CN109525386B - Private intersection-sum method based on Paillier homomorphic encryption - Google Patents

Private intersection-sum method based on Paillier homomorphic encryption

Info

Publication number
CN109525386B
CN109525386B
Authority
CN
China
Prior art keywords
party
user
parties
intersection
private
Prior art date
Legal status
Active
Application number
CN201811442107.6A
Other languages
Chinese (zh)
Other versions
CN109525386A (en)
Inventor
周福才
周搏洋
王强
吴淇毓
Current Assignee
Northeastern University China
Original Assignee
Northeastern University China
Priority date
Filing date
Publication date
Application filed by Northeastern University China
Priority to CN201811442107.6A
Publication of CN109525386A
Application granted
Publication of CN109525386B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00  Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/008  Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides a private intersection-sum method based on Paillier homomorphic encryption, and relates to the technical field of cyberspace security and privacy protection. The method comprises a private intersection-sum protocol and a reverse private intersection-sum protocol, both based on Paillier homomorphic encryption. In the private intersection-sum protocol, the two parties agree on the basic settings of the encrypted private intersection-sum and carry out three rounds of encryption; finally party 2 decrypts with its private key to obtain the intersection sum. In the reverse private intersection-sum protocol, the two parties agree on the basic settings of the encrypted reverse private intersection-sum and carry out two rounds of encryption; party 2 then decrypts with its private key to obtain the intersection sum carrying blinding factors and judges, from the cardinality of the intersection, whether the protocol may enter a third round; if the condition is met, party 1 removes the blinding factors to obtain the intersection sum. The method uses the properties of modular arithmetic to provide a ciphertext splitting scheme and is efficient; both parties of the protocol can compute the cardinality and the sum of the intersection exactly, which avoids the information leakage that the habitual pairwise computation could cause.

Description

Private intersection-sum method based on Paillier homomorphic encryption
Technical Field
The invention relates to the technical field of cyberspace security and privacy protection, in particular to a private intersection-sum method based on Paillier homomorphic encryption.
Background
In recent years data has grown explosively, and the volume and variety of data have become ever more complex; large amounts of valuable customer information, personal privacy records and enterprise operating data are continuously being mined. In this era of data explosion, privacy protection under big data is a very important problem.
Private Set Intersection (PSI) is an important protocol in secure multiparty computation. It lets two or more parties jointly compute on their input data sets so that only the intersection is learned, and no information beyond the intersection is revealed. Related protocols allow the parties to learn only certain properties of the intersection, such as its cardinality, or whether its size exceeds some threshold. Various approaches have been proposed in previous work, including protocols in the semi-honest model as well as in the malicious model.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides a private intersection-sum method based on Paillier homomorphic encryption, which comprises a private intersection-sum protocol and a reverse private intersection-sum protocol, both based on Paillier homomorphic encryption. Both protocols involve two parties, party 1 and party 2. The private inputs of the private intersection-sum protocol are data sets of user identifiers held by the two parties, where the data set of one party additionally contains an integer value associated with each user identifier. The two parties want to learn the cardinality of the intersection and the sum of the integer values associated with the intersection, but neither party may learn the actual user identifiers in the intersection or any further information (other than the size of the intersection) about the other party's data, which is the users' private information. The result of the private intersection-sum protocol is that party 1 obtains only the cardinality of the intersection, while party 2 obtains only the intersection sum. The reverse private intersection-sum protocol enforces a minimum number of intersection elements by terminating communication before the intersection sum is obtained if the intersection is too small, so that the users' private information is protected; its result is that both parties obtain the cardinality of the intersection, and only party 1 obtains the intersection sum.
To achieve this purpose, the private intersection-sum method based on Paillier homomorphic encryption comprises a private intersection-sum protocol based on Paillier homomorphic encryption and a reverse private intersection-sum protocol based on Paillier homomorphic encryption;
(1) The private intersection-sum protocol based on Paillier homomorphic encryption comprises the following steps:
Step 1: the two parties agree on the basic settings of the encrypted private intersection-sum, specifically:
Step 1.1: the two parties agree on a security parameter $\lambda$, a group $G \in \mathcal{G}(\lambda)$, a user identifier space $U = U(\lambda)$ and a random oracle $RO: U \to G$, where the random oracle RO maps a user identifier to a random element of the group G;
Step 1.2: party 1 holds an input set of m user identifiers $U_1 = \{u_i\}_{i\in[m]}$, where the i-th user of party 1 satisfies $u_i \in U$;
Step 1.3: party 2 holds a set of n user identifiers paired with associated integer values, $\{(v_j, t_j)\}_{j\in[n]}$, where the j-th user of party 2 satisfies $v_j \in U$ and the associated integer value paired with it satisfies $t_j \in \mathbb{Z}^+$, $\mathbb{Z}^+$ being the positive integers; the private sum $\sum_j t_j$ must fit in the Paillier message space for the security parameter $\lambda$; define $U_2 = \{v_j\}_{j\in[n]}$;
Step 1.4: each party a selects a random secret exponent $k_a$ for the group G;
Step 1.5: party 2 generates a fresh key pair (pk, sk) with the Pai.Gen($\lambda$) function of the Paillier encryption scheme and shares the public key pk with party 1;
Step 2: party 1 encrypts its own user identifier set $U_1$ and sends the result to party 2 in shuffled order, specifically:
Step 2.1: party 1 applies the random oracle RO to each user $u_i$ in its own user identifier set and then performs the first encryption with its secret key $k_1$, obtaining the party-1 user ciphertext encrypted by party 1, $\mathrm{cipher}_{u1} = RO(u_i)^{k_1}$;
Step 2.2: party 1 forms the encrypted user ciphertexts $\mathrm{cipher}_{u1}$ into the set $\{\mathrm{cipher}_{u1}\}_{i\in[m]}$ and sends it to party 2 in shuffled order;
Step 3: party 2 encrypts the user data sent by party 1 and its own user identifier set $U_2$ and sends the results to party 1 in shuffled order, specifically:
Step 3.1: party 2 uses its key $k_2$ to encrypt a second time each element of the received set $\{\mathrm{cipher}_{u1}\}_{i\in[m]}$ of party-1 user ciphertexts encrypted by party 1, obtaining the party-1 user ciphertext encrypted by both parties, $\mathrm{cipher}_{u12} = (\mathrm{cipher}_{u1})^{k_2} = RO(u_i)^{k_1 k_2}$;
Step 3.2: party 2 forms the ciphertexts $\mathrm{cipher}_{u12}$ of the party-1 users encrypted by both parties into the set $\{\mathrm{cipher}_{u12}\}_{i\in[m]}$ and sends it to party 1 in shuffled order;
Step 3.3: for each pair $(v_j, t_j)$ in its input set, party 2 uses its key $k_2$ to encrypt the element obtained by applying the random oracle RO to the user identifier $v_j$, and uses the Paillier public key pk to encrypt the associated integer value $t_j$ paired with $v_j$, obtaining the party-2 user ciphertext encrypted by party 2, $\mathrm{cipher}_{v2} = RO(v_j)^{k_2}$, paired with the ciphertext of the integer value paired with that user, $\mathrm{cipher}_{t2} = Pai(t_j)$;
Step 3.4: party 2 forms the encrypted user ciphertexts $\mathrm{cipher}_{v2}$ and their paired integer-value ciphertexts $\mathrm{cipher}_{t2}$ into the set $\{(\mathrm{cipher}_{v2}, \mathrm{cipher}_{t2})\}_{j\in[n]}$ and sends it to party 1 in shuffled order;
Step 4: party 1 encrypts the data sent by party 2, obtains the intersection H of $\mathrm{cipher}_{v12}$ with $\mathrm{cipher}_{u12}$, then obtains from H the ciphertext $Pai(S_H)$ of the sum of the integer values paired with the intersection and sends it to party 2, specifically:
Step 4.1: party 1 uses its key $k_1$ to encrypt a second time the user ciphertext $\mathrm{cipher}_{v2}$ of each element $(\mathrm{cipher}_{v2}, \mathrm{cipher}_{t2})$ of the received set $\{(\mathrm{cipher}_{v2}, \mathrm{cipher}_{t2})\}_{j\in[n]}$, obtaining the pair of the party-2 user ciphertext encrypted jointly by both parties and its paired integer-value ciphertext, $(\mathrm{cipher}_{v12}, \mathrm{cipher}_{t2}) = (RO(v_j)^{k_2 k_1}, Pai(t_j))$;
Step 4.2: party 1 computes the intersection H of $\mathrm{cipher}_{v12}$ with $\mathrm{cipher}_{u12}$, as the set of indices whose doubly encrypted identifier appears in the set received in step 3.2: $H = \{\, j \in [n] : RO(v_j)^{k_2 k_1} \in \{\mathrm{cipher}_{u12}\}_{i\in[m]} \,\}$;
Step 4.3: for each element h of the set H, party 1 multiplies together the integer-value ciphertexts $\mathrm{cipher}_{t2} = Pai(t_j)$ paired with h, homomorphically obtaining the ciphertext $Pai(S_H)$ of the sum $S_H$ of the integer values paired with the intersection: $Pai(S_H) = Pai(\sum_{j\in H} t_j) = \mathrm{Pai.Sum}(\{Pai(t_j)\}_{j\in H})$;
Step 4.4: party 1 sends the ciphertext $Pai(S_H)$ of the sum $S_H$ of the integer values paired with the intersection to party 2;
Step 5: party 2 uses the Paillier private key sk to decrypt the received ciphertext $Pai(S_H)$ of the Paillier-encrypted sum of the integer values paired with the intersection, obtaining the sum $S_H$ of the integer values paired with the intersection.
(2) The reverse private intersection-sum protocol based on Paillier homomorphic encryption comprises the following steps:
S1: the two parties agree on the basic settings of the encrypted private intersection-sum, specifically:
S1.1: the two parties agree on a security parameter $\lambda$, a group $G \in \mathcal{G}(\lambda)$, a user identifier space $U = U(\lambda)$ and a random oracle $RO: U \to G$, where the random oracle RO maps a user identifier to a random element of the group G;
S1.2: party 1 holds an input set of m user identifiers $U_1 = \{u_i\}_{i\in[m]}$, where the i-th user of party 1 satisfies $u_i \in U$;
S1.3: party 2 holds a set of n user identifiers paired with associated integer values, $\{(v_j, t_j)\}_{j\in[n]}$, where the j-th user of party 2 satisfies $v_j \in U$ and the associated integer value paired with it satisfies $t_j \in \mathbb{Z}^+$, $\mathbb{Z}^+$ being the positive integers; the private sum $\sum_j t_j$ must fit in the Paillier message space for the security parameter $\lambda$; define the input set of party-2 user identifiers $U_2 = \{v_j\}_{j\in[n]}$;
S1.4: each party a selects a random secret exponent $k_a$ for the group G;
S1.5: party 2 generates a fresh key pair (pk, sk) with the Pai.Gen($\lambda$) function of the Paillier encryption scheme and shares the public key pk with party 1;
S2: party 2 encrypts its own user identifier set $U_2$ and sends the result to party 1 in order, specifically:
S2.1: for each pair $(v_j, t_j)$ in its input set, party 2 uses its key $k_2$ to encrypt the element obtained by applying the random oracle RO to the user identifier $v_j$, and uses the Paillier public key pk to encrypt the associated integer value $t_j$ paired with $v_j$, obtaining the party-2 user ciphertext encrypted by party 2, $\mathrm{cipher}_{v2} = RO(v_j)^{k_2}$, paired with the ciphertext of the integer value paired with that user, $\mathrm{cipher}_{t2} = Pai(t_j)$;
S2.2: party 2 forms the encrypted user ciphertexts $\mathrm{cipher}_{v2}$ and their paired integer-value ciphertexts $\mathrm{cipher}_{t2}$ into the set $\{(\mathrm{cipher}_{v2}, \mathrm{cipher}_{t2})\}_{j\in[n]}$ and sends it to party 1 in order;
S3: party 1 encrypts the user data sent by party 2 and its own user identifier set $U_1$ and sends them to party 2, specifically:
S3.1: party 1 uses its key $k_1$ to encrypt a second time the user ciphertext $\mathrm{cipher}_{v2}$ of each pair $(\mathrm{cipher}_{v2}, \mathrm{cipher}_{t2})$ of the received set $\{(\mathrm{cipher}_{v2}, \mathrm{cipher}_{t2})\}_{j\in[n]}$, obtaining the party-2 user ciphertext encrypted jointly by both parties, $\mathrm{cipher}_{v12} = RO(v_j)^{k_2 k_1}$; it also randomly chooses a mapping $(j \to r_j)$ under the Paillier modulus N, where $r_j \in \mathbb{Z}^+$, and homomorphically applies a one-time pad to the ciphertext of the integer value $t_j$ paired with each received user identifier $v_j$ via $Pai(t_j + r_j) = Pai(t_j) \times Pai(r_j)$, finally obtaining the pair of the jointly encrypted party-2 user ciphertext and its padded integer-value ciphertext, $(\mathrm{cipher}_{v12}, \mathrm{cipher}_{tr2}) = (RO(v_j)^{k_2 k_1}, Pai(t_j + r_j))$;
S3.2: party 1 saves the mapping $(j \to r_j)$ and sends the set $\{(\mathrm{cipher}_{v12}, \mathrm{cipher}_{tr2})\}_{j\in[n]}$ of jointly encrypted party-2 user ciphertexts and their padded integer-value ciphertexts to party 2 in order;
S3.3: party 1 uses its key $k_1$ to encrypt the element obtained by applying the random oracle RO to each user $u_i$ of its input set $U_1$, obtaining the party-1 user ciphertext encrypted by party 1, $\mathrm{cipher}_{u1} = RO(u_i)^{k_1}$;
S3.4: party 1 forms the encrypted user ciphertexts $\mathrm{cipher}_{u1}$ into the set $\{\mathrm{cipher}_{u1}\}_{i\in[m]}$ and sends it to party 2 in shuffled order;
S4: party 2 encrypts the data sent by party 1, obtains the index set J of the intersection of $\mathrm{cipher}_{v12}$ with $\mathrm{cipher}_{u12}$, decrypts over J the padded sum $S_{Jr}$ of the integer values paired with the intersection and sends it to party 1, specifically:
S4.1: party 2 uses its key $k_2$ to encrypt a second time the received party-1 user ciphertexts $\{\mathrm{cipher}_{u1}\}_{i\in[m]}$ encrypted by party 1, obtaining the party-1 user ciphertexts encrypted by both parties, $\mathrm{cipher}_{u12} = RO(u_i)^{k_1 k_2}$;
S4.2: party 2 computes the index set J of the intersection of $\mathrm{cipher}_{v12}$ with $\mathrm{cipher}_{u12}$: $J = \{\, j \in [n] : RO(v_j)^{k_2 k_1} \in \{\mathrm{cipher}_{u12}\}_{i\in[m]} \,\}$;
S4.3: party 2 judges whether the intersection cardinality |J| is smaller than the set threshold; if so, party 2 terminates the protocol; if not, it continues with S4.4;
S4.4: party 2 multiplies together all elements $Pai(t_j + r_j)$ whose indices lie in the index set J and decrypts the product with the private key sk, obtaining the one-time-padded sum of the integer values paired with the intersection, $S_{Jr} = \sum_{j\in J}(t_j + r_j)$;
S4.5: party 2 sends the padded sum $S_{Jr}$ of the integer values paired with the intersection and the index set J to party 1;
S5: party 1 computes the sum of the integer values paired with the intersection by removing its saved pads: $S_J = S_{Jr} - \sum_{j\in J} r_j$.
The beneficial effects of the invention are as follows:
The invention provides a private intersection-sum method based on Paillier homomorphic encryption. It studies and adopts an algorithm based on Paillier homomorphic encryption, uses the properties of modular arithmetic to provide a ciphertext splitting scheme in which the plaintext is split and encrypted piecewise, is efficient, and can obtain the result over the encrypted plaintext without decryption. With the private intersection-sum protocol and the reverse private intersection-sum protocol based on Paillier homomorphic encryption, both parties of the protocol can compute the cardinality and the sum of the intersection exactly, which avoids the information leakage that the habitual pairwise computation could cause. In the reverse private intersection-sum protocol, if the cardinality of the intersection is found to be too small, the protocol is terminated; this prevents one party from obtaining the intersection sum, deducing the private information of certain users from it, and thereby leaking the users' privacy. During the Paillier homomorphic encryption, one party randomly chooses a mapping with which it blinds the encrypted integer values associated with the user ids, and removes the blinding factors according to that mapping before the intersection sum is obtained, which greatly improves the security of the protocol.
Drawings
FIG. 1 is an architecture diagram of the private intersection-sum protocol in an embodiment of the present invention;
FIG. 2 is a timing diagram of the private intersection-sum protocol in an embodiment of the present invention;
FIG. 3 is a flow chart of the private intersection-sum protocol in an embodiment of the present invention;
FIG. 4 is an architecture diagram of the reverse private intersection-sum protocol in an embodiment of the present invention;
FIG. 5 is a timing diagram of the reverse private intersection-sum protocol in an embodiment of the present invention;
FIG. 6 is a flow chart of the reverse private intersection-sum protocol in an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more clear, the present invention will be further described in detail with reference to the accompanying drawings and specific embodiments. The specific embodiments described herein are merely illustrative of the invention and are not intended to be limiting.
A private intersection-sum method based on Paillier homomorphic encryption comprises a private intersection-sum protocol based on Paillier homomorphic encryption and a reverse private intersection-sum protocol based on Paillier homomorphic encryption;
(1) Private intersection-sum protocol based on Paillier homomorphic encryption
In this embodiment, the architecture of the private intersection-sum protocol based on Paillier homomorphic encryption is shown in FIG. 1. In the private intersection-sum protocol, both parties input their complete user identifier sets; at output, party 1 obtains the cardinality of the intersection and party 2 obtains the intersection sum. The two parties of the private intersection-sum protocol realize the intersection-sum process through setup and three rounds of interaction, as shown in FIG. 2.
As can be seen from FIG. 2, in the setup step both parties agree on a security parameter $\lambda$, a group $G \in \mathcal{G}(\lambda)$ and a user identifier space $U = U(\lambda)$; both parties can use a random oracle $RO: U \to G$. First round: party 1 encrypts its own user identifier set with $k_1$ and sends it to party 2. Second round: party 2 encrypts the set sent by party 1 with $k_2$, encrypts its own user identifier set with $k_2$ and pk, and sends both to party 1; party 1 then computes the intersection of $\mathrm{cipher}_{v12}$ with $\mathrm{cipher}_{u12}$. Third round: party 1 sends the encrypted sum over the set H to party 2, and party 2 decrypts it with sk to obtain the sum of the integer values paired with the intersection, i.e. the intersection sum $S_H$.
In the present embodiment, for convenience of the following description, the symbols used are explained in Table 1.
TABLE 1 Symbol description of communications between entities [the table is reproduced only as an image in the source and is not shown here]
The specific flow is shown in FIG. 3 and comprises the following steps:
Step 1: the two parties agree on the basic settings of the encrypted private intersection-sum, specifically:
Step 1.1: the two parties agree on a security parameter $\lambda$, a group $G \in \mathcal{G}(\lambda)$, a user identifier space $U = U(\lambda)$ and a random oracle $RO: U \to G$, where the random oracle RO maps a user identifier to a random element of the group G;
Step 1.2: party 1 holds an input set of m user identifiers $U_1 = \{u_i\}_{i\in[m]}$, where the i-th user of party 1 satisfies $u_i \in U$;
Step 1.3: party 2 holds a set of n user identifiers paired with associated integer values, $\{(v_j, t_j)\}_{j\in[n]}$, where the j-th user of party 2 satisfies $v_j \in U$ and the associated integer value paired with it satisfies $t_j \in \mathbb{Z}^+$, $\mathbb{Z}^+$ being the positive integers; the private sum $\sum_j t_j$ must fit in the Paillier message space for the security parameter $\lambda$; define $U_2 = \{v_j\}_{j\in[n]}$;
Step 1.4: each party a selects a random secret exponent $k_a$ for the group G;
Step 1.5: party 2 generates a fresh key pair (pk, sk) with the Pai.Gen($\lambda$) function of the Paillier encryption scheme and shares the public key pk with party 1;
Step 2: party 1 encrypts its own user identifier set $U_1$ and sends the result to party 2 in shuffled order, specifically:
Step 2.1: party 1 applies the random oracle RO to each user $u_i$ in its own user identifier set and then performs the first encryption with its secret key $k_1$, obtaining the party-1 user ciphertext encrypted by party 1, $\mathrm{cipher}_{u1} = RO(u_i)^{k_1}$;
Step 2.2: party 1 forms the encrypted user ciphertexts $\mathrm{cipher}_{u1}$ into the set $\{\mathrm{cipher}_{u1}\}_{i\in[m]}$ and sends it to party 2 in shuffled order;
Step 3: party 2 encrypts the user data sent by party 1 and its own user identifier set $U_2$ and sends the results to party 1 in shuffled order, specifically:
Step 3.1: party 2 uses its key $k_2$ to encrypt a second time each element of the received set $\{\mathrm{cipher}_{u1}\}_{i\in[m]}$ of party-1 user ciphertexts encrypted by party 1, obtaining the party-1 user ciphertext encrypted by both parties, $\mathrm{cipher}_{u12} = (\mathrm{cipher}_{u1})^{k_2} = RO(u_i)^{k_1 k_2}$;
Step 3.2: party 2 forms the ciphertexts $\mathrm{cipher}_{u12}$ of the party-1 users encrypted by both parties into the set $\{\mathrm{cipher}_{u12}\}_{i\in[m]}$ and sends it to party 1 in shuffled order;
Step 3.3: for each pair $(v_j, t_j)$ in its input set, party 2 uses its key $k_2$ to encrypt the element obtained by applying the random oracle RO to the user identifier $v_j$, and uses the Paillier public key pk to encrypt the associated integer value $t_j$ paired with $v_j$, obtaining the party-2 user ciphertext encrypted by party 2, $\mathrm{cipher}_{v2} = RO(v_j)^{k_2}$, paired with the ciphertext of the integer value paired with that user, $\mathrm{cipher}_{t2} = Pai(t_j)$;
Step 3.4: party 2 forms the encrypted user ciphertexts $\mathrm{cipher}_{v2}$ and their paired integer-value ciphertexts $\mathrm{cipher}_{t2}$ into the set $\{(\mathrm{cipher}_{v2}, \mathrm{cipher}_{t2})\}_{j\in[n]}$ and sends it to party 1 in shuffled order;
Step 4: party 1 encrypts the data sent by party 2, obtains the intersection H of $\mathrm{cipher}_{v12}$ with $\mathrm{cipher}_{u12}$, then obtains from H the ciphertext $Pai(S_H)$ of the sum of the integer values paired with the intersection and sends it to party 2, specifically:
Step 4.1: party 1 uses its key $k_1$ to encrypt a second time the user ciphertext $\mathrm{cipher}_{v2}$ of each element $(\mathrm{cipher}_{v2}, \mathrm{cipher}_{t2})$ of the received set $\{(\mathrm{cipher}_{v2}, \mathrm{cipher}_{t2})\}_{j\in[n]}$, obtaining the pair of the party-2 user ciphertext encrypted jointly by both parties and its paired integer-value ciphertext, $(\mathrm{cipher}_{v12}, \mathrm{cipher}_{t2}) = (RO(v_j)^{k_2 k_1}, Pai(t_j))$;
Step 4.2: party 1 computes the intersection H of $\mathrm{cipher}_{v12}$ with $\mathrm{cipher}_{u12}$, as the set of indices whose doubly encrypted identifier appears in the set received in step 3.2: $H = \{\, j \in [n] : RO(v_j)^{k_2 k_1} \in \{\mathrm{cipher}_{u12}\}_{i\in[m]} \,\}$;
Step 4.3: for each element h of the set H, party 1 multiplies together the integer-value ciphertexts $\mathrm{cipher}_{t2} = Pai(t_j)$ paired with h, homomorphically obtaining the ciphertext $Pai(S_H)$ of the sum $S_H$ of the integer values paired with the intersection: $Pai(S_H) = Pai(\sum_{j\in H} t_j) = \mathrm{Pai.Sum}(\{Pai(t_j)\}_{j\in H})$;
Step 4.4: party 1 sends the ciphertext $Pai(S_H)$ of the sum $S_H$ of the integer values paired with the intersection to party 2;
Step 5: party 2 uses the Paillier private key sk to decrypt the received ciphertext $Pai(S_H)$ of the Paillier-encrypted sum of the integer values paired with the intersection, obtaining the intersection sum $S_H$.
(2) Reverse private intersection-sum protocol based on Paillier homomorphic encryption
In this embodiment, the architecture of the reverse private intersection-sum protocol based on Paillier homomorphic encryption is shown in FIG. 4. In the reverse private intersection-sum protocol, both parties again input their complete user identifier sets; at output, the protocol is terminated if the cardinality of the intersection is too small; otherwise party 1 obtains the cardinality of the intersection and the intersection sum, and party 2 obtains the cardinality of the intersection. The two parties of the reverse private intersection-sum protocol realize the intersection-sum process through setup and three rounds of interaction, as shown in FIG. 5.
As can be seen from FIG. 5, in the setup step both parties agree on a security parameter $\lambda$, a group $G \in \mathcal{G}(\lambda)$ and a user identifier space $U = U(\lambda)$; both parties can use a random oracle $RO: U \to G$. First round: party 2 encrypts its own user identifier set with $k_2$ and pk and sends it to party 1. Second round: party 1 encrypts its own user identifier set with $k_1$ and, for each element of the set sent by party 2, encrypts the user identifier with $k_1$, adds a blinding factor to the paired value ciphertext, and sends everything to party 2; party 2 then computes the index set J of the intersection of $\mathrm{cipher}_{v12}$ with $\mathrm{cipher}_{u12}$ and decrypts with sk the blinded sum $S_{Jr}$ of the integer values paired with the intersection, terminating the protocol if the cardinality of the intersection is too small. Third round: party 2 sends the blinded sum $S_{Jr}$ and the index set J to party 1, and party 1 removes the blinding factors to obtain the sum of the integer values paired with the intersection, i.e. the intersection sum $S_J$.
The specific flow is shown in FIG. 6 and comprises the following steps:
S1: the two parties agree on the basic settings of the encrypted private intersection-sum, specifically:
S1.1: the two parties agree on a security parameter $\lambda$, a group $G \in \mathcal{G}(\lambda)$, a user identifier space $U = U(\lambda)$ and a random oracle $RO: U \to G$, where the random oracle RO maps a user identifier to a random element of the group G;
S1.2: party 1 holds an input set of m user identifiers $U_1 = \{u_i\}_{i\in[m]}$, where the i-th user of party 1 satisfies $u_i \in U$;
S1.3: party 2 holds a set of n user identifiers paired with associated integer values, $\{(v_j, t_j)\}_{j\in[n]}$, where the j-th user of party 2 satisfies $v_j \in U$ and the associated integer value paired with it satisfies $t_j \in \mathbb{Z}^+$, $\mathbb{Z}^+$ being the positive integers; the private sum $\sum_j t_j$ must fit in the Paillier message space for the security parameter $\lambda$; define the input set of party-2 user identifiers $U_2 = \{v_j\}_{j\in[n]}$;
S1.4: each party a selects a random secret exponent $k_a$ for the group G;
S1.5: party 2 generates a fresh key pair (pk, sk) with the Pai.Gen($\lambda$) function of the Paillier encryption scheme and shares the public key pk with party 1;
S2: party 2 encrypts its own user identifier set $U_2$ and sends the result to party 1 in order, specifically:
S2.1: for each pair $(v_j, t_j)$ in its input set, party 2 uses its key $k_2$ to encrypt the element obtained by applying the random oracle RO to the user identifier $v_j$, and uses the Paillier public key pk to encrypt the associated integer value $t_j$ paired with $v_j$, obtaining the party-2 user ciphertext encrypted by party 2, $\mathrm{cipher}_{v2} = RO(v_j)^{k_2}$, paired with the ciphertext of the integer value paired with that user, $\mathrm{cipher}_{t2} = Pai(t_j)$;
S2.2: party 2 forms the encrypted user ciphertexts $\mathrm{cipher}_{v2}$ and their paired integer-value ciphertexts $\mathrm{cipher}_{t2}$ into the set $\{(\mathrm{cipher}_{v2}, \mathrm{cipher}_{t2})\}_{j\in[n]}$ and sends it to party 1 in order;
S3: party 1 encrypts the user data sent by party 2 and its own user identifier set $U_1$ and sends them to party 2, specifically:
S3.1: party 1 uses its key $k_1$ to encrypt a second time the user ciphertext $\mathrm{cipher}_{v2}$ of each pair $(\mathrm{cipher}_{v2}, \mathrm{cipher}_{t2})$ of the received set $\{(\mathrm{cipher}_{v2}, \mathrm{cipher}_{t2})\}_{j\in[n]}$, obtaining the party-2 user ciphertext encrypted jointly by both parties, $\mathrm{cipher}_{v12} = RO(v_j)^{k_2 k_1}$; it also randomly chooses a mapping $(j \to r_j)$ under the Paillier modulus N, where $r_j \in \mathbb{Z}^+$, and homomorphically applies a one-time pad to the ciphertext of the integer value $t_j$ paired with each received user identifier $v_j$ via $Pai(t_j + r_j) = Pai(t_j) \times Pai(r_j)$, finally obtaining the pair of the jointly encrypted party-2 user ciphertext and its padded integer-value ciphertext, $(\mathrm{cipher}_{v12}, \mathrm{cipher}_{tr2}) = (RO(v_j)^{k_2 k_1}, Pai(t_j + r_j))$;
S3.2: party 1 saves the mapping $(j \to r_j)$ and sends the set $\{(\mathrm{cipher}_{v12}, \mathrm{cipher}_{tr2})\}_{j\in[n]}$ of jointly encrypted party-2 user ciphertexts and their padded integer-value ciphertexts to party 2 in order;
S3.3: party 1 uses its key $k_1$ to encrypt the element obtained by applying the random oracle RO to each user $u_i$ of its input set $U_1$, obtaining the party-1 user ciphertext encrypted by party 1, $\mathrm{cipher}_{u1} = RO(u_i)^{k_1}$;
S3.4: party 1 forms the encrypted user ciphertexts $\mathrm{cipher}_{u1}$ into the set $\{\mathrm{cipher}_{u1}\}_{i\in[m]}$ and sends it to party 2 in shuffled order;
S4: party 2 encrypts the data sent by party 1, obtains the index set J of the intersection of $\mathrm{cipher}_{v12}$ with $\mathrm{cipher}_{u12}$, decrypts over J the padded sum $S_{Jr}$ of the integer values paired with the intersection and sends it to party 1, specifically:
S4.1: party 2 uses its key $k_2$ to encrypt a second time the received party-1 user ciphertexts $\{\mathrm{cipher}_{u1}\}_{i\in[m]}$ encrypted by party 1, obtaining the party-1 user ciphertexts encrypted by both parties, $\mathrm{cipher}_{u12} = RO(u_i)^{k_1 k_2}$;
S4.2: party 2 computes the index set J of the intersection of $\mathrm{cipher}_{v12}$ with $\mathrm{cipher}_{u12}$: $J = \{\, j \in [n] : RO(v_j)^{k_2 k_1} \in \{\mathrm{cipher}_{u12}\}_{i\in[m]} \,\}$;
S4.3: party 2 judges whether the intersection cardinality |J| is smaller than the set threshold; if so, party 2 terminates the protocol; if not, it continues with S4.4;
S4.4: party 2 multiplies together all elements $Pai(t_j + r_j)$ whose indices lie in the index set J and decrypts the product with the private key sk, obtaining the one-time-padded sum of the integer values paired with the intersection, $S_{Jr} = \sum_{j\in J}(t_j + r_j)$;
S4.5: party 2 sends the padded sum $S_{Jr}$ of the integer values paired with the intersection and the index set J to party 1;
S5: party 1 computes the sum of the integer values paired with the intersection by removing its saved pads: $S_J = S_{Jr} - \sum_{j\in J} r_j$.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features equivalently replaced, and that such modifications and substitutions do not depart from the spirit and scope of the corresponding technical solutions as defined in the appended claims.

Claims (7)

1. A private intersection-sum method based on Paillier homomorphic encryption, characterized in that it comprises a private intersection-sum protocol based on Paillier homomorphic encryption and a reverse private intersection-sum protocol based on Paillier homomorphic encryption;
(1) the private intersection-sum protocol based on Paillier homomorphic encryption comprises the following steps:
step 1: the two parties negotiate the basic setting of the private intersection-sum, the concrete steps being as follows:
step 1.1: the two parties negotiate a security parameter λ, a group G ∈ G(λ), a user identifier space U = U(λ) and a random oracle RO: U → G, where the random oracle RO maps a user identifier to a random element of the group G;
step 1.2: party 1 holds an input set U_1 = {u_i}_{i∈[1,m]} of m user identifiers, where u_i ∈ U is the i-th user of party 1;
step 1.3: party 2 holds a set {(v_j, t_j)}_{j∈[1,n]} of n user identifiers and the integer values paired with them, where v_j ∈ U is the j-th user of party 2 and t_j ∈ Z+ is the integer value paired with it, Z+ being the positive integers; the private sum Σ t_j lies within the Paillier message space for the security parameter λ; and U_2 = {v_j}_{j∈[1,n]} is defined;
step 1.4: each party a selects a random secret exponent k_a for the group G;
step 1.5: party 2 generates a new key pair (pk, sk) with the Pai.Gen(λ) function of the Paillier encryption scheme and shares the public key pk with party 1;
step 2: party 1 encrypts its own user identifier set U_1 and sends the result to party 2 out of order;
step 3: party 2 encrypts the user data sent by party 1 and its own user identifier set U_2 and sends the results to party 1 out of order;
step 4: party 1 encrypts the data sent by party 2, obtains the intersection H of cipher_v12 and cipher_u12, computes from the set H the ciphertext Pai(S_H) of the sum of the integer values paired with the intersection and sends it to party 2; here cipher_u12 is the ciphertext of party 1's user identifiers encrypted by both party 1 and party 2, cipher_v12 is the ciphertext of party 2's user identifiers encrypted by both party 1 and party 2, k_1 is the key used by party 1 and k_2 is the key used by party 2;
step 5: party 2 decrypts the received Paillier ciphertext Pai(S_H) of the sum S_H of the integer values paired with the intersection with the Paillier private key sk, obtaining the sum S_H;
(2) the reverse private intersection-sum protocol based on Paillier homomorphic encryption comprises the following steps:
S1: the two parties negotiate the basic setting of the private intersection-sum, the concrete steps being as follows:
S1.1: the two parties negotiate a security parameter λ, a group G ∈ G(λ), a user identifier space U = U(λ) and a random oracle RO: U → G, where the random oracle RO maps a user identifier to a random element of the group G;
S1.2: party 1 holds an input set U_1 = {u_i}_{i∈[1,m]} of m user identifiers, where u_i ∈ U is the i-th user of party 1;
S1.3: party 2 holds a set {(v_j, t_j)}_{j∈[1,n]} of n user identifiers and the integer values paired with them, where v_j ∈ U is the j-th user of party 2 and t_j ∈ Z+ is the integer value paired with it, Z+ being the positive integers; the private sum Σ t_j lies within the Paillier message space for the security parameter λ; and the input set of party-2 user identifiers U_2 = {v_j}_{j∈[1,n]} is defined;
S1.4: each party a selects a random secret exponent k_a for the group G;
S1.5: party 2 generates a new key pair (pk, sk) with the Pai.Gen(λ) function of the Paillier encryption scheme and shares the public key pk with party 1;
S2: party 2 encrypts its own user identifier set U_2 and sends the result to party 1 in order;
S3: party 1 encrypts the user data sent by party 2 and its own user identifier set U_1 and sends the results to party 2 in order;
S4: party 2 encrypts the data sent by party 1, obtains the index set J of the intersection of cipher_v12 and cipher_u12, and from the padded ciphertexts indexed by J obtains the padded sum S_Jr of the integer values paired with the intersection, which it sends to party 1;
S5: party 1 computes the sum of the integer values paired with the intersection, S_J = S_Jr − Σ_{j∈J} r_j, under the Paillier modulus N, where the mapping (j → r_j) with r_j ∈ Z+ was chosen at random.
2. The private intersection-sum method based on Paillier homomorphic encryption of claim 1, wherein step 2 comprises the following steps:
step 2.1: party 1 applies the random oracle RO to each user u_i of its own user identifier set and then performs the first encryption with its secret key k_1, obtaining the party-1-encrypted party-1 user ciphertext cipher_u1;
step 2.2: party 1 forms the set {cipher_u1} of its encrypted ciphertexts and sends it to party 2 out of order.
3. The private intersection-sum method based on Paillier homomorphic encryption of claim 1, wherein step 3 comprises the following steps:
step 3.1: party 2 uses its key k_2 to encrypt, a second time, each element of the received party-1-encrypted user ciphertexts cipher_u1, obtaining the party-1 user ciphertexts cipher_u12 encrypted by both parties;
step 3.2: party 2 forms the set {cipher_u12} of the party-1 user ciphertexts encrypted by both parties and sends it to party 1 out of order;
step 3.3: for each pair (v_j, t_j) of its input set, party 2 uses its key k_2 to encrypt the element obtained by applying the random oracle RO to the user identifier v_j, and uses the Paillier public key pk to encrypt the integer value t_j paired with v_j, obtaining the party-2-encrypted user ciphertext cipher_v2 paired with the integer-value ciphertext cipher_t2 = Pai(t_j);
step 3.4: party 2 forms the set {(cipher_v2, cipher_t2)} of its encrypted user ciphertexts and their paired integer-value ciphertexts and sends it to party 1 out of order.
4. The private intersection-sum method based on Paillier homomorphic encryption of claim 1, wherein step 4 comprises the following steps:
step 4.1: party 1 uses its key k_1 to encrypt, a second time, each cipher_v2 element of the received set {(cipher_v2, cipher_t2)} of party-2-encrypted user ciphertexts and their paired integer-value ciphertexts, obtaining the pairs (cipher_v12, cipher_t2) of party-2 user ciphertexts encrypted by both parties and their paired integer-value ciphertexts;
step 4.2: party 1 computes the intersection H of cipher_v12 and cipher_u12: H = {cipher_v12} ∩ {cipher_u12};
step 4.3: for each element h of the set H, party 1 multiplies the integer-value ciphertexts cipher_t2 = Pai(t_j) paired with h, homomorphically obtaining the ciphertext Pai(S_H) of the sum S_H of the integer values paired with the intersection: Pai(S_H) = Pai(Σ_{j∈H} t_j) = Pai.Sum({Pai(t_j)}_{j∈H});
step 4.4: party 1 sends the ciphertext Pai(S_H) of the sum S_H of the integer values paired with the intersection to party 2.
5. The private intersection-sum method based on Paillier homomorphic encryption of claim 1, wherein step S2 comprises the following steps:
S2.1: for each pair (v_j, t_j) of its input set, party 2 uses its key k_2 to encrypt the element obtained by applying the random oracle RO to the user identifier v_j, and uses the Paillier public key pk to encrypt the integer value t_j paired with v_j, obtaining the party-2-encrypted user ciphertext cipher_v2 paired with the integer-value ciphertext cipher_t2 = Pai(t_j);
S2.2: party 2 forms the set {(cipher_v2, cipher_t2)} of its encrypted user ciphertexts and their paired integer-value ciphertexts and sends it to party 1 in order.
6. The private intersection-sum method based on Paillier homomorphic encryption of claim 1, wherein step S3 comprises the following steps:
S3.1: party 1 uses its key k_1 to encrypt, a second time, each cipher_v2 element of the received set {(cipher_v2, cipher_t2)} of party-2-encrypted user ciphertexts and their paired integer-value ciphertexts, obtaining the party-2 user ciphertexts cipher_v12 encrypted by both parties; it also randomly chooses a mapping (j → r_j) under the Paillier modulus N, where r_j ∈ Z+, and uses the homomorphic property Pai(t_j + r_j) = Pai(t_j) × Pai(r_j) to apply a one-time pad to each received ciphertext of the integer value t_j paired with user identifier v_j, finally obtaining the pairs (cipher_v12, cipher_tr2) of doubly encrypted party-2 user ciphertexts and padded integer-value ciphertexts;
S3.2: party 1 stores the mapping (j → r_j) and sends the set {(cipher_v12, cipher_tr2)} of doubly encrypted party-2 user ciphertexts and padded integer-value ciphertexts to party 2 in order;
S3.3: party 1 uses its key k_1 to encrypt each user u_i of its input set U_1 after applying the random oracle RO, obtaining the party-1-encrypted party-1 user ciphertext cipher_u1;
S3.4: party 1 forms the set {cipher_u1} of its encrypted ciphertexts and sends it to party 2 out of order.
7. The private intersection-sum method based on Paillier homomorphic encryption of claim 1, wherein step S4 comprises the following steps:
S4.1: party 2 uses its key k_2 to encrypt, a second time, the received party-1-encrypted user ciphertexts cipher_u1, obtaining the party-1 user ciphertexts cipher_u12 encrypted by both parties;
S4.2: party 2 computes the index set J of the intersection of cipher_v12 and cipher_u12, J = {j : cipher_v12[j] ∈ {cipher_u12}};
S4.3: party 2 checks whether the intersection cardinality |J| is below the agreed threshold; if so, party 2 terminates the protocol, otherwise it continues with S4.4;
S4.4: party 2 multiplies all elements Pai(t_j + r_j) whose index lies in J and decrypts the product with the private key sk, obtaining the one-time-padded sum of the integer values paired with the intersection, S_Jr = Σ_{j∈J} (t_j + r_j);
S4.5: party 2 sends the padded sum S_Jr of the integer values paired with the intersection and the index set J to party 1.
CN201811442107.6A 2018-11-29 2018-11-29 Paillier homomorphic encryption private aggregation and method based on Paillier Active CN109525386B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811442107.6A CN109525386B (en) 2018-11-29 2018-11-29 Paillier homomorphic encryption private aggregation and method based on Paillier

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811442107.6A CN109525386B (en) 2018-11-29 2018-11-29 Paillier homomorphic encryption private aggregation and method based on Paillier

Publications (2)

Publication Number Publication Date
CN109525386A CN109525386A (en) 2019-03-26
CN109525386B true CN109525386B (en) 2021-05-18

Family

ID=65794521

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811442107.6A Active CN109525386B (en) 2018-11-29 2018-11-29 Paillier homomorphic encryption private aggregation and method based on Paillier

Country Status (1)

Country Link
CN (1) CN109525386B (en)

Families Citing this family (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110086717B (en) * 2019-04-30 2021-06-22 创新先进技术有限公司 Method, device and system for data security matching
CN110324321B (en) * 2019-06-18 2021-07-13 创新先进技术有限公司 Data processing method and device
CN110399741A (en) * 2019-07-29 2019-11-01 深圳前海微众银行股份有限公司 Data alignment method, equipment and computer readable storage medium
US10885203B2 (en) * 2019-08-01 2021-01-05 Advanced New Technologies Co., Ltd. Encrypted data exchange
CN110535622A (en) * 2019-08-01 2019-12-03 阿里巴巴集团控股有限公司 Data processing method, device and electronic equipment
CN111641603B (en) * 2020-05-15 2022-07-01 北京青牛技术股份有限公司 Privacy set intersection data interaction method and system based on homomorphic encryption
CN111832050B (en) * 2020-07-10 2021-03-26 深圳致星科技有限公司 Paillier encryption scheme based on FPGA chip implementation for federal learning
CN111741020B (en) * 2020-07-31 2020-12-22 支付宝(杭州)信息技术有限公司 Public data set determination method, device and system based on data privacy protection
CN111931221B (en) * 2020-09-25 2021-01-01 支付宝(杭州)信息技术有限公司 Data processing method and device and server
CN112434329A (en) * 2020-10-23 2021-03-02 上海点融信息科技有限责任公司 Private data intersection acquisition method, computing device and storage medium
KR102284877B1 (en) * 2020-12-14 2021-07-30 세종대학교산학협력단 Efficient functional encryption for set intersection
CN112651042A (en) * 2020-12-23 2021-04-13 上海同态信息科技有限责任公司 Intersection solving method based on trusted third-party private data
CN113034276A (en) * 2020-12-29 2021-06-25 上海能链众合科技有限公司 Block chain privacy transaction solution method
CN113179150B (en) * 2021-04-26 2022-07-01 杭州宇链科技有限公司 Homomorphic privacy set intersection method based on order preserving function
CN113032848B (en) * 2021-05-20 2021-08-10 华控清交信息科技(北京)有限公司 Data processing method and chip for data processing
CN113343255B (en) * 2021-06-04 2024-06-25 百融云创科技股份有限公司 Data interaction method based on privacy protection
CN113434888B (en) * 2021-07-06 2022-08-26 建信金融科技有限责任公司 Data sharing method, device, equipment and system
CN113806795B (en) * 2021-08-10 2024-03-01 中国科学院信息工程研究所 Two-party privacy set union calculation method and device
CN114826546A (en) * 2022-04-02 2022-07-29 支付宝(杭州)信息技术有限公司 Transaction data processing method and device
CN116595562A (en) * 2023-06-06 2023-08-15 北京火山引擎科技有限公司 Data processing method and electronic equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107124268A (en) * 2017-04-01 2017-09-01 中国人民武装警察部队工程大学 A kind of privacy set common factor computational methods for resisting malicious attack
CN107196926A (en) * 2017-04-29 2017-09-22 河南师范大学 A kind of cloud outsourcing privacy set comparative approach and device
CN108055118A (en) * 2017-12-11 2018-05-18 东北大学 A kind of diagram data intersection computational methods of secret protection
CN108737115A (en) * 2018-06-20 2018-11-02 湖北工业大学 A kind of efficient privately owned property set intersection method for solving with secret protection

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8526603B2 (en) * 2011-07-08 2013-09-03 Sap Ag Public-key encrypted bloom filters with applications to private set intersection

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Publicly verifiable outsourced computation scheme based on bilinear maps; Li Fuxiang et al.; Journal of Northeastern University (Natural Science); 2016-05-31; Vol. 37, No. 5; pp. 619-623 *

Also Published As

Publication number Publication date
CN109525386A (en) 2019-03-26

Similar Documents

Publication Publication Date Title
CN109525386B (en) Paillier homomorphic encryption private aggregation and method based on Paillier
US9008312B2 (en) System and method of creating and sending broadcast and multicast data
Li et al. A novel user authentication and privacy preserving scheme with smart cards for wireless communications
Tseng et al. A chaotic maps-based key agreement protocol that preserves user anonymity
US9172529B2 (en) Hybrid encryption schemes
CN111049650B (en) SM2 algorithm-based collaborative decryption method, device, system and medium
Siahaan An overview of the RC4 algorithm
CN104158880A (en) User-end cloud data sharing solution
CN101808089A (en) Secret data transmission protection method based on isomorphism of asymmetrical encryption algorithm
CN111404953A (en) Message encryption method, message decryption method, related devices and related systems
Guo et al. A Secure and Efficient Mutual Authentication and Key Agreement Protocol with Smart Cards for Wireless Communications.
Mewada et al. Exploration of efficient symmetric AES algorithm
CN105306212B (en) A kind of label decryption method that identity is hiding and safe by force
Olumide et al. A hybrid encryption model for secure cloud computing
Khatarkar et al. A survey and performance analysis of various RSA based encryption techniques
WO2020042023A1 (en) Instant messaging data encryption method and apparatus
Wang et al. Key escrow protocol based on a tripartite authenticated key agreement and threshold cryptography
CN115865313A (en) Lightweight privacy protection longitudinal federal learning model parameter aggregation method
CN115204876A (en) Quantum security U shield equipment and method for mobile payment
KR101793528B1 (en) Certificateless public key encryption system and receiving terminal
Nagaraj et al. Image security using ECC approach
CN111526131B (en) Anti-quantum-computation electronic official document transmission method and system based on secret sharing and quantum communication service station
Meher et al. Hybrid solution (ecdhe+ newhope) for pq transition
EP3883178A1 (en) Encryption system and method employing permutation group-based encryption technology
Ahmed et al. A hybrid model to secure the exchange of DH keys

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant