CN109525386B - Private intersection-sum method based on Paillier homomorphic encryption - Google Patents
Abstract
The invention provides a private intersection-sum method based on Paillier homomorphic encryption and relates to the technical field of cyberspace security and privacy protection. The method comprises a private intersection-sum protocol and a reverse private intersection-sum protocol, both based on Paillier homomorphic encryption. In the private intersection-sum protocol, the two parties negotiate the basic settings of the encrypted private intersection-sum and carry out three rounds of encryption; finally party 2 decrypts with the private key and obtains the intersection-sum. In the reverse private intersection-sum protocol, the two parties negotiate the basic settings of the encrypted reverse private intersection-sum and carry out two rounds of encryption; party 2 then decrypts with the private key the intersection-sum that still carries the disturbing factors and judges whether the cardinality of the intersection is large enough to enter a third round of decryption; if the condition is met, party 1 removes the disturbing factors and obtains the intersection-sum. The method provides a ciphertext segmentation scheme that exploits the properties of modular arithmetic, has higher efficiency, and lets both sides of the protocol accurately compute the cardinality and the sum of the intersection, thereby avoiding the information leakage that the habitual pairwise computation could cause.
Description
Technical Field
The invention relates to the technical field of cyberspace security and privacy protection, in particular to a private intersection-sum method based on Paillier homomorphic encryption.
Background
In recent years data has grown explosively; the volume and variety of data have become ever more complex, and large amounts of valuable customer information, personal privacy records and enterprise operating data are continuously being mined. In this era of data explosion, privacy protection under big data is a very important problem.
Private Set Intersection (PSI) is an important protocol in secure multiparty computation. It lets two or more parties compute on their input data sets while learning only the intersection and nothing beyond it. Related protocols allow the parties to learn only certain properties of the intersection, such as its cardinality or whether its size exceeds some threshold. Various approaches have been proposed in previous work, including protocols in the semi-honest model as well as in the malicious model.
Disclosure of Invention
To address the problems of the prior art, the invention provides a private intersection-sum method based on Paillier homomorphic encryption, comprising a private intersection-sum protocol and a reverse private intersection-sum protocol, both based on Paillier homomorphic encryption. Both protocols involve two parties, party 1 and party 2. The input to the private intersection-sum protocol is the private data set of user identifiers held by each party; the data set of one party additionally contains an integer value associated with each user identifier. The two parties want to learn the cardinality of the intersection and the sum of the integer values associated with the intersection, but neither party may learn the actual user identifiers in the intersection or any additional information (other than the size of the intersection) about the other party's data, i.e. the users' private information. The result of the private intersection-sum protocol is that party 1 obtains only the cardinality of the intersection, while party 2 obtains only the intersection-sum. The reverse private intersection-sum protocol guarantees a minimum number of intersection elements by terminating communication before the intersection-sum is obtained if the intersection is too small, thereby protecting the users' private information; its result is that both sides obtain the cardinality of the intersection, and only party 1 obtains the intersection-sum.
To achieve this purpose, the private intersection-sum method based on Paillier homomorphic encryption comprises a private intersection-sum protocol based on Paillier homomorphic encryption and a reverse private intersection-sum protocol based on Paillier homomorphic encryption;
(1) The private intersection-sum protocol based on Paillier homomorphic encryption comprises the following steps:
Step 1: the two parties negotiate the basic settings of the encrypted private intersection-sum, specifically:
Step 1.1: the two parties negotiate a security parameter λ, a group G ∈ G(λ), a user identifier space U = U(λ) and a random oracle RO: U → G, where the random oracle RO maps a user identifier to a random element of the group G;
Step 1.2: party 1 holds an input set U_1 = {u_i}_{i∈[m]} of m user identifiers, where u_i ∈ U is the i-th user of party 1;
Step 1.3: party 2 holds a set {(v_j, t_j)}_{j∈[n]} of n user identifiers paired with associated integer values, where v_j ∈ U is the j-th user of party 2 and t_j ∈ Z+ is the integer value associated with it, Z+ being the positive integers; the private sum ∑ t_j must fit in the Paillier message space for the security parameter λ; define U_2 = {v_j}_{j∈[n]};
Step 1.4: each party a selects a random secret exponent k_a for the group G;
Step 1.5: party 2 generates a new key pair (pk, sk) with the Pai.Gen(λ) function of the Paillier encryption scheme and shares the public key pk with party 1;
Step 2: party 1 encrypts its own user identifier set U_1 and sends it to party 2 in shuffled order, specifically:
Step 2.1: party 1 applies the random oracle RO to each user u_i of its user identifier set and then performs the first encryption with the secret key k_1, obtaining the party-1 user ciphertext cipher_{u1} encrypted by party 1;
Step 2.2: party 1 sends the set formed by the encrypted user ciphertexts cipher_{u1} to party 2 in shuffled order;
Step 3: party 2 encrypts the user data sent by party 1 and its own user identifier set U_2 and sends them to party 1 in shuffled order, specifically:
Step 3.1: party 2 uses the key k_2 to encrypt each received party-1 ciphertext cipher_{u1} a second time, obtaining the party-1 user ciphertext cipher_{u12} encrypted by both parties;
Step 3.2: party 2 sends the set formed by the doubly encrypted party-1 user ciphertexts cipher_{u12} to party 1 in shuffled order;
Step 3.3: party 2 uses the key k_2 to encrypt the random-oracle image RO(v_j) of each user identifier v_j in the input set elements (v_j, t_j), and then uses the Paillier public key pk to encrypt the integer value t_j paired with each v_j, obtaining the party-2 user ciphertext cipher_{v2} encrypted by party 2 paired with the ciphertext cipher_{t2} = Pai(t_j) of its integer value;
Step 3.4: party 2 sends the set formed by the pairs (cipher_{v2}, cipher_{t2}) to party 1 in shuffled order;
Step 4: party 1 encrypts the data sent by party 2, obtains the intersection of cipher_{v12} and cipher_{u12}, and from the resulting set H obtains the ciphertext Pai(S_H) of the sum of the integer values paired with the intersection, which it sends to party 2, specifically:
Step 4.1: party 1 uses the key k_1 to encrypt a second time the cipher_{v2} component of each received pair (cipher_{v2}, cipher_{t2}), obtaining the pair (cipher_{v12}, cipher_{t2}) of the party-2 user ciphertext encrypted by both parties and the ciphertext of its paired integer value;
Step 4.3: for each element h in the set H, party 1 multiplies the integer-value ciphertexts cipher_{t2} = Pai(t_j) paired with h, homomorphically obtaining the ciphertext Pai(S_H) of the sum S_H of the integer values paired with the intersection: Pai(S_H) = Pai(∑_{j∈H} t_j) = Pai.Sum({Pai(t_j)}_{j∈H});
Step 4.4: party 1 sends the ciphertext Pai(S_H) of the sum S_H of the integer values paired with the intersection to party 2;
Step 5: party 2 uses the Paillier private key sk to decrypt the received ciphertext Pai(S_H) and obtains the sum S_H of the integer values paired with the intersection;
(2) The reverse private intersection-sum protocol based on Paillier homomorphic encryption comprises the following steps:
S1: the two parties negotiate the basic settings of the encrypted reverse private intersection-sum, specifically:
S1.1: the two parties negotiate a security parameter λ, a group G ∈ G(λ), a user identifier space U = U(λ) and a random oracle RO: U → G, where the random oracle RO maps a user identifier to a random element of the group G;
S1.2: party 1 holds an input set U_1 = {u_i}_{i∈[m]} of m user identifiers, where u_i ∈ U is the i-th user of party 1;
S1.3: party 2 holds a set {(v_j, t_j)}_{j∈[n]} of n user identifiers paired with associated integer values, where v_j ∈ U is the j-th user of party 2 and t_j ∈ Z+ is the integer value associated with it, Z+ being the positive integers; the private sum ∑ t_j must fit in the Paillier message space for the security parameter λ; define the input set of party-2 user identifiers U_2 = {v_j}_{j∈[n]};
S1.4: each party a selects a random secret exponent k_a for the group G;
S1.5: party 2 generates a new key pair (pk, sk) with the Pai.Gen(λ) function of the Paillier encryption scheme and shares the public key pk with party 1;
S2: party 2 encrypts its own user identifier set U_2 and sends it to party 1 in order, specifically:
S2.1: party 2 uses the key k_2 to encrypt the random-oracle image RO(v_j) of each user identifier v_j in the input set elements (v_j, t_j), and then uses the Paillier public key pk to encrypt the integer value t_j paired with each v_j, obtaining the party-2 user ciphertext cipher_{v2} encrypted by party 2 paired with the ciphertext cipher_{t2} = Pai(t_j) of its integer value;
S2.2: party 2 sends the set formed by the pairs (cipher_{v2}, cipher_{t2}) to party 1 in order;
S3: party 1 encrypts the user data sent by party 2 and its own user identifier set U_1 and sends them to party 2, specifically:
S3.1: party 1 uses the key k_1 to encrypt a second time the cipher_{v2} component of each received pair (cipher_{v2}, cipher_{t2}), obtaining the party-2 user ciphertext cipher_{v12} encrypted by both parties; it also randomly chooses a mapping (j → r_j) under the Paillier modulus N, where r_j ∈ Z+, and using Pai(t_j + r_j) = Pai(t_j) × Pai(r_j) homomorphically applies a one-time pad encryption to the integer value t_j paired with each received user identifier v_j, finally obtaining the pair (cipher_{v12}, cipher_{tr2}) of the doubly encrypted party-2 user ciphertext and the padded ciphertext of its paired integer value;
S3.2: party 1 stores the mapping (j → r_j) and sends the set formed by the pairs (cipher_{v12}, cipher_{tr2}) to party 2 in order;
S3.3: party 1 uses the key k_1 to encrypt the random-oracle image RO(u_i) of each user u_i of its input set U_1, obtaining the party-1 user ciphertext cipher_{u1} encrypted by party 1;
S3.4: party 1 sends the set formed by the encrypted user ciphertexts cipher_{u1} to party 2 in shuffled order;
S4: party 2 encrypts the data sent by party 1, obtains the index set J of the intersection of cipher_{v12} and cipher_{u12}, then from J obtains the padded sum S_Jr of the integer values paired with the intersection and sends it to party 1, specifically:
S4.1: party 2 uses the key k_2 to encrypt each received party-1 ciphertext cipher_{u1} a second time, obtaining the party-1 user ciphertext cipher_{u12} encrypted by both parties;
S4.3: party 2 judges whether the cardinality of the intersection is smaller than the set threshold; if so, party 2 terminates the protocol, otherwise it continues with S4.4;
S4.4: party 2 multiplies all elements Pai(t_j + r_j) whose indices lie in the index set J and decrypts the product with the private key sk, obtaining the one-time-padded sum S_Jr = ∑_{j∈J} (t_j + r_j) of the integer values paired with the intersection;
S4.5: party 2 sends the padded sum S_Jr and the index set J to party 1;
The invention has the beneficial effects that:
The invention provides a private intersection-sum method based on Paillier homomorphic encryption. It studies and adopts a Paillier homomorphic encryption based algorithm and uses the properties of modular arithmetic to provide a ciphertext segmentation scheme that segments and encrypts the plaintext; the scheme has higher efficiency and obtains the result on the encrypted plaintext without decryption. With the private intersection-sum protocol and the reverse private intersection-sum protocol based on Paillier homomorphic encryption, both parties to the protocol can accurately compute the cardinality and the sum of the intersection, and the information leakage that the habitual pairwise computation could cause is avoided. If in the reverse private intersection-sum protocol the cardinality of the intersection is found to be too small, the protocol is terminated, which effectively prevents one party from acquiring the intersection-sum, deducing the private information of particular users from it and thus leaking user privacy. During the Paillier homomorphic encryption, one party randomly selects a mapping to blind the encrypted integer values associated with the user ids, and the blinding factors are removed according to that mapping before the intersection-sum is obtained, which greatly improves the security of the protocol.
Drawings
Fig. 1 is an architecture diagram of the private intersection-sum protocol in an embodiment of the invention;
Fig. 2 is a timing diagram of the private intersection-sum protocol in an embodiment of the invention;
Fig. 3 is a flow chart of the private intersection-sum protocol in an embodiment of the invention;
Fig. 4 is an architecture diagram of the reverse private intersection-sum protocol in an embodiment of the invention;
Fig. 5 is a timing diagram of the reverse private intersection-sum protocol in an embodiment of the invention;
Fig. 6 is a flow chart of the reverse private intersection-sum protocol in an embodiment of the invention.
Detailed Description
To make the objects, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the accompanying drawings and specific embodiments. The specific embodiments described here merely illustrate the invention and are not intended to limit it.
A private intersection-sum method based on Paillier homomorphic encryption comprises a private intersection-sum protocol based on Paillier homomorphic encryption and a reverse private intersection-sum protocol based on Paillier homomorphic encryption;
(1) Private intersection-sum protocol based on Paillier homomorphic encryption
In this embodiment, the architecture of the private intersection-sum protocol based on Paillier homomorphic encryption is shown in Fig. 1. In the private intersection-sum protocol both parties input their entire set of user resource identifiers; on output, party 1 obtains the cardinality of the intersection and party 2 obtains the intersection-sum. The two parties of the private intersection-sum protocol carry out the intersection-sum process through a setup phase and three rounds of interaction, as shown in Fig. 2.
As can be seen from Fig. 2, in the setup step both parties agree on a security parameter λ, a group G ∈ G(λ) and a user identifier space U = U(λ), and both can use a random oracle RO: U → G. In the first round, party 1 encrypts its own user identifier set with k_1 and sends it to party 2. In the second round, party 2 encrypts the set sent by party 1 with k_2, encrypts its own user identifier set with k_2 and pk, and sends both to party 1; party 1 then computes the intersection of cipher_{v12} and cipher_{u12}. In the third round, party 1 sends the encrypted result for the set H to party 2, and party 2 decrypts it with sk to obtain the sum of the integer values paired with the intersection, i.e. the intersection-sum S_H.
In this embodiment, for convenience of the following description, the notation of Table 1 is used.
Table 1: notation for the communications between the entities (the table itself is not reproduced in this text).
The specific flow is shown in Fig. 3 and comprises the following steps:
Step 1: the two parties negotiate the basic settings of the encrypted private intersection-sum, specifically:
Step 1.1: the two parties negotiate a security parameter λ, a group G ∈ G(λ), a user identifier space U = U(λ) and a random oracle RO: U → G, where the random oracle RO maps a user identifier to a random element of the group G;
Step 1.2: party 1 holds an input set U_1 = {u_i}_{i∈[m]} of m user identifiers, where u_i ∈ U is the i-th user of party 1;
Step 1.3: party 2 holds a set {(v_j, t_j)}_{j∈[n]} of n user identifiers paired with associated integer values, where v_j ∈ U is the j-th user of party 2 and t_j ∈ Z+ is the integer value associated with it, Z+ being the positive integers; the private sum ∑ t_j must fit in the Paillier message space for the security parameter λ; define U_2 = {v_j}_{j∈[n]};
Step 1.4: each party a selects a random secret exponent k_a for the group G;
Step 1.5: party 2 generates a new key pair (pk, sk) with the Pai.Gen(λ) function of the Paillier encryption scheme and shares the public key pk with party 1;
Step 2: party 1 encrypts its own user identifier set U_1 and sends it to party 2 in shuffled order, specifically:
Step 2.1: party 1 applies the random oracle RO to each user u_i of its user identifier set and then performs the first encryption with the secret key k_1, obtaining the party-1 user ciphertext cipher_{u1} encrypted by party 1;
Step 2.2: party 1 sends the set formed by the encrypted user ciphertexts cipher_{u1} to party 2 in shuffled order;
Step 3: party 2 encrypts the user data sent by party 1 and its own user identifier set U_2 and sends them to party 1 in shuffled order, specifically:
Step 3.1: party 2 uses the key k_2 to encrypt each received party-1 ciphertext cipher_{u1} a second time, obtaining the party-1 user ciphertext cipher_{u12} encrypted by both parties;
Step 3.2: party 2 sends the set formed by the doubly encrypted party-1 user ciphertexts cipher_{u12} to party 1 in shuffled order;
Step 3.3: party 2 uses the key k_2 to encrypt the random-oracle image RO(v_j) of each user identifier v_j in the input set elements (v_j, t_j), and then uses the Paillier public key pk to encrypt the integer value t_j paired with each v_j, obtaining the party-2 user ciphertext cipher_{v2} encrypted by party 2 paired with the ciphertext cipher_{t2} = Pai(t_j) of its integer value;
Step 3.4: party 2 sends the set formed by the pairs (cipher_{v2}, cipher_{t2}) to party 1 in shuffled order;
Step 4: party 1 encrypts the data sent by party 2, obtains the intersection of cipher_{v12} and cipher_{u12}, and from the resulting set H obtains the ciphertext Pai(S_H) of the sum of the integer values paired with the intersection, which it sends to party 2, specifically:
Step 4.1: party 1 uses the key k_1 to encrypt a second time the cipher_{v2} component of each received pair (cipher_{v2}, cipher_{t2}), obtaining the pair (cipher_{v12}, cipher_{t2}) of the party-2 user ciphertext encrypted by both parties and the ciphertext of its paired integer value;
Step 4.3: for each element h in the set H, party 1 multiplies the integer-value ciphertexts cipher_{t2} = Pai(t_j) paired with h, homomorphically obtaining the ciphertext Pai(S_H) of the sum S_H of the integer values paired with the intersection: Pai(S_H) = Pai(∑_{j∈H} t_j) = Pai.Sum({Pai(t_j)}_{j∈H});
Step 4.4: party 1 sends the ciphertext Pai(S_H) of the sum S_H of the integer values paired with the intersection to party 2;
Step 5: party 2 uses the Paillier private key sk to decrypt the received ciphertext Pai(S_H) and obtains the intersection-sum S_H;
(2) Reverse private intersection-sum protocol based on Paillier homomorphic encryption
In this embodiment, the architecture of the reverse private intersection-sum protocol based on Paillier homomorphic encryption is shown in Fig. 4. In the reverse private intersection-sum protocol both parties again input their entire set of user resource identifiers, and the protocol is terminated at output time if the cardinality of the intersection is too small. Otherwise party 1 obtains the cardinality of the intersection and the intersection-sum, and party 2 obtains the cardinality of the intersection. The two parties of the reverse private intersection-sum protocol carry out the intersection-sum process through a setup phase and three rounds of interaction, as shown in Fig. 5.
As can be seen from Fig. 5, in the setup step both parties agree on a security parameter λ, a group G ∈ G(λ) and a user identifier space U = U(λ), and both can use a random oracle RO: U → G. In the first round, party 2 encrypts its own user identifier set with k_2 and pk and sends it to party 1. In the second round, party 1 encrypts its own user identifier set with k_1, encrypts each element of the set sent by party 2 with k_1, adds a disturbing factor to the encrypted integer values and sends everything to party 2; party 2 computes the index set J of the intersection of cipher_{v12} and cipher_{u12} and uses sk to decrypt the sum S_Jr of the integer values paired with the intersection, which still carries the disturbing factors; if the cardinality of the intersection is too small, the protocol is terminated. In the third round, party 2 sends S_Jr and the index set J to party 1, and party 1 removes the disturbing factors to obtain the sum of the integer values paired with the intersection, i.e. the intersection-sum S_J.
The specific flow is shown in Fig. 6 and comprises the following steps:
S1: the two parties negotiate the basic settings of the encrypted reverse private intersection-sum, specifically:
S1.1: the two parties negotiate a security parameter λ, a group G ∈ G(λ), a user identifier space U = U(λ) and a random oracle RO: U → G, where the random oracle RO maps a user identifier to a random element of the group G;
S1.2: party 1 holds an input set U_1 = {u_i}_{i∈[m]} of m user identifiers, where u_i ∈ U is the i-th user of party 1;
S1.3: party 2 holds a set {(v_j, t_j)}_{j∈[n]} of n user identifiers paired with associated integer values, where v_j ∈ U is the j-th user of party 2 and t_j ∈ Z+ is the integer value associated with it, Z+ being the positive integers; the private sum ∑ t_j must fit in the Paillier message space for the security parameter λ; define the input set of party-2 user identifiers U_2 = {v_j}_{j∈[n]};
S1.4: each party a selects a random secret exponent k_a for the group G;
S1.5: party 2 generates a new key pair (pk, sk) with the Pai.Gen(λ) function of the Paillier encryption scheme and shares the public key pk with party 1;
S2: party 2 encrypts its own user identifier set U_2 and sends it to party 1 in order, specifically:
S2.1: party 2 uses the key k_2 to encrypt the random-oracle image RO(v_j) of each user identifier v_j in the input set elements (v_j, t_j), and then uses the Paillier public key pk to encrypt the integer value t_j paired with each v_j, obtaining the party-2 user ciphertext cipher_{v2} encrypted by party 2 paired with the ciphertext cipher_{t2} = Pai(t_j) of its integer value;
S2.2: party 2 sends the set formed by the pairs (cipher_{v2}, cipher_{t2}) to party 1 in order;
S3: party 1 encrypts the user data sent by party 2 and its own user identifier set U_1 and sends them to party 2 in order, specifically:
S3.1: party 1 uses the key k_1 to encrypt a second time the cipher_{v2} component of each received pair (cipher_{v2}, cipher_{t2}), obtaining the party-2 user ciphertext cipher_{v12} encrypted by both parties; it also randomly chooses a mapping (j → r_j) under the Paillier modulus N, where r_j ∈ Z+, and using Pai(t_j + r_j) = Pai(t_j) × Pai(r_j) homomorphically applies a one-time pad encryption to the integer value t_j paired with each received user identifier v_j, finally obtaining the pair (cipher_{v12}, cipher_{tr2}) of the doubly encrypted party-2 user ciphertext and the padded ciphertext of its paired integer value;
S3.2: party 1 stores the mapping (j → r_j) and sends the set formed by the pairs (cipher_{v12}, cipher_{tr2}) to party 2 in order;
S3.3: party 1 uses the key k_1 to encrypt the random-oracle image RO(u_i) of each user u_i of its input set U_1, obtaining the party-1 user ciphertext cipher_{u1} encrypted by party 1;
S3.4: party 1 sends the set formed by the encrypted user ciphertexts cipher_{u1} to party 2 in shuffled order;
S4: party 2 encrypts the data sent by party 1, obtains the index set J of the integer values paired with the intersection, then applies J to the padded ciphertexts to obtain the padded sum S_Jr of the integer values paired with the intersection and sends it to party 1, specifically:
S4.1: party 2 uses the key k_2 to encrypt each received party-1 ciphertext cipher_{u1} a second time, obtaining the party-1 user ciphertext cipher_{u12} encrypted by both parties;
S4.3: party 2 judges whether the cardinality of the intersection is smaller than the set threshold; if so, party 2 terminates the protocol, otherwise it continues with S4.4;
S4.4: party 2 multiplies all elements Pai(t_j + r_j) whose indices lie in the index set J and decrypts the product with the private key sk, obtaining the one-time-padded sum S_Jr = ∑_{j∈J} (t_j + r_j) of the integer values paired with the intersection;
S4.5: party 2 sends the padded sum S_Jr and the index set J to party 1;
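Both protocols above, as an added Python example that is not the patent's own code: it assumes a toy group Z_p^* with p = 2^61 - 1 in place of G ∈ G(λ), SHA-256 as the random oracle RO, Paillier with fixed small primes, and constructed sample inputs (the names and values are made up), all labelled in the code. It runs the private intersection-sum protocol (steps 1 to 5) and the reverse protocol with its threshold abort (S1 to S4.5).

```python
"""Both protocols above as an added toy example (not the patent's own code). Assumptions: the group G
is modelled by Z_p^* for the Mersenne prime p = 2^61 - 1 (a demo group, not a production prime-order
group), RO is SHA-256 reduced into it, and Paillier uses the fixed small primes 65521 and 65537."""
import hashlib
import math
import random

P = (1 << 61) - 1  # toy group modulus (assumption: stands in for G in G(lambda))

def ro(uid: str) -> int:
    """Random oracle RO: U -> G, modelled as SHA-256 reduced into Z_p^* (assumption)."""
    return int.from_bytes(hashlib.sha256(uid.encode()).digest(), "big") % (P - 1) + 1

def secret_exponent(rng) -> int:
    """Step 1.4 / S1.4: random secret exponent k_a, coprime to p-1 so that x -> x^k is a bijection."""
    while True:
        k = rng.randrange(2, P - 1)
        if math.gcd(k, P - 1) == 1:
            return k

class Paillier:
    """Minimal Paillier with g = n + 1: Pai.Gen (constructor), Pai (enc), Pai.Sum (sum) and dec."""
    def __init__(self, p: int = 65521, q: int = 65537) -> None:  # fixed toy primes (assumption)
        self.n, self.n2 = p * q, (p * q) ** 2
        self.lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
        self.mu = pow(self.lam, -1, self.n)

    def enc(self, m: int, rng=None) -> int:
        """Pai(m) = (1 + n)^m * r^n mod n^2 with a fresh random r coprime to n."""
        rng = rng or random.SystemRandom()
        r = rng.randrange(1, self.n)
        while math.gcd(r, self.n) != 1:
            r = rng.randrange(1, self.n)
        return (1 + m * self.n) * pow(r, self.n, self.n2) % self.n2

    def dec(self, c: int) -> int:
        """m = L(c^lambda mod n^2) * mu mod n, where L(x) = (x - 1) / n."""
        return (pow(c, self.lam, self.n2) - 1) // self.n * self.mu % self.n

    def sum(self, cts) -> int:
        """Pai.Sum: the product of ciphertexts encrypts the sum of their plaintexts (mod n)."""
        out = 1
        for c in cts:
            out = out * c % self.n2
        return out

def psi_sum(party1_ids, party2_pairs, rng):
    """Protocol (1): returns (|H| as learned by party 1, S_H as learned by party 2)."""
    k1, k2 = secret_exponent(rng), secret_exponent(rng)  # step 1.4
    pai = Paillier()  # step 1.5: party 2 holds sk; party 1 only ever uses pk
    c_u1 = [pow(ro(u), k1, P) for u in party1_ids]  # step 2: cipher_u1 = RO(u_i)^k1 ...
    rng.shuffle(c_u1)                                # ... sent to party 2 shuffled
    c_u12 = [pow(c, k2, P) for c in c_u1]            # step 3.1: cipher_u12 = cipher_u1^k2
    rng.shuffle(c_u12)                               # step 3.2: returned to party 1 shuffled
    c_v2_t2 = [(pow(ro(v), k2, P), pai.enc(t, rng)) for v, t in party2_pairs]  # step 3.3
    rng.shuffle(c_v2_t2)                             # step 3.4: (cipher_v2, Pai(t_j)) shuffled
    # Step 4: party 1 computes cipher_v12 = cipher_v2^k1, keeps the Pai(t_j) whose cipher_v12
    # matches a cipher_u12 (the set H), and multiplies them: Pai(S_H) = Pai.Sum({Pai(t_j)}_{j in H}).
    u12 = set(c_u12)
    H = [ct for cv, ct in c_v2_t2 if pow(cv, k1, P) in u12]
    pai_s_h = pai.sum(H)
    return len(H), pai.dec(pai_s_h)  # step 5: party 2 decrypts Pai(S_H) with sk

def reverse_psi_sum(party1_ids, party2_pairs, threshold, rng):
    """Protocol (2): None if |J| < threshold (party 2 aborts), else (|J|, S_J as recovered by party 1)."""
    k1, k2 = secret_exponent(rng), secret_exponent(rng)
    pai = Paillier()
    # S2: party 2 sends (cipher_v2, Pai(t_j)) IN ORDER, so that index j survives the round trip.
    c_v2_t2 = [(pow(ro(v), k2, P), pai.enc(t, rng)) for v, t in party2_pairs]
    # S3.1/S3.2: party 1 computes cipher_v12 = cipher_v2^k1 and pads each Pai(t_j) with a fresh
    # r_j via Pai(t_j + r_j) = Pai(t_j) * Pai(r_j); the map j -> r_j never leaves party 1.
    r = {j: rng.randrange(1, pai.n) for j in range(len(c_v2_t2))}
    c_v12_tr2 = [(pow(cv, k1, P), ct * pai.enc(r[j], rng) % pai.n2)
                 for j, (cv, ct) in enumerate(c_v2_t2)]
    c_u1 = [pow(ro(u), k1, P) for u in party1_ids]  # S3.3/S3.4: cipher_u1, sent shuffled
    rng.shuffle(c_u1)
    u12 = {pow(c, k2, P) for c in c_u1}  # S4.1: cipher_u12 = cipher_u1^k2
    J = [j for j, (cv12, _) in enumerate(c_v12_tr2) if cv12 in u12]  # index set of matches
    if len(J) < threshold:  # S4.3: abort before any sum is released if the intersection is too small
        return None
    s_jr = pai.dec(pai.sum(c_v12_tr2[j][1] for j in J))  # S4.4: padded sum S_Jr = sum(t_j + r_j)
    s_j = (s_jr - sum(r[j] for j in J)) % pai.n  # S4.5 + party 1 strips its pads to get S_J
    return len(J), s_j

# Constructed sample inputs (not from the patent): intersection {alice, bob, dave}, sum 5 + 10 + 25 = 40.
PARTY1_IDS = ["alice", "bob", "carol", "dave"]
PARTY2_PAIRS = [("bob", 10), ("erin", 7), ("dave", 25), ("frank", 3), ("alice", 5)]

def run_demo(seed: int = 1):
    """Runs both protocols on the sample inputs with a seeded RNG (demo only; use secrets in practice)."""
    rng = random.Random(seed)
    return (psi_sum(PARTY1_IDS, PARTY2_PAIRS, rng),
            reverse_psi_sum(PARTY1_IDS, PARTY2_PAIRS, 3, rng),
            reverse_psi_sum(PARTY1_IDS, PARTY2_PAIRS, 4, rng))
```

With threshold 4 the reverse protocol returns None: party 2 stops at S4.3 and the padded sum is never decrypted, which is the leakage control the patent describes.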
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the invention and not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features equivalently replaced, and that such modifications and substitutions do not depart from the spirit and scope of the corresponding technical solutions as defined in the appended claims.
Claims (7)
1. A private intersection-sum method based on Paillier homomorphic encryption, characterized in that it comprises a private intersection-sum protocol based on Paillier homomorphic encryption and a reverse private intersection-sum protocol based on Paillier homomorphic encryption;
(1) The private intersection-sum protocol based on Paillier homomorphic encryption comprises the following steps:
Step 1: the two parties negotiate the basic settings of the private intersection-sum, specifically:
Step 1.1: the two parties agree on a security parameter λ, a group G ∈ G(λ), a user-identifier space U = U(λ) and a random oracle RO: U → G, where the random oracle RO maps a user identifier to a random element of the group G;
Step 1.2: party 1 holds an input set of m user identifiers U_1 = {u_i}_{i∈[1,m]}, where u_i ∈ U is the i-th user of party 1;
Step 1.3: party 2 holds a set of n user identifiers paired with associated integer values, {(v_j, t_j)}_{j∈[1,n]}, where v_j ∈ U is the j-th user of party 2 and t_j ∈ Z+ (Z+ being the positive integers) is the integer value paired with v_j; the private sum Σ t_j must fit in the Paillier message space for the security parameter λ; define U_2 = {v_j}_{j∈[1,n]};
Step 1.4: each party a ∈ {1, 2} selects a random secret exponent k_a for the group G;
Step 1.5: party 2 generates a fresh key pair (pk, sk) with the Pai.Gen(λ) function of the Paillier encryption scheme and shares the public key pk with party 1;
Step 2: party 1 encrypts its own user-identifier set U_1 and sends the result to party 2 in shuffled order;
Step 3: party 2 encrypts the user data received from party 1 and its own user-identifier set U_2, and sends the results to party 1 in shuffled order;
Step 4: party 1 encrypts the data received from party 2, obtaining the ciphertexts cipher_v12, compares them with the ciphertexts cipher_u12 to obtain the intersection set H, computes from H the ciphertext Pai(S_H) of the sum of the integer values paired with the intersection, and sends it to party 2; here cipher_u12 denotes the ciphertext of a party-1 user identifier after encryption by both party 1 and party 2, cipher_v12 denotes the ciphertext of a party-2 user identifier after encryption by both party 1 and party 2, k_1 is the key used by party 1 and k_2 is the key used by party 2;
Step 5: party 2 decrypts the received Paillier ciphertext Pai(S_H) with the Paillier private key sk, obtaining the sum S_H of the integer values paired with the intersection;
(2) The reverse private intersection-sum protocol based on Paillier homomorphic encryption comprises the following steps:
S1: the two parties negotiate the basic settings of the reverse private intersection-sum, specifically:
S1.1: the two parties agree on a security parameter λ, a group G ∈ G(λ), a user-identifier space U = U(λ) and a random oracle RO: U → G, where the random oracle RO maps a user identifier to a random element of the group G;
S1.2: party 1 holds an input set of m user identifiers U_1 = {u_i}_{i∈[1,m]}, where u_i ∈ U is the i-th user of party 1;
S1.3: party 2 holds a set of n user identifiers paired with associated integer values, {(v_j, t_j)}_{j∈[1,n]}, where v_j ∈ U is the j-th user of party 2 and t_j ∈ Z+ is the integer value paired with v_j; the private sum Σ t_j must fit in the Paillier message space for the security parameter λ; define the input set of party-2 user identifiers U_2 = {v_j}_{j∈[1,n]};
S1.4: each party a ∈ {1, 2} selects a random secret exponent k_a for the group G;
S1.5: party 2 generates a fresh key pair (pk, sk) with the Pai.Gen(λ) function of the Paillier encryption scheme and shares the public key pk with party 1;
S2: party 2 encrypts its own user-identifier set U_2 and sends the result to party 1 in order;
S3: party 1 encrypts the user data received from party 2 and its own user-identifier set U_1, and sends the results to party 2 in order;
S4: party 2 encrypts the data received from party 1, obtaining the ciphertexts cipher_u12, compares them with the ciphertexts cipher_v12 to obtain the index set J of the intersection, and from the one-time-padded integer-value ciphertexts indexed by J obtains the padded sum S_Jr of the integer values paired with the intersection, which it sends to party 1 together with J;
2. The Paillier-based private intersection-sum method of claim 1, wherein step 2 comprises the following steps:
Step 2.1: party 1 applies the random oracle RO to each user identifier u_i of its own set and encrypts the result a first time with its secret key k_1, obtaining the party-1-encrypted party-1 user ciphertext cipher_u1 = RO(u_i)^{k_1};
3. The Paillier-based private intersection-sum method of claim 1, wherein step 3 comprises the following steps:
Step 3.1: party 2 encrypts each element of the received party-1-encrypted party-1 user ciphertexts cipher_u1 a second time with its key k_2, obtaining the party-1 user ciphertexts encrypted by both parties, cipher_u12 = cipher_u1^{k_2};
Step 3.2: party 2 sends the set formed by the party-1 user ciphertexts cipher_u12 encrypted by both parties to party 1 in shuffled order;
Step 3.3: party 2 applies the random oracle RO to each user identifier v_j of its input pairs (v_j, t_j) and encrypts the result with its key k_2, obtaining the party-2-encrypted party-2 user ciphertext cipher_v2 = RO(v_j)^{k_2}; it then encrypts the associated integer value t_j paired with v_j using the Paillier public key pk, obtaining the integer-value ciphertext cipher_t2 = Pai(t_j), and pairs the two as (cipher_v2, cipher_t2);
4. The Paillier-based private intersection-sum method of claim 1, wherein step 4 comprises the following steps:
Step 4.1: party 1 encrypts a second time, with its key k_1, the party-2 user ciphertext cipher_v2 of each element of the received set of pairs (cipher_v2, cipher_t2), obtaining the pair (cipher_v12, cipher_t2) in which cipher_v12 = cipher_v2^{k_1} is the party-2 user ciphertext encrypted by both parties and cipher_t2 is its paired integer-value ciphertext;
Step 4.3: for each element h of the set H, party 1 multiplies the integer-value ciphertexts cipher_t2 = Pai(t_j) paired with h, homomorphically obtaining the ciphertext Pai(S_H) of the sum S_H of the integer values paired with the intersection: Pai(S_H) = Pai(Σ_{j∈H} t_j) = Pai.Sum({Pai(t_j)}_{j∈H});
Step 4.4: party 1 sends the ciphertext Pai(S_H) of the sum S_H of the integer values paired with the intersection to party 2.
5. The Paillier-based private intersection-sum method of claim 1, wherein step S2 comprises the following steps:
S2.1: party 2 applies the random oracle RO to each user identifier v_j of its input pairs (v_j, t_j) and encrypts the result with its key k_2, obtaining the party-2-encrypted party-2 user ciphertext cipher_v2 = RO(v_j)^{k_2}; it then encrypts the associated integer value t_j paired with v_j using the Paillier public key pk, obtaining the integer-value ciphertext cipher_t2 = Pai(t_j), and pairs the two as (cipher_v2, cipher_t2);
6. The Paillier-based private intersection-sum method of claim 1, wherein step S3 comprises the following steps:
S3.1: party 1 encrypts a second time, with its key k_1, the party-2 user ciphertext cipher_v2 of each element of the received set of pairs (cipher_v2, cipher_t2), obtaining the party-2 user ciphertext encrypted by both parties, cipher_v12 = cipher_v2^{k_1}; it also chooses a random mapping (j → r_j) under the Paillier modulus N, with r_j ∈ Z+, and by Pai(t_j + r_j) = Pai(t_j) × Pai(r_j) homomorphically applies a one-time padding to the encrypted integer value t_j paired with each received user identifier v_j, finally obtaining the pair (cipher_v12, cipher_tr2) of the doubly encrypted party-2 user ciphertext and its padded integer-value ciphertext cipher_tr2 = Pai(t_j + r_j);
S3.2: party 1 stores the mapping (j → r_j) and sends the set formed by the pairs (cipher_v12, cipher_tr2) to party 2 in order;
S3.3: party 1 applies the random oracle RO to each user identifier u_i of its input set U_1 and encrypts the result with its key k_1, obtaining the party-1-encrypted party-1 user ciphertext cipher_u1 = RO(u_i)^{k_1};
7. The Paillier-based private intersection-sum method of claim 1, wherein step S4 comprises the following steps:
S4.1: party 2 encrypts the received party-1-encrypted party-1 user ciphertexts cipher_u1 a second time with its key k_2, obtaining the party-1 user ciphertexts encrypted by both parties, cipher_u12 = cipher_u1^{k_2};
S4.3: party 2 checks whether the intersection cardinality is smaller than the agreed threshold; if so, party 2 terminates the protocol, otherwise it continues with S4.4;
S4.4: party 2 multiplies all elements Pai(t_j + r_j) whose indices lie in the index set J and decrypts the product with the private key sk, obtaining the one-time-padded sum of the integer values paired with the intersection, S_Jr = Σ_{j∈J} (t_j + r_j);
S4.5: party 2 sends the padded sum S_Jr and the index set J to party 1.
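As an added, runnable example (not code from the patent or from any implementation the page describes), the following Python sketch walks through both protocols of claim 1 end to end: steps 2 to 5 and S2 to S4 as detailed in claims 2 to 7, including the one-time padding of S3.1, the cardinality threshold check of S4.3, and party 1's removal of the padding described in the abstract. The claims leave several choices open, so the example assumes: G is the order-q subgroup of Z_p^* for a toy-sized safe prime p = 2q + 1; "encrypting with k_a" is exponentiation by the secret exponent k_a; RO is SHA-256 reduced mod p and squared; Paillier uses g = n + 1 with toy-sized primes; and the identifier sets U1 and V2 are constructed sample data. All function names (is_prime, safe_prime_group, RO, pai_gen, pai_enc, pai_dec, pai_sum, setup, forward_psi_sum, reverse_psi_sum) are the example's own.

```python
"""Toy Paillier private intersection-sum: protocol (1) forward and protocol (2) reverse.
Added example, not the patent's code. Assumed, since the claims leave it open: G is the
order-q subgroup of Z_p^* for a safe prime p = 2q+1, "encrypting with k_a" is x -> x^k_a,
RO(u) = (SHA-256(u) mod p)^2 mod p, Paillier uses g = n+1, and all sizes are toy-sized."""
import hashlib
import math
import secrets


def is_prime(n, rounds=16):
    """Miller-Rabin probable-prime test (demo quality; expects odd n > 3)."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(c):
            return c

def safe_prime_group(bits=64):
    """Return (p, q) with p = 2q+1 both prime; G is the order-q subgroup of Z_p^*."""
    while True:
        q = random_prime(bits - 1)
        if is_prime(2 * q + 1):
            return 2 * q + 1, q

def RO(ident, p):
    """Random oracle U -> G: hash, then square so the result lies in the order-q subgroup."""
    return pow(int.from_bytes(hashlib.sha256(ident.encode()).digest(), "big") % p, 2, p)

def pai_gen(bits=128):
    """Pai.Gen: pk = n, sk = (phi, phi^-1 mod n); phi works in place of lambda for g = n+1."""
    p, q = random_prime(bits), random_prime(bits)
    n, phi = p * q, (p - 1) * (q - 1)
    return n, (phi, pow(phi, -1, n))

def pai_enc(n, m):
    return pow(n + 1, m, n * n) * pow(secrets.randbelow(n - 1) + 1, n, n * n) % (n * n)

def pai_dec(n, sk, c):
    return (pow(c, sk[0], n * n) - 1) // n * sk[1] % n

def pai_sum(n, cts):
    """Pai.Sum: multiplying ciphertexts adds plaintexts; an empty product encrypts 0."""
    return math.prod(cts) % (n * n)

def setup():
    """Step 1 / S1: shared group G, secret exponents k_1 and k_2, party 2's Paillier keys."""
    p, q = safe_prime_group()
    n, sk = pai_gen()
    return p, secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1, n, sk

def forward_psi_sum(U1, V2, params):
    """Protocol (1): party 2 learns S_H, the sum of t_j over the intersection."""
    p, k1, k2, n, sk = params
    rnd = secrets.SystemRandom()
    c_u1 = [pow(RO(u, p), k1, p) for u in U1]               # step 2: cipher_u1 = RO(u_i)^k1
    rnd.shuffle(c_u1)                                        # sent to party 2 shuffled
    c_u12 = {pow(c, k2, p) for c in c_u1}                    # step 3.1: cipher_u12 = cipher_u1^k2
    pairs = [(pow(RO(v, p), k2, p), pai_enc(n, t)) for v, t in V2]  # step 3.3: (cipher_v2, Pai(t_j))
    rnd.shuffle(pairs)                                       # step 3: sent to party 1 shuffled
    # step 4: cipher_v12 = cipher_v2^k1; the matches form H and their Pai(t_j) are summed.
    H = [c_t for c_v2, c_t in pairs if pow(c_v2, k1, p) in c_u12]
    return pai_dec(n, sk, pai_sum(n, H)), len(H)             # step 5: party 2 decrypts Pai(S_H)

def reverse_psi_sum(U1, V2, params, threshold):
    """Protocol (2): party 1 learns S_J, party 2 learns the index set J and a padded sum.
    Returns None when party 2 aborts at S4.3 because |J| < threshold."""
    p, k1, k2, n, sk = params
    pairs = [(pow(RO(v, p), k2, p), pai_enc(n, t)) for v, t in V2]  # S2: sent in order
    # S3: party 1 computes cipher_v12 = cipher_v2^k1 and one-time-pads each Pai(t_j) as
    # Pai(t_j + r_j) = Pai(t_j) * Pai(r_j), keeping the map j -> r_j to itself.
    r = [secrets.randbelow(n) for _ in V2]
    padded = [(pow(c_v2, k1, p), pai_sum(n, [c_t, pai_enc(n, r[j])]))
              for j, (c_v2, c_t) in enumerate(pairs)]
    c_u1 = [pow(RO(u, p), k1, p) for u in U1]                # S3.3: cipher_u1
    # S4: party 2 computes cipher_u12 and J, applies the threshold (S4.3), decrypts the
    # padded sum S_Jr = sum over J of (t_j + r_j) (S4.4) and sends (S_Jr, J) back (S4.5).
    c_u12 = {pow(c, k2, p) for c in c_u1}
    J = [j for j, (c_v12, _) in enumerate(padded) if c_v12 in c_u12]
    if len(J) < threshold:
        return None
    S_Jr = pai_dec(n, sk, pai_sum(n, [padded[j][1] for j in J]))
    # Party 1 strips its own padding (the "disturbing factors") to recover S_J mod n.
    return (S_Jr - sum(r[j] for j in J)) % n, J

# Constructed sample inputs (not from the patent); the intersection is {alice, bob, dave}.
U1 = ["alice", "bob", "carol", "dave"]
V2 = [("bob", 10), ("erin", 7), ("dave", 5), ("frank", 3), ("alice", 20)]
```

With `params = setup()`, `forward_psi_sum(U1, V2, params)` returns `(35, 3)` as party 2 sees it, and `reverse_psi_sum(U1, V2, params, 2)` returns `(35, [0, 2, 4])` as party 1 sees it; with threshold 4 the call returns `None` because party 2 aborts at S4.3. That threshold is the security-relevant part of the reverse protocol: with |J| = 1 the "sum" is a single t_j, so without the abort party 1 would learn one of party 2's per-user values outright, and repeated runs against small intersections would leak more. The forward protocol shuffles in steps 2 and 3.2 so neither side can tie a match to a position in the other's list, while the reverse protocol deliberately sends in order so that the index set J is meaningful to both parties. A real deployment would replace the toy safe-prime group with an elliptic curve and a proper hash-to-curve map, and use a Paillier modulus of at least 2048 bits.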
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811442107.6A CN109525386B (en) | 2018-11-29 | 2018-11-29 | Paillier homomorphic encryption private aggregation and method based on Paillier |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109525386A CN109525386A (en) | 2019-03-26 |
CN109525386B true CN109525386B (en) | 2021-05-18 |
Family
ID=65794521
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||