Abstract
While multiparty computations are becoming more and more efficient, their performance has not yet reached the required level for wide adoption. Nevertheless, many applications need this functionality, while others need it for simpler computations; operations such as multiplication or addition might be sufficient. In this work we extend the well-known multiparty computation protocol (MPC) for summation of Kurswave et al. More precisely, we introduce two extensions of the protocol one which bases its security on the Decisional Diffie-Hellman hypothesis and does not use pairings, and one that significantly reduces the pairings of the original. Both protocols are proven secure in the semi-honest model. Like the original, the protocols are entirely broadcast-based and self-bootstrapping, but provide a significant performance boost, allowing them to be adopted by devices with low processing power and can also be extended naturally to achieve \(t\)-privacy in the malicious model, while remaining practical. Finally, the protocols can further improve their performance if users decide to decrease their collusion tolerance.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
References
Asharov, G., Lindell, Y.: A full proof of the BGW protocol for perfectly-secure multiparty computation. Electron. Colloq. Comput. Complex. (ECCC) 18, 36 (2011)
Ben-David, A., Nisan, N., Pinkas, B.: Fairplaymp: a system for secure multi-party computation. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, pp. 257–266. ACM (2008)
Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation. In Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, pp. 1–10. ACM (1988)
Blake, I.F., Studholme, C.: Properties of random matrices and applications. Unpublished report (2006). http://www.cs.toronto.edu/~cvs/coding
Bogetoft, P., Christensen, D.L., Damgård, I., Geisler, M., Jakobsen, T.P., Krøigaard, M., Nielsen, J.D., Nielsen, J.B., Nielsen, K., Pagter, J., et al.: Multiparty computation goes live. IACR Cryptology ePrint Archive 2008, p. 68 (2008)
Chaum, D., Crépeau, C., Damgard, I.: Multiparty unconditionally secure protocols. In: Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, pp. 11–19. ACM (1988)
Clifton, C., Kantarcioglu, M., Vaidya, J., Lin, X., Zhu, M.Y.: Tools for privacy preserving distributed data mining. ACM SIGKDD Explor. Newsl. 4(2), 28–34 (2002)
Cooper, C.: On the rank of random matrices. Random Struct. Algorithms 16, 2000 (2000)
Damgrd, I., Pastro, V., Smart, N.P., Zakarias, S.: Multiparty computation from somewhat homomorphic encryption. IACR Cryptology ePrint Archive 2011, p. 535 (2011)
Department of Energy and Climate Change. Smart metering equipment technical specifications: second version July 2013. https://www.gov.uk/government/consultations/smart-metering-equipment-technical-specifications-second-version
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)
Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game. In: Proceedings of the Nineteenth Annual ACM Symposium on Theory of Computing, pp. 218–229. ACM (1987)
Hao, F., Zieliński, P.: A 2-round anonymous veto protocol. In: Christianson, B., Crispo, B., Malcolm, J.A., Roe, M. (eds.) Security Protocols. LNCS, vol. 5087, pp. 202–211. Springer, Heidelberg (2009)
Hart, G.W.: Nonintrusive appliance load monitoring. Proc. IEEE 80(12), 1870–1891 (1992)
Kursawe, K., Danezis, G., Kohlweiss, M.: Privacy-friendly aggregation for the smart-grid. In: Fischer-Hübner, S., Hopper, N. (eds.) PETS 2011. LNCS, vol. 6794, pp. 175–191. Springer, Heidelberg (2011)
Laughman, C., Lee, K., Cox, R., Shaw, S., Leeb, S., Norford, L., Armstrong, P.: Power signature analysis. IEEE Power Energy Mag. 1(2), 56–63 (2003)
Malkhi, D., Nisan, N., Pinkas, B., Sella, Y.: Fairplay-secure two-party computation system. In: USENIX Security Symposium, pp. 287–302 (2004)
Molina-Markham, A., Shenoy, P., Fu, K., Cecchet, E., Irwin, D.: Private memoirs of a smart meter. In: Proceedings of the 2nd ACM Workshop on Embedded Sensing Systems for Energy-efficiency in Building, pp. 61–66. ACM (2010)
Pereira, G.C.C.F., Simplício Jr., M.A., Naehrig, M., Barreto, P.S.L.M.: A family of implementation-friendly bn elliptic curves. J. Syst. Softw. 84(8), 1319–1326 (2011)
Schnorr, C.: Efficient identification and signatures for smartcards. pp. 239–252 (1990)
Shi, E., Chow, R., Chan, T.H.H., Song, D., Rieffel, E.: Privacy-Preserving Aggregation of Time-Series Data. Technical report, UC Berkeley (2011)
Weiss, M., Helfenstein, A., Mattern, F., Staake, T.: Leveraging smart meter data to recognize home appliances. In: 2012 IEEE International Conference on Pervasive Computing and Communications (PerCom), pp. 190–197. IEEE (2012)
Yang, Z., Zhong, S., Wright, R.N.: Privacy-preserving classification of customer data without loss of accuracy. In: SIAM International Conference on Data Mining, pp. 1–11 (2005)
Yao, A.C.-C.: Protocols for secure computations. In: FOCS, vol. 82, pp. 160–164 (1982)
Yao, A.C.-C.: How to generate and exchange secrets. In: 27th Annual Symposium on Foundations of Computer Science, 1986, pp. 162–167. IEEE (1986)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A Proof of Theorem 1
Lemma 1
Let \(m = \lfloor k / 2 \rfloor \). Let \(A^{(1)}, \ldots , A^{(m)}\) be skew-symmetric \(k \times k\) matrices with uniformly random entries in \(\mathbb {Z}_p\). Let \(B^{(1)} = \mathsf {coeff}(A^{(1)})[1, \ldots , k - 1], \ldots , B^{(m)} = \mathsf {coeff}(A^{(m)})[1, \ldots , k - 1]\) where the notation \([1, \ldots , k - 1]\) signifies the first \(k - 1\) rows of the matrix. Let \(M = (B^{(1)};\ldots ; B^{(m)}) \in \mathbb {Z}_p^{m(k - 1) \times m(k - 1)}\) be the joint matrix consisting of \(k - 1\) rows from each of the \(m\) coefficient matrices. Then \(\mathsf {Pr}[\mathsf {rank}(M) \ne m(k - 1)] \le \frac{\mathsf {poly}(k)}{p}\).
Proof
We can rearrange the rows of \(M\) such that the \(t\)-th block \(M^{(t)}\) consists of the \(t\)-th rows of the coefficient matrices. In each such row, there are only \(k - 1\) nonzero entries. Eliminating the zero columns results in an \(m \times (k - 1)\) matrix \(M^{(t)\prime }\) with independent and uniformly random elements from \(\mathbb {Z}_p\). Since \(m < k - 1\), the probability that \(M^{(t)\prime }\) is linearly independent is at least the probability that its left \(m \times m\) submatrix is linearly independent.It is mentioned in [4] (the result is due to Cooper [8]) that the probability that an \(m \times m\) random matrix over \(\mathbb {Z}_p\) is linearly independent is at least:
Now the probability that this does not hold is bounded by \(\frac{m}{p}\). Observe that if \(M^{(t)}\) is linearly independent for all \(1 \le k - 1\) then so is \(M\), since each submatrix \(M^{(t)}\) contains a unique column that is zero in all other submatrices, provided that a submatrices’s unique column is nonzero. The probability of the latter not holding is \(\frac{k - 1}{p^m}\). Therefore, an upper bound on the probability of \(M\) not being linearly independent is:
\(\square \)
Theorem 1
Under the DDH assumption, our multi-aggregation protocol is computationally \(t\)-private for all \(t \le n\) with at most \(\mathsf {max}(1, \lfloor (n - t) / 2 \rfloor )\) rounds in the random oracle model.
Proof
Let \(\ell \le \mathsf {max}(1, \lfloor (n - t)/2 \rfloor )\) be the number of aggregations. Let \(h = n - t\) be the number of honest users. If \(h \le 1\), it is trivial to construct a simulator \(\mathcal {S}\) since \(\mathcal {S}\) can fully learn \(\varvec{m}\) and then simulate all parties. Therefore, we assume that \(h \ge 2\). Let \(w = h(h - 1) / 2\). Consider the following series of Hybrids.
Hybrid 0: This is the same as the real distribution i.e. the LHS of Eq. 2 with the exception that we “simulate” each honest party \(P_k\) using input \(m^{(\rho )}_k\); therefore we have access to \(x_k\).
For \(1 \le q \le w\): Hybrid \(q\) involves two honest parties which we denote by \(P_i\) and \(P_j\). Their equations share the monomial \(x_ix_j\). There are \(w = h(h - 1) / 2\) such monomials and the goal of each Hybrid \(q\) is to replace the \(q\)-th monomial with a uniformly random element.
Hybrid q: The changes between Hybrid \(q\) and Hybrid \(q - 1\) involve changing the protocol messages of the honest parties \(P_i\) and \(P_j\) in all \(\ell \) aggregations. Let \(m^{(\rho )}_i\) and \(m^{(\rho )}_j\) be the inputs of these honest parties in round \(\rho \). Generate a uniformly random integer \(r \in \{0, \ldots , p - 1\}\) and replace all occurrences of \(g^{x_ix_j}\) by \(g^r\) in the computation of the second messages in all aggregations.
Hybrid \(q - 1\) and Hybrid \(q\) are computationally indistinguishable under the DDH assumption. Hybrid \(q - 1\) involves the DDH instance \((g, g^{x_i}, g^{x_j}, g^{x_ix_j})\) and Hybrid \(q\) involves the DDH instance \((g, g^{x_i}, g^{x_j}, g^r)\) where \(x_i, x_j\) and \(r\) are uniformly distributed in \(\{0, \ldots , p - 1\}\). A non-negligible advantage distinguishing between Hybrid 0 and Hybrid 1 implies a non-negligible advantage against DDH.
Hybrid w + 1: (where \(w = h(h - 1) / 2\)) \(H\) is modelled as a random oracle and as such the skew-symmetric matrices contain uniformly random elements in \(\mathbb {Z}_p\). In this Hybrid, we program \(H\) such that the joint coefficient matrix \(M \in \mathbb {Z}_p^{\ell (n - t - 1) \times (n - t)(n - t - 1)/2}\) formed from the coefficient matrix in every aggregation is linearly independent. By Lemma 1, the probability of \(M\) not being linearly independent when generated as in the real world is at most \(\frac{\mathsf {poly}(n - t)}{p}\). Because \(p\) is superpolynomial in the security parameter, an adversary has a negligible chance between distinguishing Hybrid \(w + 1\) and Hybrid \(w\).
Hybrid w + 2: Without loss of generality, assume that parties \(P_1, \ldots , P_h\) are the honest parties. For all \(1 \le i < h\) and \(1 \le \rho \le \ell \), replace the protocol message \(v^{(\rho )}_i\) of party \(P_i\) in aggregation \(\rho \) with \(g^{r^{(\rho )}_i} \cdot g^{m^{(\rho )}_i}\) for uniformly random \(r^{(\rho )}_i \in \mathbb {Z}_p\). Furthermore, for every \(1 \le \rho \le \ell \), replace the protocol message \(v^{(\rho )}_h\) with \(g^{-\sum _{j = 1}^{h - 1} r^{(\rho )}_j + m^{(\rho )}_h}\). Due to the linear independence of the coefficient matrix \(M \in \mathbb {Z}_p^{\ell (n - t - 1) \times (n - t)(n - t - 1)/2}\), distinguishing between Hybrid \(w + 2\) and Hybrid \(w + 1\) is impossible.
Hybrid w + 3: Finally, in this Hybrid, the inputs \(m^{(\rho )}_1, \ldots , m^{(\rho )}_h\) are replaced by a random partition of \(\sum _{k = 1}^h m^{(\rho )}_k\), namely the values \(s^{(\rho )}_1, \ldots , s^{(\rho )}_h\) for every \(\rho \in \{1, \ldots , \ell \}\).
An adversary has a zero advantage distinguishing Hybrid \(w + 3\) and Hybrid \(w + 2\). To see this, suppose the adversary could distinguish the hybrids. Then it can determine that some party’s input (say \(P_i\)) in some aggregation \(\rho \) is not \(s^{(\rho )}_i\). But \(v^{(\rho )}_i = g^{r^\prime }\) for some uniformly random \(r^\prime \), which provides no information about the message (whether it is \(m^{(\rho )}_i\) or \(s^{(\rho )}_i\)). Note that \(v^{(\rho )}_h\) gives no additional information since it can be derived from the information known to the adversary (recall that the sum in each aggregation is known).
Since Hybrid \(w + 3\) no longer relies on the honest parties’ messages, and all other information needed to construct the distribution can be derived from the simulators’ inputs in Eq. 2, it follows that there exists an algorithm \(\mathcal {S}\) that can simulate the real distribution. \(\square \)
B \(t\)-privacy in the Malicious Setting
We only give a brief overview here of how to prove \(t\)-privacy of the extended protocol described in Sect. 3.2 in the presence of malicious adversaries. Recall that the protocol uses a NIZK argument system \((\mathsf {Setup}, \mathsf {Prove}, \mathsf{Verify})\) for statements of the form \(S_i = \{(x_i) : u_i = g^{x_i}\}\). The common reference string \(\sigma \leftarrow \mathsf {Setup}(1^\kappa )\) is known to all parties and consists of a description of a hash function \(H_{\mathsf {NIZK}}\), which is modeled in the proof as a random oracle. A party \(P_j\) rejects a public key and proof pair \((u_i, \mathfrak {p}_i)\) if \(\mathsf {Verify}(\sigma , S_i, \mathfrak {p}_i) \ne 1\). As a result, we can argue that the \(x_i\) for \(i \in I\) are independent of \(\{x_j\}_{j \in [n] \setminus I}\) with all but negligible probability. The main modification to the proof of Theorem 1 involves the simulation of the NIZK proofs for the honest parties, since we need to embed DDH challenges and thus do not know the exponents. Before embedding the DDH challenges, we have a series of \(h = n - t\) hybrids, where in the \(k\)-th such hybrid, we invoke the zero-knowledge property of the NIZK argument system to simulate (which will involve programming the oracle \(H_{\mathsf {NIZK}}\)) the proof string \(\mathfrak {p}_k\) for honest party \(P_k\) with a computationally indistinguishable proof string \(\mathfrak {p}^\prime _k\). The remainder of the proof proceeds in the same manner as the proof of Theorem 1.
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Patsakis, C., Clear, M., Laird, P. (2015). Private Aggregation with Custom Collusion Tolerance. In: Lin, D., Yung, M., Zhou, J. (eds) Information Security and Cryptology. Inscrypt 2014. Lecture Notes in Computer Science(), vol 8957. Springer, Cham. https://doi.org/10.1007/978-3-319-16745-9_5
Download citation
DOI: https://doi.org/10.1007/978-3-319-16745-9_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-16744-2
Online ISBN: 978-3-319-16745-9
eBook Packages: Computer ScienceComputer Science (R0)