SECURE COMPUTATION SYSTEM, SECURE COMPUTATION SERVER APPARATUS, SECURE COMPUTATION METHOD, AND SECURE COMPUTATION PROGRAM

Information

  • Patent Application: 20240430074
  • Publication Number: 20240430074
  • Date Filed: January 26, 2021
  • Date Published: December 26, 2024
Abstract
A secure computation server apparatus includes: a discriminant computation part that determines, per bit, whether the first bit sequence and a second bit sequence into which the value of the cleartext is converted match each other and that computes a sequence of a discriminant that indicates 0 when the first bit sequence indicates 1 and the second bit sequence indicates 0 at an n-th bit and when the first bit sequence and the second bit sequence match each other at an (n+1)th bit and higher; a shuffle part that shuffles the sequence of the discriminant to conceal information about the digit of the bit for which the discriminant indicates 0; and a comparison and verification part that, in a communication performed in the shuffling of the discriminant, compares the received values with each other and adopts, as an accurate value, a value on which at least two of the received values agree.
Description
TECHNICAL FIELD

The present invention relates to a secure computation system, a secure computation server apparatus, a secure computation method, and a secure computation program.


BACKGROUND ART

In recent years, research and developments on techniques referred to as secure computation are active. Secure computation is one of the techniques for executing predetermined processing while keeping its computation processes and the results thereof secret to third parties. One typical technique used for secure computation is a multiparty computation technique. In this multiparty computation technique, data that needs to be kept secret is distributed to a plurality of servers (secure computation server apparatuses), and each server performs various operations on the data distributed thereto while keeping the data secret. The data distributed to the individual secure computation server apparatuses is called “shares”. Hereinafter, unless otherwise stated, the term “secure computation” signifies the multiparty computation technique.


In the secure computation as described above, computation protocols for specific uses are usually implemented in addition to the four basic arithmetic operations. Among these protocols for specific uses are certain kinds of magnitude comparison protocols. One of them, also referred to as Private Compare, is a magnitude comparison between a value on which bit decomposition and secret sharing have been performed and a value which has not been made secret. Although this magnitude comparison referred to as Private Compare is not often used by itself, it is used as an internal process of processes such as extraction of the most significant bit or truncation of a numerical value. Thus, it is advantageous to implement the magnitude comparison referred to as Private Compare as a separate building block in a secure computation system.


CITATION LIST
Non-Patent Literature



  • NPL 1: Byali, M., Chaudhari, H., Patra, A., & Suresh, A. (2020). FLASH: fast and robust framework for privacy-preserving machine learning. Proceedings on Privacy Enhancing Technologies, 2020 (2), 459-480.



SUMMARY
Technical Problem

The disclosure of the above citation list is incorporated herein in its entirety by reference thereto. The following analysis has been made by the present inventor.


Different techniques that are generally referred to as secure computation achieve different security levels. For example, a case in which one of the participants in a multiparty secure computation is a dishonest person will be considered. In this case, it is possible to adopt a secure computation technique that can detect the presence of the dishonest person and can abort its processes. Alternatively, it is possible to adopt a secure computation technique that can obtain an accurate computation result without aborting its processes even if there is the dishonest person. The latter technique achieves a higher security than the former technique. The secure computation satisfying the latter security is referred to as Guaranteed Output Delivery (GOD), and an example of the secure computation realizing this GOD is known (for example, see NPL 1).


In addition, when evaluating the security of a secure computation, not only the security that can be achieved but also the pre-conditions under which it is achieved have significant implications. A typical pre-condition is modeling the hash function used as a random oracle.


A hash function is a function that returns a unique output for each input, where it is difficult to deduce the input from the output. However, although deducing the input from the output is difficult, there is no guarantee that it is impossible. Thus, the security is evaluated on the assumption that the hash function used has no vulnerability. Security based on this assumption is described as “secure in the random oracle model”. The security of the secure computation in NPL 1 is “secure in the random oracle model”.


In contrast, there is the expression “secure in the standard model”, as opposed to “secure in the random oracle model”. That is, if the input could be deduced from the output of the hash function without this by itself being a vulnerability of the secure computation, the security is described as “secure in the standard model”. Of course, at the same security level, security in the standard model is stronger than security in the random oracle model.


Thus, it is desirable to achieve Guaranteed Output Delivery (GOD) in the standard model also in the building block of the magnitude comparison referred to as Private Compare. This is because, in order to achieve Guaranteed Output Delivery (GOD) in a process such as extraction of the most significant bit or truncation of a numerical value, Guaranteed Output Delivery (GOD) in the standard model must also be achieved in the building block used as an internal process of that process.


The present invention has been made in view of the above problem, and it is an object of the present invention to provide a secure computation system, a secure computation server apparatus, a secure computation method, and a secure computation program that contribute to implementation of a magnitude comparison that achieves Guaranteed Output Delivery (GOD) in the standard model.


Solution to Problem

According to a first aspect of the present invention, there is provided a secure computation system, which includes five secure computation server apparatuses connected to each other via a network and obtains a share of a result of a magnitude comparison from input of a share relating to a first bit sequence and a value of a cleartext, an individual one of the secure computation server apparatuses including:


a discriminant computation part that determines, per bit, whether the first bit sequence and a second bit sequence into which the value of the cleartext is converted match each other and that computes a sequence of a discriminant that indicates 0 when the first bit sequence indicates 1 and the second bit sequence indicates 0 at an n-th bit and when the first bit sequence and the second bit sequence match each other at an (n+1)th bit and higher; a shuffle part that shuffles the sequence of the discriminant to conceal information about the digit of the bit for which the discriminant indicates 0; and a comparison and verification part that, in a communication performed in the shuffling of the discriminant, compares with each other values that are received from at least three of the five secure computation server apparatuses and that are supposed to be the same value, and adopts, as an accurate value, a value on which at least two of the received values agree.


According to a second aspect of the present invention, there is provided a secure computation server apparatus, which is one of five secure computation server apparatuses connected to each other via a network, to obtain a share of a result of a magnitude comparison from input of a share relating to a first bit sequence and a value of a cleartext, the secure computation server apparatus including: a discriminant computation part that determines, per bit, whether the first bit sequence and a second bit sequence into which the value of the cleartext is converted match each other and that computes a sequence of a discriminant that indicates 0 when the first bit sequence indicates 1 and the second bit sequence indicates 0 at an n-th bit and when the first bit sequence and the second bit sequence match each other at an (n+1)th bit and higher; a shuffle part that shuffles the sequence of the discriminant to conceal information about the digit of the bit for which the discriminant indicates 0; and a comparison and verification part that, in a communication performed in the shuffling of the discriminant, compares with each other values that are received from at least three of the five secure computation server apparatuses and that are supposed to be the same value, and adopts, as an accurate value, a value on which at least two of the received values agree.


According to a third aspect of the present invention, there is provided a secure computation method, which obtains a share of a result of a magnitude comparison from input of a share relating to a first bit sequence and a value of a cleartext by using five secure computation server apparatuses connected to each other via a network, an individual one of the secure computation server apparatuses performing: determining, per bit, whether the first bit sequence and a second bit sequence into which the value of the cleartext is converted match each other; computing a sequence of a discriminant that indicates 0 when the first bit sequence indicates 1 and the second bit sequence indicates 0 at an n-th bit and when the first bit sequence and the second bit sequence match each other at an (n+1)th bit and higher; shuffling the sequence of the discriminant to conceal information about the digit of the bit for which the discriminant indicates 0; and comparing and verifying, in a communication performed in the shuffling of the discriminant, values that are received from at least three of the five secure computation server apparatuses and that are supposed to be the same value, and adopting, as an accurate value, a value on which at least two of the received values agree.


According to a fourth aspect of the present invention, there is provided a secure computation program, causing five secure computation server apparatuses connected to each other via a network to perform a secure computation, to obtain a share of a result of a magnitude comparison from input of a share relating to a first bit sequence and a value of a cleartext, the secure computation program including: determining, per bit, whether the first bit sequence and a second bit sequence into which the value of the cleartext is converted match each other; computing a sequence of a discriminant that indicates 0 when the first bit sequence indicates 1 and the second bit sequence indicates 0 at an n-th bit and when the first bit sequence and the second bit sequence match each other at an (n+1)th bit and higher; shuffling the sequence of the discriminant to conceal information about the digit of the bit for which the discriminant indicates 0; and comparing and verifying, in a communication performed in the shuffling of the discriminant, values that are received from at least three of the five secure computation server apparatuses and that are supposed to be the same value, and adopting, as an accurate value, a value on which at least two of the received values agree. The program can be recorded in a computer-readable storage medium. The storage medium may be a non-transient storage medium such as a semiconductor memory, a hard disk, a magnetic recording medium, or an optical recording medium. The present invention can be embodied as a computer program product.


Advantageous Effects of Invention

According to the individual aspects of the present invention, it is possible to provide a secure computation system, a secure computation server apparatus, a secure computation method, and a secure computation program that contribute to implementation of a magnitude comparison that achieves Guaranteed Output Delivery (GOD) in the standard model.





BRIEF DESCRIPTION OF DRAWINGS


FIG. 1 is a block diagram illustrating a functional configuration example of a secure computation system according to a first example embodiment.



FIG. 2 is a block diagram illustrating a functional configuration example of a secure computation server apparatus according to the first example embodiment.



FIG. 3 is a flowchart illustrating an outline of a procedure of a secure computation method.



FIG. 4 is a block diagram illustrating a functional configuration example of a secure computation system according to a second example embodiment.



FIG. 5 is a block diagram illustrating a functional configuration example of a secure computation server apparatus according to the second example embodiment.



FIG. 6 is a flowchart illustrating a procedure of a protocol for a magnitude comparison (Private Compare).



FIG. 7 is a block diagram illustrating a functional configuration example of a secure computation system according to a third example embodiment.



FIG. 8 is a block diagram illustrating a functional configuration example of a secure computation server apparatus according to the third example embodiment.



FIG. 9 is a flowchart illustrating a procedure of a protocol for extraction of the most significant bit.



FIG. 10 is a diagram illustrating a hardware configuration example of a secure computation server apparatus.





DESCRIPTION OF EMBODIMENTS

Hereinafter, example embodiments of the present invention will be described with reference to the accompanying drawings. However, the present invention is not limited to the following example embodiments. In addition, in the drawings, the same or equivalent elements are denoted by the same reference characters, as necessary. In addition, the drawings are schematic drawings, and therefore, it should be noted that the sizes, ratios, etc. of the individual elements may differ from their actual sizes, ratios, etc. An element in a drawing may have a portion whose size or ratio differs from that of the portion of the element in a different drawing.


First Example Embodiment

Hereinafter, a secure computation system and secure computation server apparatuses according to a first example embodiment will be described with reference to FIGS. 1 and 2. The first example embodiment is an example embodiment for describing only a basic concept of the present invention.



FIG. 1 is a block diagram illustrating a functional configuration example of a secure computation system according to the first example embodiment. As illustrated in FIG. 1, a secure computation system 100 according to the first example embodiment includes a first secure computation server apparatus 100_0, a second secure computation server apparatus 100_1, a third secure computation server apparatus 100_2, a fourth secure computation server apparatus 100_3, and a fifth secure computation server apparatus 100_4. The first secure computation server apparatus 100_0, the second secure computation server apparatus 100_1, the third secure computation server apparatus 100_2, the fourth secure computation server apparatus 100_3, and the fifth secure computation server apparatus 100_4 are connected to each other via a network such that these apparatuses can communicate with each other.


In the secure computation system 100 including the first to fifth secure computation server apparatuses 100_i (i=0, 1, 2, 3, 4), it is possible to compute target shares from a value inputted to any one of the first to fifth secure computation server apparatuses 100_i (i=0, 1, 2, 3, 4) while keeping the input value and the values acquired in the computation processes secret, and it is possible to dispersedly store the computation results in the first to fifth secure computation server apparatuses 100_i (i=0, 1, 2, 3, 4).


In addition, in the secure computation system 100 including the first to fifth secure computation server apparatuses 100_i (i=0, 1, 2, 3, 4), it is possible to compute target shares from the shares dispersedly stored in the first to fifth secure computation server apparatuses 100_i (i=0, 1, 2, 3, 4) while keeping the values in the computation processes secret, and it is possible to dispersedly store the computation results in the first to fifth secure computation server apparatuses 100_i (i=0, 1, 2, 3, 4).


The shares of the computation results may be reconstructed by causing the first to fifth secure computation server apparatuses 100_0 to 100_4 to exchange their shares with each other. Alternatively, the shares may be decoded by transmitting them to an external apparatus other than the first to fifth secure computation server apparatuses 100_0 to 100_4.


In addition, in the secure computation system 100 including the first to fifth secure computation server apparatuses 100_i (i=0, 1, 2, 3, 4), even when one of the first to fifth secure computation server apparatuses 100_i (i=0, 1, 2, 3, 4) is operated by a dishonest person, it is possible to continue an accurate secure computation without stopping the processes.


For example, the following construction may be adopted as the construction of the shares that enables continuation of an accurate secure computation without stopping the processes even when one of the first to fifth secure computation server apparatuses 100_i (i=0, 1, 2, 3, 4) is operated by a dishonest person as described above.


Shares of an element x of the residue class ring Zn of modulo n, that is, x∈Zn, on the residue class ring Zn are defined as follows (the shares may be referred to as arithmetic shares, as necessary). Note that n=2^m, where m is an integer of 2 or more. That is, the residue class ring Z2 of modulo 2 is distinguished from the residue class ring Zn of modulo n.


An element x of the residue class ring Zn of modulo n, that is, x∈Zn, is decomposed to satisfy the following relationship:

$$x = x_0 + x_1 + x_2 + x_3 + x_4 \bmod n$$


[x]_i dispersedly held by the individual participants P_i (i=0, 1, 2, 3, 4) is defined as follows.

$$[x]_i = (x_i,\, x_{i+1},\, x_{i+2},\, x_{i+3}), \quad \text{note that } x_{4+1} = x_0$$


Shares of an element x of the residue class ring Z2 of modulo 2, that is, x∈Z2, on the residue class ring Z2 (the shares may be referred to as logic shares, as necessary) are defined in the same way as the above shares on the residue class ring Zn with n=2. However, a different notation [x]^B is used to distinguish the residue class ring Z2 of modulo 2 from the residue class ring Zn of modulo n. That is, the shares are specifically defined as follows.


An element x of the residue class ring Z2 of modulo 2, that is, x∈Z2, is decomposed as follows. In Equation 1, “⊕” (“+” inside a circle) represents an exclusive-or.

$$x = x_0 \oplus x_1 \oplus x_2 \oplus x_3 \oplus x_4 \bmod 2 \qquad [\text{Equation 1}]$$


[x]^B_i dispersedly held by the individual participants P_i (i=0, 1, 2, 3, 4) is defined as follows.

$$[x]^B_i = (x_i,\, x_{i+1},\, x_{i+2},\, x_{i+3}), \quad \text{note that } x_{4+1} = x_0$$


If the shares [x]_0, [x]_1, [x]_2, [x]_3, and [x]_4 held by the individual participants P_i (i=0, 1, 2, 3, 4) are determined as described above, no individual participant P_i (i=0, 1, 2, 3, 4) can reconstruct x from the share it holds alone. However, x can be reconstructed if the shares held by at least two of the participants P_i (i=0, 1, 2, 3, 4) are combined. This secret sharing scheme is referred to as a 2-out-of-5 Replicated Secret Sharing Scheme.
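The share layout above, as an added example that is not part of the patent: each of the five participants holds the four sub-shares x_i, x_{i+1}, x_{i+2}, x_{i+3} (indices mod 5), so one participant alone is missing x_{i+4}, while any two participants together hold all five. The modulus n = 2^8 and the secret value are chosen for the demonstration; with n = 2 the same code yields the logic shares of Equation 1, since addition mod 2 is exclusive-or.

```python
import secrets

PARTIES = 5  # participants P_0 .. P_4


def split(x, n):
    """Decompose x in Z_n into five sub-shares with x = x_0 + x_1 + x_2 + x_3 + x_4 (mod n)."""
    subs = [secrets.randbelow(n) for _ in range(PARTIES - 1)]
    subs.append((x - sum(subs)) % n)
    return subs


def share_of(subs, i):
    """[x]_i = (x_i, x_{i+1}, x_{i+2}, x_{i+3}); indices wrap so that x_{4+1} = x_0.
    Returned as {sub-share index: value}. P_i never receives x_{i+4}."""
    return {(i + j) % PARTIES: subs[(i + j) % PARTIES] for j in range(4)}


def missing_index(i):
    """Index of the single sub-share that P_i does not hold: x_{i+4}."""
    return (i + 4) % PARTIES


def distribute(x, n):
    """Shares [x]_0 .. [x]_4 of x in Z_n (arithmetic shares; n = 2 gives logic shares)."""
    subs = split(x, n)
    return [share_of(subs, i) for i in range(PARTIES)]


def reconstruct(shares, n):
    """Combine the shares of any group of participants.
    Returns None while a sub-share is still missing, which is always the case
    for a single participant; any two participants cover all five sub-shares."""
    known = {}
    for sh in shares:
        known.update(sh)
    if len(known) < PARTIES:
        return None
    # Addition mod n; for n = 2 this is exactly the exclusive-or of Equation 1.
    return sum(known.values()) % n


def demo():
    n = 2 ** 8  # n = 2^m with m = 8 (value chosen for the demo)
    shares = distribute(40, n)
    alone = reconstruct([shares[2]], n)             # None: P_2 lacks x_{(2+4) mod 5} = x_1
    pair = reconstruct([shares[2], shares[4]], n)   # 40: P_2 and P_4 together hold x_0 .. x_4
    logic = distribute(1, 2)                        # logic shares of the bit 1
    bit = reconstruct([logic[0], logic[3]], 2)      # 1: reconstructed by XOR
    return alone, pair, bit


if __name__ == "__main__":
    print(demo())
```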


In a secure computation based on this secret sharing scheme, not only when x is reconstructed but also when a magnitude comparison is performed, there is a situation in which the individual participants directly or indirectly receive the values of the sub-shares not held thereby from other participants. Thus, if one of the other participants is a dishonest person, a participant could receive a different value instead of a value that the participant is originally supposed to receive. If this happens, the secure computation is performed based on an erroneous value, resulting in an erroneous computation result. In some cases, the computation itself cannot be performed properly.


To solve this problem, as illustrated in FIG. 2, in the secure computation system 100 according to the present example embodiment, an individual one of the first to fifth secure computation server apparatuses 100_i (i=0, 1, 2, 3, 4) includes a discriminant computation part 101_i, a shuffle part 102_i, and a comparison and verification part 103_i. FIG. 2 is a block diagram illustrating a functional configuration example of a secure computation server apparatus according to the first example embodiment. In the secure computation system 100 according to the present example embodiment, since the individual one of the first to fifth secure computation server apparatuses 100_i (i=0, 1, 2, 3, 4) includes the discriminant computation part 101_i, the shuffle part 102_i, and the comparison and verification part 103_i, it is possible to obtain a share of a result of a magnitude comparison from input of a share relating to a first bit sequence and a value of a cleartext.


The discriminant computation part 101_i determines, per bit, whether the first bit sequence and a second bit sequence into which the value of the cleartext is converted match each other and computes a sequence of a discriminant that indicates 0 when the first bit sequence indicates 1 and the second bit sequence indicates 0 at an n-th bit and when the first bit sequence and the second bit sequence match each other at an (n+1)th bit and higher.


The shuffle part 102_i shuffles the sequence of the discriminant to conceal information about the digit of the bit for which the discriminant indicates 0. In addition, the comparison and verification part 103_i, in a communication performed in the shuffling of the discriminant, compares with each other values that are received from at least three of the five secure computation server apparatuses and that are supposed to be the same value, and adopts, as an accurate value, a value on which at least two of the received values agree.


Next, the significance of the above configuration will be described based on a magnitude comparison between specific numbers. In practice, a magnitude comparison between a value (share) on which bit decomposition and secret sharing have been performed and a value (cleartext) which has not been made secret is performed. However, for ease of description, cleartexts will be used as the two values in the following example.


As the value (share) on which bit decomposition and secret sharing have been performed, x=40 is set. In addition, as the value (cleartext) which has not been made secret and which will be compared with the value (share), r=32 is set. In this case, if bit decomposition is performed on x=40 and r=32, the values are represented as follows (binary representation).

$$x = 40 = (00101000)$$

$$r = 32 = (00100000)$$


As is clear from the comparison between the above bit sequences, the first bit sequence (x) indicates 1 and the second bit sequence (r) indicates 0 at the 4th bit, and the first bit sequence (x) and the second bit sequence (r) match each other at the 5th bit and higher. The fact that x is greater than r corresponds to the existence of such an n: the first bit sequence indicates 1 and the second bit sequence indicates 0 at the n-th bit, and the first bit sequence and the second bit sequence match each other at the (n+1)th bit and higher. When x=40 and r=32, n=4.


By using this nature, the discriminant computation part 101_i determines, per bit, whether the first bit sequence and the second bit sequence into which the value of the cleartext is converted match each other and computes a sequence of a discriminant that indicates 0 when the first bit sequence indicates 1 and the second bit sequence indicates 0 at an n-th bit and when the first bit sequence and the second bit sequence match each other at an (n+1)th bit and higher.


Specifically, the discriminant can be configured as follows. Note that the following discriminant is for a cleartext; the actual discriminant on shares will be described below. In addition, “|l” in Equations 2 denotes the l-th bit.

$$c|_l = r|_l - x|_l + 1 + \sum_{m=l+1}^{k-1} w|_m \qquad [\text{Equations 2}]$$

$$w|_m = x|_m + r|_m - 2\, r|_m \times x|_m$$


When x=40 and r=32, the discriminant is computed as follows. Note that “*” represents a non-zero value.

$$x = 40 = (00101000)$$

$$r = 32 = (00100000)$$

$$c = (****0***)$$


As described above, this discriminant c is configured such that x>r if the sequence includes 0.


Although the discriminant c can determine that x>r if the sequence includes 0, the discriminant c carries excess information: the location of the 0 in the sequence reveals information about the difference between x and r. Thus, the shuffle part 102_i shuffles the sequence of the discriminant to conceal information about the digit of the bit for which the discriminant indicates 0.


In addition, the comparison and verification part 103_i, in a communication performed in the shuffling of the discriminant, compares with each other values that are received from at least three of the five secure computation server apparatuses and that are supposed to be the same value, and adopts, as an accurate value, a value on which at least two of the received values agree. Consequently, Guaranteed Output Delivery (GOD) is achieved in the standard model.


Next, a secure computation method according to the present example embodiment will be described. FIG. 3 is a flowchart illustrating an outline of a procedure of the secure computation method.


As illustrated in FIG. 3, the secure computation method according to the present example embodiment includes a discriminant computation step (S11), a shuffle step (S12), and a comparison and verification step (S13). In the discriminant computation step (S11), the discriminant computation part 101_i determines, per bit, whether the first bit sequence and the second bit sequence into which the value of the cleartext is converted match each other and computes a sequence of a discriminant that indicates 0 when the first bit sequence indicates 1 and the second bit sequence indicates 0 at an n-th bit and when the first bit sequence and the second bit sequence match each other at an (n+1)th bit and higher. In the shuffle step (S12), the shuffle part 102_i shuffles the sequence of the discriminant to conceal information about the digit of the bit for which the discriminant indicates 0. Next, in the comparison and verification step (S13), the comparison and verification part 103_i, in a communication performed in the shuffling of the discriminant, compares with each other values that are received from at least three of the five secure computation server apparatuses and that are supposed to be the same value, and adopts, as an accurate value, a value on which at least two of the received values agree.


As described above, in the secure computation system 100 and the secure computation method according to the present example embodiment, a participant receives, from at least three of the other participants, values that are supposed to be the same value, and adopts, as an accurate value, a value on which at least two of the received values agree. In this way, even if one of the other participants is a dishonest person, the participant can determine the accurate value. That is, even if there is a dishonest person, it is possible to realize Guaranteed Output Delivery (GOD), which obtains an accurate computation result without stopping the processes. In addition, because no hash function is used in the above processes, Guaranteed Output Delivery (GOD) is realized in the standard model.
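The three steps S11 to S13 on cleartext, as an added example that is not part of the patent: the discriminant of Equations 2 for x=40, r=32 and k=8 bits (bit index l=0 is the least significant bit, so the "4th bit" of the text is l=3), the shuffle that hides the digit of the 0, and the rule of the comparison and verification part applied to three constructed copies of a value, one of them tampered with. The functions, the `Counter`-based majority rule and the tampered message are assumptions of the example.

```python
import secrets
from collections import Counter


def bits(v, k):
    """Bit decomposition of v into k bits; index l = 0 is the least significant bit."""
    return [(v >> l) & 1 for l in range(k)]


def discriminant(x, r, k):
    """Equations 2 on cleartext:
       w|m = x|m + r|m - 2 r|m x|m   (equals x|m xor r|m)
       c|l = r|l - x|l + 1 + sum_{m=l+1}^{k-1} w|m
    c|l is 0 exactly when x|l = 1, r|l = 0 and all higher bits of x and r match."""
    xb, rb = bits(x, k), bits(r, k)
    w = [xb[m] + rb[m] - 2 * rb[m] * xb[m] for m in range(k)]
    return [rb[l] - xb[l] + 1 + sum(w[l + 1:]) for l in range(k)]


def greater_than(x, r, k):
    """x > r holds exactly when the discriminant sequence contains a 0."""
    return 0 in discriminant(x, r, k)


def render(c):
    """Most significant position first, non-zero entries shown as '*' as in the text."""
    return "(" + "".join("0" if v == 0 else "*" for v in reversed(c)) + ")"


def leak_from_position(c):
    """What an unshuffled c gives away: the digit of the 0 is the highest bit in which
    x and r differ, which bounds x - r. None when there is no 0 (x <= r)."""
    return c.index(0) if 0 in c else None


def shuffle(seq):
    """Shuffle part (S12): a uniformly random permutation hides the digit of the 0 but
    keeps the multiset of values, so 'contains a 0' stays decidable."""
    out = list(seq)
    secrets.SystemRandom().shuffle(out)
    return out


def adopt(received):
    """Comparison and verification part (S13): the same value is expected from three
    different servers; adopt the one at least two of them agree on. With at most one
    dishonest server two copies always agree, so None means that precondition was broken."""
    value, count = Counter(received).most_common(1)[0]
    return value if count >= 2 else None


def demo():
    c = discriminant(40, 32, 8)              # [2, 2, 2, 0, 1, 1, 1, 1]
    pos = leak_from_position(c)             # 3: the 4th bit, where 40 and 32 first differ
    hidden = shuffle(c)                     # same values, position of the 0 randomised
    honest = tuple(c)
    # constructed messages: two honest copies and one copy altered by a dishonest server
    adopted = adopt([honest, honest, tuple(v + 1 for v in c)])
    return render(c), pos, sorted(hidden) == sorted(c), adopted == honest


if __name__ == "__main__":
    print(demo())
```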


The first example embodiment described above is an example embodiment for describing only a basic concept of the present invention. A second example embodiment described below is a practical example embodiment to which the above-described concept is applied.


Second Example Embodiment

Hereinafter, a secure computation system and secure computation server apparatuses according to a second example embodiment will be described with reference to FIGS. 4 and 5.



FIG. 4 is a block diagram illustrating a functional configuration example of a secure computation system according to the second example embodiment. As illustrated in FIG. 4, a secure computation system 200 according to the second example embodiment includes a first secure computation server apparatus 200_0, a second secure computation server apparatus 200_1, a third secure computation server apparatus 200_2, a fourth secure computation server apparatus 200_3, and a fifth secure computation server apparatus 200_4. The first secure computation server apparatus 200_0, the second secure computation server apparatus 200_1, the third secure computation server apparatus 200_2, the fourth secure computation server apparatus 200_3, and the fifth secure computation server apparatus 200_4 are connected to each other via a network such that these apparatuses can communicate with each other.


In the secure computation system 200 including the first to fifth secure computation server apparatuses 200_i (i=0, 1, 2, 3, 4), it is possible to compute target shares from a value inputted to any one of the first to fifth secure computation server apparatuses 200_i (i=0, 1, 2, 3, 4) while keeping the input value and the values acquired in the computation processes secret, and it is possible to dispersedly store the computation results in the first to fifth secure computation server apparatuses 200_i (i=0, 1, 2, 3, 4).


In addition, in the secure computation system 200 including the first to fifth secure computation server apparatuses 200_i (i=0, 1, 2, 3, 4), even when one of the first to fifth secure computation server apparatuses 200_i (i=0, 1, 2, 3, 4) is operated by a dishonest person, it is possible to continue an accurate secure computation without stopping the processes.



FIG. 5 is a block diagram illustrating a functional configuration example of a secure computation server apparatus according to the second example embodiment. As illustrated in FIG. 5, in the secure computation system 200 according to the present example embodiment, an individual one of the first to fifth secure computation server apparatuses 200_i (i=0, 1, 2, 3, 4) includes a discriminant computation part 201_i, a shuffle part 202_i, and a comparison and verification part 203_i. In the secure computation system 200 according to the present example embodiment, since the individual one of the first to fifth secure computation server apparatuses 200_i (i=0, 1, 2, 3, 4) includes the discriminant computation part 201_i, the shuffle part 202_i, and the comparison and verification part 203_i, it is possible to obtain a share of a result of a magnitude comparison from input of a share relating to a first bit sequence and a value of a cleartext.


Hereinafter, building blocks used for execution of the magnitude comparison according to the present example embodiment will be described. Note that not all the building blocks used for execution of the magnitude comparison will be described. Of all the four basic arithmetic operations used for the secure computation, multiplication, which is not obvious, will be mainly described. In addition, shuffle, bit conversion, reshare, and reconstruction, which are used in the magnitude comparison described below, will also be described.


[Generation of Pseudo Random Numbers and Sharing of Seeds]

The pseudo-random functions F_n and F_2, the seeds, and an identifier are related as follows. F_n and F_2 are two-input functions defined with respect to a security parameter κ:

$F_n : \{0,1\}^{\kappa} \times \{0,1\}^{\kappa} \to \{0,1\}^{n}$

$F_2 : \{0,1\}^{\kappa} \times \{0,1\}^{\kappa} \to \{0,1\}^{2}$
The seeds seed_i ∈ {0,1}^κ (i=0, 1, 2, 3, 4) are values appropriately shared among the secure computation server apparatuses 200_i, and the identifier vid ∈ {0,1}^κ is a public value such as a counter. The pseudo-random functions F_n and F_2 deterministically generate pseudo random numbers from a seed and an identifier, so every party holding the same seed derives the same value from the same identifier.


Of the five seeds seed_i ∈ {0,1}^κ (i=0, 1, 2, 3, 4), each secure computation server apparatus 200_i holds (seed_i, seed_{i+1}, seed_{i+2}, seed_{i+3}), where indices are taken modulo 5 (seed_{4+1} = seed_0). That is, each secure computation server apparatus 200_i holds all the seeds except seed_{i+4}. The distribution of these seeds can be set by an administrator or the like as a presetting of the secure computation server apparatuses 200_i.


[Creation of Mask]

Next, a pseudo random number (correlated randomness) is created that looks random to the participant P_{i+4}, cannot be removed by P_{i+4}, and can be computed deterministically by the other participants P_i, P_{i+1}, P_{i+2}, and P_{i+3}. This pseudo random number is used as a mask in the secure multiplication described below.


First, since the participant P_{i+4} does not hold the seed seed_{i+3}, a pseudo random number derived by feeding seed_{i+3} into the pseudo-random function F_n satisfies the above condition. That is, the following α_k looks random to P_{i+4} and cannot be removed by P_{i+4}, but it can be computed deterministically by the other participants P_i, P_{i+1}, P_{i+2}, and P_{i+3}.

$\alpha_k = F_n(\mathrm{vid}_k, \mathrm{seed}_{i+3}) - F_n(\mathrm{vid}_{k+1}, \mathrm{seed}_{i+3}) \bmod n$
By letting the index k of the identifier vid_k run from k=0 to k=4 (with vid_{4+1} = vid_0), five pseudo random numbers α_k are obtained. The set of these pseudo random numbers is denoted as follows. Because every term F_n(vid_k, seed_{i+3}) appears once with a plus sign and once with a minus sign, the sum telescopes, and it is easy to verify that α_0 + α_1 + α_2 + α_3 + α_4 = 0.

$(\alpha_0, \alpha_1, \alpha_2, \alpha_3, \alpha_4) = \mathrm{CR}\left(i+4, \{\mathrm{vid}_k\}_{k=0}^{4}, \mathrm{seed}_{i+3}\right)$

The pseudo random numbers α_0, α_1, α_2, α_3, and α_4 created in this way look random to the participant P_{i+4} and cannot be removed by P_{i+4} individually, but they can be computed deterministically by the other participants P_i, P_{i+1}, P_{i+2}, and P_{i+3}. However, because their sum is 0, once all five of α_0, α_1, α_2, α_3, and α_4 have been collected, their contribution can be removed by P_{i+4}; this cancellation is what makes the mask disappear when a result is reconstructed.


In addition, the above pseudo random numbers can be created in the same way for each of the other participants P_i. Specifically, the pseudo random numbers are defined as follows.

$(\alpha_{i,0}, \alpha_{i,1}, \alpha_{i,2}, \alpha_{i,3}, \alpha_{i,4}) = \mathrm{CR}\left(i, \{\mathrm{vid}_k\}_{k=0}^{4}, \mathrm{seed}_{i+4}\right)$ for $i = 0, 1, 2, 3, 4$

$\alpha_{i,k} = F_n(\mathrm{vid}_k, \mathrm{seed}_{i+4}) - F_n(\mathrm{vid}_{k+1}, \mathrm{seed}_{i+4}) \bmod n$ for $i = 0, 1, 2, 3, 4$

The sets of pseudo random numbers created as described above are arranged as follows, with the first index i (the participant that cannot compute the value) along the horizontal direction and the second index k along the vertical direction.

TABLE 1

          i = 0     i = 1     i = 2     i = 3     i = 4
  k = 0   α_{0,0}   α_{1,0}   α_{2,0}   α_{3,0}   α_{4,0}
  k = 1   α_{0,1}   α_{1,1}   α_{2,1}   α_{3,1}   α_{4,1}
  k = 2   α_{0,2}   α_{1,2}   α_{2,2}   α_{3,2}   α_{4,2}
  k = 3   α_{0,3}   α_{1,3}   α_{2,3}   α_{3,3}   α_{4,3}
  k = 4   α_{0,4}   α_{1,4}   α_{2,4}   α_{3,4}   α_{4,4}

In the above table, the sum of each column (over the second index k with the first index i fixed, that is, in the vertical direction) is zero, because it telescopes; the sum of each row (over the first index i with k fixed, that is, in the horizontal direction) is in general not zero.


[Secure Computation (Multiplication)]


Next, multiplication, an essential building block of the secure computation, will be described; that is, a secure computation that computes [z] = [xy] = [x]·[y] from two shares [x] and [y]. Here x, y, and z are decomposed as follows.

[Equations 3]

$z = \sum_{i=0}^{4} z_i \bmod n$

$x = \sum_{i=0}^{4} x_i \bmod n$

$y = \sum_{i=0}^{4} y_i \bmod n$

$z_i = x_i \cdot \sum_{j=0}^{4} y_j \bmod n$

The participant P_i (i=0, 1, 2, 3, 4) computes tmpz_k as follows. To compute z_k, P_i would need x_k·y_{i+4}, but P_i does not hold y_{i+4}, so it cannot compute z_k from its own shares alone; tmpz_k is the part that P_i can compute by itself. The following α_{j,k} is the pseudo random number described in the section [Creation of Mask] above.

[Equation 4]

$\mathrm{tmpz}_k = x_k \cdot (y_i + y_{i+1} + y_{i+2} + y_{i+3}) + \sum_{j \neq i} \alpha_{j,k} \bmod n \quad (k = i, i+1, i+2, i+3)$

Next, sender groups S_i, S_{i+1}, S_{i+2}, and S_{i+3} are defined as S_i = {P_{i+2}, P_{i+3}, P_{i+4}}, S_{i+1} = {P_{i+3}, P_{i+4}, P_{i+1}}, S_{i+2} = {P_{i+4}, P_{i+1}, P_{i+2}}, and S_{i+3} = {P_{i+1}, P_{i+2}, P_{i+3}}. Each S_k consists exactly of the participants other than P_i that hold x_k (every participant other than P_i holds y_{i+4}), so the participants belonging to S_k can compute x_k·y_{i+4} from the shares they hold. Thus, for example, the participants P_{i+2}, P_{i+3}, and P_{i+4} belonging to the sender group S_i = {P_{i+2}, P_{i+3}, P_{i+4}} compute m_{k,i+2}, m_{k,i+3}, and m_{k,i+4}, in which x_k·y_{i+4} is masked by the above pseudo random number α_{i,k}.

$P_{i+2}: \; m_{k,i+2} = \alpha_{i,k} + x_k \cdot y_{i+4} \bmod n$

$P_{i+3}: \; m_{k,i+3} = \alpha_{i,k} + x_k \cdot y_{i+4} \bmod n$

$P_{i+4}: \; m_{k,i+4} = \alpha_{i,k} + x_k \cdot y_{i+4} \bmod n$
Of the participants P_{i+2}, P_{i+3}, and P_{i+4} belonging to the sender group S_i = {P_{i+2}, P_{i+3}, P_{i+4}}, for example, the participants P_{i+2} and P_{i+3} send m_{k,i+2} and m_{k,i+3} to the participant P_i as they are, and the participant P_{i+4} sends a hash value h_{k,i+4} of m_{k,i+4} to P_i. Since m_{k,i+2}, m_{k,i+3}, and m_{k,i+4} are masked by the pseudo random number α_{i,k}, which P_i cannot compute, x_k·y_{i+4} is not leaked to P_i. That is, although a hash function is used here, it is used not to ensure security but to reduce the communication cost.


Next, upon receiving m_{k,i+2}, m_{k,i+3}, and the hash value h_{k,i+4} of m_{k,i+4}, the participant P_i performs comparison and verification on them. First, P_i computes the hash values h_{k,i+2} and h_{k,i+3} of m_{k,i+2} and m_{k,i+3}. Next, if h_{k,i+2} = h_{k,i+3} or h_{k,i+2} = h_{k,i+4}, P_i determines that m_k = m_{k,i+2}. If h_{k,i+3} = h_{k,i+4}, P_i determines that m_k = m_{k,i+3}. Since at most one of the three senders is dishonest, at least two of the three hash values always agree, and the value they agree on is the correct one.


When x_k·y_{i+4} is sent to the participant P_i as described above, P_i receives the values m_k (or hash values thereof), which are supposed to be identical, from at least three of the other participants P_j and adopts the value on which at least two of the received values agree as the accurate value. In this way, even when one of the other participants P_j is dishonest, the accurate value can be determined.


Next, the participant P_i computes z_k = tmpz_k + m_k mod n (k = i, i+1, i+2, i+3) by using the m_k determined to be accurate.

[Equation 5]

$z_k = \mathrm{tmpz}_k + m_k = \left( x_k \cdot (y_i + y_{i+1} + y_{i+2} + y_{i+3}) + \sum_{j \neq i} \alpha_{j,k} \right) + \left( \alpha_{i,k} + x_k \cdot y_{i+4} \right) = x_k \cdot \sum_{j=0}^{4} y_j + \sum_{j=0}^{4} \alpha_{j,k}$

Although z_k computed as described above includes an extra additive term, z_k functions as a share [z]_i = (z_i, z_{i+1}, z_{i+2}, z_{i+3}) of the computation result [z] = [xy] = [x]·[y]. This becomes clear when z = z_0 + z_1 + z_2 + z_3 + z_4 is actually computed as follows.

[Equation 6]

$z = z_0 + z_1 + z_2 + z_3 + z_4$

$\quad = \left( x_0 \cdot \sum_{j=0}^{4} y_j + \sum_{j=0}^{4} \alpha_{j,0} \right) + \left( x_1 \cdot \sum_{j=0}^{4} y_j + \sum_{j=0}^{4} \alpha_{j,1} \right) + \left( x_2 \cdot \sum_{j=0}^{4} y_j + \sum_{j=0}^{4} \alpha_{j,2} \right) + \left( x_3 \cdot \sum_{j=0}^{4} y_j + \sum_{j=0}^{4} \alpha_{j,3} \right) + \left( x_4 \cdot \sum_{j=0}^{4} y_j + \sum_{j=0}^{4} \alpha_{j,4} \right)$

$\quad = (x_0 + x_1 + x_2 + x_3 + x_4) \cdot \sum_{j=0}^{4} y_j + \sum_{k=0}^{4} \alpha_{0,k} + \sum_{k=0}^{4} \alpha_{1,k} + \sum_{k=0}^{4} \alpha_{2,k} + \sum_{k=0}^{4} \alpha_{3,k} + \sum_{k=0}^{4} \alpha_{4,k}$

$\quad = x \cdot y \bmod n$

The reason why the pseudo random number α_{i,k} can be removed is that the following relation holds by construction of the pseudo random numbers.

[Equation 7]

$\sum_{k=0}^{4} \alpha_{0,k} + \sum_{k=0}^{4} \alpha_{1,k} + \sum_{k=0}^{4} \alpha_{2,k} + \sum_{k=0}^{4} \alpha_{3,k} + \sum_{k=0}^{4} \alpha_{4,k} = 0$

That is, as described in the section [Creation of Mask] above, the pseudo random numbers constructed in this way have the property that, in Table 1, the sum along a column (over the second index k with the first index i fixed, the vertical direction) is zero, whereas the sum along a row (over the first index i with k fixed, the horizontal direction) is in general not zero. The additive term that appears in the computation result z_k = tmpz_k + m_k mod n (k = i, i+1, i+2, i+3) is a row sum Σ_j α_{j,k}, and it is not zero. However, when the computation result [z] = [xy] = [x]·[y] is reconstructed, all five row sums are added together, which is the same as adding the five column sums, so the impact of the additive term (mask) is removed by the property that every column sum is zero. That is, although z_k computed as described above includes the extra additive term, z_k functions as a share [z]_i = (z_i, z_{i+1}, z_{i+2}, z_{i+3}) of the computation result [z] = [x·y] = [x]·[y].


Thus, for the share [z]_i = (z_i, z_{i+1}, z_{i+2}, z_{i+3}) of the computation result [z] = [x·y] = [x]·[y], a participant P_i receives the values m_k (or hash values thereof), which are supposed to be identical, from at least three of the other participants P_j and adopts the value on which at least two of the received values agree as the accurate value. In this way, even when one of the other participants P_j is dishonest, the accurate value can be determined. That is, even if there is a dishonest participant, Guaranteed Output Delivery (GOD), which yields an accurate computation result without halting the protocol, is realized. In addition, although a hash function is used in the above processes, it serves only to reduce the communication amount: the values being hashed are already masked, so security is not affected even if the hash input could be deduced from its output, and no random-oracle assumption on the hash function is needed. What the comparison does rely on is that a dishonest sender cannot find a different value with the same hash as the honest value (collision resistance), since otherwise a single forged message could be accepted. Thus, Guaranteed Output Delivery (GOD) in the standard model is realized.
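The multiplication protocol described above, as an added example that is not part of the patent text: a single-process Python simulation of the five-party multiplication, covering the correlated-randomness masks α_{i,k}, the sender groups S_k, the two-values-plus-one-hash transmission, and the comparison-and-verification step with one dishonest sender. Assumptions not in the original: the modulus n is the prime 2^31 − 1, F_n is instantiated as HMAC-SHA256 reduced mod n, the hash is SHA-256, the network is replaced by in-process function calls, and the `cheater` parameter, the `demo` helper and all function names are this example's own.

```python
import hashlib
import hmac
import secrets

N = 2**31 - 1      # assumed modulus n (a prime; the protocol only needs a ring)
PARTIES = 5


def prf(seed: bytes, vid: str) -> int:
    """F_n(vid, seed): deterministic pseudo-random element of Z_n (assumed: HMAC-SHA256 mod n)."""
    return int.from_bytes(hmac.new(seed, vid.encode(), hashlib.sha256).digest(), "big") % N


def held(i: int) -> list:
    """Sub-share indices held by P_i: i, i+1, i+2, i+3 (mod 5); P_i lacks index i+4."""
    return [(i + d) % PARTIES for d in range(4)]


def share(x: int) -> list:
    """Additive sharing x = x_0 + ... + x_4 mod n (full vector; P_i stores the entries at held(i))."""
    parts = [secrets.randbelow(N) for _ in range(PARTIES - 1)]
    parts.append((x - sum(parts)) % N)
    return parts


def correlated_randomness(seed: bytes, vids: list) -> list:
    """CR(., {vid_k}, seed): alpha_k = F_n(vid_k, seed) - F_n(vid_{k+1}, seed), so sum_k alpha_k = 0."""
    return [(prf(seed, vids[k]) - prf(seed, vids[(k + 1) % PARTIES])) % N for k in range(PARTIES)]


def h(m: int) -> bytes:
    """Hash used only to shrink the third sender's message (assumed: SHA-256)."""
    return hashlib.sha256(m.to_bytes(8, "big")).digest()


def adopt(m_a: int, m_b: int, h_c: bytes) -> int:
    """Comparison and verification: two plain values plus one hash; adopt the value two senders agree on."""
    h_a, h_b = h(m_a), h(m_b)
    if h_a == h_b or h_a == h_c:
        return m_a
    if h_b == h_c:
        return m_b
    raise ValueError("no two senders agree; impossible with at most one dishonest party")


def multiply(x_parts: list, y_parts: list, seeds: list, vid_prefix: str, cheater=None) -> list:
    """Return the sub-shares z_0..z_4 of z = x*y as computed by the honest parties."""
    vids = [f"{vid_prefix}/{k}" for k in range(PARTIES)]
    # alpha[i][k] = alpha_{i,k}: derived from seed_{i+4}, so every party except P_i can compute it
    alpha = [correlated_randomness(seeds[(i + 4) % PARTIES], vids) for i in range(PARTIES)]
    z = {}
    for i in range(PARTIES):            # P_i acts as receiver for its four indices k
        if i == cheater:
            continue                    # the cheater's own bookkeeping is irrelevant to the honest output
        for k in held(i):
            # tmpz_k: everything P_i can compute alone (it holds y_i..y_{i+3} and alpha_{j,k} for j != i)
            tmp = (x_parts[k] * sum(y_parts[j] for j in held(i))
                   + sum(alpha[j][k] for j in range(PARTIES) if j != i)) % N
            # sender group S_k: the three parties other than P_i holding x_k (they all hold y_{i+4})
            senders = [j for j in range(PARTIES) if j != i and k in held(j)]
            msgs = []
            for j in senders:
                m = (alpha[i][k] + x_parts[k] * y_parts[(i + 4) % PARTIES]) % N
                if j == cheater:
                    m = (m + 1) % N     # dishonest sender corrupts its message
                msgs.append(m)
            # two senders transmit the masked value, the third only its hash
            m_k = adopt(msgs[0], msgs[1], h(msgs[2]))
            z_k = (tmp + m_k) % N
            assert z.setdefault(k, z_k) == z_k   # every honest holder of index k obtains the same z_k
    return [z[k] for k in range(PARTIES)]


def reconstruct(parts: list) -> int:
    return sum(parts) % N


def demo(x: int = 123456, y: int = 654321, cheater=3) -> int:
    """Run one multiplication with P_cheater misbehaving (None for all-honest) and reconstruct z."""
    seeds = [secrets.token_bytes(16) for _ in range(PARTIES)]   # seed_i; P_i holds all but seed_{i+4}
    return reconstruct(multiply(share(x), share(y), seeds, "mul-1", cheater))
```

`demo()` returns the reconstructed product; with `cheater=3` the dishonest party's corrupted messages are out-voted by the two honest members of every sender group it belongs to, and the assertion inside `multiply` confirms that all honest holders of an index k end up with the same z_k, which is what lets the protocol continue without halting.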


[Reshare]

The reshare used in the present example embodiment is defined as follows. When the participants P_i, P_{i+1}, and P_{i+2} hold a value c, the reshare is defined deterministically from seeds and identifiers, so these three holders derive the new shares without communicating.

[Equation 8]

$[c] \leftarrow \mathrm{Reshare}\left(P_i, P_{i+1}, P_{i+2}, c, \{\mathrm{vid}_j\}_{j=1}^{4}, \mathrm{seed}_{i+2}, \mathrm{seed}_{i+3}\right)$

$c_i = \begin{cases} c - r_1 - r_2 - r_3 - r_4 - r'_1 - r'_2 - r'_3 - r'_4 & (i = 0) \\ r_i + r'_i & (\text{else}) \end{cases}$

where $c = c_0 + c_1 + c_2 + c_3 + c_4 \bmod n$

Here r_j = F_n(vid_j, seed_{i+2}) and r'_j = F_n(vid_{j+1}, seed_{i+3}), and the seeds seed_i ∈ {0,1}^κ (i=0, 1, 2, 3, 4) are distributed as described in the section [Generation of Pseudo Random Numbers and Sharing of Seeds] above. Thus, the participant P_{i+3} does not know seed_{i+2}, and the participant P_{i+4} does not know seed_{i+3}. That is, P_{i+3} cannot compute c_{i+3} by itself, and P_{i+4} cannot compute c_{i+4} by itself. Therefore, P_{i+3} needs to receive c_{i+3} from the participants P_i, P_{i+1}, and P_{i+2}, and P_{i+4} needs to receive c_{i+4} from P_i, P_{i+1}, and P_{i+2}.


In this step, since a secure computation with communication is performed, the participant P_{i+3} compares the received values c_{i+3}, which are received from the participants P_i, P_{i+1}, and P_{i+2} and which are supposed to be identical, and adopts the value on which at least two of them agree as the accurate value. Similarly, P_{i+4} compares the received values c_{i+4} from P_i, P_{i+1}, and P_{i+2} and adopts the value on which at least two of them agree as the accurate value. Specifically, this step can be performed as follows.


The participants P_i and P_{i+1} send c_{j+1}, c_{j+2}, and c_{j+3} (j = i+3) to the participant P_{i+3} as they are, whereas the participant P_{i+2} sends the hash values of c_{j+1}, c_{j+2}, and c_{j+3} (j = i+3) to that participant. Likewise, the participants P_i and P_{i+1} send c_{j'+1}, c_{j'+2}, and c_{j'+3} (j' = i+4) to the participant P_{i+4} as they are, whereas the participant P_{i+2} sends the hash values of c_{j'+1}, c_{j'+2}, and c_{j'+3} (j' = i+4) to that participant. Next, each of the participants P_{i+3} and P_{i+4} adopts, among the values received from P_i, P_{i+1}, and P_{i+2}, the value on which at least two of them agree as the accurate value.


Next, how the above-described reshare is used in the bit conversion will be described.


[Bit Conversion]

The bit conversion [x] ← BC([x]^B) obtains arithmetic shares [x] on the residue class ring Z_n modulo n from Boolean (logic) shares [x]^B on the residue class ring Z_2 modulo 2. First, the participants P_3, P_4, and P_0 and the participants P_0, P_1, and P_2 compute temporary variables y_0 and y_1 from the sub-shares x_i of the logic share [x]^B as follows; each group of three holds both of the sub-shares it combines.

[Equations 9]

$y_0 = x_0 \oplus x_1$

$y_1 = x_2 \oplus x_3$

Next, the participants P_3, P_4, and P_0 and the participants P_0, P_1, and P_2 reshare the temporary variables y_0 and y_1.

[Equations 10]

$[y_0] \leftarrow \mathrm{Reshare}\left(P_3, P_4, P_0, y_0, \{\mathrm{vid}_{0,k}\}_{k=1}^{4}, \mathrm{seed}_0, \mathrm{seed}_1\right)$

$[y_1] \leftarrow \mathrm{Reshare}\left(P_0, P_1, P_2, y_1, \{\mathrm{vid}_{1,k}\}_{k=1}^{4}, \mathrm{seed}_2, \mathrm{seed}_3\right)$

As described above, since this reshare is a secure computation with communication, each of the participants P_{i+3} and P_{i+4} adopts, among the values received from P_i, P_{i+1}, and P_{i+2}, the value on which at least two of them agree as the accurate value.


In contrast, each participant P_i (i=0, 1, 2, 3, 4) sets [x_4]_i as follows. This process involves no communication, and therefore no verification is needed.

$P_0: \; [x_4]_0 = (0, 0, 0, 0)$

$P_1: \; [x_4]_1 = (0, 0, 0, x_4)$

$P_2: \; [x_4]_2 = (0, 0, x_4, 0)$

$P_3: \; [x_4]_3 = (0, x_4, 0, 0)$

$P_4: \; [x_4]_4 = (x_4, 0, 0, 0)$

Finally, by using the arithmetic shares of the temporary variables y_0 and y_1 and the arithmetic shares [x_4]_i (i=0, 1, 2, 3, 4), each participant P_i (i=0, 1, 2, 3, 4) performs the following secure computation to obtain an arithmetic share from the logic share through the bit conversion (for bits a and b, a ⊕ b = (a − b)^2 over the integers).

[Equations 11]

$[y_1 \oplus x_4] = \left([y_1] - [x_4]\right)^2$

$[x] = [y_1 \oplus x_4 \oplus y_0] = \left([y_1 \oplus x_4] - [y_0]\right)^2$

The above secure computation includes multiplications. Using the building block in [Secure Computation (Multiplication)] above, a secure computation server apparatus compares the received values, which are received from at least three of the secure computation server apparatuses and which are supposed to be identical, and adopts the value on which at least two of them agree as the accurate value. In this way, the secure computation server apparatus verifies the values received in the secure computation with communication.


As described above, in the secure computation system 200 and the secure computation method according to the second example embodiment, a participant receives values, which are received from at least three of the other participants and which are supposed to be identical, and adopts the value on which at least two of them agree as the accurate value. In this way, even if one of the other participants is dishonest, the participant can determine the accurate value. That is, even if there is a dishonest participant, Guaranteed Output Delivery (GOD), which yields an accurate computation result without halting the protocol, is realized.


In addition, although a hash function is used in the above processes, it serves only to reduce the communication amount. Security is not affected even if the hash input could be deduced from its output, so no random-oracle assumption on the hash function is needed. Thus, Guaranteed Output Delivery (GOD) in the standard model is realized.


In addition, in the secure computation system 200 and the secure computation method according to the present example embodiment, because reshare (local reshare) is first performed without communications, and a secure computation with communications is next performed, reduction in communication cost is achieved.


[Shuffle]

First, the following description concerns an example in which, among the participants P_i (i=0, 1, 2, 3, 4), each of the participants P_i (i=1, 2, 3, 4) applies a permutation shared among them to the shares of the participant P_0 on P_0's behalf and sends the permuted shares to P_0.


A permutation σ_0 ∈ S_M shared by the participants P_i (i=1, 2, 3, 4) is constructed as follows. As described above, the participants P_i (i=0, 1, 2, 3, 4) hold the seeds (seed_i, seed_{i+1}, seed_{i+2}, seed_{i+3}); in other words, each participant P_i does not hold the seed seed_{i+4}. Thus, while the participant P_0 does not hold seed_4, the other participants P_i (i=1, 2, 3, 4) do. Accordingly, the permutation σ_0 ∈ S_M shared by the participants P_i (i=1, 2, 3, 4) is constructed from a pseudo random number generated from seed_4. In this way, σ_0 ∈ S_M can be derived by the participants P_i (i=1, 2, 3, 4) but cannot be traced by the participant P_0.


Next, by using the permutation σ_0 ∈ S_M constructed as described above and the pseudo random numbers r_k, each of the participants P_i (i=1, 2, 3, 4) computes P_0's permuted shares on P_0's behalf and sends them to P_0 as follows. Note that, from the way the shares are constructed in the secret sharing, every sub-share held by P_0 is also held by three of the participants P_i (i=1, 2, 3, 4), which is why they can compute P_0's permuted shares.

[Equations 12]

$\{P_2, P_3, P_4\}: \; r_0 + \sigma_0(x_0)$

$\{P_1, P_3, P_4\}: \; r_1 + \sigma_0(x_1)$

$\{P_1, P_2, P_4\}: \; r_2 + \sigma_0(x_2)$

$\{P_1, P_2, P_3\}: \; r_3 + \sigma_0(x_3)$

$x_i = (x_{0,i}, \ldots, x_{M-1,i}) \quad (i = 0, 1, 2, 3)$

$x_j = x_{j,0} + x_{j,1} + x_{j,2} + x_{j,3} + x_{j,4} \bmod L$

$r_i = (r_{i,0}, \ldots, r_{i,j}, \ldots, r_{i,M-1})$

$r_{0,j} + r_{1,j} + r_{2,j} + r_{3,j} + r_{4,j} = 0 \bmod L \quad (j = 0, \ldots, M-1)$

In the above transmission, note that the participants P_2, P_3, and P_4 send the same value to the participant P_0, the participants P_1, P_3, and P_4 send the same value to P_0, the participants P_1, P_2, and P_4 send the same value to P_0, and the participants P_1, P_2, and P_3 send the same value to P_0. Because of this, P_0 can compare the permuted share values received from three participants, which are supposed to be identical, and adopt the value on which at least two of them agree as the accurate permuted share. That is, even if one of the other participants is dishonest, the participants can determine the accurate value, and Guaranteed Output Delivery (GOD), which yields an accurate computation result without halting the protocol, is realized.


In addition, in the above transmission, by using a hash function shared by the participants Pi (i=1, 2, 3, 4) and transmitting the hash value as follows, the communication amount can be reduced. First, one of the three participants converts a value by using the hash function and sends the obtained hash value to the participant P0. The other two participants send the value, not a hash value, to the participant P0 without change. Upon receiving the value, the participant P0 converts the value into a hash value by using the hash function. Next, the participant P0 compares the hash values with each other. If at least two of the hash values match each other, the participant P0 adopts this value as an accurate value.


By performing the above process, a share corresponding to the permutation σ_0 ∈ S_M, which can be computed by the participants P_i (i=1, 2, 3, 4) but not by the participant P_0, is formed as follows. This is referred to as a mini-shuffle.

[Equations 13]

$P_i: \; [\sigma_0(x)]_{L,i} = \left( r_i + \sigma_0(x_i),\; r_{i+1} + \sigma_0(x_{i+1}),\; r_{i+2} + \sigma_0(x_{i+2}),\; r_{i+3} + \sigma_0(x_{i+3}) \right)$

$x_i = (x_{0,i}, \ldots, x_{M-1,i}) \quad (i = 0, 1, 2, 3)$

$x_j = x_{j,0} + x_{j,1} + x_{j,2} + x_{j,3} + x_{j,4} \bmod L$

$r_i = (r_{i,0}, \ldots, r_{i,j}, \ldots, r_{i,M-1})$

$r_{0,j} + r_{1,j} + r_{2,j} + r_{3,j} + r_{4,j} = 0 \bmod L \quad (j = 0, \ldots, M-1)$


In the above construction of mini-shuffles, of all the participants Pi (i=0, 1, 2, 3, 4), each of the participants Pi (i=1, 2, 3, 4) computes the permutation of the participant P0 for the participant P0 by using a permutation shared by the participants Pi (i=1, 2, 3, 4) and sends the computed permutation to the participant P0. However, alternatively, a combination of four participants Pi and one participant P0 may be changed. In this way, five mini-shuffles can be constructed. Each of these five mini-shuffles represents a permutation that is not traceable by one of the participants Pi (i=0, 1, 2, 3, 4).


Thus, by composing all the permutations σ_i ∈ S_M (i=0, 1, 2, 3, 4), each of which is untraceable by one of the participants P_i (i=0, 1, 2, 3, 4), a permutation σ (shuffle) that none of the participants P_i (i=0, 1, 2, 3, 4) can trace is constructed.

[Equation 14]

$\sigma = \sigma_0 \circ \sigma_1 \circ \sigma_2 \circ \sigma_3 \circ \sigma_4$
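The mini-shuffle and the composed shuffle described in the [Shuffle] section above, as an added example that is not part of the patent text: a Python simulation in which each mini-shuffle σ_i and its zero-sum masks r are derived from the one seed that P_i lacks, the masked permuted columns are formed exactly as in Equations 13, and the five mini-shuffles are composed into σ. Assumptions not in the original: the modulus L is the prime 2^31 − 1, the PRF is HMAC-SHA256, each permutation is obtained by seeding a Fisher-Yates shuffle with a PRF output, the majority check on the copies P_i receives is omitted here, and `demo` and the other function names are this example's own.

```python
import hashlib
import hmac
import random
import secrets

L = 2**31 - 1     # assumed modulus L
PARTIES = 5


def held(i: int) -> list:
    """Sub-share indices held by P_i: i, i+1, i+2, i+3 (mod 5)."""
    return [(i + d) % PARTIES for d in range(4)]


def prf(seed: bytes, vid: str) -> int:
    """F(vid, seed) as an element of Z_L (assumed construction: HMAC-SHA256 mod L)."""
    return int.from_bytes(hmac.new(seed, vid.encode(), hashlib.sha256).digest(), "big") % L


def share_vector(xs: list) -> list:
    """Secret-share each element x_j = x_{j,0} + ... + x_{j,4} mod L.
    Returns cols[i] = (x_{0,i}, ..., x_{M-1,i}), the i-th sub-share column of the whole vector."""
    cols = [[0] * len(xs) for _ in range(PARTIES)]
    for j, x in enumerate(xs):
        parts = [secrets.randbelow(L) for _ in range(PARTIES - 1)]
        parts.append((x - sum(parts)) % L)
        for i in range(PARTIES):
            cols[i][j] = parts[i]
    return cols


def permutation_from_seed(seed: bytes, vid: str, m: int) -> list:
    """sigma in S_M: every holder of `seed` derives the same permutation, nobody else can."""
    rng = random.Random(hmac.new(seed, vid.encode(), hashlib.sha256).digest())
    perm = list(range(m))
    rng.shuffle(perm)
    return perm


def apply_perm(perm: list, vec: list) -> list:
    return [vec[perm[j]] for j in range(len(vec))]


def compose(first: list, second: list) -> list:
    """Permutation equivalent to applying `first` and then `second` (apply_perm semantics)."""
    return [first[second[j]] for j in range(len(first))]


def zero_sum_masks(seed: bytes, vid: str, m: int) -> list:
    """r_{i,j} with r_{0,j} + ... + r_{4,j} = 0 mod L for every position j, built with the same
    telescoping trick as the correlated randomness: r_{i,j} = F(vid/i/j) - F(vid/(i+1)/j)."""
    base = [[prf(seed, f"{vid}/{i}/{j}") for j in range(m)] for i in range(PARTIES)]
    return [[(base[i][j] - base[(i + 1) % PARTIES][j]) % L for j in range(m)]
            for i in range(PARTIES)]


def mini_shuffle(cols: list, seeds: list, vid: str, blind: int):
    """One mini-shuffle whose permutation sigma_blind is unknown to P_blind.
    Permutation and masks come from seed_{blind+4}, the one seed P_blind lacks, so the other
    four parties compute every new column locally and P_blind only receives its four masked
    columns (three identical copies each, majority-checked in the protocol). Without the masks
    P_blind could match its old sub-shares against the new ones and read off sigma_blind."""
    m = len(cols[0])
    seed = seeds[(blind + 4) % PARTIES]
    sigma = permutation_from_seed(seed, vid, m)
    r = zero_sum_masks(seed, vid + "/mask", m)
    new_cols = [[(r[i][j] + apply_perm(sigma, cols[i])[j]) % L for j in range(m)]
                for i in range(PARTIES)]
    for i in held(blind):   # each of P_blind's columns is held by exactly three other parties
        assert len([p for p in range(PARTIES) if p != blind and i in held(p)]) == 3
    return new_cols, sigma


def shuffle(cols: list, seeds: list, vid: str):
    """Compose the five mini-shuffles; the resulting sigma is traceable by no single party."""
    sigma = list(range(len(cols[0])))
    for blind in range(PARTIES):
        cols, s = mini_shuffle(cols, seeds, f"{vid}/{blind}", blind)
        sigma = compose(sigma, s)
    return cols, sigma


def reconstruct(cols: list) -> list:
    return [sum(cols[i][j] for i in range(PARTIES)) % L for j in range(len(cols[0]))]


def demo(xs=(11, 22, 33, 44, 55, 66, 77, 88)):
    """Shuffle a constructed sample vector; returns (input, reconstructed output, composed sigma)."""
    seeds = [secrets.token_bytes(16) for _ in range(PARTIES)]   # seed_i; P_i lacks seed_{i+4}
    cols, sigma = shuffle(share_vector(list(xs)), seeds, "shuffle-1")
    return list(xs), reconstruct(cols), sigma
```

The reconstructed output equals the input vector permuted by the composed σ, and every intermediate column stays masked, which is the property the [Shuffle] section uses later to hide the digit at which the discriminant becomes 0.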







[Reconstruction]

The following description assumes a situation in which, to reconstruct x, a participant P_i receives the value x_{i+4} of the sub-share it does not hold from the participants P_{i+1}, P_{i+2}, and P_{i+3}. The participants P_{i+1} and P_{i+2} send the value x_{i+4} to P_i as it is, and the participant P_{i+3} sends a hash value h_{i+3} of x_{i+4} to P_i. Next, P_i computes the hash value of the x_{i+4} received from P_{i+1} as h_{i+1} and the hash value of the x_{i+4} received from P_{i+2} as h_{i+2}.


In this situation, if h_{i+1} = h_{i+2} or h_{i+1} = h_{i+3}, the participant P_i adopts the x_{i+4} received from P_{i+1} as the accurate value. If h_{i+2} = h_{i+3}, P_i adopts the x_{i+4} received from P_{i+2} as the accurate value. By adopting the value on which at least two of the received values agree, P_i can determine the accurate value even if one of the received values is fake. Next, by computing x = x_0 + x_1 + x_2 + x_3 + x_4 mod n with the accurate value x_{i+4}, P_i reconstructs x.


In the reconstruction method described above, a participant receives x_{i+4} (or hash values thereof), which are supposed to be identical, from at least three of the other participants P_j and adopts the value on which at least two of the received values agree as the accurate value. In this way, even when one of the other participants P_j is dishonest, the accurate value can be determined. That is, even if there is a dishonest participant, Guaranteed Output Delivery (GOD), which yields an accurate computation result without halting the protocol, is realized. In addition, a hash function is used in the above processes, but security is not affected even if the hash input could be deduced from its output. Thus, Guaranteed Output Delivery (GOD) in the standard model is realized.


[Magnitude Comparison (Private Compare)]

Next, a secure computation protocol, also referred to as Private Compare, will be described using the building blocks described above. This protocol obtains a share of the result of a magnitude comparison from the input of a share relating to a bit sequence and a cleartext value. That is, the following description concerns a secure computation that obtains a share $[x > r]_2$ of the result of a magnitude comparison from a share [x] that has been bit-decomposed and secret-shared and a value r that is not secret.

[Equations 15]

$\{[x|_{\ell}]_{p,i}\}_{\ell=0,\; i=0}^{k-1,\; 4}$, where $x|_{\ell} \in \{0,1\}$ for $\ell = 0, \ldots, k-1$, held by $\{P_i\}_{i=0}^{4}$, and $r \in \{0,1\}^{k}$

FIG. 6 is a flowchart illustrating a procedure of a protocol for a magnitude comparison (Private Compare). The magnitude comparison (Private Compare) protocol includes a non-zero random number computation step (S21), a random bit computation step (S22), a discriminant computation step (S23), a non-zero random number multiplication step (S24), a shuffle step (S25), and a value conversion step (S26). Hereinafter, the magnitude comparison (Private Compare) protocol will be described step by step.


(Non-zero Random Number Computation Step: S21)

In the non-zero random number computation step (S21), shares [s_ℓ]_p and [s'_ℓ]_p of non-zero random numbers are computed as illustrated in the following equations. This step can be performed offline. Specifically, in steps 2 to 8, each participant P_i deterministically generates non-zero random numbers s_{ℓ,j} and s'_{ℓ,j} from its keys k_j and identifiers. Next, in steps 9 to 13, each participant P_i forms formality shares from the non-zero random numbers s_{ℓ,j} and s'_{ℓ,j}. The formality shares formed in steps 9 to 13 are not actual shares: each s_{ℓ,j} is simply placed in the position of sub-share j, and since every participant holding the key k_j knows s_{ℓ,j}, the participants know the values of their own shares. Thus, in steps 14 to 21, the formality shares are multiplied together so as to compute shares [s_ℓ]_p and [s'_ℓ]_p of non-zero random numbers that none of the participants P_i knows, because every participant lacks at least one of the five factors. The building block in [Secure Computation (Multiplication)] above can be used for these multiplications.












[Equations 16]

 1: (Offline phase)
 2: for ℓ = 0, ..., k − 1 do
 3:   for i = 0, ..., 4 do
 4:     for j = i, ..., i + 3 do
 5:       P_i computes s_{ℓ,j} = F_p(oid_{ℓ,j}, k_j), where s_{ℓ,4+1} = s_{ℓ,0}, oid_{ℓ,4+1} = oid_{ℓ,0} and k_{4+1} = k_0.
 6:       P_i computes s′_{ℓ,j} = F_p(oid′_{ℓ,j}, k_j), where s′_{ℓ,4+1} = s′_{ℓ,0}, oid′_{ℓ,4+1} = oid′_{ℓ,0} and k_{4+1} = k_0.
 7:     end for
 8:   end for
 9:   P_0 sets [s_{ℓ,0}]_{p,0} = (s_{ℓ,0},0,0,0), [s_{ℓ,1}]_{p,0} = (0,s_{ℓ,1},0,0), [s_{ℓ,2}]_{p,0} = (0,0,s_{ℓ,2},0), [s_{ℓ,3}]_{p,0} = (0,0,0,s_{ℓ,3}), [s_{ℓ,4}]_{p,0} = (0,0,0,0), [s′_{ℓ,0}]_{p,0} = (s′_{ℓ,0},0,0,0), [s′_{ℓ,1}]_{p,0} = (0,s′_{ℓ,1},0,0), [s′_{ℓ,2}]_{p,0} = (0,0,s′_{ℓ,2},0), [s′_{ℓ,3}]_{p,0} = (0,0,0,s′_{ℓ,3}), and [s′_{ℓ,4}]_{p,0} = (0,0,0,0).
10:   P_1 sets [s_{ℓ,0}]_{p,1} = (0,0,0,0), [s_{ℓ,1}]_{p,1} = (s_{ℓ,1},0,0,0), [s_{ℓ,2}]_{p,1} = (0,s_{ℓ,2},0,0), [s_{ℓ,3}]_{p,1} = (0,0,s_{ℓ,3},0), [s_{ℓ,4}]_{p,1} = (0,0,0,s_{ℓ,4}), [s′_{ℓ,0}]_{p,1} = (0,0,0,0), [s′_{ℓ,1}]_{p,1} = (s′_{ℓ,1},0,0,0), [s′_{ℓ,2}]_{p,1} = (0,s′_{ℓ,2},0,0), [s′_{ℓ,3}]_{p,1} = (0,0,s′_{ℓ,3},0), and [s′_{ℓ,4}]_{p,1} = (0,0,0,s′_{ℓ,4}).
11:   P_2 sets [s_{ℓ,0}]_{p,2} = (0,0,0,s_{ℓ,0}), [s_{ℓ,1}]_{p,2} = (0,0,0,0), [s_{ℓ,2}]_{p,2} = (s_{ℓ,2},0,0,0), [s_{ℓ,3}]_{p,2} = (0,s_{ℓ,3},0,0), [s_{ℓ,4}]_{p,2} = (0,0,s_{ℓ,4},0), [s′_{ℓ,0}]_{p,2} = (0,0,0,s′_{ℓ,0}), [s′_{ℓ,1}]_{p,2} = (0,0,0,0), [s′_{ℓ,2}]_{p,2} = (s′_{ℓ,2},0,0,0), [s′_{ℓ,3}]_{p,2} = (0,s′_{ℓ,3},0,0), and [s′_{ℓ,4}]_{p,2} = (0,0,s′_{ℓ,4},0).
12:   P_3 sets [s_{ℓ,0}]_{p,3} = (0,0,s_{ℓ,0},0), [s_{ℓ,1}]_{p,3} = (0,0,0,s_{ℓ,1}), [s_{ℓ,2}]_{p,3} = (0,0,0,0), [s_{ℓ,3}]_{p,3} = (s_{ℓ,3},0,0,0), [s_{ℓ,4}]_{p,3} = (0,s_{ℓ,4},0,0), [s′_{ℓ,0}]_{p,3} = (0,0,s′_{ℓ,0},0), [s′_{ℓ,1}]_{p,3} = (0,0,0,s′_{ℓ,1}), [s′_{ℓ,2}]_{p,3} = (0,0,0,0), [s′_{ℓ,3}]_{p,3} = (s′_{ℓ,3},0,0,0), and [s′_{ℓ,4}]_{p,3} = (0,s′_{ℓ,4},0,0).
13:   P_4 sets [s_{ℓ,0}]_{p,4} = (0,s_{ℓ,0},0,0), [s_{ℓ,1}]_{p,4} = (0,0,s_{ℓ,1},0), [s_{ℓ,2}]_{p,4} = (0,0,0,s_{ℓ,2}), [s_{ℓ,3}]_{p,4} = (0,0,0,0), [s_{ℓ,4}]_{p,4} = (s_{ℓ,4},0,0,0), [s′_{ℓ,0}]_{p,4} = (0,s′_{ℓ,0},0,0), [s′_{ℓ,1}]_{p,4} = (0,0,s′_{ℓ,1},0), [s′_{ℓ,2}]_{p,4} = (0,0,0,s′_{ℓ,2}), [s′_{ℓ,3}]_{p,4} = (0,0,0,0), and [s′_{ℓ,4}]_{p,4} = (s′_{ℓ,4},0,0,0).
14:   [s_{ℓ,0} · s_{ℓ,1}]_p ← Mult([s_{ℓ,0}]_p, [s_{ℓ,1}]_p)
15:   [s_{ℓ,3} · s_{ℓ,4}]_p ← Mult([s_{ℓ,3}]_p, [s_{ℓ,4}]_p)
16:   [s_{ℓ,0} · s_{ℓ,1} · s_{ℓ,3} · s_{ℓ,4}]_p ← Mult([s_{ℓ,0} · s_{ℓ,1}]_p, [s_{ℓ,3} · s_{ℓ,4}]_p)
17:   [s_ℓ]_p = [s_{ℓ,0} · s_{ℓ,1} · s_{ℓ,2} · s_{ℓ,3} · s_{ℓ,4}]_p ← Mult([s_{ℓ,0} · s_{ℓ,1} · s_{ℓ,3} · s_{ℓ,4}]_p, [s_{ℓ,2}]_p)
18:   [s′_{ℓ,0} · s′_{ℓ,1}]_p ← Mult([s′_{ℓ,0}]_p, [s′_{ℓ,1}]_p)
19:   [s′_{ℓ,3} · s′_{ℓ,4}]_p ← Mult([s′_{ℓ,3}]_p, [s′_{ℓ,4}]_p)
20:   [s′_{ℓ,0} · s′_{ℓ,1} · s′_{ℓ,3} · s′_{ℓ,4}]_p ← Mult([s′_{ℓ,0} · s′_{ℓ,1}]_p, [s′_{ℓ,3} · s′_{ℓ,4}]_p)
21:   [s′_ℓ]_p = [s′_{ℓ,0} · s′_{ℓ,1} · s′_{ℓ,2} · s′_{ℓ,3} · s′_{ℓ,4}]_p ← Mult([s′_{ℓ,0} · s′_{ℓ,1} · s′_{ℓ,3} · s′_{ℓ,4}]_p, [s′_{ℓ,2}]_p)
22: end for

Here Mult denotes the secure multiplication of the section [Secure Computation (Multiplication)] above; each participant P_i generates s_{ℓ,j} and s′_{ℓ,j} only for the four indices j = i, ..., i+3 whose keys k_j it holds.


(Random Bit Computation Step: S22)

In the random bit computation step (S22), as illustrated in the following Equations, shares [b]_2 and [b]_p of a random bit b are computed. The random bit computation (S22) can be performed offline. Specifically, in step 23 the individual participants Pi generate the share [b]_2 of a random bit by using a pseudo random function and seeds, and in step 24 they compute [b]_p by performing bit conversion on the generated share [b]_2. In this example, the building block in the above-described [Bit Conversion] can be used for the bit conversion that computes [b]_p from [b]_2.












[Equations 17]















23: Parties get the share of random bit [b]_2 by running RBG({P_i}_{i=0}^{4}, {oid_j}_{j=0}^{4}).

24: Parties get the share of random bit on Z_p, [b]_p, by running BitConv(p, [b]_2).








(Discriminant Computation Step: S23)

In the discriminant computation step (S23), as illustrated in the following Equations, the individual participants Pi determine, per bit, whether a first bit sequence [x|l] and a second bit sequence r|l into which a value r of a cleartext is converted match each other and compute a sequence of a discriminant that indicates 0 when the first bit sequence indicates 1 and the second bit sequence indicates 0 at an n-th bit and when the first bit sequence and the second bit sequence match each other at an (n+1)th bit and higher. The discriminant computation step (S23) and its subsequent steps will be performed online.


First, from step 28 to step 30 and from step 31 to step 33, two operations are performed for a case in which a random bit b computed in the random bit computation step (S22) is 0 and for a case in which the random bit b computed in the random bit computation step (S22) is 1. Because the participant Pi does not know whether the random bit b is 0 or 1, the participant Pi computes discriminants [c|l]p and [c′|l]p for a case in which the random bit b is 0 and for a case in which the random bit b is 1, and selects one of the discriminants appropriately later.


If the random bit b is 0, the participant Pi computes a sequence including the discriminant [c|ℓ]_p that indicates 0 when x>r. If the random bit b is 1, the participant Pi computes a sequence including the discriminant [c′|ℓ]_p that indicates 0 when x≤r. However, because it is inconvenient to compute x≤r directly, the participant Pi performs this computation as x<r+1. For this reason, t=r+1 is computed in step 26.












[Equations 18]


















25:
(Online phase)

26:
Let t = r + 1 mod 2^k.

27:
for ℓ = k′ − 1, ..., 0 do

28:
(Case of b = 0)

29:
[w|ℓ]_p = [x|ℓ]_p + r|ℓ − 2 · r|ℓ · [x|ℓ]_p

30:
[c|ℓ]_p = r|ℓ − [x|ℓ]_p + 1 + Σ_{m=ℓ+1}^{k′−1} [w|m]_p

31:
(Case of b = 1)

32:
[w′|ℓ]_p = [x|ℓ]_p + t|ℓ − 2 · t|ℓ · [x|ℓ]_p

33:
[c′|ℓ]_p = [x|ℓ]_p − t|ℓ + 1 + Σ_{m=ℓ+1}^{k′−1} [w′|m]_p

34:
end for








In the above computation, the computation in step 29 is equivalent to an exclusive-or. That is, in step 29, whether the first bit sequence [x|ℓ]_p and the second bit sequence r|ℓ match each other is computed at each bit. Next, r|ℓ − [x|ℓ]_p + 1 in step 30 is a term that indicates 0 when the first bit sequence indicates 1 and the second bit sequence indicates 0 at the ℓth bit, and the sum Σ is a term that indicates 0 when the first bit sequence [x|ℓ]_p and the second bit sequence r|ℓ match each other at the (ℓ+1)th bit and higher. Hence [c|ℓ]_p is 0 exactly at the most significant bit at which x and r differ, and only if x has 1 and r has 0 there, that is, only if x>r. In steps 32 and 33 the equivalent computation is performed for x<t=r+1 with the roles of the two sequences exchanged: the term [x|ℓ]_p − t|ℓ + 1 indicates 0 when the first bit sequence indicates 0 and t indicates 1 at the ℓth bit. Because each per-bit term takes a value in {0, 1, 2} and the sum has at most k′−1 terms, no discriminant can become 0 modulo p by accident as long as p exceeds k′+1.


(Non-zero Random Number Multiplication Step: S24)

In the non-zero random number multiplication step (S24), as illustrated in the following Equations, the individual participant Pi multiplies the discriminants [c|ℓ]_p and [c′|ℓ]_p by the shares [s_ℓ]_p and [s′_ℓ]_p of the non-zero random numbers, respectively, so as to conceal the values of the entries in which the discriminants do not indicate 0. Since the product of a non-zero entry and a uniformly random non-zero element of Z_p is again non-zero and uniformly distributed, only the positions of the 0 entries survive the multiplication. The building block in the above-described [Secure Computation (Multiplication)] can be used for the multiplications.












[Equations 19]

















35: [s_ℓ · c|ℓ]_p ← mult([s_ℓ]_p, [c|ℓ]_p) for ℓ = 0, ..., k′ − 1

36: [s′_ℓ · c′|ℓ]_p ← mult([s′_ℓ]_p, [c′|ℓ]_p) for ℓ = 0, ..., k′ − 1








(Shuffle Step: S25)

In the shuffle step (S25), as illustrated in the following Equations, the individual participant Pi shuffles the sequences [s_ℓ · c|ℓ]_p and [s′_ℓ · c′|ℓ]_p obtained by multiplying the discriminants [c|ℓ]_p and [c′|ℓ]_p by the shares [s_ℓ]_p and [s′_ℓ]_p of the non-zero random numbers, so as to conceal information about the digit of the bit for which the discriminant indicates 0. Without the shuffle, the position of the 0 in the reconstructed sequence would reveal the most significant bit at which x and r differ. The building block in the above-described [Shuffle] can be used for the shuffles.












[Equations 20]















37: Parties get {[d|ℓ]_p}_{ℓ=0}^{k′−1} by running RShuffle({[s_ℓ · c|ℓ]_p}_{ℓ=0}^{k′−1}).

38: Parties get {[d′|ℓ]_p}_{ℓ=0}^{k′−1} by running RShuffle({[s′_ℓ · c′|ℓ]_p}_{ℓ=0}^{k′−1}).








(Value Conversion Step: S26)

Although the discriminants [d|l]p and [d′|l]p obtained as described above include information about whether x>r, this does not indicate the share [x>r]2 of the result of the magnitude comparison. Thus, as illustrated in the following Equations, the individual participant Pi performs a computation for deriving the share [x>r]2 of the result of the magnitude comparison from the discriminants [d|l]p and [d′|l]p.












[Equations 21]
















39:
for ℓ = k′ − 1, ..., 0 do

40:
[d″|ℓ]_p = (1 − [b]_p) · [d|ℓ]_p + [b]_p · [d′|ℓ]_p

41:
P0 reconstructs d″|ℓ by running Reconstruction({P1, P2, P3}, {[d″|ℓ]_{p,1}, [d″|ℓ]_{p,2}, [d″|ℓ]_{p,3}}, P0, [d″|ℓ]_{p,0}).

42:
P1 reconstructs d″|ℓ by running Reconstruction({P2, P3, P4}, {[d″|ℓ]_{p,2}, [d″|ℓ]_{p,3}, [d″|ℓ]_{p,4}}, P1, [d″|ℓ]_{p,1}).

43:
P2 reconstructs d″|ℓ by running Reconstruction({P3, P4, P0}, {[d″|ℓ]_{p,3}, [d″|ℓ]_{p,4}, [d″|ℓ]_{p,0}}, P2, [d″|ℓ]_{p,2}).

44:
end for

45:
P0, P1, and P2 run Reshare({P0, P1, P2}, 2, b′) and distribute [b′]_2, where b′ = 1 if there exists ℓ ∈ {0, ..., k′ − 1} such that d″|ℓ = 0, and b′ = 0 otherwise.

46:
return [(x > r)]_2 = [b′]_2 ⊕ [b]_2.








First, in step 40, depending on whether b is 0 or 1, the appropriate one of the values [d|ℓ]_p and [d′|ℓ]_p is selected. Next, from step 41 to step 43, the selected discriminant [d″|ℓ]_p is reconstructed for the participants P0, P1, and P2. The building block in the above-described [Reconstruction] can be used for the reconstruction.


Next, in step 45, the participants P0, P1, and P2 reshare b′=1 if the reconstructed sequence d″|ℓ contains an entry for which d″|ℓ=0, and reshare b′=0 otherwise. The building block in the above-described [Reshare] can be used for the resharing. Because every non-zero discriminant was multiplied by a non-zero random number and the sequence was shuffled, the reconstructed values tell P0, P1, and P2 nothing beyond whether a 0 is present.


Finally, by computing an exclusive-or on [b′]2 and [b]2 in step 46, the share [x>r]2 of the result of the magnitude comparison can be obtained.


As described above, it is possible to obtain the share [x>r]_2 of the result of the magnitude comparison from the input of the share [x] on which bit decomposition and secret sharing have been performed and the value r which has not been made secret. Each of the building blocks used above achieves Guaranteed Output Delivery (GOD) in the standard model. Thus, a magnitude comparison secure computation in which a secure computation is performed by combining these building blocks also achieves Guaranteed Output Delivery (GOD) in the standard model.
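The following is an added example, not part of the patent text, that simulates steps S23 to S26 in the clear in Python: every value that the protocol keeps secret-shared over Z_p is handled as a plain integer, so the example shows the arithmetic of the discriminants, the masking by non-zero random numbers and the shuffle, but not the secret sharing, the five-party communication or the comparison and verification of received values. The prime P = 67, the bit width k and all function names are assumptions of the example. It also exercises the case r = 2^k − 1, where t = r + 1 wraps to 0 and the b = 1 branch gives a wrong answer; this is the case the carry-up correction of the third example embodiment avoids by not using the comparison when (a + r)|k−2,...,0 = 2^{k−1} − 1.

```python
import secrets

P = 67  # assumption: a small prime for Z_p; it must exceed k + 1 (see discriminants)


def bits(v, k):
    """Bit sequence v|0, ..., v|k-1 of a k-bit value, least significant bit first."""
    return [(v >> i) & 1 for i in range(k)]


def discriminants(x_bits, y_bits, k, case_b):
    """Steps 29/30 (case_b = 0) or 32/33 (case_b = 1), computed in the clear over Z_p.

    Returns c|0, ..., c|k-1.  An entry is 0 exactly at the most significant bit
    where x and y differ, and only if that bit is 1 in x and 0 in y (case 0,
    i.e. x > y) or 0 in x and 1 in y (case 1, i.e. x < y)."""
    w = [(xb + yb - 2 * xb * yb) % P for xb, yb in zip(x_bits, y_bits)]  # XOR per bit
    c = []
    for l in range(k):
        higher = sum(w[l + 1:]) % P                      # 0 iff all bits above l match
        if case_b == 0:
            term = (y_bits[l] - x_bits[l] + 1) % P       # step 30: 0 iff x|l = 1, y|l = 0
        else:
            term = (x_bits[l] - y_bits[l] + 1) % P       # step 33: 0 iff x|l = 0, y|l = 1
        # term is in {0, 1, 2} and higher is at most k - 1, so with P > k + 1
        # the sum cannot wrap around to 0 by accident.
        c.append((term + higher) % P)
    return c


def mask_and_shuffle(c):
    """Steps S24 and S25: multiply every entry by a fresh non-zero s_l in Z_p and
    permute the sequence, so that only "is some entry 0" survives."""
    masked = [(ci * (1 + secrets.randbelow(P - 1))) % P for ci in c]
    out = []
    while masked:
        out.append(masked.pop(secrets.randbelow(len(masked))))
    return out


def private_compare(x, r, k, b):
    """(x > r) for k-bit x and r, following steps 26 to 46 with random bit b.
    In the protocol x is secret-shared bit by bit, r is public and b is unknown
    to the parties; the result does not depend on b."""
    if b == 0:
        c = discriminants(bits(x, k), bits(r, k), k, 0)   # 0 somewhere iff x > r
    else:
        t = (r + 1) % (1 << k)                             # step 26
        c = discriminants(bits(x, k), bits(t, k), k, 1)   # 0 somewhere iff x < r + 1
    d = mask_and_shuffle(c)
    b_prime = 1 if 0 in d else 0                           # step 45
    return bool(b_prime ^ b)                               # step 46


def check_all(k=4):
    """Exhaustive check against the plain comparison for both values of b,
    leaving out r = 2^k - 1 (see wraparound_gives_wrong_answer)."""
    return all(private_compare(x, r, k, b) == (x > r)
               for x in range(1 << k) for r in range((1 << k) - 1) for b in (0, 1))


def wraparound_gives_wrong_answer(k=4):
    """With r = 2^k - 1 and b = 1, t = r + 1 wraps to 0, no discriminant is 0,
    and step 46 reports x > r for every x although that is impossible.  This is
    the case the carry-up correction (step 16 of the MSB protocol) side-steps by
    not using the comparison when (a + r)|k-2,...,0 = 2^(k-1) - 1."""
    r = (1 << k) - 1
    return all(private_compare(x, r, k, 1) for x in range(1 << k))
```

The shuffle and the multiplication by non-zero randoms do not change whether a 0 is present, which is all that step 45 reads; the rest of the reconstructed sequence is uniformly random in Z_p \ {0}.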


Third Example Embodiment

Next, a secure computation system and a secure computation server apparatus according to a third example embodiment will be described with reference to FIGS. 7 and 8. The third example embodiment is an example embodiment obtained by applying the first example embodiment or the second example embodiment to a most significant bit extraction protocol. Most significant bit extraction is a protocol for computing, from a value (share) dispersedly held by the individual secure computation server apparatuses, the most significant bit of the value while maintaining the secret state.



FIG. 7 is a block diagram illustrating a functional configuration example of the secure computation system according to the third example embodiment. As illustrated in FIG. 7, a secure computation system 300 according to the third example embodiment includes a first secure computation server apparatus 300_0, a second secure computation server apparatus 300_1, a third secure computation server apparatus 300_2, a fourth secure computation server apparatus 300_3, and a fifth secure computation server apparatus 300_4. The first secure computation server apparatus 300_0, the second secure computation server apparatus 300_1, the third secure computation server apparatus 300_2, the fourth secure computation server apparatus 300_3, and the fifth secure computation server apparatus 300_4 are connected to each other via a network such that these apparatuses can communicate with each other.


In the secure computation system 300 including the first to fifth secure computation server apparatuses 300_i (i=0, 1, 2, 3, 4), it is possible to compute target shares from a value inputted to any one of the first to fifth secure computation server apparatuses 300_i (i=0, 1, 2, 3, 4) while keeping the input value and the values acquired in the computation processes secret, and it is possible to dispersedly store the computation results in the first to fifth secure computation server apparatuses 300_i (i=0, 1, 2, 3, 4).


In addition, in the secure computation system 300 including the first to fifth secure computation server apparatuses 300_i (i=0, 1, 2, 3, 4), even when one of the first to fifth secure computation server apparatuses 300_i (i=0, 1, 2, 3, 4) is operated by a dishonest person, it is possible to continue an accurate secure computation without stopping the processes.



FIG. 8 is a block diagram illustrating a functional configuration example of a secure computation server apparatus according to the third example embodiment. As illustrated in FIG. 8, in the secure computation system 300 according to the present example embodiment, each of the first to fifth secure computation server apparatuses 300_i (i=0, 1, 2, 3, 4) includes a random number generation part 301_i, a magnitude comparison part 302_i, a carry-up correction part 303_i, and a most significant bit computation part 304_i.


The random number generation part 301_i generates a random number for masking an input value, and the magnitude comparison part 302_i performs a magnitude comparison between a value obtained by removing the most significant bit from the input value masked by the random number and a value obtained by removing the most significant bit from the random number. The carry-up correction part 303_i corrects, based on the result of the magnitude comparison, the computation of the value obtained by removing the most significant bit from the input value, and the most significant bit computation part 304_i computes the most significant bit of the input value by subtracting the corrected value obtained by removing the most significant bit from the input value from the input value.


With the most significant bit extraction protocol, information obtained by masking the input value by a random number needs to be sent, received, and processed. However, when a random number is added to an input value, the most significant bit could be carried up. To solve this, in the secure computation system 300 according to the present example embodiment, since each of the first to fifth secure computation server apparatuses 300_i (i=0, 1, 2, 3, 4) includes the random number generation part 301_i, the magnitude comparison part 302_i, the carry-up correction part 303_i, and the most significant bit computation part 304_i, the carry-up of the most significant bit, which could occur when the random number is added to the input value, can be corrected.



FIG. 9 is a flowchart illustrating a procedure of a protocol for extraction of the most significant bit. This most significant bit extraction protocol includes a random number generation step (S31), a magnitude comparison step (S32), a carry-up correction step (S33), and a most significant bit computation step (S34). Hereinafter, the most significant bit extraction protocol will be described step by step. The input and output of the most significant bit extraction protocol will be represented as follows.










[Equations 22]

Input: [a]_{2^k} s.t. a ∈ Z_{2^k}, where a = Σ_{j=0}^{k−1} 2^j · a|j

Output: [msb(a)]_2 (= [a|k−1]_2)

(Random Number Generation Step: S31)

In the random number generation step (S31), as illustrated in the following Equations, a share of a random number used as a mask is computed. The random number generation step (S31) can be performed offline. The individual participants Pi deterministically generate a random number by using seeds as input and perform bit decomposition on the generated random number, so as to create a bit-sequence share of the random number. In addition, the most significant bit of the random number r will be denoted as msb(r).












[Equations 23]
















 1:
(Offline phase)

 2:
for ℓ = 0, ..., k − 1 do

 3:
 Parties get the share of random bit [r|ℓ]_2 by running RBG({P_i}_{i=0}^{4}, {oid_{ℓ,j}}_{j=0}^{4}).

 4:
end for

 5:
for j = 0, ..., k − 1 do

 6:
 [r|j]_{2^k} ← BitConv(2^k, [r|j]_2)

 7:
 [r|j]_p ← BitConv(p, [r|j]_2)

 8:
end for

 9:
[r|k−2,...,0]_{2^k} = Σ_{j=0}^{k−2} 2^j · [r|j]_{2^k}

10:
[2^{k−1} · msb(r)]_{2^k} = 2^{k−1} · [r|k−1]_{2^k}








(Magnitude Comparison Step: S32)

In the magnitude comparison step (S32), as illustrated in the following Equations, a magnitude comparison is performed between a value obtained by removing the most significant bit from the input value masked by the random number and a value obtained by removing the most significant bit from the random number. The magnitude comparison step (S32) and its subsequent steps will be performed online. Multiplying by 2 in step 13 shifts the most significant bit of a + r|k−2,...,0 out of the ring Z_{2^k}, so the value reconstructed in step 14 reveals only the lower k−1 bits (a + r)|k−2,...,0, which are masked by the uniformly random r|k−2,...,0. In addition, in the magnitude comparison performed in the following step 15, the [magnitude comparison (Private Compare)] protocol described in the first example embodiment and the second example embodiment can be used as a building block, with the shared bits of r as the first bit sequence and the public value (a + r)|k−2,...,0 as the cleartext.












[Equations 24]
















11:
(Online phase)

12:
[a + (r|k−2,...,0)]_{2^k} = [a]_{2^k} + [r|k−2,...,0]_{2^k}

13:
[2 · ((a + r)|k−2,...,0)]_{2^k} = 2 · [a + (r|k−2,...,0)]_{2^k}

14:
Parties reconstruct 2 · ((a + r)|k−2,...,0) by running Reconstruction({P_i}_{i=0}^{4}, {[2 · ((a + r)|k−2,...,0)]_{2^k,i}}_{i=0}^{4}).

15:
[r|k−2,...,0 > (a + r)|k−2,...,0] ← RPC(k − 1, {P_i}_{i=0}^{4}, {[r|ℓ]_{p,i}}_{ℓ=0,i=0}^{k−2,4}, (a + r)|k−2,...,0)








(Carry-up Correction Step: S33)

In the carry-up correction step (S33), as illustrated in the following Equations, based on the result of the magnitude comparison step (S32), the computation of the value obtained by removing the most significant bit from the input value is corrected. The sum a|k−2,...,0 + r|k−2,...,0 carries into the most significant bit exactly when the public value (a + r)|k−2,...,0 is smaller than r|k−2,...,0, so in that case 2^{k−1} is added back after subtracting the mask. When (a + r)|k−2,...,0 = 2^{k−1} − 1 no carry can have occurred, because the two (k−1)-bit addends sum to at most 2^k − 2, so the comparison result is not used in that case. In this way, the carry-up of the most significant bit, which could occur when the input value is masked by the random number, can be corrected.












[Equations 25]
















16:
If (a + r)|k−2,...,0 ≠ 2^{k−1} − 1, Parties compute [a|k−2,...,0]_{2^k} = [(a + r)|k−2,...,0]_{2^k} − [r|k−2,...,0]_{2^k} + 2^{k−1} · [r|k−2,...,0 > (a + r)|k−2,...,0]_{2^k}.

If (a + r)|k−2,...,0 = 2^{k−1} − 1, Parties compute [a|k−2,...,0]_{2^k} = [(a + r)|k−2,...,0]_{2^k} − [r|k−2,...,0]_{2^k}.









(Most Significant Bit Computation Step: S34)

Finally, in the most significant bit computation step (S34), as illustrated in the following Equations, an exclusive-or on the most significant bit msb(r) of the random number r and the most significant bit msb(a) of an input value a is reconstructed, and the most significant bit msb(r) of the random number r as a mask is removed. In the reconstruction performed in this step 20, the above-described [Reconstruction] protocol can be used as a building block.












[Equations 26]
















17:
[2^{k−1} · msb(a)]_{2^k} = [2^{k−1} · a|k−1]_{2^k} = [a]_{2^k} − [a|k−2,...,0]_{2^k}

18:
[2^{k−1} · (msb(a) ⊕ msb(r))]_{2^k} = [2^{k−1} · msb(a)]_{2^k} + [2^{k−1} · msb(r)]_{2^k} = 2^{k−1} · [a|k−1]_{2^k} + 2^{k−1} · [r|k−1]_{2^k}

19:
for i = 0, ..., 3 do

20:
 P_i gets 2^{k−1} · (msb(a) ⊕ msb(r)) by running Reconstruction({P_{i+1}, P_{i+2}, P_{i+3}}, {[2^{k−1} · (msb(a) ⊕ msb(r))]_{2^k,i+1}, [2^{k−1} · (msb(a) ⊕ msb(r))]_{2^k,i+2}, [2^{k−1} · (msb(a) ⊕ msb(r))]_{2^k,i+3}}, P_i, [2^{k−1} · (msb(a) ⊕ msb(r))]_{2^k,i}) (party indices taken mod 5).

21:
end for

22:
P0 sets [msb(a) ⊕ msb(r)]_{2,0} = (msb(a) ⊕ msb(r), 0, 0, 0).

23:
P1 sets [msb(a) ⊕ msb(r)]_{2,1} = (0, msb(a) ⊕ msb(r), 0, 0).

24:
P2 sets [msb(a) ⊕ msb(r)]_{2,2} = (0, 0, msb(a) ⊕ msb(r), 0).

25:
P3 sets [msb(a) ⊕ msb(r)]_{2,3} = (0, 0, 0, msb(a) ⊕ msb(r)).

26:
P4 sets [msb(a) ⊕ msb(r)]_{2,4} = (0, 0, 0, 0).

27:
[msb(a)]_2 = [msb(a) ⊕ msb(r)]_2 ⊕ [r|k−1]_2

28:
return [msb(a)]_2








As described above, it is possible to realize the most significant bit extraction protocol for computing, from a value held in a secret sharing manner, the most significant bit of the value while maintaining the secret state. Each building block used above, such as the magnitude comparison (Private Compare), achieves Guaranteed Output Delivery (GOD) in the standard model. Thus, a most significant bit extraction secure computation in which a secure computation is performed by combining these building blocks also achieves Guaranteed Output Delivery (GOD) in the standard
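An added example, not from the patent, that runs steps 12 to 27 of the third example embodiment in the clear in Python on concrete k-bit values. The magnitude comparison of step 15 is replaced by a plain comparison (in the protocol it is the Private Compare building block run on the shared bits of r), and all shared values are handled as plain integers, so the secret sharing and the five-party reconstructions are not modelled. Function names, the bit width k and the sample values are assumptions of the example. Besides checking the extracted bit against msb(a) for every a and r, including the no-carry case (a + r)|k−2,...,0 = 2^{k−1} − 1, it collects the two values that are actually made public (step 14 and step 20) and shows that, taken over all masks r, they are distributed identically for every a.

```python
import secrets


def low(v, k):
    """v|k-2,...,0: a k-bit value with its most significant bit removed."""
    return v & ((1 << (k - 1)) - 1)


def msb(v, k):
    """v|k-1: the most significant bit of a k-bit value."""
    return (v >> (k - 1)) & 1


def run_msb_protocol(a, r, k):
    """Steps 12 to 27 for k-bit input a and k-bit mask r, all in the clear.
    Returns the extracted bit and the two values the protocol makes public."""
    mod, half = 1 << k, 1 << (k - 1)
    r_low = low(r, k)
    masked = (a + r_low) % mod                      # step 12
    public_low = (2 * masked) % mod                 # steps 13/14: doubling drops msb(a + r_low)
    ar_low = public_low >> 1                        # (a + r)|k-2,...,0, now known to every party
    if ar_low != half - 1:                          # step 16, general case
        carry = int(r_low > ar_low)                 # step 15 (Private Compare in the protocol)
        a_low = (ar_low - r_low + half * carry) % mod
    else:                                           # step 16: a_low + r_low <= 2^k - 2, no carry possible
        a_low = (ar_low - r_low) % mod
    top_a = (a - a_low) % mod                       # step 17: 2^(k-1) * msb(a)
    public_top = (top_a + half * msb(r, k)) % mod   # step 18: 2^(k-1) * (msb(a) xor msb(r))
    public_bit = public_top >> (k - 1)              # step 20: reconstructed by P0..P3
    return {"msb": public_bit ^ msb(r, k),          # step 27: strip the mask bit
            "public_low": public_low, "public_bit": public_bit}


def extract_msb(a, r, k):
    return run_msb_protocol(a, r, k)["msb"]


def extract_msb_random_mask(a, k):
    """Step S31 picks r uniformly at random; the result does not depend on it."""
    return extract_msb(a, secrets.randbelow(1 << k), k)


def check_all_msb(k=4):
    """Exhaustive check, covering the no-carry edge case ar_low = 2^(k-1) - 1."""
    return all(extract_msb(a, r, k) == msb(a, k)
               for a in range(1 << k) for r in range(1 << k))


def public_view(a, k):
    """The multiset of (public_low, public_bit) pairs seen over all masks r.
    It is the same for every a, i.e. the published values leak nothing about a."""
    return sorted((v["public_low"], v["public_bit"])
                  for v in (run_msb_protocol(a, r, k) for r in range(1 << k)))
```

In the real protocol only `public_low` and `public_bit` are ever opened; everything else stays shared, and the carry correction in step 16 is what makes `a_low`, and hence `top_a`, come out right even when adding the mask overflowed the lower k−1 bits.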


[Hardware Configuration Example]


FIG. 10 is a diagram illustrating a hardware configuration example of a secure computation server apparatus. That is, the hardware configuration example illustrated in FIG. 10 is a hardware configuration example of any one of the secure computation server apparatuses 100_i, 200_i, and 300_i (i=0, 1, 2, 3, 4). An information processing apparatus (a computer) that adopts the hardware configuration illustrated in FIG. 10 can realize the individual functions of any one of the secure computation server apparatuses 100_i, 200_i, and 300_i (i=0, 1, 2, 3, 4) by executing the corresponding one of the above secure computation methods as a program.


The hardware configuration example illustrated in FIG. 10 is an example of the hardware configuration that realizes the individual functions of any one of the secure computation server apparatuses 100_i, 200_i, and 300_i (i=0, 1, 2, 3, 4), and does not limit the hardware configuration of any one of the secure computation server apparatuses 100_i, 200_i, and 300_i (i=0, 1, 2, 3, 4). The secure computation server apparatuses 100_i, 200_i, and 300_i (i=0, 1, 2, 3, 4) may include hardware not illustrated in FIG. 10.


As illustrated in FIG. 10, a hardware configuration 10 that can be adopted by any one of the secure computation server apparatuses 100_i, 200_i, and 300_i (i=0, 1, 2, 3, 4) includes, for example, a CPU (Central Processing Unit) 11, a main storage device 12, an auxiliary storage device 13, and an IF (Interface) part 14, which are connected to each other via an internal bus.


The CPU 11 executes various commands included in the secure computation program executed by the corresponding one of the secure computation server apparatuses 100_i, 200_i, and 300_i (i=0, 1, 2, 3, 4). The main storage device 12 is, for example, a RAM (Random Access Memory) and temporarily stores various kinds of programs such as the secure computation program executed by the corresponding one of the secure computation server apparatuses 100_i, 200_i, and 300_i (i=0, 1, 2, 3, 4) so that the CPU 11 can execute the programs.


The auxiliary storage device 13 is, for example, an HDD (Hard Disk Drive) and can store, in the mid-to-long term, various kinds of programs such as the secure computation program executed by the corresponding one of the secure computation server apparatuses 100_i, 200_i, and 300_i (i=0, 1, 2, 3, 4). These various kinds of programs such as the secure computation program can be recorded in a non-transitory computer-readable storage medium and can be provided as a program product. The auxiliary storage device 13 can be used to store, in the mid-to-long term, various kinds of programs such as the secure computation program recorded in a non-transitory computer-readable storage medium. The IF part 14 provides an interface regarding the input and output among the corresponding secure computation server apparatuses 100_i, 200_i, or 300_i (i=0, 1, 2, 3, 4).


An information processing apparatus that adopts the hardware configuration 10 as described above realizes the functions of any one of the secure computation server apparatuses 100_i, 200_i, and 300_i (i=0, 1, 2, 3, 4) by executing the corresponding one of the above-described secure computation methods as a program.


The above example embodiments can partially or entirely be described, but not limited to, as the following notes.


[Note 1]

A secure computation system, which includes five secure computation server apparatuses connected to each other via a network and obtains a share of a result of a magnitude comparison from input of a share relating to a first bit sequence and a value of a cleartext, an individual one of the secure computation server apparatuses including: a discriminant computation part that determines, per bit, whether the first bit sequence and a second bit sequence into which the value of the cleartext is converted match each other and that computes a sequence of a discriminant that indicates 0 when the first bit sequence indicates 1 and the second bit sequence indicates 0 at an n-th bit and when the first bit sequence and the second bit sequence match each other at an (n+1)th bit and higher;

    • a shuffle part that shuffles the sequence of the discriminant to conceal information about the digit of the bit for which the discriminant indicates 0; and
    • a comparison and verification part that compares, in a communication performed in the shuffling of the discriminant, values received from at least three of the five secure computation server apparatuses that are supposed to be the same value, and adopts, as an accurate value, a value on which at least two of the received values agree.


[Note 2]

The secure computation system according to note 1;

    • wherein the shuffle part computes, by using a permutation shared by four of the five secure computation server apparatuses, a permutation of a share for a remaining one of the five secure computation server apparatuses, so as to construct a mini-shuffle, and synthesizes mini-shuffles regarding five combinations of four secure computation server apparatuses selected from the five secure computation server apparatuses; and
    • wherein the comparison and verification part compares permutations of the shares received from at least three of the four secure computation server apparatuses that are supposed to be the same value, and adopts, as an accurate permutation, a permutation on which at least two of the received permutations agree.


[Note 3]

The secure computation system according to note 1 or 2; wherein, by multiplying the discriminant by a non-zero random number, a value(s) in a sequence for which the discriminant does not indicate 0 is concealed.


[Note 4]

The secure computation system according to any one of notes 1 to 3; wherein the first bit sequence is a value obtained by removing a most significant bit from an input value masked by a random number; wherein the second bit sequence is a value obtained by removing a most significant bit from a random number; and

    • wherein, based on a result of a magnitude comparison between the first bit sequence and the second bit sequence, the computation of the value obtained by removing the most significant bit from the input value is corrected, and the most significant bit of the input value is computed by subtracting the corrected value obtained by removing the most significant bit from the input value from the input value.


[Note 5]

A secure computation server apparatus, which is one of five secure computation server apparatuses connected to each other via a network, to obtain a share of a result of a magnitude comparison from input of a share relating to a first bit sequence and a value of a cleartext, the secure computation server apparatus including:

    • a discriminant computation part that determines, per bit, whether the first bit sequence and a second bit sequence into which the value of the cleartext is converted match each other and that computes a sequence of a discriminant that indicates 0 when the first bit sequence indicates 1 and the second bit sequence indicates 0 at an n-th bit and when the first bit sequence and the second bit sequence match each other at an (n+1)th bit and higher;
    • a shuffle part that shuffles the sequence of the discriminant to conceal information about the digit of the bit for which the discriminant indicates 0; and
    • a comparison and verification part that compares, in a communication performed in the shuffling of the discriminant, values received from at least three of the five secure computation server apparatuses that are supposed to be the same value, and adopts, as an accurate value, a value on which at least two of the received values agree.


[Note 6]

A secure computation method, which obtains a share of a result of a magnitude comparison from input of a share relating to a first bit sequence and a value of a cleartext by using five secure computation server apparatuses connected to each other via a network, an individual one of the secure computation server apparatuses performing: determining, per bit, whether the first bit sequence and a second bit sequence into which the value of the cleartext is converted match each other;

    • computing a sequence of a discriminant that indicates 0 when the first bit sequence indicates 1 and the second bit sequence indicates 0 at an n-th bit and when the first bit sequence and the second bit sequence match each other at an (n+1)th bit and higher;
    • shuffling the sequence of the discriminant to conceal information about the digit of the bit for which the discriminant indicates 0; and
    • comparing and verifying, in a communication performed in the shuffling of the discriminant, values received from at least three of the five secure computation server apparatuses that are supposed to be the same value, and adopting, as an accurate value, a value on which at least two of the received values agree.


[Note 7]

The secure computation method according to note 6;

    • wherein, in the shuffling, by using a permutation shared by four of the five secure computation server apparatuses, a permutation of a share for a remaining one of the five secure computation server apparatuses is computed, so as to construct a mini-shuffle, and mini-shuffles regarding five combinations of four secure computation server apparatuses selected from the five secure computation server apparatuses are synthesized; and
    • wherein, in the comparing and verifying, permutations of the shares received from at least three of the four secure computation server apparatuses that are supposed to be the same value are compared with each other, and a permutation on which at least two of the received permutations agree is adopted as an accurate permutation.


[Note 8]

The secure computation method according to note 6 or 7; wherein, by multiplying the discriminant by a non-zero random number, a value(s) in a sequence for which the discriminant does not indicate 0 is concealed.


[Note 9]

The secure computation method according to any one of notes 6 to 8; wherein the first bit sequence is a value obtained by removing a most significant bit from an input value masked by a random number; wherein the second bit sequence is a value obtained by removing a most significant bit from a random number; and

    • wherein, based on a result of a magnitude comparison between the first bit sequence and the second bit sequence, the computation of the value obtained by removing the most significant bit from the input value is corrected, and the most significant bit of the input value is computed by subtracting the corrected value obtained by removing the most significant bit from the input value from the input value.


[Note 10]

A secure computation program, causing five secure computation server apparatuses connected to each other via a network to perform a secure computation, to obtain a share of a result of a magnitude comparison from input of a share relating to a first bit sequence and a value of a cleartext, the secure computation program including:

    • determining, per bit, whether the first bit sequence and a second bit sequence into which the value of the cleartext is converted match each other;
    • computing a sequence of a discriminant that indicates 0 when the first bit sequence indicates 1 and the second bit sequence indicates 0 at an n-th bit and when the first bit sequence and the second bit sequence match each other at an (n+1)th bit and higher;
    • shuffling the sequence of the discriminant to conceal information about the digit of the bit for which the discriminant indicates 0; and
    • comparing and verifying, in a communication performed in the shuffling of the discriminant, values with each other, which are received from at least three of the five secure computation server apparatuses and which are supposed to be a same value, and adopting the received values that are same at least two received values as an accurate value.
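The discriminant, concealment, shuffle, majority-adoption and most-significant-bit steps recited in notes 6 to 9 (and restated in the claims), as an added illustration that is not part of the patent. It runs in the clear on one machine, with no secret sharing and no network, so the share/cleartext distinction appears only in the comments; all function names and the modulus P are my own.

```python
import random

# Constructed prime modulus for the masked discriminant values (not from the patent).
P = 2**61 - 1

def bits(x, width):
    """Bits of x as a list, index n holding bit n (bit 0 is the least significant)."""
    return [(x >> n) & 1 for n in range(width)]

def discriminant_sequence(a, b, width):
    """d[n] is 0 exactly when a_n = 1, b_n = 0 and all bits above n agree.
    d[n] = (1 - a_n) + b_n + sum_{k>n} (a_k XOR b_k).  With b public, a_k XOR b_k
    equals a_k + b_k - 2*a_k*b_k, which is linear in a_k, so the same formula
    can be evaluated on shares of a without interaction between the servers.
    """
    ab, bb = bits(a, width), bits(b, width)
    seq = []
    for n in range(width):
        higher_mismatch = sum(ab[k] ^ bb[k] for k in range(n + 1, width))
        seq.append((1 - ab[n]) + bb[n] + higher_mismatch)
    return seq

def conceal_and_shuffle(seq, rng):
    """Note 8 plus the shuffle part: a non-zero random factor hides every non-zero
    entry (only 'zero or not' survives), and the shuffle hides the digit position."""
    masked = [(v * rng.randrange(1, P)) % P for v in seq]
    rng.shuffle(masked)
    return masked

def greater_than(a, b, width, rng=random):
    """a > b iff the concealed, shuffled discriminant sequence contains a 0."""
    return 0 in conceal_and_shuffle(discriminant_sequence(a, b, width), rng)

def adopt_majority(received):
    """Comparison and verification part: the values received from at least three
    servers are supposed to be equal; adopt the one at least two of them sent."""
    for v in received:
        if received.count(v) >= 2:
            return v
    raise ValueError("no two received values agree: a server sent a wrong value")

def most_significant_bit(x, r, width):
    """Note 9: recover the MSB of x from c = x + r (opened, public) and r (secret)."""
    ring, low = 2**width, width - 1
    c = (x + r) % ring
    c_low, r_low = c % 2**low, r % 2**low      # both values with their MSB removed
    x_low = (c_low - r_low) % ring             # lower bits of x, computed in the ring
    if greater_than(r_low, c_low, low):        # a borrow occurred in the lower bits
        x_low = (x_low + 2**low) % ring        # carry-up correction
    return ((x - x_low) % ring) >> low         # x minus its lower bits is MSB * 2^low
```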


The disclosure of the above NPL is incorporated herein by reference thereto. Modifications and adjustments of the example embodiments or examples are possible within the scope of the overall disclosure (including the claims) of the present invention and based on the basic technical concept of the present invention. Various combinations or selections (including partial deletion) of various disclosed elements (including the elements in each of the claims, example embodiments, examples, drawings, etc.) are possible within the scope of the disclosure of the present invention. That is, the present invention of course includes various variations and modifications that could be made by those skilled in the art according to the overall disclosure including the claims and the technical concept. The description discloses numerical value ranges. However, even if the description does not particularly disclose arbitrary numerical values or small ranges included in the ranges, these values and ranges should be deemed to have been specifically disclosed. In addition, as needed and based on the gist of the present invention, partial or entire use of the individual disclosed matters in the above literature that has been referred to in combination with what is disclosed in the present application should be deemed to be included in what is disclosed in the present application, as a part of the disclosure of the present invention.


REFERENCE SIGNS LIST

    • 100, 200, 300 secure computation system
    • 100_i, 200_i, 300_i secure computation server apparatus
    • 101_i, 201_i discriminant computation part
    • 102_i, 202_i shuffle part
    • 103_i, 203_i comparison and verification part
    • 301_i random number generation part
    • 302_i magnitude comparison part
    • 303_i carry-up correction part
    • 304_i most significant bit computation part
    • 10 hardware configuration
    • 11 CPU (Central Processing Unit)
    • 12 main storage device
    • 13 auxiliary storage device
    • 14 IF (Interface) part


Claims
  • 1. A secure computation system, which includes five secure computation server apparatuses connected to each other via a network and obtains a share of a result of a magnitude comparison from input of a share relating to a first bit sequence and a value of a cleartext, an individual one of the secure computation server apparatuses comprising: a discriminant computation part that determines, per bit, whether the first bit sequence and a second bit sequence into which the value of the cleartext is converted match each other and that computes a sequence of a discriminant that indicates 0 when the first bit sequence indicates 1 and the second bit sequence indicates 0 at an n-th bit and when the first bit sequence and the second bit sequence match each other at an (n+1)th bit and higher; a shuffle part that shuffles the sequence of the discriminant to conceal information about the digit of the bit for which the discriminant indicates 0; and a comparison and verification part that compares, in a communication performed in the shuffling of the discriminant, values with each other, which are received from at least three of the five secure computation server apparatuses and which are supposed to be a same value, and adopts the received values that are same at least two received values as an accurate value.
  • 2. The secure computation system according to claim 1; wherein the shuffle part computes, by using a permutation shared by four of the five secure computation server apparatuses, a permutation of a share for a remaining one of the five secure computation server apparatuses, so as to construct a mini-shuffle, and synthesizes mini-shuffles regarding five combinations of four secure computation server apparatuses selected from the five secure computation server apparatuses; and wherein the comparison and verification part compares permutations of the shares, which are received from at least three of the four secure computation server apparatuses and which are supposed to be a same value, and adopts the received permutations that are same at least two received permutations as an accurate permutation.
  • 3. The secure computation system according to claim 1; wherein, by multiplying the discriminant by a non-zero random number, a value(s) in a sequence for which the discriminant does not indicate 0 is concealed.
  • 4. The secure computation system according to claim 1; wherein the first bit sequence is a value obtained by removing a most significant bit from an input value masked by a random number; wherein the second bit sequence is a value obtained by removing a most significant bit from a random number; and wherein, based on a result of a magnitude comparison between the first bit sequence and the second bit sequence, the computation of the value obtained by removing the most significant bit from the input value is corrected, and the most significant bit of the input value is computed by subtracting the corrected value obtained by removing the most significant bit from the input value from the input value.
  • 5. A secure computation server apparatus, which is one of five secure computation server apparatuses connected to each other via a network, to obtain a share of a result of a magnitude comparison from input of a share relating to a first bit sequence and a value of a cleartext, the secure computation server apparatus including: a discriminant computation part that determines, per bit, whether the first bit sequence and a second bit sequence into which the value of the cleartext is converted match each other and that computes a sequence of a discriminant that indicates 0 when the first bit sequence indicates 1 and the second bit sequence indicates 0 at an n-th bit and when the first bit sequence and the second bit sequence match each other at an (n+1)th bit and higher; a shuffle part that shuffles the sequence of the discriminant to conceal information about the digit of the bit for which the discriminant indicates 0; and a comparison and verification part that compares, in a communication performed in the shuffling of the discriminant, values with each other, which are received from at least three of the five secure computation server apparatuses and which are supposed to be a same value, and adopts the received values that are same at least two received values as an accurate value.
  • 6. A secure computation method, which obtains a share of a result of a magnitude comparison from input of a share relating to a first bit sequence and a value of a cleartext by using five secure computation server apparatuses connected to each other via a network, an individual one of the secure computation server apparatuses performing: determining, per bit, whether the first bit sequence and a second bit sequence into which the value of the cleartext is converted match each other; computing a sequence of a discriminant that indicates 0 when the first bit sequence indicates 1 and the second bit sequence indicates 0 at an n-th bit and when the first bit sequence and the second bit sequence match each other at an (n+1)th bit and higher; shuffling the sequence of the discriminant to conceal information about the digit of the bit for which the discriminant indicates 0; and comparing and verifying, in a communication performed in the shuffling of the discriminant, values with each other, which are received from at least three of the five secure computation server apparatuses and which are supposed to be a same value, and adopting the received values that are same at least two received values as an accurate value.
  • 7. The secure computation method according to claim 6; wherein, in the shuffling, by using a permutation shared by four of the five secure computation server apparatuses, a permutation of a share for a remaining one of the five secure computation server apparatuses is computed, so as to construct a mini-shuffle, and mini-shuffles regarding five combinations of four secure computation server apparatuses selected from the five secure computation server apparatuses are synthesized; and wherein, in the comparing and verifying, permutations of the shares, which are received from at least three of the four secure computation server apparatuses and which are supposed to be a same value, are compared with each other, and the received permutations that are same at least two received permutations are adopted as an accurate permutation.
  • 8. The secure computation method according to claim 6; wherein, by multiplying the discriminant by a non-zero random number, a value(s) in a sequence for which the discriminant does not indicate 0 is concealed.
  • 9. The secure computation method according to claim 6; wherein the first bit sequence is a value obtained by removing a most significant bit from an input value masked by a random number; wherein the second bit sequence is a value obtained by removing a most significant bit from a random number; and wherein, based on a result of a magnitude comparison between the first bit sequence and the second bit sequence, the computation of the value obtained by removing the most significant bit from the input value is corrected, and the most significant bit of the input value is computed by subtracting the corrected value obtained by removing the most significant bit from the input value from the input value.
  • 10. A non-transient computer readable medium storing a secure computation program, causing five secure computation server apparatuses connected to each other via a network to perform a secure computation, to obtain a share of a result of a magnitude comparison from input of a share relating to a first bit sequence and a value of a cleartext, the secure computation program including: determining, per bit, whether the first bit sequence and a second bit sequence into which the value of the cleartext is converted match each other; computing a sequence of a discriminant that indicates 0 when the first bit sequence indicates 1 and the second bit sequence indicates 0 at an n-th bit and when the first bit sequence and the second bit sequence match each other at an (n+1)th bit and higher; shuffling the sequence of the discriminant to conceal information about the digit of the bit for which the discriminant indicates 0; and comparing and verifying, in a communication performed in the shuffling of the discriminant, values with each other, which are received from at least three of the five secure computation server apparatuses and which are supposed to be a same value, and adopting the received values that are same at least two received values as an accurate value.
  • 11. The secure computation server apparatus according to claim 5; wherein the shuffle part computes, by using a permutation shared by four of the five secure computation server apparatuses, a permutation of a share for a remaining one of the five secure computation server apparatuses, so as to construct a mini-shuffle, and synthesizes mini-shuffles regarding five combinations of four secure computation server apparatuses selected from the five secure computation server apparatuses; and wherein the comparison and verification part compares permutations of the shares, which are received from at least three of the four secure computation server apparatuses and which are supposed to be a same value, and adopts the received permutations that are same at least two received permutations as an accurate permutation.
  • 12. The secure computation server apparatus according to claim 5; wherein, by multiplying the discriminant by a non-zero random number, a value(s) in a sequence for which the discriminant does not indicate 0 is concealed.
  • 13. The secure computation server apparatus according to claim 5; wherein the first bit sequence is a value obtained by removing a most significant bit from an input value masked by a random number; wherein the second bit sequence is a value obtained by removing a most significant bit from a random number; and wherein, based on a result of a magnitude comparison between the first bit sequence and the second bit sequence, the computation of the value obtained by removing the most significant bit from the input value is corrected, and the most significant bit of the input value is computed by subtracting the corrected value obtained by removing the most significant bit from the input value from the input value.
  • 14. The non-transient computer readable medium storing a secure computation program according to claim 10; wherein, in the shuffling, by using a permutation shared by four of the five secure computation server apparatuses, a permutation of a share for a remaining one of the five secure computation server apparatuses is computed, so as to construct a mini-shuffle, and mini-shuffles regarding five combinations of four secure computation server apparatuses selected from the five secure computation server apparatuses are synthesized; and wherein, in the comparing and verifying, permutations of the shares, which are received from at least three of the four secure computation server apparatuses and which are supposed to be a same value, are compared with each other, and the received permutations that are same at least two received permutations are adopted as an accurate permutation.
  • 15. The non-transient computer readable medium storing a secure computation program according to claim 10; wherein, by multiplying the discriminant by a non-zero random number, a value(s) in a sequence for which the discriminant does not indicate 0 is concealed.
  • 16. The non-transient computer readable medium storing a secure computation program according to claim 10; wherein the first bit sequence is a value obtained by removing a most significant bit from an input value masked by a random number; wherein the second bit sequence is a value obtained by removing a most significant bit from a random number; and wherein, based on a result of a magnitude comparison between the first bit sequence and the second bit sequence, the computation of the value obtained by removing the most significant bit from the input value is corrected, and the most significant bit of the input value is computed by subtracting the corrected value obtained by removing the most significant bit from the input value from the input value.
PCT Information
Filing Document Filing Date Country Kind
PCT/JP2021/002598 1/26/2021 WO