CN115766009A - Method and device for power-of-2 inversion in multi-party security computation - Google Patents

Publication number
CN115766009A
Authority
CN
China
Prior art keywords
party
fragment
boolean
power
slice
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211474800.8A
Other languages
Chinese (zh)
Inventor
张祺智
郑宇�
李漓春
殷山
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ant Blockchain Technology Shanghai Co Ltd
Original Assignee
Ant Blockchain Technology Shanghai Co Ltd
Application filed by Ant Blockchain Technology Shanghai Co Ltd filed Critical Ant Blockchain Technology Shanghai Co Ltd
Priority to CN202211474800.8A priority Critical patent/CN115766009A/en
Publication of CN115766009A publication Critical patent/CN115766009A/en
Pending legal-status Critical Current

Landscapes

  • Compression, Expansion, Code Conversion, And Decoders (AREA)

Abstract

The embodiments of this specification provide a method and a device for power-of-2 inversion in multi-party secure computation: arithmetic inversion is performed on a power of 2 held in Boolean shared form by two data parties during business processing based on multi-party secure computation. Using the characteristics of powers of 2 and of Boolean sharing, and the correspondence between the positions of a power of 2 and its inverse before and after the decimal point, the Boolean shared form of the inverse of the power of 2 is determined by arranging the bit values in the Boolean fragments in reverse order. The two parties then execute the secure B2A protocol to obtain the arithmetic shared form of the inverse of the power of 2. This can greatly reduce the data communication traffic of arithmetic inversion and improve the business processing efficiency of secure computation.

Description

Method and device for power inversion of 2 in multi-party security calculation
Technical Field
One or more embodiments of the present disclosure relate to the field of secure computation technologies, and in particular to a method and an apparatus for inverting a power of 2 in multi-party secure computation.
Background
The secure multi-party computation is also called multi-party secure computation, and the result of a function can be computed by multiple parties together without revealing the input data of the parties in the function, and the computed result is disclosed to one or more parties. Typical applications of secure multiparty computing are e.g. joint statistical analysis of privacy protected multiparty data, machine learning, etc. The function here is a function of statistical operations, a machine learning algorithm, and the like.
In a multi-party secure computing process, data or intermediate results may be held by parties in a shared (share) form in order not to reveal the parties' data and intermediate computing results. One party holds one data fragment, and the fragments held by each party are fused together to restore corresponding data. Typically, the computation is kept in a shared state. In this way, the number of data communications, the amount of communications, and the like in the multiparty security calculation are important factors that affect the efficiency of the security calculation.
Disclosure of Invention
One or more embodiments of the present specification describe a method and apparatus for power-of-2 inversion in multi-party security computing to solve one or more of the problems mentioned in the background.
According to a first aspect, there is provided a method for inverse power-of-2 in multi-party security computing, for two parties to determine an arithmetical shared form of an inverse power-of-2 based on a boolean shared form of power-of-2, the two parties including a first party and a second party respectively holding a first boolean slice and a second boolean slice of power-of-2 represented by n bits in the form of fixed point numbers, the method being performed by the first party and comprising: for a held first Boolean fragment, determining a first reference fragment corresponding to the first Boolean fragment based on the reverse order arrangement of the numerical values of the bits, wherein the first reference fragment and a second reference fragment held by a second party form a Boolean sharing form of the inverse of the power of 2, and the second reference fragment is determined based on the reverse order arrangement of the numerical values of the bits of the second Boolean fragment; and executing a secure B2A protocol with a second party by utilizing the first reference fragment to convert the inverse of the power of 2 from a Boolean shared form to an arithmetic shared form, thereby obtaining the first arithmetic fragment of the inverse of the power of 2.
In one embodiment, the lowest bit of the first Boolean slice is the 0th bit and the corresponding decimal place number is f; the reverse-order arrangement of the values of the respective bits is performed by one of: converting the order lowest bit to highest bit into highest bit to lowest bit, the decimal place number after conversion being n-f-1; mirror-flipping each bit about the decimal point position between the (f-1)-th bit and the f-th bit as the axis, the decimal place number after flipping being n-f-1; and mirror-flipping the other bits about the f-th bit as the axis, the decimal place number after flipping being n-f.
In one embodiment, said executing a secure B2A protocol with a second party using said first reference slice to convert said inverse of the power of 2 from a Boolean shared form to an arithmetic shared form, resulting in a first arithmetic slice of the inverse of the power of 2, comprises: for each bit in the first reference fragment, performing an oblivious transfer protocol with the corresponding bit in the second reference fragment obtained by the second party, wherein the oblivious transfer performed for a single bit i is as follows: one of the first and second parties, acting as sender, sends two strings $s_{i0}$ and $s_{i1}$ to the other party, the two strings corresponding respectively to the value of said single bit being 0 and 1; the other party, acting as receiver, uses its local corresponding bit as the selection bit to select one of the two strings $s_{i0}$ and $s_{i1}$; and determining, based on the result of executing the oblivious transfer protocol, a first arithmetic fragment corresponding to the first reference fragment as the first arithmetic fragment of the inverse of the power of 2.
In a further embodiment, in case that the first party is the sender, the first arithmetic slice corresponding to the first reference slice is in an arithmetic form of the first reference slice; and under the condition that the first party is the receiving party, the first arithmetic slice corresponding to the first reference slice is an arithmetic form of a slice obtained by multiplying each bit of the first reference slice by the corresponding selection bit.
In one embodiment, said executing a secure B2A protocol with a second party using said first reference slice to convert said inverse of power of 2 from a boolean share form to an arithmetic share form, resulting in a first arithmetic slice of the inverse of power of 2 comprises: determining 2 first reference values respectively corresponding to odd bits and even bits, wherein a single first reference value is determined by binary numbers formed by bit values on the corresponding odd bits or even bits; and performing a security calculation with the second party based on the 2 first reference values, thereby obtaining a first arithmetic slice of an inverse of the power of 2, wherein in the performed security calculation, the second party provides 2 second reference values corresponding to odd bits and even bits, respectively, based on the second boolean slice.
In a further embodiment, in the case where the single first reference value corresponds to the binary number, modulo $2^n$, formed by the odd or even bits in the first Boolean slice, the single second reference value corresponds to the result of taking the inverse, modulo $2^n$, of the binary number formed by the odd or even bits of the second Boolean slice; in the case where the single first reference value corresponds to the result of taking the inverse, modulo $2^n$, of the binary number formed by the odd or even bits in the first Boolean slice, the single second reference value corresponds to the binary number, modulo $2^n$, formed by the odd or even bits in the second Boolean slice.
In a further embodiment, said performing a security calculation with the second party based on the 2 first reference values, resulting in a first arithmetic slice of the inverse of the power of 2 comprises: locally computing a first product of the square root of 2 and a first reference value corresponding to an odd bit, the first product and a second product locally computed by a second party constituting a sum-shared form of the odd term balance difference, wherein the second product corresponds to the product of the square root of 2 and a second reference value corresponding to an odd bit in a second boolean slice; summing the first products with the first reference values corresponding to the even bits, thereby obtaining a first composite slice of parity composite differences, the parity composite differences being a sum of balance differences between each first reference value and the corresponding second reference value; and executing a safe square protocol by utilizing the first comprehensive fragment and the second party to calculate a square value of the parity comprehensive difference so as to obtain a first fragment of the square value, wherein the first fragment is used as a first arithmetic fragment of the inverse of the power of 2, the parity comprehensive difference is formed by the first comprehensive fragment and a second comprehensive fragment of the second party in a sharing mode, and the second comprehensive fragment is determined by the sum of a second product and a second reference value corresponding to even bits in a second Boolean fragment.
In another further embodiment, said performing a security computation with the second party based on said 2 first reference values, resulting in a first arithmetic slice of the inverse of the power of 2, comprises: computing with the second party, based on a secure squaring protocol, the square of the sum of each of the 2 first reference values and the respectively corresponding second reference value of the second party, obtaining 2 first square fragments respectively corresponding to the 2 square values, wherein a single first square fragment and the single second square fragment obtained by the second party form a sum-shared form of the corresponding square; and performing polynomial summation over the first square fragments to obtain the first arithmetic fragment of the inverse of the power of 2, wherein the summation coefficient of the single first square fragment term corresponding to the even bits is 1 and the summation coefficient of the single first square fragment term corresponding to the odd bits is 2, and wherein the first arithmetic fragment and a second arithmetic fragment, obtained by the second party performing polynomial summation over the second square fragments, form the arithmetic shared form of the inverse of the power of 2.
In another further embodiment, said performing a security computation with the second party based on said 2 first reference values, resulting in a first arithmetic slice of the inverse of the power of 2, comprises: computing with the second party, based on a secure multiplication protocol, the 2 products of the 2 first reference values and the respectively corresponding second reference values of the second party, obtaining 2 first product fragments respectively corresponding to the 2 products, wherein a single first product fragment and the single second product fragment obtained by the second party form a sum-shared form of the corresponding product; and performing polynomial summation over the locally computed 2 square values, respectively corresponding to the 2 first reference values, and the 2 first product fragments, to obtain the first arithmetic fragment of the inverse of the power of 2, wherein the summation coefficients of the 2 square values are both 1, the summation coefficient of the single first product fragment term corresponding to the even bits is 2, and the summation coefficient of the single first product fragment term corresponding to the odd bits is 4.
In one embodiment, the first boolean section is obtained by performing an exclusive or operation on respective boolean sections on a plurality of parties other than the second party in sequence.
According to a second aspect, there is provided an apparatus for inverse power-of-2 in multi-party security computation, for two parties to determine an arithmetic sharing form of inverse power-of-2 based on a boolean sharing form of power-of-2, the two parties including a first party and a second party respectively holding a first boolean slice and a second boolean slice of power-of-2 in fixed-point number form represented by n bits, the apparatus being provided at the first party and comprising:
the inversion unit is configured to determine, for a held first boolean slice, a first reference slice corresponding to the first boolean slice based on a reverse order arrangement of values of respective bits, the first reference slice and a second reference slice held by a second party form a boolean sharing form of the inverse of the power of 2, the second reference slice is determined based on the reverse order arrangement of values of respective bits of the second boolean slice;
and the conversion unit is configured to execute a secure B2A protocol with a second party by utilizing the first reference fragment to convert the inverse of the power of 2 from a Boolean sharing form to an arithmetic sharing form, so as to obtain a first arithmetic fragment of the inverse of the power of 2.
According to a third aspect, there is provided a computer readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of the first aspect.
According to a fourth aspect, there is provided a computing device comprising a memory and a processor, wherein the memory has stored therein executable code, and wherein the processor, when executing the executable code, implements the method of the first aspect.
By the method and the device provided by the embodiment of the specification, in the problem of arithmetic inversion aiming at the power of 2 involved in a two-party safety calculation scene, a new inversion scheme aiming at the power of 2 is provided in consideration of the complexity of inversion operation and the particularity of the power of 2 in a Boolean sharing form, so that the inversion complexity can be reduced, and the data processing efficiency of multi-party safety calculation can be improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the description below are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 illustrates a flow diagram of a method for inverse power of 2 in multi-party security computations performed by a single participant, according to one embodiment;
FIG. 2 shows a data communication diagram for performing two-party secure multiplication;
FIG. 3 illustrates a data communication diagram implementing a two-party secure squaring protocol;
FIG. 4 shows a schematic block diagram of an apparatus for power-of-2 inversion in multi-party security computation provided to a single participant, according to one embodiment.
Detailed Description
The technical solution provided in the present specification is described below with reference to the accompanying drawings.
Secret sharing, also called secret splitting, is based on the principle of splitting a secret (such as a key, private data, etc.) into multiple shares which are handed to different data parties for storage. The secret can only be recovered if more than a threshold number of parties merge their shares; shares taken from fewer than the threshold number of parties reveal no information about the secret. In multi-party secure computation, the threshold number is usually the same as the number of participants, and the shares into which the secret is split may also be referred to as shards (fragments, slices).
Secret sharing is an important tool in multi-party secure computation. Forms of secret sharing commonly used in multi-party secure computation include, for example, arithmetic sharing, Boolean sharing and Yao's sharing. The sharing methods are described below taking shared secret data x as an example.
Arithmetic sharing is also referred to as sum sharing. In two-party secure computation, an integer x is divided into two fragments, $x = x_L + x_R$, which are stored distributed across the two parties in a shared form modulo $2^N$ (shifted into the interval $[0, 2^N - 1]$), so that one party does not know $x_R$, the other party does not know $x_L$, and neither party can obtain x in full. The two parties can further be extended to multiple parties, e.g. $x = x_1 + x_2 + \ldots + x_d$. Assuming N = 64, a single slice of x at a single participant may be represented by a 64-bit binary number. One way to split a value x into shared form is, for example: randomly generate d-1 values modulo $2^{64}$ (e.g., randomly generated 64-bit binary numbers) as d-1 fragments, denoted $x_1, x_2, \ldots, x_{d-1}$, and take the following value, reduced modulo $2^{64}$ (shifted into the interval $[0, 2^{64} - 1]$), as the remaining fragment: $x_d = x - x_1 - x_2 - \ldots - x_{d-1}$.
Boolean sharing is a secret sharing form based on the exclusive-or operation on bits. For example, still taking two participants, assume x is one bit of data (value 0 or 1); then $x = x_0 \oplus x_1$ forms a Boolean sharing at the two participants, where $x_0$ and $x_1$ are the two Boolean share fragments of x held by the two participants, both taking the value 0 or 1, and $\oplus$ denotes the XOR operation. A single participant does not know the fragment held by the other participant and therefore cannot infer the data x. For data x' composed of n bits, an n-bit binary number can be randomly generated as the Boolean share fragment of one party (e.g., $x_0'$). The Boolean share fragment of the other party (e.g., $x_1'$) is determined as the XOR of x' and that party's fragment ($x_0' \oplus x'$).
Yao's sharing is a sharing form related to garbled circuits (GC); it is not used in this specification and is not described further here.
Each of the three types of sharing described above has its own advantages and disadvantages. During business processing based on multi-party secure computation, the sharing form of the business data can be converted for convenience of processing.
Boolean-to-arithmetic sharing conversion (B2A) is a common conversion operation. B2A can be implemented by subtraction on a Boolean circuit, but this approach is too costly. To improve performance, the two parties may instead use a method based on the OT (oblivious transfer) protocol. In the i-th OT, for the i-th bit, one party (e.g., party A) acts as the sender and sends two strings $s_{i,0}$, $s_{i,1}$ to the other party (e.g., party B), such that they satisfy:
Figure BDA0003959475860000051
the other party as the receiving party inputs the value of the ith bit in the local Boolean chip
Figure BDA0003959475860000061
As a selection bit
Figure BDA0003959475860000062
Further, the sender side calculates
Figure BDA0003959475860000063
Receiver computing
Figure BDA0003959475860000064
Thus, the boolean share form is converted to the sum share form.
In practice, conversions may also be involved between Yao's sharing and Boolean sharing (e.g. B2Y, Y2B), between Yao's sharing and arithmetic sharing (e.g. A2Y, Y2A), and from arithmetic sharing to Boolean sharing (A2B); these conversions between sharing forms are not exemplified further here.
The following scenario is typically encountered during business processing based on multi-party secure computation: target data x is held by two participants in Boolean shared form as a floating-point or fixed-point number, and its inverse $x^{-1}$ must be computed such that the result forms an arithmetic sharing between the two parties. In this specification this scenario is referred to as arithmetic inversion.
The concept of a fixed-point number is as follows: for decimals, a shared form over $\mathbb{Z}$ modulo $2^r$ is used, together with a fixed point position (describing the position of the decimal point) known to both parties; this is the fixed-point representation. A value a can be expressed as the fixed-point number $d \times 2^{-f}$, where d is an integer and f is the fixed point position, i.e., the number of binary decimal places. As an example, assuming a value a = 0.125 and a fixed point position f = 14, the integer in the corresponding fixed-point number is $d = 0.125 \times 2^{f} = 2048$, and the fixed-point number corresponding to a is $2048 \times 2^{-14}$. In shared form, the fragments obtained by splitting the integer part 2048 (e.g., $a_0 = 987$ and $a_1 = 1061$) represent the data a. When a is a power of 2, d is usually a power of 2, and the inverse of a can also be expressed as a fixed-point number whose integer part is a power of 2. The decimal point position of a fixed-point number is usually fixed; a floating-point number differs in that its decimal point position is variable. For a given current decimal place number, a floating-point number represents the data in the same way as a fixed-point number.
In the arithmetic inversion process of the conventional technology, the two parties first securely compute the inverse of x through a division circuit and the GMW protocol (Goldreich-Micali-Wigderson protocol), obtaining a Boolean shared form, and then execute the B2A protocol to convert the inverse of x from the Boolean shared form to the arithmetic shared form. The GMW protocol is a semi-honest safe calculation protocol supporting multiple parties based on a garbled circuit, and an objective function of the GMW protocol consists of exclusive-OR gates, AND gates and NOT gates. The GMW protocol consumes a relatively large amount of data traffic during the secure computation.
In the case where the target data x is a power of 2, performing arithmetic inversion by the above conventional technique still consumes a large amount of computation and data communication. But the binary representation of a power of 2 (e.g. $2^t$) has certain special characteristics, and this specification provides a new technical idea for performing arithmetic inversion on a power of 2 so as to reduce communication traffic and improve business processing efficiency.
Those skilled in the art will appreciate that the power of 2 in binary form may have the following properties:
(1) A power of 2 and its inverse each have exactly one bit equal to 1 (e.g. the t-th bit, counting the lowest bit as the 0th bit), and the remaining bits are 0; in the case that the power of 2 forms a Boolean sharing between two participating parties, the two Boolean fragments differ in only one bit;
(2) One bit of the integer power of 2 before the decimal point is 1, and the rest bits are 0, while one bit of the inverse of the integer power of 2 after the decimal point is 1, and the other bits are 0;
(3) When the lowest bit before the decimal point is denoted as the 0th bit, a power of 2 and its inverse have the following relationship: $2^t$ has a 1 at the (t+1)-th position (the t-th bit) before the decimal point, and the inverse of $2^t$ has a 1 at the t-th position after the decimal point.
Based on the above properties, the present specification provides a technical idea that the inverse of the power of 2 corresponding to the boolean sharing form can be determined by arranging the boolean fragmentation of the power of 2 in reverse order so as to arrange the bits with the value of 1 behind the decimal point, and then the fragmentation of each participant is converted into an arithmetic fragmentation according to a protocol for converting the boolean sharing form into an arithmetic sharing form (e.g., the foregoing B2A protocol).
Specifically, in binary form, the principle of inverting a power of 2 is as follows. Assume the value $8 = 2^3$ with decimal place number f = 4; its binary form is 1000 0000, with the 1 at the 7th bit, i.e. $8 = 2^7 \times 2^{-4} = 2^3$. The lower four 0s represent the fractional part after the decimal point, and the bit with value 1 is located at the 3rd bit before the decimal point, counting from the low side. Arranging the binary data 1000 0000 in reverse order, so that the highest bit becomes the lowest bit, gives 0000 0001. If the decimal point position is kept unchanged, this is $2^0 \times 2^{-4} = 2^{-4} = 8^{-1} \times 2^{-1}$. To obtain $8^{-1}$, the decimal place number can be modified to f = 3 (floating point), so that 0000 0001 corresponds to $2^0 \times 2^{-3} = 8^{-1}$; alternatively, a 0 is appended at the lowest bit and the highest bit is truncated, yielding 0000 0010 with decimal place number f = 4 (fixed point), and $2^1 \times 2^{-4} = 8^{-1}$.
In the boolean sharing mode, when the first party and the second party perform the same processing on the local boolean slice, one boolean slice of the inverse of the power of 2, such as a reference slice, can be obtained. The first party and the second party can obtain an arithmetic sharing form of inverse power of 2 by executing the secure B2A protocol on the two reference fragments.
In this way, the traffic volume in the arithmetic inversion of power 2 coincides with the traffic volume of the B2A protocol. In a possible design, when B2A conversion is performed for the power of 2, a B2A method different from that in the conventional technique may be adopted according to the particularity of the power of 2, thereby further reducing traffic and improving service processing efficiency.
The technical idea of the present specification is described in detail below.
FIG. 1 illustrates a flow of inversion by a single participant to a power of 2 in a multi-party security computation, according to one embodiment.
Assume that the participants of the current secure computation are a first party and a second party, and that the target data for arithmetic inversion is $x = 2^t$, i.e. arithmetic inversion is performed on x, which is stored as a fixed-point or floating-point number. Specifically, assuming the decimal place number is f, x is expressed as $x = d \times 2^{-f}$, where d is the integer part of the fixed-point or floating-point representation of x, described by n bits; the integer d is held in shared form by the first party and the second party and is used to describe x. Then, in binary form,
Figure BDA0003959475860000071
The first party holds a first Boolean slice $d^L$ of n bits, whose bits from lowest to highest are denoted $d_0^L, d_1^L, \ldots, d_{n-1}^L$; the second party holds a second Boolean slice $d^R$ of n bits, whose bits from lowest to highest are denoted $d_0^R, d_1^R, \ldots, d_{n-1}^R$. For a single bit i of the binary form of d: $d_i = d_i^L + d_i^R \bmod 2$, or $d_i = d_i^L \oplus d_i^R$.
Assuming that the current single participant is the first party, as shown in FIG. 1, in a multi-party secure computation scenario the flow performed by the first party to invert a power of 2 may include: step 101, for the first Boolean slice, determining a first reference slice corresponding to the first Boolean slice based on a reverse-order arrangement of the values of its bits, where the first reference slice and a second reference slice held by the second party form a Boolean shared form of the inverse of the power of 2, and the second reference slice is determined based on the reverse-order arrangement of the values of the bits of the second Boolean slice; and step 102, executing a secure B2A protocol with the second party using the first reference slice to convert the inverse of the power of 2 from a Boolean shared form to an arithmetic shared form, thereby obtaining a first arithmetic slice of the inverse of the power of 2. The inverse of the power of 2 may also be referred to as the reciprocal of the power of 2.
First, in step 101, for a held first boolean slice, a first reference slice corresponding to the first boolean slice is determined based on the reverse order arrangement of the numerical values of the respective bits.
The values in the first boolean section are arranged in reverse order with the aim of shifting the power of 2 from before the decimal point to the corresponding position after the decimal point in the fixed point number representation to determine the inverse of the power of 2. It is understood that the power of 2 has the following correspondence to its inverse: the j-th bit value of 2 before the decimal point is 1 and the rest is 0, which represents 2 j-1 The inverse of the power of 2 has a value of 1 in the j-1 th bit after the decimal point and a value of 0 in the remainder, for example 2 3 When the decimal point position f =4, j =4,2 is raised to the power of 2 3 Expressed as 0000 1000.0000 and the inverse 2 -3 Expressed as 00000 0000.001 0000, or 0000.0010 0000. Wherein the decimal point is added for convenience of description only, and actually, the decimal point is not included in the first boolean piece, but falls within 2 n An integer in the defined abelian group represents a value of the integer at a predetermined decimal place, and the predetermined decimal place f represents a binary number after the decimal place of f lower bits of the integer. For example, the value of n bits is: 0000 1000 0000, which represents the arithmetic value of the integer 0000 1000 0000 and 2 -4 Product of, i.e. 2 7 ×2 -4 =8。
As can be seen from the above example, the fixed point number of n bits, in the case where the initial decimal place number is f, the inverse of which may generate a position shift of the decimal place on the basis of the numerical reverse order arrangement, such as the decimal place number becoming n-f-1, etc. In the process of arranging the numerical values in the reverse order, only n-bit integers can be processed, and then a new decimal point position can be described based on the position relation of the inverse of the power of 2 and the power of 2 before and after the decimal point and the adjustment of the decimal point position.
It is understood that the reverse-order arrangement is conceptually applied to the power of 2 itself; in the shared form, however, the same reverse-order arrangement is applied to the first boolean slice and to the second boolean slice. The reversed slice obtained from the first boolean slice may be denoted the first reference slice, e.g. $u^L$, whose bits are denoted in sequence $u_0^L, u_1^L, \dots, u_{n-1}^L$. For example, 0010 1101 0011 becomes 1100 1011 0100 after the reverse-order arrangement. The reverse-order arrangement may be carried out in various reasonable ways.
According to one embodiment, the reverse-order arrangement maps the sequence from the highest bit to the lowest bit onto the sequence from the lowest bit to the highest bit: the (n-1)-th bit becomes the 0th (lowest) bit, the (n-2)-th bit becomes the 1st bit, and so on. That is, $u_0^L = d_{n-1}^L$, $u_1^L = d_{n-2}^L$, …, $u_{n-1}^L = d_0^L$. In this case, with n = 12 and an initial decimal place number f = 4, the decimal place number may be set to n-f-1 = 7 in order to preserve the correspondence between the power of 2 and its inverse after the reverse-order arrangement; that is, 0010 1101.0011 becomes 1100.011 0100 after the reverse-order arrangement.
According to another embodiment, the bits of the first boolean slice may be mirror-flipped about the decimal point position given by the decimal place number f to obtain the reverse-order result. For example, when f = 4, 0010 1101 0011 becomes 1100 1011 0100 after the flip. In effect the data before and after the decimal point are mirrored; written with the decimal point, 0010 1101.0011 mirror-flipped about the decimal point becomes 1100.1011 0100. To preserve the correspondence between the power of 2 and its inverse relative to the decimal point, the decimal place number can then be adjusted to n-f-1, or a 0 can be appended at the low end and the high end truncated, giving a new decimal place number of n-f.
According to another embodiment, the bits of the first boolean slice are mirror-flipped about the f-th bit (i.e. the bit just before the decimal point position indicated by the decimal place number f) to obtain the reverse-order result. In this manner the relative position of the decimal point and the f-th bit is unchanged (equivalently, the f-th bit together with the decimal point forms the axis); for example, 0010 1101 0011 flipped about the f-th bit (bold bit) gives 1100 1011 0100. After the mirror flip, the original f-th bit becomes the (n-f-1)-th bit and the decimal point must follow the (n-f-1)-th bit, so the decimal place number can be adjusted to n-f-1.
In more embodiments, the values may be arranged in reverse order in other reasonable ways, which are not described here. The first reference slice after the reverse-order arrangement corresponds to the current decimal point position. When the first party and the second party calculate in fixed-point form, the current decimal place number can be converted to f by a decimal place conversion, so that a consistent decimal place number is kept in subsequent calculation. Following the definition of fixed-point numbers, the decimal place conversion scales the integer part by the corresponding factor: each time the decimal point is moved 1 bit toward the lower bits, the integer part is reduced by a factor of 2. If the current decimal place number is n-f-1 = 7 and f = 4, the representation under the current decimal place number is $k = d' \times 2^{-7}$ with integer part $d'$, and the fixed-point number converted to decimal place number 4 is expressed as $k = d'' \times 2^{-4} = (d' \times 2^{-3}) \times 2^{-4}$. That is, the decimal point is moved 3 bits to the right and the integer part is reduced to $1/2^3$ of $d'$. In floating-point calculation mode, both parties can also record the current decimal place number, which is used to determine the actual value of the data, i.e. the arithmetic value of the inverse of the power of 2 in various number bases (such as decimal), for example 0.125. Alternatively, the conversion of the sharing form may be performed on the integer part only.
It will be appreciated that where the second party determines the second reference slice based on the second boolean slice in the same manner, the first reference slice and the second reference slice constitute a boolean sharing form of the inverse of the power of 2 at the first and second parties. The second reference slice is denoted $u^R$, and its bits are in turn $u_0^R, u_1^R, \dots, u_{n-1}^R$.
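The local reversal of step 101 and the decimal place adjustment can be checked with a short Python sketch; this is an added example, not code from the patent. The function names are assumptions, n = 12 and f = 4 follow the examples above, and both parties are simulated in one process on constructed XOR slices.

```python
import secrets

N = 12  # bit width n used in the examples above
F = 4   # initial decimal place number f used in the examples above


def share_bool(value, n=N):
    """Split an n-bit value into two XOR (boolean) slices (constructed sample data)."""
    left = secrets.randbits(n)
    return left, left ^ value


def reverse_bits(x, n=N):
    """Highest-to-lowest reversal: bit i of x becomes bit n-1-i of the result."""
    out = 0
    for i in range(n):
        out |= ((x >> i) & 1) << (n - 1 - i)
    return out


def invert_power_of_two_shares(d_left, d_right, n=N, f=F):
    """Each party reverses its own slice locally; no message is exchanged.

    Reversal is a bit permutation, so it commutes with XOR: the two results
    are boolean slices of reverse(2^t) = 2^(n-1-t), read with n-f-1
    decimal places.
    """
    return reverse_bits(d_left, n), reverse_bits(d_right, n), n - f - 1


def rescale(slice_, from_frac, to_frac, n=N):
    """Decimal place conversion by shifting; shifts are XOR-linear, so this
    is also a purely local operation on each slice."""
    shift = from_frac - to_frac
    if shift >= 0:
        return slice_ >> shift
    return (slice_ << -shift) & ((1 << n) - 1)


def fixed_to_float(x, frac_bits):
    """Arithmetic value of integer x under the given decimal place number."""
    return x / (1 << frac_bits)


if __name__ == "__main__":
    d = 0b000010000000                      # 2^7 with f = 4, i.e. the value 8
    d_left, d_right = share_bool(d)
    u_left, u_right, frac = invert_power_of_two_shares(d_left, d_right)
    u = u_left ^ u_right                    # reconstruction, for checking only
    print(format(u, "012b"), frac, fixed_to_float(u, frac))
```
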
Further, in step 102, the secure B2A protocol is executed with the second party using the first reference slice to determine the arithmetic sharing form of the inverse of the power of 2, yielding a first arithmetic slice of the inverse of the power of 2.
The B2A protocol is an operation protocol for converting from the boolean sharing form to the arithmetic sharing form. Based on a B2A protocol, the first party and the second party can securely operate on the first reference slice and the second reference slice and perform secure data communication, so that, without either party leaking its local private data, the first party obtains a first arithmetic slice and the second party obtains a second arithmetic slice, which together form an arithmetic sharing form of the inverse of the power of 2.
According to one possible design, the B2A protocol of the conventional technology described above may be adopted, that is, the OT protocol is used on each bit of the first reference slice and the second reference slice to obtain the arithmetic sharing form. For a single bit i, one of the first party and the second party acts as the sender and the other as the receiver. The sender sends two character strings $s_{i0}$ and $s_{i1}$, which correspond to the value of that single bit being 0 and 1 respectively; the receiver, based on its local corresponding bit, selects one of the two strings $s_{i0}$ and $s_{i1}$ as the selection bit. Then, based on the execution result of the OT protocol, the first party and the second party respectively determine a first arithmetic slice and a second arithmetic slice corresponding to the first reference slice and the second reference slice, forming an arithmetic sharing form of the inverse of the power of 2.
Specifically, the sender uses the arithmetic form corresponding to the local reference fragment as the arithmetic fragment corresponding to the corresponding reference fragment, and the receiver determines the arithmetic form of the fragment obtained by multiplying each bit of the local reference fragment by the corresponding selection bit as the arithmetic fragment corresponding to the corresponding reference fragment.
In this way, since the boolean slice has n bits, the OT protocol is executed n times, with n(n+1)/2 bits of offline traffic and 2n bits of online traffic.
According to another possible design, since the inverse of the power of 2 is still a power of 2 in the integer part of the fixed-point or floating-point number, the arithmetic sharing form of the inverse of the power of 2 can be determined using a B2A protocol with less traffic that takes the special properties of powers of 2 into account.
First, the principle of the sharing form conversion based on the special properties of powers of 2 is described. A data item $u = 2^t$ forms a boolean sharing form at the first party and the second party, with the two boolean slices denoted $u^L$ and $u^R$; each of $u^L$, $u^R$ is a string of n bits, every bit taking the value 0 or 1. Since u has a 1 in exactly one bit and 0 in the rest, $u^L$ and $u^R$ differ in only 1 of their n bits. If u = 0010 (so t = 1), then $u^L$ and $u^R$ differ only in the 2nd bit counting from the lowest bit.
Thus, for the first reference slice $u^L$, whose n bits are given by the set $(u_0^L, u_1^L, \dots, u_t^L, \dots, u_{n-1}^L)$, and $u^R$, whose n bits are given by $(u_0^R, u_1^R, \dots, u_t^R, \dots, u_{n-1}^R)$, the t-th bit, $x_t^L$ and $x_t^R$, is the bit in which the two boolean slices differ, and the other bits are the same; however, neither participant knows which bit of the other party differs from its local boolean slice. Further, treating the two boolean slices as binary representations, a single boolean slice corresponds to a value in any of octal, decimal, hexadecimal, and so on. For example, 1011 corresponds to the decimal value $11 = 1 \times 2^0 + 1 \times 2^1 + 0 \times 2^2 + 1 \times 2^3$. The values corresponding to the two boolean slices are:
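$y_L = u_0^L \times 2^0 + u_1^L \times 2^1 + \dots + u_t^L \times 2^t + \dots + u_{n-1}^L \times 2^{n-1}$
$y_R = u_0^R \times 2^0 + u_1^R \times 2^1 + \dots + u_t^R \times 2^t + \dots + u_{n-1}^R \times 2^{n-1}$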
Then $y_L - y_R = u_t^L \times 2^t - u_t^R \times 2^t = (u_t^L - u_t^R) \times 2^t = \pm 2^t$. If the two parties each adjust the sign of $y_L$, $y_R$ (e.g. to $y_L$ and $-y_R$, or to $-y_L$ and $y_R$) so that the leading sign is positive (i.e. so as to determine the absolute value $|y_L - y_R|$) and take the adjusted values modulo $2^n$, the results are sum-sharing slices of u at the two participants.
However, neither participant knows which of them needs to adjust the sign of its local value. If the relative size of $y_L$ and $y_R$ were determined by a secure comparison, possible values of t could be revealed. For example, if the comparison result is that $y_L$ is less than $y_R$, then t is one of the bits whose value is 0 in the first party's boolean slice, or one of the bits whose value is 1 in the second party's boolean slice. One party could thus infer the other party's private data from a limited number (less than n) of hypotheses. Therefore, to protect data privacy, this specification, based on the foregoing principle $y_L - y_R = \pm 2^t$, splits the bits of the boolean slices and introduces the calculation of even powers (such as squares), which both protects data privacy and solves the problem that the conversion cannot be carried out because of the sign problem.
Taking the square calculation as an example, the first party and the second party may each split their local first reference slice and second reference slice into odd bits and even bits. The binary number formed by the even bits of the first party may, for example, correspond to the reference value $y_{L1} = u_0^L \times 2^{0/2} + u_2^L \times 2^{2/2} + \dots + u_{n-2}^L \times 2^{(n-2)/2}$; the binary number formed by its odd bits corresponds, for example, to the reference value $y_{L2} = u_1^L \times 2^{0/2} + u_3^L \times 2^{2/2} + \dots + u_{n-1}^L \times 2^{(n-2)/2}$. Similarly, the binary number formed by the even bits of the second party may correspond to the reference value $y_{R1} = u_0^R \times 2^{0/2} + u_2^R \times 2^{2/2} + \dots + u_{n-2}^R \times 2^{(n-2)/2}$, and the binary number formed by its odd bits to the reference value $y_{R2} = u_1^R \times 2^{0/2} + u_3^R \times 2^{2/2} + \dots + u_{n-1}^R \times 2^{(n-2)/2}$.
According to the rule for representing binary values, for the even bits, squaring each addend of the corresponding reference value gives the value that the bit represents in the boolean slice of the target data; for the odd bits, squaring each addend and then multiplying by 2 gives the value that the bit represents in the boolean slice of the target data.
Thus $2^t = |y_L - y_R| = (y_{L1} - y_{R1})^2 + 2(y_{L2} - y_{R2})^2$. The first party and the second party can therefore use $y_{L1}$, $-y_{R1}$, $y_{L2}$, $-y_{R2}$ to securely compute $(y_{L1} - y_{R1})^2 + 2(y_{L2} - y_{R2})^2$ and obtain, respectively, a first arithmetic slice and a second arithmetic slice of the inverse of the power of 2.
Since only one of the terms $y_{L1} - y_{R1}$ and $y_{L2} - y_{R2}$ is non-zero, it further holds that:
Figure BDA0003959475860000111
Figure BDA0003959475860000112
wherein (y) L1 -y R1 ) May be referred to as an even parameter difference, (y) L2 -y R2 ) Which may be referred to as an odd-numbered parameter difference,
Figure BDA0003959475860000113
which may be referred to as the balance factor,
Figure BDA0003959475860000114
which may be referred to as the balance difference of the odd bits,
Figure BDA0003959475860000115
may be referred to as parity entry complex differences. Both of these calculations convert the difference of the data at the first and second parties into a squared form, thereby solving the sign problem referred to earlier.
In some alternative implementations, according to $|y_L - y_R| = (y_{L1} - y_{R1})^2 + 2(y_{L2} - y_{R2})^2$, the calculation can be completed with two runs of a secure squaring protocol, or converted to secure multiplication.
Specifically, in one embodiment, $y_{L1}$ and $-y_{R1}$ may be regarded as the two arithmetic sharing slices, at the first party and the second party, of an arithmetic sharing form of $y_{L1} - y_{R1}$ modulo $2^n$, and $y_{L2}$ and $-y_{R2}$ as the two arithmetic sharing slices of an arithmetic sharing form of $y_{L2} - y_{R2}$ modulo $2^n$. The secure squaring protocol is executed twice, giving the first party and the second party the respective arithmetic sharing forms of the squared value $(y_{L1} - y_{R1})^2$ and the squared value $(y_{L2} - y_{R2})^2$. Thereafter, the first party computes the polynomial sum of the first square slices of the two squared values, with coefficients 1 and 2 for the even and odd bits respectively, i.e. $[(y_{L1} - y_{R1})^2]_L + 2[(y_{L2} - y_{R2})^2]_L$, and the second party computes the polynomial sum of the second square slices of the two squared values, i.e. $[(y_{L1} - y_{R1})^2]_R + 2[(y_{L2} - y_{R2})^2]_R$, which yields an arithmetic sharing form of the inverse of the power of 2. The traffic in this case is that of two runs of the secure squaring protocol.
In another embodiment, the identity $(y_{L1} - y_{R1})^2 + 2(y_{L2} - y_{R2})^2 = y_{L1}^2 + y_{R1}^2 - 2y_{L1} \times y_{R1} + 2y_{L2}^2 + 2y_{R2}^2 - 4y_{L2} \times y_{R2}$ may also be used. The first party locally calculates the two square values $y_{L1}^2$, $2y_{L2}^2$ corresponding to the even bits and the odd bits respectively, the second party locally calculates $y_{R1}^2$, $2y_{R2}^2$ corresponding to the even bits and the odd bits respectively, and the first and second parties perform the secure multiplications $y_{L1} \times (-y_{R1})$ and $y_{L2} \times (-y_{R2})$, each obtaining 2 product slices. Then the first party forms the polynomial sum of the 2 square values corresponding to its 2 locally calculated first reference values and the 2 first product slices, e.g. $y_{L1}^2 + 2y_{L2}^2 + 2[-y_{L1} \times y_{R1}]_L + 4[-y_{L2} \times y_{R2}]_L$; similarly, the second party forms the polynomial sum of the 2 square values corresponding to its 2 locally calculated second reference values and the 2 second product slices, i.e. $y_{R1}^2 + 2y_{R2}^2 + [-2y_{L1} \times y_{R1}]_R + [-4y_{L2} \times y_{R2}]_R$. The traffic in this case is that of 2 secure multiplications.
In another embodiment, according to
Figure BDA0003959475860000121
A slice of an odd balance difference may be computed locally by a first party
Figure BDA0003959475860000122
Second party locally computes another slice of odd balance difference
Figure BDA0003959475860000123
Then, by the secure squaring protocol applied to $(w_0 + w_1)^2$, the first party and the second party each obtain one of the two arithmetic sharing slices of the secure squaring protocol result; that is, the inverse of the power of 2 is converted from boolean sharing into two sum-sharing slices of an arithmetic sharing form. The traffic in this case is that of 1 run of the secure squaring protocol.
Wherein, due to
Figure BDA0003959475860000124
is an infinite decimal, it can be calculated by taking an approximation, e.g. taking
Figure BDA0003959475860000125
Therefore, the converted result can be regarded as an approximate calculation of the power of 2, and the technical solution of this implementation can be used in business processing where a power-of-2 result that is not fully accurate does not affect the business processing result. Optionally, in the course of calculating
Figure BDA0003959475860000126
or
Figure BDA0003959475860000127
the approximate value of
Figure BDA0003959475860000128
(e.g., 1.414) may be multiplied by $y_{L2}$ or $-y_{R2}$, and the product then converted to an integer in a conventional manner (e.g., rounding) to serve as the integer part of the inverse of the power of 2 in the fixed-point or floating-point representation. In this case the decimal place number of the multiplication result remains the same as that of $y_{L2}$, $-y_{R2}$. Alternatively,
Figure BDA0003959475860000129
may be expressed as a fixed-point number, and the integer part of that fixed-point number multiplied by the integer part of $y_{L2}$, $-y_{R2}$ and taken modulo $2^n$. In this case the decimal place number of the multiplication result is the sum of the decimal place number of
Figure BDA00039594758600001210
and the decimal place number of $y_{L2}$, $-y_{R2}$.
Fig. 2 shows a communication diagram of secure multiplication of a specific example.
As shown in fig. 2, in the process of securely multiplying data a held by the first party and data b held by the second party, random numbers s, p may be generated by a trusted third party (such as the pseudo-random number generation server in fig. 2), together with two slices $z_1$, $z_2$ that hold z, where sp = z, in arithmetic sharing form. The third party may generate the respective auxiliary parameters following the constraint $sp = z_0 + z_1$. The first party may obtain s, $z_1$ from the trusted third party or generate them locally; the second party may obtain $z_1$, $z_2$ from the trusted third party, and obtain the other from the third party or generate it locally. For example, if s, $z_1$ are generated by the first party in a pseudo-random manner agreed with the trusted third party, p is generated by the second party in a pseudo-random manner agreed with the trusted third party, and $z_2$ is obtained from the trusted third party, then the offline traffic can be that of just one data slice (e.g., $z_1$).
The values s and p can be regarded as perturbation terms for a and b, and the perturbed results of a and b after the noise is added are denoted e and f. The first party calculates the perturbed result e = a-s and sends it to the second party, and the second party calculates the perturbed result f = b-p and sends it to the first party. The online traffic generated at this point is the number of bits of 2 data slices (e.g., 2n). Further, the first party may compute one sum-sharing slice of a × b, $c_0 = sf + z_0$, and the second party may compute the other sum-sharing slice of a × b, $c_1 = eb + z_1$. Substituting the expressions for e and f gives: $c_0 + c_1 = sf + z_0 + eb + z_1 = sb - sp + z_0 + ab - sb + z_1 = ab$. That is, $c_0$, $c_1$ form a sum-sharing form of the product of a and b.
Fig. 3 shows a communication diagram of a secure squaring protocol of a specific example. The calculation principle of the secure squaring protocol shown in fig. 3 is as follows: for a data item x, when a perturbation a is introduced, $x^2 = (x-a)^2 + 2(x-a)a + a^2$. Suppose the data x is sum-shared between the first party and the second party, the first party holding a first slice $x_0$ and the second party a second slice $x_1$. Let x-a be the perturbation value dx and let the constant term $a^2 = b$ be the balance term that removes the perturbation. A trusted third party (shown in fig. 3 as a random number generation server) may generate the slices $a_0$, $a_1$, $b_0$, $b_1$ of a and b, providing $a_0$, $b_0$ to the first party and $a_1$, $b_1$ to the second party. Here $a_0$, $a_1$, $b_0$, $b_1$ may follow the constraint $(a_0+a_1)^2 = (b_0+b_1)$: three of the terms are generated randomly and the fourth is calculated from the other three. For example, the first party generates random numbers $a_0$, $b_0$, the second party generates a random number $a_1$, and the trusted third party generates the random numbers $a_0$, $b_0$, $a_1$, calculates $b_1$, and provides it to the second party. Thus the offline traffic may be that of only one data slice (e.g., $b_1$).
Thereafter, the first party may calculate one slice of the perturbation value dx, $dx_0 = x_0 - a_0$, and provide it to the second party; similarly, the second party may calculate the other slice of the perturbation value dx, $dx_1 = x_1 - a_1$, and provide it to the first party. The first party and the second party can then each calculate the perturbation value $dx = dx_0 + dx_1$. The online traffic generated at this point is the number of bits of 2 data slices (e.g., 2n). In practice, one party may also calculate one slice of the perturbation value dx and provide it to the other party, which locally calculates the other slice of dx and returns the perturbation value dx. In this way the generated traffic is the number of bits of one data slice plus the traffic of one data item dx, which is the same as the number of bits of 2 data slices.
Further, the first party and the second party each locally compute their slice of $x^2$. As shown in fig. 3, in one specific example, the first party may compute the slice $s_0 = (x^2)_0 = (x-a)^2 + 2(x-a)a_0 + (a^2)_0 = dx \times dx + 2dx \times a_0 + b_0$, and the second party may compute the other slice $s_1 = (x^2)_1 = 2(x-a)a_1 + (a^2)_1 = 2dx \times a_1 + b_1$. In practice, the first party and the second party may also calculate their slices from local data in other ways, such as the second party calculating $s_1 = dx \times dx + 2dx \times a_1 + b_1$ and the first party calculating $s_0 = 2dx \times a_0 + b_0$, without limitation.
As can be seen from fig. 2 and fig. 3, a single secure multiplication and a single secure square calculation each generate n bits of offline traffic and 2n bits of online traffic. Compared with the conversion of the conventional technology, a B2A sharing form conversion that is reduced to secure multiplication or secure square calculation greatly reduces the traffic and can improve business processing efficiency.
It should be noted that the process executed by the second party and the process executed by the first party cooperate with each other, and the operations performed by the second party in the foregoing principle description and the description of the process shown in fig. 2 are also applicable to the process shown in fig. 3, and are not described again here. It is understood that "first party" and "second party" are only used to distinguish the two parties of the secure computation, and that "first" and "second" in names such as the first reference value, the second reference value, the first boolean slice, the second boolean slice, the first product, the second product, and so on, are qualifiers tied to the corresponding party, i.e. "first" and "second" describe the correspondence with the respective party. In practice, the operations performed by the first party and the second party may be interchanged while the correspondence described above remains the same, that is, "first" and "second" in the names are interchanged accordingly, which is not limited in this specification.
In more possible designs, the first party can also execute other secure B2A protocols with the second party to convert the inverse of the power of 2 from the boolean sharing form, formed by the first reference slice and the second reference slice at the two parties, into an arithmetic sharing form. For example, the n bits of the boolean slice are split into m groups (m being an even number) of binary numbers, a secure square calculation is constructed for the corresponding m reference values, and so on, which is not described here.
It is to be understood that, in the above process, only the conversion process of the sharing format of the integer part in the form of the fixed point number or the floating point number is described, and in practice, the above described embodiment may also be applied to other related calculation processes in the case of representing data by binary integers and decimal point positions/decimal digits, and will not be described herein again. The slice in the form of arithmetic sharing of the inverse of the power of 2 may be stored in the form of fixed point number or floating point number, or may be stored in the form of conversion into an arithmetic form (such as a decimal numeric value), which is not limited herein.
In addition, in a possible design, in a multi-party secure computation with more than 2 participants, the boolean slices of one or more participants may, to facilitate arithmetic inversion, be XORed in sequence and attributed to one participant, so that the power of 2 finally forms a boolean sharing form distributed among 2 participants. In this way, the arithmetic inversion of the target data can be performed by 2 participants without revealing the target data. The arithmetic sharing slices obtained at these 2 participants after conversion can be randomly split and distributed to the other participants, so that the inverse of the power of 2 forms a sum-sharing form among multiple participants.
In view of the above, this specification provides a technical idea for arithmetically inverting a power of 2 held by two data parties in boolean sharing form: using the characteristics of powers of 2 and of boolean sharing, and the correspondence between a power of 2 and its inverse relative to the decimal point, the boolean sharing form of the inverse of the power of 2 is determined by arranging the bit values in the boolean slices in reverse order while taking the change in decimal place number into account. Both parties then execute the secure B2A protocol to obtain an arithmetic sharing form of the inverse of the power of 2. This avoids the complex calculation of inverting data with a circuit in GMW, greatly reduces data traffic, provides a more efficient way of arithmetic inversion for powers of 2, and improves the business processing efficiency of secure computation.
According to an embodiment of another aspect, an apparatus for power-of-2 inversion in multi-party security computation, provided at a computing party, is also provided. Fig. 4 illustrates an apparatus 400 for power-of-2 inversion in multi-party security computation according to one embodiment. The apparatus 400 may be provided at any of a plurality of parties to a multi-party secure computation.
In the two-party secure computation, the target data forms a boolean sharing form with a first boolean slice and a second boolean slice of n bits respectively corresponding to the first party and the second party. The apparatus 400 is used for inverting power-of-2 arithmetic.
As shown in fig. 4, an apparatus 400 provided at a first party of a plurality of parties includes:
an inversion unit 401 configured to determine, for a held first boolean slice, a first reference slice corresponding to the first boolean slice based on a reverse-order arrangement of the values of the respective bits, where the first reference slice and a second reference slice, determined by the second party based on the reverse-order arrangement of the values of the respective bits of the second boolean slice, constitute a boolean sharing form of the inverse of the power of 2;
a conversion unit 402 configured to execute the secure B2A protocol with the second party using the first reference slice to convert the inverse of the power of 2 from the boolean share form to the arithmetic share form, thereby obtaining a first arithmetic slice of the inverse of the power of 2.
It should be noted that the apparatus 400 shown in fig. 4 corresponds to the method described in fig. 1, and the corresponding description in the method embodiment of fig. 1 is also applicable to the apparatus 400, and is not repeated herein.
According to an embodiment of another aspect, there is also provided a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method described in connection with fig. 1 and so on.
According to an embodiment of another aspect, there is also provided a computing device, including a memory and a processor, where the memory stores executable code, and the processor executes the executable code to implement the method described in conjunction with fig. 1 and so on.
Those skilled in the art will recognize that, in one or more of the examples described above, the functions described in the embodiments of this specification may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.
The above embodiments describe the objects, technical solutions and advantages of the technical concepts of this specification in further detail. It should be understood that they are only specific embodiments of the technical concepts of this specification and do not limit their scope; any modifications, equivalent substitutions, improvements and the like made on the basis of the technical solutions of the embodiments of this specification should be included in the scope of the technical concepts of this specification.

Claims (13)

1. A method for inverse power-of-2 in multi-party security computing, for two parties to determine an arithmetically shared form of the inverse power-of-2 based on a boolean shared form of power-of-2, the two parties including a first party and a second party holding a first boolean slice of power-of-2 represented by n bits, a second boolean slice, respectively, the method being performed by the first party, comprising:
for a held first Boolean fragment, determining a first reference fragment corresponding to the first Boolean fragment based on the reverse order arrangement of the numerical values of the bits, wherein the first reference fragment and a second reference fragment held by a second party form a Boolean sharing form of the inverse of the power of 2, and the second reference fragment is determined based on the reverse order arrangement of the numerical values of the bits of the second Boolean fragment;
and executing a secure B2A protocol with a second party by utilizing the first reference fragment to convert the inverse of the power of 2 from a Boolean sharing form into an arithmetic sharing form, thereby obtaining a first arithmetic fragment of the inverse of the power of 2.
2. The method of claim 1, wherein the lowest bit of the first boolean slice is the 0 th bit and corresponds to a fractional number f; the reverse order of the numerical values of the respective bits is performed by one of the following methods:
sequentially converting the lowest bit to the highest bit into the highest bit to the lowest bit, the decimal place number after conversion being n-f-1;
taking the decimal point position between the (f-1)-th bit and the f-th bit as an axis and mirror-flipping each bit, the decimal place number after flipping being n-f-1;
taking the f-th bit as an axis and mirror-flipping the other bits, the decimal place number after flipping being n-f.
3. The method of claim 1, wherein said executing a secure B2A protocol with a second party using the first reference slice to convert the inverse of the power of 2 from a boolean-shared form to an arithmetic-shared form to obtain a first arithmetic slice of the inverse of the power of 2 comprises:
for each bit in the first reference fragment, performing an oblivious transfer protocol with the corresponding bit in the second reference fragment obtained by the second party, wherein the oblivious transfer protocol process performed on a single bit i is as follows: one of the first party and the second party acts as a sender and provides two character strings $s_{i0}$ and $s_{i1}$ to the other party, the two strings respectively corresponding to the value of said single bit being 0 and 1; the other party acts as a receiver and, using its local corresponding bit as a selection bit, selects one of the two strings $s_{i0}$ and $s_{i1}$;
and determining, based on the execution result of the oblivious transfer protocol, a first arithmetic fragment corresponding to the first reference fragment as the first arithmetic fragment of the inverse of the power of 2.
4. The method of claim 3, wherein:
under the condition that the first party is the sender, a first arithmetic fragment corresponding to the first reference fragment is in an arithmetic form of the first reference fragment;
when the first party is the receiving party, the first arithmetic slice corresponding to the first reference slice is an arithmetic form of a slice obtained by multiplying each bit of the first reference slice by the corresponding selection bit.
5. The method of claim 1, wherein said executing a secure B2A protocol with a second party using the first reference slice to convert the inverse of the power of 2 from a boolean share form to an arithmetic share form, resulting in a first arithmetic slice of the inverse of the power of 2 comprises:
determining 2 first reference values respectively corresponding to odd bits and even bits, wherein a single first reference value is determined by binary numbers formed by bit values on the corresponding odd bits or even bits;
and performing a security calculation with a second party based on the 2 first reference values, thereby obtaining a first arithmetic slice of an inverse of a power of 2, wherein in the performed security calculation, the second party provides 2 second reference values corresponding to odd bits and even bits, respectively, based on a second boolean slice.
6. The method of claim 5, wherein,
in the case where a single first reference value corresponds to the binary number, modulo $2^n$, formed by the odd bits or even bits in the first Boolean slice, the single second reference value corresponds to the result of taking, modulo $2^n$, the opposite number of the binary number formed by the odd bits or even bits of the second Boolean slice;
in the case where the single first reference value corresponds to the result of taking, modulo $2^n$, the inverse of the binary number formed by the odd bits or even bits in the first Boolean slice, the single second reference value corresponds to the binary number, modulo $2^n$, formed by the odd bits or even bits in the second Boolean slice.
7. The method of claim 6, wherein said performing a security computation with a second party based on the 2 first reference values to obtain a first arithmetic slice of an inverse of a power of 2 comprises:
locally computing a first product of the square root of 2 and a first reference value corresponding to an odd bit, the first product and a second product locally computed by a second party constituting a sum-shared form of the odd-term balance difference, wherein the second product corresponds to a product of the square root of 2 and a second reference value corresponding to an odd bit in a second boolean slice;
summing the first products with the first reference values corresponding to the even bits, thereby obtaining a first composite slice of parity composite differences, the parity composite differences being a sum of balance differences between each first reference value and the corresponding second reference value;
and executing a secure square protocol by utilizing the first comprehensive fragment and the second party to calculate a square value of the parity comprehensive difference so as to obtain a first fragment of the square value, wherein the first fragment is used as a first arithmetic fragment of the inverse of the power of 2, the parity comprehensive difference is formed and shared by the first comprehensive fragment and a second comprehensive fragment of the second party, and the second comprehensive fragment is determined by the sum of a second product and a second reference value corresponding to even bits in a second Boolean fragment.
8. The method of claim 6, wherein said performing a security calculation with a second party based on the 2 first reference values to obtain a first arithmetic slice of an inverse of a power of 2 comprises:
computing with the second party, based on a secure square protocol, the squares of the sums of the 2 first reference values and the respectively corresponding second reference values of the second party, to obtain 2 first square fragments respectively corresponding to the 2 square values, wherein a single first square fragment and the corresponding single second square fragment obtained by the second party form a sum sharing form of the corresponding square value;
and performing polynomial summation on the first square fragments to obtain a first arithmetic fragment of the inverse of the power of 2, wherein the summation coefficient of the single first square fragment corresponding to the even bits is 1 and the summation coefficient of the single first square fragment corresponding to the odd bits is 2, and wherein the first arithmetic fragment, together with a second arithmetic fragment obtained by the second party performing polynomial summation on the second square fragments, forms the arithmetic sharing form of the inverse of the power of 2.
9. The method of claim 6, wherein said performing a security calculation with a second party based on the 2 first reference values to obtain a first arithmetic slice of an inverse of a power of 2 comprises:
computing with the second party, based on a secure multiplication protocol, 2 products of the 2 first reference values and the respectively corresponding second reference values of the second party, to obtain 2 first product fragments respectively corresponding to the 2 products, wherein a single first product fragment and the corresponding single second product fragment obtained by the second party form a sum sharing form of the corresponding product;
and performing polynomial summation of the 2 locally calculated square values, respectively corresponding to the 2 first reference values, together with the 2 first product fragments, so as to obtain a first arithmetic fragment of the inverse of the power of 2, wherein the summation coefficients of the 2 square values are both 1, the summation coefficient of the single first product fragment corresponding to the even bits is 2, and the summation coefficient of the single first product fragment corresponding to the odd bits is 4.
10. The method of claim 1, wherein the first Boolean slice is obtained by sequentially performing exclusive-OR operations on the respective Boolean slices held by a plurality of participants other than the second party.
11. An apparatus for power-of-2 inversion in multi-party security computation, used by two parties to determine an arithmetic sharing form of the inverse of a power of 2 based on a Boolean sharing form of the power of 2, wherein the two parties include a first party and a second party that respectively hold a first Boolean slice and a second Boolean slice of the power of 2 represented by n bits in fixed-point form, the apparatus being provided at the first party and comprising:
the inversion unit is configured to determine, for a held first boolean slice, a first reference slice corresponding to the first boolean slice based on a reverse order arrangement of values of respective bits, the first reference slice and a second reference slice held by a second party form a boolean sharing form of the inverse of the power of 2, the second reference slice is determined based on the reverse order arrangement of values of respective bits of the second boolean slice;
and the conversion unit is configured to execute a secure B2A protocol with a second party by utilizing the first reference fragment to convert the inverse of the power of 2 from a Boolean sharing form to an arithmetic sharing form, so as to obtain a first arithmetic fragment of the inverse of the power of 2.
12. A computer-readable storage medium, on which a computer program is stored which, when executed in a computer, causes the computer to carry out the method of any one of claims 1-10.
13. A computing device comprising a memory and a processor, wherein the memory has stored therein executable code that, when executed by the processor, performs the method of any of claims 1-10.
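Claims 1 to 3 in runnable form, as an added example that is not code from the patent: each party reverses its own Boolean share locally, and a generic textbook bitwise OT-based B2A (not necessarily the patent's own, and simulated in-process by the hypothetical `ot_select`, so it offers no security) then yields arithmetic shares. The sizes n=16 and f=8 and all function names are assumptions; the reversal is the first variant of claim 2, leaving n-f-1 decimal places.

```python
import secrets

N, F = 16, 8                  # assumed sizes: n-bit fixed point, f decimal places
MOD = 1 << N

def boolean_share(x):
    """Split x into two XOR (Boolean) shares, one per party."""
    r = secrets.randbits(N)
    return r, x ^ r

def reverse_bits(share):
    """Claim 1 local step: bit i of the share moves to position n-1-i."""
    return sum(((share >> i) & 1) << (N - 1 - i) for i in range(N))

def ot_select(s0, s1, choice_bit):
    """Stand-in for 1-out-of-2 oblivious transfer (no security here)."""
    return s1 if choice_bit else s0

def b2a(sender_share, receiver_share):
    """Bitwise OT-based Boolean-to-arithmetic conversion modulo 2^n."""
    a_sender = a_receiver = 0
    for i in range(N):
        u = (sender_share >> i) & 1
        v = (receiver_share >> i) & 1
        r = secrets.randbelow(MOD)            # sender's random mask for bit i
        s_i0 = ((u << i) - r) % MOD           # masked XOR bit if receiver bit is 0
        s_i1 = (((1 - u) << i) - r) % MOD     # masked XOR bit if receiver bit is 1
        a_sender = (a_sender + r) % MOD
        a_receiver = (a_receiver + ot_select(s_i0, s_i1, v)) % MOD
    return a_sender, a_receiver

def invert_power_of_two(k):
    """Boolean shares of 2^(k-f) in, arithmetic shares of 2^(f-k) out."""
    b0, b1 = boolean_share(1 << k)            # power of 2: only bit k is set
    ref0, ref1 = reverse_bits(b0), reverse_bits(b1)   # no communication needed
    assert ref0 ^ ref1 == 1 << (N - 1 - k)    # reversal commutes with XOR
    return b2a(ref0, ref1)

def decode(a0, a1, frac_bits):
    """Reconstruct the secret (for checking only) and read it as fixed point."""
    return ((a0 + a1) % MOD) / (1 << frac_bits)

if __name__ == "__main__":
    for k in (0, 5, 8, 11, 15):
        a0, a1 = invert_power_of_two(k)
        print(f"2^{k - F} -> {decode(a0, a1, N - F - 1)}")
```

The only interactive step is the B2A conversion; the inversion itself costs each party one local bit reversal.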
CN202211474800.8A 2022-11-23 2022-11-23 Method and device for power-of-2 inversion in multi-party security computation Pending CN115766009A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211474800.8A CN115766009A (en) 2022-11-23 2022-11-23 Method and device for power-of-2 inversion in multi-party security computation

Publications (1)

Publication Number Publication Date
CN115766009A true CN115766009A (en) 2023-03-07

Family

ID=85335992

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211474800.8A Pending CN115766009A (en) 2022-11-23 2022-11-23 Method and device for power-of-2 inversion in multi-party security computation

Country Status (1)

Country Link
CN (1) CN115766009A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117725621A (en) * 2024-02-08 2024-03-19 腾讯科技(深圳)有限公司 Data processing method, device, equipment and readable storage medium
CN117725621B (en) * 2024-02-08 2024-05-28 腾讯科技(深圳)有限公司 Data processing method, device, equipment and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination