1. Introduction

Secure Multi-party Computation (SMC), a method proposed by Yao [1], can securely compute a function without disclosing its data. Each party can get its results but has no access to others’ data. SMC now consists of several constructors, including verifiable secret sharing [2], oblivious transfer [3], mix and match [4] and homomorphic encryption [5–7]. Devised by Rivest et al. [8] in 1978, Fully Homomorphic Encryption (FHE) supports direct encryption of the plaintext, and the same computation can be done on the ciphertext to get decryption results, namely, f(Enc(m)) = Enc(f(m)). Due to this unique feature, FHE has displayed great potential among all constructors of SMC protocols, and thus attracted greater attention over time. Since the launch of a FHE scheme by Gentry [9] in 2009, a wealth of similar schemes emerged, including DGHV10 [10], BV11 [11], BGV12 [12], Bra12 [13], GSW13 [14], BV14 [15], CM15 [5], and NK15 [16]. Meanwhile, scholars in China and abroad also substantially investigated FHE-based SMC protocols.

In 2012, López-Alt et al. [17] put forward the concept of multi-key fully homomorphic encryption (MFHE) for the first time, and made use of NTRU [18] to construct the first MFHE scheme. Therefore, an MFHE-based SMC protocol could be naturally created. Later, a lot of MFHE-based SMC protocols were constantly designed and improved. In 2016, Mukherjee et al. [6] established a two-round SMC protocol that achieved the best two-round interactions based on the GSW scheme, and proved that this scheme was secure in the malicious environment. The protocol needed to choose a common random string (CRS) matrix during the generation of a key, which undermined each user’s ability to generate their key independently. In the meantime, cascading and masking operations were added to the scheme, leading to a considerable volume of ciphertext matrix. Vijayakumar P et al. [19] proposed an efficient group key management technique that reduces the computational complexity without increasing the high storage complexity, thereby providing secure group communication in P2P networks. In the same year, a two-factor authentication scheme and a two-group key management scheme [20] were proposed to improve the security of vehicles communicating with a vehicle-mounted ad hoc network (VANET) environment. Audithan S et al. [21] proposed an anonymous authentication scheme to authenticate users, which is not easy to be maliciously accessed by attackers, and protects data transmitted in Internet business applications through mobile agents. In 2017, by increasing a new round of interaction and taking advantage of key homomorphism and threshold decryption, Wang Huiyong et al. [22] designed a simple three-round GSW-based SMC protocol with CRS, whose security was based on the Some-are-errorless LWE assumption, a variant of the LWE assumption. In this protocol, although a new round was added, the homomorphic computation depth and NAND gate complexity were reduced, and its overall efficiency was optimized compared to the MW16 scheme [6]. In 2018, Kim et al. [23] proposed the LinkAlgo algorithm to expand a single-key ciphertext into a multi-key one, and constructed for the first time a three-round SMC protocol without CRS that did not rely on a CRS matrix during the generation of a public key, allowing every user to generate their own public keys independently. This protocol met the multi-key CPA security requirements and could resist the attack of a semi-malicious adversary, but it was still slightly inferior to the protocol with CRS in terms of security and failed to prove that it was still secure in the malicious environment. In 2020, by employing the tool matrix and the encoding operations offered by Li Zengpeng [24] to improve the ciphertext expansion way of the KLP18 scheme [23], Tang Chunming et al. [25] built a three-round SMC protocol without CRS that outperformed the KLP18 scheme in efficiency, memory, and noise decryption, but it was only proven to be secure in the semi-malicious environment, as well. Dheerendra Mishra et al. [26] built a mutual authentication and key agreement scheme for mobile edge computing without the participation of trusted third parties, ensuring mutual authentication between users and edge servers and generating secure session keys. Vinoth R et al. [27] proposed a secure multi-factor authentication key agreement scheme for the Industrial Internet of Things (IIoT) to enable authorized users to remotely access sensing devices, effectively reducing communication during the authentication key agreement process and computational costs. In 2021, by referring to the multi-bit encryption scheme provided by Li Zengpeng, Tang Chunming et al. [28] pioneeringly developed a three-round SMC protocol with CRS that supports multi-bit encryption, whose security was based on the Ferr-LWE assumption and the Some-are-errorless LWE assumption, making it possible to resist the attack of an adversary in the malicious environment. In the same year, based on the multi-bit encryption scheme proposed by Li Zengpeng [24], Li Xixi et al. [29] modified his encryption algorithm and availed of the LinkAlgo algorithm to build a multi-bit multi-key FHE mechanism without CRS. Xia X et al. [30] proposed a cloud-assisted trustworthiness assessment mechanism and an efficient anonymous authentication and key agreement scheme based on non-interactive zero-knowledge to ensure privacy protection and data security of IoT devices in smart cities.

It can be seen from the above work that current FHE-based SMC protocols have been equipped with or without CRS. An SMC protocol with CRS is found with higher security. It is also proven to be secure by using the non-commutative zero-knowledge proof in the malicious environment. Still, it needs to choose a CRS matrix during the parameter setting phase. All users are required to generate their keys with the help of this matrix, which dramatically limits the users’ ability to generate keys independently. In contrast, an SMC protocol without CRS supports all users to generate their keys independently by eliminating the need for a trusted organization to distribute the CRS matrix. Nevertheless, the existing SMC protocols without CRS are still generally plagued by overlarge ciphertext, colossal memory space and low efficiency.

2. Knowledge base

2.2 Definitions and theorems

Definition 1 [32] (LWE distribution): Define a secret vector , take uniform sampling , and choose e←χ wherein χ is a discrete Gaussian distribution on ℤ. The sample distribution cA_s,χ is outputted in the form of .

Definition 2 (Searching LWE, abbreviated as SLWE): Define m independent samples from a given LWE distribution A_s,χ to output s.

Definition 3 (Decisional LWE, abbreviated as DLWE): For the security parameter λ, define n = n(λ) and q = q(λ)≥2, wherein n and q are integers. A distribution χ = χ(λ) on ℤ is defined. The LWE_n,q,χ problem is utilized to distinguish between the following two distributions: (1) Uniformly choose (a_i,b_i) from ; (2) Uniformly choose and then take e_i←χ for the uniform sampling . Supposing that b_i = <a_i,s>+e_i, is outputted. According to the LWE_n,q,χ assumption, the LWE_n,q,χ problem is hard to solve.

Definition 4 The adversary models in the secure multi-party computation:

1. Semi-honest model: All participants will strictly follow the protocol and not change the protocol or its data. However, the intermediate computation results may be maintained and used for computing the private data of other participants.
2. Semi-malicious model: This model can be seen as an interactive Turing machine with reference and proof tapes. A semi-malicious adversary is obliged to record any data of a certain participant represented by it into the proof tape at any time. The adversary may decide whether to honestly execute the original protocol based on the inputs at random.
3. Malicious model: All computational participants in this model can arbitrarily alter and disclose the protocol and its data, and even interfere with its normal performance.

Definition 5 [31] a and b are determined as the vectors along ; k is a positive integer; q is a modulo; p is the power of 2; t = ⌈log_pq⌉; N =kt. The following function is defined: (1) wherein a’ is a N-dimensional vector ; a_i,j∈ℤ_p.

(2)(3)(4)

Theorem 1 Supposing that e_i(i∈[N]) are a series of independent random variables subject to a certain bounded distribution B_χ, the random variable is also subject to B_χ.

Theorem 2 [33] For any m≥n⌈logq⌉, there is a matrix and its corresponding "short primary image" matrix function G⁻¹(⋅) to achieve G⁻¹(M)∈{0,1}^m×m’ and GG⁻¹(M) = M for any matrix , wherein m’ can be any number.

Theorem 3 [31] In terms of the MGSW scheme proposed herein, L is the maximum NAND gate depth of the circuit to be computed; in the absence of homomorphic computation, if C is the ciphertext obtained by encrypting 0, when , the scheme is correct.

Proof. By analyzing the correctness of homomorphic addition and multiplication, the noise is not greater than pN+1 times that of the original ciphertext after each homomorphic computation. As a result, when , is achieved after no more than L homomorphic computations. According to the decryption algorithm, if , is realized. Consequently, if the encrypted information is 0, 〈C_m−1,s’〉 is closer to 0 than q/(2p), and ; when the opposite happens, the correctness of the scheme can be guaranteed.

3. MGSW scheme that supports multi-bit encryption

The MGSW scheme constructed in this section is a modified FHE scheme that supports multi-bit encryption based on Literature [31], whose security is based on the DLWE assumption. Each user in Literature [31] relies on the CRS matrix A to generate their public keys during the key generation process, undermining their ability to generate a public key independently. In contrast, our scheme is more advanced because the participants do not need any CRS matrix to generate public keys; instead, each of them can generate his/her public keys independently by randomly choosing a matrix A from . The scheme is detailed as follows:

For the given modulo q and the dimension N, the ciphertext C is an N×N dimension matrix defined on ℤ_p, and each matrix component is far less than q. The secret key sk of C is defined as an N-dimension vector along ℤ_p. Supposing that the plaintext μ is a small integer, when C⋅sk = μ⋅sk+e, C is defined as the ciphertext of μ wherein e is a small error vector. During the decryption process, first take the ith row C_i of C, compute x←〈C_i,sk〉 = μ⋅sk_i+e_i, and output μ = ⌊x/sk_i⌉, wherein sk_i is the ith element of sk, e_i is the ith element of e, and i∈[0,N−1]. The information μ can be considered an eigenvalue of the ciphertext matrix C, while the secret key sk is the approximate eigenvector of C corresponding to the eigenvalue μ.

MGSW.Setup(1^λ,1^L): λ is the security parameter; L is the maximum NAND gate depth of the circuit; the lattice dimension n = n(λ,L); for the modulo q, the error distribution χ = χ(λ,L); m = m(λ,L) = O(nlogq). By choosing appropriate parameters, the LWE assumption holds, thus outputting params = (n,q,χ,m).

MGSW.Keygen(n,q): For the positive integer n, take the depth of homomorphic computation as l, randomly and uniformly choose from , and take the sample s from the discrete Gaussian distribution χ^n×l on ℤ^n×l. The public key is computed, and the secret key is .

MGSW.Encrypt(pk,μ): For the plaintext μ∈ℤ_p, randomly and uniformly choose r_i, e_i,1←χⁿ, e_i,2←χ and i = 1,⋯,(n+1)⋅t, compute and C_i,2 = b^T⋅r₂+e_i,2∈ℤ_q. Supposing that c’ is a matrix composed of m = (n+1)⋅t ciphertexts arranged as column vectors, whose dimension is (n+1)×m, thus outputting the ciphertext .

MGSW.Decrypt(sk,C): For the ciphertext and the secret key , supposing that s’ = pofmb(sk), compute and output the plaintext .

MGSW.Add(C₁,C₂): Input the ciphertexts C₁ and C₂, and output the new ciphertext C = mbFlatten(C₁+C₂) after the homomorphic addition.

MGSW.Mult(C₁,C₂): Input the ciphertexts C₁ and C₂, and output the new ciphertext C = mbFlatten(C₁⋅C₂) after the homomorphic multiplication.

4. Modified LinkAlgo algorithm

It is often the case that the construction of a multi-key FHE scheme relies on the homomorphic computation of the ciphertexts under different keys, but the MGSW scheme proposed herein can just generate the multi-bit single-key ciphertext. Consequently, in our scheme, the LinkAlgo algorithm [23] is adopted for expanding the multi-bit single-key ciphertext into the multi-bit multi-key ciphertext. As mentioned in the KLP18 scheme [23], the expansion of multi-key ciphertext involves complicated steps, leading to low efficiency, high memory space and loud decryption noise. Therefore, the complicated ciphertext expansion way is optimized herein to get simpler expanded ciphertext, further increasing the efficiency. The modified LinkAlgo algorithm is detailed as follows:

For the matrix R∈{0,1}^m×m, V^(s,t) is the β noise ciphertext of R^(s,t) encrypted with the GSW encryption algorithm under . Supposing that is another pair of keys, by inputting pk’ and all R^(s,t) into the modified LinkAlgo algorithm, Y is outputted to achieve tY = tK’R+e and ‖e‖_∞≤m³β (e is the noise), thus outputting the optimized expanded ciphertext .

Modified LinkAlgo Algorithm

Input: pk’ and {R^(s,t)}_s,t∈[m]

Output:

Output:

1. Define , wherein s,t∈[m]

2. Output

Output:

Now, by defining tY = tK’R+e, the following detailed processes are presented to prove that ‖e‖_∞≤m³β holds: (7) wherein and .

Now, it is time to prove (8)

Therefore, tY = tK’R+e, wherein and ‖e‖_∞≤m³β.

5. Multi-key Fully Homomorphic Encryption (MFHE)

In this section, based on the above MGSW scheme that supports multi-bit encryption, the modified LinkAlgo algorithm is adopted to expand the multi-bit single-key ciphertext to the multi-bit multi-key ciphertext and construct an MFHE scheme. To be specific, G and G⁻¹(⋅) are the same as those described in Theorem 2; G is expanded into , and is its corresponding function. This scheme is composed by the polynomial algorithm MFHE = (Sepup, Keygen, Enc, Expand, Eval, Dec) for a series of probability events, as detailed below:

−MFHE.Setup(1^λ,1^L)→(params)

1. Run MGSW.Setup(1^λ,1^L)
2. Output params = (n,q,χ,m)

−MFHE.Keygen(params)→(pk,sk)

1. Run MGSW.Keygen(n,q)
2. Output

−MFHE.Enc(pk,μ)→C

1. Run MGSW.Encrypt(pk,μ)
2. Output C = mbFlatten(μ⋅I_N+mbDpt(C’))

After the modified LinkAlgo algorithm is adopted to input the key and new ciphertext, the expanded ciphertext is outputted as:

1. Present l expanded ciphertexts and the matrix functions corresponding to
2. Output

1. Present the key and an expanded ciphertext , and define
2. Run MGSW.Decrypt(sk,C)
3. Output μ

Threshold decryption can be implemented on the above-expanded ciphertext , as detailed below:

1. Present an expanded ciphertext and the ith key , and divide the ciphertext into N-row submatrices wherein . Define

2. Compute

3. Output p_i = γ_i+e_i, wherein e_i is a small noise.

MFHE.FinDec(p₁,⋯,p_t)→(μ)

1. Input p₁,⋯,p_t, and compute
2. Output .

6. Three-round Secure Multi-party Computation (SMC) protocol

This section utilizes the above MFHE scheme to construct a three-round SMC protocol without CRS that supports multi-bit encryption. Although the best two-round interactions have been realized in the protocol with CRS in Literature [6], an SMC protocol without CRS requires at least three rounds to complete the entire protocol: As no CRS matrix is used in the protocol, each participant generates his/her key pair independently, and distributes the key before the protocol comes into force, which takes at least one round; it also takes another two rounds to generate and release ciphertext and compute and release the partially decrypted result. As a result, an SMC protocol with CRS requires at least three rounds.

π_f: In the SMC protocol without CRS, the single-valued function f is securely solved. The protocol is secure in the semi-honest and semi-malicious models, as detailed below:

Preprocessing: Set up the parameters (params)←MFHE.Setup(1^λ,1^L) to make sure that all participants share the parameter settings.

Input: For i∈[N], each participant P_i inputs the private data x_i∈{0,1} to compute the function f({0,1}^N→{0,1}), wherein L is the circuit depth of f.

Round 1. For each participant P_i, the following steps are carried out.

- Generate (pk_i,sk_i)←MFHE.Keygen(params).

- Release the public key {pk_i}_i∈[N].

Round 2. Each participant P_i receives the public key {pk_i}_i∈[N]\{i} from others and follows the steps below.

- Use the public key pk_i to encrypt the plaintext m’ and get the ciphertext C←MFHE.Enc(pk,m’).

- Run the expanded algorithm to get the expanded ciphertext , and then release the expanded ciphertext .

Round 3. Each participant P_i receives the ciphertext from others and follows the steps below.

- Output the assessed ciphertext after homomorphic computation.

- Threshold encryption is implemented. Get the partially decrypted result , and then release p_i.

Output: Each participant P_i receives the partially decrypted result {p_j}_j≠i from others, and computes the final decryption result μ←MFHE.FinDec(p₁,⋯p_t).

7. Comparisons and analyses of protocol performance

Compared to the KLP18 scheme [23] that supports single-bit encryption only, the proposed protocol can support multi-bit encryption. Assuming that the information to be encrypted is in B-bit, the KLP18 scheme needs to be encrypted for B times, but only one encryption is required by adopting our protocol.

In comparison with Literature [29], the scheme in this study needs to be improved from two aspects:

a) Ciphertext size: Both the basic MGSW scheme proposed herein and the scheme offered in Literature [29] support multi-bit encryption. However, the former changes how the GSW scheme is implemented, requiring smaller ciphertext size and achieving ; the latter demands a ciphertext size of (n+1)²⌈logq⌉². For B-bit encryption and decryption, the ciphertext sizes in Literature [10] and this study are and , respectively.

b) Storage overhead: Although the GSW scheme is adopted as the basic scheme for both this study and Literature [29], the former’s ciphertext size is much smaller than the latter, suggesting that our protocol dramatically reduces the ciphertext size. In this way, the protocol proposed in this study occupies a smaller memory space but offers higher overall efficiency than in Literature [25].

The comparisons of protocol performance are detailed in Table 1, where "basic" refers to the basic scheme adopted in the protocol; "multi-bit" suggests whether the scheme supports multi-bit encryption; “Storage” is the Storage overhead; n is the lattice dimension; q is the modulo; p means the power of 2; B is the bit quantity inputted.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 1. Performance comparison of schemes without CRS.

https://doi.org/10.1371/journal.pone.0265572.t001

8. Conclusion

In this study, the key generation algorithm in the FHE scheme offered by Chen Li et al. was modified to construct the MGSW scheme so that the participants do not need to rely on the CRS matrix to generate their keys. Further, the MGSW scheme and the LinkAlgo algorithm were adopted for achieving the MFHE scheme. Finally, a three-round interactive SMC protocol without CRS that supports multi-bit encryption was designed using the MFHE scheme. Its security was based on the DLWE assumption, and it was proven secure in the semi-malicious model. The protocol proposed herein outperforms the existing ones in terms of the support for multi-bit encryption, ciphertext size and storage overhead, and functions more efficiently as a whole.

Yet, all existing FHE-based SMC protocols without CRS were proven to be secure in the semi-malicious environment only, but cannot resist the attack of a malicious adversary [34]. How to construct an SMC protocol without CRS in a malicious environment remains to be solved, indicating our future research direction.