CN111177790A - Collaborative computing method, system and device for protecting data privacy of two parties
Publication number: CN111177790A
Authority: CN (China)
Prior art keywords: computing, value, party, slice, fragment
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications

 G—PHYSICS
 G06—COMPUTING; CALCULATING; COUNTING
 G06F—ELECTRIC DIGITAL DATA PROCESSING
 G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
 G06F21/60—Protecting data
 G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
 G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
 G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
Abstract
Embodiments of the present specification provide a collaborative computing method, system, and apparatus for protecting the data privacy of two parties, which can be applied to model training. The exponent of the exponential function value that the two parties compute cooperatively is negatively correlated with the private data. The private data comprises a first slice and a second slice in the input quotient group, the first slice being stored in a computing device of the first party and the second slice in a computing device of the second party. Through secure comparison, each party obtains a slice of a first comparison result of the private data against a target threshold, and each party takes its slice of the private data modulo the target threshold to obtain a modulo result. Through secure computation, the two parties obtain their respective output slices based on their modulo results, and then obtain their respective slices of the equivalent value of the exponential function value in the output quotient group based on their slices of the first comparison result and their output slices. When the private data is not less than the target threshold, the first comparison result makes the equivalent value 0.
Description
Technical Field
The embodiments of this specification relate to the field of information technology, and in particular to a collaborative computing method, system and device for protecting the data privacy of two parties.
Background
In some scenarios, private data is split into multiple shares, each of which is held by one of multiple participants, to avoid privacy disclosure. When multiple parties jointly calculate a function value of the private data, the accuracy of the calculation result should be ensured while privacy is effectively protected.
It is desirable to provide a scheme that enables secure computation of an exponential function value of private data by two parties.
Disclosure of Invention
One of the embodiments of the present specification provides a collaborative computing method for protecting the data privacy of two parties, in which the exponent of the exponential function value computed cooperatively by the two parties is negatively correlated with the private data; the private data comprises a first slice and a second slice in an input quotient group, the first slice being stored in a computing device of the first party and the second slice in a computing device of the second party. The method is performed by the computing device of the first party and comprises: interacting with the computing device of the second party according to a secure comparison protocol to obtain a first slice of a first comparison result of the private data against a target threshold; taking the first slice of the private data modulo the target threshold to obtain a first modulo result; interacting with the computing device of the second party according to a secure computation protocol to obtain a first output slice based on the first modulo result and a second modulo result stored in the computing device of the second party; and interacting with the computing device of the second party according to a secure computation protocol to obtain a first slice of the equivalent value of the exponential function value in an output quotient group, based on the first slice of the first comparison result and the first output slice, and on the second slice of the first comparison result and the second output slice stored in the computing device of the second party. When the private data is not less than the target threshold, the first comparison result makes the equivalent value 0.
One of the embodiments of the present specification provides a collaborative computing system for protecting the data privacy of two parties, in which the exponent of the exponential function value computed cooperatively by the two parties is negatively correlated with the private data; the private data comprises a first slice and a second slice in an input quotient group, the first slice being stored in a computing device of the first party and the second slice in a computing device of the second party. The system is implemented on the computing device of the first party and comprises: a first secure comparison module, configured to interact with the computing device of the second party according to a secure comparison protocol to obtain a first slice of a first comparison result of the private data against a target threshold; a first modulo module, configured to take the first slice of the private data modulo the target threshold to obtain a first modulo result; a first output slice computing module, configured to interact with the computing device of the second party according to a secure computation protocol to obtain a first output slice based on the first modulo result and a second modulo result stored in the computing device of the second party; and a first equivalent value computing module, configured to interact with the computing device of the second party according to a secure computation protocol to obtain a first slice of the equivalent value of the exponential function value in an output quotient group, based on the first slice of the first comparison result and the first output slice, and on the second slice of the first comparison result and the second output slice stored in the computing device of the second party. When the private data is not less than the target threshold, the first comparison result makes the equivalent value 0.
One of the embodiments of the present specification provides a collaborative computing apparatus for protecting privacy of data on two sides, including a processor and a storage device, where the storage device is configured to store instructions, and when the processor executes the instructions, the collaborative computing method for protecting privacy of data on two sides as described in any one of the embodiments of the present specification is implemented.
Drawings
The present description will be further explained by way of exemplary embodiments, which will be described in detail by way of the accompanying drawings. These embodiments are not intended to be limiting, and in these embodiments like numerals are used to indicate like structures, wherein:
FIG. 1 is a schematic diagram of an application scenario of a computing system in accordance with some embodiments of the present description;
FIG. 2 is an exemplary flow diagram of a collaborative computing method for protecting privacy of data on two sides, according to some embodiments of the present description;
FIG. 3 is an exemplary flow diagram illustrating the calculation of a first output slice z_L according to some embodiments of the present description;
FIG. 4 is an exemplary flow diagram of a method of calculating a first slice y_0_L of a first possible value y_0 and a first slice y_1_L of a second possible value y_1 according to some embodiments of the present description;
FIG. 5 is a schematic diagram illustrating a bitwise truncation according to some embodiments of the present description;
FIG. 6 is an interaction diagram of a secure multiplication protocol, shown in accordance with some embodiments of the present description;
FIG. 7 is an exemplary block diagram of a collaborative computing system that protects privacy of data on two sides, according to some embodiments of the present description.
Detailed Description
In order to more clearly illustrate the technical solutions of the embodiments of the present disclosure, the drawings used in the description of the embodiments will be briefly described below. It is obvious that the drawings in the following description are only examples or embodiments of the present description, and that for a person skilled in the art, the present description can also be applied to other similar scenarios on the basis of these drawings without inventive effort. Unless otherwise apparent from the context, or otherwise indicated, like reference numbers in the figures refer to the same structure or operation.
It should be understood that "system", "device", "unit" and/or "module" as used herein is a method for distinguishing different components, elements, parts, portions or assemblies at different levels. However, other words may be substituted by other expressions if they accomplish the same purpose.
As used in this specification and the appended claims, the terms "a," "an," and/or "the" do not refer specifically to the singular and may also include the plural, unless the context clearly dictates otherwise. In general, the terms "comprises" and "comprising" merely indicate that steps and elements are included which are explicitly identified, that the steps and elements do not form an exclusive list, and that a method or apparatus may include other steps or elements.
Flow charts are used in this description to illustrate operations performed by a system according to embodiments of the present description. It should be understood that the preceding or following operations are not necessarily performed in the exact order shown. Rather, the various steps may be processed in reverse order or simultaneously. Meanwhile, other operations may be added to the processes, or a certain step or several steps of operations may be removed from the processes.
For the purpose of illustrating embodiments of the present specification, reference will first be made to the mathematical knowledge involved therein.
In mathematics, a group (hereinafter denoted by G) is a set on which a binary operation is defined. The binary operation is usually written with a multiplication symbol "*" (omitted when unambiguous) or an addition symbol "+", but it should be noted that the binary operation is not necessarily equivalent to multiplication or addition in the four arithmetic operations. The result of combining several elements through one or more binary operations may be referred to as a sum.
The binary operation of the group satisfies: 1. closure: for any elements a, b in G, a*b is still in G; 2. associativity: for any elements a, b, c in G, (a*b)*c = a*(b*c); 3. identity element: there is an element e in G such that e*a = a*e = a; 4. inverse element: for any element a in G there exists b in G such that a*b = b*a = e, and a and b are inverses of each other. It should be noted that, for a binary operation denoted by "+", e may be called zero and the inverse may be called the negative, and a + (inverse of b) may be written a - b for any elements a, b in G. An abelian group has, in addition to the above 4 properties, the commutative law, i.e. a + b = b + a for any elements a, b in the abelian group.
Further, the present specification relates to a quotient group based on the abelian group of integers, which can be written $G := 2^{-k}\mathbb{Z}/2^{N-k}\mathbb{Z}$, where $\mathbb{Z}$ is the set of integers, k is a non-negative integer, N is a positive integer and N-k > 0. An element of the quotient group G is a non-negative binary fixed-point number with k fractional bits and N-k integer bits, so one N-bit storage unit in the computing device can store the value of any fixed-point number in G. The binary operations of the quotient group G include group addition and group multiplication. Group addition is $(a+b) \bmod 2^{N-k}$, which may be simplified to a+b when unambiguous; mod denotes taking the value on its left modulo the value on its right, and the "+" inside the parentheses is the addition of the four arithmetic operations. Group multiplication is $(a*b) \bmod 2^{N-k}$, which may be simplified to a*b or ab when unambiguous; the "*" inside the parentheses is the multiplication of the four arithmetic operations.
It should be noted that unless this specification states that a sum is based on group addition or a product is based on group multiplication, the sum/product should be understood as a concept of the four arithmetic operations. In addition, since the sum values in the four arithmetic operations are directly expressed as sum values in the present specification, the sum values based on group addition and the slices based on group addition can be simplified to "sum values" and "slices" in this specification where no ambiguity arises.
In some distributed scenarios, multiple parties need to calculate the value of a function securely, where security may refer to the correctness of the output result and the confidentiality of the input and output information. For example, in some machine learning scenarios, one party holds private feature data and the other holds private label data. If a function value is calculated directly on the private data (feature data/label data), leakage of the function value may allow the private data to be inferred. Therefore, each party can split the private data x it holds into two parts, keep one part x_L and send the other part x_R to the other party, where the sum of x_L and x_R is x. The two parties then run a secure computation protocol, and each obtains a slice of the function value. The sum of the slices obtained by the two parties is the function value, and an attacker who wants to learn the private data needs to obtain the slices of both parties.
Specifically, in scenarios such as logistic regression and neural networks, two-party secure computation is required for the value of an exponential function whose exponent is negatively correlated with the input (e.g., $e^{-x}$, whose base is the natural constant e). Taking $e^{-x}$ (also written exp(-x)) as an example, x denotes the private data as input, x_L is the input slice of the first party and x_R is the input slice of the second party. Assume x_L, x_R and x are all in the quotient group $2^{-k}\mathbb{Z}/2^{N-k}\mathbb{Z}$, i.e., $x = (x_L + x_R) \bmod 2^{N-k}$ is satisfied. Note that $e^{-x}$ may be based on the product of $e^{-x_L}$ and $e^{-x_R}$, i.e. the output slice of the first party may be obtained based on $e^{-x_L}$ and the output slice of the second party may be obtained based on $e^{-x_R}$. With $e^{-x}$, when the input slice of either party is too large, its output slice takes the value 0, resulting in the sum of the output slices of both parties being 0, which may deviate too much from the actual value of $e^{-x}$. For example, when N = 64, k = 16, x = 0 and $x_L = x_R = 2^{47}$, then $e^{-x_L} = e^{-x_R} < 2^{-64}$; if $e^{-x_L}$ and $e^{-x_R}$ are stored as N-bit fixed-point numbers, both are stored as 0, resulting in a sum of 0 for the two output slices, although in reality $e^{-x} = 1$.
Embodiments in this specification provide a collaborative computing method, system, and apparatus for protecting the data privacy of two parties, which compute slices of the exponential function value according to the size of the private data and of its slices, so as to ensure the accuracy of the computation result while protecting data privacy.
FIG. 1 is a schematic diagram of an application scenario of a computing system in accordance with some embodiments of the present description. As shown in FIG. 1, computing system 100 may include computing device 110-1, computing device 110-2, and network 120, where computing device 110-1 and computing device 110-2 may be the devices of the two parties participating in two-party secure computation.
The computing device may include various types of computing-capable devices, such as a server. In some embodiments, the servers may be independent servers or groups of servers, which may be centralized or distributed. In some embodiments, the server may be regional or remote. In some embodiments, the server may execute on a cloud platform. For example, the cloud platform may include one or any combination of a private cloud, a public cloud, a hybrid cloud, a community cloud, a decentralized cloud, an internal cloud, and the like.
The network 120 connects the various components of the system so that communication can occur between the various components. The network between the various parts in the system may include wired networks and/or wireless networks. For example, network 120 may include a cable network, a wired network, a fiber optic network, a telecommunications network, an intranet, the internet, a Local Area Network (LAN), a Wide Area Network (WAN), a Wireless Local Area Network (WLAN), a Metropolitan Area Network (MAN), a Public Switched Telephone Network (PSTN), a Bluetooth network, a ZigBee network, Near Field Communication (NFC), an intra-device bus, an intra-device line, a cable connection, and the like, or any combination thereof. The network connection between each two parts may be in one of the above-mentioned ways, or in a plurality of ways.
In some embodiments, computing system 100 may also include a random number server 130, and random number server 130 may assist the computing devices of the two parties in running a secure computation protocol, such as a secure multiplication protocol. For details of the secure multiplication protocol, reference may be made to FIG. 6 and its associated description.
FIG. 2 is an exemplary flow diagram of a collaborative computing method for protecting the data privacy of two parties, according to some embodiments of the present description. The private data x comprises a first slice x_L and a second slice x_R, x_L being stored on the first party's computing device 110-1 and x_R being stored on the second party's computing device 110-2. The exponent of the exponential function value computed cooperatively by the two parties is negatively correlated with the input. The quotient group in which the input private data and its slices lie may be referred to as the input quotient group, and the quotient group in which the equivalent value (denoted h) of the output exponential function value and its slices (the first slice h_L stored at the first party's computing device 110-1 and the second slice h_R stored at the second party's computing device 110-2) lie may be referred to as the output quotient group. Since numerical approximation or the like may be involved in the calculation, the calculated result is not necessarily equal to the exponential function value itself; the calculated result is therefore referred to in this specification as the equivalent value of the exponential function value. The equivalent value may be equal to an approximation of the exponential function value in the output quotient group, and in practical applications the equivalent value may participate in subsequent operations instead of the exponential function value itself. In some embodiments, the input quotient group may be $2^{-k}\mathbb{Z}/2^{N-k}\mathbb{Z}$, where k is a non-negative integer, N is the number of binary bits of a storage unit in the computing device and N-k > 0. In some embodiments, the exponential function may be $e^{-x}$ and the output quotient group may be $2^{-N+1}\mathbb{Z}/2\mathbb{Z}$, which contains the range (0, 1] of $e^{-x}$ (x not less than 0).
Process 200 may be performed by the computing device 110-1 of the first party, and the processing flow of the computing device 110-2 of the second party may refer to process 200. The process 200 may include:
Step 210, interacting with the computing device 110-2 of the second party according to the secure comparison protocol to obtain a first slice s_L of a first comparison result s of the private data with respect to the target threshold. In some embodiments, step 210 may be implemented by the first secure comparison module 710.
The target threshold may take the value of the private data at which the approximation of the exponential function value in the output quotient group is 0. Taking the exponential function $e^{-x}$ as an example, according to the lemma: if $m > \log_2 N + \log_2(\ln 2)$, then $\exp(-2^{m}) < 2^{-N}$, it can be deduced that when $x \ge 2^{m}$, the approximation of $e^{-x}$ in the output quotient group $2^{-N+1}\mathbb{Z}/2\mathbb{Z}$ is 0, where $2^{m}$ is the target threshold. In some embodiments, one may take $m = \lfloor \log_2 N + \log_2(\ln 2) \rfloor + 1$, where $\lfloor\cdot\rfloor$ (floor) denotes rounding down.
It should be appreciated that the computing device 110-2 of the second party obtains the second slice s_R of the first comparison result s after the interaction, and the sum of s_L and s_R is s. For the subsequent step 240, the value of the first comparison result s may be designed so that when the private data is not less than the target threshold, the sum of the first slice h_L and the second slice h_R of the equivalent value h of the exponential function value is 0. Thus, the accuracy of the calculation result when the private data is not less than the target threshold can be ensured.
In some embodiments, a specific implementation of the secure comparison protocol may be found in: Geoffroy Couteau, "New Protocols for Secure Equality Test and Comparison", Applied Cryptography and Network Security, Lecture Notes in Computer Science, Volume 10892, pages 303-320, 2018.
Step 220, taking the first slice x_L modulo the target threshold to obtain a first modulo result x_L'. In some embodiments, step 220 may be implemented by a first modulo module 720.
It should be appreciated that the second party's computing device 110-2 may take the second slice x_R modulo the target threshold to obtain a second modulo result x_R'.
After the modulo operation, the first modulo result x_L' and the second modulo result x_R' are both smaller than the target threshold, so that the approximations of the exponential function values of x_L' and x_R' in the output quotient group are not 0. Taking the exponential function $e^{-x}$ as an example, after x_L and x_R are taken modulo $2^{m}$, the approximations of $e^{-x_L'}$ and $e^{-x_R'}$ in the output quotient group $2^{-N+1}\mathbb{Z}/2\mathbb{Z}$ are not 0.
Step 230, interacting with the second party's computing device 110-2 according to the secure computation protocol to obtain the first output slice z_L based on the first modulo result x_L' and the second modulo result x_R' stored in the second party's computing device 110-2. In some embodiments, step 230 may be implemented by the first output slice computing module 730.
It should be appreciated that the second party's computing device 110-2 will obtain a second output slice z_R.
As described above, when the private data is not less than the target threshold, the accuracy of the calculation result can be ensured by designing the value of s. The secure computation in step 230 therefore only needs to guarantee that, when the private data is smaller than the target threshold, the combined value of the first output slice z_L and the second output slice z_R is reasonably accurate relative to the true value of the exponential function value.
With regard to specific implementations of step 230, reference may be made to FIG. 3 and its associated description.
Step 240, interacting with the computing device 110-2 of the second party according to the secure computation protocol to obtain a first slice h_L of the equivalent value h of the exponential function value, based on the first slice s_L of the first comparison result s and the first output slice z_L, and on the second slice s_R of the first comparison result s and the second output slice z_R stored in the computing device 110-2 of the second party. In some embodiments, step 240 may be performed by the first equivalent value computing module 740.
It should be appreciated that the second party's computing device 110-2 will obtain a second slice h_R of the equivalent value h of the exponential function value. It should be noted that h, h_L and h_R belong to the output quotient group. In some embodiments, the first comparison result s and its slices may each occupy one N-bit storage unit; specifically, they may be elements of the quotient group $\mathbb{Z}/2^{N}\mathbb{Z}$.
In some embodiments, s = 0 (i.e., the sum of s_L and s_R is 0) when the private data is not less than the target threshold, and s = 1 (i.e., the sum of s_L and s_R is 1) when the private data is less than the target threshold. Accordingly, h_L + h_R = (s_L + s_R)*(z_L + z_R), and by the properties of the group, h_L + h_R = s_L*z_L + s_L*z_R + s_R*z_L + s_R*z_R, where "+" and "*" denote group addition and group multiplication, respectively. In this polynomial, s_L*z_L can be computed locally at the first party's computing device 110-1 and s_R*z_R can be computed locally at the second party's computing device 110-2. For s_L*z_R and s_R*z_L, the two parties can run a secure multiplication protocol, so that the first party's computing device 110-1 obtains a first slice of s_L*z_R and a first slice of s_R*z_L, and the second party's computing device 110-2 obtains a second slice of s_L*z_R and a second slice of s_R*z_L. The first party's computing device 110-1 then adds, by group addition, the first slice of s_L*z_R, the first slice of s_R*z_L, and s_L*z_L to obtain the first slice h_L, and the second party's computing device 110-2 adds, by group addition, the second slice of s_L*z_R, the second slice of s_R*z_L, and s_R*z_R to obtain the second slice h_R.
It is noted that in some embodiments, process 200 implies m < N-k. In fact, when m = N-k, step 210, step 220, and step 240 need not be executed, and the two parties may perform secure computation directly on the first slice x_L and the second slice x_R to obtain the first slice h_L and the second slice h_R as the result; for the calculation, refer to the description of step 230. Specifically, the computing device 110-1 of the first party may perform step 230 with the first slice x_L as the first modulo result x_L' (the computing device 110-2 of the second party correspondingly takes the second slice x_R as the second modulo result x_R'), and take the first output slice z_L it obtains as the first slice h_L (the computing device 110-2 of the second party correspondingly takes the second output slice z_R it obtains as the second slice h_R). When m > N-k, the two parties can directly and securely compute the product of the exponential function value of the first slice x_L and the exponential function value of the second slice x_R; the first party's computing device 110-1 obtains a first slice (i.e., the first slice h_L) of the equivalent value of the product in the output quotient group, and the second party's computing device 110-2 obtains a second slice (i.e., the second slice h_R) of the equivalent value of the product in the output quotient group. Taking the exponential function $e^{-x}$ as an example, the first party calculates $e^{-x_L'}$ and the second party calculates $e^{-x_R'}$. Through secure computation, the first party obtains the first slice (i.e., the first slice h_L) of $e^{-x_L'} * e^{-x_R'}$ in the output quotient group, and the second party obtains the second slice (i.e., the second slice h_R) of $e^{-x_L'} * e^{-x_R'}$ in the output quotient group; for the calculation, refer to FIG. 6 and its related description.
Of course, when $m \ge N-k$, the same calculation result can be obtained using the calculation method for m < N-k, and when m > N-k, the same calculation result can be obtained using the calculation method for m = N-k.
In addition, the computing devices of both parties may each use one N-bit storage unit to hold their slice of the first comparison result, to stay consistent with the number of binary bits of the first output slice z_L and the second output slice z_R that participate in the same computation.
FIG. 3 is an exemplary flow diagram illustrating the calculation of a first output slice z _ L according to some embodiments of the present description. The process 300 may be performed by a computing device of a first party, and the process 300 may include:
Step 310, interacting with the computing device 1102 of the second party according to the secure comparison protocol to obtain a first slice t_L of a second comparison result t, where the second comparison result t is the result of comparing the sum of the first modulo result x_L' and the second modulo result x_R' with the target threshold.
Step 320, interacting with the computing device 1102 of the second party according to the secure computing protocol to obtain, based on the first modulo result x_L' and the second modulo result x_R' stored at the computing device 1102 of the second party, the first slice y_{0}_L of a first possible value y_{0} and the first slice y_{1}_L of a second possible value y_{1} in the output quotient group.
Here, when the private data x is less than the target threshold: the first possible value y_{0} is the equivalent value of the exponential function value in the output quotient group when the sum of the first modulo result and the second modulo result is less than the target threshold, and the second possible value y_{1} is the equivalent value of the exponential function value in the output quotient group when the sum of the first modulo result and the second modulo result is not less than the target threshold.
It should be understood that the computing device 1102 of the second party will obtain a second slice t_R of the second comparison result t, the second slice y_{0}_R of the first possible value y_{0}, and the second slice y_{1}_R of the second possible value y_{1}.
As mentioned above, the interaction in step 230 only needs to guarantee, when the private data is less than the target threshold, that the sum of the obtained first output slice and second output slice meets the required precision relative to the true exponential function value of the private data. When the private data x is less than the target threshold, the relationship between the first modulo result x_L', the second modulo result x_R' and the private data x may be expressed as x = (x_L' + x_R') mod M, where M denotes the target threshold. Specifically, since the first modulo result x_L' and the second modulo result x_R' are both smaller than the target threshold M: when x_L' + x_R' < M, x = x_L' + x_R'; when x_L' + x_R' ≥ M, x = x_L' + x_R' - M. Thus, when the private data x is less than the target threshold M (x < M), it is necessary to further distinguish x_L' + x_R' < M from x_L' + x_R' ≥ M. The first possible value y_{0} and the second possible value y_{1} described in step 320 correspond to these two cases, one each. Taking the exponential function e^{-x} as an example, the first possible value y_{0} and the second possible value y_{1} may correspond to e^{-x_L'}*e^{-x_R'} and exp(2^{m})*e^{-x_L'}*e^{-x_R'}, respectively.
For the specific manner of calculating the first slice y_{0}_L of the first possible value y_{0} and the first slice y_{1}_L of the second possible value y_{1}, refer to FIG. 4 and its related description.
Step 330, interacting with the computing device 1102 of the second party according to the secure computing protocol to obtain the first output slice z_L based on the first slice t_L of the second comparison result t, the first slice y_{0}_L of the first possible value y_{0} and the first slice y_{1}_L of the second possible value y_{1}, together with the second slice t_R of the second comparison result t, the second slice y_{0}_R of the first possible value y_{0} and the second slice y_{1}_R of the second possible value y_{1} stored at the computing device 1102 of the second party.
It should be appreciated that the second party's computing device 1102 will obtain a second output slice z_R. In some embodiments, the second comparison result t and its slices may each occupy one N-bit storage unit; specifically, they may be elements of the quotient group Z/2^{N}Z.
In some embodiments, both parties can securely calculate t*y_{0}+(1-t)*y_{1}=(t_L+t_R)*(y_{0}_L+y_{0}_R)+(1-(t_L+t_R))*(y_{1}_L+y_{1}_R) to obtain a first output slice z_L and a second output slice z_R, where t_L denotes the first slice of the second comparison result, t_R denotes the second slice of the second comparison result, y_{0}_L denotes the first slice of the first possible value, y_{0}_R denotes the second slice of the first possible value, y_{1}_L denotes the first slice of the second possible value, y_{1}_R denotes the second slice of the second possible value, "-" denotes the left element + (negative of the right element), "+" is the sign of group addition, and "*" is the sign of group multiplication. As mentioned above, when the private data x is less than the target threshold M: the first possible value is the equivalent value of the exponential function value in the output quotient group when the sum of the first modulo result and the second modulo result is smaller than the target threshold, and the second possible value is the equivalent value of the exponential function value in the output quotient group when the sum of the first modulo result and the second modulo result is not smaller than the target threshold. It can therefore be arranged that: when x_L' + x_R' < M, t = 1; when x_L' + x_R' ≥ M, t = 0. Thus, when the private data x is less than the target threshold M (x < M), whether x_L' + x_R' < M or x_L' + x_R' ≥ M holds, the sum of the first output slice z_L and the second output slice z_R obtained by the two-party secure computation equals the equivalent value h of the exponential function value in the output quotient group.
Similarly to step 240, in (t_L+t_R)*(y_{0}_L+y_{0}_R)+(1-(t_L+t_R))*(y_{1}_L+y_{1}_R), for the product terms involving private values of both parties, additive slices of the corresponding product are calculated using a secure multiplication protocol, one slice for each party. Each party then sums, under group addition, its locally calculated product terms and the slices calculated through the secure multiplication protocol, and the two parties obtain the first output slice z_L and the second output slice z_R respectively.
FIG. 4 is an exemplary flow diagram illustrating the calculation of the first slice y_{0}_L of the first possible value y_{0} and the first slice y_{1}_L of the second possible value y_{1} according to some embodiments of the present description. The process 400 may be performed by the computing device 1101 of the first party, and the process 400 may include:
Step 410, calculating the exponential function value of the first modulo result x_L' to obtain the first value u_L.
It should be appreciated that the second party's computing device 1102 may calculate the exponential function value of the second modulo result x_R' to obtain the second value u_R.
In some embodiments, the first value u_L and the second value u_R may be stored in the computing device as floating point numbers.
Step 420, amplifying the first value u_L by a preset ratio to obtain a first amplification result v_L in the target quotient group, where the first amplification result v_L satisfies a preset precision.
It should be understood that the computing device 1102 of the second party will amplify the second value u_R by the preset ratio to obtain a second amplification result v_R, and the second amplification result v_R satisfies the preset precision.
In some embodiments, the preset precision may depend on the number of binary bits used to store the calculation results. For example, with the exponential function e^{-x}, m=floor(log_{2}N+log_{2}(ln2))+1, where floor denotes rounding down, and the target threshold 2^{m}=2Nln2, assuming that the computing device uses N-bit storage units to hold the calculation results, the first value and the second value can each be input to the function floor(2^{3N-1}x) to obtain the first amplification result v_L and the second amplification result v_R in the target quotient group. Taking the amplification of the first value u_L as an example: since u_L=e^{-x_L'}>exp(-2^{m})≥2^{-2N}, it follows that 2^{3N-1}e^{-x_L'}>2^{N-1}; that is, if a sufficient number of N-bit storage units are used to store 2^{3N-1}e^{-x_L'}, the stored rounded result has at least N significant bits.
Since the two parties subsequently compute v_L*v_R securely from v_L and v_R in the same quotient group (i.e., the target quotient group), the numerical range of the target quotient group can be determined from the effect of the amplification and the multiplication on the values. Taking the exponential function e^{-x} as an example, the maximum value of each of v_L and v_R after amplification is 2^{3N-1}, so the maximum value of v_L*v_R is 2^{6N-2}, and at least 6 N-bit storage units may be used to hold v_L and v_R. In some embodiments, v_L and v_R may be saved using 6 N-bit storage units, and the target quotient group may be Z/2^{6N}Z.
Step 430, interacting with the computing device 1102 of the second party according to the secure computing protocol to obtain the first slice w_{0}_L of v_L*v_R in the target quotient group.
v_L*v_R denotes the product of the first amplification result v_L and the second amplification result v_R. It should be appreciated that the second party's computing device 1102 will obtain the second slice w_{0}_R of v_L*v_R in the target quotient group. In addition, v_L*v_R and its slices w_{0}_L and w_{0}_R correspond to x_L' + x_R' < M.
For the specific manner of calculating the first slice w_{0}_L of v_L*v_R in the target quotient group, refer to FIG. 6 and its related description.
Step 440, based on the target threshold M and the first slice w_{0}_L of v_L*v_R in the target quotient group, obtaining a first value to be processed w_{1}_L in the target quotient group.
It should be appreciated that the second party's computing device 1102 will, based on the target threshold M and the second slice w_{0}_R of v_L*v_R in the target quotient group, obtain a second value to be processed w_{1}_R in the target quotient group. In addition, w_{1}_L and w_{1}_R correspond to x_L' + x_R' ≥ M, and, if the effect of rounding on the values is neglected, w_{1}_L, w_{1}_R differ from w_{0}_L, w_{0}_R by a multiple of the exponential function value of the target threshold M. Taking the exponential function e^{-x} as an example, the first party may calculate floor(exp(2^{m})w_{0}_L) to obtain the first value to be processed w_{1}_L in the target quotient group Z/2^{6N}Z, and the second party may calculate floor(exp(2^{m})w_{0}_R) to obtain the second value to be processed w_{1}_R in the target quotient group Z/2^{6N}Z.
Step 450, truncating the first slice w_{0}_L of v_L*v_R in the target quotient group bitwise to obtain the first slice y_{0}_L of the first possible value y_{0} in the output quotient group.
It should be appreciated that the second party's computing device 1102 will truncate the second slice w_{0}_R of v_L*v_R in the target quotient group bitwise to obtain the second slice y_{0}_R of the first possible value y_{0} in the output quotient group.
Step 460, truncating the first value to be processed w_{1}_L in the target quotient group bitwise to obtain the first slice y_{1}_L of the second possible value y_{1} in the output quotient group.
It should be appreciated that the second party's computing device 1102 will truncate the second value to be processed w_{1}_R in the target quotient group bitwise to obtain the second slice y_{1}_R of the second possible value y_{1} in the output quotient group.
From the foregoing, the first slice w_{0}_L, the first value to be processed w_{1}_L, the second slice w_{0}_R and the second value to be processed w_{1}_R in the target quotient group are obtained by amplifying and multiplying values, so they occupy a large number of storage units (their numerical precision is higher than needed). It is therefore desirable to store these values in fewer storage units through truncation, while ensuring at truncation both the correctness of the result and the required numerical precision.
Taking the exponential function e^{-x} as an example, the target quotient group may be Z/2^{6N}Z, in which the first slice w_{0}_L, the first value to be processed w_{1}_L, the second slice w_{0}_R and the second value to be processed w_{1}_R each occupy 6 N-bit storage units, while one N-bit storage unit each for the first output slice and the second output slice is enough to meet the precision requirement. Based on this, N bits may be retained after bitwise truncation.
Besides retaining N bits, bitwise truncation must also ensure that the truncated binary bits do not affect the correctness of the result. Consider that the value range of the e^{-x} to be calculated (the private data x being a non-negative number) is (0, 1]. A value to be truncated (any of the first slice w_{0}_L, the first value to be processed w_{1}_L, the second slice w_{0}_R and the second value to be processed w_{1}_R) occupies 6 N-bit storage units and can be regarded as an element of the quotient group Z/2^{6N}Z. If the effect of rounding during the calculation is neglected, the value to be truncated is the e^{-x} to be calculated enlarged by a factor of 2^{6N-2}; therefore, for the sum of the truncated values to recover the magnitude of e^{-x}, the value to be truncated must be reduced by a factor of 2^{6N-2}. However, since the value is always stored in 6 N-bit storage units (the binary digit stored in each bit does not change), it suffices to regard the value to be truncated as an element of the quotient group 2^{-(6N-2)}Z/2^{2}Z. Since the value range of the e^{-x} to be calculated is (0, 1], the most significant bit of the sum of the two parties' values to be truncated is 0, whatever value the second bit before the decimal point (i.e., the most significant bit) of the value to be truncated stored by either party takes. Therefore, as shown in FIG. 5, taking as an example the fixed-point storage format in which the decimal point lies between the second bit and the third bit (the highest bit being the first bit) of the storage unit (e.g., 6×N bits), the highest bit of the value to be truncated can be truncated; and since N bits are retained after truncation, truncation can also be performed at the low end (specifically, 5N-1 consecutive bits starting from the lowest bit are truncated), keeping only N-1 bits after the decimal point. The truncated value can be regarded as an element of the output quotient group 2^{-(N-1)}Z/2Z. It should be noted that truncating the low bits may cause the sum of the two values to deviate by 2^{-(N-1)}; a deviation of magnitude 2^{-(N-1)} has a negligible effect on the accuracy of the calculated result.
FIG. 6 is an interaction diagram of a secure multiplication protocol, shown in accordance with some embodiments of the present description. The secure multiplication protocol converts the product, under group multiplication, of the private values of two parties into two slices under group addition, with each party holding one slice, and the private value of neither party is leaked during the calculation. As shown in FIG. 6, the first party's computing device 1101 stores a private value a, the second party's computing device 1102 stores a private value b, and both parties want to securely compute a*b: the first party's computing device 1101 obtains a first slice c_{0} of a*b, and the second party's computing device 1102 obtains a second slice c_{1} of a*b. Since the secure multiplication protocol follows group addition and group multiplication, the values involved in FIG. 6 (e.g., a, b, c, e, f, u, v, z) and their slices all belong to the same quotient group. The calculation process is described in detail below.
The random number server 130 generates a first random number u to be sent to the first party's computing device 1101 and a second random number v to be sent to the second party's computing device 1102. The random number server 130 calculates uv and splits uv into a first slice z_{0} to be sent to the first party's computing device 1101 and a second slice z_{1} to be sent to the second party's computing device 1102. u, v, z_{0} and z_{1} satisfy uv = z_{0}+z_{1}. The random number server 130 sends the first random number u and the first slice z_{0} to the computing device 1101 of the first party, and sends the second random number v and the second slice z_{1} to the second party's computing device 1102.
The first party's computing device 1101 calculates a-u (denoted as e) and sends e to the second party's computing device 1102. The second party's computing device 1102 calculates b-v (denoted as f) and sends f to the first party's computing device 1101.
The first party's computing device 1101 calculates uf+z_{0} as the first slice c_{0} of ab. The computing device 1102 of the second party calculates eb+z_{1} as the second slice c_{1} of ab. It can be verified that c_{0}+c_{1} = uf+eb+z_{0}+z_{1} = uf+eb+uv = u(b-v)+(a-u)b+uv = ab, i.e., c_{0}+c_{1} = ab.
It should be noted that in the above description of the secure multiplication protocol, "-" denotes the left element + (negative of the right element), "+" is the sign of group addition, and "*" is the sign of group multiplication and may be omitted.
To make the embodiments of the present specification easier to follow, a specific example of two-party secure computation of an exponential function value is provided below.
Suppose that: the exponential function is e^{-x}, the number of bits of a storage unit of the computing device is N=4, the target threshold is M=2^{m}=4 (m=floor(log_{2}N+log_{2}(ln2))+1=2), the private data x, the first slice x_L and the second slice x_R are in the input quotient group Z/2^{4}Z, x=2_{10}=0010_{2}, x_L=(2^{4}-1)_{10}=1111_{2}, x_R=(2^{2}-1)_{10}=0011_{2}, and the output quotient group is 2^{-3}Z/2Z.
Based on this, the values calculated by the first party's computing device 1101 include: first modulo result x_L'=(2^{2}-1)_{10}=0011_{2}, first value u_L=e^{-x_L'}=e^{-3} (saved as a floating point number), and first amplification result v_L=floor(2^{3N-1}u_L)=floor(2^{11}e^{-3})=101_{10}=0000 0000 0000 0000 0110 0101_{2}. The values calculated by the second party's computing device 1102 include: second modulo result x_R'=(2^{2}-1)_{10}=0011_{2}, second value u_R=e^{-x_R'}=e^{-3} (saved as a floating point number), and second amplification result v_R=floor(2^{3N-1}u_R)=floor(2^{11}e^{-3})=101_{10}=0000 0000 0000 0000 0110 0101_{2}.
Further, the computing devices of the two parties securely compute v_L*v_R with the assistance of the random number server 130. Suppose: the random number server generates a first random number u=0000 0000 0000 0000 0000 0001_{2} to be sent to the computing device 1101 of the first party and a second random number v=0000 0000 0000 0000 0000 0001_{2} to be sent to the computing device 1102 of the second party. The random number server 130 calculates uv and splits uv into a first slice z_{0}=0000 0000 0000 0000 0000 0001_{2} to be sent to the first party's computing device 1101 and a second slice z_{1}=0000 0000 0000 0000 0000 0000_{2} to be sent to the second party's computing device 1102.
The first party's computing device 1101 calculates e=v_L-u=0000 0000 0000 0000 0110 0100_{2} and sends e to the second party's computing device 1102. The second party's computing device 1102 calculates f=v_R-v=0000 0000 0000 0000 0110 0100_{2} and sends f to the first party's computing device 1101. The first party's computing device 1101 computes the first slice of v_L*v_R, w_{0}_L=uf+z_{0}=0000 0000 0000 0000 0110 0101_{2}, and the second party's computing device 1102 computes the second slice of v_L*v_R, w_{0}_R=eb+z_{1}=0000 0000 0010 0111 0111 0100_{2}. The computing device 1101 of the first party calculates the first value to be processed w_{1}_L=floor(e^{4}w_{0}_L)=0000 0000 0001 0101 1000 1010_{2}, and the second party's computing device 1102 calculates the second value to be processed w_{1}_R=floor(e^{4}w_{0}_R)=0000 1000 0110 1010 0001 0001_{2}. The computing device 1101 of the first party truncates w_{1}_L bitwise to obtain the first slice of the second possible value, y_{1}_L=0.000_{2}, and the second party's computing device 1102 truncates w_{1}_R bitwise to obtain the second slice of the second possible value, y_{1}_R=0.001_{2}.
Since x < M and x_L' + x_R' ≥ M, the sum of the first slice h_L of the equivalent value of the exponential function value calculated by the first party's computing device 1101 and the second slice h_R of the equivalent value of the exponential function value calculated by the second party's computing device 1102 is h=h_L+h_R=y_{1}_L+y_{1}_R=0.001_{2}.
It follows that the error of 0.001_{2} relative to the true value e^{-2} of the exponential function is about 0.0103_{10}, which is less than 2^{-4} and satisfies the precision corresponding to the output quotient group 2^{-3}Z/2Z.
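The N = 4 walk-through above, together with the secure multiplication protocol of FIG. 6, as an added Python simulation that is not part of the patent text. Both parties run in one process, the random number server's values default to the ones assumed above, the function names are this example's own, and the slices of t come from a plain comparison standing in for the secure comparison protocol, which this section does not specify.

```python
import math
import secrets

N = 4                                     # bits per storage unit (the page's example)
m = math.floor(math.log2(N) + math.log2(math.log(2))) + 1
M = 1 << m                                # target threshold 2^m
TGT_MOD = 1 << (6 * N)                    # target quotient group Z/2^{6N}Z
OUT_MOD = 1 << N                          # output group 2^{-(N-1)}Z/2Z as N-bit integers
OUT_SCALE = 2.0 ** -(N - 1)               # weight of the lowest retained bit


def deal(mod, u=None, v=None, z0=None):
    """Random number server: (u, z0) for party 1, (v, z1) for party 2, z0 + z1 = uv."""
    u = secrets.randbelow(mod) if u is None else u
    v = secrets.randbelow(mod) if v is None else v
    z0 = secrets.randbelow(mod) if z0 is None else z0
    return (u, z0), (v, (u * v - z0) % mod)


def secure_mul(a, b, mod, dealt=None):
    """Party 1 holds a, party 2 holds b; returns slices (c0, c1) with c0 + c1 = ab."""
    (u, z0), (v, z1) = dealt if dealt is not None else deal(mod)
    e = (a - u) % mod                     # party 1 -> party 2: a masked by u
    f = (b - v) % mod                     # party 2 -> party 1: b masked by v
    c0 = (u * f + z0) % mod               # computed locally by party 1
    c1 = (e * b + z1) % mod               # computed locally by party 2
    return c0, c1


def amplify(x_mod):
    """Steps 410-420: v = floor(2^{3N-1} * e^{-x'})."""
    return math.floor(2 ** (3 * N - 1) * math.exp(-x_mod))


def truncate(w):
    """Steps 450/460: drop the top bit and the low 5N-1 bits, keeping N bits."""
    return (w >> (5 * N - 1)) & (OUT_MOD - 1)


def select(t, y0, y1):
    """Step 330 on slices: t*y0 + (1-t)*y1 = y1 + t*(y0 - y1) in the output group."""
    t_l, t_r = t
    d_l, d_r = (y0[0] - y1[0]) % OUT_MOD, (y0[1] - y1[1]) % OUT_MOD
    p0, p1 = secure_mul(t_l, d_r, OUT_MOD)    # cross term t_L * d_R
    q0, q1 = secure_mul(d_l, t_r, OUT_MOD)    # cross term d_L * t_R
    z_l = (y1[0] + t_l * d_l + p0 + q0) % OUT_MOD
    z_r = (y1[1] + t_r * d_r + p1 + q1) % OUT_MOD
    return z_l, z_r


def walkthrough(x_l=0b1111, x_r=0b0011, dealt=((1, 1), (1, 0))):
    """Run steps 310-330 and 410-460 on the page's values; dealt = ((u, z0), (v, z1))."""
    xm_l, xm_r = x_l % M, x_r % M             # modulo results x_L', x_R'
    v_l, v_r = amplify(xm_l), amplify(xm_r)
    w0 = secure_mul(v_l, v_r, TGT_MOD, dealt)
    # Step 440: each party scales its own slice by exp(2^m). This is run here
    # with the page's slice values only, which do not wrap modulo 2^{6N}.
    w1 = tuple(math.floor(math.exp(M) * w) % TGT_MOD for w in w0)
    y0 = tuple(truncate(w) for w in w0)
    y1 = tuple(truncate(w) for w in w1)
    # Stand-in (assumption) for the secure comparison protocol: t is computed in
    # the clear and then split into random additive slices.
    t = 1 if xm_l + xm_r < M else 0
    t_l = secrets.randbelow(OUT_MOD)
    z = select((t_l, (t - t_l) % OUT_MOD), y0, y1)
    h = ((z[0] + z[1]) % OUT_MOD) * OUT_SCALE
    return {"v": (v_l, v_r), "w0": w0, "w1": w1, "y0": y0, "y1": y1, "z": z, "h": h}


if __name__ == "__main__":
    r = walkthrough()
    print(r, "error vs e^-2:", abs(r["h"] - math.exp(-2)))
```

Each message sent in `secure_mul` (e and f) is a private value masked by a uniformly random group element, which is why neither party learns the other's input from the exchange.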
It should be noted that the above description of the flow is for illustration and description only and does not limit the scope of the application of the present specification. Various modifications and alterations to one or more of the processes may be made by those skilled in the art in light of the present disclosure. However, such modifications and variations are intended to be within the scope of the present description.
FIG. 7 is an exemplary block diagram of a collaborative computing system that protects the data privacy of two parties, according to some embodiments of the present description. The system 700 may be implemented on the computing device 1101 of the first party. As shown in FIG. 7, the system 700 may include a first secure comparison module 710, a first modulo module 720, a first output slice computation module 730, and a first equivalence computation module 740.
In some embodiments, the first secure comparison module 710 may be configured to interact with the computing device 1102 of the second party according to a secure comparison protocol to obtain a first slice s_L of the first comparison result s of the private data against the target threshold.
In some embodiments, the first modulo module 720 may be configured to take the first slice x_L modulo the target threshold to obtain a first modulo result x_L'.
In some embodiments, the first output slice computation module 730 may be configured to interact with the second party's computing device 1102 according to a secure computing protocol to obtain the first output slice z_L based on the first modulo result x_L' and the second modulo result x_R' stored at the second party's computing device 1102.
In some embodiments, the first equivalence computation module 740 may be configured to interact with the second party's computing device 1102 according to a secure computing protocol to obtain a first slice h_L of the equivalent value h of the exponential function value based on the first slice s_L of the first comparison result s and the first output slice z_L, together with the second slice s_R of the first comparison result s and the second output slice z_R stored at the second party's computing device 1102.
It should be appreciated that the collaborative computing system and its modules implemented on the second party's computing device 1102 to protect both parties' data privacy have the same or similar functionality as the system 700 and its modules. In particular, the system implemented on the second party's computing device 1102 may include a second secure comparison module, a second modulo module, a second output slice computation module, and a second equivalence computation module.
In some embodiments, the second secure comparison module may be configured to interact with the computing device 1101 of the first party according to a secure comparison protocol to obtain a second slice s_R of the first comparison result s of the private data against the target threshold.
In some embodiments, the second modulo module may be configured to take the second slice x_R modulo the target threshold to obtain a second modulo result x_R'.
In some embodiments, the second output slice computation module may be configured to interact with the first party's computing device 1101 according to a secure computing protocol to obtain a second output slice z_R based on the second modulo result x_R' and the first modulo result x_L' stored at the first party's computing device 1101.
In some embodiments, the second equivalence computation module may be configured to interact with the computing device 1101 of the first party according to a secure computing protocol to obtain a second slice h_R of the equivalent value h of the exponential function value based on the second slice s_R of the first comparison result s and the second output slice z_R, together with the first slice s_L of the first comparison result s and the first output slice z_L stored at the computing device 1101 of the first party.
Further details regarding the systems and modules implemented on the two parties' computing devices may be found in FIG. 2 and its associated description, which are not repeated herein.
It should be understood that the system and its modules disclosed in this specification may be implemented in a variety of ways. For example, in some embodiments, the system and its modules may be implemented in hardware, software, or a combination of software and hardware. The hardware portion may be implemented using dedicated logic; the software portions may be stored in a memory for execution by a suitable instruction execution system, such as a microprocessor or specially designed hardware. Those skilled in the art will appreciate that the methods and systems described above may be implemented using computer-executable instructions and/or embodied in processor control code, such code being provided, for example, on a carrier medium such as a diskette, CD or DVD-ROM, a programmable memory such as read-only memory (firmware), or a data carrier such as an optical or electronic signal carrier. The system and its modules in this specification may be implemented not only by hardware circuits such as very large scale integrated circuits or gate arrays, semiconductors such as logic chips, transistors, or programmable hardware devices such as field programmable gate arrays, programmable logic devices, etc., but also by software executed by various types of processors, for example, or by a combination of the above hardware circuits and software (e.g., firmware).
It should be noted that the above description of the system and its modules is for convenience only and should not limit the present disclosure to the illustrated embodiments. It will be appreciated by those skilled in the art that, given the teachings of the system, any combination of modules or subsystem configurations may be used to connect to other modules without departing from such teachings. For example, in some embodiments, the security comparison module and the modulus extraction module may be two modules or may be combined into one module. Such variations are within the scope of the present disclosure.
The beneficial effects that may be brought by the embodiments of the present description include, but are not limited to: (1) during the calculation, the final calculation result and part of the intermediate calculation results are stored on the computing devices of the two parties in the form of slices, so that privacy disclosure can be effectively avoided; (2) through the design of the comparison result values, the amplification, the truncation and related processes, the calculation result can be guaranteed to meet a certain precision for the various values that the private data and its slices may take. It is to be noted that different embodiments may produce different advantages, and in different embodiments, any one or combination of the above advantages may be produced, or any other advantages may be obtained.
Having thus described the basic concept, it will be apparent to those skilled in the art that the foregoing detailed disclosure is to be considered merely illustrative and not restrictive of the embodiments herein. Various modifications, improvements and adaptations to the embodiments described herein may occur to those skilled in the art, although not explicitly described herein. Such modifications, improvements and adaptations are proposed in the embodiments of the present specification and thus fall within the spirit and scope of the exemplary embodiments of the present specification.
Also, the description uses specific words to describe embodiments of the description. Reference throughout this specification to "one embodiment," "an embodiment," and/or "some embodiments" means that a particular feature, structure, or characteristic described in connection with at least one embodiment of the specification is included. Therefore, it is emphasized and should be appreciated that two or more references to "an embodiment" or "one embodiment" or "an alternative embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, some features, structures, or characteristics of one or more embodiments of the specification may be combined as appropriate.
Moreover, those skilled in the art will appreciate that aspects of the embodiments of the present description may be illustrated and described in terms of several patentable species or situations, including any new and useful combination of processes, machines, manufacture, or materials, or any new and useful improvement thereof. Accordingly, aspects of embodiments of the present description may be carried out entirely by hardware, entirely by software (including firmware, resident software, microcode, etc.), or by a combination of hardware and software. The above hardware or software may be referred to as a "data block", "module", "engine", "unit", "component", or "system". Furthermore, aspects of the embodiments of the present specification may be represented as a computer product, including computer readable program code, embodied in one or more computer readable media.
The computer storage medium may comprise a propagated data signal with the computer program code embodied therewith, for example, on baseband or as part of a carrier wave. The propagated signal may take any of a variety of forms, including electromagnetic, optical, etc., or any suitable combination. A computer storage medium may be any computer-readable medium that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code located on a computer storage medium may be propagated over any suitable medium, including radio, cable, fiber optic cable, RF, or the like, or any combination of the preceding.
Computer program code required for operation of various portions of the embodiments of the present description may be written in any one or more programming languages, including an object oriented programming language such as Java, Scala, Smalltalk, Eiffel, JADE, Emerald, C++, C#, VB.NET, Python, and the like, a conventional programming language such as C, Visual Basic, Fortran 2003, Perl, COBOL 2002, PHP, ABAP, a dynamic programming language such as Python, Ruby, and Groovy, or other programming languages, and the like. The program code may execute entirely on the user's computer, partly on the user's computer, as a standalone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or processing device. In the latter scenario, the remote computer may be connected to the user's computer through any network format, such as a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet), or in a cloud computing environment, or as a service, such as a software as a service (SaaS).
In addition, unless explicitly stated in the claims, the order of processing elements and sequences, use of numbers and letters, or use of other names in the embodiments of the present specification are not intended to limit the order of the processes and methods in the embodiments of the present specification. While various presently contemplated embodiments of the invention have been discussed in the foregoing disclosure by way of example, it is to be understood that such detail is solely for that purpose and that the appended claims are not limited to the disclosed embodiments, but, on the contrary, are intended to cover all modifications and equivalent arrangements that are within the spirit and scope of the embodiments herein. For example, although the system components described above may be implemented by hardware devices, they may also be implemented by software-only solutions, such as installing the described system on an existing processing device or mobile device.
Similarly, it should be noted that in the preceding description of embodiments of the specification, various features are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more embodiments of the invention. This method of disclosure, however, is not intended to imply that more features are required than are expressly recited in the claims. Indeed, the embodiments may be characterized as having less than all of the features of a single embodiment disclosed above.
For each patent, patent application publication, and other material, such as articles, books, specifications, publications, documents, etc., cited in this specification, the entire contents of each are hereby incorporated by reference into this specification, except where the application is inconsistent or conflicting with the present disclosure, as may be the case with the broadest limitation of the claims that follow (whether present or appended to the present specification). It is to be understood that the descriptions, definitions and/or uses of terms in the accompanying materials of this specification shall control if they are inconsistent or contrary to the descriptions and/or uses of terms in this specification.
Finally, it should be understood that the embodiments described herein are merely illustrative of the principles of the embodiments of the present disclosure. Other variations are possible within the scope of the embodiments of the present description. Thus, by way of example, and not limitation, alternative configurations of the embodiments of the specification can be considered consistent with the teachings of the specification. Accordingly, the embodiments of the present description are not limited to only those embodiments explicitly described and depicted herein.
Claims (11)
1. A collaborative computing method for protecting the data privacy of two parties, wherein the exponent of an exponential function value computed collaboratively by the two parties is negatively correlated with private data, the private data comprises a first fragment and a second fragment in an input quotient group, the first fragment of the private data is stored in a computing device of the first party, and the second fragment of the private data is stored in a computing device of the second party; the method is performed by the computing device of the first party and comprises:
interacting with a computing device of a second party according to a secure comparison protocol to obtain a first slice of a first comparison result of the private data against a target threshold;
performing modulo on the first fragment of the private data relative to a target threshold to obtain a first modulo result;
interacting with the computing device of the second party according to the secure computing protocol to obtain a first output fragment based on the first modulo result and a second modulo result stored in the computing device of the second party;
interacting with the computing device of the second party according to a secure computing protocol to obtain a first fragment of an equivalent value of the exponential function value in an output quotient group, based on the first fragment of the first comparison result and the first output fragment, and on the second fragment of the first comparison result and a second output fragment stored in the computing device of the second party; wherein, when the private data is not less than the target threshold, the first comparison result makes the equivalent value 0.
2. The method of claim 1, wherein the interacting with the computing device of the second party according to the secure computing protocol to obtain the first output slice based on the first modulo result and a second modulo result stored at the computing device of the second party comprises:
interacting with the computing device of the second party according to a secure comparison protocol to obtain a first fragment of a second comparison result, wherein the second comparison result is a comparison result of the sum of the first modulo result and the second modulo result against the target threshold;
interacting with the computing device of the second party according to the secure computing protocol to obtain a first slice of the first possible value and a first slice of the second possible value based on the first modulo result and a second modulo result stored in the computing device of the second party, wherein when the private data is less than the target threshold: the first possible value is an equivalent value of the exponential function value in the output quotient group when the sum value of the first modulus result and the second modulus result is smaller than the target threshold value, and the second possible value is an equivalent value of the exponential function value in the output quotient group when the sum value of the first modulus result and the second modulus result is not smaller than the target threshold value;
interacting with the computing device of the second party according to the secure computing protocol to obtain a first output slice based on the first slice of the second comparison result, the first slice of the first possible value, the first slice of the second possible value, and the second slice of the second comparison result, the second slice of the first possible value, the second slice of the second possible value, stored at the computing device of the second party.
3. The method of claim 2, wherein the interacting with the computing device of the second party according to the secure computing protocol to obtain the first slice of the first possible value and the first slice of the second possible value based on the first modulo result and a second modulo result stored in the computing device of the second party comprises:
calculating an exponential function value of the first modulus result to obtain a first numerical value;
amplifying the first numerical value according to a preset ratio to obtain a first amplification result in the target quotient group, wherein the first amplification result meets a preset precision;
interacting with the computing device of the second party according to a secure computing protocol to obtain a first fragment of a target product in the target quotient group, the target product being a product of the first amplification result and a second amplification result stored in the computing device of the second party;
obtaining a first value to be processed in a target quotient group based on a first segment of a target threshold and a target product;
truncating the first fragment of the target product according to bits to obtain a first fragment of the first possible value;
and truncating the first value to be processed according to bits to obtain a first fragment of a second possible value in the output quotient group.
4. The method of claim 3, wherein the exponential function value is e^{-x}, x is the private data, and the target threshold is 2^{m}, where m = floor(log_{2}N + log_{2}(ln 2)) + 1 and N is the number of bits of the memory location in the computing device.
5. The method of claim 4, wherein the preset ratio is 2^{3N-1}.
6. The method of claim 5, wherein the target quotient group is Z/2^{6N}Z, wherein Z represents the set of integers.
7. The method of claim 6, wherein the output quotient group is 2^{N+1}Z/2Z;
the bitwise truncation includes: truncating the most significant bit and truncating 5N-1 consecutive bits starting from the least significant bit.
8. The method of claim 2, wherein the interacting with the computing device of the second party according to the secure computing protocol to obtain the first output slice based on the first slice of the second comparison result, the first slice of the first possible value, the first slice of the second possible value, and the second slice of the second comparison result, the second slice of the first possible value, the second slice of the second possible value stored at the computing device of the second party comprises:
interacting with the computing device of the second party according to the secure computing protocol to obtain a first fragment of (t_L + t_R) * (y_{0}_L + y_{0}_R) + (1 - (t_L + t_R)) * (y_{1}_L + y_{1}_R) as the first output slice, wherein t_L denotes the first slice of the second comparison result, t_R denotes the second slice of the second comparison result, y_{0}_L denotes the first fragment of the first possible value, y_{0}_R denotes the second fragment of the first possible value, y_{1}_L denotes the first fragment of the second possible value, y_{1}_R denotes the second fragment of the second possible value, - denotes the left element + (negative of the right element), + denotes group addition, and * denotes group multiplication;
when the sum of the first and second modulo results is less than the target threshold, t_L + t_R = 1; when the sum of the first and second modulo results is not less than the target threshold, t_L + t_R = 0.
9. The method of claim 1, wherein interacting with the computing device of the second party according to the secure computing protocol to obtain a first slice of an equivalent value of the exponent function value in the output quotient group based on the first slice of the first comparison result, the first output slice, and the second slice of the first comparison result, the second output slice, stored at the computing device of the second party, comprises:
interacting with the computing device of the second party according to the secure computing protocol to obtain a first slice of (z_L + z_R) * (s_L + s_R) as the first slice of the equivalent value, wherein z_L denotes the first output slice, z_R denotes the second output slice, s_L denotes the first slice of the first comparison result, s_R denotes the second slice of the first comparison result, + denotes group addition, and * denotes group multiplication;
when the private data is less than the target threshold, s_L + s_R = 1; when the private data is not less than the target threshold, s_L + s_R = 0.
10. A collaborative computing system for protecting the data privacy of two parties, wherein the exponent of an exponential function value computed collaboratively by the two parties is negatively correlated with private data, the private data comprises a first fragment and a second fragment in an input quotient group, the first fragment of the private data is stored in a computing device of the first party, and the second fragment of the private data is stored in a computing device of the second party; the system is implemented on the computing device of the first party and comprises:
a first security comparison module to interact with a computing device of a second party according to a security comparison protocol to obtain a first segment of a first comparison result of private data against a target threshold;
the first modulus taking module is used for taking the modulus of the first fragment of the private data relative to the target threshold value to obtain a first modulus taking result;
the first output fragment computing module is used for interacting with the computing equipment of the second party according to the secure computing protocol to obtain a first output fragment based on the first modulus result and a second modulus result stored in the computing equipment of the second party;
the first equivalent calculation module is used for interacting with the computing device of the second party according to the secure computing protocol to obtain a first fragment of an equivalent value of the exponential function value in an output quotient group, based on the first fragment of the first comparison result and the first output fragment, and on the second fragment of the first comparison result and a second output fragment stored in the computing device of the second party; wherein, when the private data is not less than the target threshold, the first comparison result makes the equivalent value 0.
11. A collaborative computing apparatus for protecting the data privacy of two parties, comprising a processor and a storage device for storing instructions that, when executed by the processor, implement the method of any of claims 1-9.
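The data flow of claims 1, 2, 8 and 9, simulated for both parties in one process, is sketched below as an added example; it is not code from the patent. Assumptions: an ideal function stands in for the secure comparison protocol, Beaver triples from a trusted dealer stand in for the secure computing protocol, the input group is Z/2^N Z with integer x, and the first party folds e^(2^m) into a second local encoding in place of the truncation steps of claims 3 and 7.

```python
import math
import secrets

N = 16                                   # bits per storage unit (claim 4's N)
M = math.floor(math.log2(N) + math.log2(math.log(2))) + 1   # claim 4's m
T = 1 << M                               # target threshold 2^m
SCALE = 1 << (3 * N - 1)                 # preset ratio 2^(3N-1), claim 5
RING = 1 << (6 * N)                      # target quotient group Z/2^(6N)Z, claim 6
IN_MOD = 1 << N                          # assumed input group Z/2^N Z


def share(v, mod=RING):
    """Split v into two additive shares modulo mod."""
    r = secrets.randbelow(mod)
    return r, (v - r) % mod


def ideal_less_than(value, bound):
    """Ideal stand-in for the secure comparison: shares of [value < bound]."""
    return share(1 if value < bound else 0)


def beaver_mul(xs, ys):
    """Multiply shared x and y using a dealer-supplied triple (u, v, u*v)."""
    u, v = secrets.randbelow(RING), secrets.randbelow(RING)
    us, vs, ws = share(u), share(v), share(u * v % RING)
    d = (xs[0] - us[0] + xs[1] - us[1]) % RING   # opened x - u, masked by u
    e = (ys[0] - vs[0] + ys[1] - vs[1]) % RING   # opened y - v, masked by v
    z_l = (ws[0] + d * vs[0] + e * us[0] + d * e) % RING
    z_r = (ws[1] + d * vs[1] + e * us[1]) % RING
    return z_l, z_r


def shared_exp_neg(x_l, x_r):
    """Return output shares of e^(-x) * SCALE^2 for x = x_l + x_r mod 2^N."""
    x = (x_l + x_r) % IN_MOD             # seen only inside the ideal comparison
    s = ideal_less_than(x, T)            # claim 1: shares of [x < 2^m]
    a, b = x_l % T, x_r % T              # claim 1: each party reduces its own share
    t = ideal_less_than(a + b, T)        # claim 2: shares of [a + b < 2^m]
    a0 = round(math.exp(-a) * SCALE)     # first party, local
    a1 = round(math.exp(T - a) * SCALE)  # first party, local, e^(2^m) folded in
    b0 = round(math.exp(-b) * SCALE)     # second party, local
    y0 = beaver_mul((a0, 0), (0, b0))    # first possible value:  a + b <  2^m
    y1 = beaver_mul((a1, 0), (0, b0))    # second possible value: a + b >= 2^m
    # Claim 8: z = t*y0 + (1 - t)*y1, rewritten as y1 + t*(y0 - y1).
    diff = ((y0[0] - y1[0]) % RING, (y0[1] - y1[1]) % RING)
    sel = beaver_mul(t, diff)
    z = ((y1[0] + sel[0]) % RING, (y1[1] + sel[1]) % RING)
    return beaver_mul(z, s)              # claim 9: result is 0 when x >= 2^m


def decode(shares):
    """Reconstruct the output and remove the fixed-point scale."""
    return ((shares[0] + shares[1]) % RING) / (SCALE * SCALE)


if __name__ == "__main__":
    for x in (0, 3, 15, 16, 40000):      # constructed sample inputs
        x_l = secrets.randbelow(IN_MOD)
        x_r = (x - x_l) % IN_MOD
        print(x, decode(shared_exp_neg(x_l, x_r)), math.exp(-x))
```

With N = 16 the threshold is 2^4 = 16, and inputs at or above it decode to exactly 0 because e^(-16) is already below the 2^(-N) output precision.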
Priority Applications (1)
Application Number  Priority Date  Filing Date  Title
CN202010276651.9A (CN111177790B)  2020-04-10  2020-04-10  Collaborative computing method, system and device for protecting data privacy of two parties
Publications (2)
Publication Number  Publication Date
CN111177790A  2020-05-19
CN111177790B  2020-07-10
Family
ID=70647265
Family Applications (1)
Application Number  Status  Priority Date  Filing Date  Title
CN202010276651.9A (CN111177790B)  Active  2020-04-10  2020-04-10  Collaborative computing method, system and device for protecting data privacy of two parties
Country Status (1)
Country  Link
CN (1)  CN111177790B (en)
Legal Events
Date  Code  Title  Description
PB01  Publication
SE01  Entry into force of request for substantive examination
GR01  Patent grant
REG  Reference to a national code
Ref country code: HK; Ref legal event code: DE; Ref document number: 40029338; Country of ref document: HK