TECHNICAL FIELD
The present invention relates to a secure sum-of-product computation method, a secure sum-of-product computation system, a computation apparatus and programs therefor for performing data processings, particularly, a multiplication computation and a sum-of-product computation, while concealing data by secret sharing.
BACKGROUND ART
In the field of management and operation of so-called sensitive information, such as customer information and management information, the information to be managed is increasing in variety, and the information processing technology such as cloud computing is changing, so that measures to ensure security and privacy are becoming more important. Recently, the secret sharing art has become popular to prevent leakage of information by distributing the information among plural sites. Besides, a secure functional computation (a multi-party protocol) for deriving a specified computation result without reconstructing the distributed information is also being developed for commercialization. The secret sharing art is effective as a measure to ensure security when storing information but has a risk of leakage of information when using the information, because the information generally needs to be reconstructed for use. In view of the presence of such a risk of leakage of information, the secure functional computation can uses distributed information as operands for computation instead of the original input values and does not need to reconstruct the original input values at all in the computation process. Therefore, the secure functional computation can be said to be an advanced security art that maintains the functionality of the secret sharing art even when the information is used.
A prior art for performing a multiplication while concealing information is a multiplication protocol described in Non-Patent literature 1. A prior art for performing a sum-of-product computation while concealing information is a combination of a multiplication protocol and an addition protocol. These protocols are 3-party secure functional computation protocols that derive a result of an arithmetic/logical operation by cooperative computation by three parties (three computing entities) without reconstructing a shared input value. In the 3-party secure functional computation protocol, data is treated as a natural number smaller than a predetermined prime number p. To conceal data, which will be denoted as “a”, the data a is divided into three fragments in such a manner that the fragments satisfy the following condition.
a=a0+a1+a2 mod p
In practice, random numbers a0 and a1 are generated, and a relation holds: a2=a−a0−a1. Then, a random number sequence (a0, a1) is transmitted to a party X of the three parties, a random number sequence (a1, a2) is transmitted to a party Y of the three parties, and a random number sequence (a2, a0) is transmitted to a party Z of the three parties. Since a1 and a2 are random numbers, any of the parties X, Y and Z does not have information about the data a. However, any two of the parties can cooperate to reconstruct the data a.
Since the concealment is an additive distribution, the shared value can be equally reconstructed before or after addition of its fragments because of the interchangeability. That is, the addition and the constant multiplication of the distributed fragments can be achieved without communications. If a multiplication can additionally be performed, a logical circuit can be formed, and any computation can be performed. The multiplication needs communications and random number generation and therefore is a bottleneck of the 3-party secure functional computation.
PRIOR ART LITERATURE
Non-Patent Literature
- Non-patent literature 1: Koji Chida, Koki Hamada, Dai Ikarashi, Katsumi Takahashi, “A Three-Party Secure Function Evaluation with Lightweight Verifiability Revisited”, CSS2010, 2010.
SUMMARY OF THE INVENTION
Problems to be Solved by the Invention
In the 3-party secure functional computation, the multiplication and the sum-of-product computation requires communications and random number generation and therefore are a bottleneck in the computation processing.
More specifically, the conventional multiplication protocol requires two rounds of communications. In addition, the computation amounts and the communication amounts of the three parties are not symmetrical to each other, so that a different program needs to be implemented in each party. As a result, the implementation cost increases. In addition, the part where the computation amount and the communication amount are at the maximum constitutes a bottleneck. In addition, the sum-of-product computation generally requires a large amount of communications.
An object of the present invention is to provide a secure sum-of-product computation method, a secure sum-of-product computation system, a computation apparatus and a program therefor that can quickly perform a multiplication and a sum-of-product computation and can be readily implemented.
Means to Solve the Problems
A secure sum-of-product computation method according to the present invention is a secure sum-of-product computation method used for performing a sum-of-product computation of data strings A0=(a00, . . . , a0na0-1), A1=(a10, . . . , a1na1-1) and A2=(a20, . . . , a2na2-1) and data strings B0=(b00, . . . , b0nb0-1), B1=(b10, . . . , b1nb1-1) and B2=(b20, . . . , b2nb2-1) by cooperative computation by three computation apparatuses, which are a party X, a party Y and a party Z, the sum-of-product computation being expressed as
(i0=0, . . . , na0-1, i1=0, . . . , na1-1, i2=0, . . . , na2-1, j0=0, . . . , nb0-1, j1=0, . . . , nb1-1, and j2=0, . . . , nb2-1, na0, na1, na2, nb0, nb1 and nb2 represent natural numbers), and comprises a party-X random number generation step, a party-X first computation step, a party-X second computation step, a party-Y random number generation step, a party-Y first computation step, a party-Y second computation step, a party-Z random number generation step, a party-Z first computation step and a party-Z second computation step.
In the processing, the data strings A0, A1, B0 and B1 are input to the party X, the data strings A1, A2, B1 and B2 are input to the party Y, and the data strings A2, A0, B2 and B0 are input to the party Z.
In the party-X random number generation step, the party X generates a number rx and transmits the number to the party Y.
In the party-X first computation step, the party X computes a value cX according to
(e01i0,j1 and e10i1,j0 represent any numbers) and transmits the value to the party Z.
In the party-X second computation step, the party X receives a number rZ from the party Z and a value cY from the party Y, computes values c0 and c1 according to
(e00i0,j0 and e11i1,j1 represent any numbers) and outputs the values.
In the party-Y random number generation step, the party Y generates a number rY and transmits the number to the party Z.
In the party-Y first computation step, the party Y computes the value cY according to
(e12i1,j2 and e21i2,j1 represent any numbers) and transmits the value to the party X.
In the party-Y second computation step, the party Y receives the number rx from the party X and a value cZ from the party Z, computes values c1 and c2 according to
(e22i2,j2 represents any number) and outputs the values.
In the party-Z random number generation step, the party Z generates the number rZ and transmits the number to the party X.
In the party-Z first computation step, the party Z computes the value cZ according to
(e20i2,j0 and e02i0,j2 represent any numbers) and transmits the value to the party Y.
In the party-Z second computation step, the party Z receives the number rY from the party Y and the value cX from the party X, computes the values c0 and c2 according to
and outputs the values.
Effects of the Invention
The secure sum-of-product computation methods, the secure sum-of-product computation systems, the computation apparatuses and the programs therefor according to the present invention can quickly perform a multiplication and a sum-of-product computation, and the programs can be readily implemented because the processings performed by the parties are symmetrical to each other.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a diagram showing an example of a configuration of a secure sum-of-product computation system 100;
FIG. 2 is a diagram showing an example of a flow of a processing performed by the secure sum-of-product computation system 100;
FIG. 3 is a diagram showing an example of an internal configuration of each party of the secure sum-of-product computation systems 100 and 200;
FIG. 4 is a diagram showing an example of a configuration of a secure sum-of-product computation system 200;
FIG. 5 is a diagram showing an example of a flow of a processing performed by the secure sum-of-product computation system 200;
FIG. 6 is a diagram showing an example of a configuration of a secure sum-of-product computation system 300;
FIG. 7 is a diagram showing an example of a flow of a processing performed by the secure sum-of-product computation system 300;
FIG. 8 is a diagram showing an example of an internal configuration of each party of the secure sum-of-product computation systems 300, 400 and 500;
FIG. 9 is a diagram showing an example of a configuration of secure sum-of-product computation systems 400 and 500;
FIG. 10 is a diagram showing an example of a flow of a processing performed by the secure sum-of-product computation systems 400 and 500;
FIG. 11 is a diagram showing an example of a configuration of a secure sum-of-product computation system 600;
FIG. 12 is a diagram showing an example of a flow of a processing performed by the secure sum-of-product computation system 600;
FIG. 13 is a diagram showing an example of an internal configuration of each party of the secure sum-of-product computation systems 600, 700 and 800;
FIG. 14 is a diagram showing an example of a configuration of secure sum-of-product computation systems 700 and 800;
FIG. 15 is a diagram showing an example of a flow of a processing performed by the secure sum-of-product computation systems 700 and 800;
FIG. 16 is a diagram showing an example of a configuration of secure sum-of-product computation system 900, 910 and 920; and
FIG. 17 is a diagram showing an example of a flow of a processing performed by the secure sum-of-product computation system 900, 910 and 920.
DETAILED DESCRIPTION OF THE EMBODIMENTS
In the following, embodiments of the present invention will be described in detail.
First Embodiment
FIG. 1 shows an example of a configuration of a secure sum-of-product computation system 100, and FIG. 2 shows an example of a flow of a processing performed by the secure sum-of-product computation system 100. The secure sum-of-product computation system 100 comprises a party X, a party Y and a party Z, which are computation apparatuses that perform symmetric computation processings.
A secure sum-of-product computation according to the present invention is achieved by the three computation apparatuses, the parties X, Y and Z, cooperating to perform sum-of-product computations of data strings A0=(a00, . . . , a0na0-1), A1=(a10, . . . , a1na1-1) and A2=(a20, . . . , a2na2-1) and data strings B0=(b00, . . . , b0nb0-1), B1=(b10, . . . , b1nb1-1) and B2=(b20, . . . , b2nb2-1). Note that na0, na1, na2, nb0, nb1 and nb2 represent natural numbers.
As shown in FIG. 3, each party has random number generation means 101, first computation means 102 and second computation means 103. In FIG. 3, a subject party is denoted as P, and other parties are denoted as P− and P+. Specifically, when the subject party is the party X, another party P− is the party Z, and the remaining party P+ is the party Y. When the subject party is the party Y, another party P− is the party X, and the remaining party P+ is the party Z. When the subject party is the party Z, another party P− is the party Y, and the remaining party P+ is the party X. In this specification, the relationship between the subject party P and the other parties P− and P+ that does not change depending on which of the parties serves as the subject party P is expressed as “symmetric (symmetrical)”. And a processing performed by the parties in such a relationship is referred to as a “symmetric processing” or expressed as “symmetric (symmetrical)”.
In the following, details of a cooperative computation processing performed by each party will be specifically described. First, data strings A0, A1, B0 and B1 are input to the party X, data strings A1, A2, B1 and B2 are input to the party Y, and data strings A2, A0, B2 and B0 are input to the party Z (S1).
Then, the party X performs the following processing. The random number generation means 101 first generates a random number rX and transmits the random number to the party Y (S2-1). Then, the first computation means 102 computes a value cX according to
and transmits the value cX to the party Z (S2-2). Note that i0=0, . . . , na0-1, i1=0, . . . , na1-1, j0=0, . . . , nb0-1, j1=0, . . . , nb1-1, and e01i0,j1 and e10i1,j0 each represent any number. The second computation means 103 receives a random number rZ from the party Z and a value cY from the party Y and computes values c0 and c1 according to
and outputs the values c0 and c1 (S3). Note that e00i0,j0 and e11i1,j1 each represent any number.
The party Y performs the following processing. The random number generation means 101 first generates a random number rY and transmits the random number to the party Z (S4-1). Then, the first computation means 102 computes the value cY according to
and transmits the value cY to the party X (S4-2). Note that i2=0, . . . , na2-1, j2=0, . . . , nb2-1, and e12i1,j2 and e21i2,j1 each represent any number. The second computation means 103 receives the random number rX from the party X and a value cZ from the party Z and computes values c1 and c2 according to
and outputs the values c1 and c2 (S5). Note that e22i2,j2 represents any number.
The party Z performs the following processing. The random number generation means 101 first generates the random number rZ and transmits the random number to the party X (S6-1). Then, the first computation means 102 computes the value cZ according to
and transmits the value cZ to the party Y (S6-2). Note that e20i2,j0 and e02i0,j2 represent any numbers. The second computation means 103 receives the random number rY from the party Y and the value cX from the party X and computes values c0 and c2 according to
and outputs the values c0 and c2 (S7). Note that the series of steps S2-1 and S2-2, the series of steps S4-1 and S4-2 and the series of steps S6-1 and S6-2 can be performed in parallel, and the steps S3, S5 and S7 can also be performed in parallel.
Then, the total sum of the values c0, c1, and c2 output from the parties X, Y and Z can be computed to obtain a sum-of-product computation result as expressed by the following formula.
In the processing described above, hash values or other values can be substituted for the random numbers.
The effect of the method according to the present invention will be compared with that of the method described in Non-Patent literature 1. Most of the computations in Non-Patent literature 1 are involved with random number generation and encryption and decryption for communications in the case where no physical secure channels are available. The amount of computations for encryption and decryption agrees with the amount of communications, so that the efficiency can be evaluated by observing the number of random numbers generated and the amount of communications.
In the case where an addition is performed after repeatedly performing multiplications as described in Non-Patent literature 1, the number of random numbers generated and the amount of communications are proportional to the number of elements of the input data strings. In the method according to the present invention, the parties X, Y and Z each generate only one random number and transmit only two pieces of data to the other parties. In addition, the processings performed by the parties X, Y and Z are symmetrical to each other, so that common programs can be implemented in all the parties, and the implementation cost can be reduced.
Second Embodiment
A second embodiment is a specific example of the first embodiment, in which na0=na1=na2=nb0=nb1=nb2=n (n represents an integer equal to or greater than 1), and e00=e01=e10=e11=e12=e21=e22=e20=e02=1. FIG. 4 shows an example of a configuration of a secure sum-of-product computation system 200 according to this embodiment, and FIG. 5 shows an example of a flow of a processing performed by the secure sum-of-product computation system 200. The secure sum-of-product computation system 200 comprises a party X, a party Y, a party Z, a data string decomposition and supply part 210 and an output part 220. Each party has random number generation means 101, first computation means 102 and second computation means 103 as in the first embodiment as shown in FIG. 3.
The secure sum-of-product computation system 200 performs a sum-of-product computation
for two data strings A=(a0, . . . , an-1) and B=(b0, . . . , bn-1) comprising elements ai and bi (i=0, . . . , n−1), which are natural numbers smaller than a prime number p while concealing the contents of the data strings through cooperative computation by the three computation apparatuses, the parties X, Y and Z (the sum-of-product computation is a multiplication of a and b in the case where n=1).
Specifically, the data string decomposition and supply part 210 decomposes the input data strings A and B in such a manner that each element ai and bi satisfy conditional formulas ai=a0i+a1i+a2i mod p and bi=b0i+b1i+b2i mod p (a0i, a1i, b0i and b1i represent random numbers, and p represents a prime number) and supplies data strings A0=(a00, . . . , a0n-1), A1=(a10, . . . , a1n-1), B0=(b00, . . . , b0n-1) and B1=(b10, . . . , b1n-1) to the party X, the data strings A1, A2=(a20, . . . , a2n-1), B1 and B2=(b20, . . . , b2n-1) to the party Y, and data strings A2, A0, B2 and B0 to the party Z (S11).
Then, the party X performs the following processing. The random number generation means 101 first generates a random number rX and transmits the random number to the party Y (S12-1). Then, the first computation means 102 computes a value cX according to
and transmits the value cX to the party Z (S12-2). Then, the second computation means 103 receives a random number rZ from the party Z and a value cY from the party Y and computes values c0 and c1 according to
and outputs the values c0 and c1 (S13).
The party Y performs the following processing. The random number generation means 101 first generates a random number rY and transmits the random number to the party Z (S14-1). Then, the first computation means 102 computes the value cY according to
and transmits the value cY to the party X (S14-2). Then, the second computation means 103 receives the random number rX from the party X and a value cZ from the party Z and computes values c1 and c2 according to
and outputs the values c1 and c2 (S15).
The party Z performs the following processing. The random number generation means 101 first generates the random number rZ and transmits the random number to the party X (S16-1). Then, the first computation means 102 computes the value cZ according to
and transmits the value cZ to the party Y (S16-2). Then, the second computation means 103 receives the random number rY from the party Y and the value cX from the party X and computes values c0 and c2 according to
and outputs the values c0 and c2 (S17). Note that the series of steps S12-1 and S12-2, the series of steps S14-1 and S14-2 and the series of steps S16-1 and S16-2 can be performed in parallel, and the steps S13, S15 and S17 can also be performed in parallel.
Then, the output part 220 computes the total sum (c0+c1+c2) of the values c0, c1 and c2 output from the parties X, Y and Z and outputs the total sum.
The following relation holds.
From the relation above, it can be seen that the sum-of-product computation (a multiplication of a and b in the case where i=1) has been correctly done.
In the processing described above, hash values or other values can be substituted for the random numbers. The data string decomposition and supply part 210 and the output part 220 can be provided in an apparatus other than the parties or provided in any one or more of the apparatuses serving as the parties.
The effect of the method according to the present invention will be compared with that of the method described in Non-Patent literature 1. Concerning the multiplications, in the method described in Non-Patent literature 1, two rounds of communications are required (the term “round” means the number of times that each of the parties X, Y and Z performing parallel processing needs to wait for the other parties to complete their respective processings), and the party X generates one random number and transmits four pieces of data, and the parties Y and Z generate no random number and transmit one piece of data. On the other hand, according to the present invention, one round of communications is required, and all the parties X, Y and Z generate one random number and transmit two pieces of data. That is, the number of rounds is reduced to a half. In addition, the number of random numbers generated and the number of pieces of data transmitted are the same as those in the method described in Non-Patent literature 1, it can be said that the bottleneck is reduced because the processings performed by the parties X, Y and Z are symmetrical to each other.
Concerning the sum-of-product computation, in the case of the method of performing an addition after repeatedly performing multiplications described in Non-Patent literature 1, the number of random numbers generated and the amount of communications are proportional to the number of elements of the input data strings. However, in the case of the method according to the present invention, the parties X, Y and Z each generate only one random number and transmit only two pieces of data to the other parties. Since the processings for any computations performed by the parties X, Y and Z are symmetrical to each other, the implementation cost can be reduced.
Third Embodiment
According to a third embodiment, a misuse detection function is added to the configurations for performing a sum-of-product computation according to the first and second embodiments. FIG. 6 shows an example of a configuration of a secure sum-of-product computation system 300, and FIG. 7 shows an example of a flow of a processing performed by the secure sum-of-product computation system 300. The secure sum-of-product computation system 300 comprises a party X, a party Y and a party Z, which are computation apparatuses that perform symmetric computation processings.
A secure sum-of-product computation according to the present invention is achieved by the three computation apparatuses, the parties X, Y and Z, cooperating to perform a total of m sets of sum-of-product computations of data strings Aq—0=(a0q—0, . . . , a0q—na0-1), Aq—1=(a1q—0, . . . , a1q—na1-1) and Aq—2=(a2q—0, . . . , a2q—na2-1) and Bq—0=(b0q—0, . . . , b0q—nb0-1), Bq—1=(b1q—0, . . . , b1q—nb1-1) and Bq—2=(b2q—0, . . . , b2q—nb2-1) (q=0, . . . , m−1, and m represents an integer equal to or greater than 1) (the sum-of-product computations are performed in parallel in the case where m is equal to or greater than 2). Note that na0, na1, na2, nb0, nb1 and nb2 represent natural numbers.
As shown in FIG. 8, each party has first random number generation means 301, first computation means 302, second computation means 303, second random number generation means 304, third computation means 305, fourth computation means 306 and misuse detection means 307. In FIG. 8, provided that any of the apparatuses described above is a party P, when the party P is the party X, a party P− is the party Z, and a party P+ is the party Y, and subscripts 0p, 1p and 2p correspond to numerals 0, 1 and 2, respectively. When the party P is the party Y, the party P− is the party X, and the party P+ is the party Z, and the subscripts 0p, 1p and 2p correspond to numerals 1, 2 and 0, respectively. When the party P is the party Z, the party P− is the party Y, and the party P+ is the party X, and the subscripts 0p, 1p and 2p correspond to numerals 2, 0 and 1, respectively.
In the following, details of a cooperative computation processing performed by each party will be specifically described. Steps S21 to S27 correspond to the sum-of-product computation processing according to the first embodiment, and steps S28 to S39 are involved in a misuse detection processing. It is assumed that the parties X and Y previously share a random number sq—Z, the parties Y and Z previously share a random number sq—X, and the parties Z and X previously share a random number sq—Y. First, data strings Aq—0, Aq—1, Bq—0 and Bq—1 are input to the party X, data strings Aq—1, Aq—2, Bq—1 and Bq—2 are input to the party Y, and data strings Aq—2, Aq—0, Bq—2 and Bq—0 are input to the party Z (S21).
Then, the party X performs the following processing. The first random number generation means 301 first generates a random number rq—X and transmits the random number to the party Y (S22-1). Then, the first computation means 302 computes a value cq—X according to
and transmits the value cq—X to the party Z (S22-2). Note that i0=0, . . . , na0-1, i1=0, . . . , na1-1, j0=0, . . . , nb0-1, and j1=0, . . . , nb1-1, and e01q—i0,q—j1 and e10q—i1,q—j0 each represent any number. The second computation means 303 receives a random number rq—Z from the party Z and a value cq—Y from the party Y and computes values cq—0 and cq—1 according to
and outputs the values cq—0 and cq—1 (S23). Note that e00q—i0,q—j0 and e11q—i1,q—j1 represent any numbers.
The party Y performs the following processing. The random number generation means 301 first generates a random number rq—Y and transmits the random number to the party Z (S24-1). Then, the first computation means 302 computes the value cq—Y according to
and transmits the value cq—Y to the party X (S24-2). Note that i2=0, . . . , na2-1 and j2=0, . . . , nb2-1, and e12q—i1,q—j2 and e21q—i2,q—j1 represent any numbers. The second computation means 303 receives the random number rq—X from the party X and a value cq—Z from the party Z and computes values cq—1 and cq—2 according to the following formula (S25).
Note that e22q—i2,q—j2 represents any number.
The party Z performs the following processing. The random number generation means 301 first generates the random number rq—Z and transmits the random number to the party X (S26-1). Then, the first computation means 302 computes the value cq—Z according to
and transmits the value cq—Z to the party Y (S26-2). Note that e20q—i2,q—j0 and e02q—i0,q—j2 represent any multipliers. The second computation means 303 receives the random number rq—Y from the party Y and the value cq—X from the party X and computes values cq—0 and cq—2 according to the following formula (S27).
Note that the series of steps S22-1 and S22-2, the series of steps S24-1 and S24-2 and the series of steps S26-1 and S26-2 can be performed in parallel, and the steps S23, S25 and S27 can also be performed in parallel.
Following the steps S21 to S27, each party performs a misuse detection processing as described below.
A processing performed by the party X will be described. First, the second random number generation means 304 generates a random number sequence (αY1q—0, . . . , αY1q—na1-1) and a random number ρX and transmits the random number sequence and the random number to the party Y, and generates a random number sequence (αZ0q—0, . . . , αZ0q—na0-1) and transmits the random number sequence to the party Z (S28). Then, the third computation means 305 computes a random number sequence (αZ0q—0−sq—Z·a0q—0, . . . , αZ0q—na0-1−sq—Z·a0q—na0-1), transmits the random number sequence to the party Y, receives a random number sequence (αX1q—0, . . . , αX1q—na1-1) from the party Y and a random number sequence (αX0q—0, . . . , αX0q—na0-1) from the party Z, computes a random number sequence (αY1q—0−sq—Y·a1q—0, . . . , αY1q—na1-1−sq—Y·a1q—na1-1) and a value γX according to
and transmits the random number sequence and the value to the party Z (S29). Then, the fourth computation means 306 receives a random number sequence (αZ2q—0−sq—Z·a2q—0, . . . , αZ2q—na2-1−sq—Z·a2q—na2-1) from the party Y and a value ρZ from the party Z, computes a value
and transmits the value to the party Y (S30). Then, the misuse detection means 307 receives a value γY from the party Y, a value γ′Y and a random number sequence (αY2q—0−sq—Y·a2q—0, . . . , αY2q—na2-1−sq—Y·a2q—na2-1) from the party Z, computes
ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq—0 and cq—1 if the computation result is 0 (S31).
Next, a processing performed by the party Y will be described. First, the second random number generation means 304 generates a random number sequence (αZ2q—0, . . . , αZ2q—na2-1) and a random number ρY and transmits the random number sequence and the random number to the party Z, and generates a random number sequence (αX1q—0, . . . , αX1q—na1-1) and transmits the random number sequence to the party X (S32). Then, the third computation means 305 computes a random number sequence (αX1q—0−sq—X·a1q—0, . . . , αX1q—na1-1−sq—X·a1q—na1-1), transmits the random number sequence to the party Z, receives a random number sequence (αY1q—0, . . . , αY1q—na1-1) from the party X and a random number sequence (αY2q—0, . . . , αY2q—na2-1) from the party Z, computes a random number sequence (αZ2q—0−sq—Z·a2q—0, . . . , αZ2q—na2-1−sq—Z·a2q—na2-1) and a value
and transmits the random number sequence and the value to the party X (S33). Then, the fourth computation means 306 receives the random number ρX from the party X and a random number sequence (αX0q—0−sq—X·a0q—0, . . . , αX0q—na0-1−sq—X·a0q—na0-1) from the party Z, computes a value
and transmits the value to the party Z (S34). Then, the misuse detection means 307 receives a value γ′Z and a random number sequence (αZ0q—0−sq—Z·a0q—0, . . . , αZ0q—na0-1−sq—Z·a0q—na0-1) from the party X and a value γZ from the party Z, computes
ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq—1 and cq—2 if the computation result is 0 (S35).
Next, a processing performed by the party Z will be described. First, the second random number generation means 304 generates a random number sequence (αX0q—0, . . . , αX0q—na0-1) and a random number ρZ and transmits the random number sequence and the random number to the party X, and generates a random number sequence (αY2q—0, . . . , αY2q—na2-1) and transmits the random number sequence to the party Y (S36). Then, the third computation means 305 computes a random number sequence (αY2q—0−sq—Y·a2q—0, . . . , αY2q—na2-1−sq—Y·a2q—na2-1), transmits the random number sequence to the party X, receives a random number sequence (αZ0q—0, . . . , αZ0q—na0-1) from the party X and a random number sequence (αZ2q—0, . . . , αZ2q—na2-1) from the party Y, computes a random number sequence (αX0q—0−sq—X·a0q—0, . . . , αX0q—na0-1−sq—X·a0q—na0-1) and a value γZ according to
and transmits the random number sequence and the value to the party Y (S37). Then, the fourth computation means 306 receives a random number sequence (αY1q—0−sq—Y·a1q—0, . . . , αY1q—na1-1−sq—Y·a1q—na1-1) from the party X and a value ρY from the party Y, computes a value γ′Y according to
and transmits the value to the party X (S38). Then, the misuse detection means 307 receives the value γX from the party X and the value γ′X and a random number sequence (αX1q—0−sq—X·a1q—0, . . . , αX1q—na1-1−sq—X·a1q—na1-1) from the party Y, computes
ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq—2 and cq—0 if the computation result is 0 (S39).
If no misuse detection occurs, the total sum of the values cq—0, cq—1 and cq—2 output from the parties X, Y and Z can be computed to obtain a sum-of-product computation result as expressed by the following formula.
In the processing described above, hash values or other values can be substituted for the random numbers.
The misuse detection according to the present invention is performed once for one multiplication, one sum-of-product computation or a set of multiplications or sum-of-product computations performed in parallel. The values αP+0q—i0, αP+1q—i1 and αP+2q—i2 (q=0, . . . , m−1) included in the value γP+ transmitted by the party P+ involved with the misuse detection function are fragments of the respective values aq—i multiplied by different random numbers. Thus, if any of the values is not correct, the party P+ cannot predict the random numbers. Therefore, if the modulo is a prime number p, the probability that any misuse can be made agree with the misuse in the sum-of-product computation processing is only 1/(p−1).
Fourth Embodiment
A fourth embodiment is a specific example of the third embodiment, in which na0=na1=na2=nb0=nb1=nb2=n (n represents an integer equal to or greater than 1), and e00=e01=e10=e11=e12=e21=e22=e20=e02=1. FIG. 9 shows an example of a configuration of a secure sum-of-product computation system 400 according to this embodiment, and FIG. 10 shows an example of a flow of a processing performed by the secure sum-of-product computation system 400. The secure sum-of-product computation system 400 comprises a party X, a party Y, a party Z, a data string decomposition and supply part 410 and an output part 420. As in the third embodiment, each party has first random number generation means 301, first computation means 302, second computation means 303, second random number generation means 304, third computation means 305, fourth computation means 306 and misuse detection means 307.
The secure sum-of-product computation system 400 performs a sum-of-product computation
for m sets of data strings Aq=(aq—0, . . . , aq—n-1) and Bq=(bq—0, . . . , bq—n-1) (m represents an integer equal to or greater than 1, and q=0, . . . , m−1) comprising elements aq—i and bq—i (i=0, . . . , n−1 (n represents an integer equal to or greater than 1)), which are natural numbers smaller than a prime number p, through cooperative computation by the three computation apparatuses, the parties X, Y and Z (the sum-of-product computation is a multiplication of a and b in the case where n=1). As in the third embodiment, it is assumed that the parties X and Y previously share a random number sq—Z, the parties Y and Z previously share a random number sq—X, and the parties Z and X previously share a random number sq—Y.
Specifically, the data string decomposition and supply part 410 first decomposes the m sets of input data strings Aq and Bq in such a manner that each element aq—i and bq—i satisfy conditional formulas aq—i=a0q—i+a1q—i+a2q—i mod p and bq—i=b0q—i+b1q—i+b2q—i mod p (a0q—i, a1q—i, b0q—i and b1q—i represent random numbers, and p represents a prime number) and supplies data strings Aq—0=(a0q—0, . . . , a0q—n-1), Aq—1=(a1q—0, . . . , a1q—n-1), Bq—0=(b0q—0, . . . , b0q—n-1) and Bq—1=(b1q—0, . . . , b1q—n-1) to the party X, the data strings Aq—1, Aq—2=(a2q—0, . . . , a2q—n-1), Bq—1 and Bq—2=(b2q—0, . . . , b2q—n-1) to the party Y, and data strings Aq—2, Aq—0, Bq—2 and Bq—0 to the party Z (S41).
Then, the party X performs the following processing. The first random number generation means 301 first generates a random number rq—X and transmits the random number to the party Y (S42-1). Then, the first computation means 302 computes a value cq—X according to
and transmits the value cq—X to the party Z (S42-2). Then, the second computation means 303 receives a random number rq—Z from the party Z and a value cq—Y from the party Y and computes values cq—0 and cq—1 according to the following formula (S43).
The party Y performs the following processing. The first random number generation means 301 first generates a random number rq—Y and transmits the random number to the party Z (S44-1). Then, the first computation means 302 computes the value cq—Y according to
and transmits the value cq—Y to the party X (S44-2). Then, the second computation means 306 receives the random number rq—X from the party X and a value cq—Z from the party Z and computes values cq—1 and cq—2 according to the following formula (S45).
The party Z performs the following processing. The first random number generation means 301 first generates the random number rq—Z and transmits the random number to the party X (S46-1). Then, the first computation means 302 computes the value cq—Z according to
and transmits the value cq—Z to the party Y (S46-2). Then, the second computation means 303 receives the random number rq—Y from the party Y and the value cq—X from the party X and computes values cq—0 and cq—2 according to the following formula (S47).
Note that the series of steps S42-1 and S4-2, the series of steps S44-1 S44-2 and the series of steps S46-1 and S46-2 can be performed in parallel, and the steps S43, S45 and S47 can also be performed in parallel.
Following the steps S41 to S47, each party performs a misuse detection processing as described below. A processing performed by the party X will be described. First, the second random number generation means 304 generates a random number sequence (αY1q—0, . . . , αY1q—n-1) and a random number ρX and transmits the random number sequence and the random number to the party Y, and generates a random number sequence (αZ0q—0, . . . , αZ0q—n-1) and transmits the random number sequence to the party Z (S48). Then, the third computation means 305 computes a random number sequence (αZ0q—0−sq—Z·a0q—0, . . . , αZ0q—n-1−sq—Z·a0q—n-1), transmits the random number sequence to the party Y, receives a random number sequence (αX1q—0, . . . , αX1q—n-1) from the party Y and a random number sequence (αX0q—0, . . . , αX0q—n-1) from the party Z, computes a random number sequence (αY1q—0−sq—Y·a1q—0, . . . , αY1q—n-1−sq—Y·a1q—n-1) and a value γX according to
and transmits the random number sequence and the value to the party Z (S49). Then, the fourth computation means 306 receives a random number sequence (αZ2q—0−sq—Z·a2q—0, . . . , αZ2q—n-1−sq—Z·a2q—n-1) from the party Y and a value ρZ from the party Z, computes a value γ′Z according to
and transmits the value to the party Y (S50). Then, the misuse detection means 307 receives a value γY from the party Y, a value γ′Y and a random number sequence (αY2q—0−sq—Y·a2q—0, . . . , αY2q—n-1−sq—Y·a2q—n-1) from the party Z, computes
ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq—0 and cq—1 if the computation result is 0 (S51).
Next, a processing performed by the party Y will be described.
First, the second random number generation means 304 generates a random number sequence (αZ2q—0, . . . , αZ2q—n-1) and a random number ρY and transmits the random number sequence and the random number to the party Z, and generates a random number sequence (αX1q—0, . . . , αX1q—n-1) and transmits the random number sequence to the party X (S52). Then, the third computation means 305 computes a random number sequence (αX1q—0−sq—X·a1q—0, . . . , αX1q—n-1−sq—X·a1q—n-1), transmits the random number sequence to the party Z, receives a random number sequence (αY1q—0, . . . , αY1q—n-1) from the party X and a random number sequence (αY2q—0, . . . , αY2q—n-1) from the party Z, computes a random number sequence (αZ2q—0−sq—Z·a2q—0, . . . , αZ2q—n-1−sq—Z·a2q—n-1) and a value γY according to
and transmits the random number sequence and the value to the party X (S53). Then, the fourth computation means 306 receives the random number ρX from the party X and a random number sequence (αX0q—0−sq—X·a0q—0, . . . , αX0q—n-1−sq—X·a0q—n-1) from the party Z, computes a value γ′X according to
and transmits the value to the party Z (S54). Then, the misuse detection means 307 receives a value γ′Z and a random number sequence (αZ0q—0−sq—Z·a0q—0, . . . , αZ0q—n-1−sq—Z·a0q—n-1) from the party X and a value γZ from the party Z, computes
ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq—1 and cq—2 if the computation result is 0 (S55).
Next, a processing performed by the party Z will be described. First, the second random number generation means 304 generates a random number sequence (αX0q—0, . . . , αX0q—n-1) and a random number ρZ and transmits the random number sequence and the random number to the party X, and generates a random number sequence (αY2q—0, . . . , αY2q—n-1) and transmits the random number sequence to the party Y (S56). Then, the third computation means 305 computes a random number sequence (αY2q—0−sq—Y·a2q—0, . . . , αY2q—n-1−sq—Y·a2q—n-1), transmits the random number sequence to the party X, receives a random number sequence (αZ0q—0, . . . , αZ0q—n-1) from the party X and a random number sequence (αZ2q—0, . . . , αZ2q—n-1) from the party Y, computes a random number sequence (αX0q—0−sq—X·a0q—0, . . . , αX0q—n-1−sq—X·a0q—n-1) and a value γZ according to
and transmits the random number sequence and the value to the party Y (S57). Then, the fourth computation means 306 receives a random number sequence (αY1q—0−sq—Y·a1q—0, . . . , αY1q—n-1−sq—Y·a1q—n-1) from the party X and a value ρY from the party Y, computes a value γ′Y according to
and transmits the value to the party X (S58). Then, the misuse detection means 307 receives the value γX from the party X and the value γ′X and a random number sequence (αX1q—0−sq—X·a1q—0, . . . , αX1q—n-1−sq—X·a1q—n-1) from the party Y, computes
ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq—2 and cq—0 if the computation result is 0 (S59).
Then, the output part 420 computes the total sum (cq—0+cq—1+cq—2) of the values cq—0, cq—1 and cq—2 output from the parties X, Y and Z and outputs the total sum (S60).
The following relation holds.
From the relation above, it can be seen that the sum-of-product computation (a multiplication of aq and bq in the case where i=1 (in the case where n=1)) has been correctly done. In the processing described above, hash values or other values can be substituted for the random numbers.
The data string decomposition and supply part 410 and the output part 420 can be provided in an apparatus other than the parties or provided in any one or more of the apparatuses serving as the parties.
The effect of the method according to the present invention will be compared with that of the method described in Non-Patent literature 1. Provided that m=1, according to the present invention, the number of rounds is 2, the number of pieces of data transmitted by each party is 10, and the number of random numbers generated by each party is 5. In addition, since the value sP can be repeatedly used once it is shared among the parties, the actual number of rounds is 2, the actual number of pieces of data transmitted is 9, and the number of random numbers generated is 4. On the other hand, according to the method described in Non-Patent literature 1, the number of rounds is 4, the number of pieces of data transmitted by the party X is 20, the number of random numbers generated by the party X is 12, the number of pieces of data transmitted by the parties Y and Z is 17, and the number of random numbers generated by the parties Y and Z is 9. Therefore, the method according to the present invention is about twice as efficient as the method described in Non-Patent literature 1.
In the case where m≧2, the efficiency is further improved. According to the present invention, the number of rounds is 2, the number of pieces of data transmitted by each party is 6 m+3, and the number of random numbers generated by each party is 3 m+1. On the other hand, according to the method described in Non-Patent literature 1, the number of rounds is 4, the number of pieces of data transmitted by the party X is 20m, the number of random numbers generated by the party X is 12m, the number of pieces of data transmitted by the parties Y and Z is 17m, and the number of random numbers generated by the parties Y and Z is 9m. Therefore, the method according to the present invention is about three times as efficient as the method described in Non-Patent literature 1.
Fifth Embodiment
While the secure sum-of-product computation system 400 according to the fourth embodiment is configured to perform a sum-of-product computation expressed as
a secure sum-of-product computation system 500 according to a fifth embodiment has a configuration in which one of the values involved in the multiplication is fixed, for example. More specifically, the secure sum-of-product computation system 500 performs the following m sum-of-product computations of a data string Aq=(aq—0, . . . , aq—n-1) (m represents an integer equal to or greater than 1, and q=0, . . . , m−1) comprising elements aq—i (q=0, . . . , m−1 (m represents an integer equal to or greater than 1), and i=0, . . . , n−1 (n represents an integer equal to or greater than 1)), which are natural numbers smaller than a prime number p, and a value b, which is a natural number smaller than the prime number p, through cooperative computation by three computation apparatuses, the parties X, Y and Z.
The functional configuration and the process flow are the same as those in the fourth embodiment and therefore will be described below with reference to them (that is, FIG. 9 (and FIG. 8) showing the configuration and FIG. 10 showing the process flow). As in the fourth embodiment, it is assumed that the parties X and Y previously share a random number sq—Z, the parties Y and Z previously share a random number sq—X, and the parties Z and X previously share a random number sq—Y.
Specifically, the data string decomposition and supply part 410 first decomposes the input data string Aq and the value b in such a manner that each element aq—i of the data string satisfies a conditional formula aq—i=a0q—i+a1q—i+a2q—i mod p and the value satisfies a conditional formula b=b0+b1+b2 mod p (a0q—i, a1q—, b0 and b1 represent random numbers, and p represents a prime number) and supplies data strings Aq—0=(a0q—0, . . . , a0q—n-1) and Aq—1=(a1q—0, . . . , a1q—n-1) and values b0 and b1 to the party X, data strings Aq—1 and Aq—2=(a2q—0, . . . , a2q—1) and values b1 and b2 to the party Y, and data strings Aq—2 and Aq—0 and values b2 and b0 to the party Z (S41).
Then, the party X performs the following processing. The first random number generation means 301 first generates a random number rq—X and transmits the random number to the party Y (S42-1). Then, the first computation means 302 computes a value cq—X according to
and transmits the value cq—X to the party Z (S42-2). Then, the second computation means 303 receives a random number rq—Z from the party Z and a value cq—Y from the party Y and computes values cq—0 and cq—1 according to the following formula (S43).
The party Y performs the following processing. The random number generation means 304 first generates a random number rq—Y and transmits the random number to the party Z (S44-1). Then, the first computation means 305 computes the value cq—Y according to
and transmits the value cq—Y to the party X (S44-2). Then, the second computation means 306 receives the random number rq—X from the party X and a value cq—Z from the party Z and computes values cq—1 and cq—2 according to the following formula (S45).
The party Z performs the following processing. The first random number generation means 301 first generates the random number rq—Z and transmits the random number to the party X (S46-1). Then, the first computation means 302 computes the value cq—Z according to
and transmits the value cq—Z to the party Y (S46-2). Then, the second computation means 303 receives the random number rq—Y from the party Y and the value cq—X from the party X and computes values cq—0 and cq—2 according to the following formula (S47).
Note that the series of steps S42-1 and S42-2, the series of steps S44-1 and S44-2 and the series of steps S46-1 and S46-2 can be performed in parallel, and the steps S43, S45 and S47 can also be performed in parallel.
Following the steps S41 to S47, each party performs a misuse detection processing as described below. A processing performed by the party X will be described. First, the second random number generation means 304 generates random numbers αY1 and ρX and transmits the random numbers to the party Y, and generates a random number αZ0 and transmits the random number to the party Z (S48). Then, the third computation means 305 computes a value
transmits the value to the party Y, receives a random number αX1 from the party Y and a random number α0 from the party Z, computes values
and transmits the values to the party Z (S49). Then, the fourth computation means 306 receives a value
from the party Y and a value ρZ from the party Z, computes a value
and outputs the value to the party Y (S50).
Then, the misuse detection means 307 receives a value γY from the party Y, a value γ′Y and a value
from the party Z, computes
ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq—0 and cq—1 if the computation result is 0 (S51).
Next, a processing performed by the party Y will be described. First, the second random number generation means 304 generates random numbers αZ2 and ρY and transmits the random numbers to the party Z, and generates a random number αX1 and transmits the random number to the party X (S52). Then, the third computation means 305 computes a value
transmits the value to the party Z, receives a random number αY1 from the party X and a random number αY2 from the party Z, computes
and transmits the values to the party X (S53). Then, the fourth computation means 306 receives the random number ρX from the party X and a value
from the party Z, computes a value γ′X according to
and transmits the value to the party Z (S54). Then, the misuse detection means 307 receives a value γ′Z and a value
from the party X and a value γZ from the party Z, computes
ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq—1 and cq—2 if the computation result is 0 (S55).
Next, a processing performed by the party Z will be described. First, the second random number generation means 304 generates random numbers αX0 and ρZ and transmits the random numbers to the party X, and generates a random number αY2 and transmits the random number to the party Y (S56). Then, the third computation means 305 computes a value
transmits the value to the party X, receives a random number αZ0 from the party X and a random number αZ2 from the party Y, computes values
and transmits the values to the party Y (S57). Then, the fourth computation means 306 receives a value
from the party X and a value ρY from the party Y, computes a value γ′Y according to
and transmits the value to the party X (S58). Then, the misuse detection means 307 receives the value γX from the party X and the value γ′X and a value
from the party Y, computes
ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq—2 and cq—0 if the computation result is 0 (S59).
Then, the output part 420 computes the total sum (cq—0+cq—1+cq—2) of the values cq—0, cq—1 and cq—2 output from the parties X, Y and Z and outputs the total sum (S60).
From the relation above, it can be seen that the sum-of-product computation has been correctly done. In the processing described above, hash values or other values can be substituted for the random numbers. The data string decomposition and supply part 410 and the output part 420 can be provided in an apparatus other than the parties or provided in any one or more of the apparatuses serving as the parties.
The effect of the method according to the present invention will be compared with that of the method described in Non-Patent literature 1. According to the present invention, the number of rounds is 2, the number of pieces of data transmitted by each party is 2m, and the number of random numbers generated by each party is 3. Therefore, the method according to the present invention is about nine times as efficient as the method described in Non-Patent literature 1. An improvement is that the number of random numbers generated is constant and therefore does not depend on the value m, rather than increasing with the value m.
Sixth Embodiment
In the multiplication protocol for a and b, the secure sum-of-product computation system 300 with a misuse detection function shown in the third embodiment uses values αP0p and αPP− indicating fragment values of a value sP·a0p to compare (αP0p−αPP−)·b1p and sP·a0p·b1p and uses values αP1p and αPP+ indicating fragment values of a value sP·a1p to compare (αP1p−αPP+)·b0p and sP·a1p·b0p in order to check the validity of a0p·b1p+a1p·b0p. However, in the former comparison, the multiplication protocol of the secure sum-of-product computation system 300 involves a procedure of round-trip transmission of computed values between the parties. Specifically, the value αZ2q—i2−sq—Z·a2q—i2 needs to be transmitted from the party Y to the party X and then transmitted from the party X back to the party Y, the value αX0q—i0−sq—X·a0q—i0 needs to be transmitted from the party Z to the party Y and then transmitted from the party Y back to the party Z, and the value αY1q—i1−sq—Y·a1q—i1 needs to be transmitted from the party X to the party Z and then transmitted from the party Z back to the party X. Therefore, a computed value may leak during the transmission, and a server may perform a misuse (acquisition of information concerning data to be concealed) without causing a change of the computation result. That is, the third embodiment can be said to provide a configuration capable of perfect concealment as far as the server perform no misuse.
A sixth embodiment provides a configuration capable of perfect concealment even if the server performs a misuse. More specifically, the sixth embodiment provides a configuration whose protocol does not involve a round-trip transmission of a computed value that can lead to a misuse. FIG. 11 shows an example of a configuration of a secure sum-of-product computation system 600, and FIG. 12 shows an example of a flow of a processing performed by the secure sum-of-product computation system 600. The secure sum-of-product computation system 600 comprises a party X, a party Y and a party Z. As shown in FIG. 13, each party has first random number generation means 301, first computation means 302 and second computation means 303, which are the same as those of the secure sum-of-product computation system 300, as well as second random number generation means 604, third computation means 605, fourth computation means 606 and misuse detection means 607.
In the following specific description, the functions of the first random number generation means 301, the first computation means 302 and the second computation means 303 and the secure sum-of-product computation processing (steps S21 to S27) implemented by these functions are the same as those of the secure sum-of-product computation system 300 and therefore will not be further described, and the misuse detection processing, which differs from that of the secure sum-of-product computation system 300, will be particularly described.
Following the steps S21 to S27, each party performs a misuse detection processing as described below. As in the third embodiment, it is assumed that the parties X and Y previously share a random number sq—Z, the parties Y and Z previously share a random number sq—X, and the parties Z and X previously share a random number sq—Y.
A processing performed by the party X will be described. First, the second random number generation means 604 generates a random number ρX and transmits the random number to the party Y, and generates random number sequences (αZ0q—0, . . . , αZ0q—na0-1) and (βZ0q—0, . . . , βZ0q—nb0-1) and transmits the random number sequences to the party Z (S68). Then, the third computation means 605 computes random number sequences (αZ0q—0−sq—Z·a0q—0, . . . , αZ0q—na0-1−sq—Z·a0q—na0-1) and (βZ0q—0−sq—Z·b0q—0, . . . , βZ0q—nb0-1−sq—Z·b0q—nb0-1), transmits the random number sequences to the party Y, receives random number sequences (αX1q—0, . . . , αX1q—na1-1) and (βX1q—0, . . . , βX1q—nb1-1) from the party Y, computes a value γX according to
and transmits the value to the party Z (S69). Then, the fourth computation means 606 receives a random number ρZ from the party Z, computes a value γ′Z according to
and transmits the value to the party Y (S70). Then, the misuse detection means 607 receives a value γY from the party Y, a value γ′Y and random number sequences (αY2q—0−sq—Y·a2q—0, . . . , αY2q—na2-1−sq—Y·a2q—na2-1) and (βY2q—0−sq—Y·b2q—0, . . . , βY2q—nb2-1−sq—Y·b2q—nb2-1) from the party Z, computes
ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq—0 and cq—1 if the computation result is 0 (S71).
Next, a processing performed by the party Y will be described. First, the second random number generation means 604 generates a random number ρY and transmits the random number to the party Z, and generates random number sequences (αX1q—0, . . . , αX1q—na1-1) and (βX1q—0, . . . , βX1q—nb1-1) and transmits the random number sequences to the party X (S72). Then, the third computation means 605 computes random number sequences (αX1q—0−sq—X·a1q—0, . . . , αX1q—na1-1−sq—X·a1q—na1-1) and (βX1q—0−sq—X·b1q—0, . . . , βX1q—nb1-1−sq—X·b1q—nb1-1), transmits the random number sequences to the party Z, receives random number sequences (αY2q—0, . . . , αY2q—na2-1) and (βY2q—0, . . . , βY2q—nb2-1) from the party Z, computes a value γY according to
and transmits the value to the party X (S73). Then, the fourth computation means 606 receives the random number ρX from the party X, computes a value γ′X according to
and transmits the value to the party Z (S74). Then, the misuse detection means 607 receives a value γ′Z and random number sequences (αZ0q—0−sq—Z·a0q—0, . . . , αZ0q—na0-1−sq—Z·a0q—na0-1) and (βZ0−sq—Z·b0q—0, . . . , βZ0q—nb0-1−sq—Z·b0q—nb0-1) from the party X and a value γZ from the party Z, computes
ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq—1 and cq—2 if the computation result is 0 (S75).
Next, a processing performed by the party Z will be described. First, the second random number generation means 604 generates a random number ρZ and transmits the random number to the party X, and generates random number sequences (αY2q—0, . . . , αY2q—na2-1) and (βY2q—0, . . . , βY2q—nb2-1) and transmits the random number sequences to the party Y (S76). Then, the third computation means 605 computes random number sequences (αY2q—0−sq—Y·a2q—0, . . . , αY2q—na2-1−sq—Y·a2q—na2-1) and (βY2q—0−sq—Y·b2q—0, . . . , βY2q—nb2-1−sq—Y·b2q—nb2-1), transmits the random number sequences to the party X, receives random number sequences (αZ0q—0, . . . , αZ0q—na0-1) and (βZ0q—0, . . . , βZ0q—nb0-1) from the party X, computes a value γZ according to
and transmits the value to the party Y (S77). Then, the fourth computation means 606 receives a random number ρY from the party Y, computes a value γ′Y according to
and transmits the value to the party X (S78). Then, the misuse detection means 607 receives the value γX from the party X and the value γ′X and random number sequences (αX1q—0−sq—X·a1q—0, . . . , αX1q—na1-1−sq—X·a1q—na1-1) and (βX1q—0−sq—X·b1q—0, . . . , βX1q—nb1−sq—X·b1q—nb1-1) from the party Y, computes
ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq—2 and cq—0 if the computation result is 0 (S79). In the processing described above, hash values or other values can be substituted for the random numbers.
In the multiplication protocol for a and b, the secure sum-of-product computation system 600 described above uses values βP1p and βPP+ indicating fragment values of a value sP·b1p to compare (βP1p+a0p·βPP+) and sP·a1p·b0p and uses values αP1p and αPP+ indicating fragment values of a value sP·a1p to compare (αP1p−aPP+)·b0p and sP·a1p·b0p in order to check the validity of a0p·b1p+a1p·b0p. With such a configuration, the protocol involves no round-trip transmission of computed values among the parties. Therefore, leakage of a computed value can be prevented, and therefore, the server cannot perform a misuse. In addition, the number of processing steps is the same as that of the secure sum-of-product computation system 300, the secure sum-of-product computation system 600 can maintain approximately the same level of efficiency.
Seventh Embodiment
A seventh embodiment is a specific example of the sixth embodiment, in which na0=na1=na2=nb0=nb1=nb2=n, and e00=e01=e10=e11=e12=e21=e22=e20=e02=1. FIG. 14 shows an example of a configuration of a secure sum-of-product computation system 700 according to this embodiment, and FIG. 15 shows an example of a flow of a processing performed by the secure sum-of-product computation system 700. The secure sum-of-product computation system 700 comprises a party X, a party Y, a party Z, a data string decomposition and supply part 410 and an output part 420. The data string decomposition and supply part 410 and the output part 420 are the same as those of the secure sum-of-product computation system 400 according to the fourth embodiment. As shown in FIG. 13, each party has first random number generation means 301, first computation means 302 and second computation means 303, which are the same as those of the secure sum-of-product computation system 400, as well as second random number generation means 604, third computation means 605, fourth computation means 606 and misuse detection means 607.
As with the secure sum-of-product computation system 400 according to the fourth embodiment, the secure sum-of-product computation system 700 performs each set of sum-of-product computations
for m sets of data strings Aq=(aq—0, . . . , aq—n-1) and Bq=(bq—0, . . . , bq—n-1) comprising elements aq—i and bq—i, which are natural numbers smaller than a prime number p, through cooperative computation by the three computation apparatuses, the parties X, Y and Z (the sum-of-product computation is a multiplication of aq and bq in the case where n=1).
In the following specific description, the functions of the data string decomposition and supply part 410, the first random number generation means 301, the first computation means 302, the second computation means 303 and the output part 420 and the secure sum-of-product computation processing (steps S41 to S47 and S60) implemented by these functions are the same as those of the secure sum-of-product computation system 400 according to the fourth embodiment and therefore will not be further described, and the misuse detection processing, which differs from that of the secure sum-of-product computation system 400, will be particularly described.
Following the steps S41 to S47, each party performs a misuse detection processing as described below. As in the sixth embodiment, it is assumed that the parties X and Y previously share a random number sq—Z, the parties Y and Z previously share a random number sq—X, and the parties Z and X previously share a random number sq—Y.
A processing performed by the party X will be described. First, the second random number generation means 604 generates a random number ρX, and transmits the random number to the party Y, and generates random number sequences (αZ0q—0, . . . , αZ0q—n-1) and (βZ0q—0, . . . , βZ0q—n-1) and transmits the random number sequences to the party Z (S88). Then, the third computation means 605 computes random number sequences (αZ0q—0−sq—Z·a0q—0, . . . , αZ0q—n-1−sq—Z·a0q—n-1) and (βZ0q—0−sq—Z·b0q—0, . . . , βZ0q—n-1−sq—Z·b0q—n-1), transmits the random number sequences to the party Y, receives random number sequences (αX1q—0, . . . , αX1q—n-1) and (βX1q—0, . . . , βX1q—n-1) from the party Y, computes a value γX according to
and transmits the value to the party Z (S89). Then, the fourth computation means 606 receives a random number ρZ from the party Z, computes a value γ′Z according to
and transmits the value to the party Y (S90). Then, the misuse detection means 607 receives a value γY from the party Y, a value γ′Y and random number sequences (αY2q—0−sq—Y·a2q—0, . . . , αY2q—n-1−sq—Y·a2q—n-1) and (βY2q—0−sq—Y·b2q—0, . . . , βY2q—n-1−sq—Y·b2q—n-1) from the party Z, computes
ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq—0 and cq—1 if the computation result is 0 (S91).
Next, a processing performed by the party Y will be described. First, the second random number generation means 604 generates a random number ρY and transmits the random number to the party Z, and generates random number sequences (αX1q—0, . . . , αX1q—n-1) and (βX1q—0, . . . , βX1q—n-1) and transmits the random number sequences to the party X (S92). Then, the third computation means 605 computes random number sequences (αX1q—0−sq—X·a1q—0, . . . , αX1q—n-1−sq—X·a1q—n-1) and (βX1q—0−sq—X·b1q—0, . . . , βX1q—n-1−sq—X·b1q—n-1), transmits the random number sequences to the party Z, receives random number sequences (αY2q—0, . . . , αY2q—n-1) and (βY2q—0, . . . , βY2q—n-1) from the party Z, computes a value γY according to
and transmits the value to the party X (S93). Then, the fourth computation means 606 receives the random number ρX from the party X, computes a value γ′X according to
and transmits the value to the party Z (S94). Then, the misuse detection means 607 receives a value γ′Z and random number sequences (αZ0q—0−sq—Z·a0q—0, . . . , αZ0q—n-1−sq—Z·a0q—n-1) and (βZ0q—0−sq—Z·b0q—0, . . . , βZ0q—n-1−sq—Z·b0q—n-1) from the party X and a value γZ from the party Z, computes
ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq—1 and cq—2 if the computation result is 0 (S95).
Next, a processing performed by the party Z will be described.
First, the second random number generation means 604 generates a random number ρZ and transmits the random number to the party X, and generates random number sequences (αY2q—0, . . . , αY2q—n-1) and (βY2q—0, . . . , βY2q—n-1) and transmits the random number sequences to the party Y (S96). Then, the third computation means 605 computes random number sequences (αY2q—0−sq—Y·a2q—0, . . . , αY2q—n-1−sq—Y·a2q—n-1) and (βY2q—0−sq—Y·b2q—0, . . . , βY2q—n-1−sq—Y·b2q—n-1), transmits the random number sequences to the party X, receives random number sequences (αZ0q—0, . . . , αZ0q—n-1) and (βZ0q—0, . . . , βZ0q—n-1) from the party X, computes a value γZ according to
and transmits the value to the party Y (S97). Then, the fourth computation means 606 receives a random number ρY from the party Y, computes a value γ′Y according to
and transmits the value to the party X (S98). Then, the misuse detection means 607 receives the value γX from the party X and the value γ′X and random number sequences (αX1q—0−sq—X·a1q—0, . . . , αX1q—n-1−sq—X·a1q—n-1) and (βX1q—0−sq—X·b1q—0, . . . , βX1q—n-1−sq—X·b1q—n-1) from the party Y, computes
ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq—2 and cq—0 if the computation result is 0 (S99). In the processing described above, hash values or other values can be substituted for the random numbers.
Eighth Embodiment
While the secure sum-of-product computation system 700 according to the seventh embodiment is configured to perform a sum-of-product computation expressed as
as with the secure sum-of-product computation system 400 according to the fourth embodiment and apply the method according to the embodiment 6 to the misuse detection processing for the sum-of-product computation, a secure sum-of-product computation system 800 according to an eighth embodiment has a configuration in which one of the values involved in the multiplication in the sum-of-product computation is fixed. More specifically, the secure sum-of-product computation system 800 is configured to perform the following m sum-of-product computations of a data string Aq=(aq—0, . . . , aq—n-1) comprising elements aq—i, which are natural numbers smaller than a prime number p, and a value b, which is a natural number smaller than the prime number p, through cooperative computation by three computation apparatuses, the parties X, Y and Z, as with the secure sum-of-product computation system 500 according to the fifth embodiment and apply the misuse detection method according to the sixth embodiment to the misuse detection processing for the sum-of-product computation.
In the following specific description, the functions of the data string decomposition and supply part 410, the first random number generation means 301, the first computation means 302, the second computation means 303 and the output part 420 and the secure sum-of-product computation processing (steps S41 to S47 and S60) implemented by these functions are the same as those of the secure sum-of-product computation system 500 according to the fifth embodiment and therefore will not be further described, and the misuse detection processing, which differs from that of the secure sum-of-product computation system 500, will be particularly described. The functional configuration and the process flow are the same as those in the seventh embodiment and therefore will be described below with reference to them (that is, FIG. 14 (and FIG. 13) showing the configuration and FIG. 15 showing the process flow).
Following the steps S41 to S47, each party performs a misuse detection processing as described below. As in the seventh embodiment, it is assumed that the parties X and Y previously share a random number sq—Z, the parties Y and Z previously share a random number sq—X, and the parties Z and X previously share a random number sq—Y.
A processing performed by the party X will be described. First, the second random number generation means 604 generates a random number ρX and transmits the random number to the party Y, and generates random numbers αZ0 and βZ0q and transmits the random numbers to the party Z (S88). Then, the third computation means 605 computes random numbers
transmits the random numbers to the party Y, receives random numbers αX1 and βX1q from the party Y, computes a value γX according to
and transmits the value to the party Z (S89). Then, the fourth computation means 606 receives a random number ρZ from the party Z, computes a value γ′Z according to
and transmits the value to the party Y (S90). Then, the misuse detection means 607 receives a value γY from the party Y, a value γ′Y and values
from the party Z, computes
ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq—0 and cq—1 if the computation result is 0 (S91).
Next, a processing performed by the party Y will be described. First, the second random number generation means 604 generates a random number ρY and transmits the random number to the party Z, and generates random numbers αX1 and βX1q and transmits the random numbers to the party X (S92). Then, the third computation means 605 computes random numbers
transmits the random numbers to the party Z, receives random numbers αY2 and βY2q from the party Z, computes a value γY according to
and transmits the value to the party X (S93). Then, the fourth computation means 606 receives the random number ρX from the party X, computes a value γ′X according to
and transmits the value to the party Z (S94). Then, the misuse detection means 607 receives a random number γZ from the party Z and random numbers γ′Z,
from the party X, computes
ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq—1 and cq—2 if the computation result is 0 (S95).
Next, a processing performed by the party Z will be described. First, the second random number generation means 604 generates a random number ρZ and transmits the random number to the party X, and generates random numbers αY2 and βY2q and transmits the random numbers to the party Y (S96). Then, the third computation means 605 computes random numbers
transmits the random numbers to the party X, receives random numbers αZ0 and βZ0q from the party X, computes a value γZ according to
and transmits the value to the party Y (S97). Then, the fourth computation means 606 receives a random number ρY from the party Y, computes a value γ′Y according to
and transmits the value to the party X (S98). Then, the misuse detection means 607 receives the value γX from the party X and random numbers γ′X,
from the party Y, computes
ends the processing by outputting data indicating a misuse detection if the computation result is not 0, and outputs values cq—2 and cq—0 if the computation result is 0 (S99). In the processing described above, hash values or other values can be substituted for the random numbers.
Ninth Embodiment
According to the sixth and seventh embodiments, two data strings A=(aq—0, . . . , aq—n-1) and B=(bq—0, . . . , bq—n-1) are divided into three fragment data strings A0, A1 and A2 and B0, B1 and B2, respectively, in such a manner that the fragments satisfy conditions that A=A0+A1+A2 mod p and B=B0+B1+B2 mod p, the data strings A0=(a0q—0, . . . , a0q—na0-1), A1=(a1q—0, . . . , a1q—na1-1), B0=(b0q—0, . . . , b0q—nb0-1) and B1=(b1q—0, . . . , b1q—nb1-1) are supplied to the party X as values to be concealed, the data strings A1, A2=(a2q—0, . . . , a2q—na2-1), B1 and B2=(b2q—0, . . . , b2q—nb2-1) are supplied to the party Y as values to be concealed, the data strings A2, A0, B2 and B0 are supplied to the party Z as valued to be concealed, and thus, the secure sum-of-product of these values expressed by the following formula can be securely computed by determining the value cq—0+cq—1+cq—2 from the values cq—0 and cq—1, which are the results of the computation performed by the party X, the values cq—1 and cq—2, which are the results of the computation performed by the party Y, and the values cq—2 and cq—0, which are the results of the computation performed by the party Z.
Focusing on the six terms Σa0q—i0·b1q—j1, Σa1q—i1·b0q—j0, Σa1q—i1·b2q—j2, Σa2q—i2·b1q—j1, Σa2q—i2·b0q—j0 and Σa0q—i0·b2q—j2 in the above formula of the secure sum-of-product computation, one party has both the two fragment values of each term, another party has one of the two fragment values, and the remaining party has the other of the two fragment values. For example, concerning the fragment values a0q—i0 and b1q—j1 of the term Σa0q—i0·b1q—j1, the party X has both the fragment values a0q—i0 and b1q—j1, the party Y has only the fragment value b1q—j1, and the party Z has only the fragment value a0q—i0. The same holds true for the term Σa1q—i1·b0q—j0. A secure sum-of-product computation system 900 according to a ninth embodiment implements a method of determining a sum-of-product of two fragment values in the case where any one of three parties has both the two fragment values, another of the three parties has one of the two fragment values, and the remaining one of the three parties has the other of the two fragment values, that is, a sum-of-product computation method on which the secure sum-of-product computation according to the sixth and seventh embodiments is based.
In the following, an example in which the party X has both the fragment values, the party Y has one of the two fragment values, and the party Z has the other of the two fragment values will be described. However, the computation can also be achieved in the same manner in the cases where the party Y has both the fragment values, the party X has one of the two fragment values, and the party Z has the other of the two fragment values and where the party Z has both the fragment values, the party X has one of the two fragment values, and the party Y has the other of the two fragment values.
FIG. 16 shows an example of a configuration of the secure sum-of-product computation system 900, and FIG. 17 shows an example of a flow of a processing performed by the secure sum-of-product computation system 900. The secure sum-of-product computation system 900 comprises a party X, a party Y and a party Z, which are computation apparatuses. The party X has party-X random number generation means 901 and party-X computation means 903, the party Y has party-Y random number generation means 902 and party-Y computation means 904, and the party Z has misuse detection means 905.
The secure sum-of-product computation system 900 performs a total of m sets of sum-of-product computations of data strings Aq—0=(a0q—0, . . . , a0q—na0-1) and Aq—1=(a1q—0, . . . , a1q—na1-1) and data strings Bq—0=(b0q—0, . . . , b0q—nb0-1) and Bq—1=(b1q—0, . . . , b1q—nb1-1) expressed as the following formula by cooperative computation by the three computation apparatuses, the parties X, Y and Z (i0=0, . . . , na0-1, i1=0, . . . , na1-1, j0=0, . . . , nb0-1, j1=0, . . . , nb1-1, na0, na1, nb0 and nb1 represent natural numbers, e01q—i0,q—j1 and e10q—i1,q—j0 represent any numbers, q=0, . . . , m−1, and m represents an integer equal to or greater than 1) (the computations are performed in parallel in the case where m is equal to or greater than 2).
Data strings Aq—0, Aq—1, Bq—0 and Bq—1 are input to the party X, data strings Aq—1 and Bq—1 are input to the party Y, and data strings Aq—0 and Bq—0 are input to the party Z (S101).
First, the party-X random number generation means 901 in the party X generates random numbers cq—1 and γ1 and random number sequences (α1q—0, . . . , α1q—nb0-1) and (β1q—0, . . . , β1q—na0-1) and transmits the random numbers and the random number sequences to the party Y (S102). In addition, the party-Y random number generation means 902 in the party Y generates a random number sq and transmits the random number to the party Z (S103).
Then, the party-X computation means 903 in the party X computes random numbers cq—0 and γ0 according to
and transmits the random numbers to the party Z (S104).
In addition, the party-Y computation means 904 in the party Y receives the random numbers cq—1 and γ1 and the random number sequences (α1q—0, . . . , α1q—nb0-1) and (β1q—0, . . . , β1q—na0-1) from the party X, computes number sequences (α0q—0, . . . , α0q—nb0-1) and (β0q—0, . . . , β0q—na0-1) and a value γ′ according to
and transmits the number sequences and the value to the party Z (S105).
Then, the misuse detection means 905 in the party Z receives the random numbers cq—0 and γ0 from the party X and the random number sq, the number sequences (α0q—0, . . . , α0q—nb0-1) and (β0q—0, . . . , β0q—na0-1) and the value γ′ from the party Y, computes
and ends the processing by outputting data indicating a misuse detection if the computation result is not 0 (S106).
If the result of the computation by the misuse detection means 905 is 0, the party X outputs the random numbers cq—0 and cq—1, the party Y outputs the random number cq—1 and 0, and the party Z outputs 0 and the random number cq—0 (S107). In the processing described above, hash values or other values can be substituted for the random numbers.
Tenth Embodiment
A tenth embodiment is a specific example of the ninth embodiment, in which na0=na1=na2=nb0=nb1=nb2=n, and e00=e01=e10=e11=e12=e21=e22=e20=e02=1. The configuration and the process flow are the same as those according to the ninth embodiment (an example of the configuration is shown in FIG. 16, and an example of the process flow is shown in FIG. 17). A secure sum-of-product computation system 910 according to the tenth embodiment performs a total of m sets of sum-of-product computations of data strings Aq—0=(α0q—0, . . . , a0q—n-1) and Aq—1=(a1q—0, . . . , a1q—n-1) and data strings Bq—0=(b0q—0, . . . , b0q—n-1) and Bq—1=(b1q—0, . . . , b1q—n-1) expressed as the following formula by cooperative computation by the three computation apparatuses, the parties X, Y and Z (i=0, . . . , n−1, n represents a natural number, q=0, . . . , m−1, and m represents an integer equal to or greater than 1) (the computations are performed in parallel in the case where m is equal to or greater than 2).
Data strings Aq—0, Aq—1, Bq—0 and Bq—1 are input to the party X, data strings Aq—1 and Bq—1 are input to the party Y, and data strings Aq—0 and Bq—0 are input to the party Z (S101).
First, the party-X random number generation means 901 in the party X generates random numbers cq—1 and γ1 and random number sequences (α1q—0, . . . , α1q—n-1) and (β1q—0, . . . , β1q—n-1) and transmits the random numbers and the random number sequences to the party Y (S102). In addition, the party-Y random number generation means 902 in the party Y generates a random number sq and transmits the random number to the party Z (S103).
Then, the party-X computation means 903 in the party X computes random numbers cq—0 and γ0 according to
and transmits the random numbers to the party Z (S104).
In addition, the party-Y computation means 904 in the party Y receives the random numbers cq—1 and γ1 and the random number sequences (α1q—0, . . . , α1q—n-1) and (β1q—0, . . . , β1q—n-1) from the party X, computes number sequences (α0q—0, . . . , α0q—n-1) and (β0q—0, . . . , β0q—n-1) and a value γ′ according to
and transmits the number sequences and the value to the party Z (S105).
Then, the misuse detection means 905 in the party Z receives the random numbers cq—0 and γ0 from the party X and the random number sq, the number sequences (α0q—0, . . . , α0q—n-1) and (β0q—0, . . . , β0q—n-1) and the value γ′ from the party Y, computes
and ends the processing by outputting data indicating a misuse detection if the computation result is not 0 (S106).
If the result of the computation by the misuse detection means 905 is 0, the party X outputs the random numbers cq—0 and cq—1, the party Y outputs the random number cq—1 and 0, and the party Z outputs 0 and the random number cq—0 (S107). In the processing described above, hash values or other values can be substituted for the random numbers.
Eleventh Embodiment
A secure sum-of-product computation system 920 according to an eleventh embodiment is the secure sum-of-product computation system 910 according to the tenth embodiment that is improved so as to be able to more efficiently and securely perform the sum-of-product computation
with one of the multipliers in each term being fixed regardless of the values i and q, that is,
The configuration and the process flow of the secure sum-of-product computation system 920 are the same as those according to the ninth and tenth embodiment (an example of the configuration is shown in FIG. 16, and an example of the process flow is shown in FIG. 17). However, data a0 and a1 and data strings Bq—0=(b0q—0, . . . , b0q—n-1) and Bq—1=(b1q—0, . . . , b1q—n-1) are input to the party X, the data a1 and the data string Bq—1 are input to the party Y, and the data a0 and the data string Bq—0 are input to the party Z (S101).
First, the party-X random number generation means 901 in the party X generates random numbers cq—1 and γ1, a random number sequence (α1q—0, . . . , a1q—n-1) and a random number β1 and transmits the random numbers and the random number sequence to the party Y (S102).
In addition, the party-Y random number generation means 902 in the party Y generates a random number sq and transmits the random number to the party Z (S103).
Then, the party-X computation means 903 in the party X computes random numbers cq—0 and γ0 according to
and transmits the random numbers to the party Z (S104).
In addition, the party-Y computation means 904 in the party Y receives the random numbers cq—1 and γ1, the random number sequence (α1q—0, . . . , α1q—n-1) and the random number β1 from the party X, computes a number sequence (α0q—0, . . . , α0q—n-1) and value β0 and γ′ according to
and transmits the number sequence and the values to the party Z (S105).
Then, the misuse detection means 905 in the party Z receives the random numbers cq—0 and γ0 from the party X and the random number sq, the number sequence (α0q—0, . . . , α0q—n-1) and the values β0 and γ′ from the party Y, computes
and ends the processing by outputting data indicating a misuse detection if the computation result is not 0 (S106).
If the result of the computation by the misuse detection means 905 is 0, the party X outputs the random numbers cq—0 and cq—1, the party Y outputs the random number cq—1 and 0, and the party Z outputs 0 and the random number cq—0 (S107). In the processing described above, hash values or other values can be substituted for the random numbers.
The processings in the secure sum-of-product computation methods according to the present invention performed by the secure sum-of-product computation systems according to the present invention described above can be performed not only sequentially in the order described above but also in parallel with each other or individually as required or depending on the processing power of the apparatus that performs the processings. The functions of components of the secure sum-of-product computation systems according to the present invention can be combined or divided as required. Furthermore, other various modifications can be appropriately made without departing form the spirit of the present invention. In the case where the secure sum-of-product computation systems according to the embodiments of the present invention are implemented by computers, the specific processings of the functions of the apparatuses and the components thereof are described in programs. The programs are stored in a hard disk drive, for example, and a required program or data is loaded into a random access memory (RAM) for execution. The computer implements the specific processing by the CPU executing the loaded program.