 Research
 Open access
CloudSMPC: two-round multilinear-map secure multiparty computation based on the LWE assumption
Journal of Cloud Computing volume 13, Article number: 22 (2024)
Abstract
Cloud computing exposes the data of all parties to leakage, so private data needs security protection, and existing solutions do not offer a trade-off between security and overhead. With data communication distributed across data barriers, the security of information exchange and of data computation have become challenges for secure computing. Combining cloud computing with secure multiparty computation (SMPC) can provide a higher level of data protection while retaining the benefits of cloud computing: data is stored in the cloud and computed on through SMPC protocols, which protects its privacy and security. However, multiple rounds of interaction are usually required, which increases the communication overhead, and the security strength is limited by the underlying hardness assumption. In this paper we aim at an optimal number of rounds for secure multiparty computation on the cloud, a sublinear communication overhead, and a stronger security notion. A 2-round SMPC protocol is constructed in the Universally Composable (UC) framework using multilinear maps based on the Learning with Errors (LWE) assumption. Each participant encodes its input and sends it over a broadcast channel to reduce interaction, computation is carried out homomorphically on the encoded information so that the computed data can be accessed securely, and the SMPC protocol is secured through UC security. The protocol extends to multiple parties, reduces the number of communication rounds to 2, achieves sublinear communication overhead in polynomial time with a setup of size poly(k), and achieves static security.
Introduction
Cloud computing has grown considerably in recent years, and computing models that store data and applications on remote servers have matured and become popular. Edge cloud computing [1,2,3,4] enables efficient data processing and transmission, and many applications are also available in the Internet of Things [5, 6]. Deep learning and model training have been combined with cloud computing for personalized web recommendation systems and anomaly detection [7,8,9,10]. But this also poses security risks [11]. As data and computation are dispersed to edge nodes, attackers may exploit weaker security mechanisms to compromise these nodes, leading to data leakage or service disruption. Therefore, strict security measures, including data encryption, authentication, access control, and vulnerability management, must be adopted in edge cloud computing applications to ensure the security and stability of the system. In the era of big data, data security, communication security [12, 13], secure data sharing, and privacy-preserving computation have become particularly important. Many researchers have conducted in-depth studies in areas such as data security, privacy protection, and adversarial attack and defense [14,15,16,17,18]. From the perspective of cryptography, secure multiparty computation [19] provides a reasonable solution. Yao proposed the “millionaires' problem” in 1982, leading to the first secure two-party computation protocol [20], which represents the computed function as a boolean circuit and provides computational security for secure two-party computation in the semi-honest model. This was followed by Goldreich et al., who gave the first secure multiparty computation protocol [21] and proved its security in the semi-honest model.
After decades of development, existing research has focused on the performance of SMPC, mainly on the number of communication rounds, communication complexity, computational complexity, and minimizing the complexity assumptions in order to strengthen the notion of security. Abraham et al. [22] construct a protocol based on verifiable secret sharing (VSS) for the semi-honest setting whose round complexity is proportional to the circuit depth. An SMPC protocol against malicious adversaries without trusted setup assumptions was proposed in [23]: a 5-round SMPC protocol based on the Decisional Diffie-Hellman (DDH) assumption, and a 4-round SMPC protocol constructed from one-way permutations based on the sub-exponential DDH assumption. For the problem of optimizing the number of rounds, Ananth et al. [24] study the round complexity of n-party protocols in the honest-majority setting, tolerating the corruption of \(t<\frac{n}{2}\) participants and achieving security with abort in the plain model, where the security of the protocol depends only on one-way functions. For SMPC, cryptographic techniques such as Laconic Function Evaluation (LFE) and oblivious transfer (OT) are used to construct secure multiparty computation protocols [25,26,27] and to reduce the number of rounds of interaction between participants. Existing studies show that secure multiparty computation still suffers from high communication overhead, high round complexity, and low security strength. Therefore, this paper builds on cloud computing to achieve a more secure and efficient secure multiparty computation scheme; the general process is shown in Fig. 1.
This paper is devoted to the round-complexity optimization problem of SMPC on the cloud: it introduces a harder security assumption to strengthen the security notion, reduces the number of interactions, and achieves low communication overhead for privacy-preserving cloud computing. The contributions of this paper are as follows.

1.
To optimize the round complexity of the protocol in cloud-based SMPC, we construct a 2-round secure multiparty computation protocol using a multilinear map based on the LWE assumption.

2.
The protocol is realized in the UC framework: the ideal functionality is delegated to the computation on the cloud, each participant can access the ideal functionality, and the protocol is finally realized on the cloud with UC security, which strengthens the security of the SMPC.

3.
The parameters of the SMPC protocol depend only on the LWE instantiation and the depth of the computed circuit, which yields sublinear communication overhead.
The Related work section reviews related work on secure multiparty computation, and the Preliminaries section gives an overview of multilinear maps, learning with errors (LWE), universal composability (UC), garbled circuits, and zero-knowledge proofs. The Protocol construction section describes the construction of our scheme, and the Security demonstration section analyzes its security. Finally, we summarize our work in the Conclusions section.
Related work
Secure multiparty computation with a constant number of rounds was first studied in [28] to reduce the number of interaction rounds; Gordon et al. [29] designed constant-round SMPC protocols in the honest-majority setting that guarantee fairness and correct output delivery (Table 1). A series of subsequent works target the security of SMPC, designing protocols secure against malicious adversaries under various hardness assumptions [30,31,32]. Garbled circuits combined with non-committing encryption (NCE) in the plain model have been used to construct adaptively secure constant-round secure multiparty computation protocols, together with some extensions and applications [33]. By combining cryptographic primitives, fully homomorphic encryption [34] based on the learning with errors (LWE) assumption has been used to construct two-round secure multiparty computation, allowing one round of distributed decryption of ciphertexts under multiple secret keys [35, 36], which gave a great impetus to later research. The bilinear-map operation provides a distinctive tool for secure multiparty computation: the inputs are encoded and then operated on, the evaluation takes as input the set of garbled protocol components with labels corresponding to each party's input encoding, and outputs the full transcript of the distributed protocol [37]; garbled circuits are then incorporated to design the garbled protocol. With the study and development of lattice trapdoors [38,39,40], encoding schemes built on trapdoors improve the security level of schemes under the LWE assumption, and graded multilinear encodings have been widely used in cryptography, from non-interactive key exchange to broadcast and attribute-based encryption.
Ciampi et al. [41] construct secure two-party computation from oblivious transfer protocols, building such protocols from trapdoor permutations via four-round delayed-input non-malleable zero-knowledge arguments. The development of UC [42, 43] likewise has many applications in secure multiparty computation. In the UC framework, the security of a protocol reduces to the indistinguishability of the ideal and real executions. Under the notion of static security, protocols with sublinear communication have been constructed from threshold FHE and non-interactive zero-knowledge proofs (NIZK) [44], which typically require four rounds of interaction in the threshold-PKI model and five rounds in the CRS model. Round optimization has also been carried out in the honest-majority setting, with protocols designed in the model where the communication size is polynomial in the circuit size [24, 29], achieving static security. Existing studies show that secure multiparty computation still suffers from high communication overhead, high round complexity, and low security strength. The solution in this paper is dedicated to optimizing the number of rounds and the communication overhead, introducing a harder security assumption and strengthening the notion of security.
Preliminaries
In this section we review multilinear maps, learning with errors (LWE), universal composability (UC), garbled circuits, and zero-knowledge proofs. We denote by \(k\in N\) the security parameter and, for all \(n\in N\), write [n] for \(\left\{ 1,2,...,n\right\}\). PPT denotes probabilistic polynomial time and poly denotes a positive polynomial. A function \(\mu\) with \(\mu \left( k \right) < \frac{1}{poly(k)}\) for every positive polynomial poly is called negligible. Let \(x=(x_1,x_2,... ,x_{n})\) be a vector; the norm of x is defined as \(\left\| x \right\|_{\infty }=\max_i |x[i]|\). If two distributions \(D_1\),\(D_2\) are statistically close, we write \(D_{1}\overset{s}{\equiv }\ D_{2}\). If two distributions \(D_1\),\(D_2\) are computationally indistinguishable, we write \(D_{1}\overset{c}{\equiv }\ D_{2}\).
Multilinear maps
Multilinear maps [39, 40] are an abstractly defined mathematical tool that lets us operate on a series of group elements and extract part of the information from the combined result. Given t cyclic groups \(G_1,G_2,... ,G_t\) and a target cyclic group G, for a multilinear map e of order t we have
where \(g_1,g_2,...,g_t\) are generators of the cyclic groups \(G_1,G_2,...,G_t\), g is a generator of the target group G, and \(x_1,x_2,...,x_t\in \left\{ 0,1\right\} ^{*}\). We regard \({g_i}^{x_i}\ (i\in [t])\) as the encoding of \(x_i\); the t-order multilinear map takes the encodings \({g_1}^{x_1},{g_2}^{x_2},...,{g_t}^{x_t}\) of the t unknown values \(x_1,x_2,...,x_t\) and produces the encoding \(g^{\prod_{i\in [t]} x_{i}}\) of their product in the group G. Similarly, we obtain the corresponding additive operation: if \(\boxplus\) denotes the operation defined in the group, we have \(g_i^{x_1}\boxplus g_i^{x_2}=g_i^{x_1+x_2}\). However, for a multilinear map of order t we can perform at most t levels of multiplication, while addition is possible at any level. The result of a computation is presented in the form of a ciphertext, and we can extract part of its information with the zero-test algorithm.
ZeroTest algorithm: Given an element h of the target group G, the ZeroTest algorithm checks whether h is an encoding of zero. If \(h=g^0\) it outputs 1 (h encodes 0); otherwise it outputs 0.
Learning with errors
Trapdoor-based LWE has been developed through the study of lattice trapdoors [38]. Let k denote the security parameter, let the parameters \(n=n\left( k\right) ,q=q\left( k\right)\) of the LWE [45] instance be integers, and let \(\chi =\chi (k)\) be a distribution over Z. The \({LWE}_{n,q,m}\) assumption states that for all polynomials \(m=m(k)\) the following two distributions are indistinguishable:
where \({A}\leftarrow Z_q^{n\times m}\), \({s}\leftarrow Z_q^n\) is the secret vector, \({e}\leftarrow \chi ^m\) is the noise vector and \({z}\leftarrow Z_q^m\). In the LWE scheme with trapdoor [17, 19], for any \(m^\prime \in N\), A is a uniformly random matrix with a trapdoor \(R\in Z_q^{m^\prime \times n\log {q}}\), and the LWE hardness assumption is made for this matrix. From the matrix A with trapdoor, another matrix \(D_1\) can be generated such that \(AD_1=sA_1+e_1\), and similarly \(A_1D_2=sA_2+e_2\), where the matrix \(A_1\) is also a uniformly random matrix with a trapdoor \(R_1\). That is, the matrix \(D_i\) of the current level is generated from the trapdoor \(R_{i-1}\) of the previous level, and the whole process forms a nested chain structure.
Theorem 1
(secure MPC with sublinear communication [26, 46], informal). Assuming LWE and secure erasures (alternatively, sub-exponential iO), every function can be securely computed by a 2-round protocol tolerating a malicious adversary that can adaptively corrupt all of the parties, such that the communication complexity, the online computation complexity, and the size of the common reference string are sublinear in the function size.
Universally composable
In [46,47,48] the universally composable framework is defined through the following two models; indistinguishability between the two models yields UC security as well as composable security.
Real Model: The execution consists of a UC environment Z, an adversary A, and n participants. It starts with Z invoking all participants, generating all inputs and being able to read all outputs, and ends with Z outputting the result of the whole execution. The output of the environment Z in the real model is denoted by \({Real}_{\pi ,A,Z}(x,k,r)\), where \(\pi\) denotes the protocol run by the n participants as specified above, x denotes the input, k is the security parameter, and r denotes the randomness.
Ideal Model: F denotes an ideal functionality in the ideal model, S (the simulator) denotes an ideal adversary, n Turing machines denote the participants, and Z is the environment. In the ideal model, F defines the behaviour of the desired computation, receives the inputs from the participants, performs the computation, and sends the outputs back to the participants. S cannot see the communication between the participants and F, but S can communicate with F. The output of the environment Z in the ideal model is denoted by \({Ideal}_{F,S,Z}(x,k,r)\), where x denotes the input, k is the security parameter, and r denotes the randomness.
Definition 1
(UC Security). Given a protocol \(\pi\) and an ideal functionality F, if for every PPT adversary A there exists an adversary S in the ideal model such that for every environment Z the following two distributions are computationally indistinguishable, then the protocol \(\pi\) UC-realizes the ideal functionality F in the presence of adversaries.
Hybrid Model: The F-hybrid model combines the ideal model with the real model by extending the real model with an ideal functionality F with which each participant can interact. The output of Z in the hybrid model is denoted by \({Hybrid}_{\pi ,A,Z}^F(x,k,r)\).
Definition 2
(security in the hybrid model). Let F and G be ideal functionalities and let \(\pi\) be a protocol run by n participants. \(\pi\) UC-realizes the ideal functionality G in the F-hybrid model if for every adversary A in the hybrid model there exists an adversary S in the ideal model such that the following two distributions are computationally indistinguishable for every environment Z.
Theorem 2
(UC Composition). Let \(\pi\) be a protocol that UC-realizes F. For any F-hybrid protocol \(\rho\), the composed protocol \(\rho ^\pi\) (in which calls to F are replaced by executions of \(\pi\)) emulates \(\rho\): for every adversary A there exists an ideal adversary S such that no environment Z can distinguish, with non-negligible probability, whether it is interacting with A and the protocol \(\rho ^\pi\) or with S and the protocol \(\rho\). In other words, if \(\rho\) is an F-hybrid protocol and \(\pi\) UC-realizes F, then \(\rho ^\pi\) UC-emulates \(\rho\).
Garbled scheme
\(\pi\) is an n-participant protocol, \(x_i\) denotes the input of participant \(P_i\), and \(\pi _i\) denotes the next-message function of participant \(P_i\). When \(\pi\) is run on the inputs \(x_1,... ,x_n\), we write \(\pi \left( x_{1},...,x_{n} \right)\) for the execution and also for the output of the protocol.
Definition 3
(Garbled scheme GC): a garbled scheme [30, 33, 37] consists of the following tuple of polynomial-time algorithms GC=(Setup,Garble,Eval), together with the security properties below:
\(Setup(1^k)\): This polynomial-time algorithm takes as input the security parameter and outputs a common reference string CRS.
\(Garble(CRS,i,\pi _i,x_i)\): This polynomial-time algorithm takes as input the common reference string CRS, an index i, the next-message function \(\pi _i\), and the party's input \(x_i\), and outputs (1) the garbled next-message function \(\widetilde{\pi _i}\), (2) the encoding \(\widetilde{x_i}\) of the input \(x_i\), of length \(l_e\), and (3) the labels \(\left\{ lab_{j,0}^{i},lab_{j,1}^{i} \right\} _{j\in [n\cdot l_{e}]}\) corresponding to the bits of the encoded inputs of all parties.
\(Eval(\widetilde{\pi _i},{\widetilde{x_i}},{lab}_{\widetilde{x_1}...\widetilde{x_n}}^i)\): This algorithm takes as input \(\widetilde{\pi _i}\), the set of encoded inputs \({\widetilde{x_i}}\), and the labels \({lab}_{\widetilde{x_1}... \widetilde{x_n}}^i\) selected by the encoded inputs \(\widetilde{x_1}...\widetilde{x_n}\), and outputs the result value y or the abort symbol \(\perp\).
Correctness: for every n-party protocol \(\pi\) and every set of party inputs \(\left\{ x_{i}\right\} _{i\in [n]}\) we have:
\(\Pr[CRS\leftarrow Setup(1^k);\ (\widetilde{\pi _i},\widetilde{x_i},\{{lab}_{j,0}^i,{lab}_{j,1}^i\})\leftarrow Garble(CRS,i,\pi _i,x_i)\ \forall i\in [n]:\ \pi\left( x_{1},...,x_{n} \right) =Eval(\widetilde{\pi _i},\left\{ \widetilde{x_i} \right\} ,{lab}_{\widetilde{x_1}...\widetilde{x_n}}^i)]= 1\)
Security: For every protocol \(\pi\), every subset of honest participants \(H\subseteq [n]\), and all inputs \(\left\{ x_{i}\right\} _{i\in [n]}\) chosen by the participants, there exists a PPT simulator such that:
where \(CRS\leftarrow Setup(1^k)\) and, for all \(i\in [n]\), \((\widetilde{\pi _i},\widetilde{x_i},\{{lab}_{j,0}^i,{lab}_{j,1}^i\})\leftarrow Garble(CRS, i,\pi _i,x_i)\).
Noninteractive zeroknowledge proofs
The NIZK functionality [29, 44, 46] is based on the zero-knowledge functionality of [47], adjusted to capture the special properties of non-interactive zero-knowledge proofs. A NIZK argument is just a bit string, which anyone can use to verify the validity of the statement. The ideal functionality \({F}_{{nizk}}^{R}\) is as follows.
The NIZK ideal functionality is parameterized by an NP relation R and n participants \(P_1,P_2,... ,P_n\). A participant \(P_i\) can send a prove request (x, w); the functionality checks whether \((x,w)\in R\) and, if so, asks the adversary S to generate a proof \(\pi\) for the statement x. The functionality stores \((x,\pi )\) and returns the proof to \(P_i\). Any other participant \(\left\{ P_{j} \right\} _{j\in [n],j\ne i }\) can send a verify request \((x,\pi )\): if \((x,\pi )\) has been stored, the functionality outputs 1; otherwise the adversary is asked to supply a witness w, and the functionality returns 1 if \((x,w)\in R\) and 0 otherwise. The proof of the following Theorem 3 is given in [46].
Theorem 3
(informal). Assuming LWE, if there exists adaptively secure NIZK arguments for NP, there exists adaptively secure NIZK arguments for NP with proof size sublinear in the circuit size of the NP relation.
Protocol construction
In this section we construct the protocol from a series of related techniques: first the construction of the trapdoor matrices, then the application of a trapdoor-based LWE encoding scheme to secure multiparty computation, the ideal functionality that captures the properties of secure multiparty computation, and finally the real-world protocol \(\pi _{smpc}\).
N-participant trapdoor matrix construction
For the trapdoor matrix construction in secure multiparty computation, we apply a variant of the trapdoor construction of [38]. Let \(m_1=\left\lceil n\log q+\sqrt{n}\right\rceil\), \(m_2=\left\lceil n\log q\right\rceil\), \(m=m_1+m_2=\left\lceil 2n\log q+\sqrt{n}\right\rceil\), and write the matrix \(\varvec{A}\) as \(\varvec{A}=[\varvec{A}_{\varvec{2}}\mid \varvec{A}_{\varvec{1}}]\), \(\varvec{A}_{\varvec{1}}\in Z_q^{n\times m_{2}}\), \(\varvec{A}_{\varvec{2}}\in Z_q^{n\times m_{1}}\). A matrix \(\varvec{R}\in Z_{q}^{m_{1}\times m_{2}}\) is a trapdoor for \(\varvec{A}\) if it satisfies the following requirements. (1) \(\varvec{R}\) is “small”. (2) For the gadget matrix \(G\in Z_q^{n\times m_2}\) we have \(\varvec{A}_{\varvec{1}}=G-\varvec{A}_{\varvec{2}}\varvec{R}\), i.e. \(\varvec{A}=[\varvec{A}_{\varvec{2}}\mid G]\left( \begin{array}{cc} \varvec{I}&{}-\varvec{R} \\ \varvec{0}&{}\varvec{I} \\ \end{array}\right)\). Generation of \(\varvec{\left( A,R\right) }\): choose \(\varvec{R}\in Z_q^{m_1\times m_2}\) from the discrete Gaussian distribution; \(\varvec{R}\) is the trapdoor and satisfies \(\left\| x_{i}\varvec{R}\right\|_{\infty }\le \left\| x_{i}\right\|_{\infty }\left\lceil 2n\log q\right\rceil\). Choose a uniformly random matrix \(\varvec{A}_{\varvec{2}}\in Z_q^{n\times m_1}\) and set \(\varvec{A}=[\varvec{A}_{\varvec{2}}\mid G]\left( \begin{array}{cc} \varvec{I}&{}-\varvec{R} \\ \varvec{0}&{}\varvec{I} \\ \end{array}\right) =\left[ \varvec{A}_{\varvec{2}}\mid G-\varvec{A}_{\varvec{2}}\varvec{R}\right]\), \(\varvec{A}\in Z_q^{n\times m}\).
The n trapdoors are generated in the setup phase of the protocol: a matrix \(\varvec{A}_{\varvec{i}}\) with trapdoor \(\varvec{R}_{\varvec{i}}\) is generated for each participant \(P_i\) from a Common Reference String (CRS). The generation algorithm for the n trapdoor matrices is as follows.
In the trapdoor matrix generation we use the CRS, which carries the parameters from which the participants generate their trapdoor matrices; once a participant has received the CRS it can generate its own corresponding matrix. The whole process depends only on the security parameter k and runs in polynomial time, with size poly(k).
SMPC in trapdoor LWE-based multilinear maps
We propose an encoding and computation scheme for secure multiparty computation based on the graded encoding scheme of [39, 40], using a variant of that scheme adapted to secure multiparty computation. The graded encoding scheme consists of the following polynomial-time algorithms, \(ges=(PrmGen,InstGen,Sample,Garble.enc,Eval,ZeroTest,Extract)\):
InstGen(gp): Given the global parameters gp, instantiate and generate the following:

(1)
Use trapdoor sampling to generate a set of matrices \(\varvec{U}_{\varvec{A}}\) with a set of trapdoors \(\varvec{R}\). Each participant is assigned one trapdoor matrix under the common random reference string, with the following property.
$$\begin{aligned} \forall \varvec{R}_{\varvec{i}}\in \varvec{R},\forall \varvec{A}_{\varvec{i}}\in \varvec{U}_{\varvec{A}}\varvec{,(A}_{\varvec{i}},\varvec{R}_{\varvec{i}})\leftarrow trapGen(1^k,1^n,1^m,q). \end{aligned}$$(7) 
(2)
Generate the public parameters \(pp{:=}\left( x,\left\{ \varvec{A}_{\varvec{i}}\varvec{:A}_{\varvec{i}}\varvec{\in U}_{\varvec{A}}\right\} \right)\), where x denotes the public parameter used for the proof, and the private parameters \(sp{:=}\left\{\varvec{R}_{\varvec{i}}:\varvec{R}_{\varvec{i}}\in \varvec{R}\right\}\).
Sample(pp): Generate an input plaintext by sampling an LWE secret \(\varvec{S}\leftarrow Z_q^n\).
\(Garble.Enc(pp,sp, \varvec{S})\): Given the matrix \(\varvec{A}_{\varvec{i}}\in \varvec{U}_{\varvec{A}}\), the set of trapdoors \(\varvec{R}\), and the input \(\varvec{s}_{\varvec{i}}\varvec{\leftarrow S}\), sample an LWE error vector \(\varvec{e}_{\varvec{i}}\leftarrow \chi ^m\) with \(\left\| \varvec{e}_{\varvec{i}} \right\|_{\infty }<\frac{q}{o(\sqrt{n\log q})}\), compute \(\widetilde{\varvec{D}_{\varvec{i}}}\) with \(\varvec{A}_{\varvec{i-1}} \widetilde{\varvec{D}_{\varvec{i}}}\varvec{=s}_{\varvec{i}}\varvec{A}_{\varvec{i}}\varvec{+e}_{\varvec{i}}\) using the trapdoor \(\varvec{R}_{\varvec{i-1}}\in \varvec{R}\) of \(\varvec{A}_{\varvec{i-1}}\), so that the input \(\varvec{s}_{\varvec{i}}\) is encoded into \(\widetilde{\varvec{D}}_{\varvec{i}}\), and output \(\widetilde{\varvec{D}}_{\varvec{i}}\) together with the corresponding labels \(\left\{ lab_{j,0}^{i},lab_{j,1}^{i} \right\} _{j\in [n\cdot l_{e}] }\).
\(Eval(\widetilde{\varvec{D}_{\varvec{i}}},{lab}_{\varvec{A}\widetilde{\varvec{D}_{\varvec{1}}}\varvec{...}\widetilde{\varvec{D}_{\varvec{n}}}}^i)\): The calculation operations include addition and multiplication operations as follows.
Let the n participants \(P_1,P_2,... ,P_n\) hold the inputs \(\varvec{s}_{\varvec{1}},\varvec{s}_{\varvec{2}}\varvec{,\ldots ,s}_{\varvec{n}}\), where \(\varvec{s}_{\varvec{i}}\leftarrow Z_q^n,\ i\in [n]\). There are \(n+1\) matrices with trapdoors, \(\varvec{U_A=\left\{ A,A_1,\ldots ,A_n \right\} }\), and each participant encodes \(\varvec{s}_{\varvec{i}}\) using the corresponding matrix \({\varvec{A}_{\varvec{i}}\varvec{\in U}}_{\varvec{A}}\): \(P_1\) encodes its own \(\varvec{s}_{\varvec{1}}\) as \(\varvec{A}\widetilde{\varvec{D}_{\varvec{1}}} \varvec{=s}_{\varvec{1}}\varvec{A}_{\varvec{1}}\varvec{+e}_{\varvec{1}}\), \(P_2\) encodes its own \(\varvec{s}_{\varvec{2}}\) as \(\varvec{A}_{\varvec{1}}\widetilde{\varvec{D}_{\varvec{2}}}\varvec{=s}_{\varvec{2}}\varvec{A}_{\varvec{2}}\varvec{+e}_{\varvec{2}}\), and so on until \(P_n\) encodes \(\varvec{A}_{\varvec{n-1}}\widetilde{\varvec{D}_{\varvec{n}}}\varvec{=s}_{\varvec{n}}\varvec{A}_{\varvec{n}}\varvec{+e}_{\varvec{n}}\). The whole process forms a nested chain in which the current matrix \(\widetilde{\varvec{D}_{\varvec{i}}}\) is generated from the trapdoor matrix \(\varvec{A}_{\varvec{i-1}}\) of the previous level, so that the input \(\varvec{s}_{\varvec{i}}\) is encoded into \(\widetilde{\varvec{D}_{\varvec{i}}}\) and hidden.
In the multilinear map system, given the n pairwise operations from level 1 to n, \(\varvec{A}\), and \(\widetilde{\varvec{D}_{\varvec{i}}},i\in [n]\), the encodings of all participants are multiplied together:
where \(\varvec{e}_{\varvec{noise}}\) denotes the noise accumulated by the final product; the above equation encodes the product \(\varvec{s}_{\varvec{1}}\varvec{s}_{\varvec{2}}\varvec{\cdots}\varvec{s}_{\varvec{n}}\) of the instances through n levels of nesting. Encodings at the same level can be combined by addition and subtraction: in the original multilinear map this is computing \(g_i^{\varvec{s}_{\varvec{1}}\varvec{\pm } \varvec{s}_{\varvec{2}}}\) from \(g_i^{\varvec{s}_{\varvec{1}}}, g_i^{\varvec{s}_{\varvec{2}}}\). In the multilinear map system with trapdoor LWE instances, for \(\widetilde{\varvec{D}_{\varvec{i}}^{\varvec{\prime }}}\) and \(\widetilde{\varvec{D}_{\varvec{i}}}\) encoding \(\varvec{s}_{\varvec{i}}^{\varvec{\prime }}\) and \(\varvec{s}_{\varvec{i}}\) at the same level i, addition and subtraction yield:
If there are several \(\widetilde{\varvec{D}_{\varvec{i}}}\) of the same level, we likewise obtain \(\varvec{A}_{\varvec{i-1}}\widetilde{\varvec{D}_{\varvec{i}_{\varvec{1}}}}\varvec{+}\varvec{A}_{\varvec{i-1}}\widetilde{\varvec{D}_{\varvec{i_2}}}+\cdots +\varvec{A}_{\varvec{i-1}}\widetilde{\varvec{D}_{\varvec{i_n}}}=\Big(\sum _{j\in \{i_1,i_2,... ,i_n\}} \varvec{s}_{\varvec{j}}\Big)\varvec{A}_{\varvec{i}}+\varvec{e}_{\varvec{noise}}^{\varvec{\prime }}\), and the same holds for subtraction; at this point the multilinear map system supports the basic operations.
\(ZeroTest(pp,\varvec{A}\widetilde{\varvec{D}_{\varvec{i}}})\): Given the result of operating on the LWE-encoded matrices \(\widetilde{\varvec{D}_{\varvec{i}}}\) with the multilinear map operations, the ZeroTest algorithm outputs 1 if and only if \(\left\| \varvec{A}\cdot \widetilde{\varvec{D}_{\varvec{i}}} \right\|_{\infty }\le \frac{q}{o(\sqrt{n\log q})}\), where \(\varvec{A}\) ranges over \(\varvec{U}_{\varvec{A}}\setminus \{\varvec{A}_{\varvec{i}}\}\), \(i\in [n]\).
\(Extract(pp,\varvec{A}\widetilde{\varvec{D}_{\varvec{i}}})\): The extractor takes as input the public parameters pp and \(\varvec{A}\widetilde{\varvec{D}_{\varvec{i}}}\), and outputs a \(\lambda\)-bit string.
For the graded encoding scheme, Fig. 2 shows the computation on the encoded inputs of each participant. As long as the noise does not exceed a certain threshold it remains bounded, and the computed information can be extracted with the ZeroTest and Extract algorithms; the correctness of ZeroTest and Extract is detailed in [40]. The multiparty computation operation in the multilinear map system is given below.
Ideal function \(F_{smpc}\)
n mutually distrustful participants \(P_1,P_2,... ,P_n\) want to jointly compute, in polynomial time, a computable function \(f(x_1,x_2,... ,x_n)=(y_1,y_2,... ,y_n)\), where \(x_1, x_2,... ,x_n\) are the inputs and \(y_1, y_2,... ,y_n\) the outputs. A multiparty computation protocol \(\pi\) for the function should satisfy the following requirements:

(1)
Privacy: The input of each participant is invisible to the other participants; no participant learns more about the others' inputs than what can be inferred from its own output.

(2)
Correctness: the protocol \(\pi\) can correctly calculate the function f and return the corresponding correct result.

(3)
Security: each party receives its correct output, and no additional information can be obtained.
Based on the above requirements, we design a secure multiparty computation protocol and the corresponding ideal functionality \(F_{smpc}:\left( \left\{ 0,1 \right\} ^{l_{in}} \right) ^{n}\rightarrow \left\{ 0,1 \right\} ^{l_{out}}\), shown below:
Cloud-based secure multiparty computation protocol \(\pi _{smpc}\)
This section constructs a 2-round protocol \(\pi _{smpc}\) under the LWE assumption: the inputs are LWE-encoded, computed on locally with the multilinear map operations, and then transmitted over the broadcast channel. The protocol, shown in Fig. 3, has three phases in total, a pre-phase and 2 rounds of interaction, which allow each participant to compute securely on the encoded inputs and, through 2 rounds of communication and local computation, obtain the result of the computed function.
After each participant receives the output y on the broadcast channel, it runs ZeroTest on the result. If \(\prod _{i\in [n]}s_i\) is 0, only the noise remains, and the noise threshold determines whether the result encodes the value 0. By designing the circuit as a combination of multilinear map operations, the information contained in the ciphertext can be inferred step by step with the ZeroTest algorithm and then extracted with the extractor Extract, which is a randomness extractor. ZeroTest cannot reveal too much information about the ciphertext, so we can use it to extract just the part of the information needed for the computation while retaining security.
Semi-Malicious Security. A semi-malicious protocol can be defined over a broadcast channel on which inputs must be encrypted before transmission. Our scheme is based on the LWE assumption, with the n inputs all being elements of \(Z_q^n\) and an honest majority among the participants; the inputs are encoded by an LWE instance and then broadcast, each participant applies the garbled circuit locally to the encoded inputs, and the output is broadcast.
Theorem 4
(Theorem 1, restated). Assume that a special ges scheme and a NIZK scheme exist under the LWE assumption, and that \(F:\left( \left\{ 0,1 \right\} ^{l_{in}} \right) ^{n}\rightarrow \left\{ 0,1 \right\} ^{l_{out}}\) is an efficiently computable function of depth d. Then the function \(F_{smpc}\) can be UC-realized, in the honest-majority hybrid model, by a two-round protocol with communication complexity \(poly(l_{in},l_{out},d,k,n)\) that tolerates the presence of semi-malicious adversaries.
Security demonstration
Secure multiparty computation has two kinds of security, static security and adaptive security. Static security means that during the operation of the MPC protocol its security is guaranteed as long as the number of corrupted participants does not exceed the maximum predefined by the protocol; in other words, in the static security model the set of corrupted participants is fixed once the protocol starts. Adaptive security means that during the operation of the MPC protocol its security is still guaranteed even if malicious participants try to interfere with the execution while it runs. In realistic protocols, since a matrix \(U_A\) with a trapdoor is used to generate the series of \(\varvec{D}\) matrices, the question arises whether the original private inputs, or their encoded D matrices, are exposed in the presence of the trapdoor; a specific elaboration is given in [40]. According to the encoding rules, the trapdoored matrix \(\varvec{A}_{\varvec{i-1}}\) is nested with \(\varvec{A}_{\varvec{i}}\), denoted \(\varvec{A}_{\varvec{i-1}}\widetilde{\varvec{D}_{\varvec{i}}}=\varvec{s}_{\varvec{i}}\varvec{A}_{\varvec{i}}+\varvec{e}_{\varvec{i}}\), and for the last encoding \(\varvec{A}_{\varvec{n-1}}\widetilde{\varvec{D}_{\varvec{n}}}=\varvec{s}_{\varvec{n}}\varvec{A}_{\varvec{n}}+\varvec{e}_{\varvec{n}}\) the trapdoor of matrix \(\varvec{A}_{\varvec{n}}\) is not involved in the calculation; if the distribution of \(\varvec{s}_{\varvec{n}}\) is sufficiently random, the whole encoding process is an LWE instance.
According to the LWE assumption, the last encoding is represented by a uniformly random matrix \(\triangle\), \(\varvec{A}_{\varvec{n-1}}\widetilde{\varvec{D}_{\varvec{n}}}=\triangle\); that is, the product of \(\varvec{A}_{\varvec{n-1}}\) and \(\widetilde{\varvec{D}_{\varvec{n}}}\) is indistinguishable from a uniformly random matrix \(\triangle\). Given \(\varvec{A}_{\varvec{n-1}}\) with its trapdoor and a uniformly random matrix \(\triangle\), if \(\widetilde{\varvec{D}_{\varvec{n}}}\) can be generated without this trapdoor, then \(\varvec{A}_{\varvec{n-1}}\) together with \(\widetilde{\varvec{D}_{\varvec{n}}}\) gives away no information about the trapdoor. Consider two environments, real and simulated: in the real environment the trapdoor of \(\varvec{A}_{\varvec{n-1}}\) is used to generate \(\widetilde{\varvec{D}_{\varvec{n}}}\), while in the simulated environment \(\widetilde{\varvec{D}_{\varvec{n}}}\) is generated without the trapdoor of \(\varvec{A}_{\varvec{n-1}}\); the results of the two are computationally indistinguishable. The following lemma is obtained from [40]: if the LWE assumption holds, an input encoded under the trapdoor LWE assumption is secure.
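As an added illustration (not code from the paper), the following Python toy walks the encoding chain \(\varvec{A}_{\varvec{i-1}}\widetilde{\varvec{D}_{\varvec{i}}}=\varvec{s}_{\varvec{i}}\varvec{A}_{\varvec{i}}+\varvec{e}_{\varvec{i}}\) from this section together with the ZeroTest and Extract step from the protocol description. It replaces the hidden lattice trapdoor with the public gadget matrix G (so every \(\varvec{A}_{\varvec{i}}\) is G and each \(\widetilde{\varvec{D}_{\varvec{i}}}\) is a bit decomposition) and takes each \(s_i\) to be a bit; the parameters, function names and noise bound are this example's own assumptions. It shows how the product telescopes to \((\prod s_i)\cdot G\) plus bounded noise, so ZeroTest succeeds exactly when some \(s_i\) is 0, and why the noise threshold matters; because the gadget trapdoor is public, it demonstrates the correctness of the chain, not the hiding property that the real trapdoor provides.

```python
import random

# Toy parameters, constructed for illustration only (far too small to be secure).
Q = 1 << 16          # modulus q
K = 16               # log2(q): gadget columns per row
N = 2                # rows of the public matrices A_i
M = N * K            # columns of G (N x M); each encoding D_i is M x M
B = 2                # noise entries e_i are drawn uniformly from [-B, B]
THRESHOLD = Q // 4   # ZeroTest bound on the centred residual

def gadget():
    # Gadget matrix G = I_N (x) (1, 2, 4, ..., 2^(K-1)). Solving G.D = T with a small
    # D is plain bit decomposition, so G stands in for a public matrix whose trapdoor
    # is known to everyone: the toy's simplification, not the paper's hidden trapdoor.
    G = [[0] * M for _ in range(N)]
    for r in range(N):
        for j in range(K):
            G[r][r * K + j] = 1 << j
    return G

def matmul(X, Y):
    # Matrix product modulo Q over plain lists (sizes are tiny).
    inner, cols = len(Y), len(Y[0])
    return [[sum(x[k] * Y[k][c] for k in range(inner)) % Q for c in range(cols)] for x in X]

def centred(v):
    # Representative of v mod Q in (-Q/2, Q/2].
    v %= Q
    return v - Q if v > Q // 2 else v

def gadget_inverse(T):
    # Bit-decompose T (N x M) into D in {0,1}^(M x M) with G.D = T (mod Q).
    D = [[0] * M for _ in range(M)]
    for c in range(M):
        for r in range(N):
            v = T[r][c] % Q
            for j in range(K):
                D[r * K + j][c] = (v >> j) & 1
    return D

def encode(s, rng):
    # Encoding of a secret bit s: a small D with G.D = s.G + e (mod Q), i.e. the paper's
    # chain relation A_{i-1} D_i = s_i A_i + e_i with every A_i set to G. Since G's
    # trapdoor is public here, D does not hide s; hiding needs the real trapdoor.
    G = gadget()
    e = [[rng.randint(-B, B) for _ in range(M)] for _ in range(N)]
    return gadget_inverse([[s * G[r][c] + e[r][c] for c in range(M)] for r in range(N)])

def evaluate(encodings):
    # Multilinear evaluation G.D_1...D_n = (prod s_i).G + noise (mod Q). The noise
    # telescopes to sum_i (prod_{j<i} s_j) e_i D_{i+1}...D_n; it stays small because
    # every D_k is 0/1 and every s_j is a bit, bounded by B.(M^(n-1) + ... + M + 1).
    P = gadget()
    for D in encodings:
        P = matmul(P, D)
    return P

def zero_test(P):
    # True iff only noise remains: every centred entry is below THRESHOLD.
    return all(abs(centred(v)) < THRESHOLD for row in P for v in row)

def extract(P):
    # The entry multiplying the largest gadget power is (prod s_i).2^(K-1) + noise,
    # so rounding it to the nearest multiple of 2^(K-1) strips the noise.
    return (abs(centred(P[0][K - 1])) + (1 << (K - 2))) >> (K - 1)

def max_noise(P, product_bit):
    # Largest |entry| of the actual residual P - product_bit.G after evaluation.
    G = gadget()
    return max(abs(centred(P[r][c] - product_bit * G[r][c])) for r in range(N) for c in range(M))

def run(bits, seed=0):
    # n participants each encode one bit; returns (zero_test, extracted, noise).
    rng = random.Random(seed)      # deterministic noise so runs are reproducible
    P = evaluate([encode(s, rng) for s in bits])
    product = 1
    for s in bits:
        product &= s
    return zero_test(P), extract(P), max_noise(P, product)

if __name__ == "__main__":
    print(run([1, 1, 1]))   # product 1: ZeroTest False, Extract 1
    print(run([1, 0, 1]))   # product 0: ZeroTest True, Extract 0
```

With more participants the noise bound grows by a factor of M per level, so n must be chosen so that B·(M^(n-1)+...+1) stays below THRESHOLD, which is the bounded-noise condition the text refers to.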
Theorem 5
Let the ideal function \(F_{smpc}\) be a polynomial-time computable deterministic function with N inputs and one output, and let \(ges=(PrmGen,InstGen,Sample,Garble.enc,Eval,ZeroTest,Extract)\) be the secure multiparty computation scheme built on trapdoor-LWE-based multilinear maps operations. Then the protocol \(\pi _{smpc}\) UC-realizes the ideal function \(F_{smpc}\) in the honest-majority participant setting.
Proof
To demonstrate security under an honest majority of participants we exhibit a valid PPT simulator Sim; Adv denotes a static semi-malicious adversary, and the simulator proceeds as follows.
The Simulator: In the first round, it encrypts false inputs \(\widehat{\varvec{s}_{\varvec{i}}}\) and obtains the inputs of the other participants from the “witness tape”, from which it can encode the inputs. It sends these inputs to the ideal function and receives the corresponding output y. With this result, the simulator computes \(\widetilde{y}\leftarrow Sim.eval(\widetilde{\pi _i},\widehat{s_i},\widetilde{\varvec{D}_{\varvec{i}}},{lab}_{\varvec{A}\widetilde{\varvec{D}_{\varvec{1}}}\varvec{\ldots }\widetilde{\varvec{D}_{\varvec{n}}}}^i)\) and broadcasts it.
Hybrid Games: Define a series of hybrid games to demonstrate the indistinguishability of real and ideal scenarios:
The output of the entire environment Z is used as the output of each game.
The game \({Real}_{\pi _{smpc},Adv,Z}\): In the real world, the protocol \(\pi _{smpc}\) is executed in the environment Z in the presence of a semi-malicious adversary Adv.
The game \(\ {HYB}_{\pi _{smpc},Adv,Z}^1\): In this game we modify the experiment \({Real}_{\pi _{smpc},Adv,Z}\) as follows, introducing the \(F_{nizk}^R\)-hybrid model: each participant \(P_i\) encodes its own input, then sends \((prove, sid,x,\varvec{s}_{\varvec{i}})\) to \(F_{nizk}^R\), which outputs a proof \(\pi\); \(P_i\) broadcasts \((proof,sid,\widetilde{\varvec{D}_{\varvec{i}}},\pi )\), and when a participant \(\left\{ P_{j} \right\} _{j\in [n]\setminus i}\) receives the message, \(P_j\) sends the verification request \((verify,sid ,x,\pi )\) to \(F_{nizk}^R\), which returns 1 or 0 after verification.
Claim 1
\({Real}_{\pi _{smpc},Adv,Z}\overset{c}{\equiv }{HYB}_{\pi _{smpc},Adv,Z}^1\). This proves the indistinguishability of the realistic protocol under the hybrid model.
Proof
Let Adv be the adversary in the real environment and Sim the adversary in the ideal environment, such that any environment Z can distinguish the real from the ideal environment only with negligible probability; for the adversary Sim in the ideal environment, any input from the environment Z is forwarded to Adv and any output of Adv is regarded as the output of Sim. When interacting with the ideal function \(F_{nizk}^R\), Sim provides the input \(\varvec{s}_{\varvec{i}}\), and when \((proof,sid,\widetilde{\varvec{D}_{\varvec{i}}},\pi )\) is received from \(F_{nizk}^R\) it emulates an identical message for Adv. When the real-world adversary Adv corrupts participant \(P_i\), the adversary Sim in the ideal environment also corrupts participant \(P_i\) and forwards all internal states to Adv. If at this point Adv, on behalf of participant \(P_i\), replaces the message \(\varvec{s}_{\varvec{i}}\) with the false message \(\widehat{\varvec{s}_{\varvec{i}}}\), forges a proof \(\pi ^\prime\) in place of \(\pi\), and broadcasts the message \((proof,sid,\widehat{\varvec{D}_{\varvec{i}}},\pi ^\prime )\), then when the other participants receive this message and verify the proof they query whether \(F_{nizk}^R\) has stored \(\pi ^\prime\); since \(\pi ^\prime\) was not generated by \(F_{nizk}^R\), they determine whether \((x,\widehat{\varvec{D}_{\varvec{i}}})\in R\). By the security of the LWE assumption and of the zero-knowledge proof, only an input encoded as an LWE instance can pass verification; in other words, the probability that a non-LWE-encoded input passes verification is negligible.\(\square\)
So \({HYB}_{\pi _{smpc},Adv,Z}^1\) is computationally indistinguishable from \({Real}_{\pi _{smpc},Adv,Z}\), and the scheme under the hybrid model is semantically secure.
The game \(\ {HYB}_{\pi _{smpc},Adv,Z}^2\): Unlike \({HYB}_{\pi _{smpc},Adv,Z}^1\), a realistic proof protocol \(\pi _{nizk}\) is used instead of the ideal function \(F_{nizk}^R\), moving the proof process to a locally computed circuit.
Claim 2
\({HYB}_{\pi _{smpc},Adv,Z}^1\overset{c}{\equiv }{HYB}_{\pi _{smpc},Adv,Z}^2\)
Proof
The realistic zero-knowledge proof protocol, denoted \(\pi _{nizk}\), is built from a garbled circuit GC. It first generates the proof parameters \((S_p,S_v)\leftarrow GC.Setup(1^K)\) through the circuit, then computes the proof \(\pi \leftarrow GC.Prove(S_p,x,\widetilde{\varvec{D}_{\varvec{i}}})\); \(S_v ,\pi\) are broadcast in the first round, and the other participants evaluate \(GC(x,\widetilde{\varvec{D}_{\varvec{i}}})\) through NAND gates to verify, \(0/1\leftarrow GC.Verify(S_v,x,\pi )\). If the LWE assumption holds, then since the probability that an adversary produces a false proof that is accepted by honest participants, in a protocol with an honest majority, is negligible, the environment Z cannot distinguish whether it is in the environment where the protocol \(\pi _{nizk}\) interacts with Adv or in the environment where \(F_{nizk}^R\) interacts with Sim. In other words, if the LWE assumption holds, the protocol \(\pi _{nizk}\) UC-realizes the ideal function \(F_{nizk}^R\).\(\square\)
The game \({Ideal}_{F_{smpc},Sim,Z}\): computes the ideal function \(F_{smpc}\) and outputs the result correctly under the ideal model.
Claim 3
\({HYB}_{\pi _{smpc},Adv,Z}^2\overset{c}{\equiv }{Ideal}_{F_{smpc},Sim,Z}\)
Proof
By the semantic security of the underlying ges scheme, the inputs are encrypted under the LWE assumption and then computed on with multilinear maps operations, so the encryption is computationally indistinguishable; \(\pi _{smpc}\) computes the encoded inputs correctly and yields a correct output in the presence of semi-malicious adversaries with an honest majority of participants. Since the protocol \(\pi _{nizk}\) UC-realizes the ideal function \(F_{nizk}^R\), it follows from Theorem 2 that the protocol \(\pi _{smpc}\) UC-realizes the ideal function \(F_{smpc}\); hence \({HYB}_{\pi _{smpc},Adv,Z}^2\) and \({Ideal}_{F_{smpc},Sim,Z}\) are computationally indistinguishable.\(\square\)
Combining the above claims, we get \({Real}_{\pi _{smpc},Adv,Z}\overset{c}{\equiv }{Ideal}_{F_{smpc},Sim,Z}\), which completes the proof of Theorem 5.\(\square\)
To conclude, Tables 1 and 2 summarize previous work and the results of this paper in an honest-majority setting; the main parameters considered are security, number of rounds, communication complexity, setup size, etc. Under the LWE assumption, this scheme requires only 2 rounds of communication for secure distributed multiparty computation and achieves static security in the honest-majority setting. Compared with previous work, this paper optimizes the number of rounds of secure multiparty computation, reduces the setup size, and achieves sublinear communication overhead. Static security already meets the security requirements of most scenarios, but it is a minor limitation of this work, and improving the result to adaptive security is necessary future work.
Conclusions
Cloud Secure Multi-Party Computation (CSPC) suits a number of applications such as cloud-based data-stream information sharing, data trading and e-auctions in distributed environments, for which CSPC provides secure computation as well as privacy guarantees. In this paper, we combine the concept of cloud computing with secure multiparty computation and use the harder polynomial-time puzzle assumption to provide the protocol's security notion and strength: based on the LWE assumption, the participants' inputs are encoded as LWE instances with a lattice trapdoor under a graded encoding scheme and transmitted over the broadcast channel, and the execution of the protocol is computed by multilinear maps, which optimizes the number of rounds of the secure multiparty computation protocol on the cloud, gives sublinear communication overhead, and achieves protocol security in the UC framework through UC security. In future work, an important research direction is to achieve adaptive security of secure multiparty computation protocols while keeping the optimized round count and low communication overhead, by combining stronger cryptographic primitives and related techniques; the rise of quantum cryptography also points to a direction for the development of secure multiparty computation.
Availability of data and materials
Data sharing is not applicable to this paper as no datasets were generated or analyzed during the current study.
References
Zhou X, He Yang X, Ma J, Wang KIK (2021) Energy-efficient smart routing based on link correlation mining for wireless edge computing in iot. IEEE Internet Things J 9:14988–14997
Zhou X, Liang W, Yan K, Li W, Wang KIK, Ma J, Jin Q (2023) Edge-enabled two-stage scheduling based on deep reinforcement learning for internet of everything. IEEE Internet Things J 10:3295–3304
He Q, Tan S, Chen F, Xu X, Qi L, Hei X, Zomaya A, Jin H, Yang Y (2023) Edindex: Enabling fast data queries in edge storage systems. ACM SIGIR 675–685
Yuan L, He Q, Chen F, Zhang J, Qi L, Xu X, Xiang Y, Yang Y (2021) Csedge: Enabling collaborative edge storage for multi-access edge computing based on blockchain. IEEE Trans Parallel Distrib Syst PP:1–1
Qi L, Yang Y, Zhou X, Rafique W, Ma J (2022) Fast anomaly identification based on multi-aspect data streams for intelligent intrusion detection toward secure industry 4.0. IEEE Trans Ind Inform 18:6503–6511
Zhou X, Xu X, Liang W, Zeng Z, Yan Z (2021) Deep-learning-enhanced multi-target detection for end-edge-cloud surveillance in smart iot. IEEE Internet Things J 8:12588–12596
Qi L, Lin W, Zhang X, Dou W, Xu X, Chen J (2022) A correlation graph based approach for personalized and compatible web apis recommendation in mobile app development. IEEE Trans Knowl Data Eng 35:5444–5457
Wu S, Shen S, Xu X, Chen Y, Zhou X, Liu D, Xue X, Qi L (2023) Popularity-aware and diverse web apis recommendation based on correlation graph. IEEE Trans Comput Soc Syst 10:771–782
Li Z, Xu X, Hang T, Xiang H, Cui Y, Qi L, Zhou X (2022) A knowledge-driven anomaly detection framework for social production system. IEEE Trans Comput Soc Syst 1–14
Dai H, Yu J, Li M, Wang W, Liu AX, Ma J, Qi L, Chen G (2022) Bloom filter with noisy coding framework for multi-set membership testing. IEEE Trans Knowl Data Eng 35:6710–6724
Xu X, Gu JF, Yan H, Liu W, Qi L, Zhou X (2023) Reputation-aware supplier assessment for blockchain-enabled supply chain in industry 4.0. IEEE Trans Ind Inf 19:5485–5494
Chaudhary R, Aujla GS, Garg S, Kumar N, Rodrigues JJ (2018) Sdn-enabled multi-attribute-based secure communication for smart grid in iiot environment. IEEE Trans Ind Inform 14:2629–2640
Luo Y, Chen Y, Li T, Wang Y, Yang Y, Yu X (2022) An entropy-view secure multiparty computation protocol based on semi-honest model. J Organ End User Comput 34:1–17
Li T, Wang Z, Yang G, Cui Y, Chen Y, Yu X (2021) Semi-selfish mining based on hidden markov decision process. Int J Intell Syst 36:3596–3612
Li T, Chen Y, Wang Y, Wang Y, Zhao M, Zhu H, Tian Y, Yu X, Yang Y (2020) Rational protocols and attacks in blockchain system. Secur Commun Netw 8839047:1–11
Sun J, Chen Y, Li T, Liu J, Yang Y (2021) Psspr: A source location privacy protection scheme based on sector phantom routing in wsns. In: 2021 IEEE Intl Conf on Dependable, Autonomic and Secure Computing, Intl Conf on Pervasive Intelligence and Computing, Intl Conf on Cloud and Big Data Computing, Intl Conf on Cyber Science and Technology Congress (DASC/PiCom/CBDCom/CyberSciTech), AB, Canada, p 334–340
Li T, Wang Z, Chen Y, Li C, Jia Y, Yang Y (2021) Is semi-selfish mining available without being detected? Int J Intell Syst 37:10576–10597
Wang Y, Li T, Liu M, Li C, Wang H (2022) Stsiiml: Study on token shuffling under incomplete information based on machine learning. Int J Intell Syst 37:11078–11100
Zhao C, Zhao S, Zhao M, Chen Z, Gao CZ, Li H, Tan YA (2019) Secure multiparty computation: Theory, practice and applications. Inf Sci 476:357–372
Yao ACC (1982) Protocols for secure computations. In: 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982), Chicago, IL, USA, pp 160–164
Goldreich O, Micali S, Wigderson A (1987) How to play any mental game. In: Proceedings of the nineteenth annual ACM symposium on Theory of computing, New York, NY, United States pp 218–229
Abraham I, Asharov G, Yanai A (2022) Efficient perfectly secure computation with optimal resilience. J Cryptol 35:66–96
Ananth PV, Choudhuri AR, Jain A (2017) A new approach to round-optimal secure multiparty computation. In: Katz, J., Shacham, H. (eds) Advances in Cryptology – CRYPTO 2017. CRYPTO 2017. Lecture Notes in Computer Science, Springer, Cham, vol 10401, pp 468–499
Ananth PV, Choudhuri AR, Goel A, Jain A (2018) Round-optimal secure multiparty computation with honest majority. In: Shacham, H., Boldyreva, A. (eds) Advances in Cryptology – CRYPTO 2018. CRYPTO 2018. Lecture Notes in Computer Science, Springer, Cham, vol 10992, pp 395–424
Cohen R, Garay JA, Zikas V (2020) Broadcast-optimal two-round mpc. Adv Cryptol EUROCRYPT 2020 12106:828–858
Quach W, Wee H, Wichs D (2018) Laconic function evaluation and applications. In: 2018 IEEE 59th Annual Symposium on Foundations of Computer Science (FOCS), Paris, France, pp 859–870
Patra A, Srinivasan A (2021) Three-round secure multiparty computation from black-box two-round oblivious transfer. In: Malkin, T., Peikert, C. (eds) Advances in Cryptology – CRYPTO 2021. CRYPTO 2021. Lecture Notes in Computer Science, Springer, Cham, vol 12826, pp 185–213
Beaver D, Micali S, Rogaway P (1990) The round complexity of secure protocols. In: Symposium on the Theory of Computing, New York, NY, United States, pp 503–513
Gordon SD, Liu FH, Shi E (2015) Constant-round mpc with fairness and guarantee of output delivery. In: Gennaro, R., Robshaw, M. (eds) Advances in Cryptology – CRYPTO 2015. CRYPTO 2015. Lecture Notes in Computer Science, Springer, Berlin, Heidelberg, vol 9216, pp 63–82
Boyle E, Gilboa N, Ishai Y (2016) Breaking the circuit size barrier for secure computation under ddh. In: Robshaw, M., Katz, J. (eds) Advances in Cryptology – CRYPTO 2016. CRYPTO 2016. Lecture Notes in Computer Science, Springer, Berlin, Heidelberg, vol 9814, pp 509–539
Garg S, Srinivasan A (2018) Two-round multiparty secure computation from minimal assumptions. J ACM 69:1–30
Hazay C, Orsini E, Scholl P, Soria-Vazquez E (2018) Tinykeys: A new approach to efficient multiparty computation. J Cryptol 35:1–66
Canetti R, Poburinnaya O, Venkitasubramaniam M (2017) Equivocating yao: constant-round adaptively secure multiparty computation in the plain model. In: Proceedings of the 49th Annual ACM SIGACT Symposium on Theory of Computing, New York, NY, United States, pp 497–509
Chen Y, Dong S, Li T, Wang Y, Zhou H (2021) Dynamic multi-key fhe in asymmetric key setting from lwe. IEEE Trans Inf Forensic Secur 16:5239–5249
Mukherjee P, Wichs D (2016) Two round multiparty computation via multi-key fhe. In: Fischlin, M., Coron, JS. (eds) Advances in Cryptology – EUROCRYPT 2016. EUROCRYPT 2016. Lecture Notes in Computer Science, Springer, Berlin, Heidelberg, vol 9666, pp 735–763
Brakerski Z, Halevi S, Polychroniadou A (2017) Four round secure computation without setup. In: Kalai, Y., Reyzin, L. (eds) Theory of Cryptography. TCC 2017. Lecture Notes in Computer Science, Springer, Cham, vol 10677, pp 645–677
Garg S, Srinivasan A (2017) Garbled protocols and two-round mpc from bilinear maps. 2017 IEEE 58th Annual Symposium on Foundations of Computer Science (FOCS), Berkeley, CA, USA, pp 588–599
Micciancio D, Peikert C (2012) Trapdoors for lattices: Simpler, tighter, faster, smaller. IACR Cryptol ePrint Arch 2011:501
Garg S, Gentry C, Halevi S (2013) Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds) Advances in Cryptology – EUROCRYPT 2013. EUROCRYPT 2013. Lecture Notes in Computer Science, Springer, Berlin, Heidelberg, vol 7881, pp 1–17
Gentry C, Gorbunov S, Halevi S (2015) Graph-induced multilinear maps from lattices. In: Dodis, Y., Nielsen, J.B. (eds) Theory of Cryptography. TCC 2015. Lecture Notes in Computer Science, Springer, Berlin, Heidelberg, vol 9015, pp 498–527
Ciampi M, Ostrovsky R, Siniscalchi L, Visconti I (2017) Round-optimal secure two-party computation from trapdoor permutations. In: Kalai, Y., Reyzin, L. (eds) Theory of Cryptography. TCC 2017. Lecture Notes in Computer Science, Springer, Cham, vol 10677, pp 678–710
Dachman-Soled D, Katz J, Rao V (2015) Adaptively secure, universally composable, multiparty computation in constant rounds. In: Dodis, Y., Nielsen, J.B. (eds) Theory of Cryptography. TCC 2015. Lecture Notes in Computer Science, Springer, Berlin, Heidelberg, vol 9015, pp 586–613
Canetti R, Goldwasser S, Poburinnaya O (2015) Adaptively secure two-party computation from indistinguishability obfuscation. IACR Cryptol ePrint Arch 2014:845
Asharov G, Jain A, López-Alt A, Tromer E, Vaikuntanathan V, Wichs D (2012) Multiparty computation with low communication, computation and interaction via threshold fhe. IACR Cryptol ePrint Arch 2011:613
Regev O (2005) On lattices, learning with errors, random linear codes, and cryptography. In: Symposium on the Theory of Computing, New York, NY, United States, pp 84–93
Cohen R, Shelat A, Wichs D (2019) Adaptively secure mpc with sublinear communication complexity. In: Boldyreva, A., Micciancio, D. (eds) Advances in Cryptology – CRYPTO 2019. CRYPTO 2019. Lecture Notes in Computer Science, Springer, Cham, vol 11693, pp 30–60
Canetti R (2001) Universally composable security: a new paradigm for cryptographic protocols. In: Proceedings 2001 IEEE International Conference on Cluster Computing, Newport Beach, CA, USA, pp 136–145
Hazay C, Venkitasubramaniam M (2016) Composable adaptive secure protocols without setup under poly-time assumptions. In: Hirt, M., Smith, A. (eds) Theory of Cryptography. TCC 2016. Lecture Notes in Computer Science, Springer, Berlin, Heidelberg, vol 9985, pp 400–432
Acknowledgements
This research was supported by the State Key Laboratory of Public Big Data and the College of Computer Science and Technology of Guizhou University.
Funding
This research was supported by the National Natural Science Foundation of China (61962009 and 62202118) and the Top Technology Talent Project of the Guizhou Education Department ([2022]073).
Author information
Contributions
Y.L. was a major contributor in writing the manuscript as first author, and the others were co-corresponding authors. Y.C. and T.L. proposed some important ideas. C.T. and H.D. gave some suggestions for this paper. All authors read and approved the final manuscript.
Ethics declarations
Competing interests
The authors declare no competing interests.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Luo, Y., Chen, Y., Li, T. et al. Cloud-SMPC: two-round multilinear maps secure multiparty computation based on LWE assumption. J Cloud Comp 13, 22 (2024). https://doi.org/10.1186/s13677-023-00586-5
DOI: https://doi.org/10.1186/s13677-023-00586-5