CN113821826B - Boolean circuit, method and system for realizing exclusive or slicing input and output - Google Patents


Publication number
CN113821826B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111163344.0A
Other languages
Chinese (zh)
Other versions
CN113821826A (en
Inventor
赵原
尹栋
张启超
李漓春
殷山
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alipay Hangzhou Information Technology Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245: Protecting personal data, e.g. for financial or medical purposes

Abstract

The embodiments of this specification provide a Boolean circuit, a method and a system for realizing exclusive-or sliced input and output, implemented through secure multiparty computation, for example as a garbled circuit. The Boolean circuit includes: an input processing unit, which receives an n-bit first data slice input by a first party and an n-bit second data slice input by a second party, and obtains the input data through n first exclusive-or gates, where each first exclusive-or gate receives the target bit of the first data slice and the target bit of the second data slice and outputs the target bit of the input data; and a computing unit, which receives the input data obtained by the input processing unit and performs a preset function computation on it to obtain a calculation result, such that after the Boolean circuit has been executed, a first result fragment of the calculation result is held by the first party and a second result fragment of the calculation result is held by the second party. The Boolean circuit can receive exclusive-or sliced input and produce exclusive-or sliced output while protecting private data.

Description

Boolean circuit, method and system for realizing exclusive or slicing input and output
Technical Field
One or more embodiments of the present description relate to the field of computers, and more particularly, to boolean circuits, methods, and systems for implementing exclusive-or sliced input/output.
Background
Secure multiparty computation, also called multiparty secure computation, means that several parties jointly compute the result of a function without revealing any party's input data to the others, with the computed result revealed to one or more of the parties. The parties' input data is often private data.
When secure multiparty computation is implemented with a Boolean circuit, it may be required that the input of the Boolean circuit is an exclusive-or sharing between the two parties, and likewise its output.
Disclosure of Invention
One or more embodiments of the present specification describe a boolean circuit, a method, and a system for implementing exclusive-or slicing input and output, where the boolean circuit can receive exclusive-or slicing input and output exclusive-or slicing on the premise of protecting private data.
In a first aspect, a boolean circuit for implementing exclusive-or sliced input/output is provided, the boolean circuit comprising:
The input processing unit receives n-bit first data fragments input by a first party and n-bit second data fragments input by a second party, and obtains input data through n first exclusive-OR gates; wherein each of the first exclusive-or gates receives a target bit of the first data slice and the target bit of the second data slice, and outputs the target bit of the input data;
and the computing unit is used for receiving the input data obtained by the input processing unit, carrying out preset function computation on the input data to obtain a computing result, so that after the Boolean circuit is executed, a first result fragment of the computing result is held by the first party, and a second result fragment of the computing result is held by the second party.
In one possible embodiment, the preset function calculation is used to implement at least one of the following functions:
mathematical operation, comparison operation, selection operation.
In one possible implementation, the boolean circuit is implemented as a garbled circuit.
Further, for each line in the Boolean circuit, the first party assigns a first labeling character string to truth value 0 and a second labeling character string to truth value 1, and for each line the second labeling character string equals the first labeling character string exclusive-ored with an offset value; different lines share the same offset value.
In a second aspect, a method for splitting data slices is provided, which is used for splitting the calculation result of the boolean circuit in the first aspect, and includes:
the first party selects a global offset value, the predetermined bit of the offset value being 1;
the first party determines, for each line in the Boolean circuit, a first labeling character string corresponding to truth value 0 and a second labeling character string corresponding to truth value 1, such that for each line the second labeling character string equals the first labeling character string exclusive-ored with the offset value;
the first party determines the first result fragment according to the predetermined bit of the first labeling character string corresponding to truth value 0 of the output line of the calculation result;
the second party obtains from the first party a third labeling character string corresponding to the actual truth value of each input line, computes from the third labeling character strings of the input lines a fourth labeling character string corresponding to the actual truth value of each output line, and determines the second result fragment according to the predetermined bit of the fourth labeling character string.
In one possible embodiment, the predetermined bit is the lowest bit.
In a possible implementation, the first result slice or the second result slice is equal to the calculation result.
In one possible implementation, the calculation result corresponds to a plurality of output lines;
The first party determines the first result fragment according to the preset bit of the first labeling character string corresponding to the true value 0 of the output line of the calculation result, and the method comprises the following steps:
combining preset bits of a first labeling character string corresponding to true value 0 of the plurality of output lines by the first party to obtain the first result fragment;
the second party determining the second result fragment according to the predetermined bit of the fourth labeling character string comprises:
the second party combines the predetermined bits of the fourth labeling character strings of the plurality of output lines to obtain the second result fragment.
In a third aspect, a system for splitting data slices is provided, where the system is configured to split a calculation result of the boolean circuit in the first aspect, and includes:
the first party is configured to select a global offset value whose predetermined bit is 1; to determine, for each line in the Boolean circuit, a first labeling character string corresponding to truth value 0 and a second labeling character string corresponding to truth value 1, such that for each line the second labeling character string equals the first labeling character string exclusive-ored with the offset value; and to determine the first result fragment according to the predetermined bit of the first labeling character string corresponding to truth value 0 of the output line of the calculation result;
the second party is configured to obtain from the first party a third labeling character string corresponding to the actual truth value of each input line, to compute from the third labeling character strings of the input lines a fourth labeling character string corresponding to the actual truth value of each output line, and to determine the second result fragment according to the predetermined bit of the fourth labeling character string.
In a fourth aspect, a boolean circuit for implementing exclusive-or sliced input/output is provided, the boolean circuit comprising:
The input processing unit receives n-bit first data fragments input by a first party and n-bit second data fragments input by a second party, and obtains input data through n first exclusive-OR gates; wherein each of the first exclusive-or gates receives a target bit of the first data slice and the target bit of the second data slice, and outputs the target bit of the input data;
The computing unit is used for receiving the input data obtained by the input processing unit, and performing preset function computation on the input data to obtain a computing result;
The splitting unit is used for receiving the calculation result obtained by the calculation unit and the first result fragments of the calculation result input by the first party, obtaining second result fragments of the calculation result through second exclusive-OR gates with the same number of bits as the calculation result, and providing the second result fragments for the second party; and each second exclusive-or gate receives the target bit of the calculation result and the target bit of the first result fragment and outputs the target bit of the second result fragment.
In one possible embodiment, the preset function calculation is used to implement at least one of the following functions:
mathematical operation, comparison operation, selection operation.
In one possible implementation, the boolean circuit is implemented as a garbled circuit.
In one possible implementation, for each line in the Boolean circuit, the first party assigns a first labeling character string to truth value 0 and a second labeling character string to truth value 1, and for each line the second labeling character string equals the first labeling character string exclusive-ored with an offset value; different lines share the same offset value.
In a fifth aspect, a method for splitting data slices is provided, which is used for splitting the calculation result of the boolean circuit in the fourth aspect, and includes:
The first party selects a global offset value;
the first party determines, for each line in the Boolean circuit, a first labeling character string corresponding to truth value 0 and a second labeling character string corresponding to truth value 1, such that for each line the second labeling character string equals the first labeling character string exclusive-ored with the offset value;
the first party randomly generates a first result fragment of the calculation result;
The second party obtains a labeling character string corresponding to a true value of an output line of the second exclusive-OR gate through exclusive-OR calculation based on a third labeling character string corresponding to a first result fragment in an input line of the second exclusive-OR gate obtained from the first party and a fourth labeling character string corresponding to the calculation result in the input line of the second exclusive-OR gate, and determines the second result fragment according to the labeling character string.
In a sixth aspect, a system for splitting data slices is provided, where the system is configured to split the calculation result of the boolean circuit in the fourth aspect, and includes:
the first party is configured to select a global offset value; to determine, for each line in the Boolean circuit, a first labeling character string corresponding to truth value 0 and a second labeling character string corresponding to truth value 1, such that for each line the second labeling character string equals the first labeling character string exclusive-ored with the offset value; and to randomly generate a first result fragment of the calculation result;
The second party is configured to obtain, through exclusive or calculation, a labeling string corresponding to a true value of an output line of the second exclusive or gate based on a third labeling string corresponding to a first result slice in an input line of the second exclusive or gate obtained from the first party and a fourth labeling string corresponding to the calculation result in the input line of the second exclusive or gate, and determine the second result slice according to the labeling string.
In a seventh aspect, there is provided a computer readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of the second or fifth aspect.
In an eighth aspect, there is provided a computing device comprising a memory having executable code stored therein and a processor which when executing the executable code implements the method of the second or fifth aspect.
With the Boolean circuit, method and system provided by the embodiments of this specification, the Boolean circuit comprises: an input processing unit, which receives an n-bit first data slice input by a first party and an n-bit second data slice input by a second party, and obtains the input data through n first exclusive-or gates, where each first exclusive-or gate receives a target bit of the first data slice and the target bit of the second data slice and outputs the target bit of the input data; and a computing unit, which receives the input data obtained by the input processing unit and performs a preset function computation on it to obtain a calculation result, such that after the Boolean circuit has been executed, a first result fragment of the calculation result is held by the first party and a second result fragment of the calculation result is held by the second party. In this structure, the input processing unit merges the data slices through exclusive-or gates, so the Boolean circuit can receive exclusive-or sliced input; the computing unit obtains the calculation result, which does not need to be split by any additional circuit structure, and after the Boolean circuit has been executed the first party and the second party each hold one result fragment of the calculation result. The Boolean circuit can therefore receive exclusive-or sliced input and produce exclusive-or sliced output while protecting private data. In addition, because merging the data slices uses no AND gates and no extra circuit structure is needed to split the calculation result, the communication cost of executing the Boolean circuit is low.
Correspondingly, a method for splitting data fragments is used to split the calculation result of this Boolean circuit. First, the first party selects a global offset value whose predetermined bit is 1; then, the first party determines, for each line in the Boolean circuit, a first labeling character string corresponding to truth value 0 and a second labeling character string corresponding to truth value 1, such that for each line the second labeling character string equals the first labeling character string exclusive-ored with the offset value; then, the first party determines the first result fragment according to the predetermined bit of the first labeling character string corresponding to truth value 0 of the output line of the calculation result; finally, the second party obtains from the first party a third labeling character string corresponding to the actual truth value of each input line, computes from the third labeling character strings of the input lines a fourth labeling character string corresponding to the actual truth value of each output line, and determines the second result fragment according to the predetermined bit of the fourth labeling character string.
As can be seen from the above, in the embodiments of this specification the first party chooses the labeling character strings in a special way, so that for every line the labeling character string for truth value 0 and the labeling character string for truth value 1 differ in the predetermined bit. Accordingly, the predetermined bit of the labeling character string for truth value 0 of an output line and the predetermined bit of the labeling character string for the actual truth value of that output line together form an exclusive-or sharing of the actual truth value of the output line, so that after the Boolean circuit has been executed the first party and the second party each hold one result fragment of the calculation result.
Another Boolean circuit includes: an input processing unit, which receives an n-bit first data slice input by a first party and an n-bit second data slice input by a second party, and obtains the input data through n first exclusive-or gates, where each first exclusive-or gate receives a target bit of the first data slice and the target bit of the second data slice and outputs the target bit of the input data; a computing unit, which receives the input data obtained by the input processing unit and performs a preset function computation on it to obtain a calculation result; and a splitting unit, which receives the calculation result obtained by the computing unit and a first result fragment of the calculation result input by the first party, obtains a second result fragment of the calculation result through as many second exclusive-or gates as the calculation result has bits, and provides the second result fragment to the second party, where each second exclusive-or gate receives the target bit of the calculation result and the target bit of the first result fragment and outputs the target bit of the second result fragment. In this structure, the input processing unit merges the data slices through exclusive-or gates, so the Boolean circuit can receive exclusive-or sliced input; the computing unit obtains the calculation result, and the splitting unit splits it through exclusive-or gates, so that the first party and the second party each hold one result fragment of the calculation result. The Boolean circuit can therefore receive exclusive-or sliced input and produce exclusive-or sliced output while protecting private data. In addition, neither merging the data slices nor splitting the calculation result uses an AND gate, so the communication cost of executing the Boolean circuit is low.
Correspondingly, a method for splitting data fragments is used to split the calculation result of this Boolean circuit. First, the first party selects a global offset value; then, the first party determines, for each line in the Boolean circuit, a first labeling character string corresponding to truth value 0 and a second labeling character string corresponding to truth value 1, such that for each line the second labeling character string equals the first labeling character string exclusive-ored with the offset value; then, the first party randomly generates a first result fragment of the calculation result; finally, the second party obtains, through exclusive-or calculation, the labeling character string corresponding to the truth value of the output line of the second exclusive-or gate, based on a third labeling character string, obtained from the first party, corresponding to the first result fragment on an input line of the second exclusive-or gate and a fourth labeling character string corresponding to the calculation result on an input line of the second exclusive-or gate, and determines the second result fragment according to that labeling character string. As can be seen from the above, in the embodiments of this specification the calculation result is split with exclusive-or gates, and because the labeling character strings are chosen in this special way the first party does not need to send the second party a garbled table for the exclusive-or gates: the second party obtains the labeling character string of an exclusive-or gate's output line by exclusive-oring the labeling character strings of its input lines obtained from the first party, and the result fragment can be determined from that labeling character string.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic illustration of an implementation scenario of an embodiment disclosed herein;
FIG. 2 illustrates a schematic diagram of a Boolean circuit architecture implementing exclusive-OR sliced input/output in accordance with one embodiment;
FIG. 3 illustrates a method interaction diagram for splitting a data slice, according to one embodiment;
FIG. 4 illustrates a schematic block diagram of a system for splitting data slices, according to one embodiment;
FIG. 5 shows a schematic diagram of a Boolean circuit implementing exclusive-OR sliced input/output in accordance with another embodiment;
FIG. 6 illustrates a method interaction diagram for splitting a data slice according to another embodiment;
FIG. 7 shows a schematic block diagram of a system for splitting data slices according to another embodiment.
Detailed Description
The following describes the scheme provided in the present specification with reference to the drawings.
Fig. 1 is a schematic diagram of an implementation scenario of an embodiment disclosed in this specification. The implementation scenario involves a Boolean circuit for realizing exclusive-or sliced input and output: the input of the Boolean circuit is an exclusive-or sharing provided by two parties, the Boolean circuit is executed jointly by the two parties through secure multiparty computation, and the exclusive-or slices output by the Boolean circuit are held by the two parties. Each party may be implemented as any device, platform, server or cluster of devices with computing and processing capability. Exclusive-or slicing (XORShare) splits a bit string into two bit slices using exclusive-or: exclusive-oring the two slices recovers the original bit string, and each of the two parties holds one slice. A Boolean circuit is a set of logic gates connected by lines that can perform a function computation on a set of inputs and output the result. Logic gates include gates implementing Boolean functions such as AND gates (AND), exclusive-or gates (XOR) and NOT gates (NOT), and typically a function can be compiled into a set of AND gates, exclusive-or gates and NOT gates that carries out the computation.
Referring to fig. 1, the input of the Boolean circuit is an exclusive-or sharing provided by the two parties: the first party provides an n-bit data slice a0 and the second party provides an n-bit data slice a1, and exclusive-oring a0 and a1 yields the input data. The Boolean circuit is executed jointly by the two parties through secure multiparty computation, for example as a garbled circuit, to obtain a calculation result r. The exclusive-or slices output by the Boolean circuit are likewise held by the two parties: the result slice obtained by the first party is r0 and the result slice obtained by the second party is r1, and exclusive-oring r0 and r1 yields the calculation result r.
The garbled circuit (Garbled Circuit, GC) is a two-party secure multiparty computation protocol. It uses cryptographic functions to generate garbled tables for a Boolean circuit implementing a computation function, and computes the result on the two parties' inputs without leaking either party's input to the other during the computation. In the best current implementations of the garbled circuit, exclusive-or gates and NOT gates need no communication and only local computation, while AND gates require cryptographic computation and communication; the communication traffic is the bottleneck for throughput in typical application scenarios. The traffic of the garbled circuit is positively correlated with the number of AND gates in the Boolean circuit.
The embodiment of the specification provides a Boolean circuit for realizing exclusive-OR slicing input and output, which can receive exclusive-OR slicing input and output exclusive-OR slicing on the premise of protecting private data, and has low communication cost in the execution process. The communication costs include traffic and the number of communication rounds.
Fig. 2 is a schematic diagram of a boolean circuit for implementing xor slicing input and output according to one embodiment, which may be based on the implementation scenario shown in fig. 1, and is configured to receive data slices of input data, obtain a calculation result after performing a preset function calculation, and output a result slice of the calculation result. As shown in fig. 2, the boolean circuit 200 includes:
An input processing unit 21 for receiving the n-bit first data slices input by the first party and the n-bit second data slices input by the second party, and obtaining input data through n first exclusive-or gates; wherein each of the first exclusive-or gates receives a target bit of the first data slice and the target bit of the second data slice, and outputs the target bit of the input data;
the calculating unit 22 receives the input data obtained by the input processing unit 21, performs a preset function calculation on the input data to obtain a calculation result, so that after the boolean circuit is executed, a first result slice of the calculation result is held by the first party, and a second result slice of the calculation result is held by the second party.
It can be understood that the input of the single first exclusive or gate is the ith bit of the first data slice and the second data slice, and the output is the ith bit of the input data obtained after the combination of the first data slice and the second data slice.
Exclusive-or gate: c = xor(a, b), representing c = a ⊕ b.
For the data slices a0 and a1 input by the two parties, the input processing unit 21 calculates a[i] = xor(a0[i], a1[i]), 0 <= i <= len(a0), where a0[i] represents the ith bit of a0, a1[i] represents the ith bit of a1, and a[i] represents the ith bit of the input data a.
In one example, the preset function calculation is used to implement at least one of the following functions:
mathematical operation, comparison operation, selection operation.
In this example, the mathematical operation may include, but is not limited to, addition, subtraction, multiplication and division, and the Boolean circuit can serve as a computation operator in secure multiparty computation that implements the preset function computation. When the Boolean circuit implements a computation, its input may be a secure input, that is, a sharing between the two parties, and its output is generally also a sharing between the two parties, so that the intermediate result is not leaked, the party obtaining the result is prevented from inferring the input of the Boolean circuit, and the output can serve as the starting point of the next secure computation. The Boolean circuit uses exclusive-or slicing for its input and output in order to reduce the computation and communication cost of input and output processing.
In one example, the boolean circuit employs an implementation of a garbled circuit.
Further, for each line in the Boolean circuit, the first party assigns a first labeling character string to truth value 0 and a second labeling character string to truth value 1, and for each line the second labeling character string equals the first labeling character string exclusive-ored with an offset value; different lines share the same offset value.
In this example, the first party corresponds to the Garbler in the garbled circuit and the second party corresponds to the Evaluator in the garbled circuit.
In the structure of the Boolean circuit provided in the embodiments of this specification, the input processing unit 21 merges the data slices through exclusive-or gates, so the Boolean circuit can receive exclusive-or sliced input; the calculation unit 22 obtains a calculation result that does not need to be split by any additional circuit structure, and after the Boolean circuit has been executed the first party and the second party each hold one result slice of the calculation result. The Boolean circuit can therefore receive exclusive-or sliced input and produce exclusive-or sliced output while protecting private data. In addition, because merging the data slices uses no AND gates and no extra circuit structure is needed to split the calculation result, the communication cost of executing the Boolean circuit is low.
FIG. 3 illustrates a schematic interaction diagram of a method of splitting a data slice, which may be based on the implementation scenario illustrated in FIG. 1, for splitting the calculation results of the Boolean circuit illustrated in FIG. 2, according to one embodiment. As shown in fig. 3, the method for splitting data slices in this embodiment includes the following steps: step 31, the first party selects a global offset value, the predetermined bit of which is 1; step 32, the first party determines a first labeling character string corresponding to a true value 0 and a second labeling character string corresponding to a true value 1 of each line in the boolean circuit, and satisfies that the second labeling character string is equal to the first labeling character string or the offset value for each line; step 33, the first party determines the first result fragment according to the preset bit of the first labeling character string corresponding to the true value 0 of the output line of the calculation result; step 34, the second party obtains a third labeling character string corresponding to the actual true value of each input line from the first party; step 35, the second party calculates a fourth labeling character string corresponding to the actual true value of the output line according to the third labeling character string of each input line; step 36, the second party determines the second result fragment according to the pre-positioning of the fourth labeling character string. Specific implementations of the above steps are described below.
First, in step 31, the first party selects a global offset value, the pre-determined bit of which is 1. It will be appreciated that different lines correspond to the same offset value.
The first party corresponds to the Garbler party in the garbled circuit.
In the embodiment of the present disclosure, the offset value and each labeling string are binary numbers with the same number of bits, and any bit of the offset value may be designated as the predetermined bit.
In one example, the predetermined bit is the lowest bit. In this example, the bit value of the lowest bit of the offset value is 1, and taking an offset value of 4-bit binary number as an example, the offset value may be selected as 1001, 0001, 0101, but may not be selected as 1000, 0000, 0100.
Then, in step 32, the first party determines a first labeling string corresponding to a true value 0 and a second labeling string corresponding to a true value 1 for each line in the boolean circuit, such that for each line the second labeling string is equal to the exclusive-or of the first labeling string and the offset value. It will be appreciated that the lines referred to here include both the input lines and the output lines of the boolean circuit.
In the embodiment of the present disclosure, the first party selects a global offset value Δ, and for the labeling string L0 of true value 0 and the labeling string L1 of true value 1 of each line in the circuit, L1 = L0 ⊕ Δ. Because the predetermined bit of Δ is 1, the predetermined bits of L0 and L1 of the same line are different.
Next, in step 33, the first party determines the first result fragment according to the predetermined bit of the first labeling string corresponding to the true value 0 of the output line of the calculation result. It will be appreciated that if the calculation result corresponds to only one output line, the predetermined bit may be used directly as the first result fragment.
In one example, the calculation result corresponds to a plurality of output lines;
The first party determining the first result fragment according to the predetermined bit of the first labeling character string corresponding to the true value 0 of the output line of the calculation result comprises:
the first party combining the predetermined bits of the first labeling character strings corresponding to true value 0 of the plurality of output lines to obtain the first result fragment.
In step 34, the second party obtains a third labeling string corresponding to the actual true value of each input line from the first party. It can be appreciated that the boolean circuit generally has a plurality of input lines; the first party holds the actual true values of some input lines and the second party holds the actual true values of the others. The first party can directly send the second party the labeling character strings corresponding to the actual true values of its own input lines, and, because the actual true values of the other input lines are held by the second party, the first party sends the labeling character strings corresponding to those values to the second party by oblivious transfer.
The second party corresponds to the Evaluator party in the garbled circuit.
For example, a boolean circuit has two input lines, denoted as L1 and L2, respectively. The first party holds the actual true value 0 of L1 and the second party holds the actual true value 1 of L2. The first party can directly send the labeling character string corresponding to the true value 0 of L1 to the second party, and, because the actual true value 1 of L2 is held by the second party, the first party sends the labeling character string corresponding to the true value 1 of L2 to the second party by oblivious transfer. The second party thereby obtains the labeling character strings corresponding to the actual true values of all the input lines.
In step 35, the second party calculates a fourth labeling string corresponding to the actual true value of the output line according to the third labeling string of each input line. It can be understood that the second party can calculate the labeling character string corresponding to the actual true value of the output line by decrypting the garbled table, by a logical operation, or by a combination of the two.
In this embodiment of the present disclosure, the first party may generate garbled tables for all or part of the boolean gates in the boolean circuit and then send the garbled tables corresponding to those gates to the second party, so that the second party can calculate, by decrypting the garbled tables, the labeling string corresponding to the actual true value of the output line.
Finally, in step 36, the second party determines the second result fragment according to the predetermined bit of the fourth labeling string. It will be appreciated that if the calculation result corresponds to only one output line, the predetermined bit may be used directly as the second result fragment.
In one example, the calculation result corresponds to a plurality of output lines;
the second party determining the second result fragment according to the predetermined bit of the fourth labeling character string comprises:
the second party combining the predetermined bits of the fourth labeling character strings of the plurality of output lines to obtain the second result fragment.
In one example, the first result slice or the second result slice is equal to the calculation result.
For example, the first party selects a global offset value Δ, and for the labeling string L0 of true value 0 and the labeling string L1 of true value 1 of each line in the circuit, L1 = L0 ⊕ Δ, where the predetermined bit of Δ is 1, so the predetermined bits of L0 and L1 of the same line are different. Take the lowest bit as the predetermined bit. The lowest bit of L0 is called the permute bit, and the first party knows the permute bit of the output line. The second party calculates the labeling string Li corresponding to the actual true value of the output line, whose lowest bit is called the select bit. The actual true value of the output line is bit = permute bit ⊕ select bit.
According to the method provided by the embodiment of the specification, the first party selects the labeling character strings in a special way, so that for each line the labeling character string corresponding to the true value 0 and the labeling character string corresponding to the true value 1 differ in the predetermined bit. Correspondingly, the predetermined bit of the labeling character string corresponding to the true value 0 of the output line and the predetermined bit of the labeling character string corresponding to the actual true value of the output line are exclusive-or slices of that actual true value, so that after the boolean circuit is executed, the first party and the second party each obtain one result fragment of the calculation result.
According to another aspect of the present invention, there is further provided a system for splitting data slices, for splitting the calculation result of the boolean circuit shown in fig. 2, the system including a first party and a second party for executing the actions executed by the first party and the second party in the method shown in fig. 3 provided in the embodiments of the present specification. FIG. 4 illustrates a schematic block diagram of a system for splitting data slices, according to one embodiment. As shown in fig. 4, the system 400 includes:
A first party 41 for selecting a global offset value, the predetermined bit of the offset value being 1; determining a first labeling character string corresponding to a true value 0 and a second labeling character string corresponding to a true value 1 of each line in the Boolean circuit, wherein for each line the second labeling character string is equal to the exclusive-or of the first labeling character string and the offset value; and determining the first result fragment according to the predetermined bit of the first labeling character string corresponding to the true value 0 of the output line of the calculation result;
The second party 42 is configured to obtain a third labeling string corresponding to an actual true value of each input line from the first party 41, calculate a fourth labeling string corresponding to an actual true value of each output line according to the third labeling string of each input line, and determine the second result fragment according to the predetermined bit of the fourth labeling string.
Optionally, as an embodiment, the predetermined bit is the lowest bit.
Optionally, as an embodiment, the first result slice or the second result slice is equal to the calculation result.
Optionally, as an embodiment, the calculation result corresponds to a plurality of output lines;
The first party 41 is specifically configured to combine the predetermined bits of the first labeling strings corresponding to true value 0 of the plurality of output lines to obtain the first result fragment;
The second party 42 is specifically configured to combine the predetermined bits of the fourth labeling strings of the plurality of output lines to obtain the second result slice.
Fig. 5 is a schematic diagram of a boolean circuit for implementing xor slicing input and output according to another embodiment, which may be based on the implementation scenario shown in fig. 1, and is configured to receive data slices of input data, obtain a calculation result after performing a preset function calculation, split the calculation result, and output a result slice of the calculation result. As shown in fig. 5, the boolean circuit 500 includes:
An input processing unit 51 for receiving the n-bit first data slices input by the first party and the n-bit second data slices input by the second party, and obtaining input data through n first exclusive-or gates; wherein each of the first exclusive-or gates receives a target bit of the first data slice and the target bit of the second data slice, and outputs the target bit of the input data;
a calculating unit 52, configured to receive the input data obtained by the input processing unit 51, and perform a preset function calculation on the input data to obtain a calculation result;
A splitting unit 53, configured to receive the calculation result obtained by the calculating unit 52 and the first result slice of the calculation result input by the first party, obtain a second result slice of the calculation result by using the same number of second exclusive-or gates as the number of bits of the calculation result, and provide the second result slice to the second party; and each second exclusive-or gate receives the target bit of the calculation result and the target bit of the first result fragment and outputs the target bit of the second result fragment.
It can be understood that the input of the single first exclusive or gate is the ith bit of the first data slice and the second data slice, and the output is the ith bit of the input data obtained after the combination of the first data slice and the second data slice.
Exclusive-or gate: c = XOR(a, b), representing c = a ⊕ b.
For the data slices a0 and a1 input by the two parties, the input processing unit 51 calculates a[i] = XOR(a0[i], a1[i]), 0 <= i <= len(a0), where a0[i] represents the i-th bit of a0, a1[i] represents the i-th bit of a1, and a[i] represents the i-th bit of the input data a.
It will be appreciated that the inputs of a single second exclusive-or gate are the i-th bit of the calculation result and the i-th bit of the first result slice, and its output is the i-th bit of the second result slice.
For the calculation result r obtained by the calculation unit 52 and the first result fragment r0 input by the first party, the splitting unit 53 calculates r1[i] = XOR(r[i], r0[i]), 0 <= i <= len(r), where r[i] represents the i-th bit of r, r0[i] represents the i-th bit of r0, and r1[i] represents the i-th bit of the second result fragment r1.
In one example, the preset function calculation is used to implement at least one of the following functions:
mathematical operation, comparison operation, selection operation.
In this example, the mathematical operation may include, but is not limited to, addition, subtraction, multiplication and division, and the boolean circuit may be used as a computation operator in secure multi-party computation to implement the preset function calculation. When the boolean circuit implements one calculation, the input of the circuit can be a secure input, that is, slices held by the two parties, and the output is generally also slices held by the two parties, so that the intermediate result is not leaked, the party obtaining the result is prevented from inferring the input of the boolean circuit from it, and the sliced output can serve as the starting point of the next secure calculation. The boolean circuit uses exclusive-or slicing to reduce the computation and communication costs of input and output processing.
In one example, the boolean circuit employs an implementation of a garbled circuit.
Further, for each line in the boolean circuit, the first party labels the true value 0 with a first labeling character string and the true value 1 with a second labeling character string, and for each line the second labeling character string is equal to the exclusive-or of the first labeling character string and an offset value; different lines correspond to the same offset value.
In this example, the first party corresponds to the Garbler party in the garbled circuit and the second party corresponds to the Evaluator party in the garbled circuit.
When the boolean circuit is executed as a garbled circuit, the Garbler party retains the first result fragment r0 as its exclusive-or slice of the calculation result, and the Evaluator party calculates the labeling character string of each output line and, with the assistance of the Garbler, obtains the true value bit string r1 of the output lines; r0 and r1 are exclusive-or slices of r.
In the boolean circuit provided in the embodiment of the present disclosure, the input processing unit 51 merges the data slices through exclusive-or gates, so that the boolean circuit can receive exclusive-or sliced input; the calculation unit 52 obtains a calculation result, which the splitting unit 53 splits through exclusive-or gates, so that the first party and the second party each obtain one result slice of the calculation result. The boolean circuit can thus receive exclusive-or sliced input and produce exclusive-or sliced output while protecting the private data. In addition, neither merging the data slices nor splitting the calculation result uses an AND gate, so the communication cost of the boolean circuit during execution is low.
Fig. 6 shows a schematic diagram of a method of splitting data slices, which may be based on the implementation scenario shown in fig. 1, for splitting the calculation result of the boolean circuit shown in fig. 5, according to another embodiment. As shown in fig. 6, the method for splitting data slices in this embodiment includes the following steps: step 61, the first party selects a global offset value; step 62, the first party determines a first labeling character string corresponding to a true value 0 and a second labeling character string corresponding to a true value 1 of each line in the boolean circuit, such that for each line the second labeling character string is equal to the exclusive-or of the first labeling character string and the offset value; step 63, the first party randomly generates a first result fragment of the calculation result; step 64, the second party obtains from the first party a third labeling character string corresponding to the first result fragment in the input line of the second exclusive-or gate; step 65, the second party obtains, through exclusive-or calculation on the third labeling character string and a fourth labeling character string that it has calculated and that corresponds to the calculation result in the input line of the second exclusive-or gate, the labeling character string corresponding to the actual true value of the output line of the second exclusive-or gate; and step 66, the second party determines the second result fragment according to that labeling character string. Specific implementations of the above steps are described below.
First, at step 61, the first party selects a global offset value. It will be appreciated that different lines correspond to the same offset value.
The first party corresponds to the Garbler party in the garbled circuit.
In the embodiment of the present disclosure, the offset value and each labeling string are binary numbers with the same number of bits, and the value of each bit of the offset value is not limited.
Then, in step 62, the first party determines a first labeling string corresponding to a true value 0 and a second labeling string corresponding to a true value 1 for each line in the boolean circuit, such that for each line the second labeling string is equal to the exclusive-or of the first labeling string and the offset value. It will be appreciated that the lines referred to here include both the input lines and the output lines of the boolean circuit.
In the embodiment of the present disclosure, the first party selects a global offset value Δ, and for the labeling string L0 of true value 0 and the labeling string L1 of true value 1 of each line in the circuit, L1 = L0 ⊕ Δ.
Next, in step 63, the first party randomly generates a first result slice of the calculation result. It will be appreciated that the first result slice is held by the first party as an exclusive or slice of the calculation result.
In step 64, the second party obtains from the first party a third labeling string corresponding to the first result slice in the input line of the second exclusive-or gate. It can be appreciated that the first party holds the actual true value corresponding to the first result fragment, so it can send the third labeling string to the second party directly.
The second party corresponds to the Evaluator party in the garbled circuit.
In step 65, the second party obtains, through exclusive-or calculation on the third labeling character string and a fourth labeling character string that it has calculated and that corresponds to the calculation result in the input line of the second exclusive-or gate, the labeling character string corresponding to the actual true value of the output line of the second exclusive-or gate. It can be understood that the fourth labeling string is calculated by the second party in the process of executing the boolean circuit, and that the labeling string corresponding to the true value of the output line of the second exclusive-or gate is obtained by exclusive-or of the labeling strings of the true values of its two input lines, which does not involve decrypting a garbled table.
For example, the two input lines of the exclusive-or gate are denoted L1 and L2, where the labeling string corresponding to true value 0 of L1 is a, the labeling string corresponding to true value 1 of L1 is a ⊕ Δ, the labeling string corresponding to true value 0 of L2 is b, and the labeling string corresponding to true value 1 of L2 is b ⊕ Δ. If the third labeling string obtained by the second party is a and the fourth labeling string is b ⊕ Δ, the labeling string corresponding to the actual true value of the output line of the exclusive-or gate, obtained by exclusive-or calculation, is a ⊕ b ⊕ Δ.
Finally, at step 66, the second party determines the second result fragment from the labeling string. It will be appreciated that the second party may obtain the true value bit string for each output line with the assistance of the first party.
According to the method provided by the embodiment of the specification, the calculation result is split with exclusive-or gates and, because of the special way in which the labeling character strings are selected, the first party does not need to transmit a garbled table for the exclusive-or gate to the second party. The second party obtains the labeling character string corresponding to the output line of the exclusive-or gate through exclusive-or calculation on the labeling character strings corresponding to the input lines of the exclusive-or gate, including the one obtained from the first party, and the result fragment can be determined from that labeling character string.
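The two splitting methods described above (Fig. 3, steps 31-36, and Fig. 6, steps 61-66), run end to end as an added example that is not code from the patent. Assumed here: the preset function r[i] = x[i] AND x[(i+1) mod n], SHA-256 as the row cipher with a zero tag to find the right row, oblivious transfer replaced by a direct hand-over, and, for Fig. 6, a hash of the output line's true-value-0 label as the first party's decoding assistance.

```python
import hashlib
import secrets

K = 16          # label length in bytes (assumed)
TAG = bytes(8)  # zero tag marking the correctly decrypted table row (assumed)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def row_key(la: bytes, lb: bytes, gate: int) -> bytes:
    """Key for one garbled-table row, derived from the two input labels."""
    data = la + lb + gate.to_bytes(4, "big")
    return hashlib.sha256(data).digest()[:K + len(TAG)]


def lsb(label: bytes) -> int:
    """The predetermined bit, taken here as the lowest bit of the label."""
    return label[-1] & 1


def pick(zero: bytes, delta: bytes, bit: int) -> bytes:
    """Label for true value `bit`: L0 for 0, L1 = L0 xor delta for 1."""
    return xor(zero, delta) if bit else zero


def garble_and(za, zb, delta, gate):
    """First party: returns (true-value-0 label of the output line, table)."""
    zout = secrets.token_bytes(K)
    rows = [xor(row_key(pick(za, delta, va), pick(zb, delta, vb), gate),
                pick(zout, delta, va & vb) + TAG)
            for va in (0, 1) for vb in (0, 1)]
    secrets.SystemRandom().shuffle(rows)
    return zout, rows


def eval_and(rows, la, lb, gate):
    """Second party: open the single row that the two held labels decrypt."""
    key = row_key(la, lb, gate)
    for row in rows:
        plain = xor(row, key)
        if plain[K:] == TAG:
            return plain[:K]
    raise ValueError("no table row decrypted")


def f_plain(x):
    """The assumed preset function, in the clear (for checking only)."""
    return [x[i] & x[(i + 1) % len(x)] for i in range(len(x))]


def run(x0, x1, method):
    """x0, x1: the parties' n-bit input slices. Returns result slices (r0, r1)."""
    n = len(x0)
    # ---------------- first party (Garbler) ----------------
    d = bytearray(secrets.token_bytes(K))
    if method == "fig3":
        d[-1] |= 1                                   # step 31: lowest bit of delta is 1
    delta = bytes(d)
    z0 = [secrets.token_bytes(K) for _ in range(n)]  # L0 of the lines carrying x0
    z1 = [secrets.token_bytes(K) for _ in range(n)]  # L0 of the lines carrying x1
    zx = [xor(a, b) for a, b in zip(z0, z1)]         # first XOR gates: no table
    gates = [garble_and(zx[i], zx[(i + 1) % n], delta, i) for i in range(n)]
    zr = [g[0] for g in gates]                       # L0 of the result lines
    tables = [g[1] for g in gates]
    if method == "fig3":
        r0 = [lsb(z) for z in zr]                    # step 33
    else:
        r0 = [secrets.randbelow(2) for _ in range(n)]         # step 63
        zs = [secrets.token_bytes(K) for _ in range(n)]       # L0 of the r0 lines
        zr1 = [xor(a, b) for a, b in zip(zr, zs)]             # second XOR gates
        hints = [hashlib.sha256(z).digest() for z in zr1]     # assumed assistance
        sent = [pick(zs[i], delta, r0[i]) for i in range(n)]  # step 64
    lab0 = [pick(z0[i], delta, x0[i]) for i in range(n)]  # sent directly
    # Oblivious transfer in a real run; handed over directly in this sketch.
    lab1 = [pick(z1[i], delta, x1[i]) for i in range(n)]
    # ---------------- second party (Evaluator) ----------------
    lx = [xor(a, b) for a, b in zip(lab0, lab1)]
    lr = [eval_and(tables[i], lx[i], lx[(i + 1) % n], i) for i in range(n)]
    if method == "fig3":
        r1 = [lsb(label) for label in lr]            # step 36
    else:
        lr1 = [xor(a, b) for a, b in zip(lr, sent)]  # step 65: XOR only
        r1 = [0 if hashlib.sha256(label).digest() == h else 1
              for label, h in zip(lr1, hints)]       # step 66
    return r0, r1


if __name__ == "__main__":
    x0, x1 = [1, 0, 1, 1], [0, 0, 1, 0]              # constructed input slices
    x = [a ^ b for a, b in zip(x0, x1)]
    for method in ("fig3", "fig6"):
        r0, r1 = run(x0, x1, method)
        print(method, r0, r1, [a ^ b for a, b in zip(r0, r1)] == f_plain(x))
```

Only the AND gates cost a garbled table; every merge and split gate is a local XOR of labels, which is the communication saving the description refers to.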
According to another aspect of the present invention, there is provided a system for splitting data slices, for splitting the calculation result of the boolean circuit shown in fig. 5, the system including a first party and a second party for performing the actions performed by the first party and the second party in the method shown in fig. 6 provided in the embodiments of the present specification. Fig. 7 shows a schematic block diagram of a system for splitting data slices according to another embodiment. As shown in fig. 7, the system 700 includes:
A first party 71 for selecting a global offset value; determining a first labeling character string corresponding to a true value 0 and a second labeling character string corresponding to a true value 1 of each line in the Boolean circuit, wherein for each line the second labeling character string is equal to the exclusive-or of the first labeling character string and the offset value; and randomly generating a first result fragment of the calculation result;
A second party 72, configured to obtain, through exclusive or calculation, a labeling string corresponding to a true value of an output line of the second exclusive or gate based on a third labeling string corresponding to a first result slice in an input line of the second exclusive or gate obtained from the first party 71 and a fourth labeling string corresponding to the calculation result in the input line of the second exclusive or gate, and determine the second result slice according to the labeling string.
According to an embodiment of another aspect, there is also provided a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method described in connection with fig. 3 or 6.
According to an embodiment of yet another aspect, there is also provided a computing device including a memory having executable code stored therein and a processor that, when executing the executable code, implements the method described in connection with fig. 3 or 6.
Those skilled in the art will appreciate that in one or more of the examples described above, the functions described in the present invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, these functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.
The foregoing embodiments have been provided for the purpose of illustrating the general principles of the present invention in further detail, and are not to be construed as limiting the scope of the invention; any modifications, equivalents, improvements, etc. made based on the teachings of the invention are intended to be covered.

Claims (12)

1. A boolean circuit implementing exclusive-or sliced input and output, the boolean circuit comprising:
The input processing unit receives n-bit first data fragments input by a first party and n-bit second data fragments input by a second party, and obtains input data through n first exclusive-OR gates; wherein each of the first exclusive-or gates receives a target bit of the first data slice and the target bit of the second data slice, and outputs the target bit of the input data;
the computing unit is used for receiving the input data obtained by the input processing unit, carrying out preset function computation on the input data to obtain a computing result, so that after the Boolean circuit is executed, a first result fragment of the computing result is held by the first party, and a second result fragment of the computing result is held by the second party;
Wherein the Boolean circuit is executed as a garbled circuit;
For each line in the Boolean circuit, the first party labels the true value 0 with a first labeling character string and the true value 1 with a second labeling character string, and for each line the second labeling character string is equal to the exclusive-or of the first labeling character string and an offset value; different lines correspond to the same offset value.
2. The boolean circuit according to claim 1, wherein the preset function calculation is used to implement at least one of the following functions:
mathematical operation, comparison operation, selection operation.
3. A method of splitting a data slice for splitting the calculation of the boolean circuit of claim 1, comprising:
the first party selects a global offset value, the predetermined bit of the offset value being 1;
The first party determines a first labeling character string corresponding to a true value 0 and a second labeling character string corresponding to a true value 1 of each line in the Boolean circuit, such that for each line the second labeling character string is equal to the exclusive-or of the first labeling character string and the offset value;
The first party determines the first result fragment according to the predetermined bit of the first labeling character string corresponding to the true value 0 of the output line of the calculation result;
The second party obtains a third labeling character string corresponding to the actual true value of each input line from the first party, calculates a fourth labeling character string corresponding to the actual true value of each output line according to the third labeling character string of each input line, and determines the second result fragment according to the predetermined bit of the fourth labeling character string.
4. A method as claimed in claim 3, wherein the predetermined bit is the least significant bit.
5. A method as claimed in claim 3, wherein the first result slice or the second result slice is equal to the calculation result.
6. A method as claimed in claim 3, wherein the calculation result corresponds to a plurality of output lines;
The first party determining the first result fragment according to the predetermined bit of the first labeling character string corresponding to the true value 0 of the output line of the calculation result comprises:
the first party combining the predetermined bits of the first labeling character strings corresponding to true value 0 of the plurality of output lines to obtain the first result fragment;
the second party determining the second result fragment according to the predetermined bit of the fourth labeling character string comprises:
the second party combining the predetermined bits of the fourth labeling character strings of the plurality of output lines to obtain the second result fragment.
7. A system for splitting a data slice, for splitting the calculation of the boolean circuit of claim 1, comprising:
The first party is configured to select a global offset value, where a predetermined bit of the offset value is 1; determine a first labeling character string corresponding to a true value 0 and a second labeling character string corresponding to a true value 1 of each line in the Boolean circuit, wherein for each line the second labeling character string is equal to the exclusive-or of the first labeling character string and the offset value; and determine the first result fragment according to the predetermined bit of the first labeling character string corresponding to the true value 0 of the output line of the calculation result;
the second party is configured to obtain a third labeling string corresponding to an actual true value of each input line from the first party, calculate a fourth labeling string corresponding to an actual true value of each output line according to the third labeling string of each input line, and determine the second result fragment according to the predetermined bit of the fourth labeling string.
8. The system of claim 7, wherein the predetermined bit is a least significant bit.
9. The system of claim 7, wherein the first result slice or the second result slice is equal to the computed result.
10. The system of claim 7, wherein the calculation result corresponds to a plurality of output lines;
the first party is specifically configured to combine the predetermined bits of the first labeling strings corresponding to true value 0 of the plurality of output lines to obtain the first result fragment;
the second party is specifically configured to combine the predetermined bits of the fourth labeling strings of the plurality of output lines to obtain the second result fragment.
11. A computer readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of any of claims 3-6.
12. A computing device comprising a memory having executable code stored therein and a processor, which when executing the executable code, implements the method of any of claims 3-6.
CN202111163344.0A 2021-09-30 2021-09-30 Boolean circuit, method and system for realizing exclusive or slicing input and output Active CN113821826B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111163344.0A CN113821826B (en) 2021-09-30 2021-09-30 Boolean circuit, method and system for realizing exclusive or slicing input and output

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111163344.0A CN113821826B (en) 2021-09-30 2021-09-30 Boolean circuit, method and system for realizing exclusive or slicing input and output

Publications (2)

Publication Number Publication Date
CN113821826A CN113821826A (en) 2021-12-21
CN113821826B true CN113821826B (en) 2024-07-02

Family

ID=78916270

Country Status (1)

Country Link
CN (1) CN113821826B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant