Practical SS-MPC for collusion whole

Huizheng Geng; Sixu Guo; Li Su; Yiran Zhang

doi:10.1117/12.2662617

28 December 2022 Practical SS-MPC for collusion whole

Huizheng Geng, Sixu Guo, Li Su, Yiran Zhang

Author Affiliations +

Proceedings Volume 12506, Third International Conference on Computer Science and Communication Technology (ICCSCT 2022); 125061N (2022) https://doi.org/10.1117/12.2662617
Event: International Conference on Computer Science and Communication Technology (ICCSCT 2022), 2022, Beijing, China

Abstract

Secret sharing (SS) technology is widely used in multi-party computation (MPC) because of its simple secret structure and low computational overhead. Aiming at solving the problem that the existing SS-MPC scheme cannot solve the collusion of all computing parties to recover the original data, this work designs a practical SS-MPC for collusion whole (PSCW) scheme. Through the negotiation of redundant computing nodes and redundant security parameters between computing parties, PSCW scheme can ensure that original data cannot be recovered even if all computing nodes collude to obtain all secret shares, which guarantees the confidentiality of the scheme. At the same time, with the addition of redundant computing nodes, PSCW scheme can correctly realize computing requirements of users and ensure the correctness of the calculation results. Compared with the existing SS-MPC scheme, PSCW scheme has higher security and higher application value in real scenes.

1. INTRODUCTION

Secret sharing (SS) is widely used in multi-party computation (MPC) because of its simple secret structure and low computational overhead. SS was first proposed by Shamir and Blakley in 1979^1-2. For secret sharing- secure multi-party computation (SS-MPC), participants calculate the secret shares of different secret data to obtain the shares of calculation results. A sufficient number of result shares can be combined to recover the calculation results. According to different secret splitting methods, SS-MPC is divided into polynomial interpolation based SS and additive SS. Compared with Shamir’s polynomial interpolation based SS, additive SS has less overhead and high efficiency in calculating linear operation, and is more widely used in SS-MPC.

The early SS-MPC schemes have the characteristics of many interaction rounds and high communication overhead, such as GMW³, BMW⁴ and other schemes. Most SS-MPC schemes optimize these two indexes. AFL+16⁵, ASTRA⁶ and other schemes optimize SS-MPC by reducing the number of communication rounds and interaction of SS-MPC to varying degrees. In 2011, Bendlin proposed BDOZ scheme⁷, which realized the SS-MPC operation with the majority of dishonest participants for the first time, and achieved the suspension security, that is, the protocol was suspended when the malicious behavior of the computing party was found. In order to solve the problem of storage overhead in BDOZ, Damgård proposed SPDZ scheme in 2012⁸. SPDZ scheme is an SS-MPC scheme based on additive SS. At the same time, each participant stores a constant number of MAC codes to verify whether the data is maliciously tampered by the computing party. After that, References^9-10 and other schemes have optimized the SPDZ scheme to varying degrees. At present, the importance of SS-MPC in MPC is obvious, and many studies are still ongoing.

However, whether the dishonest computing party tampers with the data share is concerned or not, the existing SS-MPC scheme cannot solve the problem that all computing parties participate in collusion. If all computing parties are involved in collusion, all secret shares will be combined. To solve the above problems, this work proposes an SS-MPC scheme (PSCW) that can effectively deal with the collusion of all computing parties. Based on the calculation of additive SS, through the negotiation of redundant computing nodes and redundant security parameters between participants, it can ensure that even if all computing nodes collude to obtain all secret shares, they cannot recover the original data. At the same time, PSCW scheme can still carry out addition and multiplication correctly when adding redundant calculation nodes, which ensures the correctness of calculation results. This scheme solves the problem of collusion of all computing parties in SS-MPC scheme, optimizes the security level, and has high application value.

2. PRELIMINARY

The main idea of additive SS is that the secret distributor divides a secret x into n shares {x₁,x₂,…,x_n} and sends them to the participant P_i, i = 1,2,… n respectively. All participants can cooperate and reconstruct the secret with these shares, the secrets cannot be recovered when the number of participants is less than n. In this paper, similar with Reference¹⁰, our scheme operates on ℤ_2^k, which consists of two algorithms (Sharing,Reconst) :

(1) [x] ← Sharing (x,n) : secret x and the number of shares n are taken as input, then n shares of x denoted are output as [x]. n–1 random numbers are randomly selected as n–1 secret shares. is calculated as the n^th secret share.
(2) x ← Reconst ([x]) : n secret shares [x] are taken as input, then output secret x.

Because the additive secret SS has additive homomorphism¹¹, given the share [x], [y] of the secret x, y, the participant can calculate the share [x + y] = [x] + [y] of the secret x + y, so arithmetic addition can be calculated.

Given the share [x],[y] of the secret x, y, the participant can calculate arithmetic multiplication share [x·y] = [x]·[y]with beaver triple¹¹. The specific calculation process is as follows:

(1) Randomly generated triplet share [a],[b],[c], a, b are completely random integers and are confidential to all participants, c = a·b.
(2) All participants disclose [α] = [x]–[a], so α = Reconst([α]).
(3) All participants disclose [β] = [y]–[β], so β = Reconst([β]).
(4) One participant calculates [z] = [c]+α·[b]+β·[a]+α·β = [x·y], other participants calculate [z] = [c]+α·[b]+β·[a]=[x·y], so that arithmetic multiplication [x·y] can be calculated.

3. PSCW SCHEME

This work designs a secret sharing scheme PSCW, which can effectively solve the problem of collusion of all share holders.

3.1 PSCW scheme model

The model of the scheme is shown in Figure 1.

Figure 1.

PSCW model.

The PSCW scheme involves the following roles: user, processing node, calculation node and coordination node. User provides the data required for calculation and negotiates that some nodes in the calculation nodes are redundant nodes. The scheme sets up a private data processing node for each user, which is responsible for secret share segmentation and aggregation of data. The computing node is responsible for calculating the data. The existence of redundant calculation node can ensure that the original data cannot be restored even if all computing nodes conspire. The coordination node is responsible for providing security parameters for all computing nodes for secret sharing multiplication. In the scheme, the number of participating users is 2, the original data value held is X,Y, and the number of calculation nodes is n. This scheme can be extended to the scenario of multiple participating users.

3.2 Security assumption and security requirements

Security assumption: in PSCW scheme, there is the possibility that all computing nodes conspire to recover the original data.

Security requirements: the security requirements of PSCW scheme include its correctness and confidentiality, which are introduced below:

• Correctness: when redundant nodes are added, PSCW scheme will not be affected by redundant nodes and data, and can correctly calculate any calculation results obtained by user requirements.
• Confidentiality: the confidentiality of PSCW scheme includes two parts. Firstly, the real data value of each user will not be exposed in the process of secret sharing calculation. The second is to assume that all computing nodes conspire, that is, they have all the secret sharing share of data, but still cannot recover the original data.

3.3 Introduction to scheme algorithm

The algorithm of PSCW scheme is described in detail below:

Input: user U₁,U₂ ’s private data X, Y.

Output: calculation result RS obtained according to user requirements.

Step 1: Before starting the calculation, the user U₁, U₂ privately negotiates that p (p˂n) nodes are the effective computing node CNode and the other nodes are the redundant computing node RNode for secret sharing operation;
Step 2: the coordination node randomly generates parameters a, b, c = a·b, a,b,c are divided into p parts, each triplet [a],[b],[c] are sent to each CNode separately. n – p parts redundant parameters [d],[e],[f] are sent to each RNode;
Step 3: U₁,U₂ send the held data X,Y to its corresponding data processing node, the data processing node executes the Sharing algorithm to obtain [X] ← Sharing (X, p),[Y] ← Sharing (Y, p). At the same time, redundant data are generated by executing the Sharing algorithm to obtain [M] ← Sharing (M, n – p), [N] ← Sharing (N, n – p), which satisfy

[X],[Y] are sent to each CNode and [M],[N] are sent to each RNode.
Step 4: after all computing nodes have obtained the secret shares, they perform any operations required by the user according to their secret shares. After the calculation, each node sends the local calculation results [s] to the data processing node of each user.
Step 5: after receiving [s] from each computing node, the data processing node selects all the data sent by CNode and recovers the data by using the Reconst algorithm to obtain the final result RS ← Reconst([s]), and does not process the data sent by RNode. The whole PSDW scheme ends.

4. SECURITY PROOF

4.1 Correctness proof

Theorem 1: PSCW scheme can correctly calculate addition X +Y and multiplication X ·Y in the state of secret sharing when adding redundant computing node RNode, so PSCW scheme can correctly compute calculation results obtained by user requirements.

Proof: first consider the addition operation. According to preliminary, the addictive SS algorithm has the characteristics of additive homomorphism. Since only the effective computing node CNode holds the secret share [X],[Y] of the data X,Y to be calculated, while RNode holds the secret share [M],[N] of redundant data M,N, therefore, the data processing node only needs to recover the Reconst algorithm of [X +Y] = [X]+[Y] calculated by all CNode, that is, it can get the correct result of X +Y.

Next, consider multiplication. As described in equation (2), multiplication operation needs to be realized with the help of beaver triples. Therefore, it is necessary to coordinate the nodes to send security parameters to each computing node. During the calculation, all CNode disclose [α] = [X]–[a] and [β] = [Y]–[a], all RNode disclose [μ] = [M]–[d] and [σ] = [N]–[e]. According to the preliminary, all CNode calculate

Since the data processing node only needs to process the data sent by CNode, it does not need to consider the calculation results of RNode. Recover all the calculated [Z] by CNode by Reconst algorithm, that is, X·Y can be obtained correctly. To sum up, PSCW scheme meets the requirements of correctness.

4.2 Confidentiality proof

Theorem 2: if the secret sharing algorithm used in PSCW scheme is secure, the confidentiality of user data can be guaranteed in the calculation process.

Proof: In the calculation process of PSCW scheme, the interactive parameters are the secret sharing share [X],[Y] of data X,Y, the secret sharing share [M],[N] of redundant data M,N and the secret sharing share of security parameters generated by the coordination node. Because the security parameters are randomly generated by the coordination node, and no data transmission between users is done, as long as the secret sharing algorithm is secure, PSCW scheme can ensure that the users’ respective real data X,Y will not be exposed in the calculation process.

Theorem 3: in the case of all computing nodes conspire, PSCW scheme can ensure that the adversary cannot obtain the real information about user data.

Proof: If all computing nodes conspire, the adversary can get all the secret sharing shares [X],[Y],[M],[N] of data X, Y and redundant data M, N. However, due to redundancy, computing nodes are negotiated between users, the calculation node cannot determine whether it is a redundant node. Therefore, if all calculation nodes participate in the conspiracy, the secret sharing share [M],[N]of the redundant data RNode will interfere with the Reconst algorithm when recovering data, so that the adversary cannot obtain the real information of user data.

To sum up, PSCW scheme meets the requirements of confidentiality.

5. SCHEME COMPARISON

Table 1 compares the safety of PSCW scheme with the existing ss-mpc scheme.

Table 1.

Security comparison between PSCW and other schemes.

Scheme	Security model	Calculate the maximum number of collusions
AFL+16	Semi-honest	n − 2
ASTRA	Semi-honest	n − 2
SPDZ	Malicious	n − 1
Our Scheme	Semi-honest	n − 1
	Malicious	n

According to Table 1, we can find that compared with other SS-MPC schemes, in terms of security, this scheme not only supports semi-honest computing parties and malicious computing parties at the same time, but also solves the problem of collusion of all computing parties, avoids the recovery of secret data and reach greater security. In terms of computational efficiency, this scheme uses additive SS secret sharing, which is not different from the above scheme, only the calculation part of redundant computing nodes is added. Therefore, our scheme does not sacrifice much in computational efficiency.

6. CONCLUSION

Aiming at the problem that the existing SS-MPC scheme cannot deal with the collusion of all computing parties to recover the original data, this paper proposes PSCW scheme, which effectively solves this problem through the negotiation of redundant computing nodes on the basis of additive SS. The security proof shows that the scheme can still carry out addition and multiplication effectively when adding redundant computing nodes; our scheme can meet the confidentiality of data in the calculation process in the case of collusion of all nodes. Compared with the existing SS-MPC scheme, this scheme optimizes the security without sacrificing the computing efficiency, solves the security problem of collusion of all computing parties, and can be effectively applied to the MPC scenario.

REFERENCES

[1]

Shamir, A., “How to share a secret,” Communications of the ACM, 22 (11), 612 –3 (1979). https://doi.org/10.1145/359168.359176 Google Scholar

[2]

Blakley, G. R., “Safeguarding cryptographic keys,” AFIPS, 313 (1979). Google Scholar

[3]

Goldreich, O., Micali, S. and Wigderson, A., “How to play any mental game, or a completeness theorem for protocols with honest majority,” Providing Sound Foundations for Cryptography: On the Work of Shafi Goldwasser and Silvio Micali, 307 –28 (2019). Google Scholar

[4]

Ben-Or, M., Goldwasser, S. and Wigderson, A., “Completeness theorems for non-cryptographic fault-tolerant distributed computation,” STOC, (1988). Google Scholar

[5]

Furukawa, J., Lindell, Y., Nof, A., et al., “High-throughput secure three-party computation for malicious adversaries and an honest majority,” in Annual Int. Conf. on the Theory and Applications of Cryptographic Techniques, (2017). https://doi.org/10.1007/978-3-319-56614-6 Google Scholar

[6]

Patra, A. and Suresh, A., “BLAZE: Blazing fast privacy-preserving machine learning,” in Network and Distributed System Security Symp., 28 (2020). Google Scholar

[7]

Yehuda, L. and Ben, R., “Blazing fast 2PC in the offline/online setting with security for malicious adversaries,” in Proc. of the 22nd ACM SIGSAC Conf. on Computer and Communications Security (CCS’15), (2015). Google Scholar

[8]

Damgård, I., Pastro, V., Smart, N. and Zakarias, S., “Multiparty computation from somewhat homomorphic encryption,” Advances in Cryptology-CRYPTO, 7417 643 –62 Springer, Berlin, Heidelberg (2012). Google Scholar

[9]

Damgård, I., Keller, M., Larraia, E., Pastro, V., Scholl, P. and Smart, N. P., “Practical covertly secure MPC for dishonest majority-or: Breaking the SPDZ limits,” ESORICS, 2013 1 –18 (2013). Google Scholar

[10]

Cramer, R., Damgrd, I., Escudero, D., Scholl, P. and Xing, C., Spdz^2k: Efficient MPC mod 2k for dishonest majority, (2018). Google Scholar

[11]

Beaver, D., “Efficient multiparty protocols using circuit randomization,” CRYPTO, 1991 420 –32 (1992). Google Scholar

Citation Download Citation

Huizheng Geng, Sixu Guo, Li Su, and Yiran Zhang "Practical SS-MPC for collusion whole", Proc. SPIE 12506, Third International Conference on Computer Science and Communication Technology (ICCSCT 2022), 125061N (28 December 2022); https://doi.org/10.1117/12.2662617

Access the abstract

PROCEEDINGS
6 PAGES

DOWNLOAD PAPER SAVE TO MY LIBRARY

GET CITATION

RIGHTS & PERMISSIONS

Get copyright permission Get copyright permission on Copyright Marketplace

KEYWORDS

Computer security

Data processing

Remote sensing

Astatine

Data storage

Data transmission

Distribution

1.

INTRODUCTION

2.

PRELIMINARY

3.

PSCW SCHEME

3.1

PSCW scheme model

Figure 1.

3.2

Security assumption and security requirements

3.3

Introduction to scheme algorithm

4.

SECURITY PROOF

4.1

Correctness proof

4.2

Confidentiality proof

5.

SCHEME COMPARISON

Table 1.

6.

CONCLUSION

REFERENCES

Show All Keywords

Keywords/Phrases

Search In:

Publication Years