Verifiable Additive Homomorphic Secret Sharing with Dynamic Aggregation Support

Abstract

$(n,m,t)$-Homomorphic Secret Sharing (HSS) allows n clients to share data secretly to m servers, which compute a function f homomorphically on the received secretly shared data while restricting the input data acquired by a collection of t servers to private ones. In Verifiable Homomorphic Secret Sharing (VHSS), if there are partially colluding malicious servers submitting erroneous computation results to the client, such erroneous computation results will be rejected by the client. In traditional static homomorphic secret sharing schemes, once a secret share of raw data is assigned to a group of servers, then all servers in the group must participate in the computation, which means that the computation has to be restarted once some servers fail to perform the task. In order to solve the above problem, we propose the first dynamic homomorphic secret sharing scheme for additive computation in this paper. In our scheme, once some servers fail, there is no need to recalculate the secret sharing but only the need to reissue the index set of servers that perform the computation, Our structure assigns more computation to the servers, which is very useful in real scenarios. In addition, we propose dynamic verifiable homomorphic secret sharing schemes based on the above schemes, which have less computational overhead compared to the existing schemes, although we sacrifice the public verifiability property. Finally, we give a detailed correctness, security, and verifiability analysis of the two proposed schemes and provide the theoretical and experimental evaluation results of the computational overhead.

1. Introduction

With the rise of communication technology and cloud computing, a large amount of data is generated on communication devices such as smartphones and smartwatches, and cloud servers can be used to store and process this data in order to extract valid data and perform data analysis. When the joint computation of data from multiple clients is required, multiple servers can be used to take up the computation task to avoid a single point of failure and perform trusted and secure joint computation on the data from the clients. Although such distributed cloud computing environments have a wide range of applications, it is a serious challenge to ensure data privacy and computational integrity during computation. Homomorphic Encryption (HE) [1], as an important privacy-preserving technique, provides an effective tool to address data privacy computation in cloud environments. Fully Homomorphic Encryption (FHE) [2] allows arbitrary computation of ciphertexts, while the obtained ciphertext computation results are the same as those computed directly in plaintexts after decryption, thus protecting the privacy of data during processing. However, in practice, it has a very high computational overhead and cannot be realized for large-scale applications.

To overcome the limitations of FHE in practical computation, Boyle et al. [3] proposed Homomorphic Secret Sharing (HSS), which can be viewed as a lightweight distributed FHE, which allows for direct function computation on secretly shared data. HSS ensures that no t server can obtain the original data held by the client. Recently, much work has been devoted to constructing HSS schemes for various families of functions, such as affine functions [4], point functions [5], selection functions [6], branching programs [7], and multivariate polynomials [8].

Tsaloli et al. [9] proposed the Verifiable Homomorphic Secret Sharing (VHSS) scheme, where the client rejects the computation results if a partially colluding malicious server submits incorrect computation results to the client. Chen et al. implemented the publicly verifiable homomorphic secret sharing scheme for higher-order polynomials without FHE [10] and the privately verifiable homomorphic secret sharing scheme for lower-order polynomials [11], where the efficiency of secure outsourced computation against polynomials was improved. Ref. [9] proposed an Additive Homomorphic Secret Sharing (AHSS) structure without HE, which allows for outsourcing the joint addition computation to a cloud server when the client does not disclose the original data to the participants at the same time. Ref. [12] proposed a Verifiable Additive Homomorphic Secret Sharing (VAHSS) scheme based on AHSS, which provides public verifiability. However, in practical application scenarios, existing schemes still have some problems: (i) All HSS schemes require all servers obtaining secret sharing data to participate in the computation, and once a certain server is unavailable, multiple clients are required to redistribute the secret sharing data; and (ii) VAHSS supporting the publicly verifiable property needs to carry out a large number of additional computations in the verification phase and the proof generation phase.

In this paper, we propose the first homomorphic secret sharing scheme that enables dynamic additive computation, which can solve the problem of restarting the computation task due to the failure of some servers and realize the flexibility of joining and exiting the servers, as well as also propose a more efficient dynamic verifiable additive homomorphic secret sharing scheme based on this scheme. In detail, we solve the cloud computing problem characterized by the following constraints: (i) m servers are employed to perform joint addition on the inputs of n clients; (ii) the original client data need to be kept secret; (iii) the servers are not trusted; (iv) the computation task can still be carried out in the event of partial server failures; and (v) the clients are able to confirm that the computation results are correct (i.e., the private verifiability attribute). More precisely, the scheme has three roles: n input clients (each with a secret input $x_i$), m servers, and an output client. n clients compute the secret share of the original data and send them to multiple servers for secret computation. Then, the servers send the results of the computation to the output clients to aggregate, and the final result of the computation is obtained as $f(x_1,\dots ,x_n)$ and sent to the input clients for verification. During the computation, the original secret input $(x_1,\dots ,x_n)$ is not available to an unauthorized collection of servers. When there are servers that cannot perform the computation, only the client broadcasts the index of a new server that performs the computation task without restarting the computation. In our scheme, as long as the servers with secret sharing shares can participate in the computation, it is this feature that can be exploited to achieve the dynamic joining and exiting of servers, and thus our scheme is more scalable compared to the static additive homomorphic secret sharing scheme.

Our Contributions: We first propose a Dynamic Additive Homomorphic Secret Sharing (DAHSS) scheme based on the Shamir threshold secret sharing [13] technique, which can solve the problem of restarting the whole outsourcing computation due to a single point of server failure and realize a dynamic secure outsourcing additive computation scheme. Compared to the existing schemes, DAHSS increases the function of dynamic outsourcing computation while offloading part of the computation to the server, thus reducing the client computation time. Secondly, we also propose a privately verifiable Dynamic Verifiable Additive Homomorphic Secret Sharing (DVAHSS) scheme. Although the scheme needs to increase the number of trusted centers to distribute the authentication key, compared to the public VAHSS scheme, the computation of the DVAHSS is more concise, and the computation overheads of both the clients and servers are smaller. Finally, we give detailed correctness, security and verifiability proofs, and experimental tests of the proposed scheme.

Organization: Section 2 summarizes the related work. Section 3 provides the basic definitions required for scheme construction. Section 4 provides the DAHSS structure and the proof of security. Section 5 provides the DVAHSS structure and security proof. In Section 6, we analyze the computational time of the two proposed schemes and provide the results of our experimental tests. Finally, we provide the final caveats in Section 7.

2. Related Work

Homomorphic Secret Sharing: Boyle et al. [3] proposed a homomorphic secret sharing construction for function computation on secret sharing data. Phalakarn et al. [14] proposed a t-secure homomorphic secret sharing scheme that supports low-degree polynomials based on a construction, and they constructed the scheme to support threshold security. Tsaloli et al. proposed an HSS scheme for additive computation. However, the HSS does not guarantee that the computation is correct, i.e., it does not provide verifiability.

Homomorphic Signatures: Homomorphic Signatures (HomSigs) [15] are valid signatures that allow any entity to generate new data by performing homomorphic operations on certified data and obtaining a valid signature for the new data in the absence of a signing private key. Catalano et al. [16] proposed homomorphic signatures on polynomial functions and explored their application to verifiable computation. Gorbunov et al. [17] constructed for the first time a fully homomorphic signature (FHS), with the scheme built on a lattice, which supports the evaluation of signed data on arbitrary Boolean circuits of bounded polynomial depth.

3. Preliminaries

3.1. Additive Secret Sharing

Additive Secret Sharing (ASS) is defined over a finite field F, where the secret $x\in F$ will be randomly divided into n shares $\left\{x_1,\dots ,x_n\right\}$ that satisfy $x=x_1+x_2+\dots +x_n$. Practical schemes where security operations are mostly performed on arithmetic circuits use ASS defined over a finite ring $Z_{2^l}$ or a finite field F, which determines the form of the secret shares and the type of circuits to be executed by each party.

ASS is an $(n,n)$ threshold scheme that requires all secret shares to work together to recover the secret, and thus the technique is resistant to collusion by $n-1$ participants. The additive secret sharing technique satisfies the additive homomorphism property and is characterized by its simplicity and efficiency.

3.2. (t, n)-Threshold Secret Sharing

Shamir’s $(t,n)$-threshold secret sharing scheme is a polynomial interpolation-based secret sharing scheme proposed by Adi Shamir in 1979. In Shamir’s $(t,n)$-threshold secret sharing scheme, the number of participants n determines the number of secret shares to be distributed, and the number of thresholds t specifies the minimum number of participants required to recover the original secret. The scheme consists of a secret sharing and a secret reconstruction phase, in which the secret holder converts the secret s into n secret sharing shares and distributes them to n participants. In the secret reconstruction phase, the original secret information s is reconstructed when at least $t<n$ secret sharing share holders jointly provide their secret holding shares.

Let $GF\left(q\right)$ be a finite field and q be a large prime number; the steps of the scheme implementation are as follows:

Secret Sharing: Construct a $(t-1)$-dimensional polynomial over $GF\left(q\right)$:

$$F\left(X\right)=s+a_{1}x+a_2{x}^2+...+a_{t-1}{x}^{t-1}$$

(1)

where s is the secret data selected on $GF\left(q\right)$, and $t-1$ coefficients $a_i(i\in \{1,\dots ,n\})$ are the results of random sampling on $GF\left(q\right)$. Select n $I_l\in GF\left(q\right)(l\in \{1,\dots ,n\})$; then, each participant $P_l$ is assigned the subsecret $(I_l,F\left(I_l\right))$.

Secret Reconstruction: When at least t participants need to reconstruct the original secret, they can unite all secret sharing shares $(I_l,F\left(I_l\right))$ and use Lagrange interpolation to reconstruct the polynomial $F\left(X\right)$ and compute $F\left(0\right)$, which is the original secret information.

The t participants construct the following linear equation using t subsecrets $(I,F(I\left)\right)$:

$$\begin{array}{cc}s+a_1\left(I_1\right)+\dots +a_{(t-1)}{\left(I_1\right)}^{t-1}& =F\left(I_l\right)\\ s+a_1\left(I_2\right)+\dots +a_{(t-1)}{\left(I_2\right)}^{t-1}& =F\left(I_2\right)\\ ⋮& ⋮\\ s+a_1\left(I_t\right)+\dots +a_{(t-1)}{\left(I_t\right)}^{t-1}& =F\left(I_t\right)\end{array}$$

(2)

where $I_l(l=1,\dots ,t)$ are all different. By the Lagrange interpolating polynomial theorem, it follows that

$$\phi \left(x\right)=\sum _{j=1}^{k}F\left(I_l\right){\prod }_{i=1,i\ne j}^k\frac{I_l-x}{I_l-I_j}modq$$

(3)

By substituting 0 into this interpolating polynomial, the secret is recovered.

$$s=\phi \left(0\right)=\sum _{j=1}^{k}F\left(I_l\right){\prod }_{i=1,i\ne j}^k\frac{I_l}{I_l-I_j}modq$$

(4)

Shamir’s Threshold Secret Sharing Scheme has become an important tool in cryptography for its outstanding performance in security, flexibility, and reliability, and it is widely used in various security fields. For example, in distributed systems, it is used to store and manage data securely; in cryptographic protocols, it can be used to implement distributed signatures and key management; in the field of data recovery, it ensures that data can still be recovered in the case of partial damage or loss; in electronic voting systems, it can guarantee the privacy and fairness of voting; and in digital rights management, it can be used to protect and manage the digital content of the access control.

4. Dynamic Additive Homomorphic Secret Sharing

According to the $(n,m,t)$-HSS definition, the client $C_i(i\in n)$ needs to compute the $Share$ algorithm based on the original secret data $x_i$ to obtain the secret share shares $(x_{i,1},\dots ,x_{i,m})$ and send them to m servers. Then, for all clients $\{C_1,\dots ,C_n\}$, each server $S_j(j\in m)$ has n secret shares. For any t servers that may be corrupted, the original data $(x_1,\dots ,x_n)$ are private.

Unlike the existing schemes, our scheme broadcasts the set W of server indexes for this computation before the start of a computation task, the set of servers $S_j$ indexed within the set W computes the $PartialEval$ algorithm to obtain the partial addition aggregation result about all the secret inputs, and it finally outputs the client to compute the $FinalEval$ algorithm to obtain the final aggregation result. During the computation, when there exists a part of the computation servers that cannot perform the task, it is only necessary to rebroadcast a new set W of server indexes without resharing the secrets.

Definition 1. 

The $(n,m,t)$-Dynamic Additive Homomorphic Secret Sharing Scheme (DAHSS) is a 3-tuple system consisting of the PPT algorithm $(Share,PartialEval,FinalEval)$, which is given the formal definition as follows:

• $(x_{i,1},\dots ,x_{i,m})\leftarrow Share(1^{\lambda },i,x_i)$: The inputs to the algorithm are the security parameter λ, the client index $i\in \left[n\right]$, and the secret input $x_i$, which will be sent to m servers as a secret sharing share $(x_{i,1},\dots ,x_{i,m})$ as output.
• $y_j\leftarrow PartialEval(W,j,(x_{1,j},\dots ,x_{n,j}))$: The input to the algorithm is the set of server indices where this computation is performed $W=\{j_1,\dots ,j_{t+1}\}$, the server indexes $j\in \left[n\right]$ and the secret shared shares $(x_{1,j},\dots ,x_{n,j})$, and it outputs the partial result $y_j$.
• $y\leftarrow FinalEval(y_{j_1},\dots ,y_{j_{t+1}})$: The algorithm inputs a partial result $(y_{j_1},\dots ,y_{t+1})$, and it outputs the final result of the computation y or the error identifier ⊥.

DAHSS should satisfy Correctness and t-Input Privacy. Correctness guarantees that the output of the aggregation computation algorithm is always the correct computation result when all participants perform an honest computation.The t-input privacy guarantees that no information about the original secret data can be obtained when any t servers launch a conspiracy attack.

• Correctness: If for all secret inputs ${\left\{x_i\right\}}_{i\in \left[n\right]}$, all $Share$ algorithms generate secret shares $\{x_{i,1},\dots ,x_{i,m}{\}}_{i\in \left[n\right]}$, thenall $PartialEval$ algorithm outputs $\{y_{j_1},\dots ,y_{j_{t+1}}{\}}_{j\in W}$, and the DAHSS scheme is correct if it satisfies the following:

  $$Pr[FinalEval(y_{j_1},\dots ,y_{j_t})=f(x_1,\dots ,x_n)]=1$$

  (5)
• t-Input Privacy: Let $\mathrm{T}\in {\left(\left[m\right]\right)}_t$ represent the set of t servers, and assume that A is an arbitrary $PPT$ adversary and is able to control the server ${\left\{S_j\right\}}_{j\in T}$. Assume the following experiment:
  Experiment $Ex{p}_{A,DAHSS}(1^{\lambda },T)$:

  1.

  The adversary A gives $(i,x_i,{x_i}^{\prime })\leftarrow A\left(1^{\lambda }\right)$ to the challenger, where $i\in \left[n\right]$, $x_i\ne {x_i}^{\prime }$ and $|x_i|\ne |{x_i}^{\prime }|$;

  2.

  The challenger randomly chooses $b\leftarrow \{0,1\}$;

  3.

  If $b=0$, compute $(x_{i,1},\dots ,x_{i,m})\leftarrow Share(1^{\lambda },i,x_i)$;

  If $b=1$, compute $({x_{i,1}}^{\prime },\dots ,{x_{i,m}}^{\prime })\leftarrow Share(1^{\lambda },i,{x_i}^{\prime })$;

  4.

  The adversary outputs a guess $b^{\prime }=A\left({\left(x_{i,j}\right)}_{j\in T}\right)$ to the challenger based on all the secret shared shares held by the t servers under its control; Return 1 if $b^{\prime }=b$; otherwise, return 0.

  We define the advantage of the adversary A as follows:

  $$Ad{v}_{A,DAHSS}(1^{\lambda },T)=|Pr[Ex{p}_{A,DAHSS}(1^{\lambda },\mathrm{T})=1]-\frac{1}{2}]|$$

  (6)
  A DAHSS scheme is t-input private if $Ad{v}_{A,DAHSS}(1^{\lambda },T)\le negl\left(\lambda \right)$ is satisfied for any $PPT$ adversary A.

4.1. Construction of DAHSS

The advantages of Shamir’s threshold secret sharing scheme include flexibility and security. Since any number of secrets can be sent in the secret distribution phase, but the secret reconstruction needs to reach at least the threshold number of participants, applying it to computation can realize the security provided while also providing flexibility. Firstly, we describe how to realize the dynamic distribution of additive aggregation tasks based on this scheme.

Dynamic task distribution: First, in the secret sharing algorithm, Shamir’s threshold secret sharing scheme is used to assign secret shares to all $m>t$ servers that can complete the computation task. Consider that in real computing scenarios, there may be some servers that are temporarily unable to provide computation services due to failures. To solve the above problem, the client (multiparty data holder) in our scheme sends to the server an indexed set $W={\{j_1,\dots ,j_{t+1}\}}_{j\in \left[m\right]}$ of $t+1$ servers performing this computation task. When the server executes the partial computation algorithm, the server with index $j\in W$ computes an interpolation polynomial locally based on all the indices in the set to obtain n additive secret shared values, and according to the polynomial difference theorem, all the additive secret shared values of this server are summed to obtain the partial result of the summation of the original secret data of all the clients. Finally, an output client sums up the partial results obtained from all servers to obtain the final computation result. When the client learns that some of the servers performing this computation are unable to continue the computation, it simply resends the set of server indexes without recomputing the secret shared values and redistributing them as in the existing scheme. When a new server joins the computation, each client only needs to compute the locally generated polynomial once based on the server index j, and the newly joined server will obtain the secret shared value from the n client.

Based on the above ideas, the specific construction of the DAHSS scheme is given as follows:

1.

Secret sharing: $(x_{i,1},\dots ,x_{i,m})\leftarrow Share(1^{\lambda },i,x_i)$; the client $C_i$ generates a t-dimensional polynomial $P_i$ based on the security parameter $\lambda$ and the secret input $x_i$.

$$P_i\left(X\right)=x_i+a_{1}x+a_2{x}^2+\dots +a_t{x}^t$$

(7)

where ${\left\{a_i\right\}}_{i\in \left[t\right]}$ is the result of random sampling on $GF\left(q\right)$, and the constant term $x_i$ is the original secret data. Substituting m server indices $j\in \left[m\right]$ into the polynomial $P_i$ generates the full secret shared share $x_i$ of the secret ${\left\{x_{i,j}\right\}}_{j\in \left[m\right]}=\{P_i\left(1\right),\dots ,P_i\left(m\right)\}$, and we send $x_{i,j}$ to server $S_i$.

2.

Partial Evaluation: $y_j\leftarrow PartialEval(W,j,(x_{1,j},\dots ,x_{n,j}))$; for all $j\in W$, the server $S_j$ obtains the set of server indexes $W=\{j_1,\dots ,j_{t+1}\}$ and n secret shared shares $(x_{1,j},\dots ,x_{n,j})$. $S_j$ first computes the corresponding interpolating polynomials according to the Lagrange interpolating polynomial theorem.

$$c_j\left(x\right)=\prod _{j\in W={\left\{j_e\right\}}_{e\in [t+1]}}\frac{x-j_e}{j-j_e}$$

(8)

$$c_j\left(0\right)=\prod _{j\in W={\left\{j_e\right\}}_{e\in [t+1]}}\frac{-j_e}{j-j_e}$$

(9)

Multiply the constant $c_j\left(0\right)$ by all the local secret sharing shares $(x_{1,j},\dots ,x_{n,j})$ to obtain the additive secret sharing share $\{s_{1,j},\dots ,s_{n,j}\}$.

$$\{s_{1,j},\dots ,s_{n,j}\}=\{c_j\left(0\right)x_{1,j},\dots ,c_j\left(0\right)x_{n,j}\}$$

(10)

At this point, the shared share of additive secrets held locally by all servers ${\left\{S_j\right\}}_{j\in W}$ satisfies the following:

$$x_i=\sum _{j\in W}{s}_{i,j}$$

(11)

The final server $S_j$ local computation is as follows:

$$y_j=s_{1,j}+s_{2,j}+\dots +s_{n,j}$$

(12)

Obtain the partial outsourcing addition calculation and output $y_j$.

3.

Final Evaluation: $y\leftarrow FinalEval(y_{j_1},\dots ,y_{j_t})$; output the client obtains from t partial results from the server. Compute Equations (4)–(9), and sum all the partial results to obtain the result of the outsourced computation.

$$y=y_{j_1}+y_{j_2}+\dots +y_{j_{t+1}}$$

(13)

4.2. Proof of DAHSS

Theorem 1. 

The DAHSS program is correct.

Proof of Theorem 1. 

In the DAHSS outsourced computing scheme, for clients $C_i$ holding data $x_i$, and for all servers $S_j$ whose index j is contained in the set of indexes W, then, according to the Lagrange Interpolation Polynomial Theorem, it is obtained that

$$\begin{array}{c}y={\displaystyle \sum _{j\in W}}{\displaystyle \sum _{i\in \left[n\right]}}{c}_j\left(0\right)x_{i,j}\hfill \\ ={\displaystyle \sum _{j\in W}}{\displaystyle \sum _{i\in \left[n\right]}}({\displaystyle \prod _{j\in W={\left\{j_e\right\}}_{e\in \left[t\right]}}}\frac{-j_e}{j-j_e}{x}_{i,j})\hfill \\ ={\displaystyle \sum _{j\in W}}{\displaystyle \sum _{i\in \left[n\right]}}({\displaystyle \prod _{j\in W={j_e}_{e\in \left[t\right]}}}\frac{-j_e}{j-j_e}{x}_{i,j})\hfill \\ ={\displaystyle \sum _{i\in \left[n\right]}}{P}_i\left(0\right)\hfill \\ =x_1+x_2+...+x_n\hfill \end{array}$$

(14)

So, the DAHSS program has perfect correctness. □

Theorem 2. 

The DAHSS program has t-Input Privacy.

Proof of Theorem 2. 

Assume that $\left|T\right|=t$ and that the adversary A can control t servers and can obtain $tn$ secret sharing shares from the controlled servers. Without loss of generality, assume that the first t servers are the controlled servers, i.e., $W=\{1,\dots ,t+1\}$.

For $i\in \{0,1\}$, set ${\{s_{i,1},s_{i,2},\dots ,s_{i,t+1}\}}_{i\in \left[n\right]}$ is denoted as the additive secret share secret of $x_i$, and $s_{i,1}$ is the polynomial value of $x_{i,j}$ in the threshold secret share of Shamir’s $(t,n)$ published to each server multiplied by the interpolation coefficient of $c_j\left(0\right)$ to obtain an additive secret share shares that satisfies

$$\begin{array}{c}{x}_i={\displaystyle \sum _{j\in [t+1]}}{s}_{i,j}\hfill \\ ={\displaystyle \sum _{j\in [t+1]}}{c}_j\left(0\right)x_{i,j}\hfill \\ =s_{i,t+1}-{\displaystyle \sum _{j\in \left[t\right]}}{s}_{i,j}\hfill \end{array}$$

(15)

At this point, the challenger chooses i by tossing a coin and sends $\{s_{i,1},s_{i,2},\dots ,s_{i,t+1}{\}}_{i\in \left[n\right]}$ and $s_{i,t+1}$ to the adversary A, and based on Shamir’s Threshold Secret Sharing Security, no PPT adversary can distinguish whether $s_{i,t+1}$ is the $(t+1)$th share of $x_0$ or the $x_1$th share of $x_1$. Thus, the adversary A can only guess with a probability of $1/2$ whether $s_{i,t+1}$ corresponds to $x_0$ or $x_1$ and return $b=0/1$ to the challenger. Thus, $Ad{v}_{A,DAHSS}(1^{\lambda },T)\le negl\left(\lambda \right)$ is satisfied for any $PPT$ adversary A, so the DAHSS scheme is t-input private. □

5. Dynamic Verifiable Additive Homomorphic Secret Sharing

The dynamically verifiable additive homomorphic secret sharing scheme uses the DAHSS of Section 4 as a base scheme, where n clients $\{{\mathrm{C}}_1,\dots ,C_n\}$ will be the original secret data $(x_1,\dots ,x_n)$ into the $Share$ algorithm to obtain the output secret shared shares $(x_{1,1},\dots ,x_{n,m})$, and we also multiply the private authentication key $\alpha$ by the secret data $x_i$ to obtain $r_i=\alpha x_i$ and input it into the $Share$ algorithm, which sends the generated $x_i$ and $r_i$ shared shares to m servers together, where $r_i$ is used to validate the computation results. Each server $S_j$ has $2n$ shared shares. The set W of the server indexes for this computation is broadcast before the start of a computation task, and the set of servers $S_j$ indexed within the set W applies the algorithm $PartialEval$ to compute a linear combination of all the secret inputs while generating a proof, and it finally outputs the final output of the client computation and verifies the computation to be plausible based on the proof results. During the computation, for any potentially corrupted t server raw data, $(x_1,\dots ,x_n)$ are private. When there exists a portion of the computational servers that cannot perform the task, a new set W of server indexes is rebroadcast.

Definition 2. 

The Dynamic Verifiable Additive Homomorphic Secret Sharing the (DVAHSS) scheme is a 6-tuple system $(Share,PartialEval,PartialProof,FinalEval,FinalProof,verify)$ consisting of the PPT algorithm, which is formally defined as follows:

• Secret Sharing: $(s_{i,1},\dots ,s_{i,m})\leftarrow Share(1^{\lambda },i,x_i,\alpha )$; the input to the algorithm is the security parameter λ, the secret data $x_i$, and the authentication key α, and the output is the secret shared share $(s_{i,1},\dots ,s_{i,m})$.
• Partial Evaluation: $y_j\leftarrow PartialEval(W,j,(s_{1,j},\dots ,s_{n,j}))$); the inputs to the algorithm are the set of server indexes $W=\{j_1,\dots ,j_{t+1}\}$, the server index $j\in \left[n\right]$, and the secret share $(s_{1,j},\dots ,s_{n,j})$, and the output is a partial computation $y_j$.
• Partial Proof: ${\sigma }_j\leftarrow PartialProof(W,j,(s_{1,j},\dots ,s_{n,j}))$; the inputs to the algorithm are the set of server indexes $W=\{j_1,\dots ,j_{t+1}\}$, server indexes $j\in \left[n\right]$, and secret shared shares $(s_{1,j},\dots ,s_{n,j})$, and the output is the partial proof result ${\sigma }_j$.
• Final Evaluation: $y\leftarrow FinalEval(y_{j_1},\dots ,y_{j_{t+1}})$; the input to the algorithm is the result of the partial computation $(y_{1,1},\dots ,y_{m,1},y_{1,2},\dots ,y_{m,2})$, and the output is the final computation y.
• Final Proof: $\sigma \leftarrow FinalProof({\sigma }_{j_1},\dots ,{\sigma }_{j_{t+1}})$; the input to the algorithm is the partial proof $({\sigma }_1,\dots ,{\sigma }_m)$, and the output is the final proof σ.
• Verification: $\perp /1\leftarrow Verify(\alpha ,y,\sigma )$; the inputs to the algorithm are the verification key α, the final computation of the result y, and the final proof σ, and the output of the verification result $\perp /1$.

The DVAHSS scheme should satisfy Correctness, t-Input Privacy, and t-Verifiability.

• Correctness: If for all secret inputs ${\left\{x_i\right\}}_{i\in \left[n\right]}$, all $Share$ algorithms generate secret shares $\{x_{i,1},\dots ,x_{i,m}{\}}_{i\in \left[n\right]}$ and all $PartialEval$ algorithm outputs $\{y_{j_1},\dots ,y_{j_t}{\}}_{j\in W}$, the DAHSS scheme is correct if it satisfies the following:

  $$Pr[FinalEval(y_{j_1},\dots ,y_{j_t})=f(x_1,\dots ,x_n)]=1$$

  (16)
• t-Input Privacy: Let $\mathrm{T}\in {\left(\left[m\right]\right)}_t$ represent the set of t servers, and assume that A is an arbitrary $PPT$ adversary and is able to control the server ${\left\{S_j\right\}}_{j\in T}$. Assume the following experiment:
  Experiment $Ex{p}_{A,DAHSS}(1^{\lambda },T)$:

  1.

  The adversary A gives $(i,x_i,{x_i}^{\prime })\leftarrow A\left(1^{\lambda }\right)$ to the challenger, where $i\in \left[n\right]$, $x_i\ne {x_i}^{\prime }$ and $|x_i|\ne |{x_i}^{\prime }|$;

  2.

  The challenger randomly chooses $b\leftarrow \{0,1\}$;

  3.

  If $b=0$, compute $(x_{i,1},\dots ,x_{i,m})\leftarrow Share(1^{\lambda },i,x_i)$;

  If $b=1$, compute $({x_{i,1}}^{\prime },\dots ,{x_{i,m}}^{\prime })\leftarrow Share(1^{\lambda },i,{x_i}^{\prime })$;

  4.

  The adversary outputs a guess $b^{\prime }=A\left({\left(x_{i,j}\right)}_{j\in T}\right)$ to the challenger based on all the secret shared shares held by the t servers under its control; Return 1 if $b^{\prime }=b$; otherwise, return 0.

  We define the advantage of the adversary A as follows:

  $$Ad{v}_{A,DVAHSS}(1^{\lambda },T)=|Pr[Ex{p}_{A,DVAHSS}(1^{\lambda },\mathrm{T})=1]-\frac{1}{2}]|$$

  (17)
  A DAHSS scheme is t-input private if $Ad{v}_{A,DAHSS}(1^{\lambda },T)\le negl\left(\lambda \right)$ is satisfied for any $PPT$ adversary A.
• t-Verifiability: Let $T\in {\left(\left[m\right]\right)}_t$, assuming that A is a $PPT$ adversary and can control the server ${\left\{S_j\right\}}_{j\in T}$. Assume the following experiment:
  Experiment $Ex{p}_{A,DVAHSS,Ver}(1^{\lambda },T)$:

  1.

  Initialization: The challenger initializes a list $B\ne Ø$ for recording queries from A.

  2.

  Shared Queries: A adaptively queries $x_i(i\in \left[n\right])$. For a given $x_i$, the challenger runs $(s_{i,1},\dots ,s_{i,m})\leftarrow Share(1^{\lambda },i,x_i,\alpha )$, generates the shared share $s_{i,1},\dots ,s_{i,m}$, updates the list $B=B\cup \{x_i,s_{i,1},\dots ,s_{i,m}\}$, and sends ${\left\{s_{i,j}\right\}}_{j\in T}$ to the adversary A.

  3.

  Validation Queries: A performs an adaptive validation query. Suppose that ${\left\{{\widehat{y}}_j\right\}}_{j\in T}$ is a query from A, where ${\left\{{\widehat{y}}_j\right\}}_{j\in T}$ is a modified output share. For a given validation query, the challenger performs the following operation: for each $i\in \left[n\right]$, obtain from B $(x_i,s_{i,1},\dots ,s_{i,m})$; for all $j\in \left(\right[m\left]\right)\setminus T$, compute ${\widehat{y}}_j\leftarrow PartialEval{(W,j,\{s_{i.j}\}}_{i\in \left[n\right]})$; accordingly, compute $\widehat{y}\leftarrow FinalEval({\widehat{y}}_1,\dots ,{\widehat{y}}_m)$. During the validation of the query, if $\widehat{y}\ne \{(x_1+\dots +x_n),\perp \}$, the output is 1. Otherwise, the output is 0.

  We define the advantage of the adversary A as follows:

  $${Adv}_{A,Ver}(1^{\lambda },T)=|Pr[Ex{p}_{A,Ver}(1^{\lambda },T)=1]-\frac{1}{2}]|$$

  (18)
  A DVAHSS scheme is t-input private if, for any $PPT$ adversary A, it satisfies $Ad{v}_{A,DVAHSS.Ver}(1^{\lambda },$T$)\le negl(\lambda )$.

5.1. Construction of DVAHSS

Based on the DAHSS scheme, we propose a more compact DVAHSS scheme for implementing verifiable secure outsourced additive computation. The DVAHSS scheme requires the distribution of authentication keys by trusted centers and only supports private authentication, but compared to publicly verifiable additive homomorphic secret shared secure outsourced computation, the proposed scheme is more computationally compact and has less computational overhead for both the clients and the servers. Firstly, we introduce the computation initialization verification key and verifiable computation settings.

Verification key generation: Adopting the third party trusted center setup, the trusted center randomly selects an element $\alpha$ as the validation key on the finite field $GF\left(q\right)$, and that is when the client joins the computation, and the trusted center sends this validation key $\alpha$ to the client to ensure that all the clients locally hold the same validation key $\alpha$.

Validation Queries: In DVAHSS, all clients combine the private authentication key $\alpha$ with the secret data $x_i$ to obtain $r_i=\alpha x_i$. In the secret sharing phase, in addition to the computed secret sharing share of $x_i$, the secret sharing share of $r_i$ is also computed and sent to the server separately. The server needs to generate partial proofs based on the $r_i$ share in addition to the partial computation results. Finally, the output client aggregates all the partial proof results, generates the final proof result, and sends it to the client, which accepts the final computation result if $y=\alpha \sigma$.

Based on the above working idea, the specific construction of DAHSS scheme is given as follows:

1.

Secret sharing: The client $C_i$ generates two t-th degree polynomials on $GF\left(q\right)$ according to the security parameter $\lambda$ and the secret input $x_i$:

$$P_i\left(X\right)=x_i+a_{1}x+a_2{x}^2+\dots +a_t{x}^t$$

(19)

$${P_i}^{\prime }\left(X\right)=\alpha x_i+b_{1}x+b_2{x}^2+\dots +b_t{x}^t$$

(20)

where ${\left\{a_i\right\}}_{i\in \left[t\right]},{\left\{b_i\right\}}_{i\in \left[t\right]}$ is the result of random sampling on $GF\left(q\right)$. Assume that $r_i=\alpha x_i$. Bring m server indices $j\in \left[m\right]$ into the polynomials $P_i$ and ${P_i}^{\prime }$ to generate the full secret shared share $x_i$ of the secret ${\left\{x_{i,j}\right\}}_{j\in \left[m\right]}=\{P_i\left(1\right),\dots ,P_i\left(m\right)\}$ and the full secret share of secret $r_i$${\left\{r_{i,j}\right\}}_{j\in \left[m\right]}=\{{P_i}^{\prime }\left(1\right),\dots ,{P_i}^{\prime }\left(m\right)\}$, and finally, send $\left\{s_{i,j}\right\}={\left\{x_{i,j}\right\}}_{j\in \left[m\right]}\cup {\left\{r_{i,j}\right\}}_{j\in \left[m\right]}$ to all servers $S_j$.

2.

Partial Evaluation: $y_j\leftarrow PartialEval(W,j,(x_{1,j},\dots ,x_{n,j}))$; for all $j\in W$, the server $S_j$ obtains the set of server indexes $W=\{j_1,\dots ,j_{t+1}\}$ and n secret shared shares $(s_{1,j},\dots ,s_{n,j})$. The server $S_j$ computes the interpolating polynomial corresponding to the local secret share:

$$c_j\left(x\right)=\prod _{j\in W={\left\{j_e\right\}}_{e\in [t+1]}}\frac{x-j_e}{j-j_e}$$

(21)

$$c_j\left(0\right)=\prod _{j\in W={\left\{j_e\right\}}_{e\in [t+1]}}\frac{-j_e}{j-j_e}$$

(22)

Multiplying the constant $c_j\left(0\right)$ by the local secret share $(x_i$) of $(x_{1,j},\dots ,x_{n,j})$ to obtain the additive secret sharing share $(s_{1,j},\dots ,s_{n,j})$ yields the following:

$$x_i=\sum _{j\in W}{c}_j\left(0\right)x_{i,j}=\sum _{j\in W}{x}_{i,j}$$

(23)

According to the Lagrange Interpolation Polynomial Theorem, the shared share of additive secrets held locally by all servers ${\left\{S_j\right\}}_{j\in W}$ satisfies the following:

$$x_i=\sum _{j\in W}{s}_{i,j}$$

(24)

The server $S_j$ locally computes $y_j=x_{1,j}+x_{2,j}+\dots +x_{n,j}$, obtains the result of the partially outsourced additive computation $y_j$, and outputs it.

3.

Partial proof: ${\sigma }_j\leftarrow PartialProof(W,j,(s_{1,j},\dots ,s_{n,j}))$; since the set of server indexes W obtained by the server $S_j$ is fixed, the constant $c_j\left(0\right)$ obtained by the $PartialEval$ algorithm is multiplied by the local secret sharing share of $r_i$ to obtain the following additive secret sharing share:

$${\sigma }_{1,j},\dots ,{\sigma }_{n,j}=c_j\left(0\right)r_{1,j},\dots ,c_j\left(0\right)r_{n,j}$$

(25)

According to the Lagrange Interpolation Polynomial Theorem, the shared share of additive secrets held locally by all servers ${\left\{S_j\right\}}_{j\in W}$ satisfies the following:

$$r_i=\sum _{j\in W}{c}_j\left(0\right)r_{i,j}=\sum _{j\in W}{\sigma }_{i,j}$$

(26)

Then, the server $S_j$ locally computes ${\sigma }_j={\sigma }_{1,j}+{\sigma }_{2,j}+\dots +{\sigma }_{n,j}$ to obtain the partial proof ${\sigma }_j$ and outputs it.

4.

Final Evaluation: $\sigma \leftarrow FinalProof({\sigma }_{j_1},\dots ,{\sigma }_{j_t})$; output the client to obtain t partial results from the server, and add up all the partial results to obtain the final calculation.

$$y=y_{j_1}+y_{j_2}+\dots +y_{j_t}$$

(27)

5.

Final proof: $\sigma \leftarrow FinalProof({\sigma }_{j_1},\dots ,{\sigma }_{j_t})$; this outputs that the client obtains t partial proofs from the server, as in Equations (4)–(20), and sums up all partial results to obtain the proof result.

$$\sigma ={\sigma }_{j_1}+{\sigma }_{j_2}+\dots +{\sigma }_{j_t}$$

(28)

6.

Verify: $\perp /1\leftarrow Verify(\alpha ,y,\sigma )$; this inputs the client to compute whether $y=\alpha \sigma$ is satisfied, outputs 1 if it is satisfied, and otherwise outputs ⊥.

5.2. Proof of DVAHSS

Theorem 3. 

The DVAHSS program is correct.

Proof of Theorem 3. 

In the DVAHSS scheme, for all clients $C_i$ holding data $x_i$ and data $\alpha x_i$, and for all servers $S_j$ whose index j is contained in the set of indexes W, the result of the computation satisfies the following:

$$y=x_1+x_2+\dots +x_n$$

(29)

Similarly, it is easy to obtain the following:

$$\begin{array}{c}\sigma ={\displaystyle \sum _{j\in W}}{\displaystyle \sum _{i\in \left[n\right]}}{c}_j\left(0\right)r_{i,j}\hfill \\ ={\displaystyle \sum _{j\in W}}{\displaystyle \sum _{i\in \left[n\right]}}({\displaystyle \prod _{j\in W={\left\{j_e\right\}}_{e\in \left[t\right]}}}\frac{-j_e}{j-j_e}{r}_{i,j})\hfill \\ ={\displaystyle \sum _{i\in \left[n\right]}}{P_i}^{\prime }\left(0\right)\hfill \\ =\alpha x_1+\alpha x_2+\dots +\alpha x_n\hfill \end{array}$$

(30)

If $\sigma =\alpha y$, the client will accept $y=f(x_1,\dots ,x_n)$. Thus, if the DAHSS scheme satisfies correctness, then DVAHSS has correctness. □

Theorem 4. 

The DVAHSS program has t-Input Privacy.

Proof of Theorem 4. 

The secret sharing shares of $x_i$ and $\alpha x_i$ obtained by the server $S_j$ in the secret sharing phase are computed and shared by two different polynomials, and according to Theorem 2, it is not possible for any $PPT$ adversary A to distinguish whether $s_{i,t+1}$ is the $t+1$th share of $x_0$ or $x_1$’s $t+1$ share, nor can they guess whether $r_{i,t+1}$ is $r_0$’s $t+1$ share or $r_1$’s $t+1$ share, and thus, for any $PPT$ adversary A, it satisfies $Ad{v}_{A,DAHSS}(1^{\lambda },T)\le negl\left(\lambda \right)$, so the DVAHSS scheme is t-input private. □

Theorem 5. 

The DVAHSS program has t-Verifiability.

Proof of Theorem 5. 

Let $T\in {\left(\left[m\right]\right)}_t$, thus assuming that A is a $PPT$ adversary and can control the server ${\left\{S_j\right\}}_{j\in T}$. Let E be the event $Ex{p}_{A,DVAHSS.Ver}(1^{\lambda },T)=1$, and let $E_b$ be the event that the experiment $Ex{p}_{A,DVAHSS.Ver}(1^{\lambda },T)$ outputs after b validation queries. For the event of 1, Let $Q=poly\left(\lambda \right)$ be the upper bound of the validation query initiated by the adversary A. Then, there is $E={\cup }_{l=1}^Q$. What needs to be proved is that $Pr\left[E\right]\le negl\left(\lambda \right)$.

Let ${\left\{{\widehat{y}}_j\right\}}_{j\in \Gamma }$ be the $b_{t}h$ verification query proposed by the adversary A. For all $j\in \left[m\right]$, the challenger extracts from B ${\{x_i,s_{i,1},\dots ,s_{i,m}\}}_{i\in \left[n\right]}$ and computes the following:

$${\widehat{u}}_j\leftarrow PartialEval(pk,j,f,{\left\{s_{i,j}\right\}}_{i\in \left[n\right]}),{\widehat{v}}_j\leftarrow PartialProof(pk,j,f,{\left\{s_{i,j}\right\}}_{i\in \left[n\right]}))$$

(31)

$$\begin{array}{c}\widehat{u}=HE.Dec(sk,{\widehat{u}}^{\prime }\leftarrow FinalEval(sk,{\widehat{u}}_1,\dots ,{\widehat{u}}_m))\hfill \\ \widehat{v}=HE.Dec(sk,{\widehat{v}}^{\prime }\leftarrow FinalProof(sk,{\widehat{v}}_1,\dots ,{\widehat{v}}_m))\hfill \end{array}$$

(32)

The challenger will accept and output $\widehat{u}$ only when $\widehat{v}=\alpha \widehat{u}$. Assume that $u,v$ is the result of the server’s honest computation of the correct computation of the program, where $v=\alpha u$. Suppose that ${\Delta }_u=\widehat{u}-u$ and at the same time that ${\Delta }_v=\widehat{v}-v$. Then, the event $E_b$ occurs when and only when both $\widehat{v}=\alpha \widehat{u}$ and $v=\alpha u$ hold, as well as when ${\Delta }_u\ne 0$. Clearly, $E_b$ occurs when it satisfies the following:

$$\left({\Delta }_u\ne 0\right)\wedge \left(\alpha ={\Delta }_u{\Delta }_u^{-1}\right)$$

(33)

After $b-1$ unsuccessful queries, the adversary A can exclude $\le b-1$ values of $\alpha \in GF\left(q\right)\setminus \left\{0\right\}$. From the adversary A’s perspective, the $\alpha \in GF\left(q\right)\setminus \left\{0\right\}$ at the bth validation query is still uniformly distributed over more than $\left|q\right|-1-(b-1)$ elements. Thus, by union bounds, it follows that

$$Pr\left[E\right]\le \frac{1}{\left|q\right|-1-(b-1)}=\frac{1}{\left|q\right|-b}$$

(34)

$$Pr\left[E\right]\le \sum _{b=1}^{Q}Pr\left[E_b\right]\le \sum _{b=1}^Q\frac{1}{\left|q\right|-b}\le \frac{Q}{\left|q\right|-Q}$$

(35)

For $\left|q\right|\approx 2^{\lambda }$ and $Q=poly\left(\lambda \right)$, $\frac{Q}{\left|q\right|-Q}$ is a negligible function. So, $Pr\left[E\right]\le negl\left(\lambda \right)$, which leads to a scheme satisfying t-verifiability. □

6. Discussion

As seen in

Table 1. Description of symbols for program analysis.

Notation	Description
$T_{mul}$	Multiplication time
$T_{add}$	Additive computation time
$T_{Peval}$	Polynomial computation time for secret sharing
$T_{coeff}$	Calculation time for each Lagrangian coefficient
$T_H$	Linear homomorphic hash operation time
$T_e$	Exponential computation time

, this section first gives a description of the notation in the analysis.

6.1. Efficiency

An interesting finding is that our proposed scheme can implement both verification computation with dynamic aggregation and verification computation without dynamic aggregation. When the number of servers is equal to the threshold $t+1$, it will degenerate into a static verifiable homomorphic secret sharing scheme, i.e., a verification scheme without dynamic aggregation; when the number of servers is greater than the threshold $t+1$, it will be able to achieve dynamic aggregation verification. The verification methods with and without dynamic aggregation will not affect the computation step; the difference is only that the verification method with dynamic aggregation requires more servers, and when the server performing the computation in the computation task fails, there is no need to restart the computation as in the existing scheme but only to broadcast another server index collection.

6.1.1. Efficiency of DAHSS

The first static outsourcing additive computation scheme (AHSS) based on homomorphic secret sharing was proposed in [9]. When taking $t=m-1$, the DAHSS scheme degenerated into a static outsourcing computation scheme, with which it was analyzed and compared at this point. Considering all clients executing in parallel with all servers, the average computational overhead per server and per client in both schemes were compared.

Table 2. Comparison with AHSS.

Algorithm	AHSS	DAHSS
$Share$ (Client)	$m{T}_{Peval}+m{T}_{coeff}+m{T}_{mul}$	$m{T}_{Peval}$
$PartialEval$ (Server)	$n{T}_{add}$	$n{T}_{add}+T_{coeff}+n{T}_{mul}$
$FinalEval$ (Output Client)	$m{T}_{add}$	$m{T}_{add}$

shows the comparison between this scheme and the AHSS scheme in terms of the computational overhead.

In the AHSS scheme, each client performs m polynomial computations in the $Share$ algorithm to generate m threshold secret share values, then computes m Lagrange interpolation coefficients, multiplies the m threshold secret share values to the additive secret share values, and finally distributes the additive secret share results directly to the server. Each server only needs to sum up the obtained n additive secret sharing shares from n clients and finally send them to the output clients.

In the DAHSS scheme, each client performs only m polynomial evaluations in the $Share$ algorithm to generate m threshold secret sharing values, which are sent directly to the server. The server only needs to compute one Lagrangian interpolation coefficient computation, then multiply the obtained n threshold secret sharing values to obtain the additive secret sharing result, and then perform n more additive computations.

In summary, the DAHSS scheme proposed in Section 4.2 not only provides more powerful dynamic computation functions compared to the AHSS scheme, but it also has a lower computation time per client and offloads more computations to the server, which is beneficial in practical application scenarios.

6.1.2. Efficiency of DVAHSS

Ref. [12] proposed three publicly verified verifiable outsourcing additive computation schemes, among which the linear homomorphic hash-based verifiable outsourcing additive computation scheme (VAHSS-HSS) was the most efficient in synthesis, so this section analyzes and compares this scheme.

Table 3. Comparison with VAHSS-HSS.

Algorithm	VAHSS-HSS	DVAHSS
$Share$ (Client)	$m{T}_{Peval}+m{T}_{coeff}+m{T}_{mul}+T_H$	$2m{T}_{Peval}$
$PartialEval$ (Server)	$n{T}_{add}$	$n{T}_{add}+T_{coeff}+n{T}_{mul}$
$PartialProof$ (Server)	$T_H$	$n{T}_{add}+T_{coeff}+n{T}_{mul}$
$FinalEval$ (Verifier)	$m{T}_{add}$	$m{T}_{add}$
$FinalEval$ (Verifier)	$m{T}_e$	$m{T}_{add}$
$Verify$ (Verifier)	$n{T}_e+T_H$	$T_{mul}$

shows the computational overhead comparison between this scheme and the VAHSS-HSS scheme.

The DVAHSS scheme builds on the DAHSS scheme, and the computational overhead of executing DVAHSS once is approximately equal to executing the DAHSS scheme twice. Each client performs $2m$ polynomial evaluations in the $Share$ algorithm to generate $2m$ threshold secret shared values. The server computes one Lagrangian interpolation coefficient, then multiplies the obtained $2n$ threshold secret sharing values to obtain the additive secret sharing result, and then performs $2n$ additive computations.

The VAHSS-HSS scheme performs the same secret sharing operation as the AHSS scheme in the $Share$ phase while performing a linear hash mapping of the message once. The server’s partial proof result generation computes one linear homomorphic hash mapping. The computational overhead is high compared to the DAHSS verifier that needs to perform $m+n$ additional exponential computations and one linear homomorphic hash mapping.

In summary, DVAHSS has smaller server and client computational overheads compared to the VAHSS-HSS scheme, and it is significantly more computationally efficient than the VAHSS-HSS scheme, although at the expense of the publicly verifiable property.

6.2. Experiments

6.2.1. Experimental Testing of DAHSS

The DAHSS scheme and AHSS scheme were implemented in PyCharm (2023.3.2) on a Windows 10, Intel(R) Core(TM) i5-8500 CPU @ 3.00 GHz 3.00 GHz processor. The client held data from a dataset of retail transaction data from the University of California, Irvine Machine Learning Repository. Since the values in the dataset are floating point numbers, all input values were multiplied by 100 to preprocess. Each client $C_n$ held the total transaction amount once. We fixed the number of servers of m to be 5. At the number of clients $n=\{10,20,30,40,50\}$, we recorded the total running time of the clients and servers, and the average running time of each client and server (in $\mathsf{\mu }$s), as shown in Figure 1. DAHSS offloads part of the computation to the server, and this structure increases the server computation time, but with the increase in the number of clients, the total client runtime of the DAHSS scenario was significantly smaller than that of the AHSS scenario. Since the primary task of secure outsourcing computation in multiparty data scenarios is to perform joint outsourcing computation while ensuring that the local data of multiple data holders are not known to others, the computation effectiveness cannot simply compare the client and server running time, but it must consider how to offload more computation to the server without disclosing the privacy of multiparty data. Consistent with the theoretical analysis, in the actual multiparty data secure outsourcing computation scenario, the client had a lower computation configuration compared to the server, so the DAHSS scheme of offloading more computations to the server is more suitable for the verifiable secure outsourcing computation scenario of multiparty data.

In addition, the paillier homomorphic encryption scheme [18] can be naturally applied to secure outsourced additive computation scenarios with multiparty data, so this paper additionally adds a comparison experiment with the paillier homomorphic encryption scheme.

Table 4. Paillier homomorphic encryption scheme runtime.

Operation	Time (s)
Client encryption	13.020
Server homomorphic computation	0.005
Client decryption	0.087

shows the total running time of the client (encryption and decryption time) and the server (addition computation time) when using the paillier homomorphic encryption scheme and $n=50$.

It can be seen that the DAHSS and AHSS schemes were significantly faster than paillier homomorphic encryption schemes. Our scheme, as a lightweight alternative to additive homomorphic schemes, has a better performance, but its application scenarios are limited to multiserver computation scenarios, and it cannot resist the complicity of any number of servers, whereas traditional additive homomorphic schemes such as the paillier additive homomorphic scheme have higher confidentiality (security) and can resist arbitrary number of servers coconspiring in multiserver scenarios, but its running time was much higher than our additive homomorphic secret sharing scheme.

6.2.2. Experimental Testing of DVAHSS

The DVAHSS scheme and the VAHSS-HSS scheme were implemented in a Python-based language. The test environment was a virtual machine on a 64-bit Ubuntu 20 system configured with Intel^® Core™ i7-6700 CPU @ 3.40 GHz × 2 and 8G RAM. Linear homomorphic hashing was computed by the group “SS1024”, and the Shamir secret share $Z_p$ was taken to be 1022 bit. A fixed number of clients and servers m of three were used. For a fixed number of clients and servers m of three, an average of 100 runs was performed to test the average running time of each client and each server(in ms), as shown in

Table 5. Comparison with VAHSS-HSS.

Algorithm	VAHSS-HSS	DVAHSS
Client ($Share$)	127.120	2.392
Server ($PartialEval$, $PartialProof$)	125.639	0.381
Verifier ($FinalEval$, $FinalEval$, $FinalEval$)	131.576	16.196 (us)

.

Consistent with the theoretical analysis, DVAHSS does not have a linear homomorphic hashing operation step compared to VAHSS-HSS, and since the linear homomorphic hashing running time is much larger than the time for another secret distribution, DVAHSS operated significantly more efficiently than VAHSS-HSS in private verification scenarios, although it sacrificed the publicly verifiable property.

7. Conclusions

The work in this paper focuses on the security, efficiency and practicality of joint additive computation by multiple participants, and proposes a homomorphic secret sharing scheme and a verifiable homomorphic secret sharing scheme for additive computation. Firstly, a secure dynamic additive homomorphic secret sharing scheme is proposed based on the security and flexibility of Shamir’s threshold secret sharing to realize the dynamic outsourcing computation function, and at the same time, more computations are offloaded to the server to reduce the client computation overhead. Secondly, combining the above outsourcing computation scheme and verifiable computation idea, a dynamic verifiable additive homomorphic secret sharing scheme with lower computation overhead is then proposed. Finally, the detailed security and other proofs of the two schemes are given, and the theoretical analysis as well as the experimental test results are analyzed, which show that the proposed scheme has more flexible computational mechanism, lower client computational overhead, and at the same time, it can realize a more efficient and secure outsourced additive computation scheme while guaranteeing the security of multi-party data. The two schemes in this chapter broaden the application scenarios of secure outsourced computation of multiparty data and provide new solution ideas for the multiparty secure and trustworthy computation problem.

Future work hopes to propose traceable verifiable homomorphic secret sharing schemes. The existing schemes only support the cheating server traceability function for simple multiplication outsourcing computation and require a large number of servers, there is no server traceability scheme for other functions yet, and it is necessary to deeply explore how to use a smaller verification overhead to realize a more powerful cheating server traceability function in the outsourcing computation process.