Patents by Inventor Wuqiong Pan

Wuqiong Pan has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20250225266
    Abstract: Embodiments of this specification provide methods and apparatuses for multi-party joint data processing to protect data privacy. The method is performed by the ith party, and includes: acquiring two calculation fragments corresponding to the ith party from three calculation fragments obtained by dividing calculation data; determining a first result fragment of a product result of the target data and the calculation data based on the fragment sum value, the specified fragment, and the two calculation fragments, and sending the first result fragment to a next participating party of the ith party; and receiving a second result fragment of the product result from a previous participating party of the ith party, where the second result fragment is determined by the previous participating party based on a fragment sum value and a specified fragment that are held by the previous participating party, and two calculation fragments corresponding to the previous participating party.
    Type: Application
    Filed: August 9, 2023
    Publication date: July 10, 2025
    Inventors: Wuqiong PAN, Haonan FENG, Zhongtian QIAN, Tianyi LI, Yongtao HU
  • Publication number: 20250015971
    Abstract: A computer-implemented method includes obtaining, by each secure multi-party computation (MPC) computation party of n secure MPC computation parties, a first data component sent by a data provider, obtained after the data provider splits to-be-processed data into n data components, and n is an integer not less than 3. M secure MPC computation parties are selected to respectively perform a shuffling operation on respectively held first data components, to obtain a second data component, so as to perform an MPC operation, wherein 1<m<n, and wherein m is a positive integer. Selecting m secure MPC computation parties is cyclically performed to perform a shuffling operation on first data components, until each secure MPC computation party is not selected for at least one time to perform the shuffling operation, where m secure MPC computation parties selected each time are not completely identical.
    Type: Application
    Filed: September 20, 2024
    Publication date: January 9, 2025
    Applicant: ALIPAY (HANGZHOU) INFORMATION TECHNOLOGY CO., LTD.
    Inventors: Tianyi Li, Wuqiong Pan, Tingting Li, Tao Wei
  • Publication number: 20240427836
    Abstract: In an example data processing method, a data processing task is received, which includes a to-be-processed non-polynomial function and to-be-processed data corresponding to an independent variable of the non-polynomial function. A first linear transformation is performed on the to-be-processed data, so that an independent variable value corresponding to data obtained after the first linear transformation falls within a fitting domain of definition. The fitting domain of definition is an interval selected from a domain of definition of the independent variable of the non-polynomial function. A fitting polynomial function value is obtained based on the data obtained after the first linear transformation. The fitting polynomial is obtained by performing Chebyshev series fitting on the non-polynomial function in the fitting domain of definition.
    Type: Application
    Filed: September 4, 2024
    Publication date: December 26, 2024
    Applicant: Alipay (Hangzhou) Information Technology Co., Ltd.
    Inventors: Tianyi Li, Wuqiong Pan, Tingting Li, Tao Wei, Zhongtian Qian
  • Publication number: 20240430081
    Abstract: Data processing methods, apparatuses, and computer-readable media are applied to a system including a data provider and N secure multi-party computation (MPC) computation parties. N is an integer greater than 3. In an example method, each MPC computation party obtains a first data component from a data message sent by the data provider. The first data component is a part of a plurality of data components obtained after the data provider splits private data, and the first data component is a logical component. Then, the first data component is converted from the logical component to an arithmetic component, to obtain a second data component, so as to perform MPC processing.
    Type: Application
    Filed: September 6, 2024
    Publication date: December 26, 2024
    Applicant: Alipay (Hangzhou) Information Technology Co., Ltd.
    Inventors: Zhongtian Qian, Wuqiong Pan, Tao Wei, Tingting Li, Zhenqiang Wei, Tianyi Li
  • Publication number: 20240427937
    Abstract: A computer-implemented method for data processing includes obtaining, by each secure multi-party computation (MPC) computation party of a system including a data provider and n secure MPC computation parties, a data message sent by the data provider, where n is an integer greater than 3. As an obtained data message, a first data component is obtained based on the data message. Each MPC computation party, by using the first data component, performs arithmetic sharing processing to obtain a second data component, so as to perform MPC processing, where n data messages received by the n MPC computation parties include: a data message sent after the data provider splits private data into m data components and m data messages each are used to carry one data component, where m is greater than 1 and is less than or equal to n, and m is a positive integer.
    Type: Application
    Filed: September 6, 2024
    Publication date: December 26, 2024
    Applicant: Alipay (Hangzhou) Information Technology Co., Ltd.
    Inventors: Zhongtian Qian, Wuqiong Pan, Tao Wei, Tingting Li, Zhenqiang Wei, Tianyi Li
  • Publication number: 20240396707
    Abstract: A computer-implemented method for data processing includes obtaining, by each secure multi-party computation (MPC) computation party of a system comprising a data provider and n secure MPC computation parties, a first data component from a data message sent by the data provider, where n is an integer greater than 3, where the first data component is one of a plurality of data components obtained after the data provider splits private data, and where the first data component is an address-geocoded component. Perform MPC processing to obtain a second data component by converting the first data component from the address-geocoded component to a one-hot encoded component.
    Type: Application
    Filed: August 8, 2024
    Publication date: November 28, 2024
    Applicant: Alipay (Hangzhou) Information Technology Co., Ltd.
    Inventors: Zhongtian Qian, Wuqiong Pan, Tao Wei, Tingting Li, Zhenqiang Wei, Tianyi Li
  • Publication number: 20240370578
    Abstract: Data query methods, apparatuses and computer-readable media are described. In an example process of processing, by a third party, a federated data table formed based on data of a plurality of data parties, if related data need to be obtained based on sorting of multiple attribute columns of the data table, when the federated data table is sorted based on attribute values of the attribute columns, a row identifier is introduced for an out-of-order data table obtained by disordering the federated data table, and an index is created based on the row identifier. The row identifier is determined by the third party and exists in a form of ciphertext in an index table. A row identifier of a candidate row can be restored to a plaintext.
    Type: Application
    Filed: July 19, 2024
    Publication date: November 7, 2024
    Applicant: Alipay (Hangzhou) Information Technology Co., Ltd.
    Inventors: Wuqiong Pan, Tao Wei, Tingting Li, Ran Duan, Bei Jin
  • Publication number: 20240137206
    Abstract: Embodiments of this specification provide methods and apparatuses for data privacy protection. An embodiment of the methods comprises receiving, by a first party from a second party, an encrypted integrated vector, determining an encrypted result vector based on the original matrix and the encrypted integrated vector, determining a data processing result based on the encrypted result vector, and sending the data processing result to the second party for the second party to obtain a multiplication calculation result of the original matrix and the n original vectors based on the data processing result.
    Type: Application
    Filed: December 29, 2023
    Publication date: April 25, 2024
    Applicant: Alipay (Hangzhou) Information Technology Co., Ltd.
    Inventors: Wuqiong Pan, Tao Wei, Tingting Li, Zhenqiang Wei, Haonan Feng
  • Publication number: 20240135026
    Abstract: Embodiments of this specification provide multi-party data query methods and apparatuses for data privacy protection. One implementation of the methods includes obtaining, from each of a plurality of data owners, attribute value ciphertexts of N target objects to form a ciphertext table, disordering the ciphertext table in units of rows to obtain a disordered table, sorting, in response to a query instruction of querying sorting-related data for a target attribute item in the plurality of attribute items, attribute value ciphertexts corresponding to the target attribute item in the disordered table to obtain a target sorted table, and obtaining the sorting-related data as a query result based on the target sorted table.
    Type: Application
    Filed: December 29, 2023
    Publication date: April 25, 2024
    Applicant: Alipay (Hangzhou) Information Technology Co., Ltd.
    Inventors: Wuqiong Pan, Tao Wei, Tingting Li, Tianyi Li
  • Publication number: 20240135008
    Abstract: Computer-implemented methods, apparatuses and systems for obtaining data authorization are described. In an example method, a first computing node in a trusted computing center receives an authentication request from a first provider. Authentication information is returned to the first provider, where the authentication information comprises a first code hash of a first computing logic running in the first computing node. A channel establishment request sent by the first provider is received after determining that the first computing node passes trusted authentication and the first code hash passes correctness verification. A first trusted channel is established between the first provider and the first computing node according to the channel establishment request. A target encryption key is received through the first trusted channel, thereby authorization to perform computation on a target encrypted shard corresponding to the target encryption key based on the first computing logic is obtained.
    Type: Application
    Filed: December 29, 2023
    Publication date: April 25, 2024
    Applicant: Alipay (Hangzhou) Information Technology Co., Ltd.
    Inventors: Wuqiong Pan, Tao Wei, Tingting Li, Zhongtian Qian, Tianyi Li, Zhenqiang Wei
  • Patent number: 11240008
    Abstract: A key management method includes: sending, by a security chip of a computer device, a request for obtaining a service key to a key management service; receiving, by the security chip, a service key ciphertext from the key management service, wherein the service key ciphertext is obtained by encrypting the service key by the key management service based on a migration key of the security chip; decrypting, by the security chip, the service key ciphertext based on the migration key to obtain the service key; storing, by the security chip, the service key in the security chip; and providing, by the security chip, the service key to an application program of the computer device when the application program needs to encrypt data based on the service key.
    Type: Grant
    Filed: April 30, 2021
    Date of Patent: February 1, 2022
    Assignee: ADVANCED NEW TECHNOLOGIES CO., LTD.
    Inventor: Wuqiong Pan
  • Patent number: 11163865
    Abstract: A trusted computing method applicable in a computer device, a computer device, and a storage medium are provided. The method comprises: during a startup process of the computer device including first and second trusted computing chips, the first trusted computing chip performing a static measurement on the computer device to obtain a static measurement result, and sending the static measurement result to a verification center; and during operations of the computer device after startup of the computer device, the second trusted computing chip performing a dynamic measurement on the computer device to obtain a dynamic measurement result, and sending the dynamic measurement result and association evidence to the verification center, wherein the association evidence indicates that the first and the second trusted computing chips are disposed in the same computer device, and the verification center associates the two measurement results and verifies the integrity of a software system of the computer device.
    Type: Grant
    Filed: April 30, 2021
    Date of Patent: November 2, 2021
    Assignee: ADVANCED NEW TECHNOLOGIES CO., LTD.
    Inventor: Wuqiong Pan
  • Publication number: 20210256105
    Abstract: A trusted computing method applicable in a computer device, a computer device, and a storage medium are provided. The method comprises: during a startup process of the computer device including first and second trusted computing chips, the first trusted computing chip performing a static measurement on the computer device to obtain a static measurement result, and sending the static measurement result to a verification center; and during operations of the computer device after startup of the computer device, the second trusted computing chip performing a dynamic measurement on the computer device to obtain a dynamic measurement result, and sending the dynamic measurement result and association evidence to the verification center, wherein the association evidence indicates that the first and the second trusted computing chips are disposed in the same computer device, and the verification center associates the two measurement results and verifies the integrity of a software system of the computer device.
    Type: Application
    Filed: April 30, 2021
    Publication date: August 19, 2021
    Inventor: Wuqiong PAN
  • Publication number: 20210258148
    Abstract: A key management method includes: sending, by a security chip of a computer device, a request for obtaining a service key to a key management service; receiving, by the security chip, a service key ciphertext from the key management service, wherein the service key ciphertext is obtained by encrypting the service key by the key management service based on a migration key of the security chip; decrypting, by the security chip, the service key ciphertext based on the migration key to obtain the service key; storing, by the security chip, the service key in the security chip; and providing, by the security chip, the service key to an application program of the computer device when the application program needs to encrypt data based on the service key.
    Type: Application
    Filed: April 30, 2021
    Publication date: August 19, 2021
    Inventor: Wuqiong PAN
  • Patent number: 10944578
    Abstract: A computer-implemented method includes: verifying, by a trusted server, an identity of a first terminal; determining that the verification is a success; based on determining that the verification is a success, determining, using a remote attestation protocol, that the first terminal is in a trusted state; and based on determining that the first terminal is in the trusted state, issuing a digital certificate including a trusted identifier to the first terminal, in which the digital certificate is usable by a second terminal to verify the identity of the first terminal.
    Type: Grant
    Filed: March 6, 2020
    Date of Patent: March 9, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventor: Wuqiong Pan
  • Publication number: 20210028947
    Abstract: A computer-implemented method includes: verifying, by a trusted server, an identity of a first terminal; determining that the verification is a success; based on determining that the verification is a success, determining, using a remote attestation protocol, that the first terminal is in a trusted state; and based on determining that the first terminal is in the trusted state, issuing a digital certificate including a trusted identifier to the first terminal, in which the digital certificate is usable by a second terminal to verify the identity of the first terminal.
    Type: Application
    Filed: March 6, 2020
    Publication date: January 28, 2021
    Applicant: Advanced New Technologies Co., Ltd.
    Inventor: Wuqiong Pan
  • Patent number: 10262130
    Abstract: A system and method for providing cryptographic operation service in a virtualization environment. In the system, a configuration subsystem provides an interface for an administrator and a common user to input information about a virtual cryptographic device. A key file storage subsystem stores a key file and protects it with the protection password. A virtual machine operating subsystem obtains a corresponding key file from the storage subsystem according to the input of the configuration subsystem, creates a virtual device for a guest virtual machine, and finally operates the guest virtual machine to provide cryptographic computing service for the guest virtual machine. Thus the administrator/the common user can specify a key file and input a protection password for a guest virtual machine via the corresponding interface to facilitate the creation of a virtual cryptographic device, and can manage the virtual cryptographic device in a user-friendly and centralized manner.
    Type: Grant
    Filed: October 22, 2015
    Date of Patent: April 16, 2019
    Assignee: DATA ASSURANCE & COMMUNICATION SECURITY CENTER, CHINESE ACADEMY OF SCIENCES
    Inventors: Jingqiang Lin, Kaijie Zhu, Lingchen Zhang, Bo Luo, Quanwei Cai, Congwu Li, Jiwu Jing, Wuqiong Pan
  • Publication number: 20180232519
    Abstract: A system and method for providing cryptographic operation service in a virtualization environment. In the system, a configuration subsystem provides an interface for an administrator and a common user to input information about a virtual cryptographic device. A key file storage subsystem stores a key file and protects it with the protection password. A virtual machine operating subsystem obtains a corresponding key file from the storage subsystem according to the input of the configuration subsystem, creates a virtual device for a guest virtual machine, and finally operates the guest virtual machine to provide cryptographic computing service for the guest virtual machine. Thus the administrator/the common user can specify a key file and input a protection password for a guest virtual machine via the corresponding interface to facilitate the creation of a virtual cryptographic device, and can manage the virtual cryptographic device in a user-friendly and centralized manner.
    Type: Application
    Filed: October 22, 2015
    Publication date: August 16, 2018
    Inventors: Jingqiang Lin, Kaijie Zhu, Lingchen Zhang, Bo Luo, Quanwei Cai, Congwu Li, Jiwu Jing, Wuqiong Pan
  • Patent number: 9819496
    Abstract: The present invention discloses a method and a system for protecting root CA certificates in a virtualization environment. The method installs a root CA certificate security manager on a host computer. The root CA certificate security manager stores the lists of root CA certificates and provides certificate validation service to virtual machines via a read-only interface. When a virtual machine needs the verification of a certificate, it sends a certificate validation service request to the root CA security manager. The root CA certificate security manager provides certificate validation services to the virtual machine in response to the request.
    Type: Grant
    Filed: January 16, 2015
    Date of Patent: November 14, 2017
    Assignees: Institute of Information Engineering, Chinese Academy of Sciences, Data Assurance & Communications Security Center, Chinese Academy of Sciences
    Inventors: Jingqiang Lin, Jiwu Jing, Le Guan, Bingyu Li, Jing Wang, Wuqiong Pan, Yuewu Wang
  • Publication number: 20170295024
    Abstract: The present invention discloses a method and a system for protecting root CA certificates in a virtualization environment. The method installs a root CA certificate security manager on a host computer. The root CA certificate security manager stores the lists of root CA certificates and provides certificate validation service to virtual machines via a read-only interface. When a virtual machine needs the verification of a certificate, it sends a certificate validation service request to the root CA security manager. The root CA certificate security manager provides certificate validation services to the virtual machine in response to the request.
    Type: Application
    Filed: January 16, 2015
    Publication date: October 12, 2017
    Inventors: Jingqiang Lin, Jiwu Jing, Le Guan, Bingyu Li, Jing Wang, Wuqiong Pan, Yuewu Wang