CN114692133A

CN114692133A - Program running method and system

Info

Publication number: CN114692133A
Application number: CN202210280620.XA
Authority: CN
Inventors: 谭晋; 王磊
Original assignee: Alipay Hangzhou Information Technology Co Ltd
Current assignee: Alipay Hangzhou Information Technology Co Ltd
Priority date: 2021-01-22
Filing date: 2021-01-22
Publication date: 2022-07-01
Also published as: CN112818338B; CN112818338A

Abstract

The specification discloses a program running method and a program running system. The method comprises the following steps: carrying out fragmentation processing on the value of each data in the original data set to obtain N fragmentation values of each data; determining N fragmented data sets; the values of the same data in the N fragmented data sets correspond to the N fragmented values of the same data one by one; under the specified condition, the N running devices respectively run the target program based on different fragment data sets; each running device shares and executes the target program based on at least two threads; wherein, through pre-configuration, an operation result obtained by inputting any one group of values into each basic operation unit corresponding to the target program for operation is equal to: and after each group of the sliced values of any group of values are respectively input into the basic operation unit to be respectively operated, all the obtained operation results are subjected to inverse slicing processing to obtain processing results.

Description

Program running method and system

Technical Field

The embodiment of the specification relates to the field of computers, in particular to a program running method and system.

Background

When a device runs a program, it often operates a data set according to an operation logic in the program to obtain an operation result as an output of the program. Wherein the data set comprises at least data for assigning values to the program variables.

In some scenarios, it is undesirable for sensitive information carried by the data set to be leaked to the device running the program due to the need for information security. For example, in a model training scenario, a device running a model training program needs to obtain a plurality of user samples and perform operations with corresponding tags, which means that the device can obtain user privacy information based on the obtained plurality of user samples and corresponding tags.

Therefore, a program running method for ensuring information security is needed.

Disclosure of Invention

In order to ensure information security, the specification provides a program running method and a program running system. The technical scheme is as follows.

A program execution method comprising:

carrying out fragmentation processing on the value of each data in the original data set to obtain N fragmentation values of each data; the original data set comprises data used for assigning values to variables in the program;

determining N fragmented data sets; determining each sharded data set, including: carrying out reassignment on each data in the original data set by adopting a fragment value of the data; the values of the same data in the N fragmented data sets correspond to the N fragmented values of the same data one by one;

under the specified condition, the N running devices respectively run the same target program based on different fragment data sets; the specified cases include: consistency is satisfied between the variable attribute sets predefined by the N running devices respectively; a variable attribute comprises a variable symbol and a variable data type; the threads with the same identification appointed by the target program among different running devices share the same interaction task in the target program; the interaction task is used for interacting the encrypted fragment values of the same data by the thread with the same identifier in other running equipment;

through pre-configuration, aiming at each basic operation unit corresponding to the target program, inputting any group of values into an operation result obtained by operation of the basic operation unit before configuration, wherein the operation result is equal to: and after each group of slicing values of any group of values are respectively input into the configured basic operation unit to be respectively operated, all the obtained operation results are subjected to inverse slicing processing to obtain processing results.

A program running system carries out fragmentation processing on the value of each data in an original data set in advance to obtain N fragmentation values of each data; the original data set comprises data used for assigning values to variables in the program; determining N fragmented data sets; determining each sharded data set, including: carrying out reassignment on each data in the original data set by adopting a fragment value of the data; the values of the same data in the N fragmented data sets correspond to the N fragmented values of the same data one by one;

the system comprises N operating devices, each operating device being configured to: running the same target program based on the fragmented data set under a specified condition, wherein the specified condition comprises the following steps: consistency is satisfied between the variable attribute sets predefined by the N running devices respectively; a variable attribute comprises a variable symbol and a variable data type; the threads with the same identification appointed by the target program among different running devices share the same interaction task in the target program; the interaction task is used for interacting the encrypted fragment values of the same data by the thread with the same identifier in other running equipment;

the N running devices respectively run the target program based on different fragment data sets; through pre-configuration, aiming at each basic operation unit corresponding to the target program, inputting any group of values into an operation result obtained by operation of the basic operation unit before configuration, wherein the operation result is equal to: and after each group of slicing values of any group of values are respectively input into the configured basic operation unit to be respectively operated, all the obtained operation results are subjected to inverse slicing processing to obtain processing results.

According to the technical scheme, the N running devices can run the target program based on the fragmented data set through pre-configuration, and the running result of the target program based on the original data set is obtained. Therefore, on the premise that the target program operation result based on the original data set can be obtained, each operation device can only obtain the fragment value in the fragment data set, cannot obtain any plaintext data in the original data set, cannot obtain the sensitive information in the original data set, and information safety is protected.

Drawings

In order to more clearly illustrate the embodiments of the present specification or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments described in the embodiments of the present specification, and other drawings can be obtained by those skilled in the art according to the drawings.

Fig. 1 is a schematic flow chart of a program running method provided in an embodiment of the present specification;

FIG. 2 is a schematic diagram illustrating a method for determining a fragmented data set according to an embodiment of the present disclosure;

FIG. 3 is a schematic diagram illustrating another fragmented data set determination method provided by an embodiment of the present specification;

fig. 4 is a schematic structural diagram of a virtual execution device provided in an embodiment of the present specification;

FIG. 5 is a schematic flowchart of a method for operating a model training program according to an embodiment of the present disclosure;

fig. 6 is a schematic structural diagram of a program running system provided in an embodiment of the present specification.

Detailed Description

In order to make those skilled in the art better understand the technical solutions in the embodiments of the present specification, the technical solutions in the embodiments of the present specification will be described in detail below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only a part of the embodiments of the present specification, and not all the embodiments. All other embodiments, which can be derived from the description herein, and which are intended to be within the scope of the disclosure, by a person of ordinary skill in the art.

In some scenarios, it is undesirable for sensitive information carried by the data set to be leaked to the device running the program due to the need for information security.

For example, in a model training scenario, a device running a model training program needs to obtain a plurality of user samples and operate with corresponding tags, which means that the device can obtain user privacy information based on the obtained plurality of user samples and corresponding tags.

The present specification provides a program running method. Because a single device usually acquires all plaintext data in a data set operated by a program when running the program (for convenience of description, a data set containing all plaintext data is referred to as an original data set), in the program running method provided by this specification, a slicing process may be performed on a value of each plaintext data in the original data set to obtain a plurality of sliced values; and then, a plurality of fragmented data sets containing all data (values are fragmented values) in the original data set can be obtained, and the obtained fragmented data sets are respectively deployed on a plurality of devices, so that the devices can run the same program based on the fragmented data sets.

When the program is specifically operated, the operation on the fragmented data set in the program can be executed through a specific fragmentation operation algorithm, so that after a plurality of program operation results based on the fragmented data set of a plurality of devices are subjected to inverse fragmentation processing, an obtained inverse fragmentation processing result is equal to a program operation result based on the original data set.

For ease of understanding, a specific example is given below.

The original data set contains data X, whose value is a. The data X may be subjected to fragmentation processing by splitting the value a into N parts, specifically, a₁，a₂，a₃，...，a_N. Wherein,

and determining N fragmented data sets, wherein the N fragmented data sets all contain data X. For the fragmented data set i, the value of the contained data X is a_i，i＝1，2，3，...，N。

And the program needing to be operated is F (X), and the F (X) is configured and modified based on a specific slicing operation algorithm to obtain F' (X), so that

Wherein each device may be based on a local data fragmentation value a_iCalculate F' (a)_i)。

In the above method embodiment, because a specific fragmentation operation algorithm is used, a plurality of program operation results obtained by a plurality of devices based on a fragmented data set can still obtain a program operation result based on an original data set after inverse fragmentation processing, and therefore, on the premise that an actually required program operation result (i.e., a program operation result based on an original data set) can be obtained, fragmentation processing is performed on a value of each data in the original data set, a plurality of fragmented values without an actual meaning can be obtained, and no information (including sensitive information) is included, so that sensitive information included in the data is removed, and desensitization processing is realized. Each device cannot obtain any sensitive information from the acquired data fragment values.

That is to say, the data set (i.e., the fragmented data set) operated by each device running program in the multiple devices does not contain sensitive information, and the sensitive information carried by the original data set is not leaked to any device running the program in the program running process, so that the security of the sensitive information is protected.

The following explains a specific slicing algorithm in the above method embodiment.

When the program is executed, the program may include any operation, such as addition, subtraction, multiplication, division, derivation, and evolution. Each operation needs to be performed on a device running the program, and may specifically be performed by a computing unit of the device, for example, a central processing unit CPU.

To facilitate better understanding of the above-mentioned specific slicing algorithm, two notable preconditions are introduced below.

Precondition 1: data on a device has precision due to the limited storage space allocated by the device for the data.

It should be noted that when the device operates on data, the storage space of each piece of data is limited, and the size and the precision of the data are further limited. For example, for integer data, 4 bytes can be occupied in the storage space of the device, and the size of data that can be represented has a limit, with the precision of 1; for data of double-precision floating-point number type, generally 8 bytes can be occupied in the storage space of the device, and there is a limit to the precision that can be expressed.

Based on this, when the device operates the program to operate the data, if the operation result cannot be accurately represented due to the limitation of the data storage space, an approximate value is taken as the operation result. A specific example is that when using a double precision floating point type data representation 1/3, the device is generally represented as 0.333333, and not as an infinite loop fraction.

Precondition 2: any operation included in the program is decomposed into basic operation operations that can be executed by the computing unit.

The computational units of a device are typically only capable of performing a portion of the basic operational operations, such as addition, multiplication, and nor equal logic operations. Any operation included in the program needs to be executed by the computing unit, and specifically, any operation is converted into one or more basic operation operations that can be realized by the computing unit.

Since any one of the logical operations can be represented by an exclusive-or operation, an and operation, and a non-operation, any one of the logical operations can be converted into a basic operation.

For arithmetic operations, it is obvious that the conversion can be to basic operation operations. For example, a subtraction operation between two data may be converted into an addition operation between one data and the inverse of the other data, and a division operation between two data may be converted into a multiplication budget between a dividend and the reciprocal of the divisor.

For more complex operations, the operations may be converted into one or more basic operations by some approximation. Such as newton's iteration, dichotomy, taylor's expansion equations, and so forth. Because the accuracy of the data stored in the equipment is limited, the accuracy of the approximate values can be improved to be higher than the accuracy of the operation result on the equipment by the methods for solving the approximate values, so that the accuracy can be reduced to obtain the operation result; in the case of performing a forward operation using the original data, the difference between the reverse operation result of the approximate value and the original data may not be represented by the device, and the approximate value may be used as the forward operation result.

Two specific examples of complex operations are given below.

As a first example, the derivative value may be calculated directly from the definition of the derivative value. Can directly calculate the derivative value

Where Δ x may take on a very small value. The device has strong calculation capability, can quickly perform complex numerical calculation, and can directly calculate the derivative value, thereby converting the complex operation of obtaining the derivative value into a subtraction operation and a division operation, namely an addition operation and a multiplication operation.

It should be noted that the derivative value obtained by this calculation method is an approximate value, but since there is a limit to the accuracy of the data itself on the device, the accuracy of the derivative value obtained by this calculation method can be made higher than the accuracy of the derivative value on the device by controlling the magnitude of Δ x.

For example, in the case where the precision of the derivative value data is 0.1, the calculation may be performed by substituting a plurality of times while continuously decreasing Δ x so that

The first decimal of the result of the plurality of operations of (2) is kept constant, so that a derivative value with an accuracy of 0.1 can be obtained.

As a second example, the squaring operation may be calculated using a dichotomy. In a particular calculation

The following calculation can be performed in the calculation of (2).

1*1＝1＜2

1.5*1.5＝2.25＞2

1.25*1.25＝1.5625＜2

1.375*1.375＝1.890625＜2

1.4375*1.4375＝2.06640625＞2

1.40625*1.40625＝1.9775390625＜2

1.421875*1.421875＝2.021728515625＞2

1.4140625*1.4140625＝1.9995727539062...

In the case where the difference between the product and 2 is smaller than the precision of the operation result, 0.00042 ° cannot be expressed by the apparatus for the operation result, and 2 may be actually expressed for the square operation result of 1.4140625, and thus, it may be determined that the operation result is 1.41.

Through the analysis of the above two prerequisites, any operation contained in the program, if it can be executed by the device, can be generally converted into one or more basic operation operations that can be executed by the computing unit.

If each basic operation of the computing unit meets the condition that a plurality of basic operation results based on the fragment data set are subjected to inverse fragmentation processing to obtain inverse fragmentation processing results which are equal to the basic operation results based on the original data set based on a specific fragmentation operation algorithm, because any one operation in the program is realized by one or more basic operation operations, any one operation in the program also meets the condition that a plurality of operation results based on the fragment data set are subjected to inverse fragmentation processing to obtain inverse fragmentation processing results which are equal to the operation results based on the original data set.

Further, the final operation result of the program is obtained through a plurality of operation operations in the program, and the program operation result also satisfies the condition that "after the program operation results of a plurality of fragmentation data sets of a plurality of devices are subjected to inverse fragmentation processing, the obtained inverse fragmentation processing result is equal to the program operation result based on the original data set".

Therefore, if "the inverse sharding processing result obtained after the inverse sharding processing is performed on the program operation results of the plurality of sharded data sets based on the plurality of devices is equal to the program operation result based on the original data set", it is necessary to make each basic operation of the computing unit satisfy "the inverse sharding processing result obtained after the inverse sharding processing is performed on the basic operation results of the plurality of sharded data sets based on the original data set is equal to the basic operation result based on the original data set".

Before explaining the configuration of basic operation operations based on a specific slicing operation algorithm, specific operations of slicing processing need to be explained first. In the slicing process, it is necessary to distinguish between two cases of participation in an arithmetic operation and participation in a logical operation.

For a value of the same data (referred to as an initial value for convenience of description), in a case where it is necessary to participate in an arithmetic operation, the split sliced value needs to satisfy "the sum of the sliced values is equal to the initial value"; in the case of participating in the logical operation, the split fragment values need to satisfy "the result of exclusive or of each fragment value is equal to the initial value".

For example, for data X with a value a, in the case of needing to participate in arithmetic operation, the obtained fragment value a is split₁，a₂，a₃，...，a_NNeed to satisfy

And under the condition of needing to participate in logic operation, the obtained fragment value a is split_N+1，a_N+2，a_N+3，...，a_2NNeed to satisfy

In this specification

Indicating an exclusive or operation.

The slicing processing may specifically be: and (4) carrying out fragmentation based on a random algorithm. For example, N-1 random numbers are obtained as a based on a random algorithm₁，a₂，a₃，...，a_N-1Then calculate a_NSo as to satisfy the above conditions

Or

In addition, the slice values satisfying different conditions may be mutually converted based on the existing manner. Therefore, under the condition that the program comprises arithmetic operation and logic operation, the fragment values can be immediately converted according to requirements, and two groups of different fragment values are obtained without respectively carrying out different fragment processing twice.

The inverse slicing processing corresponding to the two slicing processing cases is also different, and is an addition operation for an arithmetic operation and an exclusive or operation for a logical operation.

Since the fragmentation processing is a desensitization processing mode, on the premise of completing the calculation, the device cannot acquire sensitive information contained in the fragmented data. Therefore, the data which needs to hide sensitive information and protect information security can be subjected to fragmentation processing, such as input of a program, partial constants and values of partial variables.

However, there are also some data in the program that do not need to secure information, such as some constants, some weights, some fixed values, and so on. Sensitive information is not contained, so that fragmentation processing is not required.

Therefore, the data participating in the operation in the program includes data subjected to fragmentation processing and data not subjected to fragmentation processing.

For ease of understanding, the following configurations for the basic operation operations are for two data, and it is understood that the basic operation for an operation including more than two data can be split into a plurality of groups of two data.

1. And (4) adding.

For the addition operation between two pieces of data processed in a slicing mode, each device can directly add slicing values of the two pieces of data to obtain an addition operation result. The sum of the addition results of all the devices based on the slice values is equal to the addition result based on the initial value.

For example, for data X with a value a and data Y with a value b, after the fragmentation processing, the value of the data X on the device i is a_iThe value of data Y is b_iWherein i ═ 1,2, 3. A fragmentation value of

And is

For X + Y executed in the program, the device i specifically executes a_i+b_i. And based on the following derivation, the sum of the N addition results is equal to a + b for all N devices (i.e., the N sliced data set-based addition results, after being subjected to inverse slicing processing (addition operation), result in inverse slicing processing that is equal to the original data set-based addition result).

For the addition operation between one piece of non-fragmentation processed data and one piece of fragmentation processed data, one piece of equipment can be selected from N pieces of equipment to execute the addition operation, and the other N-1 pieces of equipment do not execute the addition operation; each device may also fragment the data that is not subjected to fragment processing in real time, for example, divide the value N of the data equally, and add the fragment values of the two data to obtain the addition result.

Also, based on the following derivation, a is an initial value of the non-sliced data, and the sum of N addition results is equal to a + b for all N devices (i.e., N inverse-slicing processing results obtained after the addition results based on the sliced data set are subjected to inverse-slicing processing (addition operation) are equal to the addition results based on the original data set).

For the addition operation between two pieces of data which are not subjected to fragmentation processing, the addition operation can be normally executed because fragmentation processing is not involved and inverse fragmentation processing is not performed.

2. And (4) multiplication operation.

Aiming at the multiplication operation between two pieces of data processed in a slicing mode, a group of random numbers can be appointed between N pieces of equipment, and the slicing values of the two pieces of data are encrypted based on the group of random numbers, so that the encrypted data slicing values can be interacted without leaking original values and sensitive information of the data, and further specified operation is carried out, and the sum of specified operation results of the N pieces of equipment based on the slicing values is equal to the multiplication operation result of the initial values of the two pieces of data. The sum of the specified operation results of all devices based on the tile value is equal to the multiplication result based on the initial value.

For convenience of explanation of the specified operation, a specific example is given below.

For example, for data X with a value a and data Y with a value b, after the fragmentation processing, the value of the data X on the device i is a_iThe value of data Y is b_iWherein i ═ 1,2, 3. A slicing value of

And is provided with

The method comprises the following steps: a set of random numbers, including 3 random numbers α, β, δ, needs to be agreed between N devices for the multiplication operation between the current data X and the data Y, where α β ═ δ.

The 3 random numbers are also subjected to fragmentation processing to obtain

Where i is 1,2, 3.., N, and the respective tile values are respectively deployed to N devices such that there is α for device i_i，β_i，δ_i。

N devices interact with each other (a)_i-α_i) And (b)_i-β_i) So that each device can calculate

And

thereby obtaining (a-alpha) and (b-beta). Due to the introduction of the random numbers α, β, the original values a and b, and the sensitive information contained therein, are still not available to each device.

Step two: each device i performs a specified operation

And may take the result of this specified operation as the result of a multiplication operation of data X and data Y on the device.

Based on the following derivation, the sum of the N multiplication results of the N devices is equal to ab for all the N devices (i.e., N designated operation results (multiplication results for the devices) based on the sliced data set are equal to the multiplication result based on the original data set after being subjected to inverse slicing processing (addition operation)).

In addition, in step two, a device may be designated to calculate (a- α) (b- β) + (b- β) α_i+(a-α)β_i+δ_iAs a result of the multiplication operation of this device, while the other N-1 devices can calculate (b- β) α_i+(a-α)β_i+δ_iAs a result of the multiplication operation. Obviously, in this case, the sum of the N multiplication results of the N devices is also equal to ab for all the N devices.

For the multiplication operation between one piece of data processed without fragmentation and one piece of data processed with fragmentation, each device may directly determine a product of a data value processed without fragmentation and a fragmentation value as a multiplication operation result, and derive based on the following, for example, a is a data value processed without fragmentation, and for all N devices, the sum of N multiplication results of N devices is equal to Ab.

Of course, the data value which is not subjected to the fragmentation processing can also be subjected to the fragmentation processing in real time, so that the multiplication result can be obtained based on the first step and the second step.

For the multiplication operation between two data which are not processed in a slicing mode, the multiplication operation can be normally executed because neither the slicing processing nor the inverse slicing processing is involved.

3. And (4) performing exclusive-or operation.

For the logical operation, the slicing value obtained by the slicing processing may specifically satisfy "the result of exclusive or of each slicing value is equal to the initial value".

For the exclusive or operation between two pieces of data processed in a slicing mode, each device can directly perform the exclusive or operation on the slicing values of the two pieces of data to obtain the execution result of the exclusive or operation. All devices perform exclusive-OR operations based on the slice values, and the results of exclusive-OR operations with each other are equal to the results of exclusive-OR operations based on the initial values.

And

based on the following derivation, the results of the execution of the N XOR operations are equal to the results of XOR operations performed by the N devices with respect to each other

(that is, N execution results of the exclusive or operation based on the sliced data set, after being subjected to inverse slicing processing (exclusive or operation), obtain an inverse slicing processing result equal to the execution result of the exclusive or operation based on the original data set).

For the xor operation between one piece of data processed without fragmentation and one piece of data processed with fragmentation, it may be determined that one device performs the xor operation between the data value processed without fragmentation and the local fragmentation value to obtain a result, and the other N-1 devices do not perform the operation and directly use the fragmentation value as the result of the xor operation. All devices perform exclusive-OR operations based on the slice values, and the results of exclusive-OR operations with each other are equal to the results of exclusive-OR operations based on the initial values.

For example, for data X with a value a, after the slicing process, the data X on the device i has a value a_iWherein i ═ 1,2, 3. A fragmentation value of

Based on the following pushWhere A is an initial value of data not subjected to slicing processing, and the results of the execution of N XOR operations are equal to those of the exclusive OR operations of all N devices

Of course, the fragment processing may also be performed on a in real time, and the xor operation is directly performed on the fragment values of the two pieces of data to obtain the execution result of the xor operation.

For the exclusive or operation between two pieces of data which are not processed by fragmentation, since neither fragmentation processing nor inverse fragmentation processing is involved, the exclusive or operation can be normally executed.

4. And (7) operating.

For the and operation between two pieces of data in the slicing processing, a group of random numbers can be agreed between N pieces of equipment, the slicing values of the two pieces of data are encrypted by the random numbers based on the group of random numbers, so that the encrypted data slicing values can be interacted without leaking original values and sensitive information of the data, and further, the specified operation is carried out, so that the result of the execution result of the N pieces of equipment through the mutual exclusive or operation (inverse slicing processing) based on the specified operation of the slicing values is equal to the and operation execution result of the initial values of the two pieces of data.

And

the method comprises the following steps: a set of random numbers needs to be agreed between the N devices for the and operation between the current data X and the data Y, wherein the set of random numbers includes 3 random numbers α, β, δ, and α ^ β ═ δ.

The 3 random numbers are also subjected to fragmentation processing to obtain

And

and deploying the respective sliced values to the N devices respectively so as to have alpha for the device i_i，β_i，δ_i。

N devices interact with each other

And

so that each device can be calculated

And

due to the introduction of the random numbers α, β, the original values a and b, and the sensitive information contained therein, are still not available to each device.

Step two: specifying a device to compute

As a result of the AND operation execution, other N-1 devices can calculate

As a result of the execution of the and operation.

Based on the following derivation, the results of the N and operation execution results subjected to the exclusive or operation are equal to a ^ b for all the N devices (i.e., the results of the N designated operation execution results based on the sliced data set (and operation execution results for the device) are equal to the results of the inverse slicing process (exclusive or operation) after being subjected to the inverse slicing process (exclusive or operation) based on the original data set).

For the and operation between one piece of non-sharded data and one piece of sharded data, each device may directly determine the and operation execution result between the non-sharded data value and the sharded value as the and operation execution result, based on the derivation that, for example, a is the non-sharded data value, and the results of the N and operation execution results subjected to the mutual exclusive or operation are equal to a ^ b for all N devices (i.e., N designated operation execution results based on the sharded data set (and operation execution results for the devices) obtain the inverse sharded processing result after being subjected to the inverse sharded processing (exclusive or operation), which is equal to the and operation execution result based on the original data set).

Of course, the data value which is not subjected to the fragmentation processing can also be subjected to the fragmentation processing in real time, so that the result of the execution of the operation can be obtained based on the steps one and two.

For the and operation between two pieces of data which are not processed in a fragmentation mode, the and operation can be normally executed because neither the fragmentation processing nor the reverse fragmentation processing is involved.

5. And (4) not operating.

Therefore, for the non-operation of one data of the slicing processing, one device can be designated among the N devices, the designated device can execute the non-operation of the slicing value to obtain a non-operation execution result, and the other N-1 devices can directly take the slicing value as the non-operation execution result.

Based on the following derivation, for all the N devices, the results of the N non-operation execution results of the N devices subjected to the exclusive or operation are equal to

(i.e., N designated operation execution results (non-operation execution results for the device) based on the fragmented data set, after being subjected to the inverse fragmentation processing (exclusive or operation), the obtained inverse fragmentation processing result is equal to the non-operation execution result based on the original data set).

For the non-operation of one piece of data which is not processed in a fragmentation mode, the non-operation can be normally executed because fragmentation processing is not involved and reverse fragmentation processing is not carried out.

6. Or an operation.

For the or operation between two pieces of data in the slicing processing, a group of random numbers can be agreed between the N devices, the slicing values of the two pieces of data are encrypted by the random numbers based on the group of random numbers, so that the encrypted data slicing values can be interacted without leaking original values and sensitive information of the data, and further, the specifying operation is performed, so that the result of the mutual exclusive or operation (inverse slicing processing) performed on the result of the execution of the specifying operation of the slicing values by the N devices is equal to the result of the or operation of the initial values of the two pieces of data.

And

the method comprises the following steps: a set of random numbers needs to be agreed between the N devices for the or operation between the current data X and the data Y, where the random numbers include 3 random numbers α, β, δ, where α ^ β ═ δ.

The 3 random numbers are also subjected to fragmentation processing to obtain

And

N devices interact with each other

And

so that each device can be calculated

And

Step two: 1 device computing

As a result of the OR operation performed by the specified device, while the other N-1 devices may compute

As a result of the or operation execution.

Based on the following derivation, the result obtained by mutually exclusive-oring the N or operation execution results is equal to a v for all N devices (i.e., the result obtained by inversely slicing (exclusive-or operation) the N designated operation execution results based on the sliced data set (or operation execution results for the devices) is equal to the or operation execution result based on the original data set).

For an or operation between one piece of data not subjected to the fragmentation processing and one piece of data subjected to the fragmentation processing, each device may perform a specified operation such that a result of the N devices subjected to the exclusive or operation (inverse fragmentation processing) based on a specified operation execution result of the fragmentation value is equal to an or operation execution result of initial values of the two pieces of data.

The value of the data which is not processed by fragmentation is A.

Can specify a device to perform

While other N-1 devices may perform

Based on the following derivation, the result of the exclusive or operation on the N or operation execution results for all N devices is equal to a v £ (i.e., the result of the inverse fragmentation processing (exclusive or operation) obtained after the inverse fragmentation processing (exclusive or operation) on the N designated operation execution results (and operation execution results for the device) based on the fragmented data set is equal to the or operation execution result based on the original data set).

Of course, the data value which is not subjected to the fragmentation processing can also be subjected to the fragmentation processing in real time, so that the result can be obtained or operated and executed based on the steps one and two.

For the or operation between two pieces of data which are not processed in a fragmentation mode, the or operation can be normally executed because neither the fragmentation processing nor the reverse fragmentation processing is involved.

Through the explanation of the specific fragmentation operation algorithm, for the operations including addition operation, multiplication operation, and-or-not operation and exclusive-or operation, it is possible to realize that "the inverse fragmentation processing result obtained after inverse fragmentation processing of multiple basic operation results based on the fragmentation data set is equal to the basic operation result based on the original data set" so as to realize that "the inverse fragmentation processing result obtained after inverse fragmentation processing of multiple program operation results based on the fragmentation data set of multiple devices is equal to the program operation result based on the original data set".

A program operating method provided in the present specification is explained in detail below with reference to the accompanying drawings.

Fig. 1 is a schematic flow chart of a program running method provided in this specification. The method may comprise at least the following steps S101-S103.

S101: and carrying out fragmentation processing on the value of each data in the original data set to obtain N fragmentation values of each data.

The raw data set may include data required to protect sensitive information, such as data used to assign values to variables in a program, data used to assign values to constants in a program, input data of a program, and so on. Sensitive information contained in the data values can be hidden through the fragmentation process.

And N is a preset number of devices participating in program execution. N is more than or equal to 2. For convenience of description, a device to participate in the program execution is referred to as an execution device.

S102: determining N fragment data sets; determining each sharded data set, including: carrying out reassignment on each data in the original data set by adopting a fragment value of the data; the values of the same data in the N sliced data sets correspond to the N sliced values of the same data one to one.

The explanation is made by combining the above S101 and S102.

There may be at least two embodiments of the storage location of the original data set, and correspondingly, the specific manner of determining the N sharded data sets is also different.

The first embodiment is as follows: the raw data set may be stored on a target device other than the N running devices.

The target device may be any storage device other than the N running devices, and stores all data in the original data set. The target device may perform fragmentation processing on each data in the original data set to obtain N fragmentation values, thereby creating N fragmentation data sets, where each fragmentation data set may include all data in the original data set, and reassign the N fragmentation values to the data in the N fragmentation data sets, respectively, so that the values of the same data in the N fragmentation data sets correspond to the N fragmentation values of the same data one to one.

The target device may send the created N fragmented data sets to the N operating devices, respectively, so that the N operating devices correspond to the N fragmented data sets one to one.

For ease of understanding, in an alternative embodiment, as shown in fig. 2, a schematic diagram of a fragmented data set determination method provided in this specification includes a target device, a device 1, and a device 2, where the target device stores an original data set { X ═ a, Y ═ b }.

For the original data set { X ═ a, Y ═ b }, the devices participating in program execution include device 1 and device 2. Target equipment carries out fragmentation processing on each data in the original data set to obtain a₁、a₂、b₁、b₂And 2 fragment data sets are created, and the fragment values are reassigned to each fragment data set to obtain a fragment data set { X ═ a₁，Y＝b₁And { X ═ a }₂，Y＝b₂}。

Target equipment sets fragment data { X ═ a₁，Y＝b₁Send to device 1 and set of sliced data { X ═ a }₂，Y＝b₂It is sent to device 2.

Example two: the raw data set may be stored in a distributed manner on the N running devices.

That is, each of the N running devices may store a portion of the data in the original data set.

The N fragmentation values of each data are obtained and N fragmentation data sets are determined, specifically, N running devices respectively perform fragmentation processing on locally stored data values (data values stored by the running devices and belonging to the original data set), and interact fragmentation processing results with each other, so that each running device can obtain one fragmentation value of each data in the original data set, that is, a fragmentation data set.

For ease of understanding, in an alternative embodiment, as shown in fig. 3, a schematic diagram of another fragmented data set determination method provided in the present specification includes device 1 and device 2.

For the original data set { X ═ a, Y ═ b }, the devices participating in program execution include device 1 and device 2.The device 1 stores data X with value a, and the device 2 stores data Y with value b. The device 1 performs fragmentation processing on the locally stored data X to obtain a fragmentation value a₁And a₂And a is₂To the device 2; the device 2 performs fragmentation processing on the locally stored data Y to obtain a fragmentation value b₁And b₂And b is₁To the device 1.

The apparatus 1 making use of₁Reassign data X, create data Y, utilize b₁And re-assigning the data Y to obtain a fragment data set { X ═ a₁，Y＝b₁}; the device 2 may similarly obtain the fragmented data set { X ═ a }₂，Y＝b₂}。

For the second situation, the present specification further provides a specific embodiment, which is specifically defined for the interaction between the running devices and the form of the fragmented data set.

The N running devices may create symbol tables in advance. The symbol table may be used at least to store variables predefined by the operating device. The symbol table may specifically include a variable name, a variable data type, and a variable value storage address.

Each of the N running devices has stored thereon a portion of the data in the original data set. The running device may create a corresponding variable in the symbol table based on the local data.

Under the condition that any one of the operation devices creates a variable in the symbol table according to any one of the local data, the operation device can generate a corresponding variable name, a corresponding variable data type and a corresponding variable value storage address. Meanwhile, the data can be fragmented, one fragment value is selected to assign values to variables in the symbol table, and the variable name, the variable data type and the other N-1 fragment values of the variable are respectively sent to the other N-1 running devices, so that each running device in the other N-1 running devices can acquire the variable name, the variable data type and the 1 fragment value, and the other N-1 running devices can conveniently create variables with the same variable name and the same variable data type in the local symbol table and assign values by using the obtained 1 fragment value.

Variables are created in the symbol tables of the N operating devices respectively according to locally stored data values (the data values which are stored by the operating devices and belong to the original data set), fragmentation processing is carried out, and interaction is carried out, so that the symbol table of each operating device comprises the variables corresponding to each data in the original data set and the fragmentation values of each data.

For ease of understanding, in an alternative embodiment, the devices participating in the program run include device 1 and device 2 for the original data set { X ═ a, Y ═ b }. The device 1 stores data X with value a, and the device 2 stores data Y with value b.

The device 1 may create a variable X, a variable name of which is X, in a local symbol table according to the locally stored data X, where the variable data type is integer data, and a variable value storage address may be specified by the device. The device 1 may perform fragmentation processing on a to obtain a fragmentation value a₁And a₂By using a₁Assigning a variable X in the symbol table, specifically assigning a₁And writing back to the variable value storage address corresponding to the variable X.

Meanwhile, the device 1 may classify the variable name X, the variable data type as integer data, and the sliced value a₂To the device 2. The device 2 can create the variables X with the same variable name and the same variable data type in the local symbol table according to the received information, and utilize a₂And assigning the variable X.

Similarly, device 2 creates a variable Y in the local symbol table, using b₂Assigning a variable Y; the device 1 creates variables Y with the same variable name and the same variable data type in the local symbol table according to the information sent by the device 2, and uses b₁And assigning a value to the variable Y.

Thus, the device 1 local symbol table may contain a sliced data set { X ═ a }₁，Y＝b₁The device 2 local symbol table may contain a sliced data set { X ═ a }₂，Y＝b₂}。

It should be noted that two variables with the same name cannot appear in the same symbol table. Therefore, before actual interaction, variable name conflict check is performed between the N running devices, so that two variables with the same name do not exist in the symbol table of any running device after the interaction.

In an alternative embodiment, before N running devices interact with each other to create a new variable in their respective symbol tables, it may be determined whether there is a variable with the same name between different running devices, and if so, the name may be replaced; if not, the interaction may continue.

In addition, the symbol table may also be used to store constants predefined by the operating devices, and the constants are also subjected to the above-mentioned fragmentation processing and interact with each other, so that the N operating devices synchronize the constants in the symbol table.

S103: under the specified condition, the N running devices respectively run the target program based on different fragmented data sets. Through the pre-configuration, aiming at each basic operation unit corresponding to the target program, any group of values are input into the basic operation unit to obtain an operation result, and the operation result is equal to: and after each group of the sliced values of any group of values are respectively input into the basic operation unit to be respectively operated, all the obtained operation results are subjected to inverse slicing processing to obtain processing results.

After S102, the shard data sets are respectively deployed on the N running devices, and the program may be run according to the locally deployed shard data sets.

S103 is explained below from 4 angles, respectively.

1. A situation is specified.

The specified condition may be a condition that preconditions that the N running devices specified by the flow of the method can run the target program are satisfied.

In an alternative embodiment, the specified condition may be that the N running devices complete deployment of the sharded data set and the target program. For example, if it is determined that each running device has a sharded data set and an object program deployed, the object program may be run based on the sharded data set.

In another optional embodiment, the running of the target program requires one or more data in the original data set, and the specified condition may be that the fragmented data set deployed by each running device contains all data in the original data set, so as to ensure that any running device can run the target program normally, and there is no condition that a certain running device cannot run the target program due to lack of any data in the original data set. Based on the above embodiment of the symbol table, the specific case may be that the symbol table of each operating device contains variables created from all data in the original data set.

In a specific embodiment, before the target program runs, it needs to determine that consistency is satisfied between variable attribute sets predefined by N running devices, so that the same variable has definition among the N running devices, and a fragment value can be stored. If the tile value for a variable does not exist on any of the running devices, the target program may not run successfully on that running device.

Therefore, in order to ensure that the N running devices can successfully run the target program, each running device has a fragment value of all variables, and the specified condition may be that consistency is satisfied between variable attribute sets predefined by the N running devices respectively. One of the variable attributes may include a variable symbol and a variable data type. Specifically, the method includes that the designated device receives N variable attribute sets predefined by N operating devices respectively, and determines that the variable attributes contained in the N variable attribute sets are the same; or any running device receives N variable attribute sets respectively predefined by other N-1 running devices, and the variable attributes contained in the N variable attribute sets are determined to be the same; or each running device receives N predefined variable attribute sets of other N-1 running devices, and all the variable attribute sets are determined to have the same variable attribute.

In addition, the predefined variable attribute set of the operating device can be obtained according to a predefined symbol table. The symbol table predefined by the operating device may at least include variable symbols, variable data types, and variable value storage addresses corresponding to variables predefined by the operating device; the variable attribute set may include variable symbols in a symbol table and variable data types.

2. And (4) target program.

In the flow of the method, the relationship between the target program and the original data set may have at least the following two embodiments.

The first embodiment is as follows: the target program may be written based on the data in the original data set.

For ease of understanding, a specific example may be given.

For example, the original data set is { X ═ 1, Y ═ 2, and Z ═ 3 }. When writing the target program, the target program may be written based on one or more data in the original data set, specifically, X, Y or Z may be used to write the target program, so that the target program may successfully run according to the used data values (initial values or slice values), and a program running result is obtained. In one specific example, the target program may be written using X and Y, and may specifically be computing (X + Y)²) So that the target program can be successfully operated under the condition of having values of X and Y to obtain a program operation result (1+ 2)²)＝5。

Thus, either running device may run the target program based on the data slice values in the sliced data set (which contains all the data in the original data set).

Example two: the original data set may be created from data required for the target program to run.

For ease of understanding, a specific example may be given.

For example, calculate (X + Y) for written target program²) Where variables X and Y are involved, the target program can be run with only the values of X and Y. Therefore, an original data set can be constructed, wherein X and Y are contained, and assignment is carried out on X and Y in the original data set according to actual requirements.

And for the fragment data set containing all data in the original data set, variables X and Y in the target program can also be assigned and the target program is operated.

Therefore, in the flow of the method, how the target program is specifically written is not limited, as long as the target program can successfully run based on the data values in the original data set, that is, the target program can successfully run based on the fragment values in the fragmented data set.

It is worth emphasizing that the N running devices can run the same target program, and obtain the program running result based on different fragmented data sets.

3. And (4) configuring in advance.

For ease of understanding, the base arithmetic operation may be considered a base arithmetic unit having an input and an output. Based on the specific slicing operation algorithm, the basic operation unit is configured, and specifically, the configured basic operation unit executes the corresponding basic operation in the specific slicing operation algorithm.

For example, the multiplication operation may be regarded as a multiplication operation unit, and based on the specific slicing operation algorithm, any one group of values is input to the multiplication operation unit before the specific slicing operation algorithm is configured, and the operation result obtained by outputting is equal to: and after each group of sliced values of the arbitrary group of values are respectively input into a multiplication unit configured with a specific slicing operation algorithm for respective operation, all output operation results are subjected to inverse slicing processing to obtain processing results.

In the configured multiplication unit, for the two input data subjected to slicing processing, a first step and a second step corresponding to multiplication in the specific slicing operation algorithm may be specifically executed. For other cases, for example, inputting two pieces of data that are not sliced, or inputting one piece of sliced data and one piece of data that are not sliced, the multiplication operation may be specifically directly performed.

While for a specific configuration method, there may be at least the following 2 embodiments.

The first embodiment is as follows: and configuring the operation logic corresponding to the basic operation in the instruction set of the operation equipment.

In the running device, the functions of different basic operations are realized by calling corresponding operation instructions in the system instruction set. Wherein the system instruction set is an instruction set to run an operating system of the device. For example, for multiplication, a multiplication instruction in the system instruction set may be called, and the computing unit of the execution device executes the operation logic corresponding to the multiplication instruction to complete the multiplication.

Thus, the pre-configuration may specifically be to determine, for each basic arithmetic unit, an arithmetic instruction in the system instruction set corresponding to the basic arithmetic unit; and configuring the operation logic corresponding to the determined operation instruction based on the specific slicing operation algorithm in the operation system.

In the specific process of running the object program, for any basic operation unit corresponding to the object program, the instruction set configured by the running device can be called in the compiling process, the operation instruction corresponding to the basic operation unit is determined, and the operation logic corresponding to the basic operation unit in the specific slicing operation algorithm is obtained.

For example, for a multiplication unit corresponding to the target program, when the input is two pieces of data subjected to fragmentation processing, the translation may be performed based on the configured instruction set to obtain a first step and a second step corresponding to the multiplication in the specific fragmentation operation algorithm, so as to obtain an output by performing the first step and the second step using the input.

Example two: and configuring the operation logic corresponding to the basic operation in the computing unit of the operating equipment.

In the running equipment, aiming at each basic operation unit corresponding to the target program, the calculation unit calls the operation logic of the basic operation of the calculation unit to carry out operation. For example, a plurality of multiplication units corresponding to a target program are all operated by calling its own multiplier by the CPU of the execution device.

Therefore, the pre-configuration may specifically be to configure, for the operation logic corresponding to each basic operation in the computing unit of the running device, the operation logic corresponding to each basic operation based on the specific slicing operation algorithm. For example, for a configured compute unit, the multiplication logic therein is configured to: for two input data subjected to fragmentation processing, a first step and a second step corresponding to multiplication in the specific fragmentation operation algorithm can be executed; specifically, the multiplication operation may be directly performed for inputting two pieces of data that are not subjected to the fragmentation processing, or inputting one piece of data that is subjected to the fragmentation processing and one piece of data that is not subjected to the fragmentation processing.

Furthermore, based on the above-described specific slicing operation algorithm, in which non-sliced data and sliced data are distinguished, and the same basic operation may also correspond to different operation logics for different cases. Therefore, in the target program, the non-fragmentation processed data and the fragmentation processed data can be distinguished by the designation identification.

For example, a data type is newly set as a fragment type, and a variable data type may be specified as a fragment type for a variable of the fragment processing. The fragmentation type does not distinguish whether a particular data type is integer, floating point, or other type.

After the target program is deployed to the running device, for the variable of the fragment type, a variable having a variable name that is the same as the variable name of the fragment type in the symbol table may be determined according to a predefined symbol table on the running device, and the variable of the fragment type is re-determined as the variable determined in the symbol table.

For ease of understanding, a specific example is provided below.

In the target program, the slice type may be represented using ashr. A fragment type variable X may be created in the target program.

After the target program is deployed to the running device, a variable with a variable name X (the variable data type may be integer data, and the value may be a fragment value) is determined in the symbol table, and then the variable X of the fragment type may be determined as the variable X determined in the symbol table and the value is the fragment value.

The variable which is not subjected to the fragmentation processing is not of an ashr type, so that the variable does not need to be determined according to the symbol table, and the value is also an initial value, so that the variable which is not subjected to the fragmentation processing can be distinguished from the variable which is subjected to the fragmentation processing.

4. And (5) program operation results.

After the N running devices respectively run the target program based on the fragmented data set and obtain respective program running results, it can be regarded that the target program has been run completely. However, it should be noted that when it is necessary to obtain a program operation result of the target program based on the original data set, it is necessary to obtain program operation results of N operating devices, and then perform inverse fragmentation processing.

Because the N running devices run the same target program, although the running is based on different fragment data sets, for each operation in the target program, the operation results obtained on the N running devices based on the fragment data sets are subjected to inverse fragment processing, and the obtained processing results are all equal to the operation results obtained by a single running device based on the original data sets, so that the N running devices can be integrally regarded as a virtual running device, and the target program can be run based on the original data sets.

For convenience of understanding, fig. 4 is a schematic structural diagram of a virtual execution device provided in this specification. The system comprises 3 running devices, namely a running device 1, a running device 2 and a running device 3.

And (3) carrying out fragmentation processing on the original data set to obtain a fragmentation data set 1, a fragmentation data set 2 and a fragmentation data set 3. The operation device 1 operates the target program based on the fragment data set 1 to obtain a program operation result 1, the operation device 2 operates the target program based on the fragment data set 2 to obtain a program operation result 2, the operation device 3 operates the target program based on the fragment data set 3 to obtain a program operation result 3, and the program operation result 1, the program operation result 2 and the program operation result 3 are subjected to inverse fragment processing to obtain a program operation result obtained by the virtual operation device operating the target program based on the original data set.

Therefore, the execution device 1, the execution device 2, and the execution device 3 that execute the same program can be regarded as one virtual execution device.

And particularly on actual running equipment, each running equipment cannot acquire plaintext data in an original data set required by running a target program, and any sensitive information cannot be leaked.

It can be understood that, in order to protect the security of sensitive information and make devices unable to obtain plaintext data, the above method processes through fragmentation of an original data set, and N running devices run the same target program based on different fragmented data sets, respectively, so that on the premise that the target program normally runs and a correct target program running result can be obtained, each running device actually running the target program cannot obtain any plaintext data in the original data set, and only a fragmentation value can be obtained. The fragment value itself does not have any actual meaning, i.e., does not contain any information (e.g., sensitive information), and the intermediate operation result of the target program obtained based on the fragment value does not have any actual meaning, i.e., does not contain any information.

Since the specific slicing operation algorithm has a slicing value that requires N running devices to exchange random number encryption in the operation logic corresponding to part of basic operations, this specification further provides an optional embodiment based on the above method flow.

Under the condition that N running devices need to exchange fragment values aiming at any variable in a target program, random number encryption can be respectively carried out on the fragment values of the variable which are locally stored.

Therefore, based on the above method flow, in the process that the N running devices respectively run the target program, for each variable in the target program, when the random number encryption is performed on the fragment value of the variable for the first time, a random number may be requested from the random number provider and allocated to the variable; when random number encryption is performed again on the sliced value of the variable, the random number assigned to the variable may be multiplexed; when the random number encryption is performed on the transformation result obtained by mathematically transforming the fragment value of the variable, the random number assigned to the variable may also be multiplexed.

When the random number encryption is performed on the transformation result obtained by mathematically transforming the fragment value of the variable, specifically, the random number allocated to the variable is multiplexed, the same mathematical transformation is performed on the random number, and the transformed random number is used for performing the random number encryption on the transformation result of the fragment value; the random number assigned to the variable may be directly multiplexed to encrypt the random number of the conversion result of the slice value. The mathematical transformation may specifically be: transpose, matrix cut, multiplication by coefficients, etc.

Wherein the random number provider may be a trusted third party providing the random number. Based on the specific fragmentation operation algorithm, the random number provider may specifically generate a group of random numbers, where 3 random numbers meet a specific condition, perform fragmentation processing on the 3 random numbers, and send N fragmentation values of each random number to N running devices one by one, respectively, for encrypting the same variable on the N running devices.

After a random number is requested from a random number provider and assigned to the variable, if the fragment value of the variable needs to be encrypted with the random number at least 1 time in the target program, the random number assigned to the variable may be stored locally. The random number assigned to the variable is multiplexed, and specifically, the locally stored random number assigned to the variable may be multiplexed.

Obviously, in this embodiment, the random number is multiplexed and encrypted in different operation processes by aiming at the same variable or a mathematical transformation result of the same variable, so that data transmission between the operation device and the random number provider can be reduced, and the operation speed of the operation device is increased.

It should be noted that, in an alternative embodiment, since the random number provider generally generates a set of random numbers for two pieces of data subjected to fragmentation processing, when multiplexing specifically, if there are random numbers that can be multiplexed in both pieces of data, the random number corresponding to at least one piece of data can be multiplexed, so that two identical sets of random numbers (each set including 3 random numbers) are avoided being used in different operations, and the risk of breaking the random number encryption is further avoided.

For ease of understanding, an example is provided below.

For the first multiplication between data X and data Y, a set of random numbers (a, b, c) may be generated by the random number provider for (X, Y) that satisfies a + b ═ c. And after the fragment processing is carried out on the a, the b and the c, each running device carries out random number encryption by using the fragment value.

For the second multiplication between data X and data Y, c is multiplexed if a and b are multiplexed, since the random number needs to satisfy a specific condition. In order to avoid that the whole set of random numbers (a, b, c) are all multiplexed, so that the risk of breaking the encryption of the random numbers exists, only a or b can be multiplexed, and other random numbers are regenerated to obtain that (a, d, e) satisfies a + d ═ e; or (f, b, g) satisfies f + b ═ g, and random number encryption is performed.

For the first multiplication between data X and data Z, a set of random numbers may be re-requested; the random number encryption may be performed by multiplexing a among the random numbers, regenerating other random numbers, and obtaining (a, x, y) that satisfies a + x ═ y.

For the first multiplication between data Y and data Z, a set of random numbers may be requested again; b or x in the random numbers can be multiplexed; it is also possible to multiplex b and x in the random numbers to obtain z ═ b + x, and since z was not used in the previous operation, it is avoided that two identical sets of random numbers are used in different operations.

In addition, based on the above method flow, this specification further provides another optional embodiment, where each running device may share to execute the target program based on at least two threads, so that the program execution efficiency of the running device may be improved.

At least two threads on each running device may be specifically multiple threads obtained by splitting threads. And the overhead of the split thread is small and can be ignored.

The shared execution of the target program may specifically be shared execution of different tasks in the target program, such as an interaction task, an operation task, and the like.

For convenience of understanding, based on the above specific slicing operation algorithm, when the N running devices run the target program, slicing values may need to be interacted, which may be regarded as an interaction task; operations based on the slice values may be required, and may be regarded as operation tasks.

For the interaction task, under the condition that N running devices need to interact fragment values aiming at any variable in the target program, random number encryption is respectively carried out on the fragment values of the variable which are locally stored; the target program may contain at least two interaction tasks for interacting the encrypted fragment values; at least two threads of each running device may share different interaction tasks of the target program.

Wherein each of the at least two threads of each runtime device may be specified by the target program. Because the target programs run by the N running devices are the same, the thread identifiers sharing the same interaction task are also the same for different running devices.

For ease of understanding, an example is given below.

In the target program, there is an interactive task of interactively encrypting the fragment value for the multiplication operation between the data X and the data Y. Based on the target program, the running device creates a thread to share the interaction task and specifies the thread identification as root 1. Then on each of the N running devices there is a thread identified as root1 and the interaction task is shared.

Similarly, for the multiplication operation between the data Y and the data Z, the N running devices also create the thread 2 based on the target program to share the interaction task.

That is, the same identification thread designated by the target program among different running devices shares the same interaction task in the target program.

In addition, for different interaction tasks, the N running devices may interact with each other using the same channel, which also requires distinguishing for the interaction tasks.

Therefore, during specific interaction, specific data can be specifically interacted among the N running devices; the specifying data may include a variable fragment value to be interacted with (i.e., a fragment value encrypted by a random number) and a thread identification that sent the variable fragment value, so as to determine that a thread identified the same in other running devices receives the variable fragment value.

The thread identification carried in the designated data is used for distinguishing threads which share the same interaction task in other equipment.

For example, between N running devices, specified data containing a root1 identification and specified data containing a root2 identification may be interacted with. After receiving the specified data, the running device may determine, according to the thread identifier included in the specified data, the thread corresponding to the specified data being received and processed (i.e., identify the same thread). Specifically, after receiving the specified data including the root2 identifier, the running device receives and processes the specified data by the thread identified as the root2 on the running device.

Because the threads with the same identification appointed by the target program between different running devices share the same interaction task in the target program, before the appointed data is sent, the thread identification needing communication does not need to be interacted between the different running devices in advance, but the identification of the thread per se can be directly used as the thread identification received in other running devices, and thus, the network overhead is reduced.

In addition, since the N running devices use the same channel and the same thread may share multiple interaction tasks, in order to further distinguish different interaction tasks in the same thread, the specific designated data may additionally carry a sequence identifier.

For example, the specified data may carry sequence identifier 3 in addition to thread identifier root1, which represents the 3 rd interactive task on thread root 1. After receiving the specified data, the other operating devices can determine the threads sharing the same interaction task according to the thread identifiers, and further determine the 3 rd interaction task on the threads, so that the variable fragment value in the specified data can be used for the 3 rd interaction task to complete the operation.

In this embodiment, the thread sharing the same interaction task between different running devices (i.e., the thread needing to communicate in other running devices) can be directly determined without interacting the two thread identifiers needing to communicate between different running devices in advance, thereby reducing the overhead of network communication and improving the program running speed of the running devices.

To facilitate further understanding, an application example is provided below.

Under a more specific model training scenario, there is a need for a plurality of data holders to train a model together to improve the training effect, and the plurality of data holders need to synthesize respective sample data to train the model together. Specifically, different data holders may store sample data of different users, or different data holders may store different sample feature data of the same user. In order to protect information security, each data holder does not want user sample data (carrying sensitive information) stored by the data holder to go out of a domain, and does not want equipment running a model training program to be capable of acquiring the user sample data in a plaintext.

Based on the above method flow, the present embodiment can be implemented by the following steps. Fig. 5 is a schematic flow chart of a method for operating a model training program according to the present disclosure.

For convenience of description, the number of data holders participating in model training is determined as N, and the target program required to be run is the model training program. Each data holder provides one running device, and a user sample set of the data holder is stored and coexists in N running device running model training programs. And the raw data set of operations required for the model training program to run successfully may include all user samples for N data holders.

S201: the N running devices respectively perform fragmentation processing on the locally stored user samples, and mutually interact fragmentation processing results, so that each running device can obtain a fragmentation value of each feature of each user sample in the original data set, namely the fragmentation data set.

For ease of understanding, examples of two cases are provided below.

Example one: different data holders store sample data of different users. For example, the operating device 1 stores sample data of the user 1, including the feature X ═ a; the operating device 2 stores sample data of the user 2, including the feature X ═ b.

The two running devices perform slicing processing on each feature of each sample data, and the running device 1 obtains a1 and a2, and the running device 2 obtains b1 and b 2. Through interaction with each other, the running device 1 has a sharded data set { X ═ a1 (user 1), X ═ b1 (user 2) }, and the running device 2 has a sharded data set { X ═ a2, X ═ b2 }.

Example two: different data holders store different sample characteristic data of the same user. For example, the operating device 1 stores sample data of the user 1, including the feature X ═ a; the operating device 2 stores sample data of the user 1, including the feature Y ═ b.

The two running devices perform slicing processing on each feature of each sample data, and the running device 1 obtains a1 and a2, and the running device 2 obtains b1 and b 2. Through interaction with each other, the runtime device 1 has a sharded data set { X ═ a1, Y ═ b1}, and the runtime device 2 has a sharded data set { X ═ a2, Y ═ b2 }.

Obviously, for the scenario of horizontal federal learning or vertical federal learning, each running device can obtain the shard value of each feature of each user sample in the raw data set through the sharding process.

S202: each running device runs a model training program based on the sliced data set. Based on the pre-configuration, after the program operation results based on the fragmented data set of the multiple operation devices are subjected to inverse fragmentation processing, the obtained inverse fragmentation processing result is equal to the program operation result based on the original data set.

The model training program may involve operations such as derivation, summation, calculation loss, parameter updating and the like, and based on the analysis, the operations may be split into a plurality of basic operation operations, so that an effect that "a plurality of program operation results based on a fragment data set of a plurality of devices are subjected to inverse fragment processing, and an obtained inverse fragment processing result is equal to a program operation result based on an original data set" can be achieved based on the specific fragment operation algorithm.

In the fragmented data set, although all samples (all data) in the original data set are included, each feature value in each sample is a fragment value and does not have any meaning. As a result, the running device also cannot obtain sensitive information (e.g., user privacy information) contained in the user sample.

S203: the appointed equipment collects the model training program operation results of the N operation equipment, carries out inverse fragmentation processing on the N model training program operation results, and takes the obtained processing result as the operation result of the model training program based on the original data set.

The specified device may be any one of the N operating devices, or any device other than the N operating devices. The obtained inverse fragmentation processing result is the result obtained by performing model training based on the original data set (all user samples of N data holders).

Each of the N running devices cannot acquire plaintext feature data of any user sample in the original data set, and only can acquire a feature data fragmentation value which has no actual meaning and does not contain any information (for example, sensitive information), and an intermediate result obtained based on the fragmentation value also has no actual meaning, so that data security and sensitive information security of the original data set (a user sample of each data holder) are protected.

The present specification also provides a system embodiment.

Fig. 6 is a schematic structural diagram of a program execution system provided in this specification, where the program execution system includes N execution devices, which are execution device 1, execution device 2, execution device 3, and execution device N.

In the program running system, the value of each data in the original data set can be subjected to fragmentation processing in advance to obtain N fragmentation values of each data; the raw data set may include data for assigning values to variables in the program.

N fragmented data sets can be predetermined; determining each sharded data set may include: carrying out reassignment on each data in the original data set by adopting a fragment value of the data; the values of the same data in the N sliced data sets correspond to the N sliced values of the same data one to one.

In addition, the configuration is made in advance, so that for each basic operation unit corresponding to the target program, the operation result obtained by inputting any one group of values into the basic operation unit for operation is equal to: and after each group of the sliced values of any group of values are respectively input into the basic operation unit to be respectively operated, all the obtained operation results are subjected to inverse slicing processing to obtain processing results.

And each execution device in the program execution system may be configured to: and running the target program based on the sharded data set under the specified condition.

The functions of different basic operation units are realized by calling different operation instructions in a system instruction set; the system instruction set is an instruction set for operating an operating system of the equipment; the pre-configuration may specifically include: for each basic operation unit, determining an operation instruction corresponding to the basic operation unit in the system instruction set; in the operating system, arithmetic logic corresponding to the determined arithmetic instruction is configured.

And the N running devices respectively run the target program based on different fragment data sets.

The specified circumstances may include: consistency is satisfied among the variable attribute sets respectively predefined by the N operating devices; a variable attribute includes a variable symbol and a variable data type.

Under the condition that N running devices need to interact fragment values aiming at any variable in a target program, each running device can also be used for carrying out random number encryption on the fragment values of the variable stored locally; in the process that the N running devices respectively run the target program, each running device is used for: for each variable in the target program, when the fragment value of the variable is encrypted by a random number for the first time, a random number is requested from a random number provider and is distributed to the variable; when the slice value of the variable is again subjected to random number encryption, the random number assigned to the variable is multiplexed.

Each operational device may also be configured to: and multiplexing the random numbers distributed to the variables when random number encryption is carried out on a transformation result obtained by carrying out mathematical transformation on the fragment values of the variables.

Each operating device may also be configured to: after a random number is requested from a random number provider and allocated to the variable, if the fragment value of the variable needs to be encrypted for at least 1 time in the target program, the random number allocated to the variable is stored locally. When the fragment value of the variable is again subjected to random number encryption, the locally stored random number assigned to the variable is multiplexed.

Under the condition that N operating devices need to interact fragment values aiming at any variable in a target program, each operating device can also be used for respectively carrying out random number encryption on the fragment values of the variable which are locally stored; the target program can comprise at least two interaction tasks for interacting the encrypted fragment values; at least two threads of each running device share different interaction tasks of the target program.

Wherein each thread identification of the at least two threads of each running device is specified by the target program; the threads with the same identification appointed by the target program among different running devices share the same interaction task in the target program; different interaction tasks can use the same channel to interact with the specified data; the designated data may include a variable fragment value to be interacted with and a thread identifier for sending the variable fragment value, so as to determine that a thread with the same identifier in other running devices receives the variable fragment value.

The data in the original data set can be stored on the N running devices in a distributed mode; the N operating devices may be specifically configured to: and respectively carrying out fragmentation processing on the locally stored data values and mutually interacting the processing results, so that each running device obtains one fragmentation value of each data in the original data set.

The program execution system may further include a target device; the data in the original data set may be stored on the target device; the target device may be configured to: and respectively sending the N sliced data sets to N running devices.

The raw data set may also include data for assigning values to constants in the program.

The program execution system may further include a specified device; the specified device may be for: receiving N variable attribute sets respectively predefined by N running devices, and determining that the variable attributes contained in the N variable attribute sets are the same.

The operating device may be further specifically configured to: receiving N variable attribute sets respectively predefined by other N-1 running devices, and determining that the variable attributes contained in the N variable attribute sets are the same.

The symbol table predefined by the operating device may at least include variable symbols, variable data types, and variable value storage addresses corresponding to variables predefined by the operating device; the variable attribute set may include variable symbols in a symbol table and variable data types.

The above-described method flow can be referred to for explanation of the system embodiments.

The foregoing is only a detailed description of the embodiments of the present disclosure, and it should be noted that, for those skilled in the art, many modifications and decorations can be made without departing from the principle of the embodiments of the present disclosure, and these modifications and decorations should also be regarded as protection for the embodiments of the present disclosure.

Claims

1. A program execution method, comprising:

carrying out fragmentation processing on the value of each data in the original data set to obtain N fragmentation values of each data; the original data set comprises data used for assigning values to variables in a program;

through the pre-configuration, aiming at each basic operation unit corresponding to the target program, inputting any group of values into the basic operation unit before configuration to obtain an operation result, wherein the operation result is equal to: and after each group of slicing values of any group of values are respectively input into the configured basic operation unit to be respectively operated, all the obtained operation results are subjected to inverse slicing processing to obtain processing results.

2. The method of claim 1, wherein data in the raw data set is stored in a distributed manner on the N running devices;

the slicing processing of the value of each data in the original data set to obtain N sliced values of each data includes:

and the N operating devices respectively perform fragmentation processing on the locally stored data values and interact processing results with each other, so that each operating device obtains one fragmentation value of each data in the original data set.

3. The method of claim 1, wherein data in the raw data set is stored on a target device;

the method further comprises the following steps:

and the target equipment respectively sends the N fragmented data sets to the N running equipment.

4. The method of claim 1, wherein the raw data set further comprises data for assigning values to constants in a program.

5. The method of claim 1, wherein each running device shares execution of the target program based on at least two threads.

6. The method of claim 5, further comprising:

respectively encrypting random numbers of the locally stored fragment values of the variables under the condition that the N running devices need to exchange the fragment values aiming at any variable in the target program; the target program comprises at least two interaction tasks for interacting the encrypted fragment values; at least two threads of each running device share different interaction tasks of the target program;

wherein each thread identification of the at least two threads of each running device is specified by the target program; the threads with the same identification appointed by the target program among different running devices share the same interaction task in the target program; the different interaction tasks use the same channel to interact specified data; the specified data comprises a variable fragment value to be interacted and a thread identifier for sending the variable fragment value, so that the thread with the same identifier in other running equipment is determined to receive the variable fragment value.

7. The method of claim 1, wherein the determining that consistency is satisfied between N sets of variable attributes respectively predefined by N running devices comprises:

the method comprises the steps that appointed equipment receives N variable attribute sets predefined by N running equipment respectively, and the variable attributes contained in the N variable attribute sets are determined to be the same;

or

Any operating device receives N variable attribute sets respectively predefined by other N-1 operating devices, and the variable attributes contained in the N variable attribute sets are determined to be the same.

8. The method according to claim 7, wherein the symbol table predefined by the operating device at least includes a variable symbol, a variable data type and a variable value storage address corresponding to a variable predefined by the operating device; the variable attribute set comprises variable symbols and variable data types in the symbol table.

9. A program running system carries out fragmentation processing on the value of each data in an original data set in advance to obtain N fragmentation values of each data; the original data set comprises data used for assigning values to variables in the program; determining N fragmented data sets; determining each sharded data set, including: carrying out reassignment on each data in the original data set by adopting a fragment value of the data; the values of the same data in the N fragmented data sets correspond to the N fragmented values of the same data one by one;

the system comprises N operating devices, each operating device being configured to: running the same target program based on the fragmented data set under a specified condition, wherein the specified condition comprises the following steps: consistency is satisfied among the variable attribute sets respectively predefined by the N operating devices; a variable attribute comprises a variable symbol and a variable data type; the threads with the same identification appointed by the target program among different running devices share the same interaction task in the target program; the interaction task is used for interacting the encrypted fragment values of the same data by the thread with the same identifier in other running equipment;

the N running devices respectively run the target program based on different fragment data sets; through pre-configuration, aiming at each basic operation unit corresponding to the target program, inputting any group of values into an operation result obtained by operation of the basic operation unit before configuration, wherein the operation result is equal to: and after each group of fragment values of the arbitrary group of values are respectively input into the configured basic operation unit to be respectively operated, all obtained operation results are subjected to inverse fragment processing to obtain processing results.

10. The system of claim 9, wherein data in the raw data set is stored in a distributed manner on the N running devices;

the N pieces of operating equipment are used for: and respectively carrying out fragmentation processing on the locally stored data values and mutually interacting the processing results, so that each running device obtains one fragmentation value of each data in the original data set.