今天看了秘密分享架构中的ABY架构,尤其看了Arithmetic sharing部分,对于该秘密分享机制下的加法与乘法的计算有了一定的了解,而且了解了如何通过Pailler同态加密方法产生c=axb的三元组。但是对于OT-Base产生三元组的方法不太了解,明天会对非对称加密体系,安全分享公钥的方法还有Diffie-Hellman算法进行学习以求更加熟悉OT-Base办法
也欢迎各位大佬光临我滴博客啦!
论文:ABY - A Framework for efficient Mixed-Protocol Secure Two-Party Computation
1). Share Semantics:
1. Shared values:
对于一个数
x
x
x的l字节Arithmetic共享
⟨
x
⟩
A
\langle x\rangle ^A
⟨x⟩A,我们有
⟨
x
⟩
0
A
+
⟨
x
⟩
1
A
=
⟨
x
⟩
A
,
⟨
x
⟩
0
A
,
⟨
x
⟩
1
A
∈
Z
2
l
\langle x\rangle^A_0 + \langle x\rangle^A_1=\langle x\rangle^A , \langle x\rangle_0^A,\langle x\rangle_1^A\in Z_{2^l}
⟨x⟩0A+⟨x⟩1A=⟨x⟩A,⟨x⟩0A,⟨x⟩1A∈Z2l
2. Sharing:
定义 S h r i i A ( x ) : Shri^A_i(x): ShriiA(x): P i P_i Pi随机选 r ∈ Z 2 l , r\in Z_{2^l}, r∈Z2l, 令 ⟨ x ⟩ i A = x − r \langle x\rangle_i^A=x-r ⟨x⟩iA=x−r,并发送r给 P 1 − i P_{1-i} P1−i, P 1 − i P_{1-i} P1−i 将 ⟨ x ⟩ 1 − i A \langle x\rangle_{1-i}^{A} ⟨x⟩1−iA 设为r
3. Reconstruction:
定义 R e c i A ( x ) : Rec_i^A(x): ReciA(x): P 1 − i P_{1-i} P1−i 将 ⟨ x ⟩ 1 − i A \langle x\rangle_{1-i}^A ⟨x⟩1−iA给 P i P_{i} Pi, P i P_i Pi计算 x = ⟨ x ⟩ 0 A + ⟨ x ⟩ 1 A x=\langle x\rangle_0^A+\langle x\rangle_1^A x=⟨x⟩0A+⟨x⟩1A
2). Operations:
1. Addition
需要计算 ⟨ z ⟩ A = ⟨ x ⟩ A + ⟨ y ⟩ A \langle z\rangle^A=\langle x\rangle^A+\langle y\rangle^A ⟨z⟩A=⟨x⟩A+⟨y⟩A,只需要 P i P_i Pi本地计算 ⟨ z ⟩ i A = ⟨ x ⟩ i A + ⟨ y ⟩ i A \langle z\rangle_i^A=\langle x\rangle_i^A+\langle y\rangle_i^A ⟨z⟩iA=⟨x⟩iA+⟨y⟩iA
2. Multiplication
需要计算 ⟨ z ⟩ A = ⟨ x ⟩ A ⟨ y ⟩ A \langle z\rangle^A=\langle x\rangle^A\langle y\rangle^A ⟨z⟩A=⟨x⟩A⟨y⟩A
初始状态:
A : ⟨ x ⟩ 0 A , ⟨ y ⟩ 0 A A: \langle x\rangle^A_0,\langle y\rangle^A_0 A:⟨x⟩0A,⟨y⟩0A
B : ⟨ x ⟩ 1 A , ⟨ y ⟩ 1 A B:\langle x\rangle^A_1,\langle y\rangle_1^A B:⟨x⟩1A,⟨y⟩1A
目标状态:
