CN116578950A - Model attribution right detection method, device, equipment and storage medium - Google Patents


Info

Publication number
CN116578950A
Authority
CN
China
Prior art keywords
model
training data
original
data
ciphertext
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310463453.7A
Other languages
Chinese (zh)
Inventor
王宇
慕鑫
黄正安
杨星
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Peng Cheng Laboratory
Original Assignee
Peng Cheng Laboratory
Application filed by Peng Cheng Laboratory

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption

Abstract

The invention discloses a method, a device, equipment and a storage medium for detecting model attribution right, and belongs to the technical field of model attribution right detection. The method comprises: acquiring original training data; invoking a key generation algorithm to generate a public key and corresponding private key data; encrypting the original training data by using different encryption algorithms based on the public key to obtain an encrypted training data set; performing model training based on the encrypted training data set to obtain a protected model; distributing the private key data and the protected model to corresponding authorized users, acquiring identity information of the authorized users, and binding the identity information with the protected model, the verification training data in the encrypted training data set and the private key data to obtain binding information; and detecting the attribution right of the protected model based on the binding information. By adopting a public key encryption mechanism to distribute different keys and versions of the same model to different authorized users, the method can detect whether the model or the keys have been propagated, which improves the property protection of the model.

Description

Model attribution right detection method, device, equipment and storage medium
Technical Field
The present invention relates to the field of model ownership detection technologies, and in particular, to a method, an apparatus, a device, and a storage medium for detecting model ownership.
Background
With the increasing penetration of social informatization, life digitalization and social networking, the protection of the intellectual property (IP) of digital products is becoming more and more important. According to data from the World Intellectual Property Organization (WIPO), the number of patents related to digital products has increased drastically in the last 10 years, the trading volume of digital products has increased year after year, and the protection of digital products has become a topic of great importance to the industry. In the digital world, simple copying is often much easier than creation and innovation, and the acquisition, access, propagation and copying of digital products have become more convenient. This leads to frequent infringement, causing huge economic losses to the owners of digital products and even posing a great potential threat to national security and economic development.
A Machine Learning (ML) model is a data structure, generated from data, that performs reasoning or prediction, and it is an explicit digital product. It is a crystallization of artificial intelligence technology that aggregates a large amount of data resources, human resources and electric power resources. Building a machine learning model requires continuous, long-term investment and consumes huge manpower, material resources and financial resources, so the model is a digital product with an extremely high acquisition cost. Property protection of machine learning models has become an important concern in recent years, and how to prevent machine learning models from being illegally copied, distributed and abused is an urgent need.
Existing ML model property protection technology is divided into two main directions. The first is the watermark-based method. The basic idea is to design a specific embedding mechanism and use it in the training process; the embedded information can be regarded as a kind of watermark by which the user can verify ownership. The second is the trigger-based approach. Typically, the algorithm uses a set of instances as a trigger set and embeds the trigger set information into the machine learning model during training, so that the model outputs a specific result when the trigger set is given as input. Upon verification, the trigger set is input to the machine learning model, and a unique and specific result is output to prove ownership of the model.
While the above techniques are capable of generating a protected model and distributing it to authorized users, in practice, authorized users may pass the model to unauthorized users without permission, or the model may be stolen and used by unauthorized model users, resulting in poor protection of the property rights of the model.
Disclosure of Invention
The invention mainly aims to provide a method, a device, equipment and a storage medium for detecting model attribution right, which aim to solve the technical problem that model property protection effect is poor due to unauthorized transmission of a model in the prior art.
In order to achieve the above object, the present invention provides a method for detecting model ownership, comprising the steps of:
acquiring original training data, wherein the original training data comprises first original training data and second original training data, and the first original training data and the second original training data are data of the same category;
invoking a key generation algorithm to generate a public key and corresponding private key data;
encrypting the original training data by using different encryption algorithms based on the public key to obtain an encrypted training data set;
model training is carried out based on the encryption training data set, and a protected model is obtained;
distributing the private key data and the protected model to corresponding authorized users, acquiring identity information of the authorized users, and binding the identity information with the protected model, verification training data in the encrypted training data set and the private key data to obtain binding information;
and detecting the attribution right of the protected model based on the binding information.
Optionally, the encrypted training data set includes encrypted training data and verification training data;
the encrypting the original training data by using different encryption algorithms based on the public key to obtain an encrypted training data set comprises the following steps:
Encrypting the first original training data by using an encryption algorithm based on the public key to obtain encrypted training data;
encrypting the second original training data by using a fake encryption algorithm based on the public key to obtain verification training data;
and taking the encrypted training data and the verification training data as an encrypted training data set.
Optionally, the first original training data includes a first original instance and a first original tag;
the encrypting the first original training data by using an encryption algorithm based on the public key to obtain encrypted training data comprises the following steps:
acquiring a first original tag in the first original training data;
encrypting the first original tag by using an encryption algorithm based on the public key to obtain a first original ciphertext;
expanding the first original ciphertext through a transfer function to obtain trainable vector data;
splicing the trainable vector data to obtain a first trainable label;
encrypted training data is obtained based on the first original instance and the first trainable tag.
Optionally, the encrypting the second original training data by using a fake encryption algorithm based on the public key to obtain verification training data includes:
acquiring a second original label in the second original training data;
encrypting the second original tag by using a fake encryption algorithm based on the public key to obtain a second original ciphertext;
expanding the second original ciphertext through a transfer function to obtain second trainable vector data;
splicing the second trainable vector data to obtain a second trainable label;
verification training data is obtained based on the second raw training data and the second trainable tag.
Optionally, the detecting the attribution right of the protected model based on the binding information includes:
when the user is detected to use the protected model, current identity information of the user is obtained;
invoking the verification training data, and inputting the verification training data into the protected model to obtain a detection label;
obtaining an inverse function of the transfer function;
converting the detection tag into a detection ciphertext through an inverse function of the transfer function;
sampling the detection ciphertext through a ciphertext sampling algorithm to obtain a sampling detection ciphertext;
the sampling detection ciphertext is sent to the user, so that the user decrypts the sampling detection ciphertext by using a decryption private key based on the sampling detection ciphertext, and the decryption result is fed back;
And inquiring the binding information according to the decryption result and the identity information to detect whether the protected model belongs to the user.
Optionally, after the sending the sample detection ciphertext to the user to enable the user to decrypt using a decryption private key based on the sample detection ciphertext, the method further includes:
detecting whether a decryption private key of a user is visible;
acquiring the decryption private key when the decryption private key is visible;
inquiring the binding information according to the decryption private key and the identity information, and detecting whether the private key of the corresponding identity information in the binding information is consistent with the decryption private key;
and when the private key is consistent with the decryption private key, determining that the protected model belongs to the user.
Optionally, the querying the binding information according to the decryption result and the identity information to detect whether the protected model belongs to the user includes:
inquiring the binding information according to the identity information to obtain a second original label corresponding to the identity information;
comparing the decryption result with the second original tag;
and when the decryption result is consistent with the second original label, determining that the protected model belongs to the user.
Optionally, after the model training is performed based on the encrypted training data to obtain the protected model, the method further includes:
obtaining data to be tested, wherein the data to be tested and the original training data belong to the same category;
inputting the data to be tested into the protected model for testing, and outputting a test value;
and verifying the protected model according to the test value.
Optionally, the verifying the protected model according to the test value includes:
obtaining an inverse function of the transfer function;
converting the test value into a test ciphertext according to an inverse function of the transfer function;
invoking a ciphertext sampling algorithm to sample the test ciphertext to obtain a sampling ciphertext;
decrypting by using a decryption algorithm based on the private key data and the sampling ciphertext to obtain a test tag;
and when the test tag is consistent with the tag in the data to be tested, determining that the protected model passes verification.
The method comprises: acquiring original training data; invoking a key generation algorithm to generate a public key and corresponding private key data; encrypting the original training data by using different encryption algorithms based on the public key to obtain an encrypted training data set; performing model training based on the encrypted training data set to obtain a protected model; distributing the private key data and the protected model to corresponding authorized users, acquiring identity information of the authorized users, and binding the identity information with the protected model, the verification training data in the encrypted training data set and the private key data to obtain binding information; and detecting the attribution right of the protected model based on the binding information. By adopting a public key encryption mechanism to distribute different keys and versions of the same model to different authorized users, the method can detect whether the model or the keys have been propagated, which improves the property protection of the model.
In addition, in order to achieve the above object, the present invention also proposes a model ownership detecting device, including:
the acquisition module is used for acquiring original training data, wherein the original training data comprises first original training data and second original training data, and the first original training data and the second original training data are data of the same class;
the calling module is used for calling a key generation algorithm to generate a public key and corresponding private key data;
the encryption module is used for encrypting the original training data by using different encryption algorithms based on the public key to obtain an encrypted training data set;
the training module is used for carrying out model training based on the encryption training data set to obtain a protected model;
the distribution module is used for distributing the private key data and the protected model to corresponding authorized users, acquiring identity information of the authorized users, and binding the identity information with the protected model, verification training data in the encrypted training data set and the private key data to obtain binding information;
and the detection module is used for detecting the attribution right of the protected model based on the binding information.
In addition, to achieve the above object, the present invention also proposes a model ownership detecting apparatus including: a memory, a processor, and a model ownership detection program stored on the memory and executable on the processor, the model ownership detection program configured to implement the steps of the model ownership detection method as described above.
In addition, in order to achieve the above object, the present invention also proposes a storage medium having stored thereon a model ownership detecting program which, when executed by a processor, implements the steps of the model ownership detecting method as described above.
According to the invention, original training data is acquired; a key generation algorithm is invoked to generate a public key and corresponding private key data; the original training data is encrypted by using different encryption algorithms based on the public key to obtain an encrypted training data set; and model training is carried out based on the encrypted training data set to obtain a protected model. A single training run can serve a plurality of model users, which avoids repeated training time and computing resources and effectively improves production efficiency. The private key data and the protected model are distributed to the corresponding authorized users, identity information of the authorized users is acquired, and the identity information is bound with the protected model, the verification training data in the encrypted training data set and the private key data to obtain binding information. The attribution right of the protected model is detected based on the binding information. By adopting a public key encryption mechanism to distribute different keys and versions of the same model to different authorized users, it can be detected whether the model or the key has been propagated, unauthorized propagation of the model can be effectively checked and identified, and the property protection of the model is improved.
Drawings
FIG. 1 is a schematic diagram of a model ownership detecting device of a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flowchart of a first embodiment of a method for detecting model ownership according to the present invention;
FIG. 3 is a schematic diagram of a model ownership detecting system according to an embodiment of the model ownership detecting method of the present invention;
FIG. 4 is a flow chart of the encryption and training of the original training data to generate a protected model according to an embodiment of the model ownership detection method of the present invention;
FIG. 5 is a schematic diagram of distributing a protected model and generating binding information according to an embodiment of the model ownership detection method of the present invention;
FIG. 6 is a flow chart of model training and distribution in one embodiment of the model ownership detection method of the present invention;
FIG. 7 is a flowchart of a second embodiment of the model ownership detection method according to the present invention;
FIG. 8 is a schematic diagram of a first trainable tag generating process in an embodiment of a method for detecting a model ownership of the present invention;
FIG. 9 is a flowchart of a third embodiment of the method for detecting the ownership of a model according to the present invention;
FIG. 10 is a schematic diagram of a protected model checking and authentication process according to an embodiment of the present invention;
FIG. 11 is a schematic diagram of a process for checking and authenticating a protected model according to an embodiment of the present invention;
FIG. 12 is a flowchart of a fourth embodiment of the model ownership detecting method according to the present invention;
FIG. 13 is a schematic diagram illustrating a process of decrypting a test value according to an embodiment of the present invention;
FIG. 14 is a flow chart of testing a model in an embodiment of the model ownership detection method of the present invention;
FIG. 15 is a block diagram showing the construction of a first embodiment of the model ownership detecting device according to the present invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a model ownership detecting device of a hardware running environment according to an embodiment of the present invention.
As shown in fig. 1, the model ownership detecting device may include: a processor 1001, such as a central processing unit (Central Processing Unit, CPU), a communication bus 1002, a user interface 1003, a network interface 1004, a memory 1005. Wherein the communication bus 1002 is used to enable connected communication between these components. The user interface 1003 may include a Display, an input unit such as a Keyboard (Keyboard), and the optional user interface 1003 may further include a standard wired interface, a wireless interface. The network interface 1004 may optionally include a standard wired interface, a Wireless interface (e.g., a Wireless-Fidelity (Wi-Fi) interface). The Memory 1005 may be a high-speed random access Memory (Random Access Memory, RAM) or a stable nonvolatile Memory (NVM), such as a disk Memory. The memory 1005 may also optionally be a storage device separate from the processor 1001 described above.
It will be appreciated by those skilled in the art that the structure shown in fig. 1 does not constitute a limitation of the model ownership detection device, which may include more or fewer components than shown, may combine certain components, or may use a different arrangement of components.
As shown in fig. 1, an operating system, a network communication module, a user interface module, and a model ownership detection program may be included in the memory 1005 as one type of storage medium.
In the model ownership detecting device shown in fig. 1, the network interface 1004 is mainly used for data communication with a network server; the user interface 1003 is mainly used for data interaction with a user; the processor 1001 and the memory 1005 in the model ownership detecting device of the present invention may be provided in the model ownership detecting device, and the model ownership detecting device invokes the model ownership detecting program stored in the memory 1005 through the processor 1001 and executes the model ownership detecting method provided by the embodiment of the present invention.
The embodiment of the invention provides a model attribution right detection method, referring to fig. 2, fig. 2 is a flow chart of a first embodiment of the model attribution right detection method of the invention.
In this embodiment, the method for detecting the model ownership includes the following steps:
Step S10: the method comprises the steps of obtaining original training data, wherein the original training data comprise first original training data and second original training data, and the first original training data and the second original training data are data of the same category.
The execution subject of the present embodiment is a model ownership detecting system, and may be other devices or systems capable of realizing the same or similar functions, which is not limited in this embodiment, and the present embodiment is described by taking the model ownership detecting system as an example.
In a specific implementation, the model attribution right detection system comprises a model training module, a model testing module and a model checking module. The model training module trains on data to generate a protected machine learning model. The model testing module tests the protected model and outputs a predicted result for the input test data. The model checking module checks the attribution right of the protected model and detects whether the protected model is used by an unauthorized user. Data processing in the model training module, the model testing module and the model checking module uses a public key encryption mechanism with a key "many-to-one" property, and related data in the system is encrypted through this mechanism. As shown in fig. 3, which is a schematic structural diagram of the model ownership detecting system, the system includes the model training module, the model testing module and the model checking module, and the public key encryption mechanism with the key "many-to-one" property runs through all three modules, so that the system can detect the user ownership of the model. The system provided in this embodiment is combined with a public key encryption scheme having the key "many-to-one" property, and other instances of public key encryption schemes with the key "many-to-one" property also fall within the protection scope of this patent.
In a specific implementation, the model attribution right detection system mainly relates to two roles, namely a model producer and a model consumer, wherein the model producer is mainly responsible for training and checking the model, and particularly relates to a model training module and a model checking module, the model consumer is a user of the model, is an authorized user of the model producer, and mainly relates to a testing process of the model.
It should be understood that the original training data is the data used for training the model. It is not encrypted and includes first original training data and second original training data, which belong to the same class of data; for example, both are picture data or both are text data, which is not limited in this embodiment. The first original training data is used for training the model, and the second original training data is used both for training the model and for detecting the attribution right of the model.
Step S20: and calling a key generation algorithm to generate a public key and corresponding private key data.
The key generation algorithm is the Gen algorithm. It takes a natural number P as input and outputs a public key pk and P private keys, so that the public key and the corresponding private key data are generated by the key generation algorithm.
In a specific embodiment, let $G_q$ be a cyclic group of prime order $q$ with generator $g_1$, and write $Z_q = \{0, 1, \ldots, q-1\}$, $Z'_q = Z_q$. The public key encryption mechanism with the key "many-to-one" property, $CS_{lite}$ = (Gen, Enc, Dec, Fake, SampDist), is constructed as follows. On input of a natural number P, the key generation algorithm generates a public key and corresponding private key data: $t$ is selected uniformly at random from $Z'_q$ and $g_2$ is calculated, where $g_2$ is given by formula 1:
(1)
From $Z_q$, $a_1$ and $b_1$ are selected uniformly at random and $h$ is calculated, where $h$ is given by formula 2:
(2)
From $Z_q$, $b_2, \ldots, b_p$ are selected uniformly at random such that they are pairwise distinct and not equal to $b_1$. Then $a_2 = a_1 + (b_1 - b_2)t, \ldots, a_p = a_1 + (b_1 - b_p)t$ are calculated. Let the public key be $pk = (g_1, g_2, h)$ and the private keys be $sk_j = (a_j, b_j)$, where $j \in \{1, \ldots, p\}$. The output is (pk, sk), where pk is the public key and sk is the private key data.
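The many-to-one key generation of step S20, as an added example that is not part of the patent text. Formulas 1 and 2 are missing on this page, so the code assumes the usual Cramer-Shoup-lite forms g2 = g1^t and h = g1^a1 · g2^b1, with ElGamal-style Enc and Dec. The toy group and the helpers `encode_label`, `probe` and `trace` are hypothetical, and show why pairwise-distinct b_j make the distributed keys distinguishable.

```python
import secrets

# Toy group, constructed for this demo and far too small for real use:
# P_MOD = 2*Q + 1 with Q prime, so the squares mod P_MOD form the group G_q
# of prime order Q, generated by G1 = 4.
Q, P_MOD, G1 = 1019, 2039, 4


def gen(num_keys):
    """Gen: return pk = (g1, g2, h) and num_keys private keys sk_j = (a_j, b_j)."""
    t = 1 + secrets.randbelow(Q - 1)      # nonzero t (assumption) so g2 != 1
    g2 = pow(G1, t, P_MOD)                # assumed form of formula 1
    a1 = secrets.randbelow(Q)
    bs = []
    while len(bs) < num_keys:             # b_1..b_p pairwise distinct
        b = secrets.randbelow(Q)
        if b not in bs:
            bs.append(b)
    # Assumed form of formula 2: h = g1^a1 * g2^b1.
    h = pow(G1, a1, P_MOD) * pow(g2, bs[0], P_MOD) % P_MOD
    # a_j = a_1 + (b_1 - b_j) t, so a_j + b_j t is the same for every j.
    sks = [((a1 + (bs[0] - b) * t) % Q, b) for b in bs]
    return (G1, g2, h), sks


def matches_public_key(pk, sk):
    """True if g1^a_j * g2^b_j equals h, i.e. sk belongs to this pk."""
    g1, g2, h = pk
    a, b = sk
    return pow(g1, a, P_MOD) * pow(g2, b, P_MOD) % P_MOD == h


def encode_label(label):
    """Map a small integer label into G_q (hypothetical encoding)."""
    return pow(G1, label + 1, P_MOD)


def enc(pk, m):
    """Assumed ElGamal-style Enc: the same exponent r on g1 and g2."""
    g1, g2, h = pk
    r = 1 + secrets.randbelow(Q - 1)
    return pow(g1, r, P_MOD), pow(g2, r, P_MOD), m * pow(h, r, P_MOD) % P_MOD


def dec(sk, ct):
    """Assumed Dec: strip the mask u1^a * u2^b from e."""
    a, b = sk
    u1, u2, e = ct
    mask = pow(u1, a, P_MOD) * pow(u2, b, P_MOD) % P_MOD
    return e * pow(mask, -1, P_MOD) % P_MOD


def probe(pk, m):
    """Hypothetical ciphertext with different exponents on g1 and g2.

    Key j decrypts it to m * g1^(b_j * t * (r1 - r2)), which differs per key.
    """
    g1, g2, h = pk
    r1 = 1 + secrets.randbelow(Q - 1)
    r2 = (r1 + 1 + secrets.randbelow(Q - 1)) % Q   # r2 != r1 (mod Q)
    return pow(g1, r1, P_MOD), pow(g2, r2, P_MOD), m * pow(h, r1, P_MOD) % P_MOD


def trace(sks, ct, result):
    """1-based indices j of the keys sk_j that decrypt ct to result."""
    return [j for j, sk in enumerate(sks, start=1) if dec(sk, ct) == result]


if __name__ == "__main__":
    pk, sks = gen(4)
    label = encode_label(3)
    honest = enc(pk, label)
    print("all keys match pk:", all(matches_public_key(pk, sk) for sk in sks))
    print("all keys decrypt honest ct:", all(dec(sk, honest) == label for sk in sks))
    marked = probe(pk, label)
    answer = dec(sks[1], marked)          # what the holder of sk_2 would return
    print("probe answer traces to key:", trace(sks, marked, answer))
```

Every private key opens an honestly encrypted label, while a ciphertext with mismatched exponents decrypts to a different value under each key, so a returned decryption result identifies which key was used.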
Step S30: and encrypting the original training data by using different encryption algorithms based on the public key to obtain an encrypted training data set.
It should be noted that the encryption algorithms specifically include the encryption algorithm Enc and the fake encryption algorithm Fake. The encryption algorithm Enc encrypts the first original training data in the original training data, and the fake encryption algorithm Fake encrypts the second original training data in the original training data, so as to obtain the encrypted training data set.
Step S40: and performing model training based on the encryption training data set to obtain a protected model.
It should be appreciated that after the encrypted training data set is obtained, a model may be created and the created model may be model trained using the encrypted training data set to obtain a protected model.
As shown in fig. 4, which is a schematic flow chart of generating a protected model through encryption and training of the original training data, the original training data comprises first original training data and second original training data. The original training data is encrypted through the encryption mechanism to obtain an encrypted training data set, which comprises encrypted training data and verification training data. A new model is built, the encrypted training data set and the new model are input into the model training module, and the new model is trained to obtain the protected model. The different protected models have corresponding private keys.
Step S50: and distributing the private key data and the protected model to corresponding authorized users, acquiring identity information of the authorized users, and binding the identity information with the protected model, verification training data in the encrypted training data set and the private key data to obtain binding information.
It should be noted that the key generation algorithm generates a plurality of private keys, and different protected models correspond to different private keys. The corresponding private key in the private key data and the protected model are distributed to the corresponding authorized user, the identity information of the authorized user is acquired, and the identity information of the authorized user, the protected model, the verification training data in the encrypted training data set and the private key data are bound to obtain binding information. The binding information and the distribution result are recorded in the established identity information database, which can be queried directly when the attribution right of the protected model is subsequently detected. By comparing against the data in the model producer's identity information database, it can further be determined which model user a propagated protected model and private key belong to, so that unauthorized propagation of the model can be effectively checked and identified.
In a specific implementation, in a networking state, the identity information of the authorized user can be obtained by obtaining a user use information log and uploading the log, and in an offline state, the identity information of the authorized user can be obtained by actively uploading a model use log which needs to be verified by the user.
As shown in fig. 5, fig. 5 is a schematic diagram of distributing a protected model and generating binding information. The private key data and the protected model are distributed to the corresponding model users, that is, authorized users; the private key data, the protected model, the verification training data in the encrypted training data set, and the identity information of the authorized users are bound to generate binding information; and the binding information is stored in an identity information database, where different private keys in the identity information database correspond to different protected models and different model users, for example, the private key in the protected model is sk_1, the private key in the protected model is sk_2, the private key in the protected model is sk_3, and the private key in the protected model is sk_2. As shown in fig. 6, fig. 6 is a model training and distribution flow chart, in which original data is encrypted by using an encryption algorithm to obtain ciphertext c, the ciphertext c is processed by using a transfer function to obtain an encrypted training data set, model training is performed by using the encrypted training data set to obtain a protected model, and the private key data and the protected model are distributed to the corresponding model users. For example, the protected model and private key sk_1 are distributed to model user o_1, the protected model and private key sk_2 are distributed to model user o_2, and the protected model and private key sk_n are distributed to model user o_n.
Step S60: and detecting the attribution right of the protected model based on the binding information.
In a specific implementation, when the attribution right of the protected model needs to be detected, binding information can be queried in the identity information database according to the use information of the protected model, so that the attribution right of the protected model is detected according to the binding information.
In this embodiment, original training data is obtained; a key generation algorithm is invoked to generate a public key and corresponding private key data; the original training data is encrypted by using different encryption algorithms based on the public key to obtain an encrypted training data set; and model training is carried out based on the encrypted training data set to obtain a protected model. A single training run can thus provide trained models for a plurality of model users, which avoids repeated training time and computing resources and effectively improves production efficiency. The private key data and the protected model are distributed to the corresponding authorized users, the identity information of the authorized users is obtained, and the identity information is bound with the protected model, the verification training data in the encrypted training data set and the private key data to obtain binding information. The attribution right of the protected model is detected based on the binding information. Because a public key encryption mechanism is adopted to distribute different keys and versions of the same model to different authorized users, it can be detected whether the model or the key has been transmitted, unauthorized transmission of the model can be effectively checked and identified, and the property protection of the model is improved.
Referring to fig. 7, fig. 7 is a flowchart of a second embodiment of the model ownership detecting method according to the present invention.
Based on the above first embodiment, the encrypted training data set in this embodiment includes encrypted training data and verification training data, and step S30 of the method for detecting the ownership of the model in this embodiment specifically includes:
step S301: and encrypting the first original training data by using an encryption algorithm based on the public key to obtain encrypted training data.
It should be noted that, the encryption processing algorithm for the first original training data is different from that for the second original training data, and the first original data can be encrypted by using the Enc encryption algorithm through the public key to obtain the encrypted training data.
In a specific implementation, the first raw training data includes a first original instance and a first original label: the first raw training data is (x_i, y_i), where x_i is the first original instance and y_i is the first original label.
Further, the step of encrypting the first original training data by using an encryption algorithm through the public key specifically includes: acquiring a first original tag in the first original training data; encrypting the first original tag by using an encryption algorithm based on the public key to obtain a first original ciphertext; expanding the first original ciphertext through a transfer function to obtain trainable vector data; splicing the trainable vector data to obtain a first trainable label; encrypted training data is obtained based on the first original instance and the first trainable tag.
It should be noted that the first original tag y_i in the first original training data is acquired and the public key pk is input into the encryption algorithm Enc, so that the first original tag y_i is encrypted with the public key by the encryption algorithm to generate a first original ciphertext. The inputs are the public key pk = (g_1, g_2, H) and the first original label y_i. First, r is selected uniformly at random from Z_q, and u_1, u_2 and u_3 are calculated as in formula 3:
(3)
In formula 3, the first original tag y_i is encrypted with the public key to generate the first original ciphertext c = (u_1, u_2, u_3).
Optionally, since the first original ciphertext c is not a standard structure that can be used for training a machine learning model and cannot be trained on directly, each ciphertext needs to be expanded into a trainable data structure and spliced to form a data type that can be used for training. The first original ciphertext c can therefore be expanded through a transfer function φ to obtain trainable vector data, and the trainable vector data can be spliced to obtain the first trainable tag [y], thereby forming the encrypted training data {x_i, [y_i]} from the first original instance and the first trainable tag. As shown in fig. 8, fig. 8 is a schematic diagram of a first trainable label generating process. For example, for a handwriting picture of the existing MNIST data set with the first original label y = {0,0,0,0,0,0,0,1,0,0}, the plaintext label y is first converted into the first original ciphertext c = (4, 5, 8) through the encryption algorithm Enc and the public key pk. The first original ciphertext c = (4, 5, 8) is then expanded into trainable vector data, namely 4 = {0,0,0,0,1,0,0,0,0,0}, 5 = {0,0,0,0,0,1,0,0,0,0}, 8 = {0,0,0,0,0,0,0,0,1,0}. Finally, the trainable vector data is concatenated to obtain the first trainable label [y]:
[y] = {0,0,0,0,1,0,0,0,0,0,
0,0,0,0,0,1,0,0,0,0,
0,0,0,0,0,0,0,0,1,0}
The first trainable tag [y] may be used for model training. Unlike encrypting the data directly, this approach encrypts only the tag in the first raw training data. The dimension of the tag is generally smaller than the dimension of the data, so the time and computing resources required for encrypting the tag are generally smaller than those required for encrypting the data directly, thereby improving the computing efficiency and the data processing efficiency.
Step S302: and encrypting the second original training data by using a fake encryption algorithm based on the public key to obtain verification training data.
In specific implementation, the Fake encryption algorithm is a Fake algorithm, and the Fake algorithm takes the public key pk as input to output an irregular ciphertext c ', so that the irregular ciphertext c' is processed to obtain verification training data.
Optionally, the process of encrypting the second original training data based on the public key using the fake encryption algorithm to obtain the verification training data includes: acquiring a second original label in the second original training data; encrypting the second original tag by using a fake encryption algorithm based on the public key to obtain a second original ciphertext; expanding the second original ciphertext through a transfer function to obtain second trainable vector data; splicing the second trainable vector data to obtain a second trainable label; verification training data is obtained based on the second raw training data and the second trainable tag.
In a specific implementation, the second original training data includes a second original tag y'. The second original tag y' is encrypted by the fake encryption algorithm and the public key pk to obtain a second original ciphertext c'. With the public key pk = (g_1, g_2, H) as input, r_1 and r_2 with r_1 ≠ r_2 are selected uniformly at random from Z_q, and the second original ciphertext c' is calculated as in formula 4:
(4)
Then u_3' is selected uniformly at random from Z_q, giving the second original ciphertext c' = (u_1', u_2', u_3').
In a specific implementation, the second original ciphertext may be expanded by the transfer function to obtain second trainable vector data, and the second trainable vector data may be spliced to obtain a second trainable tag [y'], whereby the verification training data {x_i', [y_i']} is obtained from the second raw training data and the second trainable tag.
It should be appreciated that for any ciphertext c' generated by the fake encryption algorithm Fake(pk) and any different j_1, j_2 ∈ {1, ..., P}.
Step S303: and taking the encrypted training data and the verification training data as an encrypted training data set.
After the encrypted training data and the verification training data are obtained, they are used together as the encrypted training data set, so that model training is performed on the encrypted training data set and a protected model is generated.
In the embodiment, encryption processing is performed on the first original training data by using an encryption algorithm based on the public key to obtain encrypted training data; encrypting the second original training data by using a fake encryption algorithm based on the public key to obtain verification training data; and encrypting the original training data by using the encrypted training data and the verification training data as an encrypted training data set through different encryption algorithms, so that model training is carried out through the encrypted training data set, and the calculation efficiency and the data processing efficiency are improved.
Referring to fig. 9, fig. 9 is a flowchart of a third embodiment of the model ownership detecting method according to the present invention.
Based on the above first embodiment, the step S60 of the method for detecting the model ownership of the present embodiment specifically includes:
step S601: and when the user is detected to use the protected model, acquiring the current identity information of the user.
It should be noted that, when the user is detected to use the protected model, the current identity information of the user can be obtained, so as to facilitate detection of the model attribution right.
Step S602: and calling the verification training data, and inputting the verification training data into the protected model to obtain a detection label.
It should be understood that when model ownership detection is required, the verification training data may be invoked and input to the protected model to obtain a detection tag. Since the protected model takes an instance in the encrypted training data set as input and outputs a tag in the encrypted training data set, inputting the verification training data (x, [y']) to the protected model yields the detection tag [y'] as output.
Step S603: an inverse of the transfer function is obtained.
In a specific implementation, once the detection tag [y'] is obtained, it can be converted into ciphertext by the inverse function of the transfer function, so the inverse function φ^-1 of the transfer function is obtained.
Step S604: and converting the detection tag into a detection ciphertext through an inverse function of the transfer function.
It should be noted that the detection tag [y'] can be converted into a detection ciphertext c' through the inverse function φ^-1 of the transfer function.
Step S605: and sampling the detection ciphertext through a ciphertext sampling algorithm to obtain a sampling detection ciphertext.
The ciphertext sampling algorithm is a sampdit algorithm, which takes a ciphertext as input and outputs a new ciphertext. The detection ciphertext c' is input to the ciphertext sampling algorithm, thereby obtaining a sampling detection ciphertext c″.
In this embodiment, sampdit(Enc(pk, y)) has the same distribution as Enc(pk, y).
Step S606: and sending the sampling detection ciphertext to the user, so that the user decrypts the sampling detection ciphertext by using a decryption private key based on the sampling detection ciphertext, and feeding back a decryption result.
After the sampling detection ciphertext is obtained, it needs to be decrypted by using the private key, so the sampling detection ciphertext can be sent to the user, the user can decrypt it by using the decryption private key, and the decryption result is fed back.
The decryption private key is the private key data that was distributed to the user when the model producer distributed the protected model to the authorized user. If the user is not an authorized user, the decryption private key is a wrong private key and the decryption result is also a wrong result, so the decryption result of the user can be received and used to detect whether the user has the right to use the protected model.
When the user decrypts with the decryption private key, the decryption algorithm Dec may be used: it takes the private key sk and the sampling detection ciphertext c″ as inputs and outputs the decryption tag. For any j ∈ {1, ..., P}, the decryption algorithm satisfies Dec(sk_j, Enc(pk, y)) = y.
As shown in fig. 10, fig. 10 is a schematic diagram of a protected model checking and authentication flow. When the attribution right of the protected model needs to be detected, the verification training data, the protected model and the private key of the user are input to the model checking module, the decryption result is output, and the identity information database is queried with the decryption result, so as to detect whether the user of the model uses the correct private key. As shown in fig. 11, fig. 11 is a schematic flow chart of checking and authenticating a protected model. The verification training data and the protected model are input to a model checking module; the detection tag [y'] is processed through the inverse transfer function to obtain a detection ciphertext c'; the detection ciphertext c' is sampled to obtain a sampling detection ciphertext c″; the sampling detection ciphertext is decrypted through the decryption function and the private key data of the model user to obtain a decryption result; and the identity information database is queried with the decryption result to determine whether the private key used by the user can correctly unlock the authorized model.
In a specific implementation, when the user uses the decryption private key to decrypt, if the decryption private key is visible, it can be directly determined whether the protected model belongs to the user according to the decryption private key, so after step S606, the method further includes: detecting whether a decryption private key of a user is visible; acquiring the decryption private key when the decryption private key is visible; inquiring the binding information according to the decryption private key and the identity information, and detecting whether the private key of the corresponding identity information in the binding information is consistent with the decryption private key; and when the private key is consistent with the decryption private key, determining that the protected model belongs to the user.
It should be understood that whether the decryption private key of the user is visible is detected, if the decryption private key is visible, the decryption private key of the user is obtained, binding information in an identity information database is queried according to the decryption private key and the identity information, whether the private key of the corresponding identity information in the binding information is consistent with the decryption private key is detected, and if the private key in the binding information is consistent with the decryption private key, the protected model is determined to belong to the user. And if the private key is inconsistent with the decryption private key, determining that the protected model does not belong to the user.
Step S607: and inquiring the binding information according to the decryption result and the identity information to detect whether the protected model belongs to the user.
In implementations, binding information may be queried based on the decryption results and the identity information to detect whether the protected model belongs to a user currently using the protected model.
In an implementation, the step of detecting whether the protected model belongs to the user specifically includes: inquiring the binding information according to the identity information to obtain a second original label corresponding to the identity information; comparing the decryption result with the second original tag; and when the decryption result is consistent with the second original label, determining that the protected model belongs to the user.
It should be noted that, after the decryption result is obtained, the binding information may be queried according to the identity information to obtain a second original tag corresponding to the identity information, and the decryption result is compared with the second original tag. If the decryption result is consistent with the second original tag, the protected model is determined to belong to the user; if the decryption result is inconsistent with the second original tag, the protected model is determined not to belong to the user. Different decryption results y' can be recovered with different private keys sk_j; y' is input into the identity information database for matching, and the final checking result is output.
The embodiment obtains the current identity information of the user when the user is detected to use the protected model; invoking the verification training data, and inputting the verification training data into the protected model to obtain a detection label; obtaining an inverse function of the transfer function; converting the detection tag into a detection ciphertext through an inverse function of the transfer function; sampling the detection ciphertext through a ciphertext sampling algorithm to obtain a sampling detection ciphertext; the sampling detection ciphertext is sent to the user, so that the user decrypts the sampling detection ciphertext by using a decryption private key based on the sampling detection ciphertext, and the decryption result is fed back; and inquiring the binding information according to the decryption result and the identity information to detect whether the protected model belongs to the user, and quickly inquiring the binding information through the decryption result so as to quickly and accurately determine whether the protected model belongs to the current user and improve the protection effect of the protected model.
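The detection flow of steps S601 to S607, together with the Enc and Fake encryption of steps S301 and S302, as an added example that is not code from the patent. Formulas 3 and 4 are not reproduced on this page, so the block assumes a textbook two-generator ElGamal-style scheme that has the properties the text states (every sk_j decrypts Enc(pk, y) to y, while different keys decrypt a Fake(pk) ciphertext differently); the toy group, key layout, label encoding, `resample` (standing in for the ciphertext sampling algorithm), the binding dictionary and all function names are assumptions.

```python
import secrets

# Toy parameters (constructed, insecure): the order-11 subgroup of Z_23^*.
P, Q, G1 = 23, 11, 2
GROUP = sorted({pow(G1, e, P) for e in range(Q)})   # the 11 subgroup elements

def encode_label(k):
    """Assumed encoding of a class label 0..9 as a group element."""
    return GROUP[k]

def decode_label(m):
    return GROUP.index(m)

def keygen(n_users):
    """One public key; n_users private keys (a_j, b_j) with g1^a_j * g2^b_j = h."""
    w = 1 + secrets.randbelow(Q - 1)                 # g2 = g1^w with w != 0
    alpha = secrets.randbelow(Q)                     # h = g1^alpha
    g2, h = pow(G1, w, P), pow(G1, alpha, P)
    bs = secrets.SystemRandom().sample(range(Q), n_users)   # distinct b_j
    return (G1, g2, h), [((alpha - w * b) % Q, b) for b in bs]

def enc(pk, m):
    """Regular ciphertext: the same exponent r under both generators."""
    g1, g2, h = pk
    r = secrets.randbelow(Q)
    return (pow(g1, r, P), pow(g2, r, P), pow(h, r, P) * m % P)

def fake(pk):
    """Irregular ciphertext: exponents r1 != r2, third component random."""
    g1, g2, _ = pk
    r1 = secrets.randbelow(Q)
    r2 = (r1 + 1 + secrets.randbelow(Q - 1)) % Q     # guarantees r2 != r1
    return (pow(g1, r1, P), pow(g2, r2, P), secrets.choice(GROUP))

def resample(pk, c):
    """Re-randomise a ciphertext (assumed form of the sampling algorithm)."""
    g1, g2, h = pk
    s = secrets.randbelow(Q)
    return (c[0] * pow(g1, s, P) % P,
            c[1] * pow(g2, s, P) % P,
            c[2] * pow(h, s, P) % P)

def dec(sk, c):
    a, b = sk
    mask = pow(c[0], a, P) * pow(c[1], b, P) % P
    return c[2] * pow(mask, -1, P) % P

def phi(c, width=P):
    """Transfer function: one-hot each ciphertext component, then concatenate."""
    vec = []
    for u in c:
        vec += [1 if i == u else 0 for i in range(width)]
    return vec

def phi_inv(vec, width=P):
    """Inverse transfer function: argmax of each block of the model output."""
    blocks = [vec[i:i + width] for i in range(0, len(vec), width)]
    return tuple(max(range(width), key=b.__getitem__) for b in blocks)

def demo():
    users = ["o1", "o2", "o3"]                       # constructed identities
    pk, sks = keygen(len(users))

    # Encrypted training data: every distributed key recovers the same label.
    trainable = phi(enc(pk, encode_label(7)))
    all_same = all(
        decode_label(dec(sk, resample(pk, phi_inv(trainable)))) == 7
        for sk in sks)

    # Verification data: the producer records what each key yields on c'.
    c_fake = fake(pk)
    binding = {dec(sk, c_fake): user for user, sk in zip(users, sks)}

    # Detection: the model's output on the verification instance is stood in
    # for by phi(c_fake); the challenge is the resampled detection ciphertext.
    challenge = resample(pk, phi_inv(phi(c_fake)))
    traced = [binding.get(dec(sk, challenge)) for sk in sks]
    return all_same, traced

if __name__ == "__main__":
    print(demo())
```

In this toy scheme, resampling leaves each key's decryption of the irregular ciphertext unchanged, which is why the returned value still identifies the key holder after the challenge has been re-randomised.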
Referring to fig. 12, fig. 12 is a flowchart of a fourth embodiment of the model ownership detecting method according to the present invention.
Based on the above first embodiment, the method for detecting the model ownership according to the present embodiment further includes, after the step S40:
step S41: and obtaining data to be tested, wherein the data to be tested and the original training data belong to the same category.
In a specific implementation, after the protected model is generated, the protected model can be verified to judge whether it correctly outputs the training result, which improves the use effect of the protected model. To verify the protected model, data to be tested is obtained, where the data to be tested and the original training data belong to the same category.
Step S42: and inputting the data to be tested into the protected model for testing, and outputting a test value.
In a specific implementation, the data to be tested is input into the protected model for testing, so that a test value is output, and the test value is the tested label.
Step S43: and verifying the protected model according to the test value.
Optionally, the method may verify the protected model by using a test value, so as to determine whether the protected model passes the verification, and the step of verifying the protected model according to the test value specifically includes: obtaining an inverse function of the transfer function; converting the test value into a test ciphertext according to an inverse function of the transfer function; invoking a ciphertext sampling algorithm to sample the test ciphertext to obtain a sampling ciphertext; decrypting by using a decryption algorithm based on the private key data and the sampling ciphertext to obtain a test tag; and when the test tag is consistent with the tag in the data to be tested, determining that the protected model passes verification.
The inverse function of the transfer function is φ^-1. The test value is converted into a test ciphertext through the inverse function, and a ciphertext sampling algorithm is invoked to sample the test ciphertext to obtain a sampling ciphertext. When the protected model is verified, the model user party has the private key data of all the protected models, so the sampling ciphertext is decrypted with the private key data through a decryption algorithm to obtain a test label, and when the test label is consistent with the label in the data to be tested, it is confirmed that the protected model generated through training passes verification. FIG. 13 is a schematic diagram of a process of decrypting a test value. For example, a handwriting picture of the Arabic numeral "7" from the existing MNIST dataset and the protected model are input into a model test module, and the output obtained is the test value
[y] = {0,0,0,0,1,0,0,0,0,0,
0,0,0,0,0,1,0,0,0,0,
0,0,0,0,0,0,0,0,1,0}
The test value [y] is converted into the test ciphertext c = [4,5,8], the test ciphertext is input into the ciphertext sampling algorithm to obtain the sampling ciphertext c' = [1,9,5], and the sampling ciphertext c' and a private key sk are input into the decryption algorithm to obtain the output test tag "7". The test tag is compared with the tag "7" in the input test data, and the model passes verification when the two are consistent. As shown in fig. 14, fig. 14 is a schematic flow chart of testing a model: test data is input into the protected model to obtain an output value, the output value is decrypted by using a private key to obtain a test tag, and whether the test tag is consistent with the tag in the test data is judged, thereby judging whether the protected model passes verification. Using an incorrect private key yields a garbled result y'.
In the embodiment, the data to be tested and the original training data belong to the same category by acquiring the data to be tested; inputting the data to be tested into the protected model for testing, and outputting a test value; and verifying the protected model according to the test value, so that the private key data can be rapidly used for verifying the protected model, and the accuracy of the use of the model is improved.
Referring to fig. 15, fig. 15 is a block diagram showing the structure of a first embodiment of the model ownership detecting device according to the present invention.
As shown in fig. 15, the model ownership detecting device according to the embodiment of the present invention includes:
the acquiring module 10 is configured to acquire original training data, where the original training data includes first original training data and second original training data, and the first original training data and the second original training data are data in the same class.
And the calling module 20 is used for calling the key generation algorithm to generate the public key and the corresponding private key data.
The encryption module 30 is configured to encrypt the original training data using different encryption algorithms based on the public key, so as to obtain an encrypted training data set.
The training module 40 is configured to perform model training based on the encrypted training data set, so as to obtain a protected model.
The distribution module 50 is configured to distribute the private key data and the protected model to corresponding authorized users, obtain identity information of the authorized users, and bind the identity information with the protected model, verification training data in the encrypted training data set, and the private key data to obtain binding information.
The detecting module 60 is configured to detect the ownership of the protected model based on the binding information.
In this embodiment, original training data is obtained; a key generation algorithm is invoked to generate a public key and corresponding private key data; the original training data is encrypted by using different encryption algorithms based on the public key to obtain an encrypted training data set; and model training is carried out based on the encrypted training data set to obtain a protected model. A single training run can thus provide trained models for a plurality of model users, which avoids repeated training time and computing resources and effectively improves production efficiency. The private key data and the protected model are distributed to the corresponding authorized users, the identity information of the authorized users is obtained, and the identity information is bound with the protected model, the verification training data in the encrypted training data set and the private key data to obtain binding information. The attribution right of the protected model is detected based on the binding information. Because a public key encryption mechanism is adopted to distribute different keys and versions of the same model to different authorized users, it can be detected whether the model or the key has been transmitted, unauthorized transmission of the model can be effectively checked and identified, and the property protection of the model is improved.
In an embodiment, the encrypted training data set includes encrypted training data and verification training data; the encryption module 30 is further configured to encrypt the first original training data using an encryption algorithm based on the public key to obtain encrypted training data; encrypting the second original training data by using a fake encryption algorithm based on the public key to obtain verification training data; and taking the encrypted training data and the verification training data as an encrypted training data set.
In an embodiment, the first raw training data includes a first raw instance and a first raw label; the encryption module 30 is further configured to obtain a first original tag in the first original training data; encrypting the first original tag by using an encryption algorithm based on the public key to obtain a first original ciphertext; expanding the first original ciphertext through a transfer function to obtain trainable vector data; splicing the trainable vector data to obtain a first trainable label; encrypted training data is obtained based on the first original instance and the first trainable tag.
In an embodiment, the encryption module 30 is further configured to obtain a second original tag in the second original training data; encrypting the second original tag by using a fake encryption algorithm based on the public key to obtain a second original ciphertext; expanding the second original ciphertext through a transfer function to obtain second trainable vector data; splicing the second trainable vector data to obtain a second trainable label; verification training data is obtained based on the second raw training data and the second trainable tag.
In an embodiment, the detection module 60 is further configured to obtain current identity information of the user when it is detected that the user uses the protected model; invoking the verification training data, and inputting the verification training data into the protected model to obtain a detection label; obtaining an inverse function of the transfer function; converting the detection tag into a detection ciphertext through an inverse function of the transfer function; sampling the detection ciphertext through a ciphertext sampling algorithm to obtain a sampling detection ciphertext; the sampling detection ciphertext is sent to the user, so that the user decrypts the sampling detection ciphertext by using a decryption private key based on the sampling detection ciphertext, and the decryption result is fed back; and inquiring the binding information according to the decryption result and the identity information to detect whether the protected model belongs to the user.
In one embodiment, the detecting module 60 is further configured to detect whether the decryption private key of the user is visible; acquiring the decryption private key when the decryption private key is visible; inquiring the binding information according to the decryption private key and the identity information, and detecting whether the private key of the corresponding identity information in the binding information is consistent with the decryption private key; and when the private key is consistent with the decryption private key, determining that the protected model belongs to the user.
In an embodiment, the detection module 60 is further configured to query the binding information according to the identity information to obtain a second original tag corresponding to the identity information; comparing the decryption result with the second original tag; and when the decryption result is consistent with the second original label, determining that the protected model belongs to the user.
In an embodiment, the training module 40 is further configured to obtain data to be tested, where the data to be tested and the original training data belong to the same category; inputting the data to be tested into the protected model for testing, and outputting a test value; and verifying the protected model according to the test value.
In an embodiment, the training module 40 is further configured to obtain an inverse of the transfer function; converting the test value into a test ciphertext according to an inverse function of the transfer function; invoking a ciphertext sampling algorithm to sample the test ciphertext to obtain a sampling ciphertext; decrypting by using a decryption algorithm based on the private key data and the sampling ciphertext to obtain a test tag; and when the test tag is consistent with the tag in the data to be tested, determining that the protected model passes verification.
In addition, to achieve the above object, the present invention also proposes a model ownership detecting apparatus including: a memory, a processor, and a model ownership detection program stored on the memory and executable on the processor, the model ownership detection program being configured to implement the steps of the model ownership detection method described above.
Because the model ownership detection equipment adopts all the technical solutions of all the above embodiments, it has at least all the beneficial effects brought by those technical solutions, which are not repeated here.
In addition, an embodiment of the invention also provides a storage medium storing a model ownership detection program, where the model ownership detection program, when executed by a processor, implements the steps of the model ownership detection method described above.
Because the storage medium adopts all the technical solutions of all the above embodiments, it has at least all the beneficial effects brought by those technical solutions, which are not repeated here.
It should be understood that the foregoing is illustrative only and not limiting; in specific applications, those skilled in the art may configure the invention as needed, and the invention is not limited in this respect.
It should be noted that the working procedure described above is merely illustrative and does not limit the scope of the present invention; in practical applications, a person skilled in the art may select part or all of it according to actual needs to achieve the purpose of the embodiment, which is not limited herein.
In addition, for technical details not described in detail in this embodiment, refer to the model ownership detection method provided in any embodiment of the present invention; they are not repeated here.
Furthermore, it should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in the process, method, article, or system that comprises the element.
The embodiment numbers above are for description only and do not indicate the relative merits of the embodiments.
From the above description of the embodiments, it will be clear to those skilled in the art that the methods of the above embodiments may be implemented by means of software plus a necessary general-purpose hardware platform, or by hardware, although in many cases the former is the preferred implementation. Based on this understanding, the technical solution of the present invention, in essence or in the part contributing to the prior art, may be embodied in the form of a software product stored in a storage medium (e.g. Read Only Memory (ROM)/RAM, magnetic disk, optical disk) and including several instructions for causing a terminal device (which may be a mobile phone, a computer, a server, a network device, etc.) to perform the method according to the embodiments of the present invention.
The foregoing describes only preferred embodiments of the present invention and is not intended to limit the scope of the invention; rather, it is intended to cover any equivalent structures or equivalent processes based on the disclosure herein, whether employed directly or indirectly in other related technical fields.

Claims (12)

1. A model ownership detection method, characterized by comprising the following steps:
acquiring original training data, wherein the original training data comprises first original training data and second original training data, and the first original training data and the second original training data are data of the same category;
invoking a key generation algorithm to generate a public key and corresponding private key data;
encrypting the original training data by using different encryption algorithms based on the public key to obtain an encrypted training data set;
performing model training based on the encrypted training data set to obtain a protected model;
distributing the private key data and the protected model to corresponding authorized users, acquiring identity information of the authorized users, and binding the identity information with the protected model, verification training data in the encrypted training data set and the private key data to obtain binding information;
and detecting the ownership of the protected model based on the binding information.
2. The model ownership detection method of claim 1, wherein said encrypted training data set comprises encrypted training data and verification training data;
the encrypting the original training data by using different encryption algorithms based on the public key to obtain an encrypted training data set comprises the following steps:
encrypting the first original training data by using an encryption algorithm based on the public key to obtain encrypted training data;
encrypting the second original training data by using a fake encryption algorithm based on the public key to obtain verification training data;
and taking the encrypted training data and the verification training data as an encrypted training data set.
3. The model ownership detection method of claim 2, wherein said first original training data comprises a first original instance and a first original label;
the encrypting the first original training data by using an encryption algorithm based on the public key to obtain encrypted training data comprises the following steps:
acquiring the first original label in the first original training data;
encrypting the first original label by using an encryption algorithm based on the public key to obtain a first original ciphertext;
expanding the first original ciphertext through a transfer function to obtain trainable vector data;
splicing the trainable vector data to obtain a first trainable label;
obtaining the encrypted training data based on the first original instance and the first trainable label.
4. The model ownership detection method according to claim 2, wherein said encrypting said second original training data using a fake encryption algorithm based on said public key to obtain verification training data comprises:
acquiring a second original label in the second original training data;
encrypting the second original label by using a fake encryption algorithm based on the public key to obtain a second original ciphertext;
expanding the second original ciphertext through a transfer function to obtain second trainable vector data;
splicing the second trainable vector data to obtain a second trainable label;
obtaining the verification training data based on the second original training data and the second trainable label.
5. The model ownership detection method according to claim 1, wherein said detecting ownership of a protected model based on said binding information comprises:
when it is detected that a user uses the protected model, obtaining current identity information of the user;
invoking the verification training data, and inputting the verification training data into the protected model to obtain a detection label;
obtaining an inverse function of the transfer function;
converting the detection label into a detection ciphertext through the inverse function of the transfer function;
sampling the detection ciphertext through a ciphertext sampling algorithm to obtain a sampling detection ciphertext;
sending the sampling detection ciphertext to the user, so that the user decrypts the sampling detection ciphertext by using a decryption private key and feeds back the decryption result;
and querying the binding information according to the decryption result and the identity information to detect whether the protected model belongs to the user.
6. The model ownership detection method according to claim 5, wherein said sending said sampling detection ciphertext to said user, so that said user decrypts said sampling detection ciphertext by using a decryption private key, further comprises:
detecting whether the decryption private key of the user is visible;
acquiring the decryption private key when the decryption private key is visible;
querying the binding information according to the decryption private key and the identity information, and detecting whether the private key bound to the corresponding identity information in the binding information is consistent with the decryption private key;
and when the private key is consistent with the decryption private key, determining that the protected model belongs to the user.
7. The model ownership detection method according to claim 5, wherein said querying said binding information according to said decryption result and said identity information to detect whether said protected model belongs to said user comprises:
querying the binding information according to the identity information to obtain a second original label corresponding to the identity information;
comparing the decryption result with the second original label;
and when the decryption result is consistent with the second original label, determining that the protected model belongs to the user.
8. The model ownership detection method according to any one of claims 1-7, wherein after the model training is performed based on the encrypted training data set, the method further comprises:
obtaining data to be tested, wherein the data to be tested and the original training data belong to the same category;
inputting the data to be tested into the protected model for testing, and outputting a test value;
and verifying the protected model according to the test value.
9. The model ownership detection method according to claim 8, wherein said verifying the protected model according to said test value comprises:
obtaining an inverse function of the transfer function;
converting the test value into a test ciphertext according to the inverse function of the transfer function;
invoking a ciphertext sampling algorithm to sample the test ciphertext to obtain a sampling ciphertext;
decrypting by using a decryption algorithm based on the private key data and the sampling ciphertext to obtain a test label;
and when the test label is consistent with the label in the data to be tested, determining that the protected model passes verification.
10. A model ownership detecting device, characterized in that the model ownership detecting device comprises:
the acquisition module is used for acquiring original training data, wherein the original training data comprises first original training data and second original training data, and the first original training data and the second original training data are data of the same class;
the calling module is used for calling a key generation algorithm to generate a public key and corresponding private key data;
the encryption module is used for encrypting the original training data by using different encryption algorithms based on the public key to obtain an encrypted training data set;
the training module is used for carrying out model training based on the encrypted training data set to obtain a protected model;
the distribution module is used for distributing the private key data and the protected model to corresponding authorized users, acquiring identity information of the authorized users, and binding the identity information with the protected model, verification training data in the encrypted training data set and the private key data to obtain binding information;
and the detection module is used for detecting the ownership of the protected model based on the binding information.
11. A model ownership detecting device, characterized in that the model ownership detecting device comprises: a memory, a processor, and a model ownership detection program stored on the memory and executable on the processor, the model ownership detection program configured to implement the model ownership detection method according to any of claims 1 to 9.
12. A storage medium having stored thereon a model ownership detection program which when executed by a processor implements the model ownership detection method according to any of claims 1 to 9.
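The challenge-response check of claims 5 and 7, using the same inverse-transfer, sampling and decryption chain as claim 9, as an added Python example that is not part of the patent text. Textbook RSA with tiny constructed parameters stands in for the unspecified encryption and decryption algorithms; the ±1 bit expansion used as the transfer function, the 0.5 threshold used as ciphertext sampling, the noisy `protected_model` stand-in and all names are assumptions, and the fake encryption variant of claim 4 is not modelled.

```python
import random

# Constructed, insecure textbook-RSA parameters (n = 61 * 53); an assumed
# stand-in for the patent's key generation, encryption and decryption.
N, E, D = 3233, 17, 2753
WIDTH = 12  # bits needed to hold any ciphertext < N


def encrypt(label):
    """Public-key encryption of an integer label."""
    return pow(label, E, N)


def decrypt(ciphertext, private_key):
    return pow(ciphertext, private_key, N)


def transfer(ciphertext):
    """Assumed transfer function: expand ciphertext bits into a +/-1.0 vector."""
    return [1.0 if (ciphertext >> i) & 1 else -1.0 for i in range(WIDTH)]


def inverse_transfer(scores):
    """Map model scores back to soft bits centred on 0.0 and 1.0."""
    return [(s + 1.0) / 2.0 for s in scores]


def sample_ciphertext(soft_bits):
    """Assumed ciphertext sampling: snap soft bits to 0/1, rebuild the integer."""
    return sum(1 << i for i, b in enumerate(soft_bits) if b >= 0.5)


def protected_model(trainable_label, seed=0):
    """Stand-in for the trained model: learned target plus bounded noise."""
    rng = random.Random(seed)
    return [t + rng.uniform(-0.4, 0.4) for t in trainable_label]


def detect_ownership(binding, identity, user_decrypt):
    """Verifier side: build the challenge, let the user decrypt, compare."""
    record = binding.get(identity)
    if record is None:          # identity was never bound to this model
        return False
    scores = protected_model(record["verification_label"])
    challenge = sample_ciphertext(inverse_transfer(scores))
    return user_decrypt(challenge) == record["second_original_label"]


# Constructed binding information for one authorized user.
SECOND_LABEL = 7
BINDING = {"alice": {"second_original_label": SECOND_LABEL,
                     "verification_label": transfer(encrypt(SECOND_LABEL))}}

if __name__ == "__main__":
    print(detect_ownership(BINDING, "alice", lambda c: decrypt(c, D)))      # bound key
    print(detect_ownership(BINDING, "alice", lambda c: decrypt(c, D + 1)))  # wrong key
```

The check only succeeds when the model output, after thresholding, reproduces the exact ciphertext; a single flipped bit changes the decrypted value, so the noise margin of the transfer function bounds how much model drift the scheme tolerates.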
CN202310463453.7A 2023-04-26 2023-04-26 Model attribution right detection method, device, equipment and storage medium Pending CN116578950A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310463453.7A CN116578950A (en) 2023-04-26 2023-04-26 Model attribution right detection method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310463453.7A CN116578950A (en) 2023-04-26 2023-04-26 Model attribution right detection method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116578950A true CN116578950A (en) 2023-08-11

Family

ID=87540513

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310463453.7A Pending CN116578950A (en) 2023-04-26 2023-04-26 Model attribution right detection method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116578950A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118133351A (en) * 2024-05-08 2024-06-04 安徽华云安科技有限公司 Privacy data protection method, device, equipment and storage medium

Similar Documents

Publication Publication Date Title
US8925109B2 (en) Client-side player file and content license verification
CN101262599A (en) Method and system for data processing
CN101719205A (en) Digital copyright management method and system
CN114499875B (en) Service data processing method, device, computer equipment and storage medium
US9075798B2 (en) Verifying authenticity of input using a hashing algorithm
CN115242553B (en) Data exchange method and system supporting safe multi-party calculation
CN110569672A (en) efficient credible electronic signature system and method based on mobile equipment
TW202336617A (en) Data matching method and apparatus, device, and medium
CN115002141B (en) File storage method and device based on block chain
CN113315745A (en) Data processing method, device, equipment and medium
Cao et al. A Privacy‐Preserving Outsourcing Data Storage Scheme with Fragile Digital Watermarking‐Based Data Auditing
CN116578950A (en) Model attribution right detection method, device, equipment and storage medium
CN113722767B (en) Data integrity verification method, system, storage medium and computing equipment
CN115001775A (en) Data processing method and device, electronic equipment and computer readable storage medium
CN108900472B (en) Information transmission method and device
CN112860933B (en) Ciphertext image retrieval method, device, terminal equipment and storage medium
CN101399663B (en) Method, system and device for digital content authentication
CN111934862B (en) Server access method and device, readable medium and electronic equipment
CN112528309A (en) Data storage encryption and decryption method and device
US20090319805A1 (en) Techniques for performing symmetric cryptography
CN117313119A (en) Application code encryption verification method and device and computer equipment
Salami et al. Collaborative integrity verification for blockchain-based cloud forensic readiness data protection
CN112507355B (en) Personal health data storage system based on block chain
CN101661573A (en) Method for producing electronic seal and method for using electronic seal
Penubadi et al. Sustainable electronic document security: A comprehensive framework integrating encryption, digital signature and watermarking algorithms

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination