SECURE COMPUTATION DEVICE, COMPARISON METHOD, COMPARISON PROGRAM RECORDING MEDIUM, AND SECURE COMPUTATION SYSTEM

Abstract

Provided is a secure computation device for computing a comparison operation to two integers without the use of AND/XOR. The secure computation device compares a first integer a and a second integer b when the first integer a and the second integer b, which are 0 or greater and less than 2{circumflex over ( )}k (k being an integer of 1 or greater), are subjected to ring sharing. The secure computation device includes: an addition/subtraction circuitry; a bit decomposition circuitry; and a bit extraction circuitry. The addition/subtraction circuitry uses the first integer a, the second integer b, and 2{circumflex over ( )}k to carry out a predetermined addition or subtraction with ring sharing, and output an added/subtracted result. The bit decomposition circuitry converts the added/subtracted result to bit sharing, and outputs a bit shared result. The bit extraction circuitry extracts a (k+1)-th bit of the bit shared result, and outputs an extracted result.

Claims

1. A secure computation device for comparing, in a case where a first integer a and a second integer b, each of which is more than 0 and less than 2{circumflex over ( )}k (where k is an integer equal to or more than one), are subjected to ring sharing, the first integer a with the second integer b, wherein the secure computation device comprises: an addition/subtraction circuitry configured to carry out a predetermined addition/subtraction using the first integer a, the second integer b, and 2{circumflex over ( )}k with the ring sharing to produce an added/subtracted result; a bit decomposition circuitry configured to convert the added/subtracted result into bit sharing to produce a bit shared result; and a bit extraction circuitry configured to extract a (k+1)-th bit of the bit shared result to produce an extracted result.

2. The secure computation device as claimed in claim 1, wherein the bit extraction circuitry comprises a shifting circuitry configured to shift the bit shared result right by k bits to produce a shifted result as the extracted result.

3. The secure computation device as claimed in claim 2, further comprising a bit composition circuitry configured to convert the shifted result into ring sharing to produce a ring shared result.

4. The secure computation device as claimed in claim 1, wherein: in a case of detecting whether or not the first integer a is not more than the second integer b, the addition/subtraction circuitry is configured to calculate (b+2{circumflex over ( )}k−a) with ring sharing as the predetermined addition/subtraction to produce (b+2{circumflex over ( )}k−a) as the added/subtracted result.

5. The secure computation device as claimed in claim 1, wherein: in a case of detecting whether or not the first integer a is less than the second integer b, the addition/subtraction circuitry is configured to calculate (b+2{circumflex over ( )}k−(a+1)) with ring sharing as the predetermined addition/subtraction to produce (b+2{circumflex over ( )}k−(a+1)) as the added/subtracted result.

6. The secure computation device as claimed in claim 1, wherein: in a case of detecting whether or not the first integer a is not less than the second integer b, the addition/subtraction circuitry is configured to calculate (a+2{circumflex over ( )}k−b) with ring sharing as the predetermined addition/subtraction to produce (a+2{circumflex over ( )}k−b) as the added/subtracted result.

7. The secure computation device as claimed in claim 1, wherein: in a case of detecting whether or not the first integer a is more than the second integer b, the addition/subtraction circuitry is configured to calculate (a+2{circumflex over ( )}k−(b+1)) with ring sharing as the predetermined addition/subtraction to produce (a+2{circumflex over ( )}k−(b+1)) as the added/subtracted result.

8. A secure computation system comprising N secure computation devices each of which is described in claim 1, where N represents an integer which is not less three.

9. A comparison method for comparing, in a case where a first integer a and a second integer b, each of which is more than 0 and less than 2{circumflex over ( )}k (where k is an integer equal to or more than one), are subjected to ring sharing, the first integer a with the second integer b in a secure computation device, wherein the comparison method comprises: an addition/subtraction step of carrying out a predetermined addition/subtraction using the first integer a, the second integer b, and 2{circumflex over ( )}k with the ring sharing to produce an added/subtracted result; a bit decomposition step of converting the added/subtracted result into bit sharing to produce a bit shared result; and a bit extraction step of extracting a (k+1)-th bit of the bit shared result to produce an extracted result.

10. The comparison method as claimed in claim 9, wherein the bit extraction step comprises a shifting step of shifting the bit shared result right by k bits.

11. (canceled)

12. The comparison method as claimed in claim 9, wherein: in a case of detecting whether or not the first integer a is not more than the second integer b, the addition/subtraction step calculates (b+2{circumflex over ( )}k−a) with ring sharing as the predetermined addition/subtraction to produce (b+2{circumflex over ( )}k−a) as the added/subtracted result.

13. The comparison method as claimed in claim 9, wherein: in a case of detecting whether or not the first integer a is less than the second integer b, the addition/subtraction step calculates (b+2{circumflex over ( )}k−(a+1)) with ring sharing as the predetermined addition/subtraction to produce (b+2{circumflex over ( )}k−(a+1)) as the added/subtracted result.

14. The comparison method as claimed in claim 9, wherein: in a case of detecting whether or not the first integer a is not less than the second integer b, the addition/subtraction step calculates (a+2{circumflex over ( )}k−b) with ring sharing as the predetermined addition/subtraction to produce (a+2{circumflex over ( )}k−b) as the added/subtracted result.

15. The comparison method as claimed in claim 9, wherein: in a case of detecting whether or not the first integer a is more than the second integer b, the addition/subtraction step calculates (a+2{circumflex over ( )}k−(b+1)) with ring sharing as the predetermined addition/subtraction to produce (a+2{circumflex over ( )}k−(b+1)) as the added/subtracted result.

16. A non-transitory comparison program recording medium storing a comparison program for causing, in a case where a first integer a and a second integer b, each of which is more than 0 and less than 2{circumflex over ( )}k (where k is an integer equal to or more than one), are subjected to ring sharing, a computer serving as a secure computation device to compare the first integer a with the second integer b, wherein the comparison program causes the computer to achieve: an addition/subtraction function of carrying out a predetermined addition/subtraction using the first integer a, the second integer b, and 2{circumflex over ( )}k with the ring sharing to produce an added/subtracted result; a bit decomposition function of converting the added/subtracted result into bit sharing to produce a bit shared result; and a bit extraction function of extracting a (k+1)-th bit of the bit shared result to produce an extracted result.

17. The non-transitory comparison program recording medium as claimed in claim 16, wherein the bit extraction function comprises a shifting function of shifting the bit shared result right by k bits.

18. (canceled)

19. The non-transitory comparison program recording medium as claimed in claim 16, wherein: in a case of detecting whether or not the first integer a is not more than the second integer b, the addition/subtraction function calculates (b+2{circumflex over ( )}k−a) with ring sharing as the predetermined addition/subtraction to produce (b+2{circumflex over ( )}k−a) as the added/subtracted result.

20. The non-transitory comparison program recording medium as claimed in claim 16, wherein: in a case of detecting whether or not the first integer a is less than the second integer b, the addition/subtraction function calculates (b+2{circumflex over ( )}k−(a+1)) with ring sharing as the predetermined addition/subtraction to produce (b+2{circumflex over ( )}k−(a+1)) as the added/subtracted result.

21. The non-transitory comparison program recording medium as claimed in claim 16, wherein: in a case of detecting whether or not the first integer a is not less than the second integer b, the addition/subtraction function calculates (a+2{circumflex over ( )}k−b) with ring sharing as the predetermined addition/subtraction to produce (a+2{circumflex over ( )}k−b) as the added/subtracted result.

22. The non-transitory comparison program recording medium as claimed in claim 16, wherein: in a case of detecting whether or not the first integer a is more than the second integer b, the addition/subtraction function calculates (a+2{circumflex over ( )}k−(b+1)) with ring sharing as the predetermined addition/subtraction to produce (a+2{circumflex over ( )}k−(b+1)) as the added/subtracted result.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0041] FIG. 1 is a diagram for illustrating an example in a related art where three computers (secure computation devices) share and save data Dsec to be kept secret, as first through third shared values, respectively;

[0042] FIG. 2 is a block diagram for illustrating a configuration of a secure computation system according to an example embodiment of the present invention;

[0043] FIG. 3 is a block diagram for illustrating an n-th secure computation device for use in the secure computation system illustrated in FIG. 2; and

[0044] FIG. 4 is a flow chart for describing an operation of the n-th computation device illustrated in FIG. 3.

DESCRIPTION OF EMBODIMENTS

Related Art

[0045] In order to facilitate an understanding of the present invention, a related art will be described.

[0046] First, a summary of secure computation will be described.

[0047] FIG. 1 is a diagram for illustrating an example where three computers (secure computation devices) 1-1, 1-2, and 1-3 share and save data Dsec to be kept secret, as first through third shared values, respectively. Thus, the data Dsec is split into a plurality of shared values. Therefore, original data Dsec is not known unless all or N or more shared values are collected (where N represents an integer which is not less than two). In addition, each of the computers 1-1 to 1-3 may also be called a node or a party.

[0048] Inasmuch as the original data Dsec is shared and managed in the plurality of computers 1-1 to 1-3 as mentioned above, the original data Dsec is secure even if an administrator of any computer leaks the shared value of himself.

[0049] When contents computed by the respective computers 1-1 to 1-3 are merged, a computed result for the original data Dsec is obtained. Security is assured also during computation.

[0050] Next, secret sharing will be described.

[0051] It is assumed that an integer v is split into three to be distributed to the respective nodes 1-1 to 1-3. As the secret sharing, bit sharing and ring sharing are known, which will be described hereafter.

[0052] The bit sharing is represented by the following equation:

v=v0∧v1∧v2,

where an operator ∧ represents an exclusive OR (XOR).

[0053] On the other hand, the ring sharing is represented by the following equation:

v=v0+v1+v3,

where an operator + represents an additive operation (addition) on the ring.

[0054] Conversion between two sharing methods is possible. Converting from the ring sharing to the bit sharing is called “bit decomposition.” A method of the “bit decomposition” is described in the above-mentioned Non Patent Literature 3 and, therefore, the description thereof is omitted herein.

[0055] On the other hand, converting from the bit sharing to the ring sharing is called “bit composition.” Now, a method of the “bit composition” will be described.

[0056] The bit composition is carried out in the following manner: [0057] 1. Shares a random number r on a ring; [0058] 2. Bit-decomposes shared information of the random number r; [0059] 3. Performs secure computation of an addition circuit about the shared information of the bit-decomposed random number and shared information of a target bit to be subjected to the bit composition and restores a result thereof. Assuming that x represents the result of the bit composition, r+x is restored; and [0060] 4. Performs ring sharing of r+x and then a result obtained by executing (r+x)-r as the secure computation of the share on the ring becomes the result of the bit composition.

[0061] The bit sharing and the ring sharing have characteristics which will be described hereafter. Specifically, by making two values be random numbers, they have following characteristics: [0062] 1) An original value is not known from individual shared values; and [0063] 2) The original value cannot be restored unless all of three shared values are collected.

[0064] Each of nodes (parties) 1-1 to 1-3 has two shared values among the three shared values. This is called the secret sharing. For example, it is assumed that the parties 1-1 to 1-3 are represented by Party0, Party1, and Party2, respectively. In this event, those parties have the two shared values as follows:

(v2,v0), Party0:

(v0,v1), and Party1:

(v1,v2). Party2:

[0065] Accordingly, the original value v cannot be restored unless at least two parties cooperate with each other.

[0066] Now, description will proceed to specific secure computation. The secure computation executes an operation without restoring the original value v.

[0067] Specifically, in regard to original values v and w, in the bit sharing and the ring sharing, the following operations are possible.

[0068] That is, in a case of the bit sharing, operations of v∧w and v&w are possible. Herein, an operator & represents AND (logical product).

[0069] On the other hand, in a case of the ring sharing, operations of v+w and v*w are possible. Herein, an operator * represents multiplicative operation (multiplication).

[0070] A more complicate operation is carried out by combining these operations.

[0071] Now, description will proceed to a specific example of the secure computation in the case of bit sharing. First, description will proceed to the secure computation in the case of XOR (exclusive OR).

[0072] It is assumed that the integers v and w are respectively subjected to bit sharing as follows:

v=v0∧v1∧v2, and

w=w0∧w1∧w2

and the first through the third parties 1-1 to 1-3 respectively hold:

(v2,v0),(w2,w0), Party0:

(v0,v1),(w0,w1), and Party1:

(v1,v2),(w1,w2) Party2:

[0073] v∧w is represented by the following equation:

v∧w=(v0∧w0)∧(v1∧w1)∧(v2∧w2).

[0074] Then, the respective parties 1-1 to 1-3 compute the following equations:

(x2,x0)=(v2∧w2,v0∧w0), Party0:

(x0,x1)=(v0∧w0,v1∧w1), and Party1:

(x1,x2)=(v1∧w1,v2∧w2). Party2:

[0075] On the other hand, x is represented by the following equation:

x=x0∧x1∧x2=v∧w.

[0076] Accordingly, the respective parties 1-1 to 1-3 are supposed to have shared values of a result of v∧w.

[0077] Herein, communication between the parties 1-1 to 1-3 is unnecessary.

[0078] Now, description will proceed to the secure computation in a case of AND.

[0079] v&w is represented by the following equation:

[00001] $\begin{matrix} v & w = (V 0 ⩓ V 1 ⩓ V 2) & (w 0 ⩓ w 1 ⩓ w 2) \\ = (v 0 & w 0) ⩓ (v 0 & w 2) ⩓ (v 2 & w 0) \\ ⩓ (v 1 & w 1) ⩓ (v 1 & w 0) ⩓ (v 0 & w 1) \\ ⩓ (v 2 & w 2) ⩓ (v 2 & w 1) ⩓ (v 1 & w 2) . \end{matrix}$

[0080] The respective parties 1-1 to 1-3 compute, using random numbers m0∧m1∧m2=0, the following equations:

x0=(v0&w0)∧(v0&w2)∧(v2&w0)∧m0, Party0:

x1=(v1&w1)∧(v1&w0)∧(v0&w1)∧m1, and Party1:

x2=(v2&w2)∧(v2&w1)∧(v1&w2)∧m2. Party2:

[0081] In this event, the following equation holds:

x0∧v1∧x2=v&w.

[0082] Accordingly, when the respective parties 1-1 to 1-3 deliver data to a neighboring party, the respective parties 1-1 to 1-3 are supposed to hold shared values which are represented by the following equations:

(x2,x0), Party0:

(x0,x1), and Party1:

(x1,x2). Party2:

[0083] As a result, the respective parties 1-1 to 1-3 are supposed to hold shared values of v&w.

[0084] In this case, inasmuch as x0, x1, and x2 are masked with the random numbers, information does not leak out.

[0085] In addition, communication is necessary for computation of AND.

[0086] Now, description will proceed to the secure computation in a case of the ring sharing.

[0087] In the ring sharing, the operation of v+w is possible without communication while the operation of v*w requires communication.

[0088] Inasmuch as derivation is same as that in the case of the above-mentioned bit sharing, a detailed explanation thereof is omitted.

[0089] Now, description will proceed to a comparison operation in the related art.

[0090] Comparison between integers v and w (e.g., v<=w) is computable by the bit sharing and a combination of XOR and AND.

[0091] For example, it is assumed that each of v and w is 1 bit. In this event, the comparison (v<=w) is computable by the following equation:

(v<=w)=(1∧v)∧(v&w).

[0092] Accordingly, the comparison requires one AND and two XOR.

[0093] If this operation is carried out by the secure computation, computation is possible for v and w which are secretly shared.

[0094] Consequently, in a case of 32-bit integers, much more AND and XOR are required.

[0095] Furthermore, in a case where the integers v and w to be compared are subjected to the ring sharing and a compared result is desired to be obtained with the ring sharing, the following processing is required:

[0096] 1) Converts v and w from the ring sharing to the bit sharing (bit decomposition),

[0097] 2) Computes the compared result with AND/XOR in the above-mentioned manner, and

[0098] 3) Converts the result from the bit sharing to the ring sharing (bit composition).

[0099] As described above, the related art has a problem that AND/XOR is required for the comparison operation between the integers v and w and a computation time becomes longer.

SUMMARY OF THE INVENTION

[0100] Now, a principle of a proposal method of the present invention will be described with reference to comparison in a case of (a<=b) by way of example.

[0101] In this event, two integers a and b are shared and held in first through third secure computation devices.

[0102] It is assumed that the ring sharing is as follows:

a=a0+a1+a2, and

b=b0+b1+b2.

[0103] In this event, the first through the third secure computation devices (Party0, Party1, Party2) hold:

(a2,a0),(b2,b0), Party0:

(a0,a1),(b0,b1), and Party1:

(a1,a2),(b1,b2). Party2:

[0104] Accordingly, it is noted that addition/subtraction circuitries in the first through the third secure computation devices carry out addition/subtraction without using the integers a and b as they are but using shared values of those values.

[0105] Hereinafter, description will proceed to an example of implementing a case with a limitation to 0<=a, b<2{circumflex over ( )}k. Herein, 2{circumflex over ( )}k represents 2 to the k-th power and k is an integer which is not less than one. It is noted that, if uint32_t is used as a variable, up to k=31 is possible.

[0106] Assuming c=2{circumflex over ( )}k−a, (b+c)/(a+c) is computed.

[0107] Herein, an operator/is a function of calculating an integer part of a result (a divided result) obtained by dividing a numerator by a denominator. In other words, the operator/is the function of rounding the divided result to an integer by truncating the numbers after a decimal point.

[0108] Inasmuch as 2{circumflex over ( )}k<=a+c, b+c<=2{circumflex over ( )}(k+1), the following equation is obtained:

[00002] $\begin{matrix} (b + c) / (a + c) = 1 (a <= b), \\ = 0 (a > b) . \end{matrix}$

[0109] In addition, inasmuch as a+c=2{circumflex over ( )}k, the following equation holds:

(b+c)/(a+c)=(b+c)/2{circumflex over ( )}k.

[0110] The right side of the above-mentioned equation corresponds to dividing (b+c) by 2{circumflex over ( )}k (shifts right by k bits) or indicates that a (k+1)-th bit represents a compared result. In addition, the shifting is possible with the bit sharing.

[0111] Now, description will be made as regards <shifting right by k bits>. When

v=v0∧v1∧v2,

then

v>>k=(v0>>k)∧(v1>>k)∧(v2>>k),

therefore the secure computation is possible.

[0112] Accordingly, in the proposal method of the present invention, a computation procedure in the case of a<=b is as follows.

[0113] A procedure in a case where a and b are less than 2{circumflex over ( )}k and are subjected to the ring sharing is as follows:

[0114] (1) Computes b+2{circumflex over ( )}k−a with the ring sharing (where 2{circumflex over ( )}k is a constant);

[0115] (2) Converts the result (b+2{circumflex over ( )}k−a) into the bit sharing (bit decomposition);

[0116] (3) Shifts by k bits; and

[0117] (4) Converts the result into the ring sharing (bit composition).

[0118] In a case where the result with the bit sharing is sufficient, the step (4) is unnecessary. In addition, in lieu of the step (3), a (k+1)-th bit may be extracted.

[0119] Now, description will be made about application except for the comparison of a<=b.

[0120] By operating in the following manner, application is possible to those except for the comparison of a<=b.

[0121] In a case of comparison of a<b, a+1<=b is computed.

[0122] In another case of comparisons of a>b and a>=b, computation is carried out by replacing a and b with each other.

[0123] The foregoing is summarized as follows.

[0124] When the integers a and b satisfy 0<=a, b<=2{circumflex over ( )}k, a<=b is computed by (b+c)/(a+c).

[0125] When the two integers a and b are secret-shared, comparison is carried out by the secure computation with the above-mentioned procedure.

EXAMPLE EMBODIMENT

[0126] First, referring to FIG. 2, description will proceed to a secure computation system 1A according to an example embodiment of the present invention.

[0127] FIG. 2 is a block diagram for illustrating a configuration of the secure computation system 1A. The secure computation system 1A comprises first through third secure computation devices 1A-1, 1A-2, and 1A-3.

[0128] The first through the third secure computation devices 1A-1 to 1A-3 are devices which are capable of carrying out a comparison operation between two integers, as will later be described. Of course, the first through the third secure computation devices 1A-1 to 1A-3 can carry out operations except for the comparison operation. However, description thereof is omitted because they are not related to this invention.

[0129] The first through the third secure computation devices 1A-1 to 1A-3 have the same configuration.

[0130] Specifically, the first secure computation device 1A-1 comprises a first addition/subtraction circuitry 100-1, a first bit decomposition circuitry 200-1, and a first bit extraction circuitry 300-1. Similarly, the second secure computation device 1A-2 comprises a second addition/subtraction circuitry 100-2, a second bit decomposition circuitry 200-2, and a second bit extraction circuitry 300-2. The third secure computation device 1A-3 comprises a third addition/subtraction circuitry 100-3, a third bit decomposition circuitry 200-3, and a third bit extraction circuitry 300-3.

[0131] The first secure computation device 1A-1 may further comprise a first bit composition circuitry 400-1, as depicted by a broken line. Likewise, the second computation device 1A-2 may further comprise a second bit composition circuitry 400-2 and the third computation device 1A-3 may further comprise a third bit composition circuitry 400-3.

[0132] Inasmuch as the first through the third secure computation devices 1A-1 to 1A-3 have the same configuration as mentioned above, the first secure computation device 1A-1 will hereinafter be described as a representative example for the sake of simplification of explanation.

[0133] It is assumed that a first integer a and a second integer b, each of which is 0 or more and less than 2{circumflex over ( )}k (k being an integer which is not less than one), are subjected to ring sharing. In this event, the first secure computation device 1A-1 compares the first integer a with the second integer b in the following manner. Hereinafter, description will proceed to, by way of example, a case of detecting whether or not the first integer a is not more than the second integer b (a<=b).

[0134] The first addition/subtraction circuitry 100-1 carries out, using the first integer a, the second integer b, and 2{circumflex over ( )}k, a predetermined addition/subtraction with the ring sharing to produce a first added/subtracted result. Specifically, the first addition/subtraction circuitry 100-1 computes (b+2{circumflex over ( )}k−a) as the predetermined addition/subtraction with the ring sharing to produce (b+2{circumflex over ( )}k−a) as the first added/subtracted result.

[0135] The first bit decomposition circuitry 200-1 converts the first added/subtracted result into bit sharing to produce a first bit shared result.

[0136] The first bit extraction circuitry 300-1 extracts a (k+1)-th bit of the first bit shared result to produce a first extracted result. The first bit extraction circuitry 300-1 can be achieved as a first shifting circuitry for shifting the first bit shared result right by k bits to produce a first shifted result as the first extracted result.

[0137] The first bit composition circuitry 400-1 converts the first extracted result into ring sharing to produce a first ring shared result.

[0138] Other comparison computations except for (a<=b) may also be carried out in the following manner.

[0139] It is assumed that whether or not the first integer a is less than the second integer b (a<b) is detected. In this event, the first addition/subtraction circuitry 100-1 computes (b+2{circumflex over ( )}k−(a+1)) as the above-mentioned addition/subtraction with the ring sharing to produce (b+2{circumflex over ( )}k−(a+1)) as the first added/subtracted result. However, this method is applicable in a case of a+1<2{circumflex over ( )}k.

[0140] In addition, it is assumed that whether or not the first integer a is not less than the second integer b (a>=b) is detected. In this event, the first addition/subtraction circuitry 200-1 computes (a+2{circumflex over ( )}k−b) as the predetermined addition/subtraction with the ring sharing to produce (a+2{circumflex over ( )}k−b) as the first added/subtracted result.

[0141] Finally, it is assumed that whether or not the first integer a is more than the second integer b (a>b) is detected. In this event, the first addition/subtraction circuitry 200-1 computes (a+2{circumflex over ( )}k−(b+1)) as the above-mentioned addition/subtraction with the ring sharing to produce (a+2{circumflex over ( )}k−(b+1)) as the first added/subtracted result. However, this method is applicable in a case of a+1<2{circumflex over ( )}k.

[0142] Thus, in this example embodiment, it is possible to carry out the comparison computation without AND/XOR operation.

Example 1

[0143] Now, description will proceed to a first example of the present invention.

[0144] FIG. 3 is a block diagram for illustrating an n-th secure computation device 1A-n (n being an integer 1, 2, or 3) for use in the secure computation system 1A illustrated in FIG. 2.

[0145] The n-th secure computation device 1A-n comprises an addition/subtraction circuitry 100, a bit decomposition circuitry 200, and a bit extraction circuitry 300. The n-th secure computation device 1A-n may further comprise a bit composition circuitry 400, as depicted by a broken line.

[0146] The addition/subtraction circuitry 100 is supplied with the first integer a and the second integer b, each of which is 0 or more and less than 2{circumflex over ( )}k (k being an integer which is not less than one), and 2{circumflex over ( )}k. The addition/subtraction circuitry 100 carries out the predetermined addition/subtraction using the first integer a, the second integer b, and 2{circumflex over ( )}k with the ring sharing to produce an added/subtracted result. In this example, it is assumed that, as a comparison operation, whether or not the first integer a is not more than the second integer b (a<=b) is detected. In this event, the addition/subtraction circuitry 100 computes (b+2{circumflex over ( )}k−a) as the predetermined addition/subtraction with the ring sharing to produce (b+2{circumflex over ( )}k−a) as the added/subtracted result.

[0147] The added/subtracted result is supplied to the bit decomposition circuitry 200. The bit decomposition circuitry 200 converts the added/subtracted result into bit sharing to produce a bit shared result.

[0148] The bit shared result is supplied to the bit extraction circuitry 300. The bit extraction circuitry 300 extracts a (k+1)-th bit of the bit shared result to produce an extracted result. In addition, the bit extraction circuitry 300 can be achieved as a shifting circuitry for shifting the bit shared result right by k bits to produce a shifted result as the extracted result.

[0149] The shifted result is supplied to the bit composition circuitry 400. The bit composition circuitry 400 converts the shifted result into ring sharing to produce a ring shared result.

[0150] FIG. 4 is a flow chart for use in describing an operation of the n-th secure computation device 1A-n illustrated in FIG. 3.

[0151] The addition/subtraction circuitry 100 computes (b+2{circumflex over ( )}k−a) with the ring sharing to produce (b+2{circumflex over ( )}k−a) as the added/subtracted result (step S101).

[0152] Next, the bit decomposition circuitry 200 converts the added/subtracted result into the bit sharing to produce the bit shared result (step S102).

[0153] Subsequently, the bit extraction circuitry 300 shifts the bit shared result right by k bits to produce the shifted result as the extracted result (step S103).

[0154] As an option, the bit composition circuitry 400 converts the shifted result into the ring sharing to produce the ring shared result (step S104).

[0155] Other comparison computations except for (a<=b) are possible by the addition/subtraction circuitry 100 carrying out the predetermined addition/subtraction as described above.

[0156] Now, description will proceed to an effect of the first example of the present invention.

[0157] Using this comparison method brings about an effect that the comparison computation can be carried out without AND/XOR operation.

Example 2

[0158] Now, description will proceed to a second example of the present invention.

[0159] In the second example, description will be made about <an example in a ring of 2{circumflex over ( )}4 (=16)>. Herein, it is assumed that k=3 (2{circumflex over ( )}k=8). In this example, description will proceed to a case of computing a<=b where a=5, b=7.

[0160] First, it is assumed that a, b, and 2{circumflex over ( )}k are subjected to ring sharing as follows:

a=7+6+8(=21%16=5)

b=9+3+11(=23%16=7)

2{circumflex over ( )}k=1+15+8(=24%16=8)

[0161] Herein, % means mod and indicates congruence modulo. Accordingly, 21%16=5 indicates that the remainder obtained by dividing 21 by 16 is equal to 5.

[0162] The respective parties compute (b+2{circumflex over ( )}5−a). Herein, n=4.

(b+2{circumflex over ( )}k−a)%2{circumflex over ( )}n=(9+1−7)%16=3 party0:

(b+2{circumflex over ( )}k−a)%2{circumflex over ( )}n=(3+15−6)%16=12 party1:

(b+2{circumflex over ( )}k−a)%2{circumflex over ( )}n=(11+8−8)%16=11 party2:

[0163] When the added/subtracted result is decoded, (3+12+11)%16=10 is obtained.

[0164] The bit shared result, which is obtained by bit-decomposing the added/subtracted result, is as follows:

1111 party0:

0110 party1:

0011 party2:

[0165] When the above result is decoded, 1111∧0110∧0011=1010 (10 in decimal number) is obtained. A (k+1)-th bit (e.g. fourth bit) is 1 and this represents a result of a<=b (5<=7).

[0166] When shifting right by k bits is carried out in order to extract the (k+1)-th bit, the following is obtained:

0001 party0:

0000 party1:

0000 party2:

[0167] When the above is decoded, 0000∧0001∧0000=0001 is obtained, which is the bit sharing of the result of a<=b.

[0168] When the bit composition is carried out in order to obtain the result with the ring sharing, the following is obtained:

1 party0:

4 party1:

12 party2:

[0169] When the above is decoded, (1+4+12)%16=1 is obtained, which is the ring sharing of the result of a<=b.

[0170] As described above, according to the second example, it is understood that the comparison computation can be carried out without AND/XOR operation.

[0171] Furthermore, this invention is not limited to the foregoing example embodiment and examples as they are, but may be embodied in an implementation stage by changing the components in a range not departing from the gist of this invention. In addition, various inventions may be formed by an appropriate combination of a plurality of components. For example, in the foregoing example embodiment (examples), description has been made about only the case of the secure computation system comprising the three secure computation devices. However, it is needless to say that this invention is generally applicable in a similar manner also to a case of the secure computation system comprising N secure computation devices (where N represents an integer which is not less than three).

[0172] It is noted that the method described in the present invention may be executed by a computer. A program causing this method to be executed may be distributed by storing the program in a recording medium, for example, a magnetic disk such as a floppy (registered trademark) disk, a hard disk, and so on, an optical disc such as a CD-ROM (Compact Disc-Read Only memory), a DVD (digital versatile disc) and so on, a magneto-optical disc, a semiconductor memory, or the like.

[0173] Furthermore, the recording medium may have any form of a storage format as far as the recording medium can store the program and can be read by the computer.

[0174] In addition, a part of each processing may be executed by an operating system or a middleware, such as a database management software, a network software or the like, operating on the computer on the basis of instructions of the program installed from the recording medium to the computer.

[0175] Moreover, the above-mentioned recording medium is not restricted to a medium independent from the computer and includes a recording medium in which the program transmitted via a LAN (Local Area Network), the Internet, or the like is downloaded and stored or temporarily stored.

[0176] In addition, the recording medium is not restricted to one and the recording medium according to this invention includes a case where the processing according to the above-mentioned example embodiment (examples) is carried out with a plurality of media. Configuration of the medium may be any configuration.

[0177] The computer in this invention executes each processing based on the program stored in the recording medium and may have any configuration such as a device composed of a personal computer or the like, a system including a plurality of devices connected via a network, and so on.

[0178] In addition, the computer in this invention is not restricted to the personal computer and is equipment or a device which includes a processing unit to be included in an information processing apparatus and which is capable of realizing the function of this invention by using the program.

[0179] Specifically, each part of the n-th secure computation device 1A-n may be implemented by a combination of hardware and software. In a form in which the hardware and the software are combined, the respective parts are implemented as various kinds of means by developing a comparison program in an RAM (random access memory) and making hardware such as a control unit (CPU (central processing unit)) or the like operate based on the comparison program. The comparison program may be recorded in a recording medium to be distributed, as mentioned above. A face authentication program recorded in the recording medium is read into a memory via a wire, wirelessly, or via the recording medium itself to operate the control unit and so on. By way of example, the recording medium may be an optical disc, a magnetic disk, a semiconductor memory device, a hard disk, or the like.

[0180] Explaining the above-mentioned example embodiment with a different expression, it is possible to implement the example embodiment by making a computer to be operated as the n-th secure computation device 1A-n act as the addition/subtraction circuitry 100, the bit decomposition circuitry 200, the bit extraction circuitry 300, and the bit composition circuitry 400 according to the comparison program developed in the RAM.

[0181] A part or a whole of the example embodiment described above may be described as, but not limited to, the following supplementary notes.

[0182] (Supplementary Note 1)

[0183] A secure computation device for comparing, in a case where a first integer a and a second integer b, each of which is more than 0 and less than 2{circumflex over ( )}k (where k is an integer equal to or more than one), are subjected to ring sharing, the first integer a with the second integer b, wherein the secure computation device comprises:

[0184] an addition/subtraction circuitry configured to carry out a predetermined addition/subtraction using the first integer a, the second integer b, and 2{circumflex over ( )}k with the ring sharing to produce an added/subtracted result;

[0185] a bit decomposition circuitry configured to convert the added/subtracted result into bit sharing to produce a bit shared result; and

[0186] a bit extraction circuitry configured to extract a (k+1)-th bit of the bit shared result to produce an extracted result.

[0187] (Supplementary Note 2)

[0188] The secure computation device according to Supplementary Note 1, wherein the bit extraction circuitry comprises a shifting circuitry configured to shift the bit shared result right by k bits to produce a shifted result as the extracted result.

[0189] (Supplementary Note 3)

[0190] The secure computation device according to Supplementary Note 2, further comprising a bit composition circuitry configured to convert the shifted result into ring sharing to produce a ring shared result.

[0191] (Supplementary Note 4)

[0192] The secure computation device according to any one of Supplementary Notes 1 to 3, wherein:

[0193] in a case of detecting whether or not the first integer a is not more than the second integer b,

[0194] the addition/subtraction circuitry is configured to calculate (b+2{circumflex over ( )}k−a) with ring sharing as the predetermined addition/subtraction to produce (b+2{circumflex over ( )}k−a) as the added/subtracted result.

[0195] (Supplementary Note 5)

[0196] The secure computation device according to any one of Supplementary Notes 1 to 3, wherein:

[0197] in a case of detecting whether or not the first integer a is less than the second integer b,

[0198] the addition/subtraction circuitry is configured to calculate (b+2{circumflex over ( )}k−(a+1)) with ring sharing as the predetermined addition/subtraction to produce (b+2{circumflex over ( )}k−(a+1)) as the added/subtracted result.

[0199] (Supplementary Note 6)

[0200] The secure computation device according to any one of Supplementary Notes 1 to 3, wherein:

[0201] in a case of detecting whether or not the first integer a is not less than the second integer b,

[0202] the addition/subtraction circuitry is configured to calculate (a+2{circumflex over ( )}k−b) with ring sharing as the predetermined addition/subtraction to produce (a+2{circumflex over ( )}k−b) as the added/subtracted result.

[0203] (Supplementary Note 7)

[0204] The secure computation device according to any one of Supplementary Notes 1 to 3, wherein:

[0205] in a case of detecting whether or not the first integer a is more than the second integer b, the addition/subtraction circuitry is configured to calculate (a+2{circumflex over ( )}k−(b+1)) with ring sharing as the predetermined addition/subtraction to produce (a+2{circumflex over ( )}k−(b+1)) as the added/subtracted result.

[0206] (Supplementary Note 8)

[0207] A secure computation system comprising N secure computation devices each of which is described in any one of Supplementary Notes 1 to 7, where N represents an integer which is not less three.

[0208] (Supplementary Note 9)

[0209] A comparison method for comparing, in a case where a first integer a and a second integer b, each of which is more than 0 and less than 2{circumflex over ( )}k (where k is an integer equal to or more than one), are subjected to ring sharing, the first integer a with the second integer b in a secure computation device, wherein the comparison method comprises:

[0210] an addition/subtraction step of carrying out a predetermined addition/subtraction using the first integer a, the second integer b, and 2{circumflex over ( )}k with the ring sharing to produce an added/subtracted result;

[0211] a bit decomposition step of converting the added/subtracted result into bit sharing to produce a bit shared result; and

[0212] a bit extraction step of extracting a (k+1)-th bit of the bit shared result to produce an extracted result.

[0213] (Supplementary Note 10)

[0214] The comparison method according to Supplementary Note 9, wherein the bit extraction step comprises a shifting step of shifting the bit shared result right by k bits.

[0215] (Supplementary Note 11)

[0216] The comparison method according to Supplementary Note 10, further comprising a bit composition step for converting the shifted result into ring sharing to produce a ring shared result.

[0217] (Supplementary Note 12)

[0218] The comparison method according to any one of Supplementary Notes 9 to 11, wherein:

[0219] in a case of detecting whether or not the first integer a is not more than the second integer b,

[0220] the addition/subtraction step calculates (b+2{circumflex over ( )}k−a) with ring sharing as the predetermined addition/subtraction to produce (b+2{circumflex over ( )}k−a) as the added/subtracted result.

[0221] (Supplementary Note 13)

[0222] The comparison method according to any one of Supplementary Notes 9 to 11, wherein:

[0223] in a case of detecting whether or not the first integer a is less than the second integer b,

[0224] the addition/subtraction step calculates (b+2{circumflex over ( )}k−(a+1)) with ring sharing as the predetermined addition/subtraction to produce (b+2{circumflex over ( )}k−(a+1)) as the added/subtracted result.

[0225] (Supplementary Note 14)

[0226] The comparison method according to any one of Supplementary Notes 9 to 11, wherein:

[0227] in a case of detecting whether or not the first integer a is not less than the second integer b,

[0228] the addition/subtraction step calculates (a+2{circumflex over ( )}k−b) with ring sharing as the predetermined addition/subtraction to produce (a+2{circumflex over ( )}k−b) as the added/subtracted result.

[0229] (Supplementary Note 15)

[0230] The comparison method according to any one of Supplementary Notes 9 to 11, wherein:

[0231] in a case of detecting whether or not the first integer a is more than the second integer b,

[0232] the addition/subtraction step calculates (a+2{circumflex over ( )}k−(b+1)) with ring sharing as the predetermined addition/subtraction to produce (a+2{circumflex over ( )}k−(b+1)) as the added/subtracted result.

[0233] (Supplementary Note 16)

[0234] A comparison program recording medium storing a comparison program for causing, in a case where a first integer a and a second integer b, each of which is more than 0 and less than 2{circumflex over ( )}k (where k is an integer equal to or more than one), are subjected to ring sharing, a computer serving as a secure computation device to compare the first integer a with the second integer b, wherein the comparison program causes the computer to achieve:

[0235] an addition/subtraction function of carrying out a predetermined addition/subtraction using the first integer a, the second integer b, and 2{circumflex over ( )}k with the ring sharing to produce an added/subtracted result;

[0236] a bit decomposition function of converting the added/subtracted result into bit sharing to produce a bit shared result; and

[0237] a bit extraction function of extracting a (k+1)-th bit of the bit shared result to produce an extracted result.

[0238] (Supplementary Note 17)

[0239] The comparison program recording medium according to Supplementary Note 16, wherein the bit extraction function comprises a shifting function of shifting the bit shared result right by k bits.

[0240] (Supplementary Note 18)

[0241] The comparison program recording medium according to Supplementary Note 17, wherein the comparison program further causes the computer to achieve a bit composition function of converting the shifted result into ring sharing to produce a ring shared result.

[0242] (Supplementary Note 19)

[0243] The comparison program recording medium according to any one of Supplementary Notes 16 to 18, wherein:

[0244] in a case of detecting whether or not the first integer a is not more than the second integer b,

[0245] the addition/subtraction function calculates (b+2{circumflex over ( )}k−a) with ring sharing as the predetermined addition/subtraction to produce (b+2{circumflex over ( )}k−a) as the added/subtracted result.

[0246] (Supplementary Note 20)

[0247] The comparison program recording medium according to any one of Supplementary Notes 16 to 18, wherein:

[0248] in a case of detecting whether or not the first integer a is less than the second integer b,

[0249] the addition/subtraction function calculates (b+2{circumflex over ( )}k−(a+1)) with ring sharing as the predetermined addition/subtraction to produce (b+2{circumflex over ( )}k−(a+1)) as the added/subtracted result.

[0250] (Supplementary Note 21)

[0251] The comparison program recording medium according to any one of Supplementary Notes 16 to 18, wherein:

[0252] in a case of detecting whether or not the first integer a is not less than the second integer b,

[0253] the addition/subtraction function calculates (a+2{circumflex over ( )}k−b) with ring sharing as the predetermined addition/subtraction to produce (a+2{circumflex over ( )}k−b) as the added/subtracted result.

[0254] (Supplementary Note 22)

[0255] The comparison program recording medium according to any one of Supplementary Notes 16 to 18, wherein:

[0256] in a case of detecting whether or not the first integer a is more than the second integer b,

[0257] the addition/subtraction function calculates (a+2{circumflex over ( )}k−(b+1)) with ring sharing as the predetermined addition/subtraction to produce (a+2{circumflex over ( )}k−(b+1)) as the added/subtracted result.

[0258] This application is based upon and claims the benefit of priority from Japanese patent application No. 2017-98853, filed on May 18, 2017, the disclosure of which is incorporated herein in its entirety by reference.

REFERENCE SIGNS LIST

[0259] 1A secure computation system [0260] 1A-1 first secure computation device [0261] 1A-2 second secure computation device [0262] 1A-3 third secure computation device [0263] 1A-n n-th secure computation device [0264] 100, 100-1 to 100-3 addition/subtraction circuitry [0265] 200, 200-1 to 200-3 bit decomposition circuitry [0266] 300, 300-1 to 300-3 bit extraction circuitry (shifting circuitry) [0267] 400, 400-1 to 400-3 bit composition circuitry

SECURE COMPUTATION DEVICE, COMPARISON METHOD, COMPARISON PROGRAM RECORDING MEDIUM, AND SECURE COMPUTATION SYSTEM

Assignee

Inventors

Cpc classification

Classification Explorer

G09C1/00

PHYSICS

Classification Explorer

H04L2209/00

ELECTRICITY

Classification Explorer

H04L9/00

ELECTRICITY

Classification Explorer

H04L9/085

ELECTRICITY

Classification Explorer

H04L2209/46

ELECTRICITY

Classification Explorer

G06F9/3001

PHYSICS

Classification Explorer

G06F9/30134

PHYSICS

Classification Explorer

G06F9/30018

PHYSICS

Classification Explorer

G06F9/30029

PHYSICS

International classification

Classification Explorer

G06F9/30

PHYSICS

Abstract

Claims

Description