CN113051590A - Data processing method and related equipment - Google Patents
Data processing method and related equipment Download PDFInfo
- Publication number
- CN113051590A CN113051590A CN202110296986.1A CN202110296986A CN113051590A CN 113051590 A CN113051590 A CN 113051590A CN 202110296986 A CN202110296986 A CN 202110296986A CN 113051590 A CN113051590 A CN 113051590A
- Authority
- CN
- China
- Prior art keywords
- client device
- ciphertext
- secret
- server
- client
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000003672 processing method Methods 0.000 title claims abstract description 20
- 238000000034 method Methods 0.000 claims abstract description 86
- 239000013598 vector Substances 0.000 claims abstract description 36
- 238000004422 calculation algorithm Methods 0.000 claims description 88
- 230000006870 function Effects 0.000 claims description 64
- 238000012545 processing Methods 0.000 claims description 48
- 238000004220 aggregation Methods 0.000 claims description 41
- 230000002776 aggregation Effects 0.000 claims description 40
- 230000015654 memory Effects 0.000 claims description 35
- 230000004931 aggregating effect Effects 0.000 claims description 30
- 230000006854 communication Effects 0.000 claims description 19
- 238000004891 communication Methods 0.000 claims description 18
- 238000004364 calculation method Methods 0.000 claims description 16
- 238000004590 computer program Methods 0.000 claims description 11
- 229920000642 polymer Polymers 0.000 claims description 5
- 230000008569 process Effects 0.000 abstract description 13
- 230000000379 polymerizing effect Effects 0.000 abstract description 4
- 238000013473 artificial intelligence Methods 0.000 abstract description 2
- RTZKZFJDLAIYFH-UHFFFAOYSA-N Diethyl ether Chemical compound CCOCC RTZKZFJDLAIYFH-UHFFFAOYSA-N 0.000 description 90
- 230000004044 response Effects 0.000 description 50
- 238000009826 distribution Methods 0.000 description 18
- 230000000694 effects Effects 0.000 description 7
- 230000007246 mechanism Effects 0.000 description 7
- 238000009827 uniform distribution Methods 0.000 description 7
- 230000006399 behavior Effects 0.000 description 6
- 238000011022 operating instruction Methods 0.000 description 6
- 239000000126 substance Substances 0.000 description 6
- 238000012795 verification Methods 0.000 description 6
- 238000010586 diagram Methods 0.000 description 5
- 238000006116 polymerization reaction Methods 0.000 description 4
- 230000009286 beneficial effect Effects 0.000 description 3
- 230000005540 biological transmission Effects 0.000 description 2
- 230000015572 biosynthetic process Effects 0.000 description 2
- 238000013461 design Methods 0.000 description 2
- 238000007689 inspection Methods 0.000 description 2
- 230000003993 interaction Effects 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 230000008520 organization Effects 0.000 description 2
- 230000003068 static effect Effects 0.000 description 2
- 238000003786 synthesis reaction Methods 0.000 description 2
- 102100029469 WD repeat and HMG-box DNA-binding protein 1 Human genes 0.000 description 1
- 101710097421 WD repeat and HMG-box DNA-binding protein 1 Proteins 0.000 description 1
- 230000009471 action Effects 0.000 description 1
- 230000008901 benefit Effects 0.000 description 1
- 230000001413 cellular effect Effects 0.000 description 1
- CLOMYZFHNHFSIQ-UHFFFAOYSA-N clonixin Chemical compound CC1=C(Cl)C=CC=C1NC1=NC=CC=C1C(O)=O CLOMYZFHNHFSIQ-UHFFFAOYSA-N 0.000 description 1
- 238000007418 data mining Methods 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 238000009795 derivation Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 239000000284 extract Substances 0.000 description 1
- 239000004744 fabric Substances 0.000 description 1
- 239000000835 fiber Substances 0.000 description 1
- 239000011521 glass Substances 0.000 description 1
- 230000036541 health Effects 0.000 description 1
- 230000000977 initiatory effect Effects 0.000 description 1
- 230000007774 longterm Effects 0.000 description 1
- 239000011159 matrix material Substances 0.000 description 1
- 239000000203 mixture Substances 0.000 description 1
- 230000002085 persistent effect Effects 0.000 description 1
- 238000011084 recovery Methods 0.000 description 1
- 230000002441 reversible effect Effects 0.000 description 1
- 239000004576 sand Substances 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 101150049349 setA gene Proteins 0.000 description 1
- 230000011664 signaling Effects 0.000 description 1
- 239000007787 solid Substances 0.000 description 1
- 238000012549 training Methods 0.000 description 1
- 230000001052 transient effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
Abstract
The application provides a data processing method and related equipment, which are used for protecting privacy information of client equipment in the process of federal learning and relate to the field of artificial intelligence. In the method of the present application, a first client device first obtains N2A secret share and a first part
And polymerizing said N2A secret share to obtain a secret sharing vector of the first client device, the first portion decrypted using the secret sharing vector
To obtain a partially decrypted ciphertext
Finally sending the partial decryptionCipher text
The server decrypts the ciphertext according to the received plurality of parts
Decryption is performed to obtain a weighted average of multiple plaintext data without being able to decrypt ciphertext from portions sent by a single client device
The plaintext data is recovered, thereby protecting the privacy of the client device.
Description
Technical Field
The present application relates to the field of artificial intelligence, and in particular, to a data processing method and related device.
Background
A distributed learning system includes a server and a plurality of different client devices (also referred to as data owners). The client device completes model learning locally, and then uploads model parameters obtained after learning to the server, so that the server further processes the model parameters to obtain a better learning model. The client device may be a device dedicated to distributed learning, or may be a common user device. Such a distributed learning system is also called a federated learning (federated learning) system if the client device is a normal user device.
In the federal learning system, the server is also called a parameter server, and since the model parameters uploaded by the client device include privacy information, privacy protection is required. Currently, enterprises propose arithmetic mean random gradient descent algorithms to protect privacy information of client devices. In the arithmetic mean random gradient descent algorithm, the client device only needs to submit the gradient information of the model to the server, and the server calculates the mean value of the gradient information to update the global model. After multiple iterations, the server may obtain a trained global model. Then, the model parameters of the client device may be kept local, which is beneficial for privacy protection of the model parameters.
However, the gradient information still contains sensitive information of the client device, and an attacker can reversely attack through a model, attack through a feature vector or reversely deduce original data of model parameters from the gradient information, which is not beneficial to protecting the privacy of the federal learning system.
Disclosure of Invention
The embodiment of the application provides a data processing method and related equipment, which are used for better protecting privacy information of client equipment in the process of federal learning.
In a first aspect, an embodiment of the present application provides a data processing method, including: the first client device obtains and aggregates the data from N2N of client devices2A secret share to obtain a secret sharing vector for the first client device, the secret sharing vector including the aggregated private key secret sskuAnd aggregating random noise secrets
Aggregate private key secret sskuFrom N2The secret shares are obtained by aggregating the secret keys of each secret share, and random noise secrets are aggregated
From N2The random noise secrets of each of the secret shares are aggregated.
Wherein N is2Each client device comprises N3Individual client device, N3Is an integer of 2 or more, N3Each client device comprises a second client device, which may be the N3Any one of the client devices. Taking the second client device as an example, the first public key of the second client device is generated by the second client device according to the first private key of the second client device. Second client device obtains and aggregates N2A first public key of each client device to obtain an encrypted public key, and encrypting plaintext data of a second client device by using the encrypted public key to obtain a ciphertext c of the second client deviceuWherein the ciphertext cuIncluding a first partial ciphertext cu0And a second partial ciphertext cu1The second client device then sends the ciphertext c to the serveru. Namely N3Each client device of each client device sends ciphertext c to the serveruTo make the server acquire N3A ciphertext cu。
Then, the server aggregates N3A ciphertext cuTo obtain an aggregate ciphertext
Wherein the ciphertext is aggregated
Comprises a first part
And a second part
The first part
From N3A ciphertext cuThe first partial ciphertext c of (1)u0Is polymerized to obtain a second part
From N3A ciphertext cuThe second partial cipher text c in (1)u1And polymerizing to obtain the polymer. Server to N3Each client device in the client devices respectively sends the aggregation ciphertext
The first part of
If the first client device belongs to N3One of the client devices, when the first client device acquires the first part
The first client device uses the aggregated private key secret sskuAnd aggregating random noise secrets
Decrypting a first part
To obtain a partially decrypted ciphertext
The first client device sends a partially decrypted ciphertext to the server
Due to aggregated random noise secret
Participates in partial decryption to obtain partial decrypted ciphertext
Corresponding to the perturbation of the partially decrypted data, so that the server cannot decrypt the partially decrypted ciphertext transmitted from a single client device
The plaintext data is restored, and the ciphertext can be decrypted only in the part which is converged and sent by the plurality of client devices
On the basis of the data recovery method, the sum average of the plaintext data of each client device is recovered, so that the privacy information of the single client device is protected.
In addition, when the server acquires N4Partial decryption of ciphertext
When N is present4Partial decryption of ciphertext
From N4Individual client device, N3Each client device comprises N4A client device, a server according to the aggregated ciphertext
In (1)The second part
And N4Partial decryption of ciphertext
T partial decrypted ciphertext
Decrypting, wherein t is a preset threshold value and is less than or equal to N4To obtain the final decrypted ciphertext m, so that the server can obtain N3And the weighted average value of the plaintext data uploaded by each client device can be used for subsequent data processing.
Moreover, since the server only needs to decrypt the ciphertext with t portions
Carry out final decryption to obtain N3Weighted average of plaintext data uploaded by the client devices, if the client devices are disconnected in the communication process, the server can receive at least t partial decrypted ciphertexts
The decryption can be normally carried out, and the tolerance to the disconnection rate is higher.
In a second aspect, an embodiment of the present application provides a data processing method, where a first client device obtains N2A secret share of N2Secret shares from N2A client device, N2Each client device comprises a second client device, which may be the N2Any one of the client devices, the secret shares from the second client device including a private key secret and a random noise secret, the private key secret being one of a plurality of private key secrets of a first private key of the second client device, N2Is an integer of 2 or more. The first client device obtainsGet the aggregate ciphertext
First part of
The aggregate ciphertext
From N respectively3The ciphertext of each client device is aggregated to obtain N2Each client device comprises the N3A client device, N3Each client device comprises the second client device, and the ciphertext from the second client device is obtained by encrypting the plaintext data of the second client device by using an encryption public key, wherein the encryption public key is obtained by the N2The first public key of each client device is obtained through aggregation. Then, the first client device aggregates the N2A secret share to obtain a secret sharing vector for the first client device, the secret sharing vector for the first client device including an aggregated private key secret sskuAnd aggregating random noise secrets
The aggregate private key secret sskuFrom said N2The secret shares are obtained by secret aggregation of the private keys of each secret share, and the random noise secret is aggregated
From said N2The random noise secrets of each of the secret shares are aggregated. The first client device uses the aggregated private key secret sskuAnd said aggregated random noise secret
Decrypting the first portion
To obtain a partially decrypted ciphertext
And sends the partially decrypted ciphertext to a server
For the technical effects brought by the technical solution of the second aspect, please refer to the description in the first aspect, which is not described herein again.
In some possible implementations, the first client device may generate a random vector
And random noise
Wherein the content of the first and second substances,
generated by uniform distribution, random noise
Is generated by a chi-square distribution. The first client device then calculates
To obtain cu=(cu0,cu1) Wherein, in the step (A),
h is a preset parameter, representing the modulus of the polynomial coefficient, thereby generating a ciphertext cu. By
It can be known that the encryption algorithm is homomorphic addition for modulo addition operationCipher algorithm, so that the cipher text cuCan participate in subsequent operations.
In some of the possible implementations of the present invention,
wherein h is a preset parameter and represents the modulus of the polynomial coefficient of the ciphertext. Due to the fact that
Is a homomorphic algorithm for modulo addition operation, so that the server receives
Then, a decryption algorithm based on a homomorphic encryption system can be realized by executing the modulo addition operation.
In some possible implementations, the first public key of the second client device is generated by the second client device according to the first private key of the second client device, and then the ciphertext encrypted by the first public key may be decrypted using the first private key.
In some of the possible implementations of the present invention,
wherein pku0Is the first public key, sku0Is a first private key that is a second private key,
and h are both preset parameters,
is a random noise. Due to the fact that
Is homomorphic for modulo addition, then for using N2The ciphertext obtained by encrypting the encrypted public key obtained by aggregating the first public keys of the client devices can be obtained by using N2The first private key respectively decrypts the ciphertext, and then performs modular addition operation, or can perform modular addition operationTo N2And performing modulo addition operation on the first private key to obtain a value, and decrypting the ciphertext by using the obtained value.
In some possible implementations, the first client device obtains information from N1A first public key of each of the client devices to obtain N1A first public key, said N1Each client device comprises the N2A client device. The first client device then aggregates the N1From the N of the first public keys2And the first public key of each client device is used for obtaining the encrypted public key, and the encrypted public key is used for encrypting the plaintext data of the first client device so as to obtain the ciphertext of the first client device. And finally, the first client equipment sends the ciphertext of the first client equipment, and the ciphertext is obtained by encrypting the encryption public key which is obtained by the N2The first public key of each client device is obtained by aggregation, and after the server receives the ciphertext of the first client device, the server does not have N1The first private key of any one of the client devices cannot decrypt the ciphertext to obtain the plaintext data of the first client device, so that the privacy of the first client device is protected.
In some possible implementations, the first client device sends the request to the N1Each client device in the client devices sends the first public key of the first client device. Exposing, by the first client device, its first public key such that N1Each of the client devices may use N including the first public key of the first client device2The first public keys are aggregated.
In some possible implementations, the first client device generates a first random noise and generates N of a first private key of the first client device1Share private key secret and N of the first random noise1Share random noise secret to obtain N1A secret share comprising a copy of the private key secret and a copy of the random noise secret. Then, the said firstA client device to said N1Each client device in the client devices respectively sends the N1One of the secret shares, the secret shares sent to different client devices, are different. Secret sharing of the first private key by the first client device and handing over to N is achieved1Each of the client devices stores the data.
In some possible implementations, the first client device and the second client device have blockchain accounts, and the second client device is a different client device than the first client device.
In some possible implementations, the first client device obtains the first portion over a blockchain network
The server is ensured to execute the aggregation N through the block chain network2And (4) aggregation of the ciphertext.
In some possible implementations, the first client device first determines a blockchain account of the second client device, and then queries the blockchain account of the second client device through the blockchain account of the first client device to obtain the first public key of the second client device. Then, the first client device aggregates the first public key of the second client device and the first public key from the N2The first public keys of other client devices in the client devices are used for obtaining the encrypted public key, and the plaintext data of the first client device is encrypted by using the encrypted public key to obtain the ciphertext c of the first client deviceuFinally, the ciphertext c of the first client device is sent to the blockchain network through the blockchain account of the first client deviceu. Therefore, through the blockchain account and the blockchain network, the data between the first client device and the second client device can be interacted through the blockchain network, and the first client device can specifically acquire the N2A first public key of each client device, and realizesThe first client device sends the ciphertext to the server.
In some possible implementations, the first client device discloses the first public key of the first client device through a blockchain account of the first client device. Implementing the first client device to the N1Each client device in the client devices sends the first public key of the first client device.
In some possible implementations, the aggregation is a modulo addition operation. The above described data processing method can be implemented for a number of different aggregation algorithms.
In some possible implementations, the plaintext data includes model parameters. When the first client device uploads the model parameters to the server, the model parameters of the first client device can be prevented from being leaked, and therefore privacy of the first client device is protected.
In a third aspect, an embodiment of the present application provides a data processing method, where a server obtains N3A ciphertext cuSaid N is3A ciphertext cuFrom N3A client device, the ciphertext cuFrom the first partial cryptogram cu0And a second partial ciphertext cu1Composition of, the said N3Is an integer of 2 or more. The server then aggregates the N3A ciphertext cuTo obtain an aggregate ciphertext
The aggregate ciphertext
Comprises a first part
And a second part
The first part
From said N3A ciphertext cuThe first partial ciphertext c of (1)u0Is polymerized to obtain the second part
From said N3A ciphertext cuThe second partial cipher text c in (1)u1And polymerizing to obtain the polymer. Then, the server sends the N3Each client device in the client devices respectively sends the first part
And obtaining N4Partial decryption of ciphertext
Said N is4Partial decryption of ciphertext
From N4A client device, N3Each client device comprises the N4A client device. Finally, the server according to the second part of the ciphertext
And said N4Partial decryption of ciphertext
T partial decrypted ciphertext
Decrypting to obtain a final decrypted ciphertext m, wherein t is a preset threshold value and is less than or equal to N4。
For the technical effects brought by the technical solution of the third aspect, please refer to the description in the first aspect, which is not described herein again.
In some possible implementations, the server decrypts the t parts using a preset final decryption algorithmCipher text
And said second part
Performing decryption calculation to obtain a polynomial t1The final decryption algorithm is used to decrypt t secret shares (the t parts can be decrypted into ciphertext
Treated as t secret shares) to recover the data that is shared in secret. The server then pairs the polynomial t1To obtain a polynomial t2And using said polynomial t2And modulus l of each coefficient is used for obtaining the final decrypted ciphertext m, wherein l is a preset parameter and represents the modulus of the polynomial coefficient of the plaintext data.
By fitting a polynomial t1To obtain a polynomial t2Thereby eliminating t partial decrypted ciphertexts
Due to the use of aggregated random noise secrets in secret sharing vectors
Thereby enabling the server to acquire N3A weighted average of plaintext data for the individual client devices.
In some possible implementations, the calculation may be by a lagrange interpolation formula
Wherein, liuFor Lagrange interpolation coefficients, l and h are preset parameters, wherein l represents a polynomial modulus of plaintext data, h represents a modulus of the polynomial coefficient, and V represents N4A collection of individual client devices.
In some possible implementations, the
The above-mentioned
The above-mentioned
Wherein h is a preset parameter and represents the modulus of polynomial coefficient, thereby realizing the aim of N3A ciphertext cuThe polymerization of (2).
In some possible implementations, the server obtains N1A first public key, said N1A first public key from N1A client device, N1Each client device comprises the N3A client device, then said server to said N1Each client device broadcasts the N1A first public key implementing N1Each client device in the client devices respectively acquires the first public keys of other client devices.
In some possible implementations, the server obtains a message from N2Secret shares of individual client devices, said N1Each client device comprises the N2A client device, a secret share from one client device comprising the secret share with the N1N corresponding to each client device1Share secret shares, which the server then sends to the N based on the identity of the recipient1A client side realizes N2Each client device in the client devices respectively acquires N of other client devices1Share secret shares.
In some possible implementations, the server and the N3Each client device has a blockchain account, then server and N3Data between client devices may interact through a blockchain network.
In some possible implementations, by block chainingThe network realizes that the server acquires the N from the blockchain network through the blockchain account of the server3A ciphertext cuAnd implementing the server to the N3Each client device in the client devices respectively sends the first part
Including the server through the blockchain account of the server to the N through the blockchain network3Each of the client devices transmits the first portion
In some possible implementations, the server deploys an intelligent contract in a blockchain network through a blockchain account of the server, the intelligent contract comprising a logging function and a checking function, wherein the logging function is used for logging the N3A ciphertext cuSaid checking function is used for checking said server to aggregate said N3A ciphertext cuWhether the step of (1) is performed. Thereby restricting the behavior of the server and ensuring that the server must respond to the received N3A ciphertext cuAnd aggregation is carried out, so that the privacy of the client device is further protected.
In some possible implementations, the check function is further to perform aggregating the N3A ciphertext cuTo obtain a check aggregate ciphertext
The check aggregate ciphertext
Including a first portion of the inspection aggregate ciphertext
If it is as described
And the above-mentioned
If so, the check function determines that the server aggregates the N3A ciphertext cuThe steps of (1) are performed. Thereby ensuring that the server must be aligned to the received N3A ciphertext cuPolymerization is carried out.
In some possible implementations, the aggregation is an addition operation, a modulo addition operation, a multiplication operation, or a modulo multiplication operation, and the data processing method may be implemented for a plurality of different aggregation algorithms.
In a fourth aspect, an embodiment of the present application provides a first client device, configured to perform the method of any one of the foregoing second aspects or second aspects. The first client device comprises a transceiver module and a processing module, wherein the transceiver module can be one or more modules with data receiving and/or transmitting capabilities, and the processing module can be one or more modules with data processing capabilities.
In a fifth aspect, an embodiment of the present application provides a server, configured to perform the method of any one of the foregoing third aspect or third aspect.
In a sixth aspect, an embodiment of the present application provides a communication system, including: a first client device and a server, wherein the first client device is configured to perform any one of the methods performed by the first client device in the foregoing second aspect; the server is configured to perform any one of the methods performed by the server in the foregoing third aspect.
In a seventh aspect, this application embodiment provides a computer-readable storage medium, in which a program is stored, where the program makes a computer device execute the method in any one of the second aspect or the third aspect.
An eighth aspect of the present application provides a computer program product comprising: computer program or instructions for causing an electronic device to perform a method as provided in any one of the possible implementations of the second or third aspect described above, when the computer program or instructions are run on the electronic device.
A ninth aspect of the present application provides a client device that may include at least one processor, a memory, and a communication interface. At least one processor is coupled with the memory and the communication interface. The memory is configured to store instructions, the at least one processor is configured to execute the instructions, and the communication interface is configured to communicate with other network elements under control of the at least one processor. The instructions, when executed by at least one processor, cause the at least one processor to perform the second aspect or the method of any possible implementation of the second aspect.
A tenth aspect of the present application provides an electronic device that may include at least one processor, a memory, and a communication interface. At least one processor is coupled with the memory and the communication interface. The memory is configured to store instructions, the at least one processor is configured to execute the instructions, and the communication interface is configured to communicate with other network elements under control of the at least one processor. The instructions, when executed by at least one processor, cause the at least one processor to perform the method of the third aspect or any possible implementation of the third aspect.
An eleventh aspect of the present application provides a chip system, where the chip system includes a processor and a communication interface, and is configured to support a first client device to implement the functions in any one of the above-described second aspect or possible implementation manners of the second aspect, or support a server to implement the functions in any one of the above-described third aspect or possible implementation manners of the third aspect.
In one possible design, the system-on-chip may further include a memory for storing necessary program instructions and data for the first client device and/or the server. The chip system may be constituted by a chip, or may include a chip and other discrete devices.
For technical effects brought by any one or any one of the seventh to eleventh aspects, reference may be made to technical effects brought by different possible implementation manners in the first aspect, the second aspect, and the third aspect, and no further description is given here.
Drawings
Fig. 1 is a schematic structural diagram of a federated learning system provided in the embodiment of the present application;
fig. 2 is a schematic flowchart of a data processing method according to an embodiment of the present application;
fig. 3 is a schematic flow chart of another data processing method according to an embodiment of the present application;
fig. 4 is a schematic diagram of a first client device according to an embodiment of the present application;
fig. 5 is a schematic diagram of a server according to an embodiment of the present application;
fig. 6 is a schematic diagram of another first client device provided in an embodiment of the present application;
fig. 7 is a schematic diagram of another server provided in the embodiment of the present application.
Detailed Description
The embodiment of the application provides a data processing method and related equipment, which are used for protecting privacy information of client equipment in the process of federal learning.
Embodiments of the present application are described below with reference to the accompanying drawings.
The terms "first," "second," and the like in the description and in the claims of the present application and in the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the terms so used are interchangeable under appropriate circumstances and are merely descriptive of the various embodiments of the application and how objects of the same nature can be distinguished. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of elements is not necessarily limited to those elements, but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Fig. 1 shows a bang learning system 100 according to an embodiment of the present application. The federated learning system 100 is a distributed data mining framework that includes a server 110 and a plurality of disparate client devices 120.
In the federated learning system 100, the client device 120, also referred to as a data owner, expects a better learning model by completing learning of data locally and then uploading the learned model parameters to the server 110 for further processing by the server 110.
The server 110 may have a relatively large difference due to configuration or performance, and may include at least one Central Processing Unit (CPU) (e.g., at least one processor) and a memory, and at least one storage medium (e.g., at least one mass storage device) storing an application program or data. The memory and storage medium may be, among other things, transient or persistent storage. The program stored in the storage medium may include at least one module, and each module may include a series of instruction operations on the server. Still further, the central processor may be configured to communicate with the storage medium and execute a series of instruction operations in the storage medium on the server. The Server may also include at least one power source, at least one wired or wireless network interface, at least one input output interface, and/or at least one operating system, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD, NetWare, and the like.
In the federal learning system 100, the client device 120 may be a terminal device or a server. The terminal device may be any wired or wireless intelligent terminal device such as a mobile phone, a tablet computer, a Personal Digital Assistant (PDA), a point of sale (POS), a vehicle-mounted computer, and an intelligent wearable device (e.g., an intelligent watch, a health bracelet, and intelligent glasses). The wireless intelligent terminal device can be a handheld device with a wireless connection function or other processing devices connected to a wireless modem. Wireless intelligent terminal devices are used to communicate via a Radio Access Network (RAN) with one or more core networks, such as mobile terminals, mobile phones (or so-called "cellular" phones), or computers with mobile terminals (e.g., portable, pocket, hand-held, computer-included, or vehicle-mounted mobile devices that exchange language and/or data with the RAN). Common wireless intelligent terminal devices include Personal Communication Service (PCS) phones, cordless phones, Session Initiation Protocol (SIP) phones, Wireless Local Loop (WLL) stations, personal digital assistants, and the like.
To avoid directly uploading model parameters carrying user privacy information to the server 110, currently, enterprises propose an arithmetic mean random gradient descent algorithm, in which the client device 120 only needs to submit gradient information to the server 110, and the server 110 calculates a mean value of the gradient information to update the global model. After a number of iterations, the server 110 may obtain a trained global model. The arithmetic mean random gradient descent algorithm has better prediction accuracy, and enables the model parameters of the client device 120 to be kept local, which is beneficial to protecting privacy. However, the gradient information includes sensitive information of the client device 120, and an attacker can reverse attack through the model, attack through the feature vector, or reversely deduce the original data of the model parameters from the gradient information.
Therefore, in the embodiments of the present application, a data processing method is provided in the embodiments of the present application. In the method of the present application, a first client device obtains N2A secret share of N2Secret shares including N2Respective secret shares of the client devices, when the client devices receive the aggregated ciphertext
The first part of
When N is used, N can be used2Aggregating the secret shares to obtain a secret sharing vector, and using the secret sharing vector to pair the first part
Decrypting to obtain partially decrypted ciphertext
And sends the partially decrypted ciphertext to a server
Due to N2Each secret share in the secret shares comprises a private key secret of the first private key and a random noise secret obtained by secret sharing of random noise, so that when the server receives a partial decryption ciphertext
Then, the ciphertext cannot be decrypted based on the portion
Recovering partially decrypted ciphertext transmitted by a single client device
The plaintext data is recovered, thereby protecting the privacy of the client device.
In this embodiment, the server 110 may decrypt the t partial decrypted ciphertexts by using a preset final decryption algorithm
And a second partial ciphertext
Performing decryption calculation to obtain a polynomial t1(the final decryption algorithm is used to decrypt the t secret shares to recover the secret shared data, which may be used to decrypt the t partial decrypted ciphertexts
As t secret shares) and then on the polynomial t1To obtain a polynomial t2Finally, the polynomial t is calculated2And (4) obtaining m and l as preset parameters by using the coefficient module l to represent the modulus of the polynomial coefficient of the plaintext data.Due to the execution of the p-polynomial t1To obtain a polynomial t2The method has the advantages that the influence of random noise is counteracted, so that data used for training by the server are more accurate, the model precision of each client device is guaranteed, and finally, the data can be recovered only by at least t devices on line without being influenced by the scale and the disconnection rate of a user scene.
The embodiment of the application can be applied to different application scenes, such as an application scene for preventing active attackers or an application scene for preventing semi-honest attackers. For an application scenario for preventing a semi-honest attacker, the method flow of the first embodiment may be adopted. For the application scenario of preventing the active attacker, the method flow of the second embodiment may be adopted.
It should be noted that, in the following first embodiment or second embodiment, a distributed threshold homomorphic encryption mechanism is involved. The distributed threshold homomorphic encryption mechanism includes two important features: distributed threshold and homomorphic encryption. These two important features are explained below separately.
1. Distributed threshold
Secret sharing is carried out on data to obtain T secret shares (secret share/share of secret), the T secret shares are respectively handed to T devices to be stored, and 1 device stores 1 secret share. For example, 10 secret shares are generated for the data a (i.e., T is 10), and the 10 secret shares are respectively handed to 10 different devices to be stored, wherein 1 secret share is stored for each 1 device, and the secret shares stored for each device are different. When the data needs to be recovered, only T shares of the T secret shares (T < T) need to be obtained to recover the data. For example, if t is 5, then only 5 different secret shares of the 10 devices need to be obtained from any 5 devices, and the data can be recovered by calculation. The data is shared secretly and handed over to a plurality of different devices for storage, so the scheme is called distributed, t is called a threshold value, and the scheme is called a secret sharing scheme of distributed threshold. In the secret sharing scheme of the "distributed threshold", assuming that (T-T) devices are disconnected or lose secret shares, the original data can be recovered as long as T secret shares can be obtained.
Taking the federal learning system 100 as an example, the first client device needs to share the private key in secret, and then the first client device first sets the number T of secret sharing and a threshold value T (T > T), and then shares the private key in secret to obtain the secret share of T shares. The first client device then sends T secret shares to T client devices in the federated learning system 100, where each client device holds 1 secret share, and the secret shares held by different clients are not the same. When data needs to be recovered, any one client device in the federated learning system 100 can recover the private key of the first client device by calculation as long as T of the T secret shares are obtained.
For example, T is 100 and T is 67. That is, there are 100 client devices (including the first client device) in the federated learning system 100, the first client device may share the secret key in secret to obtain 100 secret shares, and then send the 100 secret shares to the 100 client devices, where each client device respectively keeps 1 secret share, and the secret shares kept by different client devices are different from each other. When data needs to be recovered, any client device in the federated learning system 100 can recover the first private key by calculation as long as 67 (t) of the 100 secret shares are obtained.
2. And (4) homomorphic encryption.
Homomorphic encryption refers to homomorphic encryption algorithms, namely:
f(En(m1),En(m2))=En(f(m1,m2))
where En () is a homomorphic encryption algorithm with respect to f (), which is called aggregation. Where f () may be a modulo addition operation, an addition operation, a multiplication operation, or a modulo multiplication operation. In the embodiment of the present application, f () is taken as an example of a modulo addition operation. For example, assuming that En () is a cryptographic algorithm and is also a homomorphic algorithm, then En () is a homomorphic cryptographic algorithm. By homomorphic encryption algorithmsReceive data (m)1And m2) Respectively carrying out the operation of homomorphic encryption algorithm, and then carrying out the operation to obtain f (En (m)1),En(m2) And to data (m)1And m2) F (m) is obtained by calculation1,m2) Then using a homomorphic encryption algorithm En () to encrypt to obtain En (f (m)1,m2) The values of the two are equal, and the effect is the same. Therefore, the homomorphic encryption algorithm can be applied to the scenario of federal learning, each client device can encrypt data (such as model parameters, gradients and the like) and then upload the data to the server 110, and then decrypt the data after the server 110 performs operation to obtain the value of f () operation on the data, so that the server 110 cannot acquire the data uploaded by a single client device 120, and the privacy of a user is protected.
Referring to fig. 2, a data processing method is disclosed in a first embodiment of the present application.
In the first embodiment, one server and N0The scenario of the client device is illustrated by way of example, where N is given below0The description will be given by way of example with reference to 100, but of course, N is0Any other integer of 2 or more may be used.
The method of the first embodiment comprises the following steps: an initialization wheel (the server generates system parameters and sends the system parameters to a plurality of client devices, each client device in the plurality of client devices generates a respective public and private key pair according to the system parameters, the public and private key pair comprises a public key and a private key), a broadcast key wheel (each client device generating the respective public and private key pair sends the identity and the public key information of the client device to the server, the server broadcasts the identity and the public key information of each client device in the plurality of client devices to other client devices participating in a protocol in the form of a first response message), a share key wheel (the client device receiving the first response message shares the first private key of the client device in a secret way so as to respectively deliver the generated secret shares to other client devices for storage), a ciphertext wheel (the client device generates an encrypted public key by using each public key information and encrypts the model parameters to obtain a ciphertext, and the server aggregates the ciphertext to obtain an aggregated ciphertext, and sends part of the ciphertext of the aggregated ciphertext to the plurality of client devices) and a decrypted ciphertext wheel (after the plurality of client devices receive the part of the ciphertext, the part of the ciphertext is partially decrypted by using the secret shares collected in the sharing key wheel to obtain a part of the decrypted ciphertext, and the part of the decrypted ciphertext is returned to the server to be finally decrypted by the server).
It should be noted that, in the embodiment of the present application, the plurality of client devices refers to all or part of 100 client devices.
Each round is described in detail below.
Firstly, initializing a wheel.
In the initialization process, the server can run a setting algorithm of a distributed threshold homomorphic encryption system to generate system parameters and send the system parameters to 100 client devices, and each client device can use the system parameters to run a key generation algorithm of the distributed threshold homomorphic encryption system to form a respective public and private key pair.
In an embodiment of the present application, the initialization wheel includes:
211. the server generates system parameters.
For example, the server may run a setting algorithm of the distributed threshold homomorphic encryption system to generate a system parameter params, which includes
The following describes the setting algorithm and the above system parameters in detail.
Wherein λ is a security parameter, d is a polynomial degree, h is a modulus of a polynomial coefficient of a ciphertext, l is a modulus of a polynomial coefficient of plaintext data, f (x) is a cyclotomic polynomial of degree d,
(
a set of polynomials of unlimited degree with coefficients being integers,
a set of polynomials of degree (d) of degree f (x) with R being a coefficient which is an integer, and R also being a ring), RhDenotes a set of polynomials modulo h from the coefficients of the polynomials in R, # denotes chi-square distribution, # denotes uniform distribution,
is represented by RhIn terms of a polynomial generated by uniformly distributing μ, HPKE represents a Hybrid Public Key Encryption (HPKE), and ss.split () represents a threshold secret sharing algorithm.
It should be noted that, in the embodiment of the present application, random noise may be generated according to chi-square distribution χ
Wherein
Is a polynomial of degree d,
is an element in ring R. Likewise, random polynomials may be generated from a uniform distribution μ
Wherein
Is a polynomial of degree d,
is an element in ring R.
Exemplarily, HPKE ═ is (hpke.gen (), hpke.enc (), hpke.dec ()). Gen () is a key generation algorithm, and input is a security parameter λ and output is a key pair (e.g., a second public-private key pair) used for encryption and decryption. Enc () encryption algorithm, input is data to be encrypted and a key used for encryption (for example, a second public key in a second public and private key pair), and output is ciphertext. The hpke.dec () is a decryption algorithm, and the input is a ciphertext encrypted by using the hpke.enc () and a key (for example, a second private key in a second public and private key pair) for decryption, and the output is plaintext data, that is, the above-mentioned data to be encrypted.
Illustratively, the ss.split () includes a number T of secret shares, a threshold value T, and a modulus, with the input being pending data, h, and the output being T secret shares. Split () may be a samell (Shamir) secret sharing algorithm, for example. For example, in ss.split (), a (T-1) degree polynomial f (x) is preset, wherein f (0) is set as the secret to be shared, and f (x1), f (x2), … …, f (xt) are respectively T secret shares, so that the secret to be shared can be recovered as long as T secret shares of the T secret shares are obtained. For example, the method for recovering the secret to be shared may be to respectively bring the t secret shares into a (t-1) -degree polynomial with unknown coefficients to obtain an equation set, where the equation set is t-element linear equations, and by solving the equation set, coefficients of the (t-1) -degree polynomial are obtained to recover f (x), and then f (0) is calculated to obtain the shared secret. In some possible implementations, the values of the coefficients of the terms in polynomial f (x) may also be calculated using lagrange interpolation to recover polynomial f (x).
In summary, the system parameters output by the server based on the setting algorithm of the distributed threshold homomorphic encryption system are as follows:
for example, λ 128, d 2048, h is a 54-bit integer, l is a 17-bit integer, and f (x) xd+1=x2048+1, R is a set of polynomials of degree 2048 with coefficients being integer, RhExpressing the set of polynomials with coefficients of elements in R modulo h, i.e. the set of polynomials with coefficients smaller than h, chi is the standard chi-square distribution, mu is the standard uniform distribution, from RhIn which the polynomial is selected according to a uniform distribution mu
Also for polynomials with coefficients less than 54 bits, HPKE uses the standard integrated encryption scheme (ECIES) encryption scheme, ss.split () is the samell (Shamir) secret sharing algorithm. The ECIES system is defined in a standard document such as a crypto standardization organization (SECG) for electronic cryptography group (SECG), an international organization for standardization (ISO)/International Electrotechnical Commission (IEC) 18033-2, and the like, and a graph is a secp256k1 curve.
212. The server sends the system parameters.
And after the server generates the system parameters, the system parameters are respectively sent to 100 client devices. In some possible implementations, the server may send the system parameters in a broadcast manner, or may enable 100 client devices to obtain the system parameters in a software embedded manner. It should be noted that the software embedding means that after each client device downloads and installs the relevant software, the relevant software automatically acquires the system parameters. It should be noted that, when the server needs to modify the system parameters, the server may also notify the client device in a broadcast or software embedded manner.
213. And the first client equipment generates a public and private key pair according to the system parameters.
Here, the first client device represents the client device that acquired the system parameters.
In this embodiment of the present application, the first client device may run a key generation algorithm of a distributed threshold homomorphic encryption system according to the system parameter to generate respective public and private key pairs. The example of step 211 above is that the system parameters include
The first client device generates a public and private key pair through the system parameters, and the first client device generates a public and private key pair through the system parametersThe public and private key pair of the end device can be represented as (pk)u,sku) Wherein pkuIs the public key information, sk, of the first client deviceuAnd u represents the identity of the first client device as the private key information of the first client device. In some possible implementations, the public key information includes a first public key and a second public key, and the private key information includes a first private key and a second private key. The first private key is used for secret sharing, the first public key is used for being aggregated with first public keys of other client devices to obtain an encrypted public key PK, and the encrypted public key PK is used for encrypting plaintext data. While the second public key is used to encrypt the secret share to be shared to obtain an encrypted secret share and the second private key is used to decrypt the encrypted secret share to recover the secret share.
Illustratively, the step of generating a public-private key pair by the first client device comprises:
(1) the first client device generates a first private key sku0。
First, the first client device sets R according to R3. R in the system parameters is a set of polynomials of degree no greater than 2048, then R3Set of polynomials modulo 3 which are coefficients of elements (polynomials) in R, i.e. R3Is a polynomial of degree 2048 and the coefficient is a value in { -1,0,1 }. In some possible implementations, the first client device may also set R according to R5Or R7Etc., without limitation. Herein, with R3The description is given for the sake of example.
The first client device then follows the uniform distribution μ from R3To select a polynomial
I.e. polynomial
Is R3One element of (1), i.e.
One degree is 2048 and the coefficient is { -1,0,1 }.
Finally, the first client device determines a first private key
In this step, the inputs are R, μ, and 3 (which may also be 5 or 7 or other integers) in the system parameters, and the output is the first private key sku0。
(2) The first client device generates a first public key pku0。
First, the first client device determines random noise according to chi-square distribution%
The first client device then calculates a first public key
I.e. the first public key
Note that [ · is]hThe polynomial coefficient number h in the opposite brackets is represented, i.e. the first public key of the first client device is generated by the first private key of the first client device. Likewise, the first public keys of the other client devices of the 100 client devices are also generated by their first private keys, for example, the first public key of a second client device other than the first client device is generated by the second client device according to the first private key of the second client device.
It should be noted that, the first private key sk of the first client deviceu0Is a polynomial of degree 2048 and coefficient { -1,0,1} median, then the first public key pk of the first client deviceu0Is a polynomial of degree 2048 and the first public key pku0Each coefficient of which does not exceed h (in the embodiment of the present application, h is a 54-bit integer).
In this step, the input is the chi-squared distribution χ sum of the system parameters
And a first private key sku0(or polynomial)
) And the output is the first public key. (the output also includes random noise
)
(3) The first client device generates a second public-private key pair.
Gen (l) for example, the first client device runs hpkeλ) To obtain a second public and private key pair (pk)u1,sku1). Wherein the second public and private key pair (pk)u1,sku1) Including a second public key pku1And a second private key sku1。
In this step, the inputs are λ, l, hpke.gen () in the system parameters, and the output is (pk)u1,sku1)。
Through the steps (1) to (3), R, uniformly distributed mu, chi-square distribution chi, and,
Gen (), and 3, input results in a first public and private key pair (pk)u0,sku0) And a second public and private key pair (pk)u1,sku1). From this, the public key information is pku=(pku0,pku1) The private key information is sku=(sku0,sku1)。
It should be noted that the second client device (the second client device is another client device than the first client device) may use the second public key pk of the first client deviceu1And encrypting the data to obtain a ciphertext, and then sending the ciphertext to the first client device, so that the first client device can decrypt the ciphertext by using the second private key to recover the data.
In some possible implementations, the first client deviceOr may not generate the second public-private key pair (pk)u1,sku1) But instead negotiates a symmetric key with the second client device. Then, the second client device may encrypt the data using the symmetric key to obtain a ciphertext, which is sent to the first client device, and then the first client device decrypts the ciphertext using the same symmetric key to recover the data. The information transmission between the first client device and the second client device is not limited as long as it can achieve security.
And secondly, broadcasting a key wheel.
In the broadcast key wheel, a first client device (representing a client device that generates a public-private key pair) may disclose public key information pk therein to other client devicesu=(pku0,pku1). For example, the first client device may share the public key pku=(pku0,pku1) And sending the data to a server, and broadcasting the data to a plurality of client devices by the server.
In an embodiment of the present application, a broadcast key wheel includes:
221. the first client device sends the identity u and the public key information pk of the first client device to the serveru=(pku0,pku1)。
In one possible implementation, the first client device may identify the identities u and pku=(pku0,pku1) Constructed as a message to be sent to the server.
In the embodiment of the present application, the second public key pku1Is generated according to HPKE.Gen (), which is the standard encryption system of ECIES and adopts the secp256k1 curve, i.e. the second public key pku1Is an elliptic curve point and the uncompressed representation requires 512 bits. First public key pku0Is a polynomial of degree 2048, where each coefficient is a number within 54 bits. Therefore, the public key information pku=(pku0,pku1) Roughly (2048 × 54+512) bits, about 13.6 KB. In addition, the id u is an address, a port number, and a local time of the first client device using its own network protocol (IP)A hash value, modulo h, calculated by a stamp, etc., may be a 54-bit value. Thus, the first client device uses the identity u and the public key information pku=(pku0,pku1) The useful part (u, pk) of the message being constructedu) About 13.6kb +54 b.
Since the first client device is as N1When the first client device sends the identity u and the public key information pk of the first client device to the serveru=(pku0,pku1) I.e. the server obtains N1A first public key of each of the client devices to obtain N1A first public key.
222. Server to N1The client equipment broadcasts a first response message, and the first response message carries U1Identity information and public key information of each client device.
When the server receives the identity u and the public key information pk sent by the first client deviceu=(pku0,pku1) Then, the server calculates the number of the client devices receiving the sending identity and the public key information to obtain a set U1, wherein the number of the client devices in U1 is N1. The server may then forward to N1The client device broadcasts a first response message including
Where v denotes the identity of the client device, pkv denotes the public key information of the client device with identity v, which may include a first public key and a second public key, i.e. the server sends N1Individual client device broadcasts N1A first public key. Wherein the content of the first and second substances,
including the identity and the first public key of the first client device, it is realized that the first client device sends the information to the N through the server1The client device sends the ID u and public key information pk of the first client deviceu=(pku0,pku1) I.e. the first client device is enabled to move to N1Each of the client devices sends a first public key of a first client device.
That is, when the server receives N1Identity v and public key information pk carried by client equipmentvAfter receiving the message, the server may regard the identifier v of the client device corresponding to the received message as a set U1, where the client device in U1 is the set N1The client devices, i.e., v ∈ U1, then construct a set
As the first response message. Where v represents the identity of the client device in U1, pkvPublic key information representing the client device identified by v. The server then broadcasts the first response message to N in U11A client device. It should be noted that in some possible implementations, if two different client devices use the same id, then both client devices are not counted in U1.
When the first client device receives the first response message broadcast by the server, the identity and public key information of other client devices in U1 can be obtained. For example, the second client device is represented as a client device other than the first client device in U1. The second client device sends the identity and the public key information to the server, and the server places the identity and the public key information of the second client device in the first response message. When the server broadcasts the first response message
Then due to N1The client devices include a first client device that receives the first response message and receives the first response message from the first client device
The second client device obtains the identification and public key information, which is equivalent to the first client deviceA client device obtains information from N through broadcasting of a server1A first public key of each of the client devices to obtain N1A first public key. Similarly, the second client device also obtains the identity u and the public key information pk of the first client deviceu=(pku0,pku1)。
E.g. U1Including the aforementioned N0N in (e.g., 100) client devices1(e.g., 90) client devices, of course, N1It is only necessary to be 2 or more and N or less0The integer of (3) is sufficient. Each of the 90 client devices generates a public and private key pair (pk) respectivelyu,sku) And the 90 client devices respectively disclose the public key information pk thereinu=(pku0,pku1). Then, the 90 client devices respectively identify the identity v and the public key information pkv=(pkv0,pkv1) Sending the ID v and public key information pk to the serverv=(pkv0,pkv1) Broadcasting to make each client device in the 90 client devices respectively acquire the identity v and the public key information pk of other client devicesv=(pkv0,pkv1)。
In this embodiment, t is a threshold value for secret sharing of the first private key. Taking the first client device as an example, the first client device will use the first private key sku0Secret sharing is carried out to obtain T secret shares, and the first private key sk can be recovered as long as T secret shares are obtainedu0. Therefore, in the embodiment of the present application, the server needs to ensure that the number of the collected client devices is more than t in each signaling interaction, so as to ensure subsequent operation, otherwise, subsequent decryption cannot be performed. For example, if the number of client devices in the federal learning system is 100, the server may set t to 2/3 which is not less than 100, i.e., the smallest integer 67 which is not less than 100 × 2/3. In some possible implementations, the server may also set t to 3/4 or 5/6 of not less than 100, which is not limited herein.In the embodiment of the present application, the maximum drop rate that the server can receive is (1-T/T) × 100%, for example, T ═ 67, T ═ 100, and then (1-T/T) × 100 ═ 33%. Therefore, the method of the embodiment of the application can reduce the influence of the disconnection of the client equipment. For example, if U1The number of the client devices in (1) is 90, which means that 10 client devices are disconnected from 100-90, but the method in the embodiment of the present application may continue to be performed without being affected.
Therefore, in the embodiment of the application, if the server only receives the messages of less than t client devices, the protocol is exited, otherwise, the server executes the protocol towards N1The client device broadcasts a first response message
The step (2). E.g. U1If the number of the client devices in the server is below 67, the server exits the protocol, and if U is detected1If the number of the client devices in the network is more than 67, the process continues to be executed to N1The client device broadcasts a first response message
The step (2). In the first response message, since the identification v is a 54-bit value, the public key information pkvAbout 13.6KB if U1The number of the middle client devices is 90, and the size of the first response message is (13.6kb +54b) × 90, about 1.2 mkb.
And thirdly, sharing the key wheel.
In the shared key wheel, U1The client device in (1) shares its own first private key in secret to obtain N1Share secret shares, respectively given to N1Each of the client devices stores the data. The following description is made on behalf of the first client device.
In this application embodiment, sharing key wheel includes:
231. first client device generating N1Share secret shares, wherein 1 share of the secret share comprises 1 share of the private key secret and1 random noise secret.
Illustratively, first, the first client device generates a first random noise, and then the first client device generates N of a first private key of the first client device1N of secret key secret and first random noise1Share random noise secret to obtain N1Share secret shares, wherein 1 share of the secret share comprises 1 private key secret and 1 random noise secret.
In the embodiment of the application, after the first client device receives the first response message sent by the server, the first response message is analyzed to obtain the first response message
In the embodiment of the present application, the first client device needs to check U first1Number of client devices N1If N is present1If t is greater than or equal to t, the first client device continues to perform subsequent steps, otherwise the protocol ends. When N is present1When the key is larger than or equal to t, the first client equipment runs a sharing generation algorithm of a distributed threshold homomorphic encryption system to generate a first private key sku0N of (A)1Share secret shares. The following describes in detail the sharing generation algorithm of the distributed threshold homomorphic encryption scheme.
In the sharing generation algorithm of the distributed threshold homomorphic encryption system, the input is SS.Split (), the input is the set S of the second public key of the public key information in the first response messagepk1Threshold value t, first private key sk of first client deviceu0Dimension m of the model parameters.
Split () may be a secret sharing algorithm, S, of sand (shamir) in the present embodimentpk1Is U1T 67 for the second set of public keys. Wherein the first private key sk of the first client deviceu0Is a polynomial of degree 2048 with coefficients of values in { -1,0,1}, where u is the identity of the first client device. In addition, the dimension m of the model parameter is the dimension of the model parameter that needs to be encrypted to obtain the ciphertext and sent to the server by the first client device. Example (b)If the model parameter is (0011), then m is 4, and if the model parameter is (0011000010101011), then m is 16. In some possible implementations, the model parameters may be plaintext data.
Illustratively, the first private key sk is generatedu0N of (A)1The step of sharing the secret share includes:
(1) the first client device constructs a sequence ES.
First client device sets enum.
If the data of the model parameters is too long, a large amount of computing resources are required to directly encrypt the model parameters. Therefore, in some possible implementations, the model parameters may be segmented, each segment in the model parameters may be encrypted, and then the ciphertext of each segment may be decrypted in the following. For example, if the model parameter of the first client device is equal to (0011000010101011), i.e., m is 16, the model parameter may be divided into 4 segments, each of which is 4 bits, to obtain (0011) (0000) (1010) (1011). In some possible implementations, the model parameters may also be divided into 3 segments, for example, the first two segments are 6 bits respectively, and the last segment is 4 bits, to obtain (001100) (001010) (1011). Optionally, the model parameter may be divided into enum segments, and each segment is a length of an encryption public key (i.e., a value obtained by aggregating the first public keys of subsequent client devices), so that the method is more suitable for calculation. Since the encrypted public key is a value obtained by aggregating the first public keys of the client devices, the first public key is a d-degree polynomial, that is, the length of the first public key is d bits, and then the length of the encrypted public key is d, then the model parameters are divided into enum segments, and each segment is d, which is more suitable for calculation.
For this reason, in the embodiment of the present application, the first client device may be provided
I.e. enum is the smallest integer with a quotient greater than m/d. Then, the model parameters are divided into enum segments, each segment in the previous enum-1 segment is d bits, and the length of the last segment is m-d (enum-1) bits.
In the embodiment of the present application, d is 2048, and the dimension m of the model parameter is 100K (K is 1024), so that
Namely, the model parameters with 100K bits are divided into 50 segments, wherein each segment in the first 49 segments is 2048 bits, and the last segment is m-d (enum-1) ═ 2048 bits.
