SECURE CONJUGATE GRADIENT METHOD COMPUTATION METHOD, SECURE CONJUGATE GRADIENT METHOD COMPUTATION SYSTEM, SECURE COMPUTATION APPARATUS, AND PROGRAM

TECHNICAL FIELD

The present invention relates to a secure computation technology, and more particularly, to a technology for securely computing a conjugate gradient method.

BACKGROUND ART

A conjugate gradient method is an algorithm for solving a simultaneous linear equation with symmetric positive definite matrices as coefficients. The conjugate gradient method is a technique of directly calculating A⁻¹b^→ without calculating an inverse matrix A⁻¹of a symmetric positive definite matrix A when the symmetric positive definite matrix A and a vector b^→ are given. The conjugate gradient method is often used in machine learning and the like.

When machine learning is performed by secure computation, it is necessary to calculate a conjugate gradient method efficiently. Patent literature 1 discloses a technology for efficiently calculating a conjugate gradient method by secure computation.

PRIOR ART LITERATURE
Patent Literature

Patent literature 1: International Publication No. 2020/246018

SUMMARY OF THE INVENTION
Problems to be Solved by the Invention

The prior art described in Patent literature 1 is a technology for efficiently calculating a conjugate gradient method for a set of a symmetric positive definite matrix and a vector. Therefore, it is necessary to calculate the conjugate gradient method N times in order to apply the conjugate gradient method for N sets of symmetric positive definite matrices and vectors using the prior art described in Patent Literature 1, and processing time increases at O (N).

In view of the above technical problems, an object of the present invention is to efficiently calculate a conjugate gradient method for a plurality of sets of symmetric positive definite matrices and vectors.

Means to Solve the Problems

A secure conjugate gradient method computation method for receiving a secret value of a multi-dimensional matrix A˜ consisting of N symmetric positive definite matrices A₁, A₂, . . . , A_Nand a secret value of a matrix B consisting of N vectors b^→₁, . . . , b^→_Nand outputting a secret value of a matrix X consisting of A₁⁻¹b^→₁, . . . , A_N⁻¹b^→_N, the secure conjugate gradient method computation method being executed by a secure conjugate gradient method computation system including a plurality of secure computation apparatuses, wherein ⋅^Trepresents a transpose of a matrix ⋅, diag (⋅) represents a function for outputting diagonal elements of the matrix ⋅, n represents a predetermined natural number, and 0ⁿrepresents a vector having a length of n with all elements being 0, an initialization unit of each secure computation apparatus securely computes the following formulas to generate a secret value of the matrix X, a secret value of a matrix R=(r^→₁, . . . , r^→_N), a secret value of a matrix P=(p^→₁, . . . , p^→_N)), and a secret value of a vector γ^→

$\begin{matrix} X \leftarrow (0^{n}, 0^{n}, \dots, 0^{n}) R, P \leftarrow B \vec{γ} \leftarrow diag (R^{T} R), & [Math . 1] \end{matrix}$

- a first calculation unit of each secure computation apparatus securely computes the following formula so that communication required for matrix calculation is collectively performed once for integer i equal to or greater than 1 or equal to or smaller than N, to generate a secret value of a vector α^→=(α₁, . . . , α_N)

$\begin{matrix} α_{i} \leftarrow \frac{{\vec{r}}_{i}^{T} \vec{p} i}{{\vec{p}}_{i}^{T} A_{i} {\vec{p}}_{i}}, & [Math . 2] \end{matrix}$

- a second calculation unit of each secure computation apparatus securely computes the following formula to update the secret value of the matrix X

$\begin{matrix} X \leftarrow X + {\vec{α}}^{T} P, & [Math . 3] \end{matrix}$

- a third calculation unit of each secure computation apparatus securely computes the following formula so that the communication required for the matrix calculation is collectively performed once for integer i equal to or greater than 1 or equal to or smaller than N, to update a secret value of the matrix R

$\begin{matrix} {\vec{r}}_{i} \leftarrow {\vec{r}}_{i} - α_{i} A_{i} {\vec{p}}_{i}, & [Math . 4] \end{matrix}$

- a fourth calculation unit of each secure computation apparatus securely computes the following formula while converting multiplication of N values into element-wise multiplication one vector to generate a secret value of the vector B^→

$\begin{matrix} \vec{β} \leftarrow diag (R^{T} R) / \vec{γ}, & [Math . 5] \end{matrix}$

- a fifth calculation unit of each secure computation apparatus securely computes the following formula to update the secret value of the matrix P

$\begin{matrix} P \leftarrow R + {\vec{β}}^{T} P, & [Math . 6] \end{matrix}$

- and
- a sixth calculation unit of each secure computation apparatus securely computes the following formula while converting multiplication of N values into element-wise multiplication one vector, to update the secret value of the vector γ^→

$\begin{matrix} \vec{γ} \leftarrow diag (R^{T} R) . & [Math . 7] \end{matrix}$

Effects of the Invention

According to the present invention, the conjugate gradient method computation for a plurality of sets of symmetric positive definite matrices and vectors can be a single computation, which is efficient.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram illustrating a functional configuration of a secure conjugate gradient method computation system.

FIG. 2 is a diagram illustrating a functional configuration of a secure computation apparatus.

FIG. 3 is a diagram illustrating a processing procedure of a secure conjugate gradient method computation method.

FIG. 4 is a diagram illustrating a functional configuration of a computer.

DETAILED DESCRIPTION OF THE EMBODIMENTS

First, notation and definitions of terms in the present description will be described.

Notation

Symbols “^→” (upper right arrow) and “˜” (tilde) used in sentences would normally be placed directly above the immediately preceding letters, but are placed immediately after the letters due to restrictions of text expression. In formulas, these symbols are in their normal positions thereof, that is, directly above the letters. For example, “a^→” and “C˜” are represented as follows in formulas.

$\begin{matrix} \vec{a}, \tilde{C} & [Math . 8] \end{matrix}$

- A letter with “^→” (upper right arrow) represents a vector. For example, a vector consisting of N values a₁, a₂, . . . , a_nis expressed as a^→=(a₁, a₂, . . . , a_n). A vector element number is indicated by a subscript. For example, an i-th element of the vector a^→ is denoted as a_i.

When there is a vector represented by a lowercase letter, the corresponding capital letter represents a matrix consisting of a plurality of vectors. For example, a matrix consisting of N vectors b^→₁, b^→₂, . . . , b^→_Nis expressed as B=(b^→₁, b^→₂, . . . , b^→_N).

The vector element number is represented by a subscript, but when the subscript representing the vector number is added to a vector, the subscripts shall be separated by a comma, and the vector number and the vector element number are described together. For example, a j-th element of an i-th vector b^→₁is denoted as b^→_i,j.

A capital letter with “˜” (tilde) represents a multi-dimensional matrix. For example, a multi-dimensional matrix with N matrices C₁, C₂, . . . , C_Nis denoted as C˜=(C₁, C₂, . . . , C_N).

[⋅] represents a secret text obtained by encrypting the value “⋅”. When the encryption is performed by secret sharing, this is called a “share.”

α→β represents conversion from α to β.

α←β represents substituting β into α.

⋅^T(superscript T) represents a transpose of the matrix “⋅”.

α^→Tβ^→ represents an inner product of a vector α^→ and a vector β^→.

Secure Computation

There is a method called secure computation as a method of obtaining a specific calculation result without restoring encrypted numerical values (see Reference 1, for example). In the method described in Reference 1, encryption for distributing fragments of the numerical values to three secure computation apparatuses is performed, and the three secure computation apparatuses perform cooperative calculation, making it possible to keep the result of addition and subtraction, constant addition, multiplication, constant multiple, a logical operation (negative, logical product, logical sum, or exclusive logical sum), and data format conversion (integer or binary) distributed to the three secure computation apparatuses without restoring the numerical values, that is, to keep the results remain encrypted.

[Reference 1] Koji Chida et al., “A Three-Party Secure Function Evaluation with Lightweight Verifiability Revisited,” Computer Security Symposium 2010, 2010.

Conventional Conjugate Gradient Method

An algorithm of the conventional conjugate gradient method (Algorithm 1) is shown below. This algorithm receives the symmetric positive definite matrix A, the vector b^→, and a threshold value δ, and outputs a calculation result of A⁻¹b^→. When the conjugate gradient method is performed by secure computation, all values “⋅” handled in the algorithm only need to be replaced with share [⋅].

TABLE 1

Algorithm 1: Conventional conjugate gradient method

Input: A, {right arrow over (b)}, δ

Output: A⁻¹{right arrow over (b)} ← {right arrow over (x)}

1. {right arrow over (x)} ← 0ⁿ

2. {right arrow over (r)}, {right arrow over (p)} ← {right arrow over (b)}

3. R ← {right arrow over (r)}^T{right arrow over (r)}

While R > δ do

4. α \leftarrow \frac{{\vec{r}}^{T} \vec{p}}{{\vec{p}}^{T} A \vec{p}}

5. {right arrow over (x)} ← {right arrow over (x)} + α{right arrow over (p)}

6. {right arrow over (r)} ← {right arrow over (r)} − αA{right arrow over (p)}

7. β \leftarrow \frac{R}{R}

8. {right arrow over (p)} ← {right arrow over (r)} + β{right arrow over (p)}

9. R ← {right arrow over (r)}^T{right arrow over (r)}

end

Here, 0ⁿrepresents a vector having a length of n with all elements being zero.

Proposed Conjugate Gradient Method

An algorithm of the conjugate gradient method proposed by the present invention (algorithm 2) will be shown hereinafter. This algorithm receives a multi-dimensional matrix A˜=(A₁, A₂, . . . , A_N) consisting of N symmetric positive definite matrices A₁, A₂, . . . , A_N, a matrix B=(b^→₁, b^→₂, . . . , b^→_N) consisting of N vectors b^→₁, b^→₂, . . . , b^→_N, and the number of iterations δ, and outputs a matrix X=(x^→₁, x^→₂, . . . , x^→_N) consisting of N vectors x^→₁, x^→₂, . . . , x^→_N(where x^→₁=A₁⁻¹b^→_i, i=1, . . . , N).

TABLE 2

Algorithm 2: Proposed conjugate gradient method

Input: Ã = (A₁, . . . , A_N), B = ({right arrow over (b)}₁, . . . , {right arrow over (b)}_N), δ

Output: X = (A₁⁻¹{right arrow over (b)}₁, . . . , A_N⁻¹{right arrow over (b)}_N)

1. X ← (0ⁿ, 0ⁿ, . . . , 0ⁿ)

2. R, P ← B

3. {right arrow over (γ)} ← diag(R^TR)

for j = 1, . . . , δ do

4. operate (α_{i} \leftarrow \frac{{\vec{r}}_{i}^{T} {\vec{p}}_{i}}{{\vec{p}}_{i}^{T} A {\vec{p}}_{i}}, i \in {1, \dots, N}) collectively

5. X ← X + {right arrow over (α)}^TP

6. operate ({right arrow over (r)}_i← {right arrow over (r)}_i− α_iA_i{right arrow over (p)}_i, i ∈ {1, . . . , N}) collectively

7. \vec{β} \leftarrow \frac{diag (R^{T} R)}{\vec{γ}}

8. P ← R + {right arrow over (β)}^TP

9. {right arrow over (γ)} ← diag (R^TR)

end

Here, diag (⋅) is a function that outputs the diagonal elements of a matrix “⋅”.

Element technologies 1 and 2 below are used to calculate algorithm 2. Element technology 1 is a method of collectively calculating an inner product of a plurality of vectors. Element technology 2 is a method of collectively calculating a plurality of vectors and matrices. Element technology 1 is used to calculate steps 3, 7, and 9 of algorithm 2. Element technology 2 is used to calculate steps 4 and 6 of algorithm 2.

Element Technology 1: Method of Collectively Calculating Inner Product of Vectors

Element technology 1 is a technique for calculating e^→←C⁷D=(c^→₁⁷d^→₁, c^→₂⁷d^→₂, . . . , c^→_N⁷d^→_N) when a matrix C=(c^→₁, c^→₂, . . . , c^→_N) and a matrix D=(d^→₁, d^→₂, . . . , d^→_N) are given. All of the respective vectors (c^→₁, c^→₂, . . . , c^→_N) and (d^→₁, d^→₂, . . . , d^→_N) included in the matrices C and D have a length n. Here, n is a predetermined natural number.

First, the vectors that are the elements of the matrix C and the matrix D are concatenated to generate concatenated vectors c^→ and d^→.

