CN115967491B - Privacy intersection method, system and readable storage medium - Google Patents


Info

Publication number
CN115967491B
Authority
CN
China
Legal status
Active
Application number
CN202310236753.1A
Other languages
Chinese (zh)
Other versions
CN115967491A
Inventor
黄熹之
李艺
Current Assignee
Huakong Tsingjiao Information Technology Beijing Co Ltd
Original Assignee
Huakong Tsingjiao Information Technology Beijing Co Ltd

Abstract

The embodiment of the invention provides a privacy intersection method, a privacy intersection system and a readable storage medium. The method comprises the following steps: the first party performs a first hash operation on the first data set to obtain a first hash table; the second party performs a second hash operation on the second data set to obtain a second hash table; the first party and the second party execute an out-of-order secret sharing protocol; the second party performs an out-of-order operation on the second hash table by using the first out-of-order sequence, and subtracts the data at the corresponding position in the first sharing sequence from each data in the shuffled second hash table to obtain an updated second hash table; the first party and the second party execute an OPRF protocol; the first party compares the first OPRF result with the second OPRF result to obtain a first target set; based on the first target set and together with the second party, the first party obtains a secret sharing result of the intersection data of the first data set and the second data set based on the first sharing sequence. The embodiment of the invention can protect the data privacy of the parties to a privacy intersection.

Description

Privacy intersection method, system and readable storage medium
Technical Field
The present invention relates to the field of multiparty secure computing, and in particular, to a privacy intersection method, system and readable storage medium.
Background
PSI (Private Set Intersection) in a two-party setting refers to computing the intersection of two parties' data sets under privacy protection. PSI is an important scenario in the field of multiparty secure computation in cryptography and plays an important role in the circulation of sensitive private data in fields such as finance, government affairs and industry: participants in a privacy computation can preprocess the private data they own through PSI, so that the two parties can screen out valuable shared data for subsequent computation.
For example, a bank and a hospital want to screen out the financial and medical data of the users they have in common in order to train a machine learning model. The two sides therefore perform a PSI operation on their user identity data, so that the commonly held user identities can be screened out without revealing any other private data of the users, and subsequent privacy computation can then be performed on the financial and medical data corresponding to those common user identities.
However, with current PSI methods, the parties obtain the intersection data in the clear, which exposes the parties' private data.
Disclosure of Invention
The embodiment of the invention provides a privacy intersection method, a privacy intersection system and a readable storage medium, in which the two parties participating in the privacy intersection obtain a secret sharing result of the intersection data, so that the data privacy of the parties can be protected.
In order to solve the above-mentioned problems, an embodiment of the present invention discloses a privacy intersection method for performing privacy intersection on a first data set of a first party and a second data set of a second party, the method comprising:
the first party executes a first hash operation on the first data set to obtain a first hash table; the second party executes a second hash operation on the second data set to obtain a second hash table;
the first party executes an out-of-order secret sharing protocol with the second party based on the first hash table, so that the first party obtains an updated first hash table and the second party obtains a first sharing sequence; the updated first hash table and the first sharing sequence form an out-of-order secret sharing result of the first hash table, where the out-of-order secret sharing result is obtained by scrambling with a first out-of-order sequence, and the first out-of-order sequence is owned by the second party;
the second party performs an out-of-order operation on the second hash table by using the first out-of-order sequence, and subtracts the data at the corresponding position in the first sharing sequence from each data in the shuffled second hash table to obtain an updated second hash table;
the first party and the second party execute an oblivious pseudorandom function (OPRF) protocol, so that the first party obtains a first OPRF result corresponding to each data in the updated first hash table, and the second party obtains a second OPRF result corresponding to each data in the updated second hash table;
the second party sends the second OPRF result to the first party; the first party compares the first OPRF result with the second OPRF result and obtains a first target set according to the comparison result, where the first target set comprises the data, in the updated first hash table, at the positions where the first OPRF result is equal to the second OPRF result;
based on the first target set and together with the second party, the first party obtains a secret sharing result of the intersection data of the first data set and the second data set based on the first sharing sequence.
In another aspect, an embodiment of the present invention discloses a privacy intersection system, configured to perform privacy intersection on a first data set of a first party and a second data set of a second party, where the system includes the first party and the second party, and where:
the first party is configured to perform a first hash operation on the first data set to obtain a first hash table, and to execute an out-of-order secret sharing protocol with the second party based on the first hash table, so that the first party obtains an updated first hash table and the second party obtains a first sharing sequence; the updated first hash table and the first sharing sequence form an out-of-order secret sharing result of the first hash table, where the out-of-order secret sharing result is obtained by scrambling with a first out-of-order sequence, and the first out-of-order sequence is owned by the second party;
the second party is configured to perform a second hash operation on the second data set to obtain a second hash table, to perform an out-of-order operation on the second hash table by using the first out-of-order sequence, and to subtract the data at the corresponding position in the first sharing sequence from each data in the shuffled second hash table to obtain an updated second hash table;
the first party is further configured to execute an oblivious pseudorandom function (OPRF) protocol with the second party, so that the first party obtains a first OPRF result corresponding to each data in the updated first hash table, and the second party obtains a second OPRF result corresponding to each data in the updated second hash table;
the second party is further configured to send the second OPRF result to the first party;
the first party is further configured to compare the first OPRF result with the second OPRF result and to obtain a first target set according to the comparison result, where the first target set comprises the data, in the updated first hash table, at the positions where the first OPRF result is equal to the second OPRF result;
the first party is further configured to obtain, based on the first target set and together with the second party, a secret sharing result of the intersection data of the first data set and the second data set based on the first sharing sequence.
Optionally, the first hash operation includes a cuckoo hash operation, the second hash operation includes a simple hash operation, the first hash operation and the second hash operation use the same hash function, and lengths of the first hash table and the second hash table are equal.
In yet another aspect, an embodiment of the present invention discloses a device for privacy intersection, comprising a memory, and one or more programs, wherein one or more programs are stored in the memory and configured to be executed by one or more processors, the one or more programs comprising instructions for performing the privacy intersection method as described in one or more of the foregoing.
In yet another aspect, embodiments of the present invention disclose a machine-readable storage medium having instructions stored thereon that, when executed by one or more processors of an apparatus, cause the apparatus to perform a privacy intersection method as described in one or more of the preceding.
The embodiment of the invention has the following advantages:
the embodiment of the invention realizes a privacy intersection method whose output intersection result is in secret-shared form by using techniques such as hashing, Shuffle-SS (an out-of-order secret sharing protocol) and an OPRF (Oblivious Pseudorandom Function), so that the two parties participating in the privacy intersection (such as a first party and a second party) obtain a secret sharing result of the intersection data of their data sets. The first party and the second party each obtain one share of the secret sharing result; neither party can obtain the specific content of the intersection data and each can learn only the number of intersection elements, so the privacy of the intersection data is protected. Further, since the first party and the second party hold the secret sharing result of the intersection data, they can directly perform any multiparty secure computation that takes the intersection data as input under the secret sharing protocol, for example machine learning training on the secret-shared intersection data, which improves the efficiency of the subsequent multiparty secure computation while the plaintext of each intersection element is never exposed.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments of the present invention will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of the steps of an embodiment of a privacy intersection method of the present invention;
FIG. 2 is a schematic diagram of the result of a first party and a second party executing an out-of-order secret sharing protocol for the first time in one example of the present invention;
FIG. 3 is a schematic diagram of a first OPRF result and a second OPRF result in one example of the invention;
FIG. 4 is a schematic diagram of the result of a first party and a second party executing an out-of-order secret sharing protocol for the second time in one example of the present invention;
FIG. 5 is a block diagram of an embodiment of a privacy intersection system of the present invention;
FIG. 6 is a block diagram of an apparatus 800 for privacy intersection in accordance with the present invention;
FIG. 7 is a schematic diagram of a server in some embodiments of the invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The terms first, second and the like in the description and in the claims, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged, as appropriate, such that embodiments of the present invention may be implemented in sequences other than those illustrated or described herein, and that the objects identified by "first," "second," etc. are generally of a type, and are not limited to the number of objects, such as the first object may be one or more. Furthermore, the term "and/or" as used in the specification and claims to describe an association of associated objects means that there may be three relationships, e.g., a and/or B, may mean: a exists alone, A and B exist together, and B exists alone. The character "/" generally indicates that the context-dependent object is an "or" relationship. The term "plurality" in embodiments of the present invention means two or more, and other adjectives are similar.
Referring to fig. 1, a flowchart illustrating the steps of an embodiment of a privacy intersection method of the present invention is shown. The method may be used to perform privacy intersection on a first data set of a first party and a second data set of a second party, and may include the following steps:
step 101, the first party executes a first hash operation on the first data set to obtain a first hash table; the second party executes a second hash operation on the second data set to obtain a second hash table;
step 102, the first party executes an out-of-order secret sharing protocol with the second party based on the first hash table, so that the first party obtains an updated first hash table and the second party obtains a first sharing sequence; the updated first hash table and the first sharing sequence form an out-of-order secret sharing result of the first hash table, where the out-of-order secret sharing result is obtained by scrambling with a first out-of-order sequence, and the first out-of-order sequence is owned by the second party;
step 103, the second party performs an out-of-order operation on the second hash table by using the first out-of-order sequence, and subtracts the data at the corresponding position in the first sharing sequence from each data in the shuffled second hash table to obtain an updated second hash table;
step 104, the first party and the second party execute an oblivious pseudorandom function (OPRF) protocol, so that the first party obtains a first OPRF result corresponding to each data in the updated first hash table, and the second party obtains a second OPRF result corresponding to each data in the updated second hash table;
step 105, the second party sends the second OPRF result to the first party; the first party compares the first OPRF result with the second OPRF result and obtains a first target set according to the comparison result, where the first target set comprises the data, in the updated first hash table, at the positions where the first OPRF result is equal to the second OPRF result;
step 106, based on the first target set and together with the second party, the first party obtains a secret sharing result of the intersection data of the first data set and the second data set based on the first sharing sequence.
The privacy intersection method provided by the embodiment of the invention can be applied to the scenario of privacy intersection of the data sets of two parties in multi-party secure computation (MPC). Multiparty secure computation is a cryptographic technique in which the parties participating in the computation jointly perform a secure computation by executing a multiparty secure computation algorithm on the input data held by each party, and obtain the computation result without revealing the input data held by any party to the other parties.
In the embodiment of the invention, the first party and the second party are the parties to the privacy intersection; they may be the data providers of a multiparty secure computation, and they may also be the participants of the multiparty secure computation. In implementations, the first and second parties may be peers, and the roles of the first and second parties may be interchanged. In the embodiment of the present invention, the first party is also referred to as the client side, and the second party as the server side.
The embodiment of the invention uses a multiparty secure computation framework based on secret sharing, so that the intersection result obtained by the two parties (such as a first party and a second party) executing the PSI protocol is in secret-shared form. Secret sharing is a cryptographic technique for splitting and storing secrets: a secret is split in a suitable way, each share is managed by a different participant, a single participant cannot recover the secret, and only several participants cooperating together can recover it. That is, the first party and the second party obtain the secret sharing result of the intersection data, neither the first party nor the second party can obtain the plaintext of the intersection data, and each can learn only the number of intersection elements. In addition, since the first and second parties hold the secret sharing result of the intersection data, they can perform any multiparty secure computation that takes the intersection data as input under the secret sharing protocol, using the shares each of them holds, without exposing the plaintext of any intersection element.
It should be noted that, in the embodiment of the present invention, secret sharing refers to additive secret sharing, and a secret sharing result refers to an additive secret sharing result. For example, assume that for data x the first party obtains r1 and the second party obtains r2 with r1+r2=x; then r1 held by the first party and r2 held by the second party are said to constitute the additive secret sharing result of the data x. Only when r1 and r2 are both available can x be recovered.
The privacy intersection method provided by the embodiment of the invention constructs a privacy intersection protocol whose output intersection result is in secret-shared form; this protocol is called RS-PSI (Result-Shared PSI) in the embodiment of the invention. The embodiment of the invention realizes RS-PSI using hashing, Shuffle-SS, an OPRF and other techniques, so that the two participants in the privacy intersection obtain the secret sharing result of the intersection data of their data sets.
Specifically, first, a first party performs a first hash operation on a first data set owned by the first party to obtain a first hash table; the second party performs a second hash operation on a second data set owned by the second party to obtain a second hash table.
In an alternative embodiment of the present invention, the first hash operation may include a cuckoo hash operation, the second hash operation may include a simple hash (simple hash) operation, the first hash operation and the second hash operation use the same hash function, and lengths of the first hash table and the second hash table are equal.
The embodiment of the invention does not limit the number of hash functions used by the cuckoo hash. Alternatively, the cuckoo hash may use 3 hash functions, which means that at most 3 candidate positions can be chosen for each piece of data when the cuckoo hash operation is executed. In the embodiment of the present invention the first hash operation and the second hash operation use the same hash functions; for example, the first party performs a cuckoo hash operation and the second party performs a simple hash operation using the same 3 hash functions, so that the lengths of the first hash table and the second hash table are equal. Each piece of data in the first data set of the first party is mapped to exactly one position in the first hash table: it is stored in only one of the 3 positions computed by the 3 hash functions, and each position of the first hash table stores at most 1 piece of data. The second hash table of the second party has no maximum capacity per position; that is, the second party evaluates the same 3 hash functions as the first party once on each piece of data in the second data set and places the data at all 3 resulting positions. Each piece of data in the second data set is therefore mapped to 3 positions in the second hash table, and the data at each position are stacked in order. The embodiment of the present invention takes 3 hash functions as an example and does not limit the number of hash functions.
In one example, it is assumed that the first data set owned by the first party includes the following data: x1, x2, x3, x4, x5; the second data set owned by the second party includes the following data: x2, x3, x4, x5, x6. Referring to table 1, one example of a first hash table is shown, and referring to table 2, one example of a second hash table is shown.
TABLE 1
Position: 1, 2, 3, 4, 5, 6, 7, 8
Data: random, x2, x4, x1, random, x3, random, x5
TABLE 2
Position 1: x4, x5
Position 2: x2, x6
Position 3: x2, x4, x6
Position 4: x3
Position 5: x4, x6
Position 6: x3, x5
Position 7: x2
Position 8: x3, x5
In implementations, the lengths of the first hash table and the second hash table may be determined based on the data amount of the first data set of the first party. The length of the first hash table should be such that all data of the first data set can be put down. Further, the lengths of the first hash table and the second hash table may be selected to be 1.3 times or 1.4 times the data amount of the first data set. In this example, the lengths of the first hash table and the second hash table are chosen to be 8.
As shown in table 1, the first data set owned by the first party includes the following data: x1, x2, x3, x4, x5. The length of the first hash table is 8, after the first party performs the cuckoo hash operation on the first data set, the data x1 is stored in the 4 th position in the first hash table, the data x2 is stored in the 2 nd position in the first hash table, the data x3 is stored in the 6 th position in the first hash table, the data x4 is stored in the 3 rd position in the first hash table, and the data x5 is stored in the 8 th position in the first hash table.
Further, the method may further include: when the length of the first hash table is greater than the size of the first data set, the first party fills the idle positions in the first hash table with random numbers. As shown in table 1, the free positions 1, 5 and 7 in the first hash table are each filled with a random number, denoted random.
As shown in table 2, the second data set owned by the second party includes the following data: x2, x3, x4, x5, x6. The second hash table has a length of 8, after the second party performs a simple hash operation on the second data set, data x2 is stored in the second hash table at positions 2, 3 and 7, data x3 is stored in the second hash table at positions 4, 6 and 8, data x4 is stored in the second hash table at positions 1, 3 and 5, data x5 is stored in the second hash table at positions 1, 6 and 8, and data x6 is stored in the second hash table at positions 2, 3 and 5. It should be noted that table 2 is shown in three columns only for ease of illustration.
Then, the first party executes an out-of-order secret sharing protocol with the second party based on the first hash table, so that the first party obtains the updated first hash table and the second party obtains the first sharing sequence. The updated first hash table and the first sharing sequence form an out-of-order secret sharing result of the first hash table, where the out-of-order secret sharing result is obtained by scrambling with the first out-of-order sequence, and the first out-of-order sequence is owned by the second party.
Out-of-order secret sharing refers to the following: A has a sequence of m pieces of data $(x_1, x_2, \dots, x_m)$. A and B execute the out-of-order secret sharing protocol, after which B obtains an out-of-order sequence (a permutation) $\pi$ of $1 \sim m$ and a random number sequence $(r_1, r_2, \dots, r_m)$, and A obtains the random number sequence $(x_{\pi(1)} - r_1, x_{\pi(2)} - r_2, \dots, x_{\pi(m)} - r_m)$. That is, A and B each hold one share of an additive secret sharing of the data sequence $(x_{\pi(1)}, x_{\pi(2)}, \dots, x_{\pi(m)})$, i.e. of A's data sequence $(x_1, x_2, \dots, x_m)$ after it has been shuffled by $\pi$. The security requirement is that A cannot learn the permutation $\pi$ or the random number sequence $(r_1, r_2, \dots, r_m)$, and B cannot learn any information about A's data sequence $(x_1, x_2, \dots, x_m)$.
The embodiment of the invention does not limit the implementation of the out-of-order secret sharing protocol. In an alternative embodiment of the present invention, the out-of-order secret sharing protocol may be implemented based on an additively homomorphic encryption algorithm, or it may be implemented based on an oblivious transfer protocol.
In an alternative embodiment of the present invention, the first party performs an out-of-order secret sharing protocol with the second party based on the first hash table, and may include:
step S11, the first party generates a homomorphic encryption private key and a public key, encrypts the first hash table by using the public key, and sends the encrypted first hash table and the public key to the second party;
Step S12, the second party generates a first disordered sequence and a local random number sequence, and the first disordered sequence is utilized to perform disordered operation on the local random number sequence to obtain a first sharing sequence;
step S13, the second party uses the public key to perform homomorphic operation on each data in the encrypted first hash table and the data in the corresponding position in the local random number sequence, so as to obtain an intermediate sequence;
step S14, the second party uses the first disordered sequence to perform disordered operation on the intermediate sequence to obtain a target disordered result;
step S15, the second party sends the target out-of-order result to the first party;
step S16, the first party decrypts the target out-of-order result by using the public key and the private key to obtain the updated first hash table.
The embodiment of the invention can realize the out-of-order secret sharing protocol based on the addition homomorphic encryption algorithm.
In the above example, the first hash table is [random, x2, x4, x1, random, x3, random, x5]. The first party generates a homomorphic encryption private key and public key, encrypts the data in the first hash table with the public key, and sends the encrypted first hash table and the public key to the second party.
The second party generates a first out-of-order sequence and a local random number sequence, whose lengths are equal to the lengths of the first hash table and the second hash table. Let the first out-of-order sequence be [2,5,7,3,8,4,1,6] and the local random number sequence be [r1, r2, r3, r4, r5, r6, r7, r8]. The second party performs the out-of-order operation on the local random number sequence using the first out-of-order sequence to obtain the first sharing sequence, which is [r2, r5, r7, r3, r8, r4, r1, r6].
The second party uses the received public key to perform a homomorphic operation between each data in the encrypted first hash table and the data at the corresponding position in the local random number sequence, obtaining an intermediate sequence. The homomorphic operation may be a homomorphic addition or a homomorphic subtraction; for example, the second party computes E(random-r1), E(x2-r2), …, E(x5-r8) using the received public key, where E denotes the homomorphic operation, and the result is the intermediate sequence.
The second party then performs the out-of-order operation on the intermediate sequence using the first out-of-order sequence to obtain the target out-of-order result, and sends the target out-of-order result to the first party. The target out-of-order result is: [E(x2-r2), E(random-r5), E(random-r7), E(x4-r3), E(x5-r8), E(x1-r4), E(random-r1), E(x3-r6)].
The first party decrypts the target out-of-order result using the public key and the private key, obtaining the updated first hash table shown in table 3.
TABLE 3
Position: 1, 2, 3, 4, 5, 6, 7, 8
Data: x2-r2, random-r5, random-r7, x4-r3, x5-r8, x1-r4, random-r1, x3-r6
As shown in table 3, the updated first hash table includes the following data: [x2-r2, random-r5, random-r7, x4-r3, x5-r8, x1-r4, random-r1, x3-r6]. Since x2-r2+r2=x2, random-r5+r5=random, and so on, the first sharing sequence [r2, r5, r7, r3, r8, r4, r1, r6] and the updated first hash table [x2-r2, random-r5, random-r7, x4-r3, x5-r8, x1-r4, random-r1, x3-r6] together form an out-of-order secret sharing result of the first hash table [random, x2, x4, x1, random, x3, random, x5] under the first out-of-order sequence [2,5,7,3,8,4,1,6]. Because the first hash table has been masked by the second party's local random numbers and the first party does not know the first out-of-order sequence, the first party cannot tell what the data in the decrypted updated first hash table mean; it sees only a pile of random numbers. Since the second party cannot perform the homomorphic decryption, the second party cannot learn any information about the data in the first hash table. Thus the first party and the second party obliviously hold the out-of-order secret sharing result of the first hash table.
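The full data flow of steps 101 to 105 above (hashing as in tables 1 and 2, Shuffle-SS as in table 3, then the OPRF comparison), as an added Python simulation that is not the patent's own code. Shuffle-SS and the OPRF are modelled as ideal functionalities computed by a trusted helper rather than by the homomorphic-encryption protocol of steps S11 to S16, arithmetic is additive sharing modulo 2**64, the hash functions and the inputs x1..x5 and x2..x6 are constructed, and step 106 is not modelled: the final check simply adds the two parties' shares at the matched positions to confirm that they reconstruct the common elements.

```python
"""RS-PSI data flow of steps 101 to 105 (added simulation, not the patent's code).
Shuffle-SS and the OPRF are modelled as ideal functionalities, i.e. a trusted
helper computes the parties' outputs directly; the homomorphic-encryption and
OT based realizations are not implemented here.  Arithmetic is modulo 2**64."""
import hashlib
import hmac
import secrets

MOD = 2 ** 64
NUM_HASH = 3        # number of shared hash functions (the page's example uses 3)
MAX_KICKS = 500     # bound on cuckoo evictions before giving up

def h(i, item, table_len):
    """i-th hash function, shared by both parties (constructed: tagged SHA-256)."""
    d = hashlib.sha256(b"h%d|" % i + item.to_bytes(8, "big")).digest()
    return int.from_bytes(d[:8], "big") % table_len

def cuckoo_hash(items, table_len):
    """First party (step 101): every item lands in exactly one of its NUM_HASH
    positions, each position holds at most one item, and free positions are
    filled with random numbers so the table looks uniformly random."""
    table = [None] * table_len
    for item in items:
        cur, i = item, 0
        for _ in range(MAX_KICKS):
            pos = h(i, cur, table_len)
            if table[pos] is None:
                table[pos] = cur
                break
            table[pos], cur = cur, table[pos]      # evict the occupant
            i = secrets.randbelow(NUM_HASH)        # reinsert it via another hash
        else:
            raise RuntimeError("cuckoo insertion failed; enlarge the table")
    return [secrets.randbelow(MOD) if v is None else v for v in table]

def simple_hash(items, table_len):
    """Second party (step 101): each item is placed at all NUM_HASH of its
    positions; a position may hold any number of items."""
    table = [[] for _ in range(table_len)]
    for item in items:
        for i in range(NUM_HASH):
            table[h(i, item, table_len)].append(item)
    return table

def shuffle_ss(first_table):
    """Ideal Shuffle-SS (step 102), laid out as in the page's example: the second
    party picks the permutation pi and local randoms r; the first party receives
    x_{pi(i)} - r_{pi(i)}, the second party keeps pi and the sharing sequence
    s_i = r_{pi(i)}.  Position i of both outputs therefore shares x_{pi(i)}."""
    m = len(first_table)
    pi = list(range(m))
    secrets.SystemRandom().shuffle(pi)
    r = [secrets.randbelow(MOD) for _ in range(m)]
    share_seq = [r[pi[i]] for i in range(m)]
    updated_first = [(first_table[pi[i]] - share_seq[i]) % MOD for i in range(m)]
    return updated_first, pi, share_seq

def update_second_table(second_table, pi, share_seq):
    """Second party (step 103): shuffle its table by pi, then subtract the
    sharing-sequence entry of the same position from every item stored there."""
    return [[(y - share_seq[i]) % MOD for y in second_table[pi[i]]]
            for i in range(len(second_table))]

def oprf(key, value):
    """Ideal OPRF output F_k(value) (step 104); a real OPRF protocol would hide k
    from the evaluating party and the input from the key holder."""
    return hmac.new(key, value.to_bytes(8, "big"), hashlib.sha256).digest()

def match_positions(first_oprf, second_oprf):
    """First party (step 105): positions whose own OPRF value occurs among the
    second party's OPRF values at the same position."""
    return [i for i, v in enumerate(first_oprf) if v in second_oprf[i]]

def rs_psi(first_set, second_set, table_len):
    """Run steps 101 to 105.  Returns the first target set (the first party's
    share of each intersection element) and the second party's matching share
    taken from the first sharing sequence.  Step 106 is not modelled."""
    t1 = cuckoo_hash(first_set, table_len)
    t2 = simple_hash(second_set, table_len)
    a, pi, s = shuffle_ss(t1)
    t2u = update_second_table(t2, pi, s)
    key = secrets.token_bytes(32)
    f1 = [oprf(key, v) for v in a]
    f2 = [{oprf(key, v) for v in row} for row in t2u]
    matched = match_positions(f1, f2)
    return [a[i] for i in matched], [s[i] for i in matched]

def reconstruct(first_share, second_share):
    """Check only: adding the two shares position by position recovers the
    intersection elements, which neither party could do alone."""
    return sorted((u + v) % MOD for u, v in zip(first_share, second_share))

if __name__ == "__main__":
    # Constructed inputs mirroring the page's example: x1..x5 versus x2..x6.
    fs, ss = rs_psi([1, 2, 3, 4, 5], [2, 3, 4, 5, 6], 8)
    print(len(fs), "matches; reconstructed intersection:", reconstruct(fs, ss))
```

Each share on its own is a uniformly random value modulo 2**64, so the first target set tells the first party only how many positions matched, which is exactly the leakage the page describes.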
In an alternative embodiment of the present invention, the first party performs an out-of-order secret sharing protocol with the second party based on the first hash table, and may include:
step S21, the second party generates a first random number sequence with the length of m, wherein m is the length of the first hash table;
step S22, the first party and the second party execute n×2^(n-1) preset operators based on an oblivious transfer protocol, so that the first party obtains an updated first hash table and the second party obtains a second random number sequence with the length of m; the sum of the data at a first position in the updated first hash table and in the second random number sequence is equal to the sum of the data at a second position in the first hash table and in the first random number sequence, where the first position is the position to which the second position is moved by the first disordered sequence;
step S23, the second party calculates a first sharing sequence according to the first random number sequence and the second random number sequence, so that the first sharing sequence and the updated first hash table form an out-of-order secret sharing result of the first hash table.
Further, a preset operator may be defined as follows: assuming that the first party owns the data x1 and x2, and the second party owns the random numbers r1 and r2 and the selection bit b, b=0 or b=1; the two parties execute a preset operator so that the first party obtains random numbers x1' and x2', and the second party obtains random numbers r1' and r2'; if b=0, then x1'+r1'=x1+r1, x2'+r2'=x2+r2; if b=1, then x1'+r1'=x2+r2, x2'+r2'=x1+r1.
Note that the symbols x1, x2, r1, r2, b, x1', x2', r1', r2' in the definition of the preset operator are general symbols used to describe the operator and do not refer to specific data.
In the embodiment of the invention, the preset operator is called an SS-select operator. After the first party and the second party execute a single SS-select operator, the two pieces of data owned by each party become two new random numbers. For example, x1 and x2 owned by the first party become x1' and x2', and r1 and r2 owned by the second party become r1' and r2'. The new random numbers obtained by both sides are exactly the additive secret sharing result of the sums of the original corresponding data, transposed according to the selection bit b. For example, when b=0, the new random numbers x1' and r1' are the additive secret sharing result of x1+r1, and the new random numbers x2' and r2' are the additive secret sharing result of x2+r2; when b=1, the new random numbers x1' and r1' are the additive secret sharing result of x2+r2, and the new random numbers x2' and r2' are the additive secret sharing result of x1+r1.
The SS-select operator of the embodiment of the present invention may be regarded as a black box, where the first party inputs data x1 and x2, the second party inputs random numbers r1 and r2 and a selection bit b, and each party obtains the result that the black box outputs to it: the first party obtains random numbers x1' and x2', and the second party obtains random numbers r1' and r2'; and it satisfies that if b=0, x1'+r1'=x1+r1, x2'+r2'=x2+r2; if b=1, then x1'+r1'=x2+r2, x2'+r2'=x1+r1. The selection bits of the n×2^(n-1) SS-select operators together form one out-of-order sequence of the Shuffle-SS protocol over data of size 2^n, and this sequence is known only to the second party.
In an embodiment of the present invention, one SS-select operator may be implemented by one OT (Oblivious Transfer). In an alternative embodiment of the invention, the first party has data x1 and x2, and the second party has random numbers r1 and r2 and a selection bit b, b=0 or b=1; the step of executing a preset operator by the first party and the second party may include:
step S31, the first party generates a random number t and obtains the messages to be queried by oblivious transfer, which include: t and t+(x2-x1); the second party regards the selection bit b as the query bit of the oblivious transfer;
step S32, the first party and the second party execute a 1-out-of-2 oblivious transfer protocol with the first party as the sender and the second party as the receiver, and the second party obtains the query result (t+b×(x2-x1));
step S33, the first party constructs (x1-t) and (x2+t);
step S34, the second party constructs ((t+b×(x2-x1))+b×(r2-r1)+r1) and (-(t+b×(x2-x1))-b×(r2-r1)+r2).
In the embodiment of the invention, the first party acts as the sender of the oblivious transfer, generates a random number t, and takes t and t+(x2-x1) as the messages to be queried by oblivious transfer. The second party acts as the receiver of the oblivious transfer and uses the selection bit b of the SS-select operator as the query bit; the first party and the second party execute a 1-out-of-2 oblivious transfer protocol with the first party as the sender and the second party as the receiver, and the second party obtains the OT query result (t+b×(x2-x1)). Since the random number t is generated randomly by the first party, the information of x1 and x2 is completely masked, and thus the second party cannot acquire valid information about x1 and x2. In addition, the first party cannot obtain information about the selection bit b, and therefore the first party is also unaware of the out-of-order sequence formed by combining the selection bits of the n×2^(n-1) SS-select operators. The first party may construct new random numbers (x1-t) and (x2+t), and the second party may construct new random numbers ((t+b×(x2-x1))+b×(r2-r1)+r1) and (-(t+b×(x2-x1))-b×(r2-r1)+r2) using the OT query result. It can then be verified that the new random numbers constructed by the first party (from its local data and the random number t it generated) and by the second party (from its local data and the OT query result) together form the additive secret sharing result of (x1+r1) and (x2+r2), swapped according to the selection bit b, which accords with the definition of the SS-select operator in the embodiment of the present invention.
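The SS-select construction of steps S31 to S34, as an added example rather than the patent's own code. The function ot_1_of_2 is a local stand-in that simply hands the receiver the chosen message (an assumption: a real deployment substitutes an OT protocol instance, so that the sender never learns b and the receiver never learns the other message). The helper shuffle_share_pair shows the m=2 case of steps S21 to S23, where the single selection bit is the whole out-of-order sequence; the share derivation s_i = r_i' - r_perm(i) it uses is my reading of step S23 and is labelled as an assumption in the code.

```python
import secrets

MOD = 2**64  # assumption: additive shares live in Z_{2^64}


def ot_1_of_2(m0, m1, b):
    """Stand-in for 1-out-of-2 oblivious transfer: the receiver gets m_b only.
    (Local simulation, not a secure OT: here one process sees all inputs.)"""
    return m1 if b else m0


def ss_select(x1, x2, r1, r2, b):
    """Steps S31-S34. Returns ((x1', x2'), (r1', r2')) such that (mod MOD)
    b=0: x1'+r1' = x1+r1 and x2'+r2' = x2+r2
    b=1: x1'+r1' = x2+r2 and x2'+r2' = x1+r1."""
    t = secrets.randbelow(MOD)                      # S31: first party's random mask
    q = ot_1_of_2(t, (t + x2 - x1) % MOD, b)        # S32: second party learns t + b*(x2-x1)
    x1p, x2p = (x1 - t) % MOD, (x2 + t) % MOD       # S33: first party's new random numbers
    r1p = (q + b * (r2 - r1) + r1) % MOD            # S34: second party's new random numbers
    r2p = (-q - b * (r2 - r1) + r2) % MOD
    return (x1p, x2p), (r1p, r2p)


def shuffle_share_pair(x1, x2, b):
    """Steps S21-S23 for m=2 (one SS-select). The second party picks the random
    numbers r1, r2 and the permutation bit b; afterwards it derives the first
    sharing sequence s_i = r_i' - r_{perm(i)} so that x_i' + s_i = x_{perm(i)}.
    (Assumption: this is how S23 'calculates the first sharing sequence' from the
    first and second random number sequences.)"""
    r1, r2 = secrets.randbelow(MOD), secrets.randbelow(MOD)
    (x1p, x2p), (r1p, r2p) = ss_select(x1, x2, r1, r2, b)
    perm = [2, 1] if b else [1, 2]                  # output position i takes input position perm[i]
    r_orig = [r1, r2]
    shares = [(rp - r_orig[p - 1]) % MOD for rp, p in zip((r1p, r2p), perm)]
    return [x1p, x2p], shares, perm


def check_pair(x1, x2, b):
    """True when the first party's updated pair plus the second party's shares
    reconstructs the input pair permuted by b."""
    upd, shares, perm = shuffle_share_pair(x1, x2, b)
    xs = [x1, x2]
    return [(u + s) % MOD for u, s in zip(upd, shares)] == [xs[p - 1] for p in perm]
```

Run check_pair for both values of b: the reconstruction holds, while each party's own outputs are fresh random values because t, r1 and r2 are drawn anew per call.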
In a specific implementation, the disordered secret sharing protocol may be regarded as a black box, the first party inputs data in the first hash table into the black box, the second party generates a first disordered sequence and a random number sequence (such as a local random number sequence or a first random number sequence), the first disordered sequence and the random number sequence are input into the black box, the two parties obtain disordered secret sharing results respectively, and the added result of the disordered secret sharing results of the two parties is the data obtained by scrambling the data in the first hash table by the first disordered sequence, and some filled random numbers.
Referring to fig. 2, a schematic diagram of the result of the first party performing the out-of-order secret sharing protocol with the second party for the first time in one example of the invention is shown. As shown in fig. 2, the data input by the first party into the black box of the out-of-order secret sharing protocol includes the data in the first hash table; taking the first hash table shown in table 1 as an example, the data input by the first party into the black box is: [random, x2, x4, x1, random, x3, random, x5]. The second party generates a first random number sequence [r1, r2, r3, r4, r5, r6, r7, r8] and a first disordered sequence [2,5,7,3,8,4,1,6]. The data input by the second party into the black box includes [r1, r2, r3, r4, r5, r6, r7, r8] and [2,5,7,3,8,4,1,6]. After the two parties execute the out-of-order secret sharing protocol, the first party obtains the updated first hash table, which comprises the following data: [x2-r2, random-r5, random-r7, x4-r3, x5-r8, x1-r4, random-r1, x3-r6]. The second party obtains the first sharing sequence as follows: [r2, r5, r7, r3, r8, r4, r1, r6].
And then, the second party performs disorder operation on the second hash table by using the first disorder sequence, and subtracts the data in the corresponding position in the first sharing sequence from each data in the second hash table after disorder to obtain an updated second hash table.
In an optional embodiment of the present invention, subtracting, from each data in the second hash table after the disorder, the data in the corresponding position in the first sharing sequence may include: when more than two pieces of data exist at a certain position in the second hash table after disorder, subtracting the data at the corresponding position in the first sharing sequence from the more than two pieces of data respectively.
In the embodiment of the present invention, when there are more than two pieces of data in a certain position in the hash table, processing the data in the position refers to processing each piece of data in the position.
For example, in the example above, the second party gets the first out-of-order sequence [2,5,7,3,8,4,1,6] and the first shared sequence [ r2, r5, r7, r3, r8, r4, r1, r6]. The second party performs the disorder operation on the second hash table shown in table 2 by using the first disorder sequence [2,5,7,3,8,4,1,6], and the second hash table after disorder can be obtained as shown in table 4.
TABLE 4 (table image not reproduced; its contents are described below)
And then subtracting the data of the corresponding position in the first sharing sequence from each data in the second hash table after disorder. As shown in table 4, there are two pieces of data at the 1 st position in the second hash table after the disorder: x2 and x6, respectively subtracting the data r2 at the corresponding position in the first sharing sequence from the two pieces of data; as another example, in table 4, there are two pieces of data at position 2 in the second hash table after the disorder: x4 and x6, respectively subtracting the data r5 at the corresponding position in the first sharing sequence from the two pieces of data; similarly, an updated second hash table may be obtained as shown in table 5.
TABLE 5 (table image not reproduced; its contents are described above)
At this time, the first party obtains an updated first hash table (as shown in table 3), and the second party obtains an updated second hash table (as shown in table 5).
Then, the first party and the second party execute an oblivious pseudorandom function (OPRF) protocol, so that the first party obtains a first OPRF result corresponding to each data in the updated first hash table, and the second party obtains a second OPRF result corresponding to each data in the updated second hash table.
OPRF is an extension of the oblivious transfer protocol. The function of the OPRF protocol is as follows: the sender and the receiver execute the two-party OPRF protocol; the sender has no input and the receiver inputs data x_i; the sender outputs a key k, and the receiver outputs the OPRF result F(k, x_i).
In an optional embodiment of the present invention, the first party and the second party perform an oblivious pseudorandom function (OPRF) protocol, so that the first party obtains a first OPRF result corresponding to each data in the updated first hash table, and the second party obtains a second OPRF result corresponding to each data in the updated second hash table, which may include:
step S41, the first party is taken as a receiving party, each data and the position information thereof in the updated first hash table are taken as input data of an OPRF protocol, the second party is taken as a transmitting party, and both parties execute batch OPRF protocols, so that the first party obtains a first OPRF result corresponding to each data in the updated first hash table under the position information thereof, and the second party obtains an OPRF key corresponding to each position information;
step S42, the second party calculates a second OPRF result corresponding to each data in the updated second hash table under the position information thereof by using the OPRF key corresponding to each position information, each data in the updated second hash table, and the position information thereof.
In the embodiment of the invention, the first party is a receiver of the OPRF protocol, the second party is a sender of the OPRF protocol, and both parties execute batch OPRF protocol. Specifically, the first party uses each data and its position information in the updated first hash table as input data of the OPRF protocol, and executes the batch OPRF protocol with the second party.
Taking the updated first hash table shown in table 3 as an example: the data at the 1st position in table 3 is x2-r2 and its position information is 1, so the data x2-r2 and its position information 1 are taken as input data of the OPRF protocol; the first party executes the OPRF protocol with the second party and obtains a first OPRF result corresponding to the data x2-r2 under the position information 1, denoted as OPRF(k1, (x2-r2, 1)); here k1 represents the OPRF key corresponding to the position information 1, and (x2-r2, 1) represents that the position information corresponding to the data x2-r2 is 1; the second party obtains the OPRF key corresponding to the position information 1, e.g. k1. The data at the 2nd position in table 3 is random-r5 and its position information is 2, so the data random-r5 and its position information 2 are used as input data of the OPRF protocol; the first party executes the OPRF protocol with the second party and obtains a first OPRF result corresponding to the data random-r5 under the position information 2, denoted as OPRF(k2, (random-r5, 2)); here k2 represents the OPRF key corresponding to the position information 2, and (random-r5, 2) represents that the position information corresponding to the data random-r5 is 2; the second party obtains the OPRF key corresponding to the position information 2, e.g. k2. And so on.
After the two parties execute the batch OPRF protocol, the second party calculates a second OPRF result corresponding to each data in the updated second hash table under its position information, using the OPRF key corresponding to each position information, each data in the updated second hash table and its position information. For example, in the above example, the second party obtains an OPRF key corresponding to each of the 8 pieces of position information, denoted k1 to k8. Since the second party has the OPRF keys, it can calculate a second OPRF result for each data in the updated second hash table under its position information. Taking the updated second hash table shown in table 5 as an example, the data at the 1st position in table 5 includes x2-r2 and x6-r2, and the second party can calculate OPRF(k1, (x2-r2, 1)) and OPRF(k1, (x6-r2, 1)); here k1 represents the OPRF key corresponding to the position information 1, (x2-r2, 1) represents that the position information corresponding to the data x2-r2 is 1, and (x6-r2, 1) represents that the position information corresponding to the data x6-r2 is 1. And so on, the second party can calculate a second OPRF result corresponding to each data in the updated second hash table under its position information.
Referring to fig. 3, a schematic diagram of a first OPRF result and a second OPRF result in one example of the invention is shown. The OPRF key is not shown in fig. 3.
Then, the second party sends the second OPRF result to the first party; the first party compares its own first OPRF result with the second OPRF result of the second party and obtains a first target set according to the comparison result, where the first target set includes the data at the corresponding position in the updated first hash table of each first OPRF result that is equal to a second OPRF result.
Since the first party is the receiver of the OPRF protocol and does not calculate the OPRF key, even if the first party obtains the second OPRF result sent by the second party, the first party cannot acquire any effective information from the second OPRF result, and the data privacy security can be ensured.
The first party can compare the equality of the first OPRF result of the first party with the second OPRF result of the second party based on privacy calculation, and acquire a first target set in the updated first hash table according to the comparison result. The first target set includes data of a corresponding position of a first OPRF result in the updated first hash table, which is equal to a second OPRF result, and the data is a part of secret sharing result of intersection data of the first data set and the second data set. Therefore, the embodiment of the present invention refers to the data of the corresponding position of the first OPRF result in the updated first hash table, which is equal to the second OPRF result, in the first target set as intersection related data.
As shown in fig. 3, the first party has 4 first OPRF results that are equal to second OPRF results, respectively: OPRF(k1, (x2-r2, 1)), OPRF(k4, (x4-r3, 4)), OPRF(k5, (x5-r8, 5)), OPRF(k8, (x3-r6, 8)), and the corresponding position information is: 1, 4, 5, 8. The data with the position information 1, 4, 5, 8 may be obtained from the updated first hash table shown in table 3, including: x2-r2, x4-r3, x5-r8, x3-r6, thereby yielding a first target set. Referring to table 6, a first target set in one example of the invention is shown. The first target set includes a portion of the secret sharing result (also referred to as intersection related data) of the intersection data of the first data set and the second data set, and some random numbers, which are not shown in table 6 (the blank positions in table 6). The length of the first target set is equal to the lengths of the first hash table and the second hash table, and the position information of the intersection related data in the first target set is consistent with the position information in the updated first hash table.
TABLE 6 (table image not reproduced; its contents are described above)
At this time, x2-r2, x4-r3, x5-r8 and x3-r6 in the first target set obtained by the first party and r2, r3, r8 and r6 in the first sharing sequence obtained by the second party together form a secret sharing result of the intersection data. The first target set x2-r2, x4-r3, x5-r8, and x3-r6 shown in Table 6 are intersection related data. However, at this time, the second party has no knowledge of the information of the intersection data, and the second party has not yet obtained another partial secret sharing result of the intersection data.
Therefore, the embodiment of the invention also needs to enable the second party to acquire the secret sharing result of the intersection data. Specifically, the first party is based on the first target set and the second party is based on the first sharing sequence, so that both parties can acquire a secret sharing result of intersection data of the first data set and the second data set.
In order to enable the second party to obtain the secret sharing result of the intersection data without revealing the data, the embodiment of the invention enables the second party to obtain the secret sharing result of the intersection data through an out-of-order operation.
In an optional embodiment of the invention, the first party obtaining, based on the first target set and the second party, a secret sharing result of intersection data of the first data set and the second data set based on the first sharing sequence may include:
step S51, the second party performs an out-of-order secret sharing protocol with the first party based on the first sharing sequence, so that the second party obtains an updated first sharing sequence and the first party obtains a second sharing sequence; the updated first sharing sequence and the second sharing sequence form a disordered secret sharing result of the first sharing sequence scrambled by a second disordered sequence, wherein the second disordered sequence is owned by the first party;
Step S52, the first party performs disorder operation on the first target set by using the second disorder sequence, and adds data of corresponding positions in the second sharing sequence to each data in the first target set after disorder to obtain an updated first target set;
step S53, the first party sends the position information of each intersection related data in the updated first target set to the second party, and the second party extracts the data corresponding to the position information from the updated first sharing sequence to obtain a second target set; the updated first target set and the second target set form a secret sharing result of intersection data of the first data set and the second data set.
The first party and the second party execute the disordered secret sharing protocol again; this time the second party takes the first sharing sequence it owns as input data. After the two parties execute the disordered secret sharing protocol, the second party obtains the updated first sharing sequence and the first party obtains the second sharing sequence; the updated first sharing sequence and the second sharing sequence form a disordered secret sharing result of the first sharing sequence scrambled by the second disordered sequence, and the second disordered sequence is owned by the first party.
Referring to fig. 4, a schematic diagram of a result of performing an out-of-order secret sharing protocol for a second time by a first party and a second party in one example of the present invention is shown.
As shown in fig. 4, when the out-of-order secret sharing protocol is performed for the second time, the data of the black box of the out-of-order secret sharing protocol input by the second party includes the data in the first sharing sequence, such as [ r2, r5, r7, r3, r8, r4, r1, r6]. The first party generates a local random number sequence of [ t1, t2, t3, t4, t5, t6, t7, t8], and generates a second out-of-order sequence of [4,3,7,8,5,1,6,2]. The data entered by the first party into the black box includes [ t1, t2, t3, t4, t5, t6, t7, t8] and [4,3,7,8,5,1,6,2]. After the two parties execute the out-of-order secret sharing protocol, the second party obtains the updated first sharing sequence as follows: [ r3-t4, r7-t3, r1-t7, r6-t8, r8-t5, r2-t1, r4-t6, r5-t2]. The first party obtains the second shared sequence as follows: [ t4, t3, t7, t8, t5, t1, t6, t2].
And the first party performs disorder operation on the first target set by using the second disorder sequence, and adds the data in the corresponding position in the second sharing sequence to each data in the first target set after disorder to obtain the updated first target set. For example, in the above example, after the first party performs the out-of-order operation on the first target set using the second out-of-order sequence [4,3,7,8,5,1,6,2], the first target set after out-of-order is obtained as shown in table 7.
TABLE 7 (table image not reproduced; its contents are described below)
And the data in the corresponding position in the second sharing sequence is added to each data in the first target set after disorder. Specifically, the data x4-r3 at the 1st position in the first target set is added to the data t4 at the 1st position in the second shared sequence, the data (a certain random number) at the 2nd position in the first target set is added to the data t3 at the 2nd position in the second shared sequence, the data (a certain random number) at the 3rd position in the first target set is added to the data t7 at the 3rd position in the second shared sequence, the data x3-r6 at the 4th position in the first target set is added to the data t8 at the 4th position in the second shared sequence, and so on, until the data (a certain random number) at the 8th position in the first target set is added to the data t2 at the 8th position in the second shared sequence; the updated first target set is obtained as shown in table 8. The updated first target set contains intersection related data and some random numbers. It will be appreciated that the intersection related data in table 8 has changed relative to the intersection related data in table 6. The blank positions in table 8 are random numbers, which are not shown in table 8. Because the first party has the second disordered sequence, the first party can know which positions in the updated first target set are intersection related data; it should be noted that, to the first party, all data in the updated first target set are meaningless random numbers, so that the privacy security of the intersection data is protected.
TABLE 8 (table image not reproduced; its contents are described below)
Finally, the first party sends the position information of each intersection related data in the updated first target set to the second party, and the second party obtains the data of the corresponding position in the updated first sharing sequence according to the received position information to obtain a second target set; the updated first target set and the second target set form a secret sharing result of intersection data of the first data set and the second data set.
As shown in table 8, the updated first target set obtained by the first party includes 4 intersection related data. Because the first party has the second disordered sequence used for scrambling the first target set into the updated first target set, the first party can acquire the position information corresponding to the 4 intersection related data in the updated first target set, namely 1, 4, 5 and 6 respectively. The first party sends the position information of each intersection related data in the updated first target set to the second party, and the second party can acquire the data at the corresponding positions in the updated first sharing sequence according to the received position information to obtain a second target set. In the above example, the updated first sharing sequence is [r3-t4, r7-t3, r1-t7, r6-t8, r8-t5, r2-t1, r4-t6, r5-t2], from which the second party obtains the data at the 1st, 4th, 5th and 6th positions, namely r3-t4, r6-t8, r8-t5, r2-t1, thereby obtaining the second target set. At this time, the updated first target set includes the following data: x4-r3+t4, x3-r6+t8, x5-r8+t5, x2-r2+t1; the second target set includes the following data: r3-t4, r6-t8, r8-t5, r2-t1. Since x4-r3+t4+r3-t4=x4, x3-r6+t8+r6-t8=x3, x5-r8+t5+r8-t5=x5 and x2-r2+t1+r2-t1=x2, the updated first target set and the second target set constitute a secret sharing result of the intersection data of the first and second data sets.
In the above process, the first party informs the second party of the updated position information of each intersection related data in the first target set, and the second party cannot obtain any related information of the original data through the position information informed by the first party because the second party cannot obtain the information of the second disordered sequence. Furthermore, for the first party, each data in the updated first target set it acquires is a random number of no significance; for the second party, each data in the second target set acquired by the second party is a random number without meaning; the first party and the second party can only acquire the secret sharing result of the intersection data of the two parties and the number of the intersection data, but cannot learn other effective information of the intersection data, so that the privacy security of the data can be ensured.
In summary, the embodiment of the invention realizes a privacy intersection method whose output intersection result is in secret sharing form by using hash techniques, Shuffle-SS (the out-of-order secret sharing protocol), OPRF (oblivious pseudorandom function) and the like, so that the two parties participating in privacy intersection (such as the first party and the second party) obtain the secret sharing result of the intersection data of their data sets. The first party and the second party each obtain half of the secret sharing result; neither party can obtain specific information about the intersection data and can only learn the number of intersection elements, so the privacy security of the intersection data is protected. Further, since the first party and the second party hold the secret sharing result of the intersection data, they can directly perform any multiparty secure computation that takes the intersection data as input, based on a secret sharing protocol, using the secret sharing result, for example machine learning training on the secret sharing result of the intersection data; this improves the efficiency of subsequent multiparty secure computation without exposing the plaintext of any intersection data.
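An end-to-end simulation of the flow summarised above, added here as an example and not code from the patent. Three stand-ins are assumptions and are marked as such in the code: shuffle_share is a trusted-dealer version of the Shuffle-SS black box (the real protocol realises it with OT or homomorphic encryption, with no dealer); oprf is HMAC-SHA256 under a per-position key that the simulation knows on both sides, whereas the real batch OPRF gives the first party only the outputs and the second party only the keys; and the two hash tables are supplied directly, constructed to match the page's running example (Table 1 layout, the same match positions 1, 4, 5, 8, and the same two disordered sequences), so cuckoo and simple hashing are not re-implemented. The function name shared_psi and its parameters are mine. What the simulation demonstrates is correctness: the two parties' outputs add up to exactly the intersection elements, and the position list the first party sends is 1, 4, 5, 6 as in Table 8.

```python
import hashlib
import hmac
import secrets

MOD = 2**64      # assumption: additive shares live in Z_{2^64}
RANDOM = None    # marks an empty cuckoo position, filled with a fresh random number


def shuffle_share(values, perm):
    """Trusted-dealer stand-in for the Shuffle-SS black box (assumption; the real
    protocol needs no dealer). perm is 1-based: output position i takes input
    position perm[i]. Returns (share for the value holder, share for the perm
    holder) with share_a[i] + share_b[i] == values[perm[i]-1] (mod MOD)."""
    share_b = [secrets.randbelow(MOD) for _ in perm]
    share_a = [(values[p - 1] - s) % MOD for p, s in zip(perm, share_b)]
    return share_a, share_b


def oprf(key, value, pos):
    """HMAC-SHA256 stand-in for F(k_pos, (value, pos)) (assumption: in the real
    batch OPRF only the second party holds key, only the first sees the output)."""
    return hmac.new(key, f"{value}|{pos}".encode(), hashlib.sha256).digest()


def shared_psi(first_table, second_table, first_perm, second_perm, keys):
    """first_table: cuckoo table of the first party (RANDOM for empty slots).
    second_table: simple-hash table of the second party (a list of items per bin).
    first_perm: the second party's first disordered sequence; second_perm: the first
    party's second disordered sequence; keys: one OPRF key per position.
    Returns (first party's shares, second party's shares, positions sent), where
    shares add up elementwise to the intersection elements."""
    m = len(first_table)
    first_vals = [secrets.randbelow(MOD) if v is RANDOM else v for v in first_table]
    # (1) First Shuffle-SS of the first hash table; the second party holds first_perm.
    upd_first, first_share = shuffle_share(first_vals, first_perm)
    # (2) Second party shuffles its table by first_perm and subtracts its share,
    #     applying the subtraction to every item of a multi-item bin.
    upd_second = [[(v - first_share[i]) % MOD for v in second_table[first_perm[i] - 1]]
                  for i in range(m)]
    # (3) Batch OPRF keyed by position; the second party evaluates its own table.
    first_oprf = [oprf(keys[i], upd_first[i], i + 1) for i in range(m)]
    second_oprf = {oprf(keys[i], v, i + 1) for i in range(m) for v in upd_second[i]}
    # (4) First target set: matched positions keep their data, the rest become random.
    matched = {i for i in range(m) if first_oprf[i] in second_oprf}
    first_target = [upd_first[i] if i in matched else secrets.randbelow(MOD)
                    for i in range(m)]
    # (5) Second Shuffle-SS: the second party inputs first_share, the first party
    #     holds second_perm; the first party then shuffles its target set and adds.
    upd_first_share, second_share = shuffle_share(first_share, second_perm)
    upd_target = [(first_target[second_perm[i] - 1] + second_share[i]) % MOD
                  for i in range(m)]
    # (6) The first party knows where intersection-related data landed and sends
    #     those positions; the second party picks the same positions from its share.
    positions = [i + 1 for i in range(m) if second_perm[i] - 1 in matched]
    first_out = [upd_target[i - 1] for i in positions]
    second_out = [upd_first_share[i - 1] for i in positions]
    return first_out, second_out, positions
```

The second party learns only the positions, which are meaningless to it without second_perm, and both output lists are uniformly random on their own; the test reconstructs x4, x3, x5, x2 in that order, matching the page's Table 8 walk-through.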
It should be noted that, for simplicity of description, the method embodiments are shown as a series of acts, but it should be understood by those skilled in the art that the embodiments are not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred embodiments, and that the acts are not necessarily required by the embodiments of the invention.
Referring to fig. 5, there is shown a block diagram of an embodiment of a privacy intersection system of the present invention for performing privacy intersection on a first data set of a first party and a second data set of a second party; the system comprises a first party 501 and a second party 502, wherein:
the first party 501 is configured to perform a first hash operation on the first data set to obtain a first hash table, and to perform an out-of-order secret sharing protocol with the second party based on the first hash table, so that the first party obtains an updated first hash table and the second party obtains a first sharing sequence; the updated first hash table and the first sharing sequence form a disordered secret sharing result of the first hash table scrambled by a first disordered sequence, wherein the first disordered sequence is owned by the second party;
the second party 502 is configured to perform a second hash operation on the second data set to obtain a second hash table, perform an out-of-order operation on the second hash table by using the first out-of-order sequence, and subtract the data in the corresponding position in the first sharing sequence from each data in the out-of-order second hash table to obtain an updated second hash table;
the first party 501 is further configured to perform an oblivious pseudorandom function (OPRF) protocol with the second party, so that the first party obtains a first OPRF result corresponding to each data in the updated first hash table, and the second party obtains a second OPRF result corresponding to each data in the updated second hash table;
the second party 502 is further configured to send the second OPRF result to the first party;
the first party 501 is further configured to compare the first OPRF result with the second OPRF result, and obtain a first target set according to the comparison result, where the first target set includes data of a corresponding position of a first OPRF result equal to the second OPRF result in the updated first hash table;
the first party 501 is further configured to obtain a secret sharing result of intersection data of the first data set and the second data set based on the first sharing sequence based on the first target set and the second party 502.
Optionally, the first hash operation includes a cuckoo hash operation, the second hash operation includes a simple hash operation, the first hash operation and the second hash operation use the same hash function, and lengths of the first hash table and the second hash table are equal.
Optionally, when a position of the shuffled second hash table holds two or more entries, the second party subtracts the value at the corresponding position of the first share sequence from each of those entries.
Optionally, the first party acts as the receiver in a batch OPRF protocol, using each entry of the updated first hash table together with its position as the OPRF input, and the second party acts as the sender, so that the first party obtains, for each entry of the updated first hash table, the first OPRF result under that position, and the second party obtains an OPRF key for each position;
the second party is further configured to compute, with the OPRF key of each position, the second OPRF result for every entry of the updated second hash table at that position, using the entry and its position as the input.
Optionally, the first target set has the same length as the first hash table and the second hash table, and the second party is configured to execute the shuffled secret sharing protocol with the first party based on the first share sequence, so that the second party obtains an updated first share sequence and the first party obtains a second share sequence; the updated first share sequence and the second share sequence form a shuffled secret sharing of the first share sequence under a second shuffle sequence (a second permutation) held by the first party;
the first party is configured to shuffle the first target set with the second shuffle sequence and to add to each entry of the shuffled first target set the value at the corresponding position of the second share sequence, obtaining an updated first target set, and to send the positions of the intersection-related entries of the updated first target set to the second party;
the second party is further configured to extract from the updated first share sequence the entries at those positions, obtaining a second target set; the updated first target set and the second target set form the secret sharing of the intersection of the first data set and the second data set.
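The following Python simulation is an added example and is not part of the patent or of the assignee's implementation. It walks the system embodiment described above (first party 501, second party 502) end to end: cuckoo hashing of the first data set, simple hashing of the second, the first Shuffle-SS execution under the second party's permutation, the position-wise subtraction, the batch OPRF comparison, the second Shuffle-SS execution under the first party's permutation and the extraction of the output shares. Assumptions not taken from the patent: shares are additive modulo the prime 2^61-1; three SHA-256-derived hash functions are used; Shuffle-SS and the batch OPRF are modeled as ideal functionalities (stand-ins that do the arithmetic in the clear, where the patent uses homomorphic encryption or oblivious transfer); the OPRF is modeled as HMAC-SHA256 with one key per position; and all function names (`shuffle_ss`, `psi_shares`, and so on) are the example's own.

```python
import hashlib
import hmac
import secrets

P = 2**61 - 1       # prime modulus for additive shares (assumed; not from the patent)
NUM_HASHES = 3      # hash functions shared by both hash operations (assumed)


def bin_index(k, x, m):
    """h_k(x): maps element x to a bin in [0, m) using the k-th hash function."""
    d = hashlib.sha256(bytes([k]) + x.to_bytes(8, "big")).digest()
    return int.from_bytes(d[:8], "big") % m


def cuckoo_hash(xs, m, max_evictions=1000):
    """First hash operation: one element per bin; empty bins get random dummies."""
    table = [None] * m
    for x in xs:
        cur, k = x, 0
        for _ in range(max_evictions):
            i = bin_index(k, cur, m)
            if table[i] is None:
                table[i] = cur
                break
            table[i], cur = cur, table[i]       # place cur, evict the old occupant
            k = secrets.randbelow(NUM_HASHES)   # re-insert the evicted one elsewhere
        else:
            raise RuntimeError("cuckoo insertion failed; enlarge m")
    return [secrets.randbelow(P) if v is None else v for v in table]


def simple_hash(ys, m):
    """Second hash operation: each element goes into every bin it hashes to."""
    table = [[] for _ in range(m)]
    for y in ys:
        for i in {bin_index(k, y, m) for k in range(NUM_HASHES)}:
            table[i].append(y)
    return table


def random_perm(m):
    """Fisher-Yates shuffle with a CSPRNG; the result is a party's shuffle sequence."""
    perm = list(range(m))
    for i in range(m - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm


def shuffle_ss(values, perm):
    """Shuffle-SS modeled as an ideal functionality (stand-in for the HE/OT protocol).
    The owner inputs `values`, the other party inputs `perm`; they receive shares with
    owner_share[i] + other_share[i] == values[perm[i]] (mod P)."""
    other_share = [secrets.randbelow(P) for _ in perm]
    owner_share = [(values[perm[i]] - other_share[i]) % P for i in range(len(perm))]
    return owner_share, other_share


def oprf(key, value, pos):
    """F_key(value, pos), modeled as HMAC-SHA256 (stand-in for the batch OPRF)."""
    msg = value.to_bytes(8, "big") + pos.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


def psi_shares(xs, ys, m):
    """Runs the protocol; returns (first party's shares, second party's shares)."""
    t1 = cuckoo_hash(xs, m)                           # P1: first hash table
    t2 = simple_hash(ys, m)                           # P2: second hash table
    pi = random_perm(m)                               # P2: first shuffle sequence
    t1_upd, share1 = shuffle_ss(t1, pi)               # P1 gets t1_upd, P2 gets share1
    t2_upd = [[(y - share1[i]) % P for y in t2[pi[i]]] for i in range(m)]  # P2
    keys = [secrets.token_bytes(32) for _ in range(m)]            # P2: one OPRF key per position
    oprf1 = [oprf(keys[i], t1_upd[i], i) for i in range(m)]       # P1's receiver outputs
    oprf2 = [{oprf(keys[i], v, i) for v in t2_upd[i]} for i in range(m)]  # P2, sent to P1
    matched = {i for i in range(m) if oprf1[i] in oprf2[i]}       # P1: compare
    target = [t1_upd[i] if i in matched else secrets.randbelow(P) for i in range(m)]
    sigma = random_perm(m)                            # P1: second shuffle sequence
    share1_upd, share2 = shuffle_ss(share1, sigma)    # P2 gets share1_upd, P1 gets share2
    target_upd = [(target[sigma[i]] + share2[i]) % P for i in range(m)]   # P1
    positions = [i for i in range(m) if sigma[i] in matched]               # P1 -> P2
    return [target_upd[i] for i in positions], [share1_upd[i] for i in positions]


def reconstruct(out1, out2):
    """Check only: adding both parties' shares reveals the intersection."""
    return sorted((a + b) % P for a, b in zip(out1, out2))
```

`reconstruct` exists only to check the simulation; in the protocol neither party performs it, and each party's view of the result is a list of masked field elements whose length equals the intersection size. The positions the first party sends in the last step are positions under the second shuffle sequence, which the second party does not know, so they do not tell the second party which bins of the hash tables matched; symmetrically, the first party sees matches at positions under the first shuffle sequence, which it does not know, and the matched entries it holds are masked by the first share sequence.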
Optionally, the shuffled secret sharing protocol is implemented with an additively homomorphic encryption scheme, or with an oblivious transfer (OT) protocol.
Optionally, the first party is configured to generate a homomorphic encryption key pair (private key and public key), to encrypt the first hash table under the public key, and to send the encrypted first hash table and the public key to the second party;
the second party is configured to generate the first shuffle sequence and a local random sequence, and to shuffle the local random sequence with the first shuffle sequence to obtain the first share sequence;
the second party is further configured to combine homomorphically, under the public key, each ciphertext of the encrypted first hash table with the value at the corresponding position of the local random sequence (an addition or subtraction on the plaintext, chosen so that the decrypted entry and the first share sequence recombine to the shuffled first hash table), obtaining an intermediate sequence; to shuffle the intermediate sequence with the first shuffle sequence, obtaining a target shuffled result; and to send the target shuffled result to the first party;
and the first party is further configured to decrypt the target shuffled result with the private key and public key, obtaining the updated first hash table.
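The following Python code is an added example, not the patent's or the assignee's implementation, of the homomorphic instantiation of the shuffled secret sharing protocol described in the preceding paragraphs: the first party encrypts its hash table under its own public key, the second party homomorphically subtracts its local random sequence, shuffles the ciphertexts with its first shuffle sequence and returns them, and the first party decrypts. Assumptions not taken from the patent: the additively homomorphic scheme is Paillier with a deliberately tiny, insecure key (two roughly 30-bit primes, so the code runs instantly; real keys use primes of 1024 bits or more); the homomorphic operation is subtraction of the random value, so that each decrypted entry plus the corresponding entry of the first share sequence equals the shuffled hash table entry modulo n; and all function names are the example's own. The second Shuffle-SS execution of the scheme (on the first share sequence, with the roles of the two parties swapped) uses the same exchange.

```python
import secrets
from math import gcd

# Toy key: two ~30-bit primes (insecure, for illustration only; assumed values).
P_PRIME, Q_PRIME = 1000000007, 998244353


def keygen(p=P_PRIME, q=Q_PRIME):
    """Paillier key pair with generator g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lambda = lcm(p-1, q-1)
    mu = pow(lam, -1, n)                           # L(g^lambda mod n^2) = lambda
    return n, (n, lam, mu)                         # public key n, private key


def encrypt(n, m):
    """Enc(m) = (1 + m*n) * r^n mod n^2 for a random r."""
    n2 = n * n
    r = secrets.randbelow(n - 1) + 1
    return (1 + (m % n) * n) * pow(r, n, n2) % n2


def decrypt(sk, c):
    """Dec(c) = L(c^lambda mod n^2) * mu mod n, with L(u) = (u - 1) / n."""
    n, lam, mu = sk
    n2 = n * n
    return (pow(c, lam, n2) - 1) // n * mu % n


def add_plain(n, c, k):
    """Enc(m) -> Enc(m + k mod n); a negative k performs homomorphic subtraction."""
    return c * (1 + (k % n) * n) % (n * n)


def party1_encrypt_table(t1):
    """First party: generate keys, encrypt the first hash table, send n and the ciphertexts."""
    n, sk = keygen()
    return n, sk, [encrypt(n, v) for v in t1]


def party2_shuffle_and_mask(n, enc_t1, pi):
    """Second party: local random sequence r, first share sequence = pi(r),
    intermediate[i] = Enc(t1[i] - r[i]), target shuffled result = pi(intermediate)."""
    m = len(enc_t1)
    r = [secrets.randbelow(n) for _ in range(m)]
    share1 = [r[pi[i]] for i in range(m)]
    intermediate = [add_plain(n, enc_t1[i], -r[i]) for i in range(m)]
    target = [intermediate[pi[i]] for i in range(m)]
    return target, share1          # target goes to the first party; share1 stays local


def run_shuffle_ss(t1, pi):
    """Full exchange; returns (updated first hash table, first share sequence)."""
    n, sk, enc_t1 = party1_encrypt_table(t1)
    target, share1 = party2_shuffle_and_mask(n, enc_t1, pi)
    t1_upd = [decrypt(sk, c) for c in target]
    return t1_upd, share1


def recombine(t1_upd, share1):
    """Check only: t1_upd[i] + share1[i] == t1[pi[i]] (mod n)."""
    n = P_PRIME * Q_PRIME
    return [(a + b) % n for a, b in zip(t1_upd, share1)]
```

`recombine` verifies the sharing relation and is not part of the exchange. The second party only ever handles ciphertexts under the first party's key, so it learns nothing about the hash table entries; the first party learns neither the permutation nor the random sequence, because every decrypted entry is masked by a uniformly random value modulo n.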
Optionally, the second party is configured to generate a first random sequence of length m, where m is the length of the first hash table;
the first party and the second party execute a preset operator built from n × 2^(n-1) oblivious transfer (OT) instances, where 2^n = m, so that the first party obtains the updated first hash table and the second party obtains a second random sequence of length m, such that the sum of the entries at a first position of the updated first hash table and of the second random sequence equals the sum of the entries at a second position of the first hash table and of the first random sequence, the first position being the image of the second position under the first shuffle sequence;
the second party is further configured to compute the first share sequence from the first random sequence and the second random sequence, so that the first share sequence and the updated first hash table form the shuffled secret sharing of the first hash table.
The embodiment realizes a privacy intersection system whose output is a secret sharing of the intersection, built from hashing, the shuffled secret sharing protocol (Shuffle-SS) and the oblivious pseudorandom function (OPRF), so that the two parties to the privacy intersection (the first party and the second party) obtain a secret sharing of the intersection of their data sets. Each party holds one share; neither can recover the intersection elements themselves, and only the size of the intersection is learned, which protects the privacy of the intersection data. Further, because the parties hold a secret sharing of the intersection, they can feed it directly into any secret-sharing-based multiparty computation that takes the intersection as input, for example machine learning training, which improves the efficiency of the subsequent computation without exposing the plaintext of any intersection element.
The system embodiments are described relatively briefly, since they are substantially similar to the method embodiments; for the relevant points, refer to the description of the method embodiments.
In this specification, the embodiments are described progressively, each embodiment focusing on its differences from the others, and identical or similar parts of the embodiments may be referred to one another.
The specific manner in which the modules of the systems of the above embodiments perform their operations has been described in detail in the method embodiments and is not repeated here.
Embodiments of the present invention provide a device for privacy intersection, comprising a memory, and one or more programs, wherein the one or more programs are stored in the memory, and configured to be executed by one or more processors, the one or more programs comprising instructions for performing the privacy intersection method described in one or more embodiments above.
Fig. 6 is a block diagram of an apparatus 800 for privacy intersection according to an exemplary embodiment. For example, the apparatus 800 may be a mobile phone, computer, digital broadcast terminal, messaging device, game console, tablet device, medical device, exercise device, personal digital assistant, or the like.
Referring to fig. 6, apparatus 800 may include one or more of the following components: a processing component 802, a memory 804, a power component 806, a multimedia component 808, an audio component 810, an input/output (I/O) interface 812, a sensor component 814, and a communication component 816.
The processing component 802 generally controls overall operation of the apparatus 800, such as operations associated with display, telephone calls, data communications, camera operations, and recording operations. Processing element 802 may include one or more processors 820 to execute instructions to perform all or part of the steps of the methods described above. Further, the processing component 802 can include one or more modules that facilitate interactions between the processing component 802 and other components. For example, the processing component 802 can include a multimedia module to facilitate interaction between the multimedia component 808 and the processing component 802.
The memory 804 is configured to store various types of data to support operations at the device 800. Examples of such data include instructions for any application or method operating on the device 800, contact data, phonebook data, messages, pictures, videos, and the like. The memory 804 may be implemented by any type or combination of volatile or nonvolatile memory devices such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disk.
The power supply component 806 provides power to the various components of the device 800. The power components 806 may include a power management system, one or more power sources, and other components associated with generating, managing, and distributing power for the device 800.
The multimedia component 808 includes a screen between the device 800 and the user that provides an output interface. In some embodiments, the screen may include a Liquid Crystal Display (LCD) and a Touch Panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive input signals from a user. The touch panel includes one or more touch sensors to sense touches, swipes, and gestures on the touch panel. The touch sensor may sense not only the boundary of a touch or slide action, but also the duration and pressure associated with the touch or slide operation. In some embodiments, the multimedia component 808 includes a front camera and/or a rear camera. The front camera and/or the rear camera may receive external multimedia data when the device 800 is in an operational mode, such as a shooting mode or a video mode. Each front camera and rear camera may be a fixed optical lens system or have focal length and optical zoom capabilities.
The audio component 810 is configured to output and/or input audio signals. For example, the audio component 810 includes a Microphone (MIC) configured to receive external audio signals when the device 800 is in an operational mode, such as a call mode, a recording mode, and a voice information processing mode. The received audio signals may be further stored in the memory 804 or transmitted via the communication component 816. In some embodiments, audio component 810 further includes a speaker for outputting audio signals.
The I/O interface 812 provides an interface between the processing component 802 and peripheral interface modules, which may be a keyboard, click wheel, buttons, etc. These buttons may include, but are not limited to: homepage button, volume button, start button, and lock button.
The sensor assembly 814 includes one or more sensors for providing status assessment of various aspects of the apparatus 800. For example, the sensor assembly 814 may detect the on/off state of the device 800, the relative positioning of the components, such as the display and keypad of the apparatus 800, the sensor assembly 814 may also search for a change in position of the apparatus 800 or one component of the apparatus 800, the presence or absence of user contact with the apparatus 800, the orientation or acceleration/deceleration of the apparatus 800, and a change in temperature of the apparatus 800. The sensor assembly 814 may include a proximity sensor configured to detect the presence of nearby objects without any physical contact. The sensor assembly 814 may also include a light sensor, such as a CMOS or CCD image sensor, for use in imaging applications. In some embodiments, the sensor assembly 814 may also include an acceleration sensor, a gyroscopic sensor, a magnetic sensor, a pressure sensor, or a temperature sensor.
The communication component 816 is configured to facilitate wired or wireless communication between the apparatus 800 and other devices. The device 800 may access a wireless network based on a communication standard such as WiFi, 2G or 3G, or a combination thereof. In one exemplary embodiment, the communication component 816 receives broadcast signals or broadcast-related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, the communication component 816 further includes a Near Field Communication (NFC) module to facilitate short-range communication. For example, the NFC module may be implemented based on radio frequency identification (RFID) technology, Infrared Data Association (IrDA) technology, Ultra Wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.
In an exemplary embodiment, the apparatus 800 may be implemented by one or more Application Specific Integrated Circuits (ASICs), digital Signal Processors (DSPs), digital Signal Processing Devices (DSPDs), programmable Logic Devices (PLDs), field Programmable Gate Arrays (FPGAs), controllers, microcontrollers, microprocessors, or other electronic elements for executing the methods described above.
In an exemplary embodiment, a non-transitory computer readable storage medium is also provided, such as memory 804 including instructions executable by processor 820 of apparatus 800 to perform the above-described method. For example, the non-transitory computer readable storage medium may be ROM, random Access Memory (RAM), CD-ROM, magnetic tape, floppy disk, optical data storage device, etc.
Fig. 7 is a schematic diagram of a server in some embodiments of the invention. The server 1900 may vary considerably in configuration or performance and may include one or more central processing units (central processing units, CPU) 1922 (e.g., one or more processors) and memory 1932, one or more storage media 1930 (e.g., one or more mass storage devices) that store applications 1942 or data 1944. Wherein the memory 1932 and storage medium 1930 may be transitory or persistent. The program stored in the storage medium 1930 may include one or more modules (not shown), each of which may include a series of instruction operations on a server. Still further, a central processor 1922 may be provided in communication with a storage medium 1930 to execute a series of instruction operations in the storage medium 1930 on the server 1900.
The server 1900 may also include one or more power supplies 1926, one or more wired or wireless network interfaces 1950, one or more input/output interfaces 1958, one or more keyboards 1956, and/or one or more operating systems 1941, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, and the like.
A non-transitory computer readable storage medium stores instructions which, when executed by a processor of an apparatus (server or terminal), enable the apparatus to perform the privacy intersection method shown in Fig. 1.
Since such a storage medium, when its instructions are executed by the processor of an apparatus (server or terminal), enables the apparatus to perform the privacy intersection method described in the embodiment corresponding to Fig. 1, its details are not repeated here, and the description of its beneficial effects is likewise omitted; for technical details not disclosed in the storage medium embodiments, refer to the description of the method embodiments of the present application.
In addition, embodiments of the present application provide a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of a computer device reads the computer instructions from the storage medium and executes them, so that the computer device performs the privacy intersection method described in the embodiment corresponding to Fig. 1; the details and beneficial effects are not repeated here, and for technical details not disclosed in the computer program product or computer program embodiments, refer to the description of the method embodiments of the present application.
Other embodiments of the invention will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This invention is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the invention and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the invention being indicated by the following claims.
It is to be understood that the invention is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the invention is limited only by the appended claims.
The foregoing description of the preferred embodiments of the invention is not intended to limit the invention to the precise form disclosed, and any such modifications, equivalents, and alternatives falling within the spirit and scope of the invention are intended to be included within the scope of the invention.
The above description of a privacy intersection method, a privacy intersection system, a device for privacy intersection and a readable storage medium provided by the present invention applies specific examples to illustrate the principles and embodiments of the present invention, and the above examples are only used to help understand the method and core ideas of the present invention; meanwhile, as those skilled in the art will have variations in the specific embodiments and application scope in accordance with the ideas of the present invention, the present description should not be construed as limiting the present invention in view of the above.

Claims (11)

1. A privacy intersection method for computing the intersection of a first data set of a first party and a second data set of a second party, the method comprising:
the first party performs a first hash operation on the first data set to obtain a first hash table; the second party performs a second hash operation on the second data set to obtain a second hash table;
the first party executes a shuffled secret sharing protocol with the second party based on the first hash table, so that the first party obtains an updated first hash table and the second party obtains a first share sequence; the updated first hash table and the first share sequence form a shuffled secret sharing of the first hash table under a first shuffle sequence held by the second party;
the second party shuffles the second hash table with the first shuffle sequence and subtracts from each entry of the shuffled second hash table the value at the corresponding position of the first share sequence, obtaining an updated second hash table;
the first party and the second party execute an oblivious pseudorandom function (OPRF) protocol, so that the first party obtains a first OPRF result for each entry of the updated first hash table and the second party obtains a second OPRF result for each entry of the updated second hash table;
the second party sends the second OPRF results to the first party; the first party compares the first OPRF results with the second OPRF results and derives a first target set from the comparison, the first target set containing the entries of the updated first hash table at the positions whose first OPRF result equals a second OPRF result;
the first party, together with the second party and based on the first target set and the first share sequence, obtains a secret sharing of the intersection of the first data set and the second data set.
2. The method of claim 1, wherein the first hash operation is a cuckoo hash and the second hash operation is a simple hash, the two hash operations use the same hash functions, and the first hash table and the second hash table have the same length.
3. The method of claim 1, wherein subtracting from each entry of the shuffled second hash table the value at the corresponding position of the first share sequence comprises:
when a position of the shuffled second hash table holds two or more entries, subtracting the value at the corresponding position of the first share sequence from each of those entries.
4. The method of claim 1, wherein the first party and the second party executing an oblivious pseudorandom function (OPRF) protocol, so that the first party obtains a first OPRF result for each entry of the updated first hash table and the second party obtains a second OPRF result for each entry of the updated second hash table, comprises:
the first party acting as receiver, with each entry of the updated first hash table and its position as the OPRF input, and the second party acting as sender, the two parties executing a batch OPRF protocol, so that the first party obtains for each entry of the updated first hash table the first OPRF result under its position, and the second party obtains an OPRF key for each position;
the second party computing, with the OPRF key of each position, from each entry of the updated second hash table at that position and its position, the second OPRF result for that entry under its position.
5. The method of claim 1, wherein the first target set has the same length as the first hash table and the second hash table, and the first party, together with the second party and based on the first target set and the first share sequence, obtaining a secret sharing of the intersection of the first data set and the second data set comprises:
the second party executing the shuffled secret sharing protocol with the first party based on the first share sequence, so that the second party obtains an updated first share sequence and the first party obtains a second share sequence; the updated first share sequence and the second share sequence forming a shuffled secret sharing of the first share sequence under a second shuffle sequence held by the first party;
the first party shuffling the first target set with the second shuffle sequence and adding to each entry of the shuffled first target set the value at the corresponding position of the second share sequence, obtaining an updated first target set;
the first party sending the positions of the intersection-related entries of the updated first target set to the second party, and the second party extracting from the updated first share sequence the entries at those positions, obtaining a second target set; the updated first target set and the second target set forming the secret sharing of the intersection of the first data set and the second data set.
6. The method of claim 1, wherein the shuffled secret sharing protocol is implemented with an additively homomorphic encryption scheme, or with an oblivious transfer protocol.
7. The method of claim 1, wherein the first party executing the shuffled secret sharing protocol with the second party based on the first hash table comprises:
the first party generating a homomorphic encryption private key and public key, encrypting the first hash table under the public key, and sending the encrypted first hash table and the public key to the second party;
the second party generating the first shuffle sequence and a local random sequence, and shuffling the local random sequence with the first shuffle sequence to obtain the first share sequence;
the second party combining homomorphically, under the public key, each ciphertext of the encrypted first hash table with the value at the corresponding position of the local random sequence, obtaining an intermediate sequence;
the second party shuffling the intermediate sequence with the first shuffle sequence, obtaining a target shuffled result;
the second party sending the target shuffled result to the first party;
and the first party decrypting the target shuffled result with the private key and public key, obtaining the updated first hash table.
8. The method of claim 1, wherein the first party executing the shuffled secret sharing protocol with the second party based on the first hash table comprises:
the second party generating a first random sequence of length m, where m is the length of the first hash table;
the first party and the second party executing a preset operator built from n × 2^(n-1) oblivious transfer instances, where 2^n = m, so that the first party obtains the updated first hash table and the second party obtains a second random sequence of length m, and the sum of the entries at a first position of the updated first hash table and of the second random sequence equals the sum of the entries at a second position of the first hash table and of the first random sequence, the first position being the image of the second position under the first shuffle sequence;
and the second party computing the first share sequence from the first random sequence and the second random sequence, so that the first share sequence and the updated first hash table form the shuffled secret sharing of the first hash table.
9. A privacy intersection system for computing the intersection of a first data set of a first party and a second data set of a second party, the system comprising the first party and the second party, wherein:
the first party is configured to perform a first hash operation on the first data set to obtain a first hash table, and to execute a shuffled secret sharing protocol with the second party based on the first hash table, so that the first party obtains an updated first hash table and the second party obtains a first share sequence; the updated first hash table and the first share sequence form a shuffled secret sharing of the first hash table under a first shuffle sequence held by the second party;
the second party is configured to perform a second hash operation on the second data set to obtain a second hash table, to shuffle the second hash table with the first shuffle sequence, and to subtract from each entry of the shuffled second hash table the value at the corresponding position of the first share sequence, obtaining an updated second hash table;
the first party is further configured to execute an oblivious pseudorandom function (OPRF) protocol with the second party, so that the first party obtains a first OPRF result for each entry of the updated first hash table and the second party obtains a second OPRF result for each entry of the updated second hash table;
the second party is further configured to send the second OPRF results to the first party;
the first party is further configured to compare the first OPRF results with the second OPRF results and to derive a first target set from the comparison, the first target set containing the entries of the updated first hash table at the positions whose first OPRF result equals a second OPRF result;
the first party is further configured to obtain, together with the second party and based on the first target set and the first share sequence, a secret sharing of the intersection of the first data set and the second data set.
10. An apparatus for privacy intersection comprising a memory and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by one or more processors, the one or more programs comprising instructions for performing the privacy intersection method of any of claims 1 to 8.
11. A readable storage medium having instructions stored thereon which, when executed by one or more processors of an apparatus, cause the apparatus to perform the privacy intersection method of any of claims 1 to 8.
CN202310236753.1A 2023-03-07 2023-03-07 Privacy intersection method, system and readable storage medium Active CN115967491B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310236753.1A CN115967491B (en) 2023-03-07 2023-03-07 Privacy intersection method, system and readable storage medium


Publications (2)

Publication Number Publication Date
CN115967491A CN115967491A (en) 2023-04-14
CN115967491B true CN115967491B (en) 2023-05-23

Family

ID=85905157

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310236753.1A Active CN115967491B (en) 2023-03-07 2023-03-07 Privacy intersection method, system and readable storage medium

Country Status (1)

Country Link
CN (1) CN115967491B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116488789A (en) * 2023-04-23 2023-07-25 北京火山引擎科技有限公司 Data processing method, device, equipment and medium
CN117171779B (en) * 2023-11-02 2024-02-27 闪捷信息科技有限公司 Data processing device based on intersection protection
CN117574412B (en) * 2024-01-16 2024-04-02 国家计算机网络与信息安全管理中心天津分中心 Multiparty privacy exchange method and device and electronic equipment

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115333721A (en) * 2022-10-13 2022-11-11 北京融数联智科技有限公司 Privacy set intersection calculation method, device and system

Family Cites Families (4)

Publication number Priority date Publication date Assignee Title
US10904225B2 (en) * 2018-05-07 2021-01-26 Microsoft Technology Licensing, Llc Computing a private set intersection
CN113259106B (en) * 2021-06-28 2021-09-24 华控清交信息科技(北京)有限公司 Data processing method and system
CN114329527A (en) * 2021-12-17 2022-04-12 阿里巴巴(中国)有限公司 Intersection data acquisition method, equipment and system
CN115186145B (en) * 2022-09-09 2022-11-18 华控清交信息科技(北京)有限公司 Privacy keyword query method, device and system

Patent Citations (1)

Publication number Priority date Publication date Assignee Title
CN115333721A (en) * 2022-10-13 2022-11-11 北京融数联智科技有限公司 Privacy set intersection calculation method, device and system

Also Published As

Publication number Publication date
CN115967491A (en) 2023-04-14

Similar Documents

Publication Publication Date Title
CN114756886B (en) Method and device for inquiring hiding trace
CN115967491B (en) Privacy intersection method, system and readable storage medium
CN115396100B (en) Careless random disorganizing method and system based on secret sharing
CN115396101B (en) Secret sharing based careless disorganizing method and system
CN114301594B (en) Inadvertent transmission method, multi-party secure computing platform and device for inadvertent transmission
CN113449325B (en) Data processing method and device and data processing device
CN114978512B (en) Privacy intersection method and device and readable storage medium
CN114884645B (en) Privacy calculation method and device and readable storage medium
CN112688779B (en) Data processing method and device and data processing device
CN114969830B (en) Privacy intersection method, system and readable storage medium
CN113254956A (en) Data processing method and device and data processing device
CN115085912A (en) Ciphertext computing method and device for ciphertext computing
CN114666048A (en) Data processing method and device, electronic equipment and storage medium
CN115941181B (en) Out-of-order secret sharing method, system and readable storage medium
CN114885038B (en) Encryption protocol conversion method, result acquisition node and privacy calculation node
CN114448631B (en) Multi-party security computing method, system and device for multi-party security computing
CN112671530B (en) Data processing method and device and data processing device
CN114969164B (en) Data query method and device and readable storage medium
CN114880691B (en) Character encoding and decoding method and device for character encoding and decoding
CN115499254B (en) User data processing method, device and system and readable storage medium
CN114760367B (en) Encryption protocol conversion method, first node and second node
CN111726802B (en) Communication method, device and storage medium based on WiFi Aware
CN114448630B (en) Multi-party secure computing method, system and device for multi-party secure computing
CN117579255B (en) Method and device for generating inadvertent transmission instance, electronic equipment and medium
CN112580063B (en) Data processing method and device and data processing device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant