A technique for performing secure computation of a sigmoid function with high speed and precision is provided. A secret sigmoid function calculation system is a system, in which g(x) is assumed to be a secure computable function, which calculates, from a share [[x]] of an input value x, a share [[σ′(x)]] of a value of a sigmoid function for the input value x, and includes: a first comparing means that generates a first comparison result [[c]]=less_than([[x]], t.sub.1); a second comparing means that generates a second comparison result [[d]]=greater_than([[x]], t.sub.0); a first logical computation means that generates a first logical computation result [[e]]=not([[c]]); a second logical computation means that generates a second logical computation result [[k]]=and([[c]], [[d]]) or [[k]]=mul([[c]], [[d]]); and a function value calculating means that calculates the share [[σ′(x)]]=mul([[k]], [[g(x)]])+[[e]].

According to a data analysis method by which time required for data analysis is shortened and practicality is improved, a client terminal requests institution terminals to perform analysis of a matching attribute; each of the institution terminals encrypts an element belonging to the matching attribute within a database and sends the converted data to an outsource terminal; the outsource terminal integrates the plurality of converted data sent from the institution terminals and sends the integrated converted data to the institution terminals; and each of the institution terminals compares each matching attribute of a plurality of the elements within the database of the institution terminal against the integrated converted data, thereby identifying, as a common element, an element associated with the matching attribute and held in common by the institution terminals.

A server receives a corresponding data value encrypted using a common threshold public key from each of a plurality of clients. The server distributes the received data values to the clients for evaluating comparison of values. The server receives the encrypted comparison results from each of the clients in response to the distribution of the received encrypted data values. The comparison results are encrypted using the common key. The server homomorphically determines a ciphertext encrypting the rank of each client's data value using the comparison results. Further, the server can compute a ciphertext encrypting the median of the datasets. Thereafter, the server can initiate a threshold decryption to generate a final result.

A secure computing hardware apparatus includes at least a secret generator module, the at least a secret generator module configured to generate a module-specific secret, and a device identifier circuit communicatively connected to the at least a secret generator, the device identifier circuit configured to produce at least an output comprising a secure proof of the module-specific secret. Secret generator module may implement one or more physically unclonable functions to generate the module-specific secret.

A method for providing encrypted search includes receiving, at a user device associated with a user, a search query for a keyword that appears in one or more encrypted documents stored on an untrusted storage device and accessing a count table to obtain a count of documents that include the keyword. The method also includes generating a delegatable pseudorandom function (DPRF) based on the keyword, a private cryptographic key, and the count of documents. The method also includes evaluating a first portion of the DPRF and delegating a remaining second portion of the DPRF to the untrusted storage device which causes the untrusted storage device to evaluate the DPRF and access an encrypted search index associated with the documents. The untrusted storage device determines one or more encrypted documents associated with DPRF and returns, to the user device, an identifier for each encrypted document associated with the DPRF.

Systems and methods for generating min-increment counting bloom filters to determine count and frequency of device identifiers and attributes in a networking environment are disclosed. The system can maintain a set of data records including device identifiers and attributes associated with device in a network. The system can generate a vector comprising coordinates corresponding to counter registers. The system can identify hash functions to update a counting bloom filter. The system can hash the data records to extract index values pointing to a set of counter registers. The system can increment the positions in the min-increment counting bloom filter corresponding to the minimum values of the counter registers. The system can obtain an aggregated public key comprising a public key. The system can encrypt the counter registers using the aggregated shared key to generate an encrypted vector. The system can transmit the encrypted vector to a networked worker computing device.

Provided is a technique for performing statistical processing such as processing for obtaining parameters of logistic regression analysis faster than before. A secure statistical processing system includes a cross tabulation table computing device 2 that performs secure computation on a cross tabulation table in which frequencies are in plain texts while keeping each record concealed; and a statistical processing device 3 that performs predetermined statistical processing using the cross tabulation table in which frequencies are in plain texts. The cross tabulation table computing device 2 may include a plurality of secure computation devices 221, . . . , 22N that perform secure computation on a cross tabulation table in which frequencies are fragments subjected to secret sharing while keeping each record concealed, and a management device 21 that restores the fragments to compute the cross tabulation table in which frequencies are in plain texts.

A first party of two parties performs masking on three first-party fragments corresponding to three types of training data split into fragments and distributed between the two parties by using first fragments of three random numbers in a first fragment of a random array to obtain three first mask fragments sent to a second party, the first fragment of the random array is a fragment, sent by a third party to the first party, of two-party fragments obtained by splitting values in the random array generated by the third party. Three pieces of mask data are constructed by using the three first mask fragments and three second mask fragments received from the second party. A first calculation based on the three pieces of mask data and the first fragment of the random array is performed to obtain a first gradient fragment for updating the first-party fragment of the model parameter.

Embodiments of this specification provide computer-implemented methods, apparatuses, computer-readable media and systems for secure multi-party computation. According to an example computer-implemented method, a first party performs a first mapping operation and homomorphic encryption on first plaintext data to obtain a first converted ciphertext in a Montgomery state, where the first mapping operation converts data from an integer ring to the Montgomery state. The first party sends the first converted ciphertext to a second party. Then, the second party performs a first homomorphic operation in the Montgomery state based on the first converted ciphertext to obtain a first result ciphertext in the Montgomery state, where the first homomorphic operation includes a modular multiplication operation.

Several round-efficient solitary multi-party computation protocols with guaranteed output delivery are disclosed. A plurality of input devices and an output device can collectively perform a computation using methods such as fully homomorphic encryption. The output of the computation is only known to the output device. Some number of these devices may be corrupt. However, even in the presence of corrupt devices, the output device can still either generate a correct output or identify that the computation was compromised. These protocols operate under different assumptions regarding the communication infrastructure (e.g., broadcast vs point-to-point), the number of participating devices, and the number of corrupt devices. These protocols are round-efficient in that they require a minimal number of communication rounds to calculate the result of the multi-party computation.