Research on developing some efficient secure sum computation protocols in the fully distributed data model and their applications.
MINISTRY OF EDUCATION AND TRAINING
VIETNAM ACADEMY OF SCIENCE AND TECHNOLOGY
GRADUATE UNIVERSITY OF SCIENCE AND TECHNOLOGY
Vu Duy Hien
DEVELOPING EFFICIENT AND SECURE MULTI-PARTY SUM COMPUTATION PROTOCOLS AND THEIR APPLICATIONS
DISSERTATION ON INFORMATION SYSTEM
Hanoi – 2024
PLEDGE
I promise that the thesis "Developing efficient and secure multi-party sum computation protocols and their applications" is my original research work under the guidance of the academic supervisors. All contents of the thesis were written based on papers and articles published in distinguished international conferences and journals published by the reputed publishers. The sources of the references in this thesis are explicitly cited. My research results were published jointly with other authors and were agreed upon by the co-authors when included in the thesis. New results and discussions presented in the thesis are perfectly honest and they have not yet been published by any other authors beyond my publications. This thesis has been finished during the time I work as a PhD student at Graduate University of Science and Technology, Vietnam Academy of Science and Technology.
Hanoi, 2024
PhD student
Vu Duy Hien
I also thank the CAMEL cafe (No. 104/1 Viet Hung street, Long Bien district, Ha Noi) where my publications and thesis had been born in
Finally, I want to send the most special thank to my big family, my wife,
INTRODUCTION
1 OVERVIEW OF SECURE MULTI-PARTY SUM COMPUTATION
1.1 Background of secure multi-party computation
1.1.1 Introduction
1.1.2 Basic concept
1.1.3 Definition of security
1.1.4 Cryptographic preliminaries
1.2 Secure multi-party sum computation problem
1.2.1 Problem formulation
1.2.2 Related work
1.3 Conclusion
2 PROPOSING EFFICIENT SECURE MULTI-PARTY SUM COMPUTATION PROTOCOLS
2.1 Analysis of typical secure multi-party sum computation protocols
2.1.1 Simple secure multi-party sum computation protocol
2.1.2 Secure multi-party sum computation protocol of Urabe et al.
2.1.3 Secure multi-party sum computation protocol of Hao et al., 2010 in an electronic voting system
2.1.4 Privacy-preserving frequency computation protocol of Yang et al.
2.1.5 Further discussion
2.2 Proposed secure multi-party sum computation protocols
2.2.1 Privacy-preserving frequency computation protocol based on elliptic curve ElGamal cryptosystem
2.2.2 An efficient approach for secure multi-party sum computation without pre-establishing secure/authenticated channels
2.2.3 Secure multi-sum computation protocol
2.3 Conclusion
3 DEVELOPING NEW SOLUTIONS BASED ON SECURE MULTI-PARTY SUM COMPUTATION PROTOCOLS FOR PRACTICAL PROBLEMS
3.1 An efficient solution for the secure electronic voting scheme without pre-establishing authenticated channel
3.1.1 Introduction
3.1.2 Related work
3.1.3 Preliminaries
3.1.4 A secure end-to-end electronic voting scheme
3.1.5 Security analysis
3.1.6 Experimental evaluation
3.2 An efficient and practical solution for privacy-preserving Naive Bayes classification in the horizontal data setting
3.2.1 Introduction
3.2.2 Related work
3.2.3 Preliminaries
3.2.4 New privacy-preserving Naive Bayes classifier for the horizontal partition data setting
3.2.5 Privacy analysis
3.2.6 Accuracy analysis
3.2.7 Experimental evaluation
3.3 Conclusion
CONCLUSION
BIBLIOGRAPHY
APPENDICES
PUBLICATION LIST
PSI Private set intersection
RAM Random Access Machines
LIST OF TABLES
2.1 The brief comparisons of the computational complexity among three typical SMS protocols
2.2 The computational complexity comparisons among the proposed protocol and the typical protocols
2.3 The communication cost comparisons among the typical PPFC protocols
2.4 The stored data volume of the miner comparisons among the typical PPFC protocols (in megabytes)
2.5 The comparisons of each user's computational complexity among the proposed protocol and the typical protocols
2.12 The running time for the miner to compute the sum values comparisons among the compared solutions (in seconds)
2.13 The stored data volume of the miner comparisons among the compared solutions (in megabytes)
3.1 Spam short-messages dataset information
3.2 The running time comparisons among the new proposal and the typical PPNBC solutions on the real dataset (in seconds)
LIST OF FIGURES
1.1 The distributed computing model in a secure manner
1.2 An example of the authentication method without knowing user's password
1.3 An example of monitoring user's passwords
1.4 An example of the DNA pattern-matching problem
1.5 The secure electronic sealed-bid auction model
1.6 The real and ideal models in distributed computing field
1.7 The computational model of the secure multi-party sum computation problem
1.8 The single-candidate end to end decentralized e-voting model
1.9 An example of the privacy-preserving frequent itemset mining problem
2.1 The computational model of the simple secure multi-party sum computation protocol
2.2 The running time of each user comparisons among the typical PPFC protocols
2.3 The time for the miner/the server computing the public keys comparisons among the typical PPFC protocols
2.4 The time for the miner/the server computing the frequency value comparisons among the typical PPFC protocols
2.5 The running time of each user comparisons among the proposed protocol and the typical protocols
2.6 The time of the pre-computation phase comparisons among the proposed protocol and the typical protocols
2.7 The time of the user authentication phase comparisons among the proposed protocol and the typical protocols
2.8 The time of the secure n-parties sum phase comparisons
The running time for the miner to compute the public keys compar-
3.3 The voting server's total running time comparisons between the new solution and Hao's scheme
3.4 The horizontally distributed computing model
3.5 An example of data transformation
amount of data owned by organizations or individuals. This has spurred the development of the distributed computing field, where the data owners perform computational tasks together based on their cooperative data [1, 2]. Basically, the distributed computing field has brought a lot of substantial benefits to organizations and individuals, such as significantly reducing costs, comprehensively understanding customers, and making good business decisions. However, in fact,
or business secrets, participants of distributed computing systems often wish to obtain the cooperative tasks' correct output without revealing their input data. For instance, some banks cooperate together to improve a machine learning-based credit scoring tool using their customers' data, but they are not ready to share their customers' data with anyone. Similarly, although there are some hospitals who want to jointly develop disease diagnosis methods based on a large united database, they do not want to provide their patients' data to others. These challenges motivated the birth of the SECURE MULTI-PARTY COMPUTATION area (SMC, for short), which has been considered a subfield of modern cryptography.
In essence, Secure Multi-party Computation refers to distributed computing methods with security concerns [1, 3]. Particularly, in a secure model, there are several parties, in which each participant owns a private input. These participants wish to obtain the result of the specific function f over all private inputs while each party reveals nothing about his/her input but the output result. Unlike the traditional cryptography field, the adversary of SMC problems in general and the SMS problem in particular can be inside the system of participants. The attacks of the adversary may be to learn the honest participants' private input or to cause the outputs to be incorrect [1]. As a result, the "secure" term here means: (1) the output's correctness is guaranteed, and (2) each party's input is privately kept by himself/herself.
Nowadays, SMC has become an interesting topic that has attracted more and more attention from the research community. A variety of SMC problems have been formulated and their solutions have been proposed as SMC protocols, such as secure comparison protocols [4, 5], secure multi-party sum computation protocols [6–8],
11]. Furthermore, such SMC protocols have been applied to various practical problems, such as secure online auction [14], secure e-voting systems [12, 13], privacy-preserving queries system [15], privacy-preserving financial data analytics [16], privacy-preserving online advertising [17], and privacy-preserving machine learning/data mining [18–20].
This thesis has investigated one of the most important and popular SMC problems [6], that is the secure multi-party sum computation one (SMS, for short). In the SMS problem, it is assumed that there are some parties, in which each party owns a private value as his/her input, and the parties wish to obtain the sum of all inputs but they reveal nothing about their inputs beyond the sum value. Similarly to SMC problems in general, the birth of the SMS one has been based on the security requirements of specific distributed computing problems. Currently, a lot of protocols have been propounded for the SMS problem, and they have a wide applicability in various practical computing tasks, such as privacy-preserving tem [21], privacy-preserving multi-party data analytics [22], secure electronic voting system [12, 13], privacy-preserving association rule
privacy-preserving classification [23], secure data collection for the smart grid [24], and secure auction [25, 26].
For SMC problems in general, and the SMS one in particular, the protocols must be secure enough (mainly including the preservation of the privacy of the participants' local inputs and the correctness of the honest parties' outputs [3]) to prevent the adversary's harmful behaviors. Besides, SMS protocols should have good performance (i.e. low computational complexity and communication cost) to be implemented in real-life applications. This is perfectly understandable,
practical SMS problems require performing computational tasks as quickly as possible, such
as secure e-voting, secure online auction. SMS preservation solutions such as the privacy-preserving Apriori algorithm for association rules, the privacy-preserving Naive Bayes classifier, and the secure gradient descent algorithm have to execute an SMS protocol multiple times to compute necessary intermediate values. Moreover, in many distributed computing scenarios, participants use devices limited in computational ability, storage capacity, and connectivity, e.g. smartphones, tablets. Thus, it is significant to develop SMS protocols having both a high security level and good performance.
B Research objectives
As mentioned before, first of all, SMS protocols need to be secure. To do this, SMS protocols either (1) require each participant to split his/her private value into a number of parts, which he then shares with all others using secure communication channels, or (2) use homomorphic cryptosystems such as the ElGamal encryption scheme [27] or the Paillier cryptosystem [28]. Considering approach (1), such protocols obviously have a high cost of communication, and they are unsuitable for multi-party computational models with a large number of participants. In contrast, SMS protocols based on the second approach (2) often have a pricey cost of computation. As a result, it can be stated that the biggest challenge for designing SMS protocols is how to create SMS protocols having both a high security level and good performance. Thus, the research objectives of this thesis include:
• Designing efficient and secure multi-party sum computation protocols that have the capability to preserve the privacy of the parties' local inputs and the correctness of the honest parties' outputs, as well as good performance.
• Developing SMS-based solutions for practical problems that have been currently solved by existing SMS protocols but are not yet secure and efficient.
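As an added illustration of approach (1) above (not code from the thesis), the following Python runs the share-splitting secure sum among semi-honest parties and counts the point-to-point messages, each of which needs its own secure channel; the modulus M and the party inputs are constructed values.

```python
"""Approach (1): each party splits its private value into n additive shares,
sends one share to every other party over a secure channel, and publishes
the sum of the shares it holds.  Added illustration, not the thesis' own
code; the ring size M is a constructed parameter."""
import secrets

M = 2**32   # constructed modulus: every share and partial sum lives in Z_M


def split_value(value, n):
    """Split value into n shares in Z_M whose sum is value mod M.
    The first n-1 shares are uniform, so any n-1 of them reveal nothing."""
    shares = [secrets.randbelow(M) for _ in range(n - 1)]
    last = (value - sum(shares)) % M
    return shares + [last]


def secure_sum_by_splitting(values):
    """Run the share-splitting SMS protocol among len(values) semi-honest
    parties.  Returns (sum mod M, number of point-to-point messages sent)."""
    n = len(values)
    # Round 1: party i computes its shares; share j goes to party j.
    # Share i stays with party i and is never transmitted.
    outgoing = [split_value(v, n) for v in values]
    received = [[] for _ in range(n)]
    messages = 0
    for i in range(n):
        for j in range(n):
            received[j].append(outgoing[i][j])
            if i != j:
                messages += 1        # one message over secure channel i -> j
    # Round 2: each party publishes the sum of what it holds.  Each partial
    # sum is uniform in Z_M, so broadcasting them reveals nothing beyond
    # the total.
    partial_sums = [sum(r) % M for r in received]
    total = sum(partial_sums) % M
    return total, messages


def channel_count(n):
    """Secure point-to-point channels approach (1) needs for n parties: n(n-1)."""
    return n * (n - 1)
```

The quadratic channel count is the communication cost the text refers to; the homomorphic approach (2) replaces it with one public broadcast per party.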
C Main contributions
The scientific story of this thesis is narrated as follows:
• The thesis starts with basic distributed computing problems requiring to execute SMS protocols once (e.g. the single-candidate secure e-voting problem). Through a comprehensive analysis, one of the most typical SMS protocols has been chosen
mal cryptosystem-based variant. Hence, the first proposed protocol has not only a high level of security, but also good
based on one of the most typical SMS protocols mentioned above, the thesis tries to integrate a Schnorr signature-derived authentication method into a secure multi-party sum computation function, in which both these cryptographic tools employ the same private and public keys. Hence, the second proposed protocol has a unique feature which is unlike the existing work, that is no need to pre-establish any authenticated channel between each tuple of parties. Furthermore, this protocol is still secure in the common semi-honest model, as well as efficient in real-life applications.
• In the next stage, the thesis considers practical problems where SMS protocols have been performed multiple times for solving specific distributed computing tasks (e.g. privacy-preserving data mining and machine learning problems). The selected typical SMS protocol is re-designed with the aim of obtaining many sum values in only one round of computation and communication. As a result, the third proposed protocol efficiently computes multiple sum values. In addition, this proposal significantly saves the cost of key generation and management.
• Finally, to demonstrate the applicability of the above results, the thesis constructs the new protocols-based solutions for the secure end-to-end e-voting scheme and the privacy-preserving Naive Bayes classification problem in the horizontal dataset setting.
The general contribution of this thesis is to propose novel SMS protocols. However, unlike the previous work, the SMS protocols of this thesis are efficient enough to be implemented in real-life applications. In particular, the contributions of this thesis are presented in the following sections.
The first contribution
The thesis proposes three novel SMS protocols based on the homomorphic ElGamal encryption. Because this standard cryptography
semantically secure, all proposed protocols achieve a high level of security without using any trusted party or more than two non-colluding parties. The three new SMS protocols include:
• The privacy-preserving frequency computation (PPFC) protocol
obtain a frequency value in the context where communication channels among parties are authenticated. In addition to a high level of security, this protocol has good performance, since it is optimally re-designed from the ideas of the typical SMS ones and elliptic curve cryptography. Consequently, the proposed PPFC protocol can be employed as a key building block to securely and rapidly compute single or multiple sum values (e.g. counting the result of secure e-voting problems).
• The SMS protocol can securely compute a sum value in the scenario where communication channels among parties are only public. This proposal is methodically combined of a secure sum function and a Schnorr signature-derived authentication method, so the second SMS protocol not only satisfies the mandatory requirement of security, but also is efficient. Especially, this protocol can be directly implemented on public channels (e.g. Internet) without pre-establishing any authenticated/secure channels. Because of the above advantages, the second SMS protocol can become a suitable solution for the secure single-candidate electronic voting problem in the semi-honest model.
• The secure multi-sum computation protocol that can privately compute multiple sum values in one round of computation and communication. By using an optimal technique for solving discrete logarithm problems with a small space of solutions, this protocol has not only a high security level but also
end voting scheme often require to accurately and rapidly count the voting result over various types of communication channel, the combination of the proposed PPFC and the SMS protocols are chosen to solve this problem. For the privacy-preserving Naive Bayes classifier that requires to sum up frequency values used for constructing the Naive Bayes classification model while
• Chapter 1 provides a general background about secure multi-party computation problems.
• Chapter 2 analyzes typical SMS protocols in detail. Based on the analysis result, this chapter proposes three new protocols for privacy-preserving frequency computation, secure multi-party sum computation without pre-establishing secure/authenticated channels, and secure multi-sum computation.
• Chapter 3 develops the solutions based on the new SMS protocols for two practical applications, i.e. the secure electronic voting scheme and the privacy-preserving Naive Bayes classifier.
CHAPTER 1 OVERVIEW OF SECURE MULTI-PARTY SUM COMPUTATION
1.1 Background of secure multi-party computation
Here, it needs to be expressed that the "secure" concept means the two following constraints:
• The correctness of the function's output is guaranteed.
• Each party's input is privately kept by himself/herself.
Generally, the security property of an SMC protocol depends on the adversary model, including the type of adversary (i.e. semi-honest or malicious), the type of communication channels (i.e. secure, authenticated, or public), and the capabilities of the adversary (i.e. number of controlled parties, eavesdropping on transferred messages, and computational power). Hence, the design of an SMC protocol needs to achieve the security level corresponding to the selected adversary model. This aspect is fully analyzed in the next sections.
Figure 1.1: The distributed computing model in a secure manner
passwords. As depicted in Figure 1.3, Apple's technologies can detect the user's passwords occurring on the list of weak or leaked passwords (e.g. 12345678, password, and iloveyou) without knowing what the user's passwords are.
Figure 1.3: An example of monitoring user's passwords
Figure 1.4: An example of the DNA pattern-matching problem
Considering the DNA pattern-matching problem [30] (as illustrated in Figure 1.4), there is a party who wants to determine a specific DNA subsequence's existence (e.g. a short DNA string that describes a mutation leading to a disease) inside a DNA sequence owned by another party, without disclosing each party's input.
Another typical SMC problem, as depicted in Figure 1.5, is the sealed-bid auction system where the auctioneer exactly determines the winner without opening the bids.
In general, the solutions for SMC problems have been formulated into SMC protocols that have been defined as a set of specific rules and guidelines for processing, com-
same length ($|v_i| = |v_j|$ for all $i, j$). The multi-party computation function $f$ is defined as follows:
$$f: (\{0,1\}^*)^n \to (\{0,1\}^*)^n, \qquad \bar{v} = (v_1, \ldots, v_n) \mapsto f(\bar{v}) = (f_1(\bar{v}), \ldots, f_n(\bar{v})) \tag{1.1.1}$$
As depicted above in Figure 1.1, the $i$-th party, who owns the private input value $v_i$, wishes to obtain the $i$-th element in $f(v_1, \ldots, v_n)$, that is $f_i(v_1, \ldots, v_n)$ (denoted as $y_i$). A multi-party computation function $f$ can fall into one of the following types:
• General functions (including both deterministic and indeterministic functions): that can return different outputs with the same input value in different executions.
Conceptually, the secure multi-party computation field refers to
Thus, the SMC area has become a crucial part of modern cryptography [3]. In the opposite perspective, there still exists the difference between
Next, the thesis provides a well-known security definition of a general secure multi-
1.1.3 Definition of security
Before presenting the standard definition of security for the SMC field, the thesis describes an adversary model chosen for this study, a general approach formalizing the security of an SMC protocol, and necessary technical preliminaries.
1.1.3.1 Adversary model
This section formalizes possible attacks on an SMC protocol into an adversary model that has been used as an important basis to design provably secure cryptographic protocols. Referring to the work [31], the adversary model of this study also consists of three components, i.e. assumptions, goals, and capabilities of an adversary.
i Adversary assumptions
Basically, one of the most different characteristics between the SMC field and traditional cryptography (e.g. encryption, digital signature) is that an SMC protocol can be attacked by not only an external entity but also a set of corrupted internal parties controlled by an external entity [3]. Consequently, the computational model of SMC includes three types of entity: (1) honest parties who follow the rule of the protocol and do not collude with anyone to perform malicious behaviors, (2) corrupted parties who are ready to collude with others or can be controlled by an external adversarial entity to execute malicious behaviors against honest parties, and (3) an external adversary who controls corrupted parties to perform malicious behaviors.
Considering the corrupted parties' behaviors, if the corrupted parties are semi-honest, then they still follow the protocol's rule but they can collude together or be controlled by the adversary to execute harmful behaviors such as trying to gain others' private data input. In contrast, in the case the corrupted parties are malicious, they can arbitrarily perform their behaviors without following the protocol's rule, and may even abort the protocol at any time. Based on the corrupted parties' behaviors, there are two types of SMC model, i.e. th
because if a party who is ready to participate in an SMC protocol execution with his good will and reputation, then he should follow the rule of the protocol. For example, there are several hospitals who wish to jointly research on their united patient records. Due to privacy constraints, each hospital is not allowed to know others' data. Clearly, the semi-honest model is appropriate for such a scenario. In the case there exist curious parties who want to discover others' private data based on what they observed, they should be prevented by the protocol's design.
Here, it should be emphasized that the parties in the semi-honest model only adhere to the rules of computation, so that the non-collusion assumption (e.g. in [23, 35–37]) is unreasonable [1]. It is also noted that although the security requirement of SMC protocols in the semi-honest model is not too strict, this model is an important first step toward achieving higher levels of security. The semi-honest model thus will play a major role in the design of protocols for the malicious model, and protocols that are secure in the semi-honest model can be transformed into protocols that are secure in the malicious model [3].
Next, because of controlling the corrupted internal parties, it is assumed that the adversary knows the corrupted internal parties' knowledge (e.g. private keys, confidential data input), as well as accessing communication channels among parties. In addition, to consolidate the contributions, this thesis assumes that the communication channels between the parties are only authenticated or even public.
ii Adversary's goals
While the classical distributed computing field often faces inadvertent threats such as unstable communication and machine crashes, SMC protocols are concerned with some adversarial entity's attacks with the aims of learning the honest parties' private input or causing the output result to be incorrect [1].
iii Adversary's capabilities
As mentioned before, the adversary has an extremely powerful capability that controls up to (n−2) corrupted internal parties (of course, we cannot know who the
1.1.3.2 Definitional approach
The direct way to define the security of an SMC protocol is to predetermine the requirements, then show that the protocol satisfies all of them [3, 38]. However, this approach is not general because: (i) an important property can be ignored, (ii) the security definition is simple enough to see that the adversary's possible attacks can be prevented [1].
To choose a suitable approach for defining the security of SMC protocols, let us begin with a very basic paradigm for a public-key cryptosystem, that is semantic security. Goldwasser and Micali [39] stated that a public-key cryptosystem is semantically secure if whatever an adversary can compute about the plaintext given the ciphertext, it can also compute when receiving nothing. Obviously, if the adversary receives nothing, then it gains nothing about the plaintext. The context where the adversary receives nothing seems to imply an "ideal world" [40]. Explicitly, a system is secure in the real world if the adversary receives the ciphertext but nothing is learned (equivalent to the ideal world where the adversary receives nothing). More generally, the security of a system is proved by comparing what happens in the "real world" to what happens in the "ideal world". As a result, this formulation of security is called the "ideal/real simulation paradigm". Moreover, the simulation-based security model is the simplest but the most rigorous among the security models for malicious adversaries.
For the secure multi-party computation field (see Figure 1.6), the ideal world model is where there exists a trusted party who helps the participants to compute the output without security concerns, and the real one is where no trusted party exists. In other words, no participant trusts anyone in the real world. The security of a protocol is determined by comparing the outcome of a real protocol execution to the one of an ideal protocol execution [3].
Figure 1.6: The real and ideal models in distributed computing field
Thus, in the SMC field,
Definition 1.1.1. A function $\mu(n)$ is called negligible in $n$ if for all positive polynomials $p(\cdot)$, there exists a non-negative integer $N$ such that $\forall n > N$:
$$\mu(n) < \frac{1}{p(n)}$$
ii Computationally indistinguishable
The notion of computational indistinguishability is very crucial for both the cryptography and SMC fields [41]. Hence, the following definition [3] is provided.
Definition 1.1.2. Let $X(n,a)$, $Y(n,a)$ be two random ensembles indexed by $(n,a)$ and $X = \{X(n,a)\}_{n \in \mathbb{N}, a \in \{0,1\}^*}$, $Y = \{Y(n,a)\}_{n \in \mathbb{N}, a \in \{0,1\}^*}$ the corresponding distributions. $X$, $Y$ are called "computationally indistinguishable" (denoted as $X \overset{c}{\equiv} Y$) in
honest model using public channels that is referred from the SMC framework [3].
Definition 1.1.3 (privacy with respect to the semi-honest model using public channels [3]).
Let $f$ be a secure multi-party computation function as defined in Section 1.1.1.
• In the case $f$ is a deterministic function: the protocol $\Pi$ privately computes the function $f$ against $t$ corrupted participants if $\forall I \subseteq \{1, 2, \ldots, n\}$ such that $\|I\| = t$, there exists a probabilistic polynomial-time algorithm $M$ such that
$$\{\mathrm{VIEW}^{\Pi}_{A,I}(\bar{v})\}_{\bar{v} \in (\{0,1\}^*)^n} \overset{c}{\equiv} \{M(I, \bar{v}_I, f_I(\bar{v}))\}_{\bar{v} \in (\{0,1\}^*)^n}$$
• In the general case: the protocol $\Pi$ privately computes the function $f$ against $t$ corrupted participants if $\forall I \subseteq \{1, 2, \ldots, n\}$ such that $\|I\| = t$, there exists a probabilistic polynomial-time algorithm $M$ such that
$$\{(\mathrm{VIEW}^{\Pi}_{A,I}(\bar{v}), \mathrm{OUTPUT}^{\Pi}(\bar{v}))\}_{\bar{v} \in (\{0,1\}^*)^n} \overset{c}{\equiv} \{(M(I, \bar{v}_I, f_I(\bar{v})), f(\bar{v}))\}_{\bar{v} \in (\{0,1\}^*)^n} \tag{1.1.4}$$
Besides, there is a composition theorem often used to construct SMC protocols in the semi-honest model (see Theorem 1.1.1).
Theorem 1.1.1. Suppose that the function $g$ is privately reducible to the function $f$, and $f$ is privately computed by a secure protocol. Then there exists a protocol for privately computing $g$ [3].
This theorem says that if a protocol can be decomposed into sub-protocols, then it will be secure if its sub-protocols are secure [3].
In this thesis, all proposals' security is proved using Definition 1.1.3 and Theorem 1.1.1.
Next, the thesis presents the foundation of cryptography used as preliminaries of the secure multi-party computation field.
1.1.4 Cryptographic preliminaries
1.1.4.1 Discrete logarithm problems
For general cryptographic protocols, the discrete logarithm problems can be seen as one of the most important preliminaries. As a result, this section provides basic concepts related to the discrete logarithm problems, referred from the book [41].
Consider a cyclic group $G$ of order $q$ ($G = \{g^0, g^1, \ldots, g^{q-1}\}$). This means that $\forall h \in G$, there exists a unique value $x \in \mathbb{Z}_q$ such that $g^x = h$. In that context, $x$ is called the "discrete logarithm of $h$ with the base $g$" and written $x = \log_g h$. The hard discrete logarithm problem is defined as follows:
Definition 1.1.4. [41] Let $G$ be a cyclic group of order $q$ ($\|q\| = n$) with the generator $g$ and a random element $h \in G$. The discrete logarithm problem in $G$ is to compute $\log_g h$. The experiment simulating the discrete logarithm problem in $G$ (denoted as $\mathrm{DLog}_{A,G}(n)$) is described in the following steps:
• Run the polynomial algorithm $\mathcal{G}(1^n)$ to obtain the parameters $(G, q, g)$.
• Choose a random element $h \in G$.
• The algorithm $A$ is given $(G, q, g, h)$ and outputs the value $x \in \mathbb{Z}_q$.
• If $g^x = h$, then the output of this experiment is 1, and 0 otherwise.
The discrete logarithm problem is hard relative to $G$ if for all probabilistic polynomial-time algorithms $A$, there exists a negligible function $\mu(n)$ such that
• Decisional Diffie-Hellman (DDH) problem
Given the parameters $(G, q, g)$ and three elements $X = g^x$, $Y = g^y$, $Z = g^z$ with $x, y, z$ randomly chosen in $\mathbb{Z}_q$, the hard decisional Diffie-Hellman problem is defined as follows:
Definition 1.1.5. The DDH problem is hard relative to $G$ if for all probabilistic polynomial-time algorithms $A$, there exists a negligible function $\mu(n)$ such that
• The discrete logarithm problem is hardest in these groups, and the decisional Diffie-Hellman assumption also holds in such groups.
• It is easy to choose a generator of a cyclic group of large prime order (i.e. every element, excepting the identity).
Additionally, cyclic groups of large prime order are suitable for SMC models
1.1.4.2 ElGamal public-key cryptosystem: a homomorphic encryption
This section presents a common variant of the ElGamal encryption scheme [27] that is based on discrete logarithm problems.
fied into $C(m_1) = (g^{m_1} h^{k_1}, g^{k_1})$; $C(m_2) = (g^{m_2} h^{k_2}, g^{k_2})$, respectively. Consequently, the value $C(m_1) C(m_2) = (g^{m_1 + m_2} h^{k_1 + k_2}, g^{k_1 + k_2})$ is the ciphertext of $(m_1 + m_2)$. Simultaneously, the small-sized value $m$ can be easily extracted from $g^m$ without spending much time, because there exist a lot of methods solving this problem, among which Shanks' baby-step giant-step algorithm is one of the best candidates.
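The additive homomorphism and the baby-step giant-step recovery described above, as an added Python example that is not the thesis' own code: it runs a full exponential-ElGamal secure sum over a constructed toy subgroup (p = 1019, q = 509, chosen only so the example runs instantly), and returns None when the recovered exponent lies outside the assumed small solution space.

```python
"""Exponential ElGamal secure sum: each party encrypts its input under the
miner's public key, the ciphertexts are multiplied component-wise, and the
decrypted value g^(sum) is turned back into the sum with Shanks' baby-step
giant-step.  Added illustration, not the thesis' own code.  The group is a
constructed toy subgroup (p = 1019 = 2q + 1, q = 509); a real deployment
uses a cryptographic-size group such as a 256-bit elliptic-curve group."""
import secrets
from math import isqrt

P = 1019          # constructed safe prime
Q = 509           # prime order of the subgroup holding keys and messages


def find_generator(p, q):
    """Return a generator of the order-q subgroup of Z_p^* (any QR != 1)."""
    for cand in range(2, p):
        g = pow(cand, (p - 1) // q, p)
        if g != 1:
            return g
    raise ValueError("no generator found")


G = find_generator(P, Q)


def keygen():
    """Miner's key pair: private x in Z_q, public h = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(h, m):
    """Exponential ElGamal ciphertext C(m) = (g^m * h^k, g^k), as in the text."""
    k = secrets.randbelow(Q - 1) + 1
    return (pow(G, m, P) * pow(h, k, P) % P, pow(G, k, P))


def combine(ciphertexts):
    """Component-wise product: the result encrypts the sum of the plaintexts
    under randomness k1 + k2 + ..., exactly the homomorphism in the text."""
    c1, c2 = 1, 1
    for a, b in ciphertexts:
        c1, c2 = c1 * a % P, c2 * b % P
    return c1, c2


def decrypt_to_exponent(x, ct):
    """Remove the mask h^k = (g^k)^x; returns g^m, not m itself."""
    c1, c2 = ct
    return c1 * pow(c2, (Q - x) % Q, P) % P    # c2^(q-x) = (c2^x)^(-1)


def bsgs(target, bound):
    """Baby-step giant-step: find m in [0, bound) with g^m == target.
    Costs O(sqrt(bound)) group operations; returns None when no such m
    exists, i.e. when the sum has left the expected small solution space."""
    m = isqrt(bound) + 1
    baby = {}
    e = 1
    for j in range(m):                  # baby steps: g^j for j < m
        baby.setdefault(e, j)
        e = e * G % P
    giant = pow(G, (Q - m) % Q, P)      # g^(-m)
    gamma = target
    for i in range(m):                  # giant steps: target * g^(-i*m)
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * giant % P
    return None


def secure_sum(values, bound):
    """Whole SMS run: returns the sum of values, or None if it is >= bound."""
    x, h = keygen()
    cts = [encrypt(h, v) for v in values]   # each party, independently
    total_ct = combine(cts)                  # any party or the miner, no key
    return bsgs(decrypt_to_exponent(x, total_ct), bound)


if __name__ == "__main__":
    print(secure_sum([3, 5, 7, 11], bound=100))   # 26
```

Only the miner holds x, so no single ciphertext is ever opened; the bound passed to bsgs is the caller's promise about the size of the solution space, and a None result is the signal that this promise was violated.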
In addition, there exists an elliptic curve analog of the ElGamal cryptosystem [43], described as follows:
Let $q, E(F_q), O, G, q$ be secure cryptographic parameters. The private key is $d \in [1, q-1]$, and the public key is $Q = dG$.