Secure Multi-Party Computation of Graphs’ Intersection and Union under the Malicious Model

Abstract

In recent years, with the development of information security, secure multi-party computation has gradually become a research hotspot in the field of privacy protection. The intersection and union computation of graphs is an important branch of secure computing geometry. At present, the intersection and union of graphs are almost designed under the semi-honest model, and few solutions are proposed under the malicious model. However, the solution under the malicious model is more secure and has important theoretical and practical significance. In this paper, the possible malicious behaviors of computing the intersection and union of graphs are analyzed. Using the Lifted-ElGamal threshold cryptosystem and zero-knowledge proof method, the secure multi-party computation algorithm of graphs’ intersection and union under the malicious model is designed. The real/ideal model paradigm is used to prove the security of the algorithm, the efficiency of the algorithm is analyzed in detail, and the feasibility is verified through experiment.

1. Introduction

In recent years, the rapid development of the Internet has brought great convenience to our life. At the same time, privacy protection has become more and more important. Secure multi-party computation (MPC) is proposed to solve privacy computing problems.

In 1982, Yao [1] put forward the millionaire problem which pioneered the MPC field. Turing Award winner Goldwasser [2] predicted that MPC would become an integral part of computer science. Cramer [3] also predicted that MPC would become a new and powerful tool for privacy protection. Cryptologists have studied the MPC algorithms in various fields including secure scientific computing solutions [1,4,5,6], secure data mining [7,8], secure statistical analysis [9,10,11], secure computational geometry [12,13,14,15,16], and secure computing set [17,18,19,20]. These studies promoted the development of MPC.

The problem of secure graph computing is an important topic in secure computing geometry. The intersection and union of graphs are basic problems in secure graph computing, representing a secure and auto-configurable environment for mobile agents in ubiquitous computing scenarios, widely used in the medical, military, and other fields. For example, when studying family medical history in the medical field, we can use security map computing to solve the problem. We can use genes related to family medical history as graph nodes, and use edges to represent the relationship between characters to study related family medical history. This approach can protect patient information and achieve the purpose of privacy computing.

Akavia [21] used homomorphic encryption to solve the problem of generating graphs on the basis of participant edge information. This method can generate graphs under the premise of ensuring privacy, but the computational complexity is high.

Frikken [22] converted network information into a graph problem. All participants have relevant information and then generate relevant graphs. However, the calculation cost of this method is too high; furthermore, it involves an ideal third party and is not suitable for practical applications.

Zhou [23] used homomorphic encryption to store graphs in matrix mode, and then converted them into polynomials to calculate intersections. This scheme uses Paillier encryption for encryption and decryption during operation, which leads to high computational complexity, and the scheme cannot resist malicious attacks.

Wei [24] solved the problem of graph intersection and union calculation of the semi-honest model. First, he designed a new coding rule, then designed a scheme to solve graph intersection and union, and finally analyzed the correctness and security of the scheme. However, the algorithm was designed under the semi-honest model, which cannot resist malicious attacks.

According to the possible malicious attacks of the semi-honest model algorithm [25], the malicious model MPC algorithms of graphs’ intersection and union are designed in this study. The contributions are as follows:

(1)

In this paper, the intersection and union MPC algorithms under the semi-honest model are studied, and then the possible malicious attacks in the algorithms are analyzed.

(2)

According to the malicious attacks, based on the zero-knowledge proof method [26] and Lifted-ElGamal threshold cryptosystem [27], the MPC algorithms of graphs’ intersection and union under the malicious model are proposed.

(3)

Through the efficiency analysis, the algorithm remains efficient, and the real/ideal model paradigm [26] is used to prove the security of the algorithm under the malicious model.

2. Preliminary Knowledge

2.1. MPC Security Definition

Semi-honest model: The algorithm under the semi-honest model [25] refers to the situation where participants faithfully execute the algorithm according to the algorithm rules, but they may record the intermediate results of calculation and try to derive other participants’ information.

Malicious model: Under the malicious model [25], the participants of the algorithm may be malicious participants, and they cannot obey the rules of the algorithm. An MPC algorithm under the malicious model forces participants to execute the algorithm like those under the semi-honest model.

The definition of security under the malicious model: The definition of security under the malicious model involves the comparison between the real model and the ideal model. The security under the malicious model is described below [26].

Let a participant $P_i$ have secure data $x_i$, and let $X=x_1,\dots ,x_n$; a trusted third party (TTP) is needed to compute the function $f(X)=(f_1(X),\dots ,f_n(X))$. Let the malicious participant set be $I=\{i_1,\dots ,i_t\}\subseteq \left[n\right]=\{1,\dots ,n\}$; then, $\overline{I}$ is a collection of honest participants. The malicious participant’s data and calculation function can be represented as follows: let $X=x_1,\dots ,x_n$; then $X_I=(x_{i_1},\dots ,x_{i_t})$, $f(X)=(f_1(X),\dots ,f_n(X))$, and $f_I(X)=(f_{i1}(X),\dots ,f_{it}(X))$.

$F{({\{0,1\}}^{*})}^n\to {({\{0,1\}}^{*})}^n$ is a probability polynomial time function of $n$ element, $\mathrm{\Pi }$ is a algorithm for calculating $F$, $A$ is a polynomial time algorithm of the attacker’s strategy in the real model algorithm, with $(I,A)$ representing the attacker, and $B$ is a probability polynomial time algorithm in the ideal model algorithm, with $(I,B)$ representing the attacker.

In the ideal model, under the control of $(I,B)$, let the attacker select the random number $r$; the auxiliary information is recorded as $z$, and the joint execution process of $f(X)$ is recorded as $IDEA{L}_{F,I,B(Z)}(X)=\gamma (X,I,z,r)$, where $\gamma (X,I,z,r)$ is defined below.

If $P_1$ is an honest participant, then $\gamma (X,I,z,r)=(f_{\overline{I}}(X),B(X_I,I,z,r,f_I(X)))$, where $X=(x_1,\dots ,x_n^{\prime })$ and $i\in I$. Thus, $x_i=B{(X_I,I,z,r)}_i$; otherwise, $x_i=x_i$.

Suppose $P_1$ is a malicious participant. If $B(X_I,I,z,r,f_I(X))=\perp$, then

$$\gamma (X,I,z,r)=({\perp }^{\left|\overline{I}\right|},B(X_I,I,z,r,f_I(X)),\perp ).$$

(1)

Otherwise,

$$\gamma (X,I,z,r)=(f_{\overline{I}}(X),B(X_I,I,z,r,f_I(X)),\perp ).$$

(2)

In the real model, under the control of $(I,A)$, the joint execution process of algorithm $\mathrm{\Pi }$ is recorded as $REA{L}_{\mathrm{\Pi },I,A(z)}(X)$, defined as the output sequence generated by the interaction between $n$ participants. The messages of participants in $I$ are determined by $A(X_I,I,z)$, and the messages of participants in $\overline{I}$ are completely determined by $\mathrm{\Pi }$. That is, the messages of malicious participants are determined by $A$ according to the initial input, auxiliary input $z$ and all messages sent by all participants, including honest participants.

Definition 1.

Security under the malicious model.

For any probabilistic polynomial time algorithm $A$ in the real model algorithm, an acceptable probabilistic polynomial time algorithm $B$ can be found in the ideal model algorithm.

Accordingly, for any $I\subseteq \left[n\right]$, there is $IDEA{L}_{F,I,B(Z)}{(X)}_{X,z}\stackrel{c}{\equiv }REA{L}_{\mathrm{\Pi },I,A(z)}{(X)}_{X,z}$, i.e., the algorithm $\mathrm{\Pi }$ can compute $f$ securely.

Note 1: The security definition under the malicious model requires at least one honest participant to ensure the normal operation of the algorithm. If all participants are malicious, it is impossible to design an MPC algorithm [26].

2.2. Lifted-ElGamal Cryptosystem

The Lifted-ElGamal cryptosystem [27] is a modification based on the ElGamal public key encryption algorithm [28]. The multiplicative homomorphism of the ElGamal encryption algorithm is modified to obtain the additive homomorphism. The specific algorithm is described below.

Key generation: Given the secure parameter $k$, the algorithm generates a large prime $p$ of $k$ bits and a generator $g$ in $Z_P^{*}$; participants choose the random number $x$ as their private key, and the corresponding public key is $h=g^x\mathrm{mod}p$.

Encryption: The random number $r$ is selected for the encrypted message $M(M\in Z_P^{*})$; the ciphertext is $E(M)=(c_1,c_2)=(g^r\mathrm{mod}p,g^M{h}^r\mathrm{mod}p)$.

Decryption: For ciphertext $E(M)=(c_1,c_2)$, the decryption process is $g^M=c_2\cdot c_1^{-x}\mathrm{mod}p$.

Additive homomorphism:

$$\begin{array}{c}E(M_1)\times E(M_1)=(g^{r_1}\mathrm{mod}p,g^{M_1}{h}^{r_1}\mathrm{mod}p)\times (g^{r_2}\mathrm{mod}p,g^{M_2}{h}^{r_2}\mathrm{mod}p)\hfill \\ =(g^{r_1+r_2}\mathrm{mod}p,g^{M_1+M_2}{h}^{r_1+r_2}\mathrm{mod}p)\hfill \\ =E(M_1+M_2).\hfill \end{array}$$

(3)

2.3. Lifted-ElGamal Threshold Cryptosystem

The threshold cryptosystem [29] has a public key jointly generated by $n$ participants, and the decryption key is jointly held by all participants, which can be used to solve the problem of collusion attack. Assuming that at least $t$ participants cooperate in decryption, the cryptosystem is called $(t,n)$ threshold cryptosystem, which can resist the collusion attack of $t-1$ participants. In this paper, the cryptosystem resists the collusion attack of $n-1$ participants; that is, an $(n,n)$ threshold cryptosystem is constructed, as described below.

Generation of public key: Given the security parameter $k$, the key generation algorithm generates a large prime $p$ of $k$ bits and a generator $g$ in $Z_p^{*}$. Each participant $P_i$ randomly selects a $p{k}_i$ as their own private key and publishes $h_i=g^{p{k}_i}\mathrm{mod}p$. All participants jointly generate the public key $h=g^{{\displaystyle {\sum }_{i=1}^{n}p{k}_i}}\mathrm{mod}p$ of the Lifted-ElGamal threshold cryptosystem.

The specific encryption algorithm is the same as the above Lifted-ElGamal cryptosystem (Section 2.2). During decryption, each participant needs to compute and publish $c_1^{p{k}_i}$, and then jointly decrypt $g^M=\frac{c_2}{{\displaystyle {\prod }_{i=1}^n{c}_1^{p{k}_i}}}\mathrm{mod}p$.

2.4. Ciphertext Re-Randomization

In the probabilistic encryption system, a ciphertext can be changed into another different ciphertext of the same plaintext by the homomorphic encryption. This operation is the ciphertext re-randomization [30]. The Lifted-ElGamal cryptosystem has additive homomorphism; $E(M)\times E(0)=E(M+0)=E(M)\prime$ can be used for re-randomization, where $E(M)$ and $E(M)\prime$ are computationally indistinguishable.

2.5. Discrete Logarithms Equality

In [31], the method of proving the equal discrete logarithm was used to verify whether the decrypted data provided by the participant are correct under the malicious model.

Let $G$ be a cyclic group whose order is $m$ which is unknown; $g$ is its generator, $h$ is an element in $G$, and Alice knows $\alpha =g^x$, $\beta =h^x$. Alice wants to prove ${\log }_g\alpha ={\log }_h\beta$ to Bob without publishing $x$. The proof process is described below.

Bob selects a random number $r$ in $G$ and computes $X=g^r$, $Y=h^r$, $e=H(g,h,\alpha ,\beta ,X,Y)$, where $H$ is a hash function. Bob sends $r$ to Alice. Alice computes $y=r+e\times x$, $g^y$, and $h^y$, and sends $g^y$, $h^y$ to Bob. Bob can verify whether $g^y$, $h^y$ meets $H(g,h,\alpha ,\beta ,g^y/{\alpha }^e,h^y/{\beta }^e)=e$.

Correctness:

$$g^y/{\alpha }^e=g^{r+ex}/{\alpha }^e=g^r{(g^x)}^e/{\alpha }^e=g^r{\alpha }^e/{\alpha }^e=X{\alpha }^e/{\alpha }^e=X, h^y/{\beta }^e=h^{r+ex}/{\beta }^e=h^r{(h^x)}^e/{\beta }^e=h^r{\beta }^e/{\beta }^e=Y{\beta }^e/{\beta }^e=Y.$$

(4)

If $H(g,h,\alpha ,\beta ,g^y/{\alpha }^e,h^y/{\beta }^e)=e$, then it is judged that $x$ is equal without publishing $x$.

2.6. 0–1 Coding Rule

Suppose that an undirected complete graph $G_0=(V,W)$ is composed of $m$ vertex sets $V$ and edge sets $W$ (an undirected complete graph means that any two vertices have edges, i.e., there are $m(m-1)/2$ edges in total), where $V=\{v_1,\dots ,v_m\}$. The vertex and edge information of the graph are stored in a matrix $M_i$. When there is vertex $v_i$ in the graph, the value of matrix element $m_{ii}$ is 1; otherwise, it is 0. If there is an edge between vertices $v_i$ and $v_j$, the matrix $m_{ij}$ is 1; otherwise, it is 0. Since the matrix generated by an undirected graph is symmetrical about the diagonal, participants only need to take the diagonal of the matrix and its following elements to form a vector $X_i$, which can represent a unique graph.

Example

Set a vertex set $V=\{v_1,v_2,v_3,v_4,v_5\}$, as shown in Figure 1.

Then, the matrix according to the 0–1 coding rule $G_1$ can be expressed as $M_1$. The triangle area in Figure 1, that is, the diagonal of the matrix and its following triangular elements can be used to form a vector $X_1=\left(1,0,0,1,0,1,1,0,1,1,0,0,1,1,1\right)$.

3. The MPC Algorithm of Graphs’ Intersection and Union under the Semi-Honest Model

The algorithm under the semi-honest model is the basis of designing the malicious model algorithm. Therefore, in this paper, the possible malicious behavior of the algorithm under the semi-honest model is analyzed, and then the algorithm under the malicious model is designed. Wei [24] proposed new coding rule, in which, combined with the secure substitution and homomorphic encryption method, an MPC algorithm for the graphs’ intersection and union was designed. In this algorithm, the efficiency of Wei [24] was improved compared with that of Zhou [23].

Problem Description: Participant $P_i$ first generates the storage matrix $M_i$ of the graph according to the 0–1 coding rule, and then takes the diagonal of matrix $M_i$ and its following elements to form the vector $X_i$. They want to compute the intersection of $n$ graphs securely without publishing their respective information.

Calculation rules: Each participant uses the Lifted-ElGamal threshold cryptosystem. $P_1$ sends their own data to $P_2$; then, $P_2$ overwrites the element with 0 in their own data on $P_1$, and $P_2$ encrypts the data and sends them to $P_3$. $P_3$ performs the same operation, until $P_n$ completes encryption. After joint decryption, the diagonal and lower triangular elements of the matrix are restored, and its symmetry is used to restore the original matrix to obtain the intersection of the graph.

The set union calculation algorithm only needs to change the value 0 in steps (3) and (4) into 1 to compute the union of sets. Therefore, the graphs’ union MPC algorithm under the semi-honest model is not repeated.

Correctness of Algorithm 1: The correctness of Algorithm 1 can be guaranteed by the coding rule. For the intersection of each graph, the graph is first re-encoded with coding rule. During the execution, $P_1$ sends the encrypted vector to $P_2$, and $P_2$ overwrites the element with 0 in their vector in the received vector, modifies it to 0, then re-randomizes it, and so on. In order to ensure that the final result only contains all elements with the value 1, only re-randomization is carried out in the process of algorithm execution. However, the Lifted-ElGamal threshold cryptosystem has additive homomorphism and can be re-randomized; thus, the intersection of all graphs can be jointly decrypted.

Algorithm 1.Graphs’ intersection MPC algorithm under the semi-honest model.

Input: Participants $P_1,P_2,\dots ,P_n$ respectively own graphs $G_1,G_2,\dots ,G_n$. Output: Intersection of $G=G_1\cap G_2\cap \dots \cap G_n$. Start: (1) All participants jointly select a large prime $p$ and a generator $g$; each participant $P_i$ selects $p{k}_i$ as their private key and publishes $h_i=g^{p{k}_i}\mathrm{mod}p$; all participants jointly generate the public key of the Lifted-ElGamal threshold cryptosystem $h=g^{{\sum }_{i=1}^{n}p{k}_i}\mathrm{mod}p$. (2) $P_1$ converts graph $G_1$ into storage matrix $M_1$ according to 0–1 coding rule, and takes $M_1$ diagonal and lower triangular elements to form vector $X_1=(x_{11},x_{12},\dots ,x_{1t})$. After encryption, it is marked as $E\left(X_1\right)=\left(E\left(x_{11}\right), E\left(x_{12}\right), \dots E\left(x_{1t}\right)\right)$, and sent to $P_2$. (3) Participant $P_i(i=2,3,\dots n)$ overwrites the element in $E(X_i)$ with the value is 0 in $E(X_{i-1})$. Then, the unmodified element is re-randomized and assigned to $E(X_i)\prime$, before being sent to $P_{i+1}$. (4) Participant $P_n$ overwrites the element in $E(X_{n-1})\prime$ with the value of 0 in $E(X_n)$. The unmodified element is re-randomized and assigned to $E(X_n)\prime$ and then published. (5) All participants jointly decrypt $Y=D(c)$, restore the storage matrix $M$ of the intersection of graphs according to $Y$, and restore $M$ to the intersection matrix of $n$ graphs according to the 0–1 coding rule. The algorithm ends.

4. The MPC Algorithm of Graphs’ Intersection and Union under the Malicious Model

4.1. Ideas and Solution

When designing the MPC algorithm of graphs’ intersection under the malicious model, the possible malicious behaviors in Algorithm 1 are analyzed, and corresponding preventive measures are proposed for these behaviors, such that the attacks of the malicious party cannot be implemented or the malicious behaviors are found, so as to force them to participate in the algorithm in an honest way.

First of all, it should be made clear that some malicious attacks cannot be prevented in the ideal model algorithm, nor can they be stopped under the malicious model [25]. There are mainly three kinds of malicious behaviors: (1) refusing to participate in the algorithm; (2) providing false input or replacing one’s own input; (3) terminating the algorithm.

The following malicious attacks may occur in Algorithm 1:

(1)

In step (3), $P_i\left(i=1,2,\dots ,n\right)$ retains the correct result and sends $P_{i+1}$ the wrong result.

(2)

In step (4), $P_n$ publishes an incorrect result.

(3)

When all participants jointly decrypt, the participant provides wrong decryption information, which leads to a decryption error.

In order to solve the above malicious attacks, one solution is to encrypt the graph vectors of all participants and make them public, whereby all participants compute the intersection of graphs to prevent malicious attacks in steps (1) and (2). Finally, the zero-knowledge proof is used to prevent malicious attack in step (3). This is used to design the MPC algorithm of graphs’ intersection under the malicious model.

4.2. Correctness Analysis

(1)

Steps (1) and (2) of Algorithm 2 are mainly to re-encode the elements in the graph according to the coding rule, before encrypting and publishing them after coding. Because each participant is encrypted after coding, the participants’ data cannot decrypt the data of other participants; therefore, the algorithm is correct.

(2)

In step (3), all participants compute the product of each column, and each participant computes the product of all column elements to avoid unfairness.

(3)

In step (4), the participant judges whether the decrypted data provided by the other participant is correct through the zero-knowledge proof. Here, the method of proving the equality of discrete logarithms is used to prove ${\log }_g{h}_i={\log }_{c_{k1}}{y}_i$. If they are all correct, the algorithm continues to be executed, and the intersection can be restored according to the results.

(4)

Step (5) uses the additive homomorphism of the Lifted-ElGamal threshold cryptosystem, i.e., $E\left(M_1\right)\times E\left(M_2\right)=E\left(M_1+M_2\right)$, to decrypt, and the intersection elements are judged according to the decrypted value.

(5)

Example: suppose vertex set $V=\{v_1,v_2,v_3,v_4,v_5\}$, $p=1117$; participants $P_1,P_2,P_3,P_4$ respectively have $G_1,G_2,G_3,G_4$ as shown in Figure 2 to compute the intersection of the graph.

Algorithm 2. The MPC algorithm of graphs’ intersection under the malicious model.

Input: Participant $P_1,P_2,\dots ,P_n$ respectively own graphs $G_1,G_2,\dots ,G_n$. Output: Intersection of $G=G_1\cap G_2\cap \dots \cap G_n$. Preparation stage: The plaintext space of the Lifted-ElGamal threshold cryptosystem is $Z_p$; $(Z_p,+)$ is used to form an addition group. There is no difference between positive and negative in this group; however, if $x+y=0\mathrm{mod}p$ and $x\in (0,p/2)$, there must be $y>p/2$. In this case, $y$ is the addition inverse of $x$. When encoding $M_1$, the vertices and edges existing in the additive inverse of $p-(n-1)$ are set. All participants jointly select a large prime $p$ and a generator $g$, and each participant $P_i$ selects $p{k}_i$ as their private key and publishes $h_i=g^{p{k}_i}\mathrm{mod}p$; all participants jointly generate the public key of the Lifted-ElGamal threshold cryptosystem with additive homomorphism $h=g^{{\displaystyle {\sum }_{i=1}^{n}p{k}_i}}\mathrm{mod}p$. Start: (1) $P_1$ sets the existing vertices and edges as the additive inverse of $p-(n-1)$, and the nonexistent vertices and edges as the random number $r$. $P_2,\dots ,P_n$ re-encode according to the 0–1 coding rule, and take the diagonal and lower triangular elements to form the vector $X_i=(x_{i1},x_{i2},\dots ,x_{it})$. (2) Vector $X_i$ of participant $P_i$ is encrypted and recorded as $E(X_i)=(E(x_{i1}),E(x_{i2}),\dots ,E(x_{it}))$, and $E(X_i)$ is made public. (3) All participants compute the component product of each column separately. Let $c=(c_1,c_2,\dots ,c_t)=({\displaystyle {\prod }_{i=1}^{n}E(x_{i1}),}{\displaystyle {\prod }_{i=1}^{n}E(x_{i2}),}\dots ,{\displaystyle {\prod }_{i=1}^{n}E(x_{it})})$. (4) All participants jointly decrypt; assuming decryption of $c_k=(c_{k1},c_{k2})$, participant $P_i$ first computes and publishes $y_i=c_{k1}^{p{k}_i}\mathrm{mod}p$, and then uses the zero-knowledge proof to prove to other participants that the decrypted data provided by themselves are correct, i.e., ${\log }_g{h}_i={\log }_{ck1}{y}_i$. If the verification fails, this indicates that there is deception, and the algorithm is terminated. If the verification is passed, decryption continues. (5) All participants decrypt and get $g^{M_k}=\frac{c_{k2}}{{\displaystyle {\prod }_{i=1}^n{y}_i\mathrm{mod}p}}$. If $g^{M_k}$ = 1, it exists in the intersection; if $g^{M_k}\ne 1$, it does not exist. According to the decrypted data and 0–1 coding rule, the intersection of the graph is restored. The algorithm ends.

According to the 0–1 coding rule, the matrix of graph $G_1,G_2,G_3,G_4$ can be expressed as shown in Figure 3.

The triangle area in Figure 3, that is, the diagonal of the matrix and the following elements can be taken to form a vector:

$$\begin{array}{c}{X}_1=\left(-3,-3,-3,-3,12,-3,11,1,2,3,2,1,2,3,3\right),X_2=\left(1,0,0,1,0,1,1,0,0,1,0,0,0,1,1\right),\hfill \\ X_3=\left(1,1,1,1,0,1,0,0,0,0,1,0,0,0,1\right),X_4=\left(1,0,1,1,1,1,1,1,0,1,0,0,1,1,1\right).\hfill \end{array}$$

After the elements are encrypted and published, the product of each column is computed. In the operation process, the third element of $X_1$ is used as $p-3$, i.e., 1117 − 3 = 1114. Since the algorithm uses the Lifted-ElGamal threshold cryptosystem with additive homomorphism, it has the characteristics of $E(M_1)\times E(M_2)=E(M_1+M_2)$.

It can be obtained that $c=(c_1,c_2,\dots ,c_t)=\left(0,-2,-1,0,13,0,13,2,2,5,3,1,3,5,6\right)$.

According to the algorithm, if $g^{M_k}=1$, it exists in the intersection set; if $g^{M_k}\ne 1$, it does not exist. Therefore, the intersection set is $X=\left(1,0,0,1,0,1,0,0,0,0,0,0,0,0,0\right)$. After completing $x$ according to the 0–1 coding rule, Restore $X$ to the triangle area in the Figure 4, and the original matrix is restored as $M$. According to the coding rule, the graphs’ intersection can be obtained as shown in Figure 4.

4.3. Security Proof

The proof of the algorithm’s security under the malicious model was defined in [26], which is the real/ideal model paradigm.

Theorem 1.

Algorithm 2 is secure under the malicious model.

Because the status of each participant in the algorithm is equal, the participants can be divided into honest participants and malicious participants; only the largest set of collusive attackers needs to be considered. If the algorithm is secure for the set of maximum collusive attackers, the set of collusive attackers composed of any subset of the set of maximum collusive attackers is secure.

The maximum collusive attacks are composed of any $n-1$ participants, set as $I=\{P_2,P_3,\dots ,P_n\}$.

It needs to be proven that, for any probabilistic polynomial time algorithm strategy $A$ adopted by the attacker who controls all participants in $I$ in the real model algorithm, there is a probabilistic polynomial time algorithm strategy $B$ in the ideal model algorithm, such that $\left\{IDEA{L}_{f,I,B(z)}{(X)}_{X,z}\right\}\stackrel{c}{\equiv }\left\{REA{L}_{\prod ,I,A(z)}{(X)}_{X,z}\right\}$.

In the real model algorithm, the ciphertext $X_1$ disclosed in step (2) is encrypted by the threshold encryption algorithm. During decryption, all participants need to decrypt together; thus, this step is secure and does not disclose any information.

When executing the real model algorithm, $I$ is taken as a whole, and the input of the algorithm is $X=(x_1,A(x_2,\dots ,x_n))$. When decrypting in step (4), if there is a participant $P_i(i\in I)$ who cannot prove that their decrypted data are correct, the algorithm is terminated. At this point, $P_1$ cannot get $f(x)$, but a malicious participant may get the correct $f(x)$. At this time, the attacker can determine the output result according to their own strategy. That is, the attacker outputs $A(X_I,I,r,z,C,y_i,v_i,f(X))$; thus, $\left\{IDEA{L}_{f,I,B(z)}{(X)}_{X,z}\right\}=\{A(X_I,I,r,z,C,y_i,v_i,f(X)),\perp \}$.

If the algorithm is not terminated, $P_1$ receives $f(x)$, and $\left\{IDEA{L}_{f,I,B(z)}{(X)}_{X,z}\right\}=\{A(X_I,I,r,z,C,y_i,v_i,f(X)),f(X)\}$, where $r$ represents the random number selected by the attacker, $z$ represents auxiliary information, $c$ is the result obtained by calculating the product in step (3), $y_i$ is the decryption information provided by participant $P_i$, and $v_i$ is the information to verify whether $y_i$ is correct according to the zero-knowledge proof.

In the ideal model algorithm, $P_1$ sends their data $x_1$ to TTP, whereas $B$ sends malicious participant data $X_I$ to $A$, gets $A(X_I)$, and sends it to TTP. TTP computes $f(X)$ according to the obtained $X=(X_1,A(X_I))$ and sends the result to $B$. $B$ randomly selects $x_1^{\prime }$ to make $f(x_1^{\prime },A(X_I))=f(x_1,A(X_I))$. $B$ executes the algorithm and provides $I$ with the ciphertext vector $C_1^{\prime }$ of $x_1$ and $y_i^{\prime }$; $v_i^{\prime }$ is required for zero-knowledge proof.

When executing the algorithm, if the algorithm is terminated, TTP does not send $P_1$ the calculation result, whereby $P_1$ can only get $\perp$; otherwise, it sends the calculation result.

Whether TTP sends the correct result to $P_1$ or not, $B$ uses $(X_I,I,r,z,C_1^{\prime },y_i^{\prime },v_i^{\prime },f(X))$ to invoke $A$, i.e., output $A(X_I,I,r,z,C_1^{\prime },y_i^{\prime },v_i^{\prime },f(X))$. Therefore, if the real model algorithm is terminated, the output is $\left\{IDEA{L}_{f,I,B(z)}{(X)}_{X,z}\right\}=\{(X_I,I,r,z,C_1^{\prime },y_i^{\prime },v_i^{\prime },f(X)),\perp \}$. Otherwise, the output is $\left\{IDEA{L}_{f,I,B(z)}{(X)}_{X,z}\right\}=\{(X_I,I,r,z,C_1^{\prime },y_i^{\prime },v_i^{\prime },f(X)),f(X)\}$.

Comparing the real model algorithm with the ideal model algorithm, it can be found that the output of $P_1$ is the same. Because $C_1$,$C_1^{\prime }$ is the ciphertext encrypted by the probabilistic encryption algorithm, $C_1\stackrel{c}{\equiv }{C}_1^{\prime }$. $y_i$ and $y_i^{\prime }$ are the same form; thus, $y_i\stackrel{c}{\equiv }{y}_i^{\prime }$. $v_i$ and $v_i^{\prime }$ can be guaranteed by the zero-knowledge proof; thus, $v_i\stackrel{c}{\equiv }{v}_i^{\prime }$. Therefore, $A(X_I,I,r,z,C_1,y_i,v_i,f(X))\stackrel{c}{\equiv }$$A(X_I,I,r,z,C_1^{\prime },y_i^{\prime },v_i^{\prime },f(X))$, i.e., $\left\{IDEA{L}_{f,I,B(z)}{(X)}_{X,z}\right\}\stackrel{c}{\equiv }\left\{REA{L}_{\prod ,I,A(z)}{(X)}_{X,z}\right\}$.

Therefore, the ideal model algorithm and the real model algorithm are computationally indistinguishable, i.e., the algorithm is secure under the malicious model.

4.4. The MPC Algorithm of Graphs’ Union under the Malicious Model

The difference between the intersection algorithm and the union algorithm of graphics is, firstly, the different encoding methods and, secondly, the different determination results after decryption. In addition, the algorithm steps and encryption and decryption methods are the same; hence, correctness analysis and security proof of Algorithm 3 are omitted.

Algorithm 3.The MPC algorithm of graphs’ union under the malicious model.

Input: Participants $P_1,P_2,\dots ,P_n$ respectively own graphs $G_1,G_2,\dots ,G_n$. Output: Union of $G=G_1\cup G_2\cup \dots \cup G_n$. Preparation stage: All participants jointly select a large prime $p$ and a generator $g$, and each participant $P_i$ selects a $p{k}_i$ as their private key and publishes $h_i=g^{p{k}_i}\mathrm{mod}p$; all participants jointly generate the public key of the Lifted-ElGamal threshold cryptosystem with additive homomorphism $h=g^{{\displaystyle {\sum }_{i=1}^{n}p{k}_i}}\mathrm{mod}p$. Start: (1) $G_1,G_2,\dots ,G_n$ is encoded according to the 0–1 coding rule, and the diagonal and lower triangular elements are taken to form the vector $X_i=(x_{i1},x_{i2},\dots ,x_{it})$. (2) Participant $P_i{}^{\prime }s$ vector $X_i$ is encrypted and recorded as $E(X_i)=(E(x_{i1}),E(x_{i2}),\dots ,E(x_{it}))$, and $E(X_i)$ is made public. (3) All participants compute the component product of each column separately. Let $c=(c_1,c_2,\dots ,c_t)=({\displaystyle {\prod }_{i=1}^{n}E(x_{i1}),}{\displaystyle {\prod }_{i=1}^{n}E(x_{i2}),}\dots ,{\displaystyle {\prod }_{i=1}^{n}E(x_{it})})$. (4) All participants jointly decrypt; assuming decryption of $c_k=(c_{k1},c_{k2})$, participant $P_i$ first computes and publishes $y_i=c_{k1}^{p{k}_i}\mathrm{mod}p$, and then use the zero-knowledge proof to prove to other participants that the decrypted data provided by themselves are correct, i.e., ${\log }_g{h}_i={\log }_{ck1}{y}_i$. If the verification fails, it indicates that there is deception, and the algorithm is terminated. If the verification is passed, decryption continues. (5) All participants decrypt and get $g^{M_k}=\frac{c_{k2}}{{\displaystyle {\prod }_{i=1}^n{y}_i\mathrm{mod}p}}$. If $g^{M_k}\ne$ 1, it exists in the intersection; if $g^{M_k}=1$, it does not exist. According to the decrypted data and coding rule, the intersection of the graph is restored. The algorithm ends.

5. Efficiency Analysis

5.1. Computational Complexity and Communication Complexity

In this paper, the MPC algorithm of graphs’ intersection and union under the malicious model was proposed. Since the graphs’ intersection and union MPC algorithm under the malicious model has not been seen yet, it cannot be compared with the existing algorithms under the malicious model. Therefore, the graphs’ intersection algorithm under the semi-honest model is selected for comparison with Algorithm 2. Since the application scenarios in [21,22] are different from this paper, the results in [23,24] are compared with Algorithm 2′s efficiency.

Computational complexity analysis.

The computational complexity of the algorithm is measured by modular exponential operation. Zhou [23] first used the Paillier encryption algorithm to express the set as a polynomial to compute the intersection. At this time, $m^2+7m+2$ modular exponential operations are required. The encryption process requires $2m^2$ modular exponential operations, homomorphic operation of matrix requires $m^2$ modular exponential operations, and decryption requires $2m^2$ modular exponential operations. That is, $6m^2+7m+2$ modular exponential operations are required to compute the intersection, and ${(6m^2+7m+2)}^{n-1}$ modular exponential operations are required for n party to compute the intersection.

Wei [24] used the Lifted-ElGamal threshold cryptosystem, which requires a total of $n$ modular exponential operations. In the encryption process, $n$ participants need a total of $3nt$ modular exponential operations. The joint decryption process requires at most $nt$ modular exponentiation. Therefore, in the case of $n$ participants, Wei [24] needs $n(4t+1)$ modular exponential operations, i.e., $2m^{2}n+2mn+n$ modular exponential operations.

In Algorithm 2, all participants jointly generate the public key $h=g^{{\sum }_{i=1}^{n}p{k}_i}\mathrm{mod}p$; a total of $n$ modular exponential operations are required. In the encryption process, encrypting a plaintext requires three modulo exponential operations. There are $n$ participants in Algorithm 2, and each person has $t$ vectors, i.e., $3nt$ modulo exponential operations are required for encryption. In the decryption process, decrypting a ciphertext requires $nt$ modular exponential operations. The method of proving the equality of discrete logarithms is used in the zero-knowledge proof. Every time the decrypted data are verified, there are four modular exponential operations, a total of $n$ participants, a total of $t$ decrypted vectors to be verified, and a total of $4nt$ modular exponential operations. Therefore, this algorithm requires a total of $n+3nt+nt+4nt=n(8t+1)$ modular exponential operations, i.e., $4m^{2}n+4nm+n$ modular exponential operations.

Communication complexity analysis.

In [23], when the set is expressed as a polynomial, it needs two rounds. When it is sent to the client to find the intersection, it needs one round. When it is sent to the server after homomorphic operation, it needs one round. That is, the two parties need four rounds. If the intersection of $n$ parties is multiple two parties, a total of $4^{(n-1)}$ rounds of communication are required.

In [24], when $n$ participants first construct a threshold, $n-1$ rounds are needed. In the encryption and replacement process, $n-1$ rounds are needed. The decryption process needs $n-1$ rounds. Therefore, a total of $3(n-1)$ rounds are needed.

In Algorithm 2, when $n$ participants to construct a threshold, $n-1$ rounds are needed. In the encryption process, $n-1$ rounds are needed. In the decryption process, $(t+1)(n-1)$ rounds are needed. Therefore, a total of $(3+t)(n-1)$ communication rounds are needed, as shown in

Table 1. Overall performance comparison.

Algorithm	Computational Complexity	Communication Rounds	Resist Malicious Attacks
Zhou [23]	${(6m^2+7m+2)}^{n-1}$	$4^{n-1}$	No
Wei [24]	$2m^{2}n+2mn+n$	$3(n-1)$	No
Algorithm 2	$4m^{2}n+4nm+n$	$(3+t)(n-1)$	Yes

$t:\frac{m(m+1)}{2}$; $n:$ the number of participants; $m:$ the number of vertices.

.

As can be seen from the Table 1, compared with Zhou [23], Algorithm 2 is applicable to $n$ participants, and the research scope is wider compared with Wei [24]. Algorithm 2 not only has high efficiency, but can also resist the attacks of malicious participants.

5.2. Experimental Simulation

In order to prove the efficiency of Algorithm 2, it was verified by experiment simulation. The experimental environment was as follows: Intel (R) core (TM) i5-8400 CPU, 8 GB memory, Windows 10 64 bit operating system, and Pychar + Python programming enviroment. The prime numbers $p$ and $q$ in [23] were set to 256 bits, and the parameter $p$ of [24] and the Lifted-ElGamal cryptosystem were set to 512 bits. Under the malicious model, we outsourced the modular multiplication required for the cut-and-choose step of Algorithm 2 to improve efficiency.

The algorithms from [23,24] and Algorithm 2 in this paper were simulated in practice. Multiple experiments were carried out for each algorithm, and the experimental results were randomly selected 50 times to obtain the average value. The running time of the algorithms is shown in Figure 5.

It can be seen from the experimental results that the running efficiency of the algorithm in [23] was lower than that of Algorithm 2. Compared with [24], this paper used the threshold encryption and zero-knowledge proof to prove the correctness of decrypted data during decryption, which can resist malicious attacks.

Note 2: Under the malicious model algorithm, the zero-knowledge proof is usually used to force malicious participants to act like semi-honest participants. Through the zero-knowledge proof, the computational complexity is greatly increased and the execution efficiency is significantly reduced. Therefore, the zero-knowledge proof uses preprocessing or computing outsourcing methods to improve efficiency. This aspect of the data does not involve private data, and its calculation can be outsourced. This is feasible in our algorithms, which can at least double the efficiency.

6. Conclusions

The MPC algorithms of graphs’ intersection and union are important research problems in the field of MPC, with a very wide application prospect in family medical history and military activities. Most of the existing graphs’ intersection and union algorithms are secure under the semi-honest model, but not secure in the presence of malicious participants. In this paper, two malicious MPC algorithms were proposed. The innovation of this paper’s algorithm is that it can target multiple participants; combined with the threshold Lifted-ElGamal threshold cryptosystem, the graphs’ intersection and union MPC algorithms are designed under the malicious model. Using the real/ideal model paradigm, it is proven that the algorithm is secure under the malicious model and remains efficient compared with related studies.

In the future, we will continue to study the set problem under the malicious model, design more efficient MPC algorithms related to the confidentiality decision set under the malicious model, promote the development of MPC research, and further explore solutions for privacy protection.