Method and apparatus for performing matrix safe multiplication
By expanding, transposing, and rearranging matrices and vectors, and combining this with cyclic shift plaintext-ciphertext multiplication, the computational performance loss problem when the number of rows is much greater than the number of columns is solved, thus improving the efficiency of multi-party secure computation.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Patents(China)
- Current Assignee / Owner: ANT BLOCKCHAIN TECHNOLOGY (SHANGHAI) CO LTD
- Filing Date: 2023-06-15
- Publication Date: 2026-06-12
AI Technical Summary
In multi-party secure computation, existing technologies suffer severe performance degradation and inefficiency when handling matrix multiplication with a much larger number of rows than columns.
By expanding the dimensions of matrices and vectors to the smallest power of 2, and then transposing and rearranging them, plaintext-ciphertext multiplication is performed using a predefined homomorphic encryption method, combined with cyclic shift operations, thus reducing computational load and improving efficiency.
When the number of rows is much greater than the number of columns, the transpose and rearrange matrix multiplication can be used to convert the matrix into a transpose case, which significantly reduces the amount of computation and improves the efficiency of secure computing and related business processing.
Figure CN116702232B_ABST
Description
Technical Field
[0001] This specification relates to the field of secure computing technology, and more particularly to a method and apparatus for performing secure matrix multiplication.
Background Technology
[0002] Secure multi-party computation (MPC) involves multiple parties collaboratively computing a function without disclosing their individual input data. The result is then made public to one or more of the parties. Secure multi-party computation can be applied to privacy-preserving intersection problems, joint training of machine learning models, data querying, and more. A typical application is joint statistical analysis and machine learning of privacy-preserving multi-party data. Secure multi-party computation allows participating parties to compute statistical and machine learning results based on joint data without exposing their individual raw data. The function used in secure multi-party computation can be a statistical operation function, a machine learning algorithm, etc., such as secure multi-party multiplication or secure matrix multiplication. As a fundamental operation in business processing within a secure multi-party computation architecture, the performance of secure multi-party function computation directly impacts the processing efficiency of related business processes.
Summary of the Invention
[0003] This specification describes one or more embodiments of a method and apparatus for performing secure matrix multiplication to solve one or more problems mentioned in the background art.
[0004] According to a first aspect, a method for performing secure matrix multiplication is provided, applicable to a first party holding an m×n-dimensional matrix M, in the process of determining the matrix product of matrix M and vector v based on multi-party secure computation with a second party holding an n-dimensional vector v. The method includes: expanding matrix M in the row and column directions by padding with zeros to obtain an expanded matrix M', wherein the number of rows m' of the expanded matrix M' is a power of 2 greater than m, and the number of columns n' is a power of 2 greater than n; rearranging the elements of the transpose matrix u of the expanded matrix M' to obtain a rearranged matrix u', such that the rearranged matrix u' has n' rows and T' columns, where T' is a power of 2 not less than the minimum order T supported by a predetermined homomorphic encryption method, and the element in the i-th row and j-th column of the rearranged matrix u' is the element in the s-th row and j-th column of the transpose matrix u, where s is the sum of i and j modulo n'; calculating, row by row through plaintext-ciphertext multiplication, the ciphertext product vector of each row of the rearranged matrix u' with the ciphertext encoded vector E(v'), wherein after the calculation for a single row the ciphertext encoded vector E(v') is updated by cyclic shifting, and the ciphertext encoded vector E(v') is obtained by the second party by cyclically arranging, in T dimensions, the n'-dimensional vector obtained by padding vector v with zeros, and then encrypting it; determining the ciphertext sum vector of the ciphertext product vectors; and, based on the ciphertext sum vector, providing the ciphertext information of the matrix product to the second party so that the second party can decrypt the ciphertext information to obtain the result data corresponding to the matrix product.
[0005] In one embodiment, the predetermined homomorphic encryption method is one of BFV, BGV, and CKKS.
[0006] In one embodiment, the step of calculating the ciphertext product vectors corresponding to each row of the rearranged matrix u' and the ciphertext coding vector E(v') by ciphertext multiplication row by row includes: for a single row, multiplying each element in the single row with the corresponding ciphertext element in the ciphertext coding vector E(v'), and using the resulting product as the corresponding element in the corresponding ciphertext product vector.
[0007] In one embodiment, the cyclic shift operation is as follows: the first element is moved to the last position, and all other elements are moved forward by one position.
[0008] In one embodiment, the cyclic shift operation is implemented using a rotation key provided by a second party for rotating data encrypted with an encryption key provided by the second party. The second party also holds a decryption key for decrypting data processed by the encryption key and the rotation key.
[0009] In one embodiment, the step of calculating the ciphertext product vectors corresponding to each row of the rearranged matrix u' and the ciphertext encoding vector E(v') through row-by-row plaintext multiplication includes: performing a homomorphic vector bitwise multiplication on a single row and the ciphertext encoding vector E(v') to obtain the corresponding single ciphertext product vector.
[0010] In one embodiment, providing the ciphertext information of the matrix product to the second party based on the ciphertext sum vector includes: providing the ciphertext sum vector as the ciphertext information of the matrix product to the second party so that the second party can decrypt the matrix product as the result data corresponding to the matrix product.
[0011] In one embodiment, providing the ciphertext information of the matrix product to the second party based on the ciphertext sum vector includes: determining a first slice b1 of the matrix product based on a generated random vector r with the same dimension as the ciphertext sum vector; calculating the plaintext-ciphertext difference between the ciphertext sum vector and the random vector r; and providing the plaintext-ciphertext difference as the ciphertext information of the matrix product to the second party so that the second party can decrypt the plaintext-ciphertext difference to obtain a second slice b2 of the matrix product as the result data of the matrix product.
[0012] In a further embodiment, determining the first slice b1 of the matrix product based on the generated random vector r with the same dimension as the ciphertext sum vector includes: dividing the random vector r into multiple sub-vectors according to the number of rows m of the matrix M; and determining the first slice b1 of the matrix product based on the sum of the sub-vectors.
[0013] According to a second aspect, a method for performing secure matrix multiplication is provided, applicable to a second party holding an n-dimensional vector v, in the process of determining the matrix product of matrix M and vector v based on multi-party secure computation with a first party holding an m×n-dimensional matrix M. The method includes: padding vector v with zeros up to dimension n', the smallest power of 2 greater than n, to obtain an expanded vector v'; cyclically arranging the n'-dimensional expanded vector v' in a dimension T' not less than T to obtain an encoded vector R(v'), where T is the minimum order supported by a predetermined homomorphic encryption method, and T' is a power of 2; encrypting the encoded vector R(v') using a pre-generated encryption key to obtain a ciphertext encoded vector E(v') to provide to the first party; and receiving ciphertext information of the matrix product fed back by the first party, wherein the ciphertext information of the matrix product is determined as follows: the elements of the transpose matrix u of the expanded matrix M' are rearranged to obtain the rearranged matrix u'; the ciphertext product vectors corresponding to each row of the rearranged matrix u' and the ciphertext encoded vector E(v') are calculated row by row through plaintext-ciphertext multiplication; and the ciphertext information of the matrix product is determined based on the ciphertext sum obtained by summing the ciphertext product vectors. Here, the number of rows m' of the expanded matrix M' is a power of 2 greater than m, and the number of columns is n'. The rearranged matrix u' has n' rows and no less than T columns. The element in the i-th row and j-th column of the rearranged matrix u' is the element in the s-th row and j-th column of the transpose matrix u, where s is the sum of i and j modulo n'. After the calculation for a single row, the ciphertext encoded vector E(v') is updated by cyclic shifting. The ciphertext information of the matrix product is decrypted using the decryption key corresponding to the encryption key to obtain the result data corresponding to the matrix product.
[0014] In one embodiment, the predetermined homomorphic encryption method is one of BFV, BGV, and CKKS.
[0015] In one embodiment, the cyclic shift operation is implemented using a rotation key, which is a Galois key and forms a key group with the encryption key and the decryption key. The method further includes generating the rotation key based on the encryption key and providing it to a first party.
[0016] In one embodiment, the ciphertext information of the matrix product is the ciphertext of the matrix product, and the result data is the matrix product; or, the ciphertext information of the matrix product is the plaintext-ciphertext difference with respect to the random vector r, and the result data is the second slice b2 of the matrix product, wherein b2 and the first slice b1 of the matrix product determined by the first party based on the random vector r constitute the sum-shared form of the matrix product.
[0017] In a further embodiment, the step of decrypting the ciphertext information of the matrix product fed back by the first party using the decryption key corresponding to the encryption key to obtain the result data corresponding to the matrix product includes: dividing the plaintext result obtained by decrypting the ciphertext information of the matrix product into multiple sub-vectors according to the number of rows m of the matrix M; and determining the result data corresponding to the matrix product based on the sum of the sub-vectors.
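The flow of the first and second aspects can be checked in plaintext. The following is an added example, not code from the patent: `MockCiphertext` is a hypothetical stand-in for a BFV/BGV/CKKS ciphertext and performs no encryption, T' is a toy slot count passed in as `t_prime`, and filling the columns of u' beyond m' with zeros is an assumption, since the text above does not say how they are filled.

```python
"""Plaintext simulation of the transpose-and-rearrange matrix-vector product.

Added illustration only: MockCiphertext performs no encryption, it merely
restricts the first party to the slot-wise operations a packed homomorphic
scheme would offer (plaintext multiply, add, rotate by one slot).
"""


def next_pow2_gt(x):
    """Smallest power of 2 strictly greater than x (5 -> 8), as in the text."""
    p = 1
    while p <= x:
        p *= 2
    return p


class MockCiphertext:
    """Hypothetical stand-in for a packed ciphertext with T' slots."""

    def __init__(self, slots):
        self._slots = list(slots)

    def mul_plain(self, plain_row):
        # Plaintext-ciphertext multiplication, slot by slot.
        return MockCiphertext(a * b for a, b in zip(plain_row, self._slots))

    def add(self, other):
        return MockCiphertext(a + b for a, b in zip(self._slots, other._slots))

    def rotate_left(self):
        # Cyclic shift: first element moves to the last position.
        return MockCiphertext(self._slots[1:] + self._slots[:1])

    def decrypt(self):
        # Only the second party (key holder) would be able to do this.
        return list(self._slots)


def second_party_encode(v, t_prime):
    """Pad v to n', repeat it cyclically over T' slots, then 'encrypt'."""
    n_p = next_pow2_gt(len(v))
    if t_prime % n_p:
        raise ValueError("T' must be a multiple of n'")
    v_p = list(v) + [0] * (n_p - len(v))
    return MockCiphertext(v_p * (t_prime // n_p))


def first_party_multiply(M, enc_v, t_prime):
    """Return (ciphertext sum vector, number of plaintext-ciphertext mults)."""
    m, n = len(M), len(M[0])
    m_p, n_p = next_pow2_gt(m), next_pow2_gt(n)
    if t_prime < m_p or t_prime % n_p:
        raise ValueError("T' must be >= m' and a multiple of n'")
    # Expanded matrix M' (m' x n'), zero padded in both directions.
    M_p = [list(r) + [0] * (n_p - n) for r in M]
    M_p += [[0] * n_p for _ in range(m_p - m)]
    # Transpose u (n' x m').
    u = [[M_p[r][c] for r in range(m_p)] for c in range(n_p)]
    # Rearranged u' (n' x T'): u'[i][j] = u[(i + j) % n'][j].
    # Assumption: columns j >= m' are zero.
    u_r = [[u[(i + j) % n_p][j] if j < m_p else 0 for j in range(t_prime)]
           for i in range(n_p)]
    acc, ct, mults = None, enc_v, 0
    for row in u_r:                      # n' rows, independent of m
        prod = ct.mul_plain(row)
        mults += 1
        acc = prod if acc is None else acc.add(prod)
        ct = ct.rotate_left()            # update E(v') for the next row
    return acc, mults


def second_party_decode(ct, m):
    """Decrypt and keep the m meaningful slots (layout assumption above)."""
    return ct.decrypt()[:m]


def run_demo():
    # Constructed sample input: 6 rows, 3 columns (rows > columns).
    M = [[1, 2, 3], [4, 5, 6], [7, 8, 9], [1, 0, 1], [0, 2, 0], [3, 1, 2]]
    v = [2, 1, 3]
    t_prime = 16                         # toy value; the page cites 4096
    enc_v = second_party_encode(v, t_prime)
    acc, mults = first_party_multiply(M, enc_v, t_prime)
    return second_party_decode(acc, len(M)), mults


if __name__ == "__main__":
    z, mults = run_demo()
    print("M*v =", z, "using", mults, "plaintext-ciphertext multiplications")
```

Here m' = 8 and n' = 4, so the loop performs 4 plaintext-ciphertext multiplications, one per row of u', regardless of how many rows M has.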
[0018] According to a third aspect, an apparatus for performing secure matrix multiplication is provided, wherein a first party holding an m×n-dimensional matrix M is configured to determine, based on multi-party secure computation, the matrix product of matrix M and vector v with a second party holding an n-dimensional vector v, the apparatus comprising:
[0019] An expansion unit is configured to expand matrix M in both row and column directions by padding with zeros to obtain an expanded matrix M', wherein the number of rows m' of the expanded matrix M' is the least power of 2 greater than m, and the number of columns n' is the least power of 2 greater than n;
[0020] The rearrangement unit is configured to obtain a rearranged matrix u' by rearranging the elements of the transpose matrix u of the expanded matrix M', such that the number of rows of the rearranged matrix u' is n' and the number of columns is T', where T' is a power of 2 not less than the minimum order T supported by the predetermined homomorphic encryption method, and the element in the i-th row and j-th column of the rearranged matrix u' is the element in the s-th row and j-th column of the transpose matrix u, where s is the sum of i and j modulo n';
[0021] The computation unit is configured to calculate, row by row, the ciphertext product vectors corresponding to each row of the rearranged matrix u' and the ciphertext encoded vector E(v'), wherein, after calculating a single row, the ciphertext encoded vector E(v') is updated by cyclic shifting. The ciphertext encoded vector E(v') is obtained by encrypting an n'-dimensional vector obtained by cyclically arranging the vector v in T' dimensions after padding with zeros.
[0022] Determine the ciphertext sum vector of the ciphertext product vectors;
[0023] The providing unit is configured to provide the second party with the ciphertext information of the matrix product based on the ciphertext sum vector, so that the second party can decrypt the ciphertext information to obtain the result data corresponding to the matrix product.
[0024] According to a fourth aspect, an apparatus for performing secure matrix multiplication is provided, wherein a second party holding an n-dimensional vector v is configured to determine, based on multi-party secure computation, the matrix product of matrix M and vector v with a first party holding an m×n-dimensional matrix M, the apparatus comprising:
[0025] The expansion unit is configured to fill the dimension of vector v to the smallest power of 2 n' greater than n by padding with zeros, thus obtaining the expanded vector v'.
[0026] The arrangement unit is configured to cyclically arrange the n'-dimensional expanded vector v' in a dimension T' not less than T to obtain the encoded vector R(v'), where T is the minimum order supported by the predetermined homomorphic encryption method, and T' is a power of 2;
[0027] The encryption unit is configured to encrypt the encoding vector R(v') using a pre-generated encryption key to obtain the ciphertext encoding vector E(v') and provide it to the first party.
[0028] The receiving unit is configured to receive the ciphertext information of the matrix product fed back by the first party. The ciphertext information of the matrix product is determined by the first party in the following manner: rearranging the elements of the transpose matrix u of the expanded matrix M' of matrix M to obtain a rearranged matrix u'; calculating the respective ciphertext product vectors corresponding to each row of the rearranged matrix u' and the ciphertext encoded vector E(v') through plaintext-ciphertext multiplication; and determining the ciphertext information of the matrix product based on the ciphertext sum vector obtained by summing the ciphertext product vectors, wherein the number of rows m' of the expanded matrix M' is the least power of 2 greater than m, and the number of columns is n'. The number of rows of the rearranged matrix u' is n' and the number of columns is not less than T. The element in the i-th row and j-th column of the rearranged matrix u' is the element in the s-th row and j-th column of the transpose matrix u, where s is the sum of i and j modulo n'. After the calculation is completed for a single row, the ciphertext encoded vector E(v') is updated by cyclic shifting.
[0029] The decryption unit is configured to decrypt the ciphertext information of the matrix product using a decryption key corresponding to the encryption key, so as to obtain the result data corresponding to the matrix product.
[0030] According to a fifth aspect, a computer-readable storage medium is provided having a computer program stored thereon, which, when executed in a computer, causes the computer to perform the method of the first or second aspect.
[0031] According to a sixth aspect, a computing device is provided, including a memory and a processor, characterized in that the memory stores executable code, and when the processor executes the executable code, it implements the method of the first aspect or the second aspect.
[0032] In the method and apparatus provided in the embodiments of this specification, in the process of determining the matrix product of matrix M and vector v based on multi-party secure computation between a first party holding an m×n-dimensional matrix M and a second party holding an n-dimensional vector v, the second party pads vector v to dimension n', the smallest power of 2 greater than n, and encodes it in a cyclic arrangement along T' dimensions. The encoded vector is then encrypted, and the resulting ciphertext encoded vector E(v') is provided to the first party. The first party expands matrix M in the row and column directions, transposes and rearranges it, and multiplies the rearranged matrix u' row by row with the ciphertext encoded vector E(v'). The ciphertext information of the matrix product is determined from the ciphertext sum vector obtained by summing the resulting ciphertext product vectors. After the first party provides the ciphertext information of the matrix product to the second party, the second party decrypts it to obtain the result data corresponding to the matrix product. In this way, the matrix and vector multiplication calculation can be transformed into a transpose case. When the number of rows is greater than the number of columns, the computational load can be greatly reduced, improving the computational efficiency of secure computation and related business processing efficiency.
Attached Figure Description
[0033] To more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the following description of the embodiments will be briefly introduced. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0034] Figure 1 illustrates the two-way interaction flowchart for performing secure matrix multiplication according to an example of conventional techniques.
[0035] Figure 2 illustrates the two-party interaction flowchart for performing secure matrix multiplication according to the technical concept of this specification.
[0036] Figure 3 illustrates the data relationships for a simple example of secure matrix multiplication as described in this specification.
[0037] Figure 4 shows a flowchart of secure matrix multiplication performed by the matrix holder according to one embodiment.
[0038] Figure 5 shows a flowchart of secure matrix multiplication performed by the vector holder according to one embodiment.
[0039] Figure 6 shows a schematic block diagram of an apparatus for performing secure matrix multiplication, located on the matrix holder's side, according to one embodiment.
[0040] Figure 7 shows a schematic block diagram of an apparatus for performing secure matrix multiplication, located on the vector holder's side, according to one embodiment.
Detailed Implementation
[0041] The technical solutions provided in this specification are described below with reference to the accompanying drawings.
[0042] First, some concepts that may be involved in this specification are described.
[0043] Secret sharing, also known as secret splitting, is a cryptographic technique originally used for managing secret information. Its basic principle is to split a secret (such as a key) into multiple shares, each held by a different person. The secret can only be recovered by merging the shares of more than a threshold number of participants; no information can be recovered from fewer shares. In multi-party secure computation, the threshold number is usually the same as the number of participants.
[0044] In multi-party secure computation, in addition to secure addition and secure multiplication of numerical values, basic operations such as matrix addition and matrix multiplication can also be included. Here, basic operations refer to the basic operational modules that the business process can be broken down into. For example, secure addition and secure multiplication are basic operational modules; a squaring operation of a numerical value shared by all participants can be broken down into secure multiplication and secure addition operations.
[0045] In secure computation, privacy protection requirements may necessitate significant increases in auxiliary computation and communication. This specification proposes improvements to matrix multiplication operations in multi-party secure computation. Matrix multiplication can be understood as a combination of multiple matrix and vector multiplication operations. For example, the multiplication of an m×n matrix M and an n×p matrix V results in an m×p matrix B. The multiplication of M and V can be viewed as p product operations, each multiplying M by one of the p n-dimensional column vectors of V. These p product operations yield p vectors, each representing a column of matrix B. Therefore, this specification uses the secure multiplication of matrix M and vector v as an example. Here, m, n, and p are all positive integers. When p = 1, V and B are n-dimensional and m-dimensional column vectors, respectively. The secure multiplication of matrix M and vector v can also be called a matrix multiplication tuple; that is, any matrix multiplication can be decomposed into at least one matrix multiplication tuple.
[0046] Specifically, in a two-party secure computation architecture, when performing matrix multiplication tuple computation, one party (let's call it the first party) holds matrix M, and the other party (let's call it the second party) holds vector v (assumed to be a column vector in this specification). The two parties can then securely compute the product of matrix M and vector v (hereinafter referred to as the matrix product) based on homomorphic encryption. This matrix product (let's call it z) can be obtained by the party holding vector v, or it can be shared between the two parties. For example, one party obtains the matrix product z = Mv, or both parties each obtain a fragment of the matrix product z (one party obtains z1, the other party obtains z2, and z = z1 + z2 modulo 2^N, where N is the number of bits representing the slice held by a single participant). When the matrix product z is obtained by one party, it is typically obtained by the party holding the decryption key (e.g., the second party). In secure computation based on homomorphic encryption, the party holding the decryption key can usually generate key pairs, such as a public-private key pair, which serve as the encryption key and decryption key, respectively. Typically, the public key can be made public to other participants, thus serving as the encryption key, and the private key as the decryption key. The generation of key pairs can be done in a conventional way, which will not be elaborated upon here.
[0047] BFV (the Brakerski/Fan-Vercauteren scheme, a homomorphic encryption scheme based on the RLWE (Ring Learning With Errors) problem) is a commonly used fully homomorphic encryption method. Due to the limitations of the BFV scheme, the matrix needs to be filled with at least 4096 columns (this is determined by the BFV algorithm itself; too few columns will reduce usability due to limited computational space), and the number of rows in the matrix must be less than or equal to the number of columns. However, in real-world scenarios, the number of rows in a matrix may far exceed the number of columns, such as 256 rows × 8 columns. Since computational performance is primarily linearly related to the number of rows, matrix multiplication with a greater number of rows than columns can result in significant performance degradation.
[0048] Similar homomorphic encryption methods include BGV (Fully Homomorphic Encryption without Bootstrapping), CKKS (Cheon-Kim-Kim-Song scheme, which supports homomorphic operations on floating-point addition and multiplication for real or complex numbers), and so on.
[0049] Taking the matrix product of matrix M and vector v mentioned earlier as an example, the first party holds an m×n matrix M, and the second party holds an n×1 vector v. The matrix product of M and v is denoted as z, where z is an m×1 vector. m is less than the vector dimension supported by BFV. In determining z, the first party can obtain the first fragment z1 of z, and the second party can obtain the second fragment z2 of z. Under a predetermined homomorphic encryption method (such as one of BFV, BGV, or CKKS), the second party can generate a key pair, which includes an encryption key (such as a public key) and a decryption key (such as a private key). The encryption key can be made public to the first party, and the decryption key is used to decrypt data encrypted with the encryption key. However, simply possessing the encryption key is not enough to decrypt data encrypted with the encryption key.
[0050] Referring to Figure 1, in one computational method using conventional technology, the first and second parties can perform the following interactive operations:
[0051] Step 101: The second party fills the dimension of vector v with zeros to the smallest power of 2 greater than n, to obtain the extended vector v', and provides the encrypted extended vector ciphertext to the first party.
[0052] For example, if n = 5, then the dimension of vector v can be expanded to the smallest power of 2 greater than 5, i.e., 2^3 = 8. Assume v = [v1, v2, v3, v4, v5]^T. Then, expanding to 8 dimensions, we get v' = [v1, v2, v3, v4, v5, 0, 0, 0]^T. The second party then encrypts v' using the encryption key (let's call it E) to obtain the extended vector ciphertext E0(v'), which the second party can then provide to the first party. For ease of description, the smallest power of 2 greater than n can be denoted as n' = 2^t.
[0053] Step 102: The first party expands matrix M in both rows and columns by padding with zeros, obtaining an expanded matrix M', where the number of rows and columns of the expanded matrix M' are both powers of 2. Specifically, the number of rows m' of the expanded matrix is the smallest power of 2 greater than m, and the number of columns n'' is not less than the smallest power of 2 supported by the predetermined homomorphic encryption method, such as n'' being 4096 = 2^12 or a higher power of 2. The expansion method is similar to that of vector v, except that matrix M is padded with zeros in both rows and columns, which will not be elaborated here.
[0054] Step 103: According to the principle of matrix multiplication, rearrange the extended matrix M' so that the sum of the vectors obtained by multiplying each row of the rearranged matrix element-wise with the extended vector v', with v' cyclically shifted between rows, is consistent with the product of the extended matrix M' and the extended vector v'.
[0055] It can be understood that, according to the principle of matrix multiplication, in the product of matrix M and matrix V, the element in the i-th row and j-th column is the sum of the products of the corresponding elements of the i-th row of matrix M and the j-th column of matrix V. When matrix V is a column vector v, the product of matrix M and vector v is a column vector, and each element is the product of the corresponding row in matrix M and vector v.
[0056] As an example, suppose matrix M is 4×4 in size, denoted as:
[0057]
[0058] The vector v is of size 4×1, denoted as: The product of matrix M and vector v is:
[0059]
[0060] Considering that homomorphic encryption methods like BFV allow vector operations such that multiplying corresponding elements of any pair of vectors results in a new vector of the same dimension, we can first calculate the following matrix P:
[0061]
[0062] Observation shows that by adding the corresponding elements of each row of matrix P, we can obtain the transpose of the product z of matrix M and vector v. Furthermore, in adjacent rows or columns of matrix P, the elements in vector v undergo a cyclic shift (cyclic index offset, which can also be understood as a cyclic numerical shift with carry-over from top to bottom), and the corresponding elements m_ij of matrix M follow this pattern: the i-th column of P corresponds to the i-th row of M, and a cyclic shift occurs in a single column of P, consistent with the shift of vector v.
[0063] To successfully calculate vector products, matrix M can be rearranged to satisfy the pattern in P. Alternatively, vector v can be cyclically shifted so that the corresponding tuples after rearranging matrix M and cyclically shifting vector v correspond in the order specified in P.
[0064] In this specification, the calculation in the ciphertext is performed by multiplying the extended matrix M' with the extended vector ciphertext E0(v').
[0065] It is understandable that, in actual calculations, the number of columns in the extended matrix M' is much greater than the number of columns in the extended vector v' or its ciphertext E(v'). To ensure that the dimensions of the extended matrix M' correspond to those of the extended vector v', during the rearrangement of the extended matrix M', it can be split into multiple matrices with the same number of columns as the dimensions of the extended vector v'.
[0066] According to one specific implementation, the rearranged matrix is denoted as M'', and the rearrangement method for the extended matrix M' is: $M''_{ij} = M'_{(j \% m'),\,((i+j) \% n'')}$. Here, % represents modulo, the value of i can be from 0 to m'-1, and the value of j can be from 0 to the number of columns of the extended matrix M', such as 4096. After rearrangement, the number of columns is still n'', and the number of rows is still m'.
[0067] As an example, let's assume a 3×5 dimensional matrix M is as follows:
[0068]
[0069] After padding with zeros and rearranging, we obtain matrix M'', for example:
[0070]
[0071] Step 104: The first party performs plaintext-ciphertext multiplication on each row of the rearranged matrix M'' and the extended vector ciphertext E0(v') to obtain each ciphertext product vector.
[0072] Those skilled in the art will understand that homomorphic encryption algorithms such as BFV support vectorized operations, allowing the element-wise product of a pair of vectors to be calculated in a single operation. A single row in the rearranged matrix M'' undergoes plaintext-ciphertext multiplication with the ciphertext of vector v, which can be element-wise multiplication: multiplying each plaintext element of the row with the corresponding ciphertext element of the ciphertext of vector v yields the corresponding ciphertext product. A single ciphertext product is an n''-dimensional ciphertext product vector. After each row multiplication operation, the expanded ciphertext vector E0(v') undergoes a cyclic shift operation so that it corresponds to the next row of the rearranged matrix M'', following the pattern of the matrix P described above.
[0073] Step 105: The first party sums the ciphertext product vectors to obtain the ciphertext product E(z) of the extended matrix M' and the extended vector ciphertext E(v').
[0074] Step 106: The first party provides the second party with the ciphertext information of the ciphertext product E(z), so that the second party can decrypt the ciphertext information in step 107 to obtain the result data of the matrix product b.
[0075] If the matrix product z of matrix M and vector v is to be shared in sliced form between the first and second parties, the first party can perform plaintext-ciphertext subtraction between the ciphertext E(z) and its local first slice z1 = r of the matrix product z, obtaining the ciphertext form E(z-r) of the second slice of the matrix product, and provide E(z-r) as ciphertext information to the second party. Here, r can be an m'-dimensional random vector generated by the first party. The second party decrypts E(z-r) using the decryption key to obtain z-r, and after decoding z-r, obtains the second slice z2 = z-r.
[0076] If the product vector z of matrix M and vector v is obtained by the second party, the first party can provide the second party with the ciphertext E(z) of the matrix product z as ciphertext information. The second party decrypts E(z) using the decryption key to obtain the matrix product z.
[0077] Understandably, because multiple positions are padded with 0 during the expansion of matrix M and vector v, there may be many elements with a value of 0 during the cyclic shift process. Therefore, each ciphertext product vector determined in step 104 may contain multiple 0 elements (invalid elements). For example, for a 5-dimensional vector expanded to $v = [v_1, v_2, v_3, v_4, v_5, 0, 0, 0]^T$, multiple zero elements are multiplied by elements in M'' during the cyclic shift process, resulting in elements with a product of 0. Therefore, the second party can truncate and sum the plaintext result data after decryption, depending on the actual situation. For example, it can truncate it into multiple 8-dimensional sub-vectors (in practice, the dimensions of the expanded matrix usually meet the algorithm's requirements, such as 4096 dimensions) and then sum them. Here, the purpose of summing the sub-vectors is to eliminate invalid elements (zero-value elements) obtained by multiplying the zero-padded elements with other elements.
[0078] In the above process, since the number of columns in matrix M needs to be expanded to powers of 2 (4096 or higher), the computational complexity in at least step 104 is determined by the number of rows. Therefore, the computational performance of matrix M and vector v depends on the number of rows in matrix M. To address this, this specification proposes an improved scheme for cases where the number of rows is much greater than the number of columns (e.g., the ratio of rows to columns is greater than a predetermined threshold). This involves transposing the expanded matrix before constructing the corresponding vector multiplication, thereby effectively reducing the amount of expanded matrix data, decreasing computational overhead, and improving computational efficiency.
[0079] Furthermore, as is known from conventional techniques, due to the padding of zeros, the expanded matrices and vectors contain a large number of zero values, which consume significant redundant computational resources in multiplication and addition calculations. To address this, the technical concept outlined in this specification proposes a method of cyclically arranging the elements, allowing multiple sets of data to be processed simultaneously during plaintext-ciphertext multiplication of matrix rows and vectors.
[0080] The technical concept of this specification is described in detail below.
[0081] Figure 2 illustrates the interaction flow of two parties performing secure matrix multiplication according to an embodiment of this specification. The two parties are denoted as Party A and Party B. This flow is applicable to the process where Party A and Party B cooperate based on a multi-party security architecture to complete secure multiplication of matrix M and vector v, and is especially suitable for situations where the number of rows in matrix M is much greater than the number of columns. It is assumed that Party A holds matrix M, and Party B holds vector v. Matrix M is an m x n matrix, and vector v is an n-dimensional vector.
[0082] The following refers to Figure 2, which illustrates the interaction flow between the first and second parties in matrix-secure multiplication performed based on multi-party secure computation.
[0083] First, through step 201, the second party provides the first party with at least the rotation key from the key group of the generated encryption key, decryption key, and rotation key.
[0084] In this context, the encryption key, for example, is the public key in a public-private key pair, used to encrypt data. The decryption key, for example, is the private key, used to decrypt data encrypted with the encryption key. The rotation key, for example, is the Galois key, which can move plaintext within the same ciphertext. For instance, a plaintext vector (1, 2, 3) corresponds to ciphertext c. During ciphertext field computation, the Galois key can be used to move the plaintext, such as making 2 correspond to the first position, resulting in the ciphertext c' of the plaintext vector (2, 3, 1). It is important to note that when using the Galois key to manipulate vectors in the ciphertext field, the operations on each element are synchronized. Therefore, in the above position-shifting operation, each element moves forward one position, and the first element rolls back to the last element.
[0085] Since the rotation key is used to manipulate data encrypted with the encryption key, the encryption key, decryption key, and rotation key can be referred to as a key set. The key set can be generated in advance and stored as reserve data by the second party, or it can be generated in real-time during the current matrix-secure multiplication process; this specification does not limit this. If generated in advance, the current matrix-secure multiplication process may not include the above step 201. It is worth noting that for a key set used for matrix-secure multiplication, the second party must provide at least the aforementioned rotation key to the first party. In an optional implementation, the second party may also provide the encryption key to the first party.
[0086] In step 202, the second party fills the dimension of vector v to the smallest power of 2 greater than n by padding with zeros to obtain the extended vector v', and encodes the extended vector v' into the encoded vector R(v') under the predetermined homomorphic encryption method.
[0087] Here, the predetermined homomorphic encryption method is, for example, a homomorphic encryption method that supports vector operations, such as BFV or CKKS. The dimension of the encoded vector (e.g., denoted poly_degree) is determined by the predetermined homomorphic encryption method, for example, not less than 4096 (i.e., $2^{12}$), and is a power of 2. It can be understood that the dimension of the extended vector v' (denoted as n') is usually much smaller than the dimension supported by the above homomorphic encryption methods, so the dimension of the encoded vector is usually a multiple of the dimension of the extended vector v'.
[0088] Therefore, when encoding the extended vector v', we can consider tiling the extended vector across the dimensions supported by homomorphic encryption. That is, the values of each dimension of the extended vector v' are repeated cyclically until the dimension of the encoded vector is reached. As an example, let w'[i] denote the i-th dimension of the encoded vector (0 ≤ i ≤ poly_degree - 1); then we have: w'[i] = v'[i % n']. Thus, the values of each dimension of the extended vector v' repeat in the 0th to (n'-1)-th dimensions, the n'-th to (2n'-1)-th dimensions, and so on, of the encoded vector. Therefore, the extended vector v' can be encoded into the encoded vector R(v') supported by each level of the predetermined homomorphic encryption method.
[0089] Then, in step 203, the second party provides the first party with the ciphertext encoded vector E(v') obtained by encrypting the encoded vector R(v') with the encryption key.
[0090] On the other hand, the first party can expand the matrix M to obtain the expanded matrix M' through step 204, such that the number of rows m' of the expanded matrix M' is the smallest power of 2 greater than m, and the number of columns n' is the smallest power of 2 greater than n, and then transpose and rearrange the expanded matrix M'.
[0091] It can be seen that the number of columns in the extended matrix M' is the same as the dimension of the extended vector v'. When the number of rows is much greater than the number of columns, in order to reduce the number of rows, the extended matrix M' can be transposed, thus swapping the number of rows and columns. Matrix transposition can be implemented using regular transpose components or modules, such as the "transpose()" component. The transpose matrix is denoted as u, then u is an n' row m' column matrix.
[0092] Then, the transpose matrix u can be rearranged to satisfy the correspondences required for matrix multiplication, such as the matrix P mentioned earlier. Considering the dimension of vector operations supported by homomorphic encryption methods (such as BFV, CKKS, etc.), the number of columns T' of the rearranged matrix can be no less than the minimum order T supported by the corresponding homomorphic encryption method (such as 4096), for example, T, 2T, 2... 2T, etc. The extended vector v' uses multiple cyclic repetitions during encoding. To ensure consistent operations, the rearranged matrix u' of the transpose matrix u can also be cyclically arranged in its columns. Specifically, when rearranging the transpose matrix u, the number of rows ranges from 0 to n'-1, and the elements in each column satisfy the following rule: $u'_{ij} = u_{sj}$, where row index i is a number between 0 and n'-1, column index j is a number between 0 and T'-1, and row index s is (i+j) modulo n'. Thus, the elements of the transpose matrix u can be rearranged over n' rows, with each row containing T' elements. The elements in the columns of the transpose matrix u are arranged diagonally along the rows of the rearranged matrix u'.
[0093] As an example, the expansion, transpose, and rearrangement process of the expanded matrix M' is as shown in Figure 3. In Figure 3, assuming the extended matrix M' is a 4x2 matrix (more rows than columns), after transpose processing, we obtain a 2x4 transpose matrix u. Then, the encoding rearrangement process is equivalent to dividing the transpose matrix u into multiple 2x2 square matrices (submatrices), rearranging each square matrix, and splicing them along the column dimension in the corresponding order.
[0094] Then, in step 205, the first party can calculate the ciphertext product vector of each row in the rearranged matrix u' with the ciphertext encoded vector E(v'), and sum the ciphertext product vectors to obtain the ciphertext sum vector.
[0095] After each row is calculated, the ciphertext encoded vector E(v') is rotated in ciphertext form, so that it is cyclically shifted starting from its current state. Optionally, the ciphertext rotation operation can be performed using the rotation key determined in step 201. In the specific example shown in Figure 3, the ciphertext encoded vector E(v') is $(v_0, v_1, v_0, v_1)$; multiplying the first row vector $(u_{00}, u_{11}, u_{20}, u_{31})$ of the rearranged matrix u' with the ciphertext encoded vector E(v') yields the ciphertext product vector $(u_{00}v_0, u_{11}v_1, u_{20}v_0, u_{31}v_1)$ corresponding to the first row. Then, by rotating the ciphertext encoded vector E(v') in ciphertext form using the rotation key, a cyclically shifted vector $E'(v') = (v_1, v_0, v_1, v_0)$ is obtained; multiplying the second row vector $(u_{01}, u_{10}, u_{21}, u_{30})$ of the rearranged matrix u' with the ciphertext encoded vector E'(v') yields the ciphertext product vector $(u_{01}v_1, u_{10}v_0, u_{21}v_1, u_{30}v_0)$ corresponding to the second row.
[0096] In an optional embodiment, the product vector of a single row of the rearranged matrix u' and the ciphertext encoded vector can also be calculated based on the homomorphic vector bitwise multiplication operation. It can be understood that the homomorphic vector bitwise multiplication can be a vector bitwise multiplication (also called element-wise multiplication) calculation under homomorphic encryption. Specifically, under homomorphic encryption, for a plaintext A and a ciphertext E(B) of data B, when performing the operation f(A, B) corresponding to the mapping f, the ciphertext E(f(A,B)) of f(A,B) can be calculated using the plaintext and ciphertext. This plaintext and ciphertext calculation process can be implemented through a complex operation g, denoted as: E(f(A,B)) = g(A, E(B)). Here, in the homomorphic vector bitwise multiplication that produces the ciphertext product vector of a single row and the ciphertext encoded vector, the single row of the rearranged matrix u' corresponds to the plaintext A, and the ciphertext encoded vector corresponds to the ciphertext E(B). The complex operation g can be implemented by polynomial encoding, etc. Polynomial multiplication is equivalent to the point-wise multiplication of vectors, which will not be elaborated here.
[0097] The individual ciphertext product vectors are summed to obtain the corresponding ciphertext sum vector. For example, in the example shown in Figure 3, $E(z) = (u_{00}v_0, u_{11}v_1, u_{20}v_0, u_{31}v_1) + (u_{01}v_1, u_{10}v_0, u_{21}v_1, u_{30}v_0) = (u_{00}v_0 + u_{01}v_1,\ u_{11}v_1 + u_{10}v_0,\ u_{20}v_0 + u_{21}v_1,\ u_{31}v_1 + u_{30}v_0)$. This ciphertext sum vector corresponds to the ciphertext product E(z) of the extended matrix M' and the ciphertext encoded vector E(v'). Specifically, if the elements of vector v and matrix M do not repeat cyclically, the ciphertext sum vector can be the ciphertext product E(z). If the elements of vector v and matrix M repeat cyclically, the ciphertext sum vector is equivalent to flattening some elements in the extended dimension during the ciphertext product E(z).
[0098] Then, via step 206, the first party provides the corresponding ciphertext information to the second party based on the ciphertext sum vector.
[0099] In one embodiment, the first party can locally generate an n'-dimensional random vector r, determine the first slice b1 of the matrix product based on the n'-dimensional random vector, and then perform plaintext-ciphertext subtraction between the ciphertext sum vector and the random vector r to obtain the plaintext-ciphertext difference, which is then provided to the second party as ciphertext information.
[0100] In another embodiment, the first party provides the ciphertext sum vector as ciphertext information to the second party.
[0101] Next, via step 207, the second party decrypts the ciphertext information using the decryption key to obtain the result data of matrix product b.
[0102] Specifically: when the first party uses the plaintext-ciphertext difference between the ciphertext sum vector and the random vector r as ciphertext information, the second party decrypts the plaintext-ciphertext difference to obtain the corresponding plaintext result, and based on the processing of the plaintext result, obtains the second slice b2 of the matrix product as the result data of the matrix product b; when the first party uses the above ciphertext sum vector as ciphertext information, the second party decrypts the ciphertext sum vector to obtain the corresponding plaintext result, and based on the processing of the plaintext result, determines the result data of the matrix product b.
[0103] It is worth noting that when the second party expands the vector v by tiling it to repeat the arrangement, the first party expands and rearranges the matrix M by performing corresponding cyclic repetition on the matrix elements for the repeating arrangement. This allows the operation of the repeated data to be taken into account when a single row of the rearranged matrix is multiplied by the ciphertext encoded vector E(v'), which is equivalent to merging some of the ciphertext multiplication operations. This effectively reduces the invalid operations caused by the introduction of 0 elements and improves the efficiency of secure operation.
[0104] Because some plaintext-ciphertext multiplication operations are combined, the final ciphertext sum vector carries information about the matrix product. Therefore, the decrypted plaintext result carries information about the matrix product, not the matrix product data itself. Thus, further processing of the decrypted plaintext result is needed to obtain the matrix product.
[0105] Specifically, the first party, upon obtaining the first slice, can decode the locally generated random vector r into m-dimensional sub-vectors and sum these sub-vectors to obtain the m-dimensional first slice. The second party, based on the plaintext result obtained from the ciphertext decryption, can truncate the plaintext result into multiple sub-vectors with the same dimension as the number of rows m of matrix M (e.g., 8 dimensions), and determine the result of the matrix multiplication based on the sum of these sub-vectors. Here, the purpose of summing the sub-vectors is to reconstruct the product of matrix M and vector v.
[0106] Figure 2 illustrates the interactive flow of a first party and a second party jointly performing matrix-safe multiplication. The following describes the process of performing matrix-safe multiplication from the perspective of the operations performed by the first party and the second party respectively. Figure 4 illustrates the process of performing matrix-safe multiplication by the first party holding an m×n dimensional matrix M. As shown in Figure 4, the process executed by the first party includes:
[0107] Step 401: Expand matrix M in both row and column directions by padding with zeros to obtain expanded matrix M';
[0108] In this case, the number of rows m' of the extended matrix M' is the least power of 2 greater than m, and the number of columns n' is the least power of 2 greater than n;
[0109] Step 402: Based on the rearrangement of the elements in the transpose matrix u of the extended matrix M', a rearranged matrix u' is obtained, such that the number of rows of the rearranged matrix u' is n', and the number of columns is a power of 2 T' that is not less than the minimum order T supported by the predetermined homomorphic encryption method.
[0110] In this context, the element in the i-th row and j-th column of the rearranged matrix u' is the element in the s-th row and j-th column of the transpose matrix u, where s is the modulus of the sum of i and j with respect to n'.
[0111] Step 403: Calculate the ciphertext product vectors corresponding to each row of the rearranged matrix u' and the ciphertext encoding vector E(v') by performing plaintext-ciphertext multiplication row by row;
[0112] After calculating a single row, the ciphertext encoding vector E(v') is updated by cyclic shifting. The ciphertext encoding vector E(v') is obtained by encrypting the n'-dimensional vector obtained by cyclically arranging the vector v in T dimensions after padding with zeros.
[0113] Step 404: Determine the ciphertext sum vector of the ciphertext product vectors;
[0114] Step 405: Based on the above ciphertext sum vector, provide the second party with the ciphertext information of the matrix product so that the second party can decrypt the ciphertext information to obtain the result data corresponding to the matrix product.
[0115] Figure 5 illustrates the process of performing matrix-safe multiplication by a second party holding an n-dimensional vector v. As shown in Figure 5, the process executed by the second party includes:
[0116] Step 501: The dimension of vector v is filled to the smallest power of 2 n' greater than n by padding with zeros to obtain the extended vector v'.
[0117] Step 502: Circularly arrange the n'-dimensional extended vector v' on a dimension T' not less than T to obtain the encoded vector R(v'), where T is the minimum order supported by the predetermined homomorphic encryption method, and T' is a power of 2.
[0118] Step 503: Encrypt the encoding vector R(v') using the pre-generated encryption key to obtain the ciphertext encoding vector E(v') and provide it to the first party;
[0119] Step 504: Receive the ciphertext information of the matrix product fed back by the first party. The ciphertext information of the matrix product is determined by the first party in the following way: rearrange the elements of the transpose matrix u of the extended matrix M' of matrix M to obtain a rearranged matrix u'; calculate, row by row through plaintext-ciphertext multiplication, the respective ciphertext product vectors corresponding to each row of the rearranged matrix u' and the ciphertext encoded vector E(v'); and determine the ciphertext information of the matrix product based on the ciphertext sum vector obtained by summing the ciphertext product vectors. Here, the number of rows m' of the extended matrix M' is the least power of 2 greater than m, and the number of columns is n'; the number of rows of the rearranged matrix u' is n' and the number of columns is not less than T; the element in the i-th row and j-th column of the rearranged matrix u' is the element in the s-th row and j-th column of the transpose matrix u, where s is the modulus of the sum of i and j with respect to n'; after the calculation is completed for a single row, the ciphertext encoding vector E(v') is updated by cyclic shifting.
[0120] Step 505: Decrypt the ciphertext information of the matrix product using the decryption key corresponding to the encryption key to obtain the result data corresponding to the matrix product.
[0121] It is worth noting that the processes shown in Figure 4 and Figure 5 are respectively the parts of the Figure 2 process executed unilaterally by the first and second parties; therefore, the descriptions of the first-party and second-party execution in Figure 2 also apply to the processes shown in Figure 4 and Figure 5, and will not be repeated here.
[0122] To recap the process above, in the multi-party secure computation process where a first party holding an m×n matrix M and a second party holding an n-dimensional vector v determine the matrix product of matrix M and vector v, the second party pads the dimension of vector v with zeros to a minimum power of 2 n' greater than n, and then cyclically arranges it along T' dimensions that are not less than the minimum order T supported by the predetermined homomorphic encryption method. This is then encrypted and provided to the first party as a ciphertext encoded vector E(v'). The first party then expands, transposes, and rearranges matrix M in the row and column directions, multiplies the rearranged matrix u' row by row with the ciphertext encoded vector E(v'), and sums the ciphertext product vectors to obtain the ciphertext sum vector. Finally, the first party provides the second party with the ciphertext information of the matrix product determined based on the ciphertext sum vector, allowing the second party to decrypt the ciphertext information and obtain the result data corresponding to the matrix product. In this way, matrix and vector multiplication can be transformed into a transpose operation. When the number of rows is greater than the number of columns, this significantly reduces the computational load, improving the efficiency of secure computation and related business processing. Typically, the efficiency improvement is the ratio of T' to m. For example, experiments have shown that with a 256×8-dimensional matrix and a pre-defined homomorphic encryption method supporting an order T = 4096, extending the matrix to 4096 columns improves computational efficiency by 16 times.
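The transposed flow recapped above can be checked end to end in plaintext. The following is an added example, not code from the patent: Python lists stand in for the slot vectors of BFV/CKKS ciphertexts (no encryption is performed), and the function names, the toy slot count T = 16 in place of 4096, and the wrap of the column index by j % m' when u has fewer than T columns are assumptions of this example.

```python
# Plaintext simulation of the transposed, rearranged matrix-vector product.
# Lists of ints stand in for ciphertext slot vectors; nothing is encrypted here.

def next_pow2(x):
    """Smallest power of 2 greater than x, as the padding rule is worded."""
    p = 1
    while p <= x:
        p *= 2
    return p

def pad_matrix(M):
    """First party: zero-pad an m x n matrix to the m' x n' expanded matrix M'."""
    m, n = len(M), len(M[0])
    m_p, n_p = next_pow2(m), next_pow2(n)
    return [[M[r][c] if r < m and c < n else 0 for c in range(n_p)]
            for r in range(m_p)]

def encode_vector(v, T):
    """Second party: zero-pad v to n' and tile it over T slots, w[i] = v'[i % n']."""
    n_p = next_pow2(len(v))
    v_p = list(v) + [0] * (n_p - len(v))
    return [v_p[i % n_p] for i in range(T)]

def rearrange(M_p, T):
    """First party: transpose M' into u (n' x m'), then build u' with
    u'[i][j] = u[(i + j) % n'][j % m'] for 0 <= i < n', 0 <= j < T.
    Assumption: the column index wraps by m' because u has only m' columns."""
    m_p, n_p = len(M_p), len(M_p[0])
    u = [list(col) for col in zip(*M_p)]
    return [[u[(i + j) % n_p][j % m_p] for j in range(T)] for i in range(n_p)]

def rotate_left(w):
    """Cyclic shift: every slot moves forward one position, the first wraps to the end.
    On real ciphertexts this is the step that needs the rotation (Galois) key."""
    return w[1:] + w[:1]

def secure_matvec_sum(M, v, T):
    """Row-by-row slot-wise multiply, rotate after each row, and accumulate.
    Returns the T-slot sum vector the first party would send back encrypted."""
    if len(M[0]) != len(v):
        raise ValueError("matrix column count must equal vector length")
    m_p, n_p = next_pow2(len(M)), next_pow2(len(v))
    if T % m_p or T % n_p:
        raise ValueError("T must be a multiple of both m' and n'")
    w = encode_vector(v, T)
    acc = [0] * T
    for row in rearrange(pad_matrix(M), T):   # only n' rows, not m'
        acc = [a + x * y for a, x, y in zip(acc, row, w)]
        w = rotate_left(w)
    return acc

if __name__ == "__main__":
    # Constructed sample input: 5 x 3 matrix (rows > columns) and a 3-vector.
    M = [[1, 2, 3], [4, 5, 6], [7, 8, 9], [1, 0, 1], [2, 1, 0]]
    v = [1, 2, 3]
    s = secure_matvec_sum(M, v, 16)
    print("sum vector:", s)
    print("M*v read from the first m slots:", s[:len(M)])
```

Under these assumptions slot j of the sum vector holds entry j % m' of M'·v', so the product appears tiled across the T slots and only n' slot-wise multiplications and rotations are performed.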
[0123] According to another embodiment, an apparatus for performing matrix-safe multiplication is also provided. This apparatus may be positioned on a first party holding an m×n-dimensional matrix M, for determining, with a second party holding an n-dimensional vector v, the matrix product of matrix M and vector v based on privacy protection.
[0124] Figure 6 shows an embodiment of a first-party apparatus 600 for performing matrix-safe multiplication. As shown in Figure 6, the device 600 includes:
[0125] The expansion unit 601 is configured to expand the matrix M in the row and column directions by padding with zeros to obtain the expanded matrix M', wherein the number of rows m' of the expanded matrix M' is the least power of 2 greater than m, and the number of columns n' is the least power of 2 greater than n.
[0126] The rearrangement unit 602 is configured to obtain a rearrangement matrix u' based on the rearrangement of the elements in the transpose matrix u of the extended matrix M', such that the number of rows of the rearrangement matrix u' is n' and the number of columns is T', where T' is a power of 2 of the minimum order T supported by the predetermined homomorphic encryption method, and the element in the i-th row and j-th column of the rearrangement matrix u' is the element in the s-th row and j-th column of the transpose matrix u, where s is the modulus of the sum of i and j with respect to n'.
[0127] The computing unit 603 is configured to calculate, row by row, the ciphertext product vectors corresponding to each row of the rearranged matrix u' and the ciphertext encoded vector E(v'). After calculating a single row, the ciphertext encoded vector E(v') is updated by cyclic shifting. The ciphertext encoded vector E(v') is obtained by encrypting an n'-dimensional vector obtained by cyclically arranging the vector v in T' dimensions.
[0128] and to determine the ciphertext sum vector of the ciphertext product vectors;
[0129] The providing unit 604 is configured to provide ciphertext information of a matrix multiplication to a second party based on the ciphertext sum vector, so that the second party can decrypt the ciphertext information to obtain the result data corresponding to the matrix multiplication.
[0130] Figure 7 shows an embodiment of a second-party apparatus 700 for performing matrix-safe multiplication. As shown in Figure 7, the device 700 includes:
[0131] The expansion unit 701 is configured to fill the dimension of vector v to the smallest power of 2 n' greater than n by padding with zeros to obtain the expanded vector v'.
[0132] The permutation unit 702 is configured to cyclically permutate the n'-dimensional extended vector v' on a dimension T' not less than T to obtain the encoded vector R(v'), where T is the minimum order supported by the predetermined homomorphic encryption method, and T' is a power of 2;
[0133] The encryption unit 703 is configured to encrypt the encoding vector R(v') using a pre-generated encryption key to obtain the ciphertext encoding vector E(v') and provide it to the first party.
[0134] The receiving unit 704 is configured to receive the ciphertext information of the matrix product fed back by the first party. The ciphertext information of the matrix product is obtained by the first party through the following determination operation: rearranging the elements of the transpose matrix u of the extended matrix M' of matrix M to obtain a rearranged matrix u'; calculating, through plaintext-ciphertext multiplication, the respective ciphertext product vectors corresponding to each row of the rearranged matrix u' and the ciphertext encoding vector E(v'); and determining the ciphertext information of the matrix product based on the ciphertext sum vector obtained by summing the ciphertext product vectors. Here, the number of rows m' of the extended matrix M' is the least power of 2 greater than m, and the number of columns is n'. The number of rows of the rearranged matrix u' is n' and the number of columns is not less than T. The element in the i-th row and j-th column of the rearranged matrix u' is the element in the s-th row and j-th column of the transpose matrix u, where s is the modulus of the sum of i and j with respect to n'. After the calculation is completed for a single row, the ciphertext encoding vector E(v') is updated by cyclic shifting.
[0135] The decryption unit 705 is configured to decrypt the ciphertext information of the matrix product using a decryption key corresponding to the encryption key, and obtain the result data corresponding to the matrix product.
[0136] It is worth noting that the devices 600 and 700 shown in Figure 6 and Figure 7 correspond respectively to the methods described in Figure 4 and Figure 5; the corresponding descriptions in the method embodiments of Figure 4 and Figure 5 also apply to devices 600 and 700, and will not be repeated here.
[0137] According to another embodiment, a computer-readable storage medium is also provided, on which a computer program is stored, which, when executed in a computer, causes the computer to perform the methods described in conjunction with Figure 4 and Figure 5.
[0138] According to another embodiment, a computing device is also provided, including a memory and a processor, wherein the memory stores executable code, and when the processor executes the executable code, it implements the methods described in conjunction with Figure 4 and Figure 5.
[0139] Those skilled in the art will recognize that the functions described in the embodiments of this specification in one or more of the above examples can be implemented using hardware, software, firmware, or any combination thereof. When implemented in software, these functions can be stored in a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium.
[0140] The specific embodiments described above further illustrate the purpose, technical solution, and beneficial effects of the technical concept in this specification. It should be understood that the above description is only a specific embodiment of the technical concept in this specification and is not intended to limit the scope of protection of the technical concept in this specification. Any modifications, equivalent substitutions, improvements, etc., made on the basis of the technical solutions of the embodiments in this specification should be included within the scope of protection of the technical concept in this specification.
Claims
1. A method for performing secure matrix multiplication, applicable to a first party holding an m×n-dimensional matrix M, in the process of determining the matrix product of matrix M and vector v based on secure multi-party computation with a second party holding an n-dimensional vector v, the method comprising: expanding the matrix M in both the row and column directions by padding with zeros to obtain an expanded matrix M', where the number of rows m' of the expanded matrix M' is the smallest power of 2 greater than m, and the number of columns n' is the smallest power of 2 greater than n; rearranging the elements of the transpose matrix u of the expanded matrix M' to obtain a rearranged matrix u', such that the number of rows of the rearranged matrix u' is n' and the number of columns is T', where T' is a power of 2 not less than the minimum order T supported by the predetermined homomorphic encryption method, and the element in the i-th row and j-th column of the rearranged matrix u' is the element in the s-th row and j-th column of the transpose matrix u, where s is the sum of i and j modulo n'; calculating, row by row through plaintext-ciphertext multiplication, the ciphertext product vector corresponding to each row of the rearranged matrix u' and the ciphertext encoding vector, wherein after the calculation for a single row is completed, the ciphertext encoding vector is updated by cyclic shifting, and the ciphertext encoding vector is obtained by encrypting the n'-dimensional vector, obtained by padding vector v with zeros, after it has been cyclically arranged in T dimensions; determining the ciphertext sum vector of the ciphertext product vectors; and providing, based on the ciphertext sum vector, the ciphertext information of the matrix product to the second party so that the second party can decrypt the ciphertext information to obtain the result data corresponding to the matrix product.
2. The method of claim 1, wherein the predetermined homomorphic encryption method is one of BFV, BGV, and CKKS.
3. The method of claim 1, wherein calculating, row by row through plaintext-ciphertext multiplication, the ciphertext product vector corresponding to each row of the rearranged matrix u' and the ciphertext encoding vector includes: for a single row, multiplying each element in that row by the corresponding ciphertext element in the ciphertext encoding vector, and using the resulting product as the corresponding element of the corresponding ciphertext product vector.
4. The method of claim 1, wherein, through the cyclic shift operation, the first element moves to the last position, and all other elements move forward one position.
5. The method of claim 1, wherein the cyclic shift operation is implemented using a rotation key provided by the second party; the rotation key is used to perform rotation operations on data encrypted with an encryption key provided by the second party; and the second party also holds a decryption key for decrypting data processed by the encryption key and the rotation key.
6. The method of claim 1, wherein calculating, row by row through plaintext-ciphertext multiplication, the ciphertext product vector corresponding to each row of the rearranged matrix u' and the ciphertext encoding vector includes: performing a homomorphic element-wise vector multiplication of a single row and the ciphertext encoding vector to obtain the corresponding single ciphertext product vector.
7. The method of claim 1, wherein providing the ciphertext information of the matrix product to the second party based on the ciphertext sum vector includes: providing the ciphertext sum vector to the second party as the ciphertext information of the matrix product, so that the second party obtains the matrix product by decryption as the result data corresponding to the matrix product.
8. The method of claim 1, wherein providing the ciphertext information of the matrix product to the second party based on the ciphertext sum vector includes: determining a first share b1 of the matrix product based on a generated random vector r that has the same dimensions as the ciphertext sum vector; calculating the plaintext-ciphertext difference between the ciphertext sum vector and the random vector r; and providing the plaintext-ciphertext difference to the second party as the ciphertext information of the matrix product, so that the second party can decrypt the plaintext-ciphertext difference and obtain a second share b2 of the matrix product as the result data of the matrix product at the second party.
9. The method of claim 8, wherein determining the first share b1 of the matrix product based on the generated random vector r that has the same dimensions as the ciphertext sum vector includes: dividing the random vector r into multiple sub-vectors according to the number of rows m of the matrix M; and determining the first share b1 of the matrix product from the sum of the individual sub-vectors.
10. A method for performing secure matrix multiplication, applicable to a second party holding an n-dimensional vector v, in the process of determining the matrix product of matrix M and vector v based on secure multi-party computation with a first party holding an m×n-dimensional matrix M, the method comprising: padding vector v with zeros up to dimension n', the smallest power of 2 greater than n, to obtain the expanded vector v'; cyclically arranging the n'-dimensional expanded vector v' on a dimension T' of not less than T to obtain the encoding vector R(v'), where T is the minimum order supported by the predetermined homomorphic encryption method, and T' is a power of 2; encrypting the encoding vector using a pre-generated encryption key to obtain a ciphertext encoding vector, which is then provided to the first party; receiving the ciphertext information of the matrix product fed back by the first party, wherein the ciphertext information of the matrix product is determined by the first party in the following way: rearranging the elements in the transpose matrix u of the expanded matrix M' of matrix M to obtain the rearranged matrix u', calculating, row by row through plaintext-ciphertext multiplication, the ciphertext product vector corresponding to each row of the rearranged matrix u' and the ciphertext encoding vector, and determining the ciphertext information of the matrix product based on the ciphertext sum vector obtained by summing the ciphertext product vectors, wherein the number of rows m' of the expanded matrix M' is the smallest power of 2 greater than m and the number of columns is n', the number of rows of the rearranged matrix u' is n' and the number of columns is not less than T, the element in the i-th row and j-th column of the rearranged matrix u' is the element in the s-th row and j-th column of the transpose matrix u, where s is the sum of i and j modulo n', and after the calculation for a single row is completed, the ciphertext encoding vector is updated by cyclic shifting; and decrypting the ciphertext information of the matrix product using the decryption key corresponding to the encryption key to obtain the result data corresponding to the matrix product.
11. The method of claim 10, wherein the predetermined homomorphic encryption method is one of BFV, BGV, and CKKS.
12. The method of claim 10, wherein the cyclic shift operation is implemented using a rotation key, which is a Galois key and forms a key group with the encryption key and the decryption key, and the method further includes: generating the rotation key based on the encryption key and providing it to the first party.
13. The method of claim 10, wherein the ciphertext information of the matrix product is the ciphertext of the matrix product, and the result data is the matrix product; or the ciphertext information of the matrix product is the plaintext-ciphertext difference between the ciphertext of the matrix product and a random vector r, and the result data is a second share b2 of the matrix product, wherein b2 and the first share b1 of the matrix product, determined by the first party based on the random vector r, constitute the sum-shared form of the matrix product.
14. The method of claim 10 or 13, wherein decrypting the ciphertext information of the matrix product fed back by the first party using the decryption key corresponding to the encryption key to obtain the result data corresponding to the matrix product includes: dividing the plaintext result obtained by decrypting the ciphertext information of the matrix product into multiple sub-vectors according to the number of rows m of the matrix M; and determining the result data corresponding to the matrix product by summing the individual sub-vectors.
15. An apparatus for performing secure matrix multiplication, provided at a first party holding an m×n-dimensional matrix M, for determining, based on secure multi-party computation with a second party holding an n-dimensional vector v, the matrix product of matrix M and vector v, the apparatus comprising: an expansion unit configured to expand matrix M in both the row and column directions by padding with zeros to obtain an expanded matrix M', wherein the number of rows m' of the expanded matrix M' is a power of 2 greater than m, and the number of columns n' is a power of 2 greater than n; a rearrangement unit configured to obtain a rearranged matrix u' by rearranging the elements in the transpose matrix u of the expanded matrix M', such that the number of rows of the rearranged matrix u' is n' and the number of columns is T', where T' is a power of 2 not less than the minimum order T supported by the predetermined homomorphic encryption method, and the element in the i-th row and j-th column of the rearranged matrix u' is the element in the s-th row and j-th column of the transpose matrix u, where s is the sum of i and j modulo n'; a computation unit configured to calculate, row by row through plaintext-ciphertext multiplication, the ciphertext product vector corresponding to each row of the rearranged matrix u' and the ciphertext encoding vector, wherein after the calculation for a single row is completed, the ciphertext encoding vector is updated by cyclic shifting, and the ciphertext encoding vector is obtained by encrypting the n'-dimensional vector, obtained by padding vector v with zeros, after it has been cyclically arranged in T dimensions, the ciphertext sum vector of the ciphertext product vectors then being determined; and a providing unit configured to provide the second party with the ciphertext information of the matrix product based on the ciphertext sum vector, so that the second party can decrypt the ciphertext information to obtain the result data corresponding to the matrix product.
16. An apparatus for performing secure matrix multiplication, provided at a second party holding an n-dimensional vector v, for determining, based on secure multi-party computation with a first party holding an m×n-dimensional matrix M, the matrix product of matrix M and vector v, the apparatus comprising: an expansion unit configured to pad vector v with zeros up to dimension n', the smallest power of 2 greater than n, to obtain the expanded vector v'; a permutation unit configured to cyclically arrange the n'-dimensional expanded vector v' on a dimension T' not less than T to obtain the encoding vector, where T is the minimum order supported by the predetermined homomorphic encryption method, and T' is a power of 2; an encryption unit configured to encrypt the encoding vector using a pre-generated encryption key to obtain a ciphertext encoding vector for provision to the first party; a receiving unit configured to receive the ciphertext information of the matrix product fed back by the first party, wherein the ciphertext information of the matrix product is determined by the first party in the following way: rearranging the elements in the transpose matrix u of the expanded matrix M' of matrix M to obtain a rearranged matrix u', calculating, row by row through plaintext-ciphertext multiplication, the ciphertext product vector corresponding to each row of the rearranged matrix u' and the ciphertext encoding vector, and determining the ciphertext information of the matrix product based on the ciphertext sum vector obtained by summing the ciphertext product vectors, wherein the number of rows m' of the expanded matrix M' is the smallest power of 2 greater than m and the number of columns is n', the number of rows of the rearranged matrix u' is n' and the number of columns is not less than T, the element in the i-th row and j-th column of the rearranged matrix u' is the element in the s-th row and j-th column of the transpose matrix u, where s is the sum of i and j modulo n', and after the calculation for a single row is completed, the ciphertext encoding vector is updated by cyclic shifting; and a decryption unit configured to decrypt the ciphertext information of the matrix product using a decryption key corresponding to the encryption key, so as to obtain the result data corresponding to the matrix product.
17. A computer-readable storage medium having a computer program stored thereon, which, when executed in a computer, causes the computer to perform the method of any one of claims 1-14.
18. A computing device, comprising a memory and a processor, characterized in that the memory stores executable code, and when the processor executes the executable code, it implements the method of any one of claims 1-14.
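The slot arithmetic of claims 1, 4, 8 and 10, simulated in plain Python as an added example (not code from the patent): plain lists stand in for the slots of a BFV/BGV/CKKS ciphertext, so nothing here is actually encrypted. The function names, the modulus Q, the 5×3 matrix and T' = 8 are constructed assumptions, and the sketch assumes T' is at least m' so that one ciphertext holds every output row.

```python
import secrets

Q = 2**31 - 1  # constructed plaintext modulus for the simulated slots

def next_pow2(x):
    # "smallest power of 2 greater than x", as worded in claims 1 and 10
    p = 1
    while p <= x:
        p *= 2
    return p

def rot_left(vec):
    # claim 4: first element moves to the last position, the rest move forward
    return vec[1:] + vec[:1]

def encode_vector(v, slots):
    # second party (claim 10): zero-pad v to n', then repeat cyclically over T' slots
    n_p = next_pow2(len(v))
    v_p = list(v) + [0] * (n_p - len(v))
    return [v_p[j % n_p] for j in range(slots)]

def rearrange(M, slots):
    # first party (claim 1): u'[i][j] = u[(i + j) mod n'][j], with u = transpose(M')
    m, n = len(M), len(M[0])
    m_p, n_p = next_pow2(m), next_pow2(n)
    if slots < m_p or slots % n_p:
        raise ValueError("sketch assumes T' >= m' and n' divides T'")
    Mp = [row + [0] * (n_p - n) for row in M] + [[0] * n_p] * (m_p - m)
    # u[s][j] equals M'[j][s]; slots beyond m' are zero padding
    return [[Mp[j][(i + j) % n_p] if j < m_p else 0 for j in range(slots)]
            for i in range(n_p)]

def sum_vector(M, ct):
    # one slot-wise plaintext-ciphertext product per row of u', then a cyclic shift
    acc = [0] * len(ct)
    for row in rearrange(M, len(ct)):
        acc = [(a + x * c) % Q for a, x, c in zip(acc, row, ct)]
        ct = rot_left(ct)
    return acc

def mask(acc):
    # claim 8: subtract a random vector r; in this sketch the first party keeps r as b1
    r = [secrets.randbelow(Q) for _ in acc]
    return r, [(a - x) % Q for a, x in zip(acc, r)]

def demo():
    M = [[1, 2, 3], [4, 5, 6], [7, 8, 9], [1, 0, 1], [2, 2, 2]]  # constructed, m=5, n=3
    ct = encode_vector([1, 2, 3], slots=8)                        # constructed T' = 8
    acc = sum_vector(M, ct)
    b1, b2 = mask(acc)
    return acc[:5], [(a + b) % Q for a, b in zip(b1, b2)][:5]
```

The loop in `sum_vector` performs n' multiplications and shifts rather than m', which is the saving the claims target when m is much greater than n.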