1 Efficient Privacy-Preserving Computation Based on Additive Secret Sharing

Lizhi Xiong, Wenhao Zhou, Zhihua Xia, Member,IEEE, Qi Gu, and Jian Weng, Member,IEEE

Abstract—The emergence of cloud computing provides a new computing paradigm for users—massive and complex computing tasks can be outsourced to cloud servers. However, the privacy issues also follow. Fully homomorphic encryption shows great potential in privacy-preserving computation, yet it is not ready for practice. At present, secure multiparty computation (MPC) remains mainly approach to deal with sensitive data. In this paper, following the secret sharing based MPC paradigm, we propose a secure 2-party computation scheme, in which cloud servers can securely evaluate functions with high efficiency. We first propose the multiplicative secret sharing (MSS) based on typical additive secret sharing (ASS). Then, we design protocols to switch shared secret between MSS and ASS, based on which a series of protocols for comparison and nearly all of the elementary functions are proposed. We prove that all the proposed protocols are Universally Composable secure in the honest-but-curious model. Finally, we will show the remarkable progress of our protocols on both communication efficiency and functionality completeness.

Index Terms—Privacy-Preserving Computation, Secure Multiparty Computation, Additive Secret Sharing, Cloud Computing. !

1 INTRODUCTION

LOUD computing as a new computing and data pro- towards protecting user privacy and against infringement of C cessing paradigm has significantly influenced the way data breach. Nevertheless, merely by virtue of socio-legal, it we live. By aggregating the virtualized and interconnected is insufficient to provide truly convincing cloud computing computers and other IT infrastructures, cloud computing security. Therefore, recent researches on privacy-preserving provides high-quality Internet service with characteristics of computation offered a way to achieve this and on-demand, broad network access, resource pooling, rapid it was shown on feasible in theoretical. elasticity, and measured service for users [1], [2]. More con- The most direct idea is to use Homomorphic Encryption cretely, for individuals, cloud computing reduces the thresh- (HE) which happens to coincide with the requirement of old of accessing computing resources, eliminates obstacles cloud computing security: allows performing a series of brought by infrastructures, and makes possible complex certain functions on with reserving the ability tasks such as deep learning [3]. For groups and compa- to be decrypted. For example, Paillier [6] is one of the nies, cloud computing gives more flexibility in allocating partially homomorphic encryption (PHE) with additive ho- resources, make them concentrate more on their business, momorphism. Considering two plaintexts m1 and m2, cloud and cuts expenses. In the past decade, the needs of economy servers can compute E(m1 + m2) with E(m1) and E(m2) constantly promoted the development of cloud computing, without knowing the private under Paillier encryption which in turn played an important role in integrating social scheme. Yet PHE like Paillier allows only one type of op- resources and improving social efficiency. eration on ciphertext and thus is not competent for some However, behind such a perfect cooperation model, complex cloud computing tasks. Somewhat homomorphic there are some privacy concerns that cannot be ignored [4]. encryption (SHE) improves the number of types of opera- In the cloud computing scenario, users inevitably have to tions comparing to PHE, such as SYY [7], BGN [8], IP [9]. arXiv:2009.05356v2 [cs.CR] 31 Mar 2021 hand over data which contain sensitive information to the These schemes introduce noise to achieve security, resulting cloud server. This means that cloud servers can access our in an increase of noise on ciphertext with every evaluation. private data whenever and wherever they like. And as it When the accumulation of noise on ciphertext exceeds a turns out, the rise of more and more data breach issues, threshold, the ciphertext will lose the ability to be decrypted, such as the massive data leakage of Facebook impacting which against the definition of HE. Therefore, SHE limits the 267 million users in 2017, attracts more attention from the number of operations on ciphertext and the possibility of public and drives the implementation of relevant laws [5]. fully computation offload. In 2009, a pioneering scheme [10] For instance, General Data Privacy Regulation (GDPR), the proposed by Gentry introduced bootstrapping technique most comprehensive and widely applied privacy regulation, to eliminate the noise of ciphertext and achieved the first implemented in the European Union in 2018, is geared plausible fully homomorphic encryption (FHE) which can evaluate any operation on ciphertext for any times. In a nutshell, bootstrapping means homomorphically decrypt • L. Xiong (email: [email protected]), W. Zhou (email: the ciphertext to get a clean ciphertext that contains no noise [email protected]), Z. Xia (corresponding author, email: xia [email protected]) and Q. Gu are with the School of Computer and is decryptable. However, bootstrapping is costly and and Software, Nanjing University of Information science and takes tens to hundreds of minutes for every ”clean” [11], Technology, Nanjing, China. [12]. Hence, HE remains a long way to go from theory to • J. Weng is with Jinan University, Guangzhou 510632, China. practice. 2

Another way is to use secure multiparty computation means that our scheme is not limited to specific float- (MPC) which allows a group of parties who don’t trust each ing point precision and avoids the loss of accuracy in other jointly compute a certain function F(x1, x2, ··· , xn) theoretical. Moreover, all the protocols are with con- without revealing their private input xi. MPC first intro- stant round complexities and low communications. duced by Yao in his seminal Two Millionaires Problem [13] • We prove that all the proposed protocols are Uni- has been developed for four decades and a lot of valuable versally Composable secure against the honest-but- work for it has emerged. In 1986, Yao proposed a well- curious model. known secure 2-party computation (2PC) technic called Garbled Circuits (GC) [14] where Alice first generates a Oranization. The organization of this paper is as follows: garbled Boolean circuit C which represents the function that We briefly introduce the related work of HE and MPC want to perform with their private input, in Section 2. The system model and preliminaries are in then Bob receives the circuit C and evaluate it by interacting Section 3. We formally describe secure protocols for linear with Alice. Later, Ben-Or et al. proposed BGW protocol [15] and multiplication in Section 4 and our proposed protocols which allow parties to evaluate arithmetic circuit consisting can be found in Section 5. The complexity of protocols is of addition and multiplication. In the privacy-preserving summarized in Section 6. Finally, we give conclusions about computation field, the GMW (aka. secret sharing based our work in Section 7. MPC) paradigm [16] is usually applied, where users can use secret sharing technic [17] to share their private data 2 RELATED WORK to servers and then servers evaluate a circuit which repre- sents the function users want to perform. Although Boolean In cloud computing, privacy-preserving computation means circuit or arithmetic circuit that contains only addition and that cloud servers can evaluate some functions on ”en- multiplication is Turing-complete in theoretical, construct- crypted” user data and return ”encrypted” results to users, ing a specific circuit for nonlinear functions to improve where the term ”encrypted” indicates that the privacy of efficiency is still a meaningful work. Many efforts to design data is preserved. There are mainly two methodologies secure protocols for nonlinear functions such as comparison, which could achieve it: homomorphic encryption and secure division, exponent, etc. have been made [18], [19], [20]. multiparty computation. However, these schemes either use Taylor series to fit or Homomorphic Encryption. Since the term ”homomor- directly construct Boolean circuit, which not only lead to phic encryption” first proposed by Rivest et al. [21] in 1978, accuracy loss, but also to low efficiency. The purpose of this the purist of FHE has never stopped. As the first attempts paper is to design secure protocols that generate arithmetic of HE, PHE can be divided into two categories: additive circuit for nonlinear functions without Taylor series or bit- HE and multiplicative HE. RSA is the first public key level operation as with typical addition and multiplication cryptography proposed by Rivest et al. [22] in 1978, later protocols. Rivest et al. [21] showed the multiplicative homomorphism Contribution. In this paper, we propose a secure 2- of RSA and presented the term HE in the same year. party computation scheme, which can be applied in privacy- Elgamal [23] proposed another widely used multiplicative preserving computation under the context of cloud comput- HE scheme which has higher security than RSA. The addi- ing. The main contributions can be described as follows: tive HE schemes represented by Paillier [6] mainly include GM [24], Benaloh [25], OU [26], NS [27], Galbraith [28] • Inspired by additive secret sharing (ASS) in the con- and KTX [29]. Since PHE only supports either addition text of MPC, we first introduce the multiplicative or multiplication, in some privacy-preserving schemes us- secret sharing (MSS) into secret sharing based MPC. ing PHE [30], users usually have to undertake part of or The shares shared through ASS are with additive even most of the computing tasks, and cloud servers fulfill homomorphism, while shares shared through MSS more of an auxiliary role. Before Gentry’s seminal work are with multiplicative homomorphism. It is almost in 2009, the development of SHE is very limited, where impossible to give share fully homomorphism, yet it BGN proposed by Boneh et al. [8] is one of the famous is possible to give share proper homomorphism at SHE schemes, which allow one multiplication and unlimited the right time. addition to being performed on ciphertext. In 2009, Gentry • We design two basic 2PC protocols for switch- [10] proposed the first FHE scheme in his Ph.D. thesis. ing shared secret between MSS and ASS, including Gentry first showed a SHE scheme based on ideal lattices, SecMulRes that converts shared secret over MSS and then introduced bootstrapping technique (also called to over ASS, and SecAddRes that is the inverse of decrypt homomorphically) to reduce noise of ciphertext. If a SecMulRes. SHE scheme can evaluate its decryption algorithm, then this • Based on the above two basic protocols, we design scheme is bootstrappable and can be transformed to FHE a series of 2PC protocols for comparison, expo- scheme through bootstrapping technique. After Gentry’s nentiation, logarithm, power, division, product and work, many SHE schemes have been proposed [31], [32], trigonometric functions, where both the input and [33], [34], and bootstrapping also be used to realize FHE. output are shared secrets, which follows the GMW Due to the inefficiency of bootstrapping, Brakerski et al. [35] paradigm. Finally, we nearly achieve all the elemen- proposed a leveled-FHE scheme that can evaluate functions tary functions. with predefined circuit depth without using bootstrapping. • All of these protocols contain only arithmetic oper- However, the scheme is hardly considered as real FHE, it ation and no bit-level operation or any fitting. This has better performance than other FHE schemes in some 3

scenario though. At present, FHE is gradually applied in the other hand, it decouples the secret owner and practice and has great efficiency improvement potential. the sharing holder, i.e., the private data owner Secure Multiparty Computation. After Yao presented and the party. Therefore, secret sharing expands the Two Millionaires Problem [13], he proposed GC [14] input sources, which means that non-parties, such which is one of the first MPC protocols. Later, Beaver et as users, can provide data to parties, while in MPC al. [36] proposed BMR protocols which extend GC from 2PC scenarios, the private data owner is equal to the to MPC by separating Alice’s task. Since GC is high costly, party. In this paper, the ASS is set to the default many optimization techniques have been proposed to im- secret sharing technic. Since ASS is an (n, n) thresh- prove efficiency and could be divided into three categories: old scheme, sharing private input entails that every optimization in GC generation [37], [38], optimization in GC party holds a share of every input. evaluation [36], [39], [40], optimization in protocol level [41]. 2) The parties evaluate the circuit on shares. In MPC, par- In GC-type schemes, the parties are the private data owner, ties will generate corresponding circuit according to in other words, they know what input data meaning for. specific tasks before the execution of protocol, while Therefore, Goldreich, Micali, and Wigderson (GMW) [16] in the context of cloud computing, since the party presented another MPC paradigm in 1987, where every (i.e., the server) is the outsourcer, the users need party first shares his private input (into n shares); then to send the circuit to the parties. Indeed, the users n parties run MPC protocols on shares; finally, n parties can also send the function to be executed and the recover results from output shares. Specifically, GMW using circuit will be generated by the parties. Regardless ASS over Z2 to share each bit of input, where oblivious of the data source, the function and its details are transfer [42] is used to evaluate AND gate and XOR gate clear and public to parties. This means that users can can be evaluated locally. The GMW paradigm expands the only keep data private to the server but not function source of MPC input, that is, allowing private input outside private. In this paper, we specify that there are two the parties such as users. Follow this paradigm, Ben-Or et al. parties P1 and P2 (i.e., two servers) due to the fact [15] proposed BGW protocol which allows parties evaluate that the fewer servers involved in computing, the arithmetic circuit based on Shamir secret sharing [17], where more secure it is for users. both addition and multiplication can be evaluated locally. 3) The final result is recovered by output shares. After Since multiplication will double the order of polynomial the evaluating stage, parties will output shares of and thus the secret cannot be recovered from shares, BGW the result. In cloud computing, these shares will introduced degree reduction via resharing shares. However, then be sent back to users. The principal feature of this method is not only inefficient, but also limits the thresh- GMW paradigm is that input and output, including old of Shamir secret sharing requiring that 2t < n. To solve intermediate results, are in the form of share, which this problem, Beaver creatively introduced Beaver triple [43] is similar to the ciphertext form in homomorphic generated in offline phase to significantly improve efficiency encryption. of evaluating multiplication. In 2006, Damgard˚ et al. [44] In GMW paradigm, the main effort (include this paper) is presented bit-decomposition protocol to convert shared se- to design efficient protocols to generate circuit for functions. cret over arithmetic sharing to over bitwise sharing. This Moreover, since the users are not involved in computation, technique allows us to combine the advantages of Boolean the number of users and communication between users and circuit and arithmetic circuit. Since then many MPC schemes parties are not considered in protocol design. based on ASS and bit-decomposition technique have been proposed [19], [41], [45]. In addition, there are many works that are dedicated to implementing MPC protocols and even 3.2 Threat and Security Model provide secure language to hide details of MPC protocols Similar to most secret sharing based MPC schemes [16], [19], [41], [45], [46], [47]. Recently, with the rapid development of [45], the honest-but-curious model (aka. semi-honest model) machine learning, many schemes that use MPC technic to is used in this paper, where an honest-but-curious adversary support privacy-preserving for the task have been proposed could corrupt parties before the execution of protocol, in [20], [48], [49]. Most of them optimized MPC they used other words, each party could be seen as honest-but-curious according to the characteristics of machine learning. adversary. An honest-but-curious adversary will abide by the protocol honestly but will analyze all the data he has as 3 SYSTEM MODELAND PRELIMINARIES much as possible. In addition, we assume that two parties In this section, we describe the GWM paradigm which is will not collude with each other, which means the one the basis of this paper, the threat model we use, definition adversary cannot corrupt two parties at the same time. of security, and the secret sharing technic. The real-ideal paradigm firstly presented in [50] is widely used to prove security of stand-alone MPC protocol. T 3.1 GMW Paradigm In the ideal world, there is a trusted third party who will receive private input xi sent by every party to compute GMW [16] introduced secret sharing in MPC to encrypt pri- F(x1, x2, ··· , xn) and send results to parties. The trusted vate input and become a new MPC paradigm called GMW third party T is also called ideal functionality F, in other paradigm. In this paper, we follow the GMW paradigm, and words, with the help of T , parties securely compute the which can be divided into three stages: function F. In the real world, there is no such T , parties 1) All private inputs are shared by their owners. On the have to interact with each other to compute F according one hand, secret sharing encrypts private data, on to protocol. Roughly, a protocol π is secure or securely 4

realizes ideal functionality F if the distributions of input defined over a finite field Z2 and is suitable for Boolean and output in the ideal world and in the real world are circuit. In [19], [20], [45], [48], [49], ASS defined over a finite indistinguishable. ring Z2l or a finite filed F is used and most of the secure However, the real-ideal paradigm cannot guarantee the operation is on arithmetic circuit. The defined field for ASS composability of secure protocol, which means that a com- determines the element form of shares and type of circuit plex protocol composed of secure sub-protocols is still a on which parties want to perform. In this paper, the ASS stand-alone protocol and should be proved from scratch. defined over real field R is considered, which is adequate The Universally Composable (UC) Security framework pro- for comprehensive operations on arithmetic circuit. posed by Canetti [51] introduced the environment on the Inspired by ASS, we introduce the multiplicative secret basis of the real-ideal paradigm to give secure protocol with sharing (MSS) defined over real field R for the needs of the composability. A sub-protocol can be considered as the protocol design. Specifically, in MSS, a secret u ∈ R will be ideal functionality in proving security, if it is UC-secure. In randomly divided into n shares [u1, u2, ··· , un] such that this paper, we will prove the security of our protocols under u1 × u2 × · · · × un = u. Similar to ASS, MSS defines an UC framework and the following security definition will be (n, n) threshold scheme. Note that it is not appropriate to used. use MSS defined over some fields such as Z2 due to the fact Definition 1. A protocol π is UC-secure or UC-securely that once a share is 0, the party could know the secret is 0. realizes the ideal functionality F if for any real world The original intention of secret sharing is to provide adversary A there exists a probabilistic polynomial-time access control for sensitive data. In this case, the threshold simulator S that can simulate an ideal world view such t should make a tradeoff between security and reliability, that is indistinguishable from real world view. where a higher t means more security and less reliability, while a lower t is the opposite. As an (n, n) threshold To prove that a protocol is UC-secure, it suffices to scheme, ASS and MSS obviously sacrifice reliability and show that the incoming view consisting of the message sent thus is not suitable in this scenario. However, they provide by other parties and output is simulatable for any parties MPC with capabilities of data encryption and data distribu- (adversary). In addition, the following lemmas will be used. tion. Lemma 1. The element x + r is uniformly distributed and For the sake of brevity, we use [[x]] to denote all of shares independent from x for any element x ∈ F if the element [x1, x2, ··· , xn] generated by the secret x through ASS, and r ∈ F is also uniformly distributed and independent use hui to denote all of shares [u1 × u2 × · · · × un] generated from x [19]. by the secret u through MSS. More precisely, the notation [[x]] or hui mean share x or u for party P , in other words, Proof: Readers can refer to the proof in [19]. i i i it represents an ensemble of individuals. Lemma 2. The nonzero element x·r is uniformly distributed and independent from x for any element x ∈ F if the element r ∈ F is also uniformly distributed and 4 LINEARAND MULTIPLICATION PROTOCOLS independent from x. Secure protocols for addition can be implemented directly Proof: If the nonzero element r ∈ F is uniformly based on additive homomorphism of ASS, meanwhile, se- distributed and independent from all x then so is x · r, since cure multiplication protocol can be constructed efficiently with Beaver triple [43]. The implementation of these proto- fr(x) := x · r is a bijective mapping for F. cols is not the contribution of this paper, but we still devote a section here to formally describe them for completeness. 3.3 Secret Sharing As illustrated in Algorithm 1, secure linear protocol Secret sharing introduced by Shamir [17] is aimed at ad- which further considers the operation of multiplication by dressing a problem in which the secret data divided into public number takes n shared secrets [[x1]], [[x2]], ··· , [[xn]] n pieces can be restored with over a certain number of with their public coefficient a1, a2, ··· , an and a public bias Pn j j pieces, whereas cannot with less of those. Specifically, in b as input, and return the shared secret [[ j=1 a · x + b]]. [17], Shamir presented a (k, n) threshold scheme such that: For clarity, superscript here is used to distinguish differ- 1) the secret data s which is named secret will be securely ent secrets or public numbers, whereas subscript is used divided into n pieces si which are named shares; 2) any to represent the share of corresponding party. During the k shares are able to reveal complete information about execution of secure linear protocol, P1 and P2 are only the secret; 3) any k − 1 or less shares reveals no useful required to perform same linear operation on their own information about the secret. One wants to share a secret shares asynchronously. s, he first securely divides secret into n shares si via secret Theorem 1. Algorithm 1 is correct and UC-secure in the sharing, then sends them to n parties respectively. Finally, honest-but-curios model. any k parties can restore the secret s together, whereas any k − 1 or less parties cannot. Proof: For correctness, there are Additive secret sharing (ASS) is defined over a field F. n n X j j X j j In ASS, a secret x ∈ F will be randomly divided into n f =f1 + f2 = a · x1 + a · x2 + b shares [x1, x2, ··· , xn] such that x1 + x2 + ··· + xn = x. j=1 j=1 Specially, ASS defines an (n, n) threshold scheme, since the n n X j j j X j j restoration of the secret requires all of the shares. The secret = a · (x1 + x2) + b = a · x + b sharing used in GMW protocol [16] can be regarded as ASS j=1 j=1 5

For security, note that Algorithm 1 contains only local Algorithm 2 Secure Multiplication Protocol [[f]] ← operations and no interaction with each party. Therefore, SecMul([[x]], [[y]]) the protocol is perfectly simulatable and is UC-secure in the Input: honest-but-curios model. Shared secrets [[x]] and [[y]]. Beaver triple: [[a]], [[b]], [[c]], where c = a · b. Algorithm 1 Secure Linear Protocol [[f]] ← Output: Shared secret [[f]] such that f = x · y. SecLinear([[x1]], [[x2]], ··· , [[xn]], a1, a2, ··· , an, b) 1: P1 computes d1 ← x1 − a1, e1 ← y1 − b1. j j Input: Shared secrets [[x ]], public coefficient a for all j ∈ 2: P2 computes d2 ← x2 − a2, e2 ← y2 − b2. {1, 2, ··· , n} and bais b. 3: P1 and P2 collaboratively reveal d and e. Pn j j Output: Shared secret [[f]] such that f = j=1 a · x + b. 4: P1 computes f1 ← c1 + d · b1 + e · a1. Pn j j 5: P f ← c + d · b + e · a + e · d 1: P1 computes f1 ← j=1 a · x1. 2 computes 2 2 2 2 . Pn j j 6: Return [[f]] 2: P2 computes f2 ← j=1 a · x2 + b. 3: Return [[f]].

incoming view of P1 is (d2, e2) and the output is (f1), where Unlike linear operation, secure protocol for multiplica- d2 = x2 − a2, e2 = y2 − b2, and f1 = c1 + d · b1 + e · a1. tion cannot be constructed by such intuitive way, since The values a2, b2, and c1 are uniformly distributed and [[x · y]] = [[x]] · [[y]] fails. In 1991, Beaver [43] presented a independent from any private input, due to Lemma 1, the crucial work to solve this problem, where a multiplicative incoming view and output are simulatable. Since P1 and triple (aka. Beaver triple) is used to assist parties to securely P2 are symmetric in Algorithm 2, it is trivial to build a compute product. The idea of beaver triple has its roots simulator S for P2. in a simple but inconspicuous mind: obfuscate inputs and then use a particular linear combination to correct them. A Beaver triple consists of three numbers a, b, c such that 5 PROPOSED PROTOCOLS c = a · b where a and b are random and will be generated In this section, we firstly propose two resharing protocols. and shared by ASS in offline phase. It means that each party Then, based on these, we design a series of secure proto- Pi will own shares of input xi and yi and shares of Beaver cols for comparison, exponentiation, logarithm, power, and triple ai, bi, and ci before the execution of the protocol. In trigonometric functions. Finally, we discuss the remainder general, there are two ways to generate and share Beaver of basic elementary functions—inverse trigonometric func- triple in offline phase: 1) done by parties through other tions. MPC technic [49]; 2) done by trusted third party T [20]. Specially, in privacy-preserving computation, users can act as a trusted third party. 5.1 Resharing Secure multiplication protocol takes two shared secrets MSS described in Preliminaries has multiplicative homo- [[x]] and [[y]] as input, and return the shared secret [[x · y]]. morphism different from ASS, and in fact, is the basis Firstly, two random number a and b used to mask two of all the remaining protocols. However, all data (secret) multipliers x and y respectively via computing differences should eventually return to the form shared by ASS in our [[d]] ← [[x]] − [[a]], [[e]] ← [[y]] − [[b]]. Secondly, parties reveal d setting, hence the resharing technic which switches shared and e to make them into public numbers. Since both a and b secret between MSS and ASS need to be first implemented. are random and privately shared, revealing d and e leaks no Besides, based on MSS, we can directly construct secure information about x and y. Now multiply two differences d protocol for comparison. and e to obtain d · e = x · y − a · y − b · x + a · b, where x · y is the result that we want, meanwhile a · y, b · x, and a · b can 5.1.1 Multiplicative Resharing be eliminated by e · [[a]], d · [[b]], and [[c]]. Finally, it conclude The multiplicative resharing is to convert shared secret over that [[x · y]] = d · e + d · [[b]]+ e · [[a]]+ [[c]]. Algorithm 2 shows MSS to over ASS. In fact, it is homologous with of multipli- the details, where the term e · d can be computed by either cation. Recall that multiplication is essentially to compute P party, and we specify 2 here without loss of generality. (f1 + f2) ← (x1 + x2) · (y1 + y2), where the inputs of Pi are Moreover, secure protocol for product which has more than xi and yi; whereas multiplicative resharing is essentially to 2 multipliers can be implemented by recursively splitting compute (x1 + x2) ← (u1 · u2), where the input of Pi is ui. input sequences in half and then computing each pair in The outputs of both are isomorphic, while in terms of input, parallel. u1 can be considered as (x1 + x2) and u2 can be considered Theorem 2. Algorithm 2 is correct and UC-secure in the as (y1 +y2). That is to say, for P1, he has x1 and x2 instead of honest-but-curios model. x1 and y1, thereby Beaver triple allocation needs to change Proof: For correctness, there are accordingly. Specifically, a Beaver triple will be generated and the value c will be shared by ASS in offline phase f =f1 + f2 as usual. The difference is that the values a and b will be =c1 + d · b1 + e · a1 + c2 + d · b2 + e · a2 + e · d directly sent to P1 and P2 instead of sharing them, since for P x x a a =c + d · b + e · a + e · d = x · y 1, he owns 1 and 2 and hopes to get 1 and 2. In other words, before the execution of this protocol, P1 owns u1, a, To prove security, we first consider the incoming view and and c1, meanwhile P2 owns u2, b, and c2. As illustrated in output of P1 and prove that both are simulatable. The Algorithm 3, at first, P1 computes d ← u1 − a which can 6 Algorithm 3 Secure Multiplicative Resharing Protocol FAR interacts with parties P1, P2, and adversary S. [[x]] ← SecMulRes(hui)

Input: 1. FAR receives xi from Pi for all i = 1, 2. Shared secret hui over MSS. 2. FAR computes x ← x1 + x2. Beaver triple: a, b, [[c]], where c = a · b. The value c is 3. FAR chooses random nonzero value u2 ∈ F. 4. FAR computes u1 ← x/u2. shared by ASS, meanwhile a is held by P1 and b is held 5. FAR sends u1 to P1 and u2 to P2. by P2. Output: Shared secret [[x]] over ASS such that x = u.

1: P1 computes d ← u1 − a. Fig. 1. Additive resharing ideal functionality FAR. 2: P2 computes e ← u2 − b. 3: P1 sends d to P2. Algorithm 4 Secure Additive Resharing Protocol hui ← 4: P2 sends e to P1. SecAddRes([[x]]) P x ← c + e · a 5: 1 computes 1 1 . Input: P x ← c + d · b + e · d 6: 2 computes 2 2 . Shared secret [[x]] over ASS. 7: Return [[x]] Beaver triple: a, b, [[c]], where c = a · b. The value c is shared by ASS, meanwhile a is held by P1 and b is held by P2. be seen as [[e]] ← [[y]] − [[b]]. Then the values d and e are Output: Shared secret hui over MSS such that u = x. revealed by two parties. At last, P1 computes x1 ← c1 +e·a 1: P1 computes e = (x1 − c1)/a. and P2 computes x2 ← c2 + d · b + e · d respectively, which 2: P1 sends e to P2. can be seen as [[c]] + d · [[b]] + e · [[a]] + e · d. Same as secure 3: P2 computes u2 ← e + b, d ← (x2 − c2)/u2. multiplication protocol, the term e · d is specified here to be 4: P2 sends d to P1. computed by P2. 5: P1 computes u1 ← d + a. Theorem 3. Algorithm 3 is correct and UC-secure in the 6: Return hui honest-but-curios model.

Proof: For correctness, there are case needs to point out is that when the input value x = 0 (i.e., x1 = −x2), the share of result x =x1 + x2 = c + d · b + e · a + e · d

=c + u1 · b − a · b + u2 · a − a · b x2 − c2 + u1 · u2 − u2 · a − u1 · b + a · b u =d + a = + a 1 u =u · u = u 2 1 2 −x − c −ac + a2b = 1 2 + a = = 0, P P x1−c1 To prove security, since 1 and 2 are symmetric in Algo- a + b x1 − c1 + ab rithm 3, it suffices to show that the view of P1 is simulatable. The incoming view of P1 is (e) and the output is (x1), where is identically equal to zero. This means that once P1 get e = u2 − b and x1 = c1 + e · a. Since the values b and c1 are u1 = 0, he can know that the secret value x = 0, but it uniformly distributed and independent of any private input, is the necessary price of performing this protocol. Even in due to Lemma 1, it is easy to perfectly build a simulator for the ideal world, one of the parties Pi will get knowledge P1. of the secret value when it is zero. As illustrated in Figure 1, the ideal functionality FAR which the additive resharing 5.1.2 Additive Resharing protocol wants to securely realize describes the behavior in the ideal world. Additive resharing which converts shared secret over ASS to over MSS is defined as the inverse of multiplicative re- Theorem 4. Algorithm 4 is correct and UC-secure in the sharing and secure protocol for it can be constructed by fol- honest-but-curios model. lowing Algorithm 3 backward step by step. In offline phase, the allocation of Beaver triple is the same as Algorithm 3. Proof: For correctness, there are In online phase, P1 and P2 first compute [[t]] = [[x]] − [[c]]. Note that since the term e · d is assumed to be done by u =u1 · u2 = (d + a) · (e + b) [[P ]]2, the difference e can then be restored with e ← t1/a. =x2 − c2 + ae + ab = x2 − c2 + x1 − c1 + ab When P2 receives e from P1, the share of result u2 can be =x1 + x2 = x directly obtained by computing u2 ← e + b and another difference d can be restored with d ← t2/u2. Lastly, P1 To prove security, we need to show that both views of P1 compute u1 ← d + a after he received d from P2. Algorithm and P2 are simulatable. For P2, his incoming view is (e), 4 shows full details of this protocol and combines some where e = (x1 − c1)/a. And for P1, his incoming view is computations. (d), where d = (x2 − c2)/(e + b). Since the values a, b, c1, c2 It is worth mentioning that Algorithm 4 includes two are uniformly distributed and independent of any private division operations and thus may cause the problem of input, due to Lemma 1 and Lemma 2, the incoming views division by zero. However, in fact, the cases that a happens of P1 and P2 are simulatable. Besides, it is trivial to see that to be 0 or b happens to be (c1 −x1)/a are negligible. Another the outputs of P1 and P2 can be also simulated. 7 Algorithm 5 Secure Comparison Protocol SecCom([[x]], [[y]]) Algorithm 6 Secure Exponentiation Protocol [[f]] ← Input: Shared secrets [[x]] and [[y]]. SecExp([[x]], a) Output: 0 if x == y, 1 if x > y, −1 if x < y. Input: Shared secret [[x]] and public base number a. x 1: P1 computes d1 ← x1 − y1. Output: Shared secret [[f]] such that f = a . x1 2: P2 computes d2 ← x2 − y2. 1: P1 computes u1 ← a . x2 3: P1 and P2 collaboratively compute hui ← 2: P2 computes u2 ← a . SecAddRes([[d]]). 3: P1 and P2 collaboratively compute [[f]] ← 4: P1 and P2 reveal the signs of u1 and u2. SecMulRes(hui). 5: if u1 == 0 or u2 == 0 then 4: Return [[f]]. 6: Return 0. 7: else if (u1 > 0 and u2 > 0) or (u1 < 0 and u2 < 0) then 8: Return 1. in computing. However, such case should be avoided in 9: else designing function, not be guaranteed of this algorithm. 10: Return −1. 11: end if Theorem 6. Algorithm 6 is correct and UC-secure in honest- but-curios model.

5.1.3 Comparison Proof: According to correctness of SecMulRes, we It is easy to see that MSS allows share to reserve the sign have of secret, thus secure comparison can be accomplished via f1 + f2 = u1 · u2, additive resharing. As presented in Algorithm 5, P1 and P2 compute the difference [[d]] = [[x]] − [[y]] at first, then call therefore, the correctness of this algorithm can be proven as secure additive resharing protocol to get the difference hui follow over MSS, and after that, the sign of hui will be revealed f = f + f = u · u = ax1 · ax2 = ax1+x2 = ax. between each party. Since there exists round-off error in 1 2 1 2 practice, two floating-point numbers are almost impossible Since SecMulRes is secure and this algorithm contains no to be completely equal. A precision threshold ∆ could be additional communication, security is trivial. set to determine whether two floats are equal, i.e., whether their difference is reduced to zero. When the signs of all multiplicative shares are public, parties will arrive at a 5.2.2 Logarithm consensus over the comparison of two numbers. As the inverse of exponentiation, secure logarithm is to Theorem 5. Algorithm 5 is correct and UC-secure in honest- compute [[f]] ← loga[[x]], where a is a base number. Similar but-curios model. to exponentiation, logarithm has its own ”product-to-sum” identity Proof: It is trivial to prove the correctness and security of Algorithm 5, since those of SecAddRes protocol has been proven. loga(u1 · u2) = loga u1 + loga u2. (2)

From this point, parties first call the protocol SecAddRes 5.2 Nonlinear Functions to convert additive shares into multiplicative shares and Switching shared secret between two sharing forms as well then perform logarithmic operation on each share. Since as some identities makes possible secure protocols for expo- logarithmic function requires positive input, we have to nentiation, logarithm, and power without any approximate make the share absolute in advance. It means that what we or bit-level operation. Besides, the division can be seen as a actually designed is the secure function [[f]] ← loga |[[x]]|, special case of power. and which is more reasonable. Note that the steps of SecLog are exactly the opposite of SecExp, in which the 5.2.1 Exponentiation steps of SecAddRes and SecMulRes they called are also Secure exponentiation is to compute [[f]] ← a[[x]], where a is a opposite. public base number and is usually specified as e. According Theorem 7. Algorithm 7 is correct and UC-secure in honest- to the identity but-curios model.

x +x x x a 1 2 = a 1 · a 2 , (1) Proof: For correctness, there are when parties perform exponential operation on their shares, f = f1 + f2 = log |u1| + log |u2| = log |u1 · u2|, the problem can be transformed into the problem of con- a a a verting multiplicative shares which has been solved by due to the correctness of SecAddRes, we have SecMulRes. Without loss of generality, Algorithm 6 takes a secret exponent [[x]] and a public base number a as input, f = loga |u1 · u2| = loga |x1 + x2| = loga |x|. and returns the shared result [[ax]]. In addition, when base number a is negative, an in- Since SecAddRes is secure and this algorithm contains no appropriate exponent such as 1/2 will lead to a mistake additional communication, security is trivial. 8 Algorithm 7 Secure Logarithm Protocol [[f]] ← Algorithm 9 Secure Sine Protocol [[f]] ← SecSin([[x]]) SecLog([[x]], a) Input: Shared secret [[x]]. Input: Shared secret [[x]] and public base number a. Output: Shared secret [[f]] such that f = sin x. Output: Shared secret [[f]] such that f = loga |x|. 1: P1 computes m1 ← sin x1, n1 ← cos x1. 1: P1 and P2 collaboratively compute hui ← 2: P2 computes n2 ← sin x2, m2 ← cos x2. m SecAddRes([[x]]). 3: P1 and P2 collaboratively compute [[f ]] ← n 2: P1 computes f1 ← loga |u1|. SecMulRes(hmi), [[f ]] ← SecMulRes(hni) in parallel. m n 3: P2 computes f2 ← loga |u2|. 4: P1 computes f1 ← f1 + f1 . m n 4: Return [[f]]. 5: P2 computes f2 ← f2 + f2 . 6: Return [[f]]. Algorithm 8 Secure Power Protocol [[f]] ← SecP ow([[x1]], [[x2]], ··· , [[xn]], α1, α2, ··· , αn) Algorithm 10 Secure Cosine Protocol [[f]] ← SecCos([[x]]) Input: Shared secrets [[xj]] and public integers αj for all j ∈ Input: Shared secret [[x]]. {1, 2, ··· , n}. Output: Shared secret [[f]] such that f = cos x. j Qn jα 1: P1 computes m1 ← sin x1, n1 ← cos x1. Output: Shared secret [[f]] such that f = j=1 x . j 2: P2 computes m2 ← sin x2, n2 ← cos x2. 1: P1 and P2 collaboratively compute hu i ← m j 3: P1 and P2 collaboratively compute [[f ]] ← SecAddRes([[x ]]) for all j ∈ {1, 2, ··· , n} in parallel. n j SecMulRes(hmi), [[f ]] ← SecMulRes(hni) n j α in parallel. Q n m 2: P1 computes v1 ← j=1 u1 . 4: P1 computes f1 ← f − f . j 1 1 n j α n m Q 5: P2 computes f2 ← f2 − f2 . 3: P2 computes v2 ← j=1 u2 . 6: Return [[f]]. 4: P1 and P2 collaboratively compute [[f]] ← SecMulRes(hvi). 5: Return [[f]]. 5.2.4 Trigonometric Functions Trigonometric functions which contain sine, cosine, tangent, 5.2.3 Power cotangent, cosecant, and secant describe the relationship of Secure power is to compute [[f]] ← [[x]]α, where α is a public an angle and two edges of a right triangle. We first design integer. Inspired by the identity secure protocols for two basic functions: sine and cosine, then discuss the remains. α α α Secure sine is to compute [[f]] ← sin[[x]]. Considering the (u1 · u2) = u · u , (3) 1 2 angle sum and difference identity we can first turn shares into multiplicative shares, then perform power operation on each share, and finally, turn sin(x + x ) = sin x · cos x + cos x · sin x , (5) shares back to additive. In fact, the above identity also holds 1 2 1 2 1 2 for multiple multipliers, in other words, multiplication and the problem is transformed into how to convert shares. power are to MSS what linear is to ASS. For n multipliers, Algorithm 9 first computes the sine and cosine of each we have share, then divides above four trigonometric results into two groups of multiplicative shares, and the rest is to call 1 1 2 2 n n α 1 2 n α 1 2 n α SecMulRes for each group in parallel. (u u u u ··· u u ) = (u u ··· u ) ·(u u ··· u ) . (4) 1 2 1 2 1 2 1 1 1 2 2 2 Secure cosine is to compute [[f]] ← cos[[x]]. Similar to Therefore, as shown in Algorithm 8, we design secure Algorithm 9, it is easy to design secure cosine protocol that power protocol which implements secure function [[f]] ← securely implements cosine according to the identity j Qn jα j=1 [[x]] . Note that division is the special case of power, SecPow([[x]],[[y]],1,−1) i.e., , and product is also the special cos(x1 + x2) = cos x1 · cos x2 − sin x1 · sin x2. (6) case, i.e., SecPow([[x1]],[[x2]],··· ,[[xn]],1,1,··· ,1). In addition, when the exponent α is a real number or Algorithm 10 shows the details. even a shared secret, this algorithm no longer applies. We Theorem 9. Algorithm 9 and Algorithm 10 are correct and discussed both cases in the Appendix. secure in honest-but-curios model. Theorem 8. Algorithm 8 is correct and UC-secure in honest- Proof: For the correctness of Algorithm 9, there are but-curios model. f =f + f = f m + f n + f m + f n = f m + f n Proof: For correctness, there are 1 2 1 1 2 2 =m + n = m1m2 + n1n2 = sin x1 · cos x2 + cos x1 · sin x2 n j j n j n j Y j α j α Y α Y α j j = sin(x1 + x2) = sin x. f = f1+f2 = v1·v2 = u1 ·u2 = u = x . j=1 j=1 j=1 Referring to the above proof, it is trivial to prove the Since SecAddRes and SecMulRes are secure and this al- correctness of Algorithm 10. Since SecMulRes is secure gorithm contains no additional communication, security is and Algorithm 9 and Algorithm 10 contain no additional trivial. communication, security of both is trivial. 9

Tangent, cotangent, cosecant, and secant could be de- TABLE 1 fined by sine and cosine as sine/cosine, cosine/sine, 1/sine, and Complexities of protocols 1 (Here, l is the bit-width of the element in practice, and n denotes the /cosine respectively. Therefore, constructing secure proto- number of inputs) cols for these functions is merely a combination of SecSin, SecCos, and SecPow, and it is trivial to prove the correct- Protocol Round Complexities Communications ness and security of them. SecMul 1 4l SecMulRes 1 2l 5.3 Inverse Trigonometric Functions SecAddRes 2 2l SecCom 3 2l + 2 The inverse trigonometric functions is the final problem to SecExp 1 2l integrity basic elementary functions. However, there is no SecLog 2 2l SecPow angle sum and difference identity for inverse trigonometric 3 (2n + 2)l SecSin, SecCos 1 4l functions. Therefore, we have to settle for second best by Division 3 6l using Taylor series. For instance, arcsin(x) can be calculated Product min(3, dlog2 ne) (2n + 2)l, (4n − 4)l using Maclaurin series: Tagent, Cotangent 4 14l Secant, Cosecant 4 12l

1 x3 1 · 3 x5 1 · 3 · 5 x7 arcsin(x) = x+ + + +··· 2 3 2 · 4 5 2 · 4 · 6 7 product and division derived from power. Additionally, we (7) discussed the cases about power with real exponent or with Since secure power protocol is with constant round com- secret exponent in Appendix, and constructed protocols plexities, high order Taylor series (Maclaurin series) will not for them. All the protocols proposed in this paper are increase additional interaction between parties. As a result, composed of arithmetic operations and contain no bit-level we could increase the order of Taylor series as much as operation with low constant round complexities, and have possible to improve accuracy. been proven secure in honest-but-curios model. Specially, secure power protocol with constant round 6 COMPLEXITY complexities provides the possibility of higher order Taylor series which can approximate most functions that include Table 1 summarized round complexities and communica- those not implemented in this paper and will benefit from tions of all the protocols in this paper. We can see that all higher order. Meanwhile, secure sine and cosine protocols proposed protocols have low constant round complexities provide the possibility of efficient Fourier series which can and low communications, which is suitable for practice. approximate an arbitrary function in a period. The round complexities of SecCom are 3 which contains 2 rounds of SecAddRes and 1 round of revealing signs. As the sign of secret over MSS is precisely in ASS form, parties ACKNOWLEDGEMENTS do not need to know the exact result of comparison in some This work is supported in part by the National Natural Sci- scenarios. Consequently, SecAddRes can be regarded as ence Foundation of China under grant numbers 61702276, secure comparison protocol with semaphore, and its round 61672294, 61502242, in part by the Priority Academic Pro- complexities are 2. gram Development of Jiangsu Higher Education Institutions Secure product is available in two methods: 1) recur- (PAPD) fund. sively splitting input sequences in half and then computing each pair in parallel; 2) as a special case of power. The Round complexities of the two methods are dlog2 ne and REFERENCES the constant 3, and communications are (4n − 4)l and (2n + 2)l, respectively. Hence the round complexities of [1] M. Hamdaqa and L. Tahvildari, “Cloud computing uncovered: a research landscape,” in Advances in Computers. Elsevier, 2012, product are min(3, dlog2 ne) by selecting the appropriate vol. 86, pp. 41–85. method according to the number of inputs. [2] P. Mell, T. Grance et al., “The nist definition of cloud computing,” The round complexities of secure protocols for tangent, 2011. cotangent, cosecant and secant defined by sine and cosine [3] R. Shokri and V. Shmatikov, “Privacy-preserving deep learning,” in Proceedings of the 22nd ACM SIGSAC conference on computer and are 4, while what using the angle sum and difference iden- communications security, 2015, pp. 1310–1321. tities are 4 as well. [4] M. D. Ryan, “Cloud computing privacy concerns on our Table 2 compared the complexities of secure protocols for doorstep,” Communications of the ACM, vol. 54, no. 1, pp. 36–38, 2011. comparison and division with previous work, and showed [5] J. Mancuso, “Privacy-preserving machine learning 2018: A year in that our scheme is more efficient. review,” Tech. Rep., 2019. [6] P. Paillier, “Public-key cryptosystems based on composite degree residuosity classes,” in International conference on the theory and 7 CONCLUSIONS applications of cryptographic techniques. Springer, 1999, pp. 223– 238. In this paper, we firstly proposed two basic protocols, multi- [7] T. Sander, A. Young, and M. Yung, “Non-interactive cryptocom- plicative resharing and additive resharing, which can switch puting for nc/sup 1,” in 40th Annual Symposium on Foundations of shared secrets. And then, based on this ability, protocols Computer Science (Cat. No. 99CB37039). IEEE, 1999, pp. 554–566. [8] D. Boneh, E.-J. Goh, and K. Nissim, “Evaluating 2-dnf formulas on for comparison, exponentiation, logarithm, power, product, ,” in Theory of Cryptography Conference. Springer, 2005, division, and trigonometric functions were proposed, where pp. 325–341. 10

TABLE 2 Comparison of Round Complexities and Communications 0 0 (Here, l is the bit-width, l = log2 l, and the values of m, n determine the accuracy of division)

Comparison Division Scheme Rounds Comm. Rounds Comm. [18] 15 279l + 5 - - [19] l0 + 3 5l02 + 12(l0 + 1)l 4l0 + 9 2ml + 6ml0 + 39l0l + 35l0n0 + 126l + 32n0 + 24 [20] l + 3 10l − 2 - - Ours 3 2l + 2 3 6l

[9] Y. Ishai and A. Paskin, “Evaluating branching programs on en- [28] S. D. Galbraith, “Elliptic curve paillier schemes,” Journal of Cryp- crypted data,” in Theory of Cryptography Conference. Springer, 2007, tology, vol. 15, no. 2, pp. 129–138, 2002. pp. 575–594. [29] A. Kawachi, K. Tanaka, and K. Xagawa, “Multi-bit cryptosystems [10] C. Gentry and D. Boneh, A fully homomorphic encryption scheme. based on lattice problems,” in International Workshop on Public Key Stanford university Stanford, 2009, vol. 20, no. 9. Cryptography. Springer, 2007, pp. 315–329. [11] J.-S. Coron, D. Naccache, and M. Tibouchi, “Public key compres- [30] Y. Aono, T. Hayashi, L. Wang, S. Moriai et al., “Privacy-preserving sion and modulus switching for fully homomorphic encryption deep learning via additively homomorphic encryption,” IEEE over the integers,” in Annual International Conference on the Theory Transactions on Information Forensics and Security, vol. 13, no. 5, pp. and Applications of Cryptographic Techniques. Springer, 2012, pp. 1333–1345, 2017. 446–464. [31] M. Van Dijk, C. Gentry, S. Halevi, and V. Vaikuntanathan, “Fully [12] J.-S. Coron, A. Mandal, D. Naccache, and M. Tibouchi, “Fully homomorphic encryption over the integers,” in Annual Interna- homomorphic encryption over the integers with shorter public tional Conference on the Theory and Applications of Cryptographic keys,” in Annual Cryptology Conference. Springer, 2011, pp. 487– Techniques. Springer, 2010, pp. 24–43. 504. [32] P. S. Pisa, M. Abdalla, and O. C. M. B. Duarte, “Somewhat ho- [13] A. C. Yao, “Protocols for secure computations,” in 23rd annual momorphic encryption scheme for arithmetic operations on large symposium on foundations of computer science (sfcs 1982). IEEE, integers,” in 2012 Global Information Infrastructure and Networking 1982, pp. 160–164. Symposium (GIIS). IEEE, 2012, pp. 1–8. [14] A. C.-C. Yao, “How to generate and exchange secrets,” in 27th [33] Z. Brakerski and V. Vaikuntanathan, “Fully homomorphic encryp- Annual Symposium on Foundations of Computer Science (sfcs 1986). tion from ring-lwe and security for key dependent messages,” in IEEE, 1986, pp. 162–167. Annual cryptology conference. Springer, 2011, pp. 505–524. [15] M. Ben-Or, S. Goldwasser, and A. Wigderson, “Completeness [34] ——, “Efficient fully homomorphic encryption from (standard) theorems for non-cryptographic fault-tolerant distributed compu- lwe,” SIAM Journal on Computing, vol. 43, no. 2, pp. 831–871, 2014. tation,” in Providing Sound Foundations for Cryptography: On the [35] Z. Brakerski, C. Gentry, and V. Vaikuntanathan, “(leveled) fully Work of Shafi Goldwasser and , 2019, pp. 351–371. homomorphic encryption without bootstrapping,” ACM Transac- [16] O. Goldreich, S. Micali, and A. Wigderson, “How to play any tions on Computation Theory (TOCT), vol. 6, no. 3, pp. 1–36, 2014. mental game, or a completeness theorem for protocols with honest [36] D. Beaver, S. Micali, and P. Rogaway, “The round complexity of majority,” in Providing Sound Foundations for Cryptography: On the secure protocols,” in Proceedings of the twenty-second annual ACM Work of Shafi Goldwasser and Silvio Micali, 2019, pp. 307–328. symposium on Theory of computing, 1990, pp. 503–513. [17] A. Shamir, “How to share a secret,” Communications of the ACM, [37] E. M. Songhori, S. U. Hussain, A.-R. Sadeghi, T. Schneider, and vol. 22, no. 11, pp. 612–613, 1979. F. Koushanfar, “Tinygarble: Highly compressed and scalable se- [18] T. Nishide and K. Ohta, “Multiparty computation for interval, quential garbled circuits,” in 2015 IEEE Symposium on Security and equality, and comparison without bit-decomposition protocol,” in Privacy. IEEE, 2015, pp. 411–428. International Workshop on Public Key Cryptography. Springer, 2007, [38] Y. Huang, D. Evans, and J. Katz, “Private set intersection: Are pp. 343–360. garbled circuits better than custom protocols?” in NDSS, 2012. [19] D. Bogdanov, M. Niitsoo, T. Toft, and J. Willemson, “High- [39] M. Naor, B. Pinkas, and R. Sumner, “Privacy preserving auctions performance secure multi-party computation for data mining and mechanism design,” in Proceedings of the 1st ACM conference applications,” International Journal of Information Security, vol. 11, on Electronic commerce, 1999, pp. 129–139. no. 6, pp. 403–418, 2012. [40] V. Kolesnikov and T. Schneider, “Improved garbled circuit: Free [20] K. Huang, X. Liu, S. Fu, D. Guo, and M. Xu, “A lightweight xor gates and applications,” in International Colloquium on Au- privacy-preserving cnn feature extraction framework for mobile tomata, Languages, and Programming. Springer, 2008, pp. 486–498. sensing,” IEEE Transactions on Dependable and Secure Computing, [41] D. Demmler, T. Schneider, and M. Zohner, “Aby-a framework for 2019. efficient mixed-protocol secure two-party computation.” in NDSS, [21] R. L. Rivest, L. Adleman, M. L. Dertouzos et al., “On data banks 2015. and privacy homomorphisms,” Foundations of secure computation, [42] J. Kilian, “Founding crytpography on ,” in Pro- vol. 4, no. 11, pp. 169–180, 1978. ceedings of the twentieth annual ACM symposium on Theory of com- [22] R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining puting, 1988, pp. 20–31. digital signatures and public-key cryptosystems,” Communications [43] D. Beaver, “Efficient multiparty protocols using circuit random- of the ACM, vol. 21, no. 2, pp. 120–126, 1978. ization,” in Annual International Cryptology Conference. Springer, [23] T. ElGamal, “A public key cryptosystem and a signature scheme 1991, pp. 420–432. based on discrete logarithms,” IEEE transactions on information [44] I. Damgard,˚ M. Fitzi, E. Kiltz, J. B. Nielsen, and T. Toft, “Un- theory, vol. 31, no. 4, pp. 469–472, 1985. conditionally secure constant-rounds multi-party computation for [24] S. Goldwasser and S. Micali, “Probabilistic encryption & how equality, comparison, bits and exponentiation,” in Theory of Cryp- to play mental poker keeping secret all partial information,” in tography Conference. Springer, 2006, pp. 285–304. Proceedings of the Fourteenth Annual ACM Symposium on Theory of [45] D. Bogdanov, S. Laur, and J. Willemson, “Sharemind: A framework Computing, 1982, pp. 365–377. for fast privacy-preserving computations,” in European Symposium [25] J. Benaloh, “Dense probabilistic encryption,” in Proceedings of the on Research in Computer Security. Springer, 2008, pp. 192–206. workshop on selected areas of cryptography, 1994, pp. 120–128. [46] D. Malkhi, N. Nisan, B. Pinkas, Y. Sella et al., “Fairplay-secure two- [26] T. Okamoto and S. Uchiyama, “A new public-key cryptosystem party computation system.” in USENIX Security Symposium, vol. 4. as secure as factoring,” in International conference on the theory and San Diego, CA, USA, 2004, p. 9. applications of cryptographic techniques. Springer, 1998, pp. 308–318. [47] W. Henecka, S. K ogl,¨ A.-R. Sadeghi, T. Schneider, and I. Wehren- [27] D. Naccache and J. Stern, “A new public key cryptosystem based berg, “Tasty: tool for automating secure two-party computations,” on higher residues,” in Proceedings of the 5th ACM conference on in Proceedings of the 17th ACM conference on Computer and commu- Computer and communications security, 1998, pp. 59–66. nications security, 2010, pp. 451–462. 11

[48] S. Wagh, D. Gupta, and N. Chandran, “Securenn: Efficient and Jian Weng received the B.S. and M.S. degrees private neural network training.” IACR Cryptol. ePrint Arch., vol. in computer science and engineering from South 2018, p. 442, 2018. China University of Technology, Guangzhou, [49] P. Mohassel and Y. Zhang, “Secureml: A system for scalable China, in 2000 and 2004, respectively, and the privacy-preserving machine learning,” in 2017 IEEE Symposium on Ph.D. degree in computer science and engineer- Security and Privacy (SP). IEEE, 2017, pp. 19–38. ing from Shanghai Jiao Tong University, Shang- [50] S. Goldwasser and S. Micali, “Probabilistic encryption,” Journal of hai, China, in 2008. From 2008 to 2010, he computer and system sciences, vol. 28, no. 2, pp. 270–299, 1984. held a Postdoctoral position with the School of [51] R. Canetti, “Universally composable security: A new paradigm for Information Systems, Singapore Management cryptographic protocols,” in Proceedings 42nd IEEE Symposium on University. He is currently a Professor and the Foundations of Computer Science. IEEE, 2001, pp. 136–145. Dean with the College of Information Science [52] S. Ioffe and C. Szegedy, “Batch normalization: Accelerating deep and Technology, Jinan University, Guangzhou,China. He has authored network training by reducing internal covariate shift,” arXiv or coauthored more than 100 papers in cryptography and security con- preprint arXiv:1502.03167, 2015. ferences and journals, such as CRYPTO, EUROCRYPT, ASIACRYPT, TCC, PKC, TPAMI, TIFS, and TDSC. His research interests include public key cryptography, cloud security, and blockchain. He was the PC Co-Chairs or PC Member for more than 30 international conferences. He also serves as an Associate Editor for the IEEE TRANSACTIONS ON VEHICULART ECHNOLOGY. Lizhi Xiong received Ph.D. degree in Commu- nication and Information System from Wuhan University, China in 2016. From 2014 to 2015, he was a Joint-Ph.D. student with Electrical and Computer Engineering, New Jersey University of Technology, New Jersey, USA. He is currently an Associate Professor with School of Com- puter and Software, Nanjing University of Infor- mation Science and Technology, Nanjing, China. His main research interests include privacy- preserving computation, information hiding, and multimedia security.

Wenhao Zhou is currently pursuing his M.S. degree in the School of Computer and Soft- ware, Nanjing University of Information Sci- ence and Technology, China. His research inter- ests include secure multiparty computation and privacy-preserving computation.

Zhihua Xia received his B.S. degree in Hunan City University, China, in 2006, and the Ph.D. degree in computer science and technology from Hunan University, China, in 2011.He is currently an associate professor with the School of Com- puter and Software, Nanjing University of Infor- mation Science and Technology, China. He was a visiting professor with the Sungkyunkwan Uni- versity, Korea, 2016. His research interests in- clude cloud computing security and digital foren- sic. He is a member of the IEEE.

Qi Gu is currently pursuing his M.S. degree in the School of Computer and Software, Nanjing University of Information Science and Technol- ogy, China. His research interests include func- tional encryption, image retrieval and nearest neighbor search. 12

APPENDIX secure power with secret exponent protocol. The protocol POWERWITH REALOR SECRET EXPONENT requires complexity of 5 rounds and 8l +2 communications. When the exponent is real as well as the base is negative, Theorem 11. Algorithm 12 is correct and UC-secure in Algorithm 8 will produce wrong result, since the identity honest-but-curios model. 3 doesn’t hold under this case. However, we note that the Proof: For correctness, if x is negative, there are identity s1 y1 s2 y2 y s f =f1 + f2 = v1 · v2 = e · (−1) · e · (−1) = (−1) e α α uα = (−1) |u| , (8) =(−1)yety = (−1)yey ln |x| = (−1)y|x|y = xy. where u is a negative number. This provides us with an Otherwise, it is trivial. Since this algorithm consists of only α idea: firstly, compute |[[x]]| as with Algorithm 8, secondly, secure protocols and contains no additional communication, α multiply each share by (−1) if x is negative. We thus security is trivial. constructed secure power with real exponent protocol as described in Algorithm 11, where to simplify the problem, Algorithm 12 Secure Power with Secret Exponent Protocol the case with one multiplier is considered. The protocol is [[f]] ← SecP SE([[x]], [[y]]) with complexity of 4 rounds and 4l + 2 communications. Input: Shared secrets [[x]] and [[y]]. Besides, it should be emphasized that the coefficient Output: Shared secret [[f]] such that f = xy. (−1)α usually not only directs the real field to the complex 1: P1 and P2 collaboratively compute [[t]] ← SecLog([[x]]). field, but also leads to multiple results. Although all proto- 2: P1 and P2 collaboratively compute [[s]] ← cols in this paper also available in the complex field with SecMul([[t]], [[y]]). necessary adjustments, many practical applications do not 3: if SecCom([[x]], [[0]]) == 1 then need to enter the complex field. In this case, it only needs α α 4: P1 and P2 collaboratively compute [[f]] ← to compute |[[x]]| without multiplying (−1) . For example, SecExp([[s]]). batch normalization [52] involving root operation assumes 5: Return [[f]]. that the input is positive. 6: else if SecCom([[x]], [[0]]) == −1 then s1 y1 Theorem 10. Algorithm 11 is correct and UC-secure in 7: P1 computes v1 ← e · (−1) . s2 y2 honest-but-curios model. 8: P2 computes v2 ← e · (−1) . 9: P and P collaboratively compute [[f]] ← Proof: For correctness, if x is negative, there are 1 2 SecMulRes(hvi). α α α α α f = (−1) (f1 + f2) = (−1) (v1v2) = (−1) |u| = x . 10: Return [[f]]. 11: else SecAddRes SecCom If not, it is same as Algorithm 8. Since , , 12: Return [[0]]. SecMulRes are secure and this algorithm contains no addi- 13: end if tional communication, security is trivial.

Algorithm 11 Secure Power with Real Exponent Protocol [[f]] ← SecP RE([[x]], α) Input: Shared secret [[x]] and public real α. Output: Shared secret [[f]] such that f = xα. 1: P1 and P2 collaboratively compute hui ← SecAddRes([[x]]). α 2: P1 computes v1 ← |u1| . α 3: P2 computes v2 ← |u2| . 4: P1 and P2 collaboratively compute [[f]] ← SecMulRes(hvi). 5: if SecCom([[x]], [[0]]) == −1 then α 6: P1 computes f1 ← f1 · (−1) . α 7: P2 computes f2 ← f2 · (−1) . 8: end if 9: Return [[f]].

We now discuss the case that even the exponent is a shared secret. Since share cannot be exponentiated directly, we need to use the identity

α ln u = ln uα, (9) to convert exponentiation into multiplication. In addition, as a shared secret, the exponent is almost impossible to be an integer, thereby we should also classify the positive and negative of the base. Algorithm 12 shows the details of