Relation of PPAtMP and Scalar Product Protocol and ...

Viewer
Transcript

Relation of PPAtMP and Scalar Product Protocol and Their Applications † (National

Youwen Zhu†,‡ , Liusheng Huang†,‡ and Wei Yang†,‡ High Performance Computing Center at Hefei, Department of Computer Science and Technology, University of Science and Technology of China, Hefei, 230026, China) ‡ (Suzhou Institute for Advanced Study, University of Science and Technology of China, Suzhou, 215123, China) E-mail: [email protected], {lshuang, qubit}@ustc.edu.cn

Abstract— Scalar product protocol and privacy preserving add to multiply protocol (PPAtMP) are two significant basic secure multiparty computation protocols. In this paper, we claim that the two protocols are equivalent to each other and we can achieve one based on the other with the same communication and computation complexity. Then, we propose Secure Two-party Mean Protocol, Secure Shared x ln x Protocol and Secure Shared Generic Polynomial Protocol based on scalar product protocol and PPAtMP. Additionally, we analyze the correctness, security, communication overheads and computation complexity of each protocol proposed in this paper.

I. I NTRODUCTION As the development of communication technology, privacy-preserving distributed computation, including privacy-preserving data mining [1], [2], privacy-preserving social network [3], etc., has received more and more attentions. Through cooperatively perform privacy-preserving distributed computation protocols, participants can obtain expectant output from all the private data while no confidential information is disclosed. There are mainly two techniques which can be used to achieve privacy-preserving distributed computation: randomization and secure multiparty computation (SMC). Usually, randomization is more efficient but it cannot receive precise results. SMC requires more cost of communication and computation. Nevertheless, SMC always returns the precise values. Besides, SMC is stronger in security than randomization. In this paper, we focus on the SMC protocols and their applications. SMC enables some parties to perform cooperative computations based on their confidential inputs while each participant obtains the cooperative computation’s result but anybody knows nothing about other parties’ private information. Since the seminal paper [4], SMC has attracted numerous researchers [5]–[7]. Nowadays, a great many SMC protocols, including secure comparison protocol [4], scalar product protocol [5], [6], privacy preserving add to multiply protocol (PPAtMP ) [8], [9], etc., have severed as the secure building blocks in privacy-preserving data mining [1], [2] , privacypreserving social networks [3], etc. Scalar product protocol [5], [6] and PPAtMP [8], [9] are two significant basic SMC protocols. In this paper, we claim that the two protocols are equivalent to each other and we can

978-1-4244-7755-5/10/$26.00 ©2010 IEEE

achieve one based on the other with the same communication overheads and computation complexity. Then, we propose some application protocols based on them. Our main contributions in this paper are 1) we confirm that scalar product protocol and PPAtMP are equivalent to each other and one of them can be achieved based on the other. The euqivalence will extend the applications of them and could arouse some more efficient schemes to achieve them. 2) we propose Secure Two-party Mean Protocol, Secure Shared x ln x Protocol and Secure Shared Generic Polynomial Protocol based on scalar product protocol and PPAtMP. 3) we detailedly analyze the correctness, security, communication overheads and computation complexity of each protocol proposed in this paper. The rest of the paper is organized as follows. Section 2 describes some notions in SMC and the related work. We confirm that scalar product protocol and PPAtMP are equivalent to each other and one of them can be achieved based on the other in section 3. Based on scalar product protocol and PPAtMP, some application protocols are proposed in section 4. We conclude the paper in section 5. II. P RELIMINARIES AND R ELATED W ORK In this section, we will describe some notions in SMC and the related work. A. Computation Models and Security Definition The majority of SMC protocols [4]–[6], [9]–[11] are under the semi-honest model [7]. Generally speaking, a semi-honest participant is the one who accurately follows the secure protocols, but it keeps a record of all its intermediate calculating data to analyze for more information. Here, we assume that all the participants are semi-honest behaviors. The formal security definition in the semi-honest model has been presented by Goldreich [7] in 2004. Broadly speaking, a SMC protocol is capable to securely compute a multivariate function f if and only if all the data that a participant has or receives during an execution could be deduced from his private input and confidential output.

184

Authorized licensed use limited to: University of Science and Technology of China. Downloaded on August 18,2010 at 07:09:06 UTC from IEEE Xplore. Restrictions apply.

B. Homomorphic Encryption System and 1-out-of-n Oblivious Transfer Protocol

Alice

There is a public cryptosystem (E, D) where E is the encryption function and D is the decryption function. If the following condition holds on, D(E(x1 ) × E(x2 )) = x1 + x2 , where x1 and x2 are any plaintext, then, the public encryption system is homomorphic. It is obvious that E(x1 ) × E(x2 ) is the corresponding ciphertext of x1 + x2 in a homomorphic cryptosystem. Therefore, using homomorphic cryptosystem, E(x1 + x2 ) can be computed from E(x1 ) and E(x2 ) without decrypting them. There are some schemes [10], [11] of performing scalar product protocol which were proposed by employing the efficient homomorphic cryptosystem [12]. 1-out-of-n obvious transfer protocol [7] also has two participants: Alice and Bob. In 1-out-of-n obvious transfer protocol, Bob has n private numbers x1 , x2 , · · · , xn , and Alice has a secret natural number i (1 6 i 6 n). The goal of them is that Alice obtains xi and learns nothing of xj (1 6 j 6 n, j 6= i), at the same time, Bob knows nothing about Alice’s secret number i. Based on 1-out-of-n obvious transfer protocol, a scalar product protocol was put forth in [13]. C. Semi-honest Third Party A semi-honest third party is an independent party, who functions as an auxiliary person in an SMC protocol. The third party may generate some random numbers and assist in computing some middle data. However, a semi-honest third party could find out no private information of any participant. Besides, it should defer to the step of the SMC protocols and cannot collude with any party. In reality, a semi-honest third party is a feasible choice, though there will be a price to pay. Du and Zhan [5] proposed a scalar product protocol with the help of a commodity server which is a semi-honest third party in effect. D. Scalar Product Protocol and PPAtMP Scalar product protocol [5], [6] is a significant basic secure building of SMC. Up to now, a great lot of problems in SMC can essentially be reduced to computing the scalar product [6], [14]. In scalar product protocol, there are two participants: Alice and Bob. Alice has a private vector x = (x1 , x2 , · · · , xn ) where n is a positive integer, Bob holds another confidential vector y = (y1 , y2 , · · · , yn ) and they want to securely perform cooperative computation such that Alice receives a confidential number u and Bob obtains his private output v which meet x · y = u + v. Several researchers have proposed some scalar product protocols with different security. Du and Zhan [5] proposed a scalar product protocol by using a semi-honest third party, the ”commodity server” . Based on oblivious transfer , another scheme for achieving scalar product protocol was put forth in [13]. [10] put forward a scalar product protocol based on Homomorphic Cryptosystem . In 2007, [11] presented an efficient scalar product protocol.

978-1-4244-7755-5/10/$26.00 ©2010 IEEE

x

x+y=u·v

Bob

u

y

v

PPAtMP Fig. 1.

Privacy-preserving Add to Multiply Protocol

Xu [8] proposed PPAtMP and privacy-preserving multiply to add protocol (PPMtAP). In a two-party cooperative computation, if Alice and Bob respectively hold private number x and y, they share the secret s = x · y. Using PPMtAP, they can change the sharing manner from multiplying (s = x · y) to adding (s = u + v). Opposite to PPMtAP, PPAtMP (shown 0 in Figure 1) changes the sharing modality from adding (s = 0 x + y) to multiplying (s = u · v). The interconversion of data sharing form could arouse some solutions for many privacypreserving distributed cooperative computations [8]. [9] has proposed some schemes for performing PPAtMP. In this paper, we confirm that scalar product protocol and PPAtMP are equivalent to each other and one of them can be achieved based on the other. Besides, we extend the applications of scalar product protocol and PPAtMP. III. T HE R ELATION OF PPAT MP AND S CALAR P RODUCT P ROTOCOL In this section, we confirm the relation of PPAtMP and scalar product protocol that they are equivalent to each other and one of them can be achieved by employing the other one. The euqivalence will extend the applications of them and could arouse some more efficient schemes to achieve them. More details are as follows. A. How to Perform Scalar Product Protocol through PPAtMP PPAtMP can change the shared manner from adding to multiplying. By invoking the protocol PPAtMP, we propose a novel scalar product protocol which has no need of any semi-honest third party. As mentioned above, some solutions [5], [10], [11], [13] to perform scalar product protocol have been proposed. In this sub-section, we will present a new scheme, which has no need of any semi-honest third party, for privately computing the shared scalar product of two confidential vectors . The new solution is denoted as Scalar Product Protocol based on PPAtMP (SPP PPAtMP). In the protocol, Alice has a private vector x = (x1 , x2 , · · · , xn ) where n is a positive integer and Bob hold another confidential vector y = (y1 , y2 , · · · , yn ). They want to cooperatively compute the scalar product of the two private vectors x and y such that Alice obtains a private number u, Bob receives another private output v and there is x · y = u + v. Highlight of SPP PPAtMP: In the protocol, Alice generates n uniformly random numbers ra1 , ra2 , · · · , ran and Bob privately generates another n uniformly random numbers rb1 , rb2 , · · · , rbn . Then, Alice and Bob respectively obtain

185

Authorized licensed use limited to: University of Science and Technology of China. Downloaded on August 18,2010 at 07:09:06 UTC from IEEE Xplore. Restrictions apply.

Protocol 1 Scalar Product Protocol based on PPAtMP (SPP PPAtMP ) Input: Alice has a private vector x = (x1 , x2 , · · · , xn ) and Bob holds another confidential vector y = (y1 , y2 , · · · , yn ). Output: Alice and Bob respectively obtain private u and v which enable the equation x · y = u + v to hold. 1: Step 1: Alice generates n uniformly random numbers ra1 , ra2 , · · · , ran and Bob privately generates another n uniformly random numbers rb1 , rb2 , · · · , rbn . 2: Step 2: 3: for i = 1 to n do 4: Alice and Bob collaboratively perform the protocol PPAtMP to securely compute Rai and Rbi which are respectively Alice’s and Bob’s private output such that rai + rbi = Rai × Rbi holds. 5: end for 6: Step 3: 7: for i = 1 to n do 0 0 8: Alice computes xi = xi + Rai and sends xi to Bob, at the 0 0 same time, Bob calculates yi = yi + Rbi and sends yi to Alice. 9: end for 10: Step 4: Bob generates a uniformly random number v, computes P Pn 0 mid data = n i=1 rbi + i=1 xi yi − v and sends mid data to Alice. Pn 0 11: Step i=1 Rai yi + Pn 5: Alice computes u = mid data − i=1 rai . Then there is u + v = x · y. // End of the protocol

privateRai and Rbi (i = 1, 2, · · · , n) such that rai + rbi = Rai ×Rbi through PPAtMP. At last, they can securely compute the scalar product x · y with the help of the foregoing random numbers rai , Rai , rbi and Rbi (i = 1, 2, · · · , n). The details of SPP PPAtMP are presented as Protocol 1. Correctness To display the correctness of SPP PPAtMP, we need to consider how u + v = x · y holds. Theorem 1: (correctness of SPP PPAtMP) SPP PPAtMP is correct, that is to say, u + v = x · y holds in the protocol. Proof: According to the step 5 of SPP PPAtMP, we have, u = mid data −

n X

0

Rai yi +

n X

rai .

i=1

i=1

In the step 4 of SPP PPAtMP, there is, mid data =

n X

rbi +

i=1

n X

0

xi yi − v.

i=1

Then, u+v =

n X

(rai + rbi ) +

i=1

n X

0

xi yi −

i=1

n X

0

Rai yi .

i=1

According to the step 2 of SPP PPAtMP, there is rai +rbi = Rai × Rbi (i = 1, 2, · · · , n). As a result we have, u+v =

n X

0

Rai (Rbi − yi ) +

i=1 0

n X

0

xi yi .

i=1 0

There are yi = yi +Rbi and xi = xi +Rai (i = 1, 2, · · · , n) 0 in the step 3 of SPP PPAtMP, that is, −yi = Rbi − yi and

978-1-4244-7755-5/10/$26.00 ©2010 IEEE

0

xi = xi − Rai . Therefore, we have, u+v =

n X i=1

0

(xi − Rai )yi =

n X

xi yi = x · y,

i=1

which completes the proof. Security SPP PPAtMP is secure if and only if each participant’s privacy will be well preserved and no one can find out other party’s confidential information. Theorem 2: (security of SPP PPAtMP) If the sub-protocol PPAtMP is secure, SPP PPAtMP is secure. Proof: We will respectively analyze Alice’s and Bob’s view (input, intermediate data and output) during the execution of SPP PPAtMP. During the execution of SPP PPAtMP, Alice receives 0 0 0 y1 , y2 , · · · , yn and mid data. Besides, she has her private vector x = (x1 , x2 , · · · , xn ), n private random numbers 0 0 0 ra1 , ra2 , · · · , ran , Ra1 , Ra2 , · · · , Ran , x1 , x2 , · · · , xn and her confidential output u. Distinctly, Alice can find out nothing 0 0 0 0 from y1 , y2 , · · · , yn and mid data. On the one hand, yi = yi + Rbi (i = 1, 2, · · · , n) and Rbi are Bob’s confidential uniformly random number, then neither of yi and P Rbi can be 0 n inferred from y data = . On the other hand, mid i i=1 rbi + Pn 0 i=1 xi yi − v and Alice can find out nothing since rbi , yi (i = 1, 2, · · · , n) and v all are unknown. To sum up, Alice 0 0 0 can construct n + 1 linear equations from y1 , y2 , · · · , yn and mid data what she receives, but there are 3n + 1 unknown variables in the n + 1 linear equations. Therefore, Bob’s private information will be well preserved in the protocol SPP PPAtMP. Correspondingly, during the execution of SPP PPAtMP, 0 0 0 Bob only receives x1 , x2 , · · · , xn . Furthermore, Bob knows his private vector y = (y1 , y2 , · · · , yn ), rb1 , rb2 , · · · , rbn , 0 0 0 Rb1 , Rb2 , · · · , Rbn , y1 , y2 , · · · , yn , mid data and v . It is 0 obvious that xi = xi + Rai and Rai are uniformly generated by Alice’s private random number generator, then Bob cannot find out any confidential information of Alice. Altogether, if PPAtMP is secure, no privacy of participants will be disclosed and SPP PPAtMP is secure. Communication Overheads and Computation Complexity In the step 2 of SPP PPAtMP, they invoke PPAtMP n times. The communication overheads of step 3 to step 5 of SPP PPAtMP are O(n).Therefore, if the communication cost of PPAtMP is O(C), the total communication overheads of SPP PPAtMP are O(nC + n). Correspondingly, if PPAtMP’s computation complexity is O(P), the computation complexity of SSP PPAtMP is O(nP + n). B. How to Perform PPAtMP based on Scalar Product Protocol In this sub-section, by invoking one-dimension scalar product protocol, we propose a novel PPAtMP which is as efficient as the one-dimension scalar product protocol. We denote the new scheme as PPAtMP based on Scalar Product Protocol (PPAtMP SPP). In the protocol PPAtMP SPP, Alice has a private number x and Bob holds another confidential number y. They want to cooperatively perform a computation such

186

Authorized licensed use limited to: University of Science and Technology of China. Downloaded on August 18,2010 at 07:09:06 UTC from IEEE Xplore. Restrictions apply.

that Alice obtains a private number u , Bob receives another private output v which meet x + y = u × v. Highlight of PPAtMP SPP: In the protocol, Alice generates a uniformly random number R1 and Bob privately generates another uniformly random number R2 . Then, Alice and Bob respectively obtain private r1 and r2 such that r1 + r2 = R1 × R2 through invoking one-dimension scalar product protocol. After that, they can securely compute respective private output u and v, which meet x + y = u + v, with extra const cost of communication and computation. The details of PPAtMP SPP are presented as Protocol 2. Correctness The correctness of PPAtMP SPP is shown as follows. Theorem 3: (correctness of PPAtMP SPP) PPAtMP SPP is correct, that is to say, x + y = u × v holds in the protocol. Proof: According to the step 5 of PPAtMP SPP, we have, u = mid data1 − R1 × mid data2 + r1 . 0

In the step 4 of PPAtMP SPP, there are, mid data1 = (x + y)/v + r2 and mid data2 = 1/v + R2 . Then, 0

u = (x + y − R1 )/v + (r1 + r2 ) − R1 × R2 . According to the step 2 of PPAtMP SPP, there is r1 + r2 = R1 × R2 . As a result we have, 0

u × v = x + y − R1 . 0

There is x = x + R1 in the step 3 of PPAtMP SPP, then, x + y = u × v. Therefore, Theorem 3 is correct. Security PPAtMP SPP is secure if and only if each participant’s privacy will be well preserved and anybody can find out nothing about the other party’s confidential information. Theorem 4: (security of PPAtMP SPP) If the invoked scalar product protocol is secure, PPAtMP SPP is secure. Proof: We will respectively analyze Alice’s and Bob’s view (input, intermediate data and output) during the execution of PPAtMP SPP. During the execution of PPAtMP SPP, Alice receives mid data1 and mid data2 . Besides, Alice has her private Protocol 2 PPAtMP based on Scalar Product Protocol (PPAtMP SPP ) Input: Alice has a private number x and Bob holds another confidential number y . Output: Alice and Bob respectively obtain private u and v which meet x + y = u × v. 1: Step 1: Alice generates a uniformly random number R1 and Bob privately generates another uniformly random number R2 . 2: Step 2: Alice and Bob collaboratively perform one-dimension scalar product protocol such that Alice receives r1 and Bob obtains r2 which enable r01 + r2 = R1 × R2 to hold. 0 3: Step 3: Alice computes x = x + R1 and sends x to Bob. 4: Step 4: Bob independently generates a uniformly random non0 zero number v, then computes mid data1 = (x +y)/v +r2 and mid data2 = 1/v + R2 , and sends mid data1 and mid data2 to Alice. 5: Step 5: Alice computes u = mid data1 −R1 ×mid data2 +r1 . Then, there is x + y = u × v. // End of the protocol

978-1-4244-7755-5/10/$26.00 ©2010 IEEE

0

input x, r1 , R1 , x and the confidential output u. Because y, r2 , R2 and v all are Bob’s confidential data, Alice can find out noting about Bob’s confidential information. Correspondingly, during the execution of PPAtMP SPP, 0 Bob only receives x . Furthermore, Bob knows mid data1 , 0 mid data2 , y, r2 , R2 and v . It is obvious that x = x + R1 and R1 is uniformly generated by Alice’s private random number generator, then Bob cannot find out Alice’s confidential number x and R1 . Therefore, if the invoked scalar product protocol is secure, the privacy of neither of participants will be revealed and PPAtMP SPP is secure. Communication Overheads and Computation Complexity In the step 2 of PPAtMP SPP, they invoke one-dimension scalar product protocol once. The communication overheads of step 3 to step 5 of PPAtMP SPP are O(1).Therefore, if the communication cost of one-dimension scalar product protocol is O(S) , the total communication overheads of PPAtMP SPP are O(S) too. Correspondingly, if one-dimension scalar product protocol’s computation complexity is O(Q), the computation complexity of PPAtMP SPP is O(Q) as well. IV. A PPLICATIONS Based on scalar product protocol and PPAtMP, Xu [8] proposed a secure Minkowski distance protocol. In this section, we will propose some other practical protocols, including Secure Two-party Mean Protocol, Secure Shared x ln x Protocol and Secure Shared Generic Polynomial Protocol, based on scalar product protocol and PPAtMP. A. Secure Two-party Mean Protocol Two-party mean problem deals with the situation that Alice and Bob respectively have some confidential numbers and they want to securely compute the mean of all the number of both without any private being disclosed. Based on scalar product protocol and PPAtMP, we propose Secure Two-party Mean Protocol (STMP) to achieve the above computation in a secure manner. The whole protocol is presented as Protocol 3. Correctness To displayP the correctness Pn of STMP, we need m to consider how u + v = ( i=1 xi + i=1 yi )/(m + n) holds. Theorem 5: (correctness ofP STMP) STMP is correct, that Pm n is to say, u + v = ( i=1 xi + i=1 yi )/(m + n) holds in the protocol. Proof: According to the step 3 of STMP, we have u+v = ra × rb . Then, ra2 × rb2 . u+v = ra1 × rb1 In the step 1 and step 2 of STMP, × rb1 = Pm there are ra1P n m + n, ra2 × rb2 = x + y, x = i=1 xi and y = i=1 yi . As a result we have, Pm Pn x+y i=1 xi + i=1 yi = . u+v = m+n m+n Pm Pn Therefore, u + v = ( i=1 xi + i=1 yi )/(m + n) holds in the protocol STMP. Theorem 5 is correct.

187

Authorized licensed use limited to: University of Science and Technology of China. Downloaded on August 18,2010 at 07:09:06 UTC from IEEE Xplore. Restrictions apply.

Protocol 3 Secure Two-party Mean Protocol (STMP)

Protocol 4 Secure Shared x ln x Protocol

Input: Alice has m private numbers x1 , x2 , · · · , xm and Bob holds n confidential number y1 , y2 , · · · , yn . x1 , x2 , · · · , xm and m all are Alice’s confidential information. y1 , y2 , · · · , yn and n all are Bob’s confidential numbers. Output: Alice and P Bob respectively Pn obtain private u and v which meet u + v = ( m i=1 xi + i=1 yi )/(m + n), that is, u + v is the mean of their m + n confidential numbers. 1: Step 1: Alice and Bob collaboratively perform the protocol PPAtMP such that Alice receives a private non-zero number ra1 and Bob obtains another confidential non-zero number rb1 which enable ra1 × rb1 = m + n to hold. Pm 2: Step P 2: Alice computes x = i=1 xi and Bob reckons up n y = i=1 yi . Then, Alice and Bob collaboratively perform the protocol PPAtMP such that Alice receives a private number ra2 and Bob obtains another confidential number rb2 which meet ra2 × rb2 = x + y. 3: Step 3: Alice obtains ra = ra2 /ra1 and Bob computes rb = rb2 /rb1 . Then, Alice and Bob collaboratively perform scalar product protocol such that Alice receives a private number u and Bob obtains another confidential number v which meet u + v = ra × rb . // End of the protocol

Input: Alice has a private number x1 and Bob holds another confidential number x2 . Output: Alice and Bob respectively obtain private u and v which enable the equation u + v = (x1 + x2 ) ln(x1 + x2 ) to hold. 1: Step 1: Alice and Bob collaboratively perform the protocol PPAtMP such that Alice receives a private non-zero number r1 and Bob obtains another confidential non-zero number r2 which enable r1 × r2 = x1 + x2 to hold. 2: Step 2: Alice and Bob respectively computes R1 = ln r1 and R2 = ln r2 at their local site. Then, Alice sets her confidential two-dimension vector x = (x1 , R1 ) and Bob sets his private two-dimension vector y = (R2 , x2 ). 3: Step 3: Alice and Bob collaboratively perform scalar product protocol to compute the dot product of x and y such that Alice obtains confidential output u1 , Bob gets his private output v1 and they meet u1 + v1 = x · y. 4: Step 4: Alice computes u = x1 R1 + u1 and Alice computes v = x2 R2 + v1 . // End of the protocol

Security STMP is secure if and only if each participant’s privacy will be well preserved and neither can find out other party’s confidential information. In STMP, each step is independent. If both the invoked scalar product protocol and PPAtMP are secure, each step will be secure. Therefore, if the invoked scalar product protocol is secure, the privacy of neither of participants will be revealed and STMP is secure. Communication Overheads and Computation Complexity In the step 1 and step 2 of STMP, PPAtMP is invoked and the step 3 of STMP executes one-dimension scalar product protocol. Therefore, if the communication cost of onedimension scalar product protocol and PPAtMP are respectively O(S) and O(C), the total communication overheads of STMP are O(C + S). If computation complexity of PPAtMP is O(P), the computation complexity of step 2 of STMP is O(n+P). Thus, if onedimension scalar product protocol’s computation complexity is O(Q), the computation complexity of STMP is O(n+P +Q). B. Secure Shared x ln x Protocol In the shared x ln x problem, Alice has a private number x1 and Bob holds another confidential number x2 . They want to collaboratively obtain a share of (x1 + x2 ) ln(x1 + x2 ) such that Alice and Bob respectively obtain private u and v which enable u + v = (x1 + x2 ) ln(x1 + x2 ) to hold, at the same time, no privacy is disclosed. How to privately compute the shared x ln x is a significant problem in privacy-preserving data mining [1]. Lindell [1] proposed a secure protocol to compute shared (x1 + x2 ) ln(x1 + x2 ). However, Lindell’s protocol is too complex and can not find out the accurate result. In this sub-section, we will present an efficient Secure Shared x ln x Protocol based on scalar product protocol and PPAtMP. The new scheme is efficient and can return the exact

978-1-4244-7755-5/10/$26.00 ©2010 IEEE

value of (x1 + x2 ) ln(x1 + x2 ). The details of Secure Shared x ln x Protocol are described as Protocol 4. Correctness It is easy to say that Secure Shared x ln x Protocol is correct. We briefly present the reasons as below. According to step 3 and step 4 of the protocol, we can get u + v = x1 R1 + x · y + x2 R2 . Then, u + v = x1 R1 + x1 R2 + x2 R1 + x2 R2 = (x1 + x2 )(R1 + R2 ). Because R1 = ln r1 , R2 = ln r2 and r1 × r2 = x1 + x2 , we have u + v = (x1 + x2 ) ln(r1 r2 ) = (x1 + x2 ) ln(x1 + x2 ). That is to say, Secure Shared x ln x Protocol is correct. Security Similar to STMP, if the invoked scalar product protocol and PPAtMP are secure, Secure Shared x ln x Protocol is secure. In Secure Shared x ln x Protocol, each step is independent. If both the invoked scalar product protocol and PPAtMP are secure, each step will be secure. Thus, the privacy of neither of participants will be disclosed and Secure Shared x ln x Protocol is secure. Communication Overheads and Computation Complexity In the step 1 of Secure Shared x ln x Protocol, PPAtMP is invoked and Secure Shared x ln x Protocol executes twodimension scalar product protocol in the step 3. Therefore, if the communication cost of two-dimension scalar product protocol is O(S) and PPAtMP’s communication overhead is O(C), the total communication overheads of Secure Shared x ln x Protocol are O(C + S). Accordingly, if computation complexity of PPAtMP is O(P) and two-dimension scalar product protocol’s computation complexity is O(Q), the computation complexity of Secure Shared x ln x Protocol is O(P + Q). C. Secure Shared Polynomial Protocol f (x) = c1 xp1 + c2 xp2 + · · · + cn xpn , where ci (i = 1, 2, · · · , n) are coefficients and pi (i = 1, 2, · · · , n) are exponential, is a generic polynomial function. While x = x1 + x2 , Alice privately holds x1 and Bob has the confidential

188

Authorized licensed use limited to: University of Science and Technology of China. Downloaded on August 18,2010 at 07:09:06 UTC from IEEE Xplore. Restrictions apply.

Protocol 5 Secure Shared Polynomial Protocol (SSPP) Input: Alice has a private number x1 and Bob holds another confidential number x2 . f (x) = c1 xp1 +c2 xp2 +· · ·+cn xpn is a public polynomial function, ci (i = 1, 2, · · · , n) are coefficients and pi (i = 1, 2, · · · , n) are exponential. Output: Alice and Bob respectively obtain private u and v which meet u + v = f (x1 + x2 ). 1: Step 1: Alice and Bob collaboratively perform the protocol PPAtMP such that Alice receives a private number Ra and Bob obtains another confidential number Rb which meet Ra × Rb = x1 + x2 . 2: Step 2: Alice computes ai = ci · Rapi (i = 1, 2, · · · , n) and sets her private vector a = (a1 , a2 , · · · , an ) . At the same time, Bob independently computes bi = Rbpi (i = 1, 2, · · · , n) and sets his confidential vector b = (b1 , b2 , · · · , bn ) . They collaboratively perform scalar product protocol such that Alice receives a private number u and Bob obtains another confidential number v which enable u + v = a · b to hold. // End of the protocol

x2 , how they can securely compute the function f (x1 + x2 ) is a important problem in SMC. Then, we present Secure Shared Polynomial Protocol (SSPP) to achieve the goal in a secure manner. The protocol SSPP is presented as Protocol 5. Correctness The reasons that SSPP is correct are displayed as follows. According to the step 2 of SSPP, there is u+v =a·b=

n X

ai bi .

i=1

Then, u+v =

n X

ci Rapi Rbpi .

i=1

In the step 1 of SSPP, there is Ra × Rb = x1 + x2 , as the result, we have u+v =

n X

ci (x1 + x2 )pi .

i=1

That is, u + v = f (x1 + x2 ). Therefore, u + v = f (x1 + x2 ) holds in SSPP ant the protocol is correct. Security There are two steps in SSPP and each step is independent. If the invoked scalar product protocol and PPAtMP are secure, each step will be secure. As a consequence, SSPP is secure and no privacy is revealed. Communication Overheads and Computation Complexity In the step 1 of SSPP, there is a PPAtMP and n-dimension scalar product protocol is invoked in the step 2 of SSPP. Therefore, if the communication cost of the invoked scalar product protocol is O(nS) and PPAtMP’s communication overhead is O(C), SSPP’s total communication overheads are O(C + nS). Similarly, if PPAtMP’s computation complexity is O(P) and the computation complexity of n-dimension scalar product protocol is O(nQ), the computation complexity of SSPP is O(P + nQ).

978-1-4244-7755-5/10/$26.00 ©2010 IEEE

V. C ONCLUSION AND F UTURE W ORK In this paper, we claimed that scalar product protocol and PPAtMP are equivalent to each other and we achieved one based on the other with the same communication and computation complexity. Then, we proposed some application protocols based on them. Additionally, we analyzed the correctness, security, communication overheads and computation complexity of each protocol proposed in this paper. For the future work, we will propose some privacy-preserving distributed computation protocols based on the protocols in this paper. ACKNOWLEDGMENT This work was supported by the Major Research Plan of the National Natural Science Foundation of China (No. 90818005), the National Natural Science Foundation of China (Nos. 60903217 and 60773032), and the China Postdoctoral Science Foundation funded project (No. 20090450701). R EFERENCES [1] Y. Lindell and B. Pinkas. Privacy Preserving Data Mining. In Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology, pages 36–54. Springer-Verlag London, UK, 2000. [2] M. Barni, C. Orlandi, and A. Piva. A privacy-preserving protocol for neural-network-based computation. In Proceedings of the 8th workshop on Multimedia and security. ACM, 2006. [3] F. Kerschbaum and A. Schaad. Privacy-preserving social network analysis for criminal investigations. In Proceedings of the 7th ACM workshop on Privacy in the electronic society, pages 9–14. ACM New York, NY, USA, 2008. [4] A. C. Yao. Protocols for secure computations. In Proceedings of the 23rd Annual IEEE Symposium on Foundations of Computer Science, pages 160–164, 1982. [5] W. Du and Z. Zhan. A practical approach to solve secure multi-party computation problems. In Proceedings of the 2002 workshop on New security paradigms, pages 127–135. ACM New York, NY, USA, 2002. [6] I. Ioannidis, A. Grama, and M. Atallah. A secure protocol for computing dot-products in clustered and distributed environments. In Proceedings of the International Conference on Parallel Processing, pages 379–384, 2002. [7] O. Goldreich. Fotmdations of Cryptography: Volume II, Basic Applications. Cambridge: Cambridge University Press, 2004. [8] W. Xu. Research on Private Data Protection and Its Applications in Network Computing. PhD thesis, University of Science and Technology of China, 2008. [9] Y. Zhu, L. Huang, W. Yang, D. Li, Y. Luo, and F. Dong. Three New Approaches to Privacy-preserving Add to Multiply Protocol and its Application. In Proceedings of the 2009 Second International Workshop on Knowledge Discovery and Data Mining, pages 554–558. IEEE Computer Society, 2009. [10] B. Goethals, S. Laur, H. Lipmaa, and T. Mielikainen. On private scalar product computation for privacy-preserving data mining. In ICISC, volume 3506, pages 104–120. Springer, 2004. [11] A. Amirbekyan and V. Estivill-Castro. A new efficient privacypreserving scalar product protocol. In Proceedings of the sixth Australasian conference on Data mining and analytics-Volume 70, pages 209–214. Australian Computer Society, Inc., 2007. [12] P. Paillier. Public-key cryptosystems based on composite degree residuosity classes. Lecture Notes in Computer Science, pages 223–238, 1999. [13] W. Du and M.J. Atallah. Privacy-preserving cooperative statistical analysis. In Proceedings of the 17th Annual Computer Security Applications Conference, volume 102, pages 10–14, 2001. [14] J. Vaidya and C. Clifton. Privacy preserving association rule mining in vertically partitioned data. In Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining, pages 639–644. ACM New York, NY, USA, 2002.

189

Authorized licensed use limited to: University of Science and Technology of China. Downloaded on August 18,2010 at 07:09:06 UTC from IEEE Xplore. Restrictions apply.