CN111177790A - Collaborative computing method, system and device for protecting data privacy of two parties - Google Patents


Publication number
CN111177790A
Authority
CN
China
Prior art keywords
computing
value
party
slice
fragment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010276651.9A
Other languages
Chinese (zh)
Other versions
CN111177790B (en
Inventor
张祺智
李漓春
殷山
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alipay Hangzhou Information Technology Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alipay Hangzhou Information Technology Co Ltd
Priority to CN202010276651.9A
Publication of CN111177790A
Application granted
Publication of CN111177790B
Legal status: Active
Anticipated expiration


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes

Abstract

Embodiments of the present specification provide a collaborative computing method, system and apparatus for protecting the data privacy of two parties, which can be applied to model training. The exponent of the exponential function value computed cooperatively by the two parties is negatively correlated with private data; the private data comprises a first fragment and a second fragment in the input quotient group, the first fragment being stored in a computing device of the first party and the second fragment being stored in a computing device of the second party. Through secure comparison, the two parties each obtain a fragment of a first comparison result of the private data against a target threshold, and each party takes its fragment of the private data modulo the target threshold to obtain a modulo result. Through secure computation, the two parties obtain their respective output fragments based on the modulo results of both parties, and obtain their respective fragments of the equivalent value of the exponential function value in the output quotient group based on both parties' fragments of the first comparison result and both parties' output fragments. When the private data is not less than the target threshold, the first comparison result makes the equivalent value 0.

Description

Collaborative computing method, system and device for protecting data privacy of two parties
Technical Field
The embodiment of the specification relates to the technical field of information, in particular to a collaborative computing method, a collaborative computing system and a collaborative computing device for protecting data privacy of two sides.
Background
In some scenarios, private data is split into multiple shares, each of which is held by one of multiple participants to avoid privacy disclosure. In the process of jointly calculating a function value of the private data by multiple parties, the accuracy of the calculation result is ensured, and privacy is effectively protected.
It is desirable to provide a scheme that enables secure computation of an exponential function value of private data by two parties.
Disclosure of Invention
One of the embodiments of the present specification provides a collaborative computing method for protecting the data privacy of two parties, where the exponent of the exponential function value computed cooperatively by the two parties is negatively correlated with private data, the private data comprises a first fragment and a second fragment in an input quotient group, the first fragment of the private data is stored in a computing device of the first party, and the second fragment of the private data is stored in a computing device of the second party; the method is performed by the computing device of the first party and comprises: interacting with the computing device of the second party according to a secure comparison protocol to obtain a first fragment of a first comparison result of the private data against a target threshold; taking the first fragment of the private data modulo the target threshold to obtain a first modulo result; interacting with the computing device of the second party according to a secure computing protocol to obtain a first output fragment based on the first modulo result and a second modulo result stored in the computing device of the second party; interacting with the computing device of the second party according to a secure computing protocol to obtain a first fragment of an equivalent value of the exponential function value in an output quotient group, based on the first fragment of the first comparison result and the first output fragment, and on the second fragment of the first comparison result and the second output fragment stored in the computing device of the second party; and when the private data is not less than the target threshold, the first comparison result makes the equivalent value 0.
One of the embodiments of the present specification provides a collaborative computing system for protecting the data privacy of two parties, where the exponent of the exponential function value computed cooperatively by the two parties is negatively correlated with private data, the private data comprises a first fragment and a second fragment in an input quotient group, the first fragment of the private data is stored in a computing device of the first party, and the second fragment of the private data is stored in a computing device of the second party; the system is implemented on the computing device of the first party and comprises: a first secure comparison module, configured to interact with the computing device of the second party according to a secure comparison protocol to obtain a first fragment of a first comparison result of the private data against a target threshold; a first modulo module, configured to take the first fragment of the private data modulo the target threshold to obtain a first modulo result; a first output fragment computing module, configured to interact with the computing device of the second party according to a secure computing protocol to obtain a first output fragment based on the first modulo result and a second modulo result stored in the computing device of the second party; a first equivalent value computing module, configured to interact with the computing device of the second party according to a secure computing protocol to obtain a first fragment of an equivalent value of the exponential function value in an output quotient group, based on the first fragment of the first comparison result and the first output fragment, and on the second fragment of the first comparison result and the second output fragment stored in the computing device of the second party; and when the private data is not less than the target threshold, the first comparison result makes the equivalent value 0.
One of the embodiments of the present specification provides a collaborative computing apparatus for protecting privacy of data on two sides, including a processor and a storage device, where the storage device is configured to store instructions, and when the processor executes the instructions, the collaborative computing method for protecting privacy of data on two sides as described in any one of the embodiments of the present specification is implemented.
Drawings
The present description will be further explained by way of exemplary embodiments, which will be described in detail by way of the accompanying drawings. These embodiments are not intended to be limiting, and in these embodiments like numerals are used to indicate like structures, wherein:
FIG. 1 is a schematic diagram of an application scenario of a computing system in accordance with some embodiments of the present description;
FIG. 2 is an exemplary flow diagram of a collaborative computing method for protecting privacy of data on two sides, according to some embodiments of the present description;
FIG. 3 is an exemplary flow diagram illustrating the calculation of a first output slice z_L according to some embodiments of the present description;
FIG. 4 is an exemplary flow diagram of a method of calculating the first slice y0_L of a first possible value y0 and the first slice y1_L of a second possible value y1, according to some embodiments of the present description;
FIG. 5 is a schematic diagram illustrating a bitwise truncation according to some embodiments of the present description;
FIG. 6 is an interaction diagram of a secure multiplication protocol, shown in accordance with some embodiments of the present description;
FIG. 7 is an exemplary block diagram of a collaborative computing system that protects privacy of data on two sides, according to some embodiments of the present description.
Detailed Description
In order to more clearly illustrate the technical solutions of the embodiments of the present disclosure, the drawings used in the description of the embodiments will be briefly described below. It is obvious that the drawings in the following description are only examples or embodiments of the present description, and that for a person skilled in the art, the present description can also be applied to other similar scenarios on the basis of these drawings without inventive effort. Unless otherwise apparent from the context, or otherwise indicated, like reference numbers in the figures refer to the same structure or operation.
It should be understood that "system", "device", "unit" and/or "module" as used herein is a method for distinguishing different components, elements, parts, portions or assemblies at different levels. However, other words may be substituted by other expressions if they accomplish the same purpose.
As used in this specification and the appended claims, the terms "a," "an," and/or "the" do not refer specifically to the singular and may also include the plural, unless the context clearly dictates otherwise. In general, the terms "comprises" and "comprising" merely indicate that steps and elements are included which are explicitly identified, that the steps and elements do not form an exclusive list, and that a method or apparatus may include other steps or elements.
Flow charts are used in this description to illustrate operations performed by a system according to embodiments of the present description. It should be understood that the preceding or following operations are not necessarily performed in the exact order shown. Rather, the various steps may be processed in reverse order or simultaneously. Meanwhile, other operations may be added to the processes, or a certain step or several steps of operations may be removed from the processes.
For the purpose of illustrating embodiments of the present specification, reference will first be made to the mathematical knowledge involved therein.
In mathematics, a group (hereinafter denoted by G) is defined with a binary operation, which may generally be written with the multiplication symbol "*" (omitted when unambiguous) or the addition symbol "+"; it should be noted, however, that the binary operation is not necessarily the multiplication or addition of ordinary arithmetic. The result of combining several elements through one or more binary operations may be referred to as a sum.
The binary operation of a group satisfies: 1. closure: for any elements a, b in G, a*b is still in G; 2. associativity: for any elements a, b, c in G, (a*b)*c = a*(b*c); 3. identity element: there exists an element e in G such that e*a = a*e = a for any element a in G; 4. inverse element: for any element a in G, there exists b in G such that a*b = b*a = e, and a and b are inverses of each other. It should be noted that, for a binary operation denoted by "+", e may be called zero and the inverse may be called the negative, and a + (inverse of b) may be written a-b for any elements a, b in G. An abelian group satisfies, in addition to the above 4 properties, the commutative law, i.e. a + b = b + a for any elements a, b in the abelian group.
Further, the present specification relates to a quotient group based on the abelian group of integers, whose mathematical representation may be $G := 2^{-k}\mathbb{Z}/2^{N-k}\mathbb{Z}$, where $\mathbb{Z}$ is the set of integers, k is a non-negative integer, N is a positive integer and N-k > 0. An element of the quotient group G is a non-negative binary fixed-point number with k fractional bits and N-k integer bits, and one N-bit storage unit in a computing device can store the value of any fixed-point number in G. The binary operations of the quotient group G include group addition and group multiplication: group addition is written $(a + b) \bmod 2^{N-k}$, which may be shortened to a + b when unambiguous, where mod denotes taking the value on its left modulo the value on its right and the "+" in the former expression is ordinary arithmetic addition; group multiplication is written $(a * b) \bmod 2^{N-k}$, which may be shortened to a*b or ab when unambiguous, where the "*" in the former expression is ordinary arithmetic multiplication.
It should be noted that unless this specification states that a sum is based on group addition or that a product is based on group multiplication, the sum or product should be understood as a concept of ordinary arithmetic. In addition, because sums in ordinary arithmetic are written directly as sums in this specification, sums based on group addition and slices based on group addition may be shortened to sums and slices where this causes no ambiguity.
In some distributed scenarios, the value of a function must be computed securely by multiple parties, where security may refer to the correctness of the output result and the confidentiality of the input information and the output information. For example, in some machine learning scenarios, one party holds private feature data and the other holds private tag data. If a function value is computed directly on private data (feature data/tag data), leakage of the function value may allow the private data to be inferred. Therefore, each party can split the private data x it holds into two parts, keep one part x_L and send the other part x_R to the other party, where the sum of x_L and x_R is x. The two parties then run a secure computing protocol and each obtains a slice of the function value. The sum of the slices obtained by the two parties is the function value, and an attacker who wants to learn the private data needs to obtain the slices of both parties.
Specifically, in scenarios such as logistic regression and neural networks, the two parties need to securely compute the value of an exponential function whose exponent is negatively correlated with the input (e.g., $e^{-x}$, whose base is the natural constant e). Taking $e^{-x}$ (also written exp(-x)) as an example, x denotes the private data as input, x_L is the input slice of the first party and x_R is the input slice of the second party, where x_L, x_R and x are all assumed to lie in the quotient group $2^{-k}\mathbb{Z}/2^{N-k}\mathbb{Z}$, i.e., $x = (x_L + x_R) \bmod 2^{N-k}$ is satisfied. Note that $e^{-x}$ may be based on the product of $e^{-x_L}$ and $e^{-x_R}$, i.e. the output slice of the first party may be obtained based on $e^{-x_L}$ and the output slice of the second party may be obtained based on $e^{-x_R}$. With $e^{-x}$, when the input slice of either party is too large, its output slice takes the value 0, so that the sum of the output slices of both parties is 0, which may deviate too much from the actual value of $e^{-x}$. For example, when N = 64, k = 16, x = 0 and $x_L = x_R = 2^{47}$, then since $e^{-x_L} = e^{-x_R} < 2^{-64}$, if $e^{-x_L}$ and $e^{-x_R}$ are stored as N-bit fixed-point numbers, both are stored as 0, so the sum of the two output slices is 0, whereas in reality $e^{-x} = 1$.
Embodiments in this specification provide a collaborative computing method, system and apparatus for protecting the data privacy of two parties, which compute the slices of an exponential function value according to the magnitude of the private data and of its slices, so as to ensure the accuracy of the computation result while protecting data privacy.
FIG. 1 is a schematic diagram of an application scenario of a computing system in accordance with some embodiments of the present description. As shown in fig. 1, computing system 100 may include computing device 110-1, computing device 110-2, and network 120, where computing device 110-1 and computing device 110-2 may be two-party devices participating in two-party secure computing.
The computing device may include various types of computing-capable devices, such as a server. In some embodiments, the servers may be independent servers or groups of servers, which may be centralized or distributed. In some embodiments, the server may be regional or remote. In some embodiments, the server may execute on a cloud platform. For example, the cloud platform may include one or any combination of a private cloud, a public cloud, a hybrid cloud, a community cloud, a decentralized cloud, an internal cloud, and the like.
The network 120 connects the various components of the system so that communication can occur between the various components. The network between the various parts in the system may include wired networks and/or wireless networks. For example, network 120 may include a cable network, a wired network, a fiber optic network, a telecommunications network, an intranet, the internet, a Local Area Network (LAN), a Wide Area Network (WAN), a Wireless Local Area Network (WLAN), a Metropolitan Area Network (MAN), a Public Switched Telephone Network (PSTN), a bluetooth network, a ZigBee network (ZigBee), Near Field Communication (NFC), an intra-device bus, an intra-device line, a cable connection, and the like, or any combination thereof. The network connection between each two parts may be in one of the above-mentioned ways, or in a plurality of ways.
In some embodiments, computing system 100 may also include a random number server 130, and random number server 130 may assist two-party computing devices in running a secure computing protocol, such as a secure multiplication protocol. For details of the secure multiplication protocol, reference may be made to fig. 6 and its associated description.
FIG. 2 is an exemplary flow diagram of a collaborative computing method for protecting the data privacy of two parties, according to some embodiments of the present description. The private data x comprises a first slice x_L and a second slice x_R, x_L being stored on the first party's computing device 110-1 and x_R being stored on the second party's computing device 110-2. The exponent of the exponential function value computed cooperatively by the two parties is negatively correlated with the input. The quotient group in which the input private data and its slices lie may be referred to as the input quotient group, and the quotient group in which the equivalent value (denoted h) of the output exponential function value and its slices (the first slice h_L stored at the first party's computing device 110-1 and the second slice h_R stored at the second party's computing device 110-2) lie may be referred to as the output quotient group. Since numerical approximation or the like may be involved in the calculation, the calculated result is not necessarily equal to the exponential function value itself; the calculated result is therefore referred to in this specification as an equivalent value of the exponential function value. The equivalent value may be equal to an approximation of the exponential function value in the output quotient group, and in practical applications the equivalent value may take part in subsequent operations in place of the exponential function value itself. In some embodiments, the input quotient group may be $2^{-k}\mathbb{Z}/2^{N-k}\mathbb{Z}$, where k is a non-negative integer, N is the number of binary bits of a storage unit in the computing device and N-k > 0. In some embodiments, the exponential function may be $e^{-x}$ and the output quotient group may be $2^{-N+1}\mathbb{Z}/2\mathbb{Z}$, which covers the value range $(0, 1]$ of $e^{-x}$ ($x \ge 0$).
Process 200 may be performed by the computing device 110-1 of the first party, and the processing flow of the computing device 110-2 of the second party may refer to process 200. The process 200 may include:
Step 210, interacting with the computing device 110-2 of the second party according to the secure comparison protocol to obtain a first slice s_L of a first comparison result s of the private data with respect to the target threshold. In some embodiments, step 210 may be implemented by the first secure comparison module 710.
The target threshold may be a value of the private data at which the approximation of the exponential function value in the output quotient group is 0. Taking the exponential function $e^{-x}$ as an example, from the lemma "if $m > \log_2 N + \log_2(\ln 2)$, then $\exp(-2^m) < 2^{-N}$" it can be deduced that when $x \ge 2^m$, the approximate value of $e^{-x}$ in the output quotient group $2^{-N+1}\mathbb{Z}/2\mathbb{Z}$ is 0, where $2^m$ is the target threshold. In some embodiments, $m = \mathrm{floor}(\log_2 N + \log_2(\ln 2)) + 1$ may be used, where floor denotes rounding down.
It should be appreciated that, after the interaction, the computing device 110-2 of the second party obtains the second slice s_R of the first comparison result s; the sum of s_L and s_R is s. In the subsequent step 240, the value of the first comparison result s may be designed so that, when the private data is not less than the target threshold, the sum of the first slice h_L and the second slice h_R of the equivalent value h of the exponential function value is 0. Thus, the accuracy of the calculation result when the private data is not less than the target threshold can be ensured.
In some embodiments, a particular implementation of a secure comparison protocol may be found in the literature: Geoffroy Couteau. "New Protocols for Secure Equality Test and Comparison." Applied Cryptography and Network Security, Lecture Notes in Computer Science, Volume 10892 II, pages 303-320, 2018.
Step 220, taking the first slice x_L modulo the target threshold to obtain a first modulo result x_L'. In some embodiments, step 220 may be implemented by the first modulo module 720.
It should be appreciated that the second party's computing device 110-2 may take the second slice x_R modulo the target threshold to obtain a second modulo result x_R'.
After the modulo operation, the first modulo result x_L' and the second modulo result x_R' are both smaller than the target threshold, so that the approximate values of the exponential function values of x_L' and x_R' in the output quotient group are not 0. Taking the exponential function $e^{-x}$ as an example, after x_L and x_R are reduced modulo $2^m$, the approximate values of $e^{-x_L'}$ and $e^{-x_R'}$ in the output quotient group $2^{-N+1}\mathbb{Z}/2\mathbb{Z}$ are not 0.
Step 230, interacting with the second party's computing device 110-2 according to the secure computing protocol to obtain the first output slice z_L based on the first modulo result x_L' and the second modulo result x_R' stored in the second party's computing device 110-2. In some embodiments, step 230 may be implemented by the first output slice computation module 730.
It should be appreciated that the second party's computing device 110-2 will obtain a second output slice z_R.
As described above, when the private data is not less than the target threshold, the accuracy of the calculation result can be ensured by designing the value of s. The secure computation in step 230 therefore only needs to guarantee that, when the private data is smaller than the target threshold, the sum of the first output slice z_L and the second output slice z_R is reasonably accurate relative to the true value of the exponential function value.
With regard to specific implementations of step 230, reference may be made to fig. 3 and its associated description.
Step 240, interacting with the computing device 110-2 of the second party according to the secure computing protocol to obtain a first slice h_L of the equivalent value h of the exponential function value, based on the first slice s_L of the first comparison result s and the first output slice z_L, and on the second slice s_R of the first comparison result s and the second output slice z_R stored in the computing device 110-2 of the second party. In some embodiments, step 240 may be performed by the first equivalent value computation module 740.
It should be appreciated that the second party's computing device 110-2 will obtain the second slice h_R of the equivalent value h of the exponential function value. It should be noted that h, h_L and h_R belong to the output quotient group. In some embodiments, the first comparison result s and its slices may each occupy one N-bit storage unit; specifically, they may be elements of the quotient group $\mathbb{Z}/2^N\mathbb{Z}$.
In some embodiments, s = 0 (i.e., the sum of s_L and s_R is 0) when the private data is not less than the target threshold, and s = 1 (i.e., the sum of s_L and s_R is 1) when the private data is less than the target threshold. Accordingly, h_L + h_R = (s_L + s_R)*(z_L + z_R), and by the properties of the group, h_L + h_R = s_L*z_L + s_L*z_R + s_R*z_L + s_R*z_R, where "+" and "*" are the symbols of group addition and group multiplication, respectively. In this polynomial, s_L*z_L may be computed locally at the computing device 110-1 of the first party and s_R*z_R may be computed locally at the computing device 110-2 of the second party; for s_L*z_R and s_R*z_L, the two parties may run a secure multiplication protocol, after which the computing device 110-1 of the first party obtains a first slice of s_L*z_R and a first slice of s_R*z_L, and the computing device 110-2 of the second party obtains a second slice of s_L*z_R and a second slice of s_R*z_L. The computing device 110-1 of the first party then adds, by group addition, the first slice of s_L*z_R, the first slice of s_R*z_L and s_L*z_L to obtain the first slice h_L, and the computing device 110-2 of the second party adds, by group addition, the second slice of s_L*z_R, the second slice of s_R*z_L and s_R*z_R to obtain the second slice h_R.
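The slice-wise expansion of step 240, as an added Python example that is not code from the patent. It works on N-bit raw values modulo 2^N; a Beaver-triple multiplication with a local `dealer_triple` function is assumed in place of the secure multiplication protocol and random number server 130 (the protocol of FIG. 6 is not reproduced here), and all function names are hypothetical.

```python
import secrets

N = 64
MOD = 1 << N  # s, z and h are each held in one N-bit storage unit


def share(value):
    """Split value into two additive slices modulo 2^N."""
    left = secrets.randbelow(MOD)
    return left, (value - left) % MOD


def reveal(slices):
    """Recombine two slices (only done here to check the result)."""
    return sum(slices) % MOD


def dealer_triple():
    """Assumed stand-in for random number server 130: slices of a, b and a*b."""
    a, b = secrets.randbelow(MOD), secrets.randbelow(MOD)
    return share(a), share(b), share(a * b % MOD)


def beaver_mul(u, v):
    """Slices of u*v from slices of u and v (assumed Beaver-triple protocol)."""
    (a_l, a_r), (b_l, b_r), (c_l, c_r) = dealer_triple()
    # Each party publishes its slice masked by its triple slice; the opened
    # values d = u - a and e = v - b are uniformly random and reveal nothing.
    d = (u[0] - a_l + u[1] - a_r) % MOD
    e = (v[0] - b_l + v[1] - b_r) % MOD
    w_l = (c_l + d * b_l + e * a_l + d * e) % MOD
    w_r = (c_r + d * b_r + e * a_r) % MOD
    return w_l, w_r


def combine(s, z):
    """h_L, h_R with h = s*z, following the four-term expansion in the text."""
    s_l, s_r = s
    z_l, z_r = z
    # Cross terms: one factor is known only to the first party, the other
    # only to the second, so the missing slice of each input is 0.
    slz_r = beaver_mul((s_l, 0), (0, z_r))   # slices of s_L*z_R
    srz_l = beaver_mul((0, s_r), (z_l, 0))   # slices of s_R*z_L
    h_l = (s_l * z_l + slz_r[0] + srz_l[0]) % MOD   # local term + first slices
    h_r = (s_r * z_r + slz_r[1] + srz_l[1]) % MOD   # local term + second slices
    return h_l, h_r


def encode_out(value):
    """Raw encoding in the output quotient group: value * 2^(N-1) mod 2^N."""
    return round(value * (1 << (N - 1))) % MOD


def step_240(private_below_threshold, z_value):
    """Share s and z, run combine(), and return the recombined raw h."""
    s = share(1 if private_below_threshold else 0)
    z = share(encode_out(z_value))
    return reveal(combine(s, z))


if __name__ == "__main__":
    print(step_240(True, 0.25) == encode_out(0.25))   # s = 1 keeps z
    print(step_240(False, 0.25))                      # s = 0 forces h = 0
```
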
It is noted that in some embodiments, flow 200 implies m < N-k. In fact, when m = N-k, step 210, step 220 and step 240 need not be executed; the two parties may instead perform secure computation based on the first slice x_L and the second slice x_R to obtain the first slice h_L and the second slice h_R as the result, and the manner of calculation may refer to the description of step 230. Specifically, the computing device 110-1 of the first party may perform step 230 with the first slice x_L as the first modulo result x_L' (the computing device 110-2 of the second party correspondingly takes the second slice x_R as the second modulo result x_R'), obtaining the first output slice z_L as the first slice h_L (the computing device 110-2 of the second party correspondingly obtains the second output slice z_R as the second slice h_R). When m > N-k, the two parties may directly and securely compute the product of the exponential function value of the first slice x_L and the exponential function value of the second slice x_R; the computing device 110-1 of the first party obtains a first slice of the equivalent value of the product in the output quotient group (i.e., the first slice h_L), and the computing device 110-2 of the second party obtains a second slice of the equivalent value of the product in the output quotient group (i.e., the second slice h_R). Taking the exponential function $e^{-x}$ as an example, the first party computes $e^{-x_L'}$ and the second party computes $e^{-x_R'}$. Through secure computation, the first party obtains the first slice of $e^{-x_L'} * e^{-x_R'}$ in the output quotient group (i.e., the first slice h_L) and the second party obtains the second slice of $e^{-x_L'} * e^{-x_R'}$ in the output quotient group (i.e., the second slice h_R); for the manner of calculation, reference may be made to FIG. 6 and its related description.
Of course, when $m \ge N-k$, the same calculation result can also be obtained with the calculation method for m < N-k, and when m > N-k, the same calculation result can also be obtained with the calculation method for m = N-k.
In addition, the computing devices of both parties may each use one N-bit storage unit to hold their slice of the first comparison result, so as to stay consistent with the number of binary bits of the first output slice z_L and the second output slice z_R that take part in the same computation.
FIG. 3 is an exemplary flow diagram illustrating the calculation of a first output slice z_L according to some embodiments of the present description. The process 300 may be performed by the computing device 110-1 of the first party, and the process 300 may include:
Step 310: interact with the computing device 110-2 of the second party according to the secure comparison protocol to obtain a first slice t_L of a second comparison result t, where the second comparison result t is the result of comparing the sum of the first modulo result x_L' and the second modulo result x_R' with the target threshold.
Step 320: interact with the computing device 110-2 of the second party according to the secure computing protocol to obtain, based on the first modulo result x_L' and the second modulo result x_R' stored in the computing device 110-2 of the second party, the first slice y0_L of a first possible value y0 and the first slice y1_L of a second possible value y1 in the output quotient group.
Here, when the private data x is less than the target threshold: the first possible value y0 is the equivalent value of the exponential function value in the output quotient group when the sum of the first modulo result and the second modulo result is less than the target threshold, and the second possible value y1 is the equivalent value of the exponential function value in the output quotient group when the sum of the first modulo result and the second modulo result is not less than the target threshold.
It should be understood that the computing device 110-2 of the second party will obtain the second slice t_R of the second comparison result t, the second slice y0_R of the first possible value y0, and the second slice y1_R of the second possible value y1.
As mentioned above, the interaction in step 230 only needs to guarantee that, if the private data is less than the target threshold, the combined value of the obtained first output slice and second output slice is accurate relative to the actual value of the exponential function value of the private data. When the private data x is less than the target threshold, the relationship between the first modulo result x_L', the second modulo result x_R' and the private data x may be represented as x = (x_L' + x_R') mod M, where M represents the target threshold. Specifically, since the first modulo result x_L' and the second modulo result x_R' are both smaller than the target threshold M, it follows that: when x_L' + x_R' < M, x = x_L' + x_R'; when x_L' + x_R' ≥ M, x = x_L' + x_R' - M. Thus, when the private data x is less than the target threshold M (x < M), it is necessary to further distinguish the two cases x_L' + x_R' < M and x_L' + x_R' ≥ M. The first possible value y0 and the second possible value y1 described in step 320 correspond to these two cases, one each. Taking the exponential function $e^{-x}$ as an example, the first possible value y0 and the second possible value y1 can correspond to $e^{-x_L'} * e^{-x_R'}$ and $\exp(2^m)\, e^{-x_L'} * e^{-x_R'}$, respectively.
For the specific manner of calculating the first slice y0_L of the first possible value y0 and the first slice y1_L of the second possible value y1, refer to FIG. 4 and its related description.
Step 330: interact with the computing device 110-2 of the second party according to the secure computing protocol to obtain the first output slice z_L based on the first slice t_L of the second comparison result t, the first slice y0_L of the first possible value y0 and the first slice y1_L of the second possible value y1, together with the second slice t_R of the second comparison result t, the second slice y0_R of the first possible value y0 and the second slice y1_R of the second possible value y1 stored at the computing device 110-2 of the second party.
It should be appreciated that the computing device 110-2 of the second party will obtain a second output slice z_R. In some embodiments, the second comparison result t and its slices may each occupy one N-bit storage unit; specifically, they may be elements of the quotient group $Z/2^{N}Z$.
In some embodiments, the two parties can securely compute t*y0 + (1-t)*y1 = (t_L + t_R)*(y0_L + y0_R) + (1 - (t_L + t_R))*(y1_L + y1_R) to obtain the first output slice z_L and the second output slice z_R, where t_L denotes the first slice of the second comparison result, t_R denotes the second slice of the second comparison result, y0_L denotes the first slice of the first possible value, y0_R denotes the second slice of the first possible value, y1_L denotes the first slice of the second possible value, y1_R denotes the second slice of the second possible value, "-" denotes the left element + (the negative of the right element), "+" is the sign of group addition, and "*" is the sign of group multiplication. As mentioned above, when the private data x is less than the target threshold M: the first possible value is the equivalent value of the exponential function value in the output quotient group when the sum of the first modulo result and the second modulo result is smaller than the target threshold, and the second possible value is the equivalent value of the exponential function value in the output quotient group when the sum of the first modulo result and the second modulo result is not smaller than the target threshold. Accordingly, one may set: when x_L' + x_R' < M, t = 1; when x_L' + x_R' ≥ M, t = 0. Thus, when the private data x is less than the target threshold M (x < M), whether x_L' + x_R' < M or x_L' + x_R' ≥ M holds, the sum of the first output slice z_L and the second output slice z_R obtained by the two-party secure computation equals the equivalent value h of the exponential function value in the output quotient group.
Similarly to step 240, when computing (t_L + t_R)*(y0_L + y0_R) + (1 - (t_L + t_R))*(y1_L + y1_R), for the product terms that involve private values of both parties, additive slices of the corresponding product are computed using a secure multiplication protocol, one slice for each party. Each party then sums, under group addition, its locally computed product terms and the slices computed through the secure multiplication protocol, obtaining the first output slice z_L and the second output slice z_R respectively.
FIG. 4 is an exemplary flow chart of a method for calculating the first slice y0_L of the first possible value y0 and the first slice y1_L of the second possible value y1 according to some embodiments of the present disclosure. The process 400 may be performed by the computing device 110-1 of the first party, and the process 400 may include:
Step 410: calculate the exponential function value of the first modulo result x_L' to obtain the first value u_L.
It should be appreciated that the computing device 110-2 of the second party may calculate the exponential function value of the second modulo result x_R' to obtain the second value u_R.
In some embodiments, the first value u_L and the second value u_R may be stored in the computing device as floating point numbers.
Step 420: amplify the first value u_L by a preset ratio to obtain a first amplification result v_L in the target quotient group, where the first amplification result v_L satisfies the preset precision.
It should be understood that the computing device 110-2 of the second party will amplify the second value u_R by the preset ratio to obtain a second amplification result v_R, and the second amplification result v_R satisfies the preset precision.
In some embodiments, the preset precision may depend on the number of binary bits used to store the calculation results. For example, let the exponential function be $e^{-x}$ and $m = \mathrm{floor}(\log_2 N + \log_2(\ln 2)) + 1$, where floor denotes rounding down, with target threshold $2^m = 2N\ln 2$. Assuming that the computing device uses N-bit storage units to hold the computation results, the first value and the second value can each be input to the function $\mathrm{floor}(2^{3N-1}x)$ to obtain the first amplification result v_L and the second amplification result v_R in the target quotient group. Taking the amplification of the first value u_L as an example, since u_L = $e^{-x_L'} > \exp(-2^m) \ge 2^{-2N}$, it follows that $2^{3N-1}e^{-x_L'} > 2^{N-1}$; that is, if a sufficient number of N-bit storage units are used to store $2^{3N-1}e^{-x_L'}$, the stored rounded result has at least N significant bits.
Considering that the two parties subsequently compute v_L*v_R securely based on v_L and v_R in the same quotient group (i.e., the target quotient group), the numerical range of the target quotient group can be determined from the effect of the amplification and the multiplication on the values. Taking the exponential function $e^{-x}$ as an example, the maximum values of v_L and v_R obtained after amplification are both $2^{3N-1}$ and the maximum value of v_L*v_R is $2^{6N-2}$, so at least six N-bit storage units may be used to hold v_L and v_R. In some embodiments, v_L and v_R may be saved using six N-bit storage units, and the target quotient group may be $Z/2^{6N}Z$.
Step 430: interact with the computing device 110-2 of the second party according to the secure computing protocol to obtain the first slice w0_L of v_L*v_R in the target quotient group.
v_L*v_R represents the product of the first amplification result v_L and the second amplification result v_R. It should be appreciated that the computing device 110-2 of the second party will obtain a second slice w0_R of v_L*v_R in the target quotient group. In addition, v_L*v_R and its slices w0_L, w0_R correspond to x_L' + x_R' < M.
For the specific manner of calculating the first slice w0_L of v_L*v_R in the target quotient group, refer to FIG. 6 and its associated description.
Step 440: based on the target threshold M and the first slice w0_L of v_L*v_R in the target quotient group, obtain a first value to be processed w1_L in the target quotient group.
It should be appreciated that the computing device 110-2 of the second party will, based on the target threshold M and the second slice w0_R of v_L*v_R in the target quotient group, obtain a second value to be processed w1_R in the target quotient group. In addition, w1_L and w1_R correspond to x_L' + x_R' ≥ M, and if the influence of rounding on the values is neglected, w1_L, w1_R differ from w0_L, w0_R by a factor of the exponential function value of the target threshold M. Taking the exponential function $e^{-x}$ as an example, the first party may calculate $\mathrm{floor}(\exp(2^m)\,w0\_L)$ to obtain the first value to be processed w1_L in the target quotient group $Z/2^{6N}Z$, and the second party may calculate $\mathrm{floor}(\exp(2^m)\,w0\_R)$ to obtain the second value to be processed w1_R in the target quotient group $Z/2^{6N}Z$.
Step 450: truncate the first slice w0_L of v_L*v_R in the target quotient group bit-wise to obtain the first slice y0_L of the first possible value y0 in the output quotient group.
It should be appreciated that the computing device 110-2 of the second party will truncate the second slice w0_R of v_L*v_R in the target quotient group bit-wise to obtain the second slice y0_R of the first possible value y0 in the output quotient group.
Step 460: truncate the first value to be processed w1_L in the target quotient group bit-wise to obtain the first slice y1_L of the second possible value y1 in the output quotient group.
It should be appreciated that the computing device 110-2 of the second party will truncate the second value to be processed w1_R in the target quotient group bit-wise to obtain the second slice y1_R of the second possible value y1 in the output quotient group.
From the foregoing, it can be seen that the first slice w0_L, the first value to be processed w1_L, the second slice w0_R and the second value to be processed w1_R in the target quotient group are obtained by amplifying and multiplying values, and therefore occupy a large number of storage units (the numerical precision is higher than needed). It is thus desirable to store these values in fewer storage units through truncation, while ensuring at truncation time both the accuracy of the result and the required numerical precision.
Taking the exponential function $e^{-x}$ as an example, the target quotient group may be $Z/2^{6N}Z$, in which the first slice w0_L, the first value to be processed w1_L, the second slice w0_R and the second value to be processed w1_R each occupy six N-bit storage units, while the precision requirement can be met by using one N-bit storage unit for each of the first output slice and the second output slice. Based on this, N bits may be retained after bit-wise truncation.
Besides retaining N bits, bit-wise truncation also needs to ensure that the truncated binary bits do not affect the accuracy of the result. Consider that the value range of the $e^{-x}$ to be calculated (the private data x being non-negative) is (0, 1]. A value to be truncated (any of the first slice w0_L, the first value to be processed w1_L, the second slice w0_R and the second value to be processed w1_R) occupies six N-bit storage units and can be regarded as an element of the quotient group $Z/2^{6N}Z$. If the influence of rounding during the calculation is neglected, the value to be truncated is the value $e^{-x}$ to be calculated enlarged by a factor of $2^{6N-2}$. Therefore, for the sum of the truncated values to recover the magnitude of $e^{-x}$, the value to be truncated needs to be reduced by a factor of $2^{6N-2}$. However, since the value is always stored in six N-bit storage units (the binary digit stored in each bit is unchanged), the value to be truncated only needs to be regarded as an element of the quotient group $2^{-(6N-2)}Z/2^{2}Z$. Since the value range of the $e^{-x}$ to be calculated is (0, 1], the most significant bit of the sum of the two parties' values to be truncated is 0, no matter what value the second bit before the decimal point (i.e., the most significant bit) of the value to be truncated stored by either party takes. Therefore, as shown in FIG. 5, taking as an example the fixed-point storage format in which the decimal point lies between the second bit and the third bit (the highest bit being the first bit) of the storage unit (e.g., 6×N bits), the highest bit of the value to be truncated can be truncated, and since N bits are retained after truncation, truncation can also be performed at the low end (specifically, the 5N-1 consecutive bits starting from the lowest bit are truncated), so that only N-1 bits after the decimal point are retained. The truncated value can be regarded as an element of the output quotient group $2^{-(N-1)}Z/2Z$. It should be noted that truncating the low bits may cause the sum of the two values to deviate by $2^{-(N-1)}$; a numerical deviation of magnitude $2^{-(N-1)}$ has a negligible effect on the accuracy of the calculated result.
FIG. 6 is an interaction diagram of a secure multiplication protocol, shown in accordance with some embodiments of the present description. The secure multiplication protocol can convert the product, under group multiplication, of the private values of the two parties into two slices under group addition, with each party holding one slice, and the private value of neither party is leaked during the computation. As shown in FIG. 6, the first party's computing device 110-1 stores a private value a, the second party's computing device stores a private value b, and both parties want to securely compute a*b; the first party's computing device 110-1 obtains a first slice c0 of a*b, and the second party's computing device 110-2 obtains a second slice c1 of a*b. Since the secure multiplication protocol follows group addition and group multiplication, the values involved in FIG. 6 (e.g., a, b, c, e, f, u, v, z) and their slices all belong to the same quotient group. The calculation process is described in detail below.
The random number server 130 generates a first random number u to be sent to the first party's computing device 110-1 and a second random number v to be sent to the second party's computing device 110-2. The random number server 130 calculates uv and splits uv into a first slice z0 to be sent to the first party's computing device 110-1 and a second slice z1 to be sent to the second party's computing device 110-2. u, v, z0 and z1 satisfy uv = z0 + z1. The random number server 130 sends the first random number u and the first slice z0 to the first party's computing device 110-1, and sends the second random number v and the second slice z1 to the second party's computing device 110-2.
The first party's computing device 110-1 calculates a-u (denoted as e) and sends e to the second party's computing device 110-2. The second party's computing device 110-2 calculates b-v (denoted as f) and sends f to the first party's computing device 110-1.
The first party's computing device 110-1 calculates uf + z0 as the first slice c0 of a*b. The second party's computing device 110-2 calculates eb + z1 as the second slice c1 of a*b. It can be verified that c0 + c1 = uf + eb + z0 + z1 = uf + eb + uv = u(b-v) + (a-u)b + uv = ab, i.e., c0 + c1 = ab.
It should be noted that in the above description of the secure multiplication protocol, "-" denotes the left element + (the negative of the right element), "+" is the sign of group addition, and "*" is the sign of group multiplication and may be omitted.
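The message flow of FIG. 6 can be exercised in a few lines. The following Python sketch is an added example, not code from the patent: the function names are assumptions, the quotient group is taken to be the integers mod 2^k, and a single process plays all three roles (random number server and both parties). It also shows two properties a reviewer would check: the messages e and f are uniformly masked, and reusing the same u for two private values exposes their difference.

```python
import secrets


def deal_triple(modulus):
    """Random number server: u for party 1, v for party 2, and z0 + z1 = u*v."""
    u = secrets.randbelow(modulus)
    v = secrets.randbelow(modulus)
    z0 = secrets.randbelow(modulus)
    z1 = (u * v - z0) % modulus
    return (u, z0), (v, z1)


def secure_multiply(a, b, modulus, triple=None):
    """Run the exchange; return (c0, c1, messages) with c0 + c1 = a*b in the group."""
    (u, z0), (v, z1) = triple if triple is not None else deal_triple(modulus)
    e = (a - u) % modulus          # party 1 -> party 2
    f = (b - v) % modulus          # party 2 -> party 1
    c0 = (u * f + z0) % modulus    # computed by party 1 from u, f, z0
    c1 = (e * b + z1) % modulus    # computed by party 2 from e, b, z1
    return c0, c1, {"e": e, "f": f}


def reconstruct(c0, c1, modulus):
    """Group addition of the two slices."""
    return (c0 + c1) % modulus


def masked_messages(a, modulus):
    """All values e = a - u can take as u ranges over the group (sorted)."""
    return sorted((a - u) % modulus for u in range(modulus))


def reuse_leak(a1, a2, modulus):
    """If one u masks two private values, e1 - e2 equals a1 - a2."""
    u = secrets.randbelow(modulus)
    e1 = (a1 - u) % modulus
    e2 = (a2 - u) % modulus
    return (e1 - e2) % modulus


if __name__ == "__main__":
    mod = 2 ** 24
    c0, c1, msgs = secure_multiply(101, 101, mod)
    print(msgs, c0, c1, reconstruct(c0, c1, mod))
```

Because e = a - u is uniformly distributed when u is uniform, each (u, v, z0, z1) tuple from the random number server must be used for one multiplication only.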
To make the embodiments of the present specification easier to understand, a specific example of the secure two-party computation of the exponential function value is provided below.
Suppose that: the exponential function is $e^{-x}$; the number of bits of a storage unit of the computing device is N = 4; the target threshold is $M = 2^m = 4$ ($m = \mathrm{floor}(\log_2 N + \log_2(\ln 2)) + 1 = 2$); the private data x, the first slice x_L and the second slice x_R lie in the input quotient group $Z/2^{4}Z$, with x = $2_{10} = 0010_2$, x_L = $(2^4-1)_{10} = 1111_2$, x_R = $(2^2-1)_{10} = 0011_2$; and the output quotient group is $2^{-3}Z/2Z$.
Based on this, the values calculated by the first party's computing device 110-1 include: the first modulo result x_L' = $(2^2-1)_{10} = 0011_2$, the first value u_L = $e^{-x_L'} = e^{-3}$ (saved as a floating point number), and the first amplified value v_L = $\mathrm{floor}(2^{3N-1}u\_L) = \mathrm{floor}(2^{11}e^{-3}) = 101_{10} = 0000\ 0000\ 0000\ 0000\ 0110\ 0101_2$. The values calculated by the second party's computing device 110-2 include: the second modulo result x_R' = $(2^2-1)_{10} = 0011_2$, the second value u_R = $e^{-x_R'} = e^{-3}$ (saved as a floating point number), and the second amplified value v_R = $\mathrm{floor}(2^{3N-1}u\_R) = \mathrm{floor}(2^{11}e^{-3}) = 101_{10} = 0000\ 0000\ 0000\ 0000\ 0110\ 0101_2$.
Further, the computing devices of the two parties securely compute v_L*v_R with the assistance of the random number server 130. Suppose that the random number server generates a first random number u = $0000\ 0000\ 0000\ 0000\ 0000\ 0001_2$ to be sent to the computing device 110-1 of the first party and a second random number v = $0000\ 0000\ 0000\ 0000\ 0000\ 0001_2$ to be sent to the computing device 110-2 of the second party. The random number server 130 calculates uv and splits uv into a first slice z0 = $0000\ 0000\ 0000\ 0000\ 0000\ 0001_2$ to be sent to the first party's computing device 110-1 and a second slice z1 = $0000\ 0000\ 0000\ 0000\ 0000\ 0000_2$ to be sent to the second party's computing device 110-2.
The first party's computing device 110-1 calculates e = u_L - u = $0000\ 0000\ 0000\ 0000\ 0110\ 0100_2$ and sends e to the second party's computing device 110-2. The second party's computing device 110-2 calculates f = u_R - v = $0000\ 0000\ 0000\ 0000\ 0110\ 0100_2$ and sends f to the first party's computing device 110-1. The first party's computing device 110-1 computes the first slice of v_L*v_R, w0_L = uf + z0 = $0000\ 0000\ 0000\ 0000\ 0110\ 0101_2$, and the second party's computing device 110-2 computes the second slice of v_L*v_R, w0_R = eb + z1 = $0000\ 0000\ 0010\ 0111\ 0111\ 0100_2$. The computing device 110-1 of the first party calculates the first value to be processed w1_L = $\mathrm{floor}(e^{4}\,w0\_L) = 0000\ 0000\ 0001\ 0101\ 1000\ 1010_2$, and the second party's computing device 110-2 calculates the second value to be processed w1_R = $\mathrm{floor}(e^{4}\,w0\_R) = 0000\ 1000\ 0110\ 1010\ 0001\ 0001_2$. The computing device 110-1 of the first party truncates w1_L bit-wise to obtain the first slice of the second possible value, y1_L = $0.000_2$, and the second party's computing device 110-2 truncates w1_R bit-wise to obtain the second slice of the second possible value, y1_R = $0.001_2$.
Since x < M and x_L' + x_R' ≥ M, the sum of the first slice h_L of the equivalent value of the exponential function value calculated by the first party's computing device 110-1 and the second slice h_R of the equivalent value of the exponential function value calculated by the second party's computing device 110-2 is h = h_L + h_R = y1_L + y1_R = $0.001_2$.
It follows that the error of $0.001_2$ relative to the true exponential function value $e^{-2}$ is about $0.0103_{10}$; the error is less than $2^{-4}$, which satisfies the precision corresponding to the output quotient group $2^{-3}Z/2Z$.
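The arithmetic of the worked example (amplification, scaling by exp(2^m), bit-wise truncation and the choice between the two possible values) can be checked with the following Python sketch. It is an added example, not code from the patent: the function names are assumptions, the slices w0_L and w0_R are taken as the constants the worked example states, and the comparison result t and the final selection are evaluated in the clear here, whereas the described flow computes them on slices.

```python
import math

N = 4                                                        # bits per storage unit
m = math.floor(math.log2(N) + math.log2(math.log(2))) + 1    # = 2
M = 2 ** m                                                   # target threshold = 4
TARGET_MOD = 2 ** (6 * N)                                    # target quotient group Z/2^(6N)Z
OUT_MOD = 2 ** N                                             # N retained bits per output slice


def amplify(x_mod):
    """Step 420: floor(2^(3N-1) * e^(-x')) for a modulo result x'."""
    return math.floor(2 ** (3 * N - 1) * math.exp(-x_mod))


def scale_slice(w0_slice):
    """Step 440: floor(exp(2^m) * w0) for one slice, in the target quotient group."""
    return math.floor(math.exp(M) * w0_slice) % TARGET_MOD


def truncate(w):
    """Steps 450/460: drop the top bit and the low 5N-1 bits, keep N bits."""
    return (w >> (5 * N - 1)) & (OUT_MOD - 1)


def to_real(y):
    """Read N retained bits as an element of 2^-(N-1) Z / 2Z."""
    return y / 2 ** (N - 1)


def run_example():
    x_L, x_R = 0b1111, 0b0011                 # input slices from the worked example
    x = (x_L + x_R) % 2 ** N                  # private data, = 2
    x_Lm, x_Rm = x_L % M, x_R % M             # modulo results x_L', x_R'
    v_L, v_R = amplify(x_Lm), amplify(x_Rm)
    w0_L, w0_R = 101, 10100                   # slices of v_L*v_R stated in the example
    assert (w0_L + w0_R) % TARGET_MOD == (v_L * v_R) % TARGET_MOD
    w1_L, w1_R = scale_slice(w0_L), scale_slice(w0_R)
    y0 = (truncate(w0_L) + truncate(w0_R)) % OUT_MOD
    y1 = (truncate(w1_L) + truncate(w1_R)) % OUT_MOD
    t = 1 if x_Lm + x_Rm < M else 0           # second comparison result, in the clear
    h = (t * y0 + (1 - t) * y1) % OUT_MOD
    return {
        "x": x, "v_L": v_L, "v_R": v_R, "w1_L": w1_L, "w1_R": w1_R,
        "y1_L": truncate(w1_L), "y1_R": truncate(w1_R),
        "t": t, "h": to_real(h), "error": abs(to_real(h) - math.exp(-x)),
    }


if __name__ == "__main__":
    for name, value in run_example().items():
        print(name, value)
```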
It should be noted that the above description of the flow is for illustration and description only and does not limit the scope of the application of the present specification. Various modifications and alterations to one or more of the processes may be made by those skilled in the art in light of the present disclosure. However, such modifications and variations are intended to be within the scope of the present description.
FIG. 7 is an exemplary block diagram of a collaborative computing system that protects the data privacy of two parties, according to some embodiments of the present description. The system 700 may be implemented on the computing device 110-1 of the first party. As shown in FIG. 7, the system 700 may include a first secure comparison module 710, a first modulo module 720, a first output slice computation module 730, and a first equivalence computation module 740.
In some embodiments, the first secure comparison module 710 may be configured to interact with the computing device 110-2 of the second party according to a secure comparison protocol to obtain a first slice s_L of the first comparison result s of the private data against the target threshold.
In some embodiments, the first modulo module 720 may be configured to take the first slice x_L modulo the target threshold to obtain a first modulo result x_L'.
In some embodiments, the first output slice computation module 730 may be configured to interact with the second party's computing device 110-2 according to a secure computing protocol to obtain the first output slice z_L based on the first modulo result x_L' and a second modulo result x_R' stored at the second party's computing device 110-2.
In some embodiments, the first equivalence computation module 740 may be configured to interact with the second party's computing device 110-2 according to a secure computing protocol to obtain a first slice h_L of the equivalent value h of the exponential function value based on the first slice s_L of the first comparison result s and the first output slice z_L, together with the second slice s_R of the first comparison result s and the second output slice z_R stored at the second party's computing device 110-2.
It should be appreciated that the collaborative computing system for protecting the data privacy of two parties, and its modules, implemented on the second party's computing device 110-2 have the same or similar functionality as the system 700 and its modules. In particular, the system implemented on the second party's computing device 110-2 may include a second secure comparison module, a second modulo module, a second output slice computation module, and a second equivalence computation module.
In some embodiments, the second secure comparison module may be configured to interact with the computing device 110-1 of the first party according to a secure comparison protocol to obtain a second slice s_R of the first comparison result s of the private data against the target threshold.
In some embodiments, the second modulo module may be configured to take the second slice x_R modulo the target threshold to obtain a second modulo result x_R'.
In some embodiments, the second output slice computation module may be configured to interact with the first party's computing device 110-1 according to a secure computing protocol to obtain a second output slice z_R based on the second modulo result x_R' and the first modulo result x_L' stored at the first party's computing device 110-1.
In some embodiments, the second equivalence computation module may be configured to interact with the computing device 110-1 of the first party according to a secure computing protocol to obtain a second slice h_R of the equivalent value h of the exponential function value based on the second slice s_R of the first comparison result s and the second output slice z_R, together with the first slice s_L of the first comparison result s and the first output slice z_L stored at the computing device 110-1 of the first party.
Further details regarding the systems and their modules implemented on the two parties' computing devices may be found in FIG. 2 and its associated description, and are not repeated herein.
It should be understood that the system and its modules disclosed in this specification may be implemented in a variety of ways. For example, in some embodiments, the system and its modules may be implemented in hardware, software, or a combination of software and hardware. Wherein the hardware portion may be implemented using dedicated logic; the software portions may be stored in a memory for execution by a suitable instruction execution system, such as a microprocessor or specially designed hardware. Those skilled in the art will appreciate that the methods and systems described above may be implemented using computer executable instructions and/or embodied in processor control code, such code being provided, for example, on a carrier medium such as a diskette, CD-or DVD-ROM, a programmable memory such as read-only memory (firmware), or a data carrier such as an optical or electronic signal carrier. The system and its modules in this specification may be implemented not only by hardware circuits such as very large scale integrated circuits or gate arrays, semiconductors such as logic chips, transistors, or programmable hardware devices such as field programmable gate arrays, programmable logic devices, etc., but also by software executed by various types of processors, for example, or by a combination of the above hardware circuits and software (e.g., firmware).
It should be noted that the above description of the system and its modules is for convenience only and should not limit the present disclosure to the illustrated embodiments. It will be appreciated by those skilled in the art that, given the teachings of the system, any combination of modules or sub-system configurations may be used to connect to other modules without departing from such teachings. For example, in some embodiments, the security comparison module and the modulus extraction module may be two modules or may be combined into one module. Such variations are within the scope of the present disclosure.
The beneficial effects that may be brought by the embodiments of the present description include, but are not limited to: (1) in the calculation process, the final calculation result and part of the intermediate calculation results are stored in the calculation devices of the two sides in a fragmentation mode, so that privacy disclosure can be effectively avoided; (2) by designing the processes of value taking, amplification, truncation and the like of the comparison result, the calculation result can be ensured to meet certain precision under various value taking conditions of the private data and the fragments thereof. It is to be noted that different embodiments may produce different advantages, and in different embodiments, any one or combination of the above advantages may be produced, or any other advantages may be obtained.
Having thus described the basic concept, it will be apparent to those skilled in the art that the foregoing detailed disclosure is to be considered merely illustrative and not restrictive of the embodiments herein. Various modifications, improvements and adaptations to the embodiments described herein may occur to those skilled in the art, although not explicitly described herein. Such modifications, improvements and adaptations are proposed in the embodiments of the present specification and thus fall within the spirit and scope of the exemplary embodiments of the present specification.
Also, the description uses specific words to describe embodiments of the description. Reference throughout this specification to "one embodiment," "an embodiment," and/or "some embodiments" means that a particular feature, structure, or characteristic described in connection with at least one embodiment of the specification is included. Therefore, it is emphasized and should be appreciated that two or more references to "an embodiment" or "one embodiment" or "an alternative embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, some features, structures, or characteristics of one or more embodiments of the specification may be combined as appropriate.
Moreover, those skilled in the art will appreciate that aspects of the embodiments of the present description may be illustrated and described in terms of several patentable species or situations, including any new and useful combination of processes, machines, manufacture, or materials, or any new and useful improvement thereof. Accordingly, aspects of embodiments of the present description may be carried out entirely by hardware, entirely by software (including firmware, resident software, micro-code, etc.), or by a combination of hardware and software. The above hardware or software may be referred to as "data block," module, "" engine, "" unit, "" component, "or" system. Furthermore, aspects of the embodiments of the present specification may be represented as a computer product, including computer readable program code, embodied in one or more computer readable media.
The computer storage medium may comprise a propagated data signal with the computer program code embodied therewith, for example, on baseband or as part of a carrier wave. The propagated signal may take any of a variety of forms, including electromagnetic, optical, etc., or any suitable combination. A computer storage medium may be any computer-readable medium that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code located on a computer storage medium may be propagated over any suitable medium, including radio, cable, fiber optic cable, RF, or the like, or any combination of the preceding.
Computer program code required for the operation of various portions of the embodiments of the present description may be written in any one or more programming languages, including an object-oriented programming language such as Java, Scala, Smalltalk, Eiffel, JADE, Emerald, C++, C#, VB.NET, Python, and the like, a conventional programming language such as C, Visual Basic, Fortran 2003, Perl, COBOL 2002, PHP, ABAP, a dynamic programming language such as Python, Ruby, and Groovy, or other programming languages. The program code may execute entirely on the user's computer, as a stand-alone software package on the user's computer, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or processing device. In the latter scenario, the remote computer may be connected to the user's computer through any form of network, such as a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet), or in a cloud computing environment, or offered as a service, such as software as a service (SaaS).
In addition, unless explicitly stated in the claims, the order of processing elements and sequences, use of numbers and letters, or use of other names in the embodiments of the present specification are not intended to limit the order of the processes and methods in the embodiments of the present specification. While various presently contemplated embodiments of the invention have been discussed in the foregoing disclosure by way of example, it is to be understood that such detail is solely for that purpose and that the appended claims are not limited to the disclosed embodiments, but, on the contrary, are intended to cover all modifications and equivalent arrangements that are within the spirit and scope of the embodiments herein. For example, although the system components described above may be implemented by hardware devices, they may also be implemented by software-only solutions, such as installing the described system on an existing processing device or mobile device.
Similarly, it should be noted that in the preceding description of embodiments of the specification, various features are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more embodiments of the invention. This method of disclosure, however, is not intended to imply that more features are required than are expressly recited in the claims. Indeed, the embodiments may be characterized as having fewer than all of the features of a single embodiment disclosed above.
For each patent, patent application publication, and other material, such as articles, books, specifications, publications, documents, etc., cited in this specification, the entire contents of each are hereby incorporated by reference into this specification, except where that material is inconsistent with or conflicts with the present disclosure, or would limit the broadest scope of the claims (whether currently present in or later appended to this specification). It is to be understood that the descriptions, definitions and/or uses of terms in this specification shall control if the descriptions, definitions and/or uses of terms in the accompanying materials are inconsistent with or contrary to them.
Finally, it should be understood that the embodiments described herein are merely illustrative of the principles of the embodiments of the present disclosure. Other variations are possible within the scope of the embodiments of the present description. Thus, by way of example, and not limitation, alternative configurations of the embodiments of the specification can be considered consistent with the teachings of the specification. Accordingly, the embodiments of the present description are not limited to only those embodiments explicitly described and depicted herein.

Claims (11)

1. A collaborative computing method for protecting the data privacy of two parties, wherein the exponent of the exponential function value computed collaboratively by the two parties is negatively correlated with private data, the private data comprises a first fragment and a second fragment in an input quotient group, the first fragment of the private data is stored in the computing device of the first party, and the second fragment of the private data is stored in the computing device of the second party; the method is performed by the computing device of the first party and comprises:
interacting with a computing device of a second party according to a secure comparison protocol to obtain a first slice of a first comparison result of the private data against a target threshold;
performing modulo on the first fragment of the private data relative to a target threshold to obtain a first modulo result;
interacting with the computing device of the second party according to the secure computing protocol to obtain a first output fragment based on the first modulo result and a second modulo result stored in the computing device of the second party;
interacting with the computing device of the second party according to the secure computing protocol to obtain a first fragment of an equivalent value of the exponential function value in an output quotient group, based on the first fragment of the first comparison result and the first output fragment, and on a second fragment of the first comparison result and a second output fragment stored in the computing device of the second party; wherein, when the private data is not less than the target threshold, the first comparison result causes the equivalent value to be 0.
2. The method of claim 1, wherein the interacting with the computing device of the second party according to the secure computing protocol to obtain the first output slice based on the first modulo result and a second modulo result stored at the computing device of the second party comprises:
interacting with the computing device of the second party according to the secure comparison protocol to obtain a first fragment of a second comparison result, wherein the second comparison result is the result of comparing the sum of the first modulo result and the second modulo result against the target threshold;
interacting with the computing device of the second party according to the secure computing protocol to obtain a first slice of the first possible value and a first slice of the second possible value based on the first modulo result and a second modulo result stored in the computing device of the second party, wherein when the private data is less than the target threshold: the first possible value is an equivalent value of the exponential function value in the output quotient group when the sum value of the first modulus result and the second modulus result is smaller than the target threshold value, and the second possible value is an equivalent value of the exponential function value in the output quotient group when the sum value of the first modulus result and the second modulus result is not smaller than the target threshold value;
interacting with the computing device of the second party according to the secure computing protocol to obtain a first output slice based on the first slice of the second comparison result, the first slice of the first possible value, the first slice of the second possible value, and the second slice of the second comparison result, the second slice of the first possible value, the second slice of the second possible value, stored at the computing device of the second party.
3. The method of claim 2, wherein the interacting with the computing device of the second party according to the secure computing protocol to obtain the first slice of the first possible value and the first slice of the second possible value based on the first modulo result and a second modulo result stored in the computing device of the second party comprises:
calculating an exponential function value of the first modulus result to obtain a first numerical value;
amplifying the first numerical value by a preset ratio to obtain a first amplification result in a target quotient group, wherein the first amplification result satisfies a preset precision;
interacting with the computing device of the second party according to the secure computing protocol to obtain a first fragment of a target product in the target quotient group, the target product being the product of the first amplification result and a second amplification result stored in the computing device of the second party;
obtaining a first value to be processed in a target quotient group based on a first segment of a target threshold and a target product;
truncating the first fragment of the target product according to bits to obtain a first fragment of the first possible value;
and truncating the first value to be processed according to bits to obtain a first fragment of a second possible value in the output quotient group.
4. The method of claim 3, wherein the exponential function value is e^(-x), x is the private data, and the target threshold is 2^m, where m = floor(log2(N) + log2(ln 2)) + 1 and N is the number of bits of the memory location in the computing device.
5. The method of claim 4, wherein the preset ratio is 2^(3N-1).
6. The method of claim 5, wherein the target quotient group is Z/2^(6N)Z, wherein Z represents the set of integers.
7. The method of claim 6, wherein the output quotient group is 2^(-N+1)Z/2Z;
the bitwise truncation includes: truncating the most significant bit and truncating the consecutive 5N-1 bits starting from the least significant bit.
8. The method of claim 2, wherein the interacting with the computing device of the second party according to the secure computing protocol to obtain the first output slice based on the first slice of the second comparison result, the first slice of the first possible value, the first slice of the second possible value, and the second slice of the second comparison result, the second slice of the first possible value, the second slice of the second possible value stored at the computing device of the second party comprises:
interacting with the computing device of the second party according to the secure computing protocol to obtain a first slice of (t_L + t_R) * (y0_L + y0_R) + (1 - (t_L + t_R)) * (y1_L + y1_R) as the first output slice, wherein t_L denotes the first slice of the second comparison result, t_R denotes the second slice of the second comparison result, y0_L denotes the first slice of the first possible value, y0_R denotes the second slice of the first possible value, y1_L denotes the first slice of the second possible value, y1_R denotes the second slice of the second possible value, - denotes the left element + (the negative of the right element), + denotes group addition, and * denotes group multiplication;
when the sum of the first and second modulo results is less than the target threshold, t_L + t_R = 1; when the sum of the first and second modulo results is not less than the target threshold, t_L + t_R = 0.
9. The method of claim 1, wherein interacting with the computing device of the second party according to the secure computing protocol to obtain a first slice of an equivalent value of the exponent function value in the output quotient group based on the first slice of the first comparison result, the first output slice, and the second slice of the first comparison result, the second output slice, stored at the computing device of the second party, comprises:
interacting with the computing device of the second party according to the secure computing protocol to obtain a first slice of (z_L + z_R) * (s_L + s_R) as the first slice of the equivalent value, wherein z_L denotes the first output slice, z_R denotes the second output slice, s_L denotes the first slice of the first comparison result, s_R denotes the second slice of the first comparison result, + denotes group addition, and * denotes group multiplication;
when the private data is less than the target threshold, s_L + s_R = 1; when the private data is not less than the target threshold, s_L + s_R = 0.
10. A collaborative computing system for protecting the data privacy of two parties, wherein the exponent of the exponential function value computed collaboratively by the two parties is negatively correlated with private data, the private data comprises a first fragment and a second fragment in an input quotient group, the first fragment of the private data is stored in the computing device of the first party, and the second fragment of the private data is stored in the computing device of the second party; the system is implemented on the computing device of the first party and comprises:
a first secure comparison module, used for interacting with the computing device of the second party according to a secure comparison protocol to obtain a first fragment of a first comparison result of the private data against a target threshold;
the first modulus taking module is used for taking the modulus of the first fragment of the private data relative to the target threshold value to obtain a first modulus taking result;
the first output fragment computing module is used for interacting with the computing equipment of the second party according to the secure computing protocol to obtain a first output fragment based on the first modulus result and a second modulus result stored in the computing equipment of the second party;
the first equivalent calculation module is used for interacting with the computing device of the second party according to the secure computing protocol to obtain a first fragment of an equivalent value of the exponential function value in an output quotient group, based on the first fragment of the first comparison result and the first output fragment, and on a second fragment of the first comparison result and a second output fragment stored in the computing device of the second party; wherein, when the private data is not less than the target threshold, the first comparison result causes the equivalent value to be 0.
11. A collaborative computing apparatus for protecting the data privacy of two parties, comprising a processor and a storage device for storing instructions that, when executed by the processor, implement the method of any of claims 1-9.
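
The share-level selection recited in claims 8 and 9, as an added example that is not part of the patent text: both parties hold additive shares and compute t*y0 + (1-t)*y1 and then z*s without opening t, s or either possible value. The ring Z/2^64 Z, the simulated Beaver-triple dealer standing in for the unspecified "secure computing protocol", the directly shared comparison bits, and all function names are assumptions.

```python
import secrets

K = 64            # assumed share ring Z/2^K Z (illustrative, not the patent's N)
MOD = 1 << K

def share(v):
    """Split v into (left, right) with left + right = v mod 2^K."""
    left = secrets.randbelow(MOD)
    return left, (v - left) % MOD

def reveal(sh):
    """Recombine both shares; done here only to check the result."""
    return (sh[0] + sh[1]) % MOD

def add(x, y):
    """Group addition: each party adds its own shares locally."""
    return (x[0] + y[0]) % MOD, (x[1] + y[1]) % MOD

def one_minus(t):
    """Shares of 1 - t: the left party adds the public 1, the right only negates."""
    return (1 - t[0]) % MOD, (-t[1]) % MOD

def sec_mul(x, y):
    """Beaver-triple multiplication (assumed stand-in for the secure protocol).

    A simulated dealer hands out shares of random a, b and c = a*b. The parties
    open only d = x - a and e = y - b, which are uniformly random and leak
    nothing about x or y.
    """
    a_val, b_val = secrets.randbelow(MOD), secrets.randbelow(MOD)
    a, b, c = share(a_val), share(b_val), share(a_val * b_val % MOD)
    d = (x[0] - a[0] + x[1] - a[1]) % MOD
    e = (y[0] - b[0] + y[1] - b[1]) % MOD
    z_left = (c[0] + d * b[0] + e * a[0] + d * e) % MOD   # public d*e added once
    z_right = (c[1] + d * b[1] + e * a[1]) % MOD
    return z_left, z_right

def select(t, y0, y1):
    """Claim 8: z = t*y0 + (1-t)*y1, where t is a shared 0/1 comparison bit."""
    return add(sec_mul(t, y0), sec_mul(one_minus(t), y1))

def masked_output(s, t, y0, y1):
    """Claim 9: z*s, so the result is 0 whenever the shared bit s is 0."""
    return sec_mul(select(t, y0, y1), s)

if __name__ == "__main__":
    Y0, Y1 = 40321, 917      # constructed stand-ins for the two possible values
    for s_bit in (1, 0):
        for t_bit in (1, 0):
            out = masked_output(share(s_bit), share(t_bit), share(Y0), share(Y1))
            print(f"s={s_bit} t={t_bit} -> {reveal(out)}")
```

In a deployment the two halves of each tuple live on different machines and only d and e cross the wire; the simulation keeps them in one process so the recombined output can be checked.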
CN202010276651.9A 2020-04-10 2020-04-10 Collaborative computing method, system and device for protecting data privacy of two parties Active CN111177790B (en)

Publications (2)

Publication Number Publication Date
CN111177790A (en) 2020-05-19
CN111177790B CN111177790B (en) 2020-07-10

Family

ID=70647265


Country Status (1)

Country Link
CN (1) CN111177790B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111475854A (en) * 2020-06-24 2020-07-31 支付宝(杭州)信息技术有限公司 Collaborative computing method and system for protecting data privacy of two parties
CN111539026A (en) * 2020-06-19 2020-08-14 支付宝(杭州)信息技术有限公司 Method and device for performing secure operation on private data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40029338; Country of ref document: HK)