WO2023216403A1 - Ciphertext restoration method for private set intersection based on homomorphic encryption - Google Patents


Info

Publication number: WO2023216403A1
Application number: PCT/CN2022/103668
Authority: WO (WIPO, PCT)
Prior art keywords: ciphertext, value, homomorphic encryption, intersection, privacy
Other languages: French (fr), Chinese (zh)
Inventors: 周朕, 谢翔, 李升林, 孙立林
Original assignee: 上海阵方科技有限公司 (application filed by 上海阵方科技有限公司)
Priority date, filing date and publication date: not shown on this page (Google notes that the priority date it lists is an assumption, not a legal conclusion)


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/008 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption


Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

Disclosed in the present invention is a ciphertext restoration method for private set intersection based on homomorphic encryption. The dual version of the known postage stamp problem that it uses is: given $h = 2^L$ and $M(h, A_k) = m + 1$, find the smallest possible $k$ and a corresponding set $A_k$. The invention implements a method for converting a solution of a problem instance with a relatively small numerical value, $M(h/D, A_{k_D})$, into a solution of a problem instance with a relatively large numerical value, $M(h, A_k)$, which resolves the lack of known solutions for large values. Moreover, the total number of addition expressions that need to be stored is only that given by formula (I); compared with the total number $m$ of addition expressions that must be stored in the case of the optimal solution, this method greatly reduces the storage cost.

Description

A ciphertext restoration method for private set intersection under homomorphic encryption

Technical field
The invention relates to the field of computer software, and in particular to a ciphertext restoration method for private set intersection under homomorphic encryption.
Background
Private set intersection is a privacy-preserving computation technique based on modern cryptography. It allows two parties, each holding a data set, to compute the intersection of their sets while guaranteeing that nothing outside the intersection in either set is revealed to the other party. Several cryptographic techniques can realize private set intersection; fully homomorphic encryption is one of the popular ones, especially when the two parties' set sizes are very unbalanced, for example when one party holds thousands of entries and the other hundreds of millions (Paper 1: Resende A C D, Aranha D F. Faster unbalanced private set intersection. International Conference on Financial Cryptography and Data Security. Springer, Berlin, Heidelberg, 2018: 203-221).
Fully homomorphic encryption allows addition, subtraction, multiplication and similar operations to be carried out on data while it stays encrypted, which makes outsourced computation on private data possible. In private set intersection based on fully homomorphic encryption, the party holding the small set is generally called the client and the party holding the large set the server. The procedure is briefly as follows:
1) The client and the server jointly negotiate a fully homomorphic encryption scheme Scheme-FHE and fix its public parameters pparams;
2) Based on the negotiated Scheme-FHE and pparams, the client randomly generates the secret key sk used to encrypt the client's data and the evaluation key evk (the "conversion key" in the source text) used for homomorphic computation on ciphertexts;
3) The client sends evk to the server and stores sk securely so that it is never leaked;
4) The client encrypts its plaintext data Y under sk to obtain the ciphertext cY and sends cY to the server;
5) Using evk, the server's plaintext data X and the received client ciphertext cY, the server computes the intersection result ciphertext cInsec and sends it to the client;
6) The client decrypts cInsec with sk, obtains the intersection result plaintext Insec, and from it the set intersection.
In this process the server's data X is never sent out, so the client learns nothing of X outside the intersection; the client's data Y reaches the server only as the ciphertext cY, so the server learns nothing of Y outside the intersection either (see Figure 1). After steps 1)-6) the client holds the intersection of X and Y and could send it to the server over some secure channel (for example under symmetric encryption), but that requires the client to be completely honest. In several current private set intersection scenarios (such as data alignment and private retrieval), however, the result does not need to be bidirectional: the server does not need to learn the intersection.
In homomorphic-encryption-based private set intersection, the intersection is determined by iterating over each client element y and testing whether the same value occurs in the server's data $X = \{x_1, x_2, x_3, \ldots, x_m\}$. More specifically, the product $(y - x_1)(y - x_2)(y - x_3) \cdots (y - x_m)$ is evaluated: if it is 0, then y lies in the intersection, otherwise it does not. Under fully homomorphic encryption, however, every occurrence of y in this expression is a ciphertext.
It is worth noting that a fully homomorphic encryption scheme is essentially a noisy encryption scheme: computing on ciphertexts increases their noise, ciphertext multiplication in particular, and once the noise passes a certain level the ciphertext no longer decrypts to the correct result. The price of allowing more additions and multiplications on a ciphertext is larger scheme parameters, which means more computation, more storage and more communication. For a client ciphertext cy, evaluating $(y - x_1)(y - x_2)(y - x_3) \cdots (y - x_m)$ directly means m - 1 ciphertext multiplications.
Paper 2 (Chen H, Laine K, Rindal P. Fast private set intersection from homomorphic encryption. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. 2017: 1243-1255) observes that if y is treated as a polynomial variable and the product is expanded as $y^m + a_{m-1} y^{m-1} + a_{m-2} y^{m-2} + \cdots + a_1 y + a_0$, then the client can send the ciphertexts $cy^i$ of several chosen powers of y at once, and the server can restore all of $cy, cy^2, cy^3, \ldots, cy^m$ with fewer ciphertext multiplications and then evaluate the expression on ciphertexts. As Figures 2 and 3 illustrate for $y^{15} + a_{14} y^{14} + a_{13} y^{13} + \cdots + a_1 y + a_0$: if the client provides only the ciphertext cy, restoring the ciphertexts of all powers needs 4 layers of ciphertext multiplication; if the client provides $cy, cy^2, cy^4, cy^6$, only 2 layers are needed.
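The membership test and the depth saving just described, as an added example that is not code from the patent or from Paper 2. There is no real FHE here: the toy `Ct` class carries the plaintext value together with the number of ciphertext-by-ciphertext multiplication layers it has consumed, which is the quantity the depth budget L constrains; plaintext-by-ciphertext multiplication and addition cost no layer. The prime plaintext modulus P and the 15-element server set X_SAMPLE are constructed for the example. With seed cy alone the 15 powers need 4 layers; with seeds cy, cy^2, cy^4, cy^6 they need 2, matching Figures 2 and 3.

```python
"""Membership test of FHE-based PSI as a polynomial in y, with powers restored from seeds."""

P = 1_000_003  # toy prime plaintext modulus (assumption); every |y - x| < P, so no false zero


class Ct:
    """Toy ciphertext: plaintext value plus the multiplication depth consumed so far."""

    def __init__(self, value, depth=0):
        self.value, self.depth = value % P, depth

    def mul(self, other):  # ciphertext x ciphertext: one more layer of depth
        return Ct(self.value * other.value, max(self.depth, other.depth) + 1)

    def mul_plain(self, c):  # ciphertext x plaintext scalar: no extra layer
        return Ct(self.value * c, self.depth)

    def add(self, other):  # addition does not add a layer
        return Ct(self.value + other.value, max(self.depth, other.depth))


def membership_coefficients(X):
    """Coefficients a_0 .. a_m of prod_{x in X}(y - x) = y^m + a_{m-1} y^{m-1} + ... + a_0 (mod P).
    Index i holds a_i; the leading coefficient a_m is 1."""
    coeffs = [1]
    for x in X:
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):  # multiply the running polynomial by (y - x)
            nxt[i + 1] = (nxt[i + 1] + c) % P
            nxt[i] = (nxt[i] - c * x) % P
        coeffs = nxt
    return coeffs


def restore_powers(seeds, m):
    """Server side: from the seed ciphertexts {exponent: Ct} build cy^1 .. cy^m.

    Every new power is the product of two already available powers; iterating to a fixpoint
    gives the minimum depth per exponent, i.e. a balanced product tree over at most 2^L seeds
    after L layers. Raises ValueError if some power cannot be built from the seeds."""
    powers = {e: c for e, c in seeds.items() if e <= m}
    changed = True
    while changed:
        changed = False
        for e1, c1 in list(powers.items()):
            for e2, c2 in list(powers.items()):
                e = e1 + e2
                if e > m:
                    continue
                cand = c1.mul(c2)
                if e not in powers or cand.depth < powers[e].depth:
                    powers[e] = cand
                    changed = True
    missing = [e for e in range(1, m + 1) if e not in powers]
    if missing:
        raise ValueError(f"powers {missing} cannot be built from seeds {sorted(seeds)}")
    return powers


def intersection_test(y, X, seed_exponents):
    """Returns (y in X, multiplication layers used).

    The client sends cy^a for each seed exponent a (fresh ciphertexts, depth 0); the server
    restores every power and evaluates the membership polynomial with plaintext coefficients.
    The result decrypts to 0 exactly when y is in X; the layers used must not exceed L."""
    m = len(X)
    coeffs = membership_coefficients(X)
    seeds = {a: Ct(pow(y, a, P)) for a in seed_exponents}  # client side
    powers = restore_powers(seeds, m)                        # server side
    acc = Ct(coeffs[0])
    for i in range(1, m + 1):
        acc = acc.add(powers[i].mul_plain(coeffs[i]))
    return acc.value == 0, acc.depth


# Constructed sample server set (m = 15) for the Figure 2 / Figure 3 comparison.
X_SAMPLE = [3, 8, 21, 44, 57, 60, 71, 90, 101, 130, 145, 160, 171, 199, 202]

if __name__ == "__main__":
    for seeds in [(1,), (1, 2, 4, 6)]:
        member, layers = intersection_test(57, X_SAMPLE, seeds)
        print(f"seeds {seeds}: y=57 in X -> {member}, layers needed = {layers}")
    print(intersection_test(58, X_SAMPLE, (1, 2, 4, 6)))
```

The layer count returned is the depth the server's result ciphertext would carry under a leveled scheme; if it exceeds the budget L fixed by the scheme parameters, the client's decryption in step 6) fails, which is exactly why the choice of seed powers matters.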
In the prior art, let L denote the maximum number of ciphertext multiplication layers allowed, s the total number of ciphertexts of different powers that the client provides for the same data y, and m the maximum ciphertext power the server can restore by ciphertext multiplication from the initial ciphertexts the client supplies. From the above analysis, once the parameters of the fully homomorphic encryption scheme are fixed, L is fixed as well; s determines the amount of data the client sends to the server; and m determines the maximum number of equality tests a single result ciphertext can cover. The problem to be solved is therefore how to choose the powers of the seed ciphertexts sent by the client so that s is as small as possible and m as large as possible.
Paper 3 (Cong K, Moreno R C, da Gama M B, et al. Labeled PSI from Homomorphic Encryption with Reduced Computation and Communication. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. 2021: 1135-1150) points out that this problem can be abstracted to a classic problem of combinatorics, the postage stamp problem, defined as follows. Let h and k be positive integers and $A_k = \{a_1, a_2, a_3, \ldots, a_k\}$ a set of k positive integers with $a_1 = 1 < a_2 < a_3 < \cdots < a_k$; $M(h, A_k)$ denotes the smallest positive integer that cannot be written as a sum of at most h elements of $A_k$ (repetition allowed).
A concrete example: let $h = 3$, $k = 4$, $A_4 = \{1, 4, 7, 8\}$. Then $M(3, A_4) = 25$, because 1 = 1, 2 = 1+1, 3 = 1+1+1, 4 = 4, 5 = 4+1, 6 = 4+1+1, 7 = 7, 8 = 7+1, 9 = 8+1, 10 = 8+1+1, 11 = 7+4, 12 = 8+4, 13 = 8+4+1, 14 = 7+7, 15 = 7+8, 16 = 8+8, 17 = 8+8+1, 18 = 7+7+4, 19 = 8+7+4, 20 = 8+8+4, 21 = 7+7+7, 22 = 7+7+8, 23 = 7+8+8, 24 = 8+8+8, while 25 cannot be written as a sum of at most three elements of {1, 4, 7, 8}. The goal of the stamp problem is, for given h and k, to find the maximum value of $M(h, A_k)$ together with a corresponding set $A_k = \{a_1, a_2, a_3, \ldots, a_k\}$; the stamp problem is NP-hard. It also has dual versions: given h and $M(h, A_k)$, find the minimum k; or given k and $M(h, A_k)$, find the minimum h.
In the private set intersection process based on fully homomorphic encryption, the total number s of ciphertexts of different powers of the same data y that the client provides corresponds to the value k of the stamp problem, i.e. $k = s$. The maximum number of ciphertext multiplication layers L corresponds to the value h, specifically $h = 2^L$, because the multiplication structure is a complete binary tree (a product of at most $2^L$ factors is evaluated in L layers). Each $a_i$ in $A_k = \{a_1, a_2, a_3, \ldots, a_k\}$ corresponds to a ciphertext power of y, namely $cy^{a_i}$. The value $M(h, A_k)$ corresponds to the maximum power m that ciphertext multiplication restores, specifically $m = M(h, A_k) - 1$. For any positive integer $z < M(h, A_k)$, its representation as a sum corresponds to the restoration route of the ciphertext $cy^z$: if $z = a_{i_1} + a_{i_2} + \cdots + a_{i_t}$ with $t \le h$ (elements may repeat), then $cy^z$ is restored by the multiplication route $cy^{a_{i_1}} \cdot cy^{a_{i_2}} \cdots cy^{a_{i_t}}$.
The private set intersection scheme of Paper 3 does use the stamp-problem optimization, but because solving the stamp problem is NP-hard, obtaining the exact optimal $A_k = \{a_1, a_2, a_3, \ldots, a_k\}$ under arbitrary parameter settings to support the PSI implementation is practically impossible. Paper 3 therefore only considers small parameters, specifically by directly using the ready-made solutions of Paper 4 (Challis M F, Robinson J P. Some extremal postage stamp bases. Journal of Integer Sequences, 2010, 13(2): 3) for the cases h = 2, 3, 4, 5, 6 and k = 2, 3, 4, 5, 6, 7, 8.
For private set intersection based on fully homomorphic encryption, the direct benefit of the stamp-problem optimization is a reduction in the number of ciphertexts sent between client and server, and hence in communication cost. However, Paper 3 plans the restoration route from the seed-power ciphertexts to the ciphertexts of all powers only from the ready-made solutions of Paper 4 for h = 2, 3, 4, 5, 6 and k = 2, 3, 4, 5, 6, 7, 8.
This approach has two main drawbacks:
First, it lacks generality. In current practical use of fully homomorphic encryption, the allowed number of ciphertext multiplication layers L is typically as deep as 5 or 6, so the corresponding h = 2^L can be as large as 64; the ready-made solution list in Paper 4 clearly does not cover all these cases.
Second, a solution of the stamp problem only guarantees that a restoration route exists for each power; it does not give the route itself. To use the optimal solution of a given instance, a private set intersection implementation usually has to store every summation expression on the server. Since the expressions share no common structure, they cannot be compressed into a loop or similar, so all m of them must be stored, which means extra storage overhead and control complexity.
The existing technology is therefore deficient and needs improvement.
Summary of the invention
The purpose of the invention is to overcome the shortcomings of the prior art and provide a ciphertext restoration method for private set intersection under homomorphic encryption that converts a solution of a problem instance with a small numerical value, $M(h/D, A_{k_D})$, into a solution of a problem instance with a large numerical value, $M(h, A_k)$, resolving the lack of solutions at large values; moreover, the total number of summation expressions that must be stored is only
[Figure PCTCN2022103668-appb-000005: formula (I), not reproduced on this page]
which, compared with the total m required under the optimal solution, reduces storage cost substantially.
The technical solution of the invention is as follows: a ciphertext restoration method for private set intersection under homomorphic encryption, for which the corresponding dual version of the known postage stamp problem is: given $h = 2^L$ and $M(h, A_k) = m + 1$, find the smallest possible $k$ and a corresponding set $A_k$. The method comprises the following steps:
1) Select $D = 2$.
2) Set $h_D = h/D$ and
[Figure PCTCN2022103668-appb-000006: formula not reproduced on this page]
where
[Figure PCTCN2022103668-appb-000007: formula not reproduced on this page]
denotes rounding up.
3) Search the list of known solutions of the dual version of the stamp problem for a solution $k_D$ and $A_{k_D}$ of the dual instance
[Figure PCTCN2022103668-appb-000008: formula not reproduced on this page]
If one exists, go to step 4); otherwise go to step 5).
4) Record the current $D$, all summation expressions corresponding to
[Figure PCTCN2022103668-appb-000010: formula not reproduced on this page]
and $k = D \cdot k_D$,
[Figure PCTCN2022103668-appb-000011: formula not reproduced on this page]
[Figure PCTCN2022103668-appb-000012: formula not reproduced on this page]
5) Take $2D$ as the new value of $D$ and check whether
[Figure PCTCN2022103668-appb-000013: formula not reproduced on this page]
or $h = D$ holds. If so, go to step 6); otherwise return to step 2) and continue.
6) According to the requirements, select the best of all solutions recorded in step 4) for planning the ciphertext restoration route of the private set intersection.
In the above solution, in step 6) the multiplication structure of a complete binary tree is adopted; each $a_i$ in $A_k = \{a_1, a_2, a_3, \ldots, a_k\}$ corresponds to a ciphertext power of the data y, namely $cy^{a_i}$; the value $M(h, A_k)$ corresponds to the maximum power m that ciphertext multiplication restores, specifically $m = M(h, A_k) - 1$; and for any positive integer $z < M(h, A_k)$ the summation representation corresponds to the restoration route of the ciphertext $cy^z$: if $z = a_{i_1} + a_{i_2} + \cdots + a_{i_t}$ with $t \le h$ (elements may repeat), then $cy^z$ is restored by the multiplication route $cy^{a_{i_1}} \cdot cy^{a_{i_2}} \cdots cy^{a_{i_t}}$.
In any of the above solutions, in step 6) the solution with the smaller k among all those recorded in step 4) is selected, according to the requirements, for planning the ciphertext restoration route of the private set intersection.
Applied to each of the above technical solutions, in the ciphertext restoration method for private set intersection under homomorphic encryption, when the homomorphic encryption scheme allows L = 5 levels of ciphertext multiplication and the maximum ciphertext power to be restored is m = 1000000, the solution with the smallest k value selected in step 6) is k = 8, A_k = {1, 11, 78, 216, 1001, 11011, 78078, 216216}, with a summation expression list of length 1001.
Applied to each of the above technical solutions, in step 6) of the ciphertext restoration method for private set intersection under homomorphic encryption, the solution with the shorter summation expression list among all the solutions recorded in step 4) is selected, according to the requirements, as the ciphertext restoration route plan for the private set intersection.
Applied to each of the above technical solutions, in the ciphertext restoration method for private set intersection under homomorphic encryption, when the homomorphic encryption scheme allows L = 5 levels of ciphertext multiplication and the maximum ciphertext power to be restored is m = 1000000, the solution with the shorter summation expression list selected in step 6) is k = 12, A_k = {1, 6, 7, 32, 192, 224, 1024, 6144, 7168, 32768, 196608, 229376}, with a summation expression list of length 32.
With the above scheme, the present invention addresses two problems that arise when the stamp problem is used to design a ciphertext restoration method for private set intersection under homomorphic encryption: the required instance is missing from the lists of known solutions, and additional information has to be stored. It provides a method of converting the solution of a problem instance with smaller parameters,
Figure PCTCN2022103668-appb-000017
which can almost certainly be found in the known solution lists, into a solution of the larger instance M(h, A_k), thereby resolving the lack of solutions for large values. At the same time, although the resulting k does not reach the theoretical minimum (the optimal value), the total number of summation expressions that must be stored under this method is only
Figure PCTCN2022103668-appb-000018
so, compared with the total of m expressions required in the optimal-solution case, the method greatly reduces storage cost.
Description of the drawings
In order to explain the technical solutions of the present invention more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Figure 1 is a schematic diagram of the private set intersection concept in the prior art;
Figure 2 is the first schematic diagram of the ciphertext restoration process under homomorphic encryption in the prior art;
Figure 3 is the second schematic diagram of the ciphertext restoration process under homomorphic encryption in the prior art.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the present invention.
This embodiment provides a ciphertext restoration method for private set intersection under homomorphic encryption. The core idea of the present invention is to reuse small-parameter solutions of the stamp problem at multiple scales. For the ciphertext restoration method of this embodiment, the number of permitted multiplication levels L and the maximum ciphertext power m are fixed, and the goal is to make the total number s of ciphertexts supplied by the client as small as possible. The corresponding dual version of the known stamp problem is: given h = 2^L and M(h, A_k) = m + 1, find the smallest possible k and the corresponding set A_k. The method comprises the following steps:
1) Choose D = 2;
2) Set h_D = h/D and
Figure PCTCN2022103668-appb-000019
where
Figure PCTCN2022103668-appb-000020
denotes rounding up; for example
Figure PCTCN2022103668-appb-000021
3) Search the list of known solutions of the dual version of the stamp problem to see whether the dual instance
Figure PCTCN2022103668-appb-000022
has a recorded solution k_D,
Figure PCTCN2022103668-appb-000023
where h = h_D means that h in the dual version takes the value h_D; if so, go to step 4), otherwise go to step 5);
4) Record the current D, all the summation expressions corresponding to
Figure PCTCN2022103668-appb-000024
and also record k = D·k_D,
Figure PCTCN2022103668-appb-000025
Figure PCTCN2022103668-appb-000026
5) Take 2D as the new value of D and test whether the relation
Figure PCTCN2022103668-appb-000027
or h = D holds; if so, go to step 6), otherwise return to step 2) and continue;
6) Select, according to the requirements, the best of all the solutions recorded in step 4) as the ciphertext restoration route plan for the private set intersection.
In step 6) of the ciphertext restoration method for private set intersection under homomorphic encryption, a complete-binary-tree multiplication structure is used; each a_i in A_k = {a_1, a_2, a_3, ..., a_k} corresponds to the ciphertext of data y raised to the power
Figure PCTCN2022103668-appb-000028
The value M(h, A_k) is defined through the power m of the largest ciphertext that can be restored by ciphertext multiplication, namely m = M(h, A_k) - 1; for any positive integer z smaller than M(h, A_k), the summation expression of z corresponds to the restoration route of the ciphertext cy^z: if
Figure PCTCN2022103668-appb-000029
then cy^z is restored by following the multiplication route given by
Figure PCTCN2022103668-appb-000030
The ciphertext restoration process under homomorphic encryption is shown in Figures 2 and 3: Figure 2 shows the case where the client sends only the ciphertext cy, and Figure 3 the case where the client sends the ciphertexts cy, cy^2, cy^4 and cy^8 together.
A concrete application example of the ciphertext restoration method for private set intersection under homomorphic encryption introduced in this embodiment is given below.
Assume that the homomorphic encryption scheme jointly negotiated by the client and the server allows L = 5 levels of ciphertext multiplication, and that the maximum ciphertext power to be restored is m = 1000000 (one million). By the dual version (given h = 2^L and M(h, A_k) = m + 1), the stamp problem instance corresponding to this requirement is h = 32, M(h, A_k) = 1000001.
This problem instance does not exist in the currently known solution sets of the stamp problem; even if it did, using it directly would mean storing all one million summation expressions on the server side for the restoration of one million ciphertext powers, which is a very large amount of data.
Below we solve it with the method described in the present invention (to keep the description concise, each loop iteration is listed as one item):
1) For D = 2, we compute h_D = 16, m_D = 1001; searching the list of known solutions for the instance h = 16,
Figure PCTCN2022103668-appb-000031
we find a solution k_D = 4,
Figure PCTCN2022103668-appb-000032
We record D = 2,
Figure PCTCN2022103668-appb-000033
all the summation expressions (1 = 1, 2 = 1+1, ..., 16 = 11+1+1+1+1+1, 17 = 11+1+1+1+1+1+1, ..., 1001 = 216+216+216+216+78+11+11+11+11+11+1+1+1+1, 1001 expressions in total) and one solution of the dual version of the original instance: k = 8, A_k = {1, 11, 78, 216, 1001, 11011, 78078, 216216}.
Now any number N smaller than M = 1000001 can be expressed as a sum of at most h = 32 numbers from A_k. For example, take N = 234567 < M. First write it as N = 234×1001 + 333, then extract the expressions for 234 and 333 from the 1001 recorded summation expressions (each expression has at most 16 addends on its right-hand side): 234 = 216+11+1+1+1+1+1+1+1 and 333 = 216+78+11+11+11+1+1+1+1+1+1. From these the summation expression of N = 234567 over A_k = {1, 11, 78, 216, 1001, 11011, 78078, 216216} follows: 234567 = 234×1001 + 333 = (216+11+1+1+1+1+1+1+1)×1001 + (216+78+11+11+11+1+1+1+1+1+1) = 216216+11011+1001+1001+1001+1001+1001+1001+1001+216+78+11+11+11+1+1+1+1+1+1;
2) For D = 4, we compute h_D = 8, m_D = 32; searching the list of known solutions for the instance h = 8,
Figure PCTCN2022103668-appb-000034
we find a solution k_D = 3,
Figure PCTCN2022103668-appb-000035
We record D = 4,
Figure PCTCN2022103668-appb-000036
all the summation expressions (1 = 1, 2 = 1+1, ..., 31 = 7+6+6+6+6, 32 = 7+7+6+6+6, 32 expressions in total) and one solution of the dual version of the original instance: k = 12, A_k = {1, 6, 7, 32×1, 32×6, 32×7, 32^2×1, 32^2×6, 32^2×7, 32^3×1, 32^3×6, 32^3×7} = {1, 6, 7, 32, 192, 224, 1024, 6144, 7168, 32768, 196608, 229376}. Now any number N smaller than M = 1000001 can be expressed as a sum of at most h = 32 numbers from A_k. For example, take N = 666666 < M. First write it as
N = 20×32^3 + 11×32^2 + 1×32^1 + 10 = 20×32768 + 11×1024 + 1×32 + 10, then extract the expressions for 20, 11, 1 and 10 from the 32 recorded summation expressions (each expression has at most 8 addends on its right-hand side): 20 = 7+7+6, 11 = 7+1+1+1+1, 1 = 1, 10 = 7+1+1+1. From these the expression of N = 666666 over A_k = {1, 6, 7, 32, 192, 224, 1024, 6144, 7168, 32768, 196608, 229376} follows: 666666 = 20×32^3 + 11×32^2 + 1×32^1 + 10 = (7+7+6)×32768 + (7+1+1+1+1)×1024 + 1×32 + (7+1+1+1) = 229376+229376+196608+7168+1024+1024+1024+1024+32+7+1+1+1.
3) For D = 8, we compute h_D = 4, m_D = 4 < 10; the loop terminates, and we finally obtain two groups of solutions, for D = 2 and D = 4:
Solution 1: k = 8, A_k = {1, 11, 78, 216, 1001, 11011, 78078, 216216}, with a summation expression list of length 1001;
Solution 2: k = 12, A_k = {1, 6, 7, 32, 192, 224, 1024, 6144, 7168, 32768, 196608, 229376}, with a summation expression list of length 32.
It can be seen that each of the two solutions has its own advantages. Solution 1 has fewer seed ciphertext powers, i.e. a smaller k, and correspondingly less data is exchanged between client and server; solution 2 has a shorter summation expression list and therefore saves more storage on the server side. At the same time, whether 32 or 1001 expressions are stored, the storage cost is drastically lower than the 1000000 expressions corresponding to the optimal solution for h = 32, M = 1000001. How to choose further between the two solutions can be decided against the actual performance requirements of the scheme; in any case, the existence of both solutions is enough to show that the ciphertext restoration method of the present invention can, to a certain extent, solve the problems described in the prior art.
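The following Python script is an added illustration of steps 1) to 6) and of the two recorded loop iterations above (D = 2 with {1, 11, 78, 216} and D = 4 with {1, 6, 7}); it is not code from the patent. It checks that the small solution covers 1..m_D within h_D addends (that is, M(h_D, A_{k_D}) > m_D), lifts it to A_k by multiplying by powers of B = m_D, decomposes a sample N by writing it in base B and looking each digit up in the small expression list, and then "restores" cy^z by a complete-binary-tree product. The function names, the coin-change DP used to build the summation expression list (the patent only refers to a list of known solutions), and the use of exponent arithmetic in place of real homomorphic multiplication are assumptions of this example.

```python
"""Multi-scale reuse of stamp-problem solutions for ciphertext power restoration.

Added illustration, not code from the patent: the function names, the
coin-change DP that builds the summation-expression list, and the exponent
bookkeeping standing in for homomorphic multiplication are all assumptions.
"""


def min_addend_table(base, h):
    """Fewest elements of `base` (repetition allowed) summing to each n in 0..h*max(base).

    count[n] is inf when n is not a sum of base elements at all; parent[n] is the
    last addend chosen, so the expression can be walked back.  Only n with
    count[n] <= h are usable under an h-addend budget.
    """
    limit = h * max(base)
    inf = float("inf")
    count = [inf] * (limit + 1)
    parent = [0] * (limit + 1)
    count[0] = 0
    for n in range(1, limit + 1):
        for a in base:
            if a <= n and count[n - a] + 1 < count[n]:
                count[n] = count[n - a] + 1
                parent[n] = a
    return count, parent


def sum_expression(n, parent):
    """Walk the parent pointers back to the addend list for n (largest first)."""
    addends = []
    while n > 0:
        if parent[n] == 0:
            raise ValueError(f"{n} is not a sum of the base elements")
        addends.append(parent[n])
        n -= parent[n]
    return sorted(addends, reverse=True)


def stamp_M(base, h):
    """M(h, A_k): the smallest positive integer that is NOT a sum of at most h base elements."""
    count, _ = min_addend_table(base, h)
    n = 1
    while n < len(count) and count[n] <= h:
        n += 1
    return n  # everything above h*max(base) is unreachable, so the loop always ends


def scale_solution(base, B, D):
    """Step 4): lift the small solution to A_k = {B^j * a : 0 <= j < D, a in base}, k = D*k_D."""
    return [B ** j * a for j in range(D) for a in base]


def restoration_route(N, base, h_D, B, D):
    """Addends from scale_solution(base, B, D) summing to N, at most D*h_D of them.

    N is written in base B; every digit is at most B-1 <= m_D, so its recorded
    expression needs at most h_D addends, each of which is then scaled by B^j.
    """
    if not 0 < N < B ** D:
        raise ValueError("N must lie strictly below B^D")
    count, parent = min_addend_table(base, h_D)
    addends = []
    for j in range(D):
        digit = (N // B ** j) % B
        if digit == 0:
            continue
        if digit >= len(count) or count[digit] > h_D:
            raise ValueError(f"digit {digit} needs more than h_D={h_D} addends")
        addends += [B ** j * a for a in sum_expression(digit, parent)]
    return sorted(addends, reverse=True)


def restore_power(addends):
    """Multiply the 'ciphertexts' cy^{a_i} as a complete binary tree.

    A ciphertext is stood in for by its exponent, so one homomorphic
    multiplication becomes one addition; returns (z, multiplication depth).
    """
    level = list(addends)
    depth = 0
    while len(level) > 1:
        nxt = [level[i] + level[i + 1] for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:  # an odd leaf is carried up without a multiplication
            nxt.append(level[-1])
        level, depth = nxt, depth + 1
    return (level[0] if level else 0), depth


if __name__ == "__main__":
    L, m = 5, 1_000_000  # the page's instance: h = 32, M(h, A_k) = 1000001
    h = 2 ** L
    # (D, small solution A_{k_D}, B = m_D, sample N) for the two recorded iterations
    for D, base, B, N in ((2, [1, 11, 78, 216], 1001, 234567), (4, [1, 6, 7], 32, 666666)):
        h_D = h // D
        assert stamp_M(base, h_D) > B and B ** D > m, "small solution does not cover 1..m_D"
        A_k = scale_solution(base, B, D)
        route = restoration_route(N, base, h_D, B, D)
        z, depth = restore_power(route)
        print(f"D={D}: k={len(A_k)}, route for cy^{z} uses {len(route)} factors, depth {depth} <= L={L}")
```

Because a route has at most h = 2^L factors, the binary-tree product uses at most L multiplication levels, which is exactly the constraint the scheme's permitted depth imposes. The min-addend table also yields shorter routes than the illustrative expressions on the page (for instance 234 = 78+78+78 rather than 216+11+1+1+1+1+1+1+1), but any expression within the h_D budget is a valid route; what the server must store is only the m_D-entry table, not one expression per power up to m.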
Therefore, the present invention addresses the two problems that arise when the stamp problem is used to design a ciphertext restoration method for private set intersection under homomorphic encryption: the required instance is missing from the lists of known solutions, and additional information has to be stored. It provides a method of converting the solution of a problem instance with smaller parameters,
Figure PCTCN2022103668-appb-000037
(which can almost certainly be found in the known solution lists) into a solution of the larger instance M(h, A_k), thereby resolving the lack of solutions for large values. At the same time, although the method of the present invention does not reach the theoretical minimum (the optimal value) of k, the total number of summation expressions that must be stored under this method is only
Figure PCTCN2022103668-appb-000038
so, compared with the total of m expressions required in the optimal-solution case, the method greatly reduces storage cost.

Claims (7)

  1. A ciphertext restoration method for private set intersection under homomorphic encryption, corresponding to the dual version of the known stamp problem, namely: given h = 2^L and M(h, A_k) = m + 1, find the smallest possible k and the corresponding set A_k, characterized in that it comprises the following steps:
    1) Choose D = 2;
    2) Set h_D = h/D and
    Figure PCTCN2022103668-appb-100001
    where
    Figure PCTCN2022103668-appb-100002
    denotes rounding up;
    3) Search the list of known solutions of the dual version of the stamp problem to see whether the dual instance with h = h_D and
    Figure PCTCN2022103668-appb-100003
    has a recorded solution k_D,
    Figure PCTCN2022103668-appb-100004
    if so, go to step 4), otherwise go to step 5);
    4) Record the current D, all the summation expressions corresponding to
    Figure PCTCN2022103668-appb-100005
    and also record k = D·k_D,
    Figure PCTCN2022103668-appb-100006
    5) Take 2D as the new value of D and test whether the relation
    Figure PCTCN2022103668-appb-100007
    or h = D holds; if so, go to step 6), otherwise return to step 2) and continue;
    6) Select, according to the requirements, the best of all the solutions recorded in step 4) as the ciphertext restoration route plan for the private set intersection.
  2. The ciphertext restoration method for private set intersection under homomorphic encryption according to claim 1, characterized in that in step 6) a complete-binary-tree multiplication structure is used; each a_i in A_k = {a_1, a_2, a_3, ..., a_k} corresponds to the ciphertext of data y raised to the power
    Figure PCTCN2022103668-appb-100008
    The value M(h, A_k) is defined through the power m of the largest ciphertext that can be restored by ciphertext multiplication, namely m = M(h, A_k) - 1; for any positive integer z smaller than M(h, A_k), the summation expression of z corresponds to the restoration route of the ciphertext cy^z: if
    Figure PCTCN2022103668-appb-100009
    then cy^z is restored by following the multiplication route given by
    Figure PCTCN2022103668-appb-100010
  3. The ciphertext restoration method for private set intersection under homomorphic encryption according to claim 2, characterized in that in step 6) the solution with the smaller k value among all the solutions recorded in step 4) is selected, according to the requirements, as the ciphertext restoration route plan for the private set intersection.
  4. The ciphertext restoration method for private set intersection under homomorphic encryption according to claim 3, characterized in that when the homomorphic encryption scheme allows L = 5 levels of ciphertext multiplication and the maximum ciphertext power to be restored is m = 1000000, the solution with the smaller k value selected in step 6) is k = 8, A_k = {1, 11, 78, 216, 1001, 11011, 78078, 216216}, with a summation expression list of length 1001.
  5. The ciphertext restoration method for private set intersection under homomorphic encryption according to claim 2, characterized in that in step 6) the solution with the shorter summation expression list among all the solutions recorded in step 4) is selected, according to the requirements, as the ciphertext restoration route plan for the private set intersection.
  6. The ciphertext restoration method for private set intersection under homomorphic encryption according to claim 5, characterized in that when the homomorphic encryption scheme allows L = 5 levels of ciphertext multiplication and the maximum ciphertext power to be restored is m = 1000000, the solution with the shorter summation expression list selected in step 6) is k = 12,
    A_k = {1, 6, 7, 32, 192, 224, 1024, 6144, 7168, 32768, 196608, 229376}, with a summation expression list of length 32.
  7. A ciphertext restoration method for private set intersection under homomorphic encryption, corresponding to the dual version of the known stamp problem, namely: given h = 2^L and M(h, A_k) = m + 1, find the smallest possible k and the corresponding set A_k, characterized in that it comprises the following steps:
    1) Choose D = 2;
    2) Set h_D = h/D and
    Figure PCTCN2022103668-appb-100011
    where
    Figure PCTCN2022103668-appb-100012
    denotes rounding up;
    3) Search the list of known solutions of the dual version of the stamp problem to see whether the dual instance with h = h_D and
    Figure PCTCN2022103668-appb-100013
    has a recorded solution k_D,
    Figure PCTCN2022103668-appb-100014
    if so, go to step 4), otherwise go to step 5);
    4) Record the current D, all the summation expressions corresponding to
    Figure PCTCN2022103668-appb-100015
    and also record k = D·k_D,
    Figure PCTCN2022103668-appb-100016
    5) Take 2D as the new value of D and test whether the relation
    Figure PCTCN2022103668-appb-100017
    or h = D holds; if so, go to step 6), otherwise return to step 2) and continue;
    6) Select, according to the requirements, the best of all the solutions recorded in step 4) as the ciphertext restoration route plan for the private set intersection.
    In step 6), a complete-binary-tree multiplication structure is used; each a_i in A_k = {a_1, a_2, a_3, ..., a_k} corresponds to the ciphertext of data y raised to the power
    Figure PCTCN2022103668-appb-100018
    The value M(h, A_k) is defined through the power m of the largest ciphertext that can be restored by ciphertext multiplication, namely m = M(h, A_k) - 1; for any positive integer z smaller than M(h, A_k), the summation expression of z corresponds to the restoration route of the ciphertext cy^z: if
    Figure PCTCN2022103668-appb-100019
    then cy^z is restored by following the multiplication route given by
    Figure PCTCN2022103668-appb-100020
    In step 6), the solution with the smaller k value among all the solutions recorded in step 4) is selected, according to the requirements, as the ciphertext restoration route plan for the private set intersection;
    when the homomorphic encryption scheme allows L = 5 levels of ciphertext multiplication and the maximum ciphertext power to be restored is m = 1000000, the solution with the smaller k value selected in step 6) is k = 8, A_k = {1, 11, 78, 216, 1001, 11011, 78078, 216216}, with a summation expression list of length 1001;
    in step 6), the solution with the shorter summation expression list among all the solutions recorded in step 4) is selected, according to the requirements, as the ciphertext restoration route plan for the private set intersection;
    when the homomorphic encryption scheme allows L = 5 levels of ciphertext multiplication and the maximum ciphertext power to be restored is m = 1000000, the solution with the shorter summation expression list selected in step 6) is k = 12,
    A_k = {1, 6, 7, 32, 192, 224, 1024, 6144, 7168, 32768, 196608, 229376}, with a summation expression list of length 32.
PCT/CN2022/103668 2022-05-07 2022-07-04 Ciphertext restoration method for private set intersection based on homomorphic encryption WO2023216403A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210492879.0 2022-05-07
CN202210492879.0A CN114826552A (en) 2022-05-07 2022-05-07 Ciphertext restoration method under homomorphic encryption privacy set intersection

Publications (1)

Publication Number Publication Date
WO2023216403A1 true WO2023216403A1 (en) 2023-11-16

Family

ID=82511209

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/103668 WO2023216403A1 (en) 2022-05-07 2022-07-04 Ciphertext restoration method for private set intersection based on homomorphic encryption

Country Status (2)

Country Link
CN (1) CN114826552A (en)
WO (1) WO2023216403A1 (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009026771A1 (en) * 2007-08-24 2009-03-05 Guan, Haiying The method for negotiating the key, encrypting and decrypting the information, signing and authenticating the information
CN104283669A (en) * 2014-08-25 2015-01-14 东南大学 Heavy encryption depth optimization method in fully homomorphic encryption
CN104618098A (en) * 2015-01-12 2015-05-13 北京科技大学 Cryptographic construction method and system for set member relation determination
US20180183570A1 (en) * 2015-04-21 2018-06-28 Kewei ZHENG Polynomial fully homomorphic encryption system based on coefficient mapping transform
CN110309674A (en) * 2019-07-04 2019-10-08 浙江理工大学 A kind of sort method based on full homomorphic cryptography
CN114124349A (en) * 2021-11-19 2022-03-01 北京数牍科技有限公司 Rapid decryption method for homomorphic encryption scheme

Also Published As

Publication number Publication date
CN114826552A (en) 2022-07-29

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22941348

Country of ref document: EP

Kind code of ref document: A1