Great research starts with great data.

Learn More
More >
Patent Analysis of

Secret calculation method, secret calculation system, random permutation device, and program

Updated Time 12 June 2019

Patent Registration Data

Publication Number

US10002547

Application Number

US15/110886

Application Date

07 January 2015

Publication Date

19 June 2018

Current Assignee

NIPPON TELEGRAPH AND TELEPHONE CORPORATION

Original Assignee (Applicant)

NIPPON TELEGRAPH AND TELEPHONE CORPORATION

International Classification

H04L29/06,G09C1/00,G06F21/60,H04L9/08

Cooperative Classification

G09C1/00,G06F21/60,H04L9/085,H04L2209/46

Inventor

IKARASHI, DAI,HAMADA, KOKI,KIKUCHI, RYO,CHIDA, KOJI

Patent Images

This patent contains figures and images illustrating the invention and its embodiment.

US10002547 Secret calculation method, secret calculation 1 US10002547 Secret calculation method, secret calculation 2 US10002547 Secret calculation method, secret calculation 3
See all images <>

Abstract

Secret calculation including secret random permutation is performed at high speed. In unit permutation, random permutation devices p0, . . . , pk-1 perform permutation of additive secret sharing values «a»ρi of a plain text a with sub shares πρi of permutation data π. In resharing, the random permutation device p0 generates additive secret sharing values «a»ρi+1pk by using random numbers r1, . . . , rk-1 which are respectively shared with random permutation devices pj (j=1, . . . , k−1) so as to transmit the additive secret sharing values «a»ρi+1pk to the random permutation device pk and each of the random permutation devices pj generates additive secret sharing values «a»ρi+1pj by using random numbers rj.

Read more

Claims

1. A secret calculation method, implemented by a system that includes n permutation devices which each respectively receive in advance one of n pieces of a plain text a, wherein at least k pieces of the n pieces are required to restore the original plain text a, in which n and k are set as integers which are 2 or larger, n>k holds, N=nCk holds, ρ is set as a group of k pieces of random permutation devices which are selected from the n random permutation devices, ρ0, . . . , ρN-1 are set to satisfy |ρii+1|=1 with respect to i=0, . . . , N−2, «a»ρi is set as additive secret sharing values of the plain text a, the additive secret sharing values being possessed by an i-th random permutation device group ρi, «a»ρip is set as an additive secret sharing value possessed by a random permutation device p among the additive secret sharing values «a»ρi, πρi is set as sub shares of permutation data π, the sub shares corresponding to the i-th random permutation device group ρi, a random permutation device p0 is set as a random permutation device which is included in the i-th random permutation device group ρi and is not included in an i+1-th random permutation device group ρi+1, a random permutation device pk is set as a random permutation device which is not included in the i-th random permutation device group ρi and is included in the i+1-th random permutation device group ρi+1, and random permutation devices pj (j=1, . . . , k−1) are set as k−1 pieces of random permutation devices which are included in both of the i-th random permutation device group ρi and the i+1-th random permutation device group ρi+1, the secret calculation method comprising: a unit permutation step in which processing circuitry of the random permutation devices p0, . . . , pk-1 perform permutation of the additive secret sharing values «a»ρi by the sub shares πρi; and a resharing step in which the processing circuitry of random permutation device p0 generates additive secret sharing values «a»ρi+1pk by using random numbers r1, . . . , rk-1 which are respectively shared with the random permutation devices pj so as to transmit the additive secret sharing values «a»ρi+1pk to the random permutation device pk and each of the random permutation devices pj generates additive secret sharing values «a»ρi+1pj by using the random numbers rj, wherein ρ0, . . . , ρN-1 are set so that a difference between a maximum value and a minimum value of a number of communication stages of paths from k pieces of random permutation devices, which are included in a 0th random permutation device group ρ0, to k pieces of random permutation devices, which are included in an N−1-th random permutation device group ρN-1, becomes smallest.

2. The secret calculation method according to claim 1, wherein in the resharing step, the processing circuitry of the random permutation device p0 generates the additive secret sharing values «a»ρi+1pk with a following formula,

apkρi+1=ap0ρi-1i<kri,and

each of the random permutation devices pj generates the additive secret sharing values «a»ρi+1pj with a following formula: apjρi+1=apjρi-rj.

3. The secret calculation method according to claim 1, further comprising: a preliminary conversion step in which secret sharing values [a] obtained by (k,n)-secret sharing of the plain text a are converted into additive secret sharing values «a»ρ0; and a post-facto conversion step in which additive secret sharing values «a»ρN-1 are converted into the secret sharing values [a] to be outputted.

4. The secret calculation method according to claim 2, further comprising: a unit conversion step in which the additive secret sharing values «a»ρi which are permutated in the unit permutation step are converted into secret sharing values [a] based on (k,n)-secret sharing so as to be accumulated in a storage unit.

5. The secret calculation method according to claim 1, in which N=n-1Ck holds and ρ is set as a group of k pieces of random permutation devices which are selected from n pieces of random permutation devices while excluding a predetermined random permutation device q, further comprising: a preliminary conversion step in which the plain text a is converted into additive secret sharing values «a»ρ0; and a post-facto conversion step in which additive secret sharing values «a»ρN-1 are converted into the secret sharing values [a] based on (k,n)-secret sharing to be outputted, wherein in the unit permutation step, the random permutation device q performs permutation of the plain text a with the sub shares πρi in a case of i≤nCk-n-1Ck, and the random permutation devices p1, . . . , pk-1 perform permutation of the additive secret sharing values «a»ρi with the sub shares πρi in a case of i>nCk-n-1Ck.

6. The secret calculation method according to claim 3, further comprising: a unit conversion step in which the additive secret sharing values «a»ρi which are permutated in the unit permutation step are converted into secret sharing values [a] based on (k,n)-secret sharing so as to be accumulated in a storage unit.

7. The secret calculation method according to claim 1, in which N=n-1Ck holds and ρ is set as a group of k pieces of random permutation devices which are selected from n pieces of random permutation devices while excluding a predetermined random permutation device q, further comprising: a preliminary conversion step in which the secret sharing values [a] based on (k,n)-secret sharing of the plain text a are converted into additive secret sharing values «a»ρ0; and a post-facto conversion step in which additive secret sharing values «a»ρN-1 are restored so as to output the plain text a, wherein in the unit permutation step, in a case of i≤n-1Ck the random permutation devices p1, . . . , pk-1 perform permutation of the additive secret sharing values «a»ρi with the sub shares πρi, and in a case of i>n-1Ck the random permutation device q performs permutation of the plain text a with the sub shares πρi.

8. The secret calculation method according to claim 5, further comprising: a unit conversion step in which the additive secret sharing values «a»ρi which are permutated in the unit permutation step are converted into secret sharing values [a] based on (k,n)-secret sharing so as to be accumulated in a storage unit.

9. The secret calculation method according to claim 1, further comprising: a unit conversion step in which the additive secret sharing values «a»ρi which are permutated in the unit permutation step are converted into secret sharing values [a] based on (k,n)-secret sharing so as to be accumulated in a storage unit.

10. The secret calculation method according to claim 7, further comprising: a unit conversion step in which the additive secret sharing values «a»ρi which are permutated in the unit permutation step are converted into secret sharing values [a] based on (k,n)-secret sharing so as to be accumulated in a storage unit.

11. A secret calculation system comprising: n random permutation devices when n is set as an integer which is 2 or larger, in which each of the random permutation devices respectively receive in advance one of n pieces of a plain text a, wherein at least k pieces of the n pieces are required to restore the original plain text a; wherein k is set as an integer which is 2 or larger, n>k holds, N=nCk holds, ρ is set as a group of k random permutation devices which are selected from the n random permutation devices, ρ0, . . . , ρN-1 are set to satisfy |ρii+1|=1 with respect to i=0, . . . , N−2, «a»ρi is set as additive secret sharing values of the plain text a, the additive secret sharing values being possessed by an i-th random permutation device group ρ1, «a»ρip is set as an additive secret sharing value possessed by a random permutation device p among the additive secret sharing values «a»ρi, πρi is set as sub shares of permutation data π, the sub shares corresponding to the i-th random permutation device group ρi, a random permutation device p0 is set as a random permutation device which is included in the i-th random permutation device group ρi and is not included in an i+1-th random permutation device group ρi+1, a random permutation device pk is set as a random permutation device which is not included in the i-th random permutation device group ρi and is included in the i+1-th random permutation device group ρi+1, random permutation devices pj (j=1, . . . , k−1) are set as k−1 pieces of random permutation devices which are included in both of the i-th random permutation device group ρi and the i+1-th random permutation device group ρi+1, and the random permutation devices include processing circuitry configured to perform permutation of the additive secret sharing values «a»ρi with the sub shares πρi, and generate additive secret sharing values «a»ρi+1pk by using random numbers r1, . . . , rk-1 which are shared with each of the random permutation devices pj so as to transmit the additive secret sharing values «a»ρi+1pk to the random permutation device pk when a corresponding random permutation device is the random permutation device p0 and generate additive secret sharing values «a»ρi+1pj by using random numbers rj when the corresponding random permutation device is any one of the random permutation devices pj, wherein ρ0, . . . , ρN-1 are set so that a difference between a maximum value and a minimum value of a number of communication stages of paths from k pieces of random permutation devices, which are included in a 0th random permutation device group ρ0, to k pieces of random permutation devices, which are included in an N−1-th random permutation device group ρN-1, becomes smallest.

12. A random permutation device configured to be part of a system that includes n permutation devices which each respectively receive in advance one of n pieces of a plain text a, wherein at least k pieces of the n pieces are required to restore the original plain text a, in which n and k are set as integers which are 2 or larger, n>k holds, N=nCk holds, ρ is set as a group of k pieces of random permutation devices which are selected from the n random permutation devices, ρ0, . . . , ρN-1 are set to satisfy |ρii+1|=1 with respect to i=0, . . . , N−2, «a»ρi is set as additive secret sharing values of the plain text a, the additive secret sharing values being possessed by an i-th random permutation device group ρi, «a»ρip is set as an additive secret sharing value possessed by a random permutation device p among the additive secret sharing values «a»ρi, πρi is set as sub shares of permutation data π, the sub shares corresponding to the i-th random permutation device group ρi, a random permutation device p0 is set as a random permutation device which is included in the i-th random permutation device group ρ1 and is not included in an i+1-th random permutation device group ρi+1, a random permutation device pk is set as a random permutation device which is not included in the i-th random permutation device group ρi and is included in the i+1-th random permutation device group ρi+1, and random permutation devices pj (j=1, . . . , k−1) are set as k−1 pieces of random permutation devices which are included in both of the i-th random permutation device group ρi and the i+1-th random permutation device group ρi+1, the random permutation device comprising: processing circuitry configured to perform permutation of the additive secret sharing values «a»ρi with the sub shares πρi; and generate additive secret sharing values «a»ρi+1pk by using random numbers r1, . . . , rk-1 which are shared with each of the random permutation devices pj so as to transmit the additive secret sharing values «a»ρi+1pk to the random permutation device pk when a corresponding random permutation device is the random permutation device p0 and generate additive secret sharing values «a»ρi+1pj by using random numbers rj when the corresponding random permutation device is any one of the random permutation devices pj, wherein ρ0, . . . , ρN-1 are set so that a difference between a maximum value and a minimum value of a number of communication stages of paths from k pieces of random permutation devices, which are included in a 0th random permutation device group ρ0, to k pieces of random permutation devices, which are included in an N−1-th random permutation device group ρN-1, becomes smallest.

13. A non-transitory computer readable medium including computer executable instructions that make a computer function as a random permutation device configured to be part of a system that includes n permutation devices which each respectively receive in advance one of n pieces of a plain text a, wherein at least k pieces of the n pieces are required to restore the original plain text a, in which n and k are set as integers which are 2 or larger, n>k holds, N=nCk holds, ρ is set as a group of k pieces of random permutation devices which are selected from the n random permutation devices, ρ0, . . . , ρN-1 are set to satisfy |ρii+1|=1 with respect to i=0, . . . , N−2, «a»ρi is set as additive secret sharing values of the plain text a, the additive secret sharing values being possessed by an i-th random permutation device group ρi, «a»ρip is set as an additive secret sharing value possessed by a random permutation device p among the additive secret sharing values «a»ρi, πρi is set as sub shares of permutation data π, the sub shares corresponding to the i-th random permutation device group ρi, a random permutation device p0 is set as a random permutation device which is included in the i-th random permutation device group ρi and is not included in an i+1-th random permutation device group ρi+1, a random permutation device pk is set as a random permutation device which is not included in the i-th random permutation device group ρi and is included in the i+1-th random permutation device group ρi+1, and random permutation devices pj (j=1, . . . , k−1) are set as k−1 pieces of random permutation devices which are included in both of the i-th random permutation device group ρi and the i+1-th random permutation device group ρi+1, the random permutation device comprising: processing circuitry configured to perform permutation of the additive secret sharing values «a»ρi with the sub shares πρi; and generate additive secret sharing values «a»ρi+1pk by using random numbers r1, . . . , rk-1 which are shared with each of the random permutation devices pj so as to transmit the additive secret sharing values «a»ρi+1pk to the random permutation device pk when a corresponding random permutation device is the random permutation device p0 and generate additive secret sharing values «a»ρi+1pj by using random numbers rj when the corresponding random permutation device is any one of the random permutation devices pj, wherein ρ0, . . . , ρN-1 are set so that a difference between a maximum value and a minimum value of a number of communication stages of paths from k pieces of random permutation devices, which are included in a 0th random permutation device group ρ0, to k pieces of random permutation devices, which are included in an N−1-th random permutation device group ρN-1, becomes smallest.

Read more

Claim Tree

  • 1
    1. A secret calculation method, implemented by a system that includes n permutation devices which each respectively receive in advance one of n pieces of a plain text a, wherein
    • at least k pieces of the n pieces are required to restore the original plain text a, in which
    • 2. The secret calculation method according to claim 1, wherein
      • in the resharing step, the processing circuitry of the random permutation device p0 generates the additive secret sharing values «a»ρi+1pk with a following formula, apkρi+1=ap0ρi-1i<kri,and each of the random permutation devices pj generates the additive secret sharing values «a»ρi+1pj with a following formula: apjρi+1=apjρi-rj.
      • 3. The secret calculation method according to claim 1, further comprising:
        • a preliminary conversion step in which secret sharing values [a] obtained by (k,n)-secret sharing of the plain text a are converted into additive secret sharing values «a»ρ0
        • and a post-facto conversion step in which additive secret sharing values «a»ρN-1 are converted into the secret sharing values [a] to be outputted.
      • 5. The secret calculation method according to claim 1, in which
        • N=n-1Ck holds and ρ is set as a group of k pieces of random permutation devices which are selected from n pieces of random permutation devices while excluding a predetermined random permutation device q, further comprising:
      • 7. The secret calculation method according to claim 1, in which
        • N=n-1Ck holds and ρ is set as a group of k pieces of random permutation devices which are selected from n pieces of random permutation devices while excluding a predetermined random permutation device q, further comprising:
      • 9. The secret calculation method according to claim 1, further comprising:
        • a unit conversion step in which the additive secret sharing values «a»ρi which are permutated in the unit permutation step are converted into secret sharing values [a] based on (k,n)-secret sharing so as to be accumulated in a storage unit.
      • 11
        11. A secret calculation system comprising:
        • n random permutation devices when n is set as an integer which is 2 or larger, in which each of the random permutation devices respectively receive in advance one of n pieces of a plain text a, wherein at least k pieces of the n pieces are required to restore the original plain text a
        • wherein k is set as an integer which is 2 or larger, n>k holds, N=nCk holds, ρ is set as a group of k random permutation devices which are selected from the n random permutation devices, ρ0, . . . , ρN-1 are set to satisfy |ρii+1|=1 with respect to i=0, . . . , N−2, «a»ρi is set as additive secret sharing values of the plain text a, the additive secret sharing values being possessed by an i-th random permutation device group ρ1, «a»ρip is set as an additive secret sharing value possessed by a random permutation device p among the additive secret sharing values «a»ρi, πρi is set as sub shares of permutation data π, the sub shares corresponding to the i-th random permutation device group ρi, a random permutation device p0 is set as a random permutation device which is included in the i-th random permutation device group ρi and is not included in an i+1-th random permutation device group ρi+1, a random permutation device pk is set as a random permutation device which is not included in the i-th random permutation device group ρi and is included in the i+1-th random permutation device group ρi+1, random permutation devices pj (j=1, . . . , k−1) are set as k−1 pieces of random permutation devices which are included in both of the i-th random permutation device group ρi and the i+1-th random permutation device group ρi+1, and the random permutation devices include processing circuitry configured to perform permutation of the additive secret sharing values «a»ρi with the sub shares πρi, and generate additive secret sharing values «a»ρi+1pk by using random numbers r1, . . . , rk-1 which are shared with each of the random permutation devices pj so as to transmit the additive secret sharing values «a»ρi+1pk to the random permutation device pk when a corresponding random permutation device is the random permutation device p0 and generate additive secret sharing values «a»ρi+1pj by using random numbers rj when the corresponding random permutation device is any one of the random permutation devices pj, wherein ρ0, . . . , ρN-1 are set so that a difference between a maximum value and a minimum value of a number of communication stages of paths from k pieces of random permutation devices, which are included in a 0th random permutation device group ρ0, to k pieces of random permutation devices, which are included in an N−1-th random permutation device group ρN-1, becomes smallest.
      • 12
        12. A random permutation device configured to be part of a system that includes n permutation devices which each respectively receive in advance one of n pieces of a plain text a, wherein
        • at least k pieces of the n pieces are required to restore the original plain text a, in which
      • 13
        13. A non-transitory computer readable medium including
        • computer executable instructions that make a computer function as a random permutation device configured to be part of a system that includes n permutation devices which each respectively receive in advance one of n pieces of a plain text a, wherein at least k pieces of the n pieces are required to restore the original plain text a, in which n and k are set as integers which are 2 or larger, n>k holds, N=nCk holds, ρ is set as a group of k pieces of random permutation devices which are selected from the n random permutation devices, ρ0, . . . , ρN-1 are set to satisfy |ρii+1|=1 with respect to i=0, . . . , N−2, «a»ρi is set as additive secret sharing values of the plain text a, the additive secret sharing values being possessed by an i-th random permutation device group ρi, «a»ρip is set as an additive secret sharing value possessed by a random permutation device p among the additive secret sharing values «a»ρi, πρi is set as sub shares of permutation data π, the sub shares corresponding to the i-th random permutation device group ρi, a random permutation device p0 is set as a random permutation device which is included in the i-th random permutation device group ρi and is not included in an i+1-th random permutation device group ρi+1, a random permutation device pk is set as a random permutation device which is not included in the i-th random permutation device group ρi and is included in the i+1-th random permutation device group ρi+1, and random permutation devices pj (j=1, . . . , k−1) are set as k−1 pieces of random permutation devices which are included in both of the i-th random permutation device group ρi and the i+1-th random permutation device group ρi+1, the random permutation device comprising: processing circuitry configured to perform permutation of the additive secret sharing values «a»ρi with the sub shares πρi
        • and generate additive secret sharing values «a»ρi+1pk by using random numbers r1, . . . , rk-1 which are shared with each of the random permutation devices pj so as to transmit the additive secret sharing values «a»ρi+1pk to the random permutation device pk when a corresponding random permutation device is the random permutation device p0 and generate additive secret sharing values «a»ρi+1pj by using random numbers rj when the corresponding random permutation device is any one of the random permutation devices pj, wherein ρ0, . . . , ρN-1 are set so that a difference between a maximum value and a minimum value of a number of communication stages of paths from k pieces of random permutation devices, which are included in a 0th random permutation device group ρ0, to k pieces of random permutation devices, which are included in an N−1-th random permutation device group ρN-1, becomes smallest.
      • See all independent claims <>

