CN116484395A - Security calculation method based on privacy data and related equipment - Google Patents


Publication number
CN116484395A
Authority
CN
China
Prior art keywords
vector
target
computing device
sub
homomorphic encryption
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310224647.1A
Other languages
Chinese (zh)
Inventor
尹栋
包义保
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ant Blockchain Technology Shanghai Co Ltd
Original Assignee
Ant Blockchain Technology Shanghai Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Ant Blockchain Technology Shanghai Co Ltd
Priority to CN202310224647.1A
Publication of CN116484395A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2211/00 Indexing scheme relating to details of data-processing equipment not covered by groups G06F3/00 - G06F13/00
    • G06F2211/007 Encryption, En-/decode, En-/decipher, En-/decypher, Scramble, (De-)compress
    • G06F2211/008 Public Key, Asymmetric Key, Asymmetric Encryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The specification provides a secure computing method based on private data, and related equipment, applied to a first computing device. The method comprises: encoding a plurality of obtained sub-matrices based on an encoding rule corresponding to a supported homomorphic encryption algorithm to obtain a target matrix; obtaining a ciphertext vector sent by a second computing device, the ciphertext vector being obtained by the second computing device encrypting a target vector, where the number of columns of the target matrix and the number of elements contained in the target vector are both equal to the polynomial order adopted by the homomorphic encryption algorithm; performing homomorphic encryption calculation on the target matrix and the ciphertext vector to obtain a homomorphic encryption calculation result, and decoding the result based on a corresponding decoding rule to obtain a plurality of multiplication tuples in one-to-one correspondence with the plurality of sub-matrices; and using the plurality of multiplication tuples as calculation auxiliary parameters to perform multiparty secure computation on the private data maintained by the first computing device and the private data maintained by the second computing device.

Description

Security calculation method based on privacy data and related equipment
Technical Field
One or more embodiments of the present disclosure relate to the field of data computing technology, and in particular, to a secure computing method based on private data and related devices.
Background
In the era of big data, privacy protection and data security are receiving increasing attention from all parties. Multiparty secure computation can accurately complete computing tasks over private data without exposing that data, and provides strong support for the secure and compliant use of data. Secret sharing (Secret Sharing, SS) is a common security protocol in multiparty secure computation. Computing multiplications based on SS usually requires multiplication tuples as computation aids.
Therefore, how to improve the computing efficiency of the multiplication tuple to realize efficient and reliable multiparty secure computation is a problem to be solved.
Disclosure of Invention
In view of this, one or more embodiments of the present disclosure provide a secure computing method and related device based on private data.
In a first aspect, the present specification provides a secure computing method based on private data, applied to a first computing device, the method comprising:
acquiring a plurality of sub-matrixes, and coding the plurality of sub-matrixes based on coding rules corresponding to the supported homomorphic encryption algorithm to obtain a corresponding target matrix;
Obtaining a ciphertext vector transmitted by the second computing device; the ciphertext vector is a vector obtained by encrypting a target vector by the second computing device, and the target vector is a vector obtained by encoding a plurality of sub-vectors which are obtained by the second computing device and are in one-to-one correspondence with the plurality of sub-matrices based on an encoding rule corresponding to a supported homomorphic encryption algorithm; the number of columns of the target matrix and the number of elements contained in the target vector are equal to the polynomial order adopted by the homomorphic encryption algorithm;
performing homomorphic encryption calculation on the target matrix and the ciphertext vector to obtain a homomorphic encryption calculation result, and decoding the homomorphic encryption calculation result based on a decoding rule corresponding to the encoding rule to obtain a plurality of multiplication tuples in one-to-one correspondence with the plurality of sub-matrices and the plurality of sub-vectors;
and taking the plurality of multiplication tuples as calculation auxiliary parameters, and carrying out multiparty security calculation on the privacy data maintained by the first computing device and the privacy data maintained by the second computing device.
In a second aspect, the present specification provides a secure computing method based on private data, for use with a second computing device, the method comprising:
Obtaining a plurality of sub-vectors, and encoding the plurality of sub-vectors based on an encoding rule corresponding to a supported homomorphic encryption algorithm to obtain a corresponding target vector;
encrypting the target vector to obtain a corresponding ciphertext vector, and sending the ciphertext vector to a first computing device, so that the first computing device performs homomorphic encryption calculation on the ciphertext vector and a target matrix to obtain a homomorphic encryption calculation result; the target matrix is a matrix obtained by the first computing device through encoding the obtained multiple sub-matrices corresponding to the multiple sub-vectors one by one based on an encoding rule corresponding to the supported homomorphic encryption algorithm; the number of columns of the target matrix and the number of elements contained in the target vector are equal to the polynomial order adopted by the homomorphic encryption algorithm;
decoding the homomorphic encryption calculation result based on a decoding rule corresponding to the encoding rule to obtain a plurality of multiplication tuples corresponding to the plurality of submatrices and the plurality of subvectors one to one;
and taking the plurality of multiplication tuples as calculation auxiliary parameters, and carrying out multiparty security calculation on the privacy data maintained by the first computing device and the privacy data maintained by the second computing device.
In a third aspect, the present specification provides a secure computing apparatus based on private data for application to a first computing device, the apparatus comprising:
the first acquisition unit is used for acquiring a plurality of sub-matrixes, and encoding the plurality of sub-matrixes based on an encoding rule corresponding to a supported homomorphic encryption algorithm to obtain a corresponding target matrix;
a second obtaining unit, configured to obtain a ciphertext vector sent by a second computing device; the ciphertext vector is a vector obtained by encrypting a target vector by the second computing device, and the target vector is a vector obtained by encoding a plurality of sub-vectors which are obtained by the second computing device and are in one-to-one correspondence with the plurality of sub-matrices based on an encoding rule corresponding to a supported homomorphic encryption algorithm; the number of columns of the target matrix and the number of elements contained in the target vector are equal to the polynomial order adopted by the homomorphic encryption algorithm;
the encryption calculation unit is used for performing homomorphic encryption calculation on the target matrix and the ciphertext vector to obtain a homomorphic encryption calculation result, and decoding the homomorphic encryption calculation result based on a decoding rule corresponding to the encoding rule to obtain a plurality of multiplication tuples in one-to-one correspondence with the plurality of sub-matrices and the plurality of sub-vectors;
And the security calculation unit is used for carrying out multiparty security calculation aiming at the privacy data maintained by the first computing device and the privacy data maintained by the second computing device by taking the multiplication tuples as calculation auxiliary parameters.
In a fourth aspect, the present specification provides a secure computing apparatus for use with a second computing device based on private data, the apparatus comprising:
the acquisition unit is used for acquiring a plurality of sub-vectors, and encoding the plurality of sub-vectors based on an encoding rule corresponding to the supported homomorphic encryption algorithm to obtain a corresponding target vector;
the sending unit is used for encrypting the target vector to obtain a corresponding ciphertext vector, and sending the ciphertext vector to the first computing device so that the first computing device can execute homomorphic encryption calculation on the obtained ciphertext vector and the target matrix to obtain a homomorphic encryption calculation result; the target matrix is a matrix obtained by the first computing device through encoding the obtained multiple sub-matrices corresponding to the multiple sub-vectors one by one based on an encoding rule corresponding to the supported homomorphic encryption algorithm; the number of columns of the target matrix and the number of elements contained in the target vector are equal to the polynomial order adopted by the homomorphic encryption algorithm;
The decoding unit is used for decoding the homomorphic encryption calculation result based on a decoding rule corresponding to the encoding rule to obtain a plurality of multiplication tuples corresponding to the plurality of submatrices and the plurality of subvectors one by one;
and the security calculation unit is used for carrying out multiparty security calculation aiming at the privacy data maintained by the first computing device and the privacy data maintained by the second computing device by taking the multiplication tuples as calculation auxiliary parameters.
Accordingly, the present specification also provides a computing device comprising: a memory and a processor; the memory has stored thereon a computer program executable by the processor; the processor, when executing the computer program, performs the secure computing method based on private data according to the first aspect or the second aspect.
Accordingly, the present specification also provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the privacy data based security calculation method of the first or second aspect described above.
In summary, the first computing device participating in the computation of the multiplication tuple may encode the local multiple small matrices into a target matrix based on the encoding rule corresponding to the homomorphic encryption algorithm, so that the column number of the target matrix is equal to the polynomial order adopted by the homomorphic encryption algorithm. Similarly, the second computing device involved in the multiplication tuple computation may also encode the local plurality of small vectors into a target vector such that the target vector contains a number of elements equal to the polynomial order employed by the homomorphic encryption algorithm. Then, the first computing device may perform homomorphic encryption calculation based on the target matrix and the encrypted target vector sent by the second device, to obtain a corresponding homomorphic addition calculation result. Finally, decoding the homomorphic addition calculation result through a decoding rule corresponding to the encoding rule, so as to obtain a plurality of multiplication tuples corresponding to the plurality of small matrixes and the plurality of small vectors one by one at a time. Each multiplication tuple contains a small matrix and a small vector corresponding to the small matrix. 
Therefore, by encoding the plurality of small matrices and small vectors into a target matrix and a target vector that meet the polynomial order requirement of the homomorphic encryption algorithm, and performing homomorphic encryption calculation directly on the target matrix and the target vector, redundant matrix padding and vector padding are avoided and the small matrices and small vectors are processed in a batch, so that the corresponding multiplication tuples are obtained at one time. This greatly improves the efficiency of computing multiplication tuples, which in turn ensures efficient multiparty secure computation and improves the performance of the computing device.
Drawings
FIG. 1 is a flow chart of a secure computing method based on private data according to an exemplary embodiment;
FIG. 2 is a flow chart of another secure computing method based on private data provided by an exemplary embodiment;
FIG. 3a is a schematic diagram of an encoding method for a matrix according to an exemplary embodiment;
FIG. 3b is a schematic diagram of a coding method for vectors according to an exemplary embodiment;
FIG. 4 is a diagram of homomorphic encryption computation for matrices and vectors provided by an exemplary embodiment;
FIG. 5 is a schematic diagram of a homomorphic encryption computing settlement provided by an exemplary embodiment;
FIG. 6 is a schematic diagram of a secure computing device based on private data according to an exemplary embodiment;
FIG. 7 is a schematic diagram of another secure computing device based on private data according to an example embodiment;
FIG. 8 is a schematic diagram of a computing device provided in an exemplary embodiment.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with one or more embodiments of the present specification. Rather, they are merely examples of apparatus and methods consistent with aspects of one or more embodiments of the present description as detailed in the accompanying claims.
It should be noted that: in other embodiments, the steps of the corresponding method are not necessarily performed in the order shown and described in this specification. In some other embodiments, the method may include more or fewer steps than described in this specification. Furthermore, individual steps described in this specification, in other embodiments, may be described as being split into multiple steps; while various steps described in this specification may be combined into a single step in other embodiments.
In addition, the user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) referred to in this application are information and data authorized by the user or sufficiently authorized by the parties, and the collection, use and processing of relevant data requires compliance with relevant laws and regulations and standards of relevant countries and regions, and is provided with corresponding operation portals for the user to select authorization or denial.
First, some terms in the present specification are explained for the convenience of understanding by those skilled in the art.
(1) BFV homomorphic encryption algorithm: a homomorphic encryption algorithm that supports additive homomorphism and a limited number of homomorphic multiplications, and also supports ciphertext rotation.
(2) Multiparty secure computation (Secure Multi-Party Computation, SMPC): used to solve the problem of privacy-preserving collaborative computation among a group of mutually untrusting participants. SMPC ensures the independence of data inputs and the correctness of the computation, while no party's input data is leaked to the other parties participating in the computation. In multiparty secure computation, how to compute additions and multiplications securely are two of the most important issues; once secure addition and multiplication are supported, any secure computing task can in theory be supported on contemporary computers.
(3) Matrix-vector multiplication tuple (mt): a tuple (u, v, z0, z1) satisfying u×v = z0 + z1, where u is a matrix of shape (m, n), v is a vector of shape (n, 1), and z0 and z1 are both vectors of shape (m, 1). The matrix-vector multiplication tuple is used to assist multiplication in multiparty secure computation. In the multiparty secure computation the first party holds the matrix u and the second party holds the vector v; in the calculated multiplication tuple, the vector z0 is held by the first party and the vector z1 is held by the second party. The first party cannot obtain the vector v and the vector z1 held by the second party, and the second party cannot obtain the matrix u and the vector z0 held by the first party.
(4) Secret sharing (Secret Sharing, SS): the secret information is split in a suitable way and each share is managed by a different participant; no single participant can recover the secret information alone, and only several participants cooperating can recover it. Secret sharing is a common security protocol in multiparty secure computation. Computing multiplications based on secret sharing typically requires matrix-vector multiplication tuples as computation aids.
The scheme of calculating matrix-vector multiplication tuples with BFV homomorphic encryption is mature. However, because the polynomial order adopted by the BFV homomorphic encryption algorithm is 4096 or even larger, the number of columns of the matrix and the number of elements of the vector participating in the calculation are constrained to be at least 4096. In practice, the matrices obtained by a computing device are often small matrices of 128 or 256 columns, and the vectors contain only 128 elements or even fewer. Consequently, when the computing device calculates the multiplication tuple of each matrix and each vector, every matrix and every vector must be heavily padded so that the number of columns of the matrix and the number of elements of the vector are each at least 4096, which makes computing the multiplication tuples extremely inefficient. Alternatively, to reduce the workload of the computing device and preserve its performance, a third party (e.g., a random number server) may calculate the multiplication tuples corresponding to the matrix held by the first party and the vector held by the second party and send the results to the first party and the second party respectively. However, when a third party calculates the multiplication tuples, there is a risk that the multiplication tuples are exposed to the third party, and the security and reliability of the subsequent multiparty secure computation cannot be guaranteed.
Based on the above, the present disclosure provides a technical solution for encoding a plurality of matrices and vectors into a target matrix and a target vector that meet the polynomial order requirement adopted by a homomorphic encryption algorithm, and directly performing homomorphic encryption calculation on the target matrix and the target vector, so as to decode a plurality of multiplication tuples corresponding to the plurality of matrices and vectors based on the homomorphic encryption calculation result, thereby improving the calculation efficiency of the multiplication tuples.
In implementation, the first computing device participating in the computation of the multiplication tuple in the present application may encode a plurality of local small matrices into a target matrix based on the encoding rule corresponding to the homomorphic encryption algorithm, so that the column number of the target matrix is equal to the polynomial order adopted by the homomorphic encryption algorithm. Similarly, the second computing device involved in the multiplication tuple computation may also encode the local plurality of small vectors into a target vector such that the target vector contains a number of elements equal to the polynomial order employed by the homomorphic encryption algorithm. Then, the first computing device may perform homomorphic encryption calculation based on the target matrix and the encrypted target vector sent by the second device, to obtain a corresponding homomorphic addition calculation result. Finally, decoding the homomorphic addition calculation result through a decoding rule corresponding to the encoding rule, so as to obtain a plurality of multiplication tuples corresponding to the plurality of small matrixes and the plurality of small vectors one by one at a time. The multiple multiplication tuples obtained through calculation can be used as calculation auxiliary parameters in the follow-up process, and multiparty security calculation is carried out on the privacy data maintained by the first computing device and the privacy data maintained by the second computing device.
In the technical scheme, the multiple small matrixes and the small vectors are encoded into the target matrix and the target vector which meet the polynomial order requirement adopted by the homomorphic encryption algorithm, so that homomorphic encryption calculation is directly carried out on the target matrix and the target vector, redundant matrix filling and vector filling processes are avoided, batch calculation on the multiple small matrixes and the multiple small vectors is realized, multiple corresponding multiplication tuples are obtained at one time, and the calculation efficiency and the equipment performance of the multiplication tuples are greatly improved. Meanwhile, as the third party is not needed to execute the calculation of the multiplication tuple, the potential safety hazard of the leakage of the multiplication tuple is avoided, and the safety and reliability of multiparty safety calculation are further ensured.
Referring to fig. 1, fig. 1 is a flowchart of a secure computing method based on private data according to an exemplary embodiment. As shown in fig. 1, the method may be applied to a first computing device performing multiparty security calculations. The first computing device may be, for example, a smart wearable device, a smart phone, a tablet computer, a notebook computer, a desktop computer, an on-board computer, a server, etc., which is not specifically limited in this specification. As shown in fig. 1, the method may specifically include the following steps S101-S104.
Step S101, a plurality of sub-matrixes are obtained, and the sub-matrixes are encoded based on an encoding rule corresponding to a supported homomorphic encryption algorithm, so that a corresponding target matrix is obtained.
In an illustrated embodiment, the device currently performing the multiparty security computation may include a first computing device and a second computing device. Before multiparty security computation is performed on private data maintained by a first computing device and private data maintained by a second computing device, corresponding multiplication tuples are typically required to be obtained by homomorphic encryption algorithms based on a matrix held by the first computing device and a vector held by the second computing device. Subsequently, the first computing device and the second computing device may perform multiparty security computation on the private data maintained by the first computing device and the private data maintained by the second computing device using the multiplication tuple as a computation assistance parameter.
In an illustrated embodiment, the homomorphic encryption algorithm may be a BFV homomorphic encryption algorithm. In an embodiment, the homomorphic encryption algorithm may also be a CKKS homomorphic encryption algorithm, or any other possible homomorphic encryption algorithm, which is not specifically limited in this specification.
In an illustrated embodiment, a first computing device obtains a plurality of sub-matrices, wherein each of the plurality of sub-matrices has a number of columns less than a polynomial order employed by a homomorphic encryption algorithm. Illustratively, the homomorphic encryption algorithm is a BFV homomorphic encryption algorithm, the order of a polynomial adopted by the BFV homomorphic encryption algorithm is generally 4096, the number of columns of each of the plurality of submatrices may be 128, 256 or 64, etc., which is not particularly limited in this specification.
In an embodiment, the first computing device may obtain the multiple sub-matrices locally from the device, or the first computing device may obtain the multiple sub-matrices from other computing devices or storage devices that belong to a platform in a wired or wireless manner, which is not specifically limited in this specification.
Further, the first computing device may encode the plurality of sub-matrices into a corresponding target matrix such that a column number of the target matrix is equal to a polynomial order employed by the homomorphic encryption algorithm to support subsequent computation of the corresponding multiplication tuples using the homomorphic encryption algorithm.
In an illustrated embodiment, the first computing device may encode the plurality of sub-matrices based on encoding rules corresponding to the supported homomorphic encryption algorithm, resulting in a corresponding target matrix. Specifically, the first computing device may first reorder the elements included in each of the plurality of sub-matrices, and then encode the rearranged plurality of sub-matrices into corresponding target matrices.
Illustratively, still taking the BFV homomorphic encryption algorithm as an example, the first computing device may rearrange the 1st row of each of the plurality of sub-matrices into the 1st column, cyclically shift the elements in the i-th row of each sub-matrix i-1 positions to the left, and rearrange the shifted i-th row into the i-th column, obtaining the rearranged sub-matrices. Under this rearrangement rule, a sub-matrix that has K rows before rearrangement has K columns after rearrangement, where i takes the values 2, 3, …, K in turn and K is an integer greater than or equal to 1.
Illustratively, taking as an example a BFV homomorphic encryption algorithm with a polynomial order of 8 and sub-matrices of 4 rows × 4 columns each, the first computing device may rearrange each sub-matrix as follows:
(1) The 1st row of each sub-matrix is rearranged into the 1st column.
(2) Each element in the 2nd row is shifted 1 position to the left (the original 2nd element moves to the 1st position, the original 3rd element to the 2nd position, the original 4th element to the 3rd position, and the original 1st element to the 4th position), and the shifted 2nd row is rearranged into the 2nd column.
(3) Each element in the 3rd row is shifted 2 positions to the left (the original 3rd element moves to the 1st position, the original 4th element to the 2nd position, the original 1st element to the 3rd position, and the original 2nd element to the 4th position), and the shifted 3rd row is rearranged into the 3rd column.
(4) Each element in the 4th row is shifted 3 positions to the left (the original 4th element moves to the 1st position, the original 1st element to the 2nd position, the original 2nd element to the 3rd position, and the original 3rd element to the 4th position), and the shifted 4th row is rearranged into the 4th column.
This yields the rearranged sub-matrices, each of which includes 4 rows × 4 columns.
In an embodiment, the target matrix obtained based on the rearranged multiple sub-matrices may include K matrix blocks corresponding to K columns of each sub-matrix, where each matrix block of the K matrix blocks may include multiple columns, and specifically, each matrix block includes a column number equal to the number of the multiple sub-matrices.
For example, still taking the BFV homomorphic encryption algorithm as an example, the first computing device may arrange the j-th columns of each of the rearranged sub-matrices in sequence to form the columns of the j-th matrix block in the target matrix, thereby obtaining the final target matrix, where j takes the values 1, 2, 3, ..., K in sequence.
Illustratively, take as an example the case where the first computing device obtains 2 rearranged sub-matrices, each comprising 4 rows × 4 columns. The process by which the first computing device encodes the 2 rearranged sub-matrices into the corresponding target matrix may be as follows:
(1) The 1st column of the rearranged 1st sub-matrix and the 1st column of the rearranged 2nd sub-matrix are arranged adjacently in sequence to form the 1st matrix block in the target matrix. The 1st matrix block comprises two columns: its 1st column is the 1st column of the rearranged 1st sub-matrix, and its 2nd column is the 1st column of the rearranged 2nd sub-matrix.
(2) The 2nd column of the rearranged 1st sub-matrix and the 2nd column of the rearranged 2nd sub-matrix are arranged adjacently in sequence to form the 2nd matrix block in the target matrix. The 2nd matrix block comprises two columns: its 1st column is the 2nd column of the rearranged 1st sub-matrix, and its 2nd column is the 2nd column of the rearranged 2nd sub-matrix.
(3) The 3rd column of the rearranged 1st sub-matrix and the 3rd column of the rearranged 2nd sub-matrix are arranged adjacently in sequence to form the 3rd matrix block in the target matrix. The 3rd matrix block comprises two columns: its 1st column is the 3rd column of the rearranged 1st sub-matrix, and its 2nd column is the 3rd column of the rearranged 2nd sub-matrix.
(4) The 4th column of the rearranged 1st sub-matrix and the 4th column of the rearranged 2nd sub-matrix are arranged adjacently in sequence to form the 4th matrix block in the target matrix. The 4th matrix block comprises two columns: its 1st column is the 4th column of the rearranged 1st sub-matrix, and its 2nd column is the 4th column of the rearranged 2nd sub-matrix.
At this point, the encoding yields a target matrix comprising 4 rows × 8 columns. The target matrix comprises 4 matrix blocks, each comprising 4 rows × 2 columns.
Step S102, a ciphertext vector sent by the second computing device is obtained.
In one illustrated embodiment, the second computing device obtains a plurality of sub-vectors corresponding one-to-one to the plurality of sub-matrices. The number of elements contained in each of the plurality of sub-vectors is smaller than the polynomial order adopted by the homomorphic encryption algorithm. The homomorphic encryption algorithm is exemplified by a BFV homomorphic encryption algorithm, the polynomial order adopted by the BFV homomorphic encryption algorithm is generally 4096, and the number of elements contained in each of the plurality of subvectors may be 128, 256 or 64, etc., which is not particularly limited in this specification.
In an embodiment, the second computing device may obtain the multiple sub-vectors locally from the device, or the second computing device may obtain the multiple sub-vectors from other computing devices or storage devices that belong to a platform in a wired or wireless manner, which is not specifically limited in this specification.
Further, the second computing device may encode the plurality of sub-vectors into corresponding target vectors such that the number of elements included in the target vector (or the length of the target vector) is equal to the polynomial order employed by the homomorphic encryption algorithm to support subsequent computation of the corresponding multiplication tuples using the homomorphic encryption algorithm.
In an illustrated embodiment, the second computing device may encode the plurality of sub-vectors based on encoding rules corresponding to the supported homomorphic encryption algorithm, resulting in corresponding target vectors.
In an illustrated embodiment, each of the plurality of sub-vectors may include P elements, the target vector encoded based on the plurality of sub-vectors may include P element groups corresponding to the P elements, and each of the P element groups may include a plurality of elements, specifically, the number of elements included in each element group is equal to the number of the plurality of sub-vectors.
Illustratively, still taking the BFV homomorphic encryption algorithm as an example, the second computing device may arrange the x-th elements of each of the plurality of sub-vectors in sequence to form the elements of the x-th element group in the target vector, where x takes the values 1, 2, 3, ..., P in sequence.
Illustratively, taking the polynomial order of 8 employed by the BFV homomorphic encryption algorithm as an example, the second computing device obtains 2 subvectors, each subvector containing 4 elements. The process by which the second computing device encodes the 2 sub-vectors into corresponding target vectors may be as follows:
(1) The 1st element of the 1st sub-vector and the 1st element of the 2nd sub-vector are arranged adjacently in sequence to form the 1st element group in the target vector.
(2) The 2nd element of the 1st sub-vector and the 2nd element of the 2nd sub-vector are arranged adjacently in sequence to form the 2nd element group in the target vector.
(3) The 3rd element of the 1st sub-vector and the 3rd element of the 2nd sub-vector are arranged adjacently in sequence to form the 3rd element group in the target vector.
(4) The 4th element of the 1st sub-vector and the 4th element of the 2nd sub-vector are arranged adjacently in sequence to form the 4th element group in the target vector.
At this point, the encoding yields a target vector that includes 8 elements. The target vector includes 4 element groups, each including 2 elements.
Further, the second computing device encrypts the target vector obtained by encoding to obtain a corresponding ciphertext vector. The second computing device may then transmit the ciphertext vector to the first computing device, and the first computing device receives the ciphertext vector transmitted by the second computing device, accordingly.
Note that, the order of execution of the step S101 and the step S102 is not particularly limited in this specification. In some possible embodiments, the first computing device may also receive the ciphertext vector sent by the second computing device, then encode the ciphertext vector to obtain the target matrix, and so on, which is not limited in this specification.
Step S103, performing homomorphic encryption computation on the target matrix and the ciphertext vector to obtain a homomorphic encryption computation result, and decoding the homomorphic encryption computation result based on a decoding rule corresponding to the encoding rule to obtain a plurality of multiplication tuples in one-to-one correspondence with the plurality of sub-matrices and the plurality of sub-vectors.
In an illustrated embodiment, after obtaining the target matrix and the ciphertext vector, the first computing device may perform homomorphic encryption computation on the target matrix and the ciphertext vector to obtain a corresponding homomorphic encryption computation result. The first computing device may then decode the homomorphic encryption computation result based on a decoding rule corresponding to the encoding rule, thereby obtaining a plurality of multiplication tuples that are in one-to-one correspondence with the plurality of submatrices and the plurality of subvectors.
In one illustrated embodiment, again taking the BFV homomorphic encryption algorithm as an example, the target matrix comprises M rows × N columns, the target vector comprises N elements, and M and N are integers greater than 1. The first computing device may multiply each of the M rows in the target matrix with the ciphertext vector, to obtain M calculation results corresponding to the M rows. In one illustrated embodiment, after each multiplication of one row of the target matrix, the first computing device may perform a rotation operation on the current ciphertext vector, and multiply the next row of the target matrix with the rotated ciphertext vector, until the multiplication of the last row of the target matrix with the ciphertext vector rotated M-1 times is completed.
Then, the first computing device may perform an addition operation on the elements at the corresponding positions in the M computing results, so as to obtain a corresponding homomorphic encryption computing result.
In an illustrated embodiment, taking a BFV homomorphic encryption algorithm as an example, after calculating a corresponding homomorphic encryption calculation result, the first computing device may obtain a target random vector, and decode the target random vector based on a decoding rule corresponding to the encoding rule, so as to obtain a first random vector included in each of a plurality of multiplication tuples corresponding to the plurality of submatrices and the plurality of subvectors one to one.
Further, the first computing device may perform a subtraction operation on the homomorphic encryption computation result and the target random vector to obtain a corresponding ciphertext random result, and send the ciphertext random result to the second computing device. Correspondingly, the second computing device receives the ciphertext random result sent by the first device and decrypts the ciphertext random result to obtain a corresponding plaintext random result. The second computing device may then decode the plaintext random result based on a decoding rule corresponding to the encoding rule, thereby obtaining a second random vector that is included in each of a plurality of multiplication tuples that are one-to-one corresponding to the plurality of submatrices and the plurality of subvectors.
It should be appreciated that, as described in the term explanation section above, any target multiplication tuple of the plurality of multiplication tuples includes: a target sub-matrix of the plurality of sub-matrices, a target sub-vector of the plurality of sub-vectors corresponding to the target sub-matrix, and a first random vector and a second random vector corresponding to the target sub-matrix and the target sub-vector. The multiplication result of the target sub-matrix and the target sub-vector is equal to the sum of the corresponding first random vector and second random vector.
In summary, when the first computing device holds a plurality of sub-matrices and the second computing device holds a plurality of sub-vectors, the method above obtains, in a single computation, a plurality of multiplication tuples in one-to-one correspondence with the plurality of sub-matrices and the plurality of sub-vectors, which greatly improves the efficiency of computing multiplication tuples. The first computing device obtains the plurality of first random vectors in the plurality of multiplication tuples, and the second computing device obtains the plurality of second random vectors in the plurality of multiplication tuples.
Step S104, the multiple multiplication tuples are used as calculation auxiliary parameters, and multiparty security calculation is carried out on the privacy data maintained by the first computing device and the privacy data maintained by the second computing device.
Further, the first computing device and the second computing device may perform multiparty security calculations with respect to the privacy data maintained by the first computing device and the privacy data maintained by the second computing device using the plurality of multiplication tuples as calculation assistance parameters.
In an illustrated embodiment, the first computing device may perform a multiparty security calculation for the privacy data maintained by the first computing device and the privacy data maintained by the second computing device using the plurality of first random vectors in the plurality of multiplication tuples as calculation assistance parameters. Accordingly, the second computing device may perform multiparty security calculations with respect to the privacy data maintained by the first computing device and the privacy data maintained by the second computing device, and so on, using the plurality of second random vectors in the plurality of multiplication tuples as calculation assistance parameters.
Further, referring to fig. 2, fig. 2 is a flow chart of another security computing method based on private data according to an exemplary embodiment. The secure computing method based on privacy data provided in this specification will be described in detail below with reference to fig. 2 from the interactive side of the first computing device and the second computing device. As shown in fig. 2, the method may include the following steps S11 to S24.
Step S11, the second computing device generates a private key, a public key, and a Galois key.
In one illustrated embodiment, still take as an example the case where the first computing device holds multiple matrices, the second computing device holds multiple vectors, and the homomorphic encryption calculation is performed on the first computing device side. First, the second computing device may generate the private key, public key, and Galois key required for this calculation. The private key may be used by the second computing device to encrypt vectors held by the second computing device, and the public key and the Galois key may be used by the first computing device to perform the rotation operations involved in subsequent homomorphic encryption calculations.
In step S12, the second computing device sends the public key and the Galois key to the first computing device.
In an illustrated embodiment, the second computing device sends the public key and the Galois key to the first computing device so that the first computing device can subsequently perform the rotation operations involved in homomorphic encryption calculations using the public key and the Galois key. For details, refer to the description of the embodiments below, which is not repeated here.
In step S13, the first computing device obtains a plurality of original matrices, and fills at least some of the plurality of original matrices to obtain a plurality of sub-matrices corresponding to the plurality of original matrices.
In an illustrated embodiment, it should be appreciated that, for ease of computation, the number of rows and the number of columns of each of the plurality of sub-matrices involved in encoding are each a power of 2. However, in practice, the number of rows and/or columns of an original matrix held by the first computing device may not be a power of 2, for example, 2 rows × 6 columns, or 10 rows × 32 columns, and so on.
Based on this, the first computing device may obtain a plurality of original matrices, and fill at least some of the plurality of original matrices, thereby obtaining a plurality of sub-matrices corresponding to the plurality of original matrices, such that a number of rows and a number of columns of each sub-matrix are equal to a power of 2.
Illustratively, the first computing device may pad the number of rows of the original matrix to the nearest power of 2 and the number of columns of the original matrix to the nearest power of 2 by filling with 0. For example, if a certain original matrix contains 2 rows × 6 columns, the first computing device may pad the number of columns of the original matrix to the nearest power of 2 (i.e. 8) by filling with 0, so as to obtain a sub-matrix (2 rows × 8 columns) corresponding to the original matrix.
In step S14, the first computing device encodes the plurality of sub-matrices based on a preset encoding rule, so as to obtain a corresponding target matrix.
In an illustrated embodiment, after obtaining the plurality of sub-matrices, the first computing device may encode the plurality of sub-matrices based on encoding rules corresponding to the supported homomorphic encryption algorithm to obtain the corresponding target matrix. Reference may be made specifically to the description in step S101 in the corresponding embodiment of fig. 1, and no further description is given here.
Referring to fig. 3a, fig. 3a is a schematic diagram of a coding method for a matrix according to an exemplary embodiment. The encoding process in step S14 will be described in detail below with reference to fig. 3a, taking two sub-matrices of 2 rows by 2 columns, and the polynomial order adopted by the BFV homomorphic encryption algorithm being 4 as an example.
As shown in fig. 3a, the first computing device obtains two sub-matrices, u[1] and u[2], where the number of columns of u[1] and of u[2] is clearly smaller than the polynomial order used by the BFV homomorphic encryption algorithm. Row 1 of u[1] includes the two elements u00 and u01, and row 2 of u[1] includes the two elements u10 and u11. Row 1 of u[2] includes the two elements x00 and x01, and row 2 of u[2] includes the two elements x10 and x11.
As shown in fig. 3a, the first computing device rearranges the 1st row of u[1] into the 1st column, shifts the elements of the 2nd row of u[1] to the left by 1 position, and rearranges the shifted 2nd row into the 2nd column, thereby obtaining a rearranged sub-matrix u[1]'. As shown in fig. 3a, column 1 of u[1]' includes the two elements u00 and u01, and column 2 of u[1]' includes the two elements u11 and u10.
Accordingly, as shown in fig. 3a, the first computing device rearranges the 1st row of u[2] into the 1st column, shifts the elements of the 2nd row of u[2] to the left by 1 position, and rearranges the shifted 2nd row into the 2nd column, thereby obtaining a rearranged sub-matrix u[2]'. As shown in fig. 3a, column 1 of u[2]' includes the two elements x00 and x01, and column 2 of u[2]' includes the two elements x11 and x10.
Further, as shown in fig. 3a, the first computing device arranges the 1st column of u[1]', the 1st column of u[2]', the 2nd column of u[1]', and the 2nd column of u[2]' adjacently in sequence to obtain the target matrix u' shown in fig. 3a. The target matrix u' comprises 2 rows and 4 columns, and meets the requirement of the polynomial order adopted by the BFV homomorphic encryption algorithm.
When implemented, the specific rules for encoding the target matrix u' may be as follows:
When the target matrix actually participates in the calculation, if its number of rows is greater than its number of columns, its number of columns needs to be padded, by filling with 0, until it equals the number of rows.
In step S15, the second computing device obtains a plurality of original vectors, and fills at least some of the plurality of original vectors to obtain a plurality of sub-vectors corresponding to the plurality of original vectors.
In the same manner as in step S13, for convenience of calculation, the number of elements included in each of the plurality of sub-vectors participating in encoding (or the length of the sub-vector) is a power of 2. However, in practice, the number of elements contained in an original vector held by the second computing device may not be a power of 2, for example, 6 elements, or 12 elements, or the like.
Based on this, the second computing device may obtain a plurality of original vectors, and fill at least some of the plurality of original vectors, thereby obtaining a plurality of sub-vectors corresponding to the plurality of original vectors, such that the number of elements contained in each sub-vector is equal to the power of 2.
Illustratively, the second computing device may pad the number of elements contained in the original vector to the nearest power of 2 by filling with 0. For example, if a certain original vector contains 12 elements, the second computing device may pad the number of elements contained in the original vector to the nearest power of 2 (i.e. 16) by filling with 0, so as to obtain a sub-vector (containing 16 elements) corresponding to the original vector.
In step S16, the second computing device encodes the plurality of sub-vectors based on a preset encoding rule, so as to obtain corresponding target vectors.
In an illustrated embodiment, after obtaining the plurality of sub-vectors, the second computing device may encode the plurality of sub-vectors based on encoding rules corresponding to the supported homomorphic encryption algorithm to obtain the corresponding target vectors. Reference may be made specifically to the description in step S102 in the corresponding embodiment of fig. 1, and no further description is given here.
For example, referring to fig. 3b, fig. 3b is a schematic diagram of a coding method for vectors according to an exemplary embodiment. The encoding process in step S16 will be described in detail below with reference to fig. 3b, taking two subvectors of length 2 and the polynomial order of 4 adopted by the BFV homomorphic encryption algorithm as an example.
As shown in fig. 3b, the second computing device obtains two sub-vectors, v[1] and v[2], where v[1] and v[2] each clearly contain fewer elements than the polynomial order employed by the BFV homomorphic encryption algorithm. v[1] comprises the two elements v0 and v1, and v[2] comprises the two elements y0 and y1.
As shown in fig. 3b, the first computing device arranges the 1st element of v[1], the 1st element of v[2], the 2nd element of v[1], and the 2nd element of v[2] adjacently in sequence to obtain the target vector v' shown in fig. 3b. The target vector v' contains 4 elements and meets the requirement of the polynomial order adopted by the BFV homomorphic encryption algorithm.
When implemented, the specific rules for encoding the resulting target vector v' may be as follows:
In step S17, the second computing device encrypts the target vector based on the generated private key, to obtain a corresponding ciphertext vector.
In an illustrated embodiment, as shown in fig. 3b, after the second computing device obtains the target vector v' by encoding, it may encrypt the target vector v' based on the private key generated in step S11 to obtain the corresponding ciphertext vector enc(v'). This prevents the vectors held by the second computing device from being leaked to the first computing device, and thus ensures the security and reliability of the subsequent multiparty secure computation.
In step S18, the second computing device sends the ciphertext vector to the first computing device.
Further, the second computing device transmits the ciphertext vector enc(v') to the first computing device, and, accordingly, the first computing device receives the ciphertext vector enc(v').
In step S19, the first computing device performs homomorphic encryption computation on the target matrix and the ciphertext vector, to obtain a homomorphic encryption computation result.
Further, the first computing device may perform homomorphic encryption computation on the target matrix and the ciphertext vector after obtaining the target matrix and the target vector, to obtain a homomorphic encryption computation result. Reference may be made specifically to the description in step S101 in the corresponding embodiment of fig. 1, and no further description is given here.
Referring to fig. 4, fig. 4 is a schematic diagram illustrating homomorphic encryption computation for matrices and vectors according to an exemplary embodiment. Taking the target matrix and the target vector obtained by encoding in fig. 3a and fig. 3b as an example, the homomorphic encryption calculation process of the target matrix and the target vector in the present specification will be described in detail with reference to fig. 4.
As shown in fig. 4, the first computing device multiplies the 1st row (u00, x00, u11, x11) of the target matrix u' with the ciphertext vector enc(v') (i.e., a plaintext-ciphertext multiplication) to obtain the calculation result corresponding to the 1st row of the target matrix u'.
Then, as shown in fig. 4, the first computing device performs a rotation operation on the ciphertext vector enc(v'), based on the rotation key for vector rotation (i.e., the Galois key) transmitted by the second computing device, resulting in a rotated ciphertext vector enc(v')'. In an illustrated embodiment, the first computing device may also perform the rotation operation on the ciphertext vector enc(v') based on the Galois key and the public key sent by the second computing device. Alternatively, the first computing device may perform the rotation operation on the ciphertext vector enc(v') by methods other than the Galois key, which is not specifically limited in this specification.
The number of positions rotated in the rotation operation is equal to the number of sub-vectors used for encoding. As shown in fig. 4, if the number of sub-vectors is 2, the rotation is by 2 positions, and the ciphertext vector enc(v')' obtained by rotating 2 positions contains, in order, v1, y1, v0, and y0.
Then, as shown in fig. 4, the first computing device multiplies the 2nd row (u01, x01, u10, x10) of the target matrix u' with the rotated ciphertext vector enc(v')' (i.e., a plaintext-ciphertext multiplication) to obtain the calculation result corresponding to the 2nd row of the target matrix u'.
Then, as shown in fig. 4, the first computing device may add the elements at corresponding positions in the two calculation results, so as to obtain the homomorphic encryption calculation result enc(z) corresponding to the ciphertext vector enc(v') and the target matrix u'.
As shown in fig. 4, the homomorphic encryption calculation result enc(z) is a vector containing 4 elements. The 1st element in enc(z) is the result of multiplying row 1 of sub-matrix u[1] by sub-vector v[1] (u00×v0+u01×v1). The 2nd element in enc(z) is the result of multiplying row 1 of sub-matrix u[2] by sub-vector v[2] (x00×y0+x01×y1). The 3rd element in enc(z) is the result of multiplying row 2 of sub-matrix u[1] by sub-vector v[1] (u10×v0+u11×v1). The 4th element in enc(z) is the result of multiplying row 2 of sub-matrix u[2] by sub-vector v[2] (x10×y0+x11×y1).
Further, referring to fig. 5, fig. 5 is a schematic diagram of a homomorphic encryption computing settlement according to an exemplary embodiment. As shown in fig. 5, based on the homomorphic encryption calculation result of the target matrix u' and the ciphertext vector enc(v'), the homomorphic encryption calculation result of sub-matrix u[1] and sub-vector v[1] and the homomorphic encryption calculation result of sub-matrix u[2] and sub-vector v[2] can be obtained by decoding and splitting. In this way, performing homomorphic encryption calculation on the encoded target matrix and target vector yields the homomorphic encryption calculation results of a plurality of sub-matrices and a plurality of sub-vectors in one batch. Similarly, the multiplication tuple corresponding to sub-matrix u[1] and sub-vector v[1] and the multiplication tuple corresponding to sub-matrix u[2] and sub-vector v[2] can subsequently be obtained based on the homomorphic encryption calculation result enc(z), so that a plurality of multiplication tuples corresponding to a plurality of sub-matrices and a plurality of sub-vectors are calculated in one batch.
In step S20, the first computing device obtains the target random vector, and decodes the target random vector based on the decoding rule corresponding to the encoding rule, to obtain the first random vectors respectively included in the plurality of multiplication tuples in one-to-one correspondence with the plurality of sub-matrices and the plurality of sub-vectors.
In an illustrated embodiment, the first computing device may randomly acquire a vector, such as the target random vector r, after computing the homomorphic encryption computing result enc(z). The first computing device may then decode the target random vector r based on a decoding rule corresponding to the encoding rule described above, thereby obtaining the first random vector included in each of the plurality of multiplication tuples in one-to-one correspondence with the plurality of sub-matrices.
Illustratively, again take the above-described sub-matrix u[1], sub-matrix u[2], sub-vector v[1], and sub-vector v[2] as an example. The first computing device obtains a target random vector r, and decodes the target random vector r based on a decoding rule corresponding to the encoding rule to obtain the first random vector z0[1] in the multiplication tuple mt[1] corresponding to sub-matrix u[1] and sub-vector v[1], and the first random vector z0[2] in the multiplication tuple mt[2] corresponding to sub-matrix u[2] and sub-vector v[2].
In implementation, the specific rule for obtaining the first random vector z0 based on the target random vector r may be as follows:
In step S21, the first computing device performs a subtraction operation on the homomorphic encryption calculation result and the target random vector, to obtain a corresponding ciphertext random result.
Further, the first computing device may perform a subtraction operation on the homomorphic encryption computing result enc(z) and the randomly acquired target random vector r, so as to obtain a corresponding ciphertext random result enc(z-r).
It should be noted that, the sequence of calculating the first random vector and the ciphertext random result is not specifically limited in this specification. In some possible embodiments, after the first computing device obtains the target random vector, the first computing device may also calculate the ciphertext random result first, and then decode the target random vector to obtain the plurality of first random vectors.
In step S22, the first computing device sends the ciphertext random result to the second computing device.
Further, the first computing device sends the ciphertext random result enc (z-r) to the second computing device, and the second computing device receives the ciphertext random result enc (z-r), accordingly. The ciphertext random result enc (z-r) may be used by a subsequent second computing device to compute a second random vector that is included by each of the plurality of multiplication tuples having a one-to-one correspondence with the plurality of submatrices.
And S23, the second computing equipment decrypts the ciphertext random result based on the private key to obtain a corresponding plaintext random result.
In an embodiment, after receiving the ciphertext random result enc (z-r) sent by the first computing device, the second computing device may decrypt the ciphertext random result enc (z-r) based on the private key generated in step S11, to obtain a corresponding plaintext random result (z-r). Therefore, the private key is only owned by the second computing device, so that the first computing device cannot know a plurality of sub-vectors owned by the second computing device and a plurality of second random vectors obtained by subsequent computation.
In step S24, the second computing device decodes the plaintext random result based on a decoding rule corresponding to the encoding rule, to obtain a plurality of submatrices and a plurality of second random vectors respectively included in the plurality of multiplication tuples corresponding to the plurality of submatrices.
In an illustrated embodiment, the second computing device may decode the plaintext random result (z-r) based on a decoding rule corresponding to the encoding rule described above, thereby obtaining a second random vector that is included in each of a plurality of multiplication tuples in one-to-one correspondence with a plurality of sub-matrices and a plurality of sub-vectors.
Illustratively, the sub-matrix u[1], sub-matrix u[2], sub-vector v[1] and sub-vector v[2] described above are again taken as examples. The second computing device obtains the plaintext random result (z-r) by decryption and decodes it based on a decoding rule corresponding to the encoding rule, resulting in a second random vector z1[1] in the multiplication tuple mt[1] corresponding to the sub-matrix u[1] and the sub-vector v[1], and a second random vector z1[2] in the multiplication tuple mt[2] corresponding to the sub-vector v[2].
As described above, the multiplication tuple mt[1] satisfies u[1] × v[1] = z0[1] + z1[1], and the multiplication tuple mt[2] satisfies u[2] × v[2] = z0[2] + z1[2].
When implemented, a specific rule for obtaining the second random vector z1 based on the ciphertext random result enc (z-r) may be as follows:
In summary, the first computing device participating in the computation of the multiplication tuples can encode its multiple local small matrices into a target matrix based on the encoding rule corresponding to the homomorphic encryption algorithm, so that the number of columns of the target matrix is equal to the polynomial order adopted by the homomorphic encryption algorithm. Similarly, the second computing device participating in the computation can encode its multiple local small vectors into a target vector, so that the number of elements in the target vector is equal to the polynomial order adopted by the homomorphic encryption algorithm. The first computing device may then perform the homomorphic encryption calculation on the target matrix and the encrypted target vector sent by the second computing device, to obtain a corresponding homomorphic addition calculation result. Finally, the homomorphic addition calculation result is decoded through a decoding rule corresponding to the encoding rule, so that the multiplication tuples corresponding one-to-one to the small matrices and the small vectors are all obtained at one time. Each multiplication tuple contains a small matrix and the small vector corresponding to that small matrix.
Thus, by encoding the multiple small matrices and small vectors into a target matrix and a target vector that meet the polynomial order requirement of the homomorphic encryption algorithm, and performing the homomorphic encryption calculation directly on them, redundant matrix padding and vector padding are avoided and the small matrices and small vectors are processed as a batch, so that the corresponding multiplication tuples are obtained at one time. This greatly improves the efficiency of computing multiplication tuples, which in turn keeps the multiparty secure computation efficient and improves the performance of the computing device.
Corresponding to the method flow described above, the embodiments of this specification also provide a secure computing apparatus based on private data, applied to the first computing device. Referring to fig. 6, fig. 6 is a schematic structural diagram of a secure computing apparatus based on private data according to an exemplary embodiment. As shown in fig. 6, the apparatus 30 includes:
a first obtaining unit 301, configured to obtain a plurality of sub-matrices, and encode the plurality of sub-matrices based on an encoding rule corresponding to a supported homomorphic encryption algorithm, to obtain a corresponding target matrix;
a second obtaining unit 302, configured to obtain a ciphertext vector sent by the second computing device; the ciphertext vector is a vector obtained by encrypting a target vector by the second computing device, and the target vector is a vector obtained by encoding a plurality of sub-vectors which are obtained by the second computing device and are in one-to-one correspondence with the plurality of sub-matrices based on an encoding rule corresponding to a supported homomorphic encryption algorithm; the number of columns of the target matrix and the number of elements contained in the target vector are equal to the polynomial order adopted by the homomorphic encryption algorithm;
an encryption calculation unit 303, configured to perform homomorphic encryption calculation on the target matrix and the ciphertext vector, obtain a homomorphic encryption calculation result, and decode the homomorphic encryption calculation result based on a decoding rule corresponding to the encoding rule, so as to obtain a plurality of multiplication tuples corresponding one-to-one to the plurality of sub-matrices and the plurality of sub-vectors;
a secure computing unit 304, configured to perform multiparty secure computation with respect to the private data maintained by the first computing device and the private data maintained by the second computing device, using the plurality of multiplication tuples as computation assistance parameters.
In an illustrated embodiment, the homomorphic encryption algorithm comprises a BFV homomorphic encryption algorithm.
In an illustrated embodiment, the first obtaining unit 301 is specifically configured to:
acquiring a plurality of original matrices, and padding the rows and/or columns of at least some of the original matrices to obtain a plurality of sub-matrices corresponding to the plurality of original matrices; wherein the number of rows and the number of columns of each sub-matrix are each equal to a power of 2.
In an illustrated embodiment, the first obtaining unit 301 is specifically configured to:
rearranging the 1st row of each sub-matrix into a 1st column, shifting the elements in the i-th row of each sub-matrix leftwards by i-1 positions, and rearranging the shifted i-th row into an i-th column, to obtain a plurality of rearranged sub-matrices; wherein each of the rearranged sub-matrices includes K columns, and the target matrix includes K matrix blocks corresponding to the K columns; i takes the values 2, 3, …, K in sequence;
sequentially arranging the j-th columns of each of the rearranged sub-matrices to form the columns of the j-th matrix block in the target matrix; j takes the values 1, 2, 3, …, K in sequence.
In an illustrated embodiment, the target matrix comprises M rows by N columns, M, N being an integer greater than 1; the encryption calculation unit 303 is specifically configured to:
multiplying M rows in the target matrix with the ciphertext vector respectively to obtain M calculation results corresponding to the M rows;
and performing addition operation on elements at corresponding positions in the M calculation results to obtain corresponding homomorphic encryption calculation results.
In an illustrated embodiment, the encryption calculation unit 303 is specifically configured to:
multiplying the y-th row in the target matrix with the ciphertext vector to obtain a corresponding y-th calculation result; y is an integer greater than or equal to 1 and less than M;
based on a rotation key for vector rotation sent by the second computing device, performing a corresponding rotation operation on the ciphertext vector, and multiplying the (y+1)-th row in the target matrix by the rotated ciphertext vector to obtain a corresponding (y+1)-th calculation result.
In an illustrated embodiment, the rotation key comprises a Galois key.
In an embodiment, the number of positions rotated by the rotation operation is equal to the number of the plurality of sub-vectors.
In an illustrated embodiment, the encryption calculation unit 303 is specifically configured to:
obtaining a target random vector, and decoding the target random vector based on a decoding rule corresponding to the encoding rule to obtain the first random vectors respectively included in the plurality of multiplication tuples that correspond one-to-one to the plurality of sub-matrices and the plurality of sub-vectors;
subtracting the homomorphic encryption calculation result from the target random vector to obtain a corresponding ciphertext random result, sending the ciphertext random result to the second computing device, decrypting the ciphertext random result by the second computing device to obtain a corresponding plaintext random result, and decoding the plaintext random result based on a decoding rule corresponding to the encoding rule to obtain the second random vectors respectively included in the plurality of multiplication tuples;
wherein any target multiplication tuple of the plurality of multiplication tuples comprises: a target sub-matrix of the plurality of sub-matrices, a target sub-vector of the plurality of sub-vectors corresponding to the target sub-matrix, a first random vector and a second random vector corresponding to the target sub-matrix and the target sub-vector.
In an illustrated embodiment, the multiplication result of the target sub-matrix and the target sub-vector is equal to the addition result of the corresponding first random vector and the second random vector.
Accordingly, embodiments of the present disclosure also provide a secure computing device based on private data, applied to a second computing device. Referring to fig. 6, fig. 6 is a schematic structural diagram of a secure computing device based on private data according to an exemplary embodiment. As shown in fig. 6, the apparatus 40 includes:
an obtaining unit 401, configured to obtain a plurality of sub-vectors, and encode the plurality of sub-vectors based on an encoding rule corresponding to a supported homomorphic encryption algorithm, to obtain a corresponding target vector;
a sending unit 402, configured to encrypt the target vector to obtain a corresponding ciphertext vector, and send the ciphertext vector to a first computing device, so that the first computing device performs homomorphic encryption computation on the obtained ciphertext vector and a target matrix to obtain a homomorphic encryption computation result; the target matrix is a matrix obtained by the first computing device through encoding the obtained multiple sub-matrices corresponding to the multiple sub-vectors one by one based on an encoding rule corresponding to the supported homomorphic encryption algorithm; the number of columns of the target matrix and the number of elements contained in the target vector are equal to the polynomial order adopted by the homomorphic encryption algorithm;
a decoding unit 403, configured to decode the homomorphic encryption calculation result based on a decoding rule corresponding to the encoding rule, to obtain a plurality of multiplication tuples corresponding one-to-one to the plurality of sub-matrices and the plurality of sub-vectors;
a secure computing unit 404, configured to perform multiparty secure computation with respect to the private data maintained by the first computing device and the private data maintained by the second computing device, using the plurality of multiplication tuples as computation assistance parameters.
In an illustrated embodiment, the homomorphic encryption algorithm comprises a BFV homomorphic encryption algorithm.
In an illustrated embodiment, the obtaining unit 401 is specifically configured to:
acquiring a plurality of original vectors, and padding at least some of the original vectors to obtain a plurality of sub-vectors corresponding to the plurality of original vectors; wherein the number of elements contained in each sub-vector is equal to a power of 2.
In an illustrated embodiment, each sub-vector of the plurality of sub-vectors includes P elements, and the target vector includes P element groups corresponding to the P elements; the acquiring unit 401 is specifically configured to:
sequentially arranging the x-th elements of each of the plurality of sub-vectors to form the elements of the x-th element group in the target vector; x takes the values 1, 2, 3, …, P in sequence.
In an illustrated embodiment, the target matrix comprises M rows by N columns, M, N being an integer greater than 1; the sending unit 402 is specifically configured to:
sending the ciphertext vector to the first computing device, so that the first computing device multiplies the M rows in the target matrix with the ciphertext vector respectively to obtain M calculation results corresponding to the M rows, and performs an addition operation on the elements at corresponding positions in the M calculation results to obtain the corresponding homomorphic encryption calculation result.
In an illustrated embodiment, the sending unit 402 is specifically configured to:
sending the ciphertext vector and a rotation key for vector rotation to the first computing device, so that the first computing device multiplies the y-th row in the target matrix with the ciphertext vector to obtain a corresponding y-th calculation result, performs a corresponding rotation operation on the ciphertext vector based on the rotation key, and multiplies the (y+1)-th row in the target matrix with the rotated ciphertext vector to obtain a corresponding (y+1)-th calculation result; y is an integer greater than or equal to 1 and less than M.
In an illustrated embodiment, the rotation key comprises a Galois key.
In an embodiment, the number of positions rotated by the rotation operation is equal to the number of the plurality of sub-vectors.
In an illustrated embodiment, the decoding unit 403 is specifically configured to:
acquiring a ciphertext random result sent by the first computing device, and decrypting the ciphertext random result to obtain a corresponding plaintext random result; the ciphertext random result is obtained by the first computing device by subtracting the homomorphic encryption calculation result from the obtained target random vector; the target random vector is decoded by the first computing device based on a decoding rule corresponding to the encoding rule so as to obtain the first random vectors respectively included in the plurality of multiplication tuples that correspond one-to-one to the plurality of sub-matrices and the plurality of sub-vectors;
decoding the plaintext random result based on a decoding rule corresponding to the encoding rule to obtain a second random vector included in each of the plurality of multiplication tuples;
wherein any target multiplication tuple of the plurality of multiplication tuples comprises: a target sub-matrix of the plurality of sub-matrices, a target sub-vector of the plurality of sub-vectors corresponding to the target sub-matrix, a first random vector and a second random vector corresponding to the target sub-matrix and the target sub-vector.
In an illustrated embodiment, the result of multiplying the target sub-matrix by the target sub-vector is equal to the result of adding the corresponding first and second random vectors.
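The encoding, rotate-and-multiply and masking steps described for apparatus 30 and apparatus 40 can be traced end to end in a plaintext simulation. The following Python code is an added example, not code from the patent: `SlotCiphertext` is a hypothetical stand-in that performs no encryption, and the square K×K sub-matrices, flat cyclic slot layout, left rotation direction and modulus `T = 65537` are assumptions.

```python
"""Plaintext simulation of the batched multiplication-tuple flow (added example).

SlotCiphertext is a hypothetical stand-in for a BFV ciphertext: it performs no
encryption and only exposes the slot-wise operations the first device needs.
Assumed: square K x K sub-matrices, a flat cyclic slot vector, modulus T.
"""
import secrets

T = 65537  # assumed plaintext modulus


def encode_matrices(mats):
    """Build the target matrix: K rows, K*B columns, block j = j-th columns."""
    B, K = len(mats), len(mats[0])
    target = [[0] * (K * B) for _ in range(K)]
    for b, U in enumerate(mats):
        for j in range(K):
            # Row j of U, shifted left by j, becomes column j of the
            # rearranged sub-matrix; that column lands in block j, slot b.
            for a in range(K):
                target[a][j * B + b] = U[j][(j + a) % K] % T
    return target


def encode_vectors(vecs):
    """Target vector: group x holds the x-th element of every sub-vector."""
    B, P = len(vecs), len(vecs[0])
    return [vecs[b][x] % T for x in range(P) for b in range(B)]


def decode_slots(slots, B):
    """Inverse of encode_vectors: split interleaved slots into B vectors."""
    P = len(slots) // B
    return [[slots[x * B + b] for x in range(P)] for b in range(B)]


class SlotCiphertext:
    """Stand-in ciphertext: slot-wise arithmetic mod T, no real encryption."""

    def __init__(self, slots):
        self.slots = list(slots)

    def rotate(self, steps):
        s, steps = self.slots, steps % len(self.slots)
        return SlotCiphertext(s[steps:] + s[:steps])  # cyclic left rotation

    def mul_plain(self, row):
        return SlotCiphertext((c * p) % T for c, p in zip(self.slots, row))

    def add(self, other):
        return SlotCiphertext((x + y) % T for x, y in zip(self.slots, other.slots))

    def sub_plain(self, plain):
        return SlotCiphertext((c - p) % T for c, p in zip(self.slots, plain))


def first_device(target, ct_vec, B):
    """Return (first random vectors z0, masked ciphertext enc(z - r))."""
    acc, rotated = None, ct_vec
    for row in target:                  # row y uses the vector rotated y*B slots
        term = rotated.mul_plain(row)
        acc = term if acc is None else acc.add(term)
        rotated = rotated.rotate(B)     # rotation count = number of sub-vectors
    # Fresh uniform mask per run: it is what keeps z = u*v hidden from device 2.
    r = [secrets.randbelow(T) for _ in range(len(target[0]))]
    return decode_slots(r, B), acc.sub_plain(r)


def second_device(ct_masked, B):
    """Decrypt (here: read the stand-in slots) and decode the shares z1."""
    return decode_slots(ct_masked.slots, B)


def matvec(U, v):
    """Reference matrix-vector product mod T, used to check the shares."""
    return [sum(a * b for a, b in zip(row, v)) % T for row in U]


def run_demo():
    # Constructed sample data: B = 3 sub-matrices (4 x 4) and sub-vectors.
    mats = [[[17 * b + 4 * i + j + 1 for j in range(4)] for i in range(4)]
            for b in range(3)]
    vecs = [[(b + 1) * (x + 2) for x in range(4)] for b in range(3)]
    B = len(mats)
    ct_vec = SlotCiphertext(encode_vectors(vecs))   # device 2 "encrypts"
    z0, ct_masked = first_device(encode_matrices(mats), ct_vec, B)
    z1 = second_device(ct_masked, B)
    return mats, vecs, z0, z1


if __name__ == "__main__":
    mats, vecs, z0, z1 = run_demo()
    for b, (U, v) in enumerate(zip(mats, vecs)):
        shares = [(x + y) % T for x, y in zip(z0[b], z1[b])]
        print(f"mt[{b + 1}]: u*v = {matvec(U, v)}  z0+z1 = {shares}")
```

Each row of the target matrix is one generalized diagonal of every sub-matrix, which is why rotating the packed vector by the number of sub-vectors between rows lines up the right operands in every slot.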
The implementation of the functions and roles of the units in the above-mentioned apparatus 30 and apparatus 40 is described in the corresponding embodiments of fig. 1 to 5 above and will not be repeated here. It should be understood that the above-mentioned apparatus 30 may be implemented by software, by hardware, or by a combination of hardware and software. Taking software implementation as an example, the apparatus in a logical sense is formed by the CPU (Central Processing Unit) of the device reading the corresponding computer program instructions into memory. In addition to the CPU and the memory, the device in which the above apparatus is located generally includes other hardware, such as a chip for performing wireless signal transmission and reception, and/or a board for implementing a network communication function.
The apparatus embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical modules, i.e., they may be located in one place or distributed over a plurality of network modules. Some or all of the units or modules may be selected according to actual needs to achieve the purposes of the present description. Those of ordinary skill in the art can understand and implement the present invention without undue burden.
The apparatus, units, modules illustrated in the above embodiments may be implemented in particular by a computer chip or entity or by a product having a certain function. A typical implementation device is a computer, which may be in the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email device, game console, tablet computer, wearable device, or a combination of any of these devices.
Corresponding to the method embodiments described above, embodiments of the present specification also provide a computing device. Referring to fig. 7, fig. 7 is a schematic structural diagram of a computing device according to an exemplary embodiment. The computing device 1000 shown in fig. 7 may be the first computing device described above or the second computing device described above. As shown in fig. 7, the computing device 1000 includes a processor 1001 and memory 1002, and may further include an input device 1004 (e.g., keyboard, etc.) and an output device 1005 (e.g., display, etc.). The processor 1001, memory 1002, input devices 1004, and output devices 1005 may be connected by a bus or other means. As shown in fig. 7, the memory 1002 includes a computer-readable storage medium 1003, which computer-readable storage medium 1003 stores a computer program executable by the processor 1001. The processor 1001 may be a general purpose central processing unit, a microprocessor, or an integrated circuit for controlling the execution of the above method embodiments. 
When executing the stored computer program, the processor 1001 may execute the steps of the secure computing method based on private data in the embodiments of the present specification, including: acquiring a plurality of sub-matrices, and encoding the plurality of sub-matrices based on an encoding rule corresponding to the supported homomorphic encryption algorithm to obtain a corresponding target matrix; obtaining a ciphertext vector transmitted by the second computing device; the ciphertext vector is a vector obtained by encrypting a target vector by the second computing device, and the target vector is a vector obtained by encoding a plurality of sub-vectors which are obtained by the second computing device and are in one-to-one correspondence with the plurality of sub-matrices based on an encoding rule corresponding to a supported homomorphic encryption algorithm; the number of columns of the target matrix and the number of elements contained in the target vector are equal to the polynomial order adopted by the homomorphic encryption algorithm; performing homomorphic encryption calculation on the target matrix and the ciphertext vector to obtain a homomorphic encryption calculation result, and decoding the homomorphic encryption calculation result based on a decoding rule corresponding to the encoding rule to obtain a plurality of multiplication tuples corresponding one-to-one to the plurality of sub-matrices and the plurality of sub-vectors; taking the plurality of multiplication tuples as calculation auxiliary parameters, performing multiparty secure computation on the private data maintained by the first computing device and the private data maintained by the second computing device, and the like. For a detailed description of each step of the above secure computing method based on private data, please refer to the previous contents; the detailed description is omitted here.
Corresponding to the above-described method embodiments, embodiments of the present description also provide a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the secure computing method based on private data in the embodiments of the present description. Please refer to the above description of the corresponding embodiments of fig. 1-5, and detailed descriptions thereof are omitted herein.
The foregoing description of the preferred embodiments is provided for the purpose of illustration only, and is not intended to limit the scope of the disclosure, since any modifications, equivalents, improvements, etc. that fall within the spirit and principles of the disclosure are intended to be included within the scope of the disclosure.
In a typical configuration, the terminal device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or nonvolatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of computer-readable media.
Computer-readable media include both permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data.
Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. Computer-readable media, as defined herein, do not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
It will be appreciated by those skilled in the art that embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, embodiments of the present specification may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Moreover, embodiments of the present description may take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.

Claims (24)

1. A secure computing method based on private data, applied to a first computing device, the method comprising:
acquiring a plurality of sub-matrixes, and coding the plurality of sub-matrixes based on coding rules corresponding to the supported homomorphic encryption algorithm to obtain a corresponding target matrix;
obtaining a ciphertext vector transmitted by the second computing device; the ciphertext vector is a vector obtained by encrypting a target vector by the second computing device, and the target vector is a vector obtained by encoding a plurality of sub-vectors which are obtained by the second computing device and are in one-to-one correspondence with the plurality of sub-matrices based on an encoding rule corresponding to a supported homomorphic encryption algorithm; the number of columns of the target matrix and the number of elements contained in the target vector are equal to the polynomial order adopted by the homomorphic encryption algorithm;
performing homomorphic encryption calculation on the target matrix and the ciphertext vector to obtain a homomorphic encryption calculation result, and decoding the homomorphic encryption calculation result based on a decoding rule corresponding to the encoding rule to obtain a plurality of multiplication tuples corresponding one-to-one to the plurality of sub-matrices and the plurality of sub-vectors;
and taking the plurality of multiplication tuples as calculation auxiliary parameters, and carrying out multiparty security calculation on the privacy data maintained by the first computing device and the privacy data maintained by the second computing device.
2. The method of claim 1, the homomorphic encryption algorithm comprising a BFV homomorphic encryption algorithm.
3. The method of claim 1, the obtaining a plurality of sub-matrices, comprising:
acquiring a plurality of original matrices, and padding the rows and/or columns of at least some of the original matrices to obtain a plurality of sub-matrices corresponding to the plurality of original matrices; wherein the number of rows and the number of columns of each sub-matrix are each equal to a power of 2.
4. The method of claim 2, wherein the encoding the plurality of sub-matrices based on the encoding rules corresponding to the supported homomorphic encryption algorithm results in a corresponding target matrix, comprising:
rearranging the 1st row of each sub-matrix into a 1st column, shifting the elements in the i-th row of each sub-matrix leftwards by i-1 positions, and rearranging the shifted i-th row into an i-th column, to obtain a plurality of rearranged sub-matrices; wherein each of the rearranged sub-matrices includes K columns, and the target matrix includes K matrix blocks corresponding to the K columns; i takes the values 2, 3, …, K in sequence;
sequentially arranging the j-th columns of each of the rearranged sub-matrices to form the columns of the j-th matrix block in the target matrix; j takes the values 1, 2, 3, …, K in sequence.
5. The method of claim 1, the target matrix comprising M rows by N columns, M, N being an integer greater than 1; and executing homomorphic encryption calculation on the target matrix and the ciphertext vector to obtain a homomorphic encryption calculation result, wherein the homomorphic encryption calculation result comprises the following steps of:
multiplying M rows in the target matrix with the ciphertext vector respectively to obtain M calculation results corresponding to the M rows;
and performing addition operation on elements at corresponding positions in the M calculation results to obtain corresponding homomorphic encryption calculation results.
6. The method of claim 5, wherein multiplying M rows in the target matrix with the ciphertext vector to obtain M calculation results corresponding to the M rows, respectively, includes:
multiplying the y-th row in the target matrix with the ciphertext vector to obtain a corresponding y-th calculation result; y is an integer greater than or equal to 1 and less than M;
based on a rotation key for vector rotation sent by the second computing device, performing a corresponding rotation operation on the ciphertext vector, and multiplying the (y+1)-th row in the target matrix by the rotated ciphertext vector to obtain a corresponding (y+1)-th calculation result.
7. The method of claim 6, the rotation key comprising a Galois key.
8. The method of claim 6, the number of positions rotated by the rotation operation being equal to the number of the plurality of sub-vectors.
9. The method of claim 5, the decoding the homomorphic encryption computation result based on a decoding rule corresponding to the encoding rule, resulting in a plurality of multiplication tuples that are in one-to-one correspondence with the plurality of submatrices and the plurality of subvectors, comprising:
obtaining a target random vector, and decoding the target random vector based on a decoding rule corresponding to the encoding rule to obtain the first random vectors respectively included in the plurality of multiplication tuples that correspond one-to-one to the plurality of sub-matrices and the plurality of sub-vectors;
subtracting the homomorphic encryption calculation result from the target random vector to obtain a corresponding ciphertext random result, sending the ciphertext random result to the second computing device, decrypting the ciphertext random result by the second computing device to obtain a corresponding plaintext random result, and decoding the plaintext random result based on a decoding rule corresponding to the encoding rule to obtain the second random vectors respectively included in the plurality of multiplication tuples;
wherein any target multiplication tuple of the plurality of multiplication tuples comprises: a target sub-matrix of the plurality of sub-matrices, a target sub-vector of the plurality of sub-vectors corresponding to the target sub-matrix, a first random vector and a second random vector corresponding to the target sub-matrix and the target sub-vector.
10. The method of claim 9, the multiplication result of the target sub-matrix and the target sub-vector being equal to the addition result of the corresponding first and second random vectors.
11. A secure computing method based on private data applied to a second computing device, the method comprising:
obtaining a plurality of sub-vectors, and encoding the plurality of sub-vectors based on an encoding rule corresponding to a supported homomorphic encryption algorithm to obtain a corresponding target vector;
encrypting the target vector to obtain a corresponding ciphertext vector, and sending the ciphertext vector to a first computing device, so that the first computing device performs homomorphic encryption calculation on the ciphertext vector and a target matrix to obtain a homomorphic encryption calculation result; the target matrix is a matrix obtained by the first computing device through encoding the obtained multiple sub-matrices corresponding to the multiple sub-vectors one by one based on an encoding rule corresponding to the supported homomorphic encryption algorithm; the number of columns of the target matrix and the number of elements contained in the target vector are equal to the polynomial order adopted by the homomorphic encryption algorithm;
decoding the homomorphic encryption calculation result based on a decoding rule corresponding to the encoding rule to obtain a plurality of multiplication tuples corresponding to the plurality of submatrices and the plurality of subvectors one to one;
and taking the plurality of multiplication tuples as calculation auxiliary parameters, and carrying out multiparty security calculation on the privacy data maintained by the first computing device and the privacy data maintained by the second computing device.
12. The method of claim 11, the homomorphic encryption algorithm comprising a BFV homomorphic encryption algorithm.
13. The method of claim 11, the obtaining a plurality of sub-vectors, comprising:
acquiring a plurality of original vectors, and filling at least part of the original vectors in the plurality of original vectors to obtain a plurality of sub-vectors corresponding to the plurality of original vectors; wherein the number of elements contained in each sub-vector is equal to a power of 2.
14. The method of claim 12, each sub-vector of the plurality of sub-vectors comprising P elements, the target vector comprising P element groups corresponding to the P elements;
the coding of the plurality of sub-vectors based on the coding rules corresponding to the supported homomorphic encryption algorithm to obtain corresponding target vectors comprises the following steps:
sequentially arranging the x-th elements of each of the plurality of sub-vectors to form a plurality of elements in an x-th element group in the target vector; x takes the values 1, 2, 3, …, P in sequence.
15. The method of claim 11, the target matrix comprising M rows by N columns, M and N being integers greater than 1; the sending the ciphertext vector to the first computing device, so that the first computing device performs homomorphic encryption computation on the obtained ciphertext vector and a target matrix to obtain a homomorphic encryption computation result, including:
sending the ciphertext vector to the first computing device, so that the first computing device multiplies M rows in the target matrix with the ciphertext vector respectively to obtain M computing results corresponding to the M rows, and performs addition operation on elements in corresponding positions in the M computing results to obtain corresponding homomorphic encryption computing results.
16. The method of claim 15, the sending the ciphertext vector to the first computing device to cause the first computing device to multiply M rows in the target matrix with the ciphertext vector, respectively, to obtain M computation results corresponding to the M rows, including:
sending the ciphertext vector and a rotation key for vector rotation to the first computing device, so that the first computing device multiplies the y-th row in the target matrix with the ciphertext vector to obtain a corresponding y-th calculation result, and executes corresponding rotation operation on the ciphertext vector based on the rotation key, and multiplies the y+1-th row in the target matrix with the rotated ciphertext vector to obtain a corresponding y+1-th calculation result; y is an integer greater than or equal to 1 and less than M.
17. The method of claim 16, the rotation key comprising a galois key.
18. The method of claim 16, the rotation operation corresponding to a number of rotation bits equal to a number of the plurality of sub-vectors.
19. The method of claim 15, the decoding the homomorphic encryption computation result based on a decoding rule corresponding to the encoding rule, resulting in a plurality of multiplication tuples that are one-to-one corresponding to the plurality of submatrices and the plurality of subvectors, comprising:
acquiring a ciphertext random result sent by the first computing device, and decrypting the ciphertext random result to obtain a corresponding plaintext random result; the ciphertext random result is obtained by subtracting the homomorphic encryption calculation result from the obtained target random vector by the first calculation device; the target random vector is used for decoding by the first computing device based on a decoding rule corresponding to the encoding rule so as to obtain first random vectors respectively included by the plurality of multiplication tuples in one-to-one correspondence with the plurality of sub-matrices and the plurality of sub-vectors;
decoding the plaintext random result based on a decoding rule corresponding to the encoding rule to obtain a second random vector included in each of the plurality of multiplication tuples;
wherein any target multiplication tuple of the plurality of multiplication tuples comprises: a target sub-matrix of the plurality of sub-matrices, a target sub-vector of the plurality of sub-vectors corresponding to the target sub-matrix, a first random vector and a second random vector corresponding to the target sub-matrix and the target sub-vector.
20. The method of claim 19, the multiplication result of the target sub-matrix and the target sub-vector being equal to the addition result of the corresponding first and second random vectors.
21. A secure computing device based on private data for application to a first computing device, the device comprising:
the first acquisition unit is used for acquiring a plurality of sub-matrixes, and encoding the plurality of sub-matrixes based on an encoding rule corresponding to a supported homomorphic encryption algorithm to obtain a corresponding target matrix;
a second obtaining unit, configured to obtain a ciphertext vector sent by a second computing device; the ciphertext vector is a vector obtained by encrypting a target vector by the second computing device, and the target vector is a vector obtained by encoding a plurality of sub-vectors which are obtained by the second computing device and are in one-to-one correspondence with the plurality of sub-matrices based on an encoding rule corresponding to a supported homomorphic encryption algorithm; the number of columns of the target matrix and the number of elements contained in the target vector are equal to the polynomial order adopted by the homomorphic encryption algorithm;
the encryption calculation unit is used for executing homomorphic encryption calculation on the target matrix and the ciphertext vector to obtain homomorphic encryption calculation results, and decoding the homomorphic encryption calculation results based on decoding rules corresponding to the coding rules to obtain a plurality of multiplication tuples which are in one-to-one correspondence with the plurality of sub-matrices and the plurality of sub-vectors;
and the security calculation unit is used for carrying out multiparty security calculation aiming at the privacy data maintained by the first computing device and the privacy data maintained by the second computing device by taking the multiplication tuples as calculation auxiliary parameters.
22. A secure computing device based on private data for application to a second computing device, the device comprising:
the acquisition unit is used for acquiring a plurality of sub-vectors, and encoding the plurality of sub-vectors based on an encoding rule corresponding to the supported homomorphic encryption algorithm to obtain a corresponding target vector;
the sending unit is used for encrypting the target vector to obtain a corresponding ciphertext vector, and sending the ciphertext vector to the first computing device so that the first computing device can execute homomorphic encryption calculation on the obtained ciphertext vector and the target matrix to obtain a homomorphic encryption calculation result; the target matrix is a matrix obtained by the first computing device through encoding the obtained multiple sub-matrices corresponding to the multiple sub-vectors one by one based on an encoding rule corresponding to the supported homomorphic encryption algorithm; the number of columns of the target matrix and the number of elements contained in the target vector are equal to the polynomial order adopted by the homomorphic encryption algorithm;
the decoding unit is used for decoding the homomorphic encryption calculation result based on a decoding rule corresponding to the encoding rule to obtain a plurality of multiplication tuples corresponding to the plurality of submatrices and the plurality of subvectors one by one;
and the security calculation unit is used for carrying out multiparty security calculation aiming at the privacy data maintained by the first computing device and the privacy data maintained by the second computing device by taking the multiplication tuples as calculation auxiliary parameters.
23. A computing device, comprising: a memory and a processor; the memory has stored thereon a computer program executable by the processor; the processor, when running the computer program, performs the method of any one of claims 1 to 10 or claims 11 to 21.
24. A computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the method of any of claims 1 to 10 or claims 11 to 21.
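The packing, rotation and masking steps of claims 14 to 20 can be checked in plaintext. The following Python sketch is an added example, not code from the patent: it replaces ciphertext operations with slot-wise arithmetic modulo an assumed plaintext modulus `T`, assumes square P×P sub-matrices encoded by generalized diagonals (the matrix encoding rule is not stated in these claims), and picks the masking direction so that the relation in claim 20 holds.

```python
import random

T = 65537  # assumed plaintext modulus; stands in for the BFV plaintext space

def encode_vectors(subvecs):
    """Claim 14: the x-th element group holds the x-th element of every sub-vector."""
    P = len(subvecs[0])
    return [v[x] % T for x in range(P) for v in subvecs]

def encode_matrices(submats):
    """Assumed rule: row y interleaves the y-th generalized diagonal of each sub-matrix."""
    P = len(submats[0])
    return [[A[i][(i + y) % P] % T for i in range(P) for A in submats]
            for y in range(P)]

def rotate(vec, k):
    """Cyclic left rotation by k slots (done on ciphertext with the rotation key)."""
    return vec[k:] + vec[:k]

def he_matvec(target_matrix, ct, K):
    """Claims 15-18: multiply row y by the vector rotated y*K slots, add position-wise."""
    acc = [0] * len(ct)
    for row in target_matrix:
        acc = [(a + r * c) % T for a, r, c in zip(acc, row, ct)]
        ct = rotate(ct, K)  # rotation amount equals the number of sub-vectors
    return acc

def decode(packed, K):
    """Inverse of the vector encoding: slot i*K + k is position i of tuple k."""
    return [packed[k::K] for k in range(K)]

def make_tuples(submats, subvecs, rng):
    """Return (first random vectors, second random vectors), one pair per tuple."""
    K = len(subvecs)
    ct = encode_vectors(subvecs)  # stands in for the encrypted target vector
    result = he_matvec(encode_matrices(submats), ct, K)
    R = [rng.randrange(T) for _ in result]  # first device's target random vector
    masked = [(x - r) % T for x, r in zip(result, R)]  # decrypted by second device
    return decode(R, K), decode(masked, K)

def matvec(A, v):
    """Reference plaintext product, used only to check the tuples."""
    return [sum(a * b for a, b in zip(row, v)) % T for row in A]
```

Each party ends up holding one additive share of every product: the first device keeps the decoded random vector, and the second device learns only the masked difference.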

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310224647.1A CN116484395A (en) 2023-03-08 2023-03-08 Security calculation method based on privacy data and related equipment

Publications (1)

Publication Number Publication Date
CN116484395A true CN116484395A (en) 2023-07-25

Family

ID=87222110

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117171772A (en) * 2023-09-13 2023-12-05 北京海泰方圆科技股份有限公司 Method and device for determining data intersection
CN117574450A (en) * 2023-11-24 2024-02-20 鸿秦(北京)科技有限公司 Data processing system based on homomorphic encryption algorithm
CN117574450B (en) * 2023-11-24 2024-04-05 鸿秦(北京)科技有限公司 Data processing system based on homomorphic encryption algorithm
CN117440103A (en) * 2023-12-20 2024-01-23 山东大学 Privacy data processing method and system based on homomorphic encryption and space optimization
CN117440103B (en) * 2023-12-20 2024-03-08 山东大学 Privacy data processing method and system based on homomorphic encryption and space optimization

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination