このアプリケーションの一部のコンテンツは現時点では利用できません。
このような状況が続く場合は、にお問い合わせくださいフィードバック & お問い合わせ
1. (WO2019025415) DISTRIBUTING A COMPUTATION OUTPUT
注意: このテキストは、OCR 処理によってテキスト化されたものです。法的な用途には PDF 版をご利用ください。

CLAIMS

1. A method of operating a first computing node to distribute a computation output, the method comprising:

determining a first random mask;

providing the first random mask as a private input to a computation by a first evaluator node and a second evaluator node;

receiving, from each of the first evaluator node and the second evaluator node, a respective masked computation output, wherein each masked computation output is a function of an output of the computation and the first random mask;

if the received respective masked computation outputs match, determining the output of the computation from the received masked computation output and the first random mask; and

sending information to the first evaluator node and the second evaluator node to enable the first evaluator node and the second evaluator node to determine the output of the computation from the respective masked computation output.

2. A method as claimed in claim 1, wherein the method further comprises the step of:

terminating the method after the step of receiving if the received respective masked computation outputs do not match.

3. A method as claimed in claim 1 or 2, wherein the masked computation outputs are broadcast from the first evaluator node and the second evaluator node respectively.

4. A method as claimed in any of claims 1-3, wherein the step of sending information comprises sending the determined computation output or the first random mask to the first evaluator node and the second evaluator node.

5. A method as claimed in any of claims 1-4, wherein the method further comprises the steps of:

providing a second random mask as a private input to the computation by the first evaluator node and the second evaluator node;

receiving, from each of the first evaluator node and the second evaluator node, a respective masked Message Authentication Code, MAC, of the computation output, wherein each masked MAC of the computation output is a function of a MAC of the computation output and the second random mask;

if the received respective masked MACs of the computation output do not match, terminating the method before the step of sending information;

sending information to the first evaluator node and the second evaluator node to enable the first evaluator node and second evaluator node to determine the MAC of the computation output from the respective masked MACs of the computation output.

6. A method of operating a first evaluator node to distribute a computation output, the method comprising:

performing a computation with a second evaluator node to determine a first masked computation output, wherein the first masked computation output is a function of an output of the computation and a first random mask, wherein the first random mask is provided as a private input to the computation by a first computing node;

sending the first masked computation output to the first computing node; receiving information from the first computing node; and

determining a first possible computation output from the received information and the first masked computation output.

7. A method as claimed in claim 6, wherein the step of sending comprises broadcasting the first masked computation output to the first computing node.

8. A method as claimed in claim 6 or 7, wherein the method further comprises:

receiving a second masked computation output from the second evaluator node; and

terminating the method after receiving the second masked computation output if the received first masked computation output does not match the second masked computation output.

9. A method as claimed in any of claims 6-8, wherein the method further comprises the steps of:

determining, with the second evaluator node, a second possible computation output; and

determining the computation output from the first possible computation output and the second possible computation output.

10. A method as claimed in claim 9, wherein the step of determining a second possible computation output comprises:

receiving a second computation output secret share from the second evaluator node, wherein the second computation output secret share is a secret share, determined by the second evaluator node when performing the computation, of the output of the computation; and

determining the second possible computation output from a first computation output secret share and the second computation output secret share, wherein the first computation output secret share is a secret share of the output of the computation determined by the first evaluator node when performing the computation.

11. A method as claimed in claim 9 or 10, wherein the step of determining the computation output comprises:

comparing the first possible computation output to the second possible computation output; and

determining the computation output as the first possible computation output or the second possible computation output if the first possible computation output matches the second possible computation output.

12. A method as claimed in claim 11, wherein, if the first possible computation output does not match the second possible computation output, the step of determining the computation output further comprises:

checking together with the second evaluator node whether the second possible computation output is correct; and

determining the computation output as the second possible computation output if the second possible computation output is correct, and determining the computation output as the first possible computation output if the second possible computation output is not correct.

13. A method as claimed in claim 12, wherein the step of checking comprises performing a Message Authentication Code, MAC, check on the second possible

computation output and a MAC of the second possible computation output.

14. A method as claimed in claim 6 or 7, wherein the method further comprises the steps of:

determining, with the second evaluator node, a Message Authentication Code,

MAC, key;

wherein the step of performing the computation with the second evaluator node further determines a masked MAC of the computation output, wherein the masked MAC of the computation output is a function of a MAC of an output of the computation determined using the MAC key, and a second random mask, wherein the second random mask is provided as a private input to the computation by the first computing node;

sending the masked MAC of the computation output to the first computing node;

receiving second information from the first computing node;

determining the MAC of the computation output from the second information and the masked MAC of the computation output; and

determining the computation output as the first possible computation output if the MAC of the computation output matches a MAC of the first possible computation output determined using the MAC key.

15. A method as claimed in claim 14, wherein the MAC key comprises first and second field elements, and wherein the MAC of the output of the computation is a sum of the first field element and a product of the output of the computation and the second field element.

16. A method as claimed in claim 14 or 15, wherein the method further comprises the steps of:

if the MAC of the computation output does not match the MAC of the first possible computation output, receiving a second computation output secret share from the second evaluator node, wherein the second computation output secret share is a secret share, determined by the second evaluator node, of the output of the computation; and

determining the computation output from a first computation output secret share and the second computation output secret share, wherein the first computation output secret share is a secret share, determined by the first evaluator node when performing the computation, of the output of the computation.

17. A method as claimed in claim 10 or 16, wherein the method further comprises the step of:

sending the first computation output secret share to the second evaluator node.

18. A first computing node for distributing a computation output, wherein the first computing node is configured to:

determine a first random mask;

provide the first random mask as a private input to a computation by a first evaluator node and a second evaluator node;

receive, from each of the first evaluator node and the second evaluator node, a respective masked computation output, wherein each masked computation output is a function of an output of the computation and the first random mask;

determine the output of the computation from the received masked computation output and the first random mask if the received respective masked computation outputs match; and

send information to the first evaluator node and the second evaluator node to enable the first evaluator node and the second evaluator node to determine the output of the computation from the respective masked computation output.

19. A first computing node as claimed in claim 18, wherein the first computing node is further configured to:

terminate after receiving the respective masked computation output if the received respective masked computation outputs do not match.

20. A first computing node as claimed in claim 18 or 19, wherein the masked computation outputs are broadcast from the first evaluator node and the second evaluator node respectively.

21. A first computing node as claimed in any of claims 18-20, wherein the first computing node is configured to send the determined computation output or the first random mask to the first evaluator node and the second evaluator node.

22. A first computing node as claimed in any of claims 18-21 wherein the first computing node is further configured to:

provide a second random mask as a private input to the computation by the first evaluator node and the second evaluator node;

receive, from each of the first evaluator node and the second evaluator node, a respective masked Message Authentication Code, MAC, of the computation output, wherein each masked MAC of the computation output is a function of a MAC of the computation output and the second random mask;

terminate before sending the information if the received respective masked MACs of the computation output do not match;

send information to the first evaluator node and the second evaluator node to enable the first evaluator node and second evaluator node to determine the MAC of the computation output from the respective masked MACs of the computation output.

23. A first evaluator node for distributing a computation output, wherein the first evaluator node is configured to:

perform a computation with a second evaluator node to determine a first masked computation output, wherein the first masked computation output is a function of an output of the computation and a first random mask, wherein the first random mask is provided as a private input to the computation by a first computing node;

send the first masked computation output to the first computing node;

receive information from the first computing node; and

determine a first possible computation output from the received information and the first masked computation output.

24. A first evaluator node as claimed in claim 23, wherein the first evaluator node is configured to broadcast the first masked computation output to the first computing node.

25. A first evaluator node as claimed in claim 23 or 24, wherein the first evaluator node is further configured to:

receive a second masked computation output from the second evaluator node; and

terminate after receiving the second masked computation output if the received first masked computation output does not match the second masked computation output.

26. A first evaluator node as claimed in any of claims 23-25, wherein the first evaluator node is further configured to:

determine, with the second evaluator node, a second possible computation output; and

determine the computation output from the first possible computation output and the second possible computation output.

27. A first evaluator node as claimed in claim 26, wherein the first evaluator node is configured to determine a second possible computation output by:

receiving a second computation output secret share from the second evaluator node, wherein the second computation output secret share is a secret share, determined by the second evaluator node when performing the computation, of the output of the computation; and

determining the second possible computation output from a first computation output secret share and the second computation output secret share, wherein the first computation output secret share is a secret share of the output of the computation determined by the first evaluator node when performing the computation.

28. A first evaluator node as claimed in claim 26 or 27, wherein the first evaluator node is configured to determine the computation output by:

comparing the first possible computation output to the second possible computation output; and

determining the computation output as the first possible computation output or the second possible computation output if the first possible computation output matches the second possible computation output.

29. A first evaluator node as claimed in claim 28, wherein, the first evaluator node is configured to, if the first possible computation output does not match the second possible computation output, determine the computation output by:

checking together with the second evaluator node whether the second possible computation output is correct; and

determining the computation output as the second possible computation output if the second possible computation output is correct, and determining the computation output as the first possible computation output if the second possible computation output is not correct.

30. A first evaluator node as claimed in claim 29, wherein the first evaluator node is configured to check by performing a Message Authentication Code, MAC, check on the second possible computation output and a MAC of the second possible computation output.

31. A first evaluator node as claimed in claim 23 or 24, wherein the first evaluator node is further configured to:

determine, with the second evaluator node, a Message Authentication Code,

MAC, key;

wherein the first evaluator node is configured to perform the computation with the second evaluator node by determining a masked MAC of the computation output, wherein the masked MAC of the computation output is a function of a MAC of an output of the computation determined using the MAC key, and a second random mask, wherein the second random mask is provided as a private input to the computation by the first computing node;

send the masked MAC of the computation output to the first computing node; receive second information from the first computing node;

determine the MAC of the computation output from the second information and the masked MAC of the computation output; and

determine the computation output as the first possible computation output if the MAC of the computation output matches a MAC of the first possible computation output determined using the MAC key.

32. A first evaluator node as claimed in claim 31, wherein the MAC key comprises first and second field elements, and wherein the MAC of the output of the

computation is a sum of the first field element and a product of the output of the computation and the second field element.

33. A first evaluator node as claimed in claim 31 or 32, wherein the first evaluator node is further configured to:

receive a second computation output secret share from the second evaluator node if the MAC of the computation output does not match the MAC of the first possible computation output, wherein the second computation output secret share is a secret share, determined by the second evaluator node, of the output of the computation; and

determine the computation output from a first computation output secret share and the second computation output secret share, wherein the first computation output secret share is a secret share, determined by the first evaluator node when performing the computation, of the output of the computation.

34. A first evaluator node as claimed in claim 27 or 33, wherein the first evaluator node is further configured to:

send the first computation output secret share to the second evaluator node.

35. A computer program product comprising a computer readable medium having computer readable code embodied therein, the computer readable code being configured such that, on execution by a suitable computer or processor, the computer or processor is caused to perform the method of any of claims 1-17.