        Description

        TECHNICAL FIELD

        The present invention relates to a secret calculation technique, and especially relates to a technique for performing secret random permutation.

        BACKGROUND ART

        Secret calculation is a technique in which data processing is performed while concealing data by secret sharing. The secret sharing is a technique in which data is converted into a plurality of distributed values so that original data can be restored by using a certain number or more number of pieces of distributed values, while original data cannot be restored by using distributed values of which the number of pieces is smaller than the certain number. The secret sharing can be categorized into several kinds. Examples of the secret sharing include (k,n)-secret sharing, additive secret sharing, permutation data secret sharing, and the like.

        The (k,n)-secret sharing is secret sharing in which a plain text which is inputted is divided into n pieces of shares so as to be distributed to n pieces of parties P=(p0, . . . , pn-1) in advance. The plain text can be restored when arbitrary k pieces of shares are provided. Any information on the plain text cannot be obtained from shares of which the number is smaller than k. Specific examples of types of the (k,n)-secret sharing include Shamir secret sharing, replicated secret sharing, and the like.

        The additive secret sharing is (k,k)-secret sharing by the replicated secret sharing. The (k,k)-secret sharing represents a case where n=k is set in the (k,n)-secret sharing. In the (k,k)-secret sharing, it is impossible to restore a plain text until shares of all parties are collected. The additive secret sharing is the simplest secret sharing in which a plain text is restored only by adding up k pieces of shares.

        The permutation data secret sharing is secret sharing performed while concealing permutation data. The permutation data is data representing the rearrangement way in rearrangement of data columns. When m pieces of data columns are rearranged, permutation data π having the volume m is data representing a bijective map π:Nm→Nm. Here, Nm represents a collection of non-negative integers which are smaller than an arbitrary integer m. For example, data of which elements in vectors x∈(Nm)m are different from each other can be assumed as random permutation data having the volume m.

        More specifically, a vector x=(3,0,2,1) can be assumed as random permutation data having the volume 4. For example, it is assumed to rearrange the data column y=(1,5,7,10) by the vector x. 1 which is the 0th element of the data column yis moved to the third position represented by the 0th element of the vector x. 5 which is the first element of the data column y is moved to the 0th position represented by the first element of the vector x. In a similar manner, 7 is moved to the second position and 10 is moved to the first position. As a result, the post-permutation data column z=(5,10,7,1) is obtained.

        In the permutation data secret sharing, permutation data is concealed by the following procedure. It is assumed that there are N pieces of k party groups of columns P=ρ0, . . . , ρN-1. For example, when k=2, each k party group ρi is a set (p0,p1) of the party p0 and the party p1, a set (p0,p2) of the party p0 and the party p2, or the like. It is assumed that all parties in each k party group ρi mutually share the permutation data πρi and the permutation data πρi is not informed to a complement ρi. Further, a corresponding plain text is assumed to be π01( . . . (πN-1(I)) . . . )). Here, I represents permutation in which output is performed in the same arrangement as that of input, that is, identical permutation. In this case, if the k party groups of columns P=ρ0, . . . , ρN-1 is set so that “(condition 1) any complement ρi satisfies ρ⊆ρi with respect to an arbitrary k−1 party group ρ”, any permutation data πρi is unknown in any coupling of the k−1 party.

        For example, when the number n of parties satisfies n≥2k−1, the above-mentioned condition 1 is satisfied if the column P of the k party groups is set as a collection including all the k party groups. Further, when the number n of parties satisfies n>2k−1, the above-mentioned condition 1 is sometimes satisfied even if not all the k party groups are included. For example, when k=2 and n=4, the condition 1 is satisfied though {(p0,p1),(p2,p3)} does not include all the k party groups.

        The secret random permutation is a technique for performing permutation of an inputted data column in a random manner while concealing the permutated orders even from a processing executor. As a conventional technique for performing the secret random permutation, the technique described in Non-patent Literature 1 is disclosed.

        As a basic form of the secret random permutation described in Non-patent Literature 1, permutation data secret sharing values <π> are generated with the input of the column [a] of (k,n)-secret sharing values so as to output the column [b]=([aπ(0)], . . . , [aπ(m-1)]) of (k,n)-secret sharing values. At this time, it is characterized that any parties do not know the plain text π of the permutation data secret sharing values <π>, that is, the permutated order in the data column. As specific processing, the party p∈ρi which belongs to the k party collection ρi performs normal permutation processing, which is not a secret calculation, with respect to each sub share πρi in permutation data secret sharing so as to generate ([aπρi(0)], . . . , [aπρi(m-1)]) from the input [a]=([a0], . . . , [am-1]) and performs redoing of the secret sharing of ([aπρi(0)], . . . , [aπρi(m-1)]) by processing called resharing in a repeated manner.

        The following three types of secret random permutation can be conceivable based on the difference in forms of an input and an output. The first type is a case where both of an input and an output are (k,n)-secret sharing values. The second type is a case where an input is a (k,n)-secret sharing value and an output is a disclosed value. The third type is a case where an input is a disclosed value and an output is a (k,n)-secret sharing value. In the case where an input is a disclosed value, the above-described processing of the basic form is performed after the disclosed value is subjected to secret sharing to be secret sharing values. Further, in the case where an output is a disclosed value, disclosed processing is performed after the above-described processing of the basic form is performed. A disclosed value is a value which is known by all parties. The disclosed processing represents that all parties transmit own shares to other all parties and secret sharing is restored from the shares which are received by all parties.

        PRIOR ART LITERATURE

        Non-Patent Literature

        • Non-patent Literature 1: Koki Hamada, Dai Ikarashi, Koji Chida, Katsumi Takahashi, “A Random Permutation Protocol on Three-Party Secure Function Evaluation”, Computer Security Symposium 2010, 2010

        SUMMARY OF THE INVENTION

        Problems to be Solved by the Invention

        In the secret random permutation described in Non-patent Literature 1, processing of permutation and processing of resharing are repeated by using (k,n)-secret sharing values. Respective parties have to mutually communicate with all other parties so as to perform resharing of (k,n)-secret sharing values. Thus, there is a problem in which the communication volume and the number of communication stages are large.

        An object of the present invention is to reduce the communication volume and the number of communication stages required for secret random permutation and to perform secret calculation including secret random permutation at high speed.

        Means to Solve the Problems

        In order to solve the above-described problem, a secret calculation method according to the present invention, in which n and k are set as integers which are 2 or larger, n>k holds, N=nCk holds, p is set as a group of k pieces of random permutation devices which are selected from n pieces of random permutation devices, ρ0, . . . , ρN-1 are set to satisfy |ρii+1|=1 with respect to i=0, . . . , N−2, «a»ρi is set as additive secret sharing values of a plain text a, the additive secret sharing values being possessed by an i-th random permutation device group ρi, «a»ρip is set as an additive secret sharing value possessed by a random permutation device p among the additive secret sharing values «a»ρi, πρi is set as sub shares of permutation data π, the sub shares corresponding to the i-th random permutation device group ρi, a random permutation device p0 is set as a random permutation device which is included in the i-th random permutation device group ρi and is not included in an i+1-th random permutation device group ρi+1, a random permutation device pk is set as a random permutation device which is not included in the i-th random permutation device group ρi and is included in the i+1-th random permutation device group ρi+1, and random permutation devices pj (j=1, . . . , k−1) are set as k−1 pieces of random permutation devices which are included in both of the i-th random permutation device group ρi and the i+1-th random permutation device group ρi+1, includes a unit permutation step in which the random permutation devices p0, . . . , pk-1 perform permutation of the additive secret sharing values «a»ρi by the sub shares πρi, and a resharing step in which the random permutation device p0 generates additive secret sharing values «a»ρi+1pk by using random numbers r1, . . . , rk-1 which are respectively shared with the random permutation devices p1, . . . , pk-1 so as to transmit the additive secret sharing values «a»ρi+1pk to the random permutation device pk and each of the random permutation devices pj generates additive secret sharing values «a»ρi+1pj by using the random numbers rj.

        Effects of the Invention

        According to the secret calculation technique of the present invention, the communication volume and the number of communication stages in performing of secret random permutation can be reduced. Accordingly, secret calculation including secret random permutation can be executed at high speed.

        BRIEF DESCRIPTION OF THE DRAWINGS

        FIG. 1 illustrates the functional configuration of a secret calculation system.

        FIG. 2 illustrates the functional configuration of a random permutation device according to a first embodiment.

        FIG. 3 illustrates a processing flow of a secret calculation method according to the first embodiment.

        FIG. 4 illustrates a processing flow of a secret calculation method according to a second embodiment.

        FIG. 5 illustrates a processing flow of a secret calculation method according to a third embodiment.

        FIG. 6 illustrates the functional configuration of a random permutation device according to a fourth embodiment.

        FIG. 7 illustrates a processing flow of a secret calculation method according to the fourth embodiment.

        FIG. 8 illustrates a specific example of k=2 and n=3 in the first embodiment.

        FIG. 9 illustrates a specific example of k=3 and n=5 in the first embodiment.

        FIG. 10 illustrates a specific example of k=2 and n=3 in the second embodiment.

        FIG. 11 illustrates a specific example of k=3 and n=5 in the second embodiment.

        FIG. 12 illustrates a specific example of k=2 and n=3 in the third embodiment.

        FIG. 13 illustrates a specific example of k=3 and n=5 in the third embodiment.

        DETAILED DESCRIPTION OF THE EMBODIMENTS

        Before provision of the description of embodiments, notation and terms used in this specification are defined.

        [Notation]

        p represents a party possessing shares.

        P=(p0, . . . , pn-1) represents a collection of the whole of n parties possessing shares.

        ρ=(p0, . . . , pk-1) represents a collection of k party groups executing permutation processing.

        P=(p0, . . . , ρN-1) represents the order in the k party group which executes each permutation processing. Here, N=nCk represents the number of times of execution of the permutation processing and is the number of all combinations in selection of the k party from the n party.

        [x] represents a (k,n)-secret sharing value of the plane text x∈G. Here, G represents a commutative group. The (k,n)-secret sharing value represents a set obtained by collecting all shares which are obtained by distributing the plain text x by the (k,n)-secret sharing. Secret sharing values [x] are normally possessed in a manner to be distributed in n party collection P, so that all secret sharing values [x] are not possessed at one place and therefore, secret sharing values [x] are virtual.

        [x]p represents a share possessed by the party p∈P among (k,n)-secret sharing values [x].

        [x] represents a column of (k,n)-secret sharing values by which a column of a plain text becomes x.

        [G] represents a collection of the whole of (k,n)-secret sharing values in the commutative group G.

        «x»ρ represents an additive secret sharing value of the plain text x∈G and represents that the k party group p possesses a share. The additive secret sharing value represents a set obtained by collecting all shares which are obtained by distributing the plain text x by additive secret sharing.

        «x»ρp represents a share possessed by the party p∈ρ in the additive secret sharing value «x»ρ.

        «x»ρ represents a column of additive secret sharing values by which a column of a plain text becomes x.

        «G»p represents a collection of the whole of additive secret sharing values in the commutative group G.

        <π> represents a permutation data secret sharing value of permutation data π.

        Π represents a collection of the whole permutation data having the volume m.

        <Π> represents a collection of the whole permutation data secret sharing value having the volume m.

        Points of Invention

        The general outline of the secret random permutation according to the present invention is as follows.

        Step 1. An input is converted from a (k,n)-secret sharing value or a disclosed value into an additive secret sharing value.

        Step 2. Each party which belongs to the k party collection p having shares repeats normal permutation of the permutation data secret sharing value <π> by the sub share πρ and resharing on additive secret sharing values. However, the resharing is not performed on the final time. Hereinafter, one time in the repetition is referred to as unit permutation and the whole repeated processing is referred to as repetition permutation.

        Step 3. An output is converted from an additive secret sharing value into a (k,n)-secret sharing value or a disclosed value.

        An existing method is applicable to Step 1 and Step 3. Points in the processing of Step 2 will be described below.

        <Unit Permutation>

        A point in the unit permutation is selecting of the k party collection ρi on the i-th unit permutation so as to satisfy |ρii+1|=1. That is, only one party is different between the k party collection ρi performing the i-th unit permutation and the k party collection ρi+1 performing the i+1-th unit permutation and the rest of k−1 parties are same parties. Such unit permutation is referred to as 1-additive resharing protocol because this unit permutation is the case where only one party is different.

        In resharing in the secret random permutation described in Non-patent Literature 1, the communication volume of (n−1)(k−1) pieces of G elements is required. On the other hand, in the 1-additive resharing protocol, the communication volume of only k−1 pieces of G elements is required. Especially, if a seed is preliminarily shared to share a pseudo random number, the communication volume is the communication volume of only one piece of G element. In this case, the communication volume becomes a constant and thus, it is very efficient.

        In the 1-additive resharing protocol, data processing is performed in accordance with the following procedure with an input of the secret sharing values «a»ρ∈«G»ρ which are possessed by the k party group ρ=p0, . . . , pk-1 so as to output the secret sharing values «a»ρ′∈«G»ρ′ which are possessed by other k party groups ρ′=p1, . . . , pk. Here, it should be noted that roles of the parties are appropriately changed.

        First, the party p0 shares the random number ri∈G with the party pi with respect to i=1, . . . , k−1. Then, the party p0 calculates the secret sharing value «a»ρ′pk with the following formula so as to send the secret sharing value «a»ρ′pk to the party pk. The party pk outputs the received «a»ρ′pk.

        apkρ=ap0ρ-1i<kri

        Subsequently, the party pi (i=1, . . . , k−1) calculates the secret sharing value «a»ρ′pi with the following formula so as to output the secret sharing value «a»ρ′pi.

        apiρ′=apiρ+ri

        <Parallelization of Unit Permutation in Repetition Permutation>

        The repetition permutation is repetition of permutation→resharing→permutation→resharing→ . . . → permutation, in which permutation is executed N times and resharing is executed N−1 times. When this is simply described, the number of communication stages is the number of times of resharing, that is, N−1 stages. However, unit permutation by the 1-additive resharing protocol can be parallelized on communication. This is because a party which waits for data reception is one party, that is, only a party which does not participate in the previous unit permutation and other parties execute only offline processing without waiting for any data reception and can shift to the next unit permutation processing. The number of shares of the additive secret sharing is k pieces. Therefore, if the order P in the k party group is appropriately set, k times of unit permutation, at the maximum, can be executed on one stage. Accordingly, the number of communication stages can be reduced to (N−1)/k stages.

        The number of communication stages can be efficiently improved by setting the order P in the k party group such that the numbers of communication stages of paths from the party pi are equal to each other or such that the difference between the maximum value and the minimum value is the smallest, with respect to arbitrary i<k.

        The path from the party pi is the column (pj0,pj1, . . . , pjL-1) of parties with respect to the column P=(ρ0, . . . , ρL-1) of the k party group having the length L, that is, a column which is recursively defined by the following formulas.

        pj0=pi,pjL+1={pjLifpjLPL+1onlyelementpofPL+1\PLotherwise

        The number of communication stages of a path is the number of λ in which communication is required due to change of parties on the path, that is, |{λ∈NL|p≠pjλ+1}|. The communication in the 1-additive resharing protocol is communication of random numbers except that the party pk waits for transmission from the party p0 and does not depend on a result of resharing on the previous stage. The number of communication stages of a path represents the number of stages which are aligned in series and therefore, cannot be executed in parallel in communication from the party p0 to the party pk. The number of communication stages in the whole repetition permutation is as expressed in the following formula. Thus, when the numbers of communication stages of respective paths are equal to each other, it is efficient.

        maxi<k(numberofcommunicationstagesofpathfrompi)andi<k(numberofcommunicationstagesofpathfrompi)=P_

        Embodiments of the present invention will be described in detail below. Here, it should be noted that constituent portions mutually having the same functions are given the same reference numerals in the drawings and duplicate description thereof is omitted.

        First Embodiment

        Referring to FIG. 1, a configuration example of a secret calculation system according to a first embodiment is described. The secret calculation system includes n (≥2) pieces of random permutation devices 11, . . . , 1n and a network 9. Each of the random permutation devices 11, . . . , 1n is connected to the network 9. It is sufficient that the network 9 is configured so that the random permutation devices 11, . . . , 1n can communicate with each other and the network 9 may be composed of an internet, a LAN, a WAN, or the like, for example. Further, the random permutation devices 11, . . . , 1n do not necessarily have to be able to mutually communicate online via the network 9. For example, such configuration may be employed that information outputted from a certain random permutation device 1i (1≤i≤n) is stored in a portable recording medium such as a USB memory and is inputted offline into another random permutation device 1j (1≤j≤n, i≠j) from the portable recording medium.

        A configuration example of the random permutation device 1 included in the secret calculation system is described with reference to FIG. 2. The random permutation device 1 includes a preliminary conversion unit 10, a unit permutation unit 12, a resharing unit 14, a post-facto conversion unit 16, and a storage unit 18. The random permutation device 1 is a special device which is configured by reading a special program into a known or dedicated computer including a central processing unit (CPU), a main storage device (a random access memory, RAM), and the like, for example. The random permutation device 1 executes each processing under the control of the central processing unit, for example. Data inputted into the random permutation device 1 and data obtained in each processing are stored in the main storage device, for example, and the data stored in the main storage device is read when needed so as to be used for other processing. The storage unit 18 provided to the random permutation device 1 can be composed of a main storage device such as a random access memory (RAM), an auxiliary storage device composed of a hard disc, an optical disc, or a semiconductor memory element such as a flash memory, or middleware such as a relational database and a key-value store, for example.

        In the storage unit 18 provided to the random permutation device 1p corresponding to the party p, the (k,n)-secret sharing value [a]p or the disclosed value a of the plain text a, the sub share πp of the permutation data π corresponding to the k party group ρ including the party p, and N×k pieces of seeds s0,1, . . . , sN-1,k are stored. Here, the seeds s0,1, . . . , sN-1,k are preliminarily stored so as to generate random numbers without communication in the later-described processing by the resharing unit 14. However, the seeds s0,1, . . . , sN-1,k do not have to be stored in the case where random numbers are generated in a coordinated manner each time.

        Referring to FIG. 3, one example of a processing flow of a secret calculation method which is executed by the secret calculation system according to the first embodiment is described in accordance with an order of a procedure which is actually performed.

        In step S10, the preliminary conversion units 10 provided to the k pieces of random permutation devices 1ρ0 convert the (k,n)-secret sharing values [a]pi or the disclosed values a which are stored in the storage units 18 into the additive secret sharing values «a»ρ0. ρ0 represents the 0-th element in the column P=(ρ0, . . . , ρN-1) of the k party group and the random permutation devices 1ρ0 are k pieces of random permutation devices 1p0, . . . , 1pk-1 corresponding to ρ0=(p0, . . . , pk-1).

        A known method can be used for the method for converting from a (k,n)-secret sharing value or a disclosed value into an additive secret sharing value.

        In the case where an input is a disclosed value, the conversion into an additive secret sharing value can be performed as follows, for example. It is assumed that ρ is a group of the k pieces of random permutation devices 1p0, . . . , 1pk-1, a∈G is a disclosed value which is inputted, and the random permutation device 1p0 knows the disclosed value a. The conversion from the disclosed value a into the additive secret sharing value «a»ρ may be performed with the following formula with respect to i=0, . . . , k−1.

        apiP:={aifi=00otherwise

        In the case where an input is a (k,n)-secret sharing value, the conversion into an additive secret sharing value can be performed by the method described in Reference Literature 1 and Reference Literature 2 below, for example. In Reference Literature 1, the method for converting from linear secret sharing including Shamir secret sharing into additive secret sharing without communication is described. In Reference Literature 2, the method for converting from replicated secret sharing into linear secret sharing without communication is described. Therefore, the conversion from replicated secret sharing into additive secret sharing is realized without communication by combining the method described in Reference Literature 2 and the method described in Reference Literature 1.

        • [Reference Literature 1] Dai Ikarashi, Koki Hamada, Ryo Kikuchi, Koji Chida, “O(1) Bits Communication Bit Decomposition and O(|p′|) Bits Communication Modulus Conversion for Small k Secret-Sharing-Based Secure Computation”, Computer Security Symposium 2013, 2013
        • [Reference Literature 2] R. Cramer, I. Damgard, and Y. Ishai, “Share conversion, pseudorandom secret-sharing and applications to secure computation”, TCC 2005, Vol. 3378 of Lecture Notes in Computer Science, pp. 342-362, 2005

        In step S1a, the k pieces of random permutation devices 1ρ0 initialize the counter i which shows the number of times of execution of permutation processing to 0.

        In step S12, the unit permutation unit 12 provided to the k pieces of random permutation devices 1ρi permutates the additive secret sharing values «a»ρi by using the sub share πρi of permutation data which is stored in the storage unit 18. ρi represents the i-th element of the column P=(ρ0, . . . , ρN-1) of k party group and the random permutation devices 1ρi are k pieces of random permutation devices 1p0, . . . , 1pk-1 corresponding to ρi=(p0, . . . , pk-1). A conventional method of permutation data secret sharing may be employed as the method of permutation.

        In step S1b, the k pieces of random permutation devices 1ρi determine whether or not permutation processing is executed predetermined times. Specifically, whether or not a value of the counter i reaches N−1 when N=nCk is set as the total number of times of execution of the unit permutation. In the case of i<N−1, the processing goes to step S14. In the case of i≥N−1, the processing goes to step S16.

        In step S14, the resharing units 14 provided to the k pieces of random permutation devices 1ρi+1 performs resharing of the additive secret sharing values «a»ρi by the 1-additive resharing protocol. Hereinafter, it is assumed that the random permutation device 1p0 is a random permutation device which is included in the random permutation devices 1ρi but is not included in the random permutation devices 1ρi+1 and the random permutation device 1pk is a random permutation device which is not included in the random permutation devices 1ρi but is included in the random permutation devices 1ρi+1. Further, it is assumed that the random permutation device 1pj (j=1, . . . , k−1) represents k−1 pieces of random permutation devices which are included in the random permutation devices 1ρi+1 except for the random permutation device 1pk.

        The resharing units 14 provided to the random permutation devices 1ρi+1 generate k pieces of random numbers r1, . . . , rk∈G. As for the random numbers r1, . . . , rk, the k pieces of random permutation devices 1ρi+1 may cooperate with each other to generate common random numbers r1, . . . , rk or may generate pseudo random numbers r1, . . . , rk by using the seeds si,1, . . . , si,k which are stored in the storage units 18. In the case where pseudo random numbers are generated by using the seeds si,1, . . . , si,k which are shared in advance, random numbers can be generated without communication among the random permutation devices. Thus, it is very efficient.

        Then, the resharing unit 14 provided to the random permutation device 1p0 generates the additive secret sharing values «a»ρi+1pk for the random permutation device 1pk by using the additive secret sharing values «a»ρip0 and the random numbers r0, . . . , rk-1 with the formula below so as to transmit the additive secret sharing values «a»ρi+1pk to the random permutation device 1pk.

        apkρi+1=ap0ρi-1i<kri

        Subsequently, the resharing units 14 provided to the random permutation devices 1pj generate the additive secret sharing values «a»ρi+1pj by using the additive secret sharing values «a»ρipj and the random numbers rj with the formula below.

        apjρi+1=apjρi−rj

        In step S1c, the k pieces of random permutation devices 1ρi+1 add 1 to the counter i showing the number of times of execution of the permutation processing. After that, the unit permutation of step S12 and the resharing of step S14 are repeated until it is determined that the counter i reaches N−1 in step S1b.

        In step S16, the post-facto conversion units 16 provided to the k pieces of random permutation devices 1ρN-1 convert additive secret sharing values into (k,n)-secret sharing values or disclosed values. The method for converting from an additive secret sharing value into other format can be performed with relatively light volume. Here, it should be noted that the conversion method described below is an example and it does not represent that other conversion methods are not applicable.

        There is such method that in the case where an output is a disclosed value, the k pieces of random permutation devices 1ρN-1 which execute the permutation processing last transmit the additive secret sharing value «a»ρN-1pj (j=0, . . . , k−1) with respect to the random permutation device 1p (1≤p≤n) which desires to obtain the output and the random permutation device 1p performs restoration. Alternatively, there is such method that the k pieces of random permutation devices 1ρN-1 which execute the permutation processing last transmit the additive secret sharing values «a»ρN-1pj (j=0, . . . , k−1) with respect to one piece of random permutation device 1p (p∈ρ) which is selected from a plurality of pieces of random permutation devices 1ρ (ρ⊆{1, . . . , n}) which desire to obtain the output and the random permutation device 1p performs restoration to transmit a restoration result to other random permutation devices 1ρ.

        In the case where an output is a (k,n)-secret sharing value, conversion can be performed by the following procedure, for example, with respect to secret sharing with the additive homomorphism property such as linear secret sharing and replicated secret sharing, that is, secret sharing in which addition can be performed without communication on secret sharing values. The k pieces of random permutation devices 1ρN-1 first perform secret sharing of the additive secret sharing values «a»ρN-1pj by (k,n)-secret sharing of a conversion destination so as to distribute the (k,n)-secret sharing values [«a»ρN-1pj]p (p=1, . . . , n) to n pieces of random permutation devices 1P. Then, the n pieces of random permutation devices 1P add up all of k pieces of (k,n)-secret sharing values [«a»ρN-1pj]p which are received.

        Thus, the secret calculation system according to the first embodiment converts an input into additive secret sharing values so as to be able to reduce the communication volume in processing of resharing and thus, the processing can be performed more efficiently than conventional random permutation.

        Second Embodiment

        In the case where an input in secret random permutation is a disclosed value, efficiency can be further improved than the first embodiment. In order to conceal permutation data in random permutation by the method of Non-patent Literature 1 or the first embodiment, unit permutation needs to be performed equal times to the number of elements of the column P of the k party group, of which any complement ρi satisfies ρ⊆ρi, with respect to arbitrary k−1 party group ρ. However, in the case where an input is a disclosed value possessed by a certain party p, unit permutation may be performed fewer times. This is because an input is a disclosed value and therefore the party p can perform permutation by one party at first and thus can collectively perform permutation for all disclosed values which are known by the party p.

        In the storage unit 18 provided to at least one piece of random permutation device 1p0, the disclosed value a is stored. The disclosed value a may be possessed at least one device and may be possessed by any number of pieces of random permutation devices.

        It is assumed that the sub share πρi, which corresponds to the k party group ρi including the party pi, of the permutation data π and N×k pieces of seeds s0,1, . . . , sN-1,k are stored in the storage units 18 provided to n−1 pieces of random permutation devices 1p1, . . . , 1pn-1 except for the random permutation device 1p0. Here, N is n-1Ck. In a similar manner to the first embodiment, the seeds s0,1, . . . , sN-1,k do not necessarily have to be stored.

        Referring to FIG. 4, one example of a processing flow of a secret calculation method which is executed by a secret calculation system according to the second embodiment is described in accordance with an order of a procedure which is actually performed.

        In step S12p0, the unit permutation unit 12 provided to the random permutation device 1p0 generates the permutation data π which is random so as to permutate the disclosed values a with the permutation data π. The method of permutation is similar to a conventional permutation method.

        In step S10p0, the preliminary conversion unit 10 provided to the random permutation device 1p0 converts the disclosed values a which are permutated into the additive secret sharing values «a»ρ-1. The method of conversion is similar to step S10 of the first embodiment. The additive secret sharing values «a»ρ-1 are distributed to arbitrarily-selected k−1 pieces of random permutation devices among the random permutation devices 1ρ0. It is assumed that distribution is performed with respect to the random permutation devices 1p1, . . . , 1pk-1, in this example.

        In step S14p0, the resharing units 14 provided to the k pieces of random permutation devices 1ρ0 perform resharing of the additive secret sharing values «a»ρ-1 by the 1-additive resharing protocol. The method of resharing is similar to that in step S14 of the first embodiment.

        After that, processing from step S1a to S16 is executed by n−1 pieces of random permutation devices 1p1, . . . , 1pn-1 except for the random permutation device 1p0.

        Thus, in the secret calculation system of the second embodiment, random permutation is performed by n−1 pieces of random permutation devices after permutation is collectively performed by one piece of random permutation device, so that the number of times of permutation processing is n-1Ck+1. Thus, the secret calculation system of the second embodiment can perform the processing more efficiently than the secret calculation system of the first embodiment.

        Third Embodiment

        In the case where an output in secret random permutation is a disclosed value as well, efficiency can be further improved than the first embodiment in a similar manner to the case where an input in secret random permutation is a disclosed value. This is because an output is a disclosed value, so that n−1 parties perform random permutation and then secret sharing values are transmitted to one party which is the rest of parties so as to be able to perform permutation collectively with respect to restored disclosed values.

        It is assumed that the sub share πρi, which corresponds to the k party group ρi including the party pi, of the permutation data π and N×k pieces of seeds s0,1, . . . , sN-1,k are stored in the storage units 18 provided to n−1 pieces of random permutation devices 1p1, . . . , 1pn-1 except for the random permutation device 1p0. Here, N is n-1Ck. In a similar manner to the first embodiment, the seeds s0,1, . . . , sN-1,k do not necessarily have to be stored.

        Referring to FIG. 5, one example of a processing flow of a secret calculation method which is executed by a secret calculation system according to the third embodiment is described in accordance with an order of a procedure which is actually performed.

        From step S10 to S1b, processing until it is determined that i≥N−1 is satisfied is executed by the n−1 pieces of random permutation devices 1p1, . . . , 1pn-1 except for the random permutation device 40.

        In step S16p0, the post-facto conversion unit 16 provided to the random permutation device 1p0 converts additive secret sharing values into disclosed values. The method of conversion is similar to step S16 of the first embodiment. Specifically, the k pieces of random permutation devices 1ρN-1 which execute the permutation processing last transmit the additive secret sharing values «a»ρN-1pj (j=0, . . . , k−1) with respect to the random permutation device 1p0 and the post-facto conversion unit 16 provided to the random permutation device 1p0 restores the additive secret sharing values «a»ρN-1.

        In step S12p0, the unit permutation unit 12 provided to the random permutation device 1p0 generates the permutation data π which is random so as to permutate the disclosed values which are restored. The method of permutation is similar to a conventional permutation method.

        Thus, in the secret calculation system of the third embodiment, permutation is collectively performed by one piece of random permutation device after random permutation is performed by n−1 pieces of random permutation devices, so that the number of times of permutation processing is n-1Ck+1. Thus, the secret calculation system of the third embodiment can perform the processing more efficiently than the secret calculation system of the first embodiment.

        Fourth Embodiment

        A fourth embodiment enables detection of tampering in secret calculation with respect to secret random permutation of this invention. As a secret tampering detection method for detecting tampering in secret calculation, a method described in Reference Literature 3 below is proposed. In Reference Literature 3, tampering detection in secret calculation is performed in three phases. In a randomization phase, a distributed value is converted into a randomized distributed value of which correctness can be verified. In a calculation phase, desired secret calculation is executed by using an operation, which is composed of the semi-honest operation, for a randomized distributed value. At this time, the calculation is performed while collecting randomized distributed values which will be required for calculation of a checksum in the following correctness verification phase. In the correctness verification phase, checksums are collectively calculated with respect to the randomized distributed values which are collected in the calculation phase so as to perform correctness verification. When the checksum is correct, a calculation result obtained in the calculation phase is outputted. When the checksum is incorrect, only the fact of incorrectness is outputted without outputting the calculation result.

        • [Reference Literature 3] Dai Ikarashi, Koji Chida, Koki Hamada, Ryo Kikuchi, “An Extremely Efficient Secret-sharing-based Multi-Party Computation against Malicious Adversary”, SCIS 2013, 2013

        However, in order to apply the method described in Reference Literature 3, each operation executed in secret calculation needs to be tamper-simulatable (Reference Literature 4).

        • [Reference Literature 4] D. Ikarashi, R. Kikuchi, K. Hamada, and K. Chida, “Actively Private and Correct MPC Scheme in t<n/2 from Passively Secure Schemes with Small Overhead”, IACR Cryptology ePrint Archive, vol. 2014, p. 304, 2014

        Therefore, in the fourth embodiment, such configuration example is described that the secret tampering detection method described in Reference Literature 3 is applied to secret random permutation of the first embodiment so that the above-mentioned condition is satisfied. Here, an example in which the method is applied to the first embodiment is described below, but the method is applicable to the second embodiment and the third embodiment as well based on a similar concept.

        A configuration example of a random permutation device 2 according to the fourth embodiment is described with reference to FIG. 6. The random permutation device 2 includes the preliminary conversion unit 10, the unit permutation unit 12, the resharing unit 14, the post-facto conversion unit 16, and the storage unit 18 in a similar manner to the random permutation device 1 according to the above-described embodiments and further includes a randomization unit 20, a unit conversion unit 22, and a correctness verification unit 24.

        Referring to FIG. 7, one example of a processing flow of a secret calculation method which is executed by the secret calculation system according to the fourth embodiment is described in accordance with an order of a procedure which is actually performed.

        In step S20, the randomization units 20 provided to the k pieces of random permutation devices 1ρ0 convert the (k,n)-secret sharing values [a]pi which are stored into randomized distributed values. In the case where the disclosed values a are stored in the storage unit 18, the disclosed values a are converted into the (k,n)-secret sharing values [a]pi so as to be converted into randomized distributed values. The randomized distributed value is the set ([a]pi,[ar]pi) composed of the distributed value [a]pi of the value a∈R and the distributed value [ar]pi of the integrated value ar of the value a∈R and the random number r∈A. Here, R represents a ring and A represents an associative algebra on the ring R. The associative algebra is a joined ring and has a structure in a linear space on a certain field compatible with the ring. The associative algebra can be described such that a value dealt in a vector space may be a ring instead of a field. The 0th component ([a]pi) of the randomized distributed value is also referred to as the R component and the first component ([ar]pi) is also referred to as the A component.

        A random number used in generation of a randomized distributed value is generated such that a distributed value for one secret sharing is converted into a distributed value for the other secret sharing so as to obtain an identical value of the random number in the case where a plurality of types of secret sharing on one ring are used. In this format conversion as well, tampering detection should be possible or tampering should be impossible. For example, a method which prohibits tampering conversion from replicated secret sharing into linear secret sharing is described in Reference Literature 2 above.

        In step S22, the unit conversion units 22 provided to the k pieces of random permutation devices 1ρi convert the additive secret sharing values «a»ρi which are permutated by the unit permutation unit 12 into randomized distributed values by (k,n)-secret sharing so as to be accumulated in the storage units 18. The accumulated randomized distributed values are used for calculation for a checksum by the correctness verification unit 24 which will be described later. Accumulation of randomized distributed values does not necessarily have to be performed after all unit permutation but may be performed in part of unit permutation.

        In step S24, the correctness verification unit 24 executes synchronous processing (SYNC) in which an action of waiting is performed until all secret calculations for all secret sharing are ended. When the end of all secret calculations for all secret sharing is detected, the checksums C0, . . . , Cj-1 are verified by using the distributed values [r0], . . . , [rJ-1] of the random numbers r0, . . . , rJ-1 which are used in the randomization unit 20 so as to verify correctness of (k,n)-secret sharing values or disclosed values which are obtained as a result of secret random permutation. In the case where it is determined that there is no tampering as a result of the verification of the checksums C0, . . . , CJ-1, the processing goes to step S16. In the case where it is determined that there is tampering, information representing the presence of tampering (for example, “⊥” or the like) is outputted.

        In the verification of a checksum, the distributed value [φj] obtained by multiplying a sum of the R components of randomized distributed values included in the checksum Cj by the distributed value [rj] and the distributed value [ψj] which is a sum of the A components of randomized distributed values included in the checksum Cj are calculated and the distributed value [δj]=[φj]−[ψj] obtained by subtracting the distributed value [ψj] from the distributed value [φj] is restored. When all of the values δ0, . . . , δJ-1 are 0, it is determined that there is no tampering in the whole secret random permutation. When any value δj is not 0, it is determined that tampering is performed in any operation in the secret random permutation.

        In the case where there are pieces of secret sharing on one ring among J pieces of secret sharing, if correctness verification is performed collectively to the extent possible, the number of disclosed values is reduced and consequently confidentiality can be further enhanced. For example, in the case where the α-th (α=0, . . . , J−1) secret sharing and the β-th (β=0, . . . , J−1, α≠β) secret sharing are pieces of secret sharing on one ring, the correctness verification is performed as follows. First, the distributed value [φα] which is calculated from the checksum Cα as described above and the distributed value [ψα] which is calculated from the checksum Cα as described above are respectively converted into the β-th secret sharing. Then, the distributed value [δ]([φα]+[φβ])−([ψα]+[ψβ]) which is obtained by subtracting the distributed value [ψαβ] which is obtained by adding the converted distributed value [ψα] and the distributed value [ψβ] which is calculated from the β-th checksum Cβ in a similar manner from the distributed value [φαβ] which is obtained by adding the converted distributed value [φα] and the distributed value [φβ] which is calculated from the checksum Cβ in a similar manner is restored. When the restored value δ is 0, it is determined that there is no tampering. When the restored value δ is other than 0, it is determined that there is tampering. Thus, all combinations of pieces of secret sharing on one ring are verified so as to verify that there is no tampering in the whole secret random permutation. The example in which two pieces of secret sharing are secret sharing on one ring is described in the present embodiment. However, correctness verification can be performed by a similar method even in the case where three or more pieces of secret sharing are secret sharing on one ring.

        In step S16, the post-facto conversion unit 16 converts additive secret sharing values into (k,n)-secret sharing values or disclosed values. In the above-described embodiment, such configuration is employed that the additive secret sharing values «a»ρN-1 after execution of last permutation processing are transmitted to the random permutation device 1p and the random permutation device 1p obtains disclosed values a by the restoration method of additive secret sharing values in the case where an output is a disclosed value. In the present embodiment, in order to detect tampering in disclosure, such configuration is employed that additive secret sharing values are once converted into (k,n)-secret sharing values and then disclosed values a are obtained by the restoration method of (k,n)-secret sharing.

        When disclosed values are obtained from (k,n)-secret sharing values, a disclosure method in which tampering can be detected is required. As the disclosure method in which tampering can be detected, there is the method described in the appendix of Reference Literature 4 above. Alternatively, tampering can be detected by performing disclosure as follows.

        The random permutation device 1p receives (k,n)-secret sharing values which are obtained by converting a format of the additive secret sharing values «a»ρN-1 from arbitrary k−1 pieces of random permutation devices. Further, checksums such as hash values of the (k,n)-secret sharing values which are obtained by converting the format of the additive secret sharing values «a»ρN-1 are received from n−k pieces of random permutation devices which are the rest of random permutation devices. The checksum does not have to be a hash value but a safer and more information-theoretical checksum can be used. The information-theoretical checksum is a combination of a random number r and airi+1 when a calculation object of the checksum is ai, for example. The random permutation device 1p recovers n−k pieces of (k,n)-secret sharing values from k pieces of (k,n)-secret sharing values to which a (k,n)-secret sharing value possessed by the random permutation device 1p is added and calculates checksums respectively from the (k,n)-secret sharing values which are recovered. Here, the recovery is a method in which n−k pieces of distributed values which are unusable are reconstructed without losing secrecy from k pieces of distributed values which are usable when part of distributed values are lost.

        Subsequently, the random permutation device 1p confirms whether or not the checksums of the (k,n)-secret sharing values which are received from the n−k pieces of random permutation devices and the checksums of the recovered (k,n)-secret sharing values are accorded with each other. In the case where all of the checksums are accorded with each other, it is determined that there is not tampering and (k,n)-secret sharing values or disclosed values are outputted. In the case where any of the checksums are different from each other, it is determined that there is tampering and information representing the presence of tampering (for example, “⊥” or the like) is outputted.

        The configuration as that of the present embodiment enables tampering detection and enhances security in the secret random permutation of the present invention.

        [Combination of Configuration Examples]

        The present invention can employ various configurations by combining four independent standpoints other than the above-described embodiments.

        The first standpoint is a form of an input and an output. From this standpoint, four configuration methods are conceivable. The first configuration is a case where an input is a linear secret sharing value and an output is a linear secret sharing value. The second configuration is a case where an input is a linear secret sharing value and an output is a replicated secret sharing value or a case where an input is a replicated secret sharing value and an output is a linear secret sharing value on the other way. The third configuration is a case where an input is a disclosed value and an output is a secret sharing value. The fourth configuration is a case where an input is a linear secret sharing value and an output is a disclosed value.

        The second standpoint is a standpoint of the random number generation method. In this standpoint, two configuration methods are conceivable. The first configuration is the case where a random number is a pseudo random number which is generated from a seed which is preliminarily shared. The second configuration is the case where a random number is shared in execution of a protocol.

        The third standpoint is a standpoint of types of random permutation. In this standpoint, two configuration methods are conceivable. The first configuration is the case where permutation data is arbitrary, that is, the case where shuffling is desired to be performed in a totally random manner. The second configuration is the case where permutation data is limited by rotation, that is, the case where permutation data is expressed by certain r∈Nm, π(i)=i+r mod m is satisfied, and an absolute position is desired to be concealed while a relative alignment order does not have to be concealed.

        The fourth standpoint is a standpoint of a specific example of repetition permutation limiting k and n. The first configuration is the case of k=2 and n=3. The second configuration is the case of k=3 and n=5. In this standpoint, six specific examples, in total, which are obtained by adding the standpoint of an input and an output to each configuration are conceivable.

        The first specific example is the case where both of an input and an output are secret sharing values in the configuration of k=2 and n=3. Referring to FIG. 8, repetition permutation of this specific example is described. In FIG. 8, the vertical axis represents a party and the horizontal axis represents the number of times of unit permutation. A circle represents a party which performs processing in unit permutation. A solid arrow represents a direction of a party to which a secret sharing value is transmitted in the resharing. A dotted arrow represents that the same party continuously holds a secret sharing value in the resharing. In the example of FIG. 8, the order P=(ρ012) of the k party group is set as ρ0=(p0,p1), ρ1=(p1,p2), and ρ2=(p0,p2). The parties p0 and p1 perform processing in the first unit permutation and a secret sharing value is transmitted from the party p0 to the party p2 in the first resharing. The parties p1 and p2 perform processing in the second unit permutation and a secret sharing value is transmitted from the party p1 to the party p0 in the second resharing. The parties p0 and p2 perform processing in the third unit permutation and repetition permutation is completed.

        The second specific example is the case where both of an input and an output are secret sharing values in the configuration of k=3 and n=5. Referring to FIG. 9, repetition permutation of this specific example is described. Notation of the drawing is similar to that of FIG. 8. In the example of FIG. 9, the order P=(ρ0, . . . , ρ9) of the k party group is set as ρ0=(p0,p1,p2), ρ1=(p1,p2,p3), ρ2=(p2,p3,p4), ρ3=(p0,p3,p4), ρ4=(p0,p1,p4), ρ5=(p1,p3,p4), ρ6=(p0,p1,p3), ρ7=(p0,p2,p3), ρ8=(p0,p2,p4), and ρ9=(p1,p2,p4). The parties p0, p1, and p2 perform processing in the first unit permutation and a secret sharing value is transmitted from the party p0 to the party p3 in the first resharing. The parties p1, p2, and p3 perform processing in the second unit permutation and a secret sharing value is transmitted from the party p1 to the party p4 in the second resharing. The parties p2, p3, and p4 perform processing in the third unit permutation and a secret sharing value is transmitted from the party p2 to the party p0 in the third resharing. The parties p0, p3, and p4 perform processing in the fourth unit permutation and a secret sharing value is transmitted from the party p3 to the party p1 in the fourth resharing. Here, the secret sharing value which is transmitted from the party p3 to the party p1 is the secret sharing value which is transmitted from the party p0 to the party p3 in the first resharing, so that reception waiting of the party p1 occurs before the fifth resharing. Accordingly, the resharing up to the fourth resharing is the first stage of communication. After that, permutation and resharing are repeated in a similar manner and thus, the repetition permutation is completed with three communication stages in this specific example.

        The third specific example is the case where an input is a disclosed value and an output is a secret sharing value in the configuration of k=2 and n=3. Referring to FIG. 10, repetition permutation of this specific example is described. Notation of the drawing is similar to that of FIG. 8. In the example of FIG. 10, the order P=(ρ012) of the k party group is set as ρ01=(p0) and ρ2=(p1,p2). Only the party p0 performs processing in the first and second unit permutation. The unit permutation may be simply repeated twice or permutation for two-time permutation may be collectively performed. A secret sharing value is transmitted from the party p0 to the parties p1 and p2 in the second resharing. The parties p1 and p2 perform processing in the third unit permutation and the repetition permutation is completed.

        The fourth specific example is the case where an input is a disclosed value and an output is a secret sharing value in the configuration of k=3 and n=5. Referring to FIG. 11, repetition permutation of this specific example is described. Notation of the drawing is similar to that of FIG. 8. In the example of FIG. 11, the order P=(ρ0, . . . , ρ9) of the k party group is set as ρ012345=(p0), ρ6=(p2,p3,p4), ρ7=(p1,p3,p4), ρ8=(p1,p2,p4), and ρ9=(p1,p2,p3). In the first to sixth unit permutation, only the party p0 performs processing. The unit permutation may be simply repeated six times or permutation for six-time permutation may be collectively performed. A secret sharing value is transmitted from the party p0 to the parties p2, p3 and p4 in the sixth resharing. The parties p2, p3, and p4 perform processing in the seventh unit permutation and a secret sharing value is transmitted from the party p2 to the party p1 in the seventh resharing. The parties p1, p3, and p4 perform processing in the eighth unit permutation and a secret sharing value is transmitted from the party p3 to the party p2 in the eighth resharing. The parties p1, p2, and p4 perform processing in the ninth unit permutation and a secret sharing value is transmitted from the party p4 to the party p3 in the ninth resharing. The parties p1, p2, and p3 perform processing in the tenth unit permutation and the repetition permutation is completed. As illustrated in FIG. 9, the repetition permutation is completed with two communication stages in this specific example.

        The fifth specific example is the case where an input is a secret sharing value and an output is a disclosed value in the configuration of k=2 and n=3. Referring to FIG. 12, repetition permutation of this specific example is described. Notation of the drawing is similar to that of FIG. 8. In the example of FIG. 12, the order P=(ρ012) of the k party group is set as ρ0=(p1,p2) and ρ12 (p0). The parties p1 and p2 perform processing in the first unit permutation and secret sharing values are transmitted from the party p1 and p2 to the party p0. The party p0 restores a secret sharing value and performs the second and third unit permutation. The unit permutation may be simply repeated twice or permutation for two-time permutation may be collectively performed. Thus, the repetition permutation is completed.

        The sixth specific example is the case where an input is a secret sharing value and an output is a disclosed value in the configuration of k=3 and n=5. Referring to FIG. 13, repetition permutation of this specific example is described. Notation of the drawing is similar to that of FIG. 8. In the example of FIG. 13, the order P=(ρ0, . . . , ρ9) of the k party group is set as ρ0=(p2,p3,p4), ρ1=(p1,p3,p4), ρ2=(p1,p2,p4), ρ3=(p1,p2,p3), and ρ456789=(p0). The parties p2, p3, and p4 perform processing in the first unit permutation and a secret sharing value is transmitted from the party p2 to the party p1 in the first resharing. After that, permutation and resharing are repeated by the parties p1, p2, p3, and p4 and after N(=4C3=4)-th permutation is completed, secret sharing values are transmitted from the parties p1, p2, and p3 to the party p0. The party p0 restores a secret sharing value and performs the fifth to tenth unit permutation. The unit permutation may be simply repeated six times or permutation for six-time permutation may be collectively performed. Thus, the repetition permutation is completed.

        It is obvious that the present invention is not limited to the above-described embodiments and alterations can be made as appropriate within a scope of the idea of the present invention. Various types of processing which are described in the above embodiments may be executed in time series in accordance with the described order and may be executed in parallel or individually in accordance with the processing capacity of the device performing the processing or in accordance with the need.

        [Program and Recording Medium]

        When various types of processing functions in the devices described in the above embodiments are implemented on a computer, the contents of processing function to be contained in each device is written by a program. With this program executed on the computer, various types of processing functions in the above-described devices are executed on the computer.

        This program in which the contents of processing are written can be recorded in a computer-readable recording medium. The computer-readable recording medium may be any medium such as a magnetic recording device, an optical disc, a magneto-optical recording medium, and a semiconductor memory.

        Distribution of this program is implemented by sales, transfer, rental, and other transactions of a portable recording medium such as a DVD and a CD-ROM on which the program is recorded, for example. Furthermore, this program may be stored in a storage unit of a server computer and transferred from the server computer to other computers via a network so as to be distributed.

        A computer which executes such program first stores the program stored in a portable recording medium or transferred from a server computer once in a storage unit of the computer, for example. When the processing is performed, the computer reads out the program stored in the recording medium of the computer and performs processing in accordance with the program thus read out. As another execution form of this program, the computer may directly read out the program from a portable recording medium and perform processing in accordance with the program. Furthermore, each time the program is transferred to the computer from the server computer, the computer may sequentially perform processing in accordance with the received program. Alternatively, what is called application service provider (ASP) type of services may be used to perform the processing described above, with which the program is not transferred from the server computer to the computer and the processing function is realized only with execution instructions and result acquisition. It should be noted that a program according to the present embodiment includes information provided for processing performed by electronic calculation equipment, which is equivalent to a program (such as data which is not a direct instruction to the computer but has a property specifying the processing performed by the computer).

        In the present embodiment, the present device is configured with a predetermined program executed on a computer. However, the present device may be configured with at least part of these processing contents realized in a hardware manner.

        Read more
        PatSnap Solutions

        Great research starts with great data.

        Use the most comprehensive innovation intelligence platform to maximise ROI on research.

        Learn More

        Patent Valuation

        $

        Reveal the value <>

        34.05/100 Score

        Market Attractiveness

        It shows from an IP point of view how many competitors are active and innovations are made in the different technical fields of the company. On a company level, the market attractiveness is often also an indicator of how diversified a company is. Here we look into the commercial relevance of the market.

        58.0/100 Score

        Market Coverage

        It shows the sizes of the market that is covered with the IP and in how many countries the IP guarantees protection. It reflects a market size that is potentially addressable with the invented technology/formulation with a legal protection which also includes a freedom to operate. Here we look into the size of the impacted market.

        73.7/100 Score

        Technology Quality

        It shows the degree of innovation that can be derived from a company’s IP. Here we look into ease of detection, ability to design around and significance of the patented feature to the product/service.

        92.0/100 Score

        Assignee Score

        It takes the R&D behavior of the company itself into account that results in IP. During the invention phase, larger companies are considered to assign a higher R&D budget on a certain technology field, these companies have a better influence on their market, on what is marketable and what might lead to a standard.

        18.96/100 Score

        Legal Score

        It shows the legal strength of IP in terms of its degree of protecting effect. Here we look into claim scope, claim breadth, claim quality, stability and priority.

        Citation

        Title Current Assignee Application Date Publication Date
        Secure distributed computation in cryptographic applications ALCATEL-LUCENT USA INC. 30 May 2001 06 March 2003
        Method of a public key encryption and a cypher communication both secure against a chosen-ciphertext attack HITACHI, LTD. 31 January 2002 02 January 2003
        Method of managing one-time pad data and device implementing this method HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP 17 July 2006 26 July 2007
        Optimal-resilience, proactive, public-key cryptographic system and method CERTCO, INC., A CORPORATION OF DELAWARE 28 April 1997 07 March 2000
        Mix and match: a new approach to secure multiparty computation ALCATEL-LUCENT USA INC. 13 March 2000 03 August 2004
        See full citation <>

        PatSnap Solutions

        PatSnap solutions are used by R&D teams, legal and IP professionals, those in business intelligence and strategic planning roles and by research staff at academic institutions globally.

        PatSnap Solutions
        Search & Analyze
        The widest range of IP search tools makes getting the right answers and asking the right questions easier than ever. One click analysis extracts meaningful information on competitors and technology trends from IP data.
        Business Intelligence
        Gain powerful insights into future technology changes, market shifts and competitor strategies.
        Workflow
        Manage IP-related processes across multiple teams and departments with integrated collaboration and workflow tools.
        Contact Sales