CN118520487B

CN118520487B - Full-hidden-trace service processing method and service system based on safe multi-party calculation

Info

Publication number: CN118520487B
Application number: CN202411000063.7A
Authority: CN
Inventors: 王勤; 屠家华; 殷奔鑫
Original assignee: Jishu Hangzhou Technology Co ltd
Current assignee: Jishu Hangzhou Technology Co ltd
Priority date: 2024-07-24
Filing date: 2024-07-24
Publication date: 2024-10-11
Anticipated expiration: 2044-07-24
Also published as: CN118520487A

Abstract

The embodiment of the invention provides a full-hidden-trace service processing method and a service system based on secure multi-party calculation, wherein the service processing method is applied to a service execution end and comprises the following steps: responding to a service request, acquiring a first object set of a target service and a first association set corresponding to the first object set, and encrypting the first object set to obtain a first encrypted object set; calling an unintentional pseudo-random function, and calculating a first identification set and a first encryption sharing set based on a first encryption object set input by a service execution end and an encryption key value pair input by a data providing end; updating the first encryption shared set based on the first association set; and calling a secure multiparty computing framework, and performing secure multiparty computing based on the first identification set imported by the service execution end, the updated first encryption sharing set, the second identification set imported by the data providing end and the second encryption sharing set to obtain a service processing result. The method realizes the complete trace of the data of the service execution end and the data providing end, and ensures the data security.

Description

Full-hidden-trace service processing method and service system based on safe multi-party calculation

Technical Field

The embodiment of the invention relates to the technical field of computers, in particular to a full-hidden-trace business processing method and a business system based on safe multi-party calculation.

Background

In the service processing process, for the same target service, different institutions may store associated data for the same object, and in this scenario, there is often a requirement for performing joint calculation on the associated data of the same object between different institutions, for example, a scenario of calculating the sum of consumption of users on two platforms. For data security, each organization does not want to expose its associated data to the other while performing the calculations.

In the related art, in order to ensure the safety of the data of all parties in the joint calculation, a privacy intersection technology is adopted, namely, all institutions encrypt the data of the institutions themselves, so that the data cannot be acquired or cracked by other participating institutions. However, the associated data specifically participating in the joint calculation in the method can still be acquired by each participant, and the data security cannot be completely ensured.

Therefore, a safe service processing method for realizing the complete hiding of the specific participation calculation data in the joint calculation process is needed.

Disclosure of Invention

In view of the above, the embodiments of the present invention provide a service processing method applied to a service execution end, so as to solve the technical defects existing in the prior art.

According to an aspect of the embodiment of the invention, there is provided a method for processing a full-track service based on secure multiparty computation, applied to a service execution end, including: responding to a service request, acquiring a first object set of a target service and a first association set corresponding to the first object set, and encrypting the first object set to obtain a first encrypted object set; invoking an unintentional pseudo-random function, and calculating to obtain a first identification set and a first encryption sharing set based on a first encryption object set input by a service execution end and an encryption key value pair input by a data providing end, wherein the encryption key value pair comprises a second encryption object set obtained by encrypting a second object set of a target service by the data providing end and a second encryption association set obtained by encrypting a second association set corresponding to the second object set, and identification data in the first identification set corresponds to encryption association values in the first encryption sharing set one by one; updating the first encryption sharing set based on the first association set to obtain an updated first encryption sharing set; and calling a secure multiparty computing framework, and performing secure multiparty computing based on a first identification set imported by the service execution end, an updated first encryption sharing set, a second identification set imported by the data providing end and a second encryption sharing set to obtain a service processing result, wherein the second encryption sharing set is constructed and obtained by the data providing end based on the second identification set and the key data set adopted for encrypting the second association set, and the identification data in the second identification set corresponds to the key data in the second encryption sharing set one by one.

According to the embodiment of the invention, for the data providing end, the second object set is encrypted into the second encrypted object set, the second associated set is encrypted into the second encrypted associated set before the data providing end invokes the secure multiparty computing framework, and then the encryption key value pair comprising the second encrypted object set and the second encrypted associated set is sent to the service executing end, so that the service executing end cannot directly acquire the second object set and the second associated set, and the data security of the data providing end is ensured. For the service execution end, the first encryption object set is obtained by encrypting the first object set before the secure multiparty computing framework is called, and the first association set is updated in the first encryption sharing set, so that the data providing end cannot directly obtain the first object set and the first association set when the secure multiparty computing framework is called, and the data security of the service execution end is ensured. Meanwhile, when the secure multiparty computing framework is called, a first identification set imported by the service execution end and an updated first encryption sharing set are received, a second identification set imported by the data providing end and a second encryption sharing set comprising a key set are received, because the identification data in the first identification set corresponds to the encryption association values in the first encryption sharing set one by one, the identification data in the second identification set corresponds to the key data in the second encryption sharing set one by one, the matching relation between the key data and the encryption association values is determined, and the real first association value and the second association value are obtained, so that the accurate secure multiparty computation is carried out based on the first association value and the second association value under the condition of ensuring the complete hiding of the data.

Drawings

FIG. 1 is a schematic diagram of a process for an inadvertent pseudorandom function provided by one embodiment of the invention;

FIG. 2 is a schematic diagram of a process for inadvertently programmable pseudo-random functions provided by one embodiment of the invention;

FIG. 3 is an interactive schematic diagram of a secure multiparty computing-based all-track business system according to an embodiment of the present invention;

FIG. 4 is a flow chart of a first method for secure multiparty computing-based full track business processing in accordance with an embodiment of the present invention;

FIG. 5 is a flow chart of a second method for secure multiparty computing-based full track business processing in accordance with an embodiment of the present invention;

FIG. 6 is a flow chart of a third method for secure multiparty computing-based full track business processing in accordance with an embodiment of the present invention;

FIG. 7 is a process flow diagram of a method for secure multiparty computing-based full track business processing in accordance with one embodiment of the present invention;

FIG. 8 is a process flow diagram of another method for secure multiparty computing-based full track business processing in accordance with one embodiment of the present invention;

FIG. 9 is a schematic structural diagram of a secure multiparty computing-based all-track business processing apparatus according to an embodiment of the present invention;

FIG. 10 is a schematic diagram of another embodiment of a secure multiparty computing-based all-track business processing apparatus according to the present invention;

FIG. 11 is a block diagram of a computing device provided in accordance with one embodiment of the present invention.

Detailed Description

First, terms related to one or more embodiments of the present invention will be explained.

OPRF: i.e., oblivious Pseudorandom Function, an unintentional pseudorandom function. Referring to fig. 1, fig. 1 is a schematic diagram of a process for an inadvertent pseudorandom function provided by an embodiment of the invention. OPRF is a two-party protocol in which the second terminal holds a key k to a pseudo-random function (PRF) and the first terminal holds an input x. The goal of the protocol is to have the first terminal get the output f (k, x) of the PRF on k and x, while the second terminal does not get any information.

OPPRF: i.e., oblivious Programmable Pseudo-Random Function, a programmable, unintentional pseudorandom Function. Referring to fig. 2, fig. 2 is a schematic diagram of a process for inadvertently programming a pseudo-random function in accordance with one embodiment of the invention. OPPRF is also a two-party protocol, the second terminal inputs a set of key value pairs { (Y _i,y_i ^{^}) }, the receiver inputs the query value x, if the query value x is the same as the input key Y _i, that is, x obtains the corresponding key value Y _i ^{^} if x is e Y, and obtains the random value if the corresponding key value x is different.

Cuckoo hash table: that is, the cuckoo hash is adopted, in the specification, if no special description exists, a subscript i generally indicates element sequence numbers in a set and a vector, a subscript j generally indicates sequence numbers of a hash function, and subscripts k and h generally indicate the number of first association values corresponding to a first object and the number of second association values corresponding to a second object.

In order to solve the problems, the invention provides a business processing method based on secure multiparty calculation, wherein the method is applied to a business execution end. One or more embodiments of the present invention relate to a method for processing a service by applying a total track on a data provider based on a secure multiparty calculation, a method for processing a service by applying a total track on a service system based on a secure multiparty calculation, a device for processing a service by applying a total track on a service execution end based on a secure multiparty calculation, a device for processing a service by applying a total track on a data provider based on a secure multiparty calculation, a system for processing a total track service based on a secure multiparty calculation, a computing device, a computer readable storage medium and a computer program product, which are described in detail in the following embodiments one by one.

Referring to fig. 3, fig. 3 is an interaction schematic diagram of a secure multiparty computing-based all-around service system according to an embodiment of the present invention, which specifically includes a service execution end 100 and a data providing end 200. The service execution end 100 is configured to obtain a first object set of a target service and a first association set corresponding to the first object set in response to a service request, and encrypt the first object set to obtain a first encrypted object set; the data providing end 200 is configured to obtain a second object set of the target service and a second association set corresponding to the second object set in response to the service request; encrypting the second object set to obtain a second encrypted object set, and encrypting the second association set to obtain a second encrypted association set based on a second identification set and a key data set generated by the random number; an encryption key pair constructed based on the second encryption object set and the second encryption association set; the service execution end 100 is further configured to wait for the data providing end 200 to call an inadvertent pseudorandom function while the data providing end 200 constructs an encryption key value pair, and call the inadvertent pseudorandom function to input the first encryption object set while the data providing end 200 calls the inadvertent pseudorandom function; the data providing end 200 is further configured to invoke an inadvertent pseudorandom function to input an encryption key value pair; the service execution end 100 is further configured to obtain a first identification set and a first encryption sharing set that are output by an unintentional pseudo-random function, where identification data in the first identification set corresponds to encryption association values in the first encryption sharing set one to one; the service execution end 100 is further configured to update the first encrypted shared set based on the first association set, to obtain an updated first encrypted shared set; the data providing end 200 is further configured to construct a second encrypted shared set based on the second identification set and the key data set, where the identification data in the second identification set corresponds to the key data in the second encrypted shared set one-to-one; the service execution end 100 is further configured to invoke a secure multiparty computing framework, and import a first identification set and an updated first encryption shared set; the data providing end 200 is further configured to wait for the service executing end 100 to call the secure multi-party computing framework while the service executing end 100 updates the first encrypted shared set, and call the secure multi-party computing framework while detecting that the service executing end 100 calls the secure multi-party computing framework, and import the second identifier set and the second encrypted shared set; the service execution end 100 is further configured to obtain a service processing result obtained by performing secure multiparty computation under the secure multiparty computing framework.

By the service system, for the data providing end, the second object set is encrypted into the second encrypted object set before the data providing end invokes the secure multiparty computing framework, the second associated set is encrypted into the second encrypted associated set, and then the encryption key value pair comprising the second encrypted object set and the second encrypted associated set is sent to the service executing end, so that the service executing end cannot directly acquire the second object set and the second associated set, and the data security of the data providing end is ensured. For the service execution end, the first encryption object set is obtained by encrypting the first object set before the secure multiparty computing framework is called, and the first association set is updated in the first encryption sharing set, so that the data providing end cannot directly obtain the first object set and the first association set when the secure multiparty computing framework is called, and the data security of the service execution end is ensured.

Meanwhile, when the secure multiparty computing framework is called, a first identification set imported by the service execution end and an updated first encryption sharing set are received, a second identification set imported by the data providing end and a second encryption sharing set comprising a key set are received, because the identification data in the first identification set corresponds to the encryption association values in the first encryption sharing set one by one, the identification data in the second identification set corresponds to the key data in the second encryption sharing set one by one, the matching relation between the key data and the encryption association values is determined, and the real first association value and the second association value are obtained, so that the accurate secure multiparty computation is carried out based on the first association value and the second association value under the condition of ensuring the complete hiding of the data.

Referring to fig. 4, fig. 4 is a flowchart of a first method for processing a full-track business based on secure multiparty computing according to an embodiment of the present invention, which specifically includes the following steps.

Step 402: and responding to the service request, acquiring a first object set of the target service and a first association set corresponding to the first object set, and encrypting the first object set to obtain a first encrypted object set.

Wherein the first object set includes at least one identification field or a unique identifier, such as a user ID, a product number, etc., for uniquely identifying an entity or object in the service execution end. The first association set includes association data of entities or objects in the service execution end, such as specific information of the user, attributes of the product, and the like.

Specifically, since the object data in the first object set is often acquired by the data providing end in the secure multiparty computing process, in order to ensure that the first object data in the first object set is not acquired by the data providing end in the subsequent service processing process, the first object set needs to be encrypted, including: the service execution end acquires first object data related to the target service from a data source according to the received service request of the target service to form a first object set, then forms first association data associated with the first object data into a first association set, and encrypts the first object set to obtain a first encrypted object set. The process of encrypting the first set of objects to obtain the first set of encrypted objects may be various, such as hash calculations, asymmetric encryption algorithms, and the like.

In practical application, the first object set is taken as a user set stored by the service execution end, and the first association set is taken as consumption data of each user as an example. The service execution end obtains each user identifier from a data source according to the received service request for calculating the total amount of service consumed by all users to form a first object set, then forms the consumption record of each user end into a first association set, and encrypts the first object set through a hash algorithm to obtain a first encrypted object set.

Further, encrypting the first set of objects to obtain a first set of encrypted objects includes: based on the first object set and the plurality of hash functions, a hash table is constructed by adopting a cuckoo hash strategy, and the first encrypted object set is obtained.

Specifically, since the object data in the first object set is often acquired by the data providing end in the secure multiparty computing process, in order to ensure that the first object data in the first object set is not acquired by the data providing end in the subsequent service processing process, the first object set may be encrypted by a cuckoo hash policy, including: selecting a preset number of hash functions Hi, calculating hash processing results H _i (x) of object data x in the first object set in each hash function, putting the hash processing results into a cuckoo hash table H _i (x) mod sigma, wherein sigma is the length of the cuckoo hash table, extracting other elements if the other elements exist at the position, and re-performing cuckoo hash processing until all hash processing results corresponding to the first object x are inserted into the cuckoo hash table. A cuckoo hash table (hereinafter referred to as Tx) is taken as a first encryption object set.

Based on the method, the Hash table is constructed through the cuckoo Hash strategy, so that the Hash conflict problem can be effectively solved, the searching efficiency is improved, and the first encryption object set is finally obtained. This approach is typically used to efficiently implement hash data structures, suitable for scenarios that require frequent searching and insertion of elements.

Step 404: and calling an unintentional pseudo-random function, and calculating to obtain a first identification set and a first encryption sharing set based on a first encryption object set input by a service execution end and an encryption key value pair input by a data providing end, wherein the encryption key value pair comprises a second encryption object set obtained by encrypting a second object set of a target service by the data providing end and a second encryption association set obtained by encrypting a second association set corresponding to the second object set, and identification data in the first identification set corresponds to encryption association values in the first encryption sharing set one by one.

Wherein the second set of objects comprises at least one identification field or one unique identifier, e.g. a user ID, a product number, etc., for uniquely identifying an entity or object in the data provider. The second association set includes association data of the entity or object in the data provision, such as specific information of the user, attributes of the product, etc. The identification data in the first set of identifications may be any identification. The encryption mode of the first encryption object set is the same as the encryption mode of the second encryption object set.

Specifically, since the object data in the second object set is often acquired by the service execution end in the secure multiparty computing process, in order to ensure that the second object data in the second object set is not acquired by the service execution end in the subsequent service processing process, the second object set needs to be encrypted, and the identifier data is newly added to the second object set after the encryption is recorded, so that the encrypted object data in the second object set can still correspond to the second encryption association data in the second encryption association set, including: the data providing end encrypts the associated data of the second object into an encrypted associated value, forms a second encrypted associated set according to the encrypted associated value, encrypts the second object set into a second encrypted object set, constructs an identification data set, and corresponds the identification data in the identification data set to the encrypted object data in the second encrypted object set one by one, constructs an encryption key value pair based on the second encrypted object set, the second encrypted associated set and the identification data set, and sends the encryption key value pair to the service executing end. The identification data can be generated by a random number, so that the service execution end cannot know which second object is specifically identified by the identification data according to the identification data.

In practical application, the above example is taken as an example, and the second object set is taken as the user set stored by the data providing end, and the second association set is taken as consumption data of each user. The data providing end firstly encrypts consumption data of a second user into an encrypted consumption value, a second encrypted consumption set is formed according to the encrypted consumption value, a second user list is encrypted into a second encrypted user set, an identification data set is constructed through generating pseudo-random numbers, the identification data in the identification data set corresponds to the encrypted user data in the second encrypted user set one by one, an encryption key value pair is constructed based on the second encrypted user set, the second encrypted consumption set and the identification data set and is sent to the service executing end, so that the service executing end uses the first encrypted user data as an inquiring value, and inquires out the second encrypted consumption value corresponding to the second encrypted user data equal to the first encrypted user data and the identification data in the encryption key value pair, thereby forming a first identification set and a first encrypted sharing set.

Further, calling an unintentional pseudo-random function, and calculating to obtain a first identification set and a first encryption sharing set based on a first encryption object set input by a service execution end and an encryption key value pair input by a data providing end, wherein the method comprises the following steps: calling an unintentional pseudo-random function, and obtaining a confusion data set based on a first encryption object set input by a service execution end; receiving a data coding set sent by a data providing end, wherein the data coding set carries out confusion processing on an encryption key value pair by using an intermediate key obtained by calling an unintentional pseudo-random function, and codes a confusion processing result by calling an unintentional key value pair storage structure coding strategy; invoking a decoding strategy of the unintentional key value on the storage structure, and decoding to obtain a target sharing set based on the confusion data set and the data encoding set; and splitting the target sharing set to obtain a first identification set and a first encryption sharing set.

Specifically, in order to prevent the encryption key pair from being directly acquired by the service execution end, the data providing end needs to further encrypt the encryption key pair, so that the service execution end can query the target sharing set in the encryption key pair but cannot acquire the specific encryption key pair, including: the service execution end and the data providing end call the careless pseudo-random function at the same time, and the confusion processing is carried out on the first encryption object set, so that the service execution end obtains the confusion data set, and the data providing end obtains the intermediate key. The data providing end carries out confusion processing on the encryption key value pair according to the intermediate key to obtain a confusion processing result, then invokes an encoding strategy of an unintentional key value pair storage structure to encode the confusion processing result to obtain a data encoding set, and the data encoding set is sent to the service executing end. Because the confusion processing is carried out on the first encryption object set and the intermediate key which carries out the confusion processing on the encryption key value pair are the same, the service execution end can carry out the confusion removing processing on the query result in the data encoding set based on the confusion data set to obtain a target sharing set, and then the target sharing set is split into a first identification set and a first encryption sharing set.

In practical application, taking the first encryption object set as Y 'as an example, the service execution end calls an OPRF function to obtain a mixed data set f (k, tx), the data providing end calls the OPRF function to obtain an intermediate key k, and the data providing end carries out mixing processing on the encryption key value pair based on k to obtain a mixed processing result M=L and f (k, Y'), wherein L is a sharing set, and the mixed data set comprises an identification data set and the first encryption sharing set. The data providing end calls OKSV encode (M), obtains the data encoding set P and sends the data encoding set P to the service executing end. The service execution end calls OKSV encode (Tx) to obtain a confusion result Lf (k, Y ') corresponding to the Tx, and then calculates based on f (k, tx) and Lf (k, Y'), so that a target sharing set L can be obtained.

Based on this, a process of calculating and obtaining the first identification set and the first encryption shared set from the first encryption object set input from the service execution end and the encryption key value pair input from the data providing end can be realized. These operations can increase the security of data, protect the privacy of data, and at the same time ensure the reliability of data transmission and processing.

Step 406: and updating the first encryption sharing set based on the first association set to obtain an updated first encryption sharing set.

Wherein the updated first encryption shared set includes a first encryption association set and a second encryption association set.

Specifically, since the intersection part of the first association set and the second association set is often acquired by the data provider, the first association set needs to be encrypted and updated into the first encryption shared set, so that the subsequent data provider cannot acquire the first association set according to the way of excluding the second encryption association set in the first encryption shared set when invoking the secure multiparty computing framework. Comprising the following steps: the service execution end firstly encrypts the associated data of the first object into an encrypted associated value and updates the encrypted associated value of the first object into a first encrypted sharing set. The means for encrypting the first set of objects may include random number obfuscation or the like.

In practical application, the service execution end encrypts the consumption data of the first user into encrypted consumption data and updates the encrypted consumption data of the first user into the first encrypted sharing set.

Further, updating the first encryption shared set based on the first association set to obtain an updated first encryption shared set, including: encrypting the first association set to obtain a first encrypted association set; determining a target filling position corresponding to the first encryption association set in the first encryption sharing set based on the first identification set; and filling the first encryption association set to a target filling position to obtain an updated first encryption sharing set.

Specifically, in the process of filling the first encryption shared set, it is to be ensured that the first encryption associated set is added to a position corresponding to the corresponding second encryption associated set, so that the MPC (Secure Multi-Party Computation) framework can simultaneously obtain the first associated value and the second associated value of the same object and perform Secure Multi-party calculation when performing Secure Multi-party calculation subsequently, including: encrypting the first encryption association set to obtain a first encryption association set, determining which second encryption association set corresponds to the same object as the first encryption association set based on the first identification set, determining the rear of the second encryption association set corresponding to the object as a filling position, and filling the first encryption association set to the filling position.

In practical application, the above example is used, and the service execution end uses the following formula according to the hash index relationship of Tx:

wherein mMaping [ i ] represents the location of item X in the cuckoo hash table. Taking idx= mMaping [ i ], filling X^~⊕T,X^~={（x^~ _i,1,…,y^~ _1,k）,…,（x^~ _n,1,…,y^~ _n,k）}, the idx item in the first encryption shared set as the first association set, X ^~ ∈t as the first encryption association set, and filling the item which is not idx with random numbers. And finally obtaining the updated encryption sharing set.

Based on the method, encryption, alignment and updating of the associated data set are realized, and the correlation and the structural correctness of the data are ensured. The series of operations can improve the confidentiality and the integrity of the data, and simultaneously ensure that the logical relationship and the sequence of each object data and the associated data in the whole business system are correctly maintained.

Further, encrypting the first association set to obtain a first encrypted association set, including: acquiring a random number seed; generating a set of random numbers based on the random number seed; and encrypting the first association set based on the random number set to obtain a first encrypted association set.

Specifically, since the intersection portion of the first association set and the second association set is often acquired by the data provider, encryption updating of the first association set into the first encryption shared set is required, including: the service execution end obtains a random number seed, generates a random number set based on the random number seed, encrypts first association data in a random number decibel first association set in the random number set, and obtains a first encryption association set.

In practical application, following the above example, the service execution end generates a random number vector t= (T ₁,...,t_i), the size is sigma, and encrypts the first association set X ^~ based on T to obtain a first encrypted association set X ^~ × T.

Based on the method, the random number seeds are obtained to generate a random number set, and the first association set is encrypted by utilizing the random numbers, so that the safety and confidentiality of data are ensured. The random number is introduced to increase the randomness of data encryption and improve the effect of data protection.

Further, after generating the set of random numbers based on the random number seed, further comprising: and sending the random number set to the data providing end, wherein the random number set is used for updating the second encryption sharing set by the data providing end based on the random number set.

Specifically, in order to ensure that the subsequent secure multiparty computing framework can decrypt the first encrypted association set to obtain a specific first association set, the random number seed is sent to the data providing end as a key, so that the data providing end updates the random number set corresponding to the random number seed in the second encrypted sharing set.

In practical application, following the above example, the service execution end sends the random number seed corresponding to T to the data providing end, and the data providing end fills label_share1 according to T to obtain label_share1= (w _i,1,...,w_i,h,t_i,1,...,t_i,k).

Based on the data, the second encryption sharing set is the key set, and the data anti-attack capability can be improved by updating the second encryption sharing set, so that the data is ensured not to be stolen or tampered in the transmission and storage processes.

Step 408: and calling a secure multiparty computing framework, and performing secure multiparty computing based on a first identification set imported by the service execution end, an updated first encryption sharing set, a second identification set imported by the data providing end and a second encryption sharing set to obtain a service processing result, wherein the second encryption sharing set is constructed and obtained by the data providing end based on the second identification set and the key data set adopted for encrypting the second association set, and the identification data in the second identification set corresponds to the key data in the second encryption sharing set one by one.

The second encryption sharing set is a key set corresponding to the updated first encryption sharing set and is used for decrypting the encrypted association data in the updated first encryption sharing set into a first association value and a second association value. The second identification set is the aforementioned identification data set.

Specifically, the data in the updated first encryption sharing set is directly imported into the secure multiparty computing framework, so that the operation complexity and the operation amount are greatly increased because the data alignment of the encrypted first association value and the encrypted second association value cannot be realized. Because the first identification set is essentially a subset of the second identification set, and is a set formed by identification data corresponding to second encryption object data, which is obtained by inquiring from the encryption key value pair, according to whether the first encryption object data is identical to the second encryption object data or not, the first multi-party computing framework can decrypt the first encryption sharing data according to the second encryption sharing data to obtain first association data and second association data of the same object, and perform secure multi-party computing when the first identification data is identical to the second identification data and the first encryption sharing data corresponding to the first identification data is indicated to correspond to the second encryption sharing data indicated by the second identification data.

In practical application, the above examples are used. The service execution end imports the first identification set and the updated first encryption sharing set into the secure multiparty computing framework together, and the data providing end imports the second identification set and the second encryption sharing set into the secure multiparty computing framework. Because the first identification set is essentially a subset of the second identification set, and is a set formed by identification data corresponding to second encrypted user data, which is obtained by inquiring from the encryption key value pair, according to whether the first encrypted user data is identical to the second encrypted user data or not, the first identification set is essentially a subset of the second identification set, so that under the condition that the first identification data is identical to the second identification data, data alignment is completed, the first encrypted shared data corresponding to the first identification data is indicated to correspond to the second encrypted shared data indicated by the second identification data, and the secure multiparty computing framework can decrypt the first encrypted shared data according to the second encrypted shared data to obtain the first consumption data and the second consumption data of the same user, and perform secure multiparty computation.

Further, before the secure multiparty computing framework is invoked, the secure multiparty computing is performed based on the first identification set imported by the service execution end, the updated first encryption sharing set, the second identification set imported by the data providing end and the second encryption sharing set, and the service processing result is obtained, the method further comprises: acquiring encryption parameters adopted for encrypting the first object set; and sending the encryption parameter to the data providing end, wherein the encryption parameter is used for encrypting the second object set of the target service by the data providing end based on the encryption parameter to obtain a second encrypted object set.

Specifically, since the object data in the second object set is often acquired by the service execution end in the secure multiparty computing process, in order to ensure that the second object data in the second object set is not acquired by the service execution end in the subsequent service processing process, the second object set needs to be encrypted, including: the service processing end sends the encryption parameters of the first object set to the data providing end after or while encrypting the first object set, so that the data providing end encrypts the second object set based on the same encryption parameters to obtain a second encrypted object set.

In practical application, along with the above example, the service processing end sends the lengths σ of the H _i (x) and cuckoo hash table to the data providing end after encrypting the first object set or while encrypting the first object set, so that the data providing end calculates H _j（y_i) according to Y _i and the hash function H _j in the second object set y= { Y ₁,…,y_n }, and constructs a vector Y '= { H _j（y_i) } basedon H _j（y_i), and uses Y' as the second encrypted object set.

Based on the method, the consistency and the reliability of the encryption operation of the data in different links are ensured, so that the subsequent service execution end can inquire according to whether the first encryption object set and the second encryption object set are the same.

Further, invoking a secure multiparty computing framework, performing secure multiparty computing based on the first identification set imported by the service execution end, the updated first encrypted sharing set, the second identification set imported by the data providing end and the second encrypted sharing set, and obtaining a service processing result, including: acquiring service parameters of a target service, and encrypting the service parameters to obtain encrypted service parameters; invoking a secure multiparty computing framework, and performing secure multiparty computing based on the encrypted service parameters imported by the service execution end, the first identification set, the updated first encrypted sharing set, the second identification set imported by the data providing end and the second encrypted sharing set to obtain a first service result fragment; and receiving a second service result fragment sent by the data providing end, and recovering to obtain a service processing result of the target service based on the first service result fragment and the second service result fragment.

Specifically, in order to ensure the security of private data in the processing process of service data, avoid the risk of data leakage in the data collaboration process, realize the secure multiparty computation between a data providing end and a service executing end, obtain a final service processing result without revealing data by computing encrypted service parameters and an identification set, and the process of invoking the secure multiparty computation framework by the service executing end to perform the specific computation comprises: the method comprises the steps that a service execution end imports a first identification set and an updated first encryption sharing set, a data providing end imports a second identification set and a second encryption sharing set, safe multiparty calculation is prepared, the service execution end imports the first identification set and the updated first encryption sharing set, the data providing end imports the second identification set and the second encryption sharing set, safe multiparty calculation is prepared, and based on encryption service parameters, the updated first encryption sharing set and the second encryption sharing set, a safe multiparty calculation framework is called to calculate, so that first service result fragments are obtained. The data providing end sends the second service result fragments to the service executing end, and the service executing end performs data processing and calculation based on the first service result fragments and the second service result fragments and by combining a secure multiparty calculation technology, and finally recovers the service processing result of the target service. Thus, the safe processing and collaborative computing of the business data are realized, and the data privacy is protected.

In practical application, following the above example, the service execution end starts the MPC framework, introduces R 'and label_share 0= { (Y ^~⊕W,X^~ ++t) }, the data providing end starts the MPC framework, inputs R and label_share 1= (w _i,1,...,w_i,h,t_i,1,...,t_i,k), calculates and obtains a first service result fragment res1 according to R' and R, label _share0 and the encrypted service parameter, and receives a first service result fragment res2 sent by the receiving data providing end, and resumes obtaining the service processing result of the target service based on the first service result fragment and the second service result fragment.

Based on the method, the overseas security multiparty computing framework processes the business data, ensures the data privacy security and simultaneously achieves the aim of data collaborative computing. The core of the step is to protect the data privacy, and simultaneously, the data providing end and the service executing end are combined to complete the safe processing and calculation of the data.

Further, invoking a secure multiparty computing framework, performing secure multiparty computing based on the encrypted service parameters, the first identification set, the updated first encrypted sharing set, the second identification set and the second encrypted sharing set imported by the data providing end, and obtaining a first service result fragment, including: invoking a secure multiparty computing framework, identifying whether the identification data of the corresponding positions in the first identification set and the second identification set are equal, obtaining a first arithmetic sharing set, and determining a first parameter fragment based on the encryption service parameter, wherein the data in the first arithmetic sharing set is equal in 1 representation identification data and unequal in 0 representation identification data; utilizing the first arithmetic sharing set to perform secure multiparty computation on the first encryption sharing set and the second encryption sharing set to obtain a first data fragment to be processed; and executing the target service on the first data fragment to be processed based on the first parameter fragment to obtain a first service result fragment.

Specifically, in order to reduce the computation complexity, only the intersected data is involved in the computation, whether the identification data of the corresponding positions in the first identification set and the second identification set are equal or not needs to be judged, if the corresponding first shared data and the corresponding second shared data are equal, only the safe multiparty computation result is reserved when the corresponding identification data of the corresponding positions in the first identification set and the second identification set are equal or not, the data generated in the safe multiparty computation process can be greatly reduced, the computation complexity is reduced, and the computation efficiency is improved, including: and identifying whether the identification data of the corresponding positions in the first identification set and the second identification set are equal or not through a secure multiparty calculation framework to obtain a first arithmetic sharing set, wherein in the first arithmetic sharing set, the data is 1 for indicating that the identification data are equal, the data is 0 for indicating that the identification data are unequal, and performing secure multiparty calculation on the updated first encryption sharing set and the second encryption sharing set by utilizing the first arithmetic sharing set to obtain a first data fragment to be processed, determining a first parameter fragment based on encryption service parameters, and then executing target service on the first data fragment to be processed to obtain a first service result fragment.

In practical application, following the above example, the service execution end determines whether R and R' are the same based on the MPC framework, to obtain a first arithmetic sharing setThe data providing end judges whether R and R' are the same based on the MPC framework to obtain a second arithmetic sharing setIf equal to each other=1, If not equal to=0. The service execution end calculates to obtain a first data fragment to be processed based on the first arithmetic sharing set, the label_share0 and the label_share1And executing the target service based on the data fragment to be processed and the first parameter fragment to obtain a first service result fragment res1.

Based on the calculation result under the condition that only the intersected data, namely the identification data of the corresponding positions in the first identification set and the second identification set are reserved, when the identification data of the corresponding positions in the first identification set and the second identification set are not equal=0, Due toThe calculation result of the situation is 0, the number of fragments to be processed is reduced, the calculation complexity is reduced, and the calculation efficiency is improved.

By the service processing method, the first encryption object set is obtained by encrypting the first object set before the secure multiparty computing framework is called, and the first association set is updated in the first encryption sharing set, so that the data providing end cannot directly obtain the first object set and the first association set when the secure multiparty computing framework is called, and the data security of the service executing end is ensured. Meanwhile, when the secure multiparty computing framework is called, a first identification set imported by the service execution end and an updated first encryption sharing set are received, a second identification set imported by the data providing end and a second encryption sharing set comprising a key set are received, because the identification data in the first identification set corresponds to the encryption association values in the first encryption sharing set one by one, the identification data in the second identification set corresponds to the key data in the second encryption sharing set one by one, the matching relation between the key data and the encryption association values is determined, and the real first association value and the second association value are obtained, so that the accurate secure multiparty computation is carried out based on the first association value and the second association value under the condition of ensuring the complete hiding of the data.

Referring to fig. 5, fig. 5 is a flowchart of a second method for processing a full-track business based on secure multiparty computing, according to an embodiment of the present invention, which comprises the following steps.

Step 502: and responding to the service request, and acquiring a second object set of the target service and a second association set corresponding to the second object set.

Wherein the second set of objects comprises at least one identification field or one unique identifier, e.g. a user ID, a product number, etc., for uniquely identifying the entity or object in the data provision. The second association set includes association data of entities or objects in the service execution end, such as specific information of the user, attributes of the product, and the like.

Specifically, the service execution end obtains second object data related to the target service from the data source according to the received service request of the target service to form a second object set, and then forms second association data associated with the second object data into a second association set.

In practical application, the second object set is taken as a user set stored in the data processing end, and the second association set is taken as consumption data of each user as an example. The data processing end obtains each user identifier from the data source according to the received service request for calculating the total amount service consumed by all the users to form a second object set, then forms the consumption record of each user end into a second association set, and encrypts the second object set through a hash algorithm to obtain a second encrypted object set.

Further, encrypting the second set of objects to obtain a second set of encrypted objects includes: receiving an encryption parameter sent by a service execution end, wherein the encryption parameter is adopted by the service execution end for encrypting a first object set; and encrypting the second object set based on the encryption parameters to obtain a second encrypted object set.

In practical application, taking a hash function H _i with an encryption parameter being cuckoo hash processing and a length sigma of a cuckoo hash table as an example, the data providing end calculates H _j（y_i) according to Y _i in a second object set y= { Y ₁,…,y_n } and a hash function H _j), and constructs a vector y= { Hj (yi) } based on H _j（y_i), and uses Y' as a second encryption object set.

Step 504: and encrypting the second object set to obtain a second encrypted object set, and encrypting the second association set to obtain a second encrypted association set based on the second identification set and the key data set generated by the random number.

Specifically, since the intersection part of the second association set is often acquired by the service processing end, the second association set needs to be encrypted to obtain a second encrypted association set. Comprising the following steps: the data providing terminal generates a second identification set and a key data set based on the random number, and encrypts the second association set based on the random number in the key data set to obtain a second encrypted association set.

Further, encrypting the second association set based on the second identification set and the key data set generated by the random number to obtain a second encrypted association set, including: generating a second identification set and a key data set comprising random numbers, wherein the number of the random numbers in the second identification set and the key data set is the same; and encrypting the second association set based on the encryption parameter, the second identification set and the key data set to obtain a second encrypted association set.

Specifically, the data providing end firstly encrypts the associated data of the second object into an encrypted associated value according to the random number in the key data set, forms a second encrypted associated set according to the encrypted associated value, encrypts the second object set into a second encrypted object set, constructs a second identification set, and corresponds the identification data in the second identification set to the encrypted object data in the second encrypted object set one by one.

In practical application, following the above example, according to the hash table size σ, the providing end creates two random vector second identification sets r= { R _j,...,r_σ } and a key data set w= { W ₁,...,w_σ }, and encrypts the second association set Y ^~ based on the random number in the key data set to obtain a second encrypted association set l= (R, Y ^~ × W).

Based on this, the security of data can be increased, the privacy of data is protected, and the reliability of data transmission and processing is ensured.

Step 506: and calling an unintentional pseudo-random function, and inputting an encryption key value pair constructed based on the second encryption object set and the second encryption association set, wherein the unintentional pseudo-random function is used for calculating a first identification set and a first encryption sharing set based on the first encryption object set input by the service execution end and the encryption key value pair input by the data providing end, and feeding the first identification set and the first encryption sharing set back to the service execution end, and the first encryption object set is obtained by encrypting the first object set of the target service by the service execution end.

In practical application, the above example is taken as an example, and the second object set is taken as the user set stored by the data providing end, and the second association set is taken as consumption data of each user. The data providing end firstly encrypts consumption data of a second user into an encrypted consumption value, forms a second encrypted consumption set according to the encrypted consumption value, encrypts a second user list into a second encrypted user set, constructs an identification data set by generating pseudo random numbers, and constructs an encryption key value pair based on the second encrypted user set, the second encrypted consumption set and the identification data set in a one-to-one correspondence manner with the encrypted user data in the second encrypted user set, and sends the encryption key value pair to the service executing end, so that the service executing end queries a second encrypted consumption value corresponding to second encrypted user data equal to the first encrypted user data in the encryption key value pair and the identification data to form a first identification set and a first encrypted sharing set.

Further, after invoking the unintentional pseudo-random function, inputting the encryption key pair constructed based on the second encryption object set and the second encryption association set, further comprising: obtaining an intermediate key obtained by an unintentional pseudo-random function based on a first encryption object set input by a service execution end; based on the intermediate key, carrying out confusion processing on the input encryption key value pair constructed based on the second encryption object set and the second encryption association set; calling an inadvertent key value to encode the confusion result by an encoding strategy of the storage structure to obtain a data encoding set; transmitting the data code set to a service execution end; the data encoding set is used for a service execution end to call a decoding strategy of the storage structure by using an careless key value, a target sharing set is obtained by decoding based on the confusion data set and the data encoding set, and a first identification set and a first encryption sharing set are obtained by splitting the target sharing set; the confusion data set is obtained by calling an unintentional pseudo-random function for the service execution end and based on a first encryption object set input by the service execution end.

In practical application, in the practical application, taking the first encryption object set as Y 'as an example, the service execution end calls an OPRF function to obtain a mixed data set f (k, tx), the data providing end calls the OPRF function to obtain an intermediate key k, and the data providing end carries out mixing processing on the encryption key value pair based on k to obtain a mixed processing result M=L f (k, Y'), wherein L is a sharing set and comprises an identification data set and the first encryption sharing set. The data providing end calls OKSV encode (M), obtains the data encoding set P and sends the data encoding set P to the service executing end. The service execution end calls OKSV encode (Tx) to obtain a confusion result Lf (k, Y ') corresponding to the Tx, and then calculates based on f (k, tx) and Lf (k, Y'), so that a target sharing set L can be obtained.

Step 508: a second encrypted shared set is constructed based on the second set of identifiers and the set of key data.

Specifically, in order to ensure that the subsequent secure multiparty computing framework can decrypt the second encrypted association set to obtain a specific second association set, the key data set and the second identification set are constructed into a second encrypted sharing set. The method comprises the step of filling random numbers in the key data set in positions indicated by identification data in the second identification set according to the positions of each element identification in the second identification set.

In practical application, the data provider constructs a two-dimensional associated value key vector labelshare 1= { (w _i,1,...,w_i,h) i e [1, n ] }. And using the label_share1 as a second encryption sharing set.

Further, after constructing the second encrypted shared set based on the second identification set and the key data set, further comprising: receiving a random number set sent by a service execution end, wherein the random number set is generated by the service execution end based on a random number seed; and updating the second encryption sharing set based on the random number set to obtain an updated second encryption sharing set.

In practical application, following the above example, the service execution end sends the random number seed corresponding to T to the data providing end, and the data providing end fills the label_share1 according to t= (T ₁,...,t_i) to obtain label_share1= (w _i,1,...,w_i,h,t_i,1,...,t_i,k).

Step 510: and calling a secure multiparty computing framework, and performing secure multiparty computing based on a first identification set imported by the service execution end, an updated first encryption sharing set, a second identification set imported by the data providing end and a second encryption sharing set to obtain a service processing result, wherein the updated first encryption sharing set is obtained by updating the first encryption sharing set by the service execution end based on a first association set corresponding to the first object set.

Further, invoking a secure multiparty computing framework, performing secure multiparty computing based on the first identification set imported by the service execution end, the updated first encrypted sharing set, the second identification set imported by the data providing end and the second encrypted sharing set, and obtaining a service processing result, including: invoking a secure multiparty computing framework, and performing secure multiparty computing based on the encrypted service parameters imported by the service execution end, the first identification set, the updated first encrypted sharing set, the second identification set imported by the data providing end and the second encrypted sharing set to obtain second service result fragments; transmitting the second service result fragments to a service execution end; the second service result fragments are used for the service execution end to recover the service processing result of the target service based on the first service result fragments and the second service result fragments; the first service result fragment is obtained by calling a secure multiparty computing framework for the service execution end and performing secure multiparty computing based on the encrypted service parameters imported by the service execution end, the first identification set, the updated first encryption sharing set, the second identification set imported by the data providing end and the second encryption sharing set.

Specifically, in order to ensure the security of private data in the processing process of service data, avoid the risk of data leakage in the data collaboration process, realize the secure multiparty computation between a data providing end and a service executing end, obtain a final service processing result without revealing data by computing encrypted service parameters and an identification set, and the process of invoking the secure multiparty computation framework by the service executing end to perform the specific computation comprises: the service execution end imports the first identification set and the updated first encryption sharing set, the data providing end imports the second identification set and the second encryption sharing set, the data providing end imports the secure multi-party calculation, and the secure multi-party calculation framework is called to calculate based on the encryption service parameters, the updated first encryption sharing set and the second encryption sharing set, so that the second service result fragments are obtained. The data providing end sends the second service result fragments to the service executing end, and the service executing end performs data processing and calculation based on the first service result fragments and the second service result fragments and by combining a secure multiparty calculation technology, and finally recovers the service processing result of the target service. Thus, the safe processing and collaborative computing of the business data are realized, and the data privacy is protected.

In practical application, following the above example, the service execution end starts the MPC framework, introduces R 'and label_share 0= { (Y ^~⊕W,X^~ ++t) }, the data providing end starts the MPC framework, inputs R and label_share 1= (w _i,1,...,w_i,h,t_i,1,...,t_i,k), calculates and obtains a first service result fragment res2 according to R', R, label _share0 and encrypted service parameters, and sends a second service result fragment res2 to the service execution end, so that the service execution end resumes obtaining the service processing result of the target service based on the first service result fragment and the second service result fragment.

Further, invoking a secure multiparty computing framework, performing secure multiparty computing based on the encrypted service parameters, the first identification set, the updated first encrypted sharing set, the second identification set and the second encrypted sharing set imported by the data providing end, and obtaining a second service result fragment, including: invoking a secure multiparty computing framework, identifying whether the identification data of the corresponding positions in the first identification set and the second identification set are equal, obtaining a second arithmetic sharing set, and determining second parameter fragments based on encryption service parameters, wherein the data in the second arithmetic sharing set is equal in 1 representation identification data and unequal in 0 representation identification data; utilizing the second arithmetic sharing set to perform secure multiparty calculation on the first encryption sharing set and the second encryption sharing set to obtain second data fragments to be processed; and executing the target service on the second data fragment to be processed based on the second parameter fragment to obtain a second service result fragment.

Specifically, in order to reduce the computation complexity, only the intersected data is involved in the computation, whether the identification data of the corresponding positions in the first identification set and the second identification set are equal or not needs to be judged, if the corresponding first shared data and the corresponding second shared data are equal, only the safe multiparty computation result is reserved when the corresponding identification data of the corresponding positions in the first identification set and the second identification set are equal or not, the data generated in the safe multiparty computation process can be greatly reduced, the computation complexity is reduced, and the computation efficiency is improved, including: and identifying whether the identification data of the corresponding positions in the first identification set and the second identification set are equal or not through a secure multiparty calculation framework to obtain a first arithmetic sharing set, wherein in the first arithmetic sharing set, the data is 1 for indicating that the identification data is equal, the data is 0 for indicating that the identification data is unequal, and performing secure multiparty calculation on the updated first encryption sharing set and the second encryption sharing set by utilizing the second arithmetic sharing set to obtain second data fragments to be processed, determining second parameter fragments based on encryption service parameters, and then executing target service on the second data fragments to be processed to obtain second service result fragments.

In practical application, a service execution end judges whether R and R' are identical based on an MPC framework to obtain a first arithmetic sharing setThe data providing end judges whether R and R' are the same based on the MPC framework to obtain a second arithmetic sharing setIf equal to each other=1, If not equal to=0. The service execution end performs based on the first arithmetic sharing set, the label_shared 0 and the label_shared 1Calculating to obtain a second data fragment to be processedAnd executing the target service based on the data fragment to be processed and the first parameter fragment to obtain a first service result fragment res2.

Based on the calculation result under the condition that only the intersected data, namely the identification data of the corresponding positions in the first identification set and the second identification set are reserved, when the identification data of the corresponding positions in the first identification set and the second identification set are not equal=0 Due toThe calculation result of the situation is 0, the number of fragments to be processed is reduced, the calculation complexity is reduced, and the calculation efficiency is improved.

By the service processing method, the data providing end encrypts the second object set into the second encrypted object set before invoking the secure multiparty computing framework, encrypts the second associated set into the second encrypted associated set, and sends the encrypted key value pair comprising the second encrypted object set and the second encrypted associated set to the service executing end, so that the service executing end cannot directly acquire the second object set and the second associated set, and the data security of the data providing end is ensured. Meanwhile, when the secure multiparty computing framework is called, a first identification set imported by the service execution end and an updated first encryption sharing set are received, a second identification set imported by the data providing end and a second encryption sharing set comprising a key set are received, because the identification data in the first identification set corresponds to the encryption association values in the first encryption sharing set one by one, the identification data in the second identification set corresponds to the key data in the second encryption sharing set one by one, the matching relation between the key data and the encryption association values is determined, and the real first association value and the second association value are obtained, so that the accurate secure multiparty computation is carried out based on the first association value and the second association value under the condition of ensuring the complete hiding of the data.

Referring to fig. 6, fig. 6 is a flowchart of a third method for processing a full-track business based on secure multiparty computing, according to an embodiment of the present invention, which comprises the following steps.

Step 602: the service execution end responds to the service request, acquires a first object set of the target service and a first association set corresponding to the first object set, and encrypts the first object set to obtain a first encrypted object set.

Step 604: the data providing end responds to the service request to obtain a second object set of the target service and a second association set corresponding to the second object set; encrypting the second object set to obtain a second encrypted object set, and encrypting the second association set to obtain a second encrypted association set based on a second identification set and a key data set generated by the random number; an encryption key pair constructed based on the second encryption object set and the second encryption association set.

Step 606: the method comprises the steps of calling an unintentional pseudo-random function, inputting a first encryption object set by a service execution end, inputting an encryption key value pair by a data providing end, and obtaining a first identification set and a first encryption sharing set by the service execution end, wherein identification data in the first identification set corresponds to encryption association values in the first encryption sharing set one by one.

Step 608: and the service execution end updates the first encryption sharing set based on the first association set to obtain an updated first encryption sharing set.

Step 610: the data providing end constructs a second encryption sharing set based on the second identification set and the key data set, wherein the identification data in the second identification set corresponds to the key data in the second encryption sharing set one by one.

Step 612: and calling a secure multiparty computing framework, introducing a first identification set and an updated first encryption sharing set by a service execution end, introducing a second identification set and a second encryption sharing set by a data providing end, and performing secure multiparty computing to obtain a service processing result.

It will be appreciated that the steps from step 602 to step 612 are the same as those performed in step 402 to step 408 and step 502 to step 510, and will not be repeated here.

The method for processing the full-track business based on the secure multiparty calculation is further described below with reference to fig. 7. Fig. 7 is a flowchart of a processing procedure of a method for processing a full-track business based on secure multiparty computation according to an embodiment of the present invention, which specifically includes the following steps.

Step 702: the service execution end constructs a hash table Tx based on the first object set X= { xi, …, xn } and hash functions H1, H2 and H3, and determines a hash index relation mMaping [ i ] = H _j(x_i) mod sigma, i epsilon [1, n ], j epsilon [1,3] of the sequence number i of X and the hash table position idx. And sends the hash table size sigma and the hash function to the data providing end.

Step 704: the data provider creates two random vectors r= { R _j,...,r_σ } and w= { W ₁,...,w_σ } according to the hash table size σ.

Step 706: the data providing end calculates H _j（y_i) according to Y _i in the second object set y= { Y ₁,…,y_n } and the hash function H _j, constructs a vector Y' = { H _j（y_i) } based on H _j（y_i), calculates an index value idx of H _j（y_i) in the hash table, and constructs a sender association value Y^~={（y^~ _i,1,…,y^~ _i,h）,…,（y^~ _n,1,…,y^~ _n,h）} encryption vector l= (r _idx,y^~ _i,1⊕w_idx,…,y^~ _i,h⊕w_idx).

Step 708: the service execution end calls an OPRF function to obtain an encrypted hash table f (k, tx).

Step 710: the data providing end calls the OPRF function to obtain the key k of the encryption hash table.

Step 712: the data provider calculates an intermediate vector m= (Y ', L = (k, Y').

Step 714: the data provider calls OKSV encode (M) to obtain the encrypted bit string P of the sender-associated value. And sending P to the service execution end.

Step 716: the service execution side inquires the bit string P based on Tx, and obtains Lf (k, Y ') corresponding to Y ' when Tx is Y '.

Step 718: the service execution end calculates the encryption hash table f (k, tx) and the L (k, Y ') to obtain L (R', Y ^~ (W)).

Step 720: the service execution end splits L into an R '= { R ₁`,...,r_σ' vector and a (Y ^~) vector, and names (Y ^~ W) as a two-dimensional associated value encryption vector label_share0.

Step 722: the data providing end constructs a two-dimensional association value key vector labelshare 1= { (w _i,1,...,w_i,h) i epsilon [1, n ] }.

Step 724: the service execution end generates a random number vector T with the size sigma. And sends T to the data provider.

Step 726: and filling the label_share1 by the data providing terminal according to T to obtain label_share1= (w _i,1,...,w_i,h,t_i,1,...,t_i,k).

Step 728: and the service execution end takes idx= mMaping [ i ] according to the hash index relation mMaping [ i ] =H _j(x_i) mod sigma, and fills X^~⊕T,X^~={（x^~ _i,1,…,y^~ _1,k）,…,（x^~ _n,1,…,y^~ _n,k）}, the item of which the idx item in the label_share0 is not idx with random numbers.

Step 730: the service execution end sends R' and label_share0 to the data providing end and receives R and label_share1 sent by the data providing end. And starts the MPC framework, inputs R', R, label _shar0= { (Y ^~⊕W,X^~ T) } and label_shar1.

Step 732: the data providing terminal sends R and label_share1 to the service executing terminal, and receives R' and label_share0 sent by the service executing terminal. The data provider initiates the MPC framework, inputs R', R, label _share0 = { (Y ^~⊕W,X^~ T) } and label_share1.

Step 734: the service execution end judges whether R and R' are the same based on the MPC framework to obtain judgment result fragments。

Step 736: the data providing end judges whether R and R' are the same based on the MPC framework to obtain judgment result fragments。

Step 738: the service execution end group fragments based on the judgment resultCalculating a first association value fragment by using label_share0 and label_share1。

Step 740: the data providing terminal fragments based on the judgment resultCalculating the label_share0 and label_share1 to obtain a second association value fragment。

Step 742: the service execution end is based on MPC framework according toThe calculation result fragment res1 is calculated.

Step 744: the data providing end is based on MPC framework according to the followingThe calculation result fragment res2 is calculated.

Step 746: and the service execution end obtains a final result according to res1 and res 2.

The method for processing the full-track business based on the secure multiparty calculation is further described below with reference to fig. 8. Fig. 8 is a flowchart of a processing procedure of another method for processing a full-hidden track service based on secure multiparty computation according to an embodiment of the present invention, where the method includes a mechanism a and a structure B, the mechanism a has a certain recognition algorithm F, an algorithm model parameter is param, and a list id to be recognized and feature data label_a are locally available. The institution B has a plurality of ID card numbers id and characteristic data label_B. When the algorithm F inputs the label_A and the label_B at the same time, the accuracy can be greatly improved. Mechanism a wishes to perform the recognition algorithm F based on the characteristic data of both parties. But organization a does not want its own confidential algorithm model and list and feature data to leak out, organization B does not want feature data to leak out, and there is no trusted third party. In this scenario:

step 802: the mechanism A imports the first identification list and the first characteristic data, and the mechanism B imports the second identification list and the second characteristic data to execute encryption sharing. A first encrypted shared data and a second encrypted shared data are obtained that are all suppressed. The encryption sharing process is described with reference to the foregoing steps 402-408 or steps 502-510, and will not be repeated here.

Step 804: and calling the MPC framework, and enabling the mechanism A to share the algorithm model parameter param in a secret sharing mode, and enabling the two parties to execute the algorithm F to obtain a first result fragment and a second result fragment of the calculation result in a secret sharing state.

Step 806: mechanism B sends the second resulting fragment to mechanism a.

Step 808: the mechanism a obtains the target recognition result.

Corresponding to the above method embodiment, the present invention further provides an embodiment of a service processing device, and fig. 9 is a schematic structural diagram of a full-track service processing device based on secure multiparty computation according to an embodiment of the present invention. As shown in fig. 9, the apparatus includes:

the first obtaining module 902 is configured to obtain a first object set of the target service and a first association set corresponding to the first object set in response to the service request, and encrypt the first object set to obtain a first encrypted object set;

The first calling module 904 is configured to call an unintentional pseudo-random function, and calculate and obtain a first identification set and a first encryption shared set based on a first encryption object set input by the service execution end and an encryption key value pair input by the data providing end, wherein the encryption key value pair comprises a second encryption object set obtained by encrypting a second object set of a target service by the data providing end and a second encryption associated set obtained by encrypting a second associated set corresponding to the second object set, and identification data in the first identification set corresponds to encryption associated values in the first encryption shared set one by one;

an updating module 906 configured to update the first encrypted shared set based on the first association set, resulting in an updated first encrypted shared set;

and a second invoking module 908 configured to invoke the secure multiparty computing framework, and perform secure multiparty computing based on the first identification set imported by the service execution end and the updated first encryption sharing set, the second identification set imported by the data providing end and the second encryption sharing set, to obtain a service processing result, where the second encryption sharing set is configured by the data providing end based on the second identification set and the key data set adopted for encrypting the second association set, and the identification data in the second identification set corresponds to the key data in the second encryption sharing set one by one.

It will be appreciated that the specific functional implementation of the modules of the service processing apparatus may be described with reference to the foregoing steps 402 to 408, and will not be described herein.

By the service processing device, the first encryption object set is obtained by encrypting the first object set before the secure multiparty computing framework is called, and the first association set is updated in the first encryption sharing set, so that the data providing end cannot directly obtain the first object set and the first association set when the secure multiparty computing framework is called, and the data security of the service executing end is ensured. Meanwhile, when the secure multiparty computing framework is called, a first identification set imported by the service execution end and an updated first encryption sharing set are received, a second identification set imported by the data providing end and a second encryption sharing set comprising a key set are received, because the identification data in the first identification set corresponds to the encryption association values in the first encryption sharing set one by one, the identification data in the second identification set corresponds to the key data in the second encryption sharing set one by one, the matching relation between the key data and the encryption association values is determined, and the real first association value and the second association value are obtained, so that the accurate secure multiparty computation is carried out based on the first association value and the second association value under the condition of ensuring the complete hiding of the data.

Corresponding to the above method embodiment, the present invention further provides an embodiment of a service processing device, and fig. 10 is a schematic structural diagram of another full-track service processing device based on secure multiparty computation according to an embodiment of the present invention. As shown in fig. 10, the apparatus includes:

a second obtaining module 1002, configured to obtain, in response to the service request, a second object set of the target service and a second association set corresponding to the second object set;

An encryption module 1004 configured to encrypt the second object set to obtain a second encrypted object set, and encrypt the second association set to obtain a second encrypted association set based on the second identification set and the key data set generated by the random number;

A third calling module 1006, configured to call an unintentional pseudo-random function, and input an encryption key value pair constructed based on the second encryption object set and the second encryption association set, where the unintentional pseudo-random function is used to calculate a first identification set and a first encryption sharing set based on the first encryption object set input by the service execution end and the encryption key value pair input by the data providing end, and feed back the first identification set and the first encryption sharing set to the service execution end, where the first encryption object set is obtained by encrypting the first object set of the target service by the service execution end;

A construction module 1008 configured to construct a second encrypted shared set based on the second identification set and the key data set;

And a fourth invoking module 1010, configured to invoke the secure multiparty computing framework, and perform secure multiparty computing based on the first identification set imported by the service execution end, the updated first encryption sharing set, the second identification set imported by the data providing end, and the second encryption sharing set, to obtain a service processing result, where the updated first encryption sharing set is obtained by updating the first encryption sharing set by the service execution end based on the first association set corresponding to the first object set.

It will be appreciated that the specific functional implementation of the modules of the service processing apparatus may be described with reference to the foregoing steps 502 to 510, and will not be described herein.

By the service processing device, the data providing end encrypts the second object set into the second encrypted object set before invoking the secure multiparty computing framework, encrypts the second associated set into the second encrypted associated set, and sends the encryption key value pair comprising the second encrypted object set and the second encrypted associated set to the service executing end, so that the service executing end cannot directly acquire the second object set and the second associated set, and the data security of the data providing end is ensured. Meanwhile, when the secure multiparty computing framework is called, a first identification set imported by the service execution end and an updated first encryption sharing set are received, a second identification set imported by the data providing end and a second encryption sharing set comprising a key set are received, because the identification data in the first identification set corresponds to the encryption association values in the first encryption sharing set one by one, the identification data in the second identification set corresponds to the key data in the second encryption sharing set one by one, the matching relation between the key data and the encryption association values is determined, and the real first association value and the second association value are obtained, so that the accurate secure multiparty computation is carried out based on the first association value and the second association value under the condition of ensuring the complete hiding of the data.

FIG. 11 illustrates a block diagram of a computing device 1100 provided according to one embodiment of the invention. The components of computing device 1100 include, but are not limited to, a memory 1110 and a processor 1120. Processor 1120 is coupled to memory 1110 via bus 1130, and database 1150 is used to hold data.

The computing device 1100 also includes an access device 1140, the access device 1140 enabling the computing device 1100 to communicate via one or more networks 1160. Examples of such networks include public switched telephone networks (PSTN, public Switched Telephone Network), local area networks (LAN, local Area Network), wide area networks (WAN, wide Area Network), personal area networks (PAN, personal Area Network), or combinations of communication networks such as the internet. The access device 1140 may include one or more of any type of network interface, wired or wireless, such as a network interface card (NIC, network interface controller), such as an IEEE802.11 wireless local area network (WLAN, wireless Local Area Network) wireless interface, a worldwide interoperability for microwave access (Wi-MAX, worldwide Interoperability for Microwave Access) interface, an ethernet interface, a universal serial bus (USB, universal Serial Bus) interface, a cellular network interface, a bluetooth interface, near Field Communication (NFC).

In one embodiment of the invention, the above-described components of computing device 1100, as well as other components not shown in FIG. 11, may also be connected to each other, such as by a bus. It should be understood that the block diagram of the computing device illustrated in FIG. 11 is for exemplary purposes only and is not intended to limit the scope of the present invention. Those skilled in the art may add or replace other components as desired.

Computing device 1100 may be any type of stationary or mobile computing device, including a mobile computer or mobile computing device (e.g., tablet, personal digital assistant, laptop, notebook, netbook, etc.), mobile phone (e.g., smart phone), wearable computing device (e.g., smart watch, smart glasses, etc.), or other type of mobile device, or a stationary computing device such as a desktop computer or personal computer (PC, personal Computer). Computing device 1100 may also be a mobile or stationary server. Wherein the processor 1120 is configured to execute a computer program/instruction that when executed by the processor performs the steps of the service processing method described above.

An embodiment of the present invention also provides a computer-readable storage medium storing a computer program/instruction which, when executed by a processor, implements the steps of the service processing method described above.

An embodiment of the present invention also provides a computer program product, wherein the computer program, when executed in a computer, causes the computer to execute the steps of the service processing method described above.

The foregoing is a schematic illustration of a computing device, computer readable storage medium, computer program product of the present embodiments. It should be noted that, the technical solutions of the computing device, the computer readable storage medium, and the computer program product and the technical solutions of the service processing method described above belong to the same concept, and the details of the technical solutions not described in detail may be referred to the description of the technical solutions of the service processing method described above.

The computer instructions include computer program code that may be in source code form, object code form, executable file or some intermediate form, etc. The computer readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a U disk, a removable hard disk, a magnetic disk, an optical disk, a computer Memory, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), an electrical carrier signal, a telecommunications signal, a software distribution medium, and so forth. It should be noted that the content of the computer readable medium can be increased or decreased appropriately according to the requirements of the patent practice, for example, in some areas, according to the patent practice, the computer readable medium does not include an electric carrier signal and a telecommunication signal.

It should be noted that, for simplicity of description, the foregoing method embodiments are all described as a series of combinations of actions, but it should be understood by those skilled in the art that the embodiments of the present invention are not limited by the order of actions described, as some steps may be performed in other order or simultaneously in accordance with the embodiments of the present invention. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred, and that the acts and modules referred to are not necessarily all required in the embodiments of the invention.

In the foregoing embodiments, the descriptions of the embodiments are emphasized, and for parts of one embodiment that are not described in detail, reference may be made to the related descriptions of other embodiments.

Claims

1. The method is characterized by being applied to a service execution end, and comprises the following steps:

Responding to a service request, acquiring a first object set of a target service and a first association set corresponding to the first object set, and encrypting the first object set to obtain a first encrypted object set;

Invoking an unintentional pseudo-random function, and calculating to obtain a first identification set and a first encryption sharing set based on an encryption key value pair input by the first encryption object set and the data providing end and input by the service executing end, wherein the encryption key value pair comprises a second encryption object set obtained by encrypting a second object set of the target service by the data providing end and a second encryption association set obtained by encrypting a second association set corresponding to the second object set, and identification data in the first identification set corresponds to encryption association values in the first encryption sharing set one by one;

Updating the first encryption sharing set based on the first association set to obtain an updated first encryption sharing set;

And invoking a secure multiparty computing framework, and performing secure multiparty computing based on the first identification set and the updated first encryption sharing set which are imported by the service execution end, and a second identification set and a second encryption sharing set which are imported by the data providing end, so as to obtain a service processing result, wherein the second encryption sharing set is constructed by the data providing end based on the second identification set and the key data set adopted for encrypting the second association set, and the identification data in the second identification set corresponds to the key data in the second encryption sharing set one by one.

2. The method of claim 1, wherein before the invoking the secure multiparty computing framework performs secure multiparty computing based on the first set of identifiers and the updated first set of encrypted shares imported by the service execution end, the second set of identifiers imported by the data providing end, and the second set of encrypted shares, obtaining a service processing result, further comprising:

obtaining encryption parameters adopted for encrypting the first object set;

And sending the encryption parameter to the data providing end, wherein the encryption parameter is used for encrypting a second object set of the target service based on the encryption parameter by the data providing end to obtain a second encrypted object set.

3. The method of claim 1, wherein said invoking the unintentional pseudorandom function computes a first identification set and a first encryption shared set based on the first encryption object set entered by the service execution side and an encryption key value pair entered by a data provider side, comprising:

Calling an unintentional pseudo-random function, and obtaining a confusion data set based on the first encryption object set input by the service execution end;

receiving a data coding set sent by the data providing end, wherein the data coding set is obtained by the data providing end by carrying out confusion processing on the encryption key value pair by using an intermediate key obtained by calling the careless pseudo-random function and calling a coding strategy of the careless key value pair storage structure to code a confusion processing result;

Invoking a decoding strategy of the unintentional key value on the storage structure, and decoding to obtain a target sharing set based on the confusion data set and the data encoding set;

And splitting the target sharing set to obtain a first identification set and a first encryption sharing set.

4. A method according to claim 1 or 3, wherein updating the first encrypted shared set based on the first association set to obtain an updated first encrypted shared set comprises:

encrypting the first association set to obtain a first encrypted association set;

determining a target filling position corresponding to the first encryption association set in the first encryption sharing set based on the first identification set;

and filling the first encryption association set to the target filling position to obtain an updated first encryption sharing set.

5. The method of claim 1, wherein the invoking the secure multiparty computing framework to perform secure multiparty computing based on the first set of identifiers and the updated first set of encrypted shares imported by the service execution end, the second set of identifiers and the second set of encrypted shares imported by the data provider end, and obtaining a service processing result comprises:

acquiring service parameters of the target service, and encrypting the service parameters to obtain encrypted service parameters;

Invoking a secure multiparty computing framework, identifying whether the identification data of the corresponding positions in the first identification set and the second identification set are equal, obtaining a first arithmetic sharing set, and determining a first parameter fragment based on the encryption service parameter, wherein the data in the first arithmetic sharing set is 1 to represent that the identification data are equal, and 0 to represent that the identification data are unequal;

Utilizing the first arithmetic sharing set to perform secure multiparty computation on the first encryption sharing set and the second encryption sharing set to obtain a first data fragment to be processed;

Executing the target service on the first data fragment to be processed based on the first parameter fragment to obtain a first service result fragment;

and receiving a second service result fragment sent by the data providing end, and recovering and obtaining a service processing result of the target service based on the first service result fragment and the second service result fragment.

6. A method for processing a full-track business based on secure multiparty computing, characterized in that it is applied to a data provider, said method comprising:

responding to a service request, and acquiring a second object set of a target service and a second association set corresponding to the second object set;

Encrypting the second object set to obtain a second encrypted object set, and encrypting the second association set to obtain a second encrypted association set based on a second identification set and a key data set generated by random numbers;

Invoking an unintentional pseudo-random function, and inputting an encryption key value pair constructed based on the second encryption object set and the second encryption association set, wherein the unintentional pseudo-random function is used for calculating a first identification set and a first encryption sharing set based on a first encryption object set input by a service execution end and the encryption key value pair input by the data providing end, and feeding back the first identification set and the first encryption sharing set to the service execution end, and the first encryption object set is obtained by encrypting the first object set of the target service by the service execution end;

constructing a second encryption sharing set based on the second identification set and the key data set;

And invoking a secure multiparty computing framework, and performing secure multiparty computing based on the first identification set and the updated first encryption sharing set imported by the service execution end, and the second identification set and the second encryption sharing set imported by the data providing end, so as to obtain a service processing result, wherein the updated first encryption sharing set is obtained by updating the first encryption sharing set by the service execution end based on a first association set corresponding to the first object set.

7. The method of claim 6, wherein encrypting the second set of objects results in a second set of encrypted objects, comprising:

receiving an encryption parameter sent by the service execution end, wherein the encryption parameter is adopted by the service execution end for encrypting the first object set;

encrypting the second object set based on the encryption parameters to obtain a second encrypted object set;

The second identification set and the key data set generated based on the random number encrypt the second association set to obtain a second encrypted association set, which comprises the following steps:

Generating a second set of identifications including random numbers and a set of key data, wherein the second set of identifications and the set of key data have the same number of random numbers;

And encrypting the second association set based on the encryption parameter, the second identification set and the key data set to obtain a second encryption association set.

8. The method of any of claims 6-7, further comprising, after the invoking the inadvertent pseudorandom function, after entering an encryption key pair constructed based on the second set of encryption objects and the second set of encryption associations:

obtaining an intermediate key obtained by the unintentional pseudo-random function based on the first encryption object set input by the service execution end;

performing confusion processing on the input encryption key value pairs constructed based on the second encryption object set and the second encryption association set based on the intermediate key;

calling an inadvertent key value to encode the confusion result by an encoding strategy of the storage structure to obtain a data encoding set;

Transmitting the data code set to the service execution end; the data encoding set is used for the service execution end to call a decoding strategy of the storage structure by using an unintentional key value, a target sharing set is obtained by decoding based on the confusion data set and the data encoding set, and a first identification set and a first encryption sharing set are obtained by splitting the target sharing set; and the confusion data set is obtained by calling an unintentional pseudo-random function for the service execution end and based on the first encryption object set input by the service execution end.

9. The method according to any of claims 6-7, wherein the invoking the secure multiparty computing framework to perform secure multiparty computing based on the first set of identifications and updated first set of encryption shares imported by the service execution side, the second set of identifications imported by the data providing side, and the second set of encryption shares, to obtain a service processing result, comprises:

Invoking a secure multiparty computing framework, identifying whether the identification data of the corresponding positions in the first identification set and the second identification set are equal, obtaining a second arithmetic sharing set, and determining second parameter fragments based on encryption service parameters, wherein the data in the second arithmetic sharing set is 1 for representing that the identification data are equal, and 0 for representing that the identification data are unequal;

Utilizing the second arithmetic sharing set to perform secure multiparty computation on the first encryption sharing set and the second encryption sharing set to obtain second data fragments to be processed;

Executing the target service on the second data fragment to be processed based on the second parameter fragment to obtain a second service result fragment;

Transmitting the second service result fragments to the service execution end; the second service result fragments are used for the service execution end to recover and obtain the service processing result of the target service based on the first service result fragments and the second service result fragments; and the first service result fragments are obtained by calling a secure multiparty computing framework for the service execution end and performing secure multiparty computing based on the encrypted service parameters, the first identification set, the updated first encryption sharing set, the second identification set and the second encryption sharing set which are imported by the service execution end, and the second identification set and the second encryption sharing set which are imported by the data providing end.

10. The full-hidden-track service system based on the safe multi-party calculation is characterized by comprising a service execution end and a data providing end;

The service execution end is used for responding to a service request, acquiring a first object set of a target service and a first association set corresponding to the first object set, and encrypting the first object set to obtain a first encrypted object set;

the data providing terminal is used for responding to the service request and acquiring a second object set of the target service and a second association set corresponding to the second object set; encrypting the second object set to obtain a second encrypted object set, and encrypting the second association set to obtain a second encrypted association set based on a second identification set and a key data set generated by random numbers; an encryption key pair constructed based on the second encryption object set and the second encryption association set;

the service execution end is further used for calling an unintentional pseudo-random function to input the first encryption object set;

the data providing end is also used for calling the unintentional pseudo-random function to input the encryption key value pair;

the service execution end is further configured to obtain a first identification set and a first encryption sharing set output by the inadvertent pseudorandom function, where identification data in the first identification set corresponds to encryption association values in the first encryption sharing set one to one;

The service execution end is further configured to update the first encryption shared set based on the first association set to obtain an updated first encryption shared set;

the data providing end is further configured to construct a second encrypted shared set based on the second identification set and the key data set, where the identification data in the second identification set corresponds to the key data in the second encrypted shared set one to one;

The service execution end is also used for calling a secure multiparty computing framework and importing the first identification set and the updated first encryption sharing set;

The data providing end is also used for calling the secure multiparty computing framework and importing the second identification set and the second encryption sharing set;

The service execution end is further used for obtaining a service processing result obtained by performing secure multiparty calculation under the secure multiparty calculation framework.