CN115865311A - Optimization method and system for efficient constant-round secure multi-party computing protocol - Google Patents

Publication number: CN115865311A
Application number: CN202211358995.XA
Authority: CN (China)
Legal status: Granted; active
Other languages: Chinese (zh)
Other versions: CN115865311B
Inventors: 王永军, 熊坤, 张静, 闫玺玺, 汤永利
Original and current assignee: Henan University of Technology
Prior art keywords: participant, protocol, triples, value, secret
Events: application filed by Henan University of Technology; publication of CN115865311A; application granted; publication of CN115865311B; priority to PCT/CN2023/128096 (WO2024051864A1)

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06: ... the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/40: Network security protocols

Abstract

The application relates to the technical field of computers and provides an optimization method and system for an efficient constant-round secure multi-party computing protocol. The method comprises the following steps: all participants execute the optimized Tiny-OT protocol in parallel to generate a plurality of Beaver multiplication triples (AND triples for short); the AND triples are used to generate the related random information for constructing the garbled circuit without identity authentication and to perform the multiplication of random shares in the online evaluation phase to decrypt the circuit; each participant P_i linearly combines the commitment values of the plurality of AND triples to obtain a commitment combination result; each participant P_i opens the commitment combination result and checks the correctness of the AND triples. By batching the correctness check of the AND triples in the optimized Tiny-OT protocol, the generation of the AND triples and their correctness check are integrated into one protocol, the number of commitments and the number of hash function calls needed for the correctness check are reduced, and additional OT operations to decrypt the circuit are avoided, which optimizes communication efficiency.

Description

Optimization method and system for efficient constant round secure multi-party computing protocol
Technical Field
The application relates to the technical field of computers, in particular to an optimization method and system of an efficient constant round secure multi-party computing protocol.
Background
In secure multi-party computing (MPC), each participant has its private input and computes the function f jointly, while ensuring privacy of the input and correctness of the computation.
The secure two-party computation protocol based on Yao's garbled circuit (GC) achieves security in the semi-honest adversary model. However, secure multi-party computation protocols for n participants have received less attention, especially with respect to a dishonest majority and constant rounds, and progress has been relatively slow. In the n-party setting, the construction of the garbled circuit becomes more complex and each participant needs to construct the garbled circuit in a distributed manner; the method realizing distributed garbling is called the BMR protocol, which divides an MPC protocol into a preprocessing phase and an online evaluation phase and needs only one constant-depth circuit.
In particular, the preprocessing phase of the BMR protocol includes the Tiny-OT protocol for generating the related random information and the distributed garbling protocol for generating an unauthenticated garbled circuit. This structure shifts a large amount of computation to the preprocessing phase, the main cost being the F_2 multiplications per AND gate. Although it effectively improves the computational efficiency of the online evaluation phase, many key building blocks in the Tiny-OT protocol still need improvement.
Therefore, there is a need to provide an improved solution to the above-mentioned deficiencies of the prior art.
Disclosure of Invention
The application aims to provide an optimization method and system for an efficient constant-round secure multi-party computing protocol, and solves or alleviates the problems in the prior art by improving the AND-triple generation and the key building blocks for correctness checking in the Tiny-OT protocol.
In order to achieve the above purpose, the present application provides the following technical solutions:
the application provides an optimization method for an efficient constant-round secure multi-party computing protocol, wherein the secure multi-party computing protocol comprises a preprocessing phase and an online evaluation phase; the protocol has a plurality of participants, P_i representing the i-th participant, where i takes the values 1, 2, …, n and n is the total number of participants; the method comprises the following steps:
all participants execute the optimized Tiny-OT protocol in parallel to generate a plurality of AND triples; the AND triples are used to generate the garbled circuit in the preprocessing phase and for the computations of the online evaluation phase;
each participant P_i linearly combines the commitment values of the plurality of AND triples to obtain a commitment combination result;
each participant P_i opens the commitment combination result and checks the correctness of the plurality of AND triples.
Preferably, each AND triple of the plurality of AND triples comprises a first secret share [x], a second secret share [y] and a third secret share [z]; the optimized Tiny-OT protocol generates the τ-th AND triple of the plurality of AND triples by the following steps:
step S201, each participant P_i generates a global key Δ_i, and
Figure BDA0003921586490000021
wherein Δ_i is a k-bit binary number, k is a preset security parameter, and lsb(Δ_i) denotes taking the last bit of Δ_i;
Figure BDA0003921586490000022
represents an exclusive or operation;
step S202, each participant P_i obtains a first secret share [x], a second secret share [y] and a fourth secret share [r] by executing the correlated oblivious transfer protocol COT; the first secret share [x], the second secret share [y] and the fourth secret share [r] respectively comprise the share values x_i, y_i, r_i held by participant P_i, the message authentication codes corresponding to x_i, y_i, r_i, and the keys corresponding to x_i, y_i, r_i;
step S203, each participant P_i locally computes a first intermediate value
Figure BDA0003921586490000023
Figure BDA0003921586490000024
In the formula:
Figure BDA0003921586490000025
represents the key held by P_i corresponding to y_l; y_l represents the value of the second secret share [y] held by the l-th participant P_l;
Figure BDA0003921586490000026
represents the message authentication code held by P_i corresponding to y_i; y_i is the value of the second secret share [y] held by P_i; Δ_i is the global key of P_i;
step S204, for the ordered pair (P_i, P_j) of participants P_i and P_j, j ≠ i:
each participant P_i computes a second intermediate value u_{i,j}:
u_{i,j} = H(K_i[x_j], i||j||τ)
where H is a hash function; K_i[x_j] is the key held by P_i corresponding to x_j; x_j is the value of the first secret share [x] held by the j-th participant P_j;
participant P_i computes a third intermediate value v_{i,j}:
Figure BDA0003921586490000031
where
Figure BDA0003921586490000032
is the first intermediate value; Δ_j is the global key held by participant P_j;
participant P_i sends v_{i,j} to P_j;
participant P_j computes a fourth intermediate value w_{i,j}:
Figure BDA0003921586490000033
step S205, each participant P_i computes a fifth intermediate value U_i:
Figure BDA0003921586490000034
step S206, each participant P_i computes the commitment value for each AND triple:
Figure BDA0003921586490000035
where d = {d_i}; d_i = lsb(U_i); lsb(U_i) denotes taking the last bit of U_i;
step S207, when i ≠ 1, let [z_i]_i = [r_i]_i; otherwise let
Figure BDA0003921586490000036
to obtain [x], [y], [z].
Preferably, in step S202, each participant P_i obtaining the first secret share [x] by executing the correlated oblivious transfer protocol COT specifically comprises the following steps:
step S301, each participant P_i generates a random bit sequence of length m
Figure BDA0003921586490000037
as the first random bit sequence x, and additionally generates a random bit sequence of length k
Figure BDA0003921586490000038
as an additional random bit sequence o for ensuring the consistency of the global key Δ_i;
step S302, for the ordered pair (P_i, P_j) of participants P_i and P_j, j ≠ i, with participant P_i as the sender, the correlated oblivious transfer protocol COT is executed to obtain the first secret share [x] and the fourth secret share [o] corresponding to the first random bit sequence x and the additional random bit sequence o respectively, together with the message authentication codes and keys corresponding to [x] and [o];
step S303, consistency verification of the global key Δ_i is performed based on the first secret share [x] and the fourth secret share [o], and if the consistency verification passes, the first secret share [x] is output.
In the above technical solution, in step S303, performing consistency verification of the global key Δ_i based on the random shares [x], [o] comprises:
for the ordered pair (P_i, P_j) of any two of the n participants P_i, P_j, j ≠ i, participant P_i locally computes a first mapping value C_i from the first secret share [x] and the fourth secret share [o], and obtains the message authentication code M_j[C_i] corresponding to C_i and the key K_i[C_j];
each participant P_i obtains a random zero share
Figure BDA0003921586490000039
wherein
Figure BDA00039215864900000310
each participant P_i computes a second mapping value from the first mapping value C_i and the random zero share ρ_i
Figure BDA00039215864900000311
and broadcasts the second mapping value
Figure BDA0003921586490000041
to all participants;
each participant P_i, from the second mapping values
Figure BDA0003921586490000042
reconstructs a third mapping value c;
each participant P_i checks the consistency of the global key Δ_i from the first mapping value C_i, the third mapping value c, the message authentication code M_j[C_i] corresponding to C_i and the key K_i[C_j].
In the above technical solution, after all participants execute an optimized Tiny-OT protocol in parallel to generate a plurality of AND triples, the method further includes:
grouping the plurality of AND triples;
for each group, combining all AND triples within the group into one, to obtain a plurality of combinations;
pairing the plurality of combinations pairwise, and for the first combination {[x_1], [y_1], [z_1]} and the second combination {[x_2], [y_2], [z_2]} of each pair, executing the following steps to eliminate leakage:
each participant checks
Figure BDA0003921586490000043
for consistency;
let
Figure BDA0003921586490000044
[y] = [y_1],
Figure BDA0003921586490000045
and the AND triple [x], [y], [z] is output, where [z] = [x] × [y].
In the above technical solution, after each participant P_i opens the commitment combination result and checks the correctness of the plurality of AND triples, the method further comprises:
acquiring a Boolean circuit;
generating the related random information for constructing an unauthenticated garbled circuit based on the plurality of AND triples;
and generating the garbled circuit corresponding to the Boolean circuit from the related random information.
In the above technical solution, the AND garbled table of the garbled circuit comprises a garbler half-gate and an evaluator half-gate; the AND gate of the garbled circuit comprises a first input line, a second input line and an output line;
the method further comprises the following steps:
splitting the mask value of the output line into a first sub-mask and a second sub-mask, and splitting the key of the output line into a first sub-key and a second sub-key;
computing the garbler half-gate and the evaluator half-gate based on the first sub-mask and first sub-key and on the second sub-mask and second sub-key, respectively;
and XORing the garbler half-gate and the evaluator half-gate to obtain the external value of the output line.
The embodiment of the application also provides an optimization system for the efficient constant-round secure multi-party computing protocol; the secure multi-party computing protocol comprises a preprocessing phase and an online evaluation phase; the protocol has a plurality of participants, P_i representing the i-th participant, where i takes the values 1, 2, …, n and n is the total number of participants; the system comprises:
a generating unit configured to have all participants execute the optimized Tiny-OT protocol in parallel so as to generate a plurality of AND triples; the AND triples are used to generate the related random information for constructing the unauthenticated garbled circuit and to perform the multiplication of random shares in the online evaluation phase to decrypt the circuit;
a combination unit configured to have each participant P_i linearly combine the commitment values of the plurality of AND triples to obtain a commitment combination result;
a checking unit configured to have each participant P_i open the commitment combination result and check the correctness of the plurality of AND triples.
In the foregoing technical solution, each AND triple in the plurality of AND triples comprises a first secret share [x], a second secret share [y] and a third secret share [z]; the generating unit is further configured to perform steps S201 to S207 described above to generate the τ-th AND triple of the plurality of AND triples.
Beneficial effects:
In the technical scheme of the application, all participants execute the optimized Tiny-OT protocol in parallel to generate a plurality of AND triples; the AND triples are used to generate the related random information for constructing the unauthenticated garbled circuit and to perform the multiplication of random shares in the online evaluation phase to decrypt the circuit; each participant P_i linearly combines the commitment values of the plurality of AND triples to obtain a commitment combination result; each participant P_i opens the commitment combination result and checks the correctness of the AND triples. By batching the correctness check of the AND triples in the optimized Tiny-OT protocol, the generation of the AND triples and their correctness check are integrated into one protocol, the communication volume of the correctness check and the number of hash function calls are reduced, and communication efficiency is optimized.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate embodiments of the application and, together with the description, serve to explain the application and are not intended to limit the application. Wherein:
FIG. 1 is a schematic flow diagram of a method for optimizing an efficient constant round secure multi-party computing protocol according to some embodiments of the present application;
FIG. 2 is a schematic flow diagram of generating AND triples according to the optimized Tiny-OT protocol provided in accordance with some embodiments of the present application;
FIG. 3 is a schematic flow diagram of obtaining the first secret share [x] by executing the correlated oblivious transfer protocol COT according to some embodiments of the present application;
FIG. 4 is a block diagram of an optimization system for an efficient constant round secure multi-party computing protocol according to some embodiments of the present application.
Detailed Description
The present application will be described in detail below with reference to the embodiments with reference to the attached drawings. Various examples are provided by way of explanation of the present application and not limitation of the present application. In fact, it will be apparent to those skilled in the art that modifications and variations can be made in the present application without departing from the scope or spirit of the application. For instance, features illustrated or described as part of one embodiment, can be used with another embodiment to yield a still further embodiment. It is therefore intended that the present application cover the modifications and variations of this invention provided they come within the scope of the appended claims and their equivalents.
In the following description, references to the terms "first/second/third" merely distinguish between similar items and do not denote a particular order, but rather the terms "first/second/third" may, where permissible, be interchanged with a particular order or sequence, such that embodiments of the application described herein may be practiced in other than the order shown or described herein.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs. The terminology used herein is for the purpose of describing embodiments of the disclosure only and is not intended to be limiting of the disclosure.
In secure multi-party computation (MPC), each participant has a private input and the participants jointly compute a function f while ensuring the privacy of the inputs and the correctness of the computation. The secure two-party computation protocol based on Yao's garbled circuit (GC) achieves security in the semi-honest adversary model. Later, the cut-and-choose technique proposed by Lindell and Pinkas enabled security in the malicious adversary model. Currently, the computational efficiency of two-party protocols in the malicious model has increased by several orders of magnitude. However, the n-party computation protocol has received less attention and its progress is relatively slow, particularly in terms of dishonest majority and constant rounds. In the n-party setting, the construction of the garbled circuit becomes complicated and the parties need to build it in a distributed manner. This method of implementing distributed garbling, known as the BMR protocol, separates the MPC protocol into a preprocessing phase and an online phase and requires only one constant-depth circuit. Distributed garbling is a core tool of constant-round MPC protocols.
Existing multi-party constant-round MPC protocols can be divided into two styles according to the garbling method. One is the authenticated garbling proposed by Wang et al., and the other is the improved SPDZ-BMR by Hazay et al. Both construct the circuit in a distributed fashion, but the underlying protocols differ. The protocol of Wang et al. must generate some authenticated information, and their computation is asymmetric in that the authenticated circuit is constructed by one party and then evaluated by the other n-1 parties. In contrast, the SPDZ-BMR protocol of Hazay et al. is symmetric and follows the BMR paradigm, with the n parties together building an unauthenticated circuit and each obtaining a share of it.
For the SPDZ-BMR protocol, the preprocessing phase includes the Tiny-OT protocol and the distributed garbling protocol for creating unauthenticated AND triples. This general architecture shifts a large amount of computation to the preprocessing phase, the main cost being the multiplications per AND gate. Although this paradigm has significantly improved the efficiency of the online phase, we find that many key building blocks still need improvement, mainly the generation of unauthenticated AND triples and the correctness check. Intuitively, the Tiny-OT protocol is very practical for secure multi-party computing protocols based on secret sharing and on the BMR protocol, but its computational efficiency still leaves room for improvement.
Therefore, the method and system for optimizing the efficient constant-round secure multi-party computing protocol are provided based on the structure of the SPDZ-BMR protocol, and execute an actively secure constant-round secure multi-party computation (MPC) protocol that can tolerate any n-1 corrupted parties. In particular, the method follows the Tiny-OT protocol and the unauthenticated garbling scheme; at a high level, an optimized Tiny-OT protocol is first proposed for generating unauthenticated AND triples, which reduces the number of consistency checks and the number of hash function calls when generating the AND triples and avoids using additional OT operations to compute the garbled circuit, thereby improving communication efficiency. Specifically, with the method provided herein, approximately 50% fewer hash function calls are needed to generate shared random bits, and the number of commitments used in the consistency check protocol for AND triples is reduced to 1. The communication complexity is O(Bnk) (where B = O(k + s/log C), n is the total number of participants, k is the computational security parameter, and C is the number of AND gates in the circuit), so communication efficiency is greatly optimized.
In order to facilitate understanding of the technical scheme of the present application, the relevant parameters are defined as follows:
f: a function computed collectively by a plurality of participants;
k: preset calculation safety parameters;
s: preset statistical security parameters;
a·b: represents, for values in the range
Figure BDA0003921586490000091
multiplication or logical AND;
quadruple (x, y, z, ·): represents a gate in the circuit, where x, y are the input lines of the gate, z is its output line, and the last element is the type of the gate, which in a garbled circuit may be an XOR gate or an AND gate. The triple (x, y, z) represents an AND triple (AND triple), where x, y, z are secret-shared values.
In a garbled circuit, w represents any one line, and all lines form a set denoted W, where the set of input lines is denoted W_in and the set of output lines is denoted W_out.
The related art is explained in detail below:
the BMR protocol is explained first.
In a secure two-party computation protocol based on Yao's garbled circuit, the garbled table of the AND gate can be expressed by the following formulas:
C_{0,0} = E_{x,0}(E_{y,0}(k_{z,0}))
C_{0,1} = E_{x,0}(E_{y,1}(k_{z,0}))
C_{1,0} = E_{x,1}(E_{y,0}(k_{z,0}))
C_{1,1} = E_{x,1}(E_{y,1}(k_{z,1}))
where C represents the output value, E is the symmetric encryption algorithm, and k is the key.
The BMR protocol is an extension of Yao's garbled circuit protocol to the multi-party setting; the basic idea is to generate the circuit in a distributed manner so that no party (or subset of the parties) can know all the information used to generate the circuit. In addition, the garbled tables can be generated in parallel under the BMR protocol, so the generation of the garbled circuit is independent of the circuit depth and can be completed in the preprocessing phase. After the garbled circuit is generated, each participant receives a share of the garbled circuit and the associated keys and then evaluates it locally in the online phase.
In the BMR garbling protocol, each participant P_i randomly selects a pair of keys for each line w in the garbled circuit
Figure BDA0003921586490000092
and
Figure BDA0003921586490000093
The key of the output line is then encrypted with the keys of the input lines to construct the garbled table of the AND gate. In particular, the input-line keys
Figure BDA0003921586490000094
(
Figure BDA0003921586490000095
or
Figure BDA0003921586490000096
) and
Figure BDA0003921586490000097
(
Figure BDA0003921586490000098
or
Figure BDA0003921586490000099
) are used to encrypt the key of the output line, giving the following garbled table:
Figure BDA0003921586490000101
Figure BDA0003921586490000102
Figure BDA0003921586490000103
Figure BDA0003921586490000104
where F is a pseudo-random function (PRF), | denotes concatenation, and g is the index of the gate.
The above garbled table of the AND gate can be abbreviated as:
Figure BDA0003921586490000105
where j ∈ [n] and a, b, c ∈ [0,1].
It can be seen from the garbled table of the AND gate that in a secure multi-party computing protocol with n participants, one AND gate requires 4n ciphertexts, n times as many as in the garbled circuit of the secure two-party protocol, and the encryption is secure as long as at least one participant is honest.
In a secure multi-party computing protocol with n participants, the Free-XOR technique makes the evaluation of XOR gates free. In particular, when computing the XOR gates of the garbled circuit, Free-XOR removes the need to send ciphertexts and perform encryption and decryption, and removes the need to handle a garbled table for the XOR gates. With Free-XOR, each of the n participants P_i randomly selects a global key Δ_i and sets
Figure BDA0003921586490000106
and
Figure BDA0003921586490000107
are the keys of line w; x, y are the inputs and z the output; λ_w is the mask value of line w. Combined with the Free-XOR technique, the garbling of the AND gate is as follows:
Figure BDA0003921586490000108
where j ∈ [n] and a, b, λ_x, λ_y, λ_z ∈ [0,1].
In the online evaluation phase, each participant has a private input v_w and obtains the external value Λ_w, where
Figure BDA0003921586490000109
In the garbling phase, the key of the output line is covered in the garbled table by the input-line keys
Figure BDA00039215864900001010
Since the mask value λ_w is random, the external value Λ_w reveals nothing about the true value v_w. Finally, each participant obtains the external value Λ_z of the output line and the corresponding key, and then evaluates the garbled gate of the garbled circuit.
To achieve active security, the SPDZ-BMR protocol allows corrupted parties controlled by the adversary to input incorrect PRF values
Figure BDA0003921586490000111
because an honest participant P_j evaluates the garbled gate in the online evaluation phase to obtain the key
Figure BDA0003921586490000112
or
Figure BDA0003921586490000113
If there are any incorrect PRF values, P j The protocol will be aborted. Another benefit is evident: the SPDZ-BMR protocol shifts a large number of computations to a preprocessing stage, thereby improving on-line evaluationThe efficiency of (c). Furthermore, the main overhead of the preprocessing stage is to compute unauthenticated secret sharing of the obfuscated gates.
Exemplary method
The embodiment of the application provides an optimization method for an efficient constant-round secure multi-party computation protocol, where the secure multi-party computation protocol comprises a preprocessing stage and an online evaluation stage; the secure multi-party protocol has a plurality of participants, P_i denotes the i-th participant, i takes the values 1, 2, …, n, and n is the total number of participants. As shown in Figures 1 to 3, the method comprises:
S101: all participants execute the optimized Tiny-OT protocol in parallel to generate a plurality of AND triples; the AND triples are used to generate the random information for constructing the garbled circuit without authentication, and to perform the multiplication of random shares in the online evaluation phase to decrypt the circuit.
In this embodiment the MPC protocol is actively secure and constant-round, uses the structure of SPDZ-BMR, is executed on top of the optimized Tiny-OT protocol, and tolerates up to n-1 corrupted parties. The MPC protocol proceeds as follows: each participant generates correct AND triples in the preprocessing stage; a distributed garbling protocol is then used to create the garbled circuit; subsequently, each participant obtains the secret sharing of the garbled circuit and the related keys in the online stage; finally, each participant evaluates the garbled circuit locally to obtain the output.
Unlike traditional SPDZ-BMR, this embodiment optimizes the Tiny-OT protocol in two structural blocks: AND-triple generation and correctness checking. Specifically, the conventional Tiny-OT protocol checks the correctness of AND triples with the cut-and-choose technique, whereas this embodiment provides a new AND-triple generation method based on the optimized Tiny-OT protocol. In the optimized Tiny-OT protocol, the generation and the correctness check of the AND triples are integrated into one protocol, and the correctness check is performed in batches, so that checking m' AND triples needs only one commitment instead of the conventional m' commitments, where m' is the number of AND triples, and the number of hash function calls is halved. Batching the check of the AND triples reduces the computational cost of the MPC protocol from m'·k bits to k bits, and achieves higher computational efficiency than the traditional Tiny-OT protocol.
In addition, the MPC protocol based on the optimized Tiny-OT protocol achieves active security with a communication complexity of O(|C|Bnk) per participant. Table 1 compares the communication complexity of the multi-party MPC protocol provided in this embodiment with other multi-party MPC protocols:
Table 1. Comparison of communication complexity
Figure BDA0003921586490000121
In the table, O(·) denotes complexity, |C| denotes the number of AND gates in the circuit, d denotes the circuit depth, and B = O(k + s/log C). As the table shows, the method of this embodiment greatly improves communication efficiency.
In a specific implementation, the optimized Tiny-OT protocol generates random secret sharings with a consistency check and AND triples with a correctness check in the preprocessing stage, and the generated AND triples are used for computation in the online evaluation stage. The optimized Tiny-OT protocol is described in detail below.
Before generating the random secret sharings with consistency check and the AND triples with correctness check, the optimized Tiny-OT protocol performs the following initialization steps:
Step S2011: for i ∈ [n], P_i randomly selects a global key Δ_i ← {0,1}^k.
Step S2012: for each ordered pair (P_i, P_j) with j ≠ i, P_i and P_j send (init, Δ_j) and (init), respectively, to
Figure BDA0003921586490000122
To obtain AND triples with a correctness check, in some embodiments each AND triple of the plurality comprises a first secret share [x], a second secret share [y] and a third secret share [z]; executing the optimized Tiny-OT protocol to generate the τ-th AND triple comprises the following steps:
Step S201: each participant P_i generates a global key Δ_i ← {0,1}^k such that
Figure BDA0003921586490000131
Figure BDA0003921586490000132
where Δ_i is a k-bit binary string, k is a preset security parameter, lsb(Δ_i) denotes the last bit of Δ_i, and
Figure BDA0003921586490000133
denotes the exclusive-or operation.
Step S202: each participant P_i obtains the first secret share [x], the second secret share [y] and a fourth secret share [r] by executing a correlated oblivious transfer protocol (COT). The shares [x], [y], [r] each consist of the share values x_i, y_i, r_i held by participant P_i, the message authentication codes corresponding to x_i, y_i, r_i, and the keys corresponding to x_i, y_i, r_i.
Step S203: each participant P_i locally computes a first intermediate value
Figure BDA0003921586490000134
Figure BDA0003921586490000135
where
Figure BDA0003921586490000136
denotes the key held by P_i corresponding to y_l; y_l denotes the value of the second secret share [y] held by the l-th participant P_l;
Figure BDA0003921586490000137
denotes the message authentication code held by P_i corresponding to y_i; y_i is the value of the second secret share [y] held by P_i; and Δ_i is the global key of P_i.
Step S204: for each ordered pair (P_i, P_j) of participants with j ≠ i:
each participant P_i computes a second intermediate value u_{i,j}:
u_{i,j} = H(K_i[x_j], i||j||τ)
where H is a hash function, K_i[x_j] is the key held by P_i corresponding to x_j, and x_j is the value of the first secret share [x] held by participant P_j;
participant P_i computes a third intermediate value v_{i,j}:
Figure BDA0003921586490000138
where
Figure BDA0003921586490000139
is the first intermediate value and Δ_j is the global key held by participant P_j;
participant P_i sends v_{i,j} to P_j;
participant P_j computes a fourth intermediate value w_{i,j}:
Figure BDA00039215864900001310
Step S205: each participant P_i computes a fifth intermediate value U_i:
Figure BDA00039215864900001311
Step S206: each participant P_i computes the commitment value of the AND triple:
Figure BDA00039215864900001312
where d = {d_i}, d_i = lsb(U_i), and lsb(U_i) denotes the last bit of U_i.
Step S207: when i ≠ 1, let [z_i]_i = [r_i]_i; otherwise let
Figure BDA0003921586490000141
to obtain [x], [y], [z].
In this embodiment, creating an AND triple comprises two steps: generating the AND triple and checking its correctness. A malicious adversary may guess information about the random secret sharing, such as the queries, the global keys and x_i; because a malicious adversary cannot obtain the related x_i, y_i and z_i, such guessing has no effect on the optimized Tiny-OT protocol of this embodiment. The conventional Tiny-OT protocol uses the cut-and-choose technique to ensure the correctness of AND triples, which wastes many AND triples and is inefficient. The optimized Tiny-OT protocol does not use cut-and-choose; instead it combines AND-triple generation and correctness checking, which reduces the number of hash function calls used for the correctness check. The execution of the optimized Tiny-OT protocol is analysed in detail as follows:
In step S203 above, the first intermediate value
Figure BDA0003921586490000142
is:
Figure BDA0003921586490000143
that is:
Figure BDA0003921586490000144
Figure BDA0003921586490000145
When an AND triple is created in step S204, we have:
Figure BDA0003921586490000146
Then the following equation can be computed:
Figure BDA0003921586490000147
In step S206, we have:
Figure BDA0003921586490000151
Thus we obtain:
Figure BDA0003921586490000152
Finally, in step S207, we have:
Figure BDA0003921586490000153
Therefore [z] = [x]·[y], and an AND triple ([x], [y], [z]) is obtained.
To generate random secret sharings with a consistency check, in some embodiments step S202, in which each participant P_i obtains the first secret share [x] by executing the correlated oblivious transfer protocol COT, specifically comprises:
Step S301: each participant P_i generates a random bit sequence of length m
Figure BDA0003921586490000154
as the first random bit sequence x, and additionally generates a random bit sequence of length k
Figure BDA0003921586490000155
as an extra random bit sequence o used to ensure the consistency of the global key Δ_i;
Step S302: for each ordered pair (P_i, P_j) with j ≠ i, participant P_i acts as the sender and executes the correlated oblivious transfer protocol COT to obtain the first secret share [x] and the fourth secret share [o] corresponding to the first random bit sequence x and the extra random bit sequence o respectively, together with the message authentication codes and keys corresponding to [x] and [o];
Step S303: based on the first secret share [x] and the fourth secret share [o], perform the consistency check of the global key Δ_i; if the check passes, output the first secret share [x].
Steps S301 to S303 are repeated to obtain the second secret share [y] and the third secret share [z].
In this embodiment, each pair of participants (P_i, P_j) can obtain, by executing the correlated oblivious transfer protocol,
Figure BDA0003921586490000156
However, a malicious party may input an inconsistent global key in each execution, so that different random secret shares are authenticated under different global keys. To ensure the consistency of the global keys, this embodiment introduces a re-randomization technique.
Specifically, each P_i maps its random secret sharing by a linear map to the
Figure BDA0003921586490000157
random value C_i; then each party P_i re-randomizes C_i by random zero-sharing to generate m random secret shares. In the optimized Tiny-OT protocol each party additionally generates k random bits, which are then opened to check the consistency of the global key Δ_i.
To check the consistency of the global key Δ_i, in some embodiments the consistency check of Δ_i in step S303, based on the random shares [x] and [o], comprises:
for each ordered pair (P_i, P_j) of any two of the n participants with j ≠ i, participant P_i locally computes a first mapping value C_i from the first secret share [x] and the fourth secret share [o], and obtains the message authentication code M_j[C_i] corresponding to C_i and the key K_i[C_j];
each participant P_i obtains a random zero-sharing
Figure BDA0003921586490000161
where
Figure BDA0003921586490000162
each participant P_i computes, from the first mapping value C_i and the random zero-sharing ρ_i, a second mapping value
Figure BDA0003921586490000163
and broadcasts the second mapping value
Figure BDA0003921586490000164
to all participants;
each participant P_i reconstructs a third mapping value c from the second mapping values
Figure BDA0003921586490000165
each participant P_i checks the consistency of the global key Δ_i using the first mapping value C_i, the third mapping value c, the message authentication code M_j[C_i] corresponding to C_i, and the key K_i[C_j]. Specifically:
each P_i sets
Figure BDA0003921586490000166
then calls
Figure BDA0003921586490000167
and commits to
Figure BDA0003921586490000168
The parties open their commitments and check
Figure BDA0003921586490000169
If the check fails, the parties abort the protocol.
In the above consistency check of the global key Δ_i, each participant only needs to make one commitment to verify the consistency of Δ_i, which prevents malicious participants from colluding with each other.
Here:
Figure BDA00039215864900001610
Thus the parties only need to commit to and check
Figure BDA00039215864900001611
to ensure the consistency of the global key.
In one example, the optimized Tiny-OT protocol is as follows:
Figure BDA00039215864900001612
Figure BDA0003921586490000171
Figure BDA0003921586490000181
where the correlated oblivious transfer protocol
Figure BDA0003921586490000182
is executed as follows:
Figure BDA0003921586490000183
The called function
Figure BDA0003921586490000191
comprises a commit command and an open command, and is executed as follows:
Figure BDA0003921586490000192
It should be noted that, during the correctness check of the AND triples, a malicious adversary may obtain some leakage. For this reason, in some embodiments, after all participants have executed the optimized Tiny-OT protocol in parallel to generate a plurality of AND triples, the method further comprises:
grouping the plurality of AND triples; for each group, combining all AND triples within the group into one, to obtain a plurality of combinations; pairing the combinations pairwise, and for a first combination {[x_1], [y_1], [z_1]} and the second combination {[x_2], [y_2], [z_2]} it is paired with, executing the following steps to eliminate the leakage:
each participant checks the consistency of
Figure BDA0003921586490000193
let
Figure BDA0003921586490000194
[y] = [y_1],
Figure BDA0003921586490000195
and output the AND triple [x], [y], [z], where [z] = [x]·[y].
In this embodiment the sub-protocol adopts a bucketing technique: several AND triples are combined within each bucket to eliminate the leakage of the AND triples.
Specifically, in one example, the sub-protocol using the bucketing technique is as follows:
Figure BDA0003921586490000196
Figure BDA0003921586490000201
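The bucket combination above, as an added example that is not part of the patent: authenticated bits are produced by a constructed trusted dealer standing in for the COT sub-protocol (MACs of the Tiny-OT form M_j[x_i] = K_j[x_i] ⊕ x_i·Δ_j), and two triples are combined by opening only d = y_1 ⊕ y_2 and setting [x] = [x_1] ⊕ [x_2], [y] = [y_1], [z] = [z_1] ⊕ [z_2] ⊕ d·[x_2]. The page shows its combination formulas only as images, so these formulas and the MAC-checked opening are assumptions taken from the standard construction.

```python
import os
from dataclasses import dataclass, field

K = 16            # MAC and key length in bytes (constructed: k = 128)
ZERO = bytes(K)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


@dataclass
class Share:
    """P_i's piece of an authenticated bit [x]: its share bit x_i, the MACs M_j[x_i] it holds
    towards every other P_j, and the keys K_i[x_j] it holds on every other party's share."""
    bit: int
    mac: dict = field(default_factory=dict)   # j -> M_j[x_i] = K_j[x_i] ⊕ x_i·Δ_j
    key: dict = field(default_factory=dict)   # j -> K_i[x_j]


class Dealer:
    """Constructed trusted dealer standing in for the COT/aBit sub-protocol: it knows every
    global key Δ_j and hands out consistent MAC/key pairs. Used only to build inputs."""

    def __init__(self, n: int):
        self.n = n
        self.delta = [os.urandom(K) for _ in range(n)]

    def auth_bit(self, x: int):
        bits = [os.urandom(1)[0] & 1 for _ in range(self.n - 1)]
        bits.append(x ^ (sum(bits) & 1))              # shares XOR to x
        shares = [Share(b) for b in bits]
        for i in range(self.n):
            for j in range(self.n):
                if i != j:
                    k = os.urandom(K)                  # K_j[x_i], held by P_j
                    shares[j].key[i] = k
                    shares[i].mac[j] = xor(k, self.delta[j]) if bits[i] else k
        return shares

    def triple(self, x: int, y: int):
        return self.auth_bit(x), self.auth_bit(y), self.auth_bit(x & y)


def add(a, b):
    """[a] ⊕ [b]: local only, since shares, MACs and keys are all XOR-linear."""
    return [Share(s.bit ^ t.bit,
                  {j: xor(s.mac[j], t.mac[j]) for j in s.mac},
                  {j: xor(s.key[j], t.key[j]) for j in s.key}) for s, t in zip(a, b)]


def scale(a, c: int):
    """c·[a] for a public bit c; c = 0 gives the trivially authenticated zero."""
    if c:
        return a
    return [Share(0, {j: ZERO for j in s.mac}, {j: ZERO for j in s.key}) for s in a]


def open_bit(a, delta) -> int:
    """Every P_i broadcasts (x_i, M_j[x_i]); every P_j checks M_j[x_i] = K_j[x_i] ⊕ x_i·Δ_j."""
    for i, s in enumerate(a):
        for j, m in s.mac.items():
            expected = xor(a[j].key[i], delta[j]) if s.bit else a[j].key[i]
            if m != expected:
                raise ValueError(f"P_{j} rejects the share of P_{i}: MAC check failed")
    return sum(s.bit for s in a) & 1


def combine(t1, t2, delta):
    """Combine two (possibly leaky) triples into one; only d = y1 ⊕ y2 becomes public."""
    (x1, y1, z1), (x2, y2, z2) = t1, t2
    d = open_bit(add(y1, y2), delta)
    x = add(x1, x2)                          # a leaked bit of x1 is re-masked by the fresh x2
    y = y1
    z = add(add(z1, z2), scale(x2, d))       # (x1⊕x2)·y1 = z1 ⊕ x2·(y2⊕d) = z1 ⊕ z2 ⊕ d·x2
    return x, y, z


def tamper_detected(n: int = 3) -> bool:
    """A party that flips its share bit without a matching MAC is caught when the bit is opened."""
    dealer = Dealer(n)
    shares = dealer.auth_bit(1)
    shares[0].bit ^= 1
    try:
        open_bit(shares, dealer.delta)
    except ValueError:
        return True
    return False
```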
Step S102: each participant P_i linearly combines the commitment values of the plurality of AND triples to obtain a commitment combination result.
The optimized Tiny-OT protocol generates one AND triple, whereas in practice an MPC protocol execution consumes a large number of AND triples, so AND triples are usually generated in batches. In a specific implementation, a plurality of AND triples may be generated by executing the optimized Tiny-OT protocol in parallel, for example m' AND triples in parallel, and the commitment value of each AND triple is computed. After m' instances of the optimized Tiny-OT protocol have been executed in parallel, the correctness check of the m' AND triples proceeds as follows. Each participant P_i computes
Figure BDA0003921586490000202
to obtain the linear combination of the commitment values of the plurality of AND triples, where σ_τ is a random number generated by the random function
Figure BDA0003921586490000203
Then the commit command of the function
Figure BDA0003921586490000204
is called to commit to Z_i.
The random function
Figure BDA0003921586490000205
proceeds as follows:
Figure BDA0003921586490000206
Step S103: each participant P_i opens the commitment combination result and checks the correctness of the plurality of AND triples.
Each participant calls the open command of the function
Figure BDA0003921586490000207
to open the commitment Z_i, and checks whether
Figure BDA0003921586490000208
equals 0; when it is 0, the parties terminate the protocol.
In some embodiments, after each participant P_i has opened the commitment combination result and checked the correctness of the plurality of AND triples, the method further comprises: obtaining a Boolean circuit;
generating, based on the plurality of AND triples, the random information for constructing an unauthenticated garbled circuit;
and generating the garbled circuit corresponding to the Boolean circuit from that random information.
The Boolean circuit is constructed from the operation logic of the function f.
In this embodiment, each participant generates correct AND triples in the preprocessing stage; then the garbled circuit of the Boolean circuit is created, based on the AND triples, using a distributed garbling protocol.
The garbled circuit is generated by a multi-party garbling protocol, in which all parties generate the garbled circuit jointly by distributed garbling. Specifically, each P_i first generates the keys for the circuit gates of the garbled circuit and a global key, where
Figure BDA0003921586490000211
then the mask value λ_w on each wire of the randomly selected circuit gate is secret-shared; each party then computes the secret-shared product λ_w·Δ_i and defines the garbled circuit; finally the mask values of the output wires are computed for each party.
The following is an example of the distributed garbling protocol:
Figure BDA0003921586490000212
Figure BDA0003921586490000221
where the opening sub-protocol Π_open comprises the following steps:
Figure BDA0003921586490000222
In the process of generating the garbled circuit, Tiny-OT generates the secret sharings, the unauthenticated garbled circuit is built by distributed garbling based on the optimized Tiny-OT protocol, and no extra overhead is needed to obtain authenticated information. In the preprocessing stage, an optimized Tiny-OT protocol with MACs is used to obtain unauthenticated AND triples, which are used to compute the product of shared mask values λ_x·λ_y; each participant P_j separately computes the products of λ_x, λ_y and λ_x·λ_y with Δ_j. Because corrupted parties could change their secret shares and thereby produce incorrect garbled gates, the garbled circuit is opened through a checking mechanism and its correctness is checked; if the check fails, the online phase is aborted.
In the online evaluation phase, each P_i computes the external value Λ_w on its input wire, then broadcasts Λ_w and the key corresponding to the external value Λ_w
Figure BDA0003921586490000231
Then each P_i uses these values to evaluate the garbled circuit and obtain the key of the output wire
Figure BDA0003921586490000232
and the external value Λ_z; finally each P_i computes the true output value from the mask value
Figure BDA0003921586490000233
One specific MPC protocol implementation is as follows:
Figure BDA0003921586490000234
where the open-garbling protocol Π_Open garbling reconstructs the garbled tables of the garbled circuit in order to check the garbled circuit and ensure it is correct; the protocol is executed in the following steps:
Figure BDA0003921586490000241
Since in the preprocessing stage the parties generate the secret sharing of the garbled circuit without authentication, malicious parties may introduce errors into the garbled circuit; in this embodiment a simple open-garbling protocol Π_Open garbling is therefore run in the online evaluation phase to check that the circuit is correct. By comparison, authenticated garbled circuits are more expensive than unauthenticated ones.
To reduce the amount of data transferred between circuit gates and the size of the garbled table while constructing the garbled circuit, in some embodiments the AND-gate garbled table of the garbled circuit comprises a garbler-side half-gate and an evaluator-side half-gate; the AND gate of the garbled circuit comprises a first input wire, a second input wire and an output wire; and the method further comprises: splitting the mask value of the output wire into a first sub-mask and a second sub-mask, and splitting the key of the output wire into a first sub-key and a second sub-key; computing the garbler half-gate and the evaluator half-gate from the first sub-mask, the second sub-mask, the first sub-key and the second sub-key respectively; and XORing the garbler-side half-gate and the evaluator-side half-gate to obtain the external value of the output wire.
In this embodiment the Half-Gate technique is introduced into the multi-party distributed garbling protocol and made compatible with the Free-XOR technique, so that the garbled table of each AND gate in the garbled circuit costs only 2n bits of data transmission, which reduces the size of the garbled table and improves the efficiency of the MPC protocol.
The method optimizes the Half-Gate technique so that an AND gate in the multi-party distributed garbled circuit consumes only two ciphertexts and is compatible with Free-XOR. The optimization of the Half-Gate technique is detailed below:
In this embodiment the two half-gates are called the garbler-side half-gate and the evaluator-side half-gate. Let
Figure BDA0003921586490000251
be the external value and v_w the true value.
For an AND gate v_z = v_x ∧ v_y, where x, y are the input wires and z is the output wire of the AND gate, the output wire satisfies:
Figure BDA0003921586490000252
In the two-party Half-Gate technique the computation involves two half-gates: the first half-gate computes λ_y·v_x and the second computes
Figure BDA0003921586490000253
Finally the two results are XORed to obtain v_z = v_x·v_y, as follows:
Figure BDA0003921586490000254
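The two-party half-gate decomposition just described, as an added example that is not part of the patent: one AND gate is garbled with Free-XOR and point-and-permute (λ_w is the last bit of the zero key, Λ_w = v_w ⊕ λ_w is the last bit of the key the evaluator holds), the garbler half-gate computes v_x·λ_y, the evaluator half-gate computes v_x·Λ_y, and the two are XORed. SHA-256 as the garbling hash, 128-bit keys and the gate index as tweak are assumptions; the patent's multi-party variant with split masks and per-party Δ_i is not implemented here.

```python
import hashlib
import os

K = 16   # key length in bytes; the 128-bit security parameter is a constructed choice


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def lsb(k: bytes) -> int:
    return k[-1] & 1


def H(key: bytes, gate: int, half: int) -> bytes:
    """Garbling hash; the tweak (gate index, half index) keeps the two half-gates distinct."""
    return hashlib.sha256(key + gate.to_bytes(4, "big") + bytes([half])).digest()[:K]


class Garbler:
    """Holds the global key Δ and the zero key k_w^0 of each wire; the mask is λ_w = lsb(k_w^0)."""

    def __init__(self):
        d = bytearray(os.urandom(K))
        d[-1] |= 1                 # lsb(Δ) = 1, so lsb(k_w^0 ⊕ Δ) = λ_w ⊕ 1 (point-and-permute)
        self.delta = bytes(d)

    def new_wire(self) -> bytes:
        return os.urandom(K)       # zero key k_w^0; the one key is k_w^0 ⊕ Δ (Free-XOR)

    def key(self, k0: bytes, v: int) -> bytes:
        """Key encoding the true value v on a wire with zero key k0."""
        return xor(k0, self.delta) if v else k0

    def xor_gate(self, kx0: bytes, ky0: bytes) -> bytes:
        return xor(kx0, ky0)       # Free-XOR: no garbled table, no ciphertext

    def and_gate(self, gid: int, kx0: bytes, ky0: bytes):
        lam_x, lam_y = lsb(kx0), lsb(ky0)
        kx1, ky1 = xor(kx0, self.delta), xor(ky0, self.delta)
        # garbler half-gate, computes v_x·λ_y (λ_y is known to the garbler)
        tg = xor(H(kx0, gid, 0), H(kx1, gid, 0))
        if lam_y:
            tg = xor(tg, self.delta)
        wg0 = H(self.key(kx0, lam_x), gid, 0)
        if lam_x & lam_y:
            wg0 = xor(wg0, self.delta)
        # evaluator half-gate, computes v_x·Λ_y (Λ_y is known only at evaluation time)
        te = xor(xor(H(ky0, gid, 1), H(ky1, gid, 1)), kx0)
        we0 = H(self.key(ky0, lam_y), gid, 1)
        kz0 = xor(wg0, we0)        # zero key of z; its mask is λ_z = lsb(kz0)
        return (tg, te), kz0


def eval_and(gid: int, table, kx: bytes, ky: bytes) -> bytes:
    """Evaluator side: it sees only the keys and their external values Λ_x = lsb(kx), Λ_y = lsb(ky)."""
    tg, te = table
    wg = H(kx, gid, 0)
    if lsb(kx):
        wg = xor(wg, tg)
    we = H(ky, gid, 1)
    if lsb(ky):
        we = xor(we, xor(te, kx))
    return xor(wg, we)             # = k_z^0 ⊕ (v_x ∧ v_y)·Δ


def run_and(vx: int, vy: int):
    """Garble one AND gate and evaluate it on (vx, vy).
    Returns (Λ_z, λ_z, recovered v_z, whether the evaluator obtained the correct key)."""
    g = Garbler()
    kx0, ky0 = g.new_wire(), g.new_wire()
    table, kz0 = g.and_gate(7, kx0, ky0)
    kz = eval_and(7, table, g.key(kx0, vx), g.key(ky0, vy))
    lam_z, ext_z = lsb(kz0), lsb(kz)        # Λ_z = v_z ⊕ λ_z
    return ext_z, lam_z, ext_z ^ lam_z, kz == g.key(kz0, vx & vy)
```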
In this embodiment the Half-Gate technique is introduced into the multi-party distributed garbling protocol with the following adjustments. First, the mask value of the output wire is split into a first sub-mask λ'_z and a second sub-mask λ''_z, where
Figure BDA0003921586490000255
Splitting the mask value of the output wire into the first sub-mask λ'_z and the second sub-mask λ''_z prevents the outputs of the two half-gates from being leaked. Then the key of the output wire
Figure BDA0003921586490000256
is split into a first sub-key
Figure BDA00039215864900002511
and a second sub-key
Figure BDA00039215864900002512
where
Figure BDA0003921586490000257
Splitting the zero key of the output wire
Figure BDA0003921586490000258
into the first and second sub-keys ensures that the output-wire keys of the two half-gates do not reveal the global key Δ_i of any party.
For the AND gates in the garbled circuit we have:
Figure BDA0003921586490000259
The garbler-side half-gate and the evaluator-side half-gate are described in detail below.
Garbler-side half-gate:
Since the mask values are random and secret-shared, the fact that the garbler knows its own mask value can be exploited to compute the garbler half-gate in the multi-party secure computation setting. In the online evaluation phase, the garbler obtains the external value of wire x
Figure BDA00039215864900002510
From the above analysis, the garbler-side half-gate is used to compute:
Figure BDA0003921586490000261
Note that the external value Λ_x is computed in the online stage; the garbler half-gate is then as follows:
Figure BDA0003921586490000262
where
Figure BDA0003921586490000263
i ∈ [n].
By decrypting
Figure BDA0003921586490000264
the correctness of the equation is verified and the key of the output wire is obtained, as follows:
Figure BDA0003921586490000265
Evaluator-side half-gate:
In the online evaluation phase, the evaluator obtains the external value of the wire
Figure BDA0003921586490000266
Similarly to the garbler-side half-gate, the evaluator-side half-gate is used to compute:
Figure BDA0003921586490000267
where
Figure BDA0003921586490000268
is computed in the same way as for the garbler-side half-gate.
The key point of the above formula is the computation of Λ_x·Λ_y, i.e.
Figure BDA0003921586490000269
Because in the online evaluation phase
Figure BDA00039215864900002610
and
Figure BDA00039215864900002611
are both public, Λ_x·Λ_y can be computed directly in the online evaluation stage.
In addition, the key corresponding to Λ_x·Λ_y must also be computed. In the two-party secure computation protocol, the key of input wire x needs to be transferred to the key of output wire z when
Figure BDA00039215864900002612
and the XOR of the key of input wire x and the key of output wire z must be computed. In a multi-party secure computation setting with n participants, the evaluator multiplies the key of input wire x by the external value Λ_y during the online evaluation and XORs the result with the key of output wire z; the evaluator half-gate is then as follows:
Figure BDA00039215864900002613
where
Figure BDA00039215864900002614
i ∈ [n].
By decrypting
Figure BDA00039215864900002615
the key corresponding to the required value
Figure BDA00039215864900002616
is obtained, which verifies the correctness of the above equation:
Figure BDA0003921586490000271
Then, XORing
Figure BDA0003921586490000272
with the product of the key of input wire x and the external value Λ_y yields exactly the key corresponding to the required value
Figure BDA0003921586490000273
which is:
Figure BDA0003921586490000274
After the garbler-side half-gate and the evaluator-side half-gate have been computed by the above steps, the external value Λ_z of output wire z is obtained simply by XORing the garbler-side half-gate with the evaluator-side half-gate.
In summary, in the present application all participants execute the optimized Tiny-OT protocol in parallel to generate a plurality of AND triples; the AND triples are used to generate the random information for constructing the garbled circuit without authentication and to perform the multiplication of random shares in the online evaluation phase to decrypt the circuit; each participant P_i linearly combines the commitment values of the plurality of AND triples to obtain a commitment combination result; and each participant P_i opens the commitment combination result and checks the correctness of the AND triples. By batching the correctness check of the AND triples in the optimized Tiny-OT protocol, the generation of the AND triples and their correctness check are integrated into one protocol, the number of commitments required for the correctness check and the number of hash function calls are reduced, and communication efficiency is improved.
In this embodiment the MPC protocol is actively secure and constant-round, uses the structure of SPDZ-BMR, is executed on top of the optimized Tiny-OT protocol, and tolerates up to n-1 corrupted parties. During generation of the garbled circuit, the secret sharings are generated with Tiny-OT with message authentication codes (MACs), and the unauthenticated garbled circuit is built by distributed garbling based on the optimized Tiny-OT protocol, so that authenticated information is obtained without extra overhead.
In this embodiment the Half-Gate technique is introduced into the multi-party distributed garbling protocol, optimized and made compatible with the Free-XOR technique, so that the garbled table of each AND gate in the garbled circuit costs only 2n bits of data transmission, which reduces the size of the garbled table and improves the efficiency of the MPC protocol.
Exemplary System
The embodiment of the application provides an optimization system for an efficient constant-round secure multi-party computation protocol, where the secure multi-party computation protocol comprises a preprocessing stage and an online evaluation stage; the secure multi-party protocol has a plurality of participants, P_i denotes the i-th participant, i takes the values 1, 2, …, n, and n is the total number of participants. The system comprises a generating unit 401, a combining unit 402 and a checking unit 403, where:
the generating unit 401 is configured so that all participants execute the optimized Tiny-OT protocol in parallel to generate a plurality of AND triples; the AND triples are used to generate the random information for constructing the garbled circuit without authentication and to perform the multiplication of random shares in the online evaluation phase to decrypt the circuit;
the combining unit 402 is configured so that each participant P_i linearly combines the commitment values of the plurality of AND triples to obtain a commitment combination result;
the checking unit 403 is configured so that each participant P_i opens the commitment combination result and checks the correctness of the plurality of AND triples.
Each AND triple of the plurality comprises a first secret share [x], a second secret share [y] and a third secret share [z]; the generating unit 401 is further configured as follows.
The steps of executing the optimized Tiny-OT protocol to generate the τ-th AND triple are:
first, each participant P_i generates a global key Δ_i such that
Figure BDA0003921586490000281
where Δ_i is a k-bit binary string, k is a preset security parameter, lsb(Δ_i) denotes the last bit of Δ_i, and
Figure BDA0003921586490000282
denotes the exclusive-or operation;
Step S202: each participant P_i obtains the first secret share [x], the second secret share [y] and a fourth secret share [r] by executing a correlated oblivious transfer protocol (COT); the shares [x], [y], [r] each consist of the share values x_i, y_i, r_i held by participant P_i, the message authentication codes corresponding to x_i, y_i, r_i, and the keys corresponding to x_i, y_i, r_i;
Step S203: each participant P_i locally computes a first intermediate value
Figure BDA0003921586490000283
Figure BDA0003921586490000284
where
Figure BDA0003921586490000285
denotes the key held by P_i corresponding to y_l; y_l denotes the value of the second secret share [y] held by the l-th participant P_l;
Figure BDA0003921586490000286
denotes the message authentication code held by P_i corresponding to y_i; y_i is the value of the second secret share [y] held by P_i; and Δ_i is the global key of P_i.
Step S204: for each ordered pair (P_i, P_j) of participants with j ≠ i:
each participant P_i computes a second intermediate value u_{i,j}:
u_{i,j} = H(K_i[x_j], i||j||τ)
where H is a hash function, K_i[x_j] is the key held by P_i corresponding to x_j, and x_j is the value of the first secret share [x] held by participant P_j;
participant P_i computes a third intermediate value v_{i,j}:
Figure BDA0003921586490000291
where
Figure BDA0003921586490000292
is the first intermediate value and Δ_j is the global key held by participant P_j;
participant P_i sends v_{i,j} to P_j;
participant P_j computes a fourth intermediate value w_{i,j}:
Figure BDA0003921586490000293
Step S205: each participant P_i computes a fifth intermediate value U_i:
Figure BDA0003921586490000294
Step S206: each participant P_i computes the commitment value of the AND triple:
Figure BDA0003921586490000295
where d = {d_i}, d_i = lsb(U_i), and lsb(U_i) denotes the last bit of U_i;
Step S207: when i ≠ 1, let [z_i]_i = [r_i]_i; otherwise let
Figure BDA0003921586490000296
to obtain [x], [y], [z].
The optimization system for the efficient constant round secure multi-party computing protocol provided in the embodiment of the present application can implement the steps and flows of the optimization method for the efficient constant round secure multi-party computing protocol of any embodiment described above, and achieve the same technical effects, which are not described in detail herein.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (9)

1. An optimization method of an efficient constant round secure multi-party computing protocol, characterized in that the secure multi-party computing protocol comprises a preprocessing stage and an online evaluation stage; the secure multi-party computing protocol has a plurality of participants, P_i denoting the i-th participant, where i takes the values 1, 2, …, n; n denotes the total number of participants; the method comprises the following steps:
executing the optimized Tiny-OT protocol in parallel by all the participants to generate a plurality of AND triples; the AND triples are used for generating the relevant random information for constructing the garbled circuit without identity authentication, and for performing the multiplication of random shares in the online evaluation phase to decrypt the circuit;
each participant P_i linearly combining the commitment values of the plurality of AND triples to obtain a commitment combination result;
each participant P_i opening the commitment combination result and checking the correctness of the plurality of AND triples.
2. The method for optimizing an efficient constant round secure multi-party computing protocol according to claim 1, wherein each AND-triple of the plurality of AND-triples comprises a first secret share [ x ], a second secret share [ y ], a third secret share [ z ]; executing the optimized Tiny-OT protocol to generate the τ -th AND-triple of the plurality of AND-triples comprises the following steps:
step S201, each participant P_i generates a global key Δ_i, and
Figure FDA0003921586480000011
where Δ_i is a k-bit binary number, k is a preset security parameter, and lsb(Δ_i) denotes taking the last bit of Δ_i;
Figure FDA0003921586480000012
denotes the exclusive-OR operation;
step S202, each participant P_i obtains a first secret share [x], a second secret share [y] and a fourth secret share [r] by executing the correlated oblivious transfer protocol COT; the first secret share [x], the second secret share [y] and the fourth secret share [r] respectively comprise the share values x_i, y_i, r_i held by participant P_i, the message authentication codes corresponding to x_i, y_i, r_i, and the keys corresponding to x_i, y_i, r_i;
step S203, each participant P_i locally calculates a first intermediate value
Figure FDA0003921586480000013
Figure FDA0003921586480000014
where:
Figure FDA0003921586480000015
denotes the key held by P_i corresponding to y_l; y_l denotes the value of the second secret share [y] held by the l-th participant P_l;
Figure FDA0003921586480000016
denotes the message authentication code held by P_i corresponding to y_i; y_i is the value of the second secret share [y] held by P_i; Δ_i is the global key Δ_i of P_i.
Step S204, for the ordered pair (P_i, P_j), j ≠ i, formed by participants P_i and P_j:
each participant P_i calculates a second intermediate value u_{i,j}:
u_{i,j} = H(K_i[x_j], i||j||τ)
where H denotes a hash function; K_i[x_j] denotes the key held by P_i corresponding to x_j; x_j is the value of the first secret share [x] held by participant P_j;
participant P_i calculates a third intermediate value v_{i,j}:
Figure FDA0003921586480000021
where
Figure FDA0003921586480000022
is the first intermediate value; Δ_j is the global key held by participant P_j;
participant P_i sends v_{i,j} to P_j;
participant P_j calculates a fourth intermediate value w_{i,j}:
Figure FDA0003921586480000023
Step S205, each participant P_i calculates a fifth intermediate value U_i:
Figure FDA0003921586480000024
Step S206, each participant P_i calculates the commitment value for each AND triple:
Figure FDA0003921586480000025
where d = {d_i}; d_i = lsb(U_i); lsb(U_i) denotes taking the last bit of U_i;
step S207, when i ≠ 1, let [z_i]_i = [r_i]_i; otherwise, let
Figure FDA0003921586480000026
to obtain [x], [y], [z].
3. The method for optimizing an efficient constant round secure multi-party computing protocol according to claim 2, wherein, in step S202, each participant P_i obtaining a first secret share [x] by executing the correlated oblivious transfer protocol COT specifically comprises the following steps:
step S301, each participant P_i generates a random bit sequence of length m
Figure FDA0003921586480000027
as the first random bit sequence x, and additionally generates a random bit sequence of length k
Figure FDA0003921586480000028
as an additional random bit sequence o for ensuring the consistency of the global key Δ_i;
step S302, for the ordered pair (P_i, P_j), j ≠ i, formed by participants P_i and P_j, with participant P_i as the sender, the correlated oblivious transfer protocol COT is executed to obtain the first secret share [x] and the fourth secret share [o] corresponding to the first random bit sequence x and the additional random bit sequence o respectively, together with the message authentication codes and keys corresponding to [x] and [o] respectively;
step S303, performing consistency verification of the global key Δ_i based on the first secret share [x] and the fourth secret share [o], and if the consistency verification passes, outputting the first secret share [x].
4. The method for optimizing an efficient constant round secure multi-party computing protocol according to claim 3, wherein, in step S303, performing consistency verification of the global key Δ_i based on the random shares [x], [o] comprises:
for the ordered pair (P_i, P_j), j ≠ i, formed by participants P_i and P_j, where P_i, P_j are any two of the n participants, participant P_i locally calculates a first mapping value C_i from the first secret share [x] and the fourth secret share [o], and obtains the message authentication code M_j[C_i] and the key K_i[C_j] corresponding to C_i;
each participant P_i obtains a random zero share
Figure FDA0003921586480000031
where
Figure FDA0003921586480000032
each participant P_i calculates a second mapping value from the first mapping value C_i and the random zero share ρ_i
Figure FDA0003921586480000033
and broadcasts the second mapping value
Figure FDA0003921586480000034
to all participants;
each participant P_i, from the second mapping value
Figure FDA0003921586480000035
reconstructs a third mapping value c;
each participant P_i checks the consistency of the global key Δ_i from the first mapping value C_i, the third mapping value c, and the message authentication code M_j[C_i] and key K_i[C_j] corresponding to C_i.
5. The method for optimizing an efficient constant round secure multi-party computing protocol according to claim 1, wherein, after all participants execute the optimized Tiny-OT protocol in parallel to generate a plurality of AND triples, the method further comprises:
grouping the plurality of AND triples;
for each group, combining all AND triples within the group into one, to obtain a plurality of combinations;
pairing the plurality of combinations pairwise, and for a first combination {[x_1], [y_1], [z_1]} and a second combination {[x_2], [y_2], [z_2]} of each pair, executing the following steps to eliminate leakage:
each participant P_i checks
Figure FDA0003921586480000036
for consistency;
let
Figure FDA0003921586480000037
[y] = [y_1],
Figure FDA0003921586480000038
and output the AND triple [x], [y], [z], where [z] = [x] × [y].
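As an added illustration, not code from the patent, the following Python simulates the authenticated bit shares underlying the AND triples, where P_i holds x_i together with MACs M_j[x_i] = K_j[x_i] ⊕ x_i·Δ_j under every other party's global key, and carries out the two-triple combination of claim 5. The COT-based share generation of steps S202 and S302 is replaced by a trusted-dealer stand-in, and the combination rule z = z_1 ⊕ z_2 ⊕ d·x_2 with d = y_1 ⊕ y_2 is the standard TinyOT bucketing formula assumed here, since the claim's own formulas are image references not reproduced on this page.

```python
import os
from dataclasses import dataclass
from functools import reduce

KEY_BYTES = 16                 # constructed parameter: 128-bit global keys (the page's k bits)
ZERO = bytes(KEY_BYTES)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def rand_bit() -> int:
    return os.urandom(1)[0] & 1

@dataclass
class Share:
    """P_i's authenticated share of one bit: value x_i, MACs M_j[x_i] and keys K_i[x_j]."""
    val: int
    macs: dict   # j -> M_j[x_i] = K_j[x_i] ^ (x_i * Delta_j); held by P_i, verifiable by P_j
    keys: dict   # j -> K_i[x_j]; held by P_i to verify P_j's share

def deal_bit(deltas, bit):
    """Trusted-dealer stand-in (assumption) for the COT step: authenticated shares of `bit`."""
    n = len(deltas)
    vals = [rand_bit() for _ in range(n)]
    vals[0] ^= bit ^ reduce(lambda a, b: a ^ b, vals)          # XOR of all x_i equals bit
    key = {(i, j): os.urandom(KEY_BYTES) for i in range(n) for j in range(n) if i != j}
    shares = []
    for i in range(n):
        macs = {j: xor(key[(j, i)], deltas[j] if vals[i] else ZERO) for j in range(n) if j != i}
        shares.append(Share(vals[i], macs, {j: key[(i, j)] for j in range(n) if j != i}))
    return shares

def deal_triple(deltas):
    """A correct AND triple [x], [y], [z] with z = x & y (dealer stand-in for Tiny-OT)."""
    x, y = rand_bit(), rand_bit()
    return deal_bit(deltas, x), deal_bit(deltas, y), deal_bit(deltas, x & y)

def add(a: Share, b: Share) -> Share:
    """Local XOR of two shares: values, MACs and keys are all linear, so no interaction."""
    return Share(a.val ^ b.val,
                 {j: xor(a.macs[j], b.macs[j]) for j in a.macs},
                 {j: xor(a.keys[j], b.keys[j]) for j in a.keys})

def scale(a: Share, d: int) -> Share:
    """Multiply a share by a public bit d; d = 0 gives the all-zero share."""
    return a if d else Share(0, {j: ZERO for j in a.macs}, {j: ZERO for j in a.keys})

def open_bit(deltas, shares):
    """Each P_i reveals (x_i, M_j[x_i]); each P_j checks it against K_j[x_i] and Delta_j."""
    for j in range(len(deltas)):
        for i, s in enumerate(shares):
            if i != j and s.macs[j] != xor(shares[j].keys[i], deltas[j] if s.val else ZERO):
                raise ValueError(f"P_{j} rejects P_{i}'s share: MAC check failed")
    return reduce(lambda a, b: a ^ b, (s.val for s in shares))

def combine(deltas, t1, t2):
    """Combine two triples into one (assumed TinyOT bucketing rule, as in claim 5):
    open d = y1 ^ y2, then x = x1 ^ x2, y = y1, z = z1 ^ z2 ^ d*x2, so that z = x & y."""
    (x1, y1, z1), (x2, y2, z2) = t1, t2
    d = open_bit(deltas, [add(a, b) for a, b in zip(y1, y2)])  # consistency check on y1 ^ y2
    x = [add(a, b) for a, b in zip(x1, x2)]
    z = [add(add(a, b), scale(c, d)) for a, b, c in zip(z1, z2, x2)]
    return x, y1, z

def demo(n=3):
    """Run the combination among n parties and open the result; returns the (x, y, z) bits."""
    deltas = [os.urandom(KEY_BYTES) for _ in range(n)]           # each P_i's global key
    x, y, z = combine(deltas, deal_triple(deltas), deal_triple(deltas))
    return tuple(open_bit(deltas, s) for s in (x, y, z))

if __name__ == "__main__":
    print(demo())                                                 # z always equals x & y
```

A party that alters its share value before an opening is caught by the MAC check, because producing a matching MAC would require the verifier's global key.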
6. The method for optimizing an efficient constant round secure multi-party computing protocol according to claim 1, wherein, after each participant P_i opens the commitment combination result and checks the correctness of the plurality of AND triples, the method further comprises:
acquiring a Boolean circuit;
generating relevant random information for constructing an unidentified garbled circuit based on the plurality of AND triples;
and generating the garbled circuit corresponding to the Boolean circuit according to the relevant random information.
7. The method for optimizing an efficient constant round secure multi-party computing protocol according to claim 6, wherein the AND-gate garbled table of the garbled circuit comprises a garbler half-gate and an evaluator half-gate; the AND gate of the garbled circuit comprises a first input wire, a second input wire and an output wire;
the method further comprises the following steps:
splitting the mask value of the output wire into a first sub-mask and a second sub-mask, and splitting the key of the output wire into a first sub-key and a second sub-key;
calculating the garbler half-gate and the evaluator half-gate based on the first sub-mask, the second sub-mask, the first sub-key and the second sub-key, respectively;
and XOR-ing the garbler half-gate and the evaluator half-gate to obtain the external value of the output wire.
8. An optimization system of an efficient constant round secure multi-party computing protocol, characterized in that the secure multi-party computing protocol comprises a preprocessing stage and an online evaluation stage; the secure multi-party computing protocol has a plurality of participants, P_i denoting the i-th participant, where i takes the values 1, 2, …, n; n denotes the total number of participants; the system comprises:
a generating unit configured to have all participants execute the optimized Tiny-OT protocol in parallel to generate a plurality of AND triples; the AND triples are used for generating the relevant random information for constructing the garbled circuit without identity authentication, and for performing the multiplication of random shares in the online evaluation phase to decrypt the circuit;
a combination unit configured to have each participant P_i linearly combine the commitment values of the plurality of AND triples to obtain a commitment combination result;
a checking unit configured to have each participant P_i open the commitment combination result and check the correctness of the plurality of AND triples.
9. The system for efficient constant round secure multiparty computation protocol optimization according to claim 8,
each AND triple of the plurality of AND triples comprises a first secret share [ x ], a second secret share [ y ], AND a third secret share [ z ]; the generating unit is further configured to:
executing the optimized Tiny-OT protocol to generate the τ -th AND-triple of the plurality of AND-triples comprises the following steps:
step S201, each participant P_i generates a global key Δ_i, and
Figure FDA0003921586480000051
where Δ_i is a k-bit binary number, k is a preset security parameter, and lsb(Δ_i) denotes taking the last bit of Δ_i;
Figure FDA0003921586480000052
denotes the exclusive-OR operation;
step S202, each participant P_i obtains a first secret share [x], a second secret share [y] and a fourth secret share [r] by executing the correlated oblivious transfer protocol COT; the first secret share [x], the second secret share [y] and the fourth secret share [r] respectively comprise the share values x_i, y_i, r_i held by participant P_i, the message authentication codes corresponding to x_i, y_i, r_i, and the keys corresponding to x_i, y_i, r_i;
step S203, each participant P_i locally calculates a first intermediate value
Figure FDA0003921586480000053
Figure FDA0003921586480000054
where:
Figure FDA0003921586480000055
denotes the key held by P_i corresponding to y_l; y_l denotes the value of the second secret share [y] held by the l-th participant P_l;
Figure FDA0003921586480000056
denotes the message authentication code held by P_i corresponding to y_i; y_i is the value of the second secret share [y] held by P_i; Δ_i is the global key Δ_i of P_i.
Step S204, for the ordered pair (P_i, P_j), j ≠ i, formed by participants P_i and P_j:
each participant P_i calculates a second intermediate value u_{i,j}:
u_{i,j} = H(K_i[x_j], i∥j∥τ)
where H denotes a hash function; K_i[x_j] denotes the key held by P_i corresponding to x_j; x_j is the value of the first secret share [x] held by participant P_j;
participant P_i calculates a third intermediate value v_{i,j}:
Figure FDA0003921586480000057
where
Figure FDA0003921586480000058
is the first intermediate value; Δ_j is the global key held by participant P_j;
participant P_i sends v_{i,j} to P_j;
participant P_j calculates a fourth intermediate value w_{i,j}:
Figure FDA0003921586480000059
Step S205, each participant P_i calculates a fifth intermediate value U_i:
Figure FDA00039215864800000510
Step S206, each participant P_i calculates the commitment value for each AND triple:
Figure FDA00039215864800000511
where d = {d_i}; d_i = lsb(U_i); lsb(U_i) denotes taking the last bit of U_i;
step S207, when i ≠ 1, let [z_i]_i = [r_i]_i; otherwise, let
Figure FDA0003921586480000061
to obtain [x], [y], [z].
CN202211358995.XA 2022-09-16 2022-11-02 Optimization method and system for constant round secure multiparty computing protocol Active CN115865311B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2023/128096 WO2024051864A1 (en) 2022-09-16 2023-10-31 Method for optimizing constant round secure multi-party computation protocol

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2022111285678 2022-09-16
CN202211128567 2022-09-16

Publications (2)

Publication Number Publication Date
CN115865311A true CN115865311A (en) 2023-03-28
CN115865311B CN115865311B (en) 2023-09-26

Family

ID=85662287

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211358995.XA Active CN115865311B (en) 2022-09-16 2022-11-02 Optimization method and system for constant round secure multiparty computing protocol

Country Status (2)

Country Link
CN (1) CN115865311B (en)
WO (1) WO2024051864A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024051864A1 (en) * 2022-09-16 2024-03-14 河南理工大学 Method for optimizing constant round secure multi-party computation protocol


Also Published As

Publication number Publication date
WO2024051864A1 (en) 2024-03-14
CN115865311B (en) 2023-09-26


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant