Secure three-party computational protocols for triangle area

Abstract

In this work, we have put forth two different protocols to address a concrete secure multi-party computational (MPC) problem related to a triangle, of which the coordinates of the three vertices are confidentially kept by the three participants, respectively. The three parties wish to collaboratively compute the area of this triangle while preserving their own coordinate privacy. As one of the merits, our protocols employ weaker assumptions of the existence of pseudorandom generators. In particular, unlike massive secure MPC protocols that rely a lot on oblivious transfer, ours utilize a new computing idea called “pseudorandom-then-rounding” method to avoid this burdensome obstacle. The two protocols are based on different theorems, while they both make use of the same underlying idea. At last, we provide a detailed proof for the first protocol by a series of security reductions of our newly defined games, which seems somewhat stronger than the previous simulation-based proofs and a proof sketch for the second one. Analysis and discussion about the reasons are provided as well to round off our work.

Appendix

1.1 Brief note on the simulation-based proof and the differences from ours

The traditional simulation-based proofs take advantage of a simulator \(\mathcal {S}\) to build a (computational indistinguishable) relationship between the real execution and the emulated execution. We now illustrate the major differences between the simulation-based proof and ours in order to indicate the reason why ours seem stronger. For the sake of simplicity, we just prove in Alice’s stance as before.

To this end, assume that there are two simulators (resp. \(\mathcal {S}_b\) and \(\mathcal {S}_c\)) that execute the protocol with Alice. In simulation-based proof, we should prove that Alice’s real view sequence \(view_{real}\) is computationally indistinguishable from the ideal view sequence \(view_{ideal}\). In the simulation procedures, the adversary is only given the output of the protocol function and access to simulators. For our proof, the most remarkable difference from the simulation-based proof is that we permit the access to the private inputs of others (only in proof, not in protocol). That is why restriction b) in \(\mathbf{Game}_{\mathcal {A},{\varPi }}^{\text {ind-pps}}(n,\kappa )\) is needed. Otherwise, the adversary can win the game by directly comparing the two value

$$\begin{aligned} slope_0=\frac{y_{c,0}-y_{b,0}}{x_{c,0}-x_{b,0}} \quad \text { and }\quad slope_1=\frac{y_{c,1}-y_{b,1}}{x_{c,1}-x_{b,1}} \end{aligned}$$

from the computation of

$$\begin{aligned} slope_i=\frac{\text {Dec}_{SK_a}(\text {CT}_{a\leftarrow b,2})-\text {Dec}_{SK_a}(\text {CT}_{a\leftarrow c,2})}{\text {Dec}_{SK_a}(\text {CT}_{a\leftarrow b,1})-\text {Dec}_{SK_a}(\text {CT}_{a\leftarrow c,1})} \end{aligned}$$

Besides, our proof supports another stronger change that the adversary can choose the protocol’s output, while the simulation-based ones do not have such ability. Moreover, due to the different game design mechanism, we prove security in different manner. For instance, some sequences in our proof are different from that in traditional proof which would result in different proofs. Take the third part \(Com_a\) in \(sequence_{g_3}\) of \(\mathbf{Game}_3\) as an example. In our proof, we replace the pseudorandom strings by random ones. It is on contrary to the simulation-based proof in which they prove indistinguishability without those changes.

1.2 The reason for the assertion that protocol \(\varPi \) is more secure than protocol \(\varPi _2\)

Let us recall the second step of both protocols. In protocol \({\varPi }\), Carol who plays the computing role cannot directly obtain useful information from only one pair of the received ciphers due to the existence of \(r_{c_1}\), while in protocol \({\varPi }_2\), Carol indeed has the ability to obtain some possibly useful information like \(y_a/x_a\) by directly computing

$$\begin{aligned} \text {Dec}_{SK_c}(\text {CT}_{c\leftarrow a,2}) / \text {Dec}_{SK_c}(\text {CT}_{c\leftarrow a,1}) \end{aligned}$$

That is the main reason why we claim that protocol \({\varPi }_2\) is not as secure as protocol \({\varPi }\). We also affirm that this problem can be solved by more advanced techniques like bilinear maps. Below we provide a toy example to mask the ratio of \(y_i/x_i\) via bilinear maps in composite order groups.

Suppose in the first round, Alice and Bob agree on two composite order groups \(\mathbb {G}^{(ab)}\) and \(\mathbb {G}^{(ab)}_{T}\) with order \(N=pqr\) where \(p,\, q\) and \(r\) are enough large primes. In this circumstance, they can use elements in subgroup \(\mathbb {G}_p\) to encode their coordinates and elements in subgroup \(\mathbb {G}_q\) and \(\mathbb {G}_r\) to mask the encoded results. Then, the group elements in subgroup \(\mathbb {G}_q\) and \(\mathbb {G}_r\) can be easily eliminated via the equipped bilinear map \(e\), namely,

$$\begin{aligned} e(g_{p}^{x_a}g_{q}^{r_{x,a}},g_{p})=e(g_p,g_p)^{x_a} \end{aligned}$$

and

$$\begin{aligned} e(g_{p}^{y_a}g_{r}^{r_{y,a}},g_{p})=e(g_p,g_p)^{y_a}. \end{aligned}$$

It is the same for \((x_b,y_b)\).

However, we emphasize that if we employ those high-level cryptographic techniques, it goes against our original intention to avoid high-level techniques (about “high-level techniques,” although we just explicitly mention OT but not bilinear maps, it should be implicitly included due to expensive cost in pairing computation).