CN114650128A - Aggregation verification method for federated learning - Google Patents

Publication number
CN114650128A
Authority
CN
China
Prior art keywords
client
clients
chameleon hash
secret
ciphertext
Legal status
Granted
Application number
CN202210329985.7A
Other languages
Chinese (zh)
Other versions
CN114650128B (en)
Inventor
于婧悦
卞超轶
Current Assignee
Beijing Venustech Cybervision Co ltd
Venustech Group Inc
Original Assignee
Beijing Venustech Cybervision Co ltd
Venustech Group Inc
Application filed by Beijing Venustech Cybervision Co ltd, Venustech Group Inc
Priority to CN202210329985.7A
Publication of CN114650128A
Application granted
Publication of CN114650128B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication

Abstract

The invention provides an aggregation verification method for federated learning. A secret share of the random number of each client's chameleon hash function is added to the secret share ciphertext generated in the key sharing stage, and, in the stage that generates the model parameter ciphertext, a homomorphic chameleon hash value of the model parameters is generated by taking the random number, the public parameter of the chameleon hash function and the model parameters as the input of the chameleon hash function. In the decryption stage, the server recovers the corresponding random numbers from the secret shares of the random numbers among the secret shares decrypted by the clients. In the verification stage, the random numbers recovered by the server, the aggregation result of the model parameters and the public parameter of the chameleon hash function are used as input to obtain the homomorphic chameleon hash value of the aggregation result; the homomorphic chameleon hash values of the model parameters are multiplied together and the product is compared with the homomorphic chameleon hash value of the aggregation result, so that the aggregation result is verified according to the homomorphism of the chameleon hash function. The number of information interaction rounds is reduced, and the aggregation rate is improved.

Description

Aggregation verification method for federated learning
Technical Field
The invention belongs to the technical field of information encryption, and particularly relates to an aggregation verification method for federated learning.
Background
Federated learning is a distributed machine learning framework that allows participating clients to upload model parameters to jointly train a model rather than directly upload private training data, so the privacy of each client's original data can be effectively protected. However, existing research shows that an attacker can still infer the original training data from the uploaded model-related parameters.
To protect the security of the clients' private parameters, a verifiable secure aggregation protocol is currently usually adopted to process the exchanged data, so that the server obtains the global model parameters without revealing the private parameters of any single client. Existing verifiable secure aggregation protocols adopt a commitment scheme to ensure the consistency of aggregation at the server, which requires the protocol to share additional information for opening the commitments in the aggregation and verification stages, thereby increasing the communication traffic and the number of interaction rounds and reducing the aggregation rate.
Disclosure of Invention
To solve the problems of many rounds of information interaction and low aggregation efficiency in the prior art, the invention provides an aggregation verification method for federated learning, which has the characteristics of fewer aggregation verification interactions, higher aggregation verification efficiency and the like.
The aggregation verification method for federated learning provided by the embodiment of the invention comprises the following steps:
each client sends two public keys in the two generated public and private key pairs to a server, the server broadcasts a received public key set to each client connected with the server, and the clients receiving the public key set form a first client set;
for any client in the first set of clients: adding the secret shares of the random number of the client chameleon hash function into the secret shares, sending each generated secret share ciphertext to the server by each client, broadcasting the received secret share ciphertext set to each client connected with the server by the server, and forming a second client set by the clients receiving the secret share ciphertext set;
for any client in the second set of clients: taking the public parameter, the random number and the model parameter of the chameleon hash function of the client as the input of the chameleon hash function, and generating a homomorphic chameleon hash value of the model parameter;
the server broadcasts the received model parameter ciphertext and the homomorphic chameleon hash value set to the clients connected with the server, and the clients receiving the model parameter ciphertext and the homomorphic chameleon hash value set form a third client set;
for any client in the third set of clients: decrypting the received secret share ciphertexts of other clients, sending the decrypted secret shares to the server, and forming a fourth client set by the clients which are still connected with the server after the sending is finished;
reconstructing and decrypting secret shares in the server for clients belonging to the second set of clients but not to a third set of clients;
aggregating the model parameters of the clients in the third client set based on the random number and other secret values obtained by decryption to obtain an aggregation result;
sending the aggregation result and the random number of each client in the third client set to each client in the fourth client set;
for any client in the fourth set of clients: taking the public parameter of the chameleon hash function of the client, the aggregation result and the sum of the random numbers of the clients in the third client set as the input of the chameleon hash function, generating a homomorphic chameleon hash value of the aggregation result, and comparing the homomorphic chameleon hash value of the aggregation result with the product of the homomorphic chameleon hash values of the clients in the third client set.
Further, the aggregation verification method for federated learning further includes:
for the server: if the number of clients forming the current data set to be broadcast or the fourth client set is smaller than a preset secret sharing threshold, the data set to be broadcast is not broadcast, the data set to be broadcast being any one of the public key set, the secret share ciphertext set, the model parameter ciphertext and the homomorphic chameleon hash value set.
Further, the aggregation verification method for federated learning further includes:
for any client in any set of clients: if the number of clients forming the currently received data set is smaller than the preset secret sharing threshold, stopping data transmission with the server, the received data set being any one of the public key set, the secret share ciphertext set, the model parameter ciphertext and the homomorphic chameleon hash value set.
Further, the step of, for any client in the first set of clients, adding the secret shares of the random number of the client's chameleon hash function into the secret shares, with each client sending each generated secret share ciphertext to the server, includes:
calculating first symmetric keys between the client and each of the other clients based on the first private key of the client and the first public key of each other client, and encrypting the secret shares between the client and each other client based on the first symmetric keys to generate secret share ciphertexts:
$k_{i1,j1} \leftarrow \mathrm{KA.Agree}(sk_{i1}, pk_{j1})$
where $k_{i1,j1}$ is the first symmetric key, i1 and j1 are client identifiers in the first set of clients, $sk_{i1}$ is the first private key of the client, and $pk_{j1}$ is the first public key of the other client;
the secret share ciphertext is obtained by
Figure BDA0003574910330000031
where $ct_{i1,j1}$ is the secret share ciphertext, SE.Enc() is the ciphertext encryption algorithm, $k_{i1,j1}$ is the first symmetric key, i1 and j1 are client identifiers in the first set of clients,
Figure BDA0003574910330000032
is a secret share of the client's second private key,
Figure BDA0003574910330000033
is a secret share of the first seed parameter, and
Figure BDA0003574910330000034
is a secret share of the random number of the client's chameleon hash function.
Further, the process of generating the model parameter ciphertext includes: for any client in the second set of clients: calculating second symmetric keys between the client and other clients respectively based on a second private key of the client and a second public key of each other client, taking the second symmetric keys as second seed parameters of a pseudo-random generator of the client, and encrypting model parameters of the client based on the first seed parameters and the second seed parameters of the client to generate a model parameter ciphertext:
$mak_{i2,j2} \leftarrow \mathrm{KA.Agree}(msk_{i2}, mpk_{j2})$
where $mak_{i2,j2}$ is the second symmetric key, i2 and j2 are client identifiers in the second set of clients, $msk_{i2}$ is the second private key of the client, and $mpk_{j2}$ is the second public key of the other client;
the model parameter ciphertext is obtained by
Figure BDA0003574910330000041
where $msx_{i2}$ is the model parameter ciphertext, $x_{i2}$ is the model parameters of the client, $\mathrm{PRG}(b_{i2})$ is the first pseudo-random bit string, PRG() is the pseudo-random generator, $b_{i2}$ is the first seed parameter of the client, $U_2$ is the second set of clients, $\mathrm{PRG}(mak_{i2,j2})$ is the second pseudo-random bit string, $mak_{i2,j2}$ is the second seed parameter of the client, mod is the modulo operation, B is the dimension of the model parameter,
Figure BDA0003574910330000042
Further, generating a homomorphic chameleon hash value of the model parameters by using the public parameter of the chameleon hash function of the client, the random number and the model parameters as the input of the chameleon hash function includes: obtaining the homomorphic chameleon hash value of the model parameters by
$ch_{i2} \leftarrow \mathrm{CH.Hash}(CHpp, x_{i2}, r_{i2})$
where $ch_{i2}$ is the homomorphic chameleon hash value of the model parameters, CH.Hash() is the chameleon hash function, CHpp is the public parameter of the chameleon hash function, $x_{i2}$ is the model parameters of the client, and $r_{i2}$ is the random number of the client.
Further, the reconstructing and decrypting, in the server, the secret shares of the clients belonging to the second set of clients but not belonging to a third set of clients includes:
reconstructing and decrypting the secret share of the second private key of the client which belongs to the second client set but does not belong to the third client set to obtain a second symmetric key of the client:
Figure BDA0003574910330000043
where $msk_j$ is the second private key, j is the identifier of a client belonging to the second set of clients but not to the third set of clients, SS.Recon() is the secret reconstruction algorithm,
Figure BDA0003574910330000044
is a secret share of the second private key, $U_4$ is the fourth set of clients, and t is the preset secret sharing threshold of the secret reconstruction algorithm;
the second symmetric key of the client is obtained by
$mak_{j,i3} \leftarrow \mathrm{KA.Agree}(msk_j, mpk_{i3})$
where $mak_{j,i3}$ is the second symmetric key of the client, $msk_j$ is the second private key, $mpk_{i3}$ is the second public key of a client in the third set of clients, and i3 is the identifier of a client in the third set of clients;
reconstructing the secret shares of the first seed parameters and the secret shares of the random numbers of the clients in the third client set respectively to obtain the first seed parameters and the random numbers of the clients:
Figure BDA0003574910330000051
where $b_{i3}$ is the first seed parameter of the client, SS.Recon() is the secret reconstruction algorithm,
Figure BDA0003574910330000052
is a secret share of the first seed parameter of the client, i3 is the identifier of a client in the third set of clients, i4 is the identifier of a client in the fourth set of clients, $U_4$ is the fourth set of clients, and t is the preset secret sharing threshold of the secret reconstruction algorithm.
Further, the aggregating the model parameters of the clients in the third client set based on the random number obtained by decryption and other secret values to obtain an aggregated result includes:
aggregating the model parameters of the clients in the third client set based on the decrypted second symmetric key of the client, the first seed parameter of the client and the random number to obtain an aggregation result:
Figure BDA0003574910330000053
where y is the aggregation result, $x_{i3}$ is the model parameters of a client in the third set of clients, i3 is the identifier of a client in the third set of clients, $U_3$ is the third set of clients, $msx_{i3}$ is the model parameter ciphertext of a client in the third set of clients, $\mathrm{PRG}(b_{i3})$ is the first pseudo-random bit string of a client in the third set of clients, $\mathrm{PRG}(mak_{j,i3})$ is the second pseudo-random bit string for clients belonging to the second set of clients but not to the third set of clients,
Figure BDA0003574910330000054
Further, the step of, for any client in the fourth set of clients, taking the public parameter of the chameleon hash function of the client, the aggregation result and the sum of the random numbers of the clients in the third client set as the input of the chameleon hash function, generating the homomorphic chameleon hash value of the aggregation result, and comparing the homomorphic chameleon hash value of the aggregation result with the product of the homomorphic chameleon hash values of the clients in the third client set, includes: performing the comparison by
Figure BDA0003574910330000055
where
Figure BDA0003574910330000056
is the homomorphic chameleon hash value of the aggregation result, and
Figure BDA0003574910330000057
is the product of the homomorphic chameleon hash values of the clients in the third client set.
Further, the aggregation verification method for federated learning further includes:
for any client in the second set of clients: decrypting the received secret share ciphertext between another client and the client based on the first symmetric key of the client to obtain two client identifiers, and stopping the decryption of the secret share ciphertext if the two client identifiers obtained by decryption do not correspond to the identifier of the other client and the identifier of the client.
The federated learning aggregation verification method provided by the invention can add the secret share of the client chameleon hash function random number into the secret share ciphertext generated in the key sharing stage, and generates the homomorphic chameleon hash value of the model parameter by taking the random number, the public parameter of the chameleon hash function and the model parameter as the input of the chameleon hash function in the generation stage of the model parameter ciphertext. And in the decryption stage of the server, the server decrypts the secret share of the random number in the secret shares decrypted by the client to obtain the corresponding random number. And in the verification stage, the client takes the random number obtained by decryption of the server, the aggregation result of the model parameters and the public parameter of the chameleon hash function as input to obtain the homomorphic chameleon hash value of the aggregation result, multiplies the homomorphic chameleon hash values of the model parameters of the clients participating in the aggregation process, compares the product with the homomorphic chameleon hash value of the aggregation result, and verifies the aggregation result according to the homomorphism of the chameleon hash function. Compared with the existing verification scheme, the method does not need to share the related information of the extra opening commitment, reduces the number of information interaction rounds and improves the aggregation rate.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a flow diagram of an aggregation verification method for federated learning provided in accordance with an exemplary embodiment;
FIG. 2 is a flow diagram of the specific interactions of an aggregation verification method for federated learning provided in accordance with an exemplary embodiment.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention. Referring to fig. 1, an embodiment of the present invention provides an aggregation verification method for federated learning, which may include the following steps:
101. Each client sends the two public keys of its two generated public/private key pairs to the server.
102. The server broadcasts the received public key set to each client connected with the server, and the clients receiving the public key set form a first client set.
103. For any client in the first client set: the secret shares of the random number of the client's chameleon hash function are added into the secret shares, and each client sends each generated secret share ciphertext to the server.
104. The server broadcasts the received secret share ciphertext set to each client connected with the server, and the clients receiving the secret share ciphertext set form a second client set.
105. For any client in the second client set: the public parameter, the random number and the model parameters of the client's chameleon hash function are taken as the input of the chameleon hash function to generate a homomorphic chameleon hash value of the model parameters.
106. The server broadcasts the received model parameter ciphertext and homomorphic chameleon hash value set to each client connected with the server, and the clients receiving the model parameter ciphertext and homomorphic chameleon hash value set form a third client set.
107. For any client in the third client set: the received secret share ciphertexts of the other clients are decrypted, the decrypted secret shares are sent to the server, and the clients still connected with the server after the sending is finished form a fourth client set.
108. The server reconstructs and decrypts the secret shares of the clients belonging to the second client set but not to the third client set.
109. The model parameters of the clients in the third client set are aggregated based on the random numbers and other secret values obtained by decryption to obtain an aggregation result.
1010. The aggregation result and the random number of each client in the third client set are sent to each client in the fourth client set.
1011. For any client in the fourth client set: the public parameter of the client's chameleon hash function, the aggregation result and the sum of the random numbers of the clients in the third client set are taken as the input of the chameleon hash function to generate the homomorphic chameleon hash value of the aggregation result, which is compared with the product of the homomorphic chameleon hash values of the clients in the third client set.
Specifically, in the process of performing aggregation verification, the cryptographic algorithm that needs to be used includes:
Symmetric encryption algorithm (SE.KGen, SE.Enc, SE.Dec):
$\mathrm{SE.KGen}(1^{\kappa}) \to k$: takes the security parameter $1^{\kappa}$ as input and outputs a symmetric key $k$;
$\mathrm{SE.Enc}(k, m) \to ct$: takes the symmetric key $k$ and the message $m$ as input and generates a ciphertext $ct$;
$\mathrm{SE.Dec}(k', ct) \to m'$: takes the symmetric key $k'$ and the ciphertext message $ct$ as input and outputs a message $m'$ satisfying ct = SE.
Key agreement protocol (KA.Param, KA.KGen, KA.Agree):
$\mathrm{KA.Param}(1^{\kappa}) \to KApp$: takes the security parameter $1^{\kappa}$ as input and outputs the public parameter KApp;
$\mathrm{KA.KGen}(KApp) \to (pk, sk)$: generates a public/private key pair $(pk, sk)$ for a user;
$\mathrm{KA.Agree}(sk_i, pk_j) \to k_{i,j}$: takes the private key $sk_i$ of user $i$ and the public key $pk_j$ of user $j$ as input and outputs an agreed key (private key) $k_{i,j}$.
The key agreement protocol is such that user $i$ and user $j$ generate the same key $k_{i,j}$, that is,
$k_{i,j} = \mathrm{KA.Agree}(sk_i, pk_j) = \mathrm{KA.Agree}(sk_j, pk_i) = k_{j,i}$
In the invention, the key agreed by the key agreement algorithm can be used both as a session key between client i and client j and as a mask value generated pairwise by client i and client j.
Secret sharing scheme (SS.Share, SS.Recon):
Figure BDA0003574910330000081
The secret sharing algorithm takes a secret value s, a threshold t and a user set U as input, and outputs a secret share for each user i belonging to U,
Figure BDA0003574910330000082
where $|U| = N$.
Figure BDA0003574910330000083
For a user set
Figure BDA0003574910330000084
with $|V| \ge t$, the secret reconstruction algorithm can recover the secret value s; otherwise, the output is null (i.e., $\perp$).
The pseudo-random generator PRG may expand a short random string x into a long pseudo-random bit string PRG (x).
Chameleon hash algorithm (CH.Gen, CH.Hash, CH.HashCheck, CH.Adapt):
$\mathrm{CH.Gen}(1^{\kappa}) \to (CHpp, TD)$: takes the security parameter $\kappa$ as input and outputs the public parameter CHpp and a trapdoor TD.
$\mathrm{CH.Hash}(CHpp, m, r) \to hash$: takes the public parameter CHpp, the message $m$ to be hashed and the random number $r$ as input and outputs the hash.
$\mathrm{CH.HashCheck}(CHpp, m, r, hash) \to 0/1$: outputs 1 if the verification passes and 0 if it fails.
$\mathrm{CH.Adapt}(TD, m, r, hash, m') \to r'$: given a trapdoor TD, a hash value hash, an original message $m$, an original random number $r$ and a new message $m'$, the algorithm can output a new random number $r'$ such that CH.
In contrast to an ordinary hash function, besides collision resistance, the chameleon property must be satisfied, i.e., for any given $m$ and $m'$ and for any $r$, one can find
$r' \leftarrow \mathrm{CH.Adapt}(TD, m, r, hash, m')$ satisfying
$\mathrm{CH.Hash}(CHpp, m, r) = \mathrm{CH.Hash}(CHpp, m', r')$.
Homomorphism must also be satisfied, i.e.,
$\mathrm{CH.Hash}(CHpp, m_1 + m_2, r_1 + r_2) = \mathrm{CH.Hash}(CHpp, m_1, r_1) \cdot \mathrm{CH.Hash}(CHpp, m_2, r_2)$.
Based on the above cryptographic algorithms, and referring to the flow of aggregation verification shown in fig. 2, the public parameters are generated before aggregation is performed: the security parameter $\kappa$ is initialized, with the input vector
Figure BDA0003574910330000091
where R is the modulus and d is the dimension of the vector, and the aggregation value
Figure BDA0003574910330000092
where $B \ge N \cdot R$, and N is the number of clients participating in training in each round.
The public parameter for key agreement is generated: $\mathrm{KA.Param}(1^{\kappa}) \to KApp$.
The chameleon hash public parameter generation algorithm is run: $\mathrm{CH.Gen}(1^{\kappa}) \to CHpp$.
In the key generation and distribution phase:
For client i: two public/private key pairs $(pk_i, sk_i) \leftarrow \mathrm{KA.KGen}(KApp)$ and $(mpk_i, msk_i) \leftarrow \mathrm{KA.KGen}(KApp)$ are generated from KApp, and $pk_i$ and $mpk_i$ are sent to the server.
For the server: the client set receiving the message is recorded as $U_1$, i.e., the first client set, and
Figure BDA0003574910330000093
is broadcast to the clients in $U_1$.
In the key sharing phase:
For client i: the message
Figure BDA0003574910330000094
is received from the server. To generate the seed of the pseudo-random generator PRG, $b_i$ is sampled at random. To calculate the homomorphic chameleon hash value, $r_i$ is sampled at random. Secret shares of $msk_i$, $b_i$ and $r_i$ are generated with the secret sharing algorithm. The symmetric key $k_{i,j} \leftarrow \mathrm{KA.Agree}(sk_i, pk_j)$ between the client and each client $j \in U_1 \setminus \{i\}$ is calculated, and the corresponding secret share ciphertext is computed:
Figure BDA0003574910330000095
Figure BDA0003574910330000096
The ciphertext $ct_{i,j}$ is sent to the server and stored locally.
For the server: the client set receiving the message is recorded as $U_2$, i.e., the second client set, and each received $ct_{i,j}$ is sent to the corresponding client in $U_2$.
In the stage of collecting the double mask ciphertext and homomorphic chameleon hash value:
For client i: the symmetric key $mak_{i,j} \leftarrow \mathrm{KA.Agree}(msk_i, mpk_j)$ is computed and used as a seed for the pseudo-random generator PRG, and the model parameter ciphertext is then generated:
Figure BDA0003574910330000097
Figure BDA0003574910330000098
where
Figure BDA0003574910330000099
denotes the modulo operation. The homomorphic chameleon hash value $ch_i$ of the model parameters is calculated. The generated $msx_i$ and $ch_i$ are sent to the server.
For the server: the client set receiving the message is recorded as $U_3$, i.e., the third client set, and the received
Figure BDA0003574910330000101
is broadcast to the clients in $U_3$.
In the decryption stage:
For client i: using the symmetric key $k_{i,j} \leftarrow \mathrm{KA.Agree}(sk_i, pk_j)$, the client decrypts the received
Figure BDA0003574910330000102
and sends to the server the decrypted secret shares: those of $b_j$ and $r_j$ for clients in the third client set, and those of $msk_j$ for clients that dropped out of the second client set.
For the server: the client set receiving the message is recorded as $U_4$, the secrets are reconstructed to obtain the aggregation value, and the aggregation value is sent to the clients in the fourth client set.
Finally, based on the received y and
Figure BDA0003574910330000103
the client verifies whether
Figure BDA0003574910330000104
Figure BDA0003574910330000105
holds.
In the whole process, the secret share of the client chameleon hash function random number is added into a secret share ciphertext generated in a key sharing stage, and in the generation stage of the model parameter ciphertext, the random number, the public parameter of the chameleon hash function and the model parameter are used as the input of the chameleon hash function to generate a homomorphic chameleon hash value of the model parameter. And in the decryption stage of the server, the server decrypts the secret shares of the random numbers in the secret shares decrypted by the client to obtain the corresponding random numbers. In the verification stage, the client side takes the random number obtained by decryption of the server, the aggregation result of the model parameters and the public parameters of the chameleon hash function as input to obtain the homomorphic chameleon hash value of the aggregation result, multiplies the homomorphic chameleon hash values of the model parameters of the client sides participating in the aggregation process, compares the product with the homomorphic chameleon hash value of the aggregation result, and verifies the aggregation result according to the homomorphism of the chameleon hash function. Compared with the existing verification scheme, the method does not need to share the related information of the extra opening commitment, reduces the number of information interaction rounds and improves the aggregation rate.
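The verification step above, as an added example that is not part of the patent text: a toy discrete-log chameleon hash over a vector message, used to check an aggregate against the product of the per-client hashes. The patent does not fix a construction, so the instantiation g^(sum a_k*m_k + t*r) mod p, the 64-bit group, the fixed seeds and all function names are assumptions made here.

```python
import random

def is_prime(n, rng, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def ch_gen(dim, bits=64, seed=2022):
    """CH.Gen -> (CHpp, TD). Toy size and fixed seed: reproducible demo only."""
    rng = random.Random(seed)
    while True:  # search for a safe prime p = 2q + 1
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q, rng) and is_prime(2 * q + 1, rng):
            break
    p = 2 * q + 1
    g = pow(rng.randrange(2, p - 1), 2, p)        # generator of the order-q subgroup
    a = [rng.randrange(1, q) for _ in range(dim)]  # trapdoor exponents per coordinate
    t = rng.randrange(1, q)                        # trapdoor exponent for h
    pp = {"p": p, "q": q, "g": [pow(g, ak, p) for ak in a], "h": pow(g, t, p)}
    return pp, {"a": a, "t": t}

def ch_hash(pp, m, r):
    """CH.Hash(CHpp, m, r) = prod_k g_k^{m_k} * h^r mod p for a vector message m."""
    acc = pow(pp["h"], r % pp["q"], pp["p"])
    for g_k, m_k in zip(pp["g"], m):
        acc = acc * pow(g_k, m_k % pp["q"], pp["p"]) % pp["p"]
    return acc

def ch_adapt(pp, td, m, r, m_new):
    """CH.Adapt: with the trapdoor, find r' so that (m_new, r') hashes like (m, r)."""
    q = pp["q"]
    delta = sum(a_k * (x - y) for a_k, x, y in zip(td["a"], m, m_new)) % q
    return (r + delta * pow(td["t"], -1, q)) % q

def verify_aggregate(pp, y, rs, chs):
    """Client check: CH.Hash(CHpp, y, sum r_i) == product of the clients' hashes."""
    expected = 1
    for ch in chs:
        expected = expected * ch % pp["p"]
    return ch_hash(pp, y, sum(rs) % pp["q"]) == expected

def run_round():
    R, d, n = 1 << 16, 4, 3                        # constructed sample sizes
    pp, td = ch_gen(d)
    rng = random.Random(7)
    xs = [[rng.randrange(R) for _ in range(d)] for _ in range(n)]  # model parameters
    rs = [rng.randrange(pp["q"]) for _ in range(n)]                 # random numbers r_i
    chs = [ch_hash(pp, x, r) for x, r in zip(xs, rs)]
    y = [sum(col) for col in zip(*xs)]             # honest aggregation result
    forged = [y[0] + 1] + y[1:]                    # aggregate altered in one coordinate
    r_sum = sum(rs) % pp["q"]
    r_adapted = ch_adapt(pp, td, y, r_sum, forged)
    return {
        "honest": verify_aggregate(pp, y, rs, chs),
        "tampered": verify_aggregate(pp, forged, rs, chs),
        "trapdoor_collision": ch_hash(pp, forged, r_adapted) == ch_hash(pp, y, r_sum),
    }

if __name__ == "__main__":
    print(run_round())
```

The `trapdoor_collision` result is CH.Adapt at work: whoever holds TD can open a hash to a different message, so the check only binds a party that does not hold TD.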
In some embodiments of the invention, the security of honest participants' private model parameters (e.g. gradients) is protected during the aggregation process, preventing them from being learned by the adversary mentioned above. The protocol can also tolerate some clients dropping out midway; that is, some clients going offline midway does not affect the normal operation of federated learning.
For the server: if the number of clients forming the data set currently to be broadcast, or forming the fourth client set, is less than a preset secret sharing threshold, the data set is not broadcast; the data set to be broadcast is any one of a public key set, a secret share ciphertext set, a model parameter ciphertext set and a homomorphic chameleon hash value set.
For any client in any client set: if the number of clients forming the currently received data set is less than the preset secret sharing threshold, the client stops data transmission with the server; the received data set is any one of a public key set, a secret share ciphertext set, a model parameter ciphertext and a homomorphic chameleon hash value set.
For any client in the second client set: the client decrypts the received secret share ciphertext between another client and itself with its first symmetric key to obtain two client identifications, and stops decrypting the secret share ciphertext if those two identifications do not correspond to the identifications of the other client and of the client itself.
In this way the private model parameters (such as gradients) of honest participants are protected from detection by the adversary. The integrity of the aggregation is also ensured, which prevents an adversary from making an honest client accept a forged aggregation result. During aggregation, some clients may disconnect midway without affecting the normal operation of federated learning.
With these additions, a complete aggregation verification process is as follows. In the public parameter generation stage, a secret sharing threshold t is added.
In the key generation and distribution stage:
For client i: from KApp, generate two public/private key pairs, $(pk_i, sk_i) \leftarrow \mathrm{KA.KGen}(KApp)$ and $(mpk_i, msk_i) \leftarrow \mathrm{KA.KGen}(KApp)$, and send $pk_i$ and $mpk_i$ to the server.
For the server: record the set of clients receiving the message as $U_1$. If $|U_1| < t$, the subsequent processing steps are aborted.
Figure BDA0003574910330000111
Broadcast to the clients in the set $U_1$.
In the key sharing phase:
For client i1: receive from the server the message
Figure BDA0003574910330000112
First, verify that $|U_1| \ge t$ and that all public keys are distinct, which prevents the server from forging client data; otherwise, the subsequent processing steps are aborted.
Randomly select $b_{i1}$ as the seed of the pseudo-random generator PRG, and randomly select $r_{i1}$ for computing the chameleon hash value. Generate secret shares of $msk_{i1}$, $b_{i1}$ and $r_{i1}$ with the secret sharing algorithm, where
Figure BDA0003574910330000113
Figure BDA0003574910330000114
Figure BDA0003574910330000115
Compute the symmetric key between client i1 and each client $j1 \in U_1$:
$k_{i1,j1} \leftarrow \mathrm{KA.Agree}(sk_{i1}, pk_{j1})$
where $k_{i1,j1}$ is the first symmetric key, i1 and j1 are client identifications in the first client set, $sk_{i1}$ is the first private key of the client, and $pk_{j1}$ is the first public key of the other client.
Through
Figure BDA0003574910330000121
the secret share ciphertext is obtained, where $ct_{i1,j1}$ is the secret share ciphertext, SE.Enc() is the ciphertext encryption algorithm, $k_{i1,j1}$ is the first symmetric key, i1 and j1 are client identifications in the first client set,
Figure BDA0003574910330000122
is a secret share of the client's second private key,
Figure BDA0003574910330000123
is a secret share of the first seed parameter,
Figure BDA0003574910330000124
is a secret share of the random number of the client's chameleon hash function.
Send the ciphertext $ct_{i1,j1}$ to the server and store it locally.
For the server: record the set of clients receiving the message as $U_2$. If $|U_2| < t$, the subsequent processing is terminated. The received $ct_{i1,j1}$ are sent to the corresponding clients in the set $U_2$.
In the stage of collecting the double-mask ciphertexts and homomorphic chameleon hash values:
For client i2:
First, for the message received from the server
Figure BDA0003574910330000125
verify that $|U_2| \ge t$. If $|U_2| < t$, the subsequent processing is terminated. After the verification passes, compute the symmetric key
$mak_{i2,j2} \leftarrow \mathrm{KA.Agree}(msk_{i2}, mpk_{j2})$
where $mak_{i2,j2}$ is the second symmetric key, i2 and j2 are client identifications in the second client set, $msk_{i2}$ is the second private key of the client, and $mpk_{j2}$ is the second public key of the other client.
Through
Figure BDA0003574910330000126
the model parameter ciphertext is obtained, where $msx_{i2}$ is the model parameter ciphertext, $x_{i2}$ is the model parameter of the client, $\mathrm{PRG}(b_{i2})$ is the first pseudo-random bit string, PRG() is the pseudo-random generator, $b_{i2}$ is the first seed parameter of the client, $U_2$ is the second client set, $\mathrm{PRG}(mak_{i2,j2})$ is the second pseudo-random bit string, $mak_{i2,j2}$ is the second seed parameter of the client, mod is the modulo operation, B is the dimension of the model parameters,
Figure BDA0003574910330000127
Through
$ch_{i2} \leftarrow \mathrm{CH.Hash}(CHpp, x_{i2}, r_{i2})$
the homomorphic chameleon hash value of the model parameter is obtained, where $ch_{i2}$ is the homomorphic chameleon hash value of the model parameter, CH.Hash() is the chameleon hash function, CHpp is the public parameter of the chameleon hash function, $x_{i2}$ is the model parameter of the client, and $r_{i2}$ is the random number of the client. If any operation in the above process fails, the subsequent operations are aborted directly; otherwise the generated $msx_{i2}$ and $ch_{i2}$ are sent to the server.
For the server:
Record the set of clients receiving the message as $U_3$. If $|U_3| < t$, the subsequent processing flow is stopped; after the verification passes, $msx_{i2}$ and $ch_{i2}$ are sent to the clients in $U_3$.
In the decryption stage:
For client i3:
Check whether the received client set $U_3$ satisfies $|U_3| \ge t$; if $|U_3| < t$, the subsequent processing flow is stopped directly. After the verification passes, each client uses the symmetric key $k_{i,j} \leftarrow \mathrm{KA.Agree}(sk_i, pk_j)$ on the received
Figure BDA0003574910330000131
Carry out decryption to obtain
Figure BDA0003574910330000132
If the client identifications obtained by decryption do not correspond to those of the other client and of the client itself, the subsequent processing flow is terminated directly. After the verification passes, the relevant secret shares obtained by decryption are sent to the server.
For the server:
Record the set of clients receiving the message as $U_4$. If $|U_4| < t$, the subsequent processing flow is stopped. After the verification passes, for the clients that belong to the second client set but not to the third client set, the secret shares of the second private key are reconstructed and decrypted to obtain the second symmetric key of the client:
Figure BDA0003574910330000133
where $msk_j$ is the second private key, j is the identification of a client belonging to the second client set but not to the third client set, SS.Recon() is the secret reconstruction algorithm,
Figure BDA0003574910330000134
is a secret share of the second private key, $U_4$ is the fourth client set, and t is the preset secret sharing threshold of the secret reconstruction algorithm.
Through
$mak_{j,i3} \leftarrow \mathrm{KA.Agree}(msk_j, mpk_{i3})$
the second symmetric key of the client is obtained, where $mak_{j,i3}$ is the second symmetric key of the client, KA.Agree() is the key agreement algorithm, $msk_j$ is the second private key, $mpk_{i3}$ is the second public key of a client in the third client set, and i3 is the identification of a client in the third client set.
The secret shares of the first seed parameter and of the random number of each client in the third client set are reconstructed respectively to obtain the client's first seed parameter and random number:
Figure BDA0003574910330000135
where $b_{i3}$ is the first seed parameter of the client, SS.Recon() is the secret reconstruction algorithm,
Figure BDA00035749103300001414
is the secret share of the first seed parameter of the client, i3 is the identification of a client in the third client set, i4 is the identification of a client in the fourth client set, $U_4$ is the fourth client set, and t is the preset secret sharing threshold of the secret reconstruction algorithm.
For each client in the third client set, the secret is reconstructed using the secret sharing algorithm:
Figure BDA0003574910330000141
The model parameters of the clients in the third client set are then aggregated, based on the decrypted second symmetric key of the client, the first seed parameter of the client and the random number, to obtain the aggregation result:
Figure BDA0003574910330000142
where y is the aggregation result, $x_{i3}$ is the model parameter of a client in the third client set, i3 is the identification of a client in the third client set, $U_3$ is the third client set, $msx_{i3}$ is the model parameter ciphertext of a client in the third client set, $\mathrm{PRG}(b_{i3})$ is the first pseudo-random bit string of a client in the third client set, $\mathrm{PRG}(mak_{j,i3})$ is the second pseudo-random bit string for clients belonging to the second client set but not to the third client set,
Figure BDA0003574910330000143
For any client in the fourth client set: through
Figure BDA0003574910330000144
the verification comparison is performed, where
Figure BDA0003574910330000145
is the homomorphic chameleon hash value of the aggregation result,
Figure BDA0003574910330000146
is the product of the homomorphic chameleon hash values of the clients in the third client set. If the verification passes, the aggregation process is reliable and the model obtained by aggregation can be used.
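The double masking and dropout recovery of the stages above, as an added Python example (not code from the patent). The equation images are missing from this page, so the mask sign convention (add for j > i, subtract for j < i), the toy Diffie-Hellman group, SHA-256 standing in for the AES-CTR PRG and all function names are assumptions; shares are passed unencrypted here, omitting SE.Enc.

```python
import hashlib
import secrets

P = 2**127 - 1   # constructed prime: Shamir field and toy Diffie-Hellman modulus
G = 3            # assumed base for the toy key agreement
B = 2**16        # modulus applied to the masked model parameters
D = 4            # length of the model parameter vector

def prg(seed, n=D):
    """Expand a seed into n values in Z_B (SHA-256 counter mode, stand-in for AES-CTR)."""
    blocks = (hashlib.sha256(f"{seed}:{c}".encode()).digest() for c in range(n))
    return [int.from_bytes(blk[:4], "big") % B for blk in blocks]

def share(secret, ids, t):
    """SS.Share: Shamir t-out-of-n shares, one per (non-zero) client id."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P for i in ids}

def recon(shares, t):
    """SS.Recon: Lagrange interpolation at 0; refuses to run below the threshold."""
    if len(shares) < t:
        raise ValueError("fewer than t shares: abort")
    pts = list(shares.items())[:t]
    total = 0
    for xi, yi in pts:
        num = den = 1
        for xj, _ in pts:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def agree(sk_i, pk_j):
    """KA.Agree: hash of the shared Diffie-Hellman value, used as a PRG seed."""
    return hashlib.sha256(str(pow(pk_j, sk_i, P)).encode()).hexdigest()

def mask(i, x, b, msk, mpks):
    """Client i: x_i + PRG(b_i) + sum_{j>i} PRG(mak_ij) - sum_{j<i} PRG(mak_ij) mod B."""
    out = [(xv + pv) % B for xv, pv in zip(x, prg(b))]
    for j, mpk in mpks.items():
        if j != i:
            sign = 1 if j > i else -1
            out = [(o + sign * p) % B for o, p in zip(out, prg(agree(msk, mpk)))]
    return out

def unmask(msx, b_shares, msk_shares, mpks, u2, t):
    """Server: sum the ciphertexts of U3, strip self masks, cancel masks of dropouts."""
    u3 = sorted(msx)
    y = [sum(col) % B for col in zip(*msx.values())]
    for i in u3:                              # self masks of the surviving clients
        y = [(yv - pv) % B for yv, pv in zip(y, prg(recon(b_shares[i], t)))]
    for j in set(u2) - set(u3):               # clients in U2 that never sent msx_j
        msk_j = recon(msk_shares[j], t)
        for i in u3:
            sign = 1 if j > i else -1         # the sign client i applied for partner j
            pair = prg(agree(msk_j, mpks[i]))
            y = [(yv - sign * pv) % B for yv, pv in zip(y, pair)]
    return y

def demo():
    ids, t, dropped = [1, 2, 3, 4], 3, 4
    # Constructed model parameters for four clients.
    xs = {1: [10, 20, 30, 40], 2: [1, 2, 3, 4], 3: [5, 5, 5, 5], 4: [7, 0, 7, 0]}
    keys = {i: keygen() for i in ids}
    mpks = {i: pk for i, (_, pk) in keys.items()}
    bs = {i: secrets.randbelow(P) for i in ids}
    b_sh = {i: share(bs[i], ids, t) for i in ids}
    msk_sh = {i: share(keys[i][0], ids, t) for i in ids}
    u3 = [i for i in ids if i != dropped]     # client 4 leaves before sending msx_4
    msx = {i: mask(i, xs[i], bs[i], keys[i][0], mpks) for i in u3}
    # Survivors reveal only the shares they hold: b_i for U3, msk_j for the dropout.
    b_rev = {i: {h: b_sh[i][h] for h in u3} for i in u3}
    msk_rev = {dropped: {h: msk_sh[dropped][h] for h in u3}}
    y = unmask(msx, b_rev, msk_rev, mpks, ids, t)
    expected = [sum(xs[i][k] for i in u3) % B for k in range(D)]
    return y, expected, msx[1]
```

With only two survivors instead of three, `recon` raises and the round stops, which is the threshold check each stage performs on its client set.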
In a specific implementation of the invention, a homomorphic chameleon hash algorithm based on the discrete logarithm assumption can be adopted:
Figure BDA0003574910330000147
wherein
Figure BDA0003574910330000148
is a cyclic group of order p, $g_1, g_2, \ldots, g_d, h$ are group elements, and the trapdoor $\alpha_i$ satisfies
Figure BDA0003574910330000149
where $i \in [d]$.
Figure BDA00035749103300001410
where the vector $m = (m_1, m_2, \ldots, m_d)$,
Figure BDA00035749103300001411
Figure BDA00035749103300001412
If
Figure BDA00035749103300001413
Then 1 is output, otherwise 0 is output.
Figure BDA0003574910330000151
This chameleon hash function satisfies correctness, homomorphism and collision resistance.
The key agreement protocol (KA.param, KA.KGen, KA.Agree) may be instantiated as follows:
$\mathrm{KA.param}(1^{\kappa}) \to KApp$, where
Figure BDA0003574910330000152
Wherein,
Figure BDA0003574910330000153
is a cyclic group of order p with generator g, and H is a hash algorithm, for which SHA-256, SM3, etc. may be used.
Figure BDA0003574910330000154
$\mathrm{KA.Agree}(sk_i, pk_j) \to k_{i,j}$, where $sk_i = x_i$ is the private key of user i,
Figure BDA0003574910330000155
is the public key of user j, and users i and j negotiate the key
Figure BDA0003574910330000156
The pseudo-random generator PRG may employ AES-CTR or the like.
The symmetric encryption algorithm may use AES or the cryptographic algorithm SM4, etc.
The verifiability of the aggregation process follows from the homomorphism and collision resistance of the chameleon hash algorithm. For example, suppose an adversary were able to forge an aggregation result
Figure BDA0003574910330000157
such that it passes the verification of some honest client i, i.e.
Figure BDA0003574910330000158
Since every $ch_j$ is generated honestly by its client, i.e. $ch_j = \mathrm{CH.Hash}(CHpp, x_j, r_j)$, the homomorphism of the chameleon hash function gives
Figure BDA0003574910330000159
It follows that
Figure BDA00035749103300001510
and
Figure BDA00035749103300001511
both have the chameleon hash value $h^*$. This contradicts the collision resistance of the chameleon hash, which proves the verifiability of the aggregation result.
Because a chameleon hash function is adopted, no commitment scheme is needed, so the verification stage takes only one round and the extra communication rounds for opening commitments are avoided. At the same time, for the hash algorithm constructed on the discrete logarithm,
Figure BDA00035749103300001512
the output is a group element
Figure BDA00035749103300001513
independent of the length of the input parameter m. Verifiability is thus added while the additional traffic in each round of federated learning stays at O(N), regardless of the size d of the model parameter vector.
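The verification check and the homomorphism argument above, as an added Python example that is not part of the patent. Because the page's formula images are missing, the construction CH.Hash(CHpp, m, r) = h^r · ∏ g_i^{m_i} with g_i = h^{α_i}, the toy group parameters and all function names are assumptions chosen to match the properties the text describes.

```python
import secrets
from functools import reduce

# Constructed toy group: the order-Q subgroup of Z_P^* with P = 2Q + 1.
# It keeps the arithmetic readable and is far too small for real use.
P, Q = 2039, 1019


def ch_setup(d):
    """Return CHpp = (h, [g_1..g_d]) with the assumed relation g_i = h^alpha_i."""
    h = pow(secrets.randbelow(P - 3) + 2, 2, P)        # square of 2..P-2: order Q
    alphas = [secrets.randbelow(Q - 1) + 1 for _ in range(d)]
    # The trapdoor alphas are dropped here; only the public parameters leave setup.
    return h, [pow(h, a, P) for a in alphas]


def ch_hash(pp, m, r):
    """CH.Hash(CHpp, m, r): a single group element, whatever the length of m."""
    h, gs = pp
    if len(m) != len(gs):
        raise ValueError("message length must equal d")
    acc = pow(h, r % Q, P)
    for g, mi in zip(gs, m):
        acc = acc * pow(g, mi % Q, P) % P
    return acc


def aggregate(vectors):
    """Component-wise sum of the clients' vectors; exponents live in Z_Q."""
    return [sum(col) % Q for col in zip(*vectors)]


def verify_aggregate(pp, y, r_sum, client_hashes):
    """Client-side check: CH.Hash(CHpp, y, sum of r_i) == product of ch_i."""
    product = reduce(lambda a, b: a * b % P, client_hashes, 1)
    return ch_hash(pp, y, r_sum) == product


def demo():
    pp = ch_setup(d=4)
    xs = [[3, 1, 4, 1], [5, 9, 2, 6], [5, 3, 5, 8]]    # constructed model parameters
    rs = [secrets.randbelow(Q) for _ in xs]            # one random number per client
    chs = [ch_hash(pp, x, r) for x, r in zip(xs, rs)]  # sent alongside msx_i
    y, r_sum = aggregate(xs), sum(rs) % Q              # what the server returns
    forged = [y[0] + 1] + y[1:]                        # server alters one coordinate
    return (verify_aggregate(pp, y, r_sum, chs),
            verify_aggregate(pp, forged, r_sum, chs))
```

The forged vector changes the hash by the factor g_1, which is never the identity, so the second check fails for every run of `demo()`.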
In the federated learning aggregation verification method provided by the above embodiment of the invention, a chameleon hash function is adopted and the use of a commitment scheme is avoided, so that the verification stage needs only one round and the extra communication rounds for opening commitments are avoided; at the same time, the communication traffic of the protocol interaction is reduced and the verification efficiency is improved.
While, for simplicity of explanation, the foregoing method embodiments have been described as a series of acts or combinations of acts, those skilled in the art will appreciate that the present invention is not limited by the described order of acts, as some steps may be performed in other orders or concurrently in accordance with the invention. Further, those skilled in the art will appreciate that the embodiments described in this specification are preferred embodiments, and that the acts and modules involved are not necessarily required by the invention.
It should be noted that the embodiments in this specification are described in a progressive manner: each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to each other. Since the device embodiments are basically similar to the method embodiments, they are described briefly, and the relevant points can be found in the corresponding description of the method embodiments.
The steps in the method of each embodiment of the present invention may be sequentially adjusted, combined, and deleted according to actual needs, and the technical features described in each embodiment may be replaced or combined.
The modules and sub-modules in the device and the terminal of the embodiments of the invention can be combined, divided and deleted according to actual needs.
In the embodiments provided in the present invention, it should be understood that the disclosed terminal, apparatus and method may be implemented in other ways. For example, the above-described terminal embodiments are merely illustrative, and for example, the division of a module or a sub-module is only one logical division, and there may be other divisions when the terminal is actually implemented, for example, a plurality of sub-modules or modules may be combined or integrated into another module, or some features may be omitted or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or modules, and may be in an electrical, mechanical or other form.
The modules or sub-modules described as separate components may or may not be physically separate, and the components described as modules or sub-modules may or may not be physical modules or sub-modules, may be located in one place, or may be distributed on a plurality of network modules or sub-modules. Some or all of the modules or sub-modules can be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
In addition, each functional module or sub-module in each embodiment of the present invention may be integrated into one processing module, or each module or sub-module may exist alone physically, or two or more modules or sub-modules may be integrated into one module. The integrated modules or sub-modules may be implemented in the form of hardware, or may be implemented in the form of software functional modules or sub-modules.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software unit executed by a processor, or in a combination of the two. The software unit may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. An aggregation verification method for federated learning, characterized by comprising the following steps:
each client sends two public keys in the generated two public and private key pairs to a server, the server broadcasts a received public key set to each client connected with the server, and the clients receiving the public key sets form a first client set;
for any client in the first set of clients: adding the secret shares of the random number of the client chameleon hash function into the secret shares, sending each generated secret share ciphertext to the server by each client, broadcasting the received secret share ciphertext set to each client connected with the server by the server, and forming a second client set by the clients receiving the secret share ciphertext set;
for any client in the second set of clients: taking a public parameter, a random number and a model parameter of the chameleon hash function of the client as the input of the chameleon hash function, and generating a homomorphic chameleon hash value of the model parameter;
the server broadcasts the received model parameter ciphertext and the homomorphic chameleon hash value set to each client connected with the server, and the clients receiving the model parameter ciphertext and the homomorphic chameleon hash value set form a third client set;
for any client in the third set of clients: decrypting the received secret share ciphertext of other clients, sending the decrypted secret share to the server, and forming a fourth client set by the clients which are still connected with the server after the sending is finished;
reconstructing and decrypting secret shares in the server for clients belonging to the second set of clients but not to a third set of clients;
aggregating the model parameters of the clients in the third client set based on the random number and other secret values obtained by decryption to obtain an aggregation result;
sending the aggregation result and the random number of each client in the third client set to each client in the fourth client set;
for any client in the fourth set of clients: and taking the public parameter of the chameleon hash function of the client, the aggregation result and the sum of the random numbers of the clients in the third client set as the input of the chameleon hash function, generating a homomorphic chameleon hash value of the aggregation result, and comparing the product of the homomorphic chameleon hash value of the aggregation result and the homomorphic chameleon hash value of each client in the third client set.
2. The method of claim 1, further comprising:
for the server: if the number of the clients forming the current data set to be broadcasted or the fourth client set is smaller than a preset secret sharing threshold value, the data set to be broadcasted is not broadcasted, and the data set to be broadcasted is any one of the public key set, the secret share ciphertext set, the model parameter ciphertext and the homomorphic chameleon hash value set.
3. The method of claim 2, further comprising:
for any client in any set of clients: and if the number of the clients forming the currently received data set is smaller than the preset secret sharing threshold value, stopping data transmission with the server, wherein the received data set is any one of the public key set, the secret share ciphertext set, the model parameter ciphertext and the homomorphic chameleon hash value set.
4. The method of claim 1, wherein for any client in the first set of clients: adding the secret shares of the random number of the client chameleon hash function into the secret shares, and each client sends each generated secret share ciphertext to the server, wherein the method comprises the following steps:
calculating first symmetric keys between the client and the other clients respectively based on a first private key of the client and a first public key of each other client, and encrypting secret shares between the client and each other client respectively based on the first symmetric keys to generate secret share ciphertext:
$k_{i1,j1} \leftarrow \mathrm{KA.Agree}(sk_{i1}, pk_{j1})$
where $k_{i1,j1}$ is the first symmetric key, i1 and j1 are client identifications in the first set of clients, $sk_{i1}$ is the first private key of the client, and $pk_{j1}$ is the first public key of the other client;
through
Figure FDA0003574910320000021
the secret share ciphertext is obtained, where $ct_{i1,j1}$ is the secret share ciphertext, SE.Enc() is the ciphertext encryption algorithm, $k_{i1,j1}$ is the first symmetric key, i1 and j1 are client identifications in the first set of clients,
Figure FDA0003574910320000022
is a secret share of the client's second private key,
Figure FDA0003574910320000023
is a secret share of the first seed parameter,
Figure FDA0003574910320000024
is a secret share of the random number of the client's chameleon hash function.
5. The method according to claim 4, wherein the generation process of the model parameter ciphertext comprises: for any client in the second set of clients: calculating second symmetric keys between the client and other clients respectively based on a second private key of the client and a second public key of each other client, taking the second symmetric keys as second seed parameters of a pseudo-random generator of the client, and encrypting model parameters of the client based on the first seed parameters and the second seed parameters of the client to generate a model parameter ciphertext:
$mak_{i2,j2} \leftarrow \mathrm{KA.Agree}(msk_{i2}, mpk_{j2})$
where $mak_{i2,j2}$ is the second symmetric key, i2 and j2 are client identifications in the second set of clients, $msk_{i2}$ is the second private key of the client, and $mpk_{j2}$ is the second public key of the other client;
through
Figure FDA0003574910320000031
the model parameter ciphertext is obtained, where $msx_{i2}$ is the model parameter ciphertext, $x_{i2}$ is the model parameter of the client, $\mathrm{PRG}(b_{i2})$ is the first pseudo-random bit string, PRG() is the pseudo-random generator, $b_{i2}$ is the first seed parameter of the client, $U_2$ is the second set of clients, $\mathrm{PRG}(mak_{i2,j2})$ is the second pseudo-random bit string, $mak_{i2,j2}$ is the second seed parameter of the client, mod is the modulo operation, B is the dimension of the model parameter,
Figure FDA0003574910320000032
6. The method of claim 5, wherein taking the public parameter of the chameleon hash function of the client, the random number, and the model parameter as inputs of the chameleon hash function to generate a homomorphic chameleon hash value of the model parameter comprises: through
$ch_{i2} \leftarrow \mathrm{CH.Hash}(CHpp, x_{i2}, r_{i2})$
the homomorphic chameleon hash value of the model parameter is obtained, where $ch_{i2}$ is the homomorphic chameleon hash value of the model parameter, CH.Hash() is the chameleon hash function, CHpp is the public parameter of the chameleon hash function, $x_{i2}$ is the model parameter of the client, and $r_{i2}$ is the random number of the client.
7. The method of claim 6, wherein the reconstructing and decrypting the secret shares in the server for the clients belonging to the second set of clients but not to a third set of clients comprises:
reconstructing and decrypting the secret share of the second private key of the client which belongs to the second client set but does not belong to the third client set to obtain a second symmetric key of the client:
Figure FDA0003574910320000033
where $msk_j$ is the second private key, j is an identification of a client belonging to the second set of clients but not to the third set of clients, SS.Recon() is a secret reconstruction algorithm,
Figure FDA0003574910320000034
is a secret share of the second private key, $U_4$ is the fourth set of clients, and t is a preset secret sharing threshold of the secret reconstruction algorithm;
through
$mak_{j,i3} \leftarrow \mathrm{KA.Agree}(msk_j, mpk_{i3})$
the second symmetric key of the client is obtained, where $mak_{j,i3}$ is the second symmetric key of the client, $msk_j$ is said second private key, $mpk_{i3}$ is a second public key of a client in the third set of clients, and i3 is an identifier of a client in the third set of clients;
reconstructing the secret shares of the first seed parameters and the secret shares of the random numbers of the clients in the third client set respectively to obtain the first seed parameters and the random numbers of the clients:
Figure FDA0003574910320000041
where $b_{i3}$ is the first seed parameter of the client, SS.Recon() is a secret reconstruction algorithm,
Figure FDA0003574910320000042
is a secret share of the first seed parameter of the client, i3 is an identification of a client in the third set of clients, i4 is an identification of a client in the fourth set of clients, $U_4$ is the fourth set of clients, and t is a preset secret sharing threshold of the secret reconstruction algorithm.
8. The method according to claim 7, wherein the aggregating model parameters of each client in the third set of clients based on the decrypted random number and other secret values to obtain an aggregated result comprises:
aggregating the model parameters of the clients in the third client set based on the decrypted second symmetric key of the client, the first seed parameter of the client and the random number to obtain an aggregation result:
Figure FDA0003574910320000043
where y is the aggregation result, $x_{i3}$ is the model parameter of a client in the third set of clients, i3 is an identification of a client in the third set of clients, $U_3$ is the third set of clients, $msx_{i3}$ is the model parameter ciphertext of a client in the third set of clients, $\mathrm{PRG}(b_{i3})$ is the first pseudo-random bit string of a client in the third set of clients, $\mathrm{PRG}(mak_{j,i3})$ is the second pseudo-random bit string for clients belonging to the second set of clients but not to the third set of clients,
Figure FDA0003574910320000044
9. The method of claim 8, wherein, for any client in the fourth set of clients, taking the public parameter of the chameleon hash function of the client, the aggregation result and the sum of the random numbers of the clients in the third client set as the input of the chameleon hash function, generating the homomorphic chameleon hash value of the aggregation result, and comparing the homomorphic chameleon hash value of the aggregation result with the product of the homomorphic chameleon hash values of the clients in the third client set comprises: through
Figure FDA0003574910320000051
a comparison is made, where
Figure FDA0003574910320000052
is the homomorphic chameleon hash value of the aggregation result,
Figure FDA0003574910320000053
is the product of the homomorphic chameleon hash values of the clients in the third client set.
10. The method of claim 4, further comprising:
for any client in the second set of clients: decrypting, based on the first symmetric key of the client, the received secret share ciphertext between another client and the client to obtain two client identifications, and stopping the decryption of the secret share ciphertext if the two client identifications obtained by decryption do not correspond to the identifications of the other client and of the client itself.
CN202210329985.7A 2022-03-31 2022-03-31 Aggregation verification method for federal learning Active CN114650128B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210329985.7A CN114650128B (en) 2022-03-31 2022-03-31 Aggregation verification method for federal learning

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210329985.7A CN114650128B (en) 2022-03-31 2022-03-31 Aggregation verification method for federal learning

Publications (2)

Publication Number Publication Date
CN114650128A true CN114650128A (en) 2022-06-21
CN114650128B CN114650128B (en) 2024-10-11

Family

ID=81995142

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210329985.7A Active CN114650128B (en) 2022-03-31 2022-03-31 Aggregation verification method for federal learning

Country Status (1)

Country Link
CN (1) CN114650128B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115189950A (en) * 2022-07-12 2022-10-14 华东师范大学 Verifiable gradient security aggregation method and system based on multi-party security calculation
CN115186285A (en) * 2022-09-09 2022-10-14 闪捷信息科技有限公司 Parameter aggregation method and device for federal learning
CN115378572A (en) * 2022-07-12 2022-11-22 启明星辰信息技术集团股份有限公司 Decentralized multi-server security aggregation system and method
CN115913572A (en) * 2022-11-17 2023-04-04 国网智能电网研究院有限公司 Data verification method, device, equipment, medium and system for mimicry storage system
CN116049897A (en) * 2023-03-30 2023-05-02 北京华隐熵策数据科技有限公司 Verifiable privacy protection federal learning method based on linear homomorphic hash and signcryption
CN116996235A (en) * 2023-09-26 2023-11-03 中电科大数据研究院有限公司 Security authentication method, device and system for joint modeling

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110086599A (en) * 2019-04-24 2019-08-02 电子科技大学 Hash calculation method and label decryption method based on homomorphism chameleon hash function
WO2021232754A1 (en) * 2020-05-22 2021-11-25 深圳前海微众银行股份有限公司 Federated learning modeling method and device, and computer-readable storage medium

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115189950A (en) * 2022-07-12 2022-10-14 华东师范大学 Verifiable gradient security aggregation method and system based on multi-party security calculation
CN115378572A (en) * 2022-07-12 2022-11-22 启明星辰信息技术集团股份有限公司 Decentralized multi-server security aggregation system and method
CN115189950B (en) * 2022-07-12 2023-07-25 华东师范大学 Verifiable gradient security aggregation method and system based on multiparty security calculation
CN115186285A (en) * 2022-09-09 2022-10-14 闪捷信息科技有限公司 Parameter aggregation method and device for federal learning
CN115913572A (en) * 2022-11-17 2023-04-04 国网智能电网研究院有限公司 Data verification method, device, equipment, medium and system for mimicry storage system
CN116049897A (en) * 2023-03-30 2023-05-02 北京华隐熵策数据科技有限公司 Verifiable privacy protection federal learning method based on linear homomorphic hash and signcryption
CN116049897B (en) * 2023-03-30 2023-12-01 北京华隐熵策数据科技有限公司 Verifiable privacy protection federal learning method based on linear homomorphic hash and signcryption
CN116996235A (en) * 2023-09-26 2023-11-03 中电科大数据研究院有限公司 Security authentication method, device and system for joint modeling
CN116996235B (en) * 2023-09-26 2023-12-05 中电科大数据研究院有限公司 Security authentication method, device and system for joint modeling

Also Published As

Publication number Publication date
CN114650128B (en) 2024-10-11

Similar Documents

Publication Publication Date Title
CN114650128A (en) Aggregation verification method for federated learning
CN110740033B (en) Block chain multi-party data sharing method based on secret sharing technology
CN107342859B (en) Anonymous authentication method and application thereof
Eslami et al. Certificateless aggregate signcryption: Security model and a concrete construction secure in the random oracle model
CN107438006B (en) Full multi-receiver label decryption method of the anonymity without certificate
CN110120939B (en) Encryption method and system capable of repudiation authentication based on heterogeneous system
CN114338045A (en) Information data verifiability safety sharing method and system based on block chain and federal learning
CN114219483B (en) Method, equipment and storage medium for sharing block chain data based on LWE-CPBE
CN113507374A (en) Threshold signature method, device, equipment and storage medium
CN101431414A (en) Authentication group key management method based on identity
CN111797427A (en) Block chain user identity supervision method and system considering privacy protection
CN107248909A (en) It is a kind of based on SM2 algorithms without Credential-Security endorsement method
CN105187425B (en) Facing cloud calculus communication system safety without certificate thresholding decryption method
CN104754570B (en) Key distribution and reconstruction method and device based on mobile internet
CN111049647B (en) Asymmetric group key negotiation method based on attribute threshold
CN110120871B (en) Broadcast encryption method and system with fixed private key and ciphertext length
CN114491578A (en) Security data aggregation method for privacy calculation
Zhou et al. An efficient identity authentication scheme with dynamic anonymity for VANETs
CN113329371B (en) 5G Internet of vehicles V2V anonymous authentication and key agreement method based on PUF
CN111565108B (en) Signature processing method, device and system
CN114070549A (en) Key generation method, device, equipment and storage medium
CN114900283B (en) Deep learning user gradient aggregation method based on multiparty security calculation
CN111541669A (en) Broadcast encryption method and system
CN116232759A (en) Mist-blockchain assisted smart grid aggregation authentication method
CN114915402A (en) Verifiable privacy recommendation system based on secure multi-party computing

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant