CN114301594B - Oblivious transfer method, multi-party secure computing platform and device for oblivious transfer

Publication number
CN114301594B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210191205.7A
Other languages
Chinese (zh)
Other versions
CN114301594A (en)
Inventor
王天雨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huakong Tsingjiao Information Technology Beijing Co Ltd
Original Assignee
Huakong Tsingjiao Information Technology Beijing Co Ltd
Application filed by Huakong Tsingjiao Information Technology Beijing Co Ltd
Priority to CN202210191205.7A
Publication of CN114301594A
Application granted
Publication of CN114301594B

Abstract

The embodiment of the invention provides an oblivious transfer method, a multi-party secure computing platform and a device for oblivious transfer. The method comprises the following steps: the sender and the receiver execute a preset operation n times based on the n message groups and the k indexes; the ith preset operation comprises the following steps: the receiver calculates a first parameter based on a locally generated random number and the base point G of the SM2 algorithm, and sends the first parameter to the sender; the sender calculates a public key and a private key based on a locally generated random number and the first parameter, encrypts the messages in the ith message group based on a preset key generation function and the private key to obtain the ciphertext of the ith message group, and sends the ciphertext of the ith message group and the public key to the receiver as second parameters; the receiver calculates the target message selected from the ith message group based on the ith target index, the key generation function and the second parameter. The embodiment of the invention can improve the efficiency of oblivious transfer.

Description

Oblivious transfer method, multi-party secure computing platform and device for oblivious transfer
Technical Field
The invention relates to the technical field of computers, in particular to an oblivious transfer method, a multi-party secure computing platform and a device for oblivious transfer.
Background
The Oblivious Transfer (OT) is a basic protocol for multi-party secure computing, and is a two-party protocol, specifically an interaction protocol between a Receiver (Receiver) and a Sender (Sender). The OT protocol can ensure the security of data between the receiving party and the sending party, and thus is widely applied to various fields.
One problem that an oblivious transfer protocol needs to solve can be described as follows: sender A has secrets m_0 and m_1, and receiver B has an index a; sender A and receiver B execute an oblivious transfer protocol so that the receiver obtains the secret m_a corresponding to the index a (if a = 0, secret m_0 is obtained; if a = 1, secret m_1 is obtained), and sender A does not know which secret receiver B obtained in the above process.
Patent application No. 202110912825.0 discloses a two-party privacy aggregation union computation method involving a sender and a receiver performing an n-times oblivious transfer protocol.
Disclosure of Invention
The embodiment of the invention provides an oblivious transfer method, a multi-party secure computing platform and a device for oblivious transfer, which can greatly reduce the amount of data transmitted by the OT protocol and improve data transmission efficiency.
In a first aspect, an embodiment of the present invention discloses an oblivious transfer method, which is applied to a multi-party secure computing platform, where the multi-party secure computing platform includes a sender and a receiver, and the method includes:
the sender and the receiver execute a preset operation n times based on the n held message groups and the n held target indexes; one message group comprises two messages to be selected, the n target indexes are generated according to k original indexes of the receiver, n ≥ 1, and n ≥ k ≥ 1;
the ith preset operation comprises the following steps:
the receiving party calculates a first parameter based on a locally generated random number and a base point G of an SM2 algorithm, and sends the first parameter to the sending party;
the sender calculates a public key and a private key based on a locally generated random number and the first parameter, encrypts the message in the ith message group based on a preset key generation function and the private key to obtain a ciphertext of the ith message group, and sends the ciphertext of the ith message group and the public key serving as second parameters to the receiver;
the receiver calculates a target message selected from the ith message group based on the ith target index, the key generation function, and the second parameter.
In a second aspect, an embodiment of the present invention discloses an oblivious transfer method, which is applied to a sender in a multi-party secure computing platform, where the multi-party secure computing platform further includes a receiver, and the method includes:
executing a preset operation n times with the receiver based on n message groups, wherein one message group comprises two messages to be selected, the receiver holds n target indexes, the n target indexes are generated according to k original indexes of the receiver, n ≥ 1, and n ≥ k ≥ 1;
the ith preset operation comprises the following steps:
receiving a first parameter from a receiver, wherein the first parameter is calculated by the receiver based on a locally generated random number and a base point G of an SM2 algorithm;
and calculating a public key and a private key based on the locally generated random number and the first parameter, encrypting the message in the ith message group based on a preset key generation function and the private key to obtain a ciphertext of the ith message group, and sending the ciphertext of the ith message group and the public key as second parameters to a receiving party.
In a third aspect, an embodiment of the present invention discloses an oblivious transfer method, which is applied to a receiver in a multi-party secure computing platform, where the multi-party secure computing platform further includes a sender, and the method includes:
executing a preset operation n times with the sender based on n target indexes, wherein the sender holds n message groups, one message group comprises two messages to be selected, the n target indexes are generated according to k original indexes of the receiver, n ≥ 1, and n ≥ k ≥ 1;
the ith preset operation comprises the following steps:
calculating a first parameter based on a locally generated random number and a base point G of an SM2 algorithm, and sending the first parameter to a sender;
receiving a second parameter from a sender, wherein the sender calculates a public key and a private key based on a locally generated random number and the first parameter, and encrypts messages in an ith message group based on a preset key generation function and the private key to obtain a ciphertext of the ith message group, and the second parameter comprises the ciphertext of the ith message group and the public key;
calculating a target message selected from an ith message group based on the ith target index, the key generation function, and the second parameter.
In a fourth aspect, the embodiment of the present invention discloses a multi-party secure computing platform, where the multi-party secure computing platform includes a sender and a receiver; the sender, based on n message groups, and the receiver, based on n target indexes, execute a preset operation n times; one message group comprises two messages to be selected, the n target indexes are generated according to k original indexes of the receiver, n ≥ 1, and n ≥ k ≥ 1;
the receiving party comprises a first parameter calculating module, which is used for calculating a first parameter based on a locally generated random number and a base point G of an SM2 algorithm and sending the first parameter to the sending party;
the sender comprises a second parameter calculation module, which is used for calculating a public key and a private key based on a locally generated random number and the first parameter, encrypting the message in the ith message group based on a preset key generation function and the private key to obtain a ciphertext of the ith message group, and sending the ciphertext of the ith message group and the public key as second parameters to a receiver;
the receiver further includes a target message calculation module for calculating a target message selected from an ith message group based on the ith target index, the key generation function, and the second parameter.
In a fifth aspect, the embodiment of the present invention discloses a receiver in a multi-party secure computing platform, where the multi-party secure computing platform further includes a sender; the sender, based on n held message groups, and the receiver, based on n held target indexes, execute a preset operation n times; one message group comprises two messages to be selected, the n target indexes are generated according to k original indexes of the receiver, n ≥ 1, and n ≥ k ≥ 1; the receiver includes:
the first parameter calculation module is used for calculating a first parameter based on a locally generated random number and a base point G of an SM2 algorithm and sending the first parameter to a sender;
a second parameter receiving module, configured to receive a second parameter from a sender, where the sender calculates a public key and a private key based on a locally generated random number and the first parameter, and encrypts a message in an ith message group based on a preset key generation function and the private key to obtain a ciphertext of the ith message group, and the sender uses the ciphertext of the ith message group and the public key as the second parameter;
and the target message calculation module is used for calculating the target message selected from the ith message group based on the ith target index, the key generation function and the second parameter.
In a sixth aspect, the embodiment of the present invention discloses a sender in a multi-party secure computing platform, where the multi-party secure computing platform further includes a receiver; the sender, based on n held message groups, and the receiver, based on n held target indexes, execute a preset operation n times; one message group comprises two messages to be selected, the n target indexes are generated according to k original indexes of the receiver, n ≥ 1, and n ≥ k ≥ 1; the sender includes:
the first parameter receiving module is used for receiving a first parameter from a receiving party, wherein the first parameter is obtained by calculation of the receiving party based on a locally generated random number and a base point G of an SM2 algorithm;
and the second parameter calculation module is used for calculating a public key and a private key based on the locally generated random number and the first parameter, encrypting the message in the ith message group based on a preset key generation function and the private key to obtain a ciphertext of the ith message group, and sending the ciphertext of the ith message group and the public key to a receiver as second parameters.
In a seventh aspect, an embodiment of the present invention discloses a device for oblivious transfer, comprising a memory and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by one or more processors, and the one or more programs comprise instructions for performing one or more of the aforementioned oblivious transfer methods.
In an eighth aspect, embodiments of the invention disclose a machine-readable medium having instructions stored thereon, which when executed by one or more processors of an apparatus, cause the apparatus to perform one or more of the aforementioned oblivious transfer methods.
The embodiment of the invention has the following advantages:
the embodiment of the invention implements the 1-out-of-2 OT protocol based on the SM2 elliptic curve algorithm, and on this basis the 1-out-of-n OT protocol and the k-out-of-n OT protocol can be implemented by executing the 1-out-of-2 OT protocol n times. Compared with the traditional RSA encryption algorithm, SM2 can obtain the same security with a shorter key than RSA; at the same security level, the embodiment of the invention can greatly reduce the amount of data transmitted by the OT protocol and improve data transmission efficiency.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments of the present invention will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without inventive labor.
FIG. 1 is a flowchart of the steps of the ith preset operation in an embodiment of an oblivious transfer method of the present invention;
FIG. 2 is a schematic diagram illustrating the interaction flow between the sender and the participant in one preset operation according to the present invention;
FIG. 3 is a schematic diagram illustrating the interaction flow between the sender and the participant in a 1-out-of-n oblivious transfer scenario according to the present invention;
FIG. 4 is a schematic diagram illustrating the interaction flow between the sender and the participant in a k-out-of-n oblivious transfer scenario according to the present invention;
FIG. 5 is a flowchart of the steps of the ith preset operation in another embodiment of an oblivious transfer method of the present invention;
FIG. 6 is a flowchart of the steps of the ith preset operation in yet another embodiment of the oblivious transfer method of the present invention;
FIG. 7 is a block diagram of a multi-party secure computing platform embodiment of the present invention;
FIG. 8 is a block diagram of an apparatus 800 for oblivious transfer of the present invention;
FIG. 9 is a schematic diagram of a server in some embodiments of the invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms first, second and the like in the description and in the claims of the present invention are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that embodiments of the invention may be practiced other than those illustrated or described herein, and that the objects identified as "first," "second," etc. are generally a class of objects and do not limit the number of objects, e.g., a first object may be one or more. Furthermore, the term "and/or" in the specification and claims is used to describe an association relationship of associated objects, meaning that three relationships may exist, e.g., a and/or B, may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. The term "plurality" in the embodiments of the present invention means two or more, and other terms are similar thereto.
The embodiment of the invention provides an oblivious transfer method, which can be applied to a multi-party secure computing platform, wherein the multi-party secure computing platform can comprise a sender and a receiver, and the method comprises the following steps: the sender and the receiver execute a preset operation n times based on the n held message groups and the n held target indexes; one message group comprises two messages to be selected, the n target indexes are generated according to k original indexes of the receiver, n ≥ 1, and n ≥ k ≥ 1. Referring to FIG. 1, a flowchart of the steps of the ith preset operation in an embodiment of an oblivious transfer method according to the present invention is shown, where the ith preset operation may include the following steps:
Step 101, the receiver calculates a first parameter based on a locally generated random number and the base point G of the SM2 algorithm, and sends the first parameter to the sender;
Step 102, the sender calculates a public key and a private key based on a locally generated random number and the first parameter, encrypts the messages in the ith message group based on a preset key generation function and the private key to obtain the ciphertext of the ith message group, and sends the ciphertext of the ith message group and the public key to the receiver as second parameters;
Step 103, the receiver calculates the target message selected from the ith message group based on the ith target index, the key generation function and the second parameter.
The Oblivious Transfer method of the embodiment of the invention can realize an Oblivious Transfer (OT) protocol based on a multi-party security computing platform. The OT protocol is a cryptographic protocol and is widely applied to the fields of multi-party security computing and the like.
The oblivious transfer method of the embodiment of the invention can be applied to 1-out-of-2, 1-out-of-n, k-out-of-n OT, and the like.
The problem solved by the 1-out-of-2 OT protocol can be described as follows: suppose that the participants are Alice and Bob; Alice (sender) holds two messages to be selected, m_0 and m_1, and Bob (receiver) holds the index a, where a takes the value 0 or 1. Alice and Bob execute a 1-out-of-2 OT protocol, so that Bob can only obtain the message m_a corresponding to the index a (if a = 0, the message m_0 is obtained; if a = 1, the message m_1 is obtained); Bob learns nothing about the other message, and Alice does not know which message Bob obtained in the above process.
The problem solved by the 1-out-of-n OT protocol can be described as follows: suppose that the participants are Alice and Bob; Alice (sender) holds n messages to be selected, m_0, m_1, m_2, …, m_{n-1}, and Bob (receiver) holds the index a, whose value can be any one of 0 to n-1. Alice and Bob execute a 1-out-of-n OT protocol, so that Bob can only obtain the message m_a corresponding to the index a; Bob learns nothing about the other messages, and Alice does not know which message Bob obtained in the above process.
The problem solved by the k-out-of-n OT protocol can be described as follows: suppose that the participants are Alice and Bob; Alice (sender) holds n messages to be selected, m_0, m_1, m_2, …, m_{n-1}, and Bob (receiver) holds k indices a_0 to a_{k-1}, each of which may take any value from 0 to n-1. Alice and Bob execute a k-out-of-n OT protocol, so that Bob can only obtain the messages m_{a_0} to m_{a_{k-1}} corresponding to the indices a_0 to a_{k-1}; Bob learns nothing about the other messages, and Alice does not know which messages Bob obtained in the above process.
The 1-out-of-2, 1-out-of-n and k-out-of-n OT protocols are among the basic components of multi-party secure computing, and can be applied to application scenarios such as garbled circuits, preprocessed data generation, and oblivious polynomial computation.
It should be noted that, in the embodiment of the present invention, Alice and Bob are used to identify two peer communication entities. The communication entities Alice and Bob correspond to a sender and a receiver respectively, and the positions and the sequence of the two can be interchanged.
It should be noted that in the 1-out-of-2 OT protocol scenario, n = 1 and k = 1, that is, the sender holds 1 message group, which includes two messages to be selected, such as messages m_0 and m_1; the receiver holds 1 original index, denoted a, whose value can be 0 or 1. In the 1-out-of-2 OT protocol scenario, the 1 original index held by the receiver can be used as the target index. The two parties execute the preset operation once, with the result that the receiver obtains the message m_a and learns nothing about the unselected message, and the sender cannot know which message the receiver selected.
In the embodiment of the present invention, when n = 1 and k = 1, the receiver uses the 1 original index it holds as the target index, and the sender and the receiver execute the preset operation once, which implements the 1-out-of-2 OT protocol. When n > 1 and k = 1, the receiver expands the 1 original index it holds into n target indexes, and the sender and the receiver execute the preset operation n times, which implements the 1-out-of-n OT protocol. When n > 1 and k > 1, the receiver expands the k original indexes it holds into n target indexes, and the sender and the receiver execute the preset operation n times, which implements the k-out-of-n OT protocol.
In the embodiment of the present invention, executing one preset operation means that the sender and the receiver execute the 1-out-of-2 OT protocol once. On this basis, by executing the preset operation n times (that is, executing the 1-out-of-2 OT protocol n times), the sender and the receiver can implement the 1-out-of-n OT protocol and the k-out-of-n OT protocol. These are described separately below.
In the 1-out-of-2 OT protocol scenario, the specific process of the preset operation executed by the sender and the receiver is as follows: the receiver calculates a first parameter based on a locally generated random number and the base point G of the SM2 algorithm, and sends the first parameter to the sender; the sender calculates a public key and a private key based on a locally generated random number and the first parameter, encrypts the messages m_0 and m_1 respectively based on a preset key generation function and the private key to obtain the ciphertext of each message, and sends the ciphertext of each message and the public key to the receiver as second parameters; the receiver calculates the target message m_a selected from the messages m_0 and m_1 based on the held target index a, the key generation function and the second parameter.
SM2 is an elliptic curve public key cryptographic algorithm issued by the national cryptology authority. G is a base point of the elliptic curve. The first parameter is used for generating a public key and a private key, and the sender can encrypt the message held by the sender by using the private key to generate a ciphertext of the message. The second parameter comprises a cipher text and a public key of the message, and the receiver can decrypt the target message by using the second parameter based on the held index. The key generation function may be used to generate a key. For example, the Key generation function may be KDF (Key derivation function).
Elliptic Curve Cryptography (ECC) is a public key system based on an Elliptic curve algorithm defined over a finite field. The SM2 algorithm is a specific algorithm of the ECC cryptosystem. An elliptic curve public key cryptographic algorithm is specified in the standard of the national standard GB/T32918 information security technology SM2 elliptic curve public key cryptographic algorithm, and an encryption algorithm and a decryption algorithm based on SM2 conform to the specification of the standard. The embodiment of the invention realizes the OT protocol by using the SM2 algorithm, and combines the multi-party security calculation with the domestic cryptographic algorithm, so that the multi-party security calculation is more in line with the national standard. In addition, compared with the common RSA encryption algorithm, the SM2 algorithm has higher security and computation speed.
In an alternative embodiment of the present invention, the receiving side calculating the first parameter based on the locally generated random number and the base point G of the SM2 algorithm may include:
Step S11, the receiver sets the first temporary public key g_0 = G, generates a first random number R_r1, and obtains the second temporary public key g_1 by point multiplication of the first random number R_r1 and the base point G;
Step S12, the receiver generates a second random number R_r2, and calculates the third temporary public key h_0 and the fourth temporary public key h_1 by point multiplication and point addition based on the second random number R_r2, the base point G and the second temporary public key g_1;
Step S13, the receiver generates a first random array R_r3, and calculates the fifth temporary public key g' and the sixth temporary public key h' by point multiplication and point addition based on the first random array R_r3, the base point G, the ith target index, the first temporary public key g_0, the second temporary public key g_1, the third temporary public key h_0 and the fourth temporary public key h_1;
Step S14, the receiver sends the second temporary public key g_1, the third temporary public key h_0, the fourth temporary public key h_1, the fifth temporary public key g' and the sixth temporary public key h' to the sender as the first parameter.
In the 1-out-of-2 OT protocol scenario, assume that the sender holds messages m_0 and m_1 and the receiver holds the target index a. The receiver sets the first temporary public key g_0 = G; g_0 may be a public parameter known to both the sender and the receiver. The receiver generates a first random number R_r1 and obtains the second temporary public key g_1 by point multiplication of R_r1 and the base point G, e.g. g_1 = [R_r1]G, where [ ] denotes the multiple-point (scalar multiplication) operation on the elliptic curve; for example, [R_r1]G denotes R_r1 times the point G on the elliptic curve. The receiver generates a second random number R_r2 and calculates the third temporary public key h_0 and the fourth temporary public key h_1 by point multiplication and point addition based on R_r2, the base point G and the second temporary public key g_1, e.g. h_0 = [R_r2]G, h_1 = g_1 + [R_r2]G. The receiver generates a first random array R_r3, which may contain n random numbers. The receiver calculates the fifth temporary public key g' and the sixth temporary public key h' by point multiplication and point addition based on the first random array R_r3, the base point G, the ith target index (denoted ai), and the temporary public keys g_0, g_1, h_0 and h_1, e.g. g' = g_{ai} + [R_r3]G, h' = h_{ai} + [R_r3]G, where g_{ai} = g_0 and h_{ai} = h_0 when ai = 0, and g_{ai} = g_1 and h_{ai} = h_1 when ai = 1. The receiver sends the second temporary public key g_1, the third temporary public key h_0, the fourth temporary public key h_1, the fifth temporary public key g' and the sixth temporary public key h' to the sender as the first parameter.
It should be noted that the embodiment of the present invention does not limit the manner of generating the random numbers; R_r1, R_r2 and R_r3 are merely symbols and do not limit the specific values of the random numbers. Furthermore, in the embodiment of the present invention, the ith target index may be written as a_i or ai. For example, when the ith target index is used as a subscript, it is written as ai, as in g_{ai}, h_{ai} and the like.
In an optional embodiment of the present invention, the calculating, by the sender, a public key and a private key based on a locally generated random number and the first parameter, and encrypting, based on a preset key generation function and the private key, a message in an ith message group to obtain a ciphertext of the ith message group may include:
Step S21, the sender generates a second random array and, through point multiplication and point addition on the random numbers in the second random array and the parameters in the first parameter, obtains a first public key u0, a first private key v0, a second public key u1 and a second private key v1;
Step S22, the sender generates a first key from the first private key v0 and a preset key generation function, and encrypts the first message in the ith message group with the first key to obtain the ciphertext e0 of the first message; the sender also generates a second key from the second private key v1 and the key generation function, and encrypts the second message in the ith message group with the second key to obtain the ciphertext e1 of the second message.
In the 1-out-of-2 OT protocol scenario, assume that the sender holds messages m0 and m1 and the receiver holds the target index a. The receiver sends the second temporary public key g1, the third temporary public key h0, the fourth temporary public key h1, the fifth temporary public key g' and the sixth temporary public key h' to the sender as the first parameter. The sender generates a second random array and, through point multiplication and point addition on the random numbers in the second random array and the parameters in the first parameter, obtains a first public key u0, a first private key v0, a second public key u1 and a second private key v1.
Illustratively, the second random array generated by the sender includes the following random numbers: s0, s1, t0, t1. Then u0=[s0]*g0+[t0]*h0, v0=[s0]*g'+[t0]*h', u1=[s1]*g1+[t1]*h1, v1=[s1]*g'+[t1]*h'.
The sender generates a first key from the first private key v0 and a preset key generation function KDF, and encrypts the first message (such as message m0) with the first key to obtain the ciphertext e0 of the first message, e.g. e0=KDF(v0)⊕m0, where ⊕ denotes a bit-by-bit exclusive-or of the two operands. The sender generates a second key from the second private key v1 and the KDF, and encrypts the second message (e.g. message m1) with the second key to obtain the ciphertext e1 of the second message, e.g. e1=KDF(v1)⊕m1.
The sender sends the ciphertext of the first message, the ciphertext of the second message, the first public key u0 and the second public key u1 to the receiver as the second parameter.
Based on the held target index ai, the key generation function and the second parameter, the receiver calculates the target message m_ai selected from message m0 and message m1.
In an optional embodiment of the present invention, the calculating, by the receiver, a target message selected from an ith message group based on the ith target index, the key generation function, and the second parameter may include: obtaining the target message m_ai by the following calculation: m_ai=KDF(u_ai-[R_r3]G)⊕e_ai, where ai represents the ith target index and KDF is the key generation function; when ai=0, u_ai=u0 and e_ai=e0; when ai=1, u_ai=u1 and e_ai=e1.
In the 1-out-of-2 OT protocol scenario, assume that the sender holds messages m0 and m1 and the receiver holds only one target index (i.e. the original index), whose value is denoted a, with a being 0 or 1; the target message m_a can then be calculated by the following formula: m_a=KDF(u_a-[R_r3]G)⊕e_a, where u_a=u0 and e_a=e0 when a=0, and u_a=u1 and e_a=e1 when a=1.
Referring to fig. 2, a schematic diagram of the interaction flow between a sender and a receiver in one preset operation is shown. That is, fig. 2 shows the interaction flow of the two parties in a single run of the 1-out-of-2 oblivious transfer protocol. The sender holds messages m0 and m1, and the receiver holds the target index a. As shown in fig. 2, the interaction between the two parties is as follows:
Step 0, the receiver lets g0=G, generates a first random number R_r1, and obtains g1=[R_r1]*G by point multiplication on the SM2 standard elliptic curve.
Step 1, the receiver generates a second random number R_r2.
Step 2, the receiver calculates, by point multiplication and point addition on the SM2 standard elliptic curve:
h0=[R_r2]G, h1=g1+[R_r2]G.
Step 3, the receiver generates a first random array R_r3 containing n random numbers.
Step 4, the receiver calculates, for the target index a, by point multiplication and point addition on the SM2 standard elliptic curve: g'=(g_a)+[R_r3]G, h'=(h_a)+[R_r3]G. The receiver sends g1, h0, h1, g', h' to the sender.
Step 5, the sender generates a second random array comprising the random numbers s0, s1, t0, t1.
Step 6, the sender calculates, by point multiplication and point addition on the SM2 standard elliptic curve:
u0=[s0]*g0+[t0]*h0, v0=[s0]*g'+[t0]*h';
u1=[s1]*g1+[t1]*h1, v1=[s1]*g'+[t1]*h'.
Step 7, the sender lets KDF be the key generation function and calculates e0=KDF(v0)⊕m0, e1=KDF(v1)⊕m1. The sender sends e0, e1, u0, u1 to the receiver.
Step 8, the receiver calculates the target message m_a=KDF(u_a-[R_r3]*G)⊕e_a.
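One round of the 1-out-of-2 flow above on the SM2 curve, as an added Python example that is not the patent's own code; the function names are illustrative. It keeps g0, g1, h0, h1, u_b, v_b and e_b=KDF(v_b)⊕m_b as listed, but as an assumption it blinds by point multiplication (g'=[R_r3]g_a, h'=[R_r3]h_a, receiver key KDF([R_r3]u_a)), the form for which [R_r3]u_a=v_a follows directly from linearity, and it uses SHAKE-256 as a stand-in for the unspecified KDF.

```python
import hashlib
import secrets

# SM2 recommended curve: y^2 = x^3 + A*x + B over GF(P), base point G of order N.
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = P - 3
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)


def on_curve(pt):
    """True for the point at infinity (None) or a point satisfying the curve equation."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Point addition in affine coordinates (educational, not constant-time)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p2 is the negative of p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Point multiplication [k]pt by double-and-add."""
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def kdf(pt, length):
    """Stand-in KDF (assumption): SHAKE-256 over the point's x and y coordinates."""
    if pt is None:
        raise ValueError("point at infinity cannot be used as key material")
    data = pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")
    return hashlib.shake_256(data).digest(length)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def rand_scalar():
    return secrets.randbelow(N - 1) + 1               # uniform in [1, N-1]


def receiver_first_parameter(a):
    """Steps 0-4: returns (first parameter for the sender, secret R_r3 kept locally)."""
    if a not in (0, 1):
        raise ValueError("target index must be 0 or 1")
    r1, r2, r3 = rand_scalar(), rand_scalar(), rand_scalar()
    g = (G, mul(r1, G))                               # g0 = G, g1 = [R_r1]G
    h0 = mul(r2, G)                                   # h0 = [R_r2]G
    h = (h0, add(g[1], h0))                           # h1 = g1 + [R_r2]G
    # Assumption: scalar blinding instead of the additive form printed in step 4.
    first = {"g1": g[1], "h0": h[0], "h1": h[1],
             "g'": mul(r3, g[a]), "h'": mul(r3, h[a])}
    return first, r3


def sender_second_parameter(first, m0, m1):
    """Steps 5-7: per-message (u_b, v_b), then e_b = KDF(v_b) XOR m_b."""
    if len(m0) != len(m1):
        raise ValueError("pad both messages to the same length first")
    if any(pt is None or not on_curve(pt) for pt in first.values()):
        raise ValueError("first parameter contains an invalid point")
    g, h = (G, first["g1"]), (first["h0"], first["h1"])
    u, e = [], []
    for b, m in enumerate((m0, m1)):
        s, t = rand_scalar(), rand_scalar()
        u.append(add(mul(s, g[b]), mul(t, h[b])))
        v = add(mul(s, first["g'"]), mul(t, first["h'"]))
        e.append(xor(kdf(v, len(m)), m))
    return {"u": u, "e": e}


def receiver_recover(a, r3, second):
    """Step 8 under scalar blinding: [r3]u_a = [s]([r3]g_a) + [t]([r3]h_a) = v_a."""
    e_a = second["e"][a]
    return xor(kdf(mul(r3, second["u"][a]), len(e_a)), e_a)


def ot_1_of_2(m0, m1, a):
    """Runs both roles in one process and returns what the receiver learns."""
    first, r3 = receiver_first_parameter(a)
    return receiver_recover(a, r3, sender_second_parameter(first, m0, m1))
```

The sender never sees a or R_r3, only five curve points; the receiver's key for the index it did not choose does not match the sender's v for that message.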
In an alternative embodiment of the present invention, the multi-party secure computing platform may be based on an oblivious transfer protocol under the semi-honest participant model.
There are two security models in multi-party secure computing: a semi-honest participant model and a malicious participant model. The semi-honest participant model means that a participant follows the flow specified by the protocol when executing it, but a malicious attacker may monitor and obtain that participant's own inputs and outputs during execution, together with the information obtained while the protocol runs. In the malicious participant model, when the protocol is executed, an attacker can, through the participants under its control, analyze the private information of honest participants by means such as illegal input or malicious tampering with input, and can also cause the protocol to terminate by means such as early termination or refusal to participate.
The embodiment of the invention encrypts (masks) the sender's messages and the receiver's index based on the SM2 algorithm and random numbers, so that a participant cannot obtain, from the information exchanged while the protocol runs, the information that the OT definition requires to be kept secret. Therefore, the oblivious transfer method can realize an oblivious transfer protocol under the semi-honest participant model.
The 1-out-of-n OT protocol and the k-out-of-n OT protocol are implemented in a similar way to the 1-out-of-2 OT protocol. In the 1-out-of-n and k-out-of-n OT protocol scenarios, the sender and the receiver execute the preset operation n (n > 1) times, that is, execute the 1-out-of-2 OT protocol n times. In the embodiment of the invention, n, k and i are integers. The 1-out-of-n OT protocol scenario and the k-out-of-n OT protocol scenario are described below.
In an optional embodiment of the present invention, in a 1-out-of-n OT protocol scenario, where n > 1 and k = 1, the sender holds the following n messages: m0~m_{n-1}, e.g. comprising m0, m1, m2, …, m_{n-1}; the receiver holds the original index a, whose value ranges from 0 to n-1, that is, a may be any integer from 0 to n-1.
In the scenario of an OT protocol of 1 out of n, the method may further include:
Step S31, the sender sets n message groups according to the n messages, wherein the jth message group includes the following messages: 0 and m_j, where j ranges from 0 to n-1;
Step S32, the receiver sets n target indexes according to the original index a, wherein the value of the a-th of the n target indexes is 1 and the values of the remaining target indexes are 0;
Step S33, the receiver obtains the 1-out-of-n oblivious transfer result m_a when the a-th preset operation is completed.
In the 1-out-of-n OT protocol scenario, the sender, according to the n messages it holds (m0, m1, m2, …, m_{n-1}), sets the following n message groups: [0, m0], [0, m1], [0, m2], …, [0, m_a], …, [0, m_{n-1}]. The receiver sets the following n target indexes according to the held original index a: 0, 0, …, 1, …, 0, where the value of the a-th target index is 1 and the values of the remaining target indexes are 0.
In the 1-out-of-n OT protocol scenario, the sender, based on the n message groups it holds, and the receiver, based on the n target indexes it holds, perform the preset operation n times, that is, execute the 1-out-of-2 OT protocol n times. The sender, based on the ith message group it holds, and the receiver, based on the ith target index it holds, perform the ith preset operation.
Referring to fig. 3, a schematic diagram of the interaction flow between a sender and a receiver in a 1-out-of-n oblivious transfer scenario according to the present invention is shown.
Illustratively, the sender, based on the 0th message group [0, m0], and the receiver, based on the 0th target index 0, execute the 1-out-of-2 OT protocol for the 0th time; the result is that the receiver selects the message 0, so the message m0 is not leaked. The sender, based on the 1st message group [0, m1], and the receiver, based on the 1st target index 0, execute the 1-out-of-2 OT protocol for the 1st time; the result is that the receiver selects the message 0, so the message m1 is not leaked. By analogy, the sender, based on the a-th message group [0, m_a], and the receiver, based on the a-th target index 1, execute the 1-out-of-2 OT protocol for the a-th time; the result is that the receiver selects the message m_a. This continues until the sender, based on the (n-1)th message group [0, m_{n-1}], and the receiver, based on the (n-1)th target index 0, execute the 1-out-of-2 OT protocol for the (n-1)th time; the result is that the receiver selects the message 0, so the message m_{n-1} is not leaked. That is, the receiver obtains the result m_a of the 1-out-of-n OT protocol when the a-th execution of the 1-out-of-2 OT protocol is completed.
In an optional embodiment of the present invention, in a k-out-of-n OT protocol scenario, where n > 1 and k > 1, the sender holds n messages: m0~m_{n-1}, e.g. comprising m0, m1, m2, …, m_{n-1}; the receiver holds the original indexes a0~a_{k-1}, each of which ranges from 0 to n-1. That is, each of a0~a_{k-1} may be any integer from 0 to n-1.
In the k-out-of-n OT protocol scenario, the method may further include:
Step S41, the sender sets n message groups according to the n messages, wherein the jth message group comprises the following messages: 0 and m_j, where j ranges from 0 to n-1;
Step S42, the receiver sets n target indexes according to the original indexes a0~a_{k-1}, wherein the values of the a0-th to a_{k-1}-th of the n target indexes are 1 and the values of the remaining target indexes are 0;
Step S43, the receiver obtains the k-out-of-n oblivious transfer results m_{a0}~m_{a_{k-1}} when the a0-th to a_{k-1}-th preset operations are completed.
In the k-out-of-n OT protocol scenario, the sender, according to the n messages it holds (m0, m1, m2, …, m_{n-1}), sets the following n message groups: [0, m0], [0, m1], [0, m2], …, [0, m_{a0}], …, [0, m_{n-1}]. The receiver sets the following n target indexes according to the held original indexes a0~a_{k-1}: 0, 1, 0, …, 1, 0, …, 1, …, 0, where the values of the a0-th to a_{k-1}-th target indexes are 1 and the values of the remaining target indexes are 0.
In the k-out-of-n OT protocol scenario, the sender, based on the n message groups it holds, and the receiver, based on the n target indexes it holds, perform the preset operation n times, that is, execute the 1-out-of-2 OT protocol n times. The sender, based on the ith message group it holds, and the receiver, based on the ith target index it holds, perform the ith preset operation.
Referring to fig. 4, a schematic diagram of the interaction flow between a sender and a receiver in a k-out-of-n oblivious transfer scenario according to the present invention is shown.
Illustratively, the sender, based on the 0th message group [0, m0], and the receiver, based on the 0th target index 0, execute the 1-out-of-2 OT protocol for the 0th time; the result is that the receiver selects the message 0, so the message m0 is not leaked. The sender, based on the 1st message group [0, m1], and the receiver, based on the 1st target index 0, execute the 1-out-of-2 OT protocol for the 1st time; the result is that the receiver selects the message 0, so the message m1 is not leaked. By analogy, the sender, based on the a0-th message group [0, m_{a0}], and the receiver, based on the a0-th target index 1, execute the 1-out-of-2 OT protocol for the a0-th time; the result is that the receiver selects the message m_{a0}. By analogy, the sender, based on the a1-th message group [0, m_{a1}], and the receiver, based on the a1-th target index 1, execute the 1-out-of-2 OT protocol for the a1-th time; the result is that the receiver selects the message m_{a1}. This continues until the sender, based on the (n-1)th message group [0, m_{n-1}], and the receiver, based on the (n-1)th target index 0, execute the 1-out-of-2 OT protocol for the (n-1)th time; the result is that the receiver selects the message 0, so the message m_{n-1} is not leaked. That is, the receiver obtains the results m_{a0}~m_{a_{k-1}} of the k-out-of-n OT protocol when the a0-th to a_{k-1}-th executions of the 1-out-of-2 OT protocol are completed.
It should be noted that, in the embodiment of the present invention, counting starts from 0, but the present invention is not limited to this, and counting may start from any value in a specific implementation. In addition, a0~a_{k-1} may be continuous or discontinuous target indexes; the above example is only one application example of the present invention and should not be taken as a limitation on implementing the k-out-of-n OT protocol in the present invention.
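The 1-out-of-n and k-out-of-n reductions described above, as an added Python example that is not the patent's own code: it builds the [0, m_j] message groups and the 0/1 target indexes, then runs n 1-out-of-2 rounds. `ideal_ot_1_of_2` is a hypothetical stand-in for the preset operation with no cryptography, and the all-zero byte string used for the message 0 is an assumption; any function with the same signature can be passed in its place.

```python
from typing import Callable, List, Sequence, Tuple

# Assumed signature of one preset operation: (m0, m1, target_index) -> selected message.
OT2 = Callable[[bytes, bytes, int], bytes]


def ideal_ot_1_of_2(m0: bytes, m1: bytes, bit: int) -> bytes:
    """Stand-in for a 1-out-of-2 OT round (ideal functionality, no cryptography)."""
    if bit not in (0, 1):
        raise ValueError("target index must be 0 or 1")
    return (m0, m1)[bit]


def message_groups(messages: Sequence[bytes]) -> List[Tuple[bytes, bytes]]:
    """Steps S31/S41: the j-th group is [0, m_j]; 0 is encoded as zero bytes of equal length."""
    return [(bytes(len(m)), m) for m in messages]


def target_indexes(n: int, original: Sequence[int]) -> List[int]:
    """Steps S32/S42: n target indexes, 1 at each original index and 0 elsewhere."""
    if not original:
        raise ValueError("at least one original index is required (k >= 1)")
    if len(set(original)) != len(original):
        raise ValueError("original indexes must be distinct")
    if any(not 0 <= a < n for a in original):
        raise ValueError("original indexes must lie in 0..n-1")
    wanted = set(original)
    return [1 if j in wanted else 0 for j in range(n)]


def k_out_of_n(messages: Sequence[bytes], original: Sequence[int],
               ot: OT2 = ideal_ot_1_of_2) -> Tuple[List[bytes], List[bytes]]:
    """Runs n preset operations; returns (selected messages, output of every round)."""
    groups = message_groups(messages)
    bits = target_indexes(len(groups), original)
    # Exactly n rounds are run whatever k is, so the round count says nothing about k.
    # The sender cannot check how many target indexes are 1; the k-out-of-n guarantee
    # rests on the receiver building the vector as specified (semi-honest model).
    outputs = [ot(g0, g1, b) for (g0, g1), b in zip(groups, bits)]
    # Steps S33/S43: the results are the outputs of the rounds whose target index is 1.
    return [outputs[a] for a in original], outputs
```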
In summary, the embodiment of the present invention implements the 1-out-of-2 OT protocol based on the SM2 elliptic curve algorithm, and on that basis the 1-out-of-n OT protocol and the k-out-of-n OT protocol can be implemented by executing the 1-out-of-2 OT protocol n times. Compared with the traditional RSA encryption algorithm, SM2 can obtain the same security with a shorter key than RSA, so that, for the same level of security, the embodiment of the invention can greatly reduce the amount of data transmitted by the OT protocol and improve data transmission efficiency.
The embodiment of the invention provides an oblivious transfer method, which can be applied to a sender in a multi-party secure computing platform, wherein the multi-party secure computing platform also comprises a receiver, and the method can comprise the following steps: executing n preset operations with the receiver based on n message groups, wherein one message group comprises two messages to be selected, the receiver holds n target indexes, the n target indexes are generated according to k original indexes of the receiver, n ≥ 1, and n ≥ k ≥ 1. Referring to fig. 5, a flowchart of the steps of the ith preset operation in another embodiment of an oblivious transfer method according to the present invention is shown, where the ith preset operation may include the following steps:
step 501, receiving a first parameter from a receiver, wherein the first parameter is obtained by the receiver through calculation based on a locally generated random number and a base point G of an SM2 algorithm;
step 502, calculating a public key and a private key based on a locally generated random number and the first parameter, encrypting the message in the ith message group based on a preset key generation function and the private key to obtain a ciphertext of the ith message group, and sending the ciphertext of the ith message group and the public key as second parameters to a receiver.
After receiving the second parameter sent by the sender, the receiver may calculate a target message selected from the ith message group based on the ith target index, the key generation function, and the second parameter.
Optionally, the calculating, based on the locally generated random number and the first parameter, a public key and a private key, and encrypting, based on a preset key generation function and the private key, a message in an ith message group to obtain a ciphertext of the ith message group includes:
generating a second random array and, through point multiplication and point addition on the random numbers in the second random array and the parameters in the first parameter, obtaining a first public key u0, a first private key v0, a second public key u1 and a second private key v1;
generating a first key from the first private key v0 and a preset key generation function, and encrypting the first message in the ith message group with the first key to obtain the ciphertext e0 of the first message; and generating a second key from the second private key v1 and the key generation function, and encrypting the second message in the ith message group with the second key to obtain the ciphertext e1 of the second message.
Optionally, the ith message group includes a first message m0 and a second message m1, and the ith target index is ai, where:
the second random array includes the following random numbers: s0, s1, t0, t1;
First public key u0=[s0]*g0+[t0]*h0;
First private key v0=[s0]*g'+[t0]*h';
Second public key u1=[s1]*g1+[t1]*h1;
Second private key v1=[s1]*g'+[t1]*h';
Ciphertext of the first message e0=KDF(v0)⊕m0, where KDF is the key generation function;
Ciphertext of the second message e1=KDF(v1)⊕m1.
Optionally, in a 1-out-of-n OT protocol scenario, n > 1, the sender holds n messages: m0~m_{n-1}, e.g. including m0, m1, m2, …, m_{n-1}; the method further comprises the following steps:
setting n message groups according to the n messages, wherein the jth message group comprises the following messages: 0 and m_j, where j ranges from 0 to n-1.
In the 1-out-of-n OT protocol scenario, n > 1, k = 1, the sender holds the following n messages: m0~m_{n-1}, e.g. comprising m0, m1, m2, …, m_{n-1}; the receiver holds the original index a, whose value ranges from 0 to n-1, that is, a may be any integer from 0 to n-1. The receiver sets the following n target indexes according to the held original index a: 0, 0, …, 1, …, 0, where the value of the a-th target index is 1 and the values of the remaining target indexes are 0.
In the 1-out-of-n OT protocol scenario, the sender, based on the n message groups it holds, and the receiver, based on the n target indexes it holds, perform the preset operation n times, that is, execute the 1-out-of-2 OT protocol n times. The sender, based on the ith message group it holds, and the receiver, based on the ith target index it holds, perform the ith preset operation. The receiver obtains the result m_a of the 1-out-of-n OT protocol when the a-th execution of the 1-out-of-2 OT protocol is completed.
In the k-out-of-n OT protocol scenario, n > 1, k > 1, the sender holds n messages: m0~m_{n-1}, e.g. comprising m0, m1, m2, …, m_{n-1}; the receiver holds the original indexes a0~a_{k-1}, each of which ranges from 0 to n-1. That is, each of a0~a_{k-1} may be any integer from 0 to n-1.
In the k-out-of-n OT protocol scenario, the sender, according to the n messages it holds (m0, m1, m2, …, m_{n-1}), sets the following n message groups: [0, m0], [0, m1], [0, m2], …, [0, m_{a0}], …, [0, m_{n-1}]. The receiver sets the following n target indexes according to the held original indexes a0~a_{k-1}: 0, 1, 0, …, 1, 0, …, 1, …, 0, where the values of the a0-th to a_{k-1}-th target indexes are 1 and the values of the remaining target indexes are 0.
In the k-out-of-n OT protocol scenario, the sender, based on the n message groups it holds, and the receiver, based on the n target indexes it holds, perform the preset operation n times, that is, execute the 1-out-of-2 OT protocol n times. The sender, based on the ith message group it holds, and the receiver, based on the ith target index it holds, perform the ith preset operation. The receiver obtains the results m_{a0}~m_{a_{k-1}} of the k-out-of-n OT protocol when the a0-th to a_{k-1}-th executions of the 1-out-of-2 OT protocol are completed.
Optionally, the multi-party secure computing platform is based on an oblivious transfer protocol under the semi-honest participant model.
The oblivious transfer method of the embodiment of the invention can be applied to 1-out-of-2, 1-out-of-n, k-out-of-n oblivious transfer and the like.
The steps executed by the sender in the oblivious transfer method shown in fig. 5 are specifically described in the embodiment shown in fig. 1 and are not described herein again; reference may be made to the specific processes in the foregoing embodiments.
The embodiment of the invention implements the 1-out-of-2 OT protocol based on the SM2 elliptic curve algorithm, and on that basis the 1-out-of-n OT protocol and the k-out-of-n OT protocol can be implemented by executing the 1-out-of-2 OT protocol n times. Compared with the traditional RSA encryption algorithm, SM2 can obtain the same security with a shorter key than RSA, so that, for the same level of security, the embodiment of the invention can greatly reduce the amount of data transmitted by the OT protocol and improve data transmission efficiency.
The embodiment of the invention provides an oblivious transfer method, which can be applied to a receiver in a multi-party secure computing platform, wherein the multi-party secure computing platform also comprises a sender, and the method can comprise the following steps: executing n preset operations with the sender based on n target indexes, wherein the sender holds n message groups, one message group comprises two messages to be selected, the n target indexes are generated according to k original indexes of the receiver, n ≥ 1, and n ≥ k ≥ 1. Referring to fig. 6, a flowchart of the steps of the ith preset operation in another embodiment of an oblivious transfer method according to the present invention is shown, where the ith preset operation may include the following steps:
step 601, calculating a first parameter based on a locally generated random number and a base point G of an SM2 algorithm, and sending the first parameter to a sender;
step 602, receiving a second parameter from a sender, wherein the sender calculates a public key and a private key based on a locally generated random number and the first parameter, and encrypts a message in an ith message group based on a preset key generation function and the private key to obtain a ciphertext of the ith message group, and the second parameter includes the ciphertext of the ith message group and the public key;
step 603, calculating a target message selected from the ith message group based on the ith target index, the key generation function, and the second parameter.
Optionally, the calculating the first parameter based on the locally generated random number and the base point G of the SM2 algorithm includes:
letting the first temporary public key g0=G, generating a first random number R_r1, and obtaining a second temporary public key g1 by point multiplication of the first random number R_r1 and the base point G;
generating a second random number R_r2, and calculating a third temporary public key h0 and a fourth temporary public key h1 based on point multiplication and point addition of the second random number R_r2 and the base point G, and the second temporary public key g1;
generating a first random array R_r3, and calculating a fifth temporary public key g' and a sixth temporary public key h' based on point multiplication and point addition of the first random array R_r3 and the base point G, the ith target index, the first temporary public key g0, the second temporary public key g1, the third temporary public key h0 and the fourth temporary public key h1;
taking the second temporary public key g1, the third temporary public key h0, the fourth temporary public key h1, the fifth temporary public key g' and the sixth temporary public key h' as the first parameter.
Optionally, the ith message group includes a first message m0 and a second message m1, and the ith target index is ai, where:
Second temporary public key g1=[R_r1]*G;
Third temporary public key h0=[R_r2]*G;
Fourth temporary public key h1=g1+[R_r2]*G;
Fifth temporary public key g'=(g_ai)+[R_r3]G, where g_ai=g0 when ai=0 and g_ai=g1 when ai=1;
Sixth temporary public key h'=(h_ai)+[R_r3]G, where h_ai=h0 when ai=0 and h_ai=h1 when ai=1.
Optionally, the target message m_ai selected from the ith message group may be calculated by: m_ai=KDF(u_ai-[R_r3]*G)⊕e_ai, where KDF is the key generation function; when ai=0, u_ai=u0 and e_ai=e0; when ai=1, u_ai=u1 and e_ai=e1.
Optionally, n > 1, k = 1, the receiver holds an original index a, and a ranges from 0 to n-1; the method further comprises the following steps:
setting n target indexes according to the held original index a, wherein the value of the a-th of the n target indexes is 1 and the values of the remaining target indexes are 0;
obtaining the 1-out-of-n oblivious transfer result m_a when the a-th preset operation is completed.
In the 1-out-of-n OT protocol scenario, n > 1, k = 1, the sender holds the following n messages: m0~m_{n-1}, e.g. comprising m0, m1, m2, …, m_{n-1}; the receiver holds the original index a, whose value ranges from 0 to n-1, that is, a may be any integer from 0 to n-1. The receiver sets the following n target indexes according to the held original index a: 0, 0, …, 1, …, 0, where the value of the a-th target index is 1 and the values of the remaining target indexes are 0.
In the 1-out-of-n OT protocol scenario, the sender, based on the n message groups it holds, and the receiver, based on the n target indexes it holds, perform the preset operation n times, that is, execute the 1-out-of-2 OT protocol n times. The sender, based on the ith message group it holds, and the receiver, based on the ith target index it holds, perform the ith preset operation. The receiver obtains the result m_a of the 1-out-of-n OT protocol when the a-th execution of the 1-out-of-2 OT protocol is completed.
Optionally, n > 1, k > 1, the receiver holds the original indexes a0~a_{k-1}, each of which ranges from 0 to n-1; the method further comprises the following steps:
setting n target indexes according to the held original indexes a0~a_{k-1}, wherein the values of the a0-th to a_{k-1}-th of the n target indexes are 1 and the values of the remaining target indexes are 0;
obtaining the k-out-of-n oblivious transfer results m_{a0}~m_{a_{k-1}} when the a0-th to a_{k-1}-th preset operations are completed.
In the k-out-of-n OT protocol scenario, n > 1, k > 1, the sender holds n messages: m0~m_{n-1}, e.g. comprising m0, m1, m2, …, m_{n-1}; the receiver holds the original indexes a0~a_{k-1}, each of which ranges from 0 to n-1. That is, each of a0~a_{k-1} may be any integer from 0 to n-1.
In the k-out-of-n OT protocol scenario, the sender, according to the n messages it holds (m0, m1, m2, …, m_{n-1}), sets the following n message groups: [0, m0], [0, m1], [0, m2], …, [0, m_{a0}], …, [0, m_{n-1}]. The receiver sets the following n target indexes according to the held original indexes a0~a_{k-1}: 0, 1, 0, …, 1, 0, …, 1, …, 0, where the values of the a0-th to a_{k-1}-th target indexes are 1 and the values of the remaining target indexes are 0.
In the k-out-of-n OT protocol scenario, the sender, based on the n message groups it holds, and the receiver, based on the n target indexes it holds, perform the preset operation n times, that is, execute the 1-out-of-2 OT protocol n times. The sender, based on the ith message group it holds, and the receiver, based on the ith target index it holds, perform the ith preset operation. The receiver obtains the results m_{a0}~m_{a_{k-1}} of the k-out-of-n OT protocol when the a0-th to a_{k-1}-th executions of the 1-out-of-2 OT protocol are completed.
Optionally, the multi-party secure computing platform is based on an oblivious transfer protocol under the semi-honest participant model.
The oblivious transfer method of the embodiment of the invention can be applied to 1-out-of-2, 1-out-of-n, k-out-of-n oblivious transfer and the like.
The steps executed by the receiver in the oblivious transfer method shown in fig. 6 are specifically described in the embodiment shown in fig. 1 and are not described herein again; reference may be made to the specific processes in the foregoing embodiments.
The embodiment of the invention implements the 1-out-of-2 OT protocol based on the SM2 elliptic curve algorithm, and on that basis the 1-out-of-n OT protocol and the k-out-of-n OT protocol can be implemented by executing the 1-out-of-2 OT protocol n times. Compared with the traditional RSA encryption algorithm, SM2 can obtain the same security with a shorter key than RSA, so that, for the same level of security, the embodiment of the invention can greatly reduce the amount of data transmitted by the OT protocol and improve data transmission efficiency.
It should be noted that, for simplicity of description, the method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the illustrated order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments of the present invention. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred and that no particular act is required to implement the invention.
Referring to fig. 7, a block diagram of a multi-party secure computing platform according to an embodiment of the present invention is shown, where the multi-party secure computing platform may execute an oblivious transfer protocol. The multi-party secure computing platform includes a sender 701 and a receiver 702; the sender 701, based on n message groups, and the receiver 702, based on n target indexes, execute the preset operation n times; wherein one message group comprises two messages to be selected, the n target indexes are generated according to k original indexes of the receiver, n ≥ 1, and n ≥ k ≥ 1;
the receiving side 702 includes a first parameter calculation module 7021 for calculating a first parameter based on a locally generated random number and a base point G of the SM2 algorithm, and transmitting the first parameter to the transmitting side;
the sender 701 includes a second parameter calculation module 7011, configured to calculate a public key and a private key based on a locally generated random number and the first parameter, encrypt a message in an ith message group based on a preset key generation function and the private key to obtain a ciphertext of the ith message group, and send the ciphertext of the ith message group and the public key as second parameters to a receiver;
the receiver 702 further comprises a target message calculation module 7022 configured to calculate a target message selected from the ith group of messages based on the ith target index, the key generation function, and the second parameter.
In this embodiment of the present invention, the sender 701 may further include:
and the first parameter receiving module is used for receiving a first parameter from the receiving party, wherein the first parameter is calculated by the receiving party based on the locally generated random number and the base point G of the SM2 algorithm.
In this embodiment of the present invention, the receiving side 702 may further include:
a second parameter receiving module, configured to receive a second parameter from the sender, wherein the sender calculates a public key and a private key based on a locally generated random number and the first parameter, encrypts the messages in the ith message group based on a preset key generation function and the private key to obtain a ciphertext of the ith message group, and takes the ciphertext of the ith message group and the public key as the second parameter.
Optionally, the first parameter calculation module includes:
a first calculation submodule, configured to set the first temporary public key g_0 = G, generate a first random number R_r1, and obtain the second temporary public key g_1 by point multiplication of the first random number R_r1 and the base point G;
a second calculation submodule, configured to generate a second random number R_r2, and calculate the third temporary public key h_0 and the fourth temporary public key h_1 by point multiplication and point addition based on the second random number R_r2, the base point G and the second temporary public key g_1;
a third calculation submodule, configured to generate a first random array R_r3, and calculate the fifth temporary public key g' and the sixth temporary public key h' by point multiplication and point addition based on the first random array R_r3, the base point G, the ith target index, the first temporary public key g_0, the second temporary public key g_1, the third temporary public key h_0 and the fourth temporary public key h_1;
a first parameter determination submodule, configured to take the second temporary public key g_1, the third temporary public key h_0, the fourth temporary public key h_1, the fifth temporary public key g' and the sixth temporary public key h' as the first parameter;
the second parameter calculation module includes:
a public key calculation submodule, configured to generate a second random array, and obtain a first public key u_0, a first private key v_0, a second public key u_1 and a second private key v_1 by point multiplication and point addition based on the random numbers in the second random array and the parameters in the first parameter;
a data encryption submodule, configured to generate a first key from the first private key v_0 using a preset key generation function and encrypt the first message in the ith message group with the first key to obtain the ciphertext e_0 of the first message, and to generate a second key from the second private key v_1 using the key generation function and encrypt the second message in the ith message group with the second key to obtain the ciphertext e_1 of the second message.
Optionally, the ith message group contains a first message m_0 and a second message m_1, and the ith target index is ai, wherein:
second temporary public key g_1 = [R_r1]*G;
third temporary public key h_0 = [R_r2]*G;
fourth temporary public key h_1 = g_1 + [R_r2]*G;
fifth temporary public key g' = g_{ai} + [R_r3]*G, where g_{ai} = g_0 when ai = 0 and g_{ai} = g_1 when ai = 1;
sixth temporary public key h' = h_{ai} + [R_r3]*G, where h_{ai} = h_0 when ai = 0 and h_{ai} = h_1 when ai = 1;
the second random array includes the following random numbers: s_0, s_1, t_0, t_1;
first public key u_0 = [s_0]*g_0 + [t_0]*h_0;
first private key v_0 = [s_0]*g' + [t_0]*h';
second public key u_1 = [s_1]*g_1 + [t_1]*h_1;
second private key v_1 = [s_1]*g' + [t_1]*h';
ciphertext of the first message e_0 = KDF(v_0) ⊕ m_0, where KDF is a key generation function;
ciphertext of the second message e_1 = KDF(v_1) ⊕ m_1.
Optionally, the target message m_{ai} selected from the ith message group is calculated as m_{ai} = KDF(u_{ai} - [R_r3]*G) ⊕ e_{ai}, where u_{ai} = u_0 and e_{ai} = e_0 when ai = 0, and u_{ai} = u_1 and e_{ai} = e_1 when ai = 1.
Optionally, n > 1, k = 1, the sender holds n messages m_0 to m_{n-1}, the receiver holds an original index a, and the value of a ranges from 0 to n-1;
the sender further comprises a first message setting module, configured to set n message groups according to the n messages, wherein the jth message group comprises the messages 0 and m_j, and j ranges from 0 to n-1;
the receiver further comprises a first index setting module, configured to set n target indexes according to the held original index a, wherein the value of the a-th target index of the n target indexes is 1 and the values of the remaining target indexes are 0;
the receiver further comprises a first result acquisition module, configured to obtain the n-choose-1 oblivious transfer result m_a when the a-th preset operation is completed.
Optionally, n > 1, k > 1, the sender holds n messages m_0 to m_{n-1}, the receiver holds original indexes a_0 to a_{k-1}, and each of a_0 to a_{k-1} ranges from 0 to n-1;
the sender further comprises a second message setting module, configured to set n message groups according to the n messages, wherein the jth message group comprises the messages 0 and m_j, and j ranges from 0 to n-1;
the receiver further comprises a second index setting module, configured to set n target indexes according to the held original indexes a_0 to a_{k-1}, wherein the values of the a_0-th to a_{k-1}-th target indexes of the n target indexes are 1 and the values of the remaining target indexes are 0;
the receiver further comprises a second result acquisition module, configured to obtain the n-choose-k oblivious transfer results m_{a_0} to m_{a_{k-1}} when the a_0-th to a_{k-1}-th preset operations are completed.
Optionally, the multi-party secure computing platform is based on an oblivious transfer protocol under the semi-honest participant model.
The embodiment of the invention implements a 2-choose-1 OT protocol based on the SM2 elliptic curve algorithm; on that basis, the n-choose-1 OT protocol and the n-choose-k OT protocol can be implemented by executing the 2-choose-1 OT protocol n times. Compared with the traditional RSA encryption algorithm, SM2 achieves the same security with a shorter key than RSA, so at the same security level the embodiment of the invention can greatly reduce the amount of data transmitted by the OT protocol and improve data transmission efficiency.
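The n-choose-1 and n-choose-k constructions described above (message groups (0, m_j), one target index per group), shown as an added example that is not code from the patent. The 2-choose-1 step is modeled as an ideal functionality rather than the SM2 computation, and the function names, MSG_LEN, the fixed message length and the distinct-index check are assumptions.

```python
import secrets

MSG_LEN = 16            # assumption: every message is a fixed-length byte string
ZERO = bytes(MSG_LEN)   # the "0" placed first in every message group


def ideal_ot_2choose1(group, choice_bit):
    """Ideal 2-choose-1 OT: the receiver gets group[choice_bit], the sender gets nothing.

    Stand-in (assumption) for one preset operation; no SM2 arithmetic is done here.
    """
    if choice_bit not in (0, 1):
        raise ValueError("target index must be 0 or 1")
    m0, m1 = group
    if len(m0) != len(m1):
        raise ValueError("both candidate messages must have equal length")
    return m1 if choice_bit else m0


def build_message_groups(messages):
    """Sender side: the j-th message group is (0, m_j)."""
    for m in messages:
        if len(m) != MSG_LEN:
            raise ValueError("messages must be MSG_LEN bytes")
    return [(ZERO, m) for m in messages]


def build_target_indexes(n, original_indexes):
    """Receiver side: n bits, 1 at each original index a_0..a_{k-1}, 0 elsewhere."""
    if not original_indexes:
        raise ValueError("k must be at least 1")
    if len(set(original_indexes)) != len(original_indexes):
        raise ValueError("original indexes must be distinct")  # assumption
    bits = [0] * n
    for a in original_indexes:
        if not 0 <= a < n:
            raise ValueError(f"index {a} outside 0..{n - 1}")
        bits[a] = 1
    return bits


def run_preset_operations(groups, target_indexes):
    """Run the n 2-choose-1 transfers and return the receiver's n raw outputs."""
    if len(groups) != len(target_indexes):
        raise ValueError("need one target index per message group")
    return [ideal_ot_2choose1(g, b) for g, b in zip(groups, target_indexes)]


def n_choose_k(messages, original_indexes):
    """Full flow: returns {a: m_a} for the receiver's k original indexes."""
    groups = build_message_groups(messages)
    bits = build_target_indexes(len(messages), original_indexes)
    outputs = run_preset_operations(groups, bits)
    return {a: outputs[a] for a in original_indexes}


def released_count(target_indexes):
    """Number of real messages an index vector releases (its count of 1 bits).

    The sender never sees the bits, so it cannot compare this with k; the
    bound holds because a semi-honest receiver builds the vector as specified.
    """
    return sum(target_indexes)


# Constructed sample data: five random 16-byte messages.
SAMPLE_MESSAGES = [secrets.token_bytes(MSG_LEN) for _ in range(5)]

if __name__ == "__main__":
    for a, m in n_choose_k(SAMPLE_MESSAGES, [1, 3]).items():
        print(a, m.hex())
```

Every run whose target index is 0 returns the constant 0, so the receiver's view of the unselected slots is independent of the sender's messages; the limit of k released messages rests on the semi-honest model named in the text.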
For the device embodiment, since it is basically similar to the method embodiment, the description is relatively brief; for relevant points, refer to the corresponding description of the method embodiment.
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
With regard to the apparatus in the above-described embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be elaborated here.
An embodiment of the present invention provides a device for oblivious transfer comprising a memory and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by one or more processors, the one or more programs comprising instructions for performing one or more of the aforementioned oblivious transfer methods.
Fig. 8 is a block diagram illustrating an apparatus 800 for oblivious transfer, according to an example embodiment. For example, the apparatus 800 may be a mobile phone, a computer, a digital broadcast terminal, a messaging device, a game console, a tablet device, a medical device, an exercise device, a personal digital assistant, and the like.
Referring to fig. 8, the apparatus 800 may include one or more of the following components: processing component 802, memory 804, power component 806, multimedia component 808, audio component 810, input/output (I/O) interface 812, sensor component 814, and communication component 816.
The processing component 802 generally controls overall operation of the device 800, such as operations associated with display, telephone calls, data communications, camera operations, and recording operations. The processing component 802 may include one or more processors 820 to execute instructions to perform all or a portion of the steps of the methods described above. Further, the processing component 802 can include one or more modules that facilitate interaction between the processing component 802 and other components. For example, the processing component 802 can include a multimedia module to facilitate interaction between the multimedia component 808 and the processing component 802.
The memory 804 is configured to store various types of data to support operation at the device 800. Examples of such data include instructions for any application or method operating on device 800, contact data, phonebook data, messages, pictures, videos, and so forth. The memory 804 may be implemented by any type or combination of volatile or non-volatile memory devices such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disks.
The power component 806 provides power to the various components of device 800. The power component 806 may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power for the apparatus 800.
The multimedia component 808 includes a screen that provides an output interface between the device 800 and a user. In some embodiments, the screen may include a Liquid Crystal Display (LCD) and a Touch Panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive an input signal from a user. The touch panel includes one or more touch sensors to sense touch, slide, and gestures on the touch panel. The touch sensor may not only sense the boundary of a touch or slide action, but also detect the duration and pressure associated with the touch or slide operation. In some embodiments, the multimedia component 808 includes a front facing camera and/or a rear facing camera. The front-facing camera and/or the rear-facing camera may receive external multimedia data when the device 800 is in an operating mode, such as a shooting mode or a video mode. Each front camera and rear camera may be a fixed optical lens system or have a focal length and optical zoom capability.
The audio component 810 is configured to output and/or input audio signals. For example, audio component 810 includes a Microphone (MIC) configured to receive external audio signals when apparatus 800 is in an operational mode, such as a call mode, a recording mode, and a voice information processing mode. The received audio signals may further be stored in the memory 804 or transmitted via the communication component 816. In some embodiments, audio component 810 also includes a speaker for outputting audio signals.
The I/O interface 812 provides an interface between the processing component 802 and peripheral interface modules, which may be keyboards, click wheels, buttons, etc. These buttons may include, but are not limited to: a home button, a volume button, a start button, and a lock button.
The sensor assembly 814 includes one or more sensors for providing various aspects of state assessment for the device 800. For example, the sensor assembly 814 may detect the open/closed state of the device 800 and the relative positioning of components, such as the display and keypad of the apparatus 800. The sensor assembly 814 may also detect a change in the position of the apparatus 800 or a component of the apparatus 800, the presence or absence of user contact with the apparatus 800, the orientation or acceleration/deceleration of the apparatus 800, and a change in the temperature of the apparatus 800. Sensor assembly 814 may include a proximity sensor configured to detect the presence of a nearby object without any physical contact. The sensor assembly 814 may also include a light sensor, such as a CMOS or CCD image sensor, for use in imaging applications. In some embodiments, the sensor assembly 814 may also include an acceleration sensor, a gyroscope sensor, a magnetic sensor, a pressure sensor, or a temperature sensor.
The communication component 816 is configured to facilitate communications between the apparatus 800 and other devices in a wired or wireless manner. The apparatus 800 may access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof. In an exemplary embodiment, the communication component 816 receives a broadcast signal or broadcast related information from an external broadcast management system via a broadcast channel. In an exemplary embodiment, the communication component 816 further includes a Near Field Communication (NFC) module to facilitate short-range communications. For example, the NFC module may be implemented based on radio frequency identification (RFID) technology, Infrared Data Association (IrDA) technology, Ultra Wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.
In an exemplary embodiment, the apparatus 800 may be implemented by one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), controllers, micro-controllers, microprocessors, or other electronic components for performing the above-described methods.
In an exemplary embodiment, a non-transitory computer-readable storage medium comprising instructions, such as the memory 804 comprising instructions, executable by the processor 820 of the device 800 to perform the above-described method is also provided. For example, the non-transitory computer readable storage medium may be a ROM, a Random Access Memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like.
Fig. 9 is a schematic diagram of a server in some embodiments of the invention. The server 1900 may vary widely by configuration or performance and may include one or more Central Processing Units (CPUs) 1922 (e.g., one or more processors) and memory 1932, one or more storage media 1930 (e.g., one or more mass storage devices) storing applications 1942 or data 1944. Memory 1932 and storage medium 1930 can be, among other things, transient or persistent storage. The program stored in the storage medium 1930 may include one or more modules (not shown), each of which may include a series of instructions operating on a server. Still further, a central processor 1922 may be provided in communication with the storage medium 1930 to execute a series of instruction operations in the storage medium 1930 on the server 1900.
The server 1900 may also include one or more power supplies 1926, one or more wired or wireless network interfaces 1950, one or more input-output interfaces 1958, one or more keyboards 1956, and/or one or more operating systems 1941, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.
A non-transitory computer-readable storage medium, wherein instructions in the storage medium, when executed by a processor of an apparatus (server or terminal), enable the apparatus to perform the oblivious transfer method shown in fig. 1, fig. 5 or fig. 6.
A non-transitory computer-readable storage medium, wherein instructions in the storage medium, when executed by a processor of a device (server or terminal), enable the device to perform the oblivious transfer method described in the embodiment corresponding to fig. 1, fig. 5 or fig. 6; the description is therefore not repeated here. Likewise, the beneficial effects of the same method are not described again. For technical details not disclosed in the embodiments of the computer program product or computer program of the present application, refer to the description of the method embodiments of the present application.
Further, it should be noted that embodiments of the present application also provide a computer program product or computer program, which may include computer instructions stored in a computer-readable storage medium. The processor of a computer device reads the computer instructions from the computer-readable storage medium and executes them, so that the computer device performs the oblivious transfer method described in the embodiment corresponding to fig. 1; the description is therefore not repeated here. Likewise, the beneficial effects of the same method are not described again. For technical details not disclosed in the embodiments of the computer program product or computer program of the present application, refer to the description of the method embodiments of the present application.
Other embodiments of the invention will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This invention is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the invention and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the invention being indicated by the following claims.
It will be understood that the invention is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the invention is limited only by the appended claims.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.
The oblivious transfer method, the multi-party secure computing platform and the apparatus for oblivious transfer provided by the present invention have been described in detail above. Specific examples are used herein to illustrate the principles and embodiments of the present invention, and the above description of the embodiments is only intended to help in understanding the method and core ideas of the present invention. Meanwhile, a person skilled in the art may, according to the idea of the present invention, vary the specific embodiments and the scope of application. In summary, the content of the present specification should not be construed as a limitation of the present invention.

Claims (30)

1. An oblivious transfer method, applied to a multi-party secure computing platform including a sender and a receiver, the method comprising:
the sender and the receiver execute a preset operation n times based on n message groups held by the sender and n target indexes held by the receiver; wherein one message group comprises two candidate messages, the n target indexes are generated according to k original indexes of the receiver, n ≥ 1, and n ≥ k ≥ 1;
the ith preset operation comprises the following steps:
the receiving party calculates a first parameter based on a locally generated random number and a base point G of an SM2 algorithm, and sends the first parameter to the sending party;
the sender calculates a public key and a private key based on a locally generated random number and the first parameter, encrypts the message in the ith message group based on a preset key generation function and the private key to obtain a ciphertext of the ith message group, and sends the ciphertext of the ith message group and the public key serving as second parameters to the receiver;
the receiver calculates a target message selected from the ith message group based on the ith target index, the key generation function, and the second parameter.
2. The method of claim 1, wherein the receiver calculates a first parameter based on the locally generated random number and a base point G of the SM2 algorithm, comprising:
the receiver sets the first temporary public key g_0 = G, generates a first random number R_r1, and obtains the second temporary public key g_1 by point multiplication of the first random number R_r1 and the base point G;
the receiver generates a second random number R_r2, and calculates the third temporary public key h_0 and the fourth temporary public key h_1 by point multiplication and point addition based on the second random number R_r2, the base point G and the second temporary public key g_1;
the receiver generates a first random array R_r3, and calculates the fifth temporary public key g' and the sixth temporary public key h' by point multiplication and point addition based on the first random array R_r3, the base point G, the ith target index, the first temporary public key g_0, the second temporary public key g_1, the third temporary public key h_0 and the fourth temporary public key h_1;
the receiver takes the second temporary public key g_1, the third temporary public key h_0, the fourth temporary public key h_1, the fifth temporary public key g' and the sixth temporary public key h' as the first parameter;
the sender calculating a public key and a private key based on a locally generated random number and the first parameter, and encrypting the messages in the ith message group based on a preset key generation function and the private key to obtain a ciphertext of the ith message group, comprises:
the sender generates a second random array, and obtains a first public key u_0, a first private key v_0, a second public key u_1 and a second private key v_1 by point multiplication and point addition based on the random numbers in the second random array and the parameters in the first parameter;
the sender generates a first key from the first private key v_0 using a preset key generation function and encrypts the first message in the ith message group with the first key to obtain the ciphertext e_0 of the first message, and generates a second key from the second private key v_1 using the key generation function and encrypts the second message in the ith message group with the second key to obtain the ciphertext e_1 of the second message.
3. The method of claim 2, wherein the ith message group comprises a first message m_0 and a second message m_1, and the ith target index is ai, wherein:
second temporary public key g_1 = [R_r1]*G;
third temporary public key h_0 = [R_r2]*G;
fourth temporary public key h_1 = g_1 + [R_r2]*G;
fifth temporary public key g' = g_{ai} + [R_r3]*G, where g_{ai} = g_0 when ai = 0 and g_{ai} = g_1 when ai = 1;
sixth temporary public key h' = h_{ai} + [R_r3]*G, where h_{ai} = h_0 when ai = 0 and h_{ai} = h_1 when ai = 1;
the second random array includes the following random numbers: s_0, s_1, t_0, t_1;
first public key u_0 = [s_0]*g_0 + [t_0]*h_0;
first private key v_0 = [s_0]*g' + [t_0]*h';
second public key u_1 = [s_1]*g_1 + [t_1]*h_1;
second private key v_1 = [s_1]*g' + [t_1]*h';
ciphertext of the first message e_0 = KDF(v_0) ⊕ m_0, where KDF is a key generation function;
ciphertext of the second message e_1 = KDF(v_1) ⊕ m_1.
4. The method of claim 3, wherein the target message m_{ai} selected from the ith message group is calculated as m_{ai} = KDF(u_{ai} - [R_r3]*G) ⊕ e_{ai}, where u_{ai} = u_0 and e_{ai} = e_0 when ai = 0, and u_{ai} = u_1 and e_{ai} = e_1 when ai = 1.
5. The method of claim 1, wherein n > 1, k = 1, the sender holds n messages m_0 to m_{n-1}, the receiver holds an original index a, and the value of a ranges from 0 to n-1; the method further comprises the following steps:
the sender sets n message groups according to the n messages, wherein the jth message group comprises the messages 0 and m_j, and j ranges from 0 to n-1;
the receiver sets n target indexes according to the held original index a, wherein the value of the a-th target index of the n target indexes is 1 and the values of the remaining target indexes are 0;
the receiver obtains the n-choose-1 oblivious transfer result m_a when the a-th preset operation is completed.
6. The method of claim 1, wherein n > 1, k > 1, the sender holds n messages m_0 to m_{n-1}, the receiver holds original indexes a_0 to a_{k-1}, and each of a_0 to a_{k-1} ranges from 0 to n-1; the method further comprises the following steps:
the sender sets n message groups according to the n messages, wherein the jth message group comprises the messages 0 and m_j, and j ranges from 0 to n-1;
the receiver sets n target indexes according to the held original indexes a_0 to a_{k-1}, wherein the values of the a_0-th to a_{k-1}-th target indexes of the n target indexes are 1 and the values of the remaining target indexes are 0;
the receiver obtains the n-choose-k oblivious transfer results m_{a_0} to m_{a_{k-1}} when the a_0-th to a_{k-1}-th preset operations are completed.
7. The method of claim 1, wherein the multi-party secure computing platform is based on an oblivious transfer protocol under the semi-honest participant model.
8. An oblivious transfer method applied to a sender in a multi-party secure computing platform, wherein the multi-party secure computing platform further comprises a receiver, the method comprising:
executing a preset operation n times with the receiver based on n message groups, wherein one message group comprises two candidate messages, the receiver holds n target indexes, the n target indexes are generated according to k original indexes of the receiver, n ≥ 1, and n ≥ k ≥ 1;
the ith preset operation comprises the following steps:
receiving a first parameter from the receiver, wherein the first parameter is calculated by the receiver based on a locally generated random number and the base point G of the SM2 algorithm;
and calculating a public key and a private key based on the locally generated random number and the first parameter, encrypting the message in the ith message group based on a preset key generation function and the private key to obtain a ciphertext of the ith message group, and sending the ciphertext of the ith message group and the public key as second parameters to a receiving party.
9. The method of claim 8, wherein the calculating a public key and a private key based on the locally generated random number and the first parameter, and encrypting the messages in the ith message group based on a preset key generation function and the private key to obtain a ciphertext of the ith message group comprises:
generating a second random array, and obtaining a first public key u_0, a first private key v_0, a second public key u_1 and a second private key v_1 by point multiplication and point addition based on the random numbers in the second random array and the parameters in the first parameter;
generating a first key from the first private key v_0 using a preset key generation function and encrypting the first message in the ith message group with the first key to obtain the ciphertext e_0 of the first message, and generating a second key from the second private key v_1 using the key generation function and encrypting the second message in the ith message group with the second key to obtain the ciphertext e_1 of the second message.
10. The method of claim 9, wherein the first parameter comprises: the second temporary public key g_1, the third temporary public key h_0, the fourth temporary public key h_1, the fifth temporary public key g' and the sixth temporary public key h'; wherein:
second temporary public key g_1 = [R_r1]*G, where R_r1 is a first random number generated by the receiver;
third temporary public key h_0 = [R_r2]*G, where R_r2 is a second random number generated by the receiver;
fourth temporary public key h_1 = g_1 + [R_r2]*G;
fifth temporary public key g' = g_{ai} + [R_r3]*G, where R_r3 is a first random array generated by the receiver, g_{ai} = g_0 when ai = 0, g_{ai} = g_1 when ai = 1, and ai is the ith target index held by the receiver;
sixth temporary public key h' = h_{ai} + [R_r3]*G, where h_{ai} = h_0 when ai = 0 and h_{ai} = h_1 when ai = 1;
the ith message group comprises a first message m_0 and a second message m_1, wherein:
the second random array includes the following random numbers: s_0, s_1, t_0, t_1;
first public key u_0 = [s_0]*g_0 + [t_0]*h_0, where g_0 = G;
first private key v_0 = [s_0]*g' + [t_0]*h';
second public key u_1 = [s_1]*g_1 + [t_1]*h_1;
second private key v_1 = [s_1]*g' + [t_1]*h';
ciphertext of the first message e_0 = KDF(v_0) ⊕ m_0, where KDF is a key generation function;
ciphertext of the second message e_1 = KDF(v_1) ⊕ m_1.
11. The method of claim 8, wherein n > 1 and the sender holds n messages m_0 to m_{n-1}, the method further comprising:
setting n message groups according to the n messages, wherein the jth message group comprises the messages 0 and m_j, and j ranges from 0 to n-1.
12. The method of claim 8, wherein the multi-party secure computing platform is based on an oblivious transfer protocol under the semi-honest participant model.
13. An oblivious transfer method, applied to a receiver in a multi-party secure computing platform, the multi-party secure computing platform further comprising a sender, the method comprising:
executing a preset operation n times with the sender based on n target indexes, wherein the sender holds n message groups, one message group comprises two candidate messages, the n target indexes are generated according to k original indexes of the receiver, n ≥ 1, and n ≥ k ≥ 1;
the ith preset operation comprises the following steps:
calculating a first parameter based on a locally generated random number and a base point G of an SM2 algorithm, and sending the first parameter to a sender;
receiving a second parameter from a sender, wherein the sender calculates a public key and a private key based on a locally generated random number and the first parameter, and encrypts a message in an ith message group based on a preset key generation function and the private key to obtain a ciphertext of the ith message group, and the second parameter comprises the ciphertext of the ith message group and the public key;
calculating a target message selected from an ith message group based on the ith target index, the key generation function, and the second parameter.
14. The method of claim 13, wherein calculating the first parameter based on the locally generated random number and the base point G of the SM2 algorithm comprises:
setting the first temporary public key g_0 = G, generating a first random number R_r1, and obtaining the second temporary public key g_1 by point multiplication of the first random number R_r1 and the base point G;
generating a second random number R_r2, and calculating the third temporary public key h_0 and the fourth temporary public key h_1 by point multiplication and point addition based on the second random number R_r2, the base point G and the second temporary public key g_1;
generating a first random array R_r3, and calculating the fifth temporary public key g' and the sixth temporary public key h' by point multiplication and point addition based on the first random array R_r3, the base point G, the ith target index, the first temporary public key g_0, the second temporary public key g_1, the third temporary public key h_0 and the fourth temporary public key h_1;
taking the second temporary public key g_1, the third temporary public key h_0, the fourth temporary public key h_1, the fifth temporary public key g' and the sixth temporary public key h' as the first parameter.
15. The method of claim 14, wherein the i-th message group comprises a first message m_0 and a second message m_1, and the i-th target index is ai, wherein:
second temporary public key g_1 = [R_r1]*G;
third temporary public key h_0 = [R_r2]*G;
fourth temporary public key h_1 = g_1 + [R_r2]*G;
fifth temporary public key g' = g_ai + [R_r3]*G, where g_ai = g_0 when ai = 0 and g_ai = g_1 when ai = 1;
sixth temporary public key h' = h_ai + [R_r3]*G, where h_ai = h_0 when ai = 0 and h_ai = h_1 when ai = 1.
16. The method of claim 15, wherein the target message m_ai selected from the i-th message group is calculated by: m_ai = KDF(u_ai - [R_r3]*G) ⊕ e_ai, where KDF is a key generation function; when ai = 0, u_ai = u_0 and e_ai = e_0; when ai = 1, u_ai = u_1 and e_ai = e_1;
wherein u_0 is the first public key from the sender, u_0 = [s_0]*g_0 + [t_0]*h_0; u_1 is the second public key from the sender, u_1 = [s_1]*g_1 + [t_1]*h_1; e_0 is the ciphertext of the first message m_0, e_0 = KDF(v_0) ⊕ m_0, where v_0 is the first private key generated by the sender, v_0 = [s_0]*g' + [t_0]*h'; e_1 is the ciphertext of the second message m_1, e_1 = KDF(v_1) ⊕ m_1, where v_1 is the second private key generated by the sender, v_1 = [s_1]*g' + [t_1]*h'; and s_0, s_1, t_0, t_1 are the random numbers contained in the second random array generated by the sender.
17. The method according to claim 13, wherein n > 1, k = 1, and the receiver holds an original index a, a having a value in the range 0 to n-1; the method further comprises:
setting n target indexes according to the held original index a, wherein the value of the a-th target index among the n target indexes is 1, and the values of the remaining target indexes are 0;
obtaining a 1-out-of-n oblivious transfer result m_a when the a-th preset operation is completed.
18. The method of claim 13, wherein n > 1, k > 1, and the receiver holds original indexes a_0 to a_{k-1}, each having a value in the range 0 to n-1; the method further comprises:
setting n target indexes according to the held original indexes a_0 to a_{k-1}, wherein the values of the a_0-th to a_{k-1}-th target indexes among the n target indexes are 1, and the values of the remaining target indexes are 0;
obtaining k-out-of-n oblivious transfer results m_{a_0} to m_{a_{k-1}} when the a_0-th to a_{k-1}-th preset operations are completed.
19. The method of claim 13, wherein the multi-party secure computing platform is based on an oblivious transfer protocol under the semi-honest participant model.
20. A multi-party secure computing platform, characterized in that the multi-party secure computing platform comprises a sender and a receiver, wherein the sender, based on n message groups, and the receiver, based on n target indexes, execute a preset operation n times; one message group comprises two messages to be selected, the n target indexes are generated according to k original indexes of the receiver, n ≥ 1, and n ≥ k ≥ 1;
the receiving party comprises a first parameter calculating module which is used for calculating a first parameter based on a locally generated random number and a base point G of an SM2 algorithm and sending the first parameter to the sending party;
the sender comprises a second parameter calculation module, which is used for calculating a public key and a private key based on a locally generated random number and the first parameter, encrypting the message in the ith message group based on a preset key generation function and the private key to obtain a ciphertext of the ith message group, and sending the ciphertext of the ith message group and the public key as second parameters to a receiver;
the receiver further includes a target message calculation module for calculating a target message selected from an ith message group based on the ith target index, the key generation function, and the second parameter.
21. The multi-party secure computing platform of claim 20, wherein the first parameter computation module comprises:
a first calculation submodule for letting the first temporary public key g_0 = G, generating a first random number R_r1, and obtaining a second temporary public key g_1 based on a point multiplication of the first random number R_r1 and the base point G;
a second calculation submodule for generating a second random number R_r2, and obtaining a third temporary public key h_0 and a fourth temporary public key h_1 through point multiplication and point addition based on the second random number R_r2, the base point G, and the second temporary public key g_1;
a third calculation submodule for generating a first random array R_r3, and obtaining a fifth temporary public key g' and a sixth temporary public key h' through point multiplication and point addition based on the first random array R_r3, the base point G, the i-th target index, the first temporary public key g_0, the second temporary public key g_1, the third temporary public key h_0, and the fourth temporary public key h_1;
a first parameter determination submodule for taking the second temporary public key g_1, the third temporary public key h_0, the fourth temporary public key h_1, the fifth temporary public key g' and the sixth temporary public key h' as the first parameter;
the second parameter calculation module includes:
a public key calculation submodule for generating a second random array, and obtaining a first public key u_0, a first private key v_0, a second public key u_1 and a second private key v_1 through point multiplication and point addition based on the random numbers in the second random array and the parameters in the first parameter;
a data encryption submodule for generating a first key from the first private key v_0 by a preset key generation function, encrypting the first message in the i-th message group with the first key to obtain a ciphertext e_0 of the first message, generating a second key from the second private key v_1 by the key generation function, and encrypting the second message in the i-th message group with the second key to obtain a ciphertext e_1 of the second message.
22. The multi-party secure computing platform of claim 21, wherein the i-th message group comprises a first message m_0 and a second message m_1, and the i-th target index is ai, wherein:
second temporary public key g_1 = [R_r1]*G;
third temporary public key h_0 = [R_r2]*G;
fourth temporary public key h_1 = g_1 + [R_r2]*G;
fifth temporary public key g' = g_ai + [R_r3]*G, where g_ai = g_0 when ai = 0 and g_ai = g_1 when ai = 1;
sixth temporary public key h' = h_ai + [R_r3]*G, where h_ai = h_0 when ai = 0 and h_ai = h_1 when ai = 1;
the second random array includes the following random numbers: s_0, s_1, t_0, t_1;
first public key u_0 = [s_0]*g_0 + [t_0]*h_0;
first private key v_0 = [s_0]*g' + [t_0]*h';
second public key u_1 = [s_1]*g_1 + [t_1]*h_1;
second private key v_1 = [s_1]*g' + [t_1]*h';
ciphertext of the first message e_0 = KDF(v_0) ⊕ m_0, where KDF is a key generation function;
ciphertext of the second message e_1 = KDF(v_1) ⊕ m_1.
23. The multi-party secure computing platform of claim 22, wherein the target message m_ai selected from the i-th message group is calculated by: m_ai = KDF(u_ai - [R_r3]*G) ⊕ e_ai, where u_ai = u_0 and e_ai = e_0 when ai = 0, and u_ai = u_1 and e_ai = e_1 when ai = 1.
24. The multi-party secure computing platform of claim 20, wherein n > 1, k = 1, the sender holds n messages m_0 to m_{n-1}, and the receiver holds an original index a having a value in the range 0 to n-1;
the sender further comprises a first message setting module for setting n message groups according to the n messages, wherein the j-th message group comprises the following messages: 0 and m_j, j having a value in the range 0 to n-1;
the receiver further comprises a first index setting module for setting n target indexes according to the held original index a, wherein the value of the a-th target index among the n target indexes is 1, and the values of the remaining target indexes are 0;
the receiver further comprises a first result acquisition module for obtaining a 1-out-of-n oblivious transfer result m_a when the a-th preset operation is completed.
25. The multi-party secure computing platform of claim 20, wherein n > 1, k > 1, the sender holds n messages m_0 to m_{n-1}, and the receiver holds original indexes a_0 to a_{k-1}, each having a value in the range 0 to n-1;
the sender further comprises a second message setting module for setting n message groups according to the n messages, wherein the j-th message group comprises the following messages: 0 and m_j, j having a value in the range 0 to n-1;
the receiver further comprises a second index setting module for setting n target indexes according to the held original indexes a_0 to a_{k-1}, wherein the values of the a_0-th to a_{k-1}-th target indexes among the n target indexes are 1, and the values of the remaining target indexes are 0;
the receiver further comprises a second result acquisition module for obtaining k-out-of-n oblivious transfer results m_{a_0} to m_{a_{k-1}} when the a_0-th to a_{k-1}-th preset operations are completed.
26. The multi-party secure computing platform of claim 20, wherein the multi-party secure computing platform is based on an oblivious transfer protocol under the semi-honest participant model.
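The 1-out-of-n and k-out-of-n reductions of claims 17, 18, 24 and 25, as an added example that is not part of the patent text: the SM2-based preset operation is replaced by an ideal 1-out-of-2 stand-in (`ideal_ot_1of2`, an assumption). The function names, the sample messages and the zero-padding of the 0 message to the length of m_j are also assumptions.

```python
from typing import Dict, List, Sequence, Tuple

Group = Tuple[bytes, bytes]


def ideal_ot_1of2(group: Group, target_index: int) -> bytes:
    """Assumed stand-in for one preset operation: the receiver learns
    group[target_index] and nothing about the other message."""
    if target_index not in (0, 1):
        raise ValueError("target index must be 0 or 1")
    return group[target_index]


def sender_message_groups(messages: Sequence[bytes]) -> List[Group]:
    """Sender side: the j-th message group is (0, m_j).
    Assumption: the 0 message is zero bytes of the same length as m_j."""
    return [(bytes(len(m)), m) for m in messages]


def receiver_target_indexes(n: int, originals: Sequence[int]) -> List[int]:
    """Receiver side: n target indexes, 1 at each original index, 0 elsewhere."""
    if not 1 <= len(originals) <= n:
        raise ValueError("need n >= k >= 1")
    if len(set(originals)) != len(originals):
        raise ValueError("original indexes must be distinct")
    bits = [0] * n
    for a in originals:
        if not 0 <= a < n:
            raise ValueError(f"original index {a} is outside 0..{n - 1}")
        bits[a] = 1
    return bits


def run_preset_operations(groups: Sequence[Group], bits: Sequence[int]) -> List[bytes]:
    """Execute the n preset operations, one per message group."""
    if len(groups) != len(bits):
        raise ValueError("one target index is required per message group")
    return [ideal_ot_1of2(g, b) for g, b in zip(groups, bits)]


def k_out_of_n(messages: Sequence[bytes], originals: Sequence[int]) -> Dict[int, bytes]:
    """Keep only the results of the a-th operations for the held original indexes."""
    groups = sender_message_groups(messages)
    bits = receiver_target_indexes(len(messages), originals)
    outputs = run_preset_operations(groups, bits)
    return {a: outputs[a] for a in originals}


# Constructed sample messages (not from the patent).
MESSAGES = [b"rec-0", b"rec-1", b"rec-2", b"rec-3"]

if __name__ == "__main__":
    print(k_out_of_n(MESSAGES, [2]))      # 1-out-of-n, original index a = 2
    print(k_out_of_n(MESSAGES, [0, 3]))   # k-out-of-n, original indexes 0 and 3
```

The bound k is enforced only by the target-index vector that the receiver builds itself, so the reduction relies on the semi-honest participant model stated in claims 19 and 26.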
27. A receiver in a multi-party secure computing platform, characterized in that the multi-party secure computing platform further comprises a sender, wherein the sender, based on n message groups, and the receiver, based on n target indexes, execute a preset operation n times; one message group comprises two messages to be selected, the n target indexes are generated according to k original indexes of the receiver, n ≥ 1, and n ≥ k ≥ 1; the receiver comprises:
the first parameter calculation module is used for calculating a first parameter based on a locally generated random number and a base point G of an SM2 algorithm and sending the first parameter to a sender;
a second parameter receiving module, configured to receive a second parameter from a sender, where the sender calculates a public key and a private key based on a locally generated random number and the first parameter, and encrypts a message in an ith message group based on a preset key generation function and the private key to obtain a ciphertext of the ith message group, and the sender uses the ciphertext of the ith message group and the public key as the second parameter;
and the target message calculation module is used for calculating the target message selected from the ith message group based on the ith target index, the key generation function and the second parameter.
28. A sender in a multi-party secure computing platform, characterized in that the multi-party secure computing platform further comprises a receiver, wherein the sender, based on n message groups, and the receiver, based on n target indexes, execute a preset operation n times; one message group comprises two messages to be selected, the n target indexes are generated according to k original indexes of the receiver, n ≥ 1, and n ≥ k ≥ 1; the sender comprises:
the first parameter receiving module is used for receiving a first parameter from a receiving party, wherein the first parameter is obtained by calculation of the receiving party based on a locally generated random number and a base point G of an SM2 algorithm;
and the second parameter calculation module is used for calculating a public key and a private key based on the locally generated random number and the first parameter, encrypting the message in the ith message group based on a preset key generation function and the private key to obtain a ciphertext of the ith message group, and sending the ciphertext of the ith message group and the public key to a receiver as second parameters.
29. An apparatus for oblivious transfer, comprising a memory and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by one or more processors, the one or more programs comprising instructions for performing the oblivious transfer method of any of claims 1-7 or 8-12 or 13-19.
30. A machine-readable medium having instructions stored thereon which, when executed by one or more processors of an apparatus, cause the apparatus to perform the oblivious transfer method of any of claims 1 to 7 or 8 to 12 or 13 to 19.
CN202210191205.7A 2022-03-01 2022-03-01 Inadvertent transmission method, multi-party secure computing platform and device for inadvertent transmission Active CN114301594B (en)


Publications (2)

Publication Number    Publication Date
CN114301594A (en)    2022-04-08
CN114301594B (en)    2022-05-17

Family

ID=80978235





Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant