CN115982768A - Privacy intersection method and device - Google Patents


Publication number
CN115982768A
Authority
CN
China
Prior art keywords
key
item
data
encryption
encrypted
Legal status
Pending
Application number
CN202211737648.8A
Other languages
Chinese (zh)
Inventor
吴晓晨
李阳
徐岩
蒋志勇
Current Assignee
Ant Blockchain Technology Shanghai Co Ltd
Original Assignee
Ant Blockchain Technology Shanghai Co Ltd

Abstract

A privacy intersection method and device are used for privacy intersection of two data sets. The privacy intersection method comprises: adjusting the first encryption item of each first data in the first data set by using a first adjusting key acquired in advance to obtain a first adjustment item; and performing privacy intersection on the first data set and the second data set based on the first adjustment item and the second encryption items of the second data in the second data set. The first adjustment key is determined based on a first encryption key corresponding to the first encryption item and a second encryption key corresponding to the second encryption item.

Description

Privacy intersection method and device
Technical Field
The embodiment of the specification belongs to the field of data security, and particularly relates to a privacy intersection method and device.
Background
Private set intersection (PSI) means that one or both parties obtain the intersection result without any additional information being leaked: each participant learns nothing about the other party's data beyond the intersection. Its purpose is to allow data to circulate and generate value while the data security of individuals and enterprises is protected.
Private set intersection (also called privacy intersection) has significant use scenarios in the current environment where data security is increasingly valued, such as privacy-preserving social network relationship discovery, sample alignment for federated learning, and federated whitelist computation. Where data are held by different managers, private set intersection achieves the win-win effect of protecting privacy and sharing information.
Disclosure of Invention
The invention aims to provide a privacy intersection method and device, which can safely and efficiently perform privacy intersection of the data of each party.
A first aspect of the present specification provides a privacy intersection method, including:
adjusting a first encryption item of each first data in the first data set by using a first adjusting key acquired in advance to obtain a first adjusting item;
performing privacy intersection on the first data set and the second data set based on the first adjustment item and a second encryption item of each second data in the second data set;
wherein the first adjustment key is determined based on a first encryption key corresponding to the first encrypted item and a second encryption key corresponding to the second encrypted item.
A second aspect of the present specification provides a privacy intersection method, including:
adjusting a first encryption item of each first data in the first data set by using a first adjusting key acquired in advance to obtain a first adjusting item, and adjusting a second encryption item of each second data in the second data set by using a second adjusting key acquired in advance to obtain a second adjusting item;
performing privacy intersection on the first data set and the second data set based on the first adjustment item and the second adjustment item;
wherein the first adjustment key is determined based on a first encryption key corresponding to the first encrypted item; the second adjustment key is determined based on the first encryption key and a second encryption key corresponding to the second encrypted item.
A third aspect of the present specification provides a privacy intersection apparatus, including:
an adjusting unit, configured to adjust the first encryption item of each first data in the first data set by using a first adjusting key acquired in advance to obtain a first adjustment item;
a privacy intersection unit, configured to perform privacy intersection on the first data set and the second data set based on the first adjustment item and a second encryption item of each second data in the second data set;
wherein the first adjustment key is determined based on a first encryption key corresponding to the first encrypted item and a second encryption key corresponding to the second encrypted item.
A fourth aspect of the present specification provides a privacy intersection apparatus, including:
a first adjusting unit, configured to adjust a first encryption item of each first data in the first data set by using a first adjusting key acquired in advance to obtain a first adjustment item;
a second adjusting unit, configured to adjust a second encryption item of each second data in the second data set by using a second adjusting key acquired in advance to obtain a second adjustment item;
a privacy intersection unit, configured to perform privacy intersection on the first data set and the second data set based on the first adjustment item and the second adjustment item;
wherein the first adjustment key is determined based on a first encryption key corresponding to the first encrypted item; the second adjustment key is determined based on the first encryption key and a second encryption key corresponding to the second encrypted item.
A fifth aspect of the present specification provides a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of any one of the first to fourth aspects.
A sixth aspect of the present specification provides a computing device comprising a memory having stored therein executable code and a processor that, when executing the executable code, implements the method of any of the first to fourth aspects.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present disclosure, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments described in the present disclosure, and it is obvious for a person skilled in the art to obtain other drawings based on these drawings without inventive labor.
FIG. 1 is a flow chart of a data encryption method in one embodiment of the present specification;
FIG. 2 is a flow chart of a privacy intersection method in one embodiment of the present specification;
FIG. 3 is a flow chart of a data encryption method in another embodiment of the present specification;
FIG. 4 is a flow chart of a privacy intersection method in another embodiment of the present specification;
FIG. 5 is a schematic diagram of a privacy intersection method in a further embodiment of the present specification;
FIG. 6 is a block diagram of a privacy intersection apparatus in one embodiment of the present specification;
FIG. 7 is a block diagram of a privacy intersection apparatus in another embodiment of the present specification.
Detailed Description
In order to make those skilled in the art better understand the technical solutions in the present specification, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only a part of the embodiments of the present specification, and not all of the embodiments. All other embodiments obtained by a person skilled in the art based on the embodiments in the present specification without any inventive step should fall within the scope of protection of the present specification.
Conventional privacy intersection methods include the following:
1. The naive hash method. The two parties participating in privacy intersection compute the hash value of each of their data items with the same hash function and send the resulting hash values to the other party, so that both parties can obtain the intersection. Although this method is simple and fast, it leaks privacy. For example, the data being intersected is the data itself and is often drawn from a small data space; a malicious party can then, within a limited time, find the inputs that produce the hash values sent by the other party, and so obtain additional information.
2. Methods based on homomorphic encryption. The receiver's plaintext set is encrypted with fully homomorphic encryption (FHE) and the resulting ciphertext is provided to the sender. The sender evaluates a polynomial on the ciphertext using FHE and returns the result to the receiver. The receiver decrypts the returned result with FHE; if the decryption result is 0, the corresponding receiver element exists in the sender's set, and the receiver thereby obtains the result of the intersection operation.
3. Methods based on elliptic curves. The method requires mapping the set elements of the receiver and the sender onto an agreed elliptic curve. The receiver selects an element sa, maps it to a point sa' on the elliptic curve, and sends sa' to the sender; the sender selects an element sb and performs the following calculation:
first, the element sb is mapped to a point sb' on the elliptic curve, and sb'·sa' is calculated. Then the two values sb' and sb'·sa' are transmitted to the receiver. After receiving them, the receiver calculates sa'·sb' and compares whether the calculated sa'·sb' and the received sb'·sa' match; if so, the element is in the intersection.
It should be noted that the above elliptic curve based method relies on the difficulty of inverting scalar multiplication on the elliptic curve, and so protects the exchanged values against an eavesdropper on the communication; however, it has the problems of large calculation overhead and large communication traffic.
4. Methods based on garbled circuits (GC). The function to be computed by the two parties is compiled into the corresponding Boolean circuit, and the circuit is then evaluated after garbling, so the method is highly general. However, a GC-based method needs to hold the entire circuit in memory, which occupies a large amount of memory, and needs to perform symmetric encryption and oblivious transfer calculations for each gate of the circuit, so its performance is poor.
5. Methods based on oblivious transfer (OT). The receiver applies two hash functions to each of its elements one by one, obtaining two hash values per element, then selects one of the two hash values and associates it with a bin. The sender computes two hash values for each of its elements in the same way and associates both hash values with bins. A bin here represents a way of function computation. The sender sends the receiver the bin calculation results obtained by performing the bin calculation on the two hash values of all of its elements. The receiver compares its own bin calculation results with the received ones; if a match exists, the corresponding element is in the intersection. In this method the sender maps both hash values of an element into the bin calculation function to obscure the element content, so that its set data is not leaked, and the receiver's elements are likewise unavailable to the sender. However, this method requires multiple hash calculations and function calculations, resulting in high computational overhead and high communication traffic.
6. Privacy intersection methods based on a trusted execution environment. A secure area is constructed in the central processing unit by software and hardware means, so that programs and data loaded into the secure area are protected in confidentiality and integrity. The method needs to use the mainstream technology provided by the manufacturer of the computing chip, such as Intel SGX on the x86 instruction set, AMD SEV (Secure Encrypted Virtualization), and TrustZone on the ARM instruction set architecture. Its advantage is that a secure execution environment is provided into which both parties can place their ciphertexts for the intersection without worrying about information leakage. Besides privacy intersection, the method supports more operators and complex algorithms, giving upper-layer services stronger expressiveness. But this adds cost, because trusted hardware requires specialized hardware and requires trust in the hardware manufacturer.
In view of the above drawbacks of existing privacy intersection methods, the inventors of the present application propose a privacy intersection method in which the two parties participating in privacy intersection use different encryption keys, and each encrypts and stores the data items to be compared in its own data set. The encrypted data items (encrypted items for short) of the two parties cannot be directly compared. Then, when privacy intersection is required on the data of both parties, the encrypted items of one party or of both parties are adjusted using an adjustment key, and privacy intersection is performed on the adjusted encrypted items (adjustment items for short).
First, the case where only one encrypted item is adjusted in the privacy intersection process is described below.
In the following description of the present specification, the two parties participating in privacy intersection are referred to as the first party and the second party; the data set held by the first party is referred to as the first data set, the data in the first data set as first data, and the data item used for comparison as the first data item. The data set held by the second party is referred to as the second data set, the data in the second data set as second data, and the data item used for comparison as the second data item.
Since the first party and the second party encrypt their data items in a similar way, the process of encrypting data items is described below mainly for the first party.
Fig. 1 is a flowchart of a data encryption method in an embodiment of the present disclosure, and as shown in fig. 1, the method may include the following steps:
in step S102, the first encryption key ska' is determined.
In one embodiment, the first encryption key ska' may be randomly generated.
In another embodiment, the first encryption key ska' may be generated based on the first initial key ska. The first initial key ska here has a corresponding decryption key. For example, it may be a symmetric encryption key.
In one example, a portion of bits in the bit string corresponding to the first initial key ska may be modified or inverted to obtain the first encryption key ska'.
In step S104, the first data item ItemA of each first data in the first data set is encrypted based on the first encryption key ska' and the agreed parameters.
The agreed parameters here include the first value g, or the elliptic curve and its base point.
In one example, the first data item may be a unique identifier of the first data, that is, each first data has one first data item, so that there are a plurality of first data items. Since the encryption method is the same for each first data item, no distinction is made below between the individual first data items.
In one embodiment, the product of the hash value of the first data item ItemA and the first encryption key ska' may be calculated to obtain h(ItemA)·ska', where h() is a hash operation. Then an exponentiation may be performed with the first value g agreed with the second party as the base and the calculated product as the exponent, obtaining the first encrypted item ItemA' = g^(h(ItemA)·ska').
In another embodiment, the first encrypted item may be calculated based on an elliptic curve and base point agreed with the second party. Specifically, scalar multiplication is performed on the base point G of the agreed elliptic curve with the same product h(ItemA)·ska' as the multiplier, obtaining the first encrypted item ItemA' = h(ItemA)·ska'·G.
Since the elliptic curve has the feature that scalar multiplication is difficult to invert (described later), encrypting the first data item based on the elliptic curve and base point ensures the security of the first data item.
In the same way that the first party determines the first encrypted item, the second party may obtain a second encrypted item corresponding to the second data item ItemB: ItemB' = g^(h(ItemB)·skb') or ItemB' = h(ItemB)·skb'·G, where skb' is the second encryption key determined by the second party, g is the first value, and G is the base point on the elliptic curve.
The characteristics of the elliptic curve are described below.
An elliptic curve is a mathematical curve that can generally be expressed by the following cubic equation in two variables:
y^2 = x^3 + ax + b (equation 1)
wherein a and b are coefficients.
The addition and multiplication of points may be defined on an elliptic curve.
Take two points P and Q on the elliptic curve and draw the straight line L through them; this line intersects the elliptic curve at a third point S. The line through S perpendicular to the x axis intersects the elliptic curve at another point R (generally, R is the mirror image of S about the x axis), and the point R is defined as the sum of P and Q, that is, P + Q = R. This is the addition operation.
When the points P and Q coincide, the straight line L is the tangent to the elliptic curve at P, and the point R obtained in this way can be expressed as R = P + P = 2·P. Repeating the addition operation gives the result of multiplying the point P by m: m·P = P + P + ... + P.
For more convenient use of the elliptic curve in data encryption and decryption, the elliptic curve may be defined over a finite field Fp. The finite field Fp contains a finite number of elements, namely a prime number p of them; the prime p is also called the order of the finite field. Operations within the finite field are defined modulo p.
The elliptic curve represented by equation (1) over the finite field Fp is often denoted Ep(a, b). By selecting the coefficients a, b and the finite field p, an elliptic curve is uniquely defined, and different elliptic curves have different security characteristics. Common elliptic curves include P-256, secp256k1, Curve25519, and others.
After the elliptic curve is restricted to a finite field, the points of the elliptic curve change from an infinite number of points continuous on the curve to a point set T consisting of a finite number of discrete points. Under the operation rules for points on the elliptic curve, the point set T forms a cyclic group, which is an Abelian group. The number of points in the point set is the order of the cyclic group.
Specifically, the cyclic group formed by an elliptic curve over the finite field has the following characteristics:
(1) Performing the addition operation on any points P and Q in the cyclic group gives a point R = P + Q that is still in the cyclic group, and the definition of the addition operation is consistent with that of a conventional elliptic curve;
(2) Multiplying any point P in the cyclic group gives a point Q = m·P = P + P + ... + P that is still in the cyclic group, where m belongs to the above finite field, and the definition of the multiplication operation is consistent with that of a conventional elliptic curve;
(3) The cyclic group has a generator G, also called the base point G of the elliptic curve, and a point at infinity O of the elliptic curve, satisfying n·G = O (n being the order of the cyclic group). The point at infinity O plays a role in these operations similar to zero in ordinary arithmetic.
(4) The addition operation and the multiplication operation in the cyclic group satisfy the distributive law and the commutative law, namely:
x·P + y·P = (x + y)·P;
x·(y·P) = y·(x·P);
It is also an important feature of the elliptic curve that, knowing m and P, it is easy to find the point Q by the multiplication rule in (2), but knowing the points Q and P it is almost impossible to recover the value of m (that is, scalar multiplication is difficult to invert). Together, these characteristics of elliptic curves over finite fields allow them to be applied in various encryption algorithms.
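To make properties (1) to (4) concrete, the following is an added Python implementation (not part of the patent) of point addition and scalar multiplication over the secp256k1 curve named above, with the point at infinity O represented as None; the scalars passed to check_group_properties are constructed sample values.

```python
"""Elliptic-curve group arithmetic over F_p, checking properties (1) to (4).

Toy implementation for illustration: not constant-time and without input
validation beyond on_curve(). Curve parameters are those of secp256k1.
"""

# secp256k1: y^2 = x^3 + A*x + B over F_P, base point G of prime order N
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A = 0
B = 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

O = None  # the point at infinity, which acts as zero in the group


def on_curve(pt):
    """True if pt is O or satisfies y^2 = x^3 + A*x + B (mod P)."""
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """P + Q by the chord-and-tangent rule described above, reduced mod P."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O  # P and -P lie on one vertical line: their sum is O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P  # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P  # reflect the third intersection about the x axis
    return (x3, y3)


def scalar_mul(m, pt):
    """m*P = P + P + ... + P, computed by double-and-add (m reduced mod N)."""
    result = O
    addend = pt
    m %= N
    while m:
        if m & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        m >>= 1
    return result


def check_group_properties(x, y):
    """Evaluate properties (1) to (4) for the constructed scalars x and y."""
    p_pt = scalar_mul(x, G)
    q_pt = scalar_mul(y, G)
    return {
        "closure_add": on_curve(point_add(p_pt, q_pt)),                       # (1)
        "closure_mul": on_curve(scalar_mul(y, p_pt)),                         # (2)
        "order": scalar_mul(N, G) is O,                                       # (3)
        "distributive": point_add(scalar_mul(x, p_pt), scalar_mul(y, p_pt))
                        == scalar_mul(x + y, p_pt),                           # (4)
        "commutative": scalar_mul(x, scalar_mul(y, p_pt))
                       == scalar_mul(y, scalar_mul(x, p_pt)),                 # (4)
    }


if __name__ == "__main__":
    print(check_group_properties(123456789, 987654321))
```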
In the embodiment of the present specification, the first party encrypts the first data item and the second party encrypts the second data item by using the characteristics of the elliptic curve, so that the security of the private data of the two parties participating in privacy intersection can be ensured, storage resources can be saved, and transmission efficiency can be improved.
According to an embodiment of the present specification, in order to perform privacy intersection on the data sets of the first party and the second party, a specific finite field p and an elliptic curve over that field need to be agreed between the first party and the second party. That is, the parties agree on the parameter p (order of the finite field) and on the parameters a and b of the elliptic curve in equation (1), resulting in the agreed elliptic curve Ep(a, b). In addition, the parties need to agree on the base point G.
It should be noted that after the first party encrypts the first data item ItemA of each first data to obtain the corresponding first encrypted item ItemA', the first encrypted item ItemA' may be added to the first data set to obtain an updated first data set. The updated first data set may then be stored with a trusted third party or in a database for querying by other parties. It should be understood that when the updated first data set is stored in a database, each first data may be recorded as a row of a table.
In the updated first data set, the first data item ItemA of each first data may be stored encrypted or in plaintext; for example, when stored encrypted it may be stored as a third encrypted item obtained by encrypting the first data item ItemA with the first initial key ska. It will be appreciated that in the result of the privacy intersection, the first encrypted item ItemA' may be replaced by the third encrypted item so that it can be decrypted.
The other data items in the first data set may be encrypted or stored in plaintext, which is not limited in this specification.
Similarly, the second party may also store the updated second data set to the trusted third party or the database, and the updated second data set may include a fourth encrypted item, where the fourth encrypted item is obtained by encrypting the second data item ItemB with the second initial key skb.
After the first party and the second party have stored their respective data sets with the trusted third party or in the database, the first party or the second party may send a privacy intersection request to the trusted third party or the database, which may then perform privacy intersection on the data sets of the two parties. The privacy intersection procedure is described below, taking the second party initiating the request as an example.
Fig. 2 is a flow chart of a privacy intersection method in an embodiment of the present specification. As shown in fig. 2, the method may include the following steps:
In step S202, the first encrypted item ItemA' of each first data in the first data set is adjusted by using a first adjustment key ska'' obtained in advance, so as to obtain a first adjustment item ItemA''.
In one embodiment, the first adjustment key ska'' is obtained by the trusted third party or database from a key holder.
In another embodiment, the first adjustment key ska'' is received by the trusted third party or database from the second party.
The first adjustment key ska'' is determined based on the first encryption key ska' corresponding to the first encrypted item ItemA' and the second encryption key skb' corresponding to the second encrypted item ItemB'.
In one example, the first adjustment key ska'' may be obtained as follows:
using a mapping algorithm agreed by the first and second parties, the first encryption key ska' is mapped to a first mapping value and the second encryption key skb' is mapped to a second mapping value. The quotient of the second mapping value divided by the first mapping value is taken as the first adjustment key ska''. Hereinafter the first adjustment key ska'' is written as skb'/ska'.
In one example, the mapping algorithm applies a predetermined hash function to map the encryption key onto the elliptic curve agreed by the first and second parties.
It should be noted that when the first adjustment key ska'' is obtained from the key holder, the first encryption key ska' and the second encryption key skb' may be deposited with the key holder by the first party and the second party themselves. When the first adjustment key ska'' is received from the second party, the second party may obtain the first encryption key ska' by obtaining the authorization of the first party.
In step S202, in the case where the first encrypted item ItemA' and the second encrypted item ItemB' are ciphertexts obtained by encrypting based on the same elliptic curve and base point, that is, where the first encrypted item ItemA' is determined according to the elliptic-curve embodiment of step S104, the first encrypted item ItemA' may be adjusted based on the agreed elliptic curve and the first adjustment key ska'', taking the first encrypted item ItemA' as the point and the first adjustment key ska'' as the multiplier. Specifically, this can be expressed as ItemA'' = (skb'/ska')·h(ItemA)·ska'·G = h(ItemA)·skb'·G.
In the case where the first encrypted item ItemA' and the second encrypted item ItemB' are ciphertexts obtained by exponentiation with the same base, that is, where the first encrypted item ItemA' is determined according to the exponentiation embodiment of step S104, an exponentiation may be performed with the first encrypted item ItemA' as the base and the first adjustment key ska'' as the exponent, and the result taken as the first adjustment item ItemA''. Specifically, this can be expressed as ItemA'' = (g^(h(ItemA)·ska'))^(skb'/ska') = g^(h(ItemA)·skb').
In step S204, privacy intersection is performed on the first data set and the second data set based on the first adjustment item ItemA'' and the second encrypted item ItemB' of each second data in the second data set.
That is, privacy intersection of the first data set and the second data set is performed by comparing h(ItemA)·skb'·G with h(ItemB)·skb'·G, or g^(h(ItemA)·skb') with g^(h(ItemB)·skb').
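The following added Python example (not the patent's own code) runs the exponentiation embodiment of steps S104 and S202 to S204 end to end: the first party encrypts under ska', the second under skb', and a third party holding only ciphertexts applies ska'' = skb'/ska', computed as skb'·(ska')^-1 in the exponent group of prime order q, before matching. The 64-bit safe-prime group, the e-mail identifiers and the record ids are all constructed for the demonstration, and pow(x, -1, q) needs Python 3.8 or later.

```python
"""One-sided adjustment privacy intersection, exponentiation embodiment.

Toy 64-bit safe-prime parameters are generated deterministically below;
a real deployment would use a standard large group instead.
"""
import hashlib
import random

_SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n):
    """Miller-Rabin with fixed bases (deterministic for n < 3.3e24)."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_safe_prime(bits, seed=2023):
    """Return (p, q) with p = 2q + 1 both prime; seeded so the demo is repeatable."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


P_MOD, Q_ORDER = gen_safe_prime(64)  # constructed toy group (the agreed parameters)
G_BASE = 4                           # 4 = 2^2 is a quadratic residue, so it has order q


def h(item):
    """h(): hash a data item to a nonzero exponent modulo q."""
    digest = hashlib.sha256(item.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % (Q_ORDER - 1) + 1


def encrypt_item(item, key):
    """ItemA' = g^(h(ItemA)*ska') mod p (step S104, exponentiation embodiment)."""
    return pow(G_BASE, h(item) * key % Q_ORDER, P_MOD)


def adjustment_key(ska, skb):
    """ska'' = skb'/ska': skb' times the inverse of ska' modulo the group order q."""
    return skb * pow(ska, -1, Q_ORDER) % Q_ORDER


def adjust_item(encrypted, adj_key):
    """ItemA'' = (ItemA')^(ska'') = g^(h(ItemA)*skb') (step S202)."""
    return pow(encrypted, adj_key, P_MOD)


def private_intersection(first_enc, second_enc, adj_key):
    """Step S204 as run by the third party, which sees only ciphertexts and ska''.

    first_enc / second_enc map a record id to that record's encrypted item.
    Returns the matching (first_id, second_id) pairs.
    """
    adjusted = {adjust_item(c, adj_key): rid for rid, c in first_enc.items()}
    return sorted((adjusted[c], rid) for rid, c in second_enc.items() if c in adjusted)


def demo():
    """Constructed sample: two parties, distinct keys, overlapping identifiers."""
    rng = random.Random(7)
    ska, skb = rng.randrange(1, Q_ORDER), rng.randrange(1, Q_ORDER)
    first = {"a1": "alice@example.com", "a2": "bob@example.com", "a3": "carol@example.com"}
    second = {"b1": "bob@example.com", "b2": "dave@example.com", "b3": "carol@example.com"}
    first_enc = {rid: encrypt_item(v, ska) for rid, v in first.items()}
    second_enc = {rid: encrypt_item(v, skb) for rid, v in second.items()}
    assert first_enc["a2"] != second_enc["b1"]  # different keys: not directly comparable
    return private_intersection(first_enc, second_enc, adjustment_key(ska, skb))


if __name__ == "__main__":
    print(demo())  # [('a2', 'b1'), ('a3', 'b3')]
```

Whoever holds ska'' together with the first party's ItemA' values can produce exactly the second party's encryption of those items, which is why the text keeps ska'' with the key holder or the trusted third party rather than handing it to either data owner.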
In addition, according to the above embodiments of the present specification, privacy intersection can be performed on the two data sets without revealing the plaintext data items of the first party and the second party.
Of course, in practical applications the privacy intersection request may also be initiated by the first party. In that case, the second adjustment key skb'' (i.e., ska'/skb') may be used to adjust the second encrypted item ItemB' of each second data in the second data set to obtain the second adjustment item ItemB'', and privacy intersection is performed on the first data set and the second data set based on the second adjustment item ItemB'' and the first encrypted item ItemA' of each first data in the first data set.
For how the second adjustment key skb'' is obtained and how the adjustment is applied, reference may be made to steps S202 to S204, which are not repeated here.
The above describes the case where only one encrypted item is adjusted; in this case the data item of each data in both parties' data sets is encrypted based on one key. To further improve data security, the data items may be encrypted based on a plurality of keys, in which case the encrypted items of both sides need to be adjusted when privacy intersection is performed. An encryption method based on a plurality of encryption keys and the corresponding privacy intersection procedure are described below.
Fig. 3 is a flow chart of a data encryption method in another embodiment of the present disclosure, and as shown in fig. 3, the method may include the following steps:
in step S302, a first spawn key ska1 'is determined based on the first encryption key ska' and using a predetermined hash function.
The hash function herein includes, but is not limited to, an SM3 function, an SHA-256 function, or an SHA-512 function, etc.
Taking the SM3 function as an example, the first encryption key ska' may be padded into a message with a length being a multiple of 512, and then a number of bits (for example, 8 bits from the last bit onward, that is, one byte) of the message may be modified to obtain a modified message. The modified message is then input to the SM3 function, and the output 256-bit digest value is used as the first derivation key ska 1'.
Similarly, the second party may also determine the second derived key skb1 'based on the second encryption key skb' and using the hash function described above.
In step S304, the first data item ItemA is encrypted based on the first derivation key ska 1' and the constraint parameter, and the obtained first ciphertext is split into two first original portions.
The default parameters here include the first value g or the elliptic curve and the base point.
In one embodiment, the product of the hash value of the first data item ItemA and the first derived key ska1' is calculated: h(ItemA)*ska1', where h() is a hash operation. Then, taking the first value g agreed with the second party as the base number and the calculated product as the exponent, an exponentiation is performed to obtain the first ciphertext: g^(h(ItemA)*ska1').
In another embodiment, the first ciphertext may be calculated based on an elliptic curve and a base point G agreed upon with the second party. Specifically, taking the product as the multiple, a point multiplication of the base point G on the agreed elliptic curve is performed to obtain the first ciphertext: h(ItemA)*ska1'*G.
After the first ciphertext is obtained, it may be divided equally into two first original portions: the front half and the back half of g^(h(ItemA)*ska1'), or, correspondingly, the front half and the back half of h(ItemA)*ska1'*G.
Similarly, the second party may obtain a second ciphertext g^(h(ItemB)*skb1') corresponding to the second data item ItemB and divide it equally into two second original portions: the front half and the back half of g^(h(ItemB)*skb1'). Or, the second party obtains the second ciphertext h(ItemB)*skb1'*G and divides it equally into two second original portions: the front half and the back half of h(ItemB)*skb1'*G.
In step S306, the two first original portions are encrypted separately to obtain two first encrypted portions, which together form the first encrypted item ItemA'.
In one embodiment, the front one of the two first original portions may be encrypted with a first intermediate key, which is determined based on a third derived key ska2' of the first encryption key ska', and the back first original portion may be encrypted with a second intermediate key, which is determined based on a fourth derived key ska3' of the first encryption key ska'.
The third derived key ska2' and the fourth derived key ska3' are obtained in the same way as the first derived key ska1': the bits in the bit string corresponding to the first encryption key ska' are modified in two different ways to obtain a first modification result and a second modification result, and the two modification results are input to the hash function separately to obtain two different digest values, which serve as the third derived key ska2' and the fourth derived key ska3'.
In one example, the first party may use the hash value of the concatenation of the third derived key ska2' and a first random number IV1 as the first intermediate key, which can thus be expressed as H(ska2', IV1). The hash value of the concatenation of two further hash values, namely the hash of the front first original portion concatenated with the fourth derived key ska3', and the first intermediate key, is used as the second intermediate key, which can thus be expressed as H(H(front half of g^(h(ItemA)*ska1'), ska3'), H(ska2', IV1)), or, in the elliptic curve case, as H(H(front half of h(ItemA)*ska1'*G, ska3'), H(ska2', IV1)).
It should be understood that the above is only an example; in practice the hash value of the third derived key ska2' may be used directly as the first intermediate key, or the hash value of the concatenation of the front first original portion and the fourth derived key ska3' may be used directly as the second intermediate key, and so on, which is not limited in this specification.
After obtaining the first intermediate key and the second intermediate key, the first party XORs the first intermediate key with the front first original portion to obtain one of the two first encrypted portions, and XORs the second intermediate key with the back first original portion to obtain the other first encrypted portion. The complete first encrypted item ItemA' is then obtained by concatenating the two first encrypted portions.
Similarly, the second party may obtain the fifth derived key skb2' and the sixth derived key skb3' by applying two different modifications to the second encryption key skb' and inputting the two results to the agreed hash function. The second party may then determine a third intermediate key based on the fifth derived key skb2', namely H(skb2', IV2), where IV2 is a second random number, and a fourth intermediate key based on the sixth derived key skb3', namely H(H(front half of g^(h(ItemB)*skb1'), skb3'), H(skb2', IV2)) (or H(H(front half of h(ItemB)*skb1'*G, skb3'), H(skb2', IV2))). Finally, the second party XORs the third intermediate key with the front second original portion to obtain one of the two second encrypted portions, and XORs the fourth intermediate key with the back second original portion to obtain the other second encrypted portion. The complete second encrypted item ItemB' is then obtained by concatenating the two second encrypted portions.
As described above, the first party and the second party may add their respective encrypted items to the corresponding data sets and store the data sets containing the encrypted items with a trusted third party or in a database. Either party may then send a privacy intersection request to the trusted third party or database, which performs the privacy intersection on the two data sets. The privacy intersection procedure is described below, taking the second party as the party that initiates the request.
FIG. 4 is a flow chart of a privacy intersection method in another embodiment of the present disclosure. As shown in fig. 4, the method may include the following steps:
Step S402: using a first adjustment key ska'' obtained in advance, adjust the first encrypted item ItemA' of each first data in the first data set to obtain a first adjustment item ItemA''; and using a second adjustment key skb'' obtained in advance, adjust the second encrypted item ItemB' of each second data in the second data set to obtain a second adjustment item ItemB''.
In one embodiment, the first and second adjustment keys ska'' and skb'' are obtained by the trusted third party or database from the key holder.
In another embodiment, the first and second adjustment keys ska'' and skb'' are received by the trusted third party or database from the second party.
Here the first adjustment key ska'' is determined based on the first encryption key ska' corresponding to the first encryption item ItemA', and the second adjustment key skb'' is determined based on the first encryption key ska' and the second encryption key skb' corresponding to the second encryption item ItemB'.
Taking the case of reception from the second party as an example, the second party obtains the first adjustment key ska'' and the second adjustment key skb'' as follows:
The second party determines the first, third and fourth derived keys ska1', ska2' and ska3' based on the first encryption key ska' previously received from the first party, using the agreed hash function, and determines the second, fifth and sixth derived keys skb1', skb2' and skb3' based on the second encryption key skb', using the same hash function.
The concatenation of the third derived key ska2', the fourth derived key ska3' and the ratio of the second derived key skb1' to the first derived key ska1' is taken as the first adjustment key ska''. The concatenation of the fifth derived key skb2' and the sixth derived key skb3' is taken as the second adjustment key skb''.
It should be understood that the determination of ska1', ska2', ska3', skb1', skb2' and skb3' may be made with reference to the above descriptions, which are not repeated here.
The ratio may be calculated as follows: using a mapping algorithm agreed by the first and second parties, the first encryption key ska' is mapped to a first mapping value and the second encryption key skb' is mapped to a second mapping value, and the second mapping value is divided by the first mapping value to obtain the ratio skb'/ska' (written above in terms of the derived keys as skb1'/ska1').
In one example, the mapping algorithm includes applying a predetermined hash function to map the encryption key onto an elliptic curve agreed upon by the first party and the second party.
Step S402 then proceeds specifically as follows:
The first adjustment key ska'' is split into the third derived key ska2', the fourth derived key ska3' and the ratio skb1'/ska1'. A first intermediate key is determined based on the third derived key ska2', and a second intermediate key is determined based on the fourth derived key ska3' and the first intermediate key. The two first encrypted portions obtained by splitting the first encrypted item ItemA' are adjusted with the first intermediate key and the second intermediate key respectively, giving two first adjusted portions. The first adjustment item ItemA'' is then determined based on the concatenation of the two first adjusted portions and the above ratio.
The first intermediate key and the second intermediate key are determined here as described above. Specifically, the first intermediate key may be expressed as H(ska2', IV1), and the second intermediate key as H(H(front half of g^(h(ItemA)*ska1'), ska3'), H(ska2', IV1)), or as H(H(front half of h(ItemA)*ska1'*G, ska3'), H(ska2', IV1)).
H(ska2', IV1) and H(H(front half of g^(h(ItemA)*ska1'), ska3'), H(ska2', IV1)) (or H(H(front half of h(ItemA)*ska1'*G, ska3'), H(ska2', IV1))) are then XORed with the two first encrypted portions of the first encrypted item ItemA' respectively, giving two first adjusted portions.
It is to be understood that the two first adjusted portions here are identical to the two first original portions described above, because XORing a value twice with the same key returns the value itself. Thus the concatenation of the two first adjusted portions is the first ciphertext g^(h(ItemA)*ska1') or h(ItemA)*ska1'*G. Note that the second intermediate key depends on the front first original portion, so the front portion must be recovered first and the second intermediate key recomputed from it before the back portion can be recovered.
Thereafter, when the first ciphertext and the second ciphertext were both obtained by point multiplication on the same elliptic curve with the same base point, that is, when the first ciphertext was determined according to the elliptic curve embodiment of step S304, a point multiplication is performed on the agreed elliptic curve with the first ciphertext as the point and the ratio skb1'/ska1' carried in the first adjustment key ska'' as the multiple, and the result is the first adjustment item ItemA''.
When the first ciphertext and the second ciphertext were both obtained by exponentiation with the same base number, that is, when the first ciphertext was determined according to the exponentiation embodiment of step S304, an exponentiation is performed with the first ciphertext as the base number and the ratio skb1'/ska1' carried in the first adjustment key ska'' as the exponent, and the result is the first adjustment item ItemA''.
The first adjustment item determined above is therefore ItemA'' = (skb1'/ska1') * h(ItemA)*ska1'*G = skb1'*h(ItemA)*G, or ItemA'' = (g^(h(ItemA)*ska1'))^(skb1'/ska1') = g^(h(ItemA)*skb1').
Next, the adjustment process for the second adjustment item ItemB'' is as follows:
The second adjustment key skb'' is split into the fifth derived key skb2' and the sixth derived key skb3'. A third intermediate key is determined based on the fifth derived key skb2', and a fourth intermediate key is determined based on the sixth derived key skb3' and the third intermediate key. The two second encrypted portions obtained by splitting the second encrypted item ItemB' are adjusted with the third intermediate key and the fourth intermediate key respectively, giving two second adjusted portions, which form the second adjustment item ItemB''.
The third intermediate key and the fourth intermediate key are determined here as described above. Specifically, the third intermediate key may be expressed as H(skb2', IV2), and the fourth intermediate key as H(H(front half of g^(h(ItemB)*skb1'), skb3'), H(skb2', IV2)), or as H(H(front half of h(ItemB)*skb1'*G, skb3'), H(skb2', IV2)).
H(skb2', IV2) and H(H(front half of g^(h(ItemB)*skb1'), skb3'), H(skb2', IV2)) (or H(H(front half of h(ItemB)*skb1'*G, skb3'), H(skb2', IV2))) are then XORed with the two second encrypted portions of the second encrypted item ItemB' respectively, giving two second adjusted portions. The two second adjusted portions are concatenated to obtain the second adjustment item ItemB''.
It should be understood that the two second adjusted portions are identical to the two second original portions described above, so that the resulting second adjustment item is the second ciphertext itself, again because XORing a value twice with the same key returns the value. Thus the second adjustment item is ItemB'' = g^(h(ItemB)*skb1') or ItemB'' = h(ItemB)*skb1'*G.
In step S404, privacy intersection is performed on the first data set and the second data set based on the first adjustment item ItemA'' and the second adjustment item ItemB''.
That is, the privacy intersection of the first data set and the second data set is performed by comparing skb1'*h(ItemA)*G with h(ItemB)*skb1'*G, or by comparing g^(h(ItemA)*skb1') with g^(h(ItemB)*skb1'); the two values are equal exactly when h(ItemA) = h(ItemB), that is (barring hash collisions) when ItemA = ItemB, and the item then belongs to the intersection.
In addition, according to the above embodiments of the present specification, privacy intersection can be performed on the data sets of both parties without revealing the plaintext data items of either the first party or the second party.
Of course, in practical applications the privacy intersection request may also be initiated by the first party. In that case the determination methods of the first adjustment key and the second adjustment key are interchanged, and the adjustment processes for the encrypted items are interchanged accordingly, which is not repeated here.
In summary, the privacy intersection method provided in one or more embodiments of the present specification has the following advantages:
1. Compared with a privacy intersection method based on a trusted execution environment, the method requires no additional hardware, so the cost of use can be reduced.
2. Being a pure software method, it can be combined with the storage capability of a database, so that not only is privacy intersection supported but the data are also stored encrypted, giving high security.
3. The two parties negotiate to generate adjustment keys, and the comparison values in the sets (namely the data items used for comparison) are adjusted with these keys instead of simply comparing hashes, which avoids the weakness of the naive hashing approach, where the hash values are easily brute-forced.
4. Compared with other privacy intersection methods, the method has low complexity, low computational cost and a small memory footprint.
The above describes a method for encrypting the data of both parties participating in a privacy intersection based on a plurality of encryption keys, and the corresponding privacy intersection method. The following describes the procedure of storing both data sets in a database and having the database execute the privacy intersection.
Fig. 5 is a schematic diagram of a privacy intersection method in a further embodiment of the present disclosure. In fig. 5, a first data set and a second data set are stored in the database, where the first data set includes a first encrypted item ItemA', a third encrypted item SM4A and other data items, and the second data set includes a second encrypted item ItemB', a fourth encrypted item SM4B and other data items. In addition, a first adjustment key ska'' corresponding to the first data set and a second adjustment key skb'' corresponding to the second data set are also maintained in the database.
Specifically, the database may receive a database query statement sent by the first party or the second party (generally, the querying party), where the from clause of the query statement names a first data table (the table corresponding to the first data set) and a second data table (the table corresponding to the second data set), and the join fields are the first encrypted item and the second encrypted item. The database then uses the first adjustment key ska'' to adjust the first encrypted item ItemA' in the first data table to obtain the first adjustment item ItemA'', and uses the second adjustment key skb'' to adjust the second encrypted item ItemB' in the second data table to obtain the second adjustment item ItemB''. Finally, a join query is performed based on the first adjustment item ItemA'' and the second adjustment item ItemB'', and the join result of the two data tables, that is, the privacy intersection of the two data sets, is determined.
Specifically, the join query may be performed using a hash join or a nested loop join.
In a hash join, a hash table is built over the data table with fewer rows. For example, a hash table is built for the first data table, keyed by the hash value of the first adjustment item ItemA''. The hash value of the join field in the other data table (namely the hash of the second adjustment item ItemB'') is then computed to determine whether rows of the two data tables match, and matching rows of the two tables are concatenated.
In a nested loop join, a row of the outer table (the table listed first in the from clause) is read and matched row by row against the inner table; where a match is found, the row of the outer table and the row of the inner table are concatenated. The execution resembles a nested loop.
It should be noted that when the select clause of the database query statement includes the first encrypted item and the second encrypted item, then for the rows in which the first encrypted item and the second encrypted item match, the third encrypted item SM4A and the fourth encrypted item SM4B are included in the result of the privacy intersection, so that the querying party can decrypt the one that belongs to it. For example, the first party may decrypt SM4A and the second party may decrypt SM4B.
Furthermore, when the result of the privacy intersection also includes other data items that are stored encrypted, those items can only be decrypted by the party holding their keys, which ensures that information outside the intersection is not revealed.
In short, the database provides a ciphertext-based join operator and supports join queries over data tables based on ciphertext, and can thus obtain the intersection of two data tables containing ciphertext; that is, it combines the data management capability of a database with privacy protection and provides a new implementation paradigm for private set intersection.
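As an added worked example (not code from the patent or its assignee), the following Python script runs the two-key flow of steps S302 to S306 and S402 to S404 end to end and then performs the hash join of the Fig. 5 embodiment over the adjusted items: each party derives three keys from its encryption key, encrypts a data item to h(Item)*k1*G, splits the point into two halves and XORs them with the two intermediate keys; the second party computes ska'' = (ska2', ska3', skb1'/ska1') and skb'' = (skb2', skb3'); and the database strips the XOR layers, multiplies the first ciphertext by the ratio and joins on the result. Everything the text leaves open is an assumption here: secp256k1 stands in for the agreed curve and base point, SHA-256 for the agreed hash, the derived keys are obtained by altering the last byte of the padded key, the ratio is a division modulo the group order, IV1 and IV2 are stored next to the data sets, and the sample identifiers are constructed.

```python
# Added example (not the patent's code): the two-key flow of Fig. 3 / Fig. 4 run on secp256k1.
import hashlib
import os

# secp256k1 parameters stand in for the curve and base point G the two parties agree on.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):  # affine addition on y^2 = x^3 + 7; None is the point at infinity
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):  # double-and-add; scalars are taken modulo the group order N
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def H(*parts):  # agreed hash of the concatenation of its inputs; SHA-256 stands in for SM3
    return hashlib.sha256(b"".join(parts)).digest()
def to_int(b):
    return int.from_bytes(b, "big")
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def point_bytes(pt):  # 64-byte x||y encoding, so each half is exactly one 32-byte digest long
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def derive_keys(enc_key):
    # S302: pad the key to one 512-bit block, alter a byte (here: XOR the last byte with
    # 1, 2, 3, an assumption), hash -> (k1, k2, k3), i.e. (ska1', ska2', ska3') for party A.
    block = enc_key.ljust(64, b"\x00")
    return tuple(H(block[:-1] + bytes([block[-1] ^ i])) for i in (1, 2, 3))

def encrypt_item(item, enc_key, iv):
    # S304-S306: Item' = (front XOR H(k2, IV)) || (back XOR H(H(front, k3), H(k2, IV)))
    k1, k2, k3 = derive_keys(enc_key)
    ct = point_bytes(ec_mul(to_int(H(item)) * to_int(k1), G))  # first ciphertext h(Item)*k1*G
    front, back = ct[:32], ct[32:]
    ik1 = H(k2, iv)
    return xor(front, ik1) + xor(back, H(H(front, k3), ik1))

def make_adjust_keys(ska_enc, skb_enc):
    # Second party: ska'' = (ska2', ska3', skb1'/ska1'), skb'' = (skb2', skb3'). The ratio is a
    # division modulo N (assumed reading of the "mapping algorithm"; it is what ItemA'' needs).
    a1, a2, a3 = derive_keys(ska_enc)
    b1, b2, b3 = derive_keys(skb_enc)
    return (a2, a3, to_int(b1) * pow(to_int(a1) % N, -1, N) % N), (b2, b3)

def strip_layer(enc_item, k2, k3, iv):
    # Undo S306 at the database: the front half first, because the second intermediate key
    # is derived from it, then the back half.
    ik1 = H(k2, iv)
    front = xor(enc_item[:32], ik1)
    return front + xor(enc_item[32:], H(H(front, k3), ik1))

def adjust_first(item_a_enc, ska_adj, iv1):
    # ItemA'' = (skb1'/ska1') * h(ItemA)*ska1'*G = skb1'*h(ItemA)*G
    a2, a3, ratio = ska_adj
    ct = strip_layer(item_a_enc, a2, a3, iv1)
    return point_bytes(ec_mul(ratio, (to_int(ct[:32]), to_int(ct[32:]))))

def adjust_second(item_b_enc, skb_adj, iv2):
    return strip_layer(item_b_enc, *skb_adj, iv2)  # ItemB'' = h(ItemB)*skb1'*G

def psi(set_a_enc, set_b_enc, ska_adj, skb_adj, iv1, iv2):
    # S404 as a hash join: index the ItemA'' values, probe with each ItemB''; returns (row_a, row_b)
    index = {adjust_first(c, ska_adj, iv1): i for i, c in enumerate(set_a_enc)}
    matches = []
    for j, c in enumerate(set_b_enc):
        a = adjust_second(c, skb_adj, iv2)
        if a in index:
            matches.append((index[a], j))
    return matches

def demo():
    # Constructed sample sets. IV1 and IV2 are assumed to be stored beside the data sets.
    set_a = [b"alice@example.com", b"bob@example.com", b"carol@example.com"]
    set_b = [b"carol@example.com", b"dave@example.com", b"alice@example.com"]
    ska_enc, skb_enc = os.urandom(32), os.urandom(32)  # ska', skb': never handed to the database
    iv1, iv2 = os.urandom(16), os.urandom(16)
    set_a_enc = [encrypt_item(x, ska_enc, iv1) for x in set_a]
    set_b_enc = [encrypt_item(x, skb_enc, iv2) for x in set_b]
    ska_adj, skb_adj = make_adjust_keys(ska_enc, skb_enc)
    return psi(set_a_enc, set_b_enc, ska_adj, skb_adj, iv1, iv2)

if __name__ == "__main__":
    print(demo())  # [(2, 0), (0, 2)]: carol and alice appear in both sets
```

Running the file prints the matching row pairs of the two constructed sets. Two points worth checking against the text: the database holds ska'' and skb'', which carry the ratio skb1'/ska1' but neither ska1' nor skb1', so it cannot compute skb1'*h(x)*G for a guessed x and brute-force the adjusted items, which is the property advantage 3 above relies on; and the second intermediate key is bound to the front half of the ciphertext, so strip_layer has to recover the halves in order, which is why a one-pass XOR of the whole item would not work.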
Fig. 6 is a block diagram of a privacy intersection apparatus in one embodiment of the present specification. The apparatus implements privacy intersection by executing the method shown in fig. 2 and includes:
an adjusting unit 602, configured to adjust a first encrypted item of each first data in the first data set by using a first adjustment key obtained in advance, so as to obtain a first adjustment item;
a privacy intersection unit 604, configured to perform privacy intersection on the first data set and the second data set based on the first adjustment item and the second encryption item of each second data in the second data set;
where the first adjustment key is determined based on a first encryption key corresponding to the first encryption item and a second encryption key corresponding to the second encryption item.
Fig. 7 is a block diagram of a privacy intersection apparatus in another embodiment of the present specification. The apparatus implements privacy intersection by executing the method shown in fig. 4 and includes:
a first adjusting unit 702, configured to adjust a first encrypted item of each first data in the first data set by using a first adjustment key obtained in advance, to obtain a first adjustment item;
a second adjusting unit 704, configured to adjust a second encrypted item of each second data in the second data set by using a second adjustment key obtained in advance, to obtain a second adjustment item;
a privacy intersection unit 706, configured to perform privacy intersection on the first data set and the second data set based on the first adjustment item and the second adjustment item;
where the first adjustment key is determined based on a first encryption key corresponding to the first encryption item, and the second adjustment key is determined based on the first encryption key and a second encryption key corresponding to the second encryption item.
Embodiments of the present specification also provide a computer-readable storage medium having a computer program stored thereon, which, when executed in a computer, causes the computer to perform the method as shown in any of fig. 1-5.
The embodiments of the present specification further provide a blockchain node, which includes a memory and a processor, where the memory stores executable code and the processor executes the executable code to implement the method shown in any one of figs. 1 to 5.
In the 1990s, an improvement in a technology could clearly be distinguished as either an improvement in hardware (for example, in circuit structures such as diodes, transistors and switches) or an improvement in software (an improvement in a method flow). As technology has advanced, however, many of today's method flow improvements can be regarded as direct improvements of hardware circuit structures. Designers almost always obtain the corresponding hardware circuit structure by programming an improved method flow into a hardware circuit, so it cannot be said that an improvement in a method flow cannot be realised with hardware physical modules. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose logic functions are determined by the user programming the device. A designer integrates a digital system onto a PLD by programming it, without asking a chip manufacturer to design and fabricate an application-specific integrated circuit. Furthermore, instead of manually manufacturing an integrated circuit chip, such programming is today mostly implemented with "logic compiler" software, which is similar to the software compiler used in program development; the source code before compilation is also written in a specific programming language, called a Hardware Description Language (HDL), of which there is not one kind but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM and RHDL (Ruby Hardware Description Language), among which VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog are the most commonly used at present.
It will also be apparent to those skilled in the art that a hardware circuit implementing the logical method flow can be readily obtained by programming the method flow into an integrated circuit using the hardware description languages described above.
The controller may be implemented in any suitable manner; for example, the controller may take the form of a microprocessor or processor together with a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro)processor, of logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller or an embedded microcontroller. Examples of such controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicon Labs C8051F320; a memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller as pure computer-readable program code, the same functionality can be implemented by logically programming the method steps so that the controller takes the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may thus be considered a hardware component, and the means included in it for performing the various functions may also be considered structures within the hardware component; or even the means for performing the functions may be regarded as both software modules for performing the method and structures within a hardware component.
The systems, apparatuses, modules or units described in the above embodiments may be specifically implemented by a computer chip or an entity, or implemented by a product with certain functions. One typical implementation device is a server system. Of course, this application does not exclude that with future developments in computer technology, the computer implementing the functionality of the above embodiments may be, for example, a personal computer, a laptop computer, a vehicle mounted human interaction device, a cellular telephone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device or a combination of any of these devices.
Although one or more embodiments of the present description provide method operational steps as described in the embodiments or flowcharts, more or fewer operational steps may be included based on conventional or non-inventive approaches. The order of steps recited in the embodiments is merely one manner of performing the steps in a multitude of orders and does not represent the only order of execution. When an actual apparatus or end product executes, it may execute sequentially or in parallel (e.g., parallel processors or multi-threaded environments, or even distributed data processing environments) according to the method shown in the embodiment or the figures. The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, the presence of additional identical or equivalent elements in processes, methods, articles, or apparatus that include the recited elements is not excluded. For example, if the terms first, second, etc. are used to denote names, they do not denote any particular order.
For convenience of description, the above devices are described as being divided into various modules by functions, and are described separately. Of course, when implementing one or more of the present description, the functions of each module may be implemented in one or more software and/or hardware, or the modules implementing the same functions may be implemented by a combination of a plurality of sub-modules or sub-units, etc. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process, such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, a network interface and memory.
The memory may include volatile memory in a computer readable medium, such as Random Access Memory (RAM), and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage, graphene storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media such as modulated data signals and carrier waves.
As will be appreciated by one skilled in the art, one or more embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, one or more embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, one or more embodiments of the present description may take the form of a computer program product embodied on one or more computer usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) having computer usable program code embodied therein.
One or more embodiments of the present description may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. One or more embodiments of the specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments in the present specification are described in a progressive manner; the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on its differences from the other embodiments. In particular, since the system embodiment is substantially similar to the method embodiment, its description is relatively brief, and reference may be made to the relevant part of the description of the method embodiment. In this specification, reference to the terms "one embodiment," "some embodiments," "an example," "a specific example," "some examples," and the like means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the specification. In this specification, such schematic uses of these terms do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, different embodiments or examples, and the features of different embodiments or examples, described in this specification can be combined by one skilled in the art provided they do not contradict each other.
The above description is intended to be illustrative of one or more embodiments of the disclosure, and is not intended to limit the scope of one or more embodiments of the disclosure. Various modifications and alterations to one or more embodiments described herein will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement or the like made within the spirit and principle of the present specification should be included in the scope of the claims.

Claims (22)

1. A privacy intersection method, comprising:
adjusting a first encryption item of each first data in a first data set by using a first adjustment key acquired in advance, to obtain a first adjustment item;
performing privacy intersection on the first data set and a second data set based on the first adjustment item and a second encryption item of each second data in the second data set;
wherein the first adjustment key is determined based on a first encryption key corresponding to the first encryption item and a second encryption key corresponding to the second encryption item.
2. The method of claim 1, wherein the first adjustment key is obtained by:
mapping the first encryption key to a first mapping value and the second encryption key to a second mapping value by using an agreed mapping algorithm; and
dividing the second mapping value by the first mapping value, and taking the obtained quotient as the first adjustment key.
3. The method of claim 2, wherein the first encryption item and the second encryption item are ciphertexts obtained by encryption on the same elliptic curve with the same base point, and the adjusting the first encryption item of each first data in the first data set comprises:
encrypting the first encryption item on the elliptic curve with the first adjustment key to obtain the first adjustment item, wherein the first adjustment item is the point multiplication that takes the first encryption item as the base point and the first adjustment key as the multiple.
4. The method of claim 2, wherein the first encryption item and the second encryption item are ciphertexts obtained by exponentiation with the same base, and the adjusting the first encryption item of each first data in the first data set comprises:
performing an exponentiation that takes the first encryption item as the base and the first adjustment key as the exponent, and taking the result as the first adjustment item.
5. A privacy intersection method, comprising:
adjusting a first encryption item of each first data in a first data set by using a first adjustment key acquired in advance to obtain a first adjustment item, and adjusting a second encryption item of each second data in a second data set by using a second adjustment key acquired in advance to obtain a second adjustment item;
performing privacy intersection on the first data set and the second data set based on the first adjustment item and the second adjustment item;
wherein the first adjustment key is determined based on a first encryption key corresponding to the first encryption item, and the second adjustment key is determined based on the first encryption key and a second encryption key corresponding to the second encryption item.
6. The method of claim 5, wherein the first data set is held by a first party and the second data set is held by a second party; the first encryption item is obtained by:
the first party determining a first derived key from the first encryption key by using an agreed hash function; encrypting a first data item corresponding to the first encryption item based on the first derived key, and splitting the obtained first ciphertext into two first original parts; and encrypting the two first original parts respectively to obtain two first encrypted parts, which form the first encryption item;
and the second encryption item is obtained by:
the second party determining a second derived key from the second encryption key by using the hash function; encrypting a second data item corresponding to the second encryption item based on the second derived key, and splitting the obtained second ciphertext into two second original parts; and encrypting the two second original parts respectively to obtain two second encrypted parts, which form the second encryption item.
7. The method of claim 6, wherein
the encrypting the first data item corresponding to the first encryption item comprises:
taking the product of the hash value of the first data item and the first derived key as a multiple, and performing point multiplication on a base point of an agreed elliptic curve to obtain the first ciphertext;
and the encrypting the second data item corresponding to the second encryption item comprises:
taking the product of the hash value of the second data item and the second derived key as a multiple, and performing point multiplication on the base point to obtain the second ciphertext.
8. The method of claim 6, wherein
the encrypting the first data item corresponding to the first encryption item comprises:
performing an exponentiation that takes an agreed first numerical value as the base and the product of the hash value of the first data item and the first derived key as the exponent, to obtain the first ciphertext;
and the encrypting the second data item corresponding to the second encryption item comprises:
performing an exponentiation that takes the first numerical value as the base and the product of the hash value of the second data item and the second derived key as the exponent, to obtain the second ciphertext.
9. The method of claim 6, wherein
the encrypting the two first original parts respectively comprises:
encrypting the former of the two first original parts by using a first intermediate key, and encrypting the latter by using a second intermediate key; the first intermediate key is determined based on a third derived key of the first encryption key, and the second intermediate key is determined based on a fourth derived key of the first encryption key;
and the encrypting the two second original parts respectively comprises:
encrypting the former of the two second original parts by using a third intermediate key, and encrypting the latter by using a fourth intermediate key; the third intermediate key is determined based on a fifth derived key of the second encryption key, and the fourth intermediate key is determined based on a sixth derived key of the second encryption key.
10. The method of claim 9, wherein
the first intermediate key and the second intermediate key are obtained by:
the first party taking the hash value of the concatenation of the third derived key and a first random number as the first intermediate key, and taking the hash value of the concatenation of the former first original part, the fourth derived key and the hash value of the first intermediate key as the second intermediate key;
and the third intermediate key and the fourth intermediate key are obtained by:
the second party taking the hash value of the concatenation of the fifth derived key and a second random number as the third intermediate key, and taking the hash value of the concatenation of the former second original part, the sixth derived key and the hash value of the third intermediate key as the fourth intermediate key.
11. The method of claim 9, wherein
the encrypting the former of the two first original parts with the first intermediate key and the latter with the second intermediate key comprises:
performing an XOR operation on the first intermediate key and the former first original part to obtain one of the two first encrypted parts, and performing an XOR operation on the second intermediate key and the latter first original part to obtain the other first encrypted part;
and the encrypting the former of the two second original parts with the third intermediate key and the latter with the fourth intermediate key comprises:
performing an XOR operation on the third intermediate key and the former second original part to obtain one of the two second encrypted parts, and performing an XOR operation on the fourth intermediate key and the latter second original part to obtain the other second encrypted part.
12. The method of claim 5, wherein the first adjustment key and the second adjustment key are obtained by:
the second party determining a first derived key, a third derived key and a fourth derived key from the first encryption key received in advance from the first party, by using an agreed hash function;
determining a second derived key, a fifth derived key and a sixth derived key from the second encryption key by using the hash function;
taking the concatenation of the third derived key, the fourth derived key and the ratio of the second derived key to the first derived key as the first adjustment key; and
taking the concatenation of the fifth derived key and the sixth derived key as the second adjustment key.
13. The method of claim 12, wherein
the adjusting the first encryption item of each first data in the first data set comprises:
splitting the first adjustment key into the third derived key, the fourth derived key and the ratio; determining a first intermediate key based on the third derived key, and a second intermediate key based on the fourth derived key and the first intermediate key; adjusting, based on the first intermediate key and the second intermediate key respectively, the two first encrypted parts obtained by splitting the first encryption item, to obtain two first adjusted parts; and determining the first adjustment item based on the concatenation of the two first adjusted parts and the ratio;
and the adjusting the second encryption item of each second data in the second data set comprises:
splitting the second adjustment key into the fifth derived key and the sixth derived key; determining a third intermediate key based on the fifth derived key, and a fourth intermediate key based on the sixth derived key and the third intermediate key; and adjusting, based on the third intermediate key and the fourth intermediate key respectively, the two second encrypted parts obtained by splitting the second encryption item, to obtain two second adjusted parts, which form the second adjustment item.
14. The method of claim 13, wherein the determining the first adjustment item comprises:
encrypting the concatenation on an agreed elliptic curve with the ratio to obtain the first adjustment item, wherein the concatenation serves as the base point and the ratio as the multiple.
15. The method of claim 13, wherein the determining the first adjustment item comprises:
performing an exponentiation that takes the concatenation as the base and the ratio as the exponent, and taking the result as the first adjustment item.
16. The method of claim 5, wherein the result of the privacy intersection comprises a third encryption item and/or a fourth encryption item; the third encryption item is obtained by encrypting a first data item corresponding to the first encryption item with a first initial key; the fourth encryption item is obtained by encrypting a second data item corresponding to the second encryption item with a second initial key; and the first initial key and the second initial key each have a corresponding decryption key.
17. The method of claim 16, wherein
the first encryption key is obtained by modifying or inverting some of the bits in the bit string corresponding to the first initial key; and
the second encryption key is obtained by modifying or inverting some of the bits in the bit string corresponding to the second initial key.
18. The method of claim 5, wherein the first data set comprises a first data table and the second data set comprises a second data table; and the performing privacy intersection on the first data set and the second data set comprises:
performing an association (join) query on the first data table and the second data table, and taking the obtained query result as the privacy intersection result.
19. A privacy intersection apparatus, comprising:
an adjustment unit configured to adjust a first encryption item of each first data in a first data set by using a first adjustment key acquired in advance, to obtain a first adjustment item;
a privacy intersection unit configured to perform privacy intersection on the first data set and a second data set based on the first adjustment item and a second encryption item of each second data in the second data set;
wherein the first adjustment key is determined based on a first encryption key corresponding to the first encryption item and a second encryption key corresponding to the second encryption item.
20. A privacy intersection apparatus, comprising:
a first adjustment unit configured to adjust a first encryption item of each first data in a first data set by using a first adjustment key acquired in advance, to obtain a first adjustment item;
a second adjustment unit configured to adjust a second encryption item of each second data in a second data set by using a second adjustment key acquired in advance, to obtain a second adjustment item;
a privacy intersection unit configured to perform privacy intersection on the first data set and the second data set based on the first adjustment item and the second adjustment item;
wherein the first adjustment key is determined based on a first encryption key corresponding to the first encryption item, and the second adjustment key is determined based on the first encryption key and a second encryption key corresponding to the second encryption item.
21. A computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of any one of claims 1 to 18.
22. A computing device comprising a memory having executable code stored therein and a processor which, when executing the executable code, implements the method of any one of claims 1 to 18.
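The following is an added worked example, not code from the patent or from the applicant, of the key-adjustment step in claims 1, 2 and 4 using the exponentiation form of claim 8: each party encrypts an item as g^(H(item)·k) in a prime-order group, the adjustment key is the quotient k2/k1 computed in the exponent group, and raising the first party's ciphertexts to that quotient re-keys them under k2 so they can be matched against the second party's ciphertexts. The group (a randomly generated toy safe prime), the mapping algorithm (SHA-256 reduced modulo the subgroup order) and the sample sets are assumptions; the claims leave who computes the quotient, and how the keys are exchanged, to claim 12.

```python
import hashlib
import secrets

def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin test; only used to build the toy group below."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_safe_prime(bits: int = 128) -> int:
    """Return p = 2q + 1 with p, q prime; 4 then generates the subgroup of prime order q.
    Toy size for the example; a deployment would use a standardised group."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1

class Group:
    """Agreed parameters shared by both parties: modulus p, subgroup order q, base g (claim 8's 'first numerical value')."""
    def __init__(self, p: int):
        self.p, self.q, self.g = p, (p - 1) // 2, 4

def to_scalar(data: bytes, q: int) -> int:
    """Assumed agreed mapping/hash algorithm: SHA-256 reduced into [1, q-1] so every value is invertible mod q."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (q - 1) + 1

def encrypt_item(grp: Group, key: bytes, item: bytes) -> int:
    """Encryption item in the style of claim 8: g ^ (H(item) * mapped_key) mod p."""
    return pow(grp.g, to_scalar(item, grp.q) * to_scalar(key, grp.q) % grp.q, grp.p)

def adjustment_key(grp: Group, key1: bytes, key2: bytes) -> int:
    """Claim 2: quotient of the second mapping value by the first, taken in the exponent group Z_q."""
    m1, m2 = to_scalar(key1, grp.q), to_scalar(key2, grp.q)
    return m2 * pow(m1, -1, grp.q) % grp.q

def adjust_item(grp: Group, enc_item: int, adj_key: int) -> int:
    """Claim 4: the adjustment item is the encryption item raised to the adjustment key.
    (g^(H(x) m1))^(m2/m1) = g^(H(x) m2), i.e. the item as the second party would encrypt it."""
    return pow(enc_item, adj_key, grp.p)

def private_intersection(grp: Group, first: list, key1: bytes, second: list, key2: bytes) -> set:
    """Claim 1: adjust the first party's encryption items, then match them against the second party's.
    Only the quotient needs to reach the adjusting party, never key1 or key2 themselves."""
    first_enc = {x: encrypt_item(grp, key1, x) for x in first}   # first party's encryption items
    second_enc = {encrypt_item(grp, key2, y) for y in second}    # second party's encryption items
    adj = adjustment_key(grp, key1, key2)                         # first adjustment key
    return {x for x, c in first_enc.items() if adjust_item(grp, c, adj) in second_enc}
```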

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211737648.8A CN115982768A (en) 2022-12-31 2022-12-31 Privacy intersection method and device


Publications (1)

Publication Number Publication Date
CN115982768A true CN115982768A (en) 2023-04-18

Family

ID=85973855

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211737648.8A Pending CN115982768A (en) 2022-12-31 2022-12-31 Privacy intersection method and device

Country Status (1)

Country Link
CN (1) CN115982768A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116305300A (en) * 2023-05-25 2023-06-23 北京数牍科技有限公司 Fair privacy set intersection method
CN116305300B (en) * 2023-05-25 2023-07-21 北京数牍科技有限公司 Fair privacy set intersection method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination