Secure multiparty computation protocol based on homomorphic encryption and its application in blockchain

Abstract

Blockchain technology is a key technology in the current information field and has been widely used in various industries. Blockchain technology faces significant challenges in privacy protection while ensuring data immutability and transparency, so it is crucial to implement private computing in blockchain. To target the privacy issues in blockchain, we design a secure multi-party computation (SMPC) protocol DHSMPC based on homomorphic encryption in this paper. On the one hand, homomorphic encryption technology can directly operate on ciphertext, solving the privacy problem in the blockchain. On the other hand, this paper designs the directed decryption function of DHSMPC to resist malicious opponents in the CRS model, so that authorized users who do not participate in the calculation can also access the decryption results of secure multi-party computation. Analytical and experimental results show that DHSMPC has smaller ciphertext size and stronger performance than existing SMPC protocols. The protocol makes it possible to implement complex calculations in multi-party scenarios and is proven to be resistant to various semi-malicious attacks, ensuring data security and privacy. Finally, this article combines the designed DHSMPC protocol with blockchain and cloud computing, showing how to use this solution to achieve trusted data management in specific scenarios.

1. Introduction

With the rapid development of cloud computing and blockchain [1], the issues surrounding user data privacy and security have become increasingly prominent. Secure multiparty computation plays a crucial role in blockchain by allowing different participants to collaboratively process and compute data without revealing their respective sensitive information [2]. This technology enhances privacy protection and data security within blockchain networks, enabling blockchain applications to execute complex collaborative tasks and smart contracts while safeguarding user privacy [3]. Secure multiparty computation provides a secure and flexible data processing method for blockchain, facilitating its widespread application in various fields such as finance, healthcare, and supply chain.

However, in distributed scenarios like blockchain [4], there are numerous low-trust users and attackers. It is necessary to provide privacy protection while ensuring secure computation. SMPC protocol relies on multi-key fully homomorphic encryption (MKFHE) [5], [6] has advantages and can further enhance security and privacy. MKFHE scheme provides the following advantages in building SMPC. (1). MKFHE enables computations to be conducted on encrypted data sans decryption necessity [7]. Consequently, within the realm of SMPC, participants are empowered to execute computations on encrypted data whilst preserving the confidentiality of the underlying information, thus safeguarding data privacy [8]. (2). Reduced trust requirements: In SMPC, participants may not fully trust each other. MKFHE eliminates the need for participants to disclose their private data to each other, allowing them to perform computations only through encrypted data [9], [10], reducing the trust requirements on other participants. (3). Simplified protocol design: MKFHE can be used to design more concise and efficient secure multiparty computation protocols [11]. By leveraging homomorphic properties, computations on ciphertexts can be performed without plaintext computation, avoiding cumbersome interactions and key management. (4). Flexible data merging: SMPC protocols [12], [13], [14], [15] typically involve the merging of computation results from multiple participants [16], [17]. MKFHE allows partial computations on encrypted data, facilitating the merging of computation results, allowing participants to maintain control over their data until the results are merged. Thus, it has been widely used in the design of SMPC protocols.

There has been some work on integrating HE with blockchain systems so as to protect data security. In the study of Chen et al. [18], the researchers applied deep learning, blockchain and FHE techniques to in-vehicle self-organizing networks to effectively protect the privacy and trustworthiness of the vehicle. Yang et al. [19] proposed a federated learning approach combining blockchain, HE and reputation and used HE to secure the parameters during the process of completing the training of cipher models by edge nodes with local data. Ali et al. [20] integrated HE with industrial healthcare IoT and used federated blockchain to protect the data security and privacy of EHRs. Ma et al. [21] proposed a data privacy protection scheme across edge blockchain networks using FHE to encrypt the on-chain data and ensure that the on-chain private data is “available and invisible”. Gupta et al. [22] proposed a data privacy protection scheme across edge blockchain networks using FHE to encrypt the on-chain data and ensure that the on-chain private data is “available and invisible”. “Gupta et al. designed a decentralized blockchain-based federated learning framework for personalized recommendations in the consumer electronics domain and leveraged the power of homomorphic encryption to ensure that customer data remains encrypted and free from prying eyes, thus achieving data security and privacy protection in the federated learning process.

MKFHE-based SMPC protocols without a Common Reference String (CRS) setting offer more flexibility in terms of users independently generating keys but do not guarantee security; they can only achieve security in semi-malicious environments. In 2016, Mukherjee and Wichs presented a two-round SMPC protocol constructed using the MW16 scheme, capable of resisting arbitrary semi-malicious adversaries with proven security. The CRS model is a theoretical model used in cryptography for areas such as SMPC and zero-knowledge proofs. The CRS model is an assumption in which all participating parties have access to a public, pre-generated reference string. This string is assumed to be secure and generated by a trusted third party or by some decentralized way to ensure its security and fairness. In cryptography and SMPC research, a “semi-malicious environment” describes a specific threat model. In this environment, the parties involved in the computation follow predefined protocol rules, but they try to get as much additional information as possible from all the data they have access to during the process.

In the year 2017, Wang et al. [23] devised a succinct three-round hierarchical multi-key secure multiparty computation (SMC) protocol, founded upon the GSW13 scheme within the framework of CRS model. Although this protocol adds one round of interaction compared to the MW16 scheme, it has low encryption and decryption complexity, a small ciphertext expansion rate, and does not require running keys. In 2018, Kim et al. [24] proposed a three-round SMPC protocol designed to mitigate semi-malicious adversaries, which is based on the KLP 18 scheme and does not use a CRS setting, yet falls short of ensuring security against fully malicious adversaries. In the year 2020, Tang et al. [25] enhanced the ciphertext expansion technique of the KLP18 scheme by integrating encoding operations derived from Li's scheme [26], subsequently devising a three-round secure multiparty computation (SMPC) protocol grounded on multi-key FHE within a CRS-free framework. This protocol exhibited enhanced efficiency and decreased decryption noise, albeit lacking formal safety assurances in the existence of fully malicious adversaries. Subsequently, in 2021, Tang et al. [27] showcased the key homomorphism property inherent in Li's multi-bit FHE scheme [28], and formulated a three-round SMPC protocol accommodating multi-bit encryption within the CRS model, thereby further streamlining the intricacies associated with non-gate operations.

According to the above related work, it is evident that SMPC protocols based on MKFHE without a CRS setting strengthen the ability for users to independently generate keys. However, their security cannot be guaranteed, and they can only achieve security in semi-malicious environments, unable to resist fully malicious attacks. On the other hand, protocols with a CRS setting face issues of large ciphertext size and low efficiency. This paper addresses these challenges by utilizing a CRS-based MKFHE scheme proposed by Li et al. [29] to design a three-round SMPC protocol resistant to malicious adversaries in the CRS model. This scheme facilitates the use of multi-bit encryption and, compared to existing SMPC protocols in the CRS model, has a smaller ciphertext size, providing overall better performance.

Moreover, in addition to deploying this proposed scheme directly in the blockchain [30], we can also deploy this SMPC scheme on the blockchain and integrate it with cloud computing so that it can provide computing services to other users. The combination leverages the properties of blockchain as an immutable public ledger, providing a secure, transparent, and verifiable computing environment. The inherent security and transparency features of blockchain contribute to ensuring data security and privacy in the metaverse. By deploying the SMPC scheme on a blockchain, we can not only ensure the correctness of computations and the privacy of data but also take advantage of the portability of the solution, allowing it to run on different blockchain platforms.

Our contributions:

1. Aiming at the privacy problem in blockchain, this paper designs a homomorphic encryption-based secure multi-party computation (SMPC) protocol DHSMPC, and designs a directed decryption function of DHSMPC to resist malicious adversaries in the CRS model, so that the authorized users who do not participate in the computation can access the decrypted results of secure multi-party computation.

2. Through analysis and experiments, it is demonstrated that DHSMPC has smaller ciphertext size and stronger performance than existing SMPC protocols, and it is also shown that DHSMPC is able to resist a variety of semi-malicious attacks to ensure the security and privacy of data.

3. Finally, this paper combines the designed DHSMPC protocol with blockchain and cloud computing, and shows how the scheme can be utilized to achieve trusted data management in specific scenarios.

The succeeding chapters of our manuscript are organized as follows. Section 2 delineates the symbols and definitions employed within the framework of the scheme. Section 3 describes the MKFHE on which the constructed secure multiparty computation scheme is based. Section 4 introduces the DHSMPC scheme we construct which is a SMPC protocol based on MKFHE with directional decryption and proves the security of the scheme. Section 5 conducts experiments and performance analysis. Section 6 describes the application of the scheme. Section 7 summarizes the entire paper.

2. Symbol definition

In this paper, we employ $negl(\lambda )$ to signify the negligible function of λ, where λ is the security parameter. The notation $\mathbf{a}[i]$ is used to represent the i-th component of vector a. Furthermore, vector a may be conceptualized as a matrix possessing a single row. Additionally, $\mathbf{A}[i,j]$ refers to the element located at the intersection of the i-th row and the j-th column within matrix A.

In the present manuscript, we define the degree of ${\mathrm{\Phi }}_m(X)$ as $n=\phi (m)$, where $\phi (\cdot )$ represents the Euler totient function and ${\mathrm{\Phi }}_m(X)$ is identified as the m-th cycotomic polynomial. The investigations are conducted over the rings $\mathrm{R}=\mathbb{Z}[\mathrm{X}]/{\mathrm{\Phi }}_m(X)$ and $R_q=R/qR$. Herein, the additive and multiplicative operations are performed on the coefficients of the aforementioned rings component-wise. The integer q, a prime, adheres to the relationship $q=q(\lambda )$. The notation $[x]q$ indicates that the coefficients of x are normalized to the interval $[-q/2,q/2]$ under the condition that $q\ne 2$. The term $\chi ={}_{\chi }(\lambda )$ is employed to denote the distribution of B-bounded errors within the ring R, where coefficients lie within the range $[-B,B]$, B is a constant bound on the error distribution χ. The expression $x\leftarrow D$ signifies that the element x is drawn from the probability distribution D, and $\mathrm{x}\underleftarrow{\mathrm{\$}}\mathrm{D}$ specifies that x is sampled uniformly from D.

The general learning with errors problem

Given that the Ring Learning with Errors (RLWE) problem may be construed as an instantiation of the Learning with Errors (LWE) problem within the context of rings, the BGV12 scheme consolidates the LWE and RLWE problems into the Generalized Learning with Errors (GLWE) problem. This unification is predicated on the syntactic similarities inherent to both problems.

Definition 1

GLWE Problem: Let λ denote a security parameter. Consider the polynomial ring$R=Z[X]/x^d+1$and its quotient ring$R_q=R/qR$, along with an error distribution$\chi =\chi (\lambda )$defined over R. The problem of Generalized Learning With Errors (GLWE) involves distinguishing between two distinct distributions. In the first distribution, a tuple$(a_i,b_i)\in R_q^{n+1}$is uniformly and randomly sampled from$R_q^{n+1}$. In contrast, for the second distribution, the elements$a_i$are initially uniformly drawn from$R_q^n$. Subsequently, one uniformly selects$s\leftarrow R_q^n$and$e_i\leftarrow {}_{\chi }$, and constructs the tuple$(a_i,b_i)\in R_q^{n+1}$where$b_i$is set as$b_i=\langle a_i,s\rangle +e_i$. The foundational assumption of the GLWE problem asserts the computational infeasibility of distinguishing these two distributions.

Definition 2

LWE & RLWE Problems: as mentioned earlier, the LWE and RLWE problems are syntactically identical, specifically, the LWE and RLWE problems can be viewed as instances of the GLWE problem when $d=1$ and $n=1$ respectively.

Here we present two subroutines (BitDecomp(-) and Powesof (-)) that are widely used in the FHE scheme. Let $\mathbf{x}\in {\mathbf{R}}_{\mathbf{q}}^{\mathbf{n}}$ be an n-dimensional polynomial on $R_q^n$ and let $\beta =\lfloor \log \rfloor +1$.

$\begin{array}{c}\hfill \mathbf{\text{BitDecomp}}(\mathbf{x}\in {\mathrm{R}}_{\mathrm{q}}^{\mathrm{n}},q)\end{array}$: decompose the n-dimensional vector of integers of modulus q$\mathbf{x}=\{x_1,x_2,...,x_n\}$ into a binary representation. Specifically, for the input $\mathbf{x}=\{x_1,x_2,...,x_n\}\in {\mathrm{R}}_{\mathrm{q}}^{\mathrm{n}}$, the output $(x_{1,0},\cdots ,x_{1,\beta -1},\cdots ,x_{n,0}$, $\cdots ,x_{n,\beta -1})\in {\{0,1\}}^{\mathrm{n}\cdot \beta }$ is obtained, where $x_{i,j}$ is the jth bit in the binary representation of $x_i$ (ordered from least significant bit to most significant bit).

$\mathbf{\text{Powersof2}}\left(\begin{array}{c}\hfill y\in R_q^n,q\hfill \end{array}\right)$: Its output is a vector of n-dimensional modulo q integers $\mathbf{y}=\{y_1,y_2,....,y_n\}$ by different powers of 2. Specifically, for the input $\mathbf{y}=\{y_1,y_2,...,y_n\}\in {\mathrm{R}}_{\mathrm{q}}^{\mathrm{n}}$, get the output $(y_1,2y_1,\cdots ,2^{\beta -1}{y}_1,\cdots ,y_n,2y_n$, $2y_n,\cdots ,2^{\beta -1}{y}_n)\in {\mathrm{R}}_{\mathrm{q}}^{\mathrm{n}\cdot \mathit{\beta }}$.

It is easy to verify that for any $\mathbf{x},\mathbf{y}\in R_q^n$, there is $\langle \mathbf{\text{BitDecomp}}(\mathbf{x},q)$, $\mathbf{\text{Powesof2}}(\mathbf{y},q)\rangle =\langle \mathbf{x},\mathbf{y}\rangle \mathrm{mod}\text{q}$.

Moreover, in the discourse presented herein, we introduce two robust methodologies—key-switching and modulus-switching—as delineated in BGV12. These techniques are adeptly utilized to regulate the dimensionality and noise attributes of ciphertexts throughout the process of homomorphic evaluation. Such strategic management enhances both the computational efficiency and security robustness of FHE schemes.

• (1)Key-Switching

  The technique of key switching represents a pivotal operation within the realm of Fully Homomorphic Encryption (FHE) schemes, primarily utilized to mitigate the dimensionality of an expanded ciphertext to conventional levels. More comprehensively, it facilitates the transformation of a ciphertext $c_1\in R_q^{n_1}$ encrypted under a specific secret key $s_1$, into another ciphertext $c_2\in R_n^{n_2}$ that remains encrypted under a different secret key $s_2$, while preserving the integrity of the underlying message. For a given FHE scheme E, and defining $\beta =\lfloor \log \rfloor +1$, the process of key switching is predominantly governed by two distinct procedures:

  E. SwitchKeyGen($s_1\in R_q^{n_1},s_2\in R_n^{n_2})$: Compute $\overline{s}=Powersof2({\mathit{s}}_1)\in R_q^{n_1\cdot \beta }$, and outputs the computation of Eq. (1).

  $${\tau }_{s_1\to s_2}:={\{K_i=En{c}_{s_2}(\overline{s}[i])\in R_n^{n_2}\}}_{i=1,\cdots ,n_1\beta }$$ (1)
  E. SwitchKey(${\tau }_{s_1\to s_2},c_1$,q): Compute ${\overline{c}}_1=BitDecomp({\mathit{c}}_1)\in R_q^{n_1\cdot \beta }$, and $c_2$ is calculated from Eq. (2).

  $$c_2=\sum _{i=1}^{n_1\beta }{K}_i\cdot {\bar{c}}_1[i]\in R_n^{n_2}$$ (2)

  Lemma 1 BGV12 —

  Consider a ciphertext$c_1$under the secret key$s_1$for a modulus q, where the error term$e_1$, defined as$e_1\leftarrow {[\langle c_1,s_1\rangle ]}_q$, has a maximum length of B. Additionally, let$\mathfrak{m}$denote the message encoded as${\left[{\mathit{e}}_1\right]}_2$with$\mathfrak{p}=2$. Suppose further that$c_2$is derived from$c_1$by applying a key switching function, represented as$c_2\leftarrow E.\mathit{\text{SwitchKey}}({\tau }_{s_1\to s_2},c_1,q)$, and subsequently, let$e_2$be the new error term acquired via$e_2\leftarrow {[\langle c_2,s_2\rangle ]}_q$.

  Then, the magnitude of$e_2$(the new noise component) is constrained to at most$B+2\cdot {\gamma }_{\mathbb{R}}\cdot {\beta }_{\mathbb{X}}\cdot [\log q]\cdot \sqrt{\mathbb{n}}$, assuming that this error magnitude remains below$q/2$. Under this condition, the message$\mathfrak{m}$can be correctly retrieved as$\mathfrak{m}={\left[{\mathit{e}}_2\right]}_2$, thus ensuring the fidelity of the message through the key-switching process. This lemma underscores the impact of key-switching operations on the error characteristics and the stability of the encrypted message within the framework of the cryptographic system.

• (2)Modulus-Switching

  Within the framework of FHE schemes, the growth of noise within ciphertexts due to homomorphic operations necessitates mechanisms to manage and mitigate this escalation. Modulus switching is a technique employed to address this issue by altering the internal modulus of a ciphertext from a higher value $q_{l+1}$ to a lower value $q_l$. This operation adeptly diminishes the noise approximately by $\frac{q_{l+1}}{q_l}$, concurrently maintaining the integrity of decryption with the same secret key.

  The procedure, denoted as $\text{ModulusSwitch}(c_1,q_{l+1},q_l)$, involves the following steps: Given an input ciphertext ${\mathbf{c}}_1\in {\mathbb{R}}_{q_{l+1}}^{n_1}$ and a smaller modulus $q_l$, the function outputs a new ciphertext ${\mathbf{c}}_2\in {\mathbb{R}}_{q_l}^{n_1}$. This new ciphertext ${\mathbf{c}}_2$ is calculated to be the element that is closest to $(\frac{q_{l+1}}{q_l})\cdot {\mathbf{c}}_1$, thereby approximating the original ciphertext while scaling down its modulus and correspondingly its associated noise. This technique is irreplaceable in extending the practical utility of FHE by facilitating operations on encrypted data while managing noise to maintain decryption integrity.

  Lemma 2 BGV12 —

  Consider a ciphertext${\mathbf{c}}_1$encrypted under the key$s_1$for a modulus$q_{l+1}$, where the associated error term$e_{l+1}$is derived as$e_{l+1}\leftarrow {[\langle {\mathbf{c}}_1,{\mathbf{s}}_1\rangle ]}_{q_{l+1}}$and is constrained to a maximum length B. Let$\mathfrak{m}$be the message encoded by${[e_{l+1}]}_2$. Subsequently, let${\mathbf{c}}_2$be obtained through the operation${\mathbf{c}}_2\leftarrow \mathit{\text{ModulusSwitch}}({\mathbf{c}}_1,q_{l+1},q_l)$, and define the new error term$e_l$as$e_l\leftarrow {[\langle {\mathbf{c}}_2,{\mathbf{s}}_1\rangle ]}_{q_l}$.

  The amplitude of the emergent noise component$e_l$is constrained to a maximum of$\mathrm{t}(q_l/q_{l+1})\cdot B+\sqrt{n}\cdot \gamma \cdot B_{\chi }$, provided that this amplitude does not exceed$q_l/2$. Subject to this condition, the original message$\mathfrak{m}$is accurately recovered as$\mathfrak{m}={[e_{l+1}]}_2$.

  This lemma highlights the efficacy of the Modulus Switch technique in controlling noise growth within homomorphic encryption schemes. The detailed theoretical underpinnings and practical implications of this technique, along with key switching, are elaborated further in BGV12 [28], providing a comprehensive framework for understanding and applying these critical cryptographic operations.

3. Basic DHSMPC

The MKFHE scheme enables secure computation across multiple parties, permitting the evaluated ciphertext to be jointly decrypted by all involved participants. However, situations may occur where it is necessary that the final decryption outcome remains inaccessible to certain participants. In such instances, it is preferable to restrict access to the decryption outcome exclusively to designated and authorized users, regardless of their participation in the computation process. Implementing a directed decryption protocol is crucial to strengthen the data owner's governance over their plaintext. Therefore, this manuscript designs a secure multiparty computation protocol with directed decryption, termed as the DHSMPC protocol, which consists of two parts, section 3.1 and section 3.2. The basic version of the DHSMPC protocol shares similarities first part with reference [29] and the second part with reference [31].

3.1. MKFHE protocol

MKFHE.Setup $(1^{\lambda },1^{\mathbb{K}},1^{\mathbb{L}})$:Firstly, select a security parameter λ, an upper limit k on the permissible number of keys, and a maximum L for the circuit depth, ensuring a decreasing sequence of moduli ${\mathfrak{q}}_{\mathfrak{L}}\gg {\mathfrak{q}}_{\mathfrak{L}-1}\gg \cdots \gg {\mathfrak{q}}_0$. Additionally, designate a small integer p that is coprime to all moduli ${\mathfrak{q}}_l$. The rings $R=\mathbb{Z}[X]/{\mathrm{\Phi }}_m$ and $R_{q_l}=R/q_{l}R$ are established as described previously. Define an error distribution ${}_x=_x(\lambda )$ over R, bounded by B, with coefficients within the interval $[-B,B]$. Define ${\beta }_l=[\log B]+1$, and for each level l in $\{0,\dots ,L\}$, select $L+1$ random public vectors $a_l\in R_{q_l}^{2{\beta }_l}$.

All subsequent algorithms inherently consider the public parameters $pp=(R,B,\chi ,{\{q_l,a_l\}}_{l\in \{0,\dots ,L\}},P)$ as input. Define S as an ordered set encapsulating all user indices pertinent to the ciphertext, arranged in ascending order without duplication. Thus, a ciphertext is succinctly represented as a tuple $ct=\{c,S,l\}$.

MKFHE.KeyGen(pp):The key generation algorithm operates based on the provided public parameters pp, producing keys suitable for a circuit depth l for the j-th party, where l ranges from 0 to L.

• (1)
  Sample $z_{l,j}{\leftarrow }_{\chi }$ and subsequently compute secret key as Eq. (3).

  $$s{k}_{l,j}=s_{l,j}:(1,-z_{l,j})\in R_3^2.$$ (3)
• (2)
  Randomly select $e_{l,j}\stackrel{s}{\leftarrow }{x}^{2{\beta }_l}$ and compute it as Eq. (4) to get user j's public key

  $$p{k}_{l,j}={\mathit{p}}_{l,j}:=[a_{l,j}{z}_{l,j}+p{e}_{l,j},a_{l,j}]=[b_{l,j},a_{l,j}]\in R_q^{2{\beta }_l\times 2}$$ (4)
• (3)
  Compute the material used to generate the evaluation key according to Eq. (5) to Eq. (8).

  $$e{m}_j=\{({\mathrm{\Phi }}_{l,j,m}\in R_{ql}^{2{\beta }_B}),{({\mathrm{\Psi }}_{l,j}\in R_{ql}^{2{\beta }_l\times 2},F_{l,j}\in R_{ql}^{{\beta }_l\times 2})\}}_{l=\{L,\cdots ,0\}}$$ (5)

  where

  $${\mathrm{\Phi }}_{lj.m}\triangleq RBGV.En{c}_{s_{l-1,j}}(2^m\cdot z_{l,j})=\{r_{l,j,m}{\mathit{b}}_{l-1,j}[1]+2e_{l,j,m}+2^m\cdot z_{l,j},r_{l,j,m}{\mathit{a}}_{l,j}[1]+2e_{l,j,m}^{\prime }\}\in R_{ql}^2$$ (6)

  $${\mathrm{\Psi }}_{l,j}\cong RGSW.En{c}_{s_{l-1}}(z_{l,j})=\{r_{l,j}^{\prime }[{\mathit{b}}_{l-1},{\mathit{a}}_{l-1}]+p{\mathit{E}}_{l,j}^{\prime }+z_{l,j}\mathit{G}\}\in R_{ql}^{2{\mathit{\beta }}_l\times 2}$$ (7)

  $${\mathit{F}}_{l,j}\triangleq RGSW.EncRand(r_{l,j},p{k}_{l-1,j})\in R_{ql}^{{\beta }_l\times 2}$$ (8)

MKFHE.Enc($p{k}_{L,j},{\mu }_j$): Taking the plaintext ${\mu }_j\in R_p$ as input, the plaintext is encrypted using the public key $p{k}_{L,j}$ and a randomly selected error $\mathrm{r},\mathrm{e},{\mathrm{e}}^{\prime }$ from χ to obtain the ciphertext as Eq. (9):

$$\mathbf{c}=(\begin{array}{c}\hfill c_{j,0},c_{j,1}\hfill \end{array})=(r{\mathbf{b}}_{\mathrm{L},\mathrm{j}}[1]+\mathrm{pr}+{\mu }_j,r{\mathbf{a}}_{\mathrm{L}}[1]+{\mathrm{pe}}^{\prime })\in {\mathbb{R}}_{\mathrm{ql}}^2.$$ (9)

The resultant tuple $xct=\{\mathbf{c},j,L\}$, encapsulating the ciphertext along with the index of the keyholder and the encryption level, is then outputted.

MKFHE.Dec($s{k}_S$, $ct=(c,S,l)$): The decryption function is formulated to process a level-l ciphertext $ct=(c,S,l)$, where $S=\{j_1,\cdots ,j_k\}$ denotes the set of indices corresponding to the involved parties. The associated secret keys for these indices are given as $s_{{\mathrm{j}}_1,l},\cdots ,s_{{\mathrm{j}}_k,l}$, each a vector in ${\mathbb{R}}_3^{2\mathrm{k}}$. The procedure constructs an augmented secret key vector ${\overline{s}}_{S,l}=(1,-z_{{\mathrm{j}}_1,l},\cdots ,-z_{{\mathrm{j}}_k,l})$ in ${\mathbb{R}}_3^{\mathrm{k}+1}$, then recover the encrypted message as Eq. (10).

$$\mu \leftarrow <\mathbf{c},{\overline{\mathit{s}}}_{S,l}>mod{q}_{l}modp$$ (10)

MKFHE.Eval($(p{k}_{l,j_1},...p{k}_{l,j_k}),\mathrm{e}{\mathrm{m}}_{\mathrm{S}},\mathrm{C},(c{t}_1,...,c{t}_t))$:The evaluation function entails the evaluation of a Boolean circuit C over a sequence of ciphertexts $c{t}_i={\{c_i,S_i,l\}}_{i\in \{1,\cdots ,t\}}$, all of which are assumed to reside at the same level l. If necessary, key switching and modulus switching are applied to ensure uniformity in the encryption level. Let $S={\bigcup }_{i=0}^t{S}_i=(j_1,\cdots ,j_k)$. The evaluation process proceeds as follows:

• (1)For each $i\in \{1,\cdots ,t\}$, employ RBGV.CTExt($c_i,S$) to obtain an extended ciphertext ${\overline{c}}_i$ under the extended secret key ${\bar{\mathit{s}}}_i:=(1,-z_{j_1,l},\cdots ,-z_{j_k,l})$.
• (2)
  Generate the evaluation keys by computing Eq. (11).

  $$ev{k}_S={\tau }_{{\hat{s}}_l}\to {\bar{s}}_{l-1}=\text{MKFHE.EVKGen}(e{m}_s,p{k}_{l,s})$$ (11)
• (3)Execute the evaluation of the circuit C utilizing the two fundamental homomorphic operations, namely $\mathrm{MKFHR}.\mathrm{EvalAdd}(ev{k}_S,{\bar{\mathit{c}}}_{i_1},{\bar{\mathit{c}}}_{i_2})$ and $\mathrm{MKFHR}.\mathrm{EvalMult}(ev{k}_S,{\overline{\mathit{c}}}_{i_1},{\overline{\mathit{c}}}_{i_2})$.

3.2. Directed decryption protocol

In this study, we integrate the directed decryption protocol with MKFHE to establish the foundational Directed Homomorphic Secure Multi-Party Computation (DHSMPC) scheme. This configuration permits users to designate the intended recipient of the final decryption result during the homomorphic evaluation process, thereby augmenting the data owner's authority over their plaintext.

In the context where a level-l ciphertext, denoted as $\mu =C({\mu }_1,\cdots ,{\mu }_k)$, requires decryption, and where $S=({\mathrm{j}}_1,\cdots ,{\mathrm{j}}_{\mathrm{k}})$ represents the corresponding set of user indices involved with the plaintext $\mu =C({\mu }_1,\cdots ,{\mu }_k)$ computed through a Boolean circuit C, consider the scenario wherein the target user designated as i is to receive the final decrypted output. This user receives the ciphertext c, and the decryption protocol proceeds as outlined below:

• (1)
  Semi-Decryption: Each user within the set S performs a partial decryption on the ciphertext c using their unique extended keys. For instance, user $j_1$ with secret key $s_{{\mathrm{l},\mathrm{j}}_1}=(1,-Z_{{\mathrm{l},\mathrm{j}}_1})$, employs the extended key ${\overrightarrow{{\mathbf{s}}^{\prime }}}_{l,j_1}=(1,-{\text{Z}}_{{\text{l,j}}_1},0,\cdots ,0)$ to obtain a semi-decrypted result ${\mathbf{c}}_{j_1}^{\prime }=({\mathbf{c}}_{j_1},0)$, calculated as Eq. (12).

  $$c_{j_1}^{\prime }=(c_{j_1},0)=(<c,{\overline{s^{\prime }}}_{l,j_1}>,0)=(b_l-a_l,j_1\cdot Z_{l,j_1},0)$$ (12)

  Similar operations are conducted by other users in S.

• (2)
  Encryption of Zero by the Target User: Each user in S computes the encryption of zero using the public key of user i, designated as $p{k}_{l,i}$. As shown in Eq. (13), the encryption result for user $j_1$ is:

  $$c_i=RBGV.Enc(p{k}_{l,i},0)=(b_{l,i_1},a_{l,i_1})\in R_{ql}^2$$ (13)
  Then, user $j_1$ computes the sum of his semi-decryption result $c_{j_1}$ and the encryption $c_i$, which is derived by Eq. (14):

  $$c_{j_1}^{″}=(b_l-a_{l,j_1}\cdot Z_{l,j_1}+b_{l,i_1},a_{l,i_1})$$ (14)

  Following the same procedure, the other users compute and gather $\{{\mathbf{c}}_{j_1}^{″},{\mathbf{c}}_{j_2}^{″},\cdots ,{\mathbf{c}}_{j_k}^{″}\}$, which are then transmitted to user i.

• (3)
  Final decryption: Upon receipt of $\{\mathbf{c}^{{}^{″}}{}_{j_1},\mathbf{c}^{{}^{″}}{}_{j_2},\cdots ,\mathbf{c}^{{}^{″}}{}_{j_k}\}$, user i calculates the summation ${\mathit{c}}_{sum}={\mathit{c}}_{j_1}^{″}+{\mathit{c}}_{j_2}^{″}+\cdots +{\mathit{c}}_{j_k}^{″}$, and then computes the final decryption result as Eq. (15).

  $$\mu =({\mathit{c}}_{sum}-(k-1){\mathbf{b}}_{\mathbf{l}})\cdot {\mathit{s}}_{\mathrm{l},\mathrm{i}}=({\mathit{c}}_{j_1}^{″}+\cdots +{\mathit{c}}_{j_k}^{″}-(k-1)b_l)\cdot (1,-Z_{l,i})=k{b}_l-\sum _{m=1}^k{a}_{l,j_m}\cdot Z_{l,j_m}-(k-1)b_l+\sum _{m=1}^k(b_{l,i_m}-a_{l,i_m}\cdot Z_{l,j})=b_l-\sum _{m=1}^k{a}_{l,j_m}\cdot Z_{l,j_m}+\sum _{m=1}^k(b_{l,i_m}-a_{l,i_m}\cdot Z_{l,i})=C({\mu }_1,\cdots ,{\mu }_k)+e_{j_1}+\cdots +e_{j_k}+e_{i_1}+\cdots +e_{i_k}=C({\mu }_1,\cdots ,{\mu }_k)mod{q}_{l}modp$$ (15)

Lemma 3: Define B as the noise boundary of an initial RBGV ciphertext, and $B_l$ as the noise boundary for a ciphertext at level l within the RBGV scheme. The directed decryption process is demonstrated to be correct if Eq. (16)

$$|e_{j_1}+\cdots +e_{j_k}+e_{i_1}+\cdots +e_{i_k}|\le |e_{j_1}+\cdots +e_{j_k}|+kB\le k{B}_l+kB<\mathfrak{q}/4$$ (16)

holds. This inequality ensures that the accumulated noise from multiple decryption steps remains within acceptable limits to maintain the integrity of decryption.

It should be noted that within existing MKFHE frameworks, the results of homomorphic evaluations are generally confined to decryption exclusively by users involved in the evaluation process. The directed decryption protocol introduced in this manuscript extends this capability, permitting any duly authorized user to decrypt the resultant ciphertext. Furthermore, this protocol does not incorporate homomorphic multiplication, obviating the need for additional techniques commonly employed to manage noise growth during such operations. This simplification contributes to the robustness and efficiency of the proposed decryption methodology.

4. Our SMPC protocol enhanced DHSMPC

As shown in Fig. 1, the most notable feature of DHSMPC constructed in this paper, compared to other schemes, is the inclusion of a directional decryption algorithm. As a result, the secure multiparty computation protocol built on this scheme can operate in two modes. (1) DHSMPC with collective decryption; (2) DHSMPC scheme with direct decryption. In second mode, only the target user possesses the decryption capability for the final result.

Figure 1.

DHSMPC with directed decryption.

4.1. DHSMPC with collective decryption

(1). Run $\mathrm{MKFHE}.\mathrm{Setup}(1^{\lambda },1^{\mathrm{K}},1^{\mathrm{L}})$, all participants have the same parameter settings

(2). Each participant $P_i$ has input ${\mu }_i\in \{0\text{,1}\}$

Round one: Each participant $P_i$ performs the following steps

 (1). Generate $(\mathrm{p}{\mathrm{k}}_{\mathrm{l},\mathrm{i}},\mathrm{s}{\mathrm{k}}_{\mathrm{l},\mathrm{i}})$ and component $e{m}_i\leftarrow MKFHE.KeyGen$ $(params)$ for ${\mathrm{evk}}_{\mathrm{s}}$

 (2). Obtained $C_i\leftarrow MKFHE.Enc(\mathrm{p}{\mathrm{k}}_{\mathrm{l},\mathrm{i}},{\mu }_i)$ through encrypt ${\mu }_i$ by ${\mathrm{pk}}_{\mathrm{l},\mathrm{i}}$

 (3). Announce $\mathrm{p}{\mathrm{k}}_{\mathrm{l},\mathrm{i}},\mathrm{e}{\mathrm{m}}_{\mathrm{i}}$ and $C_i$

Round two: Each participant $P_i$ receives $\mathrm{p}{\mathrm{k}}_{\mathrm{l},\mathrm{i}},\mathrm{e}{\mathrm{m}}_{\mathrm{i}}$ and $C_i$ of other participants and performs the following steps:

 (1). Homomorphic evaluation was performed according to Eq. (17) to obtain the evaluation ciphertext

$$C_e\leftarrow MKFHE.Eval((p{k}_{l,j_1},\cdots ,p{k}_{l,j_k}),e{m}_s,(c{t}_1,\cdots ,c{t}_t))$$ (17)

 (2). Each participant performs semi-decryption

 (3). Publish semi decryption results, all parties obtain results by decryption

4.2. DHSMPC with direct decryption

(1). Setup: Run $\mathrm{MKFHE}.\mathrm{Setup}(1^{\lambda },1^{\mathrm{K}},1^{\mathrm{L}})$, all participants have the same parameter settings

(2). Each participant $P_i$ has input ${\mu }_i\in \{0\text{,1}\}$

Round one: Each participant $P_i$ performs the following steps

 1. Generate $(\mathrm{p}{\mathrm{k}}_{\mathrm{l},\mathrm{i}},\mathrm{s}{\mathrm{k}}_{\mathrm{l},\mathrm{i}})$ and component $e{m}_i\leftarrow MKFHE.KeyGen$ $(params)$ for ${\mathrm{evk}}_{\mathrm{s}}$

 2. Obtained $C_i\leftarrow MKFHE.Enc(\mathrm{p}{\mathrm{k}}_{\mathrm{l},\mathrm{i}},{\mu }_i)$ through encrypt ${\mu }_i$ by ${\mathrm{pk}}_{\mathrm{l},\mathrm{i}}$

 3. Announce $\mathrm{p}{\mathrm{k}}_{\mathrm{l},\mathrm{i}},\mathrm{e}{\mathrm{m}}_{\mathrm{i}}$ and $C_i$

Round two: Each participant $P_i$ receives $\mathrm{p}{\mathrm{k}}_{\mathrm{l},\mathrm{i}},\mathrm{e}{\mathrm{m}}_{\mathrm{i}}$ and $C_i$ of other participants and performs the following steps:

 (1). Homomorphic evaluation was performed according to Eq. (18) to obtain the evaluation ciphertext.

$$C_e\leftarrow MKFHE.Eval((p{k}_{l,j_1},\cdots ,p{k}_{l,j_k}),e{m}_s,(c{t}_1,\cdots ,c{t}_t))$$ (18)

 (2). Semi decryption by all parties involved.

 (3). Each participant encrypts 0 using the target user's public key and adds it into semi decrypted ciphertext.

 (4). All participants will receive the encrypted 0 and half decrypted ciphertext and send it to the target user.

Round three: The target user receives semi decrypted ciphertext from all users and performs the following steps: The target user executes Final decryption to obtain the decryption result.

4.3. Security proof

In the realm of multi-party secure computing, adversaries are typically categorized into several models. The first type is the semi-honest model, wherein all participants conform to the protocol specifications without active alterations to the protocol or data. However, they may retain intermediate results from the computations to deduce the confidential data of other participants. The second type is the semi-malicious model, characterized by adversaries who decide whether to adhere to the protocol based on the input data and certain stochastic elements. The third type encompasses malicious models, in which participants may freely manipulate or disclose protocols and data, and are even capable of obstructing the normal execution of protocols.

In the context of SMPC, a protocol that is secure within a semi-malicious model can be elevated to security in a malicious model through the application of non-interactive zero-knowledge proofs (NIZKs) in the CRS model. Thus, our analysis primarily focuses on the security of the MPC protocol in the semi-malicious model.

Correctness: The overall architecture of our scheme mirrors that of MKFHE, with modifications confined to the decryption component.

Consider a ciphertext C that encrypts a bit μ. Upon evaluating the ciphertext with the secret key ss, and based on the correctness analysis of non-threshold MKFHE, the Eq. (19) holds:

$$<\overline{s_l},\bar{c}>=\sum _{i\in [k]}<\overline{s_{l,i}},\overline{c_i}>=\mu +pe,$$ (19)

where $|e|\infty \le K\cdot B_0$. If the partial decryption ${\rho }_i$ adheres to the preceding structure, then as shown in Eq. (20):

$$\sum _{i\in [k]}{\rho }_i=\sum _{i\in [k]}{\gamma }_i+p\sum _{i\in [k]}{e}_i^{sm}=\sum _{i\in [k]}<\overline{s_{l,i}},\overline{c_i}>+p{e}^{sm}=\mu +pe+p{e}^{sm}$$ (20)

Here, $e^{sm}={\sum }_{i\in [k]}{e}_i^{sm}$, and $|e^{sm}|\infty \le K\cdot Bsmd{g}^{dec}\le K\cdot 2^{O(\lambda )}{B}_{max}$, with $|e|\infty \le Bmax$. Setting $q_0=4K\cdot 2^{\lambda }{B}_{max}$ and ensuring $|e_0+e_{sm}|<q/4$, the accuracy of the decryption is thereby assured.

Definition 3

Security of DHSMPC protocol: Let $\epsilon \in [0,1]$ be the advantage of the adversary in successfully forging ciphertexts. The scheme is considered to have ciphertext indistinguishability when the Eq. (21) holds:

$$\epsilon =Pr[|{\rho }_i-{\rho }_i^{\prime }|<B_{max}]-Pr[|{\rho }_i-{\rho }_i^{\prime }|\ge B_{max}]\approx 0$$ (21)

Game based proof is a universal method for proving the security of cryptographic protocols. It describes the behavior of attackers in the form of a game and proves the security of the protocol by setting game testing conditions and restrictions. In a semi malicious environment, we can use game proof based methods to prove the security of the scheme. Specifically, we can use the impersonation model to test the security of the protocol. In this model, attackers can impersonate the user's identity to participate in the protocol, but cannot change or crack the ciphertext.

$\mathit{G}\mathit{a}\mathit{m}\mathit{e}\mathbf{0}$: Baseline Game

(1). Attackers can freely choose n public key pks, PKE and its own private key SKG

(2). The game will randomly generate a plaintext m and encrypt it using the n public keys mentioned above to obtain the ciphertext q=E (pk,. m).

(3). The game randomly selects a set s that includes both the attacker and other users, and sends the public key pk and ciphertext q of all users in S to the attacker, while sending m to other users.

(4). The attacker needs to output plaintext m'

(5). The game determines whether m'=m is valid. If true, the game is successful; otherwise, the game fails.

$\mathit{G}\mathit{a}\mathit{m}\mathit{e}\mathbf{1}$: Attackers can impersonate a user in user group S's game

Based on game 0, we further assume that the attacker can impersonate a user in user group S. Unlike Game 0, in Game 1, attackers can know the user ID corresponding to a ciphertext and can choose to impersonate the user's identity to completely replace the real user in the protocol.

Drawing from the conceptual frameworks delineated in the aforementioned games, we employ the security paradigms of these games to validate the security of the proposed scheme within a semi-malicious environment. If the adversary fails to mount a successful attack in Game 1, it can be asserted that the scheme upholds IND-CPA security in a semi-malicious setting.

Security proof under the semi-malicious model encompasses the following games:

(1) Game $REA{L}_{\pi ,A,Z}$: In the authentic environment denoted as Z, a semi-malicious adversary engages in protocol execution.

(2) Game $HY{B}_{\pi ,A,Z}$: Analogous to Game $REA{L}_{\pi ,A,Z}$, the principal distinction lies in the presumption that all private keys are apprehended by $p_h$ subsequent to the second round, and in the third round, simulated partial decryption is employed in lieu of genuine decryption for publication.

(3) Game $IDEA{L}_{\pi ,A,Z}$: Bearing similarity to Game $HY{B}_{\pi ,A,Z}$, yet differing in the second round where the honest party $p_h$ opts to encrypt and release a constant zero instead of actual input data.

Simulation: The simulator, denoted as ${\mathrm{S}}^{\mathrm{thr}}(\mathit{\mu },\hat{\mathrm{c}},{\{{\mathrm{s}}_{\mathrm{l},\mathrm{j}}\}}_{\mathrm{j}\in [\mathrm{k}]/\mathrm{i}})$, receives the keys ${\{{\mathbf{s}}_{\mathrm{l},\mathrm{j}}\}}_{\mathrm{j}\in [\mathrm{k}]/\mathrm{i}}$, the evaluated ciphertext $\hat{\mathfrak{c}}\in {\mathbb{R}}_{\mathfrak{q}}^{2\mathrm{k}}$, and the encrypted output value $\mu =\mathsf{C}({\mu }_1,\cdots ,{\mu }_{\mathrm{k}})$ using $\hat{\mathbb{C}}$ as inputs. It simulates the decryption of part of the output as Eq. (22):

$${\rho }_{\mathrm{i}}^{\prime }=\mu -\sum _{\mathrm{i}\ne \mathrm{j}}{\gamma }_{\mathrm{i}}+\mathrm{p}{\mathrm{e}}_{\mathrm{i}}^{\mathrm{s}{\mathrm{m}}^{\prime }}$$ (22)

where ${\mathrm{e}}^{\mathrm{sm}}\in [-B_{smdg}^{dec},B_{smdg}^{dec}]$ and ${\gamma }_{\mathrm{i}}=\langle s_{\mathrm{l},\mathrm{i}},c_{\mathrm{i}}\rangle$. As shown in Eq. (23), to evaluate indistinguishability, observe that if ${\mathrm{p}}_{\mathrm{i}}={\mathit{\gamma }}_{\mathrm{i}}+\mathrm{p}{\mathrm{e}}_{\mathrm{i}}^{\mathrm{sm}}$ represents the true partial decryption, it decrypts to:

$${\mathit{\rho }}_{\mathrm{i}}={\mathit{\gamma }}_{\mathrm{i}}+\mathrm{p}{\mathrm{e}}_{\mathrm{i}}^{\mathrm{sm}}=\sum _{\mathrm{i}\in [\mathrm{k}]}{\gamma }_{\mathrm{i}}-\sum _{\mathrm{i}\ne \mathrm{j}}{\gamma }_{\mathrm{i}}+\mathrm{p}{\mathrm{e}}_{\mathrm{i}}^{\mathrm{sm}}=\mu +\mathrm{pe}+\mathrm{p}{\mathrm{e}}_{\mathrm{i}}^{\mathrm{sm}}-\sum _{\mathrm{i}\ne \mathrm{j}}{\mathit{\gamma }}_{\mathrm{i}}.$$ (23)

The distinction between the actual value ${\rho }_i$ and the simulated value ${\rho }_i^{\prime }$ lies in the noise e, which adheres to $|\mathrm{e}|\infty \le {\mathrm{B}}_{\max }$. According to lemma 4, the distributions of ${\mathrm{e}}_{\mathrm{i}}^{\mathrm{sm}}$ and ${\mathrm{e}}_{\mathrm{i}}^{\mathrm{s}{\mathrm{m}}^{\prime }}$ are statistically close, as each coefficient of esm is uniformly sampled within $[-{\mathrm{B}}_{\mathrm{smdg}}^{\mathrm{dec}},{\mathrm{B}}_{\mathrm{smdg}}^{\mathrm{dec}}]$, where ${\mathrm{B}}_{\mathrm{smdg}}^{\mathrm{dec}}=2^{\lambda }{\mathrm{B}}_{\max }$, ensuring ${\mathrm{B}}_{\mathrm{smdg}}^{\mathrm{dec}}/|\mathrm{e}{|}_{\infty }\ge 2^{\lambda }$. Hence, simulated partial decryption and actual partial decryption are statistically indistinguishable.

Lemma 4. Let positive integers $B_1=B_1(\lambda )$ and $B_2=B_2(\lambda )$ and let $e_1\in [-B_1,B_1]$ be a fixed integer. Further let the integer $e_2\in [-B_2,B_2]$ be chosen by uniform randomization. If the condition $B_1/B_2=negl(\lambda )$ is satisfied, then the distribution of the integers $e_2$ is statistically indistinguishable from the distribution of $e_1+e_2$. Similarly, when considering the ring $\mathrm{R}=\mathrm{Z}[\mathrm{X}]/{\mathrm{\Phi }}_{\mathrm{m}}(\mathrm{X})$, if $e_1\in {\mathbb{R}}_q$ is a stationary ring element and satisfies ${\Vert e_1\Vert }_{\infty }\le B_1$, and if the ring element $e_2$ with coefficients chosen uniformly at random from the interval $[-B_2,B_2]$. The distribution of $e_2$ is also statistically indistinguishable from that of $e_1+e_2$ under the condition $B_1/B_2=negl(\lambda )$.

Drawing from the MW16 scheme, if the SMC protocol in the CRS model is substantiated as secure within a semi-malicious environment, it can be extrapolated to a malicious model employing methodologies such as NIZKs.

This experiment compares the CDKS19 scheme, CZW17 scheme, and the secure multiparty computation proposed in this paper. The aim is to investigate the strengths and weaknesses of the proposed scheme and to use the findings for future optimization.

The experiment maintains an equal number of participants, comparing the space and time complexity consumption of the two existing schemes and the proposed scheme under different dimensions $\prime n^{\prime }$ of challenging assumptions. The performance of the proposed scheme surpasses CCS19 and CDKS19 until the dimension of challenging assumptions reaches a certain threshold (correlated with the number of participants). Beyond this threshold, the performance of the proposed scheme falls between CCS19 and CDKS-19.

5. Experiment and analysis

5.1. Experiment

From the experimental observations presented in Fig. 2, it is discernible that the efficiency of the proposed scheme, in relation to challenging assumptions, exhibits an enhancement concomitant with an increase in dimensionality. However, considering that as the dimension of challenging assumptions increases, the parameters in the proposed scheme also increase, leading to increased storage overhead in practical usage. Therefore, taking the efficiency and storage overhead of the proposed scheme and CCS19 scheme as an example, the point at which both schemes exhibit similar performance is the optimal efficiency and storage overhead node for the proposed scheme. The position of this node is influenced by the number of participants, showing a positive correlation: the more participants, the larger the value of this node.

Figure 2.

Efficiency comparison.

Fig. 3 presents a comparative analysis of the storage overheads associated with our proposed scheme, CCS19, and CDKS19. It is evident from the data that the storage overhead incurred by our proposed scheme is substantially greater than that observed in the other two schemes utilized for comparison.

Figure 3.

Storage consumption comparison.

In order to support directional decryption techniques, our proposed scheme includes additional settings and parameters compared to the other two schem-es in the experiment. This results in a sacrifice of some efficiency and overhead. Consequently, the performance of our proposed scheme in the experimental evaluation did not exceed that of the CDKS19 scheme.

5.2. Performance analysis

The SMPC protocol developed in this article, along with the protocol described in reference [9], are both predicated on MKFHE, specifically of the BGV (Brakerski-Gentry-Vaikuntanathan) type. This foundational similarity endows both schemes with specific advantages in terms of encrypting cyclic elements, optimizing the ciphertext-to-plaintext ratio, and facilitating computation leveraging the Chinese remainder theorem.

As shown in Table 1. Although the protocol proposed in this article has an additional round of three compared to the two-round scheme in reference [9], the multi key FHE used in this article for constructing SMPC optimizes the ciphertext extension and reduces the ciphertext size by half compared to reference [9]. The unique evaluation key generation method significantly reduces the input and output volume. Moreover, compared to traditional SMPC protocols, the SMPC protocol proposed in this article with a directed decryption protocol can choose between directed decryption or decryption, which can be applied to more scenarios.

Table 1.

Comparison.

Protocol	Basic	Round	Ciphertext Ratio	Cipertext Size	Evaluation Key
Che et al. [5]	BGV12	2	O(1)	2kn	4n
Ours	BGV12	3	O(1)	(k+1)n	n

To address the lack of efficiency of this scheme, one possible direction of improvement is to combine the DHSMPC protocol with the Trusted Execution Environment (TEE), and utilize the secure and isolated environment provided by the TEE to accelerate and protect the sensitive computation process in the SMC. For example, we can transfer the homomorphic encryption evaluation step in the DHSMPC protocol to be performed in the TEE. By feeding the data directly into the TEE and performing all the sensitive computations in it, the exposure of the data to the external environment can be minimized since the data is only decrypted and processed inside the TEE; at the same time, the TEE has direct access to the hardware resources, which provides a higher computational efficiency compared to a fully software-implemented SMC. Higher computational efficiency, the computation within the TEE can use hardware acceleration features, such as encryption and decryption engines, which makes it faster than the traditional, fully software-based SMC, thus achieving efficiency improvement while ensuring the security of the DHSMPC protocol, so the use of the TEE to optimize the DHSMPC protocol will be the focus of our subsequent work.

6. Application of our DHSMPC in blockchain

In this section, we initially introduce an application exemplar of our proposed scheme within the framework of a blockchain scenario. Subsequently, we will provide a detailed explanation of how the scheme is utilized to achieve trusted data management.

The system architecture comprises a Trusted Authority (TA), a Cloud Server (CS), and Data Holders (DH), as illustrated in Fig. 4. Trusted Authority: The Trusted Authority is considered responsible for completing identity registration and authentication for each data holder in the blockchain during the registration phase. It also manages the recording and reporting of malicious nodes.

Figure 4.

System model of DHSMPC in blockchain.

Cloud Server (CS): The Cloud Server is a cloud server with a certain storage capacity and is responsible for storing user-encrypted data. Data Holder (DH): Data holders are users of data resources and act as nodes in the blockchain. They can synchronize block information generated in the cloud. By adopting a combination of on-chain and off-chain approaches, the off-chain part handles data generation and key generation, using homomorphic encryption technology to encrypt the data. Computing tasks are placed on the blockchain to ensure transparency. All steps of the computation can be publicly verified, and all inputs and outputs of the data are encrypted to ensure data privacy.

In the model, a cloud server is used as an accounting node. All data-holding users form a group with reliable data management and computation requirements. Due to the high cost of local storage, this group can effectively reduce costs by renting cloud servers. In our model, data holders upload encrypted data to the cloud. While storing the data, the cloud generates data blocks according to predefined rules. When a data holder needs to perform a computation using the data, a request is sent to all users. The users that fulfill the requirements form a secure multiparty computation group and perform the computation according to the protocol. The detailed process is as follows:

(1). Initially, data-holding users complete registration in the blockchain, obtaining the key generation program for the corresponding secure multiparty computation protocol. Subsequently, they generate their respective keys (sk, pk).

(2). Each data-holding user encrypts their data and stores it in the cloud, generating the corresponding data blocks.

(3). Data-holding users with computation requirements send out requests for their computation needs. Upon receiving a request, other users retrieve their data based on the requirements. Users that meet the criteria form a task group to perform a complete SMPC. Each user contributes the data from the relevant data blocks to the agreed-upon computation model. The computation and decryption are carried out according to the protocol. Depending on the specific requirements, individual computation needs initiate a SMPC protocol with directional decryption, while collective computation needs initiate a SMPC protocol with collective decryption. Each protocol initiation process is recorded on the blockchain, ensuring public transparency and data security.

In Fig. 5, blockchain is utilized to provide secure multiparty computation services, offering a secure and reliable solution not only for web services but also for the data security and privacy protection of these web services. This deployment employs a decentralized approach to store and process data, ensuring the immutability of data. Simultaneously, the integration of secure multiparty computation technology effectively guarantees the confidentiality and security of data among all parties involved in the data processing.

Figure 5.

Secure multi-party computing services deployed on blockchain.

The advantages of secure multiparty computation technology lie in its ability to handle data involving multiple parties, ensuring the privacy and security of the data, while also exhibiting high portability. By leveraging blockchain technology, services are distributed across multiple nodes, inherently possessing high portability. Moreover, deploying secure multiparty computation algorithms on the blockchain using smart contract technology allows them to run on any platform through API, further enhancing portability and scalability.

However, it is crucial to note that the combination of secure multiparty computation and blockchain imposes higher requirements on processing speed, data scalability, and the executability of algorithms. Therefore, in practical applications, algorithm optimization based on specific circumstances is necessary, leveraging hardware devices to enhance processing speed and scalability. Simultaneously, strict security measures must be implemented to guard against various security attacks.

7. Discussion

With the continuous growth of digital transformation and the demand for data privacy protection, the application potential of full homomorphic encryption is becoming more and more prominent. The efficient fully homomorphic encryption protocol DHSMPC proposed in this study provides a new solution for handling sensitive information while ensuring data security and operational efficiency. In the future, this protocol is expected to play an important role in the field of federated learning, especially when dealing with cross-agency data collaboration, to ensure data privacy protection and security.

In a federated learning environment, different participants can jointly train models without directly exchanging data, and all parties only need to upload encrypted local updates to the shared model. The DHSMPC protocol, through its small ciphertext expansion rate and efficient homomorphic operation, can significantly reduce communication and computation costs, enabling efficient operation even in resource-constrained scenarios. A more feasible direction is to use the DHSMPC protocol to encrypt the local model gradients of each participant in federated learning and use its support for homomorphic evaluation to aggregate the ciphertexts of the model gradients at a central server, which is a more secure scheme than the mainstream homomorphic encryption algorithms that are currently being applied with federated learning while maintaining a certain level of efficiency. In addition, the protocol's ability to withstand malicious attacks makes it promising for a wide range of applications in industries where data security is particularly sensitive, such as finance, healthcare and personal privacy data processing.

Looking ahead, with technological advances and algorithmic optimizations, the application of the DHSMPC protocol in federated learning and other multi-party secure computing scenarios will be further expanded, especially in combination with blockchain technology, which can provide even more robust and secure support in decentralized data transactions and management. This will not only drive the development of federated learning technology, but also promote the innovation and maturity of the entire intelligent data processing field.

8. Conclusion

Leveraging an efficient FHE scheme, the paper introduces a hierarchical multi-bit, multi-key SMPC (DHSMPC) under the PRC model. This protocol comprises three communication rounds and has been validated for security in semi-honest and semi-malicious environments, as well as demonstrating resistance to malicious adversaries in the CRS model. Compared with existing protocols, the proposed protocol has smaller ciphertext expansion rate, significantly reduces the number of homomorphic operations for multi-bit encryption, has smaller ciphertext size, and efficiently generates evaluation keys. Finally, this article shows how to use this solution to achieve trusted data management in specific scenarios by combining it with blockchain and cloud computing.

CRediT authorship contribution statement

Haijun Bao: Writing – original draft, Software, Methodology, Conceptualization. Minghao Yuan: Writing – review & editing, Investigation, Data curation. Haitao Deng: Writing – original draft, Software, Data curation. Jiang Xu: Project administration, Funding acquisition. Yekang Zhao: Writing – review & editing, Supervision, Resources, Conceptualization.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Data availability

The data that has been used is confidential.