CN113434886B - Method and device for jointly generating data tuples for secure computation - Google Patents
- Publication number
- CN113434886B
- Authority
- CN
- China
- Prior art keywords
- polynomial
- vector
- point
- point value
- party
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F17/00—Digital computing or data processing equipment or methods, specially adapted for specific functions
- G06F17/10—Complex mathematical operations
- G06F17/15—Correlation function computation including computation of convolution operations
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F17/00—Digital computing or data processing equipment or methods, specially adapted for specific functions
- G06F17/10—Complex mathematical operations
- G06F17/16—Matrix or vector computation, e.g. matrix-matrix or matrix-vector multiplication, matrix factorization
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
Abstract
The embodiments of the specification provide a method and a device for jointly generating data tuples for secure computation. According to the method, a first party obtains a common vector formed by c common polynomials in a polynomial ring and randomly generates c first polynomials to form a random vector. Then, the first party and the second party execute a function secret sharing protocol, so that the first party obtains a shard vector formed by $c^2$ first shard polynomials, whose sums with the corresponding shards obtained by the second party correspond to the $c^2$ product polynomials of the c polynomials of each of the two parties. Each polynomial in each vector is then converted to a point value representation at the N root points of the modular polynomial F(X) of the polynomial ring. From these representations, a point value sequence corresponding to the inner product of the random vector and the common vector is determined, as is a point value sequence corresponding to the inner product of the shard vector and the multiplication vector obtained by tensor multiplication of the common vector with itself. The point values of the two point value sequences are combined in order to obtain N data tuples.
Description
Technical Field
One or more embodiments of the present specification relate to the field of data privacy security, and more particularly, to a method and apparatus for generating data tuples for secure computing.
Background
With the development of computer technology, machine learning has been applied to various technical fields for analyzing and processing various business data. The data needed by machine learning often relates to multiple fields; for example, in a merchant classification analysis scenario based on machine learning, an electronic payment platform has transaction flow data of merchants, an electronic commerce platform stores sales data of the merchants, and a banking institution has loan data of the merchants. Data often exists in the form of islands. Due to industry competition, data security, user privacy and similar concerns, data integration faces great resistance, and it is difficult to train machine learning models by integrating data dispersed across various platforms. Therefore, multi-party joint training of, and business processing with, machine learning models has been proposed.
In a scenario where multiple parties jointly train and use a machine learning model, the protection and security of data privacy become a significant issue. For example, in a multi-party computing scenario, party A holds a feature matrix formed by feature data of the user samples to be processed, and party B holds a parameter matrix formed by model parameters of a data processing model. For the security of the private data of the parties, party A and party B need to perform secure matrix multiplication without exposing their respective matrix data. In other multi-party computing scenarios, there are other secure computing requirements.
In order to protect the data privacy of each party in a multi-party computing process, a number of secure computing protocols have been proposed, which are suitable for different secure computing scenarios. Most secure computing protocols require the pre-generation of data tuples for use in the computing process.
It is therefore desirable to provide improved schemes for more efficiently and more securely generating data tuples of secure computing protocols, thereby increasing the efficiency and security of multi-party computing.
Disclosure of Invention
One or more embodiments of the present specification describe a method and an apparatus for two parties to jointly generate data tuples for secure computation, which can efficiently generate multiple groups of data tuples in a ring algebra structure that meets service requirements.
According to a first aspect, there is provided a method for generating a data tuple for secure computation jointly by two parties, performed by a first party, comprising:
acquiring a common vector formed by c common polynomials, shared with the second party, in the polynomial ring; the operations in the polynomial ring are defined based on taking the modulus of a predetermined polynomial F(X) of order N;
randomly generating c first polynomials in the polynomial ring to form a random vector;
obtaining, by performing a function secret sharing protocol with the second party, a shard vector formed by $c^2$ first shard polynomials, and causing the second party to obtain $c^2$ second shard polynomials; the sums of the $c^2$ first shard polynomials and the corresponding second shard polynomials correspond to the $c^2$ product polynomials of the c first polynomials and the c second polynomials randomly generated by the second party;
converting each polynomial in the common vector, the random vector and the shard vector into a point value representation at the N root points of F(X);
determining a first point value sequence corresponding to an inner product result of the random vector and the common vector based on the point value representation;
determining a second point value sequence corresponding to an inner product result of a multiplication vector and the shard vector based on the point value representation, wherein the multiplication vector is the result vector obtained by tensor multiplication of the common vector with itself;
and sequentially combining the point values of the same ordinal position in the first point value sequence and the second point value sequence to obtain N point value combination groups as N data tuples.
In one embodiment, the coefficients of each polynomial in the random vector, the common vector, and the shard vector are elements in a k-bit integer ring.
According to one embodiment, randomly generating the c first polynomials in the polynomial ring specifically comprises: executing a polynomial random generation process c times to obtain the c first polynomials, wherein a single polynomial random generation process comprises: randomly sampling t non-negative integers smaller than N as polynomial degrees; and randomly sampling t weighted values as polynomial coefficients, and obtaining a single first polynomial based on the polynomial degrees and the polynomial coefficients.
According to one embodiment, obtaining the shard vector formed by the $c^2$ first shard polynomials by performing a function secret sharing protocol with the second party specifically includes: based on the c first polynomials, cooperatively executing, with the second party holding the c second polynomials, the key generation process of the function secret sharing protocol to obtain $c^2$ first keys; and, using the evaluation process of the function secret sharing protocol, obtaining the $c^2$ first shard polynomials based on the $c^2$ first keys.
Further, in one embodiment, the c first polynomials comprise polynomial i, and the c second polynomials comprise polynomial j; the polynomial i and the polynomial j both comprise t terms; the function secret sharing protocol is constructed based on $t^2$ distributed point functions; in such a case, obtaining the $c^2$ first keys comprises:
performing secret sharing based on the first coefficient of each term in the polynomial i and the second coefficient of each term in the polynomial j held by the second party to obtain $t^2$ first coefficient shards, such that the second party obtains $t^2$ second coefficient shards; the sum of each of the $t^2$ first coefficient shards and the corresponding second coefficient shard is equal to one of the $t^2$ coefficient products of the first coefficients and the second coefficients;
based on the degree of each term in the polynomial i and the $t^2$ first coefficient shards, and on the degree of each term in the polynomial j held by the second party and the $t^2$ second coefficient shards, calling the key generation process of the $t^2$ distributed point functions to obtain $t^2$ first sub-keys, which are used as the first key corresponding to the combination of the polynomial i and the polynomial j.
Further, in one embodiment, obtaining the $c^2$ first shard polynomials specifically includes: for any first sub-key among the $t^2$ first sub-keys, taking the degrees from 0 to 2N-2 as input degrees, and calling the evaluation process of the corresponding distributed point function at each input degree using the first sub-key to obtain a corresponding output coefficient; obtaining a sub-polynomial corresponding to the first sub-key according to the input degrees and the output coefficients; and summing the $t^2$ sub-polynomials corresponding to the $t^2$ first sub-keys to obtain the first shard polynomial corresponding to the combination of polynomial i and polynomial j.
According to one embodiment, converting each polynomial in the random vector, the common vector, and the shard vector to a point value representation at the N root points of F(X) comprises: taking any one of the polynomials as a current polynomial; and substituting the N root points into the current polynomial respectively to obtain N point values, which are used as the point value representation of the current polynomial.
According to one embodiment, the N root points of the order-N polynomial F(X) form a multiplicative subgroup of order N; the multiplicative subgroup has a generator, and the N root points comprise N different powers of the generator.
In the case of the foregoing embodiment, in an embodiment, converting each polynomial in the random vector, the common vector, and the shard vector into a point value representation at the N root points of F(X) specifically includes: taking any one of the polynomials as a current polynomial; performing degree parity expansion on the current polynomial, wherein the degree parity expansion comprises dividing the current polynomial into an odd part and an even part, representing the even part as a first sub-formula that takes the square of the current independent variable as a new independent variable, and representing the odd part as the product of the current independent variable and a second sub-formula that takes the square of the current independent variable as the new independent variable; for any group element in the multiplicative subgroup, determining a first root point corresponding to the k-th power of the group element, a second root point corresponding to the 2k-th power of the group element, and a third root point whose power differs from that of the first root point by N/2; determining a first point value and a second point value of the first sub-formula and the second sub-formula, respectively, at the second root point; and determining the point values of the current polynomial at the first root point and the third root point, respectively, according to the first point value and the second point value.
Further, in one embodiment, determining the first point value and the second point value of the first sub-formula and the second sub-formula at the second root point may include: taking the first sub-formula as the current polynomial, and iteratively performing the degree parity expansion on the current polynomial so as to decompose it into a plurality of basic sub-formulas; and determining the first point value according to the point values of the plurality of basic sub-formulas at the second root point.
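The degree parity expansion described above, as an added Python sketch that is not code from the patent. It assumes coefficients in the integers modulo $2^k$ with k = 16, and takes the N root points to be the powers of a hypothetical generator `g = 5^(2^(k-2)/N) mod 2^k`, which has multiplicative order N; the function names are illustrative.

```python
K = 16                      # assumed bit width of the coefficient ring
MOD = 1 << K


def generator(n, k=K):
    """Element of multiplicative order n modulo 2^k (assumed choice of roots).

    5 has order 2^(k-2) modulo 2^k, so n must be a power of two with
    n <= 2^(k-2).
    """
    assert n >= 1 and n & (n - 1) == 0 and n <= 1 << (k - 2)
    return pow(5, (1 << (k - 2)) // n, 1 << k)


def eval_direct(coeffs, g, n, mod=MOD):
    """Point values by substituting each root g^j, j in [0, n), directly."""
    values = []
    for j in range(n):
        x, acc = pow(g, j, mod), 0
        for c in reversed(coeffs):          # Horner's rule
            acc = (acc * x + c) % mod
        values.append(acc)
    return values


def eval_parity(coeffs, g, n, mod=MOD):
    """Point values at g^0 .. g^(n-1) by recursive degree parity expansion.

    P(x) = E(x^2) + x * O(x^2), where E holds the even-degree coefficients
    and O the odd-degree ones. len(coeffs) must equal n.
    """
    assert len(coeffs) == n
    if n == 1:
        return [coeffs[0] % mod]
    half, g2 = n // 2, g * g % mod
    even = eval_parity(coeffs[0::2], g2, half, mod)   # first sub-formula
    odd = eval_parity(coeffs[1::2], g2, half, mod)    # second sub-formula
    # g^(n/2) squares to 1 but is NOT -1 modulo 2^k, so the third root is
    # obtained by an explicit multiplication rather than by negation.
    shift = pow(g, half, mod)
    out, first = [0] * n, 1
    for k in range(half):
        third = first * shift % mod         # root whose power is k + n/2
        # even[k] and odd[k] are the values at the second root g^(2k)
        out[k] = (even[k] + first * odd[k]) % mod
        out[k + half] = (even[k] + third * odd[k]) % mod
        first = first * g % mod
    return out
```
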
According to one embodiment, determining a first point value sequence corresponding to an inner product result of the random vector and the common vector specifically includes: performing element-wise multiplication of the point value representation of the first polynomial at the i-th position in the random vector and the point value representation of the common polynomial at the i-th position in the common vector to obtain a point value representation vector for the i-th position; and summing the point value representation vectors of the respective positions, the point value elements of the resulting vector forming, in order, the first point value sequence.
According to a second aspect, there is provided an apparatus for generating a data tuple for secure computation jointly by two parties, deployed in a first party, comprising:
a common vector acquisition unit configured to acquire a common vector formed by c common polynomials, shared with the second party, in the polynomial ring; the operations in the polynomial ring are defined based on taking the modulus of a predetermined polynomial F(X) of order N;
a random vector generation unit configured to randomly generate c first polynomials in the polynomial ring to form a random vector;
a secret sharing unit configured to obtain, by performing a function secret sharing protocol with the second party, a shard vector formed by $c^2$ first shard polynomials, and to cause the second party to obtain $c^2$ second shard polynomials; the sums of the $c^2$ first shard polynomials and the corresponding second shard polynomials correspond to the $c^2$ product polynomials of the c first polynomials and the c second polynomials randomly generated by the second party;
a point value conversion unit configured to convert each polynomial in the common vector, the random vector and the shard vector into a point value representation at the N root points of F(X);
a first sequence determination unit configured to determine a first point value sequence corresponding to an inner product result of the random vector and the common vector based on the point value representation;
a second sequence determination unit configured to determine, based on the point value representation, a second point value sequence corresponding to an inner product result of a multiplication vector and the shard vector, wherein the multiplication vector is the result vector obtained by tensor multiplication of the common vector with itself;
and a data tuple determining unit configured to combine, in order, the point values at the same ordinal position in the first point value sequence and the second point value sequence to obtain N point value combinations as N data tuples.
According to a third aspect, there is provided a computing device comprising a memory and a processor, wherein the memory has stored therein executable code, and wherein the processor, when executing the executable code, implements the method of the first aspect.
According to the method and the device provided by the embodiments of the specification, the first party and the second party efficiently generate data tuples based on the polynomial ring R. With this scheme, a plurality of data tuples can be generated efficiently at one time, and the generated data tuples can satisfy the ring data structure required by the actual service. The scheme thus supports using the OLE protocol to generate triples over a ring that can be computed efficiently in the actual service, so that multi-party secure computation can be carried out efficiently.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 illustrates a schematic diagram of a scheme for two-party federated generation of securely computed data tuples, according to one embodiment;
FIG. 2 illustrates a flow diagram of a method for two-party federated generation of a secure computed data tuple in one embodiment;
FIG. 3 illustrates a flow of steps to execute a function secret sharing FSS protocol in one embodiment;
FIG. 4 is a diagram illustrating polynomial combinations and hierarchical relationships between the polynomial combinations in a secret sharing process;
FIG. 5 illustrates an apparatus diagram for generating a securely computed data tuple, according to one embodiment.
Detailed Description
The scheme provided by the specification is described below with reference to the accompanying drawings.
As described above, in order to enhance security in privacy protection, multiple secure computing protocols have been proposed for implementing multi-party secure modeling and prediction in different scenarios, so as to perform joint risk control and joint business prediction.
In particular, in many scenarios of jointly performing service prediction, securely computing a multiplication is a common task for two parties. Here, multiplication includes matrix-matrix multiplication, matrix-vector multiplication, number-vector multiplication, and number-number multiplication. In the scenario where two parties securely compute the product of two numbers, one party P0 has a ∈ Z and the other party P1 has b ∈ Z, where Z represents a set of positive integers; the two parties compute c = ab such that P0 obtains c_0 and P1 obtains c_1, satisfying c_0 + c_1 = c, but neither party knows c. Here, a and b owned by the two parties can be private data, such as sensitive user information or parameters in a model that need to be kept secret. c can be computed efficiently using pre-computed data tuples. Secure generation of data tuples by both parties may be achieved by an oblivious linear-function evaluation (OLE) protocol.
The OLE protocol, also called the oblivious linear function computing protocol, is a secure two-party computing protocol. By running the protocol, party P0 obtains a pseudo-random OLE partial tuple $(x_0, z_0)$ and party P1 obtains a pseudo-random OLE partial tuple $(x_1, z_1)$, satisfying $z_0 + z_1 = x_0 x_1$. The security of the protocol guarantees that neither P0 nor P1 can obtain the input and output data of the other party during protocol execution.
Typically, the OLE protocol may be implemented by a distributed point function. A brief description of the point function and the distributed point function follows.
Point function: let the domain of the function be I and the range be G. A point function is a special function defined on this domain and range such that exactly one point in the domain is mapped to a fixed value in the range, and all other points in the domain are mapped to the zero element of the range. This particular point may be referred to as the puncture point, and the fixed value it maps to may be referred to as the mapping value. More specifically, let $f_{\alpha,\beta}(x)$ be a point function with puncture point $\alpha \in I$ and mapping value $\beta \in G$; then:
Distributed point function: in a secure multi-party computing scenario, a point function is sometimes determined jointly by the two parties participating in the protocol, and neither party can fully know the specific definition of the point function; that is, both parties know only the public domain and range, but neither knows the specific puncture point and mapping value. For example, in a secure multi-party computing scenario, for a point function $f_{\alpha,\beta}(x): I \to G$, each party knows only one share of the puncture point α and of the mapping value β (let $\alpha = \alpha_0 + \alpha_1$; P0 knows only $\alpha_0$ and P1 knows only $\alpha_1$; likewise for β), without knowing the complete α and β, and thus neither party knows the complete $f_{\alpha,\beta}(x)$.
On the other hand, in many secure computing platforms, data operations are performed based on a ring algebra structure. The ring is an algebraic structure common in cryptography. The definition of a ring R comprises three parts, namely the set of all elements in the ring, an addition operation and a multiplication operation, and satisfies the following conditions: (1) the set of all elements and the addition operation define a commutative group, i.e. closure, associativity, existence of an identity element, existence of an inverse for each element, and commutativity of addition are satisfied; (2) the set of all elements and the multiplication operation define a semigroup, i.e. closure is satisfied; (3) the multiplication operation satisfies the distributive law with respect to the addition operation. For example, the set Z of all integers together with the commonly understood algebraic addition and multiplication operations forms a ring.
It will be appreciated that in practice, for efficient computation, data in a computing platform is often in the form of bit strings of a certain length. Therefore, in many secure computing platforms, data operations are based on a ring algebra structure in which all elements belong to $[0, 2^k)$, i.e. do not exceed k bits, and the addition operation is obtained by taking the result modulo $2^k$.
Although some solutions exist that implement the OLE protocol by a distributed point function, some of them cannot generate multiple groups of data tuples at one time, and some cannot output results satisfying the ring algebra structure required by the secure computing platform, in particular an algebraic structure of this kind.
In view of the above, the inventor proposes an efficient scheme for generating data tuples based on the ring-LPN property of a polynomial ring. With this scheme, a plurality of data tuples can be generated efficiently at one time, and the generated data tuples can satisfy the ring data structure required by the actual service. The scheme thus supports using the OLE protocol to generate triples over a ring that can be computed efficiently in the actual service, so that multi-party secure computation can be carried out efficiently.
FIG. 1 illustrates a schematic diagram of a scheme for the joint generation of data tuples for secure computation by two parties, according to one embodiment. The secure computation involves a first party P0 and a second party P1; the generation of the data tuples is based on a polynomial ring, each element of which is a polynomial, the operations in the ring being defined based on taking the modulus of a predetermined polynomial F(X) of order N.
In advance, the two parties jointly agree on c common polynomials in the polynomial ring, which form a c-dimensional common vector a, with a single polynomial as a vector element.
Further, the first party P0 and the second party P1 each generate random polynomials. Specifically, the first party P0 randomly generates c first polynomials to form the random vector $e_0$ of the first party. The second party P1 randomly generates c second polynomials to form the random vector $e_1$ of the second party.
Then, the first party P0 and the second party P1 each obtain shard polynomials by executing the function secret sharing FSS protocol. Specifically, the first party P0 obtains a shard vector $u_0$ formed by $c^2$ first shard polynomials, and the second party obtains a shard vector $u_1$ formed by $c^2$ second shard polynomials, wherein the sums of the $c^2$ first shard polynomials and the corresponding second shard polynomials correspond to the $c^2$ product polynomials of the c first polynomials of the first party and the c second polynomials of the second party.
Next, based on the point value representations of its own polynomials at the N root points of the predetermined polynomial F(X) of order N, the first party P0 calculates the first point value sequence corresponding to the inner product result $\langle a, e_0 \rangle$ of the random vector $e_0$ of the first party and the common vector a. The first point value sequence comprises N point values, which are the values of the polynomial corresponding to the inner product result $\langle a, e_0 \rangle$ at the N root points.
Correspondingly, based on the point value representations of the polynomials it holds at the N root points, the second party P1 calculates the first point value sequence corresponding to the inner product result $\langle a, e_1 \rangle$ of the random vector $e_1$ of the second party and the common vector a. This first point value sequence consists of the values of the polynomial corresponding to the inner product result $\langle a, e_1 \rangle$ at the N root points.
Based on the point value representations of the polynomials, the first party P0 also calculates the result vector v obtained by tensor multiplication of the common vector a with itself, and determines the second point value sequence corresponding to the inner product result $\langle v, u_0 \rangle$ of the result vector v and its own shard vector $u_0$, wherein the second point value sequence consists of the values of the polynomial corresponding to the inner product result $\langle v, u_0 \rangle$ at the N root points.
Correspondingly, based on the point value representations of the polynomials it holds, the second party P1 similarly determines the second point value sequence corresponding to the inner product result $\langle v, u_1 \rangle$ of the result vector v and its own shard vector $u_1$, wherein the second point value sequence consists of the values of the polynomial corresponding to the inner product result $\langle v, u_1 \rangle$ at the N root points.
Thus, the first party P0 combines, in order, the point values at the same ordinal position in its first point value sequence and second point value sequence to obtain N point value combinations as N data tuples. Correspondingly, the second party P1 combines, in order, the point values at the same ordinal position in its first point value sequence and second point value sequence to obtain N point value combinations as N data tuples. It can be verified that the corresponding data tuples of the first party and the second party satisfy the OLE relationship:
In this way, the first party P0 and the second party P1 obtain N data tuples at one time by exploiting the properties of the polynomial ring; moreover, the above scheme can support generating data tuples of the modulo-$2^k$ ring data structure, so as to meet the requirements of the actual service. A detailed implementation of the above concept is described below.
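The flow of FIG. 1 as an added Python simulation, not code from the patent: both parties run in one process, and a trusted-dealer additive split (`share`) stands in for the function secret sharing protocol. Assumed here: coefficients modulo $2^k$ with k = 32, the root points taken as powers of a hypothetical generator `5^(2^(k-2)/N) mod 2^k`, distinct sampled degrees, and the parameter values N = 16, c = 3, t = 4.

```python
import random

K, N, C, T = 32, 16, 3, 4          # assumed parameters: bits, roots, c, t
MOD = 1 << K


def roots(n=N, k=K):
    """N powers of an order-N generator modulo 2^k (assumed root points)."""
    g = pow(5, (1 << (k - 2)) // n, 1 << k)
    return [pow(g, j, 1 << k) for j in range(n)]


def sparse_poly(rng, n=N, t=T):
    """Random polynomial with t terms: t degrees below n, t coefficients."""
    poly = [0] * n
    for degree in rng.sample(range(n), t):
        poly[degree] = rng.randrange(MOD)
    return poly


def poly_mul(p, q):
    """Unreduced product polynomial, degrees 0 .. 2N-2."""
    out = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        if a:
            for j, b in enumerate(q):
                out[i + j] = (out[i + j] + a * b) % MOD
    return out


def share(poly, rng):
    """Additive split s0 + s1 = poly. Stand-in for FSS: in the real protocol
    no single machine ever sees both parties' polynomials or their product."""
    s0 = [rng.randrange(MOD) for _ in poly]
    s1 = [(v - r) % MOD for v, r in zip(poly, s0)]
    return s0, s1


def point_values(poly, pts):
    """Substitute every root point into the polynomial (Horner's rule)."""
    values = []
    for x in pts:
        acc = 0
        for coeff in reversed(poly):
            acc = (acc * x + coeff) % MOD
        values.append(acc)
    return values


def party_tuples(a_pv, e, u, pts):
    """One party's local work: e is its random vector (c polynomials),
    u its shard vector (c^2 polynomials, entry i*c+j for the pair (i, j))."""
    c = len(e)
    e_pv = [point_values(p, pts) for p in e]
    u_pv = [point_values(p, pts) for p in u]
    tuples = []
    for n in range(len(pts)):
        # first sequence: <a, e> evaluated at root n
        x = sum(a_pv[i][n] * e_pv[i][n] for i in range(c)) % MOD
        # second sequence: <a tensor a, u> evaluated at root n
        z = sum(a_pv[i][n] * a_pv[j][n] * u_pv[i * c + j][n]
                for i in range(c) for j in range(c)) % MOD
        tuples.append((x, z))
    return tuples


def generate(seed=1):
    # random.Random gives a reproducible demo; real key material needs a CSPRNG
    rng = random.Random(seed)
    pts = roots()
    # common vector a with a_0 = 1, remaining entries agreed in advance
    a = [[1] + [0] * (N - 1)]
    a += [[rng.randrange(MOD) for _ in range(N)] for _ in range(C - 1)]
    a_pv = [point_values(p, pts) for p in a]
    e0 = [sparse_poly(rng) for _ in range(C)]
    e1 = [sparse_poly(rng) for _ in range(C)]
    u0, u1 = [], []
    for i in range(C):
        for j in range(C):
            s0, s1 = share(poly_mul(e0[i], e1[j]), rng)
            u0.append(s0)
            u1.append(s1)
    return party_tuples(a_pv, e0, u0, pts), party_tuples(a_pv, e1, u1, pts)


def ole_holds(t0, t1):
    """Check z0 + z1 = x0 * x1 (mod 2^k) for every pair of tuples."""
    return all((z0 + z1) % MOD == (x0 * x1) % MOD
               for (x0, z0), (x1, z1) in zip(t0, t1))
```

The check in `ole_holds` passes because evaluation at a point is additive and multiplicative, so the shards' point values sum to the product of the two parties' point values at each root.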
FIG. 2 illustrates a flow diagram of a method for two-party federated generation of a securely computed data tuple, in one embodiment. It is to be understood that the first party P0 and the second party P1 may be any entity that needs to perform secure computations, for example, the first party P0 is a bank or payment platform that owns the user privacy data, and the second party P1 is a model owner that owns the trained model data; alternatively, the first party P0 and the second party P1 each possess partial private data and partial model data. Also, it should be understood that the first party and the second party may each be implemented by any device, apparatus, platform, cluster of devices having computing and processing capabilities. The flow shown in fig. 2 is described with respect to a first party, however, it will be appreciated that the flow may be equally applicable to a second party.
The first party P0 and the second party P1 need to agree on parameters before executing the flow of FIG. 2. First, a polynomial ring R must be agreed, which is a ring structure whose elements are polynomials; addition and multiplication operations between the elements are defined based on taking the modulus of a predetermined polynomial F(X) of order N. The polynomial F(X) is also called the modular polynomial.
In one embodiment, to generate data tuples of k-bit integers, it may be agreed that each coefficient p of each polynomial in the polynomial ring R described above is a k-bit integer, i.e. the polynomial coefficients belong to a k-bit integer ring, so that R is a polynomial ring whose coefficients are taken from a k-bit integer ring and whose operations are modulo F(X). In such a case, the order of the modular polynomial F(X) satisfies: $N = 2^q$, $q \le k-2$.
In addition, both parties agree, in any of various ways, on c common polynomials, denoted $a_0, a_1, \ldots, a_{c-1}$. The number c may be called a compression factor and is an integer agreed by both parties; the c common polynomials are all polynomials in the above polynomial ring R. In practice, for simplicity of operation, $a_0 = 1$ may be taken.
Based on the above convention, the generation of the data tuple can be performed through the flow shown in fig. 2.
As shown in fig. 2, at step 21, the first party and the second party each obtain c common polynomials for the contract. Using a single polynomial as a vector element, the c common polynomials can form a common vectorWhen getting a0When 1, the common vector can be written as
In step 22, the first party randomly forms c first polynomials in the polynomial ring R, and forms a random vector in c dimensions with a single polynomial as a vector element.
For clarity, the c first polynomials are writtenWhereinThe lower subscript 0 in (1) indicates correspondence to the first party P0, and the upper subscript i indicates the index number of the first polynomial. The c first polynomials may formRandom vector of one party
In one embodiment, the c first polynomials may be obtained by performing the following random polynomial generation process c times, where generating a single polynomial includes: randomly sampling t non-negative integers smaller than N as polynomial degrees; randomly sampling t weight values as polynomial coefficients; and obtaining a single first polynomial from the polynomial degrees and the polynomial coefficients. Here t is the noise number, an integer agreed by both parties in advance and selected according to the security of Ring-LPN. Generally, t is taken to be much smaller than N, so that the generated random polynomial is sparse relative to F(X).
More specifically, in one example, for the ith generation process, i ∈ [0.. c), the first party may uniformly sample the random vectorWill be provided withAs the polynomial degree, willThe element in (b) is used as a polynomial coefficient, the polynomial degree and the polynomial coefficient are combined to obtain the ith first polynomial
It will be appreciated that the second party may similarly randomly generate c second polynomials, denoted asForm a random vector corresponding to the second party P1
Then, at step 23, the first party and the second party execute a function secret sharing (FSS) protocol, so that the first party obtains $c^2$ first sliced polynomials and the second party obtains $c^2$ second sliced polynomials; the sums of the $c^2$ first sliced polynomials and the corresponding second sliced polynomials equal the $c^2$ product polynomials obtained by multiplying combinations of the c first polynomials and the c second polynomials.
It should be understood that, after step 22, the first party holds c randomly generated first polynomials and the second party holds c second polynomials; multiplying each combination of a first polynomial and a second polynomial yields $c^2$ product polynomials. In step 23, by using function secret sharing (FSS), the first party and the second party, each using only the first/second polynomials private to it, respectively obtain the first-party slice and the second-party slice of each of the $c^2$ product polynomials.
In one embodiment, the function secret sharing (FSS) protocol is built on distributed point functions, and its execution includes a key generation process and an evaluation process. FIG. 3 shows the steps of performing the FSS protocol in one embodiment. In this embodiment, in step 231, the first party uses the c first polynomials it holds and the second party uses the c second polynomials it holds to cooperatively execute the key generation process of the function secret sharing protocol; the first party obtains $c^2$ first keys and the second party obtains $c^2$ second keys, where i, j ∈ [0..c).
Then, in step 232, using the evaluation process of the function secret sharing protocol, the first party obtains $c^2$ first sliced polynomials based on the $c^2$ first keys; accordingly, the second party obtains $c^2$ second sliced polynomials based on the $c^2$ second keys, such that:
In the following, the process of secret sharing between the two parties is described taking an arbitrary first polynomial and an arbitrary second polynomial as an example.
According to the random generation process of the first/second polynomials described above, an arbitrary first polynomial and an arbitrary second polynomial are both polynomials of degree less than N with t terms. Thus, their product polynomial contains $t^2$ terms, with a maximum degree of 2N−2. Accordingly, the FSS protocol can be constructed based on $t^2$ distributed point functions $f_{\alpha,\beta}(x)$, each with domain [0..2N-1 ] and with a value range corresponding to the polynomial coefficients, e.g. the k-bit integer ring.
To perform secret sharing of the product polynomial, in step 231 the first party, based on the first coefficient of each term in the first polynomial it holds, and the second party, based on the second coefficient of each term in the second polynomial it holds, execute multiplicative secret sharing, so that the first party obtains $t^2$ first coefficient slices and the second party obtains $t^2$ second coefficient slices, where the sum of each first coefficient slice and the corresponding second coefficient slice equals the corresponding one of the $t^2$ coefficient products of a first coefficient and a second coefficient.
For example, the t terms of the first polynomial include a certain term, hereinafter referred to as the first term P; the t terms of the second polynomial include a certain term, hereinafter referred to as the second term Q. For the term combination PQ of the first term and the second term, the first party obtains a first coefficient slice $\beta_0$ through multiplicative secret sharing and the second party obtains a second coefficient slice $\beta_1$; the sum of the two parties' coefficient slices equals the product of the two parties' coefficients: $\beta_0 + \beta_1 = p_0 \cdot p_1$. Since the first and second polynomials both have t terms, there are $t^2$ such term combinations, and each party obtains $t^2$ coefficient slices.
Next, the first party, based on the degrees of the terms of its polynomial and the $t^2$ first coefficient slices, and the second party, based on the degrees of the terms of its polynomial and the $t^2$ second coefficient slices, invoke the key generation process of the $t^2$ distributed point functions; the first party obtains $t^2$ first sub-keys, which serve as the first key corresponding to the combination of the two polynomials, and the second party obtains $t^2$ second sub-keys, which serve as the second key corresponding to that polynomial combination.
For example, for the term combination PQ of the first and second terms described above, the first party inputs the degree $q_0$ of the first term as its local share $\alpha_0$ of the puncture point α of the distributed point function $f_{\alpha,\beta}(x)$, and the first coefficient slice $\beta_0$ as its local slice of the mapping value β; the second party inputs the degree $q_1$ of the second term as its local share $\alpha_1$ of the puncture point, and the second coefficient slice $\beta_1$ as its local slice of the mapping value β. The two parties invoke the key generation process of the distributed point function; the first party obtains the first sub-key corresponding to the term combination PQ, and the second party obtains the second sub-key corresponding to the combination PQ. This means that the puncture point α of the distributed point function is the sum $q_0 + q_1$ of the two term degrees, and the mapping value β is the product $p_0 \cdot p_1$ of the two coefficients. Combinations of other terms are handled in a similar manner.
Since the first polynomial and the second polynomial both have t terms, there are $t^2$ such term combinations; the first party thus obtains $t^2$ first sub-keys as the first key for the polynomial combination, and the second party obtains $t^2$ second sub-keys as the second key for the polynomial combination.
Then, at step 232, the first party performs expansion processing on the first key through the evaluation process of the distributed point function to obtain the first sliced polynomial corresponding to the combination of the first polynomial and the second polynomial; the second party performs expansion processing on the second key to obtain the second sliced polynomial corresponding to that polynomial combination.
As described above, for the first polynomial and the second polynomial, the first key obtained by the first party includes $t^2$ first sub-keys, which correspond respectively to the $t^2$ term combinations between the t terms that each of the two polynomials contains. The expansion processing may therefore specifically include: for any one of the $t^2$ first sub-keys, the first party takes each degree from 0 to 2N−2 as an input degree and uses the first sub-key to invoke the evaluation process of the corresponding distributed point function $f_{\alpha,\beta}(x)$ at that input degree, obtaining the corresponding output coefficient; a sub-polynomial corresponding to the first sub-key is then obtained from the input degrees and the output coefficients. The $t^2$ sub-polynomials corresponding to the $t^2$ first sub-keys are then summed to obtain the first sliced polynomial corresponding to the combination of the two polynomials.
Continuing the example above of the term combination PQ of the first term P in the first polynomial and the second term Q in the second polynomial: as previously described, the first party's first key includes the first sub-key corresponding to the combination PQ. The first party may then take each degree from 0 to 2N−2 as an input degree α′ and, using that first sub-key, invoke the evaluation process of the distributed point function $f_{\alpha,\beta}(x)$ at the input degree α′ to obtain the corresponding output coefficient $v_0$; combining each input degree α′ with its output coefficient $v_0$ yields the sub-polynomial $\langle PQ \rangle_0$ corresponding to the first sub-key.
Accordingly, the second party may take each degree from 0 to 2N−2 as an input degree α′ and, using the corresponding second sub-key, invoke the evaluation process of the distributed point function $f_{\alpha,\beta}(x)$ at the input degree α′ to obtain the corresponding output coefficient $v_1$; combining each input degree α′ with its output coefficient $v_1$ yields the sub-polynomial $\langle PQ \rangle_1$ corresponding to the second sub-key.
According to the properties of the distributed point function, when the input degree α′ is not equal to the puncture point $q_0 + q_1$, the sum of the two parties' output coefficients $v_0$ and $v_1$ is zero; when the input degree α′ equals the puncture point $q_0 + q_1$, the sum of the output coefficients $v_0$ and $v_1$ equals the mapping value $p_0 \cdot p_1$. Thus, the sum of the sub-polynomial $\langle PQ \rangle_0$ obtained by the first party from the first sub-key and the sub-polynomial $\langle PQ \rangle_1$ obtained by the second party from the second sub-key is the product of the first term P and the second term Q. Both parties thereby realize sliced secret sharing of the polynomial for the term combination of the first term P and the second term Q.
It will be appreciated that, since the first polynomial and the second polynomial each have t terms, there are $t^2$ such term combinations and also $t^2$ corresponding sub-keys. Thus, the first party performs the above process with each first sub-key in its first key and sums the $t^2$ sub-polynomials corresponding to the $t^2$ first sub-keys to obtain the first sliced polynomial corresponding to the combination of the first polynomial and the second polynomial; accordingly, the second party performs the above process with each second sub-key in its second key and sums the $t^2$ sub-polynomials corresponding to the $t^2$ second sub-keys to obtain the second sliced polynomial corresponding to that polynomial combination. The sum of the first sliced polynomial and the second sliced polynomial corresponding to the polynomial combination equals the product of the two polynomials.
The above describes the process of secret sharing through the FSS protocol, taking the combination of an arbitrary first polynomial and an arbitrary second polynomial as an example. FIG. 4 shows the polynomial combinations in the secret sharing process and a schematic diagram of the hierarchical relations among them. Referring to FIG. 4, in step 22 the first party randomly generates c first polynomials and the second party correspondingly holds c second polynomials, so that $c^2$ polynomial combinations exist between the two parties. By performing the above process for all $c^2$ polynomial combinations, the first party obtains $c^2$ first sliced polynomials and the second party obtains $c^2$ second sliced polynomials; the sum of the two parties' sliced polynomials for each combination equals the product of the first polynomial and the second polynomial in that combination.
According to another embodiment, the function secret sharing (FSS) protocol may be implemented based on a multi-point puncture function with a plurality of puncture points. The implementation concept is similar to the above process, but multiple points, e.g. $t^2$ points, can be supported at a time, thereby simplifying the above operations.
Thus, through step 23 in its various embodiments, the first party obtains $c^2$ first sliced polynomials; with a single polynomial as a vector element, these form the first party's $c^2$-dimensional sliced vector. Accordingly, the second party obtains $c^2$ second sliced polynomials, which form the second party's $c^2$-dimensional sliced vector.
As above, through steps 21-23 the first party has obtained the common vector, its random vector and its sliced vector, and the second party has obtained the common vector, its random vector and its sliced vector; the elements of each vector are polynomials. To facilitate fast subsequent polynomial operations, at step 24 the first/second party converts each polynomial in each vector it holds into a point value representation at the N root points of the modular polynomial F(X).
The point value representation of a polynomial a(X) means substituting several specific values $X_1, X_2, \ldots, X_n$ of the variable X into the polynomial a(X) to obtain computed values $Y_1, Y_2, \ldots, Y_n$, and using these computed values to represent the polynomial a(X). For the convenience of the subsequent polynomial multiplication, in step 24 the polynomials in the vectors obtained above are uniformly converted into point value representations at the N root points of the modular polynomial F(X).
It will be appreciated that the modular polynomial F(X) of order N has N root points. In one embodiment, for any polynomial a(X) in each vector, the N root points are respectively substituted into the polynomial to obtain N point values, which serve as the point value representation of the polynomial a(X).
In another embodiment, the point value conversion of a polynomial is further simplified by designing the modular polynomial F(X) and performing parity decomposition on the polynomial a(X) to be converted to a point value representation.
Specifically, a generator g is defined in the ring, and the modular polynomial is taken as $F(X) = (X-1)(X-g)\cdots(X-g^{N-1})$. Thus the N root points of the modular polynomial F(X) form a multiplicative group of order N with generator g; that is, the N root points of F(X) are the N distinct powers of the generator g, namely $\{1, g, g^2, \ldots, g^{N-1}\}$.
On the other hand, any polynomial a(X) can be expanded or decomposed as:
$$a(X) = G(X^2) + X \cdot H(X^2) \qquad (2)$$
That is, the current polynomial a(X) is divided into an odd part $X \cdot H(X^2)$ and an even part $G(X^2)$: the even part is expressed as a first sub-formula $G(X^2)$ that takes the square $X^2$ of the current argument as its new argument, and the odd part is expressed as the product of the current argument X and a second sub-formula $H(X^2)$ that takes $X^2$ as its new argument.
Since the roots of F(X) form a multiplicative group of order N, let w be a group element of that group, i.e. $w \in \{1, g, g^2, \ldots, g^{N-1}\}$. Taking $w^k$ as the first root point, $w^{2k}$ as the second root point and $w^{k+N/2}$ as the third root point, the following relationship holds among these root points:
$$(w^{k+N/2})^2 = w^{2k} \qquad (3)$$
Substituting the first root point $w^k$ and the third root point $w^{k+N/2}$ into equation (2) and combining with equation (3) gives:
$$a(w^k) = G(w^{2k}) + w^k \cdot H(w^{2k}) \qquad (4)$$
$$a(w^{k+N/2}) = G(w^{2k}) + w^{N/2} \cdot w^k \cdot H(w^{2k}) \qquad (5)$$
Therefore, only $G(w^{2k})$ and $H(w^{2k})$ need to be computed to obtain both $a(w^k)$ and $a(w^{k+N/2})$. That is, by determining the first point value $G(w^{2k})$ and the second point value $H(w^{2k})$ of the first sub-formula G and the second sub-formula H at the second root point $w^{2k}$, and reusing the first point value and the second point value, the point values of the current polynomial a(X) at the first root point $w^k$ and at the third root point $w^{k+N/2}$ can both be determined, which simplifies the point value conversion process.
To further reuse point value computation results, further parity decomposition may be performed on the first sub-formula G and the second sub-formula H described above. For example, letting $Z = X^2$ and taking the first sub-formula G(Z) as the current polynomial, parity expansion according to equation (2) is performed iteratively several times on the current polynomial, thereby decomposing it into several base sub-formulas. A base sub-formula may be a polynomial whose degree and/or number of terms reaches a preset base threshold. The first point value of the first sub-formula at the second root point is then determined from the point values of the base sub-formulas at the second root point. It is to be understood that, similarly to equations (4) and (5) above, the point values of the base sub-formulas can be used not only to determine the point value of the first sub-formula but can also be reused in determining the point values of other sub-formulas built from those base sub-formulas.
In this way, the point value representation of each polynomial at the N root points of the modular polynomial f (x) can be determined quickly.
Returning to fig. 2. Upon determining the point value representation of each polynomial in each vector, next, in step 25, a first point value sequence corresponding to the inner product result of the present random vector and the common vector is determined based on the point value representation of each polynomial.
Specifically, the first party determines the first point value sequence corresponding to the inner product of its random vector and the common vector, namely:
It is to be understood that the random vector and the common vector are vectors whose elements are polynomials, and their inner product corresponds to a polynomial $x_0$, which may be referred to as the result polynomial; the first point value sequence is the point value representation of the result polynomial $x_0$ at the N root points. However, in step 25, the expression of the result polynomial is not computed first and then converted to a point value representation; instead, the sequence is obtained directly from the point value representations of the element polynomials of the random vector and the common vector, bypassing the computation of the expression of the result polynomial.
Specifically, in computing the first point value sequence, the point value representation of the first polynomial at the i-th position of the random vector is multiplied element-wise with the point value representation of the common polynomial at the i-th position of the common vector to obtain the point value representation vector for the i-th position; the point value representation vectors for the respective positions are then summed, and the point value elements of the resulting vector, in order, constitute the first point value sequence. The first point value sequence is thus obtained directly, bypassing the computation of the expression of the result polynomial.
Similarly, the second party may determine the first point value sequence corresponding to the inner product of its random vector and the common vector, namely:
On the other hand, at step 26, based on the point value representations of the respective polynomials, the first party first determines the multiplication vector obtained by tensor multiplication of the common vector with itself, and then determines the second point value sequence corresponding to the inner product of the multiplication vector and this party's sliced vector, namely:
Here, tensor multiplication means that the elements of the two vectors are combined and multiplied in sequence, with each product serving as an element of the result vector. As previously described, the common vector is a c-dimensional vector, so the multiplication vector is $c^2$-dimensional; the sliced vector obtained through function secret sharing (FSS) is also $c^2$-dimensional, so the inner product of the two can be computed.
Similarly to step 25, in order to calculate the second point value sequence, in step 26, the expression of the inner-product-result polynomial of the multiplication vector and the slice vector is not calculated, but the operation is directly performed based on the point value representation of the vector elements, and the point value representation of the inner-product-result polynomial is directly obtained as the second point value sequence.
Accordingly, based on the point value representations of the respective polynomials, the second party can determine the second point value sequence corresponding to the inner product of the multiplication vector and this party's sliced vector, namely:
Then, in step 27, the first party combines, in order, the point values at the same sequence position in the first point value sequence and the second point value sequence to obtain N point value combinations as N data tuples. Accordingly, the second party similarly obtains N point value combinations as N data tuples.
According to the definition of the two-party slicing vector in step 23, the following formula (10) holds:
further, there is a relationship of equation (11):
thus, the corresponding tuples of data of the first and second partiesAndthe OLE protocol is satisfied:thus, both parties generate sets of data tuples that satisfy the OLE protocol.
In one embodiment, both parties may utilize such data tuples to generate data tuples for further security calculations, such as multiply triples, to facilitate such further security calculations, such as both parties' secure multiplications, and so on. Various secure computing protocols based on data tuples are widely applied to privacy protection scenes of joint machine learning, and no examples are given here.
In summary, in the embodiments of the present specification, the first party and the second party efficiently generate data tuples based on a polynomial ring R. With this scheme, a large number of data tuples can be generated efficiently at one time, and the generated data tuples conform to the data structure required by actual services. Using this scheme, the OLE protocol can support the generation of triples over the ring that is efficiently computable in actual services, so that multi-party secure computation is carried out efficiently.
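The following Python sketch is an added example, not code from the patent: it runs steps 21 to 27 on a toy ring (k = 16, N = 8, c = 2, t = 3, all chosen here for illustration), with the point value conversion done by the parity decomposition of equations (2) to (5), and checks that the two parties' tuples satisfy x0·x1 = z0 + z1 at every root point, a relation derived here from the inner-product definitions of steps 25 and 26. The FSS protocol of step 23 is replaced by a hypothetical trusted dealer (`dealer_share`) that sees both polynomials, so the block checks the algebra only and provides no privacy; the generator choice g = 3^(2^(k−2−q)) is likewise an assumption.

```python
import secrets

K, Q, C, T = 16, 3, 2, 3      # k-bit ring, N = 2^q (q <= k-2), compression c, noise t
MOD, N = 1 << K, 1 << Q
# Assumed instantiation: 3 has multiplicative order 2^(k-2) modulo 2^k,
# so g = 3^(2^(k-2-q)) has order N and F(X) = (X-1)(X-g)...(X-g^(N-1)).
G = pow(3, 1 << (K - 2 - Q), MOD)


def sparse_poly():
    """Step 22: t random degrees below N, t random coefficients."""
    poly = [0] * N
    for _ in range(T):
        d = secrets.randbelow(N)
        poly[d] = (poly[d] + secrets.randbelow(MOD)) % MOD
    return poly


def poly_mul(a, b):
    """Plain product; its degree can reach 2N-2, as the description notes."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % MOD
    return out


def dealer_share(poly):
    """Stand-in for step 23 (NOT the FSS protocol): additive slices of a product."""
    s0 = [secrets.randbelow(MOD) for _ in poly]
    return s0, [(v - r) % MOD for v, r in zip(poly, s0)]


def point_values(poly, w=G, n=N):
    """Step 24: values at w^0..w^(n-1) by parity decomposition, equations (2)-(5)."""
    if n == 1:
        return [sum(poly) % MOD]                     # only root point left is w^0 = 1
    w2 = w * w % MOD
    g_vals = point_values(poly[0::2], w2, n // 2)    # G at the second root points w^(2k)
    h_vals = point_values(poly[1::2], w2, n // 2)    # H at the same points, reused twice
    half, wk, out = pow(w, n // 2, MOD), 1, [0] * n
    for k in range(n // 2):
        out[k] = (g_vals[k] + wk * h_vals[k]) % MOD                    # eq. (4)
        out[k + n // 2] = (g_vals[k] + half * wk * h_vals[k]) % MOD    # eq. (5)
        wk = wk * w % MOD
    return out


def horner(poly, x):
    """Direct substitution of one root point, used to cross-check point_values."""
    acc = 0
    for coeff in reversed(poly):
        acc = (acc * x + coeff) % MOD
    return acc


def inner(left, right):
    """Inner product of two vectors of point-value lists, position by position."""
    return [sum(lv[n] * rv[n] for lv, rv in zip(left, right)) % MOD for n in range(N)]


def generate_tuples():
    # Step 21: common vector with a_0 = 1 and c-1 further public polynomials.
    a = [[1] + [0] * (N - 1)]
    a += [[secrets.randbelow(MOD) for _ in range(N)] for _ in range(C - 1)]
    e0 = [sparse_poly() for _ in range(C)]          # first party's random vector
    e1 = [sparse_poly() for _ in range(C)]          # second party's random vector
    u0, u1 = [], []                                 # c^2-dimensional sliced vectors
    for i in range(C):
        for j in range(C):
            s0, s1 = dealer_share(poly_mul(e0[i], e1[j]))
            u0.append(s0)
            u1.append(s1)
    a_pv = [point_values(p) for p in a]
    # Tensor product of the common vector with itself, in point-value form,
    # ordered by (i, j) exactly like the slices above.
    aa_pv = [[x * y % MOD for x, y in zip(a_pv[i], a_pv[j])]
             for i in range(C) for j in range(C)]
    x0 = inner([point_values(p) for p in e0], a_pv)     # step 25, first party
    x1 = inner([point_values(p) for p in e1], a_pv)     # step 25, second party
    z0 = inner([point_values(p) for p in u0], aa_pv)    # step 26, first party
    z1 = inner([point_values(p) for p in u1], aa_pv)    # step 26, second party
    return list(zip(x0, z0)), list(zip(x1, z1))         # step 27: N tuples per party


def ole_holds(tuples0, tuples1):
    """True when x0 * x1 == z0 + z1 (mod 2^k) at every root point."""
    return all((x0 * x1 - z0 - z1) % MOD == 0
               for (x0, z0), (x1, z1) in zip(tuples0, tuples1))


if __name__ == "__main__":
    t0, t1 = generate_tuples()
    print("tuples per party:", len(t0), "relation holds:", ole_holds(t0, t1))
```

The sliced polynomials are evaluated without first reducing them modulo F(X); this is sound because every evaluation point is a root of F(X), so the reduction would not change any point value.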
According to another aspect, an apparatus for generating a secure computed data tuple jointly by two parties is further provided, where the two parties include a first party and a second party, and both the first party and the second party can be implemented as any device or platform with computing and processing capabilities. FIG. 5 illustrates a schematic diagram of an apparatus to generate a securely computed data tuple, which may be deployed in a first party, according to one embodiment. As shown in fig. 5, the apparatus 500 includes:
a common vector acquisition unit 51 configured to acquire a common vector formed of c common polynomials common to the second party in the polynomial ring; the operations in the polynomial ring are defined based on taking the modulus of a predetermined polynomial f (x) of order N;
a random vector generation unit 52 configured to randomly generate c first polynomials in the polynomial ring to form random vectors;
a secret sharing unit 53 configured to obtain, by performing a function secret sharing protocol with the second party, a sliced vector formed by $c^2$ first sliced polynomials, and to cause the second party to obtain $c^2$ second sliced polynomials; the sums of the $c^2$ first sliced polynomials and the corresponding second sliced polynomials correspond to the $c^2$ product polynomials obtained by multiplying combinations of the c first polynomials with c second polynomials randomly generated by the second party;
a point value conversion unit 54 configured to convert each polynomial in the common vector, the random vector, and the sliced vector into a point value representation of N root points at f (x);
a first sequence determination unit 55 configured to determine, based on the point value representation, a first point value sequence corresponding to an inner product result of the random vector and the common vector;
a second sequence determining unit 56 configured to determine a second point value sequence corresponding to an inner product result of a multiplication vector and a fragmentation vector based on the point value representation, wherein the multiplication vector is a result vector obtained by tensor multiplication of the common vector and the common vector;
the data tuple determining unit 57 is configured to sequentially combine point values of the same ordinal position in the first point value sequence and the second point value sequence to obtain N pairs of point value combinations as N data tuples.
In one embodiment, the coefficients of each polynomial in the random vector, the common vector, and the sliced vector are elements in a k-bit integer ring.
According to one embodiment, the random vector generation unit 52 is configured to perform a random polynomial generation process c times to obtain the c first polynomials, wherein the random generation process of a single polynomial includes: randomly sampling t non-negative integers smaller than N as polynomial degrees; randomly sampling t weight values as polynomial coefficients; and obtaining a single first polynomial based on the polynomial degrees and the polynomial coefficients.
According to one embodiment, the secret sharing unit 53 comprises:
a key obtaining module 531 configured to perform a key generation process of the function secret sharing protocol with the second party, based on the c first polynomials and the c second polynomials held by the second party, to obtain $c^2$ first keys;
a key expansion module 532 configured to obtain $c^2$ first sliced polynomials based on the $c^2$ first keys by using an evaluation process of the function secret sharing protocol.
In some embodiments, the c first polynomials include a polynomial i, and the c second polynomials include a polynomial j; the polynomial i and the polynomial j each comprise t terms; the function secret sharing protocol is constructed based on $t^2$ distributed point functions. In such a case, the key obtaining module 531 is configured to:
perform secret sharing based on the first coefficient of each term in the polynomial i and the second coefficient of each term in the polynomial j held by the second party, to obtain $t^2$ first coefficient slices and cause the second party to obtain $t^2$ second coefficient slices; the sum of each of the $t^2$ first coefficient slices and the corresponding second coefficient slice equals the corresponding one of the $t^2$ coefficient products of a first coefficient and a second coefficient;
based on the degree of each term in the polynomial i and the $t^2$ first coefficient slices, together with the degree of each term in the polynomial j held by the second party and the $t^2$ second coefficient slices, invoke the key generation process of the $t^2$ distributed point functions to obtain $t^2$ first sub-keys as the first key corresponding to the combination of the polynomial i and the polynomial j.
Further, in one embodiment, the key expansion module 532 is configured to: for any one of the $t^2$ first sub-keys, take each degree from 0 to 2N−2 as an input degree and use the first sub-key to invoke the evaluation process of the corresponding distributed point function at that input degree to obtain a corresponding output coefficient; obtain a sub-polynomial corresponding to the first sub-key from the input degrees and the output coefficients; and sum the $t^2$ sub-polynomials corresponding to the $t^2$ first sub-keys to obtain the first sliced polynomial corresponding to the combination of the polynomial i and the polynomial j.
According to an embodiment, the point value conversion unit 54 is configured to: taking any polynomial in the polynomials as a current polynomial; and respectively substituting the N root points into the current polynomial to obtain N point values which are used as point value representation of the current polynomial.
In one embodiment, the N root points of the modular polynomial F(X) of order N form a multiplicative group of order N; the multiplicative group has a generator, and the N root points comprise the N distinct powers of the generator.
On the basis of the above embodiments, in one embodiment, the point value conversion unit 54 is configured to:
taking any polynomial in the polynomials as a current polynomial;
performing degree parity expansion on the current polynomial, wherein the degree parity expansion comprises dividing the current polynomial into an odd part and an even part, expressing the even part as a first sub-formula taking the square of the current argument as a new argument, and expressing the odd part as the product of the current argument and a second sub-formula taking the square of the current argument as the new argument;
for any group element in the multiplicative group, determining a first root point corresponding to the k-th power of the group element, a second root point corresponding to the 2k-th power of the group element, and a third root point whose exponent differs from that of the first root point by N/2;
determining a first point value and a second point value of the first sub-formula and the second sub-formula at the second root point respectively;
and determining the point values of the current polynomial at the first root point and the third root point respectively according to the first point value and the second point value.
Further, in an example, the point value conversion unit 54 is further configured to: take the first sub-formula as the current polynomial and iteratively perform the degree parity expansion on the current polynomial, so as to decompose it into a plurality of base sub-formulas; and determine the first point value according to the point values of the plurality of base sub-formulas at the second root point.
According to one embodiment, the first sequence determining unit 55 is configured to: multiply, element-wise, the point value representation of the first polynomial at the i-th position in the random vector with the point value representation of the common polynomial at the i-th position in the common vector to obtain the point value representation vector for the i-th position; and sum the point value representation vectors of the respective positions, the point value elements of the resulting vector, in order, constituting the first point value sequence.
Through the device, the first party and the second party can jointly realize the efficient generation of the data tuple, and the data tuple can support the data structure of the k-bit integer ring required by the service, so that the data tuple can be effectively used for subsequent calculation and the security of the private data is better protected.
According to an embodiment of another aspect, there is also provided a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method described in connection with fig. 2.
According to an embodiment of another aspect, there is also provided a computing device, including a memory and a processor, where the memory stores executable code, and the processor executes the executable code to implement the method described in conjunction with fig. 2.
Those skilled in the art will recognize that, in one or more of the examples described above, the functions described in this invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.
The specific embodiments above further describe the objects, technical solutions and advantages of the present invention in detail. It should be understood that they are only exemplary embodiments of the present invention and are not intended to limit its scope; any modifications, equivalent substitutions, improvements and the like made on the basis of the technical solutions of the present invention shall fall within the scope of the present invention.
Claims (23)
1. A method for two-party joint generation of data tuples for secure computation, performed by a first party, comprising:
acquiring a common vector formed by c common polynomials in a polynomial ring, the common vector being shared with the second party; operations in the polynomial ring are defined modulo a predetermined polynomial f(X) of order N;
randomly generating c first polynomials in the polynomial ring to form a random vector;
obtaining, by performing a function secret sharing protocol with the second party, a sliced vector formed by c² first sliced polynomials, and causing the second party to obtain c² second sliced polynomials; the sums of the c² first sliced polynomials and the corresponding second sliced polynomials correspond to the c² product polynomials of the c first polynomials and c second polynomials randomly generated by the second party;
converting each polynomial in the common vector, the random vector and the sliced vector into a point value representation at the N root points of f(X);
determining, based on the point value representations, a first point value sequence corresponding to an inner product result of the random vector and the common vector;
determining, based on the point value representations, a second point value sequence corresponding to an inner product result of a multiplication vector and the sliced vector, wherein the multiplication vector is the result vector obtained by tensor multiplication of the common vector with itself;
and sequentially combining the point values at the same ordinal position in the first point value sequence and the second point value sequence to obtain N point value combinations as N data tuples.
2. The method of claim 1, wherein the coefficients of each polynomial in the random vector, the common vector and the sliced vector are elements of a k-bit integer ring.
3. The method of claim 1, wherein randomly generating c first polynomials in the polynomial ring comprises: executing a polynomial random generation process c times to obtain the c first polynomials, wherein a single polynomial random generation process comprises:
randomly sampling t non-negative integers smaller than N as polynomial degrees; and randomly sampling t weight values as polynomial coefficients, and obtaining a single first polynomial based on the polynomial degrees and the polynomial coefficients.
4. The method of claim 1, wherein obtaining, by performing a function secret sharing protocol with the second party, a sliced vector formed by c² first sliced polynomials comprises:
executing, in cooperation with the second party and based on the c first polynomials and the c second polynomials held by the second party, a key generation process of the function secret sharing protocol to obtain c² first keys;
obtaining the c² first sliced polynomials based on the c² first keys, using an evaluation process of the function secret sharing protocol.
5. The method of claim 4, wherein the c first polynomials comprise a polynomial i(X), and the c second polynomials comprise a polynomial j(X); the polynomial i(X) and the polynomial j(X) each comprise t terms; the function secret sharing protocol is constructed based on t² distributed point functions;
said obtaining c² first keys comprises:
performing secret sharing based on the first coefficient of each term in the polynomial i(X) and the second coefficient of each term in the polynomial j(X) held by the second party, to obtain t² first coefficient slices and cause the second party to obtain t² second coefficient slices; the sums of the t² first coefficient slices and the corresponding second coefficient slices are equal to the t² coefficient products of the first coefficients and the second coefficients;
based on the degree of each term in the polynomial i(X) and the t² first coefficient slices, together with the degree of each term in the polynomial j(X) and the t² second coefficient slices held by the second party, invoking a key generation process of the t² distributed point functions to obtain t² first sub-keys, which serve as the first key corresponding to the combination of the polynomial i and the polynomial j.
6. The method of claim 5, wherein said obtaining the c² first sliced polynomials comprises:
for any first sub-key of the t² first sub-keys, taking each degree from 0 to 2N-2 as an input degree, and invoking, with the first sub-key, the evaluation process of the corresponding distributed point function on the input degree to obtain a corresponding output coefficient; obtaining a sub-polynomial corresponding to the first sub-key according to the input degrees and the output coefficients;
summing the t² sub-polynomials corresponding to the t² first sub-keys to obtain the first sliced polynomial corresponding to the combination of the polynomial i(X) and the polynomial j(X).
7. The method of claim 1, wherein converting each polynomial in the random vector, the common vector and the sliced vector into a point value representation at the N root points of f(X) comprises:
taking any one of the polynomials as a current polynomial;
and substituting the N root points into the current polynomial respectively to obtain N point values, which serve as the point value representation of the current polynomial.
8. The method of claim 1, wherein the N root points of the N-th order polynomial f(X) form a multiplicative group of order N, the multiplicative group having a generator, and the N root points comprise N different powers of the generator.
9. The method of claim 8, wherein converting each polynomial in the random vector, the common vector and the sliced vector into a point value representation at the N root points of f(X) comprises:
taking any one of the polynomials as a current polynomial;
performing degree parity expansion on the current polynomial, wherein the degree parity expansion comprises dividing the current polynomial into an odd-degree part and an even-degree part, expressing the even-degree part as a first sub-formula that takes the square of the current independent variable as a new independent variable, and expressing the odd-degree part as the product of the current independent variable and a second sub-formula that takes the square of the current independent variable as the new independent variable;
for any group element in the multiplicative subgroup, determining a first root point corresponding to the k-th power of the group element, a second root point corresponding to the 2k-th power of the group element, and a third root point which differs from the first root point by N/2;
determining a first point value of the first sub-formula and a second point value of the second sub-formula at the second root point;
and determining the point values of the current polynomial at the first root point and the third root point respectively according to the first point value and the second point value.
10. The method of claim 9, wherein determining the first point value of the first sub-formula and the second point value of the second sub-formula at the second root point comprises:
taking the first sub-formula as the current polynomial, and iteratively performing the degree parity expansion on the current polynomial so as to decompose it into a plurality of basic sub-formulas;
determining the first point value according to the point values of the plurality of basic sub-formulas at the second root point.
11. The method of claim 1, wherein determining, based on the point value representations, a first point value sequence corresponding to an inner product result of the random vector and the common vector comprises:
multiplying, position by position, the point value representation of the first polynomial at the i-th position in the random vector with the point value representation of the common polynomial at the i-th position in the common vector, to obtain a point value representation vector for the i-th position;
summing the point value representation vectors of the respective positions, the point value elements of the resulting vector forming, in order, the first point value sequence.
12. An apparatus for two-party joint generation of data tuples for secure computation, deployed in a first party, comprising:
a common vector acquisition unit configured to acquire a common vector formed by c common polynomials in a polynomial ring, the common vector being shared with the second party; operations in the polynomial ring are defined modulo a predetermined polynomial f(X) of order N;
a random vector generation unit configured to randomly generate c first polynomials in the polynomial ring to form a random vector;
a secret sharing unit configured to obtain, by performing a function secret sharing protocol with the second party, a sliced vector formed by c² first sliced polynomials, and to cause the second party to obtain c² second sliced polynomials; the sums of the c² first sliced polynomials and the corresponding second sliced polynomials correspond to the c² product polynomials of the c first polynomials and c second polynomials randomly generated by the second party;
a point value conversion unit configured to convert each polynomial in the common vector, the random vector and the sliced vector into a point value representation at the N root points of f(X);
a first sequence determination unit configured to determine, based on the point value representations, a first point value sequence corresponding to an inner product result of the random vector and the common vector;
a second sequence determination unit configured to determine, based on the point value representations, a second point value sequence corresponding to an inner product result of a multiplication vector and the sliced vector, wherein the multiplication vector is the result vector obtained by tensor multiplication of the common vector with itself;
and a data tuple determining unit configured to sequentially combine the point values at the same ordinal position in the first point value sequence and the second point value sequence to obtain N point value combinations as N data tuples.
13. The apparatus of claim 12, wherein the coefficients of each polynomial in the random vector, the common vector and the sliced vector are elements of a k-bit integer ring.
14. The apparatus of claim 12, wherein the random vector generation unit is configured to execute a polynomial random generation process c times to obtain the c first polynomials, wherein a single polynomial random generation process comprises:
randomly sampling t non-negative integers smaller than N as polynomial degrees; and randomly sampling t weight values as polynomial coefficients, and obtaining a single first polynomial based on the polynomial degrees and the polynomial coefficients.
15. The apparatus of claim 12, wherein the secret sharing unit comprises:
a key obtaining module configured to execute, in cooperation with the second party and based on the c first polynomials and the c second polynomials held by the second party, a key generation process of the function secret sharing protocol to obtain c² first keys;
a key expansion module configured to obtain the c² first sliced polynomials based on the c² first keys, using an evaluation process of the function secret sharing protocol.
16. The apparatus of claim 15, wherein the c first polynomials comprise a polynomial i(X), and the c second polynomials comprise a polynomial j(X); the polynomial i(X) and the polynomial j(X) each comprise t terms; the function secret sharing protocol is constructed based on t² distributed point functions;
the key obtaining module is configured to:
perform secret sharing based on the first coefficient of each term in the polynomial i(X) and the second coefficient of each term in the polynomial j(X) held by the second party, to obtain t² first coefficient slices and cause the second party to obtain t² second coefficient slices; the sums of the t² first coefficient slices and the corresponding second coefficient slices are equal to the t² coefficient products of the first coefficients and the second coefficients;
based on the degree of each term in the polynomial i(X) and the t² first coefficient slices, together with the degree of each term in the polynomial j(X) and the t² second coefficient slices held by the second party, invoke a key generation process of the t² distributed point functions to obtain t² first sub-keys, which serve as the first key corresponding to the combination of the polynomial i and the polynomial j.
17. The apparatus of claim 16, wherein the key expansion module is configured to:
for any first sub-key of the t² first sub-keys, take each degree from 0 to 2N-2 as an input degree, and invoke, with the first sub-key, the evaluation process of the corresponding distributed point function on the input degree to obtain a corresponding output coefficient; obtain a sub-polynomial corresponding to the first sub-key according to the input degrees and the output coefficients;
sum the t² sub-polynomials corresponding to the t² first sub-keys to obtain the first sliced polynomial corresponding to the combination of the polynomial i(X) and the polynomial j(X).
18. The apparatus according to claim 12, wherein the point value conversion unit is configured to:
take any one of the polynomials as a current polynomial;
and substitute the N root points into the current polynomial respectively to obtain N point values, which serve as the point value representation of the current polynomial.
19. The apparatus of claim 12, wherein the N root points of the N-th order polynomial f(X) form a multiplicative group of order N, the multiplicative group having a generator, and the N root points comprise N different powers of the generator.
20. The apparatus according to claim 19, wherein the point value conversion unit is configured to:
take any one of the polynomials as a current polynomial;
perform degree parity expansion on the current polynomial, wherein the degree parity expansion comprises dividing the current polynomial into an odd-degree part and an even-degree part, expressing the even-degree part as a first sub-formula that takes the square of the current independent variable as a new independent variable, and expressing the odd-degree part as the product of the current independent variable and a second sub-formula that takes the square of the current independent variable as the new independent variable;
for any group element in the multiplicative subgroup, determine a first root point corresponding to the k-th power of the group element, a second root point corresponding to the 2k-th power of the group element, and a third root point which differs from the first root point by N/2;
determine a first point value of the first sub-formula and a second point value of the second sub-formula at the second root point;
and determine the point values of the current polynomial at the first root point and the third root point respectively according to the first point value and the second point value.
21. The apparatus according to claim 20, wherein the point value conversion unit is configured to:
take the first sub-formula as the current polynomial, and iteratively perform the degree parity expansion on the current polynomial so as to decompose it into a plurality of basic sub-formulas;
determine the first point value according to the point values of the plurality of basic sub-formulas at the second root point.
22. The apparatus of claim 12, wherein the first sequence determining unit is configured to:
multiply, position by position, the point value representation of the first polynomial at the i-th position in the random vector with the point value representation of the common polynomial at the i-th position in the common vector, to obtain a point value representation vector for the i-th position;
sum the point value representation vectors of the respective positions, the point value elements of the resulting vector forming, in order, the first point value sequence.
23. A computing device comprising a memory and a processor, wherein the memory has stored therein executable code that, when executed by the processor, performs the method of any of claims 1-11.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110749265.1A CN113434886B (en) | 2021-07-01 | 2021-07-01 | Method and device for jointly generating data tuples for secure computation |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113434886A CN113434886A (en) | 2021-09-24 |
CN113434886B true CN113434886B (en) | 2022-05-17 |
Family
ID=77758644
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110749265.1A Active CN113434886B (en) | 2021-07-01 | 2021-07-01 | Method and device for jointly generating data tuples for secure computation |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113434886B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114239811B (en) * | 2021-12-21 | 2024-05-31 | 支付宝(杭州)信息技术有限公司 | Multiparty joint convolution processing method, device and system based on privacy protection |
CN114978484A (en) * | 2022-04-15 | 2022-08-30 | 支付宝(杭州)信息技术有限公司 | Data processing method and device for protecting privacy and computer equipment |
CN114756815A (en) * | 2022-05-10 | 2022-07-15 | 蚂蚁区块链科技(上海)有限公司 | Triple generation method and system for multi-party secure computing |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101325596A (en) * | 2007-11-13 | 2008-12-17 | 北京大学 | Cryptography distributed calculation and step-by-step verification method with fault-tolerant function |
WO2015160839A1 (en) * | 2014-04-17 | 2015-10-22 | Hrl Laboratories, Llc | A method for secure and resilient distributed generation of elliptic curve digital signature algorithm (ecdsa) based digital signatures with proactive security |
CN108418810A (en) * | 2018-02-08 | 2018-08-17 | 中国人民解放军国防科技大学 | Secret sharing method based on Hadamard matrix |
CN110971405A (en) * | 2019-12-06 | 2020-04-07 | 支付宝(杭州)信息技术有限公司 | SM2 signing and decrypting method and system with cooperation of multiple parties |
CN111160573A (en) * | 2020-04-01 | 2020-05-15 | 支付宝(杭州)信息技术有限公司 | Method and device for protecting business prediction model of data privacy joint training by two parties |
JP2020519969A (en) * | 2017-05-18 | 2020-07-02 | 日本電気株式会社 | Secret calculation method, device, and program |
CN112487489A (en) * | 2021-02-05 | 2021-03-12 | 支付宝(杭州)信息技术有限公司 | Joint data processing method and device for protecting privacy |
CN112800478A (en) * | 2021-04-07 | 2021-05-14 | 支付宝(杭州)信息技术有限公司 | Method, device and system for determining shared data for protecting private data |
CN112818290A (en) * | 2021-01-21 | 2021-05-18 | 支付宝(杭州)信息技术有限公司 | Method and device for determining object feature correlation in private data in multi-party combination manner |
CN112989368A (en) * | 2021-02-07 | 2021-06-18 | 支付宝(杭州)信息技术有限公司 | Method and device for processing private data by combining multiple parties |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111543025A (en) * | 2017-08-30 | 2020-08-14 | 因福尔公司 | High precision privacy preserving real valued function evaluation |
EP3506547A1 (en) * | 2017-12-28 | 2019-07-03 | Flytxt B.V. | Providing security against user collusion in data analytics using random group selection |
Non-Patent Citations (3)
Title |
---|
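(t,p)-Threshold point function secret sharing scheme based on polynomial interpolation and its application; Dazeng Yuan; UCC '16: Proceedings of the 9th International Conference on Utility and Cloud Computing; 20121206; full text * |
Secure constant-round multi-user k-means clustering computation protocol; Qin Hong et al.; Journal of Computer Research and Development; 20201009 (No. 10); full text * |
Constant-round multi-party secure protocol for determining whether polynomials are coprime; He Yunxiao et al.; Journal of the Graduate School of the Chinese Academy of Sciences; 20040315 (No. 02); full text * |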
Also Published As
Publication number | Publication date |
---|---|
CN113434886A (en) | 2021-09-24 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||