阅读说明：本技术 一种基于可信第三方的隐私数据两方安全相等测试方法 (Trusted third party-based private data two-party security equality testing method ) 是由 张晋升 仇钧 姚利虎 沈稚源 韩静 于 2021-06-10 设计创作，主要内容包括：本发明涉及一种基于可信第三方的隐私数据两方安全相等测试方法,包括步骤：利用可信第三方,随机选择两个随机数作为计算双方的输入的掩码,并将随机生成的两个随机数分别发送至计算双方；在可信第三方随机选择两个随机数的同时,分别为计算双方生成用以进行相等测试运算的运算密钥；计算双方根据自身输入,生成加有掩码的输入,并发送给对方；计算双方根据加有掩码的输入以及自身的运算密钥,进行相等测试计算,获取自身相应的计算结果。与现有技术相比,本发明具有提高计算效率,降低通信量等优点。(The invention relates to a trusted third party-based private data two-party security equality testing method, which comprises the following steps: randomly selecting two random numbers as masks input by both computing parties by using a trusted third party, and respectively sending the two random numbers generated randomly to both computing parties; when a trusted third party randomly selects two random numbers, operation keys for performing equal test operation are respectively generated for two calculation parties; the two calculation parties generate an input added with a mask according to the input of the two calculation parties and send the input to the other calculation party; and the two calculation parties perform equal test calculation according to the input added with the mask and the own operation key to obtain the own corresponding calculation result. Compared with the prior art, the method has the advantages of improving the calculation efficiency, reducing the communication traffic and the like.)

1. A private data two-party security equal testing method based on a trusted third party is characterized by comprising the following steps:

randomly selecting two random numbers as masks input by both computing parties by using a trusted third party, and respectively sending the two random numbers generated randomly to both computing parties;

when a trusted third party randomly selects two random numbers, operation keys for performing equal test operation are respectively generated for two calculation parties;

the two calculation parties generate an input added with a mask according to the input of the two calculation parties and send the input to the other calculation party;

and the two calculation parties perform equal test calculation according to the input added with the mask and the own operation key to obtain the own corresponding calculation result.

2. The trusted third party-based private data two-party security equivalence test method of claim 1, wherein the trusted third party computes both parties according to the algorithm KeyGen to generate an arithmetic key for performing equivalence test operations.

3. The trusted third party-based private data two-party security equivalence testing method of claim 1, wherein in the process of selecting two random numbers by the trusted third party, a CTR/ECB encryption mode of AES is used to speed up random number performance.

4. The trusted third party-based private data two-party security equivalence test method of claim 3, wherein the trusted third party transmits AES encryption keys via Diffie-Hellman's key exchange protocol.

Technical Field

The invention relates to the technical field of computers, in particular to a private data two-party security equality testing method based on a trusted third party.

Background

In the era of big data networking, the privacy protection problem of sensitive data becomes a prominent problem which needs to be solved urgently, and particularly under the condition that various laws related to privacy protection are issued at home and abroad in recent years, important items related to the sensitive data are stranded due to the lack of privacy protection on key data. In order to enable data to flow (invisible) without exposure, privacy computing plays an important role as a main tool and means in a series of environments requiring privacy protection, such as blockchains, federal learning, and the like.

In common privacy computation, operators of two-party privacy protection computation based on a trusted third party, such as two-party safe four-rule operation, comparison operation, EQT operation (testing whether two integers are equal) and the like, become the basis for constructing privacy computation. However, due to the calculation overhead and the network overhead of the existing implementation scheme, the calculation efficiency of the existing scheme cannot be improved well when the existing scheme is applied to large-scale data operation.

One of the solutions of the EQT technology in the prior art that can implement privacy protection is implemented by using a secret sharing method through a secure subtraction, a bit decomposition algorithm, and an EQZ (test whether a current integer is 0) algorithm. To better understand the process of the entire scheme, we first introduce the EQT procedure for the non-privacy protected version:

1) performing subtraction calculation on two input numbers, namely z is x-y;

2) decomposing z into bit form, i.e. z ═ z₁z₂…z_lWherein z is assumed to be an integer l bits long;

3) and performing an EQZ test on z, namely performing OR operation on all bits of z after bit decomposition, and if the result is 0, indicating that x and y are equal. Otherwise, the two are not equal.

The privacy protection method of the EQT is to construct the whole process from secret sharingThe essence of secret sharing is that for each input x, it is decomposed into two random numbers and distributed to two parties, i.e. x ═ x]₀+[x]₁Wherein [ x ]]₀And [ x ]]₁Each represents P₀And P₁The resulting secret shard for x, P₀And P₁Representing two parties involved in the privacy computation, respectively. The subtraction is based on secret sharing, and in short, the two parties subtract the secret slices x and y corresponding to each other. The secret sharing multiplication needs to generate random multiplication pairs by a trusted third party and needs to be completed by two parties through one interaction.

Subsequently, the bit decomposition and EQZ testing of z is an efficiency bottleneck for this approach. The bit decomposition of z can be understood as bit decomposition of z slices, and after the decomposition, it is ensured that the addition of bits after decomposition corresponds to the addition result after the decomposition of the original bits of z. In addition, secret sharing of bits after decomposition becomesThat is to say that the exclusive or of the bits replaces the addition (equivalent in binary addition and exclusive or operations), while the sum of the bits then replaces the multiplication.

Finally, the EQZ test, i.e. performing a privacy-preserving or operation on a bit-by-bit basis, may be replaced by two exclusive-or operations and one and operation, and thus the privacy-preserving or operation is performed l times. That is, here P₀And P₁At least one round of interaction is performed to complete the sequence or operation. I.e. complexity of bit decomposition and EQZ operation leading to P₀And P₁The number of communication rounds. Assuming that l is 64, a generic 64-bit integer, then performing an equality test requires at least 64 rounds of communication. However, as the demand for internet services increases, current privacy protection is facing the challenge of processing and analyzing private data, especially where near real-time processing of such data is required. According to the comparison method, the calculation amount is large and time is consumedThe method is long, occupies a large amount of network space, cannot help to process a huge data set and provide response in real time, and is unacceptable in the current internet era; in the big data era, the application ratio of the general operator is high, and the network overhead caused by the method cannot be accepted.

The second prior art scheme is to use the garbled circuit to implement the encoding of the logic circuit to obtain an encrypted garbled circuit. For the garbled circuit, the main steps and the secret sharing are basically similar, but because the operation is not performed on the original plaintext circuit, for each bit, the encoding party needs to encode by using a 128-bit random number to achieve the purpose of encryption. Meanwhile, since the garbled circuit calculator is required to obtain the random codes corresponding to the corresponding inputs of the garbled circuit calculator between the calculation of the garbled circuit result, the overhead of the part which is transmitted carelessly is involved, and the overhead of the part which is transmitted carelessly can be reduced by a trusted third party.

Generally, in the garbled circuit scheme, both computing parties can compute the final result through one round of communication. The network overhead can be divided into the overhead of inadvertent transmissions and the overhead of garbled circuits. The overhead of the inadvertent transmission is at least 128l bits, and the overhead of the garbled circuit is at least 256l bits. However, for 64-bit integers, the garbled circuit scheme requires at least 3KB of data to be transferred to complete a comparison. For large-scale comparison operation, the network overhead cost is too large. Therefore, for large data operations, the amount of network traffic will become an important performance bottleneck.

Disclosure of Invention

The invention aims to overcome the defects of the prior art and provide a method for testing the safety equality of two parties based on private data of a trusted third party.

The purpose of the invention can be realized by the following technical scheme:

a private data two-party security equal testing method based on a trusted third party comprises the following steps:

randomly selecting two random numbers as masks input by both computing parties by using a trusted third party, and respectively sending the two random numbers generated randomly to both computing parties;

when a trusted third party randomly selects two random numbers, operation keys for performing equal test operation are respectively generated for two calculation parties;

the two calculation parties generate an input added with a mask according to the input of the two calculation parties and send the input to the other calculation party;

and the two calculation parties perform equal test calculation according to the input added with the mask and the own operation key to obtain the own corresponding calculation result.

Further, the trusted third party calculates both parties according to the algorithm KeyGen to generate an operation key for performing the equality test operation.

Further, in the process that the trusted third party selects two random numbers, the CTR/ECB encryption mode of AES is adopted to accelerate the performance of the random numbers.

Further, the trusted third party transmits the AES encryption key via Diffie-Hellman's key exchange protocol.

Compared with the prior art, the private data security equality testing method based on the trusted third party at least has the following beneficial effects:

1) the method improves the existing scheme from the aspect of communication wheel number and communication traffic, and the equivalent comparison requires less consumed bandwidth and calculation amount, so that the network communication traffic can be further reduced while the network communication wheel number is minimized; the traffic is reduced by nearly 50% compared to at least 128l +256l for a garbled circuit; compared with a secret sharing mode, the number of communication rounds is reduced by more than 90%.

2) The invention constructs a special data structure and a method, the data structure is constructed based on a tree-shaped data structure, and the internal operation only relates to simple addition, subtraction and exclusive-or operation; in addition, the generation of random numbers adopts a special instruction set mode to accelerate speed. The calculation efficiency can be further improved, and the communication traffic can be reduced.

Drawings

Fig. 1 is a schematic flowchart of a private data two-party security equivalence testing method based on a trusted third party in the embodiment.

Detailed Description

The invention is described in detail below with reference to the figures and specific embodiments. It is to be understood that the embodiments described are only a few embodiments of the present invention, and not all embodiments. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, shall fall within the scope of protection of the present invention.

Examples

In order to facilitate a better understanding of the present application, the technical parameter terms related to the present embodiment will be briefly described below.

EQT: the two integers are tested for equality and are typically written as EQT (x, y) as a functional form.

EQZ: test whether the current integer is 0, usually written as eqz (x) as a functional form.

P₀And P₁: representing two parties involved in the privacy computation.

The random number generator has an input of a seed s with a length of in bits and an output of a random number with out bits.

An input x of length in bits is converted to an output of length out bits.

λ: representing the security parameters of the system.

Representing an exclusive or operation of two bit strings or two integers.

The invention relates to a method for testing the security equivalence of two parties of private data based on a trusted third party, the flow of the complete technical scheme of the method is shown in figure 1, b E {0, 1} is used for representing one of the two parties (correspondingly, 1-b represents the other party), and the method comprises the following specific steps:

step one, acquiring initial data of a target user through data acquisition equipment, dividing the initial data into first grouped data and second grouped data which are shared randomly, wherein the two grouped data respectively represent a computing party P₀And P₁。

A trusted third party randomly selects two random numbers r with the length of lambda bits₀And r₁As P₀And P₁The input mask, and then sends the two numbers to both parties separately (note: P)_bThe random number r cannot be obtained_1-b)。

Step two, simultaneously with the step above, the trusted third party needs to generate the key k for calculating the EQT for the two parties according to the KeyGen algorithm₀And k₁This key will be used by both parties to calculate the EQT (the algorithm KeyGen will be introduced later).

And step three, the two parties generate the input added with the mask according to the input of the two parties and send the input to the other party.

Step four, the two parties operate the EQT to calculate the corresponding result z according to the input of the added mask and the operation key of the two parties₀And z₁Wherein z is₀+z₁X-y (algorithm EQT will be described later).

The main contents of the algorithm KeyGen are: trusted third party computing k₀,k₁KeyGen (alpha, 1), where alpha r₀-r₁The difference between the two masks is indicated. The specific steps of the algorithm are as follows:

1: let alpha be alpha₀α₁…α_l-1Bit representation of alpha, where alpha₀Represents the highest bit of alpha;

2: let s, t, and cw be three empty lists;

3: generating two random numbers with the length of lambda bits and adding the random numbers into a list s;

4: adding two numbers of 0 and 1 into the list t respectively;

5: repeating the steps from i to l-1 from 0 to 6-12;

6: order toAndwhereinRespectively representing random numbers of length lambda bits,also respectively represent random numbers of length lambda bits,respectively represent random bits;

7: computingWherein s is_cwIs a bit string of length λ bits;

8: computingAndwherein the content of the first and second substances,represents two bits;

9: will s_cw,v_cw,Adding the list cw;

10: let t₀＝t[-2]And t₁＝t[-1]I.e. t₀,t₁Respectively representing the values of the penultimate and penultimate bits of the list t so far;

11: will be provided withAndadding the list s;

12: will be provided withAndadding the list t;

13: will be provided withAdding to the list cw, where s-2],s[-1]Respectively representing the values of the penultimate and penultimate bit strings of the list s up to now;

14：return k₀＝(s[0]cw) and k₁＝(s[1]Cw) in which s [0 ]],s[1]Respectively representing the values, k, of the first and second bit strings of the list s₀,k₁Respectively indicate to be sent to P₀And P₁The key of (2).

The general idea of the algorithm KeyGen is: each bit of α corresponds to each layer of the for loop. For the ith layer, s_cwCorresponding to the seed 1-alpha on the upper layer_i-1Generating random numbers corresponding to the two child nodes;corresponding is a complementary entry to the control bit queue t. At the ith layer, two terms are generated that add to s and two terms that add to t:

a. two terms added to s are two random numbers in the form ofThe exclusive or result of the two terms is the exclusive or of the 4 random numbers generated by the layer;

b. two terms added to t are two random bits, which are shaped asThe exclusive or result of these two terms is 1.

The following description, in conjunction with the EQT algorithm, will clearly understand the significance of the above:

1: let w be w₀w₁…w_l-1Bit representation of w, where w₀Represents the highest bit of w;

2: let s and t be two empty lists;

3: resolution of k_b＝s[b]Cw, mixing k_bFirst term of (1 s b)]Adding the list s;

4: b is added into the list t respectively;

5: repeating the steps from i to l-1 from 0 to 6-9;

6: let s_cw＝cw[3i]，Wherein s is_cw,Values representing items 3i to 3i +2 of the list cw, respectively;

7: order toWherein, s < -1 [ - ]]Represents the value of the last-but-one bit string of the list s so far, t-1]Representing the value of the last bit of the list t so far, s⁰,s¹Respectively representing a random bit string of length lambda bits, t⁰,t¹Each representing a random bit. If t [ -1 ]]Is 0, thenIf not, then,the exclusive-or operation here means performing an exclusive-or operation on two input sides by bits;

8: will be provided withAdding the list s;

9: will be provided withAdding the list t;

10：returnwherein, s < -1 [ - ]]Represents the value of the last-but-one bit string of the list s so far, t-1]Represents the value of the last bit of the list t so far, cw [ -1 [, in]Represents the value of the penultimate item of the list cw so far.

The general idea of the algorithm EQT is: for each layer, if the current input w_i＝α_iThen, two random number seeds s generated by both parties on line 7 of the EQT are calculated⁰,s¹It is equal to the two values, two control bits t, respectively, added to the current layer s list in KeyGen⁰,t¹The same is also equal to the two values added to the current layer t list in KeyGen, respectively. Otherwise, two random number seeds s generated by the two parties in the 7 th line of the EQT are calculated⁰＝s¹Two control bits t⁰＝t¹. Thus, the output result of the last row is the w of all layers_i＝α_iWhen y is₀+y₁1, otherwise, y₀+y₁＝0。

The following factors are considered in the implementation of the embodiment:

1) the safety parameter is set to λ 128 to meet moderate safety performance requirements. Unlike conventional random number generator generation methods, the methods hereinThe generation of (A) is to encrypt the seed(s) to generate random numbers to improve the performance by using the CTR/ECB encryption mode of AES (AES is one of the common implementations of symmetric block encryption, CTR and ECB are two of them the implementation efficiency is fasterA kind of encryption mode). The AES can be further realized by utilizing an AES-NI instruction set of hardware so as to further improve the realization efficiency. The CTR/ECB encryption mode of AES is a common approach in the prior art and is not described herein in detail.

2) The calculation two parties need to agree on the encryption key of AES before the protocol starts, this step can transmit AES encryption key through the secure key exchange protocol of Diffie-Hellman, in the concrete implementation, two parties need to select a calculation number field F first_pThen, a generator g on the number field is negotiated together, and then the generator is operated by secret random numbers a and b respectively selected by the two parties according to the generator to respectively obtain g^aAnd g^bAnd sent to the other party, and finally the two parties calculate g^abAnd the randomly generated AES key is encrypted by taking the AES key as a key to complete key exchange.

3) For a complete EQT example, due to the random number r₀,r₁Embedded into the algorithm at the KeyGen stage, the entire KeyGen + EQT cannot be reused, mainly for security concerns.

The traffic is reduced by nearly 50% compared to at least 128l +256l for a garbled circuit, but the number of communication rounds remains the same as for a garbled circuit. Compared with a secret sharing mode, the number of communication rounds is reduced by more than 90%. In conclusion, the effect of the technical scheme of the method is very obvious and can also achieve a good practical effect compared with the existing scheme. In addition, the communication traffic can be further reduced by considering the difference compression using the sorting arrays during the transmission.

The technical key point of the invention is to construct a special data structure and a method, the data structure is constructed based on a tree-shaped data structure, and the internal operation only involves simple addition, subtraction and exclusive-or operation. In addition, the generation of random numbers adopts a special instruction set mode to accelerate speed. Therefore, this EQT generation technique is currently the most effective method.

While the invention has been described with reference to specific embodiments, the invention is not limited thereto, and those skilled in the art can easily conceive of various equivalent modifications or substitutions within the technical scope of the invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.