A communication and computing efficient privacy-preserving distributed k-th smallest value solving method and program product

By using a secret-sharing-based multi-party computation model, and combining linear and additive secret sharing with iterative truncation and randomized multiplication, the problem of high communication overhead and low efficiency in distributed solutions for the k-th minimum value with privacy protection is solved, achieving a low-complexity privacy-preserving solution.

CN122316632A · Pending · Publication Date: 2026-06-30 · JINLING INST OF TECH

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
JINLING INST OF TECH
Filing Date
2026-05-14
Publication Date
2026-06-30

AI Technical Summary

Technical Problem

Existing technologies for distributed solutions to the k-th minimum value with privacy protection suffer from high communication overhead, low efficiency, and poor scalability, making it difficult to simultaneously meet the requirements of high security and low computational complexity.

Method used

A secret-sharing-based multi-party computation model is adopted. Through a multi-party double random number protocol and a secure comparison protocol, linear secret sharing and additive secret sharing are used, combined with iterative truncation and randomized multiplication, to solve for the k-th minimum value with privacy protection.

Benefits of technology

It reduces the number of interaction rounds and message volume, avoids the linear increase in communication volume with the size of the participants and the data bit width, protects data privacy, outputs only necessary information, and avoids additional leakage.

✦ Generated by Eureka AI based on patent content.


Abstract

This invention relates to the field of data security and privacy computing, specifically to a secret-sharing-based method for solving the k-th minimum value in a distributed dataset D, efficiently solving for the k-th minimum value under a semi-honest security model. The core of this method lies in adaptively managing the data state of the participants and designing and utilizing a lightweight secure comparison algorithm to determine each bit value of the k-th minimum value sequentially from the most significant bit to the least significant bit. While ensuring the correctness of the result, it reduces the number of interaction rounds and message volume, avoiding a linear increase in communication volume with the size of the participants and the data bit width, thus reducing the heavy reliance on multiple secure comparisons and bit-by-bit determinations. Simultaneously, it tightens the information leakage surface, allowing only the minimum necessary information that can be derived from the result to be output, avoiding the leakage of additional information.

Description

Technical Field

[0001] This invention relates to the field of data security and privacy computing, specifically to a privacy-preserving distributed method and program product for solving the k-th minimum value with high communication and computing efficiency.

Background Technology

[0002] The rapid popularization of the Internet of Things (IoT) and edge computing has led to the continuous collection and uploading of a large amount of data scattered on the terminal side. In scenarios such as transportation, environmental monitoring, and mobile health, business decisions often do not require knowledge of individual raw data, but rely on statistical functions (such as minimum value, quantile, and more generally the k-th minimum value) to determine thresholds and allocate resources. However, this data often contains sensitive information such as geographical location and physiological indicators. Directly aggregating raw data in a distributed environment will bring privacy leakage risks and high transmission costs. Therefore, how to efficiently solve for the k-th minimum value in a distributed environment without exposing individual data has become a key issue.

[0003] To achieve the above objectives, existing research has mainly formed three technical routes. (1) Based on secure multi-party computation. Aggarwal et al. (Gagan Aggarwal, Nina Mishra, Benny Pinkas: Secure Computation of the kth-Ranked Element[C]. International Conference on the Theory and Applications of Cryptographic Techniques, 2004: 40-55) proposed a dedicated secure multi-party computation (MPC) protocol based on secure comparison and garbled circuits, in which a statistical function such as the k-th minimum value is reduced to several rounds of secure comparison and secure summation. It has a clear cryptographic security model, and some schemes can be extended to malicious security and support repeated values. However, it relies on multiple rounds of interaction, and its communication and implementation complexity is relatively high in large-scale deployments: the number of iterations of this protocol depends on the number of bits of the data value (i.e., the data range) rather than on the size of k, so if the data range is large the number of rounds is high even when k is small. (2) Based on bitwise XOR and probabilistic coding. Zhang et al. (Yuan Zhang, Qingjun Chen, Sheng Zhong. Efficient and Privacy-Preserving Min and kth Min Computations in Mobile Sensing Systems[J]. IEEE Transactions on Dependable and Secure Computing. 2017, 14(1): 9-21) and Yu et al. (Jiahui Yu, Kun Wang, Deze Zeng, Chunsheng Zhu, Song Guo. Privacy-preserving Data Aggregation Computing in Cyber-Physical Social Systems[J]. ACM Transactions on Cyber-Physical Systems, 2019, 3(1): 8:1-8:23) proposed plaintext-free aggregation schemes based on this technology, which calculate the k-th minimum value through bit-by-bit statistics and bit selection mechanisms under untrusted aggregators. These schemes are relatively simple to implement and suitable for high-concurrency environments, but their accuracy and convergence are sensitive to parameters; they usually require multiple rounds of statistics to stabilize the error and may leak additional structural information such as "whether the k-th minimum value is unique". (3) Based on (fully) homomorphic encryption. Jiang et al. (Bingbing Jiang, Yuan Zhang. Securely min and k-th min computations with fully homomorphic encryption. SCIENCE CHINA Information Sciences. 61(5): 058103:1-058103:3 (2018)) proposed a scheme based on fully homomorphic encryption in which, under the semi-honest model, the minimum value and the k-th minimum value are calculated by comparing ciphertexts bit by bit and adding homomorphic counts. Its advantages are strong privacy, a low number of interaction rounds and zero exposure of plaintext, but its inherent computational complexity is extremely high, especially when it involves ciphertext multiplication and bootstrapping operations. This results in high latency and energy consumption for the k-th minimum value calculation scheme based on fully homomorphic encryption, making it difficult to deploy and apply on a large scale in resource-constrained mobile devices and distributed systems with real-time requirements.

[0004] In summary, existing technologies in the field of privacy-preserving distributed solutions for the k-th minimum value present a significant contradiction: it is difficult to simultaneously satisfy both performance (high computational / communication overhead) and security (risks such as parameter sensitivity and leakage of additional information (e.g., uniqueness)). Therefore, designing a privacy-preserving distributed solution for the k-th minimum value that provides strong cryptographic security while maintaining low communication rounds and low computational overhead is a pressing technical challenge that needs to be addressed.

Summary of the Invention

[0005] This invention aims to overcome the shortcomings of the prior art and provide a privacy-preserving distributed method for solving the k-th minimum value based on secret sharing, achieving a communication complexity of O(n log n). This aims to address the problems of high communication overhead, low efficiency, and poor scalability in existing solutions when solving for the k-th minimum value in multi-party scenarios.

[0006] This invention provides a privacy-preserving distributed method for solving the k-th minimum value in a set D with high communication and computation efficiency, where k is the target index. ;in, Indicates the first Private data of each participant The total number of participants; the method includes the following steps:

[0007] S1: All participants initialize the state of their private data to "active" and obtain the value of k;

[0008] All parties collaborate to execute the multi-party dual random number function protocol, the first... The participating party is targeting the first Get the private data of the bit and ; ;

[0009] in, The bit length of private data;

[0010] In order to target the A random number representing the private data of a given bit;

[0011] For the first Each participating party received of - Linear secret sharing of shares;

[0012] For the first Each participating party received of -Additive secret sharing share;

[0013] Threshold value for linear secret sharing;

[0014] S2: All participants, for The value ranges from The following steps are executed sequentially up to 0:

[0015] 1) Each participant calculates the number according to the following rules. Encrypted contribution share of private data:

[0016] If the The private data of each participant is in an "active" state, and ,but ;

[0017] If the The private data of each participant is in an "active" state, and ,but ;

[0018] If the If the private data of each participant is in an "inactive" state, then ;

[0019] in, Indicates the first The private data of each participant Bit;

[0020] Indicates the first The first participating party Encrypted contribution share of private data;

[0021] 2) Each participating party shall submit its first... The encrypted contribution share of the private data is sent to the aggregator, which can be any designated participant.

[0022] Aggregate calculation of the first Bit-based aggregate mask value:

[0023]

[0024] in, Indicates the first The aggregate mask value of the bits;

[0025] The aggregator will Disclosed to all participants;

[0026] 3) Each participant calculates the corresponding deblinded number of... Sharing the secrets of bit comparison parameters:

[0027]

[0028] in, Indicates the first The comparison parameter for the bit;

[0029] Indicates the first The calculations obtained by each participant of - Linear secret sharing of shares;

[0030] 4) All parties collaborate to execute the security comparison protocol, by inputting... and k, so that the aggregator obtains The relative magnitude relationship with k;

[0031] Aggregate calculation of the first The small value is in the first The bit value of the bit:

[0032] when hour, ;when hour, ;

[0033] in, Indicates the first The small value is in the first The bit value of the bit;

[0034] The aggregator will Disclosed to all participants;

[0035] 5) All participants update the status of their private data:

[0036] when At that time, and And the first If the private data of one participant is in an "active" state, then the first participant's private data will be... The status of each participant's private data is updated to "inactive";

[0037] S3: The aggregation method calculates the kth smallest value:

[0038]

[0039] in, Let represent the k-th smallest value in set D.

[0040] Preferably, the secure comparison protocol is implemented through iterative truncation and randomized multiplication.

[0041] Preferably, the secure comparison protocol includes the following steps:

[0042] SC1: All participants collaborate to execute a multi-party random number generation protocol, the first... Each participant received ;

[0043] in, For the first Each participant receives a random number. of - Linear secret sharing of shares;

[0044] SC2: Execute The next iteration, in which... +1; Definition For the first Reference value at the next iteration ;

[0045] No. Second-rate( From 0 to The iteration content is:

[0046] 1) If When it is even:

[0047] All parties collaborate to execute the multi-party cutoff protocol, the first... Each participant input ,get , ;

[0048] in, For the first Intermediate values of comparison parameters during round iterations; , ;

[0049] For the first Each participant of - Linear secret sharing of shares; ;

[0050] For the first Each participant of - Linear secret sharing of shares;

[0051] if When it is an odd number:

[0052] All parties collaborate to execute the multi-party cutoff protocol, the first... Each participant input ,get , ;

[0053] in , , ;

[0054] 2) Calculation of all participants :

[0055] if When it is even:

[0056]

[0057] if When it is an odd number:

[0058]

[0059] SC3: All parties collaborate to execute the multi-party multiplication agreement, the first... Each participant input and ,get , ;

[0060] in, Indicates the first Each participant received of - Linear secret sharing of shares;

[0061] All participants will receive their respective shares. of - Linear secret sharing shares are sent to the aggregator;

[0062] The aggregated calculation And make a judgment:

[0063] if Then determine ;if Then determine .

[0064] The present invention also provides a computer program product, including a computer program that, when executed by a processor, implements the above-described method.

[0065] Beneficial effects:

[0066] This invention employs a multi-party computation model involving s parties (s ≥ 2), each holding a single piece of private data (with duplicate values allowed). The parties collaborate on computation through a secure communication channel, without relying on a trusted third party (such as a central aggregation server), and only publish the results to the authorized receiving set after completion; no additional shared plaintext or intermediate plaintext states are generated beyond the necessary output information.

[0067] While ensuring the correctness of the results, this invention reduces the number of interaction rounds and message volume, avoids the communication volume from increasing linearly with the size of the participants and the data bit width, and weakens the heavy reliance on multiple secure comparisons and bit-by-bit judgments; at the same time, it tightens the information leakage surface, allowing only the minimum information necessary and deducible from the results to be output, avoiding the leakage of additional information (such as data uniqueness).

Detailed Implementation

[0068] To make the objectives, features, and advantages of this invention more apparent and understandable, the technical solutions in the embodiments of this invention will be clearly and completely described below. Obviously, the embodiments described below are only a part of the embodiments of this invention, and not all of them. Based on the embodiments of this invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this invention.

[0069] This invention employs a multi-party computation model involving multiple participants, each holding a single private input (allowing duplicate values, with the maximum integer value for a single private input being M). The participants collaborate on computation through a secure communication channel, without relying on a trusted third party (such as a central aggregation server), and only publish the results to the authorized receiving set after completion; no additional shared plaintext or intermediate plaintext states are generated beyond the necessary output information.

[0070] A privacy-preserving distributed method for solving the k-th minimum value in a set D is proposed, which is characterized by efficient communication and computation. The method is used to obtain the k-th minimum value in the set D, where k is the target index. ;in, Indicates the first Private data of each participant The total number of participants; the method includes the following steps:

[0071] S1: All participants initialize the state of their private data to "active" and obtain the value of k;

[0072] All parties collaborate to execute the multi-party dual random number function protocol, the first... The participating party is targeting the first Get the private data of the bit and ; ;

[0073] in, The bit length of private data;

[0074] In order to target the A random number representing the private data of a given bit;

[0075] For the first Each participating party received of - Linear secret sharing of shares;

[0076] For the first Each participating party received of -Additive secret sharing share;

[0077] For linear secret sharing thresholds; in this invention It refers to a preset range of values;

[0078] In this embodiment, the multi-party dual random number function protocol executed collaboratively by all participating parties is prior art. For example, the method described in (Nishanth Chandran, Nishka Dasgupta, Divya Gupta, Sai Lakshmi Bhavana Obbattu, Sruthi Sekar, Akash Shah: Efficient Linear Multiparty PSI and Extensions to Circuit / Quorum PSI. CCS 2021: 1182-1204) is one of the ways it can be implemented.

[0079] S2: All participants, for The value ranges from To proceed from 0 (from most significant bit to least significant bit, i.e., from MSB to LSB), execute the following steps sequentially:

[0080] 1) Each participant calculates the number according to the following rules. Encrypted contribution share of private data:

[0081] If the The private data of each participant is in an "active" state, and ,but ;

[0082] If the The private data of each participant is in an "active" state, and ,but ;

[0083] If the If the private data of each participant is in an "inactive" state, then ;

[0084] in, Indicates the first The private data of each participant Bit;

[0085] Indicates the first The first participating party Encrypted contribution share of private data;

[0086] 2) Each participating party shall submit its first... The encrypted contribution share of the private data is sent to the aggregator, which can be any designated participant; in this embodiment, the aggregator is the first participant.

[0087] Aggregate calculation of the first Bit-based aggregate mask value:

[0088] ;

[0089] in, Indicates the first bit aggregation mask value

[0090] The aggregator will Disclosed to all participants;

[0091] 3) Each participant calculates the corresponding deblinded number of... Sharing the secrets of bit comparison parameters:

[0092]

[0093] in, Indicates the first The comparison parameter for the bit;

[0094] Indicates the first The calculations obtained by each participant of - Linear secret sharing of shares;

[0095] 4) All parties collaborate to execute the security comparison protocol, by inputting... and k, so that the aggregator obtains The relative magnitude relationship with k;

[0096] Aggregate calculation of the first The small value is in the first The bit value of the bit:

[0097] when hour, ;when hour, ;

[0098] in, Indicates the first The small value is in the first The bit value of the bit;

[0099] The aggregator will Disclosed to all participants;

[0100] 5) All participants update the status of their private data:

[0101] when At that time, and And the first If the private data of one participant is in an "active" state, then the first participant's private data will be... The status of each participant's private data is updated to "inactive";

[0102] S3: The aggregation method calculates the kth smallest value:

[0103]

[0104] in, Let represent the k-th smallest value in set D.
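The data flow of S1 to S3 (mask each contribution with an additive share, publish the aggregate, de-blind it into linear shares, compare with k, update states), as an added Python example that is not the patent's own code. The formulas are not legible on this page, so the contribution rule, the "below"/"above" split of the inactive state, the modulus `P`, the in-process dealer that stands in for the dual random number protocol, and the share reconstruction that stands in for the secure comparison protocol are all assumptions.

```python
import secrets

P = 2**61 - 1  # prime field modulus (assumed; the page does not state one)

def additive_shares(value, n):
    """n shares that sum to value mod P (additive secret sharing)."""
    parts = [secrets.randbelow(P) for _ in range(n - 1)]
    return parts + [(value - sum(parts)) % P]

def linear_shares(value, n, t):
    """Shamir shares: a random degree-t polynomial evaluated at x = 1..n."""
    coeffs = [value] + [secrets.randbelow(P) for _ in range(t)]
    return [sum(c * pow(x, e, P) for e, c in enumerate(coeffs)) % P
            for x in range(1, n + 1)]

def reconstruct(shares, t):
    """Lagrange interpolation at x = 0 from the first t+1 shares."""
    pts = list(enumerate(shares, start=1))[:t + 1]
    total = 0
    for xi, yi in pts:
        num = den = 1
        for xj, _ in pts:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def kth_smallest(values, k, bits, t=1):
    """Return (k-th smallest value, transcript of (j, e, c, b) per bit)."""
    n = len(values)
    # Assumed refinement of the page's "inactive" state: a deactivated input
    # is remembered as "below" or "above" the value being assembled.
    state = ["active"] * n
    result, transcript = 0, []
    for j in range(bits - 1, -1, -1):  # MSB to LSB
        # S1 stand-in: a dealer samples r and issues both kinds of shares.
        r = secrets.randbelow(P)
        r_add, r_lin = additive_shares(r, n), linear_shares(r, n, t)
        # Step 1: contribution (assumed rule: 1 if the input is known to be
        # below the result or is active with bit j == 0), additively masked.
        masked = []
        for i, x in enumerate(values):
            bit = (x >> j) & 1
            counts = state[i] == "below" or (state[i] == "active" and bit == 0)
            masked.append((int(counts) + r_add[i]) % P)
        # Step 2: the aggregator publishes e = c + r; the masks sum to r.
        e = sum(masked) % P
        # Step 3: each party de-blinds locally; e - share(r) is a share of c.
        c_lin = [(e - s) % P for s in r_lin]
        # Step 4 stand-in: opening c leaks the count; the secure comparison
        # protocol would reveal only how c relates to k.
        c = reconstruct(c_lin, t)
        b = 0 if c >= k else 1
        result |= b << j  # S3: the result is assembled bit by bit
        # Step 5: active inputs whose bit j differs from b are deactivated.
        for i, x in enumerate(values):
            if state[i] == "active" and ((x >> j) & 1) != b:
                state[i] = "above" if b == 0 else "below"
        transcript.append((j, e, c, b))
    return result, transcript

if __name__ == "__main__":
    data = [13, 7, 7, 2, 9]  # constructed sample inputs, one per participant
    for k in range(1, len(data) + 1):
        print(k, kth_smallest(data, k, bits=4)[0])
```
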

[0105] As one possible implementation, the secure comparison protocol is implemented through iterative truncation and randomized multiplication, specifically including the following steps:

[0106] SC1: All participants collaborate to execute a multi-party random number generation protocol, the first... Each participant received ;

[0107] in, For the first Each participant receives a random number. of - Linear secret sharing of shares;

[0108] SC2: Execute The next iteration, in which... +1; Definition For the first Reference value at the next iteration ;

[0109] No. Second-rate( From 0 to The iteration content is:

[0110] 1) If When it is even:

[0111] All parties collaborate to execute the multi-party cutoff protocol, the first... Each participant input ,get , ;

[0112] in, For the first Intermediate values of comparison parameters during round iterations; , ;

[0113] For the first Each participant of - Linear secret sharing of shares; ;

[0114] For the first Each participant of - Linear secret sharing of shares;

[0115] The multi-party cutoff (truncation) protocol is prior art, and the method described in (Octavian Catrina, Sebastiaan de Hoogh: Improved Primitives for Secure Multiparty Integer Computation. SCN 2010: 182-199) is one of the ways it can be implemented.

[0116] if When it is an odd number:

[0117] All parties collaborate to execute the multi-party cutoff protocol, the first... Each participant input ,get , ;

[0118] in , , ;

[0119] 2) Calculation of all participants :

[0120] if When it is even:

[0121]

[0122] if When it is an odd number:

[0123]

[0124] SC3: All parties collaborate to execute the multi-party multiplication agreement, the first... Each participant input and ,get , ;

[0125] in, Indicates the first Each participant received of - Linear secret sharing of shares;

[0126] All participants will receive their respective shares. of - Linear secret sharing shares are sent to the aggregator;

[0127] The aggregated calculation And make a judgment:

[0128] if Then determine ;if Then determine .

[0129] The multi-party multiplication protocol mentioned above is prior art, and the method described in (Nishanth Chandran, Nishka Dasgupta, Divya Gupta, Sai Lakshmi Bhavana Obbattu, Sruthi Sekar, Akash Shah: Efficient Linear Multiparty PSI and Extensions to Circuit / Quorum PSI. CCS 2021: 1182-1204) is one of the ways it can be implemented.

[0130] The lightweight secure comparison protocol described in this embodiment utilizes truncation and randomization techniques in multi-party secure computation. It iteratively processes the published data... and private numbers Perform synchronous halving, if It was eventually reduced to 0 (in) (Before it reaches zero), then it means Smaller; conversely The value was relatively large. Ultimately, random number multiplication was used to hide the specific numerical value, exposing only the zero or non-zero comparison states. This ensured both computational accuracy and strict protection of private numerical values. Your privacy will not be leaked.

[0131] The above description is only a preferred embodiment of the present invention. It should be noted that for those skilled in the art, several improvements and modifications can be made without departing from the principle of the present invention, and these improvements and modifications should also be considered within the scope of protection of the present invention.

Claims

1. A privacy-preserving distributed method for solving the k-th minimum value in a set D that is efficient in both communication and computation, wherein... k is the target index. ;in, Indicates the first Private data of each participant The total number of participants; characterized in that the method includes the following steps: S1: All participants initialize the state of their private data to "active" and obtain the value of k; All parties collaborate to execute the multi-party dual random number function protocol, the first... The participating party is targeting the first Get the private data of the bit and ; ; in, The bit length of private data; In order to target the A random number representing the private data of a given bit; For the first Each participating party received of - Linear secret sharing of shares; For the first Each participating party received of -Additive secret sharing share; Threshold value for sharing linear secrets; S2: All participants, for The value ranges from The following steps are executed sequentially up to 0: 1) Each participant calculates the number according to the following rules. Encrypted contribution share of private data: If the The private data of each participant is in an "active" state, and ,but ; If the The private data of each participant is in an "active" state, and ,but ; If the If the private data of each participant is in an "inactive" state, then ; in, Indicates the first The private data of each participant Bit; Indicates the first The first participating party Encrypted contribution share of private data; 2) Each participating party shall submit its first... The encrypted contribution share of the private data is sent to the aggregator, which can be any designated participant. 
Aggregate calculation of the first Bit-based aggregate mask value: ; in, Indicates the first The aggregate mask value of the bits; The aggregator will Disclosed to all participants; 3) Each participant calculates the corresponding deblinded number of... Sharing the secrets of bit comparison parameters: in, Indicates the first The comparison parameter for the bit; Indicates the first The calculations obtained by each participant of - Linear secret sharing of shares; 4) All parties collaborate to execute the security comparison protocol, by inputting... and k, so that the aggregator obtains The relative magnitude relationship with k; Aggregate calculation of the first The small value is in the first The bit value of the bit: when hour, ;when hour, ; in, Indicates the first The small value is in the first The bit value of the bit; The aggregator will Disclosed to all participants; 5) All participants update the status of their private data: when At that time, and And the first If the private data of the first participant is in an "active" state, then the first participant's private data will be... The status of each participant's private data is updated to "inactive"; S3: The aggregation method calculates the kth minimum value: in, Let represent the k-th smallest value in set D.

2. The method for solving the k-th minimum value with efficient communication and computation and privacy protection in a distributed manner, as described in claim 1, is characterized in that, The secure comparison protocol is implemented through iterative truncation and randomized multiplication.

3. The method for solving the k-th minimum value with efficient communication and computation and privacy protection in a distributed manner, as described in claim 1, is characterized in that... The security comparison protocol includes the following steps: SC1: All participants collaborate to execute a multi-party random number generation protocol, the first... Each participant received ; in, For the first Each participant receives a random number. of - Linear secret sharing of shares; SC2: Execute The next iteration, in which... +1; Definition For the first Reference value at the next iteration ; No. Second-rate( From 0 to The iteration content is: 1) If When it is even: All parties collaborate to execute the multi-party cutoff protocol, the first... Each participant input ,get , ; in, For the first Intermediate values ​​of comparison parameters during round iterations; , ; For the first Each participant of - Linear secret sharing; ; For the first Each participant of - The share of linear secret sharing; if When it is an odd number: All parties collaborate to execute the multi-party cutoff protocol, the first... Each participant input ,get , ; in , , ; 2) Calculation of all participants : if When it is even: if When it is an odd number: SC3: All parties collaborate to execute the multi-party multiplication agreement, the first... Each participant input and ,get , ; in, Indicates the first Each participant received of - Linear secret sharing of shares; All participants will receive their respective shares. of - Linear secret sharing shares are sent to the aggregator; The aggregated calculation And make a judgment: if Then determine ;if Then determine .

4. A computer program product, comprising a computer program, characterized in that, When the computer program is executed by a processor, it implements the method described in any one of claims 1 to 4.