Two-Cloud-Servers-Assisted Secure Outsourcing Multiparty Computation

We focus on how to securely outsource computation task to the cloud and propose a secure outsourcing multiparty computation protocol on lattice-based encrypted data in two-cloud-servers scenario. Our main idea is to transform the outsourced data respectively encrypted by different users' public keys to the ones that are encrypted by the same two private keys of the two assisted servers so that it is feasible to operate on the transformed ciphertexts to compute an encrypted result following the function to be computed. In order to keep the privacy of the result, the two servers cooperatively produce a custom-made result for each user that is authorized to get the result so that all authorized users can recover the desired result while other unauthorized ones including the two servers cannot. Compared with previous research, our protocol is completely noninteractive between any users, and both of the computation and the communication complexities of each user in our solution are independent of the computing function.


Introduction
Secure multiparty computation (SMC) [1][2][3][4][5][6][7] is dedicated to computing a certain function among a set of mutually distrusted participants on their private inputs without revealing private information. Informally speaking, assuming that there are participants, 1 , 2 , . . . , , each of them has a private number, respectively, 1 , 2 , . . . , . They want to cooperate to compute the function = ( 1 , 2 , . . . , ) without revealing of to other parties , ̸ = , , ∈ {1, . . . , }, as well as guaranteeing that any unauthorized ones cannot get the result . In the past, researchers mainly focused on designing the style of secure multiparty computation protocols by which users themselves cooperatively accomplish the function evaluation through their internal interactions [1,3,[8][9][10][11]. The computation and communication complexities always depend polynomially on the complexity of the function to be computed. Therefore, users suffer from the heavy overload of these protocols.
The emergence of the cloud [12,13] inspires users to apply the powerful computing ability of the cloud to help them to conduct complicated computations, that is, secure outsourcing computation [14][15][16][17][18] to the cloud. They expect that the cloud can independently complete any function computation on their outsourced data although the data has been encrypted by their own keys for security. Moreover, the final result should be kept private to the cloud even though it is the cloud that conducts all of the computations about the computing function. In this way, users only need to encrypt their data and decrypt the returned message to get the desired result. All computations about the computing function are in the charge of the cloud. There are no interactions between any users, and the computation and communication complexities of each user are independent of the computing function. However, this expectation is proven to be impossible in the single cloud server setting due to the impossibility of program obfuscation [19]. Therefore, in this paper, we try to realize it by introducing one more cloud server to the original model described above. More precisely, we consider the following scenario.
There are + 2 distrusted parties including users and two cloud servers in our system. We assume that all of them act semihonestly. The users 1 , 2 , . . . , , with each having a private input, respectively, , as well as a pair of 2 The Scientific World Journal public-private keys ( , ), = 1, . . . , , encrypt their respective private inputs by their own public keys and then upload the ciphertexts of the inputs to a cloud server. They want to obtain the value = ( 1 , 2 , . . . , ) even if they may not be aware of what the computing function (⋅) is by applying two cloud servers to operate on the outsourced encrypted data without revealing 1 , 2 , . . . , and the result .
In this paper, we study the outsourcing computation problem in multiple users-two-cloud-servers scenario and propose a two-cloud-servers-assisted secure outsourcing multiparty computation protocol to compute any function on lattice-based encrypted data under multiple keys of the users. Herein, we apply one cloud server called the storingcloud (SC) to store the outsourced data encrypted by users and make a midtransformation to these ciphertexts once some function begins to be computed. We call the other cloud server the computing-cloud (CC). It is responsible for transforming the midtransformed ciphertexts by SC to the ones that are blinded by the same two private keys of the two assisted cloud servers so that CC can further compute following the function on the ciphertexts. Finally, in order to protect the result, the two servers cooperatively produce a custom-made result for each user. Compared with previous solutions, our protocol has the following three advantages.
(1) Our protocol is completely noninteractive between any users.
(2) The cloud is to do all of the computations related to the computing function, while users would do nothing except for encrypting their private inputs and decrypting the returned result.
(3) The computation and communication complexities of each user in our solution are independent of the computing function.
Organization. The rest of this paper is organized as follows. In Section 2, we briefly give an overview of some recent related works. Herein, we consider the problems in secure outsourcing computation from the point of view of the users and the cloud servers, respectively, and then rationally construct our protocol in the multiple users-two-cloud-servers setting.
In Section 3, we briefly introduce a lattice-based encryption scheme and the security model and then present our protocol in Section 4 in detail. In Section 5, we analyze the proposed protocol in detail and give a strict proof based on real-ideal simulation paradigm. Finally, we summarize our work of this paper in the last section.

Related Works
According to previous research, there are many problems to be considered when outsourcing private data for function computation to the cloud. We discuss the difficulties in secure outsourcing computation to the cloud from the following two aspects.
(1) To Users: Privacy of the Inputs and Results. In secure outsourcing computation, users have to contribute their private data as the inputs of the function while not participating in the computation process. Moreover, all parties of the protocol including all users and cloud servers are mutually distrusted. Therefore, users would not like to submit their private data to the cloud. Allowing for security, a usual solution is to encrypt the private data before outsourcing them to the cloud. And there are some basic encryption models according to the encryption keys that users used.
In 2009, Gentry [20] presented a model where all users use a joint public key to encrypt their own private inputs while sharing the private key. Therein, the cloud cannot obtain the inputs or the result because they are protected by the encryption scheme, while the cloud does not have the private key. However, users have to participate in another interactive protocol to firstly recover the private key and then achieve the desired result. The processes, producing a joint public key, sharing the private key, and jointly recovering the result by their shared private key, bring large number of additional interactions among users, which is contrary to our expectation that we want to design a secure protocol with the least communications. Encrypting private data by the joint public key is not so satisfactory either. In cloud outsourcing scenario, it means that there are no interactions among the users whatsoever and the least two rounds of inevitable interactions between the user and the cloud server, sending out the inputs and receiving the result. Therefore, we look forward to a protocol with the least communications as well as low computations and high security. A recent work by Asharov et al. [21] proposes a scheme where users utilize their own public keys to encrypt their inputs, respectively, and guarantee that the cloud can succeed in computing the function on their private inputs by computing on the ciphertexts of the inputs encrypted under different keys. Although users still have to interact to obtain the result in the last step, encrypting respective input by the public key of each user is the best encryption model so far.
As to the privacy of the result, in 2011, Halevi et al. [22] proposed a noninteractive protocol to securely realize outsourcing computation. Therein, the server is entitled to learn the result. However, the computing result may be the vital information to the users in some scenario and so it cannot be revealed to others. Hence, besides the security of the inputs discussed above, users must consider the security of the result when constructing protocols. It should guarantee that any unauthorized users are not able to get the result although they may contribute their inputs and the cloud servers are not able to get the result although the result is computed by them. To this aspect, [20] has already protected the result by a joint public key of the users. However, this method is still not satisfactory since each authorized user is also not able to get it individually.
(2) To Cloud Servers: Feasibility of Operating on Encrypted Inputs. As discussed above, users would like to upload the encrypted inputs under their respective public keys to the cloud server rather than the original inputs. Therefore, the cloud servers, whose task is to compute a function on users' private inputs, would only obtain the ciphertexts of the inputs. That means that the cloud has to compute the function The Scientific World Journal 3 (i) KeyGen(1 ): sample a ring element vector ← and a ring element from the distribution , denoted as ← , a ring element vector from the distribution , denoted as ← . Then, the private key is = ; the public key is = + 2 ∈ . (ii) Enc( , ): sample ← and compute 0 := ⟨ , ⟩ + ∈ and 1 := ⟨ , ⟩ ∈ . Output the ciphertext : and output := (mod2).
Algorithm 1 on users' private inputs through performing corresponding computations on the ciphertexts of the inputs encrypted by different public keys of users. As we know, fully homomorphic encryption (FHE) [20,23] can operate on the ciphertexts of the inputs to compute the desired result produced by the inputs. But the usual FHE schemes are single-key schemes in the sense that they only can perform computations on ciphertexts encrypted under the same key. It is not feasible to conduct computations on the ciphertexts encrypted under different keys. In order to solve this problem, López-Alt et al. [24] propose a new FHE called multikey fully homomorphic encryption (MFHE) which has applied the techniques of bootstrapping, modulus reduction, and relinearization to operate on the ciphertexts of the inputs encrypted by multiple, unrelated keys. When outsourcing private data to the cloud, user can firstly encrypt it by its own key by applying MFHE. It is indeed the optimal solution from the point of view of the feasibility of ciphertexts and the privacy of inputs. However, as we mentioned before, it is still not satisfactory because users need to evaluate the decryption key and then use it to recover the result interactively by participating in another SMC protocol. In fact, according to [19], it is proved that it is indeed impossible to construct a completely noninteractive protocol in the single server setting due to the impossibility of program obfuscation. Hence, if we want to obtain a secure protocol with complete noninteraction of users in outsourcing computation, we need at least two cloud servers.
In brief, allowing for the privacy of inputs and results from the perspective of users as well as the feasibility of operating on the outsourced encrypted data from the perspective of the cloud servers, if we want to construct a completely noninteractive secure outsourcing multiparty computation protocol where the computation and communication complexities of each user are independent of the computing function, we have the following conclusions.
(1) All private data should be encrypted by the owners themselves using their respective public keys before outsourcing to the cloud servers.
(2) The returned messages for each user should be different so that all authorized users can recover the final result by their respective private key but the unauthorized ones cannot.
(3) It is reasonable to consider it in two-cloud-servers scenario.

Lattice-Based Encryption.
Since the privacy of the inputs and the computation complexity of each user depend on the encryption algorithm that the user used, an encryption scheme outstanding in both security and efficiency is the right one that users want to adopt. Hence, lattice-based encryption, which is against quantum attacks and is much more efficient than RSA and even the elliptic curve cryptosystem, becomes the first choice of rational users. Herein, we will show how the two cloud servers deal with the outsourced data encrypted by the lattice-based public key encryption scheme proposed in [24,25] (denoted as LE scheme in this paper). Specifically, we recall it as follows.
Notations. Let be the security parameter. Then, the LE scheme is parameterized by a prime = ( ), a degree polynomial ( ) ∈ Z[ ], and an error distribution over the ring = Z [ ]/⟨ ( )⟩. The parameters , , , and are public. It assumes that, given the security parameter , there are polynomial-time algorithms that output and and a sample from the error distribution . The LE encryption scheme consists of the following three algorithms: KeyGen(⋅), Enc(⋅), and Dec(⋅) (Algorithm 1).
In [24], they apply the techniques of bootstrapping, modulus reduction, and relinearization to realize and to operate on the ciphertexts of the inputs encrypted by multiple, unrelated keys. Therein, they have obtained a secure outsourcing multiparty computation protocol on lattice-based encrypted data under multiple keys of users in one server scenario. However, it is not satisfactory because the interaction in the decryption stage is still inevitable.
In this paper, based on this encryption scheme, we consider the outsourcing problem in two-cloud-servers scenario and succeed to construct a secure noninteractive outsourcing protocol that achieves the least computation and communication complexities for users.

Security Model.
In this paper, we will discuss our protocol in the semihonest model and analyze its security using the real-ideal paradigm [5].
Firstly, in the ideal world, the computation of the functionality F on users' private inputs is conducted by an additional trusted party that receives from user , = 1, 2, . . . , , and returns the result ( 1 , 2 , . . . , ) to the authorized users , while other unauthorized parties do not get any output. Hence, in the ideal world, all users' private inputs are well protected, and only authorized users are able to learn about the result. However, there is no trusted party in the real world, and so all parties have to run a protocol Π to get the desired result. During executing the protocol Π, all parties act semihonestly following the protocol but make effort to gain more information about other parties' inputs, intermediate results, or overall outputs by the transcripts of the protocol. An adversary can corrupt a party to receive all messages directed to it and control the messages to be sent out from it. Herein, we denote the joint output of the ideal world adversary S and the outputs of the remaining parties in an ideal execution for computing the functionality F with inputs ⃗ = ( 1 , 2 , . . . , ) as IDEAL F,S ( ⃗ ), the joint output of the real world adversary A, and the outputs of the remaining parties in an execution of protocol Π with inputs ⃗ = ( 1 , 2 , . . . , ) as REAL Π,A ( ⃗ ). Then, we say that protocol Π securely realizes functionality F if, for every real adversary A corrupting any parties and possibly the cloud servers, there exists an ideal world adversary S with black-box access to A such that, for all input vectors ⃗ , IDEAL F,S ( ⃗ ) ≈ REAL Π,A ( ⃗ ).

Our Result
We consider the secure outsourcing computation problem in the multiple users-two-cloud-servers scenario described as follows. There are + 2 parties including users and 2 noncolluding cloud servers: one is called the storing-cloud (SC), and the other is called the computing-cloud (CC). Each user has a private input denoted as and a pair of publicprivate keys ( , ) while sharing a private random with SC that has a private number sc . CC has a private number cc . Users want to outsource the task of computing function (⋅) on users' private inputs to the two cloud servers. They only provide the ciphertexts of the private data encrypted by a lattice-based encryption scheme under their different public keys and require the cloud servers to give the authorized users the result while keeping the security of the inputs. What is more, users wish that the cloud servers take charge of all of the computations related to the function (⋅) and that there is noninteraction of users whatsoever so that the computation and communication complexities of each user are independent of the function to be computed. Herein, we deem that the two rounds of inevitable communications and a request from a user to the cloud servers for computing function (⋅) are the three basic rounds of communication in this paper. Then, for each user, they expect that there are no other interactions at all between any user-to-user or user-toserver except the three basic rounds of communication. Furthermore, the computation complexity of each user depends on the encryption scheme it has used. The framework of our construction can be illustrated in Figure 1.
In this following section, we formally propose our solution denoted as protocol Π for convenience in detail and then analyze its security using the real-ideal paradigm in the semihonest model.
Without loss of generality, we represent the function (⋅) to be computed by means of arithmetic circuit C consisting of any number of addition gates and multiplication gates where each gate has two input wires and one output wire. Then, any functionality can be reduced to the two basic operations, addition and multiplication, over two inputs. Our construction can be summarized in Algorithm 2.
The Scientific World Journal 5 Protocol : Two cloud servers-assisted secure outsourcing computation protocol Setup. For = 1, 2, . . . , , sample a ring element vector ← , a ring element ← , and a ring element vector ← . Then, the private key of is := ; the public key of is := + 2 ∈ . And then, shares a private random with SC that has a private number sc . CC has a private number cc . As a preparation, user firstly sends ⋅ to CC; CC computes cc ⋅ ⋅ and then sends it back to SC. Then, SC can obtain cc ⋅ by removing .

Outsourcing Computation.
After receiving all ciphertexts of the private inputs from users, SC stores all ciphertexts and executes a midtransformation to the outsourced data when computing some function (⋅). After that, CC further transforms the midtransformed ciphertexts and then computes the function (⋅) following the circuit C that consisted of addition gates and multiplication gates.
Add. For each addition gate, Mul. For each multiplication gate, (3) Producing Custom-Made Result. After computing gate by gate following the circuit C , CC obtains the intermediate result encrypted by the private numbers of the two assisted cloud servers SC and CC; that is, = +1 ⋅ = sc +1 ⋅ cc +1 ⋅ , where = ( 1 , 2 , . . . , ) and is the number of the multiplication gates of C . To produce a custom-made result for each user, CC firstly sends to SC. SC removes +1 sc and adds to compute = ⋅ +1 cc ⋅ and then sends back to CC. CC finally removes +1 cc to produce the custom-made ciphertext = ⋅ and sends it to the authorized party , ∈ {1, 2, . . . , }.

Algorithm 2
In setup, each user invokes KeyGen(1 ) to compute its public-private keys ( , ). At the same time, each selects a random and sends it to SC via secure channels, while SC and CC, respectively, choose private numbers sc and cc . Assuming that all users' private data , = 1, 2, . . . , , are the real inputs of function (⋅), then each sends ⋅ to CC. CC further computes cc ⋅ ⋅ and sends it to SC. After that, submits the ciphertext of the private input encrypted by its own public key to SC in the upload process.
In computation process, SC firstly midtransforms the outsourced data which are encrypted by different keys of users, and CC further transforms the midtransformed ciphertexts to the ones that are blinded by the same private numbers of the two servers so that CC can operate on the ciphertexts to compute (⋅). Specifically, for addition/multiplication gate, CC can easily get the result by . Computing gate by gate following the circuit C , CC can obtain the intermediate result = +1 ⋅ = +1 sc ⋅ +1 cc ⋅ . In order to guarantee that only the authorized user can get the final result, SC and CC cooperatively produce a custommade result for each authorized user as follows. (Herein, we assume that , ∈ {1, 2, . . . , }, is authorized to get the result.) Firstly, CC sends to SC. SC removes +1 sc and adds to compute = ⋅ +1 cc ⋅ and then sends back to CC. CC finally removes +1 cc to obtain the custom-made ciphertext = ⋅ and sends it to . 6 The Scientific World Journal In the last process, the authorized user obtains the result by removing from .

Analysis
From the protocol described above, the correctness is obvious due to the homomorphic properties of the transformed ciphertexts. We will have a detailed discussion on its security. Note that, before the actual computations which are performed by SC and CC, there are setup and upload processes. We will individually illustrate their security at first. Afterwards, we will prove the security of the core of our protocol, that is, the outsourcing computation process, in the real-ideal framework. Finally, from the composition theorem [5], we can conclude that our protocol is secure. Theorem 1. Protocol Π is secure as long as the LE scheme is secure and SC and CC are noncolluding.
Proof. Firstly, we look at the setup and upload processes individually.
In setup, each user, respectively, encrypts its private input by its own public key which is produced by invoking a semantically secure LE scheme. The security of this process is obvious. Afterwards, sends ⋅ to CC and CC sends cc ⋅ ⋅ to SC. Herein, 's private key is protected by the blinding factors: which is private to and SC and cc which is private to CC. Therefore, the private keys of users will not be revealed in this process.
In upload, users outsource the encrypted data to SC. Since the LE scheme is semantically secure, given two ciphertexts ( 1 ), ( 2 ) of the two plaintexts 1 , 2 uploaded by , it is computationally infeasible for SC to distinguish the two ciphertexts. Hence, users can store their encrypted data in SC securely.
In outsourcing computation process, SC firstly midtransforms to and sends to CC. It is obvious that it is secure since SC blinds the midtransformed ciphertext by the private number sc , which is secret to CC. As to the core of the computation process, we will discuss the security in the real-ideal framework. From the security definition, we say that protocol Π is secure if all adversarial behavior in the real world can be simulated in the ideal model where there exists an additional trusted party to perform all computations related to the function (⋅) to be computed. We assume that there is a simulator S in the ideal world and then prove that it can simulate the semihonest adversary A that exists in the real execution. Since CC is able to independently complete addition and multiplication operations, we only need to prove that Add and Mul are secure against the semihonest adversary A corrupting CC. We prove this as follows.
Secondly, A sends two ciphertexts S ( * 1 ), S ( * 2 ) to S. Then, S computes S ( * 1 + * 2 ) = S ( * 1 ) ⊕ S ( * 2 ) ; and returns S ( * 1 + * 2 ), S ( * 1 × * 2 ) to A. Finally, S outputs what A outputs. Now, we can prove the security of Add and Mul algorithms by contradiction. Firstly, we assume that the view of the adversary A in the real world is distinguishable from the view simulated by the simulator S. Then, we could find an algorithm to distinguish the ciphertexts encrypted by the LE encryption scheme, which is contrary to our assumption that the LE is semantically secure. Hence, the view of the adversary A in the real world is indistinguishable from the view simulated by the simulator S. That is, IDEAL F,S ( S ( )) ≈ REAL Π,A ( S ( )) , = 1, 2. (3) Therefore, the two algorithms Add and Mul are secure. Furthermore, from the composition theorem [5], we can conclude that our protocol is secure as long as the LE scheme is secure and SC and CC are noncolluding in semihonest scenario.

Conclusion
Only contributing the encrypted forms of their private inputs under their own public keys to gain the desired result of some function on the private inputs via powerful cloud with minimal computations and communications is the optimal method especially when users want to compute some complex function. In this paper, we introduce two noncolluding cloud servers to construct a secure outsourcing multiparty computation protocol on lattice-based encrypted cloud data under multiple keys in semihonest scenario. All computations related to the computing function are in the charge of the two cloud servers. Therefore, the computation complexity of each user only depends on the encryption scheme it has used. What is more, the communication complexity of each user is also independent of the function to be computed and there is no interaction of users whatsoever any more.