A : ⟨ z ⟩ 0 A A:\langle z\rangle^A_0 A:⟨z⟩0A
B : ⟨ z ⟩ 1 A B:\langle z\rangle^A_1 B:⟨z⟩1A
s . t . ⟨ z ⟩ 0 A + ⟨ z ⟩ 1 A = ⟨ z ⟩ A = ⟨ x ⟩ A × ⟨ y ⟩ A s.t. \langle z\rangle^A_0+\langle z\rangle^A_1=\langle z\rangle_A=\langle x\rangle_A\times\langle y\rangle_A s.t.⟨z⟩0A+⟨z⟩1A=⟨z⟩A=⟨x⟩A×⟨y⟩A
方案如下:
-
准备三元组 ( a , b , c = a × b ) (a,b,c=a\times b) (a,b,c=a×b) 然后将 ( a , b , c = a × b ) (a,b,c=a\times b) (a,b,c=a×b) 加法共享给 P 0 , P 1 P_0,P_1 P0,P1(具体方案会在之后介绍)
A : ⟨ x ⟩ 0 A , ⟨ y ⟩ 0 A , ⟨ a ⟩ 0 A , ⟨ b ⟩ 0 A , ⟨ c ⟩ 0 A A:\langle x\rangle_0^A,\langle y\rangle_0^A,\langle a\rangle^A_0,\langle b\rangle_0^A,\langle c\rangle_0^A A:⟨x⟩0A,⟨y⟩0A,⟨a⟩0A,⟨b⟩0A,⟨c⟩0A
B : ⟨ x ⟩ 1 A , ⟨ y ⟩ 1 A , ⟨ a ⟩ 1 A , ⟨ b ⟩ 1 A , ⟨ c ⟩ 1 A B:\langle x\rangle_1^A,\langle y\rangle_1^A,\langle a\rangle_1^A,\langle b\rangle_1^A,\langle c\rangle_1^A B:⟨x⟩1A,⟨y⟩1A,⟨a⟩1A,⟨b⟩1A,⟨c⟩1A
-
两方各自计算 ⟨ e ⟩ i A = ⟨ x ⟩ i A − ⟨ a ⟩ i A , ⟨ f ⟩ i A = ⟨ y ⟩ i A − ⟨ b ⟩ i A \langle e\rangle^A_i=\langle x\rangle^A_i-\langle a\rangle^A_i,\langle f\rangle_i^A=\langle y\rangle^A_i-\langle b\rangle^A_i ⟨e⟩iA=⟨x⟩iA−⟨a⟩iA,⟨f⟩iA=⟨y⟩iA−⟨b⟩iA(盲化 ⟨ x ⟩ , ⟨ y ⟩ \langle x\rangle,\langle y\rangle ⟨x⟩,⟨y⟩)
A : ⟨ x ⟩ 0 A , ⟨ y ⟩ 0 A , ⟨ a ⟩ 0 A , ⟨ b ⟩ 0 A , ⟨ c ⟩ 0 A , ⟨ e ⟩ 0 A , ⟨ f ⟩ 0 A A:\langle x\rangle_0^A,\langle y\rangle_0^A,\langle a\rangle^A_0,\langle b\rangle_0^A,\langle c\rangle_0^A,\langle e\rangle_0^A,\langle f\rangle_0^A A:⟨x⟩0A,⟨y⟩0A,⟨a⟩0A,⟨b⟩0A,⟨c⟩0A,⟨e⟩0A,⟨f⟩0A
B : ⟨ x ⟩ 1 A , ⟨ y ⟩ 1 A , ⟨ a ⟩ 1 A , ⟨ b ⟩ 1 A , ⟨ c ⟩ 1 A , ⟨ e ⟩ 1 A , ⟨ f ⟩ 1 A B:\langle x\rangle_1^A,\langle y\rangle_1^A,\langle a\rangle_1^A,\langle b\rangle_1^A,\langle c\rangle_1^A,\langle e\rangle^A_1,\langle f\rangle_1^A B:⟨x⟩1A,⟨y⟩1A,⟨a⟩1A,⟨b⟩1A,⟨c⟩1A,⟨e⟩1A,⟨f⟩1A
-
双方共享自己的 ⟨ e ⟩ , ⟨ f ⟩ \langle e\rangle,\langle f\rangle ⟨e⟩,⟨f⟩
A : ⟨ x ⟩ 0 A , ⟨ y ⟩ 0 A , ⟨ a ⟩ 0 A , ⟨ b ⟩ 0 A , ⟨ c ⟩ 0 A , ⟨ e ⟩ A , ⟨ f ⟩ A A:\langle x\rangle_0^A,\langle y\rangle_0^A,\langle a\rangle^A_0,\langle b\rangle_0^A,\langle c\rangle_0^A,\langle e\rangle^A,\langle f\rangle^A A:⟨x⟩0A,⟨y⟩0A,⟨a⟩0A,⟨b⟩0A,⟨c⟩0A,⟨e⟩A,⟨f⟩A
B : ⟨ x ⟩ 1 A , ⟨ y ⟩ 1 A , ⟨ a ⟩ 1 A , ⟨ b ⟩ 1 A , ⟨ c ⟩ 1 A , ⟨ e ⟩ A , ⟨ f ⟩ A B:\langle x\rangle_1^A,\langle y\rangle_1^A,\langle a\rangle_1^A,\langle b\rangle_1^A,\langle c\rangle_1^A,\langle e\rangle^A,\langle f\rangle^A B:⟨x⟩1A,⟨y⟩1A,⟨a⟩1A,⟨b⟩1A,⟨c⟩1A,⟨e⟩A,⟨f⟩A
-
计算 ⟨ z ⟩ 0 A = f × ⟨ a ⟩ 0 A + e × ⟨ b ⟩ 0 A + ⟨ c ⟩ 0 A \langle z\rangle_0^A=f\times \langle a\rangle^A_0+e\times \langle b\rangle^A_0+\langle c\rangle_0^A ⟨z⟩0A=f×⟨a⟩0A+e×⟨b⟩0A+⟨c⟩0A与 ⟨ z ⟩ 1 A = e × f + f × ⟨ a ⟩ 1 A + e × ⟨ b ⟩ 1 A + ⟨ c ⟩ 1 A \langle z\rangle_1^A=e\times f+f\times \langle a\rangle^A_1+e\times\langle b\rangle^A_1+\langle c\rangle_1^A ⟨z⟩1A=e×f+f×⟨a⟩1A+e×⟨b⟩1A+⟨c⟩1A
故有 ⟨ z ⟩ A + ⟨ z ⟩ B = e × f + f × a + e × b + c = x × y \langle z\rangle^A+\langle z\rangle^B=e\times f+f\times a+e\times b+c=x\times y ⟨z⟩A+⟨z⟩B=e×f+f×a+e×b+c=x×y
3. 生成三元组 ( a , b , c = a × b ) (a,b,c=a\times b) (a,b,c=a×b)
(1). 通过同态加密实现
注释:Pailler同态加密指的是 E n c 0 ( a + b ) = E n c 0 ( a ) × E n c 0 ( b ) Enc_0(a+b)=Enc_0(a)\times Enc_0(b) Enc0(a+b)=Enc0(a)×Enc0(b)
初始状态: P 0 , P 1 P_0,P_1 P0,P1分别随机 ⟨ a ⟩ 0 A , ⟨ a ⟩ 1 A , ⟨ b ⟩ 0 A , ⟨ b ⟩ 1 A \langle a\rangle_0^A,\langle a\rangle_1^A,\langle b\rangle_0^A,\langle b\rangle_1^A ⟨a⟩0A,⟨a⟩1A,⟨b⟩0A,⟨b⟩1A, P 1 P_1 P1随机一个随机数 r r r
需要获得一个 ⟨ c ⟩ A , ⟨ c ⟩ 1 A \langle c\rangle^A,\langle c\rangle^A_1 ⟨c⟩A,⟨c⟩1A,使得 ⟨ c ⟩ 0 A + ⟨ c ⟩ 1 A = ⟨ c ⟩ A = ⟨ a ⟩ A ⟨ b ⟩ A = ( ⟨ a ⟩ 0 A + ⟨ a ⟩ 1 A ) ( ⟨ b ⟩ 0 A + ⟨ b ⟩ 1 A ) \langle c\rangle_0^A+\langle c\rangle_1^A=\langle c\rangle^A=\langle a\rangle^A\langle b\rangle^A=(\langle a\rangle^A_0+\langle a\rangle^A_1)(\langle b\rangle_0^A+\langle b\rangle^A_1) ⟨c⟩0A+⟨c⟩1A=⟨c⟩A=⟨a⟩A⟨b⟩A=(⟨a⟩0A+⟨a⟩1A)(⟨b⟩0A+⟨b⟩1A)
方案如下:
-
P 0 P_0 P0发送给 P 1 P_1 P1: E n c 0 ( ⟨ a ⟩ 0 A ) , E n c 0 ( ⟨ b ⟩ 0 A ) Enc_0(\langle a\rangle_0^A), Enc_0(\langle b\rangle^A_0) Enc0(⟨a⟩0A),Enc0(⟨b⟩0A)
P 0 : ⟨ a ⟩ 0 A , ⟨ b ⟩ 0 A P_0:\langle a\rangle^A_0,\langle b\rangle^A_0 P0:⟨a⟩0A,⟨b⟩0A
P 1 : ⟨ a ⟩ 0 A , ⟨ b ⟩ 1 A , r , E n c 0 ( ⟨ a ⟩ 0 A ) , E n c 0 ( ⟨ b ⟩ 0 A ) P_1:\langle a\rangle^A_0,\langle b\rangle^A_1,r,Enc_0(\langle a\rangle_0^A),Enc_0(\langle b\rangle_0^A) P1:⟨a⟩0A,⟨b⟩1A,r,Enc0(⟨a⟩0A),Enc0(⟨b⟩0A)
-
P 1 P_1 P1发给 P 0 P_0 P0:
d = E n c 0 ( ⟨ a ⟩ 0 A ) ⟨ b ⟩ 1 A × E n c 0 ( ⟨ b ⟩ 0 A ) ⟨ a ⟩ 1 A × E n c 0 ( r ) d=Enc_0(\langle a\rangle_0^A)^{\langle b\rangle^A_1}\times Enc_0(\langle b\rangle_0^A)^{\langle a\rangle_1^A}\times Enc_0(r) d=Enc0(⟨a⟩0A)⟨b⟩1A×Enc0(⟨b⟩0A)⟨a⟩1A×Enc0(r)
-
P 0 P_0 P0计算 ⟨ c ⟩ 0 A = ⟨ a ⟩ 0 A ⟨ b ⟩ 0 A + D e c 0 ( d ) = ⟨ a ⟩ 0 A ⟨ b ⟩ 0 A + ⟨ a ⟩ 0 A ⟨ b ⟩ 1 A + ⟨ a ⟩ 1 A ⟨ b ⟩ 0 A + r \langle c\rangle_0^A=\langle a\rangle_0^A \langle b\rangle_0^A+Dec_0(d)=\langle a\rangle_0^A\langle b\rangle^A_0+\langle a\rangle_0^A\langle b\rangle^A_1+\langle a\rangle_1^A\langle b\rangle_0^A+r ⟨c⟩0A=⟨a⟩0A⟨b⟩0A+Dec0(d)=⟨a⟩0A⟨b⟩0A+⟨a⟩0A⟨b⟩1A+⟨a⟩1A⟨b⟩0A+r
-
P 1 P_1 P1计算
⟨ c ⟩ 1 A = ⟨ a ⟩ 1 A ⟨ b ⟩ 1 A − r \langle c\rangle_1^A=\langle a\rangle_1^A\langle b\rangle_1^A-r ⟨c⟩1A=⟨a⟩1A⟨b⟩1A−r
(2).通过OT实现
暂时还不会 明天看!
357
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
