A secure service execution method and apparatus
By generating intermediate numbers and transformation parameters in secure multi-party computation, and simultaneously calculating carry values and transformation parameters using random numbers, the problem of high interaction frequency and low efficiency in existing technologies is solved, enabling efficient determination of the value range of secret data.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- ANT BLOCKCHAIN TECHNOLOGY (SHANGHAI) CO LTD
- Filing Date
- 2022-11-08
- Publication Date
- 2026-06-05
AI Technical Summary
Existing secure multi-party computation methods require multiple interactions to determine the range of values for secret data, resulting in numerous interactions, low efficiency, and a long computation time.
By generating intermediate numbers and conversion parameters, and using random numbers for interaction, the carry value and conversion parameters can be calculated simultaneously, reducing the number of interactions and improving computational efficiency.
It enables the determination of the value range of secret data with fewer interactions, improving the efficiency of interaction and calculation, while not revealing the secret data itself.
Smart Images

Figure CN115718933B_ABST
Abstract
Description
Technical Field
[0001] This specification relates to the field of secure multi-party computation technology, and in particular to a secure business execution method and apparatus. Background Technology
[0002] In the field of secure multi-party computation, secret data is typically stored in a shared form among different parties. Secure multi-party computation involves multiple parties jointly computing the result of a function based on portions of the secret data they hold (i.e., sub-data in a shared form), without revealing the sub-data that each party inputs to the function.
[0003] Currently, some secure multi-party computation processes involve calculating the range of values for secret data in order to perform business operations based on these ranges. This specification provides a secure business execution method for performing secure business operations. Summary of the Invention
[0004] This specification provides a secure business execution method and apparatus to at least partially solve existing technical problems.
[0005] The following technical solution is adopted in this specification:
[0006] This specification provides a secure business execution method for secure multi-party computation involving a first party, a second party, and a third party assisting in the computation; secret data is split into first secret data and second secret data in a shared manner, with the first secret data held by the first party and the second secret data held by the second party; the method includes:
[0007] The first party obtains a first random number from the third party;
[0008] Based on the first random number and the first secret data, a third intermediate number and a fourth intermediate number are generated and sent to the second party, so that the second party determines the second carry value and the second conversion parameter; and the first intermediate number and the second intermediate number sent by the second party are received, wherein the first intermediate number and the second intermediate number are determined by the second party based on the second secret data and the second random number obtained from the third party;
[0009] Based on the first secret data and the first intermediate number, a first carry value is determined, and based on the first secret data and the second intermediate number, a first conversion parameter between the secret data and the target data is determined.
[0010] Receive a fifth intermediate number sent by the second party, wherein the fifth intermediate number is determined by the second party based on the second carry value, the second conversion parameter and the third random number provided by the third party;
[0011] The target data corresponding to the secret data is determined based on the first carry value, the first conversion parameter, and the fifth intermediate number;
[0012] Based on the target data, determine the range of values for the secret data in the form of sharing, and perform secure business with the second party based on the range of values.
[0013] Optionally, based on the first random number and the first secret data, a third intermediate number and a fourth intermediate number are generated and sent to the second party, enabling the second party to determine the second carry value and the second conversion parameter; and the receiving of the first intermediate number and the second intermediate number sent by the second party specifically includes:
[0014] Based on the values of each bit of the first secret data and the first random number, generate the third intermediate number and the fourth intermediate number corresponding to each bit, and send them to the second party so that the second party can determine the second carry value of each bit and the second conversion parameter corresponding to each bit;
[0015] The system receives a first intermediate number and a second intermediate number corresponding to each bit of the secret data sent by the second party; the first intermediate number corresponding to each bit of the secret data is determined by the second party based on the value of each bit of the second secret data and a second random number obtained from the third party, and the second intermediate number corresponding to each bit of the secret data is determined by the second party based on the value of each bit of the second secret data and a second random number obtained from the third party.
[0016] Optionally, based on the values of each bit of the first secret data and the first random number, a third intermediate number and a fourth intermediate number corresponding to each bit are generated and sent to the second party, so that the second party determines the second carry value of each bit and the second conversion parameter corresponding to each bit; receiving the first intermediate number and the second intermediate number corresponding to each bit of the secret data sent by the second party specifically includes:
[0017] The first party, through multiple rounds of interaction with the second party, sends a third intermediate number and a fourth intermediate number to the second party, and receives the first intermediate number and a second intermediate number corresponding to each bit of the secret data sent by the second party; wherein each round of interaction is conducted in the following manner:
[0018] The highest bit of the determined first carry value corresponding to the secret data is used as the first input bit, and the lowest bit of the determined first conversion parameter is used as the second input bit.
[0019] Based on the first input bit value of the first secret data and the first random number obtained from the third party, a third intermediate number corresponding to the first input bit is generated, and based on the second input bit value of the first secret data and the first random number, a fourth intermediate number corresponding to the second input bit is generated. The third intermediate number and the fourth intermediate number are sent to the second party, so that the second party determines the second carry value of the higher bit of the first input bit based on the third intermediate number, and determines the second conversion parameter of the second input bit based on the fourth intermediate number.
[0020] The second party sends a first intermediate number corresponding to the first input bit and a second intermediate number corresponding to the second input bit.
[0021] Optionally, a first carry value is determined based on the first secret data and the first intermediate number, and a first conversion parameter between the secret data and the target data is determined based on the first secret data and the second intermediate number, specifically including:
[0022] Based on the values of each bit of the first secret data and the first intermediate number corresponding to each bit, the first carry value corresponding to each bit is determined. Based on the values of each bit of the first secret data and the second intermediate number corresponding to each bit, the first conversion parameter corresponding to each bit is determined.
[0023] Optionally, based on the values of each bit of the first secret data and the corresponding first intermediate number, a first carry value is determined for each bit; based on the values of each bit of the first secret data and the corresponding second intermediate number, a first conversion parameter is determined for each bit, specifically including:
[0024] Based on the first input bit value of the first secret data, the first carry value of the first input bit, and the first intermediate number corresponding to the first input bit, determine the first carry value of the next higher bit of the first input bit;
[0025] The first conversion parameter of the second input bit is determined based on the value of the second input bit of the first secret data and the second intermediate number corresponding to the second input bit.
[0026] Optionally, the first carry value of the next higher bit of the first input bit is determined based on the value of the first input bit of the first secret data, the first carry value of the first input bit, and the first intermediate number corresponding to the first input bit, specifically including:
[0027] Based on the value of the first input bit of the first secret data and the first intermediate number corresponding to the first input bit, determine the first product of the first input bit;
[0028] Based on the value of the first input bit of the first secret data, the first intermediate number corresponding to the first input bit, and the first carry value of the first input bit, determine the second product of the first input bit;
[0029] Based on the first product and the second product, determine the first carry value of the higher bit of the first input bit in the secret data.
[0030] Optionally, the first conversion parameter includes a third conversion parameter and a fourth conversion parameter;
[0031] Based on the value of the second input bit of the first secret data and the second intermediate number corresponding to the second input bit, the first transformation parameter of the second input bit is determined, specifically including:
[0032] Based on the value of the second input bit of the first secret data, the second intermediate number corresponding to the second input bit, the third conversion parameter corresponding to the higher bit of the second input bit, and the fourth conversion parameter, the third conversion parameter between the secret data and the target data corresponding to the second input bit is determined;
[0033] Based on the value of the second input bit of the first secret data, the second intermediate number corresponding to the second input bit, and the fourth conversion parameter corresponding to the higher bit of the second input bit, the fourth conversion parameter between the secret data and the target data corresponding to the second input bit is determined.
[0034] Optionally, the secret data has the same number of bits as the target data; the first conversion parameter includes a third conversion parameter and a fourth conversion parameter;
[0035] Based on the first carry value, the first conversion parameter, and the fifth intermediate number, the target data corresponding to the secret data is determined, specifically including:
[0036] For each bit of the secret data, based on the fifth intermediate number corresponding to the bit, the first carry value of the bit, and the third conversion parameter of the bit, determine the third product corresponding to the sum of the third conversion parameter of the bit and the sum of the first carry value of the bit;
[0037] Based on the determined third product and the fourth transformation parameter of that bit, determine the data of that bit of the target data corresponding to the secret data;
[0038] The target data is determined based on each bit of the target data.
[0039] Optionally, based on the target data, the range of values for the secret data in the sharing format is determined, specifically including:
[0040] The one-hot encoding of the target data is determined by bit-by-bit difference, in the order from the least significant bit to the most significant bit.
[0041] The one-hot encoding is used as the range of values for the secret data in the shared form.
[0042] This specification provides a secure business execution apparatus for performing secure multi-party computation involving a first party, a second party, and a third party assisting in the computation; secret data is split into first secret data and second secret data in a shared manner, the first secret data being held by the first party and the second secret data being held by the second party; the apparatus includes:
[0043] The acquisition module is used to acquire a first random number from the third party;
[0044] The first interaction module is used to generate a third intermediate number and a fourth intermediate number based on the first random number and the first secret data, and send them to the second party so that the second party can determine the second carry value and the second conversion parameter; and to receive the first intermediate number and the second intermediate number sent by the second party, wherein the first intermediate number and the second intermediate number are determined by the second party based on the second secret data and the second random number obtained from the third party;
[0045] The calculation module is used to determine a first carry value based on the first secret data and the first intermediate number, and to determine a first conversion parameter between the secret data and the target data based on the first secret data and the second intermediate number.
[0046] The second interaction module is used to receive the fifth intermediate number sent by the second party, wherein the fifth intermediate number is determined by the second party based on the second carry value, the second conversion parameter and the third random number provided by the third party;
[0047] The conversion module is used to determine the target data corresponding to the secret data based on the first carry value, the first conversion parameter, and the fifth intermediate number.
[0048] The execution module is used to determine the value range of the secret data in the sharing form based on the target data, and to perform security services with the second party based on the value range.
[0049] This specification provides a computer-readable storage medium storing a computer program that, when executed by a processor, implements the aforementioned secure service execution method.
[0050] This specification provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement the aforementioned secure service execution method.
[0051] The above-mentioned technical solutions adopted in this specification can achieve the following beneficial effects:
[0052] In the aforementioned secure business execution method, the secret data, which is private information, is split into first secret data held by a first party and second secret data held by a second party in a shared form. The first party participating in the secure multi-party computation generates a third intermediate number and a fourth intermediate number based on the first secret data and a first random number obtained from a third party, and sends them to the second party, enabling the second party to determine a second carry value and a second conversion parameter. The first party receives the first intermediate number and the second intermediate number sent by the second party to determine the first carry value and the first conversion parameter of the secret data. The first party also receives a fifth intermediate number sent by the second party. Based on the first carry value, the first conversion parameter, and the fifth intermediate number, the target data corresponding to the secret data is determined to determine the value range of the secret data in the shared form, and secure business is executed with the second party.
[0053] As can be seen from the above, the secure service execution method provided in this specification enables the first party to calculate the first carry value corresponding to the secret data and the first conversion parameter between the secret data and the target data based on the intermediate number received from the second party through a few interactions, thereby determining the target data and further determining the value range of the secret data to execute secure services without disclosing the secret data itself. Furthermore, the calculation of the first carry value and the calculation of the first conversion parameter do not interfere with each other and can be performed simultaneously, resulting in high interaction and computational efficiency. Attached Figure Description
[0054] The accompanying drawings, which are included to provide a further understanding of this specification and form part of this specification, illustrate exemplary embodiments and are used to explain this specification, but do not constitute an undue limitation thereof. In the drawings:
[0055] Figure 1 This is a flowchart illustrating one of the security service execution methods described in this specification.
[0056] Figure 2 This is a schematic diagram of an interactive calculation provided in this specification;
[0057] Figure 3 This specification provides a schematic diagram of a secure business execution device.
[0058] Figure 4 This specification provides a corresponding Figure 1 A schematic diagram of an electronic device. Detailed Implementation
[0059] To make the objectives, technical solutions, and advantages of this specification clearer, the technical solutions of this specification will be clearly and completely described below in conjunction with specific embodiments and corresponding drawings. Obviously, the described embodiments are only a part of the embodiments of this specification, and not all of them. Based on the embodiments in this specification, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this specification.
[0060] This specification aims to calculate a range of values that can represent secret data without disclosing the calculation results of the secret data itself. It involves performing secure multi-party computation, obtaining the range of values, and then executing secure operations based on that range. The resulting calculation is the data used to represent the range of values for the secret data.
[0061] One method for securely calculating the range of values for secret data is:
[0062] Step 1: The first party participating in secure multi-party computation, based on the secure computation protocol, interacts with the second party and, according to the A2B (Arithmetic to Bool) protocol, collaboratively converts the secret data of arithmetic sharing into secret data of bool sharing.
[0063] Arithmetic sharing and Boolean sharing are different forms of sharing. When data Q is shared arithmetically by multiple parties, the data Q is obtained by adding the shared sub-data held by each party. When data Q is shared booleanly by multiple parties, the data Q is obtained by XORing the shared sub-data held by each party.
[0064] The process involves converting arithmetic-shared secret data into Boolean-shared secret data. Specifically, it transforms the shared sub-data stored in arithmetic-shared form into Boolean-shared sub-data. The reason for using the A2B protocol for this conversion is that shared sub-data in arithmetic-shared form cannot be bitwise ORed with the secret data in the ORing-shared form. Subsequent steps require bitwise ORing of the secret data to obtain an intermediate sequence.
[0065] Step 2: The first party interacts with the second party to collaboratively accumulate or process the secret data, obtaining an intermediate sequence shared by both parties in Boolean.
[0066] The first party and the second party each hold a shared sub-data of the intermediate sequence in Boolean shared form.
[0067] This involves performing a cumulative OR operation on the secret data, that is, performing an OR operation bit by bit from the most significant bit to the least significant bit (from left to right). The intermediate sequence obtained by the cumulative OR operation has the same number of bits as the secret data.
[0068] Step 3: Perform bit-by-bit difference on the intermediate sequence to obtain the final sequence shared by both parties in Boolean.
[0069] The intermediate sequence is differentially processed from the least significant bit to the most significant bit (from right to left). The final sequence after differential processing is a sequence with only one bit set to 1 and all other bits set to 0. This means the final sequence is a one-hot encoding. Furthermore, the only non-zero bit in the final sequence is the same as the first non-zero bit in the secret data. This unique non-zero bit in the final sequence, which is also the first non-zero bit in the secret data, is the index representing the range of values for the secret data.
[0070] The first and second parties can each perform bit-by-bit difference on the shared sub-data of their respective intermediate sequences to obtain the shared sub-data of the final sequence. The final sequence can then be reconstructed based on the shared sub-data of the first and second parties.
[0071] The first non-zero bit is the first non-zero bit from left to right, i.e., the highest non-zero bit. The interval index is the exponent of the binary weight corresponding to the first non-zero bit.
[0072] For example, suppose the secret data = 01001, its decimal number is 0×2. 4 +1×2 3 +0×2 2 +0×2 1 +1×2 0 =0+8+0+0+1=9.2 4 2 3 2 2 2 1 2 0 These are all binary weights corresponding to different bits. By accumulating and ORing the secret data from the most significant bit to the least significant bit, we can obtain the intermediate sequence = 01111. By performing bit-by-bit difference on the intermediate sequence from the least significant bit to the most significant bit, we can obtain the final sequence = 01000.
[0073] The only non-zero bit in the final sequence is the 3rd bit (the least significant bit is the 0th bit). Therefore, 3 is the interval exponent k, and the range of the secret data is [2]. 3 ,2 3+1 (i.e., between 8 and 16).
[0074] Of course, since the intermediate sequence already represents the value range of the secret data (the highest non-zero bit, i.e., the interval exponent) and does not reveal the secret data itself, in one or more embodiments of this specification, the intermediate sequence can also be used as the calculation result of the value range of the secret data. However, the final sequence has a lower similarity to the secret data and is less likely to reconstruct or reveal the secret data itself; therefore, the final sequence can also be used as the calculation result of the value range of the secret data. Which result to use can be set as needed.
[0075] The above method can securely calculate the range of values for the secret data. However, both steps 1 and 2 require the first party to interact with the second party for each bit of the secret data. Since the process of obtaining the Boolean-shared secret data through A2B and the process of obtaining the intermediate sequence are progressive, steps 1 and 2 must be executed sequentially. The first party must first collaboratively obtain the Boolean-shared secret data through interaction with the second party before it can further interact with the second party to calculate the shared sub-data of the intermediate sequence. Step 3, however, requires no interaction.
[0076] This means that determining the range of values for the secret data using this method requires multiple interactions between the first and second parties, with a total of 2^n interactions, where n represents the number of bits in the secret data. Furthermore, steps 1 and 2 consume a significant amount of time, resulting in low efficiency in determining the range of values for the secret data.
[0077] To reduce the number of interactions between the parties involved in secure computation and improve interaction efficiency, this specification provides a secure business execution method. It should be noted that "this method" mentioned later in this specification refers to this secure business execution method.
[0078] In the secure business execution method provided in this specification, compared with the aforementioned A2B-based method, the secure calculation of the value range of secret data in this method can be considered as including three processes: calculating the carry value, calculating the conversion parameters between the secret data and its converted data, and determining the target data of the converted data to obtain the value range in a shared form. The converted data in this method is similar to the intermediate sequence in the aforementioned A2B-based method; both are derived from the secret data and can reflect the value range of the secret data without disclosing the secret data itself. However, in this method, process 1 (calculating the carry value) and process 2 (calculating the conversion parameters) for determining the target data of the converted data can be executed simultaneously and can be considered as one step. Furthermore, a single interaction can simultaneously transmit the intermediate number used to determine the carry value corresponding to one bit of the secret data and the intermediate number used to determine the conversion parameter corresponding to one bit of the target data. For n-bit secret data, n interactions are required, while the process of determining the target data to obtain the value range only requires one interaction.
[0079] Therefore, this method requires fewer interactions, only n+1 times, which is equal to the number of bits in the secret data plus one. Consequently, this method is more efficient at determining the range of values for the secret data.
[0080] The target data is a shared sub-data component of the transformation data calculated by the first party. The other shared sub-data component of the transformation data is calculated by the second party. After both the first and second parties have calculated their respective shared sub-data components, the transformation data is then calculated.
[0081] The following explains some concepts involved in this manual:
[0082] Sharing format: In secure computation between two parties, an integer x (occupying n bits, ranging from 0 to n-1 bits) needs to be distributed and stored between P0 and P1 in the shared format x = x0 + x1, so that neither party knows the other's shared sub-data. Here, "+" represents addition in an Abelian group. x, x0, and x1 are all elements in the Abelian group. Bit 0 has a binary weight of 2. 0 The corresponding bit.
[0083] Secure computation in a shared format: Computation is performed in a shared format, and the results are still stored separately in shared formats by the participating parties. During the computation, none of the participating parties are aware of the shared sub-data held by the other parties.
[0084] Boolean sharing: A method of representing each bit of an n-bit number as a shared representation mod 2.
[0085] Arithmetic sharing: Representing an n-bit number as mod 2 nA shared representation method.
[0086] In this specification, the secure calculation of the value range of secret data is a secure calculation in the form of sharing, and the result of the calculation is still stored in the form of sharing among the parties involved in the secure calculation.
[0087] Group: In mathematics, a "group" represents an algebraic structure that satisfies closure, associativity, has an identity element, and has inverses, and performs binary operations. The multiplication symbol "*" (which can be omitted when unambiguous) or the addition symbol "+" is typically used as the symbol for this binary operation. However, it's important to note that this binary operation is not necessarily equivalent to multiplication or addition in arithmetic. The result of one or more binary operations on several elements is called the composite value.
[0088] A group that satisfies the commutative law is called an abelian group. An abelian group consists of its own set G and the binary operation *.
[0089] This specification relates to an abelian group, which is modulo 2. n The cyclic group of remainders, from 0 to 2 n-1 2 in total n It consists of 12 elements. And G = Z / 2 n Z. Where Z is the set of integers, and n is a positive integer.
[0090] The secret data in this specification is S = x + y, S ∈ G. There exists a unique interval exponent k ∈ {0, 1, ..., n-1} such that the secret data S ∈ [2]. k ,2 k+1 For binary S, k is the position of the first non-zero bit from the high-order bit to the low-order bit, which is the kth bit from the low-order bit to the high-order bit (the lowest bit is the zeroth bit).
[0091] In this system, secret data S is stored in a shared format between the first and second parties participating in the secure computation. Specifically, each party stores a portion of the secret data: the first party holds x, and the second party holds y (second secret data). Here, x is the first secret data, and y is the second secret data; both are shared sub-data of the secret data. The secret data is the sum of the first and second secret data.
[0092] In this specification, when data is divided into two parts held by a first party and a second party respectively under a shared arrangement, the parts held by the first party and the second party are the shared sub-data of that data. This data is then the sum of its own shared sub-data.
[0093] For example, the secret data S is the decimal number 4, modulo 4, which is 00 in binary. S0 (the 0th bit of S) is 0, and S1 (the 1st bit of S) is also 0. The first secret data x and the second secret data y are shared sub-data arithmetically of S. Assume that binary x is 01, i.e., 1 in decimal, and binary y is 11, i.e., 3 in decimal. x0 represents the 0th bit of x, which is 1, and x1 represents the 1st bit of x, which is 0. y0 represents the 0th bit of y, which is 1, and y1 represents the 1st bit of y, which is also 1. x0 and y0 are the shared sub-data of the 0th bit of the secret data S. x1 and y1 are the shared sub-data of the 1st bit of the secret data S.
[0094] Where S0 = x0 + y0 mod 2. S0 = x0 XOR y0. But S1 is not equal to x1 + y1 mod 2. That is, S1 is not equal to x1 XOR y1. Because x0 + y0 has a carry-in to the 1st bit. The carry-in value from the 0th bit to the 1st bit is 1.
[0095] In this specification, target data that has a transformation relationship with secret data is calculated, and the range of values for secret data in a shared format is obtained based on the target data to perform security operations. Furthermore, the obtained range of values can be stored in a Boolean shared format between the first and second parties.
[0096] The technical solutions provided in the various embodiments of this specification are described in detail below with reference to the accompanying drawings.
[0097] Figure 1 This is a flowchart illustrating one method for executing secure services as described in this specification, specifically including the following steps:
[0098] S100: The first party obtains a first random number from the third party.
[0099] In this specification, the secure business execution method is used for secure multi-party computation by a first party, a second party, and a third party assisting in the computation. This method can be executed by the first party participating in the secure computation, specifically by the first party's server. This specification only describes the process of obtaining the range of values for secret data in a shared format through the execution of this method from the perspective of the first party, in order to execute the business. From the second party's perspective, the process by which the second party obtains the range of values for secret data in a shared format is similar to the process by which the first party executes this secure business execution method.
[0100] As described above, the secret data is split into first secret data and second secret data in a shared manner. The first secret data is held by the first party participating in the secure multi-party computation, and the second secret data is held by the second party participating in the secure multi-party computation. The first secret data and the second secret data are shared sub-data of the secret data.
[0101] In order to obtain the range of values for secret data in a shared form through secure computation, and to ensure that neither party involved in the secure multi-party computation discloses its own stored first or second secret data, the first and second parties need to exchange intermediate numbers based on a secure computation protocol to perform computations based on these intermediate numbers. Furthermore, the intermediate numbers can be generated based on random numbers obtained from a third party.
[0102] First, the first party can obtain the first random number from the third party.
[0103] S102: Generate a third intermediate number and a fourth intermediate number based on the first random number and the first secret data, and send them to the second party so that the second party can determine the second carry value and the second conversion parameter; and receive the first intermediate number and the second intermediate number sent by the second party, wherein the first intermediate number and the second intermediate number are determined by the second party based on the second secret data and the second random number obtained from the third party.
[0104] In this specification, based on this method, the first party, through interaction with the second party, calculates a shared sub-data within the value range of the secret data. Through interaction with the first party, the second party then calculates another shared sub-data within the value range.
[0105] When interacting with the second party, the first party may send intermediate numbers to the second party to assist the second party in calculating a shared sub-data of the value range of the secret data, and receive intermediate numbers sent by the second party so that in subsequent steps, the first carry value and the first conversion parameter can be calculated based on the received intermediate numbers to further calculate another shared sub-data of the value range of the secret data.
[0106] Therefore, after obtaining the first random number, the first party can generate a third intermediate number and a fourth intermediate number based on the first random number and the first secret data, and send them to the second party, enabling the second party to determine the second carry value and the second conversion parameter. The first party then receives the first intermediate number and the second intermediate number sent by the second party.
[0107] The first intermediate number and the second intermediate number are determined by the second party based on the second secret data and the second random number obtained from the third party.
[0108] S104: Determine a first carry value based on the first secret data and the first intermediate number, and determine a first conversion parameter between the secret data and the target data based on the first secret data and the second intermediate number.
[0109] In one or more embodiments of this specification, after receiving the first intermediate number and the second intermediate number sent by the second party, the first party may determine the first carry value based on the first secret data and the first intermediate number, and determine the first conversion parameter between the secret data and the target data based on the first secret data and the second intermediate number.
[0110] Wherein, the first carry value is a shared sub-data of the carry value calculated by the first party. The second carry value is another shared sub-data of the carry value calculated by the second party. The first conversion parameter is a shared sub-data of the conversion parameters calculated by the first party, and the second conversion parameter is another shared sub-data of the conversion parameters calculated by the second party.
[0111] This transformation parameter is the transformation parameter for the transformation relationship between secret data and the corresponding transformed data.
[0112] S106: Receive the fifth intermediate number sent by the second party, the fifth intermediate number being determined by the second party based on the second carry value, the second conversion parameter, and the third random number provided by the third party.
[0113] In one or more embodiments of this specification, after the second party calculates the second carry value and the second conversion parameter, the second party can determine the fifth intermediate number based on the second carry value, the second conversion parameter, and the third random number provided by the third party, and send it to the first party.
[0114] The first party can then receive the fifth intermediate number sent by the second party. This fifth intermediate number is used to determine the target data corresponding to the secret data.
[0115] Of course, after the first party calculates the first carry value and the first conversion parameter, it can also determine the sixth intermediate number based on the first carry value, the first conversion parameter, and the fourth random number obtained from the third party, and send it to the second party. This allows the second party to determine another shared sub-data of the converted data corresponding to the secret data based on the sixth intermediate number. For ease of distinction, this target data is designated as the first target data, and the other shared sub-data of the converted data determined by the second party is designated as the second target data. Therefore, the first target data and the second target data are two shared sub-data of the converted data.
[0116] S108: Determine the target data corresponding to the secret data based on the first carry value, the first conversion parameter, and the fifth intermediate number.
[0117] In one or more embodiments of this specification, after receiving the fifth intermediate number, the first party can determine the target data of the converted data corresponding to the secret data based on the calculated first carry value, the first conversion parameter, and the received fifth intermediate number.
[0118] S110: Based on the target data, determine the value range of the secret data in the sharing form, and perform security operations with the second party based on the value range.
[0119] After identifying the target data, the first party can determine the range of values for the secret data in a shared format, that is, determine one of the shared sub-data within the range of values. The first party can then collaborate with the second party to execute security operations based on the shared sub-data within the range of values calculated by the first party and the shared sub-data calculated by the second party.
[0120] In one or more embodiments of this specification, the first party may use the determined target data as the range of values of secret data in a shared form, that is, the shared sub-data of the range of values.
[0121] Alternatively, after determining the target data, the first party can determine the one-hot encoding of the target data by bit-by-bit difference in the order of the low-bit to the high-bit of the target data, and use the one-hot encoding as the value range of the secret data in the form of sharing.
[0122] It should be noted that the sum of the one-hot codes of the target data calculated by the first party and the one-hot codes of the second target data calculated by the second party is the same as the result of bit-by-bit difference of the converted data from low to high bits.
[0123] This security service can be at least one of the following: normalizing features in machine learning, performing T-tests, or any other service that requires calculating the range of values for secret data. For example, secret data could be asset quantities; after calculating the range of values for different institutions, asset quantities between institutions can be compared based on each range.
[0124] Taking machine learning normalization as an example, the first party can obtain a fifth random number from a third party. Based on the shared sub-data of its own calculated value range and the fifth random number, it determines a seventh intermediate number and sends the seventh random number to the second party. The second party, based on the seventh random number and the shared sub-data of its own calculated value range, determines shared sub-data for the initial value used for normalization, which serves as the second initial value. The first party also receives an eighth intermediate number from the second party. Based on the eighth intermediate number and its own shared sub-data of value range, the first party can determine another shared sub-data for the initial value, which serves as the first initial value. Then, the first and second parties can perform Newton iterations based on these initial values and perform normalization based on the results of the Newton iterations.
[0125] In one or more embodiments of this specification, the highest non-zero bit of the converted data is the interval index of the value range of the secret data. For example, assuming the highest non-zero bit of the converted data is the 3rd bit, the interval index is 3.
[0126] In this context, the unique non-zero bit of the sum of the one-hot encoded data can also be the range index of the secret data's value range. Furthermore, the highest non-zero bit of the transformed data, the unique non-zero bit of the one-hot encoded data, and the highest non-zero bit of the secret data are the same.
[0127] For example, if the only non-zero bit of the sum data in one-hot encoding is the 4th bit, then the interval exponent of the secret data is 4, and the range of the secret data is [2]. 4 ,2 4+1 ).
[0128] It should be noted that, unless otherwise specified, all "numbers" in this manual are counted from the least significant bit to the most significant bit, starting from the zeroth bit. For example, for the binary number corresponding to the decimal number 8, i.e., 1000, from the least significant bit to the most significant bit (from right to left), the zeroth bit (the bit corresponding to 2 to the power of 0), the first bit (the bit corresponding to 2 to the power of 1), and the second bit (the bit corresponding to 2 to the power of 2) are all 0, and the third bit (the bit corresponding to 2 to the power of 3) is 1. However, when referring to the first non-zero bit, it refers to the first non-zero bit from the most significant bit to the least significant bit, i.e., the highest non-zero bit.
[0129] based on Figure 1 The security service execution method shown involves splitting secret data, which is considered private information, into first secret data held by a first party and second secret data held by a second party in a shared form. The first party, participating in the secure multi-party computation, generates a third intermediate number and a fourth intermediate number based on the first secret data and a first random number obtained from a third party, and sends them to the second party. This enables the second party to determine a second carry value and a second conversion parameter. The first party receives the first intermediate number and the second intermediate number sent by the second party to determine the first carry value and the first conversion parameter of the secret data. The first party also receives a fifth intermediate number sent by the second party. Based on the first carry value, the first conversion parameter, and the fifth intermediate number, the target data corresponding to the secret data is determined to determine the value range of the secret data in the shared form, and the secure service is executed with the second party.
[0130] As can be seen from the above method, based on this method, the first party can calculate the first carry value corresponding to the secret data and the first conversion parameter between the secret data and the target data based on the intermediate number received from the second party through a few interactions, thereby determining the target data and further determining the value range of the secret data to execute secure business operations, without disclosing the secret data itself. Furthermore, the calculation of the first carry value and the calculation of the first conversion parameter do not interfere with each other and can be performed simultaneously, resulting in high interaction and computational efficiency.
[0131] Furthermore, in this specification, the number of bits in the secret data and the converted data, the number of bits in the first secret data, the number of bits in the second secret data, and the number of bits in the first target data and the second target data corresponding to the converted data are all the same. For each bit of the converted data, the carry value corresponding to that bit of the secret data satisfies the conversion relationship.
[0132] In one or more embodiments of this specification, the calculation of the carry value refers to the calculation of a first carry value by the first party and a second carry value by the second party. The calculation of the conversion parameter refers to the calculation of a first conversion parameter by the first party and a second conversion parameter by the second party.
[0133] In this specification, the carry values corresponding to different bits of the secret data may be different, and the conversion parameters of the conversion relationship corresponding to different bits may also be different. Therefore, the first carry value corresponding to different bits may be different, and the first conversion parameter corresponding to different bits may also be different.
[0134] In step S102 of this specification, a third intermediate number and a fourth intermediate number are generated based on the first random number and the first secret data, and sent to the second party so that the second party can determine the second carry value and the second conversion parameter; and when receiving the first intermediate number and the second intermediate number sent by the second party, specifically, the first party can generate the third intermediate number and the fourth intermediate number corresponding to each bit based on the value of each bit of the first secret data and the first random number, and send them to the second party so that the second party can determine the second carry value of each bit and the second conversion parameter of each bit.
[0135] Furthermore, the first party receives the first intermediate number and the second intermediate number corresponding to each bit of the secret data sent by the second party.
[0136] The first intermediate number corresponding to each bit of the secret data is determined by the second party based on the values of each bit of the second secret data and a second random number obtained from the third party. The second intermediate number corresponding to each bit of the secret data is determined by the second party based on the values of each bit of the second secret data and a second random number obtained from the third party.
[0137] In one or more embodiments of this specification, the random numbers used to determine the intermediate numbers corresponding to different digits can be different or the same. Similarly, the first random number used by the first party to determine the third intermediate number corresponding to different digits and the first random number used to determine the fourth intermediate number corresponding to different digits can be the same or different. Likewise, the second random number used by the second party to determine the first intermediate number corresponding to different digits and the second random number used to determine the second intermediate number corresponding to different digits can be the same or different.
[0138] Furthermore, the second random number may contain a set of random numbers. And within the second random number, the random number used to determine the first intermediate number may be different from the random number used to determine the second intermediate number.
[0139] Furthermore, in one or more embodiments of this specification, in step S104, when determining the first carry value based on the first secret data and the first intermediate number, and determining the first conversion parameter between the secret data and the target data based on the first secret data and the second intermediate number, specifically, the first party may determine the first carry value corresponding to each bit based on the value of each bit of the first secret data and the first intermediate number corresponding to each bit, and determine the first conversion parameter corresponding to each bit based on the value of each bit of the first secret data and the second intermediate number corresponding to each bit.
[0140] In one or more embodiments of this specification, the first carry value corresponding to the carry value of each bit of the secret data and the first conversion parameter corresponding to each conversion parameter can be obtained by bitwise calculation.
[0141] Since the first carry value corresponding to the least significant bit in all bits of the secret data is known, the calculation of the first carry value is performed in order from least significant bit to most significant bit. The first party can receive the first intermediate number of that bit determined by the second party based on the second secret data for each bit of the secret data in order from least significant bit to most significant bit, so as to determine the first carry value corresponding to the next higher bit of the secret data based on the first intermediate number and the first carry value corresponding to that bit.
[0142] For the first conversion parameter, the first conversion parameter corresponding to the bit above the most significant bit in all bits of the secret data is known. Therefore, the calculation of the first conversion parameter is performed in order from the most significant bit to the least significant bit. The first party can receive the second intermediate number determined by the second party based on the second secret data for each bit of the secret data in order from the most significant bit to the least significant bit. Based on the second intermediate number and the first conversion parameter corresponding to the bit above the most significant bit, the first conversion parameter corresponding to the target data of the secret data and the transformed data at that bit can be determined. For ease of description, the first conversion parameter of the target data of the secret data and the transformed data will be referred to as the first conversion parameter of the secret data and the target data.
[0143] As described above, the bitwise calculation of the first carry value and the bitwise calculation of the first conversion parameter can be performed simultaneously without interference. Therefore, the first party can interact with the second party bit by bit in the order of high bit to low bit and low bit to high bit for the target data of the secret data to be generated, and receive the first intermediate number and the second intermediate number to determine the first carry value of each bit and the first conversion parameter of the secret data and the target data at each bit.
[0144] In one or more embodiments of this specification, for each bit of secret data, the carry value of that bit in the secret data is the carry value from the bit below that bit to that bit.
[0145] Among these, the highest bit of the first carry value is the highest digit among all bits of the first carry value. The first intermediate number is the intermediate number corresponding to this highest bit, used to determine the first carry value. The lowest bit of the first conversion parameter is the lowest digit among all bits of the first conversion parameter. The second intermediate number is the intermediate number corresponding to the bit below this lowest bit, used to determine the intermediate number of the first conversion parameter.
[0146] To distinguish the highest bit (absolute highest bit) of all bits in the secret data, target data, etc., from the highest bit of the determined first carry value, and to distinguish the lowest bit (absolute lowest bit) of all bits in the secret data, target data, etc., from the lowest bit of the determined first transformation parameter, the highest bit of the determined first carry value will be referred to as the current highest bit, and the lowest bit of the determined first transformation parameter will be referred to as the current lowest bit. When only the highest bit is mentioned, it refers to the absolute highest bit; when only the lowest bit is mentioned, it refers to the absolute lowest bit.
[0147] For the lowest bit (zeroth bit) of all the bits in the secret data, since there is no bit lower than this lowest bit, the carry value corresponding to this lowest bit is 0. The first carry value of this bit is also zero. Therefore, when the current highest bit with the first carry value has been determined to be the zeroth bit, the first carry value of this current highest bit is known, and the first carry value corresponding to the next higher bit can be determined based on the first carry value of the zeroth bit. This allows the first carry value to be obtained bit by bit.
[0148] For the highest bit of the transformed data W (which is also the highest bit of the secret data), i.e., the (n-1)th bit, since there is no bit higher than this highest bit, that is, the nth bit does not actually exist. Therefore, W n =0, meaning the conversion parameter corresponding to the nth bit is 0. The first conversion parameter corresponding to the nth bit is also 0. Therefore, when the lower bit of the current least significant bit of the first conversion parameter is determined to be the (n-1)th bit, the first conversion parameter of the current least significant bit "nth bit" is known. Based on the first conversion parameter of the current least significant bit, the first conversion parameter of the lower bit of the current least significant bit can be determined. The first conversion parameter can then be obtained bit by bit.
[0149] In one or more embodiments of this specification, the first party may continue to interact with the second party until the shared sub-data of the carry value and the shared sub-data of the conversion parameter corresponding to each bit are determined in sequence.
[0150] Therefore, in one or more embodiments of this specification, the first party can send a third intermediate number and a fourth intermediate number to the second party through multiple rounds of interaction, and receive the first intermediate number and the second intermediate number corresponding to each bit of the secret data sent by the second party.
[0151] Each round of interaction is conducted in the following manner:
[0152] The first party uses the highest bit of the determined first carry value corresponding to the secret data as the first input bit, and the bit lower than the lowest bit of the determined first conversion parameter as the second input bit. Based on the value of the first input bit of the first secret data and a first random number obtained from a third party, a third intermediate number corresponding to the first input bit is generated. Based on the value of the second input bit of the first secret data and the first random number, a fourth intermediate number corresponding to the second input bit is generated. The third and fourth intermediate numbers are then sent to the second party, enabling the second party to determine the second carry value of the higher bit of the first input bit based on the third intermediate number, and to determine the second conversion parameter of the second input bit based on the fourth intermediate number.
[0153] Furthermore, the first party receives the first intermediate number corresponding to the first input bit and the second intermediate number corresponding to the second input bit sent by the second party.
[0154] Furthermore, after receiving the first intermediate number corresponding to the first input bit and the second intermediate number corresponding to the second input bit, the first party can determine the first carry value of the next higher bit of the first input bit based on the value of the first input bit of the first secret data, the first carry value of the first input bit, and the first intermediate number corresponding to the first input bit. And based on the value of the second input bit of the first secret data and the second intermediate number corresponding to the second input bit, the first conversion parameter of the second input bit is determined.
[0155] As can be seen, through one round of interaction, the first party can determine the first carry value corresponding to one bit of the secret data and the first transformation parameter corresponding to one bit of the secret data. Of course, since the order of traversing the bits of the secret data when determining the first carry value is the reverse of the order when determining the first transformation parameter, the data bits corresponding to the first carry value determined in one round of interaction may be different from the first transformation parameter.
[0156] Specifically, when determining the first carry value corresponding to the first input bit, the first party can determine the first product of the first input bit based on the value of the first input bit of the first secret data and the first intermediate number corresponding to the first input bit.
[0157] The first product is a shared sub-data product of the value of the first input bit in the first secret data and the value of the first input bit in the second secret data.
[0158] Furthermore, the first party can determine the second product of the first input bit based on the value of the first input bit of the first secret data, the first intermediate number corresponding to the first input bit, and the first carry value of the first input bit.
[0159] The second product is a shared sub-data product of the value of the first input bit in the first secret data, the sum of the values of the first input bits in the second secret data, and the sum of the first carry values of the first input bits. The sum of the first carry values of the first input bits is the carry value of the first input bits.
[0160] Finally, the first party can determine the first carry value of the higher bit of the first input bit in the secret data based on the first product and the second product.
[0161] In one or more embodiments of this specification, the conversion parameters may include a first type of conversion parameters and a second type of conversion parameters. The first conversion parameter may include a third conversion parameter and a fourth conversion parameter. The third conversion parameter is a shared sub-data of the first type of conversion parameters corresponding to the first party, and the fourth conversion parameter is a shared sub-data of the second type of conversion parameters corresponding to the first party.
[0162] When determining the first conversion parameter of the second input bit, specifically, the first party can determine the third conversion parameter of the secret data and the target data corresponding to the second input bit based on the value of the second input bit of the first secret data, the second intermediate number corresponding to the second input bit, the third conversion parameter corresponding to the higher bit of the second input bit, and the fourth conversion parameter.
[0163] Furthermore, based on the value of the second input bit of the first secret data, the second intermediate number corresponding to the second input bit, and the fourth conversion parameter corresponding to the higher bit of the second input bit, the fourth conversion parameter between the secret data and the target data corresponding to the second input bit is determined.
[0164] In one or more embodiments of this specification, as described above, the secret data has the same number of bits as the target data.
[0165] In one or more embodiments of this specification, after determining the first carry value and the first conversion parameter corresponding to each bit, the first party can determine the target data based on the first carry value and the first conversion parameter it holds. In determining the target data, there is no need to calculate each bit individually; the first party can interact with the second party only once.
[0166] In step S108, when determining the target data corresponding to the secret data, specifically, the first party may, for each bit of the secret data, determine the third product corresponding to the sum of the third conversion parameters of the bit and the sum of the first conversion parameters of the bit, based on the fifth intermediate number corresponding to the bit, the first carry value of the bit, and the third conversion parameter of the bit.
[0167] The third product is one of the shared sub-data of the product of the sum of the third transformation parameters of that bit and the sum of the first carry value of that bit.
[0168] Then, the first party can determine the corresponding bit of the target data based on the determined third product and the fourth transformation parameter of that bit. The target data is then determined based on each bit of the target data.
[0169] In one or more embodiments of this specification, the conversion relationship between secret data and target data can be specifically described as follows:
[0170] w i =a i c i +b i
[0171] Among them, w i That is, the i-th data point of the transformed data, a i With b i This refers to the transformation parameter corresponding to this bit. i b is a type of transformation parameter corresponding to the i-th position. i c is the type II transformation parameter corresponding to the i-th position. i Let be the carry value corresponding to the i-th bit of the secret data, where i ∈ [0, n-1]. n is the total number of bits in the secret data.
[0172] As can be seen, the conversion parameters corresponding to different bits can be different. Based on the conversion relationship, the first carry value of each bit, and the first conversion parameter of each bit, each bit of the target data can be determined. After obtaining each bit of the target data, the complete target data can be obtained.
[0173] Of course, the first party does not calculate the complete a. i c i b i The complete w has not yet been determined. i Instead, it determines w i The shared sub-data: target data. Furthermore, in the process of determining the value range of the secret data based on this method, for each data such as the secret data, transformed data, carry values of each bit, and transformation parameters, the first party and the second party always store one of the shared sub-data of each data, and neither party discloses the shared sub-data they hold to the other, nor does they calculate or reconstruct each data based on the shared sub-data.
[0174] In steps S100 to S104 of this specification, the first party and the second party perform n interactions in total. In step S106, the first party and the second party perform 1 interaction in total. This 1 interaction is used to calculate the third product of the sum of the third transformation parameters of each bit and the sum of the corresponding first carry values during the calculation of the target data, that is, a i c i Shared sub-data. Due to a i Shared sub-data and c i Multiplication of 1 and 2 does not equal a. i c i Therefore, since the data consists of shared sub-data, it is necessary to determine a based on the fifth intermediate number of the i-th position through interaction. i c i Shared sub-data.
[0175] In one or more embodiments of this specification, c i+1 =x i y i +(x i +y i )c i
[0176] The matrix form is:
[0177]
[0178] Where i∈[0, n-1]. i+1 c represents the carry value corresponding to the (i+1)th bit. i This represents the carry value corresponding to the i-th bit. When i is 0, the carry value is also 0. xi is the i-th bit of the first secret data, and yi is the i-th bit of the second secret data. Starting from the 0th bit with a known carry value, each carry value can be determined bit by bit towards the higher bits. i y i The shared sub-data is the first product corresponding to the i-th bit. (x) i +y i )c i The shared sub-data is the second product corresponding to the i-th bit. Based on x i y i Shared sub-data, (x i +y i )c i Given the shared sub-data and the transformation relationship, c can be determined. i+1 Shared sub-data.
[0179] In one or more embodiments of this specification, the conversion parameters are determined based on the following formula:
[0180]
[0181] (a n b n +1)=(0,1)
[0182] Where i ∈ [0, n-1]. i That is, the type of transformation parameter at position i, b i That is, the type II transformation parameter at the i-th position. i+1 That is, the transformation parameter of the (i+1)th bit, b i+1 That is, the type II transformation parameter at the i-th position. x i That is, the i-th data of the first secret data, y i That is, the i-th bit of the second secret data. n That is, a type of transformation parameter that is the "highest bit" among all bits of the secret data, which is 0, b n That is, the type II transformation parameter of the "highest bit" among all bits of the secret data is also 0. Based on the known transformation parameter of the nth bit, the transformation parameter corresponding to the (n-1)th bit can be obtained from the lower bits, thus determining the transformation parameter corresponding to each bit. Where, a i =a i+1 x i y i +b i+1 +1, b i =(x i +y i (b) i+1 +1)-1.
[0183] It should be noted that, in one or more embodiments of this specification, all multiplication calculations can be performed based on a secure multiplication protocol. The process of converting secret data into target data based on a transformation relationship, as described in this specification, is also a process of accumulating the secret data bit by bit from the high byte to the low byte to obtain the target data.
[0184] This manual also provides proof of the correctness of the conversion relationship:
[0185] w n =a n c n +b n =0, a n c n b n All are 0.
[0186] Assuming the (i+1)th digit is correct, i.e., w i+1 =a i+1 c i+1 +b i+1 Then we have:
[0187] w i =(w i+1 +1)(Si +1)-1
[0188] =(a i+1 c i+1 +b i+1 +1)(x i +y i +c i +1)-1
[0189] =(a i+1 (x i +y i )c i +a i+1 x i y i +b i+1 +1)(x i +y i +c i )-1
[0190] =[a i+1 (x i +y i )+a i+1 x i y i +b i+1 +1+a i+1 (x i +y i )]c i +(a i+1 x i y i +b i+1 +1)(x i +y i )
[0191] -1=(a i+1 x i y i +b i+1 +1)c i +(x i +y i (b) i+1 +1)-1
[0192] Among them, S i This is the i-th bit of the secret data.
[0193] Therefore, w i =a i c i +b i
[0194] That is, i is correct.
[0195] It needs to be explained that the reason why w i=(w i+1 +1)(S i +1)-1, because w i equals w i+1 With S i The result of a logical OR. That is, w i =w i+1 or S i .
[0196] And w i+1 or S i =w i+1 ×S i +w i+1 +S i =(w i+1 +1)(S i +1)-1
[0197] Among them, w i+1 ×S i This is modulo 2 multiplication, equivalent to logical AND.
[0198] In addition, in step S106, the first party and the second party have a final interaction. When the first party determines the sixth intermediate number, the first party can obtain the fourth random number corresponding to each bit of the secret data from the third party, and determine the sixth intermediate number corresponding to the bit based on the first carry value, the first conversion parameter and the fourth random number. The determined sixth intermediate number is then sent to the second party so that the second party can determine the bit data of the second target data based on the sixth intermediate number.
[0199] It should be noted that, in determining the value range in this specification, the interaction between the first and second parties does not involve direct exchange of the first secret data, the second secret data, or specific bits of the first secret data or the second secret data. Instead, it involves the exchange of intermediate numbers, conducted in a manner that does not disclose the shared sub-data held by either party. However, calculations based on these intermediate numbers can still achieve results obtained by combining the values of the first and second secret data, or specific bits of the first and second secret data. Apart from the intermediate numbers, every data point calculated by the first party (such as a first carry value or a first conversion parameter) is considered "secret" data that cannot be disclosed.
[0200] For example, suppose it is necessary to calculate the product of the i-th bit of the first secret data and the i-th bit of the second secret data. The two parties do not need to interact with the first secret data, the second secret data, or the i-th bit of the first secret data and the i-th bit of the second secret data. Based on a secure multiplication protocol, they can perform secure calculations by exchanging intermediate numbers and using these intermediate numbers, without disclosing their own first or second secret data to the other party. For example... Figure 2 As shown.
[0201] Figure 2 This diagram illustrates an interactive computation process provided in this specification. As shown, the first and second parties generate intermediate numbers based on random numbers sent by a third party and interact to calculate their respective shared sub-data. Here, x and y are two "secret" data. Through interaction, the first and second parties calculate their respective shared sub-data, the product of x and y. The first party corresponds to shared sub-data F0, and the second party corresponds to shared sub-data F1. Furthermore, the first party holds the shared sub-data x0 for x and y0 for y. The second party holds the shared sub-data x1 for x and y1 for y.
[0202] Figure 2 In this context, u0, u1, v0, v1, d0, and d1 are all random numbers. Numbers ending in 0 correspond to the first party's random number, while those ending in 1 correspond to the second party's random number. Therefore, after the third party generates u0, u1, v0, v1, and d0, it calculates d1 using the formula d1 = (u0 + u1)(v0 + v1) - d0, and sends u0, v0, and d0 to the first party, while sending u1, v1, and d1 to the second party. The first party calculates dx0 and dy0 using the formulas dx0 = x0 - u0 and dy0 = y0 - v0, and sends them to the second party. The second party calculates dx1 and dy1 using the formulas dx1 = x1 - u1 and dy1 = y1 - v1, and then sends them to the first party. Then, the first party calculates dx and dy using the formulas dx = dx0 + dx1 and dy = dy0 + dy1, and determines F0 based on the formula F0 = dx*y0 + u0*dy + d0. The second party calculates dx and dy using the formulas dx = dx0 + dx1 and dy = dy0 + dy1, and determines F1 based on the formula F1 = dx*y1 + u1*dy + d1.
[0203] It is evident that when calculating F0, the first party did not disclose its stored x0 and y0 to the second party, and when calculating F1, the second party also did not disclose its stored x1 and y1 to the first party. Here, x0 and x1 are shared sub-data of x, and y0 and y1 are shared sub-data of y. As mentioned above, shared sub-data with a suffix of 0 is stored by the first party, and shared sub-data with a suffix of 1 is stored by the second party.
[0204] Furthermore, (x0+x1)×(y0+y1)=(x0+x1-u0-u1)×(y0+y1)+(u0+u1)×(y0+y1-v0-v1)+(u0+u1)×(v0+v1).
[0205] The above describes a secure service execution method provided by one or more embodiments of this specification. Based on the same idea, this specification also provides a secure service execution device, such as... Figure 3 As shown.
[0206] Figure 3 This specification provides a schematic diagram of a secure business execution device, which is used for secure multi-party computation by a first party, a second party, and a third party assisting in the computation; secret data is split into first secret data and second secret data in a shared manner, the first secret data being held by the first party and the second secret data being held by the second party, and the device includes:
[0207] The acquisition module 200 is used to acquire a first random number from the third party;
[0208] The first interaction module 201 is used to generate a third intermediate number and a fourth intermediate number based on the first random number and the first secret data, and send them to the second party so that the second party can determine the second carry value and the second conversion parameter; and receive the first intermediate number and the second intermediate number sent by the second party, wherein the first intermediate number and the second intermediate number are determined by the second party based on the second secret data and the second random number obtained from the third party;
[0209] Calculation module 202 is used to determine a first carry value based on the first secret data and the first intermediate number, and to determine a first conversion parameter between the secret data and the target data based on the first secret data and the second intermediate number;
[0210] The second interaction module 203 is used to receive the fifth intermediate number sent by the second party, wherein the fifth intermediate number is determined by the second party based on the second carry value, the second conversion parameter and the third random number provided by the third party;
[0211] The conversion module 204 is used to determine the target data corresponding to the secret data based on the first carry value, the first conversion parameter, and the fifth intermediate number;
[0212] The execution module 205 is used to determine the value range of the secret data in the sharing form based on the target data, and to perform security services with the second party based on the value range.
[0213] Optionally, the first interaction module 201 is further configured to generate a third intermediate number and a fourth intermediate number corresponding to each bit of the first secret data based on the value of each bit and the first random number, and send them to the second party, so that the second party determines the second carry value of each bit and the second conversion parameter corresponding to each bit, and receives the first intermediate number and the second intermediate number corresponding to each bit of the secret data sent by the second party, wherein the first intermediate number corresponding to each bit of the secret data is determined by the second party based on the value of each bit of the second secret data and the second random number obtained from the third party, and the second intermediate number corresponding to each bit of the secret data is determined by the second party based on the value of each bit of the second secret data and the second random number obtained from the third party.
[0214] Optionally, the first interaction module 201 is further configured to: send a third intermediate number and a fourth intermediate number to the second party through multiple rounds of interaction with the second party; and receive a first intermediate number and a second intermediate number corresponding to each bit of the secret data sent by the second party. Each round of interaction is performed as follows: the highest bit of the determined first carry value corresponding to the secret data is used as the first input bit, and the lowest bit of the determined first conversion parameter is used as the second input bit. Based on the value of the first input bit of the first secret data and a first random number obtained from the third party, a third intermediate number corresponding to the first input bit is generated. Based on the value of the second input bit of the first secret data and the first random number, a fourth intermediate number corresponding to the second input bit is generated. The third intermediate number and the fourth intermediate number are sent to the second party, enabling the second party to determine the second carry value of the higher bit of the first input bit based on the third intermediate number, and to determine the second conversion parameter of the second input bit based on the fourth intermediate number. The second party then receives the first intermediate number corresponding to the first input bit and the second intermediate number corresponding to the second input bit sent by the second party.
[0215] Optionally, the calculation module 202 is further configured to determine the first carry value corresponding to each bit based on the value of each bit of the first secret data and the first intermediate number corresponding to each bit, and to determine the first conversion parameter corresponding to each bit based on the value of each bit of the first secret data and the second intermediate number corresponding to each bit.
[0216] Optionally, the calculation module 202 is further configured to determine the first carry value of the next higher bit of the first input bit based on the first input bit value of the first secret data, the first carry value of the first input bit, and the first intermediate number corresponding to the first input bit, and to determine the first conversion parameter of the second input bit based on the second input bit value of the first secret data and the second intermediate number corresponding to the second input bit.
[0217] Optionally, the calculation module 202 is further configured to determine a first product of the first input bit based on the value of the first input bit of the first secret data and the first intermediate number corresponding to the first input bit; determine a second product of the first input bit based on the value of the first input bit of the first secret data, the first intermediate number corresponding to the first input bit and the first carry value of the first input bit; and determine a first carry value of the next higher bit of the first input bit in the secret data based on the first product and the second product.
[0218] Optionally, the first conversion parameter includes a third conversion parameter and a fourth conversion parameter. The calculation module 202 is further configured to determine the third conversion parameter between the secret data and the target data corresponding to the second input bit based on the value of the second input bit of the first secret data, the second intermediate number corresponding to the second input bit, the third conversion parameter corresponding to the higher bit of the second input bit, and the fourth conversion parameter, and to determine the fourth conversion parameter between the secret data and the target data corresponding to the second input bit based on the value of the second input bit of the first secret data, the second intermediate number corresponding to the second input bit, and the fourth conversion parameter corresponding to the higher bit of the second input bit.
[0219] Optionally, the secret data and the target data have the same number of bits. The first conversion parameter includes a third conversion parameter and a fourth conversion parameter. The conversion module 204 is further configured to, for each bit of the secret data, determine the third product corresponding to the sum of the third conversion parameter and the sum of the first conversion value of the bit, based on the fifth intermediate number corresponding to the bit, the first carry value of the bit, and the third conversion parameter of the bit. Based on the determined third product and the fourth conversion parameter of the bit, determine the data of the target data corresponding to the secret data. Based on the data of each bit of the target data, determine the target data.
[0220] Optionally, the execution module 205 is further configured to determine the one-hot code of the target data by bit-by-bit difference in the order of the low-bit to the high-bit of the target data, and use the one-hot code as the value range of the secret data in the form of sharing.
[0221] This specification also provides a computer-readable storage medium storing a computer program that can be used to execute the above-described security business execution method.
[0222] This instruction manual also provides Figure 4 The corresponding to Figure 1 A schematic diagram of the structure of an electronic device. (e.g.) Figure 4At the hardware level, the electronic device includes a processor, an internal bus, a network interface, memory, and non-volatile memory, and may also include other hardware required for the services. The processor reads the corresponding computer program from the non-volatile memory into memory and then runs it to implement the aforementioned secure service execution method. Of course, besides software implementation, this specification does not exclude other implementation methods, such as logic devices or a combination of hardware and software, etc. That is to say, the execution entity of the following processing flow is not limited to individual logic units, but can also be hardware or logic devices.
[0223] In the 1990s, improvements to a technology could be clearly distinguished as either hardware improvements (e.g., improvements to the circuit structure of diodes, transistors, switches, etc.) or software improvements (improvements to the methodology). However, with technological advancements, many methodological improvements today can be considered direct improvements to the hardware circuit structure. Designers almost always obtain the corresponding hardware circuit structure by programming the improved methodology into the hardware circuit. Therefore, it cannot be said that a methodological improvement cannot be implemented using hardware physical modules. For example, a Programmable Logic Device (PLD) (such as a Field Programmable Gate Array (FPGA)) is such an integrated circuit whose logic function is determined by the user programming the device. Designers can program and "integrate" a digital system onto a PLD themselves, without needing chip manufacturers to design and manufacture dedicated integrated circuit chips. Furthermore, nowadays, instead of manually manufacturing integrated circuit chips, this programming is mostly implemented using "logic compiler" software. Similar to the software compiler used in program development, the original code before compilation must be written in a specific programming language, called a Hardware Description Language (HDL). There are many HDLs, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM, and RHDL (Ruby Hardware Description Language). Currently, the most commonly used are VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog. Those skilled in the art should understand that by simply performing some logic programming on the method flow using one of these hardware description languages and programming it into an integrated circuit, the hardware circuit implementing the logical method flow can be easily obtained.
[0224] The controller can be implemented in any suitable manner. For example, it can take the form of a microprocessor or processor and a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, application-specific integrated circuits (ASICs), programmable logic controllers, and embedded microcontrollers. Examples of controllers include, but are not limited to, the following microcontrollers: ARC625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicon Labs C8051F320. A memory controller can also be implemented as part of the control logic of the memory. Those skilled in the art will also recognize that, in addition to implementing the controller in purely computer-readable program code form, the same functionality can be achieved by logically programming the method steps to make the controller take the form of logic gates, switches, ASICs, programmable logic controllers, and embedded microcontrollers. Therefore, such a controller can be considered a hardware component, and the means included therein for implementing various functions can also be considered as structures within the hardware component. Alternatively, the means for implementing various functions can be considered as both software modules implementing the method and structures within the hardware component.
[0225] The systems, devices, modules, or units described in the above embodiments can be implemented by computer chips or entities, or by products with certain functions. A typical implementation device is a computer. Specifically, a computer can be, for example, a personal computer, laptop computer, cellular phone, camera phone, smartphone, personal digital assistant, media player, navigation device, email device, game console, tablet computer, wearable device, or any combination of these devices.
[0226] For ease of description, the above devices are described in terms of function, divided into various units. Of course, in implementing this specification, the functions of each unit can be implemented in one or more software and / or hardware components.
[0227] Those skilled in the art will understand that embodiments of the present invention can be provided as methods, systems, or computer program products. Therefore, the present invention can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention can take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0228] This invention is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, generate instructions for implementing the flowchart illustrations and / or block diagrams. Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.
[0229] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.
[0230] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable equipment for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.
[0231] In a typical configuration, a computing device includes one or more processors (CPU), input / output interfaces, network interfaces, and memory.
[0232] Memory may include non-persistent storage in computer-readable media, such as random access memory (RAM) and / or non-volatile memory, such as read-only memory (ROM) or flash RAM. Memory is an example of computer-readable media.
[0233] Computer-readable media includes both permanent and non-permanent, removable and non-removable media that can store information using any method or technology. Information can be computer-readable instructions, data structures, modules of programs, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, CD-ROM, digital versatile optical disc (DVD) or other optical storage, magnetic tape, magnetic magnetic disk storage or other magnetic storage devices, or any other non-transferable medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media does not include transient computer-readable media, such as modulated data signals and carrier waves.
[0234] It should also be noted that the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.
[0235] Those skilled in the art will understand that the embodiments of this specification can be provided as methods, systems, or computer program products. Therefore, this specification may take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this specification may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0236] This specification can be described in the general context of computer-executable instructions that are executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures, etc., that perform a specific task or implement a specific abstract data type. This specification can also be practiced in distributed computing environments, where tasks are performed by remote processing devices connected via a communication network. In distributed computing environments, program modules can reside in local and remote computer storage media, including storage devices.
[0237] The various embodiments in this specification are described in a progressive manner. Similar or identical parts between embodiments can be referred to interchangeably. Each embodiment focuses on describing the differences from other embodiments. In particular, the system embodiments are basically similar to the method embodiments, so the description is relatively simple; relevant parts can be referred to the descriptions in the method embodiments.
[0238] The above description is merely an embodiment of this specification and is not intended to limit this specification. Various modifications and variations can be made to this specification by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this specification should be included within the scope of the claims of this specification.
Claims
1. A secure business execution method, the method being used for a first party, a second party, and a third party assisting in the computation to perform secure multi-party computation; secret data is split into first secret data and second secret data in a shared manner, the first secret data being held by the first party and the second secret data being held by the second party, the method comprising: The first party obtains a first random number from the third party; Based on the first random number and the first secret data, a third intermediate number and a fourth intermediate number are generated and sent to the second party, so that the second party determines the second carry value and the second conversion parameter; and the first intermediate number and the second intermediate number sent by the second party are received, wherein the first intermediate number and the second intermediate number are determined by the second party based on the second secret data and the second random number obtained from the third party; Based on the first secret data and the first intermediate number, a first carry value is determined, and based on the first secret data and the second intermediate number, a first conversion parameter between the secret data and the target data is determined. Receive a fifth intermediate number sent by the second party, wherein the fifth intermediate number is determined by the second party based on the second carry value, the second conversion parameter and the third random number provided by the third party; The target data corresponding to the secret data is determined based on the first carry value, the first conversion parameter, and the fifth intermediate number; Based on the target data, determine the range of values for the secret data in the form of sharing, and perform secure business with the second party based on the range of values.
2. The method as described in claim 1, wherein a third intermediate number and a fourth intermediate number are generated based on the first random number and the first secret data, and sent to the second party, so that the second party determines the second carry value and the second conversion parameter; and the method receives the first intermediate number and the second intermediate number sent by the second party, specifically including: Based on the values of each bit of the first secret data and the first random number, generate the third intermediate number and the fourth intermediate number corresponding to each bit, and send them to the second party so that the second party can determine the second carry value of each bit and the second conversion parameter corresponding to each bit; The system receives a first intermediate number and a second intermediate number corresponding to each bit of the secret data sent by the second party; the first intermediate number corresponding to each bit of the secret data is determined by the second party based on the value of each bit of the second secret data and a second random number obtained from the third party, and the second intermediate number corresponding to each bit of the secret data is determined by the second party based on the value of each bit of the second secret data and a second random number obtained from the third party.
3. The method as described in claim 2, wherein a third intermediate number and a fourth intermediate number are generated corresponding to each bit of the first secret data based on the value of each bit and the first random number, and sent to the second party, so that the second party determines the second carry value of each bit and the second conversion parameter corresponding to each bit; receiving the first intermediate number and the second intermediate number corresponding to each bit of the secret data sent by the second party specifically includes: The first party, through multiple rounds of interaction with the second party, sends a third intermediate number and a fourth intermediate number to the second party, and receives the first intermediate number and a second intermediate number corresponding to each bit of the secret data sent by the second party; wherein each round of interaction is conducted in the following manner: The highest bit of the determined first carry value corresponding to the secret data is used as the first input bit, and the lowest bit of the determined first conversion parameter is used as the second input bit. Based on the first input bit value of the first secret data and the first random number obtained from the third party, a third intermediate number corresponding to the first input bit is generated, and based on the second input bit value of the first secret data and the first random number, a fourth intermediate number corresponding to the second input bit is generated. The third intermediate number and the fourth intermediate number are sent to the second party, so that the second party determines the second carry value of the higher bit of the first input bit based on the third intermediate number, and determines the second conversion parameter of the second input bit based on the fourth intermediate number. The second party sends a first intermediate number corresponding to the first input bit and a second intermediate number corresponding to the second input bit.
4. The method as described in claim 3, wherein a first carry value is determined based on the first secret data and the first intermediate number, and a first conversion parameter between the secret data and the target data is determined based on the first secret data and the second intermediate number, specifically including: Based on the values of each bit of the first secret data and the first intermediate number corresponding to each bit, the first carry value corresponding to each bit is determined. Based on the values of each bit of the first secret data and the second intermediate number corresponding to each bit, the first conversion parameter corresponding to each bit is determined.
5. The method as described in claim 4, wherein a first carry value is determined for each bit based on the value of each bit of the first secret data and the first intermediate number corresponding to each bit, and a first conversion parameter is determined for each bit based on the value of each bit of the first secret data and the second intermediate number corresponding to each bit, specifically including: Based on the first input bit value of the first secret data, the first carry value of the first input bit, and the first intermediate number corresponding to the first input bit, determine the first carry value of the next higher bit of the first input bit; The first conversion parameter of the second input bit is determined based on the value of the second input bit of the first secret data and the second intermediate number corresponding to the second input bit.
6. The method as described in claim 5, wherein determining the first carry value of the next higher bit of the first input bit based on the first input bit value of the first secret data, the first carry value of the first input bit, and the first intermediate number corresponding to the first input bit, specifically includes: Based on the value of the first input bit of the first secret data and the first intermediate number corresponding to the first input bit, determine the first product of the first input bit; Based on the value of the first input bit of the first secret data, the first intermediate number corresponding to the first input bit, and the first carry value of the first input bit, determine the second product of the first input bit; Based on the first product and the second product, determine the first carry value of the higher bit of the first input bit in the secret data.
7. The method of claim 5, wherein the first conversion parameter includes a third conversion parameter and a fourth conversion parameter; Based on the value of the second input bit of the first secret data and the second intermediate number corresponding to the second input bit, the first transformation parameter of the second input bit is determined, specifically including: Based on the value of the second input bit of the first secret data, the second intermediate number corresponding to the second input bit, the third conversion parameter corresponding to the higher bit of the second input bit, and the fourth conversion parameter, the third conversion parameter between the secret data and the target data corresponding to the second input bit is determined; Based on the value of the second input bit of the first secret data, the second intermediate number corresponding to the second input bit, and the fourth conversion parameter corresponding to the higher bit of the second input bit, the fourth conversion parameter between the secret data and the target data corresponding to the second input bit is determined.
8. The method of claim 4, wherein the secret data has the same number of bits as the target data; the first conversion parameter includes a third conversion parameter and a fourth conversion parameter; Based on the first carry value, the first conversion parameter, and the fifth intermediate number, the target data corresponding to the secret data is determined, specifically including: For each bit of the secret data, based on the fifth intermediate number corresponding to the bit, the first carry value of the bit, and the third conversion parameter of the bit, determine the third product corresponding to the sum of the third conversion parameter of the bit and the sum of the first carry value of the bit; Based on the determined third product and the fourth transformation parameter of that bit, determine the data of that bit of the target data corresponding to the secret data; The target data is determined based on each bit of the target data.
9. The method as described in claim 1, wherein determining the value range of the secret data in a shared form based on the target data specifically includes: The one-hot encoding of the target data is determined by bit-by-bit difference, in the order from the least significant bit to the most significant bit. The one-hot encoding is used as the range of values for the secret data in the shared form.
10. A secure business execution apparatus, the apparatus being used for secure multi-party computation by a first party, a second party, and a third party assisting in the computation; secret data is split into first secret data and second secret data in a shared manner, the first secret data being held by the first party and the second secret data being held by the second party, the apparatus comprising: The acquisition module is used to acquire a first random number from the third party; The first interaction module is used to generate a third intermediate number and a fourth intermediate number based on the first random number and the first secret data, and send them to the second party so that the second party can determine the second carry value and the second conversion parameter; and to receive the first intermediate number and the second intermediate number sent by the second party, wherein the first intermediate number and the second intermediate number are determined by the second party based on the second secret data and the second random number obtained from the third party; The calculation module is used to determine a first carry value based on the first secret data and the first intermediate number, and to determine a first conversion parameter between the secret data and the target data based on the first secret data and the second intermediate number. The second interaction module is used to receive the fifth intermediate number sent by the second party, wherein the fifth intermediate number is determined by the second party based on the second carry value, the second conversion parameter and the third random number provided by the third party; The conversion module is used to determine the target data corresponding to the secret data based on the first carry value, the first conversion parameter, and the fifth intermediate number. The execution module is used to determine the value range of the secret data in the sharing form based on the target data, and to perform security services with the second party based on the value range.
11. A computer-readable storage medium storing a computer program that, when executed by a processor, implements the method described in any one of claims 1 to 9.
12. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement the method described in any one of claims 1 to 9.