Secure consolidation system, information processing apparatus, secure consolidation method, and program

Abstract

The secure join system includes the first and second information-processing-apparatuses respectively holding first and second data. The second information-processing-apparatus is configured to: create third and fourth vectors in which a hash-value related to a key-value of the first data in a first vector and a ciphertext of the first data corresponding to the key-value in a second vector are rearranged by permutation; and create a fifth vector having a hash-value related to a key-value of the second data. The first information-processing-apparatus is configured to: search for j in which a hash-value of an i-th element of the fifth vector matches a j-th element value of the third vector for each i and create encrypted data in which a ciphertext of a j-th element value of the fourth vector is set when j is found and a ciphertext of a dummy value is set when j is not found.

Claims

1. A secure join system that performs secure data join between a first information processing apparatus and a second information processing apparatus, the secure join system comprising the first information processing apparatus and the second information processing apparatus, the second information processing apparatus being configured to: receive a first vector having a hash value related to a key value of first data held by the first information processing apparatus as an element and a second vector having an encrypted element generated by applying a re-encryption capable encryption scheme to the first data corresponding to the key value as an element, after receiving the first and second vectors, create a third vector and a fourth vector that are generated by rearranging respective elements of the first vector and the second vector according to a permutation that is not known to the first information processing apparatus; create a fifth vector having a hash value related to a key value of second data held by the second information processing apparatus as an element; and transmit the third vector, the fourth vector, and the fifth vector to the first information processing apparatus, and the first information processing apparatus being configured to: after the third vector, the fourth vector, and the fifth vector are received, search for j in which a hash value of an i-th element of the fifth vector matches a value of a j-th element of the third vector for each i and create encrypted data in which a ciphertext of a value of a j-th element of the fourth vector is set as an i-th element in a case where j is found and a ciphertext of a dummy value is set as the i-th element in a case where j is not found; and transmit the encrypted data to the second information processing apparatus when a match was found, wherein ID assigned to each piece of data serves as the key value for the data join, and the second information processing apparatus is further configured to: generate the third vector and the fourth vector by applying a commutative hash function determined by a secret key to the IDs of the first data and by encrypting values of the first data using the re-encryption capable encryption scheme, and generate the permutation used for rearranging the first vector and the second vector, and the first information processing apparatus is further configured to assign, when no element of the third vector matches an element of the fifth vector, as the corresponding element, a dummy ciphertext that is indistinguishable in appearance from a ciphertext of actual data.

2. The secure join system according to claim 1, wherein, when f and g are commutative hash functions, the first information processing apparatus being further configured to: calculate a hash value, by f, of the key value of the first data held by the first information processing apparatus and create the first vector having the hash value as the element and the second vector having the ciphertext of the first data corresponding to the key value as the element; and transmit the first vector and the second vector to the second information processing apparatus, when the first vector and the second vector are received, the second information processing apparatus calculates a hash value, by g, of the element of the first vector and rearranges the hash value, by g, of the element of the first vector and the element of the second vector by the permutation to create the third vector and the fourth vector, the second information processing apparatus creates the fifth vector having a hash value, by g, of the key value of the second data as the element, and when the third vector, the fourth vector, and the fifth vector are received, the first information processing apparatus calculates a hash value, by f, of the i-th element of the fifth vector, searches for j in which the hash value matches a value of the j-th element of the third vector and creates encrypted data in which the ciphertext of the value of the j-th element of the fourth vector is set as the i-th element in a case where j is found and the ciphertext of the dummy value is set as the i-th element in a case where j is not found.

3. An information processing apparatus that performs secure data join with another information processing apparatus, the information processing apparatus comprising: a processor; and a memory storing program instructions that cause the processor to: receive a first vector having a hash value related to a key value of first data held by the another information processing apparatus as an element and a second vector having an encrypted element generated by applying a re-encryption capable encryption scheme to the first data corresponding to the key value as an element are received, after receiving the first and second vectors, create a third vector and a fourth vector that are generated by rearranging respective elements of the first vector and the second vector according to a permutation that is not known to the first information processing apparatus; create a fifth vector having a hash value related to a key value of second data held by the information processing apparatus as an element; and transmit the third vector, the fourth vector, and the fifth vector to the another information processing apparatus when a match was found, wherein ID assigned to each piece of data serves as the key value for the data join, and the program instructions further cause the processor to: generate the third vector and the fourth vector by applying a commutative hash function determined by a secret key to the IDs of the first data and by encrypting values of the first data using the re-encryption capable encryption scheme, and generate the permutation used for rearranging the first vector and the second vector.

