CN113626841A - Selection problem processing method based on multi-party security calculation - Google Patents

Publication number
CN113626841A
Authority
CN
China
Prior art keywords
polynomial
party
vector
linear transformation
transformation matrix
Legal status
Pending
Application number
CN202110915009.5A
Other languages
Chinese (zh)
Inventor
张祺智
李漓春
殷山
Current Assignee
Alipay Hangzhou Information Technology Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F17/00 Digital computing or data processing equipment or methods, specially adapted for specific functions
    • G06F17/10 Complex mathematical operations
    • G06F17/16 Matrix or vector computation, e.g. matrix-matrix or matrix-vector multiplication, matrix factorization
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F17/00 Digital computing or data processing equipment or methods, specially adapted for specific functions
    • G06F17/10 Complex mathematical operations
    • G06F17/18 Complex mathematical operations for evaluating statistical data, e.g. average values, frequency distributions, probability functions, regression analysis

Abstract

The embodiment of the specification provides a selection problem processing method based on multi-party secure computation. By constructing an embedding q of the set X into a vector space, the m preimages P1, P2, …, Pm are mapped into the vector space, e.g. the set
Figure DDA0003205200570000011
to obtain the corresponding vectors Q1, Q2, …, Qm; the images f(P1), f(P2), …, f(Pm) of the m preimages P1, P2, …, Pm under the mapping f are then converted into the outputs of a polynomial g when the vector elements of Q1, Q2, …, Qm are respectively taken as input. On this basis, by running a multi-party secure computation protocol, the first party holding the mapping f can obtain the first fragments of g(Q1), g(Q2), …, g(Qm) as the first fragments of f(P1), f(P2), …, f(Pm), and the second party holding P1, P2, …, Pm can obtain the second fragments of g(Q1), g(Q2), …, g(Qm) as the second fragments of f(P1), f(P2), …, f(Pm).

Description

Selection problem processing method based on multi-party security calculation
Technical Field
The present specification relates to the field of information technology, and in particular, to a selection problem processing method based on multi-party security computation.
Background
The secure multi-party computation is also called multi-party secure computation, namely, a plurality of parties jointly compute the result of a function without revealing the input data of the parties of the function, and the computed result is stored in a plurality of parties or is disclosed to one or more parties in a shared form. Therefore, through secure multiparty computation, the participating parties can be allowed to compute the results of the functions without exposing the respective raw data.
Some secure multiparty computation processes involve a selection problem, which may be described as selecting m elements from a set of n elements (abbreviated as the n-choose-m problem). It is currently desirable to provide a selection problem processing method based on multi-party secure computation.
Disclosure of Invention
One of the embodiments of the present specification provides a selection problem processing method based on multi-party secure computation. The participants of the secure computation comprise a first party and a second party; the first party holds a private injection f from the set X to the set A; the second party holds m private preimages P1, P2, …, Pm, all of which belong to the set X, and the number of elements in the set X is n; the first party and the second party share an injection q, which maps the elements of the set X to a preset vector space. The method is performed by a device of the first party and comprises: obtaining a polynomial g corresponding to the injections f and q, wherein the output of the polynomial g, when the vector elements of the image of any element of the set X under the injection q are taken as input, is equal to the image of that element under the injection f; obtaining the polynomials
Figure BDA0003205200550000011
and h0, wherein the polynomials
Figure BDA0003205200550000012
and h0 obtained by the first party, and the linear transformation matrix σ and the polynomial h1 obtained by the second party, satisfy: the two fragments of the composite polynomial obtained from the polynomial
Figure BDA0003205200550000013
under the action of the linear transformation matrix σ are the polynomial h0 and the polynomial h1; the linear transformation matrix σ is used in an operation with a vector to change the positions of the elements in the vector, and the action is such that the output of the composite polynomial, when the vector elements of the result of operating the linear transformation matrix σ on a first vector are taken as input, is equal to the output of the polynomial
Figure BDA0003205200550000014
when the vector elements of the first vector are taken as input; receiving from a device of the second party, corresponding respectively to Q1, Q2, …, Qm,
Figure BDA0003205200550000015
wherein Q1, Q2, …, Qm are respectively the images of the m preimages P1, P2, …, Pm under the injection q, and
Figure BDA0003205200550000016
are the results of operating the linear transformation matrix σ on the vectors Q1, Q2, …, Qm respectively; calculating the outputs of the polynomial h0 when the vector elements of
Figure BDA0003205200550000017
are respectively taken as input,
Figure BDA0003205200550000018
and, based on
Figure BDA0003205200550000019
obtaining the first fragment of [f(P1), f(P2), …, f(Pm)]; obtaining a polynomial δg,
Figure BDA00032052005500000110
Figure BDA00032052005500000111
and sending the polynomial δg to the device of the second party so that the device of the second party can obtain the second fragment of [f(P1), f(P2), …, f(Pm)].
One embodiment of the present specification provides a selection problem processing system based on multi-party secure computation. The participants of the secure computation comprise a first party and a second party; the first party holds a private injection f from the set X to the set A; the second party holds m private preimages P1, P2, …, Pm, all of which belong to the set X, and the number of elements in the set X is n; the first party and the second party share an injection q, which maps the elements of the set X to a preset vector space. The system is implemented on a device of the first party and comprises: a first obtaining module for obtaining a polynomial g corresponding to the injections f and q, wherein the output of the polynomial g, when the vector elements of the image of any element of the set X under the injection q are taken as input, is equal to the image of that element under the injection f; a second obtaining module for obtaining the polynomials
Figure BDA0003205200550000021
and h0, wherein the polynomials
Figure BDA0003205200550000022
and h0 obtained by the first party, and the linear transformation matrix σ and the polynomial h1 obtained by the second party, satisfy: the two fragments of the composite polynomial obtained from the polynomial
Figure BDA0003205200550000023
under the action of the linear transformation matrix σ are the polynomial h0 and the polynomial h1; the linear transformation matrix σ is used in an operation with a vector to change the positions of the elements in the vector, and the action is such that the output of the composite polynomial, when the vector elements of the result of operating the linear transformation matrix σ on a first vector are taken as input, is equal to the output of the polynomial
Figure BDA0003205200550000024
when the vector elements of the first vector are taken as input; a first receiving module for receiving from a device of the second party, corresponding respectively to Q1, Q2, …, Qm,
Figure BDA0003205200550000025
wherein Q1, Q2, …, Qm are respectively the images of the m preimages P1, P2, …, Pm under the injection q, and
Figure BDA0003205200550000026
are the results of operating the linear transformation matrix σ on the vectors Q1, Q2, …, Qm respectively; a first calculation module for calculating the outputs of the polynomial h0 when the vector elements of
Figure BDA0003205200550000027
are respectively taken as input,
Figure BDA0003205200550000028
and, based on
Figure BDA0003205200550000029
obtaining the first fragment of [f(P1), f(P2), …, f(Pm)]; a first sending module for obtaining a polynomial δg,
Figure BDA00032052005500000210
and sending the polynomial δg to the device of the second party so that the device of the second party can obtain the second fragment of [f(P1), f(P2), …, f(Pm)].
One of the embodiments of the present specification provides a selection problem processing method based on multi-party secure computation. The participants of the secure computation comprise a first party and a second party; the first party holds a private injection f from the set X to the set A; the second party holds m private preimages P1, P2, …, Pm, all of which belong to the set X, and the number of elements in the set X is n; the first party and the second party share an injection q, which maps the elements of the set X to a preset vector space. The method is performed by a device of the second party and comprises: obtaining the images Q1, Q2, …, Qm of the m preimages P1, P2, …, Pm under the injection q; obtaining a linear transformation matrix σ and a polynomial h1, wherein the polynomials
Figure BDA00032052005500000211
and h0 obtained by the first party, and the linear transformation matrix σ and the polynomial h1 obtained by the second party, satisfy: the two fragments of the composite polynomial obtained from the polynomial
Figure BDA00032052005500000212
under the action of the linear transformation matrix σ are the polynomial h0 and the polynomial h1; the linear transformation matrix σ is used in an operation with a vector to change the positions of the elements in the vector, and the action is such that the output of the composite polynomial, when the vector elements of the result of operating the linear transformation matrix σ on a first vector are taken as input, is equal to the output of the polynomial
Figure BDA00032052005500000213
when the vector elements of the first vector are taken as input; calculating, corresponding respectively to Q1, Q2, …, Qm,
Figure BDA00032052005500000214
and sending
Figure BDA00032052005500000215
to the device of the first party so that the device of the first party can obtain the first fragment of [f(P1), f(P2), …, f(Pm)]; wherein
Figure BDA00032052005500000216
are the results of operating the linear transformation matrix σ on the vectors Q1, Q2, …, Qm respectively; receiving the polynomial δg from the device of the first party,
Figure BDA00032052005500000217
wherein the output of the polynomial g, when the vector elements of the image of any element of the set X under the injection q are taken as input, is equal to the image of that element under the injection f; calculating the outputs δg(Q1), δg(Q2), …, δg(Qm) of the polynomial δg when the vector elements of Q1, Q2, …, Qm are respectively taken as input; calculating the outputs of the polynomial h1 when the vector elements of
Figure BDA0003205200550000031
are respectively taken as input,
Figure BDA0003205200550000032
and, based on δg(Q1), δg(Q2), …, δg(Qm) and
Figure BDA0003205200550000033
obtaining the second fragment of [f(P1), f(P2), …, f(Pm)].
One embodiment of the present specification provides a selection problem processing system based on multi-party secure computation. The participants of the secure computation comprise a first party and a second party; the first party holds a private injection f from the set X to the set A; the second party holds m private preimages P1, P2, …, Pm, all of which belong to the set X, and the number of elements in the set X is n; the first party and the second party share an injection q, which maps the elements of the set X to a preset vector space. The system is implemented on a device of the second party and comprises: a third obtaining module for obtaining the images Q1, Q2, …, Qm of the m preimages P1, P2, …, Pm under the injection q; a fourth obtaining module for obtaining a linear transformation matrix σ and a polynomial h1, wherein the polynomials
Figure BDA0003205200550000034
and h0 obtained by the first party, and the linear transformation matrix σ and the polynomial h1 obtained by the second party, satisfy: the two fragments of the composite polynomial obtained from the polynomial
Figure BDA0003205200550000035
under the action of the linear transformation matrix σ are the polynomial h0 and the polynomial h1; the linear transformation matrix σ is used in an operation with a vector to change the positions of the elements in the vector, and the action is such that the output of the composite polynomial, when the vector elements of the result of operating the linear transformation matrix σ on a first vector are taken as input, is equal to the output of the polynomial
Figure BDA0003205200550000036
when the vector elements of the first vector are taken as input; a second sending module for calculating, corresponding respectively to Q1, Q2, …, Qm,
Figure BDA0003205200550000037
and sending
Figure BDA0003205200550000038
to the device of the first party so that the device of the first party can obtain the first fragment of [f(P1), f(P2), …, f(Pm)]; wherein
Figure BDA0003205200550000039
are the results of operating the linear transformation matrix σ on the vectors Q1, Q2, …, Qm respectively; a second receiving module for receiving the polynomial δg from the device of the first party,
Figure BDA00032052005500000310
wherein the output of the polynomial g, when the vector elements of the image of any element of the set X under the injection q are taken as input, is equal to the image of that element under the injection f; a second calculation module for: calculating the outputs δg(Q1), δg(Q2), …, δg(Qm) of the polynomial δg when the vector elements of Q1, Q2, …, Qm are respectively taken as input; calculating the outputs of the polynomial h1 when the vector elements of
Figure BDA00032052005500000311
are respectively taken as input,
Figure BDA00032052005500000312
and, based on δg(Q1), δg(Q2), …, δg(Qm) and
Figure BDA00032052005500000313
obtaining the second fragment of [f(P1), f(P2), …, f(Pm)].
One embodiment of the present specification provides a selection problem processing apparatus based on multi-party secure computing. The device comprises a processor and a storage device, wherein the storage device is used for storing instructions, and when the processor executes the instructions, the selection problem processing method based on the multi-party security computing is realized according to any embodiment of the specification.
Drawings
The present description will be further explained by way of exemplary embodiments, which will be described in detail by way of the accompanying drawings. These embodiments are not intended to be limiting, and in these embodiments like numerals are used to indicate like structures, wherein:
FIG. 1 is an exemplary interaction flow diagram of a multi-party secure computing based selection problem handling method according to some embodiments of the present description;
FIG. 2 is an exemplary interaction diagram for obtaining the polynomials
Figure BDA0003205200550000041
h0, h1 and the linear transformation matrix σ according to some embodiments of the present description;
FIG. 3 is an exemplary block diagram of a multi-party secure computing based selection problem processing system implemented on a device of a first party in accordance with some embodiments of the present description;
FIG. 4 is an exemplary block diagram of a multi-party secure computing based selection problem processing system implemented on a device of a second party in accordance with some embodiments of the present description.
Detailed Description
In order to more clearly illustrate the technical solutions of the embodiments of the present disclosure, the drawings used in the description of the embodiments will be briefly described below. It is obvious that the drawings in the following description are only examples or embodiments of the present description, and that for a person skilled in the art, the present description can also be applied to other similar scenarios on the basis of these drawings without inventive effort. Unless otherwise apparent from the context, or otherwise indicated, like reference numbers in the figures refer to the same structure or operation.
It should be understood that "system", "device", "unit" and/or "module" as used herein is a method for distinguishing different components, elements, parts, portions or assemblies at different levels. However, other words may be substituted by other expressions if they accomplish the same purpose.
As used in this specification, the terms "a", "an" and/or "the" do not refer specifically to the singular and may also include the plural, unless the context clearly dictates otherwise. In general, the terms "comprises" and "comprising" merely indicate that the explicitly identified steps and elements are included; these steps and elements do not form an exclusive list, and a method or apparatus may include other steps or elements.
Flow charts are used in this description to illustrate operations performed by a system according to embodiments of the present description. It should be understood that the preceding or following operations are not necessarily performed in the exact order shown. Rather, the various steps may be processed in reverse order or simultaneously. Meanwhile, other operations may be added to the processes, or one or several steps may be removed from the processes.
In mathematics, a "group" is an algebraic structure with a binary operation that satisfies closure, associativity, the existence of an identity element and the existence of inverse elements; the notion covers abelian groups, homomorphisms and conjugacy classes. The symbol of the binary operation may generally be the multiplication sign "*" (which may be omitted when unambiguous) or the addition sign "+"; note that the binary operation is not necessarily the multiplication or addition of ordinary arithmetic. The result of several elements through one or more binary operations may be referred to as a sum.
The binary operation of a group G satisfies: 1. closure: for any elements a, b in G, a * b is still in G; 2. associativity: for any elements a, b and c in G, (a * b) * c = a * (b * c); 3. identity element: there is an element e in G such that a * e = e * a = a; 4. inverse element: for any element a in G there is an element b in G such that a * b = b * a = e, in which case a and b are inverses of each other, where e is the identity element. Note that for a binary operation denoted by "+", e may be called zero and the inverse may be called the negative, and a + (inverse of b) may be written a - b for any elements a, b in G. The order of group operations matters: combining element a with element b does not necessarily give the same result as combining element b with element a, i.e. the commutative law a * b = b * a does not always hold. A group satisfying the commutative law is called an abelian group (commutative group), and a group that does not satisfy it is called a non-abelian group (non-commutative group); an abelian group consists of its own set G and a binary operation.
In mathematics, a mapping is often equivalent to a function. For example, assuming that A and B are two non-empty sets, if for each element x in A there is always a uniquely determined element y in B corresponding to it according to some rule (or law) f, the rule f is called a mapping from A to B; A can be called the initial set, and B can be called the end set. This is written f: A → B; y is called the image of x, denoted y = f(x), and x is a preimage of y; the set A is called the domain of the mapping f, and the set B is called the codomain of f. Further, if different preimages under the mapping f have different images, the mapping f is called an injection (also called injective, or an embedding). In other words, if f(a) = f(b), then a = b (if a ≠ b, then f(a) ≠ f(b)).
Further, the present description relates to quotient groups of the (non-negative) integer abelian group, which may be written G := Z/nZ, where Z is the set of (non-negative) integers, n is a positive integer, the Z to the left of "/" indicates that the group elements are integer multiples of 1, the nZ to the right of "/" indicates that the modulus of the group is n, and the quotient group Z/nZ is the cyclic group of order n formed by the remainders modulo n.
It should be noted that, since a computing device usually uses a fixed number of digits (e.g. bits) to store the values generated during computation, multi-party cooperative computation frequently uses addition and multiplication involving a modulus (hereinafter referred to as modular addition and modular multiplication). In this specification, unless otherwise specified, mathematical expressions involving operation symbols are to be understood preferentially as modular addition and modular multiplication rather than ordinary arithmetic, and the related terms (such as sum, multiplication, product, etc.) are likewise to be understood preferentially in the modular sense.
In some distributed scenarios, multi-party secure computation is required to obtain a target operation result, where security may refer to the correctness of the output result and the confidentiality of the input and output information. For example, in some machine learning scenarios, one party holds private feature data and the other holds private label data. If the target operation result on the private data (feature data/label data) is computed directly, the private data may be inferred once the target operation result is leaked. Therefore, the two parties can each obtain one shared fragment of the private data x, and the sum of the shared fragments obtained by the two parties is x. The two parties then run a secure computation protocol to each obtain one shared fragment of the target operation result f(x), and the sum of the shared fragments of f(x) obtained by the two parties is f(x). In multi-party secure computation involving two parties, an attacker who wants to learn the private data needs to obtain the shared fragments (hereinafter referred to as fragments) of both parties.
Some secure multi-party computation processes involve a selection problem, which may be described as selecting m elements from a set of n elements. The selection problem may be equivalent to: given a mapping f and m preimages P1, P2, …, Pm, calculate the images f(P1), f(P2), …, f(Pm) of the m preimages P1, P2, …, Pm under the mapping f. Here the mapping f maps the set X to the set A, the m preimages P1, P2, …, Pm all belong to the set X, and the number of elements in the set X is n. In some embodiments, for group addition and group multiplication, the set A may be an abelian group, such as Z/nZ. The participants of the secure computation comprise a first party and a second party, wherein the first party holds the private mapping f and the second party holds the m private preimages P1, P2, …, Pm. During the secure computation, the first party does not want to expose the private f, and the second party does not want to expose the m private preimages P1, P2, …, Pm.
By way of example only, in a distributed machine learning scenario, a feature party holds feature data for a large number of samples (e.g., n samples), while a label party holds label data for samples. Training requires the feature party and the label party to align their samples, so that training can be performed at least on the data of m of the n samples (those held by both the feature party and the label party). Specifically, the feature party holds the correspondence between the IDs of the n samples and the feature data (which may be denoted as the mapping f), and the label party holds at least the correspondence between the IDs of the m samples (i.e., the m preimages P1, P2, …, Pm) and the label data; for the same sample, the ID at the feature party is the same as the ID at the label party. During training, the label party needs to obtain from the feature party fragments of the feature data corresponding to the IDs of the m samples, and the feature party also needs to obtain fragments of the feature data of the m samples without knowing which samples those fragments belong to. Data security here includes two aspects: on the one hand, the feature party does not want to disclose more information about the mapping f to the label party; in other words, the feature party wants to provide the label party with at most partial information (e.g., fragments) of the feature data of m of the n samples. On the other hand, the label party does not want the feature party to know which of the n samples its m samples correspond to, i.e., the label party does not want to disclose the IDs of the m samples to the feature party.
For the distribution of the fragments of the feature data, on the premise of ensuring data security, the feature party and the label party each obtain their own fragments of the feature data of the m samples through cooperative computation; that is, the two parties need to securely compute the images f(P1), f(P2), …, f(Pm) of the m preimages P1, P2, …, Pm under the mapping f.
In view of this, the embodiments of the present specification provide a selection problem processing method based on multi-party secure computation. By constructing an embedding q from the set X to the set
Figure BDA0003205200550000061
the m preimages P1, P2, …, Pm are mapped into a vector space, e.g. the set
Figure BDA0003205200550000062
to obtain the corresponding vectors Q1, Q2, …, Qm; the images f(P1), f(P2), …, f(Pm) of the m preimages P1, P2, …, Pm under the mapping f are then converted into the outputs of a polynomial g when the vector elements of Q1, Q2, …, Qm are respectively taken as input (denoted g(Q1), g(Q2), …, g(Qm)). Here the set
Figure BDA0003205200550000063
is the set of m-dimensional vectors with Hamming weight k in which each vector element is 0 or 1 (hereinafter referred to as 0/1 vectors), and Q1, Q2, …, Qm are respectively the images of the m preimages P1, P2, …, Pm under the embedding q. On this basis, by running a multi-party secure computation protocol, the first party holding the mapping f can obtain the first fragments of g(Q1), g(Q2), …, g(Qm) as the first fragments of f(P1), f(P2), …, f(Pm), and the second party holding the m preimages P1, P2, …, Pm can obtain the second fragments of g(Q1), g(Q2), …, g(Qm) as the second fragments of f(P1), f(P2), …, f(Pm).
FIG. 1 is an exemplary interaction flow diagram of a selection problem processing method based on multi-party secure computation according to some embodiments of the present description. In FIG. 1, the steps with the suffix 1 are performed by the first party, which holds the private mapping f, and the steps with the suffix 2 are performed by the second party, which holds the m private preimages P1, P2, …, Pm.
Step 110-1, a polynomial g corresponding to the mapping f and the embedding q is obtained.
Step 110-2, obtaining the images Q1, Q2, …, Qm of the m preimages P1, P2, …, Pm under the embedding q.
The embedding q is common to the first party and the second party, i.e. it is common knowledge of both parties. The embedding q is an injection, and by the definition of an injection the number of elements of the end set is necessarily not less than the number of elements of the initial set. Thus, for the embedding q from the set X to the set
Figure BDA0003205200550000071
the number of elements of the set
Figure BDA0003205200550000072
is not less than the number n of elements of the set X, i.e.
Figure BDA0003205200550000073
For more details on the mapping f and the embedding q, reference may be made to the related description above.
The polynomial g belongs to a polynomial set A[x1, x2, …, xm]k. The polynomials in the set A[x1, x2, …, xm]k have the following characteristics: 1. each is a polynomial of degree k in m variables, where x1, x2, …, xm are the m input elements of the polynomial; 2. the coefficients of each polynomial are elements of the set A. For ease of understanding, the structure of a polynomial in the set A[x1, x2, …, xm]k (hereinafter referred to as a target polynomial) can be expressed in the following mathematical form:
Figure BDA0003205200550000074
wherein
Figure BDA0003205200550000075
i.e. the coefficient of the monomial
Figure BDA0003205200550000076
is an element of the set A. Each monomial is obtained by selecting k input elements from the m input elements x1, x2, …, xm of the polynomial, so that each target polynomial consists of
Figure BDA0003205200550000077
monomials.
The vector elements of an m-dimensional 0/1 vector in the set
Figure BDA0003205200550000078
serve as the input of the target polynomial, and the Hamming weight of each 0/1 vector in the set
Figure BDA0003205200550000079
is k (i.e. only k vector elements of the 0/1 vector are 1). Combined with the structure of the target polynomial, it follows that the output (denoted as g(Q)) of the polynomial g, when the vector elements of the image of any element (denoted as P) of the set X under the embedding q (i.e. a 0/1 vector in the set
Figure BDA00032052005500000710
denoted as Q) are taken as input, is equal to the coefficient of a certain monomial of the polynomial g, and this coefficient is an element of the set A.
Based on this, the computation of f(P) can be converted into the computation of g(Q). Specifically, the polynomial g corresponding to the mapping f and the embedding q may satisfy: the output (denoted as g(Q)) of the polynomial g, when the vector elements of the image (denoted as Q) of any element (denoted as P) of the set X under the injection q are taken as input, is equal to the image (denoted as f(P)) of that element under the injection f, i.e., g(Q) = f(P).
In some embodiments, to ensure that the possible output values of the polynomial g can cover all values of the image under the mapping f (whose number does not exceed the number of elements of the set A, denoted as |A|), the number of monomials of the polynomial g (i.e., the number of monomial coefficients, which is
Figure BDA00032052005500000711
) may be greater than or equal to the number of elements of the set A, i.e.
Figure BDA00032052005500000712
The polynomial set A[x1, x2, …, xm]k has certain mathematical properties, so that after f(P) is converted into g(Q), the shares of g(Q) can be obtained through appropriate mathematical transformations, and the shares of g(Q) can then be used as the shares of f(P). For details, refer to the following description.
Step 120-1, obtaining a polynomial
Figure BDA0003205200550000081
h0
Step 120-2, obtaining a linear transformation matrix σ and a polynomial h1.
The polynomials obtained by the first party,
Figure BDA0003205200550000082
h0, and the linear transformation matrix σ and the polynomial h1 obtained by the second party may satisfy
Figure BDA0003205200550000083
The origin of this relationship is explained in detail below.
First, the mathematical meaning of
Figure BDA0003205200550000084
is explained.
Figure BDA0003205200550000085
denotes the composite polynomial obtained from the polynomial
Figure BDA0003205200550000086
under the action of the linear transformation matrix σ. The linear transformation matrix σ is operated with a vector, for example by matrix multiplication, whereby the positions of the elements in the vector can be changed; σ⁻¹ denotes the inverse matrix of the linear transformation matrix σ, and when it is operated with the result of the above operation, the positions of the elements are restored and the original vector is obtained. The action is such that the output of the composite polynomial, when the vector elements of the matrix product of the linear transformation matrix σ and a first vector are taken as input, is equal to the output of the polynomial
Figure BDA0003205200550000087
when the vector elements of the first vector are taken as input. To facilitate understanding of the action of the linear transformation matrix on the polynomial, denote the first vector, without loss of generality, as V (a column vector is taken as an example here), and denote the matrix product of the linear transformation matrix σ and the first vector as the vector
Figure BDA0003205200550000088
that is,
Figure BDA0003205200550000089
Substituting the vector elements of
Figure BDA00032052005500000810
as input into the composite polynomial
Figure BDA00032052005500000811
yields the polynomial with the vector elements of V as input,
Figure BDA00032052005500000812
that is,
Figure BDA00032052005500000813
In other words, substituting the vector elements of the matrix product of the inverse matrix σ⁻¹ of the linear transformation matrix σ and a second vector (denoted, without loss of generality, as the column vector Y), i.e. σ⁻¹Y, as input into the polynomial
Figure BDA00032052005500000814
yields a polynomial with the vector elements of Y as input,
Figure BDA00032052005500000815
that is,
Figure BDA00032052005500000816
Based on
Figure BDA00032052005500000817
if the polynomial g belongs to the polynomial set A[x1, x2, …, xm]k, then the composite polynomial
Figure BDA00032052005500000818
also belongs to the set; under modular addition, the polynomial set A[x1, x2, …, xm]k forms a group, so that the polynomial
Figure BDA00032052005500000819
in the set can be split into two shares, namely the polynomial h0 and the polynomial h1 (these two shares also belong to the set). In practice, a computer may store a polynomial by storing its individual monomial coefficients, and accordingly may perform operations on the polynomial by operating on the monomial coefficients.
With respect to specific implementations of step 120-1 and step 120-2, reference may be made to fig. 2 and its associated description.
Step 130-1, the polynomial δg is calculated and sent to the device of the second party.
Wherein,
Figure BDA00032052005500000820
After the device of the first party obtains the polynomial g and the polynomial
Figure BDA00032052005500000821
it can calculate δg locally. Further, the device of the first party may send the polynomial δg to the device of the second party, so that the device of the second party can obtain the second share of g(Q1), g(Q2), …, g(Qm) as the second share of f(P1), f(P2), …, f(Pm).
Step 130-2, calculating
Figure BDA00032052005500000822
and sending
Figure BDA00032052005500000823
to the device of the first party.
Wherein,
Figure BDA00032052005500000824
After the device of the second party obtains the linear transformation matrix σ and Q1, Q2, …, Qm, it can locally calculate
Figure BDA00032052005500000825
Further, the device of the second party may send
Figure BDA00032052005500000826
to the device of the first party, so that the device of the first party can obtain the first share of g(Q1), g(Q2), …, g(Qm) as the first share of f(P1), f(P2), …, f(Pm).
Step 140-1, receiving from the device of the second party
Figure BDA0003205200550000091
Step 150-1, calculating the outputs of the polynomial h0 when the vector elements of
Figure BDA0003205200550000092
are respectively taken as input,
Figure BDA0003205200550000093
and, based on
Figure BDA0003205200550000094
obtaining the first share of f(Q1), f(Q2), …, f(Qm).
In some embodiments, the device of the first party may directly take
Figure BDA0003205200550000095
as the first share of g(Q1), g(Q2), …, g(Qm), i.e. obtain the first share of f(P1), f(P2), …, f(Pm). Accordingly, the device of the second party may calculate
Figure BDA0003205200550000096
to obtain the second share of g(Q1), g(Q2), …, g(Qm), i.e. obtain the second share of f(P1), f(P2), …, f(Pm).
Step 140-2, the polynomial δg is received from the device of the first party.
Step 150-2, calculating the outputs δg(Q1), δg(Q2), …, δg(Qm) of the polynomial δg when the vector elements of Q1, Q2, …, Qm are respectively taken as input, calculating the outputs of the polynomial h1 when the vector elements of
Figure BDA0003205200550000097
are respectively taken as input,
Figure BDA0003205200550000098
and, based on δg(Q1), δg(Q2), …, δg(Qm) and
Figure BDA0003205200550000099
obtaining the second share of f(Q1), f(Q2), …, f(Qm).
In some embodiments, the device of the second party may compute
Figure BDA00032052005500000910
Figure BDA00032052005500000911
to obtain the second share of g(Q1), g(Q2), …, g(Qm), i.e. obtain the second share of f(P1), f(P2), …, f(Pm). Accordingly, the device of the first party may take
Figure BDA00032052005500000912
as the first share of g(Q1), g(Q2), …, g(Qm), i.e. obtain the first share of f(P1), f(P2), …, f(Pm).
It can be understood that, based on
Figure BDA00032052005500000913
that is, g(Q) = δg(Q) + h0(σQ) + h1(σQ), the specific way of calculating the shares of g(Q) illustrated in this specification may be adjusted as appropriate, and the adjusted embodiments are still within the scope of this specification. By way of example only, the device of the first party may calculate
Figure BDA00032052005500000914
to obtain g(Q1), and the device of the second party may calculate
Figure BDA00032052005500000915
to obtain g(Q1), wherein k is common knowledge of the first party and the second party.
Returning to the foregoing, the first vector V may also be a row vector, in which case
Figure BDA00032052005500000916
Substituting the vector elements of the row vector
Figure BDA00032052005500000917
as input into the composite polynomial
Figure BDA00032052005500000918
yields the polynomial with the vector elements of the row vector V as input,
Figure BDA00032052005500000919
that is,
Figure BDA00032052005500000920
Accordingly,
Figure BDA00032052005500000921
Regardless of whether the first vector is a row vector or a column vector, the action of the inverse σ⁻¹ of the linear transformation matrix σ on the polynomial g is such that the output of the composite polynomial, when the vector elements of the matrix product of the linear transformation matrix σ and the first vector are taken as input, is equal to the output of the polynomial
Figure BDA00032052005500000922
when the vector elements of the first vector are taken as input; the only difference is whether the associated matrix (e.g. σ, σ⁻¹) multiplies the vector from the left or from the right.
In some embodiments, the linear transformation matrix σ may be an invertible matrix whose matrix elements are 0 or 1 (which may be referred to as an invertible 0/1 matrix); such an invertible matrix may be obtained by a pseudorandom function or by randomly transforming the rows and/or columns of an identity matrix. Since the linear transformation matrix σ operates on a vector Q whose vector elements are 0 or 1 (i.e., 1 bit per vector element), if a linear transformation matrix σ whose matrix elements are 0 or 1 (i.e., 1 bit per matrix element) is used, each vector element of the calculated
Figure BDA0003205200550000101
can also be stored in 1 bit, which saves to the greatest extent the traffic generated by transmitting
Figure BDA0003205200550000102
(see step 130-2).
FIG. 2 is an exemplary interaction diagram, in accordance with some embodiments of the present description, for obtaining the polynomials
Figure BDA0003205200550000103
h0, h1 and the linear transformation matrix σ.
As shown in FIG. 2, the two parties participating in the secure computation may obtain, with the assistance of a third-party device, the polynomials
Figure BDA0003205200550000104
h0, h1 and the linear transformation matrix σ. First, the third-party device may obtain data satisfying
Figure BDA0003205200550000105
namely the polynomials
Figure BDA0003205200550000106
h0, h1 and the linear transformation matrix σ, and then send the polynomials
Figure BDA0003205200550000107
h0 to the device of the first party, and the polynomial h1 and the linear transformation matrix σ to the device of the second party.
To save traffic, a pseudorandom function may be used to generate one or more of the polynomials
Figure BDA0003205200550000108
h0, h1 and the linear transformation matrix σ. The pseudorandom function accepts a seed as input and randomly generates a value (which can be constrained to a certain range, such as the set A) or another type of data; when the seed is fixed, a fixed value or fixed data of another type is generated. Based on this, for any of the polynomials
Figure BDA0003205200550000109
h0, h1 and the linear transformation matrix σ, a participant in the secure computation can agree on a seed with the third-party device in advance, so that both generate the same (equal) data with the pseudorandom function without communicating.
For example, by agreeing on seeds in advance, the device of the first party and the third-party device may use a pseudorandom function to generate the polynomial
Figure BDA00032052005500001010
so as to obtain the polynomial
Figure BDA00032052005500001011
and use a pseudorandom function to generate the polynomial h0, so as to obtain the polynomial h0. Accordingly, by agreeing on a seed in advance, the device of the second party and the third-party device may use a pseudorandom function to generate an invertible linear transformation matrix σ. After generating the polynomials
Figure BDA00032052005500001012
h0 and the linear transformation matrix σ, the third-party device may, based on
Figure BDA00032052005500001013
Figure BDA00032052005500001014
calculate (e.g. according to
Figure BDA00032052005500001015
) the polynomial h1 and send the polynomial h1 to the device of the second party.
As another example, by agreeing on seeds in advance, the device of the second party and the third-party device may use a pseudorandom function to generate the polynomial h1, so as to obtain the polynomial h1, and use a pseudorandom function to generate an invertible linear transformation matrix σ. Accordingly, by agreeing on a seed in advance, the device of the first party and the third-party device may use a pseudorandom function to generate the polynomial
Figure BDA00032052005500001016
so as to obtain the polynomial
Figure BDA00032052005500001017
After generating the polynomials
Figure BDA00032052005500001018
h1 and the linear transformation matrix σ, the third-party device may, based on
Figure BDA00032052005500001019
calculate (e.g. according to
Figure BDA00032052005500001020
) the polynomial h0 and send the polynomial h0 to the device of the first party.
In some embodiments, the device of the first party and/or the second party may also generate one or more of the polynomials
Figure BDA00032052005500001021
h0, h1 and the linear transformation matrix σ, and send the generated data to the third-party device, so that the third-party device, based on the data already provided by the first party and/or the second party and
Figure BDA0003205200550000111
calculates the data still to be calculated among the polynomials
Figure BDA0003205200550000112
h0, h1 and the linear transformation matrix σ. In general, for at least one of the polynomial h0 and the polynomial h1, the third-party device needs to calculate the monomial coefficients and send the calculated monomial coefficients to the device of the corresponding party.
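The exchange of steps 110 to 150, together with the third-party setup of FIG. 2, as an added example that is not code from the patent. It assumes A = Z_17 under modular addition, a lexicographic embedding q, and a permutation matrix for σ (one case of the invertible 0/1 matrix described above); `g_mask` is a hypothetical name for the random polynomial whose symbol is lost on this page, with δg = g - g_mask as implied by the identity g(Q) = δg(Q) + h0(σQ) + h1(σQ).

```python
import itertools
import secrets

N = 17        # A = Z_17 under modular addition (assumed choice of A)
M, K = 6, 3   # vectors are M-dimensional 0/1 vectors with Hamming weight K
SUPPORTS = list(itertools.combinations(range(M), K))  # one monomial per support

def indicator(support):
    return [1 if i in support else 0 for i in range(M)]

def support_of(vec):
    return tuple(i for i, bit in enumerate(vec) if bit)

def embed(x):
    """Public embedding q (assumed): x-th weight-K vector in lexicographic order."""
    return indicator(SUPPORTS[x])

def evaluate(poly, vec):
    """On a weight-K 0/1 input exactly one degree-K monomial equals 1,
    so the output is that monomial's coefficient."""
    return poly[support_of(vec)]

def combine(p, r, sign=1):
    """Coefficient-wise p + sign*r in Z_N."""
    return {s: (p[s] + sign * r[s]) % N for s in SUPPORTS}

def random_poly():
    return {s: secrets.randbelow(N) for s in SUPPORTS}

def random_sigma():
    """Invertible 0/1 matrix: the identity with its rows randomly permuted."""
    perm = list(range(M))
    secrets.SystemRandom().shuffle(perm)
    return [indicator((p,)) for p in perm]

def matvec(sigma, vec):
    return [sum(a * b for a, b in zip(row, vec)) for row in sigma]

def act(sigma, poly):
    """Composite polynomial c defined by c(sigma V) = poly(V)."""
    return {support_of(matvec(sigma, indicator(s))): c for s, c in poly.items()}

def dealer():
    """Third-party device: data satisfying act(sigma, g_mask) = h0 + h1."""
    g_mask, h0, sigma = random_poly(), random_poly(), random_sigma()
    h1 = combine(act(sigma, g_mask), h0, sign=-1)
    return (g_mask, h0), (sigma, h1)

def build_g(f):
    """Step 110-1: g(q(x)) = f(x); monomials not hit by q get coefficient 0."""
    g = dict.fromkeys(SUPPORTS, 0)
    for x, fx in f.items():
        g[support_of(embed(x))] = fx % N
    return g

def run_protocol(f, preimages):
    (g_mask, h0), (sigma, h1) = dealer()                    # steps 120-1 / 120-2
    delta_g = combine(build_g(f), g_mask, sign=-1)          # 130-1: first -> second
    qs = [embed(p) for p in preimages]                      # 110-2
    masked = [matvec(sigma, q) for q in qs]                 # 130-2: second -> first
    share0 = [evaluate(h0, v) for v in masked]              # 150-1
    share1 = [(evaluate(delta_g, q) + evaluate(h1, v)) % N  # 150-2
              for q, v in zip(qs, masked)]
    return share0, share1, masked

if __name__ == "__main__":
    f = {x: (3 * x + 5) % N for x in range(10)}  # constructed private injection X -> A
    preimages = [7, 0, 3, 9, 4, 1]               # constructed private preimages
    s0, s1, _ = run_protocol(f, preimages)
    assert [(a + b) % N for a, b in zip(s0, s1)] == [f[p] for p in preimages]
    print("shares:", s0, s1)
```

The first party only ever sees the permuted vectors σQi and the second party only sees δg, while the two share lists add up to f(Pi) modulo N.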
In some embodiments, for a fixed mapping f, multiple rounds of secure computation may be performed, each round securely computing the images f(P1), f(P2), …, f(Pm) under the mapping f of one group of preimages (each group comprising m preimages P1, P2, …, Pm). For example, in the distributed machine learning scenario introduced above, assume that the tag party holds the tag data of 2^7 samples; the tag party can divide the 2^7 samples into 4 groups of 2^5 samples each. That is, the feature party and the tag party can perform 4 rounds of secure computation, each round securely computing the shares of the feature data corresponding to the IDs of 2^5 samples.
It should be noted that, when the mapping f is unchanged, additionally fixing the embedding q keeps the polynomial g corresponding to the mapping f and the embedding q unchanged, and further fixing the polynomial
Figure BDA0003205200550000113
keeps the polynomial δg unchanged. Therefore, the polynomial δg may be transmitted only once across multiple rounds of secure computation.
Compared with directly performing secure computation of the images of all preimages under the mapping f, dividing the preimages into several groups and performing multiple rounds of secure computation yields a smaller m, and a smaller m reduces the dimensions of a series of data (such as the vectors P and Q, the matrix σ, and the number of monomials contained in a single polynomial), thereby relieving the storage and processing pressure during computation.
It should be noted that the above description of the flow is for illustration and description only and does not limit the scope of the application of the present specification. Various modifications and alterations to the flow may occur to those skilled in the art, given the benefit of this description. However, such modifications and variations are intended to be within the scope of the present description.
FIG. 3 is an exemplary block diagram of a multi-party secure computing based selection problem processing system according to some embodiments of the present description. The system 300 may be implemented on a device of the first party. As shown in fig. 3, the system 300 may include a first obtaining module 310, a second obtaining module 320, a first receiving module 330, a first calculating module 340, and a first transmitting module 350.
The first obtaining module 310 may be configured to obtain a polynomial g corresponding to the injection f and the injection q.
The second obtaining module 320 may be configured to obtain a polynomial
Figure BDA0003205200550000114
h0
The first receiving module 330 may be used to receive from a device of a second party
Figure BDA0003205200550000115
The first calculation module 340 may be used to calculate the outputs of the polynomial h0 when the vector elements of
Figure BDA0003205200550000116
are respectively taken as input,
Figure BDA0003205200550000117
The first sending module 350 may be configured to obtain the polynomial δg and send the polynomial δg to the device of the second party, so that the device of the second party can obtain the second share of f(P1), f(P2), …, f(Pm).
FIG. 4 is an exemplary block diagram of a multi-party secure computing based selection problem processing system according to some embodiments of the present description. The system 400 may be implemented on a device of the first party. As shown in fig. 4, the system 400 may include a third obtaining module 410, a fourth obtaining module 420, a second sending module 430, a second receiving module 440, and a second calculating module 450.
The third obtaining module 410 may be configured to obtain the images Q1, Q2, …, Qm of the m preimages P1, P2, …, Pm under the injection q.
The fourth obtaining module 420 may be used to obtain a linear transformation matrix σ and a polynomial h1.
The second sending module 430 may be used to calculate
Figure BDA0003205200550000121
and send
Figure BDA0003205200550000122
to the device of the first party.
The second receiving module 440 may be configured to receive the polynomial δg from the device of the first party.
The second calculation module 450 may be used to calculate the outputs δg(Q1), δg(Q2), …, δg(Qm) of the polynomial δg when the vector elements of Q1, Q2, …, Qm are respectively taken as input, to calculate the outputs of the polynomial h1 when the vector elements of
Figure BDA0003205200550000123
are respectively taken as input,
Figure BDA0003205200550000124
and, based on δg(Q1), δg(Q2), …, δg(Qm) and
Figure BDA0003205200550000125
to obtain the second share of f(Q1), f(Q2), …, f(Qm).
For more details on the systems 300, 400 and their modules, reference may be made to the process 100 and its associated description.
It should be understood that the systems shown in fig. 3, 4 and their modules may be implemented in a variety of ways. For example, in some embodiments, the system and its modules may be implemented in hardware, software, or a combination of software and hardware. Wherein the hardware portion may be implemented using dedicated logic; the software portions may be stored in a memory for execution by a suitable instruction execution system, such as a microprocessor or specially designed hardware. Those skilled in the art will appreciate that the methods and systems described above may be implemented using computer executable instructions and/or embodied in processor control code, such code being provided, for example, on a carrier medium such as a diskette, CD-or DVD-ROM, a programmable memory such as read-only memory (firmware), or a data carrier such as an optical or electronic signal carrier. The system and its modules in this specification may be implemented not only by hardware circuits such as very large scale integrated circuits or gate arrays, semiconductors such as logic chips, transistors, or programmable hardware devices such as field programmable gate arrays, programmable logic devices, etc., but also by software executed by various types of processors, for example, or by a combination of the above hardware circuits and software (e.g., firmware).
It should be noted that the above description of the system and its modules is for convenience only and should not limit the present disclosure to the illustrated embodiments. It will be appreciated by those skilled in the art that, given the teachings of the system, any combination of modules or sub-system configurations may be used to connect to other modules without departing from such teachings. For example, in some embodiments, the first obtaining module 310 and the second obtaining module 320 may be two modules or may be combined into one module. Such variations are within the scope of the present disclosure.
The beneficial effects that may be brought by the embodiments of the present description include, but are not limited to: the n-to-m problem processing method based on multi-party secure computing is provided, and data privacy of two computing parties can be protected. It is to be noted that different embodiments may produce different advantages, and in different embodiments, any one or combination of the above advantages may be produced, or any other advantages may be obtained.
Having thus described the basic concept, it will be apparent to those skilled in the art that the foregoing detailed disclosure is to be considered merely illustrative and not restrictive of the embodiments herein. Various modifications, improvements and adaptations to the embodiments described herein may occur to those skilled in the art, although not explicitly described herein. Such modifications, improvements and adaptations are proposed in the embodiments of the present specification and thus fall within the spirit and scope of the exemplary embodiments of the present specification.
Also, the description uses specific words to describe embodiments of the description. Reference throughout this specification to "one embodiment," "an embodiment," and/or "some embodiments" means that a particular feature, structure, or characteristic described in connection with at least one embodiment of the specification is included. Therefore, it is emphasized and should be appreciated that two or more references to "an embodiment" or "one embodiment" or "an alternative embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, some features, structures, or characteristics of one or more embodiments of the specification may be combined as appropriate.
Moreover, those skilled in the art will appreciate that aspects of the embodiments of the present description may be illustrated and described in terms of several patentable species or situations, including any new and useful combination of processes, machines, manufacture, or materials, or any new and useful improvement thereof. Accordingly, aspects of embodiments of the present description may be carried out entirely by hardware, entirely by software (including firmware, resident software, micro-code, etc.), or by a combination of hardware and software. The above hardware or software may be referred to as a "data block," "module," "engine," "unit," "component," or "system." Furthermore, aspects of the embodiments of the present specification may be represented as a computer product, including computer readable program code, embodied in one or more computer readable media.
The computer storage medium may comprise a propagated data signal with the computer program code embodied therewith, for example, on baseband or as part of a carrier wave. The propagated signal may take any of a variety of forms, including electromagnetic, optical, etc., or any suitable combination. A computer storage medium may be any computer-readable medium that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code located on a computer storage medium may be propagated over any suitable medium, including radio, cable, fiber optic cable, RF, or the like, or any combination of the preceding.
Computer program code required for operation of various portions of the embodiments of the present description may be written in any one or more programming languages, including an object oriented programming language such as Java, Scala, Smalltalk, Eiffel, JADE, Emerald, C++, C#, VB.NET, Python, and the like, a conventional programming language such as C, Visual Basic, Fortran 2003, Perl, COBOL 2002, PHP, ABAP, a dynamic programming language such as Python, Ruby, and Groovy, or other programming languages, and the like. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or processing device. In the latter scenario, the remote computer may be connected to the user's computer through any network format, such as a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet), or in a cloud computing environment, or as a service, such as a software as a service (SaaS).
In addition, unless explicitly stated in the claims, the order of processing elements and sequences, use of numbers and letters, or use of other names in the embodiments of the present specification are not intended to limit the order of the processes and methods in the embodiments of the present specification. While various presently contemplated embodiments of the invention have been discussed in the foregoing disclosure by way of example, it is to be understood that such detail is solely for that purpose and that the appended claims are not limited to the disclosed embodiments, but, on the contrary, are intended to cover all modifications and equivalent arrangements that are within the spirit and scope of the embodiments herein. For example, although the system components described above may be implemented by hardware devices, they may also be implemented by software-only solutions, such as installing the described system on an existing processing device or mobile device.
Similarly, it should be noted that in the preceding description of embodiments of the specification, various features are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more embodiments of the invention. This method of disclosure, however, is not intended to imply that more features are required than are expressly recited in the claims. Indeed, the embodiments may be characterized as having less than all of the features of a single embodiment disclosed above.
For each patent, patent application publication, and other material, such as articles, books, specifications, publications, documents, etc., cited in this specification, the entire contents of each are hereby incorporated by reference into this specification. Except where the application history document does not conform to or conflict with the contents of the present specification, it is to be understood that the application history document, as used herein in the present specification or appended claims, is intended to define the broadest scope of the present specification (whether presently or later in the specification) rather than the broadest scope of the present specification. It is to be understood that the descriptions, definitions and/or uses of terms in the accompanying materials of this specification shall control if they are inconsistent or contrary to the descriptions and/or uses of terms in this specification.
Finally, it should be understood that the embodiments described herein are merely illustrative of the principles of the embodiments of the present disclosure. Other variations are possible within the scope of the embodiments of the present description. Thus, by way of example, and not limitation, alternative configurations of the embodiments of the specification can be considered consistent with the teachings of the specification. Accordingly, the embodiments of the present description are not limited to only those embodiments explicitly described and depicted herein.

Claims (20)

1. A selection problem processing method based on multi-party secure computation, wherein
the participants of the secure computation comprise a first party and a second party; the first party holds a private injection f, the injection f being from a set X to a set A; the second party holds m private preimages P1, P2, ..., Pm, the m preimages P1, P2, ..., Pm all belonging to the set X, and the number of elements in the set X being n; the first party and the second party share an injection q, the injection q being used to map the elements of the set X to a preset vector space; the method is performed by a device of the first party and comprises:
obtaining a polynomial g corresponding to the injections f and q; wherein the output of the polynomial g, when the vector elements of the image of any element of the set X under the injection q are taken as input, is equal to the image of that element under the injection f;
obtaining a polynomial
Figure FDA00032052005400000112
wherein the polynomials obtained by the first party,
Figure FDA00032052005400000114
and the linear transformation matrix σ and the polynomial h1 obtained by the second party satisfy: for the polynomial
Figure FDA00032052005400000113
the two shares of the composite polynomial obtained under the action of the linear transformation matrix σ are the polynomial h0 and the polynomial h1; wherein the linear transformation matrix σ is used for an operation with a vector to change the positions of elements in the vector, and the action is such that the output of the composite polynomial, when the vector elements of the result of the operation of the linear transformation matrix σ with a first vector are taken as input, is equal to the output of the polynomial
Figure FDA00032052005400000115
when the vector elements of the first vector are taken as input;
receiving, from a device of the second party,
Figure FDA0003205200540000011
respectively corresponding to Q1, Q2, ..., Qm, wherein Q1, Q2, ..., Qm are respectively the images of the m preimages P1, P2, ..., Pm under the injection q, and
Figure FDA0003205200540000012
are the results of the operation of the linear transformation matrix σ with the vectors corresponding to Q1, Q2, ..., Qm;
calculating the outputs of the polynomial h0 when the vector elements of
Figure FDA0003205200540000013
are respectively taken as input,
Figure FDA0003205200540000014
and, based on
Figure FDA0003205200540000015
obtaining the first share of [f(P1), f(P2), ..., f(Pm)];
obtaining a polynomial δg,
Figure FDA0003205200540000016
and sending the polynomial δg to the device of the second party, so that the device of the second party can obtain the second share of [f(P1), f(P2), ..., f(Pm)].
2. The method of claim 1, wherein the vectors in the vector space are m-dimensional with Hamming weight k, and each vector element of a vector is 0 or 1;
the polynomials
Figure FDA0003205200540000017
are all homogeneous polynomials of degree k in m variables, and the coefficients of the monomials in
Figure FDA0003205200540000018
are all elements of the set A.
3. The method of claim 1, wherein the obtaining a polynomial
Figure FDA0003205200540000019
comprises:
generating, using a pseudorandom function, the coefficients of the polynomial
Figure FDA00032052005400000110
to obtain the polynomial
Figure FDA00032052005400000111
and generating the polynomial h_0 using a pseudorandom function, to obtain the polynomial h_0.
4. The method of claim 1, wherein the obtaining a polynomial
Figure FDA0003205200540000021
comprises:
generating, using a pseudorandom function, the coefficients of the polynomial
Figure FDA0003205200540000022
to obtain the polynomial
Figure FDA0003205200540000023
and receiving the polynomial h_0 from a device of a third party, to obtain the polynomial h_0.
5. The method of claim 1, wherein the obtaining, based on
Figure FDA0003205200540000024
the first share of [f(P_1), f(P_2), ..., f(P_m)] comprises:
taking
Figure FDA0003205200540000025
respectively as the first share of [f(P_1), f(P_2), ..., f(P_m)].
6. The method of claim 1, wherein the operation is a matrix product, and each matrix element of the linear transformation matrix σ is 0 or 1.
7. The method of claim 2, wherein the number of elements of the vector space
Figure FDA0003205200540000026
is greater than or equal to the number of elements of the set A.
8. The method of claim 2, wherein the homogeneous polynomial of degree k in m variables is represented as
Figure FDA0003205200540000027
wherein a_{i1,i2...ik} are elements of the set A.
9. A multi-party secure computing based selection problem processing system, wherein,
the participants of the secure computation comprise a first party and a second party; the first party holds a private injection f from the set X to the set A; the second party holds m private preimages P_1, P_2, ..., P_m, all of which belong to the set X, and the number of elements in the set X is n; the first party and the second party share an injection q, which maps the elements of the set X to a preset vector space; the system is implemented on a device of the first party and comprises:
a first obtaining module for obtaining a polynomial g corresponding to the injection f and the injection q; wherein the output of the polynomial g, when the vector elements of the image of any element of the set X under the injection q are taken as input, is equal to the image of that element under the injection f;
a second obtaining module for obtaining a polynomial
Figure FDA0003205200540000028
the polynomial obtained by the first party
Figure FDA0003205200540000029
and the linear transformation matrix σ and the polynomial h_1 obtained by the second party satisfy the following: the polynomial
Figure FDA00032052005400000210
yields, under the action of the linear transformation matrix σ, a composite polynomial whose two shares are the polynomial h_0 and the polynomial h_1; wherein the linear transformation matrix σ is used in an operation with a vector to change the positions of the elements in the vector, and the action is such that the output of the composite polynomial, when the vector elements of the result of the operation between the linear transformation matrix σ and the first vector are taken as input, is equal to the output of the polynomial
Figure FDA00032052005400000211
when the vector elements of the first vector are taken as input;
a first receiving module for receiving from the device of the second party, in respective correspondence with Q_1, Q_2, ..., Q_m,
Figure FDA00032052005400000212
wherein Q_1, Q_2, ..., Q_m are respectively the images of the m preimages P_1, P_2, ..., P_m under the injection q, and
Figure FDA00032052005400000213
are the results of the operation between the linear transformation matrix σ and the corresponding vectors among Q_1, Q_2, ..., Q_m;
a first calculation module for calculating the outputs of the polynomial h_0 when the vector elements of each of
Figure FDA0003205200540000031
are respectively taken as input,
Figure FDA0003205200540000032
and, based on
Figure FDA0003205200540000033
obtaining the first share of [f(P_1), f(P_2), ..., f(P_m)];
a first sending module for obtaining a polynomial δg,
Figure FDA0003205200540000034
and sending the polynomial δg to the device of the second party, so that the device of the second party can obtain the second share of [f(P_1), f(P_2), ..., f(P_m)].
10. A selection problem processing apparatus based on multi-party secure computation, comprising a processor and a storage device for storing instructions which, when executed by the processor, implement the method according to any one of claims 1 to 8.
11. A selection problem processing method based on multi-party secure computation, wherein,
the participants of the secure computation comprise a first party and a second party; the first party holds a private injection f from the set X to the set A; the second party holds m private preimages P_1, P_2, ..., P_m, all of which belong to the set X, and the number of elements in the set X is n; the first party and the second party share an injection q, which maps the elements of the set X to a preset vector space; the method is performed by a device of the second party and comprises:
obtaining the images Q_1, Q_2, ..., Q_m of the m preimages P_1, P_2, ..., P_m under the injection q;
obtaining a linear transformation matrix σ and a polynomial h_1; the polynomial obtained by the first party
Figure FDA0003205200540000035
and the linear transformation matrix σ and the polynomial h_1 obtained by the second party satisfy the following: the polynomial
Figure FDA0003205200540000036
yields, under the action of the linear transformation matrix σ, a composite polynomial whose two shares are the polynomial h_0 and the polynomial h_1; wherein the linear transformation matrix σ is used in an operation with a vector to change the positions of the elements in the vector, and the action is such that the output of the composite polynomial, when the vector elements of the result of the operation between the linear transformation matrix σ and the first vector are taken as input, is equal to the output of the polynomial
Figure FDA00032052005400000314
when the vector elements of the first vector are taken as input;
calculating, in respective correspondence with Q_1, Q_2, ..., Q_m,
Figure FDA0003205200540000037
and sending
Figure FDA0003205200540000038
to the device of the first party, so that the device of the first party can obtain the first share of [f(P_1), f(P_2), ..., f(P_m)]; wherein
Figure FDA0003205200540000039
are the results of the operation between the linear transformation matrix σ and the corresponding vectors among Q_1, Q_2, ..., Q_m;
receiving the polynomial δg from the device of the first party,
Figure FDA00032052005400000310
wherein the output of the polynomial g, when the vector elements of the image of any element of the set X under the injection q are taken as input, is equal to the image of that element under the injection f;
calculating the outputs δg(Q_1), δg(Q_2), ..., δg(Q_m) of the polynomial δg when the vector elements of each of Q_1, Q_2, ..., Q_m are respectively taken as input; calculating the outputs of the polynomial h_1 when the vector elements of each of
Figure FDA00032052005400000311
are respectively taken as input,
Figure FDA00032052005400000312
and, based on δg(Q_1), δg(Q_2), ..., δg(Q_m) and
Figure FDA00032052005400000313
obtaining the second share of [f(P_1), f(P_2), ..., f(P_m)].
12. The method of claim 11, wherein each vector in the vector space is m-dimensional with Hamming weight k, and each vector element of the vector is 0 or 1;
the polynomials
Figure FDA0003205200540000041
are all homogeneous polynomials of degree k in m variables, and the coefficients of the monomials in
Figure FDA0003205200540000042
are all elements of the set A.
13. The method of claim 11, wherein the obtaining a linear transformation matrix σ and a polynomial h_1 comprises:
generating the linear transformation matrix σ using a pseudorandom function;
generating the monomial coefficients of the polynomial h_1 using a pseudorandom function, to obtain the polynomial h_1.
14. The method of claim 11, wherein the obtaining a linear transformation matrix σ and a polynomial h_1 comprises:
generating the linear transformation matrix σ using a pseudorandom function;
receiving the polynomial h_1 from a device of a third party, to obtain the polynomial h_1.
15. The method of claim 11, wherein the obtaining, based on δg(Q_1), δg(Q_2), ..., δg(Q_m) and
Figure FDA0003205200540000043
the second share of [f(P_1), f(P_2), ..., f(P_m)] comprises:
computing
Figure FDA0003205200540000044
to obtain the second share of [f(P_1), f(P_2), ..., f(P_m)].
16. The method of claim 11, wherein the operation is a matrix product, and each matrix element of the linear transformation matrix σ is 0 or 1.
17. The method of claim 12, wherein the number of elements of the vector space
Figure FDA0003205200540000045
is greater than or equal to the number of elements of the set A.
18. The method of claim 12, wherein the homogeneous polynomial of degree k in m variables is represented as
Figure FDA0003205200540000046
wherein a_{i1,i2...ik} are elements of the set A.
19. A multi-party secure computing based selection problem processing system, wherein,
the participants of the secure computation comprise a first party and a second party; the first party holds a private injection f from the set X to the set A; the second party holds m private preimages P_1, P_2, ..., P_m, all of which belong to the set X, and the number of elements in the set X is n; the first party and the second party share an injection q, which maps the elements of the set X to a preset vector space; the system is implemented on a device of the second party and comprises:
a third obtaining module for obtaining the images Q_1, Q_2, ..., Q_m of the m preimages P_1, P_2, ..., P_m under the injection q;
a fourth obtaining module for obtaining a linear transformation matrix σ and a polynomial h_1; the polynomial obtained by the first party
Figure FDA0003205200540000051
and the linear transformation matrix σ and the polynomial h_1 obtained by the second party satisfy the following: the polynomial
Figure FDA0003205200540000052
yields, under the action of the linear transformation matrix σ, a composite polynomial whose two shares are the polynomial h_0 and the polynomial h_1; wherein the linear transformation matrix σ is used in an operation with a vector to change the positions of the elements in the vector, and the action is such that the output of the composite polynomial, when the vector elements of the result of the operation between the linear transformation matrix σ and the first vector are taken as input, is equal to the output of the polynomial
Figure FDA0003205200540000053
when the vector elements of the first vector are taken as input;
a second sending module for calculating, in respective correspondence with Q_1, Q_2, ..., Q_m,
Figure FDA0003205200540000054
and sending
Figure FDA0003205200540000055
to the device of the first party, so that the device of the first party can obtain the first share of [f(P_1), f(P_2), ..., f(P_m)]; wherein
Figure FDA0003205200540000056
are the results of the operation between the linear transformation matrix σ and the corresponding vectors among Q_1, Q_2, ..., Q_m;
a second receiving module for receiving the polynomial δg from the device of the first party,
Figure FDA0003205200540000057
wherein the output of the polynomial g, when the vector elements of the image of any element of the set X under the injection q are taken as input, is equal to the image of that element under the injection f;
a second calculation module for: calculating the outputs δg(Q_1), δg(Q_2), ..., δg(Q_m) of the polynomial δg when the vector elements of each of Q_1, Q_2, ..., Q_m are respectively taken as input; calculating the outputs of the polynomial h_1 when the vector elements of each of
Figure FDA0003205200540000058
are respectively taken as input,
Figure FDA0003205200540000059
and, based on δg(Q_1), δg(Q_2), ..., δg(Q_m) and
Figure FDA00032052005400000510
obtaining the second share of [f(P_1), f(P_2), ..., f(P_m)].
20. A selection problem processing apparatus based on multi-party secure computation, comprising a processor and a storage device for storing instructions which, when executed by the processor, implement the method according to any one of claims 11 to 18.
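The two-party exchange of claims 1 and 11, as an added Python sketch that is not code from the patent or its applicant. The formula images are missing from this page, so the sketch assumes arithmetic modulo a constructed prime, h0 + h1 equal to the σ-composite of the random mask polynomial (called g_mask here), δg = g - g_mask, and a hypothetical dealer() standing in for the pseudorandom or third-party setup of claims 3, 4, 13 and 14; all function names are illustrative.

```python
import secrets
from itertools import combinations

MOD = 2**61 - 1   # assumption: set A is Z_MOD, shares are additive mod MOD
DIM, K = 6, 2     # constructed sizes: 0/1 vectors of length 6, Hamming weight 2
SUPPORTS = list(combinations(range(DIM), K))  # one monomial per weight-K support

def q(x):
    """Shared injection q: element index x -> weight-K 0/1 vector."""
    return [1 if i in SUPPORTS[x] else 0 for i in range(DIM)]

def evaluate(poly, vec):
    """Homogeneous degree-K polynomial {support: coeff} on a 0/1 vector."""
    return sum(c for s, c in poly.items() if all(vec[i] for i in s)) % MOD

def permute(perm, vec):
    """sigma * vec: the element at position i moves to position perm[i]."""
    out = [0] * DIM
    for i, v in enumerate(vec):
        out[perm[i]] = v
    return out

def random_poly():
    return {s: secrets.randbelow(MOD) for s in SUPPORTS}

def dealer():
    """Hypothetical setup: (g~, h0) for party 1 and (sigma, h1) for party 2."""
    g_mask, h0 = random_poly(), random_poly()
    perm = list(range(DIM))
    secrets.SystemRandom().shuffle(perm)
    # Composite of g~ under sigma: composite(sigma * v) == g~(v).
    composite = {tuple(sorted(perm[i] for i in s)): c for s, c in g_mask.items()}
    h1 = {s: (composite[s] - h0[s]) % MOD for s in SUPPORTS}  # h0 + h1 = composite
    return (g_mask, h0), (perm, h1)

def run_protocol(f_table, preimages):
    """f_table[x] = f(x) is party 1's input; preimages are party 2's input."""
    (g_mask, h0), (perm, h1) = dealer()
    # Party 1 builds g with g(q(x)) = f(x); unused supports get coefficient 0.
    g = {s: (f_table[x] if x < len(f_table) else 0)
         for x, s in enumerate(SUPPORTS)}
    # Party 2 -> party 1: permuted images sigma * q(P_i).
    images = [q(p) for p in preimages]
    permuted = [permute(perm, v) for v in images]
    share0 = [evaluate(h0, v) for v in permuted]             # party 1's share
    # Party 1 -> party 2: delta_g = g - g~ (assumed sign convention).
    delta_g = {s: (g[s] - g_mask[s]) % MOD for s in SUPPORTS}
    share1 = [(evaluate(delta_g, v) + evaluate(h1, w)) % MOD  # party 2's share
              for v, w in zip(images, permuted)]
    return share0, share1

def reconstruct(share0, share1):
    return [(a + b) % MOD for a, b in zip(share0, share1)]
```

Each call draws fresh correlated randomness; reusing g_mask with a different g in this sketch would let party 2 subtract the two δg polynomials and learn the difference of the two g polynomials. Because one σ is applied to every query, party 1 can see which permuted vectors are equal.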
CN202110915009.5A 2021-08-10 2021-08-10 Selection problem processing method based on multi-party security calculation Pending CN113626841A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110915009.5A CN113626841A (en) 2021-08-10 2021-08-10 Selection problem processing method based on multi-party security calculation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110915009.5A CN113626841A (en) 2021-08-10 2021-08-10 Selection problem processing method based on multi-party security calculation

Publications (1)

Publication Number Publication Date
CN113626841A true CN113626841A (en) 2021-11-09

Family

ID=78384128

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110915009.5A Pending CN113626841A (en) 2021-08-10 2021-08-10 Selection problem processing method based on multi-party security calculation

Country Status (1)

Country Link
CN (1) CN113626841A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113987559A (en) * 2021-12-24 2022-01-28 支付宝(杭州)信息技术有限公司 Method and device for jointly processing data by two parties for protecting data privacy

Similar Documents

Publication Publication Date Title
Zheng et al. Aggregation service for federated learning: An efficient, secure, and more resilient realization
US9515828B2 (en) Sharing a secret via linear interpolation
CN113761469B (en) Highest bit carry calculation method for protecting data privacy
CN113158239B (en) Selection problem processing method for protecting data privacy
Zheng et al. Securely and efficiently outsourcing decision tree inference
US7995764B2 (en) Sharing a secret using hyperplanes over GF(2m)
Hu et al. Secure outsourced computation of the characteristic polynomial and eigenvalues of matrix
Abdoun et al. Designing two secure keyed hash functions based on sponge construction and the chaotic neural network
JP2019095635A (en) Processing device, inference device, learning device, processing system, processing method, and processing program
Liu et al. : Towards Secure and Lightweight Deep Learning as a Medical Diagnostic Service
Zheng et al. Towards secure and practical machine learning via secret sharing and random permutation
Zhang et al. Enhanced certificateless auditing protocols for cloud data management and transformative computation
Kim et al. HyPHEN: A Hybrid Packing Method and Its Optimizations for Homomorphic Encryption-Based Neural Networks
CN113626841A (en) Selection problem processing method based on multi-party security calculation
Hao et al. Fastsecnet: An efficient cryptographic framework for private neural network inference
Li et al. GPU accelerated full homomorphic encryption cryptosystem, library and applications for iot systems
CN117313119A (en) Application code encryption verification method and device and computer equipment
Ugwuoke et al. Secure fixed-point division for homomorphically encrypted operands
Ganesan et al. Efficient ml models for practical secure inference
Tang et al. LPCP: An efficient privacy-preserving protocol for polynomial calculation based on CRT
Chung et al. Encoding of rational numbers and their homomorphic computations for FHE-based applications
Ebel et al. Orion: A Fully Homomorphic Encryption Compiler for Private Deep Neural Network Inference
Sawka et al. A sponge-based key expansion scheme for modern block ciphers
Song et al. Protecting function privacy and input privacy in the publicly verifiable outsourcing computation of polynomial functions
Zhang et al. Joint Linear and Nonlinear Computation across Functions for Efficient Privacy-Preserving Neural Network Inference

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination