CN112784315A - Multiplication calculation method, device and storage medium in SPDZ series protocol - Google Patents

Publication number
CN112784315A
Authority
CN
China
Prior art keywords
multiplication
elements
level
participant
input
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911067155.6A
Other languages
Chinese (zh)
Inventor
李艳斌
戴永恒
吴韧韬
王鹏达
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Diankeyun Beijing Technology Co ltd
Original Assignee
Diankeyun Beijing Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Diankeyun Beijing Technology Co ltd filed Critical Diankeyun Beijing Technology Co ltd
Priority to CN201911067155.6A priority Critical patent/CN112784315A/en
Publication of CN112784315A publication Critical patent/CN112784315A/en
Pending legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/03 Protocol definition or specification
    • H04L69/26 Special purpose or proprietary protocols or architectures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/72 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Complex Calculations (AREA)

Abstract

The invention provides a multiplication calculation method, a device and a storage medium in an SPDZ series protocol. The method comprises a preprocessing stage and an online calculation stage. The preprocessing stage comprises the following steps: generating a plurality of multiplication tuples with different numbers of elements, wherein the multiplication tuple used for d times of multiplication comprises d basic elements and L extension elements, d ≥ 3,
Figure DDA0002259739520000011
1, …, d-1; the generation process of the multiplication tuple for the multiplication d times comprises the following steps: randomly selecting d random numbers as the d basic elements; taking 2 elements of the d basic elements at a time as input to generate
Figure DDA0002259739520000012
level-1 extension elements associated with the respective input elements; and generating, with already generated elements as input,
Figure DDA0002259739520000013
level-l extension elements associated with the respective input elements. The online calculation step comprises: randomly selecting the multiplication tuple that matches the number of multiplications of the current online calculation, and having each participant perform the multiple multiplication locally based on the selected tuple.

Description

Multiplication calculation method, device and storage medium in SPDZ series protocol
Technical Field
The invention relates to the technical field of information security, in particular to a multiplication calculation method and device in an SPDZ series protocol and a storage medium.
Background
The general idea of secure multi-party computation (MPC) is that n participants $P_1, P_2, \ldots, P_i, \ldots, P_n$ jointly compute a public function $f(x_1, x_2, \ldots, x_i, \ldots, x_n)$, where $x_i$ is the private data of $P_i$. The technology has very important applications in fields such as cloud computing, big data and artificial intelligence. Current research on MPC protocols indicates that their security and performance have met the initial requirements for industrial production. The SPDZ series protocol is one of the well-known MPC protocols for arithmetic circuits, and includes SPDZ, MASCOT, SPDZ2k, and the like.
For MPC protocols for arithmetic circuits, the supported function f is a polynomial in $x_1, x_2, \ldots, x_i, \ldots, x_n$. Thus, a major part of MPC protocol design is to define the addition and multiplication rules on the data structures that protect private data. The same is true of the SPDZ series of protocols. In the SPDZ series protocol, the multiplication rule is defined between two private data, so the protocol must call the multiplication calculation d-1 times iteratively when calculating d times of multiplication; the communication complexity is $O(2^d)$ and the local computational complexity of each party is $O(3^d)$, which makes it difficult to improve calculation efficiency.
How to reduce the complexity of local computation of each party in the secure multiparty computation so as to improve the efficiency is a problem to be solved.
Disclosure of Invention
In view of the above, the embodiments of the present invention provide a multiplication method in SPDZ series protocols to obviate or mitigate one or more of the disadvantages in the prior art.
The technical scheme of the invention is as follows:
According to an aspect of the present invention, there is provided a multiplication calculation method in an SPDZ series protocol, the method comprising a preprocessing step and an online calculation step:
The preprocessing step comprises: generating a plurality of multiplication tuples with different numbers of elements for different times of multiple multiplication, wherein the multiplication tuples comprise a multiplication 3-tuple for 2 times of multiplication and an extended multiplication tuple for more than 3 times of multiplication, and wherein, for the extended multiplication tuple for d times of multiplication, the included elements comprise d basic elements and L extension elements, where d is an integer and d ≥ 3,
Figure BDA0002259739500000021
The generation process of the extended multiplication tuple for the multiplication d times comprises the following steps:
a basic element generation step, in which d random numbers are randomly selected as the d basic elements, where d ≥ 3;
a level-1 extension element generation step, which takes 2 elements of the d basic elements at a time as input and generates, in total,
Figure BDA0002259739500000022
level-1 extension elements associated with the respective input elements;
a level-l extension element generation step, which generates, with already generated elements as input,
Figure BDA0002259739500000023
level-l extension elements associated with the respective input elements, where 2 ≤ l ≤ d-1.
The online calculation step includes: selecting a multiplication tuple that matches the number of multiplications of the current online calculation, and having each participant perform the multiple multiplication locally based on the selected multiplication tuple.
In some embodiments of the present invention, in the case where d is 3, the level-l extension element generating step includes: selecting elements among the
Figure BDA0002259739500000024
level-1 extension elements as a first input, selecting, as a second input, elements among the basic elements other than the input elements associated with the selected extension element, and generating, through the $\Pi_{Triple}$ module,
Figure BDA0002259739500000025
level-2 extension elements.
In some embodiments of the present invention, in the case that d > 3, the level-l extension element generating step includes: selecting elements among the
Figure BDA0002259739500000026
level-1 extension elements as a first input, selecting, as a second input, elements among the basic elements other than the input elements associated with the selected extension element, and generating, through the $\Pi_{Triple}$ module,
Figure BDA0002259739500000027
level-2 extension elements; and taking a generated level-(l-1) extension element and a level-(l-2) extension element other than the extension elements associated with that level-(l-1) extension element as inputs, and generating, through the $\Pi_{Triple}$ module,
Figure BDA0002259739500000028
level-l extension elements.
In some embodiments of the present invention, the step of each participant performing multiple multiplication calculations locally based on the selected multiplication tuple comprises: each participant locally calculates $[x_1 - \text{first basic element}], \ldots, [x_l - l\text{-th basic element}], \ldots, [x_d - d\text{-th basic element}]$ and accordingly discloses $[s_1] = [x_1 - \text{first basic element}], \ldots, [s_l] = [x_l - l\text{-th basic element}], \ldots, [s_d] = [x_d - d\text{-th basic element}]$, where $x_l$ represents the l-th term in the multiple multiplication and $s_l$ represents the ciphertext value corresponding to the l-th term; and decomposing the multiple multiplication into a linear operation on the ciphertext values and the multiplication tuple, thereby obtaining the result of the multiple multiplication.
In some embodiments of the present invention, for the case of d = 3, the online calculation step includes:
each participant $P_i$ locally calculates
Figure BDA0002259739500000029
and discloses
Figure BDA00022597395000000210
each participant $P_i$ locally calculates
Figure BDA00022597395000000211
and discloses
Figure BDA00022597395000000212
each participant $P_i$ locally calculates
Figure BDA00022597395000000213
and discloses
Figure BDA00022597395000000214
each participant $P_i$ locally calculates:
Figure BDA00022597395000000215
Figure BDA00022597395000000216
where $a^{(i)}$, $b^{(i)}$, $c^{(i)}$ are shares of the basic elements;
Figure BDA0002259739500000031
is a share of a level 1 extension element;
Figure BDA0002259739500000032
is a share of a level 2 extension element; $i = 1, 2, \ldots, n$; n is the number of participants;
Figure BDA0002259739500000033
are the shares of $x_1, x_2, x_3$, respectively;
Figure BDA0002259739500000034
are the shares of $s_1, s_2, s_3$, respectively.
In some embodiments of the present invention, for the case of d = 4, the online calculation step includes:
each participant $P_i$ locally calculates
Figure BDA0002259739500000035
and discloses
Figure BDA0002259739500000036
each participant $P_i$ locally calculates
Figure BDA0002259739500000037
and discloses
Figure BDA0002259739500000038
each participant $P_i$ locally calculates
Figure BDA0002259739500000039
and discloses
Figure BDA00022597395000000310
each participant $P_i$ locally calculates
Figure BDA00022597395000000311
and discloses
Figure BDA00022597395000000312
each participant locally calculates:
Figure BDA00022597395000000313
Figure BDA00022597395000000314
Figure BDA00022597395000000315
where $a^{(i)}$, $b^{(i)}$, $c^{(i)}$, $d^{(i)}$ are shares of the basic elements;
Figure BDA00022597395000000316
is a share of a level 1 extension element;
Figure BDA00022597395000000317
is a share of a level 2 extension element;
Figure BDA00022597395000000318
is a share of a level 3 extension element; $i = 1, 2, \ldots, n$; n is the number of participants;
Figure BDA00022597395000000319
are the shares of $x_1, x_2, x_3, x_4$, respectively;
Figure BDA00022597395000000320
Figure BDA00022597395000000321
are the shares of $s_1, s_2, s_3, s_4$, respectively.
In some embodiments of the present invention, the method further comprises the data computation initiator obtaining the computation results of multiple multiplications based on the computed slices of the respective participants.
In some embodiments of the invention, the multiplication tuple is generated by the individual participants by calling the $\Pi_{Triple}$ module.
In another aspect of the present invention, there is also provided a multiplication computation apparatus in an SPDZ series protocol, the apparatus includes a processor and a memory, the memory stores computer instructions, the processor is configured to execute the computer instructions stored in the memory, and when the computer instructions are executed by the processor, the apparatus implements the steps of the method as described above.
The invention also provides a computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method as set forth above.
Additional advantages, objects, and features of the invention will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
It will be appreciated by those skilled in the art that the objects and advantages that can be achieved with the present invention are not limited to the specific details set forth above, and that these and other objects that can be achieved with the present invention will be more clearly understood from the detailed description that follows.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the principles of the invention. The components in the figures are not necessarily to scale, emphasis instead being placed upon illustrating the principles of the invention. For purposes of illustrating and describing some portions of the present invention, corresponding parts of the drawings may be exaggerated, i.e., may be larger, relative to other components in an exemplary apparatus actually manufactured according to the present invention. In the drawings:
Fig. 1 is a flowchart of a multiplication method in the SPDZ series protocol according to an embodiment of the present invention.
Fig. 2 is a flowchart of each participant generating its shares of a multiplication tuple according to the number d of multiple multiplications to be calculated, according to another embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the following embodiments and accompanying drawings. The exemplary embodiments and descriptions of the present invention are provided to explain the present invention, but not to limit the present invention.
It should be noted that, in order to avoid obscuring the present invention with unnecessary details, only the structures and/or processing steps closely related to the scheme according to the present invention are shown in the drawings, and other details not so relevant to the present invention are omitted.
It should be emphasized that the term "comprises/comprising" when used herein, is taken to specify the presence of stated features, elements, steps or components, but does not preclude the presence or addition of one or more other features, elements, steps or components.
Hereinafter, embodiments of the present invention will be described with reference to the accompanying drawings. In the drawings, the same reference numerals denote the same or similar parts, or the same or similar steps.
In the prior art, in order to complete multi-party cooperative computation efficiently and securely, the existing SPDZ series protocol includes two stages: a preprocessing stage and an online stage. The preprocessing stage is independent of the function to be calculated and of its inputs, and prepares data material for the calculation of the online stage, so that the online stage can quickly complete the calculation of the cooperative function. The preprocessing stage of the SPDZ series protocol can be implemented by an oblivious transfer protocol or homomorphic encryption, which is not described in detail herein.
Taking the version of the SPDZ series protocol against a semi-honest adversary as an example, in order to protect private data
Figure BDA0002259739500000041
from being revealed to participants other than the data owner, the SPDZ series protocol employs a data structure based on an additive secret sharing scheme:
$[x] = (x^{(1)}, \ldots, x^{(i)}, \ldots, x^{(n)})$.
Here the square brackets "[ ]" indicate that the enclosed element is held in an additive data-sharing structure over a finite field: participant $P_i$ holds the random data fragment (share) $x^{(i)}$, and in the finite field
Figure BDA0002259739500000051
$x = \sum_i x^{(i)}$ ($1 \le i \le n$), where n is the number of participants.
Clearly, it is easy to compute additions on this data structure: $[x + y] = [x] + [y]$. Multiplication is more complex: calculating $[x \cdot y]$ requires the assistance of Beaver triples. A Beaver triple is a tuple $([a], [b], [c])$ generated jointly by the parties, where a and b are random numbers and c satisfies $c = a \cdot b$; participant $P_i$ holds the shares $a^{(i)}$, $b^{(i)}$, $c^{(i)}$ of $[a]$, $[b]$, $[c]$. Most of the work of the existing preprocessing stage is to generate a large number of Beaver multiplication triples (called Beaver triples or triples for short) to meet the requirement of securely calculating multiplications in the online stage. In the SPDZ series protocol, the module that generates Beaver triples in the preprocessing stage is $\Pi_{Triple}$, implemented by an oblivious transfer protocol or a homomorphic encryption algorithm. Once a Beaver triple $([a], [b], [c])$ has been successfully generated, the rule for calculating $[x \cdot y]$ is as follows:
1) The participants compute $[x - a]$ locally and disclose the ciphertext $s = x - a$ (each party broadcasts its share of the ciphertext s). Although the value s depends on the private data x, x is hidden by the mask value a, so s does not reveal any information about x.
That is, party $P_i$ computes $x^{(i)} - a^{(i)}$ locally and discloses
Figure BDA0002259739500000052
2) Likewise, the participants compute $[y - b]$ locally and disclose $t = y - b$ (each broadcasting its share of t).
That is, party $P_i$ computes $y^{(i)} - b^{(i)}$ locally and discloses
Figure BDA0002259739500000053
3) Since s and t are public and each participant $P_i$ holds its shares of $[a]$, $[b]$, $[c]$, the participants can obtain $[x \cdot y]$ by the local calculation $[x \cdot y] = s \cdot t + t[a] + s[b] + [c]$.
More specifically, after each participant $P_i$ completes its calculation of $[x \cdot y]$, it can send its share to a data demand party, such as the computation initiator, and the initiator obtains $[x \cdot y]$ based on the calculation result of each share.
The inventor finds that, when multiple multiplications are calculated, the existing operation rule needs to call the multiplication iteratively several times, so that the communication and computation complexity of the online stage grows rapidly with the algebraic degree of the function to be calculated. When d multiplications are calculated, (d-1) multiplications must be called iteratively, so the communication complexity is $O(2^d)$ and the local computational complexity of each party is $O(3^d)$, which makes it difficult to further improve calculation efficiency.
In order to solve the problems in the prior art, the invention improves the multiplication rule in the SPDZ series protocol and provides a multiplication method for any finite number of private data; without loss of generality, it gives the calculation process of the multiple multiplication $[x_1 \cdot x_2 \cdot \ldots \cdot x_d]$. The invention can apply multiplication among any finite number of private data and moves the expensive operations of the multiplication to the preprocessing stage, so that the communication complexity of completing d multiplications in the online stage is reduced from $O(2^d)$ to d, and the local computational complexity of each party is reduced from $O(3^d)$ to $O(d 2^d)$. The performance of the SPDZ series protocol in completing secure computation is therefore optimized to a great extent. Meanwhile, the invention changes the SPDZ series protocol very little while obtaining this performance optimization, so the cost of applying the change to an already deployed protocol is small.
Fig. 1 is a flowchart illustrating a multiplication method in the SPDZ series protocol according to an embodiment of the present invention. As shown in fig. 1, the method still includes a preprocessing stage S110 and an online computation stage S120, but moves the expensive operations of the multiplication operations to the preprocessing stage.
More specifically, the preprocessing stage or preprocessing step S110 includes: generating a large number of multiplication tuples having different numbers of elements for different multiple multiplications. The multiplication tuples include a multiplication 3-tuple for 2 multiplications and an extended multiplication tuple for more than 3 multiplications.
For an extended multiplication tuple used for more than three multiplications (d multiplications, where d is an integer and d ≥ 3), the included elements comprise d basic elements and L extension elements,
Figure BDA0002259739500000061
Figure BDA0002259739500000062
The L extension elements include
Figure BDA0002259739500000063
level-1 extension elements,
Figure BDA0002259739500000064
level-2 extension elements, ...,
Figure BDA0002259739500000065
level-l extension elements, ..., and 1 level-(d-1) extension element.
As shown in Fig. 2, the generation process of the multiplication tuple for the multiplication d times includes:
a basic element generation step S210, in which d random numbers are randomly selected as the d basic elements;
a level-1 extension element generation step S220 of taking 2 elements of the d basic elements at a time as inputs and generating, in total,
Figure BDA0002259739500000066
level-1 extension elements associated with the respective input elements;
a level-l extension element generation step S230 of generating, with already generated elements as inputs,
Figure BDA0002259739500000067
level-l extension elements associated with the respective input elements, where 2 ≤ l ≤ d-1.
The level-l extension element generation step is repeated for different values of l until the level-(d-1) extension elements of the multiplication tuple are generated.
For example, in the case where d is 3, the level-l extension element generating step S230 may include:
selecting elements among the
Figure BDA0002259739500000068
level-1 extension elements as a first input, selecting, as a second input, elements among the basic elements other than the input elements associated with the selected extension element, and generating, through the $\Pi_{Triple}$ module,
Figure BDA00022597395000000610
level-2 extension elements.
For another example, in the case that d > 3, the level-l extension element generating step S230 may include:
selecting elements among the
Figure BDA0002259739500000069
level-1 extension elements as a first input, selecting, as a second input, elements among the basic elements other than the input elements associated with the selected extension element, and generating, through the $\Pi_{Triple}$ module,
Figure BDA00022597395000000611
level-2 extension elements;
and taking a generated level-(l-1) extension element and a level-(l-2) extension element other than the extension elements associated with that level-(l-1) extension element as inputs, and generating, through the $\Pi_{Triple}$ module,
Figure BDA00022597395000000612
level-l extension elements.
Based on the large number of multiplication tuples with different numbers of elements, corresponding to different multiplication times, generated in the preprocessing stage, each participant can select a corresponding multiplication tuple for the multiple multiplication calculation in the online calculation stage.
Referring to Fig. 1 again, the online calculation stage or online calculation step S120 includes: randomly selecting a multiplication tuple that matches the number of multiplications of the current online calculation, and having each participant perform the multiple multiplication locally based on the selected multiplication tuple.
The step of the participant performing multiple multiplication calculations locally based on the selected multiplication tuple may include:
(1) each participant locally calculates $[x_1 - \text{first basic element}], \ldots, [x_l - l\text{-th basic element}], \ldots, [x_d - d\text{-th basic element}]$ and accordingly discloses $[s_1] = [x_1 - \text{first basic element}], \ldots, [s_l] = [x_l - l\text{-th basic element}], \ldots, [s_d] = [x_d - d\text{-th basic element}]$, where $x_l$ represents the l-th term in the multiple multiplication and $s_l$ represents the ciphertext value corresponding to the l-th term; and
(2) decomposing the multiple multiplication into a linear operation on the ciphertext values and the multiplication tuple, thereby obtaining the result of the multiple multiplication.
The present invention differs significantly from the existing preprocessing stage. In the existing preprocessing stage only Beaver triples $([a], [b], [c])$ are generated; in a multiple multiplication calculation, Beaver triples $([a], [b], [c])$ are used several times and the computation is completed by calling the multiplication iteratively, so the complexity is high. In the embodiment of the invention, the Beaver triple $([a], [b], [c])$ is extended: a large number of multiplication tuples comprising d + L elements are generated in the preprocessing stage to avoid multiple iterations in the online stage. That is, the preprocessing stage generates not only Beaver triples for 2 times of multiplication calculation but also a large number of multiplication tuples comprising d + L elements for more than 3 times of multiplication calculation; such a multiplication tuple can also be called an extended Beaver multiplication tuple, or extended multiplication tuple for short. The multiplication tuple in the embodiment of the invention includes d basic elements and L extension elements generated from the d basic elements. Each participant may call the $\Pi_{Triple}$ module to generate the multiplication tuple.
In the following, taking d = 3 and d = 4 as examples, the multiplication method for any finite number of private data, i.e., the calculation process of $[x_1 \cdot x_2 \cdot \ldots \cdot x_d]$, is given without loss of generality.
When d is 3, the corresponding tuple is a 7-tuple, i.e., an extended Beaver 7-tuple, which includes $[a], [b], [c], [p_{ab}], [p_{bc}], [p_{ca}], [p_{abc}]$, where $[a], [b], [c]$ are the basic elements and $[p_{ab}], [p_{bc}], [p_{ca}], [p_{abc}]$ are the extension elements, i.e.
Figure BDA0002259739500000071
$[p_{ab}], [p_{bc}], [p_{ca}]$ may be referred to as level 2 extension elements, and $[p_{abc}]$ may be referred to as a level 3 extension element. The extension elements satisfy: $p_{ab} = a \cdot b$, $p_{bc} = b \cdot c$, $p_{ca} = c \cdot a$ and $p_{abc} = a \cdot b \cdot c$. In this embodiment, the extended Beaver multiplication tuple may be generated by calling the $\Pi_{Triple}$ module.
The specific process of generating the extended Beaver 7-tuple is as follows:
1) Randomly select $[a]$, $[b]$ as input and generate $[p_{ab}]$ through $\Pi_{Triple}$; $[p_{ab}]$ can then be considered associated with $[a]$ and $[b]$.
2) Randomly select $[c]$ and $[b]$ as input and generate $[p_{bc}]$ through $\Pi_{Triple}$; $[p_{bc}]$ can then be considered associated with $[b]$ and $[c]$.
3) Take $[c]$, $[a]$ as input and generate $[p_{ac}]$ through $\Pi_{Triple}$; $[p_{ac}]$ can then be considered associated with $[a]$ and $[c]$.
4) Take $[p_{ab}]$ and $[c]$ as input and generate $[p_{abc}]$ through $\Pi_{Triple}$; $[p_{abc}]$ can then be considered associated with $[p_{ab}]$ and $[c]$.
In the case where d is 3, the operation of $[x_1 \cdot x_2 \cdot x_3]$ performed in the online calculation step S120 comprises:
(1) Each participant $P_i$ locally calculates
Figure BDA0002259739500000081
and discloses
Figure BDA0002259739500000082
(2) Each participant $P_i$ locally calculates
Figure BDA0002259739500000083
and discloses
Figure BDA0002259739500000084
(3) Each participant $P_i$ locally calculates
Figure BDA0002259739500000085
and discloses
Figure BDA0002259739500000086
(4) Each participant $P_i$ locally calculates:
Figure BDA0002259739500000087
Figure BDA0002259739500000088
where $a^{(i)}$, $b^{(i)}$, $c^{(i)}$ are shares of the basic elements;
Figure BDA0002259739500000089
is a share of a level 1 extension element;
Figure BDA00022597395000000810
is a share of a level 2 extension element; $i = 1, 2, \ldots, n$; n is the number of participants;
Figure BDA00022597395000000811
are the shares of $x_1, x_2, x_3$, respectively;
Figure BDA00022597395000000812
are the shares of $s_1, s_2, s_3$, respectively.
That is, the participants operate based on the following operation rule: $[x_1 \cdot x_2 \cdot x_3] = s_1 s_2 s_3 + s_2 s_3 [a] + s_3 s_1 [b] + s_1 s_2 [c] + s_3 [p_{ab}] + s_1 [p_{bc}] + s_2 [p_{ca}] + [p_{abc}]$.
The data calculation initiator obtains the calculation result $[x_1 \cdot x_2 \cdot x_3]$ of multiplying the 3 data based on the calculation of each participant.
For another example, for the case of d = 4, the corresponding tuple is a 15-tuple, i.e., an extended Beaver 15-tuple, which includes: $[a], [b], [c], [d], [p_{ab}], [p_{ac}], [p_{ad}], [p_{bc}], [p_{bd}], [p_{cd}], [p_{abc}], [p_{abd}], [p_{bcd}], [p_{acd}], [p_{abcd}]$, where $p_{jk} = j \cdot k$ ($j, k \in [a, b, c, d]$), $p_{jkm} = j \cdot k \cdot m$ ($j, k, m \in [a, b, c, d]$), and $p_{abcd} = a \cdot b \cdot c \cdot d$. $[a], [b], [c], [d]$ may be called basic elements, and $[p_{ab}], [p_{ac}], [p_{ad}], [p_{bc}], [p_{bd}], [p_{cd}], [p_{abc}], [p_{abd}], [p_{bcd}], [p_{acd}], [p_{abcd}]$ may be called extension elements, where $[p_{ab}], [p_{ac}], [p_{ad}], [p_{bc}], [p_{bd}], [p_{cd}]$ are level 2 extension elements, $[p_{abc}], [p_{abd}], [p_{bcd}], [p_{acd}]$ are level 3 extension elements, and $[p_{abcd}]$ is a level 4 extension element. Such an extended Beaver multiplication tuple is also generated by calling the module $\Pi_{Triple}$.
The specific process of generating the extended Beaver 15-tuple is as follows:
1) Randomly select $[a]$, $[b]$, $[c]$, $[d]$;
2) Take $[a]$ and $[b]$ as input and generate $[p_{ab}]$ through $\Pi_{Triple}$;
3) Take $[a]$ and $[c]$ as input and generate $[p_{ac}]$ through $\Pi_{Triple}$;
4) Take $[a]$ and $[d]$ as input and generate $[p_{ad}]$ through $\Pi_{Triple}$;
5) Take $[b]$ and $[c]$ as input and generate $[p_{bc}]$ through $\Pi_{Triple}$;
6) Take $[b]$ and $[d]$ as input and generate $[p_{bd}]$ through $\Pi_{Triple}$;
7) Take $[c]$ and $[d]$ as input and generate $[p_{cd}]$ through $\Pi_{Triple}$;
8) Take $[p_{ab}]$ and $[c]$ as input and generate $[p_{abc}]$ through $\Pi_{Triple}$;
9) Take $[p_{ab}]$ and $[d]$ as input and generate $[p_{abd}]$ through $\Pi_{Triple}$;
10) Take $[p_{bc}]$ and $[d]$ as input and generate $[p_{bcd}]$ through $\Pi_{Triple}$;
11) Take $[p_{ac}]$ and $[d]$ as input and generate $[p_{acd}]$ through $\Pi_{Triple}$;
12) Take $[p_{ab}]$ and $[p_{cd}]$ as input and generate $[p_{abcd}]$ through $\Pi_{Triple}$.
In the case where d is 4, [ x ] performed in the online calculation step S1201·x2·x3·x4]The operation of (1) comprises:
(1) Each participant $P_i$ locally computes
Figure BDA0002259739500000091
and discloses
Figure BDA0002259739500000092
(2) Each participant $P_i$ locally computes
Figure BDA0002259739500000093
and discloses
Figure BDA0002259739500000094
(3) Each participant $P_i$ locally computes
Figure BDA0002259739500000095
and discloses
Figure BDA0002259739500000096
(4) Each participant $P_i$ locally computes
Figure BDA0002259739500000097
and discloses
Figure BDA0002259739500000098
(5) Each participant locally computes:
Figure BDA0002259739500000099
Figure BDA00022597395000000910
Figure BDA00022597395000000911
where $a^{(i)}$, $b^{(i)}$, $c^{(i)}$, $d^{(i)}$ are shares of the basic elements;
Figure BDA00022597395000000912
is a share of a level 1 extension element;
Figure BDA00022597395000000913
is a share of a level 2 extension element;
Figure BDA00022597395000000914
is a share of a level 3 extension element; $i = 1, 2, \ldots, n$; $n$ is the number of participants;
Figure BDA00022597395000000915
are the shares of $x_1$, $x_2$, $x_3$, $x_4$, respectively;
Figure BDA00022597395000000916
Figure BDA00022597395000000917
are the shares of $s_1$, $s_2$, $s_3$, $s_4$, respectively.
That is, the participants operate according to the following rule: $[x_1 \cdot x_2 \cdot x_3 \cdot x_4] = s_1 s_2 s_3 s_4 + s_1 s_2 s_3 [d] + s_1 s_2 s_4 [c] + s_1 s_3 s_4 [b] + s_2 s_3 s_4 [a] + s_1 s_2 [p_{cd}] + s_1 s_3 [p_{bd}] + s_1 s_4 [p_{bc}] + s_2 s_3 [p_{ad}] + s_2 s_4 [p_{ac}] + s_3 s_4 [p_{ab}] + s_1 [p_{bcd}] + s_2 [p_{acd}] + s_3 [p_{abd}] + s_4 [p_{abc}] + [p_{abcd}]$.
The data computation initiator obtains the result $[x_1 \cdot x_2 \cdot x_3 \cdot x_4]$ of multiplying the 4 data items based on the values computed by each participant.
Such an operation rule can be easily extended to the case where d > 4.
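The d = 3 and d = 4 rules above are two instances of one sum over subsets of the basic elements, which the following Python sketch carries out for any d. It is an added example, not code from the patent: it uses plain additive sharing over a constructed prime field, omits the SPDZ MACs, and replaces the Π_Triple calls with a trusted dealer; all function names and the modulus are assumptions.

```python
import secrets
from itertools import combinations
from math import prod

P = 2**61 - 1  # constructed prime modulus for the demo field (assumption)

def share(value, n):
    """Split value into n additive shares over F_P."""
    parts = [secrets.randbelow(P) for _ in range(n - 1)]
    return parts + [(value - sum(parts)) % P]

def open_shares(shares):
    """Reconstruct a value from all n additive shares."""
    return sum(shares) % P

def gen_extended_tuple(d, n):
    """Dealer stand-in for preprocessing. Returns ({index subset: shares of the
    product of those basic elements}, number of pairwise multiplications)."""
    vals = {(j,): secrets.randbelow(P) for j in range(d)}  # basic elements
    mult_calls = 0
    for size in range(2, d + 1):
        for subset in combinations(range(d), size):
            # Each extension element is the product of two earlier elements,
            # which is where the protocol would call Pi_Triple.
            vals[subset] = vals[subset[:-1]] * vals[(subset[-1],)] % P
            mult_calls += 1
    return {k: share(v, n) for k, v in vals.items()}, mult_calls

def online_multiply(x_shares, tup, n):
    """x_shares[j][i] is party i's share of x_j. Returns (shares of the
    product, number of values opened in the single online round)."""
    d = len(x_shares)
    # Each party publishes x_j^(i) - a_j^(i); summing gives s_j = x_j - a_j.
    s = [open_shares([(x_shares[j][i] - tup[(j,)][i]) % P for i in range(n)])
         for j in range(d)]
    result = []
    for i in range(n):
        # The public monomial s_1...s_d is added by one party only.
        acc = prod(s) % P if i == 0 else 0
        for subset, sh in tup.items():
            # Coefficient: product of the opened s_j whose index is NOT in
            # the subset; the share of p_subset supplies the remaining factors.
            coeff = prod(s[j] for j in range(d) if j not in subset) % P
            acc = (acc + coeff * sh[i]) % P
        result.append(acc)
    return result, len(s)

def demo(xs=(3, 5, 7, 11), n=3):
    """Constructed inputs: multiply len(xs) private values among n parties."""
    tup, calls = gen_extended_tuple(len(xs), n)
    x_shares = [share(x, n) for x in xs]
    z_shares, opened = online_multiply(x_shares, tup, n)
    return open_shares(z_shares), len(tup), calls, opened

if __name__ == "__main__":
    print(demo())  # (product, tuple size, multiplications, openings)
```

For d = 4 the tuple holds 15 elements built with 11 pairwise multiplications, matching steps 2) to 12) above, while only the 4 masked values are opened online.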
The invention improves the multiplication operation in the SPDZ series of protocols. Based on the special data structure adopted by these protocols, it moves the expensive operations into the preprocessing phase, so that multiplication, which in the SPDZ series of protocols is used only between two private data items, is extended to any finite number of private data items. This greatly reduces the communication complexity and the computational complexity required to compute multiplications in the online phase. That is, the invention generates a large number of extended Beaver multiplication tuples in the preprocessing phase; the expression obtained from an extended Beaver multiplication tuple is a sum of $2^d$ monomials, each of which multiplies at most d factors, so that the communication complexity in the online phase is reduced from $O(2^d)$ to $d$, and the local computational complexity of the parties is reduced from $O(3^d)$ to $O(d \cdot 2^d)$.
Therefore, the invention greatly improves the performance of the SPDZ series of protocols in carrying out secure computation.
Furthermore, modifying a deployed protocol requires a great deal of work: the longer a protocol has been in use and the more of its components have been optimized, the more costly the modifications become. The invention was made in an effort to find a solution that minimizes modifications to deployed protocols while achieving maximum performance optimization or greater security. The invention changes the SPDZ series of protocols very little while obtaining the performance optimization, so that the cost of applying the change to a deployed protocol is small while the benefit of improved performance is obtained. That is, the invention greatly reduces the communication and computational complexity required for secure computation by fine-tuning the SPDZ series of protocols.
Accordingly, the present invention also provides a multiplication computation apparatus in an SPDZ series protocol, the apparatus comprising a processor and a memory, the memory for storing computer instructions, the processor for executing the computer instructions stored in the memory, the apparatus implementing the steps of the method as described above when the computer instructions are executed by the processor.
In some embodiments of the present disclosure, the multiplication computation apparatus may further include a transceiver unit in addition to the processor and the memory, the transceiver unit may include a receiver and a transmitter, the processor, the memory, the receiver and the transmitter may be connected by a bus system, the memory is used for storing computer instructions, and the processor is used for executing the computer instructions stored in the memory to control the transceiver unit to transmit and receive signals, so as to implement the foregoing method steps.
The present disclosure also relates to storage media, which may be tangible storage media such as optical disks, U-disks, floppy disks, hard disks, etc., on which computer program code may be stored, which when executed may implement various embodiments of the method of the present invention.
It is to be understood that the invention is not limited to the specific arrangements and instrumentality described above and shown in the drawings. A detailed description of known methods is omitted herein for the sake of brevity. In the above embodiments, several specific steps are described and shown as examples. However, the method processes of the present invention are not limited to the specific steps described and illustrated, and those skilled in the art can make various changes, modifications and additions or change the order between the steps after comprehending the spirit of the present invention.
Those of ordinary skill in the art will appreciate that the various illustrative components, systems, and methods described in connection with the embodiments disclosed herein may be implemented as hardware, software, or combinations of both. Whether this is done in hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention. When implemented in hardware, it may be, for example, an electronic circuit, an Application Specific Integrated Circuit (ASIC), suitable firmware, plug-in, function card, or the like. When implemented in software, the elements of the invention are the programs or code segments used to perform the required tasks. The program or code segments may be stored in a machine-readable medium or transmitted by a data signal carried in a carrier wave over a transmission medium or a communication link. A "machine-readable medium" may include any medium that can store or transfer information. Examples of a machine-readable medium include electronic circuits, semiconductor memory devices, ROM, flash memory, Erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, Radio Frequency (RF) links, and so forth. The code segments may be downloaded via computer networks such as the internet, intranet, etc.
It should also be noted that the exemplary embodiments mentioned in this patent describe some methods or systems based on a series of steps or devices. However, the present invention is not limited to the order of the above-described steps, that is, the steps may be performed in the order mentioned in the embodiments, may be performed in an order different from the order in the embodiments, or may be performed simultaneously.
Features that are described and/or illustrated with respect to one embodiment may be used in the same way or in a similar way in one or more other embodiments and/or in combination with or instead of the features of the other embodiments in the present invention.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention, and various modifications and changes may be made to the embodiment of the present invention by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A multiplication computation method in an SPDZ series protocol, the method comprising a preprocessing step and an online computation step:
the preprocessing step comprises: generating a plurality of multiplication tuples with different numbers of elements for multiple multiplications of different numbers of times, wherein the multiplication tuples comprise a multiplication 3-tuple for 2-fold multiplication and an extended multiplication tuple for more than 3-fold multiplication, and the extended multiplication tuple for d-fold multiplication comprises d basic elements and L extension elements, where d is an integer and d ≥ 3,
Figure FDA0002259739490000011
l = 1, …, d-1;
the generation process of the extended multiplication tuple for d-fold multiplication comprises the following steps:
a basic element generation step, wherein d random numbers are randomly selected to serve as the d basic elements;
a level 1 extension element generation step, which takes 2 elements among the d basic elements as input each time and generates in total
Figure FDA0002259739490000012
level 1 extension elements, each associated with its respective input elements;
an l-level extension element generation step, which takes already generated elements as input and generates
Figure FDA0002259739490000013
l-level extension elements, each associated with its respective input elements, where 2 ≤ l ≤ d-1;
the online computation step comprises: selecting a multiplication tuple that matches the number of multiplications of the online computation currently to be performed, and each participant locally performing the computation of the multiple multiplication based on the selected multiplication tuple.
2. The method of claim 1, wherein in the case of d = 3, the l-level extension element generation step comprises:
taking elements among the
Figure FDA0002259739490000014
level 1 extension elements as a first input, selecting as a second input an element among the basic elements other than the input elements associated with the selected extension element, and generating, by the Π_Triple module,
Figure FDA0002259739490000015
level 2 extension elements.
3. The method according to claim 1, wherein in the case of d > 3, the l-level extension element generation step comprises:
taking elements among the
Figure FDA0002259739490000016
level 1 extension elements as a first input, selecting as a second input an element among the basic elements other than the input elements associated with the selected extension element, and generating, by the Π_Triple module,
Figure FDA0002259739490000017
level 2 extension elements;
taking as inputs, respectively, a generated (l-1)-level extension element and an (l-2)-level extension element other than the extension elements associated with that (l-1)-level extension element, and generating, by the Π_Triple module,
Figure FDA0002259739490000018
l-level extension elements.
4. The method of claim 1, wherein the step of each participant locally performing the computation of the multiple multiplication based on the selected multiplication tuple comprises:
each participant locally computes [x_1 - first basic element], …, [x_l - l-th basic element], …, [x_d - d-th basic element], and correspondingly discloses [s_1] = [x_1 - first basic element], [s_l] = [x_l - l-th basic element], …, [s_d] = [x_d - d-th basic element], where x_l denotes the l-th term in the multiple multiplication and s_l denotes the ciphertext value corresponding to the l-th term;
and decomposing the multiple multiplication into linear operations on the ciphertext values and the multiplication tuple, thereby obtaining the result of the multiple multiplication.
5. The method of claim 4, wherein for the case of d = 3, the online computation step comprises:
each participant $P_i$ locally computes
Figure FDA0002259739490000021
and discloses
Figure FDA0002259739490000022
each participant $P_i$ locally computes
Figure FDA0002259739490000023
and discloses
Figure FDA0002259739490000024
each participant $P_i$ locally computes
Figure FDA0002259739490000025
and discloses
Figure FDA0002259739490000026
each participant $P_i$ locally computes:
Figure FDA0002259739490000027
Figure FDA0002259739490000028
where $a^{(i)}$, $b^{(i)}$, $c^{(i)}$ are shares of the basic elements;
Figure FDA0002259739490000029
is a share of a level 1 extension element;
Figure FDA00022597394900000210
is a share of a level 2 extension element; $i = 1, 2, \ldots, n$; $n$ is the number of participants;
Figure FDA00022597394900000211
are the shares of $x_1$, $x_2$, $x_3$, respectively;
Figure FDA00022597394900000212
are the shares of $s_1$, $s_2$, $s_3$, respectively.
6. The method of claim 4, wherein for the case of d = 4, the online computation step comprises:
each participant $P_i$ locally computes
Figure RE-FDA00023322263200000213
and discloses
Figure RE-FDA00023322263200000214
each participant $P_i$ locally computes
Figure RE-FDA00023322263200000215
and discloses
Figure RE-FDA00023322263200000216
each participant $P_i$ locally computes
Figure RE-FDA00023322263200000217
and discloses
Figure RE-FDA00023322263200000218
each participant $P_i$ locally computes
Figure RE-FDA00023322263200000219
and discloses
Figure RE-FDA00023322263200000220
each participant locally computes:
Figure RE-FDA00023322263200000221
Figure RE-FDA00023322263200000222
where $a^{(i)}$, $b^{(i)}$, $c^{(i)}$, $d^{(i)}$ are shares of the basic elements;
Figure RE-FDA00023322263200000223
is a share of a level 1 extension element;
Figure RE-FDA00023322263200000224
is a share of a level 2 extension element;
Figure RE-FDA00023322263200000225
is a share of a level 3 extension element; $i = 1, 2, \ldots, n$; $n$ is the number of participants;
Figure RE-FDA00023322263200000226
are the shares of $x_1$, $x_2$, $x_3$, $x_4$, respectively;
Figure RE-FDA0002332226320000031
are the shares of $s_1$, $s_2$, $s_3$, $s_4$, respectively.
7. The method according to claim 5 or 6, wherein the method further comprises the step that the data computation initiator obtains the computation result of the multiple multiplication based on the shares computed by the respective participants.
8. The method of claim 1, wherein the multiplication tuple is generated by the Π_Triple module, which is called by the respective participants.
9. A multiplication computation apparatus in an SPDZ series protocol, the apparatus comprising a processor and a memory, wherein the memory has stored therein computer instructions, the processor being configured to execute the computer instructions stored in the memory, and wherein the apparatus implements the steps of the method of any one of claims 1-7 when the computer instructions are executed by the processor.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 8.