PRESERVATION SYSTEM FOR PRESERVING PRIVACY OF OUTSOURCED DATA IN CLOUD BASED ON DEEP CONVOLUTIONAL NEURAL NETWORK

Abstract

The present invention relates to a preservation system for preserving privacy of outsourced data in a cloud based on a deep convolutional neural network (CNN). The system includes a key generation center, a cloud platform, a data user, and a CNN service providing unit. The key generation center is an entity trusted by all other entities in the system, and is responsible for distributing and managing all keys of a data user or a CNN service provider, and all boot keys of the cloud platform. The cloud platform stores and manages encrypted data outsourced from a registrant in the system, and provides a computing capability to perform a homomorphic operation on the encrypted data. The CNN service provider provides a required deep classification model for the data user, and a decision result reflects a current situation of the data user.

Claims

1. A preservation system for preserving privacy of outsourced data in a cloud based on a deep convolutional neural network (CNN), wherein the system comprises a key generation center, a cloud platform, a data user, and a CNN service providing unit; the key generation center is an entity trusted by all other entities in the system, and is responsible for distributing and managing all keys of a data user or a CNN service provider, and all boot keys of the cloud platform; the cloud platform stores and manages encrypted data outsourced from a registrant in the system, and provides a computing capability to perform a homomorphic operation on the encrypted data; the CNN service provider provides a required deep CNN classification model for the data user, and a decision result reflects a current situation of the data user.

2. The preservation method for preserving privacy of outsourced data in a cloud based on a deep CNN according to claim 1, comprising the following steps: step S1: transferring, by the data user, the encrypted data to the CNN service providing unit by using the cloud platform; and step S2: after processing the encrypted data, outputting, by the CNN service providing unit, a ciphertext result and storing the ciphertext result on the cloud platform.

3. The preservation method for preserving privacy of outsourced data in a cloud based on a deep CNN according to claim 2, wherein step S2 is specifically as follows: step S21: converting a format of the encrypted data, to obtain converted encrypted data; step S22: processing the converted encrypted data sequentially by using a convolutional layer, a pooling layer, and an ReLU function of the CNN; and step S23: executing full connection calculation and activation function calculation of the CNN, and outputting the ciphertext result.

4. The preservation method for preserving privacy of outsourced data in a cloud based on a deep CNN according to claim 3, wherein the format conversion comprises secure data transformation, secure ciphertext length control, and unified conversion of secure data.

5. The preservation method for preserving privacy of outsourced data in a cloud based on a deep CNN according to claim 3, wherein the convolutional layer specifically inputs d.sub.1 encrypted matrixes {circumflex over (X)}.sub.i and a matrix .Math..sub.i,j having a size of d.sub.1d.sub.2 , the convolutional layer outputs d.sub.2 encrypted matrixes .sub.j, and an architecture is as follows: (1) initializing each element in .sub.j by encrypting 0; and (2) for i=0, . . . ,d.sub.11,j=0, . . . ,d.sub.21, calculating {circumflex over (X)}.sub.i,jF.conv({circumflex over (X)}.sub.i,.Math..sub.i,j) and .sub.jF.madd(.sub.j,{circumflex over (X)}.sub.i,j).

6. The preservation method for preserving privacy of outsourced data in a cloud based on a deep CNN according to claim 3, wherein the pooling layer specifically inputs a w.sub.1w.sub.1 encrypted matrix {circumflex over (X)} and obtains output (that is, a w.sub.2w.sub.2encrypted matrix ), and performs the following steps: for 0iw.sub.21 and 0jw.sub.21, (i) constructing each encrypted matrix .sub.i,j having a size of tt, wherein for .sub.i,j,a,b=.sub.ei+a,ej+b, 0at 1, 0bt1, and e is a step; and (ii) executing .sub.i,jF.pool(.sub.i,j), wherein after the calculation is performed, .sub.i,j is used as an element of .

7. The preservation method for preserving privacy of outsourced data in a cloud based on a deep CNN according to claim 3, wherein for the ReLU function, a tt encrypted matrix {circumflex over (X)} is specifically given, and a goal of an SReLU is to produce a tt encrypted matrix , such that msg(.sub.i,j)ReLU(msg({circumflex over (x)}.sub.x,j))=max(0, msg({circumflex over (x)}.sub.i,j)).

8. The preservation method for preserving privacy of outsourced data in a cloud based on a deep CNN according to claim 3, wherein the full connection calculation of the CNN is specifically as follows: inputting encrypted vectors =(.sub.0,L,.sub.a1) and =(.sub.i,0,L,.sub.i,a1)0ib1), and outputting, by a secure fully connected layer, =(.sub.0,L,.sub.b1), wherein msg({circumflex over (n)}.sub.j)=.sub.j=0.sup.a1msg({circumflex over (x)}.sub.j).Math.msg(.sub.i,j); and for i=0, . . . ,b1, calculating F.inp(,.sub.i).

9. The preservation method for preserving privacy of outsourced data in a cloud based on a deep CNN according to claim 3, wherein the activation function calculation of the CNN is specifically as follows: giving t encrypted tuples (.sub.0,.sub.0),L,(.sub.t1,.sub.t1); and finally outputting, by an SSOFT, an encrypted identity {circumflex over (d)}*, wherein construction is performed as follows: (1) p.sub.i is inserted into , wherein s() denotes a size of the set ; and (2) this process is similar to an F.pool architecture, except that F.maxe is replaced with F.maxt; wherein after the calculation is completed, only one tuple (*.sub.0,*.sub.0) is left in , and the encrypted identity that is finally output is denoted as {circumflex over (d)}*={circumflex over (d)}*.sub.0.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0032] FIG. 1 is a schematic diagram of a system according to the present invention; and

[0033] FIG. 2 is a system architectural diagram of a CNN according to the present invention.

DETAILED DESCRIPTION

[0034] The present invention is described in more detail with reference to the accompanying drawings and examples.

[0035] Referring to FIG. 1, the present invention provides a preservation system for preserving privacy of outsourced data in a cloud based on a deep CNN. The system includes a key generation center, a cloud platform, a data user, and a CNN service providing unit. The key generation center is an entity trusted by all other entities in the system and is responsible for distributing and managing all keys of a data user or a CNN service provider, and all boot keys of the cloud platform. The cloud platform stores and manages encrypted data outsourced from a registrant in the system and provides a computing capability to perform a homomorphic operation on the encrypted data. The CNN service provider provides a required deep CNN classification model for the data user, and a decision result reflects a current situation of the data user.

[0036] In this example, a basic safety unsigned/signed integer circuit is created, and the safety integer circuit is implemented in a plurality of encrypted domains. Details are as follows:

1. Initialize the System.

[0037] First, a Fully Homomorphic Encryption Scheme over Tours (TFHE) whose plaintext space is T.sub.8 used as a basis, and in a binary circuit architecture respectively denote 0 and 1. Then boot parameters .sub.0= and .sub.1= are set. One -bit unsigned integer a may be denoted as (a.sub.1,a.sub.2, . . . ,a.sub.0). To store a through encryption, each bit may be encrypted by using the TFHE, to obtain =(a.sub.1,a.sub.2, . . . ,a.sub.0)=((a.sub.1), . . . ,(a.sub.0)). is used to denote a length ciphertext.

2. Basic Secure Unsigned Integer Circuit

[0038] Some basic secure unsigned integers are to be constructed by using the TFHE ciphertext.

[0039] First, a secure full adder circuit (Badd) is designed: Three encrypted bits (a),(b), and (c.sub.n) are given, and a secure full adder outputs two encrypted bits (o) and (c.sub.t). Therefore, o=abc.sub.n and c.sub.t=(ab)(c.sub.n(ab)), where o is a bit addition result, and c.sub.t is denoted as bit carry-out. A procedure for constructing Badd is as follows:

[0040] (1) Calculate .sub.1Hand((a),(b)),.sub.2Hxor((a),(b)), and

.sub.3Hand(.sub.2,(c.sub.n)).

[0041] (2) Calculate (o)Hxor(.sub.2,(c.sub.n)) and (c.sub.t)Hxor(.sub.1,.sub.3). Herein, the secure full adder is denoted as ((o),(c.sub.t))Badd((a),(b),(c.sub.o)).

[0042] A secure signed integer addition circuit (UI.add) is designed: Two length ciphertexts =((a.sub.1),(a.sub.2), . . . ,(a.sub.0)) and {tilde over (b)}=((b.sub.1),(b.sub.2), . . . ,(b.sub.0)) are given, and a secure unsigned integer addition may securely output a (+1)length ciphertext =((n.sub.),(n.sub.2), . . . ,(n.sub.0)). Therefore, msg()=msg()+msg({tilde over (b)}). The secure signed integer addition circuit has a simple and intuitive idea: Since Badd can be considered as a bit addition with carry-out, Ui.add is directly constructed by using Badd, and details are as follows:

[0043] (1) Initialize (c.sub.0), such that, c.sub.0=0.

[0044] (2) For i=0, . . . , 1, calculate ((n.sub.i),(c.sub.i+1))Badd((a.sub.i),(b.sub.i),(c.sub.i)). After calculation is performed based on the foregoing formula, it is set that (n.sub.)(c.sub.) and the circuit is denoted as UI.add(,{tilde over (b)}).

[0045] Then, a preservation unsigned integer comparison circuit (UI.cmp) is designed:

[0046] Two length ciphertexts =((a.sub.1),(a.sub.2), . . . ,(a.sub.0)) and {tilde over (b)}=((b.sub.1),(b.sub.2), . . . ,(b.sub.0)) are given, and UI.cmp securely outputs an encrypted bit k(t). If msg()msg({tilde over (b)}), t=0. If msg()msg({tilde over (b)}),t=1. A final result is defined as msg() and msg({tilde over (b)}). A first different bit from high-order to low-order may be constructed as follows:

[0047] (1) Calculate (t.sub.0)Hand(Hnot((a.sub.0)),((b.sub.0)).

[0048] (2) For i=0, . . . , 1, calculate

[0049] (c.sub.i)Hand(Hnot((a.sub.i)),(b.sub.i));

[0050] (c.sub.i)Hand(Hnot((a.sub.i),(b.sub.i)),(t.sub.i));

[0051] (t.sub.i+1)Hxor((c.sub.i),(c.sub.i)).

[0052] In the foregoing formula, it is set that (t)(t.sub.i+1), and the circuit is denoted as (t)UI.cmp(,{tilde over (b)}).

[0053] Finally, a secure unsigned integer multiplication circuit (UI.mul) is designed: Two length ciphertexts and {tilde over (b)} are given, and a 2length ciphertext is obtained as a final multiplication result.

[0054] Step 1: first, for i=0 to 1, recurrently execute the following equations:

[0055] (1) for j=1, . . . ,1+i, calculating (c.sub.i,j)Hand((a.sub.ji),(b.sub.i));

[0056] (2) constructing an i-th encrypted vector as {tilde over (c)}.sub.i=((c.sub.i,i+1), . . . ,(c.sub.i,0)), where for i>0,c.sub.i,0=. . . =c.sub.i,i+1=0.

[0057] Step 2: add integers .sub.i, . . . .sub.1 together by using UI.add, in other words, it is denoted that .fwdarw..sub.0 and (n.sub.)=(0); then, for i=1, . . . , 1, calculate UI. add(, .sub.i), where the circuit is denoted as UI.mul(,{tilde over (b)}), and 2length is finally output, because the length of is increased by 1 when UI.add is executed.

3. Secure Signed Integer Storage and Computation

[0058] Herein, it is explained how to securely store a signed integer, and a basic signed integer operation is described.

[0059] First, a two's complement is represented, and a two's complement number system encodes positive and negative numbers into a binary number representation. A weight of each bit is a power of 2, except the most significant bit whose weight is a negative value of a power of a corresponding bit 2. An (integer) value of a -bit integer a=(a.sub.1,a.sub.2, . . . ,a.sub.0) is denoted by using the following formula:

[00002]$\mathrm{dsg}\left(a\right)=-a_{-1}.Math.2^{-1}+\underset{i=0}{\overset{-2}{.Math.}}.Math..Math.a_j.Math.2^i,$

where dsg(.Math.) denotes a decimal value of a binary vector. A two's complement number system may be used to denote all integers from 2.sup.1 to 2.sup.1. (a.sub.1,a.sub.2, . . . ,a.sub.0) is given, (1a.sub.1,1a.sub.2, . . . ,1a.sub.0) is executed for the first time, and then a decimal integer (0, . . . ,0,1) is added. After conversion is completed, the TFHE encrypts them bit by bit, and a length ciphertext is sent to a cloud for outsourced storage. Then how to securely implement basic secure signed integer computation is demonstrated.

[0060] Second, a secure signed integer equality test circuit (I.equ) is designed: Two ciphertexts =((a.sub.1),(a.sub.2), . . . ,(a.sub.0)) and {tilde over (b)}=((b.sub.1),(b.sub.2), . . . ,(b.sub.0)) having a length of bits and storing signed integers msg() and msg({tilde over (b)}) are given, and I.eq can securely output an SLWE instance (t). If msg()=msg({tilde over (b)}), t=1. If msg()msg({tilde over (b)}), t=0. A high-level idea is to compare the two integers bit by bit. If all bits are the same, the two integers are equal. An implementation procedure is as follows:

[0061] (1) Initialize (t)Hxor((a.sub.0),(b.sub.0)).

[0062] (2) For i=0, . . . , 1, calculate (.Math..sub.i)Hxor((a.sub.i),(b.sub.i)) and

(t)Hand((t),(.Math..sub.i)). Herein, the circuit is denoted as (t)<I. equ(,{tilde over (b)}).

[0063] Third, a secure signed integer addition circuit (I.add) is designed: Two ciphertexts and {tilde over (b)} having a length of bits and storing signed integers msg() and msg({tilde over (b)}) are given. UI.add outputs two ciphertexts, namely, and () that respectively store an addition result and an error/overflow information. UI.add is directly used during the construction, only a ciphertext having a length of bits is output, and a carry-out is discarded.

[0064] Step 1. when the two's complement number system is used, perform UI.add addition to add two numbers and reserve bits, that is, *UI.add(,{tilde over (b)}), and =((n*.sub.1), . . . ,(n*.sub.0)) is recorded.

[0065] Step 2. indicate one error when either of the following two cases occurs:

[0066] (1) two positive numbers produce a negative addition result

(a.sub.1=0,b.sub.1=0,n.sub.1=1) and

[0067] (2) two negative numbers produce a positive addition result

(a.sub.1=1,b.sub.1=1,n.sub.1=0), where an SLWE instance () is used to store overflow information, that is, .sub.0=(1a.sub.1b.sub.1)(b.sub.1n.sub.1) such that the overflow occurs when .sub.0=1; otherwise, .sub.0=0. Step 2 proceeds as follows:
()Hand(Hxnor(a.sub.1,b.sub.1), Hxor(b.sub.1,n.sub.1)) . . . Herein, the circuit is denoted as (,())I.add(;{tilde over (c)}.sub.0).

[0068] Fourth, a secure signed integer comparison circuit (I.cmp) is designed: Two ciphertexts and {tilde over (b)} having a length of bits are given, and I.cmp outputs an encrypted bit (n). A concept thereof is as follows: If sign bits are different, an integer with a positive sign bit is selected as a relatively large integer. Otherwise, two integers are compared directly by using UI.cmp and a result is output. I.cmp includes the following steps:

[0069] Step 1: calculate (d)UI.cmp(,{tilde over (b)}).

[0070] Step 2: herein, if two sign bits of the input are different (in other words, (a.sub.1,b.sub.1=1)), select a plaintext of final output as n=a.sub.1; otherwise, select the plaintext of the final output as n=d. Construction is performed as follows: t=Hxor((a.sub.1),(b.sub.1); c.sub.1=Hand((a.sub.1)t); and c.sub.2=Hand((d),Hnot(t)), and (n)Hxor(c.sub.1,c.sub.2). Fifth, secure integer obvious selection is designed: Two ciphertexts and {tilde over (b)} having a length of bits and an encrypted bit (s) are input, and is output. If s=1, sg()=msg(). If s=0, msg()=msg(). A construction procedure is as follows: For i=0, . . . , 1, calculating

(c.sub.i)Hand((a.sub.i),(s)),(c.sub.i)Hand((b.sub.i),(s)), and (n.sub.i)Hand((c.sub.i),(c.sub.i)). Herein, the algorithm is denoted as I.obv(,{tilde over (b)},(s)).

[0071] Sixth, secure multi-integer obvious selection (I.mobv) is designed: z encrypted unsigned integer values .sub.0, . . . , .sub.z1 having a length of bits and z encrypted bits (s.sub.0), . . . ,(s.sub.z1) are input, and is output. If s.sub.i=1, msg()=msg(.sub.i). Only one of s.sub.0, . . . ,s.sub.z1 is equal to 1 and remaining numbers are equal to 0. The algorithm is constructed as follows:

is initialized as a ciphertext which encrypts 0 having a length of bits. For i=0, . . . ,z1 and j=0, . . . ,1 , (e.sub.i,j)Hand((a.sub.i,j),(s.sub.i)) and (n.sub.j)Hxor((n.sub.j),(e.sub.i,j)) are calculated, where .sub.i=(a.sub.i,1), . . . ,(a.sub.i,0)). Finally, =((n.sub.1), . . . ,(n.sub.0)) is output, and the circuit is denoted as I.mobv(.sub.0, . . . ,.sub.z1;(s.sub.0), . . . ,(s.sub.z1)).

[0072] Based on I.cmp and I.obv, two new circuits are designed: a secure maximum number selection (I.maxe) circuit and a secure maximum tuple selection (I.maxt) circuit. Then constructions of the two protocols are separately provided.

[0073] A construction of I.maxe: and {tilde over (b)} having a length of bits are used as input, and I.maxe outputs . If msg()msg({tilde over (b)}), msg()=msg(); otherwise, msg()=msg({tilde over (b)}). It may be obtained as follows:

t.fwdarw.I.cmp(,{tilde over (b)}) and I.obv(,{tilde over (b)},t).

[0074] A construction of I.maxe: Two tuples (,{tilde over (d)}.sub.a) and ({tilde over (b)},{tilde over (d)}.sub.b) having a length of bits are used as input, I.maxe outputs (,{tilde over (d)}.sub.n), a plaintext value of is equal to a larger one of and {tilde over (b)}, but {tilde over (d)}.sub.n{{tilde over (d)}.sub.a,{tilde over (d)}.sub.b} is a corresponding identical equation of n%, and it may be obtained as follows:

t.fwdarw.I.cmp(,{tilde over (b)}),I.obv(,{tilde over (b)},t), and {tilde over (d)}.sub.nI.obv({tilde over (d)}.sub.a,{tilde over (d)}.sub.b,t).

[0075] Seventh, a secure signed integer multiplication circuit (I.mul) is designed: Two ciphertexts and {tilde over (b)} having a length of bits are given, and a ciphertext including a 2 SLWE instance is output as a storage result.

[0076] Step 1: same as step 1 of UI.mul.

[0077] Step 2: invert a plaintext bit of (c.sub.i,i+1) in {tilde over (c)}.sub.i(i=0, . . . ,2), in other words, for i=0, . . . ,2, calculate (c.sub.i,i+1)Hnot((c.sub.i,i+1)). For .sub.1, plaintext bits stored from a location 1 to a location 23 need to be inverted. In other words, for j=1, . . . ,23, (c.sub.1,j)Hnot((c.sub.u1j)) is calculated. Then, all {tilde over (c)}.sub.i are added together through integration to obtain . That is,

[0078] (1) Initialize as a length of +1 bits, where for j=0, . . . ,1;(n.sub.)=(0).

[0079] (2) For i=1, . . . ,1, calculate UI.add(,{tilde over (c)}*.sub.i) After I.add is executed times, UI.add(,{tilde over (v)}) is calculated. For j=0, . . . ,2;j, (v.sub.21)=(v.sub.)=(1), and (v.sub.j)=(0). Finally, relatively low 2 bits in are used as a final result, and the circuit is denoted as I.mul(,{tilde over (b)}).

4. Secure computation with multi-key is designed, and all secure unsigned/signed integer circuits constructed above can only be calculated with a same key. If calculation needs to be performed across different domains/keys, POCNet cannot be directly applied. A simple solution is to use a multi-key fully homomorphic encryption (MKFHE) scheme to construct a circuit. However, an existing MKFHE scheme is still inefficient compared to the TFHE in terms of storage requirements and computational overheads. Another solution is to use a bootstrap and a transformation key is used to map one encrypted domain to another encrypted domain. Since the bootstrap is remarkably effective in POCNet, the second method is used to achieve secure multi-key calculation.

[0080] To construct a secure computations layer in POCNet, all ciphertexts are transferred to a same encrypted domain for secure computation, that is, a DU j data domain is transformed into a data domain by using BK.sub.sj.fwdarw.and a CSP m s data domain is transformed into a data domain by using BK.sub.s.sub.m.sub..fwdarw.. After the computation is completed, for decryption, a CP uses BK.sub..fwdarw.s.sub.b to transform a final result to an authorized user b. Since a transformation key acts as a public key, the bootstrap may be stored and executed at the CP without compromising privacy of a DU/CSP.

[0081] Since a parameter used in a CNN is usually a non-integer, the parameter cannot be directly used by a constructed signed integer circuit. To store the non-integer value, the non-integer value needs to be converted into a fixed-point number, denoted as msg().Math.2.sup.x and (,2.sup.x), and a ciphertext is =(.sub.1, . . . , .sub.0). It is noted that information of msg() is not leaked when x is learned. For example, 0.25 may be denoted as 42.sup.4, and stored as ({tilde over (c)},4), where {tilde over (c)} stores an integer 4. When and {tilde over (c)} are not decrypted, it is very difficult for others to determine (,2) and ({tilde over (c)},2).

[0082] In this example, a lowercase letter and a hat are used to denote a fixed-point ciphertext, and an uppercase letter is used to denote an encrypted matrix. The latter stores an encrypted fixed-point number .sub.i,j (that is, a Scale-invariant LWE (SLWE) instance having a length of bits and an integer number) in each element, and i and j are limited by a size of the encrypted matrix.

[0083] In this example, secure data transformation (DT):=(, x) and y are given, where is a ciphertext having a length of bits, a goal of DT is to control a plaintext length value of and to produce a new ciphertext {circumflex over (n)}=({circumflex over (n)},z), such that msg(2.sup.x)msg()2.sup.z (xz). in the latter is a ciphertext having a length of bits, and a non-integer is converted into a fixed-point number, thereby implementing calculation of the non-integer. The construction is performed as follows: It is set that n.sub.1=. . . =n.sub.1+xz=.sub.1 and n.sub.j+xz=.sub.j(j=2, . . . ,zx), and the circuit in this case is denoted as {circumflex over (n)}DT(,z).

[0084] Secure ciphertext length control (CLC): CLC is used to securely control a length of a ciphertext, that is, is set to (,x) having a length of bits, to obtain a new ciphertext (,z) of length , such that msg()2.sup.xmsg()2.sup.z(). Construction is performed as follows: It is set n.sub.j=.sub.+j(j=1, . . . ,0) and z=x+. Herein, the circuit is denoted as (,z)CLC(,x),.

[0085] It is noted that a difference between DT and CLC is that ciphertexts of both input and output during DT are the same, while ciphertexts of both input and output during CLC may be different.

[0086] Secure data uniform transformation (Uni):.sub.a1=(.sub.a1,x.sub.a1), .sub.a2=(.sub.a2,x.sub.a2), .sub.a3=(.sub.a3,x.sub.a3) is input, and Uni outputs {circumflex over (n)}.sub.a1=(.sub.a1,z){circumflex over (n)}.sub.a2=(.sub.a2,z),{circumflex over (n)}.sub.a3=(.sub.a3,z) such that msg(.sub.j)2.sup.x=msg(.sub.j)2.sup.z. Construction is performed as follows:

[0087] (1) Calculate z=min(x.sub.a1, . . . ,x.sub.0).

[0088] For j=0, . . . , a1, calculate (.sub.j,z)DT((.sub.j,x.sub.j), z).

[0089] Based on Uni and secure integer computation, the following commonly used secure fixed-point calculation may be implemented:

[0090] Secure fixed-point number addition (F.add):=(, x) and {circumflex over (b)}=({tilde over (b)},y) are given, and a goal of F.add is to calculate {circumflex over (n)}=(,z), such that

msg(2.sup.z)=msg()2.sup.x+msg({tilde over (b)})2.sup.y. Construction is performed is as follows:

[0091] Step 1: execute {circumflex over (b)}*=({tilde over (b)}*,z).

[0092] Step 2: calculate I.add(*,{tilde over (b)}*) and output (,z).

[0093] A construction of a secure fixed-point number comparison circuit (F.cmp), a construction of a secure fixed-point number maximum selection circuit (F. maxe), and a construction of a secure fixed-point tuple maximum selection circuit (F. maxe) are similar to that of the F.add circuit. A difference lies in that in step 2 of F.add, I.add is correspondingly replaced with the secure integer circuits I.cmp, I.maxe, and I.maxt separately. Adding is performed separately. Next, secure fixed-point multiplication is constructed.

[0094] Secure fixed-point number multiplication (F.mul):=(,x) and {circumflex over (b)}=({tilde over (b)},y) are given, and a goal of F.mul is to securely calculate a fixed-point result {circumflex over (n)}=(,z), such that msg()2.sup.z=msg()msg({tilde over (b)})2.sup.x+y. Construction is performed is as follows:

[0095] Step 1: calculate {circumflex over (n)}I.mul(,{tilde over (b)}).

[0096] Step 2: calculate (,z)CLC((,x+y),2). After the calculation is completed, F.mul outputs (,z).

[0097] Remark 1: DT, CLC, and Uni need only a data copy operation and do not need any arithmetic calculation. Therefore, the above two operations do not incur any computational cost at the CP.

[0098] Remark 2: To uniform the ciphertexts, both DT and CLC can be used for fixed-point number approximation. Both the circuits may cause some precision losses but can save significant computational and storage costs.

[0099] In this example, a convolution layer.

[0100] To enable a general technician to better understand the technical solutions of the present invention, the following describes the present invention in detail below with reference to the accompanying drawings.

[0101] A matrix X having a size of w.sub.1h.sub.1d.sub.1 and each filter matrix w having a size of ssd.sub.1 are given, and a ciphertext CONV outputs a matrix Y having a size of w.sub.2h.sub.2d.sub.2, where w.sub.2=(w.sub.1s +2p)/e+1,h.sub.2=(h.sub.1s+2p)/e+1, and p is a zero padding amount on a border, and e a size of a filter sliding step. Mathematically, Y is calculated based on the following formula:

[00003]$y_{i,j,k}=\underset{=0}{\overset{d_i-1}{.Math.}}.Math..Math.\underset{=0}{\overset{s-1}{.Math.}}.Math..Math.\underset{=0}{\overset{s-1}{.Math.}}.Math..Math.u_{,,,k}.Math.x_{\mathrm{ai}+,\mathrm{aj}+,}.$

It is set that w.sub.1=h.sub.1, to obtain w.sub.2=h.sub.2. Before construction, calculation of two fixed-point matrixes is described and introduced.

[0102] Secure fixed-point matrix addition (F.madd): Two encrypted matrixes {circumflex over (X)} and having a size of ab are input, and F.madd outputs matrixes having a same size. An execution process is as follows: For 0i<a and 0i<b, calculate .sub.i,jF.add(.sub.i,j,.sub.i,j). Secure fixed-point convolutional computation (F.conv): An encrypted matrix X.sub.i having a size of w.sub.1w.sub.1 and an encrypted filter matrix .Math. having a size of ss are input, and F.conv outputs an encrypted matrix of having a size of w.sub.2w.sub.2 by using the following program: For 0i<w.sub.2, 0j<w.sub.2, 0a<s1, and 0b<s1, calculate .sub.a,b,i,jF. mul(.sub.a,b,{circumflex over (x)}.sub.ei+a,ej+b) and

.sub.i,jF.add(.sub.i,j,.sub.a,b,i,j).

[0103] An architecture of a SCONV layer: d.sub.1 encrypted matrixes {circumflex over (X)}.sub.i and a matrix .Math..sub.i,j having a size of d.sub.1d.sub.2 are input, and a SCONV layer outputs d.sub.2 encrypted matrixes .sub.j. The architecture is as follows:

[0104] (1) Initialize each element in .sub.j, and set an encrypted value to 0.

[0105] (2) For i=0, . . . ,d.sub.11,j=0, . . . ,d.sub.21, calculate {circumflex over (X)}.sub.i,jF. conv({circumflex over (X)}.sub.i,.Math..sub.i,j) and .sub.i,jF.madd(.sub.i,{circumflex over (X)}.sub.i,j).

[0106] In this example, a pooling layer is specifically as follows: Max-pooling is used as a pool, and a w.sub.1w.sub.1 encrypted matrix is input, and an w.sub.2w.sub.2 encrypted matrix is output. Because a secure extreme value function is used, each block of tt is reduced to a single encrypted value, where in w.sub.2 =(w.sub.1t+2p)/e+1, p is padding, t is a size of a filter, and e is a step (for example, w.sub.1=4,t=2,p=0,e=2,w.sub.2=2). Herein, F.maxe is used to construct a secure maximum pooling protocol, and then a secure pooling layer is constructed by using the secure maximum pooling protocol. A tt encrypted matrix {circumflex over (X)} is given, each encrypted fixed-point number {circumflex over (x)}.sub.i,j(0i,jt1) is an encrypted fixed-point number {circumflex over (x)}* output by F.pool, and {circumflex over (x)}* has a maximum plaintext value from the t.sup.2 encrypted elements. [0107] (i) X.sub.i,j(0i,jt1) is inserted into a set . They are denoted as {circumflex over (x)}.sub.0, . . . ,{circumflex over (x)}.sub.t.sub.2.sub.1, where s() denotes a size of the set . [0108] (ii) The following program is repeated, until the set has only one element. In other words, if s()=1, the element is used as a finally output {circumflex over (x)}*. Therefore, the algorithm is executed as follows:

[0109] If a size of s() is mod2=0 and s()>1, for i=0 to s()/21,{circumflex over (x)}*F.maxe({circumflex over (x)}.sub.2i;{circumflex over (x)}.sub.2i+1) is calculated, *.sub.0,L,.sub.(S()1)/21 is inserted into the set , and it is set that .

[0110] If a size of s() is mod20 and s()>1, for i=0 to (s()1)/21,{circumflex over (x)}* F.maxe({circumflex over (x)}.sub.2i;{circumflex over (x)}.sub.2i+1) is calculated. *.sub.0,L,.sub.(S()1)/21 is inserted into a set , and it is set that .

[0111] The secure pooling layer is implemented as follows: To construct the secure pooling layer, a w.sub.1w.sub.1 encrypted matrix {circumflex over (X)} is input and output is obtained (that is, an w.sub.2w.sub.2encrypted matrix ). The following steps are performed: for 0iw.sub.21 and 0jw.sub.21, [0112] (i) constructing each encrypted matrix .sub.i,j having a size of tt , where for .sub.i,j,a,b=.sub.ei+a,ej+b, 0at1,0bt1, and e is a step; and [0113] (ii) executing .sub.i,jF.pool(.sub.i,j), where after the calculation is performed, .sub.i,j is used as an element of .

[0114] In this example, an ReLU function is specifically as follows: A tt encrypted matrix {circumflex over (X)} is given, and a goal of an SReLU is to produce a tt encrypted matrix , such that msg(.sub.i,j)ReLU(msg({circumflex over (x)}.sub.x,j))=max(0,msg({circumflex over (x)}.sub.i,j)). To implement the SReLU, a simplest method is to securely calculate the ReLU function element by element. As an encrypted fixed-point number, .sub.0 stores an integer of 0.

[0115] In this example, a fully-connected layer is specifically a secure fixed-point inner product circuit (F.inp): Two encrypted vectors {circumflex over (X)}=({circumflex over (x)}.sub.0, . . . ,{circumflex over (x)}.sub.a1) and =(.sub.0, . . . ,.sub.a1) are given, and F.inp outputs {circumflex over (n)}, where

[00004]$\mathrm{msg}\left({\hat{n}}_i\right)=\underset{j=0}{\overset{n-1}{.Math.}}.Math..Math.\mathrm{msg}\left({\hat{x}}_j\right).Math.\mathrm{msg}\left({\hat{y}}_j\right).$

Then construction is performed as follows: F.mul({circumflex over (x)}.sub.0,.sub.0). For j=1, . . . ,a1,{tilde over (t)}.sub.jF.mul({circumflex over (x)}.sub.j,.sub.j) and {tilde over (f)}F.add(,{circumflex over (t)}.sub.j) are calculated.

[0116] The fully-connected layer (SFC) is implemented as follows: Encrypted vectors {circumflex over (X)}=({circumflex over (x)}.sub.0, . . . ,{circumflex over (x)}.sub.a1) and .sub.i =(.sub.i,0, . . . ,.sub.i,a1)(0ib1) are input, and the secure fully-connected layer outputs {circumflex over (N)}=({circumflex over (n)}.sub.0, . . . ,{circumflex over (n)}.sub.b1), where

[00005]$\mathrm{msg}\left({\hat{n}}_i\right)=\underset{j=0}{\overset{n-1}{.Math.}}.Math..Math.\mathrm{msg}\left({\hat{x}}_j\right).Math.\mathrm{msg}\left({\hat{y}}_{i,j}\right).$

The SFC is run as follows: For i=0, . . . ,b1, calculate .sub.iF.inp({circumflex over (X)},.sub.i).

[0117] In this example, secure Softmax regression needs to be used in conjunction with the secure fully-connected layer to achieve multi-class classification. For a plaintext version (x.sub.0,d.sub.0), . . . ,(x.sub.t1,d.sub.t1) of a softmax layer with input, a softmax function first produces y=(y.sub.0, . . . ,y.sub.t1), where

[00006]$y_i=\frac{e^{x_i}}{\underset{j=0}{\overset{t-1}{.Math.}}.Math..Math.e^{x_j}}.Math.\left(i=0,\mathrm{.Math.}.Math.,t-1\right),$

for all 0j<k and ja, if y.sub.a>y.sub.j, a finally output unit is d.sub.a. Since an SSOFT needs to output a ciphertext label, and e.sup.x is a monotonically increasing function, only a maximum x.sub.max needs to be found by using (x.sub.0, . . . ,x.sub.t1) and a corresponding d.sub.max is output. The above construction is performed as follows:

[0118] An SSOFT layer is implemented as follows: t encrypted tuples ({circumflex over (x)}.sub.0,{circumflex over (d)}.sub.0), . . . , {circumflex over (x)}.sub.t1,{circumflex over (d)}.sub.t1) are given; and the SSOFT finally outputs an encrypted identity {circumflex over (d)}*. Construction is performed as follows:

p.sub.i is inserted into , where S() denotes a size of the set .

[0119] This process is similar to an F.pool architecture, except that F.maxe is replaced with F.maxt.

[0120] After the calculation is completed, only one tuple ({circumflex over (x)}*.sub.0,{circumflex over (d)}*.sub.0) is left in , and the encrypted identity that is finally output is denoted as {circumflex over (d)}={tilde over (d)}*.sub.0.

[0121] In this example, the user-defined non-linear activation function is preferably implemented. During calculation of the non-linear function, a function structure is also preserved.

[0122] Details are as follows:

[0123] Privacy-preserving piecewise polynomial calculation protocol: A ciphertext {circumflex over (x)}.sub.0 and an encrypted piecewise function f(x)=f.sub.i(x) (if p.sub.ix<p.sub.i1) are given, where f.sub.i(x)=a.sub.i,k1x.sup.k1 +. . . +a.sub.i,1x+a.sub.i,0, 0iz , and k1 (all fixed-point coefficients a.sub.i,k1, . . . , a.sub.i,0 (stored as .sub.i,k1, . . . , .sub.i,0), and piecewise intervals and p.sub.i1 are encrypted (stored as {circumflex over (p)}.sub.i1, . . . ,{circumflex over (p)}.sub.i,0). A goal of the privacy-preserving piecewise polynomial calculation protocol is for secure computation and encryption f(msg({circumflex over (x)}.sub.0)). Details are as follows:

[0124] Step 1: calculate an encrypted value of x x.sup.2, . . . , x.sup.k1, where it is set that {circumflex over (t)}.sub.1={circumflex over (x)}.sub.0. If k>2, for j=2, . . . ,k1, calculate {circumflex over (t)}.sub.jF.mul({circumflex over (x)}.sub.0,{circumflex over (t)}.sub.j1). Before Uni is executed, if k=1, for i=0, . . . ,z1, it is set that .sub.i=.sub.i,0, and skip to step 3 for processing. Otherwise, step 2 is performed.

[0125] Step 2: output encryption f.sub.i (x) that is denoted as .sub.i. Construction thereof is performed as follows: For i=0, . . . , z1, record that .sub.i=.sub.i,0; then for i=0, . . . ,z1 and j=1, . . . ,k1, calculate .sub.i,jF.mul({circumflex over (t)}.sub.j,.sub.i,j) and .sub.iF.Math.add(.sub.i,.sub.i,j).

[0126] Step 3: normalize all encrypted fixed-point numbers to same precision, and calculate (.sub.0, . . . ,.sub.z1)Uni(.sub.0, . . . ,.sub.z1), where for i=0, . . . ,z1,.sub.i=({tilde over (y)},c).

[0127] Step 4: securely compare x and a relationship between piecewise intervals and p.sub.i1 and p.sub.i, that is,

[0128] (1) for i.sub.1=1, . . . ,z1, calculating .sub.i.sub.1F.cmp ({circumflex over (x)}.sub.0,{circumflex over (p)}.sub.i.sub.1).sub.;

[0129] (2) for i.sub.2=0, . . . ,z2, calculating .sub.i.sub.2H.not(.sub.i.sub.2);

[0130] (3) for i.sub.3=0, . . . ,z1 , calculating *.sub.i.sub.3H.xnor(.sub.i.sub.3,.sub.i.sub.3.sub.1). Note: For *.sub.0, . . . ,*.sub.z1, only one plaintext is equal to 1, and others are equal to 0.

[0131] Step 5: use encrypted bits *.sub.0, . . . ,*.sub.z1, and select an encrypted value from {tilde over (y)}.sub.0, . . . ,{tilde over (y)}.sub.z1 by calculating {tilde over (f)}I. movb({tilde over (y)}.sub.0, . . . ,{tilde over (y)}.sub.z1;*.sub.0, . . . ,*.sub.z1); finally, output {circumflex over (f)}=({tilde over (f)},c), where {tilde over (f)}=(f.sub.1, . . . ,f.sub.0).

[0132] Implement function privacy: Our privacy-preserving piecewise polynomial calculation protocol ensures privacy of user data and a user-defined function structure by performing the following setting: (1) Quantities of subfunctions used in a piecewise polynomial are the same for piecewise functions of all users. 2) Subfunctions of all the users share a same degree k.

[0133] The afore-mentioned are only preferred examples of the present invention, and all equivalent changes and modifications made in accordance with the claims of the present invention shall fall within the scope of the present invention.