CN117768180A - Privacy set intersection calculating method based on symmetric key pseudo-random function - Google Patents


Publication number: CN117768180A
Application number: CN202311777469.1A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 张乐友, 单壮, 韩宝乐
Current assignee: Xidian University
Original assignee: Xidian University
Prior art keywords: pseudo, random, representing, user, key
Landscapes: Storage Device Security

Abstract

The present invention relates to a protocol-based communication processing method, and more particularly to a privacy set intersection (PSI) computation method based on a symmetric-key pseudo-random function. It addresses the drawbacks of existing PSI protocols, which generally have high communication and computation costs, especially those based on public key encryption (PKE) schemes and circuits; although some schemes based on oblivious transfer (OT) attempt to balance communication and computation costs, they generally require additional communication rounds, which increases communication and transmission costs. The method comprises: the organizer $P_1$ outputting parameters according to the security parameter $\kappa$ to establish the privacy set intersection system; oblivious key-value encryption by the organizer $P_1$ and all users; oblivious key-value decryption by the servers; computation of the users' privacy intersection by the server; and verification by the organizer $P_1$.

Description

Privacy set intersection calculating method based on symmetric key pseudo-random function
Technical Field
The invention relates to a communication processing method characterized by a protocol, in particular to a privacy set intersection calculating method based on a symmetric key pseudo-random function.
Background
Privacy Set Intersection (PSI) is a research problem in the area of secure multi-party computation (MPC) that aims to let parties who each hold a set of inputs determine their common elements without revealing any information beyond the intersection itself. PSI has a variety of potential privacy-preserving applications, such as sharing patient cases and exchanging interests among online friends. Recently, interdisciplinary efforts have developed privacy-preserving contact tracing systems, and in that setting the privacy protection solution relies heavily on PSI.
In the last decade, some important research efforts have focused on structurally simple constructions of privacy set intersection algorithms. These constructions are typically circuit-based protocols that evaluate Boolean or arithmetic circuits over the parties' inputs. Using a circuit-based protocol can improve computational efficiency and accommodate variants of the various PSI algorithms.
However, existing PSI protocols typically suffer from high communication and computational costs, especially those based on Public Key Encryption (PKE) schemes and circuitry.
In their recent study, Chase and Miao (M. Chase and P. Miao, "Private set intersection in the internet setting from lightweight oblivious PRF," in Advances in Cryptology - CRYPTO 2020, Springer International Publishing, 2020, pp. 34-63) focused on exploring trade-offs between communication and computation costs to achieve optimal efficiency. They propose a simplified multi-point OPRF protocol to implement an efficient semi-honest secure two-party PSI protocol. The protocol is based on the random oracle model and can be further enhanced to achieve security against one malicious party. By employing a multi-point OPRF construction rather than the traditional single-point version, the communication complexity of the protocol is reduced by a constant factor, since each set element only needs to be evaluated once.
However, the Chase and Miao scheme relies on public key encryption and requires complex circuits for the private interaction, which increases computational complexity and reduces efficiency. Furthermore, the Chase and Miao scheme requires additional communication rounds, which brings higher communication costs and an additional financial burden. Care is therefore needed when applying it in practical scenarios.
Disclosure of Invention
The present invention aims to overcome the drawbacks of existing PSI protocols, namely high communication and computation costs, especially for those based on public key encryption (PKE) schemes and circuits, and the fact that schemes based on oblivious transfer (OT), although they attempt to balance communication and computation costs, generally require additional communication rounds and thereby increase communication and transmission costs. To this end it provides a privacy set intersection computation method based on a symmetric-key pseudo-random function.
In order to solve the defects existing in the prior art, the invention provides the following technical solutions:
the privacy set intersection calculating method based on the symmetric key pseudo-random function is characterized by comprising the following steps of:
Step 1: the organizer $P_1$ outputs the parameters params according to the security parameter $\kappa$:
$\text{params} = (k_i, \Phi_i, \Phi_{i+1}, r, k', F, F^*, P, f)$;
where $k_i$ denotes the key sent to user $P_i$, $i \in \{2, \ldots, n-2\}$; $n$ denotes the total number of participants; $\Phi_i$ denotes the virtual set sent to user $P_i$; $\Phi_{i+1}$ denotes the virtual set sent to user $P_{i+1}$; $r$ denotes the random number sent to users $P_{n-1}$ and $P_n$; $k'$ denotes the key sent to users $P_{n-1}$ and $P_n$; $F$ denotes a pseudo-random function; $F^*$ denotes an approximately key-homomorphic pseudo-random function; $P$ denotes a pseudo-random permutation; and $f$ denotes the encoding function;
step 2, encryption of the careless key value;
first, organize Party P 1 Function value f (d) using self-assembled element 1j ) As a key, user P is used i Key k of (2) i As seed for the pseudo-random function F, the value is obtained by an exclusive OR operationAnd generating an inadvertent key value storing function a using the inadvertent key value storing code 1 Sent to the server CS 1 ;d 1j Representing organization partner P 1 The j-th element in the set,representing the key as k i Is a pseudo-random function of>Representing an exclusive or operation from i=2 to i=n-2;
second, user P i Function value f (d) using self-assembled element ij ) As a key, calculateGenerating an inadvertent key value store function A as a value and using an inadvertent key value store encoding i Sent to the server CS 2 ;d ij Representing user P i The j-th element in the set;
finally, user P n-1 Will encrypt the set S n-1 Pseudo-random function value F r * (k n-1 ) Respectively sent to the server CS 1 Server CS 2 The method comprises the steps of carrying out a first treatment on the surface of the User P n Will encrypt the set S n Pseudo-random function value F r * (k n ) Respectively sent to the server CS 1 And server CS 2 ;F r * () Pseudo-random function, k, representing approximate key homomorphism for a key being a random number r n-1 Representing user P n-1 Is a pseudo-random function seed, k n Representing user P n Is a pseudo-random function seed of (a);
step 3, decrypting the careless key value;
server CS 1 And server CS 2 Pseudo-random function F based on approximate key homomorphism * Re-encrypting the received encrypted set S n-1 And an encryption set S n And generates a set S' n-1 And set S' A The method comprises the steps of carrying out a first treatment on the surface of the Then the server CS 1 Storing function A using unintentional key values 1 To decode the set S' n-1 And generate a setServer CS 2 Storing function A with inadvertent key values i To decode the set S' n And generate the set->Sent to the server CS 1
Step 4: server $CS_1$ computes the multiparty intersection $I^*$, computes the re-encrypted intersection $I'$ from $I^*$, and returns $I'$ to the organizer $P_1$;
Step 5, organizing the parties P 1 Verifying the re-encrypted intersection I', if verification is successful, outputting a privacy intersection i= { d ij :d ij ∈(I k′n+1 ) To user P i Otherwise, the verification fails and a termination symbol is output; inverse permutation representing a pseudo-random permutation of the key k->Represents a binary exclusive nor operation, lambda represents the organizer P 1 The self-collection element is duplicated lambda times, and lambda is more than or equal to 1.
Further, the step 1 specifically includes:
Step 1.1: the organizer $P_1$ generates a key $k_i \in \{0,1\}^{\kappa}$ and virtual sets $\Phi_i, \Phi_{i+1}$ according to the security parameter $\kappa$ and sends them to user $P_i$; the organizer $P_1$ generates a random number $r$ and a key $k'$ according to the security parameter $\kappa$ and sends them to users $P_{n-1}$ and $P_n$;
Step 1.2: the organizer $P_1$ selects a pseudo-random function $F$ and an approximately key-homomorphic pseudo-random function $F^*: K \times X \to Y$, and selects a pseudo-random permutation $P: \{0,1\}^{\kappa} \times D \to \{0,1\}^{\geq \kappa}$; $K$ denotes the key space, $X$ the input space, $Y$ the output space, and $D$ the plaintext form of the user set;
Step 1.3: the organizer $P_1$ replicates its own set elements $\lambda$ times and defines the set $D_\lambda = \{d\|1, \ldots, d\|\lambda : d \in D\}$, and has (D) λ ) =D;
Organizing party P 1 Pseudo-random function F based on approximate key homomorphism * With pseudo-random permutation P, constructing a coding function f and satisfyingWherein->And returns the coding function f to the user P i ,P k′ Pseudo-random permutation representing a key k #>Representing user P i Set and set D λ Is a complex of the two.
Further, in step 1.2, the pseudo-random function F is configured in the following manner:
step 1a, constructing a pseudo-random synthesizer G (x), wherein x is an input parameter;
defining a matrixVector->Error term->Constructing a pseudo-random synthesizer G'(s) =b=a·s+e; />Representing all m 1 ×n 1 The set of order matrices and the elements are modular q integer rings, < >>Representing a length n 1 Is a modulo q integer ring, ">Representing a length m 1 And the element is modulo q integer ring, χ 1 Representing a random error distribution in the fault tolerant learning problem;
definition s 0 S, and constructing a pseudo-random synthesizer G(s) =σ 1 ,...,σ p(|s|) Wherein the Nezha isIs the first bit data of +.>Wherein->Is->Data of length bit of |s| from back to front, | +>i 1 ∈[1,p(|s|)],i 1 Represents the ith 1 Iteration, l (n 1 )≤p(n 1 );l(n 1 ) A seed length spread function, p (n), representing a pseudo-random synthesizer G'(s) 1 ) A seed length spread function, n, representing a pseudo-random synthesizer G(s) 1 Representing the seed length of the pseudo-random synthesizer G(s); s=n1, p (|s|) =p (n 1);
step 1b, constructing a pseudo-random synthesizer F s (x) X is an input parameter;
n of the pseudo-random synthesizer G(s) constructed in step 1a 1 S of length extends to 2n 1 Length, i.e. pseudo-random synthesizerLet function G 0 (s) the first n of G(s) 1 Data of length of one bit, G 1 (s) is the latter n of G(s) 1 Data of length of several bits, i.e. G(s) =g 0 (s)G 1 (s);
For any oneDefinition of the function->
For each function f s Key of (2)The following operations are performed:
step 1c, defining a pseudo-random functionWherein->Let-> R And (3) randomly selecting elements from the set, wherein N represents a positive integer set, and thus a random function F is obtained.
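The construction outlined in steps 1a to 1c, as an added Python example that is not code from the patent: a base generator is stretched one bit per iteration ($\sigma_j$ is the first bit of $G'(s_{j-1})$, $s_j$ its last $|s|$ bits), the $2n_1$-bit output is split into $G_0(s)G_1(s)$, and a function $f_s$ is obtained by walking the input bits. Assumptions: the page's own formula for $f_s$ did not survive extraction, so the tree walk used here is the standard GGM construction; `g_prime` is a SHA-256 stand-in for the LWE map $A \cdot s + e$; all function names and the seed are constructed for illustration.

```python
import hashlib

N = 128  # seed length n_1 in bits (constructed; the SHA-256 stand-in needs N < 256)


def g_prime(s: str) -> str:
    """Stand-in for the base generator G'(s): |s| bits in, |s| + 1 bits out.

    Assumption: SHA-256 replaces the page's LWE-based map A*s + e, which is
    not reproduced here.
    """
    digest = hashlib.sha256(s.encode("ascii")).digest()
    bits = "".join(f"{byte:08b}" for byte in digest)
    return bits[: len(s) + 1]


def stretch(s: str, p: int) -> str:
    """Iterated stretch of step 1a: returns sigma_1 ... sigma_p."""
    out = []
    for _ in range(p):
        y = g_prime(s)
        out.append(y[0])       # sigma_j: first bit of G'(s_{j-1})
        s = y[-len(s):]        # s_j: last |s| bits of G'(s_{j-1})
    return "".join(out)


def G(s: str) -> str:
    """Length-doubling generator of step 1b: n_1 bits -> 2 * n_1 bits."""
    return stretch(s, 2 * len(s))


def G0(s: str) -> str:
    return G(s)[: len(s)]      # first n_1 bits of G(s)


def G1(s: str) -> str:
    return G(s)[len(s):]       # last n_1 bits of G(s)


def ggm_prf(seed: str, x: str) -> str:
    """Standard GGM tree walk (assumed form of f_s): apply G_b for each bit b of x.

    All inputs of one deployment must share one fixed length; otherwise the
    output for a prefix of x would be an intermediate state of the walk for x.
    """
    if set(x) - {"0", "1"}:
        raise ValueError("x must be a bit string")
    state = seed
    for bit in x:
        state = G1(state) if bit == "1" else G0(state)
    return state


# Constructed demo seed of N bits.
SEED = "".join(f"{b:08b}" for b in hashlib.sha256(b"constructed demo seed").digest())[:N]

if __name__ == "__main__":
    for x in ("0110", "0111"):
        print(x, hex(int(ggm_prf(SEED, x), 2)))
```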
Further, in step 1.2, the pseudo-random function F of the approximate key homomorphism * The construction mode of (a) is as follows:
step 2a, constructing a pseudo-random synthesizer G (x), wherein x is an input parameter;
defining a matrixVector->Error term->Constructing a pseudo-random synthesizer G'(s) =b=a·s+e; />Representing all m 2 ×n 2 The set of order matrices and the elements are modular q integer rings, < >>Representing a length n 2 Is a modulo q integer ring, ">Representing a length m 2 And the element is modulo q integer ring, χ 2 Representing a random error distribution in the fault tolerant learning problem;
definition s 0 Constructing a pseudo-random synthesizerWherein the method comprises the steps ofσ j Is G'(s) j-1 ) Sigma of the first bit data of (a) j =pref 1 (G 1 (s j-1 )),s j Is G'(s) j-1 ) Data of the length bit of |s| from back to front, s j =suff |s| (G 1 (s j-1 ));n 2 Representing the seed length of the pseudo-random synthesizer G(s);
step 2b, constructing the following functions:
wherein p represents a positive integer smaller than q, Λ represents a positive integer represented byA matrix of components;
defining a pseudo-random functionLet->Obtaining the pseudo-random function F with similar key homomorphism *
Further, in step 2, the encryption set S n-1 Encryption set S n The method comprises the following steps:
wherein P is k′ Pseudo-random permutation denoted by key k', Φ n-1 、Φ n The representation being sent to the user P n-1 、P n Is defined in the virtual set of (a),representing user P n-1 Set and set D λ Is->Representing user P n Set and set D λ Intersection of phi n+1 Representing user P i User P n-1 And user P n Is defined by a virtual set intersection of (a);
in step 3, the set S' n-1 And set S' n The method comprises the following steps:
the set ofSet->The method comprises the following steps:
wherein d' n-1j ∈S′ n-1 ,d′ n-1j Representation set S' n-1 The j-th element of (a); d' nj ∈S′ n ,d′ nj Representation set S' n The j-th element of (a); m represents the total number of attributes of the user.
Further, in step 4, the multiparty intersectionRe-encrypted intersection->x' represents the re-encrypted ciphertext form of the user attribute, x * A decrypted ciphertext form representing the user attribute.
Further, the step 5 specifically includes:
organizing party P 1 After receiving the re-encrypted intersection I', a calculation is made And check I k′ Whether or not the elements in (a) satisfy the following conditions:
and-> Representing an empty set;
$\alpha \in [\lambda],\ d\|\alpha \in I_{k'}$, meaning that for each element $d$ in the privacy intersection $I$ and each positive integer $\alpha$ in $[\lambda]$, $d\|\alpha$ is present in $I_{k'}$; $\|$ denotes concatenation;
if any one of the conditions is not satisfied, the verification fails and a termination symbol is output; if the two conditions are satisfied at the same time, the verification is successful, and the privacy intersection I= { d is output ij :d ij ∈(I k′n+1 ) To user P i
Compared with the prior art, the invention has the beneficial effects that:
(1) The privacy set intersection computation method based on a symmetric-key pseudo-random function of the invention comprises: the organizer $P_1$ outputting parameters according to the security parameter $\kappa$ to establish the privacy set intersection system; oblivious key-value encryption by the organizer $P_1$ and all users; oblivious key-value decryption by the servers; computation of the users' privacy intersection by the server; and verification by the organizer $P_1$. The invention not only allows multiple participants to compare their respective sets while ensuring that specific elements of the sets are not revealed, but also achieves secure and efficient set intersection in a multiparty private setting when processing large-scale data and a large number of participants.
(2) The privacy set intersection calculating method based on the symmetric key pseudo-random function not only ensures the privacy protection of users, but also can verify the calculation result and realize low calculation cost; this innovation has made an important breakthrough in addressing the limitations of existing PSI protocols and provides a promising solution for achieving a better balance between communication, computation, and data transmission costs.
(3) The invention relates to a privacy set intersection calculating method based on a symmetric key pseudo-random function, which adopts two pseudo-random functions constructed based on LWE (Learning With Errors) problems and variants thereof, wherein one of the two pseudo-random functions is an approximate key pseudo-random function; these technical choices are based on widely accepted security principles in the current cryptography arts to ensure privacy and security of protocols; the pseudo-random function constructed by LWE problem and its variant shows the innovation and foresight of the invention in the aspect of cryptography safety.
(4) Compared with traditional schemes, the privacy set intersection computation method based on a symmetric-key pseudo-random function has an obvious advantage in computational efficiency; in particular, in the intersection computation stage the CPU (central processing unit) running time is almost negligible because of the symmetric encryption the method uses.
Drawings
FIG. 1 is a schematic diagram of a privacy set intersection system in an embodiment of a method for calculating privacy set intersections based on a pseudorandom function of a symmetric key;
FIG. 2 is a flow chart of an embodiment of the present invention;
FIG. 3 is a schematic diagram of CPU running time of step 2 inadvertent key encryption corresponding to the total number n of different participants in the embodiment of the invention;
FIG. 4 is a schematic diagram of CPU running time of steps 3-5 corresponding to the total number n of different participants in the embodiment of the present invention;
FIG. 5 is a simulation result of the CPU running time at the encryption stage corresponding to the total number n of different participants in the first and second prior art according to the embodiment of the present invention;
FIG. 6 is a simulation result of CPU run time at the decryption and verification stage corresponding to the total number n of different participants in the first and second prior art embodiments of the present invention;
FIG. 7 is a simulation result of the CPU running time at the intersection calculation stage corresponding to the total number n of different participants in the first and second prior arts according to the embodiment of the present invention.
Detailed Description
The invention is further described below with reference to the drawings and exemplary embodiments.
Referring to FIGS. 1 to 4, the privacy set intersection computation method based on a symmetric-key pseudo-random function is based on a privacy set intersection system comprising participants $P_1, P_2, \ldots, P_n$, server $CS_1$ and server $CS_2$, where $P_1$ is the organizer and $P_2, \ldots, P_n$ are users;
the privacy set intersection calculating method comprises the following steps:
Step 1: the organizer $P_1$ outputs the parameters according to the security parameter $\kappa$:
$\text{params} = (k_i, \Phi_i, \Phi_{i+1}, r, k', F, F^*, P, f)$;
where $k_i$ denotes the key sent to user $P_i$, $i \in \{2, \ldots, n-2\}$; $r$ denotes the random number sent to users $P_{n-1}$ and $P_n$; $k'$ denotes the key sent to users $P_{n-1}$ and $P_n$; $\Phi_i$ denotes the virtual set sent to user $P_i$; $\Phi_{i+1}$ denotes the virtual set sent to user $P_{i+1}$; $F$ denotes a pseudo-random function; $F^*$ denotes an approximately key-homomorphic pseudo-random function; $P$ denotes a pseudo-random permutation; $f$ denotes a function of the organizer $P_1$'s own set elements and $\lambda$; and $n$ denotes the total number of participants;
Step 1.1: the organizer $P_1$ generates a key $k_i \in \{0,1\}^{\kappa}$ and virtual sets $\Phi_i, \Phi_{i+1}$ according to the security parameter $\kappa$ and sends them to user $P_i$; the organizer $P_1$ generates a random number $r$ and a key $k'$ according to the security parameter $\kappa$ and sends them to users $P_{n-1}$ and $P_n$;
Step 1.2: the organizer $P_1$ selects a pseudo-random function $F$ and an approximately key-homomorphic pseudo-random function $F^*: K \times X \to Y$, and selects a pseudo-random permutation $P: \{0,1\}^{\kappa} \times D \to \{0,1\}^{\geq \kappa}$; $K$ denotes the key space, $X$ the input space, $Y$ the output space, and $D$ the plaintext form of the user set;
the construction mode of the pseudo-random function F is as follows:
step 1a, constructing a pseudo-random synthesizer G (x), wherein x is an input parameter;
defining a matrixVector->Error term->Constructing a pseudo-random synthesizer G'(s) =b=a·s+e; />Representing all m 1 ×n 1 The set of order matrices and the elements are modular q integer rings, < >>Representing a length n 1 Is a vector of (2), and the element is modulo q 1 Integer ring (s)/(S)>Representing a length m 1 And the element is modulo q integer ring, χ 1 Representing a random error distribution in the fault tolerant learning problem;
definition s 0 S, and constructing a pseudo-random synthesizer G(s) =σ 1 ,...,σ p(|s|) Wherein sigma 1 Is thatIs the first bit data of +.>Wherein->Is->Data of length bit of |s| from back to front, | +>i 1 ∈[1,p(|s|)],i 1 Represents the ith 1 Iteration, l (n 1 )≤p(n 1 );l(n 1 ) Seed length representing a pseudo-random synthesizer G'(s)A degree spread function, p (n 1 ) A seed length spread function, n, representing a pseudo-random synthesizer G(s) 1 Representing the seed length of the pseudo-random synthesizer G(s); s=n1, p (|s|) =p (n 1);
step 1b, constructing a pseudo-random synthesizer F s (x) X is an input parameter;
n of the pseudo-random synthesizer G(s) constructed in step 1a 1 S of length extends to 2n 1 Length, i.e. pseudo-random synthesizerLet function G 0 (s) the first n of G(s) 1 Data of length of one bit, G 1 (s) is the latter n of G(s) 1 Data of length of several bits, i.e. G(s) =g 0 (s)G 1 (s);
For any oneDefinition of the function->
For each function f s Key of (2)The following operations are performed:
step 1c, defining a pseudo-random functionWherein->Let-> R Representing randomly selected elements from a collection, N tableShowing a positive integer set to obtain a random function F;
step 2a, constructing a pseudo-random synthesizer G (x), wherein x is an input parameter;
defining a matrixVector->Error term->Constructing a pseudo-random synthesizer G'(s) =b=a·s+e; />Representing all m 2 ×n 2 The set of order matrices and the elements are modular q integer rings, < >>Representing a length n 2 Is a modulo q integer ring, ">Representing a length m 2 And the element is modulo q integer ring, χ 2 Representing a random error distribution in the fault tolerant learning problem;
definition s 0 Constructing a pseudo-random synthesizerWherein the method comprises the steps ofσ j Is G'(s) j-1 ) Sigma of the first bit data of (a) j =pref 1 (G 1 (s j-1 )),s j Is G'(s) j-1 ) Data of the length bit of |s| from back to front, s j =suff |s| (G 1 (s j-1 ));
Step 2b, constructing the following functions:
wherein p represents a positive integer smaller than q, Λ represents a positive integer represented byA matrix of components;
defining a pseudo-random functionLet->Obtaining the pseudo-random function F with similar key homomorphism *
Step 1.3: the organizer $P_1$ replicates its own set elements $\lambda$ times, $\lambda \geq 1$, and defines the set $D_\lambda = \{d\|1, \ldots, d\|\lambda : d \in D\}$, and has (D) λ ) =D;
Organizing party P 1 Pseudo-random function F based on approximate key homomorphism * With pseudo-random permutation P, constructing a coding function f and satisfyingWherein->And returns the coding function f to the user P i ;d ij Representing user P i The j-th element in the collection, F r * () Pseudo-random function, k, representing approximate key homomorphism for a key being a random number r n-1 Representing user P n-1 Is a pseudo-random function seed, k n Representing user P n Pseudo-random function seed of->Representing a binary nor operation,/->Representing user P i Set and set D λ Is a complex of the intersection of (a) and (b);
step 2, encryption of the careless key value;
step 2.1, organizing Party P 1 Function value f (d) using self-assembled element 1j ) As a key, user P is used i Is used as the seed of the pseudo-random function F, and the seeds of n-3 pseudo-random functions F are subjected to exclusive OR operation to obtain the value Representing an exclusive or operation from i=2 to i=n-2 and generating an inadvertent key value store function a using an inadvertent key value store encoding 1 And sent to the server CS 1
Wherein d 1j Representing organization partner P 1 The j-th element in the set;
step 2.2, user P i Function value f (d) using self-assembled element ij ) As a key, calculateGenerating an inadvertent key value store function A as a value and using an inadvertent key value store encoding i And sent to the server CS 2
Step 2.3, user P n-1 Will encrypt the set S n-1 Pseudo-random function value F r * (k n-1 ) Respectively sent to the server CS 1 Server CS 2
Wherein P is k′ Representing a pseudo-random permutation of the key k',representing user P n-1 Set and set D λ Is a complex of the intersection of (a) and (b);
user P n Will encrypt the set S n Pseudo-random function value F r * (k n ) Respectively sent to the server CS 1 And server CS 2
In the method, in the process of the invention,representing user P n Set and set D λ Is a complex of the intersection of (a) and (b);
step 3, decrypting the careless key value;
step 3.1, server CS 1 And server CS 2 According to a pseudo-random function F * Re-encrypting the received encrypted set S n-1 And an encryption set S n And generates a new set S' n-1 And set S' n
Wherein phi is n+1 Representing user P i User P n-1 And user P n Is defined by a virtual set intersection of (a);
step 3.2, server CS 1 Storing function A using received careless key values 1 To decode the set S' n-1 And generates a new setWherein d' n-1j ∈S′ n-1 ,d′ n-1j Representation set S' n-1 The j-th element of (a); server CS 2 Storing function A using received careless key values i To decode the set S' n And generates a new set +.>Wherein d' nj ∈S′ n ,d′ nj Representation set S' n The j-th element of (a);
Step 3.3: server $CS_2$ sends the set $S_n^*$ to server $CS_1$;
Wherein m represents the total number of attributes of the user;
step 4, calculating user privacy intersections;
Server $CS_1$ computes the multiparty intersection $I^* = \{x'\|x^* : x'\|x^* \in S_{n-1}^* \cap S_n^*\}$ and, from $I^*$, computes the re-encrypted intersection $I' = \{x : x'\|x^* \in S_{n-1}^* \cap S_n^*\}$, $x' \in S_{n-1}^* \cap S_n^*$; finally, server $CS_1$ returns the re-encrypted intersection $I'$ to the organizer $P_1$; $x'$ denotes the re-encrypted ciphertext form of the user attribute and $x^*$ the decrypted ciphertext form of the user attribute;
step 5, verification;
organizing party P 1 After receiving the re-encrypted intersection v', a calculation is made Inverse permutation representing pseudo-random permutation of the key k' and checking I k′ Whether or not the elements in (a) satisfy the following conditions:
and-> Representing an empty set;
$\alpha \in [\lambda],\ d\|\alpha \in I_{k'}$, meaning that for each element $d$ in the privacy intersection $I$ and each positive integer $\alpha$ in $[\lambda]$, $d\|\alpha$ is present in $I_{k'}$; $\|$ denotes concatenation;
if any one of the conditions is not satisfied, the verification fails and a termination symbol is output; if the two conditions are satisfied at the same time, the verification is successful, and the privacy intersection I= { d is output ij :d ij ∈(I k′n+1 ) To user P i
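The replication check of step 5, as an added Python example that is not code from the patent: the organizer inverts the keyed permutation on the returned set and accepts only if every recovered element $d$ appears with all copies $d\|1, \ldots, d\|\lambda$. Assumptions: only this condition is implemented, because the other condition's formula is missing from the page; a 4-round HMAC-SHA256 Feistel network stands in for the pseudo-random permutation $P_{k'}$; the servers' OKVS decoding and re-encryption are skipped; all names, the key and the sample sets are constructed.

```python
import hashlib
import hmac

BLOCK, HALF, ROUNDS = 32, 16, 4
MAX_D = BLOCK - 3  # 1 length byte + element bytes + 2-byte copy index


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _rf(key: bytes, i: int, half: bytes) -> bytes:
    """Feistel round function (stand-in, not the patent's permutation)."""
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:HALF]


def prp(key: bytes, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _rf(key, i, right))
    return left + right


def prp_inv(key: bytes, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _rf(key, i, left)), left
    return left + right


def encode(d: str, alpha: int) -> bytes:
    """Fixed-width encoding of d || alpha."""
    raw = d.encode("utf-8")
    if not 0 < len(raw) <= MAX_D or not 0 < alpha < 65536:
        raise ValueError("element or copy index out of range")
    return bytes([len(raw)]) + raw.ljust(MAX_D, b"\x00") + alpha.to_bytes(2, "big")


def decode(block: bytes):
    if len(block) != BLOCK:
        raise ValueError("wrong block size")
    n = block[0]
    if not 0 < n <= MAX_D or any(block[1 + n:BLOCK - 2]):
        raise ValueError("malformed block")
    return block[1:1 + n].decode("utf-8"), int.from_bytes(block[-2:], "big")


def replicate_and_permute(key: bytes, elements, lam: int) -> set:
    """P_k'(d || alpha) for every d and every alpha in [lam], i.e. P_k'(D_lambda)."""
    return {prp(key, encode(d, a)) for d in elements for a in range(1, lam + 1)}


def honest_response(key: bytes, organizer, other, lam: int) -> set:
    """Simulation of the set an honest server would return for two input sets."""
    return replicate_and_permute(key, set(organizer) & set(other), lam)


def verify(key: bytes, returned, lam: int):
    """Return the intersection, or None (termination symbol) if a copy is missing."""
    copies = {}
    try:
        for c in returned:
            d, alpha = decode(prp_inv(key, c))
            copies.setdefault(d, set()).add(alpha)
    except ValueError:          # includes undecodable (non-UTF-8) elements
        return None
    want = set(range(1, lam + 1))
    if any(seen != want for seen in copies.values()):
        return None
    return set(copies)


# Constructed sample data.
KEY = b"constructed demo key k'"
LAM = 3
ORGANIZER = {"alice", "bob", "carol"}
OTHER = {"carol", "dave", "alice"}

if __name__ == "__main__":
    resp = honest_response(KEY, ORGANIZER, OTHER, LAM)
    print("honest  :", verify(KEY, resp, LAM))
    print("tampered:", verify(KEY, set(sorted(resp)[1:]), LAM))
```

A server that does not hold $k'$ cannot tell which ciphertexts are copies of the same element, so silently dropping a result means guessing all $\lambda$ of its copies; a larger $\lambda$ lowers the chance of an undetected omission at the cost of a larger set.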
The tools used in the invention are Python 3.8 and MATLAB 2021b; all programs were executed on a Dell Vostro desktop computer with an 11th Gen Intel Core i5-11400 processor (2.60 GHz and 2.59 GHz) and 8.00 GB of memory.
Comparing the examples of the present invention with the first and second prior arts, the results are shown in fig. 5 to 7.
The first prior art is A. Abadi, S. Terzis, and C. Dong, "VD-PSI: Verifiable delegated private set intersection on outsourced private datasets," in Financial Cryptography, 2016. [Online]. Available: https://api.semanticscholar.org/CorpusID:13164375
The second prior art is Q. Wang, F. Zhou, J. Xu and S. Peng, "Tag-based verifiable delegated set intersection over outsourced private datasets," IEEE Transactions on Cloud Computing, vol. 10, no. 2, pp. 1201-1214, 2022.
Fig. 5 shows the simulation results for the CPU run time of the encryption stage: all three schemes exhibit instability, and their run times are generally positively correlated with the total number n of participants. When the total number of participants n < 9, the CPU run time of the embodiment of the present invention is relatively small. However, where the total number n of participants is greater than or equal to 10, the CPU run time of the embodiment is substantially consistent with that of the first and second prior art.
Fig. 6 shows the simulation results for the CPU run time of the decryption and verification stage. In the embodiment of the invention, when n ≤ 26 the CPU run time is almost 0; however, when n > 26, the CPU run time of the embodiment gradually increases. On the other hand, both the first and second prior art exhibit highly unstable CPU run times, and when n ≥ 26, the CPU run times of embodiments of the present invention increase rapidly.
FIG. 7 depicts simulation results of CPU runtime during the intersection computation phase. Because of the symmetric encryption used in embodiments of the present invention, CPU run time is almost negligible. However, both prior art one and prior art two exhibit significant CPU run time and instability. The CPU run times of the first and second prior art are almost the same.

Claims (7)

1. The privacy set intersection calculating method based on the symmetric key pseudo-random function is characterized by comprising the following steps of:
Step 1: the organizer $P_1$ outputs the parameters params according to the security parameter $\kappa$:
$\text{params} = (k_i, \Phi_i, \Phi_{i+1}, r, k', F, F^*, P, f)$;
where $k_i$ denotes the key sent to user $P_i$, $i \in \{2, \ldots, n-2\}$; $n$ denotes the total number of participants; $\Phi_i$ denotes the virtual set sent to user $P_i$; $\Phi_{i+1}$ denotes the virtual set sent to user $P_{i+1}$; $r$ denotes the random number sent to users $P_{n-1}$ and $P_n$; $k'$ denotes the key sent to users $P_{n-1}$ and $P_n$; $F$ denotes a pseudo-random function; $F^*$ denotes an approximately key-homomorphic pseudo-random function; $P$ denotes a pseudo-random permutation; and $f$ denotes the encoding function;
Step 2: oblivious key-value encryption;
First, the organizer $P_1$ uses the function value $f(d_{1j})$ of its own set element as the key and the key $k_i$ of user $P_i$ as the seed of the pseudo-random function $F$, obtains the value by an exclusive-OR operation, generates the oblivious key-value store function $A_1$ using the oblivious key-value store encoding, and sends it to the server $CS_1$; $d_{1j}$ denotes the $j$-th element in the set of the organizer $P_1$,>representing the key as k i Is a pseudo-random function of>Representing an exclusive or operation from i=2 to i=n-2;
Second, user $P_i$ uses the function value $f(d_{ij})$ of its own set element as the key, computes the value, generates the oblivious key-value store function $A_i$ using the oblivious key-value store encoding, and sends it to the server $CS_2$; $d_{ij}$ denotes the $j$-th element in the set of user $P_i$;
Finally, user $P_{n-1}$ sends the encrypted set $S_{n-1}$ and the pseudo-random function value $F_r^*(k_{n-1})$ to the server $CS_1$ and the server $CS_2$ respectively; user $P_n$ sends the encrypted set $S_n$ and the pseudo-random function value $F_r^*(k_n)$ to the server $CS_1$ and the server $CS_2$ respectively; $F_r^*(\cdot)$ denotes the approximately key-homomorphic pseudo-random function whose key is the random number $r$, $k_{n-1}$ denotes the pseudo-random function seed of user $P_{n-1}$, and $k_n$ denotes the pseudo-random function seed of user $P_n$;
Step 3: oblivious key-value decryption;
The server $CS_1$ and the server $CS_2$ re-encrypt the received encrypted sets $S_{n-1}$ and $S_n$ based on the approximately key-homomorphic pseudo-random function $F^*$ and generate the sets $S'_{n-1}$ and $S'_n$; the server $CS_1$ then uses the oblivious key-value store function $A_1$ to decode the set $S'_{n-1}$ and generate a set; the server $CS_2$ uses the oblivious key-value store function $A_i$ to decode the set $S'_n$ and generate a set, which is sent to the server $CS_1$;
Step 4: the server $CS_1$ computes the multiparty intersection $I^*$, computes the re-encrypted intersection $I'$ from the multiparty intersection $I^*$, and returns it to the organizer $P_1$;
Step 5: the organizer $P_1$ verifies the re-encrypted intersection $I'$; if verification succeeds, the privacy intersection i= { d ij :d ij ∈(I k′n+1 ) is output to user $P_i$; otherwise, the verification fails and a termination symbol is output; inverse permutation representing a pseudo-random permutation of the key k->Represents a binary exclusive nor operation, $\lambda$ denotes that the organizer $P_1$ duplicates its own set elements $\lambda$ times, with $\lambda \geq 1$.
2. The method for calculating the intersection of privacy sets based on the pseudo-random function of the symmetric key according to claim 1, wherein the step 1 is specifically:
Step 1.1: the organizer $P_1$ generates a key $k_i \in \{0,1\}^{\kappa}$ and the virtual sets $\Phi_i, \Phi_{i+1}$ according to the security parameter $\kappa$ and sends them to user $P_i$; the organizer $P_1$ generates a random number $r$ and a secret key $k'$ according to the security parameter $\kappa$ and sends them to user $P_{n-1}$ and user $P_n$;
Step 1.2: the organizer $P_1$ selects a pseudo-random function $F$ and an approximately key-homomorphic pseudo-random function $F^*$: $K \times X \to Y$, and selects a pseudo-random permutation $P$: $\{0,1\}^{\kappa} \times D \to \{0,1\}^{\geq \kappa}$; $K$ denotes a key, $X$ denotes the input space, $Y$ denotes the output space, and $D$ denotes the plaintext form of the user set;
Step 1.3: the organizer $P_1$ duplicates its own set elements $\lambda$ times, defining the set $D_\lambda = \{d\|1, \ldots : d \in D\}$, and has (D) λ ) =D;
Organizing party P 1 Pseudo-random function F based on approximate key homomorphism * With pseudo-random permutation P, constructing a coding function f and satisfyingWherein->And returns the coding function f to the user P i ,P k′ Pseudo-random permutation representing a key k #>Representing user P i Set and set D λ Is a complex of the two.
3. The method for calculating the intersection of privacy sets based on pseudo-random function of symmetric key according to claim 2, wherein in step 1.2, the pseudo-random function F is constructed in the following manner:
step 1a, constructing a pseudo-random synthesizer G (x), wherein x is an input parameter;
defining a matrixVector->Error term->Constructing a pseudo-random synthesizer G'(s) =b=a·s+e; />Representing all m 1 ×n 1 The set of order matrices, and the elements are modular q integer rings,representing a length n 1 Is a modulo q integer ring, ">Representing a length m 1 And the element is modulo q integer ring, χ 1 Representing fault tolerant learning problemsRandom error distribution;
definition s 0 S, and constructing a pseudo-random synthesizer G(s) =σ 1 ,...,σ p(|s|) Wherein sigma 1 Is thatIs the first bit data of +.>Wherein->Is->Data of length bit of |s| from back to front, | +>i 1 Represents the ith 1 Iteration, l (n 1 )≤p(n 1 );l(n 1 ) A seed length spread function, p (n), representing a pseudo-random synthesizer G'(s) 1 ) A seed length spread function, n, representing a pseudo-random synthesizer G(s) 1 Representing the seed length of the pseudo-random synthesizer G(s); s=n1, p (|s|) =p (n 1);
step 1b, constructing a pseudo-random synthesizer F s (x) X is an input parameter;
n of the pseudo-random synthesizer G(s) constructed in step 1a 1 S of length extends to 2n 1 Length, i.e. pseudo-random synthesizerLet function G 0 (s) the first n of G(s) 1 Data of length of one bit, G 1 (s) is the latter n of G(s) 1 Data of length of several bits, i.e. G(s) =g 0 (s)G 1 (s);
For any oneDefinition of the function f s :/>
For each function f s Key of (2)The following operations are performed:
step 1c, defining a pseudo-random functionWherein->Let-> R And (3) randomly selecting elements from the set, wherein N represents a positive integer set, and thus a random function F is obtained.
4. The method for calculating the intersection of privacy sets based on pseudo-random functions of symmetric keys according to claim 2, wherein in step 1.2, the pseudo-random function F of similar key homomorphism * The construction mode of (a) is as follows:
step 2a, constructing a pseudo-random synthesizer G (x), wherein x is an input parameter;
defining a matrixVector->Error term->Constructing a pseudo-random synthesizer G'(s) =b=a·s+e; />Representing all m 2 ×n 2 The set of order matrices, and the elements are modular q integer rings,representing a length n 2 Is a modulo q integer ring, ">Representing a length m 2 And the element is modulo q integer ring, χ 2 Representing a random error distribution in the fault tolerant learning problem;
definition s 0 Constructing a pseudo-random synthesizerWherein the method comprises the steps ofσ j Is G'(s) j-1 ) Sigma of the first bit data of (a) j =pref 1 (G 1 (s j-1 )),s j Is G'(s) j-1 ) Data of the length bit of |s| from back to front, s j =suff |s| (G 1 (s j-1 ));n 2 Representing the seed length of the pseudo-random synthesizer G(s);
step 2b, constructing the following functions:
wherein p represents a positive integer smaller than q, Λ represents a positive integer represented byA matrix of components;
defining a pseudo-random functionLet->Obtaining the pseudo-random function F with similar key homomorphism *
5. A method of calculating a privacy set intersection based on a pseudo-random function of a symmetric key according to any one of claims 1 to 4, wherein:
in step 2, the encryption set S n-1 Encryption set S n The method comprises the following steps:
wherein P is k′ Pseudo-random permutation denoted by key k', Φ n-1 、Φ n The representation being sent to the user P n-1 、P n Is defined in the virtual set of (a),representing user P n-1 Set and set D λ Is->Representing user P n Set and set D λ Intersection of phi n+1 Representing user P i User P n-1 And user P n Is defined by a virtual set intersection of (a);
in step 3, the set S' n-1 And set S' n The method comprises the following steps:
the set ofSet->The method comprises the following steps:
wherein d' n-1j ∈S′ n-1 ,d′ n-1j Representation set S' n-1 The j-th element of (a); d' nj ∈S′ n ,d′ nj Representation set S' n The j-th element of (a); m represents the total number of attributes of the user.
6. The privacy set intersection calculating method based on the symmetric key pseudo-random function according to claim 5, wherein:
in step 4, the multiparty intersectionRe-encrypted intersectionx' represents the re-encrypted ciphertext form of the user attribute, x * A decrypted ciphertext form representing the user attribute.
7. The method for calculating the intersection of privacy sets based on the pseudo-random function of the symmetric key according to claim 6, wherein the step 5 is specifically:
organizing party P 1 After receiving the re-encrypted intersection I', a calculation is made And check I k′ Whether or not the elements in (a) satisfy the following conditions:
and-> Representing an empty set;
$\alpha \in [\lambda],\ d\|\alpha \in I_{k'}$, meaning that for each element $d$ in the privacy intersection $I$ and each positive integer $\alpha$ within $\lambda$, $d\|\alpha$ is present in $I_{k'}$; $\|$ denotes concatenation;
If either condition is not satisfied, the verification fails and a termination symbol is output; if both conditions are satisfied at the same time, the verification succeeds and the privacy intersection v= { d ij :d ij ∈(I k′n+1 ) is output to user $P_i$.
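The replication check of step 5 and claim 7 (every element duplicated λ times as d||α, permuted under k', then required to come back with all λ copies), as an added Python example that is not code from the patent. Assumptions: a 4-round Feistel network over HMAC-SHA256 stands in for the pseudo-random permutation P, the fixed-width encoding of d||α and the names `blind` and `verify` are hypothetical, and only the second verification condition is modelled, with the oblivious key-value store and pseudo-random-function layers left out.

```python
import hashlib
import hmac

BLOCK, HALF, MAX_D = 16, 8, 13   # token = 1 length byte + 13 data bytes + 2 counter bytes

def _f(key, i, half):
    # Feistel round function: HMAC-SHA256 truncated to half a block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:HALF]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def prp(key, block, inverse=False):
    """Keyed permutation on 16-byte blocks (assumed stand-in for P under key k')."""
    left, right = block[:HALF], block[HALF:]
    if inverse:
        for i in (3, 2, 1, 0):
            left, right = _xor(right, _f(key, i, left)), left
    else:
        for i in (0, 1, 2, 3):
            left, right = right, _xor(left, _f(key, i, right))
    return left + right

def encode(d, alpha):
    """Fixed-width encoding of d||alpha (hypothetical layout)."""
    if len(d) > MAX_D:
        raise ValueError("element too long for this demo encoding")
    return bytes([len(d)]) + d.ljust(MAX_D, b"\0") + alpha.to_bytes(2, "big")

def decode(block):
    n = block[0]
    if n > MAX_D or any(block[1 + n:1 + MAX_D]):
        return None              # not a well-formed d||alpha
    return block[1:1 + n], int.from_bytes(block[1 + MAX_D:], "big")

def blind(elements, key, lam):
    """Organizer side: build D_lambda = {d||1, ..., d||lam} and permute every copy."""
    return {prp(key, encode(d, a)) for d in elements for a in range(1, lam + 1)}

def verify(returned, key, lam):
    """Invert the permutation and require all lam copies of every element.
    Returns the set of elements, or None (the termination symbol)."""
    copies = {}
    for tok in returned:
        dec = decode(prp(key, tok, inverse=True)) if len(tok) == BLOCK else None
        if dec is None or not 1 <= dec[1] <= lam:
            return None          # forged or corrupted token
        copies.setdefault(dec[0], set()).add(dec[1])
    if any(len(alphas) != lam for alphas in copies.values()):
        return None              # some copy d||alpha is missing
    return set(copies)
```

A reply that omits some of an element's λ tokens, or contains a token the organizer never produced, makes `verify` return None.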
CN202311777469.1A 2023-12-21 2023-12-21 Privacy set intersection calculating method based on symmetric key pseudo-random function Pending CN117768180A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311777469.1A CN117768180A (en) 2023-12-21 2023-12-21 Privacy set intersection calculating method based on symmetric key pseudo-random function


Publications (1)

Publication Number Publication Date
CN117768180A true CN117768180A (en) 2024-03-26

Family

ID=90325157



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination