references:

[Can01] Canetti R. Universally composable security: A new paradigm for cryptographic protocols[C]//Proceedings 42nd IEEE Symposium on Foundations of Computer Science. IEEE, 2001: 136-145.
[Gol04] Oded Goldreich. Foundations of Cryptography: Volume 2, Basic Applications. Cam bridge University Press, New York, NY, USA, 1st edition, 2004.
[Reg05]Oded Regev. On lattices, learning with errors, random linear codes, and cryptography. In STOC, pages 84–93, 2005.
[LP09] Yehuda Lindell and Benny Pinkas. A proof of security of yao’s protocol for two-party computation. J. Cryptology, 22(2):161–188, 2009.
[AJW11] Asharov G, Jain A, López-Alt A, et al. Multiparty computation with low communication, computation and interaction via threshold FHE[C]//Advances in Cryptology–EUROCRYPT 2012: 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, April 15-19, 2012. Proceedings 31. Springer Berlin Heidelberg, 2012: 483-501.
[BGV12] Brakerski Z, Gentry C, Vaikuntanathan V. (Leveled) fully homomorphic encryption without bootstrapping[J]. ACM Transactions on Computation Theory (TOCT), 2014, 6(3): 1-36.
[MP12] Micciancio D, Peikert C. Trapdoors for lattices: Simpler, tighter, faster, smaller[C]//Annual International Conference on the Theory and Applications of Cryptographic Techniques. Berlin, Heidelberg: Springer Berlin Heidelberg, 2012: 700-718.
[GSW13] Gentry C, Sahai A, Waters B. Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based[C]//Annual Cryptology Conference. Springer, Berlin, Heidelberg, 2013: 75-92.
[CM15] Clear M, McGoldrick C. Multi-identity and multi-key leveled FHE from learning with errors[C]//Advances in Cryptology–CRYPTO 2015: 35th Annual Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2015, Proceedings, Part II 35. Springer Berlin Heidelberg, 2015: 630-656.
[MW16] Mukherjee P, Wichs D. Two round multiparty computation via multi-key FHE[C]//Advances in Cryptology–EUROCRYPT 2016: 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Vienna, Austria, May 8-12, 2016, Proceedings, Part II 35. Springer Berlin Heidelberg, 2016: 735-763.

Note that "TFHE" below refers to: Tthreshold FHE (distributed threshold decryption), not TFHE scheme (optimization of GSW).

Article Directory

3 rounds of MPC based on TFHE

3 rounds of MPC based on TFHE

FHE can naturally implement the two-party MPC protocol: Alice generates FHE public and private keys to encrypt her input, Bob also uses Alice's public key to encrypt her input, and then Bob performs homomorphic calculations and only sends the resulting ciphertext to Alice for decryption.

To directly extend the above idea to multiple participants, the following questions arise:

Each party independently generates its own public and private keys, so it is difficult to calculate the ciphertext encrypted by different public keys (this is actually MK-FHE, see [CM15] for details)
A public and private key is generated by a single participant, and other participants use this public key, so once it is compromised, the privacy of all participants will be destroyed

[AJW11] proposed threshold fully homomorphic encryption ( TFHE , threshold fully homomorphic encryption). All participants collaborate to generate a public public-private key pair . Each participant only holds the secret share of the private key . The decryption process is a distributed decryption protocol , and " smudge " needs to be added to hide their private key information. In addition, the FHE of the BGV/BFV route also needs an evaluation key, and the process of generating it is relatively complicated (while GSW does not need it and can be simplified).

TFHE can be used to construct a secure 3-round MPC protocol under the semi-honest model (honest execution, random and uniform), and the multi-party coin toss protocol and ZKP can be transformed into a secure MPC protocol under the malicious model (arbitrary execution), but the round complexity will increase. In fact, [AJW11]'s TFHE is secure under the semi-malicious model (honest execution, but arbitrarily chosen random bands), thus allowing the multi-party coin-flipping protocol to be omitted. There is NIZKP in NP language under CRS model , so a 3-round malicious secure MPC protocol can be obtained, but it is not efficient. [AJW11] designed a dedicated Sigma protocol for LWE language under RO model .

Threshold FHE

The formal definition of threshold fully homomorphic encryption scheme (TFHE) is as follows:

$Key G e n (se t u p)$ ：Interactive protocol among $N$ $P_k,k \in [N]$ Execute the protocol together to generatethe public public key $p k$ ,public relinearization key $ev k$ , andthe secret share of the private key $skk$ $sk_k$ , they imply public and private keys $s k$
$Enc(pk,\mu)$ : non-interactive algorithm, each participant uses $p k$ independently encrypted message $\mu$
$Eval(pk,f,c_1,\cdots,c_l)$ : non-interactive algorithm, each participant uses $p k$ performs homomorphic operations independently
$Dec(sk_1,\cdots,sk_N,c)$ ： $N$ 个参与者之间的交互式协议，各个参与者 $P_k,k \in [N]$ 使用各自的 $sk_k$ 作为输入，协议结束后各方都获得明文 $\mu$

[AJW11] 使用 BGV 方案作为基础加密方案，密文 $c = (a, b)$ 可以被视为多变元线性多项式 $\phi_c(x):=b-a^Tx$ , the decryption algorithm is $Dec(s,c)=(\phi_c(s)\pmod q)\pmod 2$ . Homomorphic addition is $\phi_{add}(x) = \phi_{c_1}(x)+\phi_{c_2}(x)$ , the ciphertext is still a linear polynomial; and the homomorphic multiplication is $\phi_{mul}(x) = \phi_{c_1}(x) \cdot \phi_{c_2}(x)$ ，多项式度数上升为 $2$ ，因此需要 “重线性化” 运算。假设原始私钥为 $s$ ，新的私钥为 $s^{'}$ ，令 $s[i]=s_i,i \in [n]:=\{1,\cdots,n\}$ 表述私钥向量的各分量，并设置 $s [0] = 1$ , then the corresponding relinearization key is:
$\{\psi_{i,j,\tau} \leftarrow SymEnc(s', s_i \cdot s_j \cdot 2^\tau):\,\, i \in [n], j \in [n] \cup\{0\}, \tau \in \{0,\cdots,\lfloor\log (q)\rfloor\}\}$

Key-Homomorphic

我们将判定型 LWE 问题记为 $LWE_{n,q,\phi,\chi}$ ，其中 $\phi$ 是秘密 $s$ 的分布， $\chi$ 是噪声 $e$ 的分布。容易证明，当模数 $q$ 是奇数时， $LWE_{n,q,\phi,2\chi}$ 与 $LWE_{n,q,\phi,\chi}$ 一样难，其中的 $2\chi$ 是指采样 $\leftarrow \chi$ 然后将 $2 e$ 作为输出。

Uniqueness of LWE Secrets：安全参数 $\kappa$ ，令 $n$ 是正整数， $q$ 是素数，设置 $m>n\log(q)+w(\log(\kappa))$ 以及 $B < q /8$ ，那么均匀选取的 $\leftarrow \mathbb Z_q^{m \times n}$ 以概率 $1-negl(\kappa)$ 使得：对于任意的 $\in \mathbb Z_q^m$ ，存在至多单个 $(s, e)$ 满足 $\in \mathbb Z_q^n$ 以及 $\in [-B,B]^m$ ，使得 $p = A s + 2 e$ 。如果存在 $\neq (s',e')$ 使得 $p = A s + 2e_= A s^{'} + 2e_^{'}$ , then $\in [-2B,2B]^m$ , for any fixed $s^*=ss'$ , the uniformly selected $A$ The probability that the above formula is true is only $(4B/q)^m \le 2^{-m}$ 。

Now we give a basic encryption scheme based on LWE:

$Setup(1^\kappa)$ ：输入安全参数 $1^\kappa$ ，计算奇数 $q=q(\kappa)$ ，维度 $m=m(\kappa),n=n(\kappa)$ ，环 $\mathbb Z_q$ 上噪声分布 $\phi=\phi(\kappa),\chi=\chi(\kappa)$ ，输出参数 $params=(1^\kappa,q,m,n,\phi,\chi)$
$S y m Key G e n (p a r am s)$ ：采样秘密 $\leftarrow \phi^n$ ，输出 $s k := s$ 作为对称秘钥
$P u b Key G e n (s)$ : uniform sampling $\leftarrow \mathbb Z_q^{m \times n}$ , sampling noise $\leftarrow \chi^m$ ，计算 $\in \mathbb Z_q^m$ (Can be regarded as $m$ ciphertexts $S y m E n c (s k, 0)$ ), output $p k := (A, p)$ as the corresponding public key
$SymEnc(sk,\mu)$ : input message $\mu \in \{0,1\}$ , uniform sampling $\leftarrow \mathbb Z_q^n$ , sampling noise $\leftarrow \chi$ ，计算 $b=a^Ts+2e+\mu \in \mathbb Z_q$ , output ciphertext $c t := (a, b)$
$PubEnc(pk,\mu)$ ：输入消息 $\mu \in \{0,1\}$ ，均匀采样 $\leftarrow \mathbb \{0,1\}^m$ ，计算 $a=r^TA \in \mathbb Z_q^n$ 以及 $b=r^Tp+\mu$ （若 $p = A s + 2 e$ ，则 $b$ 中的噪声为 $2r^Te$ ), output ciphertext $c t := (a, b)$
$Dec (s k, c t)$ : input ciphertext $c t = (a, b)$ ，输出 $(b-a^Ts \pmod q) \pmod 2$

According to the article in [Reg05], in $LWE_{n,q,\phi,\chi}$ 假设下，上述加密方案是语义安全的，同时也是伪随机密文的。之后的一些著名全同态加密都是基于上述加密算法的，例如 BGV、BFV、CKKS 等等。除了加法同态和乘法同态，[AJW11] 进一步提出了“秘钥同态”，这可以用于构造分布式的门限解密协议。将系数 $a, A$ 以及噪声 $e$ 作为图灵机随机带，公钥生成算法的符号记为 $P u b Key G e n (s; A, e)$ ，加密算法的符号记为 $SymEnc(sk,\mu;a,e)$ 和 $PubEnc(pk,\mu;A,e)$ 。

Key-Homomorphic Properties : Given two private keys $s_1,s_2 \in \mathbb Z_q^n$ , two plaintexts $\mu_1,\mu_2 \in \{0,1\}$ ，

Fix a coefficient $\in \mathbb Z_q^n$ , given two noises $e_1,e_2 \in \mathbb Z_q$ , Symmetric encryption $(a,b_1) = SymEnc(s_1,\mu_1;a,e_1)$ 以及 $(a,b_2) = SymEnc(s_2,\mu_2;a,e_2)$ , Natsumimon $a,b_1+b_2)$ 满足
$(a,b_1+b_2) = SymEnc(s_1+s_2,\mu_1+\mu_2;a,e_1+e_2)$
is the addition of the second component of the ciphertext, and the resulting new ciphertext is the homomorphic addition ciphertext under the sum of the two private keys.
Fix a coefficient $\in \mathbb Z_q^{m \times n}$ ，任给两个噪声 $e_1,e_2 \in \mathbb Z_q^m$ ，公钥生成 $A,p_1)=PubKeyGen(s_1;A,e_1)$ 以及 $A,p_2)=PubKeyGen(s_2;A,e_2)$ ，那么公钥 $A,p_1+p_2)$ 满足
$A,p_1+p_2)=PubKeyGen(s_1+s_2;A,e_1+e_2)$
is the addition of the second components of the public key, and the resulting new public key is the public key corresponding to the sum of the two private keys.

We expect the combined public key $A,p_1+p_2)$ , the above basic encryption scheme is still semantically secure, but the combined public key distribution is different from the original distribution. [AJW11] proposed that a large noise can be used to pollute (smudge out) any small value, and then prove that the distribution of the ciphertext under the combined public key after contamination is indistinguishable from the uniform distribution.

Smudging Lemma : Security parameter $\kappa$ , let $B_1,B_2$ is a positive integer, $e_1 \in [-B_1,B_2]$ is a fixed integer, $e_2 \leftarrow [B_2,B_2]$ is a uniform random number. Then as long as $B_1/B_2 = negl(\kappa)$ , $e_2$ The distribution of $e_1+e_2$ The distributions of are statistically indistinguishable.
$D = \frac{1}{2} x = - (B_{1} + B_{2}) \sum B_{1} + B_{2} P r [e_{2} = x] - P r [e_{1} + e_{2} = x] = \frac{1}{2} x = - (B_{1} + B_{2}) \sum - B_{2} \frac{1}{B _{2}} + x = - (B_{2}) \sum B_{1} + B_{2} \frac{1}{B _{2}} = \frac{B _{1}}{B _{2}}$
Security of combined keys : we define the adversary $\mathcal A$ and Challenger $\mathcal C$ Game between $C$ $JoinKey^{\mathcal A}(params,B_1,B_2)$ ，

$\mathcal C$ Generate private key $\leftarrow SymKeyGen(params)$ , calculate the public key $(A, p) = P u b Key G e n (s)$ ，将公钥发送给 $\mathcal A$
$\mathcal A$ 自适应地选择 $p^{'}, s^{'}, e^{'}$ ，满足 $p^{'} = A s^{'} + 2 e^{'}$ 以及 $\|e'\|_1 \le B_1$ ，选择明文 $\mu$ ，发送 $(p',s',e',\mu)$ 给 $\mathcal C$
$\mathcal C$ 计算组合秘钥 $A,p^*=p+p')$ ，均匀掷硬币 $\beta \leftarrow \{0,1\}$ ，当 $\beta=0$ 时均匀采样 $pk^*=(a^*,b^*) \leftarrow \mathbb Z_q^{n+1}$ ，当 $\beta=1$ 时计算 $(a^*,b) \leftarrow PubEnc(pk^*,\mu)$ , sampling "pollution noise" $e^* \leftarrow [-B_2,B_2]$ , set $b^*=b+2e^*$ , send "polluted ciphertext" $a^*,b^*)$ A $\mathcal A$
$\mathcal A$ Class $A$ $a^*,b^*)$ In which case, output $\beta' \in \{0,1\}$

我们说组合秘钥是安全的，如果对于任意的 PPT 敌手 $\mathcal A$ ，都有
$\Big|Pr[JoinKey^{\mathcal A}(params,B_1,B_2)=1] - \dfrac{1}{2}\Big| = negl(\kappa)$
可以证明，给定一组参数 $p a r am s$ 使得基础加密方案是语义安全的，那么对于任意的 $B_1,B_2$ ，满足 $B_1/B_2 = negl(\kappa)$ ，组合秘钥是安全的。否则，存在一个 PPT 敌手 $\mathcal A$ 打破组合秘钥安全性。我们构造另一个敌手 $\mathcal B$ ，它的输入是公钥 $p k = (A, p)$ 和密文 $(a, b)$ ，它试图区分 $(a, b)$ 是真正的密文 $P u b E n c (p k, 0)$ 还是均匀随机数。敌手 $\mathcal B$ 以敌手 $\mathcal A$ 作为子程序，为它模拟 $JoinKey^{\mathcal A}$ 游戏中的视图，

$\mathcal B$ 直接将 $p k$ 发送给 $\mathcal A$ ，收到回应 $(p',s',e',\mu)$
$\mathcal B$ 采样噪声 $e^* \leftarrow [-B_2,B_2]$ ，设置 $a^*=a,b^*=b+a^Ts'+\mu+2e^*$ ，发送 $a^*,b^*)$ 给 $\mathcal A$
$\mathcal B$ 输出 $\mathcal A$ 所返回的 $\beta$

易知 $\mathcal B$ 是 PPT 敌手。假设 $(a, b)$ 是均匀的，那么 $a^*,b^*)$ 明显也是均匀的。假设 $\leftarrow PubEnc(pk,0)$ , since $p^{'} = A s^{'} + 2e_^{'}$ ，那么有
$b^* = (r^Tp+2e)+r^T(p'-2e')+\mu+2e^* = r^Tp^*+\mu+(2e^*-2r^Te')$
r $r^Te' \le \|e'\|_1 \le B_1$ , is a small constant, so according to Smudging Lemma, $b^* \overset{s}{\equiv} r^Tp^*+\mu+2e^*$ , so $\mathcal B$ to $\mathcal A$ models statistically indistinguishable views. Thus $\mathcal A$ breaks the security of the combined key, $\mathcal B$ also breaks the pseudo-randomness of the ciphertext of the basic encryption scheme, resulting in a contradiction. Therefore, the tainted ciphertext under the combined key is indistinguishable from the uniform random number, and the combined key is safe.

Construction

Using BGV as the basic encryption algorithm, TFHE is constructed as follows:

$TF H E . Set up ()$ : All participants reach a consensus on all the following parameters to determine the operation $depth$ $of$ $BGV$ $D$ , the encryption algorithm parameter of each layer is $param_d:=(1^\kappa,q_d,m,n,\phi,\chi)$ , noise range $B_\phi,B_\chi \in \mathbb Z$ , the range of pollution noise $B_{eval},B_{enc},B_{dec} \in \mathbb Z$ ，系数 $\{A_d \leftarrow \mathbb Z_{q_d}^{m \times n}\}$ 和 $\{a_{d,i,\tau}^k \leftarrow \mathbb Z_{q_d}^{n}\}$
$TF H E . Key G e n (se t u p)$ :a two-round interactive protocol,

The first round of communication (generate public public key ):
1. Parties $P_k$ Independently generate the public-private key pair of each layer ${(s_d^k,(A_d,p_d^k:=A_ds_d^k+2e_d^k))\}$ , where $A_d$ is the public random string. Parties $P_k$ independent calculation $(a_{d,i,\tau}^k,b_{d,i,\tau}^{k,k}) \leftarrow BGV.SymEnc(s_d^k, 2^\tau \cdot s_{d-1}^k[i]; _{d,i,\tau}^{k,k})$ 以及 $(a_{d,i,\tau}^l,b_{d,i,\tau}^{l,k}) \leftarrow BGV.SymEnc(s_d^k, 0; a_{d,i,r}^l,e_{d,i,\tau}^{l,k}),l \neq k$ , these ${b_{d,i,r}^{l,k}\}$ will be used to create the relinearization key.
2. All parties broadcast ${p_d^k\},\{b_{d,i,r}^{l,k}\}$ , calculate $lpdlp^*_d:=\sum_l p_d^l$ ， $b_{d,i,\tau}^l:=\sum_l b_{d,i,\tau}^{l,k}$ ，将 $A_d,p_d^*)$ as the public public key of each layer, and $\{b_{d,i,\tau}^l\}$ is the ciphertext of the private key fragment.
3. 可以验证，
  $\begin{aligned} (A,d,p_d^*) &= BGV.PubKeyGen(s_d^*;A_d,e_d^*), s_d^*:=\sum_{l=1}^N s_d^l, e_d^*:=\sum_{l=1}^N e_d^l\\ (a_{d,i,\tau}^l, b_{d,i,\tau}^l) &= BGV.SymEnc(s_d^*,2^\tau \cdot s_{d-1}^l[i];a_{d,i,\tau}^l,e_{d,i,\tau}^l), e_{d,i,\tau}^l:=\sum_{k=1}^N e_{d,i,\tau}^{l,k} \end{aligned}$
The second round of communication (generate public relinearization key ):
1. Each participant $P_k$ 采样 $(v_{d,i,j,\tau}^{l,k},w_{d,i,j,\tau}^{l,k}) \leftarrow BGV.PubEnc(p_d^*,0)$ 以及污染噪声 $\leftarrow [-B_{eval},B_{eval}]$ ，计算 $(\alpha_{d,i,j,\tau}^{l,k}, \beta_{d,i,j,\tau}^{l,k}) := s_{d-1}^k[j]\cdot(a_{d,i,\tau}^l, b_{d,i,\tau}^l) + (v_{d,i,j,\tau}^{l,k}, w_{d,i,j,\tau}^{l,k} + 2e)$
2. 各方广播 $\{(\alpha_{d,i,j,\tau}^{l,k}, \beta_{d,i,j,\tau}^{l,k})\}$ ，对于 $\in [n]$ 计算 $\phi_{d,i,j,\tau} := \sum_l\sum_k(\alpha_{d,i,j,\tau}^{l,k}, \beta_{d,i,j,\tau}^{l,k})$ ，对于 $j = 0$ ϕ $\phi_{d,i,j,\tau} := \sum_l(a_{d,i,j,\tau}^{l}, b_{d,i,j,\tau}^{l})$
3. 可以验证，
  $\begin{aligned} (\alpha_{d,i,j,\tau}^{l,k}, \beta_{d,i,j,\tau}^{l,k}) &= BGV.SymEnc(s_d^*,2^\tau \cdot s_{d-1}^l[i]\cdot s_{d-1}^k[j])\\ \phi_{d,i,j,\tau} &= BGV.SymEnc(s_d^*,2^\tau \cdot s_{d-1}^*[i]\cdot s_{d-1}^*[j])\\ \end{aligned}$
The output of the algorithm is: public public key $pk:=(A_0,p_0^*)$ , public relinearization key $evk:=\{\phi_{d,i,j,\tau}\}$ , participant $P_k$ holds the private key $sk_D$ Secret sharing $s_D^k$
$TFHE.Enc(pk,\mu)$ : in parameter $param_0$ Calculate the ciphertext $\leftarrow BGV.Enc(pk,\mu)$ , and then sample additional pollution noise $\leftarrow [-B_{enc},B_{enc}]$ , output ciphertext $c := ((v, w + 2e),_l e v e l = 0)$
$TFHE.Eval(evk,f,c_1,\cdots,c_l)$ : non-interactive algorithm, simply output $BGV.Eval(evk,f,c_1,\cdots,c_l)$
$TFHE.Dec(s_D^1,\cdots,s_D^N,c)$ :a round of interactive protocol,
1. Suppose the ciphertext is of the form $c = (v, w, D)$ , the combined private key is $s_D^*:=\sum_k s_D^k$
2. Parties $P_k$ calculationwk $ekw^k = v^Ts_D^k+2e_k$ , where $e_k \leftarrow [-B_{dec},B_{dec}]$ is the pollution noise, which will partially decrypt the value $w^k$ broadcast to other participants
3. 各方设备 $\phi_c(s_D) = w-\sum_k w^k$ , output plaintext $(\phi_c(s) \pmod q_D) \pmod 2$

We choose a set of parameters so that the basic FHE scheme is semantically safe, and then choose the appropriate pollution noise $B_{eval},B_{enc},B_{dec}$ Make the combined secret key $lpdlp^*_d=\sum_l p_d^l$ is safe. In addition, TFHE also needs to prove the security of its threshold decryption algorithm.

Semi-Malicious MPC

Now, we use the above TFHE, and immediately get a general MPC protocol: let $loutf:(\{0,1\}^{l_{in}})^N \to \{0,1\}^{l_{out}}$ is a deterministic function of any common output , and the multiplication depth of the corresponding logic circuit is $D$ , protocol $\Pi_f$ Proceed as follows:

Initialization: Each participant negotiates the parameter $se t u p$ , let $P_k$ The input is $x_k \in \{0,1\}^{l_{in}}$
The first round of communication: each participant $P_k$ 执行 $TF H E .$ The first round of $Key$ $G$ $e$ $n$ $($ $se$ $t$ $u$ $p$ $)$ $p k$ and private key secret share $sk_k$
The second round of communication: each participant $P_k$ Use the obtained $p k$ $x_k$ bit by bit $x_{k}$ , get ciphertext $c_{k,i} \leftarrow TFHE.Enc(pk,x_k[i])$ . Simultaneously execute $The second round of TF H E . Key G e n (se t u p)$ , obtain the public relinearization key $e v k$ ，将 ${c_{k,i}\},evk)$ pack and broadcast to other participants
The third round of communication: order $f_j$ is the function $The operation function of each output bit of f$ , the homomorphic calculation of all parties $c_j = Eval(evk,f_j,\{c_{k,i}\})$ . When decryption is required, all participants cooperate to execute $y_j = TFHE.Dec(s_D^1,\cdots,s_D^N,c_j)$ to obtain the output value $y=f(x_1,\cdots,x_N)$

According to the standard transformation technique in [Gol04], for any random function $yg(x_1,\cdots,x_N;r) \mapsto y$ , we can define a deterministic function
$f((x_1,r_1),\cdots,(x_N,r_N)) := g(x_1,\cdots,x_N; bigotimes_{i=1}^N r_i)$
As long as there is a participant who flips a coin evenly, then $\bigotimes_{i=1}^N r_i$ will be an unbiased random string. The above conversion process does not increase the round complexity of MPC.

According to the standard transformation technique in [LP09], for any private output function $g(x_1,\cdots,x_N) \mapsto (y_1,\cdots,y_N)$ , we can all define a common output function
$f((x_1,s_1),\cdots,(x_N,s_N)) := y_1 \otimes s_1 \| \cdots \|y_N \otimes s_N$
where $s_k$ is a symmetric encrypted private key independently selected by each party. Execute the MPC protocol to calculate the above functions, and finally each participant $P_k$ $y_k \otimes s_k$ in the calculation result $y_{k} \otimes s_{k}$ Partially decrypted. This only adds a local post-processing pass with minimal overhead and does not increase the round complexity of MPC.

It can be proved that the above MPC protocol is semi-malicious and secure under the UC framework. The UC framework is described in [Can01], the paper has more than 100 pages, and I haven't read it yet, so I won't write the security proof here. The "semi-malicious adversary" here is a stronger concept proposed by [AJW11] than the semi-honest adversary, so it will be easier to switch from a semi-malicious security protocol to a malicious security protocol.

Universal Composability Framework ([Can01]): Define PPT environment $\mathcal Z$ , input as security parameter $1^\kappa$ and auxiliary input $z$ , which operates in the real or ideal world.

Ideal world : There are several virtual participants $\tilde P_1,\cdots,\tilde P_N$ , an ideal rival $\mathcal S$ invades some virtual participants, they calculate a functional $\mathcal F$
Real World : There are several PPT participants $P_1,\cdots,P_N$ , a real adversary $\mathcal A$ has hacked some participants, they execute a protocol $\pi$
Environment $\mathcal Z$ provides input to the participantinteracts with the adversaryduring execution, and finally $\mathcal Z$ judgeswhether it is in the real world or an ideal world. Define random variables $IDEAL_{\mathcal F,S,\mathcal Z}(1^\kappa,z)$ is the view after interaction between the environment and the participants and opponents in the ideal world, let $IDEAL_{\mathcal F,S,\mathcal Z}$ is a distribution cluster. Define the random variable $REAL_{\pi,\mathcal A,\mathcal Z}(1^\kappa,z)$ is the view after interaction between the environment and the participants and adversaries in the ideal world, let $REAL_{\pi,\mathcal A,\mathcal Z}$ is a distribution cluster.

UC Security : Given a positive integer $N$ , let $\mathcal F$ is a $N-$ variable functionality, $\pi$ is a $N-$ party agreement. We say $\pi$ safe calculation $\mathcal F$ , if for any PPT real adversary $\mathcal A$ , both exist in the PPT ideal opponent $\mathcal S$ , such that any PPT environment $\mathcal Z$ 都有
$REAL_{\pi,\mathcal A,\mathcal Z} \overset{c}{\equiv} IDEAL_{\mathcal F,S,\mathcal Z}$
In order to facilitate the construction of the protocol, we often restrict the capabilities of the adversary, for example: semi-honest adversary, malicious adversary, only a certain number of participants can be hacked, and so on. There is also " security-with-abort ", where the ideal opponent $\mathcal S$ can abort, resulting in no functional output on some participants; and "fairness" means that the adversary does not have the ability to abort, and honest participants will always obtain functional output.

Semi-Malicious Adversaries : A semi-malicious adversary is an interactive Turing machine, which has a " witness tape " in addition to the standard input-output tape and random tape . In each round of interaction of the protocol, the adversary replaces $P_k$ send message $m$ , and write the tuple $(x, r)$ , making the opponent $P_k^*$ The history records exactly match the honest execution $P_k(x,r)$ view. In each round, after receiving the message from the honest party, the adversary adaptively chooses $(m, (x, r))$ in different rounds $(x, r)$ can be inconsistent. At the same time, the adversary can terminate the agreement in any round of interaction.

Any semi-honest adversary chooses random bands evenly, and can simply write the random bands on the witness tape, so semi-malicious opponents are more free than semi-honest adversaries. on the witness tape $(x, r)$ , so it is indeed more limited than a malicious adversary. The capabilities of a semi-malicious adversary lie strictly between those of a semi-honest adversary and a malicious adversary.

Full-Malicious MPC

In order to obtain a secure MPC protocol under a malicious model, a standard compiler can be used to convert a semi-honest security protocol, which requires a fair coin-toss protocol and a zero-knowledge proof protocol. Since the MPC protocol based on TFHE constructed by [AJW11] is semi-malicious and secure , the coin tossing link can be omitted . There is a general NIZKP protocol under the CRS model, but it is less efficient. Therefore [AJW11] designed an efficient Gap Sigma protocol (the weakening of the Sigma protocol) for LWE language, and the NIZKP protocol under the RO model can be obtained by using the FS heuristic.

Gap Sigma Protocol：令 $\mathcal R_{zk} \subseteq \mathcal R_{sound}$ are two NP relations, and the corresponding language is $L_{zk} \subseteq L_{sound}$ . About language $L_{zk},L_{sound})$ Gap Sigma protocol $\langle P,V \rangle$ , is a three-round interactive protocol that states $x$ , given $w$ , process $\langle P(w),V \rangle(x)$ produces copies of the form $(a, c, z)$ . It satisfies the following properties:

Correctness : For any $\in \mathcal R_{zk}$ , have $\langle P(w),V \rangle(x)=1$
Special Soundness : Exist PPT Extractor $E$ , any statementTwo acceptable copies of $x$ $\neq c'$ ，那么 $\in \mathcal R_{sound}(x)$
Honest-Verifier Zero-Knowledge : There is a PPT simulator $S$ , given any statement $\in L_{zk}$ and challenge $c$ ，使得 $\leftarrow S(x,c)$ 满足 $\{(a',c,z')\} \overset{s}{\equiv} \{(a,c,z)\}$ , where $(a, c, z)$ is determined by both parties $\langle P(w),V \rangle(x)$ generated interactively

In the Gap Sigma protocol, its completeness and zero knowledge are about the relation $\mathcal R_{zk}$ , while reliability is about the relation $\mathcal R_{sound}$ , satisfy the relation $\mathcal R_{zk} \subseteq \mathcal R_{sound}$ . That is, in $\mathcal R_{zk}$ ( x , w ) in $(x, w)$ all satisfy the above three properties; and for $\mathcal R_{sound}$ Some of ( x , w ) in $(x, w)$ Only reliability is satisfied, and the protocol does not guarantee correctness and zero-knowledge.

[AJW11] constructed a Gap Sigma protocol for the LWE language. Order $B$ is the scale of noise, we define an NP relation:
$\mathcal R_{LWE}^B := \ { ((A,b),(s,2e)): b=As+2e, A \in \mathbb Z_q^{m \times n}, b \in \mathbb Z_q^{m}, s \in \mathbb Z_q^{n}, 2e \in [-B,B]^m \}$
Its corresponding language is recorded as $L_{LWE}^B$ , for $BB^* \ge B$ ，易知 $\mathcal R_{LWE}^{B} \subseteq \mathcal R_{LWE}^{B^*}$ 以及 $L_{LWE}^{B} \subseteq L_{LWE}^{B^*}$ . Now we construct about $(\mathcal R_{LWE}^{B}, \mathcal R_{LWE}^{B^*})$ Gap Sigma protocol $\langle P,V \rangle_{LWE}$ , statement for $\in L_{LWE}^B$ , given that $\in \mathcal R_{LWE}^B(A,b)$ ，

$P$ uniform sampling mask $\leftarrow \mathbb Z_q^n$ And even noise $\leftarrow [-(B^*/2-B), B^*/2-B]^m$ , calculate $b^{'} = A s^{'} + 2e_^{’}$ and send to $V$
$V$ randomly chooses to challenge $\in \{0,1\}$ Send to $P$
$P$ calculation $z = s^{'} + cs$ and send to $V$
$V$ calculation $2e^* = b'+cb-Az$ , judge whether it is a short even noise $2e^* \in [-B^*/2,B^*/2]^m$

It can be proved that when $B/B^* = negl(\kappa)$ a Gap Sigma protocol.

Proof completeness: for the honest prover $P$ , easy to verify $The z = (b^{'} - 2e_^{'}) + c (b - 2e)_= b^{'} + c b - 2 (e^{'} + e)$ ，其中 $\in [-(B^*/2-B), B^*/2-B]^m, 2e \in [-B,B]$ ，therefore $b^{'} + c b - The z = 2 (e^{'} + e)$ is a short even noise
Proving special reliability: Given the statement $(A,$ Two acceptable copies of $b$ $)$ $b',1,z_1), (b',0,z_2)$ , we construct the extractor $E$ , which computes $s^*=z_1-z_2$ 和 $2e^*=b-As^*$ , output $s^*,2e^*)$ . It is easy to verify that $b=As^*+2e^*$ 且 $2e^* \in [-B^*,B^*]$ ,let $(s^*,2e^*) \in \mathcal R_{LWE}^{B^*}(A,b)$ is a proof.
Prove that the honest verifier is zero-knowledgeable: given $(A, b)$ and $c$ , we construct the simulator $E$ , which uniformly samples $\leftarrow \mathbb Z_q^n$ 和 $2e^* \leftarrow [-(B^*/2-B), B^*/2-B]^m$ , calculate $b'=Az+2e^*-cb$ , output simulation view $(b^{'}, c, z)$ 。由于 $b'=Az+2e^*-c(As+2e)$ , so let $s'=z-cs, 2e'=2e^*-2ce$ , then $b^{'} = A s^{'} + 2e_^{'}$ . when $c = 0$ , the analog view is exactly the same as $The real view of V$ is identically distributed. When $c = 1$ , in the real view $b^{'} = A s^{'} + 2e_^{'}$ ，其中 $\leftarrow [-(B^*/2-B), B^*/2-B]^m$ . in the simulation view $b^{'} = A s^{'} + 2e_^{'}$ , of which $2e'=2e^*-2e$ , where $\in [-B,B]^m$ is a fixed small noise, because $2e^* \leftarrow [-(B^*/2-B), B^*/2-B]^m$ . According to Smudging Lemma, when $B/B^* = negl(\kappa)$ in the simulated view and the real view $2e_^{’}$ distribution is statistically indistinguishable.

Using the above protocol $\langle P,V \rangle_{LWE}$ , can construct multiple ZKP protocols on other related languages, and then use the FS heuristic to obtain NIZKP under the RO model. Assemble them into the semi-malicious secure MPC protocol based on TFHE, and force all participants to implement the protocol honestly, so as to realize the maliciously secure MPC protocol. In addition, it needs to be proved that the gap does not affect the security of the protocol.

MPC based on Threshold FHE