Method and apparatus for secure computation of matrix multiplication

By encoding matrices and vectors as polynomials for homomorphic encryption computation, the problem of high computational complexity in matrix multiplication is solved, achieving efficient and secure computation.

CN115994546BActive Publication Date: 2026-06-05ANT BLOCKCHAIN TECHNOLOGY (SHANGHAI) CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
ANT BLOCKCHAIN TECHNOLOGY (SHANGHAI) CO LTD
Filing Date
2023-02-14
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing technologies suffer from high computational complexity when performing secure matrix multiplication calculations, leading to decreased computational performance and failing to effectively protect private data.

Method used

Homomorphic encryption is used to encode matrices and vectors as polynomials. Matrix multiplication is then performed using polynomial multiplication, avoiding cyclic shift operations and improving computational efficiency.

Benefits of technology

While protecting privacy data, it reduces the computational complexity of matrix multiplication and improves the efficiency of secure computation.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN115994546B_ABST
    Figure CN115994546B_ABST
Patent Text Reader

Abstract

The embodiment of the present specification provides a kind of matrix multiplication security calculation method and device, it is suitable for the multi-party security calculation architecture of two participants, one party holds matrix, another party holds vector, and the product of the security calculation of the matrix and vector is calculated.The embodiment of the present specification makes full use of the characteristics that efficient homomorphic encryption mode can process polynomial data under the multi-party security calculation architecture, and each matrix and vector is encoded as polynomial, and the polynomial corresponding to the product of the matrix and vector is determined based on polynomial multiplication, and then each dimension element in the product vector of the matrix and vector is extracted from the polynomial of multiplication result.The implementation can improve the efficiency of the matrix security multiplication operation based on homomorphic encryption.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This specification relates to the field of secure computing technology, and more particularly to secure computing methods and apparatus for matrix multiplication. Background Technology

[0002] Secure multi-party computation, also known as secure multi-party computation, involves multiple parties collaboratively calculating the result of a function without disclosing their input data. The result is then made public to one or more of the parties. In secure multi-party computation, numerical addition and multiplication, matrix addition and multiplication, etc., serve as fundamental operations in business processing within the secure multi-party computation architecture, and their computational efficiency directly impacts the processing efficiency of related business processes. Summary of the Invention

[0003] This specification describes one or more embodiments of a secure matrix multiplication method and apparatus to solve one or more problems mentioned in the background art.

[0004] According to a first aspect, a secure matrix multiplication computation method is provided for secure computation between a first party and a second party, wherein secure multiplication computation is performed on a matrix M held by the first party and a vector v held by the second party based on a predetermined homomorphic encryption method; the method is executed by the first party and includes: encoding each column element of matrix M into a set of first polynomials of degree t, wherein t is determined based on the predetermined homomorphic encryption method, the set of first polynomials corresponding to a single column of matrix M includes at least one first polynomial of degree t, and each element in the single column is sequentially encoded as the coefficient of each term of the first polynomial in the corresponding set of first polynomials, and the coefficients of each term of the single first polynomial from the constant term to the t-th term are corresponding to the elements in the single column. The order of the terms is consistent; calculate the ciphertext product polynomials of each first polynomial set and the corresponding ciphertext second polynomial, wherein the ciphertext polynomials are obtained by the second party based on the second polynomial that encodes the elements of the corresponding dimension of vector v to degree t; sum the corresponding ciphertext product polynomials in each ciphertext product polynomial set to obtain the ciphertext polynomial set describing the product vector of matrix M and vector v, wherein the coefficients of each degree term in the ciphertext polynomial set correspond to the elements of the product vector of matrix M and vector v; provide the ciphertext information of the product vector to the second party according to the ciphertext polynomial set, so that the second party can decrypt the ciphertext information to obtain the result data corresponding to the product vector.

[0005] In one embodiment, matrix M has m rows and n columns, where m is a multiple of k times t+1 and k is a positive integer. For the i-th column of matrix M, encoding each column element of matrix M into a set of first polynomials of degree t includes: dividing the m elements of the i-th column into k groups in order; encoding each group of elements to obtain each first polynomial in the set of first polynomials corresponding to the i-th column, wherein the elements of a single group are sequentially encoded as the coefficients of the constant term to the t-th term in the corresponding first polynomial.

[0006] In one embodiment, matrix M has m rows and n columns, where m is greater than k-1 times t+1 and less than k times t+1, and k is a positive integer. For the i-th column of matrix M, encoding each column element of matrix M into a set of first polynomials of degree t includes: expanding the m elements of the i-th column to a multiple of k elements of degree t+1 by padding with zeros at the end; dividing the expanded elements into k groups in order; and encoding each group of elements to obtain each first polynomial in the set of first polynomials corresponding to the i-th column, wherein the elements in a single group are sequentially encoded as the coefficients of the constant term to the term of degree t in the corresponding first polynomial.

[0007] In one embodiment, a single ciphertext product polynomial set includes ciphertext product polynomials corresponding one-to-one with each first polynomial in a single first polynomial set, wherein the single ciphertext product polynomial is determined by the product of the single first polynomial and the corresponding ciphertext second polynomial in the case of the sum of terms of degree modulo t+1 and 1.

[0008] In one embodiment, the ciphertext product polynomials in a single ciphertext product polynomial set are arranged sequentially according to the correspondence between the corresponding first polynomial and the elements in a single column of matrix M. The step of summing the corresponding ciphertext product polynomials in each ciphertext product polynomial set to obtain a ciphertext polynomial set describing the product vector of matrix M and vector v includes: summing the ciphertext product polynomials corresponding to the same row elements in each ciphertext product polynomial set to obtain the corresponding ciphertext polynomials. The ciphertext polynomial set is composed of each ciphertext polynomial.

[0009] In one embodiment, providing the ciphertext information of the product vector to the second party based on the ciphertext polynomial set includes: providing the ciphertext polynomial set as the ciphertext information of the product vector to the second party so that the second party can decrypt each ciphertext polynomial set and extract the coefficients of each polynomial to obtain the product vector b as the result data corresponding to the product vector.

[0010] In one embodiment, providing the ciphertext information of the product vector to the second party based on the ciphertext polynomial set includes: generating a random vector b1 as a first slice of the product vector, wherein the dimension of the random vector b1 is the same as the number of rows in matrix M; encoding the random vector b1 into a first slice polynomial set of degree t; calculating a ciphertext difference polynomial set based on the predetermined homomorphic encryption method, wherein the difference between the corresponding polynomials in the ciphertext polynomial set and the first slice polynomial set constitutes a ciphertext difference polynomial set; providing the ciphertext difference polynomial set as the ciphertext information of the product vector to the second party, so that the second party can decrypt the ciphertext difference polynomial set and extract the corresponding coefficients from the obtained difference polynomial set to obtain a second slice of the product vector as the result data of the product vector in the second party.

[0011] In one embodiment, the predetermined homomorphic encryption method is one of BFV, BGV, and CKKS.

[0012] According to the second aspect, a secure matrix multiplication computation method is provided for secure computation between a first party and a second party, wherein secure multiplication computation is performed on a matrix M held by the first party and a vector v held by the second party based on a predetermined homomorphic encryption method; the method is executed by the second party and includes: encoding the elements of each dimension of vector v into second polynomials of degree t, wherein t is determined based on the predetermined homomorphic encryption method, the constant term of a single second polynomial is an element of the corresponding single dimension of vector v, and the coefficients of other terms are 0; providing the first party with ciphertext second polynomials obtained by encrypting each second polynomial, so that the first party can feed back the product direction based on each ciphertext second polynomial. The encrypted information of the quantity, wherein the encrypted information of the product vector is determined based on the first calculation of each encrypted product polynomial group of each first polynomial group and the corresponding encrypted second polynomial, and the encrypted polynomial group obtained by summing the encrypted product polynomial groups, wherein a single first polynomial group corresponds to a single column of matrix M and includes at least one first polynomial of degree t, wherein each element in the single column is sequentially encoded as the coefficient of each degree term of the first polynomial in the corresponding first polynomial group, and the coefficients of each term of the single first polynomial from the constant term to the t-th degree term are consistent with the order of the corresponding elements in the single column; the encrypted information is decrypted to obtain the result data corresponding to the product vector.

[0013] In one embodiment, the ciphertext information is the ciphertext polynomial set, and the decryption of the ciphertext information to obtain the result corresponding to the product vector includes: decrypting each ciphertext polynomial in the ciphertext polynomial set; extracting the coefficients of each ciphertext polynomial sequentially from the constant term to the term of degree t; arranging the extracted coefficients in the order of the ciphertext polynomials to obtain the product vector as the result data.

[0014] In one embodiment, the ciphertext information is a set of difference polynomials between the ciphertext polynomial set and the first piecewise polynomial set based on the predetermined homomorphic encryption method. The first piecewise polynomial set includes at least one polynomial obtained by encoding the first piecewise portion of the product vector by a first party. The first piecewise portion is a random vector b1 generated by the first party with the same dimension as the number of rows in matrix M. Decrypting the ciphertext information to obtain the result corresponding to the product vector includes: decrypting each difference polynomial in the set of difference polynomials; extracting the coefficients of each difference polynomial sequentially from the constant term to the t-th degree term; arranging the extracted coefficients in the order of the difference polynomials to obtain the second piecewise portion of the product vector as the result data.

[0015] In one embodiment, the predetermined homomorphic encryption method is one of BFV, BGV, and CKKS.

[0016] According to a third aspect, a secure matrix multiplication computation apparatus is provided for secure computation between a first party and a second party, performing secure multiplication computation on a matrix M held by the first party and a vector v held by the second party based on a predetermined homomorphic encryption method; the apparatus is located on the first party and includes:

[0017] The encoding unit is configured to encode each column element of matrix M into a set of first polynomials of degree t, wherein t is determined based on the predetermined homomorphic encryption method, and the set of first polynomials corresponding to a single column of matrix M includes at least one first polynomial of degree t. Each element in the single column is sequentially encoded into the coefficients of each term of the first polynomial in the corresponding set of first polynomials, and the coefficients of each term of the single first polynomial from the constant term to the t-th term are in the same order as the corresponding elements in the single column.

[0018] The homomorphic computation unit is configured to compute the ciphertext product polynomials of each first polynomial set and the corresponding ciphertext second polynomial, wherein the ciphertext polynomials are obtained by encrypting a second polynomial based on encoding the elements of the corresponding dimension of vector v to degree t; and

[0019] Summing the corresponding ciphertext product polynomials in each ciphertext product polynomial group yields a ciphertext polynomial group describing the product vector of matrix M and vector v. The coefficients of each term in each ciphertext polynomial group correspond sequentially to the elements of the product vector of matrix M and vector v.

[0020] The providing unit is configured to provide the second party with the ciphertext information of the product vector based on the ciphertext polynomial set, so that the second party can decrypt the ciphertext information to obtain the result data corresponding to the product vector.

[0021] According to the fourth aspect, a secure computation apparatus for matrix multiplication is provided for secure computation between a first party and a second party, wherein secure multiplication is performed on a matrix M held by the first party and a vector v held by the second party based on a predetermined homomorphic encryption method; the apparatus is located on the second party and includes:

[0022] The encoding unit is configured to encode the elements of each dimension of vector v into a second polynomial of degree t, wherein t is determined based on the predetermined homomorphic encryption method, the constant term of a single second polynomial is the element of the corresponding single dimension of vector v, and the coefficients of other terms are 0.

[0023] The encryption unit is configured to encrypt each second polynomial to obtain each ciphertext second polynomial.

[0024] A providing unit is configured to provide each encrypted second polynomial to a first party, so that the first party can feed back the encrypted information of the product vector based on each encrypted second polynomial. The encrypted information of the product vector is determined by the first party calculating each encrypted product polynomial group of each first polynomial group and the corresponding encrypted second polynomial, and summing the encrypted product polynomial groups to obtain the encrypted polynomial group. Each first polynomial group corresponds to a single column of matrix M and includes at least one first polynomial of degree t. Each element in the single column is sequentially encoded as the coefficient of each degree term of each first polynomial in the corresponding first polynomial group, and the coefficients of each term of the single first polynomial from the constant term to the t-th degree term are consistent with the order of the corresponding elements in the single column.

[0025] The decryption unit is configured to decrypt the ciphertext information to obtain the result data corresponding to the product vector.

[0026] According to a fifth aspect, a computer-readable storage medium is provided having a computer program stored thereon, which, when executed in a computer, causes the computer to perform the method of the first or second aspect.

[0027] According to a sixth aspect, a computing device is provided, including a memory and a processor, characterized in that the memory stores executable code, and when the processor executes the executable code, it implements the method of the first aspect or the second aspect.

[0028] The methods and apparatus provided in the embodiments of this specification improve computational efficiency by employing homomorphic encryption that supports polynomial computation during secure matrix multiplication calculations. Under this technical concept, on one hand, the party holding the vector can encode each element of the vector into a polynomial, with one element corresponding to one polynomial and the element serving as a constant term in the corresponding polynomial. On the other hand, the party holding the matrix can encode the matrix into a set of polynomials column-wise, with each column corresponding to one set of polynomials. Thus, the matrix-vector multiplication calculation can be transformed into a polynomial product based on homomorphic encryption computation, followed by summing the polynomial products. The resulting polynomial contains the elements of each dimension of the matrix-vector product vector in coefficient form. This allows for the use of homomorphic encryption that supports polynomials, processing one polynomial at a time, thereby reducing the computational complexity of matrix multiplication and improving the efficiency of corresponding business processing while protecting privacy data. Attached Figure Description

[0029] To more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the following description of the embodiments will be briefly introduced. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0030] Figure 1 This document illustrates a flowchart of the secure computational interaction process for matrix multiplication based on the technical concept outlined in this specification.

[0031] Figure 2 This is a schematic diagram of a secure computation process for matrix multiplication performed by the matrix holder according to one embodiment.

[0032] Figure 3 This is a schematic diagram of a secure computation process for matrix multiplication performed by the holding vector party according to one embodiment.

[0033] Figure 4 A schematic block diagram of a secure computing apparatus for matrix multiplication holding one side of a matrix is ​​shown according to one embodiment;

[0034] Figure 5 A schematic block diagram of a secure computation apparatus for matrix multiplication on one side of a holding vector is shown according to one embodiment. Detailed Implementation

[0035] The solution provided in this specification will now be described with reference to the accompanying drawings.

[0036] First, let's clarify some technical terms that may be used in this instruction manual:

[0037] Secret sharing, also known as secret splitting or secret sharing, is a cryptographic technique originally used for managing secret information. Its basic principle is to split a secret (such as a key) into multiple shares, each held by a different person. The secret can only be recovered by merging the shares of more than a threshold number of participants; no information can be recovered from fewer shares. In multi-party secure computation, the threshold number is usually the same as the number of participants. Data sharing methods for secret sharing can include arithmetic sharing, Boolean sharing, Yao's sharing, etc., which will not be elaborated upon here. In some business scenarios, various sharing methods can also be interchanged.

[0038] When secret sharing is used in a multi-party secure computation architecture, a share conversion technique can be adopted: First, the input data of each party is split into shares and the shares are exchanged with each other; then, each party merges its local multiple shares and uses the merged result as a new share. Based on the new shares of each party, secure computation can be performed to obtain the business processing result.

[0039] In multi-party secure computation, in addition to secure addition and secure multiplication of numerical values, basic operations such as matrix addition and matrix multiplication can also be included. Here, basic operations refer to the basic operational modules that the business process can be broken down into. For example, secure addition and secure multiplication are basic operational modules; a squaring operation of a numerical value shared by all participants can be broken down into secure multiplication and secure addition operations.

[0040] In secure computation, privacy protection requirements may necessitate significant increases in auxiliary computation and communication. This specification proposes improvements to matrix operations in multi-party secure computation. Matrix operations can be understood as combinations of multiple matrix and vector multiplications. For example, the multiplication of an m×n matrix M and an n×s matrix V results in an m×s matrix B. The multiplication of M and V can be viewed as s product operations, one-to-one with the s n-dimensional column vectors of M and V. These s product operations yield s vectors, each representing a column of matrix B. Therefore, this specification uses the secure multiplication of matrix M and vector v as an example. Here, m, n, and s are all positive integers. When s = 1, V and B are n-dimensional and m-dimensional column vectors, respectively.

[0041] Specifically, in the implementation architecture of two-party secure computation, one party (denoted as Party 1) holds matrix M, and the other party (denoted as Party 2) holds vector v (assumed to be a column vector in this specification). The two parties can then securely compute the product of matrix M and vector v (hereinafter referred to as the product vector) based on homomorphic encryption. This product vector (denoted as b) can be obtained by one party or shared between the two parties. For example, one party obtains the product vector b = Mv, or both parties each obtain a fragment of the product vector b (one party obtains b1, the other party obtains b2, and the product vector is shared modulo 2). N In the case of b = b1 + b2, where N is the number of bits representing the slice held by a single participant. When the product vector b is obtained by one party, it is typically obtained by the party holding the decryption key (e.g., the second party). In secure computation based on homomorphic encryption, the party holding the decryption key can usually generate key pairs, such as a public-private key pair, which serve as the encryption key and decryption key, respectively. Typically, the public key can be made public to other participants, thus serving as the encryption key, and the private key as the decryption key. The generation of key pairs can be done in a conventional way, which will not be elaborated upon here.

[0042] In one conventional method of matrix multiplication described above, the second party generates the key pair. This second party encrypts the vector v using the encryption key and provides the ciphertext E(v) to the first party. The first party can then expand the ciphertext E(v) to obtain an expanded matrix with the same dimensions as matrix M. This expansion can be achieved using cyclic shifting. Specifically, each column of the expanded matrix is ​​shifted cyclically by a predetermined number of elements compared to the previous column (e.g., left / top carry, right / bottom carry, or left / top carry, right / bottom carry). For example, suppose vector v is a 4-dimensional column vector, and its ciphertext is denoted as (v1, v2, v3, v4). T If M is a 4×4 matrix, then each column is expanded relative to the previous column according to the expansion rule of cyclically expanding by 1 position from the top and carrying over from the bottom, resulting in the following 4×4 expanded matrix:

[0043]

[0044] On the other hand, the first party can rearrange the elements in matrix M according to the expansion rules for vector v to obtain the corresponding reference matrix M'. For example, the first party can transpose matrix M and cyclically shift each column of the transposed matrix according to the cyclic shift expansion rules for vector v. That is, the first row becomes the first column and remains unchanged (cyclic 0 positions), the second row becomes the second column and cyclically shifts by 1 position (out of position) and (into position) the next column, the third row becomes the third column and cyclically shifts by 2 positions (out of position) and (into position) the next column, the fourth row becomes the fourth column and cyclically shifts by 3 positions (out of position) and (into position) the next column, and so on, with each column cyclically shifted by 1 position relative to the previous column. For example:

[0045] Then the corresponding reference matrix

[0046] Furthermore, the first party multiplies the plaintext reference matrix M' with the ciphertext extended matrix E(V') bitwise (e.g., multiplying the elements of the first row and first column of M' with the elements of the first row and first column of E(V'), and so on), to obtain a 4×4 matrix. Then, the first party sums and merges the rows of this 4×4 matrix to obtain the ciphertext product of matrix M and vector v, denoted as E(Mv) = E(b). The bitwise multiplication of the reference matrix M' and E(V') yields:

[0047]

[0048] exist When the row vectors in the result are superimposed, they are consistent with the ciphertext of the product vector b (hereinafter referred to as the ciphertext product) E(b).

[0049] Thus, the first party obtains the ciphertext product vector of matrix M and vector v. Depending on specific business needs, the first party can provide the second party with the corresponding ciphertext data of this ciphertext product vector, allowing the second party to encrypt the ciphertext data and obtain the corresponding product result.

[0050] Specifically: When the business requirement is for the second party to obtain the product vector b of matrix M and vector v, the first party can provide E(b) to the second party, who can then decrypt it using the decryption key to obtain the product vector b. When the business requirement is for the product vector b of matrix M and vector v to be shared by the first and second parties, the first party can generate a random vector b1 as the first slice of the product vector b, or denoted as the first integral slice. Then, through homomorphic vector subtraction, the first party obtains the ciphertext slice E(b2) = E(b-b1) of the second slice (or second integral slice) b2 of the product vector b, and provides it to the second party, who can then decrypt it to obtain the second slice b2 of the product vector b. b1 and b2 constitute the shared form of the product vector b.

[0051] In the above process, the first party needs to perform multiple cyclic shift operations on the encrypted vector, which involves a large amount of computation and may reduce computational performance. In view of this, this specification proposes a design concept based on homomorphic encryption to encode matrices (including vectors) as polynomials for computation, combining an efficient homomorphic encryption algorithm that can handle polynomials of degree t. This design ensures that the coefficients of each term in the polynomial correspond to the elements in the vector, thereby avoiding cyclic shift operations and improving the computational performance of secure matrix multiplication under a multi-party secure computation architecture.

[0052] Figure 1 This illustrates the interactive flow of secure matrix multiplication computation based on the technical concept of this specification, involving two participants. Figure 1In the illustrated interaction flow, the first party holds matrix M, the second party holds vector v, and the two parties calculate the product vector b = Mv of matrix M and vector v based on homomorphic encryption. Under the technical concept of this specification, the party that generates the key pair containing the encryption key and decryption key is still referred to as the second party. The encryption key (e.g., as a public key) can be made public to the first party, while the decryption key (e.g., as a private key) is held by the second party as private data.

[0053] like Figure 1 As shown, in step 110, the second party encodes each element of vector v into a second polynomial according to a predetermined homomorphic encryption method, and encrypts each second polynomial using a pre-generated encryption key to obtain each ciphertext second polynomial. Each second polynomial is a polynomial of degree t, containing t+1 terms from a constant term (degree 0) to a term of degree t.

[0054] Under the technical concept described in this specification, a homomorphic encryption method that supports polynomial encryption and is computationally efficient can be used. The predetermined homomorphic encryption method here can be such as BFV (a fully homomorphic encryption scheme based on the RLWE (Ring-LearningWith Errors) problem), BGV (Fully Homomorphic Encryption without Bootstrapping), or CKKS (a Cheon-Kim-Kim-Song scheme that supports homomorphic operations on floating-point addition and multiplication for real or complex numbers). The degree t of the polynomial is determined by the size of the polynomial space processed by the predetermined encryption method itself.

[0055] The second party can encode each dimension of vector v into a second polynomial according to a predetermined encryption method. Here, the "second" in "second polynomial" is for the purpose of corresponding with "second party" in name, and does not substantially limit the polynomial itself.

[0056] Specifically, in the single second polynomial obtained by encoding a single element of vector v, the corresponding single element is encoded as a constant term, and the coefficients of the terms from degree 1 to degree t are all 0. For example, for the element v_i in the i-th dimension of vector v... i It can be encoded as Q using the encoding algorithm Q. i =Q(v) i ) = v i +0×x+0×x 2 +……+0×x t When v is an n-dimensional column vector, the value of i ranges from 1 to n, or from 0 to n-1, for a total of n elements, which can be used to encode n such t-th degree second polynomials.

[0057] This specification employs a predefined homomorphic encryption method capable of handling polynomials of degree t. A pre-generated encryption key is used to encrypt each second polynomial of degree t, yielding the ciphertext of the corresponding second polynomial of degree t, referred to here as the ciphertext second polynomial. For example, the ciphertext second polynomial of degree t corresponding to the i-th dimension is denoted as E(Q). i It is worth noting that, in a single second polynomial, the ciphertext of the coefficients of terms with a coefficient of 0 after encryption may no longer be 0.

[0058] Next, after step 120, the second party can provide each ciphertext second polynomial to the first party.

[0059] On the other hand, through step 130, the first party can encode each column element of matrix M into a set of first polynomials. A single set of first polynomials may include one or more first polynomials. Under a predetermined homomorphic encryption method, the first polynomial is also a polynomial of degree t.

[0060] Here, the "first" in "first polynomial" is used to correspond with "first power" in the name, without substantially limiting the polynomial itself. The number of columns in matrix M is usually the same as the dimension of vector v, and the number of elements in a single column is the same as the number of rows m in matrix M. To ensure that a single column of matrix M is encoded as a polynomial of degree t, the coefficients of the constant term to the tth term (a total of t+1 terms) of the tth-degree polynomial can be sequentially assigned to the elements in a single column of matrix M. Thus, a single column of matrix M can be encoded as a set of first polynomials.

[0061] Since t is determined by the homomorphic encryption method and m is determined by the dimension of matrix M, m and t+1 may or may not be equal. The predetermined homomorphic encryption method typically handles polynomials containing terms of a fixed degree (t being a positive integer). To encode a single column of matrix M into a first polynomial of degree t, a multiple-multiple method can be used. This involves obtaining multiples of t+1 from the m elements, such that each t+1 element encodes a first polynomial.

[0062] Specifically, when m = t + 1, no expansion is needed; each element of a single column can be directly encoded sequentially as the coefficients of the constant to the t-th degree term of the corresponding first polynomial. When m < t + 1, the m-dimensional vector can be expanded to t + 1 dimensions by padding with zeros at the end (e.g., expanding a two-dimensional vector (1, 2) to a four-dimensional vector (1, 2, 0, 0). Then, each element of the expanded single column is sequentially encoded as the coefficients of the t+1 degree term of the corresponding first polynomial. When m > t + 1, if m is k times t + 1 (where k is an integer greater than 1; if k = 1, it is equivalent to the case of m = t + 1), the single column can be split into k t + 1 dimensional vectors, and k t-th degree first polynomials can be obtained through encoding, serving as the first polynomial group corresponding to the single column. If m is not a multiple of t+1, then by padding with trailing zeros, the m-dimensional elements of a single column are expanded to the smallest multiple of t+1, such as k(t+1) dimensions. This is then encoded to obtain k first polynomials of degree t, which form the set of first polynomials corresponding to a single column. As a concrete example, assuming m = t+1, the set of first polynomials of degree t obtained from encoding the i-th column can contain only one first polynomial, for example, R. i =R(M i ) = M 1i +M 2i ×x+M 3i ×x 2 +……+M ti ×x t .

[0063] Further derivation based on the data in plaintext form reveals that the product of the second polynomial corresponding to the i-th element of vector v and the first polynomial corresponding to the i-th column of matrix M is: R i ×Q i =M 1i v i +M 2i v i ×x+M 3i v i ×x 2 +……+M ti v i ×x t In this case, terms with coefficients of 0 in the second polynomial are eliminated. When the set of first polynomials corresponding to the i-th column of matrix M contains multiple first polynomials, the product of each first polynomial and the second polynomial can be calculated separately to obtain a set of product polynomials. For ease of description, the set of product polynomials corresponding to the i-th column can be represented by R. i ×Q i Logo.

[0064] It is evident that the product polynomial contains the product of each element in the i-th column of matrix M with the i-th dimension element of vector v. According to the matrix multiplication principle, the sum of the product polynomials of each element in the j-th row of matrix M with each dimension element of vector v is the j-th dimension element of the product matrix of matrix M and vector v. Therefore, by summing the corresponding product polynomials of each column of matrix M, the coefficients of each term in the resulting polynomial are exactly the elements of each dimension of the product vector b of matrix M and vector v. Since the number of elements in each column of matrix M is the same, the number of first polynomials in the first polynomial group obtained by encoding each column is consistent, and the number of product polynomials in the resulting product polynomial group is also consistent. Therefore, during summation, they can be summed one-to-one. For example, summing the first product polynomials in each product polynomial group, summing the second product polynomials in each product polynomial group, and so on.

[0065] Accordingly, through step 140, the first party can calculate the product polynomials of each first polynomial set and the corresponding ciphertext second polynomial.

[0066] In a single first polynomial group corresponding to a single column of matrix M, when the number of first polynomials is greater than 1, the number of product polynomials in the product polynomial group corresponding to the i-th column of matrix M can be the same as the number of first polynomials in the corresponding first polynomial group.

[0067] According to the properties of homomorphic encryption, the product of plaintext and ciphertext is the ciphertext form of the plaintext product. The first side can be obtained through polynomial multiplication R. i ×E(Q i ), thus obtaining the encrypted product polynomial system E(R) i ×Q i Because in encrypted form, E(Q) i The ciphertext form of a term with a coefficient of 0 in a polynomial multiplication scheme may be non-zero; therefore, terms with a maximum degree of 2t may appear. For computational convenience and to meet the requirements of the predetermined homomorphic encryption method, the ciphertext can be modulo (x) when performing polynomial multiplication. t+1 The process is performed in the form of +1), which can eliminate terms that are multiplied more than t times. Terms that contain 0 as a multiplier can be eliminated after decryption.

[0068] It is worth noting that when the number of rows in matrix M is greater than t+1, the number of first polynomials corresponding to a single column (such as the i-th column) is multiple. These first polynomials are multiplied by the ciphertext of the second polynomial generated by vector v in the corresponding dimension i, resulting in a ciphertext form of a product polynomial, i.e., a ciphertext product polynomial set. A single ciphertext product polynomial set can be denoted as E(S... i )=E(R i ×Q i ).

[0069] Then, in step 150, the first party sums up each set of ciphertext product polynomials to obtain the ciphertext polynomial describing the product vector of matrix M and vector v.

[0070] It can be understood that in the ciphertext product polynomials, without merging terms of the same degree, the polynomials are concatenated sequentially, and the coefficients of each term can be viewed as the product of the corresponding dimension element of vector v and the corresponding column element of the matrix. The product polynomials at corresponding positions in each product polynomial set are combined and summed. The coefficients of the ciphertext polynomials in the resulting ciphertext polynomial set are arranged sequentially from the constant term to the t-th degree term, corresponding to the ciphertext form of each element of the product vector b of matrix M and vector v. This ciphertext polynomial can also be understood as the result of these coefficients and at least one t-th degree polynomial obtained by encoding the product vector b with R, encrypted with the encryption key, denoted as E(R(b)). Since the decryption key is held by the second party, the first party cannot know the plaintext information of each element of the product vector of matrix M and vector v.

[0071] In order to obtain the product vector of matrix M and vector v, in step 160, the first party provides the second party with the ciphertext information corresponding to the product vector b of matrix M and vector v according to the above-mentioned ciphertext polynomial.

[0072] In step 170, the second party decrypts the ciphertext information using the decryption key to obtain the corresponding result data of the product vector b.

[0073] Depending on the specific business requirements, the encrypted information provided by the first party to the second party will vary, and the corresponding results obtained by the second party will also differ.

[0074] Specifically, given that the second party receives the product vector b (without revealing the first party's matrix data), the ciphertext information provided by the first party can be the aforementioned ciphertext polynomial, such as E(R(b)). The second party decrypts this ciphertext information to obtain the polynomial R(b). It is understood that the dimension of the polynomial R(b) is the same as the number of rows in matrix M, which may exceed t+1, and is composed of multiple polynomials of degree t (without merging terms of the same degree). Since the predetermined homomorphic encryption method processes at most one polynomial of degree t at a time, the polynomial R(b) transmitted from the first party to the second party can maintain the form of a ciphertext polynomial set. The second party can sequentially decrypt each polynomial of degree t in the ciphertext polynomial set, then extract the constant terms to the coefficients of each term t and concatenate them to obtain the product vector b as the result data.

[0075] It is worth noting that for the last polynomial of degree t, since its coefficients may be determined by padding with zeros and the result is still 0, or the product vector calculation result may originally be 0, for the coefficients of each polynomial of degree t after decryption, the first m coefficients are taken after arranging them in order to form the product vector b.

[0076] On the other hand, the product vector b requires a shared form between the first and second parties. The first party can generate an m-dimensional random vector b1 as the first slice of the product vector b. Then, the random vector b1 can be encoded into one or more polynomials of degree t, denoted as R(b1). The encoding method here is consistent with the encoding method for the i-th column of matrix M. When m is not a multiple of t+1, the polynomial coefficients are extended by padding with zeros at the end to obtain the first polynomial set. Then, under a predetermined homomorphic encryption method, the difference between the ciphertext polynomial set and the first polynomial set in the encrypted state is calculated, denoted as the encrypted state difference polynomial set E(R(b)-R(b1))=E(R(b2)) as the corresponding ciphertext information. The first party provides the ciphertext information E(R(b2)) to the second party. The second party decrypts and recovers vector b2 as the second slice of the product vector b, i.e., the result data corresponding to the second party. Specifically, the second party decrypts each polynomial of degree t in the difference polynomial group of the ciphertext in turn, then extracts the coefficients from the constant term to the coefficients of each polynomial of degree t, and concatenates the first m dimensions to form the vector b2. In this way, b1 and b2 constitute the product vector b in a form shared by the first and second parties.

[0077] Those skilled in the art will understand that, when the second party holds matrix V, matrix V can be viewed as an arrangement of multiple vectors v. According to the meaning of matrix multiplication, each column of the product matrix B of matrix M and matrix V corresponds to each column of matrix V. Therefore, matrix V can be viewed as a combination of multiple column vectors v, and the multiplication can be performed on each column vector v separately. Figure 1 The safe multiplication operation shown yields various product vectors b, and the matrix obtained by arranging the column vectors b in sequence is the product matrix B.

[0078] exist Figure 1 In the illustrated implementation architecture, since the first party may perform plaintext computation on its local data, or plaintext-ciphertext computation on both the local plaintext and the second party's ciphertext, the step of obtaining the encryption key is unnecessary. In cases where the encryption involves the first party's local data, the encryption key can be obtained from the second party, which will not be elaborated further here.

[0079] Figure 1This specification describes secure matrix multiplication computation based on the technical concept of this specification from the perspective of first-party and second-party interaction. In practice, the first and second parties can refer to cooperating business partners, and they can refer to the devices used by the respective business partners to perform secure computations. The business partners corresponding to the first and second parties can have independent data systems and data processing systems, thus performing different operations independently and exchanging data according to agreed-upon protocols.

[0080] like Figure 2 As shown, the process executed by the first party in the secure computation of matrix multiplication may include:

[0081] Step 210: Encode each column element of matrix M into a set of first polynomials of degree t.

[0082] Where t is determined based on a predetermined homomorphic encryption method, the first polynomial group corresponding to a single column of matrix M includes at least one first polynomial of degree t, and each element in a single column is sequentially encoded as the coefficient of each term of the first polynomial in the corresponding first polynomial group, and the coefficients of each term of a single first polynomial from the constant term to the t-th term are consistent with the order of the corresponding elements in the single column.

[0083] Step 220: Calculate the ciphertext product polynomials of each first polynomial set and the corresponding ciphertext second polynomial.

[0084] The ciphertext polynomial is obtained by encrypting the vector v using a second polynomial of degree t based on the elements of the corresponding dimension.

[0085] Step 230: Summate the corresponding ciphertext product polynomials in each ciphertext product polynomial group to obtain the ciphertext polynomial group describing the product vector of matrix M and vector v.

[0086] In the ciphertext polynomial system, the coefficients of each term of each ciphertext polynomial correspond to the elements of the product vector of matrix M and vector v.

[0087] Step 240: Provide the second party with the ciphertext information of the product vector according to the ciphertext polynomial set, so that the second party can decrypt the ciphertext information to obtain the result data corresponding to the product vector.

[0088] Here, the predefined homomorphic encryption method is one of BFV, BGV, or CKKS. The predefined homomorphic encryption method can handle polynomials of degree t and has high processing efficiency.

[0089] Where, assuming matrix M has m rows and n columns, then:

[0090] When m is a multiple of t+1 (k is a positive integer), for the i-th column of matrix M, the m elements of the i-th column can be divided into k groups in order, and then the elements of each group are encoded to obtain the first polynomials in the first polynomial group corresponding to the i-th column. The elements of a single group are encoded in sequence as the coefficients of the constant term to the t-th term in the corresponding first polynomial.

[0091] When m is greater than k-1 times t+1 and less than k times t+1, for the i-th column of matrix M, the m elements of the i-th column can be expanded to k times t+1 by padding with zeros at the end. Then, the expanded elements are divided into k groups in order, and the elements of each group are encoded to obtain the first polynomials in the first polynomial group corresponding to the i-th column. In this case, the elements of a single group are encoded in sequence as the coefficients of the constant term to the t-th term in the corresponding first polynomial.

[0092] The single ciphertext product polynomial set includes each ciphertext product polynomial corresponding one-to-one with each first polynomial in the single first polynomial set. The single ciphertext product polynomial is determined by the product of the single first polynomial and the corresponding ciphertext second polynomial in the case of the sum of the terms of degree modulo t+1 and 1.

[0093] In one embodiment, the ciphertext product polynomials in a single ciphertext product polynomial set are arranged sequentially according to the correspondence between the corresponding first polynomial and the elements in a single column of matrix M. In step 230, the ciphertext product polynomials corresponding to the same row elements in each ciphertext product polynomial set can be summed to obtain the corresponding ciphertext polynomial. The ciphertext polynomial set is composed of each ciphertext polynomial.

[0094] In one possible design, the product vector b needs to be obtained by the second party. In step 240, the ciphertext information of the product vector provided by the first party to the second party is the ciphertext polynomial set obtained in step 230.

[0095] In another possible design, where the first and second parties need to obtain the product vector b through secret sharing, in step 240, the first party can generate a random vector b1 as the first slice of the product vector. Then, the random vector b1 is encoded into a set of polynomials of degree t for the first slice. Based on the aforementioned predetermined homomorphic encryption method, a set of ciphertext difference polynomials is calculated, consisting of the difference between the ciphertext polynomial set and the corresponding polynomials in the first slice polynomial set. This set of ciphertext difference polynomials is then provided to the second party as the ciphertext information of the product vector. Here, the dimension of the random vector b1 is the same as the number of rows in matrix M.

[0096] like Figure 3 As shown, the process performed by the second party in the secure computation of matrix multiplication may include:

[0097] Step 310: Encode the elements of each dimension of vector v into second polynomials of degree t respectively;

[0098] Where t is determined based on the aforementioned predetermined homomorphic encryption method, the constant term of a single second polynomial is an element of the corresponding single dimension of vector v, and the coefficients of other terms are 0;

[0099] Step 320: Provide the first party with each ciphertext second polynomial obtained by encrypting each second polynomial, so that the first party can feed back the ciphertext information of the above product vector based on each ciphertext second polynomial.

[0100] The encrypted information of the product vector is determined by calculating each encrypted product polynomial group of each first polynomial group and the corresponding encrypted second polynomial, and summing the encrypted product polynomial groups. Each first polynomial group corresponds to a single column of matrix M and includes at least one first polynomial of degree t. Each element in the single column is sequentially encoded as the coefficient of each degree term of the first polynomial in the corresponding first polynomial group, and the coefficients of each term of the single first polynomial from the constant term to the t-th degree term are consistent with the order of the corresponding elements in the single column.

[0101] Step 330: Decrypt the above ciphertext information to obtain the result data corresponding to the above product vector.

[0102] In one possible design, the above-mentioned ciphertext information is the above-mentioned ciphertext polynomial set. In step 330, the second party can decrypt each ciphertext polynomial in the above-mentioned ciphertext polynomial set, and then extract the coefficients of each ciphertext polynomial from the constant term to the t-th degree term in sequence. The extracted coefficients are arranged in the order of the ciphertext polynomials to obtain the above-mentioned product vector as the result data.

[0103] In another possible design, the aforementioned ciphertext information is a set of difference polynomials between the aforementioned ciphertext polynomial set and the first piecewise polynomial set based on the aforementioned predetermined homomorphic encryption method. The first piecewise polynomial set includes at least one polynomial obtained by the first party encoding the first piecewise part of the aforementioned product vector. The first piecewise part is a random vector b1 generated by the first party with the same dimension as the number of rows in matrix M. In step 330, the second party can decrypt each difference polynomial in the aforementioned set of difference polynomials, extract the coefficients of each difference polynomial from the constant term to the t-th degree term in sequence, arrange the extracted coefficients in the order of the difference polynomials, and obtain the second piecewise part of the aforementioned product vector as the result data held by the second party.

[0104] It is worth noting that, Figure 2 , Figure 3 The processes executed by the first and second parties shown are respectively... Figure 1 The operations performed by the first and second parties are consistent. Figure 1The operations performed by the first and second parties are also adapted Figure 2 , Figure 3 The process shown will not be repeated here. Figure 1 , Figure 2 , Figure 3 Some of the steps shown are merely implementation examples. In practice, some steps may be performed in different orders, in parallel, or not at all, without substantially affecting the result. This specification does not limit this. For example, Figure 1 In this process, step 130 can be executed after step 120, before step 120, or simultaneously with steps 110 and 120. For example, if the second party obtains the product vector b, the first party processes its local data in plaintext, performs plaintext-ciphertext multiplication and ciphertext addition on the local data and the second party's ciphertext data, ultimately obtaining the ciphertext form of the product polynomial R(b). Since the entire process is not encrypted using an encryption key, the second party does not need to provide the encryption key to the first party (e.g., ...). Figure 1 As shown), if the second party needs to encrypt the first piecewise polynomial group, the second party can also perform the step of providing the encryption key to the first party.

[0105] Reviewing the above process, in a multi-party secure computation architecture involving two parties, one party holds a matrix and the other holds a vector. Secure matrix multiplication is used to calculate the product of the matrix and the vector. This specification fully utilizes the polynomial processing characteristics of efficient homomorphic encryption to encode both the matrix and the vector as polynomials. Based on polynomial multiplication, the polynomial corresponding to the product of the matrix and the vector is determined. Then, the elements of each dimension of the product vector are extracted from the resulting polynomial. Since no vector cyclic shifting or polynomial coefficient cyclic shifting is required, compared with conventional techniques, the computational load can be reduced, improving the efficiency of matrix secure multiplication operations based on homomorphic encryption, thereby improving the business processing efficiency based on matrix multiplication under a multi-party secure computation architecture.

[0106] According to another embodiment, a secure computation apparatus for matrix multiplication that can be located in a single participant is also provided. The secure computation apparatus for matrix multiplication provided in this specification is used in secure computation between a first party and a second party to perform secure multiplication computation based on a predetermined homomorphic encryption method on a matrix M held by the first party and a vector v held by the second party.

[0107] Among them, such as Figure 4 As shown, the secure computational device 400 for matrix multiplication on the first side may include:

[0108] Encoding unit 401 is configured to encode each column element of matrix M into a set of first polynomials of degree t.

[0109] Where t is determined based on a predetermined homomorphic encryption method, the first polynomial group corresponding to a single column of matrix M includes at least one first polynomial of degree t, and each element in the single column is sequentially encoded as the coefficient of each term of the first polynomial in the corresponding first polynomial group, and the coefficients of each term of the single first polynomial from the constant term to the t-th term are consistent with the order of the corresponding elements in the single column.

[0110] The homomorphic computation unit 402 is configured to compute each of the ciphertext product polynomials of each first polynomial set and the corresponding ciphertext second polynomial; and to sum the corresponding ciphertext product polynomials in each ciphertext product polynomial set to obtain a ciphertext polynomial set describing the product vector of matrix M and vector v.

[0111] The ciphertext polynomial is obtained by the second party through encryption based on the second polynomial that encodes the elements of the corresponding dimension of vector v to the order of t. The coefficients of each term in the ciphertext polynomial set correspond to the elements of the product vector of matrix M and vector v.

[0112] The providing unit 403 is configured to provide the second party with the ciphertext information of the product vector according to the ciphertext polynomial set, so that the second party can decrypt the ciphertext information to obtain the result data corresponding to the product vector.

[0113] On the other hand, reference Figure 5 As shown, the secure computational device 500 for matrix multiplication on the second side may include:

[0114] Encoding unit 501 is configured to encode the elements of each dimension of vector v into second polynomials of degree t respectively;

[0115] Where t is determined based on a predetermined homomorphic encryption method, the constant term of a single second polynomial is an element of the corresponding single dimension of vector v, and the coefficients of other terms are 0;

[0116] Encryption unit 502 is configured to encrypt each second polynomial to obtain each ciphertext second polynomial;

[0117] The providing unit 503 is configured to provide each ciphertext second polynomial to the first party so that the first party can feed back the ciphertext information of the product vector based on each ciphertext second polynomial;

[0118] The encrypted information of the product vector is determined based on the first calculation of each encrypted product polynomial group of each first polynomial group and the corresponding encrypted second polynomial, and the encrypted polynomial group obtained by summing each encrypted product polynomial group. Each first polynomial group corresponds to a single column of matrix M and includes at least one first polynomial of degree t. Each element in the single column is sequentially encoded as the coefficient of each degree term of each first polynomial in the corresponding first polynomial group, and the coefficients of each term of the single first polynomial from the constant term to the t-th degree term are consistent with the order of the corresponding elements in the single column.

[0119] Decryption unit 504 is configured to decrypt ciphertext information and obtain the result data corresponding to the product vector.

[0120] It is worth noting that, Figure 4 , Figure 5 The devices shown are respectively with Figure 2 , Figure 3 The illustrated method embodiments correspond to, and respectively correspond to, the following embodiments. Figure 1 The first party and the second party in the illustrated embodiments, therefore, Figure 1 , Figure 2 , Figure 3 The corresponding descriptions in the method embodiments are respectively applicable to Figure 4 , Figure 5 The apparatus shown will not be described in detail here.

[0121] According to another embodiment, a computer-readable storage medium is also provided, on which a computer program is stored, which, when executed in a computer, causes the computer to perform a combination Figure 2 or Figure 3 The methods described above.

[0122] According to another embodiment, a computing device is also provided, including a memory and a processor, wherein the memory stores executable code, and when the processor executes the executable code, it implements a combination... Figure 2 or Figure 3 The methods described above.

[0123] Those skilled in the art will recognize that the functions described in the embodiments of this specification in one or more of the above examples can be implemented using hardware, software, firmware, or any combination thereof. When implemented in software, these functions can be stored in a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium.

[0124] The specific embodiments described above further illustrate the purpose, technical solution, and beneficial effects of the technical concept in this specification. It should be understood that the above description is only a specific embodiment of the technical concept in this specification and is not intended to limit the scope of protection of the technical concept in this specification. Any modifications, equivalent substitutions, improvements, etc., made on the basis of the technical solutions of the embodiments in this specification should be included within the scope of protection of the technical concept in this specification.

Claims

1. A secure matrix multiplication computation method for secure computation between a first party and a second party, wherein secure multiplication computation is performed on a matrix M held by the first party and a vector v held by the second party based on a predetermined homomorphic encryption method; The method is performed by a first party and includes: Each column element of matrix M is encoded into a set of first polynomials of degree t, where t is determined based on the predetermined homomorphic encryption method. The set of first polynomials corresponding to a single column of matrix M includes at least one first polynomial of degree t. Each element in a single column is sequentially encoded into the coefficients of each term of the first polynomial in the corresponding set of first polynomials, and the coefficients of each term of a single first polynomial from the constant term to the t-th term are in the same order as the corresponding elements in the single column. Calculate each ciphertext product polynomial set of each first polynomial set and the corresponding ciphertext second polynomial, wherein the ciphertext second polynomial is obtained by the second party based on the second polynomial that encodes the elements of the corresponding dimension of vector v to the order of t, and each ciphertext product polynomial in the ciphertext product polynomial set is the product of a single first polynomial in a single first polynomial set and the corresponding ciphertext second polynomial. Summing the corresponding ciphertext product polynomials in each ciphertext product polynomial group yields a ciphertext polynomial group describing the product vector of matrix M and vector v. The coefficients of each term of each ciphertext polynomial in the ciphertext polynomial group correspond to the elements of the product vector of matrix M and vector v. The encrypted information of the product vector is provided to the second party according to the encrypted polynomial set, so that the second party can decrypt the encrypted information to obtain the result data corresponding to the product vector.

2. The method as described in claim 1, wherein, Matrix M has m rows and n columns, where m is a multiple of k (t+1) and k is a positive integer. For the i-th column of matrix M, encoding each column element of matrix M into a group of first polynomials of degree t includes: Divide the m elements in the i-th column into k groups in order; Encode each group of elements to obtain each first polynomial in the first polynomial group corresponding to the i-th column. The elements in a single group are sequentially encoded as the coefficients of the constant term to the t-th term in the corresponding first polynomial.

3. The method as described in claim 1, wherein, Matrix M has m rows and n columns, where m is greater than k-1 times t+1 and less than k times t+1, and k is a positive integer. For the i-th column of matrix M, encoding each column element of matrix M into a group of first polynomials of degree t includes: The m elements in the i-th column are expanded to a multiple of k elements of t+1 by padding with zeros at the end; Divide the expanded elements into k groups in order; Encode each group of elements to obtain each first polynomial in the first polynomial group corresponding to the i-th column. The elements in a single group are sequentially encoded as the coefficients of the constant term to the t-th term in the corresponding first polynomial.

4. The method of claim 1, wherein, A single ciphertext product polynomial set comprises ciphertext product polynomials corresponding one-to-one with each first polynomial in a single first polynomial set. A single ciphertext product polynomial is formed by the first polynomial and its corresponding ciphertext second polynomial modulo (x). t+1 The product is determined in the form of +1), x t+1 Let x represent the (t+1)th term of the corresponding polynomial, modulo (x) t+1 +1) is used to eliminate terms that have been eliminated more than t times.

5. The method of claim 1, wherein, The ciphertext product polynomials in a single ciphertext product polynomial set are arranged sequentially according to the correspondence between the corresponding first polynomial and the elements in a single column of matrix M. The step of summing the corresponding ciphertext product polynomials in each ciphertext product polynomial set to obtain the ciphertext polynomial set describing the product vector of matrix M and vector v includes: Summing the ciphertext product polynomials with corresponding row elements in each ciphertext product polynomial set yields the corresponding ciphertext polynomial, and the ciphertext polynomial set is composed of each ciphertext polynomial.

6. The method of claim 1, wherein, The step of providing the ciphertext information of the product vector to the second party based on the ciphertext polynomial set includes: The encrypted polynomial set is provided to the second party as the encrypted information of the product vector, so that the second party can decrypt each encrypted polynomial set and extract the coefficients of each polynomial to obtain the product vector b as the result data corresponding to the product vector.

7. The method of claim 1, wherein, The step of providing the ciphertext information of the product vector to the second party based on the ciphertext polynomial set includes: Generate a random vector b1 as the first slice of the product vector, wherein the dimension of the random vector b1 is the same as the number of rows of matrix M; The random vector b1 is encoded as a first piecewise polynomial of degree t; Based on the predetermined homomorphic encryption method, calculate the ciphertext difference polynomial set formed by the difference between the ciphertext polynomial set and the corresponding polynomials in the first piecewise polynomial set. The encrypted difference polynomial set is provided to the second party as the encrypted information of the product vector, so that the second party can decrypt the encrypted difference polynomial set and extract the corresponding coefficients from the obtained difference polynomial set to obtain the second slice of the product vector as the result data of the product vector in the second party.

8. The method of claim 1, wherein, The predetermined homomorphic encryption method is one of BFV, BGV, and CKKS.

9. A secure matrix multiplication method for secure computation between a first party and a second party, wherein secure multiplication is performed on a matrix M held by the first party and a vector v held by the second party based on a predetermined homomorphic encryption method; the method is executed by the second party and includes: The elements of each dimension of vector v are encoded into second polynomials of degree t, where t is determined based on the predetermined homomorphic encryption method, the constant term of a single second polynomial is the element of the corresponding single dimension of vector v, and the coefficients of other terms are 0. Each encrypted second polynomial is provided to the first party so that the first party can feed back the encrypted information of the product vector based on each encrypted second polynomial. The encrypted information of the product vector is determined by the first party calculating each encrypted product polynomial group of each first polynomial group and the corresponding encrypted second polynomial, and summing the encrypted product polynomial groups. Each first polynomial group corresponds to a single column of matrix M and includes at least one first polynomial of degree t. Each element in the single column is sequentially encoded as the coefficient of each degree term of each first polynomial in the corresponding first polynomial group, and the coefficients of each term from the constant term to the t-th degree term of the single first polynomial are consistent with the order of the corresponding elements in the single column. Decrypt the ciphertext information to obtain the result data corresponding to the product vector.

10. The method of claim 9, wherein, The ciphertext information is the ciphertext polynomial set, and the decryption of the ciphertext information to obtain the result corresponding to the product vector includes: Decrypt each ciphertext polynomial in the ciphertext polynomial set; Extract the coefficients of each ciphertext polynomial sequentially from the constant term to the term of degree t; The extracted coefficients are arranged in the order of the ciphertext polynomials to obtain the product vector as the result data.

11. The method of claim 9, wherein, The ciphertext information is a difference polynomial set between the ciphertext polynomial set and the first piecewise polynomial set based on the predetermined homomorphic encryption method. The first piecewise polynomial set includes at least one polynomial obtained by encoding the first piecewise part of the product vector by the first party. The first piecewise part is a random vector b1 with the same dimension as the number of rows in matrix M generated by the first party. The process of decrypting the ciphertext information to obtain the result corresponding to the product vector includes: Decipher each difference polynomial in the system of difference polynomials; Extract the coefficients of each difference polynomial, from the constant term to the term of degree t. The extracted coefficients are arranged in the order of the difference polynomials to obtain the second slice of the product vector as the result data.

12. The method of claim 9, wherein, The predetermined homomorphic encryption method is one of BFV, BGV, and CKKS.

13. A secure computation apparatus for matrix multiplication, used in secure computation between a first party and a second party, for performing secure multiplication computation based on a predetermined homomorphic encryption method on a matrix M held by the first party and a vector v held by the second party; The device is located in the first party and includes: The encoding unit is configured to encode each column element of matrix M into a set of first polynomials of degree t, wherein t is determined based on the predetermined homomorphic encryption method, and the set of first polynomials corresponding to a single column of matrix M includes at least one first polynomial of degree t. Each element in the single column is sequentially encoded into the coefficients of each term of the first polynomial in the corresponding set of first polynomials, and the coefficients of each term of the single first polynomial from the constant term to the t-th term are in the same order as the corresponding elements in the single column. The homomorphic computation unit is configured to compute each ciphertext product polynomial set of each first polynomial set and its corresponding ciphertext second polynomial, wherein the ciphertext second polynomial is obtained by encrypting a second polynomial based on encoding the elements of the corresponding dimension of vector v to degree t, and each ciphertext product polynomial in the ciphertext product polynomial set is the product of a single first polynomial in a single first polynomial set and its corresponding ciphertext second polynomial; and Summing the corresponding ciphertext product polynomials in each ciphertext product polynomial group yields a ciphertext polynomial group describing the product vector of matrix M and vector v. The coefficients of each term in each ciphertext polynomial group correspond sequentially to the elements of the product vector of matrix M and vector v. The providing unit is configured to provide the second party with the ciphertext information of the product vector based on the ciphertext polynomial set, so that the second party can decrypt the ciphertext information to obtain the result data corresponding to the product vector.

14. A secure computation apparatus for matrix multiplication, used in secure computation between a first party and a second party, for performing secure multiplication computation based on a predetermined homomorphic encryption method on a matrix M held by the first party and a vector v held by the second party; The device is located on the second party and includes: The encoding unit is configured to encode the elements of each dimension of vector v into a second polynomial of degree t, wherein t is determined based on the predetermined homomorphic encryption method, the constant term of a single second polynomial is the element of the corresponding single dimension of vector v, and the coefficients of other terms are 0. The encryption unit is configured to encrypt each second polynomial to obtain each ciphertext second polynomial. A providing unit is configured to provide each encrypted second polynomial to a first party, so that the first party can feed back encrypted information of the product vector based on each encrypted second polynomial. The encrypted information of the product vector is determined based on the first party calculating each encrypted product polynomial group of each first polynomial group and the corresponding encrypted second polynomial, and summing the encrypted product polynomial groups to obtain the encrypted polynomial group. Each first polynomial group corresponds to a single column of matrix M and includes at least one first polynomial of degree t. Each element in the single column is sequentially encoded as the coefficient of each degree term of each first polynomial in the corresponding first polynomial group, and the coefficients of each term of the single first polynomial from the constant term to the t-th degree term are consistent with the order of the corresponding elements in the single column. The decryption unit is configured to decrypt the ciphertext information to obtain the result data corresponding to the product vector.

15. A computer-readable storage medium having a computer program stored thereon, which, when executed in a computer, causes the computer to perform the method of any one of claims 1-12.

16. A computing device, comprising a memory and a processor, characterized in that, The memory stores executable code, and when the processor executes the executable code, it implements the method of any one of claims 1-12.