C=(c^→₁, c^→₂, . . . , c^→_N)→c^→=(c_1,1, c_1,2, . . . , c_1,n, c_2,1, c_2,2, . . . , c_2,n, . . . , c_N,1, c_N,2, . . . , c_N,n)

D=(d^→₁, d^→₂, . . . , d^→_N)→d^→=(d_1,1, d_1,2, . . . , d_1,n, d_2,1, d_2,2, . . . , d_2,n, . . . , d_N,1, d_N,2, . . . , d_N,n)

Next, the matrix C and the matrix D are multiplied element by element to generate an element product vector g^→.

g^→←c^→×d^→=(c_1,1×d_1,1, c_1,2×d_1,2, . . . , c_1,n×d_1,n, c_2,1×d_2,1, c_2,2×d_2,2, . . . , c_2,n×d_2,n, . . . , c_N,1×d_N,1, c_N,2×d_N,2, . . . , c_N,n×d_N,n)

Finally, the elements of the element product vector g^→ are divided into n pieces and the n elements are summed to generate a resultant vector e^→.

e^→←(sum(c_1,1×d_1,1, c_1,2×d_1,2, . . . , c_1,n×d_1,n), sum(c_2,1×d_2,1, c_2,2×d_2,2, . . . , c_2,n×d_2,n), . . . , sum(c_N,1×d_N,1, c_N,2×d_N,2, . . . , c_N,n×d_N,n))

In the conventional method, N times of multiplication of values are required to calculate an inner product of N vector pairs. Using element technology 1, an inner product of N vector pairs can be calculated by a single element-wise multiplication. In secure computation, both the multiplication of values and the element-wise multiplication of vectors require one communication. Therefore, when the multiplication of N values is converted into element-wise multiplication of vectors having N elements, the number of communications can be reduced to 1/N. In the secure computation, particularly, the multiplication requires a large amount of communication. Reducing the number of multiplications can greatly speed up processing.

Element Technology 2: Method for Collectively Calculating Vector and Matrix

Element technology 2 is a technique for calculating F←(c^→₁^TD₁, c^→₂^TD₂, . . . , c^→_N^TD_N) when a matrix C=(c^→₁, c^→₂, . . . , c^→_N) and multi-dimensional matrices D˜=(D₁, D₂, . . . , D_N) are given.

When matrix calculation is performed by secure computation, local operation consisting of multiplication and addition is performed on share, and then a result of the local operation is communicated between parties. Therefore, when N matrix calculations are performed in the conventional way, it is necessary to perform N communications. If local operations required for each of the N matrix calculations are first collectively performed, and then the communication required for each matrix calculation is collectively performed once, it is possible to perform N matrix calculations in one communication. Since communication becomes a bottleneck in secure computation, reducing the number of communications can speed up processing.

Hereinafter, embodiments of the present invention will be described in detail. In the drawings, constituent units having the same function are denoted by the same reference signs, and repeated description is omitted.

Embodiments

A configuration example of a secure conjugate gradient method computation system according to the embodiment will be described with reference to FIG. 1. The secure conjugate gradient method computation system 100 includes, for example, K (≥2) secure computation apparatuses 1₁, . . . , 1_K, as illustrated in FIG. 1. In the present embodiment, the secure computation apparatuses 1₁, . . . , 1_K, are connected to a communication network 9. The communication network 9 is a circuit-switched or packet-switched communication network configured so that connected apparatuses can communicate with each other and, for example, the Internet, a local area network (LAN), or a wide area network (WAN) can be used. Each apparatus does not necessarily need to be able to communicate online via the communication network 9. For example, a configuration in which information to be input to the secure computation apparatuses 1₁, . . . , 1_K, is stored in a portable recording medium such as a magnetic tape or a USB memory, and is input offline from the portable recording medium to the secure computation apparatuses 1₁, . . . , 1_K, may be adopted.

A configuration example of a secure computation apparatus 1_k(k=1, . . . , K) included in the secure conjugate gradient method computation system 100 of the embodiment will be described with reference to FIG. 2. The secure computation apparatus 1_kincludes, for example, an input unit 11, an initialization unit 12, a first calculation unit 13, a second calculation unit 14, a third calculation unit 15, a fourth calculation unit 16, a fifth calculation unit 17, a sixth calculation unit 18, an iteration control unit 19, and an output unit 20, as illustrated in FIG. 2. This secure computation apparatus 1_k(k=1, . . . , K) cooperates with another secure computation apparatus 1_k′(k′=1, . . . , K, where k≠k′) to perform processing of each step illustrated in FIG. 3, so that the secure conjugate gradient method computation method of the present embodiment is realized.

The secure computation apparatus is, for example, a special device configured by a special program being loaded into a known or dedicated computer including a central processing unit (CPU), a main storage (RAM: Random Access Memory), and the like. The secure computation apparatus, for example, executes each processing under control of the central processing unit. Data input to the secure computation apparatus or data obtained in each processing is stored in, for example, the main storage, and the data stored in the main storage is loaded onto the central processing unit as necessary and used for other processing. At least a part of each processing unit of the secure computation apparatus may be configured by hardware such as an integrated circuit.

A processing procedure of the secure conjugate gradient method computation method executed by the secure conjugate gradient method computation system 100 of the embodiment will be described with reference to FIG. 3. In formulas in the following description, brackets ([]) representing secret values are omitted in order to simplify expressions, but all values, vectors, and matrices are assumed to be made secret.

In step S11, a secret value [A˜] of the multi-dimensional matrix A˜=(A₁, A₂, . . . , A_N) consisting of the N symmetric positive definite matrices A₁, A₂, . . . , A_N, a secret value [B] of a matrix B=(b^→₁, b^→₂, . . . , b^→_N) consisting of N vectors b^→₁, b^→₂, . . . , b^→_N, and a secret value [δ] of the number of iterations δ are input to the input unit 11 of each secure computation apparatus 1_k. The number of iterations o may be set in consideration of the accuracy of a calculation result and a processing speed, but it is known that the number of iterations δ only needs to be set to about 10 in the conjugate gradient method. The secret value [A^˜] of the multi-dimensional matrix A^˜ is output to the first calculation unit 13. The secret value [B] of the matrix B is output to the initialization unit 13. A secret value [δ] of the number of iterations δ is output to the iteration control unit 19.

In step S12, the initializing unit 12 of each secure computation apparatus 1_ksecurely computes Formula (1), (2), and (3) to generate a secret value [X] of a matrix X=(x^→₁, . . . , x^→_N) consisting of N vectors x^→₁, . . . , x^→_N, a secret value [R] of a matrix R=(r^→₁, . . . , r^→_N) consisting of N vectors r^→₁, . . . , r^→_N, a secret value [P] of a matrix P=(p^→₁, . . . , p^→_N) consisting of N vectors p^→₁, . . . , p^→_N, and a secret value [γ^→] of a vector γ^→. The respective vectors (x^→₁, . . . x^→_N), (r^→₁, . . . , r^→_N), and (p^→₁, . . . , p^→_N) included in the matrices X, R, and P, and vector γ^→ have a length n. Further, the initialization unit 12 initializes the index j of the iteration to j=1. The generated secret value [X] of the matrix X is output to the second calculation device 14. The generated secret values [R] and [P] of the matrices R and P are output to the first calculation unit 13. The generated secret value [γ^→] of the vector γ^→ is output to the fourth calculation unit 16.

$\begin{matrix} [Math . 9] &  \\ X \leftarrow (0^{n}, 0^{n}, \dots, 0^{n}) & (1) \end{matrix}$

$\begin{matrix} R, P \leftarrow B & (2) \end{matrix}$

$\begin{matrix} \vec{γ} \leftarrow diag (R^{T} R) & (3) \end{matrix}$

The initialization unit 12 securely computes R^TR of Formula (3) while converting N multiplications into element-wise multiplication of one vector using the element technology 1. That is, when R^TR of Formula (3) is calculated, the following procedure is executed. First, the vectors r^→₁, r^→₂, . . . , r^→_Nincluded in the matrix R are concatenated to generate a concatenated vector r^→=(r_1,1, . . . , r_1,n, r_2,1, . . . , r_2,n, . . . , r_N,1, . . . , r_N,n). Next, the two concatenated vectors r^→ are multiplied element by element to generate an element product vector g^→←r^→×r^→=(r_1,1×r_1,1, . . . , r_1,n×r_1,n, r_2,1×r_2,1, . . . , r_2,n×r_2,n, . . . , r_N,1×r_N,1, . . . , r_N,n×r_N,n). Finally, the elements of the element product vector g^→ are divided into n pieces, and the n elements are summed to generate a resultant vector e^→←(sum(r_1,1×r_1,1, . . . , r_1,n×r_1,n), sum(r_2,1×r_2,1, . . . , r_2,n×r_2,n), . . . , sum(r_N,1×r_N,1, . . . , r_N,n×r_N,n)).

In step S13, the first calculation unit 13 of each secure computation apparatus 1_ksecurely computes Formula (4), where integer i is equal to or greater than 1 and equal to or smaller than N, collectively to generate the secret value [α^→] of the vector α^→=(α₁, . . . , α_N). The generated secret value [α^→] of the vector α^→ is output to the second calculation unit 14.

$\begin{matrix} [Math . 10] &  \\ α_{i} \leftarrow \frac{{\vec{r}}_{i}^{T} {\vec{p}}_{i}}{{\vec{p}}_{i}^{T} A_{i} {\vec{p}}_{i}} & (4) \end{matrix}$

The first calculation unit 13 securely computes p^→_i^TA_ip^→_iin Formula (4) so that communication required for N matrix calculations is collectively performed once by using the element technology 2. That is, local operations necessary for each of p^→_i^TA_ip^→_iare collectively performed first, and then the communication required for each of p^→_i^TA_ip^→_iis collectively performed once.

In step S14, the second calculation unit 14 of each secure computation apparatus 1_kupdates the secret value [X] of the matrix X by securely computing Formula (5). The updated secret value [X] of the matrix X is output to the output unit 20.

$\begin{matrix} [Math . 11] &  \\ X \leftarrow X + {\vec{α}}^{T} P & (5) \end{matrix}$

In step S15, the third calculation unit 15 of each secure computation apparatus 1_ksecurely computes Formula (6), where integer i is equal to or greater than 1 and equal to or smaller than N, collectively to update the secret value [R] of the matrix R. The updated secret value [R] of matrix R is output to the iteration control unit 19.

$\begin{matrix} [Math . 12] &  \\ {\vec{r}}_{i} \leftarrow {\vec{r}}_{i} - α_{i} A_{i} {\vec{p}}_{i} & (6) \end{matrix}$

The third calculation unit 15 securely computes A_ip^→_iin Formula (6) so that communication required for N matrix calculations is collectively performed once by using the element technology 2, like the first calculation unit 13.

In step S16, the fourth calculation unit 16 of each secure computation apparatus 1_ksecurely computes Formula (7) to generate a secret value [β^→] of the vector β^→. The generated secret value [β^→] of the vector β^→ is output to the fifth calculation unit 17.

$\begin{matrix} [Math . 13] &  \\ \vec{β} \leftarrow diag (R^{T} R) / \vec{γ} & (7) \end{matrix}$

The fourth calculation unit 16 securely computes R^TR of Formula (7) while converting N multiplications into element-wise multiplications of one vector using the element technology 1, like the initialization unit 12.

In step S17, the fifth calculation unit 17 of each secure computation apparatus 1_ksecurely computes Formula (8) to update the secret value [P] of the matrix P. The updated secret value [P] of the matrix P is output to the first calculation device 13.

$\begin{matrix} [Math . 14] &  \\ P \leftarrow R + {\vec{β}}^{T} P & (8) \end{matrix}$

In step S18, the sixth calculation unit 18 of each secure computation apparatus 1_ksecurely computes Formula (9) to update the secret value [γ^→] of the vector γ^→. The updated secret value [γ^→] of the vector γ^→ is output to the fourth calculation unit 16.

$\begin{matrix} [Math . 15] &  \\ \vec{γ} \leftarrow diag (R^{T} R) & (9) \end{matrix}$

The sixth calculation unit 18 securely computes R^TR of Formula (9) while converting N multiplications into element-wise multiplications of one vector using the element technology 1, like the initialization unit 12.

In step S19-1, the iteration control unit 19 of each secure computation apparatus 1_kdetermines whether or not the index j is equal to or greater than the number of iterations δ, that is, whether j≥δ is true or false. When j≥δ is false, that is, when j<δ, the processing advances to step S19-2. When j≥δ is true, the processing advances to step S20. In step S19-2, the iteration control unit 19 of each secure computation apparatus 1_kincrements j, that is, calculates j←j+1, and returns to processing of step S13. In other words, the iteration control unit 19 controls to repeatedly execute the processing from the first calculation unit 13 to the sixth calculation unit 18 δ times.

In step S20, the output unit 20 of each secure computation apparatus 1_koutputs the secret value [X] of the matrix X as a secret value of A₁⁻¹b^→₁, A₂⁻¹b^→₂, . . . , A_N⁻¹b^→_N.

EXAMPLE 1

Example 1 of the present invention is an example in which linear regression is solved using the conjugate gradient method of algorithm 2. An equation for obtaining a linear regression model is Equation (10).

$\begin{matrix} [Math . 16] &  \\ W = {(X^{T} X)}^{- 1} X^{T} \vec{y} & (10) \end{matrix}$

Equation (10) is typically solved using the conjugate gradient method because processing of an inverse matrix is heavy. By using the conjugate gradient method of algorithm 2, it is possible to collectively learn a plurality of linear regression models using different data sets by one execution of conjugate gradient method.

EXAMPLE 2

Example 2 of the present invention is an example in which ridge regression is solved using the conjugate gradient method of algorithm 2. An equation for obtaining a ridge regression model is Equation (11).

$\begin{matrix} [Math . 17] &  \\ W = {(X^{T} X + α I)}^{- 1} X^{T} \vec{y} & (11) \end{matrix}$

α in Equation (11) represents a hyperparameter. Conventionally, an arbitrary value is set to α and then learning is performed. Since an optimal hyperparameter value is not known in advance, a problem is that it is necessary to set a plurality of different hyperparameters and perform learning many times. By using the conjugate gradient method of algorithm 2, it is possible to collectively learn plural ridge regression models having different hyperparameters by one execution of conjugate gradient method. This makes it possible to efficiently learn an optimal model.

Although the embodiments of the present invention have been described above, a specific configuration is not limited to these embodiments and it is obvious that even if a design were appropriately changed without departing from the spirit of the present invention, such changes would be included in the present invention. Various processing described in the embodiments may be not only executed in chronological order according to an order of description, but may also be executed in parallel or individually according to a processing capacity of a device that executes processing or as necessary.

Program and Recording Medium

When various processing functions in each apparatus described in the above embodiment are realized by a computer, processing content of the functions to be included in each apparatus is described by a program. This program is loaded into an auxiliary storage 1050 of the computer illustrated in FIG. 4 and operated by a calculation unit 1010, an input unit 1030, an output unit 1040, and the like, so that various processing functions of the above apparatuses are realized on the computer.

A program in which processing content thereof has been described can be recorded on a computer-readable recording medium. The computer-readable recording medium is, for example, a non-transitory recording medium, such as a magnetic recording device or an optical disc.

Further, distribution of this program may be performed, for example, by selling, transferring, or renting a portable recording medium such as a DVD or CD-ROM on which the program has been recorded. Further, the program may be distributed by storing the program in a storage of a server computer and transferring the program from the server computer to another computer via a network.

The computer that executes such a program first temporarily stores, for example, the program recorded on the portable recording medium or the program transferred from the server computer in an auxiliary storage 1050, which is a non-transitory storage of the computer. When processing is executed, this computer loads the program stored in the auxiliary storage 1050, which is the non-transitory storage of the computer, onto the memory 1020, which is a transitory storage, and executes processing according to the loaded program. Further, as another execution form of the program, the computer may directly read the program from the portable recording medium and execute the processing according to the program, and further, processing according to a received program may be sequentially executed each time the program is transferred from the server computer to the computer. Further, a configuration in which the above-described processing is executed by a so-called application service provider (ASP) type service for realizing a processing function according to only an execution instruction and result acquisition without transferring the program from the server computer to the computer may be adopted. It is assumed that the program in the present embodiment includes information provided for processing of an electronic calculator and being equivalent of the program (such as data that is not a direct command to the computer, but has properties defining processing of the computer).

Further, in above description, the apparatus described in the embodiments is configured by a predetermined program being executed on the computer, but at least a part of processing content thereof may be realized by hardware.

SECURE CONJUGATE GRADIENT METHOD COMPUTATION METHOD, SECURE CONJUGATE GRADIENT METHOD COMPUTATION SYSTEM, SECURE COMPUTATION APPARATUS, AND PROGRAM

Information

Publication Number

Date Filed

Date Published

Inventors

Original Assignees

CPC

International Classifications

Abstract

Description

Claims

PCT Information