Secure sum-of-product computation method, secure sum-of-product computation system, computation apparatus and programs therefor

Information

  • Patent Grant
  • 9292258
  • Patent Number
    9,292,258
  • Date Filed
    Friday, January 20, 2012
    12 years ago
  • Date Issued
    Tuesday, March 22, 2016
    8 years ago
Abstract
There is provided a method that can quickly perform a secure sum-of-product computation by cooperative computation by three parties (computation apparatuses) that is easy to implement. In a secure computation method in which a party X performs a party-X random number generation step, a party-X first computation step and a party-X second computation step, a party Y performs a party-Y random number generation step, a party-Y first computation step and a party-Y second computation step, and a party Z performs a party-Z random number generation step, a party-Z first computation step and a party-Z second computation step, computation processings performed by the parties are symmetrical to each other.
Description
TECHNICAL FIELD

The present invention relates to a secure sum-of-product computation method, a secure sum-of-product computation system, a computation apparatus and programs therefor for performing data processings, particularly, a multiplication computation and a sum-of-product computation, while concealing data by secret sharing.


BACKGROUND ART

In the field of management and operation of so-called sensitive information, such as customer information and management information, the information to be managed is increasing in variety, and the information processing technology such as cloud computing is changing, so that measures to ensure security and privacy are becoming more important. Recently, the secret sharing art has become popular to prevent leakage of information by distributing the information among plural sites. Besides, a secure functional computation (a multi-party protocol) for deriving a specified computation result without reconstructing the distributed information is also being developed for commercialization. The secret sharing art is effective as a measure to ensure security when storing information but has a risk of leakage of information when using the information, because the information generally needs to be reconstructed for use. In view of the presence of such a risk of leakage of information, the secure functional computation can uses distributed information as operands for computation instead of the original input values and does not need to reconstruct the original input values at all in the computation process. Therefore, the secure functional computation can be said to be an advanced security art that maintains the functionality of the secret sharing art even when the information is used.


A prior art for performing a multiplication while concealing information is a multiplication protocol described in Non-Patent literature 1. A prior art for performing a sum-of-product computation while concealing information is a combination of a multiplication protocol and an addition protocol. These protocols are 3-party secure functional computation protocols that derive a result of an arithmetic/logical operation by cooperative computation by three parties (three computing entities) without reconstructing a shared input value. In the 3-party secure functional computation protocol, data is treated as a natural number smaller than a predetermined prime number p. To conceal data, which will be denoted as “a”, the data a is divided into three fragments in such a manner that the fragments satisfy the following condition.

a=a0+a1+a2 mod p

In practice, random numbers a0 and a1 are generated, and a relation holds: a2=a−a0−a1. Then, a random number sequence (a0, a1) is transmitted to a party X of the three parties, a random number sequence (a1, a2) is transmitted to a party Y of the three parties, and a random number sequence (a2, a0) is transmitted to a party Z of the three parties. Since a1 and a2 are random numbers, any of the parties X, Y and Z does not have information about the data a. However, any two of the parties can cooperate to reconstruct the data a.


Since the concealment is an additive distribution, the shared value can be equally reconstructed before or after addition of its fragments because of the interchangeability. That is, the addition and the constant multiplication of the distributed fragments can be achieved without communications. If a multiplication can additionally be performed, a logical circuit can be formed, and any computation can be performed. The multiplication needs communications and random number generation and therefore is a bottleneck of the 3-party secure functional computation.


PRIOR ART LITERATURE
Non-Patent Literature



  • Non-patent literature 1: Koji Chida, Koki Hamada, Dai Ikarashi, Katsumi Takahashi, “A Three-Party Secure Function Evaluation with Lightweight Verifiability Revisited”, CSS2010, 2010.



SUMMARY OF THE INVENTION
Problems to be Solved by the Invention

In the 3-party secure functional computation, the multiplication and the sum-of-product computation requires communications and random number generation and therefore are a bottleneck in the computation processing.


More specifically, the conventional multiplication protocol requires two rounds of communications. In addition, the computation amounts and the communication amounts of the three parties are not symmetrical to each other, so that a different program needs to be implemented in each party. As a result, the implementation cost increases. In addition, the part where the computation amount and the communication amount are at the maximum constitutes a bottleneck. In addition, the sum-of-product computation generally requires a large amount of communications.


An object of the present invention is to provide a secure sum-of-product computation method, a secure sum-of-product computation system, a computation apparatus and a program therefor that can quickly perform a multiplication and a sum-of-product computation and can be readily implemented.


Means to Solve the Problems

A secure sum-of-product computation method according to the present invention is a secure sum-of-product computation method used for performing a sum-of-product computation of data strings A0=(a00, . . . , a0na0-1), A1=(a10, . . . , a1na1-1) and A2=(a20, . . . , a2na2-1) and data strings B0=(b00, . . . , b0nb0-1), B1=(b10, . . . , b1nb1-1) and B2=(b20, . . . , b2nb2-1) by cooperative computation by three computation apparatuses, which are a party X, a party Y and a party Z, the sum-of-product computation being expressed as














i





0

,

j





0





(

e







00


i





0

,

j





0



·
a








0

i





0


·
b







0

j





0



)


+





i





0

,

j





1





(

e







01


i





0

,

j





0



·
a








0

i





0


·
b







1

j





1



)


+





i





1

,

j





0





(

e







10


i





1

,

j





0



·
a








1

i





1


·
b







0

j





0



)


+





i





1

,

j





1





(

e







11


i





1

,

j





1



·
a








1

i





1


·
b







1

j





1



)


+





i





1

,

j





2





(

e







12


i





1

,

j





2



·
a








1

i





1


·
b







2

j





2



)


+





i





2

,

j





1





(

e







21


i





2

,

j





1



·
a








2

i





2


·
b







1

j





1



)


+





i





2

,

j





2





(

e







22


i





2

,

j





2



·
a








2

i





2


·
b







2

j





2



)


+





i





2

,

j





0





(

e







20


i





2

,

j





0



·
a








2

i





2


·
b







0

j





0



)


+





i





0

,

j





2





(

e







02


i





0

,

j





2



·
a








0

i





0


·
b







2

j





2



)






[

FORMULA





1

]








(i0=0, . . . , na0-1, i1=0, . . . , na1-1, i2=0, . . . , na2-1, j0=0, . . . , nb0-1, j1=0, . . . , nb1-1, and j2=0, . . . , nb2-1, na0, na1, na2, nb0, nb1 and nb2 represent natural numbers), and comprises a party-X random number generation step, a party-X first computation step, a party-X second computation step, a party-Y random number generation step, a party-Y first computation step, a party-Y second computation step, a party-Z random number generation step, a party-Z first computation step and a party-Z second computation step.


In the processing, the data strings A0, A1, B0 and B1 are input to the party X, the data strings A1, A2, B1 and B2 are input to the party Y, and the data strings A2, A0, B2 and B0 are input to the party Z.


In the party-X random number generation step, the party X generates a number rx and transmits the number to the party Y.


In the party-X first computation step, the party X computes a value cX according to










c
X

=






i





0

,

j





1





(

e







01


i





0

,

j





1



·
a








0

i





0


·
b







1

j





1



)


+





i





1

,

j





0





(

e







10


i





1

,

j





0



·
a








1

i





1


·
b







0

j





0



)


+

r
X






[

FORMULA





2

]








(e01i0,j1 and e10i1,j0 represent any numbers) and transmits the value to the party Z.


In the party-X second computation step, the party X receives a number rZ from the party Z and a value cY from the party Y, computes values c0 and c1 according to











c
0

=






i





0

,

j





0





(

e







00


i





0

,

j





0



·
a








0

i





0


·
b







0

j





0



)


+

c
X

-

r
Z










c
1

=






i





1

,

j





1





(

e







11


i





1

,

j





1



·
a








1

i





1


·
b







1

j





1



)


+

c
Y

-

r
X







[

FORMULA





3

]








(e00i0,j0 and e11i1,j1 represent any numbers) and outputs the values.


In the party-Y random number generation step, the party Y generates a number rY and transmits the number to the party Z.


In the party-Y first computation step, the party Y computes the value cY according to










c
Y

=






i





1

,

j





2





(

e







12


i





1

,

j





2



·
a








1

i





1


·
b







2

j





2



)


+





i





2

,

j





1





(

e







21


i





2

,

j





1



·
a








2

i





2


·
b







1

j





1



)


+

r
Y






[

FORMULA





2

]








(e12i1,j2 and e21i2,j1 represent any numbers) and transmits the value to the party X.


In the party-Y second computation step, the party Y receives the number rx from the party X and a value cZ from the party Z, computes values c1 and c2 according to











c
1

=






i





1

,

j





1





(

e







11


i





1

,

j





1



·
a








1

i





1


·
b







1

j





1



)


+

c
Y

-

r
X










c
2

=






i





2

,

j





2





(

e







22


i





2

,

j





2



·
a








2

i





2


·
b







2

j





2



)


+

c
Z

-

r
Y







[

FORMULA





5

]








(e22i2,j2 represents any number) and outputs the values.


In the party-Z random number generation step, the party Z generates the number rZ and transmits the number to the party X.


In the party-Z first computation step, the party Z computes the value cZ according to










c
Z

=






i





2

,

j





0





(

e







20


i





2

,

j





0



·
a








2

i





2


·
b







0

j





0



)


+





i





0

,

j





2





(

e







02


i





0

,

j





2



·
a








0

i





0


·
b







2

j





2



)


+

r
Z






[

FORMULA





2

]








(e20i2,j0 and e02i0,j2 represent any numbers) and transmits the value to the party Y.


In the party-Z second computation step, the party Z receives the number rY from the party Y and the value cX from the party X, computes the values c0 and c2 according to











c
0

=






i





0

,

j





0





(

e







00


i





0

,

j





0



·
a








0

i





0


·
b







0

j





0



)


+

c
X

-

r
Z










c
2

=






i





2

,

j





2





(

e







22


i





2

,

j





2



·
a








2

i





2


·
b







2

j





2



)


+

c
Z

-

r
Y







[

FORMULA





7

]








and outputs the values.


Effects of the Invention

The secure sum-of-product computation methods, the secure sum-of-product computation systems, the computation apparatuses and the programs therefor according to the present invention can quickly perform a multiplication and a sum-of-product computation, and the programs can be readily implemented because the processings performed by the parties are symmetrical to each other.





BRIEF DESCRIPTION OF THE DRAWINGS


FIG. 1 is a diagram showing an example of a configuration of a secure sum-of-product computation system 100;



FIG. 2 is a diagram showing an example of a flow of a processing performed by the secure sum-of-product computation system 100;



FIG. 3 is a diagram showing an example of an internal configuration of each party of the secure sum-of-product computation systems 100 and 200;



FIG. 4 is a diagram showing an example of a configuration of a secure sum-of-product computation system 200;



FIG. 5 is a diagram showing an example of a flow of a processing performed by the secure sum-of-product computation system 200;



FIG. 6 is a diagram showing an example of a configuration of a secure sum-of-product computation system 300;



FIG. 7 is a diagram showing an example of a flow of a processing performed by the secure sum-of-product computation system 300;



FIG. 8 is a diagram showing an example of an internal configuration of each party of the secure sum-of-product computation systems 300, 400 and 500;



FIG. 9 is a diagram showing an example of a configuration of secure sum-of-product computation systems 400 and 500;



FIG. 10 is a diagram showing an example of a flow of a processing performed by the secure sum-of-product computation systems 400 and 500;



FIG. 11 is a diagram showing an example of a configuration of a secure sum-of-product computation system 600;



FIG. 12 is a diagram showing an example of a flow of a processing performed by the secure sum-of-product computation system 600;



FIG. 13 is a diagram showing an example of an internal configuration of each party of the secure sum-of-product computation systems 600, 700 and 800;



FIG. 14 is a diagram showing an example of a configuration of secure sum-of-product computation systems 700 and 800;



FIG. 15 is a diagram showing an example of a flow of a processing performed by the secure sum-of-product computation systems 700 and 800;



FIG. 16 is a diagram showing an example of a configuration of secure sum-of-product computation system 900, 910 and 920; and



FIG. 17 is a diagram showing an example of a flow of a processing performed by the secure sum-of-product computation system 900, 910 and 920.





DETAILED DESCRIPTION OF THE EMBODIMENTS

In the following, embodiments of the present invention will be described in detail.


First Embodiment


FIG. 1 shows an example of a configuration of a secure sum-of-product computation system 100, and FIG. 2 shows an example of a flow of a processing performed by the secure sum-of-product computation system 100. The secure sum-of-product computation system 100 comprises a party X, a party Y and a party Z, which are computation apparatuses that perform symmetric computation processings.


A secure sum-of-product computation according to the present invention is achieved by the three computation apparatuses, the parties X, Y and Z, cooperating to perform sum-of-product computations of data strings A0=(a00, . . . , a0na0-1), A1=(a10, . . . , a1na1-1) and A2=(a20, . . . , a2na2-1) and data strings B0=(b00, . . . , b0nb0-1), B1=(b10, . . . , b1nb1-1) and B2=(b20, . . . , b2nb2-1). Note that na0, na1, na2, nb0, nb1 and nb2 represent natural numbers.


As shown in FIG. 3, each party has random number generation means 101, first computation means 102 and second computation means 103. In FIG. 3, a subject party is denoted as P, and other parties are denoted as P and P+. Specifically, when the subject party is the party X, another party P is the party Z, and the remaining party P+ is the party Y. When the subject party is the party Y, another party P is the party X, and the remaining party P+ is the party Z. When the subject party is the party Z, another party P is the party Y, and the remaining party P+ is the party X. In this specification, the relationship between the subject party P and the other parties P and P+ that does not change depending on which of the parties serves as the subject party P is expressed as “symmetric (symmetrical)”. And a processing performed by the parties in such a relationship is referred to as a “symmetric processing” or expressed as “symmetric (symmetrical)”.


In the following, details of a cooperative computation processing performed by each party will be specifically described. First, data strings A0, A1, B0 and B1 are input to the party X, data strings A1, A2, B1 and B2 are input to the party Y, and data strings A2, A0, B2 and B0 are input to the party Z (S1).


Then, the party X performs the following processing. The random number generation means 101 first generates a random number rX and transmits the random number to the party Y (S2-1). Then, the first computation means 102 computes a value cX according to










c
X

=






i





0

,

j





1





(

e







01


i





0

,

j





1



·
a








0

i





0


·
b







1

j





1



)


+





i





1

,

j





0





(

e







10


i





1

,

j





0



·
a








1

i





1


·
b







0

j





0



)


+

r
X






[

FORMULA





8

]








and transmits the value cX to the party Z (S2-2). Note that i0=0, . . . , na0-1, i1=0, . . . , na1-1, j0=0, . . . , nb0-1, j1=0, . . . , nb1-1, and e01i0,j1 and e10i1,j0 each represent any number. The second computation means 103 receives a random number rZ from the party Z and a value cY from the party Y and computes values c0 and c1 according to











c
0

=






i





0

,

j





0





(

e







00


i





0

,

j





0



·
a








0






i





0



·
b







0

j





0



)


+

c
X

-

r
Z










c
1

=











i





1

,

j





1






(

e







11


i





1

,

j





1



·
a








1

i





1


·
b







1

j





1



)


+

c
Y

-

r
X







[

FORMULA





9

]








and outputs the values c0 and c1 (S3). Note that e00i0,j0 and e11i1,j1 each represent any number.


The party Y performs the following processing. The random number generation means 101 first generates a random number rY and transmits the random number to the party Z (S4-1). Then, the first computation means 102 computes the value cY according to










c
Y

=






i





1

,

j





2





(

e







12


i





1

,

j





2



·
a








1

i





1


·




b







2

j





2



)


+





i





2

,

j





1





(

e







21


i





2

,

j





1



·
a








2

i





2


·
b







1

j





1



)


+

r
Y






[

FORMULA





10

]








and transmits the value cY to the party X (S4-2). Note that i2=0, . . . , na2-1, j2=0, . . . , nb2-1, and e12i1,j2 and e21i2,j1 each represent any number. The second computation means 103 receives the random number rX from the party X and a value cZ from the party Z and computes values c1 and c2 according to











c
1

=






i





1

,

j





1





(

e







11


i





1

,

j





1



·
a








1

i





1


·




b







1

j





1



)


+

c
Y

-

r
X










c
2

=






i





2

,

j





2





(

e







22


i





2

,

j





2



·
a








2

i





2


·
b







2






j





2




)


+

c
Z

-

r
Y







[

FORMULA





11

]








and outputs the values c1 and c2 (S5). Note that e22i2,j2 represents any number.


The party Z performs the following processing. The random number generation means 101 first generates the random number rZ and transmits the random number to the party X (S6-1). Then, the first computation means 102 computes the value cZ according to










c
Z

=






i





2

,

j





0





(

e







20


i





2

,

j





0



·
a








2

i





2


·
b







0

j





0



)


+





i





0

,

j





2





(

e







02


i





0

,

j





2



·
a








0

i





0


·
b







2

j





2



)


+

r
Z






[

FORMULA





12

]








and transmits the value cZ to the party Y (S6-2). Note that e20i2,j0 and e02i0,j2 represent any numbers. The second computation means 103 receives the random number rY from the party Y and the value cX from the party X and computes values c0 and c2 according to











c
0

=






i





0

,

j





0





(

e







00


i





0

,

j





0



·
a








0

i





0


·
b







0

j





0



)


+

c
X

-

r
Z










c
2

=






i





2

,

j





2





(

e







22


i





2

,

j





2



·
a








2

i





2


·
b







2

j





2



)


+

c
Z

-

r
Y







[

FORMULA





13

]








and outputs the values c0 and c2 (S7). Note that the series of steps S2-1 and S2-2, the series of steps S4-1 and S4-2 and the series of steps S6-1 and S6-2 can be performed in parallel, and the steps S3, S5 and S7 can also be performed in parallel.


Then, the total sum of the values c0, c1, and c2 output from the parties X, Y and Z can be computed to obtain a sum-of-product computation result as expressed by the following formula.











c
0

+

c
1

+

c
2


=






i





0

,

j





0





(

e







00


i





0

,

j





0



·
a








0

i





0


·
b







0

j





0



)


+





i





0

,

j





1





(

e







01


i





0

,

j





0



·
a








0

i





0


·
b







1

j





1



)


+





i





1

,

j





0





(

e







10


i





1

,

j





0



·
a








1

i





1


·
b







0

j





0



)


+





i





1

,

j





1





(

e







11


i





1

,

j





1



·
a








1

i





1


·
b







1

j





1



)


+





i





1

,

j





2





(

e







12


i





1

,

j





2



·
a








1

i





1


·
b







2

j





2



)


+





i





2

,

j





1





(

e







21


i





2

,

j





1



·
a








2

i





2


·
b







1

j





1



)


+





i





2

,

j





2





(

e







22


i





2

,

j





2



·
a








2

i





2


·
b







2

j





2



)


+





i





2

,

j





0





(

e







20


i





2

,

j





0



·
a








2

i





2


·




b







0

j





0



)


+





i





0

,

j





2





(

e







02


i





0

,

j





2



·
a








0

i





0


·
b







2

j





2



)







[

FORMULA





14

]








In the processing described above, hash values or other values can be substituted for the random numbers.


The effect of the method according to the present invention will be compared with that of the method described in Non-Patent literature 1. Most of the computations in Non-Patent literature 1 are involved with random number generation and encryption and decryption for communications in the case where no physical secure channels are available. The amount of computations for encryption and decryption agrees with the amount of communications, so that the efficiency can be evaluated by observing the number of random numbers generated and the amount of communications.


In the case where an addition is performed after repeatedly performing multiplications as described in Non-Patent literature 1, the number of random numbers generated and the amount of communications are proportional to the number of elements of the input data strings. In the method according to the present invention, the parties X, Y and Z each generate only one random number and transmit only two pieces of data to the other parties. In addition, the processings performed by the parties X, Y and Z are symmetrical to each other, so that common programs can be implemented in all the parties, and the implementation cost can be reduced.


Second Embodiment

A second embodiment is a specific example of the first embodiment, in which na0=na1=na2=nb0=nb1=nb2=n (n represents an integer equal to or greater than 1), and e00=e01=e10=e11=e12=e21=e22=e20=e02=1. FIG. 4 shows an example of a configuration of a secure sum-of-product computation system 200 according to this embodiment, and FIG. 5 shows an example of a flow of a processing performed by the secure sum-of-product computation system 200. The secure sum-of-product computation system 200 comprises a party X, a party Y, a party Z, a data string decomposition and supply part 210 and an output part 220. Each party has random number generation means 101, first computation means 102 and second computation means 103 as in the first embodiment as shown in FIG. 3.


The secure sum-of-product computation system 200 performs a sum-of-product computation












i


n
-
1





a
i

·

b
i






[

FORMULA





15

]








for two data strings A=(a0, . . . , an-1) and B=(b0, . . . , bn-1) comprising elements ai and bi (i=0, . . . , n−1), which are natural numbers smaller than a prime number p while concealing the contents of the data strings through cooperative computation by the three computation apparatuses, the parties X, Y and Z (the sum-of-product computation is a multiplication of a and b in the case where n=1).


Specifically, the data string decomposition and supply part 210 decomposes the input data strings A and B in such a manner that each element ai and bi satisfy conditional formulas ai=a0i+a1i+a2i mod p and bi=b0i+b1i+b2i mod p (a0i, a1i, b0i and b1i represent random numbers, and p represents a prime number) and supplies data strings A0=(a00, . . . , a0n-1), A1=(a10, . . . , a1n-1), B0=(b00, . . . , b0n-1) and B1=(b10, . . . , b1n-1) to the party X, the data strings A1, A2=(a20, . . . , a2n-1), B1 and B2=(b20, . . . , b2n-1) to the party Y, and data strings A2, A0, B2 and B0 to the party Z (S11).


Then, the party X performs the following processing. The random number generation means 101 first generates a random number rX and transmits the random number to the party Y (S12-1). Then, the first computation means 102 computes a value cX according to










c
X

=




i



(


a







0
i

·
b







1
i


+

a







1
i

·
b







0
i



)


+

r
X






[

FORMULA





16

]








and transmits the value cX to the party Z (S12-2). Then, the second computation means 103 receives a random number rZ from the party Z and a value cY from the party Y and computes values c0 and c1 according to











c
0

=




i



(

a







0
i

·
b







0
i


)


+

c
X

-

r
Z










c
1

=




i



(

a







1
i

·
b







1
i


)


+

c
Y

-

r
X







[

FORMULA





17

]








and outputs the values c0 and c1 (S13).


The party Y performs the following processing. The random number generation means 101 first generates a random number rY and transmits the random number to the party Z (S14-1). Then, the first computation means 102 computes the value cY according to










c
Y

=




i



(


a







1
i

·
b







2
i


+

a







2
i

·
b







1
i



)


+

r
Y






[

FORMULA





18

]








and transmits the value cY to the party X (S14-2). Then, the second computation means 103 receives the random number rX from the party X and a value cZ from the party Z and computes values c1 and c2 according to











c
1

=




i



(

a







1
i

·
b







1
i


)


+

c
Y

-

r
X










c
2

=




i



(

a







2
i

·




b







2
i


)


+

c
Z

-

r
Y







[

FORMULA





19

]








and outputs the values c1 and c2 (S15).


The party Z performs the following processing. The random number generation means 101 first generates the random number rZ and transmits the random number to the party X (S16-1). Then, the first computation means 102 computes the value cZ according to










c
Z

=




i



(


a







2
i

·
b







0
i


+

a







0
i

·
b







2
i



)


+

r
Z






[

FORMULA





20

]








and transmits the value cZ to the party Y (S16-2). Then, the second computation means 103 receives the random number rY from the party Y and the value cX from the party X and computes values c0 and c2 according to











c
0

=




i



(

a







0
i

·
b







0
i


)


+

c
X

-

r
Z










c
2

=




i



(

a







2
i

·
b







2
i


)


+

c
Z

-

r
Y







[

FORMULA





21

]








and outputs the values c0 and c2 (S17). Note that the series of steps S12-1 and S12-2, the series of steps S14-1 and S14-2 and the series of steps S16-1 and S16-2 can be performed in parallel, and the steps S13, S15 and S17 can also be performed in parallel.


Then, the output part 220 computes the total sum (c0+c1+c2) of the values c0, c1 and c2 output from the parties X, Y and Z and outputs the total sum.


The following relation holds.














c
0

+

c
1

+

c
2


=






i



(





a






0
i


+

b






0
i


+

a







0
i

·
b







1
i


+






a







1
i

·
b







0
i





)


+













i



(





a







1
i

·
b







1
i


+

a







1
i

·
b







2
i


+






a







2
i

·
b







1
i





)


+












i



(





a







2
i

·
b







2
i


+

a







2
i

·
b







0
i


+






a







0
i

·
b







2
i





)








=





i




(


a






0
i


+

a






1
i


+

a






2
i



)



(





b






0
i


+

b






1
i


+






b






2
i





)









=





i




a
i

·

b
i










[

FORMULA





22

]








From the relation above, it can be seen that the sum-of-product computation (a multiplication of a and b in the case where i=1) has been correctly done.


In the processing described above, hash values or other values can be substituted for the random numbers. The data string decomposition and supply part 210 and the output part 220 can be provided in an apparatus other than the parties or provided in any one or more of the apparatuses serving as the parties.


The effect of the method according to the present invention will be compared with that of the method described in Non-Patent literature 1. Concerning the multiplications, in the method described in Non-Patent literature 1, two rounds of communications are required (the term “round” means the number of times that each of the parties X, Y and Z performing parallel processing needs to wait for the other parties to complete their respective processings), and the party X generates one random number and transmits four pieces of data, and the parties Y and Z generate no random number and transmit one piece of data. On the other hand, according to the present invention, one round of communications is required, and all the parties X, Y and Z generate one random number and transmit two pieces of data. That is, the number of rounds is reduced to a half. In addition, the number of random numbers generated and the number of pieces of data transmitted are the same as those in the method described in Non-Patent literature 1, it can be said that the bottleneck is reduced because the processings performed by the parties X, Y and Z are symmetrical to each other.


Concerning the sum-of-product computation, in the case of the method of performing an addition after repeatedly performing multiplications described in Non-Patent literature 1, the number of random numbers generated and the amount of communications are proportional to the number of elements of the input data strings. However, in the case of the method according to the present invention, the parties X, Y and Z each generate only one random number and transmit only two pieces of data to the other parties. Since the processings for any computations performed by the parties X, Y and Z are symmetrical to each other, the implementation cost can be reduced.


Third Embodiment

According to a third embodiment, a misuse detection function is added to the configurations for performing a sum-of-product computation according to the first and second embodiments. FIG. 6 shows an example of a configuration of a secure sum-of-product computation system 300, and FIG. 7 shows an example of a flow of a processing performed by the secure sum-of-product computation system 300. The secure sum-of-product computation system 300 comprises a party X, a party Y and a party Z, which are computation apparatuses that perform symmetric computation processings.


A secure sum-of-product computation according to the present invention is achieved by the three computation apparatuses, the parties X, Y and Z, cooperating to perform a total of m sets of sum-of-product computations of data strings Aq0=(a0q0, . . . , a0qna0-1), Aq1=(a1q0, . . . , a1qna1-1) and Aq2=(a2q0, . . . , a2qna2-1) and Bq0=(b0q0, . . . , b0qnb0-1), Bq1=(b1q0, . . . , b1qnb1-1) and Bq2=(b2q0, . . . , b2qnb2-1) (q=0, . . . , m−1, and m represents an integer equal to or greater than 1) (the sum-of-product computations are performed in parallel in the case where m is equal to or greater than 2). Note that na0, na1, na2, nb0, nb1 and nb2 represent natural numbers.


As shown in FIG. 8, each party has first random number generation means 301, first computation means 302, second computation means 303, second random number generation means 304, third computation means 305, fourth computation means 306 and misuse detection means 307. In FIG. 8, provided that any of the apparatuses described above is a party P, when the party P is the party X, a party P is the party Z, and a party P+ is the party Y, and subscripts 0p, 1p and 2p correspond to numerals 0, 1 and 2, respectively. When the party P is the party Y, the party P is the party X, and the party P+ is the party Z, and the subscripts 0p, 1p and 2p correspond to numerals 1, 2 and 0, respectively. When the party P is the party Z, the party P is the party Y, and the party P+ is the party X, and the subscripts 0p, 1p and 2p correspond to numerals 2, 0 and 1, respectively.


In the following, details of a cooperative computation processing performed by each party will be specifically described. Steps S21 to S27 correspond to the sum-of-product computation processing according to the first embodiment, and steps S28 to S39 are involved in a misuse detection processing. It is assumed that the parties X and Y previously share a random number sqZ, the parties Y and Z previously share a random number sqX, and the parties Z and X previously share a random number sqY. First, data strings Aq0, Aq1, Bq0 and Bq1 are input to the party X, data strings Aq1, Aq2, Bq1 and Bq2 are input to the party Y, and data strings Aq2, Aq0, Bq2 and Bq0 are input to the party Z (S21).


Then, the party X performs the following processing. The first random number generation means 301 first generates a random number rqX and transmits the random number to the party Y (S22-1). Then, the first computation means 302 computes a value cqX according to










c

q





_





X


=











q





_





i





0

,

q





_





j





1






(

e







01


q





_





i





0

,

q





_





j





1



·
a








0

q





_





i





0


·
b







1

q





_





j





1



)


+





q





_





i





1

,

q





_





j





0





(

e







10


q





_





i





1

,

q





_





j





0



·
a








1

q





_





i





1


·




b







0

q





_





j





0



)


+

r

q





_





X







[

FORMULA





23

]








and transmits the value cqX to the party Z (S22-2). Note that i0=0, . . . , na0-1, i1=0, . . . , na1-1, j0=0, . . . , nb0-1, and j1=0, . . . , nb1-1, and e01qi0,qj1 and e10qi1,qj0 each represent any number. The second computation means 303 receives a random number rqZ from the party Z and a value cqY from the party Y and computes values cq0 and cq—1 according to











c


q

_


0


=






q_i





0

,

q_j





0





(

e







00


q_i





0

,

q_j





0



·
a








0

q_i





0


·
b







0

q_j





0



)


+

c
q_X

-

r
q_Z










c

q_

1


=






q_i





1

,

q_j





1





(

e







11


q_i





1

,

q_j





1



·
a








1

q_i





1


·
b







1

q_j





1



)


+

c
q_Y

-

r
q_X







[

FORMULA





24

]








and outputs the values cq0 and cq1 (S23). Note that e00qi0,qj0 and e11qi1,qj1 represent any numbers.


The party Y performs the following processing. The random number generation means 301 first generates a random number rqY and transmits the random number to the party Z (S24-1). Then, the first computation means 302 computes the value cqY according to










c
q_Y

=






q_i





1

,

q_j





2





(

e







12


q_i





1

,

q_j





2



·
a








1

q_i





1


·
b







2






q_j

2




)


+





q_i

2

,

q_j





1





(

e







21


q_i





2

,

q_j





1



·
a








2


q_

i






2


·
b







1

q_j





1



)


+

r
q_Y






[

FORMULA





25

]








and transmits the value cqY to the party X (S24-2). Note that i2=0, . . . , na2-1 and j2=0, . . . , nb2-1, and e12qi1,qj2 and e21qi2,qj1 represent any numbers. The second computation means 303 receives the random number rqX from the party X and a value cqZ from the party Z and computes values cq1 and cq2 according to the following formula (S25).











c


q

_


1


=






q_i





1

,

q_j





1





(

e







11


q_i





1

,

q_j





1



·
a








1

q_i





1


·
b







1

q_j





1



)


+

c
q_Y

-

r
q_X









c


q

_


2


=







q_

i






2

,

q_j





2





(

e







22


q_i

2

,

q_j





2



·
a








2

q_i

2


·
b







2

q_j

2



)


+

c
q_Z

-

r
q_Y






[

FORMULA





26

]








Note that e22qi2,qj2 represents any number.


The party Z performs the following processing. The random number generation means 301 first generates the random number rqZ and transmits the random number to the party X (S26-1). Then, the first computation means 302 computes the value cqZ according to










c
q_Z

=







q_

i






2

,

q_j

0





(

e







20



q_

i






2

,

q_j





0



·
a








2


q_

i






2


·
b







0

q_j





0



)


+





q_i





0

,

q_j





2





(

e







02


q_i





0

,

q_j





2



·
a








2

q_i





2


·
b







0

q_i





0



)


+

r
q_Z






[

FORMULA





27

]








and transmits the value cqZ to the party Y (S26-2). Note that e20qi2,qj0 and e02qi0,qj2 represent any multipliers. The second computation means 303 receives the random number rqY from the party Y and the value cqX from the party X and computes values cq0 and cq2 according to the following formula (S27).











c

q_

0


=






q_i





0

,

q_j





0





(

e







00


q_i





0

,

q_j





0



·
a








0

q_i





0


·
b







0

q_j





0



)


+

c
q_X

-

r
q_Z










c

q_

2


=







q_

i






2

,

q_j





2





(

e







22


q_i

2

,

q_j





2



·
a








2

q_i

2


·
b







2

q_j

2



)


+

c
q_Z

-

r
q_Y







[

FORMULA





28

]








Note that the series of steps S22-1 and S22-2, the series of steps S24-1 and S24-2 and the series of steps S26-1 and S26-2 can be performed in parallel, and the steps S23, S25 and S27 can also be performed in parallel.


Following the steps S21 to S27, each party performs a misuse detection processing as described below.


A processing performed by the party X will be described. First, the second random number generation means 304 generates a random number sequence (αY1q0, . . . , αY1qna1-1) and a random number ρX and transmits the random number sequence and the random number to the party Y, and generates a random number sequence (αZ0q0, . . . , αZ0qna0-1) and transmits the random number sequence to the party Z (S28). Then, the third computation means 305 computes a random number sequence (αZ0q0−sqZ·a0q0, . . . , αZ0qna0-1−sqZ·a0qna0-1), transmits the random number sequence to the party Y, receives a random number sequence (αX1q0, . . . , αX1qna1-1) from the party Y and a random number sequence (αX0q0, . . . , αX0qna0-1) from the party Z, computes a random number sequence (αY1q0−sqY·a1q0, . . . , αY1qna1-1−sqY·a1qna1-1) and a value γX according to










γ
X

=






i





0

,

j





1

,
q




(

e







01


q_i





0

,

q_j





1



·
α






X







0

q_i





0


·
b







1

q_j





1



)


+





i





1

,

j





0

,
q




(

e







10


q_i





1

,

q_j





0



·
α






X







1

q_j





1


·
b







0

q_j





0



)


+

ρ
X






[

FORMULA





29

]








and transmits the random number sequence and the value to the party Z (S29). Then, the fourth computation means 306 receives a random number sequence (αZ2q0−sqZ·a2q0, . . . , αZ2qna2-1−sqZ·a2qna2-1) from the party Y and a value ρZ from the party Z, computes a value










γ
Z


=






i





2

,

j





0

,
q




{


e







20


q_i





2

,

q_j





0



·

(


α





Z






2

q_i





2



-



s
q_Z

·
a







2

q_i





2




)

·
b







0

q_j





0



-


s
q_Z

·

r
q_Z



}


+

ρ
Z






[

FORMULA





30

]








and transmits the value to the party Y (S30). Then, the misuse detection means 307 receives a value γY from the party Y, a value γ′Y and a random number sequence (αY2q0−sqY·a2q0, . . . , αY2qna2-1−sqY·a2qna2-1) from the party Z, computes















i

2

,

j





1

,
q




{


e







21


q_i





2

,

q_j





1



·

(


α





Y






2

q_i





2



-



s
q_Y

·
a







2


q_

i






2




)

·
b







1

q_j





1



+


s
q_Y

·

c
q_Y



}


-

γ
Y

+

γ
Y



,




[

FORMULA





31

]








ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq0 and cq1 if the computation result is 0 (S31).


Next, a processing performed by the party Y will be described. First, the second random number generation means 304 generates a random number sequence (αZ2q0, . . . , αZ2qna2-1) and a random number ρY and transmits the random number sequence and the random number to the party Z, and generates a random number sequence (αX1q0, . . . , αX1qna1-1) and transmits the random number sequence to the party X (S32). Then, the third computation means 305 computes a random number sequence (αX1q0−sqX·a1q0, . . . , αX1qna1-1−sqX·a1qna1-1), transmits the random number sequence to the party Z, receives a random number sequence (αY1q0, . . . , αY1qna1-1) from the party X and a random number sequence (αY2q0, . . . , αY2qna2-1) from the party Z, computes a random number sequence (αZ2q0−sqZ·a2q0, . . . , αZ2qna2-1−sqZ·a2qna2-1) and a value










γ
Y

=






i





1

,

j





2

,
q




(

e







12


q_i





1

,

q_j





2



·
α






Y







1

q_i





1


·
b







2






q_j

2




)


+





i

2

,

j





1

,
q




(

e







21


q_i





2

,

q_j





1



·
α






Y







2

q_i

2


·
b







1

q_j





1



)


+

ρ
Y






[

FORMULA





32

]








and transmits the random number sequence and the value to the party X (S33). Then, the fourth computation means 306 receives the random number ρX from the party X and a random number sequence (αX0q0−sqX·a0q0, . . . , αX0qna0-1−sqX·a0qna0-1) from the party Z, computes a value










γ
X


=






i





0

,

j





1

,
q




{


e







01


q_i





0

,

q_j





1



·

(


α





X






0

q_i





0



-



s
q_X

·
a







0

q_i





0




)

·
b







1


q_

j






1



-


s
q_X

·

r
q_X



}


+

ρ
X






[

FORMULA





33

]








and transmits the value to the party Z (S34). Then, the misuse detection means 307 receives a value γ′Z and a random number sequence (αZ0q0−sqZ·a0q0, . . . , αZ0qna0-1−sqZ·a0qna0-1) from the party X and a value γZ from the party Z, computes















i





0

,

j





2

,
q




{


e







02


q_i





0

,

q_j





2



·

(


α





Z






0

q_i





0



-



s
q_Z

·
a







0

q_i





0




)

·
b







2

q_j





2



+


s
q_Z

·

c
q_Z



}


-

γ
Z

+

γ
Z



,




[

FORMULA





34

]








ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq1 and cq2 if the computation result is 0 (S35).


Next, a processing performed by the party Z will be described. First, the second random number generation means 304 generates a random number sequence (αX0q0, . . . , αX0qna0-1) and a random number ρZ and transmits the random number sequence and the random number to the party X, and generates a random number sequence (αY2q0, . . . , αY2qna2-1) and transmits the random number sequence to the party Y (S36). Then, the third computation means 305 computes a random number sequence (αY2q0−sqY·a2q0, . . . , αY2qna2-1−sqY·a2qna2-1), transmits the random number sequence to the party X, receives a random number sequence (αZ0q0, . . . , αZ0qna0-1) from the party X and a random number sequence (αZ2q0, . . . , αZ2qna2-1) from the party Y, computes a random number sequence (αX0q0−sqX·a0q0, . . . , αX0qna0-1−sqX·a0qna0-1) and a value γZ according to










γ
Z

=






i





2

,

j





0

,
q




(

e







20



q_

i






2

,

q_j





0



·
α






Z







2

q_i





2


·
b







0


q_j





0








)


+





i





0

,

j





2

,
q




(

e







02


q_i





0

,

q_j





2



·
α






Z







0

q_i





0


·
b







2

q_j





2



)


+

ρ
Z






[

FORMULA





35

]








and transmits the random number sequence and the value to the party Y (S37). Then, the fourth computation means 306 receives a random number sequence (αY1q0−sqY·a1q0, . . . , αY1qna1-1−sqY·a1qna1-1) from the party X and a value ρY from the party Y, computes a value γ′Y according to










γ
Y


=






i





1

,

j





2

,
q




{


e







12


q_i





1

,

q_j





2



·

(


α





Y






1

q_i





1



-



s
q_Y

·
a







1

q_i





1




)

·
b







2

q_j





2



-


s
q_Y

·

r
q_Y



}


+

ρ
Y






[

FORMULA





36

]








and transmits the value to the party X (S38). Then, the misuse detection means 307 receives the value γX from the party X and the value γ′X and a random number sequence (αX1q0−sqX·a1q0, . . . , αX1qna1-1−sqX·a1qna1-1) from the party Y, computes















i





1

,

j





0

,
q




{


e







10


q_i





1





,

q_j





0



·

(


α





X






1

q_i





1



-



s
q_X

·
a







1

q_i





1




)

·
b







0

q_j





0



+


s
q_X

·

c
q_X



}


-

γ
X

+

γ
X



,




[

FORMULA





37

]








ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq2 and cq0 if the computation result is 0 (S39).


If no misuse detection occurs, the total sum of the values cq0, cq1 and cq2 output from the parties X, Y and Z can be computed to obtain a sum-of-product computation result as expressed by the following formula.











c

q_

0


+

c


q

_


1


+

c


q

_


2



=






q_i





0

,

q_j





0





(

e







00


q_i





0

,

q_j





0



·
a








0

q_i





0


·
b







0

q_j





0



)


+





q_i





0

,

q_j





1





(

e







01


q_i





0

,

q_j





1



·
a








0

q_i





0


·
b







1

q_j





1



)


+





q_i





1

,

q_j





0





(

e







10


q_i





1





,

q_j





0



·
a








1

q_i





1


·
b







0

q_j





0



)


+





q_i





1

,

q_j





1





(

e







11


q_i





1

,

q_j





1



·
a








1

q_i





1


·
b







1

q_j





1



)


+





q_i





1

,

q_j





2





(

e







12


q_i





1

,

q_j





2



·
a








1

q_i





1


·
b







2






q_j

2




)


+





q_i

2

,

q_j





1





(

e







21


q_i





2

,

q_j





1



·
a








2


q_

i






2


·
b







1

q_j





1



)


+






q_

i






2

,

q_j





2





(

e







22


q_i

2

,

q_j





2



·
a








2

q_i

2


·
b







2

q_j

2



)


+






q_

i






2

,

q_j

0





(

e







20



q_

i






2

,

q_j





0



·
a








2


q_

i






2


·
b







0

q_j





0



)


+





q_i





0

,

q_j





2





(

e







02


q_i





0

,

q_j





2



·
a








2

q_i





2


·
b







0

q_i





0



)







[

FORMULA





38

]








In the processing described above, hash values or other values can be substituted for the random numbers.


The misuse detection according to the present invention is performed once for one multiplication, one sum-of-product computation or a set of multiplications or sum-of-product computations performed in parallel. The values αP+0qi0, αP+1qi1 and αP+2qi2 (q=0, . . . , m−1) included in the value γP+ transmitted by the party P+ involved with the misuse detection function are fragments of the respective values aqi multiplied by different random numbers. Thus, if any of the values is not correct, the party P+ cannot predict the random numbers. Therefore, if the modulo is a prime number p, the probability that any misuse can be made agree with the misuse in the sum-of-product computation processing is only 1/(p−1).


Fourth Embodiment

A fourth embodiment is a specific example of the third embodiment, in which na0=na1=na2=nb0=nb1=nb2=n (n represents an integer equal to or greater than 1), and e00=e01=e10=e11=e12=e21=e22=e20=e02=1. FIG. 9 shows an example of a configuration of a secure sum-of-product computation system 400 according to this embodiment, and FIG. 10 shows an example of a flow of a processing performed by the secure sum-of-product computation system 400. The secure sum-of-product computation system 400 comprises a party X, a party Y, a party Z, a data string decomposition and supply part 410 and an output part 420. As in the third embodiment, each party has first random number generation means 301, first computation means 302, second computation means 303, second random number generation means 304, third computation means 305, fourth computation means 306 and misuse detection means 307.


The secure sum-of-product computation system 400 performs a sum-of-product computation












i
=
0


n
-
1





a






q





_





i



·

b

q





_





i







[

FORMULA





39

]








for m sets of data strings Aq=(aq0, . . . , aqn-1) and Bq=(bq0, . . . , bqn-1) (m represents an integer equal to or greater than 1, and q=0, . . . , m−1) comprising elements aqi and bqi (i=0, . . . , n−1 (n represents an integer equal to or greater than 1)), which are natural numbers smaller than a prime number p, through cooperative computation by the three computation apparatuses, the parties X, Y and Z (the sum-of-product computation is a multiplication of a and b in the case where n=1). As in the third embodiment, it is assumed that the parties X and Y previously share a random number sqZ, the parties Y and Z previously share a random number sqX, and the parties Z and X previously share a random number sqY.


Specifically, the data string decomposition and supply part 410 first decomposes the m sets of input data strings Aq and Bq in such a manner that each element aqi and bqi satisfy conditional formulas aqi=a0qi+a1qi+a2qi mod p and bqi=b0qi+b1qi+b2qi mod p (a0qi, a1qi, b0qi and b1qi represent random numbers, and p represents a prime number) and supplies data strings Aq0=(a0q0, . . . , a0qn-1), Aq1=(a1q0, . . . , a1qn-1), Bq0=(b0q0, . . . , b0qn-1) and Bq1=(b1q0, . . . , b1qn-1) to the party X, the data strings Aq1, Aq2=(a2q0, . . . , a2qn-1), Bq1 and Bq2=(b2q0, . . . , b2qn-1) to the party Y, and data strings Aq2, Aq0, Bq2 and Bq0 to the party Z (S41).


Then, the party X performs the following processing. The first random number generation means 301 first generates a random number rqX and transmits the random number to the party Y (S42-1). Then, the first computation means 302 computes a value cqX according to










c

q





_





X


=




i



(


a







0

q





_





i


·
b







1

q





_





i



+

a







1

q





_





i


·
b







0

q





_





i




)


+

r

q





_





X







[

FORMULA





40

]








and transmits the value cqX to the party Z (S42-2). Then, the second computation means 303 receives a random number rqZ from the party Z and a value cqY from the party Y and computes values cq0 and cq1 according to the following formula (S43).











c

q





_





0


=




i



(

a







0

q





_





i


·
b







0

q





_





i



)


+

c

q





_





X


-

r

q





_





Z











c

q





_





1


=




i



(

a







1

q





_





i


·
b







1

q





_





i



)


+

c

q





_





Y


-

r

q





_





X








[

FORMULA





41

]







The party Y performs the following processing. The first random number generation means 301 first generates a random number rqY and transmits the random number to the party Z (S44-1). Then, the first computation means 302 computes the value cqY according to










c

q





_





Y


=




i



(


a







1

q





_





i


·
b







2

q





_





i



+

a







2

q





_





i


·
b







1

q





_





i




)


+

r

q





_





Y







[

FORMULA





42

]








and transmits the value cqY to the party X (S44-2). Then, the second computation means 306 receives the random number rqX from the party X and a value cqZ from the party Z and computes values cq1 and cq2 according to the following formula (S45).











c

q





_





1


=




i



(

a







1

q





_





i


·
b







1

q





_





i



)


+

c

q





_





Y


-

r

q





_





X











c

q





_

2


=




i



(

a







2

q





_





i


·
b







2

q





_





i



)


+

c
Z

-

r
Y







[

FORMULA





43

]







The party Z performs the following processing. The first random number generation means 301 first generates the random number rqZ and transmits the random number to the party X (S46-1). Then, the first computation means 302 computes the value cqZ according to










c

q





_





Z


=




i



(


a







2

q





_





i


·
b







0

q





_





i



+

a







0

q





_





i


·




b







2

q





_





i




)


+

r

q





_





Z







[

FORMULA





44

]








and transmits the value cqZ to the party Y (S46-2). Then, the second computation means 303 receives the random number rqY from the party Y and the value cqX from the party X and computes values cq0 and cq2 according to the following formula (S47).











c
0

=




i



(

a







0
i

·
b







0
i


)


+

c
X

-

r
Z










c
2

=




i



(

a







2
i

·
b







2
i


)


+

c
Z

-

r
Y







[

FORMULA





45

]








Note that the series of steps S42-1 and S4-2, the series of steps S44-1 S44-2 and the series of steps S46-1 and S46-2 can be performed in parallel, and the steps S43, S45 and S47 can also be performed in parallel.


Following the steps S41 to S47, each party performs a misuse detection processing as described below. A processing performed by the party X will be described. First, the second random number generation means 304 generates a random number sequence (αY1q0, . . . , αY1qn-1) and a random number ρX and transmits the random number sequence and the random number to the party Y, and generates a random number sequence (αZ0q0, . . . , αZ0qn-1) and transmits the random number sequence to the party Z (S48). Then, the third computation means 305 computes a random number sequence (αZ0q0−sqZ·a0q0, . . . , αZ0qn-1−sqZ·a0qn-1), transmits the random number sequence to the party Y, receives a random number sequence (αX1q0, . . . , αX1qn-1) from the party Y and a random number sequence (αX0q0, . . . , αX0qn-1) from the party Z, computes a random number sequence (αY1q0−sqY·a1q0, . . . , αY1qn-1−sqY·a1qn-1) and a value γX according to










γ
X

=





i
,
q




(


α





X







0

q





_





i


·
b







1

q





_





i



+

α





X







1

q





_





i


·
b







0

q





_





i




)


+

ρ
X






[

FORMULA





46

]








and transmits the random number sequence and the value to the party Z (S49). Then, the fourth computation means 306 receives a random number sequence (αZ2q0−sqZ·a2q0, . . . , αZ2qn-1−sqZ·a2qn-1) from the party Y and a value ρZ from the party Z, computes a value γ′Z according to










γ
Z


=





i
,
q




{




(


α





Z






2

q





_





i



-



s

q





_





Z


·




a







2

q





_





i




)

·
b







0

q





_





i



-


s

q





_





Z


·

r

q





_





Z




}


+

ρ
Z






[

FORMULA





47

]








and transmits the value to the party Y (S50). Then, the misuse detection means 307 receives a value γY from the party Y, a value γ′Y and a random number sequence (αY2q0−sqY·a2q0, . . . , αY2qn-1−sqY·a2qn-1) from the party Z, computes














i
,
q




{




(


α





Y






2

q





_





i



-



s






q





_





Y



·
a







2

q





_





i




)

·
b







1

q





_





i



+


s

q





_





Y


·

c

q





_





Y




}


-

γ
Y

+

γ
Y



,




[

FORMULA





48

]








ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq0 and cq1 if the computation result is 0 (S51).


Next, a processing performed by the party Y will be described.


First, the second random number generation means 304 generates a random number sequence (αZ2q0, . . . , αZ2qn-1) and a random number ρY and transmits the random number sequence and the random number to the party Z, and generates a random number sequence (αX1q0, . . . , αX1qn-1) and transmits the random number sequence to the party X (S52). Then, the third computation means 305 computes a random number sequence (αX1q0−sqX·a1q0, . . . , αX1qn-1−sqX·a1qn-1), transmits the random number sequence to the party Z, receives a random number sequence (αY1q0, . . . , αY1qn-1) from the party X and a random number sequence (αY2q0, . . . , αY2qn-1) from the party Z, computes a random number sequence (αZ2q0−sqZ·a2q0, . . . , αZ2qn-1−sqZ·a2qn-1) and a value γY according to










γ
Y

=





i
,
q




(


α





Y







1

q





_





i


·
b







2

q





_





i



+

α





Y







2

q





_





i


·
b







1

q





_





i




)


+

ρ
Y






[

FORMULA





49

]








and transmits the random number sequence and the value to the party X (S53). Then, the fourth computation means 306 receives the random number ρX from the party X and a random number sequence (αX0q0−sqX·a0q0, . . . , αX0qn-1−sqX·a0qn-1) from the party Z, computes a value γ′X according to










γ
X


=





i
,
q




{




(


α





X






0

q





_





i



-



s

q





_





X


·




a







0

q





_





i




)

·




b







1

q





_





i



-


s

q





_





X


·

r

q





_





X




}


+

ρ
X






[

FORMULA





50

]








and transmits the value to the party Z (S54). Then, the misuse detection means 307 receives a value γ′Z and a random number sequence (αZ0q0−sqZ·a0q0, . . . , αZ0qn-1−sqZ·a0qn-1) from the party X and a value γZ from the party Z, computes














i
,
q




{




(


α





Z






0

q





_





i



-



s

q





_





Z


·
a







0

q





_





i




)

·
b







2

q





_





i



+


s

q





_





Z


·





c

q





_





Z




}


-

γ
Z

+

γ
Z



,




[

FORMULA





51

]








ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq1 and cq2 if the computation result is 0 (S55).


Next, a processing performed by the party Z will be described. First, the second random number generation means 304 generates a random number sequence (αX0q0, . . . , αX0qn-1) and a random number ρZ and transmits the random number sequence and the random number to the party X, and generates a random number sequence (αY2q0, . . . , αY2qn-1) and transmits the random number sequence to the party Y (S56). Then, the third computation means 305 computes a random number sequence (αY2q0−sqY·a2q0, . . . , αY2qn-1−sqY·a2qn-1), transmits the random number sequence to the party X, receives a random number sequence (αZ0q0, . . . , αZ0qn-1) from the party X and a random number sequence (αZ2q0, . . . , αZ2qn-1) from the party Y, computes a random number sequence (αX0q0−sqX·a0q0, . . . , αX0qn-1−sqX·a0qn-1) and a value γZ according to










γ
Z

=





i
,
q




(


α





Z







2

q





_





i


·
b







0

q





_





i



+

α





Z







0

q





_





i


·
b







2

q





_





i




)


+

ρ
Z






[

FORMULA





52

]








and transmits the random number sequence and the value to the party Y (S57). Then, the fourth computation means 306 receives a random number sequence (αY1q0−sqY·a1q0, . . . , αY1qn-1−sqY·a1qn-1) from the party X and a value ρY from the party Y, computes a value γ′Y according to










γ
Y


=





i
,
q




{




(


α





Y






1

q





_





i



-



s

q





_





Y


·
a







1

q





_





i




)

·
b







2






q





_





i




-


s

q





_





Y


·

r






q





_





Y





}


+

ρ
Y






[

FORMULA





53

]








and transmits the value to the party X (S58). Then, the misuse detection means 307 receives the value γX from the party X and the value γ′X and a random number sequence (αX1q0−sqX·a1q0, . . . , αX1qn-1−sqX·a1qn-1) from the party Y, computes














i
,
q




{




(


α





X






1
q_i


-



s
q_X

·
a







1
q_i



)

·
b







0
q_i


+


s
q_X

·

c
q_X



}


-

γ
X

+

γ
X



,




[

FORMULA





54

]








ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq2 and cq0 if the computation result is 0 (S59).


Then, the output part 420 computes the total sum (cq0+cq1+cq2) of the values cq0, cq1 and cq2 output from the parties X, Y and Z and outputs the total sum (S60).


The following relation holds.











[

FORMULA





55

]












c


q

_


0


+

c


q

_


1


+

c


q

_


2



=






i



(


a







0
q_i

·
b







0
q_i


+

a







0
q_i

·
b







1
q_i


+

a







1
q_i

·
b







0
q_i



)


+













i



(


a







1
q_i

·
b







1
q_i


+

a







1
q_i

·
b






2






q
q_i


+

a







2
q_i

·
b







1
q_i



)


+












i



(


a







2
q_i

·
b







2
q_i


+

a







2
q_i

·
b







0
q_i


+

a







0
q_i

·
b







2
q_i



)








=





i




(


a






0
q_i


+

a






1
q_i


+

a






2
q_i



)



(


b






0
q_i


+

b






1
q_i


+

b






2
q_i



)









=





i




a
q_i

·

b
q_i











From the relation above, it can be seen that the sum-of-product computation (a multiplication of aq and bq in the case where i=1 (in the case where n=1)) has been correctly done. In the processing described above, hash values or other values can be substituted for the random numbers.


The data string decomposition and supply part 410 and the output part 420 can be provided in an apparatus other than the parties or provided in any one or more of the apparatuses serving as the parties.


The effect of the method according to the present invention will be compared with that of the method described in Non-Patent literature 1. Provided that m=1, according to the present invention, the number of rounds is 2, the number of pieces of data transmitted by each party is 10, and the number of random numbers generated by each party is 5. In addition, since the value sP can be repeatedly used once it is shared among the parties, the actual number of rounds is 2, the actual number of pieces of data transmitted is 9, and the number of random numbers generated is 4. On the other hand, according to the method described in Non-Patent literature 1, the number of rounds is 4, the number of pieces of data transmitted by the party X is 20, the number of random numbers generated by the party X is 12, the number of pieces of data transmitted by the parties Y and Z is 17, and the number of random numbers generated by the parties Y and Z is 9. Therefore, the method according to the present invention is about twice as efficient as the method described in Non-Patent literature 1.


In the case where m≧2, the efficiency is further improved. According to the present invention, the number of rounds is 2, the number of pieces of data transmitted by each party is 6 m+3, and the number of random numbers generated by each party is 3 m+1. On the other hand, according to the method described in Non-Patent literature 1, the number of rounds is 4, the number of pieces of data transmitted by the party X is 20m, the number of random numbers generated by the party X is 12m, the number of pieces of data transmitted by the parties Y and Z is 17m, and the number of random numbers generated by the parties Y and Z is 9m. Therefore, the method according to the present invention is about three times as efficient as the method described in Non-Patent literature 1.


Fifth Embodiment

While the secure sum-of-product computation system 400 according to the fourth embodiment is configured to perform a sum-of-product computation expressed as













i
=
0


n
-
1





a
q_i

·

b
q_i



,




[

FORMULA





56

]








a secure sum-of-product computation system 500 according to a fifth embodiment has a configuration in which one of the values involved in the multiplication is fixed, for example. More specifically, the secure sum-of-product computation system 500 performs the following m sum-of-product computations of a data string Aq=(aq0, . . . , aqn-1) (m represents an integer equal to or greater than 1, and q=0, . . . , m−1) comprising elements aqi (q=0, . . . , m−1 (m represents an integer equal to or greater than 1), and i=0, . . . , n−1 (n represents an integer equal to or greater than 1)), which are natural numbers smaller than a prime number p, and a value b, which is a natural number smaller than the prime number p, through cooperative computation by three computation apparatuses, the parties X, Y and Z.












i
=
0


n
-
1





a
q_i

·
b





[

FORMULA





57

]








The functional configuration and the process flow are the same as those in the fourth embodiment and therefore will be described below with reference to them (that is, FIG. 9 (and FIG. 8) showing the configuration and FIG. 10 showing the process flow). As in the fourth embodiment, it is assumed that the parties X and Y previously share a random number sqZ, the parties Y and Z previously share a random number sqX, and the parties Z and X previously share a random number sqY.


Specifically, the data string decomposition and supply part 410 first decomposes the input data string Aq and the value b in such a manner that each element aqi of the data string satisfies a conditional formula aqi=a0qi+a1qi+a2qi mod p and the value satisfies a conditional formula b=b0+b1+b2 mod p (a0qi, a1q, b0 and b1 represent random numbers, and p represents a prime number) and supplies data strings Aq0=(a0q0, . . . , a0qn-1) and Aq1=(a1q0, . . . , a1qn-1) and values b0 and b1 to the party X, data strings Aq1 and Aq2=(a2q0, . . . , a2q1) and values b1 and b2 to the party Y, and data strings Aq2 and Aq0 and values b2 and b0 to the party Z (S41).


Then, the party X performs the following processing. The first random number generation means 301 first generates a random number rqX and transmits the random number to the party Y (S42-1). Then, the first computation means 302 computes a value cqX according to










c
q_X

=




i



(


a







0
q_i

·
b






1

+

a







1
q_i

·
b






0


)


+

r
q_X






[

FORMULA





58

]








and transmits the value cqX to the party Z (S42-2). Then, the second computation means 303 receives a random number rqZ from the party Z and a value cqY from the party Y and computes values cq0 and cq1 according to the following formula (S43).











c


q

_


0


=




i



(

a







0

q_

i


·
b






0

)


+

c
q_X

-

r
q_Z










c


q

_


1


=




i



(

a







1

q_

i


·
b






1

)


+

c
q_Y

-

r
q_X







[

FORMULA





59

]







The party Y performs the following processing. The random number generation means 304 first generates a random number rqY and transmits the random number to the party Z (S44-1). Then, the first computation means 305 computes the value cqY according to










c
q_Y

=




i



(


a







1
q_i

·
b






2

+

a







2
q_i

·
b






1


)


+

r
q_Y






[

FORMULA





60

]








and transmits the value cqY to the party X (S44-2). Then, the second computation means 306 receives the random number rqX from the party X and a value cqZ from the party Z and computes values cq1 and cq2 according to the following formula (S45).











c


q

_


1


=




i



(

a







1

q_

i


·
b






1

)


+

c
q_Y

-

r
q_X










c


q

_


2


=




i



(

a







2

q_

i


·
b






2

)


+

c
q_Z

-

r
q_Y







[

FORMULA





61

]







The party Z performs the following processing. The first random number generation means 301 first generates the random number rqZ and transmits the random number to the party X (S46-1). Then, the first computation means 302 computes the value cqZ according to










c
q_Z

=




i



(


a







2
q_i

·
b






0

+

a







0
q_i

·
b






2


)


+

r
q_Z






[

FORMULA





62

]








and transmits the value cqZ to the party Y (S46-2). Then, the second computation means 303 receives the random number rqY from the party Y and the value cqX from the party X and computes values cq0 and cq2 according to the following formula (S47).











c


q

_


0


=




i



(

a







0

q_

i


·
b






0

)


+

c
q_X

-

r
q_Z










c


q

_


2


=




i



(

a







2

q_

i


·
b






2

)


+

c
q_Z

-

r
q_Y







[

FORMULA





63

]








Note that the series of steps S42-1 and S42-2, the series of steps S44-1 and S44-2 and the series of steps S46-1 and S46-2 can be performed in parallel, and the steps S43, S45 and S47 can also be performed in parallel.


Following the steps S41 to S47, each party performs a misuse detection processing as described below. A processing performed by the party X will be described. First, the second random number generation means 304 generates random numbers αY1 and ρX and transmits the random numbers to the party Y, and generates a random number αZ0 and transmits the random number to the party Z (S48). Then, the third computation means 305 computes a value











α





Z





0

-




i
,
q




(



s
q_Z

·
a







0
q_i


)



,




[

FORMULA





64

]








transmits the value to the party Y, receives a random number αX1 from the party Y and a random number α0 from the party Z, computes values











α





Y





1

-




i
,
q




(



s
q_Y

·
a







1
q_i


)








and




[

FORMULA





65

]







γ
X

=


α





X






0
·
b






1

+

α





X






1
·
b






0

+

ρ
X






[

FORMULA





66

]








and transmits the values to the party Z (S49). Then, the fourth computation means 306 receives a value










α





Z





2

-




i
,
q




(



s
q_Z

·
a







2
q_i


)






[

FORMULA





67

]








from the party Y and a value ρZ from the party Z, computes a value










γ
Z


=




(


α





Z





2

-




i
,
q




(



s
q_Z

·
a







2
q_i


)



)

·
b






0

-



q




s
q_Z

·

r
q_Z

·

ρ
Z








[

FORMULA





68

]








and outputs the value to the party Y (S50).


Then, the misuse detection means 307 receives a value γY from the party Y, a value γ′Y and a value







α





Y





2

-




i
,
q




(



s
q_Y

·
a







2
q_i


)







from the party Z, computes













(


α





Y





2

-




i
,
q




(



s


q





_





Y







·
a







2

q





_





i



)



)

·
b






1

+



q




s

q





_





Y


·

c

q





_





Y




-

γ
Y

+

γ
Y



,




[

FORMULA





70

]








ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq0 and cq1 if the computation result is 0 (S51).


Next, a processing performed by the party Y will be described. First, the second random number generation means 304 generates random numbers αZ2 and ρY and transmits the random numbers to the party Z, and generates a random number αX1 and transmits the random number to the party X (S52). Then, the third computation means 305 computes a value










α





X





1

-




i
,
q




(



s






q





_





X



·




a







1

q





_





i



)






[

FORMULA





71

]








transmits the value to the party Z, receives a random number αY1 from the party X and a random number αY2 from the party Z, computes











α





Z





2

-




i
,
q




(



s

q





_





Z


·
a







2

q





_





i



)








and




[

FORMULA





72

]







γ
Y

=


α





Y






1
·
b






2

+

α





Y






2
·
b






1

+

ρ
Y






[

FORMULA





73

]








and transmits the values to the party X (S53). Then, the fourth computation means 306 receives the random number ρX from the party X and a value










α





X





0

-




i
,
q




(



s

q





_





X


·
a







0

q





_





i



)






[

FORMULA





74

]








from the party Z, computes a value γ′X according to










γ
X


=




(


α





X





0

-




i
,
q




(



s

q





_





X


·
a







0

q





_





i



)



)

·
b






1

-



q




s

q





_





X


·

r

q





_





X




+

ρ
X






[

FORMULA





75

]








and transmits the value to the party Z (S54). Then, the misuse detection means 307 receives a value γ′Z and a value










α





Z





0

-




i
,
q




(



s

q





_





Z


·
a







0

q





_





i



)






[

FORMULA





76

]








from the party X and a value γZ from the party Z, computes













(


α





Z





0

-




i
,
q




(



s

q





_





Z


·




a







0

q





_





i



)



)

·
b






2

+



q




s

q





_





Z


·

c

q





_





Z




-

γ
Z

+

γ
Z



,




[

FORMULA





77

]








ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq1 and cq2 if the computation result is 0 (S55).


Next, a processing performed by the party Z will be described. First, the second random number generation means 304 generates random numbers αX0 and ρZ and transmits the random numbers to the party X, and generates a random number αY2 and transmits the random number to the party Y (S56). Then, the third computation means 305 computes a value











α





Y





2

-




i
,
q




(



s

q





_





Y


·




a







2

q





_





i



)



,




[

FORMULA





78

]








transmits the value to the party X, receives a random number αZ0 from the party X and a random number αZ2 from the party Y, computes values











α





X





0

-




i
,
q




(



s

q





_





X


·
a







0

q





_





i



)








and




[

FORMULA





79

]







γ
Z

=


α





Z






2
·
b






0

+

α





Z






0
·
b






2

+

ρ
Z






[

FORMULA





80

]








and transmits the values to the party Y (S57). Then, the fourth computation means 306 receives a value










α





Y





1

-




i
,
q




(



s

q





_





Y


·
a







1

q





_





i



)






[

FORMULA





81

]








from the party X and a value ρY from the party Y, computes a value γ′Y according to










γ
Y


=




(


α





Y





1

-




i
,
q




(



s

q





_





Y


·




a







1

q





_





i



)



)

·
b






2

-



q




s

q





_





Y


·

r

q





_





Y




+

ρ
Y






[

FORMULA





82

]








and transmits the value to the party X (S58). Then, the misuse detection means 307 receives the value γX from the party X and the value γ′X and a value










α





X





1

-




i
,
q




(



s

q





_





X


·
a







1

q





_





i



)






[

FORMULA





83

]








from the party Y, computes













(


α





X





1

-




i
,
q




(



s

q





_





X


·
a







1

q





_





i



)



)

·
b






0

+



q




s

q





_





X


·

c

q





_





X




-

γ
X

+

γ
X



,




[

FORMULA





84

]








ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq2 and cq0 if the computation result is 0 (S59).


Then, the output part 420 computes the total sum (cq0+cq1+cq2) of the values cq0, cq1 and cq2 output from the parties X, Y and Z and outputs the total sum (S60).














c

q





_





0


+

c

q





_





1


+

c

q





_





2



=






i



(





a







0

q





_





i


·
b






0

+

a







0

q





_





i


·









b





1

+

a







1

q





_





i


·
b






0





)


+













i



(





a







1

q





_





i


·
b






1

+

a







1

q





_





i


·









b





2

+

a







2

q





_





i


·
b






1





)


+












i



(





a







2

q





_





i


·
b






2

+

a







2

q





_





i


·









b





0

+

a







0

q





_





i


·
b






2





)








=





i



(


a






0

q





_





i



+

a






1

q





_





i



+

a






2

q





_





i




)











(


b





0

+

b





1

+

b





2


)







=





i




a






q





_





i



·
b









[

FORMULA





85

]








From the relation above, it can be seen that the sum-of-product computation has been correctly done. In the processing described above, hash values or other values can be substituted for the random numbers. The data string decomposition and supply part 410 and the output part 420 can be provided in an apparatus other than the parties or provided in any one or more of the apparatuses serving as the parties.


The effect of the method according to the present invention will be compared with that of the method described in Non-Patent literature 1. According to the present invention, the number of rounds is 2, the number of pieces of data transmitted by each party is 2m, and the number of random numbers generated by each party is 3. Therefore, the method according to the present invention is about nine times as efficient as the method described in Non-Patent literature 1. An improvement is that the number of random numbers generated is constant and therefore does not depend on the value m, rather than increasing with the value m.


Sixth Embodiment

In the multiplication protocol for a and b, the secure sum-of-product computation system 300 with a misuse detection function shown in the third embodiment uses values αP0p and αPP− indicating fragment values of a value sP·a0p to compare (αP0p−αPP−)·b1p and sP·a0p·b1p and uses values αP1p and αPP+ indicating fragment values of a value sP·a1p to compare (αP1p−αPP+)·b0p and sP·a1p·b0p in order to check the validity of a0p·b1p+a1p·b0p. However, in the former comparison, the multiplication protocol of the secure sum-of-product computation system 300 involves a procedure of round-trip transmission of computed values between the parties. Specifically, the value αZ2qi2−sqZ·a2qi2 needs to be transmitted from the party Y to the party X and then transmitted from the party X back to the party Y, the value αX0qi0−sqX·a0qi0 needs to be transmitted from the party Z to the party Y and then transmitted from the party Y back to the party Z, and the value αY1qi1−sqY·a1qi1 needs to be transmitted from the party X to the party Z and then transmitted from the party Z back to the party X. Therefore, a computed value may leak during the transmission, and a server may perform a misuse (acquisition of information concerning data to be concealed) without causing a change of the computation result. That is, the third embodiment can be said to provide a configuration capable of perfect concealment as far as the server perform no misuse.


A sixth embodiment provides a configuration capable of perfect concealment even if the server performs a misuse. More specifically, the sixth embodiment provides a configuration whose protocol does not involve a round-trip transmission of a computed value that can lead to a misuse. FIG. 11 shows an example of a configuration of a secure sum-of-product computation system 600, and FIG. 12 shows an example of a flow of a processing performed by the secure sum-of-product computation system 600. The secure sum-of-product computation system 600 comprises a party X, a party Y and a party Z. As shown in FIG. 13, each party has first random number generation means 301, first computation means 302 and second computation means 303, which are the same as those of the secure sum-of-product computation system 300, as well as second random number generation means 604, third computation means 605, fourth computation means 606 and misuse detection means 607.


In the following specific description, the functions of the first random number generation means 301, the first computation means 302 and the second computation means 303 and the secure sum-of-product computation processing (steps S21 to S27) implemented by these functions are the same as those of the secure sum-of-product computation system 300 and therefore will not be further described, and the misuse detection processing, which differs from that of the secure sum-of-product computation system 300, will be particularly described.


Following the steps S21 to S27, each party performs a misuse detection processing as described below. As in the third embodiment, it is assumed that the parties X and Y previously share a random number sqZ, the parties Y and Z previously share a random number sqX, and the parties Z and X previously share a random number sqY.


A processing performed by the party X will be described. First, the second random number generation means 604 generates a random number ρX and transmits the random number to the party Y, and generates random number sequences (αZ0q0, . . . , αZ0qna0-1) and (βZ0q0, . . . , βZ0qnb0-1) and transmits the random number sequences to the party Z (S68). Then, the third computation means 605 computes random number sequences (αZ0q0−sqZ·a0q0, . . . , αZ0qna0-1−sqZ·a0qna0-1) and (βZ0q0−sqZ·b0q0, . . . , βZ0qnb0-1−sqZ·b0qnb0-1), transmits the random number sequences to the party Y, receives random number sequences (αX1q0, . . . , αX1qna1-1) and (βX1q0, . . . , βX1qnb1-1) from the party Y, computes a value γX according to










γ
X

=






i





1

,

j





0

,
q




(

e







10


q





_





i





1

,

q





_





j





0



·
α






X







1

q





_





i





1


·
b







0

q





_





j





0



)


+





i





0

,

j





1

,
q




(

e







01


q





_





i





0

,

q





_





j





1



·
a








0

q





_





i





0


·
β






X






1

q





_





j





1



)


+

ρ
X






[

FORMULA





86

]








and transmits the value to the party Z (S69). Then, the fourth computation means 606 receives a random number ρZ from the party Z, computes a value γ′Z according to










γ
Z


=




q



(


-

s

q





_





Z



·

r

q





_





Z



)


+

ρ
Z






[

FORMULA





87

]








and transmits the value to the party Y (S70). Then, the misuse detection means 607 receives a value γY from the party Y, a value γ′Y and random number sequences (αY2q0−sqY·a2q0, . . . , αY2qna2-1−sqY·a2qna2-1) and (βY2q0−sqY·b2q0, . . . , βY2qnb2-1−sqY·b2qnb2-1) from the party Z, computes















i





1

,

i





2

,

j





1

,

j





2

,
q




{







e







21


q





_





i





2

,

q





_





j





1



·

(


α





Y






2

q





_





i





2



-



s

q





_





Y


·
a







2

q





_





i





2




)

·








b






1

q





_





j





1



+

e







12


q





_





i





1

,

q





_





j





2



·

(





β





Y






2

q





_





j





2



-


s

q





_





Y


·







b






2

q





_





j





2






)

·












a






1

q





_





i





1



+


s

q





_





Y


·

c

q





_





Y







}


-

γ
Y

+

γ
Y



,




[

FORMULA





88

]








ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq0 and cq1 if the computation result is 0 (S71).


Next, a processing performed by the party Y will be described. First, the second random number generation means 604 generates a random number ρY and transmits the random number to the party Z, and generates random number sequences (αX1q0, . . . , αX1qna1-1) and (βX1q0, . . . , βX1qnb1-1) and transmits the random number sequences to the party X (S72). Then, the third computation means 605 computes random number sequences (αX1q0−sqX·a1q0, . . . , αX1qna1-1−sqX·a1qna1-1) and (βX1q0−sqX·b1q0, . . . , βX1qnb1-1−sqX·b1qnb1-1), transmits the random number sequences to the party Z, receives random number sequences (αY2q0, . . . , αY2qna2-1) and (βY2q0, . . . , βY2qnb2-1) from the party Z, computes a value γY according to










γ
Y

=






i





2

,

j





1

,
q




(

e







21


q





_





i





2

,

q





_





j





1



·
α






Y







2

q





_





i





2


·
b







1

q





_





j





1



)


+





i





1

,

j





2

,
q




(

e







12


q





_





i





1

,

q





_





j





2



·
a








1

q





_





i





1


·
β






Y






2

q





_





j





2



)


+

ρ
Y






[

FORMULA





89

]








and transmits the value to the party X (S73). Then, the fourth computation means 606 receives the random number ρX from the party X, computes a value γ′X according to










γ
X


=




q



(


-

s

q





_





X



·

r

q





_





X



)


+

ρ
X






[

FORMULA





90

]








and transmits the value to the party Z (S74). Then, the misuse detection means 607 receives a value γ′Z and random number sequences (αZ0q0−sqZ·a0q0, . . . , αZ0qna0-1−sqZ·a0qna0-1) and (βZ0−sqZ·b0q0, . . . , βZ0qnb0-1−sqZ·b0qnb0-1) from the party X and a value γZ from the party Z, computes















i





0

,

i





2

,

j





0

,

j





2

,
q




{







e







02


q





_





i





0

,

q





_





j





2



·

(


α





Z






0

q





_





i





0



-



s






q





_





Z



·
a







0

q





_





i





0




)

·











b






2

q





_





j





2



+

e







20


q





_





i





2

,

q





_





j





0



·









(


β





Z






0

q





_





j





0



-



s

q





_





Z


·
b







0

q





_





j





0




)

·













a






2

q





_





i





2



+


s

q





_





Z


·





c

q





_





Z







}


-

γ
Z

+

γ
Z



,




[

FORMULA





91

]








ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq1 and cq2 if the computation result is 0 (S75).


Next, a processing performed by the party Z will be described. First, the second random number generation means 604 generates a random number ρZ and transmits the random number to the party X, and generates random number sequences (αY2q0, . . . , αY2qna2-1) and (βY2q0, . . . , βY2qnb2-1) and transmits the random number sequences to the party Y (S76). Then, the third computation means 605 computes random number sequences (αY2q0−sqY·a2q0, . . . , αY2qna2-1−sqY·a2qna2-1) and (βY2q0−sqY·b2q0, . . . , βY2qnb2-1−sqY·b2qnb2-1), transmits the random number sequences to the party X, receives random number sequences (αZ0q0, . . . , αZ0qna0-1) and (βZ0q0, . . . , βZ0qnb0-1) from the party X, computes a value γZ according to










γ
Z

=






i





0

,

j





2

,
q




(

e







02


q





_





i





0

,

q





_





j





2



·
α






Z







0

q





_





i





0


·
b







2

q





_





j





0



)


+










i





2

,

j





0

,
q





(

e







20


q





_





i





2

,

q





_





j





0



·
a








2

q





_





i





2


·




β






Z






0

q





_





j





0



)


+

ρ
Z






[

FORMULA





92

]








and transmits the value to the party Y (S77). Then, the fourth computation means 606 receives a random number ρY from the party Y, computes a value γ′Y according to










γ
Y


=




q



(


-

s

q





_





Y



·

r

q





_





Y



)


+

ρ
Y






[

FORMULA





93

]








and transmits the value to the party X (S78). Then, the misuse detection means 607 receives the value γX from the party X and the value γ′X and random number sequences (αX1q0−sqX·a1q0, . . . , αX1qna1-1−sqX·a1qna1-1) and (βX1q0−sqX·b1q0, . . . , βX1qnb1−sqX·b1qnb1-1) from the party Y, computes















i





0

,

i





1

,

j





0

,

j





1

,
q




{




e







10


q





_





i





1

,

q





_





j





0



·

(


α





X






1

q





_





i





1



-



s

q





_





X


·
a







1

q





_





i





1




)

·











b






0

q





_





j





0



+

e







01


q





_





i





0

,





q





_





j





1



·









(


β





X






1

q





_





j





1



-



s

q





_





X


·




b







1

q





_





j





1




)

·










a






0

q





_





i





0



+


s

q





_





X


·





c

q





_





X











}


-

γ
X

+

γ
X



,




[

FORMULA





94

]








ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq2 and cq0 if the computation result is 0 (S79). In the processing described above, hash values or other values can be substituted for the random numbers.


In the multiplication protocol for a and b, the secure sum-of-product computation system 600 described above uses values βP1p and βPP+ indicating fragment values of a value sP·b1p to compare (βP1p+a0p·βPP+) and sP·a1p·b0p and uses values αP1p and αPP+ indicating fragment values of a value sP·a1p to compare (αP1p−aPP+)·b0p and sP·a1p·b0p in order to check the validity of a0p·b1p+a1p·b0p. With such a configuration, the protocol involves no round-trip transmission of computed values among the parties. Therefore, leakage of a computed value can be prevented, and therefore, the server cannot perform a misuse. In addition, the number of processing steps is the same as that of the secure sum-of-product computation system 300, the secure sum-of-product computation system 600 can maintain approximately the same level of efficiency.


Seventh Embodiment

A seventh embodiment is a specific example of the sixth embodiment, in which na0=na1=na2=nb0=nb1=nb2=n, and e00=e01=e10=e11=e12=e21=e22=e20=e02=1. FIG. 14 shows an example of a configuration of a secure sum-of-product computation system 700 according to this embodiment, and FIG. 15 shows an example of a flow of a processing performed by the secure sum-of-product computation system 700. The secure sum-of-product computation system 700 comprises a party X, a party Y, a party Z, a data string decomposition and supply part 410 and an output part 420. The data string decomposition and supply part 410 and the output part 420 are the same as those of the secure sum-of-product computation system 400 according to the fourth embodiment. As shown in FIG. 13, each party has first random number generation means 301, first computation means 302 and second computation means 303, which are the same as those of the secure sum-of-product computation system 400, as well as second random number generation means 604, third computation means 605, fourth computation means 606 and misuse detection means 607.


As with the secure sum-of-product computation system 400 according to the fourth embodiment, the secure sum-of-product computation system 700 performs each set of sum-of-product computations












i
=
0


n
-
1





a

q





_





i


·

b

q





_





i







[

FORMULA





95

]








for m sets of data strings Aq=(aq0, . . . , aqn-1) and Bq=(bq0, . . . , bqn-1) comprising elements aqi and bqi, which are natural numbers smaller than a prime number p, through cooperative computation by the three computation apparatuses, the parties X, Y and Z (the sum-of-product computation is a multiplication of aq and bq in the case where n=1).


In the following specific description, the functions of the data string decomposition and supply part 410, the first random number generation means 301, the first computation means 302, the second computation means 303 and the output part 420 and the secure sum-of-product computation processing (steps S41 to S47 and S60) implemented by these functions are the same as those of the secure sum-of-product computation system 400 according to the fourth embodiment and therefore will not be further described, and the misuse detection processing, which differs from that of the secure sum-of-product computation system 400, will be particularly described.


Following the steps S41 to S47, each party performs a misuse detection processing as described below. As in the sixth embodiment, it is assumed that the parties X and Y previously share a random number sqZ, the parties Y and Z previously share a random number sqX, and the parties Z and X previously share a random number sqY.


A processing performed by the party X will be described. First, the second random number generation means 604 generates a random number ρX, and transmits the random number to the party Y, and generates random number sequences (αZ0q0, . . . , αZ0qn-1) and (βZ0q0, . . . , βZ0qn-1) and transmits the random number sequences to the party Z (S88). Then, the third computation means 605 computes random number sequences (αZ0q0−sqZ·a0q0, . . . , αZ0qn-1−sqZ·a0qn-1) and (βZ0q0−sqZ·b0q0, . . . , βZ0qn-1−sqZ·b0qn-1), transmits the random number sequences to the party Y, receives random number sequences (αX1q0, . . . , αX1qn-1) and (βX1q0, . . . , βX1qn-1) from the party Y, computes a value γX according to










γ
X

=





i
,
q




(


α





X







1






q





_





i



·
b







0

q





_





i



+

a







0

q





_





i


·
β






X






1

q





_





i




)


+

ρ
X






[

FORMULA





96

]








and transmits the value to the party Z (S89). Then, the fourth computation means 606 receives a random number ρZ from the party Z, computes a value γ′Z according to










γ
Z


=









q




(


-

s

q





_





Z



·

r

q





_





Z



)


+

ρ
Z






[

FORMULA





97

]








and transmits the value to the party Y (S90). Then, the misuse detection means 607 receives a value γY from the party Y, a value γ′Y and random number sequences (αY2q0−sqY·a2q0, . . . , αY2qn-1−sqY·a2qn-1) and (βY2q0−sqY·b2q0, . . . , βY2qn-1−sqY·b2qn-1) from the party Z, computes














i
,
q




{










(


α





Y






2

q





_





i



-



s

q





_





Y


·
a







2


q





_





i









)

·




b







1

q





_





i



+









(


β





Y






2

q





_





i



-



s

q





_





Y


·




b







2

q





_





i




)

·




a







1

q





_





i



+










s

q





_





Y


·

c

q





_





Y






}


-

γ
Y

+

γ
Y



,




[

FORMULA





98

]








ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq0 and cq1 if the computation result is 0 (S91).


Next, a processing performed by the party Y will be described. First, the second random number generation means 604 generates a random number ρY and transmits the random number to the party Z, and generates random number sequences (αX1q0, . . . , αX1qn-1) and (βX1q0, . . . , βX1qn-1) and transmits the random number sequences to the party X (S92). Then, the third computation means 605 computes random number sequences (αX1q0−sqX·a1q0, . . . , αX1qn-1−sqX·a1qn-1) and (βX1q0−sqX·b1q0, . . . , βX1qn-1−sqX·b1qn-1), transmits the random number sequences to the party Z, receives random number sequences (αY2q0, . . . , αY2qn-1) and (βY2q0, . . . , βY2qn-1) from the party Z, computes a value γY according to










γ
Y

=





i
,
q




(


α





Y







2

q





_





i


·
b







1

q





_





i



+

a







1






q





_





i



·
β






Y






2

q





_





i




)


+

ρ
Y






[

FORMULA





99

]








and transmits the value to the party X (S93). Then, the fourth computation means 606 receives the random number ρX from the party X, computes a value γ′X according to










γ
X


=




q



(


-

s

q





_





X



·

r

q





_





X



)


+

ρ
X






[

FORMULA





100

]








and transmits the value to the party Z (S94). Then, the misuse detection means 607 receives a value γ′Z and random number sequences (αZ0q0−sqZ·a0q0, . . . , αZ0qn-1−sqZ·a0qn-1) and (βZ0q0−sqZ·b0q0, . . . , βZ0qn-1−sqZ·b0qn-1) from the party X and a value γZ from the party Z, computes














i
,
q




{










(


α





Z






0






q





_





i




-



s

q





_





Z


·
a







0

q





_





i




)

·
b







2

q





_





i



+









(


β





Z






0

q





_





i



-



s

q





_





Z


·




b







0

q





_





i




)

·




a







2

q





_





i



+










s

q





_





Z


·

c






q





_





Z







}


-

γ
Z

+

γ
Z



,




[

FORMULA





101

]








ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq1 and cq2 if the computation result is 0 (S95).


Next, a processing performed by the party Z will be described.


First, the second random number generation means 604 generates a random number ρZ and transmits the random number to the party X, and generates random number sequences (αY2q0, . . . , αY2qn-1) and (βY2q0, . . . , βY2qn-1) and transmits the random number sequences to the party Y (S96). Then, the third computation means 605 computes random number sequences (αY2q0−sqY·a2q0, . . . , αY2qn-1−sqY·a2qn-1) and (βY2q0−sqY·b2q0, . . . , βY2qn-1−sqY·b2qn-1), transmits the random number sequences to the party X, receives random number sequences (αZ0q0, . . . , αZ0qn-1) and (βZ0q0, . . . , βZ0qn-1) from the party X, computes a value γZ according to










γ
Z

=





i
,
q




(


α





Z







0

q





_





i


·
b







2

q





_





i



+

a







2

q





_





i


·
β






Z






0

q





_





i




)


+

ρ
Z






[

FORMULA





102

]








and transmits the value to the party Y (S97). Then, the fourth computation means 606 receives a random number ρY from the party Y, computes a value γ′Y according to










γ
Y


=




q



(


-

s

q





_





Y



·

r






q





_





Y




)


+

ρ
Y






[

FORMULA





103

]








and transmits the value to the party X (S98). Then, the misuse detection means 607 receives the value γX from the party X and the value γ′X and random number sequences (αX1q0−sqX·a1q0, . . . , αX1qn-1−sqX·a1qn-1) and (βX1q0−sqX·b1q0, . . . , βX1qn-1−sqX·b1qn-1) from the party Y, computes














i
,
q




{










(


α





X






1

q





_





i



-



s

q





_





X


·




a







1

q





_





i




)

·




b







0

q





_





i



+









(


β





X






1

q





_





i



-



s

q





_





X


·




b







1


q





_





i









)

·




a







0

q





_





i



+










s

q





_





X


·

c

q





_





X






}


-

γ
X

+

γ
X



,




[

FORMULA





104

]








ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq2 and cq0 if the computation result is 0 (S99). In the processing described above, hash values or other values can be substituted for the random numbers.


Eighth Embodiment

While the secure sum-of-product computation system 700 according to the seventh embodiment is configured to perform a sum-of-product computation expressed as












i
=
0


n
-
1





a

q





_





i


·

b

q





_





i







[

FORMULA





105

]








as with the secure sum-of-product computation system 400 according to the fourth embodiment and apply the method according to the embodiment 6 to the misuse detection processing for the sum-of-product computation, a secure sum-of-product computation system 800 according to an eighth embodiment has a configuration in which one of the values involved in the multiplication in the sum-of-product computation is fixed. More specifically, the secure sum-of-product computation system 800 is configured to perform the following m sum-of-product computations of a data string Aq=(aq0, . . . , aqn-1) comprising elements aqi, which are natural numbers smaller than a prime number p, and a value b, which is a natural number smaller than the prime number p, through cooperative computation by three computation apparatuses, the parties X, Y and Z, as with the secure sum-of-product computation system 500 according to the fifth embodiment and apply the misuse detection method according to the sixth embodiment to the misuse detection processing for the sum-of-product computation.












i
=
0


n
-
1





a

q





_





i


·
b





[

FORMULA





106

]







In the following specific description, the functions of the data string decomposition and supply part 410, the first random number generation means 301, the first computation means 302, the second computation means 303 and the output part 420 and the secure sum-of-product computation processing (steps S41 to S47 and S60) implemented by these functions are the same as those of the secure sum-of-product computation system 500 according to the fifth embodiment and therefore will not be further described, and the misuse detection processing, which differs from that of the secure sum-of-product computation system 500, will be particularly described. The functional configuration and the process flow are the same as those in the seventh embodiment and therefore will be described below with reference to them (that is, FIG. 14 (and FIG. 13) showing the configuration and FIG. 15 showing the process flow).


Following the steps S41 to S47, each party performs a misuse detection processing as described below. As in the seventh embodiment, it is assumed that the parties X and Y previously share a random number sqZ, the parties Y and Z previously share a random number sqX, and the parties Z and X previously share a random number sqY.


A processing performed by the party X will be described. First, the second random number generation means 604 generates a random number ρX and transmits the random number to the party Y, and generates random numbers αZ0 and βZ0q and transmits the random numbers to the party Z (S88). Then, the third computation means 605 computes random numbers











α





Z





0

-




i
,
q




(



s

q





_





Z


·




a







0

q





_





i



)



,






β





Z






0
q


-



s

q





_





Z


·
b






0






[

FORMULA





107

]








transmits the random numbers to the party Y, receives random numbers αX1 and βX1q from the party Y, computes a value γX according to










γ
X

=


α





X






1
·




b






0

+




i
,
q




(

a







0

q





_





i


·
β






X






1
q


)


+

ρ
X






[

FORMULA





108

]








and transmits the value to the party Z (S89). Then, the fourth computation means 606 receives a random number ρZ from the party Z, computes a value γ′Z according to










γ
Z


=


-



q



(


s

q





_





Z


·

r

q





_





Z



)



+

ρ
Z






[

FORMULA





109

]








and transmits the value to the party Y (S90). Then, the misuse detection means 607 receives a value γY from the party Y, a value γ′Y and values











α





Y





2

-




i
,
q




(



s

q





_





Y


·




a







2

q





_





i



)








and




[

FORMULA





110

]







β





Y






2





q



-



s

q





_





Y


·
b






2





[

FORMULA





111

]








from the party Z, computes













(


α





Y





2

-




i
,
q




(



s

q





_





Y


·
a







2

q





_





i



)



)

·
b






1

+



q



{







i



(

a






1

q





_





i




(


β





Y






2
q


-



s

q





_





Y


·




b






2


)


)


+







s

q





_





Y


·

c

q





_





Y






}


-

γ
Y

+

γ
Y



,




[

FORMULA





112

]








ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq0 and cq1 if the computation result is 0 (S91).


Next, a processing performed by the party Y will be described. First, the second random number generation means 604 generates a random number ρY and transmits the random number to the party Z, and generates random numbers αX1 and βX1q and transmits the random numbers to the party X (S92). Then, the third computation means 605 computes random numbers











α





X





1

-




i
,
q




(



s

q





_





X


·




a







1

q





_





i



)



,






β





X






1
q


-



s

q





_





X


·
b






1






[

FORMULA





113

]








transmits the random numbers to the party Z, receives random numbers αY2 and βY2q from the party Z, computes a value γY according to










γ
Y

=


α





Y






2
·
b






1

+




i
,
q




(

a







1

q





_





i


·
β






Y






2
q


)


+

ρ
Y






[

FORMULA





114

]








and transmits the value to the party X (S93). Then, the fourth computation means 606 receives the random number ρX from the party X, computes a value γ′X according to










γ
X


=


-



q



(


s

q





_





X


·

r






q





_





X




)



+

ρ
X






[

FORMULA





115

]








and transmits the value to the party Z (S94). Then, the misuse detection means 607 receives a random number γZ from the party Z and random numbers γ′Z,











α





Z





0

-




i
,
q




(



s

q





_





Z


·
a







0

q





_





i



)








and




[

FORMULA





116

]







β





Z






0
q


-



s

q





_





Z


·
b






0





[

FORMULA





117

]








from the party X, computes













(


α





Z





0

-




i
,
q




(



s

q





_





Z


·




a







0

q





_





i



)



)

·
b






2

+



q



{







i



(

a






2

q





_





i




(


β





Z






0
q


-



s

q





_





Z


·
b






0


)


)


+







s

q





_





Z


·

c

q





_





Z






}


-

γ
Z

+

γ
Z



,




[

FORMULA





118

]








ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq1 and cq2 if the computation result is 0 (S95).


Next, a processing performed by the party Z will be described. First, the second random number generation means 604 generates a random number ρZ and transmits the random number to the party X, and generates random numbers αY2 and βY2q and transmits the random numbers to the party Y (S96). Then, the third computation means 605 computes random numbers











α





Y





2

-




i
,
q




(



s
q_Y

·
a







2
q_i


)



,






β





Y






2
q


-



S
q_Y

·
b






2






[

FORMULA





119

]








transmits the random numbers to the party X, receives random numbers αZ0 and βZ0q from the party X, computes a value γZ according to










γ
Z

=


α





Z






0
·
b






2

+




i
,
q




(

a







2
q_i

·
β






Z






0
q


)


+

ρ
Z






[

FORMULA





136

]








and transmits the value to the party Y (S97). Then, the fourth computation means 606 receives a random number ρY from the party Y, computes a value γ′Y according to










γ
Y


=


-



q



(


s
q_Y

·

r
q_Y


)



+

ρ
Y






[

FORMULA





121

]








and transmits the value to the party X (S98). Then, the misuse detection means 607 receives the value γX from the party X and random numbers γ′X,











α





X





1

-




i
,
q




(



s
q_X

·
a







1
q_i


)








and




[

FORMULA





122

]







β





X






1
q


-



s
q_X

·
b






1





[

FORMULA





123

]








from the party Y, computes













(


α





X





1

-




i
,
q




(



s
q_X

·
a







1
q_i


)



)

·
b






0

+



q



{




i



(

a






0
q_i



(


β





X






1
q


-



s
q_X

·
b






1


)


)


+


s
q_X

·

c
q_X



}


-

γ
X

+

γ
X



,




[

FORMULA





124

]








ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq2 and cq0 if the computation result is 0 (S99). In the processing described above, hash values or other values can be substituted for the random numbers.


Ninth Embodiment

According to the sixth and seventh embodiments, two data strings A=(aq0, . . . , aqn-1) and B=(bq0, . . . , bqn-1) are divided into three fragment data strings A0, A1 and A2 and B0, B1 and B2, respectively, in such a manner that the fragments satisfy conditions that A=A0+A1+A2 mod p and B=B0+B1+B2 mod p, the data strings A0=(a0q0, . . . , a0qna0-1), A1=(a1q0, . . . , a1qna1-1), B0=(b0q0, . . . , b0qnb0-1) and B1=(b1q0, . . . , b1qnb1-1) are supplied to the party X as values to be concealed, the data strings A1, A2=(a2q0, . . . , a2qna2-1), B1 and B2=(b2q0, . . . , b2qnb2-1) are supplied to the party Y as values to be concealed, the data strings A2, A0, B2 and B0 are supplied to the party Z as valued to be concealed, and thus, the secure sum-of-product of these values expressed by the following formula can be securely computed by determining the value cq0+cq1+cq2 from the values cq0 and cq1, which are the results of the computation performed by the party X, the values cq1 and cq2, which are the results of the computation performed by the party Y, and the values cq2 and cq0, which are the results of the computation performed by the party Z.














q_i





0

,

q_j





0





(

e







00


q_i





0

,

q_j





0



·
a








0

q_i





0


·
b







0

q_j





0



)


+





q_i





0

,

q_j





1





(

e







01


q_i





0

,

q_j





1



·
a








0

q_i





0


·
b







1

q_j





1



)


+





q_i





1

,

q_j





0





(

e







10


q_i





1

,

q_j





0



·
a








1

q_i





1


·
b







0

q_j





0



)


+





q_i





1

,

q_j





1





(

e







11


q_i





1

,

q_j





1



·
a








1

q_i





1


·
b







1

q_j





1



)


+





q_i





1

,

q_j





2





(

e







12


q_i





1

,

q_j





2



·
a








1

q_i





1


·
b







2

q_j





2



)


+





q_i





2

,

q_j





1





(

e







21


q_i





2

,

q_j





1



·
a








2

q_i





2


·
b







1

q_j





1



)


+





q_i





2

,

q_j





2





(

e







22


q_i





2

,

q_j





2



·
a








2

q_i





2


·
b







2

q_j





2



)


+





q_i





2

,

q_j





0





(

e







20


q_i





2

,

q_j





0



·
a








2

q_i





2


·
b







0

q_j





0



)


+





q_i





0

,

q_j





2





(

e







02


q_i





0

,

q_j





2



·
a








2

q_i





2


·
b







0

q_i





0



)






[

FORMULA





125

]







Focusing on the six terms Σa0qi0·b1qj1, Σa1qi1·b0qj0, Σa1qi1·b2qj2, Σa2qi2·b1qj1, Σa2qi2·b0qj0 and Σa0qi0·b2qj2 in the above formula of the secure sum-of-product computation, one party has both the two fragment values of each term, another party has one of the two fragment values, and the remaining party has the other of the two fragment values. For example, concerning the fragment values a0qi0 and b1qj1 of the term Σa0qi0·b1qj1, the party X has both the fragment values a0qi0 and b1qj1, the party Y has only the fragment value b1qj1, and the party Z has only the fragment value a0qi0. The same holds true for the term Σa1qi1·b0qj0. A secure sum-of-product computation system 900 according to a ninth embodiment implements a method of determining a sum-of-product of two fragment values in the case where any one of three parties has both the two fragment values, another of the three parties has one of the two fragment values, and the remaining one of the three parties has the other of the two fragment values, that is, a sum-of-product computation method on which the secure sum-of-product computation according to the sixth and seventh embodiments is based.


In the following, an example in which the party X has both the fragment values, the party Y has one of the two fragment values, and the party Z has the other of the two fragment values will be described. However, the computation can also be achieved in the same manner in the cases where the party Y has both the fragment values, the party X has one of the two fragment values, and the party Z has the other of the two fragment values and where the party Z has both the fragment values, the party X has one of the two fragment values, and the party Y has the other of the two fragment values.



FIG. 16 shows an example of a configuration of the secure sum-of-product computation system 900, and FIG. 17 shows an example of a flow of a processing performed by the secure sum-of-product computation system 900. The secure sum-of-product computation system 900 comprises a party X, a party Y and a party Z, which are computation apparatuses. The party X has party-X random number generation means 901 and party-X computation means 903, the party Y has party-Y random number generation means 902 and party-Y computation means 904, and the party Z has misuse detection means 905.


The secure sum-of-product computation system 900 performs a total of m sets of sum-of-product computations of data strings Aq0=(a0q0, . . . , a0qna0-1) and Aq1=(a1q0, . . . , a1qna1-1) and data strings Bq0=(b0q0, . . . , b0qnb0-1) and Bq1=(b1q0, . . . , b1qnb1-1) expressed as the following formula by cooperative computation by the three computation apparatuses, the parties X, Y and Z (i0=0, . . . , na0-1, i1=0, . . . , na1-1, j0=0, . . . , nb0-1, j1=0, . . . , nb1-1, na0, na1, nb0 and nb1 represent natural numbers, e01qi0,qj1 and e10qi1,qj0 represent any numbers, q=0, . . . , m−1, and m represents an integer equal to or greater than 1) (the computations are performed in parallel in the case where m is equal to or greater than 2).














q_i





0

,

q_j





1





(

e







01


q_i





0

,

q_j





1



·
a








0

q_i





0


·
b







1

q_j





1



)


+





q_i





1

,

q_j





0





(

e







10


q_i





1

,

q_j





0



·
a








1

q_i





1


·
b







0

q_j





0



)






[

FORMULA





126

]







Data strings Aq0, Aq1, Bq0 and Bq1 are input to the party X, data strings Aq1 and Bq1 are input to the party Y, and data strings Aq0 and Bq0 are input to the party Z (S101).


First, the party-X random number generation means 901 in the party X generates random numbers cq1 and γ1 and random number sequences (α1q0, . . . , α1qnb0-1) and (β1q0, . . . , β1qna0-1) and transmits the random numbers and the random number sequences to the party Y (S102). In addition, the party-Y random number generation means 902 in the party Y generates a random number sq and transmits the random number to the party Z (S103).


Then, the party-X computation means 903 in the party X computes random numbers cq0 and γ0 according to











c


q

_


0


=






q_i





0

,

q_j





1





(

e







01


q_i





0

,

q_j





1



·
a








0

q_i





0


·
b







1

q_j





1



)


+





q_i





1

,

q_j





0





(

e







10


q_i





1

,

q_j





0



·
a








1

q_i





1


·
b







0

q_j





0



)


-

c


q

_


1















γ
0

=






i





0

,

j





0

,
q




(


a







0

q_i





0


·
b







1

q_i





0



+

b







0

q_j





0


·
α







1

q_j





0




)


-

γ
1







[

FORMULA





127

]








and transmits the random numbers to the party Z (S104).


In addition, the party-Y computation means 904 in the party Y receives the random numbers cq1 and γ1 and the random number sequences (α1q0, . . . , α1qnb0-1) and (β1q0, . . . , β1qna0-1) from the party X, computes number sequences (α0q0, . . . , α0qnb0-1) and (β0q0, . . . , β0qna0-1) and a value γ′ according to












α






0

q_j





0



=





q
,

q_i





1







s
q

·
e








10


q_i





1

,

q_j





0



·
a







1

q_i





1




-

α






1

q_j





0












β






0

q_i





0



=





q
,

q_j





1







s
q

·
e








01


q_i





0

,

q_j





1



·
b







1

q_j





1




-

β






1

q_i





0











γ


=




q




s
q

·

c


q

_


1




-

γ
1



,




[

FORMULA





128

]








and transmits the number sequences and the value to the party Z (S105).


Then, the misuse detection means 905 in the party Z receives the random numbers cq0 and γ0 from the party X and the random number sq, the number sequences (α0q0, . . . , α0qnb0-1) and (β0q0, . . . , β0qna0-1) and the value γ′ from the party Y, computes













q




s
q

·

c


q

_


0




-

γ
0

-





i





0

,

j





0

,
q




(


a







0

q_i





0


·
β







0

q_i





0



+

b







0

q_j





0


·
α







0

q_j





0




)


+

γ



,




[

FORMULA





129

]








and ends the processing by outputting data indicating a misuse detection if the computation result is not 0 (S106).


If the result of the computation by the misuse detection means 905 is 0, the party X outputs the random numbers cq0 and cq1, the party Y outputs the random number cq1 and 0, and the party Z outputs 0 and the random number cq0 (S107). In the processing described above, hash values or other values can be substituted for the random numbers.


Tenth Embodiment

A tenth embodiment is a specific example of the ninth embodiment, in which na0=na1=na2=nb0=nb1=nb2=n, and e00=e01=e10=e11=e12=e21=e22=e20=e02=1. The configuration and the process flow are the same as those according to the ninth embodiment (an example of the configuration is shown in FIG. 16, and an example of the process flow is shown in FIG. 17). A secure sum-of-product computation system 910 according to the tenth embodiment performs a total of m sets of sum-of-product computations of data strings Aq0=(α0q0, . . . , a0qn-1) and Aq1=(a1q0, . . . , a1qn-1) and data strings Bq0=(b0q0, . . . , b0qn-1) and Bq1=(b1q0, . . . , b1qn-1) expressed as the following formula by cooperative computation by the three computation apparatuses, the parties X, Y and Z (i=0, . . . , n−1, n represents a natural number, q=0, . . . , m−1, and m represents an integer equal to or greater than 1) (the computations are performed in parallel in the case where m is equal to or greater than 2).












q_i



a







0
q_i

·
b







1
q_i



+



q_i



a







1
q_i

·
b







0
q_i







[

FORMULA





130

]







Data strings Aq0, Aq1, Bq0 and Bq1 are input to the party X, data strings Aq1 and Bq1 are input to the party Y, and data strings Aq0 and Bq0 are input to the party Z (S101).


First, the party-X random number generation means 901 in the party X generates random numbers cq1 and γ1 and random number sequences (α1q0, . . . , α1qn-1) and (β1q0, . . . , β1qn-1) and transmits the random numbers and the random number sequences to the party Y (S102). In addition, the party-Y random number generation means 902 in the party Y generates a random number sq and transmits the random number to the party Z (S103).


Then, the party-X computation means 903 in the party X computes random numbers cq0 and γ0 according to











c


q

_


0


=




q_i



a







0
q_i

·
b







1
q_i



+



q_i



a







1
q_i

·
b







0
q_i



-

c


q

_


1











γ
0

=





i
,
q




(


a







0
q_i

·
β







1
q_i


+

b







0
q_i

·
α







1
q_i



)


-

γ
1







[

FORMULA





131

]








and transmits the random numbers to the party Z (S104).


In addition, the party-Y computation means 904 in the party Y receives the random numbers cq1 and γ1 and the random number sequences (α1q0, . . . , α1qn-1) and (β1q0, . . . , β1qn-1) from the party X, computes number sequences (α0q0, . . . , α0qn-1) and (β0q0, . . . , β0qn-1) and a value γ′ according to











α






0
q_i


=




s
q

·
a







1
q_i


-

α






1
q_i











β






0
q_i


=




s
q

·
b







1
q_i


-

β






1
q_i












γ


=




q




s
q

·

c


q

_


1




-

γ
1



,





[

FORMULA





132

]








and transmits the number sequences and the value to the party Z (S105).


Then, the misuse detection means 905 in the party Z receives the random numbers cq0 and γ0 from the party X and the random number sq, the number sequences (α0q0, . . . , α0qn-1) and (β0q0, . . . , β0qn-1) and the value γ′ from the party Y, computes













q




s
q

·

c


q

_


0




-

γ
0

-




i
,
q




(


a







0
q_i

·
β







0
q_i


+

b







0
q_i

·
α







0
q_i



)


+

γ



,




[

FORMULA





133

]








and ends the processing by outputting data indicating a misuse detection if the computation result is not 0 (S106).


If the result of the computation by the misuse detection means 905 is 0, the party X outputs the random numbers cq0 and cq1, the party Y outputs the random number cq1 and 0, and the party Z outputs 0 and the random number cq0 (S107). In the processing described above, hash values or other values can be substituted for the random numbers.


Eleventh Embodiment

A secure sum-of-product computation system 920 according to an eleventh embodiment is the secure sum-of-product computation system 910 according to the tenth embodiment that is improved so as to be able to more efficiently and securely perform the sum-of-product computation












q_i



a







0
q_i

·
b







1
q_i



+



q_i



a







1
q_i

·
b







0
q_i







[

FORMULA





134

]








with one of the multipliers in each term being fixed regardless of the values i and q, that is,













q





_





i




a






0
·
b







1

q





_





i




+




q





_





i




a






1
·
b








0

q





_





i


.







[

FORMULA





135

]







The configuration and the process flow of the secure sum-of-product computation system 920 are the same as those according to the ninth and tenth embodiment (an example of the configuration is shown in FIG. 16, and an example of the process flow is shown in FIG. 17). However, data a0 and a1 and data strings Bq0=(b0q0, . . . , b0qn-1) and Bq1=(b1q0, . . . , b1qn-1) are input to the party X, the data a1 and the data string Bq1 are input to the party Y, and the data a0 and the data string Bq0 are input to the party Z (S101).


First, the party-X random number generation means 901 in the party X generates random numbers cq1 and γ1, a random number sequence (α1q0, . . . , a1qn-1) and a random number β1 and transmits the random numbers and the random number sequence to the party Y (S102).


In addition, the party-Y random number generation means 902 in the party Y generates a random number sq and transmits the random number to the party Z (S103).


Then, the party-X computation means 903 in the party X computes random numbers cq0 and γ0 according to











c

q





_





0


=





q





_





i




a






0
·
b







1

q





_





i




+




q





_





i




a






1
·
b







0

q





_





i




-

c

q





_





1











γ
0

=


a






0
·
β






1

+




i
,
q




b







0

q





_





i


·
α







1

q





_





i




-

γ
1







[

FORMULA





136

]








and transmits the random numbers to the party Z (S104).


In addition, the party-Y computation means 904 in the party Y receives the random numbers cq1 and γ1, the random number sequence (α1q0, . . . , α1qn-1) and the random number β1 from the party X, computes a number sequence (α0q0, . . . , α0qn-1) and value β0 and γ′ according to











α






0

q





_





i



=




q





s
q

·
a






1


-

α






1

q





_





i












β





0

=





i
,
q






s
q

·
b







1

q





_





i




-

β





1











γ


=




q




s
q

·

c

q





_





1




-

γ
1



,





[

FORMULA





137

]








and transmits the number sequence and the values to the party Z (S105).


Then, the misuse detection means 905 in the party Z receives the random numbers cq0 and γ0 from the party X and the random number sq, the number sequence (α0q0, . . . , α0qn-1) and the values β0 and γ′ from the party Y, computes













q




s
q

·

c

q





_





0




-

γ
0

-

a






0
·
β






0

-




i
,
q




b







0

q





_





i


·
α







0

q





_





i




+

γ



,




[

FORMULA





138

]








and ends the processing by outputting data indicating a misuse detection if the computation result is not 0 (S106).


If the result of the computation by the misuse detection means 905 is 0, the party X outputs the random numbers cq0 and cq1, the party Y outputs the random number cq1 and 0, and the party Z outputs 0 and the random number cq0 (S107). In the processing described above, hash values or other values can be substituted for the random numbers.


The processings in the secure sum-of-product computation methods according to the present invention performed by the secure sum-of-product computation systems according to the present invention described above can be performed not only sequentially in the order described above but also in parallel with each other or individually as required or depending on the processing power of the apparatus that performs the processings. The functions of components of the secure sum-of-product computation systems according to the present invention can be combined or divided as required. Furthermore, other various modifications can be appropriately made without departing form the spirit of the present invention. In the case where the secure sum-of-product computation systems according to the embodiments of the present invention are implemented by computers, the specific processings of the functions of the apparatuses and the components thereof are described in programs. The programs are stored in a hard disk drive, for example, and a required program or data is loaded into a random access memory (RAM) for execution. The computer implements the specific processing by the CPU executing the loaded program.

Claims
  • 1. A secure sum-of-product computation method used for performing a sum-of-product computation of data strings A0=(a00, . . . , a0na0-1), A1=(a10, . . . , a1na1-1) and A2=(a20, . . . a2na2-1) and B0=(b00, . . . , b0nb0-1), B1=(b10, . . . , b1nb1-1) and B2=(b20, . . . , b2nb2-1) by cooperative computation by three computation apparatuses, which are a party X, a party Y and a party Z, the sum-of-product computation being expressed as
  • 2. A secure sum-of-product computation method used for performing, in parallel, a total of m sets of sum-of-product computations of data strings Aq—0=(a0q—0, . . . , a0q—na0-1), Aq—1=(a1q—0, . . . , a1q—na1-1) and Aq—2=(a2q—0, . . . , a2q—na2-1) and Bq—0=(b0q—0, . . . , b0q—nb0-1), Bq—1=(b1q—0, . . . , b1q—nb1-1) and Bq—2=(b2q—0, . . . , b2q—nb2-1) by cooperative computation by three computation apparatuses, which are a party X, a party Y and a party Z, the sum-of-product computations being expressed as
  • 3. The secure sum-of-product computation method according to claim 2, wherein the parties X and Y previously sharing a number sq—Z, the parties Y and Z previously sharing a number sq—X, and the parties Z and X previously sharing a number sq—Y, andsaid secure sum-of-product computation method further comprising:a party-X second random number generation step in which the party X generates a number ρX and transmits the number to the party Y, and generates number sequences (αZ0q—0, . . . , αZ0q—na0-1) and (βZ0q—0, . . . , βZ0q—nb0-1) and transmits the number sequences to the party Z;a party-X third computation step in which the party X computes number sequences (αZ0q—0−sq—Z·a0q—0, . . . , αZ0q—na0-1−sq—Z·a0q—na0-1) and (βZ0q—0−sq—Z·b0q—0, . . . , βZ0q—nb0-1−sq—Z·b0q—nb0-1) and transmits the number sequences to the party Y, receives number sequences (αX1q—0, . . . , αX1q—na1-1) and (βX1q—0, . . . , βX1q—nb1-1) from the party Y, computes a value
  • 4. The secure sum-of-product computation method according to claim 2, wherein the parties X and Y previously sharing a number sq—Z, the parties Y and Z previously sharing a number sq—X, and the parties Z and X previously sharing a number sq—Y, andsaid secure sum-of-product computation method further comprising:a party-X second random number generation step in which the party X generates a number sequence (αY1q—0, . . . , αY1q—na1-1) and a number ρX and transmits the number sequence and the number to the party Y, and generates a number sequence (αZ0q—0, . . . , αZ0q—na0-1) and transmits the number sequence to the party Z;a party-X third computation step in which the party X computes a number sequence (αZ0q—0−sq—Z·a0q—0, . . . , αZ0q—na0-1−sq—Z·a0q—na0-1) and transmits the number sequence to the party Y, receives a number sequence (αX1q—0, . . . , αX1q—na1-1) from the party Y and a number sequence (αX0q—0, . . . , αX0q—na0-1) from the party Z, computes a number sequence (αY1q—0−sq—Y·a1q—0, . . . , αY1q—na1-1−sq—Y·a1q—na1-1) and a value
  • 5. A secure sum-of-product computation method used for performing, in parallel, a total of m sets of sum-of-product computations of data strings Aq—0=(a0q—0, . . . , a0q—na0-1) and Aq—1=(a1q—0, . . . , a1q—na1-1) and Bq—0=(b0q—0, . . . b0q—na0-1) and Bq—1=(b1q—0, . . . b1q—nb1-1) by cooperative computation by three computation apparatuses, which are a party X, a party Y and a party Z, the sum-of-product computations being expressed as
  • 6. A secure sum-of-product computation method used for performing, in parallel, a total of m sets of sum-of-product computations of data a0 and a1 and data strings Bq—0=(b0q—0, . . . , b0q—nb0-1) and Bq—1=(b1q—0, . . . , b1q—nb1-1) by cooperative computation by three computation apparatuses, which are a party X, a party Y and a party Z, the sum-of-product computations being expressed as
  • 7. A secure sum-of-product computation system used for performing a sum-of-product computation of data strings A0=(a00, . . . , a0na0-1), A1=(a10, . . . , a1na1-1) and A2=(a20, . . . a2na2-1) and B0=(b00, . . . , b0nb0-1), B1=(b10, . . . , b1nb1-1) and B2=(B20, . . . , b2nb2-1) by cooperative computation by three computation apparatuses, which are a party X, a party Y and a party Z, the sum-of-product computation being expressed as
  • 8. A secure sum-of-product computation system used for performing, in parallel, a total of m sets of sum-of-product computations of data strings Aq—0=(a0q—0, . . . , a0q—na0-1), Aq—1=(a1q—0, . . . , a1q—na1-1) and Aq—0=(a2q—0, . . . , a2q—na2-1) and Bq—0=(b0q—0, . . . , b0q—nb0-1), Bq—1=(b1q—0, . . . , b1q—nb1-1) and Bq—2=(b2q—0, . . . , b2q—nb2-1) by cooperative computation by three computation apparatuses, which are a party X, by a party Y and a party Z, the sum-of-product computations being expressed as
  • 9. The secure sum-of-product computation system according to claim 8, wherein the parties X and Y previously sharing a number sq—Z, the parties Y and Z previously sharing a number sq—X, and the parties Z and X previously sharing a number sq—Y,the party X further comprises party-X second random number generation means, party-X third computation means, party-X fourth computation means and party-X misuse detection meansthe party-X second random number generation means generates a number ρX and transmits the number to the party Y, and generates number sequences (αZ0q—0, . . . , αZ0q—na0-1) and (βZ0q—0, . . . , βZ0q—nb0-1) and transmits the number sequences to the party Z, the party-X third computation means computes number sequences (αZ0q—0−sq—Z·a0q—0, . . . , αZ0q—na0-1−sq—Z·a0q—na0-1) and (βZ0q—0−sq—Z·b0q—0, . . . , βZ0q—nb0-1−sq—Z·b0q—nb0-1) and transmits the number sequences to the party Y, receives number sequences (αX1q—0, . . . , αX1q—na1-1) and (βX1q—0, . . . , βX1q—nb1-1) from the party Y, computes a value
  • 10. The secure sum-of-product computation system according to claim 8, wherein the parties X and Y previously sharing a number sq—Z, the parties Y and Z previously sharing a number sq—X, and the parties Z and X previously sharing a number sq—Y,the party X further comprises party-X second random number generation means, party-X third computation means, party-X fourth computation means and party-X misuse detection means, the party-X second random number generation means generates a number sequence (αY1q—0, . . . , αY1q—na1-1) and a number ρX and transmits the number sequence and the number to the party Y, and generates a number sequence (αZ0q—0, . . . , αZ0q—na0-1) and transmits the number sequence to the party Z, the party-X third computation means computes a number sequence (αZ0q—0−sq—Z·a0q—0, . . . , αZ0q—na0-1−sq—Z·a0q—na0-1) and transmits the number sequence to the party Y, receives a number sequence (αX1q—0, . . . , αX1q—na1-1) from the party Y and a number sequence (αX0q—0, . . . , αX0q—na0-1) from the party Z, computes a number sequence (αY1q—0−sq—Y·a1q—0, . . . , αY1q—na1-1−sq—Y·a1q—na1-1) and a value
  • 11. A secure sum-of-product computation system used for performing, in parallel, a total of m sets of sum-of-product computations of data strings Aq—0=(a0q—0, . . . , a0q—na0-1) and Aq—1=(a1q—0, . . . , a1q—na1-1) and Bq—0=(b0q—0, . . . b0q—nb0-1) and Bq—1=(b1q—0, . . . b1q—nb1-1) by cooperative computation by three computation apparatuses, which are a party X, a party Y and a party Z, the sum-of-product computations being expressed as
  • 12. A secure sum-of-product computation system used for performing, in parallel, a total of m sets of sum-of-product computations of data a0 and a1 and data strings Bq—0=(b0q—0, . . . , b0q—nb0-1) and Bq—1=(b1q—0, . . . , b1q—nb1-1) by cooperative computation by three computation apparatuses, which are a party X, a party Y and a party Z, the sum-of-product computations being expressed as
  • 13. A computation apparatus that is used in performing a sum-of-product computation by three computation apparatuses in cooperation, the three computation apparatuses serving as a party X, a party Y and a party Z and performing symmetric processings, wherein provided that any of the computation apparatuses is a party P, it is assumed that the party Z is a party P−, the party Y is a party P+, and subscripts 0p and 1p are 0 and 1, respectively, if the party P is the party X, the party X is the party P−, the party Z is the party P+, and the subscripts 0p and 1p are 1 and 2, respectively, if the party P is the party Y, and the party Y is the party P−, the party X is the party P+, and the subscripts 0p and 1p are 2 and 0, respectively, if the party P is the party Z,na0p, na1p, nb0p and nb1p represent natural numbers, i0p=0, . . . na0p−1, i1p=0, . . . , na1p−1, j0p=0, . . . , nb0p−1, and j1p=0, . . . , nb1p−1,e0p1pi0p,j1p, e1p0pi1p,j0p, e0p0pi0p,j0p and e1p1pi1p,j1p represent any numbers, andthe party P comprises:random number generation means that generates a number rP and transmits the number to the party P+;first computation means that receives data strings A0p=(a0p0, . . . , a0pna0p-1), A1p=(a1p0, . . . , a1pna1p-1), B0p=(b0p0, . . . , b0pnb0p-1) and B1pp=(b1p0, . . . , b1pnb1p-1), computes a value cP according to
  • 14. A computation apparatus that is used in performing a sum-of-product computation by three computation apparatuses in cooperation, the three computation apparatuses serving as a party X, a party Y and a party Z and performing symmetric processings, wherein provided that any of the computation apparatuses is a party P, it is assumed that the party Z is a party P−, and the party Y is a party P+, and subscripts 0p, 1p and 2p are 0, 1 and 2, respectively, if the party P is the party X, the party X is the party P−, the party Z is the party P+, and the subscripts 0p, 1p and 1p are 1, 2 and 0, respectively, if the party P is the party Y, and the party Y is the party P−, the party X is the party P+, and the subscripts 0p, 1p and 2p are 2, 0 and 1, respectively, if the party P is the party Z,m represents an integer equal to or greater than 1, na0p, na1p, na2p, nb0p and nb1p represent natural numbers, q=0, . . . , m−1, i0p=0, . . . , na0p−1, i1p=0, . . . , na1p−1, i2p=0, . . . , na2p−1, j0p=0, . . . nb0p−1, and j1p=0, . . . , nb1p−1,e0p1pi0p,j1p, e1p0pi1p,j0p, e0p0pi0p,j0p and e1p1pi1p,j1p represent any numbers, andthe party P comprises:first random number generation means that generates a number rq—P and transmits the number to the party P+;first computation means that receives data strings Aq—0p=(a0pq—0, . . . , a0pq—na0p-1) Aq—1p=(a1pq—0, . . . , a1pq—na1p-1), Bq—0p=(b0pq—0, . . . , b0pq—nb0p-1) and Bq—1p=(b1pq—0, . . . , b1pq—nb1p-1), computes a value cq—P according to
  • 15. The computation apparatus according to claim 14, wherein the parties P− and P previously share a number sq—P+, the parties P and P+ previously share a number sq—P−, and the parties P+ and P− previously share a number sq—P, andthe party P further comprises:second random number generation means that generates a number ρP and transmits the number to the party P+, and generates number sequences (αP−0pq—0, . . . , αP−0pq—na0p-1) and (βP−0pq—0, . . . , βP−0pq—nb0p-1) and transmits the number sequences to the party P−;third computation means that computes number sequences (αP−0pq—0−sq—P−·a0q—0, . . . , αP−0pq—na0p-1−sq—P−·a0pq—na0p-1) and (βP−0pq—0−sq—P−·b0pq—0, . . . , βP−0pq—na0p-1−sq—P−·b0pq—na0p-1) and transmits the number sequences to the party P+, receives number sequences (αP1pq—0, . . . , αP1pq—na1p-1) and (βP1pq—0, . . . , βP1pq—nb1p-1) from the party P+, computes a value
  • 16. A non-transitory computer readable medium including computer executable instructions that make a computer function as a computation apparatus according to claim 14.
  • 17. The computation apparatus according to claim 14, wherein the parties P− and P previously share a number sq-P+, the parties P and P+ previously share a number sq—P−, and the parties P+ and P− previously share a number sq—P, andthe party P further comprises:second random number generation means that generates a number sequence (αP+1pq—0, . . . , αP+1pq—na1p-1) and a number ρP and transmits the number sequence and the number to the party P+, and generates a number sequence (αP−0pq—0, . . . , αP−0pq—na0p-1) and transmits the number sequence to the party P−;third computation means that computes a number sequence (αP−0pq—0−sq—P−·a0pq—0, . . . , αP−0pq—na0p-1−sq—P−·a0pq—na0p-1) and transmits the number sequence to the party P+, receives a number sequence (αP1pq—0, . . . , αP1pq—na1p-1) from the party P+ and a number sequence (αP0pq—0, . . . , αP0pq—na0p-1) from the party P−, computes a number sequence (αP+1pq—0−sq—P+·a1pq—0, . . . , αP+1pq—na1p-1−sq—P+·a1pq—na1p-1) and a value
Priority Claims (3)
Number Date Country Kind
2011-012126 Jan 2011 JP national
2011-054965 Mar 2011 JP national
2011-110635 May 2011 JP national
PCT Information
Filing Document Filing Date Country Kind 371c Date
PCT/JP2012/051199 1/20/2012 WO 00 7/23/2013
Publishing Document Publishing Date Country Kind
WO2012/102203 8/2/2012 WO A
US Referenced Citations (4)
Number Name Date Kind
20090235085 Mathur Sep 2009 A1
20100054458 Schneider Mar 2010 A1
20100325443 Mattsson Dec 2010 A1
20120166582 Binder Jun 2012 A1
Non-Patent Literature Citations (2)
Entry
Chida, K. et al., “A Three-Party Secure Function Evaluation with Lightweight verifiability Revisited”, Computer Security Symposium 2010, vol. 2010, No. 9, pp. 555-560, Oct. 12, 2010 ( with English abstract ).
International Search Report Issued Feb. 21, 2012 in PCT/JP12/051199 filed Jan. 20, 2012.
Related Publications (1)
Number Date Country
20130304780 A1 Nov 2013 US