CN117134906A - Multiparty privacy exchange method and related device - Google Patents

Publication number
CN117134906A
Authority
CN
China
Prior art keywords
data
random number
ciphertext
intersection
ciphertext set
Legal status
Pending
Application number
CN202311205086.7A
Other languages
Chinese (zh)
Inventor
贺双洪
李昊轩
廖飞强
鄢新义
王朝阳
李辉忠
张开翔
范瑞彬
Current Assignee
WeBank Co Ltd
Original Assignee
WeBank Co Ltd
Application filed by WeBank Co Ltd
Priority to CN202311205086.7A
Publication of CN117134906A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/46 Secure multiparty computation, e.g. millionaire problem

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a multiparty privacy intersection method and a related device, wherein the multiparty privacy intersection method comprises the steps of: generating a first ciphertext set according to a first random number and an initial data set of a first device; transmitting the first ciphertext set to a second device, and transmitting the first random number to each of at least one third device; receiving a third ciphertext set, a fourth ciphertext set, and a first number set from the second device; removing the first encryption attribute of the data in the third ciphertext set by using a third random number to obtain a fifth ciphertext set; performing intersection on the fourth ciphertext set and the fifth ciphertext set to obtain a second intersection, and recording a third number set of the second intersection; and determining, in the initial data set of the first device, the target data whose numbers are the same as the numbers in the third number set. By selecting one party from a plurality of data processing devices as the data processing party, the technical scheme can reduce the number of encryption and decryption operations in the intersection process, improve the calculation efficiency and save the calculation cost and the communication cost.

Description

Multiparty privacy exchange method and related device
Technical Field
The application relates to the technical field of privacy computation, in particular to a multiparty privacy intersection method and a related device.
Background
Privacy-preserving set intersection (abbreviated as privacy intersection; Private Set Intersection, PSI) is a widely applied protocol in the field of secure multiparty computation. It is used to complete data collision between parties under the premise of privacy protection and to obtain the intersection of their data, while no party can acquire specific sensitive information about the data set of the other party. PSI plays a very important role in scenarios such as contact discovery, measuring the effect of marketing advertisement placement, compliant data sharing flows, and federated learning.
In the related art, although the security is higher, the encoding is complex, and a large amount of calculation and communication overhead is usually introduced, so that the whole calculation process needs a long time.
Disclosure of Invention
The application provides a multiparty privacy intersection method and a related device, wherein one party is selected from all data participants as a data processing party, so that the number of encryption and decryption operations in the intersection process can be reduced as much as possible, the calculation efficiency is improved, and the calculation cost and the communication cost are saved.
In a first aspect, an embodiment of the present application provides a multiparty privacy intersection method, which is applied to a first device in a privacy intersection system, where the privacy intersection system includes the first device, a second device, and at least one third device; the method comprises the following steps:
Generating a first ciphertext set according to a first random number and an initial data set of the first device, wherein each data in the initial data set of the first device has a unique number, the numbers of any two data are different, and the number of the same data before encryption is the same as the number after encryption;
transmitting the first ciphertext set to the second device, and transmitting the first random number to each of the at least one third device, wherein the first random number is used for indicating at least one second ciphertext set, and a single second ciphertext set is a ciphertext set generated by encrypting an initial data set of the corresponding third device by the first random number;
receiving a third ciphertext set, a fourth ciphertext set and a first number set from the second device, wherein the third ciphertext set is the ciphertext set generated from a first intersection by a second random number, the first intersection is an intersection of the first ciphertext set and the at least one second ciphertext set, the fourth ciphertext set is a ciphertext set generated by encrypting an initial data set of the second device by the second random number, the first number set is a set of numbers of data contained in the third ciphertext set, the first number set is the same as a second number set corresponding to the first intersection, and the second number set is a set of numbers of data contained in the first intersection;
Removing a first encryption attribute of data in the third ciphertext set by using a third random number to obtain a fifth ciphertext set, wherein the first encryption attribute is a ciphertext feature attribute encrypted by using the first random number;
performing intersection on the fourth ciphertext set and the fifth ciphertext set to obtain a second intersection, and recording a third number set of the second intersection, wherein the third number set is a set of numbers of data contained in the second intersection;
and determining target data with the same number as the number in the third number set in the initial data set of the first device, wherein the set of the target data is an intersection of a plurality of initial data sets corresponding to the plurality of data processing devices.
In a second aspect, an embodiment of the present application provides a multiparty privacy intersection device, including:
the encryption unit is used for generating a first ciphertext set according to the first random number and an initial data set of the first device, wherein each data in the initial data set of the first device has a unique number, the numbers of any two data are different, and the number of the same data before encryption is the same as the number after encryption;
A transmitting unit, configured to transmit the first ciphertext set to the second device, and transmit the first random number to each of the at least one third device, where the first random number is used to indicate at least one second ciphertext set, and a single second ciphertext set is a ciphertext set generated by encrypting an initial data set of the corresponding third device with the first random number;
a receiving unit, configured to receive a third ciphertext set, a fourth ciphertext set and a first number set from the second device, where the third ciphertext set is the ciphertext set generated from a first intersection by a second random number, the first intersection is an intersection of the first ciphertext set and the at least one second ciphertext set, the fourth ciphertext set is a ciphertext set generated by encrypting an initial data set of the second device by the second random number, the first number set is a set of numbers of data included in the third ciphertext set, the first number set is the same as a second number set corresponding to the first intersection, and the second number set is a set of numbers of data included in the first intersection;
A decryption unit, configured to remove a first encryption attribute of data in the third ciphertext set by using a third random number to obtain a fifth ciphertext set, where the first encryption attribute is a ciphertext feature attribute that is encrypted by using the first random number;
the encryption unit is further configured to perform intersection on the fourth ciphertext set and the fifth ciphertext set to obtain a second intersection, and record a third number set of the second intersection, where the third number set is a set of numbers of data included in the second intersection;
the processing unit is used for determining target data with the same number as the number in the third number set in the initial data set of the first device, wherein the set of the target data is an intersection of a plurality of initial data sets corresponding to the plurality of data processing devices.
It can be seen that, in the embodiment of the present application, first, a first ciphertext set is generated according to a first random number and an initial data set of a first device, where each data in the initial data set of the first device has a unique number, the numbers of any two data are different, and the number of the same data before encryption is the same as the number after encryption; the first ciphertext set is sent to a second device, and the first random number is sent to each third device in at least one third device, where the first random number is used for indicating at least one second ciphertext set, and a single second ciphertext set is a ciphertext set generated by encrypting an initial data set of the corresponding third device by the first random number; secondly, a third ciphertext set, a fourth ciphertext set and a first number set are received from the second device, where the third ciphertext set is the ciphertext set generated from the first intersection by the second random number, the first intersection is an intersection of the first ciphertext set and at least one second ciphertext set, the fourth ciphertext set is a ciphertext set generated by encrypting an initial data set of the second device by the second random number, the first number set is a set of numbers of data contained in the third ciphertext set, the first number set is the same as a second number set corresponding to the first intersection, and the second number set is a set of numbers of data contained in the first intersection; thirdly, the first encryption attribute of the data in the third ciphertext set is removed by using the third random number to obtain a fifth ciphertext set, where the first encryption attribute is the ciphertext feature attribute encrypted by using the first random number; finally, the fourth ciphertext set and the fifth ciphertext set are intersected to obtain a second intersection, and a third number set of the second intersection is recorded, the third number set being a set of numbers of data contained in the second intersection; and target data whose numbers are the same as the numbers in the third number set are determined in the initial data set of the first device, where the set of the target data is the intersection of a plurality of initial data sets corresponding to a plurality of data processing devices.
Drawings
In order to more clearly illustrate the embodiments of the application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow chart of a multiparty privacy intersection method provided in an embodiment of the present application;
fig. 1a is a schematic structural diagram of a single privacy intersection device according to an embodiment of the present application;
FIG. 2 is a schematic diagram of a data set encryption and decryption flow provided in an embodiment of the present application;
FIG. 3 is a schematic diagram of a multiparty privacy intersection communication procedure according to an embodiment of the present application;
fig. 4 is a functional unit composition block diagram of a multiparty privacy intersection device provided in an embodiment of the present application.
Detailed Description
In order that those skilled in the art will better understand the present application, a technical solution in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present application without making any inventive effort, shall fall within the scope of the present application.
The following will describe in detail.
The terms "first," "second," "third," and "fourth" and the like in the description and in the claims and drawings are used for distinguishing between different objects and not necessarily for describing a particular sequential or chronological order. Furthermore, the terms "comprise" and "have," as well as any variations thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those listed steps or elements but may include other steps or elements not listed or inherent to such process, method, article, or apparatus.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments.
The multiparty privacy intersection method provided by the application is mainly applied to the technical fields of privacy protection, secure multi-party computation, federated learning and the like.
Privacy protection refers to taking a series of measures to protect personal sensitive information and privacy during data processing and sharing. The measures comprise technical means such as data encryption, anonymization, access control, data desensitization and the like, and aim to reduce the risk of personal information disclosure, ensure legal use of data and protect user privacy.
Secure Multi-Party Computation, SMPC, is a protocol and technique for computing between multiple parties. In conventional computing models, it is often necessary to collect data into one place for computation, but this can present data leakage and privacy risks. And the SMPC allows a plurality of participants to perform joint calculation under the condition of not sharing sensitive data, so that the specific calculation task is finished while the data privacy and the security are realized.
Federated learning is a distributed machine learning method that aims to solve the problems of data privacy and data barriers. In traditional machine learning, data usually has to be concentrated on a central server for model training, which raises data privacy and data transmission security problems. Federated learning performs model training on local devices and shares only model parameters, so that model cooperation and knowledge sharing among a plurality of participants can be realized on the premise of protecting data privacy.
All three concepts are closely related to data security and privacy. Privacy protection aims at protecting personal sensitive information and privacy, secure multi-party computation can carry out joint calculation without sharing sensitive data, and federated learning can carry out distributed model training and knowledge sharing on the premise of protecting data privacy. These technical means and methods are important for promoting the security and privacy protection of data, and are widely applied in various fields such as medical health, finance, the Internet of Things and the like.
In order to better understand the above technical solutions, the following detailed description will refer to the accompanying drawings and specific embodiments.
Referring to fig. 1, fig. 1 is a schematic flow chart of a multiparty privacy intersection method provided in an embodiment of the present application, where, as shown in the figure, the method is applied to a first device in a privacy intersection system, and the privacy intersection system includes the first device, a second device and at least one third device;
in the embodiment of the application, the first device, the second device and the third device can be different servers of the data center.
Referring to fig. 1a, fig. 1a is a schematic structural diagram of a single privacy intersection device according to an embodiment of the present application. As shown in fig. 1a, the single privacy intersection device may include: a processor 1001, such as a CPU, a network interface 1004, a user interface 1003, a memory 1005, and a communication bus 1002. The communication bus 1002 is used to enable connected communication between these components. The user interface 1003 may include a display and an input unit such as a keyboard, and optionally the user interface 1003 may further include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a WI-FI interface). The memory 1005 may be a high-speed RAM memory or a stable memory (non-volatile memory), such as a disk memory. The memory 1005 may also optionally be a storage device separate from the processor 1001 described above.
Those skilled in the art will appreciate that the device structure shown in fig. 1a does not constitute a limitation of the device, and may include more or fewer components than shown, or may combine certain components, or may be arranged in a different arrangement of components.
As shown in fig. 1a, an operating system, a network communication module, a user interface module, and a multiparty privacy intersection program may be included in the memory 1005, which is a type of computer storage medium.
In the device shown in fig. 1a, the network interface 1004 is mainly used for connecting to a background server, and performing data communication with the background server; the user interface 1003 is mainly used for connecting a client (user side) and performing data communication with the client; the processor 1001 may be configured to call the multiparty privacy intersection program stored in the memory 1005 and execute operations in the multiparty privacy intersection method described below, and the method implemented when the multiparty privacy intersection program running on the processor is executed may refer to various embodiments of the multiparty privacy intersection method of the present application, which are not described herein.
In the embodiment of the application, the first device, the second device and the third device can also be data processing nodes in the server cluster.
Based on the hardware structure, the method comprises the following steps:
S101, generating a first ciphertext set according to a first random number and an initial data set of first equipment, wherein each data in the initial data set of the first equipment has a unique number, the numbers of any two data are different, and the number of the same data before encryption is the same as the number after encryption;
wherein the number of the original data set of the first device is used to identify each data in the original data set of the first device.
The number makes it possible to find the plaintext data in the original data set of the first device even in the ciphertext state, after each data in the original data set of the first device has been encrypted, so that the number of decryptions can be reduced, the intersection efficiency improved, and the calculation cost saved.
In one possible embodiment, before the generating the first ciphertext set from the first random number and the initial data set of the first device, the method further comprises:
the first random number is generated.
In one possible embodiment of the present invention,
the generating the first random number includes:
acquiring a random number seed and a preset multiplier;
determining a random number basic quantity according to the random number seed and the preset multiplier, wherein the random number basic quantity is obtained by multiplying the random number seed by the preset multiplier;
Acquiring a random number increment and a preset modulus;
determining the first random number according to the random number basic quantity, the random number increment and the preset modulus, wherein the first random number is the result of modulus taking of the preset modulus by the sum of the random number basic quantity and the random number increment.
The basic idea is that the next number is obtained by performing a linear operation on the previous number and taking a modulus, so that a data stream resembling a random one is generated by periodic iteration. The recurrence formula is: $x_{n+1} = (a \cdot x_n + c) \bmod m$;
where a is called the preset multiplier, c the random number increment and m the preset modulus; $x_{n+1}$ is the generated random number, and computing it requires the random number $x_n$ obtained from the previous calculation to be substituted as a parameter. An input value $x_0$ is therefore required as the initial value when generating the first random number; $x_0$ is called the random number seed. When the values of the parameters a, c and m are suitably chosen, the value of the random number seed generally does not have a significant effect on the quality of the generated random sequence.
The method is called the additive congruential method when a=0, the multiplicative congruential method when c=0, and the mixed congruential method when c≠0. The multiplier, increment and modulus can be chosen in various ways, as long as the generated random numbers have good uniformity and randomness; the mixed congruential method with $m = 2^k$ is generally adopted.
The specific calculation process of the algorithm is as follows:
the first device obtains a random number seed $x_0$ and a preset multiplier a;
the first device determines the random number basic quantity $a \cdot x_0$ according to the random number seed $x_0$ and the preset multiplier a;
the first device obtains a random integer increment c and a preset modulus m;
the first device determines the first random integer $x_1 = (a \cdot x_0 + c) \bmod m$ according to the random number basic quantity $a \cdot x_0$, the random integer increment c and the preset modulus m;
For example, with an initial random integer $x_0 = 1234$, multiplier $a = 25214903917$, random integer increment $c = 11$ and modulus $m = 2^{48}$, the recurrence formula gives: $x_1 = (25214903917 \times 1234 + 11) \bmod 2^{48} = 31115191433589$;
The first device may assign $x_1$, generated by a single iteration, directly to the first random number, or alternatively iterate n times (n is an integer greater than 1) and assign the resulting $x_n$ to the first random number; the specific number of iterations is determined by the user according to actual needs.
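The recurrence and the worked value above, as an added example (not code from the patent); the function names are illustrative. It also measures a property of the $m = 2^k$ choice that is relevant when the value is later used as a secret: with these parameters the lowest j bits of the state repeat every $2^j$ steps, and the whole sequence is fixed by the seed.

```python
# Parameters taken from the worked example in the text.
A = 25214903917   # preset multiplier a
C = 11            # random number increment c
M = 2 ** 48       # preset modulus m


def lcg_next(x, a=A, c=C, m=M):
    """One step of the recurrence x_{n+1} = (a * x_n + c) mod m."""
    return (a * x + c) % m


def lcg_iterate(seed, n):
    """Return x_n, the value after n iterations starting from the seed x_0."""
    x = seed
    for _ in range(n):
        x = lcg_next(x)
    return x


def low_bits_period(seed, bits):
    """Number of steps until the lowest `bits` bits of the state repeat.

    With m = 2^k the low j bits never depend on the higher bits, so they
    behave as their own small generator modulo 2^j.
    """
    mask = (1 << bits) - 1
    start = seed & mask
    x, steps = lcg_next(seed), 1
    while x & mask != start:
        x = lcg_next(x)
        steps += 1
    return steps


if __name__ == "__main__":
    print("x1 =", lcg_next(1234))
    for bits in (1, 4, 8, 12):
        print(f"low {bits:2d} bits repeat after", low_bits_period(1234, bits), "steps")
    # Same seed, same sequence: the output is a pure function of x_0.
    print("reproducible:", lcg_iterate(1234, 5) == lcg_iterate(1234, 5))
```

Because the first random number later serves as the encryption exponent, a deployment would normally draw it from a cryptographically secure source rather than from a recurrence that is reproducible from its seed.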
The first random number can also be obtained with the Mersenne Twister algorithm.
The specific process of obtaining the first random number through the Mersenne Twister algorithm comprises the following steps:
the first device creates an empty array MT for storing a random number sequence, where the MT array is an integer array of length n=624 in which each element is a 32-bit unsigned integer, denoted MT[i], i ∈ [0, n-1];
The first device performs initialization assignment on the MT array to obtain a basic Mersenne Twister chain, specifically as follows: 1) Acquire a random number seed and assign the seed to MT[0]; the seed can be a preset random value, in which case the generated random numbers are repeatable, or the system time can be used as the seed; 2) Recur according to the recurrence formula MT[i] = f × (MT[i-1] ⊕ (MT[i-1] >> (w-2))) + i (i ∈ [1, n-1]), where f, w and n are predefined constants, f is a parameter required for initializing the Mersenne Twister chain, w is the length in bits of each element in the MT array, and w is 32 if MT19937-32 is used; ⊕ is the exclusive-OR operator and >> is the right-shift operator;
specifically: when i=1, MT[1] = f × (MT[0] ⊕ (MT[0] >> (w-2))) + 1;
……
when i=623, MT[623] = f × (MT[622] ⊕ (MT[622] >> (w-2))) + 623;
the first device traverses the initialized MT[i] to generate a random number sequence, which specifically comprises the following steps:
1) For each MT[i], take the result of a bitwise AND with upper_mask (keeping the high bits) and add the result of a bitwise AND of MT[(i+1) mod n] with lower_mask (keeping the low bits) to obtain x (the aim is to extract enough bits from MT array elements at different positions and to increase randomness and mixing);
where lower_mask is the low-order mask, whose lower r bits are all 1 and whose remaining bits are all 0, with the binary representation 0111 1111 1111 1111 1111 1111 1111 1111; upper_mask, the high-order mask, is the result of inverting lower_mask;
the formula is: x = (MT[i] & upper_mask) + (MT[(i+1) % n] & lower_mask), where MT[i] is the MT array element at the current position i and MT[(i+1) % n] is the MT array element at the next position; (i+1) % n means that the index i is moved forward by 1 position and kept within the array length by the modulo operation;
2) If the lowest bit of x is 0, x is shifted right by one bit to obtain xA, where A is a w × w matrix;
3) If the lowest bit of x is 1, xA is XORed with a specific constant a, where a is the last row of the matrix A;
4) MT[(i+m) mod n] is XORed with xA and the result is assigned to MT[i], completing the element transformation; here (i+m) mod n means that the index i is moved forward by m positions and kept within the array length by the modulo operation, and m is the offset, m=397;
the first device determines an element in the MT array as the first random number, specifically:
if an element in the MT array is taken directly as the first random number, for example to obtain the i-th random number, MT[i] is taken and assigned to the first random number;
if a random number within a specific integer range is wanted, for example a random integer between 0 and n-1, MT[i] % n is assigned to the first random number;
if a random floating point number within a specified range is wanted, for example a random floating point number between 0 and 1, the value of (MT[i] / 4294967296.0) is assigned to the first random number.
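The initialization and transformation steps above, written out as an added example (not code from the patent). The values of f and a and the final tempering step are the published MT19937-32 constants, which the text does not list; tempering is included so that the result can be compared with the reference generator's first output for seed 5489, whereas the text takes MT[i] directly.

```python
N, M = 624, 397            # array length n and offset m from the text
W = 32                     # element width w in bits
F = 1812433253             # initialization multiplier f (MT19937-32 constant)
UPPER_MASK = 0x80000000    # keeps the high w - r bits (r = 31)
LOWER_MASK = 0x7FFFFFFF    # keeps the low r bits
MATRIX_A = 0x9908B0DF      # constant a, last row of matrix A (MT19937-32)
WORD = 0xFFFFFFFF          # truncate to 32-bit unsigned


def mt_init(seed):
    """MT[0] = seed; MT[i] = f * (MT[i-1] xor (MT[i-1] >> (w-2))) + i."""
    mt = [seed & WORD]
    for i in range(1, N):
        prev = mt[i - 1]
        mt.append((F * (prev ^ (prev >> (W - 2))) + i) & WORD)
    return mt


def mt_twist(mt):
    """Steps 1) to 4) of the traversal, applied in place to every element."""
    for i in range(N):
        x = (mt[i] & UPPER_MASK) + (mt[(i + 1) % N] & LOWER_MASK)
        x_a = x >> 1                 # step 2: lowest bit 0
        if x & 1:                    # step 3: lowest bit 1
            x_a ^= MATRIX_A
        mt[i] = mt[(i + M) % N] ^ x_a
    return mt


def temper(y):
    """Output transform of the reference MT19937 (not described in the text)."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & WORD


def mt_outputs(seed, count):
    """First `count` (at most 624) tempered outputs for a seed."""
    mt = mt_twist(mt_init(seed))
    return [temper(mt[i]) for i in range(count)]


def to_unit_float(value):
    """Map a 32-bit element to [0, 1) as in the text: MT[i] / 4294967296.0."""
    return value / 4294967296.0


if __name__ == "__main__":
    first = mt_outputs(5489, 3)
    print(first, [round(to_unit_float(v), 6) for v in first])
```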
It should be noted that, the method of generating the random number may be determined according to other suitable methods, and this embodiment provides only two examples thereof.
S102, sending the first ciphertext set to the second device, and sending the first random number to each third device in the at least one third device, wherein the first random number is used for indicating at least one second ciphertext set, and a single second ciphertext set is a ciphertext set generated by encrypting an initial data set of the corresponding third device by the first random number;
in a possible embodiment, the second device is a device with a largest number of elements in a target device set, where the target device set includes data processing devices other than the first device in the plurality of data processing devices, and the number of elements refers to a number of data in an initial data set of a single data processing device.
And selecting one device with the largest data volume as the second device, and calculating ciphertext intersection of the rest participants, so that the intersection range of the rest participants can be effectively reduced.
In one possible embodiment, each device in the set of target devices has a device number, and the second device further comprises:
and if the number of the elements is the same, determining the equipment with the largest equipment number as the second equipment.
Wherein the device number has uniqueness.
It can be seen that in the present embodiment, the amount of data to be transmitted and processed is reduced by using the information of the party having the largest amount of data, thereby improving the calculation efficiency and protecting the data privacy.
In one possible embodiment, the process of encrypting individual data in the initial data set of the individual third device by the first random number comprises the following operations:
converting individual data in the initial data set of the individual third device into corresponding hash values;
converting the corresponding hash value to a point on an elliptic curve;
repeatedly squaring points on the elliptic curve for a first preset number of times to obtain single data of the single second ciphertext set corresponding to the initial data set of the single third device, wherein the value of the first preset number of times is the first random number.
The encryption algorithm provided in this embodiment is based on the elliptic curve discrete logarithm assumption, whose basic principle is: given a base point G of the elliptic curve and a finite field element x, it is feasible to calculate G^x, whereas given G and G^x it is difficult to solve for x. The symbol "^" represents the power operation in the elliptic curve discrete logarithm assumption.
Converting individual data in the initial data set of the individual third device into corresponding hash values, and converting the corresponding hash values into points on an elliptic curve, means the following: when the initial data sets of the plurality of data processing devices are encrypted for the first time, each data item in the initial data set needs to be mapped to a point on the elliptic curve, i.e. a Hash-to-Curve operation is performed. The specific process includes:
converting the individual data in the initial data set to a hash value of fixed length according to a hash function, typically expressed as an integer. Common hash functions include SHA-256, SHA-3, MD5 and the like.
Converting the hash value to a point on the elliptic curve comprises:
performing a modular operation on the hash result so that it falls within the range of the order of the elliptic curve. If the range of the order is exceeded, the modulo operation is applied repeatedly until the result is within the proper range. Here the order refers to the number of points on the elliptic curve.
Taking the result of the modular operation as the x coordinate, and calculating the corresponding y coordinate according to the equation of the elliptic curve.
If a y coordinate satisfying the equation exists, the point of the hash value on the elliptic curve has been found; if no y coordinate satisfies the equation, the corresponding point has not been found, and it may be necessary to adjust the parameters or select another method for the mapping.
Outputting the point found on the elliptic curve as the preliminary encryption result of the initial data;
and performing the encryption operation again on the preliminary encryption result.
It should be noted that in practical applications, it is important to select the appropriate elliptic curve parameters and hash functions. The parameters are chosen to take into account security and performance requirements and to follow the relevant standards or protocols. There may be more specific mapping rules and requirements for a particular standard or protocol. Thus, in practice, operations should be performed with reference to the relevant documents and guidelines.
Here the finite field element x1 is the first random number.
The specific implementation process of the encryption algorithm is as follows:
determining the base point G1 of the elliptic curve as the point on the elliptic curve corresponding to the initial data;
determining the finite field element x1 as the first random integer;
and determining, from the base point G1 and the finite field element x1, that the encryption result of the initial data is G1^x1, meaning that G1 is repeatedly squared x1 times.
Therefore, in this embodiment, encryption is performed with the elliptic curve discrete logarithm encryption algorithm, so that the encryption result has higher security; compared with other encryption algorithms (such as RSA), the elliptic curve discrete logarithm encryption algorithm has higher encryption and decryption speeds and lower computing resource consumption.
S103, receiving a third ciphertext set, a fourth ciphertext set and a first number set from the second device, wherein the third ciphertext set is a ciphertext set generated by encrypting a first intersection with a second random number, the first intersection is the intersection of the first ciphertext set and the at least one second ciphertext set, the fourth ciphertext set is a ciphertext set generated by encrypting the initial data set of the second device with the second random number, the first number set is the set of numbers of the data contained in the third ciphertext set, the first number set is the same as a second number set corresponding to the first intersection, and the second number set is the set of numbers of the data contained in the first intersection;
In one possible embodiment, the process of encrypting a single data item in the first intersection with the second random number includes the following operation:
repeatedly squaring the single data item in the first intersection a second preset number of times to obtain a single data item of the third ciphertext set, wherein the value of the second preset number of times is the second random number.
The first intersection is the intersection of the first ciphertext set and the second ciphertext set, so the first intersection is itself a set of ciphertext data. When the first intersection is encrypted with the elliptic curve discrete logarithm encryption algorithm, the data in the set do not need to undergo the Hash-to-Curve operation; each data item in the first intersection can be encrypted directly.
The specific implementation process of the encryption algorithm is as follows:
determining the base point G2 of the elliptic curve as a single data item in the first intersection;
determining the finite field element x2 as the second random integer;
and determining, from the base point G2 and the finite field element x2, that the encryption result of the initial data is G2^x2, meaning that G2 is repeatedly squared x2 times.
Therefore, in this embodiment, encryption is performed with the elliptic curve discrete logarithm encryption algorithm, so that the encryption result has higher security; compared with other encryption algorithms (such as RSA), the elliptic curve discrete logarithm encryption algorithm has higher encryption and decryption speeds and lower computing resource consumption.
S104, removing a first encryption attribute of data in the third ciphertext set by using a third random number to obtain a fifth ciphertext set, wherein the first encryption attribute is a ciphertext characteristic attribute encrypted by using the first random number;
In one possible embodiment, the third random number is the inverse element of the first random number.
The inverse element is a mathematical concept: under a given operation, an element combined with its inverse element yields the identity element of that operation. For integer multiplication, the inverse element can be understood as the corresponding reciprocal.
In the present application, the inverse element is what the first device uses to decrypt the result that was encrypted with the first random integer.
In one possible embodiment, before the removing the first encryption attribute of the data in the third ciphertext set using the third random number to obtain the fifth ciphertext set, the method further comprises:
generating the third random number from the first random number and a preset modulus using the extended Euclidean algorithm.
The extended Euclidean algorithm is a method for solving a linear congruence equation and can be used to generate an inverse element modulo p. The specific steps by which the extended Euclidean algorithm generates an inverse element are as follows:
The first random number is a;
let it be assumed that a linear congruence equation ax≡1 (mod p) is to be solved for the first random number a, where a and p are known integers and p is a prime number.
The expression of equation ax≡1 (mod p) has the meaning:
the greatest common divisor (gcd) of a and p is calculated using the euclidean algorithm:
assuming the greatest common divisor is d, the equation ax + py = d is obtained, where x and y are integers.
If the greatest common divisor d is not equal to 1, a and p are not coprime, i.e. a has no inverse element modulo p, and in this case the solution of the inverse element cannot be continued.
If the greatest common divisor d is equal to 1, a and p are coprime, i.e. a has an inverse element modulo p, and the process proceeds to the next step.
From the calculation result of the extended Euclidean algorithm, a set of integer solutions (x0, y0) of the equation ax + py = 1 can be obtained, where x0 is the inverse of a modulo p.
For example: if the modulus r1 is set to 97 and the first random number r2 is set to 31115191433589, the extended Euclidean algorithm is used to calculate the inverse of 31115191433589 modulo 97. The calculation is carried out according to the steps:
Step one: initialization: r1 = 97, r2 = 31115191433589, x1 = 1, y1 = 0, x2 = 0, y2 = 1.
Step two: iterative update:
calculating the quotient and remainder: the quotient q = r1 // r2 = 97 // 31115191433589 = 0, and the remainder r3 = r1 - q*r2 = 97 - 0*31115191433589 = 97.
Updating r1 and r2: r1 = r2 = 31115191433589, r2 = r3 = 97.
Updating x: x3 = x1 - q*x2 = 1 - 0*0 = 1, then updating x1 = x2 = 0, x2 = x3 = 1.
Updating y: y3 = y1 - q*y2 = 0 - 0*1 = 0, then updating y1 = y2 = 1, y2 = y3 = 0.
Step three: step 2 is repeated until r3=0. At this time, d=r2=97 is the greatest common divisor.
Finally, a set of integer solutions for equation 31115191433589x+97y=97 is (x, y) = (1, 0).
Since we require the inverse of 31115191433589 at modulo 97, we need to ensure that the value of x is in the range of [0, p-1 ]. In this example we have x=1, and the inverse of 31115191433589 is 1 at modulo 97.
It can be seen that, in this embodiment, the inverse element of the first random number is calculated by the extended Euclidean algorithm and is used to remove the first encryption attribute of the data in the third ciphertext set, so that the first device can calculate the intersection between the fourth ciphertext set and the fifth ciphertext set.
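The inversion described above, carried through to termination, as an added example that is not part of the patent text: `mod_inverse` and its trace tuples are hypothetical names, and r1 starts at a (rather than at the modulus) so that x tracks the coefficient of a in ax + py = d. For a = 31115191433589 and p = 97 it returns 88, since 31115191433589 ≡ 43 (mod 97) and 43 · 88 = 3784 = 39 · 97 + 1.

```python
def mod_inverse(a, p):
    """Solve a*x ≡ 1 (mod p) with the extended Euclidean algorithm.

    Returns (x, steps): x is the inverse in [0, p-1]; steps holds one
    (q, r1, r2, x1, x2) tuple per iteration so the run can be inspected.
    Raises ValueError when gcd(a, p) != 1, i.e. when no inverse exists.
    Assumes a >= 0 and p > 1.
    """
    # Invariant on every iteration: r1 ≡ x1*a (mod p) and r2 ≡ x2*a (mod p).
    r1, r2 = a, p
    x1, x2 = 1, 0
    steps = []
    while r2 != 0:
        q = r1 // r2                      # quotient
        r1, r2 = r2, r1 - q * r2          # new remainder pair
        x1, x2 = x2, x1 - q * x2          # same update on the coefficients
        steps.append((q, r1, r2, x1, x2))
    if r1 != 1:                           # r1 is now gcd(a, p)
        raise ValueError(f"gcd({a}, {p}) = {r1}: no inverse modulo {p}")
    return x1 % p, steps                  # bring x into the range [0, p-1]


if __name__ == "__main__":
    a, p = 31115191433589, 97             # sample values from the text above
    inv, steps = mod_inverse(a, p)
    for q, r1, r2, x1, x2 in steps:
        print(f"q={q:<16} r1={r1:<4} r2={r2:<4} x1={x1:<4} x2={x2}")
    print("inverse:", inv, "check:", (a * inv) % p)
```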
Referring to fig. 2, fig. 2 is a schematic diagram of a data set encryption and decryption flow provided in an embodiment of the present application, as shown in the following:
the first device encrypts and generates a first ciphertext set by using a first random number;
the third device encrypts and generates a second ciphertext set by using the first random number;
The second device obtains a first intersection by intersecting the first ciphertext set and the second ciphertext set, and generates a third ciphertext set by encrypting the first intersection with the second random number;
it can thus be seen that the third ciphertext set has both the first encryption attribute and the second encryption attribute.
The second device also encrypts its own initial data set with the second random number to obtain a fourth ciphertext set, which has only the second encryption attribute.
Therefore, when the second device sends the first intersection and the fourth ciphertext set to the first device, the first device cannot directly intersect two sets with different encryption attributes, so the first device needs to decrypt the first intersection encrypted by the first random number using the third random number (the inverse element of the first random number) to obtain a fifth ciphertext set, which has only the second encryption attribute.
In this case, the fourth ciphertext set and the fifth ciphertext set, which have the same second encryption attribute, can be intersected.
In one possible embodiment, the data in the fifth ciphertext set has a second encryption attribute that is a ciphertext feature attribute that is encrypted using the second random number, and the data in the fourth ciphertext set has the second encryption attribute.
The fifth ciphertext set is a data set of the first intersection after the first encryption attribute is removed by the third random number, and the fifth ciphertext set only has the second encryption attribute.
The fourth ciphertext set is a result of the second device encrypting by using the second random number, and has a second encryption attribute.
The first device can perform an intersection operation on ciphertext sets that have the same encryption attribute.
It can be seen that, in this embodiment, the concept of an encryption attribute makes it possible to infer clearly which random number a given ciphertext was encrypted with, so that a data device can conveniently know the encryption status of the current ciphertext set.
S105, intersecting the fourth ciphertext set and the fifth ciphertext set to obtain a second intersection, and recording a third number set of the second intersection, wherein the third number set is a set of numbers of data contained in the second intersection;
The second intersection is actually the ciphertext intersection of the plurality of data processing devices. The numbers of the data in the second intersection trace back to the numbers of the data in the first intersection, which correspond to the numbers of the data in the first ciphertext set, which in turn correspond to the numbers of the data in the initial data set of the first device.
Therefore, the numbers of the data in the initial data set of the first device are fixed, and the whole encryption and decryption process can be traced back through the numbers. After the second intersection is obtained, the intersection of the initial data sets of the plurality of data processing devices can be obtained without decrypting the second intersection, which saves computation cost and avoids the risk of secret leakage.
S106, determining target data with the same number as the number in the third number set in the initial data set of the first device, wherein the set of the target data is an intersection of a plurality of initial data sets corresponding to the plurality of data processing devices.
The third number set is the set of numbers of the data in the second intersection, and the second intersection is actually the ciphertext intersection of the plurality of data processing devices. For the number of each data item in the second intersection, the number of the same data item in the fifth ciphertext set can be found. The fifth ciphertext set is the decryption result of the third ciphertext set, so the numbers of the data in the fifth ciphertext set are the same as the numbers of the data in the third ciphertext set. The third ciphertext set is the encryption result of the first intersection, so the numbers of the data in the third ciphertext set are the numbers of the data in the first intersection. The numbers of the data in the first intersection correspond to the numbers of the data in the first ciphertext set, and the numbers of the data in the first ciphertext set correspond to the numbers of the data in the initial data set of the first device.
Therefore, the numbers of the data in the initial data set of the first device are fixed, and the whole encryption and decryption process can be traced back through the numbers. After the second intersection is obtained, the intersection of the initial data sets of the plurality of data processing devices can be obtained without decrypting the second intersection, which saves computation cost and avoids the risk of secret leakage.
In one possible embodiment, the information transmission between the first device, the second device and the at least one third device is performed through an encrypted channel.
An encrypted channel protects the communication channel with encryption technology, ensuring the confidentiality and security of data during transmission.
For example, the TLS (Transport Layer Security) protocol is a secure transport protocol used to provide secure communication connections over computer networks. It is the successor to the SSL (Secure Sockets Layer) protocol and protects the confidentiality, integrity and authentication of network communications.
Consistent with fig. 1, please refer to fig. 3. Fig. 3 is a schematic diagram of a multiparty privacy intersection procedure provided in an embodiment of the present application, as follows:
S301, the first device receives the device numbers and numbers of elements of the target device set, and finds the party with the largest data volume as the second device;
S302, the first device generates a first random number;
S303, the first device encrypts its initial data set with the first random number to obtain a first ciphertext set, and sends the first ciphertext set to the second device;
S304, the first device sends the first random number to the third device;
S305, the third device encrypts its initial data set with the first random number to obtain a second ciphertext set, and sends the second ciphertext set to the second device;
S306, the second device receives the first ciphertext set and the second ciphertext set, intersects them to obtain a first intersection, and records the numbers of the data in the first intersection to obtain a second number set;
S307, the second device generates a second random number;
S308, the second device encrypts the first intersection with the second random number to obtain a third ciphertext set, and records the numbers of the data in the third ciphertext set to obtain a first number set;
S309, the second device encrypts its initial data set with the second random number to obtain a fourth ciphertext set;
S310, the second device sends the third ciphertext set, the fourth ciphertext set and the first number set to the first device;
S311, the first device receives the third ciphertext set, the fourth ciphertext set and the first number set sent by the second device;
S312, the first device generates a third random number;
S313, the first device removes the first encryption attribute of the third ciphertext set with the third random number to obtain a fifth ciphertext set;
S314, the first device intersects the fifth ciphertext set and the fourth ciphertext set to obtain a second intersection, and records the numbers of the data in the second intersection to obtain a third number set;
S315, the first device determines the target data in its initial data set whose numbers are the same as the numbers in the third number set.
A specific example is provided below:
Taking a white list sharing scenario in the financial industry as an example, three financial institutions wish to jointly mine the intersection of their high-value clients, namely the clients on all three white lists, without additionally exposing the white list client information outside that intersection; the multiparty privacy intersection scheme can be adopted to meet this requirement. The organization P1 owns the whitelisted customer (bob), the organization P2 owns (bob, candy, tom), the organization P3 owns (bob, david), and P1 is the first device.
S01: P2 sends its own device number and number of clients (2, 3) to P1, and P3 sends its own device number and number of elements (3, 2) to P1.
S02: P1 compares the numbers of clients of P2 and P3; since 3 > 2, P2, which has the largest number of clients, is the second device.
S03: P1 generates a first random number a.
S04: P1 sends an "ACK1" message to P2, and sends an "ACK0" message and the first random number a to P3. The "ACK1" message notifies P2 that it has been chosen as the second device (and needs to execute the cooperative algorithm process in the next preset period); the "ACK0" message carries the first random number and the number identifier of P2, and notifies the third device receiving it to encrypt its plaintext set into a ciphertext set using the first random number a and send the ciphertext set to P2;
S05: P1 encrypts its customer data set using a to obtain SH1 = (H(alice)^a, H(bob)^a), and P3 encrypts its customer data set using a to obtain SH3 = (H(bob)^a, H(david)^a); H denotes the Hash-to-Curve operation.
S06: P1 sends SH1 to P2, and P3 sends SH3 to P2.
S07: after collecting the 2 ciphertext sets, P2 calculates CS1 = SH1 ∩ SH3 = (H(bob)^a) to obtain the first ciphertext set.
S08: when P2 calculates the first ciphertext set, it also needs to record the number of each ciphertext intersection element in the P1-side ciphertext set SH1, which is recorded as the first number set IDX1 = (2).
S09: P2 randomly generates a second random integer b.
S10: P2 re-encrypts each element in the first ciphertext set using the second random integer b to obtain a second ciphertext set, denoted CS2 = (H(bob)^a^b).
S11: P2 encrypts each element in its own data set using the second random integer b to obtain a third ciphertext set, denoted CS3 = (H(bob)^b, H(candy)^b, H(tom)^b).
S12: Pk sends the first number set IDX1, the second ciphertext set CS2 and the third ciphertext set CS3 to P1.
S13: P1 calculates the inverse element a^-1 of the first random integer a.
S14: P1 uses the third random integer a^-1 to decrypt each element in the second ciphertext set to obtain a fourth ciphertext set, denoted CS4 = (H(bob)^a^b^a^-1) = (H(bob)^b).
S15: P1 calculates the intersection of the third ciphertext set CS3 and the fourth ciphertext set CS4, CS3 ∩ CS4 = (H(bob)^b) ∩ (H(bob)^b, H(candy)^b, H(tom)^b) = (H(bob)^b), and records the number of each intersection element in the first number set IDX1 as the second number set IDX2 = (2).
S16: according to the second number set IDX2, P1 finds the elements with the corresponding numbers in its own plaintext data set S1, obtaining the first intersection (bob), which is the intersection of the 3 participants.
It can be seen that, in the embodiment of the present application: first, a first ciphertext set is generated according to a first random number and the initial data set of the first device, where each data item in the initial data set of the first device has a unique number, the numbers of any two data items are different, and the number of the same data item is the same before and after encryption; the first ciphertext set is sent to the second device, and the first random number is sent to each third device of the at least one third device, where the first random number is used for indicating at least one second ciphertext set, and a single second ciphertext set is a ciphertext set generated by encrypting the initial data set of the corresponding third device with the first random number; secondly, a third ciphertext set, a fourth ciphertext set and a first number set are received from the second device, where the third ciphertext set is a ciphertext set generated by encrypting a first intersection with a second random number, the first intersection is the intersection of the first ciphertext set and the at least one second ciphertext set, the fourth ciphertext set is a ciphertext set generated by encrypting the initial data set of the second device with the second random number, the first number set is the set of numbers of the data contained in the third ciphertext set, the first number set is the same as a second number set corresponding to the first intersection, and the second number set is the set of numbers of the data contained in the first intersection; thirdly, the first encryption attribute of the data in the third ciphertext set is removed using the third random number to obtain a fifth ciphertext set, where the first encryption attribute is the ciphertext feature attribute of having been encrypted with the first random number; finally, the fourth ciphertext set and the fifth ciphertext set are intersected to obtain a second intersection, and a third number set of the second intersection is recorded, the third number set being the set of numbers of the data contained in the second intersection; target data whose numbers in the initial data set of the first device are the same as the numbers in the third number set are determined, and the set of the target data is the intersection of the plurality of initial data sets corresponding to the plurality of data processing devices.
The foregoing description of the embodiments of the present application has been presented primarily in terms of a method-side implementation. It will be appreciated that the server, in order to implement the above-described functions, includes corresponding hardware structures and/or software modules that perform the respective functions. Those of skill in the art will readily appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is implemented as hardware or computer software driven hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In accordance with the above-described embodiments, referring to fig. 4, fig. 4 is a block diagram illustrating functional units of a multiparty privacy interaction device according to an embodiment of the present application, and as shown in fig. 4, the device is applied to each of a plurality of data processing apparatuses, and the device includes:
an encryption unit 401, configured to generate a first ciphertext set according to a first random number and an initial data set of the first device, where each data in the initial data set of the first device has a unique number, and numbers of any two data are different, and a number of the same data before encryption is the same as a number after encryption;
A transmitting unit 402, configured to transmit the first ciphertext set to the second device, and transmit the first random number to each of the at least one third device, where the first random number is used to indicate at least one second ciphertext set, and a single second ciphertext set is a ciphertext set generated by encrypting an initial data set of the corresponding third device by the first random number;
a receiving unit 403, configured to receive a third ciphertext set, a fourth ciphertext set and a first number set from the second device, where the third ciphertext set is a ciphertext set generated by encrypting a first intersection with a second random number, the first intersection is the intersection of the first ciphertext set and the at least one second ciphertext set, the fourth ciphertext set is a ciphertext set generated by encrypting the initial data set of the second device with the second random number, the first number set is the set of numbers of the data included in the third ciphertext set, the first number set is the same as a second number set corresponding to the first intersection, and the second number set is the set of numbers of the data included in the first intersection;
A decryption unit 404, configured to remove, by using a third random number, a first encryption attribute of data in the third ciphertext set to obtain a fifth ciphertext set, where the first encryption attribute is a ciphertext feature attribute that is encrypted by using the first random number;
the encryption unit 401 is further configured to perform intersection on the fourth ciphertext set and the fifth ciphertext set to obtain a second intersection, and record a third number set of the second intersection, where the third number set is a set of numbers of data included in the second intersection;
and a processing unit 405, configured to determine target data having the same number as the number in the third number set in the initial data set of the first device, where the set of target data is an intersection of a plurality of initial data sets corresponding to the plurality of data processing devices.
In one possible embodiment, the data in the fifth ciphertext set has a second encryption attribute that is a ciphertext feature attribute that is encrypted using the second random number, and the data in the fourth ciphertext set has the second encryption attribute.
In a possible embodiment, the second device is a device with a largest number of elements in a target device set, where the target device set includes data processing devices other than the first device in the plurality of data processing devices, and the number of elements refers to a number of data in an initial data set of a single data processing device.
In a possible embodiment, the encryption unit is further configured to:
generate the first random number.
In a possible embodiment, in generating the first random number, the encryption unit is further configured to perform:
acquiring a random number seed and a preset multiplier;
determining a random number basic quantity according to the random number seed and the preset multiplier, wherein the random number basic quantity is obtained by multiplying the random number seed by the preset multiplier;
acquiring a random number increment and a preset modulus;
determining the first random number according to the random number basic quantity, the random number increment and the preset modulus, wherein the first random number is the result of taking the sum of the random number basic quantity and the random number increment modulo the preset modulus.
In a possible embodiment, in encrypting a single data item in the initial data set of a single third device with the first random number, the encryption unit is further configured to perform:
converting individual data in the initial data set of the individual third device into corresponding hash values;
converting the corresponding hash value to a point on an elliptic curve;
repeatedly squaring points on the elliptic curve for a first preset number of times to obtain single data of the single second ciphertext set corresponding to the initial data set of the single third device, wherein the value of the first preset number of times is the first random number.
In a possible embodiment, in encrypting a single data item in the first intersection with the second random number, the encryption unit is further configured to perform:
repeatedly squaring the single data in the first intersection by a second preset number of times to obtain the single data of the third ciphertext set, wherein the value of the second preset number of times is the second random number.
In one possible embodiment, the third random number is an inverse of the first random number.
In a possible embodiment, the encryption unit is further configured to:
generate the third random number according to the first random number, a preset modulus and the extended Euclidean algorithm.
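The flow described above, from numbered encryption through removal of the first random number with its extended-Euclid inverse, as an added Python example (not code from the patent), with all parties run in one process. Assumptions: secp256k1 as the curve, a try-and-increment hash-to-point mapping, the preset modulus set to the group order, the LCG seed and increment drawn from a CSPRNG because an LCG is only as unpredictable as its inputs, and "repeated squaring, with the count given by the random number" read as scalar multiplication by that number, which is what lets the inverse undo it.

```python
import hashlib
import itertools
import secrets

P = 2**256 - 2**32 - 977  # secp256k1 field prime; the curve choice is an assumption
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # prime group order

def lcg(seed, increment, multiplier=0x5DEECE66D, modulus=N):
    """Random number per the page: (seed * multiplier + increment) mod modulus."""
    return (seed * multiplier + increment) % modulus

def inverse(r, modulus=N):
    """Extended Euclidean algorithm: returns r3 with r * r3 == 1 (mod modulus)."""
    old_r, cur_r, old_s, cur_s = r % modulus, modulus, 1, 0
    while cur_r:
        q = old_r // cur_r
        old_r, cur_r, old_s, cur_s = cur_r, old_r - q * cur_r, cur_s, old_s - q * cur_s
    if old_r != 1:
        raise ValueError("random number has no inverse for this modulus")
    return old_s % modulus

def add(a, b):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None or b is None:
        return a if b is None else b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if a == b else (y2 - y1, x2 - x1)
    lam = num * pow(den % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, point):
    """Double-and-add, the curve analogue of exponentiation by repeated squaring."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, point)
        point, k = add(point, point), k >> 1
    return acc

def to_point(item):
    """Hash the item, then map the hash to a curve point (try-and-increment, assumed)."""
    for ctr in itertools.count():
        x = int.from_bytes(hashlib.sha256(f"{ctr}:{item}".encode()).digest(), "big") % P
        y = pow(x**3 + 7, (P + 1) // 4, P)
        if (y * y - x**3 - 7) % P == 0:
            return x, y

def encrypt(r, items):
    """Numbered ciphertext set {number: r * H(item)}; numbers survive encryption."""
    return {num: mul(r, to_point(item)) for num, item in enumerate(items)}

def multiparty_psi(first, second, thirds):
    r1 = lcg(secrets.randbelow(N), secrets.randbelow(N))    # CSPRNG seed and increment
    r2 = secrets.randbelow(N - 1) + 1                       # second device's random number
    set1 = encrypt(r1, first)                               # first ciphertext set
    sets2 = [set(encrypt(r1, t).values()) for t in thirds]  # second ciphertext sets
    inter1 = {n: c for n, c in set1.items() if all(c in s for s in sets2)}
    set3 = {n: mul(r2, c) for n, c in inter1.items()}       # third set: r2 * r1 * H(x)
    set4 = set(encrypt(r2, second).values())                # fourth set: r2 * H(y)
    r3 = inverse(r1)                                        # third random number
    set5 = {n: mul(r3, c) for n, c in set3.items()}         # fifth set: r2 * H(x)
    # second intersection -> third number set -> target data looked up by number
    return {first[n] for n, c in set5.items() if c in set4}
```

`multiparty_psi` takes each party's items as a list and returns the first device's items that every party holds; the numbers are the list indices.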
It should be understood that, in various embodiments of the present application, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present application.
In the several embodiments provided in the present application, it should be understood that the disclosed method, apparatus and system may be implemented in other manners. For example, the device embodiments described above are merely illustrative; for example, the division of the unit is just one logic function division, and there may be another division manner when actually implementing the unit; for example, multiple units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may be physically included separately, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in hardware plus software functional units.
The integrated units implemented in the form of software functional units described above may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a U disk, a removable hard disk, a magnetic disk, an optical disk, volatile memory or nonvolatile memory. The nonvolatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable programmable ROM (EEPROM), or a flash memory. The volatile memory may be random access memory (RAM), which acts as an external cache. By way of example, and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), direct memory bus RAM (DR RAM), and the like: various media that can store program code.
Although the present application is disclosed above, the present application is not limited thereto. Variations and modifications, including combinations of the different functions and implementation steps, as well as embodiments of the software and hardware, may be readily apparent to those skilled in the art without departing from the spirit and scope of the application.

Claims (10)

1. A multiparty privacy intersection method, characterized in that it is applied to a first device in a privacy intersection system, wherein the privacy intersection system comprises the first device, a second device and at least one third device; the method comprises the following steps:
generating a first ciphertext set according to a first random number and an initial data set of the first device, wherein each data in the initial data set of the first device has a unique number, the numbers of any two data are different, and the number of the same data before encryption is the same as the number after encryption;
transmitting the first ciphertext set to the second device, and transmitting the first random number to each of the at least one third device, wherein the first random number is used for indicating at least one second ciphertext set, and a single second ciphertext set is a ciphertext set generated by encrypting an initial data set of the corresponding third device by the first random number;
receiving a third ciphertext set, a fourth ciphertext set and a first number set from the second device, wherein the third ciphertext set is a ciphertext set generated from a first intersection by a second random number, the first intersection is an intersection of the first ciphertext set and the at least one second ciphertext set, the fourth ciphertext set is a ciphertext set generated by encrypting an initial data set of the second device by the second random number, the first number set is a set of numbers of data contained in the third ciphertext set, the first number set is the same as a second number set corresponding to the first intersection, and the second number set is a set of numbers of data contained in the first intersection;
removing a first encryption attribute of data in the third ciphertext set by using a third random number to obtain a fifth ciphertext set, wherein the first encryption attribute is a ciphertext feature attribute encrypted by using the first random number;
performing intersection on the fourth ciphertext set and the fifth ciphertext set to obtain a second intersection, and recording a third number set of the second intersection, wherein the third number set is a set of numbers of data contained in the second intersection;
and determining target data in the initial data set of the first device whose numbers are the same as the numbers in the third number set, wherein the set of target data is the intersection of a plurality of initial data sets corresponding to the plurality of data processing devices.
2. The method of claim 1, wherein the data in the fifth ciphertext set has a second encryption attribute that is a ciphertext feature attribute that is encrypted using the second random number, and wherein the data in the fourth ciphertext set has the second encryption attribute.
3. The method according to claim 1 or 2, wherein the second device is the device with the largest number of elements in a target device set, the target device set comprising the data processing devices other than the first device among the plurality of data processing devices, and the number of elements being the number of data in the initial data set of a single data processing device.
4. A method according to any of claims 1-3, wherein prior to the generating a first ciphertext set from a first random number and an initial data set of the first device, the method further comprises:
generating the first random number.
5. The method of claim 4, wherein the generating the first random number comprises:
acquiring a random number seed and a preset multiplier;
determining a random number basic quantity according to the random number seed and the preset multiplier, wherein the random number basic quantity is obtained by multiplying the random number seed by the preset multiplier;
acquiring a random number increment and a preset modulus;
determining the first random number according to the random number basic quantity, the random number increment and the preset modulus, wherein the first random number is the result of taking the sum of the random number basic quantity and the random number increment modulo the preset modulus.
6. The method according to any of claims 1-5, wherein the process of encrypting individual data in the initial data set of an individual third device by the first random number comprises the operations of:
converting individual data in the initial data set of the individual third device into corresponding hash values;
converting the corresponding hash value to a point on an elliptic curve;
repeatedly squaring points on the elliptic curve for a first preset number of times to obtain single data of the single second ciphertext set corresponding to the initial data set of the single third device, wherein the value of the first preset number of times is the first random number.
7. The method according to any of claims 1-5, wherein the process of encrypting the single data in the first intersection with the second random number comprises the operations of:
repeatedly squaring the single data in the first intersection by a second preset number of times to obtain the single data of the third ciphertext set, wherein the value of the second preset number of times is the second random number.
8. The method of claim 1, wherein the third random number is an inverse of the first random number.
9. The method of claim 8, wherein the first encryption attribute of the data in the third ciphertext set is removed using the third random number to obtain the fifth ciphertext set, the method further comprising:
generating the third random number according to the first random number, a preset modulus and the extended Euclidean algorithm.
10. A multiparty privacy intersection apparatus for use with each of a plurality of data processing devices, the apparatus comprising:
an encryption unit, configured to generate a first ciphertext set according to the first random number and an initial data set of the first device, wherein each data in the initial data set of the first device has a unique number, the numbers of any two data are different, and the number of the same data before encryption is the same as the number after encryption;
a transmitting unit, configured to transmit the first ciphertext set to the second device, and transmit the first random number to each of the at least one third device, where the first random number is used to indicate at least one second ciphertext set, and a single second ciphertext set is a ciphertext set generated by encrypting an initial data set of the corresponding third device with the first random number;
a receiving unit, configured to receive a third ciphertext set, a fourth ciphertext set and a first number set from the second device, where the third ciphertext set is a ciphertext set generated from a first intersection by a second random number, the first intersection is an intersection of the first ciphertext set and the at least one second ciphertext set, the fourth ciphertext set is a ciphertext set generated by encrypting an initial data set of the second device by the second random number, the first number set is a set of numbers of data included in the third ciphertext set, the first number set is the same as a second number set corresponding to the first intersection, and the second number set is a set of numbers of data included in the first intersection;
a decryption unit, configured to remove a first encryption attribute of data in the third ciphertext set by using a third random number to obtain a fifth ciphertext set, where the first encryption attribute is a ciphertext feature attribute that is encrypted by using the first random number;
the encryption unit is further configured to perform intersection on the fourth ciphertext set and the fifth ciphertext set to obtain a second intersection, and record a third number set of the second intersection, where the third number set is a set of numbers of data included in the second intersection;
a processing unit, configured to determine target data with the same number as the number in the third number set in the initial data set of the first device, wherein the set of the target data is an intersection of a plurality of initial data sets corresponding to the plurality of data processing devices.
CN202311205086.7A 2023-09-18 2023-09-18 Multiparty privacy exchange method and related device Pending CN117134906A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311205086.7A CN117134906A (en) 2023-09-18 2023-09-18 Multiparty privacy exchange method and related device

Publications (1)

Publication Number Publication Date
CN117134906A true CN117134906A (en) 2023-11-28

Family

ID=88858216

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311205086.7A Pending CN117134906A (en) 2023-09-18 2023-09-18 Multiparty privacy exchange method and related device

Country Status (1)

Country Link
CN (1) CN117134906A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117574412A (en) * 2024-01-16 2024-02-20 国家计算机网络与信息安全管理中心天津分中心 Multiparty privacy exchange method and device and electronic equipment
CN117574412B (en) * 2024-01-16 2024-04-02 国家计算机网络与信息安全管理中心天津分中心 Multiparty privacy exchange method and device and electronic equipment

Similar Documents

Publication Publication Date Title
CN111512589B (en) Method for fast secure multiparty inner product with SPDZ
WO2020253234A1 (en) Data homomorphic encryption and decryption method and apparatus for implementing privacy protection
JP7053537B6 (en) Post-quantum asymmetric key cryptography system with one-to-many distribution key management based on double encapsulation of prime numbers modulo
US9590807B2 (en) Identity based public key cryptosystem
RU2376651C2 (en) Using isogenies to design cryptosystems
JP5572610B2 (en) Transpose data conversion for security enhancement
US11323255B2 (en) Methods and systems for encryption and homomorphic encryption systems using Geometric Algebra and Hensel codes
US20190044697A1 (en) Methods and systems for enhanced data-centric homomorphic encryption searching using geometric algebra
US20190109701A1 (en) Methods and systems for enhanced data-centric homomorphic encryption sorting using geometric algebra
CN112118113B (en) Multi-party cooperative group signature method, device, system and medium based on SM2 algorithm
CN105027492B (en) For determining equipment, the method and system of shared key
US20180294951A1 (en) Methods and systems for enhanced data-centric scalar multiplicative homomorphic encryption systems using geometric algebra
US10630476B1 (en) Obtaining keys from broadcasters in supersingular isogeny-based cryptosystems
JP2004336794A (en) Method and apparatus for generation of public key based on user-defined id in cryptosystem
CN115865531B (en) Proxy re-encryption digital asset authorization method
CN117134906A (en) Multiparty privacy exchange method and related device
CN116391346A (en) Redistribution of secret sharing
CN117155615A (en) Data encryption transmission method, system, electronic equipment and storage medium
JP4706811B2 (en) Arithmetic device and recording medium using request calculation
US10880278B1 (en) Broadcasting in supersingular isogeny-based cryptosystems
CN116861477A (en) Data processing method, system, terminal and storage medium based on privacy protection
US20040105546A1 (en) Geometry-Based Symmetric Cryptosystem Method
CN112019335B (en) SM2 algorithm-based multiparty collaborative encryption and decryption method, device, system and medium
CN113645022A (en) Method and device for determining privacy set intersection, electronic equipment and storage medium
CN115276961B (en) Data processing method and device based on OT protocol

Legal Events

Date Code Title Description
PB01 Publication