CN115967491A - Privacy intersection method, system and readable storage medium - Google Patents


Publication number: CN115967491A
Authority: CN (China)
Legal status: Granted (Active)
Application number: CN202310236753.1A
Other languages: Chinese (zh)
Other versions: CN115967491B (en)
Inventors: 黄熹之, 李艺
Current Assignee: Huakong Tsingjiao Information Technology Beijing Co Ltd
Original Assignee: Huakong Tsingjiao Information Technology Beijing Co Ltd


Abstract

The embodiment of the invention provides a privacy intersection method, a privacy intersection system and a readable storage medium. The method comprises the following steps: a first party executes a first hash operation on a first data set to obtain a first hash table; a second party executes a second hash operation on a second data set to obtain a second hash table; the first party and the second party execute an out-of-order secret sharing protocol; the second party shuffles the second hash table using the first out-of-order sequence, and subtracts the data at the corresponding position in the first sharing sequence from each piece of data in the shuffled second hash table to obtain an updated second hash table; the first party and the second party execute an OPRF protocol; the first party compares the first OPRF result with the second OPRF result to obtain a first target set; and the first party, based on the first target set, and the second party, based on the first sharing sequence, obtain a secret sharing result of the intersection data of the first data set and the second data set. The embodiment of the invention can protect data privacy in privacy intersection.

Description

Privacy intersection method, system and readable storage medium
Technical Field
The invention relates to the field of multi-party secure computing, in particular to a privacy intersection method, a privacy intersection system and a readable storage medium.
Background
PSI (Private Set Intersection) in a two-party scenario refers to computing the intersection of the data sets of two parties under privacy protection. PSI is an important application scenario that has emerged in recent years in the field of multi-party secure computing in cryptography, and it plays an important role in the circulation of sensitive private data in fields such as finance, government affairs and industry. A participant in a privacy computation can preprocess its own private data through PSI, so that the two parties can screen out the valuable shared data for subsequent computation.
For example, a bank and a hospital want to screen out the financial and medical data of the users they have in common for subsequent machine learning model training. Both parties run a PSI operation on their own user identification data and can screen out the user identification data they have in common without revealing the private data of their other users, so that the financial and medical data corresponding to the common user identification data can be used for subsequent privacy computation.
However, with current PSI methods, participants can obtain the intersection data in the clear, which exposes private data of the participants.
Disclosure of Invention
The embodiment of the invention provides a privacy intersection method, a privacy intersection system and a readable storage medium, wherein a secret sharing result of intersection data is obtained by two parties participating in privacy intersection, so that the data privacy security of the parties can be protected.
In order to solve the above problem, an embodiment of the present invention discloses a privacy intersection method for performing privacy intersection on a first data set of a first party and a second data set of a second party, where the method includes:
the first party executes a first hash operation on the first data set to obtain a first hash table; the second party executes a second hash operation on the second data set to obtain a second hash table;
the first party executes, with the second party, an out-of-order secret sharing protocol based on the first hash table, so that the first party obtains an updated first hash table and the second party obtains a first sharing sequence; the updated first hash table and the first sharing sequence form an out-of-order secret sharing result of the first hash table after it has been shuffled by a first out-of-order sequence, wherein the first out-of-order sequence is owned by the second party;
the second party shuffles the second hash table using the first out-of-order sequence, and subtracts the data at the corresponding position in the first sharing sequence from each piece of data in the shuffled second hash table to obtain an updated second hash table;
the first party and the second party execute an oblivious pseudorandom function (OPRF) protocol, so that the first party obtains a first OPRF result corresponding to each piece of data in the updated first hash table, and the second party obtains a second OPRF result corresponding to each piece of data in the updated second hash table;
the second party sends the second OPRF result to the first party; the first party compares the first OPRF result with the second OPRF result and obtains a first target set according to the comparison result, where the first target set comprises the data in the updated first hash table at the positions where the first OPRF result is equal to the second OPRF result;
the first party, based on the first target set, and the second party, based on the first sharing sequence, obtain a secret sharing result of the intersection data of the first data set and the second data set.
In another aspect, an embodiment of the present invention discloses a privacy intersection system, configured to perform privacy intersection on a first data set of a first party and a second data set of a second party, where the system includes the first party and the second party, where:
the first party is configured to perform a first hash operation on the first data set to obtain a first hash table, and to execute, with the second party, an out-of-order secret sharing protocol based on the first hash table, so that the first party obtains an updated first hash table and the second party obtains a first sharing sequence; the updated first hash table and the first sharing sequence form an out-of-order secret sharing result of the first hash table after it has been shuffled by a first out-of-order sequence, wherein the first out-of-order sequence is owned by the second party;
the second party is configured to execute a second hash operation on the second data set to obtain a second hash table, to shuffle the second hash table using the first out-of-order sequence, and to subtract the data at the corresponding position in the first sharing sequence from each piece of data in the shuffled second hash table to obtain an updated second hash table;
the first party is further configured to execute an oblivious pseudorandom function (OPRF) protocol with the second party, so that the first party obtains a first OPRF result corresponding to each piece of data in the updated first hash table, and the second party obtains a second OPRF result corresponding to each piece of data in the updated second hash table;
the second party is further configured to send the second OPRF result to the first party;
the first party is further configured to compare the first OPRF result with the second OPRF result, and to obtain a first target set according to the comparison result, where the first target set includes the data in the updated first hash table at the positions where the first OPRF result is equal to the second OPRF result;
the first party is further configured to obtain, together with the second party and based on the first sharing sequence, a secret sharing result of the intersection data of the first data set and the second data set.
Optionally, the first hash operation includes a cuckoo hash operation, the second hash operation includes a simple hash operation, the first hash operation and the second hash operation use the same hash function, and the lengths of the first hash table and the second hash table are equal.
In yet another aspect, an embodiment of the present invention discloses an apparatus for privacy intersection, comprising a memory and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by one or more processors, and the one or more programs comprise instructions for performing one or more of the privacy intersection methods described in the foregoing.
In yet another aspect, embodiments of the invention disclose a machine-readable storage medium having instructions stored thereon which, when executed by one or more processors of an apparatus, cause the apparatus to perform a privacy intersection method as described in one or more of the preceding.
The embodiment of the invention has the following advantages:
The embodiment of the invention realizes a privacy intersection method that outputs the intersection result in secret-shared form, using technologies such as hashing, Shuffle-SS (the out-of-order secret sharing protocol) and OPRF (Oblivious Pseudorandom Function), so that the two parties participating in privacy intersection (such as a first party and a second party) obtain the secret sharing result of the intersection data of their data sets. The first party and the second party each obtain one half of the secret sharing result; neither participant can obtain the specific information of the intersection data, and only the number of intersection data items can be known, so the privacy of the intersection data is protected. Further, since the first party and the second party obtain the secret sharing result of the intersection data, they can directly perform, based on the secret sharing protocol, any multi-party secure computation that takes the intersection data as input, using the shares of the intersection data that each of them holds. For example, machine learning training can be performed using the secret sharing result of the intersection data, which improves the efficiency of subsequent multi-party secure computation without exposing the plaintext of any intersection data item.
Drawings
In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings in the following description show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without inventive labor.
FIG. 1 is a flow diagram of the steps of one embodiment of a privacy intersection method of the present invention;
FIG. 2 is a diagram illustrating the result of the first execution of an out-of-order secret sharing protocol by a first party and a second party in an example of the present invention;
FIG. 3 is a schematic of a first OPRF result and a second OPRF result in one example of the invention;
FIG. 4 is a diagram illustrating the result of the second execution of an out-of-order secret sharing protocol by a first party and a second party in an example of the present invention;
FIG. 5 is a block diagram of an embodiment of a privacy intersection system of the present invention;
FIG. 6 is a block diagram of an apparatus 800 for privacy intersection of the present invention;
FIG. 7 is a schematic diagram of a server in some embodiments of the invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without inventive step based on the embodiments of the present invention, are within the scope of protection of the present invention.
The terms "first", "second" and the like in the description and in the claims are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances, such that embodiments of the invention may be practiced in orders other than those illustrated or described herein, and that the objects identified as "first", "second", etc. are generally a class of objects and do not limit the number of objects; e.g., a first object may be one or more. Furthermore, the term "and/or" in the specification and claims describes an association relationship between associated objects and means that three relationships may exist; e.g., "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone. The character "/" generally indicates that the associated objects before and after it are in an "or" relationship. The term "plurality" in the embodiments of the present invention means two or more, and other quantifiers are similar.
Referring to FIG. 1, a flowchart illustrating the steps of an embodiment of a privacy intersection method of the present invention is shown. The method may be used for performing privacy intersection on a first data set of a first party and a second data set of a second party, and may include the following steps:
step 101, the first party executes a first hash operation on the first data set to obtain a first hash table; the second party executes a second hash operation on the second data set to obtain a second hash table;
step 102, the first party executes, with the second party, an out-of-order secret sharing protocol based on the first hash table, so that the first party obtains an updated first hash table and the second party obtains a first sharing sequence; the updated first hash table and the first sharing sequence form an out-of-order secret sharing result of the first hash table after it has been shuffled by a first out-of-order sequence, wherein the first out-of-order sequence is owned by the second party;
step 103, the second party shuffles the second hash table using the first out-of-order sequence, and subtracts the data at the corresponding position in the first sharing sequence from each piece of data in the shuffled second hash table to obtain an updated second hash table;
step 104, the first party and the second party execute an oblivious pseudorandom function (OPRF) protocol, so that the first party obtains a first OPRF result corresponding to each piece of data in the updated first hash table, and the second party obtains a second OPRF result corresponding to each piece of data in the updated second hash table;
step 105, the second party sends the second OPRF result to the first party; the first party compares the first OPRF result with the second OPRF result and obtains a first target set according to the comparison result, where the first target set includes the data in the updated first hash table at the positions where the first OPRF result is equal to the second OPRF result;
step 106, the first party, based on the first target set, and the second party, based on the first sharing sequence, obtain a secret sharing result of the intersection data of the first data set and the second data set.
The privacy intersection method provided by the embodiment of the invention can be applied to scenarios in which privacy intersection is performed on the data sets of two parties in multi-party secure computing (MPC). Multi-party secure computing is a cryptographic technology in which the parties participating in a computation execute a multi-party secure computing algorithm to jointly compute, on the input data each of them holds, a result without revealing their input data to the other parties.
In this embodiment of the present invention, the first party and the second party are the participants in privacy intersection. The first party and the second party may be data providers for multi-party secure computing, and they may also be participants in multi-party secure computing. In a specific implementation, the first party and the second party may be peers, and their roles may be interchanged. In the embodiment of the present invention, the first party is also referred to as the client side, and the second party is referred to as the server side.
The embodiment of the invention uses a multi-party secure computing framework based on secret sharing, so that the intersection result obtained by the two parties (such as a first party and a second party) executing the PSI protocol is in secret-shared form. Secret sharing is a cryptographic technology for splitting and storing a secret: the secret is split in a suitable manner, each share is managed by a different party, no single party can recover the secret, and the secret can be recovered only when several parties cooperate. That is, the first party and the second party finally obtain the secret sharing result of the intersection data; neither of them can obtain the plaintext of the intersection data, and only the number of intersection data items can be known. Furthermore, since the first party and the second party obtain the secret sharing result of the intersection data, they can perform, based on the secret sharing protocol, any multi-party secure computation that takes the intersection data as input, using the shares each of them holds, without exposing the plaintext of any intersection data item.
It should be noted that secret sharing in the embodiment of the present invention refers to additive secret sharing, and a secret sharing result refers to an additive secret sharing result. For example, if a first party obtains r1, a second party obtains r2, and r1 + r2 = x, then with respect to data x, r1 held by the first party and r2 held by the second party are said to constitute an additive secret sharing result of data x. Only if r1 and r2 are both obtained can x be recovered.
The privacy intersection method provided by the embodiment of the invention constructs a privacy intersection protocol whose output intersection result is in secret-shared form; this protocol is called the RS-PSI (Result-Shared PSI) protocol. The embodiment of the invention realizes RS-PSI using hashing, Shuffle-SS, OPRF and other technologies, so that the two participants in privacy intersection obtain the secret sharing result of the intersection data of their data sets.
Specifically, first, a first party performs a first hash operation on a first data set owned by the first party to obtain a first hash table; and the second party executes a second hash operation on the second data set owned by the second party to obtain a second hash table.
In an optional embodiment of the present invention, the first hash operation may include a cuckoo hash operation, the second hash operation may include a simple hash operation, the first hash operation and the second hash operation use the same hash functions, and the first hash table and the second hash table have the same length.
The embodiment of the invention does not limit the number of cuckoo hash functions. Optionally, the number of cuckoo hash functions may be 3, which means that at most 3 hash positions are available for each piece of data when the cuckoo hash operation is executed. In an embodiment of the present invention, the first hash operation and the second hash operation use the same hash functions; for example, the first party performs the cuckoo hash operation and the second party performs the simple hash operation, both using the same 3 hash functions, so that the lengths of the first hash table and the second hash table are equal. Each piece of data in the first data set of the first party is mapped to one hash position in the first hash table: each piece of data can be stored only at one of the 3 hash positions computed with the 3 hash functions, and each hash position in the first hash table holds at most 1 piece of data. The second hash table of the second party does not need to specify a maximum capacity for each hash position; that is, the second party evaluates each of the 3 hash functions (the same ones used by the first party) once on each piece of data in the second data set and places the data at the 3 resulting hash positions. In other words, each piece of data in the second data set of the second party is mapped to 3 positions in the second hash table, and the data at each position are stacked in sequence. It should be noted that 3 hash functions are used here only as an example, and the embodiment of the present invention does not limit the number of hash functions.
In one example, assume that the first data set owned by the first party includes the following data: x1, x2, x3, x4, x5; and the second data set owned by the second party includes the following data: x2, x3, x4, x5, x6. Table 1 shows an example of the first hash table, and Table 2 shows an example of the second hash table.
TABLE 1
[Figure SMS_1: image of the first hash table, not reproduced]
TABLE 2
[Figure SMS_2: image of the second hash table, not reproduced]
In a specific implementation, the lengths of the first hash table and the second hash table may be determined according to the data amount of the first data set of the first party. The length of the first hash table should be such that all data of the first data set can be placed in it. Further, the lengths of the first hash table and the second hash table may be chosen to be 1.3 times or 1.4 times the data amount of the first data set. In this example, the length of the first hash table and the second hash table is chosen to be 8.
As shown in Table 1, the first data set owned by the first party includes the following data: x1, x2, x3, x4, x5. The length of the first hash table is 8. After the first party performs the cuckoo hash operation on the first data set, data x1 is stored at the 4th position in the first hash table, data x2 at the 2nd position, data x3 at the 6th position, data x4 at the 3rd position, and data x5 at the 8th position.
Further, the method may further include: if the length of the first hash table is greater than that of the first data set, the first party fills the free positions in the first hash table with random numbers. As shown in Table 1, the free positions 1, 5 and 7 in the first hash table are each filled with a random number, denoted random.
As shown in Table 2, the second data set owned by the second party includes the following data: x2, x3, x4, x5, x6. The length of the second hash table is 8. After the second party performs the simple hash operation on the second data set, data x2 is stored at positions 2, 3 and 7 in the second hash table, data x3 at positions 4, 6 and 8, data x4 at positions 1, 3 and 5, data x5 at positions 1, 6 and 8, and data x6 at positions 2, 3 and 5. It should be noted that Table 2 is shown in three columns only for ease of illustration.
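The hashing step described above can be sketched as follows. This is an added example, not code from the patent: the SHA-256-based hash functions, the random-walk eviction strategy and all function names are assumptions, so the positions it produces differ from those in Tables 1 and 2. It shows the property the later steps rely on: an item held by both parties always appears in the second party's bin at the position where the first party's cuckoo table stores it.

```python
import hashlib
import random
import secrets

NUM_HASHES = 3  # the page's optional choice of 3 shared hash functions


def bin_index(item, k, table_len):
    """k-th shared hash function (assumption: SHA-256 over 'k|item')."""
    digest = hashlib.sha256(f"{k}|{item}".encode()).digest()
    return int.from_bytes(digest[:8], "big") % table_len


def cuckoo_table(items, table_len, max_kicks=500, seed=0):
    """First party: every item occupies exactly one of its 3 candidate
    positions, and every position holds at most one item."""
    rng = random.Random(seed)
    table = [None] * table_len
    for item in items:
        cur = item
        for _ in range(max_kicks):
            positions = [bin_index(cur, k, table_len) for k in range(NUM_HASHES)]
            free = [p for p in positions if table[p] is None]
            if free:
                table[free[0]] = cur
                break
            # All candidates are taken: evict one occupant and re-insert it.
            victim = rng.choice(positions)
            table[victim], cur = cur, table[victim]
        else:
            raise RuntimeError("cuckoo insertion failed; enlarge the table")
    return table


def pad_free(table):
    """Fill free positions with random dummies, as the first party does."""
    return [slot if slot is not None else "random:" + secrets.token_hex(8)
            for slot in table]


def simple_table(items, table_len):
    """Second party: every item is stacked at all of its candidate positions;
    bins have no capacity limit."""
    table = [[] for _ in range(table_len)]
    for item in items:
        for p in sorted({bin_index(item, k, table_len) for k in range(NUM_HASHES)}):
            table[p].append(item)
    return table


def aligned_items(first, second):
    """Items of the first table found in the second table's bin at the same
    position. In the protocol this comparison is done on OPRF outputs of
    masked values, never on plaintext as it is here."""
    return {x for x, bin_ in zip(first, second) if x in bin_}


def run_page_example():
    set_a = ["x1", "x2", "x3", "x4", "x5"]   # first data set from the page
    set_b = ["x2", "x3", "x4", "x5", "x6"]   # second data set from the page
    first = pad_free(cuckoo_table(set_a, 8))
    second = simple_table(set_b, 8)
    return first, second, aligned_items(first, second)


if __name__ == "__main__":
    first, second, common = run_page_example()
    for pos, (slot, bin_) in enumerate(zip(first, second), start=1):
        print(pos, slot, bin_)
    print("aligned:", sorted(common))
```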
Next, the first party executes, with the second party, an out-of-order secret sharing protocol based on the first hash table, so that the first party obtains the updated first hash table and the second party obtains the first sharing sequence. The updated first hash table and the first sharing sequence form an out-of-order secret sharing result of the first hash table after it has been shuffled by the first out-of-order sequence, and the first out-of-order sequence is owned by the second party.
Out-of-order secret sharing refers to the following: A holds a sequence of m pieces of data $(x_1, x_2, \ldots, x_m)$. A and B execute an out-of-order secret sharing protocol, after which B obtains an out-of-order sequence $\pi$ of $1, \ldots, m$ and a random number sequence $(r_1, r_2, \ldots, r_m)$, and A obtains a random number sequence $(x_{\pi(1)} - r_1, x_{\pi(2)} - r_2, \ldots, x_{\pi(m)} - r_m)$. That is, A and B respectively hold the additive secret sharing result of the data sequence $(x_{\pi(1)}, x_{\pi(2)}, \ldots, x_{\pi(m)})$, i.e. the additive secret sharing result of the data sequence $(x_1, x_2, \ldots, x_m)$ after it has been put out of order by $\pi$. The security requirement is that A cannot learn any information about the out-of-order sequence $\pi$ or the random number sequence $(r_1, r_2, \ldots, r_m)$, and B cannot learn any information about A's data sequence $(x_1, x_2, \ldots, x_m)$.
The embodiment of the invention does not limit the implementation of the out-of-order secret sharing protocol. In an optional embodiment of the present invention, the out-of-order secret sharing protocol may be implemented based on an additively homomorphic encryption algorithm, or it may be implemented based on an oblivious transfer protocol.
In an optional embodiment of the present invention, the performing, by the first party, an out-of-order secret sharing protocol with the second party based on the first hash table may include:
step S11, the first party generates a private key and a public key for homomorphic encryption, encrypts the first hash table using the public key, and sends the encrypted first hash table and the public key to the second party;
step S12, the second party generates a first out-of-order sequence and a local random number sequence, and shuffles the local random number sequence using the first out-of-order sequence to obtain a first sharing sequence;
step S13, the second party uses the public key to perform a homomorphic operation on each piece of data in the encrypted first hash table and the data at the corresponding position in the local random number sequence to obtain an intermediate sequence;
step S14, the second party shuffles the intermediate sequence using the first out-of-order sequence to obtain a target out-of-order result;
step S15, the second party sends the target out-of-order result to the first party;
step S16, the first party decrypts the target out-of-order result using the public key and the private key to obtain an updated first hash table.
The embodiment of the invention can realize the out-of-order secret sharing protocol based on an additively homomorphic encryption algorithm.
In the above example, the first hash table is represented as [random, x2, x4, x1, random, x3, random, x5]. The first party generates a private key and a public key for homomorphic encryption, encrypts the data in the first hash table using the public key, and sends the encrypted first hash table and the public key to the second party.
The second party generates a first out-of-order sequence and a local random number sequence, whose lengths are equal to the lengths of the first hash table and the second hash table. Assume that the first out-of-order sequence is [2,5,7,3,8,4,1,6] and the local random number sequence is [r1, r2, r3, r4, r5, r6, r7, r8]. The second party shuffles the local random number sequence using the first out-of-order sequence to obtain the first sharing sequence, which is [r2, r5, r7, r3, r8, r4, r1, r6].
The second party uses the received public key to perform a homomorphic operation on each piece of data in the encrypted first hash table and the data at the corresponding position in the local random number sequence to obtain an intermediate sequence. The homomorphic operation may include homomorphic addition or homomorphic subtraction; for example, the second party computes E(random-r1), E(x2-r2), …, E(x5-r8) using the received public key to obtain the intermediate sequence, where E represents the homomorphic operation.
The second party shuffles the intermediate sequence using the first out-of-order sequence to obtain the target out-of-order result and sends it to the first party. The target out-of-order result is as follows: [E(x2-r2), E(random-r5), E(random-r7), E(x4-r3), E(x5-r8), E(x1-r4), E(random-r1), E(x3-r6)].
The first party decrypts the target out-of-order result using the public key and the private key, and obtains the updated first hash table shown in Table 3.
TABLE 3
[Figure SMS_3: image of the updated first hash table, not reproduced]
As shown in Table 3, the updated first hash table includes the following data: [x2-r2, random-r5, random-r7, x4-r3, x5-r8, x1-r4, random-r1, x3-r6]. Since x2-r2+r2 = x2, random-r5+r5 = random, and so on, the first sharing sequence [r2, r5, r7, r3, r8, r4, r1, r6] and the updated first hash table [x2-r2, random-r5, random-r7, x4-r3, x5-r8, x1-r4, random-r1, x3-r6] form the out-of-order secret sharing result of the first hash table [random, x2, x4, x1, random, x3, random, x5] after it has been shuffled by the first out-of-order sequence [2,5,7,3,8,4,1,6]. Because the first hash table is masked by the local random numbers of the second party, the first party knows neither the first out-of-order sequence nor the meaning of the data in the updated first hash table obtained after decryption; the first party sees only a set of random numbers. Since the second party cannot perform the homomorphic decryption operation, the second party cannot learn any information about the data in the first hash table. Thus, the first party and the second party obliviously hold the out-of-order secret sharing result of the first hash table.
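Steps S11 to S16, followed by the second party's update of its own table in step 103, can be run end to end on the page's example as follows. This is an added example, not code from the patent: Paillier is chosen here as one additively homomorphic scheme, the key is a toy size, the numeric encodings of x1..x6 and of the random fillers are constructed, and the final plaintext comparison stands in for the OPRF comparison of steps 104 and 105.

```python
import secrets
from math import gcd

# Toy Paillier key from two Mersenne primes: far too small for real use,
# chosen only so the example is self-contained (assumption, not the patent's).
P, Q = 2**31 - 1, 2**61 - 1


def keygen():
    n = P * Q
    lam = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)
    mu = pow(lam, -1, n)              # valid because the generator is n + 1
    return n, (lam, mu)               # public key n, private key (lam, mu)


def encrypt(n, m):
    r = secrets.randbelow(n - 1) + 1
    return (1 + (m % n) * n) * pow(r, n, n * n) % (n * n)


def decrypt(n, priv, c):
    lam, mu = priv
    return (pow(c, lam, n * n) - 1) // n * mu % n


def sub_plain(n, c, r):
    """Homomorphic subtraction E(x) -> E(x - r), re-randomised by encrypt()."""
    return c * encrypt(n, -r) % (n * n)


def shuffle_ss(first_table, perm, local_rand):
    """perm is 1-based, like the page's first out-of-order sequence."""
    n, priv = keygen()                                        # S11 (first party)
    enc_table = [encrypt(n, x) for x in first_table]          # S11
    first_sharing = [local_rand[j - 1] for j in perm]         # S12 (second party)
    intermediate = [sub_plain(n, c, r)                        # S13
                    for c, r in zip(enc_table, local_rand)]
    target = [intermediate[j - 1] for j in perm]              # S14, sent in S15
    updated_first = [decrypt(n, priv, c) for c in target]     # S16 (first party)
    return n, updated_first, first_sharing


def update_second_table(second_table, perm, first_sharing, n):
    """Step 103: shuffle the bins, then subtract the share at each position."""
    shuffled = [second_table[j - 1] for j in perm]
    return [[(y - r) % n for y in bin_] for bin_, r in zip(shuffled, first_sharing)]


def run_page_example():
    x = {i: 100 + i for i in range(1, 7)}          # constructed: x1..x6 = 101..106
    rnd = [9001, 9002, 9003]                       # constructed filler values
    first_table = [rnd[0], x[2], x[4], x[1], rnd[1], x[3], rnd[2], x[5]]
    second_table = [[x[4], x[5]], [x[2], x[6]], [x[2], x[4], x[6]], [x[3]],
                    [x[4], x[6]], [x[3], x[5]], [x[2]], [x[3], x[5]]]
    perm = [2, 5, 7, 3, 8, 4, 1, 6]                # from the page
    n, updated_first, first_sharing = shuffle_ss(
        first_table, perm, [secrets.randbelow(P * Q) for _ in perm])
    updated_second = update_second_table(second_table, perm, first_sharing, n)
    # Masked values collide exactly where the underlying items are equal.
    matches = [i for i, (a, b) in enumerate(zip(updated_first, updated_second))
               if a in b]
    return {"n": n, "updated_first": updated_first,
            "first_sharing": first_sharing, "matches": matches}


if __name__ == "__main__":
    print(run_page_example()["matches"])
```

Adding the two parties' values position by position modulo n recovers the shuffled first hash table, while neither list alone reveals it.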
In an optional embodiment of the present invention, the performing, by the first party, an out-of-order secret sharing protocol with the second party based on the first hash table may include:
step S21, the second party generates a first random number sequence with the length of m, wherein m is the length of the first hash table;
step S22, the first party and the second party perform n × 2^(n-1) preset operators based on an oblivious transfer protocol, so that the first party obtains an updated first hash table and the second party obtains a second random number sequence with the length of m, where the sum of the data at a first position in the updated first hash table and in the second random number sequence is equal to the sum of the data at a second position in the first hash table and in the first random number sequence, and the first position is the position to which the second position is moved by the first out-of-order sequence;
step S23, the second party calculates to obtain a first sharing sequence according to the first random number sequence and the second random number sequence, so that the first sharing sequence and the updated first hash table form an out-of-order secret sharing result of the first hash table.
Further, the definition of a preset operator may be as follows: assume that a first party owns data x1 and x2, and a second party owns random numbers r1 and r2 and a selection bit b, where b = 0 or b = 1; the two parties then execute the preset operator, so that the first party obtains random numbers x1' and x2', and the second party obtains random numbers r1' and r2'; if b = 0, x1' + r1' = x1 + r1 and x2' + r2' = x2 + r2; if b = 1, x1' + r1' = x2 + r2 and x2' + r2' = x1 + r1.
It should be noted that the symbols x1, x2, r1, r2, b, x1', x2', r1', and r2' in the definition of the preset operator are general symbols for describing the use of the preset operator, and do not refer to specific data.
In the embodiment of the invention, the preset operator is called the SS-select operator. After the first party and the second party execute a single SS-select operator, the two pieces of data owned by each party are replaced by two new random numbers. For example, x1 and x2 owned by the first party become x1' and x2', and r1 and r2 owned by the second party become r1' and r2'. The new random numbers obtained by the two parties are exactly the additive secret sharing results of the sums of the original corresponding data, transposed or not according to the selection bit b. For example, when b = 0, the new random numbers x1' and r1' are an additive secret sharing of x1 + r1, and the new random numbers x2' and r2' are an additive secret sharing of x2 + r2; when b = 1, the new random numbers x1' and r1' are an additive secret sharing of x2 + r2, and the new random numbers x2' and r2' are an additive secret sharing of x1 + r1.
The SS-select operator in the embodiment of the invention can be regarded as a black box: the first party inputs data x1 and x2, the second party inputs random numbers r1 and r2 and a selection bit b, and each party obtains the result that the black box outputs to it. The first party obtains random numbers x1' and x2', and the second party obtains random numbers r1' and r2', such that if b = 0, then x1' + r1' = x1 + r1 and x2' + r2' = x2 + r2; if b = 1, then x1' + r1' = x2 + r2 and x2' + r2' = x1 + r1. The selection bits of the n × 2^(n-1) SS-select operators are combined to form the out-of-order sequence of one Shuffle-SS protocol with a data volume of 2^n, and only the second party knows this out-of-order sequence.
In the embodiment of the present invention, an SS-select operator can be implemented by OT (Oblivious Transfer). In an alternative embodiment of the invention, the first party has data x1 and x2, the second party has random numbers r1 and r2 and a selection bit b, where b = 0 or b = 1; the step of executing a preset operator by the first party and the second party may include:
step S31, the first party generates a random number t and obtains the messages to be queried in the oblivious transfer, which include: t and t + (x2-x1); the second party takes the selection bit b as the query bit of the oblivious transfer;
step S32, the first party and the second party execute a 1-out-of-2 oblivious transfer protocol with the first party as the sender and the second party as the receiver, and the second party obtains a query result (t + b × (x2-x1));
step S33, the first party constructs (x1-t) and (x2+t);
step S34, the second party constructs ((t + b × (x2-x1)) + b × (r2-r1) + r1) and ((t + b × (x2-x1)) - b × (r2-r1) + r2).
In the embodiment of the invention, the first party serves as the sender of the oblivious transfer, generates the random number t, and takes t and t + (x2-x1) as the messages to be queried in the oblivious transfer. The second party serves as the receiver of the oblivious transfer and takes the selection bit b of the SS-select operator as the query bit of the oblivious transfer. The first party and the second party execute a 1-out-of-2 oblivious transfer protocol with the first party as the sender and the second party as the receiver, and the second party obtains the OT query result (t + b × (x2-x1)). Since the random number t is randomly generated by the first party, the information of x1 and x2 is completely masked, and thus the second party cannot acquire valid information about x1 and x2. In addition, the first party cannot learn the selection bit b, so the first party is also unaware of the out-of-order sequence formed by combining the selection bits of the n × 2^(n-1) SS-select operators. The first party may construct the new random numbers (x1-t) and (x2+t), and the second party may use the OT query result to construct the new random numbers ((t + b × (x2-x1)) + b × (r2-r1) + r1) and ((t + b × (x2-x1)) - b × (r2-r1) + r2). It can be verified that the new random numbers constructed by the first party and the second party (from locally held data, both generated and obtained through the OT query) together form the additive secret sharing result of (x1+r1) and (x2+r2), transposed or not according to the selection bit b, in accordance with the definition of the SS-select operator in the embodiments of the present invention.
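The SS-select construction of steps S31 to S34 with both parties' values written out, as an added example (not code from the patent). Assumptions: the OT is an ideal function, arithmetic is modulo 2^64, `switch_layer` is a hypothetical helper, and the second party's second share takes the OT result q with a negative sign (r2 - b × (r2-r1) - q), the sign under which both outputs satisfy the operator's definition.

```python
import secrets

MOD = 2 ** 64  # assumption: values and shares live in the ring Z_{2^64}


def ot_1_of_2(m0, m1, choice):
    """Ideal 1-out-of-2 OT: the receiver learns m_choice and nothing else,
    the sender learns nothing about choice. A deployment replaces this with
    a cryptographic OT; here it only fixes who sees which value."""
    return m1 if choice else m0


def ss_select(x1, x2, r1, r2, b):
    """One SS-select operator (steps S31 to S34).

    First party inputs x1, x2; second party inputs r1, r2 and bit b.
    Returns ((x1', x2'), (r1', r2')) for the first and second party.
    """
    # S31: the first party (OT sender) draws a fresh mask t and prepares
    # the two OT messages t and t + (x2 - x1).
    t = secrets.randbelow(MOD)
    m0, m1 = t, (t + x2 - x1) % MOD
    # S32: the second party (OT receiver) queries with b and learns only
    # q = t + b * (x2 - x1), which t masks completely.
    q = ot_1_of_2(m0, m1, b)
    # S33: the first party's new shares.
    first = ((x1 - t) % MOD, (x2 + t) % MOD)
    # S34: the second party's new shares. q is added in the first share
    # and subtracted in the second (assumption stated in the lead-in).
    d = b * (r2 - r1)
    second = ((q + d + r1) % MOD, (-q - d + r2) % MOD)
    return first, second


def switch_layer(xs, rs, bits):
    """Hypothetical helper: one SS-select per adjacent pair (2k, 2k+1).
    bits[k] = 1 swaps the pair, bits[k] = 0 leaves it in place."""
    new_x, new_r = [], []
    for k, b in enumerate(bits):
        (a1, a2), (s1, s2) = ss_select(
            xs[2 * k], xs[2 * k + 1], rs[2 * k], rs[2 * k + 1], b)
        new_x += [a1, a2]
        new_r += [s1, s2]
    return new_x, new_r


def reconstruct(xs, rs):
    """Add the two parties' shares position by position."""
    return [(x + r) % MOD for x, r in zip(xs, rs)]


if __name__ == "__main__":
    xs, rs = [10, 20, 30, 40], [1, 2, 3, 4]   # constructed sample values
    new_x, new_r = switch_layer(xs, rs, [1, 0])
    print(reconstruct(new_x, new_r))
```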
In a specific implementation, the out-of-order secret sharing protocol may be regarded as a black box. The first party inputs the data in the first hash table into the black box; the second party generates a first out-of-order sequence and a random number sequence (such as a local random number sequence or a first random number sequence) and inputs them into the black box. The two parties each obtain an out-of-order secret sharing result, and the sum of the two parties' results is the data in the first hash table scrambled by the first out-of-order sequence, together with some padding random numbers.
Referring to fig. 2, a diagram illustrating the result of the first execution of the out-of-order secret sharing protocol by the first party and the second party in an example of the present invention is shown. As shown in fig. 2, the data that the first party inputs into the black box of the out-of-order secret sharing protocol includes the data in the first hash table. Taking the first hash table shown in Table 1 as an example, the data input by the first party into the black box is as follows: [random, x2, x4, x1, random, x3, random, x5]. The second party generates a first random number sequence [r1, r2, r3, r4, r5, r6, r7, r8] and a first out-of-order sequence [2,5,7,3,8,4,1,6]. The data input into the black box by the second party includes [r1, r2, r3, r4, r5, r6, r7, r8] and [2,5,7,3,8,4,1,6]. After the two parties execute the out-of-order secret sharing protocol, the first party obtains the updated first hash table, which comprises the following data: [x2-r2, random-r5, random-r7, x4-r3, x5-r8, x1-r4, random-r1, x3-r6]. The second party obtains the first sharing sequence as follows: [r2, r5, r7, r3, r8, r4, r1, r6].
Then, the second party performs an out-of-order operation on the second hash table by using the first out-of-order sequence, and subtracts the data at the corresponding position in the first sharing sequence from each piece of data in the out-of-order second hash table to obtain an updated second hash table.
In an optional embodiment of the present invention, the subtracting, from each piece of data in the out-of-order second hash table, the data at the corresponding position in the first sharing sequence may include: when two or more pieces of data exist at a certain position in the out-of-order second hash table, subtracting the data at the corresponding position in the first sharing sequence from each of the two or more pieces of data.
In the embodiment of the present invention, when two or more pieces of data exist at a certain position in the hash table, processing the data at the certain position means processing each piece of data at the certain position.
For example, in the example above, the second party holds the first out-of-order sequence [2,5,7,3,8,4,1,6] and the first sharing sequence [r2, r5, r7, r3, r8, r4, r1, r6]. The second party uses the first out-of-order sequence [2,5,7,3,8,4,1,6] to perform an out-of-order operation on the second hash table shown in Table 2, obtaining the out-of-order second hash table shown in Table 4.
TABLE 4
Figure SMS_4
Then, the data at the corresponding position in the first sharing sequence is subtracted from each piece of data in the out-of-order second hash table. As shown in Table 4, the following two pieces of data exist at the 1st position in the out-of-order second hash table: x2 and x6; therefore, the data r2 at the corresponding position in the first sharing sequence is subtracted from each of the two. As another example, in Table 4, the following two pieces of data exist at the 2nd position in the out-of-order second hash table: x4 and x6; therefore, the data r5 at the corresponding position in the first sharing sequence is subtracted from each of the two. By analogy, the updated second hash table shown in Table 5 can be obtained.
TABLE 5
Figure SMS_5
At this time, the first party gets the updated first hash table (as shown in table 3), and the second party gets the updated second hash table (as shown in table 5).
Next, the first party and the second party perform an oblivious pseudorandom function OPRF protocol, so that the first party obtains a first OPRF result corresponding to each data in the updated first hash table, and the second party obtains a second OPRF result corresponding to each data in the updated second hash table.
OPRF is an extension protocol of oblivious transfer. The function of the OPRF protocol is as follows: a sender and a receiver execute a two-party OPRF protocol; the sender has no input, the receiver inputs data x_i, the sender outputs a key k, and the receiver outputs the OPRF result F(k, x_i).
In an optional embodiment of the present invention, the performing, by the first party and the second party, an oblivious pseudo random function OPRF protocol so that the first party obtains a first OPRF result corresponding to each data in the updated first hash table, and the second party obtains a second OPRF result corresponding to each data in the updated second hash table may include:
step S41, the first party serves as a receiving party, the data in the updated first hash table and the location information thereof serve as input data of an OPRF protocol, the second party serves as a sending party, and both parties execute a batch of OPRF protocols, so that the first party obtains a first OPRF result corresponding to the data in the updated first hash table under the location information thereof, and the second party obtains an OPRF key corresponding to each location information;
step S42, the second party calculates a second OPRF result corresponding to each piece of data in the updated second hash table under the position information thereof by using the OPRF key corresponding to each piece of position information and each piece of data in the updated second hash table and the position information thereof.
In the embodiment of the invention, the first party is the receiver of the OPRF protocol, the second party is the sender of the OPRF protocol, and the two parties execute the OPRF protocol in batches. Specifically, the first party uses each piece of data and the location information thereof in the updated first hash table as input data of the OPRF protocol, and executes the batch OPRF protocol with the second party.
Taking the updated first hash table shown in Table 3 as an example, the data at the 1st position in Table 3 is x2-r2 and its position information is 1, so the data x2-r2 and its position information 1 are used as input data of the OPRF protocol, and the OPRF protocol is executed with the second party, so that the first party obtains the first OPRF result corresponding to the data x2-r2 under the position information 1, denoted OPRF(k1, (x2-r2, 1)); here k1 represents the OPRF key corresponding to the position information 1, and (x2-r2, 1) represents that the position information corresponding to the data x2-r2 is 1; the second party obtains the OPRF key corresponding to the position information 1, namely k1. The data at the 2nd position in Table 3 is random-r5 and its position information is 2, so the data random-r5 and its position information 2 are used as input data of the OPRF protocol, and the OPRF protocol is executed with the second party, so that the first party obtains the first OPRF result corresponding to the data random-r5 under the position information 2, denoted OPRF(k2, (random-r5, 2)); here k2 represents the OPRF key corresponding to the position information 2, and (random-r5, 2) represents that the position information corresponding to the data random-r5 is 2; the second party obtains the OPRF key corresponding to the position information 2, namely k2. And so on.
After both parties execute the batch OPRF protocol, the second party calculates the second OPRF result corresponding to each piece of data in the updated second hash table under its position information, by using the OPRF key corresponding to each piece of position information together with each piece of data in the updated second hash table and its position information. For example, in the above example, the second party obtains the OPRF keys corresponding to the 8 pieces of position information, denoted k1 to k8. Since the second party possesses the OPRF keys, it can calculate the second OPRF result corresponding to each piece of data in the updated second hash table under its position information. Taking the updated second hash table shown in Table 5 as an example, the data at the 1st position in Table 5 includes x2-r2 and x6-r2, and the second party can calculate OPRF(k1, (x2-r2, 1)) and OPRF(k1, (x6-r2, 1)); here k1 denotes the OPRF key corresponding to the position information 1, (x2-r2, 1) denotes that the position information corresponding to the data x2-r2 is 1, and (x6-r2, 1) denotes that the position information corresponding to the data x6-r2 is 1. By analogy, the second party can calculate the second OPRF result corresponding to each piece of data in the updated second hash table under its position information.
Referring to fig. 3, a schematic diagram of a first OPRF result and a second OPRF result in one example of the invention is shown. Note that the OPRF key is not shown in fig. 3.
Then, the second party sends its second OPRF results to the first party, the first party compares the first OPRF results it holds with the second OPRF results of the second party, and obtains a first target set according to the comparison result, where the first target set includes the data in the updated first hash table at the positions whose first OPRF result is equal to a second OPRF result.
Since the first party is the receiver of the OPRF protocol and does not calculate the key of the OPRF, even if the first party obtains the second OPRF results sent by the second party, the first party cannot acquire any effective information from the second OPRF results, and data privacy and security can be ensured.
The first party may perform an equality comparison between its first OPRF results and the second OPRF results of the second party based on privacy calculation, and obtain the first target set from the updated first hash table according to the comparison result. The first target set includes the data in the updated first hash table at the positions whose first OPRF result is equal to a second OPRF result, and these data are one part of the secret sharing result of the intersection data of the first data set and the second data set. Therefore, in the embodiment of the present invention, the data in the first target set that comes from the positions in the updated first hash table whose first OPRF result is equal to a second OPRF result is referred to as intersection related data.
As shown in fig. 3, 4 of the first party's first OPRF results are equal to second OPRF results, namely: OPRF(k1, (x2-r2, 1)), OPRF(k4, (x4-r3, 4)), OPRF(k5, (x5-r8, 5)), and OPRF(k8, (x3-r6, 8)), and the corresponding position information is 1, 4, 5, and 8. The data with position information 1, 4, 5, and 8 can be obtained from the updated first hash table shown in Table 3, and includes: x2-r2, x4-r3, x5-r8, and x3-r6, thereby obtaining the first target set. Referring to Table 6, a first target set in one example of the invention is shown. The first target set comprises one part of the secret sharing result of the intersection data of the first data set and the second data set (also called intersection related data) and some random numbers; the blank positions in Table 6 are random numbers, which are not shown in Table 6. The length of the first target set is equal to the lengths of the first hash table and the second hash table, and the position information of the intersection related data in the first target set is consistent with its position information in the updated first hash table.
TABLE 6
Figure SMS_6
At this time, x2-r2, x4-r3, x5-r8 and x3-r6 in the first target set obtained by the first party and r2, r3, r8 and r6 in the first sharing sequence obtained by the second party together form a secret sharing result of the intersection data. x2-r2, x4-r3, x5-r8 and x3-r6 in the first target set shown in Table 6 are the intersection related data. However, at this time, the second party does not know the information of the intersection data, and the second party has not yet obtained the other part of the secret sharing result of the intersection data.
Therefore, the embodiment of the present invention also needs to enable the second party to obtain the secret sharing result of the intersection data. Specifically, the first party, based on the first target set, and the second party, based on the first sharing sequence, act so that the two parties obtain a secret sharing result of the intersection data of the first data set and the second data set.
In order to enable the second party to obtain the secret sharing result of the intersection data and not to cause data leakage, the embodiment of the invention enables the second party to obtain the secret sharing result of the intersection data through an out-of-order operation.
In an optional embodiment of the present invention, the obtaining, by the first party based on the first target set and the second party based on the first sharing sequence, of a secret sharing result of intersection data of the first data set and the second data set may include:
step S51, the second party executes an out-of-order secret sharing protocol with the first party based on the first sharing sequence, so that the second party obtains an updated first sharing sequence, and the first party obtains a second sharing sequence; the updated first sharing sequence and the second sharing sequence form an out-of-order secret sharing result of the first sharing sequence after being scrambled by a second out-of-order sequence, wherein the second out-of-order sequence is owned by the first party;
step S52, the first party performs an out-of-order operation on the first target set by using the second out-of-order sequence, and adds the data at the corresponding position in the second sharing sequence to each piece of data in the out-of-order first target set to obtain an updated first target set;
step S53, the first party sends the position information of the intersection related data in the updated first target set to the second party, and the second party extracts the data corresponding to the position information from the updated first sharing sequence to obtain a second target set; the updated first target set and the second target set constitute a secret sharing result of intersection data of the first data set and the second data set.
The first party and the second party execute the out-of-order secret sharing protocol again, with the second party taking the first sharing sequence it holds as input data. After the two parties execute the out-of-order secret sharing protocol, the second party obtains an updated first sharing sequence and the first party obtains a second sharing sequence. The updated first sharing sequence and the second sharing sequence form the out-of-order secret sharing result of the first sharing sequence after being scrambled by the second out-of-order sequence, and the second out-of-order sequence is owned by the first party.
Referring to fig. 4, a diagram illustrating a result of a second execution of an out-of-order secret sharing protocol by a first party and a second party in an example of the present invention is shown.
As shown in fig. 4, when the out-of-order secret sharing protocol is executed for the second time, the data that the second party inputs into the black box of the out-of-order secret sharing protocol includes the data in the first sharing sequence, such as [r2, r5, r7, r3, r8, r4, r1, r6]. The first party generates a local random number sequence [t1, t2, t3, t4, t5, t6, t7, t8] and the second out-of-order sequence [4,3,7,8,5,1,6,2]. The data that the first party inputs into the black box includes [t1, t2, t3, t4, t5, t6, t7, t8] and [4,3,7,8,5,1,6,2]. After the two parties execute the out-of-order secret sharing protocol, the second party obtains the updated first sharing sequence as follows: [r3-t4, r7-t3, r1-t7, r6-t8, r8-t5, r2-t1, r4-t6, r5-t2]. The first party obtains the second sharing sequence as follows: [t4, t3, t7, t8, t5, t1, t6, t2].
The first party performs an out-of-order operation on the first target set by using the second out-of-order sequence, and adds the data at the corresponding position in the second sharing sequence to each piece of data in the out-of-order first target set to obtain an updated first target set. For example, in the above example, after the first party performs the out-of-order operation on the first target set by using the second out-of-order sequence [4,3,7,8,5,1,6,2], the out-of-order first target set is obtained as shown in Table 7.
TABLE 7
Figure SMS_7
The data at the corresponding position in the second sharing sequence is then added to each piece of data in the out-of-order first target set. Specifically, the data x4-r3 at the 1st position in the out-of-order first target set is added to the data t4 at the 1st position in the second sharing sequence, the data (a certain random number) at the 2nd position in the out-of-order first target set is added to the data t3 at the 2nd position in the second sharing sequence, the data (a certain random number) at the 3rd position in the out-of-order first target set is added to the data t7 at the 3rd position in the second sharing sequence, the data x3-r6 at the 4th position in the out-of-order first target set is added to the data t8 at the 4th position in the second sharing sequence, and so on, until the data (a certain random number) at the 8th position in the out-of-order first target set is added to the data t2 at the 8th position in the second sharing sequence; the updated first target set is shown in Table 8. The updated first target set contains intersection related data and some random numbers. It will be appreciated that the intersection related data in Table 8 has changed from the intersection related data in Table 6. The blank positions in Table 8 are random numbers, which are not shown in Table 8. Since the first party has the second out-of-order sequence, the first party can know which positions in the updated first target set hold intersection related data. It should be noted that, from the first party's point of view, all data in the updated first target set are meaningless random numbers, so the privacy and security of the intersection data can be protected.
TABLE 8
Figure SMS_8
Finally, the first party sends the position information of the intersection related data in the updated first target set to the second party, and the second party obtains data of corresponding positions in the updated first sharing sequence according to the received position information to obtain a second target set; the updated first target set and the second target set constitute a secret sharing result of intersection data of the first data set and the second data set.
As shown in Table 8, the updated first target set obtained by the first party includes the following intersection related data: x4-r3+t4, x3-r6+t8, x5-r8+t5, and x2-r2+t1. Since the first party has the second out-of-order sequence used to scramble the first target set into the updated first target set, the first party can obtain the position information of these 4 pieces of intersection related data in the updated first target set, namely 1, 4, 5, and 6 respectively. The first party sends the position information of the intersection related data in the updated first target set to the second party, and the second party can acquire the data at the corresponding positions in the updated first sharing sequence according to the received position information to obtain a second target set. In the above example, the updated first sharing sequence is [r3-t4, r7-t3, r1-t7, r6-t8, r8-t5, r2-t1, r4-t6, r5-t2], and the second party may obtain the data at the 1st, 4th, 5th, and 6th positions from the updated first sharing sequence, including r3-t4, r6-t8, r8-t5, and r2-t1, thereby obtaining the second target set. At this time, the updated first target set includes the following data: x4-r3+t4, x3-r6+t8, x5-r8+t5, x2-r2+t1; the second target set includes the following data: r3-t4, r6-t8, r8-t5, r2-t1. Since x4-r3+t4+r3-t4 = x4, x3-r6+t8+r6-t8 = x3, x5-r8+t5+r8-t5 = x5, and x2-r2+t1+r2-t1 = x2, the updated first target set and the second target set constitute a secret sharing result of the intersection data of the first data set and the second data set.
In the above process, the first party informs the second party of the position information of the intersection related data in the updated first target set, and because the second party cannot acquire the second out-of-order sequence, the second party cannot acquire any information related to the original data from the position information provided by the first party. In addition, for the first party, each piece of data in the updated first target set it acquires is a meaningless random number; for the second party, the data in the second target set it acquires are meaningless random numbers. The first party and the second party can only obtain the secret sharing result of the intersection data of the two parties and the number of pieces of intersection data, but cannot obtain other effective information about the intersection data, so the privacy and security of the data can be guaranteed.
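The flow from the first Shuffle-SS run through steps S51 to S53, replayed on this section's out-of-order sequences [2,5,7,3,8,4,1,6] and [4,3,7,8,5,1,6,2], as an added example (not code from the patent). Assumptions: Shuffle-SS is an ideal black box, HMAC-SHA256 stands in for the OPRF, shares are taken modulo 2^64, and the numeric values of x1 to x6 and the layout of the second hash table are constructed.

```python
import hashlib
import hmac
import secrets

MOD = 2 ** 64  # assumption: additive shares live in Z_{2^64}


def shuffle_ss(data, perm, masks):
    """Ideal Shuffle-SS black box. perm is 1-indexed as in the text: output
    position i holds input position perm[i]. Returns (share of the party that
    supplied data, share of the party that supplied perm and masks)."""
    data_side = [(data[p - 1] - masks[p - 1]) % MOD for p in perm]
    perm_side = [masks[p - 1] for p in perm]
    return data_side, perm_side


def oprf(key, value, pos):
    """HMAC-SHA256 stand-in for OPRF(k_pos, (value, pos)). In a real OPRF the
    first party obtains its outputs without ever seeing the key."""
    msg = value.to_bytes(8, "big") + pos.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


def psi_to_shares(table1, table2, pi, sigma):
    """Returns (revealed positions, first party's shares, second party's shares)."""
    m = len(table1)
    fresh = lambda: [secrets.randbelow(MOD) for _ in range(m)]
    # First Shuffle-SS run: the second party owns pi and the masks r.
    upd_table1, share1 = shuffle_ss(table1, pi, fresh())
    # The second party shuffles its own table with pi and subtracts share1
    # from every item in each bin (a bin may hold more than one item).
    upd_table2 = [[(v - share1[i]) % MOD for v in table2[p - 1]]
                  for i, p in enumerate(pi)]
    # Batch OPRF (S41, S42): one key per position, held by the second party.
    keys = [secrets.token_bytes(32) for _ in range(m)]
    first_res = [oprf(keys[i], upd_table1[i], i + 1) for i in range(m)]
    second_res = {oprf(keys[i], v, i + 1)
                  for i in range(m) for v in upd_table2[i]}
    # First target set: matching positions keep their data, others get noise.
    hit = [res in second_res for res in first_res]
    target = [upd_table1[i] if hit[i] else secrets.randbelow(MOD)
              for i in range(m)]
    # S51: second Shuffle-SS run on share1; the first party owns sigma and t.
    upd_share1, share2 = shuffle_ss(share1, sigma, fresh())
    # S52: the first party shuffles the target set with sigma, adds share2.
    upd_target = [(target[p - 1] + share2[i]) % MOD
                  for i, p in enumerate(sigma)]
    # S53: the first party reveals only where the intersection data sits.
    positions = [i + 1 for i, p in enumerate(sigma) if hit[p - 1]]
    first_out = [upd_target[i - 1] for i in positions]
    second_out = [upd_share1[i - 1] for i in positions]
    return positions, first_out, second_out


X = {k: 1000 + k for k in range(1, 7)}   # constructed values for x1..x6
PI = [2, 5, 7, 3, 8, 4, 1, 6]            # first out-of-order sequence (text)
SIGMA = [4, 3, 7, 8, 5, 1, 6, 2]         # second out-of-order sequence (text)


def demo():
    """Runs the flow and adds the two parties' shares to check the result."""
    pad = lambda: secrets.randbelow(MOD)  # filler for empty cuckoo slots
    table1 = [pad(), X[2], X[4], X[1], pad(), X[3], pad(), X[5]]
    # Constructed bin layout; only the bins {x2, x6} and {x4, x6} are quoted
    # in the text.
    table2 = [[X[3]], [X[2], X[6]], [X[4]], [X[5]],
              [X[4], X[6]], [X[3]], [X[2]], [X[5]]]
    positions, a, b = psi_to_shares(table1, table2, PI, SIGMA)
    return positions, [(u + v) % MOD for u, v in zip(a, b)]


if __name__ == "__main__":
    print(demo())
```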
In summary, the embodiments of the present invention utilize technologies such as a hash technology, a Shuffle-SS (out-of-order secret sharing protocol) and an OPRF, and implement a privacy intersection method in which an output intersection result is in a secret sharing form, so that two parties (e.g., a first party and a second party) participating in privacy intersection obtain a secret sharing result of intersection data of data sets of the two parties. The first party and the second party respectively obtain half of secret sharing results, the two participating parties cannot obtain the specific information of the intersection data, only the number of the intersection data can be known, and the privacy safety of the intersection data can be protected. Further, since the first party and the second party obtain the secret sharing result of the intersection data, the first party and the second party can directly perform any multi-party secure computation taking the intersection data as input based on the secret sharing protocol by using the secret sharing result of the intersection data held by the first party and the second party, for example, machine learning training is performed by using the secret sharing result of the intersection data, and the efficiency of subsequent multi-party secure computation can be improved, and the plaintext information of each intersection data is not exposed.
It should be noted that, for simplicity of description, the method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the illustrated order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments of the present invention. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred and that no particular act is required to implement the invention.
Referring to fig. 5, a block diagram of an embodiment of a privacy intersection system according to the present invention is shown. The system is used for performing privacy intersection on a first data set of a first party and a second data set of a second party, and includes a first party 501 and a second party 502, where:
the first party 501 is configured to perform a first hash operation on the first data set to obtain a first hash table, and execute an out-of-order secret sharing protocol based on the first hash table and the second party, so that the first party obtains an updated first hash table, and the second party obtains a first sharing sequence; the updated first hash table and the first sharing sequence form an out-of-order secret sharing result of the first hash table after being disordered by a first out-of-order sequence, wherein the first out-of-order sequence is owned by the second party;
the second party 502 is configured to perform a second hash operation on the second data set to obtain a second hash table, perform an out-of-order operation on the second hash table by using the first out-of-order sequence, and subtract data at a corresponding position in the first sharing sequence from each data in the out-of-order second hash table to obtain an updated second hash table;
the first party 501, further configured to execute an oblivious pseudorandom function OPRF protocol with the second party, so that the first party obtains a first OPRF result corresponding to each data in the updated first hash table, and the second party obtains a second OPRF result corresponding to each data in the updated second hash table;
the second party 502, further configured to send the second OPRF result to the first party;
the first party 501 is further configured to compare the first OPRF result with the second OPRF result, and obtain a first target set according to the comparison result, where the first target set includes data of a corresponding position of the first OPRF result equal to the second OPRF result in the updated first hash table;
the first party 501 is further configured to obtain, based on the first target set and together with the second party 502 acting based on the first sharing sequence, a secret sharing result of intersection data of the first data set and the second data set.
Optionally, the first hash operation includes a cuckoo hash operation, the second hash operation includes a simple hash operation, the first hash operation and the second hash operation use the same hash function, and the lengths of the first hash table and the second hash table are equal.
Optionally, the second party is specifically configured to, when two or more pieces of data exist at a certain position in the second hash table after the out-of-order processing, subtract data at a corresponding position in the first share sequence from the two or more pieces of data, respectively.
Optionally, the first party is specifically configured to act as the receiving party, use each piece of data in the updated first hash table together with its location information as input data of an OPRF protocol, and execute a batch OPRF protocol with the second party; the second party is specifically configured to execute the batch OPRF protocol with the first party as the sending party, so that the first party obtains a first OPRF result corresponding to each piece of data in the updated first hash table under the location information of that data, and the second party obtains an OPRF key corresponding to each piece of location information;
the second party is further configured to calculate, by using the OPRF key corresponding to each piece of location information and each piece of data in the updated second hash table and the location information of the data, a second OPRF result corresponding to each piece of data in the updated second hash table under the location information of the data.
Optionally, the lengths of the first target set, the first hash table, and the second hash table are equal, and the second party is specifically configured to execute an out-of-order secret sharing protocol based on the first sharing sequence and the first party, so that the second party obtains an updated first sharing sequence, and the first party obtains a second sharing sequence; the updated first shared sequence and the updated second shared sequence form an out-of-order secret sharing result of the first shared sequence after being scrambled by a second out-of-order sequence, wherein the second out-of-order sequence is owned by the first party;
the first party is specifically configured to perform an out-of-order operation on the first target set by using the second out-of-order sequence, and add data at a corresponding position in the second sharing sequence to each piece of data in the out-of-order first target set to obtain an updated first target set; sending the updated position information of the intersection related data in the first target set to the second party;
the second party is further configured to extract data corresponding to the location information from the updated first sharing sequence to obtain a second target set; the updated first target set and the second target set constitute a secret sharing result of intersection data of the first data set and the second data set.
Optionally, the out-of-order secret sharing protocol is implemented based on an additively homomorphic encryption algorithm, or the out-of-order secret sharing protocol is implemented based on an oblivious transfer protocol.
Optionally, the first party is specifically configured to generate a homomorphic encrypted private key and a public key, encrypt the first hash table by using the public key, and send the encrypted first hash table and the public key to the second party;
the second party is specifically configured to generate a first out-of-order sequence and a local random number sequence, and perform out-of-order operation on the local random number sequence by using the first out-of-order sequence to obtain a first sharing sequence;
the second party is further configured to perform homomorphic operation on each piece of data in the encrypted first hash table and data at a corresponding position in the local random number sequence by using the public key to obtain an intermediate sequence; carrying out disorder operation on the intermediate sequence by utilizing the first disorder sequence to obtain a target disorder result; sending the target out-of-order result to the first party;
the first party is further configured to decrypt the target out-of-order result by using the public key and the private key to obtain an updated first hash table.
Optionally, the second party is specifically configured to generate a first random number sequence with a length of m, where m is the length of the first hash table;
the first party and the second party are specifically configured to execute n × 2^(n-1) preset operators based on an oblivious transfer protocol, so that the first party obtains an updated first hash table and the second party obtains a second random number sequence of length m, where the sum of the data at a first position in the updated first hash table and in the second random number sequence is equal to the sum of the data at a second position in the first hash table and in the first random number sequence, and the first position is the position to which the second position is moved by the first out-of-order sequence;
the second party is further configured to calculate a first sharing sequence according to the first random number sequence and the second random number sequence, so that the first sharing sequence and the updated first hash table form an out-of-order secret sharing result of the first hash table.
The embodiment of the invention uses hashing, Shuffle-SS (the out-of-order secret sharing protocol), OPRF (oblivious pseudorandom function) and related techniques to realize a privacy intersection system that outputs the intersection result in secret-shared form, so that the two parties participating in the privacy intersection (the first party and the second party) obtain a secret sharing result of the intersection data of their data sets. The first party and the second party each hold one half of the secret sharing result; neither party can obtain the specific intersection data, and each learns only the number of intersection items, so the privacy and security of the intersection data are protected. Further, because the first party and the second party hold a secret sharing result of the intersection data, they can use it directly as input to any secure multi-party computation based on a secret sharing protocol, for example machine learning training on the secret-shared intersection data. This improves the efficiency of the subsequent secure multi-party computation without exposing the plaintext of any intersection item.
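The flow described above for the first party 501 and the second party 502 can be traced end to end in one process. The following Python code is an added example, not code from the patent. Its assumptions are: a toy Paillier key for the additively homomorphic variant of the out-of-order secret sharing protocol, HMAC as a local stand-in for the batch OPRF, three shared hash functions, random dummies in empty cuckoo bins, shares taken modulo the Paillier modulus, and hypothetical function names throughout.

```python
import hashlib, hmac, secrets

# Toy Paillier key built from two Mersenne primes (constructed demo values,
# far too small for real use). Shares live in Z_N (assumption).
P, Q = 2**61 - 1, 2**89 - 1
N, N2, PHI = P * Q, (P * Q) ** 2, (P - 1) * (Q - 1)
MU = pow(PHI, -1, N)
K = 3  # hash functions shared by both parties (assumption)

def enc(m):
    r = secrets.randbelow(N - 1) + 1
    return (1 + (m % N) * N) * pow(r, N, N2) % N2

def dec(c):
    return (pow(c, PHI, N2) - 1) // N * MU % N

def bin_of(i, x, m):
    d = hashlib.sha256(f"{i}|{x}".encode()).digest()
    return int.from_bytes(d[:8], "big") % m

def cuckoo_table(items, m, max_kicks=500):
    """First hash operation: at most one item per bin."""
    table = [None] * m
    for x in items:
        cur = x
        for step in range(max_kicks):
            pos = bin_of(step % K, cur, m)
            cur, table[pos] = table[pos], cur   # place cur, pick up the evictee
            if cur is None:
                break
        else:
            raise RuntimeError("cuckoo insertion failed; use a larger table")
    # Assumption: empty bins are filled with random dummies.
    return [secrets.randbelow(N) if v is None else v for v in table]

def simple_table(items, m):
    """Second hash operation: every item goes into all of its candidate bins."""
    table = [[] for _ in range(m)]
    for y in items:
        for pos in {bin_of(i, y, m) for i in range(K)}:
            table[pos].append(y)
    return table

def shuffle_ss(values):
    """Homomorphic out-of-order secret sharing. The holder of `values` ends
    with `masked`, the peer with (perm, share), such that
    masked[j] + share[j] == values[perm[j]] (mod N)."""
    cts = [enc(v) for v in values]                  # holder -> peer
    perm = list(range(len(values)))
    secrets.SystemRandom().shuffle(perm)            # peer's out-of-order sequence
    rnd = [secrets.randbelow(N) for _ in values]    # peer's local random sequence
    # Enc(v) * Enc(-r) = Enc(v - r). The fresh encryption also re-randomises
    # each ciphertext, so the holder cannot link outputs to what it sent.
    inter = [c * enc(-r) % N2 for c, r in zip(cts, rnd)]
    share = [rnd[p] for p in perm]
    masked = [dec(inter[p]) for p in perm]          # peer -> holder, then decrypt
    return masked, perm, share

def prf(key, pos, v):
    # Stand-in for F_k(position, value). A real OPRF hides the key from the
    # receiver and the receiver's inputs from the sender.
    return hmac.new(key, f"{pos}|{v}".encode(), hashlib.sha256).digest()

def psi_shares(set1, set2, m):
    t1 = cuckoo_table(set1, m)                      # first party
    t2 = simple_table(set2, m)                      # second party
    t1u, perm1, s1 = shuffle_ss(t1)                 # P1: t1u; P2: perm1, s1
    # P2 shuffles its table with perm1 and subtracts the first sharing sequence.
    t2u = [[(y - s1[j]) % N for y in t2[perm1[j]]] for j in range(m)]
    keys = [secrets.token_bytes(16) for _ in range(m)]   # P2's per-position keys
    f1 = [prf(keys[j], j, t1u[j]) for j in range(m)]     # P1's OPRF outputs
    f2 = [{prf(keys[j], j, v) for v in t2u[j]} for j in range(m)]  # P2 -> P1
    hit = [f1[j] in f2[j] for j in range(m)]             # P1's comparison
    # Second shuffle, roles swapped: P2 holds s1, P1 owns perm2 and s2, so the
    # positions P1 reveals cannot be mapped back to bins by P2.
    s1u, perm2, s2 = shuffle_ss(s1)
    target = [(t1u[p] + s2[j]) % N for j, p in enumerate(perm2)]
    positions = [j for j, p in enumerate(perm2) if hit[p]]   # P1 -> P2
    return [target[j] for j in positions], [s1u[j] for j in positions]

if __name__ == "__main__":
    # Constructed sample identifiers.
    a, b = psi_shares([101, 202, 303, 404, 505], [303, 404, 606, 707], 16)
    print(len(a), sorted((x + y) % N for x, y in zip(a, b)))
```

Each returned list on its own is uniformly masked; only the position-wise sum modulo N of the two lists reconstructs an intersection element, which is what lets a later secret-sharing computation consume the result directly.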
Since the system embodiment is substantially similar to the method embodiment, it is described only briefly; for relevant details, refer to the corresponding description of the method embodiment.
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
With regard to the system in the above embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be elaborated here.
An embodiment of the present invention provides an apparatus for privacy intersection, comprising a memory, and one or more programs, wherein the one or more programs are stored in the memory, and the one or more programs are configured to be executed by one or more processors and comprise instructions for performing the privacy intersection method described in one or more embodiments above.
Fig. 6 is a block diagram illustrating an apparatus 800 for privacy intersection according to an example embodiment. For example, the apparatus 800 may be a mobile phone, a computer, a digital broadcast terminal, a messaging device, a game console, a tablet device, a medical device, an exercise device, a personal digital assistant, and the like.
Referring to fig. 6, the apparatus 800 may include one or more of the following components: processing component 802, memory 804, power component 806, multimedia component 808, audio component 810, input/output (I/O) interface 812, sensor component 814, and communication component 816.
The processing component 802 generally controls overall operation of the device 800, such as operations associated with display, telephone calls, data communications, camera operations, and recording operations. The processing elements 802 may include one or more processors 820 to execute instructions to perform all or a portion of the steps of the methods described above. Further, the processing component 802 can include one or more modules that facilitate interaction between the processing component 802 and other components. For example, the processing component 802 can include a multimedia module to facilitate interaction between the multimedia component 808 and the processing component 802.
The memory 804 is configured to store various types of data to support operation at the device 800. Examples of such data include instructions for any application or method operating on device 800, contact data, phonebook data, messages, pictures, videos, and so forth. The memory 804 may be implemented by any type or combination of volatile or non-volatile memory devices, such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disks.
A power supply component 806 provides power to the various components of the device 800. The power components 806 may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power for the apparatus 800.
The multimedia component 808 includes a screen that provides an output interface between the device 800 and a user. In some embodiments, the screen may include a Liquid Crystal Display (LCD) and a Touch Panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive an input signal from a user. The touch panel includes one or more touch sensors to sense touch, slide, and gestures on the touch panel. The touch sensor may not only sense the boundary of a touch or slide action, but also detect the duration and pressure associated with the touch or slide operation. In some embodiments, the multimedia component 808 includes a front facing camera and/or a rear facing camera. The front-facing camera and/or the rear-facing camera may receive external multimedia data when the device 800 is in an operating mode, such as a shooting mode or a video mode. Each front camera and rear camera may be a fixed optical lens system or have a focal length and optical zoom capability.
The audio component 810 is configured to output and/or input audio signals. For example, the audio component 810 includes a Microphone (MIC) configured to receive external audio signals when the apparatus 800 is in an operational mode, such as a call mode, a recording mode, and a voice information processing mode. The received audio signals may further be stored in the memory 804 or transmitted via the communication component 816. In some embodiments, audio component 810 also includes a speaker for outputting audio signals.
The I/O interface 812 provides an interface between the processing component 802 and peripheral interface modules, which may be keyboards, click wheels, buttons, etc. These buttons may include, but are not limited to: a home button, a volume button, a start button, and a lock button.
The sensor assembly 814 includes one or more sensors for providing various aspects of state assessment for the device 800. For example, the sensor assembly 814 may detect the open/closed state of the device 800, the relative positioning of components, such as a display and keypad of the apparatus 800, the sensor assembly 814 may also search for a change in the position of the apparatus 800 or a component of the apparatus 800, the presence or absence of user contact with the apparatus 800, orientation or acceleration/deceleration of the apparatus 800, and a change in the temperature of the apparatus 800. Sensor assembly 814 may include a proximity sensor configured to detect the presence of a nearby object without any physical contact. The sensor assembly 814 may also include a light sensor, such as a CMOS or CCD image sensor, for use in imaging applications. In some embodiments, the sensor assembly 814 may also include an acceleration sensor, a gyroscope sensor, a magnetic sensor, a pressure sensor, or a temperature sensor.
The communication component 816 is configured to facilitate communications between the apparatus 800 and other devices in a wired or wireless manner. The device 800 may access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof. In an exemplary embodiment, the communication component 816 receives a broadcast signal or broadcast related information from an external broadcast management system via a broadcast channel. In an exemplary embodiment, the communication component 816 further includes a Near Field Communication (NFC) module to facilitate short-range communications. For example, the NFC module may be implemented based on Radio Frequency Identification (RFID) technology, Infrared Data Association (IrDA) technology, Ultra-Wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.
In an exemplary embodiment, the apparatus 800 may be implemented by one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), controllers, micro-controllers, microprocessors or other electronic components for performing the above-described methods.
In an exemplary embodiment, a non-transitory computer-readable storage medium comprising instructions, such as the memory 804 comprising instructions, executable by the processor 820 of the device 800 to perform the above-described method is also provided. For example, the non-transitory computer readable storage medium may be a ROM, a Random Access Memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like.
Fig. 7 is a schematic diagram of a server in some embodiments of the invention. The server 1900, which may vary considerably in configuration or performance, may include one or more Central Processing Units (CPUs) 1922 (e.g., one or more processors) and memory 1932, one or more storage media 1930 (e.g., one or more mass storage devices) storing applications 1942 or data 1944. Memory 1932 and storage medium 1930 can be, among other things, transient or persistent storage. The program stored in the storage medium 1930 may include one or more modules (not shown), each of which may include a sequence of instructions operating on a server. Still further, a central processor 1922 may be provided in communication with the storage medium 1930 to execute a series of instruction operations in the storage medium 1930 on the server 1900.
The server 1900 may also include one or more power supplies 1926, one or more wired or wireless network interfaces 1950, one or more input-output interfaces 1958, one or more keyboards 1956, and/or one or more operating systems 1941, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.
A non-transitory computer readable storage medium having instructions therein, which when executed by a processor of an apparatus (server or terminal), enable the apparatus to perform the privacy intersection method shown in fig. 1.
A non-transitory computer-readable storage medium, wherein instructions in the storage medium, when executed by a processor of an apparatus (server or terminal), enable the apparatus to perform the privacy intersection method described in the embodiment corresponding to fig. 1; the description is therefore not repeated here. In addition, the beneficial effects of the same method are not described in detail. For technical details not disclosed in the embodiments of the computer program product or the computer program referred to in the present application, reference is made to the description of the embodiments of the method of the present application.
Further, it should be noted that: embodiments of the present application also provide a computer program product or computer program, which may include computer instructions, which may be stored in a computer-readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium and executes them, so that the computer device performs the privacy intersection method described in the embodiment corresponding to fig. 1; details are therefore not repeated here. In addition, the beneficial effects of the same method are not described in detail. For technical details not disclosed in the embodiments of the computer program product or the computer program referred to in the present application, reference is made to the description of the embodiments of the method of the present application.
Other embodiments of the invention will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This invention is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the invention and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the invention being indicated by the following claims.
It will be understood that the invention is not limited to the precise arrangements that have been described above and shown in the drawings, and that various modifications and changes can be made without departing from the scope thereof. The scope of the invention is limited only by the appended claims.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and should not be taken as limiting the scope of the present invention, which is intended to cover any modifications, equivalents, improvements, etc. within the spirit and scope of the present invention.
The privacy intersection method, the privacy intersection system, the apparatus for privacy intersection and the readable storage medium provided by the invention are described in detail above. Specific examples are used herein to explain the principles and embodiments of the invention, and the description of the above embodiments is only intended to help in understanding the method and core ideas of the invention. Meanwhile, for a person skilled in the art, the specific embodiments and the scope of application may vary according to the idea of the present invention. In summary, the content of this specification should not be construed as a limitation of the present invention.

Claims (11)

1. A privacy intersection method for computing the privacy intersection of a first data set of a first party and a second data set of a second party, the method comprising:
the first party executes a first hash operation on the first data set to obtain a first hash table; the second party executes a second hash operation on the second data set to obtain a second hash table;
the first party executes an out-of-order secret sharing protocol based on the first hash table and the second party, so that the first party obtains an updated first hash table, and the second party obtains a first sharing sequence; the updated first hash table and the first sharing sequence form an out-of-order secret sharing result of the first hash table after being disordered by a first out-of-order sequence, wherein the first out-of-order sequence is owned by the second party;
the second party conducts disorder operation on the second hash table by using the first disorder sequence, and subtracts data at corresponding positions in the first sharing sequence from each data in the disorder second hash table respectively to obtain an updated second hash table;
the first party and the second party execute an oblivious pseudorandom function OPRF protocol, so that the first party obtains a first OPRF result corresponding to each data in the updated first hash table, and the second party obtains a second OPRF result corresponding to each data in the updated second hash table;
the second party sends the second OPRF result to the first party, the first party compares the first OPRF result with the second OPRF result and obtains a first target set according to the comparison result, and the first target set comprises the data in the updated first hash table at each position whose first OPRF result equals the second OPRF result;
the first party acquires a secret sharing result of intersection data of the first data set and the second data set based on the first target set and the second party based on the first sharing sequence.
2. The method of claim 1, wherein the first hash operation comprises a cuckoo hash operation and the second hash operation comprises a simple hash operation, wherein the first hash operation and the second hash operation use the same hash function, and wherein the first hash table and the second hash table are equal in length.
3. The method according to claim 1, wherein the subtracting, from each piece of data in the out-of-order second hash table, the piece of data at the corresponding position in the first share sequence includes:
and when more than two pieces of data exist at a certain position in the second hash table after disorder, subtracting the data at the corresponding position in the first sharing sequence from the more than two pieces of data respectively.
4. The method of claim 1, wherein the first party and the second party perform an oblivious pseudorandom function OPRF protocol so that the first party obtains a first OPRF result corresponding to each data in the updated first hash table, and the second party obtains a second OPRF result corresponding to each data in the updated second hash table, the method comprising:
the first party serves as a receiving party, the data in the updated first hash table and the position information of the data are used as input data of an OPRF protocol, the second party serves as a sending party, the two parties execute a batch OPRF protocol, so that the first party obtains a first OPRF result corresponding to the data in the updated first hash table under the position information of the data, and the second party obtains an OPRF key corresponding to each piece of position information;
and the second party calculates and obtains a second OPRF result corresponding to each data in the updated second hash table under the position information thereof by using the OPRF key corresponding to each position information and each data in the updated second hash table and the position information thereof.
5. The method of claim 1, wherein the first target set and the first and second hash tables are equal in length, and wherein the first party obtains a secret sharing result of intersection data of the first and second data sets based on the first target set and the second party based on the first sharing sequence, and comprises:
the second party executes an out-of-order secret sharing protocol with the first party based on the first sharing sequence, so that the second party obtains an updated first sharing sequence, and the first party obtains a second sharing sequence; the updated first sharing sequence and the updated second sharing sequence form an out-of-order secret sharing result of the first sharing sequence after being scrambled by a second out-of-order sequence, wherein the second out-of-order sequence is owned by the first party;
the first party conducts disorder operation on the first target set by using the second disorder sequence, and adds data at corresponding positions in the second sharing sequence to each data in the disorder first target set to obtain an updated first target set;
the first party sends the position information of the intersection related data in the updated first target set to the second party, and the second party extracts data corresponding to the position information from the updated first sharing sequence to obtain a second target set; the updated first target set and the second target set constitute a secret sharing result of intersection data of the first data set and the second data set.
6. The method of claim 1, wherein the out-of-order secret sharing protocol is implemented based on an additively homomorphic encryption algorithm or the out-of-order secret sharing protocol is implemented based on an oblivious transfer protocol.
7. The method of claim 1, wherein the first party performs an out-of-order secret sharing protocol with the second party based on the first hash table, comprising:
the first party generates a homomorphic encrypted private key and a public key, encrypts the first hash table by using the public key, and sends the encrypted first hash table and the public key to the second party;
the second party generates a first disorder sequence and a local random number sequence, and performs disorder operation on the local random number sequence by using the first disorder sequence to obtain a first sharing sequence;
the second party performs homomorphic operation on each data in the encrypted first hash table and the data at the corresponding position in the local random number sequence by using the public key to obtain an intermediate sequence;
the second party conducts disorder operation on the intermediate sequence by using the first disorder sequence to obtain a target disorder result;
the second party sends the target out-of-order result to the first party;
and the first party decrypts the target out-of-order result by using the public key and the private key to obtain an updated first hash table.
8. The method of claim 1, wherein the first party performs an out-of-order secret sharing protocol with the second party based on the first hash table, comprising:
the second party generates a first random number sequence with the length of m, wherein m is the length of the first hash table;
the first party and the second party execute n × 2^(n-1) preset operators based on an oblivious transfer protocol, so that the first party obtains an updated first hash table and the second party obtains a second random number sequence of length m, where the sum of the data at a first position in the updated first hash table and in the second random number sequence is equal to the sum of the data at a second position in the first hash table and in the first random number sequence, and the first position is the position to which the second position is moved by the first out-of-order sequence;
and the second party calculates to obtain a first sharing sequence according to the first random number sequence and the second random number sequence, so that the first sharing sequence and the updated first hash table form a disordered secret sharing result of the first hash table.
9. A privacy intersection system for computing the privacy intersection of a first data set of a first party and a second data set of a second party, the system comprising the first party and the second party, wherein:
the first party is configured to perform a first hash operation on the first data set to obtain a first hash table, and execute an out-of-order secret sharing protocol based on the first hash table and the second party, so that the first party obtains an updated first hash table and the second party obtains a first sharing sequence; the updated first hash table and the first sharing sequence form an out-of-order secret sharing result after the first hash table is disturbed by a first out-of-order sequence, wherein the first out-of-order sequence is owned by the second party;
the second party is used for executing a second hash operation on the second data set to obtain a second hash table, performing the disorder operation on the second hash table by using the first disorder sequence, and subtracting data at corresponding positions in the first sharing sequence from each data in the disorder second hash table to obtain an updated second hash table;
the first party is further configured to, by executing an oblivious pseudorandom function OPRF protocol with the second party, enable the first party to obtain a first OPRF result corresponding to each data in the updated first hash table, and enable the second party to obtain a second OPRF result corresponding to each data in the updated second hash table;
the second party further configured to send the second OPRF result to the first party;
the first party is further configured to compare the first OPRF result with the second OPRF result, and obtain a first target set according to the comparison result, where the first target set includes data of a corresponding position of a first OPRF result equal to the second OPRF result in the updated first hash table;
the first party is further configured to obtain a secret sharing result of intersection data of the first data set and the second data set based on the first sharing sequence and the second party.
10. An apparatus for privacy intersection, comprising a memory, and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs comprising instructions for performing the privacy intersection method of any one of claims 1-8.
11. A readable storage medium having stored thereon instructions that, when executed by one or more processors of an apparatus, cause the apparatus to perform the privacy intersection method of any one of claims 1 to 8.
CN202310236753.1A 2023-03-07 2023-03-07 Privacy intersection method, system and readable storage medium Active CN115967491B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310236753.1A CN115967491B (en) 2023-03-07 2023-03-07 Privacy intersection method, system and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310236753.1A CN115967491B (en) 2023-03-07 2023-03-07 Privacy intersection method, system and readable storage medium

Publications (2)

Publication Number Publication Date
CN115967491A true CN115967491A (en) 2023-04-14
CN115967491B CN115967491B (en) 2023-05-23

Family

ID=85905157

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310236753.1A Active CN115967491B (en) 2023-03-07 2023-03-07 Privacy intersection method, system and readable storage medium

Country Status (1)

Country Link
CN (1) CN115967491B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190342270A1 (en) * 2018-05-07 2019-11-07 Microsoft Technology Licensing, Llc Computing a private set intersection
CN113259106A (en) * 2021-06-28 2021-08-13 华控清交信息科技(北京)有限公司 Data processing method and system
CN114329527A (en) * 2021-12-17 2022-04-12 阿里巴巴(中国)有限公司 Intersection data acquisition method, equipment and system
CN115186145A (en) * 2022-09-09 2022-10-14 华控清交信息科技(北京)有限公司 Privacy keyword query method, device and system
CN115333721A (en) * 2022-10-13 2022-11-11 北京融数联智科技有限公司 Privacy set intersection calculation method, device and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ZENGPENG LI; ZHENG YANG; PAWEL SZALACHOWSKI; JIANYING ZHOU: "Building Low-Interactivity Multifactor Authenticated Key Exchange for Industrial Internet of Things", IEEE INTERNET OF THINGS JOURNAL *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116488789A (en) * 2023-04-23 2023-07-25 北京火山引擎科技有限公司 Data processing method, device, equipment and medium
CN116488789B (en) * 2023-04-23 2024-06-07 北京火山引擎科技有限公司 Data processing method, device, equipment and medium
CN117171779A (en) * 2023-11-02 2023-12-05 闪捷信息科技有限公司 Data processing device based on intersection protection
CN117171779B (en) * 2023-11-02 2024-02-27 闪捷信息科技有限公司 Data processing device based on intersection protection
CN117574412A (en) * 2024-01-16 2024-02-20 国家计算机网络与信息安全管理中心天津分中心 Multiparty privacy exchange method and device and electronic equipment
CN117574412B (en) * 2024-01-16 2024-04-02 国家计算机网络与信息安全管理中心天津分中心 Multiparty privacy exchange method and device and electronic equipment

Also Published As

Publication number Publication date
CN115967491B (en) 2023-05-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant