METHOD, APPARATUS, MEDIUM AND DEVICE FOR GENERATING DATA TUPLE FOR SECURE COMPUTATION

Abstract

The present disclosure relates to a method and apparatus for generating a data tuple for secure computation, a medium, and a device. The method is applied to a first participant, and the method includes: separately obtaining a first pseudo-random number pair and a second pseudo-random number pair by jointly executing the R-OT protocol with a second participant twice; and generating a first element slice of a data tuple for secure computation based on the two pseudo-random number pairs, where the data tuple includes the first element slice and a second element slice, and the second element slice is generated by the second participant.

Claims

1. A method for generating a data tuple for secure computation, wherein the method is applied to a first participant, the first participant is one of two participants of the secure computation, and the method comprises: separately obtaining a first pseudo-random number pair and a second pseudo-random number pair by jointly executing a random oblivious transfer (R-OT) protocol with a second participant twice, wherein the second participant is the other one of the two participants; and generating a first element slice of a data tuple for secure computation based on the first pseudo-random number pair and the second pseudo-random number pair, wherein the data tuple comprises the first element slice and a second element slice, and the second element slice is generated by the second participant based on a third pseudo-random number pair and a fourth pseudo-random number pair, and the third pseudo-random number pair and the fourth pseudo-random number pair are separately obtained when the second participant executes the R-OT protocol twice.

2. The method according to claim 1, wherein the secure computation is used for the two participants to collaboratively compute a product of first data and second data, the first data forms an arithmetic sharing form between the two participants, and the second data forms a Boolean sharing form between the two participants; and wherein the first pseudo-random number pair comprises a first pseudo-random number b.sub.0 and a second pseudo-random number u.sub.0, the second pseudo-random number pair comprises a third pseudo-random number a.sub.0 and a fourth pseudo-random number v.sub.0, the third pseudo-random number pair comprises a fifth pseudo-random number a.sub.1 and a sixth pseudo-random number u.sub.1, the fourth pseudo-random number pair comprises a seventh pseudo-random number b.sub.1 and an eighth pseudo-random number v.sub.1, wherein the first pseudo-random number pair and the third pseudo-random number pair are obtained by executing the R-OT protocol for one time, the second pseudo-random number pair and the fourth pseudo-random number pair are obtained by executing the R-OT protocol for another time, the first to eighth pseudo-random numbers satisfy relationships (b.sub.0, a1)=u.sub.0+u.sub.1, and (b.sub.1, a.sub.0)=v.sub.0+v.sub.1, if b=1, then (b, a)=a, if b=0, then (b, a)=0, b.sub.0 b.sub.1 and b belong to a modulus 2 space, and a w.sub.0, a.sub.0, v.sub.0, a.sub.1, u.sub.1 and v.sub.1 all belong to a modulus 2 to the power of N space.

3. The method according to claim 2, wherein the generating a first element slice of a data tuple for secure computation based on the first pseudo-random number pair and the second pseudo-random number pair comprises: determining a first value based on the first pseudo-random number and the third pseudo-random number; determining a second value based on the first pseudo-random number, the second pseudo-random number, the fourth pseudo-random number, and the first value; and generating the first element slice of the data tuple for secure computation using the first pseudo-random number, the first value, and the second value as elements.

4. The method according to claim 3, wherein the determining a second value based on the first pseudo-random number, the second pseudo-random number, the fourth pseudo-random number, and the first value comprises: determining the second value based on the first pseudo-random number, the second pseudo-random number, the fourth pseudo-random number, and the first value by using the following formula: $y_0=f\left(b_{0^{}}{\tilde{a}}_0\right)+u_0+v_0$ where y.sub.0 is the second value, and .sub.0 is the first value.

5. The method according to claim 3, wherein the determining a first value based on the first pseudo-random number and the third pseudo-random number comprises: when the first pseudo-random number is 0, determining the third pseudo-random number as the first value; or when the first pseudo-random number is 1, determining an opposite of the third pseudo-random number as the first value.

6. The method according to claim 2, further comprising: generating a first intermediate result based on the first element slice, a first arithmetic slice of the first data held by the first participant, and a first Boolean slice of the second data held by the first participant.

7. The method according to claim 6, further comprising: obtaining a second intermediate result generated by the second participant, wherein the second intermediate result is generated based on the second element slice, a second arithmetic slice of the first data held by the second participant, and a second Boolean slice of the second data held by the second participant; and determining a sum of the first intermediate result and the second intermediate result as the product of the first data and the second data.

8. A computer-readable medium having a computer program stored thereon, wherein the program upon executed by a processor, cause the processor to: separately obtain a first pseudo-random number pair and a second pseudo-random number pair by jointly executing a random oblivious transfer (R-OT) protocol with a second participant twice, wherein the second participant is the other one of the two participants; and generate a first element slice of a data tuple for secure computation based on the first pseudo-random number pair and the second pseudo-random number pair, wherein the data tuple comprises the first element slice and a second element slice, and the second element slice is generated by the second participant based on a third pseudo-random number pair and a fourth pseudo-random number pair, and the third pseudo-random number pair and the fourth pseudo-random number pair are separately obtained when the second participant executes the R-OT protocol twice.

9. The medium according to claim 8, wherein the secure computation is used for the two participants to collaboratively compute a product of first data and second data, the first data forms an arithmetic sharing form between the two participants, and the second data forms a Boolean sharing form between the two participants; and wherein the first pseudo-random number pair comprises a first pseudo-random number b.sub.0 and a second pseudo-random number u.sub.0, the second pseudo-random number pair comprises a third pseudo-random number a.sub.0 and a fourth pseudo-random number v.sub.0, the third pseudo-random number pair comprises a fifth pseudo-random number a.sub.1 and a sixth pseudo-random number u.sub.1, the fourth pseudo-random number pair comprises a seventh pseudo-random number b.sub.1 and an eighth pseudo-random number v.sub.1, wherein the first pseudo-random number pair and the third pseudo-random number pair are obtained by executing the R-OT protocol for one time, the second pseudo-random number pair and the fourth pseudo-random number pair are obtained by executing the R-OT protocol for another time, the first to eighth pseudo-random numbers satisfy relationships (b.sub.0, a.sub.1)=u.sub.0+u.sub.1, and (b.sub.1, a.sub.0)=v.sub.0+v.sub.1, if b=1, then (b, a)=a, if b=0, then (b, a)=0, b.sub.0 b.sub.1 and b belong to a modulus 2 space, and a u.sub.0, a.sub.0, v.sub.0, a.sub.1, u.sub.1 and v.sub.1 all belong to a modulus 2 to the power of N space.

10. The medium according to claim 9, wherein the processor is further caused to: determine a first value based on the first pseudo-random number and the third pseudo-random number; determine a second value based on the first pseudo-random number, the second pseudo-random number, the fourth pseudo-random number, and the first value; and generate the first element slice of the data tuple for secure computation using the first pseudo-random number, the first value, and the second value as elements.

11. The medium according to claim 10, wherein the processor is further caused to: determine the second value based on the first pseudo-random number, the second pseudo-random number, the fourth pseudo-random number, and the first value by using the following formula: $y_0=f\left(b_{0^{}}{\tilde{a}}_0\right)+u_0+v_0$ where y.sub.0 is the second value, and .sub.0 is the first value.

12. The medium according to claim 10, wherein the processor is further caused to: when the first pseudo-random number is 0, determine the third pseudo-random number as the first value; or when the first pseudo-random number is 1, determine an opposite of the third pseudo-random number as the first value.

13. The medium according to claim 9, wherein the processor is further caused to: generate a first intermediate result based on the first element slice, a first arithmetic slice of the first data held by the first participant, and a first Boolean slice of the second data held by the first participant; obtain a second intermediate result generated by the second participant, wherein the second intermediate result is generated based on the second element slice, a second arithmetic slice of the first data held by the second participant, and a second Boolean slice of the second data held by the second participant; and determine a sum of the first intermediate result and the second intermediate result as the product of the first data and the second data.

14. An electronic device, comprising: a memory having a computer-readable instructions stored thereon; and a processor, wherein when the computer-readable instructions are executed by the processor, the processor is caused to: separately obtain a first pseudo-random number pair and a second pseudo-random number pair by jointly executing a random oblivious transfer (R-OT) protocol with a second participant twice, wherein the second participant is the other one of the two participants; and generate a first element slice of a data tuple for secure computation based on the first pseudo-random number pair and the second pseudo-random number pair, wherein the data tuple comprises the first element slice and a second element slice, and the second element slice is generated by the second participant based on a third pseudo-random number pair and a fourth pseudo-random number pair, and the third pseudo-random number pair and the fourth pseudo-random number pair are separately obtained when the second participant executes the R-OT protocol twice.

15. The electronic device according to claim 14, wherein the secure computation is used for the two participants to collaboratively compute a product of first data and second data, the first data forms an arithmetic sharing form between the two participants, and the second data forms a Boolean sharing form between the two participants; and wherein the first pseudo-random number pair comprises a first pseudo-random number b.sub.0 and a second pseudo-random number u.sub.0, the second pseudo-random number pair comprises a third pseudo-random number a.sub.0 and a fourth pseudo-random number v.sub.0, the third pseudo-random number pair comprises a fifth pseudo-random number a.sub.1 and a sixth pseudo-random number u.sub.1, the fourth pseudo-random number pair comprises a seventh pseudo-random number b.sub.1 and an eighth pseudo-random number v.sub.1, wherein the first pseudo-random number pair and the third pseudo-random number pair are obtained by executing the R-OT protocol for one time, the second pseudo-random number pair and the fourth pseudo-random number pair are obtained by executing the R-OT protocol for another time, the first to eighth pseudo-random numbers satisfy relationships (b.sub.0, a.sub.1)=u.sub.0+u.sub.1, and (b.sub.1, a.sub.0)=v.sub.0+v.sub.1, if b=1, then (b, a)=a, if b=0, then (b, a)=0, b.sub.0 b.sub.1 and b belong to a modulus 2 space, and a u.sub.0, a.sub.0, v.sub.0, a.sub.1, u.sub.1 and v.sub.1 all belong to a modulus 2 to the power of N space.

16. The electronic device according to claim 15, wherein the processor is further caused to: determine a first value based on the first pseudo-random number and the third pseudo-random number; determine a second value based on the first pseudo-random number, the second pseudo-random number, the fourth pseudo-random number, and the first value; and generate the first element slice of the data tuple for secure computation using the first pseudo-random number, the first value, and the second value as elements.

17. The electronic device according to claim 16, wherein the processor is further caused to: determine the second value based on the first pseudo-random number, the second pseudo-random number, the fourth pseudo-random number, and the first value by using the following formula: $y_0=f\left(b_{0^{}}{\tilde{a}}_0\right)+u_0+v_0$ where y.sub.0 is the second value, and .sub.0 is the first value.

18. The electronic device according to claim 16, wherein the processor is further caused to: when the first pseudo-random number is 0, determine the third pseudo-random number as the first value; or when the first pseudo-random number is 1, determine an opposite of the third pseudo-random number as the first value.

19. The electronic device according to claim 15, wherein the processor is further caused to: generate a first intermediate result based on the first element slice, a first arithmetic slice of the first data held by the first participant, and a first Boolean slice of the second data held by the first participant.

20. The electronic device according to claim 19, wherein the processor is further caused to: obtain a second intermediate result generated by the second participant, wherein the second intermediate result is generated based on the second element slice, a second arithmetic slice of the first data held by the second participant, and a second Boolean slice of the second data held by the second participant; and determine a sum of the first intermediate result and the second intermediate result as the product of the first data and the second data.

Description

BRIEF DESCRIPTION OF DRAWINGS

[0012] The above and other features, advantages, and aspects of the embodiments of the present disclosure become more apparent with reference to the following embodiments in conjunction with the accompanying drawings. Throughout the drawings, the same or similar reference numerals denote the same or similar elements. It should be understood that the accompanying drawings are schematic and that parts and elements are not necessarily drawn to scale. In the drawings:

[0013] FIG. 1 is a flowchart of a method for generating a data tuple for secure computation according to an exemplary embodiment;

[0014] FIG. 2 is a block diagram of an apparatus for generating a data tuple for secure computation according to another exemplary embodiment; and

[0015] FIG. 3 is a schematic diagram of a structure of an electronic device according to another exemplary embodiment.

DETAILED DESCRIPTION

[0016] Before describing embodiments of the present disclosure, an exemplary application scenario of multi-party secure computation and terms related to the present disclosure are described as follows.

[0017] In actual applications, for the purpose of privacy protection, a multi-party secure computation algorithm is usually a black box algorithm, and data transmission behavior between computing nodes carrying the multi-party secure computation algorithm is opaque. As discussed in the Background section, a typical application of multi-party secure computation includes machine learning. In machine learning, multi-party secure computation technology may be used to protect private data in an inference stage and a training stage, which mainly involves protection of model parameters and protection of data of each participant in a training process.

[0018] At present, common privacy-protected machine learning solution strategies based on secure multi-party computation include: a privacy-protected machine learning protocol based on technologies such as garbled circuit and oblivious transfer, and a two-party secure multi-party computation protocol is executed to complete calculation of a non-linear operation such as an activation function. Secret sharing technology allows multiple parties to participate in training or prediction of a machine learning network model, and this process will not cause data or model information leakage.

[0019] In addition to the foregoing application fields, multi-party secure computation may also be applied to fields such as privacy-protected network security detection, privacy-protected federated statistical analysis of multi-party data, spam filtering of encrypted emails, and advertisement conversion.

[0020] Ring refers to a set, two operations of addition and multiplication are defined, and an additive commutative group is formed for addition, a semi-group is formed for multiplication of elements other than 0, and multiplication satisfies a distributive law for addition.

[0021] A ring formed by addition and multiplication is defined in /N={0, 1, . . . , N1}. The addition is defined as integer addition modulo (mod) N, and the multiplication is defined as integer multiplication mod N, where N is an integer greater than 1.

[0022] A random oblivious transfer (R-OT) protocol is participated by two participants, in which input messages of both of the two participants are null, that is, both of the two participants do not input any messages. After the two participants jointly execute the R-OT protocol, both of the two participants can obtain two pseudo-random numbers (that is, a pseudo-random number pair), where one participant can obtain two pseudo-random numbers i and c, and the other participant can obtain two pseudo-random numbers w.sub.0 w.sub.1, where c=w.sub.i, c, w.sub.0 and w.sub.1 all belong to a modulus 2.sup.Nspace, that is, c, w.sub.0 w.sub.1 /2.sup.n, and i belongs to a modulus 2 space, that is, i/2.

[0023] Secret sharing, also referred to as secret splitting, is based on a basic principle of splitting a secret (such as a key, private data, or the like) into a plurality of shares that are separately held by different data parties. Only when more than a threshold number of parties combine their shares, can the secret be restored; and shares obtained from less than the threshold number of parties cannot restore any information of the secret. In multi-party secure computation, the threshold number is usually the same as the number of participants, and the shares into which the secret is split may also be referred to as slices.

[0024] Secret sharing is an important means in a multi-party secure computation process. Several common forms of secret sharing in multi-party secure computation include, for example, arithmetic sharing, Boolean sharing, and Yao's sharing. Hereinafter, various sharing methods will be described by using sharing of secret data x as an example.

[0025] Arithmetic sharing is also referred to as sum sharing. In two-party secure computation, an integer x is distributed and stored in two parties in a sharing form of two slices x=x.sub.L+x.sub.R modulo 2.sup.N (translated to an interval [0, 2.sup.N1]), that is, X is stored in the two parties in a sharing form in a ring A, A=/2.sup.N (N>1), so that one party does not know x.sub.R, the other party does not know x.sub.L, and either of the two parties cannot obtain a complete form of x, where x.sub.R and x.sub.L are arithmetic slices (arithmetic shares) or A-Shares of x. Further, the two parties may be extended to multiple parties, for example, denoted as x=x.sub.1+x.sub.2+ . . . +x.sub.d. Assuming that N=64, a single slice of x held by a single participant can be represented by a 64-byte (bit) binary number. A method of splitting one piece of data x into a sum sharing form includes, for example, randomly generating (d1) numerical values within 2.sup.64 (for example, randomly generating a 64-byte binary number) as (d1) slices, for example, denoted as x.sub.1, x.sub.2, . . . , x.sub.d-1, and performing modulo operation on 2.sup.64 (translated to an interval [0, 2.sup.641]) to obtain another slice, for example, denoted as x.sub.d=xx.sub.1x.sub.2 . . . x.sub.d-1.

[0026] Boolean sharing is a secret sharing method for performing exclusive OR (XOR) operation on a bit. For example, still using two participants as an example, assuming that x is one bit of data (with a value of 0 or 1), and x.sub.0x.sub.1 forms a Boolean sharing form between the two participants, x.sub.0 and x.sub.1 are respectively two Boolean slices (Boolean shares) or B-Shares of x held by the two participants, and both take values of 0 or 1, that is, x is stored in the two parties in a sharing form in a ring B, B=/2, where represents an XOR operation. A single participant does not know the slice held by the other participant, and therefore cannot infer the data x.

[0027] Yao's sharing is a sharing method related to a garbled circuit. The present disclosure does not involve this sharing method, which is not elaborated herein.

[0028] In two-party secure computation, the A-Shares form is more suitable for arithmetic operations, for example, addition and multiplication operations. The B-Shares form is more suitable for logical operations, for example, AND and OR. However, sometimes, mixed operations are performed on A-Shares and B-Shares.

[0029] For example, when an expression if (x>y) then k else 0 is computed, h=(x>y) is first computed, and a result obtained is a B-Shares, and then h*k is computed.

[0030] However, when h*k is computed, h is B-Shares and k is A-Shares, and multiplication cannot be directly performed between them.

[0031] For another example, when an operation select k.key, max (h.value) from k join h group by k.key is performed, one-hot encoding is performed on k.key, that is, each row of k.key is converted into an m-dimensional vector (m is the number of value classes that k.key may take), only one dimension of m dimensions of the vector is 1, and the remaining dimensions are 0, and then each dimension of the one-hot encoding is multiplied by h.value. The multiplication operation herein is also multiplication between B-Shares and A-Shares.

[0032] To multiply B-Shares by A-Shares, a commonly used way is to use Boolean-to-arithmetic sharing (B2A) conversion to convert B-Shares into A-Shares, and then multiply the A-Shares.

[0033] However, the B2A conversion usually has huge communication and computation overheads, as shown in the following Table 1:

TABLE-US-00001 TABLE 1 Overheads of multiplying B-Shares by A-Shares Online communication Offline Online round Total1 B2A N log N 4N log N log N 5N log N Multiplication N 4N 1 5N Total2 N(log N +1) 4N(log N + 1) log N + 1 5N(log N + 1)

[0034] Because the B2A conversion usually has huge communication and computation overheads, the inventors propose a computation security protocol that can directly multiply B-Shares by A-Shares, to eliminate the communication and computation overheads of the B2A conversion. The secure computation protocol requires that a data tuple be generated in advance for use in a secure computation process.

[0035] In view of this, the present disclosure provides a method, apparatus, a medium, and a device for generating a data tuple for secure computation.

[0036] Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. Although some embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be implemented in various forms and should not be construed as being limited to the embodiments set forth herein. Rather, these embodiments are provided for a more thorough and complete understanding of the present disclosure. It should be understood that the accompanying drawings and the embodiments of the present disclosure are only for illustrative purposes, and are not intended to limit the scope of protection of the present disclosure.

[0037] It should be understood that the various steps described in the method implementations of the present disclosure may be performed in different orders, and/or performed in parallel. In addition, additional steps may be included and/or the execution of the illustrated steps may be omitted in the method implementations. The scope of the present disclosure is not limited in this respect.

[0038] The term include/comprise used herein and variations thereof are an open-ended inclusion, that is, include/comprise but not limited to. The term based on means at least partially based on. The term an embodiment means at least one embodiment; the term another embodiment means at least one another embodiment; and the term some embodiments means at least some embodiments. Related definitions of other terms will be given in the description below.

[0039] It should be noted that concepts such as first and second mentioned in the present disclosure are only used to distinguish different apparatuses, modules, or units, and are not used to limit the sequence of functions performed by these apparatuses, modules, or units or interdependence.

[0040] It should be noted that the modifiers one and a plurality of mentioned in the present disclosure are illustrative and not restrictive, and those skilled in the art should understand that unless the context clearly indicates otherwise, the modifiers should be understood as one or more.

[0041] The names of messages or information exchanged between a plurality of apparatuses in the implementations of the present disclosure are used for illustrative purposes only, and are not used to limit the scope of these messages or information.

[0042] It may be understood that before using the technical solutions disclosed in the embodiments of the present disclosure, users should be informed of the types, scope of use, scenarios, and the like of personal information involved in the present disclosure in an appropriate manner in accordance with relevant laws and regulations, and the users' authorization should be obtained.

[0043] For example, when a user's active request is received, prompt information is sent to the user to explicitly prompt the user that an operation requested by the user requires the user's personal information to be obtained and used. In this way, the user can independently choose whether to provide personal information to the software or hardware, such as an electronic device, an application, a server, or a storage medium, that executes the operation of the technical solution of the present disclosure according to the prompt information.

[0044] As an optional but non-restrictive implementation, for example, in response to receiving the user's active request, the prompt information may be sent to the user in the form of a pop-up window. The prompt information may be presented in the pop-up window in the form of text. In addition, the pop-up window may further carry a selection control for the user to select Agree or Disagree to provide personal information to the electronic device.

[0045] It may be understood that the foregoing process of notifying the user and obtaining the user's authorization is only illustrative and does not limit the implementation of the present disclosure. Other methods that meet relevant laws and regulations may also be applied to the implementation of the present disclosure.

[0046] In addition, it may be understood that the data involved in the technical solution of the present disclosure (including but not limited to the data itself, the obtaining or use of the data) should comply with the requirements of the corresponding laws, regulations, and relevant provisions.

[0047] FIG. 1 is a flowchart of a method for generating a data tuple for secure computation according to an exemplary embodiment. As shown in FIG. 1, the above data tuple generation method may include the following S101 and S102.

[0048] In S101, a first pseudo-random number pair and a second pseudo-random number pair are separately obtained by jointly executing a random oblivious transfer (R-OT) protocol with a second participant twice.

[0049] In the present disclosure, the above method is applied to a first participant, the first participant is one of two participants of the secure computation, and the second participant is the other one of the two participants, that is, the above data tuple generation method may be applied to any one of the two participants.

[0050] For example, the two participants include a participant A and a participant B. The first participant is the participant A, and the second participant is the participant B. Alternatively, the first participant is the participant B, and the second participant is the participant A.

[0051] In S102, a first element slice of a data tuple for secure computation is generated based on the first pseudo-random number pair and the second pseudo-random number pair.

[0052] In the present disclosure, the data tuple for secure computation comprises the first element slice and a second element slice, where the first element slice is generated by the first participant based on the first pseudo-random number pair and the second pseudo-random number pair, and the second element slice is generated by the second participant based on a third pseudo-random number pair and a fourth pseudo-random number pair, and the third pseudo-random number pair and the fourth pseudo-random number pair are separately obtained when the second participant executes the R-OT protocol for two times.

[0053] In the above technical solution, the two participants of the secure computation separately obtain two pseudo-random number pairs by jointly executing a random oblivious transfer (R-OT) protocol twice; and then, the two parties can separately generate element slices of a data tuple for secure computation based on the two pseudo-random number pairs obtained by the two parties, so that the data tuple for secure computation can be obtained. In this way, the two participants can generate the data tuple for secure computation by jointly executing the R-OT protocol for two times, which is convenient and efficient, and improves business processing efficiency of secure computation. In addition, the two participants can generate the data tuple for secure computation through interaction, without the need of a third party, which simplifies the data interaction process, makes generation of the data tuple autonomous and controllable, reduces the risk of data tuple leakage, and can achieve the effect of saving resources.

[0054] In an implementation, the secure computation may be used for the two participants to collaboratively compute a product of first data and second data, the first data forms an arithmetic sharing form between the two participants, and the second data forms a Boolean sharing form between the two participants. The first pseudo-random number pair comprises a first pseudo-random number b.sub.0 and a second pseudo-random number u.sub.0, the second pseudo-random number pair comprises a third pseudo-random number a.sub.0 and a fourth pseudo-random number v.sub.0, the third pseudo-random number pair comprises a fifth pseudo-random number a.sub.1 and a sixth pseudo-random number u.sub.1, and the fourth pseudo-random number pair comprises a seventh pseudo-random number b.sub.1 and an eighth pseudo-random number v.sub.1.

[0055] In the present disclosure, the secure computation is used for the two participants to collaboratively compute a product of first data and second data, the first data forms an arithmetic sharing form between the two participants, and the second data forms a Boolean sharing form between the two participants. It may be understood that the first data and the second data in the present disclosure may be any data that is not convenient to disclose, and may include, but are not limited to, data representing user personal information, trade secrets, model parameters of a neural network model, and the like. The multi-party secure computation method provided in the embodiments of the present disclosure can be applied to ciphertext multiplication in a task such as data computation, cleaning, analysis, model training, storage, and database query based on a ciphertext.

[0056] The first participant holds a first arithmetic slice k.sub.0 of first data k and a first Boolean slice h.sub.0 of second data h, and the second participant holds a second arithmetic slice k.sub.1 of the first data k and a second Boolean slice h.sub.1 of the second data h; k/2.sup.N, h/2, and N>1.

[0057] In addition, the first pseudo-random number pair and the third pseudo-random number pair are obtained by executing the R-OT protocol for one time, and the second pseudo-random number pair and the fourth pseudo-random number pair are obtained by executing the R-OT protocol for another time.

[0058] In an implementation, when the first participant and the second participant jointly execute an R-OT for the first time, the first participant obtains the first pseudo-random number pair, that is, a first pseudo-random number b.sub.0 and a second pseudo-random number u.sub.0, and the second participant obtains the third pseudo-random number pair, that is, a fifth pseudo-random number a.sub.1 and a sixth pseudo-random number u.sub.1, where the above four pseudo-random numbers obtained by the two parties satisfy a relationship (b.sub.0, a.sub.1)=u.sub.0+u.sub.1. When the first participant and the second participant jointly execute an R-OT for the second time, the first participant obtains the second pseudo-random number pair, that is, a third pseudo-random number a.sub.0 and a fourth pseudo-random number v.sub.0, and the second participant obtains the fourth pseudo-random number pair, that is, a seventh pseudo-random number b.sub.1 and an eighth pseudo-random number v.sub.1, where the above four pseudo-random numbers obtained by the two parties satisfy a relationship (b.sub.1, a.sub.0)=v.sub.0+v.sub.1.

[0059] A function (b, a) is used to represent an expression if (b) then a else 0. That is, if b=1, then (b, a)=a, and if b=0, then (b, a)=0, that is, (b, a)=a if b=1 else 0.

[0060] In the above example, b.sub.0 b.sub.1 and b belong to a modulus 2 space, and a u.sub.0, a.sub.0, v.sub.0, a.sub.1, u.sub.1, and v.sub.1 all belong to a modulus 2.sup.N space, that is, a u.sub.0, a.sub.0, v.sub.0, a.sub.1, u.sub.1, and v.sub.1 are in a range of [0, 2.sup.N1], that is, b.sub.0 b.sub.1/2, a u.sub.0, a.sub.0, v.sub.0, a.sub.1, and u.sub.1 v.sub.1/2.sup.N, that is, a value of b.sub.0 b.sub.1 is 0 or 1.

[0061] In another implementation, when the first participant and the second participant jointly execute an R-OT for the first time, the first participant obtains the second pseudo-random number pair, that is, the third pseudo-random number a.sub.0 and the fourth pseudo-random number v.sub.0, and the second participant obtains the fourth pseudo-random number pair, that is, the seventh pseudo-random number b.sub.1 and the eighth pseudo-random number v.sub.1, where the four pseudo-random numbers obtained by the two parties satisfy a relationship (b.sub.1, a.sub.0)=v.sub.0+v.sub.1. When the first participant and the second participant jointly execute an R-OT for the second time, the first participant obtains the first pseudo-random number pair, that is, the first pseudo-random number b.sub.0 and the second pseudo-random number u.sub.0, and the second participant obtains the third pseudo-random number pair, that is, the fifth pseudo-random number a.sub.1 and the sixth pseudo-random number u.sub.1, where the four pseudo-random numbers obtained by the two parties satisfy a relationship (b.sub.0, a.sub.1)=u.sub.0+u.sub.1.

[0062] An exemplary implementation of generating a first element slice of a data tuple for secure computation based on the first pseudo-random number pair and the second pseudo-random number pair in S102 is described in detail below. The following steps (s1) to (s3) may be used to implement the S102.

[0063] Step (s1): Determine a first value based on the first pseudo-random number and the third pseudo-random number.

[0064] If the first pseudo-random number is 0, the third pseudo-random number is determined as the first value; or if the first pseudo-random number is 1, an opposite of the third pseudo-random number is determined as the first value.

[0065] For example, the first value may be determined based on the first pseudo-random number and the third pseudo-random number by using the following equation (1):

[00001]$\begin{array}{cc}{\tilde{a}}_0={\left(-1\right)}^{b_0}{a}_0& \left(1\right)\end{array}$ [0066] where .sub.0 is the first value.

[0067] Step (s2): Determine a second value based on the first pseudo-random number, the second pseudo-random number, the fourth pseudo-random number, and the first value.

[0068] For example, the second value may be determined based on the first pseudo-random number, the second pseudo-random number, the fourth pseudo-random number, and the first value by using the following equation (2):

[00002]$\begin{array}{cc}{y}_0=f\left(b_0,{\tilde{a}}_0\right)+u_0+v_0& \left(2\right)\end{array}$ [0069] where y.sub.0 is the second value.

[0070] Step (s3): Generate the first element slice of the data tuple for secure computation using the first pseudo-random number, the first value, and the second value as elements.

[0071] After obtaining the first value and the second value, the first participant may generate the first element slice of the data tuple for secure computation using the first pseudo-random number, the first value, and the second value as elements, that is, the first element slice is (b.sub.0, .sub.0, y.sub.0).

[0072] Meanwhile, the second participant may generate the second element slice of the data tuple for secure computation based on the third pseudo-random number pair and the fourth pseudo-random number pair. The following steps (t1) to (t3) may be used to implement this generation:

[0073] Step (t1): Determine a third value based on the fifth pseudo-random number and the seventh pseudo-random number.

[0074] For example, the third value may be determined based on the fifth pseudo-random number and the seventh pseudo-random number by using the following equation (3):

[00003]$\begin{array}{cc}{\tilde{a}}_1={\left(-1\right)}^{b_1}{a}_1& \left(3\right)\end{array}$ [0075] where .sub.1 is the third value.

[0076] Step (t2): Determine a fourth value based on the sixth pseudo-random number, the seventh pseudo-random number, the eighth pseudo-random number, and the third value.

[0077] For example, the fourth value may be determined based on the sixth pseudo-random number, the seventh pseudo-random number, the eighth pseudo-random number, and the third value by using the following equation (4):

[00004]$\begin{array}{cc}{y}_1=f\left(b_1,{\tilde{a}}_1\right)+u_1+v_1& \left(4\right)\end{array}$ [0078] where y.sub.1 is the fourth value.

[0079] Step (t3): Generate the second element slice of the data tuple for secure computation using the seventh pseudo-random number, the third value, and the fourth value as elements.

[0080] After obtaining the third value and the fourth value, the second participant may generate the second element slice of the data tuple for secure computation using the seventh pseudo-random number, the third value, and the fourth value as elements, that is, the second element slice is (b.sub.1, .sub.1, y.sub.1).

[0081] The first element slice is (b.sub.0, .sub.0, y.sub.0), and the second element slice is (b.sub.1, .sub.1, y.sub.1), which constitute the data tuple for secure computation, where the data tuple is a Boolean-Arithmetic-Arithmetic triple (that is, BA2A triple), and elements in the data tuple satisfy a relationship (b.sub.0b.sub.1, .sub.0+.sub.1)=y.sub.0+y.sub.1.

[0082] After the first participant and the second participant jointly execute R-OT for one time, the first participant obtains a first pseudo-random number b.sub.0 and a second pseudo-random number u.sub.0, and the second participant obtains a fifth pseudo-random number a.sub.1 and a sixth pseudo-random number u.sub.1, and the above four pseudo-random numbers constitute a semi-Boolean-Arithmetic-Arithmetic triple (that is, Half BA2A triple), where elements in the Half BA2A triple satisfy a relationship (b.sub.0, a.sub.1)=u.sub.0+u.sub.1.

[0083] Similarly, after the first participant and the second participant jointly execute R-OT for another time, the first participant obtains a third pseudo-random number a.sub.0 and a fourth pseudo-random number v.sub.0, and the second participant obtains a seventh pseudo-random number b.sub.1 and an eighth pseudo-random number v.sub.1, and the above four pseudo-random numbers constitute another semi-Boolean-Arithmetic-Arithmetic triple (that is, Half BA2A triple), where elements in the Half BA2A triple satisfy a relationship (b.sub.0, a.sub.1)=u.sub.0+u.sub.1.

[0084] In this way, the two participants can obtain two element slices, that is, two Half BA2A triples, by jointly executing the R-OT protocol for two times, and then the data tuple for secure computation, that is, the BA2A triple, can be obtained based on the two Half BA2A triples.

[0085] Correctness of the foregoing protocol (that is, (b.sub.0b.sub.1, .sub.0+.sub.1)=y.sub.0+y.sub.1) is ensured by the following equation:

[00005]$f\left(b_0{b_{1^{}}\left(-1\right)}^{b_0}{a}_0+{\left(-1\right)}^{b_1}{a}_1\right)=f\left(b_0{b_{1^{}}\left(-1\right)}^{b_0}{a}_0\right)+f\left(b_0{b_{1^{}}\left(-1\right)}^{b_1}{a}_1\right)=f\left({b_{0^{}}\left(-1\right)}^{b_0}{a}_0\right)+{\left(-1\right)}^{b_0}f\left({b_{1^{}}\left(-1\right)}^{b_0}{a}_0\right)+f\left({b_{1^{}}\left(-1\right)}^{b_1}{a}_1\right)+{\left(-1\right)}^{b_1}f\left({b_{0^{}}\left(-1\right)}^{b_1}{a}_1\right)=f\left({b_{0^{}}\left(-1\right)}^{b_0}{a}_0\right)+f\left(b_{1^{}}{a}_0\right)+f\left({b_{1^{}}\left(-1\right)}^{b_1}{a}_1\right)+f\left(b_{0^{}}{a}_1\right)$ [0086] where (b.sub.0b.sub.1, (1).sup.b.sup.0a.sub.0+(1).sup.b.sup.1a.sub.1)=(b.sub.0b.sub.1, .sub.0+.sub.1), (b.sub.0, (1).sup.b.sup.0a.sub.0)+(b.sub.1, a.sub.0)+(b.sub.1, (1).sup.b.sup.1a.sub.1)+(b.sub.0, a.sub.1)=y.sub.0+y.sub.1, and therefore, (b.sub.0b.sub.1, .sub.0+.sub.1)=y.sub.0+y.sub.1.

[0087] In addition, the above method may further include the following steps: generating a first intermediate result based on the first element slice, a first arithmetic slice of the first data held by the first participant, and a first Boolean slice of the second data held by the first participant.

[0088] The following steps (d1) to (d4) may be used to implement the above step:

[0089] Step (d1): Generate first masked data based on the first element slice, the first arithmetic slice of the first data held by the first participant, and the first Boolean slice of the second data held by the first participant, and generate second masked data based on the first element slice and the first Boolean slice.

[0090] Step (d2): Send the first masked data and the second masked data to the second participant.

[0091] Step (d3): Receive third masked data and fourth masked data sent by the second participant.

[0092] In the present disclosure, the third masked data is generated based on the second element slice, a second arithmetic slice of the first data held by the second participant, and a second Boolean slice of the second data held by the second participant, and the fourth masked data is generated based on the second element slice and the second Boolean slice.

[0093] The second participant generates the third masked data based on the second element slice, the second arithmetic slice of the first data held by the second participant, and the second Boolean slice of the second data held by the second participant, and generates the fourth masked data based on the second element slice and the second Boolean slice. Then, the third masked data and the fourth masked data are sent to the first participant. The first participant receives the third masked data and the fourth masked data.

[0094] Step (d4): Generate the first intermediate result based on the first Boolean slice, the second masked data, the third masked data, the fourth masked data, and the first element slice.

[0095] Meanwhile, the second participant generates a second intermediate result based on the second Boolean slice, the first masked data, the second masked data, the fourth masked data, and the second element slice. Then, the two participants can share the intermediate results generated by the two participants in a sharing manner, and summarize and merge the intermediate results generated by the two participants to obtain a final computation result (that is, a product of the first data and the second data).

[0096] The first participant masks the data slice held by the first participant and then shares the masked data slice with the second participant. In this way, direct multiplication between the first data and the second data can be implemented by the two participants only through one round of masked data exchange. The first masked data and the third masked data are both N bits, the second masked data and the fourth masked data are both 1 bit, and an online communication volume is (2N+2) bits.

[0097] It should be noted that Step (d3) may be performed before Step (d2), may be performed after Step (d2), or may be performed concurrently with Step (d2). This is not specifically limited in the present disclosure.

[0098] In the above technical solution, when a product of first data that forms an arithmetic sharing form between the two participants and second data that forms a Boolean sharing form between the two participants is computed, direct multiplication between the first data and the second data can be implemented by the two participants only through one round of masked data exchange, without converting the Boolean sharing form into arithmetic sharing form. In this way, communication volume of conversion between the Boolean sharing form and the arithmetic sharing form by the two participants is eliminated, which greatly reduces data communication volume of computing a product of the Boolean sharing and the arithmetic sharing, thereby improving business processing efficiency of secure computation.

[0099] An exemplary implementation of generating first masked data based on the first element slice, the first arithmetic slice of the first data held by the first participant, and the first Boolean slice of the second data held by the first participant in step (d1) is described in detail below. The following steps (11) and (12) may be used to implement this generation:

[0100] Step (11): Mask the first arithmetic slice using the first value, to obtain fifth masked data.

[0101] For example, the first arithmetic slice may be masked using the first value by using the following equation (5) to obtain the fifth masked data:

[00006]$\begin{array}{cc}{a}_0=k_0-{\tilde{a}}_0& \left(5\right)\end{array}$ [0102] where a.sub.0 is the fifth masked data.

[0103] Step (12): Generate the first masked data based on the fifth masked data and the first Boolean slice.

[0104] For example, the first masked data may be generated based on the fifth masked data and the first Boolean slice by using the following equation (6):

[00007]$\begin{array}{cc}C1={\left(-1\right)}^{h_0}*a_0& \left(6\right)\end{array}$ [0105] where C1 is the first masked data.

[0106] An exemplary implementation of generating second masked data based on the first element slice and the first Boolean slice in step (d1) is described in detail below. The first Boolean slice is masked using the first pseudo-random number, to obtain the second masked data.

[0107] For example, the first Boolean slice may be masked using the first pseudo-random number by using the following equation (7) to obtain the second masked data:

[00008]$\begin{array}{cc}{h}_0=h_0{b}_0& \left(7\right)\end{array}$ [0108] where h.sub.0 is the second masked data.

[0109] An exemplary implementation of generating third masked data based on the second element slice, the second arithmetic slice of the first data held by the second participant, and the second Boolean slice of the second data held by the second participant by the second participant is described in detail below. The following steps (21) and (22) may be used to implement this generation:

[0110] Step (21): Mask the second arithmetic slice using the third value, to obtain sixth masked data.

[0111] For example, the second arithmetic slice may be masked using the third value by using the following equation (8) to obtain the sixth masked data:

[00009]$\begin{array}{cc}{a}_1=k_1-{\tilde{a}}_1& \left(8\right)\end{array}$ [0112] where a.sub.1 is the sixth masked data.

[0113] Step (22): Generate the third masked data based on the sixth masked data and the second Boolean slice.

[0114] For example, the third masked data may be generated based on the sixth masked data and the second Boolean slice by using the following equation (9):

[00010]$\begin{array}{cc}C2={\left(-1\right)}^{h_1}*a_1& \left(9\right)\end{array}$ [0115] where C2 is the third masked data.

[0116] An exemplary implementation of generating fourth masked data based on the second element slice and the second Boolean slice is described in detail below. The second Boolean slice may be masked using the seventh pseudo-random number, to obtain the fourth masked data.

[0117] For example, the second Boolean slice may be masked using the seventh pseudo-random number by using the following equation (10) to obtain the fourth masked data:

[00011]$\begin{array}{cc}{h}_1=h_1{b}_1& \left(10\right)\end{array}$ [0118] where h.sub.1 is the fourth masked data.

[0119] An exemplary implementation of generating the first intermediate result based on the first Boolean slice, the second masked data, the third masked data, the fourth masked data, and the first element slice in step (d4) is described in detail below. The first intermediate result may be generated based on the first value, the third value, the first Boolean slice, the second masked data, the third masked data, the fourth masked data, and the fifth masked data.

[0120] For example, the first intermediate result is generated based on the first value, the third value, the first Boolean slice, the second masked data, the third masked data, the fourth masked data, and the fifth masked data by using the following equation (11):

[00012]$\begin{array}{cc}{r}_0=f\left(h_{0^{}}{a}_0+{\left(-1\right)}^{h_1}{a}_1\right)+f\left(h{\tilde{a}}_0\right)+{\left(-1\right)}^h{y}_0& \left(11\right)\end{array}$ [0121] where r.sub.0 is the first intermediate result; and h=h.sub.0h.sub.1.

[0122] An exemplary implementation of generating the second intermediate result based on the second Boolean slice, the first masked data, the second masked data, the fourth masked data, and the second element slice by the second participant is described in detail below. The second participant may generate the second intermediate result based on the third value, the fourth value, the second Boolean slice, the first masked data, the second masked data, the fourth masked data, and the sixth masked data.

[0123] For example, the second participant may generate the second intermediate result based on the third value, the fourth value, the second Boolean slice, the first masked data, the second masked data, the fourth masked data, and the sixth masked data by using the following equation (12):

[00013]$\begin{array}{cc}{r}_1=f\left(h_{1^{}}{a}_1+{\left(-1\right)}^{h_0}{a}_0\right)+f\left(h{\tilde{a}}_1\right)+{\left(-1\right)}^h{y}_1& \left(12\right)\end{array}$ [0124] where r.sub.1 is the second intermediate result.

[0125] After the two parameter parties obtain the first intermediate result and the second intermediate result, the two intermediate results can be added to obtain a final computation result (that is, a product of the first data and the second data). The above method may further include the following two steps: obtaining the second intermediate result generated by the second participant, where the second intermediate result is generated based on the second element slice, the second arithmetic slice of the first data held by the second participant, and the second Boolean slice of the second data held by the second participant; and determine a sum of the first intermediate result and the second intermediate result as the product of the first data and the second data.

[0126] The foregoing steps may be performed not only by the first participant but also by other electronic devices besides the two participants mentioned above. In this case, the other electronic devices separately obtain the first intermediate result and the second intermediate result from the two participants, and then determines a sum of the two intermediate results as the product of the first data and the second data.

[0127] Correctness of the foregoing protocol (that is, the first intermediate result+the second intermediate result=the first data*the second data) is ensured by the following equation:

[00014]$f\left(hk\right)=f\left(hk-\tilde{a}\right)+f\left(h\tilde{a}\right)=f\left(h_0{h}_{1^{}}{a}_0\right)+f\left(h_0{h}_{1^{}}{a}_1\right)+f\left(h\tilde{b}\tilde{b}\tilde{a}\right)=f\left(h_{0^{}}{a}_0\right)+f\left({h_{1^{}}\left(-1\right)}^{h_0}{a}_0\right)+f\left(h_{1^{}}{a}_1\right)+f\left({h_{0^{}}\left(-1\right)}^{h_1}{a}_1\right)+f\left(h\tilde{a}\right)+{\left(-1\right)}^{h}f\left(\tilde{b}\tilde{a}\right)=f\left(h_{0^{}}{a}_0\right)+f\left({h_{0^{}}\left(-1\right)}^{h_1}{a}_1\right)+f\left(h{\tilde{a}}_0\right)+{\left(-1\right)}^h{y}_0+f\left(h_{1^{}}{a}_1\right)+f\left({h_{1^{}}\left(-1\right)}^{h_0}{a}_0\right)+f\left(h{\tilde{a}}_1\right)+{\left(-1\right)}^h{y}_1=f\left(h_{0^{}}{a}_0+{\left(-1\right)}^{h_1}{a}_1\right)+f\left(h{\tilde{a}}_0\right)+{\left(-1\right)}^h{y}_0+f\left(h_{1^{}}{a}_1+{\left(-1\right)}^{h_0}{a}_0\right)+f\left(h{\tilde{a}}_1\right)+{\left(-1\right)}^h{y}_1$ [0128] where =.sub.0+.sub.1, and {tilde over (b)}=b.sub.0b.sub.1.

[0129] In an implementation, the first data may be a query field in a structured query language (SQL) statement, and the second data may be a query condition in the SQL statement.

[0130] For example, when the following SQL statement is run, the above data processing method may be performed: [0131] select sum (a) from table1 where b; [0132] In another implementation, in the field of machine learning, to compute RELU(a), b=DRELU(a)=(a>0) may be first computed, and then f(b, a) is computed.

[0133] FIG. 2 is a block diagram of an apparatus for generating a data tuple for secure computation according to another exemplary embodiment. The apparatus 200 is applied to a first participant, the first participant is one of two participants of the secure computation, and the apparatus 200 includes: a protocol execution module 201 and an element slice generation module 202.

[0134] The protocol execution module 201 is configured to separately obtain a first pseudo-random number pair and a second pseudo-random number pair by jointly executing a random oblivious transfer (R-OT) protocol with a second participant twice, where the second participant is the other one of the two participants.

[0135] The element slice generation module 202 is configured to generate a first element slice of a data tuple for secure computation based on the first pseudo-random number pair and the second pseudo-random number pair, where the data tuple comprises the first element slice and a second element slice, the second element slice is generated by the second participant based on a third pseudo-random number pair and a fourth pseudo-random number pair, and the third pseudo-random number pair and the fourth pseudo-random number pair are separately obtained when the second participant executes the R-OT protocol for two times.

[0136] In the above technical solution, the two participants of the secure computation separately obtain two pseudo-random number pairs by jointly executing a random oblivious transfer (R-OT) protocol twice; and then, the two parties can separately generate element slices of a data tuple for secure computation based on the two pseudo-random number pairs obtained by the two parties, so that the data tuple for secure computation can be obtained. In this way, the two participants can generate the data tuple for secure computation by jointly executing the R-OT protocol for two times, which is convenient and efficient, and improves business processing efficiency of secure computation. In addition, the two participants can generate the data tuple for secure computation through interaction, without the need of a third party, which simplifies the data interaction process, makes generation of the data tuple autonomous and controllable, reduces the risk of data tuple leakage, and can achieve the effect of saving resources.

[0137] Optionally, the secure computation is used for the two participants to collaboratively compute a product of first data and second data, the first data forms an arithmetic sharing form between the two participants, and the second data forms a Boolean sharing form between the two participants.

[0138] The first pseudo-random number pair comprises a first pseudo-random number b.sub.0 and a second pseudo-random number u.sub.0, the second pseudo-random number pair comprises a third pseudo-random number a.sub.0 and a fourth pseudo-random number v.sub.0, a third pseudo-random number pair comprises a fifth pseudo-random number a.sub.1 and a sixth pseudo-random number u.sub.1, the fourth pseudo-random number pair comprises a seventh pseudo-random number b.sub.1 and an eighth pseudo-random number v.sub.1, the first pseudo-random number pair and the third pseudo-random number pair are obtained by executing the R-OT protocol for one time, the second pseudo-random number pair and the fourth pseudo-random number pair are obtained by executing the R-OT protocol for another time, (b.sub.0, a.sub.1)=u.sub.0+u.sub.1, (b.sub.1, a.sub.0)=v.sub.0+v.sub.1, if b=1, then (b, a)=a, if b=0, then (b, a)=0, b.sub.0 b.sub.1 and b belong to a modulus 2 space, and a, u.sub.0, a.sub.0, v.sub.0, a.sub.1, u.sub.1, and v.sub.1 all belong to a modulus 2 to the power of N space.

[0139] Optionally, the element slice generation module 202 includes: a first determination submodule, a second determination submodule and a generation submodule.

[0140] The first determination submodule is configured to determine a first value based on the first pseudo-random number and the third pseudo-random number.

[0141] The second determination submodule is configured to determine a second value based on the first pseudo-random number, the second pseudo-random number, the fourth pseudo-random number, and the first value.

[0142] The generation submodule is configured to generate the first element slice of the data tuple for secure computation using the first pseudo-random number, the first value, and the second value as elements.

[0143] Optionally, the second determination submodule is configured to determine the second value based on the first pseudo-random number, the second pseudo-random number, the fourth pseudo-random number, and the first value by using the following formula:

[00015]$y_0=f\left(b_{0^{}}{\tilde{a}}_0\right)+u_0+v_0$ [0144] where y.sub.0 is the second value; and .sub.0 is the first value.

[0145] Optionally, the first determination submodule is configured to: if the first pseudo-random number is 0, determine the third pseudo-random number as the first value; or if the first pseudo-random number is 1, determine an opposite of the third pseudo-random number as the first value.

[0146] Optionally, the apparatus 200 further includes an intermediate result generation module, configured to generate a first intermediate result based on the first element slice, a first arithmetic slice of the first data held by the first participant, and a first Boolean slice of the second data held by the first participant.

[0147] Optionally, the apparatus 200 further includes an obtaining module and a determination module.

[0148] The obtaining module is configured to obtain a second intermediate result generated by the second participant, where the second intermediate result is generated based on the second element slice, a second arithmetic slice of the first data held by the second participant, and a second Boolean slice of the second data held by the second participant.

[0149] The determination module is configured to determine a sum of the first intermediate result and the second intermediate result as the product of the first data and the second data.

[0150] The present disclosure further provides a computer-readable medium having stored thereon a computer program that, when executed by a processing unit or a processor, causes the steps of the method for generating a data tuple for secure computation provided in the present disclosure to be implemented.

[0151] Reference is made to FIG. 3 below, which is a schematic structural diagram of an electronic device (for example, a terminal device or a server) 600 applicable for implementing an embodiment of the present disclosure. The terminal device in this embodiment of the present disclosure may include, but is not limited to, mobile terminals such as a mobile phone, a notebook computer, a digital broadcast receiver, a personal digital assistant (PDA), a tablet computer (PAD), a portable multimedia player (PMP), and a vehicle-mounted terminal (such as a vehicle navigation terminal), and fixed terminals such as a digital TV and a desktop computer. The electronic device shown in FIG. 3 is merely an example, and should not impose any limitation on the function and scope of use of the embodiments of the present disclosure.

[0152] As shown in FIG. 3, the electronic device 600 may include a processing unit (for example, a central processing unit, a graphics processing unit, etc.) 601 that may perform a variety of appropriate actions and processing in accordance with a program stored in a read-only memory (ROM) 602 or a program loaded from a storage unit 608 into a random-access memory (RAM) 603. The RAM 603 further stores various programs and data required for the operation of the electronic device 600. The processing unit 601, the ROM 602, and the RAM 603 are connected to each other through a bus 604. An input/output (I/O) interface 605 is also connected to the bus 604.

[0153] Generally, the following units may be connected to the I/O interface 605: an input unit 606, an output unit 607, a storage unit 608 and a communication unit 609. The input unit 606 includes, for example, a touch screen, a touchpad, a keyboard, a mouse, a camera, a microphone, an accelerometer, and a gyroscope. The output unit 607 includes, for example, a liquid crystal display (LCD), a speaker, and a vibrator. The storage unit 608 includes, for example, a tape and a hard disk. The communication unit 609 may allow the electronic device 600 to perform wireless or wired communication with other devices to exchange data. Although FIG. 3 shows the electronic device 600 having various units, it should be understood that it is not required to implement or have all of the units as shown. It may be an alternative to implement or have more or fewer units.

[0154] In particular, according to an embodiment of the present disclosure, the process described above with reference to the flowcharts may be implemented as a computer software program. For example, this embodiment of the present disclosure includes a computer program product, which includes a computer program carried on a non-transitory computer-readable medium, where the computer program includes program code for performing the method shown in the flowchart. In such an embodiment, the computer program may be downloaded from a network through the communication unit 609 and installed, installed from the storage unit 608, or installed from the ROM 602. When the computer program is executed by the processing unit 601, the above-mentioned functions defined in the method of the embodiment of the present disclosure are performed.

[0155] It should be noted that the above computer-readable medium described in the present disclosure may be a computer-readable signal medium, a computer-readable storage medium, or any combination thereof. The computer-readable storage medium may be, for example but not limited to, electric, magnetic, optical, electromagnetic, infrared, or semiconductor systems, apparatuses, or devices, or any combination thereof. Another example of the computer-readable storage medium may include, but is not limited to: an electrical connection having one or more wires, a portable computer magnetic disk, a hard disk, a random-access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination thereof. In the present disclosure, the computer-readable storage medium may be any tangible medium containing or storing a program which may be used by or in combination with an instruction execution system, apparatus, or device. In the present disclosure, the computer-readable signal medium may include a data signal propagated in a baseband or as a part of a carrier, the data signal carrying computer-readable program code. The propagated data signal may be in various forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination thereof. The computer-readable signal medium may also be any computer-readable medium other than the computer-readable storage medium. The computer-readable signal medium can send, propagate, or transmit a program used by or in combination with an instruction execution system, apparatus, or device. The program code contained on the computer-readable medium may be transmitted by any suitable medium, including but not limited to: electric wires, optical cables, radio frequency (RF), etc., or any suitable combination thereof.

[0156] In some implementations, the client and the server can communicate using any currently known or future-developed network protocol such as a hypertext transfer protocol (HTTP), and can be connected to digital data communication (for example, a communication network) in any form or medium. Examples of the communication network include a local area network (LAN), a wide area network (WAN), an internetwork (for example, the Internet), a peer-to-peer network (for example, an ad hoc peer-to-peer network), and any currently known or future-developed network.

[0157] The above computer-readable medium may be contained in the above electronic device. Alternatively, the computer-readable medium may exist independently, without being assembled into the electronic device.

[0158] The above computer-readable medium carries one or more programs that, when executed by the electronic device, cause the electronic device to: separately obtain a first pseudo-random number pair and a second pseudo-random number pair by jointly executing a random oblivious transfer (R-OT) protocol with a second participant twice, where the second participant is the other one of the two participants; and generate a first element slice of a data tuple for secure computation based on the first pseudo-random number pair and the second pseudo-random number pair, where the data tuple comprises the first element slice and a second element slice, the second element slice is generated by the second participant based on a third pseudo-random number pair and a fourth pseudo-random number pair, and the third pseudo-random number pair and the fourth pseudo-random number pair are separately obtained when the second participant executes the R-OT protocol for two times.

[0159] The computer program code for performing operations in the present disclosure may be written in one or more programming languages or a combination thereof, where the programming languages include but are not limited to an object-oriented programming language, such as Java, Smalltalk, and C++, and further include conventional procedural programming languages, such as C language or similar programming languages. The program code may be completely executed on a computer of a user, partially executed on a computer of a user, executed as an independent software package, partially executed on a computer of a user and partially executed on a remote computer, or completely executed on a remote computer or server. In the circumstance involving the remote computer, the remote computer may be connected to the computer of the user over any type of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computer (for example, connected over the Internet using an Internet service provider).

[0160] The flowcharts and block diagrams in the accompanying drawings illustrate the possible system architectures, functions, and operations of the system, the method, and the computer program product according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagram may represent a module, program segment, or part of code, and the module, program segment, or part of code contains one or more executable instructions for implementing the specified logical functions. It should also be noted that in some alternative implementations, the functions marked in the blocks may also occur in an order different from that marked in the accompanying drawings. For example, two blocks shown in succession can actually be performed substantially in parallel, or they can sometimes be performed in the reverse order, depending on the functions involved. It should also be noted that each block in the block diagram and/or the flowchart, and a combination of the blocks in the block diagram and/or the flowchart may be implemented by a dedicated hardware-based system that executes specified functions or operations, or may be implemented by a combination of dedicated hardware and computer instructions.

[0161] The modules involved in the embodiments described in the present disclosure may be implemented by software, or may be implemented by hardware. The name of a module does not constitute a limitation on the module itself in some cases. For example, an obtaining module may also be described as a module that obtains a second intermediate result generated by the second participant.

[0162] The functions described herein above may be performed at least partially by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: a field programmable gate array (FPGA), an application-specific integrated circuit (ASIC), an application-specific standard product (ASSP), a system on chip (SOC), a complex programmable logic device (CPLD), and the like.

[0163] In the context of the present disclosure, a machine-readable medium may be a tangible medium that may contain or store a program for use by or in combination with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, electronic, magnetic, optical, electromagnetic, infrared, or semiconductor systems, apparatuses, or devices, or any suitable combination thereof. Another example of the machine-readable storage medium may include an electrical connection based on one or more wires, a portable computer disk, a hard disk, a random-access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination thereof.

[0164] According to one or more embodiments of the present disclosure, Example 1 provides a method for generating a data tuple for secure computation, the method being applied to a first participant, the first participant being one of two participants of the secure computation, and the method including: [0165] separately obtaining a first pseudo-random number pair and a second pseudo-random number pair by jointly executing a random oblivious transfer (R-OT) protocol with a second participant twice, where the second participant is the other one of the two participants; and [0166] generating a first element slice of a data tuple for secure computation based on the first pseudo-random number pair and the second pseudo-random number pair, where the data tuple comprises the first element slice and a second element slice, the second element slice is generated by the second participant based on a third pseudo-random number pair and a fourth pseudo-random number pair, and the third pseudo-random number pair and the fourth pseudo-random number pair are separately obtained when the second participant executes the R-OT protocol for two times.

[0167] According to one or more embodiments of the present disclosure, Example 2 provides the method of Example 1, where the secure computation is used for the two participants to collaboratively compute a product of first data and second data, the first data forms an arithmetic sharing form between the two participants, and the second data forms a Boolean sharing form between the two participants;

[0168] the first pseudo-random number pair comprises a first pseudo-random number b.sub.0 and a second pseudo-random number u.sub.0, the second pseudo-random number pair comprises a third pseudo-random number a.sub.0 and a fourth pseudo-random number v.sub.0, a third pseudo-random number pair comprises a fifth pseudo-random number a.sub.1 and a sixth pseudo-random number u.sub.1, the fourth pseudo-random number pair comprises a seventh pseudo-random number b.sub.1 and an eighth pseudo-random number v.sub.1, the first pseudo-random number pair and the third pseudo-random number pair are obtained by executing the R-OT protocol for one time, the second pseudo-random number pair and the fourth pseudo-random number pair are obtained by executing another R-OT protocol, (b.sub.0, a.sub.1)=u.sub.0+u.sub.1, (b.sub.1, a.sub.0)=00+v.sub.1, if b=1, then (b, a)=a, if b=0, then (b, a)=0, b.sub.0 b.sub.1 and b belong to a modulus 2 space, and a u.sub.0, a.sub.0, v.sub.0, a.sub.1, w.sub.1, and v.sub.1 all belong to a modulus 2 to the power of N space.

[0169] According to one or more embodiments of the present disclosure, Example 3 provides the method of Example 2, where the generating a first element slice of a data tuple for secure computation based on the first pseudo-random number pair and the second pseudo-random number pair includes: [0170] determining a first value based on the first pseudo-random number and the third pseudo-random number; [0171] determining a second value based on the first pseudo-random number, the second pseudo-random number, the fourth pseudo-random number, and the first value; and [0172] generating the first element slice of the data tuple for secure computation using the first pseudo-random number, the first value, and the second value as elements.

[0173] According to one or more embodiments of the present disclosure, Example 4 provides the method of Example 3, where the determining a second value based on the first pseudo-random number, the second pseudo-random number, the fourth pseudo-random number, and the first value includes:

[0174] determining the second value based on the first pseudo-random number, the second pseudo-random number, the fourth pseudo-random number, and the first value by using the following formula:

[00016]$y_0=f\left(b_{0^{}}{\tilde{a}}_0\right)+u_0+v_0$ [0175] where y.sub.0 is the second value; and .sub.0 is the first value.

[0176] According to one or more embodiments of the present disclosure, Example 5 provides the method of Example 3, where the determining a first value based on the first pseudo-random number and the third pseudo-random number includes: [0177] if the first pseudo-random number is 0, determining the third pseudo-random number as the first value; or [0178] if the first pseudo-random number is 1, determining an opposite of the third pseudo-random number as the first value.

[0179] According to one or more embodiments of the present disclosure, Example 6 provides the method of any one of Examples 2 to 5, where the method further includes: [0180] generating a first intermediate result based on the first element slice, a first arithmetic slice of the first data held by the first participant, and a first Boolean slice of the second data held by the first participant.

[0181] According to one or more embodiments of the present disclosure, Example 7 provides the method of Example 6, where the method further includes: [0182] obtaining a second intermediate result generated by the second participant, where the second intermediate result is generated based on the second element slice, a second arithmetic slice of the first data held by the second participant, and a second Boolean slice of the second data held by the second participant; and [0183] determining a sum of the first intermediate result and the second intermediate result as the product of the first data and the second data.

[0184] According to one or more embodiments of the present disclosure, Example 8 provides an apparatus for generating a data tuple for secure computation, the apparatus being applied to a first participant, the first participant being one of two participants of the secure computation, and the apparatus including a protocol execution module and an element slice generation module.

[0185] The protocol execution module is configured to separately obtain a first pseudo-random number pair and a second pseudo-random number pair by jointly executing a random oblivious transfer (R-OT) protocol with a second participant twice, where the second participant is the other one of the two participants.

[0186] The element slice generation module is configured to generate a first element slice of a data tuple for secure computation based on the first pseudo-random number pair and the second pseudo-random number pair, where the data tuple comprises the first element slice and a second element slice, the second element slice is generated by the second participant based on a third pseudo-random number pair and a fourth pseudo-random number pair, and the third pseudo-random number pair and the fourth pseudo-random number pair are separately obtained when the second participant executes the R-OT protocol for two times.

[0187] According to one or more embodiments of the present disclosure, Example 9 provides a computer-readable medium having stored thereon a computer program that, when executed by a processing unit, causes the steps of the method of any one of Examples 1 to 7 to be implemented.

[0188] According to one or more embodiments of the present disclosure, Example 10 provides an electronic device, including: a storage unit having stored thereon a computer program; and a processing unit configured to execute the computer program in the storage unit, to implement the steps of the method of any one of Examples 1 to 7.

[0189] The foregoing descriptions are merely preferred embodiments of the present disclosure and explanations of the applied technical principles. Persons skilled in the art should understand that the scope of disclosure involved in the present disclosure is not limited to the technical solutions formed by combinations of the foregoing technical features, and shall also cover other technical solutions formed by any combination of the foregoing technical features or equivalent features thereof without departing from the foregoing concept of disclosure. For example, a technical solution formed by replacing the foregoing features with technical features with similar functions disclosed in the present disclosure (but not limited thereto).

[0190] In addition, although various operations are depicted in a certain order, it should be understood as requiring these operations to be performed in the certain order shown or in a sequential order. Under some circumstances, multitasking and parallel processing may be advantageous. Similarly, although several implementation details are included in the foregoing discussions, these details should not be construed as limiting the scope of the present disclosure. Some features that are described in the context of separate embodiments can also be implemented in combination in a single embodiment. In contrast, various features described in the context of a single embodiment can also be implemented in a plurality of embodiments individually or in any suitable sub-combination.

[0191] Although the subject matter has been described in a language specific to structural features and/or logical actions of the method, it should be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or actions described above. In contrast, the specific features and actions described above are merely exemplary forms of implementing the claims. With respect to the apparatus or device in the foregoing embodiments, a specific manner in which each module performs an operation has been described in detail in the embodiments related to the method, and will not be detailed herein.