Next Article in Journal
Feature Enhanced Anchor-Free Network for School Detection in High Spatial Resolution Remote Sensing Images
Next Article in Special Issue
Advanced Technologies in Data and Information Security
Previous Article in Journal
Marine Geopolymer Concrete—A Hybrid Curable Self-Compacting Sustainable Concrete for Marine Applications
Previous Article in Special Issue
Evaluation of Local Security Event Management System vs. Standard Antivirus Software
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

LPCP: An efficient Privacy-Preserving Protocol for Polynomial Calculation Based on CRT

Shanghai Key Laboratory of Trustworthy Computing, East China Normal University, Shanghai 200062, China
*
Author to whom correspondence should be addressed.
Appl. Sci. 2022, 12(6), 3117; https://doi.org/10.3390/app12063117
Submission received: 25 January 2022 / Revised: 12 March 2022 / Accepted: 16 March 2022 / Published: 18 March 2022
(This article belongs to the Special Issue Advanced Technologies in Data and Information Security)

Abstract

:
With the development of privacy-preserving techniques, the increasing demand for secure multiparty computation (MPC) of mobile devices has become a significant challenge. Unfortunately, it is inapplicable for mobile devices to implement the existing secure multiparty computation schemes that rely on costly computation and communication overhead. To solve this problem, we propose an efficient two-party computation protocol secure against semi-honest adversary based on the Chinese remainder theorem (CRT). Our protocol utilizes CRT-based encryption and re-encryption techniques to realize additional and multiplicative homomorphic encryption, which can be transformed into a two-party secure computation scheme. Then, we extend our two-party LPCP protocol into a multiparty LPCP protocol, which is much faster and more space saving than the previous works. For practical purpose, we describe a distance measurement application for mobile devices based on LPCP. In the end, we implement LPCP codes and compare the experimental results to the state-of-the-art two-party and multiparty computation protocols. The experimental result shows that the high computation and communication efficiency of LPCP makes it possible for low computing-power mobile devices to implement multiparty secure computation protocols in reality.

1. Introduction

Multiparty computation (MPC) [1] allows a group of parties to compute a pre-defined function jointly without revealing their input information. MPC was initially introduced by Yao [2] in the 1980s. After decades of development, MPC has overcome many theoretical bottlenecks [3] and come into use in many areas, such as privacy-preserving machine learning [4,5] and cloud data storage [6]. In particular, two-party computation (2PC) plays a fundamental but indispensable role in the development of MPC because many 2PC schemes can be easily transformed into MPC schemes [7]. So we mainly focus on 2PC in this paper. The traditional 2PC schemes strongly rely on advanced computing power and large storage space machines. In the latest 2PC work by Lindell [8], their 2PC experiments are executed on two Amazon AWS instances: one is c4.8xlarge with 36 virtual 2.9 GHz CPUs and 64 GB RAM, and the other is c4.2xlarge with 8 virtual 2.9 GHz CPUs and 15 GB RAM, which is inapplicable for mobile devices. Although many optimization methods, such as amortization, pre-processing and round optimization, have been employed to decrease the computational and communication complexity in recent works [9,10,11], these improved MPC schemes are still far from daily application on mobile devices. Therefore, it is necessary to introduce a computing-efficient and communication-efficient MPC scheme for mobile devices with low computing ability.
In this paper, we propose an efficient MPC scheme called the lightning polynomial computation protocol (LPCP), which solves the problems mentioned above. Our starting point is a fully homomorphic encryption (FHE) [12], as two-party secure computation schemes can be constructed from a FHE scheme. However, the existing FHE-based 2PC schemes, such as threshold FHE [13,14] and multi-key FHE [15,16], do not meet our computational and communication efficiency demand. Inspired by Zhou’s [17] outsourced secure computation scheme LPPA, we find a delicate way to boost the execution process of MPC. In the LPPA paper, Zhou employed the Chinese remainder theorem (CRT) to construct an online computation scheme that allows additive homomorphic and multiplicative homomorphic operations with the help of a trusted third party and a double server. The advantage of LPPA is that the low computational and space requirement can be easily met by mobile devices, while the disadvantage is that all the computation tasks are assigned to a trusted third party and a double server, which are not allowed to exist in MPC cases. To construct a secure MPC scheme, we aim to remove the trusted third party and the double server. Therefore, we reassign the tasks of the trusted third party and double server directly to the two participant parties. The tasks of the double server are separated apart so that the original re-encryption task is assigned to the first party, and the original evaluation task is assigned to the second party. In the meanwhile, our modifications do not increase the computational and communication complexity. As a result, a 2PC protocol is accomplished without the double server and a trusted third party. Furthermore, we can transform our 2PC protocol into a MPC protocol in a recursive way.

1.1. Our Contributions

In this paper, we propose an efficient CRT-based MPC scheme for polynomial computations, which is secure against a semi-honest adversary. As far as we know, our LPCP scheme is the first protocol that introduces the Chinese remainder theorem encryption [18] and the re-encryption techniques into an MPC scheme. The computational complexity of LPCP is reduced to O ( 1 ) · T t r a p d o o r + O ( m a x ( l o g 2 p + q , t e r m F ) ) · T m u l t i p l i c a t i o n + O ( 1 ) · T h a s h , where ( p , q ) is the big prime parameters, t e r m F is the polynomial term number, T t r a p d o o r is the time of executing a trapdoor permutation encryption, T m u l t i p l i c a t i o n is the time of executing multiplication arithmetic operations, and T h a s h is the time of executing a hash function. The communication complexity of LPCP is reduced to O ( 1 ) · L t r a p d o o r + O ( 1 ) · L c i p h e r t e x t + O ( 1 ) · L h a s h , where L t r a p d o o r is the length of the trapdoor permutation ciphertext, L c i p h e r t e x t is the length of the ciphertext, and L h a s h is the length of the hash value. For two-party secure computation, compared to the latest two-party secure computation protocol Emp-sh2pc [19], our experimental result is more than 100 times faster than Emp-sh2pc in 128-bit and 256-bit additive and multiplicative tests, and more than 100,000 times faster in the 1024-bit modular exponential tests. For multiparty secure computation, our experimental result is much more scalable than those semi-honest protocols from MP-SPDZ [20]. Both the computational and communication overhead of LPCP is affordable for mobile devices with low computation power. As a result, it is feasible for privacy-preserving mobile devices to implement two-party secure computation with our protocol LPCP.

1.2. Related Works

In 1978, Rivest, Adleman and Dertouzos [21] first introduced privacy homomorphism that allows computation on encrypted data without decryption, and they give a CRT-based example. In 2009, Gentry [22] proposed the first concrete fully homomorphic encryption scheme based on ideal lattices. Based on the learning-with-error (LWE) assumption, Cheon [23] proposed a widely used FHE scheme called CKKS, which has been realized in many cryptography libraries. As the fully homomorphic encryption scheme can directly perform the computations on the ciphertexts without decryption, it brings many MPC ideas into being. López-Alt [14] proposed a new MPC scheme based on FHE. In the CRT fields, Kim [18] introduced a CRT-based fully homomorphic encryption scheme over the integers, which is secure against the chosen plaintext attacks under the decisional approximate greatest common divisor (AGCD) assumption and the sparse subset sum assumption. Zhou [17] proposed a CRT-based secure outsourced computation scheme that realizes fully the homomorphic property in a re-encryption way.

1.3. Orgnization

The paper is arranged as follows. Firstly, we introduce the preliminaries in Section 2. Then, the framework for two-party LPCP is described in Section 3. In Section 4, we give the flow chart of LPCP and present the concrete construction of LPCP for a two-party computation situation. In Section 5, we prove the correctness of LPCP and the privacy security of LPCP in the hybrid simulation. In Section 6, the original two-party construction of LPCP is extended into three or more party secure computation schemes. In Section 7, we describe a mobile device application scene based on our LPCP scheme. In Section 8, we evaluate the performance of our protocol in the aspects of running time and communication overhead. Then, we compare the result of our experiment to the latest works. Finally, we make a conclusion of the advantages and disadvantages of LPCP in Section 9.

2. Preliminaries

2.1. One-Way Trapdoor Permutation

One-way trapdoor permutation is a triple of function { f , f 1 , t } , where f is a one-way function and t is secret information generated by security parameter λ . Furthermore, function f : f ( x ) x is also a permutation, where x D ( 1 λ ) . There exists a polynomial algorithm that correctly computes function f 1 with the trapdoor t. For all probabilistic polynomial algorithms without the trapdoor t, there exists
P r [ A ( 1 λ , f ( x ) ) = f 1 ( f ( x ) ) ] ϵ ( λ )
where x D ( 1 λ ) and ϵ ( λ ) are negligible in λ .

2.2. Euler’S Theorem

Let n and a be coprime positive integers, that is, g c d ( n , a ) = 1 , then
a φ ( n ) 1 mod n
where φ is Euler’s totient function.

2.3. Chinese Remainder Theorem (CRT)

The Chinese remainder theorem asserts that if positive integers m 1 , m 2 , , m k are pairwise coprime, g c d ( m i , m j ) = 1 for i j and every integer a 1 , a 2 , , a n satisfies 0 a i < m i , there exists one and only one solution x such that 0 x < m to the following congruence.
x a 1 mod m 1 , x a 2 mod m 2 , x a k mod m k
with m = i = 1 k m i , m = m i M i and M i M i 1 mod m i , the solution x = M 1 M 1 b 1 + M 2 M 2 b 2 + + M k M k b k mod m .

2.4. Hash Function

Hash function H is a function which maps data of arbitrary size to fixed-size values { 0 , 1 } λ { 0 , 1 } λ . A good hash function should be collision resistant such that for all probabilistic polynomial-time adversaries A , A cannot find a collision x x such that H ( x ) = H ( x ) with non-negligible probability.

3. Framework for Two-Party LPCP

In this section, we introduce the framework for our semi-honest two-party secure computation protocol LPCP.
First of all, we define the security model of our two-party LPCP scheme. Considering the following situation, two semi-honest parties P 1 and P 2 intend to calculate a polynomial function F ( m 1 , m 2 ) with inputs m 1 and m 2 , respectively. For convenience, we use S to denote sender P 1 and R to denote receiver P 2 in this section. At the beginning of the protocol execution, one party is statically corrupted by the adversary. The corrupted party is allowed to learn as much information as possible, but cannot violate the protocol rules, which meets the definition of a semi-honest adversary.
To reduce the time and communication complexity, we abandon those widely used techniques, such as garbled circuits, oblivious transfer and secret sharing. Instead, LPCP implements the Chinese remainder theorem and re-encryption technique to realize additive and multiplicative homomorphism. The main idea of LPCP is that two parties encrypt their plaintexts with different secret keys, initially. Then, one party re-encrypts the other party’s ciphertext, transforming both parties’ ciphertext under the same secret key, where the computation process can be executed quickly. Finally, both parties decrypt the computed ciphertext to obtain the resulting answer. For concrete proof of the homomorphism, see Proof Section 4. LPCP consists of five ideal functionalities—the setup functionality F S e t u p , the key generation functionality F K e y G e n , the encryption functionality F E n c , the re-encryption functionality F R e E n c , the evaluation functionality F E v a l , and the decryption functionality F D e c .
In F S e t u p , two parties jointly decide the security parameter λ and the polynomial function F ( m 1 , m 2 ) . The polynomial function F ( m 1 , m 2 ) = i a i m 1 b i m 2 c i takes in m 1 and m 2 , and is expected to output the correct result. All the coefficients a i and degrees b i , c i of polynomial terms are decided by S and R in advance.
Ideal Functionality F S e t u p
  • S and R run p a r a S e t u p ( 1 λ ) .
  • S and R decide the polynomial function F = i = 1 n a i m 1 b i m 2 c i .
Once the initial parameter p a r a and the polynomial function are decided, both S and R begin to generate their private keys according to the parameter p a r a given in the functionality F K e y G e n . It is important to remember that our protocol implements symmetric encryption instead of asymmetric encryption. Therefore, the private key generated should be kept secret by each party respectively. Additionally, the randomness parameter should not be leaked as well.
Ideal Functionality F K e y G e n
  • S and R call the parameter p a r a to generate their secret keys s k and randomness parameters r by running { s k , r } K e y G e n ( p a r a ) .
In the encryption phase, S encrypts its message m 1 with its private key s k 1 and a random element r generated in F K e y G e n . Receiver R encrypts its message in the same way as sender S , except that R does not multiply a random element with its ciphertext.
Ideal Functionality F E n c
  • S and R encrypt their messages respectively by running C E n c s k ( m , r ) .
  • S sends its ciphertext to R .
As mentioned above, sender S and receiver R encrypt their messages with different private keys and different randomness tuples, which results in their ciphertexts being in two distinct ciphertext spaces. Direct addition and multiplication on such two ciphertexts result in a wrong answer. That is why we introduce the re-encryption functionality F R e E n c r y p t i o n . The re-encryption functionality aims to make sure that m a t h c a l S ’s ciphertext is correctly calculated with receiver R ’s ciphertext without leaking secret information.
Ideal Functionality F R e E n c
  • Receiver R receives the original ciphertext C from sender S .
  • Receiver R partially decrypts the ciphertext C in order to obtain the intermediate ciphertext C i n t e r m e d i a t e .
  • Receiver R re-encrypts the intermediate ciphertext C i n t e r m e d i a t e to obtain the sender S ’s ciphertext under the receiver R ’s secret key by running C R e E n c s k ( C i n t e r m e d i a t e ) .
  • Receiver R sends back the re-encryption result C to sender S .
The evaluation functionality is the key step where sender S finishes the calculation. The ciphertexts are transformed into the same ciphertext space; however, with different polynomial degrees. It is necessary for sender S to unify the degree of every term in the polynomial before the evaluation. After that, sender S calculates the sum of every polynomial term, finishing the evaluation step.
Ideal Functionality F E v a l
  • Sender S receives R ’s ciphertext C together with the re-encryption ciphertext C and reduces the initial randomness r from its re-encryption ciphertext.
  • Sender S carries out the computation function C F E v a l ( C , C ) .
  • Sender S transfers C F to receiver R .
In the end, we reach the final step—the decryption functionality. Receiver R , who owns the private key s k 2 , implements the decryption and sends the output back to S .
Ideal Functionality F D e c
  • Receiver R runs the decryption functionality to obtain O u t p u t D e c s k , r ( C F ) .
  • Receiver R shares the O u t p u t to S .
In a nutshell, sender S appends a random integer r to its message m 1 and encrypts them with S ’s private key. Receiver R encrypts its message m 2 with R ’s private key. Up to now, the two ciphertexts from S and R lie in the different ciphertext space. Then, S sends its ciphertext to R . R re-encrypts S ’s ciphertext with R ’s private key so that both S ’s ciphertext and R ’s ciphertext lie in the same ciphertext space, where the addition and multiplication operations can be performed directly. After that, R sends the re-encrypted ciphertexts to S . It is S ’s turn to eliminate the random integer r introduced by itself and carry out the polynomial calculation. At last, S sends the calculation result back to R , which can only be decrypted by R ’s private key. Once R finishes the decryption, it shares the output with S . Throughout the process, the privacy of the inputs and intermediate results are kept secret, which fulfills the goal of 2PC.

4. Concrete Construction for Two-Party LPCP

In this section, we give a detailed description of our two-party secure computation protocol LPCP. For three-party and more parties MPC cases, see Section 6.
In the setting of two-party LPCP, there are two semi-honest parties P 1 and P 2 , with inputs m 1 and m 2 , respectively. Both parties intend to compute a polynomial function F ( m 1 , m 2 ) = i = 1 n a i m 1 b i m 2 c i without leaking any information of their input. Here, we assume the communication channel and both parties’ identifications are authenticated, so they do not need additional negotiations. For convenience, we use S to denote sender P 1 and R to denote receiver P 2 . As Section 3 shows, our protocol consists of six phases—the Setup phase, KeyGen phase, Enc phase, Re-Enc phase, Eval phase, and Dec phase in four communication rounds. Figure 1 shows the sketch map of our protocol.
Setup: At the beginning of the protocol, P 1 and P 2 decide the security parameter 1 λ . If party P i has not generated the one-way trapdoor permutation function, P i runs the one-way trapdoor permutation generation algorithm to obtain a one-way trapdoor permutation function pair ( f , f 1 ) on { 0 , 1 } 2 λ . We denote the one-way trapdoor permutation function key pair of sender S as ( s k S e n , p k S e n ) and the key pair of receiver R as ( s k R e c , p k R e c ) . If both parties have generated their one-way trapdoor permutation function, they can skip the above generation process.
Once the security parameter length λ is decided, all the parameters can be generated without this communication. For this reason, we can pre-process the setup phase as follows. Both parties pre-process the generation of parameters while they are free. In this way, we can reduce one communication round to optimize the setup phase. As a result, when the request arrives, both parties choose the corresponding security parameters from the parameter library and run the protocol as soon as possible.
KeyGen: In the key generation phase, both parties initialize an integer N 0 { 0 , 1 } 2 λ . The message space M is set to be Z N 0 * where N 0 = { 0 , 1 } λ 1 .
For each party P i where i = 0 or i = 1 , three primes p i , q i , s i are randomly and independently chosen such that | p i | = | q i | = | s i | = λ . P i computes N i = p i q i satisfying N i N 0 and T i = p i q i s i . p i 1 is the multiplicative inverse element of p i modulo q i such that p i 1 p i 1 mod q i and q i 1 is the multiplicative inverse element of q i modulo p i such that q i 1 q i 1 mod p i . Each party holds ( p i , q i , s i , N i , T i ) , where p i , q i , N i , s i remain secret, while T i is public. As LPCP only involves symmetric encryption, there is no public key. This generation of big primes p i , q i , s i and the multiplicative inverse elements p i 1 , q i 1 can be pre-processed before the protocol when the parties are free. When the secure computation request comes, the parties can quickly choose a tuple of pre-generated parameters and consume it in the following execution. It must be ensured that every secure computation consumes a differently new tuple of ( p i , q i , s i ) .
Enc: In the encryption phase, sender S randomly chooses r 1 { 0 , 1 } λ and r 1 , r { 0 , 1 } 2 λ , then computes
C S e n = f p k R e c ( N 1 | | T 1 | | r ) m 1 , p 1 = m 1 mod p 1 m 1 , q 1 = m 1 mod q 1 C 1 , C R T = p 1 1 p 1 m 1 , q 1 q 1 + q 1 1 q 1 m 1 , p 1 p 1 C 1 = < r 1 , r 1 > · < C 1 , C R T , N 1 > mod T 1 = ( r 1 ( p 1 1 p 1 m 1 , q 1 q 1 + q 1 1 q 1 m 1 , p 1 p 1 ) + r 1 N 1 ) mod T 1 h a s h 1 = H ( C S e n | | C 1 )
S encrypts his secret modulus N 1 and a random element r with the public key of R ’s trapdoor permutation. Then S implements the Chinese remainder theorem and the Euler’s theorem to construct C 1 , C R T . Here, the purpose of introducing Euler’s theorem is to mess up the plaintext information. The ciphertext C 1 equals the inner product of randomness tuple < r 1 , r 1 > and secret tuple < C 1 , C R T , N 1 > modulo T 1 . In the first communication round, S sends C = ( C 1 , C S e n ) together with the hash value h a s h 1 to R .
On the other hand, receiver R randomly chooses r 2 { 0 , 1 } λ and computes
C R e c = f p k S e n ( T 2 ) m 2 , p 2 = m 2 mod p 2 m 2 , q 2 = m 2 mod q 2 C 2 , C R T = p 2 1 p 2 m 2 , q 2 q 2 + q 2 1 q 2 m 2 , p 2 p 2 C 2 = < 1 , r 2 > · < C 2 , C R T , N 2 > mod T 2 = ( p 2 1 p 2 m 2 , q 2 q 2 + q 2 1 q 2 m 2 , p 2 p 2 + r 2 N 2 ) mod T 2
The encryption process of receiver R slightly differs from S , as the first component of ciphertext C 2 , C R T is multiplied by the constant 1 instead of a random element. For S , the existence of the random element r 1 is to mask the message for the subsequent process and expand the ciphertext space into Z T 2 . As there is no need for C 2 to be masked and re-encrypted, R multiplies C 2 , C R T by the constant 1. To reduce the communication round, receiver R does not send out the ciphertext immediately. Instead, receiver R delays sending the ciphertext to the re-encryption phase.
Re-Enc: After receiving the ciphertext, R checks whether H ( C 1 | | C S e n ) equals the hash value h a s h 1 . If verified, R continues the re-encryption process. Otherwise, R outputs to abort the execution. Then R decrypts C S e n to obtain the modulus N 1 and randomly chooses r 2 R { 0 , 1 } 2 λ . R re-encrypts S ’s ciphertext C 1 as follows.
N 1 | | r = f s k R e c ( C S e n ) C 1 = C 1 mod N 1 C 1 , q 2 = C 1 mod q 2 C 1 , p 2 = C 1 mod p 2 C 1 r e e n c = ( p 2 1 p 2 C 1 , q 2 q 2 + q 2 1 q 2 C 1 , p 2 p 2 + r 2 N 2 ) mod T 2 h a s h 2 = H ( C R e c | | C 2 | | C 1 r e e n c )
As a result, the ciphertext C 1 is equivalent to r 1 m 1 mod N 1 according to the Chinese remainder theorem and Euler’s theorem. The re-encryption operation transforms S ’s ciphertext space into R ’s ciphertext space T 2 , which lays a foundation for the next evaluation phase. In the second communication round, receiver R sends ciphertext ( C 1 r e e n c , C 2 ) with the hash signature h a s h 2 back to S . Here, the security problem comes if R knows the ciphertext C 1 and the modulus N 1 , does it reveal any information about the input of sender S .
Theorem 1.
Assuming the secret parameter r is randomly chosen from { 0 , 1 } 2 λ and the modulus T are known to the adversary. The encryption scheme of receiver R
C = ( ( p 1 p m q q + q 1 q m p p ) + r N ) mod T
is semantically secure in the presence of an eavesdropper.
Proof. 
First, our protocol is under the private key encryption scheme. We define the experiment P r i v K A , Π e v a as follows.
  • The adversary A outputs a pair of messages | m 0 | = | m 1 | where m 0 , m 1 { 0 , 1 } λ .
  • Two big primes p and q are generated using K e y G e n , and a uniform bit b { 0 , 1 } is chosen. Ciphertext C E n c s k ( p , q ) ( m b ) is computed and given to A .
  • A outputs a bit b .
  • The output of the experiment is defined to be 1 if b = b , and 0 otherwise. We write P r i v K A , Π e v a = 1 if the output of the experiment is 1 and in this case we say that A succeeds.
We construct an adversary A so that it emulates the eavesdropping experiment for A . We define the experiment F a c t o r A ( T ) as follows.
  • Take as input the product of three primes T { 0 , 1 } 3 λ .
  • Generate the ciphertext C as in E n c .
  • Give C to A and obtain output N. Output 1 if T = N s , and output 0 otherwise.
If A can break the ciphertext C to obtain the plaintext m b , then A can calculate C m b mod T . As ( C m b ) 0 mod N , A can obtain the modulus N by calculating the greatest common divisor g c d ( C m b , T ) . A returns the modulus N to A . A can factor the product of big primes T = N s , which breaks the factor assumption. That is, if A can break the ciphertext with a non-negligible advantage, A can break the factor assumption. Therefore, the encryption scheme is semantically secure in the presence of an eavesdropper. □
Theorem 2.
Assume that the secret parameter r is randomly chosen from { 0 , 1 } λ and the moduli N and T are known to the adversary A . The encryption scheme of the sender
C = ( r ( p 1 p m q q + q 1 q m p p ) + r N ) mod T
is semantically secure in the presence of an eavesdropper.
Proof. 
First, our protocol is under the private key encryption scheme. We define the experiment P r i v K A , Π e v a as follows.
  • The adversary A outputs a pair of messages | m 0 | = | m 1 | where m 0 , m 1 { 0 , 1 } λ .
  • Two big primes p and q are generated using K e y G e n , and a uniform bit b { 0 , 1 } is chosen. Ciphertext C E n c s k ( p , q ) ( m b ) is computed and given to A .
  • A outputs a bit b .
  • The output of the experiment is defined to be 1 if b = b , and 0 otherwise. We write P r i v K A , Π e v a = 1 if the output of the experiment is 1 and in this case, we say that A succeeds.
We construct an adversary A so that it emulates the eavesdropping experiment for A . We define the experiment F a c t o r A ( N ) as follows.
  • Take as input the product of two primes N { 0 , 1 } 2 λ .
  • Generate the ciphertext C as in E n c .
  • Give C to A and obtain output p , q . Output 1 if N = p q , and output 0 otherwise.
If A can break the ciphertext C to obtain the plaintext m b , then A can obtain the randomness r by multiplying m 1 , the inverse element of m, with the result of C mod N . According to the Euler theorem, m q q 1 1 mod q and m p p 1 1 mod p . We can obtain m q q m q mod q and m p p m p mod p . According to the Chinese theorem, the adversary A can obtain m p and m q . Thus, A obtains the prime p by calculating the greatest common divisor g c d ( N , m m p ) and obtains the prime q by calculating the greatest common divisor g c d ( N , m m q ) .
Now the adversary A takes N as input. A constructs the ciphertext C and gives ( C , N ) to A as input. As A can break the ciphertext and return the big primes p , q to A , A can return N = p q and achieve the prime decomposition, which breaks the factor assumption. A can factor the product of big primes N = p q , which breaks the factor assumption. That is, if A can break the ciphertext with a non-negligible advantage, A can break the factor assumption. Therefore, the encryption scheme is semantically secure in the presence of an eavesdropper. □
Now the focus of our work is the presentation of the LPCP protocol and a more formal security analysis is required in future work.
Eval: Before introducing the evaluation phase, we prove the additive and multiplicative homomorphism of our CRT-based encryption scheme. The purpose of the re-encryption phase is to unify ciphertexts of P 1 and P 2 into the same ring space Z T 2 . After the re-encryption, ciphertexts C 1 r e e n c and C 2 are encrypted by the same private key of P 2 in the same ring space Z T 2 , where the additional and multiplicative operations can be performed directly on the ciphertexts. Below, we prove the homomorphism property that the decryption result of C 1 r e e n c + C 2 r 1 m 1 + m 2 mod N 2 and the decryption result of C 1 r e e n c * C 2 r 1 m 1 * m 2 mod N 2 .
Proof. 
E n c ( r 1 m 1 ) + E n c ( m 2 ) = C 1 r e e n c + C 2 p 2 1 p 2 ( C 1 , q 2 q 2 + C 2 , q 2 q 2 ) + q 2 1 q 2 ( C 1 , p 2 p 2 + C 2 , p 2 p 2 ) + R N 2 mod T 2 E n c ( r 1 m 1 ) * E n c ( m 2 ) = C 1 r e e n c * C 2 ( p 2 1 p 2 ) 2 ( C 1 , q 2 C 2 , q 2 ) q 2 + ( q 2 1 q 2 ) 2 ( C 1 , p 2 C 2 , p 2 ) p 2 + R N 2 mod T 2 D e c ( C 1 r e e n c + C 2 ) ( m 1 + m 2 ) mod N 2 D e c ( C 1 r e e n c * C 2 ) ( m 1 * m 2 ) mod N 2
After receiving the message ( C 1 r e e n c , C 2 , C R e c , h a s h 2 ) , sender S checks whether H ( C 1 r e e n c | | C 2 | | C R e c ) equals the hash value h a s h 2 . If verified, S continues the evaluation process. Otherwise, S outputs to abort the execution. Then S decrypts C R e c to obtain T 2 and partially decrypts C 1 r e e n c while keeping C 2 unchanged. The multiplicative inverse of r 1 satisfies r 1 r 1 1 = 1 mod T 2 . As parameter N 2 is known to R , it is easy for R to obtain the inverse element r 1 1 in the decryption phase. Degree d e g F is the maximum degree of polynomial F ( x 1 , x 2 ) , and d e g i is the degree of the i t h term of the polynomial. There are two reasons why the random element r is introduced into the ciphertext. One reason is to prevent R from deducing the plaintext m 1 , reversely referring to C F . The other reason is to unify the degree of the polynomial terms to perform the additive operations. In the third communication round, S sends the final ciphertext C F and hash signature h a s h 3 to R .
T 2 = f s k S e n ( C R e c ) , C 1 , e v a l = r r 1 1 C 1 r e e n c mod T 2 C 2 , e v a l = r C 2 mod T 2 C t e r m i = a i r ( d e g F d e g i ) C 1 , e v a l b i C 2 , e v a l c i mod T 2 d e g F = max i ( d e g i ) d e g i = b i + c i C F = i = 1 n C t e r m i h a s h 3 = H ( C F )
Dec: In the decryption phase, after receiving the message ( C F , h a s h 3 ) , receiver R checks whether H ( C F ) equals the hash value h a s h 3 . If verified, R continues the decryption process. Otherwise, R outputs to abort the execution. R obtains the random element r from the trapdoor permutation and computes the multiplicative inverse of r that satisfies r r 1 = 1 mod N 2 . In the last communication round, R shares the result O u t p u t with S .
r = f s k R e c ( C S e n ) O u t p u t = r d e g F C F mod N 2
At the end, S and R obtain the result of polynomial function F ( m 1 , m 2 ) without revealing their inputs m 1 and m 2 , which achieves the goal of secure two-party computation.

5. Security Proof

In this section, we give the security proof of LPCP.

5.1. Correctness

Before the security proof, we present the correctness of LPCP.
r d e g F C F mod N 2 = r d e g F i = 1 n k i r ( d e g F d e g i ) C 1 , e v a l d e g i 1 C 2 , e v a l d e g i 2 mod N 2 = i = 1 n k i ( r 1 1 C 1 ) d e g i 1 C 2 d e g i 2 mod N 2 = i = 1 n k i ( r 1 1 C 1 mod N ) d e g i 1 ( C 2 mod N ) d e g i 2 mod N 2 = i = 1 n k i ( r 1 1 r 1 m 1 ) d e g i 1 ( m 2 ) d e g i 2 mod N 2 = i = 1 n k i m 1 d e g i 1 m 2 d e g i 2 mod N 2

5.2. Privacy

We give the privacy proof of the 2PC LPCP protocol by simulation.
First, we consider the case of sender S being corrupted by the semi-honest adversary A 1 . The adversary A 1 obtains access to all the input and output of S , including S ’s security parameter 1 λ , the input message m 1 , the prime tuple ( p 1 , q 1 , s 1 ) , the randomness tuple, the polynomial function F ( m 1 , m 2 ) and the ciphertexts received. Receiver R sends the ciphertexts to the adversary A 1 in the second communication round and fourth communication round. The input ciphertexts are simulated as follows:
  • In the second round simulation, S receives the ciphertext ( C 1 r e e n c , C 2 ) .
  • In the fourth round simulation, S receives the plaintext O u t p u t .
Below, we prove that the honest sender S cannot distinguish its simulated view with its real execution view.
  • H r e a l : This hybrid is the same as the real-world execution.
  • H 1 : This hybrid is the same as H r e a l , except we change the output from O u t p u t to O u t p u t S i m . R randomly chooses O u t p u t S i m { 0 , 1 } 2 λ . According to Theorem 2 and the reason that S does not know the modulus N 2 for decryption, S cannot distinguish the real output O u t p u t from the simulated output O u t p u t S i m .
  • H 2 : This hybrid is the same as H 1 , except we change the ciphertext from ( C 1 r e e n c , C 2 ) to ( C 1 r e e n c S i m , C 2 S i m ) . R randomly chooses the ciphertext C 1 r e e n c S i m T and C 2 S i m T . As S has no information about R ’s value m 2 , N 2 , r 2 , S cannot distinguish the real ciphertext C 2 from the simulated ciphertext C 2 S i m . According to Theorem 1, S cannot distinguish the real re-encryption ciphertext C 1 r e e n c from the simulated re-encryption ciphertext C 1 r e e n c S i m .
The hybrid model H r e a l is statistically indistinguishable from the hybrid model H 2 , where H r e a l is the real-world view of S , and H 2 is the ideal world view of S . Therefore, the 2PC LPCP protocol is secure when S is corrupted.
Secondly, we consider the case of R being corrupted by the semi-honest adversary A 2 . The adversary A 2 gets access to all the input and output of receiver R , including R ’s security parameter 1 λ , the input message m 2 , the prime tuple ( p 2 , q 2 , s 2 ) , the randomness tuple, the polynomial function F ( m 1 , m 2 ) and the ciphertexts received. The adversary A 2 receives ciphertexts in the first and third communication round.
  • In the first round, R receives the ciphertext C 1 .
  • In the third round, R receives the ciphertext C F .
Below, we prove that the semi-honest sender R can not distinguish the simulated view with the real execution view.
  • H R e a l : This hybrid model is the same as the real-world execution.
  • H 1 : This hybrid model is the same as H r e a l , except we change the ciphertext ( C 1 r e e n c , C 2 ) to the randomly simulated ciphertexts ( C 1 r e e n c , S i m , C 2 S i m ) . When S simulates the ciphertext ( C 1 r e e n c , C 2 ) , S chooses a random element C F S i m { 0 , 1 } 3 λ and sends C F S i m to R . As R does not know the randomness r 1 , the ciphertext C 1 r e e n c is multiplied with r 1 1 , the inverse element of r 1 . Therefore, R cannot distinguish the randomly forged ciphertext C F S i m from the real ciphertext C F .
The hybrid model H r e a l is statistically indistinguishable from the hybrid model H 1 , where H r e a l is the real-world view of R and H 1 is the ideal-world view of R . Therefore, the 2PC LPCP protocol is secure when R is corrupted.
In summary, our 2PC LPCP is secure against the semi-honest adversary and guarantees the privacy of both parties’ input information. Now the focus of our work is the presentation of the LPCP protocol. A more formal security analysis is required in future work.

6. Extension to Three and More Parties LPCP

In Section 4, we present a two-party secure computation construction. Furthermore, LPCP can be extended into an MPC scheme with three and more parties utilizing the two-party LPCP scheme. In the following part, we present a three-party MPC construction. There are three parties P 1 , P 2 and P 3 with inputs m 1 , m 2 and m 3 , respectively, who aim to compute a polynomial function F ( m 1 , m 2 , m 3 ) = i k i m 1 a i m 2 b i m 3 c i .
Our main idea is that P 1 and P 2 perform the LPCP protocol and then perform the other LPCP protocol with P 3 . Concretely speaking, we execute the two-party LPCP scheme between P 1 and P 2 . Then we see P 1 and P 2 as a whole part and execute the other two-party LPCP scheme between this whole part and P 3 . To ensure the privacy security, the original two-party LPCP scheme is modified slightly. First, P 1 executes the operations as the sender, and P 2 executes the same operations as the receiver in Section 4, except that P 1 does not send the last ciphertext C F to P 2 in the re-encryption phase. Instead, P 1 encrypts the last ciphertext with its secret keys p 2 , q 2 and begins a new round of the two-party LPCP scheme with P 3 . The true decryption phase is delayed to the end of the whole protocol, where P 2 and P 1 decrypt the final ciphertext to obtain the answer.
Setup: The setup phase is the same as the two-party LPCP scheme.
KeyGeneration: For i = 0 , 1 , 2 , each party P i randomly and independently chooses three length-equal primes p i , q i , s i which satisfy | p i | = | q i | = | s i | = λ . Each party P i generates a trapdoor permutation key pair s k P i and p k P i . Then, P i computes N i = p i q i and T i = p i q i s i .
Encryption: P 1 randomly chooses r 1 { 0 , 1 } λ and r 1 , r { 0 , 1 } 3 λ . Then P 1 computes as follows and sends C P 1 and C 1 to P 2 .
C P 1 = f p k P 2 ( N 1 ) m 1 , p 1 = m 1 mod p 1 m 1 , q 1 = m 1 mod q 1 C 1 , C R T = p 1 1 p 1 m 1 , q 1 q 1 + q 1 1 q 1 m 1 , p 1 p 1 C 1 = < r 1 , r 1 > · < C 1 , C R T , N 1 > mod T 1 = ( r 1 ( p 1 1 p 1 m 1 , q 1 q 1 + q 1 1 q 1 m 1 , p 1 p 1 ) + r 1 N 1 ) mod T 1
P 2 randomly chooses r 2 { 0 , 1 } 3 λ and computes
C P 2 = f p k P 1 ( T 2 ) m 2 , p 2 = m 2 mod p 2 m 2 , q 2 = m 2 mod q 2 C 2 , C R T = p 2 1 p 2 m 2 , q 2 q 2 + q 2 1 q 2 m 2 , p 2 p 2 C 2 = < 1 , r 2 > · < C 2 , C R T , N 2 > mod T 2 = ( p 2 1 p 2 m 2 , q 2 q 2 + q 2 1 q 2 m 2 , p 2 p 2 + r 2 N 2 ) mod T 2
P 3 randomly chooses r 3 { 0 , 1 } λ and r 3 { 0 , 1 } 3 λ . Then, P 3 computes as follows and sends C P 3 and C 3 to P 2 .
C P 3 = f p k P 2 ( N 3 ) m 3 , p 3 = m 3 mod p 3 m 3 , q 3 = m 3 mod q 3 C 3 , C R T = p 3 1 p 3 m 3 , q 3 q 3 + q 3 1 q 3 m 3 , p 3 p 3 C 3 = < r 3 , r 3 > · < C 3 , C R T , N 3 > mod T 3 = ( r 3 ( p 3 1 p 3 m 3 , q 3 q 3 + q 3 1 q 3 m 3 , p 3 p 3 ) + r 3 N 3 ) mod T 3
Re-Encryption: In the re-encryption phase, P 2 receives the ciphertexts C P 1 and C 1 from P 1 and C P 3 and C 3 from P 3 . P 2 opens the trapdoor permutation with its secret key s k P 2 , randomly chooses r 2 and r 2 { 0 , 1 } 3 λ , then re-encrypts the ciphertexts C 1 and C 3 as follows.
N 1 = f s k P 2 ( C P 1 ) N 3 = f s k P 2 ( C P 3 ) C 1 = C 1 mod N 1 C 1 , p 2 = C 1 mod p 2 C 1 , q 2 = C 1 mod q 2 C 1 r e e n c = ( p 2 1 p 2 C 1 , q 2 q 2 + q 2 1 q 2 C 1 , p 2 p 2 + r 2 N 2 ) mod T 2 C 3 = C 3 mod N 3 C 3 , p 2 = C 3 mod p 2 C 3 , q 2 = C 3 mod q 2 C 3 r e e n c = ( p 2 1 p 2 C 3 , q 2 q 2 + q 2 1 q 2 C 3 , p 2 p 2 + r 2 N 2 ) mod T 2
After the re-encryption, P 2 sends the re-encrypted ciphertexts C 1 r e e n c and C 3 r e e n c back to P 1 . P 1 randomly chooses r 4 { 0 , 1 } 3 λ and re-encrypts C 3 r e e n c as follows.
C 3 , p 2 r e e n c = C 3 r e e n c mod p 1 C 3 , q 2 r e e n c = C 3 r e e n c mod q 1 C 3 r e e n c = ( p 1 1 p 1 C 3 , q 2 r e e n c q 1 + q 1 1 q 1 C 3 , p 2 r e e n c p 2 + r 4 N 1 ) mod T 1
Evaluation Round1: In the first round of the evaluation phase, P 1 encrypts the resulting ciphertext C r o u n d 1 instead of sending it back to P 2 . P 1 randomly chooses r 5 { 0 , 1 } λ and r 5 { 0 , 1 } 3 λ .
T 2 = f s k P 1 ( C P 2 ) , C 1 , e v a l = r 1 1 C 1 r e e n c mod T 2 C 2 , e v a l = C 2 mod T 2 C t e r m i = k i C 1 , e v a l a i C 2 , e v a l b i mod T 2 C r o u n d 1 = i = 1 n C t e r m i
Then P 2 computes the ciphertext C r o u n d 1 and sends it to the third participant party P 3 .
C r o u n d 1 , p 1 = C r o u n d 1 mod p 1 C r o u n d 1 , q 1 = C r o u n d 1 mod q 1 C r o u n d 1 , C R T = p 1 1 p 1 C r o u n d 1 , q 1 q 1 + q 1 1 q 1 C r o u n d 1 , p 1 p 1 C r o u n d 1 = < r 5 , r 5 > · < C r o u n d 1 , C R T , N 1 > mod T 1 = ( r 5 ( p 1 1 p 1 C r o u n d 1 , q 1 q 1 + q 1 1 q 1 C r o u n d 1 , p 1 p 1 ) + r 5 N 1 ) mod T 1
Evaluation Round2 P 3 receives the ciphertext C r o u n d 1 and C 3 r e e n c , then computes as follows.
C r o u n d 1 , e v a l = r 3 1 C r o u n d 1 mod T 1 C 3 , e v a l r e e n c = C 3 r e e n c mod T 1 C t e r m i = C r o u n d 1 , e v a l C 3 , e v a l r e e n c c i mod T 1 C r o u n d 2 = i = 1 n C t e r m i
After the evaluation, the ciphertext C r o u n d 2 is sent to P 1 for partial decryption.
Decryption In the decryption phase, P 1 performs the first decryption, then P 2 performs the second decryption.
C F = C r o u n d 2 mod N 1 O u t p u t = C F mod N 2 O u t p u t = F ( m 1 , m 2 , m 3 )
The existence of two rounds of evaluation is to make sure the ciphertexts are encrypted by the same private space and lie in the same ring space. When there are more than three parties, we can make use of the paradigm above to modify our LPCP scheme. However, the more parties there are, the more communication rounds there will be. When the party number grows large, the communication overhead increases rapidly, which leads to high latency. We will research this problem in our later work.

7. Mobile Device Distance Measurement Applications

In this section, we present a mobile device distance measurement application based on LPCP.
Nowadays, many mobile phone applications (APP) services are built on the location based service (LBS) [24,25]. For example, when users want to search the nearest take-out restaurant for dinner or they want to make friends with the stranger within a three-kilometer range on dating software, they need to upload their location information to APP servers. However, this uploading location information may reveal their location or even reveal their home address. Therefore, it is necessary to introduce location privacy techniques into those LBS-based APPs. Multiparty secure computation techniques can solve the location privacy problems above. However, it takes too much time, from seconds to minutes, for traditional MPC protocols to be executed on mobile devices with low computing power. Our secure computation protocol LPCP becomes of use in such circumstances. LPCP’s advantages of fast execution and low communication overhead make it possible for mobile devices to execute MPC protocols.
Supposing there are two users U s e r 1 , U s e r 2 with mobile devices who wish to measure the distance between each other in an APP locally. The main idea is as follows. As the local APP service only makes sense in a limited and effective range, we divide the geographical positions into many n × m two-dimensional planes, where n , m 2 λ δ . Here, the notation λ is the security parameter, and δ is the amplification factor. Then, the location of each user is mapped into the coordinate system ( x i , y i ) in a co-located rectangle area. Concretely, the location of U s e r 1 is scaled up by δ and mapped into the integer coordinate system ( x 1 , y 1 ) . The location of U s e r 2 is also scaled up by δ and mapped into the integer coordinate system ( x 2 , y 2 ) so that our LPCP can perform arithmetic operations. The problem of the privacy-preserving distance measurement is now transformed into calculating the polynomial ( x 1 x 2 ) 2 + ( y 1 y 2 ) 2 , which can be efficiently solved by the LPCP protocol.
In the setup phase, both mobile devices obtain their geographical information from the location service and map the geographical information into the integer coordinate system ( x 1 , y 1 ) and ( x 2 , y 2 ) . The security parameter 1 λ of LPCP is assumed to be fixed to a static value. To avoid the known-plaintext attack, each mobile device adds a relatively small noise ( e i , e i ) , where e i , e i 2 λ / δ to its location ( x i , y i ) to conceal its real position. After the pre-processing, the coordinate of U s e r 1 becomes ( x 1 + e 1 , y 1 + e 1 ) , and the coordinate of U s e r 2 becomes ( x 2 + e 2 , y 2 + e 2 ) where the introduced small noise e 1 , e 1 , e 2 , e 2 does not cause a distance result error.
In the key generation phase, both mobile devices implement the KeyGen algorithm to generate the prime tuple and the randomness as Section 4.
In the encryption phase, U s e r 1 plays the role as sender and U s e r 2 plays the role as receiver. U s e r 1 executes the sender’s encryption scheme to encrypt messages x 1 + e 1 and y 1 + e 1 , respectively. U s e r 2 executes the receiver’s encryption scheme to encrypt messages x 2 + e 2 and y 2 + e 2 , respectively. U s e r 1 and U s e r 2 deal with the x-coordinate and y-coordinate calculations separately.
The remaining re-encryption phase, evaluation phase, and decryption phase are the same as Section 4. In the re-encryption phase, U s e r 2 executes the Re-Enc algorithm. In the evaluation phase, U s e r 1 executes the Eval algorithm. In the decryption phase, U s e r 2 executes the Dec algorithm.
In the end, both mobile devices obtain the approximate distance between each other while keeping their exact position unexposed.

8. Performance and Evaluation

In this section, we evaluate the theoretical computation and communication complexity of LPCP and evaluate the performance of LPCP.

8.1. Theoretical Analysis

For the computation aspects, the computation overhead comprises three parts—the one-way trapdoor permutation, arithmetic ring operations and hash operations. Both the one-way trapdoor permutation encryption and the one-way trapdoor permutation decryption are implemented twice. The main overhead of the arithmetic ring operations lies in the re-encryption phase. The hash operations is implemented six times. Therefore, the computational complexity of LPCP is O ( 1 ) · T t r a p d o o r + O ( m a x ( l o g 2 p + q , t e r m F ) ) · T m u l t i p l i c a t i o n + O ( 1 ) · T h a s h , where ( p , q ) is the big prime parameters, t e r m F is the polynomial term number, T t r a p d o o r is the time of executing a trapdoor permutation encryption, T m u l t i p l i c a t i o n is the time of executing the multiplication arithmetic operations, and T h a s h is the time of executing a hash function.
For the communication aspects, the communication packages contain two trapdoor permutation ciphertexts, five 3 λ -long ciphertexts and three hash signature messages. To sum up, the communication complexity of LPCP is reduced to O ( 1 ) · L t r a p d o o r + O ( 1 ) · L c i p h e r t e x t + O ( 1 ) · L h a s h , where L t r a p d o o r is the length of the trapdoor permutation ciphertext, L c i p h e r t e x t is the length of the ciphertext and L h a s h is the length of the hash signature.

8.2. Practical Performance

Firstly, we run the LPCP code on a Raspberry Pi to show the compatibility of our scheme with the ARM architecture. The concrete configuration of our ARM environment is shown in Table 1.
Secondly, we run the LPCP code on the Intel X86 architecture computer in order to compare the experimental results with other secure computation protocol implementations which are only supported in the X86 instruction set. The concrete configuration of our X86 environment is shown in Table 2.
All the experiments are run on the two virtual machines on the same localhost, where the bandwidth bound is 100 Mbps and the latency can be ignored. Given the input m i , the addition operation expression is i = 1 n m i and the multiplication operation expression is i = 1 n m i .
Figure 2 shows the LPCP running time comparison of different arithmetic operation types both on ARM architecture and X86 architecture. When the security parameter length is 32 bits, 64 bits and 128 bits, the running time of LPCP on the ARM architecture is approximately 10 times slower than the running time of LPCP on the X86 architecture. When the security parameter length grows to 256 bits and 1024 bits, the running time of LPCP on the ARM architecture is approximately four times slower than the running time of LPCP on the X86 architecture. It turns out that LPCP protocol can be effectively implemented on the mobile devices based on ARM architecture.
Table 3 shows the practical performance of the two-party LPCP protocol on additive and multiplicative arithmetic operations in both the ARM architecture and the X86 architecture environment. In Table 3, the first column is the arithmetic operation type; the second column is the running time of LPCP execution in ARM architecture environment; the third column is the running time of LPCP execution in X86 architecture environment; and the last column is the communication overhead of ciphertexts transferred between two parties.
For comparison with other works, we choose one fully homomorphic encryption open-source library and two secure computation open-source libraries. The homomorphic encryption library is HElib, which realizes a leveled fully homomorphic encryption BGV [26] and CKKS [23]. As for the MPC libraries, one is the EMP toolkit [19], which realizes a 2PC protocol Emp-sh2pc secure against a semi-honest adversary. The other is the MP-SPDZ library [20], which benchmarks various secure multi-party computation (MPC) protocols, such as SPDZ [27], SPDZ2k, MASCOT [28], Overdrive [29], BMR garbled circuits [30], Yao’s garbled circuits, and MPC based on Shamir’s secret sharing.
For the FHE comparison, we choose the BGV implementation of arithmetic operations in the HElib library and compare the experimental results to our LPCP data. The experiment divides the running time into encryption time, arithmetic operation time and decryption time. Table 4 respectively shows the encryption time, arithmetic operation time, decryption time and total running time of 64-bit and 1024-bit arithmetic operations. In the additive arithmetic operations, the running time of 64-bit and 1024-bit HElib addition is much faster than LPCP. However, the encryption and decryption times of HElib lag behind, which results in the total running time of HElib being slower than LPCP. In the multiplicative arithmetic operations, the running time of both 64-bit and 1024-bit Helib multiplication is slower than LPCP.
Next, we analyze the two-party secure computation experimental results comparison between LPCP and Emp-sh2pc. Figure 3 shows the running time comparison of different arithmetic operations, and Figure 4 shows the communication overhead comparison. We can see that LPCP comes in the lead in both the running time and communication overhead. The running time of our protocol is more than 100 times faster than Emp-sh2pc in 128-bit and 256-bit additive and multiplicative tests. In particular, in the 1024-bit modular exponential operation test, the running time of LPCP is more than 100,000 times faster than Emp-sh2pc. Although the running time of LPCP’s additive computation becomes almost as costly as Emp-sh2pc when the bit length of the security parameter comes to 1024 bits. According to the analytic computational and space complexity, the running time of our protocol grows linearly with the largest exponent of the polynomial, which means the multiplicative computation of LPCP takes almost the same amount of time as the additive computation. For this reason, the running time of LPCP’s multiplicative computation is exponentially faster than Emp-sh2pc. As the communication latency increases, the additional one communication round of LPCP results in more communication time than the other 2PC protocols. In the communication space comparison, the total communication space is more than 10,000 times smaller than the result of Emp-sh2pc in 128-bit and 256-bit additive and multiplicative tests.
When it comes to three-party and four-party secure computation, we compare our LPCP experimental result with MP-SPDZ. To ensure fairness, we choose two kinds of MPC protocols, Semi and Hemi, which are both secure against the semi-honest adversary from the MP-SPDZ library. The difference of the chosen MPC protocol lies in that Semi is built based on oblivious transfer (OT) [31] and Hemi is built based on semi-homomorphic encryption [27]. Figure 5 shows the running time of Semi, Hemi and LPCP in the two-party, three-party and four-party experiments. Figure 6 shows the total communication overhead of Semi, Hemi and LPCP in the two-party, three-party and four-party experiments. The advantage of the fast execution and low communication cost of LPCP becomes much more clear as the number of parties grows because the time complexity and communication complexity grow approximately linearly to the party numbers. From the figures above, we can see that LPCP has better scalability than other traditional MPC protocols in the same condition. It is especially suitable for those mobile devices with low computing power and small storage space to execute LPCP for data privacy.

9. Conclusions

In this paper, an efficient CRT-based secure computation protocol LPCP for polynomial calculation is proposed. Based on LPCP, we propose a privacy-preserving distance measurement computation protocol that is affordable for mobile devices.
In the end, we implement LPCP in the ARM architecture environment to show its compatibility with mobile devices. We also implement LPCP in the X86 architecture environment and compare the experimental results with fully homomorphic encryption schemes and different kinds of MPC schemes. In both 2PC and MPC comparisons, our LPCP scheme has a great advantage of both running time and communication overhead, which makes it possible to implement secure computation on mobile devices. For future works, we aim to perform a formal security analysis of LPCP protocol and strengthen the security model against the malicious adversary.

Author Contributions

Conceptualization and methodology, J.T., Z.C. and J.S.; writing—original draft, formal analysis, software and visualization, J.T.; writing—review and editing, Z.C., J.S., X.D.; project administration, funding acquisition, Z.C., J.S. All authors have read and agreed to the published version of the manuscript.

Funding

This work was supported in part by the National Key Research and Development Program of China (Grant No. 2020YFA0712300), in part by the National Natural Science Foundation of China (Grant No. 62132005, 61632012, 62172162).

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Not applicable.

Conflicts of Interest

The authors declare no conflict of interest.

Abbreviations

The following abbreviations are used in this manuscript:
2PCTwo-party computation
MPCMultiparty computation
CRTChinese remainder theorem
LPCPLightning polynomial computation protocol
FHEFully homomorphic encryption
KeyGenKey generation
EncEncryption
Re-EncRe-encryption
DecDecryption
S Sender
R Receiver
λ Security parameter

References

  1. Lindell, Y. Secure Multiparty Computation (MPC). IACR Cryptol. ePrint Arch. 2020, 2020, 300. [Google Scholar]
  2. Yao, A.C. Protocols for Secure Computations (Extended Abstract). In Proceedings of the 23rd Annual Symposium on Foundations of Computer Science, Chicago, IL, USA, 3–5 November 1982; IEEE Computer Society: Washington, DC, USA, 1982; pp. 160–164. [Google Scholar]
  3. Mouchet, C.; Troncoso-Pastoriza, J.R.; Hubaux, J. Multiparty Homomorphic Encryption: From Theory to Practice. IACR Cryptol. ePrint Arch. 2020, 2020, 304. [Google Scholar]
  4. Patra, A.; Suresh, A. BLAZE: Blazing Fast Privacy-Preserving Machine Learning. In Proceedings of the 27th Annual Network and Distributed System Security Symposium, NDSS 2020, San Diego, CA, USA, 23–26 February 2020; The Internet Society: Reston, VA, USA, 2020. [Google Scholar]
  5. Byali, M.; Chaudhari, H.; Patra, A.; Suresh, A. FLASH: Fast and Robust Framework for Privacy-preserving Machine Learning. Proc. Priv. Enhancing Technol. 2020, 2020, 459–480. [Google Scholar] [CrossRef]
  6. Rezaeipour, D. Secure Computation for Cloud data Storage. IACR Cryptol. ePrint Arch. 2019, 2019, 709. [Google Scholar]
  7. Demmler, D.; Schneider, T.; Zohner, M. ABY - A Framework for Efficient Mixed-Protocol Secure Two-Party Computation. In Proceedings of the 22nd Annual Network and Distributed System Security Symposium, NDSS 2015, San Diego, CA, USA, 8–11 February 2015; The Internet Society: Reston, VA, USA, 2015. [Google Scholar]
  8. Lindell, Y.; Riva, B. Blazing Fast 2PC in the Offline/Online Setting with Security for Malicious Adversaries. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, 12–16 October 2015; Ray, I., Li, N., Kruegel, C., Eds.; ACM: New York, NY, USA, 2015; pp. 579–590. [Google Scholar]
  9. Rindal, P.; Rosulek, M. Faster Malicious 2-Party Secure Computation with Online/Offline Dual Execution. In Proceedings of the 25th USENIX Security Symposium, USENIX Security 16, 10–12 August 2016; Holz, T., Savage, S., Eds.; USENIX Association: Austin, TX, USA, 2016; pp. 297–314. [Google Scholar]
  10. Smart, N.P.; Tanguy, T. TaaS: Commodity MPC via Triples-as-a-Service. In Proceedings of the 2019 ACM SIGSAC Conference on Cloud Computing Security Workshop, CCSW@CCS 2019, London, UK, 11 November 2019; Sion, R., Papamanthou, C., Eds.; ACM: New York, NY, USA, 2019; pp. 105–116. [Google Scholar]
  11. Ciampi, M.; Ostrovsky, R.; Waldner, H.; Zikas, V. Round-Optimal and Communication-Efficient Multiparty Computation. IACR Cryptol. ePrint Arch. 2020, 2020, 1437. [Google Scholar]
  12. Brakerski, Z.; Vaikuntanathan, V. Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages. In Proceedings of the Advances in Cryptology-CRYPTO 2011—31st Annual Cryptology Conference, Santa Barbara, CA, USA, 14–18 August 2011; Proceedings. Rogaway, P., Ed.; Springer: Berlin/Heidelberg, Germany, 2011; Volume 6841, pp. 505–524. [Google Scholar]
  13. Asharov, G.; Jain, A.; López-Alt, A.; Tromer, E.; Vaikuntanathan, V.; Wichs, D. Multiparty Computation with Low Communication, Computation and Interaction via Threshold FHE. In Proceedings of the Advances in Cryptology—EUROCRYPT 2012—31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, 15–19 April 2012; Pointcheval, D., Johansson, T., Eds.; Springer: Berlin/Heidelberg, Germany, 2012; Volume 7237, pp. 483–501. [Google Scholar]
  14. López-Alt, A.; Tromer, E.; Vaikuntanathan, V. On-the-Fly Multiparty Computation on the Cloud via Multikey Fully Homomorphic Encryption. IACR Cryptol. ePrint Arch. 2013, 2013, 94. [Google Scholar]
  15. Mukherjee, P.; Wichs, D. Two Round Multiparty Computation via Multi-key FHE. In Proceedings of the Advances in Cryptology—EUROCRYPT 2016—35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Vienna, Austria, 8–12 May 2016; Part II. Fischlin, M., Coron, J., Eds.; Springer: Berlin/Heidelberg, Germany, 2016; Volume 9666, pp. 735–763. [Google Scholar]
  16. Li, Z.; Ma, C.; Zhou, H. Multi-key FHE for multi-bit messages. Sci. China Inf. Sci. 2018, 61, 1–3. [Google Scholar] [CrossRef] [Green Version]
  17. Zhou, J.; Cao, Z.; Qin, Z.; Dong, X.; Ren, K. LPPA: Lightweight Privacy-Preserving Authentication From Efficient Multi-Key Secure Outsourced Computation for Location-Based Services in VANETs. IEEE Trans. Inf. Forensics Secur. 2020, 15, 420–434. [Google Scholar] [CrossRef]
  18. Kim, J.; Lee, M.S.; Yun, A.; Cheon, J.H. CRT-based Fully Homomorphic Encryption over the Integers. IACR Cryptol. ePrint Arch. 2013, 2013, 57. [Google Scholar]
  19. Wang, X.; Malozemoff, A.J.; Katz, J. Faster Secure Two-Party Computation in the Single-Execution Setting. In Proceedings of the Advances in Cryptology—EUROCRYPT 2017—36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Paris, France, 30 April–4 May 2017; Part, III. Coron, J., Nielsen, J.B., Eds.; Volume 10212, pp. 399–424. [Google Scholar]
  20. Keller, M. MP-SPDZ: A Versatile Framework for Multi-Party Computation. IACR Cryptol. ePrint Arch. 2020, 2020, 521. [Google Scholar]
  21. Rivest, R.L.; Adleman, L.; Dertouzos, M.L. On data banks and privacy homomorphisms. Found. Secur. Comput. 1978, 4, 169–180. [Google Scholar]
  22. Gentry, C. Fully homomorphic encryption using ideal lattices. In Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC 2009, Bethesda, MD, USA, 31 May—2 June 2009; Mitzenmacher, M., Ed.; ACM: New York, NY, USA, 2009; pp. 169–178. [Google Scholar]
  23. Cheon, J.H.; Kim, A.; Kim, M.; Song, Y.S. Homomorphic Encryption for Arithmetic of Approximate Numbers. In Proceedings of the Advances in Cryptology—ASIACRYPT 2017—23rd International Conference on the Theory and Applications of Cryptology and Information Security, Hong Kong, China, 3–7 December 2017; Proceedings, Part I. Takagi, T., Peyrin, T., Eds.; Springer: Berlin/Heidelberg, Germany, 2017; Volume 10624, pp. 409–437. [Google Scholar]
  24. Zhou, J.; Dong, X.; Cao, Z.; Vasilakos, A.V. Secure and privacy preserving protocol for cloud-based vehicular DTNs. IEEE Trans. Inf. Forensics Secur. 2015, 10, 1299–1314. [Google Scholar] [CrossRef]
  25. Ren, W.; Tong, X.; Du, J.; Wang, N.; Li, S.; Min, G.; Zhao, Z.; Bashir, A.K. Privacy-preserving using homomorphic encryption in Mobile IoT systems. Comput. Commun. 2021, 165, 105–111. [Google Scholar] [CrossRef]
  26. Brakerski, Z.; Gentry, C.; Vaikuntanathan, V. (Leveled) fully homomorphic encryption without bootstrapping. ACM Trans. Comput. Theory (TOCT) 2014, 6, 1–36. [Google Scholar] [CrossRef]
  27. Damgård, I.; Pastro, V.; Smart, N.P.; Zakarias, S. Multiparty Computation from Somewhat Homomorphic Encryption. In Proceedings of the Advances in Cryptology—CRYPTO 2012—32nd Annual Cryptology Conference, Santa Barbara, CA, USA, 19–23 August 2012; Safavi-Naini, R., Canetti, R., Eds.; Springer: Berlin/Heidelberg, Germany, 2012; Volume 7417, pp. 643–662. [Google Scholar]
  28. Keller, M.; Orsini, E.; Scholl, P. MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 October 2016; Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S., Eds.; ACM: New York, NY, USA, 2016; pp. 830–842. [Google Scholar]
  29. Keller, M.; Pastro, V.; Rotaru, D. Overdrive: Making SPDZ Great Again. In Proceedings of the Advances in Cryptology—EUROCRYPT 2018—37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tel Aviv, Israel, 29 April–3 May 2018; Part, III. Nielsen, J.B., Rijmen, V., Eds.; Springer: Berlin/Heidelberg, Germany, 2018; Volume 10822, pp. 158–189. [Google Scholar]
  30. Beaver, D.; Micali, S.; Rogaway, P. The Round Complexity of Secure Protocols (Extended Abstract). In Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, 13–17 May 1990; Ortiz, H., Ed.; ACM: New York, NY, USA, 1990; pp. 503–513. [Google Scholar]
  31. Tzeng, W. Efficient oblivious transfer schemes. IACR Cryptol. ePrint Arch. 2001, 2001, 73. [Google Scholar]
Figure 1. The interaction flow chart of LPCP’s framework. The process of P 1 is on the left side and the process of P 2 is on the right side.
Figure 1. The interaction flow chart of LPCP’s framework. The process of P 1 is on the left side and the process of P 2 is on the right side.
Applsci 12 03117 g001
Figure 2. The running time comparison of additive, multiplicative and exponential arithmetic operations of LPCP on ARM and X86 architecture.
Figure 2. The running time comparison of additive, multiplicative and exponential arithmetic operations of LPCP on ARM and X86 architecture.
Applsci 12 03117 g002
Figure 3. The running time comparison of additive operation between LPCP and Emp-sh2pc.
Figure 3. The running time comparison of additive operation between LPCP and Emp-sh2pc.
Applsci 12 03117 g003
Figure 4. The running time comparison of multiplicative operation between LPCP and Emp-sh2pc.
Figure 4. The running time comparison of multiplicative operation between LPCP and Emp-sh2pc.
Applsci 12 03117 g004
Figure 5. Running time of Semi, Hemi and LPCP in different party numbers conditions.
Figure 5. Running time of Semi, Hemi and LPCP in different party numbers conditions.
Applsci 12 03117 g005
Figure 6. Total communication overhead of Semi, Hemi and LPCP in different party numbers conditions.
Figure 6. Total communication overhead of Semi, Hemi and LPCP in different party numbers conditions.
Applsci 12 03117 g006
Table 1. Configurations of experiment on ARM architecture.
Table 1. Configurations of experiment on ARM architecture.
CPUQuad core Cortex-A72 (ARM v8) 64-bit @ 1.5 GHz
RAM1GB LPDDR4
OSUbuntu 20.04
Programming languagec++11
Compilergcc version 9.3.0
Librariesopenssl-3.0.1, gmp-6.2.1
Table 2. Configurations of experiment on X86 architecture.
Table 2. Configurations of experiment on X86 architecture.
CPUi5-8259U
RAM8GB DDR4
OSUbuntu 20.04.3 LTS
Programming languagec++11
Compilergcc version 9.3.0
Librariesopenssl-3.0.1, gmp-6.2.1
Table 3. Performance of LPCP on additive, multiplicative and exponential operations.
Table 3. Performance of LPCP on additive, multiplicative and exponential operations.
Arithmetic Operation TypeRunning Time of ARM ArchitectureRunning Time of X86 ArchitectureTotal Communication
32-bit add1.219 ms0.1779 ms89B
32-bit mul1.268 ms0.1931 ms89B
32-bit exp1.279 ms0.2098 ms89B
64-bit add1.395 ms0.2387 ms111B
64-bit mul1.54 ms0.2366 ms111B
64-bit exp1.651 ms0.2969 ms111B
128-bit add2.189 ms0.484 ms155B
128-bit mul2.171 ms0.4693 ms155B
128-bit exp2.346 ms0.5529 ms155B
256-bit add5.716 ms2.0154 ms243B
256-bit mul5.845 ms2.0358 ms243B
256-bit exp6.79 ms2.3488 ms243B
1024-bit add213.43 ms85.376 ms771B
1024-bit mul221.993 ms86.446 ms771B
1024-bit exp238.629 ms86.21 ms771B
Table 4. Performance of BGV implemented in HElib library on additive and multiplicative operations.
Table 4. Performance of BGV implemented in HElib library on additive and multiplicative operations.
Arithmetic Operation TypeEncryption TimeArithmetic Operation TimeDecryption TimeTotal Running Time
64-bit add0.643 ms0.000000011 ms2.010 ms2.653 ms
64-bit mul0.643 ms6.972 ms2.010 ms9.625 ms
1024-bit add935.44 ms0.000126427 ms589.312 ms1524.752 ms
1024-bit mul935.44 ms3843.84 ms589.312 ms5368.592 ms
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Share and Cite

MDPI and ACS Style

Tang, J.; Cao, Z.; Shen, J.; Dong, X. LPCP: An efficient Privacy-Preserving Protocol for Polynomial Calculation Based on CRT. Appl. Sci. 2022, 12, 3117. https://doi.org/10.3390/app12063117

AMA Style

Tang J, Cao Z, Shen J, Dong X. LPCP: An efficient Privacy-Preserving Protocol for Polynomial Calculation Based on CRT. Applied Sciences. 2022; 12(6):3117. https://doi.org/10.3390/app12063117

Chicago/Turabian Style

Tang, Jiajian, Zhenfu Cao, Jiachen Shen, and Xiaolei Dong. 2022. "LPCP: An efficient Privacy-Preserving Protocol for Polynomial Calculation Based on CRT" Applied Sciences 12, no. 6: 3117. https://doi.org/10.3390/app12063117

APA Style

Tang, J., Cao, Z., Shen, J., & Dong, X. (2022). LPCP: An efficient Privacy-Preserving Protocol for Polynomial Calculation Based on CRT. Applied Sciences, 12(6), 3117. https://doi.org/10.3390/app12063117

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop