Data processing method and device for two-party joint

By employing a joint data processing method, a reasonable encoding design is implemented for batch matrix-vector multiplication, reducing or even eliminating rotation operations in homomorphic encryption. This solves the problems of high computational load and low performance in existing technologies, achieving both reduced computational load and improved performance.

CN116366226BActive Publication Date: 2026-07-10ANT BLOCKCHAIN TECHNOLOGY (SHANGHAI) CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
ANT BLOCKCHAIN TECHNOLOGY (SHANGHAI) CO LTD
Filing Date
2023-03-30
Publication Date
2026-07-10

AI Technical Summary

Technical Problem

Existing matrix-vector multiplication methods based on homomorphic encryption are computationally intensive and have low performance, making them difficult to meet the needs of practical applications.

Method used

By designing a reasonable encoding scheme for batch matrix-vector multiplication, reducing or even eliminating rotation operations in homomorphic encryption, and employing a two-party joint data processing method, multiple matrix-vector multiplications can be performed in batches for secure computation.

Benefits of technology

It effectively reduces the computational cost of secure matrix-vector multiplication and improves computational performance.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN116366226B_ABST
    Figure CN116366226B_ABST
Patent Text Reader

Abstract

This specification discloses a two-party joint data processing method for performing secure product operations on n original matrices held by a first party and n m-dimensional column vectors held by a second party. In this method, the first party determines m reconstructed matrices based on the n original matrices, where any j-th reconstructed matrix includes the j-th column element of each original matrix; the second party determines the corresponding first vector ciphertext by homomorphically encrypting several reconstructed vectors and sends it to the first party; subsequently, the first party performs homomorphic operations on the first vector ciphertext and the m reconstructed matrices to obtain the product result ciphertext, which is used to construct the result of the secure product operation.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This specification relates to the field of data security processing technology, and in particular to a method and apparatus for joint data processing by two parties. Background Technology

[0002] Secure Multi-Party Computation (MPC), also known as multi-party secure computation, involves multiple parties collaboratively computing a function without revealing their input data. The result is then shared with one or more of the parties. Underlying technologies in MPC include homomorphic encryption (HE) and secret sharing (SS).

[0003] Matrix-to-vector multiplication is a common computation, used in machine learning for example, in logistic regression modeling and inference. Matrix-to-vector multiplication based on a matrix hexadecimal (HE) can protect the privacy of all parties involved.

[0004] However, the current method of calculating matrix-vector multiplication based on HE has limited performance. Therefore, a solution is needed that can better meet the needs of practical applications, such as reducing the computational cost of matrix-vector multiplication. Summary of the Invention

[0005] This specification describes a two-party joint data processing method and apparatus, which can better meet the needs of practical applications. By reasonably designing the encoding of batch matrix-vector multiplication, the amount of computation is effectively reduced.

[0006] According to a first aspect, a joint data processing method is provided for performing a secure product operation on n original matrices held by a first party and n m-dimensional column vectors held by a second party. The method is executed by the first party and includes: determining m reconstructed matrices based on the n original matrices; wherein any j-th reconstructed matrix includes elements in the j-th column of each original matrix; receiving a first ciphertext vector from the second party, which is obtained by homomorphically encrypting several reconstructed vectors; a single reconstructed vector consists of n elements in the same row of the n m-dimensional column vectors; performing a homomorphic operation based on the m reconstructed matrices and the first ciphertext vector to obtain a ciphertext of the product result, used to construct the result of the secure product operation.

[0007] In one embodiment, each original matrix is ​​k*m dimensional, and the first ciphertext vector is obtained by encrypting a single reconstructed vector; wherein, performing homomorphic operations based on the m reconstructed matrices and the first ciphertext vector to obtain the product result ciphertext includes: performing homomorphic operations based on the m reconstructed matrices and the m first ciphertext vectors to obtain the product result ciphertext, which includes k second ciphertext vectors corresponding to k rows in the result plaintext matrix, wherein the i-th column in the result plaintext matrix is ​​the product of the i-th original matrix and the i-th m-dimensional column vector.

[0008] In a specific embodiment, the product result ciphertext is obtained by performing homomorphic operations based on the m reconstruction matrices and m first ciphertext vectors, including: performing homomorphic plaintext-ciphertext vector multiplication on the m row vectors in the h-th row of the m reconstruction matrices and the m first ciphertext vectors respectively to obtain m third ciphertext vectors; and performing homomorphic summation on the m third ciphertext vectors to obtain the h-th second ciphertext vector.

[0009] In one embodiment, each original matrix is ​​k*m dimensional; wherein receiving the first ciphertext vector from the second party includes: receiving multiple first ciphertext vectors obtained by homomorphically encrypting multiple first concatenated vectors respectively, wherein the multiple first concatenated vectors are obtained by dividing the m reconstructed vectors into multiple groups in units of t and then concatenating them within each group; wherein performing homomorphic operations based on the m reconstructed matrices and the first ciphertext vectors to obtain the product result ciphertext includes: performing homomorphic operations based on the m reconstructed matrices and the multiple first ciphertext vectors to obtain the product result ciphertext, which includes a fourth ciphertext vector corresponding to the second concatenated vector formed by adjacent t rows in the result plaintext matrix, wherein the i-th column in the result plaintext matrix is ​​the product of the i-th original matrix and the i-th m-dimensional column vector.

[0010] In a specific embodiment, homomorphic operations are performed based on the m reconstruction matrices and the plurality of first ciphertext vectors to obtain the ciphertext of the product result, including: performing multiple cyclic shifts on each first ciphertext vector, with the length of the reconstruction vector as the unit, to obtain a plurality of shifted ciphertext vectors; for each adjacent t row, obtaining t vectors located in the same row from the m reconstruction matrices to obtain m*t row vectors; and performing homomorphic operations on the plurality of first ciphertext vectors, the plurality of shifted ciphertext vectors corresponding to each first ciphertext vector, and the m*t row vectors to obtain a fourth ciphertext vector corresponding to the adjacent t row, which is used to form the ciphertext of the product result.

[0011] In one embodiment, after performing homomorphic operations based on the m reconstruction matrices and the first ciphertext vector to obtain the ciphertext of the product result, the method further includes: sending the ciphertext of the product result to the second party so that the second party can decrypt it to obtain the plaintext of the product result.

[0012] In another embodiment, after performing homomorphic operations based on the m reconstruction matrices and the first ciphertext vector to obtain the ciphertext of the product result, the method further includes: generating a random number as a first secret sharing fragment of the plaintext of the product result; performing a homomorphic subtraction operation on the random number and the ciphertext of the product result to obtain a homomorphic operation result; and sending the homomorphic operation result to the second party so that the second party can obtain a second secret sharing fragment of the plaintext of the product result by decrypting the homomorphic operation result.

[0013] According to the second aspect, a joint data processing method is provided for performing a secure product operation on n original matrices held by a first party and n m-dimensional column vectors held by a second party. The method is executed by the second party and includes: determining m reconstructed vectors based on the n m-dimensional column vectors; a single reconstructed vector is composed of n elements in the same row of the n m-dimensional column vectors; homomorphically encrypting a subset of the m reconstructed vectors to obtain a corresponding first ciphertext vector; sending the first ciphertext vector to the first party, so that the first party performs a homomorphic operation based on the first ciphertext vector and the m reconstructed matrices to obtain a ciphertext of the product result; wherein any j-th reconstructed matrix includes the j-th column element of each original matrix, and the ciphertext of the product result is used to construct the result of the secure product operation.

[0014] In one embodiment, homomorphic encryption is performed on several of the m reconstructed vectors to obtain corresponding first ciphertext vectors, including: homomorphic encryption is performed on each of the m reconstructed vectors to obtain m first ciphertext vectors.

[0015] In one embodiment, homomorphic encryption is performed on several of the m reconstructed vectors to obtain corresponding first ciphertext vectors, including: dividing the m reconstructed vectors into multiple groups in units of t and then concatenating them within each group to obtain multiple first concatenated vectors; and homomorphic encryption is performed on each of the multiple first concatenated vectors to obtain multiple first ciphertext vectors.

[0016] In one embodiment, after sending the first ciphertext vector to the first party, the method further includes: receiving the ciphertext of the product result from the first party; and decrypting the ciphertext of the product result to obtain the plaintext of the product result.

[0017] In one embodiment, after sending the first ciphertext vector to the first party, the method further includes: receiving a homomorphic operation result from the first party, which is obtained by the first party performing a homomorphic subtraction operation on a locally generated random number and the ciphertext of the product result; the random number is used by the first party as a first secret-sharing fragment of the plaintext of the product result; and decrypting the homomorphic operation result to obtain a second secret-sharing fragment of the plaintext of the product result.

[0018] According to a third aspect, a joint data processing apparatus is provided for performing a secure product operation on n original matrices held by a first party and n m-dimensional column vectors held by a second party. The apparatus is integrated into the first party and includes: a matrix reconstruction unit configured to determine m reconstruction matrices based on the n original matrices; wherein any j-th reconstruction matrix includes the j-th column element of each original matrix; a ciphertext vector receiving unit configured to receive a first ciphertext vector from the second party, which is obtained by homomorphically encrypting several reconstruction vectors; a single reconstruction vector consists of n elements in the same row of the n m-dimensional column vectors; and a homomorphic operation unit configured to perform a homomorphic operation based on the m reconstruction matrices and the first ciphertext vector to obtain a ciphertext product result, used to construct the result of the secure product operation.

[0019] According to the fourth aspect, a joint data processing method is provided for performing a secure product operation on n original matrices held by a first party and n m-dimensional column vectors held by a second party. The device is integrated into the second party and includes: a vector reconstruction unit configured to determine m reconstructed vectors based on the n m-dimensional column vectors; a single reconstructed vector consists of n elements in the same row of the n m-dimensional column vectors; a ciphertext vector determination unit configured to perform homomorphic encryption on a subset of the m reconstructed vectors to obtain a corresponding first ciphertext vector; and a ciphertext vector sending unit configured to send the first ciphertext vector to the first party, so that the first party performs a homomorphic operation based on the first ciphertext vector and the m reconstructed matrices to obtain a ciphertext product result; wherein any j-th reconstructed matrix includes the j-th column element of each original matrix, and the ciphertext product result is used to construct the result of the secure product operation.

[0020] According to a fifth aspect, a computer-readable storage medium is provided having a computer program stored thereon, which, when executed in a computer, causes the computer to perform the method provided in the first or second aspect.

[0021] According to an eighth aspect, a computing device is provided, including a memory and a processor, wherein the memory stores executable code, and the processor, when executing the executable code, implements the method provided in the first or second aspect.

[0022] By employing the two-party joint data processing method and apparatus disclosed in the embodiments of this specification, multiple matrix-vector multiplications can be batch-securely computed together, which can reduce or even eliminate the rotation operation of homomorphic encryption, thereby effectively reducing the computational load of secure matrix-vector multiplication. Attached Figure Description

[0023] To more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the following description of the embodiments will be briefly introduced. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0024] Figure 1 This is an example diagram illustrating how a matrix-multiplied vector ciphertext E(Mv) is obtained by performing homomorphic operations on the rearrangement of the plaintext matrix M and the rotation and shift of the ciphertext vector E(v) in the prior art.

[0025] Figure 2 This is one of the communication interaction diagrams of two parties jointly processing data, as disclosed in the embodiments of this specification;

[0026] Figure 3 This is a schematic diagram of vector reconstruction disclosed in the embodiments of this specification;

[0027] Figure 4 This is a schematic diagram of matrix reconstruction disclosed in the embodiments of this specification;

[0028] Figure 5 This is the second schematic diagram of the communication interaction between two parties jointly processing data, as disclosed in the embodiments of this specification.

[0029] Figure 6 This diagram illustrates the structure of the data processing apparatus integrated into a first party as disclosed in the embodiments of this specification.

[0030] Figure 7 This diagram illustrates the structure of a data processing device integrated into a second party, as disclosed in an embodiment of this specification. Detailed Implementation

[0031] The solution provided in this specification will now be described with reference to the accompanying drawings.

[0032] As mentioned earlier, homomorphic encryption algorithms are a class of encryption algorithms commonly used for secure multi-party computation. Compared to ordinary encryption, homomorphic encryption possesses the property of homomorphism, meaning that computation can be performed on data in its encrypted state. For example, performing a operation on the homomorphic ciphertext E(a) of 'a' and the homomorphic ciphertext E(b) of 'b' yields the ciphertext E(a+b) of 'a+b', without revealing 'a', 'b', or 'a+b', and without requiring a decryption key.

[0033] Matrix-vector multiplication based on homomorphic encryption can protect privacy information. In this scenario, party A holds vector v, and party B holds matrix M. After performing secure computation using homomorphic encryption, party A obtains the result of matrix-vector multiplication c = Mv, or each party obtains a fragment of the result c (party A obtains c1, party B obtains c2, and c1 + c2 = c).

[0034] Existing technologies are based on homomorphic encryption for matrix multiplication, with the following scheme:

[0035] 1) Party A generates a homomorphic encrypted public-private key pair, and shares the public key with Party B.

[0036] 2) Party A generates ciphertext E(v) and sends it to Party B.

[0037] Homomorphic encryption algorithms based on the Ring Learning With Errors (RLWE) problem, such as BFV, BGV, and CKKS, are adopted. These homomorphic encryption algorithms support operations on vectors.

[0038] 3) Party B performs a homomorphic cyclic shift operation on E(v) to obtain ciphertexts such as E(L1(v)), E(L2(v)), and E(L3(v)).

[0039] The BFV, BGV, and CKKS homomorphic encryption algorithms support cyclic shift operations on the encryption vector. i The function represents a left circular shift of i bits.

[0040] 4) Party B rearranges matrix M, or in other words, extracts elements from matrix M to form multiple vectors. These vectors are then homomorphically multiplied with the ciphertexts E(L1(v)), E(L2(v)), E(L3(v)), etc., by positional multiplication. The resulting vector ciphertexts are then homomorphically summed to obtain E(Mv). For more details, see [link to relevant documentation]. Figure 1 The example shown.

[0041] 5) Party B sends E(Mv) to Party A for decryption, and Party A obtains b = Mv. Alternatively, Party B generates a random vector c2, subtracts the homomorphic vectors to obtain E(Mv-c2), sends it to Party A for decryption, and Party A obtains c1 = Mv-c2.

[0042] The existing calculations described above require multiple cyclic shift operations on the encrypted vector, resulting in high computational cost and low performance.

[0043] Based on the above observations and analysis, this specification proposes a batch matrix-vector multiplication method based on homomorphic encryption, which calculates multiple matrix-vector multiplications together. Through reasonable encoding design, the rotation operation of homomorphic encryption is reduced or even eliminated, thereby effectively reducing the amount of computation.

[0044] Figure 2 This is one of the communication interaction diagrams of two parties jointly processing data, as disclosed in the embodiments of this specification. Figure 2 The two participating parties are illustrated as Party 1 (P1) and Party 2 (P2). It can be understood that both parties can be implemented as any device, server, platform, or cluster of devices with computing and processing capabilities, such as a secure computing node.

[0045] The following section will first describe the data processing scenario, and then introduce the secure computing process.

[0046] Scenario: P1 and P2 need to perform n matrix-vector multiplications in total, where the matrix and vector for the i-th multiplication are A and B, respectively. (i) and r (i) The result of the i-th iteration is vector s. (i) Assume r (i) Let A be an m-dimensional column vector. (i) For k*m dimensions, s (i) Let S be a k-dimensional column vector. Let S be a k*n-dimensional matrix composed of n column vectors s, which may be referred to as the plaintext matrix in this paper.

[0047] In one implementation, matrix A (i) Let r be the feature matrix of the i-th sample, and r be the vector. (i) For model parameters, s (i) Let A be the prediction result for the i-th sample. For example, in the recommendation business domain, matrix A... (i) It can be a user feature matrix, vector r (i) For the model parameters of the business recommendation model, s (i) The included k vector elements indicate the user's level of interest in k types of goods.

[0048] like Figure 2 As shown, the secure computation process includes the following interactive steps:

[0049] Step S210, P2 is based on n m-dimensional column vectors {r (i)} [n] Determine m n-dimensional reconstruction vectors {v (j)} [m] , where v (j) By all r (i) The j-th dimension constitutes the structure. It should be noted that the abbreviation [n] in the text represents i∈[1,n] and i∈N. * Similarly, the abbreviation [m] indicates that j∈[1,m] and j∈N * .

[0050] Figure 3 This is a schematic diagram of vector reconstruction disclosed in the embodiments of this specification, wherein {r} (i)} [n]and {v (j)} [m] A diagram illustrating the element-to-element correspondence between them. Therefore, we can deduce the relationship between {r}. (i)} [n] Extracting elements of the same dimension in m rounds yields m reconstructed vectors v, i.e., {v... (j)} j∈[m] .

[0051] In step S220, P2 uses the generated homomorphic public key to reconstruct the vector v. (j) Homomorphic encryption is performed to obtain the first ciphertext vector E(v) (j) Therefore, P2 can obtain the corresponding m reconstructed vectors {v}. (j)} [m] m first ciphertext vectors {E(v (j) )} [m] It should be understood that the "first" in the first ciphertext vector, and similar terms such as "second" elsewhere in the text, are used to distinguish similar things and do not have any other limiting function such as ordering.

[0052] For example, homomorphic encryption algorithms based on RLWE, such as BFV, BGV, and CKKS, can be used first to generate homomorphic public-private key pairs. Then, the homomorphic public key can be used to encrypt m reconstructed vectors {v} respectively. (j)} [m] This corresponds to obtaining m first ciphertext vectors {E(v (j) )} [m] .

[0053] Step S230, P2 will divide the m first ciphertext vectors {E(v (j) )} [m] Send to P1.

[0054] Step S240, P1 is based on n original matrices {A (i)} [n] Determine m reconstruction matrices {W (j)} [m] , where any j-th reconstruction matrix W (j) Including all original matrices {A (i)} [n] The element in the j-th column of the array.

[0055] Figure 4 This is a schematic diagram of matrix reconstruction disclosed in the embodiments of this specification, illustrating the extraction of the j-th column elements from all original matrices A to form the j-th reconstruction matrix W. (j) Since the original matrix A contains m columns, we can obtain m reconstructed matrices, i.e., {W}. (j)} [m] .

[0056] Step S250, P1 is based on m reconstruction matrices {W (j)} [m] and m first ciphertext vectors {E(v (j) )} [m] Perform homomorphic operations to obtain the ciphertext E(S) of the product result.

[0057] Specifically, P1 homomorphic summation calculates the third ciphertext vector E(S[h]) corresponding to any h-th row in the resulting plaintext matrix S, i.e., S[h]. It should be understood that S is a k*n dimensional matrix composed of n vectors obtained from n matrix-vector-plaintext multiplications (the plaintext multiplication actually does not occur). The formula for calculating E(S[h]) is as follows:

[0058]

[0059] Therefore, the ciphertext of the product result E(S) = {E(S[h])} can be obtained. [k] Where [k] represents h∈[1,k] and j∈N * .

[0060] Subsequently, in one embodiment, the above interaction process further includes steps S261 and S262. In step S261, P1 sends the ciphertext E(S) of the product result to P2, and then in step S262, P2 uses its homomorphic private key to decrypt the ciphertext E(S) of the product result to obtain the plaintext matrix S.

[0061] In another embodiment, the above-described interaction process further includes steps S263, S264, S265, and S266.

[0062] In step S263, P1 generates a first secret-sharing fragment S1 of the resulting plaintext matrix S. For example, P1 generates a random vector as the first secret-sharing fragment S1. It should be noted that prior art provides an introduction to secret sharing, which will not be elaborated upon here.

[0063] In step S264, P1 performs a homomorphic subtraction operation on the first secret sharing segment S1 and the ciphertext E(S) of the product result to obtain the ciphertext E(S-S1) of the second secret sharing segment S2.

[0064] In step S265, P1 sends the fragmented ciphertext E(S-S1) to P2.

[0065] In step S266, P2 uses the homomorphic private key to decrypt the fragmented ciphertext E(S-S1) to obtain the second secret-sharing fragment S2. It can be understood that S2 = S-S1.

[0066] In this way, the result of the constructed secure product operation can be obtained. For example, P2 obtains the plaintext matrix S, or P1 and P2 obtain the secret sharing fragments S1 and S2 of the plaintext matrix S.

[0067] In summary, by employing the two-party joint data processing method disclosed in the embodiments of this specification, multiple matrix-vector multiplications can be batch-securely computed together, eliminating the rotation operation of homomorphic encryption and thus significantly reducing the computational load of secure matrix-vector multiplications.

[0068] Note that, Figure 2 In the data processing process shown, P2 performs steps S220 on the m reconstructed vectors {v} (j)} [m] Homomorphic encryption is performed one by one. In fact, when the dimension n of the reconstructed vector is small, it is also possible to perform homomorphic encryption on m reconstructed vectors {v (j)} [m] The vector is then concatenated into groups, homomorphically encrypted, and sent to P1. This involves homomorphic cyclic shifting, but compared to existing technologies, it can still effectively reduce the number of cyclic shifts.

[0069] Specifically, Figure 5 This is the second schematic diagram of the communication interaction between the two parties jointly processing data, as disclosed in the embodiments of this specification. Figure 5 Similarly, the two participating parties are illustrated as the first party (P1 party) and the second party (P2 party).

[0070] For an introduction to the implementation carriers and data processing scenarios of the two participating parties, please refer to the relevant content in the foregoing embodiments, which will not be repeated here.

[0071] like Figure 5 As shown, the secure computation process includes the following interactive steps:

[0072] Step S510, P2 is based on n m-dimensional column vectors {r (i)} [n] Determine m reconstructed vectors {v (j)} [m] , where v (j) By all r (i) The j-th dimension constitutes it.

[0073] It should be noted that the description of step S510 can be found in the foregoing description of step S210.

[0074] Step S520, P2 reconstructs m vectors {v} in units of t. (j)} [m]The data is divided into multiple groups and concatenated within each group to obtain multiple first concatenated vectors. It should be understood that t is a positive integer greater than 1 and less than m, and the actual value of t can be set and adjusted by staff according to actual needs.

[0075] In one embodiment, m is divisible by t, in which case {v} can be used. (j)} [m] The vectors are divided into m / t groups, and then the reconstructed vectors from each group are concatenated. In another embodiment, if m is not divisible by t, the number of reconstructed vectors can be increased (e.g., using an n-dimensional zero vector as a padding reconstructed vector) so that the total number of reconstructed vectors m′ after the increase is divisible by t, thereby reducing {v} (j)} [m′] Divide the vectors into m′ / t groups, and then concatenate the reconstructed vectors from each group.

[0076] For clarity, the first concatenated vector of any given vector is denoted as v in this paper. (j) ||v (j+1) ||…||v (j+t-1) , where the symbol || denotes the concatenation of vectors.

[0077] In step S530, P2 uses the generated homomorphic public key to perform homomorphic encryption on multiple first concatenated vectors to obtain multiple first ciphertext vectors.

[0078] For example, for any first concatenation vector v (j) ||v (j+1) ||…||v (j+t-1) Homomorphic encryption yields the corresponding first ciphertext vector E(v) (j) ||v (j+1) ||…||v (j+t-1) ).

[0079] In step S540, P2 sends multiple first ciphertext vectors to P1.

[0080] Step S550, P1 is based on n original matrices {A (i)} [n] Determine m reconstruction matrices {W (j)} [m] , where any j-th reconstruction matrix W (j) Including all original matrices {A (i)} [n] The element in the j-th column of the array.

[0081] It should be noted that the description of step S550 can be found in the foregoing description of step S240.

[0082] Step S560, P1 is based on m reconstruction matrices {W (j)}[m] Perform homomorphic operations with multiple first ciphertext vectors to obtain the ciphertext of the product result.

[0083] Specifically, P1 homomorphically sums to calculate the fourth ciphertext vector E(S[h]||S[h+1]||…||S[h+t-1]), where S[h]||S[h+1]||…||S[h+t-1] represents the second concatenation vector formed by adjacent t rows starting from row h in the resulting plaintext matrix S. It can be understood that the resulting plaintext matrix includes k rows, thus dividing it into units of t yields k / t second concatenation vectors. Correspondingly, P1 can calculate k / t fourth ciphertext vectors corresponding to the k / t second concatenation vectors, which together form the ciphertext E(S[h]||S[h+1]||…||S[h+t- ... || ).

[0084] There are multiple implementation methods for calculating the fourth ciphertext vector E(S[h]||S[h+1]||…||S[h+t-1]).

[0085] In implementation method A, for the second concatenation vector S[h]||S[h+1]||…||S[h+t-1], a predetermined calculation is performed on each of the multiple (denoted as p) first ciphertext vectors to obtain t intermediate ciphertext vectors corresponding to the first ciphertext vector. Then, all p*t intermediate ciphertext vectors can be summed to obtain the fourth ciphertext vector E(S[h]||S[h+1]||…||S[h+t-1]).

[0086] The following starts from any first ciphertext vector E(v) (j) ||v (j+1) ||…||v (j+t-1) Starting from this point, the calculation process of the predetermined calculation described above in Implementation Method A is described, specifically including:

[0087] On the one hand, taking n bits as the unit, for the first ciphertext vector E(v) (j) ||v (j+1) ||…||v (j+t-1) Performing t-1 cyclic shifts yields t-1 shifted ciphertext vectors. Therefore, the first ciphertext vector and the t-1 shifted ciphertext vectors can be collectively denoted as {E(v...} (j+(q-1)%t) ||v (j+q%t) ||…||v (j+(q+t-2)%t) )} [t] In the text, the abbreviation [t] represents q∈[1,t] and q∈N. * % is the modulo operator.

[0088] On the other hand, from the j-th to the (j+t-1)-th reconstruction matrix of the m reconstruction matrices, t row vectors located in rows h to h+t-1 are extracted respectively, for a total of t*t row vectors. These are then organized into t mutually exclusive batches of vectors, and vectors in the same batch are concatenated to obtain t third concatenated vectors, denoted as {(W (j+(q-1)%t) [h]||W (j+q%t) [h+1]||…||W (j+(q+t-2)%t) [h+t-1])} [t] .

[0089] Based on the above two aspects, further discussion will be conducted on (W) (j+(q-1)%t) [h]||W (j+q%t) [h+1]||…||W (j+(q+t-2)%t) [h+t-1]) and E(v (j+(q-1)%t) ||v (j+q%t) ||…||v (j+(q+t-2)%t) Perform homomorphic plaintext-ciphertext vector multiplication to obtain the q-th intermediate ciphertext vector, which is then incorporated into the aforementioned t intermediate ciphertext vectors.

[0090] In one example, for q=1, for (W) (j) [h]||W (j+1) [h+1]||…||W (j+t-1) [h+t-1]) and E(v (j) ||v (j+1) ||…||v (j+t-1) Perform homomorphic plaintext-ciphertext vector multiplication to obtain the first intermediate vector result.

[0091] In another example, for q = 2, for (W) (j+1) [h]||W (j+2) [h+1]||…||W (j) [h+t-1]) and E(v (j +1) ||v (j+2) ||…||v (j) Perform homomorphic plaintext-ciphertext vector multiplication to obtain the second intermediate vector result.

[0092] The above-described predetermined calculation method in Implementation A yields a fourth ciphertext vector E(S[h]||S[h+1]||…||S[h+t-1]) corresponding to any second concatenation vector. Thus, k / t fourth ciphertext vectors corresponding to k / t second concatenation vectors are obtained, collectively serving as the ciphertext E(S[h]||S[h+t-1]). || ).

[0093] It should be noted that Implementation A involves performing m / t*(t-1) cyclic shifts on all the first ciphertext vectors. In practice, the cyclic shifting method in Implementation A can be optimized to further reduce the number of cyclic shifts to O(m / t*sqrt(t-1)), thus proposing Implementation B.

[0094] In implementation method B, an existing cyclic shift optimization method can be used. The following is a brief description of the process for calculating the fourth ciphertext vector E(S[h]||S[h+1]||…||S[h+t-1]) using the optimized cyclic shift method in implementation method B:

[0095] 1) For any first ciphertext vector E(v) (j) ||v (j+1) ||…||v (j+t-1) Perform sqrt(m)-1 cyclic shifts, shifting n*sqrt(m) positions each time, to obtain sqrt(m) ciphertext vectors (including the ciphertext before the shift).

[0096] 2) The plaintext matrix formed by the t*t row vectors extracted above is rearranged to obtain sqrt(m) groups of plaintext vectors. Each group of plaintext vectors is homomorphically multiplied with a ciphertext vector. Each group yields sqrt(m) product ciphertext vectors, which need to be shifted by 0, 1, 2...sqrt(m)-1 positions to reach the target position.

[0097] 3) Homomorphically sum the ciphertexts that need to be shifted by the same number of bits in step 2), and shift the required number of bits.

[0098] 4) Homomorphically sum the ciphertext obtained from the above steps to obtain the fourth ciphertext vector E(S[h]||S[h+1]||…||S[h+t-1]).

[0099] Based on this, the k / t fourth ciphertext vectors corresponding to the k / t second concatenation vectors can be used together as the ciphertext E(S) of the product result. || ).

[0100] The above yields the ciphertext E(S) of the product. || ).

[0101] Subsequently, in one embodiment, the above interaction process further includes steps S571 and S572. In step S571, P1 transmits the ciphertext of the product result E(S) to... || The product result ciphertext E(S) is sent to P2, and in step S572, P2 uses its homomorphic private key to decrypt the ciphertext E(S) of the product result. || ), thus obtaining the plaintext matrix S || This includes the aforementioned k / t second concatenation vectors.

[0102] In another embodiment, the above-described interaction process further includes steps S573, S574, S575, and S576.

[0103] In step S573, P1 generates the plaintext matrix S || First Secret Sharing For example, P1 generates a random vector as the first secret sharing shard.

[0104] In step S574, P1 shares a fragment with the first secret. The ciphertext of the product result E(S) || Perform homomorphic subtraction to obtain the second secret sharing fragment. ciphertext

[0105] In step S575, P1 will fragment the ciphertext. Send to P2.

[0106] In step S576, P2 uses the homomorphic private key to decrypt the fragmented ciphertext. The second secret sharing shard, S2, is obtained. This is understandable.

[0107] In this way, it is possible to utilize the ciphertext E(S) of the product result. || Construct the result of a secure product operation; for example, P2 yields the plaintext matrix S. || Alternatively, P1 and P2 correspond to obtain the plaintext matrix S. || Secret Sharing and

[0108] In summary, by employing the two-party joint data processing method disclosed in the embodiments of this specification, multiple matrix-vector multiplications can be batch-securely computed together, which can reduce the rotation operations of homomorphic encryption, thereby effectively reducing the computational load of secure matrix-vector multiplication.

[0109] It should be noted that, in Figure 5 In step S520, the m reconstructed vectors are grouped in units of t, ensuring that each group has the same number of reconstructed vectors. In practice, the groups can be unequal, arbitrarily divided into multiple mutually exclusive groups. For example, each group could contain a random number of reconstructed vectors, and then concatenated within each group to obtain multiple first concatenated vectors. Based on this, the execution method of subsequent steps can be adaptively adjusted to ultimately achieve safe computation of batch matrix-vector multiplication.

[0110] In addition, regarding the above Figure 2 and Figure 5The steps shown are not executed in a unique order, and the order of operations within a single step is also not unique, as long as the flow of data is logically consistent.

[0111] In summary, by employing the two-party joint data processing method disclosed in the embodiments of this specification, multiple matrix-vector multiplications can be batch-securely computed together, which can reduce or even eliminate the rotation operation of homomorphic encryption, thereby effectively reducing the computational load of secure matrix-vector multiplication.

[0112] Corresponding to the above data processing method, the embodiments of this specification also disclose a data processing apparatus. Figure 6 The diagram shows a schematic of a data processing device integrated into a first party, as disclosed in an embodiment of this specification. The device is used to perform a secure product operation on n original matrices held by the first party and n m-dimensional column vectors held by the second party.

[0113] The device is integrated into the first party, including Figure 6 The following units are shown:

[0114] Matrix reconstruction unit 610 is configured to determine m reconstruction matrices based on the n original matrices; wherein any j-th reconstruction matrix includes the j-th column element of each original matrix. Ciphertext vector receiving unit 620 is configured to receive a first ciphertext vector from a second party, which is obtained by homomorphically encrypting several reconstruction vectors; a single reconstruction vector consists of n elements in the same row of the n m-dimensional column vectors. Homomorphic operation unit 630 is configured to perform homomorphic operations based on the m reconstruction matrices and the first ciphertext vector to obtain a ciphertext product result, used to construct the result of the secure product operation.

[0115] In one embodiment, the homomorphic operation unit 630 is specifically configured to: perform homomorphic plaintext-ciphertext vector multiplication on the m row vectors located in the h-th row of the m reconstruction matrices and the m first ciphertext vectors to obtain m third ciphertext vectors; and perform homomorphic summation on the m third ciphertext vectors to obtain the h-th second ciphertext vector.

[0116] In one embodiment, each original matrix is ​​k*m dimensional; wherein, the ciphertext vector receiving unit 620 is specifically configured to receive from a second party multiple first ciphertext vectors obtained by homomorphically encrypting multiple first concatenated vectors respectively, wherein the multiple first concatenated vectors are obtained by dividing the m reconstructed vectors into multiple groups in units of t and then concatenating them within each group. The homomorphic operation unit 630 is specifically configured to perform homomorphic operations based on the m reconstructed matrices and the multiple first ciphertext vectors to obtain the ciphertext of the product result, which includes a fourth ciphertext vector corresponding to the second concatenated vector formed by adjacent t rows in the result plaintext matrix, wherein the i-th column in the result plaintext matrix is ​​the product of the i-th original matrix and the i-th m-dimensional column vector.

[0117] In one embodiment, the homomorphic operation unit 630 is further configured to: perform multiple cyclic shifts on each first ciphertext vector, using the length of the reconstructed vector as the unit, to obtain multiple shifted ciphertext vectors; for each adjacent t row, obtain t vectors located in the same row from the m reconstructed matrices, to obtain m*t row vectors; and perform homomorphic operations on the multiple first ciphertext vectors, the multiple shifted ciphertext vectors corresponding to each first ciphertext vector, and the m*t row vectors to obtain a fourth ciphertext vector corresponding to the adjacent t row, which is used to form the ciphertext of the product result.

[0118] In one embodiment, the apparatus 600 further includes a result ciphertext sending unit 640, configured to send the product result ciphertext to the second party so that the second party can decrypt it to obtain the product result plaintext.

[0119] In one embodiment, the apparatus further includes: a random number generation unit 650 configured to generate random numbers as a first secret sharing fragment of the plaintext of the product result; a homomorphic subtraction unit 660 configured to perform a homomorphic subtraction operation on the random numbers and the ciphertext of the product result to obtain a homomorphic operation result; and an operation result sending unit 670 configured to send the homomorphic operation result to the second party so that the second party can obtain a second secret sharing fragment of the plaintext of the product result by decrypting the homomorphic operation result.

[0120] Figure 7 This diagram illustrates a data processing device integrated into a second party, as disclosed in an embodiment of this specification. The device performs a secure product operation on n original matrices held by a first party and n m-dimensional column vectors held by the second party. The device is integrated into the second party and includes... Figure 7 The following units are shown:

[0121] Vector reconstruction unit 710 is configured to determine m reconstructed vectors based on the n m-dimensional column vectors; a single reconstructed vector consists of n elements in the same row of the n m-dimensional column vectors. Ciphertext vector determination unit 720 is configured to perform homomorphic encryption on a subset of the m reconstructed vectors to obtain a corresponding first ciphertext vector. Ciphertext vector sending unit 730 is configured to send the first ciphertext vector to the first party, enabling the first party to perform homomorphic operations based on the first ciphertext vector and the m reconstructed matrices to obtain a ciphertext product result; wherein any j-th reconstructed matrix includes the j-th column element of each original matrix, and the ciphertext product result is used to construct the result of the secure product operation.

[0122] In one embodiment, the ciphertext vector determination unit 720 is specifically configured to: perform homomorphic encryption on the m reconstructed vectors respectively to obtain m first ciphertext vectors.

[0123] In one embodiment, the ciphertext vector determination unit 720 is specifically configured to: divide the m reconstructed vectors into multiple groups in units of t and then concatenate them within each group to obtain multiple first concatenated vectors; and perform homomorphic encryption on each of the multiple first concatenated vectors to obtain multiple first ciphertext vectors.

[0124] In one embodiment, the apparatus 700 further includes: a result ciphertext receiving unit 740 configured to receive the product result ciphertext from the first party; and a first decryption unit 750 configured to decrypt the product result ciphertext to obtain the product result plaintext.

[0125] In one embodiment, the apparatus 700 further includes: a calculation result receiving unit 760, configured to receive a homomorphic operation result from the first party, which is obtained by the first party performing a homomorphic subtraction operation on a locally generated random number and the ciphertext of the product result; the random number is used by the first party as a first secret sharing fragment of the plaintext of the product result; and a second decryption unit 770, configured to decrypt the homomorphic operation result to obtain a second secret sharing fragment of the plaintext of the product result.

[0126] It should be understood that for a description of the data processing device, please also refer to the foregoing introduction to the data processing method.

[0127] According to another embodiment, a computer-readable storage medium is also provided, on which a computer program is stored, which, when executed in a computer, causes the computer to perform a combination Figure 2 or Figure 5 The method described.

[0128] According to another embodiment, a computing device is also provided, including a memory and a processor, wherein executable code is stored in the memory, and when the processor executes the executable code, it implements a combination... Figure 2 or Figure 5 The methods described herein. Those skilled in the art will recognize that, in one or more of the examples above, the functions described in this invention can be implemented using hardware, software, firmware, or any combination thereof. When implemented in software, these functions can be stored in a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium.

[0129] The specific embodiments described above further illustrate the purpose, technical solution, and beneficial effects of the present invention. It should be understood that the above description is only a specific embodiment of the present invention and is not intended to limit the scope of protection of the present invention. Any modifications, equivalent substitutions, improvements, etc., made on the basis of the technical solution of the present invention should be included within the scope of protection of the present invention.

Claims

1. A joint data processing method for two parties, used to perform a secure product operation on n original matrices held by a first party and n m-dimensional column vectors held by a second party, wherein the method is executed by the first party, comprising: Based on the n original matrices, m reconstruction matrices are determined; wherein any j-th reconstruction matrix includes the j-th column element of each original matrix. The first ciphertext vector is received from the second party, which is obtained by homomorphically encrypting several reconstructed vectors; a single reconstructed vector consists of n elements in the same row of the n m-dimensional column vectors; Homomorphic operations are performed based on the m reconstructed matrices and the first ciphertext vector to obtain the ciphertext of the product result, which is used to construct the result of the secure product operation.

2. The method according to claim 1, wherein, Each original matrix is ​​k*m dimensional. The first ciphertext vector is obtained by encrypting a single reconstructed vector. Homomorphic operations are performed based on the m reconstructed matrices and the first ciphertext vector to obtain the ciphertext of the product result, including: Homomorphic operations are performed on the m reconstructed matrices and m first ciphertext vectors to obtain the ciphertext of the product result, which includes k second ciphertext vectors corresponding to k rows in the result plaintext matrix. The i-th column in the result plaintext matrix is ​​the product of the i-th original matrix and the i-th m-dimensional column vector.

3. The method according to claim 2, wherein, Homomorphic operations are performed based on the m reconstruction matrices and m first ciphertext vectors to obtain the ciphertext of the product result, including: Homomorphic plaintext-ciphertext vector multiplication is performed on the m row vectors in the h-th row of the m reconstruction matrices and the m first ciphertext vectors to obtain m third ciphertext vectors; Homomorphic summation is performed on the m third ciphertext vectors to obtain the h-th second ciphertext vector.

4. The method according to claim 1, wherein, Each original matrix is ​​k*m dimensional; where the first ciphertext vector received from the second party includes: The second party receives multiple first ciphertext vectors obtained by homomorphically encrypting multiple first concatenated vectors, wherein the multiple first concatenated vectors are obtained by dividing the m reconstructed vectors into multiple groups in units of t and then concatenating them within each group, where t is an integer greater than 1 and less than m; Among them, homomorphic operations are performed based on the m reconstruction matrices and the first ciphertext vector to obtain the ciphertext of the product result, including: Homomorphic operations are performed on the m reconstructed matrices and the plurality of first ciphertext vectors to obtain the ciphertext of the product result, which includes a fourth ciphertext vector corresponding to the second concatenation vector formed by adjacent t rows in the result plaintext matrix. The i-th column in the result plaintext matrix is ​​the product of the i-th original matrix and the i-th m-dimensional column vector.

5. The method according to claim 4, wherein, Homomorphic operations are performed based on the m reconstruction matrices and the plurality of first ciphertext vectors to obtain the ciphertext of the product result, including: For each first ciphertext vector, perform multiple cyclic shifts using the length of the reconstructed vector as the unit to obtain multiple shifted ciphertext vectors; For each adjacent t rows, t vectors located in the same row are obtained from the m reconstruction matrices, resulting in m*t row vectors; Homomorphic operations are performed on the plurality of first ciphertext vectors and the plurality of shifted ciphertext vectors corresponding to each of the first ciphertext vectors, as well as the m*t row vectors, to obtain a fourth ciphertext vector corresponding to the adjacent t rows, which is used to form the ciphertext of the product result.

6. The method according to claim 1, wherein, After performing homomorphic operations based on the m reconstruction matrices and the first ciphertext vector to obtain the ciphertext of the product result, the method further includes: The encrypted product result is sent to the second party so that the second party can decrypt it to obtain the plaintext product result.

7. The method according to claim 1, wherein, After performing homomorphic operations based on the m reconstruction matrices and the first ciphertext vector to obtain the ciphertext of the product result, the method further includes: Generate a random number and share it as the first secret shard of the plaintext product result; Perform a homomorphic subtraction operation on the random number and the ciphertext of the product result to obtain the homomorphic operation result; The homomorphic operation result is sent to the second party, so that the second party can decrypt the homomorphic operation result to obtain the second secret sharing fragment of the plaintext of the product result.

8. A joint data processing method for two parties, used to perform a secure product operation on n original matrices held by a first party and n m-dimensional column vectors held by a second party, wherein the method is executed by the second party, comprising: Based on the n m-dimensional column vectors, m reconstructed vectors are determined; a single reconstructed vector is composed of n elements of the n m-dimensional column vectors in the same row; Homomorphic encryption is performed on some of the m reconstructed vectors to obtain the corresponding first ciphertext vector; The first ciphertext vector is sent to the first party so that the first party performs a homomorphic operation based on the first ciphertext vector and m reconstruction matrices to obtain a ciphertext of the product result; wherein any j-th reconstruction matrix includes the j-th column element of each original matrix, and the ciphertext of the product result is used to construct the result of the secure product operation.

9. The method according to claim 8, wherein, Homomorphic encryption is performed on several of the m reconstructed vectors to obtain the corresponding first ciphertext vector, including: Homomorphic encryption is performed on the m reconstructed vectors to obtain m first ciphertext vectors.

10. The method according to claim 8, wherein, Homomorphic encryption is performed on several of the m reconstructed vectors to obtain the corresponding first ciphertext vector, including: The m reconstructed vectors are divided into multiple groups with t as the unit, and then the groups are concatenated to obtain multiple first concatenated vectors, where t is an integer greater than 1 and less than m; Homomorphic encryption is performed on the multiple first concatenated vectors to obtain multiple first ciphertext vectors.

11. The method according to claim 8, wherein, After sending the first ciphertext vector to the first party, the method further includes: Receive the encrypted product result from the first party; The ciphertext of the product result is decrypted to obtain the plaintext of the product result.

12. The method according to claim 8, wherein, After sending the first ciphertext vector to the first party, the method further includes: The first party receives the homomorphic operation result, which is obtained by the first party performing a homomorphic subtraction operation on a locally generated random number and the ciphertext of the product result; the random number is used by the first party as the first secret sharing fragment of the plaintext of the product result; The homomorphic operation result is decrypted to obtain the second secret-sharing fragment of the plaintext of the product result.

13. A data processing apparatus for two parties, used to perform secure multiplication on n original matrices held by a first party and n m-dimensional column vectors held by a second party; The device is integrated into the first party and includes: The matrix reconstruction unit is configured to determine m reconstruction matrices based on the n original matrices; Any j-th reconstruction matrix includes the j-th column elements of each original matrix; The ciphertext vector receiving unit is configured to receive a first ciphertext vector from a second party, which is obtained by homomorphically encrypting a plurality of reconstructed vectors; a single reconstructed vector is composed of n elements in the same row of the n m-dimensional column vectors; The homomorphic operation unit is configured to perform homomorphic operations based on the m reconstruction matrices and the first ciphertext vector to obtain the ciphertext of the product result, which is used to construct the result of the secure product operation.

14. A data processing apparatus for two parties, used to perform a secure product operation on n original matrices held by a first party and n m-dimensional column vectors held by a second party; The device is integrated into the second party and includes: The vector reconstruction unit is configured to determine m reconstructed vectors based on the n m-dimensional column vectors; a single reconstructed vector is composed of n elements of the n m-dimensional column vectors in the same row; The ciphertext vector determination unit is configured to perform homomorphic encryption on a number of the m reconstructed vectors to obtain the corresponding first ciphertext vector. The ciphertext vector sending unit is configured to send the first ciphertext vector to the first party, so that the first party performs homomorphic operations based on the first ciphertext vector and m reconstruction matrices to obtain a ciphertext of the product result; wherein any j-th reconstruction matrix includes the j-th column element in each original matrix, and the ciphertext of the product result is used to construct the result of the secure product operation.

15. A computer-readable storage medium having a computer program stored thereon, wherein, When the computer program is executed in the computer, it causes the computer to perform the method according to any one of claims 1-12.

16. A computing device comprising a memory and a processor, wherein, The memory stores executable code, and when the processor executes the executable code, it implements the method of any one of claims 1-12.