1. Introduction
With the rise of communication technology and cloud computing, a large amount of data is generated on communication devices such as smartphones and smartwatches, and cloud servers can be used to store and process this data in order to extract useful information and perform data analysis. When joint computation over the data of multiple clients is required, multiple servers can take up the computation task, avoiding a single point of failure and performing trusted and secure joint computation on the clients' data. Although such distributed cloud computing environments have a wide range of applications, ensuring data privacy and computational integrity during the computation is a serious challenge. Homomorphic Encryption (HE) [1], an important privacy-preserving technique, provides an effective tool for private computation in cloud environments. Fully Homomorphic Encryption (FHE) [2] allows arbitrary computation on ciphertexts, and the decrypted result of the ciphertext computation equals the result of computing directly on the plaintexts, thus protecting the privacy of data during processing. However, in practice FHE has a very high computational overhead and cannot yet be deployed for large-scale applications.
To overcome the limitations of FHE in practical computation, Boyle et al. [3] proposed Homomorphic Secret Sharing (HSS), which can be viewed as a lightweight distributed FHE and allows functions to be computed directly on secret-shared data. HSS ensures that no coalition of t servers can recover the original data held by the clients. Recently, much work has been devoted to constructing HSS schemes for various families of functions, such as affine functions [4], point functions [5], selection functions [6], branching programs [7], and multivariate polynomials [8].
Tsaloli et al. [9] proposed the Verifiable Homomorphic Secret Sharing (VHSS) scheme, in which the client rejects the computation result if a subset of colluding malicious servers submits incorrect results. Chen et al. constructed a publicly verifiable homomorphic secret sharing scheme for higher-degree polynomials without FHE [10] and a privately verifiable homomorphic secret sharing scheme for lower-degree polynomials [11], improving the efficiency of secure outsourced computation of polynomials. Ref. [9] proposed an Additive Homomorphic Secret Sharing (AHSS) construction without HE, which allows the joint addition to be outsourced to cloud servers without any client disclosing its original data to the other participants. Ref. [12] proposed a Verifiable Additive Homomorphic Secret Sharing (VAHSS) scheme based on AHSS that provides public verifiability. However, in practical application scenarios the existing schemes still have some problems: (i) all existing HSS schemes require every server that received secret shares to participate in the computation, so once one server becomes unavailable, all clients must redistribute their secret shares; and (ii) VAHSS with public verifiability requires a large amount of additional computation in the proof generation and verification phases.
In this paper, we propose the first homomorphic secret sharing scheme that supports dynamic additive computation: it avoids restarting the computation task when some servers fail and lets servers join and leave flexibly. Based on it, we also propose a more efficient dynamic verifiable additive homomorphic secret sharing scheme. In detail, we address the cloud computing problem characterized by the following constraints: (i) m servers are employed to perform joint addition on the inputs of n clients; (ii) the original client data must be kept secret; (iii) the servers are not trusted; (iv) the computation task can still be carried out when some servers fail; and (v) the clients are able to confirm that the computation result is correct (the private verifiability property). More precisely, the scheme has three roles: n input clients (each with a secret input ), m servers, and an output client. The n clients compute secret shares of their original data and send them to the servers for secret computation. The servers then send their partial results to the output client for aggregation, and the final result of the computation is obtained as and sent to the input clients for verification. During the computation, the original secret inputs are not available to any unauthorized set of servers. When some servers cannot perform the computation, the client only broadcasts the indices of the new servers that take over the task, without restarting the computation. In our scheme any server holding secret shares can participate in the computation, and it is this feature that enables the dynamic joining and leaving of servers; our scheme is therefore more scalable than static additive homomorphic secret sharing schemes.
Our Contributions: We first propose a Dynamic Additive Homomorphic Secret Sharing (DAHSS) scheme based on Shamir's threshold secret sharing [13], which avoids restarting the whole outsourced computation after a single server failure and realizes dynamic secure outsourced additive computation. Compared to existing schemes, DAHSS adds dynamic outsourced computation while offloading part of the computation to the servers, thereby reducing client computation time. Secondly, we propose a privately verifiable Dynamic Verifiable Additive Homomorphic Secret Sharing (DVAHSS) scheme. Although it requires an additional trusted center to distribute the authentication key, compared with the publicly verifiable VAHSS scheme its computation is more concise and the computational overhead of both clients and servers is smaller. Finally, we give detailed correctness, security and verifiability proofs and experimental evaluations of the proposed schemes.
Organization: Section 2 summarizes the related work. Section 3 provides the basic definitions required for the scheme constructions. Section 4 presents the DAHSS construction and its security proof. Section 5 presents the DVAHSS construction and its security proof. In Section 6, we analyze the computational cost of the two proposed schemes and report our experimental results. Finally, Section 7 concludes the paper.
3. Preliminaries
3.1. Additive Secret Sharing
Additive Secret Sharing (ASS) is defined over a finite field F, where the secret is randomly split into n shares that satisfy . Practical schemes, in which the secure operations are mostly evaluated as arithmetic circuits, use ASS defined over a finite ring or a finite field F, which determines the form of the secret shares and the type of circuit each party executes.
ASS is an n-out-of-n threshold scheme in which all n shares are required to recover the secret, so the technique resists collusion by any n-1 of the participants. Additive secret sharing is additively homomorphic and is characterized by its simplicity and efficiency.
3.2. (t, n)-Threshold Secret Sharing
Shamir's (t, n)-threshold secret sharing scheme is a polynomial-interpolation-based secret sharing scheme proposed by Adi Shamir in 1979. In it, the number of participants n determines the number of shares to be distributed, and the threshold t specifies the minimum number of participants required to recover the original secret. The scheme consists of a secret sharing phase and a secret reconstruction phase. In the sharing phase, the secret holder converts the secret s into n shares and distributes them to the n participants; in the reconstruction phase, the original secret s is reconstructed when at least t share holders jointly provide their shares.
Let be a finite field with q a large prime; the scheme is implemented as follows:
Secret Sharing: Construct a polynomial of degree t-1 over : where s is the secret chosen from , and the coefficients are sampled uniformly at random from . Select n distinct nonzero evaluation points; each participant is then assigned the subsecret .
Secret Reconstruction: When at least t participants wish to reconstruct the original secret, they pool their shares, use Lagrange interpolation to reconstruct the polynomial, and evaluate it at 0, which gives the original secret.
The t participants construct the following system of linear equations using their t subsecrets : where the are all different. By the Lagrange interpolation theorem, it follows that Substituting 0 into this interpolating polynomial recovers the secret. Any fewer than t shares are consistent with every possible value of s, so they reveal nothing about it.
Shamir's threshold secret sharing scheme has become an important tool in cryptography because of its security, flexibility, and reliability, and it is widely used in many security fields. For example, in distributed systems it is used to store and manage data securely; in cryptographic protocols it can be used to implement distributed signatures and key management; in data recovery it ensures that data can still be recovered after partial damage or loss; in electronic voting systems it can guarantee the privacy and fairness of voting; and in digital rights management it can be used to control access to protected digital content.
4. Dynamic Additive Homomorphic Secret Sharing
According to the -HSS definition, each client runs the algorithm on its original secret data to obtain the secret shares and sends them to the m servers. Then, over all clients , each server holds n secret shares. For any t servers that may be corrupted, the original data remain private.
Unlike existing schemes, our scheme broadcasts the set W of server indexes for the computation before the computation task starts; the servers indexed in W run the algorithm to obtain partial aggregation results over all the secret inputs, and finally the output client runs the algorithm to obtain the final aggregation result. During the computation, when some of the computing servers cannot perform the task, it is only necessary to rebroadcast a new set W of server indexes, without resharing the secrets.
Definition 1. The -Dynamic Additive Homomorphic Secret Sharing scheme (DAHSS) is a 3-tuple of PPT algorithms , defined formally as follows:
: The inputs to the algorithm are the security parameter λ, the client index , and the secret input ; it outputs the secret shares, which are sent to the m servers.
: The inputs to the algorithm are the set of server indices taking part in this computation, the server index , and the secret shares ; it outputs the partial result .
: The input to the algorithm is the partial results , and it outputs the final computation result y or the error symbol ⊥.
DAHSS should satisfy Correctness and t-Input Privacy. Correctness guarantees that the output of the aggregation algorithm is always the correct computation result when all participants compute honestly. t-Input privacy guarantees that no information about the original secret data can be obtained when any t servers collude.
Correctness: If for all secret inputs , all algorithms generate secret shares , then all algorithm outputs , and the DAHSS scheme is correct if it satisfies the following:
t-Input Privacy: Let represent the set of t servers, and assume that A is an arbitrary adversary that is able to control the servers in . Consider the following experiment:
Experiment :
- 1.
The adversary A gives to the challenger, where , and ;
- 2.
The challenger randomly chooses ;
- 3.
If , compute ;
If , compute ;
- 4.
The adversary outputs a guess to the challenger based on all the secret shares held by the t servers under its control; return 1 if ; otherwise, return 0.
We define the advantage of the adversary A as follows:
A DAHSS scheme is t-input private if is satisfied for any adversary A.
4.1. Construction of DAHSS
The advantages of Shamir's threshold secret sharing scheme are flexibility and security: any number of shares can be distributed in the sharing phase, while reconstruction requires at least the threshold number of participants, so applying it to outsourced computation provides both security and flexibility. We first describe how the dynamic distribution of additive aggregation tasks is realized on top of this scheme.
Dynamic task distribution: In the secret sharing algorithm, Shamir's threshold secret sharing is used to assign secret shares to all servers that may take part in the computation task. In real computing scenarios, some servers may be temporarily unable to provide computation services due to failures. To address this, the clients (the multiparty data holders) in our scheme send the servers an index set of the servers performing the current computation task; since the shares are evaluations of a polynomial of degree t, this set must contain at least t+1 indices for interpolation to be possible. When a server executes the partial computation algorithm, the server with index locally computes its interpolation coefficient from all the indices in the set and multiplies it into its n shares to obtain n additive secret shares; by the Lagrange interpolation theorem, summing these additive shares gives a partial result of the summation of the original secret data of all clients. Finally, the output client sums the partial results obtained from all servers in the set to obtain the final computation result. When the clients learn that some of the servers performing the computation cannot continue, they simply resend the set of server indexes, without recomputing and redistributing the secret shares as in existing schemes. When a new server joins the computation, each client only needs to evaluate its locally generated polynomial once at the server index j, and the newly joined server obtains one share from each of the n clients.
Based on the above ideas, the specific construction of the DAHSS scheme is given as follows:
- 1.
Secret sharing: ; the client generates a polynomial of degree t based on the security parameter and the secret input : where is sampled uniformly at random from , and the constant term is the original secret data. Substituting the m server indices into the polynomial generates the full set of secret shares of the secret , and is sent to server .
- 2.
Partial Evaluation: ; for all , the server obtains the set of server indexes and the n secret shares . first computes the corresponding interpolation coefficient according to the Lagrange interpolation theorem. Multiplying the constant by each of the local secret shares gives the additive secret shares . At this point, the additive secret shares held locally by all the servers satisfy the following: The server's final local computation is as follows: This yields the partial result of the outsourced addition, which is output as .
- 3.
Final Evaluation: ; the output client obtains one partial result from each server in W. By Equations (4)–(9), summing all the partial results gives the result of the outsourced computation.
4.2. Proof of DAHSS
Theorem 1. The DAHSS scheme is correct.
Proof of Theorem 1. In the DAHSS outsourced computation scheme, for clients holding data , and for all servers whose index j is contained in the index set W, by the Lagrange interpolation theorem we obtain So the DAHSS scheme has perfect correctness. □
Theorem 2. The DAHSS scheme has t-Input Privacy.
Proof of Theorem 2. Assume that and that the adversary A controls t servers and obtains the secret shares held by the controlled servers. Without loss of generality, assume that the first t servers are the controlled ones, i.e., .
For , let denote the additive secret share of , which is the value of the Shamir threshold polynomial of at the index sent to each server, multiplied by the interpolation coefficient of , so that the additive shares satisfy At this point, the challenger chooses i by tossing a coin and sends and to the adversary A. Any t evaluations of a uniformly random polynomial of degree t are uniformly distributed and independent of its constant term, so by the security of Shamir's threshold secret sharing no adversary, not even a computationally unbounded one, can distinguish whether is the th share of or the th share of . Thus, the adversary A can only guess with probability whether corresponds to or , and return to the challenger. Hence is satisfied for any adversary A, so the DAHSS scheme is t-input private. □
5. Dynamic Verifiable Additive Homomorphic Secret Sharing
The dynamic verifiable additive homomorphic secret sharing scheme uses the DAHSS of Section 4 as its base scheme. The n clients input the original secret data into the algorithm to obtain the secret shares , and in addition multiply the private authentication key by the secret data to obtain and input it into the algorithm as well; the generated shares of and are sent to the m servers together, where the shares of are used to verify the computation result. Each server thus holds shares. The set W of server indexes for the computation is broadcast before the computation task starts, and the servers indexed in W apply the algorithm to compute a linear combination of all the secret inputs while generating a proof; finally, the output client computes the final output and checks, using the proof, that the computation result is plausible. During the computation, the raw data remain private against any t potentially corrupted servers. When some of the computation servers cannot perform the task, a new set W of server indexes is rebroadcast.
Definition 2. The Dynamic Verifiable Additive Homomorphic Secret Sharing (DVAHSS) scheme is a 6-tuple of PPT algorithms, formally defined as follows:
Secret Sharing: ; the inputs to the algorithm are the security parameter λ, the secret data , and the authentication key α, and the output is the secret shares .
Partial Evaluation: ; the inputs to the algorithm are the set of server indexes , the server index , and the secret shares , and the output is the partial computation .
Partial Proof: ; the inputs to the algorithm are the set of server indexes , the server index , and the secret shares , and the output is the partial proof .
Final Evaluation: ; the input to the algorithm is the partial computations , and the output is the final computation y.
Final Proof: ; the input to the algorithm is the partial proofs , and the output is the final proof σ.
Verification: ; the inputs to the algorithm are the verification key α, the final computation result y, and the final proof σ, and the output is the verification result .
The DVAHSS scheme should satisfy Correctness, t-Input Privacy, and t-Verifiability.
Correctness: If for all secret inputs , all algorithms generate secret shares and all algorithm outputs , the DVAHSS scheme is correct if it satisfies the following:
t-Input Privacy: Let represent the set of t servers, and assume that A is an arbitrary adversary that is able to control the servers in . Consider the following experiment:
Experiment :
- 1.
The adversary A gives to the challenger, where , and ;
- 2.
The challenger randomly chooses ;
- 3.
If , compute ;
If , compute ;
- 4.
The adversary outputs a guess to the challenger based on all the secret shares held by the t servers under its control; return 1 if ; otherwise, return 0.
We define the advantage of the adversary A as follows:
A DVAHSS scheme is t-input private if is satisfied for any adversary A.
t-Verifiability: Let , and assume that A is an adversary that can control the servers in . Consider the following experiment:
Experiment :
- 1.
Initialization: The challenger initializes a list for recording queries from A.
- 2.
Shared Queries: A adaptively queries . For a given , the challenger runs , generates the shared share , updates the list , and sends to the adversary A.
- 3.
Verification Queries: A adaptively issues verification queries. Suppose that is a query from A, where is a modified output share. For a given verification query, the challenger performs the following operation: for each , obtain from B ; for all , compute ; accordingly, compute . If , the query outputs 1; otherwise, it outputs 0.
We define the advantage of the adversary A as follows:
A DVAHSS scheme is t-verifiable if, for any adversary A, the above advantage is negligible.
5.1. Construction of DVAHSS
Based on the DAHSS scheme, we propose a more compact DVAHSS scheme for verifiable secure outsourced additive computation. The DVAHSS scheme requires a trusted center to distribute the authentication key and only supports private verification, but compared with publicly verifiable additive homomorphic secret sharing for secure outsourced computation it is computationally more compact and has lower overhead for both the clients and the servers. We first introduce the verification key initialization and the verifiable computation setting.
Verification key generation: A third-party trusted center is used. The trusted center selects a uniformly random element of the finite field as the verification key (the value 0 must be excluded, since with it the final proof is 0 for every result and the check below becomes vacuous), and when a client joins the computation the trusted center sends it this verification key, so that all clients hold the same verification key locally.
Verifiable computation setting: In DVAHSS, every client combines the private authentication key with its secret data to obtain . In the secret sharing phase, besides the secret shares of , the secret shares of are also computed and sent to the servers separately. In addition to the partial computation result, each server generates a partial proof from its shares of . Finally, the output client aggregates all partial proofs into the final proof and sends it, together with the result, to the clients, which accept the final computation result if .
Based on the above idea, the specific construction of the DVAHSS scheme is given as follows:
- 1.
Secret sharing: The client generates two polynomials of degree t over according to the security parameter and the secret input : where is sampled uniformly at random from . Assume that . Substituting the m server indices into the polynomials and generates the full set of secret shares of the secret and of the secret , and finally is sent to every server .
- 2.
Partial Evaluation: ; for all , the server obtains the set of server indexes and the n secret shares . The server computes the interpolation coefficient corresponding to its local secret share: Multiplying the constant by the local secret share of gives the additive secret share : According to the Lagrange interpolation theorem, the additive secret shares held locally by all the servers satisfy the following: The server locally computes , obtains the partial result of the outsourced additive computation , and outputs it.
- 3.
Partial proof: ; since the set of server indexes W obtained by the server is fixed, the constant obtained in the algorithm is multiplied by the local secret share of to obtain the following additive secret share: According to the Lagrange interpolation theorem, the additive secret shares held locally by all the servers satisfy the following: The server then locally computes to obtain the partial proof and outputs it.
- 4.
Final Evaluation: ; the output client obtains one partial result from each server in W and adds up all the partial results to obtain the final result.
- 5.
Final proof: ; the output client obtains one partial proof from each server in W and, as in Equations (4)–(20), sums all the partial proofs to obtain the final proof.
- 6.
Verify: ; the client checks whether holds; it outputs 1 if so and otherwise outputs ⊥.
5.2. Proof of DVAHSS
Theorem 3. The DVAHSS scheme is correct.
Proof of Theorem 3. In the DVAHSS scheme, for all clients holding data and data , and for all servers whose index j is contained in the index set W, the computation result satisfies the following: Similarly, it is easy to obtain the following: If , the client accepts . Thus, if the DAHSS scheme is correct, then DVAHSS is correct. □
Theorem 4. The DVAHSS scheme has t-Input Privacy.
Proof of Theorem 4. The secret shares of and obtained by a server in the secret sharing phase are computed from two different, independently sampled polynomials, so by Theorem 2 no adversary A can distinguish whether is the th share of or of , nor whether is the share of or of ; thus for any adversary A, holds, and the DVAHSS scheme is t-input private. □
Theorem 5. The DVAHSS scheme has t-Verifiability.
Proof of Theorem 5. Let , and assume that A is an adversary that can control the servers in . Let E be the event , and let be the event that the experiment outputs after b verification queries. Let be the upper bound on the number of verification queries issued by the adversary A. Then . What needs to be proved is that .
Let be the verification query submitted by the adversary A. For all , the challenger extracts from B and computes the following: The challenger accepts and outputs only when . Assume that is the result of the servers' honest execution of the scheme, where . Suppose that and at the same time . Then the event occurs if and only if both and hold, as well as . Clearly, occurs when the following holds: After unsuccessful queries, the adversary A can exclude values of . From the adversary A's perspective, at the bth verification query is still uniformly distributed over more than elements. Thus, by the union bound, it follows that For and , is a negligible function. So , and the scheme satisfies t-verifiability. □
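The bound that the proof above appeals to, carried through here as an added illustration (the original equation is missing from this copy); the symbols $\ell$ for the bound on the number of verification queries and $\Delta y, \Delta\sigma$ for the adversary's additive modifications are this illustration's own notation, the rest follows the page.

Since the final result and final proof are sums of the servers' partial outputs, the $t$ controlled servers can only shift them additively: a query $(y^*, \sigma^*)$ has the form $y^* = y + \Delta y$, $\sigma^* = \sigma + \Delta\sigma$ with $\Delta y \neq 0$, where $(y, \sigma)$ is the honest result and $\sigma = \alpha y$. It is accepted iff
$$\sigma + \Delta\sigma = \alpha\,(y + \Delta y) \iff \Delta\sigma = \alpha\,\Delta y \iff \alpha = \Delta\sigma \cdot (\Delta y)^{-1} .$$
Each query therefore commits the adversary to one candidate value of $\alpha$, and a rejected query rules exactly that value out. Because $\alpha$ is uniform in $\mathbb{F}_q$ and the $t$ shares of each $\alpha x_i$ seen by the controlled servers are independent of it, the $b$-th query succeeds with probability at most $1/(q - b + 1)$, and by the union bound over at most $\ell$ queries
$$\Pr[E] \;\le\; \sum_{b=1}^{\ell} \frac{1}{q - b + 1} \;\le\; \frac{\ell}{q - \ell + 1},$$
which is negligible in $\lambda$ when $\ell$ is polynomial in $\lambda$ and $q$ is exponential in $\lambda$. The bound also covers the case $\alpha = 0$ (where any $\Delta\sigma = 0$ is accepted), which is why that value should be excluded when the trusted center samples the key.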
7. Conclusions
This paper focuses on the security, efficiency and practicality of joint additive computation by multiple participants, and proposes a homomorphic secret sharing scheme and a verifiable homomorphic secret sharing scheme for additive computation. Firstly, a secure dynamic additive homomorphic secret sharing scheme is proposed, building on the security and flexibility of Shamir's threshold secret sharing to realize dynamic outsourced computation while offloading more of the computation to the servers to reduce the clients' overhead. Secondly, combining this outsourced computation scheme with the idea of verifiable computation, a dynamic verifiable additive homomorphic secret sharing scheme with lower computational overhead is proposed. Finally, detailed security and other proofs of the two schemes are given, and the theoretical analysis and experimental results show that the proposed schemes have a more flexible computational mechanism and lower client overhead, realizing more efficient and secure outsourced additive computation while guaranteeing the security of the multiparty data. The two schemes in this paper broaden the application scenarios of secure outsourced computation over multiparty data and provide new approaches to the problem of secure and trustworthy multiparty computation.
Future work will aim at traceable verifiable homomorphic secret sharing schemes. Existing schemes only support tracing of cheating servers for simple outsourced multiplication and require a large number of servers; there is as yet no server-tracing scheme for other functions, and it remains to be explored how to realize stronger tracing of cheating servers during outsourced computation with a smaller verification overhead.