Secure Computation Protocol of Text Similarity against Malicious Attacks for Text Classification in Deep-Learning Technology

Abstract

With the development of deep learning, the demand for similarity matching between texts in text classification is becoming increasingly high. How to match texts quickly under the premise of keeping private information secure has become a research hotspot. However, most existing protocols currently have full set limitations, and the applicability of these methods is limited when the data size is large and scattered. Therefore, this paper applies the secure vector calculation method for text similarity matching in the case of data without any complete set constraints, and it designs a secure computation protocol of text similarity (SCTS) based on the semi-honest model. At the same time, elliptic-curve cryptography technology is used to greatly improve the execution efficiency of the protocol. In addition, we also analyzed the possibility of the malicious behavior of participants in the semi-honest-model protocol, and further designed an SCTS protocol suitable for the malicious model using the cut-and-choose and zero-knowledge-proof methods. By proposing a security mechanism, this protocol aims to provide a reliable and secure computing solution that can effectively prevent malicious attacks and interference. Finally, through the analysis of the efficiencies of the existing protocols, the efficiencies of the protocols under the malicious model are further verified, and the practical value for text classification in deep learning is demonstrated.

1. Introduction

In recent years, with the development of Artificial Intelligence, deep learning has become a hot research topic and is widely used in speech recognition [1], automatic driving [2], natural language processing [3], and other fields. In these applications, information retrieval, semantic understanding, and text classification all require the secure computation protocol of text similarity (SCTS). For example, in text classification, the text to be classified can be classified by comparing the similarity between the text to be classified and the text of a known category to determine the category to which it belongs, which is often used in tasks such as sentiment analysis, spam filtering, medical classification, and news classification. When the similarity score between the text to be classified and the text of a known category is above a set threshold, the text to be classified is deemed to belong to that category. To accomplish the text classification task, a selection of commonly used techniques, such as convolutional neural networks, recurrent neural networks, attention mechanisms, and transformer models, can be used. Depending on the specific task and dataset requirements, there is flexibility in choosing the right approach and combining pre-trained models and migration learning to improve the classification performance. In general, deep learning has achieved good results in text-similarity-matching tasks [4,5,6]. Natural language processing is important in deep learning as a vector-based approach to solve the problem of text similarity [7,8,9,10].

However, in the era of big data, text information is highly susceptible to leakage, and the SCTS faces great challenges. The traditional method of calculating text similarity is to calculate the cosine similarity between two text vectors, but it consumes a long processing time and is mostly suitable for short texts, and its information is also easily leaked. This paper breaks the traditional method by increasing the length of the matching string, and there is no full set restriction on the range of the string, which greatly improves its applicability and security. Therefore, the SCTS is a necessary and secure multi-party computation (MPC) technology that can precisely achieve the secure computation of text similarity.

MPC was first introduced by Professor Yao [11], and Goldreich [12] and Cramer et al. [13] further studied MPC algorithms, including secure data mining [14], confidential computing sets and geometric problems [15], and secure vector operations [16]. These studies provide conditions for the development of MPC on the basis of protecting the privacy of their respective information.

SCTS can be abstracted as the secure computation of vectors. For example, the text data are represented as the vectors $x=(x_1,\dots x_n)$, and the user’s text data are represented as the vectors $y=(y_1,\dots ,y_n)$. By setting a threshold ($t$), it is only necessary to judge whether the number of identical components of two vectors reaches the threshold ($t$). If the set threshold ($t$) is reached, then this means that they match; otherwise, they do not match. The user can know the similarity matching degree of two texts by setting the threshold ($t$).

There are few existing SCTS protocols, and the only ones are implemented in a semi-honest model. String matching can be seen as a special case in SCTS. Reference [17] used GM encryption with the aim of computing the similarity of two strings, but the time required to run the algorithm is long and inefficient. Reference [18] designed a string-matching protocol similar to the application scenario of this paper, which implements exact matching and can accurately classify text, but it is less secure and has a full set restriction. Reference [19] converted the string-matching problem into a set membership determination problem, and the string-matching protocol used in the confidential matching process is the BMH algorithm, which can greatly reduce the computational complexity, but it is not secure enough in the execution process, and it is still not able to resist the attacks of malicious adversaries. Reference [20] solved the problem of approximate string matching, and Reference [21] proposed a wildcard-pattern-matching protocol with a query function. However, the number of characters needs to be controlled within a certain range, which has significant limitations and is prone to information leakage. Reference [22] proposed the problem of vector secrecy computation, which can achieve the text similarity computation of two vectors by setting the corresponding thresholds, but the protocol is based on the semi-honest model, which is less efficient and secure.

To address the above issues, this article designs an SCTS protocol for malicious adversaries, which has important guiding significance for further promoting the research and application of the SCTS. The main contributions are as follows:

(1)

The text is converted into a vector by an encoding method, and the number of equal elements in the secure vector computation is compared with the threshold value to judge the similarity of the two texts;

(2)

The SCTS protocol under the semi-honest model is designed using elliptic-curve cryptography without set range limits. Compared with other encryption algorithms, elliptic-curve cryptography has obvious advantages, such as high security, a small key size, fast encryption and decryption, low storage requirements, and high adaptability;

(3)

For the possible malicious behaviors of malicious adversaries in the SCTS semi-honest protocol, based on the cut-and-choose method and zero-knowledge proof, an SCTS protocol under the malicious model is designed. Whether the protocol is secure is verified via the real/ideal-model paradigm, and the efficiency of the protocol is analyzed.

The paper is structured as follows: Section 2 introduces the encoding method and the basic theorem, and then Section 3 describes the solution to the problem and designs the SCTS protocol under the semi-honest model. Section 4 then improves on Section 3 by designing the SCTS protocol under the malicious model using cryptographic tools. Section 5 provides a comparative analysis of the performances of existing protocols. Finally, Section 6 summarizes the work accomplished in this paper and shows future research directions.

2. Related Work

2.1. Elliptic-Curve Cryptography

Elliptic-curve cryptography (ECC) [23] is an asymmetric public-key cryptosystem based on a finite field. Assuming the elliptic curve y² = x³ − x, a straight line passing through point P and Q intersects point R′ on the elliptic curve, and a vertical line passing through point R′ on the X axis intersects point R on the elliptic curve, and then P + Q = R can be obtained. R′ is the additive inverse of R, and R′ and R are symmetric about the X axes. Please refer to Figure 1 for details.

When P = Q, make a straight line through point P to intersect point R′ on the elliptic curve. If P is the tangent point, then there is P + P = R, which is recorded as 2P = R. If there is a P with the same k added, it is recorded as k·P; for example, P + P + P + P = P + 3P = 4P. It is precise because of the discrete logarithm problem on the elliptic curve. When K = k·P, it is easy to obtain K when k and P are known, but it is impossible to obtain k when K and P are known.

The ECC methodology is as follows:

First, select an elliptic curve (E_p(a,b)), select the base point (G) and the private key (k), and then calculate kG = K to obtain the public key (K).

(1)

Encryption: Encode a plaintext (m) to a point (M) on the elliptic curve (E_p(a,b)), select a random positive integer (r), and calculate C₁ = M +rK, C₂ = rG;

(2)

Decryption: Decrypt M through the formula C₁ − kC₂ = M + rK – k(rG) = M. If the plaintext information (m) is obtained, then the point M on the elliptic curve is needed to decode;

(3)

Addition homomorphism: the following properties exist: E(M₁) + E(M₂) = E(M₁ + M₂).

Theorem 1.

Suppose C = E(h) is the ciphertext of 0 or 1 encrypted by the elliptic curve, and −C is its additive inverse. According to the addition homomorphism of ECC, T(C) = E(1) + (−C) = E(1 − h). If C is the ciphertext of 0, then T(C) is the ciphertext of 1, and if C is the ciphertext of 1, then T(C) is the ciphertext of 0; that is, ciphertext T(C) flips the plaintext 1 or 0 corresponding to C; thus, T(C) = E(1) + (−C) is called a flip operation.

Theorem 2.

For any integer (a,b), the following conclusion holds:

(1)

a > b if and only if 2a > 2b +1;

(2)

a ≥ b if and only if 2a + 1 > 2b.

Theorem 3.

In the ECC encryption scheme, it is assumed that a,b take values in the plaintext space Z_N. If C = E(a) + E(−b) = E(a – b mod N) and w = D(C), the following conclusions can be reached:

(1)

w = 0 if and only if a = b;

(2)

If 0 ≤ a,b < N/2, then 0 < w < N/2, if and only if a > b; N/2 < w < N only if a < b.

Note: The specific proof processes of Theorem 1 and Theorem 2 can be referred to in Reference [22].

2.2. Coding Method

In this paper, the ASCL code is used to one-to-one correspond each character with a three-digit decimal system (a specific ASCL table can be queried) and encode text characters into vectors. For example, the text string ‘Love’, according to the ASCL table, corresponds to the characters with three decimal digits. The ASCL code of the character ‘L’ is 076, the ‘o’ is 111, the ‘v’ is 118, and the ‘e’ is 101. Therefore, the number string corresponding to ‘Love’ is 076111118101, and the vector is (076,111,118,101). The number string corresponding to the text string ‘Like’ is 076105107101, which is expressed as the vector (076,105,107,101).

2.3. Cut-and-Choose Method

The cut-and-choose method [24] plays an essential role in resisting the attacks of malicious adversaries. One party sends a large amount of data, and the other party arbitrarily selects a part of the data and requires the other party to verify it. After the verification is passed, the remaining data are selected for calculation. However, after the malicious participant passes the verification in the first step, the other party happens to pick up the wrong data, which are always found in the verification phase; thus, the cut-and-choose method can effectively resist the attack of the malicious opponent.

Input:

(1)

Participant A inputs vector $\overrightarrow{x_i}$ ($i=1,\dots ,\mathcal{l}$); that is, $\overrightarrow{x_i}=<(x_0^{i,1},x_1^{i,1}),(x_0^{i,2},x_1^{i,2}),\dots ,(x_0^{i,s},x_1^{i,s})>$, and there are $l$ vectors in total. $s$ is used as the input to check whether the $X_1,\dots X_s$ value is in $\{0,1{\}}^n$;

(2)

Participant B inputs ${\sigma }_1,\dots {\sigma }_i\in \{0,1\}$ and a set of parameters ($\zeta \in \left[s\right]$).

Output: The receiving party will obtain the following information:

(1)

The receiving party ($R$) receives the $j$-pair in the vector $\overrightarrow{x_i}$, namely, $(x_0^{i,j},x_1^{i,j})$;

(2)

The receiving party ($R$) receives ${\sigma }_i$ (i.e., $<x_{{\sigma }_i}^{i,1},x_{{\sigma }_i}^{i,2},\dots ,x_{{\sigma }_i}^{i,s}>$). Among them, $i=1,\dots ,\mathcal{l}$, $j\in \zeta$, $k\notin \zeta$, and $X_k$ are output by the $R$.

2.4. Security of Malicious Model

The protocol under the malicious model has the highest security. Reference [24] specifically describes the security proofs of protocols under the malicious model.

Ideal protocol: Assume that data $x$ and $y$ are owned by Alice and Bob, respectively. They can compute equation $f(x,y)=\left(f_1\right(x,y),f_2(x,y\left)\right)$ through a trusted third party (TTP) without disclosing their own data. In the end, Alice can only obtain the result $f_1(x,y)$ and Bob can only obtain the result $f_2(x,y)$, as follows:

(1)

Alice and Bob, respectively, send input data $x$ and $y$ to the TTP. If the participants are honest, then they will send authentic data ($x$ or $y$) to the TTP; if the participants are malicious, then the participants might choose to terminate the protocol or input false data ($x^{\prime }$ or $y^{\prime }$);

(2)

The result of the calculation is sent to Alice by the TTP. After the TTP obtains the input pair $(x,y)$, it will independently calculate function $f(x,y)$ and send Alice function $f_1(x,y)$; otherwise, it will send Alice a special symbol ($\perp$);

(3)

The result of the calculation is sent to Bob by the TTP. If Alice is a malicious participant, then she obtains the message from the other side: The first response is to choose to disregard the TTP, at which point the TTP sends $\perp$ to Bob. The second response is to send $f_2(x,y)$ to Bob from the TTP.

When implementing the ideal protocol, the TTP and participants will not disclose any information except their own output information; thus, the protocol with the highest security is the one under the ideal model.

Under the ideal model, the process for the participants to jointly calculate $F(x,y)$ through auxiliary input information $z$ and strategy $\overline{B}$ is $IDEA{L}_{F,\overline{B}\left(z\right)}(x,y)$, which is defined as a random number ($r$) evenly selected by the adversary, making $IDEA{L}_{F,\overline{B}\left(z\right)}(x,y)=\gamma (x,y,z,r)$. The details are as follows:

(1)

When Alice is honest, there are $\gamma (x,y,z,r)=\left(f_1\right(x,y^{\prime }),B_2(y,z,r,f_2(x,y^{\prime })\left)\right)$ and $y^{\prime }=B_2(y,z,r)$;

(2)

When Bob is honest, there is the following:

$$\gamma (x,y,z,r)=\left\{\begin{array}{cc}\left(B_1\right(x,z,r,f_1(x^{\prime },y),\perp ),\perp ),& B_1(x,z,r,f_1(x^{\prime },y\left)\right)=\perp \\ \left(B_1\right(x,z,r,f_1(x^{\prime },y)),f_2(x^{\prime },y\left)\right),& others\end{array}\right.$$

(1)

Both of these cases have $x^{\prime }=B_1(x,z,r)$.

Definition 1.

Security of the protocol under the malicious model.

The actual protocol has policy pair $\overline{A}=(A_1,A_2)$, and the ideal model has policy pair $\overline{B}=(B_1,B_2)$, making $\left\{IDEA{L}_{F,\overline{B}\left(z\right)}\right(x,y\left){\}}_{x,y,z}\stackrel{c}{\equiv }\right\{REA{L}_{\Pi ,\overline{A}\left(z\right)}(x,y){\}}_{x,y,z}$, and then $\Pi$ is secure in computing the function ($F$) (there exists $x,y,z\in \{0,1{\}}^{*}$ such that $\left|x\right|=\left|y\right|$ and $\left|z\right|=poly\left(\left|x\right|\right)$).

Note 1: To design an MPC protocol under the malicious model, it must be ensured that at least one of the participants is honest; otherwise, the MPC protocol will not be implemented (which cannot be avoided under the ideal model).

3. Secure Computation Protocol of Text Similarity under the Semi-Honest Model

3.1. Problem Description

Alice encodes the private text as the vector $x=(x_1,\dots ,x_n)$. Bob encodes the private text as $y=(y_1,\dots ,y_n)$ with an agreed threshold ($t$) (see Section 2.2). Both parties can securely output $L_t(x,y)$ without disclosing any information. If $L_t(x,y)=1$, then it means that the number of equal elements of $x_i=y_i(1\le i\le n)$ in vector $x$ and vector $y$ is $l\ge t$, indicating that the similarity between the two texts is at least $t/n$. Otherwise, it outputs $L_t(x,y)=0$ (where the number of equal elements is recorded as $l=L(x,y)$).

3.2. Solutions

(1)

Alice calculates the vectors $u_i=2x_i$ and $u_i^{\prime }=2x_i+1$. Bob calculates the vectors $v_i=2y_i+1$ and $v_i^{\prime }=2y_i$. Both parties jointly calculate the dominance degree ($h$) of $u=(u_1,\dots ,u_n)$ with respect to $v=(v_1,\dots ,v_n)$ and the dominance degree ($h^{\prime }$) of $v^{\prime }=(v_1^{\prime },\dots ,v_n^{\prime })$ with respect to $u^{\prime }=(u_1^{\prime },\dots ,u_n^{\prime })$ (see Note 2 below for the definition of the dominance degree). According to Theorem 2, the number of elements of $x_i=y_i(1\le i\le n)$ in vector $x$ and $y$ is recorded as $l=L(x,y)=n-h-h^{\prime }$;

(2)

The random vectors $r=(r_1,\dots ,r_n)$ and $r^{\prime }=(r_1^{\prime },\dots ,r_n^{\prime })$ are selected, and the symbols of $t_i=r_i(u_i-v_i)$ and $t_i^{\prime }=r_i^{\prime }(v_i^{\prime }-u_i^{\prime })$ are determined for each $i\in [1,n]$;

(3)

The dominance ($h$) of $u$ with respect to $v$ is determined by the number of the same symbols of $t_i$ and $r_i$. The dominance ($h^{\prime }$) of $v^{\prime }$ with respect to $u^{\prime }$ is calculated via the number of the same symbols of $t_i^{\prime }$ and $r_i^{\prime }$ (the ciphertexts of $h$ and $h^{\prime }$ are obtained). Finally, the sizes of $l$ and $t$ are compared through the ciphertext of $l=n-h-h^{\prime }$.

Note 2: If two n-dimensional vectors ($u=(u_1,\dots ,u_n)$ and $v=(v_1,\dots ,v_n)$) are given, then the number of $u_i>v_i(1\le i\le n)$ in the vector is called the vector dominance of $u$ with respect to $v$.

The specific Algorithm 1 is as follows:

Algorithm 1: Computing the text similarity under the semi-honest model.

Input:$x=(x_1,\dots ,x_n)$: Alice’s input; $y=(y_1,\dots ,y_n)$: Bob’s input; t: agreed threshold between both parties; G: the base point of the elliptic curve (Ep); pk = K: the public key; sk = k: Alice’s private key; E: encrypt; D: decrypt; Encode: encode points onto elliptic curves (Ep); $u_i=2x_i, -u_i^{\prime }=-(2x_i+1)$: Alice’s calculation; $-v_i=-(2y_i+1), v_i^{\prime }=2y_i$: Bob’s calculation; 1 $Encode(u_1,\dots ,u_n)=(M_1,\dots ,M_n)$, $Encode(-u_1^{\prime },\dots ,-u_n^{\prime })=(M_1^{\prime },\dots ,M_n^{\prime })$; 2 $Encode(-v_1,\dots ,-v_n)=(P_1,\dots ,P_n)$, $Encode(v_1^{\prime },\dots ,v_n^{\prime })=(P_1^{\prime },\dots ,P_n^{\prime })$; 3 Select ai, $a_i^{\prime }$, bi, $b_i^{\prime }$; 4 $E_{pk}\left(u_i\right)=(M_i+a_{i}K,a_{i}G), E_{pk}(-u_i^{\prime })=(M_i^{\prime }+a_i^{\prime }K,a_i^{\prime }G)$; 5 $E_{pk}(-v_i)=(P_i+b_{i}K,b_{i}G), E_{pk}\left(v_i^{\prime }\right)=(P_i^{\prime }+b_i^{\prime }K,b_i^{\prime }G)$; 6 Select random vectors $r=(r_1,\dots ,r_n), r^{\prime }=(r_1^{\prime },\dots ,r_n^{\prime })$; 7 Compute $w_i=E_{pk}\left[r_i\right(u_i-v_i\left)\right]=E_{pk}\left(r_i{u}_i\right)+E_{pk}(-r_i{v}_i)$ $\mathrm{and} w_i^{\prime }=E\left[r_i^{\prime }\right(v_i^{\prime }-u_i^{\prime }\left)\right]=E\left(r_i^{\prime }{v}_i^{\prime }\right)+E(-r_i^{\prime }{u}_i^{\prime })$; 8 $D_{sk}\left(w_i\right)=r_i(u_i-v_i)=d_i, D_{sk}\left(w_i^{\prime }\right)=r_i^{\prime }(v_i^{\prime }-u_i^{\prime })=d_i^{\prime }$; 9 $\mathrm{If} d_i<N/2, \mathrm{then} \mathrm{set} h_i=1; \mathrm{otherwise} h_i=0; \mathrm{if} d_i^{\prime }<N/2, \mathrm{then} \mathrm{set} h_i^{\prime }=1; \mathrm{otherwise}, h_i^{\prime }=0$; 10 $Encode(h_1,\dots ,h_n)=(N_1,\dots ,N_n), Encode(h_1^{\prime },\dots ,h_n^{\prime })=(N_1^{\prime },\dots ,N_n^{\prime })$; 11 $\mathrm{Select} b_{1i}, b_{1i}^{\prime }$; 12 $E_{pk}\left(h_i\right)=(N_i+b_{1i}K,b_{1i}G), E_{pk}\left(h_i^{\prime }\right)=(N_i^{\prime }+b_{1i}^{\prime }K,b_{1i}^{\prime }G)$; 13 $\mathrm{For} \mathrm{each} i\in [1,n], \mathrm{when} r_i>0, \mathrm{let} H_i=E\left(h_i\right); \mathrm{when} r_i<0, \mathrm{calculate} H_i=T\left[E\right(h_i\left)\right]$; 14 $\mathrm{When} r_i^{\prime }>0, \mathrm{let} H_i^{\prime }=E\left(h_i^{\prime }\right); \mathrm{when} r_i^{\prime }<0, \mathrm{calculate} H_i^{\prime }=T\left[E\right(h_i^{\prime }\left)\right]$; 15 $\mathrm{Compute} \stackrel{\wedge }{H}={\sum }_{i\in [1,n]}{H}_i+H_i^{\prime }=E\left(e\right)=E(n-l)$; 16 $\mathrm{Select} r^{*}$; 17 $\mathrm{Compute} Z=E_{pk}\left(r^{*}1\right)+E_{pk}\left(r^{*}2n\right)-E_{pk}\left(r^{*}2e\right)+E_{pk}(-2t{r}^{*})=E\left[r^{*}\right(2l+1-2t\left)\right]$; 18 $D_{sk}\left(Z\right)=z^{*}$; 19 $\mathrm{If} z^{*}<N/2, \mathrm{then} L_t(x,y)=1; \mathrm{otherwise}, L_t(x,y)=0$. Output: $L_t(x,y)$.

The specific Protocol 1 is as follows:

Protocol 1: The SCTS protocol under the semi-honest model.

Input: Alice’s text vector ($x=(x_1,\dots ,x_n)$ ), Bob’s text vector ($y=(y_1,\dots ,y_n)$ ), and threshold (t). Output: The size relationship ( $L_t(x,y)$ ) between the number of equal elements (l and t) of two vectors (x and y).

Preparation: For each $i\in [1,n]$, Alice calculates $u_i=2x_i, -u_i^{\prime }=-(2x_i+1)$, and Bob calculates $-v_i=-(2y_i+1), v_i^{\prime }=2y_i (u_i,v_i<N/2$). Alice selects an elliptic curve ($E_p(a,b)$), selects the base point (G) and the private key (k), and then calculates kG = K to obtain the public key (K). Alice sends $E_p(a,b)$, the public key (K), and G to Bob. Protocol Start: (1) Alice encodes the plaintext sets $u=(u_1,\dots ,u_n)$ and $-u^{\prime }=(-u_1^{\prime },\dots ,-u_n^{\prime })$ to points Mi and $M_i^{\prime }(1\le i\le n)$ on the elliptic curve (Ep) one by one, selects n random numbers (ai and $a_i^{\prime }$), and encrypts each element (Mi and $M_i^{\prime }(1\le i\le n)$) with the public key (K). That is, the ciphertexts $E\left(M_i\right)=(C_{1i},C_{2i})\mathrm{and} E\left(M_i^{\prime }\right)=(C_{1i}^{\prime },C_{2i}^{\prime })$ are calculated, where $C_{1i}=M_i+a_{i}K,C_{2i}=a_{i}G \mathrm{and} C_{1i}^{\prime }=M_i^{\prime }+a_i^{\prime }K,C_{2i}^{\prime }=a_i^{\prime }G$. Then, Alice obtains the sets $E\left(u\right)=\left(E\right(M_1),E(M_2),\dots ,E(M_n\left)\right) \mathrm{and} E(-u^{\prime })=\left(E\right(M_1^{\prime }),E(M_2^{\prime }),\dots ,E(M_n^{\prime }\left)\right)$ and sends $E\left(u\right) \mathrm{and} E(-u^{\prime })$ to Bob; (2) After Bob receives $E\left(u\right) \mathrm{and} E(-u^{\prime })$: (a) Bob encodes the plaintext sets $-v=(-v_1,\dots ,-v_n) \mathrm{and} v^{\prime }=(v_1^{\prime },\dots ,v_n^{\prime })$ to points Pi and $P_i^{\prime }(1\le i\le n)$ on the elliptic curve (Ep) one by one, selects n random numbers (bi and $b_i^{\prime }(1\le i\le n)$), and encrypts each element (Pi and $P_i^{\prime }(1\le i\le n)$) with the public key (K). That is, the ciphertexts $E\left(P_i\right)=(I_{1i},I_{2i}) \mathrm{and} E\left(P_i^{\prime }\right)=(I_{1i}^{\prime },I_{2i}^{\prime })$ are calculated, where $I_{1i}=P_i+b_{i}K,I_{2i}=b_{i}G \mathrm{and} I_{1i}^{\prime }=P_i^{\prime }+b_i^{\prime }K,I_{2i}^{\prime }=b_i^{\prime }G$. Then, Bob obtains the sets $E(-v)=\left(E\right(P_1),E(P_2),\dots ,E(P_n\left)\right) \mathrm{and} E\left(v^{\prime }\right)=\left(E\right(P_1^{\prime }),E(P_2^{\prime }),\dots ,E(P_n^{\prime }\left)\right)$. At the same time, Bob selects the random vectors $r=(r_1,\dots ,r_n), r^{\prime }=(r_1^{\prime },\dots ,r_n^{\prime })$, where $0<\left|r_i\right|,\left|r_i^{\prime }\right|<\sqrt{N/2} \mathrm{and} i\in [1,n]$; (b) For each $i\in [1,n]$, Bob calculates wi and $w_i^{\prime }$, including the following: $w_{i1}=E\left(u_i\right),w_{i2}=E(-v_i),w_i=E\left[r_i\right(u_i-v_i\left)\right]=E\left(r_i{u}_i\right)+E(-r_i{v}_i)$, and that is $w_i=\underset{r_i}{\underbrace{(w_{i1}+\dots +w_{i1})}}+\underset{r_i}{\underbrace{(w_{i2}+\dots +{w_i}_2)}}$. At the same time, Bob calculates $w_{i1}^{\prime }=E(-u_i^{\prime }), w_{i2}^{\prime }=E\left(v_i^{\prime }\right),w_i^{\prime }=E\left[r_i^{\prime }\right(v_i^{\prime }-u_i^{\prime }\left)\right]=E\left(r_i^{\prime }{v}_i^{\prime }\right)+E(-r_i^{\prime }{u}_i^{\prime })$, and that is $w_i^{\prime }=\underset{r_i^{\prime }}{\underbrace{(w_{i1}^{\prime }+\dots +w_{i1}^{\prime })}}+\underset{r_i^{\prime }}{\underbrace{(w_{i2}^{\prime }+\dots +w_{i2}^{\prime })}}$. Then, Bob sends the ciphertexts $w_i \mathrm{and} w_i^{\prime }$ to Alice; (3) For each $i\in [1,n]$: (a) $\mathrm{Alice} \mathrm{decrypts} w_i \mathrm{and} w_i^{\prime } \mathrm{and} \mathrm{decodes} \mathrm{the} \mathrm{x}-\mathrm{coordinates} \mathrm{of} \mathrm{points} w_i \mathrm{and} w_i^{\prime } \mathrm{to} \mathrm{obtain} d_i \mathrm{and} d_i^{\prime }. \mathrm{If} d_i<N/2, h_i=1\mathrm{is} \mathrm{set}; \mathrm{otherwise}, h_i=0. \mathrm{Similarly}, \mathrm{if} d_i^{\prime }<N/2, \mathrm{then} h_i^{\prime }=1 \mathrm{is} \mathrm{set}; \mathrm{otherwise}, h_i^{\prime }=0$; (b) $\mathrm{Alice} \mathrm{encodes} h_i \mathrm{and} h_i^{\prime } \mathrm{to} \mathrm{points} N_i \mathrm{and} N_i^{\prime }(1\le i\le n) \mathrm{on} \mathrm{the} \mathrm{elliptic} \mathrm{curve} \left(E_p\right(a,b)) \mathrm{one} \mathrm{by} \mathrm{one}, \mathrm{selects} n \mathrm{random} \mathrm{numbers} (b_{1i} \mathrm{and} b_{1i}^{\prime }), \mathrm{adopts} \mathrm{the} \mathrm{encryption} \mathrm{method} \mathrm{in} \mathrm{step} 1, \mathrm{uses} \mathrm{the} \mathrm{public} \mathrm{key} (K) \mathrm{to} \mathrm{encrypt} \mathrm{each} \mathrm{element} (N_i \mathrm{and} N_i^{\prime }(1\le i\le n)) \mathrm{one} \mathrm{by} \mathrm{one}, \mathrm{obtains} E(h)=(E\left(h_1\right),\dots ,E\left(h_n\right)) \mathrm{and} E\left(h^{\prime }\right)=\left(E\right(h_1^{\prime }),\dots ,E(h_n^{\prime }\left)\right)$, and sends them to Bob; (4) Bob makes the following calculation: (a) $\mathrm{For} \mathrm{each} i\in [1,n], \mathrm{when} r_i>0, \mathrm{let} H_i=E\left(h_i\right); \mathrm{when} r_i<0, \mathrm{calculate} H_i=T\left[E\right(h_i\left)\right]. \mathrm{Similarly}, \mathrm{when} r_i^{\prime }>0, \mathrm{let} H_i^{\prime }=E\left(h_i^{\prime }\right); \mathrm{when} r_i^{\prime }<0, \mathrm{calculate} H_i^{\prime }=T\left[E\right(h_i^{\prime }\left)\right]$; (b) $\mathrm{Compute} \stackrel{\wedge }{H}={\sum }_{i\in [1,n]}{H}_i+H_i^{\prime }=E\left(e\right)$; (c) $$\begin{gathered} \mathrm{Select} \mathrm{the} \mathrm{random} \mathrm{number} r^{*}<\frac{N}{4\left(n+1\right)}, \mathrm{then} \mathrm{select} \mathrm{the} \mathrm{random} \mathrm{numbers} a_{1i},a_{1i}^{\prime },a_{2i},a_{2i}^{\prime }, \mathrm{use} \mathrm{the} \mathrm{encryption} \mathrm{method} \mathrm{in} \mathrm{step} 1 \mathrm{to} \mathrm{encrypt} \mathrm{with} \mathrm{the} \mathrm{public} \mathrm{key} \left(K\right): \\ {Z}_1=E\left(1\right), Z_2=E\left(2n\right), Z_3=E\left(2e\right), Z_4=E(-2t), \\ Z=\underset{r^{*}}{\underbrace{(Z_1+\dots Z_1)}}+\underset{r^{*}}{\underbrace{(Z_2+\dots Z_2)}}-\underset{r^{*}}{\underbrace{(Z_3+\dots Z_3)}}+\underset{r^{*}}{\underbrace{(Z_4+\dots Z_4)}}, \mathrm{and} \mathrm{send} Z \mathrm{to} \mathrm{Alice}; \end{gathered}$$ (5) $\mathrm{Alice} \mathrm{decrypts} \mathrm{to} \mathrm{obtain} z=D\left(Z\right), \mathrm{and} \mathrm{decodes} \mathrm{the} \mathrm{x}-\mathrm{coordinate} \mathrm{of} \mathrm{point} z \mathrm{to} \mathrm{obtain} z^{*}. \mathrm{If} z^{*}<N/2, \mathrm{then} L_t(x,y)=1; \mathrm{otherwise}, L_t(x,y)=0. \mathrm{Bob} \mathrm{will} \mathrm{be} \mathrm{informed} \mathrm{by} \mathrm{outputting} L_t(x,y)$. The protocol ends.

3.3. Correctness Analysis

(1)

Steps (1)–(4) of the protocol, executed in parallel by Alice and Bob with $u$ and $v$ and $u^{\prime }$ and $v^{\prime }$, respectively, reduce its communication complexity;

(2)

In step (2b) of the protocol, for each $0\le u_i,v_i\le \sqrt{N/2}$, $0<\left|r_i\right|<\sqrt{N/2}$, and because $u_i\ne v_i$, the range of the value of $r_i(u_i-v_i)$ is $-N/2<r_i(u_i-v_i)<0$ or $0<r_i(u_i-v_i)<N/2$. According to Theorem 3, if $0<d_i<N/2$, $0<r_i(u_i-v_i)<N/2$, then $r_i$ and $u_i-v_i$ are the same number, and $h_i=1$; if $d_i>N/2$, then $-N/2<r_i(u_i-v_i)<0$, and then $r_i$ and $u_i-v_i$ are different numbers, and $h_i=0$;

(3)

For the input $u$ and $v$, it is known that $u_i>v_i$ when and only when $H_i=E\left(1\right)$; $u_i<v_i$ when and only when $H_i=E\left(0\right)$. It is further known from Theorem 3 that $x_i>y_i$ when and only when $H_i=E\left(1\right)$; $x_i\le y_i$ when and only when $H_i=E\left(0\right)$;

(4)

For the input $u^{\prime }$ and $v^{\prime }$, it is known that $u_i^{\prime }>v_i^{\prime }$ when and only when $H_i^{\prime }=E\left(0\right)$; $u_i^{\prime }<v_i^{\prime }$ when and only when $H_i^{\prime }=E\left(1\right)$. It is further known from Theorem 3 that $x_i<y_i$ when and only when $H_i^{\prime }=E\left(1\right)$; $x_i\ge y_i$ when and only when $H_i^{\prime }=E\left(0\right)$;

(5)

Clearly, the $i$-th component of vectors $x$ and $y$ is equal when $H_i$, $H_i^{\prime }$ are simultaneously 0. By the ECC additive homomorphism, it follows that $\stackrel{\wedge }{H}\left(e\right)={\sum }_{i\in [1,n]}{H}_i+H_i^{\prime }=E(n-l)$;

(6)

Steps (4c) and (5) of the protocol are for $l=L(x,y)$ and $t$ size comparisons, and by the ECC property:

$$Z=\underset{r^{*}}{\underbrace{(Z_1+\dots Z_1)}}+\underset{r^{*}}{\underbrace{(Z_2+\dots Z_2)}}-\underset{r^{*}}{\underbrace{(Z_3+\dots Z_3)}}+\underset{r^{*}}{\underbrace{(Z_4+\dots Z_4)}}=E\left[r^{*}\right(2l+1-2t\left)\mathrm{mod}N\right]$$

(2)

According to Theorem 2, the following is known:

$$0<z^{*}<N/2, \mathrm{then} 2l+1>2t\iff l\ge t\iff L_t(x,y)=1$$

(3)

$$N/2<z^{*}<N, \mathrm{then} L_t(x,y)=0.$$

(4)

For example: Alice’s input vector: $x=(\mathrm{2,6},\mathrm{8,9})$; Bob’s input vector: $y=(\mathrm{2,6},\mathrm{7,8})$; threshold: $t=2$.

Preparation procedure: Alice calculates $u=2x_i=\left(\mathrm{4,12,16,18}\right)$, $-u_{}^{\prime }=-(2x_i+1)=(-5,-13,-17,-19)$. Bob calculates $-v=-(2y_i+1)=(-5,-13,-15,-17)$, $v_{}^{\prime }=2y_i=\left(\mathrm{4,12,14,16}\right)$.

Calculation procedure:

(1)

Alice encrypts $E\left(u\right)=\left(E\right(4),E(12),E(16),E(18\left)\right)$ and $E(-u_{}^{\prime })=\left(E\right(-5),E(-13),E(-17),E(-19\left)\right)$ and sends them to Bob;

(2)

Bob encrypts $E(-v)=\left(E\right(-5),E(-13),E(-15),E(-17\left)\right)$, $E\left(v_{}^{\prime }\right)=\left(E\right(4),E(12),E(14),E(16\left)\right)$ and picks the random vectors $r=(\mathrm{1,2},-3,-1)$ and $r^{\prime }=(\mathrm{1,3},2,-1)$. Then, Bob computes $w_i=E\left[r_i\right(u_i-v_i\left)\right]=\left[E\right(1\times (-1)),E(2\times (-1)),E((-3)\times 1),E((-1)\times 1\left)\right]$ and $w_i^{\prime }=E\left[r_i^{\prime }\right(v_i^{\prime }-u_i^{\prime }\left)\right]=\left[E\right(1\times (-1)),E(3\times (-1)),E(2\times (-3)),E((-1)\times (-3)\left)\right]$, sending them to Alice;

(3)

Alice decrypts to obtain $h_i$ and $h_i^{\prime }$ (i.e., $h=(\mathrm{0,0},\mathrm{0,0})$ and $h^{\prime }=(\mathrm{0,0},0,1)$). Alice encrypts to obtain $E\left(h\right)=\left(E\right(0),E(0),E(0),E(0\left)\right)$ and $E\left(h^{\prime }\right)=\left(E\right(0),E(0),E(0),E(1\left)\right)$ and sends them to Bob;

(4)

For each $i\in [1,n]$, when $r_i>0$, let $H_i=E\left(h_i\right)$; when $r_i<0$, calculate $H_i=T\left[E\right(h_i\left)\right]$. Similarly, when $r_i^{\prime }>0$, let $H_i^{\prime }=E\left(h_i^{\prime }\right)$; when $r_i^{\prime }<0$, calculate $H_i^{\prime }=T\left[E\right(h_i^{\prime }\left)\right]$. Bob obtains the vectors $H_i=\left(E\right(0),E(0),E(1),E(1\left)\right)$ and $H^{\prime }=\left(E\right(0),E(0),E(0),E(0\left)\right)$. $\stackrel{\wedge }{H}=E(0+0)+E(0+0)+E(1+0)+E(1+0))=E(2)$ is computed;

(5)

Bob selects $r^{*}=1$ and brings it into the calculation to obtain $Z=E(1+2n-2e-2t)=E\left(1\right)$, and send $Z$ to Alice. Alice decypts and outputs $L_t(x,y)=1$, which shows that the number of equal elements in $x$, $y$ is greater than or equal to the set threshold (i.e., $l\ge t$), and the similarity of the two vectors is at least $\frac{2}{4}=50\%$.

To sum up, Protocol 1 is secure because the participants are honest under the semi-honest model. However, malicious adversaries can exist in real situations, and so the design of a secure MPC protocol is required under the malicious model.

4. Secure Computation Protocol of Text Similarity under the Malicious Model

4.1. Solutions

By analyzing the possible attack behaviors of malicious participants in Protocol 1, the aim is to detect the attack in time, or the participants will be discovered once the attack is implemented. The following is an analysis of possible malicious actions in Protocol 1:

(1)

In Protocol 1, both Alice and Bob can encrypt plaintexts, but only Alice can decrypt the ciphertext. Once Alice informs Bob of an incorrect result, Bob can only accept the result and is reactive. Compared with Alice, Bob is extremely inequitable. Therefore, two factors should be considered (i.e., both Alice and Bob can perform fairly and obtain the correct result);

(2)

In Protocol 1, Alice and Bob need to inform each other of the encryption results when they execute the protocol. If one party intentionally informs the wrong ciphertext, this is an input error, which cannot be prevented in the ideal protocol, and so it will not be considered;

(3)

In Step 5, Alice may not output the correct results after decryption, but Alice already knows the correct results at this time, and there is some malicious behavior in this step.

Aiming at the above malicious behaviors, this paper designs an SCTS protocol under the malicious model. The design idea is that Alice and Bob have the same status, and each has a public key and a private key and use the zero-knowledge-proof and cut-and-choose methods to verify whether the calculation results are consistent. Please refer to Figure 2 for details.

The specific Algorithm 2 is as follows:

Algorithm 2: Computing the text similarity under the malicious model.

$\mathbf{Input}: x=(x_1,\dots ,x_n): \mathrm{Alice}’\mathrm{s} \mathrm{input}; y=(y_1,\dots ,y_n): \mathrm{Bob}’\mathrm{s} \mathrm{input}; t: \mathrm{agreed} \mathrm{threshold} \mathrm{between} \mathrm{both} \mathrm{parties}; G: \mathrm{the} \mathrm{base} \mathrm{point} \mathrm{of} \mathrm{the} \mathrm{elliptic} \mathrm{curve} (E_p); a: \mathrm{Alice}’\mathrm{s} \mathrm{choice}; b: \mathrm{Bob}’\mathrm{s} \mathrm{choice}; p{k}_1=K_1: \mathrm{Alice}’\mathrm{s} \mathrm{public} \mathrm{key}; p{k}_2=K_2: \mathrm{Bob}’\mathrm{s} \mathrm{public} \mathrm{key}; s{k}_1=k_1: \mathrm{Alice}’\mathrm{s} \mathrm{private} \mathrm{key}; s{k}_2=k_2: \mathrm{Bob}’\mathrm{s} \mathrm{private} \mathrm{key}; E: \mathrm{encrypt}; D: \mathrm{decrypt}; \mathrm{Encode}: \mathrm{encode} \mathrm{points} \mathrm{onto} E_p; u_i=2x_i,-u_i^{\prime }=-(2x_i+1): \mathrm{Alice}’\mathrm{s} \mathrm{calculation};-v_i=-(2y_i+1), v_i^{\prime }=2y_i$: Bob’s calculation; 1 $\mathrm{Compute} q_1=a{K}_1$; 2 $\mathrm{Compute} q_2=b{K}_2$; 3 $\mathrm{Exchange} (K_1,q_1)\mathrm{and} (K_2,q_2)$; 4 $Encode(u_1,\dots ,u_n)=(M_1,\dots ,M_n), Encode(-u_1^{\prime },\dots ,-u_n^{\prime })=(M_1^{\prime },\dots ,M_n^{\prime })$; 5 $Encode(-v_1,\dots ,-v_n)=(P_1,\dots ,P_n), Encode(v_1^{\prime },\dots ,v_n^{\prime })=(P_1^{\prime },\dots ,P_n^{\prime })$; 6 $\mathrm{Select} a_i, a_i^{\prime }, b_i, b_i^{\prime }$; 7 ${E_{pk}}_1\left(u_i\right)=(M_i+a_i{K}_1,a_{i}G), {E_{pk}}_1(-u_i^{\prime })=(M_i^{\prime }+a_i^{\prime }{K}_1,a_i^{\prime }G)$; 8 ${E_{pk}}_2(-v_i)=(P_i+b_i{K}_2,b_{i}G), E_{pk}\left(v_i^{\prime }\right)=(P_i^{\prime }+b_i^{\prime }{K}_2,b_i^{\prime }G)$; 9 $\mathrm{Select} \mathrm{random} \mathrm{vectors} r_a=(r_{a1},\dots ,r_{an}), r_a^{\prime }=(r_{a1}^{\prime },\dots ,r_{an}^{\prime })$; 10 $\mathrm{Select} \mathrm{random} \mathrm{vectors} r_b=(r_{b1},\dots ,r_{bn}), r_b^{\prime }=(r_{b1}^{\prime },\dots ,r_{bn}^{\prime })$; 11 $$\begin{gathered} \mathrm{Compute} w_i=E\left[r_{ai}\right(u_i-v_i\left)\right]=E\left(r_{ai}{u}_i\right)+E(-r_{ai}{v}_i) \\ \mathrm{and} w_i^{\prime }=E\left[r_i^{\prime }\right(v_i^{\prime }-u_i^{\prime }\left)\right]=E\left(r_i^{\prime }{v}_i^{\prime }\right)+E(-r_i^{\prime }{u}_i^{\prime }) \end{gathered}$$; 12 $\mathrm{Compute} g_i=E\left[r_{bi}\right(u_i-v_i\left)\right]=E\left(r_{bi}{u}_i\right)+E(-r_{bi}{v}_i) \mathrm{and} g_i^{\prime }=E\left[r_{bi}^{\prime }\right(v_i^{\prime }-u_i^{\prime }\left)\right]=E\left(r_{bi}^{\prime }{v}_i^{\prime }\right)+E(-r_{bi}^{\prime }{u}_i^{\prime })$; 13 $\mathrm{Exchange} w_i,w_i^{\prime } \mathrm{and} g_i,g_i^{\prime }$; 14 $D_{s{k}_1}\left(w_i\right)=r_{ai}(u_i-v_i)={W_1}_i, D_{s{k}_1}\left(w_i^{\prime }\right)=r_{ai}^{\prime }(v_i^{\prime }-u_i^{\prime })=W_{2i}$; 15 $D_{s{k}_2}\left(g_i\right)=r_{bi}(u_i-v_i)={Q_1}_i, D_{s{k}_2}\left(g_i^{\prime }\right)=r_{bi}^{\prime }(v_i^{\prime }-u_i^{\prime })=Q_{2i}$; 16 $\mathrm{Select} p_{1s}, p_{2s}, f_{1s}, f_{2s}, 0\le s\le m$; 17 $(c_{1a}^s,c_{2a}^s)=(p_{1s}{W}_{1i}+K_1,W_{1i}+p_{1s}{W}_{1i}+aG) \mathrm{and} (o_{1a}^s,o_{2a}^s)=(p_{2s}{W}_{2i}+K_1,W_{2i}+p_{2s}{W}_{2i}+aG)$; 18 $(c_{1b}^s,c_{2b}^s)=(f_{1s}{Q}_{1i}+K_2,Q_{1i}+f_{1s}{Q}_{1i}+bG) \mathrm{and} (o_{1b}^s,o_{2b}^s)=(f_{2s}{Q}_{2i}+K_2,Q_{2i}+f_{2s}{Q}_{2i}+bG)$; 19 $\mathrm{Exchange} (c_{1a}^s,c_{2a}^s),(o_{1a}^s,o_{2a}^s) \mathrm{and} (c_{1b}^s,c_{2b}^s),(o_{1b}^s,o_{2b}^s)$; 20 $\mathrm{Choose} m/2 \mathrm{groups} (c_{1b}^s,c_{2b}^s) \mathrm{and} (o_{1b}^s,o_{2b}^s)$ 21 $\mathrm{If} (f_{1s}{Q}_{1i}+K_2=c_{1b}^s, f_{2s}{Q}_{2i}+K_2=o_{1b}^s)$, then continue; otherwise, terminate; 22 $\mathrm{Choose} m/2 \mathrm{groups} (c_{1a}^s,c_{2a}^s) \mathrm{and} (o_{1a}^s,o_{2a}^s)$; 23 $\mathrm{If} (p_{1s}{W}_{1i}+K_1=c_{1a}^s, p_{2s}{W}_{2i}+K_1=o_{1a}^s)$, then continue; otherwise, terminate; 24 $\mathrm{Choose} \mathrm{one} (c_{1b}^j,c_{2b}^j) \mathrm{and} (o_{1b}^j,o_{2b}^j)$ from remaining groups; 25 $c_b=a(c_{2b}^j-c_{1b}^j-W_{1i}+K_2)=a(Q_{1i}-W_{1i})+abG, c_b^{\prime }=a(o_{2b}^j-o_{1b}^j-W_{2i}+K_2)=a(Q_{2i}-W_{2i})+abG$; 26 $O_1=q_1^{*}G,{\lambda }_b=q_1^{*}{K}_2, O_1^{\prime }=q_1^{\prime }G,{\lambda }_b^{\prime }=q_1^{\prime }{K}_2$; 27 $\mathrm{Choose} \mathrm{one} (c_{1a}^j,c_{2a}^j) \mathrm{and} (o_{1a}^j,o_{2a}^j)$ from remaining groups;; 28 $c_a=b(c_{2a}^j-c_{1a}^j-Q_{1i}+K_1)=b(W_{1i}-Q_{1i})+abG, c_a^{\prime }=b(o_{2b}^j-o_{1b}^j-Q_{2i}+K_1)=b(W_{2i}-Q_{2i})+abG$; 29 $O_2=q_2^{*}G, {\lambda }_a=q_2^{*}{K}_1, O_2^{\prime }=q_2^{\prime }G, {\lambda }_a^{\prime }=q_2^{\prime }{K}_1$; 30 $\mathrm{Exchange} c_b+O_1, c_b^{\prime }+O_1^{\prime } \mathrm{and} c_a+O_2, c_a^{\prime }+O_2^{\prime }$; 31 ${\beta }_a=k_1(c_a+O_2), m_a=k_1{c}_a \mathrm{and} {\beta }_a^{\prime }=k_1(c_a^{\prime }+O_2^{\prime }), m_a^{\prime }=k_1{c}_a^{\prime }$; 32 ${\beta }_b=k_2(c_b+O_1), m_b=k_2{c}_b \mathrm{and} {\beta }_b^{\prime }=k_2(c_b^{\prime }+O_1^{\prime }), m_b^{\prime }=k_2{c}_b^{\prime }$; 33 $\mathrm{Exchange} {\beta }_a, m_a, {\beta }_a^{\prime }, m_a^{\prime } \mathrm{and} {\beta }_b, m_b, {\beta }_b^{\prime }, m_b^{\prime }$; 34 $\mathrm{If} (m_b={\beta }_b-{\lambda }_b, m_b^{\prime }={\beta }_b^{\prime }-{\lambda }_b^{\prime })$, then continue; otherwise, terminate; 35 $\mathrm{If} (m_a={\beta }_a-{\lambda }_a, m_a^{\prime }={\beta }_a^{\prime }-{\lambda }_a^{\prime })$, then continue; otherwise, terminate; 36 $\mathrm{If} k_{2}a(Q_{1i}-W_{1i})=0 \mathrm{by} m_b-a{q}_2 \mathrm{and} k_{2}a(Q_{2i}-W_{2i}) \mathrm{by} m_b^{\prime }-a{q}_2$, continue; 37 $\mathrm{If} k_{1}b(W_{1i}-Q_{1i})=0 \mathrm{by} m_a-b{q}_1 \mathrm{and} k_{1}b(W_{2i}-Q_{2i}) \mathrm{by} m_a^{\prime }-b{q}_1$, continue; 38 $D\left(W_{1i}\right)=d_{1i}, D\left(W_{2i}\right)=d_{1i}^{\prime }; \mathrm{if} d_{1i}<N/2, \mathrm{then} \mathrm{set} h_{1i}=1; \mathrm{otherwise}, h_{1i}=0$; 39 $D\left(Q_{1i}\right)=d_{2i}, D\left(Q_{2i}\right)=d_{2i}^{\prime }; \mathrm{if} d_{1i}^{\prime }<N/2, \mathrm{then} \mathrm{set} h_{1i}^{\prime }=1; \mathrm{otherwise}, h_{1i}^{\prime }=0$; 40 $E_{p{k}_1}\left(h_1\right)=E_{p{k}_1}\left(h_{11}\right),\dots ,E_{p{k}_1}\left(h_{1n}\right)$; 41 $E_{p{k}_2}\left(h_1^{\prime }\right)=E_{p{k}_2}\left(h_{11}^{\prime }\right),\dots ,E_{p{k}_2}\left(h_{1n}^{\prime }\right)$; 42 $\mathrm{Obtain} H_{1i} \mathrm{and} H_{1i}^{\prime }$; 43 $\mathrm{Obtain} H_{2i} \mathrm{and} H_{2i}^{\prime }$; 44 $\mathrm{Compute} \stackrel{\wedge }{H_1}={\sum }_{i\in [1,n]}{H}_{1i}+H_{1i}^{\prime }=E\left(e_1\right)=E(n-l)$; 45 $\mathrm{Compute} \stackrel{\wedge }{H_2}={\sum }_{i\in [1,n]}{H}_{2i}+H_{2i}^{\prime }=E\left(e_2\right)=E(n-l)$; 46 $\mathrm{Select} r_1,r_2$; 47 $\mathrm{Compute} Z=E_{p{k}_1}\left(r_{1}1\right)+E_{pk}\left(r_{1}2n\right)-{E_{pk}}_1\left(r_{1}2e_1\right)+E_{p{k}_1}(-2t{r}_1)=E\left[r_1\right(2l+1-2t\left)\right]$; 48 $\mathrm{Compute} Z^{\prime }={E_{pk}}_2\left(r_{2}1\right)+{E_{pk}}_2\left(r_{2}2n\right)-{E_{pk}}_2\left(r_{2}2e_2\right)+E_{p{k}_2}(-2t{r}_2)=E\left[r_2\right(2l+1-2t\left)\right]$; 49 $D_{s{k}_1}\left(Z\right)=z_1, D_{s{k}_2}\left(Z^{\prime }\right)=z_2$; 50 $\mathrm{Select} p_i \mathrm{and} p_i^{\prime }(0\le i\le m)$; 51 $(c_{11a}^i,c_{12a}^i)=(p_i{z}_1+K_1,z_1+p_i{z}_1+aG)$; 52 $(c_{11b}^i,c_{12b}^i)=(p_i^{\prime }{z}_2+K_2,z_2+p_i^{\prime }{z}_2+bG)$; 53 $\mathrm{Exchange} (c_{11a}^i,c_{12a}^i) \mathrm{and} (c_{11b}^i,c_{12b}^i)$; 54 $\mathrm{Choose} m/2 \mathrm{groups} \mathrm{from} (c_{11a}^i,c_{12a}^i) \mathrm{and} (c_{11b}^i,c_{12b}^i)$; 55 $\mathrm{If} (c_{11b}^i=p_i^{\prime }{z}_2+K_2)$, then continue; otherwise, terminate; 56 $\mathrm{If} (c_{11a}^i=p_i{z}_1+K_1)$, then continue; otherwise, terminate; 57 $\mathrm{Choose} \mathrm{one} (c_{11b}^j,c_{12b}^j) \mathrm{and} (c_{11a}^j,c_{12a}^j)$ from remaining groups; 58 $\mathrm{Compute} c_{b1}=a(c_{12b}^j-c_{11b}^j-z_1+K_2)=a(z_2-z_1)+abG, J_1=q_{3}G, {\lambda }_{b1}=q_3{K}_2$; 59 $\mathrm{Compute} c_{a1}=b(c_{12a}^j-c_{11a}^j-z_2+K_1)=b(z_1-z_2)+abG, J_2=q_{4}G, {\lambda }_{a1}=q_4{K}_1$; 60 $\mathrm{Exchange} c_{b1}+J_1, c_{a1}+J_2$; 61 ${\beta }_{a1}=k_1(c_{a1}+J_2), m_{a1}=k_1{c}_{a1}$; 62 ${\beta }_{b1}=k_2(c_{b1}+J_1), m_{b1}=k_2{c}_{b1}$; 63 $\mathrm{Exchange} {\beta }_{a1}, m_{a1} \mathrm{and} {\beta }_{b1}, m_{b1}$; 64 $\mathrm{If} (m_{b1}={\beta }_{b1}-{\lambda }_{b1})$, then continue; otherwise, terminate; 65 $\mathrm{If} (m_{a1}={\beta }_{a1}-{\lambda }_{a1})$, then continue; otherwise, terminate; 66 $\mathrm{If} k_{2}a(z_2-z_1)=0 \mathrm{by} m_{b1}-a{q}_2$, then continue; 67 $\mathrm{If} k_{1}b(z_1-z_2)=0 \mathrm{by} m_{a1}-b{q}_1$, then continue; 68 $D\left(z_1\right)=z_3; \mathrm{if} z_3<N/2, \mathrm{make} L_t(x,y)=1$; 69 $D\left(z_2\right)=z_4; \mathrm{if} z_4<N/2, \mathrm{make} L_t(x,y)=1$; $\mathbf{Output}\mathbf{:} L_t(x,y)$

The specific Protocol 2 is as follows:

Protocol 2: The SCTS protocol under the malicious model.

$\mathbf{Input}\mathbf{:} \mathrm{Alice}’\mathrm{s} \mathrm{text} \mathrm{vector} (x=(x_1,\dots ,x_n)), \mathrm{Bob}’\mathrm{s} \mathrm{text} \mathrm{vector} (y=(y_1,\dots ,y_n)), \mathrm{and} \mathrm{a} \mathrm{threshold} (t).$ $\mathbf{Output}\mathbf{:} \mathrm{The} \mathrm{size} \mathrm{relationship} \left(L_t\right(x,y)) \mathrm{between} \mathrm{the} \mathrm{number} \mathrm{of} \mathrm{equal} \mathrm{elements} (l \mathrm{and} t) \mathrm{of} \mathrm{two} \mathrm{vectors} (x \mathrm{and} y).$

$\mathbf{Preparation}\mathbf{:} \mathrm{For} \mathrm{each} i\in [1,n], \mathrm{Alice} \mathrm{calculates} u_i=2x_i,-u_i^{\prime }=-(2x_i+1) \mathrm{and} \mathrm{Bob} \mathrm{calculates}-v_i=-(2y_i+1), v_i^{\prime }=2y_i (u_i,v_i<N/2). \mathrm{Alice} \mathrm{and} \mathrm{Bob} \mathrm{together} \mathrm{choose} \mathrm{the} \mathrm{elliptic} \mathrm{curve} (E_p) \mathrm{and} \mathrm{base} \mathrm{point} (G), \mathrm{and} \mathrm{they} \mathrm{choose} \mathrm{the} \mathrm{private} \mathrm{key} (k_1,k_2(k_1,k_2>0)) \mathrm{and} \mathrm{random} \mathrm{number} (a,b), \mathrm{respectively}. \mathrm{Then}, \mathrm{both} \mathrm{parties} \mathrm{calculate} \mathrm{their} \mathrm{public} \mathrm{keys} ( K_1=k_{1}G,K_2=k_{2}G \mathrm{and} q_1=a{K}_1, q_2=b{K}_2, \mathrm{respectively}). \mathrm{Finally}, \mathrm{Alice} \mathrm{and} \mathrm{Bob} \mathrm{exchange} (K_1,q_1) \mathrm{and} (K_2,q_2).$ Protocol Start: (1) Alice and Bob calculate the following: (a) $\mathrm{Alice} \mathrm{encodes} \mathrm{the} \mathrm{plaintext} \mathrm{sets} u=(u_1,\dots ,u_n) \mathrm{and}-u^{\prime }=(-u_1^{\prime },\dots ,-u_n^{\prime }) \mathrm{to} \mathrm{points} M_i \mathrm{and} M_i^{\prime }(1\le i\le n) \mathrm{on} \mathrm{the} \mathrm{elliptic} \mathrm{curve} (E_p) \mathrm{one} \mathrm{by} \mathrm{one}, \mathrm{selects} n \mathrm{random} \mathrm{numbers} (a_i \mathrm{and} a_i^{\prime }), \mathrm{and} \mathrm{encrypts} \mathrm{each} \mathrm{element} (M_i \mathrm{and} M_i^{\prime }(1\le i\le n)) \mathrm{separately} \mathrm{by} \mathrm{using} \mathrm{the} \mathrm{public} \mathrm{key} K_1. \mathrm{That} \mathrm{is}, \mathrm{the} \mathrm{ciphertexts} E\left(M_i\right)=(C_{1i},C_{2i}) \mathrm{and} E\left(M_i^{\prime }\right)=(C_{1i}^{\prime },C_{2i}^{\prime }) \mathrm{are} \mathrm{calculated}, \mathrm{corresponding} \mathrm{to} \mathrm{each} \mathrm{element} (M_i \mathrm{and} M_i^{\prime }(1\le i\le n)), \mathrm{where} C_{1i}=M_i+a_{i}K,C_{2i}=a_{i}G \mathrm{and} C_{1i}^{\prime }=M_i^{\prime }+a_i^{\prime }K,C_{2i}^{\prime }=a_i^{\prime }G. \mathrm{Then}, \mathrm{Alice} \mathrm{obtains} \mathrm{the} \mathrm{sets} E\left(u\right)=\left(E\right(M_1),E(M_2),\dots ,E(M_n\left)\right) \mathrm{and} E(-u^{\prime })=\left(E\right(M_1^{\prime }),E(M_2^{\prime }),\dots ,E(M_n^{\prime }\left)\right), \mathrm{and} \mathrm{sends} E\left(u\right) \mathrm{and} E(-u^{\prime })$ to Bob; (b) $\mathrm{Bob} \mathrm{encodes} \mathrm{the} \mathrm{plaintext} \mathrm{sets}-v=(-v_1,\dots ,-v_n) \mathrm{and} v^{\prime }=(v_1^{\prime },\dots ,v_n^{\prime }) \mathrm{to} \mathrm{points} P_i \mathrm{and} P_i^{\prime }(1\le i\le n) \mathrm{on} \mathrm{the} \mathrm{elliptic} \mathrm{curve} (E_p) \mathrm{one} \mathrm{by} \mathrm{one}, \mathrm{selects} n \mathrm{random} \mathrm{numbers} (b_i \mathrm{and} b_i^{\prime }), \mathrm{and} \mathrm{encrypts} \mathrm{each} \mathrm{element} (P_i \mathrm{and} P_i^{\prime }(1\le i\le n)) \mathrm{separately} \mathrm{by} \mathrm{using} \mathrm{the} \mathrm{public} \mathrm{key} K_2. \mathrm{That} \mathrm{is}, \mathrm{the} \mathrm{ciphertexts} E\left(P_i\right)=(I_{1i},I_{2i}) \mathrm{and} E\left(P_i^{\prime }\right)=(I_{1i}^{\prime },I_{2i}^{\prime }) \mathrm{are} \mathrm{calculated}, \mathrm{corresponding} \mathrm{to} \mathrm{each} \mathrm{element} (P_i \mathrm{and} P_i^{\prime }(1\le i\le n)), \mathrm{where} I_{1i}=P_i+b_{i}K,I_{2i}=b_{i}G,I_{1i}^{\prime }=P_i^{\prime }+b_i^{\prime }K,I_{2i}^{\prime }=b_i^{\prime }G, \mathrm{and} C_{1i}^{\prime }=M_i^{\prime }+a_i^{\prime }K,C_{2i}^{\prime }=a_i^{\prime }G. \mathrm{Then}, \mathrm{Bob} \mathrm{obtains} \mathrm{the} \mathrm{sets} E(-v)=\left(E\right(P_1),E(P_2),\dots E(P_n\left)\right) \mathrm{and} E\left(v^{\prime }\right)=\left(E\right(P_1^{\prime }),E(P_2^{\prime }),\dots ,E(P_n^{\prime }\left)\right), \mathrm{and} \mathrm{sends} E(-v) \mathrm{and} E\left(v^{\prime }\right)$ to Alice; (2) After receiving the ciphertexts of each other, the participants calculate the following: (a) $\mathrm{Alice} \mathrm{selects} \mathrm{random} \mathrm{vectors} r_a=(r_{a1},\dots ,r_{an}) \mathrm{and} r_a^{\prime }=(r_{a1}^{\prime },\dots ,r_{an}^{\prime }), \mathrm{where} 0<\left|r_{ai}\right|,\left|r_{ai}^{\prime }\right|<\sqrt{N/2}, i\in [1,n]. \mathrm{Meanwhile}, \mathrm{Bob} \mathrm{selects} \mathrm{random} \mathrm{vectors} r_b=(r_{b1},\dots ,r_{bn}) \mathrm{and} r_b^{\prime }=(r_{b1}^{\prime },\dots ,r_{bn}^{\prime }), \mathrm{where} 0<\left|r_{bi}\right|,\left|r_{bi}^{\prime }\right|<\sqrt{N/2}, i\in [1,n]$; (b) $\mathrm{For} \mathrm{each} i\in [1,n], \mathrm{Alice} \mathrm{calculates} w_i \mathrm{and} w_i^{\prime }$: $w_{i1}=E\left(u_i\right),w_{i2}=E(-v_i),w_i=E\left[r_{ai}\right(u_i-v_i\left)\right]=E\left(r_{ai}{u}_i\right)+E(-r_{ai}{v}_i), \mathrm{and} \mathrm{that} \mathrm{is} w_i=\underset{r_{ai}}{\underbrace{(w_{i1}+\dots +w_{i1})}}+\underset{r_{ai}}{\underbrace{(w_{i2}+\dots +{w_i}_2)}}. \mathrm{At} \mathrm{the} \mathrm{same} \mathrm{time}, \mathrm{Alice} \mathrm{calculates}{w}_{i1}^{\prime }=E(-u_i^{\prime }), w_{i2}^{\prime }=E\left(v_i^{\prime }\right),w_i^{\prime }=E\left[r_{ai}^{\prime }\right(v_i^{\prime }-u_i^{\prime }\left)\right]=E\left(r_{ai}^{\prime }{v}_i^{\prime }\right)+E(-r_{ai}^{\prime }{u}_i^{\prime }), \mathrm{and} \mathrm{that} \mathrm{is} w_i^{\prime }=\underset{r_{ai}^{\prime }}{\underbrace{(w_{i1}^{\prime }+\dots +w_{i1}^{\prime })}}+\underset{r_{ai}^{\prime }}{\underbrace{(w_{i2}^{\prime }+\dots +w_{i2}^{\prime })}}. \mathrm{Then}, \mathrm{Alice} \mathrm{sends} \mathrm{the} \mathrm{ciphertexts} w_i \mathrm{and} w_i^{\prime }$ to Bob. $\mathrm{For} \mathrm{each} i\in [1,n], \mathrm{Bob} \mathrm{calculates} g_i \mathrm{and} g_i^{\prime }$: $g_{i1}=E\left(u_i\right),g_{i2}=E(-v_i),g_i=E\left[r_{bi}\right(u_i-v_i\left)\right]=E\left(r_{bi}{u}_i\right)+E(-r_{bi}{v}_i), \mathrm{and} \mathrm{that} \mathrm{is} g_i=\underset{r_{bi}}{\underbrace{(g_{i1}+\dots +g_{i1})}}+\underset{r_{bi}}{\underbrace{(g_{i2}+\dots +{g_i}_2)}}. \mathrm{At} \mathrm{the} \mathrm{same} \mathrm{time}, \mathrm{Bob} \mathrm{calculates}{g}_{i1}^{\prime }=E(-u_i^{\prime }), g_{i2}^{\prime }=E\left(v_i^{\prime }\right),g_i^{\prime }=E\left[r_{bi}^{\prime }\right(v_i^{\prime }-u_i^{\prime }\left)\right]=E\left(r_{bi}^{\prime }{v}_i^{\prime }\right)+E(-r_{bi}^{\prime }{u}_i^{\prime }), \mathrm{and} \mathrm{that} \mathrm{is} g_i^{\prime }=\underset{r_{bi}^{\prime }}{\underbrace{(g_{i1}^{\prime }+\dots +g_{i1}^{\prime })}}+\underset{r_{bi}^{\prime }}{\underbrace{(g_{i2}^{\prime }+\dots +g_{i2}^{\prime })}}. \mathrm{Then}, \mathrm{Bob} \mathrm{sends} \mathrm{the} \mathrm{ciphertexts} g_i \mathrm{and} g_i^{\prime }$ to Alice; (3) $\mathrm{For} \mathrm{each} i\in [1,n], \mathrm{Alice} \mathrm{decrypts} w_i \mathrm{and} w_i^{\prime } \mathrm{with} \mathrm{the} \mathrm{private} \mathrm{key} k_1 \mathrm{to} \mathrm{obtain} \mathrm{points} W_{1i} \mathrm{and} W_{2i}. \mathrm{Bob} \mathrm{decrypts} g_i \mathrm{and} g_i^{\prime } \mathrm{using} k_2 \mathrm{to} \mathrm{obtain} \mathrm{points} Q_{1i} \mathrm{and} Q_{2i}$; (4) $\mathrm{For} \mathrm{each} i\in [1,n], \mathrm{Alice} \mathrm{selects} m \mathrm{random} \mathrm{numbers} p_{1s}(0\le s\le m) \mathrm{and} p_{2s}(0\le s\le m), \mathrm{and} \mathrm{calculates} (c_{1a}^s,c_{2a}^s)=(p_{1s}{W}_{1i}+K_1,W_{1i}+p_{1s}{W}_{1i}+aG) \mathrm{and} (o_{1a}^s,o_{2a}^s)=(p_{2s}{W}_{2i}+K_1,W_{2i}+p_{2s}{W}_{2i}+aG). \mathrm{Bob} \mathrm{selects} m \mathrm{random} \mathrm{numbers} f_{1s}(0\le s\le m) \mathrm{and} f_{2s}(0\le s\le m), \mathrm{and} \mathrm{calculates} (c_{1b}^s,c_{2b}^s)=(f_{1s}{Q}_{1i}+K_2,Q_{1i}+f_{1s}{Q}_{1i}+bG) \mathrm{and} (o_{1b}^s,o_{2b}^s)=(f_{2s}{Q}_{2i}+K_2,Q_{2i}+f_{2s}{Q}_{2i}+bG). \mathrm{Finally}, \mathrm{Alice} \mathrm{and} \mathrm{Bob} \mathrm{exchange} (c_{1a}^s,c_{2a}^s),(o_{1a}^s,o_{2a}^s), \mathrm{and} (c_{1b}^s,c_{2b}^s),(o_{1b}^s,o_{2b}^s)$; (5) Using the cut-and-choose method: $\mathrm{Alice} \mathrm{randomly} \mathrm{selects} m/2 \mathrm{groups} \mathrm{from} m \mathrm{groups} (c_{1b}^s,c_{2b}^s) \mathrm{and} (o_{1b}^s,o_{2b}^s) \mathrm{sent} \mathrm{by} \mathrm{Bob} \mathrm{to} \mathrm{publish}, \mathrm{and} \mathrm{Bob} \mathrm{is} \mathrm{required} \mathrm{to} \mathrm{publish} \mathrm{the} \mathrm{corresponding} f_{1s}{Q}_{1i} \mathrm{and} f_{2s}{Q}_{2i}. \mathrm{Then}, \mathrm{Alice} \mathrm{verifies} \mathrm{the} \mathrm{received} \mathrm{data}: f_{1s}{Q}_{1i}+K_2=c_{1b}^s, f_{2s}{Q}_{2i}+K_2=o_{1b}^s. \mathrm{If} \mathrm{the} \mathrm{verification} \mathrm{passes}, \mathrm{then} \mathrm{the} \mathrm{protocol} \mathrm{is} \mathrm{continued}; \mathrm{if} \mathrm{the} \mathrm{verification} \mathrm{does} \mathrm{not} \mathrm{pass}, \mathrm{then} \mathrm{the} \mathrm{protocol} \mathrm{is} \mathrm{terminated}. \mathrm{Bob} \mathrm{randomly} \mathrm{selects} m/2 \mathrm{groups} \mathrm{from} m \mathrm{groups} (c_{1a}^s,c_{2a}^s) \mathrm{and} (o_{1a}^s,o_{2a}^s) \mathrm{sent} \mathrm{by} \mathrm{Alice} \mathrm{to} \mathrm{publish}, \mathrm{and} \mathrm{Alice} \mathrm{is} \mathrm{required} \mathrm{to} \mathrm{publish} \mathrm{the} \mathrm{corresponding} p_{1s}{W}_{1i} \mathrm{and} p_{2s}{W}_{2i}. \mathrm{Then}, \mathrm{Bob} \mathrm{verifies} \mathrm{the} \mathrm{received} \mathrm{data}: p_{1s}{W}_{1i}+K_1=c_{1a}^s, p_{2s}{W}_{2i}+K_1=o_{1a}^s$. If the verification passes, then the protocol is continued; if the verification does not pass, then the protocol is terminated; (6) $\mathrm{Alice} \mathrm{randomly} \mathrm{selects} \mathrm{one} (c_{1b}^j,c_{2b}^j) \mathrm{and} (o_{1b}^j,o_{2b}^j) \mathrm{from} \mathrm{the} \mathrm{remaining} m/2 \mathrm{groups} (c_{1b}^s,c_{2b}^s) \mathrm{and} (o_{1b}^s,o_{2b}^s), \mathrm{respectively}. \mathrm{Bob} \mathrm{randomly} \mathrm{selects} \mathrm{one} (c_{1a}^j,c_{2a}^j) \mathrm{and} (o_{1a}^j,o_{2a}^j) \mathrm{from} \mathrm{the} \mathrm{remaining} m/2 \mathrm{groups} (c_{1a}^s,c_{2a}^s) \mathrm{and} (o_{1a}^s,o_{2a}^s), \mathrm{respectively}. \mathrm{Meanwhile}, \mathrm{Alice} \mathrm{and} \mathrm{Bob} \mathrm{choose} \mathrm{random} \mathrm{numbers} (a,q_1^{*},q_1^{\prime } \mathrm{and} b,q_2^{*},q_2^{\prime } , \mathrm{respectively}). \mathrm{Alice} \mathrm{calculates} c_b=a(c_{2b}^j-c_{1b}^j-W_{1i}+K_2)=a(Q_{1i}-W_{1i})+abG \mathrm{and} c_b^{\prime }=a(o_{2b}^j-o_{1b}^j-W_{2i}+K_2)=a(Q_{2i}-W_{2i})+abG, \mathrm{respectively} \mathrm{making} O_1=q_1^{*}G,{\lambda }_b=q_1^{*}{K}_2 \mathrm{and} O_1^{\prime }=q_1^{\prime }G,{\lambda }_b^{\prime }=q_1^{\prime }{K}_2. \mathrm{Bob} \mathrm{calculates} c_a=b(c_{2a}^j-c_{1a}^j-Q_{1i}+K_1)=b(W_{1i}-Q_{1i})+abG \mathrm{and} c_a^{\prime }=b(o_{2b}^j-o_{1b}^j-Q_{2i}+K_1)=b(W_{2i}-Q_{2i})+abG, \mathrm{respectively} \mathrm{making} O_2=q_2^{*}G, {\lambda }_a=q_2^{*}{K}_1, \mathrm{and} O_2^{\prime }=q_2^{\prime }G, {\lambda }_a^{\prime }=q_2^{\prime }{K}_1. \mathrm{Then}, c_b+O_1, c_b^{\prime }+O_1^{\prime } \mathrm{and} c_a+O_2, c_a^{\prime }+O_2^{\prime }$ are exchanged between Alice and Bob; (7) $\mathrm{After} \mathrm{both} \mathrm{parties} \mathrm{receive} \mathrm{messages} \mathrm{from} \mathrm{the} \mathrm{other}, \mathrm{Alice} \mathrm{calculates} {\beta }_a=k_1(c_a+O_2), m_a=k_1{c}_a \mathrm{and} {\beta }_a^{\prime }=k_1(c_a^{\prime }+O_2^{\prime }), m_a^{\prime }=k_1{c}_a^{\prime }\mathrm{and} \mathrm{sends} \mathrm{them} \mathrm{to} \mathrm{Bob}. \mathrm{Bob} \mathrm{calculates} {\beta }_b=k_2(c_b+O_1), m_b=k_2{c}_b \mathrm{and} {\beta }_b^{\prime }=k_2(c_b^{\prime }+O_1^{\prime }), m_b^{\prime }=k_2{c}_b^{\prime }$ and sends them to Alice; (8) $\mathrm{To} \mathrm{determine} \mathrm{whether} m_b \mathrm{and} m_b^{\prime } \mathrm{sent} \mathrm{by} \mathrm{Bob} \mathrm{are} \mathrm{correct}, \mathrm{Alice} \mathrm{uses} \mathrm{the} \mathrm{zero}-\mathrm{knowledge} \mathrm{proof} \mathrm{to} \mathrm{check} \mathrm{to} \mathrm{prove} \mathrm{that} \mathrm{Bob} \mathrm{really} \mathrm{obtains} \mathrm{the} m_b \mathrm{by} \mathrm{multiplying} \mathrm{her} \mathrm{private} \mathrm{key} (k_2) \mathrm{and} \mathrm{her} \mathrm{own} c_b, \mathrm{and} \mathrm{to} \mathrm{prove} \mathrm{that} \mathrm{Bob} \mathrm{really} \mathrm{obtains} \mathrm{the} m_b^{\prime } \mathrm{by} \mathrm{multiplying} \mathrm{her} \mathrm{private} \mathrm{key} (k_2) \mathrm{and} \mathrm{her} \mathrm{own} c_b^{\prime } \mathrm{to} \mathrm{judge} \mathrm{whether} m_b={\beta }_b-{\lambda }_b \mathrm{and} m_b^{\prime }={\beta }_b^{\prime }-{\lambda }_b^{\prime } \mathrm{are} \mathrm{correct}, \mathrm{respectively}. \mathrm{Similarly}, \mathrm{Bob} \mathrm{uses} \mathrm{the} \mathrm{same} \mathrm{method} \mathrm{to} \mathrm{determine} \mathrm{whether}{m}_a={\beta }_a-{\lambda }_a \mathrm{and} m_a^{\prime }={\beta }_a^{\prime }-{\lambda }_a^{\prime }$ are correct. The party who dose not pass is malicious; (9) $\mathrm{Alice} \mathrm{can} \mathrm{obtain} k_{2}a(Q_{1i}-W_{1i}) \mathrm{by} \mathrm{calculating} m_b-a{q}_2; \mathrm{if} k_{2}a(Q_{1i}-W_{1i})=0, \mathrm{then} Q_{1i}=W_{1i}; \mathrm{at} \mathrm{the} \mathrm{same} \mathrm{time}, \mathrm{Bob} \mathrm{calculates} m_b^{\prime }-a{q}_2 \mathrm{to} \mathrm{obtain} k_{2}a(Q_{2i}-W_{2i}); \mathrm{if} k_{2}a(Q_{2i}-W_{2i})=0, \mathrm{then} Q_{2i}=W_{2i}. \mathrm{Similarly}, \mathrm{Bob} \mathrm{obtains} k_{1}b(W_{1i}-Q_{1i}) \mathrm{by} \mathrm{calculating} m_a-b{q}_1; \mathrm{if} k_{1}b(W_{1i}-Q_{1i})=0, \mathrm{then} Q_{1i}=W_{1i}; \mathrm{at} \mathrm{the} \mathrm{same} \mathrm{time}, \mathrm{Bob} \mathrm{calculates} m_a^{\prime }-b{q}_1 \mathrm{to} \mathrm{obtain} k_{1}b(W_{2i}-Q_{2i}); \mathrm{if} k_{1}b(W_{2i}-Q_{2i})=0, \mathrm{then} Q_{2i}=W_{2i}. \mathrm{If} Q_{1i}=W_{1i} \mathrm{and} Q_{2i}=W_{2i}$ are valid at the same time, it proves that the results required by both parties are correct and equal, or the protocol is terminated; (10) $\mathrm{Alice} \mathrm{decodes} \mathrm{the} \mathrm{points} W_{1i},W_{2i} \mathrm{to} \mathrm{obtain} \mathrm{points} d_{1i},d_{1i}^{\prime }; \mathrm{Bob} \mathrm{decodes} \mathrm{the} \mathrm{points} Q_{1i},Q_{2i} \mathrm{to} \mathrm{obtain} \mathrm{points} d_{2i},d_{2i}^{\prime }. \mathrm{If} d_{1i}<N/2, \mathrm{then} h_{1i}=1 \mathrm{is} \mathrm{set}; \mathrm{otherwise}, h_{1i}=0 \mathrm{is} \mathrm{set}. \mathrm{Similarly}, \mathrm{if} d_{1i}^{\prime }<N/2, \mathrm{then} h_{1i}^{\prime }=1 \mathrm{is} \mathrm{set}; \mathrm{otherwise}, h_{1i}^{\prime }=0 \mathrm{is} \mathrm{set}. \mathrm{Similarly}, \mathrm{Bob} \mathrm{obtains} h_{2i} \mathrm{and} h_{2i}^{\prime }$; (11) $\mathrm{Alice} \mathrm{encodes} \mathrm{the} \mathrm{points} h_{1i} \mathrm{and} h_{1i}^{\prime }\mathrm{to} \mathrm{points} N_{1i} \mathrm{and} N_{1i}^{\prime }(1\le i\le n) \mathrm{on} \mathrm{the} E_p(a,b), \mathrm{selects} n \mathrm{random} \mathrm{numbers} ({\theta }_{1i} \mathrm{and} {\theta }_{1i}^{\prime }), \mathrm{adopts} \mathrm{the} \mathrm{encryption} \mathrm{method} \mathrm{in} \mathrm{step} 1(\mathrm{a}), \mathrm{uses} \mathrm{the} K_1 \mathrm{to} \mathrm{encrypt} \mathrm{each} \mathrm{element} (N_{1i} \mathrm{and} N_{1i}^{\prime }(1\le i\le n)) \mathrm{one} \mathrm{by} \mathrm{one}, \mathrm{obtains} E(h_1)=E(h_{11}),\dots ,E(h_{1n}) \mathrm{and} E\left(h_1^{\prime }\right)=E\left(h_{11}^{\prime }\right),\dots ,E\left(h_{1n}^{\prime }\right)$, and sends them to Bob. $\mathrm{Bob} \mathrm{encodes} \mathrm{the} \mathrm{points} h_{2i} \mathrm{and} h_{2i}^{\prime } \mathrm{to} \mathrm{points} N_{2i} \mathrm{and} N_{2i}^{\prime }(1\le i\le n) \mathrm{on} \mathrm{the} \mathrm{elliptic} \mathrm{curve} \left(E_p\right(a,b)) \mathrm{one} \mathrm{by} \mathrm{one}, \mathrm{selects} n \mathrm{random} \mathrm{numbers} ({\theta }_{2i} \mathrm{and} {\theta }_{2i}^{\prime }), \mathrm{adopts} \mathrm{the} \mathrm{encryption} \mathrm{method} \mathrm{in} \mathrm{step} 1(\mathrm{b}), \mathrm{uses} \mathrm{the} \mathrm{public} \mathrm{key} (K_2) \mathrm{to} \mathrm{encrypt} \mathrm{each} \mathrm{element} (N_{2i} \mathrm{and} N_{2i}^{\prime }(1\le i\le n)) \mathrm{one} \mathrm{by} \mathrm{one}, \mathrm{obtains} E(h_2)=E(h_{21}),\dots ,E(h_{2n}) \mathrm{and} E\left(h_2^{\prime }\right)=E\left(h_{21}^{\prime }\right),\dots ,E\left(h_{2n}^{\prime }\right)$, and sends them to Alice; (12) $\mathrm{Alice} \mathrm{calculates} \mathrm{that} \mathrm{for} \mathrm{each} i\in [1,n], \mathrm{when} r_{ai}>0, \mathrm{let} H_{1i}=E\left(h_{1i}\right); \mathrm{when} r_{ai}<0, \mathrm{calculate} H_{1i}=T\left[E\right(h_{1i}\left)\right]. \mathrm{Similarly}, \mathrm{when} r_{ai}^{\prime }>0, \mathrm{let} H_{1i}^{\prime }=E\left(h_{1i}^{\prime }\right); \mathrm{when} r_{ai}^{\prime }<0, \mathrm{calculate} H_{1i}^{\prime }=T\left[E\right(h_{1i}^{\prime }\left)\right]. \mathrm{Similarly}, \mathrm{Bob} \mathrm{calculates} H_{2i} \mathrm{and} H_{2i}^{\prime }$; (13) $\mathrm{Alice} \mathrm{calculates} \stackrel{\wedge }{H_1}={\sum }_{i\in [1,n]}{H}_{1i}+H_{1i}^{\prime }=E\left(e_1\right), \mathrm{Bob} \mathrm{calculates} \stackrel{\wedge }{H_2}={\sum }_{i\in [1,n]}{H}_{2i}+H_{2i}^{\prime }=E\left(e_2\right)$; (14) $$\begin{gathered} \mathrm{Alice} \mathrm{selects} \mathrm{a} \mathrm{random} \mathrm{number} (r_1<\frac{N}{4\left(n+1\right)}), \mathrm{uses} \mathrm{the} \mathrm{encryption} \mathrm{method} \mathrm{in} \mathrm{step} 1 (\mathrm{a}), \mathrm{selects} \mathrm{the} \mathrm{random} \mathrm{numbers} a_{1i},a_{1i}^{\prime },a_{2i},a_{2i}^{\prime }, \mathrm{encrypts} \mathrm{with} \mathrm{the} \mathrm{public} \mathrm{key} K_1, \mathrm{and} \mathrm{calculates} Z_1=E\left(1\right), Z_2=E\left(2n\right), Z_3=E\left(2e_1\right), Z_4=(-2t), Z=\underset{r_1}{\underbrace{(Z_1+\dots Z_1)}}+\underset{r_1}{\underbrace{(Z_2+\dots Z_2)}}-\underset{r_1}{\underbrace{(Z_3+\dots Z_3)}}+\underset{r_1}{\underbrace{(Z_4+\dots Z_4)}}=(C_1,C_2). \mathrm{Alice} \mathrm{sends} \mathrm{the} \mathrm{point} Z \mathrm{to} \mathrm{Bob}. \mathrm{Bob} \mathrm{selects} \mathrm{a} \mathrm{random} \mathrm{number} (r_2<\frac{N}{4\left(n+1\right)}), \mathrm{uses} \mathrm{the} \mathrm{encryption} \mathrm{method} \mathrm{in} \mathrm{step} 1 (\mathrm{b}), \mathrm{selects} \mathrm{the} \mathrm{random} \mathrm{numbers} a_{3i},a_{3i}^{\prime },a_{4i},a_{4i}^{\prime }, \mathrm{encrypts} \mathrm{with} \mathrm{the} \mathrm{public} \mathrm{key} K_2, \mathrm{and} \mathrm{calculates} Z_1^{\prime }=E\left(1\right), Z_2^{\prime }=E\left(2n\right), Z_3^{\prime }=E\left(2e_2\right), Z_4^{\prime }=E(-2t), \\ {Z}^{\prime }=\underset{r_2}{\underbrace{(Z_1^{\prime }+\dots Z_1^{\prime })}}+\underset{r_2}{\underbrace{(Z_2^{\prime }+\dots Z_2^{\prime })}}-\underset{r_2}{\underbrace{(Z_3^{\prime }+\dots Z_3^{\prime })}}+\underset{r_2}{\underbrace{(Z_4^{\prime }+\dots Z_4^{\prime })}}=(C_1^{\prime },C_2^{\prime }). \mathrm{Bob} \mathrm{sends} \mathrm{point} Z^{\prime } \end{gathered}$$ to Alice; (15) $\mathrm{Alice} \mathrm{decrypts} E\left(Z\right) \mathrm{using} \mathrm{the} \mathrm{private} \mathrm{key} k_1 (\mathrm{i}.\mathrm{e}., \mathrm{calculates} C_1-k_1{C}_2=z_1 \mathrm{and} \mathrm{obtains} \mathrm{point} z_1); \mathrm{Bob} \mathrm{decrypts} E(Z^{\prime }) \mathrm{using} \mathrm{the} \mathrm{private} \mathrm{key} k_2 (\mathrm{i}.\mathrm{e}., \mathrm{calculates} C_1^{\prime }-k_2{C}_2^{\prime }=z_2 \mathrm{and} \mathrm{obtains} \mathrm{point} z_2$); (16) $\mathrm{Alice} \mathrm{selects} m \mathrm{random} \mathrm{numbers} \left(p_i\right(0\le i\le m)) \mathrm{and} \mathrm{calculates} (c_{11a}^i,c_{12a}^i)=(p_i{z}_1+K_1,z_1+p_i{z}_1+aG). \mathrm{Bob} \mathrm{selects} m \mathrm{random} \mathrm{numbers} \left(p_i^{\prime }\right(0\le i\le m)) \mathrm{and} \mathrm{calculates} (c_{11b}^i,c_{12b}^i)=(p_i^{\prime }{z}_2+K_2,z_2+p_i^{\prime }{z}_2+bG). \mathrm{The} \mathrm{final} \mathrm{step} \mathrm{is} \mathrm{for} \mathrm{Alice} \mathrm{and} \mathrm{Bob} \mathrm{to} \mathrm{exchange} (c_{11a}^i,c_{12a}^i) \mathrm{and} (c_{11b}^i,c_{12b}^i)$; (17) $\mathrm{With} \mathrm{the} \mathrm{help} \mathrm{of} \mathrm{the} \mathrm{cut}-\mathrm{and}-\mathrm{choose} \mathrm{method}, \mathrm{Alice} \mathrm{randomly} \mathrm{selects} m/2 \mathrm{groups} \mathrm{from} \mathrm{these} \mathrm{data} (c_{11b}^i,c_{12b}^i)\mathrm{and} \mathrm{publishes} \mathrm{them}, \mathrm{while}, \mathrm{at} \mathrm{the} \mathrm{same} \mathrm{time}, \mathrm{Bob} \mathrm{publishes} p_i^{\prime }{z}_2. \mathrm{Alice} \mathrm{verifies} c_{11b}^i=p_i^{\prime }{z}_2+K_2. \mathrm{Bob} \mathrm{uses} \mathrm{the} \mathrm{same} \mathrm{method} \mathrm{and} \mathrm{asks} \mathrm{Alice} \mathrm{to} \mathrm{publish} p_i{z}_1. \mathrm{Bob} \mathrm{verifies} c_{11a}^i=p_i{z}_1+K_1$. If the equation holds, then the next step is taken; if the equation does not hold, then the protocol is stopped; (18) $\mathrm{Alice} \mathrm{and} \mathrm{Bob} \mathrm{randomly} \mathrm{select} \mathrm{one} (c_{11b}^j,c_{12b}^j) \mathrm{and} (c_{11a}^j,c_{12a}^j) \mathrm{from} \mathrm{the} \mathrm{remaining} m/2 \mathrm{groups} (c_{11b}^i,c_{12b}^i) \mathrm{and} (c_{11a}^i,c_{12a}^i), \mathrm{respectively}. \mathrm{At} \mathrm{the} \mathrm{same} \mathrm{moment}, \mathrm{Alice} \mathrm{and} \mathrm{Bob} \mathrm{each} \mathrm{pick} \mathrm{random} \mathrm{numbers} (a,q_3 \mathrm{and} b,q_4). \mathrm{Alice} \mathrm{calculates} c_{b1}=a(c_{12b}^j-c_{11b}^j-z_1+K_2)=a(z_2-z_1)+abG, J_1=q_{3}G, {\lambda }_{b1}=q_3{K}_2, \mathrm{and} \mathrm{Bob} \mathrm{calculates} c_{a1}=b(c_{12a}^j-c_{11a}^j-z_2+K_1)=b(z_1-z_2)+abG, J_2=q_{4}G, {\lambda }_{a1}=q_4{K}_1. \mathrm{Then}, c_{b1}+J_1, c_{a1}+J_2$ are exchanged between Alice and Bob; (19) $\mathrm{After} \mathrm{both} \mathrm{parties} \mathrm{receive} \mathrm{messages} \mathrm{from} \mathrm{the} \mathrm{other}, \mathrm{Alice} \mathrm{calculates} {\beta }_{a1}=k_1(c_{a1}+J_2) \mathrm{and} m_{a1}=k_1{c}_{a1}, \mathrm{Bob} \mathrm{calculates} {\beta }_{b1}=k_2(c_{b1}+J_1) \mathrm{and} m_{b1}=k_2{c}_{b1}$, and the messages are sent to the other party; (20) $\mathrm{Alice} \mathrm{needs} \mathrm{to} \mathrm{judge} \mathrm{whether} m_{b1}={\beta }_{b1}-{\lambda }_{b1} \mathrm{is} \mathrm{true} \mathrm{if} \mathrm{she} \mathrm{wants} \mathrm{to} \mathrm{prove} \mathrm{whether} \mathrm{the} m_{b1} \mathrm{sent} \mathrm{by} \mathrm{Bob} \mathrm{is} \mathrm{correct} \mathrm{through} \mathrm{the} \mathrm{zero}-\mathrm{knowledge}-\mathrm{proof} \mathrm{method}. \mathrm{If} \mathrm{Bob} \mathrm{wants} \mathrm{to} \mathrm{verify} \mathrm{the} \mathrm{correctness} \mathrm{of} \mathrm{the} m_{a1} \mathrm{sent} \mathrm{by} \mathrm{Alice} \mathrm{through} \mathrm{zero}-\mathrm{knowledge} \mathrm{proof}, \mathrm{then} \mathrm{he} \mathrm{needs} \mathrm{to} \mathrm{judge} \mathrm{whether} m_{a1}={\beta }_{a1}-{\lambda }_{a1}$ is true. If one party’s equation does not hold, the agreement will terminate; (21) $\mathrm{Alice} \mathrm{can} \mathrm{obtain} k_{2}a(z_2-z_1) \mathrm{by} \mathrm{calculating} m_{b1}-a{q}_2. \mathrm{If} k_{2}a(z_2-z_1)=0, \mathrm{then} z_1=z_2; \mathrm{Bob} \mathrm{can} \mathrm{obtain} k_{1}b(z_1-z_2) \mathrm{by} \mathrm{calculating} m_{a1}-b{q}_1. \mathrm{If} k_{1}b(z_1-z_2)=0, \mathrm{then} z_1=z_2. z_1=z_2$ means that both parties’ results are correct; otherwise, the protocol is immediately stopped; (22) $\mathrm{Finally}, \mathrm{Alice} \mathrm{and} \mathrm{Bob} \mathrm{decode} \mathrm{the} \mathrm{x}-\mathrm{coordinates} \mathrm{of} \mathrm{points} z_1 \mathrm{and} z_2, \mathrm{respectively}, \mathrm{to} \mathrm{obtain} z_3 \mathrm{and} z_4. \mathrm{If} z_3<N/2, \mathrm{then} L_t(x,y)=1\mathrm{is} \mathrm{made}; \mathrm{otherwise}, L_t(x,y)=0 \mathrm{is} \mathrm{made}, \mathrm{and} L_t(x,y)\mathrm{is} \mathrm{finally} \mathrm{output}. \mathrm{Similarly}, \mathrm{if} z_4<N/2, \mathrm{then} L_t(x,y)=1\mathrm{is} \mathrm{made}; \mathrm{otherwise}, L_t(x,y)=0 \mathrm{is} \mathrm{made}, \mathrm{and} L_t(x,y)$ is finally output. The protocol ends.

4.2. Correctness Analysis

The execution operations of Alice and Bob in Protocol 2 are identical, and so only Alice’s execution process is analyzed.

(1)

In the protocol preparation stage, Alice converts vector $x$ into vectors $u$ and $-u^{\prime }$ by calculating $u_i=2x_i$ and $-u_i^{\prime }=-(2x_i+1)$. Therefore, Alice does not disclose any information about the privacy vector ($x$) during the protocol execution phase;

(2)

In steps (5) and (6) of the protocol, Alice verifies whether there are malicious adversaries in the protocol via the cut-and-choose method;

(3)

In step (8) of the protocol, Alice uses zero-knowledge proof to verify that $m_b$ and $m_b^{\prime }$ sent by Bob are correct (that is, to determine whether $m_b={\beta }_b-{\lambda }_b$ and $m_b^{\prime }={\beta }_b^{\prime }-{\lambda }_b^{\prime }$ are correct, respectively);

(4)

The possible malicious behavior of Alice in the first round (from step 1 to step (10)) is that the random numbers $p_{1s}$ and $p_{2s}$ selected by Alice in step (4) do not meet the requirements, are not detected in the step 5 verification, and happen to be the choice of Bob in step (6), which leads Bob to obtain a faulty result. If Alice uses the method described above for spoofing, then the maximum probability of successful spoofing is m = 10, as an example. If five groups do not meet the requirements, the probability is $\frac{C_9^5}{C_{10}^5}\times \frac{1}{5}=\frac{1}{10}$. If more than half of the group does not meet the requirements, the probability of successful spoofing drops to zero and is always detected in the verification phase. Therefore, the first round of the protocol is secure;

(5)

In steps (17) and (18), Alice uses the cut-and-choose method to verify whether there are malicious adversaries in the protocol;

(6)

In step (20) of the protocol, whether the $m_{b1}$ sent by Bob is correct is verified by Alice using the zero-knowledge-proof method;

(7)

The possible malicious behavior of Alice in the second round (from step (11) to step (22)) is that the random numbers ($p_i$) selected by Alice in step (16) do not meet the requirements, are not detected in the step (17) verification, and happen to be the choice of Bob in step (18), which leads Bob to obtain a wrong result. The maximum probability of successful Alice spoofing is the same as in step (4). Thus, the second round of the protocol is secure.

4.3. Security Proof

For SCTS protocols under the malicious model, the real/ideal-model paradigm is widely used to prove the security of Protocol 2.

The parties pass two rounds of validation of Protocol 2. In the first round of verification, steps 1–3 are mainly used to calculate $W_{1i},W_{2i}$ and $Q_{1i},Q_{2i}$ confidentially. If Alice and Bob have verified that $W_{1i}=Q_{1i}$ and $W_{2i}=Q_{2i}$ according to the protocol, then they pass the verification. In the second round of verification, step 15 is mainly used to obtain points $z_1$ and $z_2$ confidentially. If Alice and Bob verify that $z_1=z_2$ according to the protocol, then they pass the verification. The $W_{1i},W_{2i}$ and $Q_{1i},Q_{2i}$ in the first step and the $z_1$ and $z_2$ in the second step will be the input data under the ideal model. If the protocol ends, then the input message sent to the TTP is incorrect. Therefore, input information errors will not be considered in the malicious model. In the proof phase, the problem can be transformed into whether $W_{1i}$ is equal to $Q_{1i}$, $W_{2i}$ is equal to $Q_{2i}$, and $z_1$ is equal to $z_2$. Therefore, proving whether $z_1$ is equal to $z_2$ is required.

Theorem 4.

Protocol 2 (denoted as ∏ ) is secure under the malicious model.

See Appendix A for specific certification process.

5. Performance Analysis

This paper analyzes the performance of the protocol via the complexity and communication complexity (number of communication rounds), and it compares the execution times of the existing protocols with those of Protocol 1 and Protocol 2 through experimental simulation.

5.1. Efficiency Analysis

References [17,18] and Protocol 1 are all used to calculate the SCTS under the semi-honest model. In Reference [17], two sequences with lengths of $n$ are coded into two 0–1 sequences with lengths of $4n$ and are encrypted via the GM encryption algorithm. This requires $20n\log N$ times of modular multiplications, but it can only be used for string matching, with a small scope of application. Reference [18] confidentially determined whether two strings are equal, with an encryption number of $n+m$ and a decryption number of $n-m$, requiring $\left[3{\log }_{2}N\right(n+1\left)\right]\log N$ modular multiplication operations ($N$ is usually taken as 1024 bits), but its efficiency is relatively low. However, the ECC encryption method is adopted in Protocol 1 of this paper, assuming that the character length is $n$ (which can be encoded into $n$ vector components), and a total of $16n+6$ modular multiplication operations are required (other simple arithmetic operations and inversion operations can be ignored), which has a wider application range and higher efficiency.

Protocol 2 is an SCTS protocol under the malicious model. At present, no relevant protocol under the malicious model has been found. For solving the problem of text similarity, the protocol proposed in Reference [19] is more efficient. It is based on the GM encryption algorithm. Assuming that the character length is $n$, the protocol requires $8(n+m-1)l^{\prime }\log N$ times of modular multiplications ($l^{\prime }\ge 2$ is a security parameter, $N=1024$ bits), but it cannot defend against malicious attacks. Protocol 2 uses the ECC encryption method (the character length is $n$), which requires $32n+12$ times of modular multiplications (other simple arithmetic operations and flip operations are ignored). Not only does it improve the efficiency, but it can also resist attacks from malicious enemies.

For the communication complexity measured by the amount of communication rounds, Protocol 1 and References [17,18] require two rounds, while Protocol 2 and Reference [19] require four rounds. Obviously, compared with References [17,18], Protocol 1 in this paper improved the computational efficiency and has a wider application range with the same number of communication rounds. Compared with Reference [19], Protocol 2 in this article has advantages in all aspects and can resist attacks from malicious adversaries.

The performances of Protocol 1 and Protocol 2 are compared with those of References [17,18,19], as shown in

Table 1. Protocol comparison.

Protocol	Calculation Complexity (Modular Multiplication)	Communication Rounds	Scope of Application	Resistance to Malicious Behaviors
Protocol 1	$16n+6$	2 rounds	Rational number, string	No
Reference [17]	$20n\log N$	2 rounds	String	No
Reference [18]	$\left[3{\log }_{2}N\right(n+1\left)\right]\log N$	2 rounds	String	No
Protocol 2	$32n+12$	4 rounds	Rational number, string	Yes
Reference [19]	$8(n+m-1)l^{\prime }\log N$	4 rounds	String	No

.

Both Protocol 1 and Protocol 2 in this article adopt ECC, which is not only more efficient but also more widely applicable compared to the GM and Paillier encryption schemes. Protocol 2 in this article is a protocol under the malicious model of ECC encryption, which can resist attacks from malicious adversaries and has improved efficiency compared to References [17,18,19]. With a small difference in the number of communication rounds, Protocol 2 is more efficient and secure. Therefore, Protocol 2 is efficient in terms of both the computational complexity and application scope.

5.2. Experimental Analysis

To further verify the execution efficiencies of the protocols in this paper, the experiment used the Windows 10 64-bit (home version) operating system, and the processor was Inter (R) Core (TM) i7-6600 [email protected] GHZ, the memory was 8 GB, and the Java language was used to run the implementation on MyEclipse. The experiment used textual datasets, such as patients’ electronic health records, medical records, disease databases, etc., used for clinical diagnosis, encoded them into vectors, and combined them with the protocol algorithm of this paper, which, in turn, determined the patients’ disease types, such as infectious diseases, cardiovascular diseases, and other types of diseases. The next step was to compare the execution times of the protocols under the premise of achieving the same classification effect (i.e., the shorter the execution time, the higher efficiency of the protocol).

By comparing the execution times of the protocols through simulation experiments, the execution efficiencies of the protocols could be obtained. First, in this study, when the character length $n$ was 1, 2, 3, …, 10, each set value of $n$ was simulated 1000 times, and the average value was counted. Figure 3 shows a comparison of the execution times for different string lengths in Protocol 2. The horizontal coordinate indicates the string length, and the vertical coordinate indicates the execution time. When $n=10$, the execution time of Protocol 2 is 1000 ms.

Secondly, this study selected the string length $n=5$, carried out 1000 simulation experiments on different values of modulus $N$, and counted the average value. Figure 4 shows a comparison of the execution times for different module $N$ lengths in Protocol 2. The horizontal coordinate indicates the length of module $N$, and the vertical coordinate indicates the execution time. When $n=5$ and $N=1024$ bits, the execution time of Protocol 2 is 712 ms.

Next, Figure 5 compares the execution times of References [17,18,19] with those of Protocol 1 and Protocol 2 in this paper through simulation experiments. The abscissa represents the string length, and the ordinate represents the execution time of the protocol. When the string length is 10, the execution times of the protocols are as follows: Reference [18]: 1440 ms; Reference [17]: 1200 ms; Reference [19]: 1118 ms; and Protocol 2: 1000 ms, which shows that the protocol of this paper has the shortest execution time and higher efficiency in the case of the same length of string. Figure 6 shows the execution times of References [17,18,19] and Protocol 1 and Protocol 2 under different settings of module $N$ ($n=5$ at this time) through simulation experiments. The abscissa represents the length of module $N$, and the ordinate represents the execution time of the protocol. When the length of module $N$ is 1024 bits, the execution times of the protocols are as follows: Reference [18]: 1024 ms; Reference [17]: 932 ms; Reference [19]: 800 ms; and Protocol 2: 712 ms, which shows that in the case of the same number of modes, the execution time of the protocol in this paper is the shortest and more efficient.

Of course, in order to compare the implementation efficiencies of the protocols more comprehensively, the delay times during the experiment should be considered. Figure 7 shows the delay times of Protocol 2 for different string lengths during the experiment. Figure 8 shows the delay times of Protocol 2 for different lengths of module $N$ (when $n=5$). For example, when $n=1$, we can see from Figure 5 that the execution time of Protocol 2 is 100 ms, and from Figure 7, that the delay time of Protocol 2 is 0.6 ms; thus, the total time consumed in the execution process of Protocol 2 should be 100.6 ms.

Figure 5 and Figure 6 show that the execution times of the protocols increase regardless of the character length or module length. The execution times of Protocol 1 and Protocol 2 are the shortest and the most efficient when compared to those of References [17,18,19]. At the same time, Protocol 2 is not only efficient, but it is also resistant to attacks by malicious adversaries, and it has a great improvement in the security performance. Therefore Protocol 2 has greater practical value.

6. Conclusions

Text similarity computation in deep learning and natural language processing has a wide range of application scenarios and important application value in intelligent recommendation systems, information retrieval, data mining, etc. The existing SCTS protocols are inefficient and cannot resist malicious adversaries. Therefore, based on the efficient ECC encryption algorithm, this paper proposes an SCTS protocol under the semi-honest model. For the malicious behaviors that may be committed by malicious participants under the semi-honest protocol, the SCTS protocol under the malicious model is designed using the cut-and-choose and zero-knowledge-proof methods. The security of the protocol is proven by the real/ideal-model paradigm. Compared with the efficiencies of existing schemes, the protocol proposed in this paper is more efficient and can resist malicious attacks, which has practical value.

In future work, we will extend the number of participants from two parties to multiple parties to study the SCTS, and we will use the protocol in this paper as a basic tool to solve more secure multi-party computation problems, such as string-pattern matching, interval determination, etc., so that it can play more roles in more fields in the future.