In this step, the input is the polynomial degree d in the system parameters and the dimension m of the model parameters, and the output is enum.
The first client device generates random noise.
After enum is determined, in the embodiment of the present application, the first client device generates enum random noises according to chi-square distribution χ
Wherein the content of the first and second substances,
polynomial of degree d.
In this step, the inputs are enum and chi-square distributions in the system parameters, and the outputs are enum random noises
(iii) constructing a set of polynomials
The coefficient sequence ES of (1).
When enum random noise is generated
Then, can construct
The coefficient sequence ES of (1). Elements in the ES include
The coefficients of each polynomial. For example, enum ═ 2, sku0=(1101),
Then ES ═ 1,1,0,1,1,0,1,1,1,0,1 }.
In the embodiment of the application, sku0A polynomial of degree 2048,
also 2048-degree polynomial, and the number of random noises is 50(enum is 50), the sharing generation algorithm needs to share 51 polynomials
Where 1 polynomial is the first private key sk (enum ═ 50), and a coefficient (enum ═ 50) of (a) is the first private key sku0And the other 50 are random noise
Then the number of elements in the sequence ES is 51 × 2048 — 102K.
In summary, in the step of constructing the sequence ES by the first client device, the input is d, m, chi-square distribution χ in the system parameters, and the output is the sequence ES.
(2) The first client device shares secret with each element ES in the sequence ES to obtain N of ES1Share secret shares.
In the present embodiment, the first client device performs ss.split (ES, | S) on each element ES in the sequence ESpk1I, t, h). Where t is the threshold, h is the modulus of the polynomial coefficient, and ss.split () is the secret sharing algorithm. In addition, Spk1Represents U1Set of second public keys, | S, of respective client devicespk1I represents Spk1The number of second public keys.
In this step, the inputs are SS.Split (), ES, S among the system parameterspk1And h, SS.Split () includes a threshold value t, output as N for each element ES in ES1Share secret shares.
For example, ES is {1,1,0,1,1,0,1,1, 0,1}, i.e., ES (1) is 1, ES (2) is 1, ES (3) is 0, ES (4) is 1, ES (5) is 1, ES (6) is 0, ES (7) is 1, ES (8) is 1, ES (9) is 1, ES (10) is 0, ES (11) is 1, ES (12) is 1, i.e., ES i is one of the elements in ES, i is 1,2, …, 12. The first client device then performs the secret sharing algorithm ss.split (es, | S) for each element es (i) in {1,1,0,1,1,0,1,1, 1}, respectivelypk1L, t, h) to share secret es (i) to obtain | S of each element es (i)pk1| secret shares. For example, | Spk1And 5, secret sharing is performed on the es (1) to obtain 5 secret shares {1,2,3,4,5} of the es (1). Assuming that t is 3, the value of es (1) can be restored by acquiring 3 of {1,2,3,4,5}, with es (1) being 1. The first client device may then send each of {1,2,3,4,5} values to S, respectivelypk1The 5 client devices indicated in (1), respectively, have these 5 client devices keep the secret shares.
In the embodiment of the present application, the sequence ES has 100K elements, and this step executes the secret sharing algorithm ss.split (ES, | S) for each of the 100K elements ESpk1I, t, h) for secret sharing to get S for each element espk1I secret shares are respectively sent to U1And each client device stores the data. If exemplified in the previous embodiment, U1The number of middle client devices is 90, i.e. | Spk1Then the first client device makes a secret share for each element es to get 90 secret shares, which 90 secret shares will be sent to U respectively1The respective client devices in (1) are stored.
It should be noted that each secret share is 54 bits of data, as well as the first private key. The number of elements of the ES is 100K, then the number of secret shares the first client device sends to the second client device is 100K, and thus, allocated to U1The size of the secret shares of one of the client devices is about 5.4 mbits, then the secret shares generated by the first client device are 5.4 x 90MB in total.
In some possible implementations, the order may not be constructed eitherColumn ES, but pair
Each polynomial in (1) is shared secretly, i.e. the sk is sharedu0And
and respectively carrying out secret sharing. If enum ═ 50, | Spk1I.e. | 90, 50 polynomials are shared secretly to get sku0Of 90 secret shares and
90 secret shares.
(3) The first client device constructs a message to be sent to the second client device, the message carrying the secret shares allocated to the second client device for custody.
In the embodiment of the application, the first client device constructs the secret share shared to the second client device for safekeeping as a message
Wherein v is the identity of the second client device. Then, the message
Secret sharing | S for each element ES in the sequence ESpk1One of the secret shares. For example, | Spk1If the sequence ES has 100K elements, the first client device shares each of the 100K elements with a secret to obtain 90 secret shares, and takes one of the 90 secret shares to obtain 100 secret shares, which are then structured as a message
In the embodiment of the present application, the first client device may further use the second public key pk of the second client device for security during transmissionv1For messages
Is encrypted, i.e. run
To obtain encrypted secret shares
It should be noted that the second public key pkv1Obtained in the broadcast key wheel for the first client device. Finally, the first client device obtains an encrypted set of secret shares
V represents a second client device to send, the second client device represents U1The client device of (1). Since the second client device has the second private key skv1When the second client device receives
Thereafter, the second private key sk may be usedv1For secret shares
Decrypting to obtain the message
I.e. secret shares of each of the 100K elements.
232. The first client device sends N to the server1Share secret shares.
Wherein N is1Each secret share of the secret shares is used for transmitting N1And the secret shares of different client devices are different for the corresponding client devices in the client devices.
In an embodiment of the application, a first client device generates a set
Then, will
Adding the ID v of the receiver to form a message, sending the message to the server, and distributing the message to the | S by the server according to the IDpk1L client devices.
It should be noted that hpke. enc () is an encryption method in standard ECIES, and then generated by the first client device
In addition to the 5.4 mbit of the data portion, an elliptic curve point element of 512 bits added by ECIES is added, and in addition, the identity (54 bits) of the receiver is required in the message sent by the first client device, so that the first client device sends the server the identity (54 bits) of the receiver assigned to the second client device
Is about 675KB, the total amount of data sent by the first client device to the server is then approximately 90 × 675KB, about 59 MB.
233. Server to N1Each client device in the client devices sends a second response message, and the second response message carries U2The secret shares sent to different client devices are different for each client device.
In the embodiment of the application, the server receives N2Sent by a client device
Then, wherein N is1Each client device comprises N2A client device, if N2Less than t, the server ends the protocol. Otherwise, the server will identify the receiver according to the identity of the receiver
Separately to a different second client device as a second response message. It should be noted that the second client device represents hereU2The client device of (1). Then, the message received by the second client device is parsed into
Due to N1Each client device comprises a first client device, namely the first client device obtains N2Secret shares of respective ones of the client devices to obtain N2A secret share.
It should be noted that if U is provided1In (C) has N1(e.g., 90) client devices, but the server receives only N2In the embodiment of the present application, only t (e.g., 67) or more encrypted secret shares sent by the client devices need to be received to continue the subsequent steps. Therefore, the operation of the embodiment of the application is not affected by the disconnection rate to a certain degree, and therefore the application can effectively reduce the influence of disconnection of the client equipment.
In the present embodiment, suppose U1Of the 90 client devices, 10 were dropped, and the server only collected the encrypted secret shares sent by 80 client devices, then the encrypted secret shares ready to be sent to these 10 client devices would not be ready to be sent to other client devices, then the data sent by the server to each client device is approximately 80 × 675KB, which is approximately 54M.
It should be noted that, after the server obtains the encrypted secret shares sent by the respective client devices, since the server does not have the second private key, the server cannot decrypt the received encrypted secret shares, thereby increasing the security.
Note that, in this step, the first client device is regarded as U1The second response message is also received by one of the client devices, thereby obtaining the secret shares that each of the 80 client devices assigns to itself.
Fourthly, collecting the ciphertext wheel.
In the ciphertext round, the first client device that receives the second response message may encrypt the model parameter x that it wants to uploaduTo obtain a ciphertext cuAnd combines these ciphertexts cuSending to the server, which then sends these ciphertexts cuAnd transmitting the ciphertext to other client side equipment, and enabling the client side equipment which receives the ciphertext to partially decrypt the ciphertext.
Next, the first client apparatus will be described as an example.
241. First client device aggregation N1One first public key from N2A first public key of the individual client device to obtain an encrypted public key PK.
In this embodiment, after receiving the second response message sent by the server, the first client device may calculate the number of secret shares from different client devices in the second response message, and if the number is less than t, exit the protocol. If the number of secret shares from different client devices in the second response message is greater than or equal to t, the set formed by the identities of the different client devices in the second response message is called U2,U2The number of client devices in (1) is N2It is obvious that
E.g. U1Including 90 client devices, 10 client devices are disconnected, so U2Including 80 client devices.
In the foregoing broadcast key wheel, the first client device has obtained the attribute U from the first response message1Public key of each client device of the set
Due to the fact that
Then the equivalent first client device also acquires U2Public key of each client device of the set
Including U2The first public key pk of each client devicev0。
In the embodiment of the application, the first client device uses U2First public key of each client device
As input, a public key synthesis algorithm of a distributed threshold homomorphic encryption system is operated to obtain an encrypted public key PK encrypted homomorphically:
wherein S ispk0Represents U2A set of first public keys of the middle client device. E.g. U2The number of middle client devices is 80, then Spk0A set of first public keys representing the 80 client devices, the encrypted public key PK being a modulo sum of the first public keys of the 80 client devices.
242. The first client device encrypts a model parameter x of the first client device using an encrypted public key PKu(plaintext data) to obtain ciphertext c of the first client deviceu。
In this embodiment, the first client device may run an encryption algorithm of a distributed threshold homomorphic encryption system, and use the encryption public key PK encryption model parameter x generated in the above stepsuTo obtain a ciphertext c of the first client deviceuWhere u represents the identity of the first client device.
In the embodiment of the present application, the model parameter x needs to be first determineduInto enum segments to obtain { x1,...,xenumThen x for each segment thereiniEach of (i ═ 1,2,3, …, enum) is encrypted. For example, continuing with the above example, enum is 50, i.e., model parameter x of the first client device is calculateduDividing into 50 parts to obtain xu=(x1,…,x50) Then for each model parameter xiAnd (4) running an encryption algorithm, wherein i is more than or equal to 1 and less than or equal to 50.
Specifically, the step of executing the encryption algorithm includes:
(1) the first client device according to the uniform distribution μ from R3To select a polynomial
Where R in the system parameters is a set of polynomials of degree no greater than 2048, then R3Set of polynomials modulo 3 which are coefficients of elements (polynomials) in R, i.e. R3Is a polynomial of degree 2048 and coefficient is a value in { -1,0,1}, wherein
Is R3One element of (1).
(2) The first client device selects two noises according to chi-square distribution x
(3) Computing
To obtain ci=(cu0,cu1)。
Through the steps, each segment x is realizediEncryption operation of (i ═ 1,2,3, …, enum), and finally output ci=(cu0,cu1) (i ═ 1,2, …, enum), i.e. cu={c1,...,cenum}. Continuing with the above example, if enum is 50, then c is obtainedu={c1,...,c50And (c) ciphertext size of 50 x2 x (2048 x 54) bits, about 1.4 MB.
The above pair x is demonstrated belowiEncryption algorithm c ofu1() It is a homomorphic encryption algorithm for modulo addition.
Specifically, for any x1 and x2, there are:
cu1(x1)+cu1(x2)=cu1((x1+x2))
wherein, the step (3) shows that:
due to the fact that
Then can be regarded as cu1(x1+x2):
I.e. where a polynomial is uniformly randomly chosen to be equal to from a ring of polynomials whose coefficients are-1, 0,1 {
The noise is selected according to chi-square distribution
Namely:
cu1(x1)+c(x2)=cu1((x1+x2))
thus the above encryption algorithm cu1() Is a homomorphic encryption algorithm with respect to modulo addition.
243. The first client device sends the ciphertext c of the first client device to the serveru。
When the first client device completes xiCryptographic calculation of (i ═ 1,2, …, enum) to obtain cuThereafter, c may be sent to the serveru。
244. Server aggregate ciphertext cuTo obtain an aggregate ciphertext
In the embodiment of the application, when the server receives cuAfter that, the transmission c is determineduIf the number of the client devices is not greater than t, the protocol is exited. If it sends cuIs greater than or equal to t, the server may send cuIs constructed as a set U3,U3The number of client devices in (1) is N3。
In an embodiment of the application, the first client device represents U2The client device receiving the second response message, so in this embodiment of the application, the server may run a homomorphic addition algorithm of the distributed threshold homomorphic encryption system to aggregate the ciphertext cuTo obtain an aggregate ciphertext
Wherein the ciphertext is aggregated
Comprises a first part
And a second part
The first part
From N3A ciphertext cuThe first partial ciphertext c of (1)u0Is polymerized to obtain a second part
From N3A ciphertext cuThe second partial cipher text c in (1)u1Is obtained by polymerization, i.e.
Wherein h is a preset parameter and represents a polynomialModulus of the coefficients.
Continuing the above example, assume t is 67, if U2Comprising 80 client devices, 10 client devices are disconnected, then U3Comprising 70 client devices, i.e. the server collects the C sent by 70 client devicesuHomomorphic encryption algorithm of distributed threshold homomorphic encryption system can be operated
To obtain
Wherein
245. Server to N3Each client device in the client devices respectively sends a third response message carrying the first part
In the embodiment of the application, when the server generates
Then, the server will partially cipher the text therein
Is sent to U3As a third response message. Continuing with the above example, the server sends U3C of client devices (70 client devices) of (1)uAn aggregate ciphertext is synthesized
Server parallel U3Each client device in (a) returns a portion of the ciphertext therein
The size is about 50 x 2048 x 54 bits, i.e., approximately 0.7 MB. Due to N3The first client device is included in the client devices, and thus the first client device acquires the first part
Aggregate ciphertext
Comprises a first part
And a second part
And fifthly, decrypting the ciphertext wheel.
In the ciphertext decryption round, the first client device (representing the client device receiving the third response message) receives the partial ciphertext transmitted by the server
After the third response message, the partial ciphertext is processed
Performing partial decryption processing to obtain partial decrypted ciphertext
The first client device then sends the partially decrypted ciphertext to the server
Let the server do the final decryption. Next, the first client device will be described as a representative example.
In this embodiment of the present application, decrypting the ciphertext round includes:
251. first client device aggregation N2Secret shares to obtain the first clientA secret sharing vector of the end device.
Wherein the secret sharing vector of the first client device comprises the aggregated private key secret sskuAnd aggregating random noise secrets
Aggregate private key secret sskuFrom N2The secret shares are obtained by aggregating the secret keys of each secret share, and random noise secrets are aggregated
From N2The random noise secrets of each of the secret shares are aggregated.
In the embodiment of the application, the input of the partial decryption algorithm is partial ciphertext
And the encrypted secret shares escrowed by the first client device
Wherein the content of the first and second substances,
refers to the encrypted secret share sent by the client device identified by v to the first client device (identified by U), since v is e.u1Then, then
Represents U1Each client device in the set of client devices sends an encrypted secret share to the first client device.
For example, the first client device may generate a secret sharing vector for decryption
In the embodiment of the present application, since in step 231, the second client device (with the identity v, representing U)1Customer in (1)End device) sends encrypted secret shares
Is encrypted using the second public key of the first client device, the first client device needs to use the second private key to encrypt the secret shares
Decrypting to obtain decrypted secret shares, i.e. messages
E.g. U1Comprises 90 client devices, then
Is U190 client devices (identity is v, v belongs to U)1) The secret shares sent to the first client device (identified by u), the set of secret shares actually received by the first client device is noted
The set of identity information of the client device corresponding to the secret share actually received by the first client device is U2Each 1 secret share contains 100K values. It can be known that the first 2048 of the 100K values is the first private key skv0The other values are secret shares of each coefficient in the random noise which is secret shared.
The first client device then aggregates the secret shares
To obtain the secret sharing vector. In an embodiment of the application, the first client device uses secret shares
For partial cipher text
Decryption is carried out by first decrypting
Performing aggregation, namely performing modulo addition operation to obtain a secret sharing vector:
wherein, sskuIs expressed as U2The aggregation of the first private keys of the respective client devices (i.e., the result of the modulo addition operation), the secret sharing vector used for decryption
Represents U2The aggregation of secret shares of random noise of the respective client devices.
E.g. U1With 90 client devices, enum 50, U2Having 80 client devices, then computing
I.e. performing a modular addition operation on 80 secret shares, the object of each modular addition operation is 100K secret shares to obtain a secret sharing vector for decryption
252. The first client device performs partial decryption to obtain a partially decrypted ciphertext
Illustratively, the server may use the aggregated private key secret sskuAnd aggregating random noise secrets
Decrypting a first part
To obtain a partially decrypted ciphertext
Wherein the content of the first and second substances,
h is a preset parameter and represents the modulus of the polynomial coefficient of the ciphertext.
Illustratively, the first client device uses a secret sharing vector
For partial cipher text
Performing partial decryption to obtain a partially decrypted ciphertext
It should be noted that, in the following description,
length of (2) and model parameter xuAre identical, i.e. that
M, in the present embodiment, will be
Is divided into enum segments to obtain
Wherein the content of the first and second substances,
for a polynomial of degree 2048, then a partial decryption algorithm of the distributed threshold homomorphic encryption scheme is run:
thereby obtaining
Thereby realizing the pair
Partial decryption of (2).
In the embodiment of the present application, if enum is 50, then
For each one
Running partial decryption algorithm of distributed threshold homomorphic encryption system to obtain partial decryption ciphertext
The partial decrypted ciphertext
The data volume of (a) is approximately 50 × 2048 × 54, about 0.7 MB.
It should be noted that the first client device is regarded as U3Is represented by (A), U3Wherein different pairs of secret sharing vectors generated by different client devices are the same
Partial decryption to obtain different partially decrypted ciphertext
253. The first client device sends a partially decrypted ciphertext to the server
When the first client device generates
Thereafter, the partially decrypted ciphertext is sent to the server
In the embodiment of the application, when the server receives the partial decrypted ciphertext
Thereafter, since the ciphertext is partially decrypted
Middle through
The server cannot decrypt the ciphertext according to the part
And decrypting to obtain the model parameters of the first client device, thereby protecting the privacy of the first client device.
254. The server decrypts the received partial decryption ciphertext
Final decryption is performed.
In the embodiment of the application, when the server receives the partial decrypted ciphertext
Thereafter, the ciphertext is decrypted with the received portion
Is N4If N is present4If the value is less than the threshold value t, the protocol is ended. Otherwise, the server decrypts the received portionThe ciphertext operates a final decryption algorithm of a distributed threshold homomorphic encryption system to obtain N3A weighted average of model parameters for individual client devices.
It should be noted that, in the embodiments of the present application, N is3Weighted average (N) of plaintext data for each of the plurality of client devices3Weighted average of individual plaintext data) as the shared secret, and the received N is considered4Partial decryption of ciphertext
The secret share considered as the secret can thus be passed through N4Partial decryption of ciphertext
To obtain the secret, i.e. N3A weighted average of the individual plaintext data.
Illustratively, the server receives N4Partial decryption ciphertext transmitted by each client device in client devices
To obtain N4Partial decryption of ciphertext
And then based on the second partial ciphertext
And N4Partial decryption of ciphertext
T partial decrypted ciphertext
Decrypting to obtain a final decrypted ciphertext m, wherein t is a preset threshold value and is less than or equal to N4。
In some possible implementations, the server uses a preset final decryption algorithm for the t partsSeparate decryption ciphertext
And a second partial ciphertext
Performing decryption calculation to obtain a polynomial t1The final decryption algorithm is used to decrypt the t secret shares to recover the secret shared data, and then to apply the polynomial t1To obtain a polynomial t2Finally, the server calculates the polynomial t2And (4) obtaining m and l as preset parameters by using the coefficient module l to represent the modulus of the polynomial coefficient of the plaintext data.
Note that t is calculated in the final decryption algorithm1Can be understood as decrypting t parts of the ciphertext
Considering t secret shares obtained by secret sharing certain data, t is calculated1Understood as decrypting t parts of the ciphertext
Is restored to the data. In the embodiment of the present application, since the first client device uses ss.split () (i.e., a secret sharing algorithm of Shamir) when performing secret sharing), then t is calculated1Split () can be seen as the inverse of ss.
It should be noted that, in ss.split (), a (T-1) degree polynomial f (x) is preset, where f (0) is set as the secret to be shared, f (x1), f (x2), … …, f (xt) are respectively T secret shares, and then f (x1), f (x2), … …, f (xt) are respectively sent to T devices for storage. Then any device, once it obtains T secret shares out of the T secret shares, can, without knowing the polynomial f (x), find f (x) and calculate the value of f (0) to recover the secret to be shared (i.e., the value of f (0)). That is, t is calculated1In the process of (2), the t parts are decrypted to obtain ciphertext
Looking at t of f (x1), f (x2), … …, f (xt), and then recovering the secret to be shared.
For example, the method for recovering the secret to be shared may be to bring t secret shares into a (t-1) th-order polynomial f (x) with unknown coefficients (i.e., the polynomial f (x) used in secret sharing), respectively, to obtain a system of equations, which is t-th-element linear equations, and obtain coefficients of the polynomial f (x) by solving the system of equations, thereby recovering f (x). F (0) is then calculated, resulting in the shared secret, i.e. the result of the final decryption algorithm. In some possible implementation manners, the value of each coefficient in the polynomial f (x) can be obtained by directly solving the equation set, solving the matrix equation and the lagrange interpolation algorithm, so as to obtain the polynomial f (x) and further calculate the value of f (0) as N3A weighted average of the individual plaintext data. The lagrange interpolation algorithm is explained as an example.
Illustratively, the server records the received partial decryption ciphertext
Wherein u represents the identity of the client device that sends the partial decrypted ciphertext, and V represents the set of identities of the client devices that send the partial decrypted ciphertext. In the embodiment of the present application, assuming that t is 67, if there are 70 client devices in V, the server also only needs to decrypt the ciphertext using 67 parts, so the cost of the final decryption algorithm is only related to t.
In the embodiment of the present application, the final decryption algorithm is:
(1) server request
T of1;
In this step, the input is
For each one
Calculating a polynomial t1:
Wherein, liuAnd the lagrangian interpolation coefficient is calculated according to the identity of the client equipment in the V.
(2) Server polynomial t2;
In this step, the first client device takes the polynomial t1To obtain a polynomial t2。
By way of example, e.g. a polynomial t1(0.7,0.8,0.1), then the polynomial t2=(1,1,0)。
(3) Server compute mi=[t2]l。
In this step, the server calculates mi=[t2]lTo obtain m ═ m (m)1,...,menum) And m is N3A weighted average of model parameters for individual client devices.
The technical effects of the present solution will be described below with reference to the proof of the effectiveness of the solution provided in the present embodiment.
In the following descriptions, X, NS0, MP, Y and NS are intermediate amounts and have no special meaning, and m is used hereinuAs model parameters for a single client device.
In particular, the following requires demonstration
Wherein m represents a result obtained by the server performing final decryption operation on the received partial decrypted ciphertext, U represents a set of client devices uploading model parameters in the federal learning system, that is, N in the above embodiment3Identity of individual client devices, muModel parameters representing the client device identified by the identity u,
the weighted average of the model parameters for each client device in U is shown, which corresponds to N in the above-described embodiment3A weighted average of plaintext data for each client device.
And (3) proving that:
is provided with
Wherein V represents N used by the server to perform the final decryption algorithm4Partial decryption of ciphertext
The identity of the corresponding client device, i.e. U, comprises V.
Then the formula in step 254 above is followed to obtain:
according to partial decryption algorithms
Wherein equation (1) is available:
due to the fact that
(homomorphic addition algorithm),
(homomorphic addition algorithm),
(homomorphic encryption algorithm),
(homomorphic encryption Algorithm, encrypted plaintext m)u),
(public key synthesis algorithm) of the public key,
(key generation algorithm), equation (2) can be derived:
then, let:
Y=[X-NS0-MP]h
wherein m isuAs model parameters, equation (3) can then be derived:
order to
It is possible to obtain:
X=[NS+MP]h
due to the fact that
Equation (4) can be obtained:
then, when
When is at time
Namely, it is
Can obtain
Therefore, the numerical value obtained by aggregating the model parameters uploaded by each client device in the U can be obtained
Equal to the value m obtained after the above encryption and decryption, i.e., the above decryption result is correct.
Then, due to
sku0Is of the formula R3And is and
generated by chi-square distribution chi, the degree of freedom B in chi-square distribution chi is limited by the system parameters, so that the absolute value NS is less than or equal to the absolute value U and the absolute value B + deltaR|U|2B+|U|B+δR|U|2B=2|U|B(1+δRU | is true) to ensure
So that
Thus, the method of the first embodiment of the present application is proved to be effective.
It should be noted that B is a boundary in chi-square distribution χ, and the value is not more than B. Specifically, if one value is generated from chi-square distribution χ, if the value exceeds B, it is discarded, and another value is generated again from chi-square distribution χ. In some possible implementations, the value B is equal to 8 or 10 times the variance of the chi-squared distribution χ. In addition, δ R is an expansion factor (expxx factor), and it is preferable to estimate the assurance margin, and the value of δ R is generally a value of a polynomial degree d (in the embodiment of the present application, d is 2048).
In the method of the present application, since the client device obtains N2Secret shares, i.e. N2Secret shares of each client device in the client devices, when the client devices receive the aggregated ciphertext
The first part of
When N is used, N can be used2Aggregating the secret shares to obtain a secret sharing vector, and using the secret sharing vector to pair the first part
Decrypting to obtain partially decrypted ciphertext
And transmits the partially decrypted ciphertext
Due to N2Each secret share in the secret shares comprises a random noise secret obtained by secret sharing of random noise in addition to the private key secret of the first private key, so that when the server receives a partially decrypted ciphertext
Then, the ciphertext cannot be decrypted based on the portion
Restoring a single client devicePartial decrypted ciphertext to be transmitted
The plaintext data is recovered, thereby protecting the privacy of the client device.
In addition, the ciphertext from the second client device is obtained by the second client device encrypting the plaintext data of the second client device according to an encrypted public key PK, which is aggregated by the second client device to the N2The first public key of each client device is obtained, and the secret sharing vector is obtained by aggregating N2A secret share is obtained, wherein the secret share comprises a private key secret, N2First public key and N of client device2The first private key of each client device corresponds to, and N2Secret shares are respectively composed of N2The first private key of each client device is shared in secret, and then the first client device uses the secret sharing vector to aggregate the ciphertext
The first part of
Partial decryption is performed to obtain partial decrypted ciphertext
When the server obtains at least t partial decrypted ciphertexts
Time (t is a threshold value), the ciphertext can be decrypted according to at least t parts based on a distributed threshold homomorphic encryption system
To get N secret shares of3A weighted average of plaintext data for each client device.
Viewed from another perspective, in an implementation of the present application, when a server receives N3A client deviceN sent by each client device3A ciphertext cuDue to N3A ciphertext cuIs formed by N3Each of the client devices encrypts its respective plaintext data using an encrypted public key PK, denoted by N3The first public keys of the client devices are aggregated, and the server does not have N3The first private key of any client device in the client devices, so the server cannot decrypt the ciphertext cuThereby protecting N3Privacy of individual client devices.
Then, the server pair N3A ciphertext cuPolymerizing to obtain a polymerized ciphertext
The aggregate ciphertext
Comprises the first part
And a second part
The first part
From said N3A ciphertext cuThe first partial ciphertext c of (1)u0Is polymerized to obtain the second part
From said N3A ciphertext cuThe second partial cipher text c in (1)u1Is polymerized, and then the server sends the N3Each client device in the client devices respectively sends the first part
So that N is3N in one client device4Each of the client devices may be paired with a first portion
Partial decryption is performed to obtain N4Partial decryption of ciphertext
And returned to the server.
Due to the N4Partial decryption of ciphertext
Respectively decrypt the ciphertext
Respectively formed by said N4Corresponding ones of the client devices use the respective generated secret sharing vectors for the first portion
Partial decryption is performed to obtain the secret sharing vector comprising the aggregated private key secret sskuAnd aggregating random noise secrets
The aggregate private key secret sskuFrom said N2The secret shares are obtained by secret aggregation of the private keys of each secret share, and the random noise secret is aggregated
From said N2The random noise secret of each secret share in the secret shares is aggregated, and the secret key secret is the N4Each client device in the client devices shares the first private key in secret to obtain one private key secret, so that the server can perform secret sharing on the second part of ciphertext according to a preset final decryption algorithm
And said N4Partial decryption of ciphertext
T partial decrypted ciphertext
Decrypting to obtain a final decrypted ciphertext m, wherein t is a preset threshold value and is less than or equal to N4The final decryption algorithm is used for performing decryption calculation on the t secret shares to recover the data which is subjected to secret sharing, so that the server obtains N3A weighted average of plaintext data for each client device for subsequent use.
Example II,
In the first embodiment, if the active attacker controls the server, so that the server broadcasts a false public key (including the first public key and the second public key), the client device uses the wrong public key encryption model parameters, thereby causing hidden danger to the privacy protection of the client device. To this end, in the embodiment of the present application, the client device may guarantee the correctness of the first public key sent by the server by using a digital certificate from an authority Certificate Authority (CA).
In addition, the server may not perform the aggregation of the ciphertext c under the control of an active attackeruBut m isuSent to a single client device to attempt to decrypt mu. In order to avoid the risk that the server is controlled by an active attacker and the privacy of a user is revealed, the embodiment of the application restricts the behavior of the server through a security verification mechanism, the server is verified to perform specified operation (for example, summation/aggregation operation on a ciphertext), the security verification mechanism is to ensure that the verification is performed actually, and the security verification mechanism can be implemented through a blockchain network.
In some possible implementations, the blockchain network may be an ethernet or fabric. In the second embodiment, the intelligent contract in the ether house is taken as an example of the verification mechanism for description. Of course, the behavior of the server may also be constrained by other forms of security verification mechanisms, which are not limited in this application.
Next, please refer to fig. 3, which discloses a data processing method according to a second embodiment of the present application. In the second embodiment, a server and 100 client devices are taken as an example for detailed description.
The method flow of the second embodiment comprises the following steps: an initialization wheel (a server generates system parameters and sends the system parameters to 100 client devices, each client device in the 100 client devices generates a respective public and private key pair according to the system parameters), a broadcast account wheel (each client device participating in the protocol and generating the respective public and private key pair discloses own identity and public key information to an Ethernet network), a sharing key wheel (the client device receiving a first response message shares the first private key in a secret way and respectively transfers the generated secret shares to other client devices for storage), a ciphertext wheel (each public key information is used for generating an encrypted public key and encrypting the model parameters to obtain a ciphertext and sends the ciphertext to a server, the server aggregates the ciphertext to obtain an aggregated ciphertext and sends the part of the ciphertext to the client devices) and the decryption key wheel (the client devices receive part of the ciphertext, the secret shares collected in the sharing key wheel are used for carrying out partial decryption on the partial ciphertext to obtain a partial decrypted ciphertext, the partial decrypted ciphertext is returned to the server, and the server is allowed to carry out final decryption on the partial decrypted ciphertext).
It should be noted that, in the embodiment of the present application, the plurality of client devices refers to all or part of 100 client devices.
Each round is described in detail below.
Firstly, initializing a wheel.
In the initialization process, the server may run a setting algorithm of a distributed threshold homomorphic encryption system, generate system parameters, and send the system parameters to each client device of 100 client devices. Each of the 100 client devices may use the system parameters and run a key generation algorithm of a distributed threshold homomorphic encryption system to form a public-private key pair. In addition, the server can also be provided with an intelligent contract, and the behavior of the server is restrained by operating the intelligent contract.
311. The server generates system parameters.
In step 311, the step of generating the system parameters by the server is the same as that in step 211, which is not described herein again.
In the embodiment of the application, the server and the 100 client devices both have the ether house accounts (blockchain accounts) and have the capability of receiving and sending ether house transactions, so that the server deploys an intelligent contract in a blockchain network through the blockchain accounts of the server, the intelligent contract is used for restricting the behavior of the server and ensuring that the server executes the aggregated ciphertext cuTo increase the trustworthiness of the server.
In the embodiment of the present application, the server-deployed intelligent contract is named as: EpochencCheck. The intelligent contract epochencheck includes a contract initialization function, a logging function, and a checking function.
The following describes each function separately.
(1) The contract initializes the function.
In the embodiment of the application, the contract initialization function is called and executed by the server, and the input parameter is the threshold value t. The contract initialization function is used to check whether the number of mortgage tokens in the server's etherhouse account is sufficient to indemnify t client devices.
In the embodiment of the present application, if the sum of the number of the mortgage tokens in the ether house account of the server and the number of the mortgage tokens injected by the server in the next generation is not less than the product of the remaining generation number and the minimum value of the compensation of each generation, the number of the mortgage tokens in the ether house account representing the server is sufficient, otherwise, the number is not sufficient. It should be noted that, a generation is to finish uploading the ciphertext by multiple client devices at a time, and the server decrypts the ciphertext to obtain a weighted average of multiple model parameters, for example, completely execute the scheme of the first embodiment once. If the number of the tokens to be collated in the Ethernet workshop account of the server is not enough, the contract initialization function reduces the tokens injected this time from the Ethernet workshop account of the server, increases the number of the tokens to be collated in the intelligent contract, and then stores the identification information and the threshold value t of the server. If so, the subsequent steps are continued.
When executing the intelligent contract, in order to ensure that the server executes the aggregation ciphertext c in each generationuThe steps of (1) are performed and the server needs to first preset enough mortgage tokens in the smart contract. Sufficient mortgage tokens refer to sufficient product not less than each generation indemnity value multiplied by the number of generations remaining. The generation number is the preset number of times of running the generation, the remaining generation number is the remaining generation number to be executed, and each generation compensation value is the aggregation ciphertext c if the server does not execute the aggregationuThe amount of the mortgage token in the server's etherhouse account that will be deducted.
For example, if the generation number is 100 and the minimum value of the indemnity per generation is 10 mortgage tokens, the server needs 1000 tokens as 10 × 100 mortgages, i.e. 1000 mortgage tokens are sufficient. If 10 generations are performed, and 90 remaining generations are performed, then the server needs to collate 10 x 90 tokens to 900 tokens, i.e., 900 tokens are sufficient. If the number of tokens in the Etherhouse account of the server is deducted to 0, which indicates that the server does not fulfill the contract for many times, the intelligent contract is ended as a punishment, and the intelligent contract does not return the mortgage tokens to ensure that the server executes the aggregation ciphertext cuThe step (2).
(2) The function is recorded.
The record function is used for recording N3A ciphertext cu。
In the embodiment of the application, the recording function is called and executed by each of the plurality of client devices, and is used for storing the input parameters. Wherein, the input parameters of the recording function comprise: generation identification, Ether house account number of client equipment executing the recording function and ciphertext c sent by the client equipmentu. The recording function is used to record and store these parameters. The generation identification is used to indicate the current generation.
(3) The function is checked.
The checking function is used for checking server aggregation N3Secret codeText cuWhether the step of (1) is performed. In some possible implementations, a check function is used to perform the aggregation N3A ciphertext cuTo obtain a check aggregate ciphertext
Checking aggregate ciphertext
Including a first portion of the inspection aggregate ciphertext
If it is
And
if so, the check function determines the server aggregation N3A ciphertext cuThe steps of (1) are performed.
In the embodiment of the application, the checking function is called and executed by the server, and the input parameters comprise an end identifier, a generation identifier and a part of ciphertext
And a user account list LA.
In this embodiment of the present application, the generation identifier of the check function should be consistent with the generation identifier in the record function, otherwise, it indicates that the generation identifier is tampered with by the server, and the check function deducts the mortgage token of the next generation, shares the mortgage token to the ether house account of the client device in the record function, and exits the check function.
It should be noted that the user account list LA represents the client device corresponding to the received message. For example, the first client device sends the ciphertext c to the serveruThen the first client device is in the user account list LA. In the embodiment of the present application, through the checking function, the server may check whether the number of different user accounts in the user account list LA is greater than or equal to t,if t is greater than t, the check function continues to be executed, and if t is not greater than t, the check function exits.
And if the number of different user accounts in the user account list LA is larger than or equal to t, the server constructs an A set according to the LA, so that the A belongs to the LA, and the generation identification of the client equipment in the A is the same as the generation identification of the server. It should be noted that the server should make a LA, and apply each ciphertext c in auThe polymerization is carried out so the scale of a should be the same as the scale of LA. Thus, the check function may also check whether the scale of a is the same as the scale of LA. If not, the server is not prepared for all the ciphertexts c in LAuAnd aggregating, and then as a penalty, the checking function deducts the mortgage token in the ether house account of the next generation server, shares the mortgage token with the ether house account of the client device with the generation identifier, and exits from the checking function. If the scale of A is the same as that of LA, the check function executes a homomorphic addition algorithm of a distributed threshold homomorphic encryption system to homomorphically add the ciphertext submitted by the client device in the set A to obtain the ciphertext
When the server executes the homomorphic addition algorithm of the distributed threshold homomorphic encryption system, the check function can check whether the output of the homomorphic addition algorithm contains part of the ciphertext
I.e. whether the server generated part of the ciphertext is
If not, the server does not correctly execute the homomorphism adding algorithm, and the checking function deducts the mortgage token of the next generation as a punishment and shares the mortgage token with the Ether house account of the client device with the generation identifier.
After the check function has checked a portion of the server's ciphertext, the end flag may be viewed. If the end flag is true, the server decides to end the intelligent contract, and after waiting for a number of block times (e.g., 1 block time is 10 seconds, and 6 block times are 1 minute), returns the mortgage token to the ethernet account of the server, and the intelligent contract ends.
In some possible implementations, the check function may also check whether the mortgage token is empty. If the mortgage token is empty, the smart contract will end regardless of whether the end flag is true.
It should be noted that the intelligent contract is a virtual entity with an address. When the server needs to call and execute the intelligent contract, the Ethernet house transaction can be constructed and sent to the intelligent contract, and the intelligent contract executes a corresponding function according to the content in the Ethernet house transaction so as to realize the action constraint of the server.
312. The server sends the system parameters.
Step 312 is the same as step 212, and is not described herein.
313. And the first client equipment generates a public and private key pair according to the system parameters.
The manner in which the first client device generates the public-private key pair according to the system parameters in step 313 is the same as that in step 213, and is not described herein.
In addition, in the present embodiment, each client device has a digital certificate from a Certificate Authority (CA). It should be noted that, taking the first client device as an example, the digital certificate is that the first client device sends the first public key to the CA, and the CA uses its own private key to sign the first public key to obtain the digital certificate, and returns the digital certificate to the first client device. The CA discloses its own authentication public key, so the client devices in the system all have the CA's authentication public key, e.g., a first client device and a second client device. Then, when the first client device sends the digital certificate to the second client device, the second client device may decrypt the digital certificate through the authentication public key of the CA, and if the decryption is successful, the first public key of the first client device may be obtained, and it is indicated that the first public key is correct and has not been modified.
In the embodiment of the application, each client device (including the first client device) in the plurality of client devices respectively has an ethernet house account, and has the capability of receiving and sending ethernet house transactions, and meanwhile, the first client device also calls and executes a recording function in the intelligent contract.
In the embodiment of the application, the ethernet network is a distributed network created based on a block chain technology. The ethernet lane network includes a plurality of ethernet lane nodes. For example, the plurality of client devices and 1 server are all ethernet lane nodes, forming an ethernet lane network. The Etherhouse nodes are devices with Etherhouse related applications built in, and the devices can be user terminals or servers. The transaction between the Etherhouse nodes can be realized through the Etherhouse accounts.
The etherhouse transaction is constructed from etherhouse nodes, including the receiving etherhouse node, the number of tokens, and data fields. When the ether house node constructs an ether house transaction, the ether house node can send the ether house transaction to the ether house network, which can also be called as broadcasting to the ether house network, so that all the ether house nodes in the ether house network can acquire the content in the data field of the ether house transaction by acquiring the ether house transaction. The content of the data field in the EtherFang transaction can be a public key and a partial cryptograph
Ciphertext cuAnd the like.
It should be noted that miners (the ether house nodes for accounting) in the ether house network can record the ether house transactions and write the recorded ether house transactions to the ether house accounts of the ether house nodes, so that the ether house nodes can obtain the contents of the data fields of the ether house transactions by querying the ether house accounts of other ether house nodes.
For example, the first public key of the first client device may be used as long-term, multi-use data, and when sent as an ethernet transaction to the ethernet house network, a certain number of tokens may be set so that miners may write these first public keys to the ethernet house account of the first client device, then a number of these first public keysOther client devices in the client devices may obtain the first public key of the first client device by querying the etherhouse account of the first client device. However, for partial ciphertext
Ciphertext cuAnd because the device is disposable, the device does not need to be written into an Etherhouse account.
It should be noted that the first client device may be an ethernet lane node or may not be the ethernet lane node. If the first client device is not an etherhouse node, the etherhouse transaction can be implemented by communicating with other etherhouse nodes, such as by connecting to a server that is an etherhouse node.
And secondly, broadcasting an account wheel.
In the broadcast secret account, each client device can disclose the information of the ether house account to the ether house network, so that each client device can write a first public key into the ether house account, and the first public key can be disclosed.
321. The first client device sends an etherhouse account to the server.
In this embodiment, the first client device may first check whether the server in the smart contract has enough mortgage tokens, and confirm the parameter t in the smart contract. If the server does not have enough mortgage tokens, the first client device exits the protocol. If the server has enough mortgage orders, the first client device can read the local timestamp, generate a message from the own Ethernet account and the local timestamp, digitally sign the message by using the own private key, and send the digitally signed message to the server.
In this embodiment, the data size of the timestamp may be 64 bits, the data size of the ethernet account may be 160 bits, and the digital signature adopts a Digital Signature Algorithm (DSA) and requires 512 bits, so that the total number of digitally signed messages is 68 bytes. The first client device should also submit its own digital certificate or digital certificate number, one digital certificate being approximately 2KB, so the amount of data sent by the first client device is approximately 2KB +68 bytes.
In this embodiment of the application, the first client device may construct an etherhouse transaction, which carries the first public key pkv0The first client device sends the Ether shop transaction to the Ether shop network, so that the miners in the Ether shop network can use the first public key pkv0Recorded in an etherhouse account of the first client device. Then, each of the plurality of client devices may implement the respective first public key pkv0Written to the respective etherhouse account.
322. Server to N1The client equipment broadcasts a first response message, and the first response message carries U1The ether house account of each client device.
In the embodiment of the present application, if the server collects messages of at least t client devices, the identities of the client devices that the server collects the messages are regarded as a set U1. If the server collects less than t, the protocol is exited. Otherwise, the server generates a generation identification as the unique identification of the protocol and collects the U1The message and generation ID of the middle client device are used as the first response message and broadcast to U1The client device of (1).
It should be noted that, by broadcasting the first response message through the server, each of the plurality of client devices obtains the information of the ethernet accounts of the other client devices. For example, the plurality of client devices all acquire information of the ethernet house account of the first client device, so that the first client device may write information to be disclosed in the ethernet house account, and each of the plurality of client devices may acquire the information to be disclosed, such as the first public key, by querying the ethernet house account of the first client device.
Illustratively, the first client device publishes the first public key of the first client device through a blockchain account of the first client device. In addition, the first client device determines a blockchain account of the second client device, and queries the blockchain account of the second client device through the blockchain account of the first client device to obtain a first public key of the second client device.
In the embodiment of the application, when U is1When the number of the middle client devices is 100, t is set to be the smallest integer larger than 100 × 2/3, namely 67, namely U1At least 67 blockchain accounts are included. In the first response message constructed by the server, the SHA256 algorithm can be used to identify U when calculating the generation identifier1The blockchain account number and local timestamp in the set are used as input to get a 256-bit generation id. Note that if U is1Which contains 90 blockchain accounts for the client device, the amount of data sent by the server to the client device is approximately 90 × 2KB +32 ≈ 180KB in total.
And thirdly, sharing the key wheel.
In the sharing key wheel, the client device receiving the first response message can share the first private key in secret, and the obtained secret share is given to the U1The other client devices in (1) are stored. The following description will be given taking the first client apparatus as an example.
331. First client device generating N1Share secret shares, wherein 1 share of the secret share comprises 1 private key secret and 1 random noise secret.
In the embodiment of the application, after the first client device receives the first response message sent by the server, whether the number of different client devices in the first response message is greater than t, whether the digital signature is correct, and whether the timestamp is reasonable is checked. If the number of different client devices is larger than t, the digital signature is correct, and the timestamp is reasonable, the first client device runs a sharing generation algorithm of a distributed threshold homomorphic encryption system to obtain the encrypted related sku0Multiple secret shares of. For the sharing generation algorithm of the distributed threshold homomorphic encryption system, please refer to step 231, which is not described herein.
332. The first client device sends N to the server1Share secret shares.
Step 332 is the same as step 232 and will not be described herein.
333. The server sends a second response message to the client device, wherein the second response message carries U2Of the secret shares of the respective client devices.
In this embodiment, if the server collects at least t secret shares sent by the client device, the secret shares are divided according to different ethernet accounts of the receivers and are sent to different receivers separately as a second response message. And if the server cannot collect at least t secret shares sent by the client device, exiting the protocol.
Fourthly, collecting the ciphertext wheel.
In the ciphertext round, the first client device that receives the second response message may encrypt the model parameter x that it wants to uploaduTo obtain a ciphertext cuAnd combines these ciphertexts cuSending to the server, which then sends these ciphertexts cuAnd transmitting the ciphertext to other client side equipment, and enabling the client side equipment which receives the ciphertext to partially decrypt the ciphertext.
Next, the first client apparatus will be described as an example.
341. First client device aggregation N1One first public key from N2A first public key of the client device to obtain an encrypted public key PK
In the embodiment of the present application, the method for generating the encrypted public key PK in step 341 is the same as that in step 241, and is not described herein again. It should be noted that, in the embodiment of the present application, each first public key pkv0May be obtained in an etherhouse account by querying the respective client device, and the etherhouse account is obtained in the first response message.
342. The first client device encrypts a model parameter x of the first client device using an encrypted public key PKu(plaintext data) to obtain ciphertext c of the first client deviceu。
In the embodiment of the present application, the encryption method in step 342 is the same as that in step 242, and is not described herein again.
343. The first client equipment sends the cryptograph c of the first client equipment to the Ethernet workshop networku。
In the embodiment of the present application, when the ciphertext c is generateduThereafter, the first client device uses the ciphertext cuAnd constructing an Ethernet shop transaction, and sending the Ethernet shop transaction to an Ethernet shop network, wherein a receiver of the Ethernet shop transaction is a server. And the first client device calls a recording function in the intelligent contract to record the generation identification of the current generation, the Ether house account number of the first client device and the sent ciphertext cu. It should be noted that the server may obtain c by querying the ethernet house transaction in the ethernet house networkuThat is, the first client device sends the ciphertext c to the server through the EtherFang networku。
344. The server obtains N from the Ether house network3A ciphertext cu。
It should be noted that, sending the ethernet house transaction to the ethernet house network by the first client device is equivalent to broadcasting the content in the ethernet house transaction, so that the server can obtain the ethernet house transaction from the ethernet house network to obtain cu. Then, each of the plurality of client devices may send the ciphertext c to the server via the ethernet networku。
345. Server aggregate ciphertext cuTo obtain an aggregate ciphertext
In this embodiment of the application, after the server collects the ethernet lane transactions of at least t client devices through the ethernet lane network, the ethernet lane accounts of the client devices of the at least t ethernet lane transactions are regarded as a set U3If U is present3If the number of the client devices is less than t, the protocol is exited, otherwise the server is aggregateduTo obtain
In particular, the servicePolymerization in reactor cuPlease refer to step 244 for the detailed process of this embodiment, which is not described herein.
346. The server sends a third response message to the Ethernet workshop network, which carries the first part
In the embodiment of the application, the server transmits part of the ciphertext
The method is structured as an Ether house transaction which carries partial cipher text
In addition, the server handles U3Is regarded as a user account list LA and executes a check function in the intelligent contract to ensure that the server has realized the ciphertext c to a plurality of client devicesuIs performed by homomorphic addition. And after the server generates the Ethernet house transaction, sending the Ethernet house transaction to the Ethernet house network. The server discloses the ether house transaction, so that each client device in the plurality of client devices can acquire the ether house transaction from the ether house network, namely acquiring
Ciphertext c of 70 client devices at this time, for exampleuA ciphertext is synthesized
The server only using therein
An ether house transaction is constructed.
About 50 x 2048 x 54 bits, approximately 0.7MB, server-structured ether house transactions except
It is also necessary to include a list of user accounts LA, of about 20 bytes per account, 70 totaling 1.4 KB. Then the server finally constructs an etherhouse transaction size of about 0.7M.
347. The first client device obtains partial cipher text from the Ethernet workshop network
In the embodiment of the application, the first client device acquires the Ethernet house transaction sent by the server from the Ethernet house network, and extracts a part of ciphertext in the Ethernet house transaction
And fifthly, decrypting the ciphertext wheel.
In the ciphertext wheel of the embodiment of the application, U3The client device in (1) receives the message sent by the server
And partial decryption processing is carried out to obtain
And returning the data to the server to enable the server to perform final decryption processing.
The first client device will be described in detail below as an example.
351. First client device aggregation N2A secret share to obtain a secret sharing vector for the first client device.
Step 351 is the same as step 251, and is not described herein.
352. The first client device performs partial decryption to obtain a partially decrypted ciphertext
Step 352 is the same as step 252 and will not be described herein.
353. First of allThe client device sends a partially decrypted ciphertext to the server
Step 353 is the same as step 253, and is not described herein.
354. The server decrypts the received partial decryption ciphertext
Final decryption is performed.
Step 354 is the same as step 254 and is not repeated here.
In the embodiment of the application, the server is prevented from tampering public key information (first public key) through the digital certificate, and meanwhile, the server is restrained from behavior through the intelligent contract based on the Ethernet network, so that the server is ensured to execute the aggregation ciphertext cuThe method avoids the user privacy disclosure when the server is actively attacked, and does not need to rely on a credible third-party device.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present application is not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
To facilitate better implementation of the above-described aspects of the embodiments of the present application, the following also provides relevant means for implementing the above-described aspects.
Referring to fig. 4, a first client device 400 provided in an embodiment of the present application may include: a transceiver module 401 and a processing module 402, wherein,
a transceiver module 401 for obtaining N2Secret shares of respective ones of the client devices to obtain N2Secret shares, N2Each client device comprises a second client deviceThe secret shares from the second client device include a private key secret and a random noise secret, the private key secret being one of a plurality of private key secrets obtained by the second client device sharing the first private key of the second client device in secret, N2The first private key of the second client device and the first public key of the second client device form a first public and private key pair of the second client device, wherein the first private key is an integer greater than or equal to 2;
the transceiver module 401, further configured to obtain the first part
The first part
And a second part
Composing an aggregated ciphertext
Aggregate ciphertext
From N respectively3The ciphertext of each client device is aggregated to obtain N2Each client device comprises N3Individual client device, N3The client devices comprise second client devices, ciphertext from the second client devices is obtained by the second client devices through encrypting plaintext data of the second client devices according to encryption public keys PK, and the encryption public keys PK are aggregated by the second client devices to obtain the N2Obtaining a first public key of each client device;
a processing module 402 for aggregating N2A secret share to obtain a secret sharing vector for the first client device, the secret sharing vector for the first client device including the aggregated private key secret sskuAnd aggregating random noise secrets
Aggregate private key secret sskuFrom N2The secret shares are obtained by aggregating the secret keys of each secret share, and random noise secrets are aggregated
From N2The random noise of each secret share in the secret shares is obtained through secret aggregation;
The transceiver module 401 is further configured to transmit a partially decrypted ciphertext
In some of the possible implementations of the present invention,
wherein h is a preset parameter and represents the modulus of the polynomial coefficient of the ciphertext.
In some possible implementations, the transceiver module 401 is further configured to acquire the information from N1A first public key of each of the client devices to obtain N1A first public key, N1Each client device comprises N2A client device; a processing module for aggregating N1One first public key from N2A first public key of each client device to obtain an encrypted public key PK;
the processing module 402 is further configured to encrypt plaintext data of the first client device using the encrypted public key PK to obtain a ciphertext c of the first client deviceu;
Transmit-receive moduleBlock 401, also for sending a ciphertext c of the first client deviceu。
In some possible implementations, the transceiver module 401 is further configured to forward N to1Each of the client devices sends a first public key of a first client device.
In some possible implementations, the processing module 402 is further configured to generate a first random noise, and generate N of a first private key of the first client device1N of secret key secret and first random noise1Share random noise secret to obtain N1A secret share comprising a private key secret and a random noise secret. A transceiver module 401 for transmitting data to N1Each client device in the client devices respectively sends N1One of the secret shares, the secret shares sent to different client devices, are different.
In some possible implementations, the first client device 400 has a blockchain account.
In some possible implementations, the first client device 400 obtains the first portion over a blockchain network
In some possible implementations, the processing module 402 is further configured to determine a blockchain account of a second client device, where the second client device is a different client device from the first client device 400, query the blockchain account of the second client device through the blockchain account of the first client device to obtain a first public key of the second client device, and then aggregate the first public key of the second client device and the blockchain account from N2The first public keys of other client devices in the client devices are used for obtaining an encrypted public key PK, and the plaintext data of the first client device is encrypted by using the encrypted public key PK to obtain a ciphertext c of the first client deviceu。
The transceiver module 401 is further configured to send the password of the first client device to the blockchain network through the blockchain account of the first client device 400Text cu。
In some possible implementations, the processing module 402 is further configured to disclose the first public key of the first client device 400 through the blockchain account of the first client device 400.
In some possible implementations, the aggregation is an addition operation, a modulo addition operation, a multiplication operation, or a modulo multiplication operation.
In some possible implementations, the plaintext data includes model parameters.
Referring to fig. 5, a server 500 according to an embodiment of the present application may include: a transceiver module 501 and a processing module 502, wherein,
a transceiver module 501 for receiving N3Ciphertext c sent by each client device in each client deviceuTo obtain N3A ciphertext cuCiphertext cuIncluding a first partial ciphertext cu0And a second partial ciphertext cu1,N3Is an integer of 2 or more, N3A ciphertext cuEach ciphertext c ofuAre each independently of N3The corresponding client device in the client devices encrypts the plaintext data thereof by using an encrypted public key PK, and the encrypted public key PK is aggregated by the second client device N2First public key derivation, N, for individual client devices2Each client device comprises N3A client device.
A processing module 502 for aggregating N3A ciphertext cuTo obtain an aggregate ciphertext
Aggregate ciphertext
Comprises a first part
And a second part
The first part
From N3A ciphertext cuThe first partial ciphertext c of (1)u0Is polymerized to obtain a second part
From N3A ciphertext cuThe second partial cipher text c in (1)u1And polymerizing to obtain the polymer.
A transceiver module 501 for transmitting data to N3Each client device in the client devices respectively sends the first part
And receive N4Partial decryption ciphertext transmitted by each client device in client devices
To obtain N4Partial decryption of ciphertext
N4Partial decryption of ciphertext
The decryption ciphertext of each part is respectively composed of N4Corresponding ones of the individual client devices use the respective generated secret sharing vectors for the first portion
The partial decryption is performed to obtain a secret sharing vector comprising the aggregated private key secret sskuAnd aggregating random noise secrets
Aggregate private key secret sskuFrom N2The secret shares are obtained by aggregating the secret keys of each secret share, and random noise secrets are aggregated
From N2The random noise secret of each secret share in the secret shares is aggregated to obtain a secret key secret N4One of the multiple private key secrets obtained by secret sharing of the first private key by each of the client devices, N3Each client device comprises N4A client device;
the processing module 502 is further configured to obtain a second partial ciphertext
And N4Partial decryption of ciphertext
T partial decrypted ciphertext
Decrypting to obtain a final decrypted ciphertext m, wherein t is a preset threshold value and is less than or equal to N4。
In some possible implementations, the processing module 502 is further configured to decrypt the ciphertext using the final decryption algorithm and the t portions
And a second partial ciphertext
Performing decryption calculation to obtain a polynomial t1And the final decryption algorithm is used for carrying out decryption calculation on the t secret shares so as to recover the data which is subjected to secret sharing, and the polynomial t is subjected to1To obtain a polynomial t2And calculating the modulus l of each coefficient in the polynomial t2 to obtain m, l as a preset parameter, which represents the modulus of the polynomial coefficient of the plaintext data.
In some of the possible implementations of the present invention,
wherein h is a preset parameter and represents the modulus of the polynomial coefficient。
In some possible implementations, the transceiver module 501 is further configured to obtain N1A first public key of each of the client devices to obtain N1A first public key, N1Each client device comprises N3A client device to N1Individual client device broadcasts N1A first public key.
In some possible implementations, the transceiver module 501 is further configured to receive N2N sent by second client device in client devices1Share secret share, and N1Each secret of secret shares and N1Each client device in the client devices corresponds to, N1Each client device comprises N2A client device.
A processing module 502, further configured to process the data according to N2A first one of the client devices determines N1A first secret share of the share secret shares, the first secret share corresponding to the first client device.
The transceiver module 501 is further configured to send a first secret share to a client device.
In some possible implementations, the server 500 has a blockchain account.
In some possible implementations, the transceiver module 501 is further configured to obtain N from the blockchain network through the blockchain account of the server3A ciphertext cuSending the first portion to the blockchain network through the blockchain account of the server
In some possible implementations, the processing module 502 is further configured to deploy an intelligent contract in the blockchain network through the blockchain account of the server, the intelligent contract including a logging function and a checking function. Wherein the recording function is used for recording N3A ciphertext cuChecking function for checking processing module aggregation N3A ciphertext cuWhether the step of (1) is performed.
In some possible implementations, the aggregation is an addition operation, a modulo addition operation, a multiplication operation, or a modulo multiplication operation.
It should be noted that, because the contents of information interaction, execution process, and the like between the modules/units of the apparatus are based on the same concept as the method embodiment of the present application, the technical effect brought by the contents is the same as the method embodiment of the present application, and specific contents may refer to the description in the foregoing method embodiment of the present application, and are not described herein again.
The embodiment of the present application further provides a computer storage medium, where the computer storage medium stores a program, and the program executes some or all of the steps described in the above method embodiments.
Referring next to another first client device 600 provided in an embodiment of the present application, please refer to fig. 6, where the first client device 600 includes:
a receiver 601, a transmitter 602, a processor 603 and a memory 604 (wherein the number of processors 603 in the first client device 600 may be one or more, for example one processor in fig. 6). In some embodiments of the present application, the receiver 601, the transmitter 602, the processor 603 and the memory 604 may be connected by a bus or other means, wherein the connection by the bus is exemplified in fig. 6.
The memory 604 may include a read-only memory and a random access memory, and provides instructions and data to the processor 603. A portion of memory 604 may also include non-volatile random access memory (NVRAM). The memory 604 stores an operating system and operating instructions, executable modules or data structures, or a subset or an expanded set thereof, wherein the operating instructions may include various operating instructions for performing various operations. The operating system may include various system programs for implementing various basic services and for handling hardware-based tasks.
The processor 603 controls the operation of the first client device, and the processor 603 may also be referred to as a Central Processing Unit (CPU). In a particular application, the various components of the first client device are coupled together by a bus system, which may include a power bus, a control bus, a status signal bus, etc., in addition to a data bus. For clarity of illustration, the various buses are referred to in the figures as a bus system.
The method disclosed in the embodiments of the present application may be applied to the processor 603 or implemented by the processor 603. The processor 603 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or instructions in the form of software in the processor 603. The processor 603 may be a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic device, or discrete hardware components. The various methods, steps, and logic blocks disclosed in the embodiments of the present application may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in ram, flash memory, rom, prom, or eprom, registers, etc. storage media as is well known in the art. The storage medium is located in a memory 604, and the processor 603 reads the information in the memory 604 and performs the steps of the above method in combination with hardware thereof.
The receiver 601 may be configured to receive input numeric or character information and generate signal inputs related to related settings and function control of a server or other client device, the transmitter 602 may include a display device such as a display screen, and the transmitter 602 may be configured to output numeric or character information through an external interface.
In this embodiment of the application, the processor 603 is configured to execute the data processing method executed by the first client device.
Referring next to another server 700 provided in the embodiment of the present application, please refer to fig. 7, in which the server 700 includes:
a receiver 701, a transmitter 702, a processor 703 and a memory 704 (wherein the number of processors 703 in the server 700 may be one or more, for example one processor in fig. 7). In some embodiments of the present application, the receiver 701, the transmitter 702, the processor 703 and the memory 704 may be connected by a bus or other means, wherein fig. 7 illustrates the connection by a bus.
The memory 704 may include read-only memory and random access memory, and provides instructions and data to the processor 703. A portion of the memory 704 may also include non-volatile random access memory (NVRAM). The memory 704 stores an operating system and operating instructions, executable modules or data structures, or a subset or an expanded set thereof, wherein the operating instructions may include various operating instructions for performing various operations. The operating system may include various system programs for implementing various basic services and for handling hardware-based tasks.
The processor 703 controls the operation of the first client device, and the processor 703 may also be referred to as a Central Processing Unit (CPU). In a particular application, the various components of the first client device are coupled together by a bus system, which may include a power bus, a control bus, a status signal bus, etc., in addition to a data bus. For clarity of illustration, the various buses are referred to in the figures as a bus system.
The method disclosed in the embodiment of the present application may be applied to the processor 703 or implemented by the processor 703. The processor 703 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the method may be implemented by hardware integrated logic circuits in the processor 703 or by instructions in the form of software. The processor 703 may be a general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic device, or discrete hardware components. The various methods, steps, and logic blocks disclosed in the embodiments of the present application may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in ram, flash memory, rom, prom, or eprom, registers, etc. storage media as is well known in the art. The storage medium is located in a memory 704, and a processor 703 reads information in the memory 704 and performs the steps of the above method in combination with hardware thereof.
The receiver 701 may be configured to receive input numeric or character information and generate signal inputs related to related settings and function controls of a server or other client device, the transmitter 702 may include a display device such as a display screen, and the transmitter 702 may be configured to output numeric or character information through an external interface.
In this embodiment, the processor 703 is configured to execute the data processing method executed by the server.
In another possible design, when the server 700 and the first client device 600 are chips, the method includes: a processing unit, which may be, for example, a processor, and a communication unit, which may be, for example, an input/output interface, a pin or a circuit, etc. The processing unit may execute the computer executable instructions stored by the storage unit to cause the chip in the terminal to execute the method for transmitting the wireless report information according to any one of the first aspect. Alternatively, the storage unit is a storage unit in the chip, such as a register, a cache, and the like, and the storage unit may also be a storage unit located outside the chip in the terminal, such as a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a Random Access Memory (RAM), and the like.
The processor mentioned in any of the above may be a general purpose central processing unit, a microprocessor, an ASIC, or one or more integrated circuits for controlling the execution of the programs of the above methods.
It should be noted that the above-described embodiments of the apparatus are merely schematic, where units illustrated as separate components may or may not be physically separate, and components illustrated as units may or may not be physical units, may be located in one place, or may be distributed on multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. In addition, in the drawings of the embodiments of the apparatus provided in the present application, the connection relationship between the modules indicates that there is a communication connection therebetween, and may be implemented as one or more communication buses or signal lines.
Through the above description of the embodiments, those skilled in the art will clearly understand that the present application can be implemented by software plus necessary general-purpose hardware, and certainly can also be implemented by special-purpose hardware including special-purpose integrated circuits, special-purpose CPUs, special-purpose memories, special-purpose components and the like. Generally, functions performed by computer programs can be easily implemented by corresponding hardware, and specific hardware structures for implementing the same functions may be various, such as analog circuits, digital circuits, or dedicated circuits. However, for the present application, the implementation of a software program is more preferable. Based on such understanding, the technical solutions of the present application may be substantially embodied in the form of a software product, which is stored in a readable storage medium, such as a floppy disk, a usb disk, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the method of the embodiments of the present application.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product.
The computer program product includes one or more computer programs or instructions. The procedures or functions according to the embodiments of the present application are all or partially generated when the computer program instructions are loaded and executed on a computer. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, e.g., the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. A computer-readable storage medium may be any available medium that a computer can store or a data storage device, such as a server, a data center, etc., that is integrated with one or more available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
Claims (38)
1. A data processing method, comprising:
first client device obtaining N2A secret share of N2Secret shares from N2A client device, N2The client devices include a second client device, the secret shares from the second client device include a private key secret and a random noise secret, the private key secret being one of a plurality of private key secrets of a first private key of the second client device, N2Is an integer of 2 or more;
the first client device obtains an aggregated ciphertext
First part of
The aggregate ciphertext
From N respectively3The ciphertext of each client device is aggregated to obtain N2Each client device comprises the N3A client device, N3Each client device comprises the second client device, and the ciphertext from the second client device is obtained by encrypting the plaintext data of the second client device by using an encryption public key, wherein the encryption public key is obtained by the N2The first public key of each client device is obtained by aggregation;
the first client device aggregates the N2A secret share to obtain a secret sharing vector for the first client device, the secret sharing vector for the first client device including an aggregated private key secret sskuAnd aggregating random noise secrets
The aggregate private key secret sskuFrom said N2The secret shares are obtained by secret aggregation of the private keys of each secret share, and the random noise secret is aggregated
From said N2The random noise of each secret share in the secret shares is obtained through secret aggregation;
the first client device uses the aggregated private key secret sskuAnd said aggregated random noise secret
Decrypting the aggregated ciphertext
First part of
To obtain a partially decrypted ciphertext
The first client device sends the partially decrypted ciphertext to a server
2. The method of claim 1,
wherein h is a preset parameter and represents the modulus of the polynomial coefficient of the ciphertext.
3. The method of claim 1 or 2, wherein the first public key of the second client device is generated by the second client device according to the first private key of the second client device.
4. The method according to any one of claims 1-3, further comprising:
the first client device obtains a message from N1N of client devices1A first public key, said N1Each client device comprises the N2A client device;
the first client device aggregates the N1From the N of the first public keys2A first public key of each client device to obtain the encrypted public key;
the first client device encrypts plaintext data of the first client device by using the encryption public key to obtain a ciphertext of the first client device;
and the first client equipment sends the ciphertext of the first client equipment to the server.
5. The method according to any one of claims 1-4, further comprising:
the first client device sends N to1Each client device in the client devices sends the first public key of the first client device.
6. The method according to any one of claims 1-5, further comprising:
the first client device generating first random noise;
the first client device generates N of a first private key of the first client device1Share private key secret and N of the first random noise1Share random noise secret to obtain N1A secret share comprising a copy of the private key secret and a copy of the random noise secret;
the first client device sends N to1Each client device in the client devices respectively sends the N1One of the secret shares, the secret shares sent to different client devices, are different.
7. The method of any of claims 1-3, wherein the first client device and the second client device have blockchain accounts, and wherein the second client device is a different client device than the first client device.
8. The method of claim 7, wherein the first client device obtains the first portion via a blockchain network
9. The method of claim 7 or 8, further comprising:
the first client device determines the N2A blockchain account for each of the individual client devices;
the first client device queries the blockchain account of each client device through the blockchain account of each client device to obtain a first public key of each client device;
the first client device aggregates the N2A first public key of each client device to obtain the encrypted public key;
the first client device encrypts plaintext data of the first client device by using the encryption public key to obtain a ciphertext of the first client device;
the first client device sends the ciphertext of the first client device to the blockchain network through a blockchain account of the first client device.
10. The method according to any one of claims 7-9, further comprising:
the first client device publishes a first public key of the first client device through a blockchain account of the first client device.
11. The method of any one of claims 1-10, wherein the aggregating is a modulo addition operation.
12. The method according to any of claims 1-11, wherein said plaintext data comprises model parameters.
13. A data processing method, comprising:
server acquisition N3A ciphertext cuSaid N is3A ciphertext cuFrom N3An individual guestClient device, said ciphertext cuIncluding a first partial ciphertext cu0And a second partial ciphertext cu1Said N is3Is an integer of 2 or more;
the server aggregates the N3A ciphertext cuTo obtain an aggregate ciphertext
The aggregate ciphertext
Comprises a first part
And a second part
The first part
From said N3A ciphertext cuFirst part c ofu0Is polymerized to obtain the second part
From said N3A ciphertext cuSecond part c ofu1Polymerizing to obtain the polymer;
the server sends the N3Each of the client devices transmits the first portion
The server obtains N4Partial decryption of ciphertext
Said N is4Partial decryption of ciphertext
From N4A client device, N3Each client device comprises the N4A client device;
the server is based on the second part
And said N4Partial decryption of ciphertext
T partial decrypted ciphertext
Decrypting to obtain a final decrypted ciphertext m, wherein t is a preset threshold value and is less than or equal to N4。
14. The method of claim 13, wherein the server is based on the second component
And said N4Partial decryption of ciphertext
T partial decrypted ciphertext
And decrypting to obtain a final decrypted ciphertext m, wherein the decrypting comprises the following steps:
the server decrypts the ciphertext of the t parts by using a preset final decryption algorithm
And said second part
To carry outDecrypting the calculation to obtain the polynomial t1;
The server pair the polynomial t1To obtain a polynomial t2;
The server uses the polynomial t2And modulus l of each coefficient is used for obtaining the final decrypted ciphertext m, wherein l is a preset parameter and represents the modulus of the polynomial coefficient of the plaintext data.
15. The method of claim 13 or 14, further comprising:
the server obtains N1A first public key, said N1A first public key from N1A client device, N1Each client device comprises the N3A client device;
the server sends the N1Each client device broadcasts the N1A first public key.
16. The method of claim 15, further comprising:
the server obtains the information from N2Secret shares of individual client devices, said N1Each client device comprises the N2A client device from the N2Secret shares of any one of the client devices include the secret shares with the N1N corresponding to each client device1Share secret shares;
the server sends the secret share to the N according to the identity of the receiver1And (4) each client.
17. The method according to claim 13 or 14, wherein the server and the N3Each client device has a blockchain account.
18. The method of claim 17, wherein the server obtains N3A ciphertext cuThe server obtains the N from the blockchain network through the blockchain account of the server3A ciphertext cu;
The server sends the N3Each of the client devices transmits the first portion
Including the server through the blockchain account of the server to the N through the blockchain network3Each of the client devices transmits the first portion
19. The method of claim 18, further comprising:
the server deploys an intelligent contract in a blockchain network through a blockchain account of the server, wherein the intelligent contract comprises a recording function and a checking function;
the recording function is used for recording the N3A ciphertext cu;
The checking function is used for checking the server to aggregate the N3A ciphertext cuWhether the step of (1) is performed.
20. The method of claim 19, wherein the checking function is configured to check the server to aggregate the N3A ciphertext cuWhether the steps of (a) are performed, comprising:
the check function is further to perform aggregating the N3A ciphertext cuTo obtain a check aggregate ciphertext
The check aggregate ciphertext
Comprises a first part
If it is as described
And the above-mentioned
If so, the check function determines that the server aggregates the N3A ciphertext cuThe steps of (1) are performed.
21. The method of any one of claims 13-20, wherein the aggregating is a modulo addition operation.
22. A first client device, the first client device comprising:
a transceiver module for acquiring N2A secret share of N2Secret shares from N2A client device, N2The client devices include a second client device, the secret shares from the second client device include a private key secret and a random noise secret, the private key secret being one of a plurality of private key secrets of a first private key of the second client device, N2Is an integer of 2 or more;
the transceiver module is further configured to obtain an aggregate ciphertext
First part of
The aggregate ciphertext
From N respectively3The ciphertext of each client device is aggregated to obtain N2Each client device comprises the N3A client device, N3Each client device comprises the second client device, and the ciphertext from the second client device is obtained by encrypting the plaintext data of the second client device by using an encryption public key, wherein the encryption public key is obtained by the N2The first public key of each client device is obtained by aggregation;
a processing module for aggregating the N2A secret share to obtain a secret sharing vector for the first client device, the secret sharing vector for the first client device including an aggregated private key secret sskuAnd aggregating random noise secrets
The aggregate private key secret sskuFrom said N2The secret shares are obtained by secret aggregation of the private keys of each secret share, and the random noise secret is aggregated
From said N2The random noise of each secret share in the secret shares is obtained through secret aggregation;
the processing module is further to use the aggregated private key secret sskuAnd said aggregated random noise secret
Decrypting the aggregated ciphertext
First part of
To obtain a partially decrypted ciphertext
The transceiver module is further used for sending the partial decryption ciphertext to a server
23. The first client device of claim 22,
wherein h is a preset parameter and represents the modulus of the polynomial coefficient of the ciphertext.
24. The first client device of claim 22 or 23, wherein the first client device generates the first public key of the first client device from a first private key of the first client device.
25. The first client device of any of claims 22-24,
the transceiver module is further used for acquiring the data from N1N of client devices1A first public key, said N1Each client device comprises the N2A client device;
the processing module is further configured to aggregate the N1From the N of the first public keys2A first public key of each client device to obtain the encrypted public key;
the processing module is further configured to encrypt plaintext data of the first client device using the encrypted public key to obtain a ciphertext of the first client device;
the transceiver module is further configured to send the ciphertext of the first client device to the server.
26. The first client device of any of claims 22-25,
the transceiver module is further configured to transmit the data to the N1Each client device in the client devices sends the first public key of the first client device.
27. The first client device of any of claims 22-26,
the processing module is further used for generating first random noise;
the processing module is further configured to generate N of a first private key of the first client device1Share private key secret and N of the first random noise1Share random noise secret to obtain N1A secret share comprising a copy of the private key secret and a copy of the random noise secret;
the transceiver module is further configured to transmit the data to the N1Each client device in the client devices respectively sends the N1One of the secret shares, the secret shares sent to different client devices, are different.
28. The first client device of any of claims 22-24, wherein the first client device and the second client device have blockchain accounts, and wherein the second client device is a different client device than the first client device.
29. The first client device of claim 28, wherein the first client device obtains the first portion via a blockchain network
30. The first client device of claim 28 or 29,
the processing module is further configured to determine the N2A blockchain account for each of the individual client devices;
the processing module is further configured to query the blockchain account of each client device through the blockchain account of each client device to obtain a first public key of each client device;
the processing module is further configured to aggregate the N2A first public key of each client device to obtain the encrypted public key; the processing module is further configured to encrypt plaintext data of the first client device using the encrypted public key to obtain a ciphertext of the first client device;
the transceiver module is further configured to send a ciphertext of the first client device to the blockchain network through a blockchain account of the first client device.
31. The first client device of any one of claims 28-30,
the processing module is further configured to disclose the first public key of the first client device through the blockchain account of the first client device.
32. The first client device as in any one of claims 22-31, wherein the aggregation is a modulo addition operation.
33. A server, comprising:
a transceiver module for acquiring N3A ciphertext cuSaid N is3A ciphertext cuFrom N3A client device, the ciphertext cuIncluding a first partial ciphertext cu0And a second partial ciphertext cu1Said N is3Is an integer of 2 or more;
a processing module for aggregating the N3A ciphertext cuTo obtain an aggregate ciphertext
The aggregate ciphertext
Comprises a first part
And a second part
The first part
From said N3A ciphertext cuFirst part c ofu0Is polymerized to obtain the second part
From said N3A ciphertext cuSecond part c ofu1Polymerizing to obtain the polymer;
the transceiver module is further configured to transmit the data to the N3Each of the client devices transmits the first portion
The transceiver module is further configured to obtain N4Partial decryption of ciphertext
Said N is4Partial decryption of ciphertext
From N4A client device, N3Each client device comprises the N4A client device;
the processing module is further configured to determine a second portion of the data based on the first portion
And said N4Partial decryption of ciphertext
T partial decrypted ciphertext
Decrypting to obtain a final decrypted ciphertext m, wherein t is a preset threshold value and is less than or equal to N4。
34. The server according to claim 33, wherein the server is based on the second portion
And said N4Partial decryption of ciphertext
T partial decrypted ciphertext
And decrypting to obtain a final decrypted ciphertext m, wherein the decrypting comprises the following steps:
the processing module decrypts the ciphertext of the t parts by using a preset final decryption algorithm
And the second partial ciphertext
Performing decryption calculation to obtain a polynomial t1;
The processing module is used for the polynomial t1To obtain a polynomial t2;
The processing module uses the polynomial t2And modulus l of each coefficient is used for obtaining the final decrypted ciphertext m, wherein l is a preset parameter and represents the modulus of the polynomial coefficient of the plaintext data.
35. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a program that causes a computer device to perform the method of any one of claims 1-12 or 13-21.
36. A computer program product, the computer program product comprising: computer program or instructions, which, when run on an electronic device, causes the electronic device to perform the method of any of claims 1-12 or 13-21.
37. A client device, characterized in that the client device comprises at least one processor, a memory and a communication interface;
the at least one processor is coupled with the memory and the communication interface;
the memory is configured to store instructions, the processor is configured to execute the instructions, and the communication interface is configured to communicate with a server or other client device under control of the at least one processor;
the instructions, when executed by the at least one processor, cause the at least one processor to perform the method of any of claims 1-12.
38. An electronic device, wherein the electronic device may comprise at least one processor, memory, and a communication interface;
the at least one processor is coupled with the memory and the communication interface;
the memory is configured to store instructions, the processor is configured to execute the instructions, and the communication interface is configured to communicate with other electronic devices under control of the at least one processor;
the instructions, when executed by the at least one processor, cause the at least one processor to perform the method of any of claims 13-21.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110296986.1A CN113051590B (en) | 2021-03-19 | 2021-03-19 | Data processing method and related equipment |
| PCT/CN2022/081658 WO2022194276A1 (en) | 2021-03-19 | 2022-03-18 | Data processing method and related device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110296986.1A CN113051590B (en) | 2021-03-19 | 2021-03-19 | Data processing method and related equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113051590A true CN113051590A (en) | 2021-06-29 |
| CN113051590B CN113051590B (en) | 2024-03-26 |
Family
ID=76513861
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110296986.1A Active CN113051590B (en) | 2021-03-19 | 2021-03-19 | Data processing method and related equipment |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN113051590B (en) |
| WO (1) | WO2022194276A1 (en) |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114143311A (en) * | 2021-11-03 | 2022-03-04 | 深圳前海微众银行股份有限公司 | Privacy protection scheme aggregation method and device based on block chain |
| CN114239070A (en) * | 2021-12-23 | 2022-03-25 | 电子科技大学 | Privacy protection method for removing irregular users in federal learning |
| CN114422107A (en) * | 2022-03-31 | 2022-04-29 | 四川高速公路建设开发集团有限公司 | Fault-tolerant ciphertext data aggregation method based on intelligent engineering construction system platform |
| WO2022194276A1 (en) * | 2021-03-19 | 2022-09-22 | 华为技术有限公司 | Data processing method and related device |
| WO2023213190A1 (en) * | 2022-05-06 | 2023-11-09 | 华为技术有限公司 | Model security aggregation method and device |
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20150288662A1 (en) * | 2014-04-03 | 2015-10-08 | Palo Alto Research Center Incorporated | Computer-Implemented System And Method For Establishing Distributed Secret Shares In A Private Data Aggregation Scheme |
| WO2018091084A1 (en) * | 2016-11-16 | 2018-05-24 | Huawei Technologies Co., Ltd. | Homomorphic based method and system for securely aggregating data |
| US20180373882A1 (en) * | 2017-06-23 | 2018-12-27 | Thijs Veugen | Privacy preserving computation protocol for data analytics |
| US20190394019A1 (en) * | 2018-06-20 | 2019-12-26 | Clemson University | System And Method For Homomorphic Encryption |
| US20200280430A1 (en) * | 2019-02-28 | 2020-09-03 | Sap Se | Efficient Cloud-Based Secure Computation of the Median Using Homomorphic Encryption |
| WO2020205010A1 (en) * | 2019-04-05 | 2020-10-08 | Google Llc | Methods for protecting privacy |
| CN112149160A (en) * | 2020-08-28 | 2020-12-29 | 山东大学 | Homomorphic pseudo-random number-based federated learning privacy protection method and system |
| CN112217626A (en) * | 2020-08-24 | 2021-01-12 | 中国人民解放军战略支援部队信息工程大学 | Network threat cooperative defense system and method based on intelligence sharing |
| US20210073677A1 (en) * | 2019-09-06 | 2021-03-11 | Oracle International Corporation | Privacy preserving collaborative learning with domain adaptation |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113051590B (en) * | 2021-03-19 | 2024-03-26 | 华为技术有限公司 | Data processing method and related equipment |
-
2021
- 2021-03-19 CN CN202110296986.1A patent/CN113051590B/en active Active
-
2022
- 2022-03-18 WO PCT/CN2022/081658 patent/WO2022194276A1/en active Application Filing
Patent Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20150288662A1 (en) * | 2014-04-03 | 2015-10-08 | Palo Alto Research Center Incorporated | Computer-Implemented System And Method For Establishing Distributed Secret Shares In A Private Data Aggregation Scheme |
| WO2018091084A1 (en) * | 2016-11-16 | 2018-05-24 | Huawei Technologies Co., Ltd. | Homomorphic based method and system for securely aggregating data |
| US20180373882A1 (en) * | 2017-06-23 | 2018-12-27 | Thijs Veugen | Privacy preserving computation protocol for data analytics |
| US20190394019A1 (en) * | 2018-06-20 | 2019-12-26 | Clemson University | System And Method For Homomorphic Encryption |
| US20200280430A1 (en) * | 2019-02-28 | 2020-09-03 | Sap Se | Efficient Cloud-Based Secure Computation of the Median Using Homomorphic Encryption |
| WO2020205010A1 (en) * | 2019-04-05 | 2020-10-08 | Google Llc | Methods for protecting privacy |
| US20210073677A1 (en) * | 2019-09-06 | 2021-03-11 | Oracle International Corporation | Privacy preserving collaborative learning with domain adaptation |
| CN112217626A (en) * | 2020-08-24 | 2021-01-12 | 中国人民解放军战略支援部队信息工程大学 | Network threat cooperative defense system and method based on intelligence sharing |
| CN112149160A (en) * | 2020-08-28 | 2020-12-29 | 山东大学 | Homomorphic pseudo-random number-based federated learning privacy protection method and system |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2022194276A1 (en) * | 2021-03-19 | 2022-09-22 | 华为技术有限公司 | Data processing method and related device |
| CN114143311A (en) * | 2021-11-03 | 2022-03-04 | 深圳前海微众银行股份有限公司 | Privacy protection scheme aggregation method and device based on block chain |
| CN114239070A (en) * | 2021-12-23 | 2022-03-25 | 电子科技大学 | Privacy protection method for removing irregular users in federal learning |
| CN114422107A (en) * | 2022-03-31 | 2022-04-29 | 四川高速公路建设开发集团有限公司 | Fault-tolerant ciphertext data aggregation method based on intelligent engineering construction system platform |
| WO2023213190A1 (en) * | 2022-05-06 | 2023-11-09 | 华为技术有限公司 | Model security aggregation method and device |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2022194276A1 (en) | 2022-09-22 |
| CN113051590B (en) | 2024-03-26 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US20230224148A1 (en) | System and method for quantum-safe authentication, encryption and decryption of information | |
| US9973334B2 (en) | Homomorphically-created symmetric key | |
| CN113051590B (en) | Data processing method and related equipment | |
| CN109359470A (en) | Secure calculation method and device, electronic equipment | |
| JP6363032B2 (en) | Key change direction control system and key change direction control method | |
| CN111448779A (en) | System, device and method for hybrid secret sharing | |
| US10715332B2 (en) | Encryption for transactions in a memory fabric | |
| EP3490189B1 (en) | Communication terminals, server devices, and programs | |
| US7894608B2 (en) | Secure approach to send data from one system to another | |
| US10447475B1 (en) | System and method for managing backup of cryptographic keys | |
| CN114095170B (en) | Data processing method, device, system and computer readable storage medium | |
| CN109905229B (en) | Anti-quantum computing Elgamal encryption and decryption method and system based on group asymmetric key pool | |
| GB2603495A (en) | Generating shared keys | |
| WO2014030706A1 (en) | Encrypted database system, client device and server, method and program for adding encrypted data | |
| US20240063999A1 (en) | Multi-party cryptographic systems and methods | |
| EP3010173B1 (en) | Key storage device, key storage method, and program therefor | |
| CN111294196B (en) | Signal sending and receiving method and device, electronic equipment and storage medium | |
| US10057054B2 (en) | Method and system for remotely keyed encrypting/decrypting data with prior checking a token | |
| CN116861477A (en) | Data processing method, system, terminal and storage medium based on privacy protection | |
| JP6840685B2 (en) | Data sharing method, data sharing system, communication terminal, data sharing server, program | |
| CN113645022A (en) | Method and device for determining privacy set intersection, electronic equipment and storage medium | |
| KR101812311B1 (en) | User terminal and data sharing method of user terminal based on attributed re-encryption | |
| CN113381854B (en) | Data transmission method, device, equipment and storage medium | |
| CN112073172B (en) | Grid identity-based dual-receiver fully homomorphic encryption method and system | |
| CN113965310B (en) | Method for realizing mixed privacy calculation processing based on label capable of being controlled to be de-identified |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |