A secure multi-party computation protocol without CRS supporting multi-bit encryption

To address problems in existing fully homomorphic encryption (FHE)-based secure multi-party computation (SMC) protocols, such as low efficiency, the public-key generation of an FHE scheme that supports multi-bit encryption was modified so that users can generate their public keys independently, without a common random string (CRS) matrix. On this basis, a multi-bit Gentry-Sahai-Waters (MGSW) scheme without CRS was constructed. A modified LinkAlgo algorithm was adopted to expand the single-key ciphertext into a multi-key ciphertext and to simplify the way the expanded ciphertext is generated. In this way, a multi-key FHE (MFHE) scheme was obtained from the MGSW scheme. Finally, a three-round SMC protocol without CRS was constructed using the MFHE scheme and the decisional learning with errors (DLWE) assumption; it is secure in the semi-malicious model. Compared to existing protocols, the proposed protocol supports multi-bit encryption, has a smaller ciphertext size and lower storage overhead, and generates the expanded ciphertext in a simpler way. Its overall performance is better than that of existing protocols.


Introduction
Secure Multi-party Computation (SMC), a method proposed by Yao [1], can securely compute a function without disclosing the parties' data. Each party obtains its result but has no access to the others' data. SMC can now be built from several constructors, including verifiable secret sharing [2], oblivious transfer [3], mix and match [4] and homomorphic encryption [5][6][7]. Devised by Rivest et al. [8] in 1978, Fully Homomorphic Encryption (FHE) allows computation to be carried out directly on the ciphertext, so that the result decrypts to the same computation applied to the plaintext, namely, f(Enc(m)) = Enc(f(m)). Due to this unique feature, FHE has displayed great potential among all constructors of SMC protocols, and has attracted growing attention over time. Since the launch of an FHE scheme by Gentry [9] in 2009, a wealth of similar schemes have emerged, including DGHV10 [10], BV11 [11], BGV12 [12], Bra12 [13], GSW13 [14], BV14 [15], CM15 [5], and NK15 [16]. Meanwhile, scholars in China and abroad have also extensively investigated FHE-based SMC protocols.
In 2012, López-Alt et al. [17] put forward the concept of multi-key fully homomorphic encryption (MFHE) for the first time, and made use of NTRU [18] to construct the first MFHE scheme. Therefore, an MFHE-based SMC protocol could be naturally created. Later, a lot of MFHE-based SMC protocols were constantly designed and improved. In 2016, Mukherjee et al. [6] established a two-round SMC protocol that achieved the best two-round interactions based on the GSW scheme, and proved that this scheme was secure in the malicious environment. The protocol needed to choose a common random string (CRS) matrix during the generation of a key, which undermined each user's ability to generate their key independently. In the meantime, cascading and masking operations were added to the scheme, leading to a considerable volume of ciphertext matrix. Vijayakumar P et al. [19] proposed an efficient group key management technique that reduces the computational complexity without increasing the high storage complexity, thereby providing secure group communication in P2P networks. In the same year, a two-factor authentication scheme and a two-group key management scheme [20] were proposed to improve the security of vehicles communicating with a vehicle-mounted ad hoc network (VANET) environment. Audithan S et al. [21] proposed an anonymous authentication scheme to authenticate users, which is not easy to be maliciously accessed by attackers, and protects data transmitted in Internet business applications through mobile agents. In 2017, by increasing a new round of interaction and taking advantage of key homomorphism and threshold decryption, Wang Huiyong et al. [22] designed a simple three-round GSW-based SMC protocol with CRS, whose security was based on the Some-are-errorless LWE assumption, a variant of the LWE assumption.
In this protocol, although a new round was added, the homomorphic computation depth and NAND gate complexity were reduced, and its overall efficiency was optimized compared to the MW16 scheme [6]. In 2018, Kim et al. [23] proposed the LinkAlgo algorithm to expand a single-key ciphertext into a multi-key one, and constructed for the first time a three-round SMC protocol without CRS that did not rely on a CRS matrix during the generation of a public key, allowing every user to generate their own public keys independently. This protocol met the multi-key CPA security requirements and could resist the attack of a semi-malicious adversary, but it was still slightly inferior to the protocol with CRS in terms of security and failed to prove that it was still secure in the malicious environment. In 2020, by employing the tool matrix and the encoding operations offered by Li Zengpeng [24] to improve the ciphertext expansion way of the KLP18 scheme [23], Tang Chunming et al. [25] built a three-round SMC protocol without CRS that outperformed the KLP18 scheme in efficiency, memory, and noise decryption, but it was only proven to be secure in the semi-malicious environment, as well. Dheerendra Mishra et al. [26] built a mutual authentication and key agreement scheme for mobile edge computing without the participation of trusted third parties, ensuring mutual authentication between users and edge servers and generating secure session keys. Vinoth R et al. [27] proposed a secure multi-factor authentication key agreement scheme for the Industrial Internet of Things (IIoT) to enable authorized users to remotely access sensing devices, effectively reducing communication during the authentication key agreement process and computational costs. In 2021, by referring to the multi-bit encryption scheme provided by Li Zengpeng, Tang Chunming et al. 
[28] pioneered a three-round SMC protocol with CRS that supports multi-bit encryption, whose security was based on the Ferr-LWE assumption and the Some-are-errorless LWE assumption, making it possible to resist the attack of an adversary in the malicious environment. In the same year, based on the multi-bit encryption scheme proposed by Li Zengpeng [24], Li Xixi et al. [29] modified his encryption algorithm and used the LinkAlgo algorithm to build a multi-bit multi-key FHE mechanism without CRS. Xia X et al. [30] proposed a cloud-assisted trustworthiness assessment mechanism and an efficient anonymous authentication and key agreement scheme based on non-interactive zero-knowledge to ensure privacy protection and data security of IoT devices in smart cities.
It can be seen from the above work that current FHE-based SMC protocols fall into two groups: those with CRS and those without. An SMC protocol with CRS offers higher security, and can be proven secure in the malicious environment by using the non-commutative zero-knowledge proof. Still, it needs to choose a CRS matrix during the parameter setting phase, and all users are required to generate their keys with the help of this matrix, which dramatically limits the users' ability to generate keys independently. In contrast, an SMC protocol without CRS lets all users generate their keys independently, eliminating the need for a trusted organization to distribute the CRS matrix. Nevertheless, the existing SMC protocols without CRS are still generally plagued by overly large ciphertexts, heavy memory use and low efficiency.

Objectives
To solve the problems of low efficiency of existing protocols, this paper converted the scheme of Chen Li et al. [31] into a multi-bit FHE scheme and constructed a multi-key homomorphic encryption scheme using the LinkAlgo algorithm. Finally, a three-round SMC protocol without CRS was designed to outperform all existing protocols in ciphertext size and storage overhead.

Description of symbols
In this study, bold lowercase letters represent vectors, while bold capital letters refer to matrices. $\mathbb{Z}$, $\mathbb{R}$, and $\mathbb{Z}_q$ refer to the set of integers, the set of real numbers, and the residue class ring of the integer modulo $q$. The length of the $n$-dimensional vector $a$ is defined as its Euclidean norm $\|a\| = \sqrt{\sum_{i=0}^{n-1} a_i^2}$; the length of the vector set $S$ is defined as $\|S\| = \max_{a \in S} \|a\|$. $a \leftarrow D$ means that the variable $a$ is randomly chosen from the Probability Distribution $D$; $a \xleftarrow{R} A$ means that the variable $a$ is randomly and evenly chosen from the set $A$. The vector $a \in \mathbb{Z}_q^n$ can be expressed as $a = (a_0, \cdots, a_{n-1})$; the polynomial $b \in R_q$ can be written as $b = (b_0, \cdots, b_{n-1})$. $c_i$ refers to the $i$th row of the matrix $C$; $I_n$ represents the $n$-dimensional identity matrix; φ(y) means the probability Pr[y�x|y~N(0,1)]. Unless otherwise specified, $\log n$ refers to $\log_2 n$.
$O$ and $o$ suggest the computational complexity; also, for $\mathrm{poly}(\cdot)$ and $\mathrm{negl}(\cdot)$, if $f(n) = O(n^c)$, $f(n)$ can be expressed as $\mathrm{poly}(n)$. If $f(n) = o(n^{-c})$ holds for any constant $c$, $f(n)$ can be expressed as $\mathrm{negl}(n)$, where n is a negligible function.

Definitions and theorems
Definition 1 [32] (LWE distribution): Define a secret vector $s \in \mathbb{Z}_q^n$, take uniform sampling $a \leftarrow \mathbb{Z}_q^n$, and choose $e \leftarrow \chi$ wherein $\chi$ is a discrete Gaussian distribution on $\mathbb{Z}$. The sample distribution $A_{s,\chi}$ is outputted in the form of $(a, b = \langle a, s \rangle + e \pmod{q}) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$.

Definition 2 (Searching LWE, abbreviated as SLWE): Define $m$ independent samples $(a_i, b_i) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$ from a given LWE distribution $A_{s,\chi}$ to output $s$.

Definition 3 (Decisional LWE, abbreviated as DLWE): For the security parameter $\lambda$, define $n = n(\lambda)$ and $q = q(\lambda) \ge 2$, wherein $n$ and $q$ are integers. A distribution $\chi = \chi(\lambda)$ on $\mathbb{Z}$ is defined. The $\mathrm{LWE}_{n,q,\chi}$ problem is utilized to distinguish between the following two distributions: (1) Uniformly choose $(a_i, b_i)$ from $\mathbb{Z}_q^{n+1}$; (2) Uniformly choose $s \leftarrow \mathbb{Z}_q^n$ and then take $e_i \leftarrow \chi$ for the uniform sampling $a_i \leftarrow \mathbb{Z}_q^n$. Supposing that $b_i = \langle a_i, s \rangle + e_i$, $(a_i, b_i) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$ is outputted. According to the $\mathrm{LWE}_{n,q,\chi}$ assumption, the $\mathrm{LWE}_{n,q,\chi}$ problem is hard to solve.

Definition 4
The adversary models in the secure multi-party computation:
a. Semi-honest model: All participants will strictly follow the protocol and not change the protocol or its data. However, the intermediate computation results may be maintained and used for computing the private data of other participants.
b. Semi-malicious model: This model can be seen as an interactive Turing machine with reference and proof tapes. A semi-malicious adversary is obliged to record any data of a certain participant represented by it into the proof tape at any time. The adversary may decide whether to honestly execute the original protocol based on the inputs at random.
c. Malicious model: All computational participants in this model can arbitrarily alter and disclose the protocol and its data, and even interfere with its normal performance.

Definition 5 [31]
$a$ and $b$ are determined as the vectors along $\mathbb{Z}_q^k$; $k$ is a positive integer; $q$ is a modulo; $p$ is the power of 2; $t = \lceil \log_p q \rceil$; $N = kt$. The following function is defined:

Theorem 1
Supposing that $e_i$ ($i \in [N]$) are a series of independent random variables subject to a certain bounded distribution $B_\chi$, the random variable $e = \frac{1}{N} \sum_{i=1}^{N} e_i$ is also subject to $B_\chi$.

Theorem 2 [33]
For any $m \ge n \lceil \log q \rceil$, there is a matrix $G \in \mathbb{Z}_q^{n \times m}$ and its corresponding "short primary image" matrix function $G^{-1}(\cdot)$ to achieve $G^{-1}(M) \in \{0,1\}^{m \times m'}$ and $G G^{-1}(M) = M$ for any matrix $M \in \mathbb{Z}_q^{n \times m'}$, wherein $m'$ can be any number.

Theorem 3 [31]
In terms of the MGSW scheme proposed herein, $L$ is the maximum NAND gate depth of the circuit to be computed; in the absence of homomorphic computation, if $C$ is the ciphertext obtained by encrypting 0, when $|\langle C_{m-1}, s' \rangle| < q / [4p(pN+1)^L]$, the scheme is correct.
Proof. By analyzing the correctness of homomorphic addition and multiplication, the noise is not greater than $pN+1$ times that of the original ciphertext after each homomorphic computation. As a result, when $|\langle C_{m-1}, s' \rangle| < q / [4p(pN+1)^L]$, $|\langle C_{m-1}, s' \rangle| < q/(4p)$ is achieved after no more than $L$ homomorphic computations. According to the decryption algorithm, if $|\langle C_{m-1}, s' \rangle| < q/(4p)$, $\langle s', C_{m-1} \rangle / (q/2p) < 1/2$ is realized. Consequently, if the encrypted information is 0, $\langle C_{m-1}, s' \rangle$ is closer to 0 than $q/(2p)$, and $m = \lfloor \langle s', C_{m-1} \rangle / (q/2p) + 1/2 \rfloor \bmod 2 < \lfloor 1/2 + 1/2 \rfloor \bmod 2 = 0$; when the opposite happens, the correctness of the scheme can be guaranteed.

MGSW scheme that supports multi-bit encryption
The MGSW scheme constructed in this section is a modified FHE scheme that supports multi-bit encryption based on Literature [31], whose security is based on the DLWE assumption. Each user in Literature [31] relies on the CRS matrix $A$ to generate their public keys during the key generation process, undermining their ability to generate a public key independently. In contrast, our scheme is more advanced because the participants do not need any CRS matrix to generate public keys; instead, each of them can generate his/her public keys independently by randomly choosing a matrix $A$ from $\mathbb{Z}_q^{n \times n}$. The scheme is detailed as follows:
For the given modulo $q$ and the dimension $N$, the ciphertext $C$ is an $N \times N$ dimension matrix defined on $\mathbb{Z}_p$, and each matrix component is far less than $q$. The secret key $sk$ of $C$ is defined as an $N$-dimension vector along $\mathbb{Z}_p$. Supposing that the plaintext $\mu$ is a small integer, when $C \cdot sk = \mu \cdot sk + e$, $C$ is defined as the ciphertext of $\mu$ wherein $e$ is a small error vector. During the decryption process, first take the $i$th row $C_i$ of $C$, compute $x \leftarrow \langle C_i, sk \rangle = \mu \cdot sk_i + e_i$, and output $\mu = \lfloor x / sk_i \rceil$, wherein $sk_i$ is the $i$th element of $sk$, $e_i$ is the $i$th element of $e$, and $i \in [0, N-1]$. The information $\mu$ can be considered an eigenvalue of the ciphertext matrix $C$, while the secret key $sk$ is the approximate eigenvector of $C$ corresponding to the eigenvalue $\mu$.
MGSW.Keygen(n,q): For the positive integer $n$, take the depth of homomorphic computation as $l$, randomly and uniformly choose $A \xleftarrow{R} \mathbb{Z}_q^{n \times n}$ from $\mathbb{Z}_q^{n \times n}$, and take the sample $s$ from the discrete Gaussian distribution $\chi^{n \times l}$ on $\mathbb{Z}^{n \times l}$. The public key pk = (A;
MGSW.Encrypt(pk,μ): For the plaintext $\mu \in \mathbb{Z}_p$, randomly and uniformly choose $r_i, e_{i,1} \leftarrow \chi^n$, $e_{i,2} \leftarrow \chi$ and $i = 1, \cdots, (n+1) \cdot t$, compute $C_{i,1} = A^T \cdot r_i + e_{i,1} \in \mathbb{Z}_q^n$ and $C_{i,2} = b^T \cdot r_2 + e_{i,2} \in \mathbb{Z}_q$. Supposing that $C'$ is a matrix composed of $m = (n+1) \cdot t$ ciphertexts arranged as column vectors, whose dimension is $(n+1) \times m$, thus outputting the ciphertext $C = \mathrm{mbFlatten}(\mu \cdot I_N + \mathrm{mbDpt}(C')) \in \mathbb{Z}_p^{m \times m}$.
After homomorphic multiplication, since the coefficient of both $\mu_2$ and $C_1$ are limited to $\mathbb{Z}_p$, the noise is not greater than $pN+p$ times that of the original ciphertext. Consequently, during the multi-bit encryption, the limitation exerted by Theorem 3 on the noise becomes $|\langle C_{m-1}, s' \rangle| < q / [4p(pN+p)^L]$. Considering $pN = pkt \gg p$, the influence of this change on the modulo $q$ can be ignored.
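The approximate-eigenvector relation C·sk = μ·sk + e, decryption by rounding, and the (pN + p) noise growth described above can be checked on a toy instance. This is an added example, not the paper's code: it uses the standard GSW BitDecomp/Flatten in base p as stand-ins for mbDpt/mbFlatten (whose definitions are not given on this page), and the parameters, the ternary noise and all function names are assumptions chosen for illustration.

```python
import random

# Toy parameters, constructed for illustration (far too small to be secure).
n, p, t = 4, 4, 8      # LWE dimension, base p (a power of 2), digits per entry
q = p ** t             # modulus, so t = ceil(log_p q)
N = (n + 1) * t        # a ciphertext is an N x N matrix over Z_p
m = 20                 # number of LWE samples in the public key

def decomp(row):
    """Base-p digits, least significant first, of each Z_q entry of a row."""
    return [(x % q) // p**j % p for x in row for j in range(t)]

def recomp(digits):
    """Inverse of decomp; also accepts digits outside [0, p)."""
    return [sum(digits[i*t + j] * p**j for j in range(t)) % q
            for i in range(n + 1)]

def flatten(M):
    """Bring all entries back into Z_p without changing M*v mod q."""
    return [decomp(recomp(r)) for r in M]

def keygen(rng):
    # Every user samples a private A; no shared CRS matrix is needed.
    s = [rng.randrange(q) for _ in range(n)]
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    e = [rng.choice((-1, 0, 1)) for _ in range(m)]
    pk = [[(sum(a*x for a, x in zip(A[k], s)) + e[k]) % q] + A[k]
          for k in range(m)]                       # rows (b_k | a_k)
    s1 = [1] + [(-x) % q for x in s]               # pk * s1 = e (mod q)
    v = [(x * p**j) % q for x in s1 for j in range(t)]   # decryption key
    return pk, v

def encrypt(pk, mu, rng):
    C = []
    for i in range(N):
        r = [rng.randrange(2) for _ in range(m)]
        row = decomp([sum(r[k] * pk[k][c] for k in range(m)) % q
                      for c in range(n + 1)])
        row[i] += mu                               # adds mu * I_N
        C.append(row)
    return flatten(C)

def centered(x):
    x %= q
    return x - q if x > q // 2 else x

def noise(C, v, mu):
    """Largest |e_i| in C*v = mu*v + e (mod q)."""
    return max(abs(centered(sum(a*b for a, b in zip(r, v)) - mu*vi))
               for r, vi in zip(C, v))

def decrypt(C, v):
    i = t - 1                                      # v[i] = p^(t-1) = q/p
    x = sum(a*b for a, b in zip(C[i], v)) % q      # x = mu*v[i] + e_i
    return (2*x + v[i]) // (2*v[i]) % p            # round(x / v[i]) mod p

def add(C1, C2):
    return flatten([[a + b for a, b in zip(r1, r2)] for r1, r2 in zip(C1, C2)])

def mult(C1, C2):
    cols = list(zip(*C2))
    return flatten([[sum(a*b for a, b in zip(r, c)) for c in cols] for r in C1])

def demo(seed=1):
    rng = random.Random(seed)   # not a CSPRNG; fine for a reproducible toy
    pk, v = keygen(rng)
    c1, c2 = encrypt(pk, 3, rng), encrypt(pk, 2, rng)
    prod = mult(c1, c2)
    return {"sum": decrypt(add(c1, c2), v), "product": decrypt(prod, v),
            "fresh_noise": noise(c1, v, 3), "product_noise": noise(prod, v, 6),
            "bound": (p*N + p) * m, "limit": q // (2*p)}

if __name__ == "__main__":
    print(demo())
```

Results are reduced modulo p because the decryption row uses the key entry q/p; the product noise stays under (pN + p) times the fresh-noise bound m, which is itself below the rounding limit q/(2p) for these parameters.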

Security
Theorem 4 Supposing that the parameters $n = \mathrm{poly}(\lambda)$ and $q = \mathrm{poly}(\lambda)$ constitute a polynomial with the security parameter $\lambda$, and that the Attacker can distinguish the ciphertext of the MGSW scheme and the uniform distribution on $\mathbb{Z}_p^{m \times m}$ with a non-ignorable advantage, the DLWE problem is also solved. Therefore, if it is supposed that this problem is hard to solve, the MGSW scheme can meet the plaintext's (IND-CPA) security criteria.
Proof. The Theorem is proven by defining the following game sequences:
a) Game0. Initialization: The Challenger runs MGSW.Keygen(n,q) to generate the public-secret key pair (pk, sk), and gives the public key to the Attacker $\mathcal{A}$.
Step 1: The Attacker may encrypt the information $\mu \in \{0,1\}$ independently or through the Challenger. If the latter method is adopted, the Challenger needs to return the ciphertext accurately.
Step 2: Just as done in Step 1, the Attacker may encrypt the information $\mu \in \{0,1\}$ independently or through the Challenger.
Initialization: The Challenger randomly and uniformly chooses the public key $A \xleftarrow{R} \mathbb{Z}_q^{(n+1) \times n}$ and gives it to the Attacker $\mathcal{A}$. The Attacker's advantage in Game1 is marked as $\mathrm{Adv}_{Game1}(\mathcal{A})$. In Game1, the public key is no longer generated through the secret key. As the public key in Game0 can be seen as $n \times 1$ $\mathrm{LWE}_{q,n,\chi}$ instances, the public key in Game1 is randomly chosen from the uniform distribution. Therefore, if the $\mathrm{DLWE}_{q,n,n,\chi}$ problem can be solved via the non-ignorable advantage, Game0 and Game1 can also be distinguished based on the same edge. If the assumption $\mathrm{DLWE}_{q,n,n,\chi}$ holds, the advantage of the Attacker to distinguish between Game0 and Game1 is negligible, thus getting
c) In Game2, except for the challenge period, the Challenger follows all other steps as with Game1. At a given time, the Attacker challenges the Challenger and sends the challenge plaintext $\mu_1, \mu_2 \in \{0,1\}$. The Challenger randomly chooses $b \in \{0,1\}$ and $C \xleftarrow{R} \mathbb{Z}_q^{n+1}$, and sends the challenge ciphertext $c' = c + (\mathbf{0}, \mu \cdot \lfloor q/2 \rfloor)$ to the Attacker. The advantage of the Attacker in Game2 is marked as $\mathrm{Adv}_{Game2}(\mathcal{A})$. Likewise, $\mathrm{Adv}_{Game1}(\mathcal{A}) \le \mathrm{Adv}_{Game2}(\mathcal{A}) + \mathrm{negl}(\lambda)$.
d) In Game3, except for the challenge period, the Challenger follows all other steps as with Game2. The Challenger sends the challenge ciphertext to the Attacker. The advantage of the Attacker in Game3 is marked as $\mathrm{Adv}_{Game3}(\mathcal{A})$. In Game3, both the public key and the challenge ciphertext are taken from uniform distributions, and do not contain any information of the plaintext, so $\mathrm{Adv}_{Game3}(\mathcal{A}) = 0$. Since $C$ in both Game2 and Game3 is taken from the uniform distribution on $\mathbb{Z}_q^{n+1}$, $C'$ in Game2 and $C$ in Game3 are statistically indistinguishable, namely, $\mathrm{Adv}_{Game2}(\mathcal{A}) \le \mathrm{Adv}_{Game3}(\mathcal{A}) + \mathrm{negl}(\lambda)$.

Modified LinkAlgo algorithm
It is often the case that the construction of a multi-key FHE scheme relies on the homomorphic computation of the ciphertexts under different keys, but the MGSW scheme proposed herein can only generate the multi-bit single-key ciphertext. Consequently, in our scheme, the LinkAlgo algorithm [23] is adopted for expanding the multi-bit single-key ciphertext into the multi-bit multi-key ciphertext. As mentioned in the KLP18 scheme [23], the expansion of multi-key ciphertext involves complicated steps, leading to low efficiency, high memory use and large decryption noise. Therefore, the complicated ciphertext expansion is optimized herein to get a simpler expanded ciphertext, further increasing the efficiency. The modified LinkAlgo algorithm is detailed as follows:
For the matrix $R \in \{0,1\}^{m \times m}$, $V^{(s,t)}$ is the $\beta$ noise ciphertext of $R^{(s,t)}$ encrypted with the GSW encryption algorithm under $(pk, sk) = (K, t)$. Supposing that $(pk', sk') = (K', t')$ is another pair of keys, by inputting $pk'$ and all $R^{(s,t)}$ into the modified LinkAlgo algorithm, $Y$ is outputted to achieve $tY = tK'R + e$ and $\|e\|_1 \le m^3 \beta$ ($e$ is the noise), thus outputting the optimized expanded ciphertext $\hat{C}_i$.

Multi-key Fully Homomorphic Encryption (MFHE)
In this section, based on the above MGSW scheme that supports multi-bit encryption, the modified LinkAlgo algorithm is adopted to expand the multi-bit single-key ciphertext to the multi-bit multi-key ciphertext and construct an MFHE scheme. To be specific, $G$ and $G^{-1}(\cdot)$ are the same as those described in Theorem 2; $G$ is expanded into $\hat{G}_t = \mathrm{diag}(G, \cdots, G) \in \mathbb{Z}_q^{nN \times mN}$, and $\hat{G}_t^{-1}(\cdot)$ is its corresponding function. This scheme is composed by the polynomial algorithm MFHE = (Setup, Keygen, Enc, Expand, Eval, Dec) for a series of probability events, as detailed below:
2. Output $C = \mathrm{mbFlatten}(\mu \cdot I_N + \mathrm{mbDpt}(C'))$
- $\mathrm{MFHE.Expand}((pk_1, pk_2, \cdots, pk_t), i, C) \to (\hat{C}_i)$
After the modified LinkAlgo algorithm is adopted to input the key and new ciphertext, the expanded ciphertext is outputted as:
Threshold decryption can be implemented on the above-expanded ciphertext $\hat{C}_i$, as detailed below:
- $\mathrm{MFHE.PartDec}(C, t_i) \to (p_i)$
1. Present an expanded ciphertext $\hat{C}$ and the $i$th key $t_i \in \mathbb{Z}_q^{(m+1) \cdot t}$, and divide the ciphertext ; $\lceil q/2 \rceil, \cdots, \lceil q/2 \rceil$ ($t$ entries)
1. Input $p_1, \cdots, p_t$, and compute p =

Correctness of expanded ciphertext
$\hat{C}_i \leftarrow \mathrm{MFHE.Expand}((pk_1, pk_2, \cdots, pk_N), i, C)$ can be obtained by expanding the ciphertext of the $i$th user, wherein $C$ is the multi-key ciphertext of the plaintext $\mu$ after being encrypted by the MGSW scheme under $(K, t_i)$. By defining the multi-key $t = (t_1, \cdots, t_N)$ and the public matrix $\hat{G}$, if $\hat{C}$ ), it is natural for us to promote the MGSW scheme. Next, the correctness of the expanded ciphertext will be proven: and $\|e'_i\|_1 \le m B_\chi$. Therefore, $\|e\|_1 \le (m+2) B_\chi$. To get it correctly decrypted, the condition $(m+2) B_\chi \le q/(4mN)$ shall be met. An appropriate parameter $q$ can be chosen to achieve the result that $(m+2) B_\chi \le q/(4mN)$ holds.

Security of the proposed scheme
a) First of all, the scheme encryption resembles that of the above MGSW scheme constructed. It can be known from the security of the MGSW scheme that this encryption process meets the IND-CPA security criteria.
b) Security of the expanded ciphertext. The expanded ciphertext is obtained from the LinkAlgo algorithm where $Y$ is generated by $V^{(s,t)}$ and $G^{-1}(L_{s,t})$, as $G^{-1}(L_{s,t})$ means the bit decomposition of $L_{s,t}$ and $V^{(s,t)}$ refers to the encryption of $R^{(s,t)}$. It can be seen from Literature [13] that $V^{(s,t)} G^{-1}(L_{s,t})$ and the matrix uniformly chosen from $\mathbb{Z}_q^{(m+1) \times N}$ are indistinguishable in terms of computation, so this expanded ciphertext is secure. Therefore, the proposed scheme herein is proven to be secure.

Three-round Secure Multi-party Computation (SMC) protocol
This section utilizes the above MFHE scheme to construct a three-round SMC protocol without CRS that supports multi-bit encryption. Although the best two-round interactions have been realized in the protocol with CRS in Literature [6], an SMC protocol without CRS requires at least three rounds to complete the entire protocol: as no CRS matrix is used in the protocol, each participant generates his/her key pair independently, and distributes the key before the protocol comes into force, which takes at least one round; it also takes another two rounds to generate and release ciphertext and compute and release the partially decrypted result. As a result, an SMC protocol without CRS requires at least three rounds.
$\pi_f$: In the SMC protocol without CRS, the single-valued function $f$ is securely solved. The protocol is secure in the semi-honest and semi-malicious models, as detailed below:
- Use the public key $pk_i$ to encrypt the plaintext $m'$ and get the ciphertext $C \leftarrow \mathrm{MFHE.Enc}(pk, m')$.
- Run the expanded algorithm to get the expanded ciphertext $\hat{C}_i \leftarrow \mathrm{MFHE.Expand}((pk_1, pk_2, \cdots, pk_t), i, C)$, and then release the expanded ciphertext $\hat{C}_i$.

Security of the protocol
Next, we will prove that the SMC protocol constructed herein is secure in the semi-malicious environment; that is to say, the protocol is secure when facing a semi-malicious adversary, who is weaker than the malicious adversary but stronger than the semi-honest adversary.
a) First, a PPT simulator $S$ is designed for a semi-malicious adversary who has captured $N-1$ users. The semi-malicious adversary in the static state is marked as $A$. Assume that $P_h$ is the only surviving honest participant. On behalf of $P_h$, Simulator $S$ follows the steps below.
In the second round, Simulator $S$ replaces the real input of the honest participant $P_h$ with 0 for encryption. Subsequently, Simulator $S$ obtains the inputs and secret keys of $N-1$ captured participants from "the proof tape." $S$ sends these inputs into an ideal machine to get the output $y$ and the ciphertext $C$ after the homomorphic computation. Then, $S$ computes and simulates the partially decrypted $\rho_h \leftarrow S(y, C, h, \{sk_i\}_{i \in [N] \setminus \{h\}})$ for $P_h$ and discloses the partially decrypted result simulated in the third round to replace the real decryption.
By using a series of hybrid attacking games $\mathrm{REAL}_{\pi,A,Z}$, $\mathrm{HYB}_{\pi,A,Z}$, and $\mathrm{IDEAL}_{F,S,Z}$, it is proven that the real and simulation results are indistinguishable. The definitions and proving means of these games resemble those in Literature [6], so it is concluded that $\mathrm{REAL}_{\pi,A,Z} \overset{stat}{\approx} \mathrm{HYB}_{\pi,A,Z}$ and $\mathrm{HYB}_{\pi,A,Z} \overset{comp}{\approx} \mathrm{IDEAL}_{F,S,Z}$. More proving details can be found in Literature [6]. It is finally proven that the real and simulation computations are indistinguishable, namely, $\mathrm{IDEAL}_{F,S,Z} \overset{comp}{\approx} \mathrm{REAL}_{\pi,A,Z}$.
b) Assuming that the adversary has corrupted multiple honest participants, just like Literature [6], a pseudorandom function can be adopted to prove that the protocol proposed herein is secure.
Therefore, the protocol is secure in a semi-malicious environment. The proving process ends.

Comparisons and analyses of protocol performance
Compared to the KLP18 scheme [23] that supports single-bit encryption only, the proposed protocol can support multi-bit encryption. Assuming that the information to be encrypted is in B-bit, the KLP18 scheme needs to be encrypted for B times, but only one encryption is required by adopting our protocol.
In comparison with Literature [29], the scheme in this study is improved in two aspects:
a) Ciphertext size: Both the basic MGSW scheme proposed herein and the scheme offered in Literature [29] support multi-bit encryption. However, the former changes how the GSW scheme is implemented, requiring a smaller ciphertext size of $\frac{(n+1)^2 \lceil \log q \rceil^2}{\lceil \log p \rceil}$; the latter demands a ciphertext size of $(n+1)^2 \lceil \log q \rceil^2$. For B-bit encryption and decryption, the ciphertext sizes in Literature [10] and this study are $(n+B)^2 \lceil \log q \rceil^2$ and $\frac{(n+B)^2 \lceil \log q \rceil^2}{\lceil \log p \rceil}$, respectively.
b) Storage overhead: Although the GSW scheme is adopted as the basic scheme for both this study and Literature [29], the former's ciphertext size is much smaller than the latter, suggesting that our protocol dramatically reduces the ciphertext size. In this way, the protocol proposed in this study occupies a smaller memory space but offers higher overall efficiency than in Literature [25].
The comparisons of protocol performance are detailed in Table 1, where "basic" refers to the basic scheme adopted in the protocol; "multi-bit" suggests whether the scheme supports multi-bit encryption; "Storage" is the Storage overhead; n is the lattice dimension; q is the modulo; p means the power of 2; B is the bit quantity inputted.

Conclusion
In this study, the key generation algorithm in the FHE scheme offered by Chen Li et al. was modified to construct the MGSW scheme so that the participants do not need to rely on the CRS matrix to generate their keys. Further, the MGSW scheme and the LinkAlgo algorithm were adopted for achieving the MFHE scheme. Finally, a three-round interactive SMC protocol without CRS that supports multi-bit encryption was designed using the MFHE scheme. Its security was based on the DLWE assumption, and it was proven secure in the semi-malicious model. The protocol proposed herein outperforms the existing ones in terms of the support for multi-bit encryption, ciphertext size and storage overhead, and functions more efficiently as a whole. Yet, all existing FHE-based SMC protocols without CRS were proven to be secure in the semi-malicious environment only, but cannot resist the attack of a malicious adversary [34]. How to construct an SMC protocol without CRS in a malicious environment remains to be solved, indicating our future research direction.