The present invention relates to a secure computation technique, and more particularly to a technique for performing a bit shift operation in the secure computation.
The secure computation is a method for obtaining a result of a designated operation without restoring an encrypted numerical value (for example, refer to a reference NPL 1). In the method of the reference NPL 1, encryption is performed in which a plurality of pieces of information capable of restoring a numerical value are distributed to three secure computation apparatuses, and a result of an addition/subtraction, a constant addition, a multiplication, a constant multiplication, a logical operation (a negation, a logical product, a logical sum, an exclusive or), a data format conversion (an integer, a binary number) can be held in a state of being distributed in the three secure computation apparatuses without restoring the numerical value, that is, in an encrypted state. In general, the number of sharing is not limited to three, and can be set to W (W is a predetermined constant value of three or more), and a protocol for realizing the secure computation by cooperative computation by W secure computation apparatuses is called a multi-party protocol.
(Reference NPL 1: Koji Chida, Koki Hamada, Dai Igarashi, Katsumi Takahashi, “Reconsideration of Light-Weight Verifiable Three-Party Secure Function Evaluation”, In CSS, 2010)
Conventionally, NPL 1 and NPL 2 are references related to protocols and implementations of secure computation for performing floating point computation. The bit shift operation required for performing the floating point operation is an operation for shifting a binary bit pattern to the left or right, and is one of the basic operations in computer processing.
However, when the bit shift operation is executed by the secure computation, the computation cost is large because the operation is performed while concealing the right and left shift directions and the shift amount.
An object of the present invention is to provide a secure computation technique for performing a bit shift operation at a high speed by using a protocol for performing a left shift with a numerical value and a shift amount to be shifted as inputs.
One aspect of the present invention is a secure shift system that is configured of three or more secure shift apparatuses, where P is a prime number, p is a number of bits of the prime number P, Q is an order of a factor ring, M is an upper limit value which can be taken by the MSB position of numerical values to be inputted, M′ is an upper limit value of the MSB position which is allowable by shares, and [R, R′] is a range of the right shift amount which is covered by the divided right shift, and which computes a share [[s]]P of a numerical value s (where, s=2^ρ a) obtained by shifting a numerical value a by ρ bits from a share [[a]]P of the numerical value a and a share <<ρ>>Q of the shift amount ρ (where, in a case of ρ≥0, ρ represents the left shift, and in a case of ρ<0, ρ represents the right shift), and includes a modulus conversion means for computing a share <<ρ>>p from the share <<ρ>>Q, a first flag computation means for computing shares [[f0]]2=[[(ρ≥−R′)]]2, [[f1]]2=[[(ρ≥−R′+u)]]2, . . . , [[fd-1]]2=[[(ρ≥−R′+(d−1)u)]]2, and [[fL]]2=[[(ρ≥−R+1)]]2 from the share <<ρ>>Q or the share <<ρ>>p, the range [R, R′], a numerical value u, and a numerical value d, where u is an integer satisfying u≤M′−M+1 and d is an integer satisfying d ceiling(((R′−R+1)/u)Re), a second flag computation means for computing shares <<f1>>p, <<f2>>p, . . . , <<fd-1>>p, <<fL>>p from the shares [[f1]]2, [[f2]]2, . . . , [[fd-1]]2, [[fL]]2, a shift amount computation means for computing a share <<ρ′>>p=<<ρ>>p+R′−u(Σ1≤i<d<<fi>>p)+((d−1)u−R′)<<fL>>p from the share <<ρ>>p, the shares <<f1>>p, <<f2>>p, . . . , <<fd-1>>p, <<fL>>p, the upper limit value R′ of the range, the numerical value u, and the numerical value d, a left shift means for computing a share [[b]]P=[[2^ρ′ a]]P from the share [[a]]P and the share <<ρ′>>p, a right shift means for computing shares [[c0]]P=[[2^ρ′ a/2^R′]]P, [[c1]]P=[[2^ρ′ a/2^(R′−u)]]P, . . . , [[cd-1]]P=[[2^ρ′ a/2^(R′−(d−1)u)]]P from the share [[b]]P, the upper limit value R′ of the range, the numerical value u, and the numerical value d, a third flag computation means for computing shares [[f0]]P, [[f1]]P, . . . , [[fd-1]]P, [[fL]]P from the shares [[f0]]2, [[f1]]2, . . . , [[fd-1]]2, [[fL]]2, and a shift value computation means for computing the share [[s]]P=[[c0]]P[[f0]]P+([[c1]]P−[[c0]]P)[[f1]]P+ . . . +([[cd-1]]P−[[cd-2]]P)[[fd-1]]P+([[b]]P−[[cd-1]]P)[[fL]]P from the share [[b]]P, the shares [[c0]]P, [[c1]]P, . . . , [[cd-1]]P, and the shares [[f0]]P, [[f1]]P, . . . , [[fd-1]]P, [[fL]]P.
One aspect of the present invention is a secure shift system that is configured of three or more secure shift apparatuses, where P is a prime number, p is a number of bits of the prime number P, and M is an upper limit value of the shift amount, and which computes a share [[s]]P of a numerical value s (where, s=a/2^ρ) obtained by shifting a numerical value a to the right by ρ bits from a share [[a]]P of the numerical value a and a share <<ρ>>p of the shift amount ρ (0≤ρ≤M is satisfied, and a numerical value 2^M a obtained by shifting the numerical value a to the left by M bits does not overflow), and includes a shift amount computation means for computing a share <<M−ρ>>p from the share <<ρ>>p and the upper limit value M, a left shift means for computing a share [[b]]P=[[2^(M−ρ) a]]P from the share [[a]]P and the share <<M−ρ>>p, and a right shift means for computing the share [[s]]P=[[2^(M−ρ) a/2^M]]P from the share [[b]]P and the upper limit value M.
One aspect of the present invention is the secure shift system that is configured of three or more secure shift apparatuses, where P is a prime number, p is a number of bits of the prime number P, Q is an order of a factor ring, and M is an upper limit value that can be taken by the MSB position of numerical values to be inputted, and which computes a share [[s]]P of a numerical value s (where, s=2^ρ a) obtained by shifting a numerical value a by ρ bits from a share [[a]]P of the numerical value a and a share <<ρ>>Q of the shift amount ρ (where, in a case of ρ≥0, ρ represents the left shift, and in a case of ρ<0, ρ represents the right shift), and includes a modulus conversion means for computing a share <<ρ>>p from the share <<ρ>>Q, a first flag computation means for computing a share [[fL]]2=[[(ρ≥0)]]2 from the share <<ρ>>Q or the share <<ρ>>p, a second flag computation means for computing a share <<fL>>p from the share [[fL]]2, a shift amount computation means for computing a share <<ρ′>>p=<<ρ>>p+M−M<<fL>>p from the share <<ρ>>p, the share <<fL>>p, and the upper limit value M, a left shift means for computing a share [[b]]P=[[2^ρ′ a]]P from the share [[a]]P and the share <<ρ′>>p, a right shift means for computing a share [[c]]P=[[2^ρ′ a/2^M]]P from the share [[b]]P and the upper limit value M, a third flag computation means for computing a share [[fL]]P from the share [[fL]]2, and a shift value computation means for computing the share [[s]]P=[[c]]P+([[b]]P−[[c]]P)[[fL]]P from the share [[b]]P, the share [[c]]P, and the share [[fL]]P.
According to the present invention, the shift operation can be performed at high speed while keeping the numerical value and the shift amount to be shifted secure.
Hereinafter, embodiments of the present invention will be described in detail. Note that configuration units having the same function are denoted by the same number, and redundant description is omitted.
Prior to the description of each embodiment, the notation in the present specification will be explained.
^ (caret) indicates a superscript. For example, x^y^z indicates that y^z is a superscript to x, and x_y^z indicates that y^z is a subscript to x. In addition, _ (underscore) indicates a subscript. For example, x^y_z indicates that y_z is a superscript to x, and x_y_z indicates that y_z is a subscript to x.
Superscripts “^” and “˜” for a certain letter x, as in “^x” and “˜x”, should originally be written directly above “x”, but are written as “^x” and “˜x” due to the restrictions of the descriptive notation of the specification.
The secure computation in each embodiment of the present invention is constructed using an existing secure computation protocol. Hereinafter, a notation will be described.
P is a prime number. For example, it is preferable to set a Mersenne prime number P=2^61−1. p is the number of bits of the prime number P. Note that p may be expressed as p=|P|. When P is a Mersenne prime number, p is a prime number. For example, if P=2^61−1, p=61 is obtained. Also, Q is an order of a factor ring. The prime number P or its number of bits p is used as the order Q. In addition, the order Q can be used for the exponent part of a floating point number. When the order Q is used for the exponent part of a floating point number, for example, Q can be set to Q=2^13−1.
k is set to a threshold value of a secret sharing. For example, it is preferable to set k=2. In addition, n is set to a number of sharing of the secret sharing (that is, a number of parties of the secure computation). For example, it is preferable that n is set to n=3.
[[x]]y represents a share obtained by applying (k, n)-secret sharing to a mod y element x. As a method of the secret sharing, for example, Shamir secret sharing or replicated secret sharing can be used. The share of (k, n)-replicated secret sharing is expressed by <<x>>y. Since (k, n)-replicated secret sharing is a (k, n)-secret sharing, a protocol applicable to (k, n)-secret sharing can also be applied to a share of (k, n)-replicated secret sharing. Note that when a share is expressed as <<x>>y, it means that the property of the replicated secret sharing is utilized. In particular, (k, k)-replicated secret sharing is called (k, k)-additive secret sharing. A share obtained by applying (k, k)-additive secret sharing to a mod y element x is expressed as <x>y.
[[x]]2^m represents a share in which m shares in the form of [[x]]2 are arranged. In some cases, [[x]]2^m is regarded as a bit representation of a numerical value.
x≈y indicates that x and y are equal as real numbers on a computer. That is, the difference between x and y is within a certain error range.
For two numbers a, d, a/d represents the value of the integer division that truncates the fractional part. Therefore, integer division by a power of two is equivalent to a right shift. In addition, (a/d)Re represents the value of the real number division of the two numbers a, d.
For the number a, ceiling(a) represents the minimum integer of a or more.
(prop) expresses that in a case where proposition prop is satisfied, (prop) is set to 1, and in a case where proposition prop is not satisfied, (prop) is set to 0. For example, (1 >0) is 1.
A floating point number 2^b a (where, a and b represent a mantissa part and an exponent part respectively) is represented as a floating point (a, b). Further, m floating point numbers 2^b_0 a0, 2^b_1 a1, . . . , 2^b_m-1 am-1 (where, ai and bi (0≤i<m) represent the mantissa part and the exponent part respectively) are represented as a floating point vector (->a, ->b) (where, ->a=(a0, a1, . . . , am-1), ->b=(b0, b1, . . . , bm-1) is satisfied). The length m of the vector ->a=(a0, a1, . . . , am-1) may be expressed as |->a|.
<<Existing Secure Computation Protocol>>
First, an existing secure computation protocol used in the present invention will be described. The existing secure computation protocol is used for an addition/subtraction, a constant addition, a multiplication, a constant multiplication, a logical operation (a negation, a logical product, a logical sum, an exclusive or), a data format conversion (an integer, a binary number), and a computation of an exponential function. The following protocol is used as an existing protocol used in the present invention.
[Conversion from (k, n)-Secret Sharing (the Replicated Secret Sharing) to (k, k)-Additive Secret Sharing]
Input: a share [[x]]y of a numerical value x (a share <<x>>y of a numerical value x)
Output: a share <x>y of the numerical value x
Specifically, there is a method described in the reference NPL 2.
(Reference NPL 2: Kikuchi, R., Igarashi, D., Matsuda, T., Hamada, K. and Chida, K., “Efficient Bit-Decomposition and Modulus-Conversion Protocols with an Honest Majority,” 23rd Australasian Conference on Information Security and Privacy (ACISP 2018), Lecture Notes in Computer Science, Vol. 10946, Springer, pp. 64-82, 2018)
[Conversion from (k, k)-Additive Secret Sharing to (k, n)-Secret Sharing (the Replicated Secret Sharing)]
Input: a share <x>y of a numerical value x
Output: a share [[x]]y of the numerical value x (a share <<x>>y of the numerical value x)
Specifically, there is a method described in the reference NPL 2.
[Conversion from Mod 2 to Mod q]
Input: a share [[x]]2 of a numerical value x (a share <<x>>2 of the numerical value x)
Output: a share [[x]]q of the numerical value x (a share <<x>>q of the numerical value x)
Specifically, there is a method described in the reference NPL 2.
[Shift Amount Disclosure Right Shift]
Input: a share [[x]]q of a numerical value x, and a shift amount ρ
Output: a share [[x/2^ρ]]q of a numerical value obtained by shifting the numerical value x to the right by ρ bits
Specifically, there is a method described in the reference NPL 3.
(Reference NPL 3: Ibuki Mishina, Dai Igarashi, Koki Hamada, Ryo Kikuchi, “Designs and Implementations of Efficient and Accurate Secret Logistic Regression”, CSS2018, 2018)
[Batch Shift Amount Disclosure Right Shift]
Input: a share [[x]]q of a numerical value x, and shift amounts ρ0, . . . , ρm-1
Output: shares [[x/2^ρ_0]]q, . . . , [[x/2^ρ_m-1]]q of numerical values obtained by right-shifting the numerical value x by ρ0 bits, . . . , ρm-1 bits
Specifically, there is a method described in the reference NPL 4.
(Reference NPL 4: Dai Igarashi, “The elementary functions of the secure computation over M op/s”, SCIS2020, 2020)
Note that, as a self-evident method, a batch shift amount disclosure right shift can be formed by repeating the shift amount disclosure right shift.
[Modulus Conversion Using the Quotient Transfer]
Input: a share <<x>>q of a numerical value x
Output: a share <<x>>r of the numerical value x
Specifically, there is a method described in the reference NPL 2.
[Bit Decomposition]
Input: a share [[x]]q of a numerical value x
Parameter: the maximum number of bits M of inputted numerical values
Output: a share [[x]]2^M of the numerical value x
Specifically, there is a method described in the reference NPL 2.
<<Secure Computation Protocol of the Present Invention>>
Subsequently, the secure computation protocol of the present invention will be described.
[Multiplicative Rotation (Shift Amount Secure Left Shift)]
Input: a share [[a]]P of a numerical value a and a share <<ρ>>p of a rotation amount (a shift amount) ρ (≥0)
Output: a share [[2^ρ a]]P of a numerical value obtained by left-shifting the numerical value a by ρ bits
Although the share to be output can be computed by using a protocol such as multiplication or exponential function computation, it can also be computed by a method based on the idea of random substitution (refer to reference NPL 5). As a specific example, the case where n=3 will be described.
(Reference NPL 5: Dai Igarashi, Koki Hamada, Ryo Kikuchi, Koji Chida, “The improvement of the secure computation basic sort directed to statistical processing of 1 second of response to the Internet environment”, SCI2014, 2014)
(Round 1)
step 1: The share [[a]]P is converted into a (k, k)-additive secret sharing <a>p held by the parties 0 and 1.
step 2: The party 0 and the party 1 share a random number r01. In addition, the party 1 and the party 2 share a random number r12.
step 3: The party 0 computes b0=2^(<<ρ>>p_01)·<a>p_0−r01, and sends b0 to the party 2.
Here, <<ρ>>p_01 represents the share held by the party 0 and the party 1 with respect to the share <<ρ>>p. In addition, <a>p_0 represents the share held by the party 0 with respect to the share <a>p.
step 4: The party 1 computes b1=2^(<<ρ>>p_12)(2^(<<ρ>>p_01)·<a>p_1+r01)−r12, and sends b1 to the party 0.
Here, <<ρ>>p_12 represents the share held by the party 1 and the party 2 with respect to the share <<ρ>>p. In addition, <a>p_1 represents the share held by the party 1 with respect to the share <a>p.
(Round 2)
step 5: The party 0 computes <c>p_0=2^(<<ρ>>p_20)·b1.
Here, <<ρ>>p_20 represents the share held by the party 2 and the party 0 with respect to the share <<ρ>>p.
step 6: The party 2 computes <c>p_2=2^(<<ρ>>p_20)(2^(<<ρ>>p_12)·b0+r12).
(Round 3)
step 7: The share <c>p is converted into a share [[c]]P of (k, n)-secret sharing.
Here, c=2^ρ a is satisfied.
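As an added example that is not part of the patent text, the n=3 multiplicative rotation above is simulated on plaintext values with the Mersenne prime P=2^61−1; each "party" is just a variable, and the sharing helpers share_additive_2 and share_replicated_3 are my own constructions. It relies on 2^p ≡ 1 (mod P), which is why the rotation amount can be shared modulo p rather than modulo P.

```python
# Added example (not from the patent text): plaintext simulation of the n=3
# multiplicative rotation. Each "party" is just a variable; the sharing
# helpers share_additive_2 / share_replicated_3 are my own constructions.
import secrets

P = 2**61 - 1   # Mersenne prime, as preferred in the notation section
p = 61          # number of bits of P

# Why the rotation amount may be shared modulo p: 2**p = P + 1 ≡ 1 (mod P),
# so 2**x mod P depends only on x mod p, and 2**s01 * 2**s12 * 2**s20 ≡ 2**rho
# as long as s01 + s12 + s20 ≡ rho (mod p).
assert pow(2, p, P) == 1


def share_additive_2(a):
    """(2,2)-additive sharing <a> of a mod P, held by party 0 and party 1."""
    a0 = secrets.randbelow(P)
    return a0, (a - a0) % P


def share_replicated_3(rho):
    """(2,3)-replicated sharing <<rho>>_p: rho = s01 + s12 + s20 (mod p).
    Party 0 holds (s01, s20), party 1 holds (s01, s12), party 2 holds (s12, s20)."""
    s01 = secrets.randbelow(p)
    s12 = secrets.randbelow(p)
    s20 = (rho - s01 - s12) % p
    return s01, s12, s20


def multiplicative_rotation(a, rho):
    """Runs steps 1-7 on plaintext inputs; returns the reconstructed c = 2^rho * a mod P."""
    a0, a1 = share_additive_2(a)              # step 1: <a> for parties 0 and 1
    s01, s12, s20 = share_replicated_3(rho)   # <<rho>>_p as named in the text
    r01 = secrets.randbelow(P)                # step 2: random number shared by parties 0 and 1
    r12 = secrets.randbelow(P)                #         random number shared by parties 1 and 2

    # Round 1. b0 is masked by r01 and b1 by r12, so the receiving party sees a
    # uniformly random value rather than a function of a alone.
    b0 = (pow(2, s01, P) * a0 - r01) % P                           # step 3: party 0 -> party 2
    b1 = (pow(2, s12, P) * (pow(2, s01, P) * a1 + r01) - r12) % P  # step 4: party 1 -> party 0

    # Round 2. Parties 0 and 2 now hold an additive sharing <c> of 2^rho * a.
    c0 = (pow(2, s20, P) * b1) % P                                 # step 5: party 0
    c2 = (pow(2, s20, P) * (pow(2, s12, P) * b0 + r12)) % P        # step 6: party 2

    # Round 3 would re-share <c> as [[c]]_P; here we reconstruct it to check the result.
    return (c0 + c2) % P


def expected_rotation(a, rho):
    """Reference value 2^rho * a mod P computed directly."""
    return (pow(2, rho, P) * a) % P


def check_rotation(trials=100):
    """True if the simulated protocol reconstructs 2^rho * a mod P for random inputs."""
    for _ in range(trials):
        a = secrets.randbelow(P)
        rho = secrets.randbelow(p)
        if multiplicative_rotation(a, rho) != expected_rotation(a, rho):
            return False
    return True
```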
[Shift Amount Secure Right Shift]
Input: a share [[a]]P of a numerical value a, and a share <<ρ>>p of a shift amount ρ.
Parameter: an upper limit value M of the shift amount
However, it is assumed that 0<ρ<M, and that a numerical value 2^M a obtained by shifting the numerical value a to the left by M bits does not overflow.
Output: a share [[a/2^ρ]]P of a numerical value obtained by shifting the numerical value a to the right by ρ bits
step 1: <<M−ρ>>p is computed.
step 2: a share [[2^(M−ρ) a]]P of a numerical value obtained by left-shifting the numerical value a by M−ρ bits is computed by using the multiplicative rotation.
step 3: a share [[a/2^ρ]]P=[[2^(M−ρ) a/2^M]]P of a numerical value obtained by shifting the numerical value 2^(M−ρ) a to the right by M bits is computed by using the shift amount disclosure right shift.
[Shift Amount Secure Shift (Part 1)]
Input: a share [[a]]P of a numerical value a, and a share <<ρ>>Q of a shift amount ρ (where, in a case of ρ≥0, ρ represents the left shift, and in a case of ρ<0, ρ represents the right shift).
Parameter: an upper limit M that can be taken in the MSB (Most Significant Bit) position of numerical values to be inputted
Output: a share [[s]]P of a numerical value s obtained by shifting the numerical value a by ρ bits
Here, s=2^ρ a is satisfied.
step 1: a share <<ρ>>p is computed by using the modulus conversion. For example, the above-mentioned modulus conversion using the quotient transfer can be used.
step 2: [[fL]]2=[[(ρ≥0)]]2 is computed by a magnitude comparison.
step 3: <<fL>>p is computed by using the mod 2->mod p conversion.
step 4: <<ρ′>>p=<<ρ>>p+M−M<<fL>>p is computed.
step 5: [[b]]P=[[2^ρ′ a]]P is computed by using the multiplicative rotation.
step 6: [[c]]P=[[2^ρ′ a/2^M]]P is computed by using the shift amount disclosure right shift.
step 7: [[fL]]P is computed by using the mod 2->mod P conversion.
step 8: [[s]]P=[[c]]P+([[b]]P−[[c]]P)[[fL]]P is computed.
This equation is a selection gate: in a case of ρ<0, s=c is satisfied, and in a case of ρ≥0, s=b is satisfied.
[Shift Amount Secure Shift (Part 2)]
Input: a share [[a]]P of a numerical value a, and a share <<ρ>>Q of a shift amount ρ (where, in a case of ρ≥0, ρ represents the left shift, and in a case of ρ<0, ρ represents the right shift).
Parameter: an upper limit value M which can be taken by the MSB position of numerical values to be inputted, and an upper limit value M′ of the MSB position allowed by shares
Output: a share [[s]]P of a numerical value s obtained by shifting the numerical value a by ρ bits
Here, s=2^ρ a is satisfied.
step 1: u=M′−M+1, d=ceiling(((M−1)/u)Re) are computed.
Here, u is the right shift amount which can be covered by one shift amount secure right shift (specifically, the amount in the range of 1 to M′−M bits), and d is the number of execution times of the shift amount secure right shift necessary for performing the right shift in the range of 1 to M−1 bits.
step 2: a share <<ρ>>p is computed by using the modulus conversion. For example, the above-mentioned modulus conversion using the quotient transfer can be used.
step 3: [[f0]]2=[[(ρ≥−M+1)]]2, [[f1]]2=[[(ρ≥−M+1+u)]]2, . . . , [[fd-1]]2=[[(ρ≥−M+1+(d−1)u)]]2, [[fL]]2=[[(ρ≥0)]]2 are computed by a magnitude comparison.
Here, if fL holds then fd-1 holds, if fd-1 holds then fd-2 holds, and so on. The f0, f1, . . . , fd-1, and fL are referred to as transitive flags.
step 4: <<f1>>p, <<f2>>p, . . . , <<fd-1>>p, <<fL>>p are computed by using the mod 2->mod p conversion.
In this step, the computation of <<f0>>p is not required.
step 5: <<ρ′>>p=<<ρ>>p+M−1−u(Σ1≤i<d<<fi>>p)+((d−1)u−M+1)<<fL>>p is computed.
step 6: [[b]]P=[[2^ρ′ a]]P is computed by using the multiplicative rotation.
step 7: [[c0]]P=[[2^ρ′ a/2^(M−1)]]P, [[c1]]P=[[2^ρ′ a/2^(M−1−u)]]P, . . . , [[cd-1]]P=[[2^ρ′ a/2^(M−1−(d−1)u)]]P are computed by using the batch shift amount disclosure right shift.
step 8: [[f0]]P, [[f1]]P, . . . , [[fd-1]]P, [[fL]]P are computed by using the mod 2->mod P conversion.
In this step, the computation of [[f0]]P is necessary.
step 9: [[s]]P=[[c0]]P[[f0]]P+([[c1]]P−[[c0]]P)[[f1]]P+ . . . +([[cd-1]]P−[[cd-2]]P)[[fd-1]]P+([[b]]P−[[cd-1]]P)[[fL]]P is computed.
This expression is a selection gate for the transitive flags f0, f1, . . . , fd-1, fL: when all of f0, f1, . . . , fd-1, fL are 0, s=0 is satisfied; when f0 is the highest flag that holds, s=c0; when f1 is the highest flag that holds, s=c1; . . . ; and when fL holds, s=b.
[Shift Amount Secure Shift (Part 3)]
Input: a share [[a]]P of a numerical value a, and a share <<ρ>>Q of a shift amount ρ (where, in a case of ρ≥0, ρ represents the left shift, and in a case of ρ<0, ρ represents the right shift).
Parameter: an upper limit value M which can be taken by the MSB position of numerical values to be inputted, and an upper limit value M′ of the MSB position allowed by shares
Output: a share [[s]]P of a numerical value s obtained by shifting the numerical value a by ρ bits
Here, s=2^ρ a is satisfied.
step 1: u is an integer satisfying u≤M′−M+1. Further, [R, R′] is a range of the right shift amount covered by the divided right shift, and d is an integer satisfying d ceiling(((R′−R+1)/u)Re).
Hereinafter, { }L indicates that when the shift amount larger than −R need not be taken into consideration (for example, when it is known that the shift is right shift), the computation of the portion surrounded by the parentheses can be omitted. In addition, { }0 indicates that when the shift amount smaller than −R′ is not required to be considered (for example, when the right shift amount is larger than the value to which the shift amount secure shift (Part 1) can be applied but is not an extremely large value), the computation of the portion surrounded by the parentheses can be omitted.
step 2: a share <<ρ>>p is computed by using the modulus conversion. For example, a modulus conversion using the above-mentioned quotient transition can be used for the modulus conversion.
step 3: {[[f0]]2=[[(ρ≥−R′)]]2,}0 [[f1]]2=[[(ρ≥−R′+u)]]2, . . . , [[fd-1]]2=[[(ρ≥−R′+(d−1)u)]]2{, [[fL]]2=[[(ρ≥−R+1)]]2}L is computed by the comparison of the size.
Here, if fL holds then fd-1 holds, if fd-1 holds then fd-2 holds, and so on. The f0, f1, . . . , fd-1, and fL are referred to as transitive flags.
step 4: <<f1>>p, <<f2>>p, . . . , <<fd-1>>p{, <<fL>>p}L is computed by using the mod 2->mod p conversion.
step 5: <<ρ′>>p=<<ρ>>p+R′−u(Σ1≤i<d<<fi>>p){+((d−1)u−R′)<<fL>>p}L is computed.
step 6: [[b]]P=[[2^ρ′ a]]P is computed by using the multiplicative rotation.
step 7: {[[c0]]P=[[2^ρ′ a/2^R′]]P,}0 [[c1]]P=[[2^ρ′ a/2^(R′−u)]]P, . . . , [[cd-1]]P=[[2^ρ′ a/2^(R′−(d−1)u)]]P are computed by using the batch shift amount disclosure right shift.
step 8: {[[f0]]P,}0 [[f1]]P, . . . , [[fd-1]]P{, [[fL]]P}L are computed by using the mod 2->mod P conversion.
step 9: [[s]]P={[[c0]]P[[f0]]P+}0 ([[c1]]P{−[[c0]]P}0)[[f1]]P+ . . . +([[cd-1]]P−[[cd-2]]P)[[fd-1]]P{+([[b]]P−[[cd-1]]P)[[fL]]P}L is computed.
This expression is a selection gate for transitive flags f0, f1, . . . , fd-1, fL, when all of f0, f1, . . . , fd-1, fL are 0, s=0 is satisfied, in the case of f0, s=c0, in the case of f1, s=c1, . . . , in the case of fL, s=b is satisfied, respectively.
Note that when R=1, R′=M−1, u=M′−M+1, and d=ceiling(((R′−R+1)/u)) are satisfied, the shift amount secure shift (Part 3) becomes the shift amount secure shift (Part 2). Therefore, the shift amount secure shift (Part 3) is a protocol in which the shift amount secure shift (Part 2) is generalized.
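As an added example that is not part of the patent text, the arithmetic of the shift amount secure shift (Part 3) is carried through on plaintext values, with Part 2 (R=1, R′=M−1, as noted above) and Part 1 (the d=1 case with R′=M, my own observation) obtained as special cases, so the transitive flags, the adjusted shift amount ρ′ and the selection gate can be checked against a plain shift. It assumes that secret sharing is modelled as plain integers mod P, that "MSB position at most M" means a<2^M, and that d is taken as ceiling(((R′−R+1)/u)Re).

```python
# Added example (not from the patent text): the shift amount secure shift (Part 3)
# evaluated on plaintext values. Assumptions (mine, not stated this way in the text):
# secret sharing is modelled as plain integers mod P, "MSB position at most M" means
# a < 2**M, and d is taken as ceiling(((R'-R+1)/u)Re).
import math

P = 2**61 - 1   # Mersenne prime from the notation section
p = 61          # number of bits of P; the rotation amount is taken mod p


def transitive_flags(rho, R, Rp, u, d):
    """Step 3: f_i = (rho >= -R' + i*u) for i = 0..d-1 and f_L = (rho >= -R + 1)."""
    f = [int(rho >= -Rp + i * u) for i in range(d)]
    fL = int(rho >= -R + 1)
    return f, fL


def secure_shift_part3(a, rho, M, Mp, R, Rp):
    """s = 2^rho * a for rho >= 0, s = a / 2^(-rho) (integer division) for rho < 0."""
    u = Mp - M + 1                                   # step 1
    d = math.ceil((Rp - R + 1) / u)
    f, fL = transitive_flags(rho, R, Rp, u, d)       # step 3
    # Step 5: each set flag f_1..f_{d-1} retracts u bits of the R' pre-shift; f_L
    # retracts the remainder so that rho' = rho when no right shift is needed.
    rho_p = rho + Rp - u * sum(f[1:d]) + ((d - 1) * u - Rp) * fL
    # Step 6: the multiplicative rotation takes rho' mod p. For rho < -R' the value
    # rho' is negative and b is meaningless, but then every flag is 0 and step 9 yields 0.
    b = (pow(2, rho_p % p, P) * a) % P
    if rho_p >= 0 and (f[0] or fL):
        assert b < 2 ** Mp, "intermediate 2^rho' * a must fit within M' bits"
    # Step 7: batch right shift of b by the public amounts R', R'-u, ..., R'-(d-1)u.
    c = [b >> (Rp - i * u) for i in range(d)]
    # Step 9: selection gate; with transitive flags the differences telescope to c_j
    # for the largest j with f_j = 1, or to b when f_L = 1.
    s = c[0] * f[0]
    for i in range(1, d):
        s += (c[i] - c[i - 1]) * f[i]
    s += (b - c[d - 1]) * fL
    return s % P


def secure_shift_part2(a, rho, M, Mp):
    """Part 2 is Part 3 with R = 1 and R' = M - 1, as the text notes."""
    return secure_shift_part3(a, rho, M, Mp, 1, M - 1)


def secure_shift_part1(a, rho, M, Mp):
    """Part 1 matches Part 3 with R = 1, R' = M when M' is large enough that d = 1
    (my observation): rho' = rho + M - M*f_L, c = b / 2^M, s = f_L ? b : c."""
    return secure_shift_part3(a, rho, M, Mp, 1, M)


def reference_shift(a, rho):
    """Plain left shift for rho >= 0, truncating right shift for rho < 0."""
    return a << rho if rho >= 0 else a >> -rho


def exhaustive_check(M, Mp, R, Rp, rho_lo, rho_hi):
    """True if the protocol arithmetic equals a plain shift for every a < 2**M and
    every rho in [rho_lo, rho_hi]. For R > 1, inputs with rho > -R are out of scope
    (the text's { }L remark), so callers keep rho_hi <= -R in that case."""
    for a in range(2 ** M):
        for rho in range(rho_lo, rho_hi + 1):
            if secure_shift_part3(a, rho, M, Mp, R, Rp) != reference_shift(a, rho):
                return False
    return True
```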
The secure shift system 10 will be described below with reference to
As shown in
The secure shift system 10 realizes the secure computation of the shift amount secure right shift being the multi-party protocol by cooperative computation by W pieces of secure shift apparatuses 100i. Therefore, a shift amount computation means 140 (not shown) of the secure shift system 10 is constituted of the shift amount computation units 1401, . . . , 140W, a left shift means 150 (not shown) is constituted of the left shift units 1501, . . . , 150W, and a right shift means 160 (not shown) is constituted of the right shift units 1601, . . . , 160W.
P is a prime number, p is a number of bits of the prime number P, and M is the upper limit value of the shift amount, and the secure shift system 10 computes a share [[s]]P of a numerical value s (where, s=a/2^ρ) obtained by right-shifting a numerical value a by ρ bits from a share [[a]]P of the numerical value a and a share <<ρ>>p of the shift amount ρ (0≤ρ<M is satisfied, and a numerical value 2^M a obtained by left-shifting the numerical value a by M bits does not overflow). The operation of the secure shift system 10 will be described with reference to
In S140, the shift amount computation means 140 computes a share <<M−ρ>>p from the share <<ρ>>p and the upper limit value M.
In S150, the left shift means 150 computes a share [[b]]P=[[2^(M−ρ) a]]P from the share [[a]]P and the share <<M−ρ>>p computed in S140. The left shift means 150 may be configured to execute, for example, the shift amount secure left shift.
In S160, the right shift means 160 computes the share [[s]]P=[[2^(M−ρ) a/2^M]]P from the share [[b]]P computed in S150 and the upper limit value M. For example, the right shift means 160 may be configured to execute the shift amount disclosure right shift.
According to the embodiment of the present invention, the right shift operation can be performed at high speed while keeping the numerical value and the shift amount to be shifted secure.
The secure shift system 20 will be described below with reference to
As shown in
The secure shift system 20 realizes the secure computation of the shift amount secure shift (Part 1) being the multi-party protocol by the cooperative computation by the W pieces of secure shift apparatuses 200i. Therefore, a modulus conversion means 210 (not shown) of the secure shift system 20 is constituted of the modulus conversion units 2101, . . . , 210W, a first flag computation means 220 (not shown) is constituted of the first flag computation units 2201, . . . , 220W, a second flag computation means 230 (not shown) is constituted of the second flag computation units 2301, . . . , 230W, a shift amount computation means 240 (not shown) is constituted of the shift amount computation units 2401, . . . , 240W, a left shift means 250 (not shown) is constituted of the left shift units 2501, . . . , 250W, a right shift means 260 (not shown) is constituted of the right shift units 2601, . . . , 260W, a third flag computation means 270 (not shown) is constituted of the third flag computation units 2701, . . . , 270W, and a shift value computation means 280 (not shown) is constituted of the shift value computation units 2801, . . . , 280W.
P is a prime number, p is a number of bits of the prime number P, and M is an upper limit value of the MSB position of numerical values to be inputted, and the secure shift system 20 computes a share [[s]]P of a numerical value s (where, s=2^ρ a) obtained by shifting a numerical value a by ρ bits from a share [[a]]P of the numerical value a and a share <<ρ>>Q of the shift amount ρ (where, in the case of ρ≥0, ρ represents the left shift, and in the case of ρ<0, ρ represents the right shift). The operation of the secure shift system 20 will be described with reference to
In S210, the modulus conversion means 210 computes a share <<ρ>>p from the share <<ρ>>Q. The modulus conversion means 210 may be configured to execute the modulus conversion, for example.
In S220, the first flag computation means 220 computes a share [[fL]]2=[[(ρ≥0)]]2 from the share <<ρ>>Q. The first flag computation means 220 may be configured so that, for example, a share <<(ρ≥0)>>Q is computed from the share <<ρ>>Q, a share <<(ρ≥0)>>2 is computed from the share <<(ρ≥0)>>Q by using the modulus conversion, and the share <<(ρ≥0)>>2 is converted into the share [[fL]]2=[[(ρ≥0)]]2. Note that in place of the share <<ρ>>Q, a share <<ρ>>p may be used.
In S230, the second flag computation means 230 computes a share <<fL>>p from the share [[fL]]2 computed in S220. The second flag computation means 230 may be configured to execute, for example, the mod 2->mod p conversion.
In S240, the shift amount computation means 240 computes a share <<ρ′>>p=<<ρ>>p+M−M<<fL>>p from the share <<ρ>>p computed in S210, the share <<fL>>p computed in S230, and the upper limit value M.
In S250, the left shift means 250 computes a share [[b]]P=[[2^ρ′ a]]P from the share [[a]]P and the share <<ρ′>>p computed in S240. The left shift means 250 may be configured to execute, for example, the shift amount secure left shift.
In S260, the right shift means 260 computes a share [[c]]P=[[2^ρ′ a/2^M]]P from the share [[b]]P computed in S250 and the upper limit value M. For example, the right shift means 260 may be configured to execute the shift amount disclosure right shift.
In S270, the third flag computation means 270 computes a share [[fL]]P from the share [[fL]]2 computed in S220. The third flag computation means 270 may be configured to execute, for example, the mod 2->mod P conversion.
In S280, the shift value computation means 280 computes the share [[s]]P=[[c]]P+([[b]]P−[[c]]P)[[fL]]P from the share [[b]]P computed in S250, the share [[c]]P computed in S260, and the share [[fL]]P computed in S270.
According to the embodiment of the present invention, the shift computation can be performed at high speed while keeping the numerical value and the shift amount to be shifted secure. In particular, although there is a limitation in the amount of right shift, the shift operation can be performed at high speed.
The secure shift system 30 will be described below with reference to
As shown in
The secure shift system 30 realizes the secure computation of the shift amount secure shift (Part 2) being the multi-party protocol by the cooperative computation by the W pieces of secure shift apparatuses 300i. Therefore, a modulus conversion means 310 (not shown) of the secure shift system 30 is constituted of the modulus conversion units 3101, . . . , 310W, a first flag computation means 320 (not shown) is constituted of the first flag computation units 3201, . . . , 320W, a second flag computation means 330 (not shown) is constituted of the second flag computation units 3301, . . . , 330W, a shift amount computation means 340 (not shown) is constituted of the shift amount computation units 3401, . . . , 340W, a left shift means 350 (not shown) is constituted of the left shift units 3501, . . . , 350W, a right shift means 360 (not shown) is constituted of the right shift units 3601, . . . , 360W, a third flag computation means 370 (not shown) is constituted of the third flag computation units 3701, . . . , 370W, and a shift value computation means 380 (not shown) is constituted of the shift value computation units 3801, . . . , 380W.
P is a prime number, p is a number of bits of the prime number P, Q is an order of a factor ring, and M is an upper limit value which can be taken by the MSB position of numerical values to be inputted, and the secure shift system 30 computes a share [[s]]P of a numerical value s (where, s=2^ρ a) obtained by shifting a numerical value a by ρ bits from a share [[a]]P of the numerical value a and a share <<ρ>>Q of the shift amount ρ (where, in the case of ρ≥0, ρ represents the left shift, and in the case of ρ<0, ρ represents the right shift). The operation of the secure shift system 30 will be described with reference to
In S310, the modulus conversion means 310 computes a share <<ρ>>p from the share <<ρ>>Q. The modulus conversion means 310 may be configured to execute the modulus conversion, for example.
In S320, the first flag computation means 320 computes shares [[f0]]2=[[(ρ≥−M+1)]]2, [[f1]]2=[[(ρ≥−M+1+u)]]2, . . . , [[fd-1]]2=[[(ρ≥−M+1+(d−1)u)]]2, [[fL]]2=[[(ρ≥0)]]2 from the share <<ρ>>Q, the first upper limit value M, a numerical value u=M′−M+1, and a numerical value d=ceiling((M−1)/u). The first flag computation means 320 may be configured, for example, so that shares <<(ρ≥−M+1)>>Q, <<(ρ≥−M+1+u)>>Q, . . . , <<(ρ≥−M+1+(d−1)u)>>Q, <<(ρ≥0)>>Q are computed from the share <<ρ>>Q, shares <<(ρ≥−M+1)>>2, <<(ρ≥−M+1+u)>>2, . . . , <<(ρ≥−M+1+(d−1)u)>>2, <<(ρ≥0)>>2 are computed from the shares <<(ρ≥−M+1)>>Q, <<(ρ≥−M+1+u)>>Q, . . . , <<(ρ≥−M+1+(d−1)u)>>Q, <<(ρ≥0)>>Q by using the modulus conversion, and the shares <<(ρ≥−M+1)>>2, <<(ρ≥−M+1+u)>>2, . . . , <<(ρ≥−M+1+(d−1)u)>>2, <<(ρ≥0)>>2 are converted into the shares [[f0]]2=[[(ρ≥−M+1)]]2, [[f1]]2=[[(ρ≥−M+1+u)]]2, . . . , [[fd-1]]2=[[(ρ≥−M+1+(d−1)u)]]2, [[fL]]2=[[(ρ≥0)]]2. Note that in place of the share <<ρ>>Q, a share <<ρ>>p may be used. The numerical values u and d may be computed from the first upper limit value M and the second upper limit value M′ by the first flag computation means 320, or the numerical values u and d may be recorded in the recording unit 390i in advance.
In S330, the second flag computation means 330 computes shares <<f1>>p, <<f2>>p, . . . , <<fd-1>>p, <<fL>>p from the shares [[f1]]2, [[f2]]2, . . . , [[fd-1]]2, [[fL]]2 computed in S320. The second flag computation means 330 may be configured to execute, for example, the mod 2->mod p conversion.
In S340, the shift amount computation means 340 computes a share <<ρ′>>p=<<ρ>>p+M−1−u(Σ1≤i<d<<fi>>p)+((d−1)u−M+1)<<fL>>p from the share <<ρ>>p computed in S310, the shares <<f1>>p, <<f2>>p, . . . , <<fd-1>>p, <<fL>>p computed in S330, the first upper limit value M, the numerical value u, and the numerical value d.
In S350, the left shift means 350 computes a share [[b]]P=[[2ρ′a]]P from the share [[a]]P and the share <<ρ′>>p computed in S340. The left shift means 350 may be configured to execute, for example, the shift amount secure left shift.
In S360, the right shift means 360 computes shares [[c0]]P=[[2ρ′a/2M-1]]P, [[c1]]P=[[2ρ′a/(2M-1-u)]]P, . . . , [[cd-1]]P=[[2ρ′a/(2M-1-(d-1)u)]]P from the share [[b]]P computed in S350, the first upper limit value M, the numerical value u, and the numerical value d. For example, the right shift means 360 may be configured so as to execute the batch shift amount disclosure right shift.
In S370, the third flag computation means 370 computes shares [[f0]]P, [[f1]]P, . . . , [[fd-1]]P, [[fL]]P from the share [[f0]]2, [[f1]]2, . . . , [[fd-1]]2, [[fL]]2 computed in S320. The third flag computation means 370 may be configured to execute, for example, the mod 2->mod P conversion.
In S380, the shift value computation means 380 computes the share [[s]]P=[[c0]]P[[f0]]P+([[c1]]P−[[c0]]P)[[f1]]P+ . . . +([[cd-1]]P−[[cd-2]]P)[[fd-1]]P+([[b]]P−[[cd-1]]P)[[fL]]P from the share [[b]]P computed in S350, the shares [[c0]]P, [[c1]]P, . . . , [[cd-1]]P computed in S360, and the shares [[f0]]P, [[f1]]P, . . . , [[fd-1]]P, [[fL]]P computed in S370.
According to the embodiment of the present invention, the shift computation can be performed at high speed while keeping the numerical value and the shift amount to be shifted secure. In particular, the shift operation can be performed at high speed without limitation on the amount of right shift.
The secure shift system 40 will be described below with reference to
As shown in
The secure shift system 40 realizes the secure computation of the shift amount secure shift (Part 3) being the multi-party protocol by the cooperative computation by the W pieces of secure shift apparatuses 400i. Therefore, a modulus conversion means 410 (not shown) of the secure shift system 40 is constituted of the modulus conversion units 4101, . . . , 410W, a first flag computation means 420 (not shown) is constituted of the first flag computation units 4201, . . . , 420W, a second flag computation means 430 (not shown) is constituted of the second flag computation units 4301, . . . , and 430W, a shift amount computation means 440 (not shown) is constituted of the shift amount computation units 4401, . . . , and 440W, a left shift means 450 (not shown) is constituted of the left shift units 4501, . . . , 450i, a right shift means 460 (not shown) is constituted of the right shift units 4601, . . . , 460W, a third flag computation means 470 (not shown) is constituted of the third flag computation units 4701, . . . , 470W, and a shift value computation means 480 (not shown) is constituted of the shift value computation units 4801, . . . , 480W.
P is a prime number, p is a number of bits of the prime number P, Q is an order of a factor ring, M is an upper limit value which can be taken by the MSB position of numerical values to be inputted, [R, R′] is a range of the right shift amount covered by the divided right shift, and the secure shift system 40 computes a share [[s]]P of a numerical value s (where, s=2ρa) obtained by shifting a numerical value a to the right by ρ bits from a share [[a]]P of the numerical value a and a share <<ρ>>Q of the shift amount ρ (where, in the case of ρ≥0, ρ represents the left shift, and in the case of ρ<0, ρ represents the right shift). The operation of the secure shift system 40 will be described with reference to
In S410, the modulus conversion means 410 computes a share <<ρ>>p from the share <<ρ>>Q. The modulus conversion means 410 may be configured to execute the modulus conversion, for example.
In S420, the first flag computation means 420 computes shares [[f0]]2=[[(ρ≥−R′)]]2, [[f1]]2=[[(ρ≥−R′+u)]]2, . . . , [[fd-1]]2=[[(ρ≥−R′+(d−1)u)]]2, [[fL]]2=[[(ρ≥−R+1)]]2 from the share <<ρ>>Q, the range [R, R′], a numerical value u (u is an integer satisfying u<M′−M+1), and a numerical value d (d is an integer satisfying d≥ceiling((R′−R+1)/u)). The first flag computation means 420 may be configured so that shares <<(ρ≥−R′)>>Q, <<(ρ≥−R′+u)>>Q, . . . , <<(ρ≥−R′+(d−1)u)>>Q, <<(ρ≥−R+1)>>Q are computed from the share <<ρ>>Q, shares <<(ρ≥−R′)>>2, <<(ρ≥−R′+u)>>2, . . . , <<(ρ≥−R′+(d−1)u)>>2, <<(ρ≥−R+1)>>2 are computed from the shares <<(ρ≥−R′)>>Q, <<(ρ≥−R′+u)>>Q, . . . , <<(ρ≥−R′+(d−1)u)>>Q, <<(ρ≥−R+1)>>Q by using the modulus conversion, and the shares <<(ρ≥−R′)>>2, <<(ρ≥−R′+u)>>2, . . . , <<(ρ≥−R′+(d−1)u)>>2, <<(ρ≥−R+1)>>2 are converted into the shares [[f0]]2=[[(ρ≥−R′)]]2, [[f1]]2=[[(ρ≥−R′+u)]]2, . . . , [[fd-1]]2=[[(ρ≥−R′+(d−1)u)]]2, [[fL]]2=[[(ρ≥−R+1)]]2. Note that in place of the share <<ρ>>Q, a share <<ρ>>p may be used. The numerical values u and d may be recorded in the recording unit 490i in advance.
In S430, the second flag computation means 430 computes shares <<f1>>p, <<f2>>p, . . . , <<fd-1>>p, <<fL>>p from the shares [[f1]]2, [[f2]]2, . . . , [[fd-1]]2, [[fL]]2 computed in S420. The second flag computation means 430 may be configured to execute, for example, the mod 2->mod p conversion.
In S440, the shift amount computation means 440 computes a share <<ρ′>>p=<<ρ>>p+R′−u(Σ1≤i<d<<fi>>p)+((d−1)u−R′)<<fL>>p from the share <<ρ>>p computed in S410, the shares <<f1>>p, <<f2>>p, . . . , <<fd-1>>p, <<fL>>p computed in S430, the upper limit value R′ of the range, the numerical value u, and the numerical value d.
In S450, the left shift means 450 computes a share [[b]]P=[[2ρ′a]]P from the share [[a]]P and the share <<ρ′>>p computed in S440. The left shift means 450 may be configured to execute, for example, the shift amount secure left shift.
In S460, the right shift means 460 computes shares [[c0]]P=[[2ρ′a/2R′]]P, [[c1]]P=[[2ρ′a/(2R′-u)]]P, . . . , [[cd-1]]P=[[2ρ′a/(2R′-(d-1)u)]]P from the share [[b]]P computed in S450, the upper limit value R′ of the range, the numerical value u, and the numerical value d. For example, the right shift means 460 may be configured so as to execute the batch shift amount disclosure right shift.
In S470, the third flag computation means 470 computes shares [[f0]]P, [[f1]]P, . . . , [[fd-1]]P, [[fL]]P from the share [[f0]]2, [[f1]]2, . . . , [[fd-1]]2, [[fL]]2 computed in S420. The third flag computation means 470 may be configured to execute, for example, the mod 2->mod P conversion.
In S480, the shift value computation means 480 computes the share [[s]]P=[[c0]]P[[f0]]P+([[c1]]P−[[c0]]P)[[f1]]P+ . . . +([[cd-1]]P−[[cd-2]]P)[[fd-1]]P+([[b]]P−[[cd-1]]P)[[fL]]P from the share [[b]]P computed in S450, the shares [[c0]]P, [[c1]]P, . . . , [[cd-1]]P computed in S460, and the shares [[f0]]P, [[f1]]P, . . . , [[fd-1]]P, [[fL]]P computed in S470.
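The following is an added cleartext model of the shift amount secure shift (Part 3), and, with R=1, R′=M−1 and u=M′−M+1, of Part 2 as well; it is not code from the patent. Every share [[x]] or <<x>> is replaced by the plain integer x (no secret sharing, no modulus conversion) so that the flag, shift amount and telescoping selection arithmetic of S420 to S480 can be checked against an ordinary shift; the function names and the choice d=ceiling((R′−R+1)/u) are assumptions of this example.

```python
# Added example (not from the patent): cleartext model of the Part 3 steps.
# Shares are replaced by plain integers; only the arithmetic identity is shown.


def shift_flags(rho, R, R_prime, u, d):
    """S420: f_i = (rho >= -R' + i*u) for 0 <= i < d, fL = (rho >= -R + 1)."""
    f = [1 if rho >= -R_prime + i * u else 0 for i in range(d)]
    fL = 1 if rho >= -R + 1 else 0
    return f, fL


def secure_shift_model(a, rho, R, R_prime, u):
    """Return s = 2^rho * a (floor division for rho < 0) via the Part 3 steps.

    Only rho in [-R', -R] or rho >= 0 is modelled: the left shift of S450
    takes a non-negative amount, and -R < rho < 0 lies outside the divided
    right shift range [R, R'] covered by this part (see the Modification).
    """
    if rho < -R_prime or -R < rho < 0:
        raise ValueError("shift amount outside the modelled range")
    d = -(-(R_prime - R + 1) // u)          # ceiling((R' - R + 1) / u)
    f, fL = shift_flags(rho, R, R_prime, u, d)
    # S440: rho' = rho + R' - u * sum_{1<=i<d} f_i + ((d-1)u - R') fL
    rho_p = rho + R_prime - u * sum(f[1:]) + ((d - 1) * u - R_prime) * fL
    # For a right shift rho' < u, so b stays below the M' bit bound.
    assert rho_p >= 0 and (fL or rho_p < u), "intermediate would exceed M' bits"
    b = a << rho_p                                     # S450: b = 2^rho' a
    c = [b >> (R_prime - i * u) for i in range(d)]    # S460: c_i = b / 2^(R'-iu)
    # S480: telescoping selection; the last flag that is 1 picks the term.
    s = c[0] * f[0]
    for i in range(1, d):
        s += (c[i] - c[i - 1]) * f[i]
    s += (b - c[d - 1]) * fL
    return s


def reference_shift(a, rho):
    """Ordinary left shift for rho >= 0, floor right shift for rho < 0."""
    return a << rho if rho >= 0 else a >> -rho


def check_part2(M=8, M_prime=11, a_max=255):
    """Part 2 parameters (R=1, R'=M-1, u=M'-M+1) over all a with MSB <= M."""
    u = M_prime - M + 1
    return all(secure_shift_model(a, rho, 1, M - 1, u) == reference_shift(a, rho)
               for a in range(a_max + 1) for rho in range(-(M - 1), M))
```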
(Modification)
As described in the “Technical Background”, in the shift amount secure shift (Part 3), when a shift amount greater than −R does not need to be taken into consideration, or when a shift amount smaller than −R′ does not need to be taken into consideration, a part of the computations can be omitted. Therefore, in either of these cases, the secure shift system 40 can be constructed so as to omit a part of the computations.
According to the embodiment of the present invention, the shift computation can be performed at high speed while keeping the numerical value and the shift amount to be shifted secure. In particular, the shift operation can be performed at high speed without limitation on the amount of right shift.
<Supplementary Note>
The apparatus of the present invention includes, for example, as a single hardware entity, an input unit to which a keyboard or the like can be connected, an output unit to which a liquid crystal display or the like can be connected, a communication unit to which a communication device (e.g., a communication cable) capable of communicating with the exterior of the hardware entity can be connected, a CPU (Central Processing Unit; may also include a cache memory, registers, etc.), a RAM or ROM serving as a memory, an external storage device, which is a hard disk, and a bus that connects the input unit, the output unit, the communication unit, the CPU, the RAM, the ROM, and the external storage device such that data can be exchanged therebetween. As required, a device (a drive) that can read and write a storage medium such as a CD-ROM may be included. A general-purpose computer or the like is an example of a physical entity including such hardware resources.
A program that is necessary to realize the above-described functions and data and the like that are necessary for processing of the program are stored in the external storage device of the hardware entity (the program does not necessarily have to be stored in the external storage device, and may be stored in, for example, the ROM, which is a read-only storage device). Data and the like that are obtained in the processing of the program are stored in the RAM, the external storage device or the like as appropriate.
In the hardware entity, each program and the data needed for processing of each program stored in the external storage device (or ROM, etc.) are loaded to the memory as needed, and the CPU interprets, executes, and processes them as appropriate. As a result, the CPU realizes the predetermined functions (above mentioned, each configuration unit represented as . . . unit, . . . means).
The present invention is not limited to the embodiment described above, and can be modified as appropriate within a scope not departing from the gist of the present invention. The processing described in the foregoing embodiments does not necessarily have to be executed chronologically in the described order, and may be executed in parallel or individually as necessary or according to the processing capacity of the apparatus that executes the processing.
As described above, in a case where processing functions of the hardware entity (the apparatus according to the present invention) described in the foregoing embodiments are realized by the computer, the processing contents of the functions that are to be included in the hardware entity are described by the program. The processing functions of the hardware entity described above are realized in the computer as a result of the program being executed by the computer.
The program describing the processing contents can be recorded in a computer-readable recording medium. As the computer-readable recording medium, for example, a magnetic recording device, an optical disk, a magneto-optical recording medium, a semiconductor memory, or the like can be used. Specifically, for example, a hard disk device, a flexible disk, a magnetic tape, or the like can be used as the magnetic recording device; a DVD (Digital Versatile Disc), a DVD-RAM (Random Access Memory), a CD-ROM (Compact Disc Read Only Memory), CD-R (Recordable)/RW (ReWritable), or the like can be used as the optical disk; an MO (Magneto-Optical disc) or the like can be used as the magneto-optical recording medium; and an EEP-ROM (Electronically Erasable and Programmable-Read Only Memory) or the like can be used as the semiconductor memory.
In addition, the distribution of this program is carried out by, for example, selling, transferring, or lending a portable recording medium such as the DVD or the CD-ROM on which the program is recorded. Further, the program may be distributed by storing the program in a storage device of a server computer and transmitting the program from the server computer to other computers via a network.
The computer executing such a program is configured to, for example, first temporarily store the program recorded on the portable recording medium or the program transferred from the server computer in its own storage device. When executing the processing, the computer reads the program stored in its own storage device, and executes the processing according to the read program. As another execution form of the program, the computer may directly read the program from the portable recording medium and execute processing according to the program; alternatively, each time the program is transferred from the server computer to the computer, processing according to the received program may be executed sequentially. In addition, the above-mentioned processing may be executed by a so-called ASP (Application Service Provider) type service which does not transfer the program from the server computer to the computer and realizes the processing function only by the execution instruction and the result acquisition. Note that the program in this embodiment includes information to be provided for processing by the electronic computer that is equivalent to a program (data which is not a direct instruction to the computer but has a property that specifies the processing of the computer).
Further, according to this aspect, the computer is caused to execute the predetermined program to constitute the hardware entity, but at least part of the processing contents may be realized using hardware.
The above descriptions of the embodiments of the present invention are presented for the purpose of illustration and description. The descriptions are neither intended to be comprehensive nor to limit the present invention to the strict form disclosed. Modifications and variations can be made from the teachings described above. The embodiments were selected and described to provide the best illustration of the principle of the present invention such that those skilled in the art can use the present invention in various embodiments suitable for thoroughly considered practical use, and by adding various alterations. All of such modifications and variations are within the scope of the present invention defined by the appended claims that are interpreted according to a fairly, legally, and equitably given range.
Filing Document | Filing Date | Country | Kind
---|---|---|---
PCT/JP2020/039077 | 10/16/2020 | WO |