WO2021239008A1 - 一种基于隐私保护的加密方法和系统 - Google Patents

一种基于隐私保护的加密方法和系统 Download PDF

Info

Publication number
WO2021239008A1
WO2021239008A1 PCT/CN2021/096168 CN2021096168W WO2021239008A1 WO 2021239008 A1 WO2021239008 A1 WO 2021239008A1 CN 2021096168 W CN2021096168 W CN 2021096168W WO 2021239008 A1 WO2021239008 A1 WO 2021239008A1
Authority
WO
WIPO (PCT)
Prior art keywords
formula
calculation
disturbance
random number
result
Prior art date
Application number
PCT/CN2021/096168
Other languages
English (en)
French (fr)
Inventor
谭晋
王磊
Original Assignee
支付宝(杭州)信息技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 支付宝(杭州)信息技术有限公司 filed Critical 支付宝(杭州)信息技术有限公司
Publication of WO2021239008A1 publication Critical patent/WO2021239008A1/zh

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/008Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Definitions

  • This manual relates to the field of information security, in particular to an encryption method and system based on privacy protection.
  • Secure Multi-Party Computation is a multi-party calculation method that protects data security and privacy. Secure multi-party computing allows multiple parties holding their own private data to jointly execute a calculation logic and obtain the calculation result. During the participation process, each party will not leak their own private data.
  • One of the embodiments of this specification provides an encryption method based on privacy protection.
  • the method includes: obtaining a ciphertext that the data owner encrypts the data through a semi-homomorphic encryption algorithm; performing a first calculation on the ciphertext based on an algorithm held by a computing server to obtain a standard formula; the standard formula Calculation for the data owner; generating a random number; perturbing the standard formula based on the random number to obtain a disturbance formula; sending the disturbance formula to the data owner for calculation to obtain the result of the disturbance formula Obtain an encrypted perturbed result obtained by the data owner encrypting the perturbed result based on the semi-homomorphic encryption algorithm; obtain an encrypted result based on the encrypted perturbed result, standard formula, random number and the perturbation.
  • the system includes: a ciphertext obtaining module, which is used to obtain the ciphertext after the data is encrypted by the data owner through a semi-homomorphic encryption algorithm; Perform the first calculation to obtain the standard formula; the standard formula is the calculation performed by the data owner; the random number generation module is used to generate random numbers; the disturbance module is used to perform the standard formula based on the random numbers Disturbed to obtain the disturbed formula; the first sending module is used to send the disturbed formula to the data owner for calculation to obtain the disturbed result; the first receiving module is used to obtain the data owner based on the semi-homomorphic An encrypted disturbed result obtained by encrypting the disturbed result by an encryption algorithm; the first calculation module is further configured to obtain an encrypted result based on the encrypted disturbed result, a standard formula, a random number, and the disturbance.
  • an encryption device based on privacy protection which includes a processor and a storage medium, the storage medium is used to store computer instructions, and the processor is used to execute the computer instructions to implement the aforementioned privacy protection based Encryption method.
  • a computer-readable storage medium stores computer instructions.
  • the above-mentioned encryption method based on privacy protection can be implemented.
  • One of the embodiments of this specification provides an encryption method based on privacy protection.
  • the method includes: encrypting data based on a semi-homomorphic encryption algorithm to obtain a ciphertext and sending it to a computing server; obtaining a disturbance formula sent by the computing server; and decrypting the disturbance formula based on the semi-homomorphic encryption algorithm to obtain decryption Data; calculating the decrypted data to obtain the perturbed result; encrypting the perturbed result based on the semi-homomorphic encryption algorithm to obtain an encrypted perturbed result; sending the encrypted perturbed result to the Computing server.
  • the system includes: an encryption module for encrypting data based on a semi-homomorphic encryption algorithm to obtain a ciphertext and sending it to a computing server; a second receiving module for obtaining the disturbance formula sent by the computing server; a decryption module, based on the The semi-homomorphic encryption algorithm decrypts the perturbed type to obtain decrypted data; the second calculation module calculates the decrypted data to obtain the result of the perturbed type; the encryption module is also used for encrypting based on the semi-homomorphic The algorithm encrypts the disturbed result to obtain an encrypted disturbed result; the second sending module is configured to send the encrypted disturbed result to the computing server.
  • One of the embodiments of this specification provides an encryption device based on privacy protection, which includes a processor and a storage medium, the storage medium is used to store computer instructions, and the processor is used to execute the computer instructions to implement the privacy-based Encryption method of protection.
  • a computer-readable storage medium stores computer instructions.
  • the above-mentioned encryption method based on privacy protection can be implemented.
  • Fig. 1 is a schematic diagram of an application scenario of an encryption system based on privacy protection according to some embodiments of this specification;
  • Fig. 2 is an exemplary flowchart of an encryption method based on privacy protection according to some embodiments of the present specification
  • Fig. 3 is an exemplary calculation flowchart of an encryption method based on privacy protection according to some embodiments of the present specification
  • FIG. 4 is an exemplary flow chart of sending the disturbing formula to the data owner for calculation according to some embodiments of the present specification
  • Fig. 5 is an exemplary flowchart of an encryption method based on privacy protection according to other embodiments of this specification.
  • Fig. 6 is an exemplary system block diagram on the computing server side according to some embodiments of the present specification.
  • Fig. 7 is an exemplary system block diagram on the data owner side according to some embodiments of the present specification.
  • system is a method for distinguishing different components, elements, parts, parts, or assemblies of different levels.
  • the words can be replaced by other expressions.
  • Fig. 1 is a schematic diagram of an application scenario of an encryption system based on privacy protection according to some embodiments of this specification.
  • the encryption system 100 based on privacy protection may include a data owner 110, a computing server 120 and a network 140.
  • the data owner 110 may refer to a node including a user terminal of one party or a user terminal device cluster belonging to one party and connected to the access network through a network interface.
  • the device cluster may be centralized or distributed.
  • the device cluster may be regional or remote.
  • the user terminal may refer to one or more terminal devices or software used by the user.
  • the user terminal may include a processing unit, a display unit, an input/output unit, a perception unit, a storage unit, and so on.
  • the sensing unit may include, but is not limited to, a light sensor, a distance sensor, an acceleration sensor, a gyroscope sensor, a sound detector, etc., or any combination thereof.
  • the user terminal may be one or any combination of other devices with input and/or output functions, such as a mobile device, a tablet computer, a laptop computer, and a desktop computer.
  • the user terminal may be one or more users, may include users who directly use the service, or may include other related users.
  • the computing server 120 may be used for aggregation of multiple data owners 110.
  • the computing server 120 may refer to a node that includes a single device of one party or a device cluster of one party and is connected to an access network through a network interface.
  • the device cluster may be centralized or distributed.
  • the device cluster may be regional or remote.
  • the computing server 120 may include a host, a terminal, and other devices. For example, servers, computers with computing resources, etc.
  • the network 140 may connect various components of the system and/or connect the system and external resource parts.
  • the network 140 enables communication between various components and with other parts outside the system, and facilitates the exchange of data and/or information.
  • the network 140 may be any one or more of a wired network or a wireless network.
  • the network 140 may include a cable network, a fiber optic network, a telecommunication network, the Internet, a local area network (LAN), a wide area network (WAN), a wireless local area network (WLAN), a metropolitan area network (MAN), a public switched telephone network (PSTN), Bluetooth network, ZigBee network (ZigBee), near field communication (NFC), intra-device bus, intra-device wiring, cable connection, etc.
  • the network 140 may include one or more network access points.
  • the network 140 may include wired or wireless network access points, such as base stations and/or network exchange points 140-1, 140-2,... Through these access points, one or more components of the system 100 can be connected to the network 140 to exchange data and/or information.
  • the encryption system 100 based on privacy protection can perform multi-party calculations by implementing the methods and/or processes disclosed in this specification.
  • the multi-party calculation may be data used in various industries, including but not limited to the financial industry, insurance industry, Internet industry, automobile industry, catering industry, telecommunications industry, energy industry, entertainment industry, sports Industry, logistics industry, medical industry, security industry, etc.
  • the data owner 110 when performing secure multi-party calculations, holds a portion of the data. In order to protect the privacy of the data, the data owner 110 needs to encrypt the data before sending the data to the calculation server 120 for calculation. In order to enable operations on the encrypted ciphertext, and the result obtained by decrypting the ciphertext after calculation is the same as the result obtained by the unencrypted calculation, in some embodiments, the data owner 110 adopts a fully homomorphic encryption algorithm to own the data. The data held by the user 110 is encrypted. Homomorphic encryption is to process the homomorphic encrypted data to obtain an output, and then decrypt this output. The result is the same as the output result obtained by processing the unencrypted original data in the same way.
  • Fully homomorphic means that the encrypted data can be multiplied and added at the same time. The result is the same as that of the unencrypted data with the same operation. However, the fully homomorphic encryption algorithm obtains larger ciphertext and high transmission cost. ; And the fully homomorphic encryption algorithm has a limit on the number of multiplication operations. When a certain expected number of multiplication operations is exceeded, the ciphertext will lose homomorphism, so the fully homomorphic encryption algorithm cannot meet the large-scale complex calculation scenarios.
  • the data owner 110 uses secret sharing-based dense multiplication to implement secure multi-party calculations.
  • dense multiplication requires Bill triples, and Bill triples need to be generated by a homomorphic encryption algorithm, so it is ultimately Homomorphic encryption algorithms are required, and multiplication based on secret sharing requires a large amount of data interaction in the online process of secure multi-party calculations, which increases transmission costs.
  • the data owner 110 uses a semi-homomorphic encryption algorithm with no limit on the number of calculations to encrypt the data.
  • Semi-homomorphic encryption can only be a multiplicative homomorphic or additive homomorphic encryption algorithm. According to the nature of homomorphic encryption, the use of a semi-homomorphic encryption algorithm can also reduce the size of the ciphertext and reduce the transmission cost.
  • the calculation server 120 since the calculation server 120 uses the algorithm it holds to perform calculations, it usually includes both multiplication and addition. Therefore, the calculation server 120210 can only perform calculations supported by the ciphertext encrypted by the semi-homomorphic encryption algorithm.
  • the user 110 can perform decryption based on the semi-homomorphic encryption algorithm, so the data owner 110 performs calculations that the calculation server 120 cannot perform.
  • this specification takes the additive homomorphic encryption algorithm as a semi-homomorphic encryption algorithm as an example to describe the disclosed technical solutions in detail, and is not intended to limit the scope of this specification.
  • Fig. 2 is an exemplary flowchart of an encryption method based on privacy protection according to some embodiments of the present specification.
  • One or more operations in the encryption method based on privacy protection shown in FIG. 2 may be implemented by the encryption system 100 based on privacy protection shown in FIG. 1.
  • the encryption method based on privacy protection may be applicable to scenarios where there are more than two data owners, such as three or more data owners 110, and the data owners 110 are on the computing server 120 or successively with the computing server 120. Interaction to achieve large-scale calculations.
  • two parties are mainly used as examples.
  • Step 210 The data owner encrypts the data based on a semi-homomorphic encryption algorithm to obtain a ciphertext and sends it to the computing server.
  • step 210 may be performed by the encryption module 610.
  • the data owned by the data owner may be part of multi-party computing, or it may include data that includes the privacy of the data owner, because there is no unconditional trust between the data owner and the computing server in secure multi-party computing.
  • the data owner needs to encrypt the data and send the encrypted ciphertext to the computing server.
  • the semi-homomorphic encryption algorithm is an additive homomorphic encryption algorithm (such as Paillier algorithm, Benaloh algorithm). It can be understood that an output is obtained by performing addition calculation on multiple data after the additive homomorphic encryption algorithm, and then This output is decrypted, and the result is the same as the output result obtained by processing multiple unencrypted original data with the same addition calculation.
  • an additive homomorphic encryption algorithm such as Paillier algorithm, Benaloh algorithm
  • Step 310 The computing server obtains the ciphertext that the data owner encrypts the data through a semi-homomorphic encryption algorithm.
  • step 310 may be performed by the ciphertext acquisition module 510.
  • the computing server holds the algorithm.
  • the computing server obtains the secret encrypted by the semi-homomorphic encryption algorithm sent by the data owner. Arts.
  • Step 320 The computing server performs a first calculation on the ciphertext based on the algorithm held by the computing server to obtain a standard formula; the standard formula is the calculation performed by the data owner. In some embodiments, step 320 may be performed by the first calculation module 520.
  • the first calculation is the calculation that the calculation server can perform based on the ciphertext.
  • the semi-homomorphic encryption algorithm is an additive semi-homomorphic encryption algorithm.
  • the first calculation can be understood as a calculation in addition to the data owner, for example, the data owner performs a multiplication operation, and the first calculation is other than the multiplication operation. Operations (such as addition and subtraction operations, selection operations).
  • the computing server sorts out the calculations that it cannot perform to obtain the standard formula.
  • the standard formula is the calculation performed by the data owner, that is, the multiplication operation.
  • Fig. 3 is an exemplary calculation flowchart of an encryption method based on privacy protection according to some embodiments of the present specification.
  • FIG. 3 shows the data transmission between the data owner 110 and the computing server 120 and the calculations made by all parties in some embodiments.
  • the standard formula includes a first monomial and a second monomial.
  • the multiplication operation includes two multipliers X and Y. Since the data in the calculation is encrypted by an additive homomorphic encryption algorithm, use [X] and [Y] to represent X respectively.
  • the ciphertext of and Y that is, the standard formula can be expressed as [X]*[Y], where [X] and [Y] are the first and second monomials, respectively.
  • the standard formula may include more than two monomials, such as the third monomial and the fourth monomial.
  • the semi-homomorphic encryption algorithm is a multiplicative homomorphic encryption algorithm
  • the standard formula can be expressed as [X]+[Y].
  • the computing server and the data owner may have reached a consensus on the calculation to be performed.
  • the data owner uses the additive homomorphic encryption algorithm to encrypt the data
  • the calculation performed by the data owner is a multiplication.
  • the standard formula can only include the first monomial and the second monomial, that is, the standard formula can be expressed as [X], [Y], excluding operators.
  • the result of the standard formula is the encryption result of the calculation required in this embodiment, and at the same time, the data owner holds a semi-homomorphic encryption algorithm.
  • the computing server directly sends the standard formula to the data owner, the data owner may be able to deduct the algorithm held by the computing server based on the original data held by the data owner after decrypting the standard formula. It has been explained in step 210 that since there is no unconditional trust between the data owner and the computing server in secure multi-party computing, the computing server needs to protect its algorithm from being leaked. Therefore, before sending the standard formula to the data owner, it is necessary to check Standard form for processing.
  • Step 330 The data owner generates a random number. In some embodiments, step 330 may be performed by the random number generation module 530.
  • the generation of random numbers is a common step in the field of information security, so I won't go into details here.
  • the random number generated by the data owner may be taken from the real number set.
  • Step 340 Perturb the standard formula based on the random number to obtain a disturbance formula.
  • step 340 may be performed by the disturbance module 540.
  • the computing server needs to protect its algorithm from being leaked, so it needs to process the standard formula before sending it to the data owner.
  • the random number generated in step 230 is used to perturb the standard formula, so as to ensure that the algorithm owned by the computing server will not be leaked due to the data owner's inversion or construction of the data.
  • the random number generated in step 330 includes a first random number and a second random number; perturbing the standard formula based on the random number includes: based on the first monomial formula and the first random number Obtain a first disturbance term; obtain a second disturbance term based on the second monomial formula and the second random number; obtain a disturbance formula based on the first disturbance term and the second disturbance term.
  • the disturbance can be a random number and The monomials in the standard formula are multiplied or added (subtracted).
  • the nature of the additive homomorphic encryption algorithm shows that the perturbed formula still has the property of additive homomorphism.
  • the perturbation formula can be expressed as [X-R]*[Y-S] or the operator is omitted.
  • the disturbance can be the multiplication or addition (subtraction) of a random number and the monomial in the standard formula, so the above-mentioned first disturbance term can also be expressed as [X+R], and the second disturbance term can also be expressed as [Y+S].
  • step 330 may also generate only one random number.
  • a random number is used to add (subtract) to disturb the first monomial and the second monomial respectively, which can also realize the disturbance and prevent the algorithm held by the computing server Leakage will not affect the calculation of the encryption result.
  • Step 350 The computing server sends the disturbance formula to the data owner for calculation to obtain the disturbance formula result.
  • step 350 may be performed by the first sending module 550.
  • the random number disturbance to the standard formula will not change the calculation of the standard formula, that is, the disturbance formula is still calculated by the data owner.
  • the calculation performed by the data owner is a multiplication operation. Therefore, after the standard formula is disturbed by random numbers, the disturbance formula obtained is still the form of multiplying two numbers.
  • the calculation performed by the data owner can be understood as a calculation that cannot be performed after the semi-homomorphic encryption algorithm is encrypted. Therefore, when the data owner performs the calculation, the semi-homomorphic encryption algorithm needs to be used to decrypt the perturbation, and then To obtain disturbed results, the specific decryption and calculation methods will be explained in detail from the perspective of the data owner below.
  • FIG. 4 is an exemplary flow chart of sending a disturbance type to the data owner for calculation according to some embodiments of the present specification. In some embodiments, the flow in FIG. 4 may be executed by the data owner.
  • Step 220 The data owner obtains the disturbance formula sent by the computing server. In some embodiments, step 220 may be performed by the second receiving module 620.
  • the data owner obtains the disturbance formula sent by the computing server.
  • step 230 the data owner obtains decrypted data by perturbed decryption based on the semi-homomorphic encryption algorithm.
  • step 230 may be performed by the decryption module 630.
  • the data owner can use the key of the semi-homomorphic encryption algorithm he holds to decrypt the perturbed type to obtain the decrypted data.
  • the semi-homomorphic encryption algorithm is continued to be used as an example, and the decrypted data obtained after the data owner decrypts the perturbed formula is an equation in which two perturbed numbers or two perturbed numbers are multiplied.
  • Step 240 The data owner calculates the decrypted data to obtain the disturbed result.
  • step 240 may be performed by the second calculation module 640.
  • the decrypted data obtained by decryption is calculated by the data owner, that is, two disturbed numbers are multiplied.
  • Step 250 Encrypt the disturbed result based on the semi-homomorphic encryption algorithm to obtain an encrypted disturbed result.
  • step 250 may be performed by the encryption module 610.
  • the disturbed result obtained by calculation is plaintext.
  • the result needs to be encrypted before the data owner sends the disturbed result.
  • the computing server since the result of the disturbance is sent to the computing server, the computing server may still need to perform the next operation.
  • the semi-homomorphic encryption algorithm can still be used for encryption, that is, the data owner performs the disturbance based on the semi-homomorphic encryption algorithm.
  • the result of the formula is encrypted, and the result of the encrypted disturbing formula is obtained.
  • the result of the encrypted perturbation (X-R)*(Y-S) is plaintext, and the encrypted perturbed result obtained by encrypting it can be expressed as [(X-R)*(Y-S)].
  • Step 260 The data owner sends the encrypted disturbed result to the computing server.
  • step 260 may be performed by the second sending module 650.
  • the data owner sends the disturbed result encrypted by the semi-homomorphic encryption algorithm to the computing server for the next calculation.
  • Step 360 is used to obtain an encrypted disturbed result obtained by the data owner encrypting the disturbed result based on the semi-homomorphic encryption algorithm.
  • step 360 may be performed by the first receiving module 560.
  • Step 370 The computing server obtains the encryption result based on the encryption disturbance type result, the standard formula, the random number and the disturbance. In some embodiments, step 370 may be performed by the first calculation module 520.
  • the computing server is based on the encrypted perturbation result, the standard formula, the random number and the perturbation. Get the encrypted result.
  • the computing server encrypts the result of the perturbed expression, the product of the first monomial and the first random number in a perturbed manner according to the multiplication calculation rule, The product of the second monomial and the second random number and the product of the first random number and the second random number are processed to obtain the encryption result.
  • the encryption result [X*Y] can be obtained by calculating the formula (2).
  • the encryption result is still in the form of semi-homomorphic encryption, but the calculation of [X]*[Y] that cannot be completed by the computing server is completed, the whole process of computing the server The algorithm held by it has not been leaked, and the data owner has not leaked the data held by it.
  • equation (1) can be written as:
  • Equation (3) The encryption result obtained by calculation is [X*Y]. It can be understood that the way the computing server disturbs will not affect the calculation of the encryption result.
  • the random number is one, assuming it is R, the above formula (1) can be expressed as:
  • Fig. 5 is an exemplary flowchart of an encryption method based on privacy protection according to other embodiments of this specification.
  • One or more operations in the encryption method 400 based on privacy protection shown in FIG. 5 can also be implemented by the encryption system 100 based on privacy protection shown in FIG. 1.
  • Steps 210 to 360 in FIG. 5 are the same as the encryption method based on privacy protection shown in some embodiments in FIG. 2, except that:
  • Step 380 The computing server performs a first calculation on the encryption result based on the algorithm held by the computing server to obtain the standard formula.
  • the encryption result obtained by the computing server may only be a part of the secure multi-party calculation, and after obtaining the encryption result, it may be necessary to perform the next calculation on the data.
  • the encrypted result can still only be subjected to the first calculation, so the computing server performs the first calculation on the encrypted result based on the algorithm held by the computing server, and the standard formula is obtained by sorting again.
  • the standard formula can be disturbed and calculated in the manner in the above-mentioned embodiment until the final result of the safe multi-party calculation is obtained.
  • steps 210 to 260 and steps 310 to 380 can be performed independently, and there is no necessary sequence for the two sets of steps. In some embodiments, from the perspective of the data owner, other steps can be interspersed before and after any of steps 310 to 380.
  • the computing server performs the first calculation on the ciphertext based on the algorithm held by the computing server to obtain the standard
  • the formula may be that the computing server sorts the ciphertext into a standard formula before performing the first calculation.
  • Fig. 6 is an exemplary system block diagram on the computing server side according to some embodiments of the present specification.
  • the encryption system 500 based on privacy protection may include a ciphertext acquisition module 510, a first calculation module 520, a random number generation module 530, a disturbance module 540, a first sending module 550 and a first receiving module 560.
  • These modules can also be implemented as applications or a set of instructions read and executed by the processing engine.
  • the module can be any combination of hardware circuits and applications/instructions. For example, when the processing engine or processor executes an application program/a set of instructions, the module may be a part of the processor.
  • the ciphertext obtaining module 510 may be used to obtain the ciphertext after the data owner encrypts the data through a semi-homomorphic encryption algorithm.
  • the first calculation module 520 may be configured to perform a first calculation on the ciphertext based on an algorithm held by the calculation server to obtain a standard formula; the standard formula is a calculation performed by the data owner.
  • the random number generation module 530 is used to generate random numbers; more descriptions about random numbers can be found elsewhere in this specification (such as step 330 and related descriptions), and will not be repeated here.
  • the disturbance module 540 is configured to perturb the standard formula based on the random number to obtain a disturbance formula.
  • the first sending module 550 may be used to send the disturbance type to the data owner for calculation to obtain the disturbance type result.
  • the first receiving module 560 may be configured to obtain an encrypted disturbed result obtained by the data owner encrypting the disturbed result based on the semi-homomorphic encryption algorithm.
  • the first calculation module 520 may also be used to obtain an encryption result based on the encryption disturbance type result, standard formula, random number and the disturbance.
  • the semi-homomorphic encryption algorithm in the ciphertext acquisition module 510 is an additive homomorphic encryption algorithm; the calculation performed by the data owner in the first calculation module 520 is a multiplication calculation.
  • the first sending module 550 sends the disturbed type to the data owner for calculation to obtain the disturbed result including: the data owner decrypts the disturbed type based on the additive homomorphic encryption algorithm to obtain Decrypted data; calculating the decrypted data to obtain the disturbed result.
  • the standard formula generated by the first calculation module 520 includes a first monomial and a second monomial.
  • the random number generated by the random number generation module 530 includes a first random number and a second random number; the perturbation of the standard formula based on the random number in the perturbation module 540 includes: based on the first monomial formula A first disturbance term is obtained with the first random number; a second disturbance term is obtained based on the second monomial formula and the second random number; a disturbance formula is obtained based on the first disturbance term and the second disturbance term.
  • the first calculation module 520 is further configured to perform a first calculation on the encryption result based on an algorithm held by the calculation server to obtain the standard formula.
  • Fig. 7 is an exemplary system block diagram on the data owner side according to some embodiments of the present specification.
  • the encryption system 600 based on privacy protection may include an encryption module 610, a second receiving module 620, a decryption module 630, a second calculation module 640, and a second sending module 650.
  • These modules can also be implemented as applications or a set of instructions read and executed by the processing engine.
  • the module can be any combination of hardware circuits and applications/instructions. For example, when the processing engine or processor executes an application program/a set of instructions, the module may be a part of the processor.
  • the encryption module 610 is configured to encrypt the data based on a semi-homomorphic encryption algorithm to obtain a ciphertext and send it to the computing server.
  • the second receiving module 620 is configured to obtain the disturbance formula sent by the computing server.
  • the decryption module 630 based on the semi-homomorphic encryption algorithm, decrypts the disturbed decryption to obtain decrypted data.
  • the second calculation module 640 calculates the decrypted data to obtain the result of the disturbance formula.
  • the encryption module 610 is further configured to encrypt the disturbed result based on the semi-homomorphic encryption algorithm to obtain an encrypted disturbed result.
  • the second sending module 650 is configured to send the encrypted disturbed result to the computing server.
  • the disturbance formula in the second receiving module 620 includes: performing a first calculation on the ciphertext based on an algorithm held by the computing server to obtain a standard formula; the standard formula is performed by the data owner Calculate; generate a random number; perturb the standard formula based on the random number to obtain a disturbance formula.
  • the semi-homomorphic encryption algorithm in the encryption module 610 is an additive homomorphic encryption algorithm; the calculation performed by the data owner is a multiplication calculation.
  • the devices and modules shown in FIG. 5 and FIG. 6 can be implemented in various ways.
  • the device and its modules may be implemented by hardware, software, or a combination of software and hardware.
  • the hardware part can be implemented using dedicated logic;
  • the software part can be stored in a memory and executed by an appropriate instruction execution device, such as a microprocessor or dedicated design hardware.
  • the above-mentioned methods and devices can be implemented using computer-executable instructions and/or included in processor control code, for example on a carrier medium such as a disk, CD or DVD-ROM, such as a read-only memory (firmware Such codes are provided on a programmable memory or a data carrier such as an optical or electronic signal carrier.
  • the device and its modules in this specification can not only be implemented by hardware circuits such as very large scale integrated circuits or gate arrays, semiconductors such as logic chips, transistors, etc., or programmable hardware devices such as field programmable gate arrays, programmable logic devices, etc. It can also be implemented by, for example, software executed by various types of processors, or can be implemented by a combination of the above-mentioned hardware circuit and software (for example, firmware).
  • the encryption module 610 and the decryption module 630 in FIG. 6 may be the same module, and any module performs encryption and decryption based on the same encryption algorithm; the first sending module 550 and the first receiving module 560 in FIG. 5 may be the same module.
  • a sending module 550 is used to obtain data and send the data.
  • each module in an encryption system based on privacy protection can be located on the same server or belong to different servers. Such deformations are all within the protection scope of this specification.
  • the possible beneficial effects brought by the embodiments of this specification include but are not limited to: (1) The data owner and the computing server are transmitted in ciphertext, which guarantees the data and calculation of the data owner on the premise that secure multi-party calculations can be completed. The server's algorithm is not leaked; (2) The semi-homomorphic encryption algorithm is used to encrypt the data. Compared with the scheme that uses the fully homomorphic encryption algorithm, the number of calculations is not limited, which is suitable for large-scale computing scenarios; (3) ) The scheme of adopting a semi-homomorphic encryption algorithm, compared with the scheme of using Beer triplet, greatly reduces the size of the ciphertext and reduces the transmission cost.
  • the possible beneficial effects may be any one or a combination of the above, or any other beneficial effects that may be obtained.
  • a computer storage medium may contain a propagated data signal containing a computer program code, for example on a baseband or as part of a carrier wave.
  • the propagated signal may have multiple manifestations, including electromagnetic forms, optical forms, etc., or suitable combinations.
  • the computer storage medium may be any computer readable medium other than the computer readable storage medium, and the medium may be connected to an instruction execution system, device, or device to realize communication, dissemination, or transmission of the program for use.
  • the program code located on the computer storage medium can be transmitted through any suitable medium, including radio, cable, fiber optic cable, RF, or similar medium, or any combination of the above medium.
  • numbers describing the number of ingredients and attributes are used. It should be understood that such numbers used in the description of the embodiments use the modifiers "approximately”, “approximately” or “substantially” in some examples. Retouch. Unless otherwise stated, “approximately”, “approximately” or “substantially” indicates that the number is allowed to vary by ⁇ 20%.
  • the numerical parameters used in the description and claims are approximate values, and the approximate values can be changed according to the required characteristics of individual embodiments. In some embodiments, the numerical parameter should consider the prescribed effective digits and adopt the method of general digit retention. Although the numerical ranges and parameters used to confirm the breadth of the ranges in some embodiments of this specification are approximate values, in specific embodiments, the setting of such numerical values is as accurate as possible within the feasible range.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

本说明书实施例公开了一种基于隐私保护的加密方法。所述方法包括:获取数据拥有者对所述数据通过半同态加密算法加密后的密文;所述密文进行第一计算,得到标准式;所述标准式为所述数据拥有者进行的计算;生成随机数;基于所述随机数对所述标准式进行扰动,得到扰动式;将所述扰动式发送至所述数据拥有者进行计算得到扰动式的结果;获取加密扰动式结果;基于加密扰动式结果、标准式、随机数和所述扰动得到加密结果。

Description

一种基于隐私保护的加密方法和系统 技术领域
本说明书涉及信息安全领域,特别涉及一种基于隐私保护的加密方法和系统。
背景技术
安全多方计算(Secure Multi-Party Computation),是一种保护数据安全隐私的多方计算方法。安全多方计算允许多个持有各自私有数据的参与方,共同执行一个计算逻辑,并获得计算结果,参与过程中,每一方均不会泄漏各自的私有数据。
在进行多方安全计算过程中,通常各参与方之间并不完全信任,故除了保证计算能够顺利进行前提下,还需要保证各方数据的安全性。
发明内容
本说明书实施例之一提供一种基于隐私保护的加密方法。所述方法包括:获取数据拥有者对所述数据通过半同态加密算法加密后的密文;基于计算服务器持有的算法对所述密文进行第一计算,得到标准式;所述标准式为所述数据拥有者进行的计算;生成随机数;基于所述随机数对所述标准式进行扰动,得到扰动式;将所述扰动式发送至所述数据拥有者进行计算得到扰动式的结果;获取数据拥有者基于所述半同态加密算法对所述扰动式的结果加密得到的加密扰动式结果;基于加密扰动式结果、标准式、随机数和所述扰动得到加密结果。
本说明书实施例之一提供一种基于隐私保护的加密系统。该系统包括:密文获取模块,用于获取数据拥有者对所述数据通过半同态加密算法加密后的密文;第一计算模块,用于基于计算服务器持有的算法对所述密文进行第一计算,得到标准式;所述标准式为所述数据拥有者进行的计算;随机数生成模块,用于生成随机数;扰动模块,用于基于所述随机数对所述标准式进行扰动,得到扰动式;第一发送模块,用于将所述扰动式发送至所述数据拥有者进行计算得到扰动式的结果;第一接收模块,用于获取数据拥有者基于所述半同态加密算法对所述扰动式的结果加密得到的加密扰动式结果;所述第一计算模块还用于基于加密扰动式结果、标准式、随机数和所述扰动得到加密结果。
在本说明书实施例之一提供一种基于隐私保护的加密装置,其包括处理器及存储介质,所述存储介质用于存储计算机指令,所述处理器用于执行计算机指令以实现如上述基于隐私保护的加密方法。
在本说明书实施例之一提供一种计算机可读存储介质,所述存储介质存储有计算机指令,当所述计算机指令被处理器执行后,能够实现上述的基于隐私保护的加密方法。
本说明书实施例之一提供一种基于隐私保护的加密方法。所述方法包括:基于半同态加密算法对数据进行加密得到密文并发送至计算服务器;获取所述计算服务器发送的扰动式;基于所述半同态加密算法对所述扰动式解密得到解密数据;对所述解密数据进行计算得到所述扰动式的结果;基于所述半同态加密算法对所述扰动式的结果加密得到加密扰动式结果;将所述加密扰动式结果发送至所述计算服务器。
本说明书实施例之一提供一种基于隐私保护的加密系统。该系统包括:加密模块,用于基于半同态加密算法对数据进行加密得到密文并发送至计算服务器;第二接收模块,用于获取所述计算服务器发送的扰动式;解密模块,基于所述半同态加密算法对所述扰动式解密得到解密数据;第二计算模块,对所述解密数据进行计算得到所述扰动式的结果;所述加密模块还用于基于所述半同态加密算法对所述扰动式的结果加密得到加密扰动式结果;第二发送模块,用于将所述加密扰动式结果发送至所述计算服务器。
在本说明书实施例之一提供一种基于隐私保护的加密装置,其包括处理器及存储介质,所述存储介质用于存储计算机指令,所述处理器用于执行计算机指令以实现如上述的基于隐私保护的加密方法。
在本说明书实施例之一提供一种计算机可读存储介质,所述存储介质存储有计算机指令,当所述计算机指令被处理器执行后,能够实现上述的基于隐私保护的加密方法。
附图说明
本说明书将以示例性实施例的方式进一步说明,这些示例性实施例将通过附图进行详细描述。这些实施例并非限制性的,在这些实施例中,相同的编号表示相同的结构,其中:
图1是根据本说明书一些实施例所示的基于隐私保护的加密系统的应用场景示意图;
图2是根据本说明书一些实施例所示的基于隐私保护的加密方法示例性流程图;
图3是根据本说明书一些实施例所示的基于隐私保护的加密方法示例性计算流程图;
图4为是根据本说明书一些实施例所示的将扰动式发送至数据拥有者进行计算的示例性流程图;
图5是根据本说明书另一些实施例所示的基于隐私保护的加密方法示例性流程图;
图6是根据本说明书的一些实施例所示的计算服务器侧的示例性系统框图;
图7是根据本说明书的一些实施例所示的数据拥有者侧的示例性系统框图。
具体实施方式
为了更清楚地说明本说明书实施例的技术方案,下面将对实施例描述中所需要使用的附图作简单的介绍。显而易见地,下面描述中的附图仅仅是本说明书的一些示例或实施例,对于本领域的普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图将本说明书应用于其它类似情景。除非从语言环境中显而易见或另做说明,图中相同标号代表相同结构或操作。
应当理解,本文使用的“系统”、“装置”、“单元”和/或“模块”是用于区分不同级别的不同组件、元件、部件、部分或装配的一种方法。然而,如果其他词语可实现相同的目的,则可通过其他表达来替换所述词语。
如本说明书和权利要求书中所示,除非上下文明确提示例外情形,“一”、“一个”、“一种”和/或“该”等词并非特指单数,也可包括复数。一般说来,术语“包括”与“包含”仅提示包括已明确标识的步骤和元素,而这些步骤和元素不构成一个排它性的罗列,方法或者设备也可能包含其它的步骤或元素。
本说明书中使用了流程图用来说明根据本说明书的实施例的系统所执行的操作。应当理解的是,前面或后面操作不一定按照顺序来精确地执行。相反,可以按照倒序或同时处理各个步骤。同时,也可以将其他操作添加到这些过程中,或从这些过程移除某一步或数步操作。
图1是根据本说明书一些实施例所示的基于隐私保护的加密系统的应用场景示意图。
如图1所示,基于隐私保护的加密系统100可以包括数据拥有者110、计算服务器120和网络140。
数据拥有者110可以是指包括一方的用户终端或属于一方的用户终端设备集群并通过网络接口与接入网相连的节点。在一些实施例中,该设备集群可以是集中式的或者分布式的。在一些实施例中,该设备集群可以是区域的或者远程的。用户终端可以是指用户所使用的一个或多个终端设备或软件。用户终端可以包括处理单元、显示单元、输入/输出单元、感知单元、存储单元等。感知单元可以包括但不限于光传感器、距离传感器、加速度传感器、陀螺仪传感器、声音探测器等或其任意组合。在一些实施例中,用户终端可以是移动设备、平板计算机、膝上型计算机、台式计算机等其他具有输入和/或输出功能的设备中的一种或其任意组合。在一些实施例中,使用用户终端的可以是一个或多个用户,可以包括直接使用服务的用户,也可以包括其他相关用户。
计算服务器120可以用于多个数据拥有者110的汇聚。计算服务器120可以是指包括一方的单台设备或属于一方的设备集群并通过网络接口与接入网相连的节点。在一些实施例中,该设备集群可以是集中式的或者分布式的。在一些实施例中,该设备集 群可以是区域的或者远程的。在一些实施例中,计算服务器120可以包括主机、终端等设备。例如服务器、拥有计算资源的计算机等。
网络140可以连接系统的各组成部分和/或连接系统与外部资源部分。网络140使得各组成部分之间,以及与系统之外其他部分之间可以进行通讯,促进数据和/或信息的交换。在一些实施例中,网络140可以是有线网络或无线网络中的任意一种或多种。例如,网络140可以包括电缆网络、光纤网络、电信网络、互联网、局域网络(LAN)、广域网络(WAN)、无线局域网(WLAN)、城域网(MAN)、公共交换电话网络(PSTN)、蓝牙网络、紫蜂网络(ZigBee)、近场通信(NFC)、设备内总线、设备内线路、线缆连接等或其任意组合。各部分之间的网络连接可以是采用上述一种方式,也可以是采取多种方式。在一些实施例中,网络可以是点对点的、共享的、中心式的等各种拓扑结构或者多种拓扑结构的组合。在一些实施例中,网络140可以包括一个或以上网络接入点。例如,网络140可以包括有线或无线网络接入点,例如基站和/或网络交换点140-1、140-2、…。通过这些进出点,系统100的一个或多个组件可连接到网络140上以交换数据和/或信息。
基于隐私保护的加密系统100可以通过实施本说明书中披露的方法和/或过程来进行多方计算。在一些实施例中,所述多方计算可以是各行业中使用的数据,该数据包括但不限于金融行业、保险行业、互联网行业、汽车行业、餐饮行业、电信行业、能源行业、娱乐行业、体育行业、物流行业、医疗行业、安全行业等。
在一些实施例中,在进行安全多方计算时,数据拥有者110持有一部分数据,数据拥有者110为了保护数据的隐私,在将数据发送计算服务器120进行计算前需要对数据进行加密。为了使加密后的密文能够进行运算,且对密文进行计算后解密得到的结果与不加密计算得到的结果相同,在一些实施例中,数据拥有者110采用全同态加密算法对数据拥有者110持有的数据进行加密。同态加密为对经过同态加密的数据进行处理得到一个输出,将这一输出进行解密,其结果与用同一方法处理未加密的原始数据得到的输出结果是一样的。全同态为经过加密后的数据能够同时进行乘法和加法运算得到的结果与用相同运算对未加密的数据得到相同的输出结果,但全同态加密算法得到的密文较大,传输成本高;并且全同态加密算法中对于乘法运算的次数有限制,当超过某一预期乘法运算次数后,密文会失去同态性,故全同态加密算法无法满足大规模复杂计算的场景。
在一些实施例中,数据拥有者110采用基于秘密分享的密态乘法实现安全多方计算,具体的,密态乘法需要比尔三元组,而比尔三元组需要同态加密算法生成,故最终还是需要同态加密算法,而且基于秘密分享的乘法在进行安全多方计算的在线过程还需要大量数据交互,增加了传输成本。
在一些实施例中,为了适应大规模复杂计算的场景,数据拥有者110采用对计 算次数没有限制的半同态加密算法对数据进行加密。半同态加密可以仅是乘法同态或加法同态加密算法。根据同态加密的性质可知,利用半同态加密算法还能够缩小密文尺寸,减少传输成本。但由于在计算服务器120利用其持有的算法进行计算时,通常是同时包括乘法和加法的,故计算服务器120210仅能够进行半同态加密算法加密得到的密文支持的计算,而由于数据拥有者110能够基于该半同态加密算法进行解密,故数据拥有者110进行计算服务器120不能及进行的计算。仅处于说明的目的,本说明书以加法同态加密算法作为半同态加密算法为例,对披露的技术方案进行详细描述,并不旨在限制本说明书的范围。
图2是根据本说明书一些实施例所示的基于隐私保护的加密方法示例性流程图。
图2所示的基于隐私保护的加密方法中一个或多个操作可以通过图1所示的基于隐私保护的加密系统100实现。在一些实施例中,基于隐私保护的加密方法可以适用于两个以上数据拥有者的场景,例如3个或更多数据拥有者110,数据拥有者110分别于计算服务器120或先后与计算服务器120进行交互,以实现大规模计算。为了方便阐述,在本说明书各实施例中主要以两方为例进行。
步骤210,数据拥有者基于半同态加密算法对所述数据进行加密得到密文并发送至计算服务器。在一些实施例中,步骤210可以由加密模块610执行。
在一些实施例中,数据拥有者拥有的数据可能是多方计算中的一部分,也可能是包括数据拥有者隐私的数据,由于安全多方计算中各数据拥有者和计算服务器之间并不存在无条件信任,数据拥有者为了保证其数据的隐私,需要对数据进行加密,并将加密后得到的密文发送至计算服务器。
在一些实施例中,半同态加密算法为加法同态加密算法(如Paillier算法、Benaloh算法),可以理解的是,对经过加法同态加密算法的多个数据进行加法计算得到一个输出,再将这一输出进行解密,其结果与用相同加法计算处理多个未加密的原始数据得到的输出结果相同。仅作为示例,假设两个数据明文分别为A和B,加法同态加密算法为f(X),则有f(A)+f(B)=f(A+B);额外的,加法同态加密算法还具备明文与密文相加或相乘,均可以得到结果正确且依旧具备加法同态的密文,可以记为f(A)+B=f(A+B)以及f(A)*B=f(A*B)。
步骤310,计算服务器获取数据拥有者对所述数据通过半同态加密算法加密后的密文。在一些实施例中,步骤310可以由密文获取模块510执行。
在前文中已经提到,计算服务器持有算法,为了利用计算服务器所持有的算法对数据拥有者所拥有的数据进行计算,计算服务器获取数据拥有者发送的通过半同态加密算法加密的密文。
步骤320,计算服务器基于计算服务器持有的算法对所述密文进行第一计算,得到标准式;所述标准式为所述数据拥有者进行的计算。在一些实施例中,步骤320可以 由第一计算模块520执行。
第一计算为计算服务器能够基于密文进行的运算。在一些实施例中,半同态加密算法为加法半同态加密算法,第一计算可以理解成除了数据拥有者的计算,例如数据拥有者进行乘法运算,第一计算为除了乘法运算外的其他运算(如加减法运算、选择运算)。
在一些实施例中,计算服务器将其不能进行的运算整理后得到标准式。继续采用加法同态加密算法为例,此时标准式为数据拥有者进行的计算即乘法运算。
图3是根据本说明书一些实施例所示的基于隐私保护的加密方法示例性计算流程图。
为了更好的对该方法进行解释,在后文中可以同时参考图3。图中表示在一些实施例中,数据拥有者110与计算服务器120之间的数据传输情况以及各方所做的计算。
在一些实施例中,标准式包括第一单项式和第二单项式。仅作为示例,假设数据拥有者进行的计算即乘法运算包括两个乘数X和Y,由于该计算中的数据是经过加法同态加密算法加密的,利用[X]和[Y]分别表示X和Y的密文,即标准式可以表示为[X]*[Y],标准式中[X]和[Y]分别为第一单项式和第二单项式。需要说明的是,在一些实施例中,标准式中可以包括两个以上单项式,如还包括第三单项式、第四单项式。此外,在半同态加密算法为乘法同态加密算法时,标准式可以表示为[X]+[Y]。
在一些实施例中,计算服务器和数据拥有者对其将要进行的计算可能已经达成共识,在数据拥有者利用加法同态加密算法对数据进行加密时就得知数据拥有者进行的计算为乘法,此时标准式中可以仅包括第一单项式和第二单项式,即标准式可以表示为[X]、[Y],不包括运算符。
可以理解的是,标准式的结果即为本实施例中所需计算的加密结果,而同时数据拥有者持有半同态加密算法。在一些实施例中,如果计算服务器直接将标准式发送至数据拥有者,数据拥有者对标准式进行解密后基于其持有的原始数据可能能够反推出计算服务器持有的算法。步骤210中已经说明,由于安全多方计算中各数据拥有者和计算服务器之间并不存在无条件信任,计算服务器需要保护其算法不被泄露,故在将标准式发送至数据拥有者前,需要对标准式进行处理。
步骤330,数据拥有者生成随机数。在一些实施例中,步骤330可以由随机数生成模块530执行。
随机数的生成为信息安全领域常见步骤,在此不过多赘述。在一些实施例中,数据拥有者生成的随机数可以取自实数集。
步骤340,基于所述随机数对所述标准式进行扰动,得到扰动式。在一些实施例中,步骤340可以由扰动模块540执行。
计算服务器需要保护其算法不被泄露,故在将标准式发送至数据拥有者前,需要对标准式进行处理。在一些实施例中,利用步骤230生成的随机数对标准式进行扰动,以保证计算服务器拥有的算法不会因为数据拥有者通过反推或对数据进行构造而造成泄露。
在一些实施例中,步骤330生成的随机数包括第一随机数和第二随机数;基于所述随机数对所述标准式进行扰动包括:基于所述第一单项式与所述第一随机数得到第一扰动项;基于所述第二单项式与所述第二随机数得到第二扰动项;基于所述第一扰动项和第二扰动项得到扰动式。
仅作为示例,假设将第一随机数和第二随机数分别表示为R和S,由于随机数为明文、标准式中的单项式为基于加法同态加密后的密文,扰动可以是随机数与标准式中的单项式相乘或相加(减),通过加法同态加密算法的性质可知,扰动式依旧具备加法同态的性质。由此,基于所述第一单项式与所述第一随机数得到第一扰动项,可以表示成[X]-R=[X-R];基于所述第二单项式与所述第二随机数得到第二扰动项,可以表示成[Y]-S=[Y-S]。基于第一扰动项[X-R]和第二扰动项[Y-S]得到扰动式可以表示为[X-R]*[Y-S]或省略运算符的形式。需要说明的是,扰动可以是随机数与标准式中的单项式相乘或相加(减),故上述第一扰动项还可以表示成[X+R],同理第二扰动项可以表示成[Y+S]。
在一些实施例中,步骤330还可以只生成一个随机数。在步骤320中计算服务器持有的算法较为复杂的情况下,利用一个随机数采用相加(减)分别对第一单项式和第二单项式进行扰动,同样能够实现扰动,防止计算服务器持有的算法泄露,也不会对加密结果的计算产生影响。
步骤350,计算服务器将所述扰动式发送至所述数据拥有者进行计算得到扰动式的结果。在一些实施例中,步骤350可以由第一发送模块550执行。
随机数对标准式的扰动不会改变标准式的运算,即扰动式依然为数据拥有者进行的计算。在一些实施例中,数据拥有者进行的计算为乘法运算,故标准式在经过随机数扰动后,得到的扰动式依旧是两个数相乘的形时式。
在一些实施例中,数据拥有者进行的计算可以理解成在半同态加密算法加密后不能进行的计算,故在数据拥有者进行计算时需要利用半同态加密算法对扰动式进行解密,进而获得扰动式的结果,具体解密和计算方法在下文中以数据拥有者的角度进行详细说明。
图4为是根据本说明书一些实施例所示的将扰动式发送至数据拥有者进行计算的示例性流程图,在一些实施例中,图4中流程可以由数据拥有者执行。
步骤220,数据拥有者获取所述计算服务器发送的扰动式。在一些实施例中,步骤220可以由第二接收模块620执行。
数据拥有者为了进行需要数据拥有者自身需要进行的运算,获取计算服务器发送的扰动式。
步骤230,数据拥有者基于所述半同态加密算法对所述扰动式解密得到解密数据。在一些实施例中,步骤230可以由解密模块630执行。
数据拥有者可以利用其持有的半同态加密算法的密钥对扰动式进行解密,得到解密数据。在一些实施例中,继续采用半同态加密算法为加法为例,数据拥有者对扰动式进行解密后得到的解密数据为两个经过扰动的数或两个经过扰动的数相乘的算式。
步骤240,数据拥有者对所述解密数据进行计算得到所述扰动式的结果。在一些实施例中,步骤240可以由第二计算模块640执行。
在一些实施例中,将解密得到的解密数据进行数据拥有者的计算,即将两个经过扰动的数相乘。
仅作为示例,当扰动式为[X-R]*[Y-S],数据拥有者解密后为(X-R)*(Y-S)的形式,由于该式为明文的乘法计算,数据拥有者可以直接进行计算。
步骤250,基于所述半同态加密算法对所述扰动式的结果加密得到加密扰动式结果。在一些实施例中,步骤250可以由加密模块610执行。
经过计算得到的扰动式的结果为明文,为了避免计算服务器通过反推导致的数据泄露,在数据拥有者发送扰动式的结果前还需要对该结果进行加密。在一些实施例中,由于将扰动式的结果发送计算服务器后,计算服务器可能还需要进行下一步运算,可以依旧采用半同态加密算法进行加密,即数据拥有者基于半同态加密算法对扰动式的结果进行加密,得到加密扰动式结果。
仅作为示例,加密扰动式的结果(X-R)*(Y-S)为明文,对其进行加密得到的加密扰动式结果可以表示为[(X-R)*(Y-S)]。
步骤260,数据拥有者将所述加密扰动式结果发送至所述计算服务器。在一些实施例中,步骤260可以由第二发送模块650执行。
在一些实施例中,数据拥有者将经过半同态加密算法加密的扰动式结果发送至计算服务器以进行下一步计算。
步骤360,用于获取数据拥有者基于所述半同态加密算法对所述扰动式的结果加密得到的加密扰动式结果。在一些实施例中,步骤360可以由第一接收模块560执行。
步骤370,计算服务器基于加密扰动式结果、标准式、随机数和所述扰动得到加密结果。在一些实施例中,步骤370可以由第一计算模块520执行。
再次参见图2和图3,加密扰动式结果中存在随机数的扰动,加密扰动式的结果与标准式的结果显然不同,故计算服务器基于加密扰动式结果、标准式、随机数和所述 扰动得到加密结果。
在一些实施例中,继续以半同态加密算法为加法同态加密算法为例,计算服务器根据乘法计算法则,基于扰动的方式对加密扰动式结果、第一单项式与第一随机数的乘积、第二单项式与第二随机数的乘积和第一随机数与第二随机数的乘积处理,得到所述加密结果。
仅作为示例,上述处理可以表示为:
[(X-R)*(Y-S)]+[X]*S+[Y]*R-R*S      (1)
根据加法同态加密算法的性质,可以将上述式(1)表示为:
[X*Y-X*S-Y*R-R*S]+[X*S]+[Y*R]-R*S     (2)
对式(2)计算可得加密结果[X*Y],该加密结果依旧为半同态加密的形式,但完成了计算服务器不能完成的[X]*[Y]的计算,整个过程计算服务器没有泄露其持有的算法,数据拥有者也没有泄露其持有的数据。
在一些实施例中,根据扰动的方式不同,假设第一扰动式为[X+R]、第二扰动式不变时,加密扰动式结果相应变化,此时式(1)可以写成:
[(X+R)*(Y-S)]+[X]*S-[Y]*R+R*S     (3)
式(3)通过计算同样得到的加密结果为[X*Y],可以理解,计算服务器扰动的方式对加密结果的计算不会产生影响。
在一些实施例中,随机数为一个,假设为R,可以将上述式(1)表示为:
[(X-R)*(Y-R)]+[X]*R+[Y]*R–R*R    (4)
式(4)通过计算同样得到的加密结果为[X*Y],可以理解,随机数的数量对加密结果的计算也不会产生影响。
图5是根据本说明书另一些实施例所示的基于隐私保护的加密方法示例性流程图。
图5所示的基于隐私保护的加密方法400中一个或多个操作同样可以通过图1所示的基于隐私保护的加密系统100实现。图5中步骤210~步骤360与图2中一些实施例所示的基于隐私保护的加密方法相同,区别在于:
步骤380,计算服务器基于计算服务器持有的算法对所述加密结果进行第一计算,得到所述标准式。
在一些实施例中,计算服务器得到的加密结果可能只是安全多方计算中的一部分,在获得加密结果后可能还需要针对数据进行下一步计算。此时,加密结果依旧只能进行第一计算,故计算服务器基于计算服务器持有的算法对所述加密结果进行第一计算, 再次通过整理得到标准式。该标准式可以依照上文提到的实施例中的方式进行扰动和计算,直至得到安全多方计算的最终结果。
应当注意的是,上述图1~图5中有关流程的描述仅仅是为了示例和说明,而不限定本说明书的一些实施例的适用范围。对于本领域技术人员来说,在本说明书的一些实施例的指导下可以对流程进行各种修正和改变。然而,这些修正和改变仍在本说明书的范围之内。例如,步骤210~260与步骤310~380可以独立进行,两组步骤没有必然的先后顺序。在一些实施例中,从数据拥有者来看,步骤310~380任一步骤的前后均可穿插其他步骤,例如计算服务器基于计算服务器持有的算法对所述密文进行第一计算,得到标准式可以是计算服务器先将密文整理成标准式的形式后再进行第一计算等。又例如,流程中步骤210和步骤310没有必然的先后顺序,两者的顺序可以改变,也可以同时进行。
图6是根据本说明书的一些实施例所示的计算服务器侧的示例性系统框图。
如图6所示,基于隐私保护的加密系统500可以包括密文获取模块510、第一计算模块520、随机数生成模块530、扰动模块540、第一发送模块550和第一接收模块560。这些模块也可以作为应用程序或一组由处理引擎读取和执行的指令实现。此外,模块可以是硬件电路和应用/指令的任何组合。例如,当处理引擎或处理器执行应用程序/一组指令时,模块可以是处理器的一部分。
密文获取模块510可以用于获取数据拥有者对所述数据通过半同态加密算法加密后的密文。
关于数据拥有者对所述数据通过半同态加密算法加密后的密文的更多描述可以在本说明书的其他地方(如步骤310及其相关描述中)找到,在此不作赘述。
第一计算模块520可以用于基于计算服务器持有的算法对所述密文进行第一计算,得到标准式;所述标准式为所述数据拥有者进行的计算。
关于第一计算和标准式的更多描述可以在本说明书的其他地方(如步骤320及其相关描述中)找到,在此不作赘述。
随机数生成模块530,用于生成随机数;关于随机数的更多描述可以在本说明书的其他地方(如步骤330及其相关描述中)找到,在此不作赘述。
扰动模块540,用于基于所述随机数对所述标准式进行扰动,得到扰动式。
关于对标准式进行扰动的更多描述可以在本说明书的其他地方(如步骤340及其相关描述中)找到,在此不作赘述。
第一发送模块550可以用于将所述扰动式发送至所述数据拥有者进行计算得到扰动式的结果。
关于扰动式的结果的更多描述可以在本说明书的其他地方(如步骤350及其相关描述中)找到,在此不作赘述。
第一接收模块560可以用于获取数据拥有者基于所述半同态加密算法对所述扰动式的结果加密得到的加密扰动式结果。
关于加密扰动式结果的更多描述可以在本说明书的其他地方(如步骤360及其相关描述中)找到,在此不作赘述。
所述第一计算模块520还可以用于基于加密扰动式结果、标准式、随机数和所述扰动得到加密结果。
关于加密结果的更多描述可以在本说明书的其他地方(如步骤370及其相关描述中)找到,在此不作赘述。
在一些实施例中,密文获取模块510中所述半同态加密算法为加法同态加密算法;第一计算模块520中所述数据拥有者进行的计算为乘法计算。
在一些实施例中,第一发送模块550将所述扰动式发送至所述数据拥有者进行计算得到扰动式的结果包括:数据拥有者基于所述加法同态加密算法对所述扰动式解密得到解密数据;对所述解密数据进行计算得到所述扰动式的结果。
在一些实施例中,第一计算模块520生成的标准式包括第一单项式和第二单项式。
在一些实施例中,随机数生成模块530生成的随机数包括第一随机数和第二随机数;扰动模块540中基于所述随机数对所述标准式进行扰动包括:基于所述第一单项式与所述第一随机数得到第一扰动项;基于所述第二单项式与所述第二随机数得到第二扰动项;基于所述第一扰动项和第二扰动项得到扰动式。
在一些实施例中,第一计算模块520还用于基于计算服务器持有的算法对所述加密结果进行第一计算,得到所述标准式。
图7是根据本说明书的一些实施例所示的数据拥有者侧的示例性系统框图。
如图7所示,基于隐私保护的加密系统600可以包括加密模块610、第二接收模块620、解密模块630、第二计算模块640和第二发送模块650。这些模块也可以作为应用程序或一组由处理引擎读取和执行的指令实现。此外,模块可以是硬件电路和应用/指令的任何组合。例如,当处理引擎或处理器执行应用程序/一组指令时,模块可以是处理器的一部分。
加密模块610,用于基于半同态加密算法对所述数据进行加密得到密文并发送至计算服务器。
关于半同态加密算法的更多描述可以在本说明书的其他地方(如步骤210及其 相关描述中)找到,在此不作赘述。
第二接收模块620,用于获取所述计算服务器发送的扰动式。
关于获取计算服务器发送的扰动式的更多描述可以在本说明书的其他地方(如步骤220及其相关描述中)找到,在此不作赘述。
解密模块630,基于所述半同态加密算法对所述扰动式解密得到解密数据。
关于解密数据的更多描述可以在本说明书的其他地方(如步骤230及其相关描述中)找到,在此不作赘述。
第二计算模块640,对所述解密数据进行计算得到所述扰动式的结果。
关于扰动式的结果的更多描述可以在本说明书的其他地方(如步骤240及其相关描述中)找到,在此不作赘述。
所述加密模块610还用于基于所述半同态加密算法对所述扰动式的结果加密得到加密扰动式结果。
关于加密扰动式结果的更多描述可以在本说明书的其他地方(如步骤250及其相关描述中)找到,在此不作赘述。
第二发送模块650,用于将所述加密扰动式结果发送至所述计算服务器。
关于将加密扰动式结果发送至计算服务器的更多描述可以在本说明书的其他地方(如步骤260及其相关描述中)找到,在此不作赘述。
在一些实施例中,第二接收模块620中的扰动式包括:基于计算服务器持有的算法对所述密文进行第一计算,得到标准式;所述标准式为所述数据拥有者进行的计算;生成随机数;基于所述随机数对所述标准式进行扰动,得到扰动式。
在一些实施例中,所述加密模块610中的半同态加密算法为加法同态加密算法;所述数据拥有者进行的计算为乘法计算。
应当理解,图5和图6所示的装置及其模块可以利用各种方式来实现。例如,在一些实施例中,装置及其模块可以通过硬件、软件或者软件和硬件的结合来实现。其中,硬件部分可以利用专用逻辑来实现;软件部分则可以存储在存储器中,由适当的指令执行装置,例如微处理器或者专用设计硬件来执行。本领域技术人员可以理解上述的方法和装置可以使用计算机可执行指令和/或包含在处理器控制代码中来实现,例如在诸如磁盘、CD或DVD-ROM的载体介质、诸如只读存储器(固件)的可编程的存储器或者诸如光学或电子信号载体的数据载体上提供了这样的代码。本说明书的装置及其模块不仅可以有诸如超大规模集成电路或门阵列、诸如逻辑芯片、晶体管等的半导体、或者诸如现场可编程门阵列、可编程逻辑设备等的可编程硬件设备的硬件电路实现,也可以用例如由各种类型的处理器所执行的软件实现,还可以由上述硬件电路和软件的结合 (例如,固件)来实现。
需要注意的是,以上对于基于隐私保护的加密系统及其模块的描述,仅为描述方便,并不能把本说明书限制在所举实施例范围之内。可以理解,对于本领域的技术人员来说,在了解该装置的原理后,可能在不背离这一原理的情况下,对各个模块进行任意组合,或者构成子装置与其他模块连接。例如,图6中加密模块610和解密模块630可以为同一个模块,任意模块基于同一加密算法进行加密和解密;图5中第一发送模块550和第一接收模块560可以为同一个模块,第一发送模块550用于获取数据,并发送数据。又例如,基于隐私保护的加密系统中的各个模块可以位于同一服务器上,也可以分属不同的服务器。诸如此类的变形,均在本说明书的保护范围之内。
上述对本说明书特定实施例进行了描述。其它实施例在所附权利要求书的范围内。在一些情况下,在权利要求书中记载的动作或步骤可以按照不同于实施例中的顺序来执行并且仍然可以实现期望的结果。另外,在附图中描绘的过程不一定要求示出的特定顺序或者连续顺序才能实现期望的结果。在某些实施方式中,多任务处理和并行处理也是可以的或者可能是有利的。
本说明书实施例可能带来的有益效果包括但不限于:(1)数据拥有者和计算服务器之间通过密文传输,在能够完成安全多方计算的前提下,保证了数据拥有者的数据以及计算服务器的算法不被泄露;(2)采用半同态加密算法对数据进行加密,相较于利用全同态加密算法的方案,计算次数不受限值,适应于大规模计算的场景;(3)采用半同态加密算法的方案,相较于利用比尔三元组的方案,密文尺寸大大减小,降低了传输成本。
需要说明的是,不同实施例可能产生的有益效果不同,在不同的实施例里,可能产生的有益效果可以是以上任意一种或几种的组合,也可以是其他任何可能获得的有益效果。
上文已对基本概念做了描述,显然,对于本领域技术人员来说,上述详细披露仅仅作为示例,而并不构成对本说明书的限定。虽然此处并没有明确说明,本领域技术人员可能会对本说明书进行各种修改、改进和修正。该类修改、改进和修正在本说明书中被建议,所以该类修改、改进、修正仍属于本说明书示范实施例的精神和范围。
同时,本说明书使用了特定词语来描述本说明书的实施例。如“一个实施例”、“一实施例”、和/或“一些实施例”意指与本说明书至少一个实施例相关的某一特征、结构或特点。因此,应强调并注意的是,本说明书中在不同位置两次或多次提及的“一实施例”或“一个实施例”或“一个替代性实施例”并不一定是指同一实施例。此外,本说明书的一个或多个实施例中的某些特征、结构或特点可以进行适当的组合。
此外,本领域技术人员可以理解,本说明书的各方面可以通过若干具有可专利性的种类或情况进行说明和描述,包括任何新的和有用的工序、机器、产品或物质的组 合,或对他们的任何新的和有用的改进。相应地,本说明书的各个方面可以完全由硬件执行、可以完全由软件(包括固件、常驻软件、微码等)执行、也可以由硬件和软件组合执行。以上硬件或软件均可被称为“数据块”、“模块”、“引擎”、“单元”、“组件”或“系统”。此外,本说明书的各方面可能表现为位于一个或多个计算机可读介质中的计算机产品,该产品包括计算机可读程序编码。
计算机存储介质可能包含一个内含有计算机程序编码的传播数据信号,例如在基带上或作为载波的一部分。该传播信号可能有多种表现形式,包括电磁形式、光形式等,或合适的组合形式。计算机存储介质可以是除计算机可读存储介质之外的任何计算机可读介质,该介质可以通过连接至一个指令执行系统、装置或设备以实现通讯、传播或传输供使用的程序。位于计算机存储介质上的程序编码可以通过任何合适的介质进行传播,包括无线电、电缆、光纤电缆、RF、或类似介质,或任何上述介质的组合。
此外,除非权利要求中明确说明,本说明书所述处理元素和序列的顺序、数字字母的使用、或其他名称的使用,并非用于限定本说明书流程和方法的顺序。尽管上述披露中通过各种示例讨论了一些目前认为有用的发明实施例,但应当理解的是,该类细节仅起到说明的目的,附加的权利要求并不仅限于披露的实施例,相反,权利要求旨在覆盖所有符合本说明书实施例实质和范围的修正和等价组合。例如,虽然以上所描述的系统组件可以通过硬件设备实现,但是也可以只通过软件的解决方案得以实现,如在现有的服务器或移动设备上安装所描述的系统。
同理,应当注意的是,为了简化本说明书披露的表述,从而帮助对一个或多个发明实施例的理解,前文对本说明书实施例的描述中,有时会将多种特征归并至一个实施例、附图或对其的描述中。但是,这种披露方法并不意味着本说明书对象所需要的特征比权利要求中提及的特征多。实际上,实施例的特征要少于上述披露的单个实施例的全部特征。
一些实施例中使用了描述成分、属性数量的数字,应当理解的是,此类用于实施例描述的数字,在一些示例中使用了修饰词“大约”、“近似”或“大体上”来修饰。除非另外说明,“大约”、“近似”或“大体上”表明所述数字允许有±20%的变化。相应地,在一些实施例中,说明书和权利要求中使用的数值参数均为近似值,该近似值根据个别实施例所需特点可以发生改变。在一些实施例中,数值参数应考虑规定的有效数位并采用一般位数保留的方法。尽管本说明书一些实施例中用于确认其范围广度的数值域和参数为近似值,在具体实施例中,此类数值的设定在可行范围内尽可能精确。
针对本说明书引用的每个专利、专利申请、专利申请公开物和其他材料,如文章、书籍、说明书、出版物、文档等,特此将其全部内容并入本说明书作为参考。与本说明书内容不一致或产生冲突的申请历史文件除外,对本说明书权利要求最广范围有限制的文件(当前或之后附加于本说明书中的)也除外。需要说明的是,如果本说明书附 属材料中的描述、定义、和/或术语的使用与本说明书所述内容有不一致或冲突的地方,以本说明书的描述、定义和/或术语的使用为准。
最后,应当理解的是,本说明书中所述实施例仅用以说明本说明书实施例的原则。其他的变形也可能属于本说明书的范围。因此,作为示例而非限制,本说明书实施例的替代配置可视为与本说明书的教导一致。相应地,本说明书的实施例不仅限于本说明书明确介绍和描述的实施例。

Claims (28)

  1. 一种基于隐私保护的加密方法,包括:
    获取数据拥有者对所述数据通过半同态加密算法加密后的密文;
    基于计算服务器持有的算法对所述密文进行第一计算,得到标准式;所述标准式为所述数据拥有者进行的计算;
    生成随机数;
    基于所述随机数对所述标准式进行扰动,得到扰动式;
    将所述扰动式发送至所述数据拥有者进行计算得到扰动式的结果;
    获取数据拥有者基于所述半同态加密算法对所述扰动式的结果加密得到的加密扰动式结果;
    基于加密扰动式结果、标准式、随机数和所述扰动得到加密结果。
  2. 如权利要求1所述的方法,其中:
    所述半同态加密算法为加法同态加密算法;所述数据拥有者进行的计算为乘法计算。
  3. 如权利要求1所述的方法,其中,将所述扰动式发送至所述数据拥有者进行计算得到扰动式的结果包括:
    数据拥有者基于所述半同态加密算法对所述扰动式解密得到解密数据;
    对所述解密数据进行计算得到所述扰动式的结果。
  4. 如权利要求1所述的方法,其中:
    所述标准式包括第一单项式和第二单项式。
  5. 如权利要求4所述的方法,其中,所述随机数包括第一随机数和第二随机数;基于所述随机数对所述标准式进行扰动包括:
    基于所述第一单项式与所述第一随机数得到第一扰动项;
    基于所述第二单项式与所述第二随机数得到第二扰动项;
    基于所述第一扰动项和第二扰动项得到扰动式。
  6. 如权利要求1所述的方法,还包括:
    基于计算服务器持有的算法对所述加密结果进行第一计算,得到所述标准式。
  7. 一种基于隐私保护的加密系统,包括:
    密文获取模块,用于获取数据拥有者对所述数据通过半同态加密算法加密后的密文;
    第一计算模块,用于基于计算服务器持有的算法对所述密文进行第一计算,得到标准式;所述标准式为所述数据拥有者进行的计算;
    随机数生成模块,用于生成随机数;
    扰动模块,用于基于所述随机数对所述标准式进行扰动,得到扰动式;
    第一发送模块,用于将所述扰动式发送至所述数据拥有者进行计算得到扰动式的结果;
    第一接收模块,用于获取数据拥有者基于所述半同态加密算法对所述扰动式的结果加密得到的加密扰动式结果;
    所述第一计算模块还用于基于加密扰动式结果、标准式、随机数和所述扰动得到加密结果。
  8. 如权利要求7所述的系统,其中:
    所述半同态加密算法为加法同态加密算法;所述数据拥有者进行的计算为乘法计算。
  9. 如权利要求7所述的系统,其中,将所述扰动式发送至所述数据拥有者进行计算得到扰动式的结果包括:
    数据拥有者基于所述半同态加密算法对所述扰动式解密得到解密数据;
    对所述解密数据进行计算得到所述扰动式的结果。
  10. 如权利要求7所述的系统,其中:
    所述标准式包括第一单项式和第二单项式。
  11. 如权利要求10所述的系统,其中,所述随机数包括第一随机数和第二随机数;基于所述随机数对所述标准式进行扰动包括:
    基于所述第一单项式与所述第一随机数得到第一扰动项;
    基于所述第二单项式与所述第二随机数得到第二扰动项;
    基于所述第一扰动项和第二扰动项得到扰动式。
  12. 如权利要求7所述的系统,第一计算模块还用于:
    基于计算服务器持有的算法对所述加密结果进行第一计算,得到所述标准式。
  13. 一种基于隐私保护的加密装置,包括处理器及存储介质,所述存储介质用于存储计算机指令,所述处理器用于执行计算机指令以实现如权利要求1~6任一项所述的基于隐私保护的加密方法。
  14. 一种计算机可读存储介质,所述存储介质存储有计算机指令,当所述计算机指令被处理器执行后,能够实现如权利要求1~6任一项所述的基于隐私保护的加密方法。
  15. 一种隐私保护计算方法,其中,所述方法包括:
    基于半同态加密算法对数据进行加密得到密文并发送至计算服务器;
    获取所述计算服务器发送的扰动式;
    基于所述半同态加密算法对所述扰动式解密得到解密数据;
    对所述解密数据进行计算得到所述扰动式的结果;
    基于所述半同态加密算法对所述扰动式的结果加密得到加密扰动式结果;
    将所述加密扰动式结果发送至所述计算服务器。
  16. 如权利要求15所述的方法,其中,所述扰动式包括:
    基于计算服务器持有的算法对所述密文进行第一计算,得到标准式;所述标准式为所述数据拥有者进行的计算;
    生成随机数;
    基于所述随机数对所述标准式进行扰动,得到扰动式。
  17. 如权利要求15所述的方法,其中:
    所述半同态加密算法为加法同态加密算法;所述数据拥有者进行的计算为乘法计算。
  18. 如权利要求16所述的方法,其中:
    所述标准式包括第一单项式和第二单项式。
  19. 如权利要求18所述的方法,其中,所述随机数包括第一随机数和第二随机数;基于所述随机数对所述标准式进行扰动包括:
    基于所述第一单项式与所述第一随机数得到第一扰动项;
    基于所述第二单项式与所述第二随机数得到第二扰动项;
    基于所述第一扰动项和第二扰动项得到扰动式。
  20. 如权利要求16所述的方法,还包括:
    基于计算服务器持有的算法对所述加密结果进行第一计算,得到所述标准式。
  21. 一种隐私保护计算系统,其包括:
    加密模块,用于基于半同态加密算法对数据进行加密得到密文并发送至计算服务器;
    第二接收模块,用于获取所述计算服务器发送的扰动式;
    解密模块,基于所述半同态加密算法对所述扰动式解密得到解密数据;
    第二计算模块,对所述解密数据进行计算得到所述扰动式的结果;
    所述加密模块还用于基于所述半同态加密算法对所述扰动式的结果加密得到加密扰动式结果;
    第二发送模块,用于将所述加密扰动式结果发送至所述计算服务器。
  22. 如权利要求21所述的系统,其中,所述扰动式包括:
    基于计算服务器持有的算法对所述密文进行第一计算,得到标准式;所述标准式为所述数据拥有者进行的计算;
    生成随机数;
    基于所述随机数对所述标准式进行扰动,得到扰动式。
  23. 如权利要求21所述的系统,其中:
    所述半同态加密算法为加法同态加密算法;所述数据拥有者进行的计算为乘法计算。
  24. 如权利要求22所述的系统,其中:
    所述标准式包括第一单项式和第二单项式。
  25. 如权利要求24所述的系统,其中,所述随机数包括第一随机数和第二随机数;基于所述随机数对所述标准式进行扰动包括:
    基于所述第一单项式与所述第一随机数得到第一扰动项;
    基于所述第二单项式与所述第二随机数得到第二扰动项;
    基于所述第一扰动项和第二扰动项得到扰动式。
  26. 如权利要求22所述的系统,还包括:
    基于计算服务器持有的算法对所述加密结果进行第一计算,得到所述标准式。
  27. 一种基于隐私保护的加密装置,包括处理器及存储介质,所述存储介质用于存储计算机指令,所述处理器用于执行计算机指令以实现如权利要求15~20任一项所述的隐私保护计算方法。
  28. 一种计算机可读存储介质,所述存储介质存储有计算机指令,当所述计算机指令被处理器执行后,能够实现如权利要求15~20任一项所述的隐私保护计算方法。
PCT/CN2021/096168 2020-05-27 2021-05-26 一种基于隐私保护的加密方法和系统 WO2021239008A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010461733.0 2020-05-27
CN202010461733.0A CN111371545B (zh) 2020-05-27 2020-05-27 一种基于隐私保护的加密方法和系统

Publications (1)

Publication Number Publication Date
WO2021239008A1 true WO2021239008A1 (zh) 2021-12-02

Family

ID=71212244

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/096168 WO2021239008A1 (zh) 2020-05-27 2021-05-26 一种基于隐私保护的加密方法和系统

Country Status (2)

Country Link
CN (1) CN111371545B (zh)
WO (1) WO2021239008A1 (zh)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114760367A (zh) * 2022-04-24 2022-07-15 华控清交信息科技(北京)有限公司 一种加密协议转换方法、第一节点和第二节点
CN114944935A (zh) * 2022-04-24 2022-08-26 华控清交信息科技(北京)有限公司 一种多方融合计算系统、多方融合计算方法和可读存储介质
CN115062331A (zh) * 2022-05-22 2022-09-16 北京理工大学 一种基于加性同态加密的隐私保护深度学习方法
CN115801449A (zh) * 2023-01-09 2023-03-14 深圳市迪博企业风险管理技术有限公司 风险评估数据的隐私保护方法、系统和可读存储介质

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111371545B (zh) * 2020-05-27 2020-09-11 支付宝(杭州)信息技术有限公司 一种基于隐私保护的加密方法和系统
CN112202542A (zh) * 2020-09-30 2021-01-08 清华-伯克利深圳学院筹备办公室 数据扰动方法、设备及存储介质
CN113225345A (zh) * 2021-04-30 2021-08-06 武汉天喻信息产业股份有限公司 一种具有隐私保护功能的数据处理方法、装置及系统
CN113468572A (zh) * 2021-07-16 2021-10-01 华控清交信息科技(北京)有限公司 密文特征提取方法、装置及电子设备
CN113849844B (zh) * 2021-11-26 2022-03-04 杭州安恒信息技术股份有限公司 一种多方数据安全计算方法、系统、装置及存储介质
CN115085897A (zh) * 2022-05-23 2022-09-20 支付宝(杭州)信息技术有限公司 用于保护隐私的数据处理方法、装置和计算机设备
CN115098883B (zh) * 2022-06-28 2024-08-16 国网福建省电力有限公司 一种基于安全多方计算的数据隐私保护方法和系统

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102970143A (zh) * 2012-12-13 2013-03-13 中国科学技术大学苏州研究院 采用加法同态加密方法进行安全计算双方持有数和的指数的方法
CN105577357A (zh) * 2015-12-21 2016-05-11 东南大学 基于全同态加密的智能家居数据隐私保护方法
CN107347061A (zh) * 2017-06-16 2017-11-14 哈尔滨工业大学深圳研究生院 基于安全多方下的时间序列异常检测方法及系统
US10116437B1 (en) * 2015-12-14 2018-10-30 Ingram Micro, Inc. Method for protecting data used in cloud computing with homomorphic encryption
CN110991655A (zh) * 2019-12-17 2020-04-10 支付宝(杭州)信息技术有限公司 多方联合进行模型数据处理的方法及装置
CN111371545A (zh) * 2020-05-27 2020-07-03 支付宝(杭州)信息技术有限公司 一种基于隐私保护的加密方法和系统

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101815081B (zh) * 2008-11-27 2013-04-03 北京大学 一种分布式计算的逻辑比较方法
US9443092B2 (en) * 2014-11-18 2016-09-13 Pitney Bowes Inc. System and method for matching data sets while maintaining privacy of each data set
WO2017194469A1 (en) * 2016-05-13 2017-11-16 Abb Schweiz Ag Secure remote aggregation
US20190386814A1 (en) * 2016-11-07 2019-12-19 Sherjil Ahmed Systems and Methods for Implementing an Efficient, Scalable Homomorphic Transformation of Encrypted Data with Minimal Data Expansion and Improved Processing Efficiency
US11050725B2 (en) * 2018-07-16 2021-06-29 Sap Se Private benchmarking cloud service with enhanced statistics
CN109412786B (zh) * 2018-11-14 2022-09-06 沈阳航空航天大学 一种基于同态加密的整数密文算术运算方法
CN110061829A (zh) * 2019-04-26 2019-07-26 上海点融信息科技有限责任公司 基于区块链网络的安全多方计算方法、装置及存储介质

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102970143A (zh) * 2012-12-13 2013-03-13 中国科学技术大学苏州研究院 采用加法同态加密方法进行安全计算双方持有数和的指数的方法
US10116437B1 (en) * 2015-12-14 2018-10-30 Ingram Micro, Inc. Method for protecting data used in cloud computing with homomorphic encryption
CN105577357A (zh) * 2015-12-21 2016-05-11 东南大学 基于全同态加密的智能家居数据隐私保护方法
CN107347061A (zh) * 2017-06-16 2017-11-14 哈尔滨工业大学深圳研究生院 基于安全多方下的时间序列异常检测方法及系统
CN110991655A (zh) * 2019-12-17 2020-04-10 支付宝(杭州)信息技术有限公司 多方联合进行模型数据处理的方法及装置
CN111371545A (zh) * 2020-05-27 2020-07-03 支付宝(杭州)信息技术有限公司 一种基于隐私保护的加密方法和系统

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114760367A (zh) * 2022-04-24 2022-07-15 华控清交信息科技(北京)有限公司 一种加密协议转换方法、第一节点和第二节点
CN114944935A (zh) * 2022-04-24 2022-08-26 华控清交信息科技(北京)有限公司 一种多方融合计算系统、多方融合计算方法和可读存储介质
CN114760367B (zh) * 2022-04-24 2024-05-31 华控清交信息科技(北京)有限公司 一种加密协议转换方法、第一节点和第二节点
CN115062331A (zh) * 2022-05-22 2022-09-16 北京理工大学 一种基于加性同态加密的隐私保护深度学习方法
CN115801449A (zh) * 2023-01-09 2023-03-14 深圳市迪博企业风险管理技术有限公司 风险评估数据的隐私保护方法、系统和可读存储介质

Also Published As

Publication number Publication date
CN111371545A (zh) 2020-07-03
CN111371545B (zh) 2020-09-11

Similar Documents

Publication Publication Date Title
WO2021239008A1 (zh) 一种基于隐私保护的加密方法和系统
TWI706279B (zh) 多方安全計算方法及裝置、電子設備
EP3779717B1 (en) Multiparty secure computing method, device, and electronic device
US20230087864A1 (en) Secure multi-party computation method and apparatus, device, and storage medium
CN106534313B (zh) 面向云端数据发布保护安全及隐私的频度测定方法和系统
CN111767555B (zh) 区块链中实现隐私保护的方法及节点、存储介质
CN110089071B (zh) 安全的分布式数据处理
US11444752B2 (en) Systems and methods for data encryption and decryption in data transmission
JP2021501370A (ja) データ統計方法および装置
CN111586142B (zh) 一种安全多方计算方法及系统
CN114065252A (zh) 一种带条件检索的隐私集合求交方法、装置及计算机设备
US20220374544A1 (en) Secure aggregation of information using federated learning
TW202044082A (zh) 基於秘密分享的安全模型預測方法和裝置
CN110166423A (zh) 用户信用的确定方法、装置、系统和数据的处理方法
CN113541946B (zh) 一种多方安全计算方法、装置及电子设备
Rao et al. A hybrid elliptic curve cryptography (HECC) technique for fast encryption of data for public cloud security
US12105855B2 (en) Privacy-enhanced computation via sequestered encryption
Chen et al. Cryptanalysis and improvement of DeepPAR: Privacy-preserving and asynchronous deep learning for industrial IoT
Elmogazy et al. Towards healthcare data security in cloud computing
EP3376706B1 (en) Method and system for privacy-preserving order statistics in a star network
Rahaman et al. Secure Multi-Party Computation (SMPC) Protocols and Privacy
Yang et al. A review of blockchain-based privacy computing research
CN111125788B (zh) 一种加密计算方法、计算机设备及存储介质
CN115118411B (zh) 链下多方可信计算方法、装置、设备及存储介质
CN114398662B (zh) 基于安全多方计算的隐私保护机器学习推理方法及系统

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21813294

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21813294

Country of ref document: EP

Kind code of ref document: A1