CN112347473A - Machine learning security aggregation prediction method and system supporting bidirectional privacy protection - Google Patents

Machine learning security aggregation prediction method and system supporting bidirectional privacy protection

Info

Publication number
CN112347473A
Authority
CN
China
Prior art keywords
share
prediction result
server
aggregation
blinded
Prior art date
Legal status
Granted
Application number
CN202011230255.9A
Other languages
Chinese (zh)
Other versions
CN112347473B (en)
Inventor
赵川
赵埼
荆山
张波
陈贞翔
贾忠田
Current Assignee
Hangzhou Liang'an Technology Co ltd
Original Assignee
University of Jinan
Application filed by University of Jinan
Priority to CN202011230255.9A
Publication of CN112347473A
Application granted
Publication of CN112347473B
Legal status: Active
Anticipated expiration

Abstract

The application discloses a machine learning security aggregation prediction method and system supporting bidirectional privacy protection. The system comprises a client, computing servers and an aggregation server. In the method, a computing server receives a data share of the data to be predicted, sent by the client; the computing server processes the data share to obtain a prediction result share; the computing server blinds the prediction result share to obtain a blinded prediction result share; the computing server sends the blinded prediction result share to the aggregation server; and the aggregation server removes the blinding from the blinded prediction result share, adds noise, and feeds the result back to the client.

Description

Machine learning security aggregation prediction method and system supporting bidirectional privacy protection
Technical Field
The application relates to the technical field of machine learning, in particular to a machine learning security aggregation prediction method and system supporting bidirectional privacy protection.
Background
The statements in this section merely provide background information related to the present disclosure and may not constitute prior art.
Driven by technologies such as big data and machine learning, artificial intelligence is changing the way people live, for example through face and speech recognition, recommendation systems and driverless cars. At the same time, misuse of private information has made leakage incidents frequent. The performance of machine learning and deep learning algorithms relies on large amounts of training data collected in advance, which may contain user-sensitive information such as medical records and credit records. A large body of research shows that machine learning models are highly susceptible to malicious attacks: because a model implicitly encodes information about its training data, an attacker can recover private information about that data by analysing the model. For example, Tramèr et al. attacked online machine learning prediction services (MLaaS) such as Amazon and BigML through their query prediction APIs and successfully extracted a model approximating the original; Fredrikson et al. recovered original training data by analysing the probability information output by a classifier; and the membership inference attack designed by Shokri et al. trains a number of shadow models to determine whether a given record appears in the training set. Once model parameters or training data leak, serious security threats and losses can result for enterprises and individuals.
With the disclosure of various privacy threats in machine learning, a great deal of research has been devoted to privacy protection in machine learning. For example, Papernot et al. proposed the privacy-preserving machine learning framework Private Aggregation of Teacher Ensembles (PATE), a "teacher-student" semi-supervised transfer model. PATE is based on the idea that if multiple independent models trained on disjoint datasets largely agree in their output for the same input, that output reveals no private training data. The framework therefore partitions the private dataset, trains a number of independent teacher models on the private subsets, and transfers knowledge to a student model through an aggregation mechanism that satisfies differential privacy, i.e. the teacher models label public data for the student; the teacher models can be regarded as machine learning as a service. The adversary can only access the student model trained on the public data, so the private training data is protected. Intuitively, PATE provides strong privacy guarantees and is flexibly extensible, but the framework also has certain limitations.
Firstly, with regard to privacy, PATE aggregates the prediction results of several teachers through a trusted aggregator; however, a completely trusted entity does not exist in practice, and if the aggregator is malicious or semi-honest, the prediction results can leak directly. Secondly, when the student has no public data, or the data held by the student is itself private, the privacy of the student's data cannot be ensured. Consider a hospital that wishes to train a machine learning model to help infer patient conditions and has its own (student) dataset labelled by other hospitals (teachers): since patient data cannot be disclosed directly to the other hospitals (teachers), the PATE framework provides no effective privacy assurance. And if the adversary corrupts the student, the teacher models can be attacked in reverse through their prediction results (membership inference attack), so the privacy of the teacher models and of their training data cannot be guaranteed. The above problems amount to two-way privacy disclosure. With regard to performance, since the PATE framework provides its privacy guarantee through differential privacy, the amount of data that can be predicted is limited in order to control the privacy cost. Furthermore, the PATE framework can only be deployed locally, i.e. the teacher models can only provide predictions locally, which requires the teachers to remain online at prediction time.
Disclosure of Invention
In order to solve the defects of the prior art, the application provides a machine learning security aggregation prediction method and system supporting bidirectional privacy protection;
in a first aspect, the application provides a machine learning security aggregation prediction method supporting bidirectional privacy protection;
the machine learning security aggregation prediction method supporting bidirectional privacy protection comprises the following steps:
the method comprises the steps that a calculation server receives data share of data to be predicted, wherein the data share is sent by a client;
the calculation server processes the data share to obtain a prediction result share;
the calculation server carries out blind processing on the prediction result share to obtain a blind prediction result share;
the computing server sends the blinded prediction result share to an aggregation server;
and the aggregation server performs blind removing processing and noise adding processing on the blind prediction result share, and feeds back the result to the client.
In a second aspect, the present application provides a machine learning security aggregation prediction system that supports bi-directional privacy protection;
machine learning security aggregation prediction system supporting bi-directional privacy protection, comprising: the system comprises a client, a computing server and an aggregation server;
the method comprises the steps that a calculation server receives data share of data to be predicted, wherein the data share is sent by a client; the calculation server processes the data share to obtain a prediction result share; the calculation server carries out blind processing on the prediction result share to obtain a blind prediction result share; the computing server sends the blinded prediction result share to an aggregation server; and the aggregation server performs blind removing processing and noise adding processing on the blind prediction result share, and feeds back the result to the client.
Compared with the prior art, the beneficial effects of this application are:
1. a security framework is presented that can provide two-way privacy protection that can protect the security of privacy training models (teacher models) and privacy inputs (student inputs). For a model provider, the server cannot acquire complete model parameters, a user cannot attack the model and original training data through a prediction result, and for the user, privacy input cannot be acquired by a model holder and the server.
2. The high privacy cost caused by adding differential privacy for protection in the traditional method is avoided. The framework computes the information entropy of the prediction vector and dynamically adds noise to the vector according to that entropy; this effectively resists membership inference attacks without limiting the amount of data that can be predicted.
3. By combining the SGX technology, the framework ensures that valuable information cannot be obtained even if a certain server is corrupted by a malicious adversary in the calculation process, and meanwhile, the prediction output (teacher prediction) in the calculation process is protected.
4. The flexibility of the PATE framework is increased, the server receives and stores the model shares in the off-line stage, and model holders (teachers) do not need to be added into the on-line prediction process.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate embodiments of the application and, together with the description, serve to explain the application and are not intended to limit the application.
FIG. 1 is a flow chart of an off-line phase method of the first embodiment;
FIG. 2 is a flow chart of the online prediction calculation of the first embodiment;
FIG. 3 is a diagram of the dependencies between the SecureNN base protocols of the first embodiment;
FIG. 4 is a flowchart of the prediction result optimization according to the first embodiment.
Detailed Description
It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the disclosure. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments according to the present application. As used herein, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise, and it should be understood that the terms "comprises" and "comprising", and any variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The embodiments and features of the embodiments in the present application may be combined with each other without conflict.
Interpretation of terms:
SecureNN: SecureNN is a three-party secure computation protocol proposed by Wagh et al. in 2018 that supports the training and prediction of neural networks. The protocol is mainly based on secret sharing. Compared with earlier protocols that are secure only against a semi-honest adversary, SecureNN ensures that the input and output of the honest client are not learned even if any single server is corrupted by a malicious adversary. The protocol involves three servers: $S_0$ and $S_1$ hold 2-out-of-2 secret shares of the input at the start of protocol execution and 2-out-of-2 secret shares of the output at the end of the computation, while $S_2$ assists the other two servers in executing the protocol. For nonlinear activation functions, besides fitting them with linear polynomials, SecureNN computes the ReLU function indirectly by first computing its derivative, which reduces the error introduced by a linear fit. FIG. 3 shows the dependencies between the SecureNN base protocols. The following are some of the primitives of the secret sharing technique.
Shared value: for a shared value $\langle a\rangle$ we have $\langle a\rangle_0 + \langle a\rangle_1 \equiv a \pmod F$, where $\langle a\rangle_0, \langle a\rangle_1, a \in F$ and $F$ is a finite field.
Sharing $\mathrm{Share}_i(a)$: $S_i$ selects a value $r \in F$, sets $\langle a\rangle_i = a - r$ and sends $r$ to $S_{1-i}$; at $S_{1-i}$, $\langle a\rangle_{1-i} = r$.
Reconstruction $\mathrm{Rec}_i(a)$: $S_{1-i}$ sends its share $\langle a\rangle_{1-i}$ to $S_i$, and $S_i$ computes $a = \langle a\rangle_0 + \langle a\rangle_1$.
Addition $\langle c\rangle = \langle a\rangle + \langle b\rangle$: $S_i$ computes locally $\langle c\rangle_i = \langle a\rangle_i + \langle b\rangle_i$, without interaction.
Multiplication $\langle c\rangle = \langle a\rangle \cdot \langle b\rangle$: multiplication relies on a precomputed multiplication triple $\langle u\rangle_i, \langle v\rangle_i, \langle z\rangle_i$ with $z = u \cdot v \pmod F$. $S_i$ first computes $\langle e\rangle_i = \langle a\rangle_i - \langle u\rangle_i$ and $\langle f\rangle_i = \langle b\rangle_i - \langle v\rangle_i$; both parties then reconstruct $e = \mathrm{Rec}(e)$ and $f = \mathrm{Rec}(f)$ and set $\langle c\rangle_i = -i \cdot e \cdot f + f \cdot \langle a\rangle_i + e \cdot \langle b\rangle_i + \langle z\rangle_i$, so that $\langle c\rangle_0 + \langle c\rangle_1 = a \cdot b$.
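The five primitives above, implemented as an added example in Python (not code from the patent or from SecureNN); the Mersenne prime $2^{61}-1$ as the field $F$ and a dealer that hands out the multiplication triple in the role of $S_2$ are assumptions.

```python
"""2-out-of-2 additive secret sharing over a prime field F, as in the SecureNN
primitives listed above: Share, Rec, Add and Mul with a precomputed triple.
Added example; F = Z_p with p = 2^61 - 1 is an assumption, and make_triple()
plays the assisting third server S_2 that distributes the triple."""
import secrets

P = (1 << 61) - 1   # assumed finite field F = Z_p (Mersenne prime)


def share(a):
    """Share_i(a): pick r in F, keep <a>_i = a - r and send r as <a>_{1-i}.
    Index 0 is S_0's share, index 1 is S_1's share."""
    r = secrets.randbelow(P)
    return [(a - r) % P, r]


def rec(shares):
    """Rec(a): the holder of both shares computes a = <a>_0 + <a>_1 (mod F)."""
    return (shares[0] + shares[1]) % P


def add(x, y):
    """<c> = <a> + <b>: each S_i adds its own two shares locally."""
    return [(x[i] + y[i]) % P for i in range(2)]


def make_triple():
    """Dealer (role of S_2): random u, v and z = u*v, each handed out in shares."""
    u, v = secrets.randbelow(P), secrets.randbelow(P)
    return share(u), share(v), share(u * v % P)


def mul(x, y, triple):
    """<c> = <a>*<b> with one round of interaction.
    Each S_i forms <e>_i = <a>_i - <u>_i and <f>_i = <b>_i - <v>_i; opening
    e and f reveals nothing about a or b because u and v are uniform one-time
    masks.  Then <c>_i = -i*e*f + f*<a>_i + e*<b>_i + <z>_i (mod F): the e*f
    term is subtracted by S_1 only, so the two shares sum to a*b."""
    u, v, z = triple
    e = rec([(x[i] - u[i]) % P for i in range(2)])   # opened value e = a - u
    f = rec([(y[i] - v[i]) % P for i in range(2)])   # opened value f = b - v
    return [(-i * e * f + f * x[i] + e * y[i] + z[i]) % P for i in range(2)]


def secure_inner_product(xs, ws):
    """Worked use of the primitives: shares of x . w from shares of the two
    vectors, consuming one triple per coordinate product."""
    acc = [0, 0]
    for x, w in zip(xs, ws):
        acc = add(acc, mul(x, w, make_triple()))
    return acc


if __name__ == "__main__":
    # constructed sample: the shares of 6 and 7 are multiplied without either
    # server ever seeing 6, 7 or 42 in the clear
    c = mul(share(6), share(7), make_triple())
    print("shares:", c, "-> reconstructed:", rec(c))
```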
Intel SGX: Intel Software Guard Extensions is a set of new instructions and memory access mechanisms added to the Intel architecture. These extensions allow an application to instantiate a protected region called an Enclave. Operations inside it execute in a secure environment with confidentiality and integrity protection even in the presence of privileged system software or malicious programs, so the code and data inside cannot be tampered with or read. Enclave code and data may be inspected and analysed before the Enclave is created. Once the application's code and data are loaded into an Enclave, all external software access to it is blocked, and any attempt to read or modify the Enclave's contents is prohibited. SGX provides two attestation mechanisms, local attestation and remote attestation, to ensure that an attested application is running in a trusted environment.
Example one
The embodiment provides a machine learning security aggregation prediction method supporting bidirectional privacy protection;
the machine learning security aggregation prediction method supporting bidirectional privacy protection comprises the following steps:
S101: a computing server receives a data share of the data to be predicted, sent by a client;
S102: the computing server processes the data share to obtain a prediction result share;
S103: the computing server blinds the prediction result share to obtain a blinded prediction result share;
S104: the computing server sends the blinded prediction result share to an aggregation server;
S105: the aggregation server removes the blinding from the blinded prediction result share, adds noise, and feeds the result back to the client.
As one or more embodiments, before step S101 the method further includes:
S1001: a model holder divides the locally trained machine learning model into a plurality of model shares and sends the model shares to the corresponding computing servers;
S1002: the aggregation server randomly generates a blinding matrix in the trusted zone and sends the blinding matrix to the corresponding computing servers.
Further, before the step S1001, the method further includes:
S1000: the aggregation server creates an Enclave trusted zone, and the model holder and the computing servers perform remote attestation to ensure that the computing servers are running in a secure SGX environment.
Further, in S1001 the model holder divides the locally trained model into two model shares, i.e. the model holder uses secret sharing to divide the locally trained model into a plurality of model shares.
Illustratively, S1001, in which the model holder divides the locally trained model into two model shares, is implemented as follows:
$P_i$ splits the model $W_i$ locally into two model shares using secret sharing: $P_i$ randomly selects $r \in Z_L$, where $Z_L$ is a ring and $L = 2^{64}$, computes the model shares $share_0(W_i) = W_i - r \pmod L$ and $share_1(W_i) = r$, and sends the model shares to the two computing servers $S_0, S_1$. The computing servers never see the original model; each obtains only a model share.
Illustratively, the S1002: the aggregation server randomly generates a blinded matrix in the credible region and sends the blinded matrix to the corresponding calculation server; the specific implementation mode is as follows:
the aggregation server randomly generates the blinding matrices $mask_0$ and $mask_1$ in the Enclave and sends them to the computing servers through a secure channel.
The blinding matrix protects the share of the prediction result after the calculation server completes the prediction calculation, and avoids being attacked in an untrusted area of the aggregation server.
It should be understood that the blinding matrix is a random matrix used to protect the prediction shares. The method is generated in credible Enclave and then sent to two computing servers through a secure channel, and after model prediction is completed by the computing servers, the predicted result share is blinded.
Consider the case without a blinding matrix: the two servers complete the prediction, obtaining $share_0(Y_i)$ and $share_1(Y_i)$, and send them directly to the aggregation server.
The untrusted aggregation server can then directly reconstruct the prediction result $Y_i = share_0(Y_i) + share_1(Y_i)$, directly revealing the privacy of the user's prediction result; on the other hand, the adversary can also attack the training model indirectly through the prediction result, for example with a membership inference attack.
Once the protection of the blinding matrix is added, the untrusted server receives only the blinded prediction shares; reconstruction yields the blinded prediction result $Y_{mask} = share_0(Y_i) + mask_0 + share_1(Y_i) + mask_1 = Y_i + mask$, and the blinding matrix can only be removed inside the Enclave, so the prediction result is not revealed.
The generation mode of the blind matrix is as follows: randomly sampling a random matrix from the uniform distribution, wherein the data type of the matrix needs to be consistent with the data type of the predicted secret share.
As will be appreciated, Enclave: an Intel SGX program consists of two parts, an untrusted application and a trusted Enclave. At run time the Intel SGX instructions create the trusted Enclave in a specific protected memory region to hold the data and code to be protected, which effectively prevents data leakage.
Further, the S1000, S1001 and S1002 are all completed in the offline stage, as shown in fig. 1.
As one or more embodiments, the S101: the method comprises the steps that a calculation server receives data share of data to be predicted, wherein the data share is sent by a client; the method comprises the following specific steps:
a first computing server receives a first data share of data to be predicted, which is sent by a client; and the second computing server receives a second data share of the data to be predicted, which is sent by the client.
Illustratively, the S101: the method comprises the steps that a calculation server receives data share of data to be predicted, wherein the data share is sent by a client; the method comprises the following specific steps:
the client and the computing servers perform remote attestation to ensure the security, authenticity and integrity of the computing server hardware; after attestation passes, the client C divides the data x to be predicted into two data shares $share_0(x) = r$ and $share_1(x) = x - r \pmod L$ and sends them to the servers $S_0, S_1$.
share() denotes the sharing operation: to protect its private input x, the client selects a random value $r \in Z_L$, where $Z_L$ is a ring and $L = 2^{64}$, as the first secret share $share_0(x)$;
it then computes $x - r \pmod L$ as the second secret share $share_1(x)$ and sends the two secret shares to the servers, where mod denotes the modulo operation.
As one or more embodiments, the S102: the calculation server processes the data share to obtain a prediction result; the method comprises the following specific steps:
the first calculation server calculates a first prediction result based on the first data share; the second computing server computes a second prediction result based on the second data share.
Illustratively, the S102: the calculation server processes the data share to obtain a prediction result share; the method comprises the following specific steps:
server S0,S1,S2Carrying out safe three-party prediction calculation based on a SecureNN protocol and obtaining a prediction result share0(Yi) And share0(Yi)。
It should be understood that the computation between servers in this application is essentially a secret share based computation.
Before the secure multiparty computation, $S_0$ holds the model secret share $share_0(W_i)$ and the user's data share $share_0(x)$, and $S_1$ holds the model secret share $share_1(W_i)$ and the user's data share $share_1(x)$. With the assistance of $S_2$, the two servers complete the interactive computation under the SecureNN protocol and obtain their respective prediction result shares $share_0(Y_i)$ and $share_1(Y_i)$.
The SecureNN protocol comprises basic protocols such as addition, multiplication, matrix multiplication, activation function, privacy comparison and the like based on secret sharing, and can complete machine learning prediction calculation.
As one or more embodiments, the S103: the calculation server carries out blind processing on the prediction result share to obtain a blind prediction result share; the method comprises the following specific steps:
the first calculation server carries out blind processing on the first prediction result share to obtain a first blind prediction result share; and the second calculation server performs blind processing on the second prediction result share to obtain a second blind prediction result share.
Further, the first calculation server performs blinding processing on the first prediction result share to obtain a first blinded prediction result share; the method comprises the following steps: and the first computing server performs blinding processing on the first prediction result share through the first blinding matrix to obtain a first blinded prediction result share.
Further, the second calculation server performs blinding processing on the second prediction result share to obtain a second blinded prediction result share; the method comprises the following steps: and the second calculation server performs blinding processing on the second prediction result share through a second blinding matrix to obtain a second blinded prediction result share.
Illustratively, the S103: the calculation server carries out blind processing on the prediction result share to obtain a blind prediction result share; the method comprises the following specific steps:
calculation server S0,S1Blinding the respectively owned prediction result shares, i.e. using a previously obtained blinding matrix
Figure BDA0002764957520000101
It should be understood that if the prediction shares were not blinded, the aggregation server, on obtaining $share_0(Y_i)$ and $share_1(Y_i)$, could directly reconstruct $Y_i = share_0(Y_i) + share_1(Y_i)$ and leak the prediction result.
Further, the step S103: the calculation server carries out blind processing on the prediction result share to obtain a blind prediction result share; the method comprises the following specific steps:
and the calculation server performs blind processing on the share of the prediction result by adopting a blind matrix to obtain the share of the blind prediction result.
Further, the step of obtaining the blinding matrix includes:
and the aggregation server randomly generates a blinding matrix in the credible region.
As one or more embodiments, the S104: the computing server sends the blinded prediction result share to an aggregation server; the method comprises the following specific steps:
the first computing server sends the first blinded prediction result share to the aggregation server; the second computing server sends the second blinded prediction result share to the aggregation server.
As one or more embodiments, S105: the aggregation server removes the blinding from the blinded prediction result share, adds noise, and feeds the result back to the client; the specific steps are as follows:
S1051: the aggregation server reconstructs the blinded prediction result from the first and second blinded prediction result shares in the untrusted zone to obtain a third blinded prediction result share;
S1052: the aggregation server removes the blinding from the third blinded prediction result share in the trusted zone to obtain an intermediate result, and calculates an aggregated prediction result based on the intermediate result;
S1053: the aggregation server adds noise to the aggregated prediction result and sends the noise-added aggregated prediction result to the client.
Further, the S1051 aggregation server reconstructs the blind prediction result from the first blind prediction result share and the second blind prediction result share in the untrusted region, to obtain a third blind prediction result share; the method comprises the following specific steps:
the aggregation server obtains the blinded prediction result shares and, in the untrusted zone, first reconstructs the blinded prediction result, namely $Y_{mask} = share_0(Y_i) + mask_0 + share_1(Y_i) + mask_1 = Y_i + mask$.
It should be understood that the prediction $Y_i$ is not revealed here, since the blinding matrix is not present in the untrusted zone.
Further, the S1052: the aggregation server carries out de-blinding processing on the third blinded prediction result share in the credible area to obtain an intermediate result; the method comprises the following specific steps:
the aggregation server removes the blinding matrix in the trusted zone (Enclave) to obtain the prediction result:
$Y_i = Y_{mask} - mask$.
Further, S1052: the aggregation server calculates an aggregated prediction result based on the intermediate result; the specific steps are as follows:
the aggregation server calculates the aggregated prediction result using soft voting (formula given as an image in the original).
Soft voting has a higher accuracy than hard voting.
Further, the S1053: the aggregation server carries out noise processing on the aggregation prediction result and sends the aggregation prediction result subjected to the noise processing to the client; the method comprises the following specific steps:
the aggregation server first calculates the information entropy of the result (formula given as an image in the original).
For predictors with higher entropy, less noise is added, whereas for predictors with lower entropy, more noise is added.
According to the entropy, the aggregation server calculates the corresponding noise coefficient (formula given as an image in the original),
where d is the class distribution of the training data;
finally, the aggregation server adds noise to the prediction: $Y'_a = Y_a + N \cdot c \cdot (d - Y_a)$, where c is a control coefficient controlling the magnitude of the added noise.
In order to solve the privacy disclosure problem of the PATE framework in knowledge transfer from teacher models to a student model, and to overcome the performance limitations of the PATE framework, a scheme combining secret sharing with trusted computing (SGX) is provided. In the offline stage, a model holder (teacher) uses secret sharing to divide its model into two model shares, which are uploaded to and stored on two computing servers; in addition, the aggregation server generates a blinding matrix in the trusted zone and sends it to the two computing servers to protect the prediction result. In the online prediction stage, as shown in FIG. 2, the client (student) likewise uploads its private data to be predicted to the two servers in share form for prediction computation; the computing servers protect the prediction result shares with the blinding matrix; the aggregation server receives the blinded prediction shares, removes the blinding matrix in the trusted zone, aggregates the prediction results of the several private models, adds noise to the aggregated result for optimized protection, and returns the aggregated result to the client, as shown in FIG. 4.
The method involves three parties, namely a model holder, servers (two computing servers and an aggregation server), and a client, and specifically comprises the following steps:
1. Model holder $P_i$ divides the locally trained model $W_i$ into two model shares $share_0(W_i)$ and $share_1(W_i)$ and sends them to the computing servers $S_0, S_1$.
2. Aggregation server $S_2$ randomly generates blinding matrices $mask_0, mask_1$ with $mask = mask_0 + mask_1$ in the trusted zone (Enclave) and sends them to the computing servers $S_0, S_1$ through a secure channel.
3. The client C divides the data x to be predicted into two data shares $share_0(x)$ and $share_1(x)$ and sends them to the servers $S_0, S_1$.
4. Servers $S_0, S_1$ compute the prediction result on the model shares they hold, obtaining $share_0(Y_i)$ and $share_1(Y_i)$, where $Y = (y_1, y_2, \ldots, y_j)$ is the prediction vector, $j$ is the number of prediction classes and $y$ is the predicted probability.
5. Servers $S_0, S_1$ blind their prediction result shares (formula given as an image in the original) and send the blinded results to the aggregation server.
6. The aggregation server computes the blinded prediction result in the untrusted zone: $Y_{mask} = share_0(Y_i) + mask_0 + share_1(Y_i) + mask_1 = Y_i + mask$.
7. The aggregation server removes the blinding in the trusted zone (Enclave): $Y_i = Y_{mask} - mask$.
8. The aggregation server computes the aggregated prediction result using soft voting (formula given as an image in the original).
9. The aggregation server optimizes the aggregated result by adding noise, which reduces the information entropy of the prediction result, and sends the noise-added prediction result $Y'_a$ to the client C.
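Steps 1 to 9 as an added worked example in Python (not the patent's code), with a stand-in for the SecureNN inference of step 4: each computing server is simply handed a share of the teacher's prediction vector. The fixed-point scale, the soft-voting rule (mean of the teachers' probability vectors) and the noise coefficient $N = 1 - H(Y_a)/\log_2 j$ are assumptions, because the corresponding formulas appear only as images on this page.

```python
"""Toy run of the offline/online flow over the ring Z_L, L = 2^64: blinding
matrices from the enclave, untrusted-zone reconstruction of Y_mask, in-enclave
unblinding, soft voting and entropy-scaled noise.  Added example, not the
patent's code; SCALE, soft_vote() and noise_coefficient() are assumptions."""
import math
import secrets

L = 1 << 64          # ring Z_L, as in the description (L = 2^64)
SCALE = 1 << 16      # assumed fixed-point scale: probability p -> round(p * SCALE)


def encode(probs):
    """Fixed-point encode a probability vector into Z_L (assumption)."""
    return [round(p * SCALE) % L for p in probs]


def decode(ring_vec):
    """Inverse of encode; ring elements are read as signed values."""
    return [(v - L if v >= L // 2 else v) / SCALE for v in ring_vec]


def share(vec):
    """Steps 1/3: share_0 = v - r, share_1 = r (mod L) with r uniform in Z_L."""
    r = [secrets.randbelow(L) for _ in vec]
    return [(v - ri) % L for v, ri in zip(vec, r)], r


def vec_add(a, b):
    return [(x + y) % L for x, y in zip(a, b)]


def vec_sub(a, b):
    return [(x - y) % L for x, y in zip(a, b)]


class Enclave:
    """Trusted zone of aggregation server S_2: the only place where the masks
    and the unblinded teacher predictions Y_i exist in the clear."""

    def __init__(self, n_teachers, n_classes):
        # step 2: mask_0, mask_1 uniformly random, mask = mask_0 + mask_1;
        # one row per teacher prediction vector (assumed shape)
        self.mask0 = [[secrets.randbelow(L) for _ in range(n_classes)]
                      for _ in range(n_teachers)]
        self.mask1 = [[secrets.randbelow(L) for _ in range(n_classes)]
                      for _ in range(n_teachers)]

    def masks_for_servers(self):
        """mask_0 goes to S_0 and mask_1 to S_1 over a secure channel."""
        return self.mask0, self.mask1

    def unblind(self, y_mask_rows):
        """Step 7: Y_i = Y_mask - mask."""
        return [decode(vec_sub(row, vec_add(m0, m1)))
                for row, m0, m1 in zip(y_mask_rows, self.mask0, self.mask1)]


def soft_vote(pred_rows):
    """Step 8 (assumed rule): element-wise mean of the teachers' probability vectors."""
    n = len(pred_rows)
    return [sum(col) / n for col in zip(*pred_rows)]


def entropy(probs):
    return -sum(p * math.log2(p) for p in probs if p > 0)


def noise_coefficient(y_a):
    """Assumed N = 1 - H(Y_a)/log2(j): 0 for a uniform vector, close to 1 for a
    confident one, so low-entropy predictions receive more noise."""
    return 1.0 - entropy(y_a) / math.log2(len(y_a))


def add_noise(y_a, d, c):
    """Step 9: Y'_a = Y_a + N * c * (d - Y_a), with d the class distribution of
    the training data and c the control coefficient for the noise magnitude."""
    n = noise_coefficient(y_a)
    return [y + n * c * (di - y) for y, di in zip(y_a, d)]


def run_framework(teacher_preds, d, c):
    """One query through steps 1-9; returns what each party gets to see."""
    n_teachers, n_classes = len(teacher_preds), len(teacher_preds[0])
    enclave = Enclave(n_teachers, n_classes)
    mask0, mask1 = enclave.masks_for_servers()
    # step 4 stand-in: after SecureNN inference S_0, S_1 hold share_0(Y_i), share_1(Y_i)
    shares = [share(encode(y)) for y in teacher_preds]
    # step 5: each computing server blinds its share with its own mask
    blind0 = [vec_add(s0, m0) for (s0, _), m0 in zip(shares, mask0)]
    blind1 = [vec_add(s1, m1) for (_, s1), m1 in zip(shares, mask1)]
    # step 6: the untrusted zone can only reconstruct Y_mask = Y_i + mask
    y_mask = [vec_add(b0, b1) for b0, b1 in zip(blind0, blind1)]
    # step 7: only the enclave removes the mask
    y_clear = enclave.unblind(y_mask)
    # steps 8 and 9
    y_a = soft_vote(y_clear)
    return {"untrusted_view": y_mask, "teacher_preds": y_clear,
            "aggregated": y_a, "noised": add_noise(y_a, d, c)}


if __name__ == "__main__":
    # constructed sample: two teachers, two classes, balanced training distribution
    result = run_framework([[0.9, 0.1], [0.8, 0.2]], d=[0.5, 0.5], c=0.5)
    print("aggregated:", result["aggregated"])
    print("noised:    ", result["noised"])
```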
Table 1 Algorithm 1: execution of the framework (the algorithm listing is an image on the original page and was not extracted)
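The following is an added simulation of steps 1 to 9 above, written for this page; it is not code from the patent or its authors. Several points the page leaves open are assumptions here: shares are additive over the prime field Z_P; each teacher is a linear scorer Y_i = W_i x with integer weights (scores rather than softmax probabilities); the two computing servers evaluate the product of a shared model and a shared input with a Beaver multiplication triple dealt offline, since step 4 does not say how that product is computed; and the step 9 noise is Laplace. All names (run_round, secure_matvec, TEACHERS, QUERY) and the sample teachers and query are constructed for the example.

```python
import math
import random

# Added illustration of steps 1-9, not the patent's own code.  Assumed, because the
# page does not fix them: additive sharing over the prime field Z_P, a linear teacher
# Y_i = W_i x (integer scores, no softmax), a Beaver triple dealt offline for the
# share-of-model times share-of-input product, and Laplace noise in step 9.
P = (1 << 61) - 1            # prime modulus of the sharing field
rng = random.Random(2020)    # seeded so that the run is reproducible

def ewise(f, a, b):
    """Apply f elementwise (mod P) to two equally shaped nested lists or scalars."""
    if isinstance(a, list):
        return [ewise(f, u, v) for u, v in zip(a, b)]
    return f(a, b) % P

def add(a, b):
    return ewise(lambda u, v: u + v, a, b)

def sub(a, b):
    return ewise(lambda u, v: u - v, a, b)

def share(v):
    """Split v (scalar or nested list) into two additive shares with share0 + share1 = v mod P."""
    if isinstance(v, list):
        pairs = [share(e) for e in v]
        return [s0 for s0, _ in pairs], [s1 for _, s1 in pairs]
    r = rng.randrange(P)
    return r, (v - r) % P

def signed(v):
    """Map a field element back to a signed integer (centred representation)."""
    return v - P if v > P // 2 else v

def matvec(M, v):
    return [sum(m * u for m, u in zip(row, v)) % P for row in M]

def beaver_triple(j, d):
    """Offline dealer: shares of (A, B, C) with C = A*B, A a j x d matrix, B a d-vector."""
    A = [[rng.randrange(P) for _ in range(d)] for _ in range(j)]
    B = [rng.randrange(P) for _ in range(d)]
    return share(A), share(B), share(matvec(A, B))

def secure_matvec(w_shares, x_shares, triple):
    """Step 4: S0 and S1 turn shares of W and x into shares of W*x.

    Only E = W - A and F = x - B are opened; A and B are uniform, so E and F reveal nothing.
    """
    (A0, A1), (B0, B1), (C0, C1) = triple
    E = add(sub(w_shares[0], A0), sub(w_shares[1], A1))
    F = add(sub(x_shares[0], B0), sub(x_shares[1], B1))
    # W*x = (A+E)(B+F) = C + A*F + E*B + E*F; the public term E*F is added by S0 only
    y0 = add(add(C0, matvec(A0, F)), add(matvec(E, B0), matvec(E, F)))
    y1 = add(add(C1, matvec(A1, F)), matvec(E, B1))
    return y0, y1

def laplace(scale):
    """One Laplace(0, scale) sample by inverse CDF (assumed noise for step 9)."""
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(max(1.0 - 2.0 * abs(u), 1e-300))

def run_round(models, x, noise_scale=1.0):
    """One query against n teachers; returns the untrusted zone's view and the enclave's outputs."""
    n, j, d = len(models), len(models[0]), len(x)
    # offline (steps 1-2): holders share W_i; the enclave draws mask and splits it into mask0, mask1
    model_shares = [share(W) for W in models]
    mask = [[rng.randrange(P) for _ in range(j)] for _ in range(n)]
    mask0, mask1 = share(mask)
    triples = [beaver_triple(j, d) for _ in range(n)]
    # online (step 3): the client shares x between S0 and S1
    x_shares = share(x)
    untrusted_view = []
    for i in range(n):
        y0, y1 = secure_matvec(model_shares[i], x_shares, triples[i])
        # step 5: each computing server blinds its share with its own mask share
        b0, b1 = add(y0, mask0[i]), add(y1, mask1[i])
        # step 6, untrusted zone: Y_mask = Y_i + mask, which hides Y_i from the host
        untrusted_view.append(add(b0, b1))
    # step 7, enclave: remove the mask
    Y = [[signed(v) for v in sub(ym, mask[i])] for i, ym in enumerate(untrusted_view)]
    # step 8: soft voting, the average of the n teachers' score vectors
    Y_a = [sum(Y[i][k] for i in range(n)) / n for k in range(j)]
    # step 9: noise before the result goes back to the client
    Y_a_noisy = [v + laplace(noise_scale) for v in Y_a]
    return {"untrusted_view": untrusted_view, "Y": Y, "Y_a": Y_a, "Y_a_noisy": Y_a_noisy}

# constructed sample: two teachers, two classes, two input features, one query
TEACHERS = [[[1, 2], [3, 4]], [[0, -1], [2, 2]]]
QUERY = [5, -3]

if __name__ == "__main__":
    out = run_round(TEACHERS, QUERY)
    print("per-teacher Y_i:", out["Y"])      # [[-1, 3], [3, 4]]
    print("soft vote Y_a:", out["Y_a"])      # [1.0, 3.5]
    print("sent to client:", out["Y_a_noisy"])
```

Two properties of the scheme are visible in the run: the aggregation server's untrusted zone only ever reconstructs Y_i + mask, so the host learns nothing about the teacher outputs, and the enclave is the only place where Y_i exists in the clear. A practitioner should also note what the example implies but step 2 does not say explicitly: mask must be fresh for every query, because if the same mask blinds two queries the untrusted zone can subtract the two values of Y_mask and learn the difference of the teacher outputs.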
Example two
This embodiment provides a machine learning security aggregation prediction system supporting bidirectional privacy protection.
The machine learning security aggregation prediction system supporting bidirectional privacy protection comprises a client, computing servers and an aggregation server.
The computing server receives a data share of the data to be predicted sent by the client; the computing server processes the data share to obtain a prediction result share; the computing server blinds the prediction result share to obtain a blinded prediction result share; the computing server sends the blinded prediction result share to the aggregation server; and the aggregation server removes the blinding from the blinded prediction result share, adds noise, and feeds the result back to the client.
In the foregoing embodiments, the descriptions of the embodiments have different emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

(Translated from Chinese)

1. A machine learning security aggregation prediction method supporting bidirectional privacy protection, characterized in that it comprises: a computing server receives a data share of the data to be predicted sent by a client; the computing server processes the data share to obtain a prediction result share; the computing server blinds the prediction result share to obtain a blinded prediction result share; the computing server sends the blinded prediction result share to an aggregation server; and the aggregation server removes the blinding from the blinded prediction result share, adds noise, and feeds the result back to the client.

2. The method of claim 1, characterized in that, before the step in which the computing server receives the data share of the data to be predicted sent by the client, the method further comprises: a model holder divides its locally trained machine learning model into several model shares and sends each model share to the corresponding computing server; and the aggregation server randomly generates a blinding matrix in a trusted zone and sends the blinding matrix to the corresponding computing server.

3. The method of claim 1, characterized in that the step in which the computing server receives the data share of the data to be predicted sent by the client specifically comprises: a first computing server receives a first data share of the data to be predicted sent by the client; and a second computing server receives a second data share of the data to be predicted sent by the client.

4. The method of claim 3, characterized in that the step in which the computing server processes the data share to obtain a prediction result specifically comprises: the first computing server computes a first prediction result based on the first data share; and the second computing server computes a second prediction result based on the second data share.

5. The method of claim 4, characterized in that the step in which the computing server blinds the prediction result share to obtain a blinded prediction result share specifically comprises: the first computing server blinds the first prediction result share to obtain a first blinded prediction result share; and the second computing server blinds the second prediction result share to obtain a second blinded prediction result share.

6. The method of claim 4, characterized in that the step in which the computing server blinds the prediction result share to obtain a blinded prediction result share specifically comprises: the computing server blinds the prediction result share using a blinding matrix to obtain the blinded prediction result share.

7. The method of claim 6, characterized in that the step of obtaining the blinding matrix comprises: the aggregation server randomly generates the blinding matrix in a trusted zone.

8. The method of claim 5, characterized in that the step in which the computing server sends the blinded prediction result share to the aggregation server specifically comprises: the first computing server sends the first blinded prediction result share to the aggregation server; and the second computing server sends the second blinded prediction result share to the aggregation server.

9. The method of claim 8, characterized in that the step in which the aggregation server removes the blinding from the blinded prediction result share, adds noise and feeds the result back to the client specifically comprises: the aggregation server reconstructs, in an untrusted zone, the blinded prediction result from the first blinded prediction result share and the second blinded prediction result share, obtaining a third blinded prediction result share; the aggregation server removes the blinding from the third blinded prediction result share in a trusted zone to obtain an intermediate result; the aggregation server computes an aggregated prediction result based on the intermediate result; and the aggregation server adds noise to the aggregated prediction result and sends the noise-added aggregated prediction result to the client.

10. A machine learning security aggregation prediction system supporting bidirectional privacy protection, characterized in that it comprises a client, computing servers and an aggregation server, wherein: a computing server receives a data share of the data to be predicted sent by the client; the computing server processes the data share to obtain a prediction result share; the computing server blinds the prediction result share to obtain a blinded prediction result share; the computing server sends the blinded prediction result share to the aggregation server; and the aggregation server removes the blinding from the blinded prediction result share, adds noise, and feeds the result back to the client.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202011230255.9A | 2020-11-06 | 2020-11-06 | Method and system for machine learning secure aggregation prediction supporting bidirectional privacy protection (CN112347473B, en)

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN202011230255.9A | 2020-11-06 | 2020-11-06 | Method and system for machine learning secure aggregation prediction supporting bidirectional privacy protection (CN112347473B, en)

Publications (2)

Publication Number | Publication Date
CN112347473A (en) | 2021-02-09
CN112347473B (en) | 2022-07-26

Family

ID=74428562

Family Applications (1)

Application Number | Title | Priority Date | Filing Date | Status
CN202011230255.9A | Method and system for machine learning secure aggregation prediction supporting bidirectional privacy protection (CN112347473B, en) | 2020-11-06 | 2020-11-06 | Active

Country Status (1)

Country | Link
CN (1) | CN112347473B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN106411533A * | 2016-11-10 | 2017-02-15 | Xidian University | Online fingerprint authentication system and method based on bidirectional privacy protection
US20170353855A1 * | 2016-06-02 | 2017-12-07 | The Regents of the University of California | Privacy-preserving stream analytics
CN107509001A * | 2017-08-15 | 2017-12-22 | Beijing Zhixun Innovation Information Technology Co., Ltd. | Method and system for providing a privacy-protected number for express delivery users
US20180373882A1 * | 2017-06-23 | 2018-12-27 | Thijs Veugen | Privacy preserving computation protocol for data analytics
CN109194523A * | 2018-10-01 | 2019-01-11 | Xidian University | Privacy-preserving multi-party diagnostic model fusion method and system, and cloud server
CN110135847A * | 2019-05-22 | 2019-08-16 | Tongji University | Blockchain-based system and method for improving the security of electronic auctions
CN110572253A * | 2019-09-16 | 2019-12-13 | University of Jinan | Method and system for enhancing the privacy of federated learning training data
CN110647765A * | 2019-09-19 | 2020-01-03 | University of Jinan | Privacy protection method and system based on knowledge transfer under a collaborative learning framework
CN111275202A * | 2020-02-20 | 2020-06-12 | University of Jinan | Machine learning prediction method and system for data privacy protection

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
赵川等 (Zhao Chuan et al.): "实用安全两方计算及其在基因组序列比对中的应用" (Practical secure two-party computation and its application to genome sequence alignment), 《密码学报》 (Journal of Cryptologic Research), no. 02, 15 April 2019, pages 197-198 *
邹徐熹等 (Zou Xuxi et al.): "云计算下基于特殊差分方程的(m+1,t+1)门限秘密共享方案" (An (m+1,t+1) threshold secret sharing scheme based on a special difference equation for cloud computing), 《计算机工程》 (Computer Engineering), vol. 43, no. 01, 15 January 2017, pages 9-11 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN113378191A * | 2021-06-01 | 2021-09-10 | Guizhou University | Secure multi-party computation scheme based on information entropy under the semi-honest model
CN114707169A * | 2022-05-06 | 2022-07-05 | Ningbo Artificial Intelligence Institute, Shanghai Jiao Tong University | Input information privacy protection system and method based on secure two-party computation
CN114707169B * | 2022-05-06 | 2025-08-22 | Ningbo Artificial Intelligence Institute, Shanghai Jiao Tong University | System and method for protecting input information privacy based on secure two-party computation
CN115455488A * | 2022-11-15 | 2022-12-09 | Harbin Institute of Technology (Shenzhen) (Shenzhen Institute of Science and Technology Innovation, Harbin Institute of Technology) | Encrypted-state database query method and device based on replicated secret sharing
CN115455488B * | 2022-11-15 | 2023-03-28 | Harbin Institute of Technology (Shenzhen) (Shenzhen Institute of Science and Technology Innovation, Harbin Institute of Technology) | Encrypted-state database query method and device based on replicated secret sharing

Also Published As

Publication number | Publication date
CN112347473B (en) | 2022-07-26

Similar Documents

Publication | Publication Date | Title
Lou et al. Hemet: A homomorphic-encryption-friendly privacy-preserving mobile neural network architecture
Liu et al. Privacy-preserving aggregation in federated learning: A survey
JP7682179B2 Systems and methods for encrypting data and algorithms
Malekzadeh et al. Dopamine: Differentially private federated learning on medical data
EP3475868B1 (en) Privacy-preserving machine learning
Hou et al. Model protection: Real-time privacy-preserving inference service for model privacy at the edge
Joye et al. Private yet efficient decision tree evaluation
US10375070B2 (en) Generating cryptographic function parameters from compact source code
CN110059501B (en) Safe outsourcing machine learning method based on differential privacy
CN112347473A (en) Machine learning security aggregation prediction method and system supporting bidirectional privacy protection
CN111241580A (en) A federated learning method based on a trusted execution environment
US11316665B2 (en) Generating cryptographic function parameters based on an observed astronomical event
Mehnaz et al. A secure sum protocol and its application to privacy-preserving multi-party analytics
Pawar et al. Privacy preserving model-based authentication and data security in cloud computing
US10079675B2 (en) Generating cryptographic function parameters from a puzzle
Ibarrondo et al. Banners: Binarized neural networks with replicated secret sharing
Zhu et al. SecureBiNN: 3-party secure computation for binarized neural network inference
Shen et al. An efficient 3-party framework for privacy-preserving neural network inference
Sedghighadikolaei et al. Privacy-preserving and trustworthy deep learning for medical imaging
Wang et al. Protecting data privacy in federated learning combining differential privacy and weak encryption
CN113849828A (en) Anonymous generation and attestation of processed data
Wu et al. Confidential and verifiable machine learning delegations on the cloud
Singh et al. Security enhancement of the cloud paradigm using a novel optimized crypto mechanism
Khalili et al. Context-aware hybrid encoding for privacy-preserving computation in IoT devices
Sangeetha et al. Design of a novel privacy preservation based cyber security system framework for secure medical data transactions in cloud storage

Legal Events

Date | Code | Title | Description
 | PB01 | Publication |
 | SE01 | Entry into force of request for substantive examination |
 | GR01 | Patent grant |
2022-11-29 | TR01 | Transfer of patent right | Effective date of registration: 2022-11-29. Patentee before: University of Jinan, 250022 No. 336, South Xin Zhuang West Road, Shizhong District, Ji'nan, Shandong. Patentee after: Hangzhou Liang'an Technology Co., Ltd., 311401 Room 1324, 13/F, Building 13, Fuchun Park, Zhigu, China, Yinhu Street, Fuyang District, Hangzhou City, Zhejiang Province
 | CP02 | Change in the address of a patent holder | Patentee: Hangzhou Liang'an Technology Co., Ltd. Address before: 311401 Room 1324, 13/F, Building 13, Fuchun Park, Zhigu, China, Yinhu Street, Fuyang District, Hangzhou City, Zhejiang Province. Address after: 311100 1005-21, Floor 10, Building H, Haichuang Park, CEC Haikang Group Co., Ltd., No. 198, Aicheng Street, Wuchang Street, Yuhang District, Hangzhou City, Zhejiang Province
