CN114448630B - Multi-party secure computing method, system and device for multi-party secure computing - Google Patents
Multi-party secure computing method, system and device for multi-party secure computing Download PDFInfo
- Publication number
- CN114448630B CN114448630B CN202210358386.8A CN202210358386A CN114448630B CN 114448630 B CN114448630 B CN 114448630B CN 202210358386 A CN202210358386 A CN 202210358386A CN 114448630 B CN114448630 B CN 114448630B
- Authority
- CN
- China
- Prior art keywords
- result
- computing node
- computing
- secret
- fragment
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
Abstract
The embodiment of the invention provides a multi-party secure computing method and system and a device for multi-party secure computing. In the multiparty security computing method provided by the embodiment of the present invention, when computing the product of the first secret X and the second secret Y based on the 2-4 secret sharing protocol, each computing node only needs to perform 4 communications, which are: in the first round of communication, the computing node S1 interacts with the computing node Sb for 2 times of communication; in the second round of communication, the computing node S1 fragments the third result
Sending the third result fragment to the computing node Sa, and the computing node S2 fragmenting the third result fragment
And sending the data to the computing node Sb for 2 times of communication. Compared with the processing process of calculating the product of the first secret X and the second secret Y based on the 2-4 secret sharing protocol in the prior art, the method and the device for processing the secret data reduce communication traffic among the computing nodes, and therefore time consumption of multi-party secure calculation can be reduced.
Description
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a multi-party secure computing method, system, and apparatus for multi-party secure computing.
Background
The information protection technology based on secret sharing refers to that the secret is split in a proper mode, each split data fragment is managed by different participants, a single participant cannot recover the original secret, and the original secret can be recovered only by cooperation of a plurality of participants.
The currently adopted 2-4 secret sharing protocol is a multi-party secure computing protocol based on secret sharing, and 4 computing nodes are adopted to store data fragments, wherein any 2 computing nodes can recover the original secret. When the 2-4 secret sharing protocol is adopted to carry out secret multiplication, 8 times of communication is needed among each computing node in each round of computing process, the communication volume is too large, and the computing efficiency of multi-party security computing is influenced.
Disclosure of Invention
The embodiment of the invention provides a multi-party security calculation method, a multi-party security calculation system and a device for multi-party security calculation, which can reduce 8 times of communication among calculation nodes into 4 times of communication when secret multiplication calculation is carried out in a 2-4 secret sharing protocol, and are favorable for reducing the time consumption of multi-party security calculation.
In order to solve the above problem, an embodiment of the present invention discloses a multi-party secure computing method, which is applied to a multi-party secure computing system, where the multi-party secure computing system includes 4 computing nodes, where the 4 computing nodes include computing nodes S1, S2, Sa, and Sb, and the method is used to compute a product of a first secret X and a second secret Y, and the method includes:
Each computing node respectively holds ciphertext fragments of a first secret X and a second secret Y, and meets a 2-4 secret sharing protocol, wherein S1 and S2 share a random number r12, S1, an Sb share random number r1b, S1, S2 and an Sa share random number r12a, and S2, Sa and an Sb share random number r2 ab;
each computing node performs local multiplication on the basis of the held ciphertext fragment and encrypts a multiplication result by using a shared random number to obtain a first result fragment;
the computing node S1 interacts with the computing node Sb such that the computing node S1 and the computing node Sb hold the first result slice z1 and the first result slice zb in common;
the computing node S1 and the computing node Sb perform local addition computation based on the held first result fragment, and encrypt the addition computation result with the random number r1b, so that the computing node S1 obtains the second result fragment
Computing nodeSb gets a second result slice
;
The computing node S1 and the computing node S2 respectively perform encryption calculation on the held second result fragment or the held first result fragment by using the random number r12, so that the computing node S1 obtains a third result fragment
Computing node S2 obtains a third result fragment
;
The computing node S1 segments the third result 
Sending the third result fragment to the computing node Sa, and the computing node S2 fragmenting the third result fragment
Sending the data to a computing node Sb;
and obtaining a product of the first secret X and the second secret Y based on result fragments held by any 2 computing nodes in the 4 computing nodes, wherein the result fragments comprise at least one of a first result fragment, a second result fragment and a third result fragment.
In another aspect, an embodiment of the present invention discloses a multi-party secure computing system, where the multi-party secure computing system includes 4 computing nodes, where the 4 computing nodes include computing nodes S1, S2, Sa, and Sb, and the multi-party secure computing system is configured to compute a product of a first secret X and a second secret Y;
each computing node respectively holds ciphertext fragments of a first secret X and a second secret Y, and meets a 2-4 secret sharing protocol, wherein S1 and S2 share a random number r12, S1, an Sb share random number r1b, S1, S2 and an Sa share random number r12a, and S2, Sa and an Sb share random number r2 ab;
each computing node performs local multiplication on the basis of the held ciphertext fragment and encrypts a multiplication result by using a shared random number to obtain a first result fragment;
computing node S1 interacts with computing node Sb such that computing node S1 and computing node Sb collectively hold first result shard z1 and first result shard zb;
The computing node S1 and the computing node Sb perform local addition computation based on the held first result fragment, and encrypt the addition computation result by using the random number r1b, so that the computing node S1 obtains a second result fragment
Computing node Sb obtains a second result fragment
;
The computing node S1 and the computing node S2 respectively perform encryption calculation on the held second result fragment or the held first result fragment by using the random number r12, so that the computing node S1 obtains a third result fragment
Computing node S2 obtains a third result fragment
;
A computing node S1, further for slicing the third result
Sending to a computing node Sa;
a computing node S2, further for slicing the third result
Sending the data to a computing node Sb;
the multi-party secure computing system is configured to obtain a product of the first secret X and the second secret Y based on result shards held by any 2 computing nodes of the 4 computing nodes, where the result shards include at least one of a first result shard, a second result shard, and a third result shard.
In yet another aspect, an embodiment of the present invention discloses an apparatus for multi-party secure computing, applied to a multi-party secure computing system, the multi-party secure computing system including 4 computing nodes, the 4 computing nodes including computing nodes S1, S2, Sa, and Sb, the apparatus for computing a product of the first secret X and the second secret Y, the apparatus including a memory, and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs including instructions for:
Each computing node respectively holds ciphertext fragments of a first secret X and a second secret Y, and meets a 2-4 secret sharing protocol, wherein S1 and S2 share a random number r12, S1, an Sb share random number r1b, S1, S2 and an Sa share random number r12a, and S2, Sa and an Sb share random number r2 ab;
each computing node performs local multiplication on the basis of the held ciphertext fragment and encrypts a multiplication result by using a shared random number to obtain a first result fragment;
computing node S1 interacts with computing node Sb such that computing node S1 and computing node Sb collectively hold first result shard z1 and first result shard zb;
the computing node S1 and the computing node Sb perform local addition computation based on the held first result fragment, and encrypt the addition computation result by using the random number r1b, so that the computing node S1 obtains a second result fragment
Computing node Sb obtains a second result fragment
;
The compute node S1 and the compute node S2 each utilize a random number r12, carrying out encryption calculation on the held second result fragment or the held first result fragment, so that the computing node S1 obtains a third result fragment
The computing node S2 obtains a third result fragment
;
The computing node S1 segments the third result 
Sending the third result fragment to the computing node Sa, and the computing node S2 fragmenting the third result fragment
Sending the data to a computing node Sb;
and obtaining a product of the first secret X and the second secret Y based on result shards held by any 2 computing nodes of the 4 computing nodes, wherein the result shards comprise at least one of a first result shard, a second result shard and a third result shard.
In yet another aspect, an embodiment of the invention discloses a machine-readable medium having stored thereon instructions, which when executed by one or more processors, cause an apparatus to perform a multi-party secure computing method as described in one or more of the preceding.
The embodiment of the invention has the following advantages:
in the multiparty security computing method provided in the embodiment of the present invention, when computing the product of the first secret X and the second secret Y based on the 2-4 secret sharing protocol, each computing node only needs to perform 4 communications, which are: in the first round of communication, the computing node S1 interacts with the computing node Sb for 2 times of communication; second round of communication, computing node S1 shards the third result
Sending the third result to a computing node Sa, and segmenting the third result by the computing node S2
And sending the data to the computing node Sb for 2 times of communication. Compared with the processing process of calculating the product of the first secret X and the second secret Y based on the 2-4 secret sharing protocol in the prior art, the method and the device for processing the secret data reduce communication traffic among the computing nodes, and therefore time consumption of multi-party secure calculation can be reduced.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments of the present invention will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without inventive labor.
FIG. 1 is a schematic diagram of secret sharing based on a 2-4 secret sharing protocol;
FIG. 2 is a schematic diagram of data allocation for a compute node;
FIG. 3 is a schematic diagram of a prior art local multiply computation process for each compute node;
FIG. 4 is a communication diagram of various computing nodes in the prior art;
FIG. 5 is a flow diagram of the steps of one embodiment of a multi-party secure computing method of the present invention;
FIG. 6 is a block diagram of a multi-party secure computing system of the present invention;
FIG. 7 is a schematic diagram of a compute node's local multiply computation process of the present invention;
FIG. 8 is a schematic diagram of a first round of communication process of a compute node of the present invention;
FIG. 9 is a schematic diagram of a second round of communication process of a compute node of the present invention;
FIG. 10 is a diagram of prior art result slices held by various compute nodes for recovering X Y;
FIG. 11 is a block diagram of an apparatus 800 for multi-party secure computing of the present invention;
fig. 12 is a schematic diagram of a server in some embodiments of the invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Method embodiment
The multi-party secure computing method provided by the embodiment of the invention can be applied to a multi-party secure computing system, and the multi-party secure computing system is a computing system for protecting data privacy and security. Under the premise of not revealing the data of the participants, the multiple participants can use the multi-party safety computing technology to carry out collaborative computing to obtain computing results, and the computed data, the intermediate results and the final results can be guaranteed not to be revealed. The participants of the multi-party secure computing can comprise task control nodes and computing nodes, wherein the task control nodes are used for scheduling the computing nodes to execute the secure computing tasks, and the computing nodes perform collaborative computing on the basis of the respectively-held ciphertext fragments to complete the secure computing tasks.
It should be noted that, in the embodiment of the present invention, the number of computing nodes included in one multi-party secure computing system is not limited, and the number of computing nodes may be determined according to a secret sharing protocol supported by the multi-party secure computing system. For example, for a multi-party secure computing system that supports a 2-4 secret sharing protocol, at least 4 computing nodes are included. Further, the multi-party secure computing system may further include a data node for providing services such as data storage, data provision, computation result storage, and the like. The multi-party security computing system may further include a result acquirer, configured to acquire a computation result from the computing node, where the result acquirer may be a specified certain data node or certain data nodes.
The secure computing tasks executed by the computing nodes in the multi-party secure computing system may be computer program codes implemented through a preset programming language, and the multi-party secure computing system may implement corresponding computing functions by executing the computer program codes. The secure computing task includes, but is not limited to: and data related operations such as calculation, cleaning, analysis, model training, storage, database query and the like of the data are realized based on the ciphertext. It is to be understood that embodiments of the present invention do not impose limitations on the specific types of secure computing tasks.
A secure computation task may include any type of mathematical computation, such as four arithmetic computations (e.g., addition, subtraction, multiplication, division), logical computations (e.g., and, or, xor), etc.
In the embodiment of the present invention, the secure computation tasks executed by the respective compute nodes at least include multiplication computation, and the multi-party secure computation method provided in the embodiment of the present invention is mainly used for computing the product of the first secret X and the second secret Y.
It is understood that the first secret X and the second secret Y in the present invention may be any data that is not convenient for disclosure, and may include, but is not limited to, data representing personal information of a user, business secrets, model parameters of a neural network model, and the like. The multi-party safe calculation method provided by the embodiment of the invention can be applied to ciphertext multiplication operation in tasks such as calculation, cleaning, analysis, model training, storage, database query and the like of data based on ciphertext.
The multiplication in the multi-party security calculation process is usually implemented based on a secret sharing technology. The secret sharing technology mainly divides a secret into n ciphertext fragments, sends the corresponding ciphertext fragments to corresponding computing nodes, and any k (k is less than or equal to n) computing nodes can recover the original secret by using the mastered ciphertext fragments. For example, in a 2-4 secret sharing protocol, ciphertext fragments are held by 4 compute nodes (S1, S2, Sa, Sb), where any 2 compute nodes may recover the original secret based on the held ciphertext fragments.
Referring to fig. 1, a schematic diagram of secret sharing based on a 2-4 secret sharing protocol is shown. As shown in fig. 1, assume that the original secret X is randomly divided into two ciphertext fragments X1 and X2, where compute node S1 holds ciphertext fragment X1, compute node S2 holds ciphertext fragment X2, and compute nodes S1 and S2 share random number r 12. The computing nodes S1 and S2 respectively encrypt the held ciphertext fragments by using the random number r12, the computing node S1 obtains ciphertext fragments x1_, x1_ = x1-r12, and the computing node S2 obtains ciphertext fragments x2_, x2_ = x2+ r 12. The computing node S1 sends the ciphertext fragment x1 to the computing node Sb, and sends the ciphertext fragment x1_ to the computing node Sa; the computing node S2 sends the ciphertext fragment x2 to the computing node Sa and the ciphertext fragment x2_ to the computing node Sb.
Through the secret sharing process shown in fig. 1, the computing node S1 holds ciphertext fragments x1 and x1_, the computing node S2 holds ciphertext fragments x2 and x2_, the computing node Sa holds ciphertext fragments x2 and x1_, and the computing node Sb holds ciphertext fragments x1 and x2 _. Any 2 of the 4 compute nodes may recover the original secret X based on the held ciphertext fragments. Referring to table 1, various possible scenarios for any 2 of the compute nodes S1, S2, Sa, and Sb to recover the original secret X are listed.
The following will use 2-4 secret sharing protocol as an example to describe the specific implementation process of the prior art for multiplication calculation in multi-party security calculation. It is assumed that the product of the first secret X and the second secret Y is calculated. First, the first secret X and the second secret Y are randomly divided into 2 ciphertext fragments, and each computing node holds the corresponding ciphertext fragment. If the ciphertext fragments are distributed according to the secret sharing method shown in fig. 1, reference may be made to the data distribution diagram shown in fig. 2 for the data holding situations of the computing nodes S1, S2, Sa, and Sb. As shown in fig. 2, the computing node S1 holds ciphertext fragments x1, y1, x1_ and y1_, the computing node S2 holds ciphertext fragments x2, y2, x2_ and y2_, the computing node Sa holds ciphertext fragments x2, y2, x1_ and y1_, and the computing node Sb holds ciphertext fragments x1, y1, x2_ and y2 _. Wherein, X = X1+ X2= X1_ + X2_, Y = Y1+ Y2= Y1_ + Y2_, the computing nodes S1 and S2 share the random numbers r12 and r12_, and the computing nodes Sa and Sb share the random numbers rab and rab _. It should be noted that the ciphertext fragments held by each computing node satisfy the 2-4 secret sharing protocol, in other words, any 2 computing nodes in the 4 computing nodes can recover the first secret X and the second secret Y based on the held ciphertext fragments, the recovery processes of the first secret X and the second secret Y are the same, and the specific secret recovery condition can refer to table 1.
And each computing node cooperatively computes X X Y based on the held ciphertext fragments. The specific calculation steps in the prior art are as follows:
1. each computing node performs local multiplication on the basis of the held ciphertext fragment, and encrypts a multiplication result by using random numbers r12 and r12 or random numbers rab and rab to obtain result fragments. Referring to fig. 3, a schematic diagram of a local multiplication process of each computation node in the prior art is shown. As shown in fig. 3, through local multiplication computation, the computation node S1 holds result patches z1 and z1_, z1= x1 y1_ -r12, and z1_ = x1 y1_ -r12 _; the compute node S2 holds result slices z2 and z2_, z2= x2 y2 + r12, z2_ = x2 y2_ + r12 _; the computation node Sa holds result slices za and za _, za = x2 y1_ -rab, and za _ = x2 y1_ -rab _; the compute node Sb holds result slices zb and zb _, zb = x1 y2_ + rab, zb _ = x1 y2_ + rab _.
2. Communications are conducted between the various compute nodes such that compute node S1 holds result slices z1, z1_, za _, and zb, compute node S2 holds result slices z2, z2_, za, and zb _, compute node Sa holds result slices z1_, z2, za, and za _, and compute node Sb holds result slices z1, z2_, zb, and zb _. Referring to FIG. 4, a communication diagram of various computing nodes in the prior art is shown. As shown in fig. 4, the computing nodes S1, S2, Sa and Sb perform 8 communications in total, and specifically include:
1) The computing node S1 sends the result fragment z1 to the computing node Sb;
2) the computing node Sb sends the result fragment zb to the computing node S1;
3) the computing node S1 sends the result fragment z1_ to the computing node Sa;
4) the computing node Sa sends the result fragment za _ to the computing node S1;
5) the computing node S2 sends the result fragment z2 to the computing node Sa;
6) the computing node Sa sends the result fragment za to the computing node S2;
7) the computing node S2 sends the result fragment z2_ to the computing node Sb;
8) the computing node Sb transmits the result fragment zb _ to the computing node S2.
Via the 8 communications illustrated in FIG. 4, compute node S1 holds result slices z1, z1_, za _, and zb, compute node S2 holds result slices z2, z2_, za, and zb _, compute node Sa holds result slices z1_, z2, za, and za _, and compute node Sb holds result slices z1, z2_, zb, and zb _. Any two of the 4 compute nodes may derive X Y based on the held result shards. Referring to table 2, various possible cases of obtaining X × Y by any 2 computation nodes of the computation nodes S1, S2, Sa, and Sb are listed.
From the above, in the prior art, when performing multiplication calculation in multi-party security calculation based on a 2-4 secret sharing protocol, 8 communications need to be performed between each computing node, and the communication traffic is large, which affects the calculation efficiency of multi-party security calculation. In order to solve the problem, the multiparty security computing method provided by the embodiment of the invention optimizes the computing process of performing multiplication computation based on a 2-4 secret sharing protocol. Referring to FIG. 5, a flow diagram of the steps of one embodiment of a multi-party security computing method of the present invention is shown. It should be noted that, an embodiment of the present invention discloses a multi-party secure computing method, which is applied to a multi-party secure computing system, and referring to fig. 6, a schematic structural diagram of the multi-party secure computing system provided in the embodiment of the present invention is shown, as shown in fig. 6, the multi-party secure computing system includes 4 computing nodes, where the 4 computing nodes include computing nodes S1, S2, Sa, and Sb, the method is used for computing a product of the first secret X and the second secret Y, and the method may specifically include the following steps:
In step 101, each computing node respectively holds ciphertext fragments of a first secret X and a second secret Y, and meets a 2-4 secret sharing protocol, wherein S1 and S2 share a random number r12, S1, an Sb share a random number r1b, S1, S2, an Sa share a random number r12a, and S2, Sa, and an Sb share a random number r2 ab.
And 102, each computing node performs local multiplication calculation based on the held ciphertext fragment and encrypts a multiplication result by using a shared random number to obtain a first result fragment.
In the invention, the computing nodes S1, S2, Sa, and Sb respectively hold ciphertext fragments of the first secret X and the second secret Y, and satisfy the 2-4 secret sharing protocol, and any 2 computing nodes of the 4 computing nodes can recover the first secret X and the second secret Y based on the held ciphertext fragments.
It should be noted that, in the multi-party security calculation process, the multiplication calculation is usually performed in a vector form, and the first secret X and the second secret Y in the present invention may be vectors or matrices. The shared random number between the computing nodes can be an array.
Each computing node performs local multiplication calculation based on the held ciphertext fragment, and encrypts a multiplication result by using a shared random number to obtain a first result fragment.
Then, the first round of communication process in the embodiment of the present invention is performed: computing node S1 interacts with computing node Sb. In the first round of communication, 2 times of communication are performed, and the specific communication conditions are as follows:
1) the computing node S1 sends the first result slice z1 to the computing node Sb;
2) the computing node Sb sends the first result slice zb to the computing node S1.
Through the first round of communication, computing nodes S1 and Sb hold first result shards z1 and zb, computing node S2 holds first result shard z2, and computing node Sa holds first result shard za.
Then, the computing node S1 and the computing node Sb perform local processing based on the held first result slices z1 and zb, respectivelyAnd (5) performing addition calculation, and encrypting the addition calculation result by using a random number r1b to obtain a second result fragment. The second result obtained by the computing node S1 is sliced into
The second result obtained by the computing node Sb is segmented into
Second result slicing
And
the following relationship can be satisfied:
。
to ensure data security during the next second round of communication, the computing node S1 shards the second result held with a random number r12
Carrying out encryption calculation to obtain a third result fragment
(ii) a The computing node S2 carries out encryption computation on the held first result fragment z2 by using the random number r12 to obtain a third result fragment 
。
Next, a second round of communication according to the embodiment of the present invention is performed, and the specific communication process is as follows:
3) the computing node S1 segments the third result
Sending to a computing node Sa;
4) computing nodeS2 slicing the third result
And sending to the computing node Sb.
Finally, the product of the first secret X and the second secret Y can be obtained based on the result shards held by any 2 of the 4 compute nodes. It should be noted that the result fragment includes at least one of a first result fragment, a second result fragment, and a third result fragment.
According to the multi-party security calculation method provided by the embodiment of the invention, when the product of the first secret X and the second secret Y is calculated, only 4 times of communication are needed between each calculation node, and compared with the processing process of calculating the product of the first secret X and the second secret Y based on a 2-4 secret sharing protocol in the prior art, the multi-party security calculation method provided by the embodiment of the invention reduces the communication traffic between each calculation node, thereby reducing the time consumption of multi-party security calculation.
In an optional embodiment of the present invention, each of the computing nodes respectively holds ciphertext fragments of a first secret X and a second secret Y, and satisfies a 2-4 secret sharing protocol, including:
Step S11, the computing node S1 holds one of the 2 ciphertext fragments into which the first secret X is randomly divided, X1, and one of the 2 ciphertext fragments into which the second secret Y is randomly divided, Y1; the computing node S2 holds another ciphertext fragment X2 of the first secret X, and another ciphertext fragment Y2 of the second secret Y;
step S12, the computing node S1 performs encryption calculation on the held ciphertext fragments x1 and y1 by using the random number r12 to obtain ciphertext fragments x1_ and y1_, sends the ciphertext fragments x1_ and y1_ to the computing node Sa, and sends the ciphertext fragments x1 and y1 to the computing node Sb;
step S13 and the computing node S2 perform encryption calculation on the held ciphertext fragments x2 and y2 respectively by using the random number r12 to obtain ciphertext fragments x2_ and y2_, send the ciphertext fragments x2_ and y2_ to the computing node Sb, and send the ciphertext fragments x2 and y2 to the computing node Sa.
Assume that the first secret X is randomly divided into 2 ciphertext fragments: x1 and x2, the second secret Y is also randomly divided into 2 ciphertext fragments: y1 and y 2. Of the 4 compute nodes S1, S2, Sa, and Sb, compute node S1 holds ciphertext fragments x1 and y1, compute node S2 holds ciphertext fragments x2 and y2, and compute nodes S1 and S2 share a random number r 12.
The computation nodes S1 and S2 process the held ciphertext fragments, so that the computation nodes Sa and Sb also hold ciphertext fragments corresponding to the first secret X and the second secret Y, and the ciphertext fragments held by each computation node satisfy a 2-4 secret sharing protocol, and any 2 computation nodes in 4 computation nodes can recover the first secret X and the second secret Y based on the held ciphertext fragments.
Specifically, the computing node S1 performs encryption calculation on the ciphertext fragments x1 and y1 respectively by using the random number r12 to obtain ciphertext fragments x1_ and y1_, sends the ciphertext fragments x1_ and y1_ to the computing node Sa, and sends the ciphertext fragments x1 and y1 to the computing node Sb. The computing node S2 performs encryption computation on the ciphertext fragments x2 and y2 by using the random number r12 to obtain ciphertext fragments x2_ and y2_, sends the ciphertext fragments x2_ and y2_ to the computing node Sb, and sends the ciphertext fragments x2 and y2 to the computing node Sa.
Through the above processing, the computing node S1 holds ciphertext fragments x1, y1, x1_ and y1_, the computing node S2 holds ciphertext fragments x2, y2, x2_ and y2_, the computing node Sa holds ciphertext fragments x2, y2, x1_ and y1_, and the computing node Sb holds ciphertext fragments x1, y1, x2_ and y2 _.
It should be noted that, in the embodiment of the present invention, when performing encryption calculation on ciphertext fragments x1 and x2 and performing encryption calculation on ciphertext fragments y1 and y2, the random numbers used may be the same or different, for example, random number r12 may be used to perform encryption calculation on ciphertext fragments x1, x2, y1, and y2, respectively; cipher text segments x1 and x2 may also be encrypted using random number r12, cipher text segments y1 and y2 may also be encrypted using random number r12_ and so on. The encryption calculation process of the ciphertext fragment is not specifically limited in the embodiments of the present invention, as long as the ciphertext fragment held by each computing node satisfies the 2-4 secret sharing protocol, specifically, ciphertext fragments x1, x2, x1_ and x2_ satisfy x1+ x2= x1_ + x2_, and ciphertext fragments y1, y2, y1_ and y2_ satisfy y1+ y2= y1_ + y2 _.
The specific steps of the multiparty security computation provided by the embodiment of the present invention will be described below by taking as an example that the computing node holds ciphertext fragments x1, y1, x1_ and y1_, the computing node S2 holds ciphertext fragments x2, y2, x2_ and y2_, the computing node Sa holds ciphertext fragments x2, y2, x1_ and y1_, the computing node Sb holds ciphertext fragments x1, y1, x2_ and y2_, x1_ = x1-r12, x2_ = x2+ r12, y1_ = y1-r12, and y2_ = y2+ r 12.
In an optional embodiment of the present invention, the performing, by each computing node, local multiplication on the basis of the held ciphertext fragment, and encrypting a multiplication result by using a shared random number, respectively, to obtain a first result fragment includes:
step S21, the computing node S1 performs local multiplication based on the held ciphertext fragments x1, y1, x1_ and y1_ and encrypts the multiplication result with the random number r12a to obtain the first result fragment z1, z1= x1_ y1_ - (x1-x1_) (y1-y1_) + r12 a;
step S22, the computation nodes S2 and Sa perform local multiplication based on the held ciphertext fragments x2 and y2, respectively, and encrypt the multiplication result by using random numbers r12a and r2ab, so that the computation node S2 obtains a first result fragment z2, and the computation node Sa obtains a first result fragment za, where z2= za = x2 y2-r12a-r2 ab;
In step S23, the computing node Sb performs local multiplication based on the held ciphertext fragments x1, y1, x2_ and y2_ and encrypts the multiplication result using the random numbers r1b and r2ab to obtain the first result fragment zb, zb = x2_ y2_ + x1 _y 1- (x1-x2_) (y1-y2_) + r1b + r2 ab.
Referring to fig. 7, a schematic diagram of a local multiplication process of a compute node according to an embodiment of the present invention is shown. As shown in fig. 7, each computing node performs local multiplication based on the held ciphertext fragment, and encrypts the multiplication result by using the shared random number to obtain the first result fragment. Wherein, the computing node S1 obtains a first result fragment z1, z1= x1_ y1_ - (x1-x1_) _ (y1-y1_) + r12 a; calculating node S2 to obtain a first result patch z2, z2= x2 x y2-r12a-r2 ab; computing node Sa yields a first result patch za, za = x2 y2-r12a-r2ab, and first result patch z2= za; node Sb is calculated to give the first result patch zb, zb = x2_ y2_ + x1 _y 1- (x1-x2_) _ (y1-y2_) + r1b + r2 ab.
After each computing node obtains the first result fragment, the first round of communication process of the invention is started. Referring to fig. 8, a schematic diagram of a first round of communication process of each computing node provided by the embodiment of the present invention is shown. As shown in fig. 8, the computing node S1 interacts with the computing node Sb for 2 communications. Through a first round of communication, compute nodes S1 and Sb each hold a first result slice z1 and zb.
Then, the computing nodes S1 and Sb perform local addition calculation based on the held first result fragment, and encrypt the addition calculation result with the random number r1b, to obtain a second result fragment. The second result obtained by computing node S1 is sliced into
The second result obtained by the computing node Sb is segmented into
Second result slicing
And
the following relationship can be satisfied:
。
in the embodiment of the present invention, the second round of communication is the communication between the computing nodes S1 and Sa, and the computing nodes S2 and Sb. In order to ensure data security during communication, before the second round of communication, the computing node S1 and the computing node S2 perform encryption calculation on the held second result fragment or first result fragment by using the random number r12, respectively.
As an example, the compute node S1 and compute node S2 each utilizeThe random number r12 performs encryption calculation on the held second result fragment or first result fragment, so that the computing node S1 obtains a third result fragment
Computing node S2 obtains a third result fragment
The method comprises the following steps:
step S31, the computing node S1 shards the held second result with the random number r12
Carrying out encryption calculation to obtain a third result fragment
,
;
Step S32, the computing node S2 uses the random number r12 to perform encryption calculation on the held first result fragment z2 to obtain a third result fragment 
,
。
Next, the second round of communication in the present invention is performed. Referring to fig. 9, a schematic diagram of a second round of communication processes of each computing node provided by the embodiment of the present invention is shown. As shown in FIG. 9, the computing node S1 segments the third result
Sending the third result to the computing node Sa, and the computing node S2 fragmenting the third result
And sending the data to the computing node Sb.
It should be noted that, in the embodiment of the present invention, the first result segment held by each node satisfies: z1= X1_ Y1_ - (X1-X1_) + r12a (Y1-Y1_) + r12, z2= X2Y 2-r12a-r2ab, za = X2Y 2-r12a-r2ab, zb = X2_ Y2_, + X1Y 1- (X1-X2_) (Y1-Y2_) + r1b + r2ab, the product of the first secret X and the second secret Y being obtained from the first result piece z1, z2, zb and the random number r1b, and the specific calculation process can be expressed as:
therefore, as long as the result shards held by any 2 computing nodes of the 4 computing nodes can obtain z1+ z2+ zb-r1b, the product of the first secret X and the second secret Y can be obtained.
In the embodiment of the invention, through two rounds of communication, the second result fragment and the third result fragment held by each computing node satisfy the following relation:
second result shard held by compute node S1
Third result slicing 
。
Second result shard held by compute node S2
Third result slicing
。
Second result sharding held by computing node Sa
Third result slicing
。
Second result shard held by compute node Sb
Third result slicing
。
Obviously, in the case that the second result segment and the third result segment both satisfy the above condition, any 2 computing nodes of the computing nodes S1, S2, Sa, and Sb can obtain z1+ z2+ zb-r1b based on the held second result segment or third result segment, that is, the product of the first secret X and the second secret Y is obtained. Referring to table 3, various possible situations that any 2 computing nodes of the computing nodes S1, S2, Sa, and Sb obtain X × Y based on the second result fragment or the third result fragment held in the embodiment of the present invention are listed.
It should be noted that the first secret X and the second secret Y may include, but are not limited to, data representing personal information of the user, business secrets, model parameters of a neural network model, and other arbitrary data, and therefore, there is a possibility that the first secret X and/or the second secret Y are fixed-point numbers. The positions of the decimal points of the fixed point number are fixed, and the numbers before and after the decimal points are respectively represented by binary systems. In the multi-party security calculation process in the prior art, if the fixed point number is subjected to multiplication calculation, the result fragment needs to be moved to the right. Taking the prior art as an example of performing multiplication calculation on fixed-point numbers X and/or Y based on a 2-4 secret sharing protocol, referring to fig. 10, a schematic diagram of a result fragment held by each compute node for recovering X × Y is shown. As shown in fig. 10, compute node S1 holds an upper result tile z1_ S = z1+ zb and a lower result tile z1_ x = z1+ za _; the compute node S2 holds an upper result tile z2_ S = z2+ za and a lower result tile z2_ x = z2_ + zb _; the compute node Sa holds the upper result slice za _ s = z2+ za and the lower result slice za _ x = z1_ + za _; the compute node Sb holds an upper result slice zb _ s = z1+ zb and a lower result slice zb _ x = z2_ + zb _. The upper result fragment and the lower result fragment held by each computing node meet a 2-4 secret sharing protocol. Taking the computing nodes S1 and S2 as examples, z1_ S + z2_ S = z1_ x + z2_ x. The upper result fragment and the lower result fragment held by each computing node are respectively shifted to the right, and since the upper result fragment and the lower result fragment held by each computing node in fig. 10 are not the same, the upper result fragment and the lower result fragment of the same computing node are shifted to the right, and the right shift results are also different. Through the right shift processing, the result fragments held by each computing node do not necessarily satisfy the 2-4 secret sharing protocol. As an example, assume in fig. 10 that the upper result slice z1_ S =000010.1, the lower result slice z1_ x =000011.0 of the computing node S1, the upper result slice z2_ S =000000.1, the lower result slice z2_ x =000000.0, z1_ S + z2_ S = z1_ x + z2_ x =000011.0 held by the computing node S2. For z1_ s, z1_ x, z2_ s, and z2_ x, right shifted by 1 bit, the right shifted result slices are: z1_ sr =000001.0, z1_ xr =000001.1, z2_ sr =000000.0, z2_ xr =000000.0, z1_ sr + z2_ sr =000001.0, z1_ xr + z2_ xr = 000001.1. Obviously, through the right shift process, z1_ s + z2_ s ≠ z1_ x + z2_ x, which fails to satisfy the 2-4 secret sharing protocol. In order to solve the problem, the embodiment of the invention also provides a processing scheme for fixed point number.
In an optional embodiment of the present invention, if the first secret X and/or the second secret Y are fixed-point numbers, before the computing node S1 and the computing node S2 perform cryptographic computation on the held second result fragment or the held first result fragment by using the random number r12, the method further includes:
step S41, each computing node carries out right shift processing on the held first result fragment and/or second result fragment to obtain the right-shifted first result fragment or second result fragment;
step S42, the computing node S1 and the computing node S2 respectively perform encryption computation on the held second result fragment or first result fragment by using the random number r12, including:
step S43, the computing node S1 and the computing node S2 respectively perform encryption calculation on the right-shifted second result segment or the first result segment by using the random number r 12.
When the product of the fixed point number is calculated, the first result fragment or the second result fragment held by each computing node is shifted to the right after the first round of communication. As an example, if a compute node only holds a first result shard, such as compute nodes S2 and Sa: (A), (B)
,
) If so, performing right shift on the first result fragment; if the computing node holds both the first result slice and the second result slice, such as computing nodes S1 and Sb, the second result slice is shifted to the right.
Then, before the second round of communication starts, the computing nodes S1 and S2 perform encryption computation on the right-shifted second result fragment or the first result fragment by using the random number r12, respectively, to obtain a third result fragment.
As can be seen from table 3, in the embodiment of the present invention, through the second round of communication, the second result fragment and the third result fragment held by each computing node satisfy the 2-4 secret sharing protocol. In the embodiment of the present invention, the third result fragment held by each computing node is obtained by performing encryption calculation on the corresponding second result fragment or first result fragment, and the right shift processing result is not affected by the encryption calculation. Therefore, in the embodiment of the present invention, after right shift processing is performed on the second result shard and the first result shard corresponding to the fixed-point number, the second result shard and the third result shard held by each computing node still satisfy the 2-4 secret sharing protocol.
In summary, the embodiments of the present invention provide a multiparty secure computing method, when computing a product of a first secret X and a second secret Y, each computing node only needs to perform 4 communications, and compared with a processing procedure of computing the product of the first secret X and the second secret Y based on a 2-4 secret sharing protocol in the prior art, the embodiments of the present invention reduce communications among the computing nodes, thereby reducing time consumption of multiparty secure computing.
It should be noted that, for simplicity of description, the method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the illustrated order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments of the present invention. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred and that no particular act is required to implement the invention.
Device embodiment
Referring to FIG. 6, a block diagram of an embodiment of a multi-party secure computing system of the present invention is shown, the multi-party secure computing system including 4 compute nodes, the 4 compute nodes including compute nodes S1, S2, Sa, and Sb, the multi-party secure computing system being configured to compute a product of a first secret X and a second secret Y;
each computing node respectively holds ciphertext fragments of a first secret X and a second secret Y, and meets a 2-4 secret sharing protocol, wherein S1 and S2 share a random number r12, S1, an Sb share random number r1b, S1, S2 and an Sa share random number r12a, and S2, Sa and an Sb share random number r2 ab;
Each computing node performs local multiplication on the basis of the held ciphertext fragment and encrypts a multiplication result by using a shared random number to obtain a first result fragment;
the computing node S1 interacts with the computing node Sb such that the computing node S1 and the computing node Sb hold the first result slice z1 and the first result slice zb in common;
the computing node S1 and the computing node Sb perform local addition computation based on the held first result fragment, and encrypt the addition computation result with the random number r1b, so that the computing node S1 obtains the second result fragment
Computing node Sb obtains a second result fragment
;
The computing node S1 and the computing node S2 respectively perform encryption calculation on the held second result fragment or the held first result fragment by using the random number r12, so that the computing node S1 obtains a third result fragment
Computing node S2 obtains a third result fragment
;
A computing node S1, further for slicing the third result
Sending to a computing node Sa;
a computing node S2, further for slicing the third result
Sending the data to a computing node Sb;
the multi-party secure computing system is configured to obtain a product of the first secret X and the second secret Y based on result shards held by any 2 computing nodes of the 4 computing nodes, where the result shards include at least one of a first result shard, a second result shard, and a third result shard.
Optionally, if the first secret X and/or the second secret Y are fixed-point numbers, before the computing node S1 and the computing node S2 respectively perform encryption calculation on the held second result fragment or the held first result fragment by using the random number r12, each computing node performs right shift processing on the held first result fragment and/or the held second result fragment to obtain a right-shifted first result fragment and/or second result fragment;
the computing node S1 and the computing node S2 are further configured to perform an encryption calculation on the right-shifted second result segment or the first result segment by using a random number r12, respectively.
Optionally, the computing node S1 holds one of the 2 ciphertext fragments into which the first secret X is randomly divided, X1, and one of the 2 ciphertext fragments into which the second secret Y is randomly divided, Y1; the computing node S2 holds another ciphertext fragment X2 of the first secret X, and another ciphertext fragment Y2 of the second secret Y;
the computing node S1 is further configured to perform encryption computation on the held ciphertext fragments x1 and y1 by using a random number r12, to obtain ciphertext fragments x1_ and y1_, send the ciphertext fragments x1_ and y1_ to the computing node Sa, and send the ciphertext fragments x1 and y1 to the computing node Sb;
The computing node S2 is further configured to perform encryption computation on the held ciphertext fragments x2 and y2 by using a random number r12, respectively, to obtain ciphertext fragments x2_ and y2_, send the ciphertext fragments x2_ and y2_ to the computing node Sb, and send the ciphertext fragments x2 and y2 to the computing node Sa.
Optionally, ciphertext fragments x1, x2, x1_ and x2_ satisfy x1+ x2= x1_ + x2_, ciphertext fragments y1, y2, y1_ and y2_ satisfy y1+ y2= y1_ + y2 _.
Optionally, the computing node S1 is further configured to perform local multiplication computation based on the held ciphertext fragments x1, y1, x1_ and y1_ and encrypt a multiplication result by using a random number r12a, so as to obtain a first result fragment z1, where z1= x1 _y 1_ - (x1-x1_) (y1-y1_) + r12 a;
the computation nodes S2 and Sa are further configured to perform local multiplication computation based on the held ciphertext fragments x2 and y2, respectively, and encrypt a multiplication result by using random numbers r12a and r2ab, so that the computation node S2 obtains a first result fragment z2, and the computation node Sa obtains a first result fragment za, where z2= za = x2 × y2-r12a-r2 ab;
the computation node Sb is further configured to perform local multiplication computation based on the held ciphertext fragments x1, y1, x2_ and y2_ and encrypt the multiplication result by using random numbers r1b and r2ab, so as to obtain a first result fragment zb, zb = x2_ y2_, + x1 y1- (x1-x2_) (y1-y2_) + r1b + r2 ab.
Optionally, a second result sharding
With second result slicing
Satisfies the following conditions:
。
optionally, compute node S1, further for sharding a second result held with a random number r12
Carrying out encryption calculation to obtain a third result fragment
,
;
The computing node S2 is further configured to perform cryptographic computation on the held first result segment z2 by using the random number r12 to obtain a third result segment
,
。
For the device embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, refer to the partial description of the method embodiment.
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
With regard to the apparatus in the above-described embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be elaborated here.
An embodiment of the present invention provides an apparatus for multi-party secure computing, applied to a multi-party secure computing system, the multi-party secure computing system including 4 computing nodes, the 4 computing nodes including computing nodes S1, S2, Sa, and Sb, the apparatus being configured to compute a product of the first secret X and the second secret Y, the apparatus including a memory, and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs including instructions for:
Each computing node respectively holds ciphertext fragments of a first secret X and a second secret Y, and meets a 2-4 secret sharing protocol, wherein S1 and S2 share a random number r12, S1, an Sb share random number r1b, S1, S2 and an Sa share random number r12a, and S2, Sa and an Sb share random number r2 ab;
each computing node performs local multiplication on the basis of the held ciphertext fragment and encrypts a multiplication result by using a shared random number to obtain a first result fragment;
the computing node S1 interacts with the computing node Sb such that the computing node S1 and the computing node Sb hold the first result slice z1 and the first result slice zb in common;
the computing node S1 and the computing node Sb perform local addition computation based on the held first result fragment, and encrypt the addition computation result with the random number r1b, so that the computing node S1 obtains the second result fragment
Computing node Sb obtains a second result fragment
;
The computing node S1 and the computing node S2 respectively perform encryption calculation on the held second result fragment or the held first result fragment by using the random number r12, so that the computing node S1 obtains a third result fragment
Computing node S2 obtains a third result fragment
;
The computing node S1 segments the third result 
Sending the third result to a computing node Sa, and segmenting the third result by the computing node S2
Sending the data to a computing node Sb;
and obtaining a product of the first secret X and the second secret Y based on result shards held by any 2 computing nodes of the 4 computing nodes, wherein the result shards comprise at least one of a first result shard, a second result shard and a third result shard.
Optionally, if the first secret X and/or the second secret Y are fixed-point numbers, before the computing node S1 and computing node S2 cryptographically compute a held second result slice or first result slice, respectively, with a random number r12, the apparatus is further configured to execute, by one or more processors, the one or more programs including instructions for:
each computing node carries out right shift processing on the held first result fragment and/or second result fragment to obtain the right-shifted first result fragment and/or second result fragment;
the computing node S1 and the computing node S2 respectively perform encryption computation on the held second result fragment or first result fragment by using the random number r12, including:
the computing node S1 and the computing node S2 perform cryptographic calculation on the right-shifted second result slice or the first result slice using the random number r12, respectively.
Optionally, each of the computing nodes respectively holds ciphertext fragments of the first secret X and the second secret Y, and satisfies a 2-4 secret sharing protocol, including:
the computing node S1 holds one of 2 ciphertext fragments into which the first secret X is randomly divided, X1, and one of 2 ciphertext fragments into which the second secret Y is randomly divided, Y1; the computing node S2 holds another ciphertext fragment X2 of the first secret X, and another ciphertext fragment Y2 of the second secret Y;
the computing node S1 performs encryption computation on the held ciphertext fragments x1 and y1 by using a random number r12 to obtain ciphertext fragments x1_ and y1_, sends the ciphertext fragments x1_ and y1_ to the computing node Sa, and sends the ciphertext fragments x1 and y1 to the computing node Sb;
the computing node S2 performs encryption computation on the held ciphertext fragments x2 and y2 by using the random number r12 to obtain ciphertext fragments x2_ and y2_, sends the ciphertext fragments x2_ and y2_ to the computing node Sb, and sends the ciphertext fragments x2 and y2 to the computing node Sa.
Optionally, ciphertext fragments x1, x2, x1_ and x2_ satisfy x1+ x2= x1_ + x2_, and ciphertext fragments y1, y2, y1_ and y2_ satisfy y1+ y2= y1_ + y2 _.
Optionally, the performing, by each computing node, local multiplication calculation based on the held ciphertext fragment, and encrypting the multiplication result by using a shared random number, respectively, to obtain a first result fragment, includes:
The computation node S1 performs local multiplication computation based on the held ciphertext fragments x1, y1, x1_ and y1_ and encrypts the multiplication result by using a random number r12a, so as to obtain a first result fragment z1, wherein z1= x1_ y1_ - (x1-x1_) (y1-y1_) + r12 a;
the calculation nodes S2 and Sa perform local multiplication calculation based on the held ciphertext fragments x2 and y2, respectively, and encrypt the multiplication result by using random numbers r12a and r2ab, so that the calculation node S2 obtains a first result fragment z2, the calculation node Sa obtains a first result fragment za, z2= za = x2 y2-r12a-r2 ab;
the computation node Sb performs local multiplication computation based on the held ciphertext fragments x1, y1, x2_ and y2_ and encrypts the multiplication result using random numbers r1b and r2ab to obtain a first result fragment zb, zb = x2_ y2_ + x1_ y1- (x1-x2_) (y1-y2_) + r1b + r2 ab.
Optionally, a second result sharding
With a second result shard
Satisfies the following conditions:
。
optionally, the computing node S1 and the computing node S2 perform encryption calculation on the held second result fragment or the held first result fragment by using the random number r12, respectively, so that the computing node S1 obtains a third result fragment
The computing node S2 obtains a third result fragment
The method comprises the following steps:
the compute node S1 shards the second result held with the random number r12 
Performing encryption calculation to obtain a third result fragment
,
;
The computing node S2 utilizes the random number r12 to carry out encryption computation on the held first result fragment z2 to obtain a third result fragment
,
。
FIG. 11 is a block diagram illustrating an apparatus 800 for multi-party secure computing, according to an example embodiment. For example, the apparatus 800 may be a mobile phone, a computer, a digital broadcast terminal, a messaging device, a game console, a tablet device, a medical device, an exercise device, a personal digital assistant, and the like.
Referring to fig. 11, the apparatus 800 may include one or more of the following components: processing component 802, memory 804, power component 806, multimedia component 808, audio component 810, input/output (I/O) interface 812, sensor component 814, and communication component 816.
The processing component 802 generally controls overall operation of the device 800, such as operations associated with display, telephone calls, data communications, camera operations, and recording operations. The processing elements 802 may include one or more processors 820 to execute instructions to perform all or a portion of the steps of the methods described above. Further, the processing component 802 can include one or more modules that facilitate interaction between the processing component 802 and other components. For example, the processing component 802 can include a multimedia module to facilitate interaction between the multimedia component 808 and the processing component 802.
The memory 804 is configured to store various types of data to support operation at the device 800. Examples of such data include instructions for any application or method operating on device 800, contact data, phonebook data, messages, pictures, videos, and so forth. The memory 804 may be implemented by any type or combination of volatile or non-volatile memory devices such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disks.
A power supply component 806 provides power to the various components of the device 800. The power components 806 may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power for the device 800.
The multimedia component 808 includes a screen that provides an output interface between the device 800 and a user. In some embodiments, the screen may include a Liquid Crystal Display (LCD) and a Touch Panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive an input signal from a user. The touch panel includes one or more touch sensors to sense touch, slide, and gestures on the touch panel. The touch sensor may not only sense the boundary of a touch or slide action, but also detect the duration and pressure associated with the touch or slide operation. In some embodiments, the multimedia component 808 includes a front facing camera and/or a rear facing camera. The front-facing camera and/or the rear-facing camera may receive external multimedia data when the device 800 is in an operating mode, such as a shooting mode or a video mode. Each front camera and rear camera may be a fixed optical lens system or have a focal length and optical zoom capability.
The audio component 810 is configured to output and/or input audio signals. For example, audio component 810 includes a Microphone (MIC) configured to receive external audio signals when apparatus 800 is in an operational mode, such as a call mode, a recording mode, and a voice information processing mode. The received audio signal may further be stored in the memory 804 or transmitted via the communication component 816. In some embodiments, audio component 810 also includes a speaker for outputting audio signals.
The I/O interface 812 provides an interface between the processing component 802 and peripheral interface modules, which may be keyboards, click wheels, buttons, etc. These buttons may include, but are not limited to: a home button, a volume button, a start button, and a lock button.
The sensor assembly 814 includes one or more sensors for providing various aspects of state assessment for the device 800. For example, the sensor assembly 814 may detect the open/closed state of the device 800, the relative positioning of the components, such as a display and keypad of the apparatus 800, the sensor assembly 814 may also detect a change in position of the apparatus 800 or a component of the apparatus 800, the presence or absence of user contact with the apparatus 800, orientation or acceleration/deceleration of the apparatus 800, and a change in temperature of the apparatus 800. Sensor assembly 814 may include a proximity sensor configured to detect the presence of a nearby object without any physical contact. The sensor assembly 814 may also include a light sensor, such as a CMOS or CCD image sensor, for use in imaging applications. In some embodiments, the sensor assembly 814 may also include an acceleration sensor, a gyroscope sensor, a magnetic sensor, a pressure sensor, or a temperature sensor.
The communication component 816 is configured to facilitate communication between the apparatus 800 and other devices in a wired or wireless manner. The device 800 may access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof. In an exemplary embodiment, the communication component 816 receives a broadcast signal or broadcast related information from an external broadcast management system via a broadcast channel. In an exemplary embodiment, the communication component 816 further includes a Near Field Communication (NFC) module to facilitate short-range communications. For example, the NFC module may be implemented based on radio frequency information processing (RFID) technology, infrared data association (IrDA) technology, Ultra Wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.
In an exemplary embodiment, the apparatus 800 may be implemented by one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), controllers, micro-controllers, microprocessors or other electronic components for performing the above-described methods.
In an exemplary embodiment, a non-transitory computer-readable storage medium comprising instructions, such as the memory 804 comprising instructions, executable by the processor 820 of the device 800 to perform the above-described method is also provided. For example, the non-transitory computer readable storage medium may be a ROM, a Random Access Memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like.
Fig. 12 is a schematic diagram of a server in some embodiments of the invention. The server 1900 may vary widely by configuration or performance and may include one or more Central Processing Units (CPUs) 1922 (e.g., one or more processors) and memory 1932, one or more storage media 1930 (e.g., one or more mass storage devices) storing applications 1942 or data 1944. Memory 1932 and storage medium 1930 can be, among other things, transient or persistent storage. The program stored in the storage medium 1930 may include one or more modules (not shown), each of which may include a sequence of instructions operating on a server. Still further, a central processor 1922 may be provided in communication with the storage medium 1930 to execute a series of instruction operations in the storage medium 1930 on the server 1900.
The server 1900 may also include one or more power supplies 1926, one or more wired or wireless network interfaces 1950, one or more input-output interfaces 1958, one or more keyboards 1956, and/or one or more operating systems 1941, such as Windows Server, Mac OS XTM, UnixTM, LinuxTM, FreeBSDTM, etc.
A non-transitory computer readable storage medium having instructions therein, which when executed by a processor of a device (server or terminal), enable the device to perform the multiparty secure computing method shown in fig. 5.
A non-transitory computer-readable storage medium, wherein instructions of the storage medium, when executed by a processor of an apparatus (server or terminal), enable the apparatus to perform a multiparty secure computing method, the method being applied to a multiparty secure computing system, the multiparty secure computing system comprising 4 computing nodes, the 4 computing nodes comprising computing nodes S1, S2, Sa and Sb, the method for computing a product of the first secret X and the second secret Y, the method comprising: each computing node respectively holds ciphertext fragments of a first secret X and a second secret Y and meets a 2-4 secret sharing protocol, wherein S1 and S2 share a random number r12, S1 and Sb share a random number r1b, S1 and S2 and Sa share a random number r12a, and S2, Sa and Sb share a random number r2 ab; each computing node performs local multiplication calculation based on the held ciphertext fragment and encrypts the multiplication result by using the shared random number to obtain a first result Slicing; computing node S1 interacts with computing node Sb such that computing node S1 and computing node Sb collectively hold first result shard z1 and first result shard zb; the computing node S1 and the computing node Sb perform local addition computation based on the held first result fragment, and encrypt the addition computation result by using the random number r1b, so that the computing node S1 obtains a second result fragment
And the computing node Sb obtains a second result fragment
(ii) a The computing node S1 and the computing node S2 respectively perform encryption calculation on the held second result fragment or the held first result fragment by using the random number r12, so that the computing node S1 obtains a third result fragment
The computing node S2 obtains a third result fragment
(ii) a The computing node S1 segments the third result
Sending the third result fragment to the computing node Sa, and the computing node S2 fragmenting the third result fragment
Sending the data to a computing node Sb; and obtaining a product of the first secret X and the second secret Y based on result fragments held by any 2 computing nodes in the 4 computing nodes, wherein the result fragments comprise at least one of a first result fragment, a second result fragment and a third result fragment.
Other embodiments of the invention will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This invention is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the invention and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the invention being indicated by the following claims.
It will be understood that the invention is not limited to the precise arrangements that have been described above and shown in the drawings, and that various modifications and changes can be made without departing from the scope thereof. The scope of the invention is limited only by the appended claims.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and should not be taken as limiting the scope of the present invention, which is intended to cover any modifications, equivalents, improvements, etc. within the spirit and scope of the present invention.
The multi-party secure computing method, the multi-party secure computing system and the device for multi-party secure computing provided by the present invention are introduced in detail above, and specific examples are applied herein to explain the principle and the implementation of the present invention, and the description of the above embodiments is only used to help understanding the method and the core idea of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, the specific embodiments and the application range may be changed, and in summary, the content of the present specification should not be construed as a limitation to the present invention.
Claims (6)
1. A multi-party secure computing method applied to a multi-party secure computing system, the multi-party secure computing system comprising 4 computing nodes, the 4 computing nodes comprising computing nodes S1, S2, Sa, and Sb, the method for computing a product of a first secret X and a second secret Y, the method comprising:
Each computing node respectively holds ciphertext fragments of a first secret X and a second secret Y, and meets a 2-4 secret sharing protocol, wherein S1 and S2 share a random number r12, S1, an Sb share random number r1b, S1, S2 and an Sa share random number r12a, and S2, Sa and an Sb share random number r2 ab;
each computing node performs local multiplication on the basis of the held ciphertext fragment and encrypts a multiplication result by using a shared random number to obtain a first result fragment;
the computing node S1 interacts with the computing node Sb such that the computing node S1 and the computing node Sb hold the first result slice z1 and the first result slice zb in common;
the computing node S1 and the computing node Sb perform local addition computation based on the held first result fragment, and encrypt the addition computation result with the random number r1b, so that the computing node S1 obtains the second result fragment
Computing node Sb obtains a second result fragment
;
The computing node S1 and the computing node S2 respectively utilize the random number r12 to perform encryption calculation on the held result fragments, so that the computing node S1 obtains a third result fragment
Computing node S2 obtains a third result fragment
;
The computing node S1 segments the third result 
Sending the third result to a computing node Sa, and segmenting the third result by the computing node S2
Sending the data to a computing node Sb;
obtaining a product of the first secret X and the second secret Y based on result shards held by any 2 computing nodes of the 4 computing nodes, where the result shards include at least one of a first result shard, a second result shard, and a third result shard;
the computing node S1 holds ciphertext fragments x1, y1, x1_ and y1_, the computing node S2 holds ciphertext fragments x2, y2, x2_ and y2_, the computing node Sa holds ciphertext fragments x2, y2, x1_ and y1_, and the computing node Sb holds ciphertext fragments x1, y1, x2_ and y2 _; ciphertext fragments X1, X2, X1_ and X2_ satisfy X = X1+ X2= X1_ + X2_, ciphertext fragments Y1, Y2, Y1_ and Y2_ satisfy Y = Y1+ Y2= Y1_ + Y2 _;
the first result shards held by each computing node satisfy the following conditions: z1= x1_ (y 1_) - (x1-x1_), (y1-y1_) + r12a, z2= za = x2_ (y 2-r12a-r2ab, zb = x2_ (y 2_) + x1_ (y) 1- (x1-x2 _)), (y1-y2_) + r 1+ 1b + r2 ab; second result slicing
With second result slicing
Satisfies the following conditions:
(ii) a Third result slicing
Third result slicing
。
2. The method according to claim 1, wherein if the first secret X and/or the second secret Y is a fixed point number, before the computing nodes S1 and S2 respectively perform encryption computation on the held result fragment by using a random number r12, the method further comprises:
Each computing node carries out right shift processing on the held first result fragment and/or second result fragment to obtain the right-shifted first result fragment and/or second result fragment;
the computing node S1 and the computing node S2 respectively perform encryption calculation on the held result fragment by using a random number r12, including:
the computing node S1 and the computing node S2 perform encryption calculation on the right-shifted result slice by using the random number r12, respectively.
3. The method according to claim 1, wherein each of the computing nodes holds ciphertext fragments of a first secret X and a second secret Y, respectively, and satisfies a 2-4 secret sharing protocol, comprising:
the computing node S1 holds one of 2 ciphertext fragments into which the first secret X is randomly divided, X1, and one of 2 ciphertext fragments into which the second secret Y is randomly divided, Y1; the computing node S2 holds another ciphertext fragment X2 of the first secret X, and another ciphertext fragment Y2 of the second secret Y;
the computing node S1 performs encryption computation on the held ciphertext fragments x1 and y1 by using a random number r12 to obtain ciphertext fragments x1_ and y1_, sends the ciphertext fragments x1_ and y1_ to the computing node Sa, and sends the ciphertext fragments x1 and y1 to the computing node Sb;
The computing node S2 performs encryption computation on the held ciphertext fragments x2 and y2 by using a random number r12 to obtain ciphertext fragments x2_ and y2_, sends the ciphertext fragments x2_ and y2_ to the computing node Sb, and sends the ciphertext fragments x2 and y2 to the computing node Sa.
4. An apparatus for multi-party secure computing, applied to a multi-party secure computing system comprising 4 computing nodes, the 4 computing nodes comprising computing nodes S1, S2, Sa, and Sb, the apparatus for computing a product of a first secret X and a second secret Y, the apparatus comprising a memory, and one or more programs, wherein the one or more programs are stored in the memory and configured for execution by the one or more processors to perform the one or more programs including instructions for:
each computing node respectively holds ciphertext fragments of a first secret X and a second secret Y, and meets a 2-4 secret sharing protocol, wherein S1 and S2 share a random number r12, S1, an Sb share random number r1b, S1, S2 and an Sa share random number r12a, and S2, Sa and an Sb share random number r2 ab;
each computing node performs local multiplication on the basis of the held ciphertext fragment and encrypts a multiplication result by using a shared random number to obtain a first result fragment;
The computing node S1 interacts with the computing node Sb such that the computing node S1 and the computing node Sb hold the first result slice z1 and the first result slice zb in common;
the computing node S1 and the computing node Sb perform local addition computation based on the held first result fragment, and encrypt the addition computation result by using the random number r1b, so that the computing node S1 obtains a second result fragment
Computing node Sb obtains a second result fragment
;
The computing node S1 and the computing node S2 respectively perform encryption calculation on the held result fragments by using the random number r12, so that the computing node S1 obtains a third result fragment
Computing node S2 obtains a third result fragment
;
The computing node S1 segments the third result
Sending the third result fragment to the computing node Sa, and the computing node S2 fragmenting the third result fragment
Sending the data to a computing node Sb;
obtaining a product of the first secret X and the second secret Y based on result shards held by any 2 computing nodes of the 4 computing nodes, the result shards including at least one of a first result shard, a second result shard, and a third result shard;
the computing node S1 holds ciphertext fragments x1, y1, x1_ and y1_, the computing node S2 holds ciphertext fragments x2, y2, x2_ and y2_, the computing node Sa holds ciphertext fragments x2, y2, x1_ and y1_, and the computing node Sb holds ciphertext fragments x1, y1, x2_ and y2 _; ciphertext fragments X1, X2, X1_ and X2_ satisfy X = X1+ X2= X1_ + X2_, ciphertext fragments Y1, Y2, Y1_ and Y2_ satisfy Y = Y1+ Y2= Y1_ + Y2 _;
The first result shards held by each computing node satisfy the following conditions: z1= x1_ (y 1_) - (x1-x1_), (y1-y1_) + r12a, z2= za = x2_ (y 2-r12a-r2ab, zb = x2_ (y 2_) + x1_ (y) 1- (x1-x2 _)), (y1-y2_) + r1 + 1b + r2 ab; second result slicing
With second result slicing
Satisfies the following conditions:
(ii) a Third result slicing
Third result slicing
。
5. The apparatus of claim 4, wherein if the first secret X and/or the second secret Y is a fixed-point number, then before cryptographic computation by compute node S1 and compute node S2 on the held second result slice or first result slice, respectively, using random number r12, the apparatus further configured to execute the one or more programs by the one or more processors comprises instructions for:
each computing node carries out right shift processing on the held first result fragment and/or second result fragment to obtain the right-shifted first result fragment and/or second result fragment;
the computing node S1 and the computing node S2 respectively perform encryption calculation on the held result fragment by using a random number r12, and the method comprises the following steps:
the computing node S1 and the computing node S2 perform encryption calculation on the right-shifted result slice by using the random number r12, respectively.
6. A machine-readable medium having instructions stored thereon, which when executed by one or more processors, cause an apparatus to perform the multi-party secure computing method of any of claims 1 to 3.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210358386.8A CN114448630B (en) | 2022-04-07 | 2022-04-07 | Multi-party secure computing method, system and device for multi-party secure computing |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210358386.8A CN114448630B (en) | 2022-04-07 | 2022-04-07 | Multi-party secure computing method, system and device for multi-party secure computing |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114448630A CN114448630A (en) | 2022-05-06 |
| CN114448630B true CN114448630B (en) | 2022-06-14 |
Family
ID=81359829
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210358386.8A Active CN114448630B (en) | 2022-04-07 | 2022-04-07 | Multi-party secure computing method, system and device for multi-party secure computing |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114448630B (en) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112865953A (en) * | 2021-02-01 | 2021-05-28 | 浙江大学 | Safe multi-party computing method, device and system based on auxiliary server |
| CN112906044A (en) * | 2021-05-10 | 2021-06-04 | 腾讯科技(深圳)有限公司 | Multi-party security calculation method, device, equipment and storage medium |
| CN112989421A (en) * | 2021-03-31 | 2021-06-18 | 支付宝(杭州)信息技术有限公司 | Method and system for processing safety selection problem |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP6732959B2 (en) * | 2017-01-18 | 2020-07-29 | 日本電信電話株式会社 | Secret calculation method, secret calculation system, secret calculation device, and program |
-
2022
- 2022-04-07 CN CN202210358386.8A patent/CN114448630B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112865953A (en) * | 2021-02-01 | 2021-05-28 | 浙江大学 | Safe multi-party computing method, device and system based on auxiliary server |
| CN112989421A (en) * | 2021-03-31 | 2021-06-18 | 支付宝(杭州)信息技术有限公司 | Method and system for processing safety selection problem |
| CN112906044A (en) * | 2021-05-10 | 2021-06-04 | 腾讯科技(深圳)有限公司 | Multi-party security calculation method, device, equipment and storage medium |
Non-Patent Citations (1)
| Title |
|---|
| Performance Impact Analysis of Rounds and Amounts of Communication in Secure Multiparty Computation Based on Secret Sharing;Diana-Elena Fălămaş等;《2019 18th RoEduNet Conference: Networking in Education and Research (RoEduNet)》;20191125;全文 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114448630A (en) | 2022-05-06 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN112398648B (en) | Key management method and device for key management | |
| CN115396100B (en) | Careless random disorganizing method and system based on secret sharing | |
| CN112688779B (en) | Data processing method and device and data processing device | |
| CN115396101B (en) | Secret sharing based careless disorganizing method and system | |
| CN114969830B (en) | Privacy intersection method, system and readable storage medium | |
| CN114301594B (en) | Inadvertent transmission method, multi-party secure computing platform and device for inadvertent transmission | |
| CN114884645B (en) | Privacy calculation method and device and readable storage medium | |
| CN112241250B (en) | Data processing method and device and data processing device | |
| CN114448631B (en) | Multi-party security computing method, system and device for multi-party security computing | |
| CN112307056A (en) | Data processing method and device and data processing device | |
| CN115941181B (en) | Out-of-order secret sharing method, system and readable storage medium | |
| CN112464257A (en) | Data detection method and device for data detection | |
| CN114885038B (en) | Encryption protocol conversion method, result acquisition node and privacy calculation node | |
| CN115617897B (en) | Data type conversion method and multi-party secure computing system | |
| CN114448630B (en) | Multi-party secure computing method, system and device for multi-party secure computing | |
| CN116401423A (en) | Method, device, equipment and medium for determining median based on secure multiparty calculation | |
| CN112468290B (en) | Data processing method and device and data processing device | |
| CN115085912A (en) | Ciphertext computing method and device for ciphertext computing | |
| CN112685747B (en) | Data processing method and device and data processing device | |
| CN114915455A (en) | Ciphertext data transmission method and device for ciphertext data transmission | |
| CN112463332A (en) | Data processing method, ciphertext computing system and device for data processing | |
| CN112711744A (en) | Processing method and device for computing task and processing device for computing task | |
| CN114969164B (en) | Data query method and device and readable storage medium | |
| CN114881248B (en) | Two-party horizontal federal learning method and device for two-party horizontal federal learning | |
| CN116684094B (en) | Data processing method, device and system and readable storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |