Homomorphic Encryption for Secure Multi-Party Computation

Homomorphic Encryption for Secure Multi-Party Computation
by Weerasooriya W.A.A.C.P. (Reg. No: 2011CS219, Index No: 11002192)
for Bachelor of Computer Science (BCSc), SCS3017 Literature Survey
Supervised by Dr. Ranasinghe D.N.
University of Colombo School of Computing, No 35, Reid Avenue, Colombo 07, Sri Lanka (http://www.ucsc.cmb.ac.lk)
December 12, 2014
Reference style: IEEE. Word count: 4864.
Tools: Texmaker 4.3 with MiKTeX 2.9 and Mendeley Desktop 1.12.1 on MS Windows 8


Declaration

I hereby declare that this literature survey report has been prepared by Weerasooriya W.A.A.C.P. based mainly on the reference material listed under the References of this report. No major components (sentences/paragraphs etc.) of other publications are directly inserted into this report without being duly cited.

Name: Weerasooriya W.A.A.C.P. Signature: .................................. Date: December 12, 2014


Abstract

Security of communication has become one of the most important factors in the modern world. Secure Multi-Party Computation (SMPC) has been improved over a few decades. Homomorphic Encryption (HE) is one of the candidates for SMPC implementations. Discovering HE schemes that support SMPC is a timely and valuable task. Multi-party means two or more parties. When it comes to two parties, the most feasible scheme is Fully Homomorphic Encryption. But to have multiple parties, some more complex HE methodologies should be considered. Threshold Homomorphic Encryption comes as an improvement of FHE because of this. Considering the weaknesses of each scheme, this paper presents a few schemes. Somewhat Homomorphic Encryption and Semi Homomorphic Encryption are the other two. Considering only theoretical points is of little use unless they lead to some practical usage. Therefore some of the practical usages of SMPC with HE are also discussed at the end.


Acknowledgments

I should thank my supervisor Dr. Ranasinghe D.N. for guiding me on this topic and for offering valuable advice.

Specially a big "Thank you" should go to all the people who sacrificed their lives for research on these related areas. All the information which has been provided in those reports was highly useful.

Another big "Thank you" should go to the company which provides me all the experiences in my internship life, for giving me the freedom to continue this work.

Special thanks to my family for giving me the freedom that I need to finish this work.

And to the person who is always with me in my life, in ups as well as downs, to make me comfortable.

Weerasooriya W.A.A.C.P. December 12, 2014


Contents

Abstract
Acknowledgments
List of Figures
List of Abbreviations
1 Introduction
    1.1 Secure Multi-Party Computation
    1.2 Homomorphic Encryption
    1.3 Motivation
2 Fully Homomorphic Encryption for Secure Two[2]-Party Computation
    2.1 Overview
    2.2 Implementation
    2.3 Performance
3 Threshold Homomorphic Encryption for SMPC
    3.1 Overview
    3.2 Implementation
    3.3 Performance
4 Somewhat Homomorphic Encryption for SMPC
    4.1 Overview
    4.2 Implementation
    4.3 Performance
5 Semi Homomorphic Encryption for SMPC
    5.1 Overview
    5.2 Implementation
    5.3 Performance
6 Applications
    6.1 Secret Voting
    6.2 Oblivious Negotiation
    6.3 Private Querying of the Database
    6.4 Secure Statistical Computation
    6.5 Distributed Certification Authority
7 Conclusion
References

List of Figures

Figure 1 Chapter 2: Fully Homomorphic Encryption-2PC
Figure 2 Chapter 3: Each party encrypts their inputs
Figure 3 Chapter 3: The final output each party is entitled to know
Figure 4 Chapter 7: Summarizing the findings


List of Abbreviations

SMPC    Secure Multi-Party Computation
MPC     Multi-Party Computation
HE      Homomorphic Encryption
FHE     Fully Homomorphic Encryption
THE     Threshold Homomorphic Encryption
VSS     Verifiable Secret Sharing
SWHE    Somewhat Homomorphic Encryption
SHE     Semi Homomorphic Encryption
LAN     Local Area Network
DB      Database
CA      Certification Authority


1 Introduction

1.1 Secure Multi-Party Computation

Secure Multi-Party Computation allows multiple parties to perform operations on their data while keeping the data private from each other [3, 15]. Each person knows only his or her own input; the inputs of the others are hidden. But they can still perform operations together with the other hidden inputs and get some output [7, 9].

Consider this example. There are two rich people. They want to know who is the richest. But their problem is that they don't want to reveal any other information (how much money each has in total, etc.). This problem is known as the millionaire's problem and was published for the first time in 1982 by Andrew Yao. What type of concept can be used to help them? The concept is Secure Multi-Party Computation.

Consider this general problem. Suppose $m$ people want to compute the value of the function $f(x_1, x_2, x_3, \ldots, x_m)$, where each $x$ is an integer and $1, 2, 3, \ldots, m$ index the people. According to the conditions above, each person should be able to evaluate the value of the function. At the same time, everyone should know only their own input $x$. In the example above $m = 2$, so $f(x_1, x_2) = 1$ if $x_1 > x_2$, else $0$. The reason for such computation is that people tend to cheat each other. In the original implementation of SMPC, many types of functions can be evaluated securely. But it is far from reality. Therefore many algorithms have been introduced to implement SMPC under certain conditions for certain configurations. Secret voting, electronic auctions, private querying of databases, oblivious negotiation and playing mental poker are some of the applications of secure multi-party computation. Different types of methodologies are used to implement Secure Multi-Party Computation. Homomorphic encryption algorithms are one of the candidates [16, 13].

1.2 Homomorphic Encryption

A given encryption algorithm is said to be a homomorphic encryption algorithm if the following can be done [14].

$P_1$ = 1st plain text
$P_2$ = 2nd plain text
$E[P_1]$ = encrypted $P_1$
$E[P_2]$ = encrypted $P_2$

If we can obtain $E[P_1 \oplus P_2]$ without decrypting $E[P_1]$ and $E[P_2]$, then that encryption algorithm is said to be a homomorphic encryption algorithm [12].

The following example illustrates multiplicative homomorphic encryption.

Given $c_i = E(m_i) = m_i^e \bmod N$:

$$c_1 = E(m_1) = m_1^e \bmod N$$

$$c_2 = E(m_2) = m_2^e \bmod N$$

$$c_1 \cdot c_2 = m_1^e \cdot m_2^e \bmod N = (m_1 \cdot m_2)^e \bmod N$$

RSA demonstrates the multiplicative homomorphic property [10]:

$$E(m_1) \cdot E(m_2) = E(m_1 \cdot m_2)$$

There is another type, additive homomorphic encryption, which has the following property.

$$E(m_1) + E(m_2) = E(m_1 + m_2)$$

The idea of computing on encrypted data has a long history. It goes back to 1978, when it was introduced in a paper by Rivest, Adleman and Dertouzos. It was then called Privacy Homomorphism. Under modern terminology it is known as homomorphic encryption.

1.3 Motivation

The implementation of Secure Multi-Party Computation can be considered from different viewpoints. If all the people are honest, then there is no need for SMPC. But the problem is that people tend to cheat. If the total number of persons in the communication is $n$, then the following terms can be defined in relation to SMPC.

Dishonest minority: If the total number of persons that try to cheat (dishonest) is no more than $n/2$, then the communication contains a dishonest minority. Implementing such a scenario is relatively easy.

Dishonest majority: If the total number of persons that try to cheat (dishonest) is more than $n/2$, then the communication contains a dishonest majority. This is one of the hardest conditions to implement, and it is closer to a real-world scenario.

Static adversaries: If the total number of persons that try to cheat (dishonest) is fixed from the beginning of the communication, then the communication contains static adversaries. Implementation is not that hard.

Dynamic adversaries: If the total number of dishonest persons changes during the communication, then the communication contains dynamic adversaries. This is hard to implement and closer to a real-world scenario.

Passive adversaries: Cheaters can read the data, but they cannot change it.

Active adversaries: Cheaters can both read and change the data. This is a more dangerous situation and close to the real-world scenario.

Semi malicious party: A party which follows the specifications of the communication properly but at the same time tries to learn as much information as possible from the other parties dishonestly.

Fully malicious party: A party that does not even follow the specifications of the communication.

Different implementations of SMPC have been introduced from time to time to address each of the above scenarios. In this report the focus is on implementations using homomorphic encryption. The hardest scenario to implement is that of active and dynamic adversaries. Since most applications of SMPC involve a huge number of parties (e.g. voting in an election), most research papers focus on implementing those hardest scenarios with a reasonable time complexity for a large number of parties.

Implementations of SMPC using HE are described in this review, and they come under different scenarios. The relevant scenario is described in each chapter accordingly. The order in which the HE schemes are presented is significant: it goes from one of the simplest scenarios to one of the hardest. It should be noted that each HE scheme is presented along with its SMPC implementation. Therefore the original description of the HE scheme may differ in some situations.


2 Fully Homomorphic Encryption for Secure Two[2]-Party Computation

2.1 Overview

Normally a homomorphic encryption scheme is either additive or multiplicative. Fully Homomorphic Encryption, however, can be used for both operations. This is the reason for the name "Fully". Secure two(2)-party computation can be performed using FHE. The requirement for that is semi-honest parties; that is, FHE for two semi-honest parties yields secure two-party computation. Among the implementations of secure multi-party computation, Fully Homomorphic Encryption may look like one of the simplest, because the scenario is very simple. It should be noted that in the homomorphic encryption world Fully Homomorphic Encryption is considered one of the best in the business for most cases [8].

2.2 Implementation

As described earlier, applying Fully Homomorphic Encryption to two semi-honest parties yields secure two(2)-party computation. This allows arbitrary computation to be performed on encrypted data. Fully homomorphic encryption is one of the most powerful schemes in the homomorphic encryption family, since it provides both additive and multiplicative homomorphic encryption. But when it comes to implementing secure multi-party computation, fully homomorphic encryption by itself can be applied to one of the primitive scenarios of SMPC.

Consider the following example to understand this concept properly. There are two people (Charlie and Sally). Charlie encrypts his input, $A = Encrypt(a)$, and sends the cipher text to Sally. What Sally can do is evaluate the function on Charlie's cipher text together with her own input, using the evaluation function $Y = Eval(f, A, B)$. She then sends only the final encrypted result $Y$ back to Charlie, who can decrypt it. Refer to Figure 1 [1].

2.3 Performance

In this case the communication complexity and Charlie's computation complexity are small and proportional only to Charlie's input/output sizes. They are independent of the function being evaluated. It should be noted that this involves only two (2) parties and only two rounds of interaction. This can be extended to multiple parties, that is, to Secure Multi-Party Computation. For that we can use Threshold Homomorphic Encryption as an extension to FHE, which will be described in the next chapter.

Figure 1: Fully Homomorphic Encryption-2PC [8]

3 Threshold Homomorphic Encryption for SMPC

3.1 Overview

The methodology described in the previous chapter addresses only the problem of two semi-honest parties. It should be extended to allow multiple parties in the communication. The solution for that is Threshold Homomorphic Encryption. This can be applied to static and dynamic adversaries as well as to a dishonest minority. The adversary's view can be thought of as a machine which can access only the information that the machine is entitled to know. Two models can be considered in the communication.

Cryptographic model: The adversary may see all the messages that are sent between parties in this situation. But he can do no harm since encrypted messages are being used.

Unconditionally secure MPC: There is no need to encrypt the data, since no third party is capable of viewing a message that is sent between two given parties, because each party uses a private, dedicated channel.

The cryptographic model is a good solution for a shared channel and thus minimizes the use of resources. Since encrypted channels are used here, it has resistance against active adversaries [4].

3.2 Implementation

The following methodology can be seen as the implementation of Threshold Homomorphic Encryption. It simply begins with each party publishing their encrypted inputs and proving in zero knowledge that they know the input (that they have access to their inputs) [1].

To understand this protocol easily, these concepts may be useful.

Proving you know the plain text: If someone has created an encryption of a particular plain text, then that person can prove in zero knowledge that he knows the plain text.

Proving multiplications correct: Suppose $P_i$ has encrypted a plain text $a$ and, using a constant value $\alpha$, a random encryption of $\alpha \cdot a$ is created. Then one can argue in zero knowledge that $E(\alpha \cdot a)$ contains the product of $E(\alpha)$ and $E(a)$.

Threshold decryption: In this concept it is assumed that the common public key is $P_k$ and the encryption is $E(a)$. Each party holds their own private key. The protocol is capable of securely producing $a$ as the output for each party.

(1) The parties generate an additive secret sharing of $a$:
    (a) Each party $P_i$ chooses at random a value $d_i \in R$, broadcasts an encryption of $d_i$, and proves he knows $d_i$. Let $d$ denote $\sum_{i=1}^{n} d_i$.
    (b) The parties use the third protocol to decrypt $a \oplus d_1 \oplus d_2 \oplus d_3 \oplus \cdots \oplus d_n$.
    (c) Party $P_1$ sets $a_1 = (a + d) - d_1$; all other parties $P_i$ set $a_i = -d_i$. Note that $a = \sum_{i=1}^{n} a_i$.
(2) Each $P_i$ broadcasts an encryption of $a_i \cdot b$, and invokes the second protocol with inputs $b$, $a_i$ and $a_i \cdot b$.
(3) Let $H$ be the set of parties for which the previous step succeeded, and let $C$ be the complement of $H$. The parties decrypt $\oplus_{i \in C}\, a_i$, learn $a_C = \sum_{i \in C} a_i$, and compute $a_C \cdot b$. From this, and $a_i \cdot b$ for $i \in H$, all parties can compute an encryption $(\oplus_{i \in H}\, a_i \cdot b) \oplus a_C b$, which is indeed an encryption of $a \cdot b$. Refer [4]

Figure 2: Each party encrypts their inputs [8]

In the final stage the decryption of the output value can be taken; the remaining task is just to decrypt it. The points highlighted above describe the basic idea of the threshold homomorphic encryption scheme. This methodology is secure if the encryption is secure. This methodology is more efficient. It adds more protection against faults without losing efficiency.
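An added example, not code from this report or from [4]: the additive property of section 1.2 and steps (1) to (3) above, run with Paillier as the additively homomorphic scheme. It assumes a constructed toy key, uses a single-key `dec` as a stand-in for threshold decryption, and leaves out the zero-knowledge proofs; `failed` is a hypothetical parameter naming the parties in $C$.

```python
import secrets
from math import gcd

# Constructed toy key built from two Mersenne primes; far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # lcm(p-1, q-1)
MU = pow(LAM, -1, N)                            # valid because the generator is N + 1


def enc(m):
    """E(m) = (1 + N)^m * r^N mod N^2 with fresh randomness r."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if gcd(r, N) == 1:
            break
    return (1 + (m % N) * N) * pow(r, N, N2) % N2


def dec(c):
    """Single-key decryption; a stand-in for the threshold decryption protocol."""
    return (pow(c, LAM, N2) - 1) // N * MU % N


def add(c1, c2):
    """The report's E(m1) + E(m2) = E(m1 + m2); in Paillier it is a product mod N^2."""
    return c1 * c2 % N2


def scale(c, k):
    """Multiply the hidden plaintext by a known constant k, then re-randomize."""
    return add(pow(c, k % N, N2), enc(0))


def multiply(enc_a, enc_b, n_parties, failed=frozenset()):
    """Steps (1)-(3): turn E(a), E(b) into E(a*b). Returns (ciphertext, shares of a)."""
    # (1a) every P_i picks d_i and broadcasts E(d_i)
    d = [secrets.randbelow(N) for _ in range(n_parties)]
    enc_d = [enc(x) for x in d]
    # (1b) the parties decrypt a + d_1 + ... + d_n; d hides a completely
    blinded = enc_a
    for c in enc_d:
        blinded = add(blinded, c)
    a_plus_d = dec(blinded)
    # (1c) P_1 keeps (a + d) - d_1, every other P_i keeps -d_i
    shares = [(-x) % N for x in d]
    shares[0] = (a_plus_d - d[0]) % N
    # Anyone can derive E(a_i) from the broadcasts, which step (3) relies on.
    enc_shares = [scale(c, -1) for c in enc_d]
    enc_shares[0] = add(blinded, enc_shares[0])
    # (2) each P_i in H broadcasts E(a_i * b), computed from E(b) and its own a_i
    honest = [i for i in range(n_parties) if i not in failed]
    result = enc(0)
    for i in honest:
        result = add(result, scale(enc_b, shares[i]))
    # (3) shares of the parties in C are decrypted and folded in publicly
    if failed:
        enc_ac = enc(0)
        for i in sorted(failed):
            enc_ac = add(enc_ac, enc_shares[i])
        result = add(result, scale(enc_b, dec(enc_ac)))
    return result, shares


if __name__ == "__main__":
    c, sh = multiply(enc(1234), enc(5678), n_parties=5, failed={1, 3})
    print(dec(c), sum(sh) % N)
```

Opening the shares of the parties in $C$ is what lets the protocol finish when some parties fail step (2); the remaining shares stay hidden behind the random $d_i$.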


Figure 3: The final output which each party is entitled to know [8]

3.3 Performance

Unlike Fully Homomorphic Encryption, this method can be applied to multiple parties. Low communication complexity is the major advantage of this method. One alternative for this scenario is to use Verifiable Secret Sharing. A separate protocol is needed to securely distribute the secret value among the parties. With that implementation the number of bits sent is $\Omega(n^2 k |C|)$, where $k$ is the security parameter and $|C|$ is the size of the Boolean or arithmetic circuit. But the efficiency of THE is $O(n k |C|)$. This type of efficiency cannot be achieved by other types for this scenario. The same efficiency can be achieved by the Franklin and Haber method using a joint encryption scheme, but the problem there is that the adversaries must be passive ones.

One of the problems of this method is that the adversaries are static and it can only be applied to a dishonest minority (the maximum total number of dishonest parties should be $n/2$, if the total number of parties is $n$). Therefore there should be a methodology which fits a dishonest majority as well as active and dynamic adversaries. Such an algorithm will be described in the next chapter.


4 Somewhat Homomorphic Encryption for SMPC

4.1 Overview

As discussed in the introductory section, the $n$ parties in secure multi-party computation hold inputs $x_1, x_2, \ldots, x_n$ and compute a given function $f(x_1, x_2, \ldots, x_n)$. To do this securely, honest players should get the correct result as the only available output. Dishonest people should not be able to disturb the computation. In this scenario the majority is dishonest. These types of implementations are normally inefficient and expensive. Things get harder when dynamic and active adversaries must be handled in addition to the dishonest majority. This new implementation can be considered a huge theoretical step in Secure Multi-Party Computation, as it allows the hardest scenario to be considered. If the total number of parties is $n$, then this is secure against up to $n-1$ adversaries. The only problem is that this works only for selected functions (not for all evaluation functions). This problem gives it the name "Somewhat".

4.2 Implementation

Unlike other implementations of SMPC, the implementation using Somewhat Homomorphic Encryption consists of two stages [14].

Preprocessing phase: This phase is independent of both the function to be computed and the input.

Online phase: In this phase the actual computation occurs. This stage should be highly secure (unconditionally secure against adversaries). The complexity of this stage is linear in $n$, where $n$ is the total number of parties.

Somewhat homomorphic encryption is used in the preprocessing stage. As described in the introduction chapter, in SMPC honest people should receive the correct result as the only new available information.

Under the dishonest majority scenario, where there may be only one honest party with all the other parties dishonest, implementing an efficient algorithm is very difficult [5].

This new approach has been developed to address this difficulty. First, a general MPC protocol is designed in the preprocessing stage. To accomplish this task a "trusted dealer" is needed. The dealer just provides the raw material for the computation. He does not need to know the function or the inputs. This procedure allows the online protocol to use only cheap information and makes it more efficient. The trusted dealer can be implemented through a secure protocol.


4.3 Performance

In the Somewhat Homomorphic Encryption scheme only $O(n^2/s)$ public key operations are needed. In other implementations that complexity is most of the time $\Omega(n^2)$. Here $s$ grows with the security parameter of Somewhat Homomorphic Encryption. Compared with FHE implementations, where the complexity is $O(n|C|)$, this is much faster. It should be noted that for practicable values $n^2/s \ll n$.

When it comes to performance analysis in practice, the following results can be seen for both the preprocessing and the online phase. The two phases were implemented using three players on machines connected on a Local Area Network (LAN). It takes about 13 ms amortized time to prepare one multiplication for 64 bit. The online phase executes a secure 64-bit multiplication in 0.05 ms amortized time. Refer [5]

Secure Multi-Party Computation has practical applications which involve thousands of parties (e.g. an election). In such cases the time complexity of the methodology matters. In addition, this Somewhat Homomorphic Encryption scheme can only be applied to certain selected evaluation functions. These things matter when it comes to the practical world.


5 Semi Homomorphic Encryption for SMPC

5.1 Overview

It is good to consider the idea of homomorphic encryption again, since the discussion has gone a bit deeper since the beginning. This fantastic idea, computation on encrypted data, has a little bit of history. In 1978 Rivest, Adleman and Dertouzos described this idea in a paper for the first time in history. It was then called "Homomorphism". In modern terminology it is called "Homomorphic Encryption". It is a public key scheme. It satisfies the following relationship: $D(E(a) \otimes E(b)) = a \oplus b$, where $\oplus$ and $\otimes$ are some operations on the cipher text. When $\oplus$ represents modular addition, the encryption mechanism is called "Additive Homomorphic Encryption". This encryption helps multiple parties to perform secure computations.

Secure multi-party computation comes with various scenarios. Semi Homomorphic Encryption can be discussed with regard to the practicability of SMPC and to active and dynamic adversaries with a dishonest majority (the hardest scenario in secure multi-party computation). Implementing an unconditionally secure scheme against $n-1$ adversaries, where $n$ is the total number of parties in the communication, is very difficult. The problem becomes more difficult given that in practical scenarios millions of parties are involved. Efficiency matters a lot in these situations. Normal public key technologies like Threshold Homomorphic Encryption are very expensive under those conditions. Fully Homomorphic Encryption has a huge computational overhead. The solution is to build a scheme under some assumptions. This leads to Semi Homomorphic Encryption [2].

5.2 Implementation

This contains two parts, just like Somewhat Homomorphic Encryption. In this scheme the plain text can be recovered as long as the computed function does not increase the size of the input too much. The two parts of this scheme are the online phase and the offline phase. In the online phase parties are given additive sharings of multiplicative triples. Because of that, this phase is optimal. The main idea here is to implement secure multi-party computation efficiently for a dishonest majority using semi-homomorphic encryption rather than a trusted dealer.
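An added example (not from this report or the surveyed papers) of how an online phase consumes additive sharings of multiplicative triples, as sections 4.2 and 5.2 describe, using the standard Beaver-triple technique over a prime field. The `dealer_triple` function is a hypothetical stand-in for the preprocessing phase, and the checks that protect against active adversaries are left out, so this shows the passive case only.

```python
import secrets

P = 2**61 - 1  # prime field modulus (constructed choice for this example)


def share(x, n):
    """Split x into n additive shares that sum to x mod P."""
    parts = [secrets.randbelow(P) for _ in range(n - 1)]
    parts.append((x - sum(parts)) % P)
    return parts


def open_shares(shares):
    """Every party broadcasts its share; the sum is the opened value."""
    return sum(shares) % P


def dealer_triple(n):
    """Hypothetical stand-in for preprocessing: shares of random a, b and c = a*b."""
    a, b = secrets.randbelow(P), secrets.randbelow(P)
    return share(a, n), share(b, n), share(a * b % P, n)


def online_multiply(x_sh, y_sh, triple):
    """Shares of x*y from shares of x and y, consuming one triple (never reuse it)."""
    a_sh, b_sh, c_sh = triple
    n = len(x_sh)
    # Each party masks its shares locally; only e = x - a and f = y - b are opened.
    e = open_shares([(x_sh[i] - a_sh[i]) % P for i in range(n)])
    f = open_shares([(y_sh[i] - b_sh[i]) % P for i in range(n)])
    # x*y = c + e*b + f*a + e*f, computed share-wise; party 0 adds the public e*f.
    z_sh = [(c_sh[i] + e * b_sh[i] + f * a_sh[i]) % P for i in range(n)]
    z_sh[0] = (z_sh[0] + e * f) % P
    return z_sh


def sum_and_sum_of_squares(private_inputs):
    """n parties compute sum(x_i) and sum(x_i^2); only these two totals are opened."""
    n = len(private_inputs)
    # Input sharing: party j sends one share of x_j to every party.
    input_sh = [share(x, n) for x in private_inputs]
    # Preprocessing output: one triple per multiplication gate.
    triples = [dealer_triple(n) for _ in range(n)]
    total_sh = [0] * n
    squares_sh = [0] * n
    for x_sh, triple in zip(input_sh, triples):
        sq_sh = online_multiply(x_sh, x_sh, triple)
        # Addition gates are local: each party adds the shares it holds.
        total_sh = [(t + s) % P for t, s in zip(total_sh, x_sh)]
        squares_sh = [(t + s) % P for t, s in zip(squares_sh, sq_sh)]
    return open_shares(total_sh), open_shares(squares_sh)


if __name__ == "__main__":
    incomes = [52000, 61000, 47500]  # constructed sample inputs
    print(sum_and_sum_of_squares(incomes))
```

The online functions perform only additions and multiplications mod `P`; every public key operation would sit inside whatever replaces `dealer_triple`.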

Let's try to understand the concept of semi-homomorphic encryption with the following example. Refer [2]


Let $(G, E, D)$ be a semi-homomorphic cryptosystem. The following game is played between A and B. A is considered the adversary and B the challenger. $G(1^k, p)$ (where $k$ is the security parameter and $p$ a modulus) is used to generate the public/secret key pair $(P_k, S_k)$.

(1) B generates the public/secret key pair $(P_k, S_k)$ using the above function. He selects integers $y, s, r$ according to a randomized algorithm ($D_\sigma$). Then he flips a coin and sets $z$ to be $y$ or $s$ accordingly. Then he sends $Y = E_{P_k}(y, r)$ to A.
(2) A outputs an integer $x$ and a cipher text $C$. Here $x$ must be small enough for $xy$ not to exceed the bound for correct decryption (this is one of the drawbacks of Semi Homomorphic Encryption).
(3) B checks if $xy \bmod p = D_{S_k}(C)$ and sends either "no" or "yes". If the answer is "yes", B also sends $z$ to A.
(4) In reply to B's answer, A outputs a bit guessing whether B has selected $z = y$ or $z = s$. A wins if his guess is correct.

The above game exhibits the use of Semi Homomorphic Encryption for Secure Multi-Party Computation.

5.3 Performance

Implementing the scenario with a dishonest majority and active and dynamic adversaries is a very hard problem. Therefore, to increase efficiency and make the solution more practicable, semi-homomorphic encryption has been introduced. This matches $O(n^2)$ public key operations per multiplication gate. The online phase is more efficient since no encryption mechanism is used in this phase. The only problem is that the size of the input to the evaluation function is limited in order to allow decryption. This is one of the drawbacks of this scheme.


6 Applications

A few homomorphic encryption types which support Secure Multi-Party Computation were discussed in the previous chapters. All research done so far has basically had the purpose of making some task easier, or of changing the way a certain thing is done to increase efficiency, and so on. In this area too, several types of applications can be found as a result of new implementations. The following subsections briefly describe them. Most of the concepts for implementing Secure Multi-Party Computation using Homomorphic Encryption are still at the research stage. Most of the proposed methodologies have met more difficulties when brought to the practical world. The reason is the lack of efficiency and of the required security when implemented with a large number of parties. Since man has a thirst for knowledge as well as the curiosity to discover, it will not take long to see much more practicable solutions for implementing SMPC from HE.

6.1 Secret Voting

This is one of the most important applications of Secure Multi-Party Computation. Consider the following simple example.

A group of $m$ members wish to hold a yes/no vote on a certain action [6] (consider a referendum). If each member's vote is considered as $x_i$, then the final result can be evaluated as $f(x_1, x_2, \ldots, x_m)$. These $m$ people need the guarantee that no one can learn anything about each other's votes except the final result [16].

There are certain solutions for that. One is a protocol that assumes an anonymous channel is available for voters [11]. This is the blind signature approach. Although this is computationally efficient, it fails to achieve universal verification. But with a Threshold Homomorphic Encryption system this universal verification can be achieved, and there is no need for an anonymous channel. Here an encryption mechanism is used rather than VSS (Verifiable Secret Sharing).

6.2 Oblivious Negotiation

First of all it is very important to understand what Oblivious Negotiation is [16]. Suppose Charlie wants to sell Sally a house. Each one has some strategy, but neither wants to reveal it to the other. Let Charlie's possible strategies be $C_1, C_2, C_3, \ldots, C_n$ and Sally's be $S_1, S_2, \ldots, S_m$. The outcome can be considered as $x$ dollars or no deal (with the function $f$). Then one can guarantee that Charlie cannot learn Sally's strategies and vice versa. Only the output will be revealed. This applies to two parties most of the time. Therefore Fully Homomorphic Encryption can simply be used.

6.3 Private Querying of the Database

New types of criminals spread rapidly over the internet [16]. There may be various ways to get to know our private information such as passwords, preferences, etc. The people who steal our information for certain purposes do so most of the time through internet queries. This problem led to the idea of Private Querying of the Database. If such security is present on a network, we can freely interact with that network. Secure Multi-Party Computation is useful in such cases. Some kind of extension is needed for that purpose: each person computes a different function. For instance, suppose Charlie wants to compute the function $f(i, j)$ and Sally is to compute another function $g(i, j) = \text{constant}$, so that she learns nothing about $i$. One can think of Sally as the database query system, whose state is $j$. Charlie is the person who queries the database, and the query is $i$. Charlie can get the result without learning anything else about the data. More importantly, the DB system does not know what Charlie has queried. We can use SWHE for this type of SMPC.

6.4 Secure Statistical Computation

The usage of this can be understood through the following practical scenario. Suppose the European countries want to calculate the total of some sensitive information for their region (income, military strength, etc.). This information can be considered statistical information. No country wants to reveal its sensitive statistical information to the others. But all the countries want to know some statistics (average, sum, standard deviation, etc.) covering all the countries in Europe. This problem exhibits the secure multi-party computation property, and algorithms like Semi homomorphic encryption or Somewhat homomorphic encryption can be used.

6.5 Distributed Certification Authority

The Certification Authority (CA) plays a big role on the internet. Especially when transactions occur over the internet, verification of the payee's identity is very important. To verify it, certificates signed by Certification Authorities can be used. To sign them, Certification Authorities use a secret key. To protect it, the key is shared among several sites. To protect that key while producing signatures with it (signatures are produced using the key, but the key cannot be viewed), a secure computation methodology can be used. Threshold homomorphic encryption can be used for that.


7 Conclusion

With the improvement of new technologies, security in information technology has become a more significant factor than ever before. The concept of Secure Multi-Party Computation plays a big role in this situation. How Multi-Party Computation can be implemented using homomorphic encryption was explored in this review. Several types of homomorphic encryption algorithms have been introduced to the world. Among them, the algorithms that are feasible for secure multi-party computation have been considered in this review.

Fully Homomorphic Encryption is one of the important ones to consider. Here the communication complexity is very small. Fully Homomorphic Encryption by itself can be applied to the scenario of two semi-honest parties. But the problem is that it can be implemented only for two parties, and at the same time the fully malicious scenario is not applicable here. To eliminate the first problem one can use Threshold Homomorphic Encryption, which can be used for multiple parties as well as static and dynamic adversaries. This method is more efficient than most of its competitors. It provides $O(nk|C|)$ complexity. Previously such a complexity was only provided for passive adversaries, but this method provides it for active adversaries also. The problem here is that it cannot provide protection against dynamic adversaries, and it cannot be securely implemented for a malicious majority. The number of adversaries is fixed initially (less than $n/2$).

In the Somewhat Homomorphic Encryption scheme the above problems have been eliminated. It can be applied to the scenario of active and dynamic adversaries with a dishonest majority (up to $n-1$). It contains two stages. The first is the preprocessing stage. The second is the online stage. This is a much more efficient scheme. $O(n^2/s|C|)$ public key operations are needed in this scheme. One of the major drawbacks of this scheme is that the evaluation function is limited to certain types. That means it works only for some evaluation functions (this is what leads to the name "Somewhat"). The other major problem of this scheme is its impracticability for a large number of parties. Since most applications of secure multi-party computation involve a large number of parties, this factor should not be neglected.

In Semi Homomorphic Encryption the above problems have been eliminated, since unconditional security is provided for a dishonest majority (up to n − 1) for any evaluation function. This provides security against dynamic and active adversaries. It contains two stages: the first is the preprocessing stage (normally called the offline stage) and the second is the online stage. The online phase has become more efficient since it does not contain any cryptographic operations. Here, under certain assumptions, the requirements for the Homomorphic Encryption scheme have been relaxed to reduce the communication complexity. Because of that, the plaintext can be recovered as long as the computational function does not increase the size of the input too much. This scheme can be applied to any evaluation function, but the problem is the limitation on the input size.

Figure 4: Summarizing the findings
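The input-size limit described for Semi Homomorphic Encryption can be seen in a small sketch, added here as an example that is not part of the survey or of any scheme it reviews: a toy symmetric integer scheme that is additively homomorphic, where decryption is correct only while the accumulated noise stays below half of a secret integer. The parameters `P`, `S`, `R_MAX` and all function names are assumptions chosen for illustration, and the sizes are far too small to be secure.

```python
import secrets

# Toy parameters, constructed for illustration only (far too small to be secure).
P = 101        # public plaintext modulus
S = 100003     # secret odd integer; decryption is correct while |noise| < S/2
R_MAX = 8      # fresh encryption randomness r is drawn from [0, R_MAX)


def encrypt(x, r=None, q=None):
    """Hide x (mod P) as x + P*r + S*q; r is small noise, q a large mask."""
    r = secrets.randbelow(R_MAX) if r is None else r
    q = secrets.randbelow(1 << 64) if q is None else q
    return (x % P) + P * r + S * q


def noise(c):
    """Centered residue of c modulo the secret S (equals x + P*r when small)."""
    t = c % S
    return t - S if t > S // 2 else t


def decrypt(c):
    """Recover the plaintext; only correct if the noise never wrapped around S."""
    return noise(c) % P


def add(c1, c2):
    """Homomorphic addition: plaintexts add mod P, noise terms add over Z."""
    return c1 + c2


def scale(c, k):
    """Multiply the plaintext by a public constant k; the noise grows k-fold."""
    return c * k


def tally(votes, r=None):
    """Sum encrypted 0/1 votes and return (decrypted tally, |noise|)."""
    total = 0
    for v in votes:
        total = add(total, encrypt(v, r=r))
    return decrypt(total), abs(noise(total))


if __name__ == "__main__":
    print("60 voters:", tally([1] * 60, r=R_MAX - 1))   # within the noise budget
    print("80 voters:", tally([1] * 80, r=R_MAX - 1))   # noise wraps, tally is wrong
```

With worst-case noise per ballot, the tally of 60 votes decrypts correctly, while 80 votes push the noise past S/2 and the decrypted tally no longer matches the true count.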

Especially when the practical applications of Secure Multi-Party Computation are considered, it is very common to have a huge number of parties in the communication. In such cases, efficient implementation of secure multi-party computation with a homomorphic encryption scheme becomes a hard problem. One can have an HE scheme for SMPC that is protected against active and dynamic adversaries, but its performance goes down rapidly as the number of parties increases. One of the prime practical applications of Secure Multi-Party Computation is secure voting. In such cases there may be a huge number of voters (for example, a general election). So in practice there is a large number of parties in most cases. At the same time there is a problem with the evaluation function. Some schemes, such as SWHE, provide very good security for the hardest scenario, but the evaluation function has some limitations. When SHE is considered in particular, the limitation on the input size is one of the drawbacks. Figure 4 above summarizes the findings of this literature survey.

Finally, it can be concluded that there is a need for a Homomorphic Encryption scheme for Secure Multi-Party Computation that is much more efficient, performs well even with a large number of parties, can be applied to any evaluation function, and provides good security against active and passive adversaries with a dishonest majority, without limiting the size of the input.


References

[1] Gilad Asharov, Abhishek Jain, Adriana Lpez-alt, Eran Tromer, VinodVaikuntanathan, and Daniel Wichs. Multiparty computation withlow communication, computation and interaction via threshold fhe ,2012. URL http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.225.2213.

[2] Rikke Bendlin, Ivan Damgrd, Claudio Orlandi, and Sarah Zakarias.Semi-homomorphic encryption and multiparty computation. Cryptol-ogy ePrint Archive, Report 2010/514, 2010. URL http://eprint.iacr.org/.

[3] Peter Bogetoft and DL Christensen. Secure multiparty computationgoes live. . . .Cryptography and Data . . . , pages 1–13, 2009. URL http://link.springer.com/chapter/10.1007/978-3-642-03549-4 20.

[4] Ronald Cramer, Ivan Damga rd, and Jesper Buus Nielsen. MultipartyComputation from Threshold Homomorphic Encryption. In Proceed-ings of the International Conference on the Theory and Applicationof Cryptographic Techniques: Advances in Cryptology, pages 280–299,2001. ISBN 3-540-42070-3. doi: 10.1007/3-540-44987-6\ 18. URLhttp://iacr.org/archive/eurocrypt2001/20450279.pdf.

[5] I Damga rd, Valerio Pastro, Nigel Smart, and Sarah Zakarias. Multi-party computation from somewhat homomorphic encryption. Advancesin Cryptology . . . , pages 1–46, 2012. URL http://link.springer.com/chapter/10.1007/978-3-642-32009-5 38.

[6] II ECRYPT. European Network of Excellence in Cryptology II. YearlyReport on Algorithms and Keysizes (2009-2010), pages 539–556, 2010.URL http://link.springer.com/chapter/10.1007/3-540-45539-6 38.

[7] II ECRYPT. European Network of Excellence in Cryptol-ogy II. Yearly Report on Algorithms and Keysizes (2009-2010),2010. URL http://scholar.google.com/scholar?hl=en&btnG=Search&q=intitle:European+Network+of+Excellence+in+Cryptology#5.

[8] Adriana Lopez-alt and Daniel Wichs. Multiparty Computation withLow Communication , Computation and Interaction via Threshold FHE

19

Gilad Asharov Abhishek Jain 2-Party Computation Using FHE. URLhttp://www.frontiersinai.com/turingfiles/January/Asharov.pdf.

[9] Claudio Orlandi. Is multiparty computation any good in practice? 2011IEEE International Conference on Acoustics, Speech and Signal Pro-cessing (ICASSP), pages 5848–5851, May 2011. doi: 10.1109/ICASSP.2011.5947691. URL http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=5947691.

[10] Lecturer Ron Rivest. Lecture Notes 15 : Voting , Homomorphic En-cryption Homomorphic Encryption. 2002. URL http://web.mit.edu/6.857/OldStuff/Fall02/handouts/L15-voting.pdf.

[11] Kazue Sako and Joe Kilian. Secure voting using partially compatiblehomomorphisms. Advances in CryptologyCRYPTO’94, pages 411–424,1994. URL http://link.springer.com/chapter/10.1007/3-540-48658-537.

[12] Manoj Prabha Shankar. Homomorphic encryption, . URL https://courses.engr.illinois.edu/cs598man/fa2011/.

[13] Manoj Prabha Shankar. Multi-party computation, . URL https://courses.engr.illinois.edu/cs598man/fa2011/.

[14] Wikipedia. Homomorphic encryption, . URL http://en.wikipedia.org/wiki/Homomorphic encryption.

[15] Wikipedia. Secure multi-party computation, . URL http://en.wikipedia.org/wiki/Secure multi-party computation.

[16] Andrew C. Yao. Protocols for secure computations. 23rd AnnualSymposium on Foundations of Computer Science (sfcs 1982), pages160–164, November 1982. doi: 10.1109/SFCS.1982.38. URL http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=4568388.

20