WO2023231340A1 - Execution method and device for shared ot protocol, and secure multi-party computation method and device - Google Patents


Info

Publication number
WO2023231340A1
Authority
WO
WIPO (PCT)
Prior art keywords
privacy
party
privacy value
value
serial number
Prior art date
Application number
PCT/CN2022/135294
Other languages
French (fr)
Chinese (zh)
Inventor
李漓春
尹栋
赵原
Original Assignee
蚂蚁区块链科技(上海)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 蚂蚁区块链科技(上海)有限公司
Publication of WO2023231340A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/46 Secure multiparty computation, e.g. millionaire problem

Definitions

  • One or more embodiments of this specification relate to the computer field, and in particular, to an execution method of a shared OT protocol, a secure multi-party computing method and device based on a shared OT protocol.
  • the oblivious transfer (OT) protocol is a typical two-party protocol in cryptography, and it is often used to support the execution of secure multi-party computations.
  • OT protocol to support secure multi-party computation (SMPC)
  • SMPC secure multi-party computation
  • different parties involved in secure multi-party computation usually need to transmit a large amount of data, and multiple rounds of communication may even be required between different parties.
  • One or more embodiments of this specification provide an execution method for a shared OT protocol, a secure multi-party computing method and device based on the shared OT protocol.
  • the first aspect provides a method for executing a shared OT protocol, involving a first party and a second party.
  • the second party holds N privacy values arranged in order and N random numbers arranged in order, the first party holds the first serial number of the target privacy value among the N privacy values, the target random number, and its second serial number among the N random numbers, and the method is applied to the second party.
  • the method includes: receiving from the first party a third sequence number calculated based on the first sequence number and the second sequence number; based on the third sequence number, the N privacy values and the N random numbers, calculating the intermediate data corresponding to each of the N-1 privacy values except for the third serial number; sending the intermediate data corresponding to each of the N-1 privacy values to the first party, so that the first party calculates the first fragment of the target privacy value; calculating the second fragment of the target privacy value based on the random number whose serial number is the third serial number and the privacy value ranked first, wherein the result of processing the first fragment and the second fragment by a preset algorithm is equal to the target privacy value.
  • the method further includes: receiving the N random numbers from a third party; wherein the target random number and the second sequence number are sent by the third party to the first party.
  • the third serial number is obtained by using N to perform a modulo operation on the sum of the first serial number and the second serial number.
  • the result of the summation operation of the two slices is equal to the target privacy value.
  • the third serial number is obtained by performing an XOR operation on the first serial number and the second serial number, and the result of performing an XOR operation on the first slice and the second slice is equal to the target privacy value.
  • based on the third serial number, the N privacy values and the N random numbers, calculating the intermediate data corresponding to each of the remaining N-1 privacy values other than the third serial number includes: for any privacy value with serial number j other than the third serial number, processing the random number with serial number j according to the second preset operation rule to obtain its corresponding first data item, and, based on the first data item, the second data item, the third data item and the privacy value ranked first, calculating the intermediate data with serial number j corresponding to the privacy value with serial number j, wherein the second data item is obtained by using the second preset operation rule to process the random number whose serial number is the third serial number.
  • the third data item is the privacy value with serial number y, where the value of y is the same as the result obtained by using N to perform a modulo operation on the difference between the third serial number and j.
  • calculating the second fragment of the target privacy value based on the random number whose sequence number is the third sequence number and the privacy value ranked first includes: calculating the second shard of the target privacy value according to the second data item and the privacy value ranked first.
  • the lengths of the N privacy values are all t bits; and processing the random number with serial number j according to the second preset operation rule to obtain its corresponding first data item includes: calculating a hash value of length t bits of the random number with serial number j as its corresponding first data item; or, for a random number with serial number j whose length is greater than t bits, extracting a bit sequence of length t bits starting from a predetermined position, and using the data represented by this bit sequence as the first data item corresponding to the random number with serial number j.
  • a method for executing a shared OT protocol involving a first party and a second party.
  • the second party holds N privacy values arranged in order and N random numbers arranged in order, the first party holds the first serial number of the target privacy value among the N privacy values, the target random number, and its second serial number among the N random numbers, and the method is applied to the first party.
  • the method includes: sending a third serial number calculated based on the first serial number and the second serial number to the second party, so that the second party calculates the second fragment of the target privacy value based on the random number whose serial number is the third serial number and the privacy value ranked first, and returns the intermediate data corresponding to each of the remaining N-1 privacy values except for the third serial number; calculating the first fragment of the target privacy value at least according to the first serial number and the target random number, wherein the result of processing the first fragment and the second fragment using a first preset operation rule is equal to the target privacy value.
  • the N random numbers are sent by a third party to the second party; the method further includes: receiving the target random number and the second sequence number from the third party.
  • the third serial number is obtained by using N to perform a modulo operation on the sum of the first serial number and the second serial number.
  • the result of the summation operation of the two slices is equal to the target privacy value.
  • the third serial number is a result obtained by performing an XOR operation on the first serial number and the second serial number, and the result obtained by performing an XOR operation on the first slice and the second slice is equal to the target privacy value.
  • calculating the first fragment of the target privacy value based on at least the first sequence number and the target random number includes: using a second preset operation rule to process the target random number to obtain the fourth data item; determining whether the target privacy value is the first-ranked privacy value based on the first serial number, and if so, using the fourth data item as the first fragment of the target privacy value; otherwise, calculating the first fragment of the target privacy value based on the fourth data item and the intermediate data corresponding to the privacy value whose serial number is the second serial number.
  • the length of the N privacy values is t bits; and using the second preset operation rule to process the target random number to obtain the fourth data item includes: calculating a hash value of length t bits of the target random number as the fourth data item; or, for the target random number whose length is greater than t bits, extracting a bit sequence of length t bits starting from a predetermined position, and using the data represented by the bit sequence of length t bits as the fourth data item.
  • a secure multi-party computing method based on the shared OT protocol involving a first party and a second party.
  • the first party holds a third privacy value that will be used as the first serial number
  • the second party holds a second privacy value
  • the method is applied to the second party.
  • the method includes: generating N privacy values arranged in order, wherein any privacy value with serial number j is obtained by processing serial number j and the second privacy value using a target operation rule, so that the privacy value whose serial number is the third privacy value is equal to the result of using the target operation rule to process the third privacy value and the second privacy value; for the N privacy values and the third privacy value as the first serial number, using the method described in any one of claims 1 to 7 to jointly execute the shared OT protocol with the first party, obtaining the second fragment of the target privacy value whose sequence number is the third privacy value, so that the first party correspondingly obtains the first fragment of the target privacy value whose sequence number is the third privacy value.
  • the second privacy value and the third privacy value are two slices of the fourth privacy value in modulo 2 space, and the lengths of the first slice and the second slice are each t bits, where t is greater than 1; the result of performing an XOR operation on the second privacy value and the third privacy value is equivalent to the result of performing a summation operation on the first fragment and the second fragment.
  • the target operation rules include summation operation, product operation, bitwise AND operation, bitwise OR operation or bitwise XOR operation.
  • the first preset operation rule includes a summation operation or a bitwise XOR operation.
  • the first party also holds a fourth privacy value, and the sum of the second privacy value and the fourth privacy value is equal to a fifth privacy value; the sum of the second shard and the third fragment is equal to the product of the third privacy value and the fifth privacy value, wherein the third fragment is calculated by the first party based on the third privacy value, the fourth privacy value and the first shard.
  • the first party also holds a fourth privacy value
  • the second party also holds a sixth privacy value and a seventh privacy value
  • the third privacy value and the sixth privacy value are two XOR slices, in the modulo 2 space, of the eighth privacy value located in the modulo 2 space, and the sum of the fourth privacy value and the seventh privacy value is equal to the fifth privacy value;
  • the second privacy value is calculated by the second party based on the sixth privacy value and the seventh privacy value, and the second fragment is used to calculate the product of the fifth privacy value and the eighth privacy value.
  • the fourth aspect provides a secure multi-party computing method based on the shared OT protocol, involving a first party and a second party.
  • the first party holds a third privacy value that will be used as the first serial number, and the second party holds a second privacy value; the method is applied to the first party.
  • the method includes: for the third privacy value as the first serial number and the N privacy values, using the method described in any one of the second aspects to jointly execute the shared OT protocol with the second party, obtaining the first fragment of the target privacy value whose sequence number is the third privacy value, so that the second party obtains the second fragment of the target privacy value whose sequence number is the third privacy value, wherein any privacy value with the sequence number j is obtained by the second party using the target operation rule to process the serial number j and the second privacy value, so that the privacy value whose serial number is the third privacy value is equal to the result of using the target operation rule to process the third privacy value and the second privacy value.
  • the second privacy value and the third privacy value are two slices of the fourth privacy value in modulo 2 space, and the lengths of the first slice and the second slice are each t bits, where t is greater than 1; the result of performing an XOR operation on the second privacy value and the third privacy value is equivalent to the result of performing a summation operation on the first fragment and the second fragment.
  • the target operation rules include summation operation, product operation, bitwise AND operation, bitwise OR operation or bitwise XOR operation.
  • the first preset operation rule includes a summation operation or a bitwise XOR operation.
  • the sum of the second privacy value and the fourth privacy value held by the first party is equal to the fifth privacy value.
  • the method further includes: calculating a third fragment based on the third privacy value, the fourth privacy value and the first fragment, so that the sum of the second fragment and the third fragment is equal to the product of the third privacy value and the fifth privacy value.
  • the first party also holds a fourth privacy value
  • the second party also holds a sixth privacy value and a seventh privacy value
  • the third privacy value and the sixth privacy value are two XOR slices, in the modulo 2 space, of the eighth privacy value located in the modulo 2 space, and the sum of the fourth privacy value and the seventh privacy value is equal to the fifth privacy value;
  • the second privacy value is calculated by the second party based on the sixth privacy value and the seventh privacy value, and the first fragment is used to calculate the product of the fifth privacy value and the eighth privacy value.
  • a secure multi-party computing method based on the shared OT protocol involving a first party and a second party.
  • the first party holds a third privacy value that will be used as the first serial number
  • the second party holds the fifth privacy value and the sixth privacy value, and the third privacy value and the sixth privacy value are two XOR slices, in the modulo 2 space, of the eighth privacy value located in the modulo 2 space
  • the method is applied to the first party.
  • the method includes: the second party generates N privacy values arranged in order, wherein any privacy value with serial number j is equal to the result of using the target operation rule to process the XOR result with serial number j and the fifth privacy value, and the XOR result with serial number j is obtained by performing an XOR operation on serial number j and the sixth privacy value, so that the target privacy value whose serial number is the third privacy value is equal to the result of using the target operation rule to process the fifth privacy value and the eighth privacy value; the first party and the second party, for the third privacy value as the first serial number and the N privacy values, jointly execute the shared OT protocol using the method described in any one of the first aspect and the second aspect, and obtain the first fragment and the second fragment of the target privacy value whose sequence number is the third privacy value.
  • the sixth aspect provides an execution device for sharing OT, involving a first party and a second party.
  • the second party holds N privacy values arranged in order and N random numbers arranged in order.
  • the first party holds the first serial number of the target privacy value among the N privacy values, the target random number, and its second serial number among the N random numbers, and the device is deployed on the second party.
  • the device includes: a communication processing unit configured to receive from the first party a third sequence number calculated based on the first sequence number and the second sequence number; a first calculation unit configured to receive the third sequence number based on the third sequence number.
  • the communication processing unit is also configured to send to the first party the intermediate data corresponding to each of the N-1 privacy values, so that the first party calculates the first fragment of the target privacy value; the second calculation unit is configured to calculate the second fragment of the target privacy value based on the random number whose serial number is the third serial number and the privacy value ranked first, wherein the result of processing the first fragment and the second fragment using the first preset operation rule is equal to the target privacy value.
  • an execution device for sharing OT involving a first party and a second party.
  • the second party holds N privacy values arranged in order and N random numbers arranged in order.
  • the first party holds the first serial number of the target privacy value among the N privacy values, the target random number, and its second serial number among the N random numbers, and the device is deployed on the first party.
  • the device includes: a communication processing unit configured to send a third sequence number calculated based on the first sequence number and the second sequence number to the second party, so that the second party calculates the second fragment of the target privacy value based on the random number whose serial number is the third serial number and the privacy value ranked first, and returns the intermediate data corresponding to each of the remaining N-1 privacy values except the third serial number; a calculation processing unit configured to calculate a first fragment of the target privacy value based on at least the first sequence number and the target random number, wherein the result of processing the first fragment and the second fragment using a first preset operation rule is equal to the target privacy value.
  • a secure multi-party computing device based on the OT protocol involving a first party and a second party.
  • the first party holds a third privacy value to be used as the first serial number
  • the second party holds a second privacy value, and the device is deployed on the second party.
  • the device includes: a calculation processing unit configured to generate N privacy values arranged in order, wherein any privacy value with serial number j is obtained by processing serial number j and the second privacy value using a target operation rule, so that the privacy value whose serial number is the third privacy value is equal to the result of using the target operation rule to process the third privacy value and the second privacy value; a calling processing unit configured to, for the N privacy values and the third privacy value as the first serial number, jointly execute the shared OT protocol with the first party through the shared OT execution device described in the sixth aspect, obtaining the second fragment of the target privacy value whose serial number is the third privacy value, so that the first party correspondingly obtains the first fragment of the target privacy value whose sequence number is the third privacy value.
  • a secure multi-party computing device based on the shared OT protocol involving a first party and a second party.
  • the first party holds a third privacy value to be used as the first serial number
  • the second party holds a second privacy value
  • the device is deployed on the first party.
  • the device is configured to jointly execute the shared OT protocol with the second party through the shared OT execution device described in the seventh aspect for the third privacy value and the N privacy values as the first serial number, and obtain the serial number.
  • any privacy value with the sequence number j is obtained by the second party using the target operation rule to process the serial number j and the second privacy value, so that the privacy value whose serial number is the third privacy value is equal to the result of using the target operation rule to process the third privacy value and the second privacy value.
  • a computer-readable storage medium is provided with a computer program stored thereon.
  • when the computer program is executed in a computing device, the computing device performs the method described in any one of the first to fourth aspects.
  • a computing device includes a memory and a processor.
  • a computer program is stored in the memory.
  • when the processor executes the computer program, it implements the method described in any one of the first to fourth aspects.
  • when the second party holds N privacy values and the first party holds the sequence number of the target privacy value among the N privacy values, the first party and the second party can each obtain a shard of the target privacy value by executing the shared OT protocol while ensuring the security of the target privacy value and its sequence number.
  • This allows the first party and the second party to implement secure multi-party calculations of privacy values based on the shared OT protocol.
  • when the first and second parties implement secure multi-party calculations, the amount of data they need to transmit is small and the number of communication rounds is relatively low, so that secure multi-party computation can be completed more efficiently.
  • Figure 1 is a schematic process diagram of a shared OT protocol execution method provided in the embodiment of this specification
  • Figure 2 is one of the process schematic diagrams of an exemplary secure multi-party computing method based on the shared OT protocol
  • Figure 3 is an exemplary process diagram of the secure multi-party computing method based on the shared OT protocol
  • Figure 4 is the third schematic process diagram of the secure multi-party computing method based on the shared OT protocol provided as an example
  • Figure 5 is an exemplary process diagram of the fourth secure multi-party computing method based on the shared OT protocol
  • Figure 6 is one of the schematic diagrams of an execution device for sharing an OT protocol provided in the embodiment of this specification
  • Figure 7 is a second schematic diagram of an execution device for sharing an OT protocol provided in the embodiment of this specification.
  • Figure 8 is a schematic diagram of a secure multi-party computing device based on the shared OT protocol.
  • the aforementioned privacy value $x_0$ is the first privacy value among the aforementioned N privacy values. It can be expressed as the first privacy value among the N privacy values.
  • sequence number of any j-th data in any sequence data can be set to j instead of j-1.
  • sequence number of the aforementioned privacy value $x_0$ among the aforementioned N privacy values can be set to 1.
  • Alice and Bob can each be implemented as any apparatus, device, platform or device cluster with computing/processing capabilities.
  • the Random Oblivious Transfer (Random OT) protocol is a variant of the above-mentioned OT protocol and can be used to construct the above-mentioned OT protocol.
  • the Random OT protocol can be implemented through a variety of cryptography techniques.
  • the requirements of the Random OT protocol are: Bob can obtain N random numbers $\{r_0, r_1, \ldots, r_{N-1}\}$ arranged in order; Alice can obtain the (i+1)-th random number $r_i$ among the N random numbers and its sequence number i among the N random numbers.
  • the method of constructing an OT protocol through the Random OT protocol may include but is not limited to the following steps S01 to S03:
  • Step S02 For each privacy value $x_j$ with serial number j among the N privacy values $\{x_0, x_1, \ldots, x_{N-1}\}$ except the privacy value $r_e$ with serial number e, use the random number with serial number (ej)%N among the N random numbers $\{r_0, r_1, \ldots, r_{N-1}\}$ to encrypt $x_j$ to obtain ciphertext $f_j$ with serial number j, and send the ciphertext $f_j$ to Alice;
  • Step S03 Alice uses the random number $r_i$ with serial number i that she holds to decrypt the received ciphertext $f_i$ with serial number i corresponding to the privacy value $x_i$, and can obtain the privacy value $x_p$ with serial number p.
  • Secure multi-party computation means that multiple participants jointly calculate the result of a function. During the calculation process, the input data of the function held by the participants is not disclosed. The input data held by each participant is usually treated as private data and cannot be known by other participants, but the calculation results are allowed to be disclosed to designated objects. For example, there may be the following secure multi-party computation requirements: Alice holds the private value A, and Bob holds the private value B. After performing secure multi-party computation, Alice obtains the fragment c0 and Bob obtains the fragment c1, where the result of processing c0 and c1 using preset operation rules is equal to the result of processing A and B using the target operation rule g.
  • the aforementioned target operation rules g may include but are not limited to secure modulo conversion, summation operation, product operation, bitwise AND operation, bitwise OR operation or bitwise XOR operation, etc.; the aforementioned preset operation rules may include but are not limited to summation operations or XOR operations.
  • the aforementioned OT protocol can generally be used to support the aforementioned secure multi-party computation.
  • the method of implementing the aforementioned secure multi-party computation through the aforementioned OT protocol may include but is not limited to the following steps S11 to S14:
  • Step S11 Bob generates a random value as fragment c1;
  • the N privacy values generated by Bob are also the ones in the aforementioned OT protocol.
  • Step S13 Alice uses A as p in the aforementioned OT protocol
  • Step S14 Alice jointly executes the aforementioned OT protocol based on A as p in the OT protocol and Bob based on the N privacy values calculated by it.
  • the embodiments of this specification provide an execution method of the shared OT protocol, a secure multi-party computing method and device based on the shared OT protocol, in order to reduce the amount of data that needs to be transmitted when implementing secure multi-party computation, thereby completing secure multi-party computations more efficiently.
  • FIG. 1 is a schematic process diagram of a method for executing a shared OT protocol provided in an embodiment of this specification.
  • Alice serves as the OT receiver (i.e., the first party) of the shared OT protocol
  • Bob serves as the OT sender (i.e., the second party) of the shared OT protocol.
  • By executing the Random OT protocol mentioned above or by other methods, Bob can obtain N random numbers $\{r_0, r_1, \ldots, r_{N-1}\}$ arranged in order, and Alice can obtain the target random number $r_i$ and its serial number i among the N random numbers.
  • Bob can specifically receive the aforementioned N random numbers $\{r_0, r_1, \ldots, r_{N-1}\}$ from a third party, and Alice can receive $r_i$ and its sequence number i among the aforementioned N random numbers from a third party.
  • Bob can also hold N privacy values $\{x_0, x_1, \ldots, x_{N-1}\}$ arranged in order, and Alice can also hold the first sequence number p of the target privacy value $x_p$ among the aforementioned N privacy values $\{x_0, x_1, \ldots, x_{N-1}\}$.
  • Alice and Bob can jointly execute the following method steps 100 to 110 as shown in Figure 1.
  • step 100 Alice calculates sequence number e based on sequence number p and sequence number i. For example, Alice can use N to perform a modulo operation on the sum of serial number p and serial number i to obtain serial number e, or she can perform an XOR operation on serial number p and serial number i to obtain serial number e, or she can use N to perform a modulo operation on the difference between serial number p and serial number i to obtain serial number e.
  • step 102 Alice sends sequence number e to Bob.
  • step 104 Bob calculates the intermediate data corresponding to each of the remaining N-1 privacy values except the sequence number e, based on the sequence number e, the N privacy values he holds, and the N random numbers.
  • Bob can use the second preset operation rule h to process the random number r_j with sequence number j among the N random numbers {r_0, r_1, ..., r_{N-1}} to obtain the first data item h(r_j) corresponding to the privacy value x_j, and then, based on the first data item h(r_j), the second data item, the third data item and the privacy value x_0 ranked first, calculate the intermediate data f_j with sequence number j corresponding to the privacy value x_j.
  • the aforementioned second data item is h(r_e), obtained by processing the random number r_e with sequence number e using the second preset operation rule h
  • the aforementioned third data item is the privacy value x_y with sequence number y among the N privacy values, where the value of y is the same as the result obtained by using N to perform the modulo operation on the difference between e and j.
  • the N privacy values {x_0, x_1, ..., x_{N-1}} can all be integers in the modulo 2^t space. In this case, it is necessary to ensure that, when the second preset operation rule h is used to process any random number held by Bob, data with a length of t bits is output for that random number.
  • the first data item h(r_j) obtained by processing the random number r_j using the second preset operation rule h can be a hash value of length t bits of the random number r_j calculated by Bob.
  • if the length of any random number r_j with sequence number j among the N random numbers {r_0, r_1, ..., r_{N-1}} is greater than t bits, the first data item h(r_j) obtained by processing the random number r_j using the second preset operation rule h can be the data represented by a sub-bit sequence of length t bits extracted starting from a predetermined position in the bit sequence characterizing the random number r_j.
  • the process in which Bob uses the second preset operation rule to process the random number r_e with sequence number e to obtain the second data item h(r_e) is the same as the process in which Bob uses the second preset operation rule to process the random number r_j to obtain its corresponding first data item h(r_j), and therefore will not be described again.
  • Bob can calculate the intermediate data f_j corresponding to the privacy value x_j through the following Formula 1:
  • the intermediate data f_j corresponding to the privacy value x_j can also be calculated in other ways, such as adding specific coefficients in front of some or all data items in Formula 1 or applying certain transformations to Formula 1. More specifically, for example, all the addition and subtraction operations involved in Formula 1 can be replaced with XOR operations.
  • Step 106: Bob sends the intermediate data corresponding to each of the remaining N-1 privacy values to Alice. That is, Bob needs to send to Alice the intermediate data f_j that he calculated for each privacy value x_j other than the one with sequence number e.
  • Step 108: Alice calculates the first fragment c0 of the target privacy value x_p based on the sequence number p and the target random number r_i.
  • Alice can use the aforementioned second preset operation rule h to process the target random number r_i she holds to obtain the fourth data item h(r_i).
  • Alice's method of obtaining the fourth data item h(r_i) can be the same as Bob's.
  • Alice can determine, based on the sequence number p, whether the target privacy value x_p is the first-ranked privacy value x_0. If so, the fourth data item h(r_i) is used as the first fragment c0 of the target privacy value x_p.
  • Step 110: Bob calculates the second fragment c1 of the target privacy value x_p based on the random number r_e with sequence number e and the privacy value x_0 ranked first.
  • Bob can use the second preset operation rule h to process the random number r_e with sequence number e to obtain the second data item h(r_e), and then in step 110, it can be based on the second data item h(r_e) and the privacy value.
  • the result of processing fragment c0 and fragment c1 using the first preset operation rule is equal to the target privacy value x_p, where the first preset operation rule can specifically be a summation operation or a bitwise XOR operation.
  • that is, the result of a summation operation or a bitwise XOR operation on the fragment c0 and the fragment c1 is equal to the target privacy value x_p.
  • Alice cannot know the target privacy value x_p, ensuring the security of the target privacy value x_p.
  • the aforementioned shared OT protocol can be used to support Alice and Bob in performing secure multi-party computation on two privacy values a and b.
  • secret sharing is widely used in secure multi-party computation. Its basic principle is to split the secret value into multiple shards (shares) and hand them over to different participants for safekeeping. Only when participants exceeding a threshold number merge the shards they each hold can the original secret value be recovered.
  • the threshold number is usually the same as the number of parties participating in the secure multi-party computation.
  • when Alice and Bob actually execute secure multi-party computation, for the privacy value a and the privacy value b that are expected to be processed through the target operation rule, the typical data holding situation is case 1 shown below; in addition to case 1, the data holding situations of Alice and Bob may include the following cases 2 to 4:
  • Case 1: Alice holds a and Bob holds b.
  • a and b can both be single-bit values 0 or 1 in the modulo 2 space; or a and b can both be integers in the modulo 2^t space; or a can be a single-bit value 0 or 1 in the modulo 2 space, and b an integer in the modulo 2^t space.
  • Case 2: a is a single-bit value 0 or 1 in the modulo 2 space, and b is an integer in the modulo 2^t space; Alice holds a and the fragment b0 of b in the modulo 2^t space, and Bob holds the fragment b1 of b in the modulo 2^t space.
  • Case 3: a is a single-bit value 0 or 1 in the modulo 2 space, and b is an integer in the modulo 2^t space; Alice holds the fragment a0 of a in the modulo 2 space and the fragment b0 of b in the modulo 2^t space, and Bob holds the fragment a1 of a in the modulo 2 space and the fragment b1 of b in the modulo 2^t space, where the result of the XOR operation on a0 and a1 is equal to a, and the result of the summation operation on b0 and b1 is equal to b.
  • Case 4: a is a single-bit value 0 or 1 in the modulo 2 space, and b is an integer in the modulo 2^t space; Alice holds the fragment a0 of a in the modulo 2 space, and Bob holds b and the fragment a1 of a in the modulo 2 space, where the result of the XOR operation on a0 and a1 is equal to a.
  • the aforementioned shared OT protocol can be used to implement secure multi-party computation of the privacy value a and the privacy value b.
  • the process by which Alice and Bob use the aforementioned shared OT protocol to implement secure multi-party computation of a and b may differ from one data holding situation to another.
  • the following describes in detail the process by which Alice and Bob implement secure multi-party computation of the privacy value a and the privacy value b based on the aforementioned shared OT protocol under each of the aforementioned four data holding situations.
  • Figure 2 is the first process diagram of the secure multi-party computing method based on the shared OT protocol.
  • Alice will serve as the receiver (i.e., the first party) of the shared OT protocol
  • Bob will serve as the sender (i.e., the second party) of the shared OT protocol. See Figure 2.
  • Alice and Bob can implement secure multi-party computation of privacy value a and privacy value b through step 200 and step 202 in the aforementioned data holding situation 1.
  • Step 200: Bob generates N privacy values arranged in order according to the privacy value b.
  • that is, the N privacy values {x_0, x_1, ..., x_{N-1}} arranged in order that are used in the aforementioned shared OT protocol are generated.
  • any privacy value x_j with sequence number j among the N privacy values can be obtained by processing the sequence number j and the privacy value b using the target operation rule g, so that the target privacy value x_a with sequence number a is equal to the result of using the target operation rule g to process the privacy value a and the privacy value b.
  • the target operation rule g may include, but is not limited to, summation operations, multiplication operations, bitwise AND operations, bitwise OR operations, or bitwise XOR operations; when a is a single-bit value in the modulo 2 space and b is an integer in the modulo 2^t space, the target operation rule may include, for example, but is not limited to, a multiplication operation. It should be noted that the value of N in step 200 should be greater than the privacy value a held by Alice.
  • Step 202: Alice, based on the privacy value a as the sequence number p, and Bob, based on the N privacy values he generated, jointly execute the shared OT protocol, so that Alice obtains the first fragment c0 of the target privacy value x_p, and Bob obtains the second fragment c1 of the target privacy value x_p. Since a is equal to p, the target privacy value x_p is obtained by Bob using the target operation rule g to process the sequence number p and the privacy value b. Therefore, the result of processing the first fragment c0 and the second fragment c1 using the first preset operation rule is equal to the result of processing a and b using the target operation rule g, so that Alice and Bob complete the secure multi-party computation of a and b.
  • a and b are two XOR fragments of a certain privacy value c in the modulo 2 space, that is, the result of the XOR operation on a and b is equal to the privacy value c in the modulo 2 space.
  • since the first fragment c0 and the second fragment c1 of the target privacy value are obtained, a secure modulus conversion is performed on the two fragments a and b.
  • Figure 3 is the second process diagram of the secure multi-party computing method based on the shared OT protocol.
  • Alice will serve as the receiver (i.e., the first party) of the shared OT protocol
  • Bob will serve as the sender (i.e., the second party) of the shared OT protocol.
  • Alice and Bob can implement secure multi-party calculations of privacy value a and privacy value b through steps 300 to 306 in the aforementioned data holding situation 2.
  • Step 300: Bob generates N privacy values arranged in order according to the fragment b1.
  • that is, the N privacy values {x_0, x_1, ..., x_{N-1}} arranged in order that are used in the aforementioned shared OT protocol are generated.
  • any privacy value x_j with sequence number j among the N privacy values can be obtained by processing the sequence number j and the fragment b1 using the target operation rule g, for example, by performing a multiplication operation on the sequence number j and the fragment b1. In this way, the target privacy value x_a with sequence number a is equal to the result of processing a and b1 using the target operation rule g.
  • Step 302: Alice, based on the privacy value a as the sequence number p, and Bob, based on the N privacy values he generated, jointly execute the shared OT protocol, so that Alice obtains the first fragment c0 of the target privacy value x_p, and Bob obtains the second fragment c1 of the target privacy value x_p. Since a is equal to p, x_p is obtained by Bob using the target operation rule g to process the sequence number p and the fragment b1. Therefore, the result of summing or XORing the first fragment c0 and the second fragment c1 of x_p is equal to the result of using the target operation rule g to process a and b1, thus completing the secure multi-party computation of a and b1.
  • Figure 4 is the third process diagram of the secure multi-party computing method based on the shared OT protocol.
  • the implementation shown in Figure 4 includes execution process 1 and execution process 2:
  • in execution process 1, Alice will be the receiver (i.e., the first party) of the shared OT protocol, and Bob will be the sender (i.e., the second party) of the shared OT protocol.
  • in execution process 2, Alice will be the sender of the shared OT protocol, and Bob will be the receiver of the shared OT protocol.
  • Alice and Bob can implement secure multi-party computation of privacy value a and privacy value b through steps 400 to 407 in the aforementioned data holding situation 3. Steps 400 to 402 belong to execution process 1, and steps 403 to 405 belong to execution process 2.
  • Execution process 1 and execution process 2 can be executed independently of each other and there is no necessary sequence relationship.
  • Step 400: Bob calculates the privacy value L1 based on the fragment a1 and the fragment b1.
  • Step 401: Bob generates N privacy values arranged in order according to the privacy value L1.
  • that is, the N privacy values {x_0, x_1, ..., x_{N-1}} arranged in order that are used in the aforementioned shared OT protocol are generated.
  • any privacy value x_j with sequence number j among the N privacy values can be obtained by processing the sequence number j and the privacy value L1 using the target operation rule g, for example, by performing a multiplication operation on the sequence number j and L1. In this way, the target privacy value with sequence number a0 is equal to the result of processing a0 and L1 using the target operation rule g.
  • Step 402: Alice, based on the privacy value a0 as the sequence number p, and Bob, based on the N privacy values he generated, jointly execute the shared OT protocol, so that Alice obtains the first fragment c00 of the target privacy value with sequence number a0 among the N privacy values generated by Bob, and Bob obtains the second fragment c01 of the target privacy value with sequence number a0 among the N privacy values generated by Bob.
  • Step 403: Alice calculates the privacy value L0 based on the fragment a0 and the fragment b0.
  • Step 404: Alice generates N privacy values arranged in order according to the privacy value L0.
  • that is, the N privacy values {x_0, x_1, ..., x_{N-1}} arranged in order that are used in the aforementioned shared OT protocol are generated.
  • any privacy value x_j with sequence number j among the N privacy values can be obtained by processing the sequence number j and the privacy value L0 using the target operation rule g, for example, by performing a multiplication operation on the sequence number j and L0. In this way, the privacy value with sequence number a1 is equal to the result of processing a1 and L0 using the target operation rule g.
  • Step 405: Bob, based on the privacy value a1 as the sequence number p, and Alice, based on the N privacy values she generated, jointly execute the shared OT protocol, so that Bob obtains the target privacy value with the sequence number a1 among the N privacy values generated by Alice.
  • Figure 5 is the fourth process diagram of the secure multi-party computing method based on the shared OT protocol.
  • Alice will serve as the receiver (i.e., the first party) of the shared OT protocol
  • Bob will serve as the sender (i.e., the second party) of the shared OT protocol. See Figure 5.
  • Alice and Bob can implement secure multi-party calculations of privacy value a and privacy value b through steps 500 to 502 in the aforementioned data holding situation 4.
  • Step 500: Bob generates N privacy values arranged in order according to the fragment a1 and the privacy value b.
  • any privacy value x_j with sequence number j is equal to the result obtained by using the target operation rule g to process the XOR result for sequence number j and the privacy value b (i.e., the fifth privacy value). The XOR result for sequence number j is obtained by performing an XOR operation on the sequence number j and the fragment a1 (i.e., the sixth privacy value), so that the target privacy value with sequence number a0 (i.e., the third privacy value) among the N privacy values is equivalent to the result of processing the privacy value b and the privacy value a using the target operation rule, for example, equal to the result of the multiplication operation on the privacy value a and the privacy value b.
  • Step 502: Alice, based on the fragment a0 as the sequence number p, and Bob, based on the N privacy values he generated, jointly execute the shared OT protocol, so that Alice obtains the first fragment c0 of the target privacy value with sequence number a0 among the N privacy values generated by Bob, and Bob obtains the second fragment c1 of the target privacy value with sequence number a0 among the N privacy values generated by Bob.
  • the result of the summation operation or the XOR operation on the first fragment c0 and the second fragment c1 is equal to the result of processing a and b using the target operation rule.
  • by executing the shared OT protocol, the first party and the second party can each obtain a fragment of the target privacy value while the security of the target privacy value and its sequence number is ensured.
  • this allows the first party and the second party to implement secure multi-party computation of two privacy values based on the shared OT protocol.
  • the amount of data that the first party and the second party need to transmit when implementing secure multi-party computation is small and the number of communication rounds is low, so secure multi-party computation can be completed more efficiently.
  • the embodiments of this specification also provide an execution device for the shared OT protocol, involving a first party and a second party.
  • the second party holds N privacy values arranged in order and N random numbers arranged in order; the first party holds the first sequence number of the target privacy value among the N privacy values, the target random number, and its second sequence number among the N random numbers.
  • the device is deployed on the second party.
  • the device includes: a communication processing unit 61 configured to receive from the first party a third sequence number calculated based on the first sequence number and the second sequence number; a first calculation unit 63 configured to calculate, based on the third sequence number, the N privacy values and the N random numbers, the intermediate data corresponding to each of the remaining N-1 privacy values other than the one whose sequence number is the third sequence number; the communication processing unit 61 is also configured to send the intermediate data corresponding to each of the N-1 privacy values to the first party, so that the first party calculates the first fragment of the target privacy value; and a second calculation unit 65 configured to calculate the second fragment of the target privacy value based on the random number whose sequence number is the third sequence number and the privacy value ranked first, wherein the result of processing the first fragment and the second fragment using a first preset operation rule is equal to the target privacy value.
  • the embodiments of this specification also provide an execution device for the shared OT protocol, involving a first party and a second party.
  • the second party holds N privacy values arranged in order and N random numbers arranged in order; the first party holds the first sequence number of the target privacy value among the N privacy values, the target random number, and its second sequence number among the N random numbers.
  • the device is deployed on the first party.
  • the device includes: a communication processing unit 71 configured to send a third sequence number calculated based on the first sequence number and the second sequence number to the second party, so that the second party calculates the second fragment of the target privacy value based on the random number whose sequence number is the third sequence number and the privacy value ranked first, and returns the intermediate data corresponding to each of the remaining N-1 privacy values other than the one whose sequence number is the third sequence number; and a calculation processing unit 73 configured to calculate the first fragment of the target privacy value based on at least the first sequence number and the target random number, wherein the result obtained by processing the first fragment and the second fragment using the first preset operation rule is equal to the target privacy value.
  • the embodiment of this specification also provides a secure multi-party computing device based on the OT protocol, involving a first party and a second party.
  • the first party holds a third privacy value that will be used as the first sequence number, the second party holds the second privacy value, and the device is deployed on the second party.
  • the device includes: a calculation processing unit 81 configured to generate N privacy values arranged in order, wherein any privacy value with sequence number j is obtained by using a target operation rule to process the sequence number j and the second privacy value, so that the privacy value whose sequence number is the third privacy value is equal to the result of processing the third privacy value and the second privacy value using the target operation rule; and a call processing unit 83 configured to, based on the N privacy values, jointly execute the shared OT protocol with the first party, which acts based on the third privacy value as the first sequence number, through the execution device for the shared OT protocol deployed on the second party as described in the embodiments of this specification, so as to obtain the second fragment of the target privacy value whose sequence number is the third privacy value, and enable the first party to correspondingly obtain the first fragment of the target privacy value whose sequence number is the third privacy value.
  • the embodiments of this specification also provide a secure multi-party computing device based on the shared OT protocol, involving a first party and a second party.
  • the first party holds a third privacy value that will be used as the first sequence number, the second party holds the second privacy value, and the device is deployed on the first party.
  • the device is configured to, based on the third privacy value as the first sequence number, jointly execute the shared OT protocol with the second party through the execution device for the shared OT protocol deployed on the first party as described in the embodiments of this specification, so as to obtain the first fragment of the target privacy value whose sequence number is the third privacy value, and enable the second party to obtain the second fragment of the target privacy value whose sequence number is the third privacy value.
  • any privacy value with sequence number j is obtained by the second party using the target operation rule to process the sequence number j and the second privacy value, so that the privacy value whose sequence number is the third privacy value is equal to the result of processing the third privacy value and the second privacy value using the target operation rule.
  • the functions described in this specification can be implemented using hardware, software, firmware, or any combination thereof.
  • the computer program corresponding to these functions can be stored in a computer-readable medium or transmitted as one or more instructions/codes on the computer-readable medium, so that the computer program corresponding to these functions can be executed by a computer and the method described in any embodiment of this specification is implemented through the computer.
  • the embodiments of this specification also provide a computer-readable storage medium on which computer programs/instructions are stored.
  • when the computer programs/instructions are executed in a computing device, the computing device executes the execution method of the shared OT protocol implemented by the first party or the second party provided in any embodiment of this specification, or the secure multi-party computing method based on the shared OT protocol implemented by the first party or the second party provided in any embodiment of this specification.
  • the embodiments of this specification also provide a computing device, including a memory and a processor.
  • computer programs/instructions are stored in the memory.
  • when the processor executes the computer programs/instructions, the execution method of the shared OT protocol implemented by the first party or the second party provided in any embodiment of this specification, or the secure multi-party computing method based on the shared OT protocol implemented by the first party or the second party provided in any embodiment of this specification, is implemented.
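The following is an added example, not code from the patent or its applicant: a single-process Python run of steps 100 to 110 in the sum-mod-N variant, applied to data holding cases 1 and 4 with multiplication as the target operation rule g. Formula 1 is not reproduced on this page, so the expressions used for f_j, for c0 when p is not 0, and for c1 are an assumed instantiation built from the data items the text names; the SHA-256-based `h`, the value `T = 32`, every function name, and the local `random_ot_setup` stand-in for Random OT are likewise assumptions.

```python
import hashlib
import secrets

T = 32            # constructed parameter: privacy values are t-bit integers
MOD = 1 << T      # the "modulo 2^t space"


def h(r: bytes) -> int:
    """Second preset operation rule h: here a hash of r truncated to t bits."""
    return int.from_bytes(hashlib.sha256(r).digest()[: T // 8], "big")


def random_ot_setup(n: int):
    """Stand-in for Random OT or the third party (this local version is not
    itself oblivious): Bob gets r_0..r_{N-1}; Alice gets an index i and r_i."""
    rs = [secrets.token_bytes(16) for _ in range(n)]
    i = secrets.randbelow(n)
    return rs, i, rs[i]


def alice_index(p: int, i: int, n: int) -> int:
    """Step 100: e = (p + i) mod N. i is uniform and unknown to Bob, so e hides p."""
    return (p + i) % n


def bob_intermediate(e: int, xs: list, rs: list) -> dict:
    """Step 104: f_j for every j != e, with y = (e - j) mod N.
    ASSUMED instantiation: f_j = x_y - x_0 + h(r_e) - h(r_j) mod 2^t."""
    n, he = len(xs), h(rs[e])
    return {j: (xs[(e - j) % n] - xs[0] + he - h(rs[j])) % MOD
            for j in range(n) if j != e}


def bob_share(e: int, xs: list, rs: list) -> int:
    """Step 110 (ASSUMED form): c1 = x_0 - h(r_e) mod 2^t."""
    return (xs[0] - h(rs[e])) % MOD


def alice_share(p: int, i: int, r_i: bytes, f: dict) -> int:
    """Step 108: c0 = h(r_i) when p == 0 (then e == i and no f_i was sent);
    otherwise (ASSUMED form) c0 = f_i + h(r_i) mod 2^t."""
    return h(r_i) if p == 0 else (f[i] + h(r_i)) % MOD


def shared_ot(p: int, xs: list):
    """Run steps 100 to 110 in one process; returns (c0, c1, e, f)."""
    n = len(xs)
    rs, i, r_i = random_ot_setup(n)
    e = alice_index(p, i, n)             # Alice -> Bob: one index
    f = bob_intermediate(e, xs, rs)      # Bob -> Alice: N-1 values of t bits
    return alice_share(p, i, r_i, f), bob_share(e, xs, rs), e, f


def multiply_case1(a: int, b: int, n: int):
    """Case 1: Alice holds a (< N), Bob holds b; g is multiplication, x_j = j*b."""
    xs = [(j * b) % MOD for j in range(n)]
    c0, c1, _, _ = shared_ot(a, xs)
    return c0, c1


def multiply_case4(a0: int, a1: int, b: int):
    """Case 4: a = a0 XOR a1 is one bit; Bob holds a1 and b; x_j = (j XOR a1)*b, N = 2."""
    xs = [((j ^ a1) * b) % MOD for j in range(2)]
    c0, c1, _, _ = shared_ot(a0, xs)
    return c0, c1


def reconstruct(c0: int, c1: int) -> int:
    """First preset operation rule: summation in the modulo 2^t space."""
    return (c0 + c1) % MOD


if __name__ == "__main__":
    c0, c1 = multiply_case1(5, 123456, 8)
    print("case 1 shares:", c0, c1, "->", reconstruct(c0, c1))
    c0, c1 = multiply_case4(1, 0, 999)
    print("case 4 shares:", c0, c1, "->", reconstruct(c0, c1))
```

Each run exchanges one index from Alice and N-1 masked t-bit values from Bob; neither share alone reveals the product, because c1 is masked by h(r_e) and every f_j other than f_i is masked by an h(r_j) that Alice cannot compute.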

Abstract

An execution method and device for a shared OT protocol, and a secure multi-party computation method and device based on a shared OT protocol, relating to a first party and a second party. The second party has N privacy numerical values and N random numbers, and the first party has a first serial number of a target privacy numerical value in the N privacy numerical values, a target random number, and a second serial number of the target random number in the N random numbers. The execution method for a shared OT protocol comprises: the second party receives, from the first party, a third serial number calculated by the first party according to the first serial number and the second serial number, and then calculates, according to the third serial number, the N privacy numerical values and the N random numbers, intermediate data respectively corresponding to the remaining N-1 privacy numerical values other than that having the third serial number, and calculates a second share of the target privacy numerical value on the basis of a random number of which the serial number is the third serial number and a privacy numerical value arranged at the first place; the second party can also send, to the first party, the intermediate data respectively corresponding to the remaining N-1 privacy numerical values, so that the first party calculates a first share of the target privacy numerical value.

Description

Execution method for shared OT protocol, secure multi-party computing method and device
This application claims priority to the Chinese patent application No. 202210619377.X, entitled "Execution method for shared OT protocol, secure multi-party computing method and device", filed with the China National Intellectual Property Administration on June 2, 2022, the entire contents of which are incorporated herein by reference.
Technical field
One or more embodiments of this specification relate to the computer field, and in particular to an execution method for a shared OT protocol, and a secure multi-party computing method and device based on the shared OT protocol.
Background
The oblivious transfer (OT) protocol is a fairly typical two-party protocol in cryptography, and it is often used to support the execution of secure multi-party computation. When the OT protocol is used to support secure multi-party computation (SMPC), the different parties participating in the computation usually need to transmit a large amount of data to each other, and may even need multiple rounds of communication.
A new solution is desired that helps complete secure multi-party computation more efficiently.
Summary of the invention
One or more embodiments of this specification provide an execution method for a shared OT protocol, and a secure multi-party computing method and device based on the shared OT protocol.
In a first aspect, an execution method for a shared OT protocol is provided, involving a first party and a second party. The second party holds N privacy values arranged in order and N random numbers arranged in order; the first party holds the first sequence number of the target privacy value among the N privacy values, the target random number, and its second sequence number among the N random numbers; and the method is applied to the second party. The method includes: receiving from the first party a third sequence number that the first party calculated based on the first sequence number and the second sequence number; calculating, based on the third sequence number, the N privacy values and the N random numbers, the intermediate data corresponding to each of the remaining N-1 privacy values other than the one whose sequence number is the third sequence number; sending the intermediate data corresponding to each of the N-1 privacy values to the first party, so that the first party calculates the first fragment of the target privacy value; and calculating the second fragment of the target privacy value based on the random number whose sequence number is the third sequence number and the privacy value ranked first, wherein the result of processing the first fragment and the second fragment using a first preset operation rule is equal to the target privacy value.
In a possible implementation, the method further includes: receiving the N random numbers from a third party, wherein the target random number and the second sequence number are sent by the third party to the first party.
In a possible implementation, the third sequence number is obtained by using N to perform a modulo operation on the sum of the first sequence number and the second sequence number, and the result of the summation operation on the first fragment and the second fragment is equal to the target privacy value.
In a possible implementation, the third sequence number is obtained by performing an XOR operation on the first sequence number and the second sequence number, and the result of the XOR operation on the first fragment and the second fragment is equal to the target privacy value.
In a possible implementation, calculating, based on the third sequence number, the N privacy values and the N random numbers, the intermediate data corresponding to each of the remaining N-1 privacy values other than the one whose sequence number is the third sequence number includes: for any privacy value with sequence number j other than the one whose sequence number is the third sequence number, processing the random number with sequence number j according to a second preset operation rule to obtain its corresponding first data item, and calculating, based on the first data item, a second data item, a third data item and the privacy value ranked first, the intermediate data with sequence number j corresponding to the privacy value with sequence number j, wherein the second data item is obtained by processing the random number whose sequence number is the third sequence number using the second preset operation rule, the third data item is the privacy value with sequence number y, and the value of y is the same as the result obtained by using N to perform a modulo operation on the difference between the third sequence number and j.
In a possible implementation, calculating the second fragment of the target privacy value based on the random number whose sequence number is the third sequence number and the privacy value ranked first includes: calculating the second fragment of the target privacy value according to the second data item and the privacy value ranked first.
In a possible implementation, the lengths of the N privacy values are all t bits, and processing the random number with sequence number j according to the second preset operation rule to obtain its corresponding first data item includes: calculating a hash value of length t bits of the random number with sequence number j as its corresponding first data item; or, for a random number with sequence number j whose length is greater than t bits, extracting a bit sequence of length t bits starting from a predetermined position, and using the data represented by this bit sequence as the first data item corresponding to the random number with sequence number j.
In a second aspect, a method for executing a shared OT protocol is provided, involving a first party and a second party, wherein the second party holds N privacy values arranged in order and N random numbers arranged in order, and the first party holds a first serial number of a target privacy value among the N privacy values, a target random number, and its second serial number among the N random numbers; the method is applied to the first party. The method includes: sending to the second party a third serial number calculated based on the first serial number and the second serial number, so that the second party calculates a second fragment of the target privacy value based on the random number whose serial number is the third serial number and the first-ranked privacy value, and returns the intermediate data corresponding to each of the remaining N-1 privacy values other than the one whose serial number is the third serial number; and calculating a first fragment of the target privacy value at least according to the first serial number and the target random number, wherein the result of processing the first fragment and the second fragment using a first preset operation rule is equal to the target privacy value.
In a possible implementation, the N random numbers are sent to the second party by a third party; the method further includes: receiving the target random number and the second serial number from the third party.
In a possible implementation, the third serial number is obtained by taking the sum of the first serial number and the second serial number modulo N, and the result of summing the first fragment and the second fragment is equal to the target privacy value.
In a possible implementation, the third serial number is the result of performing an XOR operation on the first serial number and the second serial number, and the result of performing an XOR operation on the first fragment and the second fragment is equal to the target privacy value.
In a possible implementation, calculating the first fragment of the target privacy value at least according to the first serial number and the target random number includes: processing the target random number using the second preset operation rule to obtain a fourth data item; determining, based on the first serial number, whether the target privacy value is the first-ranked privacy value; if so, using the fourth data item as the first fragment of the target privacy value; otherwise, calculating the first fragment of the target privacy value based on the fourth data item and the intermediate data corresponding to the privacy value whose serial number is the second serial number.
In a possible implementation, each of the N privacy values is t bits long; processing the target random number using the second preset operation rule to obtain the fourth data item includes: calculating a t-bit hash value of the target random number as the fourth data item; or, for a target random number that is longer than t bits, extracting a bit sequence of length t bits starting from a predetermined position and using the data represented by that t-bit sequence as the fourth data item.
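The sender-side and receiver-side computations of the first and second aspects above, run end to end as an added example (not code from the patent). Assumptions: the second preset operation rule is SHA-256 truncated to t bits, a local dealer stands in for Random OT or the third party, and the intermediate-data formula is one choice that satisfies the stated relations, since the text above does not give it; the XOR variant further assumes N is a power of two and y = e XOR j.

```python
import hashlib
import secrets

T_BITS = 32                       # t: bit length of every privacy value (assumed)
MASK = (1 << T_BITS) - 1


def to_t_bits(r: bytes) -> int:
    """Second preset operation rule (assumed): t-bit hash of a random number."""
    return int.from_bytes(hashlib.sha256(r).digest(), "big") & MASK


def deal_random_ot(n: int):
    """Stand-in for Random OT / the third party: Bob receives r_0..r_{N-1},
    Alice receives one serial number i and the matching r_i."""
    rs = [secrets.token_bytes(16) for _ in range(n)]
    i = secrets.randbelow(n)
    return rs, i, rs[i]


def combine(a: int, b: int, xor: bool) -> int:
    """First preset operation rule: sum mod 2^t, or bitwise XOR."""
    return a ^ b if xor else (a + b) & MASK


def third_serial(p: int, i: int, n: int, xor: bool) -> int:
    """Alice: e hides p behind the random serial number i."""
    return p ^ i if xor else (p + i) % n


def sender_round(xs, rs, e, xor=False):
    """Bob: returns (second fragment, {j: intermediate data}) for all j != e."""
    n = len(xs)
    h_e = to_t_bits(rs[e])                        # second data item
    frag2 = xs[0] ^ h_e if xor else (xs[0] - h_e) & MASK
    inter = {}
    for j in range(n):
        if j == e:                                # only N-1 values are sent
            continue
        h_j = to_t_bits(rs[j])                    # first data item
        x_y = xs[e ^ j] if xor else xs[(e - j) % n]   # third data item
        if xor:
            inter[j] = x_y ^ xs[0] ^ h_e ^ h_j
        else:
            inter[j] = (x_y - xs[0] + h_e - h_j) & MASK
    return frag2, inter


def receiver_fragment(p, i, r_i, inter, xor=False):
    """Alice: first fragment from her own r_i and, unless p == 0, inter[i]."""
    h_i = to_t_bits(r_i)                          # fourth data item
    if p == 0:                                    # target is the first-ranked value
        return h_i
    return combine(inter[i], h_i, xor)


def run_shared_ot(xs, p, xor=False):
    """Full exchange; returns (first fragment, second fragment, values sent)."""
    n = len(xs)
    if xor and n & (n - 1):
        raise ValueError("XOR variant in this sketch needs N to be a power of two")
    rs, i, r_i = deal_random_ot(n)
    e = third_serial(p, i, n, xor)                # Alice -> Bob
    frag2, inter = sender_round(xs, rs, e, xor)   # Bob -> Alice: inter only
    frag1 = receiver_fragment(p, i, r_i, inter, xor)
    return frag1, frag2, len(inter)


if __name__ == "__main__":
    table = [5, 17, 0, 42, 7, 99, 123456, 1]      # constructed sample values
    f1, f2, sent = run_shared_ot(table, p=3)
    print(f1, f2, combine(f1, f2, False), sent)
```

Each fragment alone is masked by a hash the other party cannot compute, and Bob sees only e, which is uniformly distributed as long as i is.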
In a third aspect, a secure multi-party computation method based on the shared OT protocol is provided, involving a first party and a second party, wherein the first party holds a third privacy value that is to serve as the first serial number and the second party holds a second privacy value; the method is applied to the second party. The method includes: generating N privacy values arranged in order, wherein any privacy value with serial number j is obtained by processing the serial number j and the second privacy value using a target operation rule, so that the privacy value whose serial number is the third privacy value is equal to the result of processing the third privacy value and the second privacy value using the target operation rule; and, for the N privacy values and the third privacy value serving as the first serial number, jointly executing the shared OT protocol with the first party using the method of any one of claims 1-7, to obtain the second fragment of the target privacy value whose serial number is the third privacy value, and to enable the first party to correspondingly obtain the first fragment of the target privacy value whose serial number is the third privacy value.
In a possible implementation, the second privacy value and the third privacy value are two fragments of a fourth privacy value in the modulo-2 space, and the first fragment and the second fragment are each t bits long, with t greater than 1; the result of performing an XOR operation on the second privacy value and the third privacy value is equal to the result of summing the first fragment and the second fragment.
In a possible implementation, the target operation rule includes a summation operation, a product operation, a bitwise AND operation, a bitwise OR operation or a bitwise XOR operation.
In a possible implementation, the first preset operation rule includes a summation operation or a bitwise XOR operation.
In a possible implementation, the first party also holds a fourth privacy value, and the sum of the second privacy value and the fourth privacy value is equal to a fifth privacy value; the sum of the second fragment and a third fragment is equal to the product of the third privacy value and the fifth privacy value, wherein the third fragment is calculated by the first party based on the third privacy value, the fourth privacy value and the first fragment.
In a possible implementation, the first party also holds a fourth privacy value, the second party also holds a sixth privacy value and a seventh privacy value, the third privacy value and the sixth privacy value are two XOR fragments, in the modulo-2 space, of an eighth privacy value located in the modulo-2 space, and the sum of the fourth privacy value and the seventh privacy value is equal to a fifth privacy value; the second privacy value is calculated by the second party based on the sixth privacy value and the seventh privacy value, and the second fragment is used to calculate the product of the fifth privacy value and the eighth privacy value.
In a fourth aspect, a secure multi-party computation method based on the shared OT protocol is provided, involving a first party and a second party, wherein the first party holds a third privacy value that is to serve as the first serial number and the second party holds a second privacy value; the method is applied to the first party. The method includes: for the third privacy value serving as the first serial number and N privacy values, jointly executing the shared OT protocol with the second party using the method of any one of the second aspect, to obtain the first fragment of the target privacy value whose serial number is the third privacy value, and to enable the second party to obtain the second fragment of the target privacy value whose serial number is the third privacy value, wherein any privacy value with serial number j is obtained by the second party by processing the serial number j and the second privacy value using a target operation rule, so that the privacy value whose serial number is the third privacy value is equal to the result of processing the third privacy value and the second privacy value using the target operation rule.
In a possible implementation, the second privacy value and the third privacy value are two fragments of a fourth privacy value in the modulo-2 space, and the first fragment and the second fragment are each t bits long, with t greater than 1; the result of performing an XOR operation on the second privacy value and the third privacy value is equal to the result of summing the first fragment and the second fragment.
In a possible implementation, the target operation rule includes a summation operation, a product operation, a bitwise AND operation, a bitwise OR operation or a bitwise XOR operation.
In a possible implementation, the first preset operation rule includes a summation operation or a bitwise XOR operation.
In a possible implementation, the sum of the second privacy value and a fourth privacy value held by the first party is equal to a fifth privacy value. The method further includes: calculating a third fragment based on the third privacy value, the fourth privacy value and the first fragment, so that the sum of the second fragment and the third fragment is equal to the product of the third privacy value and the fifth privacy value.
In a possible implementation, the first party also holds a fourth privacy value, the second party also holds a sixth privacy value and a seventh privacy value, the third privacy value and the sixth privacy value are two XOR fragments, in the modulo-2 space, of an eighth privacy value located in the modulo-2 space, and the sum of the fourth privacy value and the seventh privacy value is equal to a fifth privacy value; the second privacy value is calculated by the second party based on the sixth privacy value and the seventh privacy value, and the first fragment is used to calculate the product of the fifth privacy value and the eighth privacy value.
In a fifth aspect, a secure multi-party computation method based on the shared OT protocol is provided, involving a first party and a second party, wherein the first party holds a third privacy value that is to serve as the first serial number, the second party holds a fifth privacy value and a sixth privacy value, and the third privacy value and the sixth privacy value are two XOR fragments, in the modulo-2 space, of an eighth privacy value located in the modulo-2 space; the method is applied to the first party. The method includes: the second party generates N privacy values arranged in order, wherein any privacy value with serial number j is equal to the result obtained by processing the XOR result with serial number j and the fifth privacy value using a target operation rule, the XOR result with serial number j being obtained by performing an XOR operation on the serial number j and the sixth privacy value, so that the target privacy value whose serial number is the third privacy value is equal to the result of processing the fifth privacy value and the eighth privacy value using the target operation rule; and the first party and the second party, for the third privacy value serving as the first serial number and the N privacy values, jointly execute the shared OT protocol using the methods of any one of the first aspect and the second aspect, and respectively obtain the first fragment and the second fragment of the target privacy value whose serial number is the third privacy value.
In a sixth aspect, a device for executing shared OT is provided, involving a first party and a second party, wherein the second party holds N privacy values arranged in order and N random numbers arranged in order, and the first party holds a first serial number of a target privacy value among the N privacy values, a target random number, and its second serial number among the N random numbers; the device is deployed at the second party. The device includes: a communication processing unit configured to receive from the first party a third serial number that the first party calculated based on the first serial number and the second serial number; a first calculation unit configured to calculate, based on the third serial number, the N privacy values and the N random numbers, the intermediate data corresponding to each of the remaining N-1 privacy values other than the one whose serial number is the third serial number; the communication processing unit being further configured to send to the first party the intermediate data corresponding to each of the N-1 privacy values, so that the first party calculates a first fragment of the target privacy value; and a second calculation unit configured to calculate a second fragment of the target privacy value based on the random number whose serial number is the third serial number and the first-ranked privacy value, wherein the result of processing the first fragment and the second fragment using a first preset operation rule is equal to the target privacy value.
In a seventh aspect, a device for executing shared OT is provided, involving a first party and a second party, wherein the second party holds N privacy values arranged in order and N random numbers arranged in order, and the first party holds a first serial number of a target privacy value among the N privacy values, a target random number, and its second serial number among the N random numbers; the device is deployed at the first party. The device includes: a communication processing unit configured to send to the second party a third serial number calculated based on the first serial number and the second serial number, so that the second party calculates a second fragment of the target privacy value based on the random number whose serial number is the third serial number and the first-ranked privacy value, and returns the intermediate data corresponding to each of the remaining N-1 privacy values other than the one whose serial number is the third serial number; and a calculation processing unit configured to calculate a first fragment of the target privacy value at least according to the first serial number and the target random number, wherein the result of processing the first fragment and the second fragment using a first preset operation rule is equal to the target privacy value.
In an eighth aspect, a secure multi-party computation device based on the OT protocol is provided, involving a first party and a second party, wherein the first party holds a third privacy value that is to serve as the first serial number and the second party holds a second privacy value; the device is deployed at the second party. The device includes: a calculation processing unit configured to generate N privacy values arranged in order, wherein any privacy value with serial number j is obtained by processing the serial number j and the second privacy value using a target operation rule, so that the privacy value whose serial number is the third privacy value is equal to the result of processing the third privacy value and the second privacy value using the target operation rule; and an invocation processing unit configured to, for the N privacy values and the third privacy value serving as the first serial number, jointly execute the shared OT protocol with the first party through the device for executing shared OT described in the sixth aspect, to obtain the second fragment of the target privacy value whose serial number is the third privacy value, and to enable the first party to correspondingly obtain the first fragment of the target privacy value whose serial number is the third privacy value.
In a ninth aspect, a secure multi-party computation device based on the shared OT protocol is provided, involving a first party and a second party, wherein the first party holds a third privacy value that is to serve as the first serial number and the second party holds a second privacy value; the device is deployed at the first party. The device is configured to, for the third privacy value serving as the first serial number and N privacy values, jointly execute the shared OT protocol with the second party through the device for executing shared OT described in the seventh aspect, to obtain the first fragment of the target privacy value whose serial number is the third privacy value, and to enable the second party to obtain the second fragment of the target privacy value whose serial number is the third privacy value, wherein any privacy value with serial number j is obtained by the second party by processing the serial number j and the second privacy value using a target operation rule, so that the privacy value whose serial number is the third privacy value is equal to the result of processing the third privacy value and the second privacy value using the target operation rule.
In a tenth aspect, a computer-readable storage medium is provided, on which a computer program is stored; when the computer program is executed in a computing device, the computing device performs the method of any one of the first to fourth aspects.
In an eleventh aspect, a computing device is provided, including a memory and a processor, wherein a computer program is stored in the memory and the processor, when executing the computer program, implements the method of any one of the first to fourth aspects.
With the methods and devices provided in one or more embodiments of this specification, where the second party holds N privacy values and the first party holds the serial number of a target privacy value among those N privacy values, the first party and the second party can, by executing the shared OT protocol, each obtain one fragment of the target privacy value while the target privacy value and its serial number remain secure. The first party and the second party can then perform secure multi-party computation on privacy values based on the shared OT protocol; the amount of data they need to transmit is small and the number of communication rounds is low, so the secure multi-party computation can be completed more efficiently.
Description of the Drawings
To explain the technical solutions of the embodiments of this specification more clearly, the drawings used in the description of the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Figure 1 is a schematic process diagram of a method for executing a shared OT protocol provided in an embodiment of this specification;
Figure 2 is the first exemplary schematic process diagram of a secure multi-party computation method based on the shared OT protocol;
Figure 3 is the second exemplary schematic process diagram of a secure multi-party computation method based on the shared OT protocol;
Figure 4 is the third exemplary schematic process diagram of a secure multi-party computation method based on the shared OT protocol;
Figure 5 is the fourth exemplary schematic process diagram of a secure multi-party computation method based on the shared OT protocol;
Figure 6 is the first schematic diagram of a device for executing a shared OT protocol provided in an embodiment of this specification;
Figure 7 is the second schematic diagram of a device for executing a shared OT protocol provided in an embodiment of this specification;
Figure 8 is a schematic diagram of a secure multi-party computation device based on the shared OT protocol.
Detailed Description
The non-limiting embodiments provided in this specification are described in detail below with reference to the accompanying drawings.
The OT protocol is a fairly typical two-party protocol in cryptography. Taking Alice and Bob as the two participants executing the protocol, the requirements of the OT protocol are as follows: Alice, as the OT receiver (also called the first party), holds a privacy value p, where p is an integer satisfying 0 ≤ p ≤ N-1; Bob, as the OT sender (also called the second party), holds N privacy values {x_0, x_1, …, x_{N-1}}, each t bits long and arranged in order; after Alice and Bob jointly execute the OT protocol, Alice obtains the privacy value x_p with serial number p among the N privacy values but cannot learn the other privacy values held by Bob, and Bob cannot learn the p held by Alice. It should be noted in particular that, because the smallest non-negative integer a computing device can represent with a bit sequence is 0, the embodiments of this specification usually set the serial number of the j-th item in a sequence of data to j-1 rather than j. For example, the aforementioned privacy value x_0, being the first-ranked of the N privacy values, can be described as the 1st of the N privacy values, yet its serial number among the N privacy values is 0 rather than 1, which is why p is required to be an integer satisfying 0 ≤ p ≤ N-1. It can be understood that, as far as technical implementation is concerned, other rules for assigning serial numbers can also be used; for example, the serial number of the j-th item in any sequence of data can be set to j rather than j-1, in which case the serial number of the privacy value x_0 among the N privacy values can be set to 1 and, correspondingly, the serial number p can be required to be an integer satisfying 1 ≤ p ≤ N. It should also be noted that Alice and Bob can each be implemented as any apparatus, device, platform or device cluster with computing/processing capabilities.
The Random Oblivious Transfer (Random OT) protocol is a variant of the above OT protocol and can be used to construct it; the Random OT protocol can be implemented with a variety of cryptographic techniques. The requirements of the Random OT protocol are: Bob obtains N random numbers {r_0, r_1, …, r_{N-1}} arranged in order; Alice obtains the (i+1)-th random number r_i among the N random numbers together with its serial number i among them. A method of constructing the OT protocol from the Random OT protocol may include, but is not limited to, the following steps S01 to S03:
Step S01: Alice calculates the intermediate serial number e = (i + p) % N and sends e to Bob;
Step S02: for each privacy value x_j with serial number j among the N privacy values {x_0, x_1, …, x_{N-1}}, other than the privacy value r_e with serial number e, Bob encrypts x_j using the random number with serial number (e - j) % N among the N random numbers {r_0, r_1, …, r_{N-1}} to obtain the ciphertext f_j with serial number j, and sends the ciphertext f_j to Alice;
Step S03: Alice uses the random number r_i with serial number i that she holds to decrypt the received ciphertext f_i corresponding to the privacy value x_i with serial number i, thereby obtaining the privacy value x_p with serial number p.
安全多方计算是由多个参与方共同计算出某个函数的计算结果,计算过程中不泄露由多个参与方各自持有的该函数的输入数据,其中由各参与方持有的输入数据通常为被作为隐私数据而不能被其它参与方获知,但是计算结果却允许向指定的对象公开。例如可能存在如下安全多方计算需求:Alice持有隐私数值A,Bob持有隐私数值B,进行安全多方计算后Alice获得分片c0、Bob获得分片c1,其中利用预设运算规则处理c0和c1的结果,相等于利用目标运算规则g处理A和B的结果。前述的目标运算规则g可以包括但不限于安全模转换、求和运算、求积运算、按位与运算、按位或运算或者按位异或运算等等;前述的预设运算规则可以包括但不限于求和运算或者异或运算。Secure multi-party computation is a calculation result of a function that is jointly calculated by multiple participants. During the calculation process, the input data of the function held by multiple participants is not disclosed. The input data held by each participant is usually It is treated as private data and cannot be known by other participants, but the calculation results are allowed to be disclosed to designated objects. For example, there may be the following secure multi-party computation requirements: Alice holds the private value A, and Bob holds the private value B. After performing secure multi-party computation, Alice obtains the fragment c0 and Bob obtains the fragment c1, in which preset operation rules are used to process c0 and c1. The result is equal to the result of processing A and B using the target operation rule g. The aforementioned target operation rules g may include but are not limited to safe modulo conversion, summation operation, quadrature operation, bitwise AND operation, bitwise OR operation or bitwise XOR operation, etc.; the aforementioned preset operation rules may include but Not limited to summation operations or XOR operations.
前述的OT协议通常可以用于支持前述安全多方计算,通过前述OT协议实现前述安全多方计算的方法可以包括但不限于如下步骤S11~步骤S14:The aforementioned OT protocol can generally be used to support the aforementioned secure multi-party computation. The method of implementing the aforementioned secure multi-party computation through the aforementioned OT protocol may include but is not limited to the following steps S11 to S14:
Step S11: Bob generates a random value as share c1;
Step S12: Bob computes N privacy values arranged in order, where the (j+1)-th privacy value is x_j = g(j, B) - c1; the N privacy values generated by Bob are the N ordered privacy values of the aforementioned OT protocol;
Step S13: Alice uses A as p in the aforementioned OT protocol;
Step S14: Alice, using A as p in the OT protocol, and Bob, using the N privacy values he computed, jointly execute the aforementioned OT protocol. As a result, Alice obtains x_A = g(A, B) - c1, which serves as share c0.
When the aforementioned secure multi-party computation is implemented on the basis of the aforementioned OT protocol, Alice and Bob need multiple rounds of communication and the amount of data to be transmitted is relatively large. In view of this, the embodiments of this specification provide an execution method for a shared OT protocol, and a secure multi-party computation method and device based on the shared OT protocol, with the aim of reducing the amount of data that must be transmitted when implementing secure multi-party computation, so that it can be completed more efficiently.
Figure 1 is a schematic diagram of the process of an execution method for a shared OT protocol provided in an embodiment of this specification. In this method Alice acts as the OT receiver of the shared OT protocol (the first party) and Bob acts as the OT sender (the second party). Before executing the method shown in Figure 1, Alice and Bob can execute the Random OT protocol described above, or use another method, so that Bob obtains N random numbers {r_0, r_1, …, r_{N-1}} arranged in order and Alice obtains the target random number r_i together with its serial number i among the N random numbers. For example, Bob may receive the N random numbers {r_0, r_1, …, r_{N-1}} from a third party, and Alice may receive r_i and its serial number i among the N random numbers from the third party. In addition, as in the OT protocol described above, Bob can also hold N privacy values {x_0, x_1, …, x_{N-1}} arranged in order, and Alice can also hold the first serial number p of the target privacy value x_p among the N privacy values {x_0, x_1, …, x_{N-1}}. On this basis, Alice and Bob can jointly execute steps 100 to 110 shown in Figure 1.
First, in step 100, Alice computes serial number e from serial number p and serial number i. For example, Alice can take the sum of p and i modulo N to obtain e, or XOR p and i to obtain e, or take the difference of p and i modulo N to obtain e.
Next, in step 102, Alice sends serial number e to Bob.
Next, in step 104, Bob uses serial number e, the N privacy values he holds and the N random numbers to compute the intermediate data corresponding to each of the remaining N-1 privacy values, that is, all privacy values except the one with serial number e.
For any privacy value x_j with serial number j among the N privacy values {x_0, x_1, …, x_{N-1}}, other than the one with serial number e, Bob can process the random number r_j with serial number j among the N random numbers {r_0, r_1, …, r_{N-1}} using the second preset operation rule h to obtain the first data item h(r_j) corresponding to x_j. He then computes the intermediate data f_j with serial number j corresponding to x_j from the first data item h(r_j), a second data item, a third data item and the privacy value x_0 ranked first. The second data item is h(r_e), obtained by processing the random number r_e with serial number e using the second preset operation rule h. The third data item is the privacy value x_y with serial number y among the N privacy values, where y equals the difference of e and j taken modulo N.
The N privacy values {x_0, x_1, …, x_{N-1}} can all be integers in the modulo 2^t space. In that case it must be ensured that processing any random number held by Bob with the second preset operation rule h outputs data of length t bits for that random number. For example, if the length of any random number r_j with serial number j among the N random numbers {r_0, r_1, …, r_{N-1}} is not greater than t bits, the first data item h(r_j) obtained by processing r_j with the second preset operation rule h can be a hash value of r_j of length t bits computed by Bob. If the length of r_j is greater than t bits, the first data item h(r_j) can be the data represented by a sub-bit sequence of length t bits extracted starting from a predetermined position in the bit sequence representing r_j. The process by which Bob processes the random number r_e with serial number e using the second preset operation rule to obtain the second data item h(r_e) is the same as the process by which he obtains the first data item h(r_j) from r_j, and is not repeated here.
More specifically, Bob can compute the intermediate data f_j corresponding to privacy value x_j by the following formula 1:
f_j = h(r_j) + h(r_e) - x_0 + x_{(e-j)%N}    (1)
It can be understood that the intermediate data f_j corresponding to privacy value x_j can also be computed in other ways, for example by adding specific coefficients in front of some or all of the data items in formula 1 or by transforming formula 1; more specifically, for example, all the additions and subtractions in formula 1 can be replaced with XOR operations.
Step 106: Bob sends Alice the intermediate data corresponding to each of the remaining N-1 privacy values. That is, Bob needs to send Alice the intermediate data f_j that he computed for each privacy value x_j other than the one with serial number e.
Step 108: Alice computes the first share c0 of the target privacy value x_p from serial number p and the target random number r_i.
Alice can process the target random number r_i she holds using the second preset operation rule h to obtain a fourth data item h(r_i). The way Alice obtains h(r_i) can be the same as the way Bob obtains the second data item h(r_e) or the first data item h(r_j) corresponding to privacy value x_j, and is not repeated here. Alice can determine from serial number p whether the target privacy value x_p is the privacy value x_0 ranked first. If it is, she takes the fourth data item h(r_i) as the first share c0 of x_p. Otherwise she can compute the first share c0 of x_p from the fourth data item h(r_i) and the intermediate data f_i corresponding to the privacy value x_i with serial number i, for example c0 = f_i - h(r_i), or c0 is the result of XORing the intermediate data f_i and the fourth data item h(r_i).
Step 110: Bob computes the second share c1 of the target privacy value x_p from the random number r_e with serial number e and the privacy value x_0 ranked first. Bob can process r_e using the second operation rule h to obtain the second data item h(r_e), and in step 110 can then compute c1 from h(r_e) and x_0, for example c1 = x_0 - h(r_e); alternatively the second share c1 can be the result of XORing x_0 and h(r_e).
From the way Alice obtains share c0 and Bob obtains share c1 above, it can be seen that processing c0 and c1 with the first preset operation rule yields the target privacy value x_p, where the first preset operation rule can be summation or bitwise XOR; in other words, the sum or the bitwise XOR of c0 and c1 equals x_p. Moreover, in the course of Alice and Bob obtaining c0 and c1 respectively, Alice cannot learn the target privacy value x_p, which ensures the security of x_p.
The shared OT protocol can be used to support Alice and Bob in performing secure multi-party computation on two privacy values a and b. Secret sharing is widely used in secure multi-party computation. Its basic principle is to split a secret value into multiple shares that are kept by different participants; only participants exceeding a threshold number can combine the shares they each hold to recover the original secret value, and the threshold number is usually the same as the number of participants in the secure multi-party computation. Therefore, when Alice and Bob actually perform secure multi-party computation on a privacy value a and a privacy value b that are to be processed by a target operation rule, the typical data holding situations of Alice and Bob may include, besides case 1 below, cases 2 to 4 below:
Case 1: Alice holds a and Bob holds b. Here a and b can both be single-bit values 0 or 1 in the modulo 2 space; or a and b can both be integers in the modulo 2^t space; or a is a single-bit value 0 or 1 in the modulo 2 space and b is an integer in the modulo 2^t space.
Case 2: a is a single-bit value 0 or 1 in the modulo 2 space and b is an integer in the modulo 2 space. Alice holds a and the share b0 of b in the modulo 2^t space, and Bob holds the share b1 of b in the modulo 2^t space, where the sum of b0 and b1 equals b.
Case 3: a is a single-bit value 0 or 1 in the modulo 2 space and b is an integer in the modulo 2 space. Alice holds the share a0 of a in the modulo 2 space and the share b0 of b in the modulo 2^t space; Bob holds the share a1 of a in the modulo 2 space and the share b1 of b in the modulo 2^t space, where the XOR of a0 and a1 equals a and the sum of b0 and b1 equals b.
Case 4: a is a single-bit value 0 or 1 in the modulo 2 space and b is an integer in the modulo 2 space. Alice holds the share a0 of a in the modulo 2 space; Bob holds b and the share a1 of a in the modulo 2 space, where the XOR of a0 and a1 equals a.
In each of cases 1 to 4, the shared OT protocol can be used to implement secure multi-party computation on privacy value a and privacy value b. However, the process by which Alice and Bob implement that computation on the basis of the shared OT protocol may differ between data holding situations. The following describes in detail how Alice and Bob implement secure multi-party computation on privacy value a and privacy value b based on the shared OT protocol in each of the four data holding situations.
Figure 2 is the first schematic diagram of the process of the secure multi-party computation method based on the shared OT protocol. In the implementation shown in Figure 2, Alice acts as the receiver of the shared OT protocol (the first party) and Bob acts as the sender (the second party). Referring to Figure 2, in data holding case 1 Alice and Bob can implement secure multi-party computation on privacy value a and privacy value b through steps 200 and 202.
First, in step 200, Bob generates N privacy values arranged in order from privacy value b.
That is, he generates the N ordered privacy values {x_0, x_1, …, x_{N-1}} of the shared OT protocol. Any privacy value x_j with serial number j among these N privacy values can be obtained by processing serial number j and privacy value b with the target operation rule g, so that the target privacy value x_a with serial number a equals the result of processing privacy value a and privacy value b with g. When a and b are both integers, or are both single-bit privacy values in the modulo 2 space, the target operation rule g may include, but is not limited to, summation, multiplication, bitwise AND, bitwise OR or bitwise XOR; when a is a single-bit value in the modulo 2 space and b is an integer in the modulo 2^t space, the target operation rule may include, but is not limited to, multiplication. Note in particular that the value of N in step 200 should be greater than the privacy value a held by Alice.
Next, in step 202, Alice, using privacy value a as serial number p, and Bob, using the N privacy values he generated, jointly execute the shared OT protocol, so that Alice obtains the first share c0 of the target privacy value x_p and Bob obtains the second share c1 of x_p. Since a equals p and x_p was obtained by Bob by processing serial number p and privacy value b with the target operation rule g, the result of processing c0 and c1 with the first preset operation rule equals the result of processing a and b with g, so Alice and Bob have completed the secure multi-party computation on a and b. Note in particular that when a and b are two XOR shares of some privacy value in the modulo 2 space, that is, when the XOR of a and b equals a privacy value c in the modulo 2 space, the first share c0 and the second share c1 of x_p are both integers in the modulo 2^t space, so this method can also perform secure modulus conversion on the two shares a and b of privacy value c in the modulo 2 space.
Figure 3 is the second schematic diagram of the process of the secure multi-party computation method based on the shared OT protocol. In the implementation shown in Figure 3, Alice acts as the receiver of the shared OT protocol (the first party) and Bob acts as the sender (the second party). Referring to Figure 3, in data holding case 2 Alice and Bob can implement secure multi-party computation on privacy value a and privacy value b through steps 300 to 306.
First, in step 300, Bob generates N privacy values arranged in order from share b1.
That is, he generates the N ordered privacy values {x_0, x_1, …, x_{N-1}} of the shared OT protocol. Any privacy value x_j with serial number j among these N privacy values can be obtained by processing serial number j and share b1 with the target operation rule g, for example by multiplying serial number j and share b1, so that the target privacy value x_a with serial number a equals the result of processing a and b1 with g.
Next, in step 302, Alice, using privacy value a as serial number p, and Bob, using the N privacy values he generated, jointly execute the shared OT protocol, so that Alice obtains the first share c0 of the target privacy value x_p and Bob obtains the second share c1 of x_p. Since a equals p and x_p was obtained by Bob by processing serial number p and share b1 with the target operation rule g, the sum or XOR of the first share c0 and the second share c1 of x_p equals the result of processing serial number a and b1 with g, which completes the secure multi-party computation on a and b1.
Next, in step 304, Alice computes a third share c0g from the first share c0 of x_p, privacy value a and share b0. For example, Alice can compute c0g = a*b0 + c0, so that the sum of share c0g and the second share of x_p equals the result of processing a and b with the target operation rule. Note in particular that c0g may also be obtained by XORing a, b0 and c0.
Figure 4 is the third schematic diagram of the process of the secure multi-party computation method based on the shared OT protocol. The implementation shown in Figure 4 comprises execution process 1 and execution process 2. In execution process 1, Alice acts as the receiver of the shared OT protocol (the first party) and Bob acts as the sender (the second party); in execution process 2, Alice acts as the sender of the shared OT protocol and Bob acts as the receiver. Referring to Figure 4, in data holding case 3 Alice and Bob can implement secure multi-party computation on privacy value a and privacy value b through steps 400 to 407, where steps 400 to 402 belong to execution process 1 and steps 403 to 405 belong to execution process 2. Execution process 1 and execution process 2 can be executed independently of each other and there is no required order between them.
In step 400, Bob computes privacy value L1 from share a1 and share b1. L1 can be computed, for example, by the formula L1 = (b1 - 2*a1*b1) or a variant of that formula.
In step 401, Bob generates N privacy values arranged in order from privacy value L1.
That is, he generates the N ordered privacy values {x_0, x_1, …, x_{N-1}} of the shared OT protocol. Any privacy value x_j with serial number j among these N privacy values can be obtained by processing serial number j and privacy value L1 with the target operation rule g, for example by multiplying serial number j and L1, so that the target privacy value with serial number a0 equals the result of processing a0 and L1 with g.
In step 402, Alice, using share a0 as serial number p, and Bob, using the N privacy values he generated, jointly execute the shared OT protocol, so that Alice obtains the first share c00 of the target privacy value with serial number a0 among the N privacy values generated by Bob, and Bob obtains the second share c01 of that target privacy value.
In step 403, Alice computes privacy value L0 from share a0 and share b0. L0 can be computed, for example, by the formula L0 = (b0 - 2*a0*b0) or a variant of that formula.
In step 404, Alice generates N privacy values arranged in order from privacy value L0.
That is, she generates the N ordered privacy values {x_0, x_1, …, x_{N-1}} of the shared OT protocol. Any privacy value x_j with serial number j among these N privacy values can be obtained by processing serial number j and privacy value L0 with the target operation rule g, for example by multiplying serial number j and L0, so that the privacy value with serial number a1 equals the result of processing a1 and L0 with g.
In step 405, Bob, using share a1 as serial number p, and Alice, using the N privacy values she generated, jointly execute the shared OT protocol, so that Bob obtains the first share c10 of the target privacy value with serial number a1 among the N privacy values generated by Alice, and Alice obtains the second share c11 of that target privacy value.
In step 406, Alice computes share m0 from share a0, share b0, share c00 and share c11. For example, Alice can compute m0 by the formula m0 = a0*b0 + c00 + c11 or a variant of it.
In step 407, Bob computes share m1 from share a1, share b1, share c01 and share c10. For example, Bob can compute m1 by the formula m1 = a1*b1 + c01 + c10 or a variant of it.
From the way Alice and Bob compute m0 and m1, it can be seen that the sum of m0 and m1 equals the result of processing a and b with the target operation rule, so Alice and Bob complete the secure multi-party computation on privacy value a and privacy value b through steps 400 to 407 above, based on the shared OT protocol. It can also be understood that the additions and multiplications in the above formulas for computing shares can be replaced with XOR operations.
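The following Python code is an added example, not code from the patent: it runs the shared OT protocol of steps 100 to 110 (using e = (p + i) mod N and formula 1) and then uses it for the case-3 product of steps 400 to 407 with N = 2. The third-party random-number setup run in-process, t = 64, 128-bit random numbers and all function names are assumptions made for the illustration.

```python
"""Added example: shared OT (steps 100-110) and the case-3 product (steps 400-407)."""
import secrets

T = 64                      # assumed share width t; shares are integers mod 2^t
MOD = 1 << T
R_BYTES = 16                # assumed random-number length (128 bits, longer than t)


def h(r: bytes) -> int:
    """Rule h for random numbers longer than t bits: take t bits from a fixed
    position (here the leading t bits), as the description allows."""
    return int.from_bytes(r[: T // 8], "big")


def random_ot_setup(n: int):
    """Stand-in for Random OT via a third party: the sender gets r_0..r_{N-1},
    the receiver gets a random serial number i and r_i only."""
    rs = [secrets.token_bytes(R_BYTES) for _ in range(n)]
    i = secrets.randbelow(n)
    return rs, i, rs[i]


def receiver_mask(p: int, i: int, n: int) -> int:
    """Step 100: e = (p + i) mod N. i is uniform and unknown to the sender,
    so e on its own does not tell the sender which p was chosen."""
    return (p + i) % n


def sender_round(e: int, xs: list, rs: list):
    """Steps 104 and 110: intermediate data f_j for every j != e (formula 1)
    and the sender's share c1 = x_0 - h(r_e)."""
    n = len(xs)
    h_e = h(rs[e])
    f = {j: (h(rs[j]) + h_e - xs[0] + xs[(e - j) % n]) % MOD
         for j in range(n) if j != e}
    return f, (xs[0] - h_e) % MOD


def receiver_share(p: int, i: int, r_i: bytes, f: dict) -> int:
    """Step 108: c0 = h(r_i) when p == 0, otherwise c0 = f_i - h(r_i)."""
    if p == 0:
        return h(r_i)
    return (f[i] - h(r_i)) % MOD


def shared_ot(p: int, xs: list):
    """Runs both roles in one process. Returns (c0, c1, transcript), where
    transcript holds exactly what crossed the wire: e and the N-1 values f_j."""
    n = len(xs)
    if not 0 <= p < n:
        raise ValueError("p must be a serial number in [0, N)")
    rs, i, r_i = random_ot_setup(n)
    e = receiver_mask(p, i, n)              # step 102: receiver -> sender
    f, c1 = sender_round(e, xs, rs)         # step 106: sender -> receiver
    c0 = receiver_share(p, i, r_i, f)
    return c0, c1, {"e": e, "f": f}


def multiply_case3(a0: int, b0: int, a1: int, b1: int):
    """Case 3 with N = 2: a = a0 XOR a1 is one bit, b = b0 + b1 mod 2^t.
    Returns (m0, m1) with m0 + m1 = a * b mod 2^t."""
    l1 = (b1 - 2 * a1 * b1) % MOD                                    # step 400 (Bob)
    c00, c01, _ = shared_ot(a0, [(j * l1) % MOD for j in range(2)])  # steps 401-402
    l0 = (b0 - 2 * a0 * b0) % MOD                                    # step 403 (Alice)
    c10, c11, _ = shared_ot(a1, [(j * l0) % MOD for j in range(2)])  # steps 404-405
    m0 = (a0 * b0 + c00 + c11) % MOD                                 # step 406 (Alice)
    m1 = (a1 * b1 + c01 + c10) % MOD                                 # step 407 (Bob)
    return m0, m1


if __name__ == "__main__":
    xs = [secrets.randbelow(MOD) for _ in range(8)]   # constructed sample values
    c0, c1, wire = shared_ot(5, xs)
    print("reconstructs x_5:", (c0 + c1) % MOD == xs[5], "| values sent:", len(wire["f"]))
    b0, b1 = secrets.randbelow(MOD), secrets.randbelow(MOD)
    m0, m1 = multiply_case3(1, b0, 0, b1)
    print("a*b recovered:", (m0 + m1) % MOD == (b0 + b1) % MOD)
```

The transcript returned by `shared_ot` makes the communication cost visible: one serial number from receiver to sender and N-1 values of t bits back.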
Figure 5 is the fourth schematic diagram of the process of the secure multi-party computation method based on the shared OT protocol. In the implementation shown in Figure 5, Alice acts as the receiver of the shared OT protocol (the first party) and Bob acts as the sender (the second party). Referring to Figure 5, in data holding case 4 Alice and Bob can implement secure multi-party computation on privacy value a and privacy value b through steps 500 to 502.
First, in step 500, Bob generates N privacy values arranged in order from share a1 and privacy value b.
That is, he generates the N ordered privacy values {x_0, x_1, …, x_{N-1}} of the shared OT protocol. Any privacy value x_j with serial number j is obtained by processing, with the target operation rule g, the XOR result with serial number j and privacy value b (the fifth privacy value), where the XOR result with serial number j is obtained by XORing serial number j and share a1 (the sixth privacy value). As a result, the target privacy value with serial number a0 (the third privacy value) among the N privacy values equals the result of processing privacy value b and privacy value a with the target operation rule, for example the product of privacy value a and privacy value b.
Next, in step 502, Alice, using share a0 as serial number p, and Bob, using the N privacy values he generated, jointly execute the shared OT protocol, so that Alice obtains the first share c0 of the target privacy value with serial number a0 among the N privacy values generated by Bob, and Bob obtains the second share c1 of that target privacy value. The sum or XOR of the first share c0 and the second share c1 equals the result of processing a and b with the target operation rule.
With the technical solutions of the embodiments of this specification, when the second party holds N privacy values and the first party holds the serial number of the target privacy value among those N privacy values, the first party and the second party can execute the shared OT protocol so that each of them obtains one share of the target privacy value while the target privacy value and its serial number remain secure. The first party and the second party can then implement secure multi-party computation on two privacy values based on the shared OT protocol. The amount of data they need to transmit is small and the number of communication rounds is low, so the secure multi-party computation can be completed more efficiently.
It should be noted in particular that, in the method embodiments shown in Figures 2 to 5, when the privacy value a is a single-bit value in the modulo-2 space, N can generally be 2, which more effectively reduces the amount of computation Alice and Bob must perform to carry out secure multi-party computation on a and b.
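The following is an added sketch, not code from the patent: it runs the additive variant of the shared OT protocol (third serial number = (p + q) mod N) and then uses it as in steps 501 and 502, with x_j = (j XOR a1)·b. The concrete formulas for the intermediate data and the two fragments, the truncated SHA-256 hash, t = 32 and all function names are assumptions, chosen to be consistent with the data items that claims 3, 5, 6 and 12 say each value is computed from.

```python
import hashlib
import secrets

T_BITS = 32            # fragment length t in bits (assumed value)
MOD = 1 << T_BITS      # fragments are added modulo 2**t


def h(r: bytes) -> int:
    """Second preset operation rule (assumed): t-bit hash of a random number."""
    return int.from_bytes(hashlib.sha256(r).digest()[:T_BITS // 8], "big")


def dealer(n: int):
    """Third party: N random numbers for Bob, one of them plus its index q for Alice."""
    rs = [secrets.token_bytes(16) for _ in range(n)]
    q = secrets.randbelow(n)
    return rs, (q, rs[q])


def alice_request(p: int, q: int, n: int) -> int:
    """Third serial number e = (p + q) mod N. q is uniform and unknown to Bob, so e hides p."""
    return (p + q) % n


def bob_respond(xs, rs, e):
    """Bob: N-1 intermediate values (none for index e) and his own fragment."""
    n = len(xs)
    mask_e = h(rs[e])                      # second data item
    c1 = (xs[0] - mask_e) % MOD            # second fragment: from mask_e and x_0 only
    inter = {}
    for j in range(n):
        if j == e:
            continue
        y = (e - j) % n                    # third data item is x_y
        # first data item h(rs[j]) blinds entry j for anyone who lacks r_j
        inter[j] = (xs[y] - xs[0] + mask_e + h(rs[j])) % MOD
    return inter, c1


def alice_finish(p: int, q: int, r_q: bytes, inter) -> int:
    """Alice: first fragment from her index p, her random number r_q and entry q."""
    mask_q = h(r_q)                        # fourth data item
    if p == 0:                             # target is the first-ranked value, e == q
        return mask_q
    return (inter[q] - mask_q) % MOD       # = x_p - x_0 + h(r_e)


def shared_ot(xs, p: int):
    """Run all roles in one process; returns (c0, c1) with c0 + c1 = xs[p] mod 2**t."""
    n = len(xs)
    if not 0 <= p < n:
        raise ValueError("serial number out of range")
    rs, (q, r_q) = dealer(n)
    e = alice_request(p, q, n)
    inter, c1 = bob_respond(xs, rs, e)
    c0 = alice_finish(p, q, r_q, inter)
    return c0, c1


def share_product(a0: int, a1: int, b: int, n: int):
    """Steps 501/502 with g = multiplication: Alice holds a0, Bob holds a1 and b."""
    if n & (n - 1) or not (0 <= a0 < n and 0 <= a1 < n):
        raise ValueError("N must be a power of two and a0, a1 must be below N")
    xs = [((j ^ a1) * b) % MOD for j in range(n)]   # x_j = g(j XOR a1, b)
    return shared_ot(xs, a0)                        # x_{a0} = (a0 XOR a1) * b


if __name__ == "__main__":
    a0, a1, b = 5, 3, 1000                 # constructed sample inputs
    c0, c1 = share_product(a0, a1, b, 8)
    print("a*b =", (a0 ^ a1) * b, "reconstructed =", (c0 + c1) % MOD)
```

Each party sends one message: Alice sends the single index e and Bob returns N-1 masked values, which matches the low round count the description claims.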
Based on the same concept as the foregoing method embodiments, the embodiments of this specification further provide an execution device for shared OT, involving a first party and a second party. The second party holds N privacy values arranged in order and N random numbers arranged in order; the first party holds a first serial number of a target privacy value among the N privacy values, a target random number, and the second serial number of that random number among the N random numbers. The device is deployed on the second party. As shown in Figure 6, the device includes: a communication processing unit 61, configured to receive from the first party a third serial number that the first party calculated based on the first serial number and the second serial number; a first calculation unit 63, configured to calculate, based on the third serial number, the N privacy values and the N random numbers, the intermediate data corresponding to each of the remaining N-1 privacy values other than the one whose serial number is the third serial number; the communication processing unit 61, further configured to send the intermediate data corresponding to each of the N-1 privacy values to the first party, so that the first party calculates a first fragment of the target privacy value; and a second calculation unit 65, configured to calculate a second fragment of the target privacy value based on the random number whose serial number is the third serial number and the privacy value ranked first, wherein the result of processing the first fragment and the second fragment with a first preset operation rule equals the target privacy value.
Based on the same concept as the foregoing method embodiments, the embodiments of this specification further provide an execution device for shared OT, involving a first party and a second party. The second party holds N privacy values arranged in order and N random numbers arranged in order; the first party holds a first serial number of a target privacy value among the N privacy values, a target random number, and the second serial number of that random number among the N random numbers. The device is deployed on the first party. As shown in Figure 7, the device includes: a communication processing unit 71, configured to send to the second party a third serial number calculated based on the first serial number and the second serial number, so that the second party calculates a second fragment of the target privacy value based on the random number whose serial number is the third serial number and the privacy value ranked first, and returns the intermediate data corresponding to each of the remaining N-1 privacy values other than the one whose serial number is the third serial number; and a calculation processing unit 73, configured to calculate a first fragment of the target privacy value based on at least the first serial number and the target random number, wherein the result of processing the first fragment and the second fragment with a first preset operation rule equals the target privacy value.
Based on the same concept as the foregoing method embodiments, the embodiments of this specification further provide a secure multi-party computation device based on the OT protocol, involving a first party and a second party. The first party holds a third privacy value that is to serve as the first serial number, and the second party holds a second privacy value. The device is deployed on the second party. As shown in Figure 8, the device includes: a calculation processing unit 81, configured to generate N privacy values arranged in order, wherein any privacy value with serial number j is obtained by processing the serial number j and the second privacy value with a target operation rule, so that the privacy value whose serial number is the third privacy value equals the result of processing the third privacy value and the second privacy value with the target operation rule; and a calling processing unit 83, configured to jointly execute the shared OT protocol with the first party on the N privacy values and the third privacy value serving as the first serial number, through the execution device for shared OT deployed on the second party as described in the embodiments of this specification, obtaining the second fragment of the target privacy value whose serial number is the third privacy value, and causing the first party to correspondingly obtain the first fragment of the target privacy value whose serial number is the third privacy value.
Based on the same concept as the foregoing method embodiments, the embodiments of this specification further provide a secure multi-party computation device based on the shared OT protocol, involving a first party and a second party. The first party holds a third privacy value that is to serve as the first serial number, and the second party holds a second privacy value. The device is deployed on the first party. The device is configured to jointly execute the shared OT protocol with the second party on the third privacy value serving as the first serial number and N privacy values, through the execution device for shared OT deployed on the first party as described in the embodiments of this specification, obtaining the first fragment of the target privacy value whose serial number is the third privacy value, and causing the second party to obtain the second fragment of the target privacy value whose serial number is the third privacy value, wherein any privacy value with serial number j is obtained by the second party by processing the serial number j and the second privacy value with a target operation rule, so that the privacy value whose serial number is the third privacy value equals the result of processing the third privacy value and the second privacy value with the target operation rule.
Those skilled in the art will appreciate that, in one or more of the above examples, the functions described in this specification can be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the computer programs corresponding to these functions can be stored in a computer-readable medium or transmitted as one or more instructions/code on a computer-readable medium, so that when those computer programs are executed by a computer, the computer implements the method described in any embodiment of this specification.
The embodiments of this specification further provide a computer-readable storage medium storing computer programs/instructions. When the computer programs/instructions are executed in a computing device, the computing device performs the shared OT execution method implemented by the first party or the second party as provided in any embodiment of this specification, or performs the secure multi-party computation method based on the shared OT protocol implemented by the first party or the second party as provided in any embodiment of this specification.
The embodiments of this specification further provide a computing device including a memory and a processor. The memory stores computer programs/instructions, and when the processor executes them, it implements the shared OT protocol execution method implemented by the first party or the second party as provided in any embodiment of this specification, or implements the secure multi-party computation method based on the shared OT protocol implemented by the first party or the second party as provided in any embodiment of this specification.
The embodiments in this specification are described in a progressive manner. For parts that are the same or similar across embodiments, the embodiments may be referred to one another; each embodiment focuses on its differences from the others. In particular, because the device embodiments are substantially similar to the method embodiments, they are described relatively briefly; for related details, refer to the corresponding description of the method embodiments.
The foregoing describes specific embodiments of this specification. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recited in the claims can be performed in an order different from that in the embodiments and still achieve the desired results. In addition, the processes depicted in the figures do not necessarily require the particular order shown, or sequential order, to achieve the desired results. In certain implementations, multitasking and parallel processing are also possible or may be advantageous.
The specific embodiments described above further explain in detail the objectives, technical solutions and beneficial effects of the present invention. It should be understood that the above are only specific embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement, improvement or the like made on the basis of the technical solutions of the present invention shall fall within the scope of protection of the present invention.

Claims (30)

  1. An execution method for a shared oblivious transfer (OT) protocol, involving a first party and a second party, wherein the second party holds N privacy values and N random numbers, and the first party holds a first serial number of a target privacy value among the N privacy values, a target random number, and the second serial number of that random number among the N random numbers; the method is applied to the second party and comprises:
    receiving from the first party a third serial number that the first party calculated based on the first serial number and the second serial number;
    calculating, based on the third serial number, the N privacy values and the N random numbers, the intermediate data corresponding to each of the remaining N-1 privacy values other than the one whose serial number is the third serial number;
    sending the intermediate data corresponding to each of the N-1 privacy values to the first party, so that the first party calculates a first fragment of the target privacy value;
    calculating a second fragment of the target privacy value based on the random number whose serial number is the third serial number and the privacy value ranked first, wherein the result of processing the first fragment and the second fragment with a first preset operation rule equals the target privacy value.
  2. The method according to claim 1, further comprising: receiving the N random numbers from a third party; wherein the target random number and the second serial number are sent to the first party by the third party.
  3. The method according to claim 1, wherein the third serial number is obtained by taking the sum of the first serial number and the second serial number modulo N, and the result of summing the first fragment and the second fragment equals the target privacy value.
  4. The method according to claim 1, wherein the third serial number is obtained by XORing the first serial number and the second serial number, and the result of XORing the first fragment and the second fragment equals the target privacy value.
  5. The method according to any one of claims 1-4, wherein calculating, based on the third serial number, the N privacy values and the N random numbers, the intermediate data corresponding to each of the remaining N-1 privacy values other than the one whose serial number is the third serial number comprises: for any privacy value with serial number j other than the one whose serial number is the third serial number, processing the random number with serial number j according to a second preset operation rule to obtain its corresponding first data item, and calculating, based on the first data item, a second data item, a third data item and the privacy value ranked first, the intermediate data with serial number j corresponding to the privacy value with serial number j, wherein the second data item is obtained by processing the random number whose serial number is the third serial number with the second preset operation rule, the third data item is the privacy value with serial number y, and the value of y equals the result of taking the difference between the third serial number and j modulo N.
  6. The method according to claim 5, wherein calculating the second fragment of the target privacy value based on the random number whose serial number is the third serial number and the privacy value ranked first comprises: calculating the second fragment of the target privacy value according to the second data item and the privacy value ranked first.
  7. The method according to claim 5, wherein each of the N privacy values is t bits long; and processing the random number with serial number j according to the second preset operation rule to obtain its corresponding first data item comprises: calculating a t-bit hash value of the random number with serial number j as its corresponding first data item; or, for a random number with serial number j whose length is greater than t bits, extracting a bit sequence of length t bits starting from a predetermined position, and using the data represented by that bit sequence as the first data item corresponding to the random number with serial number j.
  8. An execution method for a shared oblivious transfer (OT) protocol, involving a first party and a second party, wherein the second party holds N privacy values and N random numbers, and the first party holds a first serial number of a target privacy value among the N privacy values, a target random number, and the second serial number of that random number among the N random numbers; the method is applied to the first party and comprises: sending to the second party a third serial number calculated based on the first serial number and the second serial number, so that the second party calculates a second fragment of the target privacy value based on the random number whose serial number is the third serial number and the privacy value ranked first, and returns the intermediate data corresponding to each of the remaining N-1 privacy values other than the one whose serial number is the third serial number;
    calculating a first fragment of the target privacy value based on at least the first serial number and the target random number, wherein the result of processing the first fragment and the second fragment with a first preset operation rule equals the target privacy value.
  9. The method according to claim 8, wherein the N random numbers are sent to the second party by a third party; the method further comprises: receiving the target random number and the second serial number from the third party.
  10. The method according to claim 8, wherein the third serial number is obtained by taking the sum of the first serial number and the second serial number modulo N, and the result of summing the first fragment and the second fragment equals the target privacy value.
  11. The method according to claim 1, wherein the third serial number is the result of XORing the first serial number and the second serial number, and the result of XORing the first fragment and the second fragment equals the target privacy value.
  12. The method according to any one of claims 8-11, wherein calculating the first fragment of the target privacy value based on at least the first serial number and the target random number comprises: processing the target random number with a second preset operation rule to obtain a fourth data item; determining, based on the first serial number, whether the target privacy value is the privacy value ranked first; if so, using the fourth data item as the first fragment of the target privacy value; otherwise, calculating the first fragment of the target privacy value based on the fourth data item and the intermediate data corresponding to the privacy value whose serial number is the second serial number.
  13. The method according to claim 12, wherein each of the N privacy values is t bits long; and processing the target random number with the second preset operation rule to obtain the fourth data item comprises: calculating a t-bit hash value of the target random number as the fourth data item; or, for a target random number whose length is greater than t bits, extracting a bit sequence of length t bits starting from a predetermined position, and using the data represented by that t-bit sequence as the fourth data item.
  14. A secure multi-party computation method based on a shared oblivious transfer (OT) protocol, involving a first party and a second party, wherein the first party holds a third privacy value that is to serve as a first serial number, and the second party holds a second privacy value; the method is applied to the second party and comprises:
    generating N privacy values arranged in order, wherein any privacy value with serial number j is obtained by processing the serial number j and the second privacy value with a target operation rule, so that the privacy value whose serial number is the third privacy value equals the result of processing the third privacy value and the second privacy value with the target operation rule;
    jointly executing the shared OT protocol with the first party on the N privacy values and the third privacy value serving as the first serial number, using the method according to any one of claims 1-7, to obtain the second fragment of the target privacy value whose serial number is the third privacy value, and causing the first party to correspondingly obtain the first fragment of the target privacy value whose serial number is the third privacy value.
  15. The method according to claim 14, wherein the second privacy value and the third privacy value are two fragments, in the modulo-2 space, of a fourth privacy value; the first fragment and the second fragment are each t bits long, t being greater than 1; and the result of XORing the second privacy value and the third privacy value equals the result of summing the first fragment and the second fragment.
  16. The method according to claim 14, wherein the target operation rule comprises a summation operation, a product operation, a bitwise AND operation, a bitwise OR operation, or a bitwise XOR operation.
  17. The method according to claim 14, wherein the first party further holds a fourth privacy value, and the sum of the second privacy value and the fourth privacy value equals a fifth privacy value; the sum of the second fragment and a third fragment equals the product of the third privacy value and the fifth privacy value, wherein the third fragment is calculated by the first party based on the third privacy value, the fourth privacy value and the first fragment.
  18. The method according to claim 14, wherein the first party further holds a fourth privacy value, and the second party further holds a sixth privacy value and a seventh privacy value; the third privacy value and the sixth privacy value are two XOR fragments, in the modulo-2 space, of an eighth privacy value located in the modulo-2 space; the sum of the fourth privacy value and the seventh privacy value equals a fifth privacy value; the second privacy value is calculated by the second party based on the sixth privacy value and the seventh privacy value; and the second fragment is used to calculate the product of the fifth privacy value and the eighth privacy value.
  19. A secure multi-party computation method based on a shared oblivious transfer (OT) protocol, involving a first party and a second party, wherein the first party holds a third privacy value that is to serve as a first serial number, and the second party holds a second privacy value; the method is applied to the first party and comprises: jointly executing the shared OT protocol with the second party on the third privacy value serving as the first serial number and N privacy values, using the method according to any one of claims 8-13, to obtain the first fragment of the target privacy value whose serial number is the third privacy value, and causing the second party to obtain the second fragment of the target privacy value whose serial number is the third privacy value, wherein any privacy value with serial number j is obtained by the second party by processing the serial number j and the second privacy value with a target operation rule, so that the privacy value whose serial number is the third privacy value equals the result of processing the third privacy value and the second privacy value with the target operation rule.
  20. The method according to claim 19, wherein the second privacy value and the third privacy value are two fragments, in the modulo-2 space, of a fourth privacy value; the first fragment and the second fragment are each t bits long, t being greater than 1; and the result of XORing the second privacy value and the third privacy value equals the result of summing the first fragment and the second fragment.
  21. The method according to claim 19, wherein the target operation rule comprises a summation operation, a product operation, a bitwise AND operation, a bitwise OR operation, or a bitwise XOR operation.
  22. The method according to claim 19, wherein the sum of the second privacy value and a fourth privacy value held by the first party equals a fifth privacy value; the method further comprises: calculating a third fragment based on the third privacy value, the fourth privacy value and the first fragment, so that the sum of the second fragment and the third fragment equals the product of the third privacy value and the fifth privacy value.
  23. The method according to claim 19, wherein the first party further holds a fourth privacy value, and the second party further holds a sixth privacy value and a seventh privacy value; the third privacy value and the sixth privacy value are two XOR fragments, in the modulo-2 space, of an eighth privacy value located in the modulo-2 space; the sum of the fourth privacy value and the seventh privacy value equals a fifth privacy value; the second privacy value is calculated by the second party based on the sixth privacy value and the seventh privacy value; and the first fragment is used to calculate the product of the fifth privacy value and the eighth privacy value.
  24. A secure multi-party computation method based on a shared oblivious transfer (OT) protocol, involving a first party and a second party, wherein the first party holds a third privacy value that is to serve as a first serial number, and the second party holds a fifth privacy value and a sixth privacy value; the third privacy value and the sixth privacy value are two XOR fragments, in the modulo-2 space, of an eighth privacy value located in the modulo-2 space; the method is applied to the first party and comprises: the second party generating N privacy values arranged in order, wherein any privacy value with serial number j equals the result of processing the XOR result with serial number j and the fifth privacy value with a target operation rule, the XOR result with serial number j being obtained by XORing the serial number j and the sixth privacy value, so that the target privacy value whose serial number is the third privacy value equals the result of processing the fifth privacy value and the eighth privacy value with the target operation rule;
    the first party and the second party jointly executing the shared OT protocol on the third privacy value serving as the first serial number and the N privacy values, using the method according to any one of claims 1-13, to respectively obtain the first fragment and the second fragment of the target privacy value whose serial number is the third privacy value.
  25. An execution device for a shared oblivious transfer (OT) protocol, involving a first party and a second party, wherein the second party holds N privacy values and N random numbers, and the first party holds a first serial number of a target privacy value among the N privacy values, a target random number, and the second serial number of that random number among the N random numbers; the device is deployed on the second party and comprises:
    通信处理单元,配置为从所述第一方接收其基于所述第一序号和所述第二序号计算得到的第三序号;a communication processing unit configured to receive from the first party a third sequence number calculated based on the first sequence number and the second sequence number;
    第一计算单元,配置为基于所述第三序号、所述N个隐私数值以及所述N个随机数,计算除序号为所述第三序号以外的其余N-1个隐私数值各自对应的中间数据;A first calculation unit configured to calculate, based on the third serial number, the N privacy values and the N random numbers, the corresponding intermediate values of the remaining N-1 privacy values except for the third serial number. data;
    所述通信处理单元,还配置为向所述第一方发送所述N-1个隐私数值各自对应的中间数据,使所述第一方计算所述目标隐私数值的第一分片;The communication processing unit is further configured to send intermediate data corresponding to each of the N-1 privacy values to the first party, so that the first party calculates the first fragment of the target privacy value;
    第二计算单元,配置为基于序号为所述第三序号的随机数以及排列在首位的隐私数值,计算所述目标隐私数值的第二分片,其中利用第一预设运算规则处理所述第一分片和所述第二分片的结果相等于所述目标隐私数值。The second calculation unit is configured to calculate the second fragment of the target privacy value based on the random number whose serial number is the third serial number and the privacy value ranked first, wherein the first preset operation rule is used to process the second fragment of the target privacy value. The results of one fragment and the second fragment are equal to the target privacy value.
  26. 一种分享不经意传输协议OT的执行装置,涉及第一方和第二方,所述第二方持有N个隐私数值以及N个随机数,所述第一方持有目标隐私数值在所述N个隐私数值中的第一序号、目标随机数以及其在所述N个随机数中的第二序号,所述装置部署在所述第一方,所述装置包括:An execution device for sharing an oblivious transmission protocol OT, involving a first party and a second party. The second party holds N privacy values and N random numbers. The first party holds a target privacy value in the The first serial number among the N privacy values, the target random number and its second serial number among the N random numbers, the device is deployed on the first party, and the device includes:
    通信处理单元,配置为向所述第二方发送基于所述第一序号和所述第二序号计算得到的第三序号,使所述第二方基于序号为所述第三序号的随机数以及排列在首位的隐私数值,计算所述目标隐私数值的第二分片,并返回除序号为所述第三序号以外的其余N-1个隐私数值各自对应的中间数据;A communication processing unit configured to send a third serial number calculated based on the first serial number and the second serial number to the second party, so that the second party can generate a random number based on the serial number being the third serial number and For the privacy value ranked first, calculate the second fragment of the target privacy value, and return the intermediate data corresponding to each of the remaining N-1 privacy values except for the third sequence number;
    计算处理单元,配置为至少根据所述第一序号和所述目标随机数计算所述目标隐私数值的第一分片,其中利用第一预设运算规则处理所述第一分片和所述第二分片而得到的结果相等于所述目标隐私数值。A calculation processing unit configured to calculate the first fragment of the target privacy value based on at least the first sequence number and the target random number, wherein the first fragment and the third fragment are processed using a first preset operation rule. The result of bi-sharding is equal to the target privacy value.
  27. 一种基于分享不经意传输OT协议的安全多方计算装置,涉及第一方和第二方,所述第一方持有将要作为第一序号的第三隐私数值,所述第二方持有第二隐私数值,所述装置部署在所述第二方,所述装置包括:A secure multi-party computing device based on the shared unintentional transmission OT protocol, involving a first party and a second party. The first party holds a third privacy value to be used as a first serial number, and the second party holds a second Privacy value, the device is deployed on the second party, and the device includes:
    计算处理单元,配置为生成按顺序排列的N个隐私数值,其中任意的序号为j的隐私数值是利用目标运算规则处理序号j和所述第二隐私数值而得到的,使序号为所述第三隐私数值的隐私数值相等于利用目标运算规则处理所述第三隐私数值和所述第二隐私数值的结果;The calculation processing unit is configured to generate N privacy values arranged in order, wherein any privacy value with serial number j is obtained by processing serial number j and the second privacy value using the target operation rule, so that the serial number is the third privacy value. The privacy value of the three privacy values is equal to the result of processing the third privacy value and the second privacy value using a target operation rule;
    调用处理单元,配置为对所述N个隐私数值和作为第一序号的所述第三隐私数值,通过权利要求26中所述的分享OT的执行装置与所述第一方联合执行分享OT协议,获得序号为所述三隐私数值的目标隐私数值的第二分片,并使所述第一方对应获得序号为所述第三隐私数值的目标隐私数值的第一分片。Calling a processing unit configured to jointly execute the shared OT protocol with the first party through the shared OT execution device described in claim 26 for the N privacy values and the third privacy value as the first serial number. , obtain the second fragment whose sequence number is the target privacy value of the three privacy values, and enable the first party to correspondingly obtain the first fragment whose sequence number is the target privacy value of the third privacy value.
  28. 一种基于分享不经意传输OT协议的安全多方计算装置,涉及第一方和第二方,所述第一方持有将要作为第一序号的第三隐私数值,所述第二方持有第二隐私数值,所述装置部署在所述第一方,所述装置用于对作为第一序号的所述第三隐私数值和N个隐私数值,通过权利要求27中所述的分享OT的执行装置与所述第二方联合执行分享OT协议,获得序号为所述三隐私数值的目标隐私数值的第一分片,并使所述第二方获得序号为所述第三隐私数值的目标隐私数值的第二分片,其中任意序号为j的隐私数值是由所述第二方利用目标运算规则处理序号j和所述第二隐私数值而得到的,使序号为所述第三隐私数值的隐私数值相等于利用目标运算规则处理所述第三隐私数值和所述第二隐私数值的结果。A secure multi-party computing device based on the shared unintentional transmission OT protocol, involving a first party and a second party. The first party holds a third privacy value to be used as a first serial number, and the second party holds a second Privacy value, the device is deployed on the first party, and the device is used to process the third privacy value as the first serial number and the N privacy values through the execution device for sharing OT described in claim 27 Jointly execute the sharing OT protocol with the second party to obtain the first fragment with a sequence number of the target privacy value of the three privacy values, and enable the second party to obtain the target privacy value with a sequence number of the third privacy value. The second fragment of , in which any privacy value with serial number j is obtained by the second party using the target operation rule to process serial number j and the second privacy value, so that the serial number is the privacy value of the third privacy value The numerical value is equal to the result of processing the third privacy value and the second privacy value using a target operation rule.
  29. 一种计算机可读存储介质,其上存储有计算机程序,当所述计算机程序在计算设备中执行时,计算设备执行权利要求1-23中任一项所述的方法。A computer-readable storage medium having a computer program stored thereon. When the computer program is executed in a computing device, the computing device performs the method of any one of claims 1-23.
  30. 一种计算设备,包括存储器和处理器,所述存储器中存储有计算机程序,所述处理器执行所述计算机程序时,实现权利要求1-23中任一项所述的方法。A computing device includes a memory and a processor. A computer program is stored in the memory. When the processor executes the computer program, the method of any one of claims 1-23 is implemented.
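The message flow of claims 25 and 26 and the table-lookup use of it in claims 24, 27 and 28, as an added example that is not code from the patent or the applicant. The concrete formulas are assumptions, since claims 1-13 are not reproduced in this section: XOR as the share-combining rule, d = (c - i) mod N as the third index, the shape of the intermediate data, and a trusted `offline` step that hands out the random numbers.

```python
import secrets
# Added illustration: formulas are assumptions, not taken from claims 1-13.
BITS = 32  # width of values and masks (assumption)

def offline(n):
    """Assumed preprocessing: party 2 gets n random masks r; party 1 gets
    one random index c (the "second index") and the mask r[c]."""
    r = [secrets.randbits(BITS) for _ in range(n)]
    c = secrets.randbelow(n)
    return r, c, r[c]

def p1_request(i, c, n):
    """Party 1: third index d from its first index i and second index c.
    c is uniform and unknown to party 2, so d reveals nothing about i."""
    return (c - i) % n

def p2_respond(x, r, d):
    """Party 2: second share from mask r[d] and the value ranked first, plus
    n-1 intermediate items (the item for mask index d would be 0: skipped)."""
    n = len(x)
    s2 = x[0] ^ r[d]
    msgs = {t: x[(t - d) % n] ^ r[t] ^ s2 for t in range(n) if t != d}
    return s2, msgs

def p1_finish(c, r_c, msgs):
    """Party 1: only the item at index c can be unmasked, since it knows r[c].
    If c == d (target index 0) nothing was sent for it and the share is r[c]."""
    return r_c ^ msgs.get(c, 0)

def shared_ot(i, x):
    """Run both roles in one process; returns (share1, share2, d)."""
    r, c, r_c = offline(len(x))
    d = p1_request(i, c, len(x))
    s2, msgs = p2_respond(x, r, d)
    return p1_finish(c, r_c, msgs), s2, d

def shared_eval(f, a, b, n):
    """Claims 27/28 pattern: party 2 tabulates f(j, b) for every index j,
    party 1 selects index a; the parties end with XOR shares of f(a, b)."""
    s1, s2, _ = shared_ot(a, [f(j, b) for j in range(n)])
    return s1, s2

def shared_eval_xor_input(f, a1, a2, b, n):
    """Claim 24 pattern: a = a1 ^ a2 is XOR-shared; party 2 tabulates
    f(j ^ a2, b), so index a1 selects f(a1 ^ a2, b)."""
    s1, s2, _ = shared_ot(a1, [f(j ^ a2, b) for j in range(n)])
    return s1, s2
```

Neither party learns the selected value: each ends with one share, and the result only appears when the two shares are XORed. Values returned by `f` must fit in `BITS` bits for the masks to hide them.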
PCT/CN2022/135294 2022-06-02 2022-11-30 Execution method and device for shared ot protocol, and secure multi-party computation method and device WO2023231340A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210619377.X 2022-06-02
CN202210619377.XA CN115001674A (en) 2022-06-02 2022-06-02 Execution method of sharing OT protocol, secure multi-party computing method and device

Publications (1)

Publication Number Publication Date
WO2023231340A1 true WO2023231340A1 (en) 2023-12-07

Family

ID=83030326

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/135294 WO2023231340A1 (en) 2022-06-02 2022-11-30 Execution method and device for shared ot protocol, and secure multi-party computation method and device

Country Status (2)

Country Link
CN (1) CN115001674A (en)
WO (1) WO2023231340A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115001674A (en) * 2022-06-02 2022-09-02 蚂蚁区块链科技(上海)有限公司 Execution method of sharing OT protocol, secure multi-party computing method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020167333A1 (en) * 2019-02-12 2020-08-20 Visa International Service Association Fast oblivious transfers
WO2021237437A1 (en) * 2020-05-26 2021-12-02 云图技术有限公司 Data processing method and apparatus employing secure multi-party computation, and electronic device
CN114297726A (en) * 2021-12-28 2022-04-08 支付宝(杭州)信息技术有限公司 Multiplication execution method and device based on secure multi-party calculation
CN115001674A (en) * 2022-06-02 2022-09-02 蚂蚁区块链科技(上海)有限公司 Execution method of sharing OT protocol, secure multi-party computing method and device

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117520970A (en) * 2024-01-05 2024-02-06 同盾科技有限公司 Symbol position determining method, device and system based on multiparty security calculation
CN117520970B (en) * 2024-01-05 2024-03-29 同盾科技有限公司 Symbol position determining method, device and system based on multiparty security calculation

Also Published As

Publication number Publication date
CN115001674A (en) 2022-09-02

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application

Ref document number: 22944641

Country of ref document: EP

Kind code of ref document: A1