CN112800478A - Method, device and system for determining shared data for protecting private data - Google Patents


Info

Publication number
CN112800478A
Authority
CN
China
Prior art keywords
party
random vector
private data
random
data
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110370782.8A
Other languages
Chinese (zh)
Other versions
CN112800478B (en)
Inventor
李漓春
尹栋
赵原
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alipay Hangzhou Information Technology Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd
Application filed by Alipay Hangzhou Information Technology Co Ltd
Priority to CN202110370782.8A
Publication of CN112800478A
Publication of CN112800478B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/58 Random or pseudo-random number generators
    • G06F7/588 Random number generators, i.e. based on natural stochastic processes

Abstract

The embodiments of this specification provide a method, a device and a system for determining shared data while protecting private data. The method comprises: a first party performs secure multi-party computation with a second party to obtain a first random vector and a second random vector, where the first random vector, the second random vector, and the random value and the third random vector of the second party satisfy a first relation; obtaining a corresponding first result for each first private data; constructing an operation function such that the operation result of the operation function for each first private data is equal to the first result; sending the operation function to the second party; receiving from the second party a first result sequence obtained by performing first processing on each second private data, where the first processing uses the first relation, the operation function and a hash operation; obtaining a second result sequence for the first private data; and determining the intersection of the first result sequence and the second result sequence in order to determine the common data. Performance can thereby be improved.

Description

Method, device and system for determining shared data for protecting private data
Technical Field
One or more embodiments of the present description relate to the field of computers, and more particularly, to a method, apparatus, and system for determining shared data for protecting private data.
Background
Many current scenarios involve determining the data common to two parties, for example two parties finding their common customers for joint marketing. This raises data privacy issues: on the one hand, neither data holder wants to output its private data in plaintext, in order to prevent leakage during transmission and to prevent the other party from storing and illegally spreading the data after transmission; on the other hand, data collaboration requires the two parties to find their common data without revealing any data other than the common data. It is therefore desirable to implement this with secure multi-party computation.
In the prior art, the common data of two parties is determined securely by a double-encryption ciphertext matching method; the encryption algorithms used involve elliptic-curve point multiplication or large-integer modular exponentiation, which are computationally expensive, so performance is poor.
Accordingly, improved approaches are desired that can improve performance in shared data determination that protects private data.
Disclosure of Invention
One or more embodiments of the present specification describe a method, an apparatus, and a system for determining shared data for protecting privacy data, which can improve performance in determining shared data for protecting privacy data.
In a first aspect, a method for determining shared data between a number of first private data owned by a first party and a number of second private data owned by a second party is provided, the method being performed by the first party and comprising:
performing secure multi-party computation with the second party to obtain a first random vector and a second random vector; the second party obtains a third random vector and a random value, and the first random vector, the second random vector, the random value and the third random vector satisfy a first relation;
aiming at each first private data, respectively carrying out first local operation on the first private data and the second random vector to obtain respectively corresponding first results;
constructing a second operation function so that an operation result of the second operation function for each first privacy data is equal to the first result; and sending the second operation function to the second party;
receiving a first result sequence obtained by performing first processing on each second privacy data from the second party; the first processing includes combining a function value of the second operation function and an operation value of a first local operation performed on the third random vector by using the first relationship, and performing a hash operation on a combined result;
aiming at each first private data, respectively carrying out the first local operation on the first private data and the first random vector, and then executing the Hash operation to obtain a second result sequence;
and determining the intersection of the first result sequence and the second result sequence, and determining the common data according to the intersection.
In one possible implementation, the secure multi-party computation includes:
performing a random vector oblivious linear evaluation (VOLE) protocol over a finite field in cooperation with the second party to obtain the first random vector and the second random vector; the second party obtains the third random vector and a random value.
In a possible implementation manner, the performing, for each first private data, a first local operation with the second random vector respectively includes:
respectively generating a pseudorandom vector corresponding to each first private data by using a pseudorandom function aiming at each first private data;
and performing dot product operation on each pseudo-random vector and the second random vector respectively to obtain first results corresponding to each first private data respectively.
In a possible embodiment, the second operation function is a polynomial operation function; the sending the second operation function to the second party includes:
sending coefficients of the polynomial operation function to the second party.
In a possible implementation manner, the performing the first local operation on each first private data and the first random vector, and then performing the hash operation includes:
respectively generating a pseudorandom vector corresponding to each first private data by using a pseudorandom function aiming at each first private data;
performing dot product operation on each pseudo-random vector and the first random vector to obtain intermediate results corresponding to each first privacy data;
and mapping each intermediate result to obtain a second result sequence formed by results corresponding to each first private data at least by using the Hash operation.
Further, the mapping each intermediate result to obtain a second result sequence formed by results corresponding to each first private data by using at least the hash operation includes:
mapping each intermediate result by using at least the hash operation to obtain a mapping result corresponding to each first private data;
and respectively intercepting preset bits in the mapping results respectively corresponding to each first privacy data to obtain a second result sequence formed by the results respectively corresponding to each first privacy data.
In a possible implementation manner, the receiving, from the second party, a first result sequence obtained by performing the first processing on each second private data includes:
receiving from the second party the first result sequence, composed of the results of the first processing after shuffling.
In one possible implementation, the first party has n1 of the first private data, and the dimensions of the first random vector, the second random vector, and the third random vector are m1, satisfying m1 >= n1 + 1.
In a second aspect, there is provided a shared data determination method for protecting private data, for determining shared data between a number of first private data possessed by a first party and a number of second private data possessed by a second party, comprising:
the first party and the second party perform secure multi-party computation to obtain a first random vector and a second random vector; the second party obtains a third random vector and a random value, and the first random vector, the second random vector, the random value and the third random vector satisfy a first relation;
the first party carries out first local operation on each first private data and the second random vector respectively to obtain first results corresponding to the first private data and the second random vector respectively;
the first party constructs a second operation function so that the operation result of the second operation function for each first private data is equal to the first result; and sending the second operation function to the second party;
the second party carries out first processing on each second private data to obtain a first result sequence; the first processing includes combining a function value of the second operation function and an operation value of a first local operation performed on the third random vector by using the first relationship, and performing a hash operation on a combined result; and sending the first sequence of results to the first party;
the first party carries out the first local operation on each first private data and the first random vector respectively, and then executes the hash operation to obtain a second result sequence;
the first party determines an intersection of the first result sequence and the second result sequence, and determines the common data according to the intersection.
In a possible embodiment, the operation value of the first local operation with the third random vector is determined by:
respectively generating a pseudo-random vector corresponding to each second privacy data aiming at each second privacy data by using a pseudo-random function;
and performing dot product operation on each pseudo-random vector and the third random vector to obtain an operation value of the first local operation corresponding to each second private data.
Further, the first processing further includes:
and respectively intercepting preset bits from mapping results obtained by the hash operation corresponding to each second private data to obtain a first result sequence formed by results corresponding to each second private data.
In a third aspect, there is provided a shared data determining apparatus for protecting private data, which is configured to determine shared data between a plurality of first private data possessed by a first party and a plurality of second private data possessed by a second party, the apparatus being provided in the first party, and including:
the joint processing unit is used for carrying out secure multi-party computation with the second party to obtain a first random vector and a second random vector; the second party obtains a third random vector and a random value, and the first random vector, the second random vector, the random value and the third random vector satisfy a first relation;
the first local processing unit is used for respectively carrying out first local operation on each first private data and the second random vector obtained by the joint processing unit to obtain respectively corresponding first results;
a function construction unit, configured to construct a second operation function, so that an operation result of the second operation function for each piece of first private data is equal to the first result obtained by the first local processing unit; and sending the second operation function to the second party;
a receiving unit, configured to receive, from the second party, a first result sequence obtained by performing first processing on each second privacy data; the first processing includes combining a function value of the second operation function and an operation value of a first local operation performed on the third random vector by using the first relationship, and performing a hash operation on a combined result;
the second local processing unit is used for respectively carrying out the first local operation on each first private data and the first random vector obtained by the joint processing unit, and then executing the hash operation to obtain a second result sequence;
and the determining unit is used for determining the intersection of the first result sequence received by the receiving unit and the second result sequence obtained by the second local processing unit, and determining the common data according to the intersection.
In a fourth aspect, there is provided a shared data determination system for protecting private data, for determining shared data between a number of first private data possessed by a first party and a number of second private data possessed by a second party, comprising:
the first party is used for carrying out multi-party security calculation with the second party to obtain a first random vector and a second random vector; the second party obtains a third random vector and a random value, and the first random vector, the second random vector and the random value and the third random vector meet a first relation; aiming at each first private data, respectively carrying out first local operation on the first private data and the second random vector to obtain respectively corresponding first results; constructing a second operation function so that an operation result of the second operation function for each first privacy data is equal to the first result; and sending the second operation function to the second party;
the second party is used for carrying out first processing on each second private data to obtain a first result sequence; the first processing includes combining a function value of the second operation function and an operation value of a first local operation performed on the third random vector by using the first relationship, and performing a hash operation on a combined result; and sending the first sequence of results to the first party;
the first party is further configured to perform the first local operation on each first private data and the first random vector, and then perform the hash operation to obtain a second result sequence; and determining the intersection of the first result sequence and the second result sequence, and determining the common data according to the intersection.
In a fifth aspect, there is provided a computer readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of the first or second aspect.
In a sixth aspect, there is provided a computing device comprising a memory having stored therein executable code, and a processor that when executing the executable code, implements the method of the first or second aspect.
By the method, the device and the system provided by the embodiment of the specification, the first party and the second party perform multi-party security calculation to obtain a first random vector and a second random vector; the second party obtains a third random vector and a random value, and the first random vector, the second random vector and the random value and the third random vector meet a first relation; then, aiming at each first private data, respectively carrying out first local operation on the first private data and the second random vector to obtain respectively corresponding first results; then constructing a second operation function, so that the operation result of the second operation function for each first private data is equal to the first result; and sending the second operation function to the second party; receiving a first result sequence obtained by performing first processing on each second privacy data from the second party; the first processing includes combining a function value of the second operation function and an operation value of a first local operation performed on the third random vector by using the first relationship, and performing a hash operation on a combined result; performing the first local operation on each first private data and the first random vector respectively, and then executing the hash operation to obtain a second result sequence; and finally, determining the intersection of the first result sequence and the second result sequence, and determining the common data between a plurality of first private data of the first party and a plurality of second private data of the second party according to the intersection. 
As can be seen from the above, the embodiments of the present description are mainly implemented based on multi-party secure computation and hash operation, and do not use high-overhead cryptographic operation, so that performance can be improved in shared data determination for protecting private data.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a schematic diagram illustrating an implementation scenario of an embodiment disclosed herein;
FIG. 2 illustrates a mutual data determination method interaction diagram for protecting private data, according to one embodiment;
FIG. 3 illustrates a mutual data determination method interaction diagram for protecting private data, according to another embodiment;
FIG. 4 illustrates a mutual data determination method interaction diagram for protecting private data, according to another embodiment;
FIG. 5 shows a schematic block diagram of a shared data determination apparatus for protecting private data according to one embodiment;
FIG. 6 shows a schematic block diagram of a shared data determination system that protects private data, according to one embodiment.
Detailed Description
The scheme provided by the specification is described below with reference to the accompanying drawings.
Fig. 1 is a schematic view of an implementation scenario of an embodiment disclosed in this specification. The implementation scenario involves the determination of common data while protecting private data, that is, determining the common data between a number of first private data that a first party has and a number of second private data that a second party has. As shown in fig. 1, a scenario in which two parties determine common data involves party A and party B, also referred to as the first party and the second party. Each participant may be implemented as any device, platform, server, or cluster of devices with computing and processing capability. The two parties jointly determine the common data while protecting data privacy.
Party A holds a set X = {x1, x2, ...} of n1 private data items and party B holds a set Y = {y1, y2, ...} of n2 private data items; the intersection of X and Y is obtained without either set being exposed, so that the common data is jointly determined.
In the embodiments of this specification, common data determination that protects private data is implemented by Private Set Intersection (PSI). The scheme involves two parties, each holding a private set as input, denoted X and Y respectively; the two parties want to jointly compute the intersection of their sets X and Y without disclosing private data that is not in the intersection. In short, the two data sets are intersected, but neither party's private data outside the intersection is revealed.
In the embodiments of the present specification, the meaning of the privacy data is not limited. The privacy data may represent a numerical value corresponding to one item of privacy information, for example, the privacy data represents a mobile phone number of the user, an identification number of the user, an age of the user, income of the user, or a city where the user is located; the privacy data may also represent values corresponding to a plurality of items of privacy information, for example, the privacy data is a vector, and each bit of the vector represents different privacy information, for example, a first bit of the vector represents whether the age of the user belongs to a preset age interval, and a second bit of the vector represents whether the income of the user belongs to a preset income interval.
It will be appreciated that the private data may be any data that is not convenient to disclose, and may be, but is not limited to, data representing personal information of the user, or trade secrets or the like.
The embodiments of this specification are mainly based on secure multi-party computation and hash operations and do not use high-overhead cryptographic operations, so performance can be improved when determining shared data while protecting private data.
Fig. 2 shows an interaction diagram of a method for determining shared data for protecting private data according to an embodiment, which may be based on the implementation scenario shown in fig. 1, for determining shared data between a number of first private data possessed by a first party and a number of second private data possessed by a second party. As shown in fig. 2, the common data determination method for protecting privacy data in this embodiment includes the following steps:
step 21, the first party and the second party perform secure multi-party computation to obtain a first random vector and a second random vector; the second party obtains a third random vector and a random value, and the first random vector, the second random vector, the random value and the third random vector satisfy a first relation;
step 22, the first party performs first local operations on each first private data and the second random vector respectively to obtain corresponding first results;
step 23, the first party constructs a second operation function, so that the operation result of the second operation function for each first private data is equal to the first result;
step 24, the first party sends the second operation function to the second party;
step 25, the second party performs first processing on each second private data to obtain a first result sequence; the first processing includes combining a function value of the second operation function and an operation value of a first local operation performed on the third random vector by using the first relationship, and performing a hash operation on a combined result;
step 26, the second party sends the first result sequence to the first party;
step 27, the first party performs the first local operation on each first private data and the first random vector respectively, and then executes the hash operation to obtain a second result sequence;
step 28, the first party determines the intersection of the first result sequence and the second result sequence, and determines the common data according to the intersection.
Specific execution modes of the above steps are described below.
First, in step 21, the first party and the second party perform secure multi-party computation to obtain a first random vector and a second random vector; the second party obtains a third random vector and a random value, and the first random vector, the second random vector and the random value satisfy a first relation with the third random vector. It will be appreciated that the first party does not know the random value and the third random vector, and the second party does not know the first random vector and the second random vector.
In the embodiments of this specification, the first relationship may be established through operations such as addition, subtraction, multiplication, and division, and a constant may be involved in the operation. For example, if the first random vector is denoted by U, the second random vector by V, the random value by s, and the third random vector by W, the first relationship may be W = sU + V, or W = sU - V, or W = 2sU + V, or W = U/s - V.
In one example, the secure multi-party computation includes:
performing a random vector oblivious linear evaluation (VOLE) protocol over a finite field in cooperation with the second party to obtain the first random vector and the second random vector; the second party obtains the third random vector and a random value.
It should be noted that there are many forms of multi-party secure computation, including various existing forms of VOLE or forms that may appear later: for example, in one form, the first party inputs U and V, the second party inputs s, and W is output to the second party; alternatively, the second party inputs s, U and V are output to the first party, and W is output to the second party.
In one example, the first party has n1 of the first private data, and the first, second, and third random vectors have a dimension of m1, satisfying m1 >= n1 + 1.
Then, in step 22, the first party performs a first local operation on each first private data and the second random vector to obtain corresponding first results. It is understood that the operands of the first local operation are the first private data and the second random vector.
In one example, the performing, for each piece of first privacy data, a first local operation with the second random vector includes:
respectively generating a pseudorandom vector corresponding to each first private data by using a pseudorandom function aiming at each first private data;
and performing dot product operation on each pseudo-random vector and the second random vector respectively to obtain first results corresponding to each first private data respectively.
Next, in step 23, the first party constructs a second operation function such that the operation result of the second operation function for each first private data is equal to the first result. It is to be understood that the second operation function and the first local operation give the same operation result only when the operand is a first private data item.
In one example, the second operation function is a polynomial operation function. For example, a2·x^2 + a1·x + a0 is a polynomial operation function with coefficients a2, a1 and a0.
In step 24, the first party sends the second operation function to the second party. It can be understood that the first party may send the formula of the function to the second party directly, or may send information from which the formula of the function can be determined; the second operation function does not cause the disclosure of the first private data.
In one example, the second operation function is a polynomial operation function; the sending the second operation function to the second party includes: sending coefficients of the polynomial operation function to the second party.
Then, in step 25, the second party performs first processing on each second private data to obtain a first result sequence; the first processing includes combining the function value of the second operation function and an operation value of the first local operation with the third random vector by using the first relationship, and performing a hash operation on a combined result. It is understood that the second private data cannot be deduced back from the first result sequence because the hash operation is one-way.
In one example, the operation value of the first local operation with the third random vector is determined by:
respectively generating a pseudo-random vector corresponding to each second privacy data aiming at each second privacy data by using a pseudo-random function;
and performing dot product operation on each pseudo-random vector and the third random vector to obtain an operation value of the first local operation corresponding to each second private data.
Further, the first processing further includes:
truncating preset bits from the mapping result obtained by the hash operation for each second private data, to obtain a first result sequence formed by the results corresponding to the respective second private data.
Next, in step 26, the second party sends the first result sequence to the first party. It is understood that the first result sequence, although calculated from the second private data, does not lead to disclosure of the second private data.
In one example, the second party sending the first result sequence to the first party includes:
the second party shuffles the results obtained by the first processing and sends the first result sequence formed by the shuffled results to the first party.
In step 27, the first party performs the first local operation on each first private data and the first random vector, and then performs the hash operation to obtain a second result sequence. It is understood that the operation for obtaining the second result sequence is different from the operation for obtaining the first result sequence, but the operation results of the first and second private data are the same when the first and second private data are the same.
In one example, the performing, for each first private data, the first local operation on the first private data and the first random vector, and then performing the hash operation includes:
using a pseudo-random function, generating, for each first private data, a corresponding pseudo-random vector;
performing a dot product operation on each pseudo-random vector and the first random vector to obtain an intermediate result corresponding to each first private data;
and mapping each intermediate result, at least by using the hash operation, to obtain a second result sequence formed by the results corresponding to the respective first private data.
Further, the mapping each intermediate result to obtain a second result sequence formed by results corresponding to each first private data by using at least the hash operation includes:
mapping each intermediate result, at least by using the hash operation, to obtain a mapping result corresponding to each first private data;
and truncating preset bits from the mapping result corresponding to each first private data, to obtain a second result sequence formed by the results corresponding to the respective first private data.
Finally, in step 28, the first party determines the intersection of the first resulting sequence and the second resulting sequence, and determines the common data from the intersection. It is understood that the first sequence of results has a mapping relationship with the first private data, so that the first private data having a mapping relationship can be found from the intersection, and these first private data are determined as the common data.
By the method provided by the embodiment of the specification, the first party and the second party perform multi-party security calculation to obtain a first random vector and a second random vector; the second party obtains a third random vector and a random value, and the first random vector, the second random vector and the random value and the third random vector meet a first relation; then, aiming at each first private data, respectively carrying out first local operation on the first private data and the second random vector to obtain respectively corresponding first results; then constructing a second operation function, so that the operation result of the second operation function for each first private data is equal to the first result; and sending the second operation function to the second party; receiving a first result sequence obtained by performing first processing on each second privacy data from the second party; the first processing includes combining a function value of the second operation function and an operation value of a first local operation performed on the third random vector by using the first relationship, and performing a hash operation on a combined result; performing the first local operation on each first private data and the first random vector respectively, and then executing the hash operation to obtain a second result sequence; and finally, determining the intersection of the first result sequence and the second result sequence, and determining the common data between a plurality of first private data of the first party and a plurality of second private data of the second party according to the intersection. As can be seen from the above, the embodiments of the present description are mainly implemented based on multi-party secure computation and hash operation, and do not use high-overhead cryptographic operation, so that performance can be improved in shared data determination for protecting private data.
Fig. 3 shows an interaction diagram of a common data determination method for protecting private data according to another embodiment. This embodiment is described taking a user identifier (ID) as an example of the private data and, relative to the embodiment shown in Fig. 2, uses a specific first relationship; that is, in this method the random vectors and the random value that the first party (party A) and the second party (party B) obtain through multi-party secure computation satisfy a specific first relationship. As shown in Fig. 3, the common data determination method for protecting private data in this embodiment includes the following steps: step 31, the two parties execute the VOLE protocol, in which party A obtains random vectors U and V, party B obtains a random vector W and a random value s, W = sU + V is satisfied, and the vector length is m1; step 32, for its ID set X = {x1, x2, ...} of size n1, party A calculates z_i = <H1(x_i),V> and constructs a polynomial P() of degree n1 satisfying P(x_i) = z_i; step 33, party A sends P() to party B; step 34, party A calculates d_i = H2(<H1(x_i),U>); step 35, for its ID set Y = {y1, y2, ...} of size n2, party B calculates t_i = H2((<H1(y_i),W> - P(y_i))/s); step 36, party B shuffles the set {t_i} and sends it to party A; step 37, party A determines the intersection of {d_i} and {t_i} and, according to the correspondence between d_i and x_i, obtains the plaintext corresponding to the intersection. Specific execution modes of the above steps are described below.
First, in step 31, both parties execute the VOLE protocol, in which party A obtains random vectors U and V, party B obtains a random vector W and a random value s, W = sU + V is satisfied, and the vector length is m1. It is understood that, corresponding to the embodiment shown in Fig. 2, U is the first random vector, V is the second random vector, and W is the third random vector.
In one example, both parties execute the VOLE protocol over a finite field (e.g., the extension field GF(2^m2)). The input of party B is a random value s, and the execution result of the protocol is: party A obtains random vectors U and V, and party B obtains a random vector W, satisfying W = Us + V. The vector length is m1, and each vector element and s are m2 bits long.
Then, in step 32, for its ID set X = {x1, x2, ...} of size n1, party A calculates z_i = <H1(x_i),V> and constructs a polynomial P() of degree n1 satisfying P(x_i) = z_i. It will be appreciated that, corresponding to the embodiment shown in Fig. 2, x_i represents the aforementioned first private data, with i ranging from 1 to n1, z_i represents the first result corresponding to each first private data, and P() represents the second operation function.
In one example, z_i = <H1(x_i),V> = [formula image in the original publication]
Here H1 is a pseudo-random function from the m2-bit finite field to an m1-dimensional vector, each dimension of the vector being a random element of the m2-bit finite field.
Next, party a sends P () to party B at step 33. It is to be understood that the specific transmission form is not limited as long as the B-party can determine P ().
In one example, party a sends coefficients of P () to party B.
At step 34, party A calculates d_i = H2(<H1(x_i),U>). It will be appreciated that, corresponding to the embodiment shown in Fig. 2, the d_i constitute the aforementioned second result sequence, and H2() involves a hash operation.
In one example, H is a cryptographically secure hash function from m2 bits to m3 bits, Trun is a function that extracts the highest m4 bits, and H2() = Trun(H()).
For a 128-bit computational security level and a 40-bit statistical security level, the parameters are as follows:
m2=m3=128, m4=40+log (n1*n2),
m1>=n1+1.
In step 35, for its ID set Y = {y1, y2, ...} of size n2, party B calculates t_i = H2((<H1(y_i),W> - P(y_i))/s). It will be appreciated that, corresponding to the embodiment shown in Fig. 2, the t_i constitute the first result sequence.
Then, in step 36, party B shuffles the set {t_i} and sends it to party A. It will be appreciated that sending {t_i} does not reveal the second private data, and that shuffling can further improve security.
Finally, in step 37, party A determines the intersection of {d_i} and {t_i} and, according to the correspondence between d_i and x_i, obtains the plaintext corresponding to the intersection. It can be understood that, after the plaintext corresponding to the intersection is found, it can be sent to party B.
For the embodiments of the present specification, the following correctness analysis is provided:
G(a)=H2((<H1(a),W>-P(a))/s)
In the embodiment of the present specification, the above multi-point pseudo-random function G(a) is essentially what is constructed. Party B can correctly calculate G(a) for any value of a; only if a is in the set X = {x1, x2, ...} does the last equal sign of the following equation hold, so that party A can correctly calculate the value of G(a) by evaluating the last expression of the following equation in step 34. It will be appreciated that party A does not know s and W, and therefore cannot calculate G(a) using the other expressions below.
H2((<H1(a),W>-P(a))/s)
= H2((<H1(a),W>-<H1(a),V>+<H1(a),V>-P(a))/s)
= H2(<H1(a),sU>/s +(<H1(a),V>-P(a))/s)
= H2(<H1(a),U>+(<H1(a),V>-P(a))/s)
= H2(<H1(a),U>)
For the embodiments of the present specification, the following security analysis is provided:
In this scheme, apart from the VOLE, each party sends one message: party A sends the polynomial P() to party B, and party B sends the set {t_i} to party A. It is analyzed below that neither party can obtain the other party's private data from the exchanged messages.
Party B cannot obtain party A's {x_i} from P(): P() is of degree n1 with n1+1 coefficients, and m1 unknown 128-bit random numbers (i.e., V[j]) are used in constructing P(); when m1 >= n1+1, whatever values party B's guessed set {x_i} takes, an attempt to solve for {V[j]} from P() always has a solution, i.e., party B cannot rule out candidate values of x_i by checking whether {V[j]} has a solution.
Party A cannot obtain party B's {y_i} from {t_i}: let G(y_i) be written as H2(f(y_i,s,W)); owing to the one-wayness of H2, y_i cannot be computed backwards from t_i; for party A, f(y_i,s,W) has too many possible values to enumerate; if y_i != y_j, then with high probability f(y_i,s,W) != f(y_j,s,W), so a collision attack cannot be mounted.
As can be seen from the following equation, party A knows all parameters required to calculate {t_i} except s. When a is not in A's ID set, the coefficient of 1/s, namely (<H1(a),V> - P(a)), is with high probability not 0, so party A must exhaustively enumerate s if it wants to compute the hash value by exhaustion. Since the bit length of s >= the computational security parameter, party A cannot determine a by exhausting s.
H2((<H1(a),W>-P(a))/s)
= H2((<H1(a),W>-<H1(a),V>+<H1(a),V>-P(a))/s)
= H2(<H1(a),sU>/s +(<H1(a),V>-P(a))/s)
= H2(<H1(a),U>+(<H1(a),V>-P(a))/s)
Fig. 4 is an interaction diagram of a common data determination method for protecting private data according to another embodiment, which uses the same specific first relationship as the embodiment shown in Fig. 3 but a different operation manner. As shown in Fig. 4, the common data determination method for protecting private data in this embodiment includes the following steps: step 41, the two parties execute the VOLE protocol, in which party A obtains random vectors U and V, party B obtains a random vector W and a random value s, W = sU + V is satisfied, and the vector length is m1; step 42, for its ID set X = {x1, x2, ...} of size n1, party A calculates z_i = <H1(x_i),U> and constructs a polynomial P() of degree n1 satisfying P(x_i) = z_i; step 43, party A sends P() to party B; step 44, party A calculates d_i = H2(<H1(x_i),V>); step 45, for its ID set Y = {y1, y2, ...} of size n2, party B calculates t_i = H2(<H1(y_i),W> - sP(y_i)); step 46, party B shuffles the set {t_i} and sends it to party A; step 47, party A determines the intersection of {d_i} and {t_i} and, according to the correspondence between d_i and x_i, obtains the plaintext corresponding to the intersection. Specific execution modes of the above steps are described below.
First, in step 41, both parties execute the VOLE protocol, in which party A obtains random vectors U and V, party B obtains a random vector W and a random value s, W = sU + V is satisfied, and the vector length is m1. It is understood that, corresponding to the embodiment shown in Fig. 2, U is the first random vector, V is the second random vector, and W is the third random vector.
In one example, both parties execute the VOLE protocol over a finite field (e.g., the extension field GF(2^m2)). The input of party B is a random value s, and the execution result of the protocol is: party A obtains random vectors U and V, and party B obtains a random vector W, satisfying W = Us + V. The vector length is m1, and each vector element and s are m2 bits long.
Then, in step 42, for its ID set X = {x1, x2, ...} of size n1, party A calculates z_i = <H1(x_i),U> and constructs a polynomial P() of degree n1 satisfying P(x_i) = z_i. It will be appreciated that, corresponding to the embodiment shown in Fig. 2, x_i represents the aforementioned first private data, with i ranging from 1 to n1, z_i represents the first result corresponding to each first private data, and P() represents the second operation function.
In one example, z_i = <H1(x_i),V> = [formula image in the original publication]
Here H1 is a pseudo-random function from the m2-bit finite field to an m1-dimensional vector, each dimension of the vector being a random element of the m2-bit finite field.
Next, party a sends P () to party B at step 43. It is to be understood that the specific transmission form is not limited as long as the B-party can determine P ().
In one example, party a sends coefficients of P () to party B.
At step 44, party A calculates d_i = H2(<H1(x_i),V>). It will be appreciated that, corresponding to the embodiment shown in Fig. 2, the d_i constitute the aforementioned second result sequence, and H2() involves a hash operation.
In one example, H is a cryptographically secure hash function from m2 bits to m3 bits, Trun is a function that extracts the highest m4 bits, and H2() = Trun(H()).
For a 128-bit computational security level and a 40-bit statistical security level, the parameters are as follows:
m2=m3=128, m4=40+log (n1*n2),
m1>=n1+1.
Then, in step 45, for its ID set Y = {y1, y2, ...} of size n2, party B calculates t_i = H2(<H1(y_i),W> - sP(y_i)). It will be appreciated that, corresponding to the embodiment shown in Fig. 2, the t_i constitute the first result sequence.
Then, in step 46, party B shuffles the set {t_i} and sends it to party A. It will be appreciated that sending {t_i} does not reveal the second private data, and that shuffling can further improve security.
Finally, in step 47, party A determines the intersection of {d_i} and {t_i} and, according to the correspondence between d_i and x_i, obtains the plaintext corresponding to the intersection. It can be understood that, after the plaintext corresponding to the intersection is found, it can be sent to party B.
For the embodiments of the present specification, the following correctness analysis is provided:
G(a)=H2(<H1(a),W>-sP(a))
In the embodiment of the present specification, the above multi-point pseudo-random function G(a) is essentially what is constructed. Party B can correctly calculate G(a) for any value of a; party A can calculate it correctly only at certain points: only if a is in the set X = {x1, x2, ...} does the first equal sign of the following equation hold, and party A can then correctly calculate the value of G(a) by evaluating the last expression of the following equation in step 44. It will be appreciated that party A does not know s and W, and therefore cannot calculate G(a) using the other expressions below.
H2(<H1(a),W>-sP(a))
= H2(<H1(a),W>-s<H1(a),U>)
= H2(<H1(a),W-sU>)
= H2(<H1(a),V>)
For the embodiments of the present specification, the following security analysis is provided:
In this scheme, apart from the VOLE, each party sends one message: party A sends the polynomial P() to party B, and party B sends the set {t_i} to party A. It is analyzed below that neither party can obtain the other party's private data from the exchanged messages.
Party B cannot obtain party A's {x_i} from P(): P() is of degree n1 with n1+1 coefficients, and m1 unknown 128-bit random numbers (i.e., U[j]) are used in constructing P(); when m1 >= n1+1, whatever values party B's guessed set {x_i} takes, an attempt to solve for {U[j]} from P() always has a solution, i.e., party B cannot rule out candidate values of x_i by checking whether {U[j]} has a solution.
Party A cannot obtain party B's {y_i} from {t_i}: let G(y_i) be written as H2(f(y_i,s,W)); owing to the one-wayness of H2, y_i cannot be computed backwards from t_i; for party A, f(y_i,s,W) has too many possible values to enumerate; if y_i != y_j, then with high probability f(y_i,s,W) != f(y_j,s,W), so a collision attack cannot be mounted.
As can be seen from the following equation, party A knows all parameters required to calculate {t_i} except s. When a is not in A's ID set, the coefficient of s, namely (<H1(a),U> - P(a)), is with high probability not 0, so party A must exhaustively enumerate s if it wants to compute the hash value by exhaustion. Since the bit length of s >= the computational security parameter, party A cannot determine a by exhausting s.
H2(<H1(a),W>-sP(a))
= H2(<H1(a),sU+V>-sP(a))
= H2(s(<H1(a),U>-P(a))+<H1(a),V>)
Party A could construct P() by specially choosing U so that the following holds: there exists an a that is not in A's ID set and yet <H1(a),U> - P(a) == 0. That is, for the degree-n1 polynomial P(), more than n1 values of a satisfy <H1(a),U> - P(a) == 0. Party A can thereby launch an attack. To protect against this attack, it may be required that the computation of H1() uses a random number (e.g., a salt) as a key, which party B provides after the VOLE has been executed, and that party B also verifies that P() is a degree-n1 polynomial whose coefficients are all non-zero, so as to prevent party A from setting U to 0 or setting most dimensions of U to 0.
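The exchanges of Fig. 3 (steps 31 to 37) and Fig. 4 (steps 41 to 47), run end to end as an added example that is not code from the patent or its applicant. Assumptions: a prime field stands in for GF(2^m2), a local dealer stands in for the VOLE protocol, SHA-256 instantiates H1 and H2, IDs are hashed into the field, one random extra point gives P() degree n1, and every function name is hypothetical.

```python
import hashlib
import secrets

P_MOD = 2**127 - 1  # prime field standing in for the page's GF(2^m2) (assumption)
M4_BITS = 64        # length of the truncated tag (toy value for m4)


def h1(item, m1):
    """H1: pseudo-random function from an ID to an m1-dimensional field vector."""
    return [int.from_bytes(hashlib.sha256(f"H1|{j}|{item}".encode()).digest(), "big") % P_MOD
            for j in range(m1)]


def h2(value):
    """H2 = Trun(H()): hash a field element and keep the highest m4 bits."""
    digest = hashlib.sha256(b"H2|" + value.to_bytes(16, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - M4_BITS)


def to_field(item):
    """Encode an ID as a field element so that P() can be evaluated on it (assumption)."""
    return int.from_bytes(hashlib.sha256(f"ID|{item}".encode()).digest(), "big") % P_MOD


def dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % P_MOD


def dealer_vole(m1):
    """Stand-in for the VOLE protocol: A gets U, V; B gets s, W with W = sU + V."""
    s = 1 + secrets.randbelow(P_MOD - 1)
    U = [secrets.randbelow(P_MOD) for _ in range(m1)]
    V = [secrets.randbelow(P_MOD) for _ in range(m1)]
    W = [(s * u + v) % P_MOD for u, v in zip(U, V)]
    return (U, V), (s, W)


def interpolate(points):
    """Coefficients (lowest power first) of the Lagrange polynomial through points."""
    coeffs = [0] * len(points)
    for i, (xi, zi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:  # multiply the basis polynomial by (x - xj)
                basis = [(lo - xj * hi) % P_MOD for lo, hi in zip([0] + basis, basis + [0])]
                denom = denom * (xi - xj) % P_MOD
        scale = zi * pow(denom, -1, P_MOD) % P_MOD
        for k, b in enumerate(basis):
            coeffs[k] = (coeffs[k] + scale * b) % P_MOD
    return coeffs


def evaluate(coeffs, x):
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P_MOD
    return acc


def party_a_prepare(ids, U, V, variant):
    """Steps 32-34 (Fig. 3) or 42-44 (Fig. 4): build P() and A's tags d_i."""
    mask, own = (V, U) if variant == "fig3" else (U, V)
    m1 = len(U)
    points = [(to_field(x), dot(h1(x, m1), mask)) for x in ids]  # (x_i, z_i)
    # One random extra point lifts P() to degree n1 with n1+1 coefficients (assumption).
    points.append((secrets.randbelow(P_MOD), secrets.randbelow(P_MOD)))
    tags = {h2(dot(h1(x, m1), own)): x for x in ids}             # d_i -> x_i
    return interpolate(points), tags


def party_b_respond(ids, s, W, coeffs, n1, variant):
    """Steps 35-36 or 45-46: check P(), compute t_i, shuffle before sending."""
    if len(coeffs) != n1 + 1 or any(c == 0 for c in coeffs):
        raise ValueError("P() is not a degree-n1 polynomial with non-zero coefficients")
    out = []
    for y in ids:
        w, p = dot(h1(y, len(W)), W), evaluate(coeffs, to_field(y))
        if variant == "fig3":   # t_i = H2((<H1(y_i),W> - P(y_i)) / s)
            out.append(h2((w - p) * pow(s, -1, P_MOD) % P_MOD))
        else:                   # t_i = H2(<H1(y_i),W> - s*P(y_i))
            out.append(h2((w - s * p) % P_MOD))
    secrets.SystemRandom().shuffle(out)
    return out


def run_psi(ids_a, ids_b, variant="fig3"):
    m1 = len(ids_a) + 1                      # the page's condition m1 >= n1 + 1
    (U, V), (s, W) = dealer_vole(m1)
    coeffs, tags = party_a_prepare(ids_a, U, V, variant)
    t_seq = party_b_respond(ids_b, s, W, coeffs, len(ids_a), variant)
    return sorted(tags[t] for t in t_seq if t in tags)   # step 37 / 47


if __name__ == "__main__":
    ids_a = ["alice", "bob", "carol", "dave"]   # constructed sample IDs
    ids_b = ["carol", "erin", "alice", "frank"]
    print(run_psi(ids_a, ids_b, "fig3"), run_psi(ids_a, ids_b, "fig4"))
```

The salt for H1 that party B supplies after the VOLE, described above for the Fig. 4 embodiment, is not modelled here.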
According to an embodiment of another aspect, there is also provided a shared data determining apparatus for protecting private data, configured to determine shared data between a number of first private data possessed by a first party and a number of second private data possessed by a second party, where the apparatus is provided for the first party, and is configured to perform an action performed by the first party in a method provided in an embodiment of the present specification. Fig. 5 shows a schematic block diagram of a shared data determining apparatus for protecting private data according to one embodiment. As shown in fig. 5, the apparatus 500 includes:
a joint processing unit 51, configured to perform multi-party security computation with the second party to obtain a first random vector and a second random vector; the second party obtains a third random vector and a random value, and the first random vector, the second random vector and the random value and the third random vector meet a first relation;
the first local processing unit 52 is configured to perform, for each piece of first privacy data, a first local operation on the first privacy data and the second random vector obtained by the joint processing unit 51, respectively, to obtain first results corresponding to the first private data;
a function constructing unit 53, configured to construct a second operation function so that an operation result of the second operation function for each of the first private data is equal to the first result obtained by the first local processing unit 52; and sending the second operation function to the second party;
a receiving unit 54, configured to receive, from the second party, a first result sequence obtained by performing first processing on each second private data; the first processing includes combining a function value of the second operation function and an operation value of a first local operation performed on the third random vector by using the first relationship, and performing a hash operation on a combined result;
the second local processing unit 55 is configured to perform, for each piece of first privacy data, the first local operation on the first privacy data and the first random vector obtained by the joint processing unit 51, and then perform the hash operation to obtain a second result sequence;
a determining unit 56, configured to determine an intersection of the first result sequence received by the receiving unit 54 and the second result sequence obtained by the second local processing unit 55, and determine the common data according to the intersection.
Optionally, as an embodiment, the joint processing unit 51 is specifically configured to execute, with the second party, a random vector oblivious linear evaluation (VOLE) protocol over a finite field to obtain the first random vector and the second random vector; the second party obtains the third random vector and a random value.
Optionally, as an embodiment, the first local processing unit 52 includes:
the vector generation subunit is configured to generate, by using a pseudorandom function, a pseudorandom vector corresponding to each piece of first privacy data for each piece of first privacy data;
and the dot product processing subunit is configured to perform dot product operation on each pseudo-random vector obtained by the vector generation subunit and the second random vector, respectively, to obtain a first result corresponding to each first private data, respectively.
Optionally, as an embodiment, the second operation function is a polynomial operation function; the function constructing unit 53 is specifically configured to send coefficients of the polynomial operation function to the second party.
Optionally, as an embodiment, the second local processing unit 55 includes:
the vector generation subunit is configured to generate, by using a pseudorandom function, a pseudorandom vector corresponding to each piece of first privacy data for each piece of first privacy data;
the dot product processing subunit is configured to perform dot product operation on each pseudorandom vector obtained by the vector generation subunit and the first random vector, so as to obtain an intermediate result corresponding to each first private data;
and the Hash processing subunit is configured to map, by using at least the Hash operation, each intermediate result obtained by the dot product processing subunit to obtain a second result sequence formed by results corresponding to each piece of first privacy data.
Further, the hash processing subunit includes:
the mapping module is used for mapping each intermediate result by at least utilizing the Hash operation to obtain a mapping result corresponding to each first private data;
and the intercepting module is used for respectively intercepting preset bits in the mapping results respectively corresponding to the first privacy data obtained by the mapping module to obtain a second result sequence formed by the results respectively corresponding to the first privacy data.
Optionally, as an embodiment, the receiving unit 54 is specifically configured to receive, from the second party, the first result sequence formed by the results obtained by the first processing after the disordering.
Optionally, as an embodiment, the first party has n1 pieces of the first private data, and the first random vector, the second random vector, and the third random vector have a dimension of m1, satisfying m1 >= n1+1.
According to an embodiment of another aspect, there is also provided a shared data determination system for protecting private data for determining shared data between a number of first private data possessed by a first party and a number of second private data possessed by a second party. FIG. 6 shows a schematic block diagram of a shared data determination system that protects private data, according to one embodiment. As shown in fig. 6, the system 600 includes:
a first party 61, configured to perform multi-party security computation with the second party 62 to obtain a first random vector and a second random vector; the second party 62 obtains a third random vector and a random value, and the first random vector, the second random vector and the random value satisfy a first relationship with the third random vector; aiming at each first private data, respectively carrying out first local operation on the first private data and the second random vector to obtain respectively corresponding first results; constructing a second operation function so that an operation result of the second operation function for each first privacy data is equal to the first result; and sends the second arithmetic function to the second party 62;
the second party 62 is configured to perform first processing on each second private data to obtain a first result sequence; the first processing includes combining a function value of the second operation function and an operation value of a first local operation performed on the third random vector by using the first relationship, and performing a hash operation on a combined result; and sending said first sequence of results to said first party 61;
the first party 61 is further configured to perform, for each first private data, the first local operation on the first private data and the first random vector, and then perform the hash operation to obtain a second result sequence; and determining the intersection of the first result sequence and the second result sequence, and determining the common data according to the intersection.
Optionally, as an embodiment, the operation value of the first local operation with the third random vector is determined by:
respectively generating a pseudo-random vector corresponding to each second privacy data aiming at each second privacy data by using a pseudo-random function;
and performing dot product operation on each pseudo-random vector and the third random vector to obtain an operation value of the first local operation corresponding to each second private data.
Further, the first processing further includes:
and respectively intercepting preset bits from mapping results obtained by the hash operation corresponding to each second private data to obtain a first result sequence formed by results corresponding to each second private data.
According to an embodiment of another aspect, there is also provided a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method described in connection with fig. 2 to 4.
According to an embodiment of yet another aspect, there is also provided a computing device comprising a memory and a processor, the memory having stored therein executable code, the processor, when executing the executable code, implementing the method described in connection with fig. 2-4.
Those skilled in the art will recognize that, in one or more of the examples described above, the functions described in this invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.
The above-mentioned embodiments, objects, technical solutions and advantages of the present invention are further described in detail, it should be understood that the above-mentioned embodiments are only exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made on the basis of the technical solutions of the present invention should be included in the scope of the present invention.

Claims (24)

1. A shared data determination method of protecting private data for determining shared data between a number of first private data possessed by a first party and a number of second private data possessed by a second party, the method being performed by the first party, comprising:
performing multi-party security calculation with the second party to obtain a first random vector and a second random vector; the second party obtains a third random vector and a random value, and the first random vector, the second random vector and the random value and the third random vector meet a first relation;
aiming at each first private data, respectively carrying out first local operation on the first private data and the second random vector to obtain respectively corresponding first results;
constructing a second operation function so that an operation result of the second operation function for each first privacy data is equal to the first result; and sending the second operation function to the second party;
receiving a first result sequence obtained by performing first processing on each second privacy data from the second party; the first processing includes combining a function value of the second operation function and an operation value of a first local operation performed on the third random vector by using the first relationship, and performing a hash operation on a combined result;
aiming at each first private data, respectively carrying out the first local operation on the first private data and the first random vector, and then executing the Hash operation to obtain a second result sequence;
and determining the intersection of the first result sequence and the second result sequence, and determining the common data according to the intersection.
2. The method of claim 1, wherein the multi-party security computation comprises:
executing a random vector oblivious linear evaluation (VOLE) protocol over a finite field together with the second party to obtain the first random vector and the second random vector; the second party obtains the third random vector and a random value.
3. The method of claim 1, wherein the performing, for each first private data, a first local operation with the second random vector comprises:
respectively generating a pseudorandom vector corresponding to each first private data by using a pseudorandom function aiming at each first private data;
and performing dot product operation on each pseudo-random vector and the second random vector respectively to obtain first results corresponding to each first private data respectively.
4. The method of claim 1, wherein the second arithmetic function is a polynomial arithmetic function; the sending the second operation function to the second party includes:
sending coefficients of the polynomial operation function to the second party.
5. The method of claim 1, wherein the performing the first local operation on each first private data and the first random vector and then performing the hash operation respectively comprises:
respectively generating a pseudorandom vector corresponding to each first private data by using a pseudorandom function aiming at each first private data;
performing dot product operation on each pseudo-random vector and the first random vector to obtain intermediate results corresponding to each first privacy data;
and mapping each intermediate result to obtain a second result sequence formed by results corresponding to each first private data at least by using the Hash operation.
6. The method according to claim 5, wherein the mapping, by using at least the hash operation, each intermediate result to obtain a second result sequence formed by results corresponding to each first private data includes:
mapping each intermediate result by using at least the hash operation to obtain a mapping result corresponding to each first private data;
and respectively intercepting preset bits in the mapping results respectively corresponding to each first privacy data to obtain a second result sequence formed by the results respectively corresponding to each first privacy data.
7. The method of claim 1, wherein the receiving, from the second party, a first sequence of results of the first processing for each second private data comprises:
receiving the first result sequence composed of the results of the first processing after the disordering from the second party.
8. The method of claim 1, wherein the first party has n1 of the first private data, the first, second, and third random vectors have a dimension of m1, satisfying m1> = n1+ 1.
9. A common data determination method for protecting private data, for determining common data between a number of first private data possessed by a first party and a number of second private data possessed by a second party, comprising:
the first party and the second party perform secure multi-party computation to obtain a first random vector and a second random vector; the second party obtains a third random vector and a random value, and the first random vector, the second random vector, the random value and the third random vector satisfy a first relationship;
the first party performs a first local operation on each first private data and the second random vector to obtain the respectively corresponding first results;
the first party constructs a second operation function such that the operation result of the second operation function for each first private data is equal to the first result, and sends the second operation function to the second party;
the second party performs first processing on each second private data to obtain a first result sequence; the first processing includes combining, by using the first relationship, a function value of the second operation function and an operation value of the first local operation performed with the third random vector, and performing a hash operation on the combined result; and the second party sends the first result sequence to the first party;
the first party performs the first local operation on each first private data and the first random vector, and then executes the hash operation, to obtain a second result sequence;
the first party determines an intersection of the first result sequence and the second result sequence, and determines the common data according to the intersection.
10. The method of claim 9, wherein the operation value of the first local operation with the third random vector is determined by:
generating, for each second private data, a corresponding pseudorandom vector by using a pseudorandom function;
and performing a dot product operation on each pseudorandom vector and the third random vector to obtain the operation value of the first local operation corresponding to each second private data.
11. The method of claim 10, wherein the first processing further comprises:
extracting preset bits from the mapping result obtained by the hash operation for each second private data, to obtain a first result sequence formed by the results corresponding to each second private data.
12. A shared data determination apparatus for protecting private data, which determines shared data between a number of first private data possessed by a first party and a number of second private data possessed by a second party, the apparatus being provided to the first party, comprising:
a joint processing unit, configured to perform secure multi-party computation with the second party to obtain a first random vector and a second random vector; the second party obtains a third random vector and a random value, and the first random vector, the second random vector, the random value and the third random vector satisfy a first relationship;
a first local processing unit, configured to perform, for each first private data, a first local operation with the second random vector obtained by the joint processing unit, to obtain the respectively corresponding first results;
a function construction unit, configured to construct a second operation function, so that an operation result of the second operation function for each piece of first private data is equal to the first result obtained by the first local processing unit; and to send the second operation function to the second party;
a receiving unit, configured to receive, from the second party, a first result sequence obtained by performing first processing on each second private data; the first processing includes combining, by using the first relationship, a function value of the second operation function and an operation value of the first local operation performed with the third random vector, and performing a hash operation on the combined result;
a second local processing unit, configured to perform the first local operation on each first private data and the first random vector obtained by the joint processing unit, and then execute the hash operation, to obtain a second result sequence;
and a determining unit, configured to determine the intersection of the first result sequence received by the receiving unit and the second result sequence obtained by the second local processing unit, and to determine the common data according to the intersection.
13. The apparatus according to claim 12, wherein the joint processing unit is specifically configured to execute, together with the second party, a random vector oblivious linear evaluation (VOLE) protocol over a finite field, obtaining the first random vector and the second random vector; the second party obtains the third random vector and a random value.
14. The apparatus of claim 12, wherein the first local processing unit comprises:
a vector generation subunit, configured to generate, for each first private data, a corresponding pseudorandom vector by using a pseudorandom function;
and a dot product processing subunit, configured to perform a dot product operation on each pseudorandom vector obtained by the vector generation subunit and the second random vector, to obtain the first result corresponding to each first private data.
15. The apparatus of claim 12, wherein the second operation function is a polynomial operation function; the function construction unit is specifically configured to send coefficients of the polynomial operation function to the second party.
16. The apparatus of claim 12, wherein the second local processing unit comprises:
a vector generation subunit, configured to generate, for each first private data, a corresponding pseudorandom vector by using a pseudorandom function;
a dot product processing subunit, configured to perform a dot product operation on each pseudorandom vector obtained by the vector generation subunit and the first random vector, to obtain an intermediate result corresponding to each first private data;
and a hash processing subunit, configured to map, by using at least the hash operation, each intermediate result obtained by the dot product processing subunit, to obtain a second result sequence formed by the results corresponding to each first private data.
17. The apparatus of claim 16, wherein the hash processing subunit comprises:
a mapping module, configured to map each intermediate result by using at least the hash operation, to obtain a mapping result corresponding to each first private data;
and an extracting module, configured to extract preset bits from the mapping result corresponding to each first private data obtained by the mapping module, to obtain a second result sequence formed by the results corresponding to each first private data.
18. The apparatus according to claim 12, wherein the receiving unit is specifically configured to receive, from the second party, the first result sequence formed by the results of the first processing after their order has been shuffled.
19. The apparatus of claim 12, wherein the first party has n1 of the first private data, and the first, second, and third random vectors have a dimension of m1, satisfying m1 >= n1 + 1.
20. A shared data determination system for protecting private data, for determining shared data between a number of first private data possessed by a first party and a number of second private data possessed by a second party, comprising:
the first party is configured to perform secure multi-party computation with the second party to obtain a first random vector and a second random vector; the second party obtains a third random vector and a random value, and the first random vector, the second random vector, the random value and the third random vector satisfy a first relationship; to perform, for each first private data, a first local operation with the second random vector to obtain the respectively corresponding first results; to construct a second operation function such that an operation result of the second operation function for each first private data is equal to the first result; and to send the second operation function to the second party;
the second party is configured to perform first processing on each second private data to obtain a first result sequence; the first processing includes combining, by using the first relationship, a function value of the second operation function and an operation value of the first local operation performed with the third random vector, and performing a hash operation on the combined result; and to send the first result sequence to the first party;
the first party is further configured to perform the first local operation on each first private data and the first random vector, and then perform the hash operation to obtain a second result sequence; and determining the intersection of the first result sequence and the second result sequence, and determining the common data according to the intersection.
21. The system of claim 20, wherein the operation value of the first local operation with the third random vector is determined by:
generating, for each second private data, a corresponding pseudorandom vector by using a pseudorandom function;
and performing a dot product operation on each pseudorandom vector and the third random vector to obtain the operation value of the first local operation corresponding to each second private data.
22. The system of claim 21, wherein the first processing further comprises:
extracting preset bits from the mapping result obtained by the hash operation for each second private data, to obtain a first result sequence formed by the results corresponding to each second private data.
23. A computer-readable storage medium, on which a computer program is stored which, when executed in a computer, causes the computer to carry out the method of any one of claims 1-11.
24. A computing device comprising a memory having stored therein executable code and a processor that, when executing the executable code, implements the method of any of claims 1-11.
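The two-party flow of claims 9 to 11, with the first-party details of claims 3 to 8, as a toy simulation; this is an added example, not code from the patent. It assumes the "first relationship" is the usual VOLE correlation c = a * delta + b, and it replaces the VOLE protocol with an insecure trusted dealer. The field modulus, the shared PRF key, the item-to-field mapping and all function names are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1  # constructed choice: a Mersenne prime as the finite field modulus
PRF_KEY = b"constructed-shared-prf-key"  # assumption: both parties use the same PRF


def to_field(item: str) -> int:
    """Map an item to a field element so the polynomial can be evaluated on it."""
    return int.from_bytes(hashlib.sha256(b"elt|" + item.encode()).digest(), "big") % P


def prf_vector(item: str, m: int) -> list:
    """Pseudorandom vector in F_P^m for one item (claims 3, 5, 10)."""
    return [int.from_bytes(hmac.new(PRF_KEY, i.to_bytes(4, "big") + item.encode(),
                                    hashlib.sha256).digest(), "big") % P
            for i in range(m)]


def dot(u, v) -> int:
    return sum(a * b for a, b in zip(u, v)) % P


def dealer_vole(m: int):
    """Trusted-dealer stand-in for random VOLE (insecure, simulation only).
    Assumed first relationship: c = a * delta + b, element-wise over F_P."""
    a = [secrets.randbelow(P) for _ in range(m)]
    b = [secrets.randbelow(P) for _ in range(m)]
    delta = 1 + secrets.randbelow(P - 1)
    c = [(ai * delta + bi) % P for ai, bi in zip(a, b)]
    return (c, a), (b, delta)  # first party: (first, second); second party: (third, value)


def interpolate(points):
    """Lagrange interpolation over F_P; returns coefficients, lowest degree first."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:  # multiply basis by (X - xj)
                basis = [(prev - xj * cur) % P
                         for cur, prev in zip(basis + [0], [0] + basis)]
                denom = denom * (xi - xj) % P
        scale = yi * pow(denom, -1, P) % P
        for k, bk in enumerate(basis):
            coeffs[k] = (coeffs[k] + scale * bk) % P
    return coeffs


def evaluate(coeffs, x: int) -> int:
    acc = 0
    for coeff in reversed(coeffs):  # Horner's rule
        acc = (acc * x + coeff) % P
    return acc


def tag(value: int, nbytes: int = 10) -> bytes:
    """Hash the field element, then keep only preset leading bits (claims 6, 11)."""
    return hashlib.sha256(value.to_bytes(16, "big")).digest()[:nbytes]


def run_psi(first_items, second_items):
    xs = sorted(set(first_items))
    m = len(xs) + 1  # claim 8: m1 >= n1 + 1
    (c, a), (b, delta) = dealer_vole(m)
    # First party: first results <PRF(x), a>, then the polynomial through them.
    coeffs = interpolate([(to_field(x), dot(prf_vector(x, m), a)) for x in xs])
    # Second party: uses only coeffs, b, delta; combines, hashes, shuffles (claim 7).
    first_seq = [tag((evaluate(coeffs, to_field(y)) * delta
                      + dot(prf_vector(y, m), b)) % P) for y in set(second_items)]
    secrets.SystemRandom().shuffle(first_seq)
    # First party: hash <PRF(x), c> and intersect with the received sequence.
    second_seq = {tag(dot(prf_vector(x, m), c)): x for x in xs}
    return sorted(second_seq[t] for t in first_seq if t in second_seq)
```

For an item held by both parties the two tags coincide because <PRF(x), c> = delta * <PRF(x), a> + <PRF(x), b> under the assumed relationship; for any other item the polynomial value differs from <PRF(y), a>, so the tags match only with negligible probability.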
CN202110370782.8A 2021-04-07 2021-04-07 Method, device and system for determining shared data for protecting private data Active CN112800478B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110370782.8A CN112800478B (en) 2021-04-07 2021-04-07 Method, device and system for determining shared data for protecting private data

Publications (2)

Publication Number Publication Date
CN112800478A true CN112800478A (en) 2021-05-14
CN112800478B CN112800478B (en) 2021-07-06

Family

ID=75816371

Country Status (1)

Country Link
CN (1) CN112800478B (en)

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070162743A1 (en) * 2006-01-12 2007-07-12 Savant Protection, Inc. Sliding acoustical signatures
CN111125736A (en) * 2019-12-25 2020-05-08 暨南大学 Pathogenic gene detection method based on privacy protection intersection calculation protocol
US10878108B1 (en) * 2020-02-03 2020-12-29 Qed-It Systems Ltd. Delegated private set intersection, and applications thereof
CN111510464A (en) * 2020-06-24 2020-08-07 同盾控股有限公司 Epidemic situation information sharing method and system for protecting user privacy
CN111831662A (en) * 2020-07-24 2020-10-27 深圳市网通兴技术发展有限公司 Medical data information processing method and system
CN112434329A (en) * 2020-10-23 2021-03-02 上海点融信息科技有限责任公司 Private data intersection acquisition method, computing device and storage medium
CN112073444A (en) * 2020-11-16 2020-12-11 支付宝(杭州)信息技术有限公司 Data set processing method and device and server
CN112367170A (en) * 2021-01-12 2021-02-12 四川新网银行股份有限公司 Data hiding query security sharing system and method based on multi-party security calculation

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
申立艳 等: "隐私保护集合交集计算技术研究综述", 《计算机研究与发展》 *
黄雄波: "云环境下隐私保护的集合交集计算协议研究", 《中国优秀硕士学位论文全文数据库 信息科技辑》 *

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113312641A (en) * 2021-06-02 2021-08-27 杭州趣链科技有限公司 Multipoint and multiparty data interaction method, system, electronic device and storage medium
CN113434886A (en) * 2021-07-01 2021-09-24 支付宝(杭州)信息技术有限公司 Method and device for jointly generating data tuples for security calculation
CN113434886B (en) * 2021-07-01 2022-05-17 支付宝(杭州)信息技术有限公司 Method and device for jointly generating data tuples for secure computation
CN113821824A (en) * 2021-08-27 2021-12-21 交通银行股份有限公司 Triple generation method and system based on careless linear evaluation (OLE)
CN113821824B (en) * 2021-08-27 2024-05-24 交通银行股份有限公司 Triplet generation method and system based on careless linear evaluation of OLE
CN113688425A (en) * 2021-09-14 2021-11-23 支付宝(杭州)信息技术有限公司 Two-party combined feature processing method, device and system based on privacy protection
CN114218616A (en) * 2021-11-17 2022-03-22 鹏城实验室 Normalized exponential function safety calculation method and system
CN114218616B (en) * 2021-11-17 2024-06-21 鹏城实验室 Normalized exponential function safe calculation method and system
CN114153808A (en) * 2022-02-09 2022-03-08 支付宝(杭州)信息技术有限公司 Sorting method and system based on secret sharing
CN114153808B (en) * 2022-02-09 2022-05-10 支付宝(杭州)信息技术有限公司 Sorting method and system based on secret sharing
CN114584294B (en) * 2022-02-28 2024-04-16 淘宝(中国)软件有限公司 Method and device for carelessly dispersing and arranging
CN114640444A (en) * 2022-03-18 2022-06-17 哈尔滨理工大学 Privacy protection set intersection acquisition method and device based on domestic cryptographic algorithm
CN114640444B (en) * 2022-03-18 2023-10-24 哈尔滨理工大学 Privacy protection set intersection acquisition method and device based on domestic cryptographic algorithm
CN114978512A (en) * 2022-07-18 2022-08-30 华控清交信息科技(北京)有限公司 Privacy intersection method and device and readable storage medium
CN115333721B (en) * 2022-10-13 2023-02-03 北京融数联智科技有限公司 Privacy set intersection calculation method, device and system
CN115333721A (en) * 2022-10-13 2022-11-11 北京融数联智科技有限公司 Privacy set intersection calculation method, device and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant