation v to the count shifting part 11 or the inverse permutating part 12.
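A plaintext reference for the Modification's data flow from the flag e to the permutation σ and the cross tabulation v, added here as an example and not taken from the patent. It starts from a key column that has already been grouped by σ0, uses constructed composite keys, and takes the difference of σ(x″) at every index i ≥ 1 rather than stopping at min(g, m)−1: entries past the last group all equal m, so those differences are 0 without reading the number of groups.

```python
def derive_inputs(sorted_keys):
    """sorted_keys: key column after the group sort (equal keys adjacent).

    Returns (e, order, v) where order[j] is the source index that sigma
    moves to position j (a representation chosen for this example)."""
    m = len(sorted_keys)
    # Flag e: 1 at the last record of each group, e[m-1] is always 1.
    e = [int(sorted_keys[i] != sorted_keys[i + 1]) for i in range(m - 1)] + [1]
    # sigma: stable ascending sort of not-e (Python's sort is stable),
    # so group-last records come first in their original order.
    order = sorted(range(m), key=lambda i: 1 - e[i])
    # x'': position of the next record (i+1) at group-last records, m elsewhere.
    x2 = [i + 1 if e[i] else m for i in range(m)]
    # sigma(x''): running record totals per group, followed by copies of m.
    sx = [x2[src] for src in order]
    # Cross tabulation: first entry, then adjacent differences at every index.
    v = [sx[0]] + [sx[i] - sx[i - 1] for i in range(1, m)]
    return e, order, v

def inverse_apply(order, vec):
    """sigma^-1(vec): element j goes back to position order[j]."""
    out = [0] * len(vec)
    for j, src in enumerate(order):
        out[src] = vec[j]
    return out

# Constructed sample with a composite key (gender, age band).
KEYS = [("F", 20), ("F", 20), ("F", 20), ("F", 30), ("M", 20), ("M", 20)]

if __name__ == "__main__":
    e, order, v = derive_inputs(KEYS)
    print("e     :", e)
    print("sigma :", order)
    print("v     :", v)
    # Each group's count lands on that group's last record.
    print("u     :", inverse_apply(order, v))
```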
While the embodiments of the present invention have been described above, it goes without saying that a specific configuration is not limited to these embodiments, and design change, or the like, within the scope not deviating from the gist of the present invention are incorporated into the present invention. Various kinds of processing described in the embodiments are executed not only in chronological order in accordance with order of description, but also executed in parallel or individually in accordance with processing performance of apparatuses which execute the processing or as necessary.
[Program, Recording Medium]
In a case where various kinds of processing functions of the respective apparatuses described in the above-described embodiments are realized with a computer, a processing content of the functions which should be provided at the respective apparatuses is described with a program. Then, by this program being executed with the computer, various kinds of processing functions at the above-described respective apparatuses are realized on the computer.
The program describing this processing content can be recorded in a computer-readable recording medium. As the computer-readable recording medium, any medium such as, for example, a magnetic recording device, an optical disk, a magnetooptical recording medium and a semiconductor memory can be used.
Further, this program is distributed by, for example, a portable recording medium such as a DVD and a CD-ROM in which the program is recorded being sold, given, lent, or the like. Still further, it is also possible to employ a configuration where this program is distributed by the program being stored in a storage device of a server computer and transferred from the server computer to other computers via a network.
A computer which executes such a program, for example, first, stores a program recorded in the portable recording medium or a program transferred from the server computer in the storage device of the own computer once. Then, upon execution of the processing, this computer reads out the program stored in the storage device of the own computer and executes the processing in accordance with the read program. Further, as another execution form of this program, the computer may directly read a program from the portable recording medium and execute the processing in accordance with the program, and, further, sequentially execute the processing in accordance with the received program every time the program is transferred from the server computer to this computer. Further, it is also possible to employ a configuration where the above-described processing is executed by so-called ASP (Application Service Provider) type service which realizes processing functions only by an instruction of execution and acquisition of a result without the program being transferred from the server computer to this computer. Note that, it is assumed that the program in the present embodiment includes information which is to be used for processing by an electronic computer, and which is equivalent to a program (not a direct command to the computer, but data, or the like, having property specifying processing of the computer).
Further, while, in this embodiment, the present apparatus is constituted by a predetermined program being executed on the computer, at least part of the processing content may be realized with hardware.
Number | Date | Country | Kind |
---|---|---|---|
2018-081095 | Apr 2018 | JP | national |

Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/JP2019/016446 | 4/17/2019 | WO | 00 |