The present invention relates to a secure computation technique and a privacy protection technique.
Recently, demands for utilizing privacy data represented by private information have been increasing, and a secure computation technique for enabling various calculations while information is kept secret attracts attention. The secure computation is a useful technique that can be applied to various applications (e.g., refer to NPL 1). However, because the accuracy (correctness) of calculation results is ensured in the secure computation, the privacy of calculation results, which is called as “output privacy”, is not protected. Mixing of a calculation result using random noise, for example, is needed in order to protect the output privacy, and in the secure computation as well, such mixing, that is, generation of random noise is one technical issue.
For such an issue, a method of generating secret random noise following a binomial distribution using the secure computation is disclosed in NPL 2. Noise that follows the binomial distribution is used for satisfying an output privacy protection standard called differential privacy, and therefore the technique disclosed in NPL 2 can be said as a useful technique for achieving the output privacy protection in the secure computation.
[NPL 1] Naoto Kiribuchi, Dai Ikarashi, Koki Hamada, Ryo Kikuchi, “MEVAL3: A Library for Programmable Secure Computation”, Symposium on Cryptography and Information Security (SCIS), 2018.
[NPL 2] C. Dwork, K, Kenthapadi, F. McSherry, I. Mironov, M. Naor, “Our data, ourselves: privacy via distributed noise generation,” Advances in Cryptology, EUROCRYPT, LNCS 4004, pp. 486-503, 2006.
However, there is a problem regarding NPL 2 in that a communication amount according to the noise range is needed when noise is generated. The noise range drastically increases depending on the range of a calculation result to be protected and the protection strength, and therefore, in order to achieve the sufficient protection strength regarding any computation, quite a large communication amount corresponding to the increased noise range is needed. The reduction of this communication amount is a big issue from a viewpoint of speeding up the secure computation.
The present invention has been made in view of the technical issue described above, and an object of the present invention is to generate a secure random number that follows a binomial distribution without performing successive communication.
In order to achieve the above-described object, a secure random number generation system according to one aspect of the invention is a secure random number generation system that includes a plurality of secure computation apparatuses and generates a concealed value of a random number that follows a binomial distribution, wherein the secure computation apparatuses each include: a storage unit configured to store a pseudorandom function and at least one set of a key and a polynomial; a pseudorandom number generating unit configured to obtain a pseudorandom number for each of the keys by computing the pseudorandom function using the keys; a bit counting unit configured to count the number of 1s included in each pseudorandom number; and a random number share generating unit configured to obtain the sum of products of the number of 1s and an output of the polynomial corresponding to the number of 1s as the share of the random number.
According to the present invention, a secure random number that follows a binomial distribution can be generated without performing successive communication. As a result of performing mixing of a calculation result using this secure random number, the output privacy in the secure computation can be efficiently protected.
In this specification, “_” (underscore) in a subscript represents that a character on the right side is added to a character on the left side as a subscript. That is, “ab_c” represents that bc is added to a as a subscript.
First, the existing technologies on which the present invention is premised will be described.
Shamir's secret sharing method
Shamir's secret sharing method is a method in which a secret value s is broken up into n fragments by a random polynomial f, and the secret value s is restored from any t fragments (refer to Reference Literature 1, for example). Hereinafter, one fragment obtained by breaking up a certain value is called as a “share”, and a set of all shares is called as a “concealed value”. The concealed value of a certain value ⋅ is represented by [⋅], and the ith share of the concealed value [⋅] is represented by [⋅]i. Note that n is an integer of 3 or more, and t is an integer that satisfies n≥2t−1.
[Reference Literature 1] A. Shamir, “How to share a secret,” Communications of the ACM, Vol. 22, No. 11, pp. 612-613, 1979.
In the Shamir's secret sharing method, first, with respect to a secret s on a finite field Zp with order p, a t-1th order polynomial f(x)=rt−1xt−1+ . . . +r1x1+s on the finite field Zp is selected. Note that ri is a random value on the finite field Zp. Here, each of shares [s]1, . . . , [s]n of the secret s is obtained as [s]i=f(i), for example. When the secret s is restored, the constant term s of the polynomial f(x) is obtained by performing polynomial interpolation using any t or more shares that do not duplicate.
The pseudorandom secret sharing is a method for generating a share of a uniform random number using a pseudorandom function without performing communication (refer to Reference Literature 2, for example).
R. Cramer, I. Damgard, and Y. Ishai, “Share conversion, pseudorandom secret-sharing and applications to secure computation,” Theory of Cryptography, LNCS 3378, pp. 342-362, 2005.
A pseudorandom function PRF: K×{0, 1}α→Zp is a function for outputting a random number on an (approximately) uniform finite field Zp by receiving a private key and a bit stream of length α. Here, K represents a keyspace. Also, consider a case where shares in the Shamir's secret sharing method are retained by n parties P1, . . . , Pn in a broken up manner. Here, the shares [r]1, . . . , [r]n of a random number r are retained by n parties in a manner described below.
1. First, the key of the pseudorandom function is shared by some parties, in advance. Specifically, a set A is defined as a set constituted by n−t+1 parties selected from the n parties, and the key kA∈K is shared by all of the n−t+1 parties included in the set A. Conversely, t−1 parties that are not included in the set A do not obtain information regarding the key kA. Similarly, with respect to each set A that can be envisioned, all parties included in the envisioned set A shares a different key kA. Also, separately, with respect to each of all of the sets A, a tth order polynomial fA corresponding to the set A is shared. Here, assume that a condition that fA(0)=1 and fA(i)=0 (if Pi is not included in set A) is satisfied.
2. When a random number needs to be generated, each party generates a pseudorandom number with a value a such as a time stamp that is used in common. Specifically, when parties Pi are included in a set Aj and retain a key set {kA_j}, each party Pi computes [r]i←ΣjPRF(kA_j, a)·fA_j(i). Here, J is the number of sets A to which the party Pi belongs, and j indicates an integer from 1 to j.
The share [r]i to be obtained by the party Pi with the processing described above is a share of a pseudorandom number r=ΣAPRF(kA, a).
The number of 1s included in L-bit uniform random number r∈{0, 1}L is known to be a random number that follows a binomial distribution Bin(L, ½). If a pseudorandom function PRF: K×{0, 1}α→{0, 1}L has sufficient uniformity, the number of ls included in the pseudorandom number PRF(k, a) can also be said to similarly follow the binomial distribution Bin(L, ½).
Here, an embodiment of the present invention will be described in detail. Note that the same reference numerals are added to constituent units that have the same function, in the drawings, and redundant description will be omitted.
In the secure random number generation system of the embodiment, N (≥3) secure computation apparatus computes, in a cooperated manner, a concealed value of a random value that follows the binomial distribution. In the present embodiment, it is premised on that a multi-party computation based on the Shamir's secret sharing method is used.
A secure random number generation system 100 of the embodiment includes n (≥3) secure computation apparatuses 11, . . . , 1n, as shown in
The secure computation apparatus 1i (i=1, . . . , n) included in the secure random number generation system 100 of the embodiment includes a parameter storage unit 10, a pseudorandom number generating unit 11, a bit counting unit 12, a random number share generating unit 13, and an output unit 14, as shown in
The secure computation apparatus 1i is a special apparatus that is configured by a special program being read in a known or dedicated computer including a central processing unit (CPU), a main storage device (RAM: Random Access Memory), and the like, for example. The secure computation apparatus 1i executes the processing under the control of the central processing unit, for example. The data input to the secure computation apparatus 1i and the data obtained by the processing are stored in the main storage device, for example, and the data stored in the main storage device is read out to the central processing unit as necessary and is used for another processing. At least some of the processing units of the secure computation apparatus 1i may be configured by hardware such as an integrated circuit. The storage units included in the secure computation apparatus 1i can be configured by a main storage device such as RAM (Random Access Memory), an auxiliary storage device such as a hard disk, an optical disk, or a semiconductor memory device such as a flash memory, or middleware such as a relational database or key-value store, for example.
In the following, the processing procedure of the secure random number generation method to be executed by the secure random number generation system 100 of the embodiment will be described with reference to
The parameter storage unit 10 stores the pseudorandom function PRF: K×{0, 1}α→{0, 1}L, J keys {kA_1, . . . , kA_J}, and k polynomials {fA_1 (x), . . . , fA_J(x)}.
In step S11, the pseudorandom number generating unit 11 computes, for each integer j of 1 or more and J or less, a pseudorandom function PRF(kA_j, a) using a key kA_j and a parameter a that are stored in the parameter storage unit 10. The parameter a is a parameter, such as a time stamp, that can be used in common between all the secure computation apparatuses 1l. . . , 1n. The pseudorandom number generating unit 11 outputs pseudorandom numbers pA_j calculated from keys kA_j to the bit counting unit 12.
In step S12, the bit counting unit 12 obtains the number rA_j of 1s included in the pseudorandom number pA_j for each integer j of 1 or more and J or less. The bit counting unit 12 output the numbers rA_j of 1s obtained from the pseudorandom numbers pA_j to the random number share generating unit 13.
In step S13, the random number share generating unit 13 computes a sum of products [r]i←ΣjrA_j·fA_j(i) of the numbers rA_j of 1s and the outputs of polynomial fA_j (i). Here, i is the number of the secure computation apparatus. This [r]i is a share of the random number r=ΣArA. The random number share generating unit 13 outputs the share [r]i of a random number r to the output unit 14.
In step S14, the output unit 14 outputs the share [r]i of the random number r.
The number rA of 1s included in an L-bit pseudorandom number pA, which is an output of the pseudorandom function PRF(kA, a), follows a binomial distribution Bin(L, ½). Similarly, the number r of 1s included in a total N=(nCn−t+1)×L-bit random number computed by all the keys kA that are shared by the parties follows the binomial distribution Bin(N, ½). Here, nCn−t+1 represents the number of combinations of selecting different n−t+1 pieces from different n pieces. This number r of 1s satisfies r=ΣArA. Also, these computations can be locally performed, and therefore communication between parties is not needed. The present invention provides a technique in which, by utilizing this property, each party obtains the share [r]i of a random number that follows a binomial distribution Bin(N, ½) without the parties communicating to each other, and the concealed value [r] of a random number r is generated as an entire system.
In the present invention, the need of successive communication is eliminated when a secure random number is generated, based on the pseudorandom secret sharing method. Here, as a result of changing the pseudorandom secret sharing method for generating a uniform random number such that a random number that follows a binomial distribution can be generated, the communication amount is largely reduced relative to that of a known method. As described above, according to the present invention, a secure random number that follows a binomial distribution and can be used for output privacy protection of a secure computation result and the like can be generated without performing successive communication. In the known method, communication of an amount that is in proportion to a noise range N is needed every time a secure random number is generated.
Although an embodiment of the present invention have been described above, a specific configuration is not limited to the embodiment, and even if a design change or the like is made without departing from the spirit of the present invention, when necessary, such a change is included in the scope of the present invention as a matter of course. The various kinds of processing described in the embodiment are not necessarily executed in chronological order according to the order of descriptions, and may be parallelly or individually executed depending on the processing capabilities of the device that executes the processing or according to the need.
When the various processing functions of the devices described in the above embodiment are realized using a computer, the functions that the devices need to have are to be described in the form of a program. Then, this program is read in a storage unit 1020 of a computer shown in
The program that describes the contents of such processing can be recorded in a computer-readable recording medium. Any kind of computer-readable recording medium may be employed, such as a magnetic recording device, an optical disc, a magneto-optical recording medium, or a semiconductor memory.
The program is distributed by, for example, selling, transferring, or lending a portable recording medium such as a DVD or a CD-ROM on which the program is recorded. Furthermore, it is possible to employ a configuration in which the program is stored in a storage device of a server computer, and the program is distributed by the server computer transferring the program to other computers via a network.
A computer that executes such a program first stores, in a storage device thereof, the program that is recorded on a portable recording medium or that has been transferred from a server computer. Thereafter, when executing processing, the computer reads the program stored in the storage device thereof, and executes processing according to the program thus read. In another mode of execution of the program, the computer may read the program directly from a portable recording medium and execute processing according to the program. In addition, the computer may sequentially execute processing according to the received program every time the computer receives the program transferred from a server computer. Also, it is possible to employ a configuration for executing the above-described processing by using a so-called ASP (Application Service Provider) type service, which does not transfer a program from the server computer to the computer, but realizes processing functions by only making instructions to execute the program and acquiring the results. The program according to the embodiments may be information that is used by an electronic computer to perform processing, and that is similar to a program (e.g. data that is not a direct command to the computer, but has the property of defining computer processing).
Also, although the device is formed by running a predetermined program on a computer in the embodiment, at least part of the content of the above processing may be realized using hardware.
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/JP2019/049883 | 12/19/2019 | WO |