Introduction

Cloud computing has grown considerably in recent years, and computing models that store data and applications on remote servers have matured and become popular. Edge cloud computing [1,2,3,4] enables efficient data processing and transmission, and many of its applications also appear in the Internet of Things [5, 6]; deep learning and model training are combined with cloud computing for personalized web recommendation and anomaly detection [7,8,9,10]. It also poses security risks [11]. As data and computation are dispersed to edge nodes, attackers may exploit the weaker security mechanisms of those nodes to compromise them, leading to data leakage or service disruption. Strict security measures, including data encryption, authentication, access control and vulnerability management, must therefore be adopted in edge cloud computing applications to ensure the security and stability of the system. In the big-data setting, data security, communication security [12, 13], secure data sharing and privacy-preserving computation have become particularly important, and many researchers have studied data security, privacy protection, and adversarial attack and defense in depth [14,15,16,17,18]. From the perspective of cryptography, secure multiparty computation (SMPC) [19] provides a principled solution. Yao proposed the "millionaires' problem" in 1982, leading to the first secure two-party computation protocol [20], which represents the function to be computed as a boolean circuit and provides computational security in the semi-honest model. Goldreich et al. then gave the first secure multiparty computation protocol [21], also proven secure in the semi-honest model.
After decades of development, existing research has focused on the performance of SMPC, mainly the number of communication rounds, the communication complexity, the computational complexity, and the minimization of complexity assumptions in order to strengthen the notion of security. Abraham et al. [22] construct a protocol based on verifiable secret sharing (VSS) that matches the semi-honest setting with a round complexity proportional to the circuit depth. An SMPC protocol secure against malicious adversaries without trusted-setup assumptions was proposed in [23]: a 5-round SMPC protocol based on the Decisional Diffie-Hellman (DDH) assumption and a 4-round SMPC protocol built from one-way permutations under the sub-exponentially secure DDH assumption. For the problem of optimizing the number of rounds, Ananth et al. [24] study the round complexity of n-party protocols in the honest-majority setting that tolerate the corruption of \(t<\frac{n}{2}\) participants and achieve security with abort in the plain model, where the security of the protocol depends only on one-way functions. Cryptographic techniques such as laconic function evaluation (LFE) and oblivious transfer (OT) are used to construct secure multiparty computation protocols [25,26,27] and to reduce the number of rounds of interaction between participants. Existing studies show that secure multiparty computation still suffers from high communication overhead, high round complexity and low security strength. This paper therefore builds on cloud computing to achieve a more secure and efficient secure multiparty computation scheme; the general process is shown in Fig. 1.

Fig. 1 Secure multiparty computation scheme on the cloud

This paper is devoted to the round-complexity optimization problem of SMPC on the cloud: it introduces harder security assumptions to strengthen the notion of security, reduces the number of interactions, and achieves low communication overhead for privacy-preserving cloud computing. The contributions of this paper are as follows.

1. To optimize the round complexity of the protocol in cloud-based SMPC, we construct a 2-round secure multiparty computation protocol using a multilinear map based on the LWE assumption.

2. The protocol is implemented in the UC framework: the ideal functionality is delivered to the computation on the cloud and each participant can access it, so the protocol finally implemented on the cloud has UC security for SMPC and increased security strength.

3. The parameters of the SMPC protocol depend only on the LWE instantiation and the depth of the computational circuit, which achieves sublinear communication overhead.

The Related work section describes related work in the area of secure multiparty computation, and the Preliminaries section provides an overview of multilinear maps, learning with errors (LWE), universal composability (UC), garbled circuits and zero-knowledge proofs. The Protocol construction section describes the specific construction of the scheme, and the Security demonstration section proves the security of the construction. Finally, we summarize our work in the Conclusions section.

Related work

Secure multiparty computation with a constant number of rounds was first studied in [28] to reduce the number of interaction rounds; Gordon et al. [29] designed constant-round SMPC protocols in the honest-majority setting that guarantee fairness for the parties and correct delivery of the output (Table 1). A series of subsequent works targets the security of SMPC, designing protocols secure against malicious adversaries from various hardness assumptions [30,31,32]. Garbled circuits combined with non-committing encryption (NCE) in the plain model yield adaptively secure constant-round secure multiparty computation protocols, with several extensions and applications [33]. Combining cryptographic primitives, fully homomorphic encryption [34] under the learning with errors (LWE) assumption gives two-round secure multiparty computation with one round of distributed decryption of ciphertexts under multiple secret keys [35, 36], which greatly stimulated later research. The bilinear mapping operation provides a distinctive way of operating in secure multiparty computation: inputs are first encoded and then operated on; the evaluation takes as input the set of garbled protocol components together with the labels corresponding to each party's input encoding and outputs the whole transcript of the distributed protocol [37], which in turn incorporates garbled circuits in the design of garbled protocols. With the study and development of lattice trapdoors [38,39,40], encoding schemes built on trapdoors have improved their security level under the LWE assumption, and graded multilinear encodings have been widely used in cryptography, from non-interactive key exchange to broadcast and attribute-based encryption.
Ciampi et al. [41] construct secure two-party computation from oblivious transfer, building such protocols from trapdoor permutations on top of four-round delayed-input non-malleable zero-knowledge arguments. The development of UC [42, 43] likewise has many applications in secure multiparty computation: in the UC framework, the security of a protocol rests on the indistinguishability of the ideal and real executions. In the static-security setting, protocols with sublinear communication are built from threshold FHE and non-interactive zero-knowledge proofs (NIZK) [44], which typically require four rounds of interaction in the threshold-PKI model and five rounds in the CRS model. Round optimization has been carried out in the honest-majority setting, with protocols designed in the model where the communication is polynomial in the circuit size [24, 29], achieving static security. Existing studies show that secure multiparty computation still suffers from high communication overhead, high round complexity and low security strength. The solution in this paper is dedicated to optimizing the number of rounds and the communication overhead, introducing harder security assumptions and strengthening the notion of security.

Table 1 Comparison of SMPC protocols in the honest-majority setting for a function \(F:(\{0,1\}^{l_{in}})^n\rightarrow \{0,1\}^{l_{out}}\) represented by a circuit C of depth d

Preliminaries

In this section we review multilinear maps, learning with errors (LWE), universal composability (UC), garbled circuits and zero-knowledge proofs. We denote by \(k\in N\) the security parameter, and for all \(n\in N\) we write [n] for \(\{1,2,\dots,n\}\). PPT denotes probabilistic polynomial time and poly denotes a positive polynomial. A function \(\mu\) is negligible if \(\mu(k)<\frac{1}{poly(k)}\) for every positive polynomial poly and all sufficiently large k. For a vector \(x=(x_1,x_2,\dots,x_n)\), its norm is defined as \(\|x\|_\infty=\max_i|x_i|\). If two distributions \(D_1\), \(D_2\) are statistically close we write \(D_1\overset{s}{\equiv}D_2\); if they are computationally indistinguishable we write \(D_1\overset{c}{\equiv}D_2\).

Multilinear maps

Multilinear maps [39, 40] are an abstractly defined mathematical tool that allows us to operate on a sequence of group elements and to extract part of the information from the combined output. Given t cyclic groups \(G_1,G_2,\dots,G_t\) and a target cyclic group G, a multilinear map e of order t satisfies

$$\begin{aligned} e:G_1\times G_2\times \dots \times G_t\rightarrow G. \end{aligned}$$
(1)
$$\begin{aligned} e({g_1}^{x_1},{g_2}^{x_2},\dots,{g_t}^{x_t})=g^{x_1\times x_2\times \dots \times x_t}. \end{aligned}$$
(2)

where \(g_1,g_2,\dots,g_t\) are generators of the cyclic groups \(G_1,G_2,\dots,G_t\), g is a generator of the target group G, and \(x_1,x_2,\dots,x_t\) are integer exponents. We regard \({g_i}^{x_i}\) (\(i\in[t]\)) as the encoding of \(x_i\); a multilinear map of order t takes the encodings \({g_1}^{x_1},{g_2}^{x_2},\dots,{g_t}^{x_t}\) of the t unknown values \(x_1,\dots,x_t\) and produces the encoding \(g^{\prod_{i\in[t]}x_i}\) of their product in the target group G. The corresponding additive operation is obtained similarly: if \(\boxplus\) denotes the group operation, then \(g^{x_1}\boxplus g^{x_2}=g^{x_1+x_2}\). For a multilinear map of order t, however, at most t levels of multiplication can be performed, whereas additions can be performed at any level. The result of a computation is presented in encoded (ciphertext) form, and part of its information can be extracted with a zero-test algorithm. ZeroTest algorithm: given an element h of the target group G, the ZeroTest algorithm decides whether h encodes zero.

$$\begin{aligned} ZeroTest\left( h\right) : h\overset{?}{=}g^0 . \end{aligned}$$
(3)

If \(h=g^0\), then h is an encoding of zero in the target group G; if \(h\ne g^0\), it is not.

Learning with errors

Trapdoor-based LWE designs have been developed through the study of lattice trapdoors [38]. Let k denote the security parameter, let the parameters \(n=n(k)\), \(q=q(k)\) of the LWE [45] instance be integers, and let \(\chi=\chi(k)\) be a distribution over Z. The \({LWE}_{n,q,\chi}\) assumption states that for every polynomial \(m=m(k)\) the following two distributions are computationally indistinguishable:

$$\begin{aligned} \left( A,sA+e\right) \overset{c}{\equiv }\left( A,z \right) . \end{aligned}$$
(4)

where \(A\leftarrow Z_q^{n\times m}\) is uniform, \(s\leftarrow Z_q^n\) is the secret vector, \(e\leftarrow \chi^m\) is the noise vector and \(z\leftarrow Z_q^m\) is uniform. In trapdoor LWE [17, 19], for any \(m'\in N\), A is a matrix statistically close to uniform that comes with a trapdoor \(R\in Z_q^{m'\times n\log q}\), and the LWE hard problem is built on this matrix. Using the trapdoor of A another matrix \(D_1\) can be generated such that \(AD_1=sA_1+e_1\); similarly \(A_1D_2=sA_2+e_2\), where \(A_1\) is again a near-uniform matrix with its own trapdoor \(R_1\). That is, the matrix \(D_i\) of the current level is generated from the trapdoor \(R_{i-1}\) of the previous level, and the whole process forms a nested chain structure.

Theorem 1

(secure MPC with sublinear communication [26, 46], informal). Assuming LWE and secure erasures (alternatively, sub-exponential iO), every function can be securely computed by a 2-round protocol tolerating a malicious adversary that can adaptively corrupt all of the parties, such that the communication complexity, the online-computation complexity, and the size of the common reference string are sublinear in the function size.

Universally composable

In [46,47,48] the universally composable framework is defined through the following two models; indistinguishability between them yields UC security as well as security under composition.

Real model: the whole execution consists of a UC environment Z, an adversary A, and n participants. Z invokes all participants, generates all inputs and can read all outputs, and at the end Z outputs the result of the whole execution. The output of the environment Z in the real model is denoted \({Real}_{\pi,A,Z}(x,k,r)\), where \(\pi\) denotes the protocol run by the n participants as specified above, x denotes the input, k is the security parameter, and r denotes the random information.

Ideal model: F denotes the ideal functionality, S (the simulator) denotes the ideal adversary, n Turing machines denote the participants, and Z is the environment. In the ideal model F defines the behaviour of the desired computation: it receives the inputs from the participants, performs the computation, and sends the outputs back to the participants. S cannot see the communication between the participants and F, but S can communicate with F. The output of the environment Z in the ideal model is denoted \({Ideal}_{F,S,Z}(x,k,r)\), where x denotes the input, k is the security parameter, and r denotes the random information.

Definition 1

(UC security). Given a protocol \(\pi\) and an ideal functionality F, \(\pi\) UC-realizes F if for every PPT adversary A there exists an adversary S in the ideal model such that, for every environment Z, the following two distributions are computationally indistinguishable.

$$\begin{aligned} {Real}_{\pi ,A,Z}(x,k,r)\overset{c}{\equiv }{Ideal}_{F,S,Z}(x,k,r). \end{aligned}$$
(5)

Hybrid model: the F-hybrid model combines the ideal model with the real model, extending the real model with an ideal functionality F with which every participant can interact. The output of Z in the hybrid model is denoted \({Hybrid}_{\pi,A,Z}^F(x,k,r)\).

Definition 2

(security in the hybrid model). Let F and G be ideal functionalities and let \(\pi\) be a protocol run by n participants. \(\pi\) UC-realizes the ideal functionality G in the F-hybrid model if for every adversary A in the hybrid model there exists an adversary S in the ideal model such that, for every environment Z, the following two distributions are computationally indistinguishable.

$$\begin{aligned} {Ideal}_{G,S,Z}(x,k,r)\overset{c}{\equiv }{Hybrid}_{\pi ,A,Z}^F(x,k,r). \end{aligned}$$
(6)

Theorem 2

(UC composition). Let \(\pi\) be a protocol that UC-realizes F and let \(\rho\) be any F-hybrid protocol. The composed protocol \(\rho^\pi\), in which the calls to F are replaced by executions of \(\pi\), emulates \(\rho\): for every adversary A there exists an ideal adversary S such that no environment Z can distinguish, with non-negligible probability, whether it is interacting with A and \(\rho^\pi\) or with S and \(\rho\). In other words, if \(\rho\) is an F-hybrid protocol and \(\pi\) UC-realizes F, then \(\rho^\pi\) UC-realizes \(\rho\).

Garbled scheme

Let \(\pi\) be an n-participant protocol, \(x_i\) the input of participant \(P_i\), and \(\pi_i\) the next-message function of \(P_i\). Running \(\pi\) on inputs \(x_1,\dots,x_n\) is written \(\pi(x_1,\dots,x_n)\), which also denotes the output of the protocol.

Definition 3

(Garbled scheme GC). A garbled scheme [30, 33, 37] consists of the tuple of polynomial-time algorithms GC = (Setup, Garble, Eval) with the following security properties:

\(Setup(1^k)\): a polynomial-time algorithm that takes the security parameter as input and outputs a common reference string CRS.

\(Garble(CRS,i,\pi _i,x_i)\): a polynomial-time algorithm that takes as input the common reference string CRS, the index i, the next-message function \(\pi _i\) and the party's input \(x_i\), and outputs (1) the garbled next-message function \(\widetilde{\pi _i}\); (2) the encoded input \(\widetilde{x_i}\) of length \(l_e\); (3) the labels \(\left\{ lab_{j,0}^{i},lab_{j,1}^{i} \right\} _{j\in [n\cdot l_{e}]}\) corresponding to the encoded inputs of all parties.

\(Eval(\widetilde{\pi _i},\{\widetilde{x_i}\},{lab}_{\widetilde{x_1}||...||\widetilde{x_n}}^i)\): takes as input \(\widetilde{\pi _i}\), the set of encoded inputs \(\{\widetilde{x_i}\}\) and the labels \({lab}_{\widetilde{x_1}||...||\widetilde{x_n}}^i\) selected by the concatenated encoding \(\widetilde{x_1}||...||\widetilde{x_n}\), and outputs the result value y or the abort symbol \(\perp\).

Correctness: for every n-party protocol \(\pi\) and every set of party inputs \(\left\{ x_{i}\right\} _{i\in [n]}\) we have:

\(Pr[CRS\leftarrow Setup(1^k);(\widetilde{\pi _i},\widetilde{x_i},{{lab}_{j,0}^i,{lab}_{j,1}^i})\leftarrow Garble(CRS,i,{{\pi _i},x}_i)\forall i\in [n]:\pi \left( x_{1},...,x_{n} \right) =Eval(\widetilde{\pi _i},\left\{ \widetilde{x_i} \right\} ,{lab}_{\widetilde{x_1}||...||\widetilde{x_n}}^i)]= 1\)

Security: for every protocol \(\pi\), every subset of honest participants \(H\subseteq [n]\) and all inputs \(\{x_i\}_{i\in[n]}\) chosen by the participants, there exists a PPT simulator Sim such that:

$$\begin{aligned} \left\{ CRS,\left\{ \widetilde{\pi _i},\widetilde{x_i},{lab}_{\widetilde{x_1}||...||\widetilde{x_n}}^i\right\} _{i\in [n]}\right\} \overset{c}{\equiv }\left\{ Sim(1^k,\pi ,H,\left\{ x_i\right\} _{i\notin H},\pi \left( x_{1},...,x_{n} \right) )\right\} \end{aligned}$$

where \(CRS\leftarrow Setup(1^k)\), for all \(i\in [n]\) with \((\widetilde{\pi _i},\widetilde{x_i},{{lab}_{j,0}^i,{lab}_{j,1}^i})\leftarrow Garble(CRS, i,{{\pi _i},x}_i)\).

Non-interactive zero-knowledge proofs

The NIZK functionality [29, 44, 46] is based on the zero-knowledge functionality of [47], adjusted to obtain the special properties of non-interactive zero-knowledge proofs. A NIZK argument is just a bit string that anyone can use to verify the validity of the statement. The ideal functionality \({F}_{{nizk}}^{R}\) is as follows.

[Ideal functionality \({F}_{{nizk}}^{R}\), given as a figure in the original]

The NIZK ideal functionality is parameterized by an NP relation R and involves n participants \(P_1,P_2,\dots,P_n\). A participant \(P_i\) can send a prove request (x, w); the functionality checks whether \((x,w)\in R\) and asks the adversary S to generate a proof \(\pi\) for the statement x. The functionality stores \((x,\pi )\) and returns the proof to \(P_i\). Any other participant \(\left\{ P_{j} \right\} _{j\in [n],j\ne i }\) can send a verify request \((x,\pi )\): if \((x,\pi )\) has been stored the functionality outputs 1; otherwise the adversary is asked to supply a witness w, and the functionality returns 1 if \((x,w)\in R\) and 0 otherwise. The proof of the following Theorem 3 is given in [46].

Theorem 3

(informal). Assuming LWE, if there exists adaptively secure NIZK arguments for NP, there exists adaptively secure NIZK arguments for NP with proof size sublinear in the circuit size of the NP relation.

Protocol construction

In this section we construct the protocol from a series of related techniques: first the construction of trapdoor matrices, then their application to secure multiparty computation through a trapdoor-LWE-based encoding scheme, then an ideal functionality that captures the properties of secure multiparty computation, and finally the real protocol \(\pi _{smpc}\).

N-participant trapdoor matrix construction

To construct trapdoor matrices for secure multiparty computation we apply a variant of the trapdoor construction of [38]. Let \(m_1=\left\lceil n\log q+\sqrt{n}\right\rceil\), \(m_2=\left\lceil n\log q\right\rceil\) and \(m=m_1+m_2=\left\lceil 2n\log q+\sqrt{n}\right\rceil\). The matrix \(\varvec{A}\) is written \(\varvec{A}=[\varvec{A}_{\varvec{2}}|\varvec{A}_{\varvec{1}}]\) with \(\varvec{A}_{\varvec{1}}\in Z_q^{n\times m_{2}}\) and \(\varvec{A}_{\varvec{2}}\in Z_q^{n\times m_{1}}\). A matrix \(\varvec{R}\in Z_{q}^{m_{1}\times m_{2}}\) is a trapdoor for \(\varvec{A}\) if it satisfies the following: (1) \(\varvec{R}\) is "small"; (2) for the gadget matrix \(G\in Z_q^{n\times m_2}\) we have \(\varvec{A}_{\varvec{1}}=G-\varvec{A}_{\varvec{2}}\varvec{R}\), i.e. \(\varvec{A}=[\varvec{A}_{\varvec{2}}|G]\left( \begin{array}{cc} \varvec{I}&{}-\varvec{R} \\ \varvec{0}&{}\varvec{I} \\ \end{array}\right)\). Generation of \((\varvec{A},\varvec{R})\): choose the trapdoor \(\varvec{R}\in Z_q^{m_1\times m_2}\) from the discrete Gaussian distribution, so that \(\left\| x_{i} \varvec{R}\right\| _{\infty }\le \left\| x_{i} \right\| _{\infty }\left\lceil 2n\log q\right\rceil\); choose a uniformly random matrix \(\varvec{A}_{\varvec{2}}\in Z_q^{n\times m_1}\) and set \(\varvec{A}=[\varvec{A}_{\varvec{2}}|G]\left( \begin{array}{cc} \varvec{I}&{}-\varvec{R} \\ \varvec{0}&{}\varvec{I} \\ \end{array}\right) =\left[ \varvec{A}_{\varvec{2}}| G-\varvec{A}_{\varvec{2}}\varvec{R}\right] \in Z_q^{n\times m}\).

The n trapdoors are generated in the setup phase of the protocol: a matrix \(\varvec{A}_{\varvec{i}}\) with trapdoor \(\varvec{R}_{\varvec{i}}\) is generated for each participant \(P_i\) from a common reference string (CRS). The generation algorithm for the n trapdoor matrices is given below.


Algorithm 1 n trapdoor matrix generation algorithm

During trapdoor matrix generation the CRS holds the participants' parameters; once the participants receive the CRS they can each generate their own corresponding matrix. The whole process depends only on the security parameter k and runs in time poly(k).

SMPC in trapdoor LWE-based multilinear maps

We propose an encoding scheme for secure multiparty computation based on the graded encoding scheme of [39, 40], using a variant adapted to secure multiparty computation. The graded encoding scheme consists of the following polynomial-time algorithms, \(ges=(PrmGen,InstGen,Sample,Garble.Enc,Eval,ZeroTest,Extract)\):

InstGen(gp): given the global parameters gp, instantiate and generate the following:

(1) Use trapdoor sampling to generate a set of matrices \(\varvec{U}_{\varvec{A}}\) with the corresponding set of trapdoors \(\varvec{R}\). Each participant corresponds to one trapdoor matrix under the common random reference string, with the following property.

    $$\begin{aligned} \forall \varvec{R}_{\varvec{i}}\in \varvec{R},\forall \varvec{A}_{\varvec{i}}\in \varvec{U}_{\varvec{A}}\varvec{,(A}_{\varvec{i}},\varvec{R}_{\varvec{i}})\leftarrow trapGen(1^k,1^n,1^m,q). \end{aligned}$$
    (7)

(2) Generate the public parameters \(pp{:=}\left( x,\left\{ \varvec{A}_{\varvec{i}}\varvec{:A}_{\varvec{i}}\varvec{\in U}_{\varvec{A}}\right\} \right)\), where x denotes the public parameter used for the proof, and the private parameters \(sp{:=}\left\{ \varvec{R}_{\varvec{i}}:\varvec{R}_{\varvec{i}}\in \varvec{R}\right\}\).

Sample(pp): generate an input plaintext by sampling an LWE secret \(\varvec{S}\leftarrow Z_q^n\).

\(Garble.Enc(pp,sp, \varvec{S})\): given the matrices \(\varvec{A}_{\varvec{i}}\in \varvec{U}_{\varvec{A}}\), the set of trapdoors \(\varvec{R}\) and the input \(\varvec{s}_{\varvec{i}}\varvec{\leftarrow S}\), sample an LWE error matrix \(\varvec{e}_{\varvec{i}}\leftarrow \chi ^m\) with \(\left\| \varvec{e}_{\varvec{i}} \right\| <\frac{q}{o(\sqrt{n\log q})}\), use the trapdoor \(\varvec{R}_{\varvec{i-1}}\in \varvec{R}\) of \(\varvec{A}_{\varvec{i-1}}\) to compute \(\widetilde{\varvec{D}_{\varvec{i}}}\) with \(\varvec{A}_{\varvec{i-1}} \widetilde{\varvec{D}_{\varvec{i}}}\varvec{=s}_{\varvec{i}}\varvec{A}_{\varvec{i}}\varvec{+e}_{\varvec{i}}\), so that the input \(\varvec{s}_{\varvec{i}}\) is encoded into \(\widetilde{\varvec{D}_{\varvec{i}}}\); output \(\widetilde{\varvec{D}_{\varvec{i}}}\) and the corresponding labels \(\left\{ lab_{j,0}^{i},lab_{j,1}^{i} \right\} _{j\in [n\cdot l_{e}] }\).

\(Eval(\widetilde{\varvec{D}_{\varvec{i}}},{lab}_{\varvec{A||}\widetilde{\varvec{D}_{\varvec{1}}}\varvec{||...||}\widetilde{\varvec{D}_{\varvec{n}}}}^i)\): The calculation operations include addition and multiplication operations as follows.

There are n participants \(P_1,P_2,\dots,P_n\) with inputs \(\varvec{s}_{\varvec{1}},\varvec{s}_{\varvec{2}}\varvec{,\ldots ,s}_{\varvec{n}}\), where \(\varvec{s}_{\varvec{i}}\leftarrow Z_q^n\) for \(i\in[n]\), and \(n+1\) matrices with trapdoors \(\varvec{U_A=\left\{ A,A_1,\ldots ,A_n \right\} }\). Each participant encodes \(\varvec{s}_{\varvec{i}}\) with the corresponding matrix \({\varvec{A}_{\varvec{i}}\varvec{\in U}}_{\varvec{A}}\): \(P_1\) encodes its \(\varvec{s}_{\varvec{1}}\) as \(\varvec{A}\widetilde{\varvec{D}_{\varvec{1}}} \varvec{=s}_{\varvec{1}}\varvec{A}_{\varvec{1}}\varvec{+e}_{\varvec{1}}\), \(P_2\) encodes its \(\varvec{s}_{\varvec{2}}\) as \(\varvec{A}_{\varvec{1}}\widetilde{\varvec{D}_{\varvec{2}}}\varvec{=s}_{\varvec{2}}\varvec{A}_{\varvec{2}}\varvec{+e}_{\varvec{2}}\), and so on until \(P_n\) encodes \(\varvec{A}_{\varvec{n-1}}\widetilde{\varvec{D}_{\varvec{n}}}\varvec{=s}_{\varvec{n}}\varvec{A}_{\varvec{n}}\varvec{+e}_{\varvec{n}}\). The whole process forms a nested chain in which the current matrix \(\widetilde{\varvec{D}_{\varvec{i}}}\) is generated from the trapdoor of the previous-level matrix \(\varvec{A}_{\varvec{i-1}}\), so that the input \(\varvec{s}_{\varvec{i}}\) is encoded into \(\widetilde{\varvec{D}_{\varvec{i}}}\) and hidden.

In the multilinear map system, given the n level-by-level operations from level 1 to n, \(\varvec{A}\) and \(\widetilde{\varvec{D}_{\varvec{i}}},i\in [n]\), the encodings of all participants are multiplied together:

$$\begin{aligned}&\varvec{A}\widetilde{\varvec{D}_{\varvec{1}}}\widetilde{\varvec{D}_{\varvec{2}}}\varvec{\ldots }\widetilde{\varvec{D}_{\varvec{n}}}=\varvec{(s}_{\varvec{1}}\varvec{A}_{\varvec{1}}\varvec{+e}_{\varvec{1}}\varvec{)}\widetilde{\varvec{D}_{\varvec{2}}}\varvec{\ldots }\widetilde{\varvec{D}_{\varvec{n}}}\nonumber \\&=\varvec{(s}_{\varvec{1}}\varvec{A}_{\varvec{1}}\widetilde{\varvec{D}_{\varvec{2}}}\varvec{+e}_{\varvec{1}}\widetilde{\varvec{D}_{\varvec{2}}}\varvec{)}\widetilde{\varvec{D}_{\varvec{3}}}\ldots \widetilde{\varvec{D}_{\varvec{n}}}\nonumber \\&= \varvec{(s}_{\varvec{1}}\varvec{s}_{\varvec{2}}\varvec{A}_{\varvec{2}}\varvec{+s}_{\varvec{1}}\varvec{e}_{\varvec{2}}\varvec{+e}_{\varvec{1}}\widetilde{\varvec{D}_{\varvec{2}}}\varvec{)}\widetilde{\varvec{D}_{\varvec{3}}}\varvec{\ldots }\widetilde{\varvec{D}_{\varvec{n}}}\nonumber \\&=......=\varvec{s}_{\varvec{1}}\varvec{s}_{\varvec{2}}\varvec{\ldots }\varvec{s}_{\varvec{n}}\varvec{A}_{\varvec{n}}\varvec{+e}_{\varvec{noise}}. \end{aligned}$$
(8)

where \(\varvec{e}_{\varvec{noise}}\) denotes the accumulated noise of the final product, obtained by multiplying the encodings of \(\varvec{s}_{\varvec{1}}\varvec{s}_{\varvec{2}}\varvec{\ldots }\varvec{s}_{\varvec{n}}\) through n levels of nesting. Encodings at the same level can be added and subtracted: in the original multilinear map, from \(g_i^{\varvec{s}_{\varvec{1}}}\) and \(g_i^{\varvec{s}_{\varvec{2}}}\) one computes \(g_i^{\varvec{s}_{\varvec{1}}\varvec{\pm } \varvec{s}_{\varvec{2}}}\). In the multilinear map system built on trapdoor LWE instances, for \(\widetilde{\varvec{D}_{\varvec{i}}^{\varvec{\prime }}}\) and \(\widetilde{\varvec{D}_{\varvec{i}}}\) encoding \(\varvec{s}_{\varvec{i}}^{\varvec{\prime }}\) and \(\varvec{s}_{\varvec{i}}\) at the same level i, addition and subtraction give

$$\begin{aligned}&\varvec{A}_{\varvec{i-1}}\widetilde{\varvec{D}_{\varvec{i}}^{\varvec{\prime }}}+\varvec{A}_{\varvec{i-1}}\widetilde{\varvec{D}_{\varvec{i}}} = \varvec{A}_{\varvec{i-1}}\left( \widetilde{\varvec{D}_{\varvec{i}}^{\varvec{\prime }}}\varvec{+}\widetilde{\varvec{D}_{\varvec{i}}}\right) \nonumber \\&=\varvec{(s}_{\varvec{i}}^{\varvec{\prime }}\varvec{+s}_{\varvec{i}}\varvec{)}\varvec{A}_{\varvec{i}}\varvec{+(e}_{\varvec{i}}^{\varvec{\prime }}\varvec{+e}_{\varvec{i}}\varvec{).} \end{aligned}$$
(9)

If there are several encodings \(\widetilde{\varvec{D}_{\varvec{i}_{\varvec{1}}}},\dots,\widetilde{\varvec{D}_{\varvec{i_n}}}\) at the same level i, then \(\varvec{A}_{\varvec{i-1}}\widetilde{\varvec{D}_{\varvec{i}_{\varvec{1}}}}\varvec{+}\varvec{A}_{\varvec{i-1}}\widetilde{\varvec{D}_{\varvec{i_2}}}+\dots +\varvec{A}_{\varvec{i-1}}\widetilde{\varvec{D}_{\varvec{i_n}}}=\left( \sum _{j\in \{i_1,i_2,\dots ,i_n\}} \varvec{s}_{\varvec{j}}\right) \varvec{A}_{\varvec{i}}+\varvec{e}_{\varvec{noise}}^{\varvec{\prime }}\), and subtraction works in the same way; with this the multilinear map system supports the basic operations.

\(ZeroTest(pp,\varvec{A}\widetilde{\varvec{D}_{\varvec{i}}})\): given the result of evaluating the LWE-encoded inputs with the multilinear map operations, the ZeroTest algorithm outputs 1 if and only if the result is small, i.e. \(\left\| \varvec{A}\widetilde{\varvec{D}_{\varvec{1}}}\cdots \widetilde{\varvec{D}_{\varvec{n}}} \right\| _{\infty }\le \frac{q}{o(\sqrt{n\log q})}\), which happens exactly when the encoded product \(\prod _{i\in [n]}\varvec{s}_{\varvec{i}}\) is 0 and only the noise remains.

\(Extract(pp,\varvec{A}\widetilde{\varvec{D}_{\varvec{i}}})\): the extractor takes as input the public parameters pp and \(\varvec{A}\widetilde{\varvec{D}_{\varvec{i}}}\), and outputs a \(\lambda\)-bit string.
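The following Python code is an added worked example, not the paper's own implementation, and it is not secure: the parameters are tiny and the preimage sampler is the plain gadget inversion \(x=[\varvec{R}z;z]\) rather than the discrete-Gaussian sampler of [38]. It serves both the trapdoor construction of the previous section and the encoding, evaluation and zero test of this one: it builds matrices \(\varvec{A}=[\varvec{A}_{\varvec{2}}|G-\varvec{A}_{\varvec{2}}\varvec{R}]\), encodes each participant's input as \(\widetilde{\varvec{D}_{\varvec{i}}}\) with \(\varvec{A}_{\varvec{i-1}}\widetilde{\varvec{D}_{\varvec{i}}}=s_i\varvec{A}_{\varvec{i}}+\varvec{e}_{\varvec{i}}\) using the previous level's trapdoor, multiplies the chain as in Eq. (8), adds two same-level encodings as in Eq. (9), and applies ZeroTest. Assumptions of the example: the secrets \(s_i\) are small scalars (the chain needs \(\varvec{s}_{\varvec{i}}\) to act as an \(n\times n\) factor, and a scalar times the identity is the simplest such factor), q is a power of two so that the gadget inverse is binary decomposition, the noise threshold is q/4, and the uniform block \(\varvec{A}_{\varvec{2}}\) is two columns wider than the gadget block.

```python
# Toy trapdoor-LWE graded encoding (added example; pure Python, no security).
import random

Q_BITS = 24
Q = 1 << Q_BITS          # modulus q = 2^24: gadget inversion is plain bit decomposition
N = 2                     # LWE dimension n (toy value)
M2 = N * Q_BITS           # width of the gadget block G = I_n (x) (1, 2, ..., 2^(l-1))
M1 = M2 + 2               # width of the uniform block A2 (assumption: slightly wider than G)
M = M1 + M2               # total width m = m1 + m2
NOISE_BOUND = Q // 4      # ZeroTest threshold (assumption; the paper uses q/o(sqrt(n log q)))


def matmul(a, b):
    """Matrix product modulo q."""
    return [[sum(a[i][t] * b[t][j] for t in range(len(b))) % Q
             for j in range(len(b[0]))] for i in range(len(a))]


def centered(x):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x


def gadget():
    """Gadget matrix G: row i holds 1, 2, ..., 2^(l-1) in block i."""
    g = [[0] * M2 for _ in range(N)]
    for i in range(N):
        for b in range(Q_BITS):
            g[i][i * Q_BITS + b] = 1 << b
    return g


def trap_gen(rng):
    """A = [A2 | G - A2 R] with small R (entries in {-1,0,1}) as the trapdoor."""
    a2 = [[rng.randrange(Q) for _ in range(M1)] for _ in range(N)]
    r = [[rng.choice((-1, 0, 1)) for _ in range(M2)] for _ in range(M1)]
    a2r = matmul(a2, r)
    g = gadget()
    a1 = [[(g[i][j] - a2r[i][j]) % Q for j in range(M2)] for i in range(N)]
    return [a2[i] + a1[i] for i in range(N)], r


def preimage(r, u):
    """Small x with A x = u (mod q): x = [R z ; z], z the binary G-inverse of u."""
    z = [(ui >> b) & 1 for ui in u for b in range(Q_BITS)]
    return [sum(r[i][j] * z[j] for j in range(M2)) for i in range(M1)] + z


def encode(a_prev, r_prev, s, a_cur, rng):
    """D_i with A_{i-1} D_i = s_i A_i + E_i (mod q), using the previous level's trapdoor."""
    e = [[rng.choice((-1, 0, 1)) for _ in range(M)] for _ in range(N)]
    target = [[(s * a_cur[i][j] + e[i][j]) % Q for j in range(M)] for i in range(N)]
    cols = [preimage(r_prev, [target[i][j] for i in range(N)]) for j in range(M)]
    return [[cols[j][i] for j in range(M)] for i in range(M)]   # m x m, column j = cols[j]


def encoding_error(a_prev, d, s, a_cur):
    """max |A_{i-1} D_i - s_i A_i| over all entries; a valid encoding gives <= 1 here."""
    lhs = matmul(a_prev, d)
    return max(abs(centered(lhs[i][j] - s * a_cur[i][j])) for i in range(N) for j in range(M))


def mat_add(d1, d2):
    """Entry-wise sum of two same-level encodings (Eq. (9))."""
    return [[x + y for x, y in zip(r1, r2)] for r1, r2 in zip(d1, d2)]


def evaluate(a0, encodings):
    """A D_1 D_2 ... D_n (mod q) = (s_1 ... s_n) A_n + noise (Eq. (8))."""
    acc = a0
    for d in encodings:
        acc = matmul(acc, d)
    return acc


def zero_test(h):
    """1 iff every centered entry is within the noise bound, i.e. the product of secrets is 0."""
    return int(all(abs(centered(x)) <= NOISE_BOUND for row in h for x in row))


def run_chain(secrets, seed=1):
    """Set up n+1 trapdoor matrices, encode s_i at level i, evaluate and zero-test.

    Returns (zero_test_result, max_encoding_error, same_level_sum_error)."""
    rng = random.Random(seed)
    mats = [trap_gen(rng) for _ in range(len(secrets) + 1)]   # (A_0,R_0), ..., (A_n,R_n)
    encs = [encode(mats[i][0], mats[i][1], s, mats[i + 1][0], rng)
            for i, s in enumerate(secrets)]
    max_err = max(encoding_error(mats[i][0], d, s, mats[i + 1][0])
                  for i, (d, s) in enumerate(zip(encs, secrets)))
    # Eq. (9): a level-1 encoding of s_1 plus a level-1 encoding of 1 encodes s_1 + 1.
    d_alt = encode(mats[0][0], mats[0][1], 1, mats[1][0], rng)
    sum_err = encoding_error(mats[0][0], mat_add(encs[0], d_alt), secrets[0] + 1, mats[1][0])
    return zero_test(evaluate(mats[0][0], encs)), max_err, sum_err


if __name__ == "__main__":
    print(run_chain([2, 3, 1]))   # product 6 != 0: the zero test fails
    print(run_chain([2, 0, 1]))   # product 0: only noise remains, the zero test passes
```

The noise after three levels is \(s_1s_2\varvec{e}_{\varvec{3}}+s_1\varvec{e}_{\varvec{2}}\widetilde{\varvec{D}_{\varvec{3}}}+\varvec{e}_{\varvec{1}}\widetilde{\varvec{D}_{\varvec{2}}}\widetilde{\varvec{D}_{\varvec{3}}}\), which stays far below q/4 with these parameters because the trapdoor entries and errors are in {-1, 0, 1}; each extra level multiplies the noise by roughly the width of the encodings, which is why the number of multiplication levels, and hence the circuit depth, bounds the usable chain length.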

Fig. 2 shows the computation on the encoded inputs of each participant in the graded encoding scheme. If the noise does not exceed a fixed threshold, it remains bounded and the computed information can be extracted with the ZeroTest and Extract algorithms; the correctness of ZeroTest and Extract is detailed in [40]. The multiparty computation operation in the multilinear map system is given below.

Fig. 2 The process of computation of encoded inputs for each participant


Algorithm 2 Evaluation algorithm

Ideal function \(F_{smpc}\)

There are n mutually distrustful participants \(P_1,P_2,\dots,P_n\) who want to jointly compute a polynomial-time computable function \(f(x_1,x_2,\dots,x_n)=(y_1,y_2,\dots,y_n)\), where \(x_1,x_2,\dots,x_n\) are the inputs and \(y_1,y_2,\dots,y_n\) the outputs. A multiparty computation protocol \(\pi\) for f should satisfy the following requirements:

  1. (1)

    Privacy: The input information of each participant is invisible with respect to other participants, each participant does not obtain more information from other participants than what is inferred from its own results.

  2. (2)

    Correctness: the protocol \(\pi\) can correctly calculate the function f and return the corresponding correct result.

  3. (3)

    Security: each party gets the corresponding correct output, and no other additional information can be obtained.

In this paper, we design a secure multiparty computation protocol based on the above requirements and design a secure multiparty computation ideal function \(F_{smpc}:\left( \left\{ 0,1 \right\} ^{l_{in}} \right) ^{n}\rightarrow \left\{ 0,1 \right\} ^{l_{out}}\) as shown below:

figure d

Cloud-based secure multiparty computation protocol \(\pi _{smpc}\)

This section constructs a 2-round protocol \(\pi _{smpc}\) under the LWE assumption. Each participant encodes its input with LWE, computes on the encodings locally with the multilinear maps operations, and transmits the result over the broadcast channel. The protocol has three phases, a pre-phase and two rounds of interaction, as shown in Fig. 3. Through two rounds of communication plus local computation, every participant can safely compute on each encoded input and obtain the result value of the function.

Fig. 3 \(\pi _{smpc}\) Flow Chart

After each participant receives the output result y on the broadcast channel, it runs ZeroTest on it. If \(\prod _{i=[n]}s_i\) is 0, only the noise distribution remains, and the noise threshold decides whether the result encodes the value 0. By designing the circuit as a combination of multilinear maps operations, the information contained in the ciphertext can be inferred step by step with the ZeroTest algorithm and then read out with the extractor Extract, which is a strong randomness extractor. ZeroTest, however, must not reveal too much about the ciphertext, so it is used only to extract the part of the information needed for the computation, within the security bounds of the scheme.

Semi-Malicious Security. A semi-malicious protocol can be defined over a broadcast channel on which inputs must be encrypted before transmission. Under the LWE assumption, all n inputs are elements of \(Z_q^n\), the participants form an honest majority, each input is encoded as an LWE instance and then broadcast, each participant applies the garbled circuit locally to the encoded inputs, and the output is broadcast.

Theorem 4

(Theorem 1, restated). Assume the existence of a special ges scheme and a NIZK scheme under the LWE assumption, and let \(F:\left( \left\{ 0,1 \right\} ^{l_{in}} \right) ^{n}\rightarrow \left\{ 0,1 \right\} ^{l_{out}}\) be an efficiently computable function of depth d. Then \(F_{smpc}\) can be UC-realized, in the honest-majority setting, by a two-round protocol over broadcast in the hybrid model with complexity \(poly(l_{in},l_{out},d,k,n)\), tolerating semi-malicious adversaries.

Security demonstration

Secure multiparty computation distinguishes two corruption models, static security and adaptive security. Under static security the adversary fixes the set of corrupted participants before the protocol starts, within the corruption bound the protocol tolerates (here a minority), and the security guarantee holds for that fixed set throughout the execution. Under adaptive security the adversary may decide which participants to corrupt during the execution, based on the messages it has already seen, and the protocol must remain secure even so. In the real protocol, a matrix \(U_A\) with trapdoors is used to generate the series of \(\varvec{D}\)-matrices, which raises the question whether the trapdoors expose the original private inputs or the encoded D-matrices of those inputs; a detailed treatment is given in [40].

According to the encoding rules, the trapdoor matrix \(\varvec{A}_{\varvec{i-1}}\) is nested with \(\varvec{A}_{\varvec{i}}\), written \(\varvec{A}_{\varvec{i-1}}\widetilde{\varvec{D}_{\varvec{i}}}=\varvec{s}_{\varvec{i}}\varvec{A}_{\varvec{i}}\varvec{+e}_{\varvec{i}}\), and at the last step \(\varvec{A}_{\varvec{n-1}}\widetilde{\varvec{D}_{\varvec{n}}} \varvec{=s}_{\varvec{n}}\varvec{A}_{\varvec{n}}+\varvec{e}_{\varvec{n}}\) the trapdoor of \(\varvec{A}_{\varvec{n}}\) is not involved in the computation at all. If the distribution of \(\varvec{s}_{\varvec{n}}\) is sufficiently random, the whole encoding process is an LWE instance. Under the LWE assumption, the last encoding \(\varvec{A}_{\varvec{n-1}}\widetilde{\varvec{D}_{\varvec{n}}}\) is therefore indistinguishable from a uniformly random matrix \(\triangle\), i.e. \(\varvec{A}_{\varvec{n-1}}\widetilde{\varvec{D}_{\varvec{n}}}=\triangle\). Given \(\varvec{A}_{\varvec{n-1}}\) with its trapdoor and a uniformly random \(\triangle\), if \(\widetilde{\varvec{D}_{\varvec{n}}}\) can be generated without that trapdoor, then the pair \((\varvec{A}_{\varvec{n-1}},\widetilde{\varvec{D}_{\varvec{n}}})\) gives away no information about the trapdoor. Consider two environments, a real and a simulated one: in the real environment \(\widetilde{\varvec{D}_{\varvec{n}}}\) is generated using the trapdoor of \(\varvec{A}_{\varvec{n-1}}\), in the simulated environment it is generated without it, and the two results are computationally indistinguishable. This yields the following lemma, taken from [40]: if the LWE assumption holds, an input encoded under the trapdoor-LWE encoding is secure.

Theorem 5

Let the ideal function \(F_{smpc}\) be a polynomial-time computable deterministic function with n inputs and one output, and let \(ges=(PrmGen,InstGen,Sample,Garble.enc,Eval,ZeroTest,Extract)\) be the trapdoor-LWE-based multilinear maps scheme used for the secure multiparty computation. Then the protocol \(\pi _{smpc}\) UC-realizes the ideal function \(F_{smpc}\) in the honest-majority setting.

Proof

Security in the honest-majority setting is shown by constructing an efficient PPT simulator Sim against a static semi-malicious adversary Adv. The simulator works as follows.

The Simulator: In the first round, Sim encodes dummy inputs \(\widehat{\varvec{s}_{\varvec{i}}}\) on behalf of the honest participants and reads the inputs of the corrupted participants from the "witness tape" (a semi-malicious adversary must write the input and randomness it uses there), from which it can encode their inputs. It sends these inputs to the ideal function and receives the output y. Having y, the simulator computes \(\widetilde{y}\leftarrow Sim.eval(\widetilde{\pi _i},\widehat{s_i},\widetilde{\varvec{D}_{\varvec{i}}},{lab}_{\varvec{A||}\widetilde{\varvec{D}_{\varvec{1}}}\varvec{||\ldots ||}\widetilde{\varvec{D}_{\varvec{n}}}}^i)\) and broadcasts it.

Hybrid Games: Define a series of hybrid games to demonstrate the indistinguishability of real and ideal scenarios:

$$\begin{aligned} {Real}_{\pi _{smpc},Adv,Z}\overset{c}{\equiv }{Ideal}_{F_{smpc},Sim,Z}. \end{aligned}$$
(10)

The output of the entire environment Z is used as the output of each game.

The game \({Real}_{\pi _{smpc},Adv,Z}\) : In the real world, the protocol \(\pi _{smpc}\) is executed in the environment Z in the presence of a semi-malicious adversary Adv.

The game \(\ {HYB}_{\pi _{smpc},Adv,Z}^1\): In this game, we modify the experiment \({Real}_{\pi _{smpc},Adv,Z}\) by introducing the \(F_{nizk}^R\)-hybrid model. Each participant \(P_i\) encodes its own input, sends \((prove, sid,x,\varvec{s}_{\varvec{i}})\) to \(F_{nizk}^R\), obtains a proof \(\pi\), and broadcasts \((proof,sid,\widetilde{\varvec{D}_{\varvec{i}}},\pi )\). When a participant \(P_j\), \(j\in [n]\setminus \{i\}\), receives this message, it sends the verification request \((verify,sid,x,\pi )\) to \(F_{nizk}^R\), which returns 1 or 0 after verification.

Claim 1

\({Real}_{\pi _{smpc},Adv,Z}\overset{c}{\equiv }{HYB}_{\pi _{smpc},Adv,Z}^1\), i.e. the real protocol is indistinguishable from its execution in the hybrid model:

$$\begin{aligned} \Pr \left[ (x,\widehat{\varvec{D}_{\varvec{i}}})\in R \;\middle|\; \widehat{\varvec{D}_{\varvec{i}}}{:=} Sim\left( \begin{array}{l} \pi \leftarrow F_{nizk}^R(\varvec{s}_{\varvec{i}})\\ \widehat{\varvec{s}_{\varvec{i}}}\leftarrow Sample\left( pp,1^k\right) \\ \pi ^\prime \leftarrow Sim(x,\widehat{\varvec{s}_{\varvec{i}}},\pi )\\ \widehat{\varvec{D}_{\varvec{i}}}\leftarrow Sim.enc\left( pp,sp,\widehat{\varvec{s}_{\varvec{i}}}\right) \end{array}\right) \right] \le \text {negligible} \end{aligned}$$
(11)

Proof

Let Adv be the adversary in the real environment and Sim the adversary in the ideal environment, such that any environment Z distinguishes the real from the ideal environment with only negligible probability; every input Sim receives from Z is forwarded to Adv, and every output of Adv is treated as the output of Sim. In its interaction with the ideal function \(F_{nizk}^R\), Sim provides the input \(\varvec{s}_{\varvec{i}}\), and when it receives \((proof,sid,\widetilde{\varvec{D}_{\varvec{i}}},\pi )\) from \(F_{nizk}^R\) it emulates an identical message for Adv. When the real-world adversary Adv corrupts participant \(P_i\), Sim corrupts \(P_i\) in the ideal environment as well and forwards the whole internal state to Adv. If Adv now replaces the message \(\varvec{s}_{\varvec{i}}\) with a false message \(\widehat{\varvec{s}_{\varvec{i}}}\) on behalf of \(P_i\), forges a proof \(\pi ^\prime\) in place of \(\pi\), and broadcasts \((proof,sid,\widehat{\varvec{D}_{\varvec{i}}},\pi ^\prime )\), then the other participants, on receiving and verifying this message, query whether \(F_{nizk}^R\) has stored \(\pi ^\prime\); since \(\pi ^\prime\) was not generated by \(F_{nizk}^R\), they check whether \((x,\widehat{\varvec{D}_{\varvec{i}}})\in R\). By the security of the LWE assumption and the soundness of the zero-knowledge proof, only an input encoded as an LWE instance can pass verification; in other words, the probability that an input that is not LWE-encoded passes verification is negligible.\(\square\)

Hence \({HYB}_{\pi _{smpc},Adv,Z}^1\) is computationally indistinguishable from \({Real}_{\pi _{smpc},Adv,Z}\), and the scheme in the hybrid model is semantically secure.

The game \(\ {HYB}_{\pi _{smpc},Adv,Z}^2\): Unlike \({HYB}_{\pi _{smpc},Adv,Z}^1\), a concrete proof protocol \(\pi _{nizk}\) is used instead of the ideal function \(F_{nizk}^R\); the proof is now computed by a local circuit.

Claim 2

\({HYB}_{\pi _{smpc},Adv,Z}^1\overset{c}{\equiv }{HYB}_{\pi _{smpc},Adv,Z}^2\)

Proof

The concrete zero-knowledge proof protocol, denoted \(\pi _{nizk}\), is built from a garbled circuit GC. It first generates the proof parameters \((S_p,S_v)\leftarrow GC.Setup(1^K)\) from the circuit and then computes the proof \(\pi \leftarrow GC.Prove(S_p,x,\widetilde{\varvec{D}_{\varvec{i}}})\); \(S_v\) and \(\pi\) are broadcast in the first round, and the other participants evaluate \(GC(x,\widetilde{\varvec{D}_{\varvec{i}}})\) over its NAND gates to verify, \(0/1\leftarrow GC.Verify(S_v,x,\pi )\). If the LWE assumption holds, the probability that an adversary produces a forged proof that the honest participants accept is negligible in the honest-majority setting, so the environment Z cannot tell whether it is in the environment where \(\pi _{nizk}\) interacts with Adv or in the one where \(F_{nizk}^R\) interacts with Sim. In other words, under the LWE assumption the protocol \(\pi _{nizk}\) UC-realizes the ideal function \(F_{nizk}^R\).\(\square\)

The game \({Ideal}_{F_{smpc},Sim,Z}\): computes the ideal function \(F_{smpc}\) and outputs the result correctly under the ideal model.

Claim 3

\({HYB}_{\pi _{smpc},Adv,Z}^2\overset{c}{\equiv }{Ideal}_{F_{smpc},Sim,Z}\)

Proof

By the semantic security of the underlying ges scheme, inputs encrypted under the LWE assumption and then processed with the multilinear maps operations are computationally indistinguishable from encryptions of other inputs, while \(\pi _{smpc}\) still computes the encoded inputs correctly and yields a correct output in the presence of semi-malicious adversaries with an honest majority. Since \(\pi _{nizk}\) UC-realizes the ideal function \(F_{nizk}^R\), Theorem 2 gives that \(\pi _{smpc}\) UC-realizes the ideal function \(F_{smpc}\); hence \({HYB}_{\pi _{smpc},Adv,Z}^2\) and \({Ideal}_{F_{smpc},Sim,Z}\) are computationally indistinguishable.\(\square\)

Combining the above statements, we get \({Real}_{\pi _{smpc},Adv,Z}\overset{c}{\equiv }{Ideal}_{F_{smpc},Sim,Z}\), which leads to the proof of Theorem 5.

To conclude, Tables 1 and 2 summarize previous work and the results of this paper in the honest-majority setting; the main parameters compared are security, number of rounds, communication complexity and setup. Under the LWE assumption, this scheme needs only 2 rounds of communication for secure distributed multiparty computation and achieves static security with an honest majority. Compared with previous work, it reduces the number of rounds and the setup size, and its communication overhead is sublinear. Static security already meets the requirements of most scenarios, but it remains a limitation of this work, and extending the scheme to adaptive security is necessary future work.

Table 2 This is an additional description of Table 1

Conclusions

Cloud Secure MultiParty Computation (CSPC) suits application scenarios such as cloud-based data stream sharing, data trading and e-auctions in distributed environments, for which it provides secure computation together with privacy guarantees. In this paper we combine cloud computing with secure multiparty computation and base the security notion and strength of the protocol on a hardness assumption believed to resist polynomial-time adversaries, the LWE assumption: the participants' inputs are encoded as LWE instances with a lattice trapdoor under a graded encoding scheme and transmitted over the broadcast channel, and the protocol is executed through multilinear maps operations. This optimizes the number of rounds of secure multiparty computation on the cloud, achieves sublinear communication overhead, and establishes the security of the protocol in the UC framework. In future work, an important direction is to achieve adaptive security of secure multiparty computation protocols while keeping the optimized round count and low communication overhead, by combining stronger cryptographic primitives and related techniques; the rise of quantum cryptography and quantum computing, against which lattice assumptions such as LWE are conjectured to remain hard, also points to a direction for the development of secure multiparty computation.