(11)EP 3 901 808 B1

(12)EUROPEAN PATENT SPECIFICATION

(45)Mention of the grant of the patent:
11.10.2023 Bulletin 2023/41

(21)Application number: 19901217.0

(22)Date of filing:  19.12.2019
(51)International Patent Classification (IPC): 
G06F 21/62(2013.01)
G06F 16/245(2019.01)
H04L 9/40(2022.01)
H04L 9/08(2006.01)
G06F 16/2452(2019.01)
G06F 21/44(2013.01)
H04W 12/02(2009.01)
(52)Cooperative Patent Classification (CPC):
G06F 16/2452; G06F 21/6254; G06F 21/44; G06F 21/6227; H04L 63/105; H04W 12/02; H04L 2209/42; H04L 9/088
(86)International application number:
PCT/JP2019/049849
(87)International publication number:
WO 2020/130082 (25.06.2020 Gazette  2020/26)

(54)

ANALYSIS QUERY RESPONSE SYSTEM, ANALYSIS QUERY EXECUTION DEVICE, ANALYSIS QUERY VERIFICATION DEVICE, ANALYSIS QUERY RESPONSE METHOD, AND PROGRAM



(84)Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

(30)Priority: 20.12.2018 JP 2018238166

(43)Date of publication of application:
27.10.2021 Bulletin 2021/43

(73)Proprietor: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
Chiyoda-ku, Tokyo 100-8116, (JP)

(72)Inventors:
  • ICHIKAWA, Atsunori
    Musashino-shi, Tokyo 180-8585 (JP)
  • HAMADA, Koki
    Musashino-shi, Tokyo 180-8585 (JP)

(74)Representative: MERH-IP Matias Erny Reichl Hoffmann Patentanwälte PartG mbB 
Paul-Heyse-Strasse 29
80336 München (DE)


(56)References cited:
WO-A1-2014/088903
WO-A1-2017/187207
JP-A- 2017 204 277
WO-A1-2016/203752
JP-A- 2014 038 524
US-A1- 2017 161 439
  
  • MCSHERRY FRANK D: "Privacy integrated queries an extensible platform for privacy-preserving data analysis", USER INTERFACE SOFTWARE AND TECHNOLOGY, ACM, 2 PENN PLAZA, SUITE 701 NEW YORK NY 10121-0701 USA, 29 June 2009 (2009-06-29), pages 19-30, XP058519581, DOI: 10.1145/1559845.1559850 ISBN: 978-1-4503-4531-6
  • Arai, Hiromi; Tsuda, Koji; Sakuma, Jun: "Query auditing for privacy preserving similarity search", IEICE Technical report, vol. 113, no. 286, 5 November 2013 (2013-11-05), pages 77-83, XP009522156, ISSN: 0913-5685
  
Note: Within nine months from the publication of the mention of the grant of the European patent, any person may give notice to the European Patent Office of opposition to the European patent granted. Notice of opposition shall be filed in a written reasoned statement. It shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention).


Description

TECHNICAL FIELD



[0001] The present invention relates to a privacy-preserving query response technology capable of requesting analysis while also preserving the privacy of data.

BACKGROUND ART



[0002] Recently, interest in the utilization of various information is growing. Particularly, there is increasing demand to utilize personal data, that is, information closely related to individuals, in various fields such as commerce, medical care, and welfare.

[0003] On the other hand, utilizing personal data demands sufficient consideration for privacy, which refers to sensitive information included in personal data. Particularly, in the case of disclosing and providing analysis results such as statistics obtained from a plurality of personal data to another party, it is necessary to apply an appropriate privacy-preserving mechanism so that personal data cannot be deduced from the disclosed statistics.

[0004] Such methods of attaining both privacy preservation and data disclosure are collectively referred to as "privacy-preserving data publishing".

[0005] One model of privacy-preserving data publishing is called "privacy-preserving query response". This is a model comprising a database apparatus that saves a plurality of personal data and a user apparatus that requests analysis of the personal data. In privacy-preserving query response, first, the user apparatus creates a desired analysis query to perform on data in the database apparatus, and sends the analysis query to the database apparatus. The analysis query is written in some kind of programming language, for example.

[0006] The database apparatus executes the sent analysis query on data held in the database apparatus itself, applies a privacy-preserving mechanism to the analysis execution result according to a privacy preservation indicator preset in the database apparatus, and replies to the user.

[0007] Existing methods of achieving privacy-preserving query response include the methods in Non-patent literatures 1 and 2.

[0008] Patent literature 1 discloses a system that allows the identification and protection of sensitive data in multiple ways, which can be combined for different workflows, data situations or use cases. The system scans datasets to identify sensitive or identifying data, and enables the anonymization of sensitive or identifying datasets by processing that data to produce a safe copy. Furthermore, the system prevents access to the raw dataset. The system enables privacy-preserving aggregate queries and computations, and uses differentially private algorithms to reduce or prevent the risk of identification or disclosure of sensitive information. The system scales to big data and is implemented in a way that supports parallel execution on a distributed compute cluster.

[0009] Patent literature 2 discloses a method and apparatus for ensuring a level of privacy when answering a convolution query on data stored in a database. The method and apparatus include the activities of determining the level of privacy associated with at least a portion of the data stored in the database and receiving query data, from a querier, for use in performing a convolution over the data stored in the database. The database is searched for data related to the received query data, and the data that corresponds to the received query data is retrieved from the database. An amount of noise based on the determined privacy level is generated and added to the retrieved data to create noisy data, which is then communicated to the querier.

PRIOR ART LITERATURE


PATENT LITERATURE



[0010] 

Patent literature 1: WO 2017/187207 A1.

Patent literature 2: WO 2014/088903 A1.


NON-PATENT LITERATURE



[0011] 

Non-patent literature 1: F. McSherry, "Privacy integrated queries: An Extensible Platform for Privacy-Preserving Data Analysis", In Proceedings of the 35th SIGMOD International Conference on Management of Data (SIGMOD), 2009.

Non-patent literature 2: J. Hou, X.-Y. Li, T. Jung, Y. Wang, and D. Zheng, "CASTLE: Enhancing the utility of inequality query auditing without denial threats", TIFS, 2018.


SUMMARY OF THE INVENTION


PROBLEMS TO BE SOLVED BY THE INVENTION



[0012] In the privacy-preserving query response achieved in the related art, only calculations by library functions, which are standardized calculations implemented and maintained on the database apparatus side, and analysis queries achievable by combinations of library functions can be sent as queries.

[0013] If free-form analysis queries not dependent on library functions, such as analysis queries structured as combinations of basic calculations like the four basic arithmetic operations and equality comparisons, could be sent, a wider range of data utilization would be possible.

[0014] However, an increasing degree of freedom in crafting analysis queries also makes it easier to craft malicious analysis queries intended to infringe on the privacy of the data, and there is a possibility that applying an appropriate privacy-preserving mechanism in the database apparatus may become difficult as a result.

[0015] Consequently, the related art prevents privacy infringement by limiting the degree of freedom to only library functions and combinations thereof.

[0016] An object of the present invention is to provide an analysis query response system, an analysis query execution apparatus, an analysis query verification apparatus, an analysis query response method, and a program capable of responding to more free-form analysis queries than the related art.

MEANS TO SOLVE THE PROBLEMS



[0017] The present invention provides an analysis query response system, an analysis query response method, as well as a corresponding program, having the features of the respective independent claims. The dependent claim relates to a preferred embodiment.

[0018] An analysis query response system according to an example that is not encompassed by the claims but useful for understanding the invention comprises a user terminal that generates and transmits an analysis query, and a database apparatus including an analysis query verification apparatus that includes a verification execution part that performs a first verification of whether the analysis query satisfies a predetermined privacy preservation indicator, and an analysis query execution apparatus that includes a personal data storage part that stores personal data and an analysis query execution and preservation part that, in a case where the first verification is successful, performs an analysis corresponding to the analysis query on the personal data read from the personal data storage part to acquire an analysis result, and applies a predetermined privacy-preserving mechanism to the acquired analysis result.

EFFECTS OF THE INVENTION



[0019] By providing the database apparatus with a verification function that verifies whether an analysis query satisfies a predetermined privacy preservation indicator, it is possible to respond to analysis queries that are more free-form than the related art.

BRIEF DESCRIPTION OF THE DRAWINGS



[0020] 

Fig. 1 is a diagram illustrating an example of a functional configuration of an analysis query response system.

Fig. 2 is a diagram illustrating an example of a functional configuration of a database apparatus.

Fig. 3 is a diagram illustrating an example of a processing procedure in an analysis query response method.


DETAILED DESCRIPTION OF THE EMBODIMENTS



[0021] Hereinafter, embodiments of the present invention will be described in detail. Note that structural elements having the same function are denoted with the same reference numerals in the drawings, and duplicate description of such elements is omitted.

[0022] As illustrated in Fig. 1 for example, an analysis query response system is provided with a database apparatus 2 that accumulates and saves a plurality of personal data, and a user terminal 1 which is a user apparatus that creates and transmits analysis queries to the database apparatus 2. As described later, the database apparatus 2 achieves a privacy-preserving query response to an arbitrarily created analysis query according to a predetermined privacy preservation indicator. The analysis query response method is achieved by, for example, causing the components of the analysis query response system to perform the process from step S1 to step S4 described in Fig. 3 and hereinafter.

[0023] The database apparatus 2 includes a storage function that stores personal data, a verification function that verifies that a received analysis query may satisfy a privacy preservation indicator, and a privacy-preserving mechanism function that performs an analysis query on the personal data and applies a privacy-preserving mechanism. The storage function is achieved by a personal data storage part 211. The verification function is achieved by a verification execution part 222. The privacy-preserving mechanism function is achieved by an analysis query execution and preservation part 214.

[0024] An analysis query is written in a programming language prespecified by the database apparatus 2 in advance. In the database apparatus 2 and the user terminal 1, it is assumed that the execution environment of the programming language can be constructed.

[0025] In the embodiment to be described later, the related art "differential privacy" and "ACL2" (for example, see Reference literature 1) are used as the "privacy preservation indicator" and the "programming language", respectively. However, a programming language having theorem-proving functions equal to or exceeding ACL2 in capability may also be used as the programming language.

[0026] Reference literature 1: "User manual for the ACL2 Theorem Prover and the ACL2 Community Books", [online], [retrieved December 13, 2018], Internet <URL: http://www.cs.utexas.edu/users/moore/acl2/v8-0/combined-manual/index.html>

[0027] Differential privacy is a privacy preservation indicator proposed by Reference literature 2, for example.

[0028] Reference literature 2: C. Dwork, "Differential privacy", In Proceedings of the International Colloquium on Automata, Languages and Programming (ICALP)(2), 112, 2006.

[0029] In the definition of this privacy preservation indicator, for a data set D containing a plurality of data elements, a data set ~D that differs from D in only one data element, and a parameter ε, when an analysis calculation q and a privacy-preserving mechanism M satisfy the inequality Pr[M(q(D)) = x] ≤ e^ε · Pr[M(q(~D)) = x] for every output value x, the analysis calculation q and the privacy-preserving mechanism M are considered to satisfy ε-differential privacy. The parameter ε represents a predetermined number close to 0, Pr represents probability, and e represents the base of the natural logarithm.

[0030] The above inequality indicates that by applying the privacy-preserving mechanism M, the values q(D) and q(~D) obtained by inputting the two different data sets D and ~D into the analysis calculation q will be the same value x with a high probability. In other words, this means that it will be difficult to infer from the analysis result whether the original data of the analysis is D or ~D.

[0031] In differential privacy, many techniques of the related art exist for determining an appropriate privacy-preserving mechanism M depending on the "behavior" of the analysis calculation q. The "behavior" of the analysis calculation q is called the "sensitivity" in the context of differential privacy.

[0032] In particular, the privacy-preserving mechanism M(q(D)) = q(D) + Lap(δq/ε), which uses a parameter δq called the "global sensitivity" and Laplace noise Lap, is known to satisfy ε-differential privacy. Consequently, if the global sensitivity δq can be obtained for every analysis calculation q, a privacy-preserving mechanism M can be constructed. The global sensitivity can be obtained as δq = max_{D,~D}(|q(D) - q(~D)|), for example. The meaning of the global sensitivity δq is "the maximum difference that may occur in the output of q in the case where there is at most one change (D→~D) in the input data".

[0033] ACL2 is a programming language based on Common Lisp, and is a formal method and a theorem prover.

[0034] Like Common Lisp, ACL2 can be used to write functions that perform arbitrary calculations by combining basic calculations such as the four basic arithmetic operations. Also, with ACL2, a proof that a function "satisfies a certain property" can be written, and ACL2 is capable of verifying that the proof is correct.

[0035] The present embodiment preserves privacy appropriately and responds with an analysis result to an analysis query written in ACL2.

[0036] In the present embodiment, an initial value of the parameter ε that represents a privacy budget allowed by the database apparatus 2 is at first set individually in each user terminal 1. Also, a library function group and a library theorem group to provide to the user terminal 1 may be written in ACL2 in the database apparatus 2, as necessary.

<User terminal 1>



[0037] The user terminal 1 generates and transmits an analysis query (step S1).

[0038] The analysis query is assumed to contain at least information about a function q that performs an analysis calculation. The analysis query is generated under a predetermined privacy preservation indicator and a predetermined programming language.

[0039] The user terminal 1 may additionally generate and transmit proof information, which is information related to a proof that the analysis query satisfies the predetermined privacy preservation indicator. In the case where the predetermined privacy preservation indicator is ε-differential privacy, the proof information may be proof information related to the global sensitivity of the analysis calculation corresponding to the analysis query. One example of the proof information is information about a proof that the global sensitivity of the function q satisfies the property δq ≤ Δd. The proof information is written in a predetermined programming language such as ACL2 for example.

[0040] In the case where a library function group and a library theorem group provided by the database apparatus 2 exist, the analysis query and the proof information may also be written using the library function group and the library theorem group.

[0041] Furthermore, the user terminal 1 may additionally transmit a privacy quantity that is consumed by the analysis query. In the case where the predetermined privacy preservation indicator is ε-differential privacy, the privacy quantity is the parameter εq for example.

[0042] Note that the user terminal 1 does not know the actual data D (and ~D and the like) on the database apparatus, and therefore is unable to compute the global sensitivity δq directly. For this reason, instead of D and ~D, the property is proved using an input variable X = (x_1, ..., x_n) of the function q and an input variable ~X = (x_1, ..., x_i + d, ..., x_n) obtained by using a variable d to modify an arbitrary position i (where 1 ≤ i ≤ n) of X. In other words, if |q(X) - q(~X)| ≤ Δd is satisfied for arbitrary X and ~X, then the same is also true when (X, ~X) = (D, ~D), and therefore max(|q(D) - q(~D)|) ≤ Δd holds. Here, Δd may be a constant, or a function that takes d and X as input variables.

[0043] For example, in the case where the function q is the linear combination q(X) = Σ_{1≤k≤n} a_k x_k, we have q(~X) = (Σ_{1≤k≤n, k≠i} a_k x_k) + a_i(x_i + d) = (Σ_{1≤k≤n} a_k x_k) + a_i d, which gives |q(X) - q(~X)| = |a_i d| ≤ |max_i(a_i)·d|, and when d matches the width of the range of actual data, Δd = |max_i(a_i)·d| matches the global sensitivity of q. Here, a_1, ..., a_n are predetermined numbers. Consequently, the user terminal 1 proves that |q(X) - q(~X)| ≤ |max_i(a_i)·d| for the variables X, ~X, and d.

[0044] For example, with this configuration, the user terminal 1 can generate proof information related to the global sensitivity of an analysis calculation corresponding to an analysis query that is unknown to the database apparatus 2, without knowing the actual personal data.

<Database apparatus 2>



[0045] As illustrated in Fig. 2, the database apparatus 2 is provided with an analysis query execution apparatus 21 and an analysis query verification apparatus 22 for example.

[0046] The analysis query execution apparatus 21 is provided with a personal data storage part 211, an analysis query reception part 212, a verification request part 213, an analysis query execution and preservation part 214, and an analysis result transmission part 215.

[0047] The analysis query verification apparatus 22 is provided with an analysis query reception part 221, a verification execution part 222, and a verification result transmission part 223.

[0048] Personal data is stored in the personal data storage part 211. Personal data contains combinations of any information in any format, such as numerical values and character strings, for example.

[0049] The analysis query reception part 212 receives an analysis query transmitted by the user terminal 1. The analysis query reception part 212 outputs the analysis query to the verification request part 213.

[0050] The verification request part 213 outputs the analysis query and a verification request corresponding to the analysis query to the analysis query reception part 221 of the analysis query verification apparatus 22. Also, the verification request part 213 outputs the analysis query to the analysis query execution and preservation part 214.

[0051] The analysis query reception part 221 outputs the analysis query and the verification request corresponding to the analysis query to the verification execution part 222.

[0052] The verification execution part 222 receives the verification request corresponding to the analysis query and performs a first verification of whether the analysis query satisfies a predetermined privacy preservation indicator (step S2). The result of the first verification is output to the verification result transmission part 223.

[0053] Note that in the case where the user terminal 1 outputs proof information, the analysis query together with the proof information are input into the verification execution part 222 through the analysis query reception part 212, the verification request part 213, and the analysis query reception part 221. In this case, the verification execution part 222 may use the proof information to perform the first verification of whether the analysis query satisfies the predetermined privacy preservation indicator. By using the proof information, the first verification can be performed more easily.

[0054] For example, the verification execution part 222 executes ACL2 to verify that a proof claimed by the user terminal 1 is correct regarding a property of an analysis calculation q corresponding to the analysis query.

[0055] The verification result transmission part 223 outputs the result of the first verification to the analysis query execution and preservation part 214.

[0056] The analysis query execution and preservation part 214 determines whether the first verification is successful on the basis of the result of the first verification, and discards the analysis query if the first verification is unsuccessful.

[0057] On the other hand, if the first verification is successful, the analysis query execution and preservation part 214 performs an analysis corresponding to the analysis query on personal data read from the personal data storage part to acquire an analysis result, and applies a predetermined privacy-preserving mechanism to the acquired analysis result (step S3).

[0058] For example, the analysis query execution and preservation part 214 applies a privacy-preserving mechanism by deriving an upper bound on the global sensitivity from the proven property of the analysis calculation q, generating noise v so as to satisfy εq-differential privacy, and adding the generated noise v to the analysis result q(D). In this case, the analysis result after applying the privacy-preserving mechanism is q(D) + v. The noise v may be generated as v = Lap(Δd/εq) as described above, or the noise v may be generated so as to satisfy εq-differential privacy according to another method.

[0059] Note that in the case where the user terminal 1 additionally transmits a privacy quantity that is consumed by the analysis query, the analysis query together with the privacy quantity are input into the analysis query execution and preservation part 214 through the analysis query reception part 212 and the verification request part 213.

[0060] In this case, the analysis query execution and preservation part 214 may additionally perform a second verification of whether the remainder of a predetermined privacy budget for the user terminal 1 exceeds the privacy quantity, and in the case where the first verification and the second verification are successful, the analysis query execution and preservation part 214 may perform an analysis corresponding to the analysis query on personal data read from the personal data storage part 211 to acquire an analysis result, and apply a predetermined privacy-preserving mechanism to the acquired analysis result.

[0061] In other words, for example, in the case where the first verification is successful, the analysis query execution and preservation part 214 compares the parameter εq expressing the privacy quantity to be consumed to the parameter ε expressing the privacy budget, and executes the analysis query only if εq ≤ ε holds.

[0062] Note that the parameter ε expressing the privacy budget is updated by the remainder ε - εq obtained by subtracting the consumed privacy quantity εq from the parameter ε expressing the privacy budget and saved.

[0063] The analysis result generated by the analysis query execution and preservation part 214 is output to the analysis result transmission part 215.

[0064] The analysis result transmission part 215 transmits the analysis result to the user terminal 1 (step S4).
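The following is an added worked example and not part of the patent specification or of any NTT implementation: a small Python model of steps S1 to S4 for the linear-combination query class of paragraph [0043], with the Laplace mechanism of [0032] and [0058] and the budget checks of [0060] to [0062]. The ACL2 proof check is replaced by a direct recomputation of the tight bound, which is valid only for this query class; the class and function names (UserTerminal, DatabaseApparatus.respond, first_verification, second_verification) and the sample data are constructed for the example. Absolute values are applied to the coefficients so that negative coefficients are bounded correctly.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class LinearQuery:
    """Analysis calculation q(X) = sum_k a_k * x_k with predetermined a_1, ..., a_n."""
    coeffs: tuple

    def evaluate(self, data):
        if len(data) != len(self.coeffs):
            raise ValueError("query arity does not match the stored data")
        return sum(a * x for a, x in zip(self.coeffs, data))


@dataclass(frozen=True)
class AnalysisQuery:
    """What the user terminal transmits in step S1: the function q, proof
    information (d, delta_d) claiming |q(X) - q(~X)| <= delta_d for any
    single-element change of size d, and the privacy quantity eps_q."""
    q: LinearQuery
    d: float        # assumed width of the range of one data element
    delta_d: float  # claimed upper bound on the global sensitivity
    eps_q: float    # privacy quantity consumed by this query


class UserTerminal:
    """Knows the coefficients and the data range, never the personal data D."""

    def generate_query(self, coeffs, d, eps_q):
        # Bound of [0043] for a linear combination: max_i |a_i| * d.
        delta_d = max(abs(a) for a in coeffs) * d
        return AnalysisQuery(LinearQuery(tuple(coeffs)), d, delta_d, eps_q)


def first_verification(query):
    """Stand-in for verification execution part 222 (step S2). ACL2 would check
    a user-supplied proof; here the tight bound for the linear class is
    recomputed and the claim is accepted iff it is not smaller than that."""
    if query.d <= 0 or query.delta_d < 0 or not query.q.coeffs:
        return False
    tight = max(abs(a) for a in query.q.coeffs) * query.d
    return query.delta_d >= tight


def second_verification(remaining_budget, eps_q):
    """Budget check of [0060]/[0061]: execute only if 0 < eps_q <= eps."""
    return 0 < eps_q <= remaining_budget


def laplace_noise(scale, rng):
    """Sample Lap(scale) by inverse-CDF transform; scale = delta_d / eps_q."""
    while True:
        u = rng.random() - 0.5
        if abs(u) < 0.5:          # excludes the open endpoint where log(0) would occur
            break
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


class DatabaseApparatus:
    """Holds the personal data D and a per-terminal privacy budget eps."""

    def __init__(self, personal_data, budgets, seed=0):
        self.personal_data = tuple(personal_data)
        self.budgets = dict(budgets)        # user id -> remaining eps
        self.rng = random.Random(seed)      # seeded only so the example is repeatable

    def respond(self, user_id, query):
        """Steps S2 to S4. Returns ("discarded", None) or ("ok", noisy result)."""
        if not first_verification(query):                               # [0056]
            return ("discarded", None)
        if not second_verification(self.budgets.get(user_id, 0.0), query.eps_q):
            return ("discarded", None)                                  # [0060]
        result = query.q.evaluate(self.personal_data)                   # q(D)
        v = laplace_noise(query.delta_d / query.eps_q, self.rng)        # Lap(delta_d / eps_q)
        self.budgets[user_id] -= query.eps_q                            # [0062]: eps <- eps - eps_q
        return ("ok", result + v)                                       # [0058]: q(D) + v


if __name__ == "__main__":
    terminal = UserTerminal()
    db = DatabaseApparatus([3.0, 4.0, 5.0], {"u1": 1.0}, seed=7)  # constructed sample data
    query = terminal.generate_query([1, -2, 0.5], d=10.0, eps_q=0.5)
    print(db.respond("u1", query), "remaining budget:", db.budgets["u1"])
```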

[0065] According to the above, a privacy-preserving query response database apparatus for which analysis queries can be created more freely than the related art may be achieved.

[Modifications]



[0066] The foregoing describes embodiments of the present invention, but the specific configuration is not limited to these embodiments.

[0067] The various processes described in the embodiments not only may be executed in a time series following the order described, but may also be executed in parallel or individually according to the processing performance of the apparatus executing the process, or as needed.

[0068] For example, data may be exchanged directly between the components of the analysis query response system, or through a storage part not illustrated.

[Program, recording medium]



[0069] In the case where the various processing functions in each of the apparatuses described above are achieved by a computer, the processing content of the functions to be included in each apparatus is stated by a program. Additionally, by causing a computer to execute the program, the various processing functions in each of the above apparatuses are achieved on the computer.

[0070] The program stating the processing content can be recorded to a computer-readable recording medium. The computer-readable recording medium may be any type of medium such as a magnetic recording apparatus, an optical disc, a magneto-optical recording medium, or semiconductor memory, for example.

[0071] Also, the program is distributed by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM disc on which the program is recorded, for example. Furthermore, the program may also be stored in a storage apparatus of a server computer and distributed by transferring the program from the server computer to another computer over a network.

[0072] The computer that executes such a program first stores the program recorded on the portable recording medium or the program transferred from the server computer in its own storage apparatus, for example. Additionally, when executing processes, the computer loads the program stored in its own storage apparatus, and executes processes according to the loaded program. Also, as a different mode of executing the program, the computer may be configured to load the program directly from the portable recording medium and execute processes according to the program, and furthermore, every time the program is transferred to the computer from the server computer, the computer may be configured to execute processes according to the received program in succession. Also, a configuration for executing the processes described above may be achieved by what is called an application service provider (ASP) type service, in which processing functions are achieved by an execution instruction and a result acquisition only, without transferring the program from the server computer to the computer. Note that the program in this mode is assumed to include accompanying information conforming to the program for processing by an electronic computer (such as data that is not direct instructions to the computer, but has properties that stipulate processing by the computer).

[0073] Also, in this mode, the apparatus is configured by causing the predetermined program to be executed on the computer, but at least a portion of the processing content may also be achieved in hardware.

DESCRIPTION OF REFERENCE NUMERALS



[0074]
1: user terminal
2: database apparatus
21: analysis query execution apparatus
211: personal data storage part
212: analysis query reception part
213: verification request part
214: analysis query execution and preservation part
215: analysis result transmission part
22: analysis query verification apparatus
221: analysis query reception part
222: verification execution part
223: verification result transmission part



Claims

1. An analysis query response system comprising:

a user terminal (1) that generates and transmits an analysis query, the analysis query containing at least information about a function q that performs an analysis calculation; and

a database apparatus (2) including an analysis query verification apparatus (22) that includes a verification execution part (222) that performs a first verification of whether the analysis query satisfies a predetermined privacy preservation indicator, and an analysis query execution apparatus (21) that includes a personal data storage part (211) that stores personal data and an analysis query execution and preservation part (214) that, in a case where the first verification is successful, performs an analysis corresponding to the analysis query on the personal data read from the personal data storage part (211) to acquire an analysis result, and applies a predetermined privacy-preserving mechanism to the acquired analysis result,

wherein

the user terminal (1) generates the analysis query under a predetermined privacy preservation indicator and a predetermined programming language,

the analysis query execution and preservation part (214) discards the analysis query in a case where the first verification is unsuccessful,

the user terminal (1) additionally generates and transmits proof information, the proof information being information related to a proof that the analysis query satisfies the predetermined privacy preservation indicator, and

the verification execution part (222) uses the proof information to perform the first verification of whether the analysis query satisfies the predetermined privacy preservation indicator.


 
2. The analysis query response system according to Claim 1, wherein

the predetermined privacy preservation indicator is ε-differential privacy,

the proof information is proof information related to a global sensitivity of an analysis calculation corresponding to the analysis query,

the user terminal (1) additionally transmits a privacy quantity that is consumed by the analysis query,

the analysis query execution and preservation part (214) additionally performs a second verification of whether a remainder of a predetermined privacy budget for the user terminal (1) exceeds the privacy quantity, and in a case where the first verification and the second verification are successful, the analysis query execution and preservation part (214) performs an analysis corresponding to the analysis query on personal data read from the personal data storage part (211) to acquire an analysis result, and applies a predetermined privacy-preserving mechanism to the acquired analysis result, and

the analysis query execution and preservation part (214) discards the analysis query in a case where either of the first verification and the second verification is unsuccessful.


 
3. An analysis query response method comprising:

a step (S1) of a user terminal (1) generating and transmitting an analysis query, the analysis query containing at least information about a function q that performs an analysis calculation;

a step (S2) of a verification execution part (222) of a database apparatus (2) performing a first verification of whether the analysis query satisfies a predetermined privacy preservation indicator; and

a step (S3) of an analysis query execution and preservation part (214) of the database apparatus (2), in a case where the first verification is successful, performing an analysis corresponding to the analysis query on personal data read from a personal data storage part (211) storing personal data to acquire an analysis result, and applying a predetermined privacy-preserving mechanism to the acquired analysis result,

wherein the method further comprises:

a step of the user terminal (1) generating the analysis query under a predetermined privacy preservation indicator and a predetermined programming language,

a step of the analysis query execution and preservation part (214) discarding the analysis query in a case where the first verification is unsuccessful,

a step of the user terminal (1) additionally generating and transmitting proof information, the proof information being information related to a proof that the analysis query satisfies the predetermined privacy preservation indicator, and

a step of the verification execution part (222) using the proof information to perform the first verification of whether the analysis query satisfies the predetermined privacy preservation indicator.
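The procedure of Claims 1 to 3, instantiated with the ε-differential-privacy indicator of Claim 2, as an added example that is not part of the patent. It assumes a constructed query language in which the function q is summed over the records after clipping each contribution to an interval [lo, hi]; that interval is the proof information, so the verifier recomputes the global sensitivity (hi - lo) instead of trusting the user terminal's figure, and the budget check treats "exceeds" as ≥ (an assumption). The privacy-preserving mechanism assumed is the Laplace mechanism.

```python
import random
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample of personal data held by the database apparatus (2).
SAMPLE_RECORDS = [{"age": 30}, {"age": 45}, {"age": 150}, {"age": -5}]


@dataclass
class AnalysisQuery:
    """Analysis query plus proof information (constructed representation)."""
    q: Callable[[dict], float]   # per-record analysis calculation, summed over the data
    lo: float                    # proof information: claimed per-record output range of q
    hi: float
    claimed_sensitivity: float   # global sensitivity asserted by the user terminal
    epsilon: float               # privacy quantity consumed by this query


@dataclass
class DatabaseApparatus:
    records: list
    budgets: dict = field(default_factory=dict)          # remaining ε per user terminal
    rng: random.Random = field(default_factory=random.Random)

    def first_verification(self, query: AnalysisQuery) -> bool:
        # ε-DP check (Claim 2): q is clipped to [lo, hi] before summation, so the
        # global sensitivity is hi - lo; reject if the claim understates it.
        if not query.lo < query.hi or query.epsilon <= 0:
            return False
        return query.claimed_sensitivity >= query.hi - query.lo

    def second_verification(self, user: str, query: AnalysisQuery) -> bool:
        # Budget check; the claim says "exceeds", >= is assumed here.
        return self.budgets.get(user, 0.0) >= query.epsilon

    def clipped_sum(self, query: AnalysisQuery) -> float:
        # The analysis itself: each contribution is clipped so the sensitivity proof holds.
        return sum(min(max(query.q(r), query.lo), query.hi) for r in self.records)

    def respond(self, user: str, query: AnalysisQuery):
        """Returns the privacy-preserved result, or None when the query is discarded."""
        if not (self.first_verification(query) and self.second_verification(user, query)):
            return None
        self.budgets[user] -= query.epsilon
        # Laplace mechanism: scale = sensitivity / ε; Laplace(0, b) = b * (Exp(1) - Exp(1)).
        scale = query.claimed_sensitivity / query.epsilon
        noise = scale * (self.rng.expovariate(1.0) - self.rng.expovariate(1.0))
        return self.clipped_sum(query) + noise
```

A discarded query leaves the budget untouched, which is the behaviour the claims require when either verification fails.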


 
4. A program comprising instructions for causing the analysis query response system according to claim 1 to perform the method according to claim 3.
 


Claims

1. An analysis query response system, comprising:

a user terminal (1) which generates and transmits an analysis query, the analysis query containing at least information about a function q which performs an analysis calculation; and

a database apparatus (2) including an analysis query verification apparatus (22), which includes a verification execution part (222) that performs a first verification of whether the analysis query satisfies a predetermined privacy protection indicator, and an analysis query execution apparatus (21), which includes a private data storage part (211) that stores private data and an analysis query execution and protection part (214) that, in a case in which the first verification is successful, performs an analysis corresponding to the analysis query on the private data read from the private data storage part (211) to obtain an analysis result, and applies a predetermined privacy protection mechanism to the obtained analysis result,

wherein

the user terminal (1) generates the analysis query under a predetermined privacy protection indicator and a predetermined programming language,

the analysis query execution and protection part (214) discards the analysis query in a case in which the first verification is not successful,

the user terminal (1) additionally generates and transmits proof information, the proof information being information according to a proof that the analysis query satisfies the predetermined privacy protection indicator, and

the verification execution part (222) uses the proof information to perform the first verification of whether the analysis query satisfies the predetermined privacy protection indicator.


 
2. The analysis query response system according to Claim 1, wherein

the predetermined privacy protection indicator is ε-differential privacy,

the proof information is proof information according to a global sensitivity of an analysis calculation corresponding to the analysis query,

the user terminal (1) additionally transmits a privacy quantity which is consumed by the analysis query,

the analysis query execution and protection part (214) additionally performs a second verification of whether a remainder of a predetermined privacy budget for the user terminal (1) exceeds the privacy quantity, and in a case in which the first verification and the second verification are successful, the analysis query execution and protection part (214) performs an analysis corresponding to the analysis query on private data read from the private data storage part (211) to obtain an analysis result, and applies a predetermined privacy protection mechanism to the obtained analysis result, and

the analysis query execution and protection part (214) discards the analysis query in a case in which either the first verification or the second verification is not successful.


 
3. An analysis query response method, comprising:

a step (S1) of a user terminal (1) which generates and transmits an analysis query, the analysis query containing at least information about a function q which performs an analysis calculation;

a step (S2) of a verification execution part (222) of a database apparatus (2) which performs a first verification of whether the analysis query satisfies a predetermined privacy protection indicator; and

a step (S3) of an analysis query execution and protection part (214) of the database apparatus (2) which, in a case in which the first verification is successful, performs an analysis corresponding to the analysis query on private data read from a private data storage part (211) that stores private data, to obtain an analysis result, and applies a predetermined privacy protection mechanism to the obtained analysis result,

wherein the method further comprises:

a step of the user terminal (1) which generates the analysis query under a predetermined privacy protection indicator and a predetermined programming language,

a step of the analysis query execution and protection part (214) which discards the analysis query in a case in which the first verification is not successful,

a step of the user terminal (1) which additionally generates and transmits proof information, the proof information being information according to a proof that the analysis query satisfies the predetermined privacy protection indicator, and

a step of the verification execution part (222) which uses the proof information to perform the first verification of whether the analysis query satisfies the predetermined privacy protection indicator.


 
4. A program comprising instructions for causing the analysis query response system according to Claim 1 to perform the method according to Claim 3.
 


Claims

1. An analysis query response system comprising:

a user terminal (1) which generates and transmits an analysis query, the analysis query containing at least information relating to a function q which performs an analysis calculation; and

a database apparatus (2) including an analysis query verification apparatus (22) which includes a verification execution part (222) that performs a first verification of whether or not the analysis query satisfies a predetermined privacy preservation indicator, and an analysis query execution apparatus (21) which includes a personal data storage part (211) that stores personal data and an analysis query execution and preservation part (214) which, in a case where the first verification is successful, performs an analysis corresponding to the analysis query on the personal data read from the personal data storage part (211) to acquire an analysis result, and applies a predetermined privacy preservation mechanism to the acquired analysis result,

wherein

the user terminal (1) generates the analysis query in accordance with a predetermined privacy preservation indicator and a predetermined programming language,

the analysis query execution and preservation part (214) rejects the analysis query in a case where the first verification has failed,

the user terminal (1) further generates and transmits proof information, the proof information being information relating to a proof that the analysis query satisfies the predetermined privacy preservation indicator, and

the verification execution part (222) uses the proof information to perform the first verification of whether or not the analysis query satisfies the predetermined privacy preservation indicator.


 
2. The analysis query response system according to Claim 1, wherein

the predetermined privacy preservation indicator is ε-differential privacy,

the proof information is proof information relating to a global sensitivity of an analysis calculation corresponding to the analysis query,

the user terminal (1) further transmits a privacy quantity which is consumed by the analysis query,

the analysis query execution and preservation part (214) further performs a second verification of whether a remainder of a predetermined privacy budget for the user terminal (1) exceeds the privacy quantity and, in a case where the first verification and the second verification are successful, the analysis query execution and preservation part (214) performs an analysis corresponding to the analysis query on personal data read from the personal data storage part (211) to acquire an analysis result, and applies a predetermined privacy preservation mechanism to the acquired analysis result, and

the analysis query execution and preservation part (214) rejects the analysis query in a case where the first verification and the second verification have failed.


 
3. An analysis query response method comprising:

a step (S1) of, by a user terminal (1), generating and transmitting an analysis query, the analysis query containing at least information relating to a function q which performs an analysis calculation;

a step (S2) of, by a verification execution part (222) of a database apparatus (2), performing a first verification of whether or not the analysis query satisfies a predetermined privacy preservation indicator; and

a step (S3) of, by an analysis query execution and preservation part (214) of the database apparatus (2), in a case where the first verification is successful, performing an analysis corresponding to the analysis query on personal data read from a personal data storage part (211) storing personal data to acquire an analysis result, and applying a predetermined privacy preservation mechanism to the acquired analysis result,

wherein the method further comprises:

a step of, by the user terminal (1), generating an analysis query in accordance with a predetermined privacy preservation indicator and a predetermined programming language,

a step of, by the analysis query execution and preservation part (214), rejecting the analysis query in a case where the first verification has failed,

a step of, by the user terminal (1), further generating and transmitting proof information, the proof information being information relating to a proof that the analysis query satisfies the predetermined privacy preservation indicator, and

a step of, by the verification execution part (222), using the proof information to perform the first verification of whether or not the analysis query satisfies the predetermined privacy preservation indicator.


 
4. A program comprising instructions for causing the analysis query response system according to Claim 1 to perform the method according to Claim 3.
 




Drawing













