CN116566605A - Method for safely sharing careless data under distributed system - Google Patents

Abstract

The invention discloses an careless data safety sharing method under a distributed system, which designs a data safety sharing protocol supporting load balancing, reduces the calculation cost of each server, supports trace hiding, and realizes the load balancing and the data safety sharing of concurrent servers. Aiming at the problems of overlarge calculation cost and unbalanced server load in distributed data sharing, a matrix transposition idea is introduced, an unintentional sharing matrix with load balancing is constructed, a concurrent data sharing protocol with O (beta/lambda) complexity is provided, the protocol performance is improved, and the safe sharing of concurrent server data is realized. The method can realize careless data sharing more quickly, designs a brand new careless sharing scheme, and can protect the privacy of a data owner, a sender and a receiver.

Description

Inadvertent Data Security Sharing Method in Distributed System

technical field

The invention relates to an inadvertent data security sharing method under a distributed system, and belongs to the field of data security transmission.

Background technique

With the development of information technology, today's society has entered the era of big data. With the continuous deepening of informatization, data sharing has become an important way of data use. Due to the singleness of some user data and the limitation of processing power, data sharing can expand the scale of data and improve the efficiency of data mining. Data sharing has become an important part of smart cities. Distributed data sharing is an important way of data usage. Due to the singleness of some user data and the limitation of processing power, distributed data sharing can expand the scale of data and improve the efficiency of data mining. Distributed data sharing means that many servers located in different locations are linked to each other through the network to form a complete and global logically centralized and physically distributed large-scale server, and the data is stored in the server. server for data sharing. Distributed shared data has the characteristics of complicated sources, huge volume and scattered storage. In the process of sharing data between distributed servers and users, the server can speculate on the key data it accesses according to the user's request, and malicious users may steal other people's data when accessing the server. The privacy of both parties in the communication is at risk of being leaked. Oblivious transfer technology (OT) can better protect the privacy of both parties in the process of data sharing, and it is also an important cryptographic primitive in cryptography. However, if the shared data is directly transferred using oblivious transfer technology, the computation and communication overhead will be very large. At the same time, when data is transmitted between the distributed server and the user, the user can know the source of the data. Furthermore, the information on which server the data is on will be leaked. If a proxy is introduced between the user and the server, and the proxy re-encryption technology is used, the traces of data storage can be hidden. However, comparatively speaking, trace hiding can also be achieved using inadvertent extension techniques between distributed servers and users. Moreover, no agent is introduced in the sharing process, which can reduce computation and communication overhead.

[1]Naor M, Pinkas B. Distributed oblivious transfer[C]//International Conference on the Theory and Application of Cryptology and Information Security. Springer, Berlin, Heidelberg, 2000:205-219.

Naor et al. [1] first proposed the concept of distributed inadvertent transfer, introducing m servers between the sender and the receiver, and using the function secret sharing idea among the m servers, the user selects l from the m servers, and Execute n-choice 1OT protocol with l servers (ie ). However, the concept of distributed oblivious transfer is difficult to achieve fast data sharing, and introduces multiple server entities that only provide the splitting function and do not participate in the sharing process.

[2] Ishai Y, Kilian J, Nissim K, et al. Extending oblivious transfers efficiently [C]//Annual International Cryptology Conference. Springer, Berlin, Heidelberg, 2003: 145-161.

[3]Asharov G, Lindell Y, Schneider T, et al.More efficient oblivious transfer and extensions for faster secure computation[C]//Proceedings of the2013ACM SIGSAC conference on Computer&communications security.2013:535-548.

Ishai et al. [2] proposed the first efficient extension of k base-OT protocols to n OT protocols (k<<n), which is a secure OT extension protocol under the semi-honest hand model. However, Asharov et al. [3] found through experiments that IKNP [2] consumes 42% of the computational overhead on matrix transposition. They constructed a new OT scheme under the standard model, that is, using 2×2 matrix to m×n The matrix is transposed to reduce the computational complexity of m×n matrix transposition from O(mk) to O(m/rlogk), where r is the CPU register size. However, if the above two inadvertent transfer protocols are directly applied to a distributed environment (the distributed scenario we consider means that data is stored in different servers, and users need to obtain data from the server), there will be two problems. The first problem is that distributed servers need to jointly generate OT auxiliary parameters. If one server generates and broadcasts to other servers, it will cause load imbalance. The second problem is that the above protocol only supports users to obtain m data from m pairs of data, that is, the data acquisition lacks flexibility.

To sum up, the existing results have problems such as easy disclosure of privacy, traceable storage traces, and excessive sharing complexity, and are not suitable for distributed data security sharing scenarios. Therefore, building a distributed data security sharing scheme that supports privacy protection is a problem that needs to be solved at present.

Contents of the invention

The present invention provides a solution to the problems disclosed in the background art.

In order to solve the problems of the technologies described above, the technical solution adopted in the present invention is:

Inadvertent data security sharing method in distributed system:

Multiple servers form a distributed server system, and the data is encrypted and stored in servers in different locations;

The s servers in the distributed server system generate a session matrix;

Each of the s servers owns part of the session matrix as a sub-session key;

Use the pre-built inadvertently shared communication model to interact, so that each of the s servers can obtain the remaining s-1 sub-session keys, and generate group session keys and message verification codes;

The session key and message verification code are encrypted and transmitted to the user;

The user decrypts the group session key through the message verification code to obtain data.

Further, the data encryption process is:

The data of the data owner is expressed as data set m _i ={tresbps||chol||fbs||...||dia _i }; using the access strategy The public key sk _p and the access control encryption algorithm encrypt the data set for the first time, expressed as ; Then, label the data as public /> get data/> upload data/> To the server S _l where the data owner is located, the distributed server generates a symmetric key _ki for each data, and uses the symmetric encryption algorithm to encrypt the data in the second round, expressed as />

Further, the generation process of group session key and message verification code is:

Determine the corresponding selection relationship between each distributed server and the column of matrix B, and each server /> execute at least In the second 1-2-OT protocol, the server selects columns from the matrix B or matrix B' according to the string a to generate s' matrix Q_l; each server has some columns of the matrix Q; using the equation p=(τmod s )+1 to determine that the τ-th column is stored in the p-th server; the string q corresponding to the τ-th bit of the matrix B/B' is stored in the τ-th bit of the server p; then, each server executes according to the corresponding selection relationship The 1-2-OT algorithm selects columns from the matrix B to generate s' matrices Q_l; among them, the strings are not randomly stored in the server p to ensure that the server can accurately generate the matrix Q after performing data exchange, and the matrix Q is inadvertent data sharing matrix;

Each distributed server has at least The columns of the matrix Q, and the columns of each server are different, S' servers generate the shared matrix Q of the group through two rounds of interaction, and the shared matrix Q is regarded as the group session key;

Each server already has a matrix Q _l , where Q _l is composed of two parts, the matrix Q obtained after the server executes the OT algorithm and the remaining columns filled with 0, the matrix Q _l is used as the server s in the key negotiation process The sub-key of _l , and finally participate in the formation of the group conversation matrix Q generated among all servers; first, each server executes GenSign() to generate the group signature σ _l , at the same time, calculate where /> is a randomly selected parameter; secondly, according to the LBSM structure, determine the N groups in the first round; the server calculates and sends (/> Q _l , CFD _l , σ _l ) to servers in the same subgroup; when each server receives M pieces of information, it calls the signature verification algorithm VerSign() to verify the validity of the information; the server calculates Finally, after the verification is passed, the conversion matrix /> The subscript (i,j)=l, the server computing pair ∨i∈N in the subgroup,/> Servers in each subgroup get the same matrix /> , matrix /> will be used for the second round of key negotiation; in addition, to detect malicious users, the servers in the subgroup compute

In the first round, servers in the same subgroup have the same matrix ;According to the LBSM structure, determine the M groups in the second round, calculate and send to each server in the same subgroup (/> ,C _i ,σ _l ) to other servers; when each server receives N pieces of information, it runs the Versign() algorithm to verify the validity of the information; then, each server calculates /> If authentication succeeds, servers in the same subgroup compute /> Meanwhile, the server calculates /> Each server gets the inadvertent sharing matrix Q and the value used to detect malicious users />

Further, the process of encrypting the session key and message verification code is:

Input: the sender S, the server, has n data (de ₁ , d ₂ ,…,d _n ), the length of each data is β-bit, and these data have the same label, the receiver R, the user, Generate a request r=(r ₁ ,r ₂ ,…,r _n ), where r _i ∈{0,1}, the rule for r is:

Output: the selected data obtained by R (d ₁ ,d ₂ ,…,d _k );

Each group server S _l initializes a string with a length of k-bit; each server randomly generates characters in the selected column position, and supplements the remaining positions with 0 characters; R randomly selects two k×k matrices B and B', calculate x _j =G(b _j ), generate m×kbits matrix X=[x ₁ ||x ₂ ||...||x _k ], and then calculate Where b _j and b _j 'represent the columns (j∈[k]) of matrix B and matrix B' respectively, and R sends u _j to server S _l respectively according to the corresponding selection relationship;

2) Execute k times between S _l and R Algorithm, select the column b _j or column b _j ′ of the seed matrix B or matrix B' according to the string a; at this moment, S and R exchange identities, and the user is the sender /> , the server as receiver /> Input matrix B and matrix B'; each server /> Input the corresponding string a _s1 , /> calculation /> set column Get the matrix Q _l of each server's own m×kbits = [q _l,1 ||q _l,2 ||...||q _l,k ];

Call the inadvertent sharing communication algorithm between S _l and R to generate the inadvertent sharing matrix ; For each 1≤j≤k, set m×kbits matrix /> It is known through calculation that the relationship between q _j and a _j satisfies the formula:

The server S _l selects the matrix according to the serial number of the stored data For row i, calculate i∈[n]; server S _l chooses randomly /> ξ _i ∈ G, calculate Then, calculate /> send /> For R, R calculates /> then calculate /> Get the correct auxiliary parameter /> ; server exploit /> Encrypt the symmetric key />

Further, the process for the user to decrypt the group session key to obtain data through the message verification code is:

The user uses the matrix B to decrypt the ciphertext CT _i ′ for the first time with the CR ^key , namely Then, use the access control policy to decrypt the ciphertext for the second time, that is, The end user gets the requested pair of k data from n data.

Correspondingly, a computer-readable storage medium storing one or more programs, the one or more programs including instructions, the instructions, when executed by a computing device, cause the computing device to perform the either method.

Accordingly, a computing device comprising:

one or more processors, one or more memories, and one or more programs, wherein the one or more programs are stored in the one or more memories and configured to be executed by the one or more processors, The one or more programs include instructions for performing any one of the above-mentioned methods.

The beneficial effect that the present invention reaches:

1. The present invention can implement a distributed inadvertent sharing scheme that supports privacy protection.

In the present invention, in order to realize inadvertent data sharing more quickly, a brand-new inadvertent sharing scheme is designed, which can protect the privacy of the data owner, sender and receiver.

2. The present invention innovatively constructs the inadvertent sharing matrix:

In the present invention, based on this, a data security sharing protocol supporting load balancing is designed, and while reducing the computing cost of each server, it supports trace hiding, and realizes concurrent server load balancing and data security sharing. Aiming at the problems of excessive computing overhead and unbalanced server load in distributed data sharing, the idea of matrix transposition is introduced to construct a load-balanced inadvertent sharing matrix, and a concurrent data sharing protocol with O(β/λ) complexity is proposed to improve protocol performance , to achieve concurrent server data security sharing.

Description of drawings

Fig. 1 is a schematic flow sheet of the present invention;

Fig. 2 is an example of a spiral matrix structure in the present invention;

FIG. 3 is a schematic diagram of a key agreement process.

Detailed ways

The present invention will be further described below in conjunction with the accompanying drawings. The following examples are only used to illustrate the technical solution of the present invention more clearly, but not to limit the protection scope of the present invention.

As shown in Figure 1, the present invention is in a distributed system, where interacting parties (such as servers and users) wish to share data without compromising privacy. Taking smart healthcare as an example, assume a practical scenario. Servers in multiple hospitals form a distributed server system. A patient visits multiple hospitals, and his pathological data are distributed and stored in servers in different locations. The doctor uses the data tag to query the requested data from the distributed server system. It is worth noting that what the OT protocol transmits in this paper is not the patient's medical data, but the key used to encrypt the medical data. In the process of data sharing, doctors send requests containing keywords to s servers, and s servers return n pieces of data to users. During this process, in order to achieve inadvertent data sharing, a group of s servers in a distributed system need to generate a session matrix as an auxiliary parameter of the OT protocol. Each server owns a portion of the matrix to be shared as a subsession key. After the interaction, each server obtains the remaining s-1 sub-session keys, and generates a group conversation matrix and a message verification code. The session key negotiated by multiple servers (this paper is a matrix) provides security for the operation of the OT protocol, and also prevents a single server from broadcasting the session key. In particular, it achieves server load balancing and decentralization of distributed systems. Moreover, exploiting the structural features of the proposed LBSM in inadvertent data sharing can effectively identify malicious servers.

The present invention is mainly divided into four parts, which are the encryption stage, the inadvertently shared communication model, the data transmission stage and the decryption stage.

Take the data information retrieved by a doctor from a patient's medical record as an example:

1. Data encryption stage

The patient's data and diagnostic records are denoted by the data owner as data set m _i ={tresbps||chol||fbs||...||diai}. access policy , public key sk _p and access control encryption algorithm to encrypt the data set for the first time, denoted as /> Then, label the data publicly upload data/> to the server S _l where the data owner resides. Finally, the distributed server generates a symmetric key _ki for each data, and uses the symmetric encryption algorithm to encrypt the data in the second round, expressed as />

2. Inadvertently share communication models and algorithms

The group key agreement phase uses the oblivious sharing communication model to generate the oblivious sharing matrix, which will be used to generate the ciphertext that can transmit the symmetric key.

1) Determine the corresponding selection relationship between each distributed server and the columns of matrix B. in particular, and each server /> execute at least /> In the second 1-2-OT protocol, the server needs to select columns from matrix B or matrix B' according to string a to generate s' matrix Q_l. Then, the need of each distributed server to perform the OT algorithm on which column of matrix B and matrix B' is determined. In other words, each server has some columns of matrix Q. Use the equation p=(τmod s)+1 to determine that the τ-th column is stored in the p-th server. The character string q corresponding to the τth position of the matrix B/B' will be stored in the τth position of the server p. Subsequently, each server executes the 1-2-OT algorithm according to the corresponding selection relationship, selects columns from the matrix B, and generates s' matrices Q_l. Note that strings cannot be randomly stored in server p, in order to ensure that the server can accurately generate matrix Q after performing data exchange.

2) Generate the inadvertent data sharing matrix Q. Using the LBSM communication model, the distributed servers go through two rounds of matrix interaction, and finally each server obtains the matrix Q. Specifically, after executing Step2, each distributed server has at least The columns of a matrix Q are different for each server. S' servers generate a group sharing matrix Q (which can be regarded as a session key) through two rounds of interaction.

3)-Round 1:--The encryption method of the sending matrix Q is based on the DL difficulty problem. Round 1: Each server (including virtual servers) already has a matrix Q _l . Among them, Q _l is composed of two parts, some columns of the matrix Q obtained after the server executes the OT algorithm and the remaining columns filled with 0. The matrix Q _l is used as the sub-key of the server s _l during the key negotiation process, and finally participates in forming the group conversation matrix Q generated between all servers. First, each server executes GenSign() to generate a group signature σ _l . At the same time, calculate where /> are randomly selected parameters. Second, according to the LBSM structure, determine the N groups of the first round. The server calculates and sends /> For servers in the same subgroup. When each server receives M pieces of information, they call the signature verification algorithm VerSign() to verify the validity of the information. server computing/> Finally, after the verification is passed, the conversion matrix /> The subscript (i,j)=l, the server computing pair ∨i∈N in the subgroup,/> Servers in each subgroup get the same matrix /> matrix /> Will be used for the second round of key negotiation. Additionally, to detect malicious users, servers in subgroups compute

4)-Round 2: In the first round, servers in the same subgroup have the same matrix According to the LBSM structure, M groups for the second round are determined. Compute and send /> to each server in the subgroup to other servers. When each server receives N pieces of information, they run the Versign() algorithm to verify the validity of the information. Subsequently, each server computes the /> If authentication succeeds, the servers in the same subgroup compute Meanwhile, the server calculates /> Each server gets inadvertently shared matrix /> and a value for detecting malicious users />

5) Example: Assume that there are 16 servers in the distributed server network, and user u's 10 ciphertexts about {Tag1=heart disease} are distributedly stored in 4 of the 16 servers. Let the data length be 6 bits. When the doctor sends a data request to the server, the distributed system executes the DOT and GKA algorithms. First, all servers determine the server to which the data belongs according to the tag (u,Tag ₁ ). The server S _gm determines the group members (S ₁ -S ₄ ), and runs Algorithm 3 to calculate the number of empty servers that need to be supplemented (S _empt =0). Second, the server S _gm uses Algorithm 2 to construct the optimal LBSM structure (N=2, M=2). Thirdly, the doctor as the sender owns the matrix B and the matrix B', and the group server obtains the data as the receiver. The server S _gm uses Algorithm 4 to determine the sequence number that each group server should receive matrix data. Then execute the 1-2-OT algorithm between the sender and the receiver to obtain the matrix Q _l . Finally, the group servers use the LBSM structure to perform two rounds of interaction, so that each server can obtain the inadvertently shared matrix Figure 3 shows the process of four servers executing the GKA stage.

3. Data transmission stage

Input: The sender (S, the server) has n data (d ₁ ,d ₂ ,…,d _n ), the length of each data is β-bit, and these data have the same label. The receiver (R, ie user) generates a request r=(r ₁ ,r ₂ ,...,r _n ), where r _i ∈{0,1}. The rule for r is

Output: R outputs the selected data (d ₁ , d ₂ , . . . , d _k ) that can be obtained.

1) Each group server S _l initializes a character string with a length of k-bit. According to the corresponding selection relationship of Algorithm 4, each server randomly generates characters in the selected column position, and supplements the remaining positions with 0 characters.

R randomly selects two k×k matrices B and B′, calculates x _j =G(b _j ), and generates an m×kbits matrix X=[x ₁ ||x ₂ ||...||x _k ]. Then calculate where _bj and _bj ' denote the columns (j∈[k]) of matrix B and matrix B', respectively. R sends u _j to server S _l respectively according to the corresponding selection relationship. 2) Execute k times between S _l and R /> Algorithm, select column b _j or column b _j ′ of seed matrix B or matrix B' according to character string a. At this moment, S and R exchange identities, and the user is the sender /> , the server as receiver /> . /> Input two matrices B and B'. per server /> Enter his string a _s1 . /> calculate set column /> Obtain each server's own matrix Q _l of m×kbits = [q _l,1 ||q _l,2 ||...||q _l,k ].

3) Call the inadvertent sharing communication algorithm between S _l and R to generate the inadvertent sharing matrix . For each 1≤j≤k, set a matrix of m×kbits /> It can be known by calculation that the relationship between q _j and a _j satisfies the formula

4) Commitment stage: server _S1 selects the matrix according to the serial number of the stored data For row i, calculate i∈[n]. Server S _l chooses randomly /> ξ _i ∈ G, calculate Then, calculate /> send /> to R. R calculation /> then calculate /> Get the correct auxiliary parameter /> . server use/> Encrypt the symmetric key />

4. Data decryption stage

The user uses the matrix B to decrypt the ciphertext CT _i ′ for the first time with the CT ^key , namely Then, use the access control policy to decrypt the ciphertext for the second time, that is, The end user obtains the requested pair of k data from the n data, realizes data security sharing, and protects the privacy of the data owner, sender and receiver.

The present invention mainly accomplishes the following tasks.

A privacy-preserving distributed oblivious sharing framework is designed. The framework is based on an OT extension between client and server and a load balancing spiral matrix (LBSM) between s distributed servers to determine the communication between users and servers. In particular, this framework protects the privacy of the sender (server) and receiver (user). Specifically, the receiver can only export the data requested by k, without other n-k data, and the sender has no way of knowing the data requested by the receiver. Furthermore, s servers can form groups to efficiently share a casual shared matrix and authenticate each other by performing key agreement.

A distributed oblivious sharing protocol (DOS- ). DOS-/> Agreement, mainly completed ×/> , implemented in a distributed server system, hides traces of stored data without invoking proxies. The protocol uses s-servers to process the n × β bit matrix in order to share it. By adding a commitment phase, we improve the security of semi-honest receivers against DOS-/> Security for malicious recipients. Experimental results show that when k is much smaller than n, the overhead of the oblivious data sharing scheme is not affected by n and is positively correlated with k. if /> The lower the number of executions (k) of the protocol, the lower the overhead of the scheme. In the present invention, the oblivious data-sharing protocol can be instantiated with different parameters, allowing us to trade off computational communication. where β represents the number of bits of the key, that is, the columns of the n×β sharing matrix. n represents the total amount of data that the user has in the distributed server. k represents the amount of data the user wants to access. s represents the number of servers in a distributed environment.

Build a load-balancing spiral matrix to share data and detect malicious servers. We provide two algorithms for spiral matrix structure construction. In addition, this paper proposes an optimal solution algorithm based on the LBSM construction based on the number of distributed servers. Assuming N = M, the total number of server interactions in LBSM is Where s=N*M holds true. The communication complexity of LBSM is N represents the number of rows of the spiral matrix, and M represents the number of columns of the spiral matrix. The specific structure and example of the spiral matrix are shown in Figure 2.

A computer-readable storage medium storing one or more programs, the one or more programs including instructions that, when executed by a computing device, cause the computing device to execute a method for inadvertent data security sharing under a distributed system .

A computing device comprising one or more processors, one or more memories, and one or more programs, wherein the one or more programs are stored in the one or more memories and configured to be executed by the one or more Executed by a plurality of processors, the one or more programs include instructions for executing the method for unintentional data security sharing in a distributed system.

Those skilled in the art should understand that the embodiments of the present invention may be provided as methods, systems, or computer program products. Accordingly, the present invention can take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.

The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It should be understood that each procedure and/or block in the flowchart and/or block diagram, and a combination of procedures and/or blocks in the flowchart and/or block diagram can be realized by computer program instructions. These computer program instructions may be provided to a general purpose computer, special purpose computer, embedded processor, or processor of other programmable data processing equipment to produce a machine such that the instructions executed by the processor of the computer or other programmable data processing equipment produce a An apparatus for realizing the functions specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means, the instructions The device realizes the function specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions can also be loaded onto a computer or other programmable data processing device, causing a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process, thereby The instructions provide steps for implementing the functions specified in the flow chart or blocks of the flowchart and/or the block or blocks of the block diagrams.

The above is only an embodiment of the present invention, and is not intended to limit the present invention. Any modifications, equivalent replacements, improvements, etc. made within the spirit and principles of the present invention are included in the pending application of the present invention. within the scope of the claims.

Claims (7)

1. Inadvertent data security sharing method under distributed system, characterized in that: Multiple servers form a distributed server system, and the data is encrypted and stored in servers in different locations; The s servers in the distributed server system generate a session matrix; Each of the s servers owns part of the session matrix as a sub-session key; Use the pre-built inadvertently shared communication model to interact, so that each of the s servers can obtain the remaining s-1 sub-session keys, and generate group session keys and message verification codes; The session key and message verification code are encrypted and transmitted to the user; The user decrypts the group session key through the message verification code to obtain data. 2. The inadvertent data security sharing method under the distributed system according to claim 1, characterized in that: the process of said data encryption is: The data of the data owner is expressed as data set m _i ={tresbps||chol||fbs||...||dia _i }; using the access strategy The public key sk _p and the access control encryption algorithm encrypt the data set for the first time, expressed as Then, label the data as public /> get data/> upload data/> To the server S _l where the data owner is located, the distributed server generates a symmetric key _ki for each data, and uses the symmetric encryption algorithm to encrypt the data in the second round, expressed as /> 3. The casual data security sharing method under the distributed system according to claim 1, characterized in that: the generation process of the group session secret key and the message verification code is: Determine the corresponding selection relationship between each distributed server and the column of matrix B, and each server /> execute at least /> In the second 1-2-OT protocol, the server selects columns from matrix B or matrix B' according to string a, and generates s' matrix Q_l; each server has some columns of matrix Q; using the equation p=(τ mod s)+1 determines that the τ-th column is stored in the p-th server; the string q corresponding to the τ-th bit of the matrix B/B' is stored in the τ-th bit of the server p; then, each server selects according to the corresponding relationship, Execute the 1-2-OT algorithm, select columns from the matrix B, and generate s' matrix Q_l; among them, the strings are not randomly stored in the server p, so as to ensure that the server can accurately generate the matrix Q after performing data exchange, and the matrix Q is inadvertent data sharing matrix; Each distributed server has at least The columns of the matrix Q, and the columns of each server are different, S' servers generate the shared matrix Q of the group through two rounds of interaction, and the shared matrix Q is regarded as the group session key; Each server already has a matrix Q _l , where Q _l is composed of two parts, the matrix Q obtained after the server executes the 0T algorithm and the remaining columns filled with 0, the matrix Q _l is used as the server s in the key negotiation process The sub-key of _l , and finally participate in the formation of the group conversation matrix Q generated among all servers; first, each server executes GenSign() to generate the group signature σ _l , at the same time, calculate where /> is a randomly selected parameter; secondly, according to the LBSM structure, determine the N groups in the first round; the server calculates and sends /> For servers in the same subgroup; when each server receives M pieces of information, it calls the signature verification algorithm VerSign() to verify the validity of the information; the server calculates Finally, after the verification is passed, the conversion matrix /> The subscript (f, j) = l, the server computing pair Vi∈N in the subgroup, /> Servers in each subgroup get the same matrix /> matrix /> will be used for the second round of key negotiation; in addition, to detect malicious users, the servers in the subgroup compute In the first round, servers in the same subgroup have the same matrix According to the LBSM structure, determine the M groups in the second round, calculate and send to each server in the same subgroup to other servers; when each server receives N pieces of information, run the Versign() algorithm to verify the validity of the information; then, each server calculates /> If authentication succeeds, servers in the same subgroup compute /> Meanwhile, the server calculates /> Each server gets inadvertently shared matrix /> and a value for detecting malicious users /> 4. The inadvertent data security sharing method under the distributed system according to claim 1, characterized in that: the process of session key and message authentication code encryption is: Input: the sender S, namely the server, has n data (d ₁ , d ₂ , ..., d _n ), the length of each data is β-bit, and these data have the same label, and the receiver R, namely User, generate a request r = (r ₁ , r ₂ , ..., r _n ), where r _i ∈ {0, 1}, the rule for r is: Output: selected data (d ₁ , d ₂ , . . . , d _k ) obtained by R; Each group server S _l initializes a string with a length of k-bit; each server randomly generates characters in the selected column position, and supplements the remaining positions with 0 characters; R randomly selects two k×k matrices B and B′, calculate x _j =G(b _j ), generate a matrix of m×k bits X=[x ₁ ||x ₂ ||...||x _k ], and then calculate Where b _j and b _j 'represent the columns (j∈[k]) of matrix B and matrix B' respectively, and R sends u _j to server S _l respectively according to the corresponding selection relationship; 2) Execute k times between S _l and R Algorithm, select the column b _j or column b _j ′ of the seed matrix B or matrix B' according to the string a; at this moment, S and R exchange identities, and the user is the sender /> server as receiver /> Input matrix B and matrix B'; each server /> Input the corresponding string a _s1 , /> calculation /> set column /> Get the matrix Q _l of each server's own m×k bits = [q _{l, 1} ||q _{l, 2} ||...||q _{l, k} ]; Call the inadvertent sharing communication algorithm between S _l and R to generate the inadvertent sharing matrix For each 1≤j≤k, set a matrix of m×k bits /> It is known through calculation that the relationship between q _j and a _j satisfies the formula: The server S _l selects the matrix according to the serial number of the stored data For row i, calculate Server S _l chooses randomly /> ξ _i ∈ G, calculate Then, calculate /> send /> For R, R calculates /> then calculate /> Get the correct auxiliary parameter /> server use/> Encrypt the symmetric key /> 5. The inadvertent data security sharing method under the distributed system according to claim 4, characterized in that: the process for the user to decrypt the group session key to obtain data through the message verification code is: The user uses the matrix B to decrypt the ciphertext CT _i ′ for the first time with the CT ^key , namely Then, use the access control policy to decrypt the ciphertext for the second time, that is, /> The end user gets the requested pair of k data from n data. 6. A computer-readable storage medium storing one or more programs, wherein the one or more programs comprise instructions which, when executed by a computing device, cause the computing device to perform the Any one of the methods described in 1 to 5. 7. A computing device, comprising: one or more processors, one or more memories, and one or more programs, wherein the one or more programs are stored in the one or more memories and configured to be executed by the one or more processors, The one or more programs include instructions for performing any of the methods according to claims 1-5.