4. An information processing apparatus that performs secure data join with another information processing apparatus, the information processing apparatus comprising: a processor; and a memory storing program instructions that cause the processor to: receive a third vector and a fourth vector that are generated at the another information processing apparatus by rearranging respective elements of the first vector and the second vector according to a permutation that is not known to the first information processing apparatus, the first vector having a hash value related to a key value of first data held by the information processing apparatus as an element and the second vector having an encrypted element generated by applying a re-encryption capable encryption scheme to the first data corresponding to the key value as an element, and a fifth vector having a hash value related to a key value of second data held by the another information processing apparatus as an element, search for j in which a hash value of an i-th element of the fifth vector matches a value of a j-th element of the third vector for each i and create encrypted data in which a ciphertext of a value of a j-th element of the fourth vector is set as an i-th element in a case where j is found and a ciphertext of a dummy value is set as an i-th element in a case where j is not found; and transmit the encrypted data to the another information processing apparatus when a match was found, wherein ID assigned to each piece of data serves as the key value for the data join, and the program instructions cause the processor to assign, when no element of the third vector matches an element of the fifth vector, as the corresponding element, a dummy ciphertext that is indistinguishable in appearance from a ciphertext of actual data.

5. A secure join method for performing secure data join between a first information processing apparatus and a second information processing apparatus, the secure join method comprising: receiving, by the second information processing apparatus, a first vector having a hash value related to a key value of first data held by the first information processing apparatus as an element and a second vector having an encrypted element generated by applying a re-encryption capable encryption scheme to the first data corresponding to the key value as an element, after receiving the first and second vectors, creating, by the second information processing apparatus, a third vector and a fourth vector that are generated by rearranging respective elements of the first vector and the second vector according to a permutation that is not known to the first information processing apparatus; creating, by the second information processing apparatus, a fifth vector having a hash value related to a key value of second data held by the second information processing apparatus as an element; and transmitting, by the second information processing apparatus, the third vector, the fourth vector, and the fifth vector to the first information processing apparatus, and after the third vector, the fourth vector, and the fifth vector are received, searching, by the first information processing apparatus, for j in which a hash value of an i-th element of the fifth vector matches a value of a j-th element of the third vector for each i and creating encrypted data in which a ciphertext of a value of a j-th element of the fourth vector is set as an i-th element in a case where j is found and a ciphertext of a dummy value is set as the i-th element in a case where j is not found; and transmitting, by the first information processing apparatus, the encrypted data to the second information processing apparatus when a match was found, wherein ID assigned to each piece of data serves as the key value for the data join, and the secure join method further comprises: generating, by the second information processing apparatus, the third vector and the fourth vector by applying a commutative hash function determined by a secret key to the IDs of the first data and by encrypting values of the first data using the re-encryption capable encryption scheme, and generating, by the second information processing apparatus, a permutation used for rearranging the first vector and the second vector is, and wherein the secure join method further comprises: assigning, when no element of the third vector matches an element of the fifth vector, as the corresponding element, a dummy ciphertext that is indistinguishable in appearance from a ciphertext of actual data.

6. A non-transitory computer-readable recording medium having stored therein a program for causing the first information processing apparatus and the second information processing apparatus to execute the secure join method according to claim 5.

7. The secure join system according to claim 1, wherein the first information processing apparatus does not transmit a ciphertext of the first data itself to the second information processing apparatus.

8. The secure join system according to claim 1, wherein the dummy ciphertext is generated by using the same encryption scheme used to generate the encrypted element included in the second vector.

Description

BRIEF DESCRIPTION OF DRAWINGS

(1) FIG. 1 is a diagram illustrating an example of an overall configuration of a secure join system according to the present embodiment.

(2) FIG. 2 is a sequence diagram illustrating an example of secure join processing according to the present embodiment.

(3) FIG. 3 is a diagram illustrating an example of a hardware configuration of an information processing apparatus according to the present embodiment.

DESCRIPTION OF EMBODIMENTS

(4) Hereinafter, an embodiment of the present invention will be described. In the present embodiment, a secure join system 1 capable of realizing secure join between two parties without transmitting and receiving a ciphertext of data held by one party will be described. As a result, in the secure join system 1 according to the present embodiment, in a case where one party has large data, it is possible to perform secure join between two parties with a smaller communication amount than before. Note that the secure join is a method for joining data between two parties without disclosing mutual data or disclosing which data is joined. In addition, the data join is operation of joining data having the same value for a certain key.

Overall Configuration

(5) First, an overall configuration of the secure join system 1 according to the present embodiment will be described with reference to FIG. 1. FIG. 1 is a diagram illustrating an example of the overall configuration of the secure join system 1 according to the present embodiment.

(6) As illustrated in FIG. 1, the secure join system 1 according to the present embodiment includes an information processing apparatus 10 and an information processing apparatus 20 that perform secure join between the two. The information processing apparatus 10 and the information processing apparatus 20 are communicably connected via a communication network N such as the Internet.

(7) The information processing apparatus 10 and the information processing apparatus 20 are, for example, various devices and equipment such as a general-purpose server, a personal computer (PC), a smartphone, a tablet terminal, and a wearable device.

(8) Here, the information processing apparatus 10 includes a calculation unit 101, a communication unit 102, and a storage unit 103. Note that the calculation unit 101 and the communication unit 102 are implemented by processing caused to be executed by a processor such as a central processing unit (CPU) by one or more programs installed in the information processing apparatus 10. Furthermore, the storage unit 103 is implemented by, for example, various memory devices such as a hard disk drive (HDD), a solid state drive (SSD), and a flash memory.

(9) The calculation unit 101 executes various calculations for realizing secure join with the information processing apparatus 20. The communication unit 102 transmits and receives various data to and from the information processing apparatus 20. The storage unit 103 stores one or more pieces of data (these pieces of data may be referred to as records) to be subjected to secure join. It is assumed that IDs serving as keys of joining are assigned to these pieces of data.

(10) Furthermore, the information processing apparatus 20 includes a calculation unit 201, a communication unit 202, and a storage unit 203. Note that the calculation unit 201 and the communication unit 202 are implemented by processing caused to be executed by a processor such as a CPU by one or more programs installed in the information processing apparatus 20. Furthermore, the storage unit 203 is implemented by, for example, various memory devices such as an HDD, an SSD, and a flash memory.

(11) The calculation unit 201 executes various calculations for realizing secure join with the information processing apparatus 10. The communication unit 202 transmits and receives various data to and from the information processing apparatus 10. The storage unit 203 stores one or more pieces of data (records) to be subjected to secure join. It is assumed that IDs serving as keys of joining are assigned to these pieces of data.

(12) Note that, hereinafter, the information processing apparatus 10 itself or a person who uses or manages the information processing apparatus 10 is referred to as a user A. Similarly, the information processing apparatus 20 itself or a person who uses or manages the information processing apparatus 20 is referred to as a user B.

(13) <Preparation>

(14) Before the secure join processing is described, some symbols, concepts, and the like, are prepared.

(15) It is assumed that h.sub.k is a hash function determined by a secret key k, and for any two secret keys k.sub.1 and k.sub.2,

(16) $\begin{matrix} h_{k_{1}}, h_{k_{2}} & [Math . 1] \end{matrix}$
is commutative. Here, arbitrary hash functions f and g being commutative indicate that f(g(x))=g(f(x)) holds for an arbitrary value x.

(17) Hereinafter, as a secret key k.sub.A of the user A, a hash function determined by the secret key k.sub.A is expressed as h.sub.kA in the text of the specification. Similarly, as a secret key k.sub.B of the user B, a hash function determined by the secret key k.sub.B is expressed as h.sub.kB in the text of the specification.

(18) Note that, in a case where x is a vector and an i-th element thereof is x[i], h.sub.k(x) is a vector in which h.sub.k(x[i]) is the i-th element. In this event, the i-th element of h.sub.k(x) is also expressed as h.sub.k(x) [i].

(19) HE is an encryption scheme in which the users A and B can re-encrypt. In a case where x is a vector and an i-th element thereof is x[i], HE(x) is a vector in which HE(x[i]) is the i-th element. In this event, the i-th element of HE(x) is also expressed as HE(x)[i].

(20) In addition, it is assumed that Val.sub.A is a vector in which data of the user A to be subjected to secure join is arranged, ID.sub.A is a vector in which IDs corresponding to respective elements (that is, respective pieces of data of the user A) of Val.sub.A are arranged, and ID.sub.B is a vector in which IDs corresponding to respective pieces of data of the user B are arranged. However, it is assumed that the Val.sub.A and the ID.sub.A are arranged in an order not known to the user B, and the ID.sub.B is arranged in an order not known to the user A.

(21) <Secure Join Processing>

(22) Hereinafter, the secure join processing according to the present embodiment will be described with reference to FIG. 2. FIG. 2 is a sequence diagram illustrating an example of the secure join processing according to the present embodiment.

(23) First, the calculation unit 101 of the information processing apparatus 10 calculates h.sub.kA(ID.sub.A) and HE(Val.sub.A) (step S101). Next, the communication unit 102 of the information processing apparatus 10 transmits h.sub.kA(ID.sub.A) and HE(Val.sub.A) to the information processing apparatus 20 (step S102).

(24) When h.sub.kA(ID.sub.A) and HE(Val.sub.A) are received by the communication unit 202, the calculation unit 201 of the information processing apparatus 20 executes the following (1-1) to (1-4) (step S103). (1-1) Calculate h.sub.kB(ID.sub.B). (1-2) Create random permutation . (1-3) Re-encrypt HE(Val.sub.A) and then rearrange it by . Hereinafter, the rearranged one is referred to as HE(Val.sub.A). (1-4) Calculate (h.sub.kB(h.sub.kA(ID.sub.A))). Hereinafter, a result obtained after this calculation is referred to as h.sub.kB(h.sub.kA(ID.sub.A)).

(25) Next, the communication unit 202 of the information processing apparatus 20 transmits h.sub.kB(h.sub.kA(ID.sub.A)), HE(Val.sub.A), and h.sub.kB(ID.sub.B) to the information processing apparatus 10 (step S104).

(26) When h.sub.kB(h.sub.kA(ID.sub.A)), HE(Val.sub.A), and h.sub.kB(ID.sub.B) are received by the communication unit 102, the calculation unit 101 of the information processing apparatus 10 executes the following (2-1) to (2-2) (step S105). (2-1) Calculate h.sub.kA(h.sub.kB(ID.sub.B)). (2-2) Collate h.sub.kA(h.sub.kB(ID.sub.B)) and h.sub.kB(h.sub.kA(ID.sub.A)), search for j in which h.sub.kA(h.sub.kB(ID.sub.B) [i]=h.sub.kB(h.sub.kA(ID.sub.A)) [j] for each i, and in a case where such j is found, create a value by re-encrypting HE(Val.sub.A) [j] so that Val.sub.A[i]=Val.sub.A [j] and set it as HE(Val.sub.A) [i]. On the other hand, in a case where j in which h.sub.kA(h.sub.kB(ID.sub.B) [i]=h.sub.kB(h.sub.kA(ID.sub.A)) [j] is not found, a value obtained by encrypting a dummy value is created and set it as HE(Val.sub.A) [i].

(27) Note that, for each i, a method of searching for j in which h.sub.kA(h.sub.kB(ID.sub.B) [i]=h.sub.kB(h.sub.kA(ID.sub.A)) [j] is not particularly limited, and any general search method can be used. For example, it may be confirmed whether or not h.sub.kA(h.sub.kB(ID.sub.B) [i]=h.sub.kB(h.sub.kA(ID.sub.A)) [j] is satisfied for each i and j, or the corresponding j may be searched for by creating an associative array having h.sub.kB(h.sub.kA(ID.sub.A)) [j] as a key for each j in advance.

(28) Then, the communication unit 102 of the information processing apparatus 10 transmits HE(Val.sub.A) including HE(Val.sub.A) [i] to the information processing apparatus 20 (step S106).

(29) As described above, elements having the same value are associated with each other between ID.sub.A and ID.sub.B, so that secure join is implemented between data of the user A and data of the user B. In this event, in the present embodiment, one of the final outputs is made into plain text (in the present embodiment, the data of the user B is made into plain text), so that the data join is implemented without transmitting the data on one party to the other. In addition, if no measure is taken at that time, which data is joined is revealed to the user B, and thus a dummy ciphertext is added to prevent which data is joined from being revealed.

Effects

(30) In a case where secure join is performed between two parties, in related art, it has been necessary to transmit ciphertexts of data on both parties, but in the present embodiment, it is not necessary to transmit data on one party. Thus, in a case where there is a large difference in an amount of data held by both parties, it is possible to implement secure join with a small communication amount by using a larger amount of data as the data not to be transmitted.

(31) More precisely, it is assumed that the user A has n.sub.A pieces of data including m.sub.A values, and the user has n.sub.B pieces of data including m.sub.B values. In this event, in related art, the communication amount has been required to be (m.sub.An.sub.A+m.sub.An.sub.B), but in the present embodiment, secure join can be implemented with the communication amount of (m.sub.An.sub.A+m.sub.An.sub.B). Thus, in a case where m.sub.A<m.sub.B, the secure join can be implemented with an asymptotically small communication amount by using the secure join described in the present embodiment.

(32) <Hardware Configuration>

(33) Finally, hardware configurations of the information processing apparatuses 10 and 20 according to the present embodiment will be described with reference to FIG. 3. FIG. 3 is a diagram illustrating an example of the hardware configurations of the information processing apparatuses 10 and 20 according to the present embodiment. Note that the information processing apparatuses 10 and 20 can be implemented by substantially the same hardware configurations, and thus, the hardware configuration of the information processing apparatus 10 will be described below.

(34) As illustrated in FIG. 3, the information processing apparatus 10 according to the present embodiment includes an input device 301, a display device 302, an external I/F 303, a communication I/F 304, a processor 305, and a memory device 306. These pieces of hardware are communicably connected by a bus 307.

(35) The input device 301 is, for example, a keyboard and a mouse, a touch panel, or the like. The display device 302 is, for example, a display, or the like. Note that the information processing apparatus 10 does not have to include, for example, at least one of the input device 301 or the display device 302.

(36) The external I/F 303 is an interface with an external device such as a recording medium 303a. The information processing apparatus 10 can perform reading, writing, and the like, of the recording medium 303a via the external I/F 303. Note that examples of the recording medium 303a include a compact disc (CD), a digital versatile disk (DVD), a secure digital memory card (SD memory card), a universal serial bus (USB) memory card, and the like.

(37) The communication I/F 304 is an interface for connecting the information processing apparatus 10 to the communication network N. The processor 305 is one of various arithmetic devices such as a CPU, for example. The memory device 306 is, for example, various storage devices such as an HDD, an SSD, a flash memory, a random access memory (RAM), and a read only memory (ROM).

(38) The information processing apparatuses 10 and 20 according to the present embodiment can implement the above-described secure join processing by having the hardware configuration illustrated in FIG. 3. Note that the hardware configuration illustrated in FIG. 3 is an example, and the information processing apparatuses 10 and 20 may include a plurality of processors, a plurality of memory devices, or various hardware configurations, for example.

(39) The present invention is not limited to the above embodiment specifically disclosed, and various modifications and changes, combinations with known technologies, and the like, can be made without departing from the scope of the claims.

REFERENCE SIGNS LIST

(40) 1 Secure join system 10 Information processing apparatus 20 Information processing apparatus 101 Calculation unit 102 Communication unit 103 Storage unit 201 Calculation unit 202 Communication unit 203 Storage unit 301 Input device 302 Display device 303 External I/F 303a Recording medium 304 Communication I/F 305 Processor 306 Memory device 307 Bus N Communication network

Secure consolidation system, information processing apparatus, secure consolidation method, and program

Assignee

Inventors

Cpc classification

Classification Explorer

G09C1/00

PHYSICS

Classification Explorer

H04L2209/08

ELECTRICITY

Classification Explorer

H04L9/0618

ELECTRICITY

Classification Explorer

H04L9/3242

ELECTRICITY

Classification Explorer

H04L9/0631

ELECTRICITY

Classification Explorer

H04L9/0643

ELECTRICITY

International classification

Classification Explorer

H04L9/32

ELECTRICITY

Classification Explorer

H04L9/06

ELECTRICITY

Abstract

Claims

Description