Algorithm for secure multiparty computation using modular integers

Document number: 441135   Publication date: 2021-12-24

Reading note: this technology, "Algorithm for secure multiparty computation using modular integers", was designed by M. Georgieva, N. Gama and D. Jetchev on 2020-02-24. Abstract: A secure multi-party computation implements real-number arithmetic using a modular-integer representation in the back end. As part of that implementation, a secret-shared value held jointly by multiple participants in a first modular representation is projected into a second modular representation with a larger most significant bit. The participants use a secret-shared masking value in the first representation, whose range is divided into two halves, to mask and reveal the sum of the secret-shared value and the secret-shared masking value. Using a secret-shared bit that identifies which half of the range contains the masking value, together with the revealed sum, the participants cooperatively construct a set of secret shares that represent the secret-shared value in the second modular format. In contrast to previous work, the disclosed solution eliminates the non-zero probability of error without sacrificing efficiency or security.

1. A method performed by a secure multi-party computation system configured to perform multi-party computation on secret-shared values, the secure multi-party computation system comprising a trusted dealer computing system and a plurality of participant computing systems in secure networked communication, the method being for projecting a secret-shared value from a first modular representation to a second modular representation, the method comprising:

each of the participant computing systems storing a respective secret share of the secret-shared value in the first modular representation,

wherein the first modular representation has a range defined by a most significant bit position and a least significant bit position of the first modular representation;

the trusted dealer computing system storing a masking value in the first modular representation and transmitting a respective secret share of the masking value to each of the participant computing systems, such that the masking value is secret-shared among the participant computing systems in the first modular representation;

the trusted dealer computing system:

determining a sub-range within which the masking value lies, wherein the sub-range is selected from a plurality of predetermined non-overlapping sub-ranges that together cover the range of the first modular representation,

encoding the determined sub-range as a numerical sub-range identifier, and

transmitting respective secret shares of the numerical sub-range identifier to each of the participant computing systems, thereby causing the numerical sub-range identifier to be secret-shared among the participant computing systems;

the trusted dealer computing system converting the masking value into a converted masking value by performing, in a first conversion, at least a first mathematical lift on the masking value;

the trusted dealer computing system transmitting respective secret shares of the converted masking value to each of the participant computing systems in the second modular representation, such that the converted masking value is secret-shared among the participant computing systems in the second modular representation,

wherein the second modular representation has a range defined by a most significant bit position and a least significant bit position of the second modular representation, and wherein the most significant bit position of the second modular representation is greater than the most significant bit position of the first modular representation;

the participant computing systems cooperatively computing and revealing the sum of the secret-shared value and the masking value as a masked value, without revealing the secret shares of the secret-shared value or the secret shares of the masking value;

converting the masked value into a first converted masked value by performing, in a second conversion, at least a second mathematical lift on the masked value;

converting the masked value into a second converted masked value by performing, in a third conversion, at least a third mathematical lift on the masked value,

wherein the first mathematical lift, the second mathematical lift and the third mathematical lift differ from one another; and

the participant computing systems cooperatively computing the secret-shared value in the second modular representation, such that each of the participant computing systems computes its respective secret share of the secret-shared value in the second modular representation based on:

the first converted masked value,

the second converted masked value,

the respective secret share of the numerical sub-range identifier held by that participant computing system, and

the respective secret share of the converted masking value held by that participant computing system.

2. The method of claim 1,

wherein the first mathematical lift and the second mathematical lift produce values that are offset from one another by one quarter of the range of the first modular representation, and

wherein the second mathematical lift and the third mathematical lift produce values that are offset from one another by one half of the range of the first modular representation.

3. The method of claim 1, wherein the first mathematical lift, the second mathematical lift and the third mathematical lift are each selected from the group consisting of:

a quartermod lift parameterized by 2^(M_msb), wherein (M_msb - 1) is the most significant bit position of the first modular representation,

a centermod lift parameterized by 2^(M_msb), and

a posmod lift parameterized by 2^(M_msb).

4. The method of claim 1,

wherein the first mathematical lift is a quartermod lift of the masking value parameterized by 2^(M_msb),

wherein the second mathematical lift is a centermod lift of the masked value parameterized by 2^(M_msb),

wherein the third mathematical lift is a posmod lift of the masked value parameterized by 2^(M_msb), and

wherein (M_msb - 1) is the most significant bit position of the first modular representation.

5. The method of claim 4,

wherein the quartermod lift of x parameterized by 2^M is defined as the unique real number x~ such that x~ is congruent to x modulo 2^M and x~ lies in the half-open interval of length 2^M prescribed for the quartermod lift,

wherein the centermod lift of x parameterized by 2^M is defined as the unique real number x~ such that x~ is congruent to x modulo 2^M and x~ lies in the half-open interval of length 2^M prescribed for the centermod lift, and

wherein the posmod lift of x parameterized by 2^M is defined as the unique real number x~ such that x~ is congruent to x modulo 2^M and x~ lies in the half-open interval of length 2^M prescribed for the posmod lift.

6. The method of claim 5,

wherein the first conversion further comprises:

rounding the result of the first mathematical lift to the nearest multiple of 2^(p'_lsb), wherein p'_lsb is the least significant bit position of the second modular representation, and

reducing the rounded result modulo 2^(M'_msb), wherein (M'_msb - 1) is the most significant bit position of the second modular representation;

wherein the second conversion further comprises:

rounding the result of the second mathematical lift to the nearest multiple of 2^(p'_lsb), and

reducing the rounded result modulo 2^(M'_msb); and

wherein the third conversion further comprises:

rounding the result of the third mathematical lift to the nearest multiple of 2^(p'_lsb), and

reducing the rounded result modulo 2^(M'_msb).

7. The method of claim 1, wherein the first conversion, the second conversion and the third conversion each comprise projecting the result of the associated mathematical lift into the second modular representation, i.e. reducing it modulo 2^(M'_msb), wherein (M'_msb - 1) is the most significant bit position of the second modular representation.

8. The method of claim 1, wherein the plurality of predetermined non-overlapping sub-ranges consists of two sub-ranges of equal size, and wherein the numerical sub-range identifier is selected from the group consisting of the numbers 0 and 1.

9. The method of claim 8, wherein the secret-shared numerical sub-range identifier is used cooperatively by the participant computing systems to select between the first and second converted masked values when computing the secret-shared value in the second modular representation.

10. The method of claim 1, wherein the first and second modular representations are fixed-point integer representations of real numbers.

11. A method performed by a secure multi-party computation system configured to perform multi-party computation on a secret-shared value, the secure multi-party computation system comprising a plurality of participant computing systems in secure networked communication, the method being for projecting the secret-shared value from a first modular representation to a second modular representation, the method comprising:

each of the participant computing systems storing a respective secret share of the secret-shared value in the first modular representation,

wherein the first modular representation has a range defined by a most significant bit position and a least significant bit position of the first modular representation;

transmitting respective secret shares of a masking value to each of the participant computing systems, thereby causing the masking value to be secret-shared among the participant computing systems;

transmitting to each of the participant computing systems a respective secret share of an indication of the sub-range in which the masking value lies, wherein the sub-range is selected from a plurality of predetermined non-overlapping sub-ranges that together cover the range of the first modular representation, such that the sub-range indication is secret-shared among the participant computing systems;

converting the masking value into a converted masking value by performing, in a first conversion, at least a first mathematical lift on the masking value;

transmitting respective secret shares of the converted masking value to each of the participant computing systems in the second modular representation, such that the converted masking value is secret-shared among the participant computing systems in the second modular representation,

wherein the second modular representation has a range defined by a most significant bit position and a least significant bit position of the second modular representation, and wherein the most significant bit position of the second modular representation is greater than the most significant bit position of the first modular representation;

the participant computing systems cooperatively computing and revealing the sum of the secret-shared value and the masking value as a masked value, without revealing the secret shares of the secret-shared value or the secret shares of the masking value;

converting the masked value into a first converted masked value by performing, in a second conversion, at least a second mathematical lift on the masked value;

converting the masked value into a second converted masked value by performing, in a third conversion, at least a third mathematical lift on the masked value;

wherein the first mathematical lift, the second mathematical lift and the third mathematical lift differ from one another; and

the participant computing systems cooperatively computing the secret-shared value in the second modular representation, such that each of the participant computing systems computes its respective secret share of the secret-shared value in the second modular representation based on:

the first converted masked value,

the second converted masked value,

the respective secret share of the sub-range indication held by that participant computing system, and

the respective secret share of the converted masking value held by that participant computing system.

12. The method of claim 11, wherein the first conversion, the second conversion and the third conversion each comprise projecting the result of the associated mathematical lift into the second modular representation, i.e. reducing it modulo 2^(M'_msb), wherein (M'_msb - 1) is the most significant bit position of the second modular representation.

13. The method of claim 11, wherein the plurality of predetermined non-overlapping sub-ranges consists of two sub-ranges of equal size, and wherein the sub-range indication is a numerical identifier selected from the group consisting of the numbers 0 and 1.

14. The method of claim 13, wherein the secret-shared numerical sub-range identifier is used cooperatively by the participant computing systems to select between the first and second converted masked values when computing the secret-shared value in the second modular representation.

15. The method of claim 11, wherein the first and second modular representations are fixed-point integer representations of real numbers.

16. A method for multiplying a first secret-shared value stored in a respective initial modular representation by a second secret-shared value stored in a respective initial modular representation, the method comprising:

projecting, by the method of claim 11, at least one of the first and second secret-shared values into a common modular representation, such that the first and second secret-shared values are both stored in the common modular representation; and

performing a Beaver multiplication on the first and second secret-shared values in the common modular representation.

17. A method for combining a plurality of secret-shared values with a corresponding plurality of static coefficients, each secret-shared value being stored in a respective initial modular representation, the method comprising:

projecting, by the method of claim 11, at least one of the plurality of secret-shared values into a common modular representation, such that all of the plurality of secret-shared values are stored in the common modular representation; and

computing a linear combination of the plurality of secret-shared values stored in the common modular representation with the corresponding plurality of static coefficients.

18. A method of evaluating a continuous function on a secret-shared value, the method comprising:

selecting a Fourier series from a plurality of predetermined Fourier series based on the secret-shared value, wherein each of the plurality of predetermined Fourier series is configured to approximate the continuous function over an associated sub-interval of the domain of the continuous function;

based on the selection, projecting the secret-shared value from a first modular representation to a second modular representation by the method of claim 11; and

approximating the value of the continuous function at the secret-shared value, represented in the second modular representation, using the selected Fourier series.

19. A system comprising a plurality of computer systems, wherein the plurality of computer systems are configured to perform the method of any of claims 1-18.

20. A non-transitory computer readable medium encoded with computer code, which when executed by a plurality of computer systems, causes the plurality of computer systems to perform the method of any of claims 1-18.

Background

Privacy-preserving multi-party computation (MPC) techniques let several parties cooperatively evaluate a function and produce a shared or revealed output while keeping their inputs private. Such computations are used, for example, in medicine and finance, where the input data come from different private sources that cannot be disclosed, but a public result based on the confidential data is required.

An MPC typically spans several participants at the same time and across geographies. Each participant is a separate computing system; a typical deployment comprises k participants and a trusted dealer. As used herein, the terms participant and player are used interchangeably and refer to a separate participant computer system taking part in the multi-party computation.

After the code implementing the computation has been compiled, the trusted dealer first performs the offline phase of the MPC. In the offline phase, the dealer generates masks (masking data, also called triples) and distributes shares of these masks to the participants, so that each participant knows only its own share and nobody knows the clear mask value, which is the sum of the shares. The choice of masks typically depends, from a statistical-analysis perspective, on the data the operations are expected to run on, so that the masks are configured appropriately for that data.

The k participants then collaboratively run the online phase of the MPC, with synchronization steps in which they exchange or broadcast messages according to the defined MPC protocol. The online phase may run in a firewalled environment to which the trusted dealer has no access.

An MPC can be seen as the distributed equivalent of plaintext pseudo-code, which we describe as a static single assignment (SSA) graph of MPC-friendly basic operations. The nodes of the SSA graph are plaintext variables, and each participant holds a local view (a secret share) of each variable. We call this local view an MPC container. An MPC-friendly basic operation is called a built-in: it takes MPC containers and optionally some static parameters as input and produces MPC containers as output.

Fig. 1 shows a schematic diagram of an MPC container for a multi-party computation with k participants. Globally, an MPC container holds all the information about one SSA variable: the plaintext value x, which is either public (known to all parties but not to the trusted dealer) or secret-shared as ⟦x⟧ (each participant knows only its own share); a mask λ (known to the dealer and secret-shared among all parties); and optionally the masked value a = x + λ (known to all parties but in general not to the dealer). Notation: double brackets ⟦x⟧ denote a secret-shared value.

Locally, each participant keeps a trace of the MPC container, which may be a structure with the following fields:

- the public value x (if the container is public);

- a share x_j of the value;

- a share λ_j of the container's mask;

- the masked value a (if the container has been masked and revealed).

Considering the k containers together, the following holds. If the container is public, every participant knows the plaintext value and stores x in its public-value field; otherwise the plaintext value of the container is, by definition, the sum of all the shares, x = Σ_j x_j, and no other field is required by the MPC protocol in that case. The mask of the container is λ = Σ_j λ_j; its value is known only to the trusted dealer (during the offline phase), and during the online phase no participant knows or learns the actual mask. The masked value is a = x + λ. A special mask-and-reveal operation instructs each participant to broadcast x_j + λ_j, which allows all of them to reconstruct and store the same field a = x + λ in common. All other technical or local variables that appear in a built-in are called temporary variables.

Two previous works have proposed fixed-point integer representations, rather than floating-point representations, for real numbers in the MPC context. The first, referred to hereinafter as "SecureML", is P. Mohassel and Y. Zhang, "SecureML: A system for scalable privacy-preserving machine learning", 2017 IEEE Symposium on Security and Privacy, SP 2017, San Jose, CA, USA, May 22-26, 2017, pp. 19-38. The second, referred to hereinafter as "ABY3", is P. Mohassel and P. Rindal, "ABY3: A mixed protocol framework for machine learning", Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, ON, Canada, October 15-19, 2018, pp. 35-52.

The modReal representation. In these works, real-number arithmetic is carried out on a fixed-size integer type (e.g. int64, i.e. integers modulo 2^64) by evaluating additions, subtractions, multiplications and rounded divisions on that type. For example, to multiply two 30-bit integers x and y and keep the 30 most significant bits of the result (as a floating-point multiplication would), one first computes xy, which fits in a 64-bit integer without overflow, and then shifts the result right by 30 bits. Both works adapt these operations to the MPC setting, where the plaintext x is secret-shared among k participants (k = 2 in SecureML, k ≥ 3 in ABY3) as shares x_1, ..., x_k modulo q (for some integer q), such that x = centermod_q(x_1 + ... + x_k). The signed lift centermod_q(x) is defined as the unique integer x~ with x~ congruent to x modulo q and -q/2 ≤ x~ < q/2. We call this particular representation of real numbers as shares the modReal representation.

SecureML, Section 4.1, "Arithmetic Operations on Shared Decimal Numbers", proceeds as follows. Consider the fixed-point product of two binary decimals x and y stored in an ordinary integer representation, where a fixed number of low-order bits of each integer is defined to represent the fractional part (the binary digits after the point). The scaled values x' and y' are then integers that can be handled locally with the integer back end. Their product z' = x'y', however, carries twice as many fractional bits as either factor, and it is impractical, especially in the MPC setting, to keep these extra binary digits after the point. SecureML therefore truncates (discards) the trailing fractional bits so that the result has the same number of fractional bits as the operands, and takes the truncated z' alone as the product.

SecureML then extends this truncation to secret-shared values: the holders of the shares of z' may simply truncate their respective shares locally. Theorem 1 of SecureML shows that the two truncated shares reconstruct the truncation of z' with high probability. The argument rests on the following premise: if x_1 and x_2 are the two secret shares of a very small x, then with high probability x_1 and x_2 lie in two opposite half-circles of Z_q. This solution works only for two participants, relies on a purely local truncation of the shares, and leaves a non-zero probability that the resulting secret-shared value is incorrect.

ABY3 addresses the limitations of SecureML's two-party truncation in Section 5.1.1 and proposes, in Section 5.2.2, other truncation techniques that extend to three or more participants in the MPC setting. In practice, however, these other techniques also have a non-negligible probability of failure.

In both previous works, multiplication is performed with Beaver triples modulo q; rounding may be performed locally on each share (at the cost of a small error in the plaintext value), and addition can be done locally on each share. Two variants of division are proposed: the first, in SecureML, is a two-party solution with no communication between the parties; the second, in ABY3, is a solution for k participants based on a specific kind of triple. In both cases the result of the division is correct most of the time; however, with a small but non-zero probability a large, undetected overflow occurs. For a plaintext range of M integer elements and shares modulo q, the overflow probability is M/q. In the example above of multiplying two 30-bit integers, the overflow probability is 2^61/2^64 = 1/8; if the precision is reduced to 20 bits, it drops to 2^41/2^64. When an overflow occurs it is large (SecureML mitigates its magnitude, but in the newer ABY3 revision it still alters the most significant bits of the result), so any aggregate that contains such an erroneous value is affected. The overflow probability applies per coefficient, so when a vector or matrix of N coefficients is computed (as in most ML use cases, e.g. logistic regression, linear regression, neural networks), the probability of at least one destructive overflow is multiplied by N and becomes non-negligible.

The two countermeasures proposed by the previous works for handling millions of coefficients are either to reduce the precision (giving at most about 10 bits of precision on a 64-bit back end) or to increase the back-end size to e.g. 128 bits (4 to 16 times slower). A 10-bit fixed-point precision is sufficient in numerically stable use cases where the exact distribution of the plaintext is known (e.g. feature-scaled inputs, sigmoid outputs, etc.). However, because the distribution of the secret plaintext is uncertain, the fixed-point exponent may be estimated 4 or 5 bits higher than the actual value, in which case severe underflow can also occur.
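The failure mode described in the preceding paragraphs can be measured exactly for a small modulus. The following Python block is an added example written for this page; it is not code from SecureML, ABY3 or the patent. The parameters q = 2^12 and d = 4 are constructed for the demonstration, and the party-2 rule q - floor((q - x_2)/2^d) is the two-party share-local truncation the text attributes to SecureML.

```python
"""Added example (not code from SecureML, ABY3 or the patent): brute-force the
two-party share-local truncation to see how often, and by how much, it fails.
Parameters are constructed for the demonstration: shares live in Z_q with
q = 2**ELL, and D low-order bits are dropped by the truncation."""

ELL = 12              # back-end width (small so every share split can be enumerated)
Q = 1 << ELL
D = 4                 # number of fractional bits removed by the truncation


def to_signed(v, q=Q):
    """centermod: map a residue in [0, q) to its signed representative in [-q/2, q/2)."""
    v %= q
    return v - q if v >= q // 2 else v


def local_truncate(x1, x2, d=D, q=Q):
    """Both parties truncate their own share with no communication.
    Party 1 treats its share as non-negative, party 2 treats its share as the
    negative number x2 - q; the asymmetry is what makes the sum come out right
    whenever the two shares sit in opposite half-circles of Z_q."""
    t1 = x1 >> d
    t2 = (q - ((q - x2) >> d)) % q
    return (t1 + t2) % q


def truncation_failures(x, d=D, q=Q):
    """Enumerate all q sharings (x1, x2) of the signed plaintext x and count those
    whose locally truncated reconstruction is not within +-1 of floor(x / 2**d).
    Returns (failure_count, q, worst_absolute_error)."""
    assert -q // 2 <= x < q // 2
    expected = x >> d          # floor division, also for negative x
    failures, worst = 0, 0
    for x1 in range(q):
        x2 = (x - x1) % q      # the second share is determined by the first
        got = to_signed(local_truncate(x1, x2, d, q), q)
        err = got - expected
        if abs(err) > 1:
            failures += 1
            worst = max(worst, abs(err))
    return failures, q, worst


if __name__ == "__main__":
    for x in (0, 100, -100):
        bad, total, worst = truncation_failures(x)
        print(f"x={x:5d}: {bad}/{total} sharings fail, worst error {worst}")
```

For a non-negative plaintext x, exactly x + 1 of the q possible share splits fail: those in which the second share is also small and non-negative, so the two shares do not sit in opposite half-circles. The fraction (x + 1)/q is the M/q estimate quoted above, and every failure is off by roughly q/2^d, far beyond the ±1 rounding slack the correct cases stay within.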

Disclosure of Invention

In the context of secure multi-party computation, a secret-shared value held jointly by several participants in a first modular representation is projected into a second modular representation with a larger most significant bit. For the projection, a trusted dealer secret-shares a masking value with the participants, the range of the masking value being divided into two halves. The participants use the masking value to mask and reveal the sum of the secret-shared value and the masking value. The trusted dealer also secret-shares with the participants a bit encoding which half of the range contains the masking value. The participants use the secret-shared bit together with the revealed sum to cooperatively reconstruct a set of secret shares that represent the secret-shared value in the second modular format. In contrast to previous work, the disclosed solution eliminates the non-zero probability of error without sacrificing efficiency or security. The method is described in more detail in Section 3.1 of the detailed description below.

A method is executable by a secure multi-party computation system (SMPCS) configured to perform multi-party computation on a secret-shared value, wherein the SMPCS comprises a trusted dealer computing system and a plurality of participant computing systems in secure networked communication. The method projects the secret-shared value from a first modular representation to a second modular representation, wherein the first modular representation has a range defined by its most significant bit position and its least significant bit position, the second modular representation likewise has a range defined by its most significant bit position and its least significant bit position, and the most significant bit position of the second modular representation is greater than that of the first modular representation.

According to one embodiment, each of the participant computing systems stores a respective secret share of the secret-shared value in the first modular representation. The trusted dealer computing system stores the masking value in the first modular representation and transmits a respective secret share of the masking value to each of the participant computing systems, so that the masking value is secret-shared among the participant computing systems in the first modular representation. The trusted dealer computing system determines the sub-range within which the masking value lies, the sub-range being selected from a plurality of predetermined non-overlapping sub-ranges that together cover the range of the first modular representation; encodes the determined sub-range as a numerical sub-range identifier; and transmits a respective secret share of the numerical sub-range identifier to each of the participant computing systems, so that the identifier is secret-shared among them. The trusted dealer computing system converts the masking value into a converted masking value in a first conversion by performing at least a first mathematical lift on the masking value, and transmits respective secret shares of the converted masking value to each of the participant computing systems in the second modular representation, so that the converted masking value is secret-shared among them in the second modular representation. The participant computing systems cooperatively compute and reveal the sum of the secret-shared value and the masking value as a masked value, without revealing the secret shares of the secret-shared value or the secret shares of the masking value.

The SMPCS converts the masked value into a first converted masked value in a second conversion by performing at least a second mathematical lift on the masked value, and into a second converted masked value in a third conversion by performing at least a third mathematical lift on the masked value, wherein the first, second and third mathematical lifts differ from one another. The participant computing systems then cooperatively compute the secret-shared value in the second modular representation, each participant computing system computing its respective secret share from: the first converted masked value, the second converted masked value, its respective secret share of the numerical sub-range identifier, and its respective secret share of the converted masking value.

The method may be performed wherein the first mathematical boost and the second mathematical boost produce values that are offset relative to each other by one quarter of the range of the first modulo representation, and wherein the second mathematical boost and the third mathematical boost produce values that are offset relative to each other by one half of the range of the first modulo representation.

The method may be performed wherein the first mathematical boost, the second mathematical boost, and the third mathematical boost are each selected from the group consisting of: byParameterized quartormod lifting, wherein (M)msb-1) is the most significant bit position of the first modulo representation; byParameterized centemmod is promoted; and is composed ofParameterized posmod promotion.

The method may be performed wherein the first mathematical boost is toQuartormod boosting of parameterized masking values, where the second mathematical boost is to the sum ofCentemid lifting of parameterized mask values, wherein a third mathematical lifting is onA posmod promotion of the parameterized mask value, and wherein (M)msb-1) is the most significant bit position of the first modulo representation.

The method can be performed wherein the pair is composed of 2MParameterized x's quartormod lifting is defined as a unique real numberSo thatWherein the pair is composed of 2MParameterizationThe centemid lifting of x is defined as the only real numberSo thatAnd wherein the pair is composed of 2MParameterized posmod lifting of x is defined as a unique real numberSo that

The method may be performed wherein the first converting further comprises: rounding the result of the first mathematical boost toOf p'lsbIs the least significant bit position of the second modulo representation and takes the modulo of the roundingWherein (M'msb-1) is the most significant bit position of the second modulo representation; wherein the second converting further comprises: rounding the second mathematically boosted result toAnd takes the rounding moduloAnd wherein the third converting further comprises: rounding the result of the third mathematical boost toAnd takes the rounding modulo

The method may be performed wherein the first transformation, the second transformation and the third transformation each comprise projecting the associated mathematically boosted result into the second modulo representation, wherein (M'msb − 1) is the most significant bit position of the second modulo representation.

The method may be performed wherein the "plurality of predetermined non-overlapping sub-ranges" consists of two sub-ranges of equal size, and wherein the numerical sub-range identifier is selected from the group consisting of the numbers 0 and 1.

The method may be performed wherein the secret-shared sub-range identifier is used cooperatively by the participant computing systems to select between the first conversion mask value and the second conversion mask value when computing the secret-shared value in the second modulo representation.

The method may be performed wherein the first modulo representation and the second modulo representation are fixed-point integer representations of real numbers.

A method may be performed by an SMPCS configured to perform multi-party computations on secret shared values, wherein the SMPCS comprises a plurality of participant computing systems in secure networked communication. The method is for projecting the secret sharing value from a first modulo representation to a second modulo representation, wherein the first modulo representation has a range defined by a most significant bit position and a least significant bit position of the first modulo representation, and wherein the second modulo representation has a range defined by a most significant bit position and a least significant bit position of the second modulo representation, and wherein the most significant bit position of the second modulo representation is greater than the most significant bit position of the first modulo representation.

According to one embodiment, each of the participant computing systems stores a respective secret share of the secret-shared value in the first modulo representation. The SMPCS communicates a respective secret share of a masking value to each of the participant computing systems, so that the masking value is secret-shared between them. The SMPCS communicates to each participant computing system a respective secret share of an indication of the sub-range in which the masking value lies, the sub-range being selected from a plurality of predetermined non-overlapping sub-ranges that together represent the range of the first modulo representation, so that the sub-range indication is secret-shared between the participant computing systems. The SMPCS converts the masking value into a converted masking value in a first conversion by performing at least a first mathematical boost on the masking value. The SMPCS communicates respective secret shares of the converted masking value, in the second modulo representation, to each of the participant computing systems, so that the converted masking value is secret-shared between them in the second modulo representation. The participant computing systems cooperatively compute and expose the sum of the secret-shared value and the masking value as a mask value, without exposing their secret shares of the secret-shared value or of the masking value. The SMPCS converts the mask value into a first conversion mask value in a second conversion by performing at least a second mathematical boost on the mask value. The SMPCS converts the mask value into a second conversion mask value in a third conversion by performing at least a third mathematical boost on the mask value, wherein the first, second and third mathematical boosts are different from each other.
The participant computing systems cooperatively compute the secret-shared value in the second modulo representation, such that each participant computing system computes its respective secret share of the secret-shared value in the second modulo representation based on: the first conversion mask value, the second conversion mask value, its respective secret share of the sub-range indication, and its respective secret share of the converted masking value.

The method may be performed wherein the first transformation, the second transformation and the third transformation each comprise projecting the associated mathematically boosted result into the second modulo representation, wherein (M'msb − 1) is the most significant bit position of the second modulo representation.

The method may be performed wherein the "plurality of predetermined non-overlapping sub-ranges" consists of two sub-ranges of equal size, and wherein the numerical sub-range identifier is selected from the group consisting of the numbers 0 and 1.

The method may be performed wherein the secret-shared sub-range identifier is used cooperatively by the participant computing systems to select between the first conversion mask value and the second conversion mask value when computing the secret-shared value in the second modulo representation.

The method may be performed wherein the first modulo representation and the second modulo representation are fixed-point integer representations of real numbers.

A method for performing a multiplication of a first secret-shared value stored in a respective initial modulo representation and a second secret-shared value stored in a respective initial modulo representation may comprise: projecting, according to any of the preceding methods for projecting, at least one of the first and second secret-shared values into a common modulo representation, such that both secret-shared values are stored in the common modulo representation; and performing a Biffy multiplication on the first and second secret-shared values in the common modulo representation.

A method for combining a plurality of secret-shared values with a corresponding plurality of static coefficients, each secret-shared value being stored in a respective initial modulo representation, may comprise: projecting, according to any of the preceding methods for projecting, at least one of the plurality of secret-shared values into a common modulo representation, such that all of the secret-shared values are stored in the common modulo representation; and performing a linear combination of the plurality of secret-shared values stored in the common modulo representation with the corresponding plurality of static coefficients.

A method of evaluating a continuous function on a secret-shared value may comprise: selecting, based on the secret-shared value, a Fourier series from a plurality of predetermined Fourier series, wherein each of the plurality of predetermined Fourier series is configured to approximate the continuous function on a respective sub-interval of the domain of the continuous function; based on the selection, projecting the secret-shared value from a first modulo representation into a second modulo representation according to any of the preceding methods for projecting; and approximating the value of the continuous function on the secret-shared value in the second modulo representation using the selected Fourier series.

A system may include a plurality of computer systems configured to perform any of the foregoing methods.

A non-transitory computer readable medium may be encoded with computer code that, when executed by a plurality of computer systems, causes the plurality of computer systems to perform any one of the aforementioned methods.

Drawings

Figure 1 shows a schematic of an MPC container.

Fig. 2 shows the relationship between bits in the fixed-point representation.

FIG. 3 illustrates four projection operations for projecting representations between classes.

FIG. 4 illustrates an exemplary application of each of four projection operations to exemplary input values.

FIG. 5 shows a pseudo-code implementation of an offline phase of a Lift operation.

FIG. 6 shows a pseudo-code implementation of an online phase of a Lift operation.

FIG. 7 shows a pseudo-code implementation of the offline phase of the Share Refresh operation.

FIG. 8 shows a pseudo-code implementation of an online phase of a Share Refresh operation.

FIG. 9 shows a pseudo-code implementation of a ratiometric multiplication operation on two secret-shared values in modular representation.

FIG. 10 shows a schematic diagram of a Biffy multiplication operation.

FIG. 11 shows a pseudo-code implementation of a proportional-inverse multiplication operation on a secret-shared value and a public value in modular representation.

FIG. 12 shows a schematic diagram of a Biffy multiplication operation.

FIG. 13 shows exemplary inputs upon which a purge step may be performed.

FIG. 14 shows a pseudo-code implementation of a linear combination operation using ModReal notation.

Fig. 15 shows a schematic diagram of a linear combination operation.

Fig. 16A shows a communication channel for a trusted trader model.

Fig. 16B shows a communication channel for an honest but curious model.

Fig. 17 shows a schematic diagram of the communication channels between the participants during the online phase.

FIG. 18 illustrates a general computer architecture that can be suitably configured to implement the components disclosed herein.

Detailed Description

In the following description, reference is made to various embodiments in which the disclosed subject matter may be practiced. Some embodiments may be described using the expression one/another, etc., multiple instances of which are not necessarily referring to the same embodiment. Unless otherwise specified, particular features, structures, or characteristics associated with such examples may be combined in any suitable manner in the various embodiments. For example, the present disclosure may list a set or list of options or possibilities for one embodiment, and in such cases, the present disclosure specifically contemplates all obviously feasible combinations and/or permutations of items in the set or list.

1 Overview

In this disclosure, we propose a new technique for performing real-number arithmetic with high numerical precision using a modulo-integer representation in a multi-party computation (MPC) setting. In particular, we disclose a method for projecting a secret-shared value stored in a first modulo representation into a second modulo representation. In contrast to previous work, the disclosed solution eliminates the error without sacrificing efficiency or security, which matters for machine learning techniques such as linear regression and logistic regression.

We use a full-threshold security model for MPC and divide the computation into an offline phase and an online phase. The offline phase (independent of the input data) may be performed by a trusted trader or by an honest-but-curious trader. Stronger models and verifiability of this phase can be achieved by standard techniques such as oblivious transfer and cut-and-choose. The online phase computes the shares of the result.

In our work, we keep the same share definitions as in the previous work, but we modify the triple (masked value) definitions by adding a small term that completely eliminates overflow (as long as M/q ≤ 1/2). This approach keeps a single round of communication during the online phase and adds only a small number of binary operations, preserving the overall runtime. The new method is always correct, its security is unconditional, and it applies to any number of participants.

Briefly, overflow in ABY3 comes from the fact that, for example, during a division operation, a small plaintext x ∈ Z must be reconstructed from a random mask r' mod q (selected during the offline phase) and a masked value a = x' − r' mod q, the latter disclosed during the online phase before applying a division operation that is incompatible with the class mod q. To do this, both r' and a are implicitly lifted to integers in [−q/2, q/2). More precisely, in ABY3 Sections 5.1.1 and 5.1.2, these two implicit centered lifts occur during two operations: 1) in the definition of the triple r = r'/2^d, wherein is random, and 2) in the operation that discloses and locally computes (x' − r')/2^d. These two lifts do not always agree with the further assumption that a − r' equals x' over the real numbers (there is a small probability that the two sides differ by +q or −q). In our new setting, we preserve the full range of r', thus ensuring unconditional security. However, we split the group in half: during the offline phase we secret-share an additional bit encoding which half contains r', and we add that secret-shared bit to the same triple. Each half corresponds to a different lift of a − r', so each participant can compute both lifts and then blindly select the correct one during the online phase using the shared bit.

2 Plaintext values and representation of secret shares

2.1 Floating-point and fixed-point representations

A plaintext real number x may be represented in floating-point form as x = m · 2^e, wherein

the mantissa m is normalized so that 1/2 ≤ |m| < 1, and

the exponent e ∈ Z (depending on the data).

This representation is obviously data-dependent in the sense that both m and e depend on the plaintext value x. In particular, the value of the exponent e is exactly determined by the size of x. Since the floating-point representation requires information about the size of x to determine the exponent e, it depends on the data and is not MPC-friendly, because the compiler does not know the value e before the multi-party computation.

The plaintext real number x may also be expressed in fixed-point (integer) form as x = m · 2^e, wherein

the mantissa m is normalized so that 1/2 ≤ |m| < 1, and

the exponent e ∈ Z (a public value).

Before starting the multi-party computation, from the compiler's perspective the exponent may be treated as public, while the mantissa is treated as private. Since the compiler does not know the secret number x before the computation, it cannot determine the exact value e that guarantees the above normalization of m. This representation is also unsuitable because it easily overflows or underflows, as the following two examples show:

Overflow. Suppose we want to multiply the two binary numbers x = 10.1_(2) and y = 10_(2). Both have exponent 2. However, if the pre-computed common exponent of the result is still 2, the computation overflows, because x · y = 101_(2). We therefore need an exponent of at least 3 to avoid the overflow.

Underflow. Suppose the number of mantissa bits is bounded (e.g., 4 bits) and we want to compute x^2 = 1.1_(2) × 1.1_(2) = 10.01_(2). If we pre-computed the exponent to be 3 instead of 2, we lose precision at the low end, i.e. the result is 010.0_(2) instead of 10.01_(2).

We therefore adopt an intermediate approach in which we record a good enough bound on the exponent of each value in the program. The bound can be estimated statically by a special compiler through a specific statistical analysis. The method tracks public bounds on the secret values as tightly as possible without revealing the secret values themselves. In this sense our representation of real numbers is a hybrid that combines features of fixed-point and floating-point numbers.

From the compiler perspective, the exponent may be considered public, while the mantissa may be considered private. However, since the compiler of course does not know the secret number x, the compiler cannot determine the exact exponent e that guarantees the above normalization for m, but only an upper bound.

2.2 Hybrid plaintext representation of real numbers

We introduce the following parameters to represent real numbers in a fixed-point (integer) representation:

— plsb: the bit position of the least significant bit;

— (pmsb − 1): the bit position of the most significant bit;

— ρ = pmsb − plsb: the window of plaintext values, i.e., the fixed-point precision.

The parameters pmsb and plsb may be determined by a compiler based on a statistical analysis of the data for the desired operation. In practice, the limiting factor is the size of the numerical window ρ (i.e., the number of bits of the mantissa m, which corresponds to the difference between the exponent bound held by the compiler and the number of binary bits kept in the fractional part). The smaller ρ is, the more efficient the back-end operations are. Therefore, the static analysis must guarantee the following two conditions:

The statically determined bounds are sufficient to avoid overflow.

The bounds are as tight as possible to avoid loss of precision (given the limit on ρ).

Definition 1 (integer representation of real numbers). Given parameters pmsb and plsb, the class of plaintext values expressed with these parameters is denoted and defined as:

For example, for x = 1 we have pmsb = 1, and for x = 3 we have pmsb = 2. Note that this class means all real numbers (rational numbers in this case) strictly between −2^pmsb and 2^pmsb, with step 2^plsb. Note that plsb is usually negative (when we want to compute a few bits of precision for the exact integer and fractional parts), but this is not necessarily the case. A negative plsb means that we consider bits of the fractional part. ρ = pmsb − plsb essentially tells us how many bits are needed to represent the value. The more negative plsb is, the higher the precision of the floating-point number, and the more bits are needed to represent it.

Example 1. For pmsb = 40 and plsb = −10 we have ρ = 40 − (−10) = 50. In this case, the least significant bit is at position −10, the most significant bit at position 39, and the least significant non-fractional bit at position 0.

Example 2. For plsb = −2 and pmsb = 5, the value 11.5 is represented in binary as 1011.1_(2) and in the class as 01011.10_(2). In this case, the two fractional bits occupy bit positions −2 and −1, while the integer bits occupy positions 0 to 4. Note that a given real number may belong to several different plaintext classes (i.e., 11.5 in the above example belongs to this class but also to other classes).

FIG. 2 shows the relationship between the bit positions pmsb and plsb in a fixed-point representation, and the associated bits that would be affected in the case of underflow and overflow.

Plaintext overflow. The class is neither a group nor a ring; in particular, it is not stable under the usual arithmetic operations such as addition, subtraction and multiplication. For example, the number 3 belongs to the class with pmsb = 2, but 3 + 3, −3 − 3 and 3 × 3 all exceed its bound. More generally, whenever the result of an expression exceeds the output plaintext set, we call this a plaintext overflow.

To avoid the risk of plaintext overflow, we ensure that pmsb is at least log2(x). But the parameters pmsb and plsb of a variable must be specified at compile time (before the actual value of x is known), so to reduce the risk we need to set pmsb to an upper bound over all possible values. This ensures that no overflow occurs when the actual value is assigned to the variable. It also means that the actual (floating-point) precision is always less than the fixed-point precision pmsb − plsb.

Plaintext underflow. If the fixed exponent is chosen too large, the plaintext information may be lost completely. For example, if x = 1 × 10^−3 and y = 6 × 10^−6, xy = 6 × 10^−6, then in floating-point representation one decimal digit is sufficient for the mantissa of the product, and the exponent is computed as

On the other hand, in the fixed-point world, if the plaintext parameters of the inputs have been set to (pmsb, plsb) = (0, −14), corresponding to a precision of 4 decimal digits, a common error is to derive the product's pmsb from the two inputs' pmsb and, at this point, to expect the same 14-bit fixed-point precision for the result, i.e. the parameters (pmsb, plsb) = (0, −14): in this case, the result is computed as 0.0010 × 0.0060 = 0.0000, which loses the result completely. This case is called a plaintext underflow: although in this example we actually have a fixed-point precision of 14 bits, the computed result is completely wrong from a floating-point perspective.
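The following added example (not code from the patent) makes the class bookkeeping of Section 2.2 concrete for the overflow and underflow cases above. It assumes the class definition recovered from the examples (multiples of 2^plsb with absolute value below 2^pmsb) and round-half-to-even when encoding; the function names are the example's own.

```python
from fractions import Fraction


def _frac(x):
    """Exact rational from an int, a Fraction, or a decimal string such as "0.0010"."""
    return Fraction(x) if isinstance(x, (int, Fraction)) else Fraction(str(x))


def in_class(x, pmsb, plsb):
    """Assumed class definition: x is a multiple of 2^plsb and |x| < 2^pmsb."""
    x = _frac(x)
    step = Fraction(2) ** plsb
    return (x / step).denominator == 1 and abs(x) < Fraction(2) ** pmsb


def to_fixed(x, pmsb, plsb):
    """Integer mantissa m with x ~= m * 2^plsb; raises OverflowError on plaintext overflow."""
    step = Fraction(2) ** plsb
    m = round(_frac(x) / step)  # round() on a Fraction yields an int (half to even)
    if abs(m) * step >= Fraction(2) ** pmsb:
        raise OverflowError(f"{x} does not fit in class (pmsb={pmsb}, plsb={plsb})")
    return m


def from_fixed(m, plsb):
    """Real value of mantissa m at scale 2^plsb."""
    return m * Fraction(2) ** plsb


def overflows(x, pmsb, plsb):
    """True iff encoding x in the class (pmsb, plsb) is a plaintext overflow."""
    try:
        to_fixed(x, pmsb, plsb)
    except OverflowError:
        return True
    return False


def to_binary(x, pmsb, plsb):
    """Bit string with pmsb integer bits and -plsb fractional bits (x >= 0, plsb <= 0)."""
    m = to_fixed(x, pmsb, plsb)
    if m < 0 or plsb > 0:
        raise ValueError("to_binary expects x >= 0 and plsb <= 0")
    bits = format(m, f"0{pmsb - plsb}b")
    return bits[:pmsb] + ("." + bits[pmsb:] if plsb < 0 else "")


def fixed_mul(x, y, pmsb_out, plsb_out):
    """Exact product re-encoded in the output class. A plsb_out that keeps too few
    fractional bits silently rounds a small product to 0: plaintext underflow."""
    return from_fixed(to_fixed(_frac(x) * _frac(y), pmsb_out, plsb_out), plsb_out)


if __name__ == "__main__":
    print(to_binary("11.5", 5, -2))                          # 01011.10 (Example 2)
    print(overflows(5, 2, 0), overflows(5, 3, 0))             # 10.1 x 10 = 101 needs pmsb >= 3
    print(to_binary("2.25", 2, -2), to_binary("2.25", 3, -1))  # 10.01 vs 010.0 (underflow)
    print(fixed_mul("0.0010", "0.0060", 0, -14))              # 0: lost at 14 fractional bits
    print(float(fixed_mul("0.0010", "0.0060", 0, -28)))       # recovered once plsb is lowered
```

The product 0.0010 × 0.0060 is recoverable only when the output class keeps enough fractional bits; with plsb = −14 the mantissa rounds to 0 exactly as in the text, and lowering plsb to −28 keeps it.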

2.3 ModReal: modulo representation of real numbers

The ModReal representation refers to a modulo-integer representation of real arithmetic, which may be based on, for example, 64-bit or 128-bit integers. The representation may use the fixed-point (integer) unit of a processor, with a fixed-point representation of real numbers that keeps a fixed number of binary bits after the radix point.

To achieve security in multi-party computation, plaintext values of a given class are secret-shared into share values that typically belong to a class with larger parameters. In addition, secret shares are masked by values of a larger class. These larger secret-share classes are parameterized by two integers, Mmsb and plsb. We deliberately use the same symbol plsb, since in all cases it matches the plaintext least significant bit position; however, the parameter Mmsb for secret-shared data will typically be larger than the pmsb of the corresponding plaintext:

— plsb: the bit position of the least significant bit of the mask/share;

— (Mmsb − 1): the bit position of the most significant bit of the mask/share.

Definition 2 (modulo representation of real numbers). Given parameters Mmsb and plsb, the class for the modulo representation of real secret shares is defined as the finite abelian group

Note that and are isomorphic (as abelian groups), and that this class carries the module structure we will use.

The information-theoretic security property of the class that ultimately allows us to implement MPC computations (unlike the set of all real numbers) is that it admits a uniform distribution.

For plsb = −2 and pmsb = 6, the number x = 11.5 = 1/2 + 1 + 2 + 8 is represented in binary as 1011.1 and in the class as 001011.10. The opposite number x' = −11.5 = 52.5 = 1/2 + 4 + 16 + 32 mod 64 is represented in binary as 110100.1 and in the class as 110100.10. Note that the integer-part bits of x and x' are complementary. The first bit gives the sign of the number: if the first bit is 0 the number is positive, otherwise it is negative.

2.4 ModReal mathematical lifts

Before we define the notion of secret shares, we introduce several natural lifts from the torus (for a positive integer M) to the real numbers; they will be used throughout. Here a lift means a section of the natural surjection from the real numbers onto the torus. We define the following lifts, parameterized by the integer 2^M:

defined as the unique real number such that

defined as the unique real number such that

defined as the unique real number such that

is defined as ; the difference is either 0 or 2^M, depending on which half-space x belongs to.

2.5 Modulo representation of shares

The modulo representation may advantageously be used to represent the share of the secret shared real number.

Definition 3 (modulo representation of secret shares). In one embodiment, a number x of the plaintext class is secret-shared in the modulo class as a tuple of shares if the shares add up to x in that class.

If log2|x| < Mmsb − 1, i.e. when Mmsb ≥ pmsb + 1, the shares are correct and unconditionally secure.

The advantage of the modular representation over the non-modular representation of the MPC shares can be shown by way of example.

Example 1. We first consider the case of a non-modular representation of each share, using the non-modular classes described above. The plaintext integer 42 may be secret-shared among three parties as [33, 97, −88] in a class with small pmsb, or as [164301, −806845, 642586] in a class with larger pmsb. In both cases we need all three shares to recompute the exact plaintext integer. However, in the first case the sum of the first two shares, 130, is quite large and strongly indicates that the plaintext integer is positive. This problem is alleviated in the second sharing, which uses a larger pmsb, but at the cost of a larger representation.

Example 2. Next, we consider the same integer 42 shared among three participants in the modulo class as [33, 97, 40]. We need all three shares to recompute the exact plaintext integer, but this time, because the class is a group with a uniform distribution, the first two shares provide no information at all about the plaintext value. For a coalition of k − 1 out of k participants, the security of such shares is information-theoretic.

3 Projection operations

To support basic arithmetic operations such as addition and multiplication on secret-shared real numbers expressed in modulo-integer form, we first need to ensure that the two operands are projected into compatible classes (plaintext and secret-share classes). It is therefore important to have a projection operation that efficiently converts a representation on a given parameter set into a representation on another parameter set. In this section, we explain how to convert a set of modular shares from a given class into another set of modular shares from another class with different parameters M'msb, p'lsb. The projection operation may or may not require communication, depending on whether we decrease or increase the parameters plsb and Mmsb.

FIG. 3 shows the four projection operations that project a representation between classes, depending on whether we increase or decrease the parameters plsb and Mmsb. These four projection operations are Extend, Round, Project, and Lift (Lift is different from the natural lifts mentioned above).

FIG. 4 illustrates an exemplary application of each of the four projection operations to exemplary input values. In the example shown, the plaintext value x = 1011.1_(2) is secret-shared between two parties, with modular shares x1 = 1001000.10 and x2 = 000011.00. The example shows how, with different parameters plsb or Mmsb, the share x1 is projected into another modular share. For simplicity, the operations are given on scalars, but more generally all of these operations are performed independently on each coefficient of any vector/matrix/tensor.

Extend (p'lsb < plsb): the Extend projection operation adds least significant bits to each input share and sets the new least significant bits to 0 in the new representation. The Extend operation does not require communication between the participants.

Round (p'lsb > plsb): the Round projection operation removes least significant bits from each input share. It may be performed with or without communication between the participants holding the shares. Without communication, each participant locally rounds its share to remove the least significant bits. Because of carry-related errors, this implementation does not guarantee that the p'lsb least significant bit of the plaintext is correct. The Round projection operation may instead be implemented with communication between the participants, to ensure that the secret shares add up to the correct plaintext value at p'lsb. The implementation of this precision-preserving Round operation, called ShareRefresh, is described below; it is more costly in runtime, memory and communication.

Project (M'msb < Mmsb): the Project operation, which also requires no communication between the participants, transforms the shares homomorphically according to the natural surjection:

Lift (M'msb > Mmsb): the Lift projection operation requires communication between the participants, and has an offline phase and an online phase. The implementation of the Lift projection operation described below computes a correct result in 100% of cases. It improves on previous work, where the operation is probabilistic and has a non-zero probability of failure.

In the following, we explain the implementation of the Lift projection operation with an online phase and an offline phase according to one embodiment. We do this in a somewhat more general way, not necessarily assuming p'lsb = plsb. This has the practical advantage that the Lift operation and the ShareRefresh operation can generally be combined into one communication-requiring operation, rather than two separate ones.
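The following added example (not the patent's own code, which is in the figures) implements the three communication-free projections on a share as plain integer oper
ations and then enumerates every 2-party sharing of a constructed value to count how often each projection reconstructs the right result. The share layout (an integer modulo 2^(Mmsb − plsb), scaled by 2^plsb) and round-half-up for the local Round are assumptions of the example, as are the function names.

```python
def extend_share(k, Mmsb, plsb, plsb_new):
    """Extend (p'lsb < plsb): append zero least-significant bits; the share modulus grows from
    2^(Mmsb - plsb) to 2^(Mmsb - p'lsb). Local and exact."""
    assert plsb_new < plsb
    return (k << (plsb - plsb_new)) % (1 << (Mmsb - plsb_new))


def round_share_local(k, Mmsb, plsb, plsb_new):
    """Round (p'lsb > plsb) done locally: drop (p'lsb - plsb) bits with round-half-up. The carry
    between the parties' dropped bits is lost, so the reconstructed value may be off by one unit."""
    assert plsb_new > plsb
    s = plsb_new - plsb
    return ((k + (1 << (s - 1))) >> s) % (1 << (Mmsb - plsb_new))


def project_share(k, Mmsb, plsb, Mmsb_new):
    """Project (M'msb < Mmsb): reduce modulo 2^(M'msb - plsb). Local and exact, because
    reduction modulo a divisor of the modulus is a ring homomorphism."""
    assert Mmsb_new < Mmsb
    return k % (1 << (Mmsb_new - plsb))


def count_reconstruction_errors(op, k, mod_in, mod_out, expected):
    """Apply `op` share-wise to every 2-party sharing (k1, k2) of k in Z_mod_in and count how
    often the result reconstructed in Z_mod_out differs from `expected`."""
    errors = 0
    for k1 in range(mod_in):
        k2 = (k - k1) % mod_in
        if (op(k1) + op(k2)) % mod_out != expected:
            errors += 1
    return errors, mod_in


# Constructed input: x = 11.5 in the share class Mmsb = 5, plsb = -3, i.e. k = 92 in Z_256.
MMSB, PLSB, X_INT, MOD = 5, -3, 92, 1 << 8


def extend_errors():
    # one more fractional bit: 92 -> 184 in Z_512
    return count_reconstruction_errors(
        lambda k: extend_share(k, MMSB, PLSB, -4), X_INT, MOD, 1 << 9, 184)


def local_round_errors():
    # 11.5 in half-units is exactly 23, yet one sharing in four reconstructs to 24
    return count_reconstruction_errors(
        lambda k: round_share_local(k, MMSB, PLSB, -1), X_INT, MOD, 1 << 6, 23)


def project_errors():
    # drop the top integer bit: 92 stays 92 in Z_128
    return count_reconstruction_errors(
        lambda k: project_share(k, MMSB, PLSB, 4), X_INT, MOD, 1 << 7, 92)


if __name__ == "__main__":
    print("extend", extend_errors())           # (0, 256)
    print("local round", local_round_errors())  # (64, 256)
    print("project", project_errors())         # (0, 256)
```

The local Round fails exactly when both parties' dropped bits are 10_(2): each share rounds up and the lost carry shows up as an extra unit in the reconstructed plaintext. This is the carry-related error the text refers to, and the reason a communication round (ShareRefresh) is needed when that bit must be exact.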

3.1 Implementation of the Lift projection operation on secret shares in modular integer representation

In this section, we explain how to convert or project a set of shares from a first modular class into another set of shares in a second modular class, where M'msb of the second class is greater than Mmsb of the first class, and where p'lsb of the second class can be less than, equal to, or greater than plsb of the first class. We call this particular projection operation on secret shares in modular-integer representation Lift (capitalized to distinguish it from the more general natural lifts described above). In one embodiment, the Lift operation is performed partly offline (without communication between the participants) and partly online (with communication between the participants), in a multi-party computation system that includes a trusted trader.

According to one embodiment, the Lift operation runs on a secret-shared MPC container (recall the background section above) that is masked and disclosed as follows:

- the plaintext with secret shares , where pmsb ≤ Mmsb − 2;

- the mask shares , whose sum λ is uniformly random in and unknown to each participant;

- the mask value , which is disclosed and known to the participants.

The goal of the Lift operation is to compute secret shares of the same plaintext x, where M'msb is greater than Mmsb.

Definition 4.

Let and .

We partition the range into the disjoint union , where and . We define a selection variable (a bit) as follows:

In particular, b_λ = 0 is equivalent to , which can be rewritten as . Similarly, b_λ = 1 is equivalent to , which can be rewritten as .

The projection operation takes advantage of these two possibilities and encodes them into the bit b_λ: for quartermod_N(λ), either λ ∈ I0 or λ ∈ I1. Let . Two mathematical lifts (both in ) may be considered:

We can require that the secret-shared value x lie in the range x ∈ [−N/4, N/4), and when this condition is met we observe the following equation:

or, more succinctly,

This equation can be rewritten logically as

so that, according to the value of b_λ, it effectively selects between and .

To obtain the modular shares of x in (unmasking x into the second class), we project the above equation to the torus via the natural surjection. Since the trusted trader can precompute and secret-share the image v of quartermod_N(λ) (in ), each participant can, during the online phase, recover from v and the knowledge of , based on equation (1) above.

More concretely, this may be done as follows. For j ∈ {0, 1}, let . Each participant can determine (a1 − a0) from the revealed mask value a. The trusted trader precomputes b_λ and secret-shares it as . Although sharing b_λ could be done in , we note that all bits of the binary representation of (a1 − a0) except the highest M'msb − Mmsb bits are always zero. Thus it suffices for the trusted trader to secret-share the bit b_λ in the smaller module , and for each participant to multiply its share of b_λ by (a1 − a0).

In summary, the trusted trader needs to:

1. generate a random mask ;

2. compute the selection bit b_λ and secret-share it in ;

3. compute the lift v of λ to and secret-share it in .

That is,

where the function roundTo takes a real z and an integer and rounds z to the closest integer multiple of the step selected by that integer. Then v may be secret-shared in as .

In the online phase of the computation, each participant uses the lifts a0 and a1 to and extracts only the highest M'msb − Mmsb bits of centermod_N(x) + quartermod_N(λ) for the oblivious selection in the computation.
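As an added example of Definition 4 and of the three dealer steps above (not the pseudo-code of FIGS. 5 and 6), the Python below implements the three lifts of Section 2.4 and the full Lift protocol for the integer case (plsb = p'lsb = 0). It reads the sub-ranges I0 and I1 as v = quartermod_N(λ) lying in [−N/4, N/4) or in [N/4, 3N/4) respectively; that reading, the ranges assigned to the lifts, and the function names are assumptions of the example. For contrast it also counts the failures of the centered-lift approach discussed in Section 1.

```python
import random


def posmod(x, N):
    """Unique lift of x mod N into [0, N)."""
    return x % N


def centermod(x, N):
    """Unique lift of x mod N into [-N/2, N/2)."""
    return (x + N // 2) % N - N // 2


def quartermod(x, N):
    """Unique lift of x mod N into [-N/4, 3N/4) (assumed reading of the quarter-offset lift)."""
    return (x + N // 4) % N - N // 4


def share(k, n, modulus, rng):
    shares = [rng.randrange(modulus) for _ in range(n - 1)]
    shares.append((k - sum(shares)) % modulus)
    return shares


def lift_offline(Mmsb, Mmsb_new, n, rng, lam=None):
    """Trusted-dealer phase, N = 2^Mmsb, N' = 2^M'msb (integer case, plsb = p'lsb = 0 assumed).
    Produces the extended triple: shares of lambda in Z_N, of the half-indicator bit b in the
    small module Z_{2^(M'msb-Mmsb)}, and of v = quartermod_N(lambda) in Z_N'."""
    N, Np = 1 << Mmsb, 1 << Mmsb_new
    if lam is None:
        lam = rng.randrange(N)         # the full range of Z_N, nothing excluded
    v = quartermod(lam, N)
    b = 0 if v < N // 4 else 1         # I0: v in [-N/4, N/4); I1: v in [N/4, 3N/4)
    return {
        "lam": share(lam, n, N, rng),
        "b": share(b, n, Np >> Mmsb, rng),
        "v": share(v % Np, n, Np, rng),
    }


def lift_online(x_shares, triple, Mmsb, Mmsb_new):
    """Online phase: one broadcast round reveals a = x + lambda mod N; the rest is local."""
    N, Np = 1 << Mmsb, 1 << Mmsb_new
    a = sum((xi + li) % N for xi, li in zip(x_shares, triple["lam"])) % N
    a0, a1 = centermod(a, N), posmod(a, N)   # the two candidate lifts; a1 - a0 is 0 or N
    delta = a1 - a0
    out = []
    for i, (bi, vi) in enumerate(zip(triple["b"], triple["v"])):
        # share-wise evaluation of a0 + b*(a1 - a0) - v; only party 0 adds the public a0
        out.append(((a0 if i == 0 else 0) + delta * bi - vi) % Np)
    return out


def reconstruct_signed(shares, modulus):
    return centermod(sum(shares), modulus)


def exhaustive_lift_failures(Mmsb, Mmsb_new, n=3, seed=1):
    """Count failing (lambda, x) pairs over every lambda in Z_N and every x in [-N/4, N/4).
    (A mask is reused across x only to enumerate; a real dealer uses each lambda once.)"""
    rng = random.Random(seed)
    N, Np = 1 << Mmsb, 1 << Mmsb_new
    failures = 0
    for lam in range(N):
        triple = lift_offline(Mmsb, Mmsb_new, n, rng, lam=lam)
        for x in range(-N // 4, N // 4):
            out = lift_online(share(x % N, n, N, rng), triple, Mmsb, Mmsb_new)
            failures += reconstruct_signed(out, Np) != x
    return failures


def naive_centered_lift_failures(Mmsb):
    """The earlier approach sketched in Section 1: lift both a and lambda to [-N/2, N/2) and
    subtract. Counts the (lambda, x) pairs where a - lambda differs from x (by +N or -N)."""
    N = 1 << Mmsb
    return sum(centermod((x + lam) % N, N) - centermod(lam, N) != x
               for lam in range(N) for x in range(-N // 4, N // 4))


if __name__ == "__main__":
    print("Lift failures, N=64, N'=1024:", exhaustive_lift_failures(6, 10))  # 0
    print("centered-lift failures, N=64:", naive_centered_lift_failures(6))   # 256 of 2048
```

The exhaustive check over every λ in Z_64 and every x in [−16, 16) returns zero failures, which is the "always correct" property claimed in Section 1; the centered-lift variant fails exactly when x + centermod(λ) leaves [−N/2, N/2). Because a1 − a0 is either 0 or N, multiplying it by a share of b_λ taken modulo 2^(M'msb − Mmsb) already gives a correct share modulo N', which is why the dealer can share the bit in the smaller module.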

3.1.1 Pseudo-code implementation of the Lift operation

FIG. 5 illustrates a pseudo-code implementation of an offline phase of a Lift operation, according to one embodiment. FIG. 6 shows a pseudo-code implementation of the online phase of the Lift operation according to this embodiment.

In addition to the roundTo function described above, the Lift operation shown in fig. 5 and 6 utilizes the secretShares function, which takes as input a value and a specification of a class and outputs a plurality of secret shares to be added to the input value in a representation of the provided specification of the class.

For the online phase of the operation shown in FIG. 6, we define the operation … (for … and …) as

and finally extend … with M_msb − p′_lsb zeros. In this definition, the function msbN(x) outputs the N most significant bits of x.

3.2 ShareRefresh operation

Definition 5. Let (M_msb, p_lsb) and (M′_msb, p′_lsb) be two pairs of parameters such that M′_msb ≤ M_msb. The mapping

is defined as follows: for …, let z0 be any representative of … and set

It can be observed that this can be rewritten as:

Notation: the symbol … used here indicates that the number x is rounded to the nearest integer.

Proposition 1. Definition 5 is well defined, i.e. it does not depend on the choice of the representative z0.

Proof. Let z ∈ M_params and let z1, z2 be two representatives of z in …. By definition, there exists … such that …. Since p′_lsb ≤ M′_msb ≤ M_msb we get …. In particular, …. Since M′_msb ≤ M_msb we get ….

From this point on, we assume that params and params′ satisfy the hypothesis of Proposition 1.

In one embodiment, the Share Refresh operation is performed partially offline (without communication between the participants) and partially online (with communication between the participants). FIG. 7 illustrates a pseudo-code implementation of an offline phase of a Share Refresh operation, according to one embodiment. FIG. 8 shows a pseudo-code implementation of the online phase of the Share Refresh operation according to this embodiment.

4 Beaver multiplication

4.1 ModReal back-end multiplication

The multiplication of two secret shares … and … is defined as follows:

where … and … are referred to as the output parameters. These parameters are typically determined by the compiler during static analysis.

4.2 Parameter computation expressions

The following expressions show the computation of the various parameters used in conjunction with the following figures and the description of the Beaver multiplication:

4.3 Beaver multiplication (Secret-Secret) on the modular back end

FIG. 9 illustrates a pseudo-code implementation of a Beaver multiplication operation on two secret-shared values in modular representation, according to one embodiment. FIG. 10 shows a schematic diagram of the Beaver multiplication operation.

4.4 Beaver multiplication (Secret-Public) on the modular back end

FIG. 11 illustrates a pseudo-code implementation of a Beaver multiplication operation on a secret-shared value and a public value in modular representation, according to one embodiment. FIG. 12 shows a schematic diagram of the Beaver multiplication operation.

5 Linear combination

Let c^(1), …, c^(n) be public real numbers given as double-precision floating-point numbers, and let … with corresponding parameters … be given. Let … and k^(i) := 24 − v_2(…), where for a prime p, v_p(m) denotes the p-adic valuation of the integer m. In practice, these integers may be represented as 64-bit signed integers. The public vector

will be the approximation of our coefficients. The choice of 24 above is for plaintexts of a type like float32, whose mantissa is 24 bits.

The goal is then to compute …, with corresponding parameters … and …. We assume that the input shares are all in floating-point representation or all in modular representation. In one embodiment, mixed input is not supported and explicit casting is required. However, the output back end may differ from the input back end (e.g., an input in floating-point representation with an output in modular representation is also possible).

5.1 Default output parameters

When no plaintext parameters are available for the output, the statistical analyzer of the compiler may estimate the statistics of the result using the following propagation formulas: if all plaintexts are independent variables with mean … and variance Var(x^(i)), then the output

has mean and variance:

Note that the last formula only applies to independent arguments. In one embodiment, we use the following estimate for the variance of the sum:

Based on the propagation formulas, the compiler can already infer reasonable p_msb and p_lsb for the output container, and then allocate M_msb > p_msb to ensure the correctness and security of the computation. If the compiler cannot make the independence assumption, other techniques should be used to estimate the statistics of the result, such as modeling with dummy values.

5.2 Cleaning step

In one embodiment, before running the linear combination, the compiler preprocesses the linear combination inputs as follows: for all 1 ≤ i ≤ n,

- delete all indices i for which α^(i) = 0.

- delete all indices i for which …. This means that the term is negligible and can be discarded. Note that if we delete terms dynamically one by one, the right-hand side of the inequality above does not change (a deleted term cannot have the maximal p_lsb).

FIG. 13 shows exemplary inputs on which the cleaning step may be performed. In this example, the interval labeled 1 should be discarded because it is negligible: its p_msb position lies to the left of the maximal p_lsb position among the remaining intervals.

In addition, let … be the remaining index set; we can then test the following criteria (the output parameters should intersect the input parameter window):

- ensure the inequality

otherwise, declare the result negligible or zero.

- ensure the following inequality

otherwise, undefined behavior will occur.

5.3 Linear combination built-in function: ModReal case

In one embodiment, the compiler provides two operating parameters for the linear combination: … and …. These parameters are chosen so that the following properties hold:

lifting to the incoming ModReal share class … ensures that a single scalar product … can be computed without overflow and with sufficient precision (the latter requiring a precise definition).

the sum of all secret shares (k of them) of all individual terms (scalar products; n of them) can be computed in the class … without overflow (the latter needs to be defined precisely).

This makes the following default choice of parameters reasonable:

For each 1 ≤ i ≤ n, the i-th input container is first projected to ModReal numbers with parameters … and …. When …, this requires one lifting triplet (the mask λ associated with the container, and two temporary precomputed data b and v). Then the multiplication … produces parameters … and …, can be serialized, and the value can be accumulated with the other values. Finally, the sum is projected to the output parameters.

FIG. 14 illustrates a pseudo-code implementation of a linear combination operation using ModReal representation, according to one embodiment. Fig. 15 shows a schematic diagram of a linear combination operation.

6 Fourier approximation of real-valued functions

In general, the Fourier approximation of a complex-valued function f(x) is given in the following form

where T is the period and …. The coefficients a_n are in general complex, but if f(x) is a real-valued function, …, where n > 0 and …, then we have

This yields the transformation

The Fourier terms will then be triplets …, n = 0, 1, …, where … is a real coefficient and … is the phase.

As an example, consider the sigmoid function …. The real-valued function f(x) = σ(x) − 1/2 is odd, which means that the phases … are all equal to π/2.

6.1 Fourier series evaluation: ModReal case

We now explain how to evaluate expression (2) for … and secret shares ….

Recall mask

The trusted trader first computes the mask λ and the corresponding bit b_λ, then computes and secret-shares (in the offline phase) the vectors …, where n = 0, 1, ….

The online calculation is then performed as follows:

1. compute … as ….

2. use … and b_λ to correctly compute the lift …. This is possible because

3. for n = 0, 1, …, compute e^(2πina/T) (this requires the lifted a, not just the original …).

4. compute …. This requires determining the local multiplication in a certain plaintext class.
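The four online steps above, as an added Python example that is not the patent's code. Shares of x and of λ are floats on the torus R/TZ rather than ModReal fixed-point classes, and the dealer's per-harmonic vectors are assumed to be w_n = e^(−2πinλ/T); the function is the sigmoid example of Section 6, with T = 16 and 64 harmonics as constructed parameters.

```python
import cmath
import math
import secrets

# Added example (not the patent's own code): masked evaluation of a truncated
# Fourier series of sigma(x) - 1/2 on an additively shared input.
# Assumptions: shares of x and of the mask lambda live on the torus R/TZ as
# floats (not the ModReal fixed-point classes of the text), and the dealer's
# offline vectors are w_n = exp(-2*pi*i*n*lambda/T). Constructed parameters:

T = 16.0      # period of the approximation
K = 64        # number of harmonics

def f(x):
    return 1.0 / (1.0 + math.exp(-x)) - 0.5     # odd, so all phases are +-pi/2

def unif(bound):
    """Uniform float in [0, bound) from a CSPRNG."""
    return secrets.randbelow(1 << 53) / float(1 << 53) * bound

def fourier_coeffs(func, period, harmonics, samples=4096):
    """c_n = (1/T) * int_{-T/2}^{T/2} f(x) e^{-2 pi i n x/T} dx, midpoint Riemann sum."""
    xs = [-period / 2 + (m + 0.5) * period / samples for m in range(samples)]
    vals = [func(x) for x in xs]
    return [sum(v * cmath.exp(-2j * math.pi * n * x / period) for v, x in zip(vals, xs))
            / samples for n in range(harmonics + 1)]

def series_eval(coeffs, period, x):
    """Plaintext evaluation: c_0 + 2 * sum_{n>=1} Re(c_n e^{2 pi i n x/T})."""
    return coeffs[0].real + 2 * sum((c * cmath.exp(2j * math.pi * n * x / period)).real
                                    for n, c in enumerate(coeffs) if n)

def torus_share(value, period, parties):
    """Additive shares of value modulo the period."""
    r = [unif(period) for _ in range(parties - 1)]
    return r + [(value - sum(r)) % period]

def complex_share(value, parties):
    """Additive shares of a complex value over C (never revealed)."""
    r = [complex(unif(1e4) - 5e3, unif(1e4) - 5e3) for _ in range(parties - 1)]
    return r + [value - sum(r)]

def dealer_offline(period, harmonics, parties):
    """Offline: mask lambda, and shares of w_n = e^{-2 pi i n lambda/T}, n = 0..K."""
    lam = unif(period)
    w_shares = [complex_share(cmath.exp(-2j * math.pi * n * lam / period), parties)
                for n in range(harmonics + 1)]
    return torus_share(lam, period, parties), w_shares

def participants_online(x_shares, lam_shares, w_shares, coeffs, period):
    """Online: one broadcast of a = x + lambda mod T, then purely local work."""
    a = sum((xs + ls) % period for xs, ls in zip(x_shares, lam_shares)) % period
    e = [cmath.exp(2j * math.pi * n * a / period) for n in range(len(coeffs))]
    out = []
    for j in range(len(x_shares)):
        # c_n e^{2 pi i n x/T} = (c_n e^{2 pi i n a/T}) * w_n: public factor times a share
        s = 2 * sum((coeffs[n] * e[n] * w_shares[n][j]).real for n in range(1, len(coeffs)))
        out.append(s + (coeffs[0].real if j == 0 else 0.0))
    return out

def fourier_mpc_demo(x, parties=3):
    """Return (reconstructed MPC result, plaintext series value) for input x."""
    coeffs = fourier_coeffs(f, T, K)
    lam_s, w_s = dealer_offline(T, K, parties)
    y_s = participants_online(torus_share(x, T, parties), lam_s, w_s, coeffs, T)
    return sum(y_s), series_eval(coeffs, T, x)
```

Since e^(2πina/T) is public once a is revealed, step 4 is a local linear operation on the shares of w_n; the quality of the approximation itself depends only on T and K, not on the masking.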

To determine the plaintext parameters of the result, we impose a constraint that the entire computation occurs within a maximum number window of η bits (e.g., if we only want to use a 64-bit integer at the back end, then η is 64).

First, a trivial bound estimate may be used, namely

To obtain the optimal …, let p be the numerical window, i.e. …. Let …. Our constraint is given by the following inequality

2p+ε+2≤η,

i.e.

This means that we need to determine the maximum numerical window for computing the output. To see why this inequality should hold, note that if p-bit precision is required for each factor in the following product,

then the product needs 2p bits. We must then take the sum of these terms, which accounts for ε, and add two extra bits for the modular share class. Therefore, we can set

In addition, the compiler needs to provide the operating parameters for the Fourier series built-in function:

- a lifting parameter for the masked value a = x + λ,

- a lifting parameter for the mask λ.

To determine the operating parameters, we first determine the least significant bit position (we do so to ensure sufficient precision). The following formulas are reasonable:

and

and …. This choice requires some justification: the parameter … ensures that when computing e^(2πina/T) we have a numerical window of size p. In practice, the most significant bit position of this number is 0, so we need at least p binary digits in the fractional part. However, the same numerical window is required to compute both inputs of the Beaver multiplication, i.e., the multiplication we perform can be viewed as a mapping

7 communication model

Fig. 16A and 16B show schematic diagrams of the communication channels between computing systems during the offline phase of multi-party computation (MPC). Fig. 16A shows the communication channels for the trusted trader model, while Fig. 16B shows the channels for the honest-but-curious model. In the trusted trader model, the trader sends numerical masking data (also called triplets) to each participant through a private channel. In the honest-but-curious model, the participants have access to a private broadcast channel shared among themselves, and each additionally shares a private channel with the trader. Private channels are indicated by dashed lines. In the trusted trader model, the trader generates the masking data and sends a respective share of the data to each participant over a private channel (one-way arrow). In the honest-but-curious model, the parties collaborate to generate the numerical masking data, for which they need to establish an additional private broadcast channel between them that is inaccessible to the trader. Although only three participants are shown, the model extends to any number of participants.

Fig. 17 shows a schematic diagram of the communication channels between the participants during the online phase according to one embodiment. Each participant transmits and receives masked values over a common broadcast channel, indicated by a solid line. The online phase is the same in the trusted trader and the honest-but-curious models, and the trader is not involved in it.

Although the methods disclosed herein are in some places described with respect to the trusted trader model, they are also applicable to the honest-but-curious model.

8 computer implementation

The components of the embodiments disclosed herein may be referred to as methods, procedures, applications, programs, modules, engines, functions, etc., which may be implemented by configuring one or more computers or computer systems using specialized software embodied as instructions on non-transitory computer-readable media. The one or more computers or computer systems may be or include one or more separate client and/or server computers, which may optionally be networked via a wired and/or wireless network as a networked computer system.

The specialized software may include one or more instances thereof, each of which may include, for example, one or more of client software, server software, desktop application software, database software, operating system software, and driver software. The client software is configured to operate the system as a client that sends information requests to and receives information from one or more servers and/or databases. The server software may be configured to operate the system as one or more servers that receive requests for information from and send information to one or more clients. Desktop application software and/or application software may run as desktop applications or apps on desktop and/or portable computers. The database software may be configured to run one or more databases on the system to store data and/or information and to retrieve, store, and/or update data in response to requests by the client software. The operating system software and driver software may be configured to provide an interface for the operating system as a platform and/or to drive hardware or processes for use by the computer or by other software of the computer system. For example, any data created, used, or executed by embodiments disclosed herein may be stored in, accessed from, and/or modified in a database running on a computer system.

FIG. 18 illustrates a general computer architecture 1800 that can be suitably configured to implement the disclosed components in accordance with various embodiments. The computing architecture 1800 may include a variety of common computing elements, such as a computer 1801, a network 1818, and one or more remote computers 1830. However, the embodiments disclosed herein are not limited to implementation by the general computing architecture 1800.

Referring to fig. 18, the computer 1801 may be any of a variety of general purpose computers, such as, for example, a server, a desktop computer, a laptop computer, a tablet computer, or a mobile computing device. The computer 1801 may include a processing unit 1802, a system memory 1804, and a system bus 1806.

The processing unit 1802 can be or include any one or more of a variety of commercially available computer processors, each of which can include one or more processing cores that can operate independently of each other. Additional co-processing units, such as graphics processing unit 1803, may also be present in the computer.

The system memory 1804 may include volatile devices such as Dynamic Random Access Memory (DRAM) or other random access memory devices. The system memory 1804 may also or alternatively include non-volatile devices, such as read-only memory or flash memory.

The computer 1801 may include local non-volatile secondary storage 1808, such as a disk drive, a solid state disk, or a removable memory card. The local storage 1808 may include one or more removable and/or non-removable storage units. The local storage 1808 may be used to store an operating system that launches and manages various application programs that execute on the computer. Local storage 1808 may also be used to store components configured to implement embodiments disclosed herein and specialized software that may be executed as one or more applications under a running system.

The computer 1801 may also include a communication device 1812 by which the computer communicates with other devices, such as one or more remote computers 1830 via a wired and/or wireless computer network 1818. The communication device 1812 may include a network interface, for example, for communicating data over a wired computer network. The communication device 1812 may include, for example, one or more radio transmitters for communicating over a Wi-Fi, bluetooth, and/or mobile phone network.

The computer 1801 may also access a network storage 1820 via a computer network 1818. The network storage may include, for example, network attached storage located on a local network, or cloud-based storage hosted at one or more remote data centers. The operating system and/or specialized software may alternatively be stored in the network storage 1820.

The computer 1801 may have various input devices 1814 such as a keyboard, mouse, touch screen, camera, microphone, accelerometer, thermometer, magnetometer, or any other sensor. An output device 1816 such as a display, speakers, printer, or eccentric rotating mass vibrating motor may also be included.

The various storage devices 1808, communication devices 1812, output devices 1816 and input devices 1814 may be integrated within the housing of the computer or may be connected by various input/output interface devices on the computer, in which case the reference numerals 1808, 1812, 1814 and 1816 may indicate interfaces for connecting to the devices or the devices themselves, as the case may be.

Any of the preceding aspects may be embodied in one or more instances as a computer system, a process performed by such a computer system, any individual component of such a computer system, or an article of manufacture that comprises a computer storage device, wherein computer program instructions are stored in the computer storage device and, when processed by one or more computers, configure the one or more computers to provide such a computer system or any individual component of such a computer system. A server, computer server, host, or client device may each be embodied as a computer or computer system. Computer systems may be practiced in distributed computing environments where operations are performed by multiple computers that are linked through a communications network. In a distributed computing environment, computer programs may be located in both local and remote computer storage media.

Each component of a computer system, such as described herein and running on one or more computers, may be implemented using one or more processing units of the computer and one or more computer programs processed by the one or more processing units. The computer programs include computer-executable instructions and/or computer-interpreted instructions, such as program modules, that are processed by one or more processing units in the computer. Generally, such instructions define routines, programs, objects, components, data structures, etc., that, when processed by a processing unit, instruct the processing unit to perform operations on data or configure a processor or computer to implement various components or data structures.

The components of the embodiments disclosed herein may be referred to as modules, engines, processes, functions, and the like, which may be implemented in hardware, such as by using dedicated hardware logic components, by configuring general purpose computing resources using dedicated software, or by a combination of dedicated hardware and configured general purpose computing resources. Illustrative types of hardware logic components that may be used include, for example, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), system on a chip (SOCs), and Complex Programmable Logic Devices (CPLDs).

9 Conclusion

While the subject matter has been described in terms of certain embodiments, other embodiments that may or may not provide the various features and aspects set forth herein should be understood as contemplated by the present disclosure. The specific embodiments described above are disclosed by way of example only, and the scope of patented subject matter is defined by the appended claims. In the claims, the term "based on" shall include the case where one factor is considered directly and/or indirectly in producing a result or effect, and possibly in combination with other factors. In the claims, a portion shall include more than none and up to the entire thing; the encrypting of the item includes encrypting a portion of the item. In the method claims, any reference characters are used for descriptive convenience only and do not denote a particular order of execution for the methods.
