Skip to main content

Advances, Systems and Applications

Cloud-SMPC: two-round multilinear maps secure multiparty computation based on LWE assumption


Cloud computing has data leakage from all parties, security protection of private data, and existing solutions do not provide a trade-off between security and overhead. With distributed data communication due to data barriers, information interaction security and data computation security have become challenges for secure computing. Combining cloud computing with secure multiparty computation can provide a higher level of data protection while maintaining the benefits of cloud computing. In this case, data can be stored in the cloud and computed through SMPC protocols, thus protecting the privacy and security of the data. However, multiple rounds of information interaction are often required, increasing the communication overhead, and the security strength is limited by the hardness assumption. In this paper, we work to achieve an optimal setting of the number of rounds in secure multi-party computation on the cloud to achieve a sublinear communication overhead and improve the security concept. A 2-round SMPC protocol is constructed in the framework of Universally Composable (UC). A 2-round SMPC protocol is constructed that uses multilinear maps based on the Learning from Errors (LWE) assumption. The participant encodes the input and sends it via broadcast to reduce the interaction, homomorphic computational encoding information for secure access to computational data and secure the SMPC protocol through UC security. This paper extends the participants to multiple parties, reduces the communication rounds to 2, the protocol achieves sublinear communication overhead in poly polynomial time, smaller setup size to poly(k), and static security is achieved.


Cloud computing has grown considerably in recent years, and the development of computing models that store data and applications on remote servers has matured and become popular. While edge cloud computing [1,2,3,4] enables efficient data processing and transmission, and many applications are also available in the Internet of Things [5, 6]. Combining deep learning and model training with cloud computing for web personalized recommendation system and anomaly detection [7,8,9,10].But it also poses some security risks [11]. As data and computation are dispersed to edge nodes, attackers may exploit weaker security mechanisms to compromise these nodes, leading to problems such as data leakage or service disruption. Therefore, strict security measures, including data encryption, authentication, access control, and vulnerability management, must be adopted in edge cloud computing applications to ensure the security and stability of the system. In the background of big data, data security, communication security [12, 13] and secure data sharing, privacy computing have become particularly important.Many researchers have conducted in-depth research and studies in many areas such as data security, privacy protection, and adversary attack and defense [14,15,16,17,18]. From the perspective of cryptography, secure multiparty computation [19] technology provides a reasonable solution. Yao proposed the “millionaire problem” in 1982, leading to the first secure two-party computation protocol [20], which uses the technique of circuits to represent computational functions as boolean circuits and provides computational security for secure two-party computation protocols under a semi-honest model. This was followed by Goldreich et al. who gave the first secure multiparty computation protocol [21] and guaranteed the security of the protocol under a semi-honest model. After decades of development, existing research has focused on the performance of SMPC, mainly on the number of communication rounds, communication complexity, computational complexity, and minimization of complexity assumptions to enhance the concept of security. Abraham et al. [22] construct a protocol based on verifiable secret sharing (VSS) that matches a semi-honest setting with a round complexity that is proportional to the circuit depth. A SMPC protocol against malicious adversaries and without trustworthy assumption settings was proposed [23], setting up a 5-round SMPC protocol based on Decisional Diffie-Hellman (DDH) assumption and a 4-round SMPC protocol constructed by one-way permutations based on sub-exponential security DDH assumption. For the problem of optimizing the number of rounds in a protocol, Ananth et al. [24] study the round complexity of n-party protocols in an honest majority setting to tolerate the corruption of \(t<\frac{n}{2}\) participants and achieve abort security under the plain model where the security of the protocol depends only on the one-way function. For SMPC, cryptographic techniques such as Laconic Function Evaluation (LFE), oblivious transfer (OT) are used to construct secure multiparty computation protocols [25,26,27] and to reduce the number of rounds of interaction between participants. Existing studies have shown that high communication overhead, high complexity of rounds and low security strength in secure multiparty computation. Therefore, this paper is based on cloud computing to achieve a more secure and efficient secure multiparty computation scheme, the general process is as follows Fig. 1.

Fig. 1
figure 1

Secure multiparty computation scheme on the cloud

This paper is devoted to solving the round number complexity optimization problem in SMPC on the cloud by introducing harder security assumptions to improve the security concept, reduce the number of interactions, and achieve low communication overhead for privacy-secure cloud computing. The contributions of this paper are as follows.

  1. 1.

    To optimize the round complexity of the protocol in cloud-based SMPC, we construct a 2-round secure multiparty computation using a multilinear map based on the LWE assumption.

  2. 2.

    In this paper the implementation of the protocol is done in the UC framework, the ideal functionality is delivered to the computing on the cloud and each participant can access the ideal functionality, the protocol is finally implemented on the cloud with UC security for SMPC security and increased security strength.

  3. 3.

    The parameters of the SMPC protocol settings are only related to the LWE instantiation and the depth of the computational circuit, which achieving sublinear overhead for communication.

Related work section describes the Related Work in the area of secure multiparty computation, and Preliminaries section provides an overview of multilinear maps, learning with errors (LWE), universally composable (UC), garbled circuit, and zero-knowledge proof. Protocol construction section describes the specific construction of the scheme in this paper, and Security demonstration section is a security demonstration of the scheme construction.Finally, we summarize our work in Conclusions section.

Related work

Secure multiparty computation with constant rounds was first studied in [28] to reduce the number of interaction rounds, Gordon et al. [29] designed SMPC protocols with constant rounds in honest majority to ensure that the parties have fairness as well as the output is delivered correctly (Table 1). A series of subsequent works target the security of SMPC, based on various difficult assumptions to design protocols for information security against malicious adversaries [30,31,32]. Garbled circuits combined with non-committing encryption (NCE) under the plain model to construct secure multiparty computation protocols with adaptive constant rounds are also described for some extensions and applications [33]. By combining cryptographic primitives, based on learning with errors (LWE) assumptions use fully homomorphic encryption [34] to construct two rounds of secure multiparty computation, allowing one round of distributed decryption of ciphertexts with multiple secret keys [35, 36], which gave a great impetus to later research. The bilinear mapping operation provides a unique operation for secure multiparty computation that would encode the input and then perform the operation, and the evaluation process takes as input the set of confusing protocol components with labels corresponding to the input encoding of each party, and outputs the entire text of the distributed protocol [37], which in turn incorporates the garbled circuit to design the garbled protocol. With the study and development of lattice trapdoors [38,39,40], constructing encoding schemes based on trapdoors and improving the security level of the schemes under the LWE assumption, hierarchical multilinear encoding has been widely used in cryptography, from non-interactive key exchange protocols to broadcast and attribute-based encryption. ciampi et al [41] for the construction of secure two-party computation using oblivious transfer protocols, the construct such protocols from permutations of trapdoors based on four rounds of non-extensible zero-knowledge arguments for delayed inputs. The development of UC [42, 43] likewise has many applications in the field of secure multiparty computation. In the framework of UC, the security of the protocol relies on the security of UC to achieve indistinguishability between ideal and realistic environments. In the concept of static security, protocols for sublinear communication are constructed using threshold FHE as well as zero-knowledge proofs (NIZK) [44], which typically require four rounds of interaction under the threshold PKI model and five rounds under the CRS model. The optimization of the number of rounds is carried out in the honest majority setting, and the protocol design is carried out in the model where the circuit size is the polynomial communication size [24, 29], thus achieving static security. Existing studies have shown that high communication overhead, high complexity of rounds and low security strength in secure multiparty computation. The solution in this paper is dedicated to the optimization of the number of rounds and the communication overhead, introducing harder security assumptions and improving the notion of security.

Table 1 The computational function \(F:{({{0,1}}^{l_{in}})}^n\rightarrow {{0,1}}^{l_{out}}\) is compared to the SMPC protocol represented by a circuit C of depth d in the honest majority setting


In this section we will review multilinear maps, learning with errors (LWE), universally composable(UC), garbled circuit, and zero-knowledge proof. We denote \(k\in N\) as the security parameter and for all \(n\in N\),[n] is denoted as \(\left\{ 1,2,...,n\right\}\). PPT denotes probabilistic polynomial time and poly denotes positive polynomial. For a function \(\mu\) with \(\mu \left( k \right) < \frac{1}{poly(k)}\), the function \(\mu\) is said to be negligible. let \(x=(x_1,x_2,... ,x_{n})\) be a vector, the norm of a vector x is defined as \(\left\| x \right\| _{\infty }=max_i(x[i])\). If the two distributions \(D_1\),\(D_2\) are statistically close, we write them as \(D_{1}\overset{s}{\equiv }\ D_{2}\). If the two distributions \(D_1\),\(D_2\) are computational indistinguishability, we write them as \(D_{1}\overset{c}{\equiv }\ D_{2}\).

Multilinear maps

Multilinear maps [39, 40] is a mathematical tool that is abstractly defined and allows us to operate in a series of group elements and to extract a part of the information out of the output in combination with the results. Given t cyclic groups \(G_1,G_2,... ,G_t\) and a target cyclic group G, then for a multilinear maps algorithm e of order t we have.

$$\begin{aligned} e:{G\leftarrow G}_1\times G_2\times ...\times G_t. \end{aligned}$$
$$\begin{aligned} e({g_1}^{x_1},{g_2}^{x_2},...,{g_t}^{x_t})=g^{x_1\times x_2\times ...\times x_t}. \end{aligned}$$

where \(g_1,g_2,...,g_t\) distributions represent t cyclic groups \(G_1,G_2,...,G_t\) generators, g is denoted as the generators of the target group G, \(x_1,x_2,...,x_t\in \left\{ 0,1\right\} ^{*}\), we can consider \({g_i}^{x_i}(i\in [t])\) as the encoding of \(x_i\), and the t-order multilinear maps algorithm can encode the t unknown characters \(x_1,x_2,...,x_t\) string encoding \({g_1}^{x_1},{g_2}^{x_2},...,{g_t}^{x_t}\) on which \(x_1,x_2,...,x_t\) on the group G with the joint product encoding \(g^{\prod x_{i},i\in [t]}\). Similarly we can get the corresponding additive operations, if \(\boxplus\) denotes the operations defined in the group, we have \(g^{x_1}\boxplus g^{x_2})=g^{x_1+x_2}\). However, for multilinear maps of order t, we can only perform at most multiplication of t layers and addition of any layer. For multilinear maps, the result after computation is presented in the form of ciphertext, and we can extract a part of the information of the ciphertext using the zero test algorithm. ZeroTest algorithm:Given an element h, the ZeroTest algorithm verifies that h is an element of the target group G.

$$\begin{aligned} ZeroTest\left( h\right) :h\in G\ or\ h\notin G\ by\ h\overset{?}{=}g^0\ . \end{aligned}$$

If \(h=g^0\) then there is h is an element in the target group G. If \(h\ne g^0\) then h is not an element in the target group G.

Learning with errors

The trapdoor-based LWE design has also been developed through the study of lattice trapdoors [38], where K denotes the security parameter and the parameters \(n=n\left( k\right) ,q=q\left( k\right)\) of the LWE [45] instance are chosen to be integers, \(\chi =\chi (k)\) is a distribution over Z, and \({LWE}_{n,q,m}\) assumes that for all polynomials \(m=m(k)\) there is the following distribution that is indistinguishable.

$$\begin{aligned} \left( A,sA+e\right) \overset{c}{\equiv }\left( A,z \right) . \end{aligned}$$

where \({A}\leftarrow Z_q^{n\times m}\), \({s}\leftarrow Z_q^n\) is the input vector, \({e}\leftarrow \chi ^m\) denotes the noise vector and \({z}\leftarrow Z_q^m\). In the LWE scheme with trapdoor [17, 19], for any \(m^\prime \in N\), A is represented as a uniform random distribution matrix with trapdoor \(R\in Z_q^{m^\prime \times n\log {q}}\) and constructing the LWE hard problem based on this matrix, another matrix \(D_1\) can be generated by the matrix with trapdoor A such that \(AD_1=sA_1+e_1\),Similarly\(A_1D_2=sA_2+e_2\), where the matrix \(A_1\) is also a uniform random distribution matrix with a trap \(R_1\), that is, we can generate the \(D_i\) matrix of the current level based on the trapdoor \(R_{i-1}\) of the previous level, and the whole process forms a nested chain structure.

Theorem 1

(secure MPC with sublinear communication [26, 46], informal). Assuming LWE and secure erasures (alternatively, sub-exponential iO), every function can be securely computed by a 2-round protocol tolerating a malicious adversary that can adaptively corrupt all of the parties, such that the communication complexity, the online-computation complexity, and the size of the common reference string are sublinear in the function size.

Universally composable

In [46,47,48] the universally composable framework is defined as the following two models and indistinguishable security properties are formed in the two models, resulting in UC security as well as compositional security.

Real Model: The whole execution process consists of a UC environment Z, an adversary A, and n participants, which starts with Z invoking all participants, generating all inputs and being able to read all outputs, and ends with Z outputting the result of the whole execution. The output of the environment Z under the realistic model is denoted by \({Real}_{\pi ,A,Z}(x,k,r)\), where \(\pi\) denotes the protocol run by n participants according to the above specification, k is the security parameter, and r denotes the random information.

Ideal Model: F denotes an ideal function under an ideal model, S (simulator) denotes an ideal adversary, n Turing machines denote the participants and an environment Z. Under the ideal model, F defines the behavior of the desired computation and receives inputs from the participants to perform the computation, and then sends the output back to the participants. s cannot see the communication between the participants and F, but s can communicate with F. Denote the environment Z output under the ideal model by \({Ideal}_{F,S,Z}(x,k,r)\), where x denotes the input, k is the security parameter, and r denotes the random information.

Definition 1

(UC Security). Given a protocol \(\pi\), an ideal function F, if for any PPT adversary A and the existence of an adversary S under an ideal model, the following distribution is computationally indistinguishable for any environment Z. The protocol \(\pi\) is UC-realized in the presence of adversaries with an ideal function F.

$$\begin{aligned} {Real}_{\pi ,A,Z}(x,k,r)\overset{c}{\equiv }{Ideal}_{F,S,Z}(x,k,r). \end{aligned}$$

Hybrid Model:The F-hybrid model combines the rational model with the realistic model, extending the realistic model with an ideal function F. Each participant can interact with F. The output of Z under the hybrid model is denoted by \({Hybrid}_{\pi ,A,Z}^F(x,k,r)\).

Definition 2

(security under hybrid model). Given an F and G are ideal function, \(\pi\) is a protocol run by n participants and \(\pi\) satisfies the UC-implementation ideal function G in the F-hybrid model, if for an adversary A in the hybrid model, there exists an adversary S under the ideal model such that the environment Z computation is indistinguishable from the following two distributions.

$$\begin{aligned} {Real}_{G,S,Z}(x,k,r)\overset{c}{\equiv }{Hybrid}_{\pi ,A,Z}^F(x,k,r). \end{aligned}$$

Theorem 2

(UC Compositional Security). a UC-implementation F-protocol \(\pi\), for any F-hybrid protocol \(\rho\), has a combined protocol \(\rho ^\pi\) simulating the execution of the protocol \(\rho\), for adversary A, ideal adversary S, and no environment Z capable of distinguishing with a non-negligible probability whether it is interacting with an adversary A and the protocol \(\rho ^\pi\) interacts with, or interacts with S and the protocol \(\rho\). In other words, \(\rho\) is an F-hybrid protocol, \(\pi\) is a UC-implementation of F, and then there is \(\rho ^\pi\) UC-realized of \(\rho\).

Garbled scheme

\(\pi\) is an n-participant protocol, \(x_i\) denotes the input of participant \(P_i\), \(\pi _i\) denotes the next message function of participant \(P_i\), when \(\pi\) uses \(x_1,... ,x_n\) as input to run as \(\pi \left( x_{1},...,x_{n} \right)\), also as the output of the protocol.

Definition 3

(Garbled scheme GC): a Garbled scheme [30, 33, 37] consists of the following polynomial-time algorithmic tuple GC=Setup,Garble,Eval, and some security features:

\(Setup(1^k)\):This is a polynomial time algorithm that takes as input a security parameter and outputs a common reference string CRS.

\(Garble(CRS,i,\pi _i,x_i)\):This polynomial-time algorithm takes as input the common reference string CRS, index i, \(\pi _i\), and the parties’ input values \(x_i\), and outputs. (1) The next message function \(\pi _i\) is Garbled composed \(\widetilde{\pi _i}\). (2) The input value \(x_i\) is encoded \(\widetilde{x_i}\) with length \(l_e\). (3) The corresponding coded labels \(\left\{ lab_{j,0}^{i},lab_{j,1}^{i} \right\} _{j\in [n\cdot l_{e}]}\) after the input coding of a set of parties.

\(Eval(\widetilde{\pi _i},{\widetilde{x_i}},{lab}_{\widetilde{x_1}||...||\widetilde{x_n}}^i)\):The input \(\widetilde{\pi _i}\), the encoded input set \({\widetilde{x_i}}\) and the corresponding \(\widetilde{x_1}||...||\widetilde{x_n}\) encodes the input label \({lab}_{\widetilde{x_1}||... ||\widetilde{x_n}}^i\), the output result value y or terminator \(\perp\).

Correctness: for n-party agreement \(\pi\) and the set of inputs \(\left\{ x_{i}\right\} _{i\in [n]}\)for each party we have:

\(Pr[CRS\leftarrow Setup(1^k);(\widetilde{\pi _i},\widetilde{x_i},{{lab}_{j,0}^i,{lab}_{j,1}^i})\leftarrow Garble(CRS,i,{{\pi _i},x}_i)\forall i\in [n]:\left( x_{1},...,x_{n} \right) =Eval(\widetilde{\pi _i},\left\{ \widetilde{x_i} \right\} ,{lab}_{\widetilde{x_1}||...||\widetilde{x_n}}^i)]= 1\)

Security:For all protocols \(\pi\), all subsets of honest participants \(H\in [n]\), and the inputs \(H\in [n]\) chosen by each participant there exists a PPT algorithm such that:

$$\begin{aligned} \left\{ CRS,\left\{ \widetilde{\pi _i},\widetilde{x_i},{lab}_{\widetilde{x_1}||...||\widetilde{x_n}}^i\right\} _{i\in [n]}\right\} \overset{c}{\equiv }\left\{ Sim(1^k,\pi ,H,\left\{ x_i\right\} _{i\notin H},\pi \left( x_{1},...,x_{n} \right) )\right\} \end{aligned}$$

where \(CRS\leftarrow Setup(1^k)\), for all \(i\in [n]\) with \((\widetilde{\pi _i},\widetilde{x_i},{{lab}_{j,0}^i,{lab}_{j,1}^i})\leftarrow Garble(CRS, i,{{\pi _i},x}_i)\).

Non-interactive zero-knowledge proofs

The NIZK [29, 44, 46] function is based on the zero-knowledge function in [47], which adjusts and obtains special properties of non-interactive zero-knowledge proof. The argument of NIZK is just a bit string, which anyone can use to verify the validity of the statement. The ideal function \({F}_{{nizk}}^{R}\) is represented as follows.

figure a

The NIZK ideal function is parameterized by an NP relation R with n participants \(P_1,P_2,... ,P_n. ,P_n\), participant \(P_i\) can send a prove request, denoted as (xw), and the function verifies whether \((x,w)\in R\) and asks the adversary S to generate a proof \(\pi\) for statement x. The function stores \((x,\pi )\) and returns the proof to \(P_i\). For the other participants \(\left\{ p_{j} \right\} _{j\in [n],j\notin i }\) can send a verify request, denoted as \((x,\pi )\),if \((x,\pi )\) has been stored, the function outputs 1, otherwise the adversary is asked to present a proof w. If \((x,w)\in R\) the function returns 1, otherwise it returns 0.The proof for the following Theorem 3 is detailed in the literature [46].

Theorem 3

(informal). Assuming LWE, if there exists adaptively secure NIZK arguments for NP, there exists adaptively secure NIZK arguments for NP with proof size sublinear in the circuit size of the NP relation.

Protocol construction

In this section we construct protocols using a series of related techniques, firstly the construction of trapdoor matrices, secondly the application to secure multiparty computation using a trapdoor-based LWE encoding scheme to propose ideal functions that satisfy the properties of secure multiparty computation, and then a realistic protocol \(\pi _{smpc}\).

N-participant trapdoor matrix construction

For performing trapdoor matrix construction in secure multiparty computation, we apply a variant scheme based on the trapdoor construction in [38] on secure multiparty computation. Given \(m_1=\left\lceil n l o g\left( q\right) +\sqrt{n}\right\rceil ,m_2=\left\lceil n l o g(q)\right\rceil ,m=m_1+m_2=\left\lceil 2nlog(q)+\sqrt{n}\right\rceil\), the matrix \(\varvec{A}\) is denoted as \(\varvec{A=[A}_{\varvec{2}}\varvec{|A}_{\varvec{1}}\varvec{],A}_{\varvec{1}}\ \in Z^{n\times m_{2}},\ \varvec{A}_{\varvec{2}}\ \in Z^{n\times m_{1}},\) a matrix \(\varvec{R}\ \in Z_{q}^{m_{1}\times m_{2}}\) is required to satisfy the following requirements when the threshold of \(\varvec{A}\). (1) \(\varvec{R}\) is “small”. (2) Given the matrix \(G\in Z_q^{{n\times m}_2}\), we have \(\varvec{A}_{\varvec{1}}\ =G-\ \varvec{A}_{\varvec{2R}}\) and \(\varvec{A}=[\varvec{A}_{\varvec{2}}|G]\left( \begin{array}{cc} \varvec{I}&{}\varvec{R} \\ \varvec{0}&{}\varvec{I} \\ \end{array}\right)\). The process of generating \(\varvec{\left( A,R\right) }\): the selection matrix \(\varvec{R}\in _{Gaussian}Z_q^{{m_1\times m}_2}\), \(\varvec{R}\) is chosen randomly from the discrete Gaussian distribution, denoted as a trapdoor, and has \(\left\| x_{i} \varvec{R}\right\| _{\infty }\le \left\| x_{i} \right\| _{\infty }\left\lceil 2nlog(q)\right\rceil\). Choose a uniform distribution matrix \(\varvec{A}_{\varvec{2}}\in _{Uniform}Z^{n\times m_1}\) and set \(\varvec{A}=[\varvec{A}_{\varvec{2}}|G]\left( \begin{array}{cc} \varvec{I}&{}\varvec{R} \\ \varvec{0}&{}\varvec{I} \\ \end{array}\right) =\left[ \varvec{A}_{\varvec{2}}| G-\varvec{A}_{\varvec{2R}}\right] , \varvec{A}\in Z_q^{n\times m}\).

The generation of n trapdoors is performed in the setup session of the protocol, and a matrix \(\varvec{A}_{\varvec{i}}\) with trapdoors \(\varvec{R}_{\varvec{i}}\) is generated corresponding to each participant \(P_i\) according to the introduction of a Common Reference String (CRS). the following is the generation algorithm for the n trapdoor matrix.

figure b

Algorithm 1 n trapdoor matrix generation algorithm

In the process of trapdoor matrix, we use the CRS, which stores the parameters of the participants to generate the trapdoor matrix, when the participants receive the CRS can be integrated to generate their own corresponding matrix, the whole process is only related to the security parameter k, the whole generation process is polynomial time size poly(k).

SMPC in trapdoor LWE-based multilinear maps

We propose an encoding computation scheme for secure secure multiparty computation based on the graded encoding scheme mentioned in [39, 40], using a variant of its scheme applied to secure multiparty computation. A graded encoding scheme consists of the following polynomial program, \(ges=(PrmGen,InstGen,Sample,Garble.enc,Eval,ZeroTest,Extract)\):

InstGen(gp):Given the global parameter gp, the following processes are instantiated and generated:

  1. (1)

    Use trapdoor-sampling to generate a matrix set \(\varvec{U}_{\varvec{A}}\) with a trapdoor set \(\varvec{R}\). Each participant corresponds to a trapdoor matrix under a common random reference string and has the following properties.

    $$\begin{aligned} \forall \varvec{R}_{\varvec{i}}\in \varvec{R},\forall \varvec{A}_{\varvec{i}}\in \varvec{U}_{\varvec{A}}\varvec{,(A}_{\varvec{i}},\varvec{R}_{\varvec{i}})\leftarrow trapGen(1^k,1^n,1^m,q). \end{aligned}$$
  2. (2)

    Generate the public parameters \(pp{:=}\left( x,\left\{ \varvec{A}_{\varvec{i}}\varvec{:A}_{\varvec{i}}\varvec{\in U}_{\varvec{A}}\right\} \right)\), where x denotes the public parameter used for the proof, and the private parameter \(sp{:=}\varvec{R}_{\varvec{i}}:\varvec{R}_{\varvec{i}}\in \varvec{R}\).

Sample(pp):Generate an input plaintext to implement sampling an LWE input \(\varvec{S}\leftarrow Z_q^n\).

\(Garble.Enc(pp,sp, \varvec{S})\): The input matrix \(\varvec{A}_{\varvec{i}}\in \varvec{U}_{\varvec{A}}\), and the set of trapdoors R, the input \(\varvec{s}_{\varvec{i}}\varvec{\leftarrow S}\), samples an LWE error matrix \(\varvec{e}_{\varvec{i}}\leftarrow \chi ^m\) or \(\left\| \varvec{e}_{\varvec{i}} \right\| <\frac{q}{o(\sqrt{nlog(q)})}\), computes \(\varvec{A}_{\varvec{i-1}} \widetilde{\varvec{D}_{\varvec{i}}}\varvec{=s}_{\varvec{i}}\varvec{A}_{\varvec{i}}\varvec{+e}_{\varvec{i}}\) using the trapdoor \(\varvec{R}_{\varvec{i}}\in \varvec{R}\), encodes the input \(\varvec{s}_{\varvec{i}}\) into \(\widetilde{\varvec{D}}_{\varvec{i}}\) and output \(\widetilde{\varvec{D}}_{\varvec{i}}\) and the corresponding encoded labels \(\left\{ lab_{j,0}^{i},lab_{j,1}^{i} \right\} _{j\in [n\cdot l_{e}] }\).

\(Eval(\widetilde{\varvec{D}_{\varvec{i}}},{lab}_{\varvec{A||}\widetilde{\varvec{D}_{\varvec{1}}}\varvec{||...||}\widetilde{\varvec{D}_{\varvec{n}}}}^i)\): The calculation operations include addition and multiplication operations as follows.

N participants \(P_1,P_2,... ,P_n\),with \(\varvec{s}_{\varvec{1}},\varvec{s}_{\varvec{2}}\varvec{,\ldots ,s}_{\varvec{n}}\) corresponding to the inputs of each participant, where \(\varvec{s}_{\varvec{i}}\leftarrow Z_q^n,i=[n]\).There are \(n+1\) sets of matrices with trapdoors \(\varvec{U_A=\left\{ A,A_1,\ldots ,A_n \right\} }\) and each participant encodes \(\varvec{s}_{\varvec{i}}\) using the corresponding matrix \({\varvec{A}_{\varvec{i}}\varvec{\in U}}_{\varvec{A}}\), \(P_1\) encodes \(\varvec{A}\widetilde{\varvec{D}_{\varvec{1}}} \varvec{=s}_{\varvec{1}}\varvec{A}_{\varvec{1}}\varvec{+e}_{\varvec{1}}\) for its own \(\varvec{s}_{\varvec{1}}\), and \(P_2\) encodes \(\varvec{A}_{\varvec{1}}\widetilde{\varvec{D}_{\varvec{2}}}\varvec{=s}_{\varvec{2}}\varvec{A}_{\varvec{2}}\varvec{+e}_{\varvec{2}}\) for its own \(\varvec{s}_{\varvec{2}}\) until \(P_n\) encodes \(\varvec{A}_{\varvec{n-1}}\widetilde{\varvec{D}_{\varvec{n}}}\varvec{=s}_{\varvec{n}}\varvec{A}_{\varvec{n}}\varvec{+e}_{\varvec{n}}\), the whole process forms a nested chain structure that generates the current matrix \(\widetilde{\varvec{D}_{\varvec{i}}}\) based on the matrix \(\varvec{A}_{\varvec{i-1}}\) with trapdoors at the previous level, so that the input \(\varvec{s}_{\varvec{i}}\) is encoded into \(\widetilde{\varvec{D}_{\varvec{i}}}\) and \(\varvec{s}_{\varvec{i}}\) is hidden.

In a multilinear maps system, given n pairwise operations from level 1 to n, \(\varvec{A}\) as well as \(\widetilde{\varvec{D}_{\varvec{i}}},i\in [n]\), the coding results of all participants are multiplied together:

$$\begin{aligned}&\varvec{A}\widetilde{\varvec{D}_{\varvec{1}}}\widetilde{\varvec{D}_{\varvec{2}}}\varvec{\ldots }\widetilde{\varvec{D}_{\varvec{n}}}=\varvec{(s}_{\varvec{1}}\varvec{A}_{\varvec{1}}\varvec{+e}_{\varvec{1}}\varvec{)}\widetilde{\varvec{D}_{\varvec{2}}}\varvec{\ldots }\widetilde{\varvec{D}_{\varvec{n}}}\nonumber \\&=\varvec{(s}_{\varvec{1}}\varvec{A}_{\varvec{1}}\widetilde{\varvec{D}_{\varvec{2}}}\varvec{+e}_{\varvec{1}}\widetilde{\varvec{D}_{\varvec{2}}}\varvec{)}\widetilde{\varvec{D}_{\varvec{3}}}\ldots \widetilde{\varvec{D}_{\varvec{n}}}\nonumber \\&= \varvec{(s}_{\varvec{1}}\varvec{s}_{\varvec{2}}\varvec{A}_{\varvec{2}}\varvec{+s}_{\varvec{1}}\varvec{e}_{\varvec{2}}\varvec{+e}_{\varvec{1}}\widetilde{\varvec{D}_{\varvec{2}}}\varvec{)}\widetilde{\varvec{D}_{\varvec{3}}}\varvec{\ldots }\widetilde{\varvec{D}_{\varvec{n}}}\nonumber \\&=......=\varvec{s}_{\varvec{1}}\varvec{s}_{\varvec{2}}\varvec{\ldots }\varvec{s}_{\varvec{n}}\varvec{A}_{\varvec{n}}\varvec{+e}_{\varvec{noise}}. \end{aligned}$$

Where \(\varvec{e}_{\varvec{noise}}\) denotes the noise obtained by the final multiplication, which is obtained by the product of the above equation encoding the \(\varvec{s}_{\varvec{1}}\varvec{s}_{\varvec{2}}\varvec{... .}\varvec{s}_{\varvec{n}}\) instances, performing n levels of nesting. In the information with the same order encoding can be combined with each other for addition and subtraction operations, which can be expressed as \(g_i^{\varvec{s}_{\varvec{1}}}, g_i^{\varvec{s}_{\varvec{2}}}\) in the initial multilinear maps, for addition and subtraction operations to calculate \(g_i^{\varvec{s}_{\varvec{1}}\varvec{\pm } \varvec{s}_{\varvec{2}}}\). In the multilinear maps system with trapdoor LWE instances, for \(\widetilde{\varvec{D}_{\varvec{i}}^{\varvec{\prime }}}\) with \(\widetilde{\varvec{D}_{\varvec{i}}}\) that has encoded \(\varvec{s}_{\varvec{i}}^{\varvec{\prime }}\) with \(\varvec{s}_{\varvec{i}}\) of the same order i, making addition and subtraction operations yields.

$$\begin{aligned}&\varvec{A}_{\varvec{i-1}}\widetilde{\varvec{D}_{\varvec{i}}^{\varvec{\prime }}}+\varvec{A}_{\varvec{i-1}}\widetilde{\varvec{D}_{\varvec{i}}} = \varvec{A}_{\varvec{i-1}}\left( \widetilde{\varvec{D}_{\varvec{i}}}^{\varvec{\prime }}\varvec{+}\widetilde{\varvec{D}_{\varvec{i}}}\right) \nonumber \\&=\varvec{(s}_{\varvec{i'}}\varvec{+s}_{\varvec{i)}}\varvec{A}_{\varvec{i-1}}\varvec{+(e}_{\varvec{i}}\varvec{'}\varvec{+e}_{\varvec{i).}} \end{aligned}$$

If there are multiple \(\widetilde{\varvec{D}_{\varvec{i}}}\) of the same order, we can get at this point we can get \(\varvec{A}_{\varvec{i-1}}\widetilde{\varvec{D}_{\varvec{i}_{\varvec{1}}}}\varvec{+}\varvec{A}_{\varvec{i-1}}\widetilde{\varvec{D}_{\varvec{i_2}}}+... +\varvec{A}_{\varvec{i-1}}\widetilde{\varvec{D}_{\varvec{i_n}}}=\sum _{i={i_1,i_2,... ,i_n}} \varvec{s}_{\varvec{i}}+\varvec{e}_{\varvec{noise}}^{\varvec{\prime }}\), the same can be obtained from the operation of subtraction, at this point the multilinear maps system to achieve the basic operation.

\(ZeroTest(pp,\varvec{A}\widetilde{\varvec{D}_{\varvec{i}}})\): Given the matrix \(\widetilde{\varvec{D}_{\varvec{i}}}\) after the LWE encoding input, the result obtained by the Operation operation combined with the multilinear maps operation,If and only if \(\left\| \varvec{A}\cdot \widetilde{\varvec{D}_{\varvec{i}}} \right\| _{\varvec{A}\varvec{\in U}_{\varvec{A}}\varvec{\setminus A}_{\varvec{i}},i=[n]}\le \frac{q}{o(\sqrt{nlog(q)})}\),the ZeroTest program outputs 1.

\(Extract(pp,\varvec{A}\widetilde{\varvec{D}_{\varvec{i}}})\): The extractor takes as input the public parameter pp, \(\varvec{A}\widetilde{\varvec{D}_{\varvec{i}}}\), and outputs a string that represents a \(\lambda\) bit.

For the graded encoding scheme, Fig. 2 represents the process of computation of encoded inputs for each participant, if the noise does not exceed a certain threshold value, it is a bounded value, and the computed information can be extracted from the ZeroTest program and Extract program, ZeroTest program and Extract program for correctness are detailed in [40].The operation of multiparty computation in a multilinear maps system is given below.

Fig. 2
figure 2

The process of computation of encoded inputs for each participant

figure c

Algorithm 2 Evaluation algorithm

Ideal function \(F_{smpc}\)

There are n mutually distrustful participants \(P_1,P_2,... ,P_n\) want to jointly compute in polynomial time the computable function \(f(x_1,x_2,... ,x_n)=(y_1,y_2,... ,y_n)\), where \(x_1, x_2,... ,x_n\) are the input variables, \(y_1, y_2,... ,y_n\) are the output values. The protocol \(\pi\) of a multiparty computation of a computational function should satisfy the following requirements:

  1. (1)

    Privacy: The input information of each participant is invisible with respect to other participants, each participant does not obtain more information from other participants than what is inferred from its own results.

  2. (2)

    Correctness: the protocol \(\pi\) can correctly calculate the function f and return the corresponding correct result.

  3. (3)

    Security: each party gets the corresponding correct output, and no other additional information can be obtained.

In this paper, we design a secure multiparty computation protocol based on the above requirements and design a secure multiparty computation ideal function \(F_{smpc}:\left( \left\{ 0,1 \right\} ^{l_{in}} \right) ^{n}\rightarrow \left\{ 0,1 \right\} ^{l_{out}}\) as shown below:

figure d

Cloud-based secure multiparty computation protocol \(\pi _{smpc}\)

This section constructs a 2-round protocol \(\pi _{smpc}\) under the LWE assumption, based on LWE encoding the input, using multilinear maps operations to compute it locally before transmitting it over the broadcast channel, with the following protocol. A total of three phases which including pre-phase and 2 rounds of interaction processes, as included in Fig. 3, enable each participant to safely compute each encoded input, through 2 rounds of communication and local computation, so as to compute the corresponding computational function result values.

figure e
Fig. 3
figure 3

\(\pi _{smpc}\) Flow Chart

After each participant receives the output result y on the broadcast channel, a ZeroTesttest will be performed on the result. If \(\prod _{i=[n]}s_i\) is 0, only the noise distribution remains, and the threshold of the noise is used to determine whether the result encodes a value of 0. By simply designing the circuit using a combination of multilinear maps, the specific information contained in the ciphertext can be gradually inferred by a ZeroTest algorithm and extracted using a The extractor Extract is a very randomized extractor. However, ZeroTest cannot reveal too much information about the ciphertext, so we can use ZeroTest to extract part of the information for our computational purpose with certain security.

Semi-Malicious Security. A semi-malicious protocol can be defined over a broadcast channel where the input must be encrypted and then transmitted. This scheme is based on the LWE assumption that the n inputs are all elements in \(Z_q^n\) in an honest majority setting of the participants, and the inputs are encoded and then broadcast for transmission by an LWE instance, with each participant using confusion circuit locally on the encoded inputs and the output is broadcasted.

Theorem 4

(Theorem 1, restated). Assume the existence of a special ges scheme and NIZK scheme with LWE assumption, and that \(F:\left( \left\{ 0,1 \right\} ^{l_{in}} \right) ^{n}\rightarrow \left\{ 0,1 \right\} ^{l_{out}}\) is an effectively computable function of depth d. The function \(F_{smpc}\) can be implemented by a communication under an honest majority of the hybrid model two-round protocol UC realized with \(poly(l_{in},l_{out},d,k,n)\) complexity and tolerates the presence of semi-malicious adversaries.

Security demonstration

Secure Multi-Party Computation has two kinds of security, static security and adaptive security, static security means that during the operation of the MPC protocol, the security of the protocol can be guaranteed as long as the number of participants does not exceed the maximum number of participants predefined by the protocol. In other words, in the static security model, once the number of participants is determined, then the security of the protocol can be guaranteed. Adaptive security means that during the operation of the MPC protocol, even if there are malicious participants trying to interfere with the operation of the protocol, the security of the protocol is still guaranteed. the operation of the protocol, the security of the protocol can still be guaranteed. In realistic protocols, since a matrix \(U_A\) with trapdoors is used to generate a series of \(\varvec{D}\)-matrices, will the original privacy inputs be exposed in the presence of trapdoors and also the encoded D-matrices of the privacy inputs are disclosed? A specific elaboration is given in [40].According to the encoding rules, the two matrices \(\varvec{A}_{\varvec{i-1}}\) with trapdoor are nested with \(\varvec{A}_{\varvec{i}}\), denoted as \(\varvec{A}_{\varvec{i-1}}\widetilde{\varvec{D}_{\varvec{i}}}=\varvec{s}_{\varvec{i}}\varvec{A}_{\varvec{i}}\varvec{+e}_{\varvec{i}}\), and when encoding to the last one \(\varvec{A}_{\varvec{n-1}}\widetilde{\varvec{D}_{\varvec{n}}} \varvec{=s}_{\varvec{n}}\varvec{A}_{\varvec{n}}+\varvec{e}_{\varvec{n}}\), the trapdoor of matrix \(\varvec{A}_{\varvec{n}}\) is not involved in the calculation, if \(\varvec{s}_{\varvec{n}}\) distribution is randomized enough, then the whole encoding process is an LWE instance. According to the LWE assumption, the last encoding process is represented by a uniform random distribution matrix \(\triangle\), \(\varvec{A}_{\varvec{n-1}}\widetilde{\varvec{D}_{\varvec{n}}}=\triangle\), which becomes known as the product of \(\varvec{A}_{\varvec{n-1}}\) and \(\widetilde{\varvec{D}_{\varvec{n}}}\) as a uniform random distribution matrix \(\triangle\). Given a trapped \(\varvec{A}_{\varvec{n-1}}\) with a trapdoor and a uniformly randomly distributed matrix \(\triangle\), if \(\widetilde{\varvec{D}_{\varvec{n}}}\) can be generated without this trapdoor, then \(\varvec{A}_{\varvec{n-1}}\) with \(\widetilde{\varvec{D}_{\varvec{n}}}\) does not give away information about the trapdoor. Suppose there are two environments, real and simulated, and in the real environment using the trapdoor of \(\varvec{A}_{\varvec{n-1}}\) trapdoor to generate \(\widetilde{\varvec{D}_{\varvec{n}}}\) in the real environment and not using \(\varvec{A}_{\varvec{n-1}}\) trapdoor to generate in the simulated environment, the results of the two are computationally indistinguishable.The following lemma was obtained according to the literature [40]. If the LWE assumption holds, the input encoded based on the trapdoor LWE assumption is secure.

Theorem 5

The ideal function \(F_{smpc}\) is a polynomial-time computable deterministic function with N inputs and one output, and the protocol \(ges=(PrmGen,InstGen,Sample,Garble.enc,Eval,ZeroTest,Extract)\) is Secure multiparty computation in trapdoor LWE-based multilinear maps operations, then the protocol \(\pi _{smpc}\) UC realized the ideal function \(F_{smpc}\) in the honest majority participant setting.


To demonstrate security under an honest majority of participants based on a valid PPT simulator Sim, Adv represents a static semi-malicious adversary and the simulator is simulated as follows.\(\square\)

The Simulator: In the first round, it can encrypt the false inputs \(\widehat{\varvec{s}_{\varvec{i}}}\) and get the inputs of the other participants on the “witness tape”, which can encode the inputs. And send these inputs to the ideal function and receive the corresponding output y. After getting this result, the simulator computes \(\widetilde{y}\leftarrow Sim.eval(\widetilde{\pi _i},\widehat{s_i},\widetilde{\varvec{D}_{\varvec{i}}},{lab}_{\varvec{A||}\widetilde{\varvec{D}_{\varvec{1}}}\varvec{||\ldots ||}\widetilde{\varvec{D}_{\varvec{n}}}}^i)\) and broadcast it.

Hybrid Games: Define a series of hybrid games to demonstrate the indistinguishability of real and ideal scenarios:

$$\begin{aligned} {Real}_{\pi _{smpc},Adv,Z}\overset{c}{\equiv }{Ideal}_{F_{smpc},Sim,Z}. \end{aligned}$$

The output of the entire environment Z is used as the output of each game.

The game \({Real}_{\pi _{smpc},Adv,Z}\) : In the real world, the protocol \(\pi _{smpc}\) is executed in the environment Z in the presence of a semi-malicious adversary Adv.

The game \(\ {HYB}_{\pi _{smpc},Adv,Z}^1\): In this game, we modify the experiment of \({Real}_{\pi _{smpc},Adv,Z}\) as follows, introducing the \(F_{nizk}^R\)-hybrid model, where each participant \(P_i\) encodes its own input followed by \((prove, sid,x,\varvec{s}_{\varvec{i}})\) to \(F_{nizk}^R\), outputs a Proof \(\pi\), and sends \((proof,sid,\widetilde{\varvec{D}_{\varvec{i}}},\pi )\) for broadcast, and when participant \(\left\{ P_{j} \right\} _{j\in [n]\setminus i}\) receives the message, \(P_j\) sends a verification request to \(F_{nizk}^R (verify,sid ,x,\pi )\), and \(F_{nizk}^R\) returns 1 or 0 after verification.

Claim 1

\({Real}_{\pi _{smpc},Adv,Z}\overset{c}{\equiv }{HYB}_{\pi _{smpc},Adv,Z}^1\) Proving the indistinguishability of realistic protocols under hybrid models.

$$\begin{aligned}&Pr[(x,\widehat{\varvec{D}_{\varvec{i}}})\in \varvec{R|}\widehat{\varvec{D}_{\varvec{i}}}{:=}\nonumber \\&Sim\left( \begin{array}{c} \pi {:=}\pi \leftarrow F_{nizk}^R(\varvec{s}_{\varvec{i}})\\ \widehat{\varvec{s}_{\varvec{i}}}\leftarrow Sample\left( pp,1^k\right) \\ \pi ^\prime \leftarrow Sim(x,\widehat{\varvec{s}_{\varvec{i}}},\pi )\\ \widehat{\varvec{D}_{\varvec{i}}}\leftarrow Sim.ecn\left( pp,sp,\widehat{s_i}\right) \end{array}\right) ] \le negligible \end{aligned}$$


Let Adv be the adversary in the real environment and Sim denote the adversary in the ideal environment such that for any environment Z only the real or ideal environment can be distinguished with negligible probability, and for the adversary Sim in the ideal environment, any input from the environment Z is sent to Adv and any output of Adv is regarded as the output of Sim.For the adversary Sim in interaction with the ideal function \(F_{nizk}^R\), provide input \(\varvec{s}_{\varvec{i}}\), and when \((proof,sid,\widetilde{\varvec{D}_{\varvec{i}}},\pi )\) is received from \(F_{nizk}^R\), emulate an identical message for Adv. When the real-world adversary Adv taps participant \(P_i\), then the adversary Sim in the ideal environment also taps participant \(P_i\) and forwards all internal states to Adv.If at this time the adversary Adv replaces the message \(\varvec{s}_{\varvec{i}}\) with the false message \(\widehat{\varvec{s}_{\varvec{i}}}\) on behalf of the participant \(P_i\) and forges the proof \(\pi ^\prime\) against \(\pi\) and broadcasts the message \((proof,sid,\widehat{\varvec{D}_{\varvec{i}}},\pi ^\prime )\), when the other participants receive this message and verify the proof when , query whether \(F_{nizk}^R\) has stored \(\pi ^\prime\), and since \(\pi ^\prime\) is not generated by \(F_{nizk}^R\), determine whether \((x,\widehat{\varvec{D}_{\varvec{i}}})\in R\). According to the security of LWE assumptions and the security of zero-knowledge proofs, only the input encoded by LWE instances can pass the verification , in other words, the probability that a non-LWE encoded input passes verification is negligible.\(\square\)

So \({HYB}_{\pi _{smpc},Adv,Z}^1\) is indistinguishable from \({Real}_{\pi _{smpc},Adv,Z}\) computation, and the scheme under the hybrid model is semantically secure.

The game \(\ {HYB}_{\pi _{smpc},Adv,Z}^2\): Unlike \({HYB}_{\pi _{smpc},Adv,Z}^1\), a realistic proof protocol \(\pi _{nizk}\) will be used instead of the ideal function \(F_{nizk}^R\), modifying the proof process to a local circuit for computation.

Claim 2

\({HYB}_{\pi _{smpc},Adv,Z}^1\overset{c}{\equiv }{HYB}_{\pi _{smpc},Adv,Z}^2\)


realistic zero-knowledge proof protocol notated as \(\pi _{nizk}\), composed by the garbled circuit GC, first generates the proof parameters \((S_p,S_v)\leftarrow GC.Setup(1^K)\) through the circuit, which in turn computes the proof \(\pi \leftarrow GC.Prove(S_p,x,\widetilde{\varvec{D}_{\varvec{i}}})\), sends \(S_v ,\pi\) is broadcasted and sent at the first round, and the other participants compute \(GC(x,\widetilde{\varvec{D}_{\varvec{i}}})\) through the NAND gate for Verify \(0/1\leftarrow GC.Verify(S_v,x,\pi )\). If the LWE assumption holds, since the probability that an adversary performs a pseudo-proof under a protocol with honest majority participants and is adopted by honest participants is negligible, for environment Z, it does not distinguish whether it is in the environment where the protocol \(\pi _{nizk}\) interacts with Adv or in the environment where \(F_{nizk}^R\) interacts with Sim. In other words, if the LWE assumption holds, the protocol \(\pi _{nizk}\) can UC to achieve the ideal function \(F_{nizk}^R\).\(\square\)

The game \({Ideal}_{F_{smpc},Sim,Z}\): computes the ideal function \(F_{smpc}\) and outputs the result correctly under the ideal model.

Claim 3

\({HYB}_{\pi _{smpc},Adv,Z}^2\overset{c}{\equiv }{Ideal}_{F_{smpc},Sim,Z}\)


experiments by the semantic security of the underlying ges scheme, encryption of the input by LWE assumptions, and then computation using multilinear maps operations, encryption is computationally indistinguishable, \(\pi _{smpc}\) is able to compute the encoded input correctly and get a correct in the presence of semi-malicious adversaries, honest majority of participants output, and since the protocol \(\pi _{nizk}\) can UC the ideal function \(F_{nizk}^R\), from Theorem 2 it follows that the protocol \(\pi _{smpc}\) can UC the ideal function \(F_{smpc}\), then \({HYB}_{\pi _{smpc},Adv,Z}^2\) and \({Ideal}_{F_{smpc},Sim,Z}\) computation is indistinguishable.\(\square\)

Combining the above statements, we get \({Real}_{\pi _{smpc},Adv,Z}\overset{c}{\equiv }{Ideal}_{F_{smpc},Sim,Z}\), which leads to the proof of Theorem 5.

To conclude, Tables 1 and 2 summarize the previous work and the results of this paper in an honest majority setting, the main parameters considered are security, number of rounds, communication complexity, setup settings, etc. Under the LWE assumption, this scheme requires only 2 rounds of communication interactions for secure distributed multi-party secure computation and achieves static security in an honest majority of settings. Compared with previous work, this paper optimizes the number of rounds of secure multiparty computation and reduces the Setup Size, and the communication overhead is sublinear. Although static security is achieved, which already meets the security requirements in most scenarios, this is a minor limitation of the work in this paper, and research improvements for further adaptive security are necessary in future work.

Table 2 This is an additional description of Table 1


Cloud Secure MultiParty Computation (CSPC) is suitable for a number of application prospects such as cloud-based data streaming information sharing, data trading and e-auctions in distributed environments, for which CSPC provides a secure computation as well as privacy guarantees. In this paper, we combine the concept of cloud computing and secure multiparty computation and use the harder polynomial time puzzle assumption to provide the security concept of the protocol as well as the strength, based on the LWE assumption, the input of the participants is encoded using LWE instances with lattice trapdoor under a graded encoding scheme and transmitted over the broadcast channel, the execution of the protocol is computed by multilinear maps to achieve the optimization of the number of rounds of the secure multiparty computation protocol on the cloud, the communication sublinear overhead, and in the UC framework , the protocol security is achieved through UC security implementation. In future work, it is an important research direction to achieve adaptive security of secure multiparty computation protocols with guaranteed round count optimization and low communication overhead, by combining stronger cryptographic primitives and related techniques to achieve adaptive security of the protocols, while the rise of quantum cryptography also points to a direction for the development of secure multiparty computation.

Availability of data and materials

Data sharing is not applicable to this paper as no datasets were generated or analyzed during the current study.


  1. Zhou X, He Yang X, Ma J, Wang KIK (2021) Energy-efficient smart routing based on link correlation mining for wireless edge computing in iot. IEEE Internet Things J 9:14988–14997

    Article  Google Scholar 

  2. Zhou X, Liang W, Yan K, Li W, Wang KIK, Ma J, Jin Q (2023) Edge-enabled two-stage scheduling based on deep reinforcement learning for internet of everything. IEEE Internet Things J 10:3295–3304

    Article  Google Scholar 

  3. He Q, Tan S, Chen F, Xu X, Qi L, Hei X, Zomaya A, Jin H, Yang Y (2023) Edindex: Enabling fast data queries in edge storage systems. ACM SIGIR 675–685

  4. Yuan L, He Q, Chen F, Zhang J, Qi L, Xu X, Xiang Y, Yang Y (2021) Csedge: Enabling collaborative edge storage for multi-access edge computing based on blockchain. IEEE Trans Parallel Distrib Syst PP:1–1

  5. Qi L, Yang Y, Zhou X, Rafique W, Ma J (2022) Fast anomaly identification based on multiaspect data streams for intelligent intrusion detection toward secure industry 4.0. IEEE Trans Ind Inform 18:6503–6511

    Article  Google Scholar 

  6. Zhou X, Xu X, Liang W, Zeng Z, Yan Z (2021) Deep-learning-enhanced multitarget detection for end-edge-cloud surveillance in smart iot. IEEE Internet Things J 8:12588–12596

    Article  Google Scholar 

  7. Qi L, Lin W, Zhang X, Dou W, Xu X, Chen J (2022) A correlation graph based approach for personalized and compatible web apis recommendation in mobile app development. IEEE Trans Knowl Data Eng 35:5444–5457

  8. Wu S, Shen S, Xu X, Chen Y, Zhou X, Liu D, Xue X, Qi L (2023) Popularity-aware and diverse web apis recommendation based on correlation graph. IEEE Trans Comput Soc Syst 10:771–782

    Article  Google Scholar 

  9. Li Z, Xu X, Hang T, Xiang H, Cui Y, Qi L, Zhou X (2022) A knowledge-driven anomaly detection framework for social production system. IEEE Trans Comput Soc Syst 1–14

  10. Dai H, Yu J, Li M, Wang W, Liu AX, Ma J, Qi L, Chen G (2022) Bloom filter with noisy coding framework for multi-set membership testing. IEEE Trans Knowl Data Eng 35:6710–6724

  11. Xu X, Gu JF, Yan H, Liu W, Qi L, Zhou X (2023) Reputation-aware supplier assessment for blockchain-enabled supply chain in industry 4.0. IEEE Trans Ind Inf 19:5485–5494

    Article  Google Scholar 

  12. Chaudhary R, Aujla GS, Garg S, Kumar N, Rodrigues JJ (2018) Sdn-enabled multi-attribute-based secure communication for smart grid in iiot environment. IEEE Trans Ind Inform 14:2629–2640

    Article  Google Scholar 

  13. Luo Y, Chen Y, Li T, Wang Y, Yang Y, Yu X (2022) An entropy-view secure multiparty computation protocol based on semi-honest model. J Organ End User Comput 34:1–17

    Article  Google Scholar 

  14. Li T, Wang Z, Yang G, Cui Y, Chen Y, Yu X (2021) Semi-selfish mining based on hidden markov decision process. Int J Intell Syst 36:3596–3612

    Article  Google Scholar 

  15. Li T, Chen Y, Wang Y, Wang Y, Zhao M, Zhu H, Tian Y, Yu X (2020) Yang Y (2020) Rational protocols and attacks in blockchain system. Secur Commun Netw 8839047(1–8839047):11

    Google Scholar 

  16. Sun J, Chen Y, Li T, Liu J, Yang Y (2021) Psspr: A source location privacy protection scheme based on sector phantom routing in wsns. In: 2021 IEEE Intl Conf on Dependable, Autonomic and Secure Computing, Intl Conf on Pervasive Intelligence and Computing, Intl Conf on Cloud and Big Data Computing, Intl Conf on Cyber Science and Technology Congress (DASC/PiCom/CBDCom/CyberSciTech), AB, Canada, p 334–340

  17. Li T, Wang Z, Chen Y, Li C, Jia Y, Yang Y (2021) Is semi-selfish mining available without being detected? Int J Intell Syst 37:10576–10597

    Article  Google Scholar 

  18. Wang Y, Li T, Liu M, Li C, Wang H (2022) Stsiiml: Study on token shuffling under incomplete information based on machine learning. Int J Intell Syst 37:11078–11100

    Article  Google Scholar 

  19. Zhao C, Zhao S, Zhao M, Chen Z, Gao CZ, Li H, Tan YA (2019) Secure multi-party computation: Theory, practice and applications. Inf Sci 476:357–372

    Article  Google Scholar 

  20. Yao ACC (1982) Protocols for secure computations. In: 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982), Chicago, IL, USA, pp 160–164

  21. Goldreich O, Micali S, Wigderson A (1987) How to play any mental game. In: Proceedings of the nineteenth annual ACM symposium on Theory of computing, New York, NY, United States pp 218–229

  22. Abraham I, Asharov G, Yanai A (2022) Efficient perfectly secure computation with optimal resilience. J Cryptol 35:66–96

  23. Ananth PV, Choudhuri AR, Jain A (2017) A new approach to round-optimal secure multiparty computation. In: Katz, J., Shacham, H. (eds) Advances in Cryptology – CRYPTO 2017. CRYPTO 2017. Lecture Notes in Computer Science(), Springer, Cham, vol 10401, pp 468–499

  24. Ananth PV, Choudhuri AR, Goel A, Jain A (2018) Round-optimal secure multiparty computation with honest majority. In: Shacham, H., Boldyreva, A. (eds) Advances in Cryptology – CRYPTO 2018. CRYPTO 2018. Lecture Notes in Computer Science(), Springer, Cham, vol 10992, pp 395–424

  25. Cohen R, Garay JA, Zikas V (2020) Broadcast-optimal two-round mpc. Adv Cryptol EUROCRYPT 2020 12106:828–858

    MathSciNet  Google Scholar 

  26. Quach W, Wee H, Wichs D (2018) Laconic function evaluation and applications. In: 2018 IEEE 59th Annual Symposium on Foundations of Computer Science (FOCS), Paris, France, pp 859–870

  27. Patra A, Srinivasan A (2021) Three-round secure multiparty computation from black-box two-round oblivious transfer. In: Malkin, T., Peikert, C. (eds) Advances in Cryptology – CRYPTO 2021. CRYPTO 2021. Lecture Notes in Computer Science(), Springer, Cham, vol 12826, pp 185–213

  28. Beaver D, Micali S, Rogaway P (1990) The round complexity of secure protocols. In: Symposium on the Theory of Computing, New York, NY, United States, pp 503–513

  29. Gordon SD, Liu FH, Shi E (2015) Constant-round mpc with fairness and guarantee of output delivery. In: Gennaro, R., Robshaw, M. (eds) Advances in Cryptology -- CRYPTO 2015. CRYPTO 2015. Lecture Notes in Computer Science(), Springer, Berlin, Heidelberg, vol 9216, pp 63–82

  30. Boyle E, Gilboa N, Ishai Y (2016) Breaking the circuit size barrier for secure computation under ddh. In: Robshaw, M., Katz, J. (eds) Advances in Cryptology – CRYPTO 2016. CRYPTO 2016. Lecture Notes in Computer Science(), Springer, Berlin, Heidelberg, vol 9814, pp 509–539

    Google Scholar 

  31. Garg S, Srinivasan A (2018) Two-round multiparty secure computation from minimal assumptions. J ACM 69:1–30

    Article  MathSciNet  Google Scholar 

  32. Hazay C, Orsini E, Scholl P, Soria-Vazquez E (2018) Tinykeys: A new approach to efficient multi-party computation. J Cryptol 35:1–66

    MathSciNet  Google Scholar 

  33. Canetti R, Poburinnaya O, Venkitasubramaniam M (2017) Equivocating yao: constant-round adaptively secure multiparty computation in the plain model. In: Proceedings of the 49th Annual ACM SIGACT Symposium on Theory of Computing, New York, NY, United States, pp 497–509

  34. Chen Y, Dong S, Li T, Wang Y, Zhou H (2021) Dynamic multi-key fhe in asymmetric key setting from lwe. IEEE Trans Inf Forensic Secur 16:5239–5249

    Article  Google Scholar 

  35. Mukherjee P, Wichs D (2016) Two round multiparty computation via multi-key fhe. In: Fischlin, M., Coron, JS. (eds) Advances in Cryptology – EUROCRYPT 2016. EUROCRYPT 2016. Lecture Notes in Computer Science(), Springer, Berlin, Heidelberg, vol 9666, pp 735–763

  36. Brakerski Z, Halevi S, Polychroniadou A (2017) Four round secure computation without setup. In: Kalai, Y., Reyzin, L. (eds) Theory of Cryptography. TCC 2017. Lecture Notes in Computer Science(), Springer, Cham, vol 10677, pp 645–677

  37. Garg S, Srinivasan A (2017) Garbled protocols and two-round mpc from bilinear maps. 2017 IEEE 58th Annual Symposium on Foundations of Computer Science (FOCS), Berkeley, CA, USA, pp 588–599

  38. Micciancio D, Peikert C (2012) Trapdoors for lattices: Simpler, tighter, faster, smaller. IACR Cryptol ePrint Arch 2011:501

    Google Scholar 

  39. Garg S, Gentry C, Halevi S (2013) Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds) Advances in Cryptology – EUROCRYPT 2013. EUROCRYPT 2013. Lecture Notes in Computer Science, Springer, Berlin, Heidelberg, vol 7881, pp 1–17

  40. Gentry C, Gorbunov S, Halevi S (2015) Graph-induced multilinear maps from lattices. In: Dodis, Y., Nielsen, J.B. (eds) Theory of Cryptography. TCC 2015. Lecture Notes in Computer Science, Springer, Berlin, Heidelberg, vol 9015, pp 498–527

    Google Scholar 

  41. Ciampi M, Ostrovsky R, Siniscalchi L, Visconti I (2017) Round-optimal secure two-party computation from trapdoor permutations. In: Kalai, Y., Reyzin, L. (eds) Theory of Cryptography. TCC 2017. Lecture Notes in Computer Science(), Springer, Cham, vol 10677, pp 678–710

  42. Dachman-Soled D, Katz J, Rao V (2015) Adaptively secure, universally composable, multiparty computation in constant rounds. In: Dodis, Y., Nielsen, J.B. (eds) Theory of Cryptography. TCC 2015. Lecture Notes in Computer Science, Springer, Berlin, Heidelberg, vol 9015, pp 586–613

  43. Canetti R, Goldwasser S, Poburinnaya O (2015) Adaptively secure two-party computation from indistinguishability obfuscation. IACR Cryptol ePrint Arch 2014:845

    Google Scholar 

  44. Asharov G, Jain A, López-Alt A, Tromer E, Vaikuntanathan V, Wichs D (2012) Multiparty computation with low communication, computation and interaction via threshold fhe. IACR Cryptol ePrint Arch 2011:613

    Google Scholar 

  45. Regev O (2005) On lattices, learning with errors, random linear codes, and cryptography. In: Symposium on the Theory of Computing, New York, NY, United States, pp 84–93

  46. Cohen R, Shelat A, Wichs D (2019) Adaptively secure mpc with sublinear communication complexity. In: Boldyreva, A., Micciancio, D. (eds) Advances in Cryptology – CRYPTO 2019. CRYPTO 2019. Lecture Notes in Computer Science(), Springer, Cham, vol 11693, 30–60

  47. Canetti R (2001) Universally composable security: a new paradigm for cryptographic protocols. In: Proceedings 2001 IEEE International Conference on Cluster Computing, Newport Beach, CA, USA, pp 136–145

  48. Hazay C, Venkitasubramaniam M (2016) Composable adaptive secure protocols without setup under polytime assumptions. In: Hirt, M., Smith, A. (eds) Theory of Cryptography. TCC 2016. Lecture Notes in Computer Science(), Springer, Berlin, Heidelberg, vol 9985, pp 400–432

Download references


This research was supported by both State Key Laboratory of Public Big Data, College of Computer Science and Technology that of Guizhou University.


This research was supported by Foundation of National Natural Science Foundation of China(61962009 and 62202118), and Top Technology Talent Project from Guizhou Education Department([2022]073).

Author information

Authors and Affiliations



Y.L. was a major contributor in writing the manuscript as a 1st Author and others were Co-Corresponding Authors. Y.C. and T.L. proposed some important ideas. C.T. and H.D. gave some suggestions for this paper. All authors read and approved the final manuscript.

Corresponding author

Correspondence to Yuling Chen.

Ethics declarations

Competing interests

The authors declare no competing interests.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Luo, Y., Chen, Y., Li, T. et al. Cloud-SMPC: two-round multilinear maps secure multiparty computation based on LWE assumption. J Cloud Comp 13, 22 (2024).

Download citation

  • Received:

  • Accepted:

  • Published:

  • DOI: