WO2021197035A1 - Method and device for jointly training service prediction model by two parties for protecting data privacy - Google Patents

Publication number
WO2021197035A1
Authority
WO
WIPO (PCT)
Prior art keywords
parameter
party
encrypted
segment
gradient
Application number
PCT/CN2021/080718
Inventor
陈超超
王力
王磊
周俊
Original Assignee
支付宝(杭州)信息技术有限公司
Application filed by 支付宝(杭州)信息技术有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/008 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption

Definitions

  • One or more embodiments of this specification relate to the fields of data security and machine learning, and in particular, to methods and devices for joint training of business prediction models by both parties.
  • the data needed for machine learning often involves multiple fields.
  • the electronic payment platform owns the merchant's transaction flow data
  • the e-commerce platform stores the merchant's sales data
  • the banking institution owns the merchant's loan data.
  • Data often exists in the form of islands. Due to industry competition, data security, user privacy and other issues, data integration is facing great resistance. It is difficult to integrate data scattered on various platforms to train machine learning models. Under the premise of ensuring that data is not leaked, the use of multi-party data to jointly train machine learning models has become a major challenge at present.
  • Machine learning models include logistic regression models, linear regression models, and neural network models. Logistic regression models can effectively perform tasks such as sample classification and prediction, linear regression models can effectively predict the regression values of samples, and neural network models can perform various prediction tasks through the combination of multiple layers of neurons.
  • how to coordinate the operations of the above-mentioned stages without revealing the private data of all parties, including feature data and model parameter data, is a practical problem to be solved.
  • One or more embodiments of this specification describe a method and device for jointly training a business prediction model by both parties, in which parameter fragmentation in the iterative process is used to ensure that data privacy is not leaked, and to ensure the security of private data in joint training.
  • a method for two parties to jointly train a business prediction model while protecting data privacy, where the two parties include a first party and a second party, and the first party stores first feature parts of a plurality of business objects.
  • the second party stores a second feature matrix X_B formed by the second feature parts of the multiple business objects, and a label vector Y formed by label values;
  • the method is applied to the second party and includes performing multiple iterations of model parameter updates, wherein each iteration includes:
  • the homomorphically encrypted second encrypted product fragment is calculated through local matrix multiplication and secure matrix multiplication with the first party, and a first encrypted product fragment is received from the first party; wherein the second fragment of the first parameter is the second fragment of the first parameter part W_A used to process the first feature part, and the second fragment of the second parameter is the second fragment of the second parameter part W_B used to process the second feature part;
  • the first encrypted product fragment and the second encrypted product fragment are homomorphically summed to obtain the encrypted product result Z, which corresponds to the encrypted value of the sum of the first product of the first feature matrix X_A and the first parameter part W_A and the second product of the second feature matrix X_B and the second parameter part W_B;
  • the second fragment of the second parameter is updated according to the second fragment of the second gradient, and the second fragment of the first parameter is updated according to the second fragment of the second part of the first gradient.
  • before performing the multiple iterations of model parameter updates, the method further includes: initializing the second parameter part W_B and splitting it, through secret sharing, into the first fragment of the second parameter and the second fragment of the second parameter; retaining the second fragment of the second parameter and sending the first fragment of the second parameter to the first party; and receiving, from the first party, the second fragment of the first parameter obtained by secret sharing of the first parameter part W_A.
  • the method further includes: sending the second fragment of the first parameter updated in the last iteration to the first party, and receiving from the first party the updated first fragment of the second parameter; combining the second fragment of the second parameter updated in the last iteration with the received first fragment of the second parameter to obtain the second parameter part W_B of the trained business prediction model.
  • the business object may include one of the following: users, merchants, commodities, and events; the business prediction model is used to predict the classification or regression value of the business object.
  • the business prediction model is a linear regression model; in this case, the homomorphic difference between the encrypted product result Z and the label vector Y can be calculated as the encrypted error vector E.
  • the business prediction model is a logistic regression model; in this case, the encrypted prediction result can be obtained based on the encrypted product result Z according to the Taylor expansion form of the sigmoid function, and a homomorphic difference operation is performed on the encrypted prediction result and the encrypted value of the label vector Y to obtain the encrypted error vector E.
  • before obtaining the encrypted error vector E, the method also includes calculating an encrypted multi-order product at least according to the first product fragment and the second product fragment; in this way, according to the multi-order Taylor expansion form of the sigmoid function, an encrypted prediction result is obtained based on the encrypted product result Z and the encrypted multi-order product, and a homomorphic difference operation is performed on the encrypted prediction result and the encrypted value of the label vector Y to obtain the encrypted error vector E.
  • the homomorphically encrypted second encrypted product fragment is calculated as follows: use the second fragment of the first parameter to perform secure matrix multiplication with the first feature matrix X_A held by the first party, to obtain the second fragment of the second processing result of the first feature; locally calculate the product of the second feature matrix X_B and the second fragment of the second parameter to obtain the first processing result of the second feature; use the second feature matrix X_B to perform secure matrix multiplication with the first fragment of the second parameter held by the first party, to obtain the second fragment of the second processing result of the second feature; add the second fragment of the second processing result of the first feature, the first processing result of the second feature, and the second fragment of the second processing result of the second feature, and homomorphically encrypt the sum with the public key of the first party to obtain the second encrypted product fragment.
  • the second fragment of the second parameter is updated by subtracting the product of the second fragment of the second gradient and a preset step size.
  • a method for two parties to jointly train a business prediction model while protecting data privacy is applied to the aforementioned first party.
  • the method includes performing multiple iterations of model parameter updates, wherein each iteration includes:
  • the homomorphically encrypted first encrypted product fragment is calculated through local matrix multiplication and secure matrix multiplication with the second party;
  • the first fragment of the first parameter is the first fragment of the first parameter part W_A used to process the first feature part;
  • the first fragment of the second parameter is the first fragment of the second parameter part W_B used to process the second feature part;
  • before performing the multiple iterations of model parameter updates, the method further includes: initializing the first parameter part W_A and splitting it, through secret sharing, into the first fragment of the first parameter and the second fragment of the first parameter; retaining the first fragment of the first parameter and sending the second fragment of the first parameter to the second party; and receiving, from the second party, the first fragment of the second parameter obtained by secret sharing of the second parameter part W_B.
  • the method further includes: sending the first fragment of the second parameter updated in the last iteration to the second party, and receiving from the second party the updated second fragment of the first parameter; combining the first fragment of the first parameter updated in the last iteration with the received second fragment of the first parameter to obtain the first parameter part W_A of the trained business prediction model.
  • the homomorphically encrypted first encrypted product fragment is calculated as follows: locally calculate the product of the first feature matrix X_A and the first fragment of the first parameter to obtain the first processing result of the first feature; use the first feature matrix X_A to perform secure matrix multiplication with the second fragment of the first parameter held by the second party, to obtain the first fragment of the second processing result of the first feature; use the first fragment of the second parameter to perform secure matrix multiplication with the second feature matrix X_B held by the second party, to obtain the first fragment of the second processing result of the second feature; add the first processing result of the first feature, the first fragment of the second processing result of the first feature, and the first fragment of the second processing result of the second feature, and homomorphically encrypt the sum with the public key of the first party to obtain the first encrypted product fragment.
  • the first fragment of the first parameter is updated in the following manner: the sum of the first fragment of the first part of the first gradient and the first fragment of the second part of the first gradient is multiplied by a preset step size to give an adjustment amount, and the first fragment of the first parameter is updated by subtracting the adjustment amount.
  • a device for two parties to jointly train a business prediction model while protecting data privacy, where the two parties include a first party and a second party, and the first party stores first feature parts of a plurality of business objects.
  • the second party stores a second feature matrix X_B formed by the second feature parts of the multiple business objects, and a label vector Y formed by label values;
  • the device is deployed in the second party and includes an iteration unit for performing multiple iterations of model parameter updates, which further includes:
  • the product fragment calculation unit is configured to calculate, based on the locally maintained second fragment of the first parameter and second fragment of the second parameter, the homomorphically encrypted second encrypted product fragment through local matrix multiplication and secure matrix multiplication with the first party, and to receive the first encrypted product fragment from the first party; wherein the second fragment of the first parameter is the second fragment of the first parameter part W_A used to process the first feature part, and the second fragment of the second parameter is the second fragment of the second parameter part W_B used to process the second feature part;
  • the product result determining unit is configured to homomorphically sum the first encrypted product fragment and the second encrypted product fragment to obtain an encrypted product result Z, which corresponds to the encrypted value of the sum of the first product of the first feature matrix X_A and the first parameter part W_A and the second product of the second feature matrix X_B and the second parameter part W_B;
  • the error vector determining unit is configured to perform a homomorphic operation based on the encrypted product result Z and the encrypted value of the label vector Y to obtain an encrypted error vector E, and to secretly share the encrypted error vector E to obtain a second error fragment;
  • the first gradient determining unit is configured to perform matrix multiplication under homomorphic operation on the encrypted error vector E and the second feature matrix X_B to obtain a second encrypted gradient, and to secretly share the second encrypted gradient to obtain the second fragment of the second gradient;
  • the second gradient determining unit is configured to use the second error fragment to perform secure matrix multiplication with the first feature matrix X_A held by the first party, to obtain the second fragment of the second part of the first gradient;
  • the parameter update unit is configured to update the second fragment of the second parameter according to the second fragment of the second gradient, and to update the second fragment of the first parameter according to the second fragment of the second part of the first gradient.
  • an apparatus for two parties to jointly train a business prediction model while protecting data privacy, which is deployed in the aforementioned first party.
  • the apparatus includes an iteration unit for performing multiple iterations of model parameter updates, which further includes:
  • the product fragment calculation unit is configured to calculate, based on the locally maintained first fragment of the first parameter and first fragment of the second parameter, the homomorphically encrypted first encrypted product fragment through local matrix multiplication and secure matrix multiplication with the second party; wherein the first fragment of the first parameter is the first fragment of the first parameter part W_A used to process the first feature part, and the first fragment of the second parameter is the first fragment of the second parameter part W_B used to process the second feature part;
  • the product fragment sending unit is configured to send the first encrypted product fragment to the second party, so that the second party homomorphically sums the first encrypted product fragment and the second encrypted product fragment that it has calculated to obtain the encrypted product result Z, which corresponds to the encrypted value of the sum of the first product of the first feature matrix X_A and the first parameter part W_A and the second product of the second feature matrix X_B and the second parameter part W_B;
  • the error fragment receiving unit is configured to receive, from the second party, the first error fragment obtained by secret sharing of the encrypted error vector E, wherein the encrypted error vector E is determined based on a homomorphic operation on the encrypted product result Z and the encrypted value of the label vector Y;
  • a first gradient determining unit configured to perform a local multiplication of the transpose of the first error fragment and the first feature matrix X_A to obtain the first part of the first gradient;
  • the second gradient determining unit is configured to use the first feature matrix X_A to perform secure matrix multiplication with the second error fragment retained by the second party, to obtain the first fragment of the second part of the first gradient;
  • the third gradient determining unit is configured to receive, from the second party, the first fragment of the second gradient obtained by secret sharing of the second encrypted gradient;
  • the parameter update unit is configured to update the first fragment of the first parameter according to the first fragment of the first part of the first gradient and the first fragment of the second part of the first gradient, and to update the first fragment of the second parameter according to the first fragment of the second gradient.
  • a computer-readable storage medium having a computer program stored thereon, and when the computer program is executed in a computer, the computer is caused to execute the method of the first aspect or the second aspect.
  • a computing device including a memory and a processor, characterized in that executable code is stored in the memory, and when the processor executes the executable code, the method of the first aspect or the second aspect is implemented.
  • the two parties participating in the joint training each have a part of the feature data.
  • In the iterative process of joint training, the two parties not only do not exchange the plaintext of feature data, but also split the model parameter parts into parameter fragments, and each only maintains the iterative update of its own parameter fragments. The model parameters are not reconstructed until the end of the iterations.
  • In the iterative process, all parties only maintain parameter fragments and exchange some fragment results, and it is almost impossible to infer useful information about private data from these fragment results. This greatly enhances the security of private data in the joint training process.
  • Fig. 1 is a schematic diagram of an implementation scenario of an embodiment disclosed in this specification
  • Figure 2 shows a secret sharing scheme under homomorphic encryption in one embodiment
  • Figure 3 shows an implementation scheme of secure matrix multiplication in one embodiment
  • Fig. 4 shows a schematic diagram of a process of joint training of a linear regression model by two parties according to an embodiment
  • Figure 5 shows part of the implementation process of the first sub-phase in an embodiment
  • Fig. 6 shows a schematic diagram of a process of joint training of a logistic regression model between two parties according to an embodiment
  • Fig. 7 shows a schematic block diagram of a joint training device deployed in a second party according to an embodiment
  • Fig. 8 shows a schematic block diagram of a joint training device deployed in a first party according to an embodiment.
  • the training process of a typical machine learning model includes a process of obtaining a prediction result from the calculation between feature data and model parameter data, determining the gradient according to the prediction result, and then adjusting the model parameters according to the gradient.
  • the training data set used to train the machine learning model has n samples
  • the sample feature of each sample is expressed as x (x can be a vector)
  • the label is expressed as y
  • the training data set can be expressed as:
  • the predicted value of the sample can be obtained If the machine learning model is a linear regression model, the predicted value can be expressed as: If the machine learning model is a logistic regression model, the predicted value can be expressed as:
  • the obtained gradient can be expressed as:
  • the parameter w can be updated according to the gradient to achieve model training.
  • the training process includes several core operations: calculate the product xw of the sample feature x and the model parameter w, and the product xw is used to determine the predicted value pass through Obtain the prediction error E; then according to the product of the prediction error E and x, the gradient is obtained.
  • the inventor proposed that in the scenario where the two parties jointly train the machine learning model, the model parameters of each party should be disassembled into secure parameter fragments.
  • the above The operation is also correspondingly disassembled into a safe and secret sharding operation.
  • Figure 1 is a schematic diagram of an implementation scenario of an embodiment disclosed in this specification. As shown in Figure 1, the scenario of joint training between the two parties involves participant A and participant B, or called the first party and the second party. Each participant can be implemented as any device, platform, server or device cluster with computing and processing capabilities. Both parties must jointly train a business prediction model while protecting data privacy.
  • the first party A stores part of the features of n business objects in the training sample set, which is called the first feature part. Assuming that the first feature part of each business object is a d1-dimensional vector, then the first feature parts of n business objects constitute an n*d1-dimensional first feature matrix X_A.
  • the second party B stores the second feature parts of the n business objects. Assuming that the second feature part of each business object is a d2-dimensional vector, then the second feature parts of n business objects constitute an n*d2-dimensional second feature matrix X_B. It is assumed that the label values of n business objects are also stored in the second party, and the n label values constitute a label vector Y.
  • the above-mentioned first party A and second party B are electronic payment platforms and banking institutions, and the two parties need to jointly train a business prediction model to evaluate the user's credit rating.
  • the business object is the user.
  • Both parties can maintain part of the user's characteristic data.
  • the electronic payment platform maintains the user's electronic payment and transfer related characteristics, which constitutes the above-mentioned first characteristic matrix
  • the banking institution maintains the user's credit record related characteristics, which constitutes the above-mentioned second Feature matrix.
  • the banking institution also has a label Y for the user's credit rating.
  • the above-mentioned first party A and second party B are an e-commerce platform and an electronic payment platform, and both parties need to jointly train a business prediction model to assess the merchant's fraud risk.
  • the business object is the merchant.
  • Both parties can maintain part of the characteristic data of the merchants respectively.
  • the e-commerce platform stores the sales data of sample merchants as part of the sample features, and this part of the sample features constitutes the above-mentioned first feature matrix; the electronic payment platform maintains the merchant's transaction flow data as another part of the sample features, which constitutes the second feature matrix.
  • the electronic payment platform also maintains the label of the sample merchant (whether it is a fraudulent merchant or not), which constitutes a label vector Y.
  • the business object may also be other objects to be evaluated, such as commodities, interaction events (for example, transaction events, login events, click events, purchase events), and so on.
  • the participating parties may be different business parties that maintain different characteristic parts of the above-mentioned business objects.
  • the business prediction model may be a model that performs classification prediction or regression prediction for the corresponding business object.
  • the business object features maintained by both parties belong to private data.
  • plaintext exchanges are not allowed to protect the security of private data.
  • the first party A wants to train to obtain the model parameter part used to process the first feature part, called the first parameter part W_A;
  • the second party wants to train to obtain the second parameter part W_B used to process the second feature part; these two parts of parameters together constitute the business prediction model.
  • the first party A and the second party B secretly share the initialized first parameter part W_A and second parameter part W_B to be trained, splitting them into parameter fragments, so that the first party obtains the first fragment of the first parameter <W_A>_1 and the first fragment of the second parameter <W_B>_1, and the second party obtains the second fragment of the first parameter <W_A>_2 and the second fragment of the second parameter <W_B>_2.
  • both parties obtain the encrypted fragments Z_1, Z_2 of the product result of the total feature matrix X and the total parameter matrix W through secure matrix multiplication.
  • the second party with the label sums up the two encrypted fragments, and obtains the encrypted product result Z.
  • the second party obtains the encrypted error vector E based on the product result Z and the encrypted label vector Y, and performs secret sharing under homomorphic encryption. Therefore, both parties obtain error fragments E_1 and E_2 respectively.
  • the two parties obtain the corresponding gradient fragments G_1 and G_2 through secret sharing and secure matrix multiplication based on the error fragments and their respective feature matrices.
  • the first party uses its gradient fragment G_1 to update the parameter fragments <W_A>_1 and <W_B>_1 that it maintains
  • the second party uses its gradient fragment G_2 to update the parameter fragments <W_A>_2 and <W_B>_2 that it maintains.
  • the two parties exchange their parameter fragments and perform parameter reconstruction. Therefore, the first party reconstructs the trained first parameter part W_A from the first fragment of the first parameter <W_A>_1 that it maintains and the second fragment of the first parameter <W_A>_2 sent by the second party; the second party reconstructs the trained second parameter part W_B from the second fragment of the second parameter <W_B>_2 that it maintains and the first fragment of the second parameter <W_B>_1 sent by the first party.
  • Figure 2 shows a secret sharing scheme under homomorphic encryption in one embodiment.
  • the first party A owns the public key PK-a and the corresponding private key SK-a for homomorphic encryption
  • the second party B owns the public key PK-b and the corresponding private key SK-b.
  • the matrix Z is currently to be secretly shared, and the matrix Z has been homomorphically encrypted with the public key PK-a of the first party A.
  • the second party B randomly generates a second fragment <Z>_2 locally.
  • angle brackets <> are used to indicate a secretly shared fragment, and the subscript indicates the holder of the fragment.
  • the second party B uses the public key PK-a of the first party A and the same homomorphic encryption algorithm to encrypt the second fragment <Z>_2 to obtain the second encrypted fragment [<Z>_2]_a.
  • the homomorphism of the homomorphic encryption algorithm is used, that is, the operation of the plaintext is performed before encryption, and the corresponding operation of the ciphertext after encryption is performed, and the result is equivalent.
  • the same public key PK to encrypt v_1 and v_2 to obtain E_PK(v_1) and E_PK(v_2), if it satisfies:
  • the encryption algorithm satisfies the additive homomorphism, where Add operation for the corresponding homomorphism.
  • Operations can correspond to regular addition, multiplication, etc.
  • Paillier's algorithm Corresponds to regular multiplication.
  • the above calculation of the homomorphic subtraction in the first encrypted segment is the corresponding subtraction operation of the homomorphic addition operation.
  • the second party B sends the above-mentioned first encrypted fragment [<Z>_1]_a to the first party A. Since the first encrypted fragment is encrypted using the public key of the first party A, the first party can decrypt it with the corresponding private key SK-a to obtain the first fragment <Z>_1.
  • the first party A owns the first fragment <Z>_1
  • the second party B owns the second fragment <Z>_2
  • Figure 3 shows the implementation of secure matrix multiplication in one embodiment.
  • the first party A owns the matrix X and the second party B owns the matrix Y. Both parties hope to jointly calculate the product matrix X*Y without revealing their respective matrix plaintexts.
  • a secure matrix multiplication based on homomorphic encryption can be used.
  • the first party A can use its public key PK-a to encrypt its original matrix X using a homomorphic encryption algorithm to obtain an encrypted matrix [X]_a, and send the encrypted matrix to the second party B.
  • the above-mentioned encrypted product matrix [Z]_a is used as the homomorphically encrypted matrix [Z]_a to be shared in Figure 2, and the secret sharing under homomorphic encryption is performed.
  • the first party A owns the first fragment <Z>_1
  • the second party B owns the second fragment <Z>_2
  • Figure 3 is an implementation example of secure matrix multiplication.
  • secure matrix multiplication implementations such as matrix multiplication based on secret sharing, etc., which will not be detailed here.
  • Fig. 4 shows a schematic diagram of a process of joint training of a linear regression model by two parties according to an embodiment.
  • the data holding status of the first party A and the second party B in the scenario of FIG. 4 is the same as that of FIG. 1, and will not be repeated here.
  • the first party A and the second party B can send their own public keys PK-a and PK-b to each other.
  • the two parties jointly train a linear regression model as a business prediction model.
  • the first party A and the second party B initialize the model parameters and secretly share them, each maintaining parameter fragments.
  • the first parameter part W_A may be initialized by random generation.
  • the first party A secretly shares the above-mentioned first parameter part, that is, splits it into the first parameter first fragment <W_A>_1 and the first parameter second fragment <W_A>_2, holds the first parameter first fragment <W_A>_1 and sends the first parameter second fragment <W_A>_2 to the second party B.
  • the second party B initializes the second parameter part W_B for processing the second feature part.
  • the second parameter part W_B can be initialized by random generation.
  • the second party B secretly shares the above-mentioned second parameter part, splits it into the second parameter first fragment <W_B>_1 and the second parameter second fragment <W_B>_2, holds the second parameter second fragment <W_B>_2 and sends the second parameter first fragment <W_B>_1 to the first party A.
  • steps S11-S12 and steps S13-S14 can be executed in parallel or in any order, which is not limited here.
  • the first party A maintains the first parameter first fragment <W_A>_1 and the second parameter first fragment <W_B>_1
  • the second party B maintains the first parameter second fragment <W_A>_2 and the second parameter second fragment <W_B>_2.
  • the number of iterations is a preset hyperparameter. In another embodiment, the number of iterations is not preset, but the iteration is stopped when a certain convergence condition is met.
  • the above convergence conditions may be, for example, that the error is low enough, the gradient is small enough, and so on.
  • Each iteration process can include 4 sub-phases: calculate the product of the total feature matrix X and the total parameter W; calculate the error vector E; calculate the gradient G; update the parameters.
  • in step S21, the first party A and the second party B respectively calculate the first product fragment <Z>_1 and the second product fragment <Z>_2 through local matrix multiplication and secure matrix multiplication between the two parties, such that the sum of the two fragments corresponds to the product of the total feature matrix X and the total parameter W, which is equal to the sum of the first product of the first feature matrix X_A and the first parameter part W_A and the second product of the second feature matrix X_B and the second parameter part W_B.
  • Fig. 5 shows part of the implementation process of the first sub-stage in one embodiment.
  • in step S211, the first party A locally calculates the product of the first feature matrix X_A and the first parameter first fragment <W_A>_1 to obtain the first feature first processing result <Z_A>_1, that is:
  • in step S212, the first party A uses the first feature matrix X_A that it holds to perform secure matrix multiplication with the first parameter second fragment <W_A>_2 held by the second party B.
  • the secure matrix multiplication can be implemented in the manner shown in Figure 3, or by other secure computation methods.
  • the product of the first feature matrix X_A and the first parameter second fragment <W_A>_2 is recorded as the first feature second processing result <Z_A>_2, namely:
  • <Z_A>_2 = X_A · <W_A>_2
  • the result of processing with local parameters is referred to as the first processing result
  • the result of processing with the other party's parameters through secure matrix multiplication is referred to as the second processing result.
  • the first party A obtains the first fragment <<Z_A>_2>_1 of the first feature second processing result <Z_A>_2, the second party B obtains the second fragment <<Z_A>_2>_2 of the first feature second processing result <Z_A>_2, and the sum of the two fragments is the first feature second processing result.
  • in step S213, the second party B locally calculates the product of the second feature matrix X_B and the second parameter second fragment <W_B>_2 to obtain the second feature first processing result <Z_B>_1, namely:
  • <Z_B>_1 = X_B · <W_B>_2
  • in step S214, the second party B uses the second feature matrix X_B that it holds to perform secure matrix multiplication with the second parameter first fragment <W_B>_1 held by the first party A, and the product is denoted as the second feature second processing result <Z_B>_2, namely:
  • <Z_B>_2 = X_B · <W_B>_1
  • the first party A obtains the first fragment <<Z_B>_2>_1 of the second feature second processing result <Z_B>_2, the second party B obtains the second fragment <<Z_B>_2>_2 of the second feature second processing result <Z_B>_2, and the sum of the two fragments is the second feature second processing result.
  • in step S215, the first party A adds up the fragments of the processing results it has obtained, that is, the first feature first processing result <Z_A>_1, the first fragment <<Z_A>_2>_1 of the first feature second processing result, and the first fragment <<Z_B>_2>_1 of the second feature second processing result, to obtain the first product fragment <Z>_1, namely:
  • <Z>_1 = <Z_A>_1 + <<Z_A>_2>_1 + <<Z_B>_2>_1
  • in step S216, the second party B adds up the fragments of the processing results it has obtained, that is, the second fragment <<Z_A>_2>_2 of the first feature second processing result, the second feature first processing result <Z_B>_1, and the second fragment <<Z_B>_2>_2 of the second feature second processing result, to obtain the second product fragment <Z>_2, namely:
  • <Z>_2 = <Z_B>_1 + <<Z_A>_2>_2 + <<Z_B>_2>_2
  • the sum of the first product fragment <Z>_1 and the second product fragment <Z>_2 is the product of the total feature matrix X and the total parameter W, that is, the sum of the first product of the first feature matrix X_A and the first parameter part W_A and the second product of the second feature matrix X_B and the second parameter part W_B.
  • the first party A and the second party B have calculated the first product fragment <Z>_1 and the second product fragment <Z>_2 respectively.
  • the first party A uses its public key PK-a to homomorphically encrypt the above-mentioned first product fragment <Z>_1 to obtain the first encrypted product fragment [<Z>_1]_a, and sends the first encrypted product fragment [<Z>_1]_a to the second party B.
  • in step S23, the second party B also uses the public key PK-a of the first party to homomorphically encrypt the second product fragment <Z>_2 it has calculated, to obtain the second encrypted product fragment [<Z>_2]_a.
  • in step S24, the second party B performs a homomorphic summation of the first encrypted product fragment [<Z>_1]_a and the second encrypted product fragment [<Z>_2]_a to obtain the encrypted product result [Z]_a:
  • [Z]_a = [<Z>_1]_a + [<Z>_2]_a
  • the encrypted product result [Z]_a obtained in this way corresponds to the encrypted value of the sum of the first product of the first feature matrix X_A and the first parameter part W_A and the second product of the second feature matrix X_B and the second parameter part W_B, namely [X_A · W_A + X_B · W_B]_a,
  • the encrypted value of the product of the total feature matrix X and the total parameter W is
  • the second party B obtains the encrypted product result [Z]_a through the secure computation performed by both parties, which corresponds to the encrypted value of the product of the total feature matrix X and the total parameter W. The second sub-stage is then entered to calculate the error vector E.
  • in step S31 of the second sub-stage, the second party B performs a homomorphic operation based on the encrypted product result [Z]_a and the encrypted value of the label vector Y to obtain the encrypted error vector [E]_a.
  • the predicted value Therefore, the prediction error It can be expressed as the difference between the product result X*W of the feature matrix and the model parameters and the label vector Y.
  • the product result currently obtained is in the encrypted form [Z]_a. Therefore, the label vector Y can be homomorphically encrypted first to obtain [Y]_a, and then the homomorphic difference between the encrypted product result [Z]_a and the encrypted label vector [Y]_a is calculated as the encrypted error vector [E]_a, namely:
  • in step S32, the encrypted error vector [E]_a is secretly shared using, for example, the secret sharing under homomorphic encryption shown in FIG. 2.
  • the first party A obtains the first error fragment <E>_1
  • the second party B obtains the second error fragment <E>_2
  • <E>_1 + <E>_2 = E.
  • the gradient calculation involves the multiplication of the error vector and the feature matrix.
  • the error vector and the feature matrix are still distributed between the first party A and the second party B. Therefore, a piecewise calculation method is still needed to obtain each gradient piece.
  • in step S41, the second party B locally performs matrix multiplication under homomorphic operation on the encrypted error vector [E]_a and the second feature matrix X_B to obtain the second encrypted gradient [G_B]_a, namely:
  • [E]_a^T denotes the transpose of [E]_a; the operation between [E]_a^T and X_B combines the ciphertext elements of each row of [E]_a^T with the plaintext elements of each column of X_B through homomorphic addition operations between elements, similar to the homomorphic matrix multiplication in the secure matrix multiplication process in Figure 3.
  • the second party B performs secret sharing under homomorphic encryption on the second encrypted gradient [G_B]_a, for example in the manner shown in FIG. 2.
  • the first party A obtains the second gradient first fragment <G_B>_1
  • the second party B obtains the second gradient second fragment <G_B>_2
  • in step S43, the first party A performs a local multiplication of the transpose of the first error fragment <E>_1 and the first feature matrix X_A to obtain the first part of the first gradient <G_A>_1, namely:
  • the above operations are local operations of the first party.
  • in step S44, the first party uses the first feature matrix X_A to perform secure matrix multiplication with the second error fragment <E>_2 in the second party, and the result of the multiplication is recorded as the second part of the first gradient <G_A>_2, namely:
  • the first party A gets the first fragment <<G_A>_2>_1 of the second part of the first gradient
  • the second party B gets the second fragment <<G_A>_2>_2 of the second part of the first gradient.
  • the parameter update phase includes the following steps.
  • in step S51, the first party A updates the first parameter first fragment <W_A>_1 according to the first part of the first gradient <G_A>_1 calculated in step S43 and the first fragment <<G_A>_2>_1 of the second part of the first gradient obtained in step S44.
  • the product of the sum of the first part of the first gradient <G_A>_1 and the first fragment <<G_A>_2>_1 of the second part of the first gradient and the preset step size is used as the adjustment amount, and the first parameter first fragment <W_A>_1 is updated by subtracting the adjustment amount, which can be expressed as:
  • in step S52, the first party A updates the second parameter first fragment <W_B>_1 according to the second gradient first fragment <G_B>_1 obtained in step S42, which can be expressed as:
  • in step S53, the second party B updates the first parameter second fragment <W_A>_2 according to the second fragment <<G_A>_2>_2 of the second part of the first gradient obtained in step S44, which can be expressed as:
  • in step S54, the second party B updates the second parameter second fragment <W_B>_2 according to the second gradient second fragment <G_B>_2 obtained in step S42, which can be expressed as:
  • the update of the first parameter part W_A is jointly completed by both parties, where the first party A updates the first parameter first fragment <W_A>_1 and the second party B updates the first parameter second fragment <W_A>_2; the sum of the two parties' joint updates is:
  • the update of the second parameter part W B is also done by both parties.
  • the first party A updates the second parameter first fragment <W_B>_1
  • the second party B updates the second parameter second fragment <W_B>_2.
  • the sum of the two parties' joint updates is:
  • the model reconstruction phase is entered.
  • the first party A sends its iteratively maintained second parameter first fragment <W_B>_1 to the second party B; the second party B sends its iteratively maintained first parameter second fragment <W_A>_2 to the first party A.
  • the first party A reconstructs the trained first parameter part W_A based on the first parameter first fragment <W_A>_1 maintained by itself and the first parameter second fragment <W_A>_2 sent by the second party.
  • the trained second parameter part W_B is reconstructed.
  • the first party A and the second party B have completed the training of the linear regression model and have respectively obtained the model parameter parts W_A and W_B used to process their corresponding feature parts.
  • the two parties not only do not exchange the plaintext of the feature data, but also split the model parameters into parameter fragments, and each only maintains the iterative update of its own parameter fragments.
  • the model parameters are not reconstructed until the end of the iterations.
  • all parties only maintain parameter fragments and exchange some fragmented results, and it is almost impossible to infer useful information about private data from these fragmented results. This greatly enhances the security of private data in the joint training process.
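
The linear regression iteration described above (steps S11 to S54), together with the Fig. 2 secret sharing under homomorphic encryption and the Fig. 3 secure matrix multiplication it relies on, as an added Python example that is not code from the patent. Assumptions: a toy Paillier scheme with demo-sized primes, integer data and an integer step size `alpha` instead of fixed-point encoding, gradients in the column form X^T·E, only PK-a used for encryption, and hypothetical function names throughout.

```python
import random
from math import gcd

# Toy Paillier with g = n + 1. P and Q are Mersenne primes so the demo runs
# fast; a ~92-bit modulus is for illustration only and gives no real security.
P, Q = 2**31 - 1, 2**61 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)
N2, MU = N * N, pow(PHI, -1, N)

def enc(m):                          # encrypt under A's public key PK-a
    r = random.randrange(1, N)
    while gcd(r, N) != 1:
        r = random.randrange(1, N)
    return (1 + (m % N) * N) * pow(r, N, N2) % N2

def dec(c):                          # decrypt with A's private key SK-a
    return (pow(c, PHI, N2) - 1) // N * MU % N

def he_sub(c1, c2):                  # Enc(a), Enc(b) -> Enc(a - b)
    return c1 * pow(c2, -1, N2) % N2
def signed(m):                       # element of Z_N -> signed integer
    return m - N if m > N // 2 else m

def emap(f, *Ms):                    # apply f elementwise across matrices
    return [[f(*xs) for xs in zip(*rows)] for rows in zip(*Ms)]

def add(A, B, s=1):                  # A + s*B over Z_N
    return emap(lambda a, b: (a + s * b) % N, A, B)
def T(A):                            # transpose
    return [list(r) for r in zip(*A)]
def mm(A, B):                        # plaintext matrix product over Z_N
    return [[sum(a * b for a, b in zip(r, c)) % N for c in zip(*B)] for r in A]

def he_mm(L, R, enc_left):
    """Product of one ciphertext and one plaintext matrix, using
    Enc(a)^b = Enc(a*b) and Enc(a)*Enc(b) = Enc(a+b)."""
    def cell(row, col):
        acc = 1
        for l, r in zip(row, col):
            c, p = (l, r) if enc_left else (r, l)
            acc = acc * pow(c, p % N, N2) % N2
        return acc
    return [[cell(row, col) for col in zip(*R)] for row in L]

def he_share(C):
    """Fig. 2: B holds [Z]_a, draws a random <Z>_2 and sends
    [<Z>_1]_a = [Z]_a - [<Z>_2]_a to A, who decrypts it."""
    s2 = emap(lambda _: random.randrange(N), C)
    c1 = emap(he_sub, C, emap(enc, s2))
    return emap(dec, c1), s2         # (A's fragment, B's fragment)

def secure_mm(L, R, a_left):
    """Fig. 3: A encrypts its operand under PK-a; B multiplies it by its own
    plaintext operand homomorphically, then shares the result as in Fig. 2.
    Assumption: when B holds the left operand, A still does the encrypting."""
    if a_left:
        return he_share(he_mm(emap(enc, L), R, True))
    return he_share(he_mm(L, emap(enc, R), False))

def split(W):                        # additive secret sharing over Z_N
    s = emap(lambda _: random.randrange(N), W)
    return add(W, s, -1), s

def joint_train(XA, XB, Y, WA, WB, alpha, iters):
    # Gradients use the column form X^T.E, the transpose of the page's E^T.X.
    WA1, WA2 = split(WA)             # S11-S12: A keeps WA1, B receives WA2
    WB1, WB2 = split(WB)             # S13-S14: B keeps WB2, A receives WB1
    for _ in range(iters):
        ZA2_1, ZA2_2 = secure_mm(XA, WA2, True)       # S212
        ZB2_1, ZB2_2 = secure_mm(XB, WB1, False)      # S214
        Z1 = add(add(mm(XA, WA1), ZA2_1), ZB2_1)      # S211, S215 (at A)
        Z2 = add(add(mm(XB, WB2), ZA2_2), ZB2_2)      # S213, S216 (at B)
        CZ = emap(lambda a, b: a * b % N2, emap(enc, Z1), emap(enc, Z2))  # S22-S24
        CE = emap(he_sub, CZ, emap(enc, Y))           # S31: [E]_a = [Z]_a - [Y]_a
        E1, E2 = he_share(CE)                         # S32
        GB1, GB2 = he_share(he_mm(T(XB), CE, False))  # S41-S42
        GA1 = mm(T(XA), E1)                           # S43 (local at A)
        GA2_1, GA2_2 = secure_mm(T(XA), E2, True)     # S44
        WA1 = add(WA1, add(GA1, GA2_1), -alpha)       # S51
        WB1 = add(WB1, GB1, -alpha)                   # S52
        WA2 = add(WA2, GA2_2, -alpha)                 # S53
        WB2 = add(WB2, GB2, -alpha)                   # S54
    # Reconstruction: each party receives the fragment the other one maintained.
    return emap(signed, add(WA1, WA2)), emap(signed, add(WB1, WB2))

def plain_train(XA, XB, Y, WA, WB, alpha, iters):
    """Centralised gradient descent on X = [XA | XB], for comparison."""
    X, W = [a + b for a, b in zip(XA, XB)], WA + WB
    for _ in range(iters):
        W = add(W, mm(T(X), add(mm(X, W), Y, -1)), -alpha)
    W = emap(signed, W)
    return W[:len(WA)], W[len(WA):]

# Constructed sample data: 4 objects; A holds 2 features, B holds 1 and labels.
XA = [[1, 2], [0, 1], [3, 1], [2, 2]]
XB, Y = [[1], [4], [0], [2]], [[5], [9], [4], [8]]
WA0, WB0 = [[1], [-1]], [[2]]
```

Calling `joint_train(XA, XB, Y, WA0, WB0, 1, 2)` returns the same parameters as `plain_train` with the same arguments, although neither party ever sees the other's features, the labels, or an unmasked intermediate value.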
  • in order to facilitate linear calculation, the sigmoid function can be approximated by its Taylor expansion.
  • the sigmoid function 1/(1+e^(-x)) can be expanded as the following Taylor series:
  • the gradient form can be obtained.
  • the gradient form is
  • Fig. 6 shows a schematic diagram of a process of joint training of a logistic regression model by two parties according to an embodiment.
  • the training process of Figure 6 is basically the same as that of Figure 4, except that in step S31, when calculating the encrypted error vector, the encrypted prediction result is obtained based on the encrypted product result [Z]_a according to the Taylor expansion form of the sigmoid function, and a homomorphic difference operation is performed on the encrypted prediction result and the encrypted value of the label vector Y to obtain the encrypted error vector E.
  • the prediction result can be expressed as (0.5+Z/4), and the error term can be divided into (0.5-Y) and Z/4 accordingly. Therefore, the approximate encrypted error vector [E]_a under logistic regression can be obtained through the following operations:
  • the encrypted prediction result is obtained based on the encrypted product result [Z]_a and the encrypted multi-order product [Z^k]_a, and the encrypted error vector is obtained by performing a homomorphic difference operation between the encrypted prediction result and the encrypted value of the label vector Y.
  • the encrypted error vector [E]_a can be calculated based on the homomorphic operation of [Z]_a, [Z^3]_a and the encrypted label vector Y according to formula (5).
  • each neuron is connected to each neuron in the previous layer with different weights. Therefore, the output of each neuron in the previous layer can be regarded as feature data, and the feature data is distributed between the two parties; the connection weights can be regarded as the model parameter part, which is used to process the corresponding feature data by linear combination. Therefore, the aforementioned training process can be applied to the parameter training of each neuron in the neural network to realize secure joint training of the neural network model by the two parties.
  • the training methods described above can be used.
  • in this training method, maintaining the parameters as fragments strongly ensures that private data will not be leaked or reverse-engineered, which ensures data security.
  • a device for two parties to jointly train a service prediction model to protect data privacy. The two parties include a first party and a second party, and the device can be deployed in the second party.
  • the first party stores a first feature matrix X_A composed of first feature parts of multiple business objects
  • the second party stores a second feature matrix X_B composed of second feature parts of the multiple business objects,
  • the label vector Y formed by the label values.
  • the second party can be implemented as any device, platform or device cluster with computing and processing capabilities.
  • Fig. 7 shows a schematic block diagram of a joint training device deployed in a second party according to an embodiment.
  • the device 700 includes an iteration unit 710 for performing multiple iterations of model parameter updates.
  • the iteration unit 710 further includes:
  • the product fragment calculation unit 711 is configured to calculate the homomorphically encrypted second encrypted product fragment, based on the locally maintained first parameter second fragment and second parameter second fragment, through local matrix multiplication and secure matrix multiplication with the first party, and to receive the first encrypted product fragment from the first party; wherein the first parameter second fragment is the second fragment of the first parameter part W_A used to process the first feature part, and the second parameter second fragment is the second fragment of the second parameter part W_B used to process the second feature part;
  • the product result determination unit 712 is configured to perform a homomorphic summation of the first encrypted product fragment and the second encrypted product fragment to obtain an encrypted product result Z, which corresponds to the encrypted value of the sum of the first product of the first feature matrix X_A and the first parameter part W_A and the second product of the second feature matrix X_B and the second parameter part W_B;
  • the error vector determining unit 713 is configured to perform a homomorphic operation based on the encrypted product result Z and the encrypted value of the label vector Y to obtain an encrypted error vector E, and secretly share the encrypted error vector E to obtain a second error fragment;
  • the first gradient determining unit 714 is configured to perform matrix multiplication under homomorphic operation on the encrypted error vector E and the second feature matrix X_B to obtain the second encrypted gradient, and perform secret sharing on the second encrypted gradient to obtain the second gradient second fragment;
  • the second gradient determining unit 715 is configured to use the second error fragment to perform secure matrix multiplication with the first feature matrix X_A in the first party to obtain the second fragment of the second part of the first gradient;
  • the parameter update unit 716 is configured to update the second parameter second fragment according to the second gradient second fragment, and to update the first parameter second fragment according to the second fragment of the second part of the first gradient.
  • the above-mentioned apparatus 700 further includes an initialization unit 720 configured to:
  • the above-mentioned apparatus 700 further includes a parameter reconstruction unit 730, configured to: send the first parameter second fragment updated in the last iteration to the first party, and receive the updated second parameter first fragment from the first party;
  • the foregoing business objects include one of the following: users, merchants, commodities, and events; the business prediction model is used to predict the classification or regression value of the business objects.
  • the service prediction model is a linear regression model; in this case, the error vector determining unit 713 is configured to calculate the homomorphic difference between the encrypted product result Z and the label vector Y as the encrypted error vector E.
  • the service prediction model is a logistic regression model; in this case, the error vector determining unit 713 is configured to obtain an encrypted prediction result based on the encrypted product result Z according to the Taylor expansion form of the sigmoid function, and to perform a homomorphic difference operation on the encrypted prediction result and the encrypted value of the label vector Y to obtain the encrypted error vector E.
  • the product result determining unit 712 is further configured to calculate the encrypted multi-order product at least according to the first product fragment and the second product fragment; correspondingly, the error vector determining unit 713 is configured to obtain an encrypted prediction result based on the encrypted product result Z and the encrypted multi-order product according to the multi-order Taylor expansion form of the sigmoid function, and to perform a homomorphic difference operation on the encrypted prediction result and the encrypted value of the label vector Y to obtain the encrypted error vector E.
  • the above-mentioned product fragment calculation unit 711 is specifically configured to: use the first parameter second fragment to perform secure matrix multiplication with the first feature matrix X_A in the first party to obtain the second fragment of the first feature second processing result; locally calculate the product of the second feature matrix X_B and the second parameter second fragment to obtain the second feature first processing result; use the second feature matrix X_B to perform secure matrix multiplication with the second parameter first fragment in the first party to obtain the second fragment of the second feature second processing result; add the second fragment of the first feature second processing result, the second feature first processing result and the second fragment of the second feature second processing result, and homomorphically encrypt the sum with the public key of the first party to obtain the second encrypted product fragment.
  • the above parameter update unit 716 is configured to update the second parameter second slice by subtracting the product of the second gradient second slice and the preset step size.
  • a device for two parties to jointly train a business prediction model can be deployed in the aforementioned first party, and the first party can be implemented as any device, platform or device cluster with computing and processing capabilities.
  • the first party stores the first feature matrix X_A formed by the first feature parts of the multiple business objects;
  • the second party stores the second feature matrix X_B formed by the second feature parts of the multiple business objects, and the label vector Y composed of label values.
  • Fig. 8 shows a schematic block diagram of a joint training device deployed in a first party according to an embodiment.
  • the device 800 includes an iteration unit 810 for performing multiple iterations of model parameter updates.
  • the iteration unit 810 further includes:
  • the product fragment calculation unit 811 is configured to calculate the homomorphically encrypted first encrypted product fragment, based on the locally maintained first parameter first fragment and second parameter first fragment, through local matrix multiplication and secure matrix multiplication with the second party; wherein the first parameter first fragment is the first fragment of the first parameter part W_A used to process the first feature part, and the second parameter first fragment is the first fragment of the second parameter part W_B used to process the second feature part;
  • the product fragment sending unit 812 is configured to send the first encrypted product fragment to the second party, so that the second party performs a homomorphic summation of the first encrypted product fragment and the second encrypted product fragment it has calculated to obtain an encrypted product result Z, which corresponds to the encrypted value of the sum of the first product of the first feature matrix X_A and the first parameter part W_A and the second product of the second feature matrix X_B and the second parameter part W_B;
  • the error fragment receiving unit 813 is configured to receive from the second party the first error fragment obtained by secretly sharing the encrypted error vector E, wherein the encrypted error vector E is determined by a homomorphic operation on the encrypted product result Z and the encrypted value of the label vector Y;
  • the first gradient determining unit 814 is configured to perform a local multiplication of the transpose of the first error fragment and the first feature matrix X_A to obtain the first part of the first gradient;
  • the second gradient determining unit 815 is configured to use the first feature matrix X_A to perform secure matrix multiplication with the second error fragment retained in the second party to obtain the first fragment of the second part of the first gradient;
  • the third gradient determining unit 816 is configured to receive, from the second party, the second gradient first fragment obtained by secretly sharing the second encrypted gradient;
  • the parameter update unit 817 is configured to update the first parameter first fragment according to the first part of the first gradient and the first fragment of the second part of the first gradient, and to update the second parameter first fragment according to the second gradient first fragment.
  • the device 800 further includes an initialization unit 820 configured to: initialize the first parameter part W_A, split it into a first parameter first fragment and a first parameter second fragment through secret sharing, retain the first parameter first fragment, and send the first parameter second fragment to the second party; and receive from the second party the second parameter first fragment obtained by secretly sharing the second parameter part W_B.
  • the device 800 further includes a parameter reconstruction unit 830, configured to: send the second parameter first fragment updated in the last iteration to the second party, and receive the updated first parameter second fragment from the second party; and combine the first parameter first fragment updated in the last iteration with the received first parameter second fragment to obtain the first parameter part W_A of the trained service prediction model.
  • the product fragment calculation unit 811 is specifically configured to: locally calculate the product of the first feature matrix X_A and the first parameter first fragment to obtain the first feature first processing result; use the first feature matrix X_A to perform secure matrix multiplication with the first parameter second fragment in the second party to obtain the first fragment of the first feature second processing result; use the second parameter first fragment to perform secure matrix multiplication with the second feature matrix X_B in the second party to obtain the first fragment of the second feature second processing result; add the first feature first processing result, the first fragment of the first feature second processing result and the first fragment of the second feature second processing result, and homomorphically encrypt the sum with the public key of the first party to obtain the first encrypted product fragment.
  • the above-mentioned parameter update unit 817 is at least configured to take the product of the sum of the first part of the first gradient and the first fragment of the second part of the first gradient and the preset step size as the adjustment amount, and to update the first parameter first fragment by subtracting the adjustment amount.
  • a computer-readable storage medium having a computer program stored thereon, and when the computer program is executed in a computer, the computer is caused to execute the method described in conjunction with FIG. 4 to FIG. 5.
  • a computing device including a memory and a processor, where the memory stores executable code, and when the processor executes the executable code, the method described in conjunction with FIGS. 4 to 5 is implemented.
  • the functions described in the present invention can be implemented by hardware, software, firmware, or any combination thereof.
  • these functions can be stored in a computer-readable medium or transmitted as one or more instructions or codes on the computer-readable medium.


Abstract

Embodiments of the present invention provide a method and device for two parties to jointly train a service prediction model while protecting data privacy. Each of the two parties holds part of the feature data. In a model iteration, the two parties obtain encrypted fragments of the product of a total feature matrix X and a total parameter matrix W by means of secure matrix multiplication; the two encrypted fragments are summed by the second party, which holds the labels, to obtain an encrypted product result Z; the second party obtains an encrypted error E from the product result Z and an encrypted label Y, and secret-shares the encrypted error E under homomorphic encryption, so that each party obtains an error fragment; the two parties then obtain corresponding gradient fragments by means of secret sharing and secure matrix multiplication, based on the error fragments and their respective feature matrices; the first party then uses its gradient fragments to update the parameter fragments it maintains, and the second party uses its gradient fragments to update the parameter fragments it maintains. Secure joint training that protects data privacy is thereby achieved.

Description

Method and device for two parties to jointly train a service prediction model while protecting data privacy
Technical field
One or more embodiments of this specification relate to the fields of data security and machine learning, and in particular to a method and device for two parties to jointly train a service prediction model.
Background
The data required for machine learning often spans multiple domains. For example, in a machine-learning-based merchant classification scenario, an electronic payment platform holds merchants' transaction records, an e-commerce platform stores merchants' sales data, and a banking institution holds merchants' loan data. Data often exists in the form of isolated islands. Because of industry competition, data security, user privacy and similar concerns, data integration meets strong resistance, and it is difficult to pool the data scattered across platforms to train a machine learning model. Jointly training a machine learning model on multi-party data while ensuring that the data is not leaked has become a major challenge.
Commonly used machine learning models include logistic regression models, linear regression models and neural network models. Logistic regression models can effectively perform tasks such as sample classification prediction, linear regression models can effectively predict the regression value of a sample, and neural network models can perform various prediction tasks through combinations of multiple layers of neurons. Training any of these models involves computing on feature data and model parameter data to obtain a prediction result, determining a gradient from the prediction result, and then adjusting the model parameters. When multiple parties jointly train a machine learning model, the practical problem to be solved is how to carry out the operations of each of these stages cooperatively without leaking any party's private data, including feature data and model parameter data.
Therefore, an improved solution is desired that ensures that each party's private data is not leaked, and that data security is maintained, when two parties jointly train a service prediction model.
Summary of the invention
One or more embodiments of this specification describe a method and device for two parties to jointly train a service prediction model, in which the parameters are held as fragments throughout the iterative process, so that private data is not leaked and its security during joint training is ensured.
According to a first aspect, a method is provided for two parties to jointly train a service prediction model while protecting data privacy. The two parties comprise a first party and a second party; the first party stores a first feature matrix X_A composed of first feature parts of a plurality of business objects; the second party stores a second feature matrix X_B composed of second feature parts of the plurality of business objects, and a label vector Y composed of label values. The method is applied to the second party and comprises performing model parameter updates over multiple iterations, wherein each iteration comprises:
based on the locally maintained second fragment of the first parameter and second fragment of the second parameter, computing a homomorphically encrypted second encrypted product fragment through local matrix multiplication and secure matrix multiplication with the first party, and receiving a first encrypted product fragment from the first party; wherein the second fragment of the first parameter is the second fragment of the first parameter part W_A used to process the first feature part, and the second fragment of the second parameter is the second fragment of the second parameter part W_B used to process the second feature part;
homomorphically summing the first encrypted product fragment and the second encrypted product fragment to obtain an encrypted product result Z, which corresponds to the encrypted value of the sum of a first product, of the first feature matrix X_A and the first parameter part W_A, and a second product, of the second feature matrix X_B and the second parameter part W_B;
performing a homomorphic operation on the encrypted product result Z and the encrypted value of the label vector Y to obtain an encrypted error vector E, and secret-sharing the encrypted error vector E to obtain a second error fragment;
performing matrix multiplication under homomorphic operation on the encrypted error vector E and the second feature matrix X_B to obtain a second encrypted gradient, and secret-sharing the second encrypted gradient to obtain a second fragment of the second gradient;
using the second error fragment to perform secure matrix multiplication with the first feature matrix X_A held by the first party, obtaining a second fragment of the second part of the first gradient;
updating the second fragment of the second parameter according to the second fragment of the second gradient; and updating the second fragment of the first parameter according to the second fragment of the second part of the first gradient.
According to one embodiment, before the multiple iterations of model parameter updating are performed, the method further comprises: initializing the second parameter part W_B, splitting it by secret sharing into a first fragment of the second parameter and a second fragment of the second parameter, retaining the second fragment of the second parameter and sending the first fragment of the second parameter to the first party; and receiving from the first party the second fragment of the first parameter, obtained by secret-sharing the first parameter part W_A.
In one embodiment, after the multiple iterations of model parameter updating are performed, the method further comprises: sending the second fragment of the first parameter, as updated in the last iteration, to the first party, and receiving from the first party the updated first fragment of the second parameter; and combining the second fragment of the second parameter, as updated in the last iteration, with the received first fragment of the second parameter to obtain the second parameter part W_B of the trained service prediction model.
In different embodiments, the business object may be one of the following: a user, a merchant, a commodity, an event; the service prediction model is used to predict a classification or a regression value of the business object.
According to one embodiment, the service prediction model is a linear regression model; in this case, the homomorphic difference between the encrypted product result Z and the label vector Y can be computed as the encrypted error vector E.
According to another embodiment, the service prediction model is a logistic regression model; in this case, an encrypted prediction result can be obtained from the encrypted product result Z according to the Taylor expansion of the sigmoid function, and a homomorphic difference operation is performed on the encrypted prediction result and the encrypted value of the label vector Y to obtain the encrypted error vector E.
Further, in one example, before the encrypted error vector E is obtained, the method further comprises computing an encrypted multi-order product at least from the first product fragment and the second product fragment; the encrypted prediction result can then be obtained from the encrypted product result Z and the encrypted multi-order product according to the multi-order Taylor expansion of the sigmoid function, and a homomorphic difference operation is performed on the encrypted prediction result and the encrypted value of the label vector Y to obtain the encrypted error vector E.
In a specific embodiment, the homomorphically encrypted second product fragment is computed as follows: using the second fragment of the first parameter to perform secure matrix multiplication with the first feature matrix X_A held by the first party, obtaining the second fragment of the first-feature second processing result; locally computing the product of the second feature matrix X_B and the second fragment of the second parameter, obtaining the second-feature first processing result; using the second feature matrix X_B to perform secure matrix multiplication with the first fragment of the second parameter held by the first party, obtaining the second fragment of the second-feature second processing result; summing the second fragment of the first-feature second processing result, the second-feature first processing result and the second fragment of the second-feature second processing result, and homomorphically encrypting the sum with the public key of the first party to obtain the second encrypted product fragment.
In one embodiment, the second fragment of the second parameter is updated by subtracting the product of the second fragment of the second gradient and a preset step size.
According to a second aspect, a method is provided for two parties to jointly train a service prediction model while protecting data privacy. The method is applied to the aforementioned first party and comprises performing model parameter updates over multiple iterations, wherein each iteration comprises:
based on the locally maintained first fragment of the first parameter and first fragment of the second parameter, computing a homomorphically encrypted first encrypted product fragment through local matrix multiplication and secure matrix multiplication with the second party; wherein the first fragment of the first parameter is the first fragment of the first parameter part W_A used to process the first feature part, and the first fragment of the second parameter is the first fragment of the second parameter part W_B used to process the second feature part;
sending the first encrypted product fragment to the second party, so that the second party homomorphically sums it with the second encrypted product fragment that the second party computes, to obtain an encrypted product result Z, which corresponds to the encrypted value of the sum of a first product, of the first feature matrix X_A and the first parameter part W_A, and a second product, of the second feature matrix X_B and the second parameter part W_B;
receiving from the second party a first error fragment obtained by secret-sharing an encrypted error vector E, wherein the encrypted error vector E is determined by a homomorphic operation on the encrypted product result Z and the encrypted value of the label vector Y;
locally multiplying the transpose of the first error fragment by the first feature matrix X_A to obtain the first part of the first gradient;
using the first feature matrix X_A to perform secure matrix multiplication with the second error fragment retained by the second party, obtaining the first fragment of the second part of the first gradient;
receiving from the second party the first fragment of the second gradient, obtained by secret-sharing the second encrypted gradient;
updating the first fragment of the first parameter according to the first part of the first gradient and the first fragment of the second part of the first gradient; and updating the first fragment of the second parameter according to the first fragment of the second gradient.
According to one implementation, before the multiple iterations of model parameter updating are performed, the method further comprises: initializing the first parameter part W_A, splitting it by secret sharing into a first fragment of the first parameter and a second fragment of the first parameter, retaining the first fragment of the first parameter and sending the second fragment of the first parameter to the second party; and receiving from the second party the first fragment of the second parameter, obtained by secret-sharing the second parameter part W_B.
According to one implementation, after the multiple iterations of model parameter updating, the method further comprises: sending the first fragment of the second parameter, as updated in the last iteration, to the second party, and receiving from the second party the updated second fragment of the first parameter; and combining the first fragment of the first parameter, as updated in the last iteration, with the received second fragment of the first parameter to obtain the first parameter part W_A of the trained service prediction model.
In a specific embodiment, the homomorphically encrypted first product fragment is computed as follows: locally computing the product of the first feature matrix X_A and the first fragment of the first parameter, obtaining the first-feature first processing result; using the first feature matrix X_A to perform secure matrix multiplication with the second fragment of the first parameter held by the second party, obtaining the first fragment of the first-feature second processing result; using the first fragment of the second parameter to perform secure matrix multiplication with the second feature matrix X_B held by the second party, obtaining the first fragment of the second-feature second processing result; summing the first-feature first processing result, the first fragment of the first-feature second processing result and the first fragment of the second-feature second processing result, and homomorphically encrypting the sum with the public key of the first party to obtain the first encrypted product fragment.
According to one embodiment, the first fragment of the first parameter is updated as follows: the product of a preset step size and the sum of the first part of the first gradient and the first fragment of the second part of the first gradient is taken as the adjustment amount, and the first fragment of the first parameter is updated by subtracting the adjustment amount.
According to a third aspect, a device is provided for two parties to jointly train a service prediction model while protecting data privacy. The two parties comprise a first party and a second party; the first party stores a first feature matrix X_A composed of first feature parts of a plurality of business objects; the second party stores a second feature matrix X_B composed of second feature parts of the plurality of business objects, and a label vector Y composed of label values. The device is deployed at the second party and comprises an iteration unit for performing model parameter updates over multiple iterations, which further comprises:
a product fragment calculation unit, configured to compute, based on the locally maintained second fragment of the first parameter and second fragment of the second parameter, a homomorphically encrypted second encrypted product fragment through local matrix multiplication and secure matrix multiplication with the first party, and to receive a first encrypted product fragment from the first party; wherein the second fragment of the first parameter is the second fragment of the first parameter part W_A used to process the first feature part, and the second fragment of the second parameter is the second fragment of the second parameter part W_B used to process the second feature part;
a product result determining unit, configured to homomorphically sum the first encrypted product fragment and the second encrypted product fragment to obtain an encrypted product result Z, which corresponds to the encrypted value of the sum of a first product, of the first feature matrix X_A and the first parameter part W_A, and a second product, of the second feature matrix X_B and the second parameter part W_B;
an error vector determining unit, configured to perform a homomorphic operation on the encrypted product result Z and the encrypted value of the label vector Y to obtain an encrypted error vector E, and to secret-share the encrypted error vector E to obtain a second error fragment;
a first gradient determining unit, configured to perform matrix multiplication under homomorphic operation on the encrypted error vector E and the second feature matrix X_B to obtain a second encrypted gradient, and to secret-share the second encrypted gradient to obtain a second fragment of the second gradient;
a second gradient determining unit, configured to use the second error fragment to perform secure matrix multiplication with the first feature matrix X_A held by the first party, obtaining a second fragment of the second part of the first gradient;
a parameter update unit, configured to update the second fragment of the second parameter according to the second fragment of the second gradient, and to update the second fragment of the first parameter according to the second fragment of the second part of the first gradient.
According to a fourth aspect, a device is provided for two parties to jointly train a service prediction model while protecting data privacy. The device is deployed at the aforementioned first party and comprises an iteration unit for performing model parameter updates over multiple iterations, which further comprises:
a product fragment calculation unit, configured to compute, based on the locally maintained first fragment of the first parameter and first fragment of the second parameter, a homomorphically encrypted first encrypted product fragment through local matrix multiplication and secure matrix multiplication with the second party; wherein the first fragment of the first parameter is the first fragment of the first parameter part W_A used to process the first feature part, and the first fragment of the second parameter is the first fragment of the second parameter part W_B used to process the second feature part;
a product fragment sending unit, configured to send the first encrypted product fragment to the second party, so that the second party homomorphically sums it with the second encrypted product fragment that the second party computes, to obtain an encrypted product result Z, which corresponds to the encrypted value of the sum of a first product, of the first feature matrix X_A and the first parameter part W_A, and a second product, of the second feature matrix X_B and the second parameter part W_B;
an error fragment receiving unit, configured to receive from the second party a first error fragment obtained by secret-sharing an encrypted error vector E, wherein the encrypted error vector E is determined by a homomorphic operation on the encrypted product result Z and the encrypted value of the label vector Y;
a first gradient determining unit, configured to locally multiply the transpose of the first error fragment by the first feature matrix X_A to obtain the first part of the first gradient;
a second gradient determining unit, configured to use the first feature matrix X_A to perform secure matrix multiplication with the second error fragment retained by the second party, obtaining the first fragment of the second part of the first gradient;
a third gradient determining unit, configured to receive from the second party the first fragment of the second gradient, obtained by secret-sharing the second encrypted gradient;
a parameter update unit, configured to update the first fragment of the first parameter according to the first part of the first gradient and the first fragment of the second part of the first gradient, and to update the first fragment of the second parameter according to the first fragment of the second gradient.
According to a fifth aspect, a computer-readable storage medium is provided, having a computer program stored thereon which, when executed in a computer, causes the computer to execute the method of the first aspect or the second aspect.
According to a sixth aspect, a computing device is provided, including a memory and a processor, characterized in that the memory stores executable code and the processor, when executing the executable code, implements the method of the first aspect or the second aspect.
According to the method and device provided in the embodiments of this specification, each of the two parties participating in joint training holds part of the feature data. During the iterations of joint training, the two parties not only refrain from exchanging feature data in plaintext; the model parameter parts are also split into parameter fragments, and each party maintains only the iterative update of its own fragments. The model parameters are reconstructed only when the iterations end. Because each party maintains only parameter fragments during the iterations and exchanges only some fragment results, and because it is almost impossible to infer useful information about the private data from those fragment results, the security of private data during joint training is greatly enhanced.
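The fragment bookkeeping of the first and second aspects above, as an added example that is not code from the patent: it runs the linear-regression iteration on additive fragments and checks that the reconstructed W_A and W_B equal those of ordinary gradient descent. Assumptions: secure matrix multiplication is modeled as an ideal functionality that hands each party one fragment of the product, the homomorphic-encryption layer is left out (so the code checks the fragment algebra, not confidentiality), and all function names and sample data are constructed here.

```python
import random
from fractions import Fraction

rng = random.Random(7)  # fixed seed for a reproducible run; real masks need a CSPRNG

def share(vec):
    """Additive secret sharing: two fragments whose element-wise sum is vec."""
    mask = [Fraction(rng.randint(-10**6, 10**6)) for _ in vec]
    return mask, [v - m for v, m in zip(vec, mask)]

def add(*vecs):
    return [sum(col) for col in zip(*vecs)]

def step_down(w, g, step):
    """w - step * g, the update applied to every parameter fragment."""
    return [wi - step * gi for wi, gi in zip(w, g)]

def matvec(X, w):
    """X (n x d) times w (length d) -> vector of length n."""
    return [sum(x * wi for x, wi in zip(row, w)) for row in X]

def vecmat(e, X):
    """Transpose of e (length n) times X (n x d) -> vector of length d."""
    return [sum(ei * row[j] for ei, row in zip(e, X)) for j in range(len(X[0]))]

def secure_matmul(product):
    """ASSUMPTION: ideal stand-in for secure matrix multiplication. Each party
    receives one fragment of the product and never sees the other's operand."""
    return share(product)

def train_sharded(XA, XB, Y, WA, WB, step, iters):
    # Initialisation: each party splits its own parameter part by secret sharing.
    WA1, WA2 = share(WA)  # first party keeps WA1, second party receives WA2
    WB1, WB2 = share(WB)  # first party receives WB1, second party keeps WB2
    for _ in range(iters):
        s1, s2 = secure_matmul(matvec(XA, WA2))  # X_A (first) with WA2 (second)
        t1, t2 = secure_matmul(matvec(XB, WB1))  # WB1 (first) with X_B (second)
        Z1 = add(matvec(XA, WA1), s1, t1)        # first product fragment
        Z2 = add(s2, matvec(XB, WB2), t2)        # second product fragment
        # Second party: Z = Z1 + Z2 and E = Z - Y. On the page both exist only
        # as ciphertexts; they are plaintext here because encryption is omitted.
        E = [z - y for z, y in zip(add(Z1, Z2), Y)]
        E1, E2 = share(E)                        # first / second error fragment
        GA_part1 = vecmat(E1, XA)                # first gradient, first part (local)
        GA2_f1, GA2_f2 = secure_matmul(vecmat(E2, XA))  # second part, two fragments
        GB1, GB2 = share(vecmat(E, XB))          # second gradient, secret-shared
        # First party updates the fragments it maintains.
        WA1 = step_down(WA1, add(GA_part1, GA2_f1), step)
        WB1 = step_down(WB1, GB1, step)
        # Second party updates the fragments it maintains.
        WB2 = step_down(WB2, GB2, step)
        WA2 = step_down(WA2, GA2_f2, step)
    # After the last iteration the fragments are exchanged and combined.
    return add(WA1, WA2), add(WB1, WB2)

def train_plain(XA, XB, Y, WA, WB, step, iters):
    """Reference: the same gradient descent with all data in one place."""
    X = [ra + rb for ra, rb in zip(XA, XB)]
    W = list(WA) + list(WB)
    for _ in range(iters):
        E = [z - y for z, y in zip(matvec(X, W), Y)]
        W = step_down(W, vecmat(E, X), step)
    return W[:len(WA)], W[len(WA):]

# Constructed sample data: 4 business objects, 2 features at the first party,
# 1 feature and the labels at the second party.
XA = [[1, 2], [2, 1], [3, 0], [0, 1]]
XB = [[1], [0], [2], [1]]
Y = [3, 2, 5, 1]
WA0, WB0, STEP = [0, 0], [0], Fraction(1, 100)

if __name__ == "__main__":
    print(train_sharded(XA, XB, Y, WA0, WB0, STEP, 5))
    print(train_plain(XA, XB, Y, WA0, WB0, STEP, 5))
```

Exact rational arithmetic is used so the two results can be compared for equality; a deployment would work over a fixed-point encoding in the plaintext space of the homomorphic scheme.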
Description of the drawings
In order to explain the technical solutions of the embodiments of the present invention more clearly, the drawings used in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of an implementation scenario of an embodiment disclosed in this specification;
Fig. 2 shows a secret sharing scheme under homomorphic encryption in one embodiment;
Fig. 3 shows an implementation scheme of secure matrix multiplication in one embodiment;
Fig. 4 shows a schematic diagram of the process by which two parties jointly train a linear regression model according to an embodiment;
Fig. 5 shows part of the implementation process of the first sub-phase in one embodiment;
Fig. 6 shows a schematic diagram of the process by which two parties jointly train a logistic regression model according to an embodiment;
Fig. 7 shows a schematic block diagram of a joint training device deployed at the second party according to an embodiment;
Fig. 8 shows a schematic block diagram of a joint training device deployed at the first party according to an embodiment.
Detailed description
The solutions provided in this specification are described below with reference to the accompanying drawings.
As mentioned above, the training process of a typical machine learning model includes computing on feature data and model parameter data to obtain a prediction result, determining a gradient from the prediction result, and then adjusting the model parameters according to the gradient.
具体地,假设用于训练机器学习模型的训练数据集有n个样本,每个样本的样本特征表示为x(x可以是一个向量),标签表示为y,则该训练数据集可表示为:Specifically, assuming that the training data set used to train the machine learning model has n samples, the sample feature of each sample is expressed as x (x can be a vector), and the label is expressed as y, then the training data set can be expressed as:
Figure PCTCN2021080718-appb-000001
Figure PCTCN2021080718-appb-000001
Through an operation between the sample feature x of each sample and the model parameter w, the predicted value of the sample can be obtained:
Figure PCTCN2021080718-appb-000002
If the machine learning model is a linear regression model, the predicted value can be expressed as:
Figure PCTCN2021080718-appb-000003
If the machine learning model is a logistic regression model, the predicted value can be expressed as:
Figure PCTCN2021080718-appb-000004
When maximum likelihood and stochastic gradient descent are used, the resulting gradient can be expressed as:
Figure PCTCN2021080718-appb-000005
where
Figure PCTCN2021080718-appb-000006
is the predicted value, y is the label value, the superscript T denotes transposition, and x is the feature. The parameter w can then be updated according to this gradient, thereby training the model.
As can be seen from the above process, training includes several core operations: the product xw of the sample feature x and the model parameter w is computed, and this product is used to determine the predicted value
Figure PCTCN2021080718-appb-000007
The prediction error E is then obtained through
Figure PCTCN2021080718-appb-000008
and the gradient is obtained from the product of the prediction error E and x.
When a single party trains the model independently, the above operations are easy to perform. When multiple parties jointly train a machine learning model, however, the features of the same sample may be distributed among different participants, and each participant maintains part of the model parameters. How to perform the above operations without revealing any party's plaintext data is the core challenge of protecting data privacy in joint training.
To address this problem, the inventors propose that, in a scenario where two parties jointly train a machine learning model, each party's model parameters are split into secure parameter fragments and, by means of secret sharing, homomorphic encryption and secure matrix multiplication, the above operations are correspondingly split into secure and secret fragment operations. The operations are carried out through the two parties' exchange of, and joint computation on, the fragment results, thereby achieving secure collaborative training.
Fig. 1 is a schematic diagram of an implementation scenario of an embodiment disclosed in this specification. As shown in Fig. 1, the two-party joint training scenario involves participant A and participant B, also called the first party and the second party. Each participant can be implemented as any device, platform, server or device cluster with computing and processing capabilities. The two parties want to jointly train a business prediction model while protecting data privacy.
The first party A stores a part of the features of the n business objects in the training sample set, called the first feature part. Assuming the first feature part of each business object is a d1-dimensional vector, the first feature parts of the n business objects form an n*d1-dimensional first feature matrix X_A. The second party B stores the second feature part of the n business objects. Assuming the second feature part of each business object is a d2-dimensional vector, the second feature parts of the n business objects form an n*d2-dimensional second feature matrix X_B. It is assumed that the second party also stores the label values of the n business objects, and the n label values form a label vector Y.
For example, in one exemplary scenario, the first party A and the second party B are an electronic payment platform and a banking institution, and the two parties need to jointly train a business prediction model to evaluate users' credit ratings. Here the business object is the user. Each party maintains part of the users' feature data: for example, the electronic payment platform maintains features related to users' electronic payments and transfers, which form the first feature matrix, and the banking institution maintains features related to users' credit records, which form the second feature matrix. In addition, the banking institution holds the labels Y of the users' credit ratings.
In another example, the first party A and the second party B are an e-commerce platform and an electronic payment platform, and the two parties need to jointly train a business prediction model to assess merchants' fraud risk. Here the business object is the merchant. Each party maintains part of the merchants' feature data: for example, the e-commerce platform stores the sales data of the sample merchants as one part of the sample features, which forms the first feature matrix, and the electronic payment platform maintains the merchants' transaction flow data as another part of the sample features, which forms the second feature matrix. The electronic payment platform also maintains the labels of the sample merchants (a mark of whether or not each is a fraudulent merchant), which form the label vector Y.
In other scenario examples, the business object may be another kind of object to be evaluated, such as a commodity or an interaction event (for example a transaction event, login event, click event or purchase event). Correspondingly, the participants may be different business parties that maintain different feature parts of these business objects. The business prediction model may be a model that performs classification prediction or regression prediction for the corresponding business object.
It should be understood that the business object features maintained by each party are private data and must not be exchanged in plaintext during joint training, in order to protect the private data. Ultimately, the first party A wants to obtain through training the model parameter part used to process the first feature part, called the first parameter part W_A; the second party wants to obtain the second parameter part W_B used to process the second feature part. These two parameter parts together constitute the business prediction model.
In order to train the model jointly without leaking private data, according to the embodiments of this specification and as shown in Fig. 1, the first party A and the second party B secretly share the initialized, yet-to-be-trained first parameter part W_A and second parameter part W_B, splitting them into parameter fragments. The first party thus obtains the first-parameter first fragment <W_A>_1 and the second-parameter first fragment <W_B>_1, and the second party obtains the first-parameter second fragment <W_A>_2 and the second-parameter second fragment <W_B>_2.
During iterative training of the model, the two parties obtain, through secure matrix multiplication, the encrypted fragments Z_1 and Z_2 of the product of the total feature matrix X and the total parameter matrix W. The second party, which holds the labels, aggregates the two encrypted fragments to obtain the encrypted product result Z. Based on the product result Z and the encrypted label vector Y, the second party obtains the encrypted error vector E and secretly shares it under homomorphic encryption, so that the two parties obtain the error fragments E_1 and E_2 respectively. Further, based on the error fragments and their respective feature matrices, the two parties obtain the corresponding gradient fragments G_1 and G_2 through secret sharing and secure matrix multiplication. The first party then uses its gradient fragment G_1 to update the parameter fragments <W_A>_1 and <W_B>_1 that it maintains, and the second party uses its gradient fragment G_2 to update the parameter fragments <W_A>_2 and <W_B>_2 that it maintains.
When the whole iterative process ends, the two parties exchange their parameter fragments and reconstruct the parameters. The first party reconstructs the trained first parameter part W_A from the first-parameter first fragment <W_A>_1 that it maintains and the first-parameter second fragment <W_A>_2 sent by the second party; the second party reconstructs the trained second parameter part W_B from the second-parameter second fragment <W_B>_2 that it maintains and the second-parameter first fragment <W_B>_1 sent by the first party.
Throughout training, the two parties not only exchange no feature data in plaintext; the model parameter parts are also split into parameter fragments, and each party only maintains iterative updates of the fragments it holds. The model parameters are reconstructed only after the iterations end. This greatly enhances the security of private data during joint training.
As can be seen, the above training approach requires a secret sharing scheme under homomorphic encryption and a secure matrix multiplication scheme. These two schemes are briefly described first.
Fig. 2 shows a secret sharing scheme under homomorphic encryption in one embodiment. In the example scenario of Fig. 2, the first party A holds a public key PK-a for homomorphic encryption and the corresponding private key SK-a, and the second party B holds a public key PK-b and the corresponding private key SK-b. Assume that a matrix Z is to be secretly shared and that Z has already been homomorphically encrypted with the public key PK-a of the first party A.
In this document, square brackets [] denote encryption, and the subscript denotes the public key used for encryption. The matrix to be shared is thus written [Z]_a.
To secretly share the homomorphically encrypted matrix [Z]_a, the second party B locally generates a random second fragment <Z>_2.
In this document, angle brackets <> denote a fragment of a secret sharing, and the subscript denotes the holder of the fragment.
The second party B then encrypts the second fragment <Z>_2 with the public key PK-a of the first party A and the same homomorphic encryption algorithm, obtaining the second encrypted fragment [<Z>_2]_a.
Next, the second party B performs a homomorphic subtraction on the matrix [Z]_a and the second encrypted fragment [<Z>_2]_a, obtaining the first encrypted fragment [<Z>_1]_a = [Z]_a - [<Z>_2]_a.
This uses the homomorphism of the homomorphic encryption algorithm: operating on plaintexts and then encrypting is equivalent to encrypting and then performing the corresponding operation on the ciphertexts. For example, encrypting v_1 and v_2 with the same public key PK gives E_PK(v_1) and E_PK(v_2); if the following holds:
Figure PCTCN2021080718-appb-000009
then the encryption algorithm is considered to satisfy additive homomorphism, where
Figure PCTCN2021080718-appb-000010
is the corresponding homomorphic addition operation. In practice, the
Figure PCTCN2021080718-appb-000011
operation may correspond to ordinary addition, multiplication, and so on. For example, in the Paillier algorithm,
Figure PCTCN2021080718-appb-000012
corresponds to ordinary multiplication.
The homomorphic subtraction used above to compute the first encrypted fragment is the subtraction counterpart of the homomorphic addition operation.
The second party B then sends the first encrypted fragment [<Z>_1]_a to the first party A. Because this fragment is encrypted with the public key of the first party A, the first party can decrypt it with the corresponding private key SK-a to obtain the first fragment <Z>_1.
In the end, the first party A holds the first fragment <Z>_1, the second party B holds the second fragment <Z>_2, and, by the homomorphism described above, the sum of the two fragments is the original matrix Z: <Z>_1 + <Z>_2 = Z. This achieves secret sharing between the two parties under homomorphic encryption.
Fig. 3 shows an implementation of secure matrix multiplication in one embodiment. In the example scenario of Fig. 3, the first party A holds a matrix X and the second party B holds a matrix Y. The two parties want to jointly compute the product matrix X*Y without revealing their respective plaintext matrices. Secure matrix multiplication based on homomorphic encryption can be used for this.
Specifically, the first party A can encrypt its original matrix X with its public key PK-a using the homomorphic encryption algorithm, obtaining the encrypted matrix [X]_a, and send this encrypted matrix to the second party B.
The second party B performs homomorphic additive operations, row by column, between the ciphertext elements of the encrypted matrix [X]_a and the plaintext elements of its matrix Y, obtaining an encrypted product matrix [Z]_a = [X]_a * Y. By the homomorphism of the encryption algorithm, this encrypted product matrix [Z]_a corresponds to the matrix obtained by encrypting the product X*Y of the original matrices X and Y with the public key PK-a of party A under the homomorphic encryption algorithm, that is, [Z]_a = [X*Y]_a.
The encrypted product matrix [Z]_a is then taken as the homomorphically encrypted matrix [Z]_a to be shared in Fig. 2, and secret sharing under homomorphic encryption is performed on it. In the end, the first party A holds the first fragment <Z>_1, the second party B holds the second fragment <Z>_2, and the sum of the two fragments is the product matrix X*Y: <Z>_1 + <Z>_2 = X*Y.
This achieves secure matrix multiplication between the two parties.
It should be understood that Fig. 3 is one implementation example of secure matrix multiplication. Other implementations exist, such as matrix multiplication based on secret sharing, and are not detailed here.
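The Fig. 2 secret sharing and the Fig. 3 secure matrix multiplication described above, as an added example that is not code from the patent. It assumes Paillier as the additively homomorphic scheme, a toy key built from two Mersenne primes, and integer-valued matrices; all function names and sample matrices are constructed for the demonstration.

```python
import math
import secrets

# Toy Paillier key pair for party A (constructed demo values: two Mersenne
# primes, far below a real key size). Plaintexts live in Z_N.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q                      # public key PK-a
N2 = N * N
PHI = (P - 1) * (Q - 1)        # private key SK-a
MU = pow(PHI, -1, N)


def enc(m):
    """Encrypt integer m under PK-a (generator g = N + 1)."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            break
    return (1 + (m % N) * N) * pow(r, N, N2) % N2


def dec(c):
    """Decrypt with SK-a; the result is an element of Z_N."""
    return (pow(c, PHI, N2) - 1) // N * MU % N


def signed(v):
    """Read an element of Z_N as a signed integer."""
    return v - N if v > N // 2 else v


def h_add(c1, c2):             # [a] (+) [b] = [a + b]: ciphertext multiplication
    return c1 * c2 % N2


def h_sub(c1, c2):             # [a] (-) [b] = [a - b]
    return c1 * pow(c2, -1, N2) % N2


def h_scale(c, k):             # [a] scaled by plaintext k = [a * k]
    return pow(c, k % N, N2)


def b_split(enc_z):
    """Fig. 2, party B: draw <Z>_2 at random, return it with [<Z>_1]_a."""
    share2 = [[secrets.randbelow(N) for _ in row] for row in enc_z]
    enc_share1 = [[h_sub(c, enc(r)) for c, r in zip(crow, rrow)]
                  for crow, rrow in zip(enc_z, share2)]
    return share2, enc_share1


def b_encrypted_product(enc_x, y):
    """Fig. 3, party B: [Z]_a = [X]_a * Y from ciphertexts of X and plaintext Y."""
    out = []
    for crow in enc_x:
        out_row = []
        for ycol in zip(*y):
            acc = enc(0)
            for c, k in zip(crow, ycol):
                acc = h_add(acc, h_scale(c, k))
            out_row.append(acc)
        out.append(out_row)
    return out


def secure_matmul(x, y):
    """A holds x, B holds y. Returns (<Z>_1 for A, <Z>_2 for B)."""
    enc_x = [[enc(v) for v in row] for row in x]              # A -> B: [X]_a
    enc_z = b_encrypted_product(enc_x, y)                     # B, local
    share2, enc_share1 = b_split(enc_z)                       # B -> A: [<Z>_1]_a
    share1 = [[dec(c) for c in row] for row in enc_share1]    # A, with SK-a
    return share1, share2


def reconstruct(share1, share2):
    """Add the two fragments modulo N and read the result as signed integers."""
    return [[signed((a + b) % N) for a, b in zip(r1, r2)]
            for r1, r2 in zip(share1, share2)]


# Constructed sample matrices: X is 2x3 (party A), Y is 3x2 (party B).
X_DEMO = [[3, -1, 4], [2, 0, -5]]
Y_DEMO = [[1, 2], [-3, 4], [5, -6]]

if __name__ == "__main__":
    s1, s2 = secure_matmul(X_DEMO, Y_DEMO)
    print(reconstruct(s1, s2))
```

Because B draws `<Z>_2` uniformly from Z_N, the fragment A decrypts is itself uniformly distributed and carries no information about Z; the identity `<Z>_1 + <Z>_2 = Z` holds modulo N.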
Using secret sharing under homomorphic encryption together with secure matrix multiplication, the joint model training shown in Fig. 1 can be carried out. The specific process by which the two parties jointly train the model is described below.
Fig. 4 shows a schematic diagram of a process in which two parties jointly train a linear regression model according to an embodiment. The data held by the first party A and the second party B in the scenario of Fig. 4 is the same as in Fig. 1 and is not described again. In addition, the first party A and the second party B may send each other their own public keys PK-a and PK-b. In the scenario of Fig. 4, the two parties jointly train a linear regression model as the business prediction model.
First, in the model initialization stage, the first party A and the second party B initialize the model parameters and secretly share them, each maintaining parameter fragments.
Specifically, in step S11, the first party A initializes the first parameter part W_A used to process the first feature part. W_A may be initialized by random generation. Then, in S12, the first party A secretly shares the first parameter part, that is, splits it into the first-parameter first fragment <W_A>_1 and the first-parameter second fragment <W_A>_2, keeps <W_A>_1 itself, and sends <W_A>_2 to the second party B. The sum of the two parameter fragments is the first parameter part: W_A = <W_A>_1 + <W_A>_2.
Correspondingly, in step S13, the second party B initializes the second parameter part W_B used to process the second feature part. W_B may be initialized by random generation. Then, in S14, the second party B secretly shares the second parameter part, splitting it into the second-parameter first fragment <W_B>_1 and the second-parameter second fragment <W_B>_2, keeps <W_B>_2 itself, and sends <W_B>_1 to the first party A. Correspondingly, the sum of these two parameter fragments is the second parameter part: W_B = <W_B>_1 + <W_B>_2.
It should be understood that steps S11-S12 and steps S13-S14 may be executed in parallel or in any order, which is not limited here.
After the above initialization and secret sharing, the first party A maintains the first-parameter first fragment <W_A>_1 and the second-parameter first fragment <W_B>_1, and the second party B maintains the first-parameter second fragment <W_A>_2 and the second-parameter second fragment <W_B>_2.
Next comes the model iteration stage, which generally comprises multiple iterations. In one embodiment, the number of iterations is a preset hyperparameter. In another embodiment, the number of iterations is not preset; instead, iteration stops when a certain convergence condition is met. The convergence condition may be, for example, that the error is low enough or that the gradient is small enough.
Each iteration can include four sub-stages: computing the product of the total feature matrix X and the total parameter W; computing the error vector E; computing the gradient G; and updating the parameters. The execution of each sub-stage is described below.
In the first sub-stage, in step S21, the first party A and the second party B, each based on local matrix multiplication and on secure matrix multiplication between the two parties, compute the first product fragment <Z>_1 and the second product fragment <Z>_2 respectively, such that the sum of the two fragments corresponds to the product of the total feature matrix X and the total parameter W, that is, to the sum of the first product of the first feature matrix X_A and the first parameter part W_A and the second product of the second feature matrix X_B and the second parameter part W_B.
Fig. 5 shows part of the implementation process of the first sub-stage in one embodiment.
Specifically, in step S211, the first party A locally computes the product of the first feature matrix X_A and the first-parameter first fragment <W_A>_1, obtaining the first-feature first processing result <Z_A>_1, namely:
<Z_A>_1 = X_A · <W_A>_1
In step S212, the first party A uses the first feature matrix X_A that it holds to perform secure matrix multiplication with the first-parameter second fragment <W_A>_2 held by the second party B. The secure matrix multiplication may be implemented as shown in Fig. 3 or by another secure computation method. The product of the first feature matrix X_A and the first-parameter second fragment <W_A>_2 is denoted the first-feature second processing result <Z_A>_2, namely:
<Z_A>_2 = X_A · <W_A>_2
In this document, a result computed with local parameters is called a first processing result, and a result computed with the other party's parameters through secure matrix multiplication is called a second processing result.
Through the secure matrix multiplication of step S212, the first party A obtains the first fragment <<Z_A>_2>_1 of the first-feature second processing result <Z_A>_2, and the second party B obtains its second fragment <<Z_A>_2>_2. The sum of the two fragments is the first-feature second processing result.
In step S213, the second party B locally computes the product of the second feature matrix X_B and the second-parameter second fragment <W_B>_2, obtaining the second-feature first processing result <Z_B>_1, namely:
<Z_B>_1 = X_B · <W_B>_2
In step S214, the second party B uses the second feature matrix X_B that it holds to perform secure matrix multiplication with the second-parameter first fragment <W_B>_1 held by the first party A. The product is denoted the second-feature second processing result <Z_B>_2, namely:
<Z_B>_2 = X_B · <W_B>_1
Through the secure matrix multiplication of step S214, the first party A obtains the first fragment <<Z_B>_2>_1 of the second-feature second processing result <Z_B>_2, and the second party B obtains its second fragment <<Z_B>_2>_2. The sum of the two fragments is the second-feature second processing result.
It should be understood that steps S211-S214 above may be performed in any order.
Then, in step S215, the first party A sums the fragments of the processing results obtained above, that is, the first-feature first processing result <Z_A>_1, the first fragment <<Z_A>_2>_1 of the first-feature second processing result, and the first fragment <<Z_B>_2>_1 of the second-feature second processing result, obtaining the first product fragment <Z>_1, namely:
<Z>_1 = <Z_A>_1 + <<Z_A>_2>_1 + <<Z_B>_2>_1
Correspondingly, in step S216, the second party B sums the fragments of the processing results it has obtained, that is, the second fragment <<Z_A>_2>_2 of the first-feature second processing result, the second-feature first processing result <Z_B>_1, and the second fragment <<Z_B>_2>_2 of the second-feature second processing result, obtaining the second product fragment <Z>_2, namely:
<Z>_2 = <Z_B>_1 + <<Z_A>_2>_2 + <<Z_B>_2>_2
It can be verified that the sum of the first product fragment <Z>_1 and the second product fragment <Z>_2 is the product of the total feature matrix X and the total parameter W, that is, the sum of the first product of the first feature matrix X_A and the first parameter part W_A and the second product of the second feature matrix X_B and the second parameter part W_B:
<Z>_1 + <Z>_2
= <Z_A>_1 + <<Z_A>_2>_1 + <<Z_B>_2>_1 + <Z_B>_1 + <<Z_A>_2>_2 + <<Z_B>_2>_2
= <Z_A>_1 + (<<Z_A>_2>_1 + <<Z_A>_2>_2) + <Z_B>_1 + (<<Z_B>_2>_1 + <<Z_B>_2>_2)
= X_A · <W_A>_1 + X_A · <W_A>_2 + X_B · <W_B>_1 + X_B · <W_B>_2
= X_A · W_A + X_B · W_B
At this point the first party A and the second party B have computed the first product fragment <Z>_1 and the second product fragment <Z>_2 respectively.
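The fragment bookkeeping of steps S11-S14 and S211-S216, as an added example that is not code from the patent. It assumes integer-encoded matrices with fragments taken modulo 2^64 (the text does not fix a ring), and it replaces the Fig. 3 protocol with a stand-in, `ideal_secure_matmul`, that simply hands each party a random additive fragment of the product; all names and sample values are constructed.

```python
import secrets

M = 2**64  # fragment ring modulus (assumption; the patent text does not fix one)


def matmul(X, W):
    """Plain matrix product modulo M."""
    return [[sum(x * w for x, w in zip(row, col)) % M for col in zip(*W)]
            for row in X]


def add(*mats):
    """Element-wise sum of equally shaped matrices modulo M."""
    return [[sum(vals) % M for vals in zip(*rows)] for rows in zip(*mats)]


def split(mat):
    """Additive secret sharing: (frag_1, frag_2) with frag_1 + frag_2 = mat mod M."""
    frag2 = [[secrets.randbelow(M) for _ in row] for row in mat]
    frag1 = [[(v - r) % M for v, r in zip(row, rrow)]
             for row, rrow in zip(mat, frag2)]
    return frag1, frag2


def ideal_secure_matmul(X, W_frag):
    """Stand-in for the Fig. 3 protocol: random additive fragments of X * W_frag.

    In the real protocol neither party sees the other's input; here the
    product is formed in one place only to show what each side ends up with.
    """
    return split(matmul(X, W_frag))


def first_substage(X_A, X_B, W_A, W_B):
    """Return (<Z>_1 held by A, <Z>_2 held by B)."""
    # S11-S14: each party splits its own parameter part and sends one fragment.
    WA1, WA2 = split(W_A)          # A keeps <W_A>_1, B receives <W_A>_2
    WB1, WB2 = split(W_B)          # A receives <W_B>_1, B keeps <W_B>_2
    # S211 / S213: local products with the locally held fragment.
    ZA1 = matmul(X_A, WA1)         # <Z_A>_1, computed by A
    ZB1 = matmul(X_B, WB2)         # <Z_B>_1, computed by B
    # S212 / S214: cross terms through secure matrix multiplication.
    ZA2_1, ZA2_2 = ideal_secure_matmul(X_A, WA2)   # fragments of <Z_A>_2
    ZB2_1, ZB2_2 = ideal_secure_matmul(X_B, WB1)   # fragments of <Z_B>_2
    # S215 / S216: each party sums what it holds.
    Z1 = add(ZA1, ZA2_1, ZB2_1)
    Z2 = add(ZB1, ZA2_2, ZB2_2)
    return Z1, Z2


# Constructed sample data: n = 3 business objects, d1 = 2, d2 = 1.
XA_DEMO = [[1, 2], [3, 4], [5, 6]]
WA_DEMO = [[7], [8]]
XB_DEMO = [[2], [0], [1]]
WB_DEMO = [[9]]

if __name__ == "__main__":
    Z1, Z2 = first_substage(XA_DEMO, XB_DEMO, WA_DEMO, WB_DEMO)
    print(add(Z1, Z2))  # X_A * W_A + X_B * W_B
```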
Return to the first sub-stage in Fig. 4. Because the second party B holds the label data, and in order to protect data privacy, in step S22 of Fig. 4 the first party A homomorphically encrypts the first product fragment <Z>_1 with its public key PK-a to obtain the first encrypted product fragment [<Z>_1]_a, and sends it to the second party B.
In step S23, the second party B also uses the first party's public key PK-a to homomorphically encrypt the second product fragment <Z>_2 that it computed, obtaining the second encrypted product fragment [<Z>_2]_a.
Then, in step S24, the second party B homomorphically adds the first encrypted product fragment [<Z>_1]_a and the second encrypted product fragment [<Z>_2]_a, obtaining the encrypted product result [Z]_a:
[Z]_a = [<Z>_1]_a + [<Z>_2]_a
From the homomorphism of the encryption algorithm and the relationship between the first and second product fragments above, it follows that the encrypted product result [Z]_a obtained in this way corresponds to the encrypted value of the sum of the first product of the first feature matrix X_A and the first parameter part W_A and the second product of the second feature matrix X_B and the second parameter part W_B, namely [X_A · W_A + X_B · W_B]_a, or in other words, the encrypted value of the product of the total feature matrix X and the total parameter W.
Thus, in the first sub-stage of the iteration, through secure computation performed jointly by the two parties, the second party B obtains the encrypted product result [Z]_a, which corresponds to the encrypted value of the product of the total feature matrix X and the total parameter W. The second sub-stage, computing the error vector E, then begins.
In step S31 of the second sub-stage, the second party B performs a homomorphic operation on the encrypted product result [Z]_a and the encrypted value of the label vector Y, obtaining the encrypted error vector [E]_a.
In the linear regression scenario shown in Figure 4, the predicted value
Figure PCTCN2021080718-appb-000013
Therefore, the prediction error
Figure PCTCN2021080718-appb-000014
can be expressed as the difference between the product X*W of the feature matrix and the model parameters, and the label vector Y. The product result currently available is in the encrypted form $[Z]_a$. Therefore, the label vector Y can first be homomorphically encrypted as well to obtain $[Y]_a$, and the homomorphic difference between the encrypted product result $[Z]_a$ and the encrypted label vector $[Y]_a$ is then computed as the encrypted error vector $[E]_a$, namely:
$[E]_a = [Z]_a - [Y]_a$
Then, in step S32, the encrypted error vector $[E]_a$ is secret-shared, for example using the secret sharing under homomorphic encryption shown in Figure 2. Through this secret sharing, the first party A obtains the first error fragment $\langle E\rangle_1$, the second party B obtains the second error fragment $\langle E\rangle_2$, and $\langle E\rangle_1 + \langle E\rangle_2 = E$.
Next, the process enters the third sub-stage of the iteration, in which the gradient is computed. According to formula (1) above, the gradient computation involves multiplying the error vector by the feature matrix. However, the error vector and the feature matrix are still distributed between the first party A and the second party B, so fragment-wise computation is again required to obtain the individual gradient fragments.
Specifically, in step S41, the second party B locally performs matrix multiplication under homomorphic operations on the encrypted error vector $[E]_a$ and the second feature matrix $X_B$ to obtain the second encrypted gradient $[G_B]_a$, namely:
$[G_B]_a = [E]_a^T X_B$
Here $[E]_a^T$ denotes the transpose of $[E]_a$, and the operation between $[E]_a^T$ and $X_B$ is a homomorphic sum over the ciphertext elements in each row of $[E]_a^T$ and the plaintext elements in each column of $X_B$, similar to the homomorphic matrix multiplication in the secure matrix multiplication process of Figure 3.
Then, in step S42, the second party B secret-shares the second encrypted gradient $[G_B]_a$ under homomorphic encryption, for example in the manner of Figure 2. Through this secret sharing, the first party A obtains the second gradient first fragment $\langle G_B\rangle_1$, the second party B obtains the second gradient second fragment $\langle G_B\rangle_2$, and the sum of the fragments is the second gradient $G_B = E^T X_B$.
In step S43, the first party A locally multiplies the transpose of the first error fragment $\langle E\rangle_1$ by the first feature matrix $X_A$ to obtain the first gradient first part $\langle G_A\rangle_1$, namely:
$\langle G_A\rangle_1 = \langle E\rangle_1^T X_A$
The above operation is local to the first party.
Then, in step S44, the first party uses the first feature matrix $X_A$ to perform secure matrix multiplication with the second error fragment $\langle E\rangle_2$ held by the second party; the result of the multiplication is denoted the first gradient second part $\langle G_A\rangle_2$, namely:
$\langle G_A\rangle_2 = \langle E\rangle_2^T X_A$
Through this secure matrix multiplication, the first party A obtains the first fragment $\langle\langle G_A\rangle_2\rangle_1$ of the first gradient second part, and the second party B obtains the second fragment $\langle\langle G_A\rangle_2\rangle_2$ of the first gradient second part.
This completes the computation of the gradient fragments. The process then enters the fourth sub-stage of the iteration, the parameter update. In this stage, each party updates the parameter fragments it maintains according to the gradient fragments it has obtained. The parameter update stage includes the following steps.
In step S51, the first party A updates the first parameter first fragment $\langle W_A\rangle_1$ according to the first gradient first part $\langle G_A\rangle_1$ computed in step S43 and the first fragment $\langle\langle G_A\rangle_2\rangle_1$ of the first gradient second part obtained in step S44.
Specifically, the product of the preset step size α and the sum of the first gradient first part $\langle G_A\rangle_1$ and the first fragment $\langle\langle G_A\rangle_2\rangle_1$ of the first gradient second part is taken as the adjustment amount, and the first parameter first fragment $\langle W_A\rangle_1$ is updated by subtracting this adjustment amount, which can be expressed as:
$\langle W_A\rangle_1 \leftarrow \langle W_A\rangle_1 - \alpha(\langle G_A\rangle_1 + \langle\langle G_A\rangle_2\rangle_1)$
In step S52, the first party A updates the second parameter first fragment $\langle W_B\rangle_1$ according to the second gradient first fragment $\langle G_B\rangle_1$ obtained in step S42, which can be expressed as:
$\langle W_B\rangle_1 \leftarrow \langle W_B\rangle_1 - \alpha\langle G_B\rangle_1$
In step S53, the second party B updates the first parameter second fragment $\langle W_A\rangle_2$ according to the second fragment $\langle\langle G_A\rangle_2\rangle_2$ of the first gradient second part obtained in step S44, which can be expressed as:
$\langle W_A\rangle_2 \leftarrow \langle W_A\rangle_2 - \alpha\langle\langle G_A\rangle_2\rangle_2$
In step S54, the second party B updates the second parameter second fragment $\langle W_B\rangle_2$ according to the second gradient second fragment $\langle G_B\rangle_2$ obtained in step S42, which can be expressed as:
$\langle W_B\rangle_2 \leftarrow \langle W_B\rangle_2 - \alpha\langle G_B\rangle_2$
That is, each parameter fragment is updated by subtracting, from its original value, the product of the preset step size α and the corresponding gradient fragment. It can be understood that steps S51-S54 above can be executed in any order, or in parallel.
It can be seen that the update of the first parameter part $W_A$ is completed jointly by both parties: the first party A updates the first parameter first fragment $\langle W_A\rangle_1$, and the second party B updates the first parameter second fragment $\langle W_A\rangle_2$. The total of the two parties' updates is:
$\langle G_A\rangle_1 + \langle\langle G_A\rangle_2\rangle_1 + \langle\langle G_A\rangle_2\rangle_2$
$= \langle G_A\rangle_1 + \langle G_A\rangle_2$
$= \langle E\rangle_1^T X_A + \langle E\rangle_2^T X_A$
$= E^T X_A$
That is, the product of (the transpose of) the error vector and the first feature matrix $X_A$.
The update of the second parameter part $W_B$ is likewise completed jointly by both parties: the first party A updates the second parameter first fragment $\langle W_B\rangle_1$, and the second party B updates the second parameter second fragment $\langle W_B\rangle_2$. The total of the two parties' updates is:
$\langle G_B\rangle_1 + \langle G_B\rangle_2$
$= G_B = E^T X_B$
That is, the product of (the transpose of) the error vector and the second feature matrix $X_B$.
However, after each round of iteration the two parties do not need to exchange the updated parameter fragments. They proceed directly to the next round, that is, they return to step S21 and execute the first sub-stage again based on the updated parameter fragments. Thus, during the iterative process, neither party holds the complete model parameters, and no plaintext information about the feature matrices is exchanged, which strongly ensures the security of the private data.
When the whole iterative process ends, for example when a preset number of iterations or a predetermined convergence condition is reached, the model reconstruction phase begins.
In the model reconstruction phase, the first party A sends the second parameter first fragment $\langle W_B\rangle_1$ that it has iteratively maintained to the second party B, and the second party B sends the first parameter second fragment $\langle W_A\rangle_2$ that it has iteratively maintained to the first party A.
The first party A reconstructs the trained first parameter part $W_A$ from the first parameter first fragment $\langle W_A\rangle_1$ that it maintains itself and the first parameter second fragment $\langle W_A\rangle_2$ sent by the second party.
The second party B reconstructs the trained second parameter part $W_B$ from the second parameter second fragment $\langle W_B\rangle_2$ that it maintains itself and the second parameter first fragment $\langle W_B\rangle_1$ sent by the first party.
At this point, the first party A and the second party B have jointly completed the training of the linear regression model, and each has obtained the model parameter part, $W_A$ and $W_B$ respectively, used to process its corresponding feature part.
Looking back at the whole training process, the two parties not only exchange no feature data in plaintext, but also split their model parameter parts into parameter fragments. Each party only maintains iterative updates of the parameter fragments, and the model parameters are reconstructed only when the iteration ends. Because each party maintains only fragments of the parameters during the iteration and exchanges only some fragment results, from which it is almost impossible to infer useful information about the private data, the security of the private data during joint training is greatly enhanced.
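The fragment bookkeeping of the four sub-stages and the reconstruction phase can be checked with a short simulation. The following Python is an added example, not code from the patent: the homomorphic-encryption steps and the secure matrix multiplication are replaced by an ideal `share()` functionality that splits a value into two random additive fragments, and exact rational arithmetic, zero initialisation, the sample data, the step size and all function names are assumptions made for illustration.

```python
import random
from fractions import Fraction as F

def matvec(X, w):
    """X (m x n) times w (length n) -> vector of length m."""
    return [sum(x * wj for x, wj in zip(row, w)) for row in X]

def tmatvec(e, X):
    """e^T X for e of length m and X (m x n) -> vector of length n."""
    return [sum(e[i] * X[i][j] for i in range(len(X))) for j in range(len(X[0]))]

def add(u, v):
    return [a + b for a, b in zip(u, v)]

def sub(u, v):
    return [a - b for a, b in zip(u, v)]

def step(w, alpha, g):
    """Fragment update w <- w - alpha * g."""
    return [wi - alpha * gi for wi, gi in zip(w, g)]

def share(v, rng):
    """Ideal additive sharing: (s1, s2) with s1 + s2 == v.
    Stands in for secure matrix multiplication and HE-based secret sharing."""
    s1 = [F(rng.randint(-10**6, 10**6), 1000) for _ in v]
    return s1, sub(v, s1)

def train_shared(XA, XB, Y, alpha, iters, seed):
    rng = random.Random(seed)
    # Initialisation: each parameter part is split; A keeps *1, B keeps *2.
    WA1, WA2 = share([F(0)] * len(XA[0]), rng)
    WB1, WB2 = share([F(0)] * len(XB[0]), rng)
    for _ in range(iters):
        # Sub-stage 1: product fragments <Z>_1 (at A) and <Z>_2 (at B).
        p1, p2 = share(matvec(XA, WA2), rng)    # X_A * <W_A>_2, shared
        q1, q2 = share(matvec(XB, WB1), rng)    # X_B * <W_B>_1, shared
        Z1 = add(add(matvec(XA, WA1), p1), q1)
        Z2 = add(add(matvec(XB, WB2), p2), q2)
        # S22-S31: in the protocol B holds this value only as [E]_a.
        E = sub(add(Z1, Z2), Y)
        E1, E2 = share(E, rng)                       # S32
        GB1, GB2 = share(tmatvec(E, XB), rng)        # S41-S42
        GA1 = tmatvec(E1, XA)                        # S43, local at A
        GA2_1, GA2_2 = share(tmatvec(E2, XA), rng)   # S44
        WA1 = step(WA1, alpha, add(GA1, GA2_1))      # S51 (A)
        WB1 = step(WB1, alpha, GB1)                  # S52 (A)
        WA2 = step(WA2, alpha, GA2_2)                # S53 (B)
        WB2 = step(WB2, alpha, GB2)                  # S54 (B)
    # Reconstruction: fragments are exchanged only after the last iteration.
    return add(WA1, WA2), add(WB1, WB2)

def train_plain(XA, XB, Y, alpha, iters):
    """Reference: the same gradient descent with all data in one place."""
    WA, WB = [F(0)] * len(XA[0]), [F(0)] * len(XB[0])
    for _ in range(iters):
        E = sub(add(matvec(XA, WA), matvec(XB, WB)), Y)
        WA, WB = step(WA, alpha, tmatvec(E, XA)), step(WB, alpha, tmatvec(E, XB))
    return WA, WB

# Constructed sample data: four objects, two features at A, one at B.
XA = [[1, 2], [0, 1], [3, 1], [2, 2]]
XB = [[1], [4], [2], [0]]
Y = [5, 6, 9, 8]
ALPHA = F(1, 50)

if __name__ == "__main__":
    print(train_shared(XA, XB, Y, ALPHA, 5, seed=1))
    print(train_plain(XA, XB, Y, ALPHA, 5))
```

Whatever random fragments are drawn, the reconstructed parameters equal those of ordinary gradient descent on the pooled data, while each party's own fragments during the iterations are offset by random values.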
The joint training of the linear regression model has been described in detail above with reference to Figure 4. The logistic regression scenario is described next. Those skilled in the art understand that, when a logistic regression model is used as the service prediction model, the predicted value can be expressed as:
Figure PCTCN2021080718-appb-000015
It can be seen that the predicted value of the logistic regression model is based on the non-linear sigmoid function, and non-linear functions do not lend themselves to secure computation such as homomorphic encryption.
Therefore, in the case of a logistic regression model, the sigmoid function can be Taylor-expanded to allow linear computation. Specifically, the sigmoid function 1/(1+e^x) admits the following Taylor expansion:
Figure PCTCN2021080718-appb-000016
Correspondingly, the logistic regression predicted value can be expanded as:
Figure PCTCN2021080718-appb-000017
Substituting the above expansion of the predicted value into formula (1) gives the form of the gradient. For example, under the first-order expansion, the gradient has the form
Figure PCTCN2021080718-appb-000018
The gradient under the third-order expansion has the form
Figure PCTCN2021080718-appb-000019
In this way, the Taylor expansion converts the logistic regression predicted value into a form to which homomorphic encryption can be applied. The process shown in Figure 4 can therefore be modified slightly so that the training process applies to the logistic regression model.
Figure 6 is a schematic diagram of the process by which two parties jointly train a logistic regression model according to an embodiment. The training process of Figure 6 is essentially the same as that of Figure 4, except that in step S31, when the encrypted error vector is computed, the encrypted prediction result is obtained from the encrypted product result $[Z]_a$ according to the Taylor expansion of the sigmoid function, and a homomorphic difference operation is performed on the encrypted prediction result and the encrypted value of the label vector Y to obtain the encrypted error vector E.
When the first-order Taylor expansion is used, according to formula (4) the prediction result can be expressed as (0.5+Z/4), and the error term can accordingly be split into (0.5-Y) and Z/4. The approximate encrypted error vector $[E]_a$ under logistic regression can therefore be obtained by the following operation:
$[E]_a = [0.5 - Y]_a - [Z]_a/4$
All other training steps are the same as in Figure 4.
When a multi-order Taylor expansion is used, the multi-order results of wx must additionally be obtained, that is, the encrypted value $[Z^k]_a$ of the multi-order product result $Z^k$. When the encrypted error vector $[E]_a$ is computed, the encrypted prediction result is obtained from the encrypted product result $[Z]_a$ and the encrypted multi-order product $[Z^k]_a$, and only then is a homomorphic difference operation performed on the encrypted prediction result and the encrypted value of the label vector Y to obtain the encrypted error vector.
Specifically, when the third-order expansion is used, that is, k=3, $[Z^3]_a$ must additionally be obtained. To this end, starting from the first product fragment $\langle Z\rangle_1$ and the second product fragment $\langle Z\rangle_2$ computed by the two parties in S21 of Figure 6, higher-order computation and exchange of results can be performed to obtain $[Z^3]_a$. For example, the encrypted value $[Z^3]_a$ of the third-order product result can be computed by the following formula.
Figure PCTCN2021080718-appb-000020
Afterwards, according to formula (5), the encrypted error vector $[E]_a$ can be computed through homomorphic operations on $[Z]_a$, $[Z^3]_a$ and the encrypted label vector Y.
It can be understood that the higher the order of the Taylor expansion, the more accurate the result, but the higher the computational complexity. In principle, however, the higher-order product results can be computed from the lower-order fragments. In this way, for a service prediction model implemented as a logistic regression model, two-party joint training that protects data privacy is achieved in the manner described above.
The above training method is also applicable to service prediction models implemented as neural networks. In a typical feed-forward fully connected neural network, each neuron is connected to each neuron of the previous layer with a different weight. The outputs of the neurons in the previous layer can therefore be regarded as feature data distributed between the two parties, and the connection weights can be regarded as model parameter parts that process the corresponding feature data by linear combination. The training process described above can thus be applied to the parameter training of each neuron in the neural network, achieving secure two-party joint training of the neural network model.
In general, the training method described above can be used for any service prediction model based on a linear combination of feature data and model parameters. In this training method, maintaining the parameters as fragments strongly ensures that private data will not be leaked or inferred, and guarantees data security.
According to an embodiment of another aspect, an apparatus is provided for two parties to jointly train a service prediction model while protecting data privacy. The two parties include a first party and a second party, and the apparatus can be deployed in the second party. The first party stores a first feature matrix $X_A$ composed of the first feature parts of a plurality of business objects; the second party stores a second feature matrix $X_B$ composed of the second feature parts of the plurality of business objects, and a label vector Y composed of label values. The second party can be implemented as any device, platform or device cluster with computing and processing capabilities. Figure 7 is a schematic block diagram of a joint training apparatus deployed in the second party according to an embodiment. As shown in Figure 7, the apparatus 700 includes an iteration unit 710 for iteratively performing model parameter updates multiple times. The iteration unit 710 further includes:
a product fragment calculation unit 711, configured to compute, based on the locally maintained first parameter second fragment and second parameter second fragment, through local matrix multiplication and secure matrix multiplication with the first party, a homomorphically encrypted second encrypted product fragment, and to receive a first encrypted product fragment from the first party; wherein the first parameter second fragment is the second fragment of the first parameter part $W_A$ used to process the first feature part, and the second parameter second fragment is the second fragment of the second parameter part $W_B$ used to process the second feature part;
a product result determination unit 712, configured to homomorphically add the first encrypted product fragment and the second encrypted product fragment to obtain an encrypted product result Z, which corresponds to the encrypted value of the sum of the first product, of the first feature matrix $X_A$ and the first parameter part $W_A$, and the second product, of the second feature matrix $X_B$ and the second parameter part $W_B$;
an error vector determination unit 713, configured to perform a homomorphic operation on the encrypted product result Z and the encrypted value of the label vector Y to obtain an encrypted error vector E, and to secret-share the encrypted error vector E to obtain a second error fragment;
a first gradient determination unit 714, configured to perform matrix multiplication under homomorphic operations on the encrypted error vector E and the second feature matrix $X_B$ to obtain a second encrypted gradient, and to secret-share the second encrypted gradient to obtain a second gradient second fragment;
a second gradient determination unit 715, configured to use the second error fragment to perform secure matrix multiplication with the first feature matrix $X_A$ held by the first party, to obtain the second fragment of the first gradient second part;
a parameter update unit 716, configured to update the second parameter second fragment according to the second gradient second fragment, and to update the first parameter second fragment according to the second fragment of the first gradient second part.
In one embodiment, the apparatus 700 further includes an initialization unit 720, configured to:
initialize the second parameter part $W_B$, split it by secret sharing into a second parameter first fragment and a second parameter second fragment, retain the second parameter second fragment, and send the second parameter first fragment to the first party;
receive from the first party the first parameter second fragment obtained by secret-sharing the first parameter part $W_A$.
According to one implementation, the apparatus 700 further includes a parameter reconstruction unit 730, configured to: send the first parameter second fragment as updated in the last iteration to the first party, and receive the updated second parameter first fragment from the first party;
combine the second parameter second fragment as updated in the last iteration with the received second parameter first fragment to obtain the trained second parameter part $W_B$ of the service prediction model.
In different embodiments, the business objects include one of the following: users, merchants, commodities, events; the service prediction model is used to predict a classification or regression value of the business objects.
In a specific embodiment, the service prediction model is a linear regression model; in this case, the error vector determination unit 713 is configured to compute the homomorphic difference between the encrypted product result Z and the label vector Y as the encrypted error vector E.
In another specific embodiment, the service prediction model is a logistic regression model; in this case, the error vector determination unit 713 is configured to obtain an encrypted prediction result from the encrypted product result Z according to the Taylor expansion of the sigmoid function, and to perform a homomorphic difference operation on the encrypted prediction result and the encrypted value of the label vector Y to obtain the encrypted error vector E.
Further, in one example, the product result determination unit 712 is also configured to compute an encrypted multi-order product at least from the first product fragment and the second product fragment; correspondingly, the error vector determination unit 713 is configured to obtain an encrypted prediction result from the encrypted product result Z and the encrypted multi-order product according to the multi-order Taylor expansion of the sigmoid function, and to perform a homomorphic difference operation on the encrypted prediction result and the encrypted value of the label vector Y to obtain the encrypted error vector E.
In a specific embodiment, the product fragment calculation unit 711 is specifically configured to: use the first parameter second fragment to perform secure matrix multiplication with the first feature matrix $X_A$ held by the first party, obtaining the second fragment of the first-feature second processing result; locally compute the product of the second feature matrix $X_B$ and the second parameter second fragment, obtaining the second-feature first processing result; use the second feature matrix $X_B$ to perform secure matrix multiplication with the second parameter first fragment held by the first party, obtaining the second fragment of the second-feature second processing result; and sum the second fragment of the first-feature second processing result, the second-feature first processing result and the second fragment of the second-feature second processing result, and homomorphically encrypt the sum with the first party's public key to obtain the second encrypted product fragment.
In a specific example, the parameter update unit 716 is configured to update the second parameter second fragment by subtracting the product of the second gradient second fragment and the preset step size.
According to an embodiment of yet another aspect, an apparatus is provided for two parties to jointly train a service prediction model. The apparatus can be deployed in the aforementioned first party, which can be implemented as any device, platform or device cluster with computing and processing capabilities. As described above, the first party stores a first feature matrix $X_A$ composed of the first feature parts of a plurality of business objects; the second party stores a second feature matrix $X_B$ composed of the second feature parts of the plurality of business objects, and a label vector Y composed of label values. Figure 8 is a schematic block diagram of a joint training apparatus deployed in the first party according to an embodiment. As shown in Figure 8, the apparatus 800 includes an iteration unit 810 for iteratively performing model parameter updates multiple times. The iteration unit 810 further includes:
a product fragment calculation unit 811, configured to compute, based on the locally maintained first parameter first fragment and second parameter first fragment, through local matrix multiplication and secure matrix multiplication with the second party, a homomorphically encrypted first encrypted product fragment; wherein the first parameter first fragment is the first fragment of the first parameter part $W_A$ used to process the first feature part, and the second parameter first fragment is the first fragment of the second parameter part $W_B$ used to process the second feature part;
a product fragment sending unit 812, configured to send the first encrypted product fragment to the second party, so that the second party homomorphically adds the first encrypted product fragment and the second encrypted product fragment that it computed, to obtain an encrypted product result Z, which corresponds to the encrypted value of the sum of the first product, of the first feature matrix $X_A$ and the first parameter part $W_A$, and the second product, of the second feature matrix $X_B$ and the second parameter part $W_B$;
an error fragment receiving unit 813, configured to receive from the second party a first error fragment obtained by secret-sharing an encrypted error vector E, wherein the encrypted error vector E is determined by a homomorphic operation on the encrypted product result Z and the encrypted value of the label vector Y;
a first gradient determination unit 814, configured to locally multiply the transpose of the first error fragment by the first feature matrix $X_A$ to obtain the first gradient first part;
a second gradient determination unit 815, configured to use the first feature matrix $X_A$ to perform secure matrix multiplication with the second error fragment retained by the second party, to obtain the first fragment of the first gradient second part;
a third gradient determination unit 816, configured to receive from the second party a second gradient first fragment obtained by secret-sharing the second encrypted gradient;
a parameter update unit 817, configured to update the first parameter first fragment according to the first gradient first part and the first fragment of the first gradient second part, and to update the second parameter first fragment according to the second gradient first fragment.
In one embodiment, the apparatus 800 further includes an initialization unit 820, configured to: initialize the first parameter portion W_A, split it by secret sharing into a first share of the first parameter and a second share of the first parameter, retain the first share of the first parameter, and send the second share of the first parameter to the second party; and receive, from the second party, a first share of the second parameter obtained by secret sharing of the second parameter portion W_B.
According to one implementation, the apparatus 800 further includes a parameter reconstruction unit 830, configured to: send the first share of the second parameter, as updated in the last iteration, to the second party, and receive the updated second share of the first parameter from the second party; and combine the first share of the first parameter, as updated in the last iteration, with the received second share of the first parameter, to obtain the first parameter portion W_A of the trained service prediction model.
According to a specific embodiment, the product share computing unit 811 is specifically configured to: locally compute the product of the first feature matrix X_A and the first share of the first parameter, to obtain a first processing result of the first feature; perform secure matrix multiplication between the first feature matrix X_A and the second share of the first parameter held by the second party, to obtain a first share of a second processing result of the first feature; perform secure matrix multiplication between the first share of the second parameter and the second feature matrix X_B held by the second party, to obtain a first share of a second processing result of the second feature; and sum the first processing result of the first feature, the first share of the second processing result of the first feature, and the first share of the second processing result of the second feature, and homomorphically encrypt the sum with the public key of the first party, to obtain the first encrypted product share.
In one embodiment, the parameter update unit 817 is at least configured to take, as an adjustment amount, the product of a preset step size and the sum of the first part of the first gradient and the first share of the second part of the first gradient, and to update the first share of the first parameter by subtracting the adjustment amount.
The apparatuses described above, deployed at the first party and the second party, implement secure joint training by the two parties that protects data privacy.
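The per-iteration exchange carried out by the two apparatuses above, as an added example that is not part of the patent text: it runs one linear-regression update over additive shares and checks that the reconstructed parameters equal a plaintext gradient step. The toy Paillier scheme, the mask-and-decrypt way of secret-sharing a ciphertext, the `secure_product` stand-in for secure matrix multiplication, the integer arithmetic modulo N, the sample data and all function names are assumptions of this example.

```python
import math
import secrets

# Toy Paillier over two Mersenne primes: constructed, far too small to be secure.
P, Q = 2**31 - 1, 2**61 - 1
N, N2, PHI = P * Q, (P * Q) ** 2, (P - 1) * (Q - 1)
MU = pow(PHI, -1, N)

def enc(m):                  # encrypt under the first party's public key (N)
    r = secrets.randbelow(N - 1) + 1
    while math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 1) + 1
    return (1 + (m % N) * N) * pow(r, N, N2) % N2

def dec(c):                  # only the first party holds PHI and MU
    return (pow(c, PHI, N2) - 1) // N * MU % N

def hadd(c1, c2):            # Enc(a) combined with Enc(b) gives Enc(a + b)
    return c1 * c2 % N2

def hmul(c, k):              # Enc(a) scaled by plaintext k gives Enc(k * a)
    return pow(c, k % N, N2)

def matvec(X, w):            # X w (mod N)
    return [sum(a * b for a, b in zip(row, w)) % N for row in X]

def tmatvec(X, e):           # X^T e (mod N)
    return [sum(X[i][j] * e[i] for i in range(len(X))) % N
            for j in range(len(X[0]))]

def vadd(*vs):
    return [sum(t) % N for t in zip(*vs)]

def share(v):                # additive secret sharing: v = s1 + s2 (mod N)
    s1 = [secrets.randbelow(N) for _ in v]
    return s1, [(x - a) % N for x, a in zip(v, s1)]

def secure_product(product):
    # Stand-in (assumption) for secure matrix multiplication: the simulator
    # computes the product in the clear and gives each party one random share.
    return share(product)

def share_ciphertext(cts):
    # Assumed mechanism: the holder of Enc(v) keeps a random mask as its share
    # and sends Enc(v - mask); the key owner decrypts that as the other share.
    mask = [secrets.randbelow(N) for _ in cts]
    return [dec(hadd(c, enc(-m))) for c, m in zip(cts, mask)], mask

def step(w, g, alpha):       # w <- w - alpha * g (mod N)
    return [(a - alpha * b) % N for a, b in zip(w, g)]

def iteration(XA, XB, Y, WA1, WA2, WB1, WB2, alpha):
    # Product shares: local products plus shares of the two cross terms.
    a1, a2 = secure_product(matvec(XA, WA2))      # X_A times <W_A>_2
    b1, b2 = secure_product(matvec(XB, WB1))      # X_B times <W_B>_1
    z1 = vadd(matvec(XA, WA1), a1, b1)            # first party's sum
    z2 = vadd(a2, matvec(XB, WB2), b2)            # second party's sum
    # Both sums are encrypted under the first party's key and added to Enc(Z).
    encZ = [hadd(enc(u), enc(v)) for u, v in zip(z1, z2)]
    # Second party: homomorphic difference Enc(E) = Enc(Z - Y), then share E.
    encE = [hadd(c, enc(-y)) for c, y in zip(encZ, Y)]
    E1, E2 = share_ciphertext(encE)
    # Second party: Enc(X_B^T E) from plaintext X_B and Enc(E), then share it.
    encGB = []
    for j in range(len(XB[0])):
        acc = enc(0)
        for i in range(len(XB)):
            acc = hadd(acc, hmul(encE[i], XB[i][j]))
        encGB.append(acc)
    GB1, GB2 = share_ciphertext(encGB)
    # First gradient X_A^T E = X_A^T E1 (local) + X_A^T E2 (secure product).
    g1, g2 = secure_product(tmatvec(XA, E2))
    GA1 = vadd(tmatvec(XA, E1), g1)
    return (step(WA1, GA1, alpha), step(WA2, g2, alpha),
            step(WB1, GB1, alpha), step(WB2, GB2, alpha))

def signed(v):               # map residues mod N back to signed integers
    return [x - N if x > N // 2 else x for x in v]

def run_demo():
    # Constructed integer data: 3 samples, 2 features at party A, 1 at party B.
    XA, XB, Y = [[1, 2], [3, 4], [5, 6]], [[1], [0], [2]], [5, 6, 7]
    WA, WB, alpha = [1, 1], [2], 1
    WA1, WA2 = share(WA)     # first party keeps WA1, sends WA2
    WB1, WB2 = share(WB)     # second party keeps WB2, sends WB1
    WA1, WA2, WB1, WB2 = iteration(XA, XB, Y, WA1, WA2, WB1, WB2, alpha)
    # Reference: the same gradient step computed on pooled plaintext.
    E = vadd(matvec(XA, WA), matvec(XB, WB), [-y for y in Y])
    ref_a, ref_b = step(WA, tmatvec(XA, E), alpha), step(WB, tmatvec(XB, E), alpha)
    return (signed(vadd(WA1, WA2)), signed(vadd(WB1, WB2)),
            signed(ref_a), signed(ref_b))

if __name__ == "__main__":
    print(run_demo())
```

In this simulation neither party's share of W_A, W_B, E or the gradients equals the underlying value on its own; only the sum of the two shares does, which is what the final reconstruction step relies on.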
According to an embodiment of another aspect, a computer-readable storage medium is further provided, on which a computer program is stored; when the computer program is executed in a computer, it causes the computer to perform the method described with reference to FIG. 4 to FIG. 5.
According to an embodiment of yet another aspect, a computing device is further provided, including a memory and a processor, wherein the memory stores executable code and the processor, when executing the executable code, implements the method described with reference to FIG. 4 to FIG. 5.
Those skilled in the art should appreciate that, in one or more of the above examples, the functions described in the present invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, these functions may be stored in a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium.
The specific embodiments described above further explain the objectives, technical solutions and beneficial effects of the present invention in detail. It should be understood that the above are only specific embodiments of the present invention and are not intended to limit its scope of protection; any modification, equivalent replacement or improvement made on the basis of the technical solutions of the present invention shall fall within the scope of protection of the present invention.

Claims (22)

  1. A method for two parties to jointly train a service prediction model while protecting data privacy, the two parties including a first party and a second party, wherein the first party stores a first feature matrix X_A composed of first feature portions of a plurality of service objects; the second party stores a second feature matrix X_B composed of second feature portions of the plurality of service objects, and a label vector Y composed of label values; the method is applied to the second party and comprises performing model parameter updates over multiple iterations, wherein each iteration comprises:
    based on a locally maintained second share of the first parameter and second share of the second parameter, computing a homomorphically encrypted second encrypted product share by using matrix multiplication performed directly locally and secure matrix multiplication performed between the second party and the first party, and receiving a first encrypted product share from the first party; wherein the second share of the first parameter is the second share of a first parameter portion W_A used to process the first feature portions, and the second share of the second parameter is the second share of a second parameter portion W_B used to process the second feature portions;
    homomorphically adding the first encrypted product share and the second encrypted product share to obtain an encrypted product result Z, which corresponds to the encrypted value of the sum of a first product, obtained by multiplying the first feature matrix X_A by the first parameter portion W_A, and a second product, obtained by multiplying the second feature matrix X_B by the second parameter portion W_B;
    performing a homomorphic difference operation based on the encrypted product result Z and the encrypted value of the label vector Y to obtain an encrypted error vector E, and secret-sharing the encrypted error vector E to obtain a second error share;
    performing matrix multiplication under homomorphic operation on the encrypted error vector E and the second feature matrix X_B to obtain a second encrypted gradient, and secret-sharing the second encrypted gradient to obtain a second share of the second gradient;
    performing secure matrix multiplication between the second error share and the first feature matrix X_A held by the first party, to obtain a second share of the second part of the first gradient;
    updating the second share of the second parameter according to the second share of the second gradient; and updating the second share of the first parameter according to the second share of the second part of the first gradient.
  2. The method according to claim 1, further comprising, before performing the model parameter updates over multiple iterations:
    initializing the second parameter portion W_B, splitting it by secret sharing into a first share of the second parameter and a second share of the second parameter, retaining the second share of the second parameter, and sending the first share of the second parameter to the first party;
    receiving, from the first party, the second share of the first parameter obtained by secret sharing of the first parameter portion W_A.
  3. The method according to claim 1, further comprising, after performing the model parameter updates over multiple iterations:
    sending the second share of the first parameter, as updated in the last iteration, to the first party, and receiving the updated first share of the second parameter from the first party;
    combining the second share of the second parameter, as updated in the last iteration, with the received first share of the second parameter, to obtain the second parameter portion W_B of the trained service prediction model.
  4. The method according to claim 1, wherein the service objects include one of the following: users, merchants, commodities, events; and the service prediction model is used to predict a classification or a regression value of the service objects.
  5. The method according to claim 1, wherein the service prediction model is a linear regression model;
    the performing a homomorphic difference operation based on the encrypted product result Z and the encrypted value of the label vector Y to obtain an encrypted error vector E comprises:
    computing the homomorphic difference between the encrypted product result Z and the label vector Y as the encrypted error vector E.
  6. The method according to claim 1, wherein the service prediction model is a logistic regression model;
    the performing a homomorphic difference operation based on the encrypted product result Z and the encrypted value of the label vector Y to obtain an encrypted error vector E comprises:
    obtaining an encrypted prediction result from the encrypted product result Z according to the Taylor expansion of the sigmoid function, and performing a homomorphic difference operation on the encrypted prediction result and the encrypted value of the label vector Y to obtain the encrypted error vector E.
  7. The method according to claim 6, further comprising, before obtaining the encrypted error vector E, computing an encrypted multi-order product at least according to the first product share and the second product share;
    the obtaining the encrypted error vector E comprises:
    obtaining an encrypted prediction result from the encrypted product result Z and the encrypted multi-order product according to the multi-order Taylor expansion of the sigmoid function, and performing a homomorphic difference operation on the encrypted prediction result and the encrypted value of the label vector Y to obtain the encrypted error vector E.
  8. The method according to claim 1, wherein computing the homomorphically encrypted second encrypted product share comprises:
    performing secure matrix multiplication between the second share of the first parameter and the first feature matrix X_A held by the first party, to obtain a second share of a second processing result of the first feature;
    locally computing the product of the second feature matrix X_B and the second share of the second parameter, to obtain a first processing result of the second feature;
    performing secure matrix multiplication between the second feature matrix X_B and the first share of the second parameter held by the first party, to obtain a second share of a second processing result of the second feature;
    summing the second share of the second processing result of the first feature, the first processing result of the second feature, and the second share of the second processing result of the second feature, and homomorphically encrypting the sum with the public key of the first party, to obtain the second encrypted product share.
  9. The method according to claim 1, wherein updating the second share of the second parameter according to the second share of the second gradient comprises: updating the second share of the second parameter by subtracting the product of the second share of the second gradient and a preset step size.
  10. A method for two parties to jointly train a service prediction model while protecting data privacy, the two parties including a first party and a second party, wherein the first party stores a first feature matrix X_A composed of first feature portions of a plurality of service objects; the second party stores a second feature matrix X_B composed of second feature portions of the plurality of service objects, and a label vector Y composed of label values; the method is applied to the first party and comprises performing model parameter updates over multiple iterations, wherein each iteration comprises:
    based on a locally maintained first share of the first parameter and first share of the second parameter, computing a homomorphically encrypted first encrypted product share by using matrix multiplication performed directly locally and secure matrix multiplication performed between the first party and the second party; wherein the first share of the first parameter is the first share of a first parameter portion W_A used to process the first feature portions, and the first share of the second parameter is the first share of a second parameter portion W_B used to process the second feature portions;
    sending the first encrypted product share to the second party, so that the second party homomorphically adds the first encrypted product share to the second encrypted product share that it has computed, to obtain an encrypted product result Z, which corresponds to the encrypted value of the sum of a first product, obtained by multiplying the first feature matrix X_A by the first parameter portion W_A, and a second product, obtained by multiplying the second feature matrix X_B by the second parameter portion W_B;
    receiving, from the second party, a first error share obtained by secret sharing of an encrypted error vector E, wherein the encrypted error vector E is determined by a homomorphic difference operation on the encrypted product result Z and the encrypted value of the label vector Y;
    locally multiplying the transpose of the first error share by the first feature matrix X_A, to obtain a first part of the first gradient;
    performing secure matrix multiplication between the first feature matrix X_A and the second error share retained by the second party, to obtain a first share of the second part of the first gradient;
    receiving, from the second party, a first share of the second gradient obtained by secret sharing of the second encrypted gradient;
    updating the first share of the first parameter according to the first part of the first gradient and the first share of the second part of the first gradient; and updating the first share of the second parameter according to the first share of the second gradient.
  11. The method according to claim 10, further comprising, before performing the model parameter updates over multiple iterations:
    initializing the first parameter portion W_A, splitting it by secret sharing into a first share of the first parameter and a second share of the first parameter, retaining the first share of the first parameter, and sending the second share of the first parameter to the second party;
    receiving, from the second party, the first share of the second parameter obtained by secret sharing of the second parameter portion W_B.
  12. The method according to claim 10, further comprising, after performing the model parameter updates over multiple iterations:
    sending the first share of the second parameter, as updated in the last iteration, to the second party, and receiving the updated second share of the first parameter from the second party;
    combining the first share of the first parameter, as updated in the last iteration, with the received second share of the first parameter, to obtain the first parameter portion W_A of the trained service prediction model.
  13. The method according to claim 10, wherein computing the homomorphically encrypted first encrypted product share comprises:
    locally computing the product of the first feature matrix X_A and the first share of the first parameter, to obtain a first processing result of the first feature;
    performing secure matrix multiplication between the first feature matrix X_A and the second share of the first parameter held by the second party, to obtain a first share of a second processing result of the first feature;
    performing secure matrix multiplication between the first share of the second parameter and the second feature matrix X_B held by the second party, to obtain a first share of a second processing result of the second feature;
    summing the first processing result of the first feature, the first share of the second processing result of the first feature, and the first share of the second processing result of the second feature, and homomorphically encrypting the sum with the public key of the first party, to obtain the first encrypted product share.
  14. The method according to claim 10, wherein updating the first share of the first parameter according to the first part of the first gradient and the first share of the second part of the first gradient comprises: taking, as an adjustment amount, the product of a preset step size and the sum of the first part of the first gradient and the first share of the second part of the first gradient, and updating the first share of the first parameter by subtracting the adjustment amount.
  15. An apparatus for two parties to jointly train a service prediction model while protecting data privacy, the two parties including a first party and a second party, wherein the first party stores a first feature matrix X_A composed of first feature portions of a plurality of service objects; the second party stores a second feature matrix X_B composed of second feature portions of the plurality of service objects, and a label vector Y composed of label values; the apparatus is deployed at the second party and comprises an iteration unit for performing model parameter updates over multiple iterations, the iteration unit further comprising:
    a product share computing unit, configured to compute, based on a locally maintained second share of the first parameter and second share of the second parameter, a homomorphically encrypted second encrypted product share by using matrix multiplication performed directly locally and secure matrix multiplication performed between the second party and the first party, and to receive a first encrypted product share from the first party; wherein the second share of the first parameter is the second share of a first parameter portion W_A used to process the first feature portions, and the second share of the second parameter is the second share of a second parameter portion W_B used to process the second feature portions;
    a product result determining unit, configured to homomorphically add the first encrypted product share and the second encrypted product share to obtain an encrypted product result Z, which corresponds to the encrypted value of the sum of a first product, obtained by multiplying the first feature matrix X_A by the first parameter portion W_A, and a second product, obtained by multiplying the second feature matrix X_B by the second parameter portion W_B;
    an error vector determining unit, configured to perform a homomorphic difference operation based on the encrypted product result Z and the encrypted value of the label vector Y to obtain an encrypted error vector E, and to secret-share the encrypted error vector E to obtain a second error share;
    a first gradient determining unit, configured to perform matrix multiplication under homomorphic operation on the encrypted error vector E and the second feature matrix X_B to obtain a second encrypted gradient, and to secret-share the second encrypted gradient to obtain a second share of the second gradient;
    a second gradient determining unit, configured to perform secure matrix multiplication between the second error share and the first feature matrix X_A held by the first party, to obtain a second share of the second part of the first gradient;
    a parameter update unit, configured to update the second share of the second parameter according to the second share of the second gradient, and to update the second share of the first parameter according to the second share of the second part of the first gradient.
  16. The apparatus according to claim 15, further comprising an initialization unit configured to:
    initialize the second parameter portion W_B, split it by secret sharing into a first share of the second parameter and a second share of the second parameter, retain the second share of the second parameter, and send the first share of the second parameter to the first party;
    receive, from the first party, the second share of the first parameter obtained by secret sharing of the first parameter portion W_A.
  17. The apparatus according to claim 15, further comprising a parameter reconstruction unit configured to: send the second share of the first parameter, as updated in the last iteration, to the first party, and receive the updated first share of the second parameter from the first party;
    combine the second share of the second parameter, as updated in the last iteration, with the received first share of the second parameter, to obtain the second parameter portion W_B of the trained service prediction model.
  18. An apparatus for two parties to jointly train a service prediction model while protecting data privacy, the two parties including a first party and a second party, wherein the first party stores a first feature matrix X_A composed of first feature portions of a plurality of service objects; the second party stores a second feature matrix X_B composed of second feature portions of the plurality of service objects, and a label vector Y composed of label values; the apparatus is deployed at the first party and comprises an iteration unit for performing model parameter updates over multiple iterations, the iteration unit further comprising:
    a product share computing unit, configured to compute, based on a locally maintained first share of the first parameter and first share of the second parameter, a homomorphically encrypted first encrypted product share by using matrix multiplication performed directly locally and secure matrix multiplication performed between the first party and the second party; wherein the first share of the first parameter is the first share of a first parameter portion W_A used to process the first feature portions, and the first share of the second parameter is the first share of a second parameter portion W_B used to process the second feature portions;
    a product share sending unit, configured to send the first encrypted product share to the second party, so that the second party homomorphically adds the first encrypted product share to the second encrypted product share that it has computed, to obtain an encrypted product result Z, which corresponds to the encrypted value of the sum of a first product, obtained by multiplying the first feature matrix X_A by the first parameter portion W_A, and a second product, obtained by multiplying the second feature matrix X_B by the second parameter portion W_B;
    an error share receiving unit, configured to receive, from the second party, a first error share obtained by secret sharing of an encrypted error vector E, wherein the encrypted error vector E is determined by a homomorphic difference operation on the encrypted product result Z and the encrypted value of the label vector Y;
    a first gradient determining unit, configured to locally multiply the transpose of the first error share by the first feature matrix X_A, to obtain a first part of the first gradient;
    a second gradient determining unit, configured to perform secure matrix multiplication between the first feature matrix X_A and the second error share retained by the second party, to obtain a first share of the second part of the first gradient;
    a third gradient determining unit, configured to receive, from the second party, a first share of the second gradient obtained by secret sharing of the second encrypted gradient;
    a parameter update unit, configured to update the first share of the first parameter according to the first part of the first gradient and the first share of the second part of the first gradient, and to update the first share of the second parameter according to the first share of the second gradient.
  19. The apparatus according to claim 18, further comprising an initialization unit configured to:
    initialize the first parameter portion W_A, split it by secret sharing into a first share of the first parameter and a second share of the first parameter, retain the first share of the first parameter, and send the second share of the first parameter to the second party;
    receive, from the second party, the first share of the second parameter obtained by secret sharing of the second parameter portion W_B.
  20. The apparatus according to claim 18, further comprising a parameter reconstruction unit configured to:
    send the first share of the second parameter, as updated in the last iteration, to the second party, and receive the updated second share of the first parameter from the second party;
    combine the first share of the first parameter, as updated in the last iteration, with the received second share of the first parameter, to obtain the first parameter portion W_A of the trained service prediction model.
  21. 一种计算机可读存储介质,其上存储有计算机程序,当所述计算机程序在计算机中执行时,令计算机执行权利要求1-14中任一项的所述的方法。A computer-readable storage medium having a computer program stored thereon, and when the computer program is executed in a computer, the computer is caused to execute the method according to any one of claims 1-14.
  22. 一种计算设备,包括存储器和处理器,其特征在于,所述存储器中存储有可执行代码,所述处理器执行所述可执行代码时,实现权利要求1-14中任一项所述的方法。A computing device, comprising a memory and a processor, characterized in that executable code is stored in the memory, and when the processor executes the executable code, the method described in any one of claims 1-14 is implemented. method.
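The share handling in claims 18 to 20 (splitting W_A into two fragments, updating each fragment from gradient fragments, and recombining after the last iteration) can be traced in a short simulation. This is an added example, not code from the patent. It assumes additive shares over the ring Z_2^64, a learning rate of 1, no fixed-point encoding, and a dealer-supplied Beaver triple as a stand-in for the secure matrix multiplication, which this section does not specify; all function names and sample values are hypothetical.

```python
import secrets

MOD = 2 ** 64  # ring for additive shares (assumed; the claims do not fix one)

def rand(rows, cols):
    return [[secrets.randbelow(MOD) for _ in range(cols)] for _ in range(rows)]

def add(a, b, sign=1):
    """Element-wise a + sign*b in the ring."""
    return [[(x + sign * y) % MOD for x, y in zip(r, s)] for r, s in zip(a, b)]

def matmul(a, b):
    return [[sum(x * y for x, y in zip(row, col)) % MOD for col in zip(*b)] for row in a]

def share(m):
    """Split m into two additive fragments: m = s1 + s2 (mod MOD)."""
    s1 = rand(len(m), len(m[0]))
    return s1, add(m, s1, -1)

def secure_matmul(x_a, e_b):
    """A holds x_a, B holds e_b; returns fragments of x_a @ e_b.
    Stand-in technique: Beaver triple (U, V, Z = U @ V) from a dealer."""
    u, v = rand(len(x_a), len(x_a[0])), rand(len(e_b), len(e_b[0]))
    z1, z2 = share(matmul(u, v))      # dealer: (U, z1) to A, (V, z2) to B
    d = add(x_a, u, -1)               # A -> B: X_A masked by U
    f = add(e_b, v, -1)               # B -> A: E_2 masked by V
    share_a = add(matmul(d, f), add(matmul(u, f), z1))  # D@F + U@F + z1
    share_b = add(matmul(d, v), z2)                     # D@V + z2
    return share_a, share_b

def train_step(x_a_t, w1, w2, e1, e2):
    """One update of both fragments of W_A (learning rate 1, assumed)."""
    g_part1 = matmul(x_a_t, e1)            # first part: A computes locally
    g2_a, g2_b = secure_matmul(x_a_t, e2)  # second part: fragments of X_A^T @ E_2
    w1 = add(w1, add(g_part1, g2_a), -1)   # A updates its fragment
    w2 = add(w2, g2_b, -1)                 # B updates its fragment
    return w1, w2

def reconstruct(s1, s2):
    return add(s1, s2)

def demo():
    x_a_t = [[1, 2, 3], [4, 5, 6]]  # X_A^T, 2 features x 3 samples (constructed)
    w_a = [[10], [20]]              # initial W_A (constructed)
    e = [[1], [MOD - 2], [3]]       # error vector, -2 encoded mod MOD (constructed)
    w1, w2 = share(w_a)
    e1, e2 = share(e)
    w1, w2 = train_step(x_a_t, w1, w2, e1, e2)
    return reconstruct(w1, w2)      # equals W_A - X_A^T @ E
```

Each triple must be used for one multiplication only: if U or V is reused, the peer can subtract two masked messages and learn the difference of the underlying private inputs.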
PCT/CN2021/080718 2020-04-01 2021-03-15 Method and device for jointly training service prediction model by two parties for protecting data privacy WO2021197035A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010251506.5A CN111160573B (en) 2020-04-01 2020-04-01 Method and device for protecting business prediction model of data privacy joint training by two parties
CN202010251506.5 2020-04-01

Publications (1)

Publication Number Publication Date
WO2021197035A1 true WO2021197035A1 (en) 2021-10-07

Family

ID=70567693

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/080718 WO2021197035A1 (en) 2020-04-01 2021-03-15 Method and device for jointly training service prediction model by two parties for protecting data privacy

Country Status (2)

Country Link
CN (1) CN111160573B (en)
WO (1) WO2021197035A1 (en)

Also Published As

Publication number Publication date
CN111160573B (en) 2020-06-30
CN111160573A (en) 2020-05-15

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21782123

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21782123

Country of ref document: EP

Kind code of ref document: A1