WO2023207735A1 - Method and system for realizing secure multi-party computation by using hardware chips - Google Patents

Info

Publication number: WO2023207735A1
Authority: WO (WIPO (PCT))
Prior art keywords: random number, participant, participants, pseudo, number generator
Application number: PCT/CN2023/089372
Other languages: French (fr), Chinese (zh)
Inventors: 周兴, 许保安
Original assignee: 上海紫先科技有限公司
Application filed by 上海紫先科技有限公司
Publication of WO2023207735A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Definitions

  • the present invention belongs to the subfield of secure multi-party computation in the field of privacy computing, and more specifically, relates to a method and system for implementing secure multi-party computation using hardware chips.
  • Secure Multi-Party Computation is an important branch of privacy computing technology.
  • the idea of secure multi-party computing is that each party participating in the calculation holds a part of the data and completes the calculation through a certain communication protocol without exposing their own data.
  • a method based on using hardware chips to implement secure multi-party computation, used to efficiently implement multiplication operations in secret-sharing secure multi-party computation schemes. It is characterized by including N participants (0,1,…,N-1), each of which includes a physical chip; each physical chip contains an externally unreadable private key that uniquely corresponds to that physical chip; each physical chip has a corresponding asymmetric encryption public key computed from its private key, and each public key can be read externally as a characteristic that uniquely identifies the corresponding physical chip; the method includes the following steps:
  • Step S1: before performing the multiplicative secret-sharing secure multi-party computation, the physical chips of all participants (0,1,…,N-1) negotiate a common pseudo-random number generator seed, which is used to initialize their respective first and second pseudo-random number generators, where N is greater than or equal to 2;
  • Step S3: participant A and participant B each use the first pseudo-random number generator of their own physical chip to generate two random numbers r1 and r2, and the second pseudo-random number generator of their own physical chip to generate one random number r3;
  • the values are sent to participant B through the untrusted memory space of the computer outside the physical chip;
  • 1 [y] 1 +e 1
  • v N [x] N +d N
  • the key is written once by the manufacturer of the physical chip, or is implemented by using the process noise of the physical chip during the manufacturing process of the chip as a feature.
  • in step S1, the generation of the pseudo-random number generator seed includes:
  • participant A sends EncB(SA) to participant B; after participant B's physical chip receives EncB(SA), it uses the true random number generator inside the physical chip to generate a true random number SB, decrypts EncB(SA) with the local private key to obtain SA, and splices SA and SB into the seed of the pseudo-random number generator; participant B also encrypts SB with the public key of participant A's physical chip to obtain EncA(SB), and sends EncA(SB) to A;
  • participant A decrypts EncA(SB) with the local private key to obtain SB, and splices SA and SB into the same pseudo-random number generator seed, so that all participants can carry out the secure multi-party computation.
  • the same pseudo-random number generator seed is determined between the physical chips.
  • the first pseudo-random number generator and the second pseudo-random number generator use the common pseudo-random number generator seed negotiated between the physical chips of all participants (0,1,…,N-1); participant A and participant B each use the first pseudo-random number generator of their own physical chip to generate two random numbers r1 and r2, and the second pseudo-random number generator of their own physical chip to generate one random number r3;
  • the multiplication unit obtains the value z of the multiplication operation x*y in the untrusted memory space of the computer outside the physical chip by executing steps S3 to S6 in claim 1.
  • the multiplication unit includes a secret-sharing bit operator, a random number register group and a secret-sharing multiplier; some or all of the pseudo-random number sequence generated by the first and second pseudo-random number generators is cached in the random number register group for the secret-sharing bit operator and the secret-sharing multiplier to use in their calculations.
  • the output terminal applies a mask operation with regenerated random numbers in a secret-sharing manner, to ensure that the output data carries no more information than a random number.
  • the mask operation performed on the regenerated random numbers is one of addition or bitwise XOR.
  • the physical chips used by the N participants (0,1,...,N-1) are FPGAs.
  • the method proposed by the present invention for implementing secure multi-party computation with hardware chips changes the communication mode of the participants. Unlike the classic scheme, which requires two-way communication between all participants, communication in the embodiment of the present invention is one-way: only participant A sends data to participant B, and participant B does not need to send any data to participant A during the entire multiplication operation. This makes the above secure multi-party computation of multiplicative secret sharing highly significant for complex operations involving many multiplication steps.
  • One-way communication means that the calculations of participant A and participant B can be completely asynchronous: neither needs to wait for the other party to finish the corresponding preceding steps before carrying out its subsequent calculation steps, which makes the computation insensitive to network communication delay and improves the efficiency of secure multi-party computation.
  • Figure 1 shows a system block diagram of a database index based on a polynomial commitment mechanism in an embodiment of the present invention.
  • Figure 2 shows a schematic flow chart of a database indexing method based on a polynomial commitment mechanism in an embodiment of the present invention.
  • the secret-sharing scheme in this secure multi-party computation is based on the classic additive secret-sharing secure multi-party computation scheme, in which addition, subtraction, multiplication, division and the other basic operations are all carried out as cipher-text computation.
  • that is, none of the parties taking part in the calculation leaks its own data; they only exchange some encrypted data, yet can collaborate to complete the overall operation.
  • the key point is that basic operations such as multiplication and division in the present invention eliminate two-way communication and replace it with one-way communication. That is, communication is no longer on the critical path of the calculation, which removes the performance bottleneck of secure multi-party computation: participant A and participant B compute completely asynchronously, improving the efficiency of secure multi-party computation.
  • FIG. 1 is a block diagram of a database indexing system based on a polynomial commitment mechanism in an embodiment of the present invention.
  • the system includes N participants (0,1,...,N-1) and the computer's untrusted memory space.
  • each participant (0,1,...,N-1) includes a physical chip, a first pseudo-random number generator, a second pseudo-random number generator and a multiplication unit.
  • the area inside the physical chip is a trusted area, that is, the logic in this area cannot be tampered with, and the data in this area cannot be read (except for data that can be read by the API interface design of the physical chip).
  • each physical chip contains an externally unreadable, unique private key HK1 corresponding to that chip, which can be used to decrypt encrypted messages input from outside.
  • Each physical chip has a corresponding asymmetric encryption public key calculated through its respective private key, and each of the encryption public keys is externally read as a characteristic that uniquely identifies the corresponding physical chip.
  • the private key can be written into the chip once by the manufacturer during the chip manufacturing process, or it can be implemented by using the process noise during the chip manufacturing process as a feature.
  • the implementation of the unique private key is a mature technology in the industry and is not discussed further here.
  • the asymmetric encryption public key computed from the private key can be read externally; thus the public key can also uniquely identify any physical chip.
  • the physical chip used by the N participants (0, 1,..., N-1) is FPGA.
  • secure multi-party computation participants holding the physical chips can confirm whether the other party's chip is trustworthy by requiring the other party to sign with the key inside its chip. Even if the participants are geographically far apart, they can build trust by communicating over the network.
  • the above is the remote authentication (Remote Attestation) process.
  • FIG. 2 is a schematic flowchart of a database indexing method based on a polynomial commitment mechanism in an embodiment of the present invention. As shown in Figure 2, this method is used for multiplication secret sharing secure multi-party computation, including the following steps:
  • Step S1: before performing the multiplicative secret-sharing secure multi-party computation, the physical chips of all participants (0,1,…,N-1) negotiate a common pseudo-random number generator seed for initializing their respective first and second pseudo-random number generators, where N is greater than or equal to 2.
  • the physical chips of all participants (0,1,...,N-1) need to negotiate to determine a common seed for initializing their respective pseudo-random number generators, but this seed cannot be leaked.
  • the true random number generator inside a participant's physical chip generates true random numbers from the physical thermal noise of the chip, which form part of the seed of the pseudo-random number generator (the other part of the seed is obtained by decrypting the encrypted message from the other participant).
  • N=2 is taken as an example for explanation.
  • the generation of the pseudo-random number generator seed may include the following steps:
  • participant A uses the true random number generator inside its local physical chip to generate a true random number SA, and encrypts it with the public key of participant B's chip to obtain EncB(SA);
  • participant A sends EncB(SA) to participant B; after participant B's physical chip receives EncB(SA), it uses the true random number generator inside the physical chip to generate a true random number SB, decrypts EncB(SA) with the local private key to obtain SA, and splices SA and SB into the seed of the pseudo-random number generator; participant B also encrypts SB with the public key of participant A's physical chip to obtain EncA(SB), and sends EncA(SB) to A;
  • participant A decrypts EncA(SB) with the local private key to obtain SB, and splices SA and SB into the same pseudo-random number generator seed, so that all participants can carry out the secure multi-party computation.
  • the same pseudo-random number generator seed is determined between the above physical chips.
  • the multiplication unit may include a secret-sharing bit operator, a random number register group and a secret-sharing multiplier; the pseudo-random number sequence generated by the first and second pseudo-random number generators is partially or fully cached in the random number register group for the secret-sharing bit operator and the secret-sharing multiplier to use in their calculations, and the result of the multiplication is output to the untrusted memory space of the computer outside the physical chip, finally yielding the value of x*y.
  • the secret sharing multiplier includes an input terminal and an output terminal.
  • the input terminal receives the secret sharing of the input operands of the untrusted memory space of the computer.
  • the output terminal is used to output the operands to the untrusted memory space.
  • the result of the multiplication operation is output through secret sharing.
  • the output terminal outputs through a mask operation using regenerated random numbers in a secret-sharing manner (the mask operation performed on the regenerated random numbers is one of addition or bitwise XOR), to ensure that the output data carries no more information than a random number.
  • the N random numbers [x]0, [x]1, …, [x]N-1 together are called the secret sharing of the original number x, written [x]; participant i never gives the share [x]i it holds to any other participant.
  • the participant performing work B owns the secret shares [x]0 and [y]0 of x and y, while the remaining N-1 participants performing work A own the other shares of x and y.
  • Step S3: participant A and participant B each use the first pseudo-random number generator of their own physical chip to generate two random numbers r1 and r2, and the second pseudo-random number generator of their own physical chip to generate one random number r3.
  • [z] B + (N-1)*[z] A x*y.
  • the present invention uses specially designed chip hardware to improve the classic additive secret-sharing secure multi-party computation scheme, reducing the communication cost of multiplication operations by several orders of magnitude and thus greatly improving the performance of secure multi-party computation schemes in practical applications.
  • after the secure multi-party computation participants (participant A and participant B) confirm that the chip used by the other party is trustworthy, they can jointly determine a common random number seed. This seed is computed jointly from the true random numbers generated by the true random number generators inside the chips held by the participants, which reflect the random thermal noise of the physical hardware.
  • the communication in this computation is protected by asymmetric encryption using the keys inside the physical chips, and the result is retained only inside the physical chips: the random number seed cannot be read by any participant outside the physical chips.
  • the physical chips of all participants use this common random number seed to initialize two independent pseudo-random number generators (the first and the second) inside their respective chips. Alternatively, different parts of the random number seed can be used as the initialization seeds of the two pseudo-random number generators, so that the two generators are completely independent.
  • the random number generation algorithm of the pseudo-random number generators must be cryptographically strong, that is, without knowing the initialization seed, no information about the next random number can be inferred from the current one.
  • the multiplication operation in the secure multi-party computation scheme can then be carried out as follows:
  • Step 1: participant A owns the secret shares [x]0 and [y]0 of x and y, while participant B owns the secret shares [x]1 and [y]1.
  • Step 2: participant A and participant B each use the first pseudo-random number generator of their own chip to generate two random numbers r1 and r2, and the second pseudo-random number generator to generate one random number r3.
  • Step 3: because the pseudo-random number generators of A's and B's chips use the same initialization seed, B's chip internally generates the same random numbers r1, r2 and r3.
  • the main advantage of the above scheme is that it changes the communication mode of the participants. Unlike the classic scheme, which requires two-way communication between all participants, communication in the above scheme is one-way: only participant A sends data to participant B, and participant B does not need to send any data to participant A during the entire multiplication operation.
  • One-way communication means that the calculations of participant A and participant B can be completely asynchronous, that is, they can proceed directly without waiting for the other party's corresponding preceding steps to be completed.
  • Subsequent calculation steps are therefore not sensitive to network communication delay. If the communication were bidirectional, participant A or participant B would have to wait for the other party's corresponding step to complete and receive the intermediate results over the network before proceeding to subsequent calculation steps, so the network delay would be included on the critical path and become the performance bottleneck of the entire computing process.

Abstract

A method and system for realizing secure multi-party computation by using hardware chips. The method comprises: a unique physical feature which is included in a physical chip of each participant and cannot be externally read is used as a private key, and an asymmetric encryption public key calculated according to the private key can be externally read, the public key also uniquely identifying any physical chip; prior to computation, one common seed is determined by means of negotiation amongst the physical chips of all the participants and is used for initializing respective pseudo-random number generators; and one party is selected from all the participants to execute the work of B and other N-1 parties execute the work of A. During a whole multiplication operation process, only participants A send data to participant B and participant B does not need to send any data to participants A. Therefore, the present invention has great significance for complex operations involving multi-step multiplication operations, one-way communication meaning that the computation of participants A and the computation of participant B can be completely asynchronous, thus being insensitive to delay of network communication, and improving the efficiency of secure multi-party computation.

Description

A method and system for implementing secure multi-party computation using hardware chips
Cross reference
This application claims priority to Chinese patent application No. 202210437157.5, filed on April 25, 2022. The contents of the above application are incorporated herein by reference.
Technical field
The present invention belongs to the subfield of secure multi-party computation within the field of privacy computing, and more specifically relates to a method and system for implementing secure multi-party computation using hardware chips.
Technical background
Privacy-preserving computing (also called privacy computing) aims to compute results from original data without exposing the original data. Without privacy computing, because information can be copied, handing data to another party for computation (use) means exposing the data, so that the right to use the data cannot be separated from its ownership; this limits the cross-domain flow of data containing sensitive or private information. Privacy computing technology separates the ownership of data from the right to use it, making data usable but not visible, thereby enabling secure and compliant cross-domain circulation of data and creating opportunities for multiple parties to collaborate in extracting value from data.
Secure Multi-Party Computation (MPC) is an important branch of privacy computing technology. The idea of secure multi-party computation is that each of the several parties taking part in a computation holds part of the data, and the computation is completed through a certain communication protocol without any party exposing its own data.
Secure multi-party computation is an important technology for realizing privacy-preserving computing (PPC), and its security is guaranteed mathematically. In secure multi-party computation, basic operations such as addition, subtraction, multiplication and division all take the form of cipher-text computation, that is, none of the parties taking part in the computation leaks its own data; they only exchange some encrypted data, yet can still collaboratively complete the overall computation. Secure multi-party computation techniques include secret sharing and garbled circuits.
The additive secret-sharing scheme in secure multi-party computation is outlined as follows. Suppose there are N participants (numbered 0, 1, …, N-1). Each number x taking part in the computation is represented as N mutually independent random numbers [x]0, [x]1, …, [x]N-1, where the i-th participant holds only [x]i, and [x]0+[x]1+…+[x]N-1=x. These N random numbers [x]0, [x]1, …, [x]N-1 together are called the secret sharing of the original number x, written [x].
Participant i never tells any other participant the share [x]i that it holds. That is, as long as at least one participant does not collude with the others, no participant can learn any information about the original data x.
Although participants do not reveal their own shares, the N participants can still jointly complete some operations. For example, if the secret sharing of x is [x]0, [x]1, …, [x]N-1 and the secret sharing of y is [y]0, [y]1, …, [y]N-1, then the participants can compute the secret sharing of z=x+y without leaking any information. Participant i only needs to compute [z]i=[x]i+[y]i locally; the resulting N random numbers [z]0, [z]1, …, [z]N-1 are then naturally a secret sharing of z, which is easy to verify:
[z]0+[z]1+…+[z]N-1=([x]0+[y]0)+([x]1+[y]1)+…+([x]N-1+[y]N-1)
=([x]0+[x]1+…+[x]N-1)+([y]0+[y]1+…+[y]N-1)=x+y=z
In other words, in secret-sharing-based secure multi-party computation, addition between computed numbers requires no communication; each participant computes locally. Subtraction between operands likewise requires no communication.
However, in secret-sharing secure multi-party computation schemes, multiplication generally carries a large communication cost. In the classic secret-sharing scheme for multiplication, the operation z=x*y is performed in three steps.
① Randomly generate an auxiliary triple a, b, c with a*b=c, and secret-share it among the N participants, so that the i-th participant obtains a triple [a]i, [b]i, [c]i with [a]0+[a]1+…+[a]N-1=a, [b]0+[b]1+…+[b]N-1=b and [c]0+[c]1+…+[c]N-1=c. In existing schemes, this step (creating the triple and securely secret-sharing it among the N participants) is realized either through some complex cryptographic operations (such as homomorphic encryption or oblivious transfer) or by introducing a trusted third party; however, both approaches require one or more rounds of communication between the participants, or between the participants and the trusted third party.
② The i-th participant computes [d]i=[x]i-[a]i and [e]i=[y]i-[b]i, and sends [d]i and [e]i to all other N-1 participants. This step introduces a round of many-to-many communication among the N participants.
③ Every participant has received all the secret shares of d and e, and can therefore compute
d=[d]0+[d]1+…+[d]N-1 and e=[e]0+[e]1+…+[e]N-1.
The i-th participant then computes [z]i=[c]i+e*[x]i+d*[y]i (in particular, for i=0 the 0th participant computes [z]0=[c]0+e*[x]0+d*[y]0-e*d).
It is easy to check that z=[z]0+[z]1+…+[z]N-1=x*y, so [z]i is a secret sharing of the product z=x*y, and no useful data is exposed during the whole computation.
Of the steps above, the second and third both involve communication; more importantly, that communication lies on the critical path of the computation, so in the total computation time the communication latency is added on top of the local computation time.
As the steps above show, every basic multiplication requires a round of two-way communication and therefore costs at least one network delay (typically between a few milliseconds and several hundred milliseconds depending on network conditions), far slower than the computation time of plain-text computation. In practical applications, for example a deep learning model containing tens of billions of multiplications, the computing parties are often geographically distant and communicate over networks of limited bandwidth; the resulting frequent, high-volume two-way communication directly leads to low performance, and secure multi-party computation with multiplicative secret sharing is typically hundreds, thousands or even tens of thousands of times slower than insecure plain-text computation.
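Additive sharing with local addition (the z=x+y case) and the classic three-step multiplication above, as an added Python example that is not code from the patent. It assumes shares mod a prime P and, for step ①, the trusted-third-party variant the text names, modelled here as a local dealer function; the steps that would require network communication are marked in comments.

```python
import secrets

P = 2**61 - 1  # prime modulus, so shares form a field (constructed choice)


def share(x, n):
    """Additive secret sharing: n random shares whose sum is x mod P."""
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((x - sum(shares)) % P)
    return shares


def reconstruct(shares):
    """Open a sharing by adding all shares (needs every participant's share)."""
    return sum(shares) % P


def add_shares(xs, ys):
    """Addition needs no communication: participant i computes
    [z]i = [x]i + [y]i on its own share only."""
    return [(xi + yi) % P for xi, yi in zip(xs, ys)]


def dealer_triple(n):
    """Step ①, trusted-dealer variant (an assumption of this example): the
    dealer picks a, b, c with a*b = c and hands each participant its share
    of the triple. Distributing the shares is one round of communication."""
    a = secrets.randbelow(P)
    b = secrets.randbelow(P)
    c = a * b % P
    return share(a, n), share(b, n), share(c, n)


def multiply_shares(xs, ys, triple):
    """Steps ② and ③ of the classic multiplication protocol."""
    a_s, b_s, c_s = triple
    # Step ②: participant i computes [d]i and [e]i ...
    d_s = [(xi - ai) % P for xi, ai in zip(xs, a_s)]
    e_s = [(yi - bi) % P for yi, bi in zip(ys, b_s)]
    # ... and sends them to all N-1 other participants (many-to-many round).
    # Step ③: everyone can now open d = x - a and e = y - b. Opening them
    # leaks nothing about x or y because a and b are uniformly random.
    d = reconstruct(d_s)
    e = reconstruct(e_s)
    zs = [(ci + e * xi + d * yi) % P for ci, xi, yi in zip(c_s, xs, ys)]
    zs[0] = (zs[0] - e * d) % P  # only participant 0 subtracts e*d
    return zs


def demo_multiply(x, y, n=3):
    """Share x and y among n participants, multiply, open the product."""
    xs, ys = share(x, n), share(y, n)
    zs = multiply_shares(xs, ys, dealer_triple(n))
    return reconstruct(zs)


if __name__ == "__main__":
    xs, ys = share(5, 4), share(9, 4)
    print("sum opened:", reconstruct(add_shares(xs, ys)))  # 14
    print("product opened:", demo_multiply(6, 7))          # 42
```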
发明概要Summary of the invention
本发明的目的在于提供一种用硬件芯片实现安全多方计算的方法,可在保护各方隐私的前提下,高性能地执行共同运算,来达成跨组织机构间的数据共享和协作,且其可以确保索引的不可篡改性,以及查询数据的准确性。The purpose of the present invention is to provide a method for implementing secure multi-party computation using hardware chips, which can perform joint operations with high performance on the premise of protecting the privacy of all parties to achieve data sharing and collaboration across organizations, and which can Ensure the immutability of the index and the accuracy of the query data.
为实现上述目的,本发明的技术方案如下:In order to achieve the above objects, the technical solutions of the present invention are as follows:
一种基于用硬件芯片实现安全多方计算的方法,用于高效实现秘密分享安全多方计算方案中的乘法运算,其特征在于,包括N个参与者(0,1,…,N-1),每一个所述的参与者(0,1,…,N-1)包括一个物理芯片,每一个所述物理芯片包含有一个外部无法读取的和唯一与相应所述物理芯片对应的私有密钥;每一个物理芯片通过各自的所述私有密钥计算得出的相应的非对称加密公钥,每一个所述加密公钥被外部读取作为唯一标识相应所述物理芯片的特征;其中,所述方法包括如下步骤:A method based on using hardware chips to implement secure multi-party computation, which is used to efficiently implement multiplication operations in secret sharing secure multi-party computation schemes. It is characterized by including N participants (0,1,...,N-1), each One of the participants (0,1,...,N-1) includes a physical chip, and each of the physical chips contains an externally unreadable and unique private key corresponding to the corresponding physical chip; Each physical chip has a corresponding asymmetric encryption public key calculated through its respective private key, and each of the encryption public keys is read externally as a characteristic that uniquely identifies the corresponding physical chip; wherein, the The method includes the following steps:
Step S1: Before performing multiplicative secret-sharing secure multi-party computation, the physical chips of all participants (0,1,…,N-1) negotiate a common pseudo-random number generator seed, which is used to initialize their respective first and second pseudo-random number generators, where N is greater than or equal to 2;
Step S2: For the multiplication operation z=x*y, one of the N participants (0,1,…,N-1) is selected to perform the work of B, and the remaining N-1 participants perform the work of A; the participant performing the work of B holds the secret shares of x and y ([x]0 and [y]0), and the remaining N-1 participants (1,2,…,N-1) performing the work of A hold the secret shares of x and y ([x]1 and [y]1), ([x]2 and [y]2), …, ([x]N-1 and [y]N-1) respectively, satisfying [x]0+[x]1+…+[x]N-1=x and [y]0+[y]1+…+[y]N-1=y;
Step S3: Participant A and participant B both use the first pseudo-random number generator of their respective physical chips to generate two random numbers r1 and r2, and use the second pseudo-random number generator of their respective physical chips to generate one random number r3;
Step S4: The N-1 participants (1,…,N-1) performing the work of A respectively compute d1=[x]1-r1, e1=[y]1-r2, …, dN=[x]N-r1, eN=[y]N-r2, and send the values d1,d2,…,dN and e1,e2,…,eN to participant B via the untrusted computer memory space outside the physical chip;
Step S5: Participant B receives d1,d2,…,dN and e1,e2,…,eN from the participants A and computes u1=[x]1+d1 and v1=[y]1+e1, …, uN=[x]N+dN and vN=[y]N+eN, thereby obtaining respectively:
[z]1=u1*v1+u1*r2+v1*r1-r3=([x]1+[x]0)*([y]1+[y]0)-r1*r2-r3;
[z]2=u2*v2+u2*r2+v2*r1-r3=([x]2+[x]0)*([y]2+[y]0)-r1*r2-r3;
……
[z]N=uN*vN+uN*r2+vN*r1-r3=([x]N+[x]0)*([y]N+[y]0)-r1*r2-r3;
and outputs [z]1,[z]2,…,[z]N to the untrusted computer memory space outside the physical chip, obtaining [z]B=[z]1+[z]2+…+[z]N;
Step S6: Each of the N-1 participants (1,…,N-1) performing the work of A internally computes [z]A=r1*r2+r3 and outputs it to the untrusted computer memory space outside the physical chip, from which one obtains:
[z]B+(N-1)*[z]A=x*y.
Further, the private key is written once by the manufacturer of the physical chip, or is realized by using the process noise of the physical chip during manufacturing as its feature.
Further, in step S1, generation of the pseudo-random number generator seed comprises:
First, participant A generates a true random number SA with the true random number generator inside its local physical chip and encrypts it with the public key of participant B's chip to obtain EncB(SA);
Second, participant A sends EncB(SA) to participant B; after participant B's physical chip receives EncB(SA), it generates a true random number SB with the true random number generator inside the local physical chip, decrypts EncB(SA) with the local private key to obtain SA, and concatenates SA and SB into the pseudo-random number generator seed; participant B also encrypts SB with the public key of participant A's physical chip to obtain EncA(SB) and sends EncA(SB) to A;
Third, participant A decrypts EncA(SB) with its local private key to obtain SB and concatenates SA and SB into the same pseudo-random number generator seed, so that the physical chips of all participants in the secure multi-party computation agree on one and the same pseudo-random number generator seed.
Further, N is 2.
To achieve the above object, a further technical solution of the present invention is as follows:
A system for implementing secure multi-party computation using hardware chips, used to efficiently implement the multiplication operation in a secret-sharing secure multi-party computation scheme, comprising N participants (0,1,…,N-1) and an untrusted computer memory space; wherein the N participants (0,1,…,N-1) are divided into participants A and participant B, one of the N participants (0,1,…,N-1) being selected to perform the work of B while the remaining N-1 participants perform the work of A; the participant performing the work of B holds the secret shares of x and y ([x]0 and [y]0), and the remaining N-1 participants (1,2,…,N-1) performing the work of A hold the secret shares of x and y ([x]1 and [y]1), ([x]2 and [y]2), …, ([x]N-1 and [y]N-1) respectively, satisfying [x]0+[x]1+…+[x]N-1=x and [y]0+[y]1+…+[y]N-1=y;
Each of the participants (0,1,…,N-1) comprises:
a physical chip, each physical chip containing a private key that cannot be read externally and that uniquely corresponds to that physical chip; each physical chip computes a corresponding asymmetric-encryption public key from its own private key, and each public key can be read externally as the feature that uniquely identifies the corresponding physical chip;
a first pseudo-random number generator and a second pseudo-random number generator, which use a common pseudo-random number generator seed negotiated between the physical chips of all participants (0,1,…,N-1); participant A and participant B both use the first pseudo-random number generator of their respective physical chips to generate two random numbers r1 and r2, and use the second pseudo-random number generator of their respective physical chips to generate one random number r3;
a multiplication unit, which, by executing steps S3 to S6 of claim 1, obtains the value z of the multiplication operation x*y in the untrusted computer memory space outside the physical chip.
Further, the multiplication unit comprises a secret-sharing bit operator, a random number register bank and a secret-sharing multiplier; the pseudo-random number sequences generated by the first and second pseudo-random number generators are partly or wholly buffered in the random number register bank to supply the secret-sharing bit operator and the secret-sharing multiplier for computation.
Further, the secret-sharing multiplier comprises an input port and an output port; the input port receives the secret shares of the input operands from the untrusted computer memory space, and the output port outputs the multiplication result to the untrusted memory space in secret-shared form.
Further, the secret-shared output of the output port is masked with a newly generated random number, to ensure that the output data contain no more information than an arbitrary random number.
Further, the masking operation with the newly generated random number is one of addition or bitwise XOR.
Further, the physical chips used by the N participants (0,1,…,N-1) are FPGAs.
It can be seen from the above technical solutions that the method of the present invention for implementing secure multi-party computation with hardware chips works by changing the communication pattern of the participants. Unlike the classic scheme, which requires two-way communication between all participants, communication in the embodiment of the present invention is one-way: only participant A sends data to participant B, and participant B does not need to send any data to participant A during the entire multiplication operation. This is of great significance for complex computations that involve multi-step multiplication operations: one-way communication means that the computations of participant A and participant B can be completely asynchronous, that is, neither needs to wait for the other's corresponding preceding step to finish before proceeding directly to subsequent computation steps, so the computation becomes insensitive to network communication latency and the efficiency of secure multi-party computation is improved.
Description of drawings
Figure 1 is a system block diagram of a database index based on a polynomial commitment mechanism in an embodiment of the present invention.
Figure 2 is a schematic flowchart of a database indexing method based on a polynomial commitment mechanism in an embodiment of the present invention.
Contents of the invention
Specific embodiments of the present invention are described in further detail below with reference to Figures 1-2.
It should be noted that in the secure multi-party computation scheme of the present invention, the secret-sharing scheme is based on the classic additive secret-sharing secure multi-party computation scheme: basic operations such as addition, subtraction, multiplication and division are all performed as cipher-text computation, that is, the parties taking part in the computation never disclose their own data and only exchange some encrypted data, yet can cooperatively complete the overall computation.
The key point is that the basic operations such as multiplication and division of the present invention eliminate two-way communication and replace it with one-way communication; in other words, communication is no longer on the critical path of the computation, which removes the performance bottleneck of secure multi-party computation: through fully asynchronous computation by participant A and participant B, the efficiency of secure multi-party computation is improved.
Referring to Figure 1, which is a block diagram of the database index system based on a polynomial commitment mechanism in an embodiment of the present invention: as shown in Figure 1, the system comprises N participants (0,1,…,N-1) and an untrusted computer memory space.
In the embodiment of the present invention, each participant (0,1,…,N-1) comprises a physical chip, a first pseudo-random number generator, a second pseudo-random number generator and a multiplication unit. The region inside the physical chip is a trusted region: the logic within it cannot be tampered with, and the data within it cannot be read (except for data that the physical chip's API interface is designed to expose).
Each physical chip contains a private key HK1 that cannot be read externally and that uniquely corresponds to that physical chip, but which can be used to decrypt encrypted messages supplied from outside. Each physical chip computes a corresponding asymmetric-encryption public key from its own private key, and each public key can be read externally as the feature that uniquely identifies the corresponding physical chip.
The private key can be written into the chip once by the manufacturer at fabrication time, or can be realized by using the process noise of chip manufacturing as its feature; methods of realizing a unique private key are mature industry technology and are not described further here.
Since the design of the physical chip ensures that the private key cannot be read out externally, while the asymmetric-encryption public key computed from that private key can be read externally, the public key can also uniquely identify any physical chip.
In the embodiment of the present invention, the physical chips used by the N participants (0,1,…,N-1) are FPGAs.
Based on the above characteristics, a secure multi-party computation participant holding such a physical chip can confirm whether the other party's chip is trustworthy by requiring the other party to sign with the key inside its chip; even when the participants are geographically far apart, trust can be established over the network. This is the remote attestation process.
Referring to Figure 2, which is a schematic flowchart of the database indexing method based on a polynomial commitment mechanism in an embodiment of the present invention: as shown in Figure 2, the method is used for multiplicative secret-sharing secure multi-party computation and comprises the following steps:
Step S1: Before performing multiplicative secret-sharing secure multi-party computation, the physical chips of all participants (0,1,…,N-1) negotiate a common pseudo-random number generator seed, which is used to initialize their respective first and second pseudo-random number generators, where N is greater than or equal to 2.
Specifically, before performing secure multi-party computation, the physical chips of all participants (0,1,…,N-1) need to negotiate a common seed for initializing their respective pseudo-random number generators, but this seed must not be disclosed. Further, the true random number generator inside a participant's physical chip can generate true random numbers from the chip's physical thermal noise, which form one part of the pseudo-random number generator seed (the other part is obtained by decrypting the encrypted message provided by the other participant).
The following takes N=2 as an example.
Generation of the pseudo-random number generator seed may comprise the following steps:
First, participant A generates a true random number SA with the true random number generator inside its local physical chip and encrypts it with the public key of participant B's chip to obtain EncB(SA);
Second, participant A sends EncB(SA) to participant B; after participant B's physical chip receives EncB(SA), it generates a true random number SB with the true random number generator inside the local physical chip, decrypts EncB(SA) with the local private key to obtain SA, and concatenates SA and SB into the pseudo-random number generator seed; participant B also encrypts SB with the public key of participant A's physical chip to obtain EncA(SB) and sends EncA(SB) to A;
Third, participant A decrypts EncA(SB) with its local private key to obtain SB and concatenates SA and SB into the same pseudo-random number generator seed, so that the physical chips of all participants in the secure multi-party computation agree on one and the same pseudo-random number generator seed.
In the embodiment of the present invention, once pseudo-random number generators initialized from a common random seed have been established among the secure multi-party computation participants (0,1,…,N-1), the multiplication operation z=x*y can be executed by the multiplication unit.
Referring again to Figure 1, the multiplication unit may comprise a secret-sharing bit operator, a random number register bank and a secret-sharing multiplier; the pseudo-random number sequences generated by the first and second pseudo-random number generators are partly or wholly buffered in the random number register bank to supply the secret-sharing bit operator and the secret-sharing multiplier for computation, and the result of the multiplication operation is output to the untrusted computer memory space outside the physical chip, from which the value of x*y is finally obtained.
The secret-sharing multiplier comprises an input port and an output port; the input port receives the secret shares of the input operands from the untrusted computer memory space, and the output port outputs the multiplication result to the untrusted memory space in secret-shared form.
Preferably, the secret-shared output of the output port is masked with a newly generated random number (the masking operation being one of addition or bitwise XOR), to ensure that the output data contain no more information than an arbitrary random number.
Specifically, this can be achieved by executing the following steps:
Step S2: For the multiplication operation z=x*y, one of the N participants (0,1,…,N-1) is selected to perform the work of B, and the remaining N-1 participants perform the work of A. Each number x taking part in the computation is represented as N mutually independent random numbers [x]0,[x]1,…,[x]N-1; the i-th participant holds only [x]i, and [x]0+[x]1+…+[x]N-1=x.
The N random numbers [x]0,[x]1,…,[x]N-1 together are called the secret sharing of the original number x, written [x]; participant i never tells any other participant the share [x]i that it holds. Likewise, each number y taking part in the computation is represented as N mutually independent random numbers [y]0,[y]1,…,[y]N-1; the i-th participant holds only [y]i, and [y]0+[y]1+…+[y]N-1=y.
That is, as long as at least one participant does not collude with the others, no participant can learn any information about the original data x and y.
Here the participant performing the work of B holds the secret shares of x and y ([x]0 and [y]0), and the remaining N-1 participants (1,2,…,N-1) performing the work of A hold the secret shares of x and y ([x]1 and [y]1), ([x]2 and [y]2), …, ([x]N-1 and [y]N-1) respectively, satisfying [x]0+[x]1+…+[x]N-1=x and [y]0+[y]1+…+[y]N-1=y.
Step S3: Participant A and participant B both use the first pseudo-random number generator of their respective physical chips to generate two random numbers r1 and r2, and use the second pseudo-random number generator of their respective physical chips to generate one random number r3.
Step S4: The N-1 participants (1,…,N-1) performing the work of A respectively compute d1=[x]1-r1, e1=[y]1-r2, …, dN=[x]N-r1, eN=[y]N-r2, and send the values d1,d2,…,dN and e1,e2,…,eN to participant B via the untrusted computer memory space outside the physical chip.
Step S5: Participant B receives d1,d2,…,dN and e1,e2,…,eN from the participants A and computes u1=[x]1+d1 and v1=[y]1+e1, …, uN=[x]N+dN and vN=[y]N+eN, thereby obtaining respectively:
[z]1=u1*v1+u1*r2+v1*r1-r3=([x]1+[x]0)*([y]1+[y]0)-r1*r2-r3;
[z]2=u2*v2+u2*r2+v2*r1-r3=([x]2+[x]0)*([y]2+[y]0)-r1*r2-r3;
……
[z]N=uN*vN+uN*r2+vN*r1-r3=([x]N+[x]0)*([y]N+[y]0)-r1*r2-r3;
and outputs [z]1,[z]2,…,[z]N to the untrusted computer memory space outside the physical chip, obtaining [z]B=[z]1+[z]2+…+[z]N;
Step S6: Each of the N-1 participants (1,…,N-1) performing the work of A internally computes [z]A=r1*r2+r3 and outputs it to the untrusted computer memory space outside the physical chip, from which one obtains:
[z]B+(N-1)*[z]A=x*y.
It can be seen from the above that the present invention uses specially designed chip hardware to improve the classic additive secret-sharing secure multi-party computation scheme, greatly reducing the communication cost of multiplication operations, by as much as several orders of magnitude, and thereby greatly improving the performance of secure multi-party computation schemes in practical applications.
Example 1
For ease of understanding, the method of implementing secure multi-party computation with hardware chips is described in detail below, taking two parties as an example.
After the secure multi-party computation participants (participant A and participant B) have confirmed that the chip used by the other party is trustworthy, the participants can jointly decide on a shared random seed. The seed is computed jointly from true random numbers produced by the true random number generators inside the participants' chips, which reflect the random thermal noise of the physical hardware; the communication during this computation is protected by asymmetric encryption under the keys inside the physical chips, and the result is kept only inside the physical chips, so that no participant can read the random seed outside the physical chip.
The physical chips of all participants use this shared random seed to initialize the two independent pseudo-random number generators inside their respective chips (the first and the second pseudo-random number generator); alternatively, different parts of the random seed can serve as the initialization seeds of the two generators, so that the two pseudo-random number generators are fully independent.
Preferably, the random number generation algorithm of the pseudo-random number generator must be of cryptographic strength, that is, without knowing the generator's initialization seed, no information about the next random number can be inferred from the current one.
Once pseudo-random number generators initialized from the common random seed have been established among the above secure multi-party computation participants, the multiplication operation of the secure multi-party computation scheme can proceed:
Step 1: Party A holds the secret shares [x]0 and [y]0 of x and y, and party B holds the secret shares [x]1 and [y]1 of x and y. Party A and party B both use the first pseudo-random number generator of their respective chips to generate two random numbers r1 and r2, and the second pseudo-random number generator to generate one random number r3. Party A computes d=[x]0-r1 and e=[y]0-r2 and sends the values d and e (for example, over the network) to party B.
Step 2: Party B receives d and e from party A and computes u=[x]1+d and v=[y]1+e. Note that party B receives the information sent by party A but does not need to send any information to party A; the communication is therefore one-way.
Step 3: Because the pseudo-random number generators in A's and B's chips use the same initialization seed, B's chip internally generates the same random numbers r1, r2 and r3. B's chip computes internally:
[z]1=u*v+u*r2+v*r1-r3=([x]1+d)*([y]1+e)+([x]1+d)*r2+([y]1+e)*r1-r3
=([x]1+[x]0-r1)*([y]1+[y]0-r2)+([x]1+[x]0-r1)*r2+([y]1+[y]0-r2)*r1-r3
=([x]1+[x]0)*([y]1+[y]0)-r1*([y]1+[y]0)-r2*([x]1+[x]0)+r1*r2+([x]1+[x]0)*r2-r1*r2+([y]1+[y]0)*r1-r2*r1-r3
=([x]1+[x]0)*([y]1+[y]0)-r1*r2-r3
That is, ([x]1+[x]0)*([y]1+[y]0)-r1*r2-r3 is the multiplication result on B's side.
Meanwhile, participant A computes [z]0=r1*r2+r3.
It is then easy to verify that [z]0+[z]1=([x]0+[x]1)*([y]0+[y]1)=x*y, that is, participant A and participant B each hold a secret share of the multiplication result.
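The two-party protocol of Example 1 (generators initialized from a shared seed, steps 1-3, and the final reconstruction check), written out as an added Python example; this is illustrative code, not the patent's FPGA implementation. It assumes additive shares in Z_{2^64}, an HMAC-SHA256 counter construction for the two pseudo-random number generators, and that the encrypted SA/SB exchange of step S1 has already taken place; the Chip class and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Assumption (the page fixes no ring): additive shares live in Z_{2^64}.
MOD = 1 << 64


class Prng:
    """Deterministic generator derived from the shared seed: HMAC-SHA256 over a
    counter. Assumed construction; the page only requires that the next output
    cannot be predicted without knowing the seed."""

    def __init__(self, seed: bytes, label: bytes) -> None:
        # A distinct label per generator plays the role of "different parts of
        # the seed", keeping the first and second generators independent.
        self._key = hashlib.sha256(label + seed).digest()
        self._counter = 0

    def next_u64(self) -> int:
        msg = self._counter.to_bytes(8, "big")
        self._counter += 1
        block = hmac.new(self._key, msg, hashlib.sha256).digest()
        return int.from_bytes(block[:8], "big")


class Chip:
    """Models the trusted region of one party's physical chip. Attributes
    prefixed with '_' never leave the chip; only the return values of the
    public methods reach the untrusted memory space outside it."""

    def __init__(self, seed: bytes) -> None:
        self._prng1 = Prng(seed, b"first")   # yields r1, r2 (step S3)
        self._prng2 = Prng(seed, b"second")  # yields r3     (step S3)
        self._z0 = None

    def _draw(self):
        return self._prng1.next_u64(), self._prng1.next_u64(), self._prng2.next_u64()

    def a_send(self, x0: int, y0: int):
        """Work of A: d=[x]0-r1 and e=[y]0-r2 are the only values sent to B.
        [z]0=r1*r2+r3 is fixed here as well: it needs no message from B,
        which is why A never waits on the network."""
        r1, r2, r3 = self._draw()
        self._z0 = (r1 * r2 + r3) % MOD
        return (x0 - r1) % MOD, (y0 - r2) % MOD

    def a_output(self) -> int:
        """[z]0 released to the untrusted memory space."""
        return self._z0

    def b_receive(self, x1: int, y1: int, d: int, e: int) -> int:
        """Work of B: u=[x]1+d, v=[y]1+e, then
        [z]1 = u*v + u*r2 + v*r1 - r3 = x*y - r1*r2 - r3 (derivation of step 3)."""
        r1, r2, r3 = self._draw()   # same seed and draw order, so same r1, r2, r3
        u = (x1 + d) % MOD
        v = (y1 + e) % MOD
        return (u * v + u * r2 + v * r1 - r3) % MOD


def share(value: int):
    """Additive secret sharing: [v]0 is uniform and [v]1 = v - [v]0, so neither
    share alone carries information about v."""
    s0 = secrets.randbelow(MOD)
    return s0, (value - s0) % MOD


def reconstruct(s0: int, s1: int) -> int:
    return (s0 + s1) % MOD


def negotiate_seed() -> bytes:
    """Step S1, abbreviated: SA and SB come from each chip's true random number
    generator (modelled with secrets.token_bytes) and are concatenated; the
    EncB(SA)/EncA(SB) transport is assumed to have happened and is not modelled."""
    s_a = secrets.token_bytes(32)
    s_b = secrets.token_bytes(32)
    return s_a + s_b


def run_products(pairs, seed=None):
    """Multiply several (x, y) pairs on one pair of chips and return the
    reconstructed products. Both chips draw exactly three numbers per
    multiplication, so their generators stay in step across rounds."""
    seed = seed if seed is not None else negotiate_seed()
    chip_a, chip_b = Chip(seed), Chip(seed)
    results = []
    for x, y in pairs:
        x0, x1 = share(x % MOD)
        y0, y1 = share(y % MOD)
        d, e = chip_a.a_send(x0, y0)          # the one-way message A -> B
        z1 = chip_b.b_receive(x1, y1, d, e)   # B's share, computed on arrival
        z0 = chip_a.a_output()                # A's share, available all along
        results.append(reconstruct(z0, z1))
    return results


if __name__ == "__main__":
    print(run_products([(6, 7), (3, 4), (-1, 5)]))  # [42, 12, 18446744073709551611]
```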
It is clear to those skilled in the art that the above example is for 2 participants, but the computation scheme can readily be extended to N participants: one of the N participants is selected to perform the work of participant B while the other N-1 perform the work of participant A, so that communication among the N participants remains one-way, with the N-1 participants A sending data in one direction to the party performing the work of participant B.
To summarize, comparing the above computation scheme of the present invention with the classic scheme, the main advantage of the above scheme is that it changes the communication pattern of the participants. Unlike the classic scheme, which requires two-way communication between all participants, communication in the above scheme is one-way: only participant A sends data to participant B, and participant B does not need to send any data to participant A during the entire multiplication operation.
This is of great significance for complex computations involving multi-step multiplication operations. One-way communication means that the computations of participant A and participant B can be completely asynchronous, that is, neither needs to wait for the other's corresponding preceding step to finish before proceeding directly to subsequent computation steps, so the computation is insensitive to network communication latency. If communication were two-way, participant A or participant B would have to wait for the other's corresponding step to complete and receive the intermediate result over the network before performing subsequent computation steps, so the network latency would lie on the critical path and become the performance bottleneck of the entire computation.
Experimental results show that the present invention can improve the performance of secure multi-party computation by 100 to 1000 times compared with traditional schemes, especially when the participants in the secure multi-party computation are in a high-latency network environment. The following is a performance comparison between the scheme of the present invention (implemented on FPGA hardware) and the traditional scheme on CPU and GPU respectively (network communication latency of 200 milliseconds):
The above are only preferred embodiments of the present invention; the embodiments are not intended to limit the scope of patent protection of the present invention. Therefore, all equivalent structural changes made using the contents of the description and drawings of the present invention shall likewise be included within the protection scope of the appended claims.

Claims (10)

  1. A method of implementing secure multi-party computation using hardware chips, for implementing the multiplication operation in a secret-sharing secure multi-party computation scheme, characterized in that it includes N participants (0,1,…,N-1), each of said participants (0,1,…,N-1) including a physical chip, each of said physical chips containing a private key that cannot be read externally and uniquely corresponds to the respective physical chip; each physical chip computes a corresponding asymmetric-encryption public key from its own said private key, and each said public key is read externally as the feature uniquely identifying the respective physical chip; wherein the method includes the following steps:
    Step S1: Before performing the secret-sharing secure multi-party computation, the physical chips of all participants (0,1,…,N-1) negotiate a common pseudo-random number generator seed, used to initialize their respective first pseudo-random number generator and second pseudo-random number generator, where N is greater than or equal to 2;
    Step S2: For the multiplication operation z=x*y, one of the N participants (0,1,…,N-1) is selected to perform the work of B, and the remaining N-1 participants perform the work of A; the participant performing the work of B holds the secret shares of x and y ([x]0 and [y]0), and the remaining N-1 participants (1,2,…,N-1) performing the work of A respectively hold the secret shares of x and y ([x]1 and [y]1), ([x]2 and [y]2), …, ([x]N-1 and [y]N-1), satisfying [x]0+[x]1+…+[x]N-1=x and [y]0+[y]1+…+[y]N-1=y;
    Step S3: Participant A and participant B each use the first pseudo-random number generator of their respective physical chip to generate two random numbers r1 and r2, and the second pseudo-random number generator of their respective physical chip to generate one random number r3;
    Step S4: The N-1 participants (1,…,N-1) performing the work of A respectively compute d1=[x]1-r1, e1=[y]1-r2, …, dN=[x]N-r1, eN=[y]N-r2, and send the values d1,d2,…,dN and e1,e2,…,eN to said participant B through the untrusted computer memory space outside said physical chip;
    Step S5: Participant B receives d1,d2,…,dN and e1,e2,…,eN from participant A and respectively computes u1=[x]1+d1 and v1=[y]1+e1, …, uN=[x]N+dN and vN=[y]N+eN, thereby obtaining respectively:
    [z]1=u1*v1+u1*r2+v1*r1-r3=([x]1+[x]0)*([y]1+[y]0)-r1*r2-r3;
    [z]2=u2*v2+u2*r2+v2*r1-r3=([x]2+[x]0)*([y]2+[y]0)-r1*r2-r3;
    ……
    [z]N=uN*vN+uN*r2+vN*r1-r3=([x]N+[x]0)*([y]N+[y]0)-r1*r2-r3;
    and outputs [z]1,[z]2,…,[z]N to the untrusted computer memory space outside said physical chip, obtaining [z]B=[z]1+[z]2+…+[z]N;
    Step S6: Inside each of the N-1 participants (1,…,N-1) performing the work of A, [z]A=r1*r2+r3 is computed and output to the untrusted computer memory space outside said physical chip, whereby:
    [z]B+(N-1)*[z]A=x*y.
  2. The method for implementing secure multi-party computation using hardware chips according to claim 1, characterized in that said key is written once by the manufacturer of said physical chip, or is realized using the process noise of said physical chip during manufacturing as its feature.
  3. The method for implementing secure multi-party computation using hardware chips according to claim 1, characterized in that, in step S1, the generation of said pseudo-random number generator seed includes the following steps:
    First, participant A uses the true random number generator inside its local physical chip to generate a true random number SA, and encrypts it with the public key of participant B's chip to obtain EncB(SA);
    Second, participant A sends EncB(SA) to participant B; after participant B's physical chip receives EncB(SA), it uses the true random number generator inside its local physical chip to generate a true random number SB, decrypts EncB(SA) with its local private key to obtain SA, and concatenates SA and SB into the pseudo-random number generator seed; participant B also encrypts SB with the public key of participant A's physical chip to obtain EncA(SB) and sends EncA(SB) to A;
    Third, participant A decrypts EncA(SB) with its local private key to obtain SB, and concatenates SA and SB into the same pseudo-random number generator seed, so that the physical chips of all participants in the secure multi-party computation determine the same pseudo-random number generator seed.
  4. The method for implementing secure multi-party computation using hardware chips according to claim 1, characterized in that N is 2.
  5. A system for implementing secure multi-party computation using hardware chips, for implementing multiplication in secret-sharing secure multi-party computation, characterized in that it includes N participants (0,1,…,N-1) and an untrusted computer memory space, wherein the N participants (0,1,…,N-1) are divided into participants A and participant B, one of the N participants (0,1,…,N-1) being selected to perform the work of B while the remaining N-1 participants perform the work of A; the participant performing the work of B holds the secret shares of x and y ([x]0 and [y]0), and the remaining N-1 participants (1,2,…,N-1) performing the work of A respectively hold the secret shares of x and y ([x]1 and [y]1), ([x]2 and [y]2), …, ([x]N-1 and [y]N-1), satisfying [x]0+[x]1+…+[x]N-1=x and [y]0+[y]1+…+[y]N-1=y;
    each of said participants (0,1,…,N-1) includes:
    a physical chip, each said physical chip containing a private key that cannot be read externally and uniquely corresponds to the respective physical chip; each physical chip computes a corresponding asymmetric-encryption public key from its own said private key, and each said public key is read externally as the feature uniquely identifying the respective physical chip;
    a first pseudo-random number generator and a second pseudo-random number generator, seeded with a common pseudo-random number generator seed negotiated between the physical chips of all said participants (0,1,…,N-1); participant A and participant B each use the first pseudo-random number generator of their respective physical chip to generate two random numbers r1 and r2, and the second pseudo-random number generator of their respective physical chip to generate one random number r3;
    a multiplication unit which, by executing steps S3 to S6 of claim 1, obtains the value z of the multiplication x*y in the untrusted computer memory space outside said physical chip.
  6. The database indexing system based on a polynomial commitment mechanism according to claim 5, wherein said multiplication unit includes a secret-sharing bit operator, a random number register bank and a secret-sharing multiplier; the pseudo-random number sequences generated by said first and second pseudo-random number generators are partly or wholly cached in said random number register bank to supply said secret-sharing bit operator and said secret-sharing multiplier for computation.
  7. The database indexing system based on a polynomial commitment mechanism according to claim 6, characterized in that said secret-sharing multiplier includes an input terminal and an output terminal, said input terminal receiving the secret shares of the input operands from said untrusted computer memory space, and said output terminal outputting the multiplication result to said untrusted memory space in secret-shared form.
  8. The database indexing system based on a polynomial commitment mechanism according to claim 7, characterized in that the secret-shared output of said output terminal is masked with a freshly generated random number, ensuring that the output data contains no more information than an arbitrary random number.
  9. The database indexing system based on a polynomial commitment mechanism according to claim 5, characterized in that the masking operation with said regenerated random number includes one of addition and bitwise exclusive-OR.
  10. The database indexing system based on a polynomial commitment mechanism according to claim 5, characterized in that the physical chip used by said N participants (0,1,…,N-1) is an FPGA.
Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210437157.5A CN115913525A (en) 2022-04-25 2022-04-25 Method and system for realizing safe multi-party calculation by using hardware chip
CN202210437157.5 2022-04-25

Publications (1)

Publication Number Publication Date
WO2023207735A1 true WO2023207735A1 (en) 2023-11-02

Family

ID=86487031

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/089372 WO2023207735A1 (en) 2022-04-25 2023-04-20 Method and system for realizing secure multi-party computation by using hardware chips

Country Status (2)

Country Link
CN (1) CN115913525A (en)
WO (1) WO2023207735A1 (en)

Also Published As

Publication number Publication date
CN115913525A (en) 2023-04-04

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 23795168
Country of ref document: EP
Kind code of ref document: A1