CN115001674A - Execution method of sharing OT protocol, secure multi-party computing method and device - Google Patents

Info

Publication number
CN115001674A
Authority
CN
China
Prior art keywords
privacy
value
sequence number
party
privacy value
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210619377.XA
Other languages
Chinese (zh)
Inventor
李漓春
尹栋
赵原
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ant Blockchain Technology Shanghai Co Ltd
Original Assignee
Ant Blockchain Technology Shanghai Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ant Blockchain Technology Shanghai Co Ltd
Priority to CN202210619377.XA
Publication of CN115001674A
Priority to PCT/CN2022/135294 (WO2023231340A1)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/46 Secure multiparty computation, e.g. millionaire problem

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An execution method of a sharing OT protocol, and a secure multi-party computing method and device based on the sharing OT protocol, involve a first party and a second party. The second party holds N privacy values and N random numbers; the first party holds a first sequence number, which is the sequence number of a target privacy value among the N privacy values, a target random number, and a second sequence number, which is the sequence number of the target random number among the N random numbers. The execution method of the sharing OT protocol comprises the following steps: the second party receives from the first party a third sequence number calculated from the first sequence number and the second sequence number; then, according to the third sequence number, the N privacy values and the N random numbers, it calculates intermediate data corresponding to each of the remaining N-1 privacy values other than the one whose sequence number is the third sequence number, and calculates a second fragment of the target privacy value based on the random number whose sequence number is the third sequence number and the privacy value arranged at the head. In addition, the second party sends the intermediate data corresponding to the remaining N-1 privacy values to the first party, and the first party then calculates the first fragment of the target privacy value.

Description

Execution method of sharing OT protocol, secure multi-party computing method and device
Technical Field
One or more embodiments of the present disclosure relate to the field of computers, and in particular, to an execution method of a sharing OT protocol, and a secure multi-party computing method and apparatus based on the sharing OT protocol.
Background
The Oblivious Transfer (OT) protocol is a typical two-party protocol in cryptography and is often used to support the execution of secure multi-party computation. When secure multi-party computation (SMPC) is supported by the OT protocol, a large amount of data generally needs to be transmitted between the parties participating in the computation, and multiple rounds of communication between them may even be required.
A new scheme is desired to facilitate more efficient completion of secure multi-party computations.
Disclosure of Invention
One or more embodiments of the present specification provide an execution method of a shared OT protocol, a secure multi-party computing method based on the shared OT protocol, and an apparatus.
In a first aspect, an execution method of a sharing OT protocol is provided, involving a first party and a second party, where the second party holds N privacy values arranged in sequence and N random numbers arranged in sequence, and the first party holds a first sequence number of a target privacy value among the N privacy values, a target random number, and a second sequence number of the target random number among the N random numbers; the method is applied to the second party. The method comprises the following steps: receiving, from the first party, a third sequence number calculated based on the first sequence number and the second sequence number; calculating, based on the third sequence number, the N privacy values and the N random numbers, intermediate data corresponding to each of the remaining N-1 privacy values other than the one whose sequence number is the third sequence number; sending the intermediate data corresponding to the N-1 privacy values to the first party so that the first party calculates a first fragment of the target privacy value; and calculating a second fragment of the target privacy value based on the random number whose sequence number is the third sequence number and the privacy value arranged at the head, wherein the result of processing the first fragment and the second fragment using a first preset operation rule is equal to the target privacy value.
In one possible embodiment, the method further comprises: receiving the N random numbers from a third party; wherein the target random number and the second sequence number are sent to the first party by the third party.
In a possible implementation, the third sequence number is obtained by performing a modulo operation on the sum of the first sequence number and the second sequence number by N, and the result of the summation operation on the first fragment and the second fragment is equal to the target privacy value.
In a possible implementation, the third sequence number is obtained by performing an exclusive-or operation on the first sequence number and the second sequence number, and the result of the exclusive-or operation on the first fragment and the second fragment is equal to the target privacy value.
In a possible implementation, calculating, based on the third sequence number, the N privacy values and the N random numbers, the intermediate data corresponding to each of the remaining N-1 privacy values other than the one whose sequence number is the third sequence number includes: for any privacy value with sequence number j other than the third sequence number, processing the random number with sequence number j according to a second preset operation rule to obtain a corresponding first data item, and calculating the intermediate data with sequence number j, corresponding to the privacy value with sequence number j, based on the first data item, a second data item, a third data item and the privacy value arranged at the head, wherein the second data item is obtained by processing the random number whose sequence number is the third sequence number using the second preset operation rule, the third data item is the privacy value with sequence number y, and y equals the result of taking the difference between the third sequence number and j modulo N.
In one possible embodiment, calculating the second segment of the target privacy value based on the random number with the sequence number as the third sequence number and the first-ranked privacy value includes: a second fragment of the target privacy value is computed based on the second data item and the first-ranked privacy value.
In a possible implementation, the lengths of the N privacy numbers are all t bits; the processing the random number with the sequence number j according to the second preset operation rule to obtain the corresponding first data item comprises: calculating a hash value with the length of t bits of the random number with the sequence number of j as a corresponding first data item; or, for the random number with the sequence number j and the length larger than t bits, extracting a bit sequence with the length of t bits from a preset position, and taking the data represented by the bit sequence as a first data item corresponding to the random number with the sequence number j.
In a second aspect, an execution method of a shared OT protocol is provided, involving a first party and a second party, the second party holding N privacy numbers in sequence and N random numbers in sequence, the first party holding a first sequence number of a target privacy number among the N privacy numbers and a second sequence number thereof among the N random numbers, the method being applied to the first party. The method comprises the following steps: sending a third sequence number obtained by calculation based on the first sequence number and the second sequence number to the second party, enabling the second party to calculate a second fragment of the target privacy value based on a random number with the sequence number as the third sequence number and the privacy value arranged at the head, and returning intermediate data corresponding to the rest N-1 privacy values except the sequence number as the third sequence number; and calculating a first fragment of the target privacy value at least according to the first sequence number and the target random number, wherein a result obtained by processing the first fragment and the second fragment by using a first preset operation rule is equal to the target privacy value.
In one possible embodiment, the N random numbers are sent by a third party to the second party; the method further comprises the following steps: receiving the target random number and the second sequence number from the third party.
In a possible implementation, the third sequence number is obtained by performing a modulo operation on the sum of the first sequence number and the second sequence number by N, and the result of the summation operation on the first fragment and the second fragment is equal to the target privacy value.
In a possible implementation, the third sequence number is an exclusive or of the first sequence number and the second sequence number, and the exclusive or of the first fragment and the second fragment is equal to the target privacy value.
In one possible implementation, calculating the first fragment of the target privacy value based on at least the first sequence number and the target random number includes: processing the target random number using a second preset operation rule to obtain a fourth data item; and determining, based on the first sequence number, whether the target privacy value is the privacy value arranged at the head; if so, taking the fourth data item as the first fragment of the target privacy value; otherwise, calculating the first fragment of the target privacy value based on the fourth data item and the intermediate data corresponding to the privacy value whose sequence number is the second sequence number.
In a possible implementation, the lengths of the N privacy numbers are all t bits; the processing the target random number by using a second preset operation rule to obtain a fourth data item includes: calculating a hash value of the target random number with the length of t bits as a fourth data item; or, for the target random number with the length larger than t bits, extracting a bit sequence with the length of t bits from a preset position, and taking data represented by the bit sequence with the length of t bits as a fourth data item.
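As an added illustration (not part of the patent text), the sketch below runs the additive variant of the sharing OT exchange described in the first and second aspects, with the first party, the second party and the third party in one process. The function names, t = 32, SHA-256 truncated to t bits as the second preset operation rule, and the exact formula for the intermediate data are assumptions chosen so that the two fragments sum to the target privacy value; the text above names the inputs of that formula but does not give it.

```python
import hashlib
import secrets

T_BITS = 32            # t: bit length of every privacy value (assumed)
MOD = 1 << T_BITS      # fragments are combined by summation modulo 2^t


def h_t(r: bytes) -> int:
    """Second preset operation rule (assumed: SHA-256, low t bits)."""
    return int.from_bytes(hashlib.sha256(r).digest(), "big") % MOD


def third_party_setup(n: int):
    """Third party: N random numbers for the second party; one of them,
    together with its sequence number i, for the first party."""
    rs = [secrets.token_bytes(16) for _ in range(n)]
    i = secrets.randbelow(n)
    return rs, i, rs[i]


def third_sequence_number(p: int, i: int, n: int) -> int:
    """First party: e = (p + i) mod N. A uniform i makes e uniform, hiding p."""
    if not 0 <= p < n:
        raise ValueError("first sequence number out of range")
    return (p + i) % n


def second_party_step(e: int, xs, rs):
    """Second party: intermediate data for every j != e, plus its own fragment."""
    n = len(xs)
    if len(rs) != n or not 0 <= e < n:
        raise ValueError("malformed input")
    if any(not 0 <= x < MOD for x in xs):
        raise ValueError("privacy values must fit in t bits")
    d2 = h_t(rs[e])                      # second data item
    head = xs[0]                         # privacy value arranged at the head
    inter = {}
    for j in range(n):
        if j == e:
            continue                     # nothing is sent for sequence number e
        d1 = h_t(rs[j])                  # first data item
        d3 = xs[(e - j) % n]             # third data item x_y, y = (e - j) mod N
        # Assumed formula: only the holder of r_j can strip d1 from entry j.
        inter[j] = (d3 - head + d2 - d1) % MOD
    second_fragment = (head - d2) % MOD
    return inter, second_fragment


def first_party_step(p: int, i: int, r_i: bytes, inter) -> int:
    """First party: first fragment from the target random number r_i."""
    d4 = h_t(r_i)                        # fourth data item
    if p == 0:
        return d4                        # target is the head value, e == i
    return (d4 + inter[i]) % MOD         # intermediate data at the second sequence number


def run_sharing_ot(xs, p):
    """One complete exchange; returns both fragments and what crossed the wire."""
    n = len(xs)
    rs, i, r_i = third_party_setup(n)
    e = third_sequence_number(p, i, n)           # first party -> second party
    inter, frag2 = second_party_step(e, xs, rs)  # second party -> first party
    frag1 = first_party_step(p, i, r_i, inter)
    return frag1, frag2, e, inter


if __name__ == "__main__":
    values = [7, 1000, 42, 0xDEADBEEF, 5]        # constructed sample privacy values
    for target in range(len(values)):
        f1, f2, e, inter = run_sharing_ot(values, target)
        print(target, e, len(inter), (f1 + f2) % MOD == values[target])
```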
In a third aspect, a secure multi-party computing method based on a shared OT protocol is provided, and relates to a first party and a second party, wherein the first party holds a third privacy value to be used as a first sequence number, the second party holds a second privacy value, and the method is applied to the second party. The method comprises the following steps: generating N privacy values arranged in sequence, wherein any privacy value with the sequence number j is obtained by processing the sequence number j and the second privacy value by using a target operation rule, and the privacy value with the sequence number of the third privacy value is equal to the result of processing the third privacy value and the second privacy value by using the target operation rule; performing, by the method according to any one of claims 1 to 7, a sharing OT protocol with the first party for the N privacy values and the third privacy value as the first sequence number in association with the first party, to obtain a second segment having a sequence number that is a target privacy value of the third privacy value, and enabling the first party to correspondingly obtain the first segment having a sequence number that is the target privacy value of the third privacy value.
In a possible implementation, the second privacy value and the third privacy value are two fragments, in modulo-2 space, of a fourth privacy value, and the lengths of the first fragment and the second fragment are both t bits, with t greater than 1; the result of the exclusive-or operation on the second privacy value and the third privacy value is equal to the result of the summation operation on the first fragment and the second fragment.
In a possible embodiment, the target operation rule comprises a sum operation, a product operation, a bitwise and operation, a bitwise or operation, or a bitwise xor operation.
In a possible embodiment, the first preset operation rule includes a summation operation or a bitwise exclusive-or operation.
In a possible embodiment, the first party further holds a fourth privacy value, the sum of the second privacy value and the fourth privacy value being equal to a fifth privacy value; the sum of the second fragment and a third fragment is equal to the product of the third privacy value and the fifth privacy value, wherein the third fragment is calculated by the first party based on the third privacy value, the fourth privacy value, and the first fragment.
In a possible embodiment, the first party further holds a fourth privacy value, the second party further holds a sixth privacy value and a seventh privacy value, the third privacy value and the sixth privacy value are two exclusive-or slices of a modulo-2 space of an eighth privacy value located in the modulo-2 space, and the sum of the fourth privacy value and the seventh privacy value is equal to a fifth privacy value; the second privacy value is calculated by the second party based on the sixth privacy value and the seventh privacy value, and the second segment is used for calculating a product of the fifth privacy value and the eighth privacy value.
In a fourth aspect, a secure multi-party computing method based on a shared OT protocol is provided, involving a first party and a second party, where the first party holds a third privacy value to be used as a first sequence number, and the second party holds a second privacy value, and the method is applied to the first party. The method comprises the following steps: jointly executing with the second party, by the method of any one of the second aspect, a sharing OT protocol on the third privacy value serving as the first sequence number and N privacy values, to obtain a first fragment of the target privacy value whose sequence number is the third privacy value, and enabling the second party to obtain a second fragment of the target privacy value whose sequence number is the third privacy value, wherein any privacy value with sequence number j is obtained by the second party by processing the sequence number j and the second privacy value using a target operation rule, so that the privacy value whose sequence number is the third privacy value is equal to the result of processing the third privacy value and the second privacy value using the target operation rule.
In a possible implementation, the second privacy value and the third privacy value are two fragments, in modulo-2 space, of a fourth privacy value, and the lengths of the first fragment and the second fragment are both t bits, with t greater than 1; the result of the exclusive-or operation on the second privacy value and the third privacy value is equal to the result of the summation operation on the first fragment and the second fragment.
In a possible embodiment, the target operation rule comprises a sum operation, a product operation, a bitwise and operation, a bitwise or operation, or a bitwise xor operation.
In a possible embodiment, the first preset operation rule includes a summation operation or a bitwise exclusive-or operation.
In a possible embodiment, the sum of the second privacy value and a fourth privacy value held by the first party is equal to a fifth privacy value. The method further comprises the following steps: calculating a third fragment based on the third privacy value, the fourth privacy value, and the first fragment, such that the sum of the second fragment and the third fragment equals the product of the third privacy value and the fifth privacy value.
In a possible embodiment, the first party further holds a fourth privacy value, the second party further holds a sixth privacy value and a seventh privacy value, the third privacy value and the sixth privacy value are two exclusive-or slices of a modulo-2 space of an eighth privacy value located in the modulo-2 space, and the sum of the fourth privacy value and the seventh privacy value is equal to a fifth privacy value; the second privacy value is calculated by the second party based on the sixth privacy value and the seventh privacy value, and the first segment is used for calculating a product of the fifth privacy value and the eighth privacy value.
In a fifth aspect, a secure multi-party computing method based on a shared OT protocol is provided, involving a first party and a second party, where the first party holds a third privacy value to be used as a first sequence number, the second party holds a fifth privacy value and a sixth privacy value, and the third privacy value and the sixth privacy value are two xor fragments of an eighth privacy value located in a modulo-2 space in the modulo-2 space, and the method is applied to the first party. The method comprises the following steps: the second party generates N privacy values arranged in sequence, wherein any privacy value with a sequence number j is equal to a result obtained by processing an XOR result with a sequence number j and the fifth privacy value by using a target operation rule, the XOR result with the sequence number j is obtained by performing XOR operation on the sequence number j and the sixth privacy value, and the target privacy value with the sequence number of the third privacy value is equal to a result obtained by processing the fifth privacy value and the eighth privacy value by using the target operation rule; the first party and the second party jointly execute a sharing OT protocol on the third privacy value and the N privacy values serving as the first sequence number by using the method of any one of the first aspect and the second aspect, and respectively obtain a first fragment and a second fragment of a target privacy value of which the sequence number is the third privacy value.
In a sixth aspect, an execution apparatus for sharing OT is provided, involving a first party and a second party, the second party holding N privacy values in sequence and N random numbers in sequence, the first party holding a first sequence number of a target privacy value among the N privacy values, a target random number and a second sequence number thereof among the N random numbers, the apparatus being deployed at the second party. The device comprises: a communication processing unit configured to receive, from the first party, a third sequence number calculated based on the first sequence number and the second sequence number; a first calculating unit, configured to calculate, based on the third sequence number, the N privacy numerical values, and the N random numbers, intermediate data corresponding to each of the remaining N-1 privacy numerical values except for the third sequence number; the communication processing unit is further configured to send intermediate data corresponding to the N-1 privacy values to the first party, so that the first party calculates a first segment of the target privacy value; and the second calculating unit is configured to calculate a second fragment of the target privacy value based on the random number with the sequence number as the third sequence number and the privacy value arranged at the head, wherein the result of processing the first fragment and the second fragment by using a first preset operation rule is equal to the target privacy value.
In a seventh aspect, an execution apparatus for sharing OT is provided, involving a first party and a second party, the second party holding N privacy values in sequence and N random numbers in sequence, the first party holding a first sequence number of a target privacy value among the N privacy values, a target random number, and a second sequence number thereof among the N random numbers, the apparatus being deployed at the first party. The device comprises: a communication processing unit configured to send a third sequence number calculated based on the first sequence number and the second sequence number to the second party, so that the second party calculates a second segment of the target privacy value based on a random number with a sequence number as the third sequence number and a privacy value arranged at the head, and returns intermediate data corresponding to each of the remaining N-1 privacy values except for the sequence number as the third sequence number; and the calculation processing unit is configured to calculate a first fragment of the target privacy value at least according to the first sequence number and the target random number, wherein a result obtained by processing the first fragment and the second fragment by using a first preset operation rule is equal to the target privacy value.
In an eighth aspect, a secure multi-party computing device based on OT protocol is provided involving a first party holding a third privacy value to be a first serial number and a second party holding a second privacy value, the device being deployed at the second party. The device comprises: a calculation processing unit configured to generate N privacy values arranged in order, wherein any privacy value with a sequence number j is obtained by processing the sequence number j and the second privacy value using a target operation rule, and the privacy value with a sequence number j is made equal to a result of processing the third privacy value and the second privacy value using the target operation rule; and the calling processing unit is configured to execute an OT sharing protocol on the N privacy numerical values and the third privacy numerical value serving as the first sequence number in a combined manner through the OT sharing execution device and the first party in the sixth aspect, obtain a second fragment of the target privacy numerical value of which the sequence number is the third privacy numerical value, and enable the first party to correspondingly obtain the first fragment of the target privacy numerical value of which the sequence number is the third privacy numerical value.
In a ninth aspect, a secure multi-party computing device based on a shared OT protocol is provided, involving a first party and a second party, where the first party holds a third privacy value to be used as a first sequence number, and the second party holds a second privacy value, and the device is deployed on the first party. The device is configured to jointly execute with the second party, through the execution apparatus for sharing OT of the seventh aspect, a sharing OT protocol on the third privacy value serving as the first sequence number, to obtain a first fragment of the target privacy value whose sequence number is the third privacy value, and to enable the second party to obtain a second fragment of the target privacy value whose sequence number is the third privacy value, wherein any privacy value with sequence number j is obtained by the second party by processing the sequence number j and the second privacy value using a target operation rule, so that the privacy value whose sequence number is the third privacy value is equal to the result of processing the third privacy value and the second privacy value using the target operation rule.
A tenth aspect provides a computer readable storage medium having stored thereon a computer program which, when executed in a computing device, the computing device performs the method of any one of the first to fourth aspects.
In an eleventh aspect, a computing device comprises a memory having a computer program stored therein and a processor that, when executing the computer program, implements the method of any of the first to fourth aspects.
By means of the method and the device provided in one or more embodiments of the present specification, when a second party holds N privacy values and a first party holds the sequence number of a target privacy value among the N privacy values, the first party and the second party can, by executing a sharing OT protocol, each obtain a fragment of the target privacy value while the security of the target privacy value and of its sequence number is ensured. The first party and the second party can then implement secure multi-party computation on privacy values based on the sharing OT protocol, with a smaller volume of transmitted data and fewer communication rounds, so that the secure multi-party computation can be completed more efficiently.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present disclosure, the drawings used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present disclosure, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a process diagram of an execution method of a sharing OT protocol provided in an embodiment of the present disclosure;
FIG. 2 is a process diagram of a secure multi-party computing method based on the sharing OT protocol, provided by way of example;
FIG. 3 is a second process diagram of a secure multi-party computing method based on the sharing OT protocol, provided by way of example;
FIG. 4 is a third process diagram of a secure multi-party computing method based on the sharing OT protocol, provided by way of example;
FIG. 5 is a fourth process diagram of a secure multi-party computing method based on the sharing OT protocol, provided by way of example;
FIG. 6 is a schematic diagram of an execution apparatus of a sharing OT protocol according to an embodiment of the present disclosure;
FIG. 7 is a second schematic diagram of an execution apparatus of a sharing OT protocol according to an embodiment of the present disclosure;
FIG. 8 is a schematic diagram of a secure multi-party computing device based on the sharing OT protocol.
Detailed Description
Various non-limiting embodiments provided by the present specification are described in detail below with reference to the attached figures.
The OT protocol is a typical two-party protocol in cryptography. Taking as an example the case where the two parties executing the protocol are Alice and Bob, the OT protocol requires: Alice, as the OT receiver (also called the first party), holds a privacy value $p$, where $p$ is an integer satisfying $0 \le p \le N-1$; Bob, as the OT sender (also called the second party), holds N privacy values $\{x_0, x_1, \ldots, x_{N-1}\}$, each of length t bits and arranged in sequence; after Alice and Bob jointly execute the OT protocol, Alice obtains the privacy value $x_p$ with sequence number $p$ among the N privacy values but not the other privacy values that Bob holds, and Bob cannot learn the $p$ that Alice holds.
It should be noted that, because the smallest non-negative integer a computing device can represent with a bit sequence is 0, the sequence number of the j-th item in any sequence is usually set to j-1 rather than j in the embodiments of the present specification. For example, the aforementioned privacy value $x_0$ is the first of the N privacy values and can be described as the 1st privacy value, but its sequence number among the N privacy values is 0 rather than 1, which is why $p$ is required to be an integer satisfying $0 \le p \le N-1$. It is understood that other sequence-numbering rules may be adopted in a technical implementation; for example, the sequence number of the j-th item in any sequence may be set to j rather than j-1, in which case the sequence number of the privacy value $x_0$ among the N privacy values may be set to 1, and the sequence number $p$ is correspondingly required to be an integer satisfying $1 \le p \le N$. It should also be noted that Alice and Bob may each be implemented as any device, apparatus, platform, or cluster of devices having computing/processing capabilities.
The Random oblivious transport (Random OT) protocol is a variation of the OT protocol described above and may be used to construct the OT protocol described above, which may be implemented through a variety of cryptographic techniques. The requirements of the Random OT protocol are: bob can obtain N random numbers r arranged in sequence 0 ,r 1 ,…,r N-1 }; alice can obtain the (i + 1) th random number r in the N random numbers i And its serial number i in the N random numbers. The method of constructing the OT protocol by the Random OT protocol may include, but is not limited to, the following steps S01 to S03:
step S01, Alice calculates the intermediate sequence number e ═ N (i + p)% and sends e to Bob;
step S02, for N privacy values { x } 0 ,x 1 ,…,x N-1 Dividing privacy value r with sequence number e in the sequence e Other privacy value x for each sequence number j j Using N random numbers r 0 ,r 1 ,…,r N-1 In the sequence number (e-j)% N random number encryption x j To obtain ciphertext f with sequence number j j And cipher text f j Sending the data to Alice;
in step S03, Alice uses the random number r with serial number i i For which the privacy number x of sequence number i is received i Corresponding ciphertext f i The private numerical value x with the serial number p can be obtained after decryption p
Secure multi-party computation means that multiple parties jointly compute the result of a function without leaking, during the computation, the input data of the function that each party holds. The input data held by each party is generally regarded as private data that the other parties must not learn, while the computation result is allowed to be disclosed to a specified object. For example, the following secure multi-party computation need may arise: Alice holds a privacy value A and Bob holds a privacy value B; after the secure multi-party computation, Alice obtains a fragment c0 and Bob obtains a fragment c1, where the result of processing c0 and c1 with a preset operation rule equals the result of processing A and B with a target operation rule g. The target operation rule g may include, but is not limited to, a secure modulo conversion, a summation operation, a product operation, a bitwise AND operation, a bitwise OR operation, or a bitwise XOR operation; the preset operation rule may include, but is not limited to, a summation operation or an exclusive-or operation.
The aforementioned OT protocol may be generally used to support the aforementioned secure multiparty computation, and the method for implementing the aforementioned secure multiparty computation by the aforementioned OT protocol may include, but is not limited to, the following steps S11 to S14:
Step S11: Bob generates a random value as the fragment c1;
Step S12: Bob calculates N privacy values arranged in sequence, where the (j+1)-th privacy value is x_j = g(j, B) - c1; the N privacy values generated by Bob are the N privacy values arranged in sequence in the OT protocol described above;
Step S13: Alice takes A as p in the OT protocol;
Step S14: Alice, using A as p in the OT protocol, and Bob, using the N privacy values he calculated, jointly execute the OT protocol, with the execution result being that Alice obtains x_A = g(A, B) - c1 as the fragment c0.
In the process of implementing the foregoing secure multiparty computation based on the OT protocol, Alice and Bob need to perform multiple rounds of communication and the amount of data to be transmitted is relatively large. In view of the foregoing problems, embodiments of the present disclosure provide an execution method of a shared OT protocol, a secure multi-party computing method and apparatus based on the shared OT protocol, so as to reduce the amount of data to be transmitted when implementing secure multi-party computing, thereby completing the secure multi-party computing more efficiently.
Fig. 1 is a process diagram of an execution method of the sharing OT protocol provided in an embodiment of the present disclosure, in which Alice acts as the OT receiver (i.e., the first party) of the sharing OT protocol and Bob acts as the OT sender (i.e., the second party). Before performing the method shown in fig. 1, Alice and Bob may, by executing the Random OT protocol described above or by other means, have Bob obtain N random numbers {r_0, r_1, …, r_{N-1}} arranged in sequence and have Alice obtain a target random number r_i and its sequence number i among the N random numbers. For example, Bob may receive the N random numbers {r_0, r_1, …, r_{N-1}} from a third party, and Alice may receive r_i and its sequence number i among the N random numbers from a third party. Also, as in the OT protocol described above, Bob holds N privacy values {x_0, x_1, …, x_{N-1}} arranged in sequence, and Alice holds the first sequence number p of a target privacy value x_p among the N privacy values {x_0, x_1, …, x_{N-1}}. On this basis, Alice and Bob may jointly perform the following method steps 100 to 110 as shown in fig. 1.
First, in step 100, Alice calculates a sequence number e from sequence number p and sequence number i. Alice may, for example, modulo the sum of sequence number p and sequence number i with N to obtain sequence number e, or may xor sequence number p and sequence number i to obtain sequence number e, or may modulo the difference of sequence number p and sequence number i with N to obtain sequence number e.
Next, at step 102, Alice sends a sequence number e to Bob.
Then, at step 104, Bob calculates intermediate data corresponding to each of the remaining N-1 privacy values except the sequence number e, based on the sequence number e, the N privacy values held by Bob, and the N random numbers.
For any privacy value x_j with sequence number j among the N privacy values {x_0, x_1, …, x_{N-1}}, other than the one with sequence number e, Bob can process the random number r_j with sequence number j among the N random numbers {r_0, r_1, …, r_{N-1}} using a second preset operation rule h to obtain the first data item h(r_j) corresponding to the privacy value x_j, and then calculate the intermediate data f_j with sequence number j corresponding to x_j based on the first data item h(r_j), a second data item, a third data item, and the first-ranked privacy value x_0. The second data item is h(r_e), obtained by processing the random number r_e with sequence number e using the second preset operation rule h; the third data item is the privacy value x_y with sequence number y among the N privacy values, where y equals the result of taking the difference between e and j modulo N.
The N privacy values {x_0, x_1, …, x_{N-1}} may all be in the modulo-2^t space, and processing any random number held by Bob with the second preset operation rule h outputs data of length t bits corresponding to that random number. Illustratively, if the length of the random number r_j with any sequence number j among the N random numbers {r_0, r_1, …, r_{N-1}} is not more than t bits, the first data item h(r_j) obtained by processing r_j with the second preset operation rule h may be a hash value of r_j, of length t bits, calculated by Bob; if the length of r_j is greater than t bits, the first data item h(r_j) may be the data represented by a sub-bit-sequence of length t bits extracted from a preset position in the bit sequence representing r_j. Bob obtains the second data item h(r_e) from the random number r_e with sequence number e in the same way that he obtains the first data item h(r_j) from the random number r_j, so the details are not repeated.
More specifically, Bob can calculate the intermediate data f_j corresponding to the privacy value x_j by the following formula 1:
f_j = h(r_j) + h(r_e) - x_0 + x_{(e-j)%N}    (1)
It will be appreciated that the intermediate data f_j corresponding to the privacy value x_j may also be calculated by other methods, for example by adding specific coefficients before some or all of the data items in formula 1 or by transforming formula 1 in some way; more specifically, for example, all of the addition and subtraction operations in formula 1 may be replaced by exclusive-or operations.
In step 106, Bob sends the intermediate data corresponding to each of the remaining N-1 privacy values to Alice. That is, Bob sends Alice the intermediate data f_j he calculated for each privacy value x_j other than the one with sequence number e.
In step 108, Alice calculates the first fragment c0 of the target privacy value x_p based on the sequence number p and the target random number r_i.
Alice can process the target random number r_i that she holds using the second preset operation rule h to obtain a fourth data item h(r_i). Alice obtains the fourth data item h(r_i) in the same way that Bob obtains the second data item h(r_e) or the first data item h(r_j) corresponding to the privacy value x_j, so the details are not repeated. Alice can determine from the sequence number p whether the target privacy value x_p is the first-ranked privacy value x_0. If so, she takes the fourth data item h(r_i) as the first fragment c0 of the target privacy value x_p; otherwise, she calculates the first fragment c0 of x_p from the fourth data item h(r_i) and the intermediate data f_i corresponding to the privacy value x_i with sequence number i, for example c0 = f_i - h(r_i), or c0 may be obtained by performing an exclusive-or operation on the intermediate data f_i and the fourth data item h(r_i).
In step 110, Bob calculates the second fragment c1 of the target privacy value x_p based on the random number r_e with sequence number e and the first-ranked privacy value x_0. Bob can process the random number r_e with sequence number e using the second preset operation rule h to obtain the second data item h(r_e), and in step 110 may then calculate the second fragment c1 of the target privacy value x_p from the second data item h(r_e) and the privacy value x_0, for example c1 = x_0 - h(r_e), or the second fragment c1 may be obtained by performing an exclusive-or operation on the privacy value x_0 and the second data item h(r_e).
From the foregoing process by which Alice obtains the fragment c0 and Bob obtains the fragment c1, the result of processing the fragments c0 and c1 using the first preset operation rule is equal to the target privacy value x_p. The first preset operation rule may specifically be a summation operation or a bitwise XOR operation; in other words, the result of the summation operation or the bitwise XOR operation performed on the fragment c0 and the fragment c1 is equal to the target privacy value x_p. In addition, while Alice and Bob obtain the fragment c0 and the fragment c1 respectively, Alice cannot learn the target privacy value x_p, which ensures the security of the target privacy value x_p.
The aforementioned sharing OT protocol may be used to support Alice and Bob in performing secure multi-party computation on two privacy values a and b. Secret sharing is widely applied in secure multi-party computation; its basic principle is to split a secret value into several fragments (shares) kept by different parties, such that only parties exceeding a threshold number can merge the fragments they hold to recover the original secret value, where the threshold number is generally the same as the number of parties participating in the secure multi-party computation. Therefore, when Alice and Bob actually perform secure multi-party computation, the typical data holding situations for the privacy value a and the privacy value b to be processed by the target operation rule include the following case 1, and the data holding situations of Alice and Bob may also include the following cases 2 to 4:
Case 1: Alice holds a and Bob holds b, where a and b can both be single-bit values 0 or 1 in the modulo-2 space; or a and b can both be integers in the modulo-2^t space; or a is a single-bit value 0 or 1 in the modulo-2 space and b is an integer in the modulo-2^t space.
Case 2: a is a single-bit value 0 or 1 in the modulo-2 space and b is an integer in the modulo-2^t space; Alice holds a and the fragment b0 of b in the modulo-2^t space, and Bob holds the fragment b1 of b in the modulo-2^t space, where the result of the summation operation on b0 and b1 equals b.
Case 3: a is a single-bit value 0 or 1 in the modulo-2 space and b is an integer in the modulo-2^t space; Alice holds the fragment a0 of a in the modulo-2 space and the fragment b0 of b in the modulo-2^t space, and Bob holds the fragment a1 of a in the modulo-2 space and the fragment b1 of b in the modulo-2^t space, where the result of the exclusive-or operation on a0 and a1 equals a and the result of the summation operation on b0 and b1 equals b.
Case 4: a is a single-bit value 0 or 1 in the modulo-2 space and b is an integer in the modulo-2^t space; Alice holds the fragment a0 of a in the modulo-2 space, and Bob holds b and the fragment a1 of a in the modulo-2 space, where the result of the exclusive-or operation on a0 and a1 equals a.
For the foregoing cases 1 to 4, the foregoing shared OT protocol may be adopted to implement secure multiparty computation on the privacy value a and the privacy value b, but for different data holding cases, the process of Alice and Bob implementing secure multiparty computation on a and b based on the foregoing shared OT protocol may be different. The following describes in detail the process of Alice and Bob specifically implementing secure multi-party computation of the privacy value a and the privacy value b based on the aforementioned sharing OT protocol in the aforementioned 4 data possession cases.
FIG. 2 is a process diagram of a secure multi-party computing method based on the sharing OT protocol. In the implementation shown in fig. 2, Alice acts as the receiver (i.e., the first party) of the sharing OT protocol and Bob acts as the sender (i.e., the second party) of the sharing OT protocol. As shown in fig. 2, Alice and Bob may perform secure multi-party computation on the privacy value a and the privacy value b through steps 200 and 202 in the aforementioned data holding case 1.
First, at step 200, Bob generates N privacy values in a sequential order from the privacy value b.
That is, Bob generates the N privacy values {x_0, x_1, …, x_{N-1}} arranged in sequence in the aforementioned sharing OT protocol. The privacy value x_j with any sequence number j among the N privacy values may be obtained by processing the sequence number j and the privacy value b using the target operation rule g, so that the target privacy value x_a with sequence number a equals the result of processing the privacy value a and the privacy value b using the target operation rule g. When a and b are both integers, or are both single-bit privacy values in the modulo-2 space, the target operation rule g may include, for example and without limitation, a summation operation, a product operation, a bitwise AND operation, a bitwise OR operation, or a bitwise XOR operation; when a is a single-bit value in the modulo-2 space and b is an integer in the modulo-2^t space, the target operation rule may include, for example and without limitation, a product operation. It should be noted that the value of N in step 200 should be greater than the privacy value a held by Alice.
Then, in step 202, Alice, using the privacy value a as the sequence number p, and Bob, using the N privacy values he generated, jointly execute the sharing OT protocol, so that Alice obtains the first fragment c0 of the target privacy value x_p and Bob obtains the second fragment c1 of the target privacy value x_p. Since a equals p, the target privacy value x_p is what Bob obtained by processing the sequence number p and the privacy value b using the target operation rule g, so the result of processing the first fragment c0 and the second fragment c1 of x_p using the first preset operation rule equals the result of processing a and b using the target operation rule g, and Alice and Bob thereby complete the secure multi-party computation on a and b. It should be noted that, when a and b are two XOR fragments of some privacy value in the modulo-2 space, that is, when the result of the exclusive-or operation on a and b equals some privacy value c in the modulo-2 space, the first fragment c0 and the second fragment c1 of the target privacy value x_p are both integers in the modulo-2^t space, so the method can also realize secure modulo conversion of the two fragments a and b of the privacy value c in the modulo-2 space.
FIG. 3 is a second process diagram of a secure multiparty computing method based on the shared OT protocol. In the implementation shown in fig. 3, Alice will act as the receiver (i.e., the first party) of the sharing OT protocol, and Bob will act as the sender (i.e., the second party) of the sharing OT protocol. Referring to fig. 3, Alice and Bob may perform secure multi-party calculation on the privacy value a and the privacy value b through steps 300 to 306 in the aforementioned data holding case 2.
First, at step 300, Bob generates N privacy values in order from the slice b 1.
That is, Bob generates the N privacy values {x_0, x_1, …, x_{N-1}} arranged in sequence in the sharing OT protocol. The privacy value x_j with any sequence number j among the N privacy values may be obtained by processing the sequence number j and the fragment b1 using the target operation rule g, for example by taking the product of the sequence number j and the fragment b1, so that the target privacy value x_a with sequence number a equals the result of processing a and b1 using the target operation rule g.
Then, in step 302, Alice, using the privacy value a as the sequence number p, and Bob, using the N privacy values he generated, jointly execute the sharing OT protocol, so that Alice obtains the first fragment c0 of the target privacy value x_p and Bob obtains the second fragment c1 of the target privacy value x_p. Since a equals p, x_p is what Bob obtained by processing the sequence number p and the fragment b1 using the target operation rule g, so the result of the summation operation or the exclusive-or operation performed on the first fragment c0 and the second fragment c1 of x_p equals the result of processing a and b1 using the target operation rule g, thereby completing the secure multi-party computation on a and b1.
Next, in step 304, Alice calculates a third fragment c0g based on the first fragment c0 of x_p, the privacy value a, and the fragment b0. Alice may, for example, compute c0g = a × b0 + c0, such that the result of the summation operation on the fragment c0g and the second fragment of x_p equals the result of processing a and b using the target operation rule. It should be noted that c0g may also be obtained by performing an exclusive-or operation on a, b0 and c0.
FIG. 4 is a third process diagram of a secure multiparty computing method based on the sharing OT protocol. The implementation shown in fig. 4 includes performing process 1 and performing process 2: in the implementation process 1, Alice will act as a receiver (i.e., a first party) of the sharing OT protocol, and Bob will act as a sender (i.e., a second party) of the sharing OT protocol; in the implementation process 2, Alice will act as a sender of the sharing OT protocol, and Bob will act as a receiver of the sharing OT protocol. Referring to fig. 4, Alice and Bob can perform secure multi-party calculation on the privacy value a and the privacy value b through steps 400 to 407 in the aforementioned data holding case 3, where steps 400 to 402 belong to the execution process 1, steps 403 to 405 belong to the execution process 2, and the execution process 1 and the execution process 2 can be executed independently without a necessary sequential relationship.
At step 400, Bob calculates a privacy value L1 from the fragment a1 and the fragment b1. The privacy value L1 can be calculated, for example, by the formula L1 = (b1 - 2a1 × b1) or by a variant of that formula.
At step 401, Bob generates N privacy values in a sequential order from the privacy value L1.
That is, Bob generates the N privacy values {x_0, x_1, …, x_{N-1}} arranged in sequence in the aforementioned sharing OT protocol. The privacy value x_j with any sequence number j among the N privacy values may be obtained by processing the sequence number j and the privacy value L1 using the target operation rule g, for example by taking the product of the sequence number j and L1, so that the target privacy value with sequence number a0 equals the result of processing a0 and L1 using the target operation rule g.
At step 402, Alice, using the fragment a0 as the sequence number p, and Bob, using the N privacy values he generated, jointly execute the sharing OT protocol, so that Alice obtains a first fragment c00 of the target privacy value with sequence number a0 among the N privacy values generated by Bob, and Bob obtains a second fragment c01 of that target privacy value.
At step 403, Alice calculates a privacy value L0 from the fragment a0 and the fragment b0. The privacy value L0 can be calculated, for example, by the formula L0 = (b0 - 2a0 × b0) or by a variant of that formula.
At step 404, Alice generates N privacy values in a sequential order based on the privacy value L0.
That is, Alice generates the N privacy values {x_0, x_1, …, x_{N-1}} arranged in sequence in the aforementioned sharing OT protocol. The privacy value x_j with any sequence number j among the N privacy values may be obtained by processing the sequence number j and the privacy value L0 using the target operation rule g, for example by taking the product of the sequence number j and L0, so that the privacy value with sequence number a1 equals the result of processing a1 and L0 using the target operation rule g.
At step 405, Bob, using the fragment a1 as the sequence number p, and Alice, using the N privacy values she generated, jointly execute the sharing OT protocol, so that Bob obtains a first fragment c10 of the target privacy value with sequence number a1 among the N privacy values generated by Alice, and Alice obtains a second fragment c11 of that target privacy value.
At step 406, Alice computes the fragment m0 from the fragment a0, the fragment b0, the fragment c00, and the fragment c11. For example, Alice may calculate m0 by the formula m0 = a0 × b0 + c00 + c11 or a variant of it.
At step 407, Bob computes the fragment m1 from the fragment a1, the fragment b1, the fragment c01, and the fragment c10. For example, Bob may calculate m1 by the formula m1 = a1 × b1 + c01 + c10 or a variant of it.
Referring to the calculation process of calculating m0 and m1 by Alice and Bob, the result of summing m0 and m1 is equal to the result of processing a and b by using the target operation rule, so that Alice and Bob complete the secure multi-party calculation of the privacy value a and the privacy value b through the above-mentioned steps 400 to 407 based on the sharing OT protocol. It will also be appreciated that the addition and multiplication operations in the aforementioned formulas for computing slices may also be replaced with exclusive-or operations.
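The following Python sketch is an added example, not code from the patent: it runs steps 100 to 110 of the sharing OT protocol with e = (p + i) % N and formula 1, then calls it twice to carry out steps 400 to 407 (case 3) with N = 2. Assumptions: t = 32, h is SHA-256 truncated to t bits, a third-party dealer stands in for the Random OT phase, both parties are simulated in one process, and all function names are illustrative.

```python
import hashlib
import secrets

T = 32          # assumed bit length t of every privacy value
MOD = 1 << T    # all arithmetic is in the modulo-2^t space


def h(r: int) -> int:
    """Second preset operation rule h (assumed here: SHA-256 truncated to t bits)."""
    digest = hashlib.sha256(r.to_bytes(16, "big")).digest()
    return int.from_bytes(digest, "big") % MOD


def deal_random_ot(n: int):
    """Third-party dealer standing in for Random OT.

    Bob receives r_0..r_{N-1}; Alice receives only (i, r_i).
    """
    rs = [secrets.randbits(128) for _ in range(n)]
    i = secrets.randbelow(n)
    return rs, (i, rs[i])


def share_ot(p: int, xs: list):
    """Steps 100-110, with receiver and sender simulated in one process.

    p  : the receiver's private sequence number
    xs : the sender's N privacy values
    Returns (c0, c1, transcript) where c0 + c1 = xs[p] (mod 2^t).
    """
    n = len(xs)
    if not 0 <= p < n:
        raise ValueError("p must satisfy 0 <= p <= N-1")
    xs = [x % MOD for x in xs]
    rs, (i, r_i) = deal_random_ot(n)

    # Steps 100/102 (receiver): e is the only receiver-to-sender message.
    e = (p + i) % n

    # Steps 104/106 (sender): formula 1 for every j except e, N-1 values in total.
    h_e = h(rs[e])
    f = {j: (h(rs[j]) + h_e - xs[0] + xs[(e - j) % n]) % MOD
         for j in range(n) if j != e}

    # Step 108 (receiver): p == 0 means e == i, so f_i was never sent.
    c0 = h(r_i) if p == 0 else (f[i] - h(r_i)) % MOD

    # Step 110 (sender): computed without any further message.
    c1 = (xs[0] - h_e) % MOD
    return c0, c1, {"e": e, "f": f}


def mul_shared_bit_by_shared_int(a0: int, b0: int, a1: int, b1: int):
    """Steps 400-407 (case 3) with N = 2 and g = product.

    Alice holds (a0, b0), Bob holds (a1, b1), a = a0 XOR a1, b = b0 + b1.
    Returns additive fragments (m0, m1) of a * b in the modulo-2^t space.
    """
    # Execution process 1: Bob is the sender, Alice receives with p = a0.
    l1 = (b1 - 2 * a1 * b1) % MOD
    c00, c01, _ = share_ot(a0, [(j * l1) % MOD for j in range(2)])

    # Execution process 2: Alice is the sender, Bob receives with p = a1.
    l0 = (b0 - 2 * a0 * b0) % MOD
    c10, c11, _ = share_ot(a1, [(j * l0) % MOD for j in range(2)])

    m0 = (a0 * b0 + c00 + c11) % MOD   # step 406, computed by Alice
    m1 = (a1 * b1 + c01 + c10) % MOD   # step 407, computed by Bob
    return m0, m1


if __name__ == "__main__":
    # Constructed sample inputs: a = 1 XOR 0 = 1, b = 1000 + 234 = 1234.
    m0, m1 = mul_shared_bit_by_shared_int(1, 1000, 0, 234)
    print("m0 + m1 mod 2^t =", (m0 + m1) % MOD)
```

The transcript returned by `share_ot` makes the communication cost visible: one sequence number from receiver to sender and N-1 intermediate values back.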
FIG. 5 is a fourth process diagram of a secure multi-party computing method based on the sharing OT protocol. In the implementation shown in fig. 5, Alice acts as the receiver (i.e., the first party) of the sharing OT protocol and Bob acts as the sender (i.e., the second party) of the sharing OT protocol. As shown in fig. 5, Alice and Bob can perform secure multi-party computation on the privacy value a and the privacy value b through steps 500 to 502 in the data holding case 4.
First, at step 500, Bob generates N privacy values in a sequential order from the slice a1 and the privacy value b.
That is, Bob generates the N privacy values {x_0, x_1, …, x_{N-1}} arranged in sequence in the aforementioned sharing OT protocol. The privacy value x_j with any sequence number j is obtained by processing the XOR result for sequence number j and the privacy value b (i.e., the fifth privacy value) using the target operation rule g, where the XOR result for sequence number j is obtained by performing an exclusive-or operation on the sequence number j and the fragment a1 (i.e., the sixth privacy value), so that the target privacy value with sequence number a0 (i.e., the third privacy value) among the N privacy values equals the result of processing the privacy value b and the privacy value a using the target operation rule, for example the result of taking the product of the privacy value a and the privacy value b.
Next, at step 502, Alice, using the fragment a0 as the sequence number p, and Bob, using the N privacy values he generated, jointly execute the sharing OT protocol, so that Alice obtains a first fragment c0 of the target privacy value with sequence number a0 among the N privacy values generated by Bob, and Bob obtains a second fragment c1 of that target privacy value. The result of the summation operation or the exclusive-or operation performed on the first fragment c0 and the second fragment c1 equals the result of processing a and b using the target operation rule.
Through the technical solutions of the embodiments of this specification, when the second party holds N privacy values and the first party holds the sequence number of the target privacy value among the N privacy values, the first party and the second party can each obtain one fragment of the target privacy value by executing the sharing OT protocol while the target privacy value and its sequence number are kept secure. The first party and the second party can then realize secure multi-party computation on two privacy values based on the sharing OT protocol, with a smaller amount of data to transmit and fewer communication rounds, so that the secure multi-party computation is completed more efficiently.
It should be particularly noted that in the foregoing method embodiments shown in fig. 2 to fig. 5, when the privacy value a is a single-bit value in a modulo-2 space, the value of N may generally be 2, so that the amount of computation performed by Alice and Bob when implementing secure multiparty computation on a and b may be reduced more effectively.
Based on the same concept as the foregoing method embodiments, in an embodiment of the present specification, an execution apparatus for sharing OT is further provided, where the execution apparatus involves a first party and a second party, the second party holds N privacy values arranged in sequence and N random numbers arranged in sequence, the first party holds a first sequence number of a target privacy value among the N privacy values, a target random number, and a second sequence number thereof among the N random numbers, and the apparatus is disposed at the second party. As shown in fig. 6, the apparatus includes: a communication processing unit 61 configured to receive, from the first party, a third sequence number calculated based on the first sequence number and the second sequence number; a first calculating unit 63, configured to calculate, based on the third sequence number, the N privacy values, and the N random numbers, intermediate data corresponding to each of the remaining N-1 privacy values except for the third sequence number; the communication processing unit 61 is further configured to send intermediate data corresponding to each of the N-1 privacy values to the first party, so that the first party calculates a first segment of the target privacy value; a second calculating unit 65 configured to calculate a second segment of the target privacy value based on the random number with the third sequence number and the privacy value arranged at the top, wherein a result of processing the first segment and the second segment by using a first preset operation rule is equal to the target privacy value.
Based on the same concept as the foregoing method embodiments, in an embodiment of the present specification, an execution apparatus for sharing OT is further provided, where the execution apparatus involves a first party and a second party, the second party holds N privacy values arranged in sequence and N random numbers arranged in sequence, the first party holds a first sequence number of a target privacy value among the N privacy values, a target random number, and a second sequence number thereof among the N random numbers, and the apparatus is deployed at the first party. As shown in fig. 7, the apparatus includes: a communication processing unit 71, configured to send a third sequence number calculated based on the first sequence number and the second sequence number to the second party, so that the second party calculates a second segment of the target privacy value based on a random number with a sequence number as the third sequence number and a privacy value arranged at the top, and returns intermediate data corresponding to each of the remaining N-1 privacy values except for the sequence number as the third sequence number; a calculation processing unit 73 configured to calculate a first segment of the target privacy value at least according to the first sequence number and the target random number, wherein a result obtained by processing the first segment and the second segment by using a first preset operation rule is equal to the target privacy value.
Based on the same concept as the foregoing method embodiments, an embodiment of the present specification further provides a secure multi-party computing device based on the sharing OT protocol, involving a first party and a second party, where the first party holds a third privacy value to be used as a first sequence number, the second party holds a second privacy value, and the device is deployed at the second party. As shown in fig. 8, the device includes: a calculation processing unit 81 configured to generate N privacy values arranged in sequence, where the privacy value with any sequence number j is obtained by processing the sequence number j and the second privacy value using a target operation rule, so that the privacy value whose sequence number is the third privacy value equals the result of processing the third privacy value and the second privacy value using the target operation rule; and a call processing unit 83 configured to, for the N privacy values and the third privacy value serving as the first sequence number, jointly execute the sharing OT protocol with the first party through the sharing OT execution device deployed at the second party in the embodiments of the present specification, to obtain a second segment of the target privacy value whose sequence number is the third privacy value, and to enable the first party to correspondingly obtain a first segment of the target privacy value whose sequence number is the third privacy value.
Based on the same concept as the foregoing method embodiments, in an embodiment of the present specification, there is also provided a secure multi-party computing device based on a shared OT protocol, involving a first party and a second party, the first party holding a third privacy value to be used as a first serial number, the second party holding a second privacy value, and the device being deployed on the first party. The device is used for executing, by the execution device disposed on the sharing OT of the first party and the second party, the sharing OT protocol jointly for the third privacy value and the N privacy values as the first sequence number, obtaining a first segment of the target privacy value with the third privacy value as the sequence number, and enabling the second party to obtain a second segment of the target privacy value with the third privacy value as the sequence number, wherein the privacy value with any sequence number j is obtained by the second party processing the sequence number j and the second privacy value by using the target operation rule, and the privacy value with the sequence number as the third privacy value is made equal to a result of processing the third privacy value and the second privacy value by using the target operation rule.
Those skilled in the art will recognize that in one or more of the examples described above, the functions described in this specification can be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, a computer program corresponding to these functions may be stored in a computer-readable medium or transmitted as one or more instructions/codes on the computer-readable medium, so that when the computer program corresponding to these functions is executed by a computer, the method described in any one of the embodiments of the present specification is implemented by the computer.
Also provided in an embodiment of the present specification is a computer-readable storage medium having stored thereon a computer program/instruction, which, when executed in a computing device, executes an execution method for sharing OT implemented by a first party or a second party provided in any one of the embodiments of the present specification, or executes a secure multi-party computing method based on a shared OT protocol implemented by a first party or a second party provided in any one of the embodiments of the present specification.
An embodiment of the present specification further provides a computing device, including a memory and a processor, where the memory stores a computer program/instruction, and when the processor executes the computer program/instruction, the computing device implements an execution method of the shared OT protocol implemented by the first party or the second party provided in any one embodiment of the present specification, or implements a secure multi-party computing method based on the shared OT protocol implemented by the first party or the second party provided in any one embodiment of the present specification.
In the present specification, each embodiment is described in a progressive manner, and the same and similar parts in each embodiment are referred to each other, and each embodiment focuses on differences from other embodiments. In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The foregoing description of specific embodiments has been presented for purposes of illustration and description. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The specific embodiments above further describe the objects, technical solutions and advantages of the present invention in detail. It should be understood that they are only exemplary embodiments of the present invention and are not intended to limit its scope; any modifications, equivalent substitutions, improvements and the like made on the basis of the technical solutions of the present invention should be included in the scope of the present invention.

Claims (30)

1. An execution method for a shared oblivious transfer (OT) protocol, involving a first party and a second party, wherein the second party holds N privacy values and N random numbers, and the first party holds a first sequence number of a target privacy value among the N privacy values, a target random number among the N random numbers, and a second sequence number of that target random number, the method being applied to the second party and comprising:
receiving, from the first party, a third sequence number calculated based on the first sequence number and the second sequence number;
calculating, based on the third sequence number, the N privacy values and the N random numbers, intermediate data corresponding to each of the remaining N-1 privacy values other than the one whose sequence number is the third sequence number;
sending the intermediate data corresponding to the N-1 privacy values to the first party, so that the first party calculates a first fragment of the target privacy value;
and calculating a second fragment of the target privacy value based on the random number whose sequence number is the third sequence number and the privacy value arranged at the head, wherein the result of processing the first fragment and the second fragment using a first preset operation rule is equal to the target privacy value.
2. The method of claim 1, further comprising: receiving the N random numbers from a third party; wherein the target random number and the second sequence number are sent to the first party by the third party.
3. The method of claim 1, wherein the third sequence number is the result of taking, modulo N, the sum of the first sequence number and the second sequence number, and the result of a summation operation on the first fragment and the second fragment is equal to the target privacy value.
4. The method of claim 1, wherein the third sequence number is obtained by XORing the first sequence number and the second sequence number, and the result of XORing the first fragment and the second fragment is equal to the target privacy value.
5. The method according to any one of claims 1 to 4, wherein calculating, based on the third sequence number, the N privacy values and the N random numbers, the intermediate data corresponding to each of the remaining N-1 privacy values other than the one whose sequence number is the third sequence number comprises: for any privacy value with sequence number j other than the third sequence number, processing the random number with sequence number j according to a second preset operation rule to obtain a corresponding first data item, and calculating the intermediate data with sequence number j, corresponding to the privacy value with sequence number j, based on the first data item, a second data item, a third data item and the privacy value arranged at the head, wherein the second data item is obtained by processing the random number whose sequence number is the third sequence number using the second preset operation rule, the third data item is the privacy value with sequence number y, and y is equal to the result of taking, modulo N, the difference between the third sequence number and j.
6. The method of claim 5, wherein calculating a second fragment of the target privacy value based on the random number whose sequence number is the third sequence number and the privacy value arranged at the head comprises: calculating the second fragment of the target privacy value based on the second data item and the privacy value arranged at the head.
7. The method of claim 5, the N privacy values each being t bits in length; the processing the random number with the sequence number j according to the second preset operation rule to obtain the corresponding first data item comprises: calculating a hash value with the length of t bits of the random number with the sequence number of j as a corresponding first data item; or, for the random number with the sequence number j and the length larger than t bits, extracting a bit sequence with the length of t bits from a preset position, and taking the data represented by the bit sequence as a first data item corresponding to the random number with the sequence number j.
8. An execution method for a shared oblivious transfer (OT) protocol, involving a first party and a second party, the second party holding N privacy values and N random numbers, the first party holding a first sequence number of a target privacy value among the N privacy values, a target random number among the N random numbers, and a second sequence number of that target random number, the method being applied to the first party and comprising: sending a third sequence number calculated based on the first sequence number and the second sequence number to the second party, so that the second party calculates a second fragment of the target privacy value based on the random number whose sequence number is the third sequence number and the privacy value arranged at the head, and returns intermediate data corresponding to each of the remaining N-1 privacy values other than the one whose sequence number is the third sequence number;
and calculating a first fragment of the target privacy value at least according to the first sequence number and the target random number, wherein the result of processing the first fragment and the second fragment using a first preset operation rule is equal to the target privacy value.
9. The method of claim 8, the N random numbers being sent by a third party to the second party; the method further comprises the following steps: receiving the target random number and the second sequence number from the third party.
10. The method of claim 8, wherein the third sequence number is the result of taking, modulo N, the sum of the first sequence number and the second sequence number, and the result of a summation operation on the first fragment and the second fragment is equal to the target privacy value.
11. The method of claim 1, the third sequence number being the result of an exclusive-or operation on the first sequence number and the second sequence number, the result of the exclusive-or operation on the first fragment and the second fragment being equal to the target privacy value.
12. The method of any of claims 8-11, wherein calculating a first fragment of the target privacy value based at least on the first sequence number and the target random number comprises: processing the target random number using a second preset operation rule to obtain a fourth data item; and determining, based on the first sequence number, whether the target privacy value is the privacy value arranged at the head; if so, taking the fourth data item as the first fragment of the target privacy value; otherwise, calculating the first fragment of the target privacy value based on the fourth data item and the intermediate data corresponding to the privacy value whose sequence number is the second sequence number.
13. The method of claim 12, the N privacy values each being t bits in length; the processing the target random number by using a second preset operation rule to obtain a fourth data item includes: calculating a hash value of the target random number with the length of t bits as a fourth data item; or, for the target random number with the length larger than t bits, extracting a bit sequence with the length of t bits from a preset position, and taking data represented by the bit sequence with the length of t bits as a fourth data item.
14. A secure multi-party computing method based on a shared oblivious transfer (OT) protocol, involving a first party holding a third privacy value to be used as a first sequence number and a second party holding a second privacy value, the method being applied to the second party, the method comprising:
generating N privacy values arranged in sequence, wherein any privacy value with the sequence number j is obtained by processing the sequence number j and the second privacy value by using a target operation rule, and the privacy value with the sequence number of the third privacy value is equal to the result of processing the third privacy value and the second privacy value by using the target operation rule;
jointly executing with the first party, by the method according to any one of claims 1 to 7, the shared OT protocol for the N privacy values and the third privacy value serving as the first sequence number, to obtain a second fragment of the target privacy value whose sequence number is the third privacy value, and enabling the first party to correspondingly obtain a first fragment of the target privacy value whose sequence number is the third privacy value.
15. The method of claim 14, the second privacy value and the third privacy value being two fragments of a fourth privacy value in modulo-2 space, the first fragment and the second fragment each having a length of t bits, t being greater than 1; the result of the exclusive-or operation on the second privacy value and the third privacy value is equal to the result of the summation operation on the first fragment and the second fragment.
16. The method of claim 14, the target operation rule comprising a sum operation, a product operation, a bitwise and operation, a bitwise or operation, or a bitwise xor operation.
17. The method of claim 14, the first party further holding a fourth privacy value, the sum of the second privacy value and the fourth privacy value being equal to a fifth privacy value; the sum of the second fragment and a third fragment is equal to the product of the third privacy value and the fifth privacy value, wherein the third fragment is calculated by the first party based on the third privacy value, the fourth privacy value, and the first fragment.
18. The method of claim 14, the first party further holding a fourth privacy value, the second party further holding a sixth privacy value and a seventh privacy value, the third privacy value and the sixth privacy value being two exclusive-or fragments of an eighth privacy value within a modulo-2 space, the sum of the fourth privacy value and the seventh privacy value being equal to a fifth privacy value; the second privacy value is calculated by the second party based on the sixth privacy value and the seventh privacy value, and the second fragment is used for calculating a product of the fifth privacy value and the eighth privacy value.
19. A secure multi-party computing method based on a shared oblivious transfer (OT) protocol, involving a first party holding a third privacy value to be used as a first sequence number and a second party holding a second privacy value, the method being applied to the first party, the method comprising: jointly executing with the second party, by the method according to any one of claims 8 to 13, the shared OT protocol for the third privacy value serving as the first sequence number and N privacy values, to obtain a first fragment of the target privacy value whose sequence number is the third privacy value, and enabling the second party to obtain a second fragment of the target privacy value whose sequence number is the third privacy value, wherein the privacy value with any sequence number j is obtained by the second party processing the sequence number j and the second privacy value using a target operation rule, so that the privacy value whose sequence number is the third privacy value is equal to the result of processing the third privacy value and the second privacy value using the target operation rule.
20. The method of claim 19, the second privacy value and the third privacy value being two fragments of a fourth privacy value in modulo-2 space, the first fragment and the second fragment each having a length of t bits, t being greater than 1; the result of the exclusive-or operation on the second privacy value and the third privacy value is equal to the result of the summation operation on the first fragment and the second fragment.
21. The method of claim 19, the target operation rule comprising a sum operation, a product operation, a bitwise and operation, a bitwise or operation, or a bitwise xor operation.
22. The method of claim 19, the sum of the second privacy value and a fourth privacy value held by the first party being equal to a fifth privacy value; the method further comprising: calculating a third fragment based on the third privacy value, the fourth privacy value, and the first fragment, such that the sum of the second fragment and the third fragment equals the product of the third privacy value and the fifth privacy value.
23. The method of claim 19, the first party further holding a fourth privacy value, the second party further holding a sixth privacy value and a seventh privacy value, the third privacy value and the sixth privacy value being two exclusive-or fragments of an eighth privacy value within a modulo-2 space, the sum of the fourth privacy value and the seventh privacy value being equal to a fifth privacy value; the second privacy value is calculated by the second party based on the sixth privacy value and the seventh privacy value, and the first fragment is used for calculating a product of the fifth privacy value and the eighth privacy value.
24. A secure multi-party computing method based on a shared oblivious transfer (OT) protocol, involving a first party holding a third privacy value to be used as a first sequence number and a second party holding a fifth privacy value and a sixth privacy value, the third privacy value and the sixth privacy value being two XOR fragments, in modulo-2 space, of an eighth privacy value, the method being applied to the first party, the method comprising: the second party generates N privacy values arranged in order, wherein the privacy value with any sequence number j is equal to the result of processing the XOR result with sequence number j and the fifth privacy value using a target operation rule, and the XOR result with sequence number j is obtained by XORing the sequence number j with the sixth privacy value, so that the target privacy value whose sequence number is the third privacy value is equal to the result of processing the fifth privacy value and the eighth privacy value using the target operation rule;
the first party and the second party jointly execute the shared OT protocol, using the method of any one of claims 1 to 13, for the N privacy values and the third privacy value serving as the first sequence number, and respectively obtain a first fragment and a second fragment of the target privacy value whose sequence number is the third privacy value.
25. An execution apparatus for a shared oblivious transfer (OT) protocol, involving a first party and a second party, the second party holding N privacy values and N random numbers, the first party holding a first sequence number of a target privacy value among the N privacy values, a target random number among the N random numbers, and a second sequence number of that target random number, the apparatus being deployed at the second party, the apparatus comprising:
a communication processing unit configured to receive, from the first party, a third sequence number calculated based on the first sequence number and the second sequence number;
a first calculating unit, configured to calculate, based on the third sequence number, the N privacy values, and the N random numbers, intermediate data corresponding to each of the remaining N-1 privacy values other than the one whose sequence number is the third sequence number;
the communication processing unit is further configured to send intermediate data corresponding to each of the N-1 privacy values to the first party, so that the first party calculates a first segment of the target privacy value;
and the second calculating unit is configured to calculate a second fragment of the target privacy value based on the random number with the sequence number as the third sequence number and the privacy value arranged at the head, wherein the result of processing the first fragment and the second fragment by using a first preset operation rule is equal to the target privacy value.
26. An execution apparatus for a shared oblivious transfer (OT) protocol, involving a first party and a second party, the second party holding N privacy values and N random numbers, the first party holding a first sequence number of a target privacy value among the N privacy values, a target random number among the N random numbers, and a second sequence number of that target random number, the apparatus being deployed at the first party, the apparatus comprising:
a communication processing unit configured to send a third sequence number calculated based on the first sequence number and the second sequence number to the second party, so that the second party calculates a second fragment of the target privacy value based on the random number whose sequence number is the third sequence number and the privacy value arranged at the head, and returns intermediate data corresponding to each of the remaining N-1 privacy values other than the one whose sequence number is the third sequence number;
and the calculation processing unit is configured to calculate a first fragment of the target privacy value at least according to the first sequence number and the target random number, wherein a result obtained by processing the first fragment and the second fragment by using a first preset operation rule is equal to the target privacy value.
27. A secure multi-party computing device based on a shared oblivious transfer (OT) protocol, involving a first party holding a third privacy value to be used as a first sequence number and a second party holding a second privacy value, the device being deployed at the second party, the device comprising:
a calculation processing unit configured to generate N privacy values arranged in order, wherein the privacy value with any sequence number j is obtained by processing the sequence number j and the second privacy value using a target operation rule, so that the privacy value whose sequence number equals the third privacy value is equal to the result of processing the third privacy value and the second privacy value using the target operation rule;
a call processing unit, configured to jointly execute with the first party, by the shared OT execution apparatus of claim 26, the shared OT protocol for the N privacy values and the third privacy value serving as the first sequence number, to obtain a second fragment of the target privacy value whose sequence number is the third privacy value, and to make the first party correspondingly obtain a first fragment of the target privacy value whose sequence number is the third privacy value.
28. A secure multi-party computing device based on a shared oblivious transfer (OT) protocol, involving a first party holding a third privacy value to be used as a first sequence number and a second party holding a second privacy value, said device being deployed at said first party, said device being configured to jointly execute with said second party, by the shared OT execution apparatus of claim 27, the shared OT protocol for said third privacy value serving as the first sequence number and N privacy values, to obtain a first fragment of the target privacy value whose sequence number is said third privacy value, and to enable said second party to obtain a second fragment of the target privacy value whose sequence number is said third privacy value, wherein the privacy value with any sequence number j is obtained by said second party processing the sequence number j and said second privacy value using a target operation rule, so that the privacy value whose sequence number equals said third privacy value is equal to the result of processing said third privacy value and said second privacy value using the target operation rule.
29. A computer-readable storage medium having stored thereon a computer program which, when executed in a computing device, performs the method of any of claims 1-23.
30. A computing device comprising a memory having stored therein a computer program and a processor that, when executing the computer program, implements the method of any of claims 1-23.
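The exchange in claims 1 to 13, and the table construction of claims 14 and 16 built on it, as an added Python example that is not part of the patent text. The additive formulas for the intermediate data and the second fragment are an assumed instantiation consistent with claims 3, 5 to 7 and 12; SHA-256 truncated to t bits stands in for the t-bit hash, t = 32 is an assumption, and all function names are hypothetical.

```python
import hashlib
import secrets

T_BITS = 32            # assumed bit length t of every privacy value
MOD = 1 << T_BITS      # fragments are combined by addition modulo 2^t (claim 3)


def h(r: bytes) -> int:
    """Second preset operation rule (claims 7, 13): t-bit hash of a random number.
    SHA-256 truncated to t bits is an assumption of this example."""
    return int.from_bytes(hashlib.sha256(r).digest()[: T_BITS // 8], "big")


def dealer(n: int):
    """Third party (claims 2, 9): the N random numbers go to the second party;
    one of them, with its sequence number c, goes to the first party.
    The material is single-use: reusing it across runs lets the second party
    link requests, since d - d' = i - i' (mod N)."""
    rands = [secrets.token_bytes(16) for _ in range(n)]
    c = secrets.randbelow(n)
    return rands, (c, rands[c])


def first_party_request(i: int, c: int, n: int) -> int:
    """Third sequence number d = (i + c) mod N; c is uniform, so d hides i."""
    if not 0 <= i < n:
        raise ValueError("first sequence number out of range")
    return (i + c) % n


def second_party_respond(d: int, values, rands):
    """Intermediate data for every j != d, plus the second fragment (claims 1, 5, 6)."""
    n = len(values)
    mask_d = h(rands[d])                 # second data item
    inter = {}
    for j in range(n):
        if j == d:
            # Sending this entry would expose 2*H(r_d), i.e. the mask itself.
            continue
        y = (d - j) % n                  # third data item is values[y]
        inter[j] = (values[y] - values[0] + mask_d + h(rands[j])) % MOD
    second_fragment = (values[0] - mask_d) % MOD
    return inter, second_fragment


def first_party_finish(i: int, c: int, r_c: bytes, inter) -> int:
    """First fragment (claim 12): the fourth data item alone when the target is the
    head value, otherwise intermediate data number c unmasked with it."""
    fourth = h(r_c)
    if i == 0:
        return fourth
    return (inter[c] - fourth) % MOD


def shared_ot(values, i: int):
    """Runs both roles in one process; returns (first fragment, second fragment, d, inter)."""
    n = len(values)
    rands, (c, r_c) = dealer(n)
    d = first_party_request(i, c, n)
    inter, frag2 = second_party_respond(d, values, rands)
    frag1 = first_party_finish(i, c, r_c, inter)
    return frag1, frag2, d, inter


def shared_product(a: int, b: int, n: int):
    """Claims 14 and 16 with the product rule: the second party tabulates j*b for
    every j, and the first party selects entry a without revealing it."""
    table = [(j * b) % MOD for j in range(n)]
    frag1, frag2, _, _ = shared_ot(table, a)
    return frag1, frag2


if __name__ == "__main__":
    vals = [11, 22, 33, 44, 55, 66, 77, 88]   # constructed sample privacy values
    f1, f2, _, _ = shared_ot(vals, 5)
    print("fragments", f1, f2, "reconstruct to", (f1 + f2) % MOD)
    p1, p2 = shared_product(3, 7, 8)
    print("product fragments reconstruct to", (p1 + p2) % MOD)
```

Neither fragment alone reveals the selected value: the second fragment is the head value masked by a hash the first party never sees, and the first fragment carries the same mask with the opposite sign.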
CN202210619377.XA 2022-06-02 2022-06-02 Execution method of sharing OT protocol, secure multi-party computing method and device Pending CN115001674A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202210619377.XA CN115001674A (en) 2022-06-02 2022-06-02 Execution method of sharing OT protocol, secure multi-party computing method and device
PCT/CN2022/135294 WO2023231340A1 (en) 2022-06-02 2022-11-30 Execution method and device for shared ot protocol, and secure multi-party computation method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210619377.XA CN115001674A (en) 2022-06-02 2022-06-02 Execution method of sharing OT protocol, secure multi-party computing method and device

Publications (1)

Publication Number Publication Date
CN115001674A true CN115001674A (en) 2022-09-02

Family

ID=83030326

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210619377.XA Pending CN115001674A (en) 2022-06-02 2022-06-02 Execution method of sharing OT protocol, secure multi-party computing method and device

Country Status (2)

Country Link
CN (1) CN115001674A (en)
WO (1) WO2023231340A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023231340A1 (en) * 2022-06-02 2023-12-07 蚂蚁区块链科技(上海)有限公司 Execution method and device for shared ot protocol, and secure multi-party computation method and device

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117520970B (en) * 2024-01-05 2024-03-29 同盾科技有限公司 Symbol position determining method, device and system based on multiparty security calculation

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11190496B2 (en) * 2019-02-12 2021-11-30 Visa International Service Association Fast oblivious transfers
WO2021237437A1 (en) * 2020-05-26 2021-12-02 云图技术有限公司 Data processing method and apparatus employing secure multi-party computation, and electronic device
CN114297726A (en) * 2021-12-28 2022-04-08 支付宝(杭州)信息技术有限公司 Multiplication execution method and device based on secure multi-party calculation
CN115001674A (en) * 2022-06-02 2022-09-02 蚂蚁区块链科技(上海)有限公司 Execution method of sharing OT protocol, secure multi-party computing method and device

Also Published As

Publication number Publication date
WO2023231340A1 (en) 2023-12-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination