SECURE COMPUTATION APPARATUS, SECURE COMPUTATION METHOD, AND PROGRAM

Abstract

A secret share value [f.sub.t(x)-f.sub.t(x)] of f.sub.t(x)-f.sub.t(x) is obtained through secure computation using a secret share value [x] of a real number x, and a secret share value [f.sub.t(x)-f.sub.t(x)].sub.r of (f.sub.t(x)-f.sub.t(x)).sub.r obtained by right-shifting f.sub.t(x)-f.sub.t(x) by the predetermined number of bits is obtained through secure computation using the secret share value [f.sub.t(x)-f.sub.t(x)]. Here, [μ] is a secret share value of μ, n is an integer equal to or greater than 1, t=0, . . . , n−1, u=1, . . . , n−1, f.sub.t(x) is a function of the real number x, f.sub.t(x) is an approximation function of the function f.sub.t(x), a secret share value [f.sub.0(x)] of an approximation function f.sub.0(x) is [f.sub.0(x)]=c.sub.o,0+c.sub.0,1[x], a secret share value [f.sub.u(x)] of an approximation function f.sub.u(x) is [f.sub.u(x)]=c.sub.u,0+c.sub.u,1[x]+c.sub.u,2[f.sub.0(x)]+. . . +c.sub.u,u+1[f.sub.u−1(x)], c.sub.t,0 is a public value, and c.sub.t,1, . . . , c.sub.t,n+1 are coefficients.

Claims

1. A secure computation device, wherein x is a real number, [μ] is a secret share value of μ, n is an integer equal to or greater than 1, t=0, . . . , n−1, u=1, . . . , n−1, f.sub.t(x) is a function of the real number x, f′.sub.t(x) is an approximation function of the function f.sub.t(x), a secret share value [f′.sub.0(x)] of an approximation function f′.sub.0(x) is [f′.sub.0(x)]=c.sub.o,0 +c.sub.0,1[x], a secret share value [f′.sub.u(x)] of an approximation function f′.sub.u(x) is [f′.sub.u(x)]=c.sub.u,0+c.sub.u,1[x]+c.sub.u,2[f.sub.0(x)]+, . . . +c.sub.u,u+1[f.sub.u−1(x)], c.sub.t,0 is a public value, and c.sub.t,1, . . . , c.sub.t,n+1 are coefficients, the secure computation device comprising: first secure computation circuitry configured to obtain a secret share value [f.sub.t(x)-f′.sub.t(x)] of f.sub.t(x)-f′.sub.t(x) through secure computation using a secret share value [x] of the real number x; and second secure computation circuitry configured to obtain a secret share value [f.sub.t(x)-f′.sub.t(x)].sub.r of (f.sub.t(x)-f′.sub.t(x)).sub.r obtained by right-shifting f.sub.t(x)-f′.sub.t(x) by the number of bits predetermined through secure computation using the secret share value [f.sub.t(x)-f′.sub.t(x)].

2. The secure computation device according to claim 1, further comprising third secure computation circuitry configured to obtain a secret share value [f.sub.t(x)] of the function f.sub.t(x) through secure computation using the secret share value [f.sub.t(x)-f′.sub.t(x)].sub.r and the secret share value [f′.sub.t(x)].

3. The secure computation device according to claim 1, wherein the first secure computation circuitry obtains the secret share value [f.sub.t(x)-f′.sub.t(x)] through secure computation of sum-of-product computation using the secret share value [x].

4. The secure computation device according to claim 2, wherein n is an integer equal to or greater than 2, and every time processing operations of the first secure computation circuitry, the second secure computation circuitry, and the third secure computation circuitry are executed for t=0, . . . , n−2, the processing operations, with t+1 as a new t, of the first secure computation circuitry, the second secure computation circuitry, and the third secure computation circuitry are executed again to obtain a secret share value [f.sub.n−1(x)].

5. The secure computation device according to claim 2, wherein n=3, a, b, c, d, f, g, h, i, j, k, s, m, n, o, p, q, α, β, γ, δ, and ζ are real numbers, f.sub.0(x)=y=δx.sup.2+ax, f.sub.1(x)=z=y(ζy+b)+cx, f.sub.2(x)=w=γ(z(αz+d)+y(βx+f)+gx), f.sub.0(x)=ix+j, f.sub.1(x)=ky+sx+m, and f.sub.2(x)=nz+oy+px+q.

6. The secure computation device according to claim 5, wherein the first secure computation circuitry obtains a secret share value [f.sub.0(x)-f′.sub.0(x)]=[y′]=[x(δx+a−i)-j] through secure computation of sum-of-product computation using the secret share value [x], the second secure computation circuitry obtains a secret share value [y′].sub.r of y′.sub.r obtained by right-shifting y′ by the number of bits predetermined through secure computation using the secret share value [y′], the third secure computation circuitry obtains a secret share value [y]=[y′+(ix+j)] through secure computation using the secret share value [y′].sub.r and the secret share value [f′.sub.0(x)]=[ix+j], the first secure computation circuitry obtains a secret share value [f.sub.1(x)-f′.sub.1(x)]=[z′]=[y(ζy+b−k)+(c−s)x- m] through secure computation of sum-of-product computation using the secret share value [x] and the secret share value [y], the second secure computation circuitry obtains a secret share value [z′].sub.r of z′.sub.r obtained by right-shifting z′ by the number of bits predetermined through secure computation using the secret share value [z′], the third secure computation circuitry obtains a secret share value [y]=[z′+(ky+sx+m)] through secure computation using the secret share value [z′].sub.r and the secret share value [f′.sub.1(x)]=[ky+sx+m], the first secure computation circuitry obtains a secret share value [w′/γ]=[z(αz+d−n/γ)+(βx+f-o/γ)y+(g-p)x+(h-q)/γ] through secure computation of sum-of-product computation using the secret share value [x], the secret share value [y], and the secret share value [z], the second secure computation circuitry obtains a secret share value [w].sub.r of w′.sub.r obtained by right-shifting w′ obtained by multiplying w′/γ by γ by the number of bits predetermined through secure computation using the secret share value [w′/γ], and the third secure computation circuitry obtains a secret share value [w]=[w′+(nz+oy+px+q)] through secure computation using the secret share value [w′].sub.r and the secret share value [f′.sub.2(x)]=[nz+oy+px+q].

7. The secure computation device according to claim 6, wherein 6 is a positive integer, and the second secure computation circuitry obtains a public value 2.sup.σ/γ, and obtains the secret share value [w′].sub.r through secure computation of public value division [w′/γ]/(2.sup.σ/γ) using the public value 2.sup.θ/γ and the secret share value [w′/γ].

8. The secure computation device according to claim 2, wherein n=2, a, b, c, γ, δ, i, j, k, s, and m are real numbers, f.sub.0(x)=y=δx.sup.2+ax, f.sub.1(x)=z=γ(y(δy+b)+cx), f.sub.0(x)=ix+j, and f.sub.1(x)=ky+sx+m.

9. The secure computation device according to claim 8, wherein the first secure computation circuitry obtains a secret share value [f.sub.0(x)-f′.sub.0(x)]=[y′]=[x(δx+a-i)-j] through secure computation of sum-of-product computation using the secret share value [x], the second secure computation circuitry obtains a secret share value [y′].sub.r of y′.sub.r obtained by right-shifting y′ by the number of bits predetermined through secure computation using the secret share value [y′], the third secure computation circuitry obtains a secret share value [y]=[y′+(ix+j)] through secure computation using the secret share value [y′].sub.r and the secret share value [f′.sub.0(x)]=[ix+j], the first secure computation circuitry obtains a secret share value [z′/γ]=[y(ζy +b-k/y)+(c-s/y)x-m/y] through secure computation of sum-of-product computation using the secret share value [x] and the secret share value [y], the second secure computation circuitry obtains a secret share value [z′].sub.r of z′.sub.r obtained by right-shifting z′ obtained by multiplying z′/γ by γ by the number of bits predetermined through secure computation using the secret share value [z′/γ], and the third secure computation circuitry obtains a secret share value [z]=[z′+(ky+sx+m)] through secure computation using the secret share value [z′].sub.r and the secret share value [f′.sub.1(x)]=[ky+sx+m].

10. The secure computation device according to claim 9, wherein 6 is a positive integer, and the second secure computation circuitry obtains a public value 2.sup.σ/γ, and obtains the secret share value [z′].sub.r through secure computation of public value division [z′/γ]/(2.sup.σ/γ) using the public value 2.sup.σ/γ and the secret share value [z′/γ].

11. A secure computation method, wherein x is a real number, [a] is a secret share value of μ, n is an integer equal to or greater than 1, t=0, . . . , n−1, u=1, . . . , n−1, F.sub.t(x) is a function of the real number x, f′.sub.t(x) is an approximation function of the function f.sub.t(x), a secret share value [f′.sub.0(x)] of an approximation function f′.sub.0(x) is [f′.sub.0(x)]=c.sub.o,0 +c.sub.o,1[x], a secret share value [f′.sub.u(x)] of an approximation function f′.sub.u(x) is [f′.sub.u(x)]=c.sub.u,0+c.sub.u,1[x]+c.sub.u,2[f.sub.0(x)]+. . . +c.sub.u,u+1[f.sub.u-1(x)], c.sub.t,0 is a public value, and c.sub.t,1, . . . , c.sub.t,n+1 are coefficients, the secure computation method, performed by processing circuitry, comprising: obtaining, a secret share value [f.sub.t(x)-f′.sub.t(x)] of f.sub.t(x)-f′.sub.t(x) through secure computation using a secret share value [x] of the real number x; and obtaining, a secret share value [f.sub.t(x)-f′.sub.t(x)].sub.r of (f.sub.t(x)-f′.sub.t(x)).sub.r obtained by right-shifting f.sub.t(x)-f′.sub.t(x) by the number of bits predetermined through secure computation using the secret share value [f.sub.t(x)-f′.sub.t(x)].

12. A non-transitory computer-readable recording medium storing a program for causing a computer to execute processing according to claim 11.

Description

BRIEF DESCRIPTION OF DRAWINGS

[0008] FIG. 1 is a block illustrating a secure computation device of an embodiment.

[0009] FIG. 2 is a flow diagram illustrating processing of a first embodiment.

[0010] FIG. 3 is a flow diagram illustrating processing of a second embodiment.

[0011] FIG. 4 is a flow diagram illustrating processing of a third embodiment.

[0012] FIG. 5 is a table illustrating calculated parameters regarding each elementary function.

[0013] FIG. 6 is a block diagram illustrating a hardware configuration.

DESCRIPTION OF EMBODIMENTS

[0014] Hereinafter, embodiments of the present disclosure will be described with reference to the drawings.

[0015] In recent years, research on advanced statistics and machine learning using secure computation has been actively performed. However, most of these operations include elementary function calculations such as reciprocals, square roots, exponents, logarithms, and the like that go beyond addition, subtraction, and multiplication that are good for secure computation. Examples of a function approximation method for a basic function such as an elementary function include a Taylor expansion. The Taylor expansion or the like is a polynomial, and any function is approximated by a polynomial so that approximate calculation of the function can be performed by using addition, subtraction, and multiplication that are good for secure computation.

[0016] In the following embodiment, any function is approximated by a polynomial function f.sub.t(x), a secret share value [f.sub.t(x)-f′.sub.t(x)] of a difference f.sub.t(x)-f′.sub.t(x) between the function f.sub.t(x) before right shift and the approximation function f′.sub.u(x) of the function f.sub.t(x) is calculated, a secret share value [f.sub.t(x)-f′.sub.t(x)].sub.r of (f.sub.t(x)-f′.sub.t(x)).sub.r obtained by right-shifting f.sub.t(x)-f′.sub.t(x) is obtained, and a secret share value [f.sub.t(x)] of a function f.sub.t(x) obtained by adding f′.sub.t(x) to f.sub.t(x)-f′.sub.t(x) is obtained through secure computation of the secret share value [f.sub.t(x)-f′.sub.t(x)].sub.r and the secret share value [f′.sub.t(x)]. Here, x is a real number, [μ] is a secret share value of μ, n is an integer equal to or greater than 1 (for example, n is an integer equal to or greater than 2), t=0, . . . , n−1, u=1, . . . , n−1 , f.sub.t(x) is a function of the real number x, f′.sub.t(x) is an approximation function of the function f.sub.t(x), a secret share value [f′.sub.0(x)] of an approximation function f′.sub.0(x) is [f′.sub.0(x)]=c.sub.o,0+c.sub.o,1[x], a secret share value [f′.sub.u(x)] of an approximation function f′.sub.u(x) is [f′.sub.u(x)]=c.sub.u,0+c.sub.u,1[x]+c.sub.u,1[x]+c.sub.u,2[f.sub.0(x)]+. . . +[f.sub.u-1(x)], c.sub.t,0 is a public value, and c.sub.t,1, . . . , c.sub.t,n+1 are coefficients. Here, c.sub.t,1, . . . , c.sub.t,n+1 are values with small effective numbers of bits and are values that do not require a shift due to overflow even when c.sub.t,1, . . . , c.sub.t,n+1 is multiplied. f.sub.t(x)-f′.sub.t(x) is positive. Further, a public decimal point position is defined for an integer on the ring so that this can be regarded as a fixed-point real number. In the embodiment, the fixed-point real number indicated on the ring in this way is simply expressed as a real number. A secret sharing scheme is not limited, and examples thereof include an additive secret sharing scheme and a Shamir's secret sharing scheme. An example of [μ] is a secret share value (share) obtained by performing linear secret sharing on an element μ on a quotient ring.

[0017] Here, because magnitude of f.sub.t(x)-f′.sub.t(x) is smaller than that of f.sub.t(x), an overflow of the secret share value [f.sub.t(x)-f′.sub.t(x)] can be curbed. Further, because the secret share value [f.sub.t(x)-f′.sub.t(x)] of the difference f.sub.t(x)-f′.sub.t(x) between the function f.sub.t(x) before right shift and the approximation function f.sub.u(x) of the function f.sub.t(x) is calculated, it is possible to maintain high precision. The overflow is a problem based on performance of a processor in which the secure computation is implemented, and the present scheme provides a scheme for solving a problem based on constraints on this hardware. Thus, this scheme does not solve pure mathematics problems, but solves hardware implementation problems, and therefore, has technical characteristics. For example, technical characteristics of a processor that overflows when the secret share value [f.sub.t(x)] is calculated but does not overflow in calculation of the secret share value [f.sub.t(x)-f′.sub.t(x)] are remarkable.

[0018] Hereinafter, each of embodiments will be described.

First Embodiment

[0019] The secure computation device 1 of the first embodiment includes secure computation units 11, 12, and 13 and a control unit 19, as illustrated in FIG. 1. The secure computation device 1 of the present embodiment receives the secret share value [x] ∈[L, R) of the real number x as an input and performs secure computation to output a secret share value [f.sub.n−1 (x)] of a target function f.sub.n−1(x). Here, L and R are real numbers satisfying L <R, and [L, R) indicates a left-closed, right-open interval of L or more and smaller than R. An example of the function f.sub.n−1(x) is a polynomial for approximating an elementary function. Functions that appear in the process of obtaining f.sub.n−1(x) are written as f.sub.0(x), . . . , f.sub.n−2(x). Hereinafter, a detailed description will be given with reference to FIG. 2.

[0020] As illustrated in FIG. 2, first, the secret share value [x] is input to the secure computation unit 11 of the secure computation device 1 (step S10). Then, the control unit 19 initializes a value of t to t=0 (step S19a).

[0021] The secure computation unit 11 uses at least the secret share value [x] to obtain and output a secret share value [f.sub.t(x)-f′.sub.t(x)] of a difference f.sub.t(x)-f′.sub.t(x) between the function f.sub.t(x) and the approximation function f.sub.u(x) of the function f.sub.t(x) through secure computation of a sum of products. Here, [f′.sub.0(x)]=c.sub.o,0+c.sub.o,1[x], and [f′.sub.u(x)]=c.sub.u,0+c.sub.u,1[x]+c.sub.u,2[f.sub.0(x)]+. . . +[f.sub.u−1(x)] for u=1, . . . , n−1. For example, when t=0, the secure computation unit 11 uses the secret share value [x], the function f.sub.0(x), c.sub.0,0 and c.sub.0,1 to obtain the secret share value [f.sub.0(x)-f′.sub.0(x)]. When t=1, . . . , n−1, the secure computation unit 11 uses the secret share value [x], [f.sub.0(x)], . . . , [f.sub.t(x)], and c.sub.0,0, c.sub.0,1, . . . , c.sub.0,t+1 to obtain the secret share value [f.sub.t(x)-f′.sub.t(x)] (step S11).

[0022] The secret share value [f.sub.t(x)-f′.sub.t(x)] is input to the secure computation unit 12. The secure computation unit 12 obtains and outputs the secret share value [f.sub.t(x)-f′.sub.t(x)].sub.r of (f.sub.t(x)-f′.sub.t(x)), obtained by right-shifting f.sub.t(x)-f′.sub.t(x) by the predetermined number of bits through secure computation using the secret share value [f.sub.t(x)-f′.sub.t(x)]. The secure computation of the right shift can be realized by secret computation of division. This lowers a decimal point position of f.sub.t(x)-f′.sub.t(x) to a predetermined digit. This decimal point position is determined in advance (step S12).

[0023] The secret share value [f.sub.t(x)-f′.sub.t(x)].sub.r is input to the secure computation unit 13. The secure computation unit 13 obtains and outputs the secret share value [f.sub.t(x)] of the function f.sub.t(x) through secure computation using the secret share value [f.sub.t(x)-f′.sub.t(x)].sub.r and the secret share value [f′.sub.t(x)]. That is, the secure computation unit 13 obtains the secret share value [f.sub.t(x)] of f.sub.t(x)-f′.sub.t(x) +f.sub.t(x)=f.sub.t(x) through secure computation of addition using the secret share value [f.sub.t(x)-f′.sub.t(x)].sub.r and the secret share value [f.sub.t(x)] (step S13).

[0024] The control unit 19 determines whether t=n−1 (step S19b). When it is not that t=n−1, the control unit 19 sets t+1 as a newt and returns the processing to step S11 (step S19c). On the other hand, when t=n−1, the secure computation unit 13 outputs the secret share value [f.sub.n−1(x)] (step S19d). That is, every time the secure computation device 1 executes processing operations of steps S11 to S13 of the secure computation units 11 to 13, respectively, for t=0, . . . , n−2, the secure computation device 1 sets t+1 as a new t, executes processing operations of steps S11 to S13 again, and obtains the secret share value [f.sub.n−1(x)].

Second Embodiment

[0025] As illustrated in FIG. 1, a secure computation device 2 of a second embodiment includes secure computation units 21, 22, and 23, and a control unit 19. The secure computation device 2 of the second embodiment receives the secret share value [x] ∈ [L, R) of the real number x as an input and performs secure computation to output a secret share value [f.sub.n−1(x)] of a target function f.sub.n−1(x). In the second embodiment, an example in which n=3, a, b, c, d, f, g, h, i, j, k, s, m, n, o, p, q, α, β, 65 , δ, and ζ are real numbers, f.sub.0(x)=y=δx.sup.2+ax, f.sub.1(x)=z=y(ζy+b)+cx, f.sub.2(x)=w=γ(z(αz+d) +y(βx+f)+gx), f′.sub.0(x)=ix+j, i(x)=ky+sx+m, and f′.sub.2(x)=nz+oy+px+q will be described. A method of setting the recent functions f.sub.0(x)=ix+j, f′.sub.1(x)=ky+sx+m, and f′.sub.2(x)=nz+oy+px+q, and specific examples thereof will be described below.

[0026] As illustrated in FIG. 3, first, the secret share value [x] is input to the secure computation unit 21 of the secure computation device 2 (step S10).

[0027] The secure computation unit 21 obtains and outputs a secret share value [f.sub.0(x)-f′.sub.0(x)]=[y′]=[x(δx+a-i)-j] through secure computation of sum-of-product computation using the secret share value [x] (step S21a).

[0028] The secret share value [y′] is input to the secure computation unit 22. The secure computation unit 22 obtains and outputs a secret share value [y′].sub.r of y′.sub.r obtained by right-shifting y′ by the predetermined number of bits through secure computation using the secret share value [y′] (step S22a).

[0029] The secret share value [y′].sub.r is input to the secure computation unit 23. The secure computation unit 23 obtains and outputs a secret share value [y]=[y′+(ix+j)] through secure computation using the secret share value [y′].sub.r and the secret share value [f′.sub.0(x)]=[ix+j] (step S23a).

[0030] The secret share value [y] is input to the secure computation unit 21. The secure computation unit 21 obtains and outputs the secret share value [f.sub.1(x)-f′.sub.1(x)]=[z′]=[y(ζy+b−k)+(c−s)x−m] through secure computation of sum-of-product computation using the secret share value [x] and the secret share value [y] (step S21b).

[0031] The secret share value [z′] is input to the secure computation unit 22. The secure computation unit 22 obtains and outputs a secret share value [z′].sub.r of z′.sub.r obtained by right-shifting z′ by the predetermined number of bits through secure computation using the secret share value [z′] (step S22b).

[0032] The secret share value [z′].sub.r is input to the secure computation unit 23. The secure computation unit 23 obtains and outputs a secret share value [z]=[z′+(ky+s +m)] through secure computation using the secret share value [z′].sub.r and secret share value [f′.sub.1(x)]=[ky+sx+m] (step S23b).

[0033] The secret share value [z] is input to the secure computation unit 21. The secure computation unit 21 obtains and outputs a secret share value [w′/γ]=[z(αz+d−n/γ)+(βx+f−o/γ)y+(g−p)x+(h−q)/γ] through secure computation of sum-of-product computation using the secret share value [x], the secret share value [y], and the secret share value [z] (step S21c).

[0034] The secret share value [w′/γ] is input to the secure computation unit 22. The secure computation unit 22 obtains and outputs a secret share value [w′].sub.r of w′.sub.r obtained by right-shifting w′ obtained by multiplying w′/γ by γ by the predetermined number of bits through secure computation using the secret share value [w′/γ] (step S22c). Processing for obtaining the secret share value [W′].sub.r is not limited. For example, the secure computation unit 22 may obtain a public value 2.sup.σ/γ to obtain the secret share value [w′].sub.r through secure computation of public value division [w′/γ]/(2.sup.σ/γ) using the public value 2.sup.σ/γ and the secret share value [w′/γ]. Here, σ is a positive integer indicating an amount of right shift. Thus, because the multiplication of γ and the secure computation of the right shift can be executed at the same time, a processing cost can be reduced.

[0035] The secret share value [w′], is input to the secure computation unit 23. The secure computation unit 23 obtains and outputs a secret share value [w]=[w′+(nz+oy+px+q)] through secure computation using the secret share value [w′], and the secret share value [f′.sub.2(x)]=[nz+oy+px+q].

Example of Method of Searching for Approximation Function

[0036] Hereinafter, a method of searching for an approximation function before right shift will be illustrated. Input: Interval [L, R), and functions y=δx.sup.2+ax, z=y(ζ+b)+cx, and w=γ(z(αz+d)+y(βx+f)+gx) Set parameters: Minimum search values i.sub.min, k.sub.min, s.sub.min, n.sub.min, o.sub.min, and p.sub.min of respective discrete coefficients i, k, s, n, o, and p, and maximum search values i.sub.max, k.sub.max, s.sub.max, n.sub.max, O.sub.min, O.sub.max, p.sub.min, and p.sub.max of respective discrete coefficient i, k, s, n, o, and p Output: Maximum value M.sub.y of approximation functions ix+j and y-(ix+j) of y, maximum value M.sub.z of approximation functions ky+sx+m and z−(ky+sx+m) of z, and maximum value M.sub.w of approximation functions nz+oy+px+q and w−(nz+oy+px+q) of w

[0037] 1: for i=i.sub.min to i.sub.max do

[0038] 2: Calculate a difference between the maximum value and the minimum value in an interval [L, R) of y−ix.

[0039] 3: Output i at which the difference between the maximum value and the minimum value in the interval [L, R) of y−ix is smallest, a minimum value j of the difference y−ix in this case, and a difference M.sub.y ((maximum value of y−ix)−(minimum value of y−ix), in other words, a width of movement of a function value of y−ix).

[0040] 4: for each (k, s) ∈{k.sub.min, . . . , k.sub.max}×{s.sub.min, . . . , s.sub.max} do

[0041] 5: Calculate a difference between the maximum value and the minimum value in an interval [L, R) of z−(ky+sx).

[0042] 6: Output (k, s) at which a difference between the maximum value and the minimum value in the interval [L, R) of z−(ky+sx) is smallest, a minimum value m of the difference z−(ky+sx) in this case, and a difference M.sub.z ((maximum value of z−(ky+sx))−(minimum value of z−(ky+sx)), in other words, a width of movement of a function value of z−(ky+sx)).

[0043] 7: for each (n, o, p) ∈{n.sub.min, . . . , n.sub.max}×{o.sub.min, . . . , o.sub.max}×{p.sub.min, . . . , p.sub.max} do

[0044] 8: Calculate a difference between the maximum value and the minimum value in an interval [L, R) of z−(nz+oy+px).

[0045] 9: Output (n, o, p) at which the difference between the maximum value and the minimum value in the interval [L, R) of z−(nz+oy+px) is smallest, a minimum value q of the difference z−(nz+oy+px) in this case, and a difference M.sub.w ((maximum value of z−(nz+oy+px))−(minimum value of z−(nz+oy+px)), in other words, a width of movement of a function value of z−(nz+oy+px)).

Third Embodiment

[0046] As illustrated in a third embodiment, the secure computation device 3 of the third embodiment includes secure computation units 31, 32, and 33, and a control unit 19. The secure computation device 3 of the third embodiment receives the secret share value [x] ∈ [L, R) of the real number x as an input and performs secure computation to output a secret share value [f.sub.n−1i(x)] of a target function f.sub.n−1(x). In the third embodiment, an example in which n=2, a, b, c, γ, δ, i, j, k, s, and m are real numbers, f.sub.0(x)=y=δx.sup.2+ax, f.sub.1(x)=z=γ(y(δy+b)+cx), f′.sub.0(x)=ix+j, and f′.sub.1(x)=ky+sx+m will be described.

[0047] As illustrated in FIG. 4, first, the secret share value [x] is input to the secure computation unit 31 of the secure computation device 3 (step S10).

[0048] The secure computation unit 31 obtains and outputs a secret share value [f.sub.0(x)−f′.sub.0(x)]=[y′]=[x(δx+a−i)−j] through secure computation of sum-of-product computation using the secret share value [x] (step S21a).

[0049] The secret share value [y] is input to the secure computation unit 32. The secure computation unit 32 obtains and outputs a secret share value [y′].sub.r of y′.sub.r obtained by right-shifting y′ by the predetermined number of bits through secure computation using the secret share value [y′] (step S22a).

[0050] The secret share value [y′].sub.r is input to the secure computation unit 33. The secure computation unit 33 obtains and outputs a secret share value [y]=[y′+(ix+j)] through secure computation using the secret share value [y′].sub.r and the secret share value [f′.sub.0(x)]=[ix+j] (step S23a).

[0051] The secret share value [y] is input to the secure computation unit 31. The secure computation unit 31 obtains and outputs a secret share value [z′/γ′]=[y(ζy+b−k/γ)+(c−s/γ)x−m/γ] through secure computation of sum-of-product computation using the secret share value [x] and the secret share value [y] (step S31c).

[0052] The secret share value [z′/γ] is input to the secure computation unit 32. The secure computation unit 32 obtains and outputs a secret share value [z′].sub.r of z′.sub.r obtained by right-shifting z′ obtained by multiplying z′/γ by γ by the predetermined number of bits through secure computation using the secret share value [z′/γ] (step S32b). Processing for obtaining the secret share value [z′].sub.r is not limited. For example, the secure computation unit 32 may obtain a public value 2.sup.σ/γ to obtain a secret share value [z′].sub.r through secure computation of public value division [z′/γ]/(2.sup.σ/γ) using the public value 2.sup.σ/γ and the secret share value [z′/γ]. Thus, because the multiplication of γ and the secure computation of the right shift can be executed at the same time, a processing cost can be reduced.

[0053] The secret share value [z′].sub.r is input to the secure computation unit 33. The secure computation unit 33 obtains and outputs a secret share value [z]=[z′+(ky+sx+m)] through secure computation using the secret share value [z′].sub.r and the secret share value [f′.sub.1(x)]=[ky+sx+m] (step S33b).

Example of Calculated Parameters Regarding Each Elementary Function

[0054] FIG. 5 illustrates calculated parameters when the function f.sub.n-1(x) is a reciprocal function, a square root function, a reciprocal function of a square root, an exponential function, and a logarithmic function, which are elementary functions. ex, ey, and ez indicate decimal point positions of x, y, and z, respectively. Further, e′x, e′y, and e′z indicate decimal point positions of x′, y′, and z′ before right shift, respectively. These decimal point positions indicate bit positions of the decimal point positions counted from the lower bits. A value indicating this bit position starts from 0, and when an e1-st bit counted from a lower bit indicates 1, a decimal point position is represented as e1.

[0055] Hardware Configuration

[0056] The secure computation devices 1, 2, and 3 in the respective embodiments are, for example, devices configured by a general-purpose or dedicated computer including a processor (hardware processor) such as a central processing unit (CPU), a memory such as a random-access memory (RAM) and a read-only memory (ROM), and the like executing a predetermined program. This computer may include one processor and memory or may include a plurality of processors and memories. This program may be installed in a computer or may be recorded in a ROM or the like in advance. Further, a part or all of processing units may be configured by using an electronic circuit that implements a processing function alone, instead of an electronic circuit (circuitry) that implements a functional configuration by a program being read, like a CPU. Further, an electronic circuit constituting one device may include a plurality of CPUs.

[0057] FIG. 6 is a block diagram illustrating hardware configurations of the secure computation devices 1, 2, and 3 in the respective embodiments. As illustrated in FIG. 6, the secure computation devices 1, 2, and 3 of this example include a central processing unit (CPU) 10a, an input unit 10b, an output unit 10c, a random access memory (RAM) 10d, a read only memory (ROM) 10e, an auxiliary storage device 10f, and a bus 10g. The CPU 10a of this example includes a control unit 10aa, an operation unit 10ab, and a register 10ac, and executes various pieces of operation processing according to various programs read into the register 10ac. Further, the output unit 10c is an output terminal, a display, or the like on which data is output. Further, the output unit 10c is a LAN card or the like controlled by the CPU 10a that has read a predetermined program. Further, the RAM 10d is a static random access memory (SRAM), a dynamic random access memory (DRAM), or the like, and has a program area 10da in which a predetermined program is stored and a data area 10db in which various types of data is stored. Further, the auxiliary storage device 10f is, for example, a hard disk, a magneto-optical disc (MO), a semiconductor memory, or the like, and has a program area 10fa in which a predetermined program is stored and a data area 10fb in which various types of data is stored. Further, the bus 10g connects the CPU 10a, the input unit 10b, the output unit 10c, the RAM 10d, the ROM 10e, and the auxiliary storage device 10f so that information can be exchanged. The CPU 10a writes the program stored in the program area 10fa of the auxiliary storage device 10f to the program area 10da of the RAM 10d according to a read operating system (OS) program. Similarly, the CPU 10a writes various types of data stored in the data area 10fb of the auxiliary storage device 10f to the data area 10db of the RAM 10d. An address on the RAM 10d in which this program or data is written is stored in the register 10ac of the CPU 10a. The control unit 10ab of the CPU 10a sequentially reads out these addresses stored in the register 10ac, reads a program or data from the area on the RAM 10d indicated by the read address, causes the operation unit 10ab to sequentially execute operations indicated by the program, and stores operation results in the register 10ac. With such a configuration, functional configurations of the secure computation device 1, 2, and 3 are implemented.

[0058] The above-described program can be recorded on a computer-readable recording medium. An example of the computer-readable recording medium is a non-transitory recording medium. Examples of such a recording medium are a magnetic recording device, an optical disc, a photomagnetic recording medium, and a semiconductor memory.

[0059] Distribution of this program is performed, for example, by selling, transferring, or renting a portable recording medium such as a DVD or CD-ROM on which the program has been recorded. Further, this program may be distributed by being stored in a storage device of a server computer and transferred from the server computer to another computer via a network. As described above, the computer that executes such a program first temporarily stores, for example, the program recorded on the portable recording medium or the program transferred from the server computer in a storage device of the computer. When the computer executes the processing, the computer reads the program stored in the storage device of the computer and executes processing according to the read program. Further, as another form of execution of the program, the computer may directly read the program from the portable recording medium and execute the processing according to the program, and further, the processing according to the received program may be sequentially executed each time the program is transferred from the server computer to the computer. Further, a configuration in which the above-described processing may be executed by a so-called application service provider (ASP) type service that implements a processing function only by an execution instruction and result acquisition without transferring the program from the server computer to the computer. It is assumed that the program in the present embodiment includes information provided for processing of an electronic calculator and being pursuant to the program (such as data that is not a direct command to the computer, but has properties defining processing of the computer).

[0060] In each embodiment, although the present device is configured by a predetermined program being executed on the computer, at least a part of processing content of thereof may be implemented by hardware.

Other Modification Examples, and the Like

[0061] The present disclosure is not limited to the above-described embodiments. For example, the secure computation devices 1, 2, and 3 of the embodiments obtain the secret share value [f.sub.t(x)-f′.sub.t(x)] of f.sub.t(x)- f′.sub.t(x) through secure computation using the secret share value [x] of the real number x, obtain the secret share value [f.sub.t(x)-f′.sub.t(x)].sub.r of (f.sub.t(x)-f′.sub.t(x)).sub.r obtained by right-shifting f.sub.t(x)- f′.sub.t(x) by the predetermined number of bits through secure computation using the secret share value [f.sub.t(x)-f′.sub.t(x)], and obtain the secret share value [f.sub.t(x)] of the function f.sub.t(x) through secure computation using the secret share value [f.sub.t(x)-f′.sub.t(x)].sub.r and the secret share value [f′.sub.t(x)]. However, the secret share value [f.sub.t(x)-f′.sub.t(x)].sub.r may be used for other secure computations before the secret share value [f.sub.t(x)] is obtained.

[0062] Although the secure computation unit 11 has obtained the secret share value [f.sub.t(x)-f′.sub.t(x)] through the secure computation of the sum-of-product computation using the secret share value [x] in the above embodiment, the secret share value [f.sub.t(x)-f′.sub.t(x)] may be obtained through secure computation other than the secure computation of the sum-of-product computation.

[0063] Further, various types of processing described above may be not only executed in chronological order according to the description but may also be executed in parallel or individually according to a processing capacity of a device that executes the processing or as necessary. In addition, it is obvious that change can be made appropriately without departing from the spirit of the present disclosure.

INDUSTRIAL APPLICABILITY

[0064] The present disclosure can be used, for example, for calculation of an elementary function such as a reciprocal function, a square root function, an exponential function, and a logarithmic function in machine learning and data mining performed in secure computation while concealing data.

Reference Signs List

[0065] 1, 2, 3 Secure computation device 11, 21, 31, 12, 22, 32, 13, 23, 33 Secure computation unit