Method and apparatus for determining whether query data belongs to a target data set

By using Bloom filters and homomorphic encryption, the first and second parties collaborate to determine whether the queried data belongs to the target data set, thus solving the security problem of anonymous queries and achieving efficient and secure determination of data query results.

CN114969806BActive Publication Date: 2026-07-10ANT BLOCKCHAIN TECHNOLOGY (SHANGHAI) CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
ANT BLOCKCHAIN TECHNOLOGY (SHANGHAI) CO LTD
Filing Date
2022-04-26
Publication Date
2026-07-10

AI Technical Summary

Technical Problem

In multi-party secure computation, how can we determine whether the query data belongs to the target data set without disclosing the query data and the target data set, thus meeting the security requirements of anonymous queries?

Method used

Using Bloom filters and homomorphic encryption, the first and second parties collaborate to calculate the target location of the query data in the Bloom filter and extract the encrypted element. After performing homomorphic function operations, the data is sent to the second party for decryption. The second party then determines whether the query data belongs to the target data set based on the decryption result.

Benefits of technology

This method enables accurate determination of whether query data belongs to the target data set without disclosing the query data and the target data set, thus meeting the security requirements of anonymous queries, reducing the communication volume of online processing, and improving query efficiency.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN114969806B_ABST
    Figure CN114969806B_ABST
Patent Text Reader

Abstract

Embodiments of the present specification provide a method and device for determining whether query data belongs to a target data set, which is implemented by using multi-party secure computing technology to achieve privacy protection and achieve the purpose of anonymous query. The method comprises: a first party determines a preset number of target positions corresponding to the query data in a Bloom filter, extracts encrypted elements of the preset number of target positions in a first ciphertext array obtained from a second party, and obtains a preset number of encrypted values; the first ciphertext array is obtained by mapping the target data set to the Bloom filter by the second party, and each element in the first array is homomorphically encrypted; a homomorphic function operation is performed on the preset number of encrypted values to obtain a result ciphertext; the homomorphic function operation is used to aggregate the element values of the preset number of target positions; and the result ciphertext is sent to the second party, so that the second party decrypts the result ciphertext and determines whether the query data belongs to the target data set according to the decryption result.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This specification relates to one or more embodiments in the field of computers, and more particularly to a method and apparatus for determining whether query data belongs to a target data set. It employs multi-party secure computation technology to achieve privacy protection and anonymous querying. Background Technology

[0002] Secure multi-party computation (SMPC) solves the problem of privacy-preserving collaborative computation among a group of distrustful participants. SMPC ensures the independence of inputs, the correctness of computation, and does not disclose the input values ​​to other members participating in the computation.

[0003] In today's big data era, privacy protection and data security are increasingly valued by all parties. Secure multi-party computation provides a way to securely complete computational tasks without exposing data, offering strong support for the secure and compliant use of data.

[0004] In a typical application scenario of secure multi-party computation, the query data is held by the first party, and the target data set is held by the second party. It is necessary to determine whether the query data belongs to the target data set and to meet the security requirements of anonymous query. That is, the first party can only obtain the result of determining whether the query data belongs to the target data set, but cannot obtain the target data set itself. Similarly, the second party can only obtain the result of determining whether the query data belongs to the target data set, but cannot obtain the query data itself. Summary of the Invention

[0005] This specification describes one or more embodiments of a method and apparatus for determining whether query data belongs to a target dataset, which can meet the security requirements of anonymous queries.

[0006] Firstly, a method is provided for determining whether query data belongs to a target data set, wherein the query data is held by a first party, the target data set is held by a second party, and the method is executed by the first party, including:

[0007] The system determines a preset number of target positions corresponding to the query data it holds in the Bloom filter, extracts the encrypted elements of the preset number of target positions from the first ciphertext array obtained from the second party, and obtains a preset number of encrypted values; wherein, the first ciphertext array is obtained by the second party mapping its set of target data to the Bloom filter to obtain a first array, and performing homomorphic encryption on each element in the first array;

[0008] Homomorphic function operations are performed on the preset number of encrypted values ​​to obtain the resulting ciphertext; the homomorphic function operations are used to aggregate the element values ​​at the preset number of target positions;

[0009] The encrypted result is sent to the second party so that the second party can decrypt the encrypted result and determine whether the query data belongs to the target data set based on the decryption result.

[0010] In one possible implementation, determining the predetermined number of target locations corresponding to the query data held by it in the Bloom filter includes:

[0011] For the query data, a preset number of hash values ​​are calculated using a preset number of hash functions shared with the second party, and each hash value corresponds to one target position in the Bloom filter.

[0012] In one possible implementation, the first array is obtained by mapping each target data in the target data set to a preset number of first positions of the Bloom filter, and setting the values ​​of the elements in the preset number of first positions to 0.

[0013] Furthermore, the step of performing homomorphic function operations on the preset number of encrypted values ​​includes:

[0014] Homomorphically sum the encrypted values ​​to obtain the sum of the first ciphertext;

[0015] The summation result of the first ciphertext is multiplied by the random number selected by this party to obtain the result ciphertext.

[0016] Secondly, a method is provided for determining whether query data belongs to a target data set, wherein the query data is held by a first party, the target data set is held by a second party, and the method is executed by the second party, including:

[0017] During the preparation phase, the target data set is mapped to a Bloom filter to obtain a first array, and each element in the first array is homomorphically encrypted to obtain a first ciphertext array; the first ciphertext array is then provided to the first party.

[0018] During the query phase, the first party receives ciphertext results, which are obtained by the first party performing homomorphic function operations on a preset number of encrypted values. The preset number of encrypted values ​​are obtained by the first party mapping the query data it holds to a preset number of target positions in the Bloom filter and extracting encrypted elements from the preset number of target positions in the first ciphertext array. The homomorphic function operation is used to aggregate the element values ​​of the preset number of target positions.

[0019] The encrypted result is decrypted, and the result is used to determine whether the queried data belongs to the target data set; the result is then notified to the first party.

[0020] In one possible implementation, mapping the target data set to the Bloom filter to obtain the first array includes:

[0021] For any target data in the target data set, a preset number of hash values ​​are calculated using a preset number of hash functions shared with the first party. Each hash value corresponds to a first position in the Bloom filter. The Bloom filter includes elements at m positions, and the initial value of each element at each position is 1.

[0022] Set the values ​​of a predetermined number of first-position elements corresponding to any target data in the Bloom filter to 0 to obtain an m-bit first array.

[0023] In one possible implementation, the homomorphic encryption of each element in the first array includes:

[0024] Perform homomorphic encryption that supports addition homomorphism on each element in the first array.

[0025] In one possible implementation, determining whether the query data belongs to the target data set based on the decryption result includes:

[0026] If the decryption result is 0, it is determined that the queried data belongs to the target data set;

[0027] If the decryption result is not 0, it is determined that the queried data does not belong to the target data set.

[0028] In one possible implementation, the query data is the user identifier of the user to be queried, and the target data set is a set of user identifiers with a target category.

[0029] Thirdly, an apparatus is provided for determining whether query data belongs to a target data set, wherein the query data is held by a first party, the target data set is held by a second party, and the apparatus is disposed at the first party, comprising:

[0030] The determining unit is used to determine a preset number of target positions corresponding to the query data it holds in the Bloom filter, extract the encrypted elements of the preset number of target positions in the first ciphertext array obtained from the second party, and obtain a preset number of encrypted values; wherein, the first ciphertext array is obtained by the second party mapping its set of target data to the Bloom filter to obtain a first array, and performing homomorphic encryption on each element in the first array;

[0031] The arithmetic unit is used to perform homomorphic function operations on a preset number of encrypted values ​​obtained by the determining unit to obtain the resulting ciphertext; the homomorphic function operation is used to aggregate the element values ​​at the preset number of target positions;

[0032] The sending unit is used to send the encrypted result obtained by the calculation unit to the second party, so that the second party can decrypt the encrypted result and determine whether the query data belongs to the target data set based on the decryption result.

[0033] Fourthly, an apparatus is provided for determining whether query data belongs to a target data set, wherein the query data is held by a first party, the target data set is held by a second party, and the apparatus is disposed in the second party, comprising:

[0034] The mapping unit is used, during the preparation phase, to map the target data set onto a Bloom filter to obtain a first array, and to perform homomorphic encryption on each element in the first array to obtain a first ciphertext array; and to provide the first ciphertext array to the first party.

[0035] A receiving unit is configured to receive ciphertext results from the first party during the query phase. The ciphertext results are obtained by the first party performing a homomorphic function operation on a preset number of encrypted values. The preset number of encrypted values ​​are obtained by the first party mapping the query data it holds to a preset number of target positions in the Bloom filter and extracting encrypted elements from the preset number of target positions in the first ciphertext array. The homomorphic function operation is used to aggregate the element values ​​of the preset number of target positions.

[0036] The determining unit is used to decrypt the encrypted result received by the receiving unit, determine whether the query data belongs to the target data set based on the decryption result, and notify the first party of the determining result.

[0037] Fifthly, a computer-readable storage medium is provided having a computer program stored thereon, which, when executed in a computer, causes the computer to perform the method of the first or second aspect.

[0038] In a sixth aspect, a computing device is provided, including a memory and a processor, wherein executable code is stored in the memory, and when the processor executes the executable code, it implements the method of the first aspect or the second aspect.

[0039] Using the method and apparatus provided in the embodiments of this specification, firstly, a first party determines a preset number of target positions corresponding to the query data it holds in a Bloom filter, extracts encrypted elements of the preset number of target positions from a first ciphertext array obtained from the second party, and obtains a preset number of encrypted values; wherein, the first ciphertext array is obtained by the second party mapping its target data set to the Bloom filter to obtain a first array, and performing homomorphic encryption on each element in the first array; then, the first party performs a homomorphic function operation on the preset number of encrypted values ​​to obtain a result ciphertext; the homomorphic function operation is used to aggregate the element values ​​of the preset number of target positions; finally, the first party sends the result ciphertext to the second party so that the second party can decrypt the result ciphertext and determine whether the query data belongs to the target data set based on the decryption result. As can be seen from the above, in this embodiment of the specification, the first party can only obtain the first ciphertext array obtained by homomorphically encrypting each element in the first array from the second party. The first party cannot deduce any data included in the target data set through the first ciphertext array. The first party sends the result ciphertext to the second party. The result ciphertext is obtained by the first party performing homomorphic function operations on a preset number of encrypted values. The homomorphic function operation is used to aggregate the element values ​​of the preset number of target positions. The second party decrypts the result ciphertext. Based on the decryption result, it can only determine whether the query data belongs to the target data set. It cannot deduce the element values ​​of the preset number of target positions. Therefore, it cannot determine the query data, thereby satisfying the security requirements of anonymous query. Attached Figure Description

[0040] To more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the following description of the embodiments will be briefly introduced. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0041] Figure 1 This is a schematic diagram illustrating an implementation scenario of one embodiment disclosed in this specification;

[0042] Figure 2 This diagram illustrates an interactive method for determining whether query data belongs to a target dataset according to one embodiment.

[0043] Figure 3 A schematic diagram of a Bloom filter according to one embodiment is shown;

[0044] Figure 4 This diagram illustrates homomorphic encryption according to one embodiment.

[0045] Figure 5 A schematic block diagram of an apparatus for determining whether query data belongs to a target dataset according to one embodiment is shown.

[0046] Figure 6 A schematic block diagram of an apparatus for determining whether query data belongs to a target dataset according to another embodiment is shown. Detailed Implementation

[0047] The solution provided in this specification will now be described with reference to the accompanying drawings.

[0048] Figure 1 This is a schematic diagram illustrating an implementation scenario of one embodiment disclosed in this specification. This scenario involves determining whether query data belongs to a target data set. The query data is held by a first party, and the target data set is held by a second party. The determination of whether the query data belongs to the target data set must meet corresponding security requirements. The first party can only obtain the determination result of whether the query data belongs to the target data set, but cannot obtain the target data set itself. Similarly, the second party can only obtain the determination result of whether the query data belongs to the target data set, but cannot obtain the query data itself. It is understood that the query data is the privacy data of the first party, and the target data set is the privacy data of the second party. Figure 1 As shown, the scenario of determining whether query data belongs to the target dataset involves participant A and participant B, also referred to as the first party and the second party, or the querying party and the data party. Each participant can be any device, platform, server, or device cluster with computing and processing capabilities. Both parties must jointly determine whether the query data belongs to the target dataset while protecting data privacy.

[0049] The querying party holds the query data x1, and the data party holds the target data set Y = {y1, y2, ...}. Without revealing their respective data holdings, the task is to determine whether the query data belongs to the target data set; that is, whether x1 belongs to Y. For example, if the query data is "Xiaoming" and the target data set Y = {Xiaoming, Xiaohong, Xiaoyun, Xiaolan}, then the query data belongs to the target data set. If the query data is "Xiaogang" and the target data set Y = {Xiaoming, Xiaohong, Xiaoyun, Xiaolan}, then the query data does not belong to the target data set.

[0050] This specification describes an embodiment that uses multi-party secure computation to determine whether query data belongs to a target dataset. This scheme is used by two parties, whose inputs are represented as x1 and Y, respectively. Both parties jointly want to calculate whether x1 belongs to Y without disclosing their respective privacy data. Even when it is determined that the query data belongs to the target dataset, the data party still cannot determine the query data itself.

[0051] Understandably, privacy data can be any data that is not convenient to disclose, including but not limited to data representing a user's personal information or trade secrets.

[0052] Secure multi-party computation, also known as secure multi-party computation, refers to multiple parties jointly calculating the result of a function without disclosing the input data of each party to the function, and the result of the computation is made public to one or more of the parties.

[0053] This specification provides embodiments that propose corresponding solutions to meet the relevant security requirements when determining whether query data belongs to a target data set.

[0054] Figure 2 This diagram illustrates an interactive method for determining whether query data belongs to a target dataset according to one embodiment. The method can be based on... Figure 1 In the implementation scenario shown, the query data is held by a first party, and the target data set is held by a second party. For example... Figure 2 As shown, the method for determining whether query data belongs to a target data set in this embodiment includes the following steps: Step 21, the second party maps the target data set to a Bloom filter to obtain a first array, and performs homomorphic encryption on each element in the first array to obtain a first ciphertext array; Step 22, the second party provides the first ciphertext array to the first party; Step 23, the first party determines a preset number of target positions corresponding to the query data it holds in the Bloom filter, extracts the encrypted elements of the preset number of target positions from the first ciphertext array obtained from the second party, and obtains a preset number of encrypted values; Step 24, the first party performs homomorphic function operation on the preset number of encrypted values ​​to obtain result ciphertext; the homomorphic function operation is used to aggregate the element values ​​of the preset number of target positions; Step 25, the first party sends the result ciphertext to the second party; Step 26, the second party decrypts the result ciphertext and determines whether the query data belongs to the target data set based on the decryption result; Step 27, the second party notifies the first party of the determination result. The specific execution method of each of the above steps is described below.

[0055] First, in step 21, the second party maps the target data set to a Bloom filter to obtain a first array, and then performs homomorphic encryption on each element in the first array to obtain a first ciphertext array. It is understood that the Bloom filter is used to represent the entire target data set, not just a single data item within it.

[0056] In the embodiments of this specification, the first party and the second party can pre-agree on the parameters of the encryption scheme and the parameters of the Bloom filter. For example, they can agree to use a semi-homomorphic encryption scheme or a fully homomorphic encryption scheme, and they can also agree on the number of elements in the array corresponding to the Bloom filter, the hash function used in the aforementioned mapping, etc.

[0057] The Bloom filter, proposed by Bloom in 1970, is essentially a long binary vector and a series of random mapping functions. A Bloom filter can be used to check whether an element is in a set. Its advantages include significantly higher space efficiency and shorter query time compared to general algorithms. The binary vector can also be called an array, and the random mapping functions can specifically be hash functions.

[0058] In one example, mapping the target dataset to the Bloom filter to obtain the first array includes:

[0059] For any target data in the target data set, a preset number of hash values ​​are calculated using a preset number of hash functions shared with the first party. Each hash value corresponds to a first position in the Bloom filter. The Bloom filter includes elements at m positions, and the initial value of each element at each position is 1.

[0060] Set the values ​​of a predetermined number of first-position elements corresponding to any target data in the Bloom filter to 0 to obtain an m-bit first array.

[0061] In this example, the implementation differs slightly from the usual one. The initial value of each element in the Bloom filter is 1. When inserting target data, the value of the element at the corresponding position in the Bloom filter is set to 0. It can be understood that when inserting target data, if the value of the element at the corresponding position is already 0, then the value of that element remains unchanged.

[0062] Figure 3 A schematic diagram of a Bloom filter according to one embodiment is shown. (Refer to...) Figure 3A Bloom filter is an array, assuming it contains 10 elements. The mapping process uses two hash functions, hash1 and hash2, with each element initially set to 1. Data in the set is mapped sequentially to the Bloom filter using the same method. Taking the target data id1 as an example, hash1(id1) = 2, hash2(id1) = 7, resulting in positions 2 and 7. Setting the values ​​of the elements at these positions to 0 completes the mapping process for id1. The same method can be used to map other data in the set to the Bloom filter. The resulting Bloom filter represents the entire set. Whether a data point's value is 0 at the corresponding position in the Bloom filter can be used to determine if that data exists in the set.

[0063] Homomorphic encryption is a form of encryption that allows specific algebraic operations on ciphertext to yield an encrypted result, and decrypting this result yields the same result as performing the same operation on the plaintext. In other words, this technique allows operations such as retrieval and comparison to be performed on encrypted data to obtain the correct result without decrypting the data during the entire processing. Compared to ordinary encryption, homomorphic encryption possesses the property of homomorphism, meaning that computation can be performed on data in its encrypted state. For example, performing a certain operation on the homomorphically encrypted ciphertext E(a) of 'a' and the homomorphically encrypted ciphertext E(b) of 'b' yields the ciphertext E(a+b) of 'a+b', and the operation does not reveal 'a', 'b', or 'a+b', nor does it require the use of a decryption key. This operation is called homomorphic addition.

[0064] In one example, the homomorphic encryption of each element in the first array includes:

[0065] Perform homomorphic encryption that supports addition homomorphism on each element in the first array.

[0066] In this example, homomorphic addition can be performed on the ciphertext obtained by homomorphic encryption to achieve the aggregation of element values.

[0067] Figure 4 A schematic diagram of homomorphic encryption according to one embodiment is shown. (Refer to...) Figure 4After mapping the data in the set to the Bloom filter in the same way, the first array is obtained in which each element has a value of 0 or 1. For example, the elements at positions 2 and 7 in the first array have a value of 0, and the elements at the other positions have a value of 1. Encrypting each element in the first array separately yields the first ciphertext array. For example, when the element at a position in the first array has a value of 1, the element at that position in the first ciphertext array has a value of E(1); when the element at a position in the first array has a value of 0, the element at that position in the first ciphertext array has a value of E(0). Other parties cannot know the meaning of E(1) or E(0).

[0068] Then, in step 22, the second party provides the first encrypted array to the first party. In this embodiment of the specification, the second party may provide the first encrypted array to the first party only after learning that the first party has a query request, or it may provide the first encrypted array to the first party in advance before learning that the first party has a query request.

[0069] In this scheme, the second party sends the first ciphertext array to the first party, and the first party can store the received first ciphertext array. This scheme has high storage efficiency.

[0070] Next, in step 23, the first party determines a preset number of target positions corresponding to the query data it holds in the Bloom filter, extracts the encrypted elements of the preset number of target positions from the first ciphertext array obtained from the second party, and obtains a preset number of encrypted values. It is understood that the first party can use the same mapping method as the second party to determine the preset number of target positions.

[0071] In one example, determining the preset number of target positions corresponding to the query data held by it in the Bloom filter includes:

[0072] For the query data, a preset number of hash values ​​are calculated using a preset number of hash functions shared with the second party, and each hash value corresponds to one target position in the Bloom filter.

[0073] It is understandable that the first party and the second party use the same hash function to determine the target positions. After obtaining each target position, the first party does not need to reset the element value of the corresponding position in the Bloom filter, but only uses it to extract the encrypted elements of each target position in the first ciphertext array to obtain each encrypted value.

[0074] by Figure 3 and Figure 4For example, if the query data of the first party is id1, the first party and the second party use the same hash function to determine that the target positions are position 2 and position 7. Then, the encrypted elements of position 2 and position 7 in the first ciphertext array are extracted to obtain the encrypted value E(0) of position 2 and the encrypted value E(0) of position 7.

[0075] In step 24, the first party performs a homomorphic function operation on the preset number of encrypted values ​​to obtain the resulting ciphertext; the homomorphic function operation is used to aggregate the element values ​​of the preset number of target positions. It is understood that the aggregation result depends on the element values ​​of the preset number of target positions, and the element value of a single target position cannot be inferred from the aggregation result, thus avoiding the leakage of additional information.

[0076] In one example, the first array is obtained by mapping each target data in the target data set to a preset number of first positions of the Bloom filter, and setting the value of the element in the preset number of first positions to 0;

[0077] The homomorphic function operation performed on the preset number of encrypted values ​​includes:

[0078] Homomorphically sum the encrypted values ​​to obtain the sum of the first ciphertext;

[0079] The summation result of the first ciphertext is multiplied by the random number selected by this party to obtain the result ciphertext.

[0080] For example, the encrypted values ​​mentioned above are specifically the encrypted value E(0) at position 2 and the encrypted value E(0) at position 7. By homomorphically summing E(0) + E(0) = E(0), the first ciphertext summation result E(0) is obtained. Then, the plaintext and ciphertext multiplication r*E(0) is calculated to obtain the final ciphertext E(0). Here, r is a random number selected by the first party.

[0081] In this example, because random numbers are introduced, at least one of the encrypted values ​​is E(1) when the query data does not belong to the target data set, so that the ciphertext of the result cannot reflect any information of the query data, and the second party cannot infer the query data from the ciphertext of the result.

[0082] It is understandable that the second party is the party being queried, and the first party is the party making the query. During the query process, the second party only obtains the aforementioned ciphertext of the result from the first party, and therefore cannot obtain the information of the element queried by the first party from the ciphertext of the result. In other words, the second party cannot obtain the information of the queried data.

[0083] In step 25, the first party sends the encrypted result to the second party. It is understood that there is only one encrypted result, corresponding to the aggregated result of the element values ​​at the preset number of target positions.

[0084] In step 26, the second party decrypts the encrypted result and determines whether the query data belongs to the target data set based on the decryption result. It is understood that the value of the decryption result can be used to determine whether the query data belongs to the target data set without revealing the query data itself.

[0085] In one example, determining whether the query data belongs to the target data set based on the decryption result includes:

[0086] If the decryption result is 0, it is determined that the queried data belongs to the target data set;

[0087] If the decryption result is not 0, it is determined that the queried data does not belong to the target data set.

[0088] This example corresponds to the mapping method of the Bloom filter provided in the embodiments of this specification.

[0089] Finally, in step 27, the second party notifies the first party of the result. It is understood that the first party only receives a determination of whether the queried data belongs to the target data set, and does not receive the target data set itself.

[0090] In this embodiment of the specification, the entire processing can be divided into two stages: steps 21 and 22 are called the preparation stage, and steps 23 to 27 are called the query stage. Optionally, the preparation stage is processed offline, while the query stage is processed online, thereby reducing the communication volume of online processing and increasing query efficiency.

[0091] The embodiments of this specification have a wide range of applications. In one example, the query data is the user identifier of the user to be queried, and the target data set is a set of user identifiers with target categories.

[0092] In this example, if it is determined that the queried data belongs to the target data set, then it is also determined that the user to be queried has the target category.

[0093] For example, blacklist queries are a common scenario in data services. However, with the introduction of various regulations protecting personal information, existing blacklist query services face compliance risks. On one hand, blacklists themselves contain sensitive data containing personal information, which providers cannot directly provide to querying parties due to the risk of leaking irrelevant personal data. On the other hand, many querying parties are unwilling to disclose user information not on the blacklist to the blacklist provider, as this would leak business information unrelated to the blacklist. The solution provided in this specification's embodiments can be used for anonymous queries in this scenario. Anonymous query: Party B has a database in (key, value) format. Party A queries Party B for the corresponding value without disclosing its key. This specification's embodiments can be seen as an optimization solution when the value only has two possible values: 0 and 1. Storage and query efficiency are significantly higher than general solutions.

[0094] The method provided in the embodiments of this specification firstly involves a first party determining a preset number of target positions corresponding to the query data it holds in a Bloom filter, extracting encrypted elements from the preset number of target positions in a first ciphertext array obtained from the second party, and obtaining a preset number of encrypted values. The first ciphertext array is obtained by the second party mapping its target data set to the Bloom filter, and then performing homomorphic encryption on each element in the first array. Next, the first party performs a homomorphic function operation on the preset number of encrypted values ​​to obtain a result ciphertext. The homomorphic function operation is used to aggregate the element values ​​of the preset number of target positions. Finally, the first party sends the result ciphertext to the second party so that the second party can decrypt the result ciphertext and determine whether the query data belongs to the target data set based on the decryption result. As can be seen from the above, in this embodiment of the specification, the first party can only obtain the first ciphertext array obtained by homomorphically encrypting each element in the first array from the second party. The first party cannot deduce any data included in the target data set through the first ciphertext array. The first party sends the result ciphertext to the second party. The result ciphertext is obtained by the first party performing homomorphic function operations on a preset number of encrypted values. The homomorphic function operation is used to aggregate the element values ​​of the preset number of target positions. The second party decrypts the result ciphertext. Based on the decryption result, it can only determine whether the query data belongs to the target data set. It cannot deduce the element values ​​of the preset number of target positions. Therefore, it cannot determine the query data, thereby satisfying the security requirements of anonymous query.

[0095] According to another embodiment, an apparatus for determining whether query data belongs to a target data set is also provided, wherein the query data is held by a first party and the target data set is held by a second party, and the apparatus is disposed at the first party, the apparatus being used to execute this specification. Figure 2 The actions performed by the first party in the method provided in the illustrated embodiment. Figure 5 A schematic block diagram of an apparatus for determining whether query data belongs to a target dataset according to one embodiment is shown. Figure 5 As shown, the device 500 includes:

[0096] The determining unit 51 is used to determine a preset number of target positions corresponding to the query data it holds in the Bloom filter, extract the encrypted elements of the preset number of target positions in the first ciphertext array obtained from the second party, and obtain a preset number of encrypted values; wherein, the first ciphertext array is obtained by the second party mapping its set of target data to the Bloom filter to obtain a first array, and performing homomorphic encryption on each element in the first array;

[0097] The operation unit 52 is used to perform homomorphic function operations on a preset number of encrypted values ​​obtained by the determining unit 51 to obtain the result ciphertext; the homomorphic function operation is used to aggregate the element values ​​of the preset number of target positions;

[0098] The sending unit 53 is used to send the encrypted result obtained by the calculation unit 52 to the second party so that the second party can decrypt the encrypted result and determine whether the query data belongs to the target data set based on the decryption result.

[0099] Optionally, as an embodiment, the determining unit 51 is specifically used to calculate a preset number of hash values ​​for the query data using a preset number of hash functions shared with the second party, where each hash value corresponds to one target position in the Bloom filter.

[0100] Optionally, as an embodiment, the first array is obtained by mapping each target data in the target data set to a preset number of first positions of the Bloom filter, and setting the values ​​of the elements in the preset number of first positions to 0.

[0101] Furthermore, the arithmetic unit 52 includes:

[0102] The summation subunit is used to perform homomorphic summation on each encrypted value to obtain the summation result of the first ciphertext.

[0103] The multiplication subunit is used to multiply the summation result of the first ciphertext obtained by the summation subunit by a random number selected by the user to obtain the result ciphertext.

[0104] According to another embodiment, an apparatus for determining whether query data belongs to a target data set is also provided, wherein the query data is held by a first party and the target data set is held by a second party, and the apparatus is disposed in the second party, the apparatus being used to perform the present specification. Figure 2 The actions performed by the second party in the method provided in the illustrated embodiment. Figure 6 A schematic block diagram of an apparatus for determining whether query data belongs to a target dataset according to another embodiment is shown. Figure 6 As shown, the device 600 includes:

[0105] Mapping unit 61 is used to, during the preparation phase, map the target data set onto a Bloom filter to obtain a first array, and perform homomorphic encryption on each element in the first array to obtain a first ciphertext array; and provide the first ciphertext array to the first party.

[0106] The receiving unit 62 is configured to receive ciphertext of the result from the first party during the query phase. The ciphertext of the result is obtained by the first party performing a homomorphic function operation on a preset number of encrypted values. The preset number of encrypted values ​​are obtained by the first party mapping the query data it holds to a preset number of target positions in the Bloom filter and extracting encrypted elements from the preset number of target positions in the first ciphertext array. The homomorphic function operation is used to aggregate the element values ​​of the preset number of target positions.

[0107] The determining unit 63 is used to decrypt the encrypted result received by the receiving unit 62, determine whether the query data belongs to the target data set based on the decryption result, and notify the first party of the determining result.

[0108] Optionally, as an embodiment, the mapping unit 61 includes:

[0109] The position determination subunit is used to calculate a preset number of hash values ​​for any target data in the target data set using a preset number of hash functions shared with the first party. Each hash value corresponds to one first position in the Bloom filter. The Bloom filter includes elements at m positions, and the initial value of each element at each position is 1.

[0110] The value setting subunit is used to set the values ​​of a preset number of first positions corresponding to any target data in the Bloom filter determined by the position determination subunit to 0, so as to obtain an m-bit first array.

[0111] Optionally, as an embodiment, the mapping unit 61 is specifically used to perform homomorphic encryption that supports addition homomorphism on each element in the first array.

[0112] Optionally, as an embodiment, the determining unit 63 includes:

[0113] The first determining subunit is used to determine that the query data belongs to the target data set if the decryption result is 0;

[0114] The second determining subunit is used to determine that the query data does not belong to the target data set if the decryption result is not 0.

[0115] Optionally, as an embodiment, the query data is the user identifier of the user to be queried, and the target data set is a set of user identifiers with target categories.

[0116] According to another embodiment, a computer-readable storage medium is also provided, on which a computer program is stored, which, when executed in a computer, causes the computer to perform a combination Figure 2 The method described.

[0117] According to another embodiment, a computing device is also provided, including a memory and a processor, wherein the memory stores executable code, and when the processor executes the executable code, it implements a combination... Figure 2 The method described.

[0118] Those skilled in the art will recognize that, in one or more of the examples above, the functions described in this invention can be implemented using hardware, software, firmware, or any combination thereof. When implemented in software, these functions can be stored in a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium.

[0119] The specific embodiments described above further illustrate the purpose, technical solution, and beneficial effects of the present invention. It should be understood that the above description is only a specific embodiment of the present invention and is not intended to limit the scope of protection of the present invention. Any modifications, equivalent substitutions, improvements, etc., made on the basis of the technical solution of the present invention should be included within the scope of protection of the present invention.

Claims

1. A method for determining whether query data belongs to a target data set, wherein the query data is held by a first party, the target data set is held by a second party, and the method is executed by the first party, comprising: The system determines a preset number of target positions corresponding to the query data it holds in the Bloom filter, extracts the encrypted elements of the preset number of target positions from the first ciphertext array obtained from the second party, and obtains a preset number of encrypted values; wherein, the first ciphertext array is obtained by the second party mapping its set of target data to the Bloom filter to obtain a first array, and performing homomorphic encryption on each element in the first array; Homomorphic function operations are performed on the preset number of encrypted values ​​to obtain the resulting ciphertext; the homomorphic function operations are used to aggregate the element values ​​at the preset number of target positions; The encrypted result is sent to the second party so that the second party can decrypt the encrypted result and determine whether the query data belongs to the target data set based on the decryption result. The first array is obtained by mapping each target data in the target data set to a preset number of first positions of the Bloom filter, and setting the values ​​of the elements in the preset number of first positions to 0.

2. The method as described in claim 1, wherein, Determining the preset number of target positions corresponding to the query data held by it in the Bloom filter includes: For the query data, a preset number of hash values ​​are calculated using a preset number of hash functions shared with the second party, and each hash value corresponds to one target position in the Bloom filter.

3. The method as described in claim 1, wherein performing homomorphic function operations on the preset number of encrypted values ​​includes: Homomorphically sum the encrypted values ​​to obtain the sum of the first ciphertext; The summation result of the first ciphertext is multiplied by the random number selected by this party to obtain the result ciphertext.

4. A method for determining whether query data belongs to a target data set, wherein the query data is held by a first party, the target data set is held by a second party, and the method is executed by the second party, comprising: In the preparation phase, the target data set is mapped to a Bloom filter to obtain a first array, and each element in the first array is homomorphically encrypted to obtain a first ciphertext array. Provide the first ciphertext array to the first party; During the query phase, the first party receives ciphertext results, which are obtained by the first party performing homomorphic function operations on a preset number of encrypted values. The preset number of encrypted values ​​are obtained by the first party mapping the query data it holds to a preset number of target positions in the Bloom filter and extracting encrypted elements from the preset number of target positions in the first ciphertext array. The homomorphic function operation is used to aggregate the element values ​​of the preset number of target positions. Decrypt the encrypted result and determine whether the queried data belongs to the target data set based on the decryption result. The results will be communicated to the first party. The step of mapping the target data set to the Bloom filter to obtain the first array includes: For any target data in the target data set, a preset number of hash values ​​are calculated using a preset number of hash functions shared with the first party. Each hash value corresponds to a first position in the Bloom filter. The Bloom filter includes elements at m positions, and the initial value of each element at each position is 1. Set the values ​​of a predetermined number of first-position elements corresponding to any target data in the Bloom filter to 0 to obtain an m-bit first array.

5. The method of claim 4, wherein, The process of homomorphically encrypting each element in the first array includes: Perform homomorphic encryption that supports addition homomorphism on each element in the first array.

6. The method of claim 4, wherein, The step of determining whether the query data belongs to the target data set based on the decryption result includes: If the decryption result is 0, it is determined that the queried data belongs to the target data set; If the decryption result is not 0, it is determined that the queried data does not belong to the target data set.

7. The method of claim 4, wherein, The query data is the user identifier of the user to be queried, and the target data set is a set of user identifiers with target categories.

8. An apparatus for determining whether query data belongs to a target data set, wherein the query data is held by a first party, the target data set is held by a second party, and the apparatus is disposed at the first party, comprising: The determining unit is used to determine a preset number of target positions corresponding to the query data it holds in the Bloom filter, extract the encrypted elements of the preset number of target positions in the first ciphertext array obtained from the second party, and obtain a preset number of encrypted values; wherein, the first ciphertext array is obtained by the second party mapping its set of target data to the Bloom filter to obtain a first array, and performing homomorphic encryption on each element in the first array; The arithmetic unit is used to perform homomorphic function operations on a preset number of encrypted values ​​obtained by the determining unit to obtain the resulting ciphertext; the homomorphic function operation is used to aggregate the element values ​​at the preset number of target positions; The sending unit is used to send the encrypted result obtained by the calculation unit to the second party, so that the second party can decrypt the encrypted result and determine whether the query data belongs to the target data set based on the decryption result; The first array is obtained by mapping each target data in the target data set to a preset number of first positions of the Bloom filter, and setting the values ​​of the elements in the preset number of first positions to 0.

9. The apparatus of claim 8, wherein, The determining unit is specifically used to calculate a preset number of hash values ​​for the query data using a preset number of hash functions shared with the second party, where each hash value corresponds to one target position in the Bloom filter.

10. The apparatus of claim 8, wherein the computing unit comprises: The summation subunit is used to perform homomorphic summation on each encrypted value to obtain the summation result of the first ciphertext. The multiplication subunit is used to multiply the summation result of the first ciphertext obtained by the summation subunit by a random number selected by the user to obtain the result ciphertext.

11. An apparatus for determining whether query data belongs to a target data set, wherein the query data is held by a first party, the target data set is held by a second party, and the apparatus is disposed in the second party, comprising: The mapping unit is used to map the target data set into a Bloom filter to obtain a first array during the preparation phase, and to perform homomorphic encryption on each element in the first array to obtain a first ciphertext array. Provide the first ciphertext array to the first party; A receiving unit is configured to receive ciphertext results from the first party during the query phase. The ciphertext results are obtained by the first party performing a homomorphic function operation on a preset number of encrypted values. The preset number of encrypted values ​​are obtained by the first party mapping the query data it holds to a preset number of target positions in the Bloom filter and extracting encrypted elements from the preset number of target positions in the first ciphertext array. The homomorphic function operation is used to aggregate the element values ​​of the preset number of target positions. A determining unit is used to decrypt the ciphertext of the result received by the receiving unit, and determine whether the query data belongs to the target data set based on the decryption result; The results will be communicated to the first party. The mapping unit includes: The position determination subunit is used to calculate a preset number of hash values ​​for any target data in the target data set using a preset number of hash functions shared with the first party. Each hash value corresponds to one first position in the Bloom filter. The Bloom filter includes elements at m positions, and the initial value of each element at each position is 1. The value setting subunit is used to set the values ​​of a preset number of first positions corresponding to any target data in the Bloom filter determined by the position determination subunit to 0, so as to obtain an m-bit first array.

12. The apparatus of claim 11, wherein, The mapping unit is specifically used to perform homomorphic encryption that supports addition homomorphism on each element in the first array.

13. The apparatus of claim 11, wherein, The determining unit includes: The first determining subunit is used to determine that the query data belongs to the target data set if the decryption result is 0; The second determining subunit is used to determine that the query data does not belong to the target data set if the decryption result is not 0.

14. The apparatus of claim 11, wherein, The query data is the user identifier of the user to be queried, and the target data set is a set of user identifiers with target categories.

15. A computer-readable storage medium having a computer program stored thereon, which, when executed in a computer, causes the computer to perform the method of any one of claims 1-7.

16. A computing device comprising a memory and a processor, wherein the memory stores executable code, and the processor, when executing the executable code, implements the method of any one of claims 1-7.