SECURE COMPUTATION SYSTEM, SECURE COMPUTATION APPARATUS, METHOD, AND PROGRAM

Information

  • Patent Application
  • 20240176908
  • Publication Number
    20240176908
  • Date Filed
    April 19, 2021
  • Date Published
    May 30, 2024
Abstract
A secure computation system includes first, second, and third secure-computation-apparatuses each having a tripartite-share of a concealed input vector. The first secure-computation-apparatus converts its tripartite-share into a bipartite-share with the third secure-computation-apparatus; calculates a third vector obtained by subtracting a second permutation of a first vector and a second vector from its permutation of its bipartite-share; and transmits the third vector and the second permutation to the second secure-computation-apparatus. The third secure-computation-apparatus converts its tripartite-share into a bipartite-share with the first secure-computation-apparatus; calculates a fourth vector obtained by adding the first vector to a first permutation of its bipartite-share; transmits the fourth vector to the third secure-computation-apparatus; and sets the second vector as a bipartite-share with the second secure-computation-apparatus. The second secure-computation-apparatus sets a vector obtained by adding the second permutation of the fourth vector to the third vector, as a bipartite-share with the third secure-computation-apparatus.
Description
TECHNICAL FIELD

The present invention relates to a secure computation system, a secure computation apparatus, a method, and a program.


BACKGROUND ART

Secure computation is a useful technology that is known to perform various computations at high speed while concealing data. In many analyses, searching for and extracting data that matches specific conditions from a data set (vector) is important and frequently used processing. In secure computation, data must be referenced while the search conditions (for example, a search keyword) are concealed, so a search simply scans the entire vector on every reference to find the location matching the conditions, and there is a problem that a large amount of calculation and communication is required.


To address this problem, a technology capable of greatly reducing a reference cost by constructing a special data structure in advance using a permutation or sorting is known (for example, Non Patent Literature 1 and Non Patent Literature 2). How to construct and refer to such a data structure at high speed is important for data reference in secure computation.


In constructing the data structure described above, a concealment permutation, which rearranges a vector while concealing the permutation from the participants (parties) of the secure computation, plays an important role. Various methods of realizing a concealment permutation are known. For example, a method is known that permutes a vector while concealing both the vector and the permutation, under the premise that the parties share a pre-concealed permutation and a random number sequence. Further, for example, a method is known that conceals the vector from all parties under the premise that one party has the permutation as plaintext, and permutes the vector while concealing the permutation from the parties other than the party having the permutation.


CITATION LIST
Non Patent Literature





    • Non Patent Literature 1: Atsunori Ichikawa, Koki Hamada, Ryo Kikuchi, Dai Ikarashi. Optimal concealment Hash on 3-Party Computation and Sublogarithmically Efficient Oblivious RAM. Symposium on Cryptography and Information Security (SCIS) 2020 Proceedings (2020).

    • Non Patent Literature 2: Koki Hamada, Atsunori Ichikawa. Constant-Round Secure Computation Vector Access Algorithm with Sublinear Local Computation amount. Symposium on Cryptography and Information Security (SCIS) 2019 Proceedings (2019).





SUMMARY OF INVENTION
Technical Problem

However, in the related arts (for example, Non Patent Literature 1 and Non Patent Literature 2), random permutation (shuffle) or partial sorting of a vector is executed multiple times, so there is a problem that either the actual efficiency is poor or, where the actual efficiency is good, there is a vulnerability to unauthorized reference.


An embodiment of the present invention has been made in view of the above points, and an object of the embodiment of the present invention is to perform efficient and safe concealed vector permutation in secure computation by three parties.


Solution to Problem

To achieve the above object, a secure computation system according to an embodiment is a secure computation system including a first secure computation apparatus, a second secure computation apparatus, and a third secure computation apparatus each having a tripartite share of a concealed input vector, wherein the first secure computation apparatus includes a first conversion unit configured to convert its own tripartite share into a bipartite share with the third secure computation apparatus; a first calculation unit configured to calculate a third vector obtained by subtracting, from a result of applying its own permutation to its own bipartite share, a result of applying a second permutation determined according to the permutation to a first vector determined by a predetermined method and a second vector determined by a predetermined method; and a first transmission unit configured to transmit the third vector and the second permutation to the second secure computation apparatus, the third secure computation apparatus includes a second conversion unit configured to convert its own tripartite share into a bipartite share with the first secure computation apparatus; a second calculation unit configured to calculate a fourth vector obtained by adding the first vector to a result of applying a first permutation determined according to the permutation to its own bipartite share; a second transmission unit configured to transmit the fourth vector to the third secure computation apparatus; a first output unit configured to set the second vector as a bipartite share, with the second secure computation apparatus, of a result of applying the permutation to the input vector, and the second secure computation apparatus includes a second output unit configured to set a vector obtained by adding a result of applying the second permutation to the fourth vector to the third vector, as a bipartite share, with the third secure computation apparatus, of the result of applying the permutation to the input vector.


Advantageous Effects of Invention

It is possible to perform efficient and secure concealed vector permutation in secure computation by three parties.





BRIEF DESCRIPTION OF DRAWINGS


FIG. 1 is a diagram illustrating an example of an overall configuration of a secure computation system according to an embodiment.



FIG. 2 is a diagram illustrating an example of a hardware configuration of a computer.



FIG. 3 is a sequence diagram illustrating Example 1.



FIG. 4 is a sequence diagram illustrating Example 2.



FIG. 5 is a sequence diagram illustrating Example 3.



FIG. 6 is a sequence diagram illustrating Example 4.





DESCRIPTION OF EMBODIMENTS

Hereinafter, an embodiment of the present invention will be described. The present embodiment describes a secure computation system 1 capable of performing efficient and secure concealed vector permutation by making the information obtained by each party asymmetrical in secure computation by three parties. It also describes a case in which the secure computation system 1 constructs any data structure using a concealed vector permutation (a data structure in a vector format in which data and a reference position at the time of accessing the data are concealed, hereinafter also referred to as a reference position concealment vector) and refers to that data structure.


Hereinafter, it is assumed that the three parties are denoted as P1, P2, and P3, and P1 is a party having a permutation.


Preparation

First, some symbols, terms, concepts, and the like are prepared.


<<Tripartite Data Concealment>>

A result of concealing plaintext x and sharing the plaintext x between three parties is expressed by

$[x]_1, [x]_2, [x]_3$   [Math. 1]

In the text of the specification, these are represented as [x]1, [x]2, and [x]3, respectively.


In this case, [x]i is assumed to be owned by party Pi, but hereinafter, “x in a state shared by each party” is abstracted and simply expressed as [x]. Each [x]i is called a fragment or share. Further, it is assumed that the plaintext x can be restored using any two of the three shares [x]1, [x]2, and [x]3, and cannot be restored using one of the shares.


Examples of a technology satisfying the above include secret sharing methods (for example, reference 1 and reference 2), but the present invention is not limited thereto, and any method can be used as long as the method satisfies the same function and security as the secret sharing method.


<<Additive Bipartite Data Concealment>>

A result of concealing the plaintext x and sharing the plaintext x between two parties is represented by <x>1 and <x>2, and particularly, two values thereof are random values satisfying <x>1+<x>2=x. Each of <x>1 and <x>2 is assumed to be owned by two parties among P1, P2, and P3, but such a state is abstracted and simply indicated as <x>. It is also assumed that conversion from [x] to <x> is possible without intervening communication between the parties.


Examples of a technology satisfying the above include secret sharing methods (for example, reference 1 and reference 2), but the present invention is not limited thereto, and any method can be used as long as the method satisfies the same function and security as the secret sharing method.


<<Random Share Generation>>

Processing for generating a share [r] of a random number r without any party knowing the plaintext r is called random share generation. This processing can be realized, for example, with the technology described in Reference 3, and the like on the secret sharing method, but the present invention is not limited thereto, and any technology can be used as long as the technology satisfies the same function and security as such a technology.


<<Pseudo-random Function>>

Hereinafter, it is assumed that a pseudo-random function capable of secure computation is denoted by F, and secure computation of the pseudo-random function is denoted by F([a], [s]) for a value [a] of a secret and a key [s]. This secure computation processing can be realized, for example, by the technology described in Reference 4, and the like, but the present invention is not limited thereto, and any technology can be used as long as the technology satisfies the same function and security as such a technology.


<<Permutation of Vector>>

Hereinafter, it is assumed that a permutation (rearrangement) of any vector having a length m (not based on secure computation) is represented by a bijection Π: {1, . . . , m}→{1, . . . , m}, and a vector obtained by applying the permutation Π to a vector A is represented by ΠA. Here, for A=(A1, . . . , Am),

$\pi A = (A_{\pi^{-1}(1)}, \ldots, A_{\pi^{-1}(m)})$   [Math. 2]

Further, it is assumed that composition of two permutations is represented by the symbol ○. For example, when

$\pi = \pi_1 \circ \pi_2$   [Math. 3]

holds, ΠA=Π2(Π1A) is satisfied.


Overall Configuration of Secure Computation System 1

Next, an overall configuration of the secure computation system 1 according to the present embodiment will be described with reference to FIG. 1. FIG. 1 is a diagram illustrating an example of the overall configuration of the secure computation system 1 according to the present embodiment.


As illustrated in FIG. 1, the secure computation system 1 according to the present embodiment includes a secure computation apparatus 10, a secure computation apparatus 20, and a secure computation apparatus 30. Further, the secure computation apparatus 10, the secure computation apparatus 20, and the secure computation apparatus 30 are communicatively connected to each other via a communication network 40 such as the Internet.


The secure computation apparatus 10 is a computer or computer system that functions as a party P1 and includes a secure computation processing unit 101 and a storage unit 102. The secure computation processing unit 101 executes various processing for performing concealed vector permutation or construction of a reference position concealment vector. Further, the storage unit 102 stores various types of information (for example, permutation or sharing of vectors) required for execution of various types of processing.


The secure computation apparatus 20 is a computer or computer system that functions as the party P2 and includes a secure computation processing unit 201 and a storage unit 202. The secure computation processing unit 201 executes various processing for performing concealed vector permutation, construction of a reference position concealment vector, and referencing thereof. Further, the storage unit 202 stores various types of information (for example, shares of the vector) required for execution of the various types of processing.


The secure computation apparatus 30 is a computer or computer system that functions as a party P3 and includes a secure computation processing unit 301 and a storage unit 302. The secure computation processing unit 301 executes various processing for performing concealed vector permutation, construction of a reference position concealment vector, and referencing thereof. Further, the storage unit 302 stores various types of information (for example, shares of the vector) required for execution of the various types of processing.


Hardware Configuration of Secure Computation System 1

Next, hardware configurations of the secure computation apparatus 10, the secure computation apparatus 20, and the secure computation apparatus 30 included in the secure computation system 1 according to the present embodiment will be described. The secure computation apparatus 10, the secure computation apparatus 20, and the secure computation apparatus 30 can be realized by, for example, a hardware configuration of a computer 500 illustrated in FIG. 2.


The computer 500 illustrated in FIG. 2 includes an input device 501, a display device 502, an external I/F 503, a communication I/F 504, a processor 505, and a memory device 506 as hardware. The respective pieces of hardware are communicatively connected via a bus 507.


The input device 501 is, for example, a keyboard and a mouse, a touch panel, or the like. The display device 502 is, for example, a display. The computer 500 may not include at least one of the input device 501 and the display device 502.


The external I/F 503 is an interface with an external device such as a recording medium 503a. Examples of the recording medium 503a include a compact disc (CD), a digital versatile disk (DVD), a secure digital memory card (SD memory card), and a universal serial bus (USB) memory card.


The communication I/F 504 is an interface for connection to the communication network 40. The processor 505 is, for example, any of various arithmetic devices such as a central processing unit (CPU) and a graphics processing unit (GPU). The memory device 506 is, for example, any of various storage devices such as a hard disk drive (HDD), a solid state drive (SSD), a random access memory (RAM), a read only memory (ROM), and a flash memory.


The secure computation apparatus 10, the secure computation apparatus 20, and the secure computation apparatus 30 according to the present embodiment can realize various processing to be described below by the hardware configuration of the computer 500 illustrated in FIG. 2. The hardware configuration of the computer 500 illustrated in FIG. 2 is an example, and various hardware configurations may be adopted according to, for example, a use of a target to which the secure computation system 1 is applied.


The secure computation processing unit 101 is realized by, for example, processing that one or more programs installed in the secure computation apparatus 10 cause the processor 505 of the computer 500 realizing the secure computation apparatus 10 to execute. Further, the storage unit 102 is realized by the memory device 506 of the computer 500 realizing the secure computation apparatus 10, for example.


Similarly, the secure computation processing unit 201 is realized by, for example, processing that one or more programs installed in the secure computation apparatus 20 cause the processor 505 of the computer 500 realizing the secure computation apparatus 20 to execute. Further, the storage unit 202 is realized by the memory device 506 of the computer 500 realizing the secure computation apparatus 20, for example.


Further, similarly, the secure computation processing unit 301 is realized by, for example, processing that one or more programs installed in the secure computation apparatus 30 cause the processor 505 of the computer 500 realizing the secure computation apparatus 30 to execute. Further, the storage unit 302 is realized by the memory device 506 of the computer 500 realizing the secure computation apparatus 30, for example.


EXAMPLE 1

The present example describes, with reference to FIG. 3, a case in which P1 has any plaintext permutation Π and all parties have (or receive) a concealed vector

$[\vec{D}] := ([D_1], \ldots, [D_n])$   [Math. 4]

The permutation Π is applied to the shares of this vector, and only P2 and P3 obtain an additive bipartite share of the permuted vector

$\langle \vec{T} \rangle;\ \vec{T} = \pi \vec{D}$   [Math. 5]

FIG. 3 is a sequence diagram illustrating Example 1. Hereinafter, in the text of the specification, an arrow that would be attached directly above a symbol is instead attached to its left shoulder. For example, Equation 5 above is expressed as <T>;T=ΠD in the text of the specification.


The secure computation processing unit 101 of the secure computation apparatus 10 converts the share [D] into <D>1 (S101). Similarly, the secure computation processing unit 301 of the secure computation apparatus 30 converts the share [D] into <D>2 (S102). Here, it is assumed that P1 has <D>1 and P2 has <D>2, but P1 may have <D>2 and P2 may have <D>1. Hereinafter, it is assumed that P1 has <D>1 and P2 has <D>2.


Next, the secure computation processing unit 101 of the secure computation apparatus 10 selects random permutations Π1 and Π2 that satisfy

$\pi_1 \circ \pi_2 = \pi$   [Math. 6]

(S103). Further, the secure computation processing unit 101 of the secure computation apparatus 10 selects random vectors U and V having the same size as <D>1 (S104).


Next, the secure computation processing unit 101 of the secure computation apparatus 10 calculates A:=Π<D>1−Π2U−V (S105).


The secure computation processing unit 101 of the secure computation apparatus 10 transmits Π2 and A to the secure computation apparatus 20 (S106), and also transmits Π1, U and V to the secure computation apparatus 30 (S107).


The secure computation processing unit 301 of the secure computation apparatus 30 calculates B:=Π1<D>2+U (S108), and then transmits B to the secure computation apparatus 20 (S109). Further, the secure computation processing unit 301 of the secure computation apparatus 30 determines its own output to be <T>2:=V (S110).


The secure computation processing unit 201 of the secure computation apparatus 20 determines its own output to be <T>1:=A+Π2B (S111).


Since in the above protocol A+Π2B=ΠD−V, <T>1 and <T>2 are additive bipartite shares of T=ΠD. Further, in the above protocol, the amount of communication is 4×(size of vector <D>)+2×(size of permutation Π) bits, and the number of rounds is 2. From this, it can be seen that efficient concealed vector permutation can be realized in the present embodiment. Further, since P1, who is an owner of the permutation, does not have <T>, it can be seen that, for example, a secure concealed vector permutation in which P1 cannot perform (unauthorized) manipulation or information acquisition can be realized.


Therefore, according to the present embodiment, any permutation can be applied to the concealed vector, and a secure reference position concealment vector can be obtained efficiently.


EXAMPLE 2

The present embodiment is an extension of Example 1, and a case in which an amount of communication and the number of rounds are reduced using any cryptographic pseudo-random number generator (not based on secure computation) will be described with reference to FIG. 4. FIG. 4 is a sequence diagram illustrating Example 2. Here, in the present example, it is assumed that P1 and P2 share a common pseudo-random number generator ψ and an input p thereof in advance. P1 has any plaintext permutation Π, and all parties have any concealed vector [D], as in Example 1.


Since S201 to S202 in FIG. 4 are substantially the same as S101 to S102 in Example 1, respectively, description thereof will be omitted.


The secure computation processing unit 101 of the secure computation apparatus 10 executes ψ(p) to obtain random number sequences Π1, U, and V (S203). Similarly, the secure computation processing unit 301 of the secure computation apparatus 30 executes ψ(p) to obtain random number sequences Π1, U, and V (S204). That is, P1 and P3 independently execute ψ(p) to obtain common random number sequences Π1, U, and V.


Next, the secure computation processing unit 101 of the secure computation apparatus 10 calculates a permutation

$\pi_2 := \pi_1^{-1} \circ \pi$   [Math. 7]

(S205).

Next, the secure computation processing unit 101 of the secure computation apparatus 10 calculates A:=Π<D>1−Π2U−V (S206).


The secure computation processing unit 101 of the secure computation apparatus 10 transmits Π2 and A to the secure computation apparatus 20 (S207).


Since subsequent S208 to S211 are substantially the same as S108 to S111 of Example 1, respectively, description thereof is omitted.


In the present example, any update rule regarding p (for example, the update p←p+1 is performed each time ψ(p) is executed) is shared between P1 and P3, so that ψ can be executed repeatedly without re-sharing p or ψ. This can reduce the amount of communication to 2×(size of vector <D>)+2×(size of permutation Π) bits and the number of rounds to 1.
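The following Python simulation is an added example, not code from the patent: it runs steps S101 to S111 of Example 1 in one process and, when a seed is given, the Example 2 variant in which P1 and P3 each expand Π1, U and V from ψ(p). The ring Z_2^64, the replicated 2-of-3 sharing, SHA-256 in counter mode as ψ, and all function names are assumptions; P3 holds <D>2, as S102 and S108 state.

```python
import hashlib
import secrets

MOD = 2**64  # ring for additive shares (assumption; the page fixes no ring)

def apply_perm(perm, vec):
    """Math. 2 with 0-based indices: element i moves to slot perm[i]."""
    out = [0] * len(vec)
    for i, x in enumerate(vec):
        out[perm[i]] = x
    return out

def random_perm(n, draw):
    """Fisher-Yates shuffle; draw(k) returns an integer in [0, k)."""
    p = list(range(n))
    for i in range(n - 1, 0, -1):
        j = draw(i + 1)
        p[i], p[j] = p[j], p[i]
    return p

def split_perm(perm, pi1):
    """Math. 7: pi2 = pi1^-1 o pi, so applying pi1 and then pi2 equals perm."""
    pi2 = [0] * len(perm)
    for i, dest in enumerate(perm):
        pi2[pi1[i]] = dest
    return pi2

def prg(seed):
    """Constructed stand-in for psi(p): SHA-256 in counter mode, reduced mod k."""
    counter = 0
    def draw(k):
        nonlocal counter
        counter += 1
        block = hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        return int.from_bytes(block[:16], "big") % k
    return draw

def masks(n, draw):
    """Pi1, U, V: sampled by P1 (S103-S104) or expanded from psi(p) (S203-S204)."""
    pi1 = random_perm(n, draw)
    u = [draw(MOD) for _ in range(n)]
    v = [draw(MOD) for _ in range(n)]
    return pi1, u, v

def share3(vec):
    """Assumed replicated sharing x = x1+x2+x3; P1:(x1,x2), P2:(x2,x3), P3:(x3,x1)."""
    x1 = [secrets.randbelow(MOD) for _ in vec]
    x2 = [secrets.randbelow(MOD) for _ in vec]
    x3 = [(x - a - b) % MOD for x, a, b in zip(vec, x1, x2)]
    return {1: (x1, x2), 2: (x2, x3), 3: (x3, x1)}

def p1_step(share_p1, perm, pi1, u, v):
    d1 = [(a + b) % MOD for a, b in zip(*share_p1)]   # S101: local conversion to <D>1
    pi2 = split_perm(perm, pi1)                        # S103 / S205
    pd1, p2u = apply_perm(perm, d1), apply_perm(pi2, u)
    a_vec = [(x - y - z) % MOD for x, y, z in zip(pd1, p2u, v)]  # S105 / S206
    return pi2, a_vec                                  # message to P2 (S106 / S207)

def p3_step(share_p3, pi1, u, v):
    d2 = list(share_p3[0])                             # S102: <D>2 = x3, no communication
    b_vec = [(x + y) % MOD for x, y in zip(apply_perm(pi1, d2), u)]  # S108
    return b_vec, v                                    # B goes to P2 (S109); <T>2 := V (S110)

def p2_step(pi2, a_vec, b_vec):
    # S111: <T>1 := A + Pi2 B. P2 never sees Pi1, U, V or the full permutation.
    return [(a + b) % MOD for a, b in zip(a_vec, apply_perm(pi2, b_vec))]

def run(vec, perm, seed=None):
    shares, n = share3(vec), len(vec)
    if seed is None:   # Example 1: P1 samples the masks and sends them to P3 (S107)
        m1 = m3 = masks(n, secrets.randbelow)
    else:              # Example 2: P1 and P3 each expand the pre-shared input p
        m1, m3 = masks(n, prg(seed)), masks(n, prg(seed))
    pi2, a_vec = p1_step(shares[1], perm, *m1)
    b_vec, t2 = p3_step(shares[3], *m3)
    t1 = p2_step(pi2, a_vec, b_vec)
    return t1, t2      # held by P2 and P3 only; P1 keeps no share of T

def reconstruct(t1, t2):
    return [(a + b) % MOD for a, b in zip(t1, t2)]

if __name__ == "__main__":
    D = [10, 20, 30, 40, 50]    # constructed sample vector
    PI = [2, 0, 4, 1, 3]        # constructed permutation held by P1
    print(reconstruct(*run(D, PI)))
    print(reconstruct(*run(D, PI, seed=b"p-0001")))
```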


EXAMPLE 3

This example is an extension of the concealed vector permutation described in Examples 1 and 2, and a method in which P1 generates the permutation Π will be described with reference to FIG. 5. FIG. 5 is a sequence diagram illustrating Example 3. It should be noted that Examples 1 and 2 do not limit the method of generating permutation Π.


In the present embodiment, it is assumed that any pseudo-random function F capable of secure computation is shared among all parties in advance, and at least P1 has any mechanism M that uniquely computes the permutation from a plaintext value of an output of F. Here, the mechanism M is a device or algorithm that outputs a bijection Π: {1, . . . , m}→{1, . . . , m} (here, n≤m) when a vector (f1, . . . , fn) is input, and outputs Π(i) when a value fi is input. As the mechanism M, it is possible to use, for example, cuckoo hashing described in Reference 5, but the present invention is not limited thereto, and it is possible to use any device or algorithm as long as the device or algorithm has properties similar to cuckoo hashing. In some mechanisms including cuckoo hashing, the output of the pseudo-random function may be multiple values fi(1), . . . , fi(l) (here, l is a lowercase letter L), and the output when these are input to M may be multiple values Π(1)(i), . . . , Π(l)(i); such a case can also be used in the present example.


In the present example, [Di]=([ki], *), and a share of any concealed vector held (or input) by all parties is [D]:=([D1], . . . , [Dn]). However, it is assumed that ki functions as a search key for data reference described in Example 4, and that each Di has a different ki. Further, * is any type, size, and number of data, but in principle, it is assumed to be a share.


First, the secure computation processing unit 101 of the secure computation apparatus 10, the secure computation processing unit 201 of the secure computation apparatus 20, and the secure computation processing unit 301 of the secure computation apparatus 30 execute random share generation to obtain a random number share [s] (S301). That is, all parties execute the random share generation and P1, P2, and P3 obtain shares [s]1, [s]2, and [s]3 respectively.


Next, the secure computation processing unit 101 of the secure computation apparatus 10, the secure computation processing unit 201 of the secure computation apparatus 20, and the secure computation processing unit 301 of the secure computation apparatus 30 calculate [fi]←F([ki], [s]) for i=1, . . . , n to obtain [f]:=([f1], . . . , [fn]) (S302). That is, all parties calculate [fi]←F([ki], [s]) for i=1, . . . , n to obtain [f]:=([f1], . . . , [fn]). Accordingly, P1, P2, and P3 obtain shares [f]1, [f]2, and [f]3, respectively.


Next, the secure computation processing unit 201 of the secure computation apparatus 20 transmits its own share [f]2 to the secure computation apparatus 10 (S303). However, the secure computation processing unit 301 of the secure computation apparatus 30 may transmit its own share [f]3 to the secure computation apparatus 10. That is, either P2 or P3 may transmit its own share [f] to P1.


The secure computation processing unit 101 of the secure computation apparatus 10 restores f using its own share [f]1 and the share [f] transmitted from the secure computation apparatus 20 (or the secure computation apparatus 30) (S304).


Next, the secure computation processing unit 101 of the secure computation apparatus 10 inputs the plaintext f to the mechanism M to obtain the permutation Π (S305).


Thereafter, the secure computation processing unit 101 of the secure computation apparatus 10, the secure computation processing unit 201 of the secure computation apparatus 20, and the secure computation processing unit 301 of the secure computation apparatus 30 execute the concealed vector permutation described in Example 1 or 2 (S306). Accordingly, P2 obtains <T>1, and P3 obtains <T>2. Here, when n<m for the value range m of the bijection Π, a share of dummy data is added so that the length of [D] becomes m in all parties before the concealed vector permutation described in Example 1 or 2 is executed. The dummy data used here may have any value as long as the dummy data satisfies the condition that “the search key is different from any ki included in D”.


The secure computation processing unit 101 of the secure computation apparatus 10 stores [s]1 in the storage unit 102 (S307). Further, the secure computation processing unit 201 of the secure computation apparatus 20 stores [s]2 and <T>1 in the storage unit 202 (S308). Similarly, the secure computation processing unit 301 of the secure computation apparatus 30 stores [s]3 and <T>2 in the storage unit 302 (S309).


According to the above protocol, construction of any data structure (reference position concealment vector) including the cuckoo hash table described in Reference 5 and the like can be realized mainly by one-time permutation. In addition, since P1, which knows the permutation Π, does not have the vector <T>, P1 cannot observe the data reference (vector reference) described in Example 4, making it impossible to identify the reference. Therefore, as described in Example 1, according to the present embodiment, it is possible to efficiently obtain a secure reference position concealment vector.


EXAMPLE 4

In the present embodiment, a method of referring to the vector <T> obtained in Example 3 will be described with reference to FIG. 6. FIG. 6 is a sequence diagram illustrating Example 4. In the present example, it is assumed that a pseudo-random function F and a mechanism M that are substantially the same as those used in Example 3 are shared among all parties in advance.


Hereinafter, a case in which a tripartite share [k] of a certain search key is input and a bipartite share <D>=(<k>, *) of data matching the search key is output will be described.


First, the secure computation processing unit 101 of the secure computation apparatus 10, the secure computation processing unit 201 of the secure computation apparatus 20, and the secure computation processing unit 301 of the secure computation apparatus 30 calculate [f]←F([k], [s]) (S401). That is, all parties calculate [f]←F ([k], [s]). Accordingly, each Pi (i=1, 2, 3) has [f]i.


Next, the secure computation processing unit 201 of the secure computation apparatus 20 and the secure computation processing unit 301 of the secure computation apparatus 30 mutually restore [f] to obtain a plaintext f (S402). That is, P2 transmits [f]2 of P2 to P3. Similarly, P3 transmits [f]3 of P3 to P2. P2 restores f using [f]2 of P2 and [f]3 transmitted from P3. Similarly, P3 restores f using [f]3 of P3 and [f]2 transmitted from P2.


Next, the secure computation processing unit 201 of the secure computation apparatus 20 inputs the plaintext f to the mechanism M to obtain a value q (S403). Similarly, the secure computation processing unit 301 of the secure computation apparatus 30 inputs the plaintext f to the mechanism M to obtain the value q (S404). That is, P2 and P3 independently input the plaintext f to the mechanism M to obtain the value q.


The secure computation processing unit 201 of the secure computation apparatus 20 outputs a q-th element <Tq>1 of <T>1 (S405). Similarly, the secure computation processing unit 301 of the secure computation apparatus 30 outputs a q-th element <Tq>2 of <T>2 (S406). That is, P2 and P3 independently output the q-th element <Tq> of <T>.


In this case, when data [Di]=([ki], *) such that ki=k is included in [D], the calculation result of the pseudo-random function is also fi=f, so <Tq>=<Di> with q=Π(i) can be correctly referred to. Further, in this case, since P2 and P3 do not know the entire permutation Π or the vector (f1, . . . , fn), it is difficult to identify a reference point (that is, an index i) in the original vector even when f and q are observed. Further, when the mechanism M always maps any output f of the pseudo-random function F to the value range {1, . . . , m}, some element Tq (q∈{1, . . . , m}) of T is referred to even for an unauthorized reference in which the input k is not included in the original data vector D, so there is resistance to an attack attempting to identify an index by intentionally making unauthorized references.


When the pseudo-random function and the mechanism output multiple values as described in Example 3, P2 and P3 obtain multiple values q(1), . . . , q(l) (here, l is a lowercase letter L). In this case, in S405 and S406, all elements

$\langle T_{q^{(1)}} \rangle, \ldots, \langle T_{q^{(l)}} \rangle$   [Math. 8]

are output. In this case, desired data <D>=(<k>, *) is equivalent to any one element

$\langle T_{q^{(i)}} \rangle$   [Math. 9]

Therefore, each party can also select and output a specific element from all the elements by using any operations such as an equality determination or secure computation, for example.
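The data flow of Examples 3 and 4 can be followed in this added Python sketch, which is not code from the patent and runs all parties in one process. HMAC-SHA-256 stands in for the securely computed F, a two-choice cuckoo hash stands in for the mechanism M (so l = 2), the S306 permutation protocol is replaced by sharing the permuted table directly between P2 and P3, and the lookup reconstructs values in the clear only to check them; the function names, the retry with a fresh key and the dummy-key scheme are assumptions.

```python
import hashlib
import hmac
import secrets

MOD = 2**64  # ring for additive shares (assumption)

def prf(s, k):
    """Plaintext stand-in for F([k], [s]); the page evaluates F on shares."""
    return hmac.new(s, k.to_bytes(8, "big"), hashlib.sha256).digest()

def mechanism_m(f, m):
    """M on a single value f: the candidate slots q(1), q(2), always inside the table."""
    return [int.from_bytes(hashlib.sha256(bytes([j]) + f).digest(), "big") % m
            for j in (1, 2)]

def build_slots(fs, m, max_kicks=64):
    """M on the vector (f1..fn): cuckoo insertion. Returns slot -> item index, or None."""
    owner = [None] * m
    for i in range(len(fs)):
        cur, pos = i, mechanism_m(fs[i], m)[0]
        for _ in range(max_kicks):
            cur, owner[pos] = owner[pos], cur     # place cur, pick up the evicted item
            if cur is None:
                break
            a, b = mechanism_m(fs[cur], m)
            pos = b if pos == a else a            # evicted item moves to its other slot
        else:
            return None                           # insertion failed; caller draws a new key
    return owner

def additive_share(x):
    r = secrets.randbelow(MOD)
    return r, (x - r) % MOD

def construct(records, m):
    """Example 3 (S301-S309). records: list of (k_i, value_i) with distinct small keys."""
    while True:
        s = secrets.token_bytes(16)               # stands in for the random share [s] (S301)
        fs = [prf(s, k) for k, _ in records]      # S302-S304: f_i = F(k_i, s), restored by P1
        owner = build_slots(fs, m)                # S305: P1 derives the placement Pi from f
        if owner is not None:
            break
    t1, t2 = [], []
    for pos, i in enumerate(owner):
        # Empty slots get dummy data whose key differs from every k_i (padding to length m).
        k, val = records[i] if i is not None else (MOD - 1 - pos, 0)
        ks, vs = additive_share(k), additive_share(val)
        t1.append((ks[0], vs[0]))                 # <T>1, stored by P2 (S308)
        t2.append((ks[1], vs[1]))                 # <T>2, stored by P3 (S309)
    return s, t1, t2

def lookup(s, t1, t2, k):
    """Example 4. Returns (value or None, slots that P2 and P3 read)."""
    f = prf(s, k)                                 # S401-S402: P2 and P3 restore f
    slots = mechanism_m(f, len(t1))               # S403-S404: both obtain q(1), q(2)
    found = None
    for q in slots:                               # S405-S406: q-th elements of <T>1 and <T>2
        key = (t1[q][0] + t2[q][0]) % MOD         # reconstructed here only for the check
        val = (t1[q][1] + t2[q][1]) % MOD
        if key == k:                              # equality determination selects the match
            found = val
    return found, slots

if __name__ == "__main__":
    recs = [(101, 7), (202, 8), (303, 9), (404, 10), (505, 11)]  # constructed sample data
    s, t1, t2 = construct(recs, 16)
    print(lookup(s, t1, t2, 303))   # key present in D
    print(lookup(s, t1, t2, 999))   # key absent: two valid slots are still read
```

A lookup for a key that is not in D reads the same number of in-range slots as a lookup for a stored key, which is the behaviour the text relies on for resistance to unauthorized references.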


Conclusion

As described above, with the secure computation system 1 according to the present embodiment, it is possible to efficiently apply any permutation Π of P1 to the vector while concealing the permutation Π for P2 and P3 by using asymmetry of information for each party in secure computation of three parties, and to achieve higher security than that in the related art because P1 does not have the vector after permutation. Further, it is possible to construct any data in which the reference position of the vector can be concealed by using such a permutation. Here, asymmetry of information for each party indicates that the information is asymmetric between the party P1 having the permutation for the vector and the parties P2 and P3 having the vector itself after the permutation. This also indicates that information is asymmetric between the parties P2 and P3.


For example, a vector permutation method described in Reference 6 assumes that the permutation is concealed from all parties, whereas in the present embodiment, P1 has any plaintext permutation Π. Therefore, in Reference 6, it is necessary to accept an extra communication traffic cost or add a new process in order to perform any permutation not limited to random permutation, whereas in the present embodiment, it is possible to perform any permutation without any restrictions.


Further, for example, a vector permutation method described in Reference 7 has a wide range of applicable permutation as in the present embodiment because one party has any plaintext permutation, whereas the party having permutation also obtains the vector after permutation. Therefore, in Reference 7, the reference position can be concealed for the parties having the permutation. With respect to the above, in the present embodiment, since only P2 and P3 have the vector after the permutation, and P1 having the permutation does not have the vector after the permutation as described above, it is possible to conceal the reference position for P1 having the permutation.


The present invention is not limited to the specifically disclosed embodiments, and various modifications, changes, combinations with known techniques, and the like can be made without departing from the definition of the claims.


REFERENCES





    • Reference 1: A. Shamir. How to share a secret. Commun. ACM, Vol. 22, No. 11, pp. 612-613, 1979.

    • Reference 2: M. Ito, A. Saito, and T. Nishizeki. Secret sharing schemes realizing general access structures. Proceedings of the IEEE Global Telecommunication Conference, Globecom 87, pp. 99-102, 1987.

    • Reference 3: Naoto Kiribuchi, Dai Igarashi, Koki Hamada, Ryo Kikuchi. Programmable secure computation library MEVAL3. Symposium on Cryptography and Information Security (SCIS) 2018 Proceedings (2018).

    • Reference 4: K. Chida, K. Hamada, D. Ikarashi, R. Kikuchi, and B. Pinkas. High-throughput secure AES computation. In WAHC@CCS 2018, pages 13-24, 2018.

    • Reference 5: A. Kirsch, M. Mitzenmacher, and U. Wieder. More robust hashing: Cuckoo hashing with a stash. In ESA, pages 611-622, 2008.

    • Reference 6: K. Chida, K. Hamada, D. Ikarashi, R. Kikuchi, N. Kiribuchi, B. Pinkas. An efficient secure three-party sorting protocol with an honest majority. Cryptology ePrint Archive, Report 2019/695 (2019), https://eprint.iacr.org/2019/695

    • Reference 7: P. Mohassel, P. Rindal, and M. Rosulek. Fast database joins and PSI for secret shared data. Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security (CCS '20). Association for Computing Machinery, New York, NY, USA, 1271-1287. 2020.





REFERENCE SIGNS LIST






    • 1 secure computation system


    • 10, 20, 30 secure computation apparatus


    • 101, 201, 301 secure computation processing unit


    • 102, 202, 302 storage unit


    • 40 communications network


    • 500 computer


    • 501 input device


    • 502 display device


    • 503 external I/F


    • 503a recording medium


    • 504 communication I/F


    • 505 processor


    • 506 memory device


    • 507 bus




Claims
  • 1. A secure computation system including a first secure computation apparatus, a second secure computation apparatus, and a third secure computation apparatus each having a tripartite share of a concealed input vector, wherein the first secure computation apparatus includes a processor; and a memory storing program instructions that cause the processor to: convert its own tripartite share into a bipartite share with the third secure computation apparatus; calculate a third vector obtained by subtracting, from a result of applying its own permutation to its own bipartite share, a result of applying a second permutation determined according to the permutation to a first vector determined by a predetermined method and a second vector determined by a predetermined method; and transmit the third vector and the second permutation to the second secure computation apparatus, the third secure computation apparatus includes a processor; and a memory storing program instructions that cause the processor to convert its own tripartite share into a bipartite share with the first secure computation apparatus; calculate a fourth vector obtained by adding the first vector to a result of applying a first permutation determined according to the permutation to its own bipartite share; transmit the fourth vector to the third secure computation apparatus; set the second vector as a bipartite share, with the second secure computation apparatus, of a result of applying the permutation to the input vector, and the second secure computation apparatus includes a processor; and a memory storing program instructions that cause the processor to set a vector obtained by adding a result of applying the second permutation to the fourth vector to the third vector, as a bipartite share, with the third secure computation apparatus, of the result of applying the permutation to the input vector.
  • 2. The secure computation system according to claim 1, wherein the processor of the first secure computation apparatus is further configured to: randomly determine the first permutation and the second permutation such that synthetic mapping between the first permutation and the second permutation is the permutation; and randomly determine the first vector and the second vector having the same size as its own bipartite share, and the processor of the first secure computation apparatus transmits the first permutation, the first vector, and the second vector to the third secure computation apparatus.
  • 3. The secure computation system according to claim 1, wherein the processor of the first secure computation apparatus is further configured to: determine the first permutation, the first vector, and the second vector, using a pseudo-random number generator shared with the third secure computation apparatus and input data to the pseudo-random number generator; and determine synthesis mapping between inverse mapping of the first permutation and the permutation as the second permutation, and the processor of the third secure computation apparatus is further configured to determine the first permutation, the first vector, and the second vector, using a pseudo-random number generator shared with the first secure computation apparatus and input data to the pseudo-random number generator.
  • 4. The secure computation system according to claim 1, wherein the first secure computation apparatus, the second secure computation apparatus, and the third secure computation apparatus share a pseudo-random function capable of secure computation, and the processor of the first secure computation apparatus is further configured to: generate a tripartite share of a random number through random share generation between the second secure computation apparatus and the third secure computation apparatus; calculate a tripartite share of a vector of a value of the pseudo-random function with the tripartite share of the random number and each of predetermined tripartite shares included in each element of the input vector as inputs through secure computation between the second secure computation apparatus and the third secure computation apparatus; the vector of the value of the pseudo-random function, using the tripartite share of the vector of the value of the pseudo-random function transmitted from the second secure computation apparatus or the third secure computation apparatus and its own tripartite share of the vector of the value of the pseudo-random function; and receive the vector of the value of the pseudo-random function as an input and generate the permutation, using a predetermined mechanism.
  • 5. The secure computation system according to claim 4, wherein the processor of the second secure computation apparatus is further configured to: calculate a tripartite share of the value of the pseudo-random function with the tripartite share of the random number and a tripartite share of a search key for the input vector as inputs through secure computation between the first secure computation apparatus and the third secure computation apparatus; transmit its own tripartite share of the value of the pseudo-random function to the third secure computation apparatus; restore the value of the pseudo-random function, using the tripartite share of the value of the pseudo-random function transmitted from the third secure computation apparatus and its own tripartite share of the value of the pseudo-random function; and generate a value indicating a reference position for a bipartite share, with the third secure computation apparatus, of the result of applying the permutation to the input vector, using the mechanism with the value of the pseudo-random function as an input, and the processor of the third secure computation apparatus is further configured to: calculate the tripartite share of the value of the pseudo-random function with the tripartite share of the random number and the tripartite share of the search key for the input vector as inputs through secure computation between the first secure computation apparatus and the second secure computation apparatus; transmit its own tripartite share of the value of the pseudo-random function to the second secure computation apparatus; restore the value of the pseudo-random function, using the tripartite share of the value of the pseudo-random function transmitted from the second secure computation apparatus and its own tripartite share of the value of the pseudo-random function; and generate a value indicating a reference position for a bipartite share, with the second secure computation apparatus, of the result of applying the permutation to the input vector, using the mechanism with the value of the pseudo-random function as an input.
  • 6. A secure computation apparatus sharing a tripartite share of a concealed input vector between a first secure computation apparatus and a second other secure computation apparatus, the secure computation apparatus comprising: a processor; and a memory storing program instructions that cause the processor to: convert its own tripartite share into a bipartite share with the second secure computation apparatus; randomly determine a first permutation and a second permutation such that synthetic mapping between the first permutation and the second permutation is its own permutation; randomly determine a first vector and a second vector having the same size as its own bipartite share; calculate a third vector obtained by subtracting a result of applying the second permutation to the first vector, and the second vector from a result of applying the permutation to its own bipartite share; transmit the third vector and the second permutation to the first secure computation apparatus; and transmit the first permutation, the first vector, and the second vector to the second secure computation apparatus.
  • 7. A method for use in a secure computation system including a first secure computation apparatus, a second secure computation apparatus, and a third secure computation apparatus each having a tripartite share of a concealed input vector, wherein the first secure computation apparatus executes converting its own tripartite share into a bipartite share with the third secure computation apparatus; calculating a third vector obtained by subtracting, from a result of applying its own permutation to its own bipartite share, a result of applying a second permutation determined according to the permutation to a first vector determined by a predetermined method and a second vector determined by a predetermined method; and transmitting the third vector and the second permutation to the second secure computation apparatus, the third secure computation apparatus executes converting its own tripartite share into a bipartite share with the first secure computation apparatus; calculating a fourth vector obtained by adding the first vector to a result of applying a first permutation determined according to the permutation to its own bipartite share; transmitting the fourth vector to the third secure computation apparatus; setting the second vector as a bipartite share with the second secure computation apparatus of a result of applying the permutation to the input vector, and the second secure computation apparatus executes setting a vector obtained by adding a result of applying the second permutation to the fourth vector to the third vector, as a bipartite share with the third secure computation apparatus of the result of applying the permutation to the input vector.
  • 8. A non-transitory computer-readable recording medium having stored therein a program for causing a computer to perform the method according to claim 7.
PCT Information
Filing Document Filing Date Country Kind
PCT/JP2021/015927 4/19/2021 WO