CN113065145A

CN113065145A - Privacy protection linear regression method based on secret sharing and random disturbance

Info

Publication number: CN113065145A
Application number: CN202110322472.9A
Authority: CN
Inventors: 魏立斐; 丁悦; 李梦思; 张蕾
Original assignee: Shanghai Ocean University
Current assignee: Shanghai Ocean University
Priority date: 2021-03-25
Filing date: 2021-03-25
Publication date: 2021-07-02
Anticipated expiration: 2041-03-25
Also published as: CN113065145B

Abstract

The invention discloses a privacy protection linear regression method based on secret sharing and random disturbance, which comprises the following steps: s1: multiplication of secret sharing values, S2: training data preprocessing, S3: parameter initialization, S4: model parameter update, S5: model parameter reconstruction, S6: prediction data preprocessing, S7: calculating a predicted share value, S8: and reconstructing a prediction result. The data provider can obtain the model parameters only by adding the parameter values of the two parties, and the privacy of the model parameters and the privacy of the original data can be protected. According to the technology, an enterprise or an organization can distribute data to the two cloud servers in a secret sharing mode, the cloud servers are used for storing the data, the two cloud servers can be used for calculating the linear regression model, and in the process, the cloud servers are used for calculating efficiently, and original data cannot be leaked.

Description

Privacy protection linear regression method based on secret sharing and random disturbance

Technical Field

The invention relates to the field of privacy protection of machine learning data, in particular to a privacy protection linear regression method based on secret sharing and random disturbance technologies of two parties.

Background

Gradient Descent (Gradient decision) is one of the most commonly used methods when solving model parameters of machine learning algorithms, i.e. unconstrained optimization problems. When the loss function is minimized, iterative solution can be performed step by step through a gradient descent method, and the minimized loss function and the model parameter value are obtained. However, a large amount of data is inevitably used for iteration in the process, and leakage of the original data can endanger the security of sensitive data of users or bring huge economic loss to service providers. This is also a major obstacle to cloud computing development. Therefore, the machine learning service system based on cloud computing should pay more attention to the privacy problem and continuously improve the privacy protection capability.

Secure multi-party computing (SMC) originates from the puyao wisdom of the millionaire problem, and is mainly used for solving the cooperative computing problem of keeping privacy among a group of distrusted parties. The data side does not want to hand all the training data to one server to train the model. He wishes to distribute the data set to multiple servers, collectively training the model. Each server does not have knowledge of the training data of the other servers. SecureML is a two-server model protocol that protects privacy. The data owner distributes private data to 2 non-colluding servers and trains the federated data using secure two-party computing techniques. An inadvertent transmission and encryption circuit and a multiparty computing-friendly activation function are adopted. The use of secure multiparty computing to address the privacy protection problem of data is the mainstream direction of current research. The main challenge of current secure multiparty computing is how to build a secure and efficient computing protocol over multiple parties.

Bose et al, in Vaidya-based thought and Clifton's research, propose an algebraic solution that hides the true values by placing them in equations masked with the random values by means of stochastic data perturbation, proposing computation protocols for one-way and two-way protocols of scalar product notation. Both sides obtain the sign of the scalar product through the same parallel action, and the complexity is reduced in the parallel computing scene. Without third party involvement, until the last step, one person must rely on the output of the other.

The scheme adopts a method based on safe two-party gradient descent iteration and combines with cryptology technologies such as secret sharing and random data disturbance, and the advantages are represented as follows: 1) compared with a homomorphic encryption scheme, the expensive calculation overhead can be replaced by a large amount of interaction between the two parties, and meanwhile, the privacy protection requirements of original data and model parameters can be met. 2) All training samples must be used for each iteration of the random descent gradient, so that the algorithm is slow in convergence, and therefore the scheme uses a small-batch gradient descent algorithm, and a small part of samples with fixed quantity are randomly selected for each iteration and updated. 3) And a randomization method and an algebraic method are adopted, so that the encryption overhead of safe multi-party calculation is further reduced.

Disclosure of Invention

The invention provides a privacy protection linear regression method based on secret sharing and random disturbance, which is characterized in that on the basis of safe two-party calculation, a small batch of descending gradient iteration is adopted, secret sharing addition operation is used in addition calculation, a random data disturbance method is used in multiplication, data operation is expanded to matrix operation, on the basis of the original two-party calculation protocol which is transmitted carelessly, encryption overhead and communication complexity are greatly reduced, meanwhile, in a training stage and a prediction stage, the privacy of original data is protected, and as final model parameters are reconstructed by a user, the privacy of the model parameters can be well protected. The scheme can be widely applied in the field of mechanical privacy protection.

A privacy protection linear regression method based on secret sharing and random disturbance comprises the following steps:

s1: multiplication of secret shared values

The step is mainly that two parties hide own true values into an equation with random values and send the equation to the other party on the premise of not revealing own shared values, one party depends on the other party to carry out calculation, and finally, one party obtains the product of the shared values, and for a given matrix M belongs to R_s×tThe sum vector v ∈ R_t，M_iAnd v_i(i ═ 0, 1) are their secret share shares and are each a calculator P_i(i＝0，1) Is owned by₀+M₁，v＝v₀+v₁I.e. the calculation party P₀Having a private matrix M₀And a private vector v₀Another party P₁Having a private matrix M₁And a private vector v₁After solving the problem by means of random data perturbation, P_i(i ═ 0, 1) secret shared share p by which product Mv can be obtained_i＝RPM(M₀，M₁，v₀，v₁)；

S2: training data preprocessing

The method adopts a mode of splitting original data into two parts and sending the two parts of data to two servers, wherein the two servers meet the non-collusion and semi-honest requirements, namely private data of the two servers cannot be leaked, but respective operation is completed through communication with the server of the other side; the data preprocessing is to split the secret into two calculation parties in a secret sharing mode, and finally, the data can be reconstructed by only adding calculation results of the two calculation parties. Here the data provider divides the required training data (X, y) into equal dimensional sizes (X)₀，y₀) And (X)₁，y₁) Satisfy X ═ X₀+X₁，y＝y₀+y₁. And sends the data to a calculator S through a safety channel₀And S₁. Where X ∈ R denotes a matrix with dimension size s × t, s is the number of samples, t is the number of features per sample, and y ∈ R denotes an s-dimensional column vector, called the target value of a sample.

S3: parameter initialization

The linear regression training model can adopt two methods, namely a least square method and a gradient descent method, the gradient descent method is adopted in the invention, the gradient descent method is divided into a batch gradient descent method, a random gradient descent method and a small-batch gradient descent method, and in order to enable the model parameters to be converged more quickly and the efficiency to be higher and to share the limiting condition of multiplication operation secretly, the small-batch gradient descent method is selected for iteration.

S_i(i is 0, 1) the learning rate alpha, the small batch sample number | B |, the maximum iteration time T and the loss threshold e are jointly preset, and the learning rate alpha, the small batch sample number | B |, the maximum iteration time T and the loss threshold e are respectively and initially setInitialized model parameter θ_iThe initial number of iterations is set to 1. Wherein theta is_ie.R represents the t-dimensional column vector. It should be noted that the number | B | of samples selected here needs to be larger than the number t of column vectors of samples, since the condition applicable to step S1a needs to be satisfied.

S4: model parameter updating

Parameter update for the small batch gradient descent algorithm for the training data set (X, y):

where m denotes the current number of iterations, X^BAnd y^BRespectively representing the characteristic values and the target values of the small-lot sample sets,

s5: model parameter reconstruction

The user receives the parameter value theta transmitted by the two servers_iThen, the parameter theta is calculated_iAdding to reconstruct a model parameter theta;

s6: predictive data pre-processing

Through the steps, the current cloud server S is known₀And S₁Having secret shared values theta of model parameters, respectively₀And theta₁The user can distribute the prediction data to the cloud servers for prediction, and finally the prediction values of the two cloud servers are added to obtain a final prediction result, so that the prediction data set X needs to be subjected to information leakage to the cloud servers to prevent the prediction data set information from being leaked to the cloud servers^PCarrying out pretreatment;

s7: calculating a predicted shared value

Since the prediction data set X cannot be guaranteed at this time^PThe number of samples is less than the number of features, so S_i(i is 0, 1) in case two of the step S1 is needed, the step S1b is invoked to calculate the secret sharing value

Namely, it is

S8: reconstructing a prediction result

S_i(i-0, 1) respectively sharing the secret

Sent to the user, the secret shared value being shared by the user

Adding to reconstruct the true prediction result y^P。

As a preferred embodiment of the present invention, the step S1 includes the steps of:

S1a：P₀can obtain M₀v₁One constraint required for this case is M₀∈R_s×tS < t, i.e. the number of rows is less than the number of columns,

S1a1：P₀and P₁Co-negotiating a set of random matrices

Wherein

Matrix C^(k)The vectors in (1) satisfy linear irrelevancy. P₀Selecting a set of random vectors

And a set of random numbers

Wherein

P₁Selecting a random vector r_y＝(r_y1，r_y2，…，r_yt) And a set of random numbers

Wherein P is₀Selected random vector

There are certain constraints, namely: ensuring random vectors

T random values of

Is composed of u different random values, such that

Wherein

Representing rounded-up symbols, then these random values (z)₁，z₂，...，z_u) And vector

In a relationship of

S1a2：P₁Computing

Wherein b is^(k)＝q^(k)v+C^(k)r_y，

And sends B to P₀，

S1a3：P₀Receiving P₁Transmitted by

Then, h ═ h is calculated⁽¹⁾，h⁽²⁾，...，h^(s)) And sent to P₁Wherein

M₀[k]Representation matrix M₀The k-th row vector of (a),

S1a4：P₀computing

Therein after that

Sending A to P₁，

S1a5：P₁Computing

Wherein g is^(k)＝r_ya^(k)，

S1a6：P₁From r_yIn the sequence, w random values are successively selected for summation, and the sum(s) is obtained₁，s₂，...，s_u) Is sent to P₀Wherein

S1a7：P₀Computing

And sends the result to P₁，

S1a8：P₁Computing

To obtain

And according to q^(k)Computing

To P₀，

S1a9：P₀According to

Is calculated to obtain

Similarly, step P is calculated by the above₁Can obtain M₁v₀。

As a preferred embodiment of the present invention,

S1b：P₁can obtain M₀v₁

S1b1：P₀And P₁Co-negotiating a set of random matrices

Wherein

Matrix C^(k)The vectors in (1) satisfy linear irrelevancy. P₀Selecting a random vector r_x＝(r_x1，r_x2，...，r_xt) e.R and a set of random numbers

Wherein P is₁Selected random vector r_yThere are certain constraints, namely: guarantee random vector r_yT random values r of_y1，r_y2，r_ytIs composed of u different random values, such that

Wherein

Indicating a rounded up symbol. Then these random values (z)₁，z₂，...，z_u) And vector r_yIn a relationship of

S1b2：P₀Computing

Wherein a is^(k)＝p^(k)(M₀k[^T+C^(k)(r_x)^T，M₀[k]Representation matrix M₀And sends a to P₁，

S1b3：P₁Receiving P₀Transmitted by

Then, h ═ h is calculated⁽¹⁾，h⁽²⁾，...，h^(s)) And is sent to P₀Wherein

S1b4：P₁Computing

Then, b therein^(k)＝q^(k)C^(k)v₁+r_ySending B to P₀，

S1b5：P₀Computing

Wherein

S1b6：P₀From r_xIn the sequence, w random values are successively selected for summation, and the sum(s) is obtained₁，s₂，...，s_u) Is sent to P₁Wherein

S1b7：P₁Computing

And sends the result to P₀，

S1b8：P₀Computing

To obtain

And according to

Will be provided with

To P₁，

S1b9：P₁According to q^kIs calculated to obtain

Similarly, by the above step P₀Can obtain M₁v₀。

As a preferred embodiment of the present invention, the step S4 includes the steps of:

S41：S_i(i is 0, 1) randomly selecting sample data with the quantity of | B |

S42：S_i(i equals 0, 1) calling step S1a1, according to the batch sample data

And the current model parameter θ_iSeparately deriving secret shared values

Namely, it is

S43：S_i(i is 0, 1) is obtained

Sharing a value with a true secret

Error between

S44：S_i(i is 0, 1) the calculation of the step S1a is called to obtain

Namely, it is

S45：S_i(i-0, 1) updating the formula according to the model parameters of MBGD

Updating model parameter θ_i，

S46：S_i(i-0, 1) calculating the current loss function value loss_i＝X_i×θ_i-y_iNumber of iterations t plus 1

S47：S_i(i is 0, 1) judging the current loss function value loss_iIf the loss function value is less than the loss threshold value e, recording the current theta_iThe training is finished for the secret shared value of the model parameter; otherwise, judging whether the current iteration time T is less than T, if so, continuing to iterate and executing S4, otherwise, ending the training.

In step S6, the user will predict the data set X^PSplitting the data set according to the mode of the step S2 to obtain two sub data sets

And

respectively sent to the cloud server S₀And S₁。

The principle of the invention is as follows: the data provider only needs to split the data into two parts and distribute the two parts to the two cloud servers, the two parties calculate respective parameter values by exchanging with each other by using methods such as secret sharing and random data disturbance without revealing secret sharing shares held by the two parties, and the data provider only needs to add the parameter values of the two parties to obtain model parameters, so that both the privacy of the model parameters and the privacy of original data can be protected.

Has the advantages that: at present, the event of data leakage is endlessly layered. Taking the medical industry as an example, a 2019 medical industry data security report issued by Protenus shows: in 2019, the hacker attack events in the medical industry are dramatically increased by 48% compared with 2018; since 2016, the medical industry has at least experienced an event of leakage of patient data with an average of at least one patient per day, with medical data continuing to "nude". Such an event seriously jeopardizes the personal privacy security of a large number of users. According to the technology, an enterprise or an organization can distribute data to the two cloud servers in a secret sharing mode, the cloud servers are used for storing the data, the two cloud servers can be used for calculating the linear regression model, and in the process, the cloud servers are used for calculating efficiently, and original data cannot be leaked.

Drawings

FIG. 1 is a general design of the present invention.

FIG. 2 is a diagram showing the relationship between steps and sequence in the operation of the present invention.

Fig. 3 is a flowchart of calculating a secret sharing value by using random number perturbation.

Detailed Description

The embodiments of the present invention will be described in detail below with reference to the accompanying drawings: the present embodiment is implemented on the premise of the technical solution of the present invention, and a detailed implementation manner and a specific operation process are given, but the protection scope of the present invention is not limited to the following embodiments.

Referring to fig. 1, which is a general design diagram of the present invention, a user may split training data into two cloud servers, here referring to step S2. The two servers communicate with each other according to the protocol, calculate their respective parameter values, and refer to steps S3 and S4. If the respective loss value calculated by the server is smaller than the predetermined loss threshold value, the iterative training is completed, the respective parameter is sent to the user, the user reconstructs the final model parameter, and refer to step S5. If the user needs to predict the data, the predicted data is sent to the two servers after being subjected to the same preprocessing, the two servers calculate respective predicted values and then transmit the predicted values to the user, and the user adds the two predicted values to obtain a predicted result, and the steps S6-S8 are referred.

As shown in fig. 2, which is a sequence diagram of each step during the operation of the present invention, the two servers in the prediction stage need to use the parameter values calculated in the training stage, wherein both the model parameter update in the training stage and the private prediction value calculation in the prediction stage need to use the multiplication operation of random number perturbation, that is, step S1.

Fig. 3 shows a flowchart for calculating the product of the secret sharing values by means of random number perturbation, which is exemplified by the case of step S1.

S1: multiplication of secret shared values

The first condition is as follows:

S1a1：P₀and P₁Co-negotiating a set of random matrices

Wherein

And a set of random numbers

Wherein

Wherein P is₀Selected random vector

There are certain constraints, namely: ensuring random vectors

T random values of

Is composed of u different random values.

S1a2：P₁Computing

Wherein b is^(k)＝q^(k)v+C^(k)r_y，

And sends B to P₀。

S1a3：P₀Receiving P₁Transmitted by

M₀[k]Representation matrix M₀The k-th row vector of (2).

S1a4：P₀Computing

Therein after that

Sending A to P₁。

S1a5：P₁Computing

Wherein g is^(k)＝r_ya^(k)。

S1a7：P₀Computing

And sends the result to P₁。

S1a8：P₁Computing

To obtain

And according to q^(k)Computing

To P₀。

Case two:

S1b1：P₀and P₁Co-negotiating a set of random matrices

Wherein

Wherein P is₁Selected random vector r_yThere are certain constraints, namely: guarantee random vector r_yT random values r of_y1，r_y2，r_ytIs composed of u different random values.

S1b2：P₀Computing

Wherein a is^(k)＝p^(k)(M₀k[^T+C^(k)(r_x)^T，M₀[k]Representation matrix M₀And sends a to P₁。

S1b3：P₁Receiving P₀Transmitted by

S1b4：P₁Computing

Then, b therein^(k)＝q^(k)C^(k)v₁+r_ySending B to P₀。

S1b5：P₀Computing

Wherein

S1b7：P₁Computing

And sends the result to P₀。

S1b8：P₀Computing

To obtain

And according to

Will be provided with

To P₁。

S1b9：P₁According to q^kIs calculated to obtain

S2: training data preprocessing

The data provider divides the required training data (X, y) into (X0, y0) and (X1, y1) of the same dimension size, and satisfies X0+ X1 and y0+ y 1. And sent to the calculators S0 and S1 through secure channels, respectively.

S3: parameter initialization

S_i(i is 0, 1) the learning rate alpha and the number of small-batch samples are preset togetherL B, maximum iteration time T and loss threshold e, and respectively initializing model parameters theta_iThe initial number of iterations is set to 1. Wherein theta is_ie.R represents the t-dimensional column vector. It should be noted that the number | B | of samples selected here needs to be larger than the number t of column vectors of samples, since the condition applicable to step S1a needs to be satisfied.

S4: model parameter updating

where m denotes the current number of iterations, X^BAnd y^BRespectively representing the characteristic values and the target values of the small-batch sample sets.

S41：S_i(i is 0, 1) randomly selecting sample data with the quantity of | B |

S42：S_i(i equals 0, 1) calling step S1a1, according to the batch sample data

And the current model parameter θ_iSeparately deriving secret shared values

Namely, it is

S43：S_i(i is 0, 1) is obtained

Sharing a value with a true secret

Error between

S44：S_i(i is 0, 1) the calculation of the step S1a is called to obtain

Namely, it is

S45：S_i(i-0, 1) updating equation (1) based on the model parameters of MBGD

Updating model parameter θ_i。

S46：S_i(i-0, 1) calculating the current loss function value loss_i＝X_i×θ_i-y_iThe number of iterations t is t +1

S47：S_i(i is 0, 1) judging whether the current loss function value satisfies loss_iIf loss_iIf < e, the current theta is recorded_iThe training is finished for the secret shared value of the model parameter; otherwise, judging whether the current iteration number meets T < T, if so, continuing to iterate and executing S4, otherwise, ending the training.

S5: model parameter reconstruction

The user receives the parameter value theta transmitted by the two servers_iThen, θ is calculated₀+θ₁And reconstructing the parameters of the model.

S6: predictive data pre-processing

Through the steps, the current cloud server S is known₀And S₁Having secret shared values theta of model parameters, respectively₀And theta₁The user will predict data set X^PSplitting the data set according to the mode of the step S2 to obtain two sub data sets

And

respectively sent to the cloud server S₀And S₁。

S7: calculating a predicted shared value

Since the prediction data set X cannot be guaranteed at this time^PSatisfies that the number of samples is less than the number of features, so S_i(i is 0, 1) in case two of the step S1 is needed, the step S1b is invoked to calculate the secret sharing value

Namely, it is

S8: reconstructing a prediction result

S_i(i-0, 1) respectively sharing the secret

Sending the prediction result to a user, and reconstructing a real prediction result by the user

The foregoing shows and describes the general principles and broad features of the present invention and advantages thereof. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, which are described in the specification and illustrated only to illustrate the principle of the present invention, but that various changes and modifications may be made therein without departing from the spirit and scope of the present invention, which fall within the scope of the invention as claimed. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims

1. A privacy protection linear regression method based on secret sharing and random disturbance is characterized by comprising the following steps:

s1: multiplication of secret shared values

The step is mainly that two parties can share the value through the method under the premise of not revealing the own shared valueHiding the true value of the user into an equation with a random value and sending the equation to the other party, calculating by one party depending on the other party, and finally obtaining the product of the shared value by one party, wherein the given matrix M belongs to R_s×tThe sum vector v ∈ R_t，M_iAnd v_i(i ═ 0, 1) are their secret share shares and are each a calculator P_i(i ═ 0, 1), where M ═ M₀+M₁，v＝v₀+v₁I.e. the calculation party P₀Having a private matrix M₀And a private vector v₀Another party P₁Having a private matrix M₁And a private vector v₁After solving the problem by means of random data perturbation, P_i(i ═ 0, 1) secret shared share p by which product Mv can be obtained_i＝RPM(M₀，M₁，v₀，v₁)；

S2: training data preprocessing

S3: parameter initialization

S_i(i is 0, 1) commonly presetting a learning rate alpha, a small batch sample quantity | B |, a maximum iteration time T and a loss threshold e, and respectively initializing a model parameter theta_iThe initial number of iterations is set to 1. Wherein theta is_ie.R represents the t-dimensional column vector. It should be noted that the number | B | of samples selected here needs to be larger than the number t of column vectors of samples, since the condition applicable to step S1a needs to be satisfied.

S4: model parameter updating

s5: model parameter reconstruction

s6: predictive data pre-processing

s7: calculating a predicted shared value

Since the prediction data set X cannot be guaranteed at this time^PThe number of samples is less than the number of features, so S_i(i-0, 1) using step S1In case two, the step S1b is invoked to respectively calculate the secret sharing value

Namely, it is

S8: reconstructing a prediction result

S_i(i-0, 1) respectively sharing the secret

Sent to the user, the secret shared value being shared by the user

Adding to reconstruct the true prediction result y^P。

2. The privacy-preserving linear regression method based on secret sharing and random perturbation as claimed in claim 1, wherein the step S1 comprises the following steps:

S1a1：P₀and P₁Co-negotiating a set of random matrices

Wherein

And a set of random numbers

Wherein

Wherein P is₀Selected random vector

There are certain constraints, namely: ensuring random vectors

T random values of

Is composed of u different random values, such that

Wherein

In a relationship of

S1a2：P₁Computing

Wherein b is^(k)＝q^(k)v+C^(k)r_y，

And sends B to P₀，

S1a3：P₀Receiving P₁Transmitted by

M₀[k]Representation matrix M₀The k-th row vector of (a),

S1a4：P₀computing

Therein after that

Sending A to P₁，

S1a5：P₁Computing

Wherein g is^(k)＝r_ya^(k)，

S1a7：P₀Computing

And will be knottedFruit is sent to P₁，

S1a8：P₁Computing

To obtain

And according to q^(k)Computing

To P₀，

S1a9：P₀According to

Is calculated to obtain

Similarly, step P is calculated by the above₁Can obtain M₁v₀。

3. The privacy-preserving linear regression method based on secret sharing and random perturbation as claimed in claim 1, wherein the step S1 comprises the following steps:

S1b：P₁can obtain M₀v₁

S1b1：P₀And P₁Co-negotiating a set of random matrices

Wherein

Wherein

S1b2：P₀Computing

Wherein a is^(k)＝p^(k)(M₀[k])^T+C^(k)(r_x)^T，M₀[k]Representation matrix M₀And sends a to P₁，

S1b3：P₁Receiving P₀Transmitted by

S1b4：P₁Computing

Then, b therein^(k)＝q^(k)C^(k)v₁+r_ySending B to P₀，

S1b5：P₀Computing

Wherein

S1b7：P₁Computing

And sends the result to P₀，

S1b8：P₀Computing

To obtain

And according to

Will be provided with

To P₁，

S1b9：P₁According to q^kIs calculated to obtain

Similarly, by the above step P₀Can obtain M₁v₀。

4. The privacy-preserving linear regression method based on secret sharing and random perturbation as claimed in claim 1, wherein the step S4 comprises the following steps:

S41：S_i(i is 0, 1) randomly selecting sample data with the quantity of | B |

S42：S_i(i equals 0, 1) calling step S1a1, according to the batch sample data

And the current model parameter θ_iSeparately deriving secret shared values

Namely, it is

S43：S_i(i is 0, 1) is obtained

Sharing a value with a true secret

Error between

S44：S_i(i is 0, 1) the calculation of the step S1a is called to obtain

Namely, it is

Updating model parameter θ_i，

5. The privacy-preserving linear regression method based on secret sharing and random disturbance as claimed in claim 1, wherein in step S6, the user predicts the data set X^PSplitting the data set according to the mode of the step S2 to obtain two sub data sets

And

respectively sent to the cloud server S₀And S₁。