JP-7855700-B2 - Information processing device and privacy-protected data linkage system
Inventors
- 野澤 一真
- 長谷川 慶太
- 中川 智尋
- 佐々木 一也
- 寺田 雅之
Assignees
- 株式会社NTTドコモ
Dates
- Publication Date: 2026-05-08
- Application Date: 2023-06-30
- Priority Date: 2022-09-02
Claims (5)
- An information processing device comprising: an ID encryption unit that obtains user data including a user ID, performs a hashing process on the user ID using a salt, and encrypts the resulting hash value with a self-encrypting key held by the device itself to generate encrypted user data; a data transmission/reception unit that transmits and receives the encrypted user data to and from a counterpart device; a data matching unit that matches the encrypted user data of the device itself, generated by the ID encryption unit, against the encrypted user data of the counterpart device received by the data transmission/reception unit; an aggregation processing unit that generates encrypted aggregate data by counting the number of encrypted user data entries whose portion corresponding to the user ID matches as a result of the matching by the data matching unit; and a confidentiality processing unit that performs confidentiality processing on the encrypted aggregate data generated by the aggregation processing unit to generate encrypted statistical information, wherein the encrypted user data of the counterpart device includes attribute information encrypted using a homomorphic encryption scheme, the attribute information is composed of a binary value in which a flag is set at the bit position corresponding to the content of the attribute information, and the aggregation processing unit performs the count by taking the sum of identical bit positions in the bit sequences of a plurality of records represented by the binary values.
- The information processing device according to claim 1, wherein the data matching unit performs the matching based on the portion corresponding to the user ID, which is identified from predetermined structural information of the user data.
- A privacy-protecting data linkage system comprising a plurality of devices that hold user data including user IDs and attribute information about the users, wherein: one device among the plurality of devices includes an ID encryption unit that performs a hashing process using a salt on the user ID, then discards the salt, and encrypts the resulting hash value with a self-encrypting key held by the device itself to generate encrypted user data; a counterpart device among the plurality of devices includes an encryption unit that performs a hashing process using a salt on the user ID, then discards the salt, encrypts the resulting hash value with a self-encrypting key held by the counterpart device itself, and also encrypts the attribute information using a homomorphic encryption scheme to generate encrypted user data; the one device and the counterpart device each further comprise a data transmission/reception unit for sending and receiving the encrypted user data; the one device further comprises a data matching unit that matches the encrypted user data of the one device, generated by the ID encryption unit, against the encrypted user data of the counterpart device received by the data transmission/reception unit, an aggregation processing unit that generates encrypted aggregate data by counting the number of encrypted user data entries whose portion corresponding to the user ID matches as a result of the matching by the data matching unit, and a confidentiality processing unit that performs confidentiality processing on the encrypted aggregate data generated by the aggregation processing unit to generate encrypted statistical information; the attribute information encrypted by the encryption unit of the counterpart device is composed of a binary value in which a flag is set at the bit position corresponding to the content of the attribute information; and the aggregation processing unit of the one device performs the count by taking the sum of identical bit positions in the bit sequences of a plurality of records represented by the binary values.
- The privacy-protecting data linkage system according to claim 3, wherein the one device and the counterpart device each further comprise an anonymization processing unit that performs privacy protection processing on the user data held by its own device prior to the encryption of the user ID.
- The privacy-protecting data linkage system according to claim 3, wherein the data transmission/reception unit of the one device transmits the encrypted statistical information generated by the confidentiality processing unit to the data transmission/reception unit of the counterpart device, and the counterpart device further comprises a decryption unit that decrypts the encrypted statistical information received by its data transmission/reception unit using a decryption method corresponding to the encryption performed by its encryption unit.
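The following Python script is an added worked example of the exchange described in claims 1 to 5 (and of the first and second embodiments that the description introduces); it is not code from the patent or from NTT DOCOMO. The page leaves the primitives abstract, so this example assumes concrete instantiations: the keyed one-way commutative operation is modelled as exponentiation modulo a prime (`x -> x^k mod P`), the homomorphic scheme as textbook Paillier, and the confidentiality processing as homomorphic addition of an encrypted non-negative noise term. The modulus `P`, the fixed Paillier primes, the `ATTRS` vocabulary, the user IDs and every function name (`run_linkage`, `comm_encrypt`, `hash_id`, ...) are this example's own, and all parameter sizes are toy-sized, so the script demonstrates the data flow between the two devices, not a secure deployment.

```python
"""Toy model of the linkage in claims 1-5 (constructed example, not the patent's code).
Parameters are toy-sized for speed and give no real security."""
import hashlib
import math
import random

# Keyed one-way commutative operation, assumed here to be x -> x^k mod P (DH-style).
P = 2**61 - 1  # Mersenne prime M61; toy modulus, far too small for real use


def hash_id(user_id: str, salt: bytes) -> int:
    """Salted hash of the user ID, mapped into Z_P^* (never zero)."""
    digest = hashlib.sha256(salt + user_id.encode()).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1


def commutative_key(rng: random.Random) -> int:
    """Exponent coprime to P-1, so x -> x^k is a bijection: equal doubly-encrypted
    IDs then mean equal hashed IDs, which makes the matching step exact."""
    while True:
        k = rng.randrange(2, P - 1)
        if math.gcd(k, P - 1) == 1:
            return k


def comm_encrypt(x: int, k: int) -> int:
    return pow(x, k, P)  # (x^k1)^k2 == (x^k2)^k1: each side can re-encrypt the other's IDs


def paillier_keygen():
    """Textbook Paillier with g = n+1 and fixed toy primes (insecure size, instant demo)."""
    p, q = 999983, 1000003
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    mu = pow((pow(n + 1, lam, n * n) - 1) // n, -1, n)
    return n, (n, lam, mu)  # public key n, private key (n, lambda, mu)


def paillier_encrypt(n: int, m: int, rng: random.Random) -> int:
    r = rng.randrange(1, n)  # gcd(r, n) == 1 except with negligible probability
    return (1 + m * n) * pow(r, n, n * n) % (n * n)


def paillier_decrypt(sk, c: int) -> int:
    n, lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n


def paillier_add(n: int, c1: int, c2: int) -> int:
    return c1 * c2 % (n * n)  # product of ciphertexts encrypts the sum of plaintexts


ATTRS = ("male", "female", "other")  # constructed attribute vocabulary


def one_hot(value: str) -> list:
    """Binary value with a flag set at the bit position matching the attribute content."""
    return [1 if a == value else 0 for a in ATTRS]


def run_linkage(ids_a, records_b, noise, seed=1):
    """Device A holds ids_a; counterpart B holds (id, attribute) records and the Paillier
    key. Returns (matched record count, {attribute: noisy count}) as decrypted by B."""
    rng = random.Random(seed)
    salt = rng.getrandbits(128).to_bytes(16, "big")  # shared salt, discarded after hashing
    k_a, k_b = commutative_key(rng), commutative_key(rng)
    n, sk = paillier_keygen()
    # Device A: salted hash of each ID, encrypted with A's own key.
    enc_a = [comm_encrypt(hash_id(i, salt), k_a) for i in ids_a]
    # Counterpart B: same for the IDs, plus Paillier encryption of every one-hot bit.
    enc_b = [(comm_encrypt(hash_id(i, salt), k_b),
              [paillier_encrypt(n, bit, rng) for bit in one_hot(attr)])
             for i, attr in records_b]
    del salt  # both sides discard the salt (claim 3)
    # Exchange and re-encryption: B applies k_b to A's list and returns it shuffled;
    # A applies k_a to B's list, keeping the attribute ciphertexts attached.
    double_a = [comm_encrypt(c, k_b) for c in enc_a]
    rng.shuffle(double_a)
    double_b = [(comm_encrypt(c, k_a), bits) for c, bits in enc_b]
    # Data matching at A on the ID portion only; attributes stay encrypted under B's key.
    own = set(double_a)
    matched = [bits for c, bits in double_b if c in own]
    # Aggregation at A: per bit position, homomorphic sum across the matched records.
    agg = [paillier_encrypt(n, 0, rng) for _ in ATTRS]
    for bits in matched:
        agg = [paillier_add(n, a, b) for a, b in zip(agg, bits)]
    # Confidentiality processing (assumed instance: add encrypted non-negative noise).
    stats = [paillier_add(n, a, paillier_encrypt(n, z, rng)) for a, z in zip(agg, noise)]
    # B decrypts the encrypted statistical information with its private key.
    return len(matched), {attr: paillier_decrypt(sk, c) for attr, c in zip(ATTRS, stats)}


if __name__ == "__main__":
    print(run_linkage(["u1", "u2", "u3", "u5"],
                      [("u1", "male"), ("u2", "female"), ("u4", "male"),
                       ("u5", "female"), ("u6", "other")], noise=[0, 0, 0]))
```

With the constructed records above, device A sees only doubly-encrypted IDs and Paillier ciphertexts: it can tell which of B's records share an ID with its own data and add the one-hot bits position by position, but it never learns any individual's attribute, and B receives only the totals after the noise term has been added. The example keeps the salt in one process for simplicity; in the claimed system each side hashes with the salt and then discards it, which is why the `del salt` step sits before any re-encryption or matching.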
Description
This disclosure relates to an information processing device and a privacy-protecting data linkage system.

When performing statistical analysis on confidential user data managed in databases across the information processing devices of multiple organizations (devices here broadly include computers, servers and the like, hereinafter simply "devices"), some measures must be taken from the standpoint of privacy protection. As an example of such measures, a technology is known that integrates confidential and non-confidential data while keeping the confidential data confidential, by means of a system configuration having an interface that can handle confidential and non-confidential data simultaneously (see Patent Document 1 below).

Patent Document 1: Japanese Patent Publication No. 2011-081301

Brief description of the drawings:
- A configuration diagram of the information processing device according to the first embodiment.
- A flowchart showing the processing performed in the information processing device according to the first embodiment.
- (a) illustrates the input of user data, (b) the encryption of user IDs, and (c) the encryption of attribute information.
- (a) explains the aggregation process, (b) the concealment process, and (c) the decryption process.
- A diagram illustrating the configuration of the privacy-protecting data linkage system according to the second embodiment.
- A flowchart showing the processes performed in the privacy-protecting data linkage system according to the second embodiment.
- (a) illustrates the input of user data and (b) the anonymization process.
- A diagram explaining irreversible ID transformation.
- A diagram explaining ID encryption.
- (a) illustrates the encryption of attribute information and (b) the sending and receiving of encrypted IDs.
- A diagram explaining ID re-encryption.
- A diagram explaining data matching.
- A diagram explaining the aggregation process.
- A diagram explaining the confidentiality process.
- A diagram explaining the decryption process.
- A modified example of the configuration of the information processing device according to the first embodiment.
- A modified example of the configuration of the privacy-protecting data linkage system according to the second embodiment.
- Another modified example of the configuration of the privacy-protecting data linkage system according to the second embodiment.
- A modified configuration of a privacy-protecting data linkage system that does not require attribute information but aggregates user data that includes at least the user ID.
- Figure 19 is a flowchart showing the processes performed in the privacy-protecting data linkage system.
- An example of the hardware configuration of an information processing device.

The following describes various embodiments of this disclosure with reference to the drawings. The first embodiment describes a case in which a single organization's information processing device generates statistical information that excludes any correspondence with individuals, targeting user data that contains confidential attribute information. The second embodiment describes a privacy-protecting data linkage system in which multiple devices hold user data including user IDs and attribute information about users, and statistical information that excludes any correspondence with individuals is generated through linkage between one of the multiple devices and a counterpart device.
(First Embodiment) As shown in Figure 1, the information processing device 10 in the first embodiment includes an encryption unit 11, an aggregation processing unit 12, and a confidentiality processing unit 13 as the minimum necessary components for generating statistical information that excludes correspondences with individuals, and further includes a decryption unit 14 as a component for restoring the generated statistical information. The functions of each unit will be described below. The encryption unit 11 is a functional unit that acquires user data, including user IDs and attribute information about the user, from an external device, encrypts the user IDs in the user data to be aggregated based on a self-encrypting key and a keyed one-way commutative operation held by its own device, and encrypts the attribute information in the user data to be aggregated using a homomorphic encryption scheme that allows for aggregation processing, thereby generating encrypted user data for the user data to be aggregated. The encryption unit 11 includes an ID encryption unit 11A that has the function of encrypting user IDs and an attribute information encryption unit